Cybercriminals release Christmas themed web malware exploitation kit

Christmas themed web malware exploitation tool“Committing cybercrime around the Christmas tree” has always been a tradition for malicious attackers introducing new ways to scam the millions of online shoppers during the holidays. This Christmas isn’t going to be an exception, but what has changed compared last couple of years is the tone of the Xmas promotions already circulating across various cybercrime communities. Do cybercriminals exchange gifts during the Christmas holidays? A recently released web malware exploitation kit coming with three different types of licenses and 9 modified exploits, aims to become “the pefect Christmas gift for all of your friends”.

Christmas themed web malware exploitation toolNot surprisingly, the exploitation kit itself is released purely for commercial gains which when combined with the fact that it appears to be using a large percentage of the source code from a competing exploitation kit — appreciate the irony here — the already patched vulnerabilities it attempts to exploit can be easily taken care of. However, going through the infection rate statistics which were temporarily left available as a promotion tool, thousands of people have already became victim of their lack of decent situational awareness on how important patching of their third-party applications really is.

A translated description of the kit’s marketing pitch :

“Feeling bored? Miss the Christmas spirit? Want to make a lot of money before the holidays but you lack the right tools? We have the solution to your problems - our web malware exploitation kit which will bring back the Christmas attitude and also become the perfect gift for your friends. Available are Professional, Standard and Basic licenses, with each of these including or lacking some unique features based on your budget. Professional package comes with support.”

Modified exploits included within with their associated descriptions :

  • modified MDAC - “the notorious exploit that continues to provide high infection rates of IE6 users”
  • IE Snapshot - “unique exploit offering high infection rates for both IE6 and IE7 users”
  • FF Embed - “still relevant for exploiting all Firefox versions”
  • Opera Old+new - “capable of infecting all versions of Opera up to the latest one”
  • Old PDF - “targeting Adobe Reader v8.1.1 it’s still relevant, also it checks whether the exact version is installed before launching the exploit”
  • New PDF - “targeting Adobe Reader 8.1.2, a perfect combination with Old PDF
  • XLS - “unique exploit targeting Microsoft Excel”
  • SWF- “modification of the infamous exploit, works quietly and targets all browsers”

Christmas themed web malware exploitation toolThe malware obtained in one of the currently active campaigns has a low detection rate (6 out of 37 AVs detect it - 16.22%) and continues phoning back home to findzproportal1 .com (; from where it attempts to drop a rootkit (TDSSserv.sys). Among the main ways of ensuring that you’re going to ruin their holidays is to make sure they’re not exploiting you with last year’s client-side vulnerabilities, which is the main vehicle for continuing growth of web malware exploitation kits in general.

[Source: zdnet]

iPhone update kills 12 security bugs

iPhone update kills 12 security bugsApple has released iPhone OS 2.2 with patches for 12 documented security flaws, some very serious.

The vulnerabilities covered by the patch (which also affect iPod Touch) could allow remote code execution, information theft, software crashes and weakened encryption settings.

The skinny on this batch of updates:

  • CVE-2008-2321: CoreGraphics contains memory corruption issues in the processing of arguments. Passing untrusted input to CoreGraphics via an application, such as a web browser, may lead to an unexpected application termination or arbitrary code execution. Credit to Michal Zalewski of Google for reporting this issue.
  • CVE-2008-2327: Multiple uninitialized memory access issues exist in libTIFF’s handling of LZW-encoded TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2008-1586: A memory exhaustion issue exists in the handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected device reset. Credit to Sergio ’shadown’ Alvarez of n.runs AG for reporting this issue.
  • CVE-2008-4227: The encryption level for PPTP VPN connections may revert to a previous lower setting. This update addresses the issue by properly setting the encryption preferences. Credit to Stephen Butler of the University of Illinois of Urbana-Champaign for reporting this issue.
  • CVE-2008-4211: A signedness issue in Office Viewer’s handling of columns in Microsoft Excel files may result in an out-of-bounds
    memory access. Viewing a maliciously crafted Microsoft Excel file may lead to an unexpected application termination or arbitrary code
    execution. Apple discovered this bug internally.
  • CVE-2008-4228: iPhone provides the ability to make an emergency call when locked. Currently, an emergency call may be placed to any number. A person with physical access to an iPhone may take advantage of this feature to place arbitrary calls which are charged to the iPhone owner.
  • CVE-2008-4229: The Passcode Lock feature is designed to prevent applications from being launched unless the correct passcode is
    entered. A race condition in the handling of device settings may cause the Passcode Lock to be removed when the device is restored
    from backup. This may allow a person with physical access to the device to launch applications without the passcode. Credit to Nolen Scaife for reporting this issue.
  • CVE-2008-4230: If an SMS message arrives while the emergency call screen is visible, the entire SMS message is displayed, even if the “Show SMS Preview” preference was set to “OFF”. This update addresses the issue by, in this situation, displaying only a notification that a SMS message has arrived, and not its content.
  • CVE-2008-4231: A memory corruption issue exists in the handling of HTML table elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. Credit to Haifei Li of Fortinet’s FortiGuard Global
    Security Research Team for reporting this issue.
  • CVE-2008-4232: Safari allows an iframe element to display content outside its boundaries, which may lead to user interface spoofing. Credit to John Resig of Mozilla Corporation for reporting this issue.
  • CVE-2008-4233: If an application is launched via Safari while a call approval dialog is shown, the call will be placed. This may allow a maliciously crafted website to initiate a phone call without user interaction. Additionally, under certain circumstances it may be
    possible for a maliciously crafted website to block the user’s ability to cancel dialing for a short period of time. Credit to Collin Mulliner of Fraunhofer SIT for reporting this issue.
  • CVE-2008-3644: Disabling autocomplete on a form field may not prevent the data in the field from being stored in the browser page cache. This may lead to the disclosure of sensitive information to a person with physical access to an unlocked device.

It should be mentioned that several known phishing and spamming flaws in iPhone are not yet addressed.

[Source: zdnet]

Fake Windows XP activation trojan goes 2.0

Fake Windows XP activation trojanKnown as Kardphisher and “in the wild” since April, 2007, last week the malware author of this trojan horse mimicking the Windows XP activation interface while collecting the credit card details the end user has submitted, has made significant changes to visual interface and usability of the trojan, consequently improving its authenticity. Guess what happens when a gullible end user falls victim into this social engineering attack?

Fake Windows XP activation trojanTheir credit card details end up automatically into an IRC channel specifically set for that purposes. Some of changes in the new version include more legitimately looking color scheme, improved restrictions making it much harder for the end user to close the application without submitting their credit card details, built-in validation of credit cards and email, next to displaying the current product key to make the application look more legitimate. Once the user enters all the validated data, the new version of the tool automatically removes itself as if the activation was successful. Moreover, a bogus “verified by Visa” message that is also requesting social security number and a date of birth makes the trojan the perfect tool in the hands of identity thieves relying on nothing else but plain simple social engineering impersonating Microsoft.

Fake Windows XP activation trojanThe latest Kardphisher may indeed by filling in all the gaps from the previous version, but the trojan can never scale as efficiently as crimeware “in the middle” does for the time being. Among the main growth factors for the increasing number of such malware remains the fact that throughout the entire year proprietary crimeware kits costing several thousand dollars on average started leaking out, allowing many new entrants to start using what once used to be a highly exclusive tool in the arsenal of the experienced cybercriminal.

