Friday, October 31, 2008

POC binaries for MS08-067 seen...

The first Proof of Concept binaries that target the MS08-067 vulnerability have been seen. The payload's function is to add the guest account to the administrators group, thus allowing unlimited access to the machine. Let's keep an eye on it ...

EstDomains is not dead yet ...

The EstDomains story continues. ICANN received a response from EstDomains, and the termination has been stayed.
You can read the details here.
What a good lawyer can do these days isn't it?
What could I say ..., 'postponing of execution' ... I hope.

Thursday, October 30, 2008

EstDomains is dead ...

EstDomains is a domain registrar operating from Estonia. They've been the largest registrar used by online criminals for their domain name registration needs. ICANN has pulled the plug on EstDomains, and is removing EstDomains from the list of ICANN-accredited registrars. Most of us first ran into EstDomains in 2005, when investigating the infamous WMF vulnerability. Initially the main site distributing malicious WMF files,, was registered via this new Estonian registrar.
Since then, tens of thousands of malicious domains have been registered with EstDomains. These include drive-by-download sites, botnet command-and-control servers, spammed domains and so on.

So this is really good news but it took a long time for ICANN to do this.
Nevertheless ... thank you ICANN.
You can read more at the Blogs from F-Secure and McAfee.

MS08-067 vulnerability could hit us hard if we don't patch.

Apply the patch referred to in MS08-067 right away, because Trojan horses that take advantage of this security breach are sure to hit us soon. The vulnerability is similar to the hole that was used by the MSBlaster worm, which surfaced on the Internet in 2003. So don't let down your guard. Patch your PC if you haven't already done so, because this exploit is sure to be the focus of malware authors before long.
Since it's only a matter of time until such attacks become widespread, I urge you to reach out to other Windows users you know to ensure that they're protected from this vulnerability — once you've patched your own systems, that is. And oh yes, don't forget to reboot after the patch! A lot of users seems to forget this and this is really needed.

Wednesday, October 29, 2008

Clickjacking: A security problem for all browsers.

At the moment of writing most browsers are still susceptible to clickjacking, but you can take steps to reduce the risk. But what is Clickjacking really?

Clickjacking allows an attacker to use one or more of several new attack scenarios to literally steal your mouse clicks. When you think you're clicking on a simple button — for example, to see the next page of an article — you may actually be giving the bad guys permission to do something entirely different, such as log on to your online checking account.

By taking advantage of any of a growing number of recently discovered vulnerabilities in Microsoft's Internet Explorer, Mozilla's Firefox, Apple's Safari, and all other Web browsers, criminals can hijack your system by intercepting clicks of what appear to be legitimate links. The problem doesn't stop there, however. At least some of the flaws that make clickjacking possible also show up in such popular Web tools as Adobe's Flash player and Microsoft's Silverlight streaming-media plug-in. If they can control where your clicks are going, they may be able to get a user to reconfigure the system so they disable security.
In clickjacking, surreptitious buttons are "floated" behind the actual buttons that you see on a Web site. When you click the button, you're not triggering the function that you expected. Instead, the click is routed to the bad guy's substitute link.
Clickjacking isn't new. In fact, it dates back to at least 2002 or 2003.
What's new is the range of browser vulnerabilities that make clickjacking possible.
There are multiple variants of clickjacking. Some of it requires cross domain access, some doesn't. Some overlay entire pages over a page, some use iFrames to get you to click on one spot. Some require JavaScript, some don't. Some variants use CSRF [Cross-Site Request Forging] to pre-load data in forms, some don't. Clickjacking does not cover any one of these use cases, but rather all of them. This doesn't mean there are no protections, however. In fact, one of the most important steps that users can take to protect themselves is to enable JavaScript only for approved sites. Disabling JavaScript has serious drawbacks, because so much of the Web's interactivity is driven by JavaScript apps. And even browsing with JavaScript disabled will not protect against all possible avenues of attack. Most browsers are vulnerable.
Besides browsers, the bad guys can also exploit Web programs such as Adobe's Flash player. For instance, one proof-of-concept demonstration shows that a hacker can use the Flash player to take over a PC's webcam and microphone. Imagine the implications of stalkers eavesdropping on your laptop's built-in camera and mic. Clickjacking vulnerabilities don't stop there; attacks may also be launched via iFrames by using cross-site scripting techniques.So disabling browser plug-ins and scripting will help but is no panacea, given the threat's complexity.

