Earlier today, Microsoft released Security Advisory (981374). This advisory covers CVE-2010-0806, an unpatched vulnerability affecting Internet Explorer versions 6 and 7. This attack appears to be rather targeted at the moment, but as with other unpatched vulnerabilities in the past, this has the potential to explode now that the word is getting out.

McAfee Labs is aware of an attack emanating from the domain topix21century.com (over both http and https). In this attack, vulnerable users are directed to a malicious webpage that downloads and executes a file named notes.exe or svohost.exe (classified as BackDoor-EMN) in drive-by download fashion (visiting the page is enough to get infected). There are multiple variants of this trojan involved. Notes.exe creates two copies of itself in the %temp% directory, and drops a DLL file. This DLL file is injected into Internet Explorer and provides remote access to an attacker.

The backdoor allows an attacker to perform various functions on the compromised system, including uploading & downloading files, executing files, and terminating running processes. Infected systems may attempt to communicate with the domain notes.topix21century.com over https.

File names related to this attack include:

• 20100307.htm (CVE-2010-0806 exploit)
• bypasskav.txt (part of exploit obfuscation code)
  • notes.exe (backdoor installer)
    • note.exe (backdoor installer copy)
    • clipsvc.exe (backdoor installer copy)
      • wshipl.dll (backdoor)
    • rsvm.exe (backdoor installer)
      • wshipnotes.dll (backdoor)

Preliminary product coverage is as follows:

• McAfee DAT files (antivirus): Coverage will be provided for known exploits as Exploit-CVE-2010-0806 and known payloads as BackDoor-EMN in the 5916 DAT files, releasing March 10.
• McAfee VirusScan Enterprise Buffer Overflow Protection: Generic Buffer Overflow Protection is expected to cover future exploits.
• McAfee Host Intrusion Prevention: Generic Buffer Overflow Protection is expected to cover future exploits.
• McAfee Network Security Platform: The sigset releasing March 9 contains coverage under the signature “HTTP: Microsoft Internet Explorer Code Execution Vulnerability”.
• McAfee Vulnerability Manager: The FSL/MVM package of March 9 includes a vulnerability check to assess if your systems are at risk.
• McAfee Web Gateway (formerly Webwasher): TrustedSource has coverage for domains and IP addresses that the malware contacts.
• McAfee Firewall Enterprise (formerly Sidewinder): TrustedSource has coverage for domains and IP addresses that the malware contacts.
• McAfee SiteAdvisor, SiteAdvisor Plus, SiteAdvisor Enterprise: TrustedSource has coverage for domains and IP addresses that the malware contacts.

McAfee Labs is investigating this attack further and will continue to monitor any related activity closely.

Today we unveiled our Threats Report for the fourth quarter of 2009. It highlights many of the most significant spam-generating stories in 2009 as well as the rise of political hacktivism in countries such as Poland, Latvia, Denmark, and Switzerland. The report’s findings also reveal that 2009 averaged approximately 135.5 billion spam messages per day; yet spam volume decreased by 24 percent in Q4 compared with Q3.

Spammers piggybacked heavily on leading headlines in 2009, taking advantage of breaking news stories, global tragedies, and other timely events. The Air France plane crash and Michael Jackson’s death were among the top tragedies exploited by spammers last year. McAfee researchers also noted a significant number of 2010 FIFA World Cup-themed phishing scams, Zeus Trojans masked as the CDC and referencing the H1N1 vaccine program, and “get rich quick” scams due to the rise of U.S. unemployment levels.

Politically motivated attacks are on the rise around the world, targeting popular social networking destinations, as seen recently with the Iranian Cyber Army’s political attack aimed at Twitter. The report confirms that the United States is not the sole target, nor is China the sole origin for these types of assaults. Recent political attacks targeted the Polish government, the Copenhagen Climate Conference, and Latvia’s Independence Day.

Malware–including fake security software, attacks on social networks, and AutoRun USB infections–continued to rise significantly last year. Internet-based, Web 2.0-centric attacks and threats on portable storage devices played a huge role in 2009, contributing greatly to the immense increase in threats and demonstrating how the nature of computer threats are evolving over time. Cybercriminals used social networking sites to target a new generation of victims, with Koobface activity increasing considerably during the latter part of 2009. Koobface is now hosted by servers in 46 countries, with the United States, Germany, and Denmark making up the top three hosting locations.

China Overtakes the U.S. as No. 1 Country Producing Zombies

Zombie production in the U.S. dropped significantly, from 13.1 percent in Q3 to 9.5 percent in Q4, making China the top Zombie-producing country at 12 percent. Brazil ranked third, with Russia and Germany rounding out the top five countries. The United States still remains the number one country in spam production, with Brazil and India taking the number two and three spots. Ukraine and Germany joined the list of top 10 countries producing spam for the first time in 2009.

The Geographic Distribution of Web Threats

North America is the worldwide leader in hosting malicious content, with Europe/Middle East/Africa second, followed by Asia/Pacific. In Europe, Germany holds the number one spot, followed by the Netherlands and Italy. China is the chief host for malicious content in Asia, followed by Russia and South Korea. South America is beginning to play a larger role, with Brazil as the top hosting country in that region.

China is the Worldwide Leader in SQL-Injection Attacks

Although SQL-injection attacks originate from a number of countries across the globe, China was by far the number one country hosting these assaults, at 54.4 percent. Due to the growing popularity of Adobe applications, McAfee Labs saw a number of client-targeted attack attempts to exploit Flash and Acrobat reader.

A full copy of the Q4 2009 Threats Report is available here.

Microsoft has released Security Bulletin MS10-002, regarding Internet Explorer vulnerabilities. In addition to patching the flaw exposed by Operation Aurora, the company released patches for seven other vulnerabilities.

We are aware of reports of private CVE-2010-0249 exploits impacting Internet Explorer 7 and 8 (though these are mitigated with ASLR and DEP). Historically, the odds of private exploits being made public rise dramatically after a patch is released.

In my last post, I mentioned many detections were occurring on systems residing in China. The number of detections today in the United States are closing that gap.

This is not a patch to put on the back burner.

Here’s a quick update on CVE-2010-0249, aka the Aurora exploit.  A few days ago exploit code was made public.  Since then malware authors have been customizing the exploits payload to install their own malicious creations.  Much of the field telemetry we’ve been receiving has been coming from McAfee users in China visiting websites in China.  Some users have been directed to malicious sites from blog and forum posts, while other cases involve compromised web pages that use multiple javascripts and iframes to pull in the malicious content.

The exploits are often served from subdomains of 3322.org and 8866.org.  A common filename is ie.html, which references what.jpg, which contains part of the exploit code (and not a JPEG image).  Some payloads seen download files named down.css and log.css, which are malware executables.  Those executables contain functionality to download other malware, including:

• Artemis!629E2332CFDA – Generic PWS.y!bsk
• Artemis!78043EBA321B – PWS-Mmorpg!la
• Artemis!911BCF95C022 – PWS-OnlineGames.gx
• Generic Downloader.x!coe
• Generic Dropper!byp
• Generic PWS.y!bsk
• PWS-Mmorpg!la
• Suspect-02!50CB7D4BB04E – Generic Dropper.hi
• Suspect-26!4EBF601DCBF6 – PWS-Mmorpg!la
• Suspect-26!6D89EB2792F7 – PWS-Mmorpg!hb
• Suspect-26!B01B63F88994 – PWS-Mmorpg!la

Given that exploit code is readily available, this is likely the tip-of-the tip of the iceberg in terms of the domains and malware we are likely to see over the next few weeks (and we can expect to see new exploit and related malware variants for many months, if not years, to come).

Earlier today, Computer World reported that private exploits were created which exploit Internet Explorer 7 & 8, but that those exploits would remain private.  Still, this publicity may entice others to meet the challenge and go public to prove their prowess.

On the bright side, Microsoft said today that they would release an out of cycle patch for this vulnerability.  McAfee Labs advices those tempted to install an unofficial patch to think twice before doing so as malware and adware often arrive under the guise of such a “fix”.

We are pleased to announce the next event in our complimentary monthly “Hacking Exposed Live!–A Webcast Series,” which educates attendees to protect against cybercrime and hackers. The monthly webcast, hosted by Hacking Exposed coauthor and McAfee Senior Vice President Stuart McClure, walks attendees through the latest hacking techniques and explains countermeasures for preventing attacks.

The next webcast is January 21 at 11 a.m. Pacific time (2 p.m. Eastern) and will feature two white-hot security topics: Botnets and Aurora–the zero-day vulnerability that last week struck Google and several other well-known companies. McAfee Worldwide Chief Technology Officer George Kurtz and McAfee Senior Director Greg Brown will join McClure to enlighten the audience on how hackers exploit these vulnerabilities and what can be done to prevent them from impacting businesses.

Based on the best-selling security book Hacking Exposed, this live monthly webcast gives attendees deep insights into current and evolving hacks and what they can do to keep their environments protected. The webcasts include everything attendees need to know to stay ahead of those who would cause harm. The sessions will also address the universe of hacks–involving social media, mobile, Unix, and more.

Click here to learn more and register today.

Operation Aurora has received a lot of attention over the past couple of days.  To recap, Google, Adobe, and many other companies were attacked with code exploiting a zero-day vulnerability in Internet Explorer.  Since the announcement of this vulnerability (CVE-2010-0249), exploit code has been made public and already revised into a more usable form.

History tells us that when exploit code targeting an unpatched vulnerability in popular software is release; a slew of attackers are ready, willing, and able to capitalize.  What started out as a sophisticated targeted attack is likely to lead to large-scale attacks on vulnerable Microsoft Internet Explorer users.  This often takes the form of drive-by download sites serving malware to unsuspecting users, lured by links spammed in email, social networking sites, blogs, and poisoned search engine results.

For more information on this vulnerability, the Operation Aurora attack, and ways to protect your environment see:
More Details on “Operation Aurora”

Earlier today, George Kurtz posted an entry, ‘Operation “Aurora” Hit Google, Others’,  on the McAfee’s Security Insight blog  The purpose of this blog is to answer questions about this particular attack; fill in some of the threat flow and McAfee coverage details.

How were systems compromised?
When a user manually loaded/navigated to a malicious web page from a vulnerable Microsoft Windows system, JavaScript code exploited a zero-day vulnerability in Internet Explorer;  Microsoft Internet Explorer DOM Operation Memory Corruption Vulnerability.  Microsoft has released Security Advisory (979352) for this vulnerability (CVE-2010-0249).

What was the payload of the exploit?
Once a system was successfully compromised, the exploit was designed to download and run an executable from a site, which has since been taken offline.  That executable installed a remote access Trojan to load at startup.  This Trojan also contacted a remote server.  This allowed remote attackers to view, create, and modify information on the compromised system.

How wide-spread is this attack?
Aurora appears to have been a very concentrated attack on specific targets.  It is not believed to be widespread at this time.

How serious is this vulnerability?
The Microsoft Internet Explorer vulnerability leveraged in this attack allows for remote code execution, but does require user intervention (such as following a hyperlink to a website, or opening an email attachment, etc).  Furthermore, the single exploit known to exist can be thwarted by Data Execution Prevention (DEP), enabled by default in Internet Explorer 8 and optionally in Internet Explorer 7.  Microsoft lists the following combinations to be vulnerable: Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are affected.

How are McAfee customers protected from this attack?
McAfee DAT files (antivirus): Coverage will be provided for associated malware (as Exploit-Comele, Roarur.dr, and Roarur.dll in the 5862 DATs, releasing January 15. Partial coverage is provided in the current (5861) DATs for some components as Generic.dx!kwv, Generic Spy.e, Spy-Agent.ey, and Exploit-Comele.

McAfee VirusScan Enterprise Buffer Overflow Protection: Generic Buffer Overflow Protection is expected to cover some, but not all, exploits.

McAfee Host Intrusion Prevention: Generic Buffer Overflow Protection is expected to cover some, but not all, exploits.

McAfee Network Security Platform: The UDS release of January 14 contains the signature “UDS-HTTP: Microsoft Internet Explorer HTML DOM Memory Corruption” which provides coverage.

McAfee Vulnerability Manager: The FSL/MVM package of January 14 includes a vulnerability check to assess if your systems are at risk.

