SecDigest – 08-25-2008

Antivirus XP 2008
Be careful what you click! This Trojan convinces the user that there are viruses/worms on the computer, makes them download a file named XPantivirus2008_v880421.exe (v880421 is a variable component of the file name) and installs another executable named xpa.exe, which is a worm. It creates entries in multiple locations, including Program Files and the Windows Registry, and also adds a System Startup entry so that it reappears after a reboot.

This was actually reported to us by an infected user, who also reported that many users in Australia are affected. The worm is described in more detail here.

Action:
1. Do not open any link that claims to clean viruses/worms on your computer.
2. If you are already infected, AVG Free has cleanup support and other vendors are adding it, so run your AV scanner.
3. We have a Snort signature written for this.

Aug 25th, 2008 | Filed under SecDigest

SQL Injection Attacks, on the rise!

SQL injection is a technique attackers use to inject malicious SQL into the queries a web application sends to its database, in order to read or modify the stored data.

SQL injection attacks are on the rise, and these days attackers are targeting social networking sites, online shopping cart pages and other such web applications. Attackers use search engines to find vulnerable pages. For example, the query ‘.*mysql_query\(.*\$_(GET|POST).*’ in Google Code Search yields PHP pages that build SQL queries directly from user-supplied form input.

Web application developers should follow best practices. Do’s: always validate and escape user input; always run with minimum database privileges; use parameterized (prepared) queries. Don’ts: do not trust user input; do not build SQL queries by concatenating strings with that input.
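As an added example (not code from the original post): the vulnerable pattern that search query finds, side by side with the parameterized form that replaces it. It is written in Python against an in-memory SQLite table rather than PHP/MySQL so it runs offline; the table, rows and payloads are constructed for illustration.

```python
import sqlite3


def make_db():
    # Constructed sample table for the demonstration (not real data).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, password, role) VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, name, password):
    # The query is assembled by string formatting from form input, the same shape
    # as mysql_query("... $_POST['name'] ...") in the PHP pages the Code Search
    # query finds. The input becomes part of the SQL grammar.
    sql = "SELECT name, role FROM users WHERE name = '%s' AND password = '%s'" % (
        name,
        password,
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn, name, password):
    # Placeholders: the values travel separately from the statement text, so
    # quotes, comment markers or UNION inside them are just characters.
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


def auth_bypass(conn):
    # A closing quote plus an SQL comment ("-- ") cuts the password check off
    # the end of the dynamically built query.
    payload = "alice' -- "
    return (
        login_vulnerable(conn, payload, "wrong"),
        login_parameterized(conn, payload, "wrong"),
    )


def dump_passwords(conn):
    # A UNION payload in the password field reads other columns out of the
    # table, which is the data theft the post describes. The column count of
    # the injected SELECT must match the original (2 here).
    payload = "' UNION SELECT name, password FROM users -- "
    return (
        sorted(login_vulnerable(conn, "nobody", payload)),
        login_parameterized(conn, "nobody", payload),
    )


if __name__ == "__main__":
    db = make_db()
    print("auth bypass (vulnerable, parameterized):", auth_bypass(db))
    print("password dump (vulnerable, parameterized):", dump_passwords(db))
```

In both functions the parameterized query returns nothing for the payloads, because the driver never lets the input alter the statement; escaping alone is weaker, since it must be done correctly for every context (string, numeric, identifier) the input lands in.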

Aug 21st, 2008 | Filed under Notes

Attacks targeting social networking sites

Any message that appears to come from a friend in the network is trusted by default. Because of this, social networking sites are easy targets for worm writers looking to spread an attack. Also, behavioural analysis is possible from the enormous amount of content available, so a targeted attack based on an individual’s interests is possible.

The recently identified MySpace/Facebook worm is one example of such an attack: it turns the victim’s machine into a zombie computer that can be used in a botnet. The worm creates spam messages and sends them to users in the friends network through the infected user’s account. The messages include: Paris Hilton Tosses Dwarf On The Street; Examiners Caught Downloading Grades From The Internet; Hello; You must see it!!! LOL. My friend catched you on hidden cam; Is it really celebrity? Funny Moments.

Clicking these links produces a message saying the latest Flash player is required, and downloads codecsetup.exe, which is the worm.

Kaspersky coverage is here.

Aug 20th, 2008 | Filed under SecDigest

SecDigest – 08-18-2008

Russian-Georgian Cyber attack

Is it real? There is evidence pointing that way, though we cannot conclude for sure. “Cyber warfare” is still a term that can be set aside for the future, though such evidence makes it appear more real. It remains speculation at this point; it could even be hackers taking advantage of the situation.

Botnets are taking aim at Georgian websites, and there were a few incidents on the Russian side as well. These are TCP SYN flood attacks mixed with TCP RST flood attacks.
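The SYN/RST flood pattern above lends itself to a simple detector. The following is an added example, not code from the original post or from anyone who handled the incident: it reads constructed per-packet records (timestamp, source, destination, TCP flags; the addresses are documentation ranges, not Georgian or Russian hosts) and raises a per-destination alert when a one-second window holds a burst of bare SYNs or RSTs from many sources. The thresholds are deliberately tiny to fit the sample; a real sensor would use per-link baselines.

```python
from collections import defaultdict

# Constructed packet records for the demonstration: "<seconds> <src> <dst> <TCP flags>".
# S = bare SYN, A = ACK (handshake completion), R = RST. Not real captured traffic.
SAMPLE = """\
0.00 198.51.100.1 203.0.113.10 S
0.05 198.51.100.2 203.0.113.10 S
0.10 198.51.100.3 203.0.113.10 R
0.15 198.51.100.4 203.0.113.10 S
0.20 198.51.100.5 203.0.113.10 R
0.25 198.51.100.6 203.0.113.10 S
0.30 198.51.100.7 203.0.113.10 R
0.35 198.51.100.8 203.0.113.10 S
0.40 198.51.100.9 203.0.113.10 R
0.45 198.51.100.10 203.0.113.10 S
0.50 198.51.100.11 203.0.113.10 R
0.12 192.0.2.50 203.0.113.20 S
0.13 192.0.2.50 203.0.113.20 A
0.60 192.0.2.51 203.0.113.20 S
0.61 192.0.2.51 203.0.113.20 A
"""


def parse(text):
    """Turn the record lines into (time, src, dst, flags) tuples, skipping blanks."""
    pkts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, flags = line.split()
        pkts.append((float(t), src, dst, flags))
    return pkts


def detect_floods(pkts, window=1.0, syn_threshold=5, rst_threshold=5):
    """Per-destination flood alerts.

    For each destination, slide a window of `window` seconds over its packets
    in time order, counting bare SYNs, RSTs and the distinct sources sending
    them. A legitimate client sends one SYN and then ACKs; a flood is a burst
    of S or R packets, usually from many (spoofed) sources, so the source
    count is reported alongside the raw counts. Returns {dst: alert} for the
    first window that trips on each destination.
    """
    by_dst = defaultdict(list)
    for p in pkts:
        by_dst[p[2]].append(p)
    alerts = {}
    for dst, plist in by_dst.items():
        plist.sort()
        for i in range(len(plist)):
            start = plist[i][0]
            syn = rst = 0
            sources = set()
            for t, src, _, flags in plist[i:]:
                if t - start > window:
                    break
                if flags == "S":
                    syn += 1
                    sources.add(src)
                elif flags == "R":
                    rst += 1
                    sources.add(src)
            kinds = []
            if syn >= syn_threshold:
                kinds.append("syn_flood")
            if rst >= rst_threshold:
                kinds.append("rst_flood")
            if kinds:
                alerts[dst] = {"kinds": kinds, "syn": syn, "rst": rst,
                               "sources": len(sources), "window_start": start}
                break
    return alerts


if __name__ == "__main__":
    for dst, alert in detect_floods(parse(SAMPLE)).items():
        print(dst, alert)
```

The host at 203.0.113.10 trips both the SYN and the RST rule from eleven different sources inside the first second, while 203.0.113.20 sees only ordinary handshakes and stays quiet.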

A timeline of the events since 8th August is captured here, and attack observations here.

Aug 18th, 2008 | Filed under SecDigest

SecDigest – 08-13-2008

MS Bulletins – Aug 2008

11 security bulletins were released this month, covering about 26 flaws in Microsoft Windows, Microsoft Office and Internet Explorer: http://www.microsoft.com/technet/security/bulletin/ms08-aug.mspx

The most critical are MS08-041 and MS08-042, as these are being exploited in the wild. The SecPod plugins for Nessus have been uploaded, and we released Snort signatures (9003, 9004, 9005) earlier for MS08-041.

The summary is available at SANS,

http://isc.sans.org/diary.html?storyid=4876&rss

It is just a matter of clicking Windows “Automatic Update” (Is it? A careful deployment plan is certainly required for enterprise users) and going ahead with the installations.

Aug 13th, 2008 | Filed under SecDigest

SecDigest – 7-30-2008

With the release of the latest DNS cache poisoning attack, DNSSEC is gaining some attention, as it is supposed to provide cryptographic means to prevent such attacks: signed zone data lets a validating resolver reject a forged response. Though it does not prevent the DDoS attacks that have become known in the DNS space, it is a good step forward to consider DNSSEC.

But why are DNSSEC implementation efforts not moving forward? The issue is much the same set of complications as with PKI deployments, and there is no commercial value addition that would push vendors to adopt DNSSEC.

Here’s an old paper that discusses the reasons, also proposing alternative means to deploy DNSSEC, http://www.research.att.com/~trevor/papers/dnssec-incentives.pdf

A few steps forward:

.ORG Becomes First Generic Top Level Domain to Start DNSSEC Implementation ,
http://pir.org/index.php?db=content/News&tbl=Press&id=9

Domain Name Security Paper Released,
http://www.icann.org/en/announcements/announcement-24jul08-en.htm

Aug 12th, 2008 | Filed under SecDigest

SecDigest – 07-17-2008

Microsoft MS08-033, MS07-064 Revised

The revision adds DirectX 9a to the list of affected versions. DirectX 9a users are advised to install the hotfixes.

WinRemotePC 2008 Packet Handling Denial of Service Vulnerability

Replacing the “Service Pack n” string in the message with a huge amount of data, on the order of 30000 bytes, and sending it repeatedly drives CPU consumption as high as 98% and exhausts memory as well. A system crash was not observed in our setup. We have a Snort signature available, 9007.

TCP Port Randomization

There’s an Internet Draft up for review, after all the issues surrounding port randomization.

Aug 12th, 2008 | Filed under SecDigest

SecDigest – 07-15-2008

Microsoft Access Snapshot Viewer ActiveX Control Vulnerability

Snort signatures were developed for this vulnerability, based on the available POC. There is coverage at http://www.emergingthreats.net/

The signatures can also be downloaded from www.secpod.org/snort-signatures/

Aug 12th, 2008 | Filed under SecDigest

SecDigest – 07-10-2008

More on DNS Cache Poisoning Issue:

We updated the advisory after seeing a number of other vendors release updates for their products; more advisories are being released:

Debian – http://lists.debian.org/debian-security-announce/2008/msg00185.html

RedHat – http://rhn.redhat.com/errata/RHSA-2008-0533.html

Ubuntu – http://www.ubuntu.com/usn/usn-622-1

Talking about collaboration:

http://www.securityfocus.com/columnists/477?ref=rss

SANS summarized the issue very well:

http://isc.sans.org/diary.html?storyid=4687&rss


Microsoft Word Could Allow Remote Code Execution:

Microsoft released an advisory for the issue, which was earlier reported by Symantec. Microsoft has also confirmed reports of attacks underway. No solution is available yet. Since it is confined to Microsoft Office 2002, a patch is unlikely in the near future. Better to upgrade, or be watchful of the Word documents you open!

Microsoft Advisory: http://www.microsoft.com/technet/security/advisory/953635.mspx

SecPod Advisory: http://www.secpod.org/advisories/Microsoft_Word_2002_Remote_Code_Execution.html

Aug 12th, 2008 | Filed under SecDigest

SecDigest – 07-09-2008

Big day for security researchers, vendors and administrators with Microsoft’s Patch Tuesday release. The simultaneous release of the patch for the DNS cache poisoning attack by the major vendors makes it all the more interesting and keeps us all busy. I must say, a well coordinated effort by vendors.

Current Activities:

1. Vulnerabilities in DNS Could Allow Spoofing (953230) – MS08-037

2. Vulnerability in Windows Explorer Could Allow Remote Code Execution (950582) – MS08-038

3. Vulnerabilities in Outlook Web Access for Exchange Server Could Allow Elevation of Privilege (953747) – MS08-039

4. Vulnerabilities in Microsoft SQL Server Could Allow Elevation of Privilege (941203) – MS08-040

5. Sun’s advisory on DNS cache poisoning issue

6. Cisco’s advisory on DNS cache poisoning issue

7. Microsoft Word Unspecified Remote Code Execution Vulnerability – 953635

8. Vulnerability in the ActiveX Control for the Snapshot Viewer for Microsoft Access Could Allow Remote Code Execution – 955179

DNS Cache poisoning issue:

Almost all vendors are affected, this being an issue with the protocol implementations rather than one product. The first issue is insufficient entropy in the DNS transaction ID, and the second is that the UDP source port is constant for all queries. Together these make it easy for an attacker to guess the values a forged response must carry, alter the cache and redirect DNS queries to a different location.

The randomness of the transaction ID was addressed earlier by Microsoft (MS08-020) and BIND. With the latest patches they have introduced source port randomization as well. Caution is to be exercised while deploying this patch:

1. Firewall rules may need a review (outbound queries no longer leave from a single fixed source port, so rules that only admit replies to that port will drop them).

2. Custom implementations of DNS clients may require review and rework.
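To make the two weaknesses and the firewall caveat concrete, here is an added example of mine (not code from the original post or from any vendor patch). It models the check a resolver performs before caching a response, with the transaction-ID entropy and the source-port behaviour as parameters, computes the blind spoofer’s guess space and hit probability, and counts replies a stale “port 53 only” firewall rule would drop. The fixed port value, the ephemeral port range and the query names are assumptions for illustration; the spoofing model is simplified to one burst of forged responses per query with no timing race.

```python
import random

FIXED_PORT = 53                  # assumed: the one source port an unpatched resolver used
EPHEMERAL = range(1024, 65536)   # assumed: range a patched resolver draws its source port from


def guess_space(randomize_port, txid_bits=16):
    """Number of (txid, port) pairs a blind spoofer must cover to hit one query.
    txid_bits < 16 models a resolver whose transaction IDs carry less entropy
    than the 16-bit field allows (the first weakness); randomize_port=False
    models the constant source port (the second)."""
    return (1 << txid_bits) * (len(EPHEMERAL) if randomize_port else 1)


def hit_probability(forged_per_query, randomize_port, txid_bits=16):
    """P(at least one of N forged responses is accepted) = 1 - (1 - 1/space)^N."""
    space = guess_space(randomize_port, txid_bits)
    return 1.0 - (1.0 - 1.0 / space) ** forged_per_query


class Resolver:
    """Minimal model of the matching a resolver does before caching a response."""

    def __init__(self, randomize_port, rng, txid_bits=16):
        self.randomize_port = randomize_port
        self.txid_bits = txid_bits
        self.rng = rng
        self.outstanding = {}    # (txid, source port) -> question in flight

    def send_query(self, qname):
        txid = self.rng.getrandbits(self.txid_bits)
        sport = self.rng.choice(EPHEMERAL) if self.randomize_port else FIXED_PORT
        self.outstanding[(txid, sport)] = qname
        return txid, sport

    def receive(self, txid, dport, qname):
        # Accepted only if it lands on the port the query left from, carries
        # the same transaction ID and answers the outstanding question.
        if self.outstanding.get((txid, dport)) == qname:
            del self.outstanding[(txid, dport)]
            return True
        return False


def simulate(randomize_port, queries, forged_per_query, txid_bits=16, seed=1):
    """Count how many of `queries` lookups a blind attacker poisons by firing
    `forged_per_query` guessed responses at each one."""
    resolver = Resolver(randomize_port, random.Random(seed), txid_bits)
    attacker = random.Random(seed + 1)
    poisoned = 0
    for i in range(queries):
        qname = "host%d.example." % i   # attacker knows the name: it triggered the lookup
        resolver.send_query(qname)
        for _ in range(forged_per_query):
            txid = attacker.getrandbits(txid_bits)
            port = attacker.choice(EPHEMERAL) if randomize_port else FIXED_PORT
            if resolver.receive(txid, port, qname):
                poisoned += 1
                break
    return poisoned


def replies_blocked(allowed_dports, randomize_port, n, seed=1):
    """Firewall caveat: a stateless rule that only admits UDP replies to the
    old fixed port drops every reply once the resolver picks random source
    ports, because the reply's destination port is the query's source port."""
    resolver = Resolver(randomize_port, random.Random(seed))
    blocked = 0
    for i in range(n):
        _, sport = resolver.send_query("h%d.example." % i)
        if sport not in allowed_dports:
            blocked += 1
    return blocked


if __name__ == "__main__":
    for label, rnd, bits in (("weak txid, fixed port", False, 8),
                             ("full txid, fixed port", False, 16),
                             ("full txid, random port", True, 16)):
        print("%-24s space=%-12d poisoned=%d of 2000" % (
            label, guess_space(rnd, bits), simulate(rnd, 2000, 400, bits)))
    print("replies dropped by a 'dport 53 only' rule after the patch:",
          replies_blocked({53}, True, 100), "of 100")
```

Randomizing the source port multiplies the guess space by the size of the ephemeral range, which is why the patch matters even for resolvers that already had good transaction IDs; the last line is the reason the firewall review is on the list.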

As of now, Microsoft, BIND (ISC), Sun, Cisco, Debian and Ubuntu have released advisories; look for more in the coming days.

Slightly exaggerated headline:

ActiveX Control for the Snapshot Viewer for Microsoft Access – 955179

For any ActiveX-related issue, set the kill bit. We have been seeing a number of these. This does not fix the underlying flaw, but it stops one of the attack vectors: Internet Explorer will no longer instantiate the control from a web page.

Aug 12th, 2008 | Filed under SecDigest