July 2006 - Posts
Kaspersky Labs shares an excellent commentary on why it's difficult to remember and manage Passwords, esp. in systems where password complexity is a a requirement.
JUL 28th Entry -- When your brain runs out of memory
QUOTE: Back in the Middle Ages, a password was exactly what it said: a simple word that could be used to gain access to a castle, a secret meeting or any other closed area. These days it’s less likely to be a word, but rather a string of characters like “hTfd4Xz”.
There are situations where passwords don't need to be very complex, since the user will be forced to wait a couple of seconds after each attempt (e.g. when logging on to a server), or because the system will block further attempts after a wrong password has been entered several times (e.g. ATMs). This means that simply trying all possible variants (a brute force attack) isn’t going to be very useful.
However, the story’s very different for encrypted data devices – if they fall into the wrong hands, an attacker can just plug them into his computer and try out all passwords without any limitations.
A new SMB based vulnerability and exploit have been developed which could create blue screen crashes for 2000, 2003, and XP. PC firewall protection can help in blocking the 3 key ports associated with this attack in case further developments occur .
MSRC Blog entry
Windows Unpatched SMB DoS Vulnerability and Exploit
Advisory ID : FrSIRT/ADV-2006-3037
Rated as : Moderate Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2006-07-28
Technical Description: A vulnerability has been identified in Microsoft Windows, which could be exploited by remote attackers to cause a denial of service. This flaw is due to NULL pointer dereference error in the server driver (srv.sys) when handling specially crafted SMB (Server Message Block) packets, which could be exploited by a remote unauthenticated attackers to cause a vulnerable system to crash or display a blue screen, creating a denial of service condition.
Note : A fully functional exploit has been published.
Solution: Restrict access to ports 135, 139 and 445.
This is only a proof-of-concept script and could run in the XP, W/2003, and Vista environments.
MSH/Cibyz - Windows Powershell Proof-of-concept worm
QUOTE: MSH/Cibyz!p2p is a proof of concept worm written in Windows Powershell script. It attempts to spread via the popular peer to peer application KaZaa by dropping a copy of itself in its shared folders. Windows Powershell is a command line shell and scripting language for Microsoft Windows that runs on Windows XP, Windows Server 2003, Windows Vista and Windows Longhorn.
I definitely appreciate all the hard work our crew at work does in supporting the security, development, and business environment Often times, it's behind the scenes with limited credit for the hard work performed -- so they do deserve a day of recognition.
Over one million users were recently impacted by the Flash based worm stored on MySpace pages. The site is now requiring the latest version of Flash to prevent future occurrences.
MySpace Worm Attack - Analysis by ISC
QUOTE: An unusual aspect of this worm was that it resided purely on MySpace pages, rather than installing itself on personal computers of its victims. The essential component of the worm, which Symantec called ACTS.Spaceflash, was a Flash object that was embedded in the victims' profile pages on MySpace. The offending code resided in the redirect.swf file
These are mostly being spammed by email and should not be prevelant in the wild. Users should be cautious with all Powerpoint documents recieved in email.
Powerpoint unpatched vulnerability - new variant
QUOTE: When executed, it exploits a vulnerability in Microsoft Powerpoint wherein a specially crafted document can cause the application to drop and execute an embedded EXE file in the Windows folder. Once it successfully exploits the mentioned vulnerability, it is able to execute a shell code which, in turn, runs the embedded .EXE file. This .EXE file is detected by Trend Micro as TROJ_AGENT.CZW.
Also, Trend has added detection today for a new Powerpoint POC crash exploit that's most likely related to this overall vulnerability:
New PowerPoint POC Crash exploit
A new vulnerability for the Opera browser has been identified. Opera users should look for an upcoming update, as the folks from Norway will most likely fix this promptly.
Opera 9.0 - New HTTPS vulnerability
Advisory ID : FrSIRT/ADV-2006-2987
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2006-07-26
Technical Description: A vulnerability has been identified in Opera, which could be exploited by remote attackers to crash a vulnerable browser or potentially take complete control of an affected system. This flaw is due to a memory corruption error when processing a CSS "background" property containing an overly HTTPS URI, which could be exploited by attackers to cause a denial of service or execute arbitrary commands by convincing a user to visit a specially crafted Web page.
Affected Products: Opera version 9
Microsoft and other vendors do not issue security updates using email messages, even though this new spoofed version appears to be realistic.
Microsoft Security Updates - Spoofing Attack
Copy of EMAIL message - HTML coding looks realistic
QUOTE: We've received several reports of a mass mailing that's going around. The messages have been spoofed to look like they are from Microsoft and arrive with title "Warning! New Virus On The Internet! Update Now!". The link in the mail goes to <<<URL REMOVED>>> and downloads an IRC backdoor. The downloaded file is detected as W32/FakeMSUpdate by our latest update
FormSpy (aka FireSpy) is a new spyware program designed to integrate into the Mozilla browser environment. It is being spread by spam email spoofed to appear as a billing issue from Walmart. It was launched on July 24th. The attachment contains a downloader malware agent that can install FormSpy as a Firefox plugin. This new threat can be avoided easily by users avoiding spam email and attachments.