Updated Jan 14
McAfee Web Gateway (formerly Webwasher): TrustedSource has coverage for domains and IP addresses that the malware contacts and coverage for associated malware was released January 15 (as BehavesLike.JS.Obfuscated.E“), proactive coverage existed for some components (as Trojan.Crypt.XDR.Gen).

Updated Jan 16
McAfee Firewall Enterprise (formerly Sidewinder): TrustedSource has coverage for domains and IP addresses that the malware contacts and coverage for associated malware was released January 15 (as BehavesLike.JS.Obfuscated.E“), proactive coverage existed for some components (as Trojan.Crypt.XDR.Gen).

Updated Jan 18
McAfee Network Security Platform: Extended coverage is provided in the January 18 UDS release via the “Microsoft Internet Explorer HTML DOM Memory Corruption III” signature. Coverage was originally provided in the UDS release of January 14.

McAfee Application Control: All versions of McAfee Application Control protect against infection, without updates, and will prevent all versions of the “Aurora” attack witnessed to date.

McAfee Firewall Enterprise: TrustedSource has coverage for domains and IP addresses that the malware contacts. The embedded McAfee AV scanning engine in Firewall Enterprise version 7.0.1.02 and later provides coverage for supported protocols via standard McAfee DAT updates. Coverage for known exploits and associated malware is provided as Exploit-Comele, Roarur.dr, and Roarur.dll in the 5862 DATs, released January 15.

McAfee SiteAdvisor, SiteAdvisor Plus, SiteAdvisor Enterprise: TrustedSource has coverage for domains and IP addresses that the malware contacts.

Updated coverage information will be communicated through McAfee Security Advisories:
http://www.mcafee.com/us/threat_center/securityadvisory/signup.aspx

Day 2 and Night 2 of the 26th Chaos Communication Congress is over, so it’s time for a short update on what you are missing here.

This year the Congress is organized as a distributed event: Many local Hacker Spaces have joined the network at Berlin Conference Center, giving access to resources and talks to visitors. Check out the Dragons Everywhere Wiki at 26c3 for more info. And of course there are still the live streams of the talks available.

One highlight was certainly an update of the current debate around the Vorratsdatenspeicherung (”data retention”). CCC-spokesperson Constanze Kurz expects a favorable ruling against the current laws by the highest German court. This may have an EU-wide impact.

At the same time (and thank goodness there were streams available!) was Collin Mulliner’s talk about fuzzing smart phones and some of his (and Charlie Miller’s) findings.

Felix ”FX” Lindner changed sides: In a talk covering defense instead of breaking things, he demonstrated the security problems that come with Flash and released a tool for sandboxing .swf files to prevent a class of Flash exploits called Blitzableiter (”lightning rod”). His tool is still work in progress but looks very promising already.

And to finish the day there was the Phonoelit Party at c-base, featuring Mumpi, Vela, and Illo. Another great event!

Of course, this selection is just my personal preference. Make sure to check the schedule for talks that interest you.

With the New Year just days away, it’s time for McAfee Labs 2010 Threat Predictions. What should you be wary of in the coming year? Social networks.

Sites such as Twitter and Facebook have changed the way we communicate, interact, and share on the web. As user bases for the top online social destinations reach record highs, cybercriminals are building out their criminal toolkits, taking advantage of new technologies, third-party applications, and hotspots of activity to exploit users.

What does this mean for the average surfer? Next time you receive an invite from one of your “Facebook friends” to play a game that looks like it’s shaping up to be the next Farmville, think twice before you click. In 2010, users are going to be more vulnerable to attacks that blindly distribute fake apps across their networks. The same goes for bit.ly’s and TinyURLs. As abbreviated URLs become more ubiquitous, it will be even easier for cybercriminals to mask and direct users to malicious sites.

Speaking of ubiquity: McAfee Labs predicts that Adobe will overtake Microsoft as the No. 1 target for cybercriminals in 2010. Adobe products—in particular Acrobat Reader and Flash—have become two of the most widely used apps in the world, and cybercriminals go where the masses go. Cybercriminals will have a field day preying on people using Adobe software.

McAfee also believes the following will play a critical role in 2010:

• Banking Trojans will become even more sophisticated. They showed some firepower in 2009—easily getting around current protections used by banks—but next year they will reach a new level with the ability to interrupt legitimate transactions and make unauthorized withdrawals, while flying under the radar.
• Malware via email attachments will increase, especially targeting corporations, journalists, and individuals
• Botnets, the infrastructure that launches nearly every type of cyberattack, will adopt a peer-to-peer architecture, connecting computer to computer without a centralized control point—making it more difficult for cybersecurity professionals to detect them
• HTML 5 and the evolution of the programming language will give cybercriminals new opportunities to write malware and prey on users

Countering these trends, in 2010 McAfee predicts a good year for law enforcement and the ability to identify, track, and combat cybercrime worldwide. After a decade of cybersecurity research, coordination, and training undertaken by agencies across the globe, the community will reap the benefits of the effort put forth over the past ten years.

McAfee Labs serves up the details on its threat predictions in the full report. Surf the web cautiously in 2010!

(We must correct one oversight: Our colleague Pedro Bueno was one of the authors of the report. His name was inadvertantly left off the document. Thanks, Pedro!)

Client-side exploitation continues to be a popular attack vector. Another zero-day attack has targeted Adobe Acrobat Reader to infiltrate customer networks. The currently unpatched exploit opens the door to code execution when a victim simply reads a malicious PDF document.

This JavaScript code is viewable only if the stream had been unpacked, as can be seen in this FileInsight screenshot:

Although the content of the compressed stream may look like random data, when unpacked the JavaScript code will fill a certain memory area with malicious x86 assembly code and cause the exploited Adobe software to execute this shellcode–commonly know as a heap spray.

To determine the final intent of the shellcode, we have to remove another obfuscation layer that attempts to evade automated detection. The machine code is embedded as a “malformed” and “escaped” sequence of hex bytes. Any occurrence of the substring “XX” is replaced with “%u” before JavaScript can convert the string back into binary, executable code.

After loading it into a disassembler, we can see that the unescaped executable code is stage one of a two-stage attack. The intent of stage one is to identify the open file handle of the malicious PDF to find a particular signature (which is called an egg by exploit writers). This signature (0×0A666F65 in this example) is immediately followed by stage two of the shellcode and is then branched into.

The screenshot below shows the presence of the PDF’s embedded egg, followed by x86 machine code, part of stage 2. The code contains another obfuscation layer, namely a routine that XOR decodes the remaining code and–surprise, surprise–unveils an embedded executable!

The hidden executable, which is visible only in a hex editor after having applied the same XOR decoding, is written to disk and executed by the shellcode–thus highlighting the steps the attacker has taken to evade detection.

McAfee Gateway Anti-Malware detected and blocked this threat proactively (“BehavesLike.PDF.Suspicious” and the embedded executable as “BehavesLike.Win32.Rootkit.H”). McAfee Artemis and the 5766 DATs block it, as well.

<<<<<<<<<< Update Late October, 13, 2009 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Adobe has released a patch that remediates the above issue. Full details available here.

Surrounded by a network of neon lights across the ceiling, walls of computer screens lit with grave headlines regarding our country’s digital dependence–drinking water, sewer systems, banks, government systems, all vulnerable to an electrical grid outage–I introduced my wife and my sixteen-year-old daughter to our latest McAfee endeavor, an exhibit contributor in the new International Spy Museum exhibit “Weapons of Mass Disruption.”

Yes, you read that correctly. Your humble narrator is part of a museum exhibit.

Nestled on the corner of 8th and F Streets in Washington, D.C., the International Spy Museum has become a must-see in our nation’s capital. It speaks to our country’s tales of espionage and the ultimate currency, intelligence. Never has a place been better suited to educate its visitors about the cybersecurity threats facing our government, our businesses, and you and me.

As former national intelligence director Admiral Michael McConnell mentioned during the exhibit’s opening event, the Internet has created an unprecedented level of vulnerability.

These threats, which could bowl you over in their magnitude and frequency, are constantly evolving, morphing into ever-changing but equally lethal pieces of malware–as diverse and fluid as Web 2.0 itself. In that stuff is our office, littered with Red Bull and Twinkies, where I and many other McAfee Labs researchers garner an understanding of the dark side of cyberspace activity. You know the saying: Keep your friends close but your enemies closer. It is this insight that yields information on breaking threats and a more holistic understanding of the black-hatted enemy.

So consider again the computer wall’s grave headlines in the exhibit: “The Pentagon’s IT system is probed 360 million times a day. Twitter crashed as a result of a denial of service attack against a Georgian proponent. Is our air traffic control system protected?”

The exhibit shouts the theme that we as an industry live and that I shared during my contribution interview. The threat is real. Even my daughter got a kick out of it.

I am excited to be involved in the joint industry effort of defining an XML format which will allow for the rapid exchange of information between security companies. This work was done by the “Malware Working Group” operating as part of the “Industry Connections Security Group” (ICSG) and under the umbrella of the IEEE. If you Google for “IEEE” and “ICSG” you should have the link at the top of the list – IEEE ICSG .

There were about 20 people from multiple security companies who contributed to the development of the proposal for the standard and I am very pleased with the results. It is a simple, flexible and powerful format that is already being used by 4 anti-malware companies to transmit meta-data about the prevalence of malware in the field. Wider adoption of this meta-data sharing will replace the trivial malware sample exchange of the past with a real-time exchange of threat intelligence data. Communicating the relationships between malware samples, domains, IPs will open endless possibilities for improving the security of all Internet users.

For example, it will allow us to describe the whole history of domains/IPs that were used by a specific malware writing group, which malware they hosted and even how the malware got installed onto users’ computers. And this can be expressed in an unambiguous way suitable for rapid automated analysis. In a word – it’s powerful!

But there are huge benefits even in trivial transmitting of the simplest malware prevalence data:

• If you are an anti-malware vendor you will be able to prioritize samples in your research queues.
• If you are a testing organization you will be able to create more relevant test sets (for example, downgrade rare and old samples).
• If you are an administrator you can submit consolidated field reports to anti-malware vendors and help make the Internet a safer place.

Here is how a portion of the XML with meta-data looks like.

If you are interested - the complete XML schema is available here and if you want to get involved please get in touch with your current point of contact at McAfee Labs.

In my post “DDoS Response: Part 1,” I started an analysis on combating distributed-denial-of-service attacks. In this post, Part 2, I shall examine solutions for private networks.

To proactively prevent attacks on private networks, one solution is to hide the legitimate paths from attackers and to periodically change the topology of the network. Source-address filtering, secret proxy servers (servlets), and virtual overlay network (with Secure Overlay Access Points, SOAPs) are helpful in a reconfiguration scheme:

Any transmissions that wish to pass the overlay must first be validated at entry points of the overlay (SOAP machines). Only confirmed users can access the network. If the attacker discovers the address of the filtering router in front of the client, a brute force attack is still possible.

Another solution for protecting a private network is to use a cryptographic process such as “client puzzle.” This method requires a client to sacrifice some of its resources to prove that it is legitimate. Basically, when a server comes under attack, it distributes small cryptographic puzzles to clients making service requests. To complete the request, the client must solve the puzzle correctly:

Other solutions filter and mitigate DDoS traffic. In resource replication (for example, XenoService), the victim or the network responds to DDoS attacks by producing replicas of the resources in demand. Legitimacy testing (NetBouncer) can distinguish legitimate from illegitimate traffic. Using containment, ISPs can employ honeypots to trap malicious code, which can then be studied and blocked.

For these posts, I consulted various white papers and thesis reports. The most significant is an impressive (204 pages) August 2008 Ph.D. thesis submitted to Imperial College London by Dr. Vrizlynn Thing Ling Ling.

I extracted the following table to summarize the usefulness of the responses I have already described:

At McAfee, equipment in the McAfee Network Security Platform series can help customers in this fight.

McAfee’s NSP (formerly IntruShield) sensors can detect DDoS attacks by learning the network’s “normal” traffic behaviors and detecting attacks based on deviations from these normal behaviors, including packet counts and rates for various types of packets such as ICMP, TCP SYN, UDP, IP fragments, etc. Details are available in the two McAfee white papers listed below.

