October 2007 - Posts
This 1.4M powerpoint presentation contains 60 slides and was recently referenced in Sunbelt and John Levine's blogs.
http://weblog.johnlevine.com/Email/storm.html
http://sunbeltblog.blogspot.com/2007/10/good-preso-on-storm.html
EXCELLENT Powerpoint Presentation - Download Link
http://noh.ucsd.edu/~bmenrigh/exposing_storm.ppt
QUOTE: Last weekend, Brandon Enright of UC San Diego gave a informal talk at the Toorcon conference in which he reported on his analysis of the Storm botnet. According to his quite informative slides, Storm has evolved quite a lot over the past year, with both upgrades to the underlying engine and a variety of applications, most of which involve sending spam.
Everyone should avoid e-cards or other "fun links" associated with Halloween. The Storm Worm has also been adapted to trick folks as noted by Websense. Clicking on these links could lead to hours of restoration and repair work. 
Storm Worm - New Halloween based attacks
http://www.websense.com/securitylabs/alerts/alert.php?AlertID=814
QUOTE: Websense® Security Labs™ has confirmed that the Storm worm has once again switched lure tactics. The worm has now adopted a Halloween twist in its attempts to infect users with malicious code. The first copies of the new emails began going out just before 9:00am PST on Tuesday, October 30th. As with previous Storm emails, various subjects and bodies will be used. Here is one example email:
Example of new Halloween based attacks
Subject: Nothing is funnier this Halloween
Body: Come watch the little skeleton dance.
(Malicious URL Removed)
This interesting finding could lead to malware possibly being bypassed when processing web pages containing underlying scripts embedded in the HTML.
A000n0000 0000O000l00d00 0I000E000 00T0r0000i0000c000k
http://blog.didierstevens.com/2007/10/23/a000n0000-0000o000l00d00-0i000e000-00t0r0000i0000c000k/
http://it.slashdot.org/article.pl?sid=07/10/29/1747237
QUOTE: When I found a malicious script riddled with 0×00 bytes, SANS handler Bojan Zdrnja explained to me that this was an old trick. When rendering an HTML page, Internet Explorer will ignore all zero-bytes (bytes with value zero, 0×00). Malware authors use this to obscure their scripts. But this old trick still packs a punch.
When I remove all obscuring zero-bytes from this script, things get better: 25 out of 32 AV products detect it. But what happens when I add more zero-bytes to the script? Even more AV are fooled! Gradually adding more zero-bytes makes the detection ratio go down.
And at 254 zero-bytes between the individual characters of the script, McAfee VirusScan is the only AV to still detect this obscured script. One byte more (255 zero-bytes), and VirusScan doesn’t detect the script anymore. No AV on VirusTotal detects this malware obscured with 255 zero-bytes (or more). But for IE, this obscured HTML poses no problem, it still renders the page and executes the script.
Websense has warned of a new HTML based e-card in the Spanish language. It is designed to load a Trojan horse that can steal banking account credentials from the infected PC. More threats could potentially emerge, so please be careful out there.
New Halloween e-card threats
http://www.websense.com/securitylabs/alerts/alert.php?AlertID=813
Sample e-card from Websense
http://www.websense.com/securitylabs/images/alerts/halloween2007.png
QUOTE: Websense® Security Labs™ has discovered a new Trojan Horse information stealer that is being emailed out as a Halloween Greeting Card in Mexico. To date we have seen four unique sites being spammed out all with the same binary file. They were in Korea, Brazil, and Russia, and were all up and running at the time of this alert. The file is called "hallowenDay.exe". It is also poorly detected by anti-virus signatures.
Assuming users access the site and select to run the file a Trojan Horse is downloaded onto their machine which is designed to steal banking information from users, the file appears to also be packed with a unique custom packer. We expect to see additional email lures and malicious websites on our radar with Halloween night quickly approaching. The email is written in HTML and has a variety of subject lines.
This chart denotes that rootkits, botnets, and other advanced attacks have increased two-fold during the past year. As actual infections took place, it signifies that malware authors are using improved social engineering tactics and technical innovations for malware to slip through defense systems (e.g., massive spam attacks, crafted exploits, etc).
This finding illustrates that it's more important than ever to stay up-to-date with security protection and to exercise caution in email, IM, and website visitations.
Trend Micro reports 200% increase in Severe Malware Infections
http://blog.trendmicro.com/200-growth-in-severe-malware-infections/
QUOTE: An infections graph released by the Trend Micro Threat Analytics shows that the growth in severe malware infections grew 200% throughout 2007.
Please be very cautious with any PDF files received in EMAIL messages
If you use Adobe, it's very important to move to the latest version 8.1.1 plus keep AV protection updated.
