Monday, November 06, 2006

Watch out for JPGs now - update #1

Hi folks,

In my earlier blog post, I said that I thought the XML Core Services 0-day didn't work. Looks like I was wrong. It seems that if you actually have XML Core Services (MSXML 4.0) installed, it works nicely, thank you very much.

On my test system, it installed a new copy of Explorer.exe and a DLL. So far, no AVs recognize the dropped programs, and so far, on my test system, they don't do much. Of course, these days, it's not unusual for malcode to recognize that it is running in a virtual environment and refuse to run. I think it's reasonable to assume that any file dropped by any 0-day is not there for your health.

I don't really imagine that squillions of people will have MSXML 4.0 installed, but if you have, you should be careful.

More to follow.

Roger

Watch out for JPGs now

Hi folks,

This has been an exceptionally busy weekend. First, ISS has alerted on a new IE 0-day, and then we separately discovered a new script that re-packages some existing exploits, the newest of which is SetSlice.

The ISS discovery is explained here ... http://xforce.iss.net/xforce/alerts/id/239 . It does not appear to work reliably at this point, but is an interesting discovery and interesting concept. We've added sigs for it and will keep watching for developments. Kudos to ISS for finding it.

Our discovery is also quite interesting in that the Bad Guys are referencing what appears to be a simple JPG, for example ...

h t t p :// www.SomeThingOrOther/img16349.jpg , and in fact, you do see a harmless picture, but they've prepended the HTML with an obfuscated JScript, which launches exploits at you. I'm sure, by the way, that this has always been possible, but I've never noticed it used quite this way before.

Unlike the normal iframer and trimode launchers, this one tries to be selective about what exploits it throws, based on the OS and patch level. The most recent exploit is SetSlice, which was patched in October, so if you are running SocketShield and you are patched, you have little to worry about.
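The practical check that falls out of this is to classify what you fetched by its bytes, not by its extension or declared type: a real JPEG starts with the Start-Of-Image marker FF D8 FF, while the decoy described above starts with markup and script and only reaches the picture later. The following is an added example (not code from this post or from SocketShield) that sniffs the leading bytes, reports whether a ".jpg" body is a clean image, an HTML-prefixed image, or plain HTML, and splits the prefix off so it can be handed to a script deobfuscator. The sample bodies are constructed for the example, not captured from the site mentioned above, and the regex of markup tokens is an assumption about what should never lead a genuine image.

```python
import re

# Every JPEG begins with the Start-Of-Image marker FF D8 followed by another marker byte FF.
JPEG_SOI = b"\xff\xd8\xff"

# Markup and script tokens that have no business in the leading bytes of a real image
# (assumed list; extend it to taste).
HTML_TOKENS = re.compile(
    rb"<\s*(?:!doctype|html|head|body|script|iframe|object|embed|applet)\b",
    re.IGNORECASE,
)


def classify_image_body(body: bytes, sniff_len: int = 2048) -> dict:
    """Classify the bytes fetched from an image URL by content, ignoring the extension.

    Returns a dict with:
      verdict    - "jpeg", "jpeg-with-embedded-markup", "html-prefixed-jpeg",
                   "html-only" or "unknown"
      soi_offset - byte offset of the first JPEG SOI marker, or -1 if absent
      html_token - the first markup/script tag seen in the sniffed prefix, or None
    """
    head = body[:sniff_len]
    soi_offset = body.find(JPEG_SOI)
    match = HTML_TOKENS.search(head)
    html_token = match.group(0).decode("latin-1") if match else None

    if soi_offset == 0:
        # Image data first; markup later (e.g. inside a comment segment) is suspicious
        # but not the decoy shape described in the post.
        verdict = "jpeg" if match is None else "jpeg-with-embedded-markup"
    elif match is not None and soi_offset > match.start():
        # Markup first, picture afterwards: a browser renders the HTML and runs the script,
        # and the picture is the decoy.
        verdict = "html-prefixed-jpeg"
    elif match is not None:
        verdict = "html-only"
    else:
        verdict = "unknown"
    return {"verdict": verdict, "soi_offset": soi_offset, "html_token": html_token}


def split_prefixed_jpeg(body: bytes) -> tuple:
    """Split an HTML-prefixed JPEG into (prefix, image).

    The prefix is what you feed to a script deobfuscator; the image part can be
    checked on its own.  Returns (body, b"") when no SOI marker is present.
    """
    offset = body.find(JPEG_SOI)
    if offset < 0:
        return body, b""
    return body[:offset], body[offset:]


# Constructed samples (not captures): a minimal JPEG/JFIF header padded with zeros,
# and the same header with HTML plus an escaped JScript blob placed in front of it.
FAKE_JPEG = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\x00" * 64
)
FAKE_POLYGLOT = (
    b'<html><body><script language="jscript">'
    b"eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%29'))"
    b"</script></body></html>\r\n" + FAKE_JPEG
)


if __name__ == "__main__":
    for name, sample in (("clean", FAKE_JPEG), ("decoy", FAKE_POLYGLOT)):
        print(name, classify_image_body(sample))
    prefix, image = split_prefixed_jpeg(FAKE_POLYGLOT)
    print("prefix bytes:", len(prefix), "image bytes:", len(image))
```

Run it against whatever your proxy or sandbox fetched from the image URL; a verdict of "html-prefixed-jpeg" is the shape of the decoy described above, and the returned prefix is the part worth deobfuscating. Note that the check only tells you the response is not what its name claims; it does not by itself identify which exploits the script goes on to select.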

Roger

Friday, November 03, 2006

October Web Attacker?

Hi folks,

Looks like there's a new version of Web Attacker tonight. We just found a web site that we know to run Web Attacker and it's clearly using SetSlice (MS06-057). We couldn't get at the admin page to see what else might be in the new version, but the format of the command we saw was ".cgi?type=MS06-057&SP2", so that's clearly new at a minimum.

If you're patched to October, and you're running SocketShield, you have little to fear, but if not, please be careful. Web Attacker is always widely used.

More to follow.

Roger