Other useful documents:

• A video (in French) on DDoS mitigation (Orange group)
• IP Traceback: A New DOS Deterrent? (IEEE Security & Privacy)
• Secure Overlay Services (Auburn University)
• A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms (University of California)
• Pushback: Remedy for DDoS attack (San Jose State University)
• Deciphering Detection Techniques: Anomaly-Based Intrusion Detection (McAfee)
• Deciphering Detection Techniques: Denial of Service Detection (McAfee)

Distributed-denial-of-service (DDoS) attacks can be conducted in various ways (by SYN flood, UDP flood, Teardrop Attack, Ping of Death, Smurfing, Mail Bombing, etc.).  DDoS attacks can exploit vulnerabilities in software running on the victim’s machine or via sending a higher volume of traffic than the victim’s system can handle. The attacks can target resources (such as the network layer, network link, or end-host systems) or routes to resources. They frequently involve botnets and are used to extort ransoms from websites in the online gambling business. Some recent examples included Sportingbet Australia and Sports Alive. The latter was down for almost an entire day in August.

These days you can find many reports and papers on DDoS attacks. Most of these articles explain how attacks occur, but a few discuss how Internet service providers can protect their customers from this threat. And that’s why I wrote this two-part post.

The following image shows how a typical DDoS attack takes place:

In return for payment or to suit themselves, botmasters start DDoS attacks by relaying instructions via their command-and-control servers to their bots, which simultaneously send fake traffic to the victim to disrupt service. Trying to process packets or requests, the system consumes all of its available resources, crashes, or becomes unresponsive.

The first method ISPs can use to mitigate attacks is redirection or black-hole routing:

When implemented, all traffic going to the victim’s address is forwarded to a “discard pile.” Any router configured this way will eliminate all traffic–the good and the bad–sent to the victim. If an ecommerce website works almost exclusively with national consumers, a black-hole mechanism implemented at the international perimeter can be a good temporary solution to release bandwidth and to allow resources to regular users. But the botnet is not really impacted, and bots within the national perimeter are still active. In this example, however, we anticipate this remaining DDoS efforts will not greatly impact the victim.

A more effective solution is filtering:

With packet filtering, we can distinguish the bad packets from the good packets. Only the good packets will be transmitted to the recipient. However, traditional packet filtering can be inadequate to mitigate some botnets that dynamically or rapidly modify their configuration. Flooding attacks using legitimate services can often succeed. IP protocol and forwarding mechanisms also make it difficult for an ISP to identify the real origin of a packet. Futhermore, DDoS attackers can use spoofed IP addresses. To make up for this gap, we have a third technique: traceback.

With IP traceback mechanisms, we can find the true source of the attacks. We can determine the origin (or nearby) of the attack and block it at a point nearest to its source.

Rate limiting is another effective technique. It imposes a rate limit on high-bandwidth incoming traffic for streams that are characterized as malicious:

Traffic, whether good or bad, might be subjected to rate limiting. The probability of false positives is also high. In Part 2, we shall look at some other solutions, as well as references for reports and a university thesis that helped me in this discussion.

As we already mentioned multiple times in the past, exploits that take advantage of newly discovered holes in popular applications represent a growing threat to Internet users. Many, if not most, computer systems are vulnerable to these attacks. More evidence shows zero-day attacks remain the preferred choice of cybercriminals.

Today, a new unpatched Adobe vulnerability has been discovered in the wild. It takes advantage of a new feature to add interactive Flash (SWF) content into PDF files. This bug was found to affect at least Adobe Reader and Acrobat 9.1.2 , as well as Adobe Flash Player 9 or later.

In our investigation of the issue, we found that Acrobat 9 introduced a new “Rich Media” annotation type, which uses Acrobat’s built-in Flash Player to play SWF content. In the current attack, specially crafted SWF files were embedded into PDF documents. These can cause Adobe Reader to execute arbitrary code when viewed. When successful, shellcode in the exploit is executed by Adobe Reader. The picture below depicts how the shellcode works and what it does:

It first gets a KERNEL32.dll image base using the Windows PEB structure, sets up the required Windows APIs, then decrypts and executes its malware payload. This specific malicious PDF file contains three embedded executables encoded using a simple 1-byte XOR key. When run, it drops a file called SUCHOST.EXE and sends the information gathered from the infected machine to a free host-redirection service based in China:

• [blocked].3322.org
• [blocked].2288.org

The victim is then redirected to other malicious IP address(es). This malware acts as a backdoor to allow remote access to the infected computer.

According to Adobe, the Rich Media annotation is new to Acrobat 9.x and will not be understood by PDF document viewers that can support only up to Acrobat 8 specifications. Thus, if you place the SWF file with Acrobat 9 into the PDF files, it is not readable by Acrobat or Adobe Reader 8 and older versions, and will not be vulnerable to this attack.

Although details of this vulnerability have not yet become public, more attackers are likely to take advantage of this weakness. For McAfee customers, both the PDF and its associated payload can be proactively detected as “Exploit-PDF.t” since the 5683 DATs (released July 21).

Even though anti-malware vendors continue to add detection for new zero-day threats, there are several things you can do to mitigate such risks. Refrain from opening attachments from untrusted sources and visiting untrustworthy web sites.

This bug is currently being investigated by the Adobe Product Security Incident Response Team.

(Thanks to Abhishek Karnik and Aditya Kapoor for helping to analyze the malware.)

Today, Microsoft released a security advisory on active attacks in the wild using a vulnerability in Microsoft Office Web Components. Computers installed with Microsoft Office features that uses vulnerable versions of the Microsoft Office Web Components could be infected with malware when browsing upon malicious websites in Internet Explorer. 

From our investigation, Exploit-CVE2009-1136, a new 0-day exploit was added into web exploit toolkits that widely released Exploit-MSDirectShow.b  on hijacked websites in China just the previous week.  Since the start of this new wave of attacks, new trojans installed by Exploit-CVE2009-1136 has been detected by Artemis technology which also allow us to get a global view of the spread of this new threat.

In one of the new trojan samples used by Exploit-CVE2009-1136, we first saw Artemis queries coming from China at 11:53 GMT on July 13th, 2009. We didn’t have automatic protection for this at this point, but various systems analyzing the threat details soon mark this as malicious.

By now, this sample has spread to many other Internet users in China, and is now queried and blocked by Artemis more than 328 times at more than 145 unique IP addresses (ISP , not end point).

Besides China, we only saw Artemis queries coming from Virus Total (Spain) and fellow malware researchers in the UK and Germany in small numbers.

We will post more information as we receive it.

As a follow-up to our two recent blogs, we want to provide some details for this zero-day exploit from the perspective of the McAfee Network Security Platform (formerly known as IntruShield).

Unlike traditional ActiveX exploits, in this case the Microsoft Video ActiveX controls are being used to load malicious image files and trigger the vulnerability. McAfee Network Security Platform detects this exploit attempt using the attack signature HTTP: Vulnerability in Microsoft Video ActiveX Control Could Allow Remote Code Execution. At this point, we have seen active attempts in the wild trying to exploit this vulnerability. Figure 1, below, shows one such attempt as viewed on the Alert Viewer and Figure 2, bottom, shows the corresponding packet capture from the evidence report.

Figure 1. Exploit attempt alert

Figure 2. Packet capture from evidence report

Microsoft Security Advisory 972890 says customers can set the kill bit for a bunch of Class Identifiers. Any attempt to use these Class Identifiers for exploitation can be detected using the audit signatures HTTP: Potential Harmful Microsoft Video ActiveX Control I, HTTP: Potential Harmful Microsoft Video ActiveX Control II, and HTTP: Potential Harmful Microsoft Video ActiveX Control III.

All of the attack signatures described above were released on July 6 in the following network security signature sets.
• 5.1.22.14
• 4.1.52.14

In our blog from yesterday, we described how Exploit-MSDirectShow.b has been widely deployed on hijacked websites in China, targeting Internet Explorer users. When a victim browses one of these sites, malware is downloaded to the computer. To better understand the current impact of these attacks, we have monitored the prevalence of its downloaded malware through Artemis.

Since yesterday, our Artemis technology has detected new malware installed by Exploit-MSDirectShow.b that was targeted to certain geographical regions of the world.

In China, a new sample variant was queried by Artemis more than 180 times at more than 70 unique IP addresses (ISP, not end point) over a 24-hour period. This is represented by the many red dots in the following figure:

This particular sample was first seen only in mainland China, but we soon saw Artemis queries from Korea, Japan, Australia, Singapore, Taiwan, and the United States in very small numbers. As we know, the web has no boundaries and the potential risks of the DirectShow zero-day vulnerability is not limited to specific languages or regions. We will closely monitor this trend.

This sample is already heuristically detected in the DATs and Artemis. After our analysis, it has now been classified as Downloader-BRT Trojan.

Since we reported about the new attacks against Internet Explorer exploiting a vulnerability in a DirectShow ActiveX object, we have released DATs/coverage updates for many of our products and technologies.

Current status for each of the content areas:

• Malware: Coverage is provided for exploit code in the 5668 DATs, released on July 6
• HIPS: Generic buffer overflow should provide coverage
• McAfee Network Security Platform: Coverage was provided on July 6
• McAfee Vulnerability Manager: Coverage was provided on July 6
• MNAC: Coverage will be provided in the next release
• VirusScan Enterprise: Buffer overflow protection should provide coverage
• McAfee Web Gateway, Anti-Malware Edition: Behavior analysis provides coverage against currently known exploits

Other Internet users and website administrators can also download the free Stinger tool to scan computers and web pages for known malware relating to this attack:

• http://download.nai.com/products/mcafee-avert/stinger.exe

We will continue to monitor the situation to provide comprehensive coverage.

If you read Geok Meng and Xiaobo’s blog published in December last year, this must almost seem like a movie sequel. Over the July 4 weekend, an exploit targeting a zero-day vulnerability in the Microsoft Microsoft DirectShow ActiveX object was widely discovered on many Chinese websites.

At the time of research, over a hundred hijacked sites were found to be injected with malicious links that are still actively hosting this Trojan. Many of these sites are what you and I would not consider “malicious” or “dodgy.” For example, some of them are school websites or the local community club’s website that had been hijacked or infected.

When browsing these sites (hijacked site #1), the victim is hyperlinked to hijacked site #2, which seems to act as a proxy. In this case, if someone were to audit the source code of hijacked site #1, he or she would see that the links are connected to sites that look legitimate. Hijacked site #2 is, subsequently, hyperlinked to a malicious site hosting a web exploit toolkit.

During research, one of the things we found interesting was the web exploit toolkit explicitly checks that the origin of the hyperlinked references do not come from the “.gov.cn”  and “.edu.cn” domains, which are used by Chinese government and education sites, respectively. If the references are not coming from any of these domains, it starts sending a cocktail of exploits including:

• Exploit-MSDirectShow.b (zero-day)
• Exploit-XMLhttp.d
• Exploit-RealPlay.a
• JS/Exploit-BBar
• Exploit-MS06-014

Each of these exploits targets a different application that could be vulnerable–Internet Explorer 6 and 7, DirectShow ActiveX, RealPlayer, Baidu Toolbar–that can be accessed via the Internet Explorer browser.

From past investigations, this toolkit has been widely used on many Chinese hijacked sites this year. The attackers may be trying to avoid or delay attention from the Chinese government.

When successful, the attacker installs a downloader Trojan that could download other malware.

This zero-day vulnerability has been verified to affect at least Windows XP systems with Internet Explorer 6.x and 7.x. However, on IE 7, the browser on Windows Vista systems, risky ActiveX objects are blocked by default, which may mitigate this zero-day attack. Users should ensure that their systems are always kept up to date against the older exploits.

The zero-day exploit will be detected as Exploit-MSDirectShow.b by McAfee VirusScan in today’s 5668 DATs. The downloader Trojan installed by this exploit can be proactively detected as Generic.dx since the 5567 DATs (released March 28).

We will post more information as we receive it.

(Thanks to our colleague Wei Wang for assistance in this analysis.)

On April 30, an exploit targeting a zero-day vulnerability in the Baofeng media player was published on the Internet. The proof-of-concept exploit had more than enough details for others with malicious intent to create more malicious variants.

Baofeng is a widely popular media player in China, and it plays many common media file formats. May 1 to 3 was the May Day weekend in China. One can imagine many Chinese users surfing the net or searching for their favorite video clips could be hit by this vulnerabililty during the holidays.

Because this vulnerability exploits an ActiveX component, attackers may inject malicious code via common means such as SQL exploits, or they can simply upload malicious web content onto certain websites. Once users browse these web pages, attackers may execute arbitrary code on the users’ computers via the flawed ActiveX component.