FormSpy - Spyware program hooks into Mozilla Firefox
QUOTE: Upon execution, it registers Mozilla event listeners to the malware and sends information submitted by the victim in the web browser to a malicious website. These information can include, but is not limited to, credit card numbers, passwords, e-banking pin numbers etc. The main executable is also capable of sniffing passwords from ICQ, FTP, IMAP and POP3 traffic.
FireSpy - Sophos Writeup
QUOTE: Troj/FireSpy-A will then attempt to register the dropped component as a Firefox plugin and begin monitoring the user's browsing habits, stealing information including monitoring and logging information from Web forms
----- EMAIL TO AVOID -----
Downloader-AXM - Massively spammed on 07/24/2006
From: billing support [mailto:email@example.com]
Subject: Your order information WC2905036
Message: Dear Sir/Madam, Thank you for shopping with our internet shop. Your order, WC2905036,has been received. Summary of your order you can see in the attachment
All corporate and home users should ensure they are up-to-date on the latest security patches offered by Microsoft as three new exploits have recently surfaced.
MS06-034, MS06-035, and MS06-036 Exploits surface
QUOTE: Exploit code has been published for critical vulnerabilities in Microsoft Windows (SRV.SYS Driver Mailslot Overflow and DHCP Client Service Overflow), and for a less serious flaw in Microsoft Internet Information Services (IIS). These vulnerabilities were recently patched with MS06-034, MS06-035, and MS06-036. Administrators and users are urged to apply the appropriate vendor patches.
Haxdoor is one of the most popular and dangerous Windows based rootkits. Users should continue to be cautious with all suspicious email messages.
Haxdoor.CP - Spammed email with Rootkit
QUOTE: Troj/Haxdoor-CP is a Trojan for the Windows platform. Troj/Haxdoor-CP runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer. Troj/Haxdoor-CP includes functionality to: - stealth its files, processes, registry entries and services - prevent itself being terminated...
Email to avoid:
Subject line: Confirmation for Order WC2905036
Message text: Dear Sir/Madam, Thank you for shopping with our internet shop. Your order, WC2905036, has been received. Summary of your order you can see in the attachment file.
The ISO and NRG extensions used for CD imaging capabilities may need to be added to AV file extention lists
Bahisho Worm - Spreads to ISO/NRG imaging file extensions
QUOTE: This worm propagates by searching for images with .ISO and .NRG file extensions in random folders. When the said image files are found, it drops its copy into the folder where the image files are located. In effect, when an optical disk image or an .NRG image file is burned, this worm copies itself into the CD or CD-ROM. ISO images (.ISO) are optical disk or Universal Disk Format (UDF) image files, while .NRG files are image files associated with the application Nero.
The new ProtectionBar adware program issues false security warnings that can alarm users into purchasing a license. Users are better served by using a mainstream anti-spyware product (e.g., Webroot, McAfee, Defender, etc), rather than using toolbars or "free" plug-ins that may not provide good security protection.
ProtectionBar - Panda warns on new adware program designed to trick users
QUOTE: Panda Software warns of a new adware program called ProtectionBar, which tries to trick users by installing false security programs on their computers. These programs inform users that their computer is infected by threats that do not exist or show fictitious errors. Then, they threaten users so that they buy the license in order to delete the malware supposedly detected. The aim of this system is to earn a profit for the developers of these programs, who will share it with the creators of ProtectionBar
F-Secure shares an interesting development on how the bad guys are timing exploits to surface right after patch Tuesday. Thankfully, the unpatched Office vulnerabilities have been rare in the wild. Users should continue keep up-to-date on AV protection plus exercise caution when they receive any email with Office related attachments.
Exploit Wednesday -- the day after Patch Tuesday
QUOTE: The bad guys are taking advantage of three things:
1. The first is the patch cycle itself. These new exploits are being released after the second Tuesday of each month to maximize its lifespan.
2. The second is the common day-to-day routine of receiving Office files. There haven't been any new macro viruses to speak of for some time and so Office files (doc/xml/ppt) easily pass through corporate firewalls and people don't think twice about clicking on them. This avenue of attack is currently under the radar and is not perceived as a danger by end users.
3. And the third advantage is that the companies exploited don't want to talk about it. They dread the negative publicity as a victim of espionage. That's why the public doesn't know the name of last month's Excel exploit victim. Such hush-hush may be keeping some of these exploits from being reported.
An important security release to patch vulnerabilities has just been released. This should be quickly lab tested and applied in production.