[Source: zdnet]

Microsoft is 5th most spam-friendly ISP

Microsoft is 5th most spam-friendly ISPSpammers are abusing Microsoft’s online services at such an alarming rate that a non-profit spam fighting group now lists Microsoft as the world’s 5th most spam-friendly ISP (Internet Service Provider).

The latest update of’s list of the world’s worst spam networks shows Microsoft at #5 because of 26 “current known spam issues” surrounding Nigerian (419) advance-free fraud e-mails (see screenshot below):

Microsoft 5th most spam-friendly ISP

The comments from Spamhaus highlight the problems at Microsoft:

  • Months of LifeFileStore abuse, we see little done to stop it.
  • - hacked by the tens of thousands.
  • used and abused by spammers.
  • Pump and Dump spam anonymized via Hotmail.

Security Fix’s Brian Krebs first reported this story.

[Source: zdnet]

Malware found in Lenovo software package

Malware found in Lenovo ThinkCenter driverComputer maker Lenovo is shipping a malware-infected software package to Windows XP users, according to warning from anti-virus researchers at Microsoft.

The malicious file was identified by Microsoft as Win32/Meredrop, a Trojan dropper that is used to install and execute multiple malicious executables on an infected computer. Other anti-virus vendors are detecting the threat as a ‘hooligan’ virus or a porn dialer. It was found the Lenovo Trust Key software for Windows XP, a digitally signed driver package available to Windows XP SP2 users.

The infected software is used to install the Lenovo Security Logon and the Lenovo Private folder applications for use with the Lenovo Trust Key (also known as Lenovo Insider Key).

[ SEE: Malware-infected USB drives distributed at security conference ]
My sources tell me the Lenovo package contains lots of files, including the one with the embedded malware. At first glance, the malicious file contains functional, but buggy code and attemps to infect files, spread across the network and USB drives.

Lenovo has been notified and is investigating the issue.

UPDATE: Lenovo has removed the compromised download from its Web site.

[Source: zdnet]

Under worm attack, US Army bans USB drives

Under worm attack, US Army bans USB drivesUnder sustained attack from what is described as a rapidly spreading network worm, the U.S. army has banned the use of USB sticks, CDs, flash media cards, and all other removable data storage devices, according to internal e-mail messages seen by Wired’s Noah Shachtman.

According to the article, service members have been ordered to “cease usage of all USB storage media until the USB devices are properly scanned and determined to be free of malware.” Eventually, some government-approved drives will be allowed back under certain “mission-critical,” but unclassified, circumstances. “Personally owned or non-authorized devices” are “prohibited” from here on out, according to the e-mails.

The USB device ban was handed down by the commander of U.S. Strategic Command and includes everything from external hard drives to “floppy disks. It takes effect immediately.

To make sure troops and military civilians are observing the suspension, government security teams “will be conducting daily scans and running custom scripts on NIPRNET and SIPRNET to ensure the commercial malware has not been introduced,” an e-mail says. “Any discovery of malware will result in the opening of a security incident report and will be referred to the appropriate security officer for action.”

The threat from malware that spreads via removable media has been on a steady rise with some estimates showing a 10 percent increase in detections this year.


Malware-infected USB drives distributed at security conference

Malware found in Lenovo software package

[Source: zdnet]

Commercial vendor of spyware under legal fire

RemoteSpy SoftwareJust like every decent marketer out there, vendors of commercial malware tools are very good at positioning their tools. However, their pitches often contradict with themselves in a way that what’s promoted as a Remote Administration Tool, has in fact built-in antivirus software evading capabilities, rootkit functionality and tutorials on how to remotely infect users over email.

This fake positioning is finally receiving the necessary attention. CyberSpy Software LLC, a popular vendor of such commercial spyware tools has been recently targeted by the U.S Federal Trade Commission, with the company’s sites shut down already. Wish it was that simple.

“Defendants touted RemoteSpy as a “100% undetectable” way to “Spy on Anyone. From Anywhere.” According to the FTC complaint, the defendants violated the FTC Act by engaging in the unfair advertising and selling of software that could be: (1) deployed remotely by someone other than the owner or authorized user of a computer; (2) installed without the knowledge and consent of the owner or authorized user; and (3) used to surreptitiously collect and disclose personal information. The FTC complaint also alleges that the defendants unfairly collected and stored the personal information gathered by their spyware on their own servers and disclosed it to their clients. The complaint further alleges that the defendants provided their clients with the means and instrumentalities to unfairly deploy and install keylogger spyware and to deceive consumer victims into downloading the spyware.”

Commercial MalwareGoing through a dozen of such tutorials and new releases courtesy of the illegal vendors of malware daily, the way commercial vendors explain the process of sending the malware is very similar to the way the illegal vendors do it :

“Now it is time to send out the file to the remote PC. In this guide we are using Outlook Express on Windows XP. Click the Create Mail button to open a new mail window. Click ATTACH and navigate to where you saved your Realtime-Spy file you created previously. Click on the file and then click ‘Attach’ to attach the file to your email. You will now have to enter a recipient for the file you are sending, as well as an email subject and body. Notice the size of the Realtime-Spy file - it should be approximately 100-115kb at all times! Once you are ready to go click Send to send the email! Note: Users will only appear after they have downloaded and executed the file you have sent them.”

Mobile SpywareVendors of commercial malware are naturally vertically integrating by not only offering malware for PCs, but also, actively developing mobile malware applications. Both of these are then actively advertised through popular advertising networks, but are mostly driving their traffic from affiliate based programs.

Commercial MalwareWhat’s the antivirus vendors take on this particular piece of commercial malware? Labeled as a surveillance tool or spyware, the majority of them already detect it. Anyway, such shut down operations must be done in a “bulk fashion” with a great deal of other commercial malware and keylogging software vendors whose products still remain active online. For instance, the following brands remain active and are operated by other companies whose network of affiliates is reaching a wider audience, with some of the vendors allowing affiliates to re-brand leading to new names for old commercial malware :

“Keystroke Spy, Keylogger Pro, Key Spy Pro, KeyCaptor, Keylog Pro, Invisible Keylogger, SpyAgent, SpyBuddy, Golden Eye, CyberSpy, Screen Spy, AceSpy Spy, SniperSpy, RemoteSpy, Realtime Spy, SpyAnywhere, RemoteSpy, KeySpy Remote, Catch Cheat, Silent Logger, Email Spy Pro; WebMail Spy; Spy Mail; Stealth Email Redirector, Perfect Keylogger for Mac OS X, “

With CyberSpy Software LLC’s site now shut down, it would be interesting to monitor whether another company would brandjack the popularity of their products.

[Source: zdnet]

Microsoft kills OneCare, replaces it with freebie ‘Morro’

Microsoft kills OneCare, pushes ‘free’ anti-malware toolMicrosoft today announced plans to kill its Windows Live OneCare PC care and security suite and replace it with a free anti-malware utility.

The new product, code-named “Morro,” will be designed for a smaller footprint that will use fewer computing resources, making it ideal for low-bandwidth scenarios or less powerful PCs, Microsoft said its surprise announcement.

Retail sales of Windows Live OneCare, which offered non-security PC care features such as printer sharing, data backup and automated PC tune-up, ends on June 30, 2009.

The company said “Morro” will be available in the second half of 2009 and will feature standard anti-malware capabilities to detect viruses, spyware, rootkits and trojans.