Currently, the vendor has confirmed this flaw and the following versions are reportedly affected by this vulnerability:

•  Build versions: 3.09.03.30，3.09.03.25，3.09.04.17，3.09.04.27.

A patch has been released for this vulnerability. Affected users should immediately contact the vendor for the security update.

McAfee VirusScan has proactively detected this exploit as the JS/Exploit-BO.gen Trojan since as early as the 4679 DATs (January 20, 2006).

So April 1st came and went, and it seemed that all might be right in the post-Conficker world…

Of course, nothing is that easy. With the latest activity, there is also a continual flood of information out there. Below, I have attempted to aggregate the new functionality.

Around April 7th/8th Conficker started to move again. Our peers were able to confirm this new update functionality.

When it did wake, it used the peer-to-peer (P2P) communication channel to call home rather than the HTTP rendez-vous to start its latest escapade. In this case, the infected host will be contacted initially by another host over an ad-hoc P2P connection. Kind of like an alarm clock. Then, after hitting the snooze button over a period of several hours, the communication begins again – starting this time from the infected host.

Conficker is definitely not in any rush to tango. Communication is done in such a manner that this traffic (aka update) may go unseen – or at least mostly under the radar, by using fragmented and irregular UDP communication.

So what happens next? When this P2P communication stream ends, our host is basically told to go to a domain and download a file. This is when TCP comes into play. Our infected host goes out to an address and an encrypted executable file is downloaded. Once executed, it could contain malware such as the ever-changing FakeAlert or even Waledac. So at the end of this round, we may be left looking at something similar to the below screenshots:

We have also seen some hosts serving up a Waledac payload.(Realistically, it may contain anything that the bad guys are serving up on those domains.)

These downloads are detected as FakeAlert-SpywareProtect and Waledac.gen.b respectively.

Also downloaded as part of the payload, we again have the MS08-067-like “hot” patch. This time however, it is closer to the original patch – so as to elude detection. (Note: our McAfee Conficker Detection tool is in process of being redesigned to allow detection of the latest variants).

There are also two other notes of interest. The first of which is that we have a new deadline to watch. On May 3rd this latest variant is set to expire.

Thinking aloud, this point brings some interesting questions to mind. Such as – Is this just a test from the Conficker crew who are serving up Waledac incidentally? Or is this done for other self-serving reasons? (i.e. – Attention diversion) Maybe it’s just a deadline for a rented botnet? Interesting questions I am sure the security community at large is wondering.

Second, when an infected host resolves a HTTP rendez-vous domain name, it compares the IP resolved with the list of IPs it already queried, if the new IP is in the list, it will move on to the next domain in its list.

Of course, we will update if anything else comes along…

Recently, our APAC threat intelligence team discovered a couple of Windows kernel zero-day vulnerabilities in the field, which could be potentially used for malicious purposes.  These were discovered in some discussion forums in China.

One of these issues exists in Windows NT/2000/XP according to the description provided. The issue arises due to insecure win32 syscalls, the buffer being supplied from usermode. This can lead to a Blue Screen Of Death (BSOD) if the kernel address is overwritten, leading to a Denial of Service (DoS) condition.  However, this issue requires admin privileges and hence cannot lead to a privilege escalation. But a deeper look suggests that this could be used to subvert or install kernel mode hooks, which can be used for malicious purposes.

Besides this issue, another kernel bug with similar behavior was found recently in the field. In this case it involved atapi.sys. 

The cause of this bug is also the same: It doesn’t verify the data passed from user mode and results in a buffer overflow. In most cases it will also cause a BSOD.

From the point of view of software design, data passed from user mode should never be trusted and must be always validated. Many of the known Windows local vulnerabilities exist because of this reason. Microsoft noticed this problem and fixed many potential defects in the kernel’s main module. However, many defects still exist in the win32k kernel part because it’s extremely complex. Most kernel vulnerability diggers are now targeting this module and have discovered many vulnerabilities in the past two years. With Windows 7 we will hope that kernel security will grow stronger.

We’ve notified Microsoft of both of these issues before posting this blog and technical details have been omitted here as the vulnerabilities are unpatched. We’ll do a follow up post after the issues are resolved.

As a follow-up to my colleagues’ blog post about the newest Office exploits, here is an analysis of one of the Microsoft PowerPoint Zero-Day exploits that once again are used in targeted attacks to infect victims with a trojan horse. The malicious presentation files abuse a new, yet unpatched hole in Microsoft PowerPoint and causes it to execute code infiltrated by the attackers. This blog post shows how the shellcode works and what it does, right after an innocent victim opens the malicious file – if the attacker gets their way of course!

For size reasons, the code is split up into several parts that are scattered among the malicious PowerPoint file. Part one of the shellcode consists of an “egghunter”, which is used to relocate the remaining part of the shellcode in memory. In order to do that, it first sets up an exception handler that prevents crashes when accessing bad memory locations, then goes on a hunt for the shellcode’s prepended egg (0xD1CF11E0). Once that egg (which is a marker for the beginning of the shellcode’s second part) is found in memory, code execution is transfered to the code following it.

Part two of the shellcode begins with a loop that looks for a writable memory block of at least 1KB in size (starting at address 0×30000000). Another loop then XOR decodes another part of the shellcode into that memory location and branches to it. Once decoded, a filename (”fssm32.exe”) can be seen in the disassembly. In order to either download or drop a second-stage executable, shellcode needs access to operating system API functions. The ones it needs are going to be imported by parsing OS internal structures, such as the Process Environment Block, to locate kernel32.dll, then parsing the library’s PE header to locate the desired function pointers.

As shellcode mostly needs to fit into a size-limited block of memory, this piece of exploit not only has its code split into several parts for it to work reliably, it also uses 32bit hashes of API functions to import, rather than a list of respective function names which would consume more space. The shellcode’s ROR-13 hashing algorithm iterates over any exported API function name and compares it against its given list at run-time. Applying the same technique when statically analyzing shellcode, the list of imported functions becomes readable. Looking at the now readable list, it does not contain any function which would indicate the shellcode to download a file but rather drop an embedded one from the PowerPoint file and execute it.

Using a hex-search for typical indicators of an executable file, such as an “MZ” or “PE” header doesn’t yield any feasible results – which is not astonishing at all. Of course, the attackers responsible for having built the exploit intended to prevent their cover being blown by something as obvious as an executable that is embedded into a PowerPoint presentation file! By looking more closely at the shellcode, there is another suspicious XOR-decoding loop.

The loop decrypts a given memory block using an 8bit XOR key. By incorporating the same decryption-loop into a Python script and applying it to the PowerPoint file (see screenshot below), both an MZ- and PE header surface in the hex editor. It’s the embedded executable that was assumed to hide between the PowerPoint “slides” – the malware can finally be extracted.

McAfee VirusScan products detect this threat as Exploit-PPT.k trojan, McAfee Anti-Malware Gateway Edition (former Secure Computing) detects the new exploits as Heuristic.Exploit.OLE2.CodeExec.PGPG.

We’ve just seen the Microsoft Excel 0-day attacks in February. Today, Microsoft published a new Security Advisory reporting a new unpatched vulnerability in Microsoft Office PowerPoint.

McAfee Avert Labs investigated and discovered multiple attacks in the field using the PowerPoint exploit. McAfee VirusScan products detects this threat as Exploit-PPT.k trojan using the 5573 DATs to be released on the same day. 

As with most other document exploits, these PowerPoint files install malicious trojans in the background but displays an innocent PowerPoint presentation to the victim as a deceptive measure. The following list shows a variety of malware files installed in these attacks:

• fssm32.exe: 428,032 bytes (Muster.c trojan)
• IEUpd.exe : 45,056 bytes (Muster.c trojan)
• setup.exe : 13, 1072 bytes (Muster.c trojan)
• PeerCM.exe : 80,666 bytes (Generic BackDoor.u trojan)
• ws2_42.dll :10,6740 bytes (Generic BackDoor.u trojan)

Some of these specially crafted exploits arrived as PowerPoint Showfiles with the “.pps” extension. Such files typically opens in full screen mode and hides the  applications running on the desktop such as system monitoring tools that could give any clue to the dodgy installation of trojans to the victim.

Please keep your DAT files up-to-date and refrain from opening any PowerPoint files from any untrusted sources until a patch is made available by the vendor. Where possible, verify with the sender to make sure what you get is what was intended.

Everyday there are thousands of websites that have been injected with malicious code and there are millions of hosts that have been infected by malware from these malevolent URLs. The main vulnerabilities lately are Windows-based as well as third-party application issues. This blog will introduce the most common vulnerabilities used by malevolent URLs in China throughout 2008.

1. BaoFeng2 Storm
BaoFeng2 Storm is the most powerful media player used in China. The software supports multiple media formats, and its features are easy-to-use, as well as free. Multiple buffer overflow in Baofeng2 Storm allow for the downloading and execution of files. CVE Number is CVE-2007-4816.
Reference:
http://www.baofeng.com/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4816

2. Baidu Soba
Baidu Soba is a search bar for the Internet that is integrated with a powerful MP3 search, web page search, flash search and so on. Vulnerabilities in the BaiduBar.dll in Baidu Soba have allowed for the download and execution of files via a specific link. According to the vulnerability description, the vulnerability exists in versions prior to version 5.4. CVE Number is CVE-2007-4105.
Reference:
http://bar.baidu.com
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4105

3. Xunlei Web
Xunlei Web is downloader software. Its GUI control is very browser-like. It’s important to note that people can find more and more valuable resources to download via Xunlei Web, so Xunlei Web has a great deal of customers. Buffer overflows in Xunlei Web before version 5.6.3.44 can execute arbitrary code with the vulnerability. CVE Number is CVE-2007-5064.
Reference:
http://dl.xunlei.com/index.htm
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5064

4. PPStream
PPStream is IPTV software base on p2p streaming techniques. It’s very popular in China. Buffer overflows in the PowerPlayer.dll in PPStream before version 2.0.1.3829 allow for the execution of arbitrary code via the vulnerability. Its CVE number is CVE-2007-4748.
Reference:
http://www.ppstream.com
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4748

5. OurGame Chat
OurGame is a kind of free game. It is a gaming platform that covers all the related fields and areas of network games. It has a category of nearly one hundred species of games, including Card games, leisure games, large-scale network and so on. Buffer overflows in the GLChat.ocx of the OurGame Chat module in the ConnectAndEnterRoom() method allows for the execution arbitrary code. Its CVE number is CVE-2007-5722.
Reference:
http://www.ourgame.com
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5722

6. Ultra Star Reader
Ultra Star Reader is an e-book reader tool. It’s similar to a PDF reader. Buffer overflows in the Ultra Star Reader allows for execution of arbitrary code via the vulnerability. Its CVE number is CVE-2007-5807.
Reference:
http://www.ssreader.com
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5807

7. JetAudio
JetAudio is media player with sound-effect enhancing functionality. Vulnerabilities in the JetFlExt.dll in JetAudio version 7.0.3 allows for the overwriting of arbitrary local files. Attackers can drop malware on a system via this vulnerability. Its CVE number is CVE-2007-4983.
Reference:
http://www.jetaudio.com
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4983

8. Xunlei Thunder
Xunlei Thunder is free downloader software. It supports multiple download protocols such as http, ftp and bit torrent. Buffer overflows in the pplayer.dll in Xunlei Thunder allow for the execution of arbitrary code. Its CVE number is CVE-2007-6144.
Reference:
http://www.xunlei.com
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6144

In the run-up to April 1, the media spotlight around the latest Conficker worm variant has reached a morbid frenzy. From being touted as an “April Fool’s joke” to outrageous headlines such as “Millions of computers expected to be destroyed”–no other worm in recent history has generated this much media attention. But what have we learned from history? From the days of Michelangelo to the recent Blaster, SoBig, Sober, and Kamasutra worms, the hype surrounding the activation or payload dates of major Internet worms have turned out to be only damp squibs.

What happens on April Fool’s Day is anyone’s guess. Although we still don’t know the real intent of the authors of the Conficker worm, they have consistently improved the worm by adding new functionality and anti-debugging tricks with every released variant. In order to resist the Conficker Cabal initiative, which recently blocked domain registrations associated with previous Conficker A and B variants, the worm authors upped the randomly generated domain count from 250 to 50,000. The intent behind generating and attempting to contact so many domains is to make it extremely difficult for security researchers to monitor sites that could potentially host a payload for the Conficker worm to download and execute.

