Chris Mosby at myITforum.com

I don't know about you, but I find this pretty damn funny...

Comcast.net not Hacked, DNS Records Hijacked

********************************************************************

Title: Microsoft Security Bulletin Minor Revisions

Issued: May 29, 2008

********************************************************************

Summary

=======

The following bulletin has undergone a minor revision increment.

Please see the bulletin for more details.

* MS08-028 - Critical

Bulletin Information:

=====================

* MS08-028 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms08-028.mspx

- Reason for Revision: V1.1 (May 28, 2008): Added entry to Update FAQ to clarify that CVE-2005-0944 was also addressed by this update.

- Originally posted: May 13, 2008

- Updated: May 28, 2008

- Bulletin Severity Rating: Critical

- Version: 1.1

REVOKED: Adobe Flash Player Unspecified Vulnerability

Secunia Advisory:
SA30404

Release Date:
2008-05-28

Last Update:
2008-05-29

Critical:

Extremely critical

Impact:
System access

Where:
From remote

Solution Status:
Vendor Patch

Software:
Adobe Flash Player 9.x

Symantec: Adobe Patch Not a Problem After All
By Brian Prince
2008-05-29

Adobe Product Security Incident Response Team (PSIRT)

Working to help protect customers from vulnerabilities in Adobe software

« Security Bulletins - May 2008 | Main | Potential Flash Player issue - update »

Potential Flash Player issue

Just a quick note to say we are aware of today’s report of a potential exploit involving Flash Player in the wild. We are working with Symantec to investigate the potential SWF vulnerability, and will have an update once we get more information.

UPDATE: This exploit appears to be taking advantage of a known vulnerability, reported by Mark Dowd of the ISS X-Force and wushi of team509, that was resolved in Flash Player 9.0.124.0 (CVE-2007-0071). We strongly encourage everyone to download and install the latest Flash Player update, 9.0.124.0.

This posting is provided “AS IS” with no warranties and confers no rights

Free Sysinternals Windows utilities now available online, 24/7

Posted by Ed Bott @ 3:00 pm

Categories: Microsoft, Tips

Tags: Window, Sysinternals, Tool, Productivity, Ed Bott

If you troubleshoot Windows PCs for fun or profit, then chances are you’ve used one or more tools from Sysinternals. Microsoft bought the company and its amazing library of diagnostic, troubleshooting, and management utilities in 2006, and the collection has been continually updated ever since. It’s also still completely free.

A few weeks ago, I ran into Sysinternals co-founder Mark Russinovich at a technical conference, where he told me about a new Sysinternals service that was in private beta testing. Today, I can finally break the news that Sysinternals Live is now open to the public.

The new service enables you to execute the most recent version of any Sysinternals tool directly from an Internet-connected PC, without having to hunt for the executable file and manually download it first. To access the complete library of tools, use either of these methods from a Windows-based PC:

• Go to the Sysinternals Live directory (http://live.sysinternals.com) and click the name of the tool you want to run. Because the directory listing is a bare-bones HTML file, it can be used in any browser.
• If you know the name of the executable file for the tool you want to use, enter it directly, using the syntax \\live.sysinternals.com\tools\<toolname>, where <toolname> is the name of the executable file. (Note the UNC syntax uses backslashes, not slashes, as in a URL. Start with a pair of backslashes to indicate that live.sysinternals.com is the remote server, and don’t include the angle brackets with the tool name.)

If you’ve never used Sysinternals tools before, you’d do well to start at the Sysinternals home page, which includes descriptions of each tool, along with download links and installation instructions. But if you are already familiar with one or more tools in the library, you can create direct shortcuts to those tools on your desktop or on the USB flash drive you keep with your emergency toolkit.

Here are three shortcuts to get you started, all of which have been updated in 2008:

Process Explorer (\\live.sysinternals.com\procexp.exe) - This Task Manager replacement occupies the number-one slot on my top 10 list of all-time favorite Windows programs. As I noted in that writeup, “It provides system information, a hierarchical view of all running processes (including services), and an overwhelming number of technical details about how each process uses CPU and memory. It all runs in real time, making it an ideal troubleshooting tool.”

AutoRuns (\\live.sysinternals.com\autoruns.exe) - Are you still using Msconfig to see which processes are automatically running when you start a Windows PC? Then you literally don’t know what you’re missing. There are dozens of nooks and crannies in the Windows file system and registry where auto-starting programs can park themselves. This tool finds them all. More importantly, it allows you to disable or remove any entry you find.

