CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
July 17th, 2010

Windows .lnk Shortcut Zero-Day Critical Vulnerability Confirmed By Microsoft

Hackers have developed malware that spreads via USB sticks using a previously unknown security weakness involving Windows’ handling of shortcut files.

Malware targeting the security weakness in the handling of .lnk shortcut files has been spotted in the wild by Belarus-based security firm VirusBlokAda. The malware uses rootkit-style functionality to mask its presence on infected systems. These rootkit drivers come digitally signed by legitimate software developer Realtek Semiconductor, a further mark of the sophistication of the attack.

In an advisory, VirusBlokAda says it has seen numerous incidents of the Trojan spy payloads dropped by the malware since adding detection for the malign code last month.

Even fully patched Windows 7 systems are vulnerable to attack in cases where a user views files on an infected USB drive using Windows Explorer, security blogger Brian Krebs reports. Instead of using Windows Autoplay to spread, the malware takes advantage of security weaknesses involving shortcut files. Malicious shortcuts on the USB drive are reportedly capable of auto-executing if users open an infected storage device in Windows Explorer. Normally users would have to click on the link for anything to happen.

Independent researcher Frank Boldewin has uncovered evidence that the malware is targeting SCADA control systems, used to control industrial machinery in power plants and factories, and specifically Siemens WinCC SCADA systems.

“Looks like this malware was made for espionage,” Boldewin writes.

Firms faced with a spate of Windows autorun worms have responded by disabling autorun, but this advice may no longer be enough with the appearance of a new attack vector, Finnish security firm F-Secure warns. “Our initial analysis of the samples appears to indicate that the shortcuts somehow take advantage of the way in which Windows handles Control Panel shortcut files,” it adds.

Microsoft has released an advisory confirming a previously unknown vulnerability in the way Windows processes shortcut files (CVE-2010-2568). The critical bug is trivial to exploit, affects all versions of Windows and allows for arbitrary code execution.

According to Microsoft, all versions of Windows from Windows XP with Service Pack 3 forward, including both 32- and 64-bit flavors, are affected. But Chester Wisniewski, senior security advisor at Sophos Canada, points out that Windows 2000 and Windows XP SP2, which have not been officially supported by Microsoft since earlier this week, are also vulnerable.

Even though the malware exploiting this vulnerability was spreading through USB devices, the bug itself can also be exploited from optical media, network shares and WebDAV. The temporary mitigation techniques suggested by Microsoft involve disabling shortcut icons via a registry hack, which will result in a really weird experience for users, and stopping the WebClient service, which will severely impact SharePoint customers.

Credit: The Register


  • July 16th, 2010

    Government .gov Domains DNS Hijacked, Point To Adult Content And Push Adware

    Security researchers warn that various domains in the .gov space had their DNS hijacked and are hosting pages that redirect users to adult websites. The hijacking seems to be part of a scheme to push FLVDirect adware.

    Apparently, FLVDirect affiliates are abusing several government domains, including, but not limited to yanceycountync.gov, uppersiouxcommunity-nsn.gov, woodfin-nc.gov, dumontnj.gov and emporia-kansas.gov to trick users into downloading and installing adware on their computers. The attackers have managed to create sub-domains of the form tubes-####.* (where # is a single digit) on all of the affected domains.

    “It looks like their DNS has been hijacked and those sub domains point to servers that are not under their control,” researchers from Sunbelt Software, who analyzed the attack, write. Pages hosted on the rogue sub-domains are riddled with keywords and are being used in a black hat search engine optimization (BHSEO) campaign to poison search results for queries related to adult content. Such techniques are commonly employed by cyber crooks to infect unsuspecting users looking for information on current events with scareware.

    Visiting any of the pages hosted on the rogue sub domains redirects users to either a FLVDirect affiliate site promising hundreds of hours of adult videos for free or an adult dating community. FLVDirect is a well-known piece of adware – an application designed to display unsolicited ads once installed on a computer.

    “Adware:Win32/FlvDirect is the detection for a file that installs the program ‘FlvDirect Media Player’. This program is usually bundled with another adware program detected as Adware:Win32/LoudMo. These installers contain an ID, which can be monitored; the more installers are deployed, the more an affiliate company is paid for deploying the installer,” Microsoft explains.

    All the sub-domains appear to be hosted on a server responding to 66.49.238.80. This IP address belongs to a company called Canaca-com Inc, which sells Web hosting and VPS hosting services.

    Credit: Softpedia.com News


  • July 15th, 2010

    TweetMeme Hit By Malvertisement, Users Redirected To Fake Antivirus Pages

    A malvertising attack targeted TweetMeme.com users today after a rogue advertiser made its way onto the website. The malicious advertisements directed users to third-party websites displaying fake malware alerts with the purpose of convincing users to install scareware.

    Malvertising (malicious advertising) is a type of attack where cyber crooks manage to insert rogue ads that lead users to malicious content into a legit website. The practice is commonly employed by scareware pushers to distribute their fake antivirus products.

    According to StopMalvertising, a website dedicated to researching and stopping such attacks, TweetMeme users were targeted via malicious advertisements served by a rogue advertiser at y5-media.com. An investigation of the incident revealed that the threat distributed through these malvertisements was a fake antivirus called Security Threat Analysis.

    The researchers explain that requests to y5-media.com bounce through two other websites before landing on the scareware domains. In order to fly under the radar the cyber crooks tried to make the attack as subtle as possible.

    “Both domains perform various checks to see whether you’re a bot, a search engine, a proxy … as in those cases the redirect to the scareware will not happen,” the researchers explain. Also, if a user visits the malicious websites once, a cookie is added in his browser to prevent him from being targeted again.

    The landing websites at www3.luckfind42td.in and www2.guardhere5.in display the typical fake malware scans associated with scareware scams. When these scans are “done” the users are taken to another domain called www1.wareforyou10.in, which serves a file called packupdate107_302.exe for download. This is a program in the FakeAV family of malware, which currently has a very low AV detection rate.

    Malvertisements can be very dangerous because, unlike black hat search optimization campaigns that poison search results with malicious links, they are a lot harder to detect and abuse the trust that users put into legit websites. Popular websites that were previously affected by similar attacks include the New York Times, Gizmodo or Digital Spy.

    Credit: Softpedia.com News


  • July 14th, 2010

    Facebook Users Can Be Forced Into Liking Arbitrary Pages Through Clickjacking

    A security researcher has discovered a vulnerability which can be used to force Facebook users into liking arbitrary pages. The type of attack is known as clickjacking and does not require any form of user confirmation.

    The Facebook “Like” button allows users to share content they find interesting on the Web. The feature is meant to allow users with similar interests to easily find and connect to each other on the social networking website. The button can be integrated by webmasters into any page on their website via a special IFrame.

    The bug was discovered by a 21-year-old student named Eric Kerr who documented it on his blog. Successful exploitation results in arbitrary content being added to the user’s Facebook News Feed, and at the time of writing this article the flaw was still active.

    Kerr explains that a bug in the implementation allows potential attackers to trick users into Liking malicious pages without even knowing it. This can be accomplished by hiding the button on the page via CSS and attaching it under the mouse cursor using a bit of JavaScript.

    In this way, regardless of where the user clicks on the page, they will always click on the “Like” button. The most important aspect of the attack is that it all happens transparently, without users seeing any warning that they are about to Like something.

    This type of attack, which is known as clickjacking or user interface (UI) redressing, can allow for the creation of so called social networking worms – malicious messages that spread virally. The existence of such a vulnerability is worrying because Facebook scams abusing the Like functionality have been particularly active lately.

    “More advanced versions might use cookies to detect when a user is returning so they can actually use the site after presumably clicking the like button. Other modifications might include detection on when a user clicks the invisible iframe so it is removed without the user knowing and browsing returns to normal,” Eric Kerr warns.

    Credit: Softpedia.com News


  • July 8th, 2010

    The Pirate Bay Compromised, Hacker Swipes Details Of 4 Million Users

    The Pirate Bay has been compromised by an Argentinean hacker who made off with usernames, email and internet addresses of more than four million people signed up to the BitTorrent tracker site.

    KrebsOnSecurity.com reported yesterday that Ch Russo broke into TPB’s system and grabbed the info from the notorious website, which might amuse some pro-copyright groups.

    Russo had considered selling the private data, but in the end decided to go public about TPB’s shaky security credentials. He accessed the information via the site’s user database by exploiting its weakness to SQL injections.

    “We wanted to tell people that their information may not be so well protected,” Russo said.

    Meanwhile, it may be a coincidence, but The Pirate Bay is currently out of action and carried the following message:

    “Upgrading some stuff, database is in use for backups, soon back again.. Btw, it’s nice weather outside I think.”

    At this moment the website appears to be offline.

    Credit: The Register


  • July 8th, 2010

    Mobile Malware Create A 100,000 Botnet On Symbian Series 60 Handsets

    Mobile malware that affects Symbian Series 60 handsets is being used to create a botnet.

    Security firm NetQin claims as many as 100,000 smartphones have been compromised with the malware, which typically poses as a game and affects Series 3 and 5 Symbian devices. NetQin said the malware is programmed to send SMS messages from compromised devices.

    “These botnets do one of two things; send messages to all the contacts of the address book directly, or send messages to the random phone numbers by connecting to a server,” NetQin explains in a blog posting.

    “The viruses will delete the sent messages from the user’s Outbox and SMS log. All messages contain URLs linked to malicious sites that users won’t be able to see until after they’ve fallen into the virus trap.”

    The Symbian Foundation said that the certificate used to sign the malware has been revoked, so, provided revocation checking is enabled on a phone, the malware will not run. Symbian downplayed the threat of the malware, which a spokesman described as posing only a “very minor threat”, V3.co.uk reports.

    Credit: The Register


  • July 7th, 2010

    New Critical Vulnerability In Internet Explorer, Versions 6, 7, 8 Affected

    French vulnerability research company VUPEN Security reports the discovery of a use-after-free vulnerability affecting all versions of Internet Explorer that could possibly lead to code execution. According to the company’s new “no more bugs for free” policy, details of the flaw will not be shared with Microsoft unless it pays.

    “We Discovered the 10th Unpatched Use-after-free Vulnerability in MS Internet Explorer. IE 8/7/6 are all affected,” a short announcement from VUPEN posted on Twitter reads. However, the research will only be available to its paying customers.

    Use-after-free conditions occur when a program continues to use a pointer to a location in memory that has already been deleted or freed. According to an article from OWASP (Open Web Application Security Project) this type of vulnerability poses a very high risk level and has a high exploitation likelihood.

    “The use of previously freed memory can have any number of adverse consequences - ranging from the corruption of valid data to the execution of arbitrary code, depending on the instantiation and timing of the flaw. If the newly allocated data chances to hold a class, in C++ for example, various function pointers may be scattered within the heap data. If one of these function pointers is overwritten with an address to valid shellcode, execution of arbitrary code can be achieved,” is explained in the article.

    VUPEN Security, which was previously known as FrSIRT, has been credited with discovering numerous critical vulnerabilities in widely deployed software, including Microsoft products. The company recently claimed to have discovered the first two vulnerabilities in the new Microsoft Office 2010 suite.

    However, VUPEN is no longer willing to give away its research for free to the affected vendors. Instead, it practices responsible disclosure only with software developers that pay for the information. “Why should security services providers give away for free information aimed at making paid-for software more secure?,” Chaouki Bekrar, VUPEN’s chief executive officer, commented for Heise Media.

    The company continues to provide intelligence about the unpatched vulnerabilities to various governments who are members of its Threat Protection Program, even if the vendor has not been informed. The information includes full binary analysis and detection guidelines.

    This “no more bugs for free” policy appears to be a growing trend among security researchers. Prominent white hat hackers like Charlie Miller, Alex Sotirov or Dino Dai Zovi already adopted this stance a year ago. Evgeny Legerov, founder of Moscow-based vulnerability research company Intevydis, who declared himself a responsible disclosure contester, compared the practice with doing free Quality Assurance work for vendors.

    Credit: Softpedia.com News


  • July 6th, 2010

    Critical Security Holes In OpenCart, Multiple osCommerce Websites Infected With Malicious Code

    A security researcher claims he’s found a total of fourteen dangerous vulnerabilities in OpenCart. However, because the project’s lead developer is apparently unwilling to address security issues, he recommends that people migrate away from OpenCart as soon as possible. Security researchers also warn that multiple osCommerce websites have been compromised during the last few days. The rogue code injected into their pages attempts to infect visitors with malware served from an external domain.

    OpenCart has grown to be one of the most popular open source online shopping cart systems along with osCommerce, Zen Cart and Magento. The software is used by thousands of online stores that handle sensitive customer information on a daily basis.

    Considering that people expect to be in a secure environment when they shop online, one would think that security is one of the primary development goals for such a project. However, a Mexican security researcher named Eduardo Vela, who goes by the online moniker of sirdarckcat, claims this couldn’t be further from the truth when it comes to OpenCart.

    In his blog Mr. Vela explains that some time ago he tried to report several serious vulnerabilities to the OpenCart project on behalf of a fellow researcher who discovered them. Amongst these, there was a Local File Inclusion (LFI) flaw, an issue allowing remote arbitrary code execution and a critical cross-site request forgery (CSRF) bug, which could be exploited to take complete control of the Web application.

    According to the researcher, who adheres to responsible disclosure practices, Daniel Kerr, the OpenCart lead developer, asked not to be bothered. Since then, further security audits of OpenCart performed by Mr. Vela and his associates have revealed a total of fourteen dangerous vulnerabilities that, given Daniel Kerr’s attitude towards security, will probably never get fixed. Therefore, the only advice left to give to webmasters is to stop using the product entirely.

    The compromises of osCommerce websites have been detected by Sucuri Security, a company selling Website integrity monitoring solutions. An investigation into the incidents is ongoing, but it has been determined that all have been injected with a rogue script element loading code from an http://nt02. co.in/ 3 address [intentionally malformed].

    So far most of the affected websites also had clandestine files uploaded in their /images folder. These files are called inclasses.php, loadclasses.php or phpclasses.php. “If you are an osCommerce user, please make sure to update your installation (and check your sites) as soon as possible,” Sucuri researcher David Dede advises.
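A site check built from the indicators in the two paragraphs above, added here as an example and not taken from Sucuri or osCommerce. It flags the three reported file names, any other server-side script under an images directory, and script elements loading from hosts outside an allowlist. The function names, the allowlist, the extension list and the sample host `injected.example` are assumptions, and the sample tree is constructed.

```python
import os
import re
import tempfile

# File names the article reports as uploaded into /images.
REPORTED_NAMES = {"inclasses.php", "loadclasses.php", "phpclasses.php"}
# Assumption: an images directory should hold no server-side scripts at all.
SCRIPT_EXTS = (".php", ".phtml", ".php5", ".phar")
# Page types in which an injected <script src=...> element could sit.
PAGE_EXTS = (".php", ".html", ".htm", ".js")
# Captures the host of an absolute or protocol-relative script source.
SCRIPT_SRC = re.compile(
    rb"""<script[^>]+src\s*=\s*["']?(?:https?:)?//([^/"'\s>]+)""", re.I)

REASON_NAME = "file name reported in the osCommerce compromises"
REASON_SCRIPT = "server-side script inside images directory"
REASON_HOST = "script loaded from unlisted host "


def scan_webroot(webroot, allowed_hosts=()):
    """Walk webroot and return a sorted list of (relative_path, reason)."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        rel_dir = os.path.relpath(dirpath, webroot)
        parts = [] if rel_dir == "." else rel_dir.lower().split(os.sep)
        in_images = "images" in parts
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            lower = name.lower()
            if in_images and lower in REPORTED_NAMES:
                findings.append((rel, REASON_NAME))
            elif in_images and lower.endswith(SCRIPT_EXTS):
                findings.append((rel, REASON_SCRIPT))
            if lower.endswith(PAGE_EXTS):
                with open(full, "rb") as fh:
                    data = fh.read()
                for host in SCRIPT_SRC.findall(data):
                    host = host.decode("ascii", "replace").lower()
                    if host not in allowed:
                        findings.append((rel, REASON_HOST + host))
    return sorted(findings)


def build_sample_webroot(root):
    """Constructed tree: one clean page, one injected page, two planted files."""
    os.makedirs(os.path.join(root, "images", "banners"))
    samples = {
        "index.php": b'<html><script src="/includes/general.js"></script></html>',
        "product_info.php":
            b'<html><script src="http://injected.example/3"></script></html>',
        "images/logo.gif": b"GIF89a",
        "images/loadclasses.php": b"<?php /* placeholder body */ ?>",
        "images/banners/thumb.php": b"<?php /* placeholder body */ ?>",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(body)


def demo():
    """Scan the constructed tree, allowing only the shop's own (assumed) host."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_webroot(root)
        return scan_webroot(root, allowed_hosts=["shop.example"])


if __name__ == "__main__":
    for path, reason in demo():
        print(path + ": " + reason)
```

A hit on a reported file name or on any script under images/ is worth comparing against a known-good copy of the installation before the file is deleted, since the upload path is still unexplained at the time of the article.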

    The company is still trying to determine how the attackers succeeded in compromising the websites, but an osCommerce Remote File Injection (RFI) vulnerability disclosed about a month ago might be responsible. The bug is in “file_manager.php” and, according to a SecurityFocus advisory, is the result of failure to properly sanitize user input.

    osCommerce is notorious for extremely long wait times between releases. The latest stable version is 2.2 RC2a and was released more than two and a half years ago, on January 30, 2008. However, there are a few measures webmasters can take to protect their websites.

    Credit: Softpedia.com News


  • July 5th, 2010

    YouTube Cross-site Scripting Flaw Abused By Hackers, Redirects Visitors To Fake Or Malicious Sites

    Hackers and pranksters began exploiting a newly discovered scripting flaw on YouTube on Sunday, provoking rumours that a virus was spreading on the site.

    The cross-site scripting flaw (XSS) on the video-sharing website created a means for hackers to post JavaScript code in the comments sections of videos. The flaw meant that this JavaScript code was run on the machines of surfers viewing the same video clip.

    Predictably enough, pranksters at 4Chan have begun using the vulnerability to redirect surfers looking for Justin Bieber video clips to goatse or false reports that the irksomely clean-cut Canadian singer had died in a car crash. Denizens of 4Chan are separately trying to rig an online poll to encourage Bieber to play North Korea in an upcoming tour.

    In other cases the flaw has become the fodder of comment spam. Google iced the problem hours after it first appeared, techie-buzz.com reports.

    “We took swift action to fix a cross-site scripting (XSS) vulnerability on youtube.com that was discovered several hours ago,” said Google. “Comments were temporarily hidden by default within an hour, and we released a complete fix for the issue in about two hours. We’re continuing to study the vulnerability to help prevent similar issues in the future.”

    The appearance of the vulnerability sparked rumours on Twitter and elsewhere that a virus was spreading across YouTube. A blog post by Chris Boyd of Sunbelt charts the genesis of this rumour, which is just the sort of thing that’s likely to be used in new anti-virus (scareware) scams.

    Security watchers at the Internet Storm Centre note that the vulnerability on YouTube might potentially have been used for all manner of hacking attacks, including password stealing scams.

    “They [hackers] could steal your YouTube cookies, which probably doesn’t mean much to them, but they could also post various JavaScript code that will execute in your browser, in the context of YouTube,” an ISC handler writes. “I’ve seen nasty XSS attacks that are used to fake whole login screens and we know how many people use [the] same passwords for multiple accounts.”

    Credit: The Register


  • June 22nd, 2010

    Lenovo Support Website Loads Malicious IFrame, Infects Visitors With Trojan

    The support site of leading Chinese PC manufacturer Lenovo has been compromised by unknown attackers who injected a rogue IFrame into the pages over the weekend. Security researchers warn that unwary visitors looking for drivers are exposed to several exploits that install the Bredolab trojan onto their computers.

    According to a report from Vietnamese antivirus vendor Bkis, the pages have been infected since at least Sunday afternoon. However, some users have been reporting getting antivirus warnings when visiting Lenovo’s download website since Saturday.

    The IFrame points to an exploit kit hosted on a domain called volgo-marun.cn. After performing several checks to determine what vulnerable software they had installed on their computer, the visitors were served with exploits targeting older versions of Internet Explorer, Adobe Reader or Adobe Flash player.

    “These exploit codes attempt to load file hxxp://volgo-marun.cn/pek/exe.exe which is a virus, onto victim’s computer. The virus is a new variant of Bredolab Botnet […]. After being loaded onto the computers, the virus copies itself as %Programs%\Startup\monskc32.exe and receives commands from C&C server with domain sicha-linna8.com,” Le Minh Hung, senior security researcher at Bkis, writes.

    At the moment, the malicious executable is detected by only ten of the 41 antivirus products listed on VirusTotal. The entire download.lenovo.com subdomain has been blacklisted by Google’s Safe Browsing service. This means that Firefox or Chrome users should see malware warnings when opening resources hosted on it.

    “Of the 46 pages we tested on the site over the past 90 days, 39 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-06-20, and the last time suspicious content was found on this site was on 2010-06-20. Malicious software includes 1 trojan(s). Malicious software is hosted on 1 domain(s), including volgo-marun.cn/,” a detailed explanation of the Google warnings reads.

    Even though the malicious .cn domain appears to be dead at the moment, it could come back online at any time. Therefore, users are advised to stay clear of the Lenovo support website for a couple of days, until the manufacturer has a chance to clean it up and plug the hole that allowed the compromise in the first place.

    Credit: Softpedia.com News