What we do know is almost all the security vendors have thoroughly analyzed Conficker–also known as Downadup and Kido worm–and have good generic detection and cleaning in place. Uploading a couple of randomly selected Conficker binaries to the VirusTotal site consistently shows an overall anti-virus detection rate of 90 percent or above. And these high detection rates are across vendors–small or big.

To prepare for any trouble on April 1, McAfee now offers a special build of its standalone cleaning tool Stinger, which will be updated on a daily basis to include any undetected Conficker variants from the wild. This special build of Stinger can be downloaded from the Avert Tools site. We’ve also posted detailed documentation on mitigation steps that security staff within organizations can take to combat W32/Conficker. Additional McAfee product coverage information for MS08-067–the Microsoft Windows Server Service vulnerability, which is exploited by the worm–can be viewed at the McAfee Threat Center.

Please ensure that your copy of Microsoft Windows is patched and your security software is fully up to date. That way you won’t end up an April Fool.

When I wrote a scanner plug-in this week for an old directory traversal vulnerability–CVE-2008-4419–I wondered whether there are vulnerable HP LaserJet printers online that can be controlled from the Internet. To find out, I used Google. The search listed almost 50 results, and I found that almost all of these printers are not patched, even though HP has provided firmware updates to resolve this vulnerability. An attacker could leverage this unicode-encoded directory traversal vulnerability to read configuration files or cached documents, and gain read access from the Internet to important internal information.

Usually administrators ignore the security of printer devices. They may think there is no harm even if the printer can be controlled remotely by an attacker.

The administration web interface of these LaserJets can be accessed without passwords. The attacker can use these LaserJets to print any documents from anywhere. Although attackers may not be able to reach the printouts, at least they can waste a lot of paper. Spammers can also post free advertising to companies if they connect to these printers.

So please harden your network gateway or firewall to restrict access to these devices. Don’t give everyone on the Internet a chance to use your printer, and patch the vulnerable LaserJets to prevent the potential information disclosure.

To download the HP firmware updates and upgrade instructions, click here.

McAfee Avert Labs will now produce more detailed documentation on prevalent threat families. The “Combating Threats” document series is designed to arm security staff within organizations with more information concerning prevalent threat families as well as to provide additional mitigation steps that can be taken. The first two documents in this series, “W32/Virut Family” and “Finding W32/Conficker.worm,” are now available via our blog, prior to our “Combating Threats” web page going live.

UPDATE MARCH 17th

Apologies for the busted links yesterday. All seem to be resolving fine now.

For years, the Japanese word processor Ichitaro has been attacked by malware authors exploiting flaws in the application. So it is no surprise that in the last week we discovered in the wild specially crafted Ichitaro document files exploiting a new vulnerability.

This time, the crafted file (detected as the Exploit-TaroDrop.g Trojan) drops and runs the Generic Dropper Trojan, which is responsible for dropping the BackDoor-DNW Trojan. The last attempts to connect “lightsut.com:80” and opens a backdoor to give attackers remote access to compromised machines. McAfee proactively detects Generic Dropper, which prevents users from being infected with BackDoor-DNW even with a non-patched copy of Ichitaro.

Detection alert of Japanese McAfee VirusScan Enterprise

The patch for this vulnerability has already been published by JustSystem. Ichitaro users should apply the update as soon as possible.

– Update Feb 24, 10:15 PDT –
Microsoft has released a security advisory for this issue (CVE-2009-0238):
http://www.microsoft.com/technet/security/advisory/968272.mspx

Many versions of Excel are vulnerable, including 2000, 2002, 2003, 2007, 2004/2008 for Mac, Excel Viewer/Excel Viewer 2003.
 –

A Trojan exploiting an unpatched Microsoft Excel vulnerability has been reported from the field. McAfee Avert Labs has confirmed that Microsoft Excel 2007 and 2003 are affected. Other versions may also be impacted.

McAfee DAT files identify known malicious Excel spreadsheet files as Exploit-MSExcel.r Trojan, and dropped files as BackDoor-DUE Trojan in the 5534 DATs.

As with the initial Exploit-PDF.i threat, current attacks are very targeted and limited. When succesfull, it installs a backdoor that attempts to connect a remote site port 80 and waits for commands.

The mitigation for this infection is to block unknown TCP connections. However, one of the best protection methods is to remain vigilant against Excel files from untrusted sources or sent at an unexpected time until a security update is available.

Needless to further remind everyone, zero-day attacks are the preferred choice of cyber criminals and will continue to be so in 2009. If the recent W32/Conficker.worm (MS08-087) and Exploit-XMLhttp.d (MS08-078, MS09-002) were not good enough to prove our point, here is another one.

At the turn of 2009, malicious PDF documents were discovered to be exploiting a 0-day vulnerability affecting Adobe Reader 8,x and 9.x. In parsing a specially crafted embedded object, a bug in the reader allowed the attacker to overwrite memory at an arbitrary location. The attacks, found in the field, use the infamous “HeapSpray” method via JavaScript to achieve control of code execution (see below):

In the above image, the eax register is specially crafted to point to the malicious shellcode that installs a trojan. When successful, the attack installs a backdoor to enforce remote control and monitoring on infected systems. Further characteristics of this backdor and detection details are posted at http://vil.nai.com/vil/content/v_153842.htm

While the distribution of this exploit thus far appears to be targeted, new variants are expected as more information is made public. As with the Conficker experience, the lack of good patch management is a very worrying trend that deserves more attention from IT security practitioners. Adobe is expected to release a patch very soon:

http://www.adobe.com/support/security/advisories/apsa09-01.html

An exploit found to be targeting a recently patched vulnerability for Internet Explorer 7 was discovered in-the-wild.  Malware crooks were quick to develop a working exploit for the vulnerability in Internet Explorer 7, which was part of the February Microsoft patch release. Microsoft rated this vulnerability critical with the possibility of a consistent exploit code. The modus operandi bears close resemblance to the zero-day attack using word documents, we blogged about in December 2008.

The attack, delivered in the form of a maliciously crafted document, is sent out to unsuspecting users. This word document contains an embedded ActiveX control which upon opening, connects to a website hosting the MS09-002 exploit.

Malware authors are always working to create new and improved ways to evade detection and control compromised machines. This time, malware authors introduced obfuscation (base64 encoding) possibly to evade easy analysis and detection.

The ActiveX control facilitates connection to the malicious website to launch and execute the MS09-002 exploit.

For those who have not patched their machines, we suggest you install the MS09-002 patch immediately. It will just be a matter of time before different variants of this exploit start circulating in the wild and become incorporated into various Do-It-Yourself web attack toolkits.

The malicious word document is detected with the current DATS as Exploit-MSWord.k and the Internet Explorer 7 exploit is detected as Exploit-XMLhttp.d / Exploit-CVE2009-0075.

Recently we got some new samples of the W32/Conficker.Worm to analyze. While investigating we found that this worm has an exploit for the recent MS08-067 vulnerability and uses the exploitation method derived from the metasploit ms08_067_netapi module to spread itself. Below is the traffic packet capture snapshot sent by the worm:

As we can see from the image above, there are some random alphanumeric characters in the packet which seem to have been generated from Rex::Text.rand_text_alpha in ms08_067_netapi.rb. And if we do a byte order conversion of data in red box above, we get 3 addresses: 0×00020408, 0×6f8917c2, 0×6f88f807, which are the internal targets of the ms08_067_netapi.rb exploit as listed below (from metasploit):

# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 English (NX)',
	{

                     'Ret'       => 0x6f88f807,
                     'DisableNX' => 0x6f8917c2,
                     'Scratch'   => 0x00020408
	}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

The latest metasploit exploit, besides including Windows XP/2003 OS’s; also includes several targets for languages such as English, Arabic, Czech, Danish, German, Greek Spanish Finnish, French, Hebrew, Japanese, Chinese, etc. The exploit module of ms08_067_netapi in metasploit also provides the “smb_fingerprint()” function to detect the Windows version information, Service Pack information and also the language information of the target OS. This makes programming the worm much easier and can cause much bigger impact. By using the exploit from the metasploit module as the code base, a virus/worm programmer only needs to implement functions for automatic downloading and spreading. We believe that this can be accomplished by an average programmer who understands the basics of exploitation and has decent programming skills. After further analysis of the traffic capture, we found that only the functions for detecting OS version and Service Pack information were embedded into this worm. Hence without the remote OS language determination ‘feature’, this worm only targets the English OS versions at the time of writing the blog.

Here is a packet capture snippet used in this malware to detect the OS version and Service Pack information:

By sending SMB session setup and request, it can detect OS information of target machine. If the OS is Windows Server 2003, then the Service Pack information will also be returned.

Since there are a huge number of Windows XP systems it’s obvious that the worm writer did not want to miss out on this pool, hence this is why the worm determines what the Service Pack level is by accessing \SRVSVC named pipe, which is similar to the method used in metasploit smb_fingerprint() function :

if (os == 'Windows XP' and sp.length == 0)
            # SRVSVC was blocked in SP2
            begin
                         smb_create("\\SRVSVC")
                         sp = 'Service Pack 0 / 1'
            rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
                         if (e.error_code == 0xc0000022)
                                 sp = 'Service Pack 2+'
                         end
            end
end

So in this instance it’s obvious that malware/worm writers are abusing open source tools to their advantage to make their work easier.

For those who haven’t patched their machines, we suggest you install the MS08-067 patch ASAP! If you are a McAfee Host IPS or Network IPS user, we’ve verified that you are protected against this worm by our Signatures ID’s 3961 and 0×40709d00 respectively. For VirusScan users, the DAT update version 5444 has coverage to detect this worm.

We have lost count of how many blogs we have written this year that have anything to do with zero-day threats or unpatched vulnerabilities.

Today, many Internet users in China have reported an infection, presumably from browsing the web using a fully patched version of Microsoft Internet Explorer 7.x. My colleague Xiaobo Chen and I investigated the incident and found it to be an active exploit containing downloader shellcode that installs the Downloader-AZN Trojan (proactively detected as New Malware.n since 2005 when scanning with heuristics enabled).

The root cause was found to be the incorrect handling of certain XML tags in Internet Explorer 7.x that references already freed memory in the mshtml.dll.

We have confirmed this vulnerability to be affecting, at least, a fully patched Windows XP SP3 and a Vista SP1 system. The exploit uses publicly known heap-spray techniques that enable control over a vtable pointer, allowing arbitrary code execution.

Fortunately, the 5404 DATs proactively detect the Downloader-AZN Trojan, but there could be other variants. Additional coverage is going into today’s DATs to detect the malicious web scripts as Exploit-XMLhttp.d or Exploit-XMLhttp.c Trojan.

Details about this vulnerability, as well as exploit code, are known to be publicly available.

More information on this situation will be posted as it becomes available.

A picture is worth a thousand words…

First let me say, “PATCH your systems” if you have not done so already!

Seriously, you and your machines are sitting ducks for attacks such as MS08-067, which we learned about from Microsoft last month. This type of attack is especially dangerous if your Windows Updates or security products are not up to date. Microsoft released its out-of-cycle emergency patch on the 23rd of October–more than one month ago–so you have no excuse today for being at risk!

At McAfee Avert Labs we have seen a few proof-of-concept binaries using the exploit code that was released into the wild to attack this Windows Server Service vulnerability; the latest is W32/Conficker.worm. According to the description in our Virus Information Library, W32/Conficker.worm decides how it will load itself as a Windows Service depending on whether the compromised version of Windows is Windows 2000.

Once loaded in the service space, the worm attempts to download files from the Internet–specifically, further malware from trafficconverter.biz and data files from maxmind.com.

The worm continues by setting up an HTTP server that listens on a random port on the victim’s system while hosting a copy of the worm. It then scans for new vulnerable victims to exploit, at which point the new victim will download the worm from the previous victim and so on.

To recap McAfee’s coverage and protection for this vulnerability, please check here. We have increased coverage in today’s DATs (Version 5445) to protect against this, and future variants, of the W32/Conficker.worm.

For more information on the Microsoft vulnerability, refer to their security bulletin.

