CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts

Archive for the ‘Microsoft’ Category

Pron.com And 55 Additional Adult Websites Compromised, 26000 Emails And Passwords Posted Online

Sunday, June 12th, 2011

The notorious LulzSec hacking outfit has leaked over 26,000 email addresses and plain text passwords stolen from the database of the adult website Pron.com. After dumping the data online, the group encouraged people to try the login credentials on Facebook and tell the victims’ family members how they had signed up for the adult site.

The reason? Just for fun. “Watch the hilarity. Tell us about it on twitter!” the hackers wrote in their announcement. Fortunately, word of the potential abuse quickly reached Facebook’s security team which forced password resets for all accounts corresponding to those email addresses.

This impressed LulzSec members, but also gave them new ideas for future attacks. “Props to Facebook security for locking all emails located on our list so fast. That’s the kind of security that earns a tip of our hat,” the hackers wrote.

“Hmm… so Facebook automatically locks every email on our list… exploitable. >:] Until next time, Facebook. Bwahahaha,” they later tweeted.
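The forced-reset response described above has the side effect the group points at: if every address on an attacker-supplied list is locked, anyone who can publish a list can lock arbitrary users out. The script below is an added example (not code from the article, Facebook or LulzSec) of one way a site can triage a credential dump so that only accounts whose stored password actually matches the leaked plaintext are forced to reset. The account store, the `email:password` dump lines and the PBKDF2 hashing scheme are all constructed for the example.

```python
"""Added example (not from the article): triage a leaked credential dump
against an account store so that only genuinely affected accounts are
forced to reset. Resetting every address that merely appears on an
attacker-supplied list lets anyone lock arbitrary users out; verifying the
leaked plaintext against the stored hash avoids that. All data below is
constructed; PBKDF2-SHA256 is an illustrative choice of password hash."""
import hashlib
import hmac
import os

ITERATIONS = 50_000  # assumption: illustrative work factor


def normalize_email(addr: str) -> str:
    """Canonicalise an address for matching: trim whitespace, lower-case."""
    return addr.strip().lower()


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_account(email: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"email": normalize_email(email), "salt": salt,
            "hash": hash_password(password, salt), "must_reset": False}


def verify(account: dict, password: str) -> bool:
    """Constant-time comparison of the stored hash with a candidate password."""
    return hmac.compare_digest(account["hash"],
                               hash_password(password, account["salt"]))


def parse_dump(text: str):
    """Parse 'email:password' lines as found in plain-text dumps; skip junk."""
    creds = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, _, password = line.partition(":")
        creds.append((normalize_email(email), password))
    return creds


def triage_dump(accounts, dump_text: str, verify_password: bool = True):
    """Return (reset_emails, ignored_emails).

    With verify_password=True only accounts whose stored hash matches the
    leaked password are flagged for reset; with False every listed address
    that belongs to a known user is reset (the behaviour the tweet calls
    'exploitable')."""
    by_email = {a["email"]: a for a in accounts}
    reset, ignored = [], []
    for email, password in parse_dump(dump_text):
        acct = by_email.get(email)
        if acct is None:
            ignored.append(email)      # not one of our users
            continue
        if verify_password and not verify(acct, password):
            ignored.append(email)      # leaked password is not their current one
            continue
        acct["must_reset"] = True
        reset.append(email)
    return reset, ignored


# Constructed sample data (not real accounts or leaked credentials)
SAMPLE_ACCOUNTS = [make_account("alice@example.com", "hunter2"),
                   make_account("bob@example.com", "correct horse"),
                   make_account("carol@example.com", "s3cret!")]
SAMPLE_DUMP = """alice@example.com:hunter2
Bob@Example.com:wrongpass
nobody@example.org:whatever
garbage line without separator
carol@example.com:s3cret!
"""

if __name__ == "__main__":
    reset, ignored = triage_dump(SAMPLE_ACCOUNTS, SAMPLE_DUMP)
    print("forced reset:", reset)
    print("ignored:", ignored)
```

Run with `verify_password=False` to see the difference: Bob's account is then locked even though the password listed for him is wrong, which is exactly the lever an arbitrary list gives an attacker.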

LulzSec pointed out that there were a number of .gov and .mil email addresses registered on the compromised site, as well as some 55 accounts belonging to admins of other adult portals.

Partial screenshot of the 26,000-entry emails and passwords text file released online on the LulzSec website:

The group didn’t stop with this leak. It also published the personal information (dox) of executive officers and other employees from vulnerability research company Endgame Systems and anti-DDoS solutions provider Prolexic Technologies.

The dox didn’t only include information about these individuals themselves, but also their spouses, children and other family members, and their respective social media accounts.

Endgame Systems is a company set up by former ISS and CIA executives with the purpose of selling offensive security solutions and zero-day vulnerability information. The HBGary Federal email leak from earlier this year revealed that the company and its management make significant efforts to keep a low profile.

Meanwhile, Prolexic Technologies has made a selling point from the DDoS attacks orchestrated by Anonymous. In 2010 the company helped firms considered by the hacktivist group as WikiLeaks enemies to protect themselves.

Credit: Softpedia.com News

Microsoft Releases Standalone System Sweeper, Bootable Malware Scanner For Infected Computers

Thursday, June 2nd, 2011

Microsoft is now providing customers with a standalone malware scanner running from bootable CDs, DVDs or USB drives, for use on systems that are infected with sophisticated threats. The tool, called Microsoft Standalone System Sweeper, might have been available for some time now, but Microsoft didn’t actively promote it to the masses. Instead, it asked its customer support staff to decide which cases warrant its use.

Computer malware comes in various forms and with different capabilities. Some threats are more sophisticated and resilient to removal than others. Many families of malware interfere with certain antivirus programs by preventing them from running on infected systems or stopping their services.

Others prevent access to security websites in order to stop victims from downloading anti-malware programs or asking for help. One type of persistent malware is the rootkit. Rootkits register themselves as drivers, which gives them low-level access to the operating system. In some cases they can even interact directly with the hard drive without relying on the Windows file system APIs, and they can use this capability to protect themselves.

One particularly nasty type of rootkit is capable of writing code into the master boot record (MBR). This allows it to control the boot process and start even before the operating system, which is why such rootkits are referred to as bootkits.

All these threats pose various problems for traditional antivirus programs which can make properly cleaning a Windows installation while it’s running impossible. To solve this issue, some antivirus vendors have created so-called rescue discs, bootable CDs that start a separate operating system and can run their anti-malware products unrestricted. This is a very effective method, because the malware can’t interfere with the scanning process and everything is run from memory; nothing is installed on the hard drive.

It looks like Microsoft has decided to provide a similar solution in the form of a tool called Microsoft Standalone System Sweeper. This tool is still in beta and is based on Windows, whereas the other antivirus vendors normally use Linux for their rescue discs.

Users can download a builder application which creates a bootable CD, DVD or USB drive. They have to choose between a 32-bit or a 64-bit version, depending on the architecture of the infected Windows system they want to clean.

The link to this tool is now available in our Free Anti-virus, Online Scan And Rescue CDs page.

Credit: Softpedia.com News

Internet Explorer 9 Now Available To Download, Domain Dedicated To The Browser Might Be Abused Soon

Tuesday, March 15th, 2011

Microsoft has released version 9 of its Internet Explorer web browser. It can be downloaded from windows.microsoft.com or from the Beauty of the Web site, www.beautyoftheweb.com.

Beautyoftheweb.com was set up by Microsoft and it is dedicated to the new browser. Unfortunately, that site isn’t hosted under the microsoft.com domain, nor does it have an SSL certificate to confirm that it belongs to Microsoft. Using this site to distribute the browser goes against the advice of downloading software only from known vendor websites. Copycat malicious sites claiming to distribute IE 9 will probably appear shortly, if they aren’t around yet.

There are no significant changes between the RC and the final build. Microsoft tells us that performance has been improved on low-end machines (with low-end graphics cards), but this cannot be confirmed yet. There’s also a handy link from the Tracking Protection UI to the ready-made Tracking Protection Lists.

Internet Explorer 9 includes a number of security improvements that make the upgrade worth your consideration. These include application reputation capabilities that are part of the SmartScreen feature that helps protect the user against socially-engineered malware. The browser also supports the notion of Pinned Sites, which implements “secure launch” capabilities to safeguard users’ sessions with important websites. Internet Explorer 9 also improves its resistance to exploits by embracing support for DEP/NX, ASLR and SafeSEH memory protection capabilities.

The new browser also improves the messages its users see when they download files and programs; the messages are designed to make it easier for the users to assess the risk of opening such files.

If you already have the Release Candidate or Beta versions installed, the RTW (release to world) build will be offered via Windows Update (presumably tomorrow morning). If you don’t have the RC or Beta builds installed, you’ll have to grab it manually.

Remote Access Trojan Distributed Through Microsoft Update Catalog

Sunday, February 6th, 2011

Last week, ESET received a report from a customer that NOD32 had prevented a Trojan from infecting a mobile user’s computer. While that is not unusual in and of itself, what was notable was the source of the infection: Microsoft’s own Update Catalog.

Microsoft not only provides updates for its own operating system and applications, but they also provide hundreds of thousands of device drivers as well. A device driver is a specialized piece of software that allows an operating system to use a particular device, like a printer or a mouse. While Microsoft does write some of these device drivers themselves, many of these are very basic and provide rudimentary functionality: It is up to each hardware manufacturer to create device drivers which take full advantage of whatever additional features they have designed. In order to ensure that customers have the best experience possible with Windows, Microsoft hosts these device drivers written by third-parties in their Update Catalog, so that when a computer running Windows checks for updates, it can download the latest device driver software for its hardware.

In this case, though, the device plugged into the customer’s notebook appears to have been an Energizer® DUO USB Battery Charger, which is an AC and USB charger for rechargeable NiMH batteries. Last year the very same Energizer DUO USB battery charger software allowed unauthorized remote system access by installing an unwanted Win32/Arurizer remote access trojan.

Preliminary analysis of the file indicated this was not a false positive, i.e., an incorrect report of a threat when none was actually present. Microsoft was notified and not only promptly removed the file from its Update Catalog, but also blocked access to the web page that used to host it through Internet Explorer’s SmartScreen Filter.

IT managers and consumers rely on Microsoft update services like Microsoft Update to detect and apply patches and security fixes for operating systems and applications, and consider it a safe and trusted source. It is important to remember, though, that although a file may be downloaded from Microsoft, it may not be written by them, especially in the case of a device driver.

Credit: Aryeh Goretsky, ESET ThreatBlog

Windows Phone Marketplace Protection, PlayStation3 Code Signing Cracked

Friday, December 31st, 2010

A whitehat hacker has cracked the digital rights management system enforced by Microsoft on Windows Phone 7 and demonstrated a simple method which allows users to install any application from the Windows Phone Marketplace for free. Hardware hackers also claim to have uncovered the private key used by Sony to authorize code to run on PlayStation 3 systems. Sony’s weak implementation of cryptography was exploited by fail0verflow to pull off the hack.

The Windows Phone Marketplace is Microsoft’s online store for Windows Phone 7 applications and allows users to browse, try and install free or commercial apps. A few days ago, a user posted on the XDA forums a guide with what is needed to crack the protection of the Windows Phone Marketplace.

Most of the steps in that guide were already doable to some extent except one – removing the XAP (app installer format) signature. However, it wasn’t long until someone took it up as a challenge. WPCentral reports that a developer created a simple application which allows people to download and crack any XAP file from the official marketplace.

The tool was demoed in a video, but has not been publicly released. Also, no information about how it actually achieves the signature stripping was provided. Instead, WPCentral and the whitehat hacker contacted Microsoft and gave them the details so they can start working on a fix.

The issue is pretty serious, because if one developer can do it, then sooner or later others will figure it out too, and not all of them might be adherents of responsible disclosure. In the end, DRM systems will always be prone to hacking. Someone will eventually figure out a way to bypass them.

The Windows Phone 7 community, which is still fairly limited, will probably end up having access to alternative marketplaces like Cydia for people with jailbroken iPhones.

Separately, hardware hackers recently uncovered a method to run Linux on PS3 consoles, irrespective of the version of firmware the games console is running. By knowing the private key used by Sony, the hackers are able to sign code so that a console can boot directly into Linux. Previous approaches to running the open source OS on the console were firmware specific and involved messing around with USB sticks.

The same code signing technique might also be used to run pirated or counterfeit games on a console. That isn’t the intention of the hackers even though it might turn out to be the main practical effect of the hack.

The group, fail0verflow, who also run the Wii’s Homebrew Channel, gave more information about the crack and a demo during the annual Chaos Communication Congress hacker conference in Berlin.

0-Day Vulnerability In Internet Explorer 6, 7 and 8, Exploit Code Already Released

Thursday, December 23rd, 2010

Exploit code for an unpatched remote code execution vulnerability in Internet Explorer has been added to the popular Metasploit open source penetration testing framework. The flaw was originally reported as a denial of service condition on the Full Disclosure mailing list on December 8.

However, vulnerability research companies like Secunia and VUPEN Security warned that it could also be exploited to execute arbitrary code. “This issue is caused by a use-after-free error within the ‘mshtml.dll’ library when processing a web page referencing a CSS (Cascading Style Sheets) file that includes various ‘@import’ rules,” VUPEN explains.

Microsoft has confirmed in a newly published advisory that Internet Explorer 6, 7 and 8, running on all supported Windows versions, are affected. It does point out, however, that the Protected Mode enabled by default on Windows Vista and 7 restricts the vulnerability’s impact on those systems.

Yesterday, a group called Abysssec Security Research announced a reliable exploit for the flaw, which also completely bypasses the DEP and ASLR arbitrary code execution prevention mechanisms.

The exploit has been added to Metasploit and since the framework is open source, anyone can potentially grab it and use it to launch drive-by download attacks. In such attacks victims are silently infected with malware only by visiting a maliciously crafted Web page on a compromised legitimate website.

“This exploit utilizes a combination of heap spraying and the .NET 2.0 ‘mscorie.dll’ module to bypass DEP and ASLR,” a description of the Metasploit module reads.

The vulnerability was disclosed days before this month’s Patch Tuesday, when Microsoft fixed another IE 0day exploited in the wild for almost six weeks.

If no widespread attacks exploiting this new flaw (CVE-2010-3971) appear, Microsoft will most likely wait until January 10 to patch it.

Credit: Softpedia.com News

Scareware Malvertizements Approved By Google And Microsoft Ad Systems, Served On msnbc.com, mail.live.com

Saturday, December 11th, 2010

Malware distributors have managed to trick two large ad networks into delivering malvertizements that silently infected the visitors of large websites with fake scareware programs.

The attacks started on December 3 and were picked up by a cloud-based malware scanning service called HackAlert and operated by Santa Clara-based security vendor Armorize Technologies.

HackAlert is used by VeriSign Trust Services, now a division of Symantec, for its daily VeriSign Trust Seal malware scans. So when several high profile websites started being tagged as infected, Armorize was asked to check its platform for possible bugs. However, their investigation revealed that sites like realestate.msn.com, msnbc.com, scout.com or mail.live.com, were indeed inadvertently infecting their visitors with malware.

It appears that cyber criminals registered a domain called adshufffle.com (three “f”-s) and posed as a legit advertising company named AdShuffle. They somehow managed to get their domain accepted on both the Google-owned DoubleClick network and rad.msn.com, the server used by Microsoft to deliver ads of various sites, including Hotmail and MSN.

The rogue ads served from this domain were not regular scareware malvertizements (malicious advertisements) that falsely claim visitors are infected and offer them a program to fix it. They looked harmless, but loaded the Eleonore drive-by download toolkit in the background. This toolkit silently exploits vulnerabilities in outdated versions of popular applications like Java, Adobe Reader, Internet Explorer and even Windows.
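The trick that got the rogue network accepted was a lookalike name: adshufffle.com with three f’s, posing as AdShuffle. As an added example (not code from the article or from Armorize), the script below scans constructed web-server or proxy log lines for third-party script hosts and flags any host whose registered domain is within a small edit distance of an approved ad-network domain but is not itself approved. The allowlist, the log lines and the two-label “registered domain” shortcut are assumptions made for the example; a real deployment would use the public suffix list.

```python
"""Added example (not from the article): flag third-party hosts that look
like, but are not, an approved ad-network domain. The allowlist and the
request log lines are constructed; the lookalike in the real attack was
adshufffle.com (three f's) posing as AdShuffle."""
from urllib.parse import urlparse

# Assumption: the ad hosts this site has agreed to load scripts from.
APPROVED_AD_HOSTS = {"adshuffle.com", "doubleclick.net", "rad.msn.com"}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels. Adequate for the sample data;
    a real deployment would consult the public suffix list (assumption)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify_host(host: str, approved=APPROVED_AD_HOSTS, max_distance: int = 2):
    """Return ('approved', None), ('lookalike', <approved name it imitates>)
    or ('unknown', None)."""
    host = host.lower()
    reg = registered_domain(host)
    if host in approved or reg in approved:
        return ("approved", None)
    for good in sorted(approved):
        d = levenshtein(reg, registered_domain(good))
        if 0 < d <= max_distance:
            return ("lookalike", good)
    return ("unknown", None)


def scan_log(log_text: str) -> dict:
    """Map each host seen in '<ts> <method> <url> <status>' lines to its verdict."""
    verdicts = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        host = urlparse(fields[2]).hostname
        if host and host not in verdicts:
            verdicts[host] = classify_host(host)
    return verdicts


# Constructed sample log lines (paths and timestamps are made up)
SAMPLE_LOG = """\
2010-12-05T10:01:02Z GET http://ad.doubleclick.net/adj/homepage 200
2010-12-05T10:01:03Z GET http://rad.msn.com/ad.js 200
2010-12-05T10:01:04Z GET http://adshufffle.com/js/show.js 200
2010-12-05T10:01:05Z GET http://cdn.example.com/site.js 200
"""

if __name__ == "__main__":
    for host, (verdict, imitated) in scan_log(SAMPLE_LOG).items():
        note = f" (imitates {imitated})" if imitated else ""
        print(f"{host}: {verdict}{note}")
```

The distance threshold is deliberately small: at 2 or less a name is almost certainly a deliberate imitation, while larger thresholds start matching unrelated domains and generate noise.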

“Users visit websites that incorporate banner ads from DoubleClick or rad.msn.com, the malicious javascript is served from ADShufffle.com (notice the three f’s), starts a drive-by download process and if successful, HDD Plus and other malware are installed into the victim’s machine, without having the need to trick the victim into doing anything or clicking on anything. Simply visiting the page infects the visitors,” notes Wayne Huang, chief technology officer at Armorize and member of the team who researched the attack.

HDD Plus is one of the recent pieces of scareware that pose as hard disk defragmentation utilities. The other malware downloaded by the malvertizements was a trojan downloader.

Credit: Softpedia.com News

Zero-Day Internet Explorer Vulnerability Exploited In Targeted Email Attacks

Thursday, November 4th, 2010

Symantec warns that a 0-day vulnerability, affecting stable versions of Internet Explorer, is being exploited in a sophisticated attack, which targets key people in various organizations.

The attack begins with fake emails posing as hotel reservation notifications. “About the hotel room, please take the attached list for booking [link],” part of the rogue messages read.

The link directs recipients to a page hosted on a compromised, but legitimate website, which checks their operating system and browser version.

Only users running Windows XP and Internet Explorer 6 or 7 get redirected to the exploits. Others are sent to a blank page.

Successful exploitation results in a trojan being installed on the computer. The malware registers itself as a service called “NetWare Workstation” and opens a backdoor.

It reports back to the attackers and downloads encrypted files with commands from a compromised server in Poland.

“Looking at the log files from this exploited server we know that the malware author had targeted more than a few organizations,” Symantec researchers revealed.

“The files on this server had been accessed by people in lots of organizations in multiple industries across the globe,” they added.

Microsoft has confirmed the existence of the vulnerability and has published a security advisory with mitigation instructions.

“Impacted versions include Internet Explorer 6, 7 and 8, although our ongoing investigation confirms that default installations of Internet Explorer 8 are unlikely to be exploited by this issue.

“This is due to the defense in depth protections offered from Data Execution Prevention (DEP), which is enabled by default in Internet Explorer 8 on all supported Windows platforms,” Jerry Bryant, manager of response communications at Microsoft, explained.

Internet Explorer 9 Beta is not vulnerable and the company has since released a Fix It tool to help users apply the workaround until a permanent patch becomes available.

Credit: Softpedia.com News

Xbox Players Targeted By Phishers With Fake Gamertag Changer

Tuesday, October 19th, 2010

Security researchers from Sunbelt warn that phishers are trying to steal Live IDs from Xbox users, through a fake program which promises a free Gamertag change.

Gamertags are the unique names used by players on Microsoft’s Xbox LIVE platform, and they can only be modified through a special service in exchange for 800 Microsoft Points.

Microsoft also forces users to change their Gamertag if it is deemed offensive by other users, in which case the operation is free of charge.

According to Christopher Boyd, a senior threat researcher at Sunbelt (now part of GFI Software), many users still believe that it is possible to trick the system into allowing a free Gamertag change, if all their friends report it.

Of course, Microsoft has checks in place to detect such fraud attempts, but the myth’s persistence offers a good opportunity for phishers to prey on less knowledgeable players.

Boyd reports that there’s a program called “Gamertag Changer” going around that does nothing more than steal Windows Live credentials from Xbox gamers.

The application claims that it will file numerous complaints regarding the user’s Gamertag in order to trigger an automatic change from the system.

“Microsoft has an automatic system that makes you change your gamertag somewhere between 100-200 complaints.

“This program will send out around 500 at most to be sure you can change your gamertag,” part of the description reads.

Users who fall for the trick and input their credentials will see a message asking them to leave the application open for at least two minutes and then try to re-login on Xbox LIVE.

Meanwhile in the background, the program sends the captured Gamertag, Live ID and password to an email address controlled by the phisher.

“Considering all the things you can use a Windows LIVE ID for, it isn’t really something you want to be handing over to Little Jimmy Hackpants. VirusTotal scores are extremely low at this point – just 2/43,” the Sunbelt researcher advises.

Credit: Softpedia.com News

Microsoft DNS Hijacked, IP Addresses Are Used To Push Pharma Spam

Wednesday, October 13th, 2010

For the past three weeks, internet addresses belonging to Microsoft have been used to route traffic to more than 1,000 fraudulent websites maintained by a notorious group of Russian criminals, publicly accessible internet data indicates.

The 1,025 unique websites — which include seizemed.com, yourrulers.com, and crashcoursecomputing.com — push Viagra, Human Growth Hormone, and other pharmaceuticals through the Canadian Health&Care Mall. They use one of two IP addresses belonging to Microsoft to host their official domain name system servers, search results from Microsoft’s own servers show. The authoritative name servers have been hosted on the Microsoft addresses since at least September 22, according to Ronald F. Guilmette, a researcher who first uncovered the hijacking.

By examining results from an internet lookup tool, it was determined that 131.107.202.197 and 131.107.202.198 — both registered to Microsoft — are housing dozens of DNS servers that help convert the pharmacy domain names into the numerical IP addresses hosting the sites.
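The check the researcher performed, resolving each domain’s NS records and noticing that the name server addresses fall inside another organisation’s address space, is one an owner of address space can run the other way round: over a list of resolved NS records, flag every domain whose authoritative servers sit inside your own netblock and that you are not knowingly serving DNS for. The script below is an added example (not code from the article or from the researchers quoted). The NS hostnames, the `/24` boundary and the resolved-record tuples are constructed to mirror the article’s observation; the two IP addresses and the three domain names are the ones the article reports.

```python
"""Added example (not from the article): flag domains whose authoritative
name servers resolve to addresses inside an organisation's own netblock.
The resolved records below are constructed; in practice they would come
from an NS lookup followed by an A lookup of each name server."""
import ipaddress

# Constructed: (domain, ns_hostname, ns_ip) as a resolver would return them.
# The NS hostnames are assumptions; the IPs and domains are from the article.
RESOLVED_NS = [
    ("seizemed.com", "ns1.seizemed.com", "131.107.202.197"),
    ("seizemed.com", "ns2.seizemed.com", "131.107.202.198"),
    ("yourrulers.com", "ns1.yourrulers.com", "131.107.202.197"),
    ("crashcoursecomputing.com", "ns1.crashcoursecomputing.com", "131.107.202.198"),
    ("example.net", "ns1.example.net", "198.51.100.7"),   # outside the watched block
    ("broken.example", "ns1.broken.example", "not-an-ip"),  # malformed resolver output
]


def find_nameservers_in_netblock(records, netblock, expected_domains=()):
    """Return {domain: [ns_ip, ...]} for every domain with at least one
    authoritative name server inside `netblock`, skipping domains the
    organisation knowingly serves DNS for (`expected_domains`)."""
    net = ipaddress.ip_network(netblock, strict=False)
    hits = {}
    for domain, _ns_host, ns_ip in records:
        if domain in expected_domains:
            continue
        try:
            addr = ipaddress.ip_address(ns_ip)
        except ValueError:
            continue  # skip malformed resolver output rather than crash
        if addr in net:
            hits.setdefault(domain, []).append(ns_ip)
    return hits


def abused_addresses(hits):
    """Sorted list of the distinct in-block addresses being used as name servers."""
    return sorted({ip for ips in hits.values() for ip in ips})


if __name__ == "__main__":
    # Assumption: the /24 is used as an illustrative watched block; the
    # article only names the two addresses.
    found = find_nameservers_in_netblock(RESOLVED_NS, "131.107.202.0/24")
    for domain, ips in found.items():
        print(f"{domain}: NS hosted on {', '.join(ips)}")
    print("addresses in use:", abused_addresses(found))
```

Feeding this the live output of an NS lookup for a suspect domain list, rather than the constructed tuples, turns it into the monitoring check an address-space owner would want: any hit for a domain you did not agree to host DNS for is worth an investigation of the machine behind that address.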

The most likely explanation, the researchers say, is that a machine on Microsoft’s campus has been programmed to do so, probably after it became infected with malware.

“The important part seems to be some sort of compromise appears to be in play,” said Randal Vaughn, a professor of information systems at Baylor University. “It could be an NS compromise, an OS compromise, a rogue customer machine, or something else entirely. In order to get the DNS zones entered in there, they must have pwned the box.”

Vaughn also held out the possibility that servers connected to the Microsoft IPs might be part of a honey pot that’s deliberately hosting the name servers so that researchers can secretly monitor the gang’s operations. Another possibility is that the pharmacy operators have subscribed to some sort of managed service offered by Microsoft.

A Microsoft spokeswoman said she was investigating the findings and expected to provide a statement once the investigation was completed.

California-based Guilmette, who said he has uncovered evidence that other large organizations have been similarly hijacked in the past, said he’s convinced the results mean that Microsoft has faced some sort of system compromise.

“I’m a paranoid kind of person,” he said. “There’s no other immediately apparent, reasonably plausible explanation for the facts that I’m looking at.”

Another researcher who goes by the pseudonym Jart Armin said that there may be no Microsoft server compromise at all. Rather, he said, criminals may have figured out a way to cache the zone files on the Microsoft IP addresses and make them appear to be the authoritative results. He didn’t fully explain how this could be done, however, and Guilmette and Vaughn discounted the likelihood of this hypothesis.

Canadian Health&Care Mall is believed to be run by affiliates of a group known alternately as Bulker.biz, Eva Pharmacy, and Yambo Financials, according to Spamtrackers.eu, a site that monitors online scams. The operation, which researchers say also engages in child pornography, identity theft, and rampant spamming, specializes in maintaining websites and name servers that run on infected hosts without the owners’ knowledge, the website says. Members are known to infect Linux and Unix machines with custom-written binaries that act as proxy web hosts.

The benefits of running the website and DNS servers on infected machines are manifold. Not only does doing so drastically reduce the cost of the illegal operation, but the use of IP addresses from organizations with good reputations may make it easier for the scams to fly under the radar of spam filters and search-engine blacklists, Armin said.

Over the past few weeks, Guilmette said, the IP addresses of several other large organizations have also been observed to be hosting name servers for the same criminal outfit. The University of Houston, the government of India, and City University of New York are just three of the names on the list. They have since corrected the problems, so the DNS servers are no longer hitching a free ride on their systems, the researcher said.

In the past year, Microsoft has adopted a more active role in hunting down the very types of criminals Guilmette believes have hijacked Microsoft’s network to help operate the illegal pharmacy. Company researchers were instrumental in founding the Conficker Working Group, which actively infiltrates the massive botnet that was built by the Conficker worm in an attempt to disrupt it or shut it down.

The company recently succeeded in shutting down the Waledac botnet through a combination of technical and legal maneuvers.

The irony that Microsoft IP addresses are playing a crucial role in enabling such scams wasn’t lost on Baylor University’s Vaughn.

“I almost guarantee that there’s somebody up there at Microsoft, probably more than one, that are trying their darnedest to get rid of the Canadian pharmacy group,” he said. “It would be nice if they had that IP information available.”

Credit: The Register