Saturday, September 30, 2006

SetSlice update number 2

Hi folks,

Our Hunting Pots just found it in use at the CWS sites. These are different from the St Petersburg iframers, and this represents a significant escalation. These guys have a huge network of lures drawing traffic in from legitimate search engines. Up until this weekend, they have been using the mouldie old WMF exploit from last December, but are now as up to date as they can be. The exploit script, btw, is slightly different from the one in use by the iframers.

More to follow.

Roger

WebViewFolderIcon setSlice exploit in the wild - follow up

Hi folks,

We've now verified that this works pretty well on fully patched XP SP2 (yes, including the VML patch). It installs at least a rootkit, so I'm not going to share the exact URL, but it's along the lines of http://xxxxxxxxxx.biz/dl/slide499.html.

The fact that I only found it on one web site so far is immaterial .... these guys have a well established distribution model, with many adult/ warez sites acting as lures, and it is probably on many more already.

They also like to hack into completely innocent sites, and install an iframe, thus turning them into unwitting lures, and they like to find bulletin boards that are open enough for them to insert their iframe.

I had a question off-blog about what a malicious iframe looks like .... it typically looks something like this...

< i f r a m e src="http://xxxxxxxxx.com/get_st.php?xxxxxxx" width=1 height=1>< / i f r a m e>

The important thing to notice is that width and height are both set to some very small number. What this means is that whatever is inserted by the iframe is too small to be visible, but the code associated with it works just fine.

The exploit is very easy to copy, so I expect this will be widely adopted.

Naturally, SocketShield protects against it.

Roger

Friday, September 29, 2006

WebViewFolderIcon setSlice exploit in the wild

Hi folks,

There are two events worth reporting tonight. Some time today, a new version of this exploit was made available to the public in the usual places, but more importantly, this evening we found a slightly different version in the wild. As of the moment that we're writing this, it's not completely clear how well it works, but it's on at least one site renowned for using stuff that works, so they obviously think it does. Of course, SocketShield blocks it fine.

Even in the unlikely event that it doesn't work, we can expect it to be soon corrected. These guys have big lists of fairly innocent lure sites, so please watch out.

Roger

Thursday, September 28, 2006

Things just got a little more dangerous again

Hi folks,

A couple of days ago, HD Moore (of Metasploit fame) re-released one of his Month of Browser Bugs, this time as a supposedly working code- running exploit. This was released as a Metasploit plugin, which meant that you had to be running the Metasploit framework in order to test the exploit. That's fairly easy, but requires some work and thought.

Tonight, however, someone released a pure HTML version of the same exploit. This means that it just got quite a bit easier for would-be exploiters to use. It still doesn't work properly on our test machines, but it seems like it will with the appropriate tweaking, and when it is "tweaked appropriately", it'll be used for sure.

We're preemptively adding signatures for the variant to SocketShield, just in case.

Cheers

Roger

Wednesday, September 27, 2006

Month Of Browser Bugs

Hi folks,

In July, HD Moore ran his month of browser bugs, most of which were d0s and not code executers. It seems he's corrected one, and last night provided a working metasploit module that he says will allow remote code execution on fully patched systems running XP SP2. We have not yet been able to verify whether this actually works as advertised, but if it does, it will almost certainly find its way into the wild very quickly.

We added SocketShield sigs for all the Month Of Browser Bugs preemptively, so I expect that we'll find this one with little or no changes to the sigs.

Cheers

Roger

Monday, September 25, 2006

Malicious greeting cards now using the VML 0-Day

Hi folks,

Overnight, based on some information provided by MessageLabs, we noticed the ecarders have begun using the vml exploit, rather than the trusty, but five month old, MDAC exploit (MS06-014). If they can catch as many victims as they did with a five month old exploit, one wonders how many they will catch with this one.

This is a move we've anticipated all along ... there are simply too many working versions of this exploit available to the public. It's just a matter of time before all the Bad Guys switch to using it.

Roger

Thursday, September 21, 2006

eCard Scam

Hi folks,

For the last couple of months, I've been following a nifty eCard scam. It goes like this ...

You're sitting at work, and you get an eCard in the mail. It's from a secret admirer, and the card is from a major, and reputable eCard supplier, so you think it must be safe, and click the link. You view your card, but it doesn't really tell you who it was from, so you just forget about it, and get on with life. You've been rootkitted!