As many of us enter the holiday season of Thanksgiving it’s vital to ensure your systems are patched and up to date while you’re enjoying your time off. Malware doesn’t break for holidays!

It has been over 2 years since I last wrote about malware exploitation of a major vulnerability in the Windows Server Service (MS06-040) by malware.

In 2006, worm authors were quick to adopt the remotely executed exploit in just 4 day following a security update released as part of the regular Patch Tuesdays – IRC-Mocbot, W32/Sdbot, W32/Spybot, W32/Opanki, et ceteras.

Now in 2008, we are faced with malware authors, motivated by profits, more organized, and are more likely to target zero-day vulnerabilities, as we have reported on several critical incidents we have discovered since 2006. Like déjà vu, Microsoft released an out-of-cycle security update today to address in-the-wild attacks against a new MS08-067 vulnerability targeting the same Windows Server Service.

Attacks seen in the wild so far seem to have come from variants of the Spy-Agent.da trojan. When run, it may not be immediately apparent to the victim that it was using any exploits. Taking a quick glimpse into the binary code of basesvc.dll (Spy-Agent.da.dll), one of the DLL components installed by Spy-Agent.da, one can see strings that would look very familiar to those familiar with MS06-040.

On closer analysis, Spy-Agent.da.dll seeks out potentially vulnerable Windows machines in the local network, and sends maliciously crafted DCERPC requests to exploit the Server Service (SvrSvc).

When successful, hardcoded shellcode embedded within the malware, is executed on the targeted machines to download Spy-Agent.da (or possibly other variants or files) from a web server hosted in Japan.

(shellcode after decoding)

Just hours following the patch release, public source code has already been seen distributing on the Internet. What more can I say ? Patch your systems ! Yes, NOW !

Spy-Agent.da and Spy-Agent.da.dll are now detected using the current 5414 DATs. See Dave’s blog for McAfee’s coverage.

(thanks to Joey Koo and Xiaobo Chen for providing analysis data and packet dumps used in this blog)

Issue 5 of the publication formerly known as Sage has been released. This issue we take aim and tackle the rather murky subject of social engineering. We have nine excellent articles for you from some of our finest researchers as well as two academic experts. Some of the topics covered include:

The Origins of Social Engineering
Social Engineering 2.0 – What’s Next?
Vulnerabilities in the Equities Markets
The Future of Social Networking Sites
Typosquatting – Unintended Adventures in Browsing

Many aspects of social engineering are dissected and investigated as well, some not found anywhere else! Definitely worth the download and read.

Available here.

A zero-day exploit against the latest QuickTime (Version 7.5.5) and iTunes (8.0) was released yesterday. The exploit author announced this as a remote heap overflow so we decided to take a look and analyze it.

After our research, we found that this is actually an off-by-one stack overflow. Some noteworthy points:

1. QuickTime has the /GS switch option enabled, hence a cookie is put into the stack.

2. Since this is an off-by-one stack overflow, the attacker can just overwrite one byte of the cookie. The Check_stack_cookie function is called when the function returns. If the Check_stack_cookie found out that the cookie is not matched, then the program exits. This results in the crash of QuickTime and iTunes.

The crash means it is unlikely that code execution would be feasible via this attack vector. Howerver, users of these apps should take the attack seriously and look at appropriate defenses.

One of the issues that we’ve been highlighting at our recent conference presentations and blogs was the emergence of major localized threats around Asia. McAfee Avert Labs discovered yet another unidentified vulnerability in the Japanese word processor , Ichitaro, last Friday.

This Japanese application have been known to be under the targeted attacks for several years and a few 0-day vulnerabilities were discovered and exploited in the past. Other than Ichitaro, other popular and localized applications are often targeted by 0-day exploits. We also frequently observe exploits targeting vulnerabilities, even months after they have already been patched by the vendor.

Users should continue to stay vigilant of any suspicious email attachments, and do not open unknown files. Please be sure to update your applications, whether it is popular or not, with the latest security patches to protect you and your organization from the known attacks.

These newly crafted malicious documents are detected as Exploit-TaroDrop.e trojan, and the payload as BackDoor-DRZ trojan in the 5368 DATs.

The vendor has acknowledge the vulnerability and will be posting a patch.

During the BlackHat conference, security researcher Dan Kaminsky revealed full details on the DNS cache-poisoning vulnerability that has been all over the media the last couple of weeks. Later on the day he received an award for the “Most Overhyped Bug.”

Was that award really justified? I think not.

DNS cache-poisoning vulnerabilities are nothing new. Such vulnerabilities have been known for more than 10 years. But now we live in a different time: The threat landscape has changed significantly, and there are gangs of criminals trying to get their Trojans installed on as many machines as possible, stealing as much information as they can. We have seen just this year that they would go as far as hacking hundreds of thousands of web pages just to distribute malware. It is safe to assume that they would take advantage of a vulnerability that allows them to route unsuspecting victims to their web sites, and this vulnerability allows them to do just that. And a lot more. Just combine the DNS vulnerability with other vulnerabilities and features, such as routing the emails of the “forgotten password” feature on web sites to them, to steal login details. No one takes seriously their being able to perform all the attacks that require them to act as a man-in-the-middle, because it’s so hard to do.

Considering all this, I don’t think it was overhyped. As of today there are probably still thousands of unpatched DNS servers. So stop shouting “hype,” go patch!

The need to pay attention to security never goes away. Fortunately, operating system vendors continue to improve their platforms, and they have made great progress in security. Traditional stack or heap overflows have become more difficult to exploit. However, we cannot become complacent because it’s clear that hackers have transferred their attention to third-party software. Some popular applications have become targets for viruses and Trojans. Just recently, many vulnerabilities were found and exploited in several popular programs: Real Player (CVE-2007-5601), Yahoo Messenger (CVE-2007-5017), Adobe Acrobat Reader (CVE-2008-2641), and Flash Player (CVE-2007-0071). All of these were found to have remote code-execution vulnerabilities, and actual exploits can be found on the Internet. So although the majority of users has installed the latest operating-system patches, they are still at risk to be attacked via third-party vulnerabilities.

A few days ago, I witnessed an actual exploit occur at a friend’s home. He was running Microsoft Windows Vista, and the attack was targeted at RealPlayer. His mistake was that he had disabled the User Access Control functionality of Vista because he did not like the alerts. So he didn’t get any warning prompts except when a message box showed that RealPlayer would close before the malicious code ran. I then saw many cmd.exe and other suspicious processes start. Windows Vista has the best security so far in the Windows family; nonetheless, all of this happened.

Watching this attack made me think of enterprise security. Businesses cannot pay attention only to operating system vulnerabilities. They need to pay attention to third-party software as well. Currently securiy in third-party software is no better than that in operating systems. So the best practice I can recommend is to use risk and compliance software to scan and find third-party software that doesn’t match enterprise policy. The final step is to update or delete these applications.

Here’s a quick note about an unpatched vulnerability affecting Adobe Flash Player. McAfee Avert Labs has received submissions of samples of exploits from many sources spanning multiple domains over the past 24 hours. We’re currently investigating the flaw.

Stay tuned for more details.

In March I blogged about a round of mass Web site compromises. Since then there have been several other instances discovered, as well as a couple of smoking guns. The net net is that the bad guys are using automated tools to find and attack Web applications that are vulnerable to SQL-injection attacks. Many of these applications are homegrown and thus there is no patch or hotfix for administrators to install. This means that simply removing the injected malicious code won’t last long.

Just now I was reviewing the latest batch of hacked sites, and I noticed pages that were previously compromised and “repaired,” only to be compromised again. The entry point for these attacks must be closed in order to thwart future attacks. This means that underlying code must be audited and improper input validation must be corrected. And given that many Web administrators install out-of-support freeware and shareware applications, we can expect many sites to remain vulnerable for a very long time.

McAfee’s Foundstone Hackme Shipping Tool can be a useful resource for those in need of a better understanding of how common Web application attacks occur and how to properly code against them.

Late on Thursday Microsoft released an advisory about a new privilege escalation vulnerability affecting IIS and SQL Server on Windows XP, 2003, Vista, and Server 2008.

It’s likely that this is the same flaw discussed by Cesar Cerrudo in his talk, “Token Kidnapping”, at the HITB Security Conference 2008 in Dubai. Cerrudo had discovered a privilege-escalation vulnerability earlier, and said in March, “Design weaknesses can be abused on Windows XP, Vista, Internet Information Services 7 and Windows Server 2003 and 2008”.

So what is known about this flaw? A malicious local user who has authentication could execute specially crafted code to raise his privilege level to LocalSystem. IIS and SQL Server are the main attack vectors. But other vectors are possible, such as Microsoft Distributed Transaction Coordinator (MSDTC) on Windows Server 2003.

While the vulnerability is limited to a local privilege escalation, IIS’s susceptibility is concerning. The Web server is widely used on the Internet, and is a top pick by Web-hosting providers. We might see Web-hosting providers targeted, and — this is scary -– their clients’ Web sites breached. As Microsoft stated in its advisory, “Hosting providers may be at increased risk from this elevation of privilege vulnerability.” However, no exploitation has been observed at this time.

The next Patch Tuesday is May 13. Sysadmins, please heed to Microsoft’s suggested workarounds for IIS until then -– or more to the point, until Microsoft patches this vulnerability.

Finally, a bit of speculation (hat tip to Kevin Beets). One attack vector for this vulnerability uses the SeImpersonateClient privilege. The MSDN page for privilege constants states:

Windows XP/2000: This privilege is not supported. Note that this value is supported starting with Windows Server 2003, Windows XP SP2, and Windows 2000 SP4.

Microsoft did not say that Windows 2000 or Windows 2000 SP4 are vulnerable. But curiously, they did say Windows XP SP2 is. If Service Pack 2 for Windows XP introduced this vulnerability in that operating system, might Service Pack 4 for Windows 2000 not have done the same for Windows 2000?

A Microsoft Works ActiveX potential zero-day threat has been disclosed on a handful of Chinese blog sites. This threat was originally posted as a proof of concept that caused a Windows host to crash, but very soon after, a working exploit was posted. (Show of hands: Who’s surprised?)

Here’s the meat of this: The flaw lies in an ActiveX component of Microsoft Works Image Server (WkImgSrv.dll). Yes, it appears successful exploitation would allow for code execution via a controlled pointer. For this to occur, the victim would need to visit a malicious Web site.

On the plus side, this control is not marked safe, and attempts to use it should be accompanied with a warning from Internet Explorer. Even though this is the case, you will want to set the kill bit for clsid:00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6 to help mitigate. Initial testing on Windows XP SP2 and Internet Explorer 7 shows this to be easily exploitable once past the “warning” hurdle.

In the mean time, McAfee Avert Labs will continue researching this issue.

Update: June 6, 2008
Microsoft has confirmed that exploitation of this issue is not possible due to the control not being safe for scripting, nor safe for initialization. They have a nicely written, thorough write-up here explaining why.

A few weeks ago we blogged about a recent MS Access exploits being nothing new.  Well there is now something new.

On the heels of Symantec blogging about a new tandem Word document/Access database exploit; Microsoft released Security Advisory (950627).  As we stated before, Microsoft considers MDB files to be unsafe.  Accordingly, Microsoft email clients prevent users from attempting to double-click on MDB (Microsoft Access Database) files.  Up until recently attackers typically exploited MS Jet DB vulnerabilities through MDB files, and therefore Microsoft stuck to their “MDB files are unsafe” story.  Well that’s changed.

In several recent-yet limited-attacks, exploits were crafted to attack an MS Jet Database vulnerability through Word.  The Word docs are coded to reference Access database files regardless of extension (which allows attackers to circumvent content filters looking for specific email attachment extensions).

An attack scenario looks like this:

1. A user receives an email message with 2 attachments (one of which is a Word document)
2. The email client saves the attachments to the same directory
3. The user opens the Word document, which in turn opens the Access database containing the exploit code

In another scenario the attackers have archived both the database and Word document in a ZIP file, but the principle is the same.

Microsoft states that Msjet40.dll versions greater than 4.0.9505.0 are not vulnerable, which means this issue was (silently) fixed for Windows Server 2003 SP2 and Windows Vista.

McAfee DAT files version 5256 (released March 20) detect all known Access exploits as Exploit-MSJet.

Here’s a quick post about a claimed zero-day vulnerability in CA BrightStor ARCserve Backup, software that provides backup functionality for Windows systems. Proof-of-concept exploit code for this vulnerability is public.

