CyberInsecure.com

Archive for the ‘Windows’ Category

International cooperation between law enforcement agencies in Spain and the U.S., as well as several security companies, led to the arrest of three Spanish citizens who controlled one of the largest botnets in history. Dubbed Mariposa, the army of zombie computers connected from more than 12 million unique IP addresses.

The Mariposa (Butterfly in English) botnet was identified in May 2009 by researchers from a Canadian information security company named Defence Intelligence. The malware behind the botnet is an information stealing computer trojan, which has seen more than 200 variants to date.

In order to investigate and track the threat more efficiently, security experts from various organizations, including Defence Intelligence, Georgia Tech Information Security Center and Spanish antivirus vendor Panda Security have established the Mariposa Working Group (MWG). The group closely cooperated with the FBI and their Spanish counterpart, La Guardia Civil (the Civil Guard).

The experts managed to hijack the botnet in December, but the cyber-criminals, who called themselves the Días de Pesadilla Team (the Nightmare Days Team), regained control and retaliated with crippling Distributed Denial of Service (DDoS) attacks. A second, more successful takeover allowed researchers to count the number of IP addresses trying to access the Command and Control (C&C) servers and get an idea of the threat’s true scope.

“We were shocked to find that more than 12 million IP addresses were connecting and sending information to the C&C servers, making Mariposa one of the largest botnets in history,” notes Luis Corrons, technical director of PandaLabs, Panda Security’s malware intelligence laboratory. It was also discovered that the gang leased parts of the botnet to other cyber-crooks or sold DDoS services.

In addition, on the infected computers, the trojan displayed rogue ads while surfing the Web and altered Google search results. It also stole personal and financial information, such as online banking credentials and other usernames and passwords.

The authorities were able to identify F. C. R., a 31-year-old bot herder known online as “Netkairo,” after he slipped and accidentally revealed his home IP address. He was arrested by the Spanish Civil Guard in his home town of Balmaseda last month.

Data collected from Netkairo’s computer led to the capturing of two other accomplices, identified only as J. P. R., 30, a.k.a. “jonyloleante”, and J. B. R., 25, a.k.a. “ostiator.” A fourth co-conspirator is believed to be located in Venezuela.

Stolen information belonging to 800,000 users was also found, as well as data belonging to companies, government institutions and educational organizations in 190 countries. “It would be easier for me to provide a list of the Fortune 1000 companies that weren’t compromised, rather than the long list of those who were,” commented Defence Intelligence’s CEO Christopher Davis.

Credit: Softpedia.com News

Microsoft has confirmed that an unpatched Internet Explorer vulnerability makes it potentially dangerous to press F1 if you are running earlier versions of Windows.

A security bug in the VBScript technology bundled with Internet Explorer means that it might be possible to create a web site that displays a specially crafted dialog box that pushes malware providing a victim is tricked into pressing the F1 (help menu) key while viewing a booby-trapped site using Internet Explorer. The novel exploit technique works on older versions of Windows (Win 2000, XP and Server 2003). Vista, Windows 7 and Windows Server 2008 are immune.

Proof of concept code is reportedly in circulation but Microsoft said: “We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time.”

Redmond went on to criticise security researchers for not coming to them with the problem first in an advisory, published on Monday.

“Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone’s best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.”

The advisory expands on an earlier holding statement in providing a list of potentially vulnerable systems, a preliminary risk assessment and suggested workarounds. Redmond security gnomes are still investigating the flaw but a decision to develop a patch looks like a big odds-on favourite if past form holds true.

Microsoft gave no indication of when a patch might become available but the next scheduled Patch Tuesday is only six days away, cutting it very fine to develop, much less test, a fix. An April or even May update for IE seems more likely.

Credit: The Register

The name of the popular file analysis service VirusTotal is being abused by cyber-crooks to infect users with scareware. A recent forum spam campaign tries to trick people into visiting a malicious website hosted at virus-total.in.

VirusTotal.com has been well known as free virus and malware online scan service which allows submitters to test a particular file against a multitude of malware scanners. So, it’s not highly surprising that malware authors would try to use that name to further their gain.

Security researchers from Sophos reported a spam run promoting the rogue virus-total domain, as a private message on a forum. The message employs scare tactics in order to frighten users into visiting the scareware-pushing website.

The message looks like this:

Subject: Warning!

DO NOT REPLY TO THIS EMAIL!
***************************

Dear [Redacted forum user name],

You have received a new private message at [Redacted] Forum from [Redacted], entitled “Warning!”.