Oracle - Critical Security Release for July 2006
Users should be careful with all Powerpoint documents (PPT file extensions) recevied by email as one new exploit is now circulating as a trojan horse in-the-wild. However, there are not widescale attacks associated with this new vulnerability. Several links are noted below
Microsoft Security Advisory (922970)
Microsoft Security Response Team
Microsoft PowerPoint Presentation Handling Multiple Memory Corruption and DoS Vulnerabilities
Microsoft PowerPoint Presentation Handling Client-Side Memory Corruption Vulnerability
This zero-day vulnerability is currently being exploited in the wild by Trojan.PPDropper.B
This social engineering scheme goes even a step further than phishing in trying to create a means to steal credit card, bank account, or other information. When it comes to any email message requesting any unusual actions or sensitive information, never take action, as banks and most companies don't operate in that manner. The following is more information on Vishing from an email message I received today.
QUOTE: Experts are warning against the latest Internet scam: "vishing.”
Vishing, or voice phishing, occurs when a scammer sends you an e-mail hoping to get victims to telephone a voice mail box to disclose sensitive financial and personal information.
Many computer users are already aware of so-called "phishing e-mails" linking to counterfeit Web sites that ask computer users to enter account numbers or other personal information.
Many of these scam e-mails look like they were sent from companies like American Express, Bank of America, and other major companies, informing customers they need to update their records.
When they do so, the customer unwittingly provides some criminal enterprise their most sensitive financial and personal information.
Already such phishing scams cost consumers an estimated $929 million. However, new tools – including software that helps locate phony Web sites – have made the scam more difficult to pull off. But the new "vishing" scam gets around computer safeguards by using the telephone instead.
In a typical case of vishing, customers of a California bank received e-mails informing them that their online banking accounts had been disabled because the bank detected unauthorized access, according to The Wall Street Journal.
The customers were told to dial a telephone number with a local area code, where an automated voice asked them to enter their account numbers, personal-access codes, and other information.
Armed with that data, vishing scammers could access the online accounts and transfer money, or make fraudulent purchases with a stolen credit card number.
These schemes are made possible by Internet telephone services, "which allow computer users to quickly establish phone numbers, often without undergoing some of the verification checks used by traditional telephone companies,” the Journal reports.
"Also, Internet phone companies dole out numbers with a choice of area code, regardless of where in the country – or world – the user is located, which makes it difficult to locate the scammers.”
What’s more, automated voice prompts have become common on customer service lines, "and many people have become accustomed to keying in their account information and other details before being able to speak to a representative,” Adam O’Donnell, a senior research scientist at the online security firm Cloudmark Inc., told the Journal.
The bottom line: Experts stress that customers should never turn over private information based on an e-mail request.
Linux users should look for updates and workarounds. While exploits have been developed, I don't believe they are in-the-wild and most vulnerabilities have minor security risks (e.g., DoS potential). Patches may be out or will most likely be coming soon, so please stay up-to-date
Internet Storm Center links
Update from FrSIRT
Technical Description: A vulnerability has been identified in Linux Kernel, which could be exploited by local attackers to obtain elevated privileges. This flaw is due to a race condition in "fs/proc/base.c", which could be exploited by malicious users to execute arbitrary commands with "root" privileges.
Note : A fully functional exploit has been released.
Linux Kernel version 18.104.22.168 and prior
Linux Kernel version 22.214.171.124 and prior
Microsoft is releasing the following security bulletins for newly discovered vulnerabilities:
• Important MS06-033 Microsoft .NET Framework 2.0 Information Disclosure
• Important MS06-034 Microsoft (IIS) Remote Code Execution
• Critical MS06-035 Microsoft Windows Remote Code Execution
• Critical MS06-036 Microsoft Windows Remote Code Execution
• Critical MS06-037 Microsoft Excel Remote Code Execution
• Critical MS06-038 Microsoft Office Remote Code Execution
• Critical MS06-039 Microsoft Office Remote Code Execution
I would encourage everyone to quickly apply the July updates, especially in light of MS06-035 and it's potential to become wormable for W/2000.
Microsoft July Update Overall Summary
ISC Detailed Analysis
SPECIAL WARNING: MS06-035 - Patch now!
Rather than the launch of widescale email attacks, virus writers are choosing more sleath-like approaches to quietly infect PCs. Keeping AV protection up-to-date and performing periodic scans are important to ensure a system is free of malware.
Panda - Posts Top 10 viruses for first half of 2006
QUOTE: With the absence of widespread virus alerts, the first six months of 2006 has seemingly been a relatively quiet period. Yet this apparent calm is the result of the drive of malware creators to infect computers silently, ensuring their malicious code can operate undetected for a long as possible. An indication that they are still as busy as ever is the 19,367 new viruses detected over the last six months, only slightly less than for the same period in 2005
More Posts Next page »