A specially crafted Web page could trigger a stack overflow in the AddColumn() method in the ListCtrl Active X Control. For an attack to occur, a user would have to be tricked into visiting a malicious Web site. The exploit writer states that he has successfully run his attack code against CA BrightStor ARCserve Backup r11.5, with Internet Explorer 6 running on Microsoft Windows XP SP2 (the Polish edition).

McAfee Avert Labs is analyzing the flaw. As an aside, our research database reveals that the last known vulnerability in CA BrightStor ARCserve Backup was disclosed on November 26, 2007: CVE-2007-5328. CA worked with the discloser to release a patch for the vulnerability on the same day.

Last night Microsoft released Security Advisory (947563) due to the discovery of a targeted zero-day attack. Microsoft states the following products are vulnerable:

• Microsoft Office Excel 2003 Service Pack 2
• Microsoft Office Excel Viewer 2003
• Microsoft Office Excel 2002
• Microsoft Office Excel 2000
• Microsoft Excel 2004 for Mac

I took a look at previous Office zero-day vulnerabilities that were discovered through active exploitation since the beginning of 2005. As you can see below, there was a seven-month gap in the public disclosure of these vulnerabilities.

Although this bit of trivia is somewhat interesting, it’s difficult to draw meaning from it. It’s possible that the lull exists only in reporting, rather than in the active exploitation itself. Here’s a per-product breakdown of the source of the vulnerabilities:

The last Excel zero-day discovered through exploitation was reported more than 18 months ago.

You may have seen a number of news reports in the past day or two on the active exploitation of a Microsoft Access vulnerability. Here is one story by PC World.

The US-CERT’s current activity Web page, “a regularly updated summary of the most frequent, high-impact types of security incidents currently being reported to the US-CERT,” warned about this active exploitation on December 10.

It is rumored that the vulnerability being exploited is CVE-2007-6026.

Avert Labs is working to find out more. As they say in the press, watch this space!

While we wait, here’s what we know about CVE-2007-6026. It’s a stack overflow in Access. A user would have to open a specially crafted Access database for an attack to take place. Although user assistance is required for exploitation, an exploit could be delivered over various attack vectors, including the Web, e-mail, and IM. Attacks could be coupled with well-establishing social engineering techniques. And now for the rub: This vulnerability is currently unpatched.

It seems to be about that time to, once again, get out our computer security crystal ball and conjecture about the upcoming year.

Many things are changing. Some are staying the same. In some areas we are in uncharted territory.

Threats are moving quickly to technologies such as VoIP and instant messaging. Virtualization will have a huge impact on both data security and the data security industry itself. Professional and organized criminals continue to drive much of the malicious activity. The complete set of predictions is available for download on McAfee’s Threat Center as well as a bonus episode of our podcast AudioParasitics.

All companies, software, and websites need to have a clear means of receiving information about vulnerabilities. Every application has vulnerabilities and sometimes 3rd parties just happen to see them. I was using a Web App for a local diamond dealer. Clearly they deal with a high value product that should be well protected. While I was browsing the site, I noticed that it appeared to use GET requests to pass item and price information. It turns out that the two aren’t cross verified on the back end — it was possible to change the price. Maybe they have internal processes to verify the price, but maybe not. Likewise, if an evil attacker uses the vulnerability, is the merchant bound to the price they charged the credit card? They also allowed negative prices. Would the 3rd party credit card servicing site happily provide a charge back?

I’ve tried to contact the merchant, but I just can’t seem to get through to anyone that understands the problem. I only want someone that understands the potential problem to be aware of it so that they can accept the risk or go about fixing it. So New Rule, if you have an application (web or otherwise) you MUST have a clear means of receiving vulnerability information.

W32/Nuwar aka the Storm worm ever since it debut in Nov 2006 has relentlessly flooded internet users with its ever-changing email campaigns. With the storm worm authors having this uncanny knack of using sensationalist themes that draw public attention, the morbid curiosity it has generated has ensured that is the most blogged about piece of malware this year!

The latest campaign is an HTML formatted email using the Labor Day theme, inviting users to view an online greeting card. A copy of the spammed email is as follows:

The authors have used anchor tags in HTML to mask the greeting card link so that an unsuspecting user does not notice that it actually points to a malicious ip address. Hovering the mouse over this disguised link is a quick and dirty way to reveal the real destination address. Users who fall for this bait are directed to the following Happy Labor Day page.

Everything looks hunky-dory except an unsuspecting user is served an xor’ed exploit cocktail in the background. In addition to the usual Microsoft exploits, QuickTime and WinZip buffer overflow exploits are also attempted on a user’s machine. Given the slim likelihood of vulnerable third party applications being up to date on a user’s machine, it increases the attacker’s chances of a successful exploitation. Especially since most applications do not support automated updates and it is left up to the users to first find out if they have a vulnerable version of the application and then manually patch it.

Enterprise customers have the bandwidth and resources to ensure every machine on the corporate network is fully patched. It is usually home consumers – the low hanging fruit that fall prey to these malicious tactics. For users wanting to check if third party applications on their systems are vulnerable, a free online resource to visit would be the Secunia Software Inspector. Happy Patching

The patches for the Webcam vulnerabilities we reported earlier have been released by Yahoo. We urge Yahoo Messenger users to download the latest Messenger. Thanks to the Yahoo security team for working with us to resolve this issue in a short time. Here’s what you need to know.

[UPDATE]
Yahoo has fixed its Webcam vulnerability. The patches for the Webcam vulnerabilities have been released by Yahoo. We urge Yahoo Messenger users to download the latest Messenger. Thanks to the Yahoo security team for working with us to resolve this issue in a short time. Here’s what you need to know.

[Original blog:]
Earlier today Karthik had blogged about details of a new zero day in Yahoo! Messenger being published on some security forums in China, we got a chance to dig a bit deeper into this and were able to reproduce the vulnerability on Yahoo! Messenger version 8.1.0.413 based on the information provided in the forum. It seems like a classic heap overflow which can be triggered when the victim accepts a webcam invite. Note that this vulnerability is different from the recently patched one in June which exploited the Yahoo! Webcam ActiveX controls. 

We’ve been able to reach Yahoo! security team and have informed them about this issue. 

We recommend the following to users using Yahoo! Messenger Webcam:

1) Don’t accept webcam invites from untrusted sources until a patch for this is released.

2) It’s advisable to block outgoing traffic on TCP port 5100 until the vendor patches this vulnerability.

To mitigate this, we’re releasing our NIPS IntruShield signatures today to protect Yahoo! Messenger users from this threat. We shall keep on monitoring this threat and update if we come across anything.

Recently Gartner slammed 3Com’s TippingPoint division for sponsoring zero day contests without giving the vendor Apple Inc. a chance to fix the flaws before their patch release. They apparently paid $10,000 bounty to Dino Dai Zovi, a well distinguished security researcher at the recent CanSecWest conference.

Wow! It is rather ironic that a security company, who presumably wants to protect customers, will first put everyone to risk, not notify the vendor on time, and then release signatures! The anti-virus community, long the target of (bogus) claims that they write viruses to make money, wouldn’t touch a contest like this with a barge-pole. In fact, even staunch full-disclosure advocates note the ethical disconnect implicit in security companies producing content earlier than their competitors via such initiatives (see http://blog.ncircle.com/archives/2005/08/3coms_zero_day_initiative_cest.html and our premier issue of Sage.)

As security vendors, our mission is to protect our customers and the internet community at-large , not to create hype and FUD by giving the world a chance to exploit unpatched flaws!! Failing to disclose to anyone leaves the good guys in the dark – but supporting irresponsible disclosure give the bad guys night vision…

Last week was spent combating a slew of exploits for the vulnerabilities patched by Microsoft on April 3.

Yesterday saw the release of several Microsoft Office zero-day exploits in security forums. Some of these flaws may allow for remote code execution. McAfee Avert Labs is investigating all these zero-days. Today is Patch Tuesday for April. So, yes: this is yet another time that zero-day flaws have been published around a Patch Tuesday, possibly to maximize the public’s exposure to these flaws until the next month’s Patch Tuesday.

Update, 2pm PST

Further research by Avert Labs indicates that all but one of the Office zero-days reported yesterday result in denial of service. There is one heap-overflow flaw that might be exploited for code execution. We’ll keep you updated.

Update, 5pm PST

Avert Labs has been analyzing proof-of-concept code for a zero-day vulnerability in Microsoft Windows’s handling of HLP files. This is another heap-overflow flaw that might be exploited for code execution. Stay tuned.

Update, April 17
Microsoft has ruled out the possibility of code execution in the zero-day vulnerabilities in Word 2007 released last week.

On April 6th, 2007, our heuristics proactively detected a new document exploit for Ichitaro, a popular Japanese word processor, that was being exploiting a new 0-day vulnerability in the wild. The vendor was notified immediately and confirmed we have identified a new and previously unknown vulnerability. This follows the other 0-day vulnerability for Ichitaro that was exploited in the wild in August the previous year.

The specially crafted document (Exploit-TaroDrop.b) came with a Japanese filename with extension “.jtd” that is used by Ichitaro.

When users open this document, Exploit-TaroDrop.b causes a buffer overflow, executes shellcode, drops a malware called %Windir%\System32\downhk.exe (BackDoor-DKI.dldr) and silently terminates. Before the user could realize the disruption, Ichitaro is restarted and they can continue to view the document but with a different filename “a.jtd”.

What goes on behind the scenes was really Exploit-TaroDrop.b taking control over code execution from Ichitaro after a buffer overflow occurred and caused the application to terminate. The malware author attempts to “repair” the user experience by dropping a clean document that can be viewed in Ichitaro so as not to arouse any suspicion.

We are seeing similar methods used in the other document type exploits for Microsoft Office applications. Although this method may vary in other cases, it would be worth checking the filename in the application title bar, and take note of any abnormal behavior as such.

We can expect malware authors to continue discovering and creating new exploits in localized (and often neglected) applications; and using various social engineering methods to keep these threats undetected. Users must be armed with both advanced heuristics and good vigilance and intuition and even then threats like these are going to be increasingly difficult to track and defend against.

A security patch is being developed by the vendor to deal with this vulnerability.

This malware was reported by both Shinsuke Honjo and Geok Meng Ong of McAfee Avert Labs.

Malware authors have been at the cutting edge of incorporating exploit code into their creations for zero day vulnerabilities. Fueled by financial incentives and readily available source code, the bad guys of today aggressively pursue continued development of malware code. Over the years, the window between vulnerability discoveries to its incorporation into a worm or exploit candidate has shrunk from months, to weeks, to zero day. This leaves administrators with very little time to schedule and deploy patches to all servers and workstations on their networks. And during this vulnerable time frame if the network is hit with a bot that uses a zero-day vulnerability, an organization could be faced with a potential worm outbreak or large scale attack.

The chart below shows the time frame between the vulnerability being reported and how long it took for malware authors to incorporate it into a worm candidate.

The paper “Defeating bots on the internal network” from McAfee Avert Labs published in the Feb 2007 issue of Virus Bulletin describes setting up an IRC honeypot on a network using minimal resources and requiring little maintenance to be used as an early warning system to proactively alert botnet activity. Also discussed is using the internal IRC honeypot to gain control over infected machines and removing the bot from infected machines.

There have been numerous stories recently covering unpatched Microsoft Word vulnerabilities. For reference, the CVE designations for these vulnerabilities are:

• CVE-2006-5994
• CVE-2006-6456
• CVE-2006-6561
• CVE-2007-0515
• CVE-2007-0621 (Microsoft has stated that this is not a new, but related to CVE-2006-6456)

Recently McAfee Avert Labs added detection for Exploit-MSExcel.h, an Excel document that was submitted from the field. This exploit is consistent with other targeted zero-day attacks and is believed to be contained.

Microsoft has confirmed that this exploit targets an unpatched vulnerability. According to Microsoft’s Security Advisories Archive (Microsoft Security Advisories are released in advance of patch releases, not to be confused with Microsoft Security Bulletins), the only Excel-related security advisory in the past 20 months, was patched in MS06-037. Numerous other Excel-related patches have been released during this time.