Process Monitor (\\live.sysinternals.com\procmon.exe) - If you’re trying to figure out exactly what a program or process is doing (especially if you’re actively on the hunt for malware), this tool is your best friend. It combines the features of the now-retired Filemon and Regmon utilities to trace (and capture in an optional log file) the impact of a process as it starts, runs, and exits.

The “live” tools should work equally well in x86 and x64 versions of Windows Vista and Server 2008; I ran into a bug with Process Explorer and Handle.exe in my x64 testing, but corrected versions of both utilities were scheduled to go online today before Sysinternals Live opened to the public. Also, in Windows Vista and Server 2008 you can use “live” versions of command-line tools, but most require that you enter the command name in UNC syntax from an elevated prompt (click Start, type cmd in the Search box, select Cmd.exe from the results list, and press Ctrl+Shift+Enter).  The command-line tools I tested worked perfectly exactly as expected.

If you’re a Sysinternals fan, you’ll love Sysinternals Live.

Free Sysinternals Windows utilities now available online, 24/7 | Ed Bott’s Microsoft Report | ZDNet.com

In mobile news: TippingPoint has reported a JPEG Processing Stack Overflow Vulnerability affecting firmware based Motorola Razr phones. The vulnerability was discovered last summer. New Razr shipments will not be affected as Motorola has produced a fix for the issue.

The vulnerability allows remote attackers to execute arbitrary code on vulnerable Motorola Razr firmware based cell phones.

From TippingPoint:

A corrupt JPEG received via MMS can cause a memory corruption which can be leveraged to execute arbitrary code on the affected device.

So some user interaction is required — accepting the MMS. However, people by and large generally trust image files so that isn't a difficult social engineering challenge.

On a positive note, the Razr uses a proprietary OS and the "knowledge base" is limited to enthusiasts and modders. But there are modders are out there. Popular hardware always generates a crowd of recreational hackers, e.g. iPhone.

Perhaps we'll see this JPEG exploit used to simplify unlocking older Razrs. Jailbreaking the iPhone was simplified by a TIFF handling exploit after all.

We probably won't see any malware as a result of this vulnerability. Still, one interesting thing to consider is that if a Razr were to be exploited by this, the user wouldn't be able to undo the damage without a reinstall of the firmware. Being a closed OS, there is no hard reset available as there are with many smartphones.

Updates are available for older Razr models via Motorola.

Motorola RAZR JPEG Processing Buffer Overflow

Secunia Advisory:
SA30409

Release Date:
2008-05-28

Critical:

Highly critical

Impact:
System access

Where:
From remote

Solution Status:
Vendor Patch

OS:
Motorola RAZR

Description:
A vulnerability has been reported in Motorola RAZR, which can be exploited by malicious people to compromise a vulnerable device.
The vulnerability is caused due to a boundary error in the JPEG thumbprint component. This can be exploited to cause a stack-based buffer overflow via a specially crafted JPEG image sent via MMS.  Successful exploitation allows execution of arbitrary code, but requires that the user accepts the malicious image.
Solution:
The vendor recommends updating to the latest firmware version. Please contact the vendor for more information.
Provided and/or discovered by:
Discovered by an anonymous researcher, reported via ZDI.
Original Advisory:
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-08-033/

OpenSSL Two Denial of Service Vulnerabilities

Secunia Advisory:
SA30405

Release Date:
2008-05-28

Critical:

Moderately critical

Impact:
DoS

Where:
From remote

Solution Status:
Vendor Patch

Software:
OpenSSL 0.9.x

CVE reference:
CVE-2008-0891 (Secunia mirror)
CVE-2008-1672 (Secunia mirror)

Flash Player Exploit Update 2

Wednesday May 28, 2008 at 9:55 am CST
Posted by Craig Schmugar

Trackback

Last night our researchers identified similarities between the recent Adobe Flash exploits and a known (patched) vulnerability: CVE-2007-0071. At first, this appeared to close the case, but there was a report of a patched version of Flash falling victim to one of these attacks, and we’ve seen an SWF file referencing a missing file named WIN 9,0,124,0i.swf, which also suggests that the latest version of Flash is the target of that file.

The exploits that we have captured from the field do not appear to exploit the latest version of Flash. We continue to hunt for missing 9,0,124 exploits and will post an update should one be discovered. In the meantime, it’s best to update to the latest player, if you haven’t yet done so.

There are reports of a critical vulnerability affecting current versions of Adobe Flash and evidence of it being exploited in the wild. Versions including and previous to 9.0.124.0 are reported to be at risk. However — chatter on the security lists we frequent suggest version 9.0.124.0 is not vulnerable and that the attacks are only reliably effective against version 9.0.115.0 and earlier (using CVE-2007-0071).

