CyberInsecure.com

Archive for the ‘Windows’ Category

Two Firefox add-ons available for months on Mozilla’s website infected users with malware that stole passwords and opened a backdoor on Windows machines, the open-source browser maker has confirmed.

The add-ons, available on an experimental section of Mozilla’s official add-on download site carried trojans that have been detected since 2008 by commercial anti-virus products. And yet they weren’t removed until late January and earlier this week because a scanning tool used to vet add-ons during upload failed to catch the malicious files.

“If a user installs one of these infected add-ons, the trojan would be executed when Firefox starts and the host computer would be infected by the trojan,” a note on Mozilla’s add-on blog stated. “Uninstalling these add-ons does not remove the trojan from a user’s system.”

Instead, infected users will need to thoroughly scan their machines with an anti-virus program. Or better yet, use multiple scanners, or simply reinstall the operating system to be on the safe side.

This isn’t the first time Mozilla has served malware-laced add-ons to its loyal base of users. In May 2008, a Vietnamese language pack for Firefox 2 contained a viral infection that resulted in users seeing unwanted ads. The add-on was downloaded almost 17,000 times before it was pulled.

In the most recent case, version 4 of the Sothink Web Video Downloader add-on installed a password sniffer dubbed Win32.LdPinch.gen and was downloaded about 4,000 times between February 2008 and May 2008. A separate add-on called Master Filer was laced with a backdoor trojan known as Win32.Bifrose that was downloaded 600 times between September 2009 and January of this year.

Mozilla removed Master Filer on January 25 and nixed Sothink on Tuesday.

The blog post said Mozilla added two new scanners to its validation chain. It was this change that allowed the organization to detect version 4 of the Sothink Web Video Downloader.

Versions greater the 4.0 of the video downloader add-on were not infected, Mozilla’s blog post stated. Both infections affected only Windows users of the open-source browser.

Credit: The Register

If you use any version of Internet Explorer to surf Twitter or other Web 2.0 sites, Jorge Luis Alvarez Medina can probably read the entire contents of your primary hard drive.

The security consultant at Core Security said his attack works by clicking on a single link that exploits a chain of weaknesses in IE and Windows. Once an IE user visits the booby-trapped site, the webmaster has complete access to the machine’s C drive, including files, authentication cookies - even empty hashes of passwords.

This isn’t the first time security researchers at Core have identified security weaknesses in IE. The company issued this advisory in 2008 and this one in 2009, each identifying specific links in the chain that could potentially be abused by an attacker.

“Every time we reported this to Microsoft, they were fixing just one of the features,” Medina said in a telephone interview from Bueno Aires. “Every time they [fixed] it, we managed another way to build the attack again.”

Medina said he has fully briefed Microsoft on his latest attack, which he plans to demonstrate at next month’s Black Hat security conference in Washington, DC. Microsoft’s “rapid response team” didn’t reply to an email, but a statement sent to other news outlets said the company is investigating the vulnerability and isn’t aware of it being exploited in the wild.

The hole is difficult to close because the attack exploits an array of features IE users have come to rely on to make web application work seamlessly. Simply removing the features could neuter functions such as online file sharing and active scripting, underscoring the age-old tradeoff between a system’s functionality and its security.

Based on Medina’s characterization, it appears that fixing the weakness will require changes in a Windows network sharing technology known as SMB, or server message block, as well as the way Windows makes file caches available to a wide variety of applications.

“The things we are reporting are not bugs, they are features,” Medina said. “They are needed for many applications to work, so [Microsoft] can’t simply remove or truncate” them.

IE suffers from at least one other long-standing security bug that can enable attacks against people browsing websites that are otherwise safe to view. It can be exploited to introduce XSS, or cross-site scripting, exploits on webpages, allowing attackers to inject malicious content and code. Microsoft has said it’s unaware of this vulnerability being exploited.

Core’s previous advisories contain a number of workarounds, including setting the security level for the internet and intranet zones to high to prevent IE from running scripts or ActiveX controls.

