Verisign, McAfee and Symantec sites can be used for phishing due to XSS

Monday, 9 June 2008

Phished by Michael Jackson!! :-P

Last Update: 11/07/08

Should they all be trusted at first sight by unsuspecting online users? Yes, unfortunately this is the case with the websites of renowned and respected IT security companies. However, now that they are all vulnerable to cross-site scripting, the chances of getting phished and infected with malware and crimeware are dramatically increased.

Verisign.com XSS vulnerabilities (6 unfixed as of 18-06-08):
registrar.verisign-grs.com XSS submitted by C1c4Tr1Z
blogs.verisign.com XSS submitted by Zeitjak
knowledge.verisign.com XSS submitted by Zeitjak
foreseeresults.verisign.com XSS submitted by Zeitjak
servicecenter.verisign.com Redirect submitted by Zeitjak
ispcenter.verisign.com XSS submitted by Zeitjak

Fixed:
digitalid.verisign.com XSS submitted by Zeitjak
www-apps.verisign.com XSS submitted by TreX / unfixed since 16/01/2008!
search.verisign.com XSS submitted by bill
search.verisign.com XSS submitted by bill
www.verisign.com XSS submitted by i-landet / unfixed since 16/02/2007!!!
search.verisign.com.au XSS submitted by Harry Sintonen

Many high profile sites are "Verisign Secured" (allow me to have my doubts here), yet Verisign's own site is unsecured? Just wonder how easy it would be for the bad guys to phish your clients, or their customer base - I don't think that they are all aware of the risks posed by XSS vulnerabilities.

Realize the risk impact now, not only when you are forced to do so...

McAfee.com XSS vulnerabilities:
mastdb3.mcafee.com XSS submitted by Zeitjak (pending fix)
knowledge.mcafee.com XSS submitted by C1c4Tr1Z
knowledge.mcafee.com XSS submitted by holisticinfosec
us.mcafee.com XSS submitted by TreX
mcafee.com XSS submitted by kusomiso.com
mcafee.com XSS submitted by www.r3t.n3t.nl
www.mcafee.com XSS submitted by kusomiso.com
knowledge.mcafee.com XSS submitted by i-landet
mcafee.com XSS submitted by mityo on 13/06/08 / published on 15/06/08 (fixed-18/06/08)

All vulns are fixed (last update 11/07/2008).

It is a shame that McAfee continuously lies to the users of their "Hacker Safe" clients...
Building user trust just with evil marketing is not the correct way forward! You knowingly deceive online users with fake promises concerning their privacy and security. How is this for a business plan? :-/ Deliberate deception techniques like yours are only used for the sake of profiting from increased sales.
We still frequently receive submissions of XSS-vulnerable "Hacker unSafe" web sites.
It is an embarrassing fact that your site is also vulnerable!

- "More bad news for McAfee, HackerSafe certification", Nathan McFeters, ZDNet Zero Day blog - 1 May 08
- "McAfee 'Hacker Safe' cert sheds more cred", Dan Goodin, TheRegister - 29 Apr 08
- "McAfee isn't 'McAfee Secure' or 'Hacker Safe'...", Nathan McFeters, ZDNet Zero Day blog - 13 May 08

Quoting from Russ McRee's blog post titled "McAfee is not McAfee Secure":

>A challenge was put forth on Zero Day, and it has been answered.
>Apparently, McAfee doesn't care about XSS on their own sites either.
>
>I'll let the video speak for itself.
>
>For the love of all things good and proper, McAfee, please address this issue...for yourselves and the consumers who look to you to do the right thing.
>
>Sincerely,
>Russ McRee

Symantec.com XSS vulnerabilities:
nct.symantecstore.com XSS submitted by C1c4Tr1Z
www-secure.symantec.com XSS submitted by Zeitjak
partnerlocator.symantec.com XSS submitted by S_e_YM_e_N
investor.symantec.com XSS submitted by mox
www4.symantec.com XSS submitted by TreX
www4.symantec.com XSS submitted by TreX
symaccount.symantec.com XSS submitted by www.r3t.n3t.nl
service1.symantec.com XSS submitted by www.r3t.n3t.nl
service4.symantec.com XSS submitted by www.r3t.n3t.nl
photocontest.symantec.com XSS submitted by www.r3t.n3t.nl
service1.symantec.com XSS submitted by www.r3t.n3t.nl
searchg.symantec.com XSS submitted by security0x00
www-secure.symantec.com XSS submitted by www.r3t.n3t.nl
securityresponse.symantec.com XSS submitted by www.r3t.n3t.nl
www.symantec.com XSS submitted by Saime
securityresponse.symantec.com XSS submitted by cachaca
partnerlocator.symantec.com XSS submitted by TotalSchaden
www4.symantec.com XSS submitted by TotalSchaden

10 out of 18 XSS vulns are fixed.

Quoting from this news article:
"Symantec.com is never going to get a status clientHold. Malicious phishers can still use Symantec's XSS vulnerabilities to spread malware and steal personal sensitive information. Why did they choose to validate a mirror of a corrected PayPal XSS as a phishing site and give us the status clientHold? They should have the clientHold status for leaving an open door to the exploitation of their faithful customers' security and privacy."

I want to believe that all the above issues get fixed within the next few days.

Related News (Updated):
"Major Security Vendors' Sites Could Be Launchpads for Phishing Attacks", Tim Wilson, Dark Reading, 10 Jun 08
"Top security companies not immune to XSS problems", Steve Ragan, The Tech Herald, 11 Jun 08
"Verisign and anti-virus vendors fix cross-site scripting holes", Mike Barwise, heise Security UK, 13 Jun 08
"Scripting bugs blight security giants' websites", John Leyden, The Register, 13 Jun 08
"Major security sites hit by XSS bugs", Matthew Broersma, Techworld, 12 Jun 08

[Source: XSSing]

Justin.tv non-malicious cross-site scripting worm

x2Fusion from the TheDefaced.org security team recently contacted us regarding a serious XSS vulnerability on the popular lifecasting website Justin.tv:

"As of 'Sat, 28 Jun 2008 21:52:33 GMT' - An XSS worm was released on this website, this was and is meant only for research purposes. It was successfully executed and lasted roughly around 24 hours.

We have recorded such records making it possible for us to create graphical images graphing the progress of this XSS worm as it infected each profile upon the last being viewed.

The XSS Vulnerability was discovered and fixed during 'Sun, 29 Jun 2008 21:12:21 GMT', with an after mass of 2525 profiles."


Due to insufficient input sanitization of the Location field on users' profiles, the TheDefaced.org team could add the following script tag to a profile:

<script src="justinworm.js" language="javascript"></script>

The worm's source code will soon be posted on XSSing.com.
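The defect described above is the same one behind the vendor search-page entries listed earlier on this page: user-controlled text is placed into HTML without output encoding. The following is an added example, not Justin.tv's code and not the TheDefaced.org worm: a profile page rendered the vulnerable way beside the hardened rendering, with the script tag from the post as input, plus the reflected variant for a search page. The function names, field names and the input-validation pattern are assumptions made for this example; only the file name `justinworm.js` comes from the page.

```python
import html
import re

# Constructed payload of the kind the post describes: a script tag dropped into
# a free-text profile field. Only the file name is taken from the page; the
# surrounding markup and the field/function names are assumptions.
INJECTED_LOCATION = '<script src="justinworm.js" language="javascript"></script>'

# Defence in depth, step 1: validate the field against what a location can
# legitimately contain (letters, digits, spaces and a little punctuation).
LOCATION_OK = re.compile(r"^[\w .,'\-]{1,64}$")


def validate_location(value: str) -> bool:
    """Reject input that cannot be a place name before it is ever stored."""
    return LOCATION_OK.match(value) is not None


def render_profile_unsafe(username: str, location: str) -> str:
    """Vulnerable rendering: user data is concatenated straight into HTML, so
    markup in the Location field runs in every viewer's browser (stored XSS)."""
    return f"<p>{username} is in {location}</p>"


def render_profile_safe(username: str, location: str) -> str:
    """Hardened rendering, step 2: every user-supplied value is entity-encoded
    at the point where it is placed into the HTML body (output encoding)."""
    return (f"<p>{html.escape(username, quote=True)} is in "
            f"{html.escape(location, quote=True)}</p>")


def render_search_unsafe(query: str) -> str:
    """Reflected variant: a search page echoing the query without encoding."""
    return f"<h1>Results for {query}</h1>"


def render_search_safe(query: str) -> str:
    """Reflected variant with the same fix applied."""
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_active_script(rendered_html: str) -> bool:
    """Crude check for the tests: is there still a live <script> tag in the
    markup after rendering? Encoded text (&lt;script) does not count."""
    return SCRIPT_TAG.search(rendered_html) is not None


if __name__ == "__main__":
    print(render_profile_unsafe("alice", INJECTED_LOCATION))
    print(render_profile_safe("alice", INJECTED_LOCATION))
    print("location accepted:", validate_location(INJECTED_LOCATION))
```

Validation alone is not the fix: a Location field that legitimately allows apostrophes or ampersands still has to be encoded on output, and the encoding must match the context (HTML body here; attribute, URL and JavaScript contexts each need their own escaping).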

"This actually is the very first XSS worm which we have unleashed, and it was solely upon research reasons; non-malicious at all :)

We've contacted the JTV Programmers prior to the fixing of the XSS worm and have sorted things out with them and made sure that they knew that NO information such as IP addresses, cookies, sessions and further private information was to be released. After that I put myself forward and found another XSS in turn to prove that I was dedicated to helping JTV out in any further possible vulnerabilities", says x2Fusion.

[Source: XSSing]

More Worm and Virus Source Code

From Wormblog reader Adli Abdul W., more virus and worm source code. The Neworder site contains links to the virus source code for Melissa, ILOVEYOU, and other mass mailers and traditional viruses. Note that these are for educational purposes only, are detected by any decent AV engine, and should only be used on a testbed network you have the authority to use.

So, what can you do with these sorts of things? You can set up a research lab that tests, for example, your detection algorithms and implementations. If you're developing a plugin to a mail client or even a mail server, this can be an invaluable aid in your testbed. If you're testing a new AV signature engine, this is also useful. While the worms themselves aren't all that complex, the techniques they used are still around.

[Source: wormblog]

Anti-Malware Tools: Intrusion Detection Systems

Martin Overton, from IBM in the UK, is back with another interesting malware paper. He's got an outline of how to use Snort to detect malware in transit on the wire.

When most people think of tools to combat malware, very few give a passing thought to Intrusion Detection Systems. Why?

Common reasons include:

  • They don’t realise that IDS systems can be used against malware (viruses, Trojans, worms, etc.)
  • They are too difficult to setup, maintain and use.
  • That they are too prone to false alarms.

This paper will investigate the use of IDS systems, specifically to counter/block/detect malware. What's more, this paper will focus on SNORT (which is a free IDS system available for both UNIX and Windows).

This paper will include instructions and guidance on the setup of such a system, numerous examples of suitable rules to detect and block malware and useful tools that can make the sifting of logs easier and more palatable as well as configuration and other tools and utilities that may be useful in managing and maintaining SNORT.

The use of an IDS system can be extremely useful in cases of fast burning or very complex malware outbreaks as a stop-gap until the anti-virus vendors manage to get reliable updates out to their customers.

An IDS is also useful in identifying infected systems in your organization that need remedial action before the 'trickle' of infections becomes a 'torrent' and you are left fighting to keep your head above the rising waters.
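To make concrete what "rules to detect malware in transit" means, here is an added example that is not from Overton's paper or from Snort itself: a minimal parser for Snort-style rule lines (header plus the msg, content, nocase and sid options, including |hex| byte segments inside content) and a matcher that runs those rules over constructed packets. The two rules and the three packets are constructed for this example; a mass-mailer subject line on SMTP and a request for the worm script named earlier on this page are the only details borrowed from the text.

```python
import re
from dataclasses import dataclass, field

# Constructed Snort-style rules (not from Overton's paper). Only the header and
# the msg/content/nocase/sid options are understood by this toy matcher.
RULES_TEXT = r'''
alert tcp any any -> any 25 (msg:"Mass-mailer subject line"; content:"Subject|3a| ILOVEYOU"; nocase; sid:1000001;)
alert tcp any any -> any 80 (msg:"Request for known worm script"; content:"GET "; content:"/justinworm.js"; sid:1000002;)
'''

HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
# name:"quoted value"; | name:value; | name;
OPTION = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str = ""
    sid: int = 0
    contents: list = field(default_factory=list)  # byte patterns, all must match
    nocase: bool = False


def decode_content(text: str) -> bytes:
    """Turn a Snort content string into bytes, expanding |xx xx| hex segments."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def parse_rules(text: str) -> list:
    """Parse one rule per line; blank lines and # comments are skipped."""
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line}")
        rule = Rule(*m.groups()[:6])
        for opt in OPTION.finditer(m.group(7)):
            name, value = opt.group(1), (opt.group(2) or "").strip()
            if name == "msg":
                rule.msg = value.strip('"')
            elif name == "content":
                rule.contents.append(decode_content(value.strip('"')))
            elif name == "nocase":
                rule.nocase = True
            elif name == "sid":
                rule.sid = int(value)
        rules.append(rule)
    return rules


def _ok(spec: str, actual) -> bool:
    return spec == "any" or spec == str(actual)


def match_packet(rules: list, pkt: dict) -> list:
    """Return the sids of rules whose header and every content option match."""
    hits = []
    for r in rules:
        if r.proto != "ip" and r.proto != pkt["proto"]:
            continue
        if not (_ok(r.src, pkt["src"]) and _ok(r.sport, pkt["sport"])
                and _ok(r.dst, pkt["dst"]) and _ok(r.dport, pkt["dport"])):
            continue
        hay = pkt["payload"].lower() if r.nocase else pkt["payload"]
        if all((c.lower() if r.nocase else c) in hay for c in r.contents):
            hits.append(r.sid)
    return hits


# Constructed traffic: one infected mailer, one clean mail, one worm fetch.
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40001, "dst": "10.0.0.25", "dport": 25,
     "payload": b"From: a@example.test\r\nSubject: ILOVEYOU\r\n\r\nkindly check the attachment"},
    {"proto": "tcp", "src": "10.0.0.6", "sport": 40002, "dst": "10.0.0.25", "dport": 25,
     "payload": b"Subject: quarterly report\r\n"},
    {"proto": "tcp", "src": "10.0.0.7", "sport": 40003, "dst": "10.0.0.80", "dport": 80,
     "payload": b"GET /justinworm.js HTTP/1.1\r\nHost: profiles.example.test\r\n\r\n"},
]

RULES = parse_rules(RULES_TEXT)


def scan(rules: list, packets: list) -> list:
    """(source address, sids fired) for every packet, as a log would record it."""
    return [(p["src"], match_packet(rules, p)) for p in packets]


if __name__ == "__main__":
    for src, sids in scan(RULES, SAMPLE_PACKETS):
        print(src, sids)
```

Real Snort adds stream reassembly, offset/depth/distance modifiers and pcre options on top of this; the point the paper makes stands regardless: a content signature on the wire catches an outbreak the moment the payload is known, before AV signatures reach every endpoint.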

This paper is based on the recent two-part article written for Virus Bulletin [October and November 2004] and parts of that article have been used with their permission.

Anti-Malware Tools: Intrusion Detection Systems

[Source: wormblog]

DDoSVax Worm Traffic Analysis

The Swiss research group hosted under the banner of 'DDoSVAX' has been known for many years for doing good work. They have used some of their measurement infrastructure to analyze worm traffic, as well. Several worms are studied and presented on their website:

More Zotob Removal Tools

I posted a list of two Zotob removal tools the other day, but it seems that more are out. If you're building a USB keychain for malware removal and Zotob cleanup, these should be on it. They don't replace a full blown AV scanner, but they can help you in a crisis. Many thanks to Donna's blog for the list.

[Source: wormblog]

Worm Mitigation Technical Details

If you've been wondering how some very large networks have been able to use their network layer to defeat worm outbreaks, you should look over this Cisco technical document. It shows you how to track and defeat worms using NetFlow analysis tools.

Internet worms have had a severe impact on many enterprise customers. Recently developed tools and architectural techniques can be employed to assist with the mitigation of worm activity in an enterprise environment.

This paper provides:

  • A conceptual overview of worm mitigation techniques
  • Details for deployment of these techniques into an overall solution for enterprise customers

This document has been written from a solution standpoint. It is primarily designed to provide a tool kit for dealing with the issue of Internet worms within an enterprise environment. Although this is the primary motivation of this document, the overall solution has application well beyond this primary purpose and additionally provides capability for detecting and responding to other security incidents.

Source: Worm Mitigation Technical Details
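As an added illustration of tracking worms with NetFlow data (example code written for this page, not taken from the Cisco document), the following scores each source by how many distinct hosts it touches on a single destination port and by its average packets per flow. A scanning worm produces many tiny flows to many hosts on one port, which is what the heuristic flags; a busy but legitimate client produces a few large flows. The flow records, addresses, thresholds and the containment ACL number are all constructed for this example.

```python
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "src dst proto dport packets bytes")

# Constructed NetFlow-like records, not data from the Cisco paper.
# 10.1.1.7 behaves like a scanning worm: 60 distinct hosts on one port,
# one packet per flow. The other hosts do ordinary DNS, HTTPS and file sharing.
FLOWS = [Flow("10.1.1.7", f"10.2.0.{i}", "tcp", 445, 1, 48) for i in range(1, 61)]
FLOWS += [
    Flow("10.1.1.20", "10.1.1.2", "udp", 53, 1, 70),
    Flow("10.1.1.20", "203.0.113.10", "tcp", 443, 30, 25000),
    Flow("10.1.1.21", "10.1.1.2", "udp", 53, 2, 140),
    Flow("10.1.1.21", "10.1.1.30", "tcp", 445, 120, 200000),
]


def fan_out(flows: list) -> dict:
    """Distinct destination hosts per (src, proto, dport) key."""
    dests = defaultdict(set)
    for f in flows:
        dests[(f.src, f.proto, f.dport)].add(f.dst)
    return {k: len(v) for k, v in dests.items()}


def suspected_scanners(flows: list, min_dests: int = 20, max_avg_pkts: float = 3.0) -> list:
    """Keys that reach at least min_dests hosts with tiny flows, sorted.

    Thresholds are assumptions for this example; tune them against the normal
    fan-out of your own servers (mail relays, monitoring hosts, AD controllers).
    """
    dests = defaultdict(set)
    pkts = defaultdict(int)
    count = defaultdict(int)
    for f in flows:
        key = (f.src, f.proto, f.dport)
        dests[key].add(f.dst)
        pkts[key] += f.packets
        count[key] += 1
    flagged = []
    for key, hosts in dests.items():
        if len(hosts) >= min_dests and pkts[key] / count[key] <= max_avg_pkts:
            flagged.append((key, len(hosts)))
    return sorted(flagged)


def containment_acl(key: tuple, acl_number: int = 101) -> str:
    """One extended-ACL line blocking the offending source on the scanned port
    (IOS extended-ACL syntax; the ACL number is an assumption)."""
    src, proto, dport = key
    return f"access-list {acl_number} deny {proto} host {src} any eq {dport}"


if __name__ == "__main__":
    for key, hosts in suspected_scanners(FLOWS):
        print(f"{key[0]} -> {hosts} hosts on {key[1]}/{key[2]}: {containment_acl(key)}")
```

Fan-out on a single port is only one of the NetFlow indicators; the document's broader toolkit also uses flow volume baselines and per-interface counters, and any automatic ACL should be reviewed before it is pushed, since a misclassified monitoring host would be cut off just as effectively as a worm.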

[Source: wormblog]