So April 1st came and went, and it seemed that all might be right in the post-Conficker world…

Of course, nothing is that easy. With the latest activity, there is also a continual flood of information out there. Below, I have attempted to aggregate the new functionality.

Around April 7th/8th Conficker started to move again. Our peers were able to confirm this new update functionality.

When it did wake, it used the peer-to-peer (P2P) communication channel to call home rather than the HTTP rendez-vous to start its latest escapade. In this case, the infected host will be contacted initially by another host over an ad-hoc P2P connection. Kind of like an alarm clock. Then, after hitting the snooze button over a period of several hours, the communication begins again - starting this time from the infected host.

Conficker is definitely not in any rush to tango. Communication is done in such a manner that this traffic (aka update) may go unseen - or at least mostly under the radar, by using fragmented and irregular UDP communication.

So what happens next? When this P2P communication stream ends, our host is basically told to go to a domain and download a file. This is when TCP comes into play. Our infected host goes out to an address and an encrypted executable file is downloaded. Once executed, it could contain malware such as the ever-changing FakeAlert or even Waledac. So at the end of this round, we may be left looking at something similar to the below screenshots:

We have also seen some hosts serving up a Waledac payload.(Realistically, it may contain anything that the bad guys are serving up on those domains.)

These downloads are detected as FakeAlert-SpywareProtect and Waledac.gen.b respectively.

Also downloaded as part of the payload, we again have the MS08-067-like “hot” patch. This time however, it is closer to the original patch - so as to elude detection. (Note: our McAfee Conficker Detection tool is in process of being redesigned to allow detection of the latest variants).

There are also two other notes of interest. The first of which is that we have a new deadline to watch. On May 3rd this latest variant is set to expire.

Thinking aloud, this point brings some interesting questions to mind. Such as - Is this just a test from the Conficker crew who are serving up Waledac incidentally? Or is this done for other self-serving reasons? (i.e. - Attention diversion) Maybe it’s just a deadline for a rented botnet? Interesting questions I am sure the security community at large is wondering.

Second, when an infected host resolves a HTTP rendez-vous domain name, it compares the IP resolved with the list of IPs it already queried, if the new IP is in the list, it will move on to the next domain in its list.

Of course, we will update if anything else comes along…

As a follow-up to my colleagues’ blog post about the newest Office exploits, here is an analysis of one of the Microsoft PowerPoint Zero-Day exploits that once again are used in targeted attacks to infect victims with a trojan horse. The malicious presentation files abuse a new, yet unpatched hole in Microsoft PowerPoint and causes it to execute code infiltrated by the attackers. This blog post shows how the shellcode works and what it does, right after an innocent victim opens the malicious file - if the attacker gets their way of course!

For size reasons, the code is split up into several parts that are scattered among the malicious PowerPoint file. Part one of the shellcode consists of an “egghunter”, which is used to relocate the remaining part of the shellcode in memory. In order to do that, it first sets up an exception handler that prevents crashes when accessing bad memory locations, then goes on a hunt for the shellcode’s prepended egg (0xD1CF11E0). Once that egg (which is a marker for the beginning of the shellcode’s second part) is found in memory, code execution is transfered to the code following it.

Part two of the shellcode begins with a loop that looks for a writable memory block of at least 1KB in size (starting at address 0×30000000). Another loop then XOR decodes another part of the shellcode into that memory location and branches to it. Once decoded, a filename (”fssm32.exe”) can be seen in the disassembly. In order to either download or drop a second-stage executable, shellcode needs access to operating system API functions. The ones it needs are going to be imported by parsing OS internal structures, such as the Process Environment Block, to locate kernel32.dll, then parsing the library’s PE header to locate the desired function pointers.

As shellcode mostly needs to fit into a size-limited block of memory, this piece of exploit not only has its code split into several parts for it to work reliably, it also uses 32bit hashes of API functions to import, rather than a list of respective function names which would consume more space. The shellcode’s ROR-13 hashing algorithm iterates over any exported API function name and compares it against its given list at run-time. Applying the same technique when statically analyzing shellcode, the list of imported functions becomes readable. Looking at the now readable list, it does not contain any function which would indicate the shellcode to download a file but rather drop an embedded one from the PowerPoint file and execute it.

Using a hex-search for typical indicators of an executable file, such as an “MZ” or “PE” header doesn’t yield any feasible results - which is not astonishing at all. Of course, the attackers responsible for having built the exploit intended to prevent their cover being blown by something as obvious as an executable that is embedded into a PowerPoint presentation file! By looking more closely at the shellcode, there is another suspicious XOR-decoding loop.