Credit: The Register

Initially perhaps conceived as a prank targeting a small community of bikers in central Slovakian region, the worm Win32/Zimuse.A and Win32/Zimuse.B has achieved worldwide notoriety. It is a type of threat that overwrites MBR (Master Boot Record) of all available drives with its own data, making the data stored on the user’s computer inaccessible. Moreover, the restoration of the corrupted data is complicated, requiring specialized software or a provider.

Since the worm’s inception, ESET has detected it on hundreds of computers of its users. Initially after the outbreak, only users in Slovakia were affected – accounting for over 90% of all infections. Presently, the greatest number of infected computers is in the United States, followed by Slovakia, Thailand and Spain, followed with Italy, Czech Republic and other European countries.

The worm uses two ways to spread – either via embedding in legitimate websites, in the form of a self-unpacking ZIP file or as an IQ test program, or via Exchangeable media, such as USB devices. The fact that it relies on USB devices to propagate is responsible for its rapid dissemination, which is likely to increase even further.

To date, the worm’s two variants - Win32/Zimuse.A and Win32/Zimuse.B differ in the method of spread and the timing of activation. While the A-variant needs 10 days to start spreading via USB devices, its B-variant needs only 7 days since infiltration. Moreover, the time needed for the execution of the destructive routine is shortened in the B-variant from the original 40 days to 20.

Moreover, if the right removal method is not used, the worm shifts to its destructive mode. This is similar to making the right choice on which wire to cut, and in what sequence in a bomb-defusing operation.

There is a widely held suspicion that the worm was intended to infect the computers of fans of a motorcycle club in the central Slovakian Liptov region, however, it has spread beyond this target group once it started attacking company networks. What’s more, the infiltration was reminiscent of the well-known OneHalf threat in the worm’s behavior, the country of origin (both originating in Slovakia), and the inflicted damage – causing the total paralysis of the system it attacks.

The infiltration does not posses a degree of sophistication that would encrypt the data on the disk, instead it was designed to corrupt the MBR (Master Boot Record) of physical disk drives. It emulates the old-time threats in that it is timed to go off – in this case in 40 days since the infiltration.

Credit: ESET.eu

The University of Exeter in South West of England experienced serious problems with its computer network earlier this week due to a virus outbreak. Systems running Microsoft Windows Vista with Service Pack 2 seem to have been particularly affected by the unnamed malware.

The problems started on Monday when a computer virus was introduced onto the network. “Experience of dealing with data corrupting viruses elsewhere indicates that it is essential to shut down the network ASAP to avoid so many machines and files being corrupted that it takes weeks to recover. Therefore, although this is a PC rather than a network problem, we had to shut down the network to isolate the virus,” announced David Allen, the university’s registrar and deputy chief executive.

The exact name of the virus has not been disclosed, but ZDNet cites insider sources according to which, it exploits the vulnerability described in Microsoft’s MS09-050 Security Bulletin. “This is a completely new virus and we are the only organisation in the world to experience it. None of the mainstream virus software suppliers have seen this virus, and as such, there is no fix,” a leaked internal e-mail from the IT department allegedly reads.

Mr. Allen also pointed out that a security expert had been called on site to assist with the cleaning efforts. Apparently, this malware has only been detected on computers running Windows Vista and the specialized staff plans to check all such systems. This would suggest that the “virus” can spread from one computer to another, which would technically make it a computer worm.

“University campuses are, of course, complex beasts and the IT teams who secure them can have a tough job. The problem is compounded by having a massive userbase of students who may plug their own devices into the network, or may show little care for the security of a communal computer and put it at unnecessary risk,” notes Graham Cluley, senior technology consultant at antivirus vendor Sophos.

The network is slowly being brought back online, beginning with buildings that do not use Windows Vista computers. Several services such as Outlook Web Access and the MyExeter Web portal remain functional, but other network-dependent equipment like VoIP telephones or interactive teaching boards are unusable.

The University of Exeter has almost 16,000 students and three campuses, two in Exeter and one in Cornwall. The Cornwall campus is shared with the University College Falmouth and was isolated from the affected network immediately after the threat was discovered.