To read the original version, respond to, or delete this message, you must log in here:
http://[Redacted]

This is the message that was sent:
***************
Dear, [Redacted forum user names]

There are viruses’ activities from your computer! Highly recommend you to scan your computer for malicious and potentially unwanted software. If you do not follow this, I will have to make a complaint to your Internet Service Provider with attached log file (your IP address, etc.). If you want to find a report about your computer’s security and solve every problem with it, please click here: http://www.virus-total.[TLD removed]/detected/[Redacted] This is an online service that you can use for free spyware removal. Use it to scan your computer to help protect, clean, and keep your computer running at its best. Use the free scan to check for and remove viruses, spyware, and other potentially malicious software and to find vulnerabilities or shortcomings in your Internet security.

Thank you. Yours truly, [Redacted].
***************

This attack clearly targets VirusTotal.com, a popular free service which allows users to scan suspicious files with over 40 antivirus engines and other tools. Julio Canto, VirusTotal’s project manager, issued an alert about the rogue virus-total.in website via Twitter.

The site displays bogus security warnings and fake antivirus scans to unsuspecting visitors, tricking them into installing a scareware program called SecurityTool. Rogue security programs such as these are commonly used by cyber-criminals to charge money for useless licenses and steal credit card details.

The above popup would follow by the loading of a fake scanning page inside the browser:

One of the interesting parts of this fake page is that the “Windows Security Alert” pop-up is actually a time-delayed object inside the page. Even though the box looks like a window box from Windows XP, it is not moveable at all.

When the fake scanning completes, another pop-up will be generated asking the user to download a file called security_tool_setup.exe. Needless to say, this file is malicious and is yet another one of the Fake Antiviruses.  This executable has already been proactively detected by Sophos as Mal/FakeVirPk-A.

“An unfortunate side effect of a scam like this is that the real VirusTotal could start to receive emails from irate victims of the fake site claiming they’ve ‘infected my PC’ – fingers crossed it doesn’t get to that stage. Remember: the REAL domain for VirusTotal is Virustotal.com. Don’t fall for this scam!” Sunbelt’s Chris Boyd advises.

Another unusual aspect of this attack is the threat of filing a complaint with a user’s ISP about the virus activity alleged in the spam message. This statement comes at a time when ISPs have announced initiatives to identify compromised computers on their networks and take proactive measures to clean them.

Credit: Softpedia.com News, SophosLabs Blog

A Russian security researcher on Thursday said he has released attack code that exploits a critical vulnerability in the latest version of Mozilla’s Firefox browser.

The exploit - which allows attackers to remotely execute malicious code on end user PCs - triggers a heap corruption vulnerability in the popular open-source browser, said Evgeny Legerov, founder of Moscow-based Intevydis. He recently added it as a module to Vulndisco, an add-on to the Immunity Canvas automated exploitation system sold to security professionals.

“We’ve played a lot with it in our labs - it was very reliable,” Legerov wrote in an email to The Reg. “Works against the default install of Firefox 3.6. We’ve tested it on XP and Vista.”

The report comes as Mozilla pushed out a Firefox update that tackles three critical vulnerabilities in version 3.5.7. One of those bugs is also described as a heap corruption vulnerability, but Legerov said the flaw is different from the one his code exploits.

Mozilla issued a statement that read in part: “Mozilla takes all security vulnerabilities seriously, and have as yet been unable to confirm the claim of an exploit. We value the contributions of all security researchers and encourage them to work within our security process, responsibly disclosing vulnerabilities to ensure the highest level of security and best outcome for users.”

Legerov said his firm does not provide advanced notification to software makers under an arrangement often referred to as responsible disclosure.

If Legerov’s claim pans out, it would be one of the few times in recent memory that a zero-day vulnerability for Firefox has circulated in the wild. While the exploit is currently available only to those who pay a hefty licensing fee, wider circulation can’t be far behind.

Credit: The Register

Two Firefox add-ons available for months on Mozilla’s website infected users with malware that stole passwords and opened a backdoor on Windows machines, the open-source browser maker has confirmed.

The add-ons, available on an experimental section of Mozilla’s official add-on download site carried trojans that have been detected since 2008 by commercial anti-virus products. And yet they weren’t removed until late January and earlier this week because a scanning tool used to vet add-ons during upload failed to catch the malicious files.

