Mac malware will become endemic amongst high-risk groups

Two Mac trojan outbreaks were spotted in the past week leaving several people, including myself, to wonder if the tipping point for the Mac malware epidemic has arrived. Frankly, I don’t know, but I tend not to think so. I do think, however, that Mac malware will now become endemic amongst the high-risk groups such as file-swappers.

This past week a trojan claiming to be the latest iWork release was spotted on file sharing networks. Shortly thereafter, a similar trojan was sighted masquerading as a crack for Photoshop CS4. Both events are making some people question whether the Mac’s long tenure as a malware-free system is coming to a close, and whether it is time to face facts and install AV software.

The short answer is that if you are a relatively well-behaved computer user, probably not. These events do not make Mac malware endemic amongst the general population. The trojans of the past week are not self-propagating beyond the high-risk population, namely file swappers, and are relatively easy to find, analyze, and remediate. This is in stark contrast to PC users who have been hit with the Downadup/Conficker worm, which propagates via three orthogonal vectors, including one remote exploit, and actively prevents you from visiting websites that contain remediation tools.

I do think the relative halcyon days of malware-free Macs are coming to an end. Anyone who is currently infected by the new malware will remain infected without direct human interaction due to the lack of any automatic mechanism for the identification and removal of malware. That means there is a non-zero population of Mac users who are now compromised and will remain compromised unless they either clean their machine or they buy a new system. Sounds familiar, right?

The question I want answered is whether or not the monetization rate of compromised Macs is sufficient for the malware authors to continue to pursue the platform. If not, these events will be a blip on the radar; otherwise, Mac owners better keep their Time Machine backups up to date.

[Source: zdnet]

Google Video search results poisoned to serve malware

From the real-time syndication of hot Google Trends keywords, maintaining AdWords campaigns, to the plain simple blackhat search engine optimization tactics, cybercriminals are constantly looking for new ways to acquire traffic by enjoying the clean reputation of each and every Web 2.0 property. From LinkedIn, Bebo, Picasa and ImageShack, to Twitter, everyone’s targeted efficiently using automated account registration tools.

During the last couple of days, a single group involved in a countless number of blackhat SEO campaigns across the Web, started massively targeting Google Video with a campaign that has already managed to hijack approximately 400,000 search queries in order to trick users into visiting a bogus and malware serving (W32/AutoTDSS.BNA!worm) adult web site.

Here’s how the campaign works, and how they’re attempting to cloak it from the eyes of security researchers.

What’s particularly interesting about this campaign relying entirely on Google Video traffic to flourish, is that instead of sticking to the adult content in their keywords inventory, the cybercriminals have been in fact syndicating legitimate YouTube video titles from a variety of topics. Therefore, the number of legitimate videos used is proportional to the comprehensiveness of the campaign, in this case, over 400,000 search queries, a number that is increasing in real-time since they keep having their bogus content crawled by Google Video.

Moreover, based on the fact that they maintain a portfolio of 21 publisher domains with bogus and non-existent video content currently crawled, a simple tactic that they’re using could entirely hijack a search query at Google Video. How come? By simply duplicating the content on their publisher domains, the top 5 search results for a particular video can be easily served from any of the 21 publisher domains, making it look like different sites have the same content.

The search engine results poisoning works as follows. Upon clicking, a Google Video user coming across to any content from any of their 21 publisher domains, is taken to a single redirection point (porncowboys .net/continue.php), then to the well known adult site template abused by cybercriminals (xfucked .org/video.php?genre=babes&id=7375), where the user is told that “Your Flash Version is too old. Your browser cannot play this file. Click “OK” to download and install update for Flash Video Player” and the malware is served if he’s tricked into it (trackgame .net/download/FlashPlayer.v3.181.exe).

The cybercriminals are also taking advantage of a well known evasive technique, HTTP referer checking, or “cloaked maliciousness”. For instance, the malware redirection to the fake Flash player is only served if the potential victim is coming from Google Video. If a researcher is simply browsing around the content of their sites, the legitimate YouTube videos are legitimately syndicated. This case aside, it’s worth pointing out that on the majority of occasions cybercriminals do not fully take advantage of the evasive features available within the traffic management kits they use behind their campaigns, which makes the campaigns easier to analyze.

Google’s Security Team has been notified and action is expected to be taken anytime now.

[Source: zdnet]

Malware-infected WinRAR distributed through Google AdWords

Scammers are at it again, taking advantage of Google sponsored ads to acquire traffic and redirect it to malware-infected copies of legitimate software. win.rar GmbH is warning users of an ongoing fraudulent AdWords campaign pushing a malware-infected copy of WinRAR, the popular archiving application. Given the basic fact that both legitimate and malicious users can purchase their visibility, the fake WinRAR release is only the tip of the iceberg.

Let’s take a peek at the campaign impersonating WinRAR (impersonation is a form of flattery), and then discuss a separate campaign, managed by a Zango adware affiliate, promising free copies of WinRAR and WinZip, both of which are in general available for free anyway.

Upon searching for WinRAR, the bogus ad appears at the top of the search results, with the actual fake site located at dreamcentury .cn/winrar.htm. Upon execution, the fake WinRAR lays the foundation for the second part of the scam, since affected users are periodically redirected to rogue security software sites urging them to take action and disinfect themselves.

WinRAR is also impersonated, next to WinZip, in another currently active AdWords campaign, this one operated by an affiliate of Zango, a well known adware vendor. Zango’s campaign is naturally not delivering any copies of WinRAR or WinZip; instead it pushes a copy of their toolbar by means of fraudulent practices.

The participants in Zango’s affiliate network and in the rogue security software one generate revenue based on the number of installations, with the affiliate model’s high payout rates as the main incentive for introducing new tactics. And whereas Google’s AdWords seems to be part of their ad budget in this particular case, sponsored ads are only part of the (fraudulent) marketing mix, with blackhat search engine optimization tactics remaining the traffic acquisition tactic of choice.

[Source: zdnet]

US-CERT warning: Windows does not disable AutoRun properly

The U.S. Computer Emergency Readiness Team (US-CERT) has issued a technical cyber-security alert to warn that Microsoft’s guidelines for disabling AutoRun in the Windows operating system “are not fully effective” and argues that this “could be considered a vulnerability.”

The U.S. CERT warning comes on the heels of live malware/worm attacks that take advantage of the Windows AutoRun and AutoPlay features to improve propagation.

Here’s the skinny on Microsoft’s hiccup:

  • The Autorun and NoDriveTypeAutorun registry values are both ineffective for fully disabling AutoRun capabilities on Microsoft Windows systems. Setting the Autorun registry value to 0 will not prevent newly connected devices from automatically running code specified in the Autorun.inf file. It will, however, disable Media Change Notification (MCN) messages, which may prevent Windows from detecting when a CD or DVD is changed. According to Microsoft, setting the NoDriveTypeAutorun registry value to 0xFF “disables Autoplay on all types of drives.” Even with this value set, Windows may execute arbitrary code when the user clicks the icon for the device in Windows Explorer.

This means that malware authors can place an Autorun.inf file on a device to automatically execute arbitrary code when the device is connected to a Windows system. Code execution may also take place when the user attempts to browse to the software location with Windows Explorer, US-CERT warned.

The alert includes instructions for editing the registry to properly disable AutoRun in Microsoft Windows.

UPDATE: Microsoft sent me an e-mail to point out that its KB953252 document, published in May 2008, describes how to correct the problem of NoDriveTypeAutoRun registry value enforcement. This prompted an update on the US-CERT notice:

After the update is installed, Windows will obey the NoDriveTypeAutorun registry value. Note that this fix has been released via Microsoft Update to Windows Vista and Server 2008 systems as part of the MS08-038 Security Bulletin. Windows 2000, XP, and Server 2003 users must install the update manually. Our testing has shown that installing this update and setting the NoDriveTypeAutoRun registry value to 0xFF will disable AutoRun.
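To turn the registry advice above into something checkable, here is an added example (not code from the article or from US-CERT) that decodes a NoDriveTypeAutoRun mask and flags the gaps the alert describes. The Autorun.inf IniFileMapping entry it checks is the registry workaround from the US-CERT alert, which the article refers to but does not quote; treating it as an offline proxy for "KB953252/MS08-038 is in place" is this example's assumption.

```python
"""Audit of the AutoRun registry settings described in the US-CERT alert.

Added example; this is not code from the article or from US-CERT. The key
and value names are the documented Windows ones. The Autorun.inf
IniFileMapping entry is the workaround from the US-CERT alert, assumed here
to be a reasonable offline proxy for "KB953252/MS08-038 is in place".
"""
import sys

# NoDriveTypeAutoRun is a bitmask: bit n set = AutoRun disabled for the
# drive class that GetDriveType() reports as n.
DRIVE_TYPE_BITS = [
    (0x01, "unknown"),
    (0x02, "no root directory"),
    (0x04, "removable"),        # USB sticks, the Conficker/Downadup vector
    (0x08, "fixed"),
    (0x10, "network"),
    (0x20, "CD-ROM/DVD"),
    (0x40, "RAM disk"),
    (0x80, "reserved"),
]
ALL_DRIVE_TYPES = 0xFF          # the value the alert says to set

POLICY_SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
CDROM_SUBKEY = r"SYSTEM\CurrentControlSet\Services\Cdrom"
INI_MAPPING_SUBKEY = (r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                      r"\IniFileMapping\Autorun.inf")
INI_MAPPING_EXPECTED = "@SYS:DoesNotExist"


def drives_still_enabled(no_drive_type_autorun):
    """Drive classes for which this mask leaves AutoRun enabled."""
    return [name for bit, name in DRIVE_TYPE_BITS
            if not (no_drive_type_autorun & bit)]


def assess(settings):
    """Findings for a dict of the three relevant values (None = absent):
    NoDriveTypeAutoRun (Policies\\Explorer), Autorun (Services\\Cdrom) and
    IniFileMapping (default value of the Autorun.inf mapping key)."""
    findings = []
    mask = settings.get("NoDriveTypeAutoRun")
    if mask is None:
        findings.append("NoDriveTypeAutoRun not set; the Windows built-in "
                        "default applies, which is not 0xFF")
    elif (mask & ALL_DRIVE_TYPES) != ALL_DRIVE_TYPES:
        findings.append("NoDriveTypeAutoRun=0x%02X still allows AutoRun on: %s"
                        % (mask, ", ".join(drives_still_enabled(mask))))
    if settings.get("Autorun") == 0:
        # Per the alert: Autorun=0 only suppresses Media Change Notification.
        findings.append("Cdrom\\Autorun=0 set: disables MCN messages but does "
                        "not stop Autorun.inf execution")
    if settings.get("IniFileMapping") != INI_MAPPING_EXPECTED:
        findings.append("Autorun.inf IniFileMapping workaround absent: "
                        "NoDriveTypeAutoRun is only honoured once "
                        "KB953252/MS08-038 or this workaround is in place")
    return findings


def is_hardened(settings):
    """True only when 0xFF is set and the workaround is present."""
    return (settings.get("NoDriveTypeAutoRun") == ALL_DRIVE_TYPES
            and settings.get("IniFileMapping") == INI_MAPPING_EXPECTED)


def read_windows_settings():
    """Read the live machine-wide values; returns None when not on Windows."""
    if sys.platform != "win32":
        return None
    import winreg

    def read(subkey, value_name):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                return winreg.QueryValueEx(key, value_name)[0]
        except OSError:
            return None

    return {
        "NoDriveTypeAutoRun": read(POLICY_SUBKEY, "NoDriveTypeAutoRun"),
        "Autorun": read(CDROM_SUBKEY, "Autorun"),
        "IniFileMapping": read(INI_MAPPING_SUBKEY, ""),  # "" = default value
    }


if __name__ == "__main__":
    live = read_windows_settings()
    if live is None:
        # Constructed sample for non-Windows hosts: a policy that disables
        # AutoRun on CD-ROMs but not on USB sticks, and no workaround.
        live = {"NoDriveTypeAutoRun": 0xB1, "Autorun": None,
                "IniFileMapping": None}
    for line in assess(live) or ["AutoRun fully disabled"]:
        print(line)
```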

[Source: zdnet]

Apple QuickTime bitten by code execution flaws

Apple today released QuickTime 7.6 to fix at least seven serious security flaws that expose Mac OS X and Windows users to remote code execution attacks.

The latest upgrade, available for Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista and Windows XP SP2 and SP3, covers vulnerabilities that could be exploited via malicious URLs or booby-trapped movie or audio files.

Here’s the skinny:

  • CVE-2009-0001 — A heap buffer overflow exists in QuickTime’s handling of RTSP URLs. Accessing a maliciously crafted RTSP URL may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2009-0002 — A heap buffer overflow exists in QuickTime’s handling of THKD atoms in QTVR (QuickTime Virtual Reality) movie files. Viewing a maliciously crafted QTVR file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.
  • CVE-2009-0003 — A heap buffer overflow may occur while processing an AVI movie file. Opening a maliciously crafted AVI movie file may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2009-0004 — A buffer overflow exists in the handling of MPEG-2 video files with MP3 audio content. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2009-0005 — A memory corruption exists in QuickTime’s handling of H.263 encoded movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2009-0006 — A signedness issue exists in QuickTime’s handling of Cinepak encoded movie files, which may result in a heap buffer overflow. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2009-0007 — A heap buffer overflow exists in QuickTime’s handling of jpeg atoms in QuickTime movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution.

The patch is available via the software update utility on Mac OS X and the automatic-updating tool for Windows XP and Vista. Additionally, QuickTime 7.6 may be obtained from the QuickTime Downloads site.

UPDATE: Apple issued a separate advisory for an input validation issue in the QuickTime MPEG-2 Playback Component for Windows:

  • CVE-2009-0008 (available for Windows Vista, XP SP2 and SP3): Accessing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of MPEG-2 files. This issue does not affect systems running Mac OS X.

[Source: zdnet]

New mobile malware silently transfers account credit

Kaspersky Lab today warned users of five newly found variants of the Trojan-SMS.Python.Flocker mobile malware, targeting an Indonesian mobile provider’s service that allows users to transfer money or minutes to each other’s accounts. SMS Python Flocker is a known mobile malware family, whose previous versions automatically sent SMS messages from the infected mobile device to premium-rate numbers operated by the malware authors.

Once infected with the latest variant, the malware would transfer credit from the infected device by silently SMS-ing the provider’s credit transfer service with the desired amount of credit.

Such mobile credit transfer services are used internationally; however, in the long term mobile malware authors will keep looking for ways to steal hard cash rather than settle for simple cash/account credit transfers. Since the first releases of RedBrowser in 2006, which silently sent SMS messages to premium-rate numbers, mobile malware authors have been looking for ways to monetize infected devices. What has changed since then is the growth of mobile payments/m-payments and mobile wallets, whose popularity proportionally empowers potential mobile malware authors with all the purchasing power an infected device has.

For the time being, one of the main reasons why we still haven’t witnessed an epidemic of mobile malware is, sadly, that cybercriminals are making enough profit even without exploiting the fact that there are more people with mobile devices than people with personal computers around the world.

[Source: zdnet]

Mac OS X Malware found in pirated Apple iWork 09

Researchers at Intego have intercepted a Mac OS X malware threat circulating in pirated copies of Apple’s iWork 09 software.

The malicious file, dubbed OSX.Trojan.iServices.A, was found on BitTorrent trackers and other sites containing links to pirated software. The booby-trapped version of the iWork 09 productivity suite is complete and functional, but the installer contains an additional package called iWorkServices.pkg, Intego said.

From the advisory:

When installing iWork 09, the iWorkServices package is installed. The installer for the Trojan horse is launched as soon as a user begins the installation of iWork, following the installer’s request of an administrator password (in older versions of Mac OS X, 10.5.1 or earlier, there will be no password request). This software is installed as a startup item (in /System/Library/StartupItems/iWorkServices, a location reserved normally for Apple startup items), where it has read-write-execute permissions for root. The malicious software connects to a remote server over the Internet; this means that a malicious user will be alerted that this Trojan horse is installed on different Macs, and will have the ability to connect to them and perform various actions remotely. The Trojan horse may also download additional components to an infected Mac.

The company said at least 20,000 Mac users have already downloaded the rigged installer.

The risk of infection is serious, and users may face extremely serious consequences if their Macs are accessible to malicious users.

Although malware attacks on the Mac operating system have been limited, they do exist, especially on the DNS-changing front. Mac OS X users are urged to avoid downloading and installing software from untrusted sources or questionable Web sites.

[Source: zdnet]

GPU-Accelerated Wi-Fi password cracking goes mainstream

No weak password can survive a GPU-accelerated password recovery attack. Elcomsoft’s Wireless Security Auditor, released last week, promises to shorten the time it takes a network administrator to pen-test the strength of the WPA/WPA2-PSK passwords used on the wireless network. Its core functionality, shortening wireless password recovery time by up to a hundred times depending on the GPU used, is naturally going to empower unethical wardrivers with the ability to easily guess 8 character passwords, which are no longer considered secure.

What’s particularly interesting about the Wireless Security Auditor is that it attempts to accomplish the password recovery in an offline/stealth mode, instead of the noisy approach of directly brute forcing the router:

“Elcomsoft Wireless Security Auditor works completely in off-line, undetectable by the Wi-Fi network being probed, by analyzing a dump of network communications in order to attempt to retrieve the original WPA/WPA2-PSK passwords in plain text. Elcomsoft Wireless Security Auditor requires a valid log of wireless communications in standard tcpdump format. The tcpdump format is supported by all commercial Wi-Fi sniffers. In order to audit your wireless network, at least one handshake packet must be present in the tcpdump file.”

Meanwhile, pen-testing companies have once again urged IT managers and end users to go beyond the 8 character password strength myth, and to anticipate the risks posed by the increasingly efficient password recovery solutions hitting the market:

David Hobson said: “It’s a wake-up call to IT managers, pure and simple. IT managers should now move to 12 and even 16 character keys as a matter of urgency. It’s not very user-friendly, but the potential consequences of staying with eight character keys do not bear thinking about.”

As previously discussed, best-practice wake-up calls remain largely ignored, prompting radical solutions in countries like India, which recently announced that a wardriving police unit will be locating insecure wireless networks and notifying the owners in order to “prevent the commission of a cognizable offense”.
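To make the 8 versus 12 or 16 character argument concrete, here is an added example (not code from the article or from Elcomsoft) that derives a WPA/WPA2-PSK key the way the standard does, which is the per-guess cost an offline audit tool pays, and turns an assumed guess rate into exhaustive-search times. The guess rates are constructed assumptions; only the hundred-fold GPU factor comes from the article.

```python
"""Why passphrase length matters more than the cracker's GPU.

Added example; not code from the article or from Elcomsoft. It derives a
WPA/WPA2-PSK Pairwise Master Key as IEEE 802.11i specifies (PBKDF2-HMAC-SHA1,
4096 iterations, SSID as salt), which is exactly the work an offline audit
tool repeats once per candidate passphrase, then estimates exhaustive-search
time for 8, 12 and 16 character passphrases. Guess rates are constructed.
"""
import hashlib

PBKDF2_ITERATIONS = 4096      # fixed by the standard
PMK_LENGTH = 32               # bytes
SECONDS_PER_YEAR = 365.25 * 24 * 3600

CHARSETS = {"lowercase": 26, "alphanumeric": 62, "printable ASCII": 95}


def derive_pmk(passphrase, ssid):
    """PMK as the access point and client compute it from the passphrase.

    Whoever holds one captured 4-way handshake can verify a guess offline by
    deriving this PMK and checking the handshake's MIC, so the network never
    sees the attempt; this is the "at least one handshake" requirement quoted
    in the article.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"),
                               PBKDF2_ITERATIONS, PMK_LENGTH)


def keyspace(length, charset_size):
    """Number of passphrases of exactly this length over this alphabet."""
    return charset_size ** length


def years_to_exhaust(length, charset_size, guesses_per_second):
    """Worst-case time to try every passphrase of this length and alphabet."""
    return keyspace(length, charset_size) / guesses_per_second / SECONDS_PER_YEAR


def min_length_for(years, charset_size, guesses_per_second):
    """Smallest length whose full keyspace takes at least `years` to exhaust."""
    budget = years * SECONDS_PER_YEAR * guesses_per_second
    length = 1
    while keyspace(length, charset_size) < budget:
        length += 1
    return length


def audit_table(cpu_rate, gpu_speedup=100):
    """Rows of (charset, length, years on CPU, years on GPU)."""
    rows = []
    for name, size in CHARSETS.items():
        for length in (8, 12, 16):
            cpu_years = years_to_exhaust(length, size, cpu_rate)
            rows.append((name, length, cpu_years, cpu_years / gpu_speedup))
    return rows


if __name__ == "__main__":
    # Constructed: 1,000 PBKDF2 guesses/s on a CPU and 100x that on a GPU,
    # matching the "up to a hundred times" speed-up the article mentions.
    CPU_RATE = 1_000
    print("PMK for the 802.11i test vector (password / IEEE):",
          derive_pmk("password", "IEEE").hex())
    for name, length, cpu_years, gpu_years in audit_table(CPU_RATE):
        print(f"{name:16} {length:2} chars: {cpu_years:10.3g} y CPU, "
              f"{gpu_years:10.3g} y GPU")
    for name, size in CHARSETS.items():
        print(f"{name}: at least {min_length_for(100, size, CPU_RATE * 100)} "
              f"chars to survive 100 years of GPU search")
```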

[Source: zdnet]

Legal concerns stop researchers from disrupting the Storm Worm botnet

What if security researchers were able to disrupt the leftovers of the Storm Worm botnet thanks to a flaw in its communication model allowing them to redirect infected hosts and eventually disinfect them, but had their hands tied by the fear of legal action?

At the 25th Chaos Communication Congress, which took place in December, 2008, German researchers Georg Wicherski, Tillmann Werner, Felix Leder and Mark Schlösser held a presentation (Stormfucker: Owning the Storm Botnet) demonstrating their idea. The apparently working concept has a single flaw: it operates in exactly the same fashion as a botnet master issuing updated malware binaries to the infected hosts, thereby violating computer abuse laws internationally.

What follows is a Q&A with the researchers, offering insights on the potential for distributed disinfection and on Storm Worm in general.

Q: How did you come up with the Stormfucker idea in the first place, and could you provide us with more details on the lack of server authentication, when communicating with the infected clients, that the Storm Worm botnet is vulnerable to?

Georg: At the 24c3 congress at the end of 2007, Thorsten Holz gave a presentation on disrupting Zhelatin’s command and control infrastructure, involving a /16 network, or 65536 nodes in other terms. This seemed unfeasible to us and motivated us to do better; we started analyzing Zhelatin binaries and eventually found out that NAT’ed nodes don’t require any authentication to be commanded at all.

They simply use a four-byte XOR challenge response for distinguishing between real command nodes and maybe accidentally connected nodes, and that is it; as long as you implement the server protocol properly, you can command these nodes. Later it was brought to our attention that the small minority of non-NAT’ed nodes checks for a 64-bit RSA signature, which is obviously trivial to crack.

Q: So basically, Stormfucker is capable of issuing potential disinfection commands to infected hosts, meaning the botnet could be a thing of the past? What are the legal implications of saving the infected users from themselves here?

Georg: Stormfucker is able to send an update to a storm node that will then download an executable from a Stormfucker provided host and execute it. This executable would then be a Stormfucker executable that disinfects the computer and also aids in propagation of the update commands. Obviously, issuing a command to download and execute a file without the users’ consent is against the law in many countries, let alone the then carried out further propagation of this command to other users.

Q: The industry and the general public have never been comfortable with the idea of “white worms” or “ethical worms”, and perhaps with reason. Is this distributed disinfection method any different? Moreover, since there’s never been a shortage of pragmatic solutions to a problem that’s the main vehicle driving the cybercrime ecosystem, what would be the best way to put these pragmatic capabilities into action?

Georg: It is exactly like a white worm, the Stormfucker executable spreads from host-to-host in a distributed setup, however only targeting Zhelatin nodes — other nodes will not see any extra traffic. Luckily some law enforcement agencies in some countries see the need to put an end to such menaces as Zhelatin and other botnets, maybe some of these people will push the button with proper legislation in the future. Rumor has it that it has happened in isolated cases before.

Q: What are your thoughts of a potential (free) opt-in service, where for instance, end users can request to be at least notified that they are part of Storm Worm’s botnet or any other botnet in particular?

Georg: People who are so ignorant to execute an email attachment from an untrusted source would never sign up for such a service. A much better solution is taken by a local German ISP, NetCologne: they are allowed by their AUP to cut off users that are identified to be infected with malware and they have a Nepenthes based system to find such users. Being cut off from the Internet makes these ignorant people clean their computers pretty fast, so that they can browse the tubes again. Other ISPs should come up with similar solutions!

Q: Storm Worm’s copycat Waledac (from the same malware gang behind Storm) is currently spreading in the wild. Would the same tactic work against it, for instance, and how is Waledac’s communication model any different from Storm Worm’s original one?

Tillmann Werner: From the code perspective, Waledac isn’t Storm’s copycat, it’s totally different, besides the fact that it also uses a p2p infrastructure. For instance, it communicates via encrypted XML messages over HTTP, thus it’s immune to the Sybil attack. It does provide fast-flux DNS services similar to Storm, but we would expect that from every serious malware these days, right? Some people think that there is the same group behind Storm and Waledac. Maybe, maybe not - who wants to know?

Felix Leder: Waledac is pretty new and the C&C structure not researched in-depth, yet. We are on it and may find something interesting. Currently we can only say that it is using “state-of-the-art” cryptography, which complicates things a bit but doesn’t make it invulnerable. Instead of P2P, Waledac uses Fast-Flux networks. It is definitely possible to place controlled nodes in those networks. Whether those nodes can issue commands has to be investigated. So in short: The same tactics may work, but some more research has to be done.

The inside of Waledac is a lot different from Storm and similarities are hardly there. It is definitely a complete rewrite. The similarities (we have seen so far) are the use of open-source libraries in the malware, nodes that speak both storm and Waledac, and decentralized communication.

[Source: zdnet]

GoDaddy hit by a DDoS attack

Go Daddy, domain name registrar and web hosting provider, was hit by a DDoS attack on Wednesday, affecting thousands of its shared hosting customers for several hours. GoDaddy’s Communications Manager Nick Fuller confirmed the attack, originally speculated to be an “outage”, and responded to several questions about it.

Q: Was Wednesday’s “outage” an actual DDoS attack, and if so, how severe was it?

A: Wednesday, Go Daddy experienced a mutating type of DDOS attack.

Q: Could you provide us with more details on the DDoS attack itself? Was it aimed at disrupting GoDaddy’s entire infrastructure (email, DNS servers), or was it basically attacking GoDaddy’s webserver?

A: This attack was aimed at hosting servers.

Q: For how long was GoDaddy unreachable on Wednesday, and could you provide us with a rough estimate of the number of affected sites?

A: There was an intermittent service disruption to a small percentage of our hosting customers over a period of hours.

Q: This isn’t the first time that GoDaddy’s been hit with a DDoS attack. Do you attribute this pattern to GoDaddy’s popularity, in the sense that unethical competition might be behind the attacks, or perhaps you have a different perspective on who attacked the company and why?

A: It’s our policy not to elaborate on any cyber attack. As you can appreciate, we don’t want to give attackers any information that could benefit them.

This isn’t the first time that GoDaddy is getting DDoS-ed. Similar attacks took place in 2005, and then again in 2007.

[Source: zdnet]

Phishing without bait: The in-session password theft attack

Skilled identity thieves can pilfer user names, passwords and other sensitive data for banking sites without using e-mail lures and other social engineering tactics.

According to a security advisory from Trusteer, hackers can launch what is described as “in-session phishing attacks” using pop-up messages during an active browser session. Although the attack technique is somewhat sophisticated (it requires that a base Web site is compromised, and the attacker must know which Web site the victim is currently logged into), in-session phishing can be highly effective because the average end user is likely to enter credentials without a second thought.

Here’s how it works:

  1. A user logs onto their online banking application. Leaving this browser window open, the user then navigates to other Web sites.
  2. A short time later a pop-up box appears, allegedly from the banking website, requesting the user re-type their username and password because the session has expired, or complete a customer satisfaction survey, or participate in a promotion, etc.
  3. Since the user had recently logged onto the banking website, he/she will likely not suspect this pop-up is fraudulent and thus provide the requested details.

To mount a successful in-session phishing attack, a base Web site must be compromised (check!), and the malware injected into the hijacked Web site must be able to identify the site the user is logged into (not trivial, but very possible).

Trusteer has issued a research paper (.pdf) that calls attention to a vulnerability in the JavaScript engine of all leading browsers — Internet Explorer, Firefox, Safari, and Chrome — which allows a Web site to check whether a user is currently logged onto another website.

The source of the vulnerability is a specific JavaScript function. When this function is called it leaves a temporary footprint on the computer and any other website can identify this footprint. Websites that use this function in a certain way are traceable. Many websites, including financial institutions, online retailers, social networking websites, gaming, and gambling websites use this function and can be traced.

It explains that a compromised website programmed by a skilled attacker only needs to maintain a list of sites it wants to check.

There is no limit to the number of URLs that a compromised website can check for logged on users. It simply asks the browser a simple question: “is the user currently logged onto this specific website?” and the browser will answer “yes” or “no”. Once the compromised website identifies a website to which the user is logged on, it can inject a pop up message in the browser pretending to be from the legitimate website and asking for credentials and private information.

To protect themselves from in-session phishing attacks, Trusteer recommends that users:

  1. Deploy Web browser security tools.
  2. Always log out of banking and other sensitive online applications and accounts before navigating to other websites.
  3. Be extremely suspicious of pop ups that appear in a web session if you have not clicked a hyperlink.

* Image source: ToastyKen’s Flickr photostream (Creative Commons 2.0)

[Source: zdnet]

3.5m hosts affected by the Conficker worm globally

A recently conducted experiment by F-Secure estimates that approximately 3.5 million hosts have been infected with W32/Conficker.worm, also known as W32.Downadup, which has been spreading through the now patched MS08-067 since November, 2008. Basically, F-Secure’s experiment took advantage of the very same domain registration algorithm that the cybercriminals were using in order to temporarily redirect some of the infected hosts and, in the meantime, count the number of infected hosts.

With several new Conficker variants released since the original November campaign, the worm’s authors seem to be diversifying the propagation vectors in order to increase the worm’s lifecycle.

The latest propagation tactics include USB spreading and network share spreading, and according to McAfee, the latest samples that they’ve analyzed are attempting to exploit only English language OS versions, thanks to an OS fingerprinting feature within a Metasploit exploit used by the worm’s authors.

Ever since the first release of the worm, the authors’ criminal intentions became pretty evident. Infected hosts would be exposed to fake security software claiming that the host’s security has been compromised — appreciate the irony here — with the worm’s authors earning $30 for each and every successful sale of the bogus security software. This approach of monetizing malware infected hosts through an affiliate-based network is one of the main incentives for assembling a botnet these days.

[Source: zdnet]

Malware author greets Microsoft’s Windows Defender team

A Russian malware author involved with the Zlob malware family, one of the most prolific malware families of 2008 thanks to its successful mimicking of video codecs, has left a message for the Windows Defender team inside a sample analyzed by French researchers. The message is a follow-up to a previous note left in October, and basically greets Microsoft in respect of their improving detection rates for this malware family.

For Windows Defender’s Team:
I saw your post in the blog (10-Oct-2008) about my previous message. Just want to say ‘Hello’ from Russia. You are really good guys. It was a surprise for me that Microsoft can respond on threats so fast. I can’t sign here now (he-he, sorry), how it was some years ago for more seriously vulnerability for all Windows ;) Happy New Year, guys, and good luck! P.S. BTW, we are closing soon. Not because of your work. :-)) So, you will not see some of my great ;) ideas in that family of software. Try to search in exploits/shellcodes and rootkits. Also, it is funny (probably for you), but Microsoft offered me a job to help improve some of Vista’s protection. It’s not interesting for me, just a life’s irony.

Who’s this guy? The malware author claims that he coded a critical vulnerability affecting Windows a couple of years ago, and that Microsoft once offered him a job, presumably as a researcher. This message clearly indicates the ongoing multitasking mode of cybercriminals. Moreover, even though the author is trying to distance himself from future Zlob releases, the malware family is not going away anytime soon, even though his campaigns have been somewhat affected by Microsoft and, of course, the community as a whole.

The reason for that is the affiliation-based model (Inside an affiliate spam program for pharmaceuticals; Botnets committing click fraud observed) that cybercriminals have been developing throughout 2008: the dissemination process, and the job of keeping the binaries’ detection rates low, are outsourced to third parties who earn money as long as the infected hosts phone back to the desired location. This affiliation-based model is the main factor behind the growth of the Zlob malware, now an inseparable part of the underground ecosystem as one of the key promotional tools for fake security software.

[Source: zdnet]

RIM warns of BlackBerry PDF processing vulnerabilities

Hackers can use booby-trapped PDF attachments sent to BlackBerry devices to launch malicious code execution attacks, according to warnings issued by Research in Motion (RIM).

The company shipped patches this week to address a pair of critical vulnerabilities affecting its enterprise product line.

The vulnerabilities are due to the improper processing of PDF files within the Distiller component of the BlackBerry Attachment Service, RIM said. Here are the raw details:

  • KB17118: Multiple security vulnerabilities exist in the PDF distiller of some released versions of the BlackBerry Attachment Service. These vulnerabilities could enable a malicious individual to send an email message containing a specially crafted PDF file, which when opened for viewing on a BlackBerry smartphone, could cause memory corruption and possibly lead to arbitrary code execution on the computer that hosts the BlackBerry Attachment Service. These vulnerabilities each have a Common Vulnerability Scoring System (CVSS) score of 9.3.
  • KB17119: Multiple security vulnerabilities exist in the PDF distiller of some released versions of the BlackBerry Attachment Service. These vulnerabilities could enable a malicious individual to send an email message containing a specially crafted PDF file, which when opened for viewing on a BlackBerry smartphone, could cause memory corruption and possibly lead to arbitrary code execution on the computer that hosts the BlackBerry Attachment Service. CVSS 9.3. RIM recommends that users upgrade to the latest version of the BlackBerry Unite! software.

RIM customers are strongly urged to apply the updates or implement the workarounds listed in the documents to help mitigate the risk.

* Image source: edans’ Flickr photostream (Creative Commons 2.0)

[Source: zdnet]

Paris Hilton’s official web site serving malware

The official web site of Paris Hilton has been embedded with a malicious iFrame, automatically exposing visitors to client-side vulnerabilities and banker malware, according to researchers from ScanSafe. Upon closer analysis, it appears that the site was infected on Thursday, January 8, becoming the very latest legitimate site whose use of outdated web application software led to its exploitation.

Moreover, just like we’ve seen in previous related attacks, Hilton’s site compromise is part of a bigger malware campaign affecting several thousand sites; the site was not exclusively targeted.

A javascript embedded at the bottom of the site is actually an iFrame that used to point to the now down you69tube .com/flvideo/.a/.t/index .php. Once the downloader is executed it attempts to download another binary from the same site, including configuration files from several other sites among which is The abuse and use of legitimate infrastructure as a foundation for the entire malicious campaign is a common practice applied by cybercriminals these days. For instance, in this campaign not only is the official web site of a popular celebrity used to acquire the traffic, but also, another legitimate site is used as a dropzone for the configuration file of the banker malware.

Let’s discuss the attackers’ logic applied here. December’s massive SQL injection attack affecting thousands of Chinese web sites used as infection vectors serving the IE XML parsing zero day is an example of the “long tail of SQL injected sites” versus targeted attacks against high profile sites. Basically, their thinking is that not only would thousands of sites acquire more traffic than a high profile one, but also, that their campaign may live longer if they diversify instead of centralizing it on a single high profile site, despite the anticipated traffic that would come from it.

For the time being the malicious iFrame has been removed, and the malware campaign is in a cover-up phase — they wish.

[Source: zdnet]

MS Patch Tuesday: 3 critical SMB vulnerabilities

Microsoft today shipped a solitary bulletin with patches for at least three documented security flaws in the Microsoft Server Message Block (SMB) Protocol.

The three vulnerabilities, rated “critical” on Windows 2000, Windows XP and Windows Server 2003, expose Windows users to remote code execution attacks, Microsoft said in its MS09-001 bulletin. The company warns:

“An attacker who successfully exploited these vulnerabilities could install programs; view, change, or delete data; or create new accounts with full user rights.”

Only two of the three vulnerabilities affect Windows Vista and Windows Server 2008.

Although the exposure to risk seems severe (remote code execution), Microsoft believes it’s unlikely that functioning exploit code will be created and released. Microsoft’s Mark Wodrich explains why:

  • The vulnerabilities cause a fixed value (zero) to be written to kernel memory – not data that the attacker controls.
  • Controlling what data is overwritten is difficult. To exploit this type of kernel buffer overrun, an attacker typically needs to be able to predict the layout and contents of memory. The memory layout of the targeted machine will depend on various factors such as the physical characteristics (RAM, CPUs) of the system, system load, other SMB requests it is processing, etc.

Eric Schultze, CTO at patch management specialists Shavlik, still recommends that Windows users view MS09-001 as “super critical to install right away.”

This flaw enables an attacker to send evil packets to a Microsoft computer and take any action they desire on that computer - no credentials required. The only pre-requisite for this attack to be successful is a connection from the attacker to the victim over the NetBIOS (File and Printer Sharing) ports (tcp 139 or 445). By default, most computers have these ports turned on.

While these ports are usually blocked on Internet firewalls and personal firewalls, these ports are typically left open in a corporate network. If a worm is released, and that worm makes it into a corporate network, it will make swiss cheese of that network relatively quickly.

According to Roel Schouwenberg, a senior anti-virus researcher at Kaspersky Lab (my employer) the risk of a network worm attack is minimal. “It’s unlikely we’ll see a worm,” he said.

[Source: zdnet]

Privacy flaw haunts Apple Safari RSS reader

There’s a major privacy problem with the RSS reader built into Apple’s Safari browser.

According to an alert from Brian Mastenbrook, there is a serious Safari vulnerability that allows a malicious web site to read files on a user’s hard drive without user intervention.

Mastenbrook warns:

This can be used to gain access to sensitive information stored on the user’s computer, such as emails, passwords, or cookies that could be used to gain access to the user’s accounts on some web sites. The vulnerability has been acknowledged by Apple. All users of Mac OS X 10.5 Leopard who have not changed their feed reader application preference from the system default are affected, regardless of whether they use any RSS feeds or use a different web browser (such as Firefox). Users of previous versions of Mac OS X are not affected.

[ SEE: Microsoft issues Safari-to-IE blended threat warning ]

Mastenbrook, who has a credible history of reporting security issues affecting the Mac ecosystem, said users of Safari on Windows are also affected.

The researcher recommends that Safari users change the default feed reader in the browser.

[ SEE: Adobe Flash, Apple Safari fail privacy test ]

To select a different feed reader:

  1. Open Safari and select Preferences… from the Safari menu.
  2. Choose the RSS tab from the top of the Preferences window.
  3. Click on the Default RSS reader pop-up and select an application other than Safari.

The only workaround available for users of Safari on Windows is to use a different web browser, Mastenbrook recommends.

[Source: zdnet]

This is not the first time that Apple’s Safari browser has failed a privacy-related test.

Oracle drops critical database server patch bundle

Oracle has dropped the first quarterly critical patch update for 2009 — with patches for 41 vulnerabilities in a wide range of database server products.

The January 2009 CPU includes 20 new security fixes for the company’s flagship database product lines, 4 new security fixes for the Oracle Application Server, 9 vulnerabilities in Oracle Secure Backup, 4 new security fixes for the Oracle Applications Suite, and 6 new security fixes for the PeopleSoft and JDEdwards Suite.

On the Oracle Database side, here’s a breakdown of the main patches:

  • 10 new security fixes for the Oracle Database. None of these vulnerabilities may be remotely exploitable without authentication, i.e. may be exploited over a network without the need for a username and password. 2 of these fixes are applicable to client-only installations, i.e. installations that do not have an Oracle Database installed.
  • 9 new security fixes for the Oracle Secure Backup product. All of these vulnerabilities may be remotely exploitable without authentication, i.e. may be exploited over a network without the need for a username and password.
  • 1 new security fix for the Oracle TimesTen Data Server. This vulnerability is remotely exploitable without authentication, i.e. may be exploited over a network without the need for a username and password.

According to Alexander Kornbrust from Red Database Security, the most critical bug could allow any user with execute privileges on dbms_ijob (e.g. DBA or hacker/user with DBA privs) to bypass Oracle Auditing completely.

This means no traces in the AUD$ and/or the operating system! All databases are affected.

Risk matrix definitions, including CVSS scores for all the vulnerabilities, are included in Oracle’s advisory.

* Image source: Oracle Security at

[Source: zdnet]

Google adds HTTPS-only browsing to Chrome


Google has quietly released a pre-beta version of Google Chrome 2.0 with a new HTTPS-only browsing mode.

The new feature lets users add “force-https to your Google Chrome shortcut” to only load Web sites with valid security certificates. “Sites with SSL certificate errors will not load,” the company explained.

The newest Chrome release also updates the WebKit and V8 JavaScript engines, offers a better implementation for SafeBrowsing (malware/phishing protection), and new code for the HTTP network protocol.

Google’s release notes provide more detail on the changes.


[Source: zdnet]

Oracle planning Patch Tuesday whopper

Microsoft may be offering a Patch Tuesday respite this month but, if you’re an Oracle database administrator, January 13 will be a very busy day.

The database server giant announced plans for a monster Patch Day next Tuesday with fixes for 41 security vulnerabilities “across hundreds of Oracle products.”

The first CPU (Critical Patch Update) for 2009 includes patches for flaws that affect multiple products, the company said. “Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible.”

The following products are affected:

[ SEE: Microsoft planning quiet Patch Tuesday (1 critical) ]

  • Oracle Database 11g, version
  • Oracle Database 10g Release 2, versions,,
  • Oracle Database 10g, version
  • Oracle Database 9i Release 2, versions,
  • Oracle Secure Backup version,
  • Oracle Secure Backup version,,
  • Oracle TimesTen In-Memory Database version,,,
  • Oracle Application Server 10g Release 3 (10.1.3), version
  • Oracle Application Server 10g Release 2 (10.1.2), versions,
  • Oracle Collaboration Suite 10g, version 10.1.2
  • Oracle E-Business Suite Release 12, version 12.0.6
  • Oracle E-Business Suite Release 11i, version
  • Oracle Enterprise Manager Grid Control 10g Release 4, version
  • PeopleSoft Enterprise HRMS versions 8.9, 9.0 and 9.1
  • JD Edwards Tools version 8.97
  • Oracle WebLogic Server (formerly BEA WebLogic Server) 10.0 released through MP1, 10.3 GA
  • Oracle WebLogic Server (formerly BEA WebLogic Server) 9.0 GA, 9.1 GA, 9.2 released through MP3
  • Oracle WebLogic Server (formerly BEA WebLogic Server) 8.1 released through SP6
  • Oracle WebLogic Server (formerly BEA WebLogic Server) 7.0 released through SP7
  • Oracle WebLogic Portal (formerly BEA WebLogic Portal) 10.0 released through MP1, 10.2 GA, 10.3 GA
  • Oracle WebLogic Portal (formerly BEA WebLogic Portal) 9.2 released through MP3
  • Oracle WebLogic Portal (formerly BEA WebLogic Portal) 8.1 released through SP6

Additional details, including CVSS scores and affected components can be found in Oracle’s advance notice.

[Source: zdnet]

Microsoft planning quiet Patch Tuesday (1 critical)

Microsoft plans to ship a solitary security bulletin next Tuesday with fixes for a serious security problem in its flagship Windows operating system.

The bulletin will carry a “critical” rating, which means that exploitation of the vulnerability could allow the propagation of an Internet worm without user action.

According to an advance notice issued by Redmond, the flaw is rated critical on Windows 2000, Windows XP and Windows Server 2003.

On Windows Vista and Windows Server 2008, the severity is downgraded to “moderate.”

Technical details on this issue will not be publicly available until Microsoft ships the patch on January 13, 2009.

[Source: zdnet]

Microsoft study debunks phishing profitability

Do phishers actually make money, or is phishing an unprofitable business into which scammers sink time and resources? Taking the economic approach of generalizing how much money phishers make, a recently released study by Microsoft researchers Cormac Herley and Dinei Florencio (A Profitless Endeavor: Phishing as Tragedy of the Commons) states that phishing isn’t as profitable as originally thought.

Citing the 1968 article “Tragedy of the Commons”, the researchers argue that because so many phishers operate on the same scam-scene, they earn less than they could otherwise. Moreover, according to the research, the enormous volume of phishing emails is in fact an indication of the failure of phishing. Naturally, there are many more factors to consider; in particular, are phishers in fact profit-maximization machines, or are they willing to sacrifice potential profit for the sake of their own security? Is it all about making big money, or about breaking even in general?

“However, as we will show, the economics of phishing are far far worse than this. Rather than sharing a fixed pool of dollars phishing is subject to the tragedy of the commons; i.e. the pool of dollars shrinks as a result of the efforts of the phishers. A community (all phishers) share a finite resource (the pool of phishable dollars) that has limited ability to regenerate (dollars once phished are not available to other phishers). The tragedy of the commons is that the rational course of action for each individual (phisher) leads to over-exploitation and degradation of the resource (the phishable dollars).”

Using the Tragedy of the Commons analogy in this case makes it sound as if every phished person’s disposable income, to which phishers would eventually have access, is universally the same. Logically, that’s not the case, since a single phished person could prove to be a more profitable catch for a phisher than a hundred phished people, and the number of potentially phishable people is always increasing as more people go online.

Moreover, phishers, who perhaps do not think in terms of economic models, are constantly looking for ways to achieve better efficiency, lower costs, and ways to eat other phishers’ lunch by scamming their fellow colleagues. For instance, related research published in August 2008 found evidence that phishers are in fact backdooring phishing pages and then distributing them for free so that they can have other phishers do the scam for them. The same backdooring process, even though not properly analyzed in a study, continues to take place at a more advanced and far more profitable level: backdooring web malware exploitation kits and botnet command and control interfaces. Therefore, of a hundred actively participating phishers, eighty could easily be phishing for the other twenty.

There are even more variables to consider. Take internal competition among different phishers. Just because a phisher has just sent a million phishing emails pretending to be from a leading German bank to a million Chinese users, perhaps not knowing that the spamming database he’s using belongs to Chinese citizens, doesn’t mean that the outcome of his campaign would be similar to that of a fellow phisher who has taken basic localization and targeting steps into account. With localization of cybercrime taking place as of early 2008, outsourcing the translation of a particular phishing campaign/email is opening up an entire new space for phishers to more effectively target potential victims. The bottom line here is that the second phisher has a higher chance of success even though they’re attempting to phish the same Chinese users, since he’d be impersonating a local bank and his phishing creatives would be written in the native language.

This is where efficiency and scalability come into play, a situation pretty similar to that of spam. As long as even a small number of people out of a million phishing emails sent become victims, the phishers break even and thus continue expanding the number of emails sent. This shouldn’t be taken as a failure of phishing in general; instead, it should be considered a campaign optimization practice attempting to achieve better results by targeting a larger population.

Quality assurance is yet another differentiation factor distinguishing the sophisticated phisher from the novice one, who will never get close to the potential market share the sophisticated one is aiming at. Just because all phishers have access to the same quality fakes of legitimate banks, and to DIY phishing tools assisting them in redirecting accounting data to a single domain, doesn’t mean that all of them will make the same impact. The experienced ones achieve a higher average online time for their phishing domains, and apply better targeting and localization tactics, since spammers, phishers and malware authors are consolidating and vertically integrating to cut costs and achieve scalability. Phishing may be described as a low-skill, low-reward job in the study, but just like in every cybercrime practice, the “knowledge workers” in the phishing ecosystem are the ones getting most of the financial rewards, with the rest basically generating noise and in fact often getting busted due to their inexperience, acting as a human shield for the sophisticated phishers.

There’s another issue to consider, and that is how much money a phisher is actually looking to make out of his phishing campaigns, and whether there is in fact a maximum or a minimum to his ambitions. Even when access to someone’s account is obtained, is the phisher actually able to withdraw the money from the account, or is he in fact going to make money by selling access to the phished account to someone who can, thus monetizing the accounting data instead of using it? Evidence gathered on this practice clearly indicates that novice phishers may in fact never obtain any of the money that they have access to, but instead make money by selling access to a particular account to those who can.

Phishers may not be making the money that they used to a couple of years ago, but then again phishing has long stopped being an exclusive cybercrime practice; it’s turned into a cybercrime practice “in between”, with the phishers breaking even given the lowering costs and entry barriers into the phishing space in general. And as long as they break even, millions of phishing emails will continue circulating, again “in between” the rest of their malicious activities.

[Source: zdnet]

Bogus LinkedIn profiles serving malware

A currently active malware campaign is taking advantage of bogus LinkedIn profiles impersonating celebrities in an attempt to trick users into clicking on links serving bogus media players. LinkedIn is among the latest social networking services considered a valuable asset in the arsenal of the blackhat SEO knowledgeable cybercriminal, simply because this approach works. For instance, Googling for “Keri Russell nude” or “Brooke Hogan Naked pics” you’ll notice that the bogus profiles have already been indexed by Google and are appearing within the first 5/10 search results.

This is a proven tactic for acquiring search engine traffic which was most recently used in the real-time syndication of hot Google Trends keywords as bogus content for automatically generated bogus profiles on Microsoft’s Live Spaces. Approximately 70 to 80 bogus LinkedIn profiles appear to have been created within the past 24 hours, with LinkedIn’s staff already removing some of them.

Upon several redirections a malware dropper (TubePlayer.ver.6.20885.exe) is served, currently detected by 10 AV vendors as TrojanDownloader:Win32/Renos.gen!BB. Overall, the malware campaign is thankfully not taking advantage of any client-side vulnerabilities for the time being, leaving it up to the end user’s vigilance, if any, if we’re to exclude the most abused infection vector for 2008.

[Source: zdnet]

Thousands of Israeli web sites under attack

In the wake of the escalating conflict between Israel and Hamas, it didn’t take long before pro-Hamas supporters organized themselves and started defacing thousands of pro-Israeli web sites in order to use them as vehicles for propaganda — Israel is meanwhile hijacking TV signals.

For the time being, pro-Israeli sites are being automatically probed for web application vulnerabilities through search engine reconnaissance of the Israeli web space by JURM-TEAM and TEAM-Evil, two groups working together and using identical templates for the defaced sites.

Compared to this group’s previous hacktivism (politically motivated hacking) activities, consisting primarily of mass web site defacements through exploitation of web application vulnerabilities, last week TEAM-Evil managed to hijack the DNS records of several hundred Israeli domains — traffic was redirected to — after compromising the administration panel of the domain registrar DomainTheNet.

Members of Team-Evil are no strangers to Israel. The group has been periodically attacking pro-Israeli web sites since 2006. Who are Team-Evil anyway?

Originally started as a Moroccan-based hacking group of Muslim hackers, today, thanks to the group’s popularity, they’ve managed not only to recruit more hackers/script kiddies, but also to gain the support of other Muslim hacking groups. The group’s efficient way of exploiting Israeli and pro-Israeli web sites, through commodity web site defacement tools scanning for and exploiting known web application vulnerabilities, reached such a peak that a 17-year-old member of Team-Evil got busted. In the ongoing web site defacement attacks, several other well known Muslim hacking groups appear to be cooperating directly with Team-Evil, such as:

  • JURM-TEAM - members include sql_master, Jurm, Dr.Noursoft, RedDoom, Lpooxd, Cyb3rt and
  • Islamic Cr3w - members include Twister and AlH7N00TY
  • TEAM SPECIAL AGENT - members include PrOf-HaCkEr,Black^Monster, FREEM@N, and R00t-Os
  • Team-Evil themselves - members include Jurm, Cyber-terrorist, J3ibi9a, Scritpx, Fatna Bant Hmida

It’s important to point out that the massive web site defacements taking place are not rocket science; they are low-hanging fruit, made available to the attackers by insecurely configured web servers. Interestingly, according to one of the messages left on the defaced sites, a separate campaign has been launched by the Hamas supporters in response to the June 2008 defacement of the portal by Israeli hackers.

Having monitored the demise of international cyber jihadist hacking teams (Osama Bin Laden’s Hacking Crew, Ansar AL-Jihad Hackers Team, HaCKErS aLAnSaR) attacking primarily Western sites, by comparison Israel, Palestine and their supporters are not going to give up so easily the propaganda capabilities that they’ve been building since 2001 by means of web site defacements.

[Source: zdnet]

Real plugs critical holes in Helix Server

RealNetworks has shipped a new version of its Helix Server to plug at least four vulnerabilities that introduce code execution and denial-of-service risks.

The flaws affect Helix Server Version 11.x, Helix Server Version 12.x, Helix Mobile Server Version 11.x and Helix Mobile Server Version 12.x. Three of the four bugs are considered “highly critical” because of the risk of remote code execution attacks.

Technical details:

  • ZDI-CAN-293: RealNetworks Helix Server RTSP DESCRIBE Heap Overflow Vulnerability. This vulnerability allows attackers to execute arbitrary code on vulnerable installations of RealNetworks Helix Server. User interaction is not required to exploit this vulnerability. Authentication is not required to exploit this vulnerability.
  • ZDI-CAN-323: DoS stack-based buffer overflow vulnerability when parsing RTSP SETUP. Denial of service can be triggered by performing three consecutive crafted requests on port 554 (default RTSP) of the server.
  • ZDI-CAN-333: RealNetworks Helix Server DataConvertBuffer Heap Overflow Vulnerability. This vulnerability allows attackers to execute arbitrary code on vulnerable installations of RealNetworks Helix Server. Authentication is not required to exploit this vulnerability.
  • ZDI-CAN-380: RealNetworks Helix Server NTLM Authentication Malformed Base64 Heap Overflow Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on systems with vulnerable installations of RealNetworks Helix Server. Authentication is not required to exploit this vulnerability.

Information on patching these installations can be found in this RealNetworks advisory (.pdf)

[Source: zdnet]

Adobe Flash, Apple Safari fail privacy test

Third party plug-ins like Adobe Flash do a poor job of cleaning traces of your browser sessions, rendering private-browsing features somewhat useless, according to a new study by researcher Katherine McKinley.

McKinley, a researcher at iSec Partners, created a tool for testing the functionality of clearing private data after a browser session and browsing in private mode and found that some browsers — most notably Apple’s Safari for Windows — do a poor job of wiping traces of a browser session.

[ SEE: Microsoft confirms ‘InPrivate’ IE 8 ]

McKinley warns (.pdf):

Third party plug-ins like Adobe Flash, which is far more popular than any individual browser or platform, seem to undermine the data protection schemes offered by all common browsers, however. While browsers are introducing more features with privacy implications, such as persistent local storage, they have mostly integrated the management of this type of information into a single location. When users want to ensure their privacy with respect to information stored via the browser standard methods, they can go to a single location to clear the data, use a separate browser, or use a working private browsing mode, if available.

Plug-ins need to take extra steps to ensure the privacy of their users. The clear best practices in this area, as exemplified by Google’s Gears, prompts users before allowing a site to store data on their system, holds a per-browser data store, and integrates their management UI into the browser UI. Adobe Flash does none of these things, instead silently allowing web sites to store data, uses one global data store for all browsers, and uses a settings UI accessible only when the user is connected to the Internet.

[ SEE: Major Web browsers fail password protection tests ]

She called on browser vendors and plug-in vendors to cooperate to make their platforms more trustworthy:

A set of standard APIs to communicate the need for plug-ins to clear data for a particular origin, all sites, or even a date range needs to be developed, and its use required of all plugins. In the absence of these APIs, plugins which require use of any local system resources should prompt before allowing web sites to store data locally, and integrate the management of interface into the standard browser API.

In the study, McKinley tested the data storage on modern browsers, including HTTP cookies, HTML 5 session storage, Mozilla Firefox persistent storage, HTML 5 database storage, IE userData, Adobe Flash and Google Gears.

[ SEE: Firefox scrambles to add ‘private mode’ browsing ]

Apple’s Safari on Windows, which offers a “Private Browsing” option, did not fare well:

The HTML 5 Database store on Safari is not cleared when resetting the private data, the user must go to their preferences and select Security, then click the “Show Databases” button on that tab to review or delete databases. For IE 8 Beta 2, the browser must be closed to actually clear the data for the running instance. In each of these cases, it is necessary to perform additional actions to effectively clear this data.

And more:

Safari on Windows fared the worst of all in [tests] with respect to private browsing, and did not clear any data at all, either before entering or after exiting the private mode. On OS X, Safari’s behavior was quirky; in no case was the HTML 5 database storage cleared before or after private browsing. Previously set cookies seem to continue to be available if the user entered a private browsing session, but if the user started the browser and went directly into private browsing, it seemed to behave as expected.

* Image source: 253C. Hat tip to NYT’s Brad Stone.

[Source: zdnet]

An easy fix ignored

In the wake of this morning’s 25C3 presentation by Alex Sotirov and Jacob Appelbaum, most of the coverage I’ve read so far has focused on the technical details and real-world impact of their findings. Rightly so — their paper describing the attack is a fascinating read filled with enough gory details to make any security practitioner salivate.

To summarize, the crux of the attack was the fact that certain certificate authorities (CAs) still use the MD5 algorithm to sign SSL certificates. The researchers exploited this implementation by harnessing some existing academic research on MD5 chosen-prefix collisions and sprinkling in a few additional tricks.

The most frustrating part of this whole debacle is that it should have never happened.

Like any widely used cryptographic algorithm, MD5 has been scoured for weaknesses by cryptanalysts since its introduction in 1991. The first significant cracks in the surface appeared at the CRYPTO 2004 conference in August 2004, when Xiaoyun Wang presented a paper entitled Collisions for Hash Functions that described a method for producing MD5 collisions.


History has shown repeatedly that cryptanalysis is an evolutionary process. Each subsequent compromise builds on top of prior work, and each new attack is more practical than the last. The Wang presentation should have been a wake-up call that the clock was ticking on MD5. But, aside from the security community, nobody paid much attention.

At the time, I was employed as a security consultant for @stake, and I can remember revising all of our deliverable templates to remove any mention of MD5 from our best practices or boilerplate text. Even some of my own colleagues were split on whether that was necessary, since the attack didn’t have any practical implications yet. I agreed that we had no reason to act like the sky was falling, but it would only be a matter of time until a practical attack would be discovered. As such, our customers should be advised, at the very least, to eradicate MD5 from their code going forward.

But people tend to be lazy. The typical enterprise mindset can best be summarized as “if it can’t hurt me today, stop bothering me,” and that probably won’t change anytime soon. For an enterprise application, the risk is bounded. If you choose to use a weak hash algorithm in your custom web application, you only hurt yourself and your customers. Apparently, that is a risk people are willing to take, even though switching hash algorithms is a fairly trivial code modification.

A few years later, right on cue, Marc Stevens released a master’s thesis entitled On Collisions in MD5, detailing a chosen-prefix attack against MD5. This was a significant breakthrough and one crucial step closer to the practical, real-world attack revealed today in Berlin.

It’s an absolute travesty that the CAs failed to act not only on the Wang research, but on every other MD5 attack that has materialized since. Any organization that is in the business of selling trust should take all possible measures to be trustworthy, and the CAs failed miserably in that regard.
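As an added defensive check, not code from Eng’s post or from the 25C3 research, the snippet below walks the outer DER structure of an X.509 certificate and flags signatures made with MD5-based algorithms (the OIDs are the PKCS#1 constants); the certificate-shaped sample blob is constructed inline and is not a real certificate.

```python
# Added example (not from the original post): flag X.509 certificates whose outer
# signatureAlgorithm is MD5-based, via a minimal DER walk with no third-party libs.
WEAK_SIGNATURE_OIDS = {"1.2.840.113549.1.1.4", "1.2.840.113549.1.1.2"}  # md5/md2WithRSA

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the length's width
        width = length & 0x7F
        length = int.from_bytes(buf[pos:pos + width], "big")
        pos += width
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Dotted string from DER OBJECT IDENTIFIER content bytes (base-128 arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends the current arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, body, _ = _read_tlv(cert_der, 0)
    _, _, pos = _read_tlv(body, 0)                    # skip tbsCertificate
    alg_tag, alg_id, _ = _read_tlv(body, pos)         # AlgorithmIdentifier SEQUENCE
    oid_tag, oid_raw, _ = _read_tlv(alg_id, 0)        # its first element is the OID
    if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06):
        raise ValueError("not a DER X.509 certificate")
    return _decode_oid(oid_raw)

def is_md5_signed(cert_der):
    return signature_algorithm_oid(cert_der) in WEAK_SIGNATURE_OIDS   # MD5/MD2 signature?

# --- constructed sample: a certificate-shaped DER blob, not a real certificate ---
def _tlv(tag, content):
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def build_sample_cert(sig_oid_bytes):
    tbs = _tlv(0x30, b"\x02\x01\x01" + b"\x00" * 200)              # opaque stand-in body
    alg = _tlv(0x30, _tlv(0x06, sig_oid_bytes) + b"\x05\x00")        # OID + NULL params
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 17))          # + dummy BIT STRING

MD5_RSA = bytes.fromhex("2a864886f70d010104")      # 1.2.840.113549.1.1.4
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11
```

For a real chain, the DER bytes of each certificate can be obtained from a PEM string with the standard library’s ssl.PEM_cert_to_DER_cert() and passed to is_md5_signed().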

* Chris Eng is senior director of security research at Veracode. He is currently removing root CAs from his web browser.

[Source: zdnet]