In any case — we are seeing Flash exploits being used in combination with SQL injection attacks. See Patrik's May 13th post for more information on the SQL attacks. Many/most people probably don't update Flash every time there's an update. This in combination with the SQL injection attacks against tens of thousands of hacked sites is cause for concern. Many, many users could be at risk and should update their Flash software. Shadowserver has a good post highlighting some domains pushing Flash exploits.

Adobe is aware of the issue and is investigating but does not yet have a full report. We'll update you later on whether or not version 9.0.124.0 is affected.

In the meantime, there may be some mitigating strategies you'd like to employ.

First of all you can uninstall Flash. But that can be somewhat aggravating as you'll then be prompted frequently to install Flash from numerous websites. So another option is to update and then disable your current installation.

If you have Flash installed on your Windows computer, Add/Remove Programs includes a "Click here for support information" link.

ActiveX component for Internet Explorer:



Firefox Plugin:



Update to the most recent version. You can test your installation from this page.

What are your options once you're up to date?

For Internet Explorer, you can use the Manage Add-ons option to disable Flash:



But then you'll get this annoying prompt on Flash enabled sites:



An alternative is to use registry (.reg) files. This file disables Flash and this file enables Flash in IE. Right-click, save, and place the files in a convenient location and you can toggle Flash on/off as needed.

A big hat tip goes to John Haller's Useful Stuff site for the .reg files.

And for Firefox?

We suggest Flashblock and NoScript:



NoScript is an excellent plugin and will block Flash from any untrusted sites. But be careful whom you trust. Remember, even trusted sites can be hacked. Still, it's a must have plugin for security conscious individuals. You can install it from noscript.net.

Flashblock prevents all Flash content from loading. It inserts a placeholder that then allows the user to toggle only the desired Flash. You can install it from flashblock.mozdev.org.

Followup to Flash/swf stories

Published: 2008-05-28,
Last Updated: 2008-05-28 16:57:38 UTC
by Jim Clausing (Version: 2)

0 comment(s)

We've received quite a bit of mail about our stories yesterday about the malicious SWF files attempting to exploit older versions of the Adobe Flash player.  So, here are a few of the things that have come out of our discussions.

1. Our friends over at shadowserver.org (thanx, Steven) have a nice writeup that includes a bunch of domains they've noted that have the malicious SWF files.
2. If you aren't sure which version of the flash player you are using, Adobe provides this page where you can check for yourself.
3. On closer examination, this does not appear to be a "0-day exploit".  Symantec has updated their threatcon info, as well.  We have yet to see one of these that succeeds against the current version (9.0.124.0), if you find one that does, please let us know via the contact page.
4. It appears that this exploit may be included in the Chinese version of the MPack exploit toolkit (among others).
5. In case we weren't clear about it earlier, it appears that the infected web sites check which browser you are using in addition to the flash player version to determine which exploit to deliver.

There are several ways to protect yourself even if you have a vulnerable version of the Flash player.

• In Firefox, you can use either of the following add-ons, NoScript (one of our favorites, found here or here) or FlashBlock (here or here).
• In IE, see here for how to set the "killbit", the CLSID is BD96C556-65A3-11D0-983A-00C04FC29E36.

Update: (2008-05-28-16:54UTC) I was remiss in not mentioning Dancho Danchev's writeup.

Romanian Whack-A-Mole and Linux Bots
Posted by Toni @ 17:27 GMT | Comments

It doesn't always have to be the latest and greatest zero-day exploit that causes you to lose control of your computer or server to external attackers. Today's example comes in the relatively ancient form of brute force SSH.
We recently received a sample containing several different files:

A psyBNC installation; legitimate software used by many for normal purposes, but it's also a common tool in an attacker's toolkit.
And a collection of scripts, binaries, and password files that were used to scan for machines that have their SSH port open.
The binaries that were used maliciously in this case were connecting to a large public IRC network. We see quite many such as these, all headed for the same network even though it does have a working abuse address and the network's administrators actually do something to the botnet channels that get reported. In our experience, the botnets are most often run by various small gangs coming largely from eastern Europe; notably from Romania.

Once one of the botnet channels has been suppressed, it takes only a few hours for a new one to pop up in the same IRC network but under a different channel name.

The botnet in this case was made up of about forty infected Linux machines, and judging by their DNS Resource Records, most of them are either webservers or mail servers, which usually have a bit fatter Internet connection than you average Joe Consumer.
The moral? Even unsophisticated attackers don't need the latest and greatest techniques if the target's passwords are weak.