Malicious PDF files being spammed out in volume
http://www.f-secure.com/weblog/archives/00001303.html
http://www.f-secure.com/v-descs/exploit_w32_adobereader_k.shtml
http://www.avertlabs.com/research/blog/index.php/2007/10/24/pdf-mailto-exploit-seen-in-wild-today/
http://blogs.zdnet.com/security/?p=614
http://www.microsoft.com/technet/security/advisory/943521.mspx
QUOTE: Malicious PDF files (report.pdf or debt.2007.pdf or overdraft.2007.10.26.pdf, etc) have been massively spammed through email during last hour and the spam run is still continuing. The PDF is spiced with CVE-2007-5020 exploit that downloads ms32.exe that downloads more componets. At this point it's not clear yet what is the final payload of the malware, because of missing files in the download chain. We are investigating further.
The subjects for the spam messages include:
Your credit report
Your credit points
Your balance report
Personal Financial Statement
Personal Credit Points
Personal Balance Report
Your Credit File
Balance Report
Trend's Exploit Detection
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=EXPL%5FPIDIEF%2EC
Trend - Behavioral Diagram
http://www.trendmicro.com/vinfo/images/EXPL_PIDIEF_C_BD.gif
Adobe Bulletin
http://www.adobe.com/support/security/bulletins/apsb07-18.html
The Storm worm botnet is so well protected that it's central servers and malware authors have remained anonymous. While it uses fast-flux servers that are ever changing, the Storm worm client can launch a DDoS based attack if researchers try to reverse engineer the code to determine how it works.
Storm worm strikes back if researchers attempt to discover its origin
http://www.networkworld.com/news/2007/102407-storm-worm-security.html
The Storm worm is fighting back against security researchers that seek to destroy it and has them running scared, Interop New York show attendees heard Tuesday. The worm can figure out which users are trying to probe its command-and-control servers, and it retaliates by launching DDoS attacks against them, shutting down their Internet access for days, says Josh Corman, host-protection architect for IBM/ISS, who led a session on network threats.
A recently discovered capability of Storm is its ability to interrupt applications as they boot up and either shut them down or allow them to appear to boot, but disable them. Users will see that, say, antivirus is turned on, but it isn’t scan for viruses, or as Corman puts it, it is brain-dead. "It’s running, but it’s not doing anything.
The Real Player security patch was issued promptly by the vendor and should be applied expediently.
Real Player - Security Release for critical ActiveX vulnerability
http://secunia.com/advisories/27248/
Solution - Apply patch for RealPlayer 10.5 and 11 beta:
http://service.real.com/realplayer/security/191007_player/en/securitydb.rnx
When cleaning Storm worm infections, the file names have changed for newer variants and the most up-to-date standalone cleaner should be used.
Storm Worm - Now infects PC with different file names
http://www.avertlabs.com/research/blog/index.php/2007/10/21/nuwar-new-file-names/
QUOTE: We all know that Nuwar aka Storm gang has been continuously changing their spam email text, download sites, executables, network traffic patterns etc in their efforts to penetrate through the security defenses at various layers, all throughout this year. I had a chance to briefly look at a ‘fresh’ Nuwar sample this weekend. It is interesting that they have now also changed the names of files Nuwar drops. It now drops noskrnl.exe, noskrnl.sys and noskrnl.config instead of Spooldr.exe, Spooldr.sys, and Spooldr.ini correspondingly. It also tried to actively propagate by coping itself on the floppy drive, which is new.
This site is one of my favorite links for locating malware cleaning facilities:
GREAT SITE FOR FREE VIRUS REMOVAL TOOLS
(see links on left top side -- "Free Protection and Removal Tools")
http://www.virusintel.com/tiki-index.php
Users should be not open any untrusted TIFF images using iPhone's Safari web browser and watch for available security patches to be released by Apple.
iPhone unpatched vulnerability and Exploit
http://isc.sans.org/diary.html?storyid=3517
http://secunia.com/advisories/27213/
http://secunia.com/cve_reference/CVE-2007-5450/
Description: A vulnerability has been reported in Apple iPod touch and Apple iPhone, which potentially can be exploited by malicious people to compromise a vulnerable device. The vulnerability is caused due to an error in the processing of TIFF images and can potentially be exploited to execute arbitrary code when a specially crafted TIFF image is viewed, e.g. in the Safari web browser. The vulnerability is reported in iPod touch version 1.1.1 and iPhone version 1.1.1. Other versions may also be affected
Solution: Do not browse untrusted web sites and do not open untrusted TIFF images.
Real Player - Zero Day Exploit circulating
A new zero day Real Player exploit is reported to be actively circulating which uses an ActiveX control vulnerability. Real player users the ActiveX control to determine functionality and the maliciously crafted version can allow malware to be automatically installed. Users should avoid or be careful with all Real player files until this is fixed. A killbit can be set to deactivate the ActiveX control as noted below.
