CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts

Archive for July, 2009

Twitter Confidential Information Exposed After Twitter Administrator Accounts Breach

Thursday, July 16th, 2009

An unidentified hacker has exposed confidential corporate and personal information belonging to microblogging site Twitter and its employees after breaching electronic accounts belonging to several people close to the company.

The episode is the latest reminder that the convenience of cloud-based services that store spreadsheets and other information online cut both ways. While they make it easy to access personal notes from anywhere in the world, they also open up the information to theft – especially when the owners are highly public individuals who didn’t take due care to safeguard the data in the first place.

The breach occurred “about a month ago,” when an email account belonging to a Twitter admin was compromised. From there, the employee’s Google Docs, Calendars, and other Google Apps were also accessed, Twitter co-founder Biz Stone wrote. Around the same time, a personal email account belonging to the wife of Twitter Chief Executive Evan Williams was also compromised, exposing a variety of accounts belonging to the CEO, including Amazon and PayPal.

The breach is an embarrassment for Twitter for a couple of reasons. First, it’s the most recent example of employees at the highly visible company failing to adequately protect their accounts. (In January, accounts belonging to Britney Spears and other celebrities were compromised, and as Wired.com later reported, the weak link in the chain was an admin password set to “happiness”). What’s more, the breach is airing documents the privately held company surely prefers to keep private.

Twitter’s Stone compared the breach to having one’s underwear drawer publicly rifled through: “Embarrassing, but no one’s really going to be surprised about what’s in there.”

Credit: The Register

Microsoft Office Web Components ActiveX Control ‘msDataSourceObject’ Vulnerability Allows Remote Code Execution

Tuesday, July 14th, 2009

Microsoft has released an advisory related to an Office Web Components ActiveX vulnerability. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. When using Internet Explorer, code execution is remote and may not require any user intervention.

This vulnerability exists in the ActiveX control used by IE to display Excel spreadsheets. Microsoft mentions that they are aware of active exploits against this vulnerability and at the moment there is no patch, just a a workaround. Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft advisory can be found here.

The list of affected products include:

Microsoft Office XP Service Pack 3;
Microsoft Office 2003 Service Pack 3;
Microsoft Office XP Web Components Service Pack 3;
Microsoft Office Web Components 2003 Service Pack 3;
Microsoft Office 2003 Web Components for the 2007 Microsoft Office system Service Pack 1;
Microsoft Internet Security and Acceleration Server 2004 Standard Edition Service Pack 3;
Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition Service Pack 3;
Microsoft Internet Security and Acceleration Server 2006;
Internet Security and Acceleration Server 2006 Supportability Update;
Microsoft Internet Security and Acceleration Server 2006 Service Pack 1; and
Microsoft Office Small Business Accounting 2006.

The vulnerability is being actively exploited on web sites as attackers just modify the code with a fresh download and payload to slightly modified malware. There is a .cn domain that is using a heavily obfuscated version of the exploit – which may become an attack kit (think MPACK) and is similar to recent DirectShow attacks.

Earlier today there was a highly targeted attack against an organization who received a Microsoft Office document with embedded HTML. It was specifically crafted for the target – with the document being tailored with appropriate contact information and subject matter that were specific to the targeted recipient. Analysis of the document and secondary payload found the attacker used a firewall on the malicious server so that all IP traffic outside of the targeted victim’s domain/IP range would not reach with the server.

Here is the workaround details from Microsoft Technet Blog:

By default, if the control is installed, it can be instantiated and scripted as seen by the tool output below:

C:\>ClassId.exe {0002E541-0000-0000-C000-000000000046} (*)
Clsid: {0002E541-0000-0000-C000-000000000046}
Progid: OWC10.Spreadsheet.10
Binary Path: C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
Implements IObjectSafety: True
Safe For Initialization (IObjectSafety): True — IE will allow loading
Safe For Scripting (IObjectSafety): True — IE will allow scripting
Safe For Initialization (Registry): False
Safe For Scripting (Registry): False
KillBitted: False — It is not killbitted

(*) This example uses the OWC10 classid. Same applies to the OWC11 classid: {0002E559-0000-0000-C000-000000000046}

In order to protect your system you can issue the killbit for the two classids by adding the following value in the registry following these steps:

1) Use Registry Editor to view the data value of the Compatibility Flags DWORD in the following two registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E541-0000-0000-C000-000000000046}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E559-0000-0000-C000-000000000046}

2) Change or add the value of the Compatibility Flags DWORD value to 0×00000400.