Update Feb 2, 2007 at 7 pm PST
Microsoft Security Advisory (932553) has been released and CVE-2007-0671 has been assigned. Microsoft describes this vulnerability as affecting the following products:

• Microsoft Office 2003 
• Microsoft Office XP 
• Microsoft Office 2000
• Microsoft Office 2004 for Mac

From the advisory:

Workarounds for Microsoft Office Remote Code Vulnerability:
Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

• Do not open or save Office files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted Office file.

McAfee Avert Labs has confirmed Microsoft’s testing; not opening malicious Office files successfully mitigates this threat.

While various bits of North America have seen wintry flurries in the past fortnight, those in computer security have seen a flurry of four Microsoft-related zero-day exploits.

The first three of these flaws affect Microsoft Visual Studio:

• Microsoft Visual Studio .CNT Buffer Overflow
• Microsoft Visual Studio .HPJ Buffer Overflow
• Microsoft Visual Studio .RC Vulnerability

The fourth flaws affects Microsoft Word:

• Microsoft Word 0-Day Vulnerability IV

All four flaws would allow a remote attacker to execute arbitrary code on a vulnerable machine. For an attack to occur in all four cases, user interaction is required; e.g., a user would have to visit a Web site that hosts a malicious file or open a malicious file locally.

With Microsoft’s next Patch Tuesday falling on February 13, these flaws will remain un-patched for at least two more weeks. So stay warm this winter, and insulate yourself from these zero-day exploits too!

This just hasn’t been a great year for the security of applications or responsible disclosure, has it. First we have the Month of Apple Bugs (which is finding a number of application-specific vulnerabilities), then we have a raft of Adobe product vulnerabilities. Now we have VeriSign offering a substantial bounty for people to poke holes in IE7 and Vista.

It seems that what we’re seeing in the malware world is also happening in the vulnerability world. Financial motivation, a vast increase in overall traffic with no one incident being particularly huge, and a general feeling of being in the Wild West. Lawlessness and vigilantism seems to be the order of the day. That doesn’t generally lead one to feel like the internet is a shiny, happy place.

But what are we to do about this? Telling people they’re naughty and need to behave, when they’re getting such notoriety or financial gain obviously isn’t going to work. Making the notoriety and money stop coming is a largely futile effort as well, it would seem. Even suing Adware makers, as an example, seems to be reasonably ineffective.

Maybe the key lies in the consumer side of the equation. Maybe as the general populace becomes more aware of what things to avoid, and what things to do to protect themselves, this will become a moot point. The glut of malware and vulnerabilities will be like flies buzzing in our ears – an academic concern rather than a constant state of emergency. I do find it hopeful that people are becoming more aware of security issues, even if we have a very long way to go yet.

For many, the Portable Document Format (PDF) has become the de-facto standard for exchanging documents. In using PDFs, some wish to sidestep the risks of malware-prone Microsoft Office documents. But with the announcement of six new PDF-related vulnerabilities in several security forums last week, we should all now be more careful with PDFs.

The first five of these new vulnerabilities have to do with the Adobe Reader plugin. Attacks that exploit these flaws may result in one of more of these results: HTTP-response splitting, cross-site scripting, session forgery, session riding, denial of service, memory corruption, or code execution. This scary list of attack results notwithstanding, a user would have to open a malicious web URL for an attack to occur. Adobe has issued Adobe Reader 8 that remedies these flaws.

The sixth new PDF vulnerability is also the sixth of the Month of Apple Bugs (MoAB) installment. If a malicious PDF document crafted to exploit this flaw were opened by a user, it would corrupt memory and could lead to code execution. Landon Fuller has posted or referred to temporary fixes for all eight MoAB flaws so far. The fix for the MoAB PDF flaw can be found here. Thank you, Landon!

Please stay secure against the PDF vulnerabilities, as we continue to protect our customers against such threats.

No, it’s not a Massive Ordnance Air Blast Bomb, thankfully. But could users of Apple software feel that it’s really that bad? January 2007 is the Month of Apple Bugs (MoAB), in which a new Apple-related vulnerability is announced for every day of the month.

The first two MoAB bugs affect Apple Quicktime and VLC Media Player respectively. If exploited, both bugs would allow remote code execution — however user interaction is needed.

MoAB is a project similar to November 2006’s Month of Kernel Bugs (MoKB). The bugs released during the MoKB affected software from a gamut of vendors, including Apple, Linux, Microsoft, NetGear, and others. In both projects, security researchers announce previously-unknown bugs in selected software in order to raise awareness about the state of security in these software products.

While many MoKB bugs remain un-patched and the software they affect remain vulnerable, Apple users affected by MoAB can thank Landon Fuller for some temporary relief. Landon, a system architect, has promised to develop unofficial patches for software affected by MoAB bugs.

The researchers at McAfee Avert Labs will continue to follow MoAB closely, so keep reading!

Apparently not! On December 20, a new zero-day exploit for Microsoft Windows operating systems was released. This exploit targets a weakness in the Client Server Run-Time Subsystem, and allows local privilege escalation or denial of service.

Microsoft has acknowledged this vulnerability and admitted that its newest operating system, Windows Vista, is vulnerable.

Keep reading for more on exploits released this holiday season. Happy holidays!

In the week leading up to 12 December 2006, two new Microsoft Word zero-day vulnerabilities became public (Word I, Word II). Microsoft’s December Patch Tuesday fell on December 12, but this cocktail of Microsoft’s patches did not include fixes for the two new Word flaws. To make matters worse, on December 12, a third zero-day Word flaw was released (Word III).

Although one could argue that the December 12 release of a new Microsoft flaw was only a coincidence, it fits the trend of the disclosure of Microsoft vulnerabilities on or just after a Patch Tuesday. November’s trend-fitter, a vulnerability in Microsoft Active Directory, did not include a public proof-of-concept; this month’s trend-fitter, however, does have a public proof-of-concept.

So the Word zero-day trio has a window of exposure of at least a month. Please stay secure as we continue to protect our customers against such attacks.

Last Wednesday, Microsoft posted an advisory for a targeted “zero-day” attack using a Microsoft Word vulnerability CVE-2006-5994, we refer to this as “Microsoft Word 0-Day Vulnerability I”.

In our tracking of this new 0-day vulnerability, I analyzed a Word Document sample for MessageLabs. Just when you would have thought this could be the same 0-day which was most recent, Microsoft confirmed upon our request that we are seeing double trouble — this was really “Microsoft Word 0-Day Vulnerability II”.

I previously wrote about non-executable file formats being a popular vector in recent years; this is a trend that will continue into 2007 and deserves to be given ample consideration in planning for security resources, policies and user education programs.

McAfee Avert Labs released DAT coverage for payload associated with “Microsoft Word 0-Day Vulnerability I” in DAT version 4914 for Downloader-AZQ and Downloader-AZR. The new threat that is exploiting “Microsoft Word 0-Day Vulnerability II” is now covered in DAT version 4915 as Exploit-MSWord.b.

Malware authors have been pro-active in including exploit code for almost every new vulnerability reported into bots with utmost professionalism. Apart from the numerous Microsoft windows vulnerabilities where exploit code has been methodically incorporated into bot code, McAfee Avert Labs is seeing a trend where popular applications from software vendors are being targeted. In recent weeks we have seen bots that target vulnerabilities or weak passwords in the following applications:

Famatech Remote Admin http://vil.nai.com/vil/content/v_140984.htm
Symantec Antivirus http://vil.nai.com/vil/content/v_140978.htm

Although the vulnerabilities in the above software are dated and patches available, bot authors still found them enticing enough to target machines running vulnerable versions of the these software applications.

Other popular software applications with vulnerabilities that have been targeted by bots in the recent past include:

• CA BrightStor
• Dameware
• MySQL
• WU-FTP
• VNC

Most of the major software vendors like Adobe, Microsoft and Oracle now follow a monthly patching cycle and administrators have their hands full in ensuring that every machine on the network is patched. Sadly, most administrators do not have the flexibility to deploy patches immediately to machines on the network for policy reasons. For example, the organization could be using legacy software which could break if a new service pack was applied and keeping these legacy applications running takes precedence over applying the latest hot fixes. In rare cases a fix could break something else in the operating system or adversely affect other applications. Administrators need more time to first deploy these hot fixes in a test environment and QA them properly before deploying them to the entire enterprise.

Given the trend where malware authors are expanding their attack horizon by targeting vulnerable software applications, it wouldn’t be surprising if an exploit directed at popular instant messaging (IM) clients should surface. IM is popular both in consumer and corporate networks and an exploit that gives remote shell on a machine running an instant messenger would be stunningly effective.

That being said, it will be interesting to wait, watch and revisit this topic if and when an instant messenger remote shell exploit surfaces.

Today, Avert Labs announced the availability of its podcast on the “Top Ten Security Trends in 2007”.

As part of this podcast, McAfee will identify those threats it believes businesses and consumers will face in 2007 as computer criminals become more organized and professional in their approach.

Download the podcast

This week, Secunia and SecurityFocus published advisories on a Microsoft Windows Active Directory vulnerability. Reportedly, a remote attacker could deny service to vulnerable machines by exploiting this vulnerability.

Not much more is public about this flaw. Nonetheless, the flaw’s publication date is conspicuous: it was published on November 14, which coincides with Microsoft’s November Patch Tuesday.

I’ve called attention before to what may be a trend for vulnerability disclosure. Security researchers might be releasing Microsoft vulnerabilities on or just after a Patch Tuesday to maximize the vulnerabilities’ window of exposure. The November 14 Windows Active Directory vulnerability is yet another curve-fitter in this trend!

In my last blog entry I talked about the consequences of Microsoft’s policy of releasing security updates only once a month. Is this encouraging exploit writers to release zero-day Microsoft exploits soon after a month’s Patch Tuesday to maximize the vulnerability’s window of exposure? Yesterday, on 24 Oct 2006, exploit code was released for a Microsoft Internet Explorer (IE) vulnerability. This proof-of-code code could cause denial-of-service (DoS) in IE. Avert Labs is investigating this exploit further.

Patch Tuesday next month falls on November 14. So this IE bug’s potential window of exposure is at least three weeks…

Patch Tuesday refers to the second Tuesday of each month when Microsoft releases security updates for its products. As a matter of policy, Microsoft releases patches only on Patch Tuesday. (One recent exception to this was an out-of-cycle patch for the Internet Explorer VML vulnerability.)

The researchers at McAfee Avert Labs follow Patch Tuesday with interest: Microsoft’s products are used by the lion’s share of industry and home users, and un-patched vulnerabilities in Microsoft’s products can often have an impact on global security.

Back in July 2006, Patch Tuesday fell on July 11. On July 12, a Trojan, Exploit-PPT.b, was released. This Trojan exploited a previously-unknown Microsoft PowerPoint vulnerability.

An exploit for a new vulnerability follows a Patch Tuesday. A one-time event?

This month, on 12 October 2006-two days after the October Patch Tuesday-we discovered a zero-day exploit in the wild for a new Microsoft PowerPoint 2003 vulnerability, CVE-2006-5296. Microsoft has said on its TechNet blog that this exploit could carry out code execution on the victim’s machine.

Security expert Bruce Schneier has commented that exploits might be released to follow a Patch Tuesday to maximize the “window of exposure”-the time until next month’s Patch Tuesday arrives with security patches for the new vulnerability.

Is Zero-Day Wednesday (or Thursday) going to become a trend? We’ll be watching.

An epic transformation in the world of security is upon us. Today, we released the first issue of our semi-annual security magazine Sage. We will leverage this communication vehicle to deliver meaningful and sometime raw content to the masses. We take our responsibility to protect the public from malicious malcontents very seriously and will not shy away from difficult content or taboo topics. Instead, we will share with the world our day-to-day fight and let you decide how important the concepts being broached are to you.

The premiere issue examines the use of open source by the malware writing community. We show the pivotal role that code sharing and full disclosure have played in the evolution of the threat environment, and we anticipate a surge in malware quality and reliability as the malware writers become more professional. Though open source cannot be blamed for how some unsavory individuals may choose to use its tools, techniques, and methodologies, the movement should acknowledge that there are dangers associated with some of its fundamental beliefs.

Sage is meant to be a forum for thought leadership and serious discourse on topical security issues. By drawing on the Labs wealth of data and expertise, and writing challenging security articles, we hope to provoke important discussion about the digital battlefield we have found ourselves in.

Get Sage now from the McAfee Threat Center site:

http://www.mcafee.com/us/threat_center/white_paper.html