Sunday, April 29, 2007

Botnet operators doing more spam, less DoS

Cyber-mobsters drop DoS attacks

Extortion technique no longer profitable, say experts
Shaun Nichols in California, vnunet.com 27 Apr 2007

The practice of holding websites hostage under the threat of denial-of-service (DoS) attacks is declining, according to security researchers at Symantec.

DoS attacks are carried out by botnet operators using armies of remotely controlled PCs to flood a site with traffic and information requests. The attacks can cause sites and web services to run slowly or shut down altogether.

Criminals use the attacks to extort money from organisations by launching a first DoS attack and then threatening to launch further attacks unless the company pays up.

The tactic has recently drawn the attention of legislators, who passed laws last November allowing for tougher punishments for the crime.

Symantec said that it has seen a steady decline in the number of reported DoS incidents in the past six months, and believes that much of it is due to the inefficiency of the practice.

The problem for the criminals, according to Symantec security engineer Yazan Gable, is that the brute-force attacks are often costly and inefficient for the botnet operator.

"Whenever a botnet owner carries out a DoS attack they run the risk of losing some of their bots," Gable said in an article for the company's security response blog.

"This could happen either because an attacking computer is identified and disinfected, or simply blocked by its ISP from accessing the network.

"Furthermore, if the botnet owner is not careful they could lose their entire network if their command and control server is identified."

Another problem for botnet operators arises when the victim calls the attacker's bluff and refuses to pay.

"Since the target has refused to pay, it is likely that they will never pay. As a consequence, the attacker has spent time and resources on a lost cause," wrote Gable.

The security engineer added that the drop in DoS extortion may also be due to the increased use of botnets to deliver large-scale spam mailings.

Gable noted that the drop in DoS attacks has coincided with a dramatic rise in spam volumes, suggesting that the lower-risk, more lucrative spam market may be luring botnet owners away from the DoS attack business.


Sunday, April 22, 2007

Nortel VPN Router - Unauthorized Remote Access

http://secunia.com/advisories/24962/

Description:
A vulnerability and a security issue have been reported in Nortel VPN Routers, which can be exploited by malicious people to bypass certain security restrictions or manipulate certain data.

1) Two default user accounts ("FIPSecryptedtest1219" and "FIPSunecryptedtest1219") are configured on the VPN Router, which are not readily visible to the system manager. These can be exploited to gain unauthorized access to the private network.

2) Missing authentication checks within two template files of the web management tool can be exploited to e.g. modify certain router configurations.

An issue regarding the same DES keys being used to encrypt users' passwords has also been reported, which can facilitate brute-force attacks on the passwords if an attacker gains access to the LDAP store.

The vulnerability and security issue reportedly affect the following products:
* Contivity 1000 VPN Switch
* Contivity 2000 VPN Switch
* Contivity 4000 VPN Switch
* VPN Router 5000
* VPN Router Portfolio

Solution:
Update to versions 6_05.140, 5_05.304, or 5_05.149.

Provided and/or discovered by:
The vendor credits Detack GmbH.


Friday, April 20, 2007

Internet Explorer Drag and Drop Redeux [CVE-2005-3240] Race Condition

[Full-disclosure] Advisory: Internet Explorer Drag and Drop Redeux [CVE-2005-3240] (fwd)


From: Matthew Murphy (mattmurphy AT kc.rr.com)
Date: Mon Feb 13 2006 - 18:46:38 CST

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

My apologies to those who are receiving this late or are otherwise
inconvenienced by the staggered release. I had unexpected, last-minute
travel issues that interfered somewhat with today's release.

Of note since the initial drafting of the advisory is that Microsoft has
released a blog post on the MSRC blog about the vulnerability report,
which can be read here:

http://blogs.technet.com/msrc/archive/2006/02/13/419439.aspx

The technical/strategic points about the exploit that are raised in the
post are indeed accurate (though it references MS05-014, when I believe
the correct reference is MS05-008/MS05-013). The exploit has a greater
dependence on timing than previous, related attacks. As such,
Microsoft's decision not to include this issue in a standalone patch is
seemingly justified at this point. However, the point of disagreement
with Microsoft remains the choice of release *timeline*.

I released the information about this issue to a trusted colleague (Gadi
Evron) for publication today, after what I felt was a reasonable time,
in light of my difficulties obtaining internet access.

Though there are disagreements between myself and Microsoft about the
nature of this vulnerability, I would like to thank Brian Schafer of the
MSRC for adhering to a high level of professionalism and technical
accuracy in that post and for continuing to work with me once it was
made clear that the issue would imminently become public.

Also of note is that there was a typo in the information I provided
originally to SecuriTeam. The proper candidate is CVE-2005-3240, not
*3840* as was originally reported by me. SecurityFocus has also
informed me that my original BID reservation was a casualty of a data
migration and that the proper BID associated with this vulnerability is
now BID 16352, which is public in full detail as of this writing.

There have also been some incorrect reports made to SecuriTeam that this
issue does not affect Windows XP Service Pack 2. These reports are not
correct -- my testing during this investigation was done exclusively on
current installations of Windows 2000 and Windows XP. These systems had
all service packs applied and all updates installed when tests were
performed.

Thanks to Gadi Evron for doing some of my bidding today and taking some
of the heat for my fat-fingers.

The final advisory, corrected with the now-accurate references is
attached with an armored-format PGP signature inline.

- --
"Social Darwinism: Try to make something idiot-proof,
nature will provide you with a better idiot."

-- Michael Holstein

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB5444D38

iD8DBQFD8Shufp4vUrVETTgRA/hpAJ9DobMIa4EH8otBMNlzIPK6RrMGUgCfcrrj
ZI9G00rer59rLkwI5uH0KGQ=
=DQ2a
-----END PGP SIGNATURE-----


Microsoft Internet Explorer Drag-and-Drop Redeux

I. SYNOPSIS

Affected Systems:
* Microsoft Internet Explorer 5.01
* Microsoft Internet Explorer 5.5
* Microsoft Internet Explorer 6.0
- Windows 98
- Windows 98 Second Edition
- Windows Millennium Edition
- Windows 2000
- Windows XP
- Windows Server 2003

Risk: Medium
Impact: Potential remote code execution with some user interaction
Status: Uncoordinated Release
Author: Matthew Murphy (mattmurphy AT kc.rr.com)

II. VULNERABILITY OVERVIEW

Microsoft Internet Explorer suffers from a vulnerability in its handling of certain drag-and-drop events. As a result, it is possible for a malicious web site to predict and exploit the timing of a drag-and-drop operation such that any drag operation (including using scroll-bars) could potentially lead to the installation of arbitrary files in sensitive locations that may enable further system compromise.

III. TECHNICAL DESCRIPTION

As a result of recent updates to its drag-and-drop functionality, Internet Explorer now imposes a rigid set of restrictions on most drag-and-drop sources:

* Input to the browser from other applications is not permitted.
* Dragging an object from inside a frame is not permitted.
* Dragging an HTML element from a top-level window will produce a security warning.

However, certain objects not derived from an HTML document (specifically, file objects within a folder view) remain draggable. This gives rise to a potential race condition in the handling of user input. If an attacker can persuade a user to drag any object within the top-level window that his/her site is contained in, malicious script can redirect these inputs to other top-level windows, potentially resulting in an unintended consequence such as file installation.

Proof-of-concept code has been developed that utilizes a pop-under window pointing to a malicious file share. This window can be created using window.open() or other stealthier methods that are known to evade Internet Explorer's built-in pop-up blocking. Focus is then returned to the opening window, where the user is encouraged to drag an object (image, link, etc.) in a seemingly "safe" fashion.

Immediately prior to this object being dragged, a mouseOver event is triggered that enables the attacker to (with a varying degree of success) predict the imminent drag attempt. The pop-under can then be returned to focus by way of a window.blur() executed in the current window. If the timing of the transition is accurate to a margin of error within a user's reaction time threshold, the user will unwittingly initiate a drag of a file from the pop-under instead of the object originally used as a lure by the attacker.

As soon as it transfers focus, the window with the original interactive content may set a timer (via window.setTimeout()) that returns focus to the window with a simple window.focus() call. After a split-second delay, focus is returned to the interactive window. At this point, on-demand alteration of CSS attributes can be used to display previously-hidden objects (such as inline frames). These objects serve as "drop target" windows and will initiate the copying of the file dropped from the (presumably malicious) pop-under window.

While Internet Explorer blocks hiding or resizing of certain "suspect" objects (IFRAMEs, for instance), so-called container objects (DIV, SPAN, etc.) suffer no such restrictions, even when they contain one of the objects in the former category. The proof-of-concept code as developed simply stores a full-screen inline frame in a container initially marked with the "hidden" visibility style.

The pop-under window, in this instance, would be a folder on a malicious server. This could be accessed via SMB (\\HOSTILESERVER\SHARE), FTP (ftp://hostileserver/somedirectory) or even HTTP (web folders) using certain link behaviors in combination with the click() method of a hyperlink object. In the third case, the pop-under would initially be targeted to an HTML document, which would then open the web folder containing hostile content.

The path to the drop target (the hidden frame in the original window) requires a little more creativity. Particularly in Windows XP Service Pack 2, Microsoft has done a fairly good job of locking down access to local resources. The most interesting vector for the purposes of this attack is via the network redirector. By using the IP address or machine name of the local system (typically obtainable via any number of means), such as:

\\MACHINENAME\share

It becomes possible to access resources offered by the network redirector on the local system. Of most interest is the "Scheduled Tasks" folder:

\\MACHINENAME\Scheduled Tasks

Items dropped into this folder execute automatically at a system-determined time (3 AM local time in tests on Windows XP Professional Service Pack 2) each day as the user dropping the file. Also of interest are common shares such as the administrative shares (C$, D$, etc.) and typical share names like "SharedDocs" on Windows XP. In most cases, this is at least a partial functional equivalent to local file system access and is not subject to zone restrictions, even on Windows XP Service Pack 2.

IV. IMPACT

A malicious web site, with a minimum of social engineering, may be able to compromise user systems by triggering an unintended installation of malicious software. Typical defense-in-depth measures may mitigate this issue. For those who run Internet Explorer with administrative privileges, the impact of any successful exploitation is complete control of the affected system. A malicious web site could install software that would add or delete privileged user accounts, alter, destroy or disclose the content of personal or otherwise sensitive files, record personal information or any number of other activities.

Users who do not browse with such high levels of privilege would be at a significantly reduced risk from exploitation of this vulnerability. In the case of a user with limited privileges, this vulnerability could only be exploited by an attacker to install software that executes with the privileges of that user.

V. WORKAROUNDS

The following workarounds are believed at the time of this writing to be effective against the exploitation of this vulnerability in some form:

1. Set a Kill Bit on the Shell.Explorer Control
-----------------------------------------------

Setting a kill bit on this control will prevent Internet Explorer from displaying the rich folder view interface that gives rise to this attack. For more information about setting kill bits, please see Microsoft Knowledge Base Article 240797:

http://support.microsoft.com/kb/240797

The CLSID of this component as deployed on Windows XP is:

{8856F961-340A-11D0-A96B-00C04FD705A2}

Tools to automate the process of setting this kill bit have been provided at:

http://student.missouristate.edu/m/matthew007/tools/shellkill.zip
PGP signature: http://student.missouristate.edu/m/matthew007/tools/shellkill.zip.asc

Included in this archive are an Administrative Template (.adm) and a VBScript file (.vbs) which implement this setting. The Administrative Template also allows an administrator to work around a specific case of functionality loss caused by the implementation of this workaround. Instructions on using both files are contained within the readme file in the archive.

IMPACT: This workaround will cause Internet Explorer to no longer render folder views for local directories, network file shares, FTP directories and web folders by default. The ability to browse FTP directories in Internet Explorer can be restored by clearing the "Enable Folder View for FTP Sites" option in Internet Explorer's "Advanced" options. However, this countermeasure is known to expose another security vulnerability that does not appear to have been fixed as of this writing:

http://lists.grok.org.uk/pipermail/full-disclosure/2003-June/005321.html

For ordinary browsing purposes, the Windows Explorer tool is unaffected by this change. This defensive measure has been successfully implemented in at least one commercial software product and tested on a significant scale prior to the release of this advisory. Therefore, it is the belief of the author that potential loss of functionality *should* be minimal. As with all measures, you are encouraged to test the impact of this workaround prior to making any decision about deployment.

2. Prevent Automatic Navigation to Local Intranet Zone (Windows XP SP2, Windows Server 2003 SP1)
------------------------------------------------------------------------------------------------

This workaround will prevent internet content in Internet Explorer from automatically navigating to URLs within the Local Intranet Zone. This effectively prevents the introduction of malicious code to the local system via the network redirector. To implement this workaround, follow these steps:

1. In Internet Explorer's Tools menu, choose "Internet Options..."

2. Select the "Security" tab and choose "Local Intranet"

3. Click the "Custom Level" button

4. Set the "Web sites in less privileged content zone can navigate into this zone" setting to "Disable" or "Prompt".

5. Click OK to close any dialogs and optionally, close Internet Explorer.

IMPACT: This workaround will block or prompt before allowing any navigation to LAN resources from the Internet Zone. Direct access to LAN resources continues to function normally. As a result of this workaround, attempts to access local intranet content (for instance, web applications on corporate intranets) from web sites outside of the LAN will fail or produce prompts, depending upon the chosen setting.

3. Disable Active Scripting
---------------------------

This workaround will prevent internet content from executing script that could potentially cause the exploitation of this vulnerability. To implement this workaround, follow these steps:

1. In Internet Explorer's Tools menu, choose "Internet Options..."

2. Select the "Security" tab and choose "Internet"

3. Click the "Custom Level" button

4. Set the "Active scripting" option to "Prompt" or "Disable".

IMPACT: This workaround will block or prompt before allowing web sites to execute any script statement. Scripting in more-privileged zones (Local Intranet, Trusted Sites) continues to function normally. Setting this option to "Prompt" may cause a significant increase in the number of security prompts received while browsing and may be ineffective in closing this vulnerability for users not capable of making an assessment of a web site's relative trustworthiness.
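Workarounds 2 and 3 are both per-zone URL action settings that Internet Explorer stores in the registry, so they can be applied and verified from a script instead of through the dialogs. The following is an added example and is not part of the advisory or its workaround archive. It assumes the documented registry layout: zone 1 is Local intranet, zone 3 is Internet, action 2101 is "Web sites in less privileged web content zone can navigate into this zone", action 1400 is "Active scripting", and the values 0, 1 and 3 mean Enable, Prompt and Disable. It also assumes IE honours the per-user (HKCU) settings; if the Security_HKLM_only policy is in force, run it with -Hive HKLM from an elevated session.

```powershell
# Added example (not part of the advisory): applies workarounds 2 and 3 by writing
# the per-zone URL action values Internet Explorer reads from the registry, then
# reads them back so the change can be verified.
#
# Zones:   1 = Local intranet, 3 = Internet
# Actions: 2101 = "Web sites in less privileged web content zone can navigate into this zone"
#          1400 = "Active scripting"
# Values:  0 = Enable, 1 = Prompt, 3 = Disable
#
# Assumption: IE uses the per-user (HKCU) zone settings. If the Security_HKLM_only
# policy is enabled, IE reads HKLM instead; pass -Hive HKLM from an elevated session.

$ZoneBase     = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ActionValues = @{ Enable = 0; Prompt = 1; Disable = 3 }
$Workarounds  = @(
    @{ Zone = 1; Action = 2101; Setting = 'Disable'; Note = 'WA2: no navigation from lower zones into Local intranet' },
    @{ Zone = 3; Action = 1400; Setting = 'Prompt';  Note = 'WA3: prompt before running script from the Internet zone' }
)

function Set-IeZoneAction {
    param(
        [Parameter(Mandatory)][int]$Zone,
        [Parameter(Mandatory)][int]$Action,
        [Parameter(Mandatory)][ValidateSet('Enable','Prompt','Disable')][string]$Setting,
        [ValidateSet('HKCU','HKLM')][string]$Hive = 'HKCU'
    )
    $path = "${Hive}:\$ZoneBase\$Zone"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    # URL action values are DWORDs whose value name is the decimal action code
    New-ItemProperty -Path $path -Name "$Action" -PropertyType DWord `
        -Value $ActionValues[$Setting] -Force | Out-Null
}

function Get-IeZoneAction {
    param([int]$Zone, [int]$Action, [string]$Hive = 'HKCU')
    $path = "${Hive}:\$ZoneBase\$Zone"
    $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotSet' }            # zone default applies
    $prop = $item.PSObject.Properties["$Action"]
    if ($null -eq $prop) { return 'NotSet' }
    switch ($prop.Value) { 0 { 'Enable' } 1 { 'Prompt' } 3 { 'Disable' } default { "Unknown($_)" } }
}

function Invoke-DragDropWorkarounds {
    param([ValidateSet('HKCU','HKLM')][string]$Hive = 'HKCU')
    foreach ($w in $Workarounds) {
        Set-IeZoneAction -Zone $w.Zone -Action $w.Action -Setting $w.Setting -Hive $Hive
        [pscustomobject]@{
            Zone   = $w.Zone
            Action = $w.Action
            Wanted = $w.Setting
            Actual = Get-IeZoneAction -Zone $w.Zone -Action $w.Action -Hive $Hive
            Note   = $w.Note
        }
    }
}

Invoke-DragDropWorkarounds | Format-Table -AutoSize
```

The read-back matters: IE caches zone settings per process, so a mismatch between Wanted and Actual after a restart of the browser usually means a policy key under HKLM is overriding the per-user value.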

VI. MITIGATION RECOMMENDATIONS

1. Limit Viewing to Trusted Web Sites
-------------------------------------

In some situations, browsing can be successfully limited to only trustworthy sites without significant loss of productivity. Users should be extremely cautious while browsing unknown or untrusted web sites, as such web sites are often able to introduce hostile code.

2. Run Exposed Applications With Reduced Privilege
--------------------------------------------------

Users who log on interactively without the privileges of powerful groups such as the "Administrators" or "Power Users" groups are at a much lower risk of damage from successful exploitation of software vulnerabilities in client applications. This mitigation step greatly reduces the likelihood of a successful malware installation if this vulnerability is exploited.

VII. VENDOR RESPONSE

Microsoft was informed of this vulnerability on August 3, 2005. Currently, the company has no plans to issue a security update to correct this vulnerability. Fixes for this issue are scheduled to be included in Service Pack 2 of Windows Server 2003 and Service Pack 3 of Windows XP. Of particular note is that Windows 2000 users will *NOT* receive an update to correct this vulnerability.

Microsoft's internal risk-assessment concluded that this issue was not sufficiently serious to be fixed in a security bulletin. This conclusion appears fundamentally inconsistent with the way related issues were handled by Microsoft. In particular, the drag-and-drop vulnerability patched by MS05-013 received an "Important" rating.

I disagree with the technical conclusion behind Microsoft's decision and I further find the timeframe of delivery and deployment for maintenance releases to be largely unsuitable for security fixes of any significant magnitude. I find the harm this decision could potentially inflict upon down-level users (most importantly, users of Windows 2000) to be unjustified by the technical concern Microsoft has raised to me. Microsoft also rejected a request that it consider the issue for inclusion in a later security update as a "Moderate" risk issue.

Due to Microsoft's noncommittal and generally unimpressive response to the issue, this advisory is being issued to inform users of this vulnerability such that defensive action may be taken as desired.

VIII. REFERENCES/STANDARDS

* CVE

The MITRE Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2005-3240 to this issue. Status information and related references for this candidate may be found at:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3240

* OSVDB

The Open Source Vulnerability Database (OSVDB) project has assigned OSVDB vulnerability ID #2707 to this issue. Information will be available shortly after the publication of this advisory at the following URL:

http://www.osvdb.org/displayvuln.php?osvdb_id=2707

* SecurityTracker

SecurityTracker has pre-assigned an alert number in its internal database to reference this issue. Information will be available shortly after the publication of this advisory at the following URL:

http://www.securitytracker.com/id?1015049

* SecurityFocus

SecurityFocus has assigned BugTraq ID #16352 to reference this issue. Information is available at the following URL:

http://www.securityfocus.com/bid/16352

IX. ACKNOWLEDGEMENTS

* The Administrative Template file supplied in the workaround ZIP was authored by Steven Platt.

X. CONTACT

The author may be contacted via e-mail at mattmurphy AT kc.rr.com

XI. LEGAL

This document is believed accurate based upon information available at the time it was written. However, the information offered is offered in an AS-IS condition, without warranty. By acting upon this information in any way you accept all responsibility for damage that may occur as a result.

This document may be reproduced in whole without limitation and in part provided that a full copy of the original document is readily accessible and the author of the document is duly acknowledged.


Thursday, April 12, 2007

Microsoft Agent URL Parsing Memory Corruption Vulnerability - agentdpv.dll

Secunia Advisory: SA22896
Release Date: 2007-04-10
Last Update: 2007-04-11


Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch


OS:
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional




CVE reference: CVE-2007-1205

Description:
Secunia Research has discovered a vulnerability in Microsoft Windows, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an error in Microsoft Agent (agentdpv.dll) when processing specially crafted URLs passed as arguments to certain methods.

Successful exploitation allows execution of arbitrary code when a user e.g. visits a malicious website with Internet Explorer.

Solution:
Apply patches.

Windows XP (requires SP2):
http://www.microsoft.com/downloads/details.aspx?FamilyId=e16ededa-6e8c-40d6-a3c0-d61362411acc

Windows XP Professional x64 Edition (optionally with SP2):
http://www.microsoft.com/downloads/details.aspx?FamilyId=23909036-898f-41af-a3de-4a899a15d25d


Credits: discovered by JJ Reyes and Carsten Eiram, Secunia Research.

Changelog:
2007-04-11: Added link to US-CERT.

Original Advisory:
MS07-020 (KB932168):
http://www.microsoft.com/technet/security/Bulletin/MS07-020.mspx

Secunia Research:
http://secunia.com/secunia_research/2006-74/

Other References:
US-CERT VU#728057:
http://www.kb.cert.org/vuls/id/728057


Monday, April 9, 2007

Email-Worm:W32/Zhelatin.CQ

Name : Email-Worm:W32/Zhelatin.CQ
Alias: Email-Worm.Win32.Zhelatin.cq
Type: E-Mail Worm, Rootkit
Category: Malware
Platform: Microsoft Windows Win32
Date of Discovery: April 08, 2007
Radar Alert Level 2


Summary
The Zhelatin.CQ worm started to spread very late on April 8th, 2007. The worm spreads in e-mails with war-related subjects as an attachment named 'video.exe', 'movie.exe', 'click me.exe' and so on. The worm creates its own peer-to-peer network.

Detailed Description
After the worm's file is started by a user, it drops a randomly named file into the same folder where it was started from and runs it. This file installs a rootkit and p2p (peer-to-peer) component into the Windows System folder. The file name is wincom32.sys. The following startup key is created in the Registry for the dropped file:

[HKLM\System\ControlSet001\Services\wincom32]
@ = "%WinSysDir%\wincom32.sys"

The installed component has rootkit features: it hides its Registry keys and active process so that an anti-rootkit engine is needed to reveal them. In addition this component drops a text file named wincom32.ini into the Windows System folder. This file contains a list of clients for the worm's peer-to-peer network. The peer names and access ports are encoded. Here's an example of the file's contents:

[counter]
Counter=0
[peers]
003964D3640550573F800125725481EF=5326859A123900
004982069E5DB75721B54CFF33A26170=5955FC93123900
00A1836AE91D076BC265F9735204714F=451AAE831EBF00

The dropped file also contains a blacklist area, which was empty at the time of analysis. The worm decodes the clients' addresses and access ports and connects itself to the peer-to-peer network. A significant number of UDP connections can be observed while the worm is trying to reach its p2p peers.

At the same time, the worm's copy that stays in memory starts its spreading cycle. It creates a mutex named klllekkdkkd and scans files on local hard disks for victims' e-mail addresses. The worm ignores e-mail addresses that contain any of the following substrings:

microsoft
.gov
.mil

Then the worm starts to spread in e-mails. It sends messages with the following subjects to all found e-mail addresses:

USA Declares War on Iran
USA Missle Strike: Iran War just have started
Missle Strike: The USA kills more then 20000 Iranian citizens
Missle Strike: The USA kills more then 1000 Iranian citizens
Missle Strike: The USA kills more then 10000 Iranian citizens
Israel Just Have Started World War III
USA Just Have Started World War III
Iran Just Have Started World War III

As you see, the subjects are war-related, so it's a good social engineering trick. The worm always attaches itself to the e-mails that it sends out. The attachment names can be any of the following:

More.exe
Read More.exe
Click Here.exe
Click Me.exe
Read Me.exe
Movie.exe
News.exe
Video.exe

When a recipient of such e-mail opens the attachment, his/her computer becomes infected and the worm continues its spreading cycle.
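The subject and attachment lists above are the indicators a mail gateway can act on. The following is an added example, not part of the F-Secure description, that applies them to a set of messages: a subject from the worm's list combined with an attachment name from its list is treated as the worm, while either indicator alone is only flagged for review. The sample messages at the end are constructed for the demonstration.

```powershell
# Added example (not from the F-Secure write-up): a mail-gateway style check that
# flags messages carrying the Zhelatin.CQ lure - a subject from the worm's list
# combined with an executable attachment from its list. The messages at the end
# are constructed for this demonstration.

$ZhelatinSubjects = @(
    'USA Declares War on Iran',
    'USA Missle Strike: Iran War just have started',
    'Missle Strike: The USA kills more then 20000 Iranian citizens',
    'Missle Strike: The USA kills more then 1000 Iranian citizens',
    'Missle Strike: The USA kills more then 10000 Iranian citizens',
    'Israel Just Have Started World War III',
    'USA Just Have Started World War III',
    'Iran Just Have Started World War III'
)
$ZhelatinAttachments = @(
    'More.exe', 'Read More.exe', 'Click Here.exe', 'Click Me.exe',
    'Read Me.exe', 'Movie.exe', 'News.exe', 'Video.exe'
)

function Test-ZhelatinCQLure {
    param(
        [Parameter(Mandatory)][string]$Subject,
        [string[]]$Attachments = @()
    )
    # Strip reply/forward prefixes so "Re: <lure>" still matches; -in is case-insensitive
    $normalised = ($Subject -replace '^\s*((re|fw|fwd)\s*:\s*)+', '').Trim()
    $subjectHit = $normalised -in $ZhelatinSubjects

    $knownNames = @(); $otherExes = @()
    foreach ($a in $Attachments) {
        $name = [System.IO.Path]::GetFileName($a)       # compare the file name only
        if ($name -in $ZhelatinAttachments) { $knownNames += $name }
        elseif ($name -match '\.exe$')       { $otherExes  += $name }
    }

    # Both indicators together is the worm; one alone is only suspicious
    $verdict = if ($subjectHit -and $knownNames.Count -gt 0) { 'Block' }
               elseif ($subjectHit -or $knownNames.Count -gt 0) { 'Review' }
               else { 'Allow' }

    [pscustomobject]@{
        Subject      = $Subject
        Verdict      = $verdict
        SubjectMatch = $subjectHit
        KnownNames   = ($knownNames -join ', ')
        OtherExes    = ($otherExes -join ', ')
    }
}

# Constructed sample messages (not real captures)
$samples = @(
    @{ Subject = 'USA Declares War on Iran';     Attachments = @('Video.exe') },        # Block
    @{ Subject = 'Re: USA Declares War on Iran'; Attachments = @() },                   # Review
    @{ Subject = 'Q2 budget';                    Attachments = @('docs/Click Me.exe') }, # Review
    @{ Subject = 'Q2 budget';                    Attachments = @('budget.xls') }         # Allow
)
$samples | ForEach-Object { Test-ZhelatinCQLure -Subject $_.Subject -Attachments $_.Attachments } |
    Format-Table -AutoSize
```

The subject match is deliberately exact after prefix stripping: the worm reuses its subjects verbatim, and a looser keyword match on "Iran" or "World War" would catch legitimate news mail. Attachment names are compared case-insensitively on the file name alone, so a nested path or a capitalisation change does not evade the check.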

The worm has a payload. It kills processes if they have the following substrings in their names:

mcafee
taskmgr
hijack
f-pro
lockdown
msconfig
firewall
blackice
avg
vsmon
zonea
spybot
nod32
reged
rav
nav
avp
troja
viru
anti


Sunday, April 8, 2007

Symantec Enterprise Security Manager Remote Upgrade Missing Authentication

Secunia Advisory: SA24767
Release Date: 2007-04-06


Critical:
Moderately critical
Impact: System access
Where: From local network
Solution Status: Vendor Patch


Software: Symantec Enterprise Security Manager 5.x , Symantec Enterprise Security Manager 6.x

Description:
A vulnerability has been reported in Symantec Enterprise Security Manager (ESM), which can be exploited by malicious people to compromise a vulnerable system.

The problem is that the ESM agent remote upgrade interface does not authenticate the source of remote upgrade requests. This can be exploited to e.g. deploy a malicious program to a vulnerable system via a specially crafted ESM remote upgrade request.

All versions of ESM are reportedly affected, with the exception of ESM agents running on the following platforms since they do not support remote upgrade:
* NetWare 6.0
* NetWare 6.5
* OS/400 V5R2
* OS/400 V5R3
* OpenVMS AXP 7.2
* OpenVMS AXP 7.3

Solution:
Apply patches.
http://securityresponse.symantec.com/avcenter/security/Content/2007.04.05b.html

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
Symantec:
http://securityresponse.symantec.com/avcenter/security/Content/2007.04.05d.html


Kaspersky AntiVirus Engine ARJ Archive Parsing Heap Overflow Vulnerability

April 5, 2007

CVE ID:
CVE-2007-0445

Affected Vendor:
Kaspersky

Affected Products:
Anti-Virus 6.0
Internet Security 6.0
Anti-Virus for Workstation
File Server version 6.0

Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on systems with affected installations of the Kaspersky Anti-Virus Engine. User interaction is not required to exploit this vulnerability.

The specific flaw exists in the engine's handling of the ARJ archive format. The Kaspersky engine copies data from scanned archives into an unchecked heap-based buffer. This results in heap corruption when a malformed ARJ archive is processed by an application that utilizes the engine. This corruption can be exploited to execute arbitrary code.

Vendor Response:
Kaspersky has issued an update to correct this vulnerability. More details can be found at:

http://www.kaspersky.com/technews?id=203038693
http://www.kaspersky.com/technews?id=203038694

Disclosure Timeline:
2006.11.09 - Vulnerability reported to vendor
2006.12.12 - Digital Vaccine released to TippingPoint customers
2007.04.05 - Coordinated public release of advisory


Credit:
This vulnerability was discovered by an anonymous researcher.

About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:

www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. 3Com does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.


Kaspersky AntiVirus SysInfo ActiveX Control Information Disclosure Vulnerability

I. BACKGROUND

Kaspersky AntiVirus offers comprehensive protection from computer viruses and malware threats. More information can be found on the vendors site at the following URL.
http://usa.kaspersky-labs.com/products/anti-virus.php

II. DESCRIPTION

Remote exploitation of an information disclosure vulnerability in Kaspersky AntiVirus 6 could allow malicious websites to steal files off of a user's machine.

The vulnerability specifically lies within the following ActiveX control:
ProgID: KL.SysInfo
Clsid: BA61606B-258C-4021-AD27-E07A3F3B91DB
File: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\AxKLSysInfo.dll
Version: 5.0.5.0

This control includes a method called "StartUploading" which allows malicious web scripts to perform an anonymous FTP transfer of any file they specify off of the victim's machine.

III. ANALYSIS

Exploitation of this vulnerability allows attackers to steal files from a victim's computer.

This vulnerability can be triggered by a malicious website. Users would be required to have a vulnerable version of the target software installed and be lured to a malicious site.

No dialogs, warnings or user action is required to perform the transfer.

IV. DETECTION
iDefense has confirmed the existence of this vulnerability in version 6.0 of Kaspersky AntiVirus.

V. WORKAROUND
Setting the kill-bit for the target ActiveX control will prevent exploitation via Internet Explorer.
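Both this workaround and workaround 1 of the Internet Explorer drag-and-drop advisory above come down to the same registry change: the kill bit described in Microsoft Knowledge Base Article 240797. The following is an added example, not code from either advisory or vendor, that sets and verifies the kill bit for the two controls this page names by CLSID, Shell.Explorer ({8856F961-340A-11D0-A96B-00C04FD705A2}) and KL.SysInfo (BA61606B-258C-4021-AD27-E07A3F3B91DB). It assumes the KB 240797 layout (a DWORD "Compatibility Flags" with bit 0x400 set under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}) and, on 64-bit Windows, that 32-bit Internet Explorer reads the Wow6432Node copy of that key, so both are written. It must run from an elevated session.

```powershell
# Added example (not from either advisory): sets the Internet Explorer kill bit for
# an ActiveX control as described in Microsoft KB 240797, and reads it back.
# The kill bit is bit 0x400 of the DWORD "Compatibility Flags" under
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# Assumption: on 64-bit Windows, 32-bit IE reads the Wow6432Node copy, so both
# locations are written when present. Requires an elevated (Administrator) session.

$KillBit     = 0x400
$CompatPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Format-Clsid {
    param([Parameter(Mandatory)][string]$Clsid)
    $g = [guid]$Clsid                       # accepts the CLSID with or without braces; throws on garbage
    '{' + $g.ToString().ToUpper() + '}'     # registry key name uses the braced form
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Format-Clsid $Clsid
    foreach ($base in $CompatPaths) {
        if (-not (Test-Path $base)) { continue }   # Wow6432Node is absent on 32-bit Windows
        $path = Join-Path $base $key
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        $existing = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' `
                        -ErrorAction SilentlyContinue).'Compatibility Flags'
        # OR the kill bit in so any other compatibility flags already set are preserved
        $flags = if ($null -ne $existing) { $existing -bor $KillBit } else { $KillBit }
        New-ItemProperty -Path $path -Name 'Compatibility Flags' -PropertyType DWord `
            -Value $flags -Force | Out-Null
    }
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Format-Clsid $Clsid
    foreach ($base in $CompatPaths) {
        if (-not (Test-Path $base)) { continue }
        $flags = (Get-ItemProperty -Path (Join-Path $base $key) -Name 'Compatibility Flags' `
                     -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $flags -or -not ($flags -band $KillBit)) { return $false }
    }
    return $true
}

# The two controls this page identifies by CLSID
$Controls = [ordered]@{
    'Shell.Explorer (rich folder view; IE drag-and-drop advisory)' = '{8856F961-340A-11D0-A96B-00C04FD705A2}'
    'KL.SysInfo (Kaspersky AxKLSysInfo.dll)'                      = 'BA61606B-258C-4021-AD27-E07A3F3B91DB'
}
foreach ($entry in $Controls.GetEnumerator()) {
    Set-ActiveXKillBit -Clsid $entry.Value
    '{0}: kill bit set = {1}' -f $entry.Key, (Test-ActiveXKillBit -Clsid $entry.Value)
}
```

Killing KL.SysInfo costs nothing a browser needs; killing Shell.Explorer has the functionality impact the drag-and-drop advisory describes (no folder views for local, network, FTP or web folders in Internet Explorer), so test that one before deploying it. The same function applies to any other control whose CLSID is known, but this page does not give CLSIDs for the Microsoft Agent or Yahoo! AudioConf controls.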

VI. VENDOR RESPONSE
Kaspersky has addressed this vulnerability by removing the vulnerable libraries upon installation of Maintenance Pack 2. More information is available from the vendor's advisory at the following URL.

http://www.kaspersky.com/technews?id=203038694

VII. CVE INFORMATION
A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.

VIII. DISCLOSURE TIMELINE

12/12/2006 Initial vendor notification
12/12/2006 Initial vendor response
04/04/2007 Coordinated public disclosure

IX. CREDIT
This vulnerability was reported to iDefense by Peter Vreugdenhil.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/


X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense.


Thursday, April 5, 2007

Yahoo! Messenger AudioConf ActiveX Control Buffer Overflow

Secunia Advisory: SA24742
Release Date: 2007-04-04

Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch

Software: Yahoo! Messenger 5.x, Yahoo! Messenger 6.x, Yahoo! Messenger 7.x, Yahoo! Messenger 8.x
CVE reference: CVE-2007-1680

Description:
A vulnerability has been reported in Yahoo! Messenger, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused by a boundary error within the AudioConf ActiveX control (yacscom.dll) component of Yahoo! Messenger. This can be exploited to cause a stack-based buffer overflow by setting the "socksHostname" and "hostName" properties to an overly large string and then calling the "createAndJoinConference()" method.

Successful exploitation allows execution of arbitrary code when a user visits a malicious web site.

The vulnerability is reported in version 8.x. Other versions may also be affected.

Solution: Update to the latest version.
http://messenger.yahoo.com


Monday, April 2, 2007

Infostealer.Banker.C

Risk Level 1: Very Low

SUMMARY
Discovered: April 2, 2007
Updated: April 2, 2007 9:02:00 AM
Type: Trojan
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Infostealer.Banker.C is a Trojan horse that may steal sensitive information from the compromised computer.

Threat Assessment
  Wild
    Wild Level: Low
    Number of Infections: 0 - 49
    Number of Sites: 0 - 2
    Geographical Distribution: Low
    Threat Containment: Easy
    Removal: Easy
  Damage
    Damage Level: Medium
    Payload: May steal sensitive information from the compromised computer.
  Distribution
    Distribution Level: Low

Writeup By: Elia Florio


Sunday, April 1, 2007

Keyloggers: How they work and how to detect them

Mar 29 2007
Nikolay Grebennikov

'Keyloggers, phishing and social engineering are currently the main methods being used in cyber fraud.'

In February 2005, Joe Lopez, a businessman from Florida, filed a suit against Bank of America after unknown hackers stole $90,000 from his Bank of America account. The money had been transferred to Latvia.

An investigation showed that Mr. Lopez’s computer was infected with a malicious program, Backdoor.Coreflood, which records every keystroke and sends this information to malicious users via the Internet. This is how the hackers got hold of Joe Lopez’s user name and password, since Mr. Lopez often used the Internet to manage his Bank of America account.

However, the court did not rule in favor of the plaintiff, saying that Mr. Lopez had neglected to take basic precautions when managing his bank account on the Internet: a signature for the malicious code found on his system had been added to nearly all antivirus product databases back in 2003.

Joe Lopez’s losses were caused by a combination of overall carelessness and an ordinary keylogging program.

Full article here


W32/Poebot-KN Spyware Worm

W32/Poebot-KN

Type: Spyware Worm
How it spreads: Network shares
Affected operating systems: Windows
Side effects: Allows others to access the computer; Steals information; Downloads code from the internet; Installs itself in the Registry; Exploits system or software vulnerabilities

W32/Poebot-KN is a worm for the Windows platform.

W32/Poebot-KN spreads through network shares protected by weak passwords and by exploiting common vulnerabilities including:

LSASS (MS04-011)
SRVSVC (MS06-040)
RPC-DCOM (MS04-012)
WKS (MS03-049)
Dameware (CAN-2003-1030)
PNP (MS05-039)

W32/Poebot-KN runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

When first run W32/Poebot-KN copies itself to \spooIsv.exe.

The following registry entry is created to run spooIsv.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Spooler SubSystem App
\spooIsv.exe
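A check for the persistence entry described above, as an added PowerShell example that is not part of the Sophos writeup: it walks the common Run keys and reports any value that uses the writeup's value name or launches a spooler-look-alike executable (the worm's file name puts a capital I where spoolsv.exe has an l). The key list and the "spooler never runs from a Run key" reasoning are this example's assumptions, not the writeup's.

```powershell
# Added example (not from the writeup): flag Run entries matching W32/Poebot-KN's
# persistence. The real print spooler is started as a service, never from a Run
# key, so any Run entry with a spooler-like executable name deserves inspection.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Find-SpoolerLookalikeRunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata that Get-ItemProperty adds.
            if ($prop.Name -like 'PS*') { continue }
            $name    = $prop.Name
            $data    = [string]$prop.Value
            $reasons = @()
            # Exact value name used by the worm, per the writeup.
            if ($name -eq 'Spooler SubSystem App') { $reasons += 'value name matches W32/Poebot-KN' }
            # spooIsv.exe (capital I) or a genuine-looking spoolsv.exe run from a Run key.
            if ($data -match '(?i)spoo[il]sv\.exe') { $reasons += 'spooler-like executable in Run key' }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Key    = $key
                    Name   = $name
                    Data   = $data
                    Reason = ($reasons -join '; ')
                }
            }
        }
    }
}

Find-SpoolerLookalikeRunEntries | Format-Table -AutoSize
```

A hit is an indicator to investigate, not proof of infection; confirm with the file's location, hash and signature before removing the entry.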