The loop decrypts a given memory block using an 8bit XOR key. By incorporating the same decryption-loop into a Python script and applying it to the PowerPoint file (see screenshot below), both an MZ- and PE header surface in the hex editor. It’s the embedded executable that was assumed to hide between the PowerPoint “slides” - the malware can finally be extracted.

McAfee VirusScan products detect this threat as Exploit-PPT.k trojan, McAfee Anti-Malware Gateway Edition (former Secure Computing) detects the new exploits as Heuristic.Exploit.OLE2.CodeExec.PGPG.

An exploit found to be targeting a recently patched vulnerability for Internet Explorer 7 was discovered in-the-wild.  Malware crooks were quick to develop a working exploit for the vulnerability in Internet Explorer 7, which was part of the February Microsoft patch release. Microsoft rated this vulnerability critical with the possibility of a consistent exploit code. The modus operandi bears close resemblance to the zero-day attack using word documents, we blogged about in December 2008.

The attack, delivered in the form of a maliciously crafted document, is sent out to unsuspecting users. This word document contains an embedded ActiveX control which upon opening, connects to a website hosting the MS09-002 exploit.

Malware authors are always working to create new and improved ways to evade detection and control compromised machines. This time, malware authors introduced obfuscation (base64 encoding) possibly to evade easy analysis and detection.

The ActiveX control facilitates connection to the malicious website to launch and execute the MS09-002 exploit.

For those who have not patched their machines, we suggest you install the MS09-002 patch immediately. It will just be a matter of time before different variants of this exploit start circulating in the wild and become incorporated into various Do-It-Yourself web attack toolkits.

The malicious word document is detected with the current DATS as Exploit-MSWord.k and the Internet Explorer 7 exploit is detected as Exploit-XMLhttp.d / Exploit-CVE2009-0075.

A picture is worth a thousand words…

First let me say, “PATCH your systems” if you have not done so already!

Seriously, you and your machines are sitting ducks for attacks such as MS08-067, which we learned about from Microsoft last month. This type of attack is especially dangerous if your Windows Updates or security products are not up to date. Microsoft released its out-of-cycle emergency patch on the 23rd of October–more than one month ago–so you have no excuse today for being at risk!

At McAfee Avert Labs we have seen a few proof-of-concept binaries using the exploit code that was released into the wild to attack this Windows Server Service vulnerability; the latest is W32/Conficker.worm. According to the description in our Virus Information Library, W32/Conficker.worm decides how it will load itself as a Windows Service depending on whether the compromised version of Windows is Windows 2000.

Once loaded in the service space, the worm attempts to download files from the Internet–specifically, further malware from trafficconverter.biz and data files from maxmind.com.

The worm continues by setting up an HTTP server that listens on a random port on the victim’s system while hosting a copy of the worm. It then scans for new vulnerable victims to exploit, at which point the new victim will download the worm from the previous victim and so on.

To recap McAfee’s coverage and protection for this vulnerability, please check here. We have increased coverage in today’s DATs (Version 5445) to protect against this, and future variants, of the W32/Conficker.worm.

For more information on the Microsoft vulnerability, refer to their security bulletin.

As many of us enter the holiday season of Thanksgiving it’s vital to ensure your systems are patched and up to date while you’re enjoying your time off. Malware doesn’t break for holidays!

It has been over 2 years since I last wrote about malware exploitation of a major vulnerability in the Windows Server Service (MS06-040) by malware.

In 2006, worm authors were quick to adopt the remotely executed exploit in just 4 day following a security update released as part of the regular Patch Tuesdays - IRC-Mocbot, W32/Sdbot, W32/Spybot, W32/Opanki, et ceteras.

Now in 2008, we are faced with malware authors, motivated by profits, more organized, and are more likely to target zero-day vulnerabilities, as we have reported on several critical incidents we have discovered since 2006. Like déjà vu, Microsoft released an out-of-cycle security update today to address in-the-wild attacks against a new MS08-067 vulnerability targeting the same Windows Server Service.

Attacks seen in the wild so far seem to have come from variants of the Spy-Agent.da trojan. When run, it may not be immediately apparent to the victim that it was using any exploits. Taking a quick glimpse into the binary code of basesvc.dll (Spy-Agent.da.dll), one of the DLL components installed by Spy-Agent.da, one can see strings that would look very familiar to those familiar with MS06-040.

On closer analysis, Spy-Agent.da.dll seeks out potentially vulnerable Windows machines in the local network, and sends maliciously crafted DCERPC requests to exploit the Server Service (SvrSvc).