“If a user installs one of these infected add-ons, the trojan would be executed when Firefox starts and the host computer would be infected by the trojan,” a note on Mozilla’s add-on blog stated. “Uninstalling these add-ons does not remove the trojan from a user’s system.”

Instead, infected users will need to thoroughly scan their machines with an anti-virus program. Or better yet, use multiple scanners, or simply reinstall the operating system to be on the safe side.

This isn’t the first time Mozilla has served malware-laced add-ons to its loyal base of users. In May 2008, a Vietnamese language pack for Firefox 2 contained a viral infection that resulted in users seeing unwanted ads. The add-on was downloaded almost 17,000 times before it was pulled.

In the most recent case, version 4 of the Sothink Web Video Downloader add-on installed a password sniffer dubbed Win32.LdPinch.gen and was downloaded about 4,000 times between February 2008 and May 2008. A separate add-on called Master Filer was laced with a backdoor trojan known as Win32.Bifrose that was downloaded 600 times between September 2009 and January of this year.

Mozilla removed Master Filer on January 25 and nixed Sothink on Tuesday.

The blog post said Mozilla added two new scanners to its validation chain. It was this change that allowed the organization to detect version 4 of the Sothink Web Video Downloader.

Versions greater the 4.0 of the video downloader add-on were not infected, Mozilla’s blog post stated. Both infections affected only Windows users of the open-source browser.

Credit: The Register

If you use any version of Internet Explorer to surf Twitter or other Web 2.0 sites, Jorge Luis Alvarez Medina can probably read the entire contents of your primary hard drive.

The security consultant at Core Security said his attack works by clicking on a single link that exploits a chain of weaknesses in IE and Windows. Once an IE user visits the booby-trapped site, the webmaster has complete access to the machine’s C drive, including files, authentication cookies - even empty hashes of passwords.

This isn’t the first time security researchers at Core have identified security weaknesses in IE. The company issued this advisory in 2008 and this one in 2009, each identifying specific links in the chain that could potentially be abused by an attacker.

“Every time we reported this to Microsoft, they were fixing just one of the features,” Medina said in a telephone interview from Bueno Aires. “Every time they [fixed] it, we managed another way to build the attack again.”

Medina said he has fully briefed Microsoft on his latest attack, which he plans to demonstrate at next month’s Black Hat security conference in Washington, DC. Microsoft’s “rapid response team” didn’t reply to an email, but a statement sent to other news outlets said the company is investigating the vulnerability and isn’t aware of it being exploited in the wild.

The hole is difficult to close because the attack exploits an array of features IE users have come to rely on to make web application work seamlessly. Simply removing the features could neuter functions such as online file sharing and active scripting, underscoring the age-old tradeoff between a system’s functionality and its security.

Based on Medina’s characterization, it appears that fixing the weakness will require changes in a Windows network sharing technology known as SMB, or server message block, as well as the way Windows makes file caches available to a wide variety of applications.

“The things we are reporting are not bugs, they are features,” Medina said. “They are needed for many applications to work, so [Microsoft] can’t simply remove or truncate” them.

IE suffers from at least one other long-standing security bug that can enable attacks against people browsing websites that are otherwise safe to view. It can be exploited to introduce XSS, or cross-site scripting, exploits on webpages, allowing attackers to inject malicious content and code. Microsoft has said it’s unaware of this vulnerability being exploited.

Core’s previous advisories contain a number of workarounds, including setting the security level for the internet and intranet zones to high to prevent IE from running scripts or ActiveX controls.

Credit: The Register

Initially perhaps conceived as a prank targeting a small community of bikers in central Slovakian region, the worm Win32/Zimuse.A and Win32/Zimuse.B has achieved worldwide notoriety. It is a type of threat that overwrites MBR (Master Boot Record) of all available drives with its own data, making the data stored on the user’s computer inaccessible. Moreover, the restoration of the corrupted data is complicated, requiring specialized software or a provider.

Since the worm’s inception, ESET has detected it on hundreds of computers of its users. Initially after the outbreak, only users in Slovakia were affected – accounting for over 90% of all infections. Presently, the greatest number of infected computers is in the United States, followed by Slovakia, Thailand and Spain, followed with Italy, Czech Republic and other European countries.

The worm uses two ways to spread – either via embedding in legitimate websites, in the form of a self-unpacking ZIP file or as an IQ test program, or via Exchangeable media, such as USB devices. The fact that it relies on USB devices to propagate is responsible for its rapid dissemination, which is likely to increase even further.

