Archives

  • SecDigest – 08-25-2008

    Antivirus XP 2008
    Be careful with what you click! This Trojan makes you believe that there are viruses/worms on your computer, gets you to download a file named XPantivirus2008_v880421.exe (v880421 is a variable component of the file name) and installs another executable named xpa.exe, which is a worm. This will create entries in multiple locations including ProgramFiles, Windows [...]

    Aug 25th, 2008 | Filed under SecDigest
  • SQL Injection Attacks, on the rise!

    SQL injection attacks are techniques used by hackers to inject malicious SQL queries into web applications in order to steal information from the stored database.
    SQL injection attacks are on the rise, and these days attackers are targeting social networking sites, online shopping cart web pages and other such web-based applications. Search Engines are used [...]

    Aug 21st, 2008 | Filed under Notes
  • Attacks targeting social networking sites

    Any message that appears to have come from a friend in the network is trusted by default. Because of this, social networking sites are easy targets for worm writers looking to spread an attack. Also, behavioral analysis is possible by looking at the enormous amount of content available. An attack that is targeted is thus possible, [...]

    Aug 20th, 2008 | Filed under SecDigest
  • SecDigest – 08-18-2008

    Russian-Georgian Cyber attack
    Is it real? There is evidence pointing to that, though we cannot conclude for sure. “Cyber Warfare” is still a term that can be set aside for the future, though such evidence is making it appear more real. It will only be speculation at this point in time. It can even [...]

    Aug 18th, 2008 | Filed under SecDigest
  • SecDigest – 08-13-2008

    MS Bulletins – Aug 2008
    11 Security Advisories were released this month, covering about 26 flaws in Microsoft Windows, Microsoft Office, and Internet Explorer: http://www.microsoft.com/technet/security/bulletin/ms08-aug.mspx
    The very critical ones are MS08-041 and MS08-042, as these are being exploited in the wild. The SecPod plugins for Nessus are uploaded and we have made Snort signatures (9003, [...]

    Aug 13th, 2008 | Filed under SecDigest
  • SecDigest – 7-30-2008

    With the release of the latest DNS cache poisoning attack, DNSSEC is gaining some attention, as it is supposed to provide cryptographic means to prevent such attacks. Though it doesn’t prevent the DDoS attacks that have come to be known in the DNS space, considering DNSSEC is a good step forward.
    But, why DNSSEC implementation efforts [...]

    Aug 12th, 2008 | Filed under SecDigest
  • SecDigest – 07-17-2008

    Microsoft MS08-033, MS07-064 Revised
    The revision included DirectX 9a in the vulnerable list. DirectX 9a users are advised to install the hotfixes.
    WinRemotePC 2008 Packet Handling Denial of Service Vulnerability
    Repeatedly inserting a huge amount of data, of the order of 30000 bytes, in place of the “Service Pack n” string in the message causes the CPU consumption [...]

    Aug 12th, 2008 | Filed under SecDigest
  • SecDigest – 07-15-2008

    Microsoft Access Snapshot Viewer ActiveX Control Vulnerability
    Snort signatures were developed for this vulnerability, based on the available POC. There is coverage at http://www.emergingthreats.net/
    The signatures can also be downloaded at www.secpod.org/snort-signatures/

    Aug 12th, 2008 | Filed under SecDigest
  • SecDigest – 07-10-2008

    More on DNS Cache Poisoning Issue:
    We updated the advisory after seeing a number of other vendors release product updates; more advisories are being released:
    Debian – http://lists.debian.org/debian-security-announce/2008/msg00185.html
    RedHat – http://rhn.redhat.com/errata/RHSA-2008-0533.html
    Ubuntu – http://www.ubuntu.com/usn/usn-622-1
    Talking about collaboration,
    http://www.securityfocus.com/columnists/477?ref=rss
    SANS summarized the issue very well,
    http://isc.sans.org/diary.html?storyid=4687&rss
     
     
    Microsoft Word Could Allow Remote Code Execution:

    Microsoft released an advisory for the issue which was earlier reported [...]

    Aug 12th, 2008 | Filed under SecDigest
  • SecDigest – 07-09-2008

    Big day for security researchers, vendors and administrators with Microsoft’s Patch Tuesday release. The simultaneous release of the patch for the DNS cache poisoning attack by major vendors makes it all the more interesting and keeps us all busy. I must say, a well-coordinated effort by vendors.
    Current Activities:
    1. Vulnerabilities in DNS Could Allow Spoofing (953230) [...]

    Aug 12th, 2008 | Filed under SecDigest
Archive for August, 2008