After applying the killbit you can check it again with the ClassId.cs tool:

C:\>ClassId.exe {0002E541-0000-0000-C000-000000000046} (*)

Clsid: {0002E541-0000-0000-C000-000000000046}
Progid: OWC10.Spreadsheet.10
Binary Path: C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
Implements IObjectSafety: True
Safe For Initialization (IObjectSafety): True
Safe For Scripting (IObjectSafety): True
Safe For Initialization (Registry): False
Safe For Scripting (Registry): False
KillBitted: True — Since the kilbit has been applied, IE will refuse to load the control

(*) This example uses the OWC10 classid. Same applies to the OWC11 classid: {0002E559-0000-0000-C000-000000000046}

At this point you are no longer vulnerable to this threat through the IE vector.

As mentioned in the advisory, we are also providing a way to apply this workaround automatically. You can click the button below to set the kill-bit on this control.

Credit: SANS ISC
Credit: Microsoft TechNet Blogs

Unpatched Memory Corruption Flaw In Latest Firefox 3.5 Can Install Malware

Tuesday, July 14th, 2009

An unpatched memory corruption flaw in the latest version of Firefox creates a means for hackers to drop malware onto vulnerable systems.

Security notification firm Secunia reports that the security bug (which it describes as extremely critical) stems from errors in handling JavaScript code. The flaw has been confirmed in the latest 3.5 version of Firefox, released in late June.

Older versions of the popular alternative browser might also be affected, Secunia warns.

Exploit code has been uploaded onto recently revived security exploit website milw0rm, a factor that could hasten the development of more attack code.

Secunia advises Firefox users to avoid browsing untrusted websites or following untrusted links pending the availability of a fix from Mozilla (there’s nothing in the pipeline just yet).

The appearance of an unpatched vulnerability in Firefox could hardly have come at a worse time because it coincides with confirmation from Microsoft on Monday of a second unpatched ActiveX flaw affecting users of its Internet Explorer software.

Only one of these two security bugs is likely to be fixed later on Tuesday, when Microsoft publishes its monthly Patch Tuesday update. That prompted some security researchers, including those at the SANS Institute’s Internet Storm Centre, to consider the use of an alternative browser on the grounds of security.

Selecting Firefox over IE when both have unresolved security problems fails to make much sense, leaving Windows users looking for more secure surfing software alternatives with a choice limited to Opera, Safari and Google Chrome.

Credit: The Register

ImageShack Hacked By Anti-Sec Group In Protest Of Security Vulnerabilities Full Disclosure

Monday, July 13th, 2009

A hacking group has broken into one of the biggest image hosting websites on the net before uploading its manifesto.

“Anti-Sec” broke into ImageShack to post a protest over sites that publish full disclosure material on security vulnerabilities, though how the attack furthers this agenda is unclear. The group, which also attacked the websites of astalavista.com last month, pledged to cause further “mayhem and destruction” against supporters of full disclosure, which it argues benefits security firms and cybercrooks at the expense of the wider community.

Ironically, exploit code associated with Anti-Sec’s latest attack was posted on a full disclosure mailing list.

Anti-Sec’s proposed program of action calls for “eliminating the security industry in its present form”. Security blogs or exploit-related websites who support full-disclosure were warned to brace themselves for attack.

Security firms were quick to pick apart the group’s arguments. Rik Ferguson, a security consultant at Trend Micro, said the group fails to acknowledge that full disclosure allows security organisations to “mitigate against attacks before they are exploited in the wild”. It also ignores the point that cybercrooks often profit from undisclosed vulnerabilities.

Ferguson compares the group to the “wacky end of the survivalist movement… heading for the hills with their tins of beans and their AK-47s (and now SQLi [SQL injection - a common website exploit technique].”

ImageShack, which was hit by the defacement late on Friday, restored its service to normal over the weekend.