Can you stay safe in a clickjacking internet connected world?

Browser and plug-in vendors have joined organizations in describing what you can do to stay safe. Adobe, the Mozilla Foundation and Microsoft has several webpages up describing several precautions or solutions. Even taking all these precautions doesn't guarantee that your system is 100% immune to the new threat. You'll need to become more conservative in visiting untrustworthy sites until the applications you use are made more secure.
While we're all waiting for vendors to patch their products and when in doubt, ask yourself whether your mother would approve of the site. However, even on sites where you could reasonably expect to be safe from such attacks, you can still be blindsided, so always think twice before you click.

However I stay optimistic. While the threat of attack may be high for the next three to six months, I expects more complete protections to become available within the same timeframe.

Friday, October 24, 2008

A problematic MS remote code execution vulnerability fixed, please update ASAP!

Yesterday Microsoft released a security update that fixes a remote code execution vulnerability in the Windows Server Service. This is a serious vulnerability and MS have seen targeted attacks using this vulnerability to compromise fully-patched Windows XP and Windows Server 2003 computers so MS have released the fix "out of band" (not on the regular Patch Tuesday). Due to the serious nature of the vulnerability and the threat landscape requiring an out-of-band release, you probably have questions about your own organization's risk level, what actions you can take to protect yourself, and why newer platforms are at reduced risk. We hope to answer those questions in this blog post.

Which platforms are at higher risk?

An unauthenticated attacker can trigger this vulnerability remotely for code execution on Windows Server 2000, Windows XP and Windows 2003. By default, Windows Vista and Windows Server 2008 require authentication. However, the attacker must be able to reach the RPC interface to exploit the vulnerability. In the default out-of-the-box scenario, the interface is not reachable due to the firewall enabled by default on Windows XP SP2, Windows Vista, and Windows Server 2008. Unfortunately, either one of the following two conditions exposes the RPC endpoint:

1) Firewall is disabled
2) Firewall is enabled but file/printer sharing is also enabled.

When File/Printer Sharing is enabled on Windows Vista and Windows Server 2008, the firewall only expose the RPC interface to the network type shared. For example, if a printer is shared on a network type ‘Private’, the firewall will block incoming RPC connections if the computer switches over to a network type ‘Public’. If you then choose to share the printer on the network type ‘Public’, Vista and Windows Server 2008 will prompt to ask if you really want to enable “File and Printer Sharing” for ALL public networks.

For more information about file/printer sharing, visit the following URLs:

- for Vista
- for XP

Most perimeter firewalls will block exploit attempts from outside your organization

If you are behind a perimeter firewall that filters inbound connections to TCP ports 139 and 445, you will not be reachable from the Internet. This is a common home user scenario. In this scenario, only the machines in your local LAN will have the ability to exploit this vulnerability.

How you can protect yourself

You should apply the security update as soon as you can. This is the best way you can protect yourself. While you are testing the update and preparing your deployment process, you may choose to use one or more of the workarounds listed in the security bulletin. ( )

Tuesday, October 21, 2008

Everyone could become a cyber-criminal? I'm not sure...

Or in Dutch 'Iedereen kan een cyber-crimineel worden' quoted out of the Standaard, a newspaper in Belgium.
You can find the article here.

Well this is my reaction to this article and I do not completely agree!
The problem lays in our mindset and as long as everybody is not thinking in the correct way we will face indeed a problem. It's something I already told the public back in 2004. The general public and children do not seem to know what computer security is. And it all goes back to what we teach our children and that's the real problem in my opinion. We don't teach children well these times. My research found out that some of them even find the idea of becoming a hacker or a virus writer ‘cool’. Although some families use parental control mechanisms to secure their home computer networks, many children know how to bypass these mechanisms. Generally, it seems that our children’s knowledge of ethical
computer behaviour and good ‘netiquette’ are a long way off target.

And it's not only children anymore these days. This article in 'De Standaard' is a perfect example 'unfortunately'! Was it really necessary to show the real problem to the public and go the press with it? Do you as a reader of this blog still know the line between good and bad on the internet? I doubt it.

