Archive for February, 2008

Fraudsters offer “IRS Tax Refund”

McAfee Avert Labs has received reports of a new phishing attack that purports to come from the U.S. Internal Revenue Service (IRS). The email is similar to IRS phishing campaigns seen before: it offers victims a $375.20 refund, credited directly to their credit card, in return for filling in an online form. A copy of the spammed email is shown below:

Copy of spammed email

IRS phishing scams faithfully appear every year during the US tax season. There have been several campaigns in the past; this one was first observed in our spam traps on January 28th.

Phish Page

The phish is hosted on a legitimate, US-based website that sells Halloween special effects and movie props. The phish page is a rip-off of the real IRS website, and its online form asks for the victim's name, Social Security number and credit card details, plus the card's CVC/CVV2 code and ATM PIN. It makes you wonder how many people, eager for a refund in the middle of tax season, would still hand over that information.

Of late we are seeing more phishing pages hosted on compromised legitimate websites than on sites the attacker set up for the purpose. Hosting the malicious content on a compromised legitimate site lets the spammer get past the real-time blacklists traditionally used to vet the links advertised in email: the domain has a clean history, so it is on no list when the campaign starts.

When the website owner was informed of this compromise, his reply was “I’m not a techie, but I have to run this site and don’t know how to fix this problem. Any help would be wonderful.” This brutally honest reply left me speechless!

PS: I have made sure a McAfee Avert Labs field service engineer will be getting in touch with him shortly, and that the IRS has been given the spamming information.

Yet another Yahoo zero-day attack hits the Web

Zero-day vulnerabilities in Yahoo products are nothing new and should be taken very seriously. Last year we saw a couple of ActiveX-based vulnerabilities in Yahoo Messenger that are still being exploited and have been incorporated into various web-based attack kits. One of the most prolific is still the Yahoo Webcam ActiveX control buffer overflow vulnerability.

Yahoo Music Jukebox is free music-management software that plays music files, burns CDs and tunes into web radio stations. Within a day of the new Yahoo Jukebox zero-day being publicly disclosed on February 2, a fully working exploit had been developed and was circulating widely on various forums.

The first vulnerability is a stack-based buffer overflow triggered by an overly long "url" parameter passed to the AddButton and AddImage methods of the YMP DataGrid ActiveX control (datagrid.dll).

The second is a buffer overflow triggered by a long "bitmapUrl" parameter passed to the AddBitmap method of the YMGMediaGridAx ActiveX control (mediagridax.dll).

The issue has been observed with mediagridax.dll and datagrid.dll version 2.2.2.056, which ship with the latest Yahoo Music Jukebox (2.2.2.056) and with a few older Yahoo Messenger versions.

A temporary workaround is to set the kill bit for the two offending ActiveX controls. Under each of the following keys, create a DWORD value named Compatibility Flags and set it to 0x00000400, which stops Internet Explorer from instantiating the control:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{5F810AFC-BB5F-4416-BE63-E01DD117BD6C}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{22FD7C0A-850C-4A53-9821-0B0915C96139}

It may be only a matter of time until customized versions of these exploits make their way into the wild and are used by malware authors to infect machines. McAfee customers have been protected from this threat since the 5223 DATs, as JS/Exploit-YahooGrid.

FAR Manager goes open source

I have been very happy over the last several days since discovering that FAR Manager, one of the tools we use a great deal in Avert Labs, has been released as open source under a BSD license. What exactly is FAR? It is an advanced file manager that is heavily customizable and extensible.

Such a tool is very effective when dealing with malware, and through customization FAR can be turned into a sort of "command center" for malware analysis. For example, you can associate executable files with a disassembler such as IDA, so that selecting one feeds it to the disassembler, and tell FAR to open text documents in WordPad.

Of course, its set of capabilities is far :) bigger, and it is not the purpose of this post to document such a complex program in detail; instead, we want to express our interest in this initiative.

The FAR Manager

Keep up the good work guys!

Another Adobe PDF Exploit in the Wild

McAfee Avert Labs is tracking active in-the-wild exploitation of a recently patched vulnerability in Adobe Reader and Acrobat. The exploit is embedded in a PDF file and triggered through Acrobat JavaScript.

The first evidence of such maliciously crafted PDF files was posted to an Italian message forum by an alert administrator who noticed that three of his workstations had been infected. Successful exploitation runs the embedded JavaScript on the victim's machine; the script then attempts to download a Trojan from an IP address in the Netherlands.

The exploit works through both browser-based and email attack vectors and affects the following Adobe products:

  • Adobe Reader 8.1.1 and earlier versions
  • Adobe Acrobat Professional, 3D, and Standard 8.1.1 and earlier versions

Complete mitigation requires upgrading Acrobat and Adobe Reader 7.x and 8.x to version 8.1.2.

Malware authors will find exploit-laden PDF files very profitable in spear-phishing attacks, especially since the Portable Document Format (PDF) is the de-facto standard for exchanging electronic documents online. PDF files have traditionally passed through gateways unfiltered and until recently were considered risk free, in contrast to the notorious history of Microsoft Office documents.

With Windows Vista and Microsoft Office 2007, however, Microsoft has made buffer overflow exploits harder to pull off, so we expect exploit writers to target the lower-hanging fruit. Exploiting vulnerabilities in popular applications from Adobe, Apple or RealPlayer is proving just as advantageous and profitable for the bad guys.

We strongly advise users running vulnerable versions of Adobe Reader and Acrobat to update them from the Adobe site. McAfee users are protected against these maliciously crafted PDF files with today's 5227 DAT release, which detects them as Exploit-PDF.b.
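Since the trigger is JavaScript inside the document, a gateway can at least triage inbound PDFs for the names that carry it. The scanner below is an added example written for this post, not McAfee's detection logic; the indicator list and the three minimal PDFs are constructed for it. It also handles one common evasion: a PDF name object may spell any byte as a #xx escape, so /J#61vaScript is the same name as /JavaScript and plain substring matching misses it.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Names this triage flags: the script carriers and the auto-run hooks that
 * fire them. The set is this example's choice, not a vendor signature. */
static const char *const INDICATORS[] = { "/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch" };
#define N_INDICATORS (sizeof INDICATORS / sizeof INDICATORS[0])

static int hexval(int c) { return isdigit(c) ? c - '0' : tolower(c) - 'a' + 10; }

/* PDF lets a name spell any byte as #xx, so "/J#61vaScript" is the same name
 * as "/JavaScript" and defeats naive substring matching. Decode the escapes
 * into `out` (at least n bytes long); returns the decoded length. */
size_t pdf_decode_name_escapes(const unsigned char *in, size_t n, unsigned char *out)
{
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        if (in[i] == '#' && i + 2 < n && isxdigit(in[i + 1]) && isxdigit(in[i + 2])) {
            out[o++] = (unsigned char)(hexval(in[i + 1]) * 16 + hexval(in[i + 2]));
            i += 2;
        } else {
            out[o++] = in[i];
        }
    }
    return o;
}

/* A name ends at whitespace or a PDF delimiter, so "/JS" does not match the
 * start of a longer name such as "/JSX". */
static int ends_name(unsigned char c)
{
    return c == '\0' || isspace(c) || strchr("()<>[]{}/%", c) != NULL;
}

/* Whole-name occurrences of `name` in a binary buffer. */
size_t count_name(const unsigned char *buf, size_t n, const char *name)
{
    size_t len = strlen(name), count = 0;
    for (size_t i = 0; i + len <= n; i++)
        if (memcmp(buf + i, name, len) == 0 && (i + len == n || ends_name(buf[i + len])))
            count++;
    return count;
}

/* Number of distinct indicators present (0 = none), after #xx decoding when
 * requested. Only plain bytes are inspected: objects inside FlateDecode
 * streams must be inflated before this check. -1 on allocation failure. */
int pdf_script_indicators(const unsigned char *pdf, size_t n, int decode_escapes)
{
    unsigned char *buf = malloc(n ? n : 1);
    size_t m = n;
    int found = 0;

    if (buf == NULL)
        return -1;
    if (decode_escapes)
        m = pdf_decode_name_escapes(pdf, n, buf);
    else
        memcpy(buf, pdf, n);
    for (size_t k = 0; k < N_INDICATORS; k++)
        if (count_name(buf, m, INDICATORS[k]) > 0)
            found++;
    free(buf);
    return found;
}

int scan_sample(const char *pdf, int decode_escapes)
{
    return pdf_script_indicators((const unsigned char *)pdf, strlen(pdf), decode_escapes);
}

/* Constructed minimal documents, not captured samples. */
static const char BENIGN_PDF[] =
    "%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    "trailer << /Root 1 0 R >>\n%%EOF\n";
static const char JS_PDF[] =
    "%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    "3 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n%%EOF\n";
static const char EVASIVE_PDF[] =
    "%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    "3 0 obj << /S /J#61vaScript /J#53 (app.alert(1)) >> endobj\n%%EOF\n";

int main(void)
{
    printf("benign document:          %d indicators\n", scan_sample(BENIGN_PDF, 1));
    printf("JavaScript + OpenAction:  %d indicators\n", scan_sample(JS_PDF, 1));
    printf("#xx-escaped, raw scan:    %d indicators\n", scan_sample(EVASIVE_PDF, 0));
    printf("#xx-escaped, decoded:     %d indicators\n", scan_sample(EVASIVE_PDF, 1));
    return 0;
}
```

The raw scan of the escaped document sees only /OpenAction; after decoding it finds all three names. Treat a hit as a triage signal, not proof of exploitation, and remember that anything inside a compressed object stream is invisible to this check until the stream is inflated.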

Valentine Nuwar

With Valentine's Day this week, we saw a new wave of Nuwar spam on Monday evening, amounting to more than 20 variants in a couple of hours. Detection of these variants by the major AV vendors was nearly nonexistent, as the Nuwar author is using a new compiler this time to evade detection.

When you click the link in the email, the website displays a picture and prompts you to download an executable, as shown below.

Valentine Day pic

malware download

We have seen samples named valentine.exe.

Happy Valentine's Day!

Super Wednesday

While the masses stay vigilant against "love" attacks [1][2][3][4] in the run-up to Valentine's Day (tomorrow, don't forget!), others, McAfee Avert Labs included, are wary of further hybrid spam-and-malware attacks. This morning we received thousands upon thousands of "Google ad link" samples through our anti-malware and anti-spam automation systems.

The topical social-engineering hook is the race to the White House [5] and the Hillary Clintons and Barack Obamas of the world. It is actually surprising we did not see more of this attack yesterday, exactly one week after Super Tuesday [6].

The spam email (example below) contains a link, hidden by HTML [7], that points at Google's page-ad service and passes it a second, malicious URL as the destination. The trusted google.com link therefore bounces the browser to a site hosting a sample we detect as Downloader.gen.a [8]. The site used in this attack is suspected of being linked to the notorious Russian Business Network (RBN) [9].

Other examples of this spam included some of the following subjects:

  • Hillary Clinton Full Video !!!
  • Interesting dvd with Beyonce + 4 asiatic lovers!
  • Interesting dvd with Jennifer Lopez + 5 english boys!
  • Interesting mp3 with Beyonce + 5 portuguese horse!
  • Interesting photo with Mylene Farmer + 6 black stallions!
  • Interesting video with Keira Knightley + 2 black dogs!
  • Keen melody with Christina Aguilera + 4 english boys!
  • Keen photo with Britney Spears + 4 asiatic stallions!
  • Kick-up mp3 with Christina Aguilera + 5 irish mans!
  • New melody with Kylie Minogue + 3 spain dogs!
  • New presentation with Mylene Farmer + 6 portuguese lesbians!
  • Part of presentation with Jessica Parker + 6 black dogs!
  • Shocking photo with Jessica Parker + 3 italian horse!
  • Stunning presentation with Beyonce + 3 black stallions!

We urge you to stay vigilant and keep your anti-spam and anti-malware protection up to date. Remember, if it sounds too good to be true, it normally is. ;)
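The check a mail filter wants for links of this kind is whether a URL on a trusted host carries another absolute URL in its query string that points somewhere else. Here is that check as an added example, not Avert Labs' filtering code; the sample links are constructed, and the parameter names on them are assumptions rather than the real redirector's interface.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

static int hexval(int c) { return isdigit(c) ? c - '0' : tolower(c) - 'a' + 10; }

/* Percent-decode in[0..inlen) into `out` (NUL-terminated, at most outlen-1
 * bytes). Only well-formed %xx triples are decoded. */
static void percent_decode(const char *in, size_t inlen, char *out, size_t outlen)
{
    size_t o = 0;
    for (size_t i = 0; i < inlen && o + 1 < outlen; i++) {
        if (in[i] == '%' && i + 2 < inlen &&
            isxdigit((unsigned char)in[i + 1]) && isxdigit((unsigned char)in[i + 2])) {
            out[o++] = (char)(hexval(in[i + 1]) * 16 + hexval(in[i + 2]));
            i += 2;
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
}

/* Lower-cased host of an absolute http(s) URL into `host`; false if the
 * string is not such a URL. Userinfo is skipped; a port, path, query or
 * fragment ends the host. */
bool url_host(const char *url, char *host, size_t hostlen)
{
    const char *p;
    if (strncmp(url, "http://", 7) == 0)
        p = url + 7;
    else if (strncmp(url, "https://", 8) == 0)
        p = url + 8;
    else
        return false;

    size_t authority = strcspn(p, "/?#");
    const char *at = memchr(p, '@', authority);
    if (at != NULL)
        p = at + 1;
    size_t n = strcspn(p, ":/?#");
    if (n == 0 || n >= hostlen)
        return false;
    for (size_t i = 0; i < n; i++)
        host[i] = (char)tolower((unsigned char)p[i]);
    host[n] = '\0';
    return true;
}

/* Walk the query string of `url`; every parameter whose decoded value is an
 * absolute http(s) URL is a candidate redirect target. True if any target's
 * host differs from the host the link itself points at (that host is left
 * in `target`). */
bool redirects_offsite(const char *url, char *target, size_t targetlen)
{
    char self[256], value[1024];
    if (!url_host(url, self, sizeof self))
        return false;
    const char *q = strchr(url, '?');
    if (q == NULL)
        return false;
    for (q++; *q != '\0' && *q != '#'; ) {
        size_t plen = strcspn(q, "&#");
        const char *eq = memchr(q, '=', plen);
        if (eq != NULL) {
            percent_decode(eq + 1, (size_t)(q + plen - eq - 1), value, sizeof value);
            if (url_host(value, target, targetlen) && strcmp(self, target) != 0)
                return true;
        }
        q += plen;
        if (*q == '&')
            q++;
    }
    return false;
}

bool sample_redirects_offsite(const char *url)
{
    char host[256];
    return redirects_offsite(url, host, sizeof host);
}

const char *redirect_target_host(const char *url)
{
    static char host[256];
    return redirects_offsite(url, host, sizeof host) ? host : "";
}

/* Constructed links, not captured spam; the parameter names are assumptions. */
static const char REDIRECT_LINK[] =
    "http://www.google.com/pagead/iclk?sa=l&ai=abc123"
    "&adurl=http%3A%2F%2Fvideos.malicious.example%2Fclinton%2Fplay.exe";
static const char PLAIN_LINK[] = "http://www.google.com/search?q=hillary+clinton+video";
static const char SAME_SITE_LINK[] = "http://www.google.com/url?q=https%3A%2F%2Fwww.google.com%2Fabout";

int main(void)
{
    const char *links[] = { REDIRECT_LINK, PLAIN_LINK, SAME_SITE_LINK };
    for (size_t i = 0; i < 3; i++)
        printf("%s\n  -> %s\n", links[i],
               sample_redirects_offsite(links[i]) ? redirect_target_host(links[i])
                                                  : "no off-site redirect");
    return 0;
}
```

A link that passes is not thereby safe, only not an off-site bounce through a trusted redirector: the same trick works with relative destinations, with a second layer of encoding, or with a chain of redirectors, none of which this check chases.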

[1] : http://www.publicopiniononline.com/localnews/ci_8249998
[2] : http://blogs.knoxnews.com/knx/silence/archives/2008/02/valentines_day.shtml
[3] : http://www.nbc13.com/gulfcoastwest/vtm/news.apx.-content-articles-VTM-2008-02-13-0006.html
[4] : http://press-releases.techwhack.com/16498/microworld-technologies
[5] : http://www.independent.co.uk/news/in-the-news/race-for-whitehouse
[6] : http://en.wikipedia.org/wiki/Super_Tuesday
[7] : http://www.avertlabs.com/research/blog/index.php/2007/08/20/the-risks-of-html-formatted-e-mails
[8] : http://vil.nai.com/vil/content/v_142821.htm
[9] : http://www.securecomputing.net.au/news/69637,britney-paris-used-as-hook-in-new-spam-botnet.aspx

Analyzing the Linux Kernel vmsplice Exploit

Zero-day emerges

On February 9, zero-day exploit code [1] was posted on the milw0rm site. It exploits a vulnerability in Linux kernel versions 2.6.17 through 2.6.24.1 that allows an unprivileged local user to gain root privileges. The vulnerability has been assigned CVE-2008-0600. There are reports that the exploit is reliable and actively used in the wild. Its inner workings are quite interesting from a technical point of view; let's have a look.

Details on the vulnerability and methods of exploitation

The vulnerability lies in the get_iovec_page_array function in fs/splice.c (line numbers below are from the 2.6.23.1-42.fc8 kernel), which is reachable from the vmsplice() system call:

1286:       if (unlikely(!len))    /* "len" is under the user's control */
1287:               break;
...
1296:       off = (unsigned long) base & ~PAGE_MASK;
...
1306:       npages = (off + len + PAGE_SIZE - 1) >> PAGE_SHIFT;
1307:       if (npages > PIPE_BUFFERS - buffers)
1308:               npages = PIPE_BUFFERS - buffers;
1309:
1310:       error = get_user_pages(current, current->mm,
1311:                              (unsigned long) base, npages, 0, 0,
1312:                              &pages[buffers], NULL);

The get_user_pages function expects its fourth argument (the number of page descriptors to fill, which also bounds the return value) to be at least 1. The preceding code assumes npages is at least 1: len must be nonzero, so off + len + PAGE_SIZE - 1 should be greater than or equal to PAGE_SIZE. However, if len is close to the maximum value of its type (UINT32_MAX on a 32-bit kernel), the addition wraps around and npages can be zero.

As a result, get_user_pages may return more than PIPE_BUFFERS entries and the pages array overflows. The overflow payload, however, is not controlled by the attacker, so turning this overflow alone into reliable code execution would be difficult.
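To make the wrap concrete, here is a user-space model of the npages arithmetic, an added example for this post rather than code from the kernel or the exploit. It fixes the word width at 32 bits so the i386 case reproduces on any host; PAGE_SIZE, PIPE_BUFFERS and TASK_SIZE are the kernel's i386 values, and the range guard is modelled on an access_ok-style user pointer check, not copied from the kernel's patch.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * User-space model of the npages arithmetic in get_iovec_page_array().
 * On a 32-bit kernel both `unsigned long` and `size_t` are 32 bits wide, so
 * uint32_t stands in for them here and the wrap reproduces on any host.
 * The constants are the kernel's i386 values.
 */
#define PAGE_SHIFT   12u
#define PAGE_SIZE    (1u << PAGE_SHIFT)
#define PAGE_MASK    (~(PAGE_SIZE - 1u))
#define PIPE_BUFFERS 16u
#define TASK_SIZE    0xC0000000u   /* default i386 user/kernel split */

/* npages as the vulnerable code derived it: with len close to UINT32_MAX the
 * sum wraps to a value below PAGE_SIZE and the shift yields 0, even though
 * len itself is nonzero. */
uint32_t vuln_npages(uint32_t base, uint32_t len, uint32_t buffers)
{
    uint32_t off = base & ~PAGE_MASK;
    uint32_t npages = (off + len + PAGE_SIZE - 1u) >> PAGE_SHIFT;

    if (npages > PIPE_BUFFERS - buffers)
        npages = PIPE_BUFFERS - buffers;
    return npages;
}

/* Range guard modelled on an access_ok-style user pointer check (this
 * example's assumption, not the kernel patch text): [base, base + len) must
 * be non-empty, must not wrap around the address space and must end at or
 * below TASK_SIZE. */
bool user_range_ok(uint32_t base, uint32_t len)
{
    if (len == 0)
        return false;
    if (len > UINT32_MAX - base)        /* base + len would wrap */
        return false;
    return base + len <= TASK_SIZE;
}

bool iovec_rejected(uint32_t base, uint32_t len)
{
    return !user_range_ok(base, len);
}

/* Hardened path: validate the user range before any page count is derived
 * from it. Returns 0 only for a rejected iovec; an accepted one always
 * yields at least one page. */
uint32_t fixed_npages(uint32_t base, uint32_t len, uint32_t buffers)
{
    if (iovec_rejected(base, len))
        return 0;
    return vuln_npages(base, len, buffers);
}

int main(void)
{
    const struct { uint32_t base, len; const char *what; } cases[] = {
        { 0x08048100u, 100u,        "ordinary 100-byte iovec" },
        { 0x08048000u, 0x100000u,   "1 MiB iovec, clamped to PIPE_BUFFERS" },
        { 0x08048000u, 0xFFFFFFFFu, "len near UINT32_MAX, sum wraps" },
        { 0x08048800u, 0xFFFFF000u, "wrap with a page offset" },
    };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t n = vuln_npages(cases[i].base, cases[i].len, 0);
        printf("%-38s npages=%-2" PRIu32 " %s  guard: %s\n", cases[i].what, n,
               n == 0 ? "(get_user_pages called with 0)" : "",
               iovec_rejected(cases[i].base, cases[i].len) ? "rejected" : "accepted");
    }
    return 0;
}
```

The last two cases report npages = 0 from the vulnerable arithmetic while the guard rejects them; catching the wrap on base + len before any page count is derived is the right place to stop a length the user chose, because every later computation trusts that count.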

Reliable exploitation comes from the loop that follows:

1320:       for (i = 0; i < error; i++) {
1321:               const int plen = min_t(size_t, len, PAGE_SIZE - off);
1322:
1323:               partial[buffers].offset = off;
1324:               partial[buffers].len = plen;
1325:
1326:               off = 0;
1327:               len -= plen;
1328:               buffers++;
1329:       }

Here the partial array, which is also PIPE_BUFFERS elements long, is overflowed with (off = 0, plen = 0x1000) pairs. Depending on the variable layout chosen by the compiler, various data structures that follow the partial array are overwritten with zeros. In the most common layout the pages array is located right after partial, and since pages holds pointers, after the loop it contains NULL pointers.

Normally, when the kernel dereferences a NULL pointer, the result is an exception and the process is terminated. However, the attacker can map memory at address zero and store arbitrary data there. When the kernel then dereferences the pointers in the pages array, it processes attacker-controlled data, which can lead to arbitrary code execution in kernel context. In this case a convenient technique is to make an entry in the pages array look like a compound page descriptor, which results in a function call to an attacker-controlled address in user space:

37 static void put_compound_page(struct page *page)   /* attacker controls the argument */
38 {
39     page = (struct page *)page_private(page);
40     if (put_page_testzero(page)) {
41             void (*dtor)(struct page *page);
42
43             dtor = (void (*)(struct page *))page[1].lru.next;
44             (*dtor)(page);   /* so the attacker controls the call target */
45     }
46 }

To sum up, the exploitation chains:

  • an integer overflow (the wrap in off + len + PAGE_SIZE - 1)
  • a buffer overflow (of the pages and partial arrays)
  • a mapping at address zero, so that the resulting NULL pointer dereference reads attacker-controlled data

Workarounds

Upgrading the kernel is the preferred solution, but if that is not feasible there are workarounds.

A simple kernel module that disables the sys_vmsplice system call has been posted [2].

The exploit discussed here relies heavily on being able to map memory at address zero. Starting with kernel 2.6.23 there is a mechanism to forbid such mappings via procfs: the command echo 65536 > /proc/sys/vm/mmap_min_addr sets the lowest permitted mapping address to 64K. Note that:

  • SELinux must be enabled (in enforcing mode) for this setting to take effect.
  • Although this setting certainly makes the current exploit fail, there is a nonzero probability that the vulnerability can be exploited without mapping the zero address. I know of no code capable of such exploitation; however, it cannot be ruled out.
  • This setting may also prevent exploitation of future NULL pointer dereference vulnerabilities. Very few programs make legitimate use of a mapping at address zero.
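To check whether a box still lets an unprivileged process place a page at address zero, here is a small probe, an added example that is not part of the original post. It models the rule behind mmap_min_addr (an assumption stated in the comment: addresses below the threshold are refused unless the caller holds CAP_SYS_RAWIO), parses the sysctl, and then actually attempts the mmap() call an exploit of this kind makes.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20   /* Linux value, for strict-standard builds */
#endif

/* Model of the kernel-side rule behind mmap_min_addr (this example's
 * assumption of the semantics): a mapping below the threshold is refused
 * unless the caller holds CAP_SYS_RAWIO. */
bool low_mapping_allowed(unsigned long addr, unsigned long mmap_min_addr,
                         bool has_cap_sys_rawio)
{
    return addr >= mmap_min_addr || has_cap_sys_rawio;
}

/* Parse the text of /proc/sys/vm/mmap_min_addr ("65536\n"); -1 if malformed. */
long parse_mmap_min_addr(const char *text)
{
    char *end;
    errno = 0;
    unsigned long v = strtoul(text, &end, 10);
    if (end == text || errno != 0 || v > (unsigned long)LONG_MAX)
        return -1;
    while (*end == '\n' || *end == ' ' || *end == '\t')
        end++;
    return *end == '\0' ? (long)v : -1;
}

/* Read the live setting; -1 when the file is absent (pre-2.6.23 kernels). */
long read_mmap_min_addr(void)
{
    char buf[64];
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    if (f == NULL)
        return -1;
    char *line = fgets(buf, sizeof buf, f);
    fclose(f);
    return line ? parse_mmap_min_addr(buf) : -1;
}

/* The exploit's precondition, tried for real: request one page at address 0
 * with MAP_FIXED, as a map-at-zero exploit does. True if the kernel granted
 * it (the page is released again at once). */
bool can_map_page_zero(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)0, page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED)
        return false;
    munmap(p, page);
    return true;
}

int main(void)
{
    long min_addr = read_mmap_min_addr();

    if (min_addr < 0)
        printf("mmap_min_addr: not available on this kernel\n");
    else
        printf("mmap_min_addr = %ld (%s)\n", min_addr,
               min_addr > 0 ? "low mappings refused to unprivileged callers"
                            : "no restriction");
    printf("mmap(0, MAP_FIXED) from this process: %s\n",
           can_map_page_zero() ? "granted, page zero is mappable" : "refused");
    return 0;
}
```

Run it as the unprivileged user you care about: if the sysctl reads 0 or is missing, or the probe is granted, the kernel will hand that user page zero and the workaround above is not in effect. A root shell with CAP_SYS_RAWIO bypasses the check, so a successful probe as root says nothing about ordinary users.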

References

[1] Linux vmsplice Local Root Exploit, by qaaz

[2] Runtime disable of sys_vmsplice

When Is Stealing Not Theft?

Earlier today the Nanshan District Court of Shenzhen, in southern China, convicted 11 members of a password-theft syndicate and sentenced them to between six months and one year of imprisonment.

According to the official press, the syndicate, led by Jin, operated three malware development bases in northern China, each employing exploit developers, website hijackers, command-and-control operators and other teams in support of the ultimate goal: stealing passwords for the Tencent QQ instant messaging network.

The malware "workers" were reportedly paid a commission of 0.5 cents RMB (renminbi, or yuan) per stolen password, and the top performer was believed to have made as much as 7,000 RMB in a month. The stolen passwords were sold on to a broker, and the virtual gold or "QQ coins" harvested from the stolen accounts, often used for online gaming, were traded for real money. This has been a very profitable modus operandi for many virtual-gold seekers and is behind the rise in game password stealers since 2006.

For the "infringement of personal communications" under Chinese law, each of the 11 members received six to 12 months of imprisonment. By comparison, stealing an equivalent amount of real-world money in China carries a hefty sentence of more than five years. As Mr. Qing Feng of the Legal Affairs Office of the Chinese State Council explains, current law treats the stealing of passwords and "QQ coins" as the deletion or modification of data, which does not meet the legal definition of theft.

Disputes over virtual property and crimes involving virtual theft are a growing issue in both the real and the virtual worlds. Barely three months ago a Dutch teenager was arrested for stealing virtual furniture in an online game.

Identity Theft is still a top concern

Each year I eagerly await the Federal Trade Commission's annual report on Consumer Fraud and Identity Theft Complaint Data. It has been available for a few days now and confirms that after three stable years, the numbers are moving again.

For the first time since 2004, all three complaint indicators are up. In 2007 the FTC received more than 810,000 Consumer Sentinel complaints, having never before exceeded 700,000 in a year. As ever, identity theft is the largest complaint category, at 32%. In 2007, 64% of fraud complaints involved companies that first contacted consumers over the Internet; this share has grown year after year, from 55% in 2005 and 60% in 2006. Email is the most frequent method of contact.

Consumers reported fraud losses totaling more than $1.2 billion; the median monetary loss per person was $349, the report states.

The report's top 20 complaint categories are as follows:

Rank  Category                                          Complaints   %
  1   Identity Theft                                       258,427  32
  2   Shop-at-Home/Catalog Sales                            62,811   8
  3   Internet Services                                     42,266   5
  4   Foreign Money Offers                                  32,868   4
  5   Prizes/Sweepstakes and Lotteries                      32,162   4
  6   Computer Equipment and Software                       27,036   3
  7   Internet Auctions                                     24,376   3
  8   Health Care Claims                                    16,097   2
  9   Travel, Vacations, and Timeshares                     14,903   2
 10   Advance-Fee Loans and Credit Protection/Repair        14,342   2
 11   Investments                                           13,705   2
 12   Magazines and Buyers Clubs                            12,970   2
 13   Business Opportunities and Work-at-Home Plans         11,362   1
 14   Real Estate (Not Timeshares)                           9,475   1
 15   Office Supplies and Services                           9,211   1
 16   Telephone Services                                     8,155   1
 17   Employ. Agencies/Job Counsel/Overseas Work             5,932   1
 18   Debt Management/Credit Counseling                      3,442  <1
 19   Multi-Level Mktg./Pyramids/Chain Letters               3,092  <1
 20   Charitable Solicitations                               1,843  <1

“Friendly Worms” Facing Friendly Fire

When a colleague pointed me to this article about Microsoft research on using worm techniques to distribute patches more efficiently, I had a moment of extreme déjà vu. After all, Fred Cohen was talking about beneficial uses of viruses in the mid-80s. Since then we have seen a number of attempts that prove the old adage that the road to hell is paved with good intentions.

Back in 2001 we saw CodeGreen attempt to locate and patch machines infected with the infamous CodeRed worm. In a variety of other cases one piece of self-propagating code has tried to patch backdoors or vulnerabilities, but usually to protect its own turf against a rival author rather than for any altruistic purpose. Examples include the Linux Cheese worm and the Bagle and Netsky variants that tried to remove each other during the much-publicized "virus wars" of 2004.

The use of self-replicating code to fix other security problems has invariably proved to be a Bad Idea in the real world, because we simply do not understand the epidemiology of the complex, heterogeneous universe we call the Internet. Rather than steal his thunder, I invite you to check out Igor Muttik's talk on "Good Viruses" in the Research Revealed track at RSA on April 9th, if this topic interests you. Alternatively, read Vesselin Bontchev's paper on the subject here.

On the other hand, if you actually read the Microsoft research at http://research.microsoft.com/~milanv/, he is really looking at how the epidemiology of good code versus bad code works. Given that most worms are Windows-based and that Microsoft, by definition, provides the patches that block the worms exploiting vulnerabilities in its software, this is not irrelevant. While biological analogies to computer viruses are often dismissed, this is one area where a "computer epidemiology" discipline would be most welcome.

McAfee pushes something like a petabyte (PB) of DAT signatures a month, so I cannot even imagine how much bandwidth Microsoft consumes delivering patches to all the Windows machines on the planet. And given how little we really understand about how information flows between computers on the Internet, there is something to be said for advancing the science of information dissemination.

Unfortunately, most researchers concentrate on the spread of self-propagating worms that exploit services, like Slammer, Blaster, CodeRed, Witty and other high-profile, fast-spreading worms. Today, though, we are far more likely to see a huge variety of fairly prosaic threats that rely as much on social engineering as on exploits to propagate, and in that area there is painfully little research.

What are the propagation rates of Web 2.0 threats, like the spate of MySpace and Facebook attacks over the last couple of years, compared with any other web-based attack? How do regional idiosyncrasies, such as localized software vectors or the language of the social engineering, affect threat propagation? How fast do patches or AV signatures need to be distributed to damp the spread of threats propagating at different rates? How do different peer-to-peer (P2P) strategies compare with other mechanisms for "good code" dissemination? All of these are increasingly valid and relevant questions in the Wild West of today's Internet.

Let’s just remember that there is no “beta” version of the internet we can experiment on at scale. ;-)