That's a slight exaggeration, because if you've been keeping your patches up to date (or you're running SocketShield), it won't happen, but lots of corporations _don't_ patch every month because of fears of compatibility issues. The idea is that if you're behind the corporate firewall, you're safe.

Here's how it works...

(1) The Bad Guys set up a legitimate greeting card from a reputable eCard firm.... pick one, any one... they're all vulnerable to this sort of attack.

(2) They construct a tricky link URL that takes the victim through an exploit server, on the way to the greeting card.

It looks a bit like this ...
http://InnocentSoundingName.com/index.php?http://ReputableGreetingCardCompany.com/?AndABunchMoreParametersThatReferenceTheRealCard

It doesn't much matter that this URL looks a bit funny, because that's all hidden in the HTML. All the victim sees is something like ...

Click _Here_ to get your card.

What's happening is the InnocentSoundingName.com is acting as a redirector, and sending the victim on to the greeting card, but ... _first_ it silently launches an exploit at the victim. If it's successful, it silently installs software in the background.

(3) You (might) get your greeting card, but you also get a keylogger and a rootkit.

I first noticed one of these cards in late July. It was using an MDAC exploit to install a keylogger and a rootkit, and had stolen about 200mb of data (bank accounts, credit cards, anything with a user id/ password). I then noticed a similar card about a month later, and when I checked my records, I found they'd been sending a new card about every week since early April. That's about 200mb of data per week, for five months!

The eCard scammers were quiet for most of September, so I thought they'd either stopped (hah!) or they'd gone to ground while they reorganize their exploit servers (and perhaps, get a new exploit ready). Alas, in just the last couple days we've seen a new crop arrive that we're now studying. More later...

Roger

Wednesday, September 20, 2006

VML 0-day

NOP, an exploit researcher over at XSEC, has just released a version of the VML 0-day that supposedly allows for code execution. If it does work as advertised, this will be big.

-Roger

Tuesday, September 19, 2006

Yet Another IE 0-Day

Hi folks,

Our colleagues at SunBelt have found yet another IE 0-day. See
http://sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-being.html.

Please note that this is very different from the XSEC ComObject overflow announced last week. This one seems to be a new WebAttacker, but fortunately, SocketShield already detects it with generic WebAttacker signatures. We'll post more as we know more.

Special thanks to Eric Sites and the guys at Sunbelt for being so willing to share knowledge. It's this sort of vendor/researcher level cooperation that gives the world a chance to defeat the Bad Guys.

Cheers

Roger

Monday, September 18, 2006

Codec bait and switch

Hi folks,

This is a nifty example of social engineering, which is really quite entertaining ... _unless_ you're the one on the receiving end. Here's how it works....

You're surfing the web, and you find a video that you really want to watch, (no, not one of "those" videos... well, not necessarily anyway), but it says you have to install a codec. Codec stands for compressor/decompressor and is used to reduce otherwise huge video files to a more manageable size. You install the codec, and maybe you see the video, and maybe you don't, but guess what? You've been rootkitted. Now, on one level, that's just the classic bait and switch/trojan horse scenario, but the _details_ are a little different.

I was looking at just such an example today and, being suspicious - as one tends to be in this business - I thought I'd check out why someone would give a codec away for free. So I went to the codec website, started looking around, and found of all things .... a EULA. Buried in the EULA, we find, in spite of all the references to needing a codec for Windows Media Player, the following paragraph....

"SOFTWARE DESCRIPTION This software grants you access to many different video files, provided by the Licensor on its sites. The software is not any kind of Media Player Add-On or plugin, it does not implement any additional compressor/decompressor or any other additional video software. "

Wait.... it's _not_ a compressor/decompressor or a Media Player plugin? That's kind of bold of them. Time to find out what it actually is.

So, I now install it on a Virtual PC, loaded with diagnostic software, to see what it does. Heck.... it doesn't do anything. It just installs. It's not working, because I can't see a video. It hasn't attached itself to Internet Explorer or Windows Explorer. None of my rootkit detectors shows any system anomaly. I see no way for it to get into the execution cycle on reboot. My sniffers don't see any traffic. I can't even find any place to run software.

All I can see is an Uninstall command.