Morro will use the same home-built malware protection engine that powered Windows Live OneCare.

The new solution will deliver the same core protection against malware as that offered through Microsoft’s enterprise solutions, but will not include many of the additional non-security features found in many consumer security suites.

The freebie will be available as a stand-alone download and offer malware protection for the Windows XP, Windows Vista and Windows 7 operating systems.

UPDATE: Mary-Jo Foley has more, including this nugget:

Microsoft’s Equipt — which Microsoft launched in July of this year — is dead and Microsoft is having to go back and pull copies of Equipt from the channel (Circuit City in the U.S. and DSGI in the U.K.). Microsoft is offering customers a pro-rated refund for the service and allowing purchasers to keep Office Home & Student edition for free forever, Microsoft officials said.

* Disclosure: I work for a company that competes directly with Microsoft’s anti-malware offerings.

[Source: zdnet]

Anti fraud site hit by a DDoS attack

Bobbear DDoS AttackThe popular British anti-fraud site is currently under a DDoS attack (distributed denial of service attack) , originally launched last Wednesday, and is continuing to hit the site with 3/4 million hits daily from hundreds of thousands of malware infected hosts mostly based in Asia and Eastern Europe, according to the site’s owner. Targeted DDoS attacks against anti-fraud and volunteer cybercrime fighting communities clearly indicate the impact these communities have on the revenue stream of scammers, and with Bobbear attracting such a high profile underground attention, the site is indeed doing a very good job.

Anyway, who’s behind this attack? Let’s track down a well known DDoS for hire provider currently operating 10 Black Energy DDoS botnets, and take an exclusive peek at his switchboard indicating that 4 of his botnets are currently set to attack only, proving that the attack may have well been outsourced. With cybercriminals so overconfident in their abilities to remain unnoticed so that they’re using a well known botnet command and control server historically used to manage Zeus banker malware campaigns, it’s fairly easy to connects the dots :

“Bob Harrison, the administrator of the Bobbear website, got in touch with me this weekend to tell me that his site was under fire from a distributed denial-of-service (DDoS) attack using compromised botnet computers around the world. The botnet is bombarding Bob’s website with traffic, effectively blasting it off the internet and making it impossible for legitimate visitors to reach the site.

Bobbear DDoS AttackMorever, as you can see in this exclusive screenshot attached, 4 of their botnets are currently set to attack using the following preferences :

“icmp_freq = 10
icmp_size = 2000
syn_freq = 10
spoof_ip= 0
attack_mode = 0
max_sessions = 30
http_freq = 50
http_threads = 4
tcpudp_freq = 20
udp_size = 1000
tcp_size = 2000
cmd = flood http
ufreq = 5
botid = (not set)”

The DDoS attack is only the tip of the iceberg, as while tracking down the source of the attack I’ve also managed to establish a direct connection between his DDoS for hire services and the DDoS attacks against the Georgian government, once again proving that DDoS and cybecrime in general is getting easier to outsource these days..

[Source: zdnet]

Adobe AIR hits ‘critical’ security turbulence

Adobe Air update fixes critical vulnerabilityBuried in today’s flurry of feel-good Adobe news is this less flattering nugget: Adobe AIR is vulnerable to several critical vulnerabilities that could expose users to code execution attacks.

The company released AIR 1.5 with fixes for previously discussed flaws in Flash Player (which is embedded into AIR) and a patch for a separate issue that allows the execution of untrusted JavaScript with elevated privileges.

As this bulletin explains, the issues are all remotely exploitable:

  • A vulnerability has been identified in Adobe AIR 1.1 and earlier that could allow an attacker who successfully exploits this potential vulnerability to execute untrusted JavaScript with elevated privileges. An Adobe AIR application must load data from an untrusted source to trigger this potential vulnerability. In addition, AIR 1.5 includes a Flash Player update to resolve the critical issues outlined in Flash Player Security Bulletin APSB08-22, as well as issues included in Flash Player Security Bulletins APSB08-20 and APSB08-18. Adobe recommends AIR customers update to Adobe AIR 1.5. These issues are remotely exploitable.

Adobe recommends all users of Adobe AIR 1.1 and earlier versions upgrade to the newest version AIR 1.5 by downloading it from the AIR Download Center, or by using the auto-update mechanism within the product when prompted.

[Source: zdnet]

Apple turns to Google for Safari anti-phishing

Apple finally goes phishing on SafariApple has quietly teamed up with Google to add anti-phishing features into the latest version of the Safari browser.

The feature, turned on by default in Safari 3.2, displays a warning page (see screenshots below) when Safari users surf to a fraudulent Web site. It is powered by Google’s blacklist of fake Web sites that are used to steal user credentials for banking and other finance-related Web sites.

[ SEE: Apple fixes 12 Safari security flaws ]

Apple finally goes phishing on Safari

Here’s the roadblock that appears when Safari is used to surf to a phishing site:

Apple finally goes phishing on Safari

Apple is the last major Web browser provider to add anti-phishing protection. Microsoft’s Internet Explorer, Mozilla’s Firefox and Opera all provide warning mechanisms to end users.

[Source: zdnet]

VoIP vulnerabilities in Microsoft Communicator

VOIP Vulnerabilities in Microsoft CommunicatorResearchers at VoIPshield Labs have pinpointed a wide range of denial-of-service vulnerabilities in Microsoft Communicator, the unified communications that features business-grade instant messaging , voice, and video tools.

The flaws, rated “high severity,” could cripple VoIP-powered communications on Office Communications Server 2007, Office Communicator and Windows Live Messenger.

The skinny:

  • Microsoft Communicator Emoticon: By issuing instant messages to a client which contain a very large number of emoticons it is possible to cause the Microsoft Communicator to become nonresponsive for a certain period of time. During this period of time the phone does not respond to incoming invite messages and can even be forced to go into an offline state, eventually requiring the phone to reregister.
  • Microsoft Communicator INVITE Flood: Due to the manner in which sessions and authentication are managed it is possible to cause Microsoft Communicator to open a very large number of sessions resulting in the consumption of huge amounts of memory, potentially resulting in a Denial of Service.
  • Microsoft Communicator Real-time Transport Control Protocol Report Block: Using a specially crafted RTCP receiver report packet it is possible cause a Denial of Service (DoS) against Microsoft Communicator, Office Communications Server (OCS) and Windows Live Messenger.

The company said Microsoft has acknowledged the issues.

[Source: zdnet]

Sun plugs holes in StarOffice

Sun plugs holes in StarOfficeTwo weeks after the team shipped patches for code execution flaws in office suite, Sun Micrososystems has followed up with a high-priority update for StarOffice, which is based on the open-source code.

Sun’s patch, available for Windows, Linux and Solaris, address highly-critical vulnerabilities that could expose users to arbitrary code execution attacks via specially crafted image files.

[ SEE: Code execution flaws haunt OpenOffice ]

As previously reported, the vulnerabilities could be exploited via manipulated WMF and EMF files in StarOffice or StarSuite documents. described the bugs as file-handling heap overflows. Patches are available in OpenOffice 2.4.2.

[Source: zdnet]

Apple fixes 12 Safari security flaws

Apple plugs critical Safari holesApple has release Safari 3.2 to fix at least a dozen security flaws, some very serious.

The update, available for Windows XP, Windows Vista and Mac OS X (Tiger and Leopard), address vulnerabilities that could be exploited to take full control of a compromised machine.