Credit: The Register

Twitter Micro-blogging Compromised Accounts Spread Koobface Worm

Sunday, July 12th, 2009

The Koobface worm, which previously infected users of Facebook and MySpace, is spreading among users of micro-blogging website Twitter.

The scale of the attack is unclear but serious enough for Twitter to issue a warning on Friday morning, via the service’s status page:

Some users’ PCs have been infected with a variant of the Koobface malware. This malware sends bogus tweets when the user logs into Twitter.

We are currently suspending all accounts that we detect sending such bogus tweets. If we suspend your account, we will send you an email notifying you of the suspension. This email also includes tips for removing the malware from your PC.

Koobface-related activity has been detected on Twitter before, but the latest assault has provoked a more concerted response from the micro-blogging service, including plans to temporarily suspend compromised accounts.

Accounts accessed from compromised PCs inject rogue updates into a Twitter stream, supposedly containing a link to a video but actually pointing towards one of around 20 sites loaded with exploit code that poses as a video codec. Windows users who follow this links and install the “codec” wind up getting infected with Koobface, re-starting the whole infection cycle.

Some messages that point to exploit sites promise “michaeljackson’ testament on youtube” while others refer to “My home video :)”, Sophos reports, adding that users should avoid following malvertised links.

Panda Security reports that attempts to install rogue anti-virus (scareware) packages onto compromised machines are made, strongly suggesting that the attack is financially motivated.

Credit: The Register

Mobile Malware Transmitter.C Spreading In The Wild

Wednesday, July 8th, 2009

Researchers from NetQin Tech. are reporting on a newly discovered mobile malware variant (Transmitter.C) distributed through a modified version of legitimate mobile application. Upon execution, the malware attempts to automatically spread by sending hundreds of SMS messages linking to a web site where a copy of it (sexySpace.sisx) can be found.

NetQuin’s CEO, Dr. Lin Yu provided more insight into the nature of the malware, its financial implications for the infected user, as well as thoughts on the future of mobile malware.

As a foreign variant of previous erotic short message virus (Transmitter.A), this virus camouflages in a normal third party mobile phone software ” Advanced device locks” to inveigle the users to install it. After installation, this virus will be automatically started up and it will automatically access network for about 3 minutes. Later, the virus will send short messages externally at interval of 10 – 15 seconds. As can be observed from the communication record, there are large amount of records of sending short messages, all the numbers to which short messages are sent are strange numbers, but it is completely impossible to find the record of short messages that have been sent in the Sent Box.

After having sent about 500 strange short messages, this virus will traverse the cards folder to send out short messages. Furthermore, this virus can automatically identify mobile phone languages and send different short message contents including “Classic Gongfu stories, City passion, Wife change, School girl, Violent incest… Please immediately access?” A very interesting girl. Try it now!” etc., and attach a URL after each short message.

This virus will run away with user’s tariff by sending out short messages at such high frequency. In addition, it is very likely that this virus forcibly subscribes some services for the users, thus consuming user’s tariff.

Furthermore, this virus has transmissibility. In the form of obscene short messages, it will inveigle the users to click the links in the contents of short messages. Upon clicking such links, a user will download virus to his/her mobile phone, becoming the next virus-spreader. In addition, this virus can also transmitted in the form of legitimate third party software that is put in the Website and Forum for downloading mobile phone software.

As compared with the Symbian malicious software formerly discovered, Transimitter.C has even stronger transmissibility and harmfulness: It not only has the corresponding server end for coordination, but can also be dynamically adapted to the current language of mobile phone and thus send short messages to address lists and strange numbers in different languages Furthermore, utilizing obscene short messages with links, it can inveigle the users to click it for installation. If this virus has been transmitted to mobile phones, it will bring tremendous economic loss and reputation crisis to the users.

This virus can camouflage as legitimate software for transmission. Camouflage mode: The executable body of virus attaches at normal software to inveigle the users to install it. This malicious software is designed to realize the object of making commercial profit. Transimitter.C has promoted some malicious links. Very likely, it forcibly subscribes some services for the users, thus consuming the tariff of users; These malicious links may induce a user to download virus to his/her mobile phone, so that this user will become the next virus-spreader.

