NEWS FROM THE LAB - June 2008
 

 

Friday, June 27, 2008

 
Internet Explorer 6 Cross-Domain Scripting Vulnerability Posted by Vulnerabilities @ 14:44 GMT

Microsoft's Internet Explorer 6 has a reported cross-domain scripting vulnerability which could potentially expose user credentials (such as usernames/passwords) and allow cookie hijack sessions.

Based on the results of our most recent poll:

Browser Poll Results

…this won't directly affect 98% of our readership.

But as Mike Clark commented, "I answered Firefox, but I filled out the survey in IE6! This is because I am at work and my boss specifically refuses to allow me to use FF".

So at least one of you has to use IE 6.

As per reports, the vulnerability affects Internet Explorer 6 installed on Windows XP SP2/SP3. The latest version of Internet Explorer (IE 7), with its improved handling of JavaScript protocol URLs, is not vulnerable.

This vulnerability has been reported to Microsoft and the research team has created a proof of concept:

http://raffon.net/research/ms/ie/crossdomain/string.html

If you open the link in IE 6, you'll see that the domain raffon.net has been linked to the cookie of a different domain, i.e. Google.com.

It's a PoC and isn't yet known to be in the wild, but it is considered to be moderately critical as many people still use IE 6.

Vulnerability Team post by — Jay

 
 

 
 
Wednesday, June 25, 2008

 
Data Security Summary - January to June 2008 Posted by Sean @ 16:25 GMT

We've published our Security Threat Summary for the First Half of 2008.

You can find the report and video at www.f-secure.com/2008/.

You can watch the video via our video-channel:

Security Summary H1 2008 Video-Channel

Or you can watch the video via our lab's YouTube Channel:

Security Summary H1 2008 YouTube

If you're behind some restrictive firewalls, such as .mil domains, e-mail us and we'll provide you with a link for a download. Cheers!

 
 

 
 
Tuesday, June 24, 2008

 
Two New Mac OSX Trojans Posted by Sean @ 15:35 GMT

Trojan number one:

A report of an Apple Remote Desktop Agent vulnerability recently surfaced. Now there's news of a trojan that can exploit the flaw.

The exploit tool, called "Applescript Trojan horse template" was crafted by forum participants of MacShadows.com. These guys appear to have been hobbyist hackers interested in testing the ARDAgent vulnerability. It doesn't appear to be in the wild at present. We detect it as Backdoor.Mac.Hovdy.a.

What's the ARDAgent flaw? In a nutshell, ARDAgent runs Applescript with root privileges. So once the victim is tricked into installing Hovdy, no user passwords are required for it to do its thing, which is provide backdoor access to the attacker.

You can read more details from Security Fix here and here. SecureMac's advisory is here.

Trojan number two:

There was also another Mac OSX trojan discovered last week.

This one was found by Intego. We detect it as Trojan-PSW:OSX/PokerStealer.A.

—————

Response Analyst Mark G. performed our analysis and provided the following details:

PokerStealer.A heavily relies on social engineering. It comes with the filename PokerGame.app (180Kb), sounds interesting, right?

Trojan-PSW:OSX/PokerStealer.A

However, once executed, it will prompt the user for a password.

Trojan-PSW:OSX/PokerStealer.A

It checks the provided password to see if it matches the username of the machine. If not, it will ask again. It needs the user's password to continue.

What happens behind the scenes is the following: it enables the SSH of the infected machine by running; it acquires the local IP address, subnet mask, private IP address of the router (domain), public IP address by querying via the Internet; it gets the version of OSX, recovers its hash and saves it to a file named "secret_file".

After all the necessary information has been gathered it then sends the information to a specific e-mail address with a subject of "Howdy" and the message details include username, password, and IP addresses.

With the e-mailed information, the attacker can perform routines from a remote location through SSH without the user knowing it and may even take control of the infected machine.

—————

The PokerStealer.A trojan appears to have been written by someone with more than just hobbyist level motivations.

PokerStealer's infection is limited by the password requirement.

So what do you think happens next?

That's right. The author of PokerStealer (motivated by profit) is going to seek out the hobbyist's "Applescript Trojan horse template" and will reduce the infection steps of PokerStealer.A to simply running an application named "PokerGame".

How many Mac users do you think like to play poker?

 
 

 
 
Saturday, June 21, 2008

 
Pretty Good Key Posted by Mikko @ 22:35 GMT

I've been using PGP (Pretty Good Privacy) since version 2.1.

I generated my first public/secret keypair in March 1993. Here's a screenshot of it:

PGP

As you can see, I underestimated the need for sufficient keylengths; my first key was a 384-bit RSA key.

Keylengths actually mattered in 1993 — we were running 486 processors at the time, and using long keys was slow.

However, I quite quickly realized that 384 bits wasn't going to be enough and my key would eventually become crackable as factoring technology got better and computers got more powerful.

So I took the plunge and created a new keypair — this time with a whopping 1024-bit keylength!

I actually spent the shortest night of the summer of 1993 doing that — the midsummer night.

And the new key was long enough.

It was slow, yes — but it was long enough.

In fact, I still use it today, almost daily.

I've never needed to generate a new keypair.

Around 1994 I got Dr. Vesselin Bontchev to sign my key. Which was cool, because Vesselin's key was signed by Phil Zimmermann — the guy behind PGP.

And the midsummer night in 1993… it was the 21st of June.

Which means my key is 15 years old today.

Happy Birthday, key 0F265709. You've served well.

PGP

 
 

 
 
Friday, June 20, 2008

 
Lots of Subjects and One Video Posted by Patrik @ 06:11 GMT

Earlier today we saw a big increase in e-mails going around with all sorts of interesting subjects, not totally unlike the ones used by the latest Storm.

sagent_tyw_mail


So far we've seen subjects talking about everything from "White House hit by lightning, catches fire" to "Italy knocked out of Euro 2008" and "Nokia unveils revolutionary new phone design". It's a pretty long list of different subjects — too long to list them all here, so we've put them in a downloadable TXT file instead.

All of the messages contain a link to different compromised sites which contain the same fake PornTube page. Once there, the page displays an error message telling the user that they need to install a Video ActiveX component. The file that gets downloaded is a spam trojan that sends out lots of e-mails with links pointing back to the compromised sites.

agent_tyw_www


The list of compromised sites is pretty extensive as well: we've been able to identify 74 different sites so far, of which only a handful have been fixed.

One thing that's not really normal about this case — we first saw the file that gets downloaded, video.exe, over two days ago and already added detection for it then. Why would they send spam promoting an old file? Well, we've seen malware writers do stupid things before.
 
 

 
 
Thursday, June 19, 2008

 
Firefox 3 Vulnerability Discovered Posted by Vulnerabilities @ 09:47 GMT

Firefox 3 has suffered its first reported code execution vulnerability.

Firefox 3 - http://www.mozilla.com

About five hours after its release, TippingPoint's Zero Day Initiative received a critical vulnerability affecting Firefox 3.0. Earlier versions of Firefox are also affected.

TippingPoint confirmed the vulnerability, got it from the researcher, then contacted Mozilla. A fix is now in progress. You can read more details from TippingPoint.

TippingPoint hasn't revealed any technical details of the vulnerability. They will not do so until a patch is available. The vulnerability requires some user interaction such as clicking on an e-mail link or visiting a malicious page.

There are no examples of this exploit in the wild so the best advice is to maintain best browsing practices while waiting for Mozilla's fix. And confirm that your Firefox is set to automatically update.

Firefox 3 Update Options

Signing off,
Jay

 
 

 
 
Storm Rumbles Beijing Posted by Patrik @ 05:56 GMT

One of the trademarks of the Storm gang's 18 month lifespan has been that they're very creative and current when it comes to their social engineering techniques, e.g. 1, 2, 3, et cetera. The latest variant is an e-mail that arrives in your inbox reporting a violent earthquake in Beijing.

storm_beijing_earthquake_web


If you click on the link you are taken to a page which seems to contain a video of these tragic events, but if you click to see the video the site will ask you to download and run a file called beijing.exe, which of course is not a video at all but the Storm trojan.

storm_beijing_earthquake_web


One thing that makes it a bit more difficult for a user to notice that the e-mail is in fact a Storm message is the fact that the links point to valid domains instead of IP addresses. This is not new for Storm but unusual as most of their links point directly to infected IP addresses.

So far we've seen nine different .cn domains being used, and they are all fast fluxing.

The first time we saw Storm was when they sent out e-mails that reported violent storms going through Europe — that's why we named it Storm. At the time there were actually storms going through Europe.

The earthquake in Beijing has fortunately not happened. Speaking of Beijing and Storm, we are still expecting to see Storm, and other malware, use the Olympic games in August as a social engineering trick so be on the lookout for those in a few weeks.
 
 

 
 
Tuesday, June 17, 2008

 
Firefox 3 Aims for Guinness World Record Posted by Sean @ 12:48 GMT

Firefox 3 will be released today. Many of us in the lab were not aware that Mozilla is pushing for a Guinness World Record. Mozilla is aiming for a record number of downloads within the first 24 hours.

Kudos to Jay, from our Vulnerability Team, for pointing it out to us.

Firefox 3, Guinness World Record

There's already a large number of pledges and it should be interesting to see how many of those are fulfilled.

This release kicks off a browser skirmish…

Firefox 3 will introduce a number of new security features that look very promising.

For example: sites using Extended Validation (EV) SSL certificates will be very noticeable to end users from the Navigation Toolbar.

Firefox 3, PayPal EV SSL

There's also antivirus integration for executable file downloads and malware protection. Malware protection warns users when they attempt to visit bad sites known to be hosting malware. The anti-phishing site features have also been enhanced.

On the other side of the battlefield is Microsoft's beta of Internet Explorer 8. They are working on similar security features.

Then of course there's Opera, which some of us in the lab use. Opera 9.5 is now available and it too has new security options.

There's even Apple's Safari available for Windows.

All of this is good news for end users. Many of the malware samples and scams that we currently come across are targeting browser applications. So enhancing browser security and an increase in competitiveness is a good thing.

Update: Based on a quick look at our usage statistics, a little over half of those that visit our dot.com site are using either IE6 or IE7. Firefox accounts for 20 percent, Opera 2%, and Nokia/Symbian 1%.

Question: What is your browser of choice?



 
 

 
 
Thursday, June 12, 2008

 
419 SMS Scams Posted by Mikko @ 14:31 GMT

There's an ongoing SMS / e-mail fraud underway.

People are receiving text messages to their phones that look something like this:

CONGRATULATIONS! Your mobile number has won 170.000.00 Euro in the ongoing GSM MOBILE PROMO. For claim contact +34-685-346-100 & e-mail gsmn92@yahoo.com

If you send an e-mail to the listed address, this is what you'll get back:



From: Gsm Notification (gsmn92@yahoo.com)
Date: 11.06.2008 11:49
FROM THE
DESK OF THE PROMOTION OFFICER,
GSM MOBILE SWEEPSTAKES PROMO.
CALLE CLAUDIO COELLO 41,  28001 MADRID,
SPAIN.

UNITED KINGDOM ( UK ) / SPANISH ALLIANCE GSM SUBSCRIBERS PROMOTION.

To,
Mr. Xxxx Xxxxxxx .
Verification No: CN435-663-6
Winning No: +35840XXXXXX
Country: Finland.
Date: 11th June , 2008.


Congratulations!!! On behalf of UNITED KINGDOM(UK)/SPANISH GSM Staffs we hereby
Congratulates you on your Mobile Phone Serial Number has won you the Sum of
€170,000.00 (One Hundred and Seventy Thousand Euro) on the ongoing UNITED
KINGDOM(UK)/SPANISH GSM MOBILE PROMOTION . A Cheque has been issued under your name ( Xxxxx Xxxxxxx.) and it will be Deliver to your House Address through the Deplomate Parcel Officers.

PICTURE OF YOUR CHEQUE PARCEL CONSIGNMENT THAT WILL BE DELIVER TO YOU:

PostSafe Mailing Bags Size P26, 440mm x 320mm Pack 100

All the necessary documents that are require to receive your Winning Cash Prize are file along with your CHEQUE PARCEL CONSIGNMENT.

You are kindly advice to select any of the courier delivery service that will be suitable for you to recieve your CHEQUE in your door step.Beneficiaries are responsible for the courier delivery charge selected.The payment has to be make through the officer Name below.

COURIER DELIVERY OPTIONS
===========================================================

DHL COURIER
Courier Charges: €695.00
Insurance: €1,300.00 (PAID)
Administrative: € 579.00(PAIID)
Time of delivery: 72hours
Total: € 695.00 Euroo.

================================================
FEDEX EXPRESS
Courier Charges: € 595.00
Insurance: €1,500.00 (PAID)
Administrative: €160.00(PAID)
Time of delivery: 84hours
Total: € 595.00 Euro.

================================================
UPS
UPS COURIER
Courier Charges: € 590.00
Insurance €1,300.00





Obviously you can't win a lottery if you haven't bought a ticket in the first place.

These guys just want you to pay for the "courier delivery" of your "cheque parcel".

There is no parcel.

Don't fall for this scam.
 
 

 
 
Wednesday, June 11, 2008

 
June Updates Posted by Sean @ 11:29 GMT

Microsoft released their monthly updates yesterday. There are three critical updates.

The Security Bulletin Summary for June 2008 has more details.

MS08_033

Apple also released a security update yesterday for QuickTime. Users should update to version 7.5.

Apple's Software Update is one method:

QuickTime_75_update

Apple's security article has additional details and you can also read our vulnerability report.

In other updates, Skype 3.8 was released last week. You can read vulnerability report SA30547 for details, and can download the latest version from Skype.com.

 
 

 
 
Tuesday, June 10, 2008

 
iFone 3G? Posted by Sean @ 17:28 GMT

One year ago many of us in the lab were rather curious about the Apple iPhone.

We conducted a poll — What is your level of interest in the iPhone?

Most of you weren't interested at the time. But that was then.

Now it's one year later and Apple has announced the iPhone 3G.

So let's conduct another poll:

What's your level of interest in iPhone 3G?




Would you jailbreak your iPhone?




Added: If you decide to jailbreak your iPhone, maybe you should wait until you've left the store.

 
 

 
 
Wednesday, June 4, 2008

 
Storm Still Alive Posted by Patrik @ 00:20 GMT

Despite reports of Storm being killed off, it's still very much alive. As recently as earlier today we saw an upswing in e-mails being sent out attempting to trick people into visiting Storm sites such as the one below.

Storm May 2008


While the Storm botnet certainly isn't as big as it used to be, it's definitely one of the most persistent botnets we've ever seen… and we've not seen the last of it.

P.S. Nowadays Storm drops a file called "farkrish.exe" to the system… we wonder if that means something in some language?
 
 

 
 
Tuesday, June 3, 2008

 
Symbian Jailbreak Posted by Jarno @ 18:32 GMT

A Spanish modder has developed an easy to use privilege escalation hack for Symbian S60 3rd Edition phones. The hack provides unlimited access to the phone's file system. With this access any number of modifications can be made.

Image: © jojojojo, from BigStockPhoto.com

Mobile modding is a very dynamic scene. See our recent Motorola Razr post — and of course Apple iPhone research has had a great deal of activity from the time of its introduction. Despite the diversity of platforms, mobile phone enthusiasts are drawn to popular hardware and are eager to unlock any restrictions that exist.

Hacks directed towards S60 3rd Edition have been evolving for a while now. A number of OS security enhancements were implemented between the 2nd and 3rd Editions of S60. One of the practical results of these enhancements was the prevention of malware for 3rd Edition phones. The OS is locked down and applications require a Symbian signature. It's essentially a whitelisting system and only "trusted applications" can be installed.

While this is a very practical benefit to regular consumers — it also tends to frustrate enthusiasts.

Late last year we tested a hack technique using Nokia's firmware update application. It ended up bricking one of our test phones and we needed to get it re-flashed. The hack wasn't very, shall we say, user friendly. And being difficult to use it never really took off.

Modification of firmware is both difficult and error prone. So modders began to look for easier targets that were more reliable.

Recent techniques used a new approach targeting Symbian's debugging interface, thus giving the modders full control without having to touch the device's firmware. Once a hacker has access to debug controls the device is completely under his control.

The first versions of this approach still required the use of a PC, and thus could only be used by someone who knew what he was doing and had some time to spend. So from the security point of view this was rather harmless. It would never become popular with the average Joe.

But things moved on, and last week the steps were reduced to running a single SISX installation file. It works easily with no fuss. The SISX installation package contains a simple graphical application that removes the access restrictions of any application currently running on the device.

It makes modding an S60 phone as easy as jailbreaking an iPhone.

The privilege escalation is still not without side effects. After escalation the operating system is not able to start any new applications until the phone is rebooted. But whatever is running at the time has total control over the device.

So what does the future hold?

Will we see new malware for S60 3rd Edition phones? It's possible. Cabir, Commwarrior, or Beselo source code could be updated to work on 3rd Edition and with the addition of this privilege escalation they could do pretty much the same things as they do on 2nd Edition phones.

However — Nokia and Symbian have worked on more security features than just the platform security capabilities model. For example, S60 3rd Edition FP1's user interface was modified to prevent simple social engineering tactics used by Cabir variants. So user interaction would still be required, and we think it would be more of a social engineering challenge than with 2nd Edition phones.

More likely we'll see a small but growing subset of enthusiasts running homebrew applications… much as there exists for the iPhone. Those willing to risk the security consequences will run free applications from developers that skip the expensive development cost of the Symbian signing process. Just like those that will skip Apple iPhone's SDK applications which require Apple's approval.

 
 

 
 
Monday, June 2, 2008

 
Creating Malicious PDF Files Posted by Mikko @ 19:46 GMT

Yesterday's post discussed a mystery PDF file that was booby trapped to drop a backdoor.

Today we'll look at how these documents are created.

Here's an example of a tool called Y08-40 aka GenMDB.

GenMDB

When run, it displays this user interface:

y08-04 by Noble

The apparent purpose of this tool is to create trojanized PDF files. You select which EXE you want to embed, which PDF file you want to trojanize, and which platform you expect the victim to be using.

Cool. Now, the real question is this: How on earth did we get our hands on such a tool?

You'd never guess it.

We received it inside a trojanized PDF file.

Here's what we believe happened:

Someone, somewhere was using this tool for the first time.

They did a test run, selecting a random PDF file and a random EXE to create a trojanized PDF, just as a test.

As a random EXE, they selected — wait for it — GenMDB.EXE itself!

Then the perpetrator was probably curious to find out if the trojan PDF would be detected by virus scanners or not.

So he uploaded the trojanized PDF to an online scanner.

Hey, thanks. Keep up the good work.

 
 

 
 
Sunday, June 1, 2008

 
DHS PDF Posted by Mikko @ 12:14 GMT

We get samples — lots of samples — every day. Like tens of thousands of them.

They come from various sources: from our customers; from honeypots and honeynets; via our online scanners; submitted directly from our products; from operators and ISPs; via sample exchange with our competitors; and so on.

We also get copies of samples that people submit to online virus scanning services such as VirusTotal, Jotti, and VirSCAN. We'd like to give big thanks to these services for their valuable cooperation.

When we get samples via such online services, we have absolutely no idea where the sample is coming from and who submitted it. Sometimes such samples can be real mysteries.

Take for example this PDF file that we got a sample of via VirusTotal. The only information we have on this 130kB file is that it was named f1be1cdea0bcc5a1574a10771cd4e8e8.pdf (after its MD5 hash) and that it was submitted on the 23rd of May.

When you open this document, this is what you'll see:

Department of Homeland Security G-325A

Looks like a Department of Homeland Security form G-325A.

Look again.

What's the filename?

It's not f1be1cdea0bcc5a1574a10771cd4e8e8.pdf. It's 0521.pdf.

This is not the document we opened.

So what happens here?

Apparently this PDF has been used in a targeted attack against an unknown target.

When this PDF is opened in Acrobat Reader, it uses a known exploit to drop files.

Specifically, it creates two files in the TEMP folder: D50E.tmp.exe and 0521.pdf.

Then it executes the EXE and opens the clean 0521.pdf in Adobe Reader in order to fool the user into thinking that everything is all right.

D50E.tmp.exe is a backdoor that creates lots of new files with innocent sounding filenames, including:

   \windows\system32\avifil16.dll
   \windows\system32\avifil64.dll
   \windows\system32\drivers\pcictrl.sys
   \windows\system32\drivers\Nullbak.dat
   \windows\system32\drivers\Beepbak.dat

The SYS component is a rootkit that attempts to hide all this activity on the infected machine.

nbsstt.3322.org

The backdoor tries to connect to port 80 of a host called nbsstt.3322.org. Anyone operating this machine would have full access to the infected machine.

Well, 3322.org is one of the well known Chinese DNS-bouncers that we see a lot in targeted attacks. Does nbsstt mean something? Beats us, but Google will find a user with this nickname posting to several Chinese military related web forums, such as bbs.cjdby.net.

Where does nbsstt.3322.org point to?

nbsstt.3322.org

IP address 125.116.97.19 is in Zhejiang, China.

And it's live right now, answering requests at port 80.
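A static triage check for documents like the ones in this post and in the GenMDB post above, added here as an example; it is not code from the lab or from any tool described. It assumes nothing beyond the PDF's raw bytes: it looks for the dictionary keys that give a PDF a way to run something, and for a Windows PE image inside (possibly Flate-compressed) streams, which is the combination an EXE-embedding generator needs. The sample PDF, its decoy filename and the PE header are all constructed for the demonstration.

```python
"""Static triage of a PDF for embedded executables and auto-run hooks."""
import re
import zlib

# Dictionary keys that let a PDF launch something or carry a payload.
SUSPICIOUS_KEYS = (b"/Launch", b"/JavaScript", b"/JS", b"/EmbeddedFile",
                   b"/OpenAction", b"/AA", b"/RichMedia")

# Stream bodies; zlib.decompress ignores the trailing newline before endstream.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def _looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def _decoded_streams(pdf: bytes):
    """Yield each stream body, inflated when it is a zlib/FlateDecode stream."""
    for m in STREAM_RE.finditer(pdf):
        body = m.group(1)
        try:
            yield zlib.decompress(body)
        except zlib.error:
            yield body  # not zlib-compressed; inspect the raw bytes


def triage_pdf(pdf: bytes) -> dict:
    """Report which auto-run keys appear and whether any stream holds a PE file."""
    keys = sorted({k.decode() for k in SUSPICIOUS_KEYS if k in pdf})
    embedded_pe = any(_looks_like_pe(s) for s in _decoded_streams(pdf))
    return {"auto_run_keys": keys, "embedded_pe": embedded_pe,
            "suspicious": embedded_pe or bool(keys)}


def fake_pe() -> bytes:
    """Constructed minimal DOS/PE header (not a runnable program) for testing."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)          # 0x40-byte DOS header
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")     # e_lfanew -> offset 0x40
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


def constructed_sample(payload: bytes, launch: bool = True) -> bytes:
    """Build a tiny PDF hiding payload in a FlateDecode stream (constructed)."""
    stream = zlib.compress(payload)
    # Decoy drop name mirrors the post; the action is what a reader would run.
    action = b"/OpenAction << /S /Launch /F (D50E.tmp.exe) >>" if launch else b""
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R " + action + b" >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"3 0 obj << /Filter /FlateDecode /Length "
            + str(len(stream)).encode() + b" >>\nstream\n" + stream
            + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    print(triage_pdf(constructed_sample(fake_pe())))
    print(triage_pdf(constructed_sample(b"just some page text", launch=False)))
```

A payload hidden in a stream without any launch key still trips the check, which matters because a document can rely on a reader exploit rather than a declared action to get its dropper executed.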