When successful, hardcoded shellcode embedded within the malware, is executed on the targeted machines to download Spy-Agent.da (or possibly other variants or files) from a web server hosted in Japan.

(shellcode after decoding)

Just hours following the patch release, public source code has already been seen distributing on the Internet. What more can I say ? Patch your systems ! Yes, NOW !

Spy-Agent.da and Spy-Agent.da.dll are now detected using the current 5414 DATs. See Dave’s blog for McAfee’s coverage.

(thanks to Joey Koo and Xiaobo Chen for providing analysis data and packet dumps used in this blog)

Due to the MS08-067 out-of-cycle release from Microsoft today we are in the process of releasing emergency DATs/coverage updates for many of our products and technologies. We are also working on an emergency Security Advisory as well.

Current state for each of the content areas is as follows:

Malware - Emergency DAT cut and testing in progress. ETA of 2 - 3 hours.

HIPS - Generic buffer overflow should provide coverage.

Intrushield - Partial existing coverage. Additional emergency sigset releasing today.

Foundstone - Emergency signatures being released today.

V-Flash - Emergency signatures being released today.

MNAC - Emergency signatures being released today.

VirusScan Enterprise BOP - Should provide coverage for the buffer overflow.

We will continue to monitor this critical event to provide the most comprehensive coverage we can.

Issue 5 of the publication formerly known as Sage has been released. This issue we take aim and tackle the rather murky subject of social engineering. We have nine excellent articles for you from some of our finest researchers as well as two academic experts. Some of the topics covered include:

The Origins of Social Engineering
Social Engineering 2.0 - What’s Next?
Vulnerabilities in the Equities Markets
The Future of Social Networking Sites
Typosquatting - Unintended Adventures in Browsing

Many aspects of social engineering are dissected and investigated as well, some not found anywhere else! Definitely worth the download and read.

Available here.

Avert Labs recently discovered and reported a couple of Linux Kernel vulnerabilities, all of which have been patched by linux kernel maintainers.

The first one is BER Decoding Remote vulnerability (CVE-2008-1673) . This vulnerability was patched by the Linux dev team on 9th June 2008.

This vulnerability is a kernel heap overflow in CIFS module and ip_nat_snmp_basic module. It’s possible to reach the exploitable condition on 64bit platform. Though its hard to trigger a kernel heap overflow in 32bits platform, it’s still possible to crash the Linux box. We strongly recommend users to update to the following kernel versions:

Linux kernel 2.6.25 .5
Linux kernel 2.6.26-rc5-git1
Linux kernel 2.4.36.6

Some vendors have mistakenly marked this as a vulnerability exploitable only in the local network. A correction for them, this vulnerability is remotely exploitable. We contacted one such security service providers who had mentioned this issue as exploitable over the ‘local network’ only and got this response:

“According to our information the ASN.1 decoding vulnerability exists within the modules handling CIFS and SNMP traffic. These are both protocols which we think should be firewalled off the Internet via common “best practices”, thus we set the attack vector to “local network” only.”

I don’t really agree with this approach, anything that is firewallable is locally exploitable then? In fact I would rather say that it is remote vulnerabilities like these that need firewall policies to be enabled and not the other way round. I would love to hear opinions from others on this issue.

BTW our McAfee Network Security Platform (formerly IntruShield) has already been updated with content to protect against this vulnerability.

The other issue was found by Brandon Edwards which is another interesting issue in DCCP, it is a local privilege escalation vulnerability (CVE-2008-2358). The vulnerability (supposedly) only exists in 2.6.17, 2.6.18, and 2.6.19 due to boundary checks in the upstream kernel versions. It is non-trivial to exploit this vulnerability.

The latest Microsoft ActiveX flaw disclosure looks like a silently patched issue.

The flaw, disclosed by US-CERT, was not part of Microsoft’s MS07-069 Security Bulletin released in December of 2007. The CVE ID (CVE-2007-6255) is not listed in Microsoft’s Bulletin at the time of this writing and is still in the reserved state on MITRE’s CVE Web site.

The vulnerability affects an ActiveX control used to play games on the MSN Games site. When exploited, it would allow for code execution at the rights level of the victim because of improperly processing a crafted “host” parameter.

The workaround for those who have not installed the patch is…

Bingo! Set the kill bit. You’ll want to disable the ActiveX object from loading using this class id: E5D419D6-A846-4514-9FAD-97E826C84822.

This is one of those cases where the moment you hear about the vulnerability, there is a patch available already. This, of course, is better than the alternative. Most of you should have the patch already installed.

