Archive for July, 2008

CbEvtSvc.exe Is Not Flash

Thursday, July 31st, 2008

We are researching a couple of highly prevalent pieces of malware, and may be drawing some links between the two.

Thousands of websites have been compromised and are spreading phony “get_flash_update.exe” files via a “showvideo.html” page titled “Watch Free Movie”. But you won’t be watching “Out of Africa” once this malware gets dropped on your system. Instead of updating Flash, this executable delivers months-old malicious functionality: it drops “CbEvtSvc.exe” into the system directory and runs the trojan from there. Exploit pages that we’ve examined also deliver files with static names like “wXtwRzv.exe” and the slightly more camouflaged “C:/Documents and Settings/All Users/Start Menu/Programs/Startup/smss.exe”.

Here is a list of Google results for a search on showvideo.html. You’ll see over one thousand hits (a German news agency reports 20,000 customers at one ISP affected). The compromised sites that we have evaluated in the lab appear to be located mostly in Europe, but they are scattered. They all host the same executables, images, HTML and JavaScript exploit pages. DO NOT VISIT THESE LINKS. They will redirect to a 1.html exploit page containing multiple canned exploits that we are analyzing:

Clicking on one of these links takes the user to a malicious site presenting a page with an apparently persuasive social engineering scheme, enticing the user to run a Flash update over a blank video mockup. A popup appears with “Flash player: Incorrect version”:


When the user attempts to close the dialog box in front of them, the page takes another stab at prompting the user to run the install (statistics are probably in the bad guys’ favor here):

This sort of blended threat attack is somewhat like the Storm sites of last year, where the administrators of the malicious content attempt to con the user into manually running the malware if their drive-by exploits from 1.html fail in the browser background. The Storm themes varied a bit more and were more creative than this one. So far, we’ve seen the following vulnerabilities targeted by canned exploits on these sites:
Old reliable MS06-014 MDAC vulnerability (nothing new here)
The fresh new Microsoft Office Snapshot Viewer ActiveX control race condition
The one-year-old Online Media Technologies NCTsoft NCTAudioFile2 ActiveX buffer overflow
A one-year-old stack overflow in GomManager
The recent RealPlayer.Console heap vulnerability
The ancient 2006 WebViewFolderIcon.setSlice integer overflow vulnerability. Thanks HD, the gift keeps on giving.
The exploit page uses reliable heap spray techniques to deliver its standard download-and-execute shellcode for the overflow attempts.

We will continue to research this one and provide more details here. The interest here is mostly in the large-scale effort to spread this months-old malware and serve it up on newly compromised sites under a somewhat different name. The spam is mostly the same as before; the malware has previously been spread as video.exe, video.avi.exe, and others.
Our hunch is that an IM worm or spammed link over the past several days was dropping an FTP password stealer, which in turn collected the credentials used to upload these “showvideo.html” pages and the other content alongside the usual content on these legitimate sites. The sites continue to serve up legitimate pages as well. There were CuteFTP and other stealers, widely distributed, with random names starting with “wins” (such as “wins.exe”) over the past several days. The first of the suspected stealer family started with the name winsbb.exe.
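As an added example (not from the post, and not a tool from the ThreatFire team), here is a small scanner a site owner could run over a web server access log to spot the campaign’s reused file names and the clients that walked the full lure page, exploit page and fake updater chain. The log lines are constructed samples in Apache combined format; the IP addresses and host name are placeholders.

```python
import re

# Constructed sample lines in Apache combined log format (not from the post).
SAMPLE_LOG = """\
203.0.113.5 - - [31/Jul/2008:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.5 - - [31/Jul/2008:10:01:09 +0000] "GET /showvideo.html HTTP/1.1" 200 2210 "http://example.test/index.html" "Mozilla/4.0"
203.0.113.5 - - [31/Jul/2008:10:01:11 +0000] "GET /1.html HTTP/1.1" 200 9876 "http://example.test/showvideo.html" "Mozilla/4.0"
203.0.113.5 - - [31/Jul/2008:10:01:40 +0000] "GET /get_flash_update.exe HTTP/1.1" 200 61440 "http://example.test/showvideo.html" "Mozilla/4.0"
198.51.100.7 - - [31/Jul/2008:10:02:00 +0000] "GET /news/story.html HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# File names the campaign described above reuses across compromised sites.
SUSPICIOUS_NAMES = {"showvideo.html", "1.html", "get_flash_update.exe"}

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_campaign_hits(log_text):
    """Return (ip, path, referer) for every request touching a known campaign file name."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        name = rec["path"].rsplit("/", 1)[-1].split("?", 1)[0].lower()
        if name in SUSPICIOUS_NAMES:
            hits.append((rec["ip"], rec["path"], rec["referer"]))
    return hits

def clients_with_full_chain(log_text):
    """IPs that fetched the lure page, the exploit page and the fake updater: likely victims."""
    seen = {}
    for ip, path, _ in find_campaign_hits(log_text):
        seen.setdefault(ip, set()).add(path.rsplit("/", 1)[-1].lower())
    return sorted(ip for ip, names in seen.items() if SUSPICIOUS_NAMES <= names)

if __name__ == "__main__":
    for hit in find_campaign_hits(SAMPLE_LOG):
        print("suspicious request:", hit)
    print("clients that completed the chain:", clients_with_full_chain(SAMPLE_LOG))
```

Requests for the injected pages with the site’s own pages as referer are the signal that the hosting account, not the visitor, was compromised, which fits the FTP credential theft described above.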

In the meantime, if you need to update your Flash Player, only do so at the legitimate Adobe site.

DNS Cache Poisoning

Thursday, July 24th, 2008

A Google search for “poison” still returns a top result for one of the tackiest 80s pouty-lipped glam bands around. They are still on tour, and they probably haven’t even heard of DNS.

DNS cache poisoning vulnerabilities (there is a fine wiki entry on the subject) have been all the rage on various security research mailing lists for the past couple of weeks and should be at the top of any search result list now. New working exploits targeting those vulnerabilities have been created and distributed. Coincidentally, Black Hat is being held next week, where Dan Kaminsky will present his original findings. Dan Kaminsky reportedly brought together a huge number of DNS providers and got a patch properly worked out and distributed for this thing.
What does the “DNS Insufficient Socket Entropy Vulnerability” really mean to the average end user? Before you ask, there is a hitch. What was supposed to remain mysterious and closeted within the shadowy network security and DNS administrator community has been released full force via full disclosure and Metasploit, the open source pen testing tool project run by HD Moore and friends. This addition means that this potentially dangerous information is public and freely usable.
So now go ahead and ask. What does “DNS Insufficient Socket Entropy” really mean to me? If you are a standard user, you’re probably not administering a DNS server, but you (possibly unknowingly) are using DNS. Your ISP maintains these DNS servers, or the routes to them, for you. It is these systems that tell your browser which server to connect to when you visit “www.google.com”. They need to send your browser’s requests to your bank’s authentic web site when you attempt to browse it, instead of to some creaky old mock-up hosted in the furthest reaches of the planet. While you depend on DNS servers working properly and supporting “sufficient entropy”, there is most likely nothing you can directly do to administer and patch them.

In the meantime, visit the Microsoft Update site to check for new updates and ensure that third-party software on your system is patched. DNS admins need to get their servers patched.
You can check Dan Kaminsky’s own site here, or another tool here, for information to present to your ISP if they haven’t yet patched.
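The checking tools linked above look at how much a resolver actually randomizes its outbound queries. As an added illustration (not from the post, and not the code behind those tools), the following estimates the entropy of the source port and transaction ID of a resolver’s queries and flags the “insufficient socket entropy” case: a fixed or simply incrementing source port behind random 16-bit TXIDs. It assumes you already have (source_port, txid) pairs captured from one resolver; here the samples are constructed.

```python
import math
import random
from collections import Counter

def shannon_bits(values):
    """Shannon entropy in bits of an observed sample (bounded above by log2(len(values)))."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def sequential_fraction(ports):
    """Share of consecutive queries whose source port simply increments by one."""
    if len(ports) < 2:
        return 0.0
    return sum(1 for a, b in zip(ports, ports[1:]) if b == a + 1) / (len(ports) - 1)

def assess_resolver(queries, min_port_bits=8.0, max_sequential=0.5):
    """queries: (source_port, txid) pairs observed from one resolver's outbound lookups.
    Random TXIDs alone give only 16 bits; a fixed or incrementing source port adds
    nothing, which is the 'insufficient socket entropy' case flagged here."""
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    port_bits = shannon_bits(ports)
    seq = sequential_fraction(ports)
    return {
        "port_bits": port_bits,
        "txid_bits": shannon_bits(txids),
        "combined_bits": shannon_bits(queries),
        "sequential_fraction": seq,
        "vulnerable": port_bits < min_port_bits or seq > max_sequential,
    }

def constructed_sample(port_mode, n=2000, seed=1):
    """Constructed (not captured) traffic: random 16-bit TXIDs with the source port
    fixed at 53, incrementing from 1024, or drawn from the ephemeral range."""
    rng = random.Random(seed)
    out = []
    for i in range(n):
        if port_mode == "fixed":
            port = 53
        elif port_mode == "sequential":
            port = 1024 + i
        else:
            port = rng.randrange(1024, 65536)
        out.append((port, rng.randrange(0, 65536)))
    return out

if __name__ == "__main__":
    for mode in ("fixed", "sequential", "random"):
        r = assess_resolver(constructed_sample(mode))
        print(f"{mode:10s} port bits {r['port_bits']:5.2f}  "
              f"sequential {r['sequential_fraction']:.2f}  vulnerable={r['vulnerable']}")
```

With 2,000 samples the entropy estimator cannot show more than about 11 bits, so it separates fixed or incrementing ports from randomized ones but does not certify a full 16 bits of port randomness; the sequential check exists because an incrementing port looks perfectly random to a marginal entropy count.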

Update: Dan Kaminsky posted additional information that “DNS clients are at risk, in certain circumstances”, and that Microsoft is patching multiple other DNS client-side vulnerabilities (“has received two MSRC fixes in the past six months”). So, while the major focus is on the DNS servers, be sure to visit the Windows Update site and patch away!

Better Behavioral Detection

Wednesday, July 23rd, 2008

Talented and well-connected cyberthreat analyst Dancho Danchev posted an interview with researcher Thierry Zoller of n.runs AG, the group that recently published a paper on 800 AV product vulnerabilities. He gave Thierry a chance to discuss his thoughts on McAfee’s response to the vulnerability findings.
Keep in mind that I may be a bit biased, since ThreatFire is one of the best behavioral-based products out there. Here is my favorite part of the interview:

Dancho: Isn’t the single most important vulnerability found in antivirus software during the last couple of years the easy-to-bypass signature-based scanning approach, and the product concept myopia of spending years of research on heuristics where the same amount of resources should probably have been spent on behavioral detection solutions?

Thierry: From a larger viewpoint, concentrating on the functional aspect of AV software – you are absolutely correct. The “problem” with behavioral detection is this one – they need fewer updates and... updates are what keeps the AV business model rolling. If this had not been the case – I am sure we would have much better behavioral and overall detection nowadays. It’s ridiculous how easy it is to bypass heuristics.

Great reading.