Credit: Softpedia.com News

Microsoft published an advisory today about a critical security vulnerability in all versions of Internet Explorer (apart from version 5). While all versions of Internet Explorer are affected, the risk for everyone running Internet Explorer 8 is lower since it has DEP (Data Execution Prevention) enabled by default.

According to McAfee, hackers who breached the defenses of Google, Adobe Systems and at least 32 other companies used this vulnerability to carry out at least some of the attacks.

The previously unknown flaw in the IE browser was probably just one of the vectors used in the attacks, McAfee CTO George Kurtz wrote in a blog post. Using a sophisticated spear-phishing campaign, the perpetrators included malicious links exploiting the bug in emails and instant messages sent to employees from at least three of the targeted companies.

Contrary to previous speculation, there was no evidence vulnerabilities in Adobe’s Reader or Acrobat applications were used in any of the attacks, Kurtz said. In its own statement, adobe concurred, saying researchers “have not been able to obtain any evidence to indicate that Adobe Reader or other Adobe technologies were used as the attack vector in this incident.”

Kurtz said his findings were based on malware samples taken from “three to five” of the targeted companies and he stressed that other zero days or exploits could have been used against other victims.

“In our investigation we discovered that one of the malware samples involved in this broad attack exploits a new, not publicly known vulnerability in Microsoft Internet Explorer,” Kurtz wrote. “Our investigation has shown that Internet explorer is vulnerable on all of Microsoft’s most recent operating system releases, including Windows 7.”

Shortly after the report, Microsoft confirmed the new IE vulnerability was “one of the vectors used in targeted and sophisticated attacks against Google and possibly other corporate networks.” A company statement said the attacks were carried out against version 6 of the widely used browser and suggested users protect themselves by enabling security features that have been added to successor versions.

McAfee’s report is the latest to shed light on one of the most significant cyberattacks in years. Google first disclosed the “highly sophisticated and targeted attack” on Tuesday, saying it originated in China and targeted its intellectual property. It added that 20 other companies suffered similar assaults, a number that independent researchers soon raised to 34. So far, only Google and Adobe have been identified as victims.

Yahoo, Symantec, Northrop Grumman and Dow Chemical have also been penetrated according to The Washington Post, citing unnamed “congressional and industry sources.”

The malware that McAfee researchers analyzed was sent to a highly select group of employees of a handful of companies that Kurtz declined to identify.

“This wasn’t something that got blasted to 300,000 people in a corporation,” Kurtz said in an interview with The Register. “It was really targeted at senior technology leaders that had access to core pieces of intellectual property, source code, et cetera.”

Kurtz has dubbed the attack “Aurora,” a reference to the filepath on the attacker’s machine that showed up in some of the malware code McAfee researchers analyzed. They believe that is the name the attackers gave to the operation. There was nothing in the binaries that indicated either way whether the code writers spoke Cantonese or Mandarin or were located in China.

The IE vulnerability stems from an invalid pointer reference that when exploited allows an attacker to execute malicious shell code on underlying machines. The malware caused exploited machines to download further malicious scripts that installed a backdoor. The machines then connected to command and control channels that were hosted on servers that resided in the US and Taiwan.

A security feature known as data execution prevention, which prevents data loaded into memory from being executed, will block the particular exploits McAfee has observed. But Kurtz warned the vulnerability exists in all versions of IE except for IE 5.01, service pack 4, and that it would be possible for attackers to work around the protection.

In an advisory, Microsoft recommended people use DEP, which by default is enabled in IE 8 but must be turned on in prior versions. The statement also advised users on Vista and later versions of Windows to run IE in protected mode. The advisory didn’t say when an update would be released that patches the vulnerability.

Credit: The Register, SANS ISC

A Romanian grey hat hacker has disclosed an SQL inject (SQLi) vulnerability on a website belonging to the United States Army, which leads to full database compromise. The website, called Army Housing OneStop, is used to provide information about military housing facilities to soldiers. The website has been taken offline.