I’m not going to get into the “Why weren’t we notified?” issue, I just wanted to call attention to this on the off-chance there is anyone who isn’t patched.

Late on Thursday Microsoft released an advisory about a new privilege escalation vulnerability affecting IIS and SQL Server on Windows XP, 2003, Vista, and Server 2008.

It’s likely that this is the same flaw discussed by Cesar Cerrudo in his talk, “Token Kidnapping”, at the HITB Security Conference 2008 in Dubai. Cerrudo had discovered a privilege-escalation vulnerability earlier, and said in March, “Design weaknesses can be abused on Windows XP, Vista, Internet Information Services 7 and Windows Server 2003 and 2008”.

So what is known about this flaw? A malicious local user who has authentication could execute specially crafted code to raise his privilege level to LocalSystem. IIS and SQL Server are the main attack vectors. But other vectors are possible, such as Microsoft Distributed Transaction Coordinator (MSDTC) on Windows Server 2003.

While the vulnerability is limited to a local privilege escalation, IIS’s susceptibility is concerning. The Web server is widely used on the Internet, and is a top pick by Web-hosting providers. We might see Web-hosting providers targeted, and — this is scary -– their clients’ Web sites breached. As Microsoft stated in its advisory, “Hosting providers may be at increased risk from this elevation of privilege vulnerability.” However, no exploitation has been observed at this time.

The next Patch Tuesday is May 13. Sysadmins, please heed to Microsoft’s suggested workarounds for IIS until then -– or more to the point, until Microsoft patches this vulnerability.

Finally, a bit of speculation (hat tip to Kevin Beets). One attack vector for this vulnerability uses the SeImpersonateClient privilege. The MSDN page for privilege constants states:

Windows XP/2000: This privilege is not supported. Note that this value is supported starting with Windows Server 2003, Windows XP SP2, and Windows 2000 SP4.

Microsoft did not say that Windows 2000 or Windows 2000 SP4 are vulnerable. But curiously, they did say Windows XP SP2 is. If Service Pack 2 for Windows XP introduced this vulnerability in that operating system, might Service Pack 4 for Windows 2000 not have done the same for Windows 2000?

Late last Friday, Avert Labs became aware of an interesting piece of malware. In this latest social engineering scenario an attacker sends a new “friend request” to MySpace users. When the user clicks on the picture or name of their new potential friend, an overlaid image of what looks like a legitimate Windows “Automatic Update” pop-up box is displayed. Clicking on or near this bogus dialog will result in a request for a file download that is visually disguised as a Microsoft update called “updateKB890830.exe” from a server named “winxpupdate.Microsoft[removed]“.

Instead of an update however, this download contains a malware cocktail containing additional downloaders, several trojans, as well as a remote admin tool. It is advised to be aware of dialogs that have abnormal properties. One such property may be that the dialog disappears when the web browser is minimized. If this is the case the dialog is probably an image rendered within the context of a web browser and is not a legitimate update. McAfee AV users were proactively protected against this threat.

Today Microsoft released six Security Bulletins detailing 15 vulnerabilities. Three of the vulnerabilities had surfaced before today’s fixes. Two vulnerabilities are uniquely found on Windows Vista; one can lead to disclosure of sensitive information on Vista and one to remote code execution via Vista’s Windows Mail. After the release of the patches today, exploit details for MS07-032, the Windows SChannel vulnerability have been posted.

Did Microsoft actually patch more than 15 vulnerabilities? The actual number is indeed higher judging from the MS07-030 Visio Security Bulletin: “This important update resolves [...] in addition to other security issues identified during the course of the investigation.”. Silently fixing “other security issues” leaves Microsoft’s customers in the dark since they can’t tell the urgency to apply the patches and whether their security tools will protect the affected software.

The monthly update of the numbers is shown below. After adding the fifteen patched vulnerabilities, the 2007 numbers are still higher than those of earlier years.
Š

Yesterday Microsoft patched 19 vulnerabilities; among them are the DNS-RPC vulnerability that was exploited by botnets in April and the Word vulnerability that was first disclosed on this blog. One of the new vulnerabilities, the Exchange MIME decoding vulnerability, can be remotely exploited without user interaction and should get high priority if you are running Microsoft Exchange.

When creating the graphs below I realized that I wasn’t even a tiny bit surprised by the high number of patched vulnerabilities. Time will tell if we will return to the days when the number of monthly patches was in the single digits. For now, I seem to be used to the high number of patches on Patch-Tuesday probably helped by similar large patch releases by Oracle, Apple and other vendors.