Bitdefender experts came across a piece of scareware that makes victims believe that something may have happened to all the files and folders stored on their computers. The user is then requested to pay $80 (60 EUR) for a tool that allegedly addresses the problem.
Scareware and ransomware are not uncommon; many security vendors have released advisories on how to handle threats that pose as law enforcement agencies, accuse the user of copyright infringement and demand the payment of a fine. This Trojan, however, relies on a different trigger: many computer owners panic when they see that all their personal files and folders have suddenly disappeared.
Identified as Trojan.HiddenFilesFraud.A, the rogue disk repair utility starts by informing the user of various issues supposedly affecting the computer. Since many people are already accustomed to fake AVs, this malicious application has an extra trick that makes the claims look more realistic.
It changes the attributes of all files and folders, setting them as Hidden, so that the user may think that everything has been deleted from the hard drive. Certain key shortcuts are also disabled to induce more panic. Even worse, the worm that downloads HiddenFilesFraud.A, Win32.Brontok.AP@mm, ensures that the files’ attributes can’t be modified from Windows Explorer back to their original state.
After displaying the numerous “errors” that supposedly affect the system, the scareware advertises a repair utility that costs $80 (60 EUR). As with other scareware seen before, the so-called utility does absolutely nothing.
Brontok.AP@mm, the element responsible for installing Trojan.HiddenFilesFraud.A, quickly copies itself on removable media drives to ensure that it spreads without difficulty from one computer to another.
Scareware most often relies on the fact that users fail to keep their security software up to date. That is why users are always advised to make sure that a decent, updated antivirus solution is constantly watching for malicious elements.
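Because the worm blocks attribute changes from Windows Explorer, recovery of the files it hid is easier from the command line. The following script is an added example, not part of the Bitdefender or Softpedia write-up; it assumes the worm itself has already been removed (otherwise it may simply re-hide the files) and that the affected tree is the current user's profile.

```powershell
# Added example (not from the original article): clear the Hidden attribute that
# Trojan.HiddenFilesFraud.A sets on user files. Run from an elevated PowerShell
# prompt after the Brontok worm has been removed.
# Assumption: items that also carry the System attribute (desktop.ini, NTUSER.DAT,
# thumbnail caches) are legitimately hidden and must be left alone.
param(
    [string]$Root = $env:USERPROFILE,   # tree to repair; change to D:\ etc. as needed
    [switch]$WhatIf                     # list what would change without touching anything
)

$hidden = [System.IO.FileAttributes]::Hidden
$system = [System.IO.FileAttributes]::System

# -Force is required: without it Get-ChildItem silently skips hidden items,
# which is exactly the set we are looking for.
$items = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Attributes.HasFlag($hidden) -and -not $_.Attributes.HasFlag($system)
    }

$restored = 0
foreach ($item in $items) {
    if ($WhatIf) {
        Write-Output "Would unhide: $($item.FullName)"
        continue
    }
    try {
        # Clear only the Hidden bit; ReadOnly, Archive and the rest stay as they were.
        $item.Attributes = [System.IO.FileAttributes]([int]$item.Attributes -band -bnot [int]$hidden)
        $restored++
    } catch {
        Write-Warning "Could not change attributes on $($item.FullName): $_"
    }
}

Write-Output "Restored $restored item(s) under $Root"
```

Run it once with `-WhatIf` to review the list before making changes; folders are processed as well as files because the scareware hides both.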
Credit: Softpedia.com News
Microsoft is now providing customers with a standalone malware scanner running from bootable CDs, DVDs or USB drives, for use on systems that are infected with sophisticated threats. The tool, called Microsoft Standalone System Sweeper, might have been available for some time now, but Microsoft didn’t actively promote it to the masses. Instead, it asked its customer support staff to decide which cases warrant its use.
Computer malware comes in various forms and with different capabilities. Some threats are more sophisticated and resilient to removal than others. Many families of malware interfere with certain antivirus programs by preventing them from running on infected systems or stopping their services.
Others block access to security websites so that victims cannot download anti-malware programs or ask for help. One type of persistent malware is the rootkit. Rootkits register themselves as drivers, which gives them low-level access to the operating system. In some cases they can even interact directly with the hard drive without relying on the Windows file system APIs, and they use this capability to protect themselves.
One particularly nasty type of rootkit is capable of writing code into the master boot record (MBR). This allows it to control the boot process and start even before the operating system, which is why such rootkits are referred to as bootkits.
All these threats pose various problems for traditional antivirus programs which can make properly cleaning a Windows installation while it’s running impossible. To solve this issue, some antivirus vendors have created so-called rescue discs, bootable CDs that start a separate operating system and can run their anti-malware products unrestricted. This is a very effective method, because the malware can’t interfere with the scanning process and everything is run from memory; nothing is installed on the hard drive.
It looks like Microsoft has decided to provide a similar solution in the form of a tool called Microsoft Standalone System Sweeper. This tool is still in beta and depends on the Windows installation, whereas other antivirus vendors normally use Linux for their rescue discs.
Users can download a builder application which creates a bootable CD, DVD or USB drive. They have to choose between a 32-bit or a 64-bit version, depending on the architecture of the infected Windows system they want to clean.
The link to this tool is now available in our Free Anti-virus, Online Scan And Rescue CDs page.
Credit: Softpedia.com News
Microsoft has released version 9 of its Internet Explorer web browser. It can be downloaded from windows.microsoft.com or from the Beauty of the Web site, www.beautyoftheweb.com.
Beautyoftheweb.com was set up by Microsoft and it is dedicated to the new browser. Unfortunately, that site isn’t hosted under the microsoft.com domain, nor does it have an SSL certificate to confirm that it belongs to Microsoft. Using this site to distribute the browser goes against the advice of downloading software only from known vendor websites. Copycat malicious sites claiming to distribute IE 9 will probably appear shortly, if they aren’t around yet.
There are no significant changes between the RC and the final build. Microsoft says that performance has been improved on low-end machines (with low-end graphics cards), but this cannot be confirmed yet. There is also a handy link from the Tracking Protection UI to the ready-made Tracking Protection Lists.
Internet Explorer 9 includes a number of security improvements that make the upgrade worth your consideration. These include application reputation capabilities that are part of the SmartScreen feature that helps protect the user against socially-engineered malware. The browser also supports the notion of Pinned Sites, which implements “secure launch” capabilities to safeguard users’ sessions with important websites. Internet Explorer 9 also improves its resistance to exploits by embracing support for DEP/NX, ASLR and SafeSEH memory protection capabilities.
The new browser also improves the messages its users see when they download files and programs; the messages are designed to make it easier for the users to assess the risk of opening such files.
If you already have the Release Candidate or Beta versions installed, the RTW (release to world) build will be offered via Windows Update (presumably tomorrow morning). If you don’t have the RC or Beta builds installed, you’ll have to grab it manually.
Last week, ESET received a report from a customer who reported that NOD32 had prevented a Trojan from infecting a mobile user’s computer. While that is not unusual in and of itself, what was notable was the source of the infection: Microsoft’s own Update Catalog.
Microsoft not only provides updates for its own operating system and applications, but they also provide hundreds of thousands of device drivers as well. A device driver is a specialized piece of software that allows an operating system to use a particular device, like a printer or a mouse. While Microsoft does write some of these device drivers themselves, many of these are very basic and provide rudimentary functionality: It is up to each hardware manufacturer to create device drivers which take full advantage of whatever additional features they have designed. In order to ensure that customers have the best experience possible with Windows, Microsoft hosts these device drivers written by third-parties in their Update Catalog, so that when a computer running Windows checks for updates, it can download the latest device driver software for its hardware.
In this case, though, the device plugged into the customer’s notebook appears to have been an Energizer® DUO USB Battery Charger, an AC and USB charger for rechargeable NiMH batteries. Last year the very same Energizer DUO USB battery charger software allowed unauthorized remote system access by installing an unwanted Win32/Arurizer remote access trojan.
Preliminary analysis of the file indicated this was not a false positive alarm, i.e., an incorrect report of a threat when none was actually present. Microsoft was notified and not only promptly removed the file from the Update Catalog, but also blocked access to the web page that used to host it through Internet Explorer’s SmartScreen Filter.
IT managers and consumers rely on Microsoft update services like Microsoft Update to detect and apply patches and security fixes for operating systems and applications, and consider it a safe and trusted source. It is important to remember, though, that although a file may be downloaded from Microsoft, it may not be written by them, especially in the case of a device driver.
Credit: Aryeh Goretsky, ESET ThreatBlog
Scareware distributors have managed to push rogue antivirus advertisements onto the ICQ network by posing as a known clothing retailer.
According to Roel Schouwenberg, senior antivirus researcher at Kaspersky Lab, the security vendor began receiving numerous reports of infections with a piece of scareware called Antivirus 8 recently. Upon investigating the problem, Kaspersky’s researchers realized that fake antivirus popups were being displayed on people’s desktop even when they were not using their browsers.
The rogue ads were tracked down to running instances of the ICQ instant messaging application which has its own internal advertising mechanism. When investigating the ICQ advertisements, experts found that one of them was loaded from [censored]charlotterusse.eu, a domain name that, at first glance, seems to be related to clothing retailer Charlotte Russe.
The use of a known brand name in their malvertizing campaign helped scareware distributors in several ways.
First, it allowed them to get their malicious ads onto the ICQ network and second, make it seem as if Charlotte Russe’s own server was compromised if the scheme was discovered.
“By making it look like their server got compromised, the criminals can claim it isn’t them who’s responsible for distributing the malware. But rather someone else who hacked their server to spread malware.
“The ad distributor is very likely to simply give them a warning, which gives these criminals at least one more shot at infecting more machines,” Mr. Schouwenberg explains.
The practice of posing as legit advertisers in order to push malicious popups via ad networks is common. In December last year cyber criminals managed to get malicious ads onto Google-owned DoubleClick and MSN.
People are advised to always run an up-to-date antivirus program on their computer and ignore alerts about infections if they don’t originate from it.
Credit: Softpedia.com News
Exploit code for an unpatched remote code execution vulnerability in Internet Explorer has been added to the popular Metasploit open source penetration testing framework. The flaw was originally reported as a denial of service condition on the Full Disclosure mailing list on December 8.
However, vulnerability research companies like Secunia and VUPEN Security warned that it could also be exploited to execute arbitrary code. “This issue is caused by a use-after-free error within the ‘mshtml.dll’ library when processing a web page referencing a CSS (Cascading Style Sheets) file that includes various ‘@import’ rules,” VUPEN explains.
Microsoft has confirmed in a newly published advisory that Internet Explorer 6, 7 and 8, running on all supported Windows versions, are affected. It does point out, however, that the Protected Mode enabled by default on Windows Vista and 7 restricts the vulnerability’s impact on those systems.
Yesterday, a group called Abysssec Security Research, announced a reliable exploit for the flaw, which also completely bypasses the DEP and ASLR arbitrary code execution prevention mechanisms.
The exploit has been added to Metasploit and since the framework is open source, anyone can potentially grab it and use it to launch drive-by download attacks. In such attacks victims are silently infected with malware only by visiting a maliciously crafted Web page on a compromised legitimate website.
“This exploit utilizes a combination of heap spraying and the .NET 2.0 ‘mscorie.dll’ module to bypass DEP and ASLR,” a description of the Metasploit module reads.
The vulnerability was disclosed days before this month’s Patch Tuesday, when Microsoft fixed another IE 0day exploited in the wild for almost six weeks.
If no widespread attacks exploiting this new flaw (CVE-2010-3971) appear, Microsoft will most likely wait until January 10 to patch it.
Credit: Softpedia.com News
Symantec warns that a 0-day vulnerability, affecting stable versions of Internet Explorer, is being exploited in a sophisticated attack, which targets key people in various organizations.
The attack begins with fake emails posing as hotel reservation notifications. “About the hotel room, please take the attached list for booking [link],” part of the rogue messages read.
The link directs recipients to a page hosted on a compromised, but legitimate website, which checks their operating system and browser version.
Only users running Windows XP and Internet Explorer 6 or 7 get redirected to the exploits. Others are sent to a blank page.
Successful exploitation results in a trojan being installed on the computer. The malware registers itself as a service called “NetWare Workstation” and opens a backdoor.
It reports back to the attackers and downloads encrypted files with commands from a compromised server in Poland.
“Looking at the log files from this exploited server we know that the malware author had targeted more than a few organizations,” Symantec researchers revealed.
“The files on this server had been accessed by people in lots of organizations in multiple industries across the globe,” they added.
Microsoft has confirmed the existence of the vulnerability and has published a security advisory with mitigation instructions.
“Impacted versions include Internet Explorer 6, 7 and 8, although our ongoing investigation confirms that default installations of Internet Explorer 8 are unlikely to be exploited by this issue.
“This is due to the defense in depth protections offered from Data Execution Prevention (DEP), which is enabled by default in Internet Explorer 8 on all supported Windows platforms,” Jerry Bryant, manager of response communications at Microsoft, explained.
Internet Explorer 9 Beta is not vulnerable and the company has since released a Fix It tool to help users apply the workaround until a permanent patch becomes available.
Credit: Softpedia.com News
Security researchers from Norman have come across a drive-by download attack exploiting an unpatched Firefox vulnerability in order to infect users with a new trojan.
The attack was launched from the Nobel Peace Prize website, which appears to have been compromised and had rogue code injected into its pages. According to Norman, the exploit used targeted a previously unknown vulnerability affecting versions 3.5 and 3.6 of the Mozilla Firefox browser.
The antivirus company doesn’t mention whether this attack was instrumented with an exploit kit targeting vulnerabilities in multiple applications, as is normally the case, or whether it was aimed only at Firefox users.
The second scenario would be somewhat unusual, because Mozilla Firefox has not been commonly targeted in drive-by downloads for quite some time now, even though it is the second most used browser in the world after Internet Explorer. This is because more widespread software like Java, Adobe Reader or Flash Player are usually more attractive targets for cybercriminals.
Norman reports that successful exploitation of the Firefox zero-day flaw led to the installation of a new trojan the company dubbed Belmoo.
According to the researchers, the trojan installer was created on Sunday and drops a file called symantec.exe in the %WINDOWS%\temp folder. The file name was clearly chosen to mislead users, and so is the “Microsoft Windows Update” name used for the start-up registry entries created under HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
After installation, the trojan tries to establish connections with nobel.usagov.mooo.com and update.microsoft.com over port 80 (HTTP). It’s not yet clear why it queries the microsoft.com host and the first address is not currently used for anything.
The malware also tries to connect to two different addresses pointing to a server in Taiwan. It tries different ports and if any attempt is successful, it opens a local shell. An attacker located at the other end can then use it to execute commands with the privileges of the current user.
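The indicators quoted in this report (the dropped file, the two Run entries and the C2 host name) are enough for a quick host check. The script below is an added example and not part of Norman’s analysis; it only reports and changes nothing. As a generalisation it also looks for the “NetWare Workstation” service from the Symantec hotel-reservation item above. It assumes Windows 8 / Server 2012 or later for Get-DnsClientCache and Get-NetTCPConnection, and an elevated prompt.

```powershell
# Added example (not from the original report): read-only sweep for the Belmoo
# indicators named in the text, plus the service name from the Symantec item.
# Assumptions: elevated prompt; Windows 8 / Server 2012+ for the Dns and NetTCP cmdlets.
$findings = @()

# 1. Dropped file: %WINDOWS%\temp\symantec.exe (the name imitates a security vendor).
$dropper = Join-Path $env:windir 'temp\symantec.exe'
if (Test-Path -LiteralPath $dropper) {
    $hash = (Get-FileHash -LiteralPath $dropper -Algorithm SHA256).Hash
    $findings += "Dropper present: $dropper (SHA256 $hash)"
}

# 2. Persistence: a Run value named "Microsoft Windows Update" under HKCU and HKLM.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties['Microsoft Windows Update']) {
        $findings += "Run entry in ${key}: " + $props.'Microsoft Windows Update'
    }
}

# 3. Service name used by the backdoor from the Symantec hotel-reservation campaign.
$svc = Get-Service -Name 'NetWare Workstation' -ErrorAction SilentlyContinue
if ($svc) { $findings += "Service 'NetWare Workstation' installed (status $($svc.Status))" }

# 4. C2 contact. The local DNS cache is consulted instead of resolving the name,
#    so the check itself never sends a query to the attacker's domain.
$c2Host = 'nobel.usagov.mooo.com'
$cached = Get-DnsClientCache -Name $c2Host -ErrorAction SilentlyContinue
if ($cached) {
    $findings += "DNS cache holds $c2Host (something on this host resolved it)"
    $c2Addrs = @($cached | Where-Object { $_.Data } | ForEach-Object { $_.Data })
    $conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $c2Addrs -contains $_.RemoteAddress -and $_.RemotePort -eq 80 }
    foreach ($c in $conns) {
        $findings += "Live connection to $c2Host ($($c.RemoteAddress):80) from PID $($c.OwningProcess)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Belmoo indicators found'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

The Taiwan addresses and ports are not given in the report, so they are deliberately not checked; a listening local shell would show up separately in a process and connection review.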
Credit: Softpedia.com News
Researchers have uncovered sophisticated attack code circulating on the net that exploits a critical vulnerability in the most recent version of Adobe Reader.
The click-and-get-hacked exploit spreads through email that contains a booby-trapped PDF file that remains virtually undetected by most anti-virus programs, according to Mila Parkour, the security researcher who first alerted Adobe to the threat. It was being sent to a small group of individuals who “work on common issues,” he said, causing him to believe they were narrowly selected by the attackers.
Adobe on Wednesday confirmed that the vulnerability affects Reader 9.3.4 and earlier versions for Windows, Mac OS X, and Unix. The company’s security team is in the process of figuring out when it will release a patch. Adobe is working with security companies to help them develop detection and quarantine techniques to contain any attacks.
In the meantime, there are no mitigations users can take other than to exercise due care when opening PDF documents. It may also make sense to use an alternate PDF viewer such as FoxIT, but it has not yet been confirmed that other programs aren’t vulnerable.
The malicious PDF, which also exploits Adobe Acrobat, uses some highly sophisticated techniques to ensure success. It contains three separate font packages so that it works on multiple versions of the Adobe programs, and it has also been designed to bypass protections such as ASLR (address space layout randomization) and DEP (data execution prevention), which are built into more recent versions of Microsoft Windows.
The exploit comes as Adobe is putting the finishing touches on a security feature that’s designed to significantly lessen the severity of attacks that exploit buffer overflows and other types of common bugs in Reader. The “sandbox” is intended to put a container around the application so that sensitive parts of the operating system can’t be accessed by rogue code. Adobe has said it will be available by the end of this year.
Active exploits are likely to become more widespread once the attack code is put into Metasploit.
Credit: The Register
A new Windows vulnerability that could allow for privilege escalation and arbitrary code execution has been identified. According to vulnerability research company VUPEN Security, the flaw affects all supported versions of Microsoft Windows.
The issue is described by VUPEN in its advisory as a Windows kernel memory corruption vulnerability, because it is located in the Win32k.sys kernel-mode device driver. The bug can be exploited by placing and retrieving specifically formatted bitmap data from the clipboard and can potentially be leveraged by local attackers to elevate their privileges or execute arbitrary code.
Malicious users can also generate a Denial of Service condition by crashing the system. “VUPEN has confirmed the vulnerability on fully patched Microsoft Windows 7, Windows Server 2008 SP2, Windows Server 2003 SP2, Windows Vista SP2, and Microsoft Windows XP SP3,” the company writes, noting that it is not aware of any patch supplied by the vendor.
The bug is rated as moderate risk and a researcher identified only as Arkon is credited with its discovery. It is not clear whether Microsoft has been informed of the issue, because VUPEN no longer supplies vulnerability intelligence to vendors for free and the Redmond giant does not want to pay for bug information.
Microsoft has recently rebranded its vulnerability disclosure guidelines as Coordinated Vulnerability Disclosure (CVD). “CVD’s core principles are simple: vendors and finders need to work closely toward a resolution; extensive efforts should be made to make a timely response; and only in the event of active attacks is public disclosure, focused on mitigations and workarounds, likely the best course of action — and even then it should be coordinated as closely as possible,” the company explained.
Credit: Softpedia.com News