Archive for October, 2008

AMTSO Oxford

Friday, October 31st, 2008

The Anti-Malware Testing Standards Organization (AMTSO) is meeting in Oxford, England, trying to finalize two documents that we have worked on as a part of the group for months. The “Fundamental Principles of Testing” document and “Best Practices of Dynamic Testing”, applicable to ThreatFire and its tests, have been receiving public comments for quite some time now.
PC Tools is proud to be a part of the AMTSO. We believe that we are making progress on improving the state of testing and its relevance to our customers. Far too often, descriptions of the ThreatFire product are met with blank stares and a lack of understanding. We are excited that with more standards-compliant testing and reviews, coherent and understandable analysis of the product and its comparable efficacy will be better received by users. More details and results from the meeting will be posted later on the AMTSO site.

Microsoft Releasing Out-of-Band Security Patch

Thursday, October 23rd, 2008

Microsoft is releasing an out-of-band patch today. This Critical severity release is unusual — the last time such a patch was released was 18 months ago, when Windows users were getting slammed with exploits targeting one of the .ani vulnerabilities.
It is most likely a very serious issue, and Microsoft is staying tight-lipped on the details. The April 2007 .ani vulnerability was targeted by one of the last serious Windows worm incidents (although it wasn’t well publicized), when a variant of the Fubalca/Fujacks family was released; that history provides a clue as to just how bad this one is. At the time in 2007, hundreds of attacking web sites were also targeting the vulnerability in client-side browser attacks.

At any rate, Windows users need to be sure to update their systems today.

Update: MS08-067 is released. The vulnerability is related to the Server Service as a delivery vector and resides in multiple versions of Netapi32.dll and Wnetapi32.dll: “The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request”.
Even their newest project, Windows 7.0 pre-beta, is affected. It’s interesting to note that authentication can affect exploit delivery, while the same code vulnerability is retained in the base networking code: “On Windows 7 Pre-Beta systems, the vulnerable code path is only accessible to authenticated users. This vulnerability is not liable to be triggered if the attacker is not authenticated, and therefore would be rated Important.” Is “guest” considered an authenticated user on Windows 7.0?
Workarounds can be found at the link for those who cannot patch immediately.

And look at that, it’s so fresh that the CVE identifier is empty even a couple of hours following its release. Here’s a snapshot of the National Vulnerability Database at 2:00 p.m. MST:

Install now. You should be looking at something like this screenshot, instead of spending time on this blog:

Unfortunately, the update requires a reboot.
For all you hardcore hax0rs, Skywing has put together a detailed post on using the AT service and hiew to inject the updated code into svchost.exe and manually hot patch the running vulnerable service, avoiding a reboot. Fun reading, but not recommended.
In it he claims that he wasn’t able to use BinDiff to identify the patched code, but for those REs with a lack of funding, there is a limited trial version of v2.0 that worked great on netapi32 and helped identify this problem as a stack overflow within a couple of minutes of Microsoft’s patch release. You can see for yourself what a great tool BinDiff really is — google is your friend.

Finally, our colleague Sergei also posted a fine writeup on some ITW malware targeting the vulnerability. There have been some accusations of misinformation from a couple of other vendors’ blogs, but it’s a solid writeup. Imho, the trojan/bot could be described as a multi-component worm, much like Sasser of four years ago.

Yahlover Interrupts Software Evolution

Monday, October 6th, 2008

A variation on an old IM-Worm is making the rounds in Thailand and Vietnam. It just may be interrupting your Virus Bulletin reading — the papers were good this year.
The worm is another AutoIt script compiled as “ssvichosst.exe” and designed to interact with Yahoo! Messenger — among other things, the process searches for a window with the title “Yahoo! Messenger”, and then sends one of a list of 10 fairly random Vietnamese or Thai messages to the user’s buddies. Sorry, we don’t have a speaker of either language nearby right now; here are a few examples for which google didn’t turn up anything obscene:
“E may, vao day coi co con nho nay ngon lam”
“Vao day nghe bai nay di ban”
“Biet tin gi chua, vao day coi di”
“Trang Web nay coi cung hay, vao coi thu di”
It performs a number of operations to turn off Vietnamese-based security products like “Bach Khoa AntiVirus” and “FireLion”, and disables system configuration tools. It will disable any display of folder options, and disable the task manager and registry tools.
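As an added example (not part of the original post), here is a PowerShell triage script that checks a Windows host for the indicators described above: a running “ssvichosst.exe” process, and the per-user policy values that hide Folder Options and disable Task Manager and Registry Editor. The registry paths and value names are the standard Windows policy locations for those settings; the post does not document exactly how the worm applies them, so treating these values as the mechanism is an assumption.

```powershell
# Added triage script, not from the original post. Reports host indicators that
# match the Yahlover behavior described in the text; it does not remove anything.
function Test-YahloverIndicators {
    $findings = @()

    # 1. Process name is taken from the post (Get-Process wants the name without .exe).
    $procs = Get-Process -Name 'ssvichosst' -ErrorAction SilentlyContinue
    foreach ($p in $procs) {
        $findings += [pscustomobject]@{
            Indicator = 'Process'
            Detail    = "ssvichosst.exe running (PID $($p.Id), path: $($p.Path))"
        }
    }

    # 2. Standard per-user policy values that disable Task Manager, Registry Editor
    #    and Folder Options. Assumption: the worm sets these; the post only names
    #    the resulting effects. A non-zero value means the restriction is active.
    $policyChecks = @(
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';       Effect = 'Task Manager disabled' },
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Effect = 'Registry Editor disabled' },
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions';      Effect = 'Folder Options hidden' }
    )
    foreach ($c in $policyChecks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($item -and $item.($c.Name) -ne 0) {
            $findings += [pscustomobject]@{
                Indicator = 'Registry'
                Detail    = "$($c.Path)\$($c.Name) = $($item.($c.Name)) ($($c.Effect))"
            }
        }
    }
    return $findings
}

# Wrap in @() so a single finding is still treated as an array.
$results = @(Test-YahloverIndicators)
if ($results.Count -eq 0) {
    Write-Output 'No Yahlover indicators found on this host.'
} else {
    $results | Format-Table -AutoSize
}
```

Run it in the context of the user whose Messenger session is suspected, since the checked policy values live under HKCU; a legitimately managed machine may also have these values set by Group Policy, so a hit is a lead to confirm, not a verdict.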

In the meantime, Peter Szor’s Virus Bulletin 2008 Conference presentation on the possibility of true evolution of malcode is a fascinating idea, and must have been a lot of fun to work on, but does not hold a lot of weight. While Peter Szor deserves credit and respect for writing the book on malware in “The Art of Computer Virus Research and Defense”, this presentation didn’t seem to have the same impact. The abstract suggested that an evolution could occur in software code that attacks behavior-based products, such that, “As a consequence, we predict behaviour-based virus detection would quickly become ineffective if malware can evolve based on the Darwinian paradigm.” A friend thought that such an occurrence is as likely as a pack of monkeys in front of keyboards eventually typing out Shakespeare. Too true.
Szor’s paper co-author C. Adami provided the academic efforts and study of evolution to back up their thoughts. The open source software Avida that he used to demonstrate the potential can be found on sourceforge (it was developed at the Michigan State Devolab), and it creates an extraordinarily dynamic and fascinating evolutionary environment right on your laptop, with the text version looking much like this:

While it is apparent that bypass techniques can be designed against almost any software solution, it will continue to require a human to figure out those bypass techniques. It is interesting when malware authors write a separate and legitimate-looking set of actions into their code for times when it is run in a VMware environment, or if a debug dll is loaded. But no additional number of monkeys or amount of time will make it probable that randomly mutated software will figure them out in a sequence that will morph into such an evasive danger. Szor provided a couple of examples of corrupted infections that their research team has found, including macro viruses, and examples of viral payloads piggybacking on worms for crossbreeding, but there really isn’t any evidence that malcode payloads exist containing random mutations resulting in evasion of behavior-based security technologies.

The Yahlover script will continue making the rounds in Vietnam and elsewhere, infecting AV scanner-protected machines. No realistic amount of accidental corruption is going to help it past behavior-based protection, but maybe an unemployed script-writing monkey could help.