A suggestion as to how we may begin to influence students and young people is by using societal control. An example of how this has worked in the past is with the issue of drink-driving. At one time, drinking and driving was a personal choice, but
as society witnessed some of the consequences of the combination of the two activities, we began to pass laws which restricted such behaviour. Initially there was some resistance to these laws – people saw them as an infringement on their rights. However, as the laws became more widely accepted, people began to refuse to drink and drive on the principle that it is ‘wrong’ to do so.
Policy makers and law makers are very aware of this form of societal control. However, they are less aware of the societal structure of ‘cyberspace’, and for this reason there is the danger that the laws they make will not create the desired ethical model, and conversely will create a backlash or revolutionary movement. By taking time to develop realistic policies and effective laws, it is possible we can
avoid such a reaction. The speed with which global electronic communication is
developing has brought with it an enormous benefit to all those fortunate enough to be able to exploit it. However, it has also brought opportunities to those who are willing to abuse it. The way in which it has introduced relative and absolute
anonymity for its users may encourage acts which would otherwise have appeared to be too risky to the perpetrator. Its very nature may encourage various kinds of anti-social activities, ranging from innocent pranks through serious malicious damage to data and individuals, and downright criminal fraud. As a result of the fact that many of its principle users are relatively young, or people who may be impressionable or unprincipled, an ethos has developed in the Internet
community, in which it is ‘cool’ to be an outlaw. Moreover, the inherent power embodied in being able to control the ‘system’ is potentially irresistible.
Resources that would enable us to emphasize and integrate ethical computing behaviour may provide a stabilizing influence. Our computing environments are very vulnerable regarding distribution of information – after all, it is what
they were designed to do. If we want to change people’s behaviour and reduce the
attractiveness of becoming a virus writer or hacker, we must start ethical computer education at a much earlier age. I think the way forward is to recognize the different factors introduced by computer technology – factors we have long
ignored. If we don’t, the technology may ultimately be self-destructive.
But that's not what you always read in the newspapers, isn't it? ;-)

Thursday, October 16, 2008

PiggyBacking is not allowed in Belgium.

During my visit to the Virus Bulletin conference 2008 2 weeks ago a man was arrested in Belgium for using someone else's unsecured Wifi connection to get on the Internet. (More details in Dutch available here).
The case is interesting because the only thing this guy did was use the connection to get onto the Internet - what we call Wifi "piggybacking," or logging on to someone's open 802.11b/g/n network without their knowledge or permission. And quite a lot fo countries (such as the UK and Belgium) have laws making this illegal. Stealing Wifi Internet access may feel like a victimless crime, but it's wrong nonetheless. You could be depriving ISPs of revenue. Furthermore if you've hopped onto your next door neighbors' wireless broadband connection to illegally download movies and music from the Internet, chances are that you are also slowing down their Internet access and impacting on their download limit. From a security point of view, if someone can access your network, they can misuse that network, and (potentially) the computers on it. And Belgian law enforcement want to make an example of the man arrested last week. So to stay on the right side of the law, do yourself a favour: don't go using anyone else's network without permission. And make sure that your network and router are secured - you may be ethical, but that doesn't mean that everyone else is.

If you want to read more about this, please read also my posting from 10 October at the weblog from Kaspersky Lab.

Friday, October 10, 2008

Eugene Kaspersky and David Perry working for ESET?

Of course they are not! This is just one of the many pictures I've taken during the Virus Bulletin Conference 2008 in Ottawa. It was my 13the VB in a row! And again everybody was overloaded with good presentations ranging from the definition of Cybercrime via Russian spam and botnets to phishing related to the recent worldwide 'bank-problem'. You always can find an interesting subject and if you didn't the networking possibilities are nearly endless. Kaspersky Lab, the company I am working for, was present with 3 speakers and a large team of delegates.

You can see my colleagues Costin Raiu, Roel Schouwenberg and me in the second picture.

You can find my pictures from VB 2008 at this link.
You can even find older pictures from some older events as well over there.

I also put up a movie from the event online at my iTunes and YouTube Channels:

And there are Kaspersky Lab (Internet Security Suite 2009) prices for the first 5 correct answers...