Credit: ZDnet.com Security Blogs

Government And Private Companies Websites Struggle Against DDoS Attacks

Wednesday, July 8th, 2009

Websites belonging to the federal government, regulatory agencies and private companies have been struggling against sustained online attacks that began on the Independence Day holiday, according to multiple published reports.

At time of writing, most of the targets appeared to be afloat. Nonetheless, several targets have buckled under the DDoS, or distributed denial of service, attacks, which try to bring down a website by bombarding it with more traffic than it can handle. FTC.gov was experiencing “technical issues” on Monday and Tuesday that prevented many people from reaching the site, spokesman Peter Kaplan said.

Other sites, including FAA.gov, Treas.gov and DOT.gov also experienced outages. DOT spokeswoman Sasha Johnson said late Tuesday: “The DOT has been experiencing network incidents since this past weekend. We are working with the US Computer Emergency Readiness Team at this time.”

Both Kaplan and Johnson declined to say whether their agencies’ sites were under attack.

The DDoS attacks appear to be originating from compromised computers located primarily in the Asia Pacific region and are being delivered as plain-vanilla floods of ping, syn and UDP packets, said the person, who asked not to be identified because he wasn’t authorized to share the details.

The attacks came as South Korean websites operated by the government and private companies also were hit, the Associated Press reports. In all, 26 websites, including those run by Nasdaq, the New York Stock Exchange and the Washington Post are being targeted, according to The Washington Post, which also covered the attacks.

There seems to be some confusion about just how powerful the attacks are. The person familiar with the attacks said they were relatively modest.

“Most are easy to mitigate,” the person familiar with them said. “I’m surprised any of these attacks are as effective as they are.”

But an unidentified person briefed by government investigators told IDG News the attacks directed as much as 20 gigabytes to 40 gigabytes of bandwidth per second during their height over the weekend. They have since settled down to about 1.2 gigabytes per second, IDG said.

Credit: The Register

Update (July 09): It seems there is still a DDoS attack against a number of websites, most of them belong to US and South Korea goverment sites. The malware involved in the attack has been detected as Mydoom.HN. This is the list of URLs that is targeting:

www.president.go.kr
www.mnd.go.kr
www.mofat.go.kr
www.assembly.go.kr
www.usfk.mil
blog.naver.com
mail.naver.com
banking.nonghyup.com
ezbank.shinhan.com
ebank.keb.co.kr
www.hannara.or.kr
www.chosun.com
www.auction.co.kr
www.whitehouse.gov
www.faa.gov
www.dhs.gov
www.state.gov
www.voanews.com
www.defenselink.mil
www.nyse.com
www.nasdaq.com
finance.yahoo.com
www.usauctionslive.com
www.usbank.com
www.washingtonpost.com
www.ustreas.gov
whitehouse.gov
faa.gov
evisaforms.state.gov
www.moneyfactory.gov
www.dot.gov
www.ftc.gov
www.nsa.gov
www.usps.gov
www.voa.gov
www.yahoo.com
travel.state.gov
www.nyse.com
www.site-by-site.com
www.marketwatch.com
www.amazon.com

Credit: PandaLabs

Fresh DirectShow Exploit In Internet Explorer Hits Windows Users

Monday, July 6th, 2009

Thousands of websites have been hit by fast-moving exploit code that installs a cocktail of nasty malware on visitors’ computers by targeting a previously unknown vulnerability in some versions of Internet Explorer.

The compromised websites link to a series of servers that exploit a zero-day vulnerability in an IE component that processes media. The vulnerability affects those using the XP and 2003 versions of Windows, Microsoft warned in advisory 972890.

“An attacker who successfully exploited this vulnerability could gain the same user rights as the local user,” company security representatives wrote. “When using Internet Explorer, code execution is remote and may not require any user intervention.”

More than 1,000 websites have been compromised so they include links that redirect users to sites that exploit the vulnerability, according to this translation of an advisory from CSIS. The warning said Windows 2000 was also vulnerable to the attacks, contrary to Microsoft’s write-up, which explicitly said 2000 was not affected.

What isn’t in dispute is that IE 7 on Vista is not vulnerable, presumably because ActiveX objects are blocked by default, according to McAfee researchers Haowei Ren and Geok Meng Ong.