The Army Housing OneStop (AHOS) is “the official Army website for soldiers who need information about Military Family Housing (MFH), Unaccompanied Personnel Housing (UPH) and/or Community (Off-Post) Housing. It includes both comprehensive and quick-reference information for Army installations worldwide.”

A self-confessed security enthusiast, who goes by the online handle of TinKode, documented a proof-of-concept attack against the onestop.army.mil on his personal blog. The published screenshots reveal that the Web server runs on Microsoft Windows 2003 with Service Pack 2 and the database engine used to power the ASP website is Microsoft SQL Server 2000:

#Version: Microsoft SQL Server 2000 - 8.00.2282 (Intel X86) Dec 30 2008 02:22:41 Copyright (c) 1988-2003 Microsoft Corporation Enterprise Edition on Windows NT 5.2 (Build 3790: Service Pack 2
#User: Dynatouch
#Database: AHOS
#Host Name: AHSGSVDAHQIT130

The AHOS website seems to have been developed by DynaTouch Corporation, a third-party government contractor that provides software and hardware solutions to create “self-service kiosk systems.” The company’s client portfolio includes a long list of local and federal government organizations.

There are a number of 76 databases on the server, but TinKode focused his attention on the one called “AHOS.” There are various tables in this database containing general website configuration information, but two in particular stand out as they are called “mgr_login” and “mgr_login_passwords.”

Upon investigating the latter, the hacker stumbled upon passwords stored in plain text, a major security oversight. Storing cryptographic hashes instead of the actual password strings has been a common practice in Web application programming for years now. Furthermore, if for convenience the hashes are generated with a weak algorithm, a technique known as “salting” can be employed to make them nearly impossible to crack.

In a time when even the most amateur programmers follow such security practices, the fact that many business or government websites do not boggles one’s mind. Additionally, the administrative account is called “Dynatouch” – who would have guessed that? – and its password is “AHOS” – yes, really.

Credit: Softpedia News

Fraunhofer SIT has presented a method for discovering the BitLocker drive encryption PIN under Windows. The method even works where TPM is used to protect the boot process. An attacker with access to the target computer simply boots from a USB flash drive and replaces the BitLocker bootloader with a substitute bootloader which mimics the BitLocker PIN query process but saves the PINs entered by the user to disk in unencrypted form.

Although the BitLocker boot process carries out an integrity check on the system, and thereby the Windows installation, it does not check the bootloader itself – not that the actual attack described even gets as far as the Windows boot process. Consequently, according to the Fraunhofer SIT report, even if a Trusted Computing Module (TPM) is fitted, it fails to protect against such an attack.

Once the substitute bootloader has saved the victim’s PIN to the hard drive, it rewrites the original bootloader to the MBR and restarts the system. The victim may indeed wonder why their computer is restarting, but then we’ve all seen computers suddenly decide to abort a boot and restart.

To get hold of the saved PIN, the attacker needs to gain access to the target computer for a second time, to once more boot up from a USB flash drive and then access the hard drive. The computer can then be rebooted and the PIN thus obtained used to open up BitLocker, allowing access to the protected Windows system.

The technique could be used to obtain data in targeted acts of industrial espionage. SIT is nonetheless keen to stress that, “Despite the security vulnerability, BitLocker is a good solution for hard drive encryption, as it offers good protection against the most common threat to sensitive data on a hard drive – loss or theft of the computer.”

A similar attack on system encryption using TrueCrypt was presented at Black Hat in July. Austrian security specialist Peter Kleissner used his Stoned bootkit to nobble the boot process in order to inject spyware onto the system and read off data. His method does not, however, work where TPM is in place, since the MBR hash no longer matches the stored version. The advantage of Kleissner’s method is that it only requires one-time access to the victim’s computer.

Credit: H-online.com Security

Miscreants have developed a ransomware package that blocks internet access in a bid to force infected users into paying up by sending a text message to a premium rate SMS number, lining the pocket of cybercrooks in the process.

