Tag Archive | "Exploit"

Website exploit allows spam to be sent from Google.com (with real headers)

A 21-year-old Armenian calling himself “Vahe G” has uncovered a way of sending spam to Gmail users, just by them visiting an exploited webpage.

TechCrunch reports that they confirmed the vulnerability by visiting an affected page on Blogspot (Google’s own blogging platform) while logged into Gmail, and receiving an immediate email from Google’s servers. In other words, the headers were not forged.


Although this particular exploit appears to have been set up for mischief, more malicious hackers could easily have exploited the vulnerability to spread the typical money-making spam we often see or to distribute malware or a phishing attack. Users might be much more likely to click on a link if they saw it really did come from Google, and could put their personal data in danger.

The good news is that now Google is aware of the issue, and says that it has rolled out a fix:

We quickly fixed the issue in the Google Apps Script API that could have allowed for emails to be sent to Gmail users without their permission if they visited a specially designed website while signed into their account. We immediately removed the site that demonstrated this issue, and disabled the functionality soon after. We encourage responsible disclosure of potential application security issues to security@google.com.

Nevertheless, security issues like this are a real concern as more and more people rely upon email communications, and their webmail providers to deliver a reliable, filtered inbox. This was a serious security hole. — Naked Security – Sophos

Posted in Antivirus | Comments (2)

PDF Exploit Invites you to the Nobel Prize – Malware Cocktails on the House

Political and social events with a sprinkle of social engineering seem to be the most successful recipe for cybercrime.

Source: MalwareCity Blog

Posted in Antivirus | Comments Off

Exploit kit inclusion could make IE 0-day a big headache



Microsoft last week published a security advisory alerting users to a flaw in Internet Explorer 6, 7, and 8 that allowed remote code execution. At the time of the advisory, the flaw was seeing limited exploitation in targeted attacks. That situation could now change with reports that exploits of the security flaw have been incorporated into an exploit kit.

The result is that anyone with a few hundred dollars to spare has access to an Internet Explorer zero-day attack, opening up the door to widespread exploitation of the browser. Proof-of-concept code has been available since Microsoft’s original advisory, but the inclusion of the exploit in the Eleonore exploit kit makes it much easier for relatively unskilled hackers to develop monetizable exploits that deliver payloads of their choosing.

Though the initial attacks were reportedly blocked by countermeasures such as DEP, and hence could not exploit Internet Explorer 8 in its default configuration, this too could change as the flaw is combined with existing DEP workarounds. The existing proof-of-concept code leaves such improvements as an exercise for the reader.

Though Microsoft is aware of the flaw, a patch will not be included in today’s Patch Tuesday patches. Thus far, the company has not said when a patch will be released, though inclusion of an exploit in a toolkit means that it will be under additional pressure to release an early patch rather than waiting for December’s Patch Tuesday.


View full post on Security

Posted in Security | Comments Off

Danger to IE users climbs as hacker kit adds exploit

Microsoft will likely issue an emergency fix for an unpatched IE flaw after it was added to the Eleonore crimeware kit.

View full post on Computerworld Security News

Posted in Security | Comments Off

Black Hat promises new exploit techniques, Stuxnet insight

The Black Hat security conference will kick off in Abu Dhabi on Monday with new information revealed about the Stuxnet malicious software program along with other cutting-edge research.

View full post on Computerworld Security News

Posted in Security | Comments Off

Hackers exploit unpatched IE bug with drive-by attacks

Microsoft today warned that attackers are targeting Internet Explorer (IE) with an exploit of a critical unpatched vulnerability in all current versions of the browser.

View full post on Computerworld Security News

Posted in Security | Comments Off

CVE-2010-3654 exploit in the wild, (Mon, Nov 1st)

Remember the vulnerability we discussed in https://isc.sans.edu/diary.html?storyid=9835? It appears that there is an exploit for CVE-2010-3654 in the wild. Until Adobe publishes the security patches, consider the mitigation measures published in the APSA10-05 advisory.
More information at http://blog.fortinet.com/fuzz-my-life-flash-player-zero-day-vulnerability-cve-2010-3654/
– Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

View full post on SANS Internet Storm Center, InfoCON: green

Posted in Security | Comments Off

PDF exploit in action

Naked ladies as bait, one more time

One of the much-discussed PDF file exploits is circulating in SEO poisoned links. We found it by following links that popped up from a search for “Vanessa Hudgens No Clothes.”



The malcode takes advantage of a vulnerability in an out-of-date version of Adobe Reader (version 6.0) and it prompts a victim to download Java if it doesn’t find it on his machine. Adobe Reader 9.4, the current version, isn’t vulnerable.


Clicking on the “Available Updates” pop-up window runs the exploit which then installs a downloader that can infect the victim with any one of a rogue’s gallery of malicious code.


VIPRE detects it as Exploit.PDF-JS.Gen (v)

Thanks Patrick

Tom Kelchner

View full post on Sunbelt Blog

Posted in Antivirus | Comments Off

Zero-Day Vulnerability

Flash and Acrobat/Reader Hit by New Zero-Day Exploit

Zero-Day Vulnerability

This week is turning out to be a busy one for zero-day exploits. Days after such a bug was found in Firefox, it’s Adobe’s turn to have its products under the gun.

According to the official Adobe security advisory, both the Flash and Acrobat/Reader product lines have been confirmed vulnerable to this latest problem. All current Flash versions are affected, regardless of platform. The same is mostly true for Acrobat and Reader—all released 9.x versions of Acrobat and Reader are affected though older 8.x versions are not. Neither is the Android version of Reader affected. Adobe states that attacks against Acrobat and Reader are in the wild but that no exploits have been found (so far) hitting Flash.

If exploited, the vulnerability causes a system to crash and potentially allows random code execution. More details on this particular flaw have not yet been released but it appears to be very similar to the June zero-day vulnerability. As in the June attack, the vulnerable component lies in Flash. Acrobat and Reader were just both affected because they include what is, in effect, an embedded Flash Player in the file authplay.dll.

For Acrobat and Reader, Adobe’s official advice is to remove the vulnerable component. Instructions for doing so may be found at the Adobe page linked to earlier. Mitigation for Flash is only possible with Firefox, as certain extensions such as Flashblock and NoScript allow users to selectively load Flash files, protecting themselves from this flaw.

Official fixes are due by November 9 for Flash and by November 15 for Acrobat and Reader.

View full post on TrendLabs | Malware Blog – by Trend Micro

Posted in Antivirus | Comments Off

Hackers exploit newest Flash zero-day bug

Adobe today confirmed that hackers are exploiting a critical unpatched bug in Flash Player, and promised to patch the vulnerability in two weeks.

View full post on Computerworld Security News

Posted in Security | Comments Off


Nobel Prize Site Infected to Serve 0-Day Firefox Exploit

Security software company Norman has detected a 0-day vulnerability in Firefox 3.5 and 3.6 being used by malware in the wild. This morning the Nobel Prize web site was compromised to serve the malware to users.

The vulnerability allows drive-by installs so Firefox users could have been infected without knowing. Norman calls the malware Belmoo and rates the threat risk “low.” After exploiting the Firefox vulnerability the malware creates an executable in the \Windows\temp directory and sets it to run at boot from the registry. The main task performed by the executable is to open up a connection through which a botmaster can control the system.

Mozilla has acknowledged the bug and is at work on a fix. In the interim, if you’re worried, you can disable JavaScript and/or run NoScript.

View full post on Security Watch

Posted in Security | Comments Off

What Are Exploit Kits?

I discussed exploit kits as part of the Botnet Wars Q&A conducted by Bart Parys for Malware Database. The article documents perspectives of several malware experts on the topic of exploit kits. I recommend reading the full Q&A if you’re interested in the topic. (The article is mirrored on Bart’s blog.)

Below is an excerpt of my contribution to the discussion.

Defining an Exploit Kit

An exploit kit, sometimes called an exploit pack, is a toolkit that automates the exploitation of client-side vulnerabilities, targeting browsers and programs that a website can invoke through the browser. Common exploit targets have been vulnerabilities in Adobe Reader, Java Runtime Environment and Adobe Flash Player.

It’s interesting to see that different specialists define an exploit kit/pack a bit differently, while agreeing on the general characteristics of this type of malware.

Characteristics of Exploit Kits

A key characteristic of an exploit kit is the ease with which it can be used even by attackers who are not IT or security experts. The attacker doesn’t need to know how to create exploits to benefit from infecting systems. Further, an exploit pack typically provides a user-friendly web interface that helps the attacker track the infection campaign.

Some exploit kits offer capabilities for remotely controlling the exploited system, allowing the attacker to create an Internet crimeware platform for further malicious activities.

For an overview of the key characteristics of common exploit kits, see Mila’s Overview of Exploit Packs, which includes a spreadsheet of exploit kit features.

Competing for Customers and Victims

An exploit kit is a launching platform used to deliver other payloads, which may include a bot, a backdoor, spyware or another type of malware. In this context, exploit kit authors and distributors compete for customers.

The ease of use and affordability of exploit packs make it possible even for people with low technical skills to become a “hacker,” be it for profit, politics or other reasons. The user-friendliness of the exploit kit’s control interface might be a market differentiator, helping it stand out from the competition.

Overall, it’s not uncommon for criminals of all shapes and sizes to battle one another for control. I’m not surprised we’re seeing such battles in the Internet world as well. Though there are a lot of potential targets for competing attackers to infect, it’s natural for the attacker to wish to assert full control over a newly compromised system. If the host is already infected, the new attacker will need to remove the presence of the competing entity. It’s a variation of the children’s game King of the Hill, though obviously with more severe repercussions.

Exploit Kits and Geographic Boundaries

Some exploit kits are developed and marketed in a specific country and, therefore, will be used more widely by attackers who speak that language or who frequent those forums. However, the “beauty” of exploit kits is that they can be developed in Country A, sold in Country B, and used in Country C to attack Country D using systems hosted in Country E. As a result, it is hard to attribute malicious activity to actors located in a particular country simply by looking at the IP addresses observed during the immediate attack.

Resisting Exploit Kit Attacks

Though some exploit packs target zero-day vulnerabilities, a large number of exploits go after vulnerabilities for which patches exist. End-users and organizations should look closely at how they keep up with security patches on the desktop. End-users at home can use auto-update mechanisms of the targeted applications or specialized tools such as Secunia PSI. Enterprise environments should use automated tools to identify vulnerable systems, install relevant patches and validate that the patches are installed. It’s also important to lock down the environment so that when an individual system is affected, the attack is contained and discovered quickly.

Lenny Zeltser

View full post on Lenny Zeltser on Information Security

Posted in Security | Comments Off


Java’s the New Home of the Malicious Exploit

In a posting yesterday on Adobe Reader X I noted that, due to increased security vigilance on Adobe’s part, PDF files were no longer the leading vehicle for software exploit-driven malware. That dishonor belongs to Sun’s Oracle’s Java.

Others took notice of the same phenomenon. A blog entry from Microsoft’s Malware Protection Center includes a graph which shows the extent of it: PDF exploits are flat, probably declining, and Java exploits are skyrocketing.

I don’t have hard data myself, but I suspect (hope?) that the reason is partly what made Reader into such an inviting target 2 or 3 years ago: large numbers of clients with old, unpatched versions of Java on their systems. In fact, due to the way Java worked until not too long ago, users may have several copies of it, each quite old, containing numerous exploitable vulnerabilities and individually callable by malware run by the user.

And exploit writers have great tools at their disposal. Metasploit has a Java Meterpreter which allows exploits written in Java. It works fine on Windows and Linux.

Want to see the Java Meterpreter in action?

Metasploit JAVA Meterpreter from NightRanger on Vimeo.

View full post on Security Watch

Posted in Security | Comments Off


Technical Analysis of Adobe Acrobat and Reader Zero-Day Exploit

Several weeks ago, a new Adobe Acrobat/Reader zero-day vulnerability was found and soon exploited in the wild. What’s most interesting about this particular exploit is how it used return-oriented exploitation (ROP) techniques to bypass some of Windows’ security features such as Data Execution Prevention (DEP). In addition, it uses a two-staged shellcode to perform its routine. The first stage uses ROP techniques to load the second stage. The second stage is what actually executes the malicious behavior and is sprayed into memory by JavaScript within the .PDF file itself.

Threats like these show how vulnerability threats, like malware, are evolving to become more sophisticated. Despite the best attempts of vendors such as Microsoft to incorporate new and emerging technology to make exploitation more difficult, those behind these threats are just as ready to grow and make life more difficult for users.

Static Analysis

Once we examined the .PDF file, we noticed a suspicious FontDescriptor object in it. (A FontDescriptor object describes a font used in the given .PDF file.)

The font’s stream is encoded with FlateDecode. Once we decoded this and found the SING table, we immediately saw something suspicious. The uniqueName field here is supposed to be a 27-character string encoded with 7-bit ASCII encoding and null-terminated.

However, the length of the data exceeds 28 bytes. This has all the hallmarks of a buffer overflow.


Debugging

Via static analysis, we now know which part of the .PDF file was used in the exploit. We can then use a debugger to verify this and see just how it was used. Once the malicious .PDF file was opened in Adobe Reader, a call to the strcat function was made. Let’s look at what was in the source buffer at the time.

We have seen this “A8AAAAAA…” before. It was actually the content of the uniqueName field from earlier. The destination buffer is on the stack with a fixed size. Combined, this causes an overflow.

After the overflow, a function pointer on the stack will be overwritten with the value 0x4a80cb38. This function pointer will be called later, effectively passing control of execution to the attacker.

Return-Oriented Exploitation

By itself, an overflow is not all that interesting nor unusual. However, this particular exploit used ROP to bypass one of Windows’ exploitation mitigation mechanisms, DEP. DEP tries to prevent attacks by disabling the execution of code that comes from nonexecutable pages in memory.

ROP is designed to defeat DEP by using parts of already-loaded code that are marked executable to perform its routines. The logic in ROP is that for any sufficiently large code base, a working exploit can be formed by reusing existing code and forming a “chain.”

The attacker chose the icucnv36.dll component of Reader to target. The said component does not support address space layout randomization (ASLR), which makes it more vulnerable to ROP attacks. The address mentioned earlier—0x4a80cb38—is the starting point in icucnv36.dll for this particular shellcode:

4a80cb38 81c594070000 add ebp,794h
4a80cb3e c9 leave
4a80cb3f c3 ret

These instructions serve as the start of the ROP chain by adjusting the stack pointer. Succeeding instructions point to the stack data used for the ROP chain. The stack data is sprayed into memory by JavaScript code within the malicious .PDF file. Here is a snippet of the code used:

The highlighted part will be the double word in memory with the value 0x4a801064 after some replacement and unescape operations.

The second stage shellcode, which actually performs the malicious routines, is also first sprayed into memory by JavaScript. After deobfuscation, this is what the code looks like:

%u52e8%u0002%u5400%u7265%u696d%u616e%u6574%u7250
%u636f%u7365%u0073%u6f4c%u6461%u694c%u7262%u7261
%u4179%u5300%u7465%u6946

This is native x86 code, which was used to carry out the actual malicious routines.

Returning to the first-stage ROP code after adjusting the stack pointer, the code looks for portions of icucnv36.dll, calling several APIs:

  1. It calls CreateFileA to create a file named “iso88591” (the file name is not important).
  2. It calls CreateFileMappingA with flProtect=0x40 (allows the file to be executed).
  3. It calls MapViewOfFile to map the created file.
  4. It calls memcpy to copy the second-stage code to the buffer, which points to the beginning of the shared mapping file.
  5. It jumps to the beginning of the file-mapping buffer. Since the memory is executable, it bypasses DEP protection.

View full post on TrendLabs | Malware Blog – by Trend Micro

Posted in Antivirus | Comments (4)

Hackers exploit latest Microsoft zero-day bug

Microsoft is warning users that hackers are exploiting the unpatched bug in ASP.Net to hijack encrypted Web sessions.

View full post on Computerworld Security News

Posted in Security | Comments Off

Twitter: Site Update Unleashed ‘OnMouseOver’ XSS Exploit

Twitter on Tuesday blamed this morning’s “onMouseOver” incident on a recent site update that unknowingly resurfaced a site exploit it discovered and patched last month.

View full post on PCMag.com Security Coverage

Posted in Security | Comments Off

Daniel Covington death spam leading to Rogue AV and Phoenix exploit kit

Websense Security Labs™ ThreatSeeker™ Network has detected a new virus spam outbreak after Daniel Covington's death. Websense customers were proactively protected against the malicious code by our Advanced Classification Engine (ACE).


Most popular sports Web sites have reported this news: Daniel Covington, a former Louisville football player, was shot and killed after an altercation in downtown Louisville in the early hours of the morning on Sep 16, 2010. Of course, hackers never miss a chance to extend their criminal activities, and this time Daniel Covington has been their victim.


Let's track their vicious trail. Firstly, they send thousands of spam messages with a subject of "Daniel Covington die" to attract people's attention on the Internet.


Screenshot of the email:


Be careful of the HTML attachment: don't click it, as it hides malicious obfuscated JavaScript code and the obfuscation technique has been mentioned in our previous blog.


Let's see how evil they are. If a recipient clicks the HTML file, they will be redirected to two malicious sites. One site contains rogue AV, and the other one includes a Phoenix exploit kit – a well known kit used by web attackers.


"Daniel Covington die" is not the only theme in this campaign. We have also found the virus spam in emails with these subjects:

    * America's Got Talent
    * Cops kill active shooter at Johns Hopkins Hospital
    * Church of Body Modification
    * failure notice
    * Jackie Evancho and Sarah Brightman
    * NFL Picks Week 2


View full post on Security Labs

Posted in Antivirus | Comments Off

Jailbreak iOS 4.1: Hackers quickly find an exploit for 4.1 (Digital Trends)

Digital Trends – Hours after Apple released its iOS 4.1 update, coders have identified an exploit in the operating system’s boot ROM. First announced by iPhone Dev-Team member pod2g on Twitter, it has since been confirmed by other hackers.

View full post on Yahoo! News: Security News

Posted in Security | Comments Off

Adobe Flash under fire with another zero-day exploit (Digital Trends)

Digital Trends – Less than a week after warning users about a zero-day exploit in its PDF software, Adobe found another zero-day exploit in Flash. Adobe said hackers are already taking advantage of a critical flaw in the current version of Flash to attack Windows PCs to “cause a crash and potentially allow an attacker to take control.”

View full post on Yahoo! News: Security News

Posted in Security | Comments Off

Enhanced Mitigation Experience Toolkit can block CVE-2010-2883 exploit, (Mon, Sep 13th)

Handler Daniel wrote a story about the Enhanced Mitigation Experience Toolkit (EMET) on September 2. This tool can now be used to successfully block the Adobe Reader and Acrobat CVE-2010-2883 exploit. More information at http://blogs.technet.com/b/srd/archive/2010/09/10/use-emet-2-0-to-block-the-adobe-0-day-exploit.aspx

More details about EMET at http://technet.microsoft.com/en-us/security/ff859539.aspx

– Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

View full post on SANS Internet Storm Center, InfoCON: green

Posted in Security | Comments Off

Microsoft helps Adobe block PDF zero-day exploit

Microsoft and Adobe are urging users to run Microsoft’s Enhanced Mitigation Experience Toolkit to block ongoing attacks against the popular PDF viewer software.

View full post on Computerworld Security News

Posted in Security | Comments Off

New Adobe 0day exploit in the wild

Early this week Adobe released a new security advisory about a critical vulnerability found in its Adobe Acrobat and Acrobat Reader applications. The Internet Storm Center also issued a security advisory about the same exploit after it was found in the wild.

Here at Prevx labs we have had reports of this infection since September 8th, 2010, when our community database automatically detected the dropped malware code.

Actually the exploit itself is not trivial at all, and it looks like the work of one or more skilled programmers. While we are seeing more and more PDF exploits targeting Adobe Acrobat and Adobe Acrobat Reader products, we must admit this one is a really rare exploit.

It is able to fully bypass both Data Execution Prevention and Address Space Layout Randomization, techniques used to prevent stack overflow, heap overflow and return-to-libc attacks. Actually, most of the job has been done by Adobe, by using insecure functions, more than by the attackers themselves.

Indeed the exploit is effective due to a couple of programming errors that should have been fixed years ago.

The exploit is triggered when Adobe Reader tries to load and parse a TrueType Font which contains a malformed SING table. When analyzing the exploit, we spotted that the bug is inside the CoolType.dll library installed by Adobe products.

To be more exact, when parsing the SING table, it makes use of a deprecated function called strcat, used to append one string to another. This function is well known to be insecure because it doesn’t check for sufficient space in the destination buffer before appending the source string. There are more secure functions available to the programmer, like strcat_s or just strncat. Why is this module still using an old, deprecated and insecure function like strcat? Why do Adobe programmers still use it?
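A defender-side check for the condition both analyses describe (the Trend Micro static analysis of the SING table earlier on this page, and the strcat explanation in the paragraph above): parse the font’s table directory, locate the SING table and verify that uniqueName is NUL-terminated within its 28 bytes, which is what a bounded parser does and strcat does not. This is an added example, not code from either post; the SING field layout (eight 16-bit header fields before uniqueName) is assumed from the public SING table specification, and the sample fonts are constructed stubs, not real fonts.

```python
import struct

# SING table layout (assumed from the public SING spec, not from the posts):
# eight 16-bit header fields (16 bytes), then the 28-byte uniqueName field.
SING_TAG = b"SING"
UNIQUE_NAME_OFFSET = 16
UNIQUE_NAME_SIZE = 28          # 27 characters plus a NUL terminator


def parse_table_directory(font: bytes) -> dict:
    """Return {tag: (offset, length)} from an sfnt (TrueType/OpenType) header."""
    if len(font) < 12:
        raise ValueError("too short for an sfnt header")
    num_tables = struct.unpack_from(">H", font, 4)[0]
    tables = {}
    for i in range(num_tables):
        rec = 12 + 16 * i
        if rec + 16 > len(font):
            raise ValueError("truncated table directory")
        tag, _checksum, offset, length = struct.unpack_from(">4sIII", font, rec)
        if offset + length > len(font):
            raise ValueError("table %r points outside the font" % tag)
        tables[tag] = (offset, length)
    return tables


def check_sing_table(font: bytes) -> dict:
    """Inspect the SING uniqueName field the way a bounded parser (not strcat) would.

    'copy_len' is how many bytes of the table an unbounded strcat would copy
    before reaching a NUL, i.e. the size the fixed stack buffer would need.
    """
    tables = parse_table_directory(font)
    if SING_TAG not in tables:
        return {"has_sing": False, "suspicious": False, "reason": "no SING table"}
    offset, length = tables[SING_TAG]
    table = font[offset:offset + length]
    if len(table) < UNIQUE_NAME_OFFSET + UNIQUE_NAME_SIZE:
        return {"has_sing": True, "suspicious": True, "reason": "SING table truncated"}
    field = table[UNIQUE_NAME_OFFSET:UNIQUE_NAME_OFFSET + UNIQUE_NAME_SIZE]
    nul = field.find(b"\x00")
    if nul == -1:
        # No terminator inside the 28-byte field: strcat keeps copying until the
        # first NUL anywhere after it, which is exactly the overflow described.
        end = table.find(b"\x00", UNIQUE_NAME_OFFSET)
        copy_len = (len(table) if end == -1 else end) - UNIQUE_NAME_OFFSET
        return {"has_sing": True, "suspicious": True,
                "reason": "uniqueName not NUL-terminated within %d bytes" % UNIQUE_NAME_SIZE,
                "copy_len": copy_len}
    if any(b > 0x7F for b in field[:nul]):
        return {"has_sing": True, "suspicious": True,
                "reason": "uniqueName contains non-7-bit-ASCII bytes", "copy_len": nul}
    return {"has_sing": True, "suspicious": False, "reason": "ok", "copy_len": nul}


# --- constructed samples: just enough sfnt structure to exercise the parser ---

def build_sing_table(unique_name: bytes, trailing: bytes = b"") -> bytes:
    header = struct.pack(">8H", 1, 0, 1, 0, 0, 1000, 0, 0)   # eight 16-bit fields
    return header + unique_name + trailing


def build_font(tables: dict) -> bytes:
    """Assemble a minimal sfnt container around the given {tag: data} tables."""
    num = len(tables)
    out = bytearray(struct.pack(">IHHHH", 0x00010000, num, 0, 0, 0))
    body = bytearray()
    data_start = 12 + 16 * num
    for tag, data in tables.items():
        out += struct.pack(">4sIII", tag, 0, data_start + len(body), len(data))
        body += data + b"\x00" * (-len(data) % 4)     # 4-byte alignment padding
    return bytes(out + body)


BENIGN_FONT = build_font({
    b"SING": build_sing_table(b"ExampleGlyphlet".ljust(UNIQUE_NAME_SIZE, b"\x00")),
})

# Mimics the observed sample: a long run of 'A' bytes with no NUL in sight.
MALFORMED_FONT = build_font({
    b"SING": build_sing_table(b"A" * 200),
})


if __name__ == "__main__":
    for label, font in (("benign", BENIGN_FONT), ("malformed", MALFORMED_FONT)):
        print(label, check_sing_table(font))
```

To use it on a PDF, first extract the embedded font stream (after FlateDecode, as the Trend Micro write-up did) and pass the decoded bytes to check_sing_table.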

Anyway, the stack is now overwritten, but this wouldn’t be enough to exploit the bug because CoolType.dll has been compiled with the /GS and /SAFESEH parameters. This means that a cookie is put on the stack just before the return address and that the module uses safe exception handlers.

So, overwriting the stack and manipulating the return address is not a feasible way to execute the exploit’s payload, because it would overwrite the security cookie too, resulting in an application crash. The same applies to overwriting the exception handler.

Whoever wrote the exploit is much more skilled than you might think; he deeply analyzed Adobe’s code, finding a piece of code inside the exploited routine that could be used as a jump to his own payload. By overwriting the function’s initial parameters on the stack, the exploit is able to force a specific function call to redirect the code flow to the malicious payload. Nothing else has been overwritten, no security cookie is altered; execution is simply passed to the exploit payload.

Usually at this point the payload is blocked by DEP, because it’s placed in a non-executable memory region. Another way to get around DEP is a return-to-libc attack that calls the VirtualProtect API to mark the overwritten memory region as executable. Yet this would not work here because of ASLR, which randomizes system modules’ base addresses at every system startup. So how does this exploit run its payload?

The technique used is really interesting and has been known for some years. It is called Return Oriented Programming, and it can be described as a way to control an application’s code flow by overwriting the call stack to indirectly execute selected instructions of the application code itself. The return-to-libc attack is a more specific instance of Return Oriented Programming.

To be able to use this technique, the attacker must know in advance the memory addresses he needs to redirect the code flow to. This would be quite difficult with ASLR running on the target PC, but once again Adobe gives the attacker a hand.

Adobe Acrobat and Acrobat Reader make use of a library called icucnv36.dll, which Adobe has not compiled with the /DYNAMICBASE parameter. This means that, by default, it is not randomized by Windows ASLR unless specifically set.

This is the perfect target the attacker was looking for. By using Return Oriented Programming the attacker is able to (ab)use icucnv36.dll code. He knows where the module imports specific functions and he can alter the call stack to re-use those functions. This way, the payload is able to call the CreateFileA, CreateFileMappingA, MapViewOfFile and memcpy APIs to copy and execute its own payload from a freshly allocated executable memory region.

The job is done. The exploit has bypassed both DEP and ASLR and is now able to run its own code, which is a trojan downloader able to download new malware onto the machine. At this time the website from which the trojan was downloading new malware has been shut down, though we are seeing more PDF exploits using the same technique to drop malware.

The trojan downloader dropped by the PDF exploit, called hlp.cpl, has been digitally signed. Yes, this is another case of a digital certificate stolen from its legal owner. This time the victim was an American financial institution called Vantage Credit Union. The malware appears to be digitally signed by this bank. Clearly it is not; their digital certificate has been stolen. The certificate has been revoked since September 9th, 2010.

Who claimed years ago that digital signatures were the solution to malware?

By the way, what can we learn from this attack? Adobe could easily have prevented this type of exploit. When developing software, please take time to respect secure development guidelines, don’t use deprecated functions, and make your own code DEP, ASLR and SAFESEH compatible to enforce the security of your software and the safety of the whole operating system.

A more detailed analysis has been published by security company Vupen at this link. While waiting for the security patch that Adobe should release soon, Windows users can use Microsoft’s EMET tool – Enhanced Mitigation Experience Toolkit – which enhances system security by tuning DEP and ASLR system settings.
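As an added illustration of the /DYNAMICBASE point above (my code, not Prevx’s): a small audit that reads a PE file’s DllCharacteristics word and reports whether a module opted in to ASLR and DEP, which is how one finds an icucnv36.dll-style module in an install before an attacker does. The sample images are constructed header-only stubs, not real DLLs; the flag values and the offset of DllCharacteristics (70 bytes into the optional header, for both PE32 and PE32+) come from the PE/COFF specification.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* flags from the PE/COFF specification.
DYNAMIC_BASE = 0x0040   # linked with /DYNAMICBASE: image opts in to ASLR
NX_COMPAT = 0x0100      # linked with /NXCOMPAT: image opts in to DEP
NO_SEH = 0x0400         # image uses no SEH at all (/SAFESEH data lives in the load config)


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics word from a PE file's optional header."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20                       # skip signature and COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):               # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header in both formats.
    return struct.unpack_from("<H", image, opt + 70)[0]


def audit_module(name: str, image: bytes) -> dict:
    """Report which exploit mitigations a module opts in to."""
    flags = dll_characteristics(image)
    return {
        "module": name,
        "aslr": bool(flags & DYNAMIC_BASE),
        "dep": bool(flags & NX_COMPAT),
        # A module loaded at a fixed address is a stable gadget source for ROP,
        # which is the role icucnv36.dll played in the exploit above.
        "rop_friendly": not (flags & DYNAMIC_BASE),
    }


def find_unrandomized(modules: dict) -> list:
    """Names of modules ({name: image bytes}) that lack /DYNAMICBASE, in input order."""
    return [name for name, image in modules.items()
            if audit_module(name, image)["rop_friendly"]]


def build_minimal_pe(dll_chars: int, pe32plus: bool = False) -> bytes:
    """Construct a header-only PE image (not loadable) with the given DllCharacteristics."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    machine = 0x8664 if pe32plus else 0x14C
    opt_size = 112 if pe32plus else 96            # optional header without data directories
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (DLL | EXECUTABLE | 32BIT)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt)


# Constructed stand-ins: one in the state the post describes for icucnv36.dll
# (no /DYNAMICBASE), one linked with both /DYNAMICBASE and /NXCOMPAT.
LEGACY_DLL = build_minimal_pe(0)
HARDENED_DLL = build_minimal_pe(DYNAMIC_BASE | NX_COMPAT)


if __name__ == "__main__":
    for name, image in (("legacy.dll", LEGACY_DLL), ("hardened.dll", HARDENED_DLL)):
        print(audit_module(name, image))
    print("modules usable as fixed-address gadget sources:",
          find_unrandomized({"legacy.dll": LEGACY_DLL, "hardened.dll": HARDENED_DLL}))
```

To audit a real install, read each DLL from disk and pass its bytes to audit_module; a module reporting rop_friendly is the one to rebuild or pressure the vendor about.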

View full post on Prevx Blog

Posted in Antivirus | Comments Off

Newest Adobe zero-day PDF exploit ‘scary,’ says researcher

The exploit for a critical unpatched bug in Adobe Reader that’s now circulating is ‘clever’ and ‘impressive,’ security researchers said this week.

View full post on Computerworld Security News

Posted in Security | Comments Off

Adobe PDF Zero-Day Exploit Discovered in the Wild

Just after Adobe released their Out of Band patch for CVE-2010-2862, We discovered a malware exploiting a new 0-day vulnerability in the wild. Similar to the iOS PDF jailbreak vulnerability and CVE-2010-2862, this 0day vulnerability also occurs while Adobe Reader is parsing TrueType Fonts. We’ve analyzed and confirmed that the vulnerability affects the latest Adobe Reader (v9.3.4).

This 0day vulnerability is a typical stack buffer overflow, and exploitation of this issue is expected to be relatively easy. Although the latest version of Adobe Reader has been compiled with stack protection (/GS), the exploit uses a Return Oriented Exploitation (ROP) technique to bypass /GS protection and DEP.

We saw a similar technique used to exploit an older Adobe TIFF parsing vulnerability. All this seems to point to the fact that ROP is gaining wider acceptance by malware writers to bypass DEP and existing stack protections.

McAfee Labs is coordinating with Adobe PSIRT currently and we’ve provided them with additional details on the bug. The Adobe team is actively working on this issue. There is no patch available at the time of writing this blog. Adobe Acrobat users are urged to update their security definitions for the various products.

McAfee protection to date:

  • McAfee Network Security Platform: Coverage provided under the signature 0x40293c00, UDS-HTTP: Adobe Reader Unspecified Buffer Overflow
  • DAT files: Coverage for known exploits provided in the 6099 DAT release under the signature Exploit-PDF.ps.gen
  • Host IPS: Generic Buffer Overflow protection provides partial coverage
  • FoundStone: The FSL package of September 8 includes a vulnerability check to assess if your systems are at risk

View full post on McAfee Avert Labs

Posted in Antivirus | Comments Off