To date, the worm’s two variants - Win32/Zimuse.A and Win32/Zimuse.B differ in the method of spread and the timing of activation. While the A-variant needs 10 days to start spreading via USB devices, its B-variant needs only 7 days since infiltration. Moreover, the time needed for the execution of the destructive routine is shortened in the B-variant from the original 40 days to 20.

Moreover, if the right removal method is not used, the worm shifts to its destructive mode. This is similar to making the right choice on which wire to cut, and in what sequence in a bomb-defusing operation.

There is a widely held suspicion that the worm was intended to infect the computers of fans of a motorcycle club in the central Slovakian Liptov region, however, it has spread beyond this target group once it started attacking company networks. What’s more, the infiltration was reminiscent of the well-known OneHalf threat in the worm’s behavior, the country of origin (both originating in Slovakia), and the inflicted damage – causing the total paralysis of the system it attacks.

The infiltration does not posses a degree of sophistication that would encrypt the data on the disk, instead it was designed to corrupt the MBR (Master Boot Record) of physical disk drives. It emulates the old-time threats in that it is timed to go off – in this case in 40 days since the infiltration.

Credit: ESET.eu

The University of Exeter in South West of England experienced serious problems with its computer network earlier this week due to a virus outbreak. Systems running Microsoft Windows Vista with Service Pack 2 seem to have been particularly affected by the unnamed malware.

The problems started on Monday when a computer virus was introduced onto the network. “Experience of dealing with data corrupting viruses elsewhere indicates that it is essential to shut down the network ASAP to avoid so many machines and files being corrupted that it takes weeks to recover. Therefore, although this is a PC rather than a network problem, we had to shut down the network to isolate the virus,” announced David Allen, the university’s registrar and deputy chief executive.

The exact name of the virus has not been disclosed, but ZDNet cites insider sources according to which, it exploits the vulnerability described in Microsoft’s MS09-050 Security Bulletin. “This is a completely new virus and we are the only organisation in the world to experience it. None of the mainstream virus software suppliers have seen this virus, and as such, there is no fix,” a leaked internal e-mail from the IT department allegedly reads.

Mr. Allen also pointed out that a security expert had been called on site to assist with the cleaning efforts. Apparently, this malware has only been detected on computers running Windows Vista and the specialized staff plans to check all such systems. This would suggest that the “virus” can spread from one computer to another, which would technically make it a computer worm.

“University campuses are, of course, complex beasts and the IT teams who secure them can have a tough job. The problem is compounded by having a massive userbase of students who may plug their own devices into the network, or may show little care for the security of a communal computer and put it at unnecessary risk,” notes Graham Cluley, senior technology consultant at antivirus vendor Sophos.

The network is slowly being brought back online, beginning with buildings that do not use Windows Vista computers. Several services such as Outlook Web Access and the MyExeter Web portal remain functional, but other network-dependent equipment like VoIP telephones or interactive teaching boards are unusable.

The University of Exeter has almost 16,000 students and three campuses, two in Exeter and one in Cornwall. The Cornwall campus is shared with the University College Falmouth and was isolated from the affected network immediately after the threat was discovered.

Credit: Softpedia.com News

Microsoft published an advisory today about a critical security vulnerability in all versions of Internet Explorer (apart from version 5). While all versions of Internet Explorer are affected, the risk for everyone running Internet Explorer 8 is lower since it has DEP (Data Execution Prevention) enabled by default.

According to McAfee, hackers who breached the defenses of Google, Adobe Systems and at least 32 other companies used this vulnerability to carry out at least some of the attacks.

The previously unknown flaw in the IE browser was probably just one of the vectors used in the attacks, McAfee CTO George Kurtz wrote in a blog post. Using a sophisticated spear-phishing campaign, the perpetrators included malicious links exploiting the bug in emails and instant messages sent to employees from at least three of the targeted companies.

Contrary to previous speculation, there was no evidence vulnerabilities in Adobe’s Reader or Acrobat applications were used in any of the attacks, Kurtz said. In its own statement, adobe concurred, saying researchers “have not been able to obtain any evidence to indicate that Adobe Reader or other Adobe technologies were used as the attack vector in this incident.”

Kurtz said his findings were based on malware samples taken from “three to five” of the targeted companies and he stressed that other zero days or exploits could have been used against other victims.

“In our investigation we discovered that one of the malware samples involved in this broad attack exploits a new, not publicly known vulnerability in Microsoft Internet Explorer,” Kurtz wrote. “Our investigation has shown that Internet explorer is vulnerable on all of Microsoft’s most recent operating system releases, including Windows 7.”