Some of the more serious flaws:

CVE-2008-1767: A heap buffer overflow issue exists in the libxslt library. Viewing a maliciously crafted HTML page may lead to an unexpected application termination or arbitrary code execution. Further information on the patch applied is available via

CVE-2008-3623: A heap buffer overflow exists in CoreGraphics’ handling of color spaces. Viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution.

CVE-2008-2327: Multiple uninitialized memory access issues exist in libTIFF’s handling of LZW-encoded TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.

CVE-2008-2332: A memory corruption issue exits in ImageIO’s handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.

CVE-2008-3642: A buffer overflow exists in the handling of images with an embedded ICC profile. Opening a maliciously crafted image with an embedded ICC profile may lead to an unexpected application termination or arbitrary code execution.

Three of the 12 issues were found and fixed in WebKit, the open-source Web browser engine.

Safari 3.2 should be treated as an “highly critical” update. End users should apply this patch immediately.Blogger: 4 X Security Team - Create Post

[Source: zdnet]

Google Chrome vulnerable to data theft flaw

Google Chrome vulnerable to data theft flawGoogle has seeded a new version of its Chrome browser to developers with fixes for a pair of security issues that could expose users to data theft.

The issue, rated as a “moderate” risk could allow hackers to use HTML files to steal arbitrary files from a victim’s machine.

Details below:

  • r4188 and r4827 Address an issue with downloaded HTML files being able to read other files on your computer and send them to sites on the Internet. We now prevent local files from connecting to the network using XMLHttpRequest() and also prompt you to confirm a download if it is an HTML file.
    • Severity: Moderate. If a user could be enticed to open a downloaded HTML file, this flaw could be exploited to send arbitrary files to an attacker.

The patch, which will eventually be rolled out via Chrome’s automatic update feature, also adds new features around bookmarking and pop-up blocking.

[Source: zdnet]

Firefox security makeover: 11 vulnerabilities, 4 critical

11 vulnerabilities, 4 critical Mozilla has released a new version of its flagship Firefox browser to fix a total of 11 vulnerabilities that expose users to code execution, information stealing or denial-of-service attacks.

Four of the 11 flaws covered with the new Firefox 3.0.4 are rated “critical” because of the risk of code execution attacks via specially rigged Web pages.

The four critical vulnerabilities are:

  • MFSA 2008-55 Crash and remote code execution in nsFrameManager. A vulnerability in part of Mozilla’s DOM constructing code can be exploited by modifying certain properties of a file input element before it has finished initializing. When the blur method of the modified input element is called, uninitialized memory is accessed by the browser, resulting in a crash. This crash may be used by an attacker to run arbitrary code on a victim’s computer.
  • MFSA 2008-54 Buffer overflow in http-index-format parser. This is a flaw in the way Mozilla parses the http-index-format MIME type. By sending a specially crafted 200 header line in the HTTP index response, an attacker can cause the browser to crash and run arbitrary code on the victim’s computer.
  • MFSA 2008-53 XSS and JavaScript privilege escalation via session restore. The browser’s session restore feature can be used to violate the same-origin policy and run JavaScript in the context of another site. Any otherwise unexploitable crash can be used to force the user into the session restore state. This vulnerability could also be used by an attacker to run arbitrary JavaScript with chrome privileges.
  • MFSA 2008-52 Crashes with evidence of memory corruption. Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.

The Firefox update also fixes the following issues:

  • MFSA 2008-58 Parsing error in E4X default namespace
  • MFSA 2008-57 -moz-binding property bypasses security checks on codebase principals
  • MFSA 2008-56 nsXMLHttpRequest::NotifyEventListeners() same-origin violation
  • MFSA 2008-51 file: URIs inherit chrome privileges when opened from chrome
  • MFSA 2008-47 Information stealing via local shortcut files
[Source: zdnet]

Spam rates massively down on shutdown of rogue ISP

Several major news outlets are reporting that the shutdown of a rogue ISP in the Bay Area has lead to a massive drop in the global amount of spam. While this is “good thing”, this event is not an end of spam, nor is it even the beginning of the end of spam; it is merely a temporary lull.

Thanks in no small part to evidence gathered by Brian Krebs, The San Jose based McColo was dropped from the Internet yesterday resulting in a massive decline in spam rates around the globe. The common consensus right now is that the takedown resulted in a 35% to 50% drop in inbound spam sending attempts.

The shutdown has removed pieces of infrastructure critical for the operation of several spammers, but this does not mean they cannot adapt. We have seen that command and control servers can be eliminated by using distributed control algorithms, and storefronts can be hidden across compromised websites. The spammers may even regroup by recreating the services provided by McColo somewhere in Eastern Europe.

While many people would like to declare this event as the first step in the end to spam, I can pretty much guarantee you that it isn’t. Over the next few weeks, spammers will further decentralize their operation, turn the botnets back on, and restart their barrage.

[Source: zdnet]

$10k hacking contest announced

Hacking ContestIsraeli software developer Gizmox is challenging hackers to try hacking into the company’s Visual WebGui Platform, by offering a $10,000 incentive to those who manage to achieve the objectives of their contest launched at the beginning of the month. What’s particularly interesting about the contest is the fact that the company is running the contest as an investigation into the identity of their secret agent, the data for whom resides on their unhackable platform.

Nothing’s unhackable, the unhackable just takes a little longer.

“Gizmox, the developer of Visual WebGui open source platform, today announced a contest, sponsored by the Company, which will pay $10,000 to anyone who can hack into its Visual WebGui Platform. The Contest will take the shape of an investigation into the identity of a secret agent. The goal of the contest is to uncover the true identity of their secret agent, code named OWL. The Contest will feature a flash movie presented within the Visual WebGui application that will contain the data necessary to uncovering the identity of the OWL. Participants will be required to provide a reproducible pathway into the Visual WebGui Pipeline (without having to penetrate any non Visual WebGui Peripherals) in order to claim the prize. The contest will begin on November 3rd and end January 30th, Participants must register to receive login information and contest details.”

Registration is open to everyone, here are some of the highlights of what is considered acceptable hacking of the company’s framework :

“- The game assumes that the database is safe and cannot be penetrated to; hacking the database in any level will not qualify. In addition gaining a more powerful username and password is only valid if done through Visual WebGui path and will not be a valid winner in any other case.
- Assume in general, that any peripheral system and software is safe and cannot be penetrated through; in general a non-Visual WebGui layer hack-through will not be considered a win.
- Hacking through the Visual WebGui pipeline only is acceptable, meaning that using the VWG AJAX messages will qualify for winning the award.
- Manipulating any client code (JS, XSLT, XML, HTML and any client resource) is permitted, in order to try and shift the system from its original security behavior.
- Using any side effects or consequences of Visual WebGui code in runtime in order to hack the system is allowed, as long as the actual hack will use those side effects and consequences in order to manipulate the original server security behavior and not to penetrate any other software or infrastructure.”

Gizmox Hacking ContestOffering financial incentives in the form of hacking contests or bug bounties are nothing new. For instance, in 2000 PacketStormSecurity offered $10k reward for the winner in their “Protecting Against the Unknown” whitepaper contest, with another $10k offered by iDefense for a critical Microsoft vulnerability in 2006, followed by the most recent PWN 2 OWN $10k reward this year.

Gizmox’s contest is different in that it’s indirectly advertising the “unhackability” of its products compared to enticing research into the products of other companies. Whatever their motivation, the contest is worth the try, especially when their AJAX/Silverlight Web Applications Framework can be “examined” for free.

