Microsoft Windows Animated Cursor Handling Vulnerability
".. any web page, email or content that can load an animated cursor can allow an attacker to take advantage of the vulnerability and run arbitrary code on the user's system."
A short overview by SANS of how the different email clients are reacting to the animated cursor vulnerability.
An unofficial fix for the animated cursor vulnerability from Eeye.
Related Articles:
Microsoft confirms animated-cursor flaw: Microsoft confirmed on Thursday that an attacker could take control of a user's system by exploiting a flaw in the way the company's Windows software handles animated-cursor files.
========================================
http://secunia.com/advisories/24659/
Microsoft Windows Animated Cursor Handling Vulnerability Secunia Advisory: SA24659
Release Date: 2007-03-30
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
OS:
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Storage Server 2003
Microsoft Windows Vista
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional
CVE reference: CVE-2007-0038
Description:
A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to an unspecified error in the handling of animated cursors and can e.g. be exploited by tricking a user into visiting a malicious website using Internet Explorer or opening a malicious e-mail message.
Successful exploitation allows execution of arbitrary code.
NOTE: The vulnerability is currently being actively exploited.
Solution:
Do not browse untrusted sites or view untrusted e-mails.
Provided and/or discovered by:
Discovered as a 0-day.
Independently discovered by Determina Security Research.
Original Advisory:
Microsoft: http://www.microsoft.com/technet/security/advisory/935423.mspx
http://blogs.technet.com/msrc/archive...-security-advisory-935423-posted.aspx
Determina:
http://www.determina.com/security_cen...ries/securityadvisory_0day_032907.asp
Other References:
US-CERT VU#191609:
http://www.kb.cert.org/vuls/id/191609
================================================================
Labels: Advisory, Microsoft, Virus, Vulnerability
Trojan.Linkoptimizer.B
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
CVE References: CVE-2003-0111, CVE-2005-4560, CVE-2006-0005, CVE-2006-3866, CVE-2006-4868, CVE-2006-6121
Trojan.Linkoptimizer.B is a generic detection for a family of Trojan horse programs that download dialer components, display pop-up advertisements and attempt to prevent removal by blocking security-related applications.
It has been reported that variants of Trojan.Linkoptimizer.B may be installed by visiting several different malicious Web sites while making legitimate searches on some popular search engines.
The initial domains returned by search engines may redirect users to other .com domains with random names which host different browser exploits.
Variants of Trojan.Linkoptimizer.B are installed by exploiting browser vulnerabilities including the following:
Microsoft Java Virtual Machine Bytecode Verifier Vulnerability (Security Focus Bugtraq ID 6221)
Microsoft Windows Media Player Plugin Buffer Overflow Vulnerability (Security Focus Bugtraq ID 16644)
Microsoft WMF Remote Code Execution Vulnerability (Security Focus Bugtraq ID 16074)
Microsoft Internet Explorer VML Remote Code Execution Vulnerability (Security Focus Bugtraq ID 20096)
Acer LunchApp.APlunch ActiveX Control Remote Code Execution Vulnerability (Security Focus Bugtraq ID 21207)
NOTE: At the time of writing, it has been reported that the installation of Trojan.Linkoptimizer.B and its variants works only for users with Italian IP addresses.
The exploits drop an executable file in the following folder:
%Temp%\[RANDOM NAME1].exe
Once executed, the variants of Trojan.Linkoptimizer.B create the following mutexes to ensure that only one copy of the threat is running on the compromised computer:
_x_mgr_
_x_hlp_
The variants may check whether a modem is installed on the compromised computer by enumerating the Remote Access devices and looking for one of the following strings, terminating if neither is found:
modem
isdn
It may create the following registry entries so that the threat is executed every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\"Debugger" = "%System%\[8 RANDOM LETTERS].[EXT]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\"Debugger" = "%System%\[FIXPART1][FIXPART2].exe"
NOTE: The security permissions of these keys are modified so that Administrator users will not be able to remove or change them.
The variants reportedly may create some of the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared\"sr" = "[RANDOM HEXADECIMAL VALUE]"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Shared\"sr" = "[RANDOM HEXADECIMAL VALUE]"
It may create some of the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent
HKEY_LOCAL_MACHINE\SOFTWARE\Macromedia\ShockPlayer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\[5 RANDOM LETTERS]
The Trojan variants attempt to resolve the following domain:
aondskwje.com
NOTE: The numeric IP address obtained from the DNS server is invalid. The address is decrypted and converted to a different IP address value depending on the variant.
The variants may try to download the following encrypted file:
[http://]196.238.242.23/view/logo[REMOVED]
csr
ctf
drv
dsk
hlp
lsa
man
mod
mon
net
sql
srv
svc
sys
tsk
upd
win
While copying itself into the %System% folder, the variant appends a variable amount of random data to itself and patches the security permissions of the file. It then locks the file so that it cannot be accessed, deleted or renamed.
If the operating system is Windows XP, 2000 or 2003, the variants may start the Task Scheduler service and add the following task in order to run when Windows starts:
Run: %System%\[FIXED_STRING][5 RANDOM LETTERS].exe
Run as: NT AUTHORITY\System
Schedule: At System Startup
The task is saved in the following file and has the security permissions set to prevent removal.
%Windir%\Tasks\[5 RANDOM LETTERS].job
Next, the Trojan variants attempt to resolve one of the following domains:
itqoipyqsq.com
addwjf6zoy.com
c5ehm8fp.com
NOTE: The numeric IP address obtained from the DNS server is invalid. The address is decrypted and converted to a different IP address value depending on the variant.
The Trojan variant tries to download the following encrypted file:
[http://]85.255.115.133/styles/deskt[REMOVED]
NOTE: At the time of writing the file is downloaded only if the compromised machine has an Italian IP address. It has been observed that non-Italian IP addresses get a 500 error message from the remote Web server.
The downloaded file may install multiple dialer components that will dial high-cost numbers.
The Trojan.Linkoptimizer.B variant checks for the presence of debuggers or monitoring tools. It will not run on computers in a VMware environment or with any of the following drivers active:
SIWVIDSTART - Numega SoftICE Debugger
FILEMON - Sysinternals Filemon
REGMON - Sysinternals Regmon
PROCMON - Sysinternals Procmon
It may inject a thread into EXPLORER.EXE that attempts to terminate any program whose window title contains the following text:
antidialer
avenger
avz antiviral
catchme
ccleaner
dumphive
gmer
hardware upgrade forum
hijackthis
listdlls
p2p forum italia
pjf(ustc)
restore ssdt
runalyzer
silent runners
suspectfile
swreg
Systemscan
unhook selected
unlockerassistant
It may create a copy of itself with one of the following names:
%System%\[8 RANDOM LETTERS].[EXT]
%System%\[FIXPART1][FIXPART2].exe
[EXT] is one of the following strings:
bak
dat
log
old
tmp
txt
ver
[FIXPART1] is one of the following strings:
admin
auto
boot
cfg
chat
defrag
demo
dump
edit
key
note
office
power
reg
run
set
sys
sys32
System
task
video
win
win32
[FIXPART2] is one of the following strings:
audit
backup
cache
check
clean
config
control
debug
event
find
info
init
load
lookup
mode
notify
setup
stat
tray
viewer
wizard
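The two persistence artefacts above (an Image File Execution Options "Debugger" value on explorer.exe, and a payload in %System% named either [8 RANDOM LETTERS].[EXT] or [FIXPART1][FIXPART2].exe) can be checked offline from a registry export. The following is an added example, not part of Symantec's writeup: it scans the text of a `.reg` export for IFEO Debugger values and flags any whose file name fits the naming scheme built from the word lists above, or which is attached to explorer.exe at all. The sample export is constructed for the example; the name match is a heuristic and can hit a legitimate tool that happens to be called, say, sysconfig.exe.

```python
import re

# Name components copied from the writeup above.
FIXPART1 = ["admin", "auto", "boot", "cfg", "chat", "defrag", "demo", "dump", "edit", "key", "note",
            "office", "power", "reg", "run", "set", "sys", "sys32", "System", "task", "video", "win", "win32"]
FIXPART2 = ["audit", "backup", "cache", "check", "clean", "config", "control", "debug", "event", "find",
            "info", "init", "load", "lookup", "mode", "notify", "setup", "stat", "tray", "viewer", "wizard"]
EXT = ["bak", "dat", "log", "old", "tmp", "txt", "ver"]


def _alt(words):
    return "(?:" + "|".join(re.escape(w) for w in words) + ")"


# %System%\[FIXPART1][FIXPART2].exe   and   %System%\[8 RANDOM LETTERS].[EXT]
TWO_WORD_NAME = re.compile(r"^" + _alt(FIXPART1) + _alt(FIXPART2) + r"\.exe$", re.IGNORECASE)
RANDOM8_NAME = re.compile(r"^[a-z]{8}\." + _alt(EXT) + r"$", re.IGNORECASE)


def matches_linkoptimizer_name(filename):
    """True if a bare file name fits either naming scheme from the writeup (heuristic only)."""
    return bool(TWO_WORD_NAME.match(filename) or RANDOM8_NAME.match(filename))


IFEO_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
    r"\\Image File Execution Options\\([^\\\]]+)\]$", re.IGNORECASE)
DEBUGGER_VALUE = re.compile(r'^"Debugger"="(.*)"$', re.IGNORECASE)


def suspicious_ifeo_debuggers(reg_export):
    """Scan the text of a regedit / 'reg export' .reg file for IFEO Debugger values.

    Returns a list of (image, debugger_path, reason) for each suspicious entry.
    """
    hits = []
    image = None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = IFEO_KEY.match(line)
            image = m.group(1) if m else None  # remember which IFEO subkey we are in
            continue
        if image is None:
            continue
        m = DEBUGGER_VALUE.match(line)
        if not m:
            continue
        path = m.group(1).replace("\\\\", "\\")  # .reg files double the backslashes
        name = path.rsplit("\\", 1)[-1]
        if matches_linkoptimizer_name(name):
            reason = "debugger file name matches the Trojan's naming scheme"
        elif image.lower() == "explorer.exe":
            reason = "a Debugger on explorer.exe runs in place of the shell at every logon"
        else:
            continue
        hits.append((image, path, reason))
    return hits


# Constructed export: two infected-looking entries and one developer's JIT debugger setting.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\WINDOWS\\system32\\regcache.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\WINDOWS\\system32\\qwertyui.dat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mytool.exe]
"Debugger"="vsjitdebugger.exe"
"""

if __name__ == "__main__":
    for image, path, reason in suspicious_ifeo_debuggers(SAMPLE_REG):
        print(f"{image}: {path} ({reason})")
```

On a live system the export would come from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg`; because the writeup says the Trojan alters the key's permissions, run it from an account that can still read the key, and treat a read failure on explorer.exe's subkey as a finding in itself.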
Variants of Trojan.Linkoptimizer.B have XML configuration data that can be updated from a remote site and allows the variant to download or install multiple dialer components. The configuration data that can be updated includes high cost numbers to dial with the following prefixes:
899
00881
The variant will also use the updated configuration data to contact one of the following URLs:
[http://]www.webcont.net/CONTENTS/adul[REMOVED]
[http://]www.keycont.net/CONTENTS/audl[REMOVED]
Updated configuration data will also include valid account information for the URLs dialed.
Writeup By: Elia Florio
Labels: Microsoft, Trojan, Virus
Windows Mail URL Bug Lets Remote Users Cause Existing Code on the Target User's System to Be Executed
SecurityTracker Alert ID: 1017816
SecurityTracker URL: http://securitytracker.com/id?1017816
CVE Reference: CVE-2007-1658
Date: Mar 26 2007
Impact: Execution of arbitrary code via network, User access via network
Exploit Included: Yes
Description: A vulnerability was reported in Windows Mail. A remote user can cause code to be executed on the target user's system without warning when the user clicks on a link.
A remote user can send an e-mail message containing a specially crafted link that, when loaded by the target user, will execute an arbitrary existing executable file located on the target user's system. The executable will run without warning and will run with the privileges of the target user.
Kingcope discovered this vulnerability.
Impact: A remote user can cause existing code located on the target user's system to be executed with the privileges of the target user when the user clicks on a specially crafted link.
Solution: No solution was available at the time of this entry.
Vendor URL: www.microsoft.com/
Cause: State error
Underlying OS: Windows (Vista)
Reported By: "Kingcope"
Labels: Advisory, Microsoft, Vulnerability
Name ELF/Loathe-A
Type Virus
How it spreads: Infected files
ELF/Loathe-A is an overwriting virus for the
AROS platform.
ELF/Loathe-A overwrites files in the current folder with itself.
The virus displays the following message:
Infected by AROS.Libido by [WarGame/doomriderz]
Labels: Virus
Name Troj/DwnLdr-GSP
Type Trojan
Affected operating systems Windows
Side effects Downloads code from the internet
Aliases Trojan-Downloader.Win32.Small.bur
Troj/DwnLdr-GSP is a Trojan for the Windows platform.
Troj/DwnLdr-GSP includes functionality to communicate with a remote server via HTTP.
When Troj/DwnLdr-GSP is executed, it downloads and creates the file \mensagem.exe. This file was not available at the time of writing.
Labels: Microsoft, Trojan, Virus
Size: 11 kbytes (packed)
Discovered: 2007 Feb 14
SYMPTOMS:
- The presence of the following file: %WINDIR%\sqhos32.wmf
- The presence of the following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run: "lre"="%path_to_trojan%"
- A process named 'module.exe' running
TECHNICAL DESCRIPTION:
The trojan creates a file named sqhos32.wmf in the %WINDIR% folder; the file contains data the trojan uses. It then creates the following registry key in order to execute itself at each system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run: "lre"="%path_to_trojan%"
The trojan tries to download a file named 'module.exe' from http://eased{...}.com/et.exe.
When the link becomes available, it will execute the downloaded file, delete the startup registry key and mark itself for deletion at the next system startup.
ANALYZED BY:
Marius Botis, virus researcher
Labels: Microsoft, Trojan, Worm
Web Application Auditing Over Lunch
March 22nd, 2007
By Dr. Johannes B. Ullrich
Version 1.0
Web applications are frequently the Achilles heel of a network. A Web application has to be accessible to all of your customers. Ports 80 and 443 have to be open to the world to provide ubiquitous access to the Web application. On the other hand, a full-featured Web application is connected to a corporation's database storing customer, order, and pricing information. In short: A Web application is the shortest path for an attacker to take to reach the organization's crown jewels. Securing Web applications is critical and not easy. This paper outlines some simple steps to audit the security of a Web application. Sadly, while this audit is simple and incomplete, a lot of applications will fail the test. A more comprehensive audit will include source code reviews and more advanced techniques to circumvent security measures.
NOTE: You will need WRITTEN permission from your company to perform this audit. Failure to obtain such permission may get you fired, prosecuted, or worse: your GIAC certifications may be revoked.
First Steps
Don't forget the obvious. A quick portscan with nmap may reveal an unprotected VNC server or a database server with no password. Any penetration test should start with a quick portscan, likely followed by a vulnerability scan with a tool like Nessus. The use of a more Web-specific scanner (like Nikto) will save you a lot of tedious work. Nikto, in particular, is good at scanning for common problems like default installations of vulnerable tools, outdated versions, and left-over backup and configuration files.
Tools
Before we get started, let's talk about some tools. In order to perform your audit, you need appropriate tools to attack the application under test. You already have the most important tool for auditing Web applications: a browser. If you use Firefox, you will be able to use a number of free toolbars that will make it much easier to launch the attacks outlined below. We recommend the following plugins:
Web Developer toolbar (https://addons.mozilla.org/firefox/60/) A Swiss Army knife-like extension every Web developer should have installed. For our purposes, the important feature is the ability to modify forms on the fly to remove some of the restrictions imposed by forms. For example, you are able to enter strings beyond the designed length, or you are able to edit locked fields.
Hackbar (https://addons.mozilla.org/firefox/3899/) Nice tool to decode Base64 and URL Encoding. It is also helpful in obfuscating SQL injection attacks.
SwitchProxy Tool (https://addons.mozilla.org/firefox/125/) If you decide to use a proxy server like WebScarab, Switch Proxy allows you to quickly switch proxies.
Add N Edit Cookies (https://addons.mozilla.org/firefox/573/) The Add N Edit Cookies cookie editor will allow you to edit cookies on the fly. This tool gives you one less reason to require a full proxy server to intercept requests.
Tamper Data (https://addons.mozilla.org/firefox/966/) This extension, much like a proxy server, will allow you to intercept requests and responses. Either may be manipulated at will.
These toolbars allow you to do most of what is required to quickly test a Web application. However, for some of the more advanced techniques, a proxy server can be helpful. Probably the most full-featured free proxy server for auditing purposes is
WebScarab (http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project). The Open Web Application Security Project (OWASP) Web site is also a good resource to learn more about Web application security.
Preparation
Before you start, configure your browser to show hidden fields and comments and to ignore form limits. This will make some of the tests discussed later a bit easier to complete. Here is how to adjust the Web Developer toolbar:
In the Options menu, select Persist Features. This will make your selections stick, so you don't need to adjust them for each new page.
Now move to the Miscellaneous menu and select Show Hidden Elements as well as Show Comments.
In Forms, select Make Form Fields Writeable and Remove Maximum Length. Later, you may want to use the Convert POST to GET function to make it easier to manipulate form content.
As a quick test, start browsing the site you are testing and become familiar with it. You will see yellow exclamation marks within the web page displayed by Firefox whenever there is a comment. The current version of the Web Developer toolbar appears to have a bug in that the hidden fields are not shown all the time. It may be easier to use WebScarab if you find a lot of hidden fields, because WebScarab will make them editable.
In a worst case scenario, you will find things like passwords or account names in comments listed in the Web Developer toolbar. At this point, your quick audit would likely be complete. There is no need to go any further if the goal is just to show that a site is vulnerable.
The Audit
With browser and toolbars ready and armed, we are all set to dive into the actual audit. The steps below are listed in the order in which they are most likely to deliver results, staying with our theme to find problems quickly.
robots.txt: A vulnerability roadmap. The robots.txt file is often misunderstood by Web developers. The file will not protect or hide content. It is only used by well-behaved search engines to avoid indexing content that should not be indexed. A good robots.txt file includes content like image directories or locations that are generated dynamically and do not work if a search engine accesses the page. A bad robots.txt file, on the other hand, will list admin pages, Web logs, and similar locations. Access all the locations listed in robots.txt and see what you find. If, as part of this experiment, you hit a page with Web logs, browse the Web logs for any administrative pages. If they are not obviously named /admin, look for pages hit by only very few hosts. Your quest to prove that the web application is vulnerable may already be over if you find a non-password-protected admin page. For each password-protected admin page, try a few obvious username/password combinations. But don't spend too much time on it. After all, we only have 1 hour to break the site.
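Turning a robots.txt into a list of URLs to visit is mechanical, and one detail trips people up: entries containing `*` or `$` are patterns (a Google extension), not paths, and joining them onto the host produces nonsense requests. The following is an added example, mine rather than the paper's: it parses a constructed "bad" robots.txt, ranks the literal Disallow paths by how administrative their names look (the keyword list is my own guess), and keeps the wildcard entries aside for manual handling.

```python
from urllib.parse import urljoin

# Constructed robots.txt of the "bad" kind the paper describes; not from any real site.
SAMPLE_ROBOTS = """\
# keep crawlers out of the back office
User-agent: *
Disallow: /images/
Disallow: /admin/
Disallow: /logs/
Disallow: /cgi-bin/backup.cgi
Disallow: /*.bak$
Allow: /
Sitemap: http://www.example.com/sitemap.xml
"""

# Words that, in a path name, suggest something worth looking at first (my own list).
INTERESTING = ("admin", "manage", "log", "backup", "config", "private", "cgi",
               "db", "sql", "old", "test", "stat")


def disallowed_paths(text):
    """Return the Disallow values of a robots.txt in file order, comments stripped."""
    paths = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        if field.lower() == "disallow" and value:
            paths.append(value)
    return paths


def probe_urls(base, paths):
    """Build the URLs to visit, most suspicious first.

    Returns (urls, patterns): wildcard entries ('*' or '$') are returned as-is in
    `patterns` because they describe many paths, not one request.
    """
    literal = [p for p in paths if not any(ch in p for ch in "*$")]
    patterns = [p for p in paths if p not in literal]

    def score(path):
        # negative so that more keyword hits sort first; ties broken alphabetically
        return (-sum(word in path.lower() for word in INTERESTING), path)

    urls = [urljoin(base, p) for p in sorted(set(literal), key=score)]
    return urls, patterns


if __name__ == "__main__":
    paths = disallowed_paths(SAMPLE_ROBOTS)
    urls, patterns = probe_urls("http://www.example.com", paths)
    print("visit in this order:", *urls, sep="\n  ")
    print("patterns to expand by hand:", patterns)
```

Fetching robots.txt itself is a single GET of `/robots.txt`; the function above only parses the text so the ranking can be tried on any file without touching a server.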
XSS: trial and error. Cross site scripting (XSS) is probably the most common vulnerability. Not all XSS issues are easily exploitable. However, the presence of these errors demonstrates a lack of attention to input validation and output sanitization. The most likely place to find XSS is in the search function. Enter ">" as a search string and see what you get. In particular, watch for pieces of HTML code that may suddenly be visible or for skewed formatting in forms. As a next step, enter a short script tag that calls alert(). Even if you don't see the popup message, try to find the string in the result. See how the application dealt with the quote. As a note, many applications will escape single quotes (') but not double quotes ("). If you try to inject JavaScript, you may need to use double quotes only. Again, for this 1 hour exercise, we are only trying to find XSS problems. Exploiting them may take a bit more time. More dangerous XSS issues arise if content is stored in a database and not escaped properly when it is returned. The most likely location for this XSS vulnerability is any mailing or shipping address. Try to set up an account with the Web site, and use a script tag or a similar string as street or city name. These issues are almost always exploitable to retrieve administrator cookies, because staff retrieve these addresses for order fulfillment or customer service.
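The "see how the application dealt with the quote" step can be made mechanical: send each metacharacter once between two marker strings, find the reflection between the markers, and report which characters came back untouched. The following is an added example, not from the paper: three constructed search-page handlers stand in for the real site (no escaping, the "single quotes only" half measure the paper mentions, and proper HTML escaping), and `reflected_unescaped` runs the check against each.

```python
import html

# Three ways a search page might echo the query back (constructed for this example).
def echo_raw(q):
    """No output encoding at all."""
    return f'<input name="q" value="{q}"><p>Results for {q}</p>'


def echo_single_quote_only(q):
    """The half measure the paper describes: only the single quote is encoded."""
    return echo_raw(q.replace("'", "&#39;"))


def echo_escaped(q):
    """Correct: every metacharacter is encoded, quotes included."""
    return echo_raw(html.escape(q, quote=True))


METACHARS = '"\'<>'


def reflected_unescaped(render, chars=METACHARS, pfx="xs7a", sfx="xs7b"):
    """Submit pfx+chars+sfx through `render` and return the set of chars that are
    reflected verbatim anywhere between the two markers.

    The markers let us look only at our own reflection, not at HTML that was on the
    page already. A surviving '"' is enough to break out of a quoted attribute such
    as value="..."; a surviving '<' is enough to open a new tag in body text.
    """
    page = render(pfx + chars + sfx)
    found = set()
    start = 0
    while True:
        i = page.find(pfx, start)
        if i < 0:
            break
        j = page.find(sfx, i + len(pfx))
        if j < 0:
            break
        reflection = page[i + len(pfx):j]
        found.update(c for c in chars if c in reflection)
        start = j + len(sfx)
    return found


if __name__ == "__main__":
    for name, handler in [("raw", echo_raw), ("single-quote-only", echo_single_quote_only),
                          ("escaped", echo_escaped)]:
        print(f"{name:18s} unescaped: {sorted(reflected_unescaped(handler)) or 'none'}")
```

Against a live site `render` would be a function that performs the search request and returns the response body; the rest is unchanged. Note that the single-quote-only handler still leaves `"` and `<` usable, which is exactly why the paper says to fall back to double quotes.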
SQL Injection: trial and error. The procedure to find SQL injection is similar to what we did for XSS. Start by entering a single quote in various form fields. As an indication that SQL injection is going to be possible, you may see a database error returned. Once you have the database error, it should tell you more about the nature of the problem. Some Web sites do a decent job of hiding the error messages. In this case, SQL injection is a bit more tricky. Try to guess a valid, but bad, SQL query. For example, if you get an error for page.html?id=1' , try page.html?id=1%20or%201 and page.html?id=1'%20or'1'='1 or page.html?id=1-- to see if you still get the error page. This can easily be the most time-consuming part of the audit. If you suspect SQL injection issues, try to use a tool like Paros, which can assist you in finding SQL injection problems. In addition to the obvious quotes, try to use characters like double-dash (--), semi-colon (;) or comma (,). Blind SQL injection, which is frequently necessary if no error messages are displayed, is a more advanced topic and is beyond the scope of this paper.
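To see why the probe sequence is ordered the way it is, here is an added example (mine, not the paper's) that runs the paper's probes against a constructed page lookup backed by an in-memory SQLite table. `lookup_vulnerable` builds the query by string concatenation inside single quotes, which is the assumption the `1' or '1'='1` probe makes; `lookup_safe` is the same query with a bound parameter. The `1'--` probe is my addition for the quoted context; the `hidden` column stands in for rows the page should never return.

```python
import sqlite3


def make_db():
    """Constructed sample data: three pages, one of which is not meant to be public."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE page (id INTEGER PRIMARY KEY, title TEXT, hidden INTEGER)")
    con.executemany("INSERT INTO page VALUES (?, ?, ?)",
                    [(1, "Home", 0), (2, "About", 0), (3, "Admin notes", 1)])
    return con


def lookup_vulnerable(con, page_id):
    """The page.html?id=... handler as the paper imagines it: the parameter is pasted into the SQL."""
    sql = "SELECT id, title FROM page WHERE hidden = 0 AND id = '" + page_id + "'"
    return con.execute(sql).fetchall()


def lookup_safe(con, page_id):
    """Same query with a bound parameter: the value can never change the query's structure."""
    sql = "SELECT id, title FROM page WHERE hidden = 0 AND id = ?"
    return con.execute(sql, (page_id,)).fetchall()


# The paper's probes, plus a baseline request and the comment variant for a quoted context.
PROBES = ["1", "1'", "1 or 1", "1' or '1'='1", "1--", "1'--"]


def probe(con, lookup):
    """Run each probe; record 'error' for a database error, otherwise the number of rows returned.

    Reading the table: an error on the bare quote says the quote reached the parser; a probe
    that returns rows again after that says the quote can be balanced; more rows than the
    baseline (here: the hidden page appears) says the WHERE clause has been rewritten.
    """
    results = {}
    for p in PROBES:
        try:
            results[p] = len(lookup(con, p))
        except sqlite3.Error:
            results[p] = "error"
    return results


if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", probe(con, lookup_vulnerable))
    print("safe:      ", probe(con, lookup_safe))
```

With the vulnerable handler the bare quote errors, `1' or '1'='1` returns all three rows including the hidden one, and `1'--` returns the baseline row with no error; with the bound parameter every probe except the baseline simply returns nothing. That difference, an error that disappears when the quote is balanced, is the signal the paper tells you to look for when error pages are hidden.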
Cookies and Hidden Fields. Cookies and hidden form fields are just another form of user-provided input. However, a lot of Web developers don't see it that way and treat cookies and hidden fields as trusted data. So, if you are still looking for vulnerabilities, try to inject some single quotes and XSS characters and see what you get. The Add N Edit Cookies toolbar is all you need for this. The Web Developer toolbar will allow you to edit hidden fields that you find.
Sessions. With sessions, you will find developers who are using a standard toolkit, in which case the sessions are likely reasonably secure, or you will find developers using homemade toolkits that are frequently flawed. Take a look at the session ID. Does it look like a long random string? Start playing with it. Remove and add characters. Again, try to add a single quote or XSS. Is the text cleaned up? If your session ID is numeric: Try to replace the session ID with the next number. Also, try and increment the last two numbers by 1 each (in case the last digit is a checksum). Are you able to get someone else's session? At the very least, your session ID should change after you log in. In the best case scenario, the session ID should change on each page view. WebScarab can help with session ID analysis if you need to dive in deeper. WebScarab is a proxy server. It can be configured to intercept all data passed to the server or to the browser. Before it passes the data to the server or browser, the user can edit the data at will. WebScarab offers a large number of additional features to analyze the content passing between browser and server. The session ID analysis is one of these features. Session ID analysis will graph session IDs collected from the website to make it easy to spot patterns.
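What WebScarab's session ID analysis does with a graph can be approximated with two numbers: whether consecutive IDs differ by a constant (with and without the last digit, to cover the "last digit is a checksum" case the paper mentions) and how many bits of variation the sample actually shows per character position. The following is an added example, not from the paper: `weak_session_ids` is a constructed homemade scheme (a counter plus a check digit), `strong_session_ids` is what a standard toolkit hands out, and the two analysis functions tell them apart from a sample of a couple of hundred IDs.

```python
import collections
import math
import secrets


def weak_session_ids(n, start=100000):
    """Constructed homemade scheme: a decimal counter with a trailing check digit (counter mod 7)."""
    return [f"{i}{i % 7}" for i in range(start, start + n)]


def strong_session_ids(n):
    """A toolkit-style ID: 128 bits from the OS CSPRNG, hex encoded."""
    return [secrets.token_hex(16) for _ in range(n)]


def positional_entropy(ids):
    """Sum over character positions of the empirical Shannon entropy (bits) of that position.

    A crude upper bound on unpredictability: fixed prefixes and slowly moving counter digits
    contribute almost nothing, random hex contributes close to 4 bits per character.
    """
    width = min(len(s) for s in ids)
    n = len(ids)
    total = 0.0
    for pos in range(width):
        counts = collections.Counter(s[pos] for s in ids)
        total -= sum(c / n * math.log2(c / n) for c in counts.values())
    return total


def numeric_stride(ids):
    """If the IDs are decimal and consecutive samples differ by a constant, return that constant.

    Tries the raw value first, then the value with its last digit dropped, which is the
    paper's 'increment the last two numbers' trick for a trailing checksum. None otherwise.
    """
    for drop in (0, 1):
        try:
            vals = [int(s[:-drop] if drop else s) for s in ids]
        except ValueError:
            return None  # not decimal at all
        deltas = {b - a for a, b in zip(vals, vals[1:])}
        if len(deltas) == 1:
            return deltas.pop()
    return None


def assess(ids):
    """One-line verdict for a sample of IDs issued in sequence."""
    stride = numeric_stride(ids)
    bits = positional_entropy(ids)
    if stride is not None:
        return f"predictable: decimal counter with stride {stride}, only ~{bits:.0f} bits of spread"
    return f"no arithmetic pattern; ~{bits:.0f} bits of spread across {len(ids)} samples"


if __name__ == "__main__":
    print("homemade:", assess(weak_session_ids(200)))
    print("toolkit: ", assess(strong_session_ids(200)))
```

The sample must be collected in issue order (open a few hundred fresh sessions in a row, or take the IDs WebScarab recorded) for the stride test to mean anything; the entropy figure only measures what is in the sample, so a small sample under-reports strong IDs rather than over-reporting weak ones.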
Google Hacking. Take a look at Google and check what it knows about the site. You can limit Google's focus by adding "site:example.com" to the search. Strings to search for include: "sql", "error", "password", "cvv2".
Spidering. Run wget -m http://www.example.com to retrieve a mirror of the site. This will cause wget to create a directory called www.example.com. Use grep to find any errors or other odd contents like error messages or comments. This is essentially the same thing the Google search will do, but grep is more complete. Note that Google as well as wget obey robots.txt. At this point, you are likely a bit more familiar with the application you are testing. Google can help to find default locations for configuration files (e.g. global.asa) or administrative consoles for the particular Web application.
Conclusion
These tests will only find obvious problems and are less likely to find more complex issues. We totally neglect some common problems like response-splitting or secondary SQL injection issues, and we spent little time on actually exploiting these problems. See this 1 hour audit as a due diligence test that should be done periodically. It is also a great learning tool for Web developers. By involving them in such an audit, they will find out more about how easy it can be to exploit some of the problems the audit identifies. Have them actually perform the test or perform the test with them. If they are part of the audit team it will be much easier to explain what is going on and they won't see the test in a confrontational manner.
In order to do a more exhaustive test, it is highly advisable to use the source code for the Web application. Again, this is easy if you have cooperating Web developers. With source code, it is much easier to validate a problem and estimate its impact.
We did not say much about how to defend against each of these tests. However, the overall approach should not be to fix vulnerabilities one at a time as they are found, but to develop strategies and procedures that will prevent these vulnerabilities in the first place. It is imperative for a Web application to create a library of authentication, access control, session handling, and validation functions that are used consistently throughout the application.
References
http://www.owasp.org: Open Web Application Security Project.
http://www.cgisecurity.com/articles/xss-faq.shtml: The Cross Site Scripting (XSS) FAQ
http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf: SQL Injection White Paper
http://www.robotstxt.org: The Web Robots Page
http://johnny.ihackstuff.com: The Google Hacking Database
Many thanks to the ISC handlers, in particular Jason Lam, for the discussions that led to this paper.
Labels: Attack Tools, http, News Article
Microsoft Excel Long Palette Heap Overflow Vulnerability
I. BACKGROUND
Microsoft Excel is the spreadsheet application from the Microsoft Office System. More information is available at the following link:
http://office.microsoft.com/
II. DESCRIPTION
Remote exploitation of a heap-based buffer overflow vulnerability in Microsoft Corp.'s Excel spreadsheet application could allow an attacker to execute arbitrary code in the context of the user who started Excel.
The vulnerability specifically exists in the handling of the PALETTE record in BIFF8 format spreadsheet files. By supplying a record with too many entries, an exploitable buffer overflow condition can occur.
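The condition the advisory describes, a PALETTE record whose colour count is larger than the palette Excel allocates, is easy to check for before a file ever reaches Excel. The following is an added example, not iDefense's code: a minimal BIFF record walker and a PALETTE check. The layout it assumes is my reading of the BIFF8 format, not something the advisory states: every record is a 2-byte id and a 2-byte length followed by the payload, and a PALETTE payload (id 0x0092) is a 2-byte colour count `ccv` followed by `ccv` four-byte colour entries, with Excel's palette holding 56 entries. The sample streams are constructed in the block; a real .xls wraps this "Workbook" stream inside an OLE2 compound document, which this example does not parse.

```python
import struct

PALETTE = 0x0092            # BIFF8 PALETTE record id (assumption, see lead-in)
BOF, EOF = 0x0809, 0x000A    # stream delimiters, used here only to build samples
MAX_PALETTE_ENTRIES = 56    # size of Excel's colour palette (assumption, see lead-in)


def iter_biff_records(stream):
    """Yield (record_id, payload) from a raw BIFF stream: 2-byte id, 2-byte length, payload."""
    off = 0
    while off + 4 <= len(stream):
        rid, rlen = struct.unpack_from("<HH", stream, off)
        off += 4
        payload = stream[off:off + rlen]
        if len(payload) != rlen:
            raise ValueError(f"record 0x{rid:04X} truncated at offset {off}")
        yield rid, payload
        off += rlen


def check_palette(payload):
    """Validate a PALETTE payload. Returns (ccv, problem); problem is None when well formed.

    Two independent checks: the count must fit the fixed-size palette (the advisory's
    condition), and the record must actually carry as many entries as it claims.
    """
    if len(payload) < 2:
        return None, "PALETTE record shorter than its 2-byte colour count"
    (ccv,) = struct.unpack_from("<H", payload, 0)
    if ccv > MAX_PALETTE_ENTRIES:
        return ccv, f"colour count {ccv} exceeds the {MAX_PALETTE_ENTRIES}-entry palette"
    if len(payload) < 2 + 4 * ccv:
        return ccv, f"colour count {ccv} claims more entries than the record carries"
    return ccv, None


def scan_stream(stream):
    """Return the list of problems found in PALETTE records; an empty list means none."""
    problems = []
    for rid, payload in iter_biff_records(stream):
        if rid == PALETTE:
            _, problem = check_palette(payload)
            if problem:
                problems.append(problem)
    return problems


def record(rid, body=b""):
    """Build one BIFF record (test data only)."""
    return struct.pack("<HH", rid, len(body)) + body


def build_palette(ccv, entries=None):
    """Build a PALETTE record claiming `ccv` colours; `entries` overrides how many are really present."""
    count = ccv if entries is None else entries
    return record(PALETTE, struct.pack("<H", ccv) + b"\x00\x00\x00\x00" * count)


if __name__ == "__main__":
    clean = record(BOF, bytes(16)) + build_palette(56) + record(EOF)
    oversized = record(BOF, bytes(16)) + build_palette(2000) + record(EOF)
    print("clean:    ", scan_stream(clean))
    print("oversized:", scan_stream(oversized))
```

A mail gateway or upload handler can run `scan_stream` over the extracted Workbook stream and quarantine anything it flags; the second check also catches the opposite malformation, a record that is shorter than its count promises, which a naive parser would read past.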
III. ANALYSIS
Successful exploitation of this vulnerability would allow an attacker to execute arbitrary code in the context of the user who opened the document. In order to exploit this vulnerability, an attacker would need to convince the target to open an Excel spreadsheet file. Likely attack vectors include sending the file as an attachment in an email or linking to the file on a website.
Systems with a default install of Office 2000 will open Office documents, including Excel spreadsheet files, from websites without prompting the user. This allows an attacker to exploit this vulnerability without user interaction beyond visiting a website. Later versions of Office will not open these documents automatically unless the user has chosen this behavior.
IV. DETECTION
iDefense Labs have confirmed the existence of this vulnerability in Microsoft Excel 2003 with all service packs and security updates. Previous versions of Excel are also likely to be affected.
V. WORKAROUND
Do not follow links or open files from unknown sources or that you were not expecting to receive.
VI. VENDOR RESPONSE
Microsoft has addressed this vulnerability with Microsoft Security Bulletin MS07-002. A link to this bulletin can be found below.
http://www.microsoft.com/technet/security/bulletin/ms07-002.mspx
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-0031 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.
VIII. DISCLOSURE TIMELINE
09/22/2006 Initial vendor notification
09/22/2006 Initial vendor response
01/09/2007 Coordinated public disclosure
IX. CREDIT
This vulnerability was discovered by Greg MacManus, iDefense Labs.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright © 2006 iDefense, Inc.
Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customer service for permission.
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Labels: Microsoft, Vulnerability
In fact my wife in the UK just told me that she has just been robbed: there was someone in the market giving out free calling cards, so she took it as a bonus, and when she followed the instructions written on it her credit was all gone. WOW.
The 'Free' calling card has instructions to call a number, tell them your existing phone card details! Once the thief has your numbers, your calling card is cleaned out. Very clever. How many people can resist a free calling card?
Labels: Social Engineering
Mar 19 2007 10:41AM
dh layereddefense com
=================================================
Layered Defense Research Advisory 18 March 2007
=================================================
1) Affected Software
F-Secure Anti-Virus Client Security Version 6.02
=================================================
2) Severity Rating:
Low risk
Impact: Local read/write of arbitrary memory, denial of service.
=================================================
3) Description of Vulnerability
A format string vulnerability was discovered within F-Secure Anti-Virus Client Security Version 6.02. The vulnerability is due to improper processing of format strings in the Management Server name field. When a specially crafted format string is entered into the Management Server name field under Communication settings, an attacker can read/write arbitrary memory and at a minimum can cause a denial of service condition.
=================================================
4) Solution
Fix: http://support.f-secure.com/enu/corporate/downloads/hotfixes/av-cs-hotfixes.shtml
=================================================
5) Time Table:
11/20/2006 Reported Vulnerability to Vendor.
11/29/2006 Vendor acknowledged the vulnerability
03/01/2007 Vendor published hot fix
=================================================
6) Credits Discovered by Deral Heiland, www.LayeredDefense.com
=================================================
7) Reference
=================================================
8) About Layered Defense
Layered Defense is a group of security professionals who work together on ethical research, testing and training within the information security arena. http://www.layereddefense.com
=================================================
Labels: Anti-Virus, Microsoft, Vulnerability
W32.Zhosu@mm
Risk Level 1: Very Low
Discovered: March 20, 2007
Updated: March 21, 2007 4:02:06 AM
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
W32.Zhosu@mm is a worm that spreads by sending itself to email addresses that it finds in the Windows Address Book.
Symantec Security Response is currently investigating this threat and will post more information as it becomes available.
Threat Assessment
Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Easy
Damage
Damage Level: Low
Distribution
Distribution Level: Low
Writeup By: Chen Yu
Labels: Microsoft, Virus, Worm
Trend Micro Antivirus UPX Parsing Kernel Divide by Zero Vulnerability
I. BACKGROUND
Trend Micro AntiVirus is a virus scanning engine included in a wide array of products by Trend Micro. Several examples of vulnerable products include PC-cillin and Internet Security Suite.
http://www.trendmicro.com/en/home/us/home.htm
II. DESCRIPTION
Remote exploitation of a divide by zero error in Trend Micro AntiVirus may allow attackers to cause a denial of service.
The vulnerability exists in the kernel driver, VsapiNT.sys. This driver is responsible for scanning various file formats for malicious content. The code that parses UPX files takes an integer value from an attacker supplied file and uses it as a divisor. This results in a divide by zero error in kernel mode. This causes a kernel fault resulting in a blue screen of death (BSOD).
III. ANALYSIS
Exploitation of this vulnerability results not only in a DoS of the Trend Micro process, but in an operating system crash.
There are several different attack vectors depending on which product is being targeted. Someone targeting a home user would need to convince a user to download a file from a website or an attachment from an email message. The user would then need to manually scan this file or save it and have the Trend Micro auto scan process scan it at some later time. If instead a mail gateway is being targeted this vulnerability can be exploited automatically by sending a malicious attachment through a gateway that uses Trend Micro to scan content.
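The following is an added example, not iDefense's or Trend Micro's code. It shows in C the parsing mistake described above and the check that prevents it: a size field read from a constructed, simplified "UPX-like" header (this layout is invented for the example and is not the real UPX on-disk format) is validated before it is used as a divisor.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed header layout for this example only (NOT the real UPX format):
 *   bytes 0-3  magic "UPX!"
 *   bytes 4-7  packed size   (little-endian u32)
 *   bytes 8-11 unpacked size (little-endian u32)
 * A scanner that wants the expansion ratio computes unpacked / packed, so the
 * file-controlled "packed" field is the divisor. */
#define HDR_LEN 12
#define MAX_RATIO 64u   /* sanity bound; a real packer never expands this much */

enum upx_status {
    UPX_OK = 0, UPX_SHORT = -1, UPX_BAD_MAGIC = -2,
    UPX_BAD_DIVISOR = -3, UPX_BAD_RATIO = -4
};

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Shape of the bug: the field is trusted and divided by directly. A packed
 * size of 0 raises a divide error; inside a kernel driver that is a BSOD.
 * Kept for comparison only and never called by the checks below. */
uint32_t unchecked_ratio(const uint8_t *hdr)
{
    return rd_le32(hdr + 8) / rd_le32(hdr + 4);
}

/* Hardened version: length, magic, divisor and result range are all checked
 * before any arithmetic on file-controlled values. */
int upx_expansion_ratio(const uint8_t *buf, size_t len, uint32_t *ratio_out)
{
    if (len < HDR_LEN)
        return UPX_SHORT;
    if (memcmp(buf, "UPX!", 4) != 0)
        return UPX_BAD_MAGIC;

    uint32_t packed   = rd_le32(buf + 4);
    uint32_t unpacked = rd_le32(buf + 8);

    if (packed == 0)                    /* the check the driver lacks */
        return UPX_BAD_DIVISOR;
    if (unpacked / packed > MAX_RATIO)  /* implausible header, reject */
        return UPX_BAD_RATIO;

    *ratio_out = unpacked / packed;
    return UPX_OK;
}

/* Constructed sample headers. */
static const uint8_t sample_ok[HDR_LEN] = {
    'U','P','X','!', 0x00,0x10,0x00,0x00, 0x00,0x40,0x00,0x00 }; /* 0x1000 -> 0x4000 */
static const uint8_t sample_zero_divisor[HDR_LEN] = {
    'U','P','X','!', 0x00,0x00,0x00,0x00, 0x00,0x40,0x00,0x00 }; /* packed = 0 */
static const uint8_t sample_huge_ratio[HDR_LEN] = {
    'U','P','X','!', 0x01,0x00,0x00,0x00, 0x00,0x40,0x00,0x00 }; /* 1 -> 0x4000 */

/* Each check returns 1 when the parser handles that sample as intended. */
int check_ok_sample(void)
{
    uint32_t r = 0;
    return upx_expansion_ratio(sample_ok, HDR_LEN, &r) == UPX_OK && r == 4;
}
int check_zero_divisor(void)
{
    uint32_t r = 0;
    return upx_expansion_ratio(sample_zero_divisor, HDR_LEN, &r) == UPX_BAD_DIVISOR;
}
int check_huge_ratio(void)
{
    uint32_t r = 0;
    return upx_expansion_ratio(sample_huge_ratio, HDR_LEN, &r) == UPX_BAD_RATIO;
}
int check_truncated(void)
{
    uint32_t r = 0;
    return upx_expansion_ratio(sample_ok, HDR_LEN - 1, &r) == UPX_SHORT;
}
```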
IV. DETECTION
iDefense has confirmed the existence of this vulnerability in Trend Micro AntiVirus version 14.10.1041, engine version 8.320.1003. Previous versions may also be affected.
V. WORKAROUND
iDefense is currently unaware of any workarounds for this issue.
VI. VENDOR RESPONSE
"To address this vulnerability, Trend Micro recommends customers to update to Virus Pattern File 4.335.00 or higher."
For more information, consult the Trend Micro Knowledge Base article at the link shown below.
http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034587
VII. CVE INFORMATION
A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.
VIII. DISCLOSURE TIMELINE
02/27/2007 Initial vendor notification
02/27/2007 Initial vendor response
03/14/2007 Coordinated public disclosure
IX. CREDIT
The discoverer of this vulnerability wishes to remain anonymous.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright © 2007 iDefense, Inc.
Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customer service for permission.
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Labels: Advisory, Anti-Virus, Microsoft, Vulnerability
Name Troj/Psychwa-S
Type Trojan
Affected operating systems Windows
Troj/Psychwa-S is a Trojan for the Windows platform.
Troj/Psychwa-S includes functionality to access the internet and communicate with a remote server via HTTP.
Labels: Anti-Virus, Microsoft, Trojan
Malware type: JavaScript
Aliases: No Alias Found
In the wild: Yes
Destructive: No
Language: English
Platform: Windows 98, ME, NT, 2000, XP, Server 2003, Mac OS X
Encrypted: No
Overall risk rating: Low
Reported infections: Low
Damage potential: High
Distribution potential: Low
Size of malware: 5,609 Bytes
Initial samples received on: Mar 16, 2007
Related to: TROJ_DLOADER.JHV
Payload 1: Steals information
Details:
This malicious JavaScript may be dropped by another malware. It may also be downloaded from the Internet, particularly by the malware TROJ_DLOADER.JHV.
It is used to steal information, such as login credentials, used in MySpace accounts. MySpace (www.myspace.com) is a popular social networking Web site that hosts profiles of users from all around the world.
This JavaScript uploads the stolen information to the URL http://BLOCKED}ofileawareness.com/logs4/connect.php. As a result, remote users may view and use the uploaded information for malicious purposes.
It runs on Mac OS X, Windows 98, ME, NT, 2000, XP, and Server 2003.
Analysis By: Carlo Panganiban
Labels: Anti-Virus, http, Microsoft, Trojan
An interesting analysis of the costs (to end users) of protecting (media companies) intellectual property from their customers.
This includes:
Disabling of Functionality
Decreased Playback Quality
Denial-of-Service via Driver/Device Revocation
Decreased System Reliability
Increased Hardware Costs
Unnecessary CPU Resource Consumption (to quote: "In order to prevent active attacks, device drivers are required to poll the underlying hardware every 30ms for digital outputs and every 150 ms for analog ones to ensure that everything appears kosher. This means that even with nothing else happening in the system, a mass of assorted drivers has to wake up thirty times a second just to ensure that… nothing continues to happen (commenting on this mechanism, Leo Laporte in his Security Now podcast with Steve Gibson calls Vista “an operating system that is insanely paranoid”).")
Unnecessary Device Resource Consumption
Read the entire article here.
Labels: Microsoft, News Article
Name Troj/Singu-AQ
Type Spyware Trojan
Affected operating systems Windows
Side effects Steals information, Records keystrokes, Installs itself in the Registry, Installs a browser helper object
Troj/Singu-AQ is a password-stealing Trojan for the Windows platform.
When first run, Troj/Singu-AQ copies itself to
\gdien32.exe and creates the following files:
\lmrtend.dll
\shlapi.dll
lmrtend.dll is also detected as Troj/Singu-AQ
shlapi.dll contains logged keypresses
The Trojan creates the following registry entries in order to be run automatically:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
gdien32
\gdien32.exe
lmrtend.dll is installed as a BHO (browser helper object).
Labels: Anti-Virus, Microsoft, Virus
As with any new Microsoft product, OneCare Anti-virus has problems. However, the competition should not take this to mean that they can rest easy. Microsoft has the staying power and determination to develop their products into world beaters. Once MS has come into a market, they will keep spending money until they dominate it.
Best quotes from this article:
"Usually Microsoft doesn't develop products, we buy products. It's not a bad product, but bits and pieces are missing,"
"OneCare is a new product — they shouldn't have rolled it out when they did, but they're fixing the problems now,"
"Microsoft is not a security company. Security is important, but it's just a little part of Microsoft,"
Ouch.
===================================
Microsoft: OneCare should not have been rolled out
Tom Espiner, ZDNet UK
Published: 16 Mar 2007 13:03 GMT
Microsoft has said that its OneCare security suite has "a problem" with the underlying antivirus code, and admitted that security is just "a little part of Microsoft".
Speaking to ZDNet UK exclusively at the CeBIT show in Hanover, a senior manager for the software giant said that its consumer security product is far from perfect and that pieces are actually "missing".
OneCare has been dogged by controversy since its launch last May. Signs that the software was not up to scratch came earlier this month when OneCare failed to achieve certification in an independent test of security products. Shortly before that, it emerged that the product did not sufficiently protect users of Microsoft's Vista operating system against malware.
But the latest and most serious problems arose in March this year after the product mistakenly quarantined and even deleted Outlook and Outlook Express files for the second time.
Microsoft apologised for the problems and has issued an update that has now been automatically pushed out to OneCare customers, to halt the false positive identification as malware of Outlook .pst and Outlook Express .dbx files.
Asked about these problems, Arno Edelmann, Microsoft's European business security product manager, told ZDNet UK on Thursday that the code itself has pieces missing.
"Usually Microsoft doesn't develop products, we buy products. It's not a bad product, but bits and pieces are missing," said Edelmann.
The problem lies with a core technology of OneCare, the GeCAD antivirus code, and how it interacts with Microsoft mailservers. According to Edelmann, the Microsoft updates and mailserver infrastructure do not harmonise.
"It's a problem with the updates, and it's a problem with the implementation," said Edelmann.
If mail is received from a server running Exchange 2007, users are unlikely to encounter problems. However, if mail is received from servers running Exchange 2000 or 2003, the likelihood of quarantining is high, said Edelmann.
"OneCare is a new product — they shouldn't have rolled it out when they did, but they're fixing the problems now," said Edelmann.
According to the security manager, security is only a small part of what Microsoft does, suggesting it does not have as much security expertise as established security vendors.
"Microsoft is not a security company. Security is important, but it's just a little part of Microsoft," said Edelmann.
Security vendor Kaspersky said that it was not acceptable for two Microsoft products — such as OneCare and Exchange 2007 — to be incompatible, especially as Microsoft has market dominance.
"Microsoft, welcome to our business," said Eugene Kaspersky, the founder of the company. "All in all it's a bad thing. It's not acceptable for Microsoft products to do that. Microsoft dominates the market. If they do that it creates a big noise, many affected people, and happy lawyers."
This is not the first time Microsoft has had a problem with OneCare and Outlook. In January OneCare also erroneously quarantined Outlook files. However, Kaspersky said that although the problems then and now were the same, the cause of the problems in January was different.
"They fixed the first false positive, and now they have the next one," said Kaspersky.
Kaspersky said that false positives are not just a problem for Microsoft, but for the whole antivirus industry. He said that about 1 percent of Kaspersky records were false positives, but they were almost totally stopped by the company's test robots. He added, however, that sometimes false positives are released by Kaspersky.
Microsoft purchased the Romanian GeCAD company in 2003.
Labels: Anti-Virus, Microsoft, News Article
More and more businesses are experimenting with Bluetooth advertisements. In doing so they are doing consumers a disservice - because it is almost impossible to tell where a Bluetooth message comes from, they are smoothing the way for the distribution of mobile viruses.
In the age of fast mobile communication, marketing is also becoming ever more flexible, so it comes as no surprise that advertisers are attempting to make use of Bluetooth. After all, Bluetooth opens up new ways of sending advertising messages to mobile phones and PDAs. These adverts can include images, videos, java games or applications, which can be transmitted to passers-by at trade shows, exhibitions, airports and stations or in the vicinity of restaurants or shopping centres.
full story here.
Labels: News Article, Symbian, Virus
Phishing using IE7 local resource vulnerability
Summary
Internet Explorer 7.0 is vulnerable to cross-site scripting in one of its local resources. In combination with a design flaw in this specific local resource it is possible for an attacker to easily conduct phishing attacks against IE7 users.
Affected versions
• Windows Vista - Internet Explorer 7.0
• Windows XP - Internet Explorer 7.0
Technical Details
The navcancl.htm local resource is used by the browser when for some reason a navigation to a specific page is canceled.
When a navigation is canceled the URL of the specific page is provided to the navcancl.htm local resource after the # sign. For example: res://ieframe.dll/navcancl.htm#http://www.site.com. The navcancl.htm page then generates a script in the “Refresh the page.” link in order to reload the provided site again when the user clicks on this link.
It is possible to inject a script in the provided link which will be executed when the user clicks on the “Refresh the page.” link.
Luckily, Internet Explorer now runs most of its local resources (including navcancl.htm) in “Internet Zone”, so this vulnerability cannot be exploited to conduct a remote code execution.
Unfortunately, there is also a design flaw in IE7. The browser automatically removes the URL path of the local resource and leaves only the provided URL. For example: when the user visits res://ieframe.dll/navcancl.htm#http://www.site.com, IE7 will show http://www.site.com in the address bar.
To perform a phishing attack, an attacker can create a specially crafted navcancl.htm local resource link with a script that will display fake content of a trusted site (e.g. bank, PayPal, MySpace).
When the victim opens the link sent by the attacker, a “Navigation Canceled” page is displayed. The victim will think that there was an error in the site or some kind of network error and will try to refresh the page. Once he clicks on the “Refresh the page.” link, the attacker's provided content (e.g. a fake login page) will be displayed, and the victim will think that he is within the trusted site, because the address bar shows the trusted site's URL.
Proof-of-Concept
A CNN.com article spoofing proof-of-concept can be found here.
If you are not using IE7, you can watch a demonstration video here.
Workaround / Suggestion
Until Microsoft fixes this vulnerability, do not trust the “Navigation Canceled” page!
Labels: Exploit, http, Microsoft, Vulnerability
OSVDB ID: 32774
Disclosure Date: Mar 3, 2007
Description:
PHP contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not escape the content of user supplied arrays in GET, POST or COOKIE variables upon submission to phpinfo(). This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Vulnerability Classification:
Remote/Network Access Required
Input Manipulation
Loss Of Integrity
Exploit Available
Products:
PHP PHP 4.4.3
PHP PHP 4.4.4
PHP PHP 4.4.5
PHP PHP 4.4.6
Solution:
Currently, there are no known upgrades, patches, or workarounds available to correct this issue. PHP scripts calling phpinfo() should not be publicly accessible on production systems.
External References:
CVE ID: 2007-1287
National Vulnerability Database: CVE-2007-1287
Bugtraq ID: 22803
Generic Exploit URL: http://www.php-security.org/MOPB/code/MOPB-08-2007.phpt
Secunia Advisory ID: 24356
Vendor URL: http://www.php.net/
Other Advisory URL: http://www.php-security.org/MOPB/MOPB-08-2007.html
Credit:
Stefan Esser - Hardened-PHP Project
Labels: Vulnerability
ElcomSoft released an Enterprise version of its award-winning Advanced PDF Password Recovery software. This program makes it easy to remove both password encryption and usage restrictions from Adobe Acrobat PDF files. APDFPR Enterprise now comes with support of all Adobe Acrobat versions (up to 8.0), including those that use AES encryption, and super-fast guaranteed recovery of PDF files with 40-bit encryption using state-of-the-art "time-memory trade-off" technology.
With the increasing popularity of PDF formatted files comes an increasing number of problems which occur when authors forget the passwords to their source documents. ElcomSoft has revised version 3.0 of all three editions of its Advanced PDF Password Recovery software (Enterprise, Professional, and Standard) to allow the seemingly impossible recovery of passwords for these documents. This software package handles both owner and user passwords used to protect PDF documents. The latest addition to ElcomSoft's family of password recovery software allows business managers to recover lost and destroyed passwords. It also helps in dealing with employees who, intentionally or unintentionally, are unable to edit and print password-protected PDF files.
APDFPR is also a state-of-the-art computer forensics tool that could be used by law enforcement, military and intelligence agencies to open secure documents. PDF documents protected with access restriction passwords can be decrypted instantly, allowing full access to the document. For documents with "user" passwords (that could not be opened without that password), the program blazes through brute-force password attempts at a rate of a few hundred thousand passwords per second!
The code has been effectively optimized for most CPUs such as Pentium II/III, Pentium 4, Intel Core/Core 2 (Duo) and Athlon. More sophisticated methods are available, such as applying all words from a dictionary. ElcomSoft's website has dictionaries for more than 20 different languages, from English to Swahili.
Even if the above methods fail because the password is too long and complex, the program runs a special key search attack which gives a 100% success rate on files with 40-bit encryption (used in all Adobe Acrobat 4 files, and most files from more recent versions). This may take some time to run, but is well worth the time if your document is very important. If you have a dual processor system, APDFPR takes advantage of it to double the performance of this software.
On modern systems with Intel Core Duo CPUs, the document can be recovered in maximum 3-4 days, regardless of the password length and complexity. And in APDFPR Enterprise, ElcomSoft has introduced a new "rainbow attack" subsystem -- it is shipped with a DVD that contains special pre-computed hash tables that will allow you to decrypt most (an estimated 99.6 percent) PDF files in just minutes instead of days, even on slow computers.
Advanced PDF Password Recovery Enterprise costs $999(US) for a single-user license and includes express delivery worldwide. Professional and Standard versions, with reduced feature sets, are available at affordable prices. The program runs under Windows 95/98/Me/NT4/2000/XP/2003/Vista.
Labels: Attack Tools, News Article
'We all know there are still people out there who think turning off JavaScript protects them from everything.'
See also : https://www.indiana.edu/~phishing/browser-recon/
Research by RSnake
----------------------------------
Well, the server is back up and running (big thanks to id - during our upgrade there was a drive failure causing us to have to switch machines), and to celebrate I didn’t want to come back with a boring post that would make you question why you read this site. So instead I decided to play around with some CSS tricks - bear with me for a minute. I don’t know why, but I really think CSS is going to get worse over time. Anyway, as I was poking around I happened across one of the missing pieces of the puzzle to solve a simple problem in using CSS to hack - the lack of conditional logic.
Jeremiah and I spent at least an hour on the phone several months back when he was coming up with browser port scanning without JavaScript. One of the key problems with that technique, which he later overcame, was that he was unable to find any good way to do conditional logic in CSS, so instead he leaned on a browser quirk that delays the rendering of images. Watching the timing differences can help an attacker derive which ports are open and which aren’t. While very cool, it’s caused some headaches and only solved one of our problems.
Before that Jeremiah also came up with the original CSS history hack as you may or may not remember. Later on pdp came up with another variant of the same issue using a very different technique (Firefox caching). Both of those techniques were cool, but both of them also required that you have JavaScript turned on. We all know there are still people out there who think turning off JavaScript protects them from everything.
Keeping this in mind it would be great if you could create a form of conditional logic in CSS. Well I finally figured out a way. Using a hybrid of a:visited and display: attribute you can detect that the user has visited a page and more importantly perform an action based on that fact. The actions are somewhat limited if you can’t use JavaScript, however, one action is enough. The reason being, when something is set to display:none it will actually cause the HTML tag that it references to not render. Setting the background: image attribute for the visible tag to use a URL of a logging CGI script allows you to send a request to a remote webserver based on the conditional logic as mentioned above.
Now, the only lacking part is the state management, and that can easily be tied together using a unique cookie, and/or an IP address in the QUERY_STRING or anything else you want to use to identify the user. In this way, the remote website can steal history information from the user without ever once using JavaScript, or any client side programming. Click here for a proof of concept of the CSS history theft without using JavaScript. This works nearly instantly, so it is far better than the JavaScript-less intranet hacking and pdp’s version of the JavaScript CSS history hack in terms of speed. The only latency is the time it takes your browser to request the images associated with each URL you’ve visited - which is nearly instant since I don’t return any data (and thanks to browser threading). The other nice thing about this is that it works beautifully in both Internet Explorer 7.0 and Firefox 2.0.0.2 (although it doesn’t work in Opera 9.22).
I haven’t experimented much with this yet, but I also believe this could be expanded to do another form of intranet port scanning as well. Using a series of iframes and forced browsing it may be possible to detect which pages the user can access. I’m not in love with this technique because the CSS will fire too quickly so you’d have to delay the CSS from loading or make it reload with a meta refresh or something equivalent, but I also haven’t put much thought into it yet.
The ramifications of the CSS history hacking stuff are that it allows the attacker to steal information about the client, which can be useful to identify a target, to find information about the user for use in targeted attacks, to know trending information for use in targeted advertisements, or for other forms of private information theft.
So now we’ve eliminated the JavaScript pre-requisite from Intranet port scanning, cross site request forgeries, session riding and of course CSS history hacking. The only thing we can’t yet do without JavaScript is read cross domain (and I stress the word yet). What else is left? I don’t mean to sound ho-hum about this, but really, what else do we have to do? Are there any nay-sayers left?
Labels: Exploit, http, Vulnerability
hi full-disclosure,
McAfee ePolicy Orchestrator Multiple Remote Buffer Overflow Vulnerabilities
by cocoruder of FSRT (Fortinet Security Research Team)
hfli_at_fortinet.com
Summary:
Multiple remote buffer overflow vulnerabilities exist in the ActiveX Control named "SiteManager.Dll" of McAfee ePolicy Orchestrator. A remote attacker who successfully exploits these vulnerabilities can completely take control of the affected system.
Affected Software Versions:
McAfee ePolicy Orchestrator 3.6.1
McAfee ePolicy Orchestrator 3.5 patch 6
Details:
1. Stack overflow in the function "ExportSiteList()" exported by "SiteManager.dll".
InprocServer32: SiteManager.dll
ClassID : 4124FDF6-B540-44C5-96B4-A380CEE9826A
ProgID : SiteManager.SiteMgr.1
Function Name : ExportSiteList
When the parameter of "ExportSiteList" is set to a long string, a stack-based overflow occurs. The following is the related code:
(SiteManager.dll,version=3.6.1.166)
.text:5262B1DE ; func_ExportSiteList
.text:5262B1DE ; Attributes: bp-based frame
.text:5262B1DE
.text:5262B1DE ; int __stdcall sub_5262B1DE(int,wchar_t *,int)
.text:5262B1DE sub_5262B1DE proc near ; DATA XREF: .rdata:5265B504o
.text:5262B1DE ; .rdata:5265B614o
.text:5262B1DE
.text:5262B1DE var_414 = word ptr -414h
.text:5262B1DE var_20E = word ptr -20Eh
.text:5262B1DE var_20C = word ptr -20Ch
.text:5262B1DE var_4 = dword ptr -4
.text:5262B1DE arg_0 = dword ptr 8
.text:5262B1DE arg_4 = dword ptr 0Ch
.text:5262B1DE arg_8 = dword ptr 10h
.text:5262B1DE
.text:5262B1DE push ebp
.text:5262B1DF mov ebp, esp
.text:5262B1E1 sub esp, 414h
.text:5262B1E7 mov eax, dword_52670218 ; set stack cookie
.text:5262B1EC push esi
.text:5262B1ED push [ebp+arg_4] ; lpSrcBuff
.text:5262B1F0 mov [ebp+var_4], eax
.text:5262B1F3 lea eax, [ebp+var_20C]
.text:5262B1F9 push eax ; lpDestBuff
.text:5262B1FA call ds:wcscpy ; stack overflow
2. Moreover, the following "swprintf" call also performs the copy without any length check, as follows:
.text:5262B257 push ebx
.text:5262B258 push edi
.text:5262B259 mov edi, offset aSitelist_xml ; "SiteList.xml"
.text:5262B25E push edi
.text:5262B25F lea eax, [ebp+var_20C]
.text:5262B265 push eax
.text:5262B266 lea eax, [ebp+var_414]
.text:5262B26C push offset aSS_0 ; "%s\\%s"
.text:5262B271 push eax ; lpSrcBuff
.text:5262B272 call ds:swprintf ; stack overflow
3. Stack overflow in the function "VerifyPackageCatalog()" exported by "SiteManager.dll".
InprocServer32: SiteManager.dll
ClassID : 4124FDF6-B540-44C5-96B4-A380CEE9826A
ProgID : SiteManager.SiteMgr.1
Function Name : VerifyPackageCatalog
When the parameter of "VerifyPackageCatalog" is set to a long string, a stack-based overflow occurs. The following is the related code:
(SiteManager.dll,version=3.6.1.166)
part1:
.text:5262CFAC func_VerifyPackageCatalog proc near
.text:5262CFAC
.text:5262CFAC mov eax, offset loc_52649F86
.text:5262CFB1 call __EH_prolog
...
.text:5262D00C lea eax, [ebp-28h]
.text:5262D00F push eax
.text:5262D010 push ebx
.text:5262D011 push esi
.text:5262D012 push offset loc_5263AD1A
.text:5262D017 push ebx
.text:5262D018 push ebx
.text:5262D019 call ds:_beginthreadex
part2:
.text:5263AD1A mov eax, offset loc_5264B221
.text:5263AD1F call __EH_prolog
.text:52637229 push ecx
.text:5263722A mov eax, 1774h
.text:5263722F call __alloca_probe ; int
.text:52637234 mov eax, dword_52670218
.text:52637239 mov [ebp-14h], eax ; set stack-cookie
...
.text:5263AD9A lea ecx, [ebp-23Ch]
.text:5263ADA0 push ecx
.text:5263ADA1 push eax
.text:5263ADA2 mov ecx, edi
.text:5263ADA4 call sub_5263721F
|
|_____ .text:5263721F mov eax, offset loc_5264AD1C
.text:52637224 call __EH_prolog
...
.text:5263731A push dword ptr [ebp+8] ; lpSrcBuff,"AAA..."
.text:5263731D lea eax, [ebp-62Ch]
.text:52637323 push eax ; lpDestBuff
.text:52637324 call ds:wcscpy ; stack overflow
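As an added example (not McAfee's or Fortinet's code), here is the ExportSiteList path-building pattern from items 1 to 3 reconstructed in C, with the unbounded copies the listings show next to a bounded version. Buffer sizes are in wchar_t elements; SITELIST_NAME and the function names are this example's own, and the 260-element sizes are read off the frame offsets in the listing.

```c
#include <wchar.h>
#include <stddef.h>

/* From the ExportSiteList frame in the listing: var_20C and var_414 are each
 * 0x208 bytes = 260 16-bit wchar_t (MAX_PATH) on Windows. Sizes below are in
 * wchar_t elements so the arithmetic is the same on any platform. */
#define SITE_BUF_WCHARS 260
#define PATH_BUF_WCHARS 260
#define SITELIST_NAME   L"SiteList.xml"   /* the aSitelist_xml string, 12 chars */

/* Vulnerable shape, matching the disassembly: the caller-supplied string is
 * copied with wcscpy into a fixed frame buffer, then joined with
 * "SiteList.xml" (the listing's swprintf "%s\\%s" is written here as
 * wcscpy/wcscat, since the old MSVC swprintf takes no size either). Neither
 * step checks a length. Kept for comparison; never called by the checks below. */
void vulnerable_export_path(const wchar_t *site_dir, wchar_t *out)
{
    wchar_t dir[SITE_BUF_WCHARS];
    wcscpy(dir, site_dir);            /* overflows dir[] once input reaches 260 */
    wcscpy(out, dir);                 /* joined path overflows out[] past 246   */
    wcscat(out, L"\\");
    wcscat(out, SITELIST_NAME);
}

/* Length-bounded scan so an unterminated input cannot be read past limit. */
static size_t bounded_wlen(const wchar_t *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != L'\0')
        n++;
    return n;
}

/* Hardened version: returns 0 and writes "<site_dir>\SiteList.xml" to out,
 * or -1 if either the first copy or the joined path would not fit. */
int safe_export_path(const wchar_t *site_dir, wchar_t *out, size_t out_wchars)
{
    size_t dir_len  = bounded_wlen(site_dir, SITE_BUF_WCHARS);
    size_t name_len = wcslen(SITELIST_NAME);

    if (dir_len >= SITE_BUF_WCHARS)                 /* would not fit dir[] + NUL */
        return -1;
    if (dir_len + 1 + name_len + 1 > out_wchars)    /* dir + '\' + name + NUL   */
        return -1;

    /* C99 swprintf takes the destination size and fails instead of overflowing. */
    int n = swprintf(out, out_wchars, L"%ls\\%ls", site_dir, SITELIST_NAME);
    return (n < 0 || (size_t)n >= out_wchars) ? -1 : 0;
}

/* Check helper on constructed input: a directory name of n 'A' characters.
 * Returns safe_export_path's result, or -2 if n exceeds the helper's buffer. */
int result_for_dir_len(size_t n)
{
    wchar_t site[1024];
    wchar_t out[PATH_BUF_WCHARS];
    if (n >= sizeof site / sizeof site[0])
        return -2;
    for (size_t i = 0; i < n; i++)
        site[i] = L'A';
    site[n] = L'\0';
    return safe_export_path(site, out, PATH_BUF_WCHARS);
}

/* Returns 1 when a short, realistic directory produces the expected path. */
int check_realistic_path(void)
{
    wchar_t out[PATH_BUF_WCHARS];
    return safe_export_path(L"C:\\ePO\\Sites", out, PATH_BUF_WCHARS) == 0 &&
           wcscmp(out, L"C:\\ePO\\Sites\\SiteList.xml") == 0;
}
```

A 259-character directory passes the first copy but not the join, which is the item 2 case; a 300-character one is stopped at the first check, which is the item 1 and item 3 case.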
Solution:
McAfee has released two patches and advisories which are available on:
https://knowledge.mcafee.com/SupportSite/search.do?cmd=displayKC&docType=kc&sliceId=SAL_Public&externalId=612495
https://knowledge.mcafee.com/SupportSite/search.do?cmd=displayKC&docType=kc&sliceId=SAL_Public&externalId=612496
Disclosure Timeline:
2006.12.19 Submitted vul1 and vul2 via security-alerts at mcafee.com
2006.12.19 Vendor responded
2006.12.30 Submitted vul3 via security-alerts at mcafee.com
2006.12.30 Vendor responded
2007.03.12 Vendor notified us that the patches had been completed
2007.03.13 Coordinated public disclosure
Disclaimer:
Although Fortinet has attempted to provide accurate information in
these materials, Fortinet assumes no legal responsibility for the
accuracy or completeness of the information. More specific information
is available on request from Fortinet. Please note that Fortinet's
product information does not constitute or contain any guarantee,
warranty or legally binding representation, unless expressly
identified as such in a duly signed writing.
Fortinet Security Research
secresearch at fortinet.com
http://www.fortinet.com
Best Regards,
hfli
hfli at fortinet.com
2007-03-14
Labels: Anti-Virus, Exploit, Vulnerability
Windows insecurity leads to the creation of botnets which are used to send oceans of spam to everyone. This is about a proposal to try to stem that tide. Of course if spam is stopped the botnets will still be there and used by the criminal gangs for other purposes. Ed.
=====================================
Spam storm needs ISP action, urges security chief
By Will Sturgeon
Published: Wednesday 14 March 2007
Ispa, the UK's internet service providers' association, will today make a presentation to the House of Lords science and technology committee on computer security and spam.
The session, which follows the submission of a written response, coincides with claims the number of compromised PCs – known as botnets – in the UK has tripled over the past year.
And one security expert claims ISPs are still shirking their responsibilities.
Speaking about the growing problem of botnets and the deluge of spam they create, David Rand, CTO of security company Trend Micro, told silicon.com: "I absolutely believe this is the ISPs' responsibility. Yet top ISPs still aren't doing anything."
Rand said: "It's not like the ISPs can't tell this is going on. They can see all this on their networks."
Many leading ISPs currently refuse to take measures such as blocking port 25 traffic, a move which Rand claimed would affect very few users sending legitimate email, while blocking the port used to relay email via the internet on compromised machines.
And he expressed doubts that ISPs would ever volunteer such measures to legislators because they fear taking greater responsibility for the use of their networks and the implications of increased operating costs.
A spokesman for Ispa said it understands the majority of spam originates from compromised PCs connected to its members' broadband services - and those of other ISPs - often unbeknownst to customers. But he said it is not the ISPs' lone responsibility to solve the problem, suggesting legislation and end-user education are essential tools in the fight.
The Ispa spokesman told silicon.com: "No ISP wants to tolerate any criminal activity on their network."
He also denied suggestions ISPs have been slow or unwilling to act on the matter. "If there was a flick-switch solution to this, we would have done it," he said.
Trend Micro's Rand told silicon.com the number of infected PCs has tripled in the UK over the past year, according to his company's research.
This means more UK homes and businesses are operating compromised PCs which - as well as sending vast volumes of spam - could potentially be plundered for sensitive data such as passwords or bank details.
Rand told silicon.com one reason for the upsurge in rogue activity on European networks dates back to a major fibre cut between China and Taiwan in December 2006. At that time botnet activity switched dramatically from China to Europe within around six minutes, he said.
Rand said millions of infected machines in Europe were brought online by the criminals who control them remotely, showing not only a vast amount of redundancy built into these criminal networks but also "highly sophisticated" business continuity plans.
He said: "These criminals have a very advanced command and control structure. We've got a real challenge ahead of us to take that down. And we've not managed it yet."
Labels: Botnet, News Article, Spam
W32.Fujacks.BH (also detected as W32/Catcher-A)
Discovered: March 14, 2007
Also Known As: W32/Fujacks.z [McAfee], W32/Fujacks.dll [McAfee]
Type: Virus, Worm
Infection Length: 80,384 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Once executed, the worm copies itself as the following files:
%System%\[RANDOM].dll
%System%\[RANDOM].exe
The worm creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{21LYYSYS-9421-2126-L2Y1-L2Y1Y1S3Y1S4}\"StubPath" = "%System%\[RANDOM].exe"
The worm injects itself into the following processes:
Explorer.exe
Services.exe
Winlogon.exe
The worm attempts to download a file from the following URL:
[http://]www.lovesa.info/logo[REMOVED]
Note: At the time of writing, the file was unavailable.
The worm scans the compromised computer and prepends itself to .exe and .scr files. It avoids infecting files located in the following folders:
ComPlus Applications
Common Files
Delphi
Internet Explorer
Messenger
Microsoft Frontpage
Movie Maker
NetMeeting
Online Services
Outlook Express
RECYCLER
System Volume Information
System32
Temp
WINNT
Windows Media Player
Windows NT
WinRAR
Windows
Note: Executable files increase in size by 80,384 bytes.
The worm also appends a reference to the domain www.lovesa.info into all files it finds with the following extensions:
.asa
.asp
.aspx
.bat
.cdx
.cer
.css
.htm
.html
.inc
.jsp
.php
The worm uses the following list of passwords in an attempt to copy itself to available network shares:
000000
00000000
1
110
111
111111
11111111
12
120
121212
123
123123
123321
1234
12345
123456
1234567
12345678
123456789
1234qwer
123abc
123asd
123qwe
2000
2004
2005
2006
2007
2008
2k
321
4321
5021314
520
5201314
520520
54321
654321
88888
88888888
999999
Admin
Administrator
Password
Root
abc
abc123
abcd
abcd123
admin
admin123
administrator
adsl
asdf
asdf123
bye
byebye
cctv
china
computer
data
database
date
enable
foobar
fuck
fuckyou
ghost
god
godblessyou
goodbye
guest
guest123
guest321
hao123
happy
home
ihavenopass
iloveyou
internet
japan
kaonima
live
login
love
loveyou
mylove
mypass
mypass123
no
oracle
pass
passwd
password
pwd
qq
qwer
root
sa
server
sex
super
sybase
temp
temp123
test
test123
user
users
wangba
window
windows
windows2000
windows2003
windowsxp.
xp
xxx
yxcv
zxcv
The worm then attempts to copy itself as one of the following filenames:
FuckJacks.exe
Logo1_.exe
Logo_1.exe
Rundl132.exe
c0nime.exe
iexpl0re.exe
nvscv32.exe
spoclsv.exe
svch0st.exe
Threat Assessment
Wild
Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Moderate
Damage
Damage Level: Medium
Payload: Infects various files.
Distribution
Distribution Level: Medium
Shared Drives: Copies itself to network shares.
Writeup By: Jeong Mun
Labels: Anti-Virus, Microsoft, Worm
JS_FEEBS.JM
Malware type: JavaScript
Aliases: No Alias Found
In the wild: Yes
Destructive: No
Language: English
Platform: Windows 98, ME, NT, 2000, XP, Server 2003
Encrypted: No
Overall risk rating: Low
Reported infections: Low
Damage potential: High
Distribution potential: High
Malware Overview
This malicious JavaScript is usually embedded in a malicious Web site and runs when a user visits that site. It may also arrive on a system as an attachment to a mass-mailed email message.
Upon execution, it decodes and drops a file detected by Trend Micro as WORM_FEEBS.OV. As a result, routines of the related worm may be exhibited on the affected system.
It also displays a fake loading page that displays the following message:
Error while decrypting file
Solution:
(Note: Close all instances of Internet Explorer before proceeding with the solution below.)
Important Windows ME/XP Cleaning Instructions
Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.
Users running other Windows versions can proceed with the succeeding solution set(s).
Running Trend Micro Antivirus
If you are currently running in safe mode, please restart your computer normally before performing the following solution.
Scan your computer with Trend Micro antivirus and delete files detected as JS_FEEBS.JM and WORM_FEEBS.OV. To do this, Trend Micro customers must download the latest virus pattern file and scan their computer. Other Internet users can use HouseCall, the Trend Micro online virus scanner.
Labels: http, Microsoft, Virus
Win32/Nirbot Family
Threat Assessment
Overall Risk: Low
Wild: Low
Destructiveness: Medium
Pervasiveness: Medium
Characteristics
Type: Worm
Category: Win32
Also known as
W32/Delbot (Sophos),
W32.Rinbot (Symantec), Backdoor.Win32.VanBot (Kaspersky)
Description
Win32/Nirbot is a family of IRC-controlled backdoors that can be used to gain unauthorized access to a victim's machine. They can also exhibit worm-like functionality by exploiting many different software vulnerabilities, including SYM06-010 and MS06-040.
Method of Infection
When executed, Win32/Nirbot copies itself to the %System% directory using filenames such as:
arman.exe
atievx.exe
crcss.exe
lemsrv.exe
msync.exe
navscnr.exe
netadp.exe
prevx.exe
rinsv.exe
symmec.exe
It then makes the following registry modification to ensure this copy is executed at each Windows start:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\<value name> = "%System%\<worm filename>"
where <value name> differs depending on the variant, for example:
ATI Active Graphics Card Monitor
JW Manager
LEMSRV
Network Bridge
Random Interface Network Manager
Symmetrical Network
Syncronization
Nirbot continuously checks for and sets the above registry entry.
The worm also creates a mutex to avoid running multiple instances of itself.
Note: '%System%' is a variable location. The malware determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95,98 and ME is C:\Windows\System; and for XP is C:\Windows\System32.
Method of Distribution
Via Exploit
Win32/Nirbot spreads by exploiting a number of vulnerabilities in Windows operating systems and third party applications. Nirbot's spreading routine starts with scanning for vulnerable target machines. The worm can generate random values for all or part of each IP address it targets.
Nirbot variants can spread by exploiting the following vulnerabilities:
Symantec Client Security and Symantec AntiVirus Elevation of Privilege (SYM06-010)
The worm opens a configurable port on the compromised machine and runs a TFTP server. The worm probes remote machines on port 2967 to determine if they are prone to the SYM06-010 vulnerability. If successful, the worm executes a small amount of code on the target machine that instructs it to connect back to the running TFTP server and retrieve a copy of the worm.
For more information on this vulnerability, please visit the following:
http://www.symantec.com/avcenter/security/Content/2006.05.25.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2630
Microsoft Windows Server service buffer overflow vulnerability (TCP port 139)
The worm creates an HTTP server on the system on a random port. The worm also checks if the IP address of the local machine partially matches a list of IPs contained in its code, for example:
192.168.*.*
10.*.*.*
111.*.*.*
15.*.*.*
16.*.*.*
101.*.*.*
110.*.*.*
112.*.*.*
170.65.*.*
If the IP does not match, the worm instructs the machine vulnerable to this exploit to connect back to the HTTP server running on the system and retrieve a copy of the worm. If the IPs do match, the worm executes a small amount of code on the targeted machine that instructs it to download a copy of the worm from a specific domain. The following is a list of domains and IPs that Nirbot variants have been observed to download from:
66.29.116.82
58.20.109.39
digiflex.info
t3arj3rk.com
sw1tchbck.net
pennysheet.com
jimmybuttons.com
For more information on this vulnerability, please visit the following:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34486
http://www.microsoft.com/technet/security/Bulletin/MS06-040.mspx
Microsoft Windows RPCSS malformed DCOM message buffer overflow vulnerabilities (TCP port 135)
If the worm finds a machine vulnerable to this exploit, it executes a small amount of code on the targeted machine that instructs it to retrieve a copy of the worm. This is also done through a TFTP server the worm creates on the compromised system on a configurable port.
For more information on this vulnerability, please visit the following:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=25975
http://www.microsoft.com/technet/security/bulletin/MS03-039.mspx
Exploiting weak passwords on MS SQL servers, including the Microsoft SQL Server Desktop Engine blank 'sa' password vulnerability (TCP port 1433)
If Win32/Nirbot finds an exploitable machine, it attempts to log into SQL server accounts 'sa', 'root' and 'admin'. It attempts to authenticate these accounts using several passwords stored in its code. If the worm successfully logs into an account, it sends code to the remote machine instructing it to retrieve a copy of itself.
For more information on this vulnerability, please visit the following:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=5705
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q321081
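Both the share spraying described for W32.Fujacks.BH above (its password list tried against network shares) and Nirbot's guessing of the SQL 'sa', 'root' and 'admin' accounts leave the same evidence on the target: one source, many failed logons against a handful of accounts within seconds, sometimes followed by a success. The following is an added example, not Microsoft's or Symantec's code. It assumes a simplified CSV export of Windows Security event 4625/4624 records (timestamp, event id, logon type, target account, source address), which is a constructed format; map the fields to whatever your log pipeline emits. SQL Server records its own failed logins (error 18456 in the SQL error log) rather than 4625, so the same sliding-window logic would need that parser instead.

```python
"""Added example (not from the vendor write-ups): find password-guessing sources
in authentication failure records.  A source that produces a burst of network
(logon type 3) failures inside a short window is reported, together with the
accounts it tried and whether a success from the same source followed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 6                  # failures inside WINDOW needed to report a source
WINDOW = timedelta(seconds=60)

# Constructed sample (simplified 4625/4624 export, not a real log):
# timestamp, event id, logon type, target account, source address
SAMPLE_EVENTS = """\
2007-03-14T10:00:00,4625,3,Administrator,10.1.2.57
2007-03-14T10:00:00,4625,3,Administrator,10.1.2.57
2007-03-14T10:00:01,4625,3,Administrator,10.1.2.57
2007-03-14T10:00:01,4625,3,Administrator,10.1.2.57
2007-03-14T10:00:02,4625,3,admin,10.1.2.57
2007-03-14T10:00:02,4625,3,admin,10.1.2.57
2007-03-14T10:00:03,4625,3,guest,10.1.2.57
2007-03-14T10:00:03,4625,3,guest,10.1.2.57
2007-03-14T10:00:04,4624,3,Administrator,10.1.2.57
2007-03-14T10:00:09,4625,2,jsmith,10.1.2.12
2007-03-14T10:03:00,4625,2,jsmith,10.1.2.12
2007-03-14T10:07:00,4625,3,jsmith,10.1.2.12
"""


def parse_events(text):
    """Parse the CSV lines above into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, ltype, account, src = line.split(",")
        events.append({"time": datetime.fromisoformat(ts), "id": int(eid),
                       "logon_type": int(ltype), "account": account, "src": src})
    return sorted(events, key=lambda e: e["time"])


def find_guessing_sources(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {src: {"failures": n, "accounts": [...], "success_after": bool}}
    for every source with >= threshold type-3 failures inside any span of `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e["logon_type"] == 3:             # network logons: SMB shares, SQL, etc.
            by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e["id"] == 4625]
        best, start = 0, 0
        for end in range(len(fails)):        # sliding window over time-sorted failures
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            last_fail = fails[-1]["time"]
            success_after = any(e["id"] == 4624 and e["time"] >= last_fail for e in evs)
            hits[src] = {"failures": len(fails),
                         "accounts": sorted({e["account"] for e in fails}),
                         "success_after": success_after}
    return hits


if __name__ == "__main__":
    for src, info in find_guessing_sources(parse_events(SAMPLE_EVENTS)).items():
        print(src, info)
```

A source whose burst ends in a 4624 is the one to isolate first: the worm's list is short, so a success means a weak password was found and the worm has most likely already copied itself to the share.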
Payload: Backdoor Functionality
Nirbot is an IRC-controlled backdoor. Variants of the worm usually attempt to connect to between two and four IRC servers before joining a specific channel. The following is a list of some known IRC servers Nirbot variants have attempted to connect to (generally on port 8080, although this differs between variants):
crusade.godhatesfags.com
is.wayne.brady.gonna.have.to.chokeabitch.us
lol.godhatesfags.com
phatcamp.org
x.anti-viral.us
x.pennysheet.com
x.rofflewaffles.us
Once the worm has connected to one of these servers and joined a channel, the operator of that channel controls the compromised machine and can instruct Nirbot to perform malicious operations such as spreading.
Via its backdoor, the worm can also be instructed to:
- Retrieve system information such as operating system details
- Download and execute files from the Internet
- Run a SOCKS proxy on the affected host
- Perform a Denial of Service attack
- Execute commands on the affected host
- Update itself
- Remove itself
- Steal CD keys
Downloads and Executes Arbitrary Files
When first run, some Nirbot variants download and execute a file. The file is downloaded from a specific domain and is usually executed from the C:\ directory. Downloaded files are usually Win32/Amahkey trojan variants - for example, Win32/Amahkey.F.
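The propagation and command-and-control behaviour described above is visible on the wire: a host probing many neighbours on the exploit ports (2967 for SYM06-010, 139 for MS06-040, 135 for MS03-039, 1433 for MSSQL), probed hosts opening TFTP back to the prober to fetch the worm body, and the infected host then connecting to one of the listed IRC servers on port 8080. The following is an added example, not Microsoft's code; it runs over constructed flow records and makes two assumptions: the flow log carries resolved hostnames for external destinations (so the IRC names can be matched directly), and the worm's TFTP server sits on the default UDP port 69 (the write-up says the port is configurable, so treat that as a tunable).

```python
"""Added example (not from the Microsoft write-up): network-side detection of
Nirbot spreading and C2 from flow records.  Three signals:
  1. fan-out: one source reaching many distinct hosts on the exploit ports;
  2. connect-back: a just-probed host opening TFTP to its prober;
  3. C2: outbound TCP/8080 to one of the IRC hostnames listed in the write-up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EXPLOIT_PORTS = {2967: "SYM06-010", 139: "MS06-040", 135: "MS03-039", 1433: "MSSQL weak sa"}
IRC_HOSTS = {"crusade.godhatesfags.com", "lol.godhatesfags.com", "phatcamp.org",
             "x.anti-viral.us", "x.pennysheet.com", "x.rofflewaffles.us",
             "is.wayne.brady.gonna.have.to.chokeabitch.us"}
TFTP_PORT = 69                       # assumption: write-up says the port is configurable
FANOUT_THRESHOLD = 5                 # distinct targets inside SCAN_WINDOW to call it a scan
SCAN_WINDOW = timedelta(seconds=30)
CALLBACK_WINDOW = timedelta(seconds=120)

# Constructed sample flows (not real traffic): time, proto, src, sport, dst, dport
SAMPLE_FLOWS = """\
2007-03-12T09:00:00,tcp,10.0.0.5,1031,10.0.0.21,2967
2007-03-12T09:00:00,tcp,10.0.0.5,1032,10.0.0.22,2967
2007-03-12T09:00:01,tcp,10.0.0.5,1033,10.0.0.23,139
2007-03-12T09:00:01,tcp,10.0.0.5,1034,10.0.0.24,135
2007-03-12T09:00:02,tcp,10.0.0.5,1035,10.0.0.25,1433
2007-03-12T09:00:02,tcp,10.0.0.5,1036,10.0.0.26,2967
2007-03-12T09:00:05,udp,10.0.0.23,2048,10.0.0.5,69
2007-03-12T09:00:40,tcp,10.0.0.5,1040,x.pennysheet.com,8080
2007-03-12T09:01:00,tcp,10.0.0.9,1500,10.0.0.21,139
2007-03-12T09:02:00,tcp,10.0.0.9,1501,fileserver.corp.example,445
2007-03-12T09:05:00,tcp,10.0.0.7,1600,proxy.corp.example,8080
"""


def parse_flows(text):
    """Parse the CSV lines above into dicts, sorted by time."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, src, sport, dst, dport = line.split(",")
        flows.append({"time": datetime.fromisoformat(ts), "proto": proto, "src": src,
                      "sport": int(sport), "dst": dst, "dport": int(dport)})
    return sorted(flows, key=lambda f: f["time"])


def find_scanners(flows, threshold=FANOUT_THRESHOLD, window=SCAN_WINDOW):
    """{src: {"targets": [...], "vulns": [...]}} for sources that touched
    >= threshold distinct hosts on exploit ports inside any `window`."""
    probes = defaultdict(list)
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] in EXPLOIT_PORTS:
            probes[f["src"]].append(f)
    scanners = {}
    for src, ps in probes.items():
        for i in range(len(ps)):
            in_window = [p for p in ps[i:] if p["time"] - ps[i]["time"] <= window]
            if len({p["dst"] for p in in_window}) >= threshold:
                scanners[src] = {"targets": sorted({p["dst"] for p in ps}),
                                 "vulns": sorted({EXPLOIT_PORTS[p["dport"]] for p in ps})}
                break
    return scanners


def find_connect_backs(flows, scanners, window=CALLBACK_WINDOW):
    """(victim, scanner) pairs: a probed host opened TFTP to its prober within `window`."""
    hits = []
    for f in flows:
        if f["proto"] == "udp" and f["dport"] == TFTP_PORT and f["dst"] in scanners:
            probed = any(p["proto"] == "tcp" and p["dport"] in EXPLOIT_PORTS
                         and p["src"] == f["dst"] and p["dst"] == f["src"]
                         and timedelta(0) <= f["time"] - p["time"] <= window
                         for p in flows)
            if probed:
                hits.append((f["src"], f["dst"]))
    return hits


def find_c2(flows):
    """(src, dst) pairs for outbound TCP/8080 to a listed Nirbot IRC host."""
    return [(f["src"], f["dst"]) for f in flows
            if f["proto"] == "tcp" and f["dport"] == 8080 and f["dst"] in IRC_HOSTS]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    scanners = find_scanners(flows)
    print("scanners:", scanners)
    print("connect-backs:", find_connect_backs(flows, scanners))
    print("c2:", find_c2(flows))
```

The MS06-040 path cannot be caught by the connect-back rule, because the write-up says that payload is served from an HTTP server on a random port; the fan-out rule is what catches that variant, and a 10.0.0.5-style source that trips fan-out and then opens TCP/8080 to an unfamiliar host is worth isolating even when the IRC name is not on the list above.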
Analysis by Amir Fouda
Labels: Anti-Virus, Microsoft, Virus, Worm
Troj/IMspam-B is a Trojan for the Windows platform.
Name Troj/IMspam-B
Type Trojan
Affected operating systems Windows
Side effects Forges the sender's email address. Uses its own emailing engine. Downloads code from the internet
Troj/IMspam-B is a mass spamming tool that targets MSN Messenger, Windows Live Messenger, AOL Instant Messenger and email addresses.
When run Troj/IMspam-B closes all other instances of itself and removes all EXEs in the root folder of the C drive.
Sample text appears as:
"Heeey i saw a pic of u online HAHAHA check"
At the time of writing, the EXE downloaded from the malicious link is detected as W32/Delbot-U.
Labels: Anti-Virus, Microsoft, Trojan, Virus
W32.Messmulti
Risk Level 1: Very Low
Discovered: March 12, 2007
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
W32.Messmulti is a worm that sends a link to itself through multiple instant messengers or chat programs.
Threat Assessment
Wild
Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Easy
Damage
Damage Level: Low
Payload: Sends a link to itself through multiple instant messengers or chat programs.
Distribution
Distribution Level: Low
Writeup By: Masaki Suenaga
Labels: Microsoft, Worm
Name Troj/DownLdr-QP
Type Trojan
Affected operating systems Windows
Side effects Downloads code from the internet
Aliases Trojan-Downloader.Win32.Delf.yj
Troj/DownLdr-QP includes functionality to access the internet and communicate with a remote server via HTTP.
When first run Troj/DownLdr-QP copies itself to:
\niw.exe
\impai.exe
and creates the following files:
\Content.IE5\89irkl2n\cd321[1].htm
\Content.IE5\od6fwfox\677977[1].htm
These files may be deleted.
Labels: Microsoft, Virus
Brian Krebs on Computer Security
Online Anti-Virus Scans: A Free Second Opinion
Periodic online virus scanning is a good idea for Windows users, even for people already using up-to-date anti-virus tools. There are a couple of reasons I suggest this: First, anti-virus software is frequently slow to spot new threats. Take a gander at the daily "unrecognized" stats posted by Shadowserver.org, which tracks the performance (or lack thereof) of several popular tools in spotting new variants. That list currently examines the performance of several free programs, but the reality is not much different with the commercial tools. Just have a look at performance metrics and virus detection failure rates chronicled here (virustotal.com) and here.
The second reason follows from the first: If something nasty does make it past your security defenses, usually the first thing it will try to do is disable the active protection and update features in those tools. In such cases, you probably would not know about the infection unless you turned to a third-party program that is not already installed on your computer.
In my experience, two of the better free online anti-virus scanners are Panda Software's PandaScan and Kaspersky Lab's Free Virus Scan. Both require that you run the scans using Internet Explorer, as both require the installation of an ActiveX plug-in to do the job.
F-Secure Corp., CA and BitDefender also offer free online scanners that also use IE and ActiveX, but I haven't yet tried those so I can't offer an opinion on them.
TrendMicro's HouseCall service lets you install and run a free scanning tool from inside an IE or Firefox browser. However, I found the program both annoying -- it emitted a series of very loud and startling tones through my computer speakers while downloading virus definitions -- and ineffective. It crashed halfway through the scan, taking all of my other open Firefox windows with it, including an earlier, unsaved version of this blog post. (I had hoped Firefox 2.0's crash-recovery feature would save what I had typed as it had in previous crashes, but no such luck this time.)
If you have just a single file or archive that you'd like to scan, I'd suggest submitting it to VirusTotal, a free online anti-virus engine that will scan your submission against more than two dozen of the most well-known tools.
Depending on the speed of your PC and the number of files and hard drives you have, conducting an online scan can take between a few minutes to several hours to complete. It's not a bad idea to run the scan only when you can afford to be away from the PC for a few hours, or perhaps right before bedtime. Even on my test machine -- which sports a 2.2 GHz processor and 2 gigabytes of memory -- running several of the online scanners interfered with the simplest of tasks, such as composing an e-mail.
Labels: Microsoft, Virus