Shortly after the report, Microsoft confirmed the new IE vulnerability was “one of the vectors used in targeted and sophisticated attacks against Google and possibly other corporate networks.” A company statement said the attacks were carried out against version 6 of the widely used browser and suggested users protect themselves by enabling security features that have been added to successor versions.

McAfee’s report is the latest to shed light on one of the most significant cyberattacks in years. Google first disclosed the “highly sophisticated and targeted attack” on Tuesday, saying it originated in China and targeted its intellectual property. It added that 20 other companies suffered similar assaults, a number that independent researchers soon raised to 34. So far, only Google and Adobe have been identified as victims.

Yahoo, Symantec, Northrop Grumman and Dow Chemical have also been penetrated according to The Washington Post, citing unnamed “congressional and industry sources.”

The malware that McAfee researchers analyzed was sent to a highly select group of employees of a handful of companies that Kurtz declined to identify.

“This wasn’t something that got blasted to 300,000 people in a corporation,” Kurtz said in an interview with The Register. “It was really targeted at senior technology leaders that had access to core pieces of intellectual property, source code, et cetera.”

Kurtz has dubbed the attack “Aurora,” a reference to the filepath on the attacker’s machine that showed up in some of the malware code McAfee researchers analyzed. They believe that is the name the attackers gave to the operation. There was nothing in the binaries that indicated either way whether the code writers spoke Cantonese or Mandarin or were located in China.

The IE vulnerability stems from an invalid pointer reference that when exploited allows an attacker to execute malicious shell code on underlying machines. The malware caused exploited machines to download further malicious scripts that installed a backdoor. The machines then connected to command and control channels that were hosted on servers that resided in the US and Taiwan.

A security feature known as data execution prevention, which prevents data loaded into memory from being executed, will block the particular exploits McAfee has observed. But Kurtz warned the vulnerability exists in all versions of IE except for IE 5.01, service pack 4, and that it would be possible for attackers to work around the protection.

In an advisory, Microsoft recommended people use DEP, which by default is enabled in IE 8 but must be turned on in prior versions. The statement also advised users on Vista and later versions of Windows to run IE in protected mode. The advisory didn’t say when an update would be released that patches the vulnerability.

Credit: The Register, SANS ISC

A Romanian grey hat hacker has disclosed an SQL inject (SQLi) vulnerability on a website belonging to the United States Army, which leads to full database compromise. The website, called Army Housing OneStop, is used to provide information about military housing facilities to soldiers. The website has been taken offline.

The Army Housing OneStop (AHOS) is “the official Army website for soldiers who need information about Military Family Housing (MFH), Unaccompanied Personnel Housing (UPH) and/or Community (Off-Post) Housing. It includes both comprehensive and quick-reference information for Army installations worldwide.”

A self-confessed security enthusiast, who goes by the online handle of TinKode, documented a proof-of-concept attack against the onestop.army.mil on his personal blog. The published screenshots reveal that the Web server runs on Microsoft Windows 2003 with Service Pack 2 and the database engine used to power the ASP website is Microsoft SQL Server 2000:

#Version: Microsoft SQL Server 2000 - 8.00.2282 (Intel X86) Dec 30 2008 02:22:41 Copyright (c) 1988-2003 Microsoft Corporation Enterprise Edition on Windows NT 5.2 (Build 3790: Service Pack 2
#User: Dynatouch
#Database: AHOS
#Host Name: AHSGSVDAHQIT130

The AHOS website seems to have been developed by DynaTouch Corporation, a third-party government contractor that provides software and hardware solutions to create “self-service kiosk systems.” The company’s client portfolio includes a long list of local and federal government organizations.

There are a number of 76 databases on the server, but TinKode focused his attention on the one called “AHOS.” There are various tables in this database containing general website configuration information, but two in particular stand out as they are called “mgr_login” and “mgr_login_passwords.”

Upon investigating the latter, the hacker stumbled upon passwords stored in plain text, a major security oversight. Storing cryptographic hashes instead of the actual password strings has been a common practice in Web application programming for years now. Furthermore, if for convenience the hashes are generated with a weak algorithm, a technique known as “salting” can be employed to make them nearly impossible to crack.

In a time when even the most amateur programmers follow such security practices, the fact that many business or government websites do not boggles one’s mind. Additionally, the administrative account is called “Dynatouch” – who would have guessed that? – and its password is “AHOS” – yes, really.

Credit: Softpedia News