The Strange Case of ‘Mr. Spilberg’

Friday May 23, 2008 at 10:27 am CST
Posted by Paolo Palumbo

Trackback

When analyzing malware, it is not uncommon to stumble across interesting situations. Recently, I have been analyzing a variant of a FakeAlert BHO. This threat isn’t notable; it displays “alert” pop-ups when correctly installed, and prompts users to download a fake anti-spyware product.

However, when analyzing it, I noticed that this BHO was trying to access a file named “f***youspilberg.bat” located in the root folder of my research machine. Of course, with such a name, I immediately got interested and started to dig deeper to see what was going on.

After removing the inevitable compression layer, I was quickly able to locate the file access operation inside the FakeAlert’s code; specifically, it resides inside the DllRegisterServer export function, which is used to initialize BHOs.

After analyzing the code, I saw that the routine which contains the file access operation will perform checks on the existence of this file and the file creation date, returning TRUE if the checks are OK or FALSE otherwise. This again increased my curiosity.

So, I resumed analyzing the code that follows the invocation of the routine which performs the check on the f***youspilberg.bat file:

We can see now that if the checks on the file are succesful, the next block of code will be bypassed. What is that block of code? Why do we want to bypass it? After looking further, I found that block just checks for the presence of VMWare. If VMWare is detected, then no other operation occurs and the FakeAlert silently exits.

Glueing this all together, our code becomes:

Now we have all the pieces. If the f***youspilberg.bat file is found, then the anti-VMware check is skipped. Otherwise, we need to verify that we are not running inside a VMware box. The VMware check is performed to prevent analysis in a safe environment, but why bypass such a check if the f***youspilberg.bat is present?

We can only guess. It is probable that the authors of this FakeAlert needed to test their creation, and they have probably decided to use VMware for their testing. By placing f***youspilberg.bat in the root of their VMware image, they could do the testing without being caught by their protection mechanism.

But the real question is, What did “Mr. Spilberg” do to the authors of this malware to arouse such antagonism? Maybe they don’t like the return of Indiana Jones? Or are they scared of E.T.?

"Dear Google AdWords Customer"
Posted by Mikko @ 21:31 GMT | Comment (1)

Sometimes it can be quite hard to spot a phishing site on the first glance.

Sure, it looks quite real. But always double check the address.

Adobe Flash Player Unspecified Vulnerability

Secunia Advisory:
SA30404

Release Date:
2008-05-28

Critical:

Extremely critical

Impact:
System access

Where:
From remote

Solution Status:
Unpatched

Software:
Adobe Flash Player 9.x

Malware Attack Exploiting Flash Zero Day Vulnerability

Flash Bugs Exploited in Latest Mass Compromise

by Jake Soriano (Technical Communications)

Another mass compromise through (yet again) another SQL injection attack. The yet again’s and another’s keep coming, right? This time, unlike its predecessors that use relatively old and known (and patched) exploits, the attack introduces a new kid on the block: in the form of what looks like a zero-day exploit taking advantage of an unknown vulnerability in Adobe Flash Player, allowing malicious users to install info-stealers on affected PCs.

Well, this one already has a lot of history in it. Mass compromises are the month of May’s major stories. TrendLabs discovered them happening to Web sites everywhere from a huge portion of the Asian region (see here and here) to those in the Italian language. We have seen these mass compromises happening just mere days between each other (beside the links above, more information can be read in our blog).

Certain legitimate sites were found to have been injected with scripts that lead browsers silently to sites hosting exploits for the Flash vulnerability/ies. Upon meeting certain system conditions that allow the exploitation to commence, PCs download and execute info-stealers (like TSPY_UPACK.D) or droppers (like TROJ_DROPPER.NAK).

TrendLabs detects the .SWF files as SWF_DLOADER.YVM and SWF_DLOADER.YVN. Remarkably, the related domains in this attack spoof the domain name of legitimate and known phone company Nokia, as well as that of the popular online game Defense of the Ancients (DotA). Other domains are lkjrc and woai117 (both belonging to–surprise, surprise–.cn).

TrendLabs has already blocked the malicious domains involved in this attack, and also detected the following malware which are installed in systems:

• HTML_DLDR.BF
• TSPY_UPACK.D
• TROJ_DROPPER.NAK
• HTML_DLDR.BF
• TSPY_UPACK.D
• TROJ_DROPPER.NAK

This unspecified remote code execution vulnerability in certain versions of Adobe Flash Player is the one referred to here.

Our engineers are still analyzing this attack further. Updates will be posted as soon as more information becomes available. As of this writing we are still seeing several new malicious domains that are hosting .SWF files exploiting the Adobe Flash Player bug.