The malware comes bundled in a package called uFast Download Manager and targets potential marks in Russia. Users of infected machines are told (via a Russian language message) that they need to send a text message in order to obtain an activation code for the product, which (ironically) poses as a software package designed to increase download speeds. Victims are told that internet access has been blocked in the meantime because of supposed violations of a licensing agreement.

The ploy is a variant on previous ransomware packages that encrypt and block access to document files. One strain of ransomware detected in January 2008 locks up Windows machines, seeking payment via SMS. That threat wasn’t specific to Russia and didn’t affect a net connection as such but is otherwise very similar to the latest attack.

CA, which detects the threat as RansomSMS-AH, explains how the malware works in greater depth in a blog posting featuring screenshots culled from infected machines.

English translation:

Internet access is blocked due to violation of the
license agreement schedules of uFast Download Manager
You must activate your copy

Get a registration code by sending an SMS with the following
code fw0004199 to number 7122

In response you will receive an activation message.

Enter the activation message received from the SMS response ________

The anti-virus vendor has developed an activation code generator that allows victims to get online again - providing they can download the utility through an uninfected machine first, of course.

CA ISBU activation code generator for this particular ransomware can be found here. It can create activation code only for ransomware detected by CA as Win32/RansomSMS.AH.

Credit: The Register, CA Community Blogs

Exploit code for a critical (remotely exploitable) vulnerability in Microsoft’s Internet Explorer 7 browser has been released on the Internet, prompting a new round “upgrade now!” warnings from computer security experts. The vulnerability could be used in malware attacks to take complete control of a Windows machine running IE 6 or IE 7, according to an advisory issued over the  weekend.

The vulnerability could be exploited by attackers to compromise a vulnerable system. This issue is caused by a dangling pointer in the Microsoft HTML Viewer (mshtml.dll) when retrieving certain CSS/STYLE objects via the “getElementsByTagName()” method, which could allow attackers to crash an affected browser or execute arbitrary code by tricking a user into visiting a malicious web page.

The vulnerability was confirmed on fully patched Windows XP SP3 systems with Internet Explorer 6 and 7. For IE users unable (or unwilling) to upgrade to IE 8, you can disable Active Scripting in the Internet and Local intranet security zones.

Security researchers at Symantec have tested the published exploit and warned that a fully-functional reliable exploit will be available in the near future. When this happens, attackers will have the ability to insert the exploit into Web sites, infecting potential visitors. For an attacker to launch a successful attack, they must lure victims to their malicious Web page or a Web site they have compromised. In both cases, the attack requires JavaScript to exploit Internet Explorer.

Microsoft has issued an advisory with mitigation guidance, it can be found here.

Credit: ZDNet.com Security Blogs

A bug in Microsoft’s Internet Explorer browser is causing more than 50 million files stored online to leak potentially sensitive information that could compromise user privacy, a security researcher said.

The documents stored in Adobe’s PDF format display the internal disk location where the file is stored, an oversight that can inadvertently expose real-world names and login IDs of users, the operating system being used and other information that is better kept private. The data can then be retrieved using simple web searches.

Google searches such as this one expose almost 4 million documents residing on users’ C drives alone. Combined with searches for other common drives, the technique exposes more than 50 million files that display the local disk path, according to Inferno, a security researcher for a large software company who asked that his real name not be used.

“If they have those kind of PDFs, somebody can use search engines to find out user names or do more reconnaissance on the operating systems used,” he told The Register. “That actually invades the privacy of a user.”

The potentially sensitive data is included in PDFs that have been printed using Internet Explorer. The full path location is appended to its contents as soon as the Microsoft browser is used to print the document. Although the data isn’t always exposed when the document is viewed with Adobe Reader, it is easily readable when the file is opened in editors such as Notepad, and the text is also available to Google and other search engines.

The only way to remove the path is erase the text in an editor and save the document.

All versions of IE suffer from the bug. A Microsoft spokeswoman said company engineers are working to reproduce the reported behavior. “We can confirm that this is not a vulnerability,” she wrote in an email. Adobe representatives didn’t reply to requests for comment.

Credit: The Register