[Source: zdnet]

Google fixes critical XSS vulnerability

Google SSL Login XSSAll your accounting data are not belong to us. Hours after a proof of concept example detailing a XSS vulnetability at Google’s account login page was posted at the XSS Project’s clearing house, the company quickly took notice and fixed it.

“Security researcher “Xylitol” is credited with the discovery of this critical bug. In this case, the fact that SSL is being used on the login page, does not necessarily mean that the users’ login information is secured. Malicious people can exploit this Google XSS to propagate malware, spyware, adware and steal authentication credentials.”

Google SSL Login XSSIn October, Google was criticized for not paying attention to an already reported cross domain frame injection vulnerability, prompting the release of a proof of concept example demonstrating how third-party content can be injected within Google pages. Ignoring the endless debate of the pros and cons of full disclosure, responsible disclosure and partial disclosure for a moment, the fact that a large number of already reported vulnerabilities remain unfixed despite the potential for abuse, clearly indicates a company’s commitment — or the lack of.

XSSed is a great open source resource, whose early warning feature and RSS feeds are an invaluable resource that could help the affected sites into prioritizing the fixing of particular flaw that’s now in the public domain, if only were the affected companies to embrace it as such.

[Source: zdnet]

MS Patch Tuesday: Critical Windows, Office flaws fixed

Microsoft patches 4 critical flaws on Patch TuesdayMicrosoft’s scheduled batch of patches for November crossed the wires today with fixes for at least four documented vulnerabilities affecting millions of Windows and Office users.

As previously reported, the company released two security bulletins — one rated critical, one rated important — with fixes for flaws that could lead to remote code execution attacks. The updates apply to users running all supported versions of Windows (including Vista and Windows Server 2008) and most versions of Microsoft Office.

The critical MS08-069 bulletin should be treated with the utmost priority because of the risk of remote code execution attacks if a Windows user is simply tricked into browsing to a rigged Web page with Internet Explorer.

Details from the bulletin:

  • CVE-2007-0099: A remote code execution vulnerability exists in the way that Microsoft XML Core Services parses XML content. The vulnerability could allow remote code execution if a user browses a Web site that contains specially crafted content or opens specially crafted HTML e-mail. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • CVE-2008-4029: An information disclosure vulnerability exists in the way that Microsoft XML Core Services handles error checks for external document type definitions (DTDs). The vulnerability could allow information disclosure if a user browses a Web site that contains specially crafted content or opens specially crafted HTML e-mail. An attacker who successfully exploited this vulnerability could read data from a Web page in another domain in Internet Explorer. In all cases, however, an attacker would have no way to force users to visit these Web sites.
  • CVE-2008-4033: An information disclosure vulnerability exists in the way that Microsoft XML Core Services handles transfer-encoding headers. The vulnerability could allow information disclosure if a user browses a Web site that contains specially crafted content or opens specially crafted HTML e-mail. An attacker who successfully exploited this vulnerability could read data from a Web page in another domain in Internet Explorer.

The second update — MS08-068 — provides cover for a publicly disclosed vulnerability in Microsoft Server Message Block (SMB) Protocol. Exploit code for this flaw is currently available on the Internet.

  • CVE-2008-4037: A remote code execution vulnerability exists in the way that Microsoft Server Message Block (SMB) Protocol handles NTLM credentials when a user connects to an attacker’s SMB server. This vulnerability allows an attacker to replay the user’s credentials back to them and execute code in the context of the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
[Source: zdnet]

Why did Microsoft wait 7 years to fix SMBRelay attack flaw?

Micosoft takes 7 years to fix SMB Relay vulnerabilityOne of the code execution vulnerabilities fixed in this month’s Microsoft Patch Tuesday release dates back to 2001 when it was first disclosed by Cult of the Dead Cow hacker Sir Dystic (pictured left).

If that wasn’t cause for worry, get this: An exploit for the bug — in the way that Microsoft Server Message Block (SMB) Protocol handles NTLM credentials — has been part of the Metasploit hacking tool since July 2007.

So, why did it take Microsoft seven years to fix something that could lead to full system takeover?

Microsoft’s Christopher Budd explains:

When this issue was first raised back in 2001, we said that we could not make changes to address this issue without negatively impacting network-based applications. And to be clear, the impact would have been to render many (or nearly all) customers’ network-based applications then inoperable. For instance, an Outlook 2000 client wouldn’t have been able to communicate with an Exchange 2000 server. We did say that customers who were concerned about this issue could use SMB signing as an effective mitigation, but, the reality was that there were similar constraints that made it infeasible for customers to implement SMB signing.

[ SEE: Responsible disclosure, the Microsoft way ]

Sisk said the case was never closed and investigations continued over the years to determine if there was a way to fix the bug without requiring developers to completely rewrite applications.

Over the course of the past year, however, that ongoing work showed us a way to build on those incremental changes that we believed would enable us to make changes that address the issues outlined in the SMBRelay attack and also minimize the impact on network applications. If we were able to do that, we would be able to look at addressing this issue not in a new version of Windows but instead in a security update, provided it met the appropriate quality bar.

Our engineering teams spent a great deal of time testing this approach and found it was feasible. We then took that work and developed it into a security update, putting it through our standard testing to ensure it met an appropriate level of quality for broad release. What we released today with MS08-068 is that security update. It addresses the SMBRelay issue but does so in a way that doesn’t have the negative impact on applications that we originally believed addressing this issue would have.

[ SEE: Where on earth are these Microsoft patches? ]

Microsoft wasn’t alone discussing attack paths to this old vulnerability. In 2003, on the Full Disclosure mailing list, there’s evidence of public discussion of the issue and a note by Dave Aitel that it was already part of a previous DefCon presentation.

Microsoft has done an amazing job of improving its security response process but these time-to-patch hiccups continue to be a major source of worry. I’ve documented several times in the past when Microsoft failed to fix issues in a timely — and responsible — manner and these examples only highlight one of the company’s biggest security weakness.

Oh, by the way, there’s another outstanding issue collecting cobweb. This ‘token kidnapping’ issue was first discussed in March 2008 and, after a bit of hemming and hawing, confirmed in this Microsoft security advisory. Exploit code for this privilege escalation vulnerability was publicly released last month.

Microsoft knows all this.

We are still waiting on a patch.

[Source: zdnet]

BBC hit by a DDoS attack

BBC DDoS AttackThe British Broadcasting Corporation ( was hit by a DDoS attack on Thursday, according to a statement sent to the Inquirer :

“In a statement to the INQ, the BBC said the attack originated in a number of different countries but didn’t specify which. When the Beeb’s techies blocked international access to a limited subset of servers, it resulted in a marked improvement of the serving of Service supplier Siemens was forced to block addresses and prevent the attack using other methods like changing the DNS settings.”

The attack appears to have lasted for 1 hour and 15 minutes, which is the longest time the site has been offline during the entire 2008, was also confirmed by the distributed uptime monitoring company Pingdom earlier today :

“During the attack, the BBC website responded very slowly, and our monitoring shows that for a total of 1 hour and 15 minutes it did not respond at all. The downtime was spread over multiple short intervals, lasting just a few minutes each time. The attack lasted the entire evening. It started to have an effect after 5 p.m. CET and the performance was not back to normal until after 10 p.m. CET. Analyzing the response times of the website clearly shows the effect the DDoS attack had on the performance of the BBC website. The diagram below shows the hourly average load time of the HTML page (just the HTML page, without any images, external scripts, etc).”

