September 2004 - Posts
MS04-028: Trojan.Ducky A/B exploits GDI+ vulnerabilities
http://www.symantec.com/avcenter/venc/data/trojan.ducky.html
http://www.symantec.com/avcenter/venc/data/trojan.ducky.b.html
Trojan.Ducky is a downloader Trojan that exploits the Microsoft GDI+ Library JPEG Segment Length Integer Underflow vulnerability (as described in the Microsoft Security Bulletin MS04-028).
You can order the CD, and it's even free, but there's the possibility of a good week or so wait. If you know someone who has high speed Internet or if an admin can burn a CD at work for you that can help. I'm on dialup at home and I also had to burn my own copy.
Still, everyone should get patched up on Windows immediately with Windows Update and you can get Office XP protected later, as most likely the 1st threats will be thru email and hostile web sites. AV protection can help you on Office until you can get that patched.
Office 2003 SP1
http://www.microsoft.com/office/ork/updates/2003/o2k3cd.htm
Office XP SP3
http://www.microsoft.com/office/ork/updates/xp/Oxpsp3cd.htm
HOW TO TEST YOUR PC FOR MS04-028 PC vulnerabilities
1. DOWNLOAD the free ISC scanning tool for individual workstations. It's only a 6KB download and will run in seconds. Vulnerable versions of the .dll files are listed in RED.
Download Link (6KB)
http://images.dshield.org/images/gdiscan.exe

2. Double click on the gdiscan.exe file after downloading
3. IF ANYTHING ON THE REPORT IS IN RED your system is vulnerable. If so, follow these guidelines in patching:
http://www.microsoft.com/security/bulletins/200409_jpeg.mspx
BAGLE.AZ - MEDIUM RISK (DAT 4395 RELEASED)
http://secunia.com/virus_information/12352/bagle.az/
http://www.sarc.com/avcenter/venc/data/w32.beagle.ar@mm.html
http://vil.nai.com/vil/content/v_128582.htm
http://www.f-secure.com/v-descs/bagle_as.shtml
This is a mass-mailing worm with the following characteristics:
- contains its own SMTP engine to construct outgoing messages
- harvests email addresses from the victim machine
- the From: address of messages is spoofed
- contains a remote access component
- copies itself to folders that have the phrase "shar" in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)
FORMAT OF INFECTED EMAIL MESSAGES
From : (address is spoofed)
Subject :
Re:
Re: Hello
Re: Thank you!
Re: Thanks :)
Re: Hi
Body Text:
:)
:))
Attachment: (with an extension of .exe, .scr, .com or .cpl)
Price
price
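The message format listed above can be turned into a mail-gateway check. The following is an added example, not part of the original post or any vendor's signature; the function names, the sample messages and the reading of "Price"/"price" as attachment base names are assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Traits taken from the message format listed above.
SUBJECTS = {"Re:", "Re: Hello", "Re: Thank you!", "Re: Thanks :)", "Re: Hi"}
BODIES = {":)", ":))"}
EXTENSIONS = (".exe", ".scr", ".com", ".cpl")
# Assumption: "Price" / "price" in the list are attachment base names.
BASE_NAMES = {"price"}


def check_message(raw: bytes) -> dict:
    """Return which of the listed traits a raw RFC 5322 message shows.

    The From: header is ignored on purpose: the worm spoofs it.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content().strip() if part is not None else ""
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    hits = {
        "subject": subject in SUBJECTS,
        "body": body in BODIES,
        "extension": any(n.endswith(EXTENSIONS) for n in names),
        "base_name": any(n.rsplit(".", 1)[0] in BASE_NAMES for n in names),
    }
    # Quarantine only when subject, body and extension all match; a risky
    # extension alone is better handled by a general attachment policy.
    hits["quarantine"] = hits["subject"] and hits["body"] and hits["extension"]
    return hits


def build_sample(subject: str, body: str, filename: str) -> bytes:
    """Build a constructed test message with a harmless placeholder attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"placeholder bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(check_message(build_sample("Re: Thanks :)", ":))", "price.scr")))
    print(check_message(build_sample("Minutes from Monday", "Notes attached.", "minutes.pdf")))
```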

MS04-028 - Trojan.Moo: First Trojan Horse emerges
http://secunia.com/virus_information/12353/moo/
http://www.sarc.com/avcenter/venc/data/trojan.moo.html
Trojan.Moo is a Trojan horse program that exploits the Microsoft GDI+ Library JPEG Segment Length Integer Underflow vulnerability (described in the Microsoft Security Bulletin MS04-028).
Note: The latest McAfee and Norton DAT files will detect infected files created by Hacktool.JPEGDownload.
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
A new toolkit designed to create malformed and potentially dangerous JPEGs has been released to the public.
MS04-028 -- JPEG Exploit Toolkit released to public
http://isc.sans.org//diary.php?date=2004-09-25
A toolkit designed to exploit a recently-disclosed Microsoft JPEG vulnerability has been released. The security hole is a buffer overflow condition that compromises the system. An attacker could potentially create a JPEG file that would then take over control of a victim's machine when the user views it through Internet Explorer, Outlook, Word, and other programs.
http://www.theregister.co.uk/2004/09/24/jpeg_exploit_toolkit/
For a complete list of Operating Systems and Application Programs potentially affected by this see Microsoft's information at:
http://www.microsoft.com/security/bulletins/200409_jpeg.mspx
A group of Handlers have been "playing" with the toolkit. So far it hasn't worked too well. However, as with all of these, they have a tendency to get better real fast. Therefore apply the patches on both the Operating Systems and Application Programs as recommended by Microsoft.
JPEG Hacktool
The 3 major anti-virus companies have now released definition files that will detect the JPEG exploits.
Symantec - Hacktool.JPEGDownload http://securityresponse.symantec.com/avcenter/venc/data/hacktool.jpegdownload.html
McAfee - Exploit-MS04-028 http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=128461
Trend Micro - HKTL_JPGDOWN.A http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=HKTL_JPGDOWN.A
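The "JPEG Segment Length Integer Underflow" named in the posts above can be checked for structurally: a JPEG segment's 2-byte length field counts its own two bytes, so a declared length below 2 is never valid. The following is an added example, not the vendors' detection logic or the ISC tool; it generalizes to every length-bearing segment in the file header, and the function name and sample bytes are constructed for illustration.

```python
import struct

# Markers with no length field: TEM, RST0-RST7, SOI, EOI.
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))
SOS, EOI = 0xDA, 0xD9


def scan_jpeg_segments(data: bytes):
    """Walk the header segments of a JPEG and return a list of findings.

    Each finding is (marker_offset, marker_code, declared_length, reason).
    An empty list means every segment up to the scan data was well formed.
    """
    if data[:2] != b"\xff\xd8":
        return [(0, None, None, "missing SOI, not a JPEG")]
    findings, pos = [], 2
    while pos < len(data):
        start = pos
        if data[pos] != 0xFF:
            findings.append((start, None, None, "expected 0xFF marker prefix"))
            break
        while pos < len(data) and data[pos] == 0xFF:  # skip fill bytes
            pos += 1
        if pos >= len(data):
            break
        marker = data[pos]
        pos += 1
        if marker == EOI:
            break
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            findings.append((start, marker, None, "truncated length field"))
            break
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2:
            # The field counts its own two bytes; "length - 2" computed as
            # an unsigned size wraps around to a very large value.
            findings.append((start, marker, length, "declared length below 2"))
            break  # no reliable way to resynchronise after a bogus length
        if pos + length > len(data):
            findings.append((start, marker, length, "segment runs past end of file"))
            break
        if marker == SOS:
            break  # entropy-coded data follows; header walk ends here
        pos += length
    return findings


# Constructed sample bytes (header fragments only, not decodable images).
APP0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
WELL_FORMED = b"\xff\xd8" + APP0 + b"\xff\xfe\x00\x07hello" + b"\xff\xd9"
MALFORMED = b"\xff\xd8" + APP0 + b"\xff\xfe\x00\x01" + b"AAAA" + b"\xff\xd9"

if __name__ == "__main__":
    for name, blob in (("well-formed", WELL_FORMED), ("malformed", MALFORMED)):
        print(name, scan_jpeg_segments(blob) or "no findings")
```

A clean result here says nothing about whether the installed GDI+ library is patched; it only screens files, so patching remains the fix.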

The Internet Storm Center has released a free scanning tool for individual workstations. It's only a 6KB download and will run in seconds. Vulnerable versions of the .dll files are listed in RED.
Internet Storm Center - Release of GDIplus Scanner
http://isc.sans.org//diary.php?date=2004-09-23
Main Information Page
http://isc.sans.org/gdiscan.php
Download Links (6KB)
http://images.dshield.org/images/gdiscan.exe

Sharing as FYI ... The ISC denotes an "improved" edition that opens up a command prompt
MS04-028 - More POCs and Exploits Released
http://isc.sans.org//diary.php?date=2004-09-22
In F-Secure's weblog (Sept 21 entry), a new hostile Java applet is noted which can impact web browsers using older versions of Java.
http://www.f-secure.com/weblog/
Today we found a new type of malicious Java applet. Unlike Java Applet trojans that we have seen previously, Java/Binny.A uses exploit in Sun Java Runtime, and is thus capable of affecting any web browser that uses Sun Java Runtime for executing Java Applets.
This means that also those who use Mozilla or Opera are also in danger, not just users of Microsoft Internet Explorer. If you are using Sun Java Runtime that is older than 1.41_04 please update it.
Sun Alert notification about the Java Runtime vulnerability


The Internet Storm Center shares some good information on these developments and practical safeguards. Only 3 days after the update, POC code is beginning to circulate. Here's hoping we have more time as malicious individuals are most likely reverse engineering the MS04-028 patch.
MS04-028 - ISC reports Proof of Concept rumors
http://isc.sans.org//diary.php?date=2004-09-17
McAfee, Symantec, and possibly other AV providers offer MS04-028 detectability but getting Windows/Office patched up is the best defense of all.
MS04-028 Security Bulletin
http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx
MS04-028 Recommendations (Excellent Step-by-Step guide)
http://www.microsoft.com/security/bulletins/200409_jpeg.mspx
MS04-028 Recommendations (More Technical)
http://support.microsoft.com/default.aspx?scid=kb;EN-US;873374
This one is well crafted and always remember NEVER SEND A PASSWORD thru EMAIL.
Gmail Phishing Scam - Never send password in email
http://www.seroundtable.com/archives/000878.html
Quote:
Last night I received a gmail email from Gmail Team with the subject, "More Gmail invites." I found this email very weird. It continued to read "The Gmail Team is proud to announce that we are offering Gmail free invitation packages to the existing Gmail account holders. By now you probably know the key ways in which Gmail differs from traditional webmail services. Searching instead of filing. A free gigabyte of storage. Messages displayed in context as conversations."
Now, normally Gmail gives you invites directly in the top console and does not ask you to fill out information. This email looks really valid, plus it got through Gmail's spam filter. So is it real? I doubt it. But it looks so real. Anyway, it asks you for your current gmail account and password. That is a direct tip that someone is phishing for passwords. Be Careful and look out for this email!
COPY OF THE GMAIL PHISHING SCAM CURRENTLY CIRCULATING

MS04-028 - may require more than a Windows Update
You may see a message that more products were detected that need updating besides Windows, esp. if you have MS Office installed.
One complicating factor on this security update is that many folks don't update Office or other products as closely as we're used to doing with Windows. Microsoft Office, IE, Visual Studio, and other products can process JPEG files. So it's important to update these products in case a malicious JPEG in an email or a website exploits this vulnerability. This is an issue of a vulnerable DLL being used multiple times on the same PC (so Windows, Office, IE, and other products could need patching).
RECOMMENDATIONS:
1. Windows Update - It's recommended you install the latest SP for your OS
http://www.microsoft.com/windowsupdate/
2. Office Security Update - It's recommended you install the latest SP for your version of Office. Also, the Office update could require the original CD, hard drive, or network location to be authenticated.
http://www.microsoft.com/officeupdate
3. Manually patch Individual products as needed (e.g., Visual Studio Net)
You can eventually work these in over time, as there is no current threat I'm aware of. Still, JPEGs or graphics might be a better method of tricking folks than email?
Most of us will only need a Windows and Office update. But you might need SP updates on Office if you've not done this in the past. This one will take more work for home and corporate users to achieve complete safety. It wasn't bad for me, as I keep everything as up-to-date as possible, but the Office Update might be new to some folks.
So far these applied changes are working properly for me using Windows 2000 SP4
Microsoft - September 2004 Bulletins
http://www.microsoft.com/technet/security/Bulletin/ms04-sep.mspx
Microsoft - Windows Update Site
http://www.microsoft.com/windowsupdate
Microsoft Security Bulletin MS04-027 - Vulnerability in WordPerfect Converter Could Allow Code Execution (884933)
Executive Summary: A remote code execution vulnerability exists in the WordPerfect 5.x converter that is provided as part of the affected software that could allow remote code execution on an affected system.
Maximum Severity Rating: Important
Impact of Vulnerability: Remote Code Execution
Affected Software: Office, FrontPage, Works, and Publisher. For more information, see the Affected Software and Download Locations section.
Microsoft Security Bulletin MS04-028 - Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)
Executive Summary: A remote code execution vulnerability exists in the processing of JPEG image formats that could allow remote code execution on an affected system.
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution
Affected Software: Windows, Office, Developer, Internet Explorer, and others. For more information, see the Affected Software and Download Locations section for details.
Note - This vulnerability might require the installation of several security updates. Review the entire column in the Affected Software and Download Locations summary table for the MS04-028 bulletin identifier to verify the updates that you have to install, based on the programs or components that you have installed on your system.
For years, I've used multiple browsers as tools to help test newly developed web pages, so that they are compatible for any browser. During the past year, I've settled on 3 choices (IE 6, Mozilla Firefox, and Opera 7.53).
I like all 3 browsers and Microsoft has improved security extensively in the new IE that's part of XP SP2. Firefox is one of the most secure browsers and today, Mozilla released their Firefox 1.0 Preview Release version. In early testing, this is working well so far. You can download the EXE version of Firefox 1.0PR from Mozilla's home page
http://www.mozilla.org/
FTP site for EXE and ZIP builds (includes MAC and LINUX links)
http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/0.10/
Article promoting Mozilla FF to help combat spyware:
http://www.usatoday.com/tech/news/computersecurity/2004-09-08-zombieinfect_x.htm

Note - this commentary was shared in light of Microsoft's UK executive who stated that XP SP2 should hold up well to attacks by hackers. This statement was taken out of context and even bookies were betting with 2-to-1 odds that SP2 would not stand up to the challenges by year end.
Microsoft challenges hackers to crack service pack 2
http://www.contractoruk.com/news/001690.html
Many evaluators have debated the strength of XP SP2 security and we all hope it will hold up. But at the kernel level, "code is code" when it comes to any OS. All it takes is for one weakness in a remotely exploitable service like we've seen for Internet worms manipulating DCOM, LSASS, and PCT vulnerabilities.
Unfortunately, in our era of "sound bites" any statement can be taken out of context or over-emphasized. I don't believe this was an invitation for an "Open Hack on XP SP2", but an encouragement for XP users to install SP2 and ramp up their security.
Personally, I like XP SP2 and think overall MS did a good job with it. It's an incremental step forward in security and TWC (despite the "naysayers"). SP2 ain't perfect and I probably wouldn't bet on it holding up (e.g., as the article notes - bookies have already established 2 to 1 odds in favor of the hackers -lol).
Below is a great article discussing all the "feeding frenzy" by the media regarding XP SP2 (e.g., where minor issues suddenly become "crater sized security holes").
XP SP2 - Feast of Egos
http://www.securityfocus.com/columnists/265
http://www.f-secure.com/weblog/
We've received some questions on the Amus (yeah, we know) email worm. Specifically, on the speech properties of this virus. This worm will use the Windows Speech Engine (built-in to Windows XP) to speak the following message when run:
How are you. I am back. My name is mister hamsi. I am seeing you. Haaaaaaaa.
You must come to turkiye. I am cleaning your computer. 5. 4. 3. 2. 1. 0. Gule. Gule.
To find out what the message sounds like, listen to this audio file:
http://www.f-secure.com/weblog/archives/amus.wav.
Each of us deals daily with a rash of SPAM that makes telemarketing calls seem tame. Unfortunately inexperienced Internet users of all ages want to believe that they have "won something" or they have a special gift coming. The fraudulent message below tries to set up an interesting story, but why would someone from Australia contact you out of the blue?
To:
Subject: COMPLIMENTS.
From: "owen"
CC:
Date: Sat, 11 Sep 2004 07:08:05 -0400
DR.JOHN OWEN
commmonwealth Bank of Australia,
18 Bank Place Melbourne,
Australia,
11th of Septmber , 2004.
Dear Respected friend,
This is a proposal in context but actually an appeal soliciting for your unreserved assistance in consummating an urgent transaction requiring maximum confidence. Though this approach appears desperate, I can assure you that whatever questions you would need to ask or any other thing you will need to know regarding this proposal will be adequately answered to give you a clearer understanding of it, so as to arrive at a successful conclusion.
My name is DR. JOHN OWEN , Head of Securities,Commonwealth Bank of Australia, Melbourne. On December 6, 2001, a foreign consultant/contractor with the Cadbury Kenya Ltd, Mr. David Sidney Jocelyn-Duffield, made a numbered time (fixed) Deposit for twelve calendar months, valued at US$30,000,000.00, (Thirty Million United States Dollars) in my branch. Upon maturity, I sent a routine notification to his forwarding address but got no reply.
After a month, I sent a reminder and finally we discovered from his contract employers, the Cadbury Kenya Ltd, that Mr. Jocelyn-Duffield died from an automobile accident. On further investigation,I found out that he died without making a WILL, and all attempts to trace his next of kin was fruitless. I therefore made further investigation and discovered that Mr. Jocelyn-Duffield did not declare any next of kin or relations in all his official documents,including his Bank Deposit paperwork in our Bank. I have carefully moved out these funds (US$30million)from our bank as sundry funds to an offshore Deposit Company in the European Union.
From past experiences, I know that no one will ever come forward to claim the deceased funds. According to Australian Law, at the expiration of 5 (five) years,the funds will be Unclaimable and revert to theownership of the Australia Government if nobody applies to claim the fund. In order to avert this negative development, I in conjunction with a colleague (the Chief Operating Officer in the bank) now seek your permission to allow my attorney do a CHANGE OF OWNERSHIP/REASSIGNMENT OF CREDIT of stated funds from the "deceased" to your name, so that the funds (US$30million) would be released to you as the new owner (on behalf of me and my colleague). We are writing you because, as public servants, we cannot operate a foreign account or have an account that is more than 160,000:00.
Consequently, I will present you as the owner of the funds in the Deposit Company so you can be able to claim them. This is simple. I will like you to provide immediately;
1. Full names
2. Contact address
3. Telephone and fax numbers
Once I receive these information, I will prepare the necessary documents which will put you in place as the new owner of the funds. The money will then be released to your custody by the Deposit Company, for us to share in the ratio of 70% for us and 30% for you. There is no risk at all as all the paperwork for this transaction will be done by the solicitor and this will guarantees the successful execution of this transaction. If you are interested, please reply immediately via my email address. Upon your response,I shall then provide you with more details and my confidential phone number for further explanation that will help you understand the transaction.
No doubt this proposal will make you apprehensive, please we imploy you to observe utmost confidentiality and rest assured that this transaction would be most profitable for both of us because we shall require your assistance to invest our share in your country (buying of properties like real estate etc). This is why your urgent action and response is of priority to enable us conclude this transaction in a timely and professional manner.I await your swift response please through
my alternative/private email box:
REPLY TO EMAILs:
Thanks for anticipated and kind co-operation.
Yours Sincerely,
DR JOHN OWEN.
REPLY TO EMAILS:
This link explains the need to have Windows 2000 or XP PCs patched fully prior to connecting them to the Internet. Blaster, Sasser, and other worms are still circulating and randomly selecting IP addresses, and on average they will find an unpatched PC in about 20 minutes.
Study: Unpatched PCs compromised in 20 minutes
Don't connect that new PC to the Internet before taking security precautions, researchers at the Internet Storm Center warned Tuesday.
According to the researchers, an unpatched Windows PC connected to the Internet will last for only about 20 minutes before it's compromised by malware, on average. That figure is down from around 40 minutes, the group's estimate in 2003.
Another related link:
Hopefully this one will stay low-risk for everyone. McAfee uses "U" and Symantec uses "S":
MyDoom "U" - another one for the watchlist
http://vil.nai.com/vil/content/v_128346.htm
http://www.symantec.com/avcenter/venc/data/w32.mydoom.s@mm.html
W32.MyDoom.S@mm is a mass-mailing worm that downloads an executable file.
This new variant, packed with UPX, bears the following characteristics:
- contains its own SMTP engine for constructing messages
- harvests target email addresses from the victim machine
- forges the From: header of outgoing messages
- downloads BackDoor-CEB.c over HTTP

http://techrepublic.com.com/5100-22_11-5347860.html?tag=e019
WinZip Computing has released a patch, WinZip 9.0 Service Release 1, which it claims will resolve a buffer overflow issue. WinZip warned last month of a security flaw in WinZip, its compression/decompression tool that runs on the Windows platform. Security firm Secunia has just rated the flaw as "highly critical", the fourth highest out of its five severity levels.
WinZip versions 3.x, 6.x, 7.x, 8.x and 9.x contain vulnerabilities that could allow a remote attacker to execute malicious code. The problem is caused by a flaw in the way WinZip handles command-line inputs, and can be exploited by a malicious hacker to cause a buffer overflow.