Hmmmmm ..... that makes no sense. So I try again on a native machine .... no Virtual PC involved at all. This time, the rootkit detectors go off like roman candles ... hidden files and processes and registry keys all over the place. Dang! They're reasoning, correctly, that if they're on a virtual pc, they're being studied and won't play nicely. How very perceptive of them.

This shouldn't really be a surprise, because it's been well documented how to tell that you're inside a vpc, but one does rather marvel at their cunning.

But even on a native, non-virtual PC, the video that started all of this process _still_ won't play, so I decide to test what the uninstall does. Here's the entertaining part I was referring to earlier ... It very politely and tidily uninstalls all the extra bits _except_ the rootkit! And you _still_ don't get to see the video!

So how can you tell if a codec is safe, or if it's a rootkit? It turns out that you can't, unless your antivirus software recognizes it before it installs. Once it installs, it's invisible, so even if you get an update, it's probably too late... even the a-v probably won't see it.

Bottom line ... if you have to install a codec to watch a video ... the video probably isn't worth it.

Roger

Saturday, September 16, 2006

We Found One

Hi folks,

This is a minor heads up...our hunting pots found a website this morning that is serving a modified version of this exploit.

It's only a minor heads up, because it is

(1) so far, just a single site, and
(2) the exploit is still only an IE crash in our tests.

In other words, it's still nothing much to worry about, but everyone should be aware that people are tweaking the code and experimenting. And, of course, there might be many more sites...we don't see everything at once.

Cheers

Roger

Thursday, September 14, 2006

Working Internet Explorer Zero-Day

Hi folks,

It looks like we have a working Internet Explorer 0-day today. The guys at http://www.xsec.org/ actually published an example yesterday, which was Exploit Wednesday. They clearly have a sense of humor, but that's beside the point. Their initial example was only tested on Chinese XP SP2, and Internet Explorer 6.0 SP1, and although it managed to crash Internet Explorer in our tests, it was not able to execute code.

However, it appears that reliably working attack code now exists. Fortunately, no proofs of concept have been made public, and so far, our monitors have not found any real live code in the wild, so all is still pretty safe.

It would be wise for us all to assume that exploiters around the world are probably trying to figure out the details right now, so everyone needs to be both vigilant and cautious. SocketShield has been updated to protect against the exploit as we currently understand it, and we'll continue to update it as needed.

Roger

Friday, September 08, 2006

It's not MS06-042...it's a new and improved MS06-014

Hi folks,

In the cold hard light of day, it turns out that the new exploit that we found last night is not MS06-042. Instead, it seems it's an improved MS06-014 (MDAC) exploit.

Here is what we know, after spending much of the day looking at it.

(1) It definitely infects April and June patched machines. It doesn't infect an August patch.

(2) MS06-014 (MDAC) would only infect up to and including March, so this is at least two months better.

(3) Nothing in the August patch set actually matches this, although on the surface, one part of MS06-042 looks close, so it seems that something might have been silently fixed in August (or perhaps July... .we're still checking that out).

(4) The differences between the two attack scripts are minor, but very instructive. One gets the impression that there are many minor improvements that might be made and tried. We can be sure that the Bad Guys are looking at it right now and thinking. We can expect many tweaks to this.

(5) A great question would be to ask how a small tweak to the MDAC attack script allowed it to get past two months of patches.

Roger

Thursday, September 07, 2006

MS06-042 is in the wild

Hi folks,

Those 'nice' folks known as the Russian Iframers started using a new exploit tonight... MS06-042. Microsoft issued a patch for this vulnerability in August, and a proof of concept began circulating within a few days of that release. Because it allowed execution of arbitrary code from within Internet Explorer, thus going straight through a firewall, this always looked more dangerous to us than the other August patches, and we immediately created a SocketShield signature for it. I guess it took the bad guys two or three weeks to figure out their strategy, but it is now being used.

Of course, just as with WMF and MDAC, this exploit will soon be "borrowed" by other malicious website operators, and it appears to work quite effectively. In our tests, it failed against a fully patched machine, but worked like a charm on a machine that hadn't been patched since June, which makes sense for an August patch exploit.

What this means is that if your patching is up to date, or you are running SocketShield, you're probably safe, but if not... be careful... These guys have a habit of installing rootkits, most recently Rustock, which is pretty hard to detect, and even harder to remove.

Please either patch your systems or install SocketShield.

Cheers
Roger