Was the attack an act of hacktivism based on a particular article that somehow contradicted with the attackers’ perspective of the world? With the lack of specific details regarding the DDoS attack provided by the BBC, we may never know. One thing’s for sure - political DDoS attacks (Georgia President’s web site under DDoS attack from Russian hackers; Coordinated Russia vs Georgia cyber attack in progress) are going to get even more mainstream in 2009.

What are some of the driving factors contributing to this trend? The overall availability of malware infected hosts, which when once monetized ends up in DDoS for hire services whose prices for a large scale hourly attack are getting disturbingly affordable to anyone. The recently released “Worldwide Infrastructure Security Report” report by Arbor Networks also indicates that the DDoS attack rates exceed the ISP network’s growth, and have already reached the 40GB barrier. Ironically, the report also states that managed DDoS mitigation services are increasing, which is exactly what is happening on the DDoS for hire services front - they’re becoming ubiquitous as outsourcing DDoS attacks to experienced attackers directly messes up the entry barriers into a space that used to require experience, and an operational botnet a couple of years ago.

[Source: zdnet]

Profitability of spam finally measured

Researchers at UCSD have determined the return on investment for spam generated by the Storm botnet. While the per-message response rate is astonishingly low, it is sufficient for a spammer to generate a profit.

At this year’s ACM Conference on Computer and Communication Security, Stefan Savage, Vern Paxson and crew presented a paper that measures the conversion rate, or the rate at which an advertising impression results in a product sale, for spam. The team used somewhat aggressive tactics to collect their data; namely, they hijacked a portion of the Storm botnet to inject spam that contained links to domains and storefronts they controlled.

The team’s data and analysis has shown that that generating 28 sales, averaging around $100 each, of various “male-enhancement” products required 350 million separate spams. This provides a yearly revenue rate of the Storm botnet for the sale of pharmaceuticals of around $3.5 million dollars.

What I feel to be the most interesting result from the paper is the direct measurement of the quality of anti-spam technology broken down by geographic location. The countries with the spam lowest response rate include the UNited States and Japan. Both nations have some of the highest capital investment in anti-spam technologies. As of early 2008, the countries with the worst anti-spam technology appear to be India, Pakistan, and Bulgaria.

The researchers do state that the profit margins of the spammers appear to be sensitive to anti-spam techniques. I am left to wonder what would be the profitability of spam if everyone in the world used effective anti-spam software.

[Source: zdnet]

AVG and Rising signatures update detects Windows files as malware

AVG AntivirusYesterday, a signatures update pushed by AVG falsely labeled a critical Windows file as a banker malware, prompting the company to quickly fix the issue and issue a workaround, following end users complaints at its support forums.

AVG’s false positive causing downtime for Windows users is happening a week after Rising antivirus apologized to its customers for falsely detecting Outlook Express as malware leading to loss of emails, and yes, productivity too.

The impact of the false positive leads to a continuous reboot cycle :

“An update for the AVG virus scanner released yesterday contained an incorrect virus signature, which led it to think user32.dll contained the Trojan Horses PSW.Banker4.APSA or Generic9TBN. AVG then recommended deleting this file; this causes the affected systems to either stop booting or go into a continuous reboot cycle. So far, the problem only appears to affect Windows XP, but there is no guarantee that other versions of Windows don’t have the same issue.”

Rising AntivirusAVG’s brief response to the situation, with the workaround posted at AVG’s support section under the “False positive user32.dll” title :

“Unfortunately, the previous virus database might have detected the mentioned virus on legitimate files. We can confirm that it was a false alarm. We have immediately released a new virus update (270.9.0/1778) that removes the false positive detection on this file. Please update your AVG and check your files again.

We are sorry for the inconvenience and thank you for your help.

Best regards,
Zbynek Paulen
AVG Technical Support”

AVG and Rising aren’t an exception to previous cases where components of Microsoft’s Windows have been detected as false positives. In fact, in 2006 Microsoft’s Anti-Spyware was detecting a competing solution as a piece of malware :

Response time is crucial in such a situation, so the best thing the vendors can do is go public and provide assistance in fixing the problem.

[Source: zdnet]

Newsweek: Obama, McCain campaigns hacked by ‘foreign entity’

Obama, McCain campaigns hacked by ‘foreign entity’Newsweek is reporting that the computer systems of the campaigns of both Barack Obama and John McCain were compromised in a “sophisticated cyberattack” by an unknown “foreign entity.”

At Obama headquarters, what was originally believed to be a virus planted in a phishing attack turned out to something more ominous. After an investigation, the FBI and Secret Service issued a dire warning:

  • You have a problem way bigger than what you understand,” an agent told Obama’s team. “You have been compromised, and a serious amount of files have been loaded off your system.”

[ SEE: Obama looking for help thwarting Web site hackers ]
Newsweek reported that the FBI said the McCain campaign’s computer system had been similarly compromised.

  • Officials at the FBI and the White House told the Obama campaign that they believed a foreign entity or organization sought to gather information on the evolution of both camps’ policy positions—information that might be useful in negotiations with a future administration. The Feds assured the Obama team that it had not been hacked by its political opponents.

The FBI declined to comment for the Newsweek story.

[Source: zdnet]

Remote buffer overflow bug bites Linux Kernel

Remote buffer overflow flaw in Linux KernelA remote buffer overflow vulnerability in the Linux Kernel could be exploited by attackers to execute code or cripple affected systems, according to a Gentoo bug report that just became public.

The flaw could allow malicious hackers to launch arbitrary code with kernel-level privileges. This could lead to complete system compromise or, in some cases if an exploit fails, result in denial-of-service attacks.

This from the Gentoo bug report:

  • Anders Kaseorg discovered that ndiswrapper did not correctly handle long ESSIDs. If ndiswrapper is in use, a physically near-by attacker could generate specially crafted wireless network traffic and crash the system, leading to a denial of service.

Secunia rates this a “moderately critical” vulnerability:

  • The vulnerability is caused due to a boundary error in the ndiswrapper kernel driver when processing wireless network packets. This can be exploited to cause a buffer overflow via an overly long ESSID (Extended Service Set Identifier). Successful exploitation may allow execution of arbitrary code.

The vulnerability (CVE-2008-4395) affects Linux Kernel 2.6.27. As a temporary mitigation, Linux users should disable wireless network card that are not in use.

[Source: zdnet]

Google and T-Mobile push patch for Android security flaw

Google AndroidDuring the weekend, Google and T-Mobile pushed a patch fixing last week’s disclosed security flaw affecting Google’s Android. The flaw and the PoC were communicated to Google on October 20th, with the vulnerability itself made possible due to Android’s use of outdated third-party software packages.

“Users of the G1 Android phone on Friday have begun receiving a software update that fixes a flaw that security researchers found earlier in the week. The update included the fix to the browser vulnerability and a couple of other minor changes as well, said Michael Kirkland, a Google spokesman. Every user of the G1 may not have gotten the update yet but should within a short time frame, he said. Google worked with T-Mobile USA, the only operator selling the device, to push the update out to users. The G1 went on sale last week, and T-Mobile has not disclosed how many have sold so far.”

