Saturday, March 31, 2007

Windows Animated Cursor Handling vulnerability could give problems!

Microsoft has released advisory 935423 regarding a vulnerability in Windows Animated Cursor Handling. A bug in the way Windows renders animated cursor files can allow execution of arbitrary code under the privileges of the user that downloaded the malicious file. CVE-2007-0038 (previously also CVE-2007-1765) has been assigned to this vulnerability. Affected are Win2k, XP, Server 2003 and Vista (UPDATED). While Animated cursors are usually downloaded as .ani files, blocking these files is not sufficient to mitigate the vulnerability. I have received confirmation of this vulnerability being exploited in the wild using files renamed to jpeg. McAfee has a nice blog entry up on this. They also have a second blog entry with a video showing windows explorer crashing in a loop on windows vista when dropping a malicious animated cursor on the desktop. Trend Micro is reporting here on malicious . ANI files and related links being spread over the web and through e-mail that attempt to download a trojan executable WINCF.EXE. Also F-Secure is reporting on this at their weblog.
What can you do:
Microsoft is reporting that users of Internet Explorer 7 with Protection Mode are protected from active exploitation. E-mails opened in plaintext will not show embedded ANI files. Note that HTML attachments can still be interpreted when separately clicked upon. Anti-virus detection is improving now, with F-Secure, CA, Kaspersky, Trend, Sophos, McAfee and Microsoft detecting malicious ANI files. One specific file was also discovered by a product triggering on a signature written for MS05-002, a similar vulnerability from 2005. This will not apply to most exploits in the wild.
Microsoft has also now confirmed that:
Outlook 2007 users are protected (as the tool uses Word to display HTML messages);
Users of Windows Mail on Vista are protected if they do not forward or reply to malicious e-mail; Outlook Express users remain vulnerable even when reading e-mail as plaintext.
Eeye has released an unofficial patch that you may wish to consider as well .
It was a little bit too quiet these days wasn't it ... well I'm preparing myself something new ... stay tuned! ;-)

Thursday, March 22, 2007

Dutch attack at ABN-AMRO bank customers.

This morning I was informed about a massive malware run in the Netherlands. The emails were purportedly sent by the Dutch ABN-AMRO bank. Phishing attacks on users of Dutch banks are relatively rare. I’ve only seen basic phishing runs which try and persuade the user to clink on a link. However this morning an email in Dutch was sent out, claiming to be from a Dutch bank, and containing an online banking Trojan. Although the Dutch was not perfect, it didn’t contain the multiple errors which often characterize malicious mass mailings. The email claims that a serious error has been found and that the bank will upgrade to SSL3 tomorrow and that users will need to install the attached patch if they still want to use the Bank's online services. There is speculation that this bank was targeted because of a possible upcoming merger. It certainly wouldn’t be the first time that cyber criminals exploited events publicized in the media for their own ends.

Infosecurity has ended as well and was interesting as always. I got a full room for my panel debate and that at 10 o'clock in the morning with a lot of traffic jams around the venue! Nice!

Monday, March 19, 2007

Infosecurity Belgium 2007, me and 'NOXS Expert News'.

I'm terribly busy these days ... running around and following some courses, passing some exams and looking into new products. I'm even following a training this week however I will skip Wednesday as I will be present at Infosecurity Belgium 2007 for the opening DataNews debate: "Security in 2007: new threats, better weapons." I will be available afterwards for the whole day at the NOXS booth. And oh yes, I started as well another Blog ... well it's not a Blog yet: it's called 'Expert News' and you can find it at the Homepage of www.be.noxs.com . I'll hope you like it!

MySpace problems with QuickTime.

With the sophistication of attacks used by malware these days on the rise, the bad guys are continuously looking for newer infection vectors. Every new attack is tailored to the attacker’s needs in terms of choosing who the targets will be, the social engineering techniques employed to lure the victim and as well as which exploit would be used. And the latest target is unsuspecting fans of the French rock band MAMASAID who upon visiting a MySpace account promoting the music group get a trojan JS/SpaceStalk installed on their computers via a known insecure feature in QuickTime called HREF Tracks. The technique used here does not rely on vulnerability but rather on a feature present in the QuickTime player that allows for links to be opened automatically when the movie is run. This link could be misused to point to malicious websites hosting exploit code. A detailed view of the rigged QuickTime file shows that it will automatically execute JavaScript script hosted on an external website when the movie is played. Once executed it transmits personal information of the visiting MySpace user to the attacker. As the website being communicated is normally controlled by the malware author, any script being downloaded and executed can be remotely modified and the behavior of these new scripts altered to perform further malicious actions. Very few people hesitate to view a movie file. And given that QuickTime is a popular application used on the web, the return on investment for malware authors make it an attractive target using it as an infection vector. At this moment it seems that the latest Quicktime doesn't have this feature anymore!

Thursday, March 15, 2007

Another MS VISTA and IE 7 related problem.

An attacker can use an error message displayed by the latest Microsoft browser IE 7 to send Web surfers to malicious Web sites that will display with the address of a trusted site, such as a bank, Aviv Raff, a developer in Israel, wrote on his Web site. Raff included an example where the error message directs the Web surfer to a site of his choice. Microsoft is looking into the issue at this moment. The vulnerability relates to the message IE displays when Web page loading is aborted, Raff wrote. An attacker can rig the message by creating a malicious link. The message will offer a link to retry loading the page; hitting it, brings up the attacker's page, but showing an arbitrary Web address. To launch a phishing attack, an attacker can create a Web link that purports to go to a trusted site, such as a bank. When clicked, the link results in a rigged error page. Following the reload link on that page will display the attacker's Web site with the address of the trusted site in the IE 7 address bar. Phishing attacks are a prevalent Internet threat that typically use fraudulent Web sites and spam e-mail to trick people into giving up personal information such as Social Security numbers and credit card details. IE 7 on Windows Vista and Windows XP are affected.