The compromised websites are largely located in China and are operated by local schools and community centers. They point to a series of links that ultimately redirect users to a server at 8oy4t.8 866.org, according to CSIS. The site includes a JPG file that exploits a variety of vulnerabilities, “including an unprecedented stack overflow in DirectShow MPEG2TuneRequest,” according to CSIS. Secunia rates the vulnerability “extremely critical,” the highest rating on its five-tier severity scale.

Other vulnerabilities that are exploited are known as XMLhttp.d, RealPlay.a, BBar, and the MS06-014, according to McAfee.

The new vulnerability in DirectShow is different than a DirectShow security bug Microsoft warned of in late May, a spokesman said.

Today’s Microsoft advisory offers a workaround users can take to safeguard against the vulnerability until a patch is released. It involves making changes to the Windows registry, a risky undertaking for those who aren’t sure what they’re doing. The easier fix is to stop using IE until there’s a fix, at least for those who don’t use apps that are dependent on the Microsoft browser.

Credit: The Register

Multiple Popular Websites Affected By EyeWonder Malware Incident

Saturday, July 4th, 2009

According to ZDNet, during the last couple of hours, visitors of popular and high trafficked web sites such as CNN, BBC, Washington Post, Gamespot, WorldOfWarcraft, Mashable, Chow.com, ITpro.co.uk, AndroidCommunity, Engadget and Chip.de, started reporting that parts of the web sites are unreachable due to malware warnings appearing through the EyeWonder interactive digital advertising provider.

According to Google’s SafeBrowsing advisory for EyeWonder, the exploits were hosted on currently active and participating in the Cold Fusion injection attack domains, namely elfah .net, 2ici .cn and javazhu.3322 .org – the following have also managed to compromise Pakistan’s Telecommunication Authority.

By using RealPlayer Import stack overflow exploit and another one attempting a QVOD Player URL overflow, the cybercriminals then attempt to push eight different malware samples. Detection rates for the droppers are improving.

Interestingly, one of the malware samples attemps to download the updated list of malware binaries by connecting a compromised Italian site part of the Cold Fusion injection attacks (betheboss.it) since it appears to have been exploited in such a way.

This malware incident demonstrates how a single exploitation of a trusted third-party content/ad serving vendor can not only undermine its credibility, but potentially the credibility of the sites using the network. And since the ads on the affected sites are dynamically served through different networks, it remains questionable whether it was in fact EyeWonder that served malicious content, or a compromised partner of the network itself.

Case in point – the partnership between Facilitate Digital and EyeWonder comes in a very insecure fashion with EyeWonder having a permanent iFrame tag loading a domain (adsfac.us) belonging to Facilitate Digital on its front page.

For the time being, EyeWonder.com remains down for maintenance.

Credit: ZDNet.com Security Blogs

Drive-by Download Attack Hits Multiple Sites Running Vulnerable ColdFusion Application

Saturday, July 4th, 2009

Hackers are running a mass compromise against sites running vulnerable ColdFusion application server installations.

Security watchers at the SANS Institute’s Internet Storm Centre are warning that a “high number” of sites have been hit over the last 36 hours or so. Miscreants are exploiting sites running older installations of some ColdFusion applications, such as FCKEditor (a popular HTML text editor) or CKFinder (an Ajax file manager).

The two main strands of the assault both target FCKEditor. Firstly version 8.0.1 of ColdFusion installs a vulnerable version of FCKEditor that is enabled by default. The security flaw creates a means for criminals to upload arbitrary files on affected servers. Details of how to resolve this problem can be found on ColdFusion’s site.

The second strand of the attack relies on third party applications, in particular the CFWebstore e-commerce app, that incorporate vulnerable versions of FCKEditor.

Hackers are taking advantage of the vulnerabilities to plant malicious scripts onto compromised websites, as part of a drive-by download attack that ultimately aims to infect visiting surfers.

SANS reckons the crackers behind the attack are the same as the gang that pulled off a similar attack back in March. Security researchers urge sites to review their ColdFusion installations, paying particular attention to deleting older applications that may have been left around as orphans during systems upgrades.

Credit: The Register