The same issue occurred back in March, when multiple vulnerabilities were reported in Google’s Android SDK, the exploitation of which was once again made possible due to the use of outdated open source image processing libraries. If there’s a pure Android security flaw that you’re looking for, try the outdated software packages running on it for starters — pretty similar situation to Microsoft’s recent emphasis on how the exploitation of third-party applications undermines their security.

[Source: zdnet]

MS08-067 worms squirming in the wild

MS08-067 worms squirming in the wildFirst came Microsoft’s emergency patch. Then the public release of reliable exploit code. Now, virus hunters are reporting two new in-the-wild worms exploiting the critical MS08-067 vulnerability.

The worms, intercepted on Chinese-language versions of Windows, are being used to install a Trojan downloader, a denial-of-service bot and a rootkit to maintain stealthy presence on infected machines.

[ SEE: MS ships emergency patch for Windows worm hole ]

The in-the-wild attacks are using portions of the proof-of-concept code that’s publicly available, according to a source tracking this new threat.

One of the two worms spotted is capable of conducting DDoS (distributed denial-of-service) attacks against several Chinese sites, including the two big search engines Google and Baidu. It also downloads the eMule peer-to-peer program and drops an erotic movie on the hijacked system.

Windows users that have applied the MS08-067 update are not vulnerable to these attacks. Patch now.

[Source: zdnet]

Heads up: Patch your Adobe Reader now

Critical vulnerability in Adobe Reader 8(See important update below for information on patching this vulnerability).

Heads up for Windows users: There’s a critical, remotely exploitable vulnerability in Adobe Acrobat/Reader version 8.

According to an advisory from Core Security, Adobe Reader suffers from a stack buffer overflow when parsing specially crafted (invalid) PDF files. The flaw could be exploited if a user is tricked into opening a rigged PDF file, the company warned.

From the alert:

  • The vulnerability is caused due to a boundary error when parsing format strings containing a floating point specifier in the “util.printf()” JavaScript function. Successful exploitation of the vulnerability requires that users open a maliciously crafted PDF file thereby allowing attackers to gain access to vulnerable systems and assume the privileges of a user running Acrobat Reader. Adobe Reader version 9, which was released in June 2008, is not vulnerable to the reported problem.
  • A specifically crafted PDF file that embeds JavaScript code to manipulate the program’s memory allocation pattern and trigger the vulnerability can allow an attacker to execute arbitrary code with the privileges of a user running the Adobe Reader application.

Vulnerable versions: Adobe Reader 8.1.2 and Adobe Acrobat 8.1.2.

If, for some reason, you can’t upgrade to the latest version, Core says a possible workaround for this vulnerability is to disable JavaScript in Adobe Reader and Acrobat (in the software’s Edit/Preferences menu). Disabling JavaScript will prevent the issue, although it will also prevent many basic Acrobat and Reader workflows from properly functioning.


An Adobe security bulletin regarding the vulnerabilities has been published. The product updates are available at: (Windows), (Mac), (Linux/Solaris).

Black market for zero day vulnerabilities still thriving

Ebay Excel Zero Day VulnerabilityOne would assume that popular sources for zero day vulnerabilities+Poc’s such as Full-Disclosure, Bugtraq or Milw0rm are the primary sources for obtaining responsibly or irresponsibly released flaws. They’d be wrong. The black market for zero day vulnerabilities and the concept of over-the-counter (OTC) trade of zero day flaws, has been gradually developing itself through the last couple of years.

Let’s take a brief retrospective of the black market for zero day vulnerabilities, and review a recently launched underground shop for zero day vulnerabilities, currently offering 15 zero day vulnerabilities affecting popular web applications in order to execute successful XSS or SQL injection attacks, with prices ranging from $10 to $300.

Zero Day Vulnerabilities SurveyBack in 2005, a bid for a zero day vulnerability affecting Microsoft’s Office Excel was posted on Ebay prompting mass media outbreak on the potential of rewarding security researchers for their research. It didn’t take long before a zero day vulnerabilities cash bubble started to form, with legitimate sellers and cybercriminals over hyping the seriousness of their discoveries. Around December, 2005, the first publicly disclosed case of underground market trade of zero day vulnerabilities took place when it became evident that the the infamous Windows Metafile vulnerability (WMF vulnerability) has been sold for $4,000 :

“It seems most likely that the vulnerability was detected by an unnamed person around 1st December 2005, give or take a few days. It took a few days for the exploit enabling random code to be executed on the victim machine to be developed. Around the middle of December, this exploit could be bought from a number of specialized sites. It seems that two or three competing hacker groups from Russian were selling this exploit for $4,000. Interestingly, the groups don’t seem to have understood the exact nature of the vulnerability. One of the purchasers of the exploit is involved in the criminal adware/ spyware business, and it seems likely that this was how the exploit became public.”

International Exploits ShopInterestingly, the authors of the then popular WebAttacker DIY web exploitation kit started conducting basic market research on the potential of this market, by featuring a survey asking their visits how much would they be willing to pay for a zero day vulnerability. The results out of 155 votes indicated that 40% of the potential buyers were willing to pay between $100 and $300, with 14.19% answering that they code their own zero day exploits and another 17% stating that they obtain them for free.

International Exploits ShopIt didn’t take long before the underground market model materialized in the face of the International Exploits Shop, among the first underground offerings of a web malware exploitation kit featuring a multitude of client-side vulnerabilities, next to two zero day flaws back in 2006. And whereas the shop quickly disappeared, the concept always remained there.

In times when legitimate online auctions for zero day vulnerabilities are admitting that the market model they’ve introduced is far ahead of its time, their underground alternatives are thriving. Launched in early IPB XSSAugust, this web based shop is the latest attempt to utilize a black market model for zero day vulnerabilities.

Here’s a translated introduction to the exploits shop :

“We present you the private exploits shop targeting PHP-applications (Content Management Systems, Guest books, forums, chat rooms, statistics and any other scripts). Our store will be constantly updated so you can expect to find the exploit you were looking for at any given time. If it doesn’t you will still be able to request such a vulnerability for a web application of your choice, and our team will provide with you the necessary PoC’s and tools to start using it. All exploits are written solely to our command, meaning you’re not going to find them anywhere else on the Internet.

Each exploit is accompanied by information on the approximate number of sites running the vulnerable application in Google, the language the exploit is written in, and price. We also have a forum where you can place an order, discuss, complain, express an opinion or ask a question about the exploit purchased. All exploits have a user-friendly Web interface, possibly in the future we’ll be releasing win32 console exploits. There are also technical support, patiently waiting for requests from users who have a problem using the exploit. We also conduct audits, security services, tests for entry (this service will be available by the end of August this year).

Watch our virtual merchandise, and if not today perhaps tomorrow you’ll find what you’re looking for.”

PHP Nuke SQL InjectionWhat’s particularly interesting about the service is the major shift towards exploitation of web applications in order to facilitate massive SQL injection attacks compared to previously known and analyzed services focusing exclusively on client-side vulnerabilities.

As always, you have a pure cybercrime market proposition pitched as a security service. The e-shop is not only offering proof of concept exploits to demonstrate the vulnerabilities, but also, easy to use web based applications for exploitation.