Wednesday, March 07, 2007

Happy Birthday Michelangelo (15 years old yesterday).

It seems like only yesterday the media was in a frenzy about the end of the world due to some computer virus or another, actually it was last week when some media organisations ran a story about the Rinbot worm. Rinbot is nothing special, like many worms these days it exploit a known vulnerability or two in order to propagate and generally go about it’s thing. It just so happens it uses a patched vulnerability in Symantec products as one of the three vulnerabilities it exploits. Symantec themselves only rate Rinbot as a low risk piece of malware, so what did it do to deserve this hype. Probably nothing, it seems Thursday and Friday where slow news days. But has anything really changed in the last 15 years, well actually not really. Back in March 1992 the media was in a frenzy again, this time about a 'super bug' called Michelangelo. The press at the time hyped this simple boot sector virus in to something like the end of the world. The virus was set to trigger on March 6th, the birth date of it’s name sake, at which point it would proceed to overwrite sections of the hard disk with nulls. The press and experts ran with the premise that thousands, if not hundreds of thousands of machines had been infected with the virus. In reality the number probably was more like hundreds, and after the event reported losses as a result of the virus where limited. At the time it was claimed the virus could lay dormant for years, but as we all know now this was plainly not the case.

I have been feeling a little bit sick the last 5 days, recovering from the flu. Tomorrow I will be back in the office and possible try to see what will happen with the EICAR conference this year as it appears to me that the EICAR-conference was attacked by the flu as well and possibly will be cancelled this year. I will post more if I have more details about this bad situation.

Tuesday, March 06, 2007

XBOX 360 also Vulnerable!

It was only a matter of time until someone discovered an interesting vulnerability in the Xbox 360... Well, the designers of the Xbox 360 went to extreme lengths to try to make it "unhackable" and chose a special hypervisor design in which, unlike previous generations of gaming consoles, games no longer take over the system. Together with a method to inject data into non-privileged memory areas, this vulnerability allows an attacker with physical access to an Xbox 360 to run arbitrary code such as alternative operating systems with full privileges and full hardware access. As a matter of fact if you read the actual description you will notice that it is a subtle bug with one instruction in the validation path only looking at 32 bits of a 64-bit register with a subsequent instruction acting on all 64 bits. Now for the good news: this has been patched since January 7th 2007. But still ... this could be the beginning of course. Can an Internet-connected games console be an interesting addition to the available systems for a botnet or a virus? Well there are many parameters to the game. On the one side you have low-latency high-speed lines favoured by gamers but on the other side you have a totally new operating system which you have to develop for, not to mention the connection time of these systems. What are the chances of a games console being left on a whole day compared to a home PC on a high-speed line? So is it worth to develop a new engine and a virus to go after the Xbox 360's? Probably not yet because there are still plenty of Windows systems which will do just fine. However with more and more devices connected to the internet with a browser like the Nintendo Wii game console, it's just a matter of time in my opinion. When you can browse the internet or have some kind of access to email the problems will follow automatically. You can take my word for it. And oh yes ... Microsoft doesn't describe the Xbox update as a security fix. Instead, on its Web site it lists an "operating system update" for download, without stating what the update does.

Thursday, March 01, 2007

Julie Amero Trial: A US Joke?

The conviction of substitute teacher Julie Amero has led to no small amount of heated debate in technology and anti-malware forums. On January 5, 2007, Amero was found guilty of four counts of "Risk of Injury to a Child, in violation of Connecticut General Statute 53-21(a)(1). The charges stemmed from Amero's actions regarding a computer which was serving up pornographic images in the classroom. Proponents of Amero claim she was the victim of adware and that the trial itself is a case of conspiracy. But under Connecticut law, the cause - i.e. the alleged presence of adware - is a moot point and it was Amero's failure to protect the children that led to conviction. Central to the due diligence question is why Amero did not simply turn off the computer. The transcripts show that at some point in her substitute teacher training - far previous to the day in question - Amero was instructed "not to touch anything in the teacher's classroom without permission". Later in the testimony, Amero indicates she did ask for permission to use the computer on the day in question. And she testified that she continued to use that computer constantly throughout that same day. But when asked why she didn't pull the plug to stop the porn-storm, Amero states "I did not pull the plug because I was taught never to touch anything in the teacher's classroom." Amero also left the door to the classroom open, and left the classroom unattended for lunch and breaks while the computer continued to dish up porn sites. Asked if she was concerned a child might look in and see the porn, she said 'yes'. Asked if she considered closing the door, she said 'no'. Amero wasn't exactly forthcoming about the nature of the problem either. A witness for the defense testified that when Amero came into the teacher's lounge that morning, she asked for advice on how to stop pop-ups but didn't mention anything about the porn deluge. And the principal testified that just a just weeks prior to the offense, Amero had been warned about spending too much time Internet surfing and not enough time actively engaged teaching the class. The jurors in this case were not asked to decide how the porn got onto the computer - nor were they asked if they agreed with the possible penalties associated with a guilty verdict given the circumstances of this particular case. They were, however, explicitly asked to weigh the evidence presented and vote whether the defendent exercised due diligence in protecting the minors under her charge from material capable of impacting their morals. You may read the transcripts here.
This is what I call a typical US case. This case is completely impossible and possibly irrelevant in a European country and shows how some US laws could be interpreted if it comes to these kind of questions. My advise here is to become more open for such kind of things and try to handle this at the basic. I mean ... open a case against the adware writers who caused the real problem from the beginning. What a mistake... If you were on the jury, what would you have done?