Real Player - Zero Day Exploit circulating
http://www.symantec.com/enterprise/security_response/weblog/2007/10/realplayer_exploit_on_the_loos.html
http://www.avertlabs.com/research/blog/index.php/2007/10/19/realplayer-zero-day-exploit-hits-the-web/
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9043319
http://www.securityfocus.com/bid/26130
QUOTE: Attackers are exploiting a zero-day vulnerability in RealPlayer in order to infect Windows machines running Internet Explorer, Symantec Corp. said late Thursday. The security company issued an alert that rated the threat with its highest possible score. According to a warning issued to customers of its DeepSight threat network, Symantec said an ActiveX control installed by RealNetworks Inc.'s RealPlayer program is flawed. When combined with Microsoft Corp.'s Internet Explorer (IE) browser -- which relies on ActiveX controls to extend its functionality -- the bug can be exploited and malicious code downloaded to any PC that wanders to a specially crafted site.
KILLBIT CAN BE SET: The vulnerability lies in a RealPlayer ActiveX control, and can be mitigated by setting the appropriate kill bit via the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\
ActiveX Compatibility\{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}
KB Article - How to set Killbit for ActiveX objects
http://support.microsoft.com/kb/240797
These email messages should be blocked or deleted if found. The advice
is always misleading and folks are better served by researching stock
information on legitimate websites.
Stock spam - New MP3 version will try to talk you into it
http://www.gfi.com/news/en/mp3spam.htm
http://www.vnunet.com/vnunet/news/2201466/pump-dump-spammers-tell-users
http://www.symantec.com/enterprise/security_response/weblog/2007/10/mp3_version_of_pumpanddump_sto.html
http://www.google.com/search?hl=en&q=mp3+stock+spam
QUOTE: MP3 Version of Pump-and-Dump Stock SpamPump-and-dump
stock spam is a classic example of sophistication and diversity of spam
techniques. Recently the pump-and-dump spammers have started using mp3 files as
a new method of spreading stock spam. In the latest observations we’ve seen an
mp3 file as an attachment in the body of an
email message – without any content – and the subject line usually includes
“RE:”, “FW:”, or is sometimes just blank. The “From:” address is usually random.
Another feature of this new pump-and-dump stock attack is that the mp3 files
have random names, such as the following examples:
"ciara.mp3"
“elvis.mp3"
"crazylady.mp3"
"chrisbrown.mp3
“jillscott.mp3"
"crush.mp3"
The average file size is approximately 63.3 kb,
with the garbled stock tip lasting for about 30 seconds. The Audio content
sounds something like the below example: “Hello, this
is an Investor alert. nnnnn Inc. has announced it is ready to launch its new
nnnnn.com Web site. Already a huge success in Canada, we are expecting amazing
result in USA. Go read the news and hit on nnnnn that Symbol get it nnnnn Thank
you”
All Firefox users should move to the latest release for improved security. Most users will be prompted to autoupdate and these security improvements should be completed as soon as possible.
Firefox 2.0.0.8 - Security Releasehttp://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.8
Mozilla Foundation Security Advisory - Fixed in Firefox 2.0.0.8MFSA 2007-36 URIs with invalid %-encoding mishandled by Windows
MFSA 2007-35 XPCNativeWrapper pollution using Script object
MFSA 2007-34 Possible file stealing through sftp protocol
MFSA 2007-33 XUL pages can hide the window titlebar
MFSA 2007-32 File input focus stealing vulnerability
MFSA 2007-31 Browser digest authentication request splitting
MFSA 2007-30 onUnload Tailgating
MFSA 2007-29 Crashes with evidence of memory corruption
Oracle DBAs and system administrators should pilot test and quickly deploy the quarterly security updates as applicable Related Articlehttp://news.yahoo.com/s/pcworld/20071015/tc_pcworld/138431
Oracle - Quarterly Release Linkshttp://www.oracle.com/technology/deploy/security/alerts.htm
Oracle - October 2007 Security release detailshttp://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2007.html
QUOTE: Oracle Corp. will release security updates for its products next week fixing 51 vulnerabilities in its products. Included in the Critical Patch Update, set to be released Tuesday, will be critical updates for the company's flagship Oracle Database.
Twenty-seven database bugs will be fixed, but five of the bugs can be "exploited over a network without the need for a username and password," Oracle said in a note on next week's patches.
Recently, we may have been in "calm before the storm", as e-card attacks have diminished some. These 3 blog posts point to more innovation in new attacks that could be coming soon:
Storm Worm - New encrypted packets and I-Frame injection version coming
http://www.symantec.com/enterprise/security_response/weblog/2007/10/strengthening_storm_almost_hur.html
http://www.secureworks.com/research/blog/index.php/2007/10/15/the-changing-storm/
http://blogs.pcmag.com/securitywatch/2007/10/the_gathering_storm.php
QUOTE:
Strengthening Storm – Almost Hurricane?