Moreover, this pseudo responsible positioning is flawed right from very beginning since the service administrators have done their homework and are also offering stats from basic search engines reconnaissance — Google dorks — so that potential buyers can easily measure the impact of the flaw that they’re purchasing. These very same vulnerabilities would later on be abused for blackhat search engine optimization, and injection of malicious scripts redirecting to live exploit serving URLS. Here’s their ethical pen-testing pitch :

“Our team is reviewing source code software and finding bugs in the programming, leading to critical consequences and employees of security systems. Thus, we are pleased to offer you the results of their analysis of popular (or little) systems. The results of our study are presented in the form of finished applications in languages php / perl, which aim - to demonstrate the vulnerability of the system to further assist in their neutralization. If you’re going to use our software for other purposes than penetration testing, the administration does not take responsibility for your actions.

We also take orders for individual study of your source code, security auditing of servers and sites (penetration tests). Orders for such services are taken at the forum, and the price purely individual and dealt with each customer individually (mainly depends on the number and type of vulnerabilities discovered, as well as the number of code).”

Which products are they targeting? Currently offered zero days affect multiple versions of the following web applications :

- All versions of PHP Fusion
- WHMCompleteSolution
- PHP Nuke
- PunBB
- Tiki Wiki
- BMForum
- Invision Power Board
- YaBB
- PunBB
- e170 Plugin Calendar
- vBulletin v3.6 + ICQ Mod
- vBulletin v3.6 + GVideo Mod
- vBulletin v3.6 + Youtube Mod
- vBulletin v3.6 + LJ Mod
- Zen Cart

VBulletin XSSThe most expensive is the $300 SQL injection flaw affecting all versions of PHP Fusion, which can be exploited on a large scale since there are over 2.5 million instances of it on the web, and even if the stats are conservative this hit list building approach through search engines reconnaissance has always been there, with the most recent proof of its usability were the massive SQL injections attacks.

Next to their current inventory, the service is also offering zero day vulnerabilities on demand charging the following prices :

“- Remotely upload shell - $120
- Remote file inclusion on request - $100
- Remote SQL injection - $70
- Passive and Active XSS for $10 and $40 respectively”

Punbb exploitThis overall shift from client-side vulnerabilities to web applications based ones is taking place due to the increasing demand for techniques allowing the easy hijacking of traffic from legitimate web sites, which is where these web application vulnerabilities fit in. Once they acquire the traffic by exploiting them, they would ultimately redirect it to malware and exploits serving domains taking advantage of outdated but unpatched on a large scale client-side vulnerabilities. It’s all a matter of perspective, and the people behind this particular e-shop for zero days are taking the pragmatic one by offering the right product for the right moment.

[Source: zdnet]

Happy 20th birthday, internet worm!

This weekend marks the 20th anniversary of the Internet Worm, the first major worm that propagated on the Internet. Even though many years have passed and underlying media has changed, worms are still able to wreak havoc and keep system administrators up at night. Today the damage done by worms is far less visible and far less newsworthy but far more difficult to repair than in the past.

On November 2nd, 1988, Robert Tappan Morris launched an application ostensibly designed to count the number of systems on the Internet. It was designed to propagate across Unix systems by exploiting several vulnerabilities, including a conceptual flaw in how r-services (rlogin, rsh, and rexec) authenticate connections, the archaic remote debug feature in Sendmail, and a buffer overflow in the finger daemon. Due to a flaw in it’s design, the Worm attempted far more propagation attempts than were necessary, causing targeted machines to slow dramatically from resource starvation. Long story short, the then Mr. Morris was caught, found guilty, and sentenced to probation and community service.

Many years of highly visible worms followed. Who could forget such classic hits as Melissa and I Love You, viruses that attacked software that is standard on Windows PCs, as well as Code Red and SQL Slammer for their Windows Server brethren. These worms were created just for the sole fact that they could be created. Their existence served no purpose but to exist. The damage done by the load they created on networks and systems made headlines not just on technical forums but in real newspapers.

Today’s worms, however, feel no need to make themselves known, and their authors don’t want to be visible. The authors want the worms to do one thing only, and that is make money. Modern worm authors will use any underlying transport mechanism that is available, eschewing operating system and programming language religious barriers maintained by more orthodox hackers. They propagate using systems like Facebook messages for lures, redirecting users through legitimate sites such as Google until finally they reach a piece of malware that claims to be a video, with the final goal being the infection of another desktop and restarting the infection process again. Even when the messages have been cleaned up from the servers, tens of thousands of desktop systems are left compromised and transmitting keystroke logs and credit card numbers captured from the unsuspecting user.

Two decades ago, we experienced a rare contagion that left us with thousands of servers compromised and experienced system administrators burning overtime to remediate the situation in what became a historical event. Today, we see frequent contagions that leave us with millions of compromised desktops and home users who are completely unprepared to fix the situation, costing us a fortune in losses due to electronic financial fraud, and it happens so frequently that it is no longer newsworthy. As a result, the average user feels safer because the headlines have gone away without realizing they are in far worse shape from a financial risk perspective than before.

One last topic I want to mention. The criminal justice system could have thrown the book at Robert Tappan Morris 20 years ago, and it chose not to. Mr. Morris went on to become Dr. Morris, Professor at MIT and co-founder of Y-Combinator, a venture incubator that helps ignite promising startups. While not all individuals who come before the courts have the capacity to achieve that level of success, it would be wrong to think that every teenager and college student who ends up in Mr. Morris’s situation is irredeemable and should not be allowed to contribute to society. Who knows what the future may hold for both the individual and technology at large once these kids are directed a better path.

[Source: zdnet]

Phishers apply quality assurance, start validating credit card numbers

Phishing gameWith the exact number of end users interacting with phishing emails by submitting bogus data still unknown, phishers are on the other hand continuing to apply basic quality assurance processes ensuring that they will be collecting only validated credit card details, and limiting the opportunity for researchers and end users to poison their campaigns.

For instance, a recent blog post at Symantec’s Security Response blog analyzes a phishing page where the fraudster is applying credit card validation checks before accepting anything, an approach that in times when phishers are attempting to scam other phishers, can easily turn into a commodity feature for phishing pages in general — even the backdoored ones.

“Fraudsters are aware of these techniques and are continuously trying to optimize their attacks and thus their profits. As a proof of concept, shown below is a piece of PHP code revealed from a phishing attack that is intended to check the validity of the credit card number provided by the user according to card number conventions. After performing this check, the fraudster tries validating the card number by using the Luhn algorithm (figure 2). If both conditions are met (the card number appears to be correct and the Luhn algorithm is verified) the information is delivered to the drop box. This approach makes the Random Data Dilution strategy described above useless, because invalid data won’t be accepted. The piece of code in figure 3 (below) shows one of these tricks, which checks to see if the credentials provided by the user are indeed valid. It has been implemented by submitting the credentials to the original website and then identifying specific patterns in the response page in order to verify their validity.”

The phishers in this particular case are capable of achieving the validation by forwarding the submitted data to the original site, potentially exposing their campaigns in the process, if only was the targeted company properly monitoring where traffic is coming from. Phishers tend to switch tactics or introduce new ones on a quarterly basis, and with EstDomains about to face the music, yesterday Sophos already started detecting phishing campaigns targeting exclusively domain registrants by impersonating eNom and Network Solutions. Despite the potential for abuse of legitimate domains once the domain portfolio owner falls victim into the phishing scam, data mining malware infected hosts for domain registrant’s accounting data seems to be the tactic of choice on a large scale, at least for the time being.

Poisoning a phishing campaign by submitting bogus data or personal messages to the phisher isn’t the way. If you truly want to express your feelings about a phisher - report their campaigns.

Image courtesy of the Anti-Phishing Phil.

[Source: zdnet]