A new Storm worm (aka Dorf) campaign has been launched to infect PCs running Windows. The latest campaign is centered around messages related to the Federal Bureau of Investigation and Facebook.
Starting a week ago, the authors have renewed their attacks and published 3 campaigns within the last 8 days. As usual, this most recent Trojan is spread via unsolicited spam email that contains a link to a malicious website. That website in turn contains a link that, when clicked, may run the executable file “fbi_facebook.exe” and infect the user’s system with malicious code.
The email subjects for the latest campaign currently include:
F.B.I. may strike Facebook
F.B.I. watching us
The FBI’s plan to “profile” Facebook
The FBI has a new way of tracking Facebook
F.B.I. are spying on your Facebook profiles
F.B.I. busts alleged Facebook
Get Facebook’s F.B.I. Files
Facebook’s F.B.I. ties
F.B.I. watching you
This latest campaign uses both domain names and bare IP addresses as links. The malware and spam messages have changed very little, even though the topics and websites were updated regularly.
Users should install anti-virus software, keep its virus signature files up-to-date and never follow unsolicited web links received in email messages.
Security researchers from Argentina have released a malcode distribution toolkit capable of launching man-in-the-middle attacks against popular products that use insecure update mechanisms. The toolkit, called Evilgrade, works in conjunction with man-in-the-middle techniques (DNS, ARP and DHCP spoofing) to exploit a wide range of applications, according to a post on the Metasploit blog.
The first version of the toolkit ships with exploit modules for several widely deployed software products, including Apple’s Mac OS X and iTunes, WinZip, Winamp, OpenOffice, Sun Java, DAP, Speedbit, Notepad++, the LinkedIn Toolbar and others. The toolkit is a modular framework that exploits poor upgrade implementations by injecting fake updates: each module implements the structure needed to emulate a false update for a specific application or system. Evilgrade requires manipulation of the victim’s DNS traffic.
This demo video shows how a sophisticated blended attack can be used to target millions of Windows users. In the video, Evilgrade uses HD Moore’s recent DNS exploit in tandem with Sun’s Java update mechanism to execute code and hijack a fully patched Windows machine.
It works only when a man-in-the-middle attack has first been carried out, but thanks to the domain name system vulnerability that has dominated security coverage ever since researcher Dan Kaminsky sounded the alarm three weeks ago, that’s not much of a problem.
Recently, numerous independent sources have started to see evidence of DNS cache poisoning attempts on their local networks, in what appears to be an attempt to take advantage of the DNS cache poisoning vulnerability. Publicly available exploits have been downloaded tens of thousands of times in the last few days.
Users should check whether their ISP is running DNS servers susceptible to cache poisoning. Recent studies show that many ISPs in the USA are vulnerable to this attack.
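One way to perform that check from the defender's side, as an added example that is not part of the original article or of any tool it mentions: capture the resolver's outbound queries (tcpdump-style lines, constructed here) and test whether the source port and transaction ID vary, since a fixed port and counting IDs are what a poisoning attempt depends on. The capture lines, addresses and thresholds are assumptions made for this example.

```python
import re

# Constructed tcpdump-style lines of a resolver's outbound queries (made up for
# this example; the addresses are documentation ranges, not any real ISP).
# Port and transaction ID never vary: the pattern a poisoning attempt needs.
FIXED_PORT_CAPTURE = """\
IP 192.0.2.53.53 > 198.51.100.10.53: 4711+ A? example.net. (29)
IP 192.0.2.53.53 > 198.51.100.10.53: 4712+ A? example.org. (29)
IP 192.0.2.53.53 > 198.51.100.10.53: 4713+ A? example.com. (29)
IP 192.0.2.53.53 > 198.51.100.10.53: 4714+ A? example.edu. (29)
"""
# The same queries from a patched resolver: random source port and random ID.
RANDOM_PORT_CAPTURE = """\
IP 192.0.2.53.41877 > 198.51.100.10.53: 9021+ A? example.net. (29)
IP 192.0.2.53.58204 > 198.51.100.10.53: 30377+ A? example.org. (29)
IP 192.0.2.53.33610 > 198.51.100.10.53: 1540+ A? example.com. (29)
IP 192.0.2.53.60122 > 198.51.100.10.53: 52188+ A? example.edu. (29)
"""

# "IP <src-ip>.<src-port> > <dst-ip>.53: <txid>+ ..." as tcpdump prints a query
QUERY_RE = re.compile(r"^IP (?:\d+\.){4}(\d+) > (?:\d+\.){4}53: (\d+)\+")


def parse_queries(capture: str) -> list:
    """Return (source_port, transaction_id) for every outbound query line."""
    pairs = []
    for line in capture.splitlines():
        m = QUERY_RE.match(line)
        if m:
            pairs.append((int(m.group(1)), int(m.group(2))))
    return pairs


def assess_randomization(pairs: list) -> dict:
    """Flag a resolver that reuses one source port or counts its IDs up by one."""
    ports = [p for p, _ in pairs]
    ids = [i for _, i in pairs]
    fixed_port = len(pairs) > 1 and len(set(ports)) == 1
    sequential_ids = len(ids) > 1 and all(b - a == 1 for a, b in zip(ids, ids[1:]))
    return {
        "queries": len(pairs),
        "distinct_ports": len(set(ports)),
        "fixed_port": fixed_port,
        "sequential_ids": sequential_ids,
        "verdict": "likely unpatched" if (fixed_port or sequential_ids) else "randomized",
    }


if __name__ == "__main__":
    for name, cap in (("fixed", FIXED_PORT_CAPTURE), ("random", RANDOM_PORT_CAPTURE)):
        print(name, assess_randomization(parse_queries(cap)))
```

Four queries are only enough to illustrate the logic; a real check should look at dozens. Capture on the resolver's outside interface, because a NAT device in front of it can collapse randomized ports back into a fixed one.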
Two computer servers containing a database of Connecticut College, Wesleyan University and Trinity College library patrons were accessed by hackers, Connecticut College officials said Friday. The database included the names, addresses, social security and driver’s license numbers. The personal information on the servers belonged to 12 Wesleyan University library patrons, approximately 2,800 Connecticut College library patrons and three Trinity College library patrons.
David Pesci, director of public relations at Wesleyan, said that on Wednesday, when information technology workers noticed the servers had been broken into, they removed all the personal information. Investigators from Wesleyan believe the breach was committed so hackers could set up illegal chat rooms, attack other sites and perhaps send spam.
The breach was limited to two servers from the CTW library consortium housed at CTW’s headquarters at Wesleyan. It did not affect other servers in Wesleyan’s computer network, and no Wesleyan faculty, students or staff were affected. The CTW consortium has investigated this incident and found no evidence the personal information on the servers was viewed or stolen.
Officials from Wesleyan and CTW members have alerted police and the state attorney general’s office regarding this incident.
All personal information has been deleted from the database and steps were taken to secure the servers. Individuals with questions may contact Ruth Seeley, manager of computer support services at ruth.seeley@conncoll.edu or (860) 439-2052.
According to the National Vulnerability Database, Apple’s Safari browser is vulnerable to session fixation attacks because of the way it handles cookies in country-specific top-level domains. A hacker who appeared at Microsoft’s Blue Hat summit is credited with discovering this Safari vulnerability. Safari 3.1.2 is vulnerable; other versions may also be affected.
Apple Safari allows web sites to set cookies for country-specific top-level domains, such as co.uk and com.au, which could allow remote attackers to perform a session fixation attack and hijack a user’s HTTP session, aka “Cross-Site Cooking”. The flaw allows unauthorized disclosure of information, unauthorized modification of content and disruption of service. To exploit this issue, an attacker must entice an unsuspecting user to open a malicious document.
Currently there are no vendor-supplied patches. As a permanent solution, do not browse untrusted web sites or follow untrusted links.
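The check a browser should apply before honouring a cookie’s Domain attribute, as an added example that is not Apple’s code or part of the original article: a Domain that is itself a public suffix such as co.uk is refused, so a cookie set by one co.uk site cannot be handed to every other co.uk site. The suffix list is a tiny constructed subset of the real Public Suffix List, and the hostnames are assumptions for this example.

```python
# Tiny constructed subset of the Public Suffix List; a browser uses the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk", "au", "com.au", "net.au"}


def _normalize(domain: str) -> str:
    """Lower-case and strip the leading/trailing dot a Domain attribute may carry."""
    return domain.lower().strip(".")


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """True if cookie_domain equals request_host or is a parent domain of it."""
    host, dom = _normalize(request_host), _normalize(cookie_domain)
    return host == dom or host.endswith("." + dom)


def cookie_domain_allowed(request_host: str, cookie_domain: str) -> bool:
    """The check Safari 3.1.2 lacked: refuse a Domain that is a public suffix such
    as co.uk, and refuse one that does not cover the host setting the cookie."""
    dom = _normalize(cookie_domain)
    if not dom or dom in PUBLIC_SUFFIXES:
        return False
    return domain_matches(request_host, dom)


def parse_set_cookie(header: str) -> dict:
    """Split 'name=value; Domain=...; Path=...' into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie


def should_store(request_host: str, set_cookie_header: str) -> bool:
    """Decide whether a browser should keep a cookie set by a response from request_host."""
    cookie = parse_set_cookie(set_cookie_header)
    if "domain" not in cookie:
        return True  # host-only cookie: sent back to request_host alone, nothing to check
    return cookie_domain_allowed(request_host, cookie["domain"])
```

On the server side, the standard defence against session fixation regardless of browser behaviour is to issue a fresh session identifier at login rather than accepting one already present in the request.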
Several airlines have warned customers that bogus e-mails posing as ticket invoices contain malware and urged them to immediately delete the messages. Airlines that issued warnings include Delta Air Lines Inc., Northwest Airlines Corp., Sun Country Airlines and Midwest Airlines Inc. Sun Country also reported these e-mails to Yahoo, Hotmail and the United States Computer Emergency Readiness Team.
A researcher at McAfee Inc. confirmed the campaign in a post to the company’s blog. Messages may appear as follows (updated spam campaigns may appear different):
From: [name] [airline_name] Airlines
Subject: Your order from {airlines} [number]
or
Subject: Online order for flight ticket [number]
Body:
Hello,
Thank you for using our new service “Buy airplane ticket Online” on our website.
Your account has been created:
Your login: [characters]
Your password: [characters]
Your credit card has been charged for $[number in the $400 range]
We would like to remind you that whenever you order tickets on our website you get a discount of 10%!
Attached to this message is the purchase Invoice and the flight ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!
Kind regards,
[name]
[airline]
Attachment: E-ticket_[number].zip (containing an executable, which may have a Word document icon).
The e-mails, which purport to be from an airline, thank the recipient for using a new “Buy flight ticket Online” service on the airline’s site, provide a log-in username and password, and say the person’s credit card has been charged an amount usually in the $400 range. An attachment claims to be the invoice for the ticket and credit card charge.
However, the .zip attachment is a Trojan horse that steals information, including keystrokes, from the infected Windows PC and transmits that data to a server hosted in Russia. McAfee has labeled the malware “Spy-Agent.bw,” while Symantec Corp. has labeled the same Trojan horse “Infostealer.Monstres.”
This trojan first made a name for itself almost a year ago, when it was used to rip off more than 1.6 million customer records from Monster Worldwide Inc., the company that operates the popular Monster.com recruiting Web site.
The Centers for Osteopathic Research and Education (CORE) at Ohio University removed a Web document last week that inadvertently contained personal information belonging to individuals who have provided academic programming for the medical education consortium. CORE is an osteopathic medical education consortium comprising member teaching hospitals, clinical training sites and osteopathic medical schools. The Ohio University College of Osteopathic Medicine is the central academic member of CORE.
CORE has identified, sent information to and developed resources for the 492 presenters affected, including doctors and nurses. The document was available to all for months. On July 16, CORE removed a spreadsheet that contained the information.
It had been accessible since March 20 and was discovered when a nurse found the information last week while conducting online research. A document that should have been posted did not contain personal information, according to CORE. The document that should have been posted was intended to help CORE’s Residency Program Advisory Committees (RPAC) directors, who coordinate education programs for physicians-in-training and identify and engage medical education speakers.
It was not intended to carry personal information. In addition to names and Social Security numbers, the spreadsheet included contact numbers, addresses, their speaking topics and federal employer identification numbers. The person responsible for posting the information was put on paid administrative leave and has no access to the Web site or to CORE data pending a review.
There is no indication that any of the personal information was misused, said CORE spokeswoman Karoline Lane. With the help of OU experts, CORE is examining what happened and how it happened.
Within one week of learning about the error, CORE has undertaken the following to assist those whose information was exposed: published an informational Web site (www.ohiocore.org/answers); provided a toll-free call-in number (866-437-8698); and offered credit monitoring service for one year.
Saint Mary’s Regional Medical Center recently discovered that an intruder may have gained access to a proprietary database through the on-line registration area of Saint Mary’s public-facing website. The database is used for health education classes and wellness programs and contains personal information including name, address, limited health information and some Social Security numbers. The database did not contain any hospital medical records or credit card numbers. The potential breach was discovered on April 28.
Saint Mary’s Regional Medical Center sent warning letters this month to about 128,000 patients and clients. Saint Mary’s officials said they immediately shut down the database and launched an investigation with Equifax, which is one of the three major credit agencies. The medical center hired the Equifax company to investigate the breach, reconstruct the database, set up a dedicated hot line and compile addresses for the notification of customers.
According to the same officials, the delay (almost 3 months) in notifications occurred because the database had to be reconstructed. Saint Mary’s has no evidence that any identity theft or fraud has occurred as a result of this incident, but is notifying in writing all persons whose information was included in the database.
Several recipients of the letters expressed concern about the nature of the database, including its size, about 128,000 records, and how their information was collected. Saint Mary’s officials said they were trying to determine if everyone affected was informed and the records were compiled properly. Others wondered how Saint Mary’s managed to find them and whether the center keeps personal information for decades after treatment. Saint Mary’s officials said the database is “absolutely separate” from hospital medical records.
Saint Mary’s Regional Medical Center has put new security measures in place to minimize the likelihood of this occurring again, said Saint Mary’s president and CEO. Free credit monitoring is being offered to those customers whose Social Security numbers were in the database. More information is available on Saint Mary’s website at www.saintmarysreno.org, or by calling Saint Mary’s infoline at 775-770-7711.
After recent malware emails disguised as UPS and tax messages, a new attack is circulating via bogus email messages that claim to be from the “US Customs Service.” The messages may contain the following subject lines:
Customs - We have received a parcel for you
Customs, please read
Parcel requires declaration
Your parcel is at the customs office
The message indicates that a parcel addressed to the recipient of the email has been received. These messages may also encourage users to open an attachment that may contain malicious code.
The messages start with a greeting and then say:
We have received a parcel for you, sent from France on July 9. Please fill out the customs declaration attached to this message and send it to us by mail or fax. The address and the fax number are at the bottom of the declaration form.
The attachment is currently called Bill_Tax.zip, and the Trojan inside is a variation of what we’ve seen previously, detected by Sophos as Mal/Spy-A.
Users should not open attachments contained in unsolicited email messages and should use anti-virus software with updated virus signature files.
Researchers from the University of Michigan found that 75 percent of the bank sites surveyed had at least one security flaw. The report was presented Friday at the Symposium on Usable Privacy and Security meeting at Carnegie Mellon University. According to the research, the vast majority of US bank websites jeopardize the security of their online customers by including design flaws that expose passwords and are susceptible to tampering by attackers.
In a paper titled “Analyzing Web sites for user-visible security design flaws,” researchers describe design flaws that could compromise security of some of the largest banks in the country. The flaws aren’t bugs, but rather features built into the design of the sites. They include:
Placing secure login boxes on insecure pages, i.e. pages that aren’t protected by Secure Sockets Layer (SSL). That allows passwords to be intercepted through man-in-the-middle attacks.
Putting contact information and security notices on insecure pages. This makes it easy for scammers to change addresses and phone numbers listed on the page.
Not making it clear when the website is redirecting customers to a page outside the bank’s domain. As a result, customers don’t know whether to trust the site.
Allowing inadequate user IDs and passwords. Sites frequently allowed email addresses as user IDs and didn’t require strong passwords.
Emailing sensitive information. This included passwords and statements.
The report was based on an examination of the websites of 214 financial institutions. The study was conducted in 2006, so it is possible the designs have since been cleaned up. It is also possible that between 2006 and 2008 many more security flaws have been added but not yet discovered.
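A scanner for the first of the design flaws listed above, as an added example that is not part of the study or the original article: it parses a page's forms and flags a login box served over plain HTTP, one that submits over plain HTTP, and one that submits to a host other than the page's own. The bank pages are constructed under the reserved .test domain, and comparing whole hostnames is a simplification (a production scanner would compare registrable domains).

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed pages for a fictional bank; .test is a reserved TLD, not a real site.
INSECURE_LOGIN_PAGE = ("http://www.example-bank.test/", '<form method="post" action="https://www.example-bank.test/login"><input name="u"><input type="password" name="p"></form>')
THIRD_PARTY_LOGIN_PAGE = ("https://www.example-bank.test/", '<form method="post" action="https://auth.vendor.test/login"><input name="u"><input type="password" name="p"></form>')
GOOD_LOGIN_PAGE = ("https://www.example-bank.test/", '<form method="post" action="/login"><input name="u"><input type="password" name="p"></form>')


class FormCollector(HTMLParser):
    """Record every <form>, its action and whether it contains a password field."""
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # bare attributes arrive with v=None
        if tag == "form":
            self._current = {"action": a.get("action", ""), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current and a.get("type", "").lower() == "password":
            self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def login_form_findings(page_url: str, html: str) -> list:
    """Flag a login box on a non-SSL page, one posting over plain HTTP, and one
    posting to a host other than the page's own (whole-hostname comparison)."""
    collector = FormCollector()
    collector.feed(html)
    page = urlparse(page_url)
    findings = []
    for form in collector.forms:
        if not form["has_password"]:
            continue  # search boxes and the like are not login forms
        target = urlparse(urljoin(page_url, form["action"]))
        if page.scheme != "https":
            findings.append("login form served on an insecure page")
        if target.scheme != "https":
            findings.append("login form submits over insecure transport")
        if target.hostname != page.hostname:
            findings.append(f"login form submits to another domain ({target.hostname})")
    return findings
```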
RealNetworks has issued an update that patches four security holes in its RealPlayer jukebox program, including a critical flaw that vulnerability tracker Secunia published today. The patch comes a few hours after Secunia released an advisory warning for one of the vulnerabilities, a heap-based buffer overflow caused by a design error within RealPlayer’s handling of frames in Shockwave Flash (SWF) files.
Among the bugs fixed is a flaw in the handling of frames in Shockwave Flash (SWF) files that results in a heap-based buffer overflow. Secunia published an advisory warning of the vulnerability, which carries the Common Vulnerabilities and Exposures designation CVE-2007-5400.
A second bug, CVE-2007-1309, affects the RealAudioObjects.RealAudio ActiveX control, which doesn’t properly manage memory for the Console property, allowing the remote execution of code. Details weren’t yet available about the remaining two vulnerabilities, CVE-2008-3064 and CVE-2008-3066.
The vulnerabilities were brought to RealNetworks’ attention by Dyon Balding, Elazar Broad, CERT/CC, Haifei Li and Peter Vreugdenhil.
According to RealNetworks, at least one of the four bugs affects all platforms: Windows, Mac OS X and Linux. Users should update as soon as possible.