The new Storm worm variants being seen these days have yet again evolved and are gaining strength. Well, at least in encryption technology. The P2P UDP packets (made up of the header and payload) are now encrypted using a 40-byte key. As our friends at Secure Works pointed out here, this is definitely good news for network administrators who have to deal with legitimate P2P overnet traffic.
The encryption is trivial and isn't the only new thing found in this variant. It seems to have some new techniques for propagation. Firstly, it is able to scan the file system and drop an executable into any folder with at least one .exe file. Secondly, the worm is able to harvest email addresses from the file system and send spam to those addresses. Lastly, it is able to search for .htm, .html, and .php files and inject malicious IFRAME code into them
Opera browser users should upgrade to the latest version, as the following security improvements have been made
QUOTE:
Security
- Fixed an issue where external news readers and e-mail clients could be used to execute arbitrary code, as reported by Michael A. Puls II. See our advisory.
- Fixed an issue where scripts could overwrite functions on pages from other domains. See the advisory. Issue reported to Opera by David Bloom.
Opera 9.24 for Windows is available for download
One of the most technical and in-depth analysis of the Storm Worm botnet can be found in the links below. Every new development should be watched by security professionals, as these constant attacks use convincing and innovative social engineering schemes (e.g., e-cards). Once a workstation becomes infected, it becomes a member of the botnet consisting of at least 1.6 PCs. These infections are also difficult to detect and clean as advanced rootkit techniques are used.
Storm Worm - Comprehensive Analysis by Cyber-TA
http://www.cyber-ta.org/pubs/StormWorm/
http://www.cyber-ta.org/pubs/StormWorm/report/
http://www.cyber-ta.org/pubs/StormWorm/links.html
QUOTE: Since early 2007 a new form of malware has made its presence known on the Internet by its prolific growth rate, its ability to distribute large volumes of spam, and its ability to avoid detection and eradication. Storm Worm (or W32.Peacomm, Nuwar, Tibs, Zhelatin), as it is known, is a highly prolific new generation of malware that has gained a significant foothold in unsuspecting Microsoft Windows computers across the Internet.
Storm, like all bots, distinguishes itself from other forms of malware by its ability to establish a control channel that allows its infected clients to operate as a coordinated collective, or botnet. However, even among botnets Storm has further distinguished itself by being among the first to introduce a fully P2P control channel, to utilize fast-flux to hide its binary distribution points, and to aggressively defend itself from those who would seek to reverse engineer its logic. Despite all the hype and paranoia surrounding Storm, the inner workings of this botnet largely remain a mystery.
Additional Links and Information
http://en.wikipedia.org/wiki/Storm_Worm
http://www.cyber-ta.org/pubs/StormWorm/links.html
Some recent discoveries have been posted where special strings after the URL address may bypass some of the security checking. As noted in the posts below, a special URL string may be crafted that can bypasses the warning prompt to the user and loads an EXE file automatically. Users should continue to be careful with URLs in email, websites, etc. and keep AV protection updated.
Internet Explorer - Special URL strings may bypass security controls for EXE files
http://aviv.raffon.net/2007/10/15/BackFromTheDead.aspx
http://www.securityfocus.com/archive/1/482220/30/0/threaded
http://blogs.pcmag.com/securitywatch/2007/10/new_news_with_old_vulnerabilit.php
Original IE 6 Bug as documented by Secunia and CERT
http://secunia.com/advisories/13203/http://www.kb.cert.org/vuls/id/743974
QUOTE: Sometimes it is nice to see old vulnerabilities come back from the dead. This time I'm referring to a vulnerability in Internet Explorer that was discovered almost 3 years ago by cyber_flash. The vulnerability allows an attacker to bypass the security download warning dialog, and display a regular save file dialog, by manipulating IE into displaying executable file (a file with .exe extension) as a regular html file. While this vulnerability was partially patched by Microsoft in IE7, it was still remained unpactched in IE6 SP2.
This new HTML based attack is socially engineered well and may trick folks. It's always a best practice to avoid every URL present in an email message (even to opt out of spam), unless you are absolutely sure it's safe.
New Storm Worm - Kitty Greeting Card
http://www.websense.com/securitylabs/alerts/alert.php?AlertID=807
http://www.f-secure.com/weblog/archives/00001291.html
http://www.avertlabs.com/research/blog/index.php/2007/10/12/no-laughing-matter-or-curiosity-killed-the-cat/
quote:
Websense® Security Labs™ has received several reports of a new Web site that is being distributed in spam sent out by those running the Storm attacks. This site poses as a free Ecard Web site. No exploit is on the site itself. However, when users click any of the URLs, they are prompted to download and run a file called "SuperLaugh.exe." This file contains the Storm payload code.
More Posts
Next page »