…this won't directly affect 98% of our readership.
But as Mike Clark commented, "I answered Firefox, but I filled out the survey in IE6! This is because I am at work and my boss specifically refuses to allow me to use FF".
So at least one of you has to use IE 6.
This vulnerability has been reported to Microsoft and the research team has created a proof of concept:
The exploit tool, called "Applescript Trojan horse template" was crafted by forum participants of MacShadows.com. These guys appear to have been hobbyist hackers interested in testing the ARDAgent vulnerability. It doesn't appear to be in the wild at present. We detect it as Backdoor.Mac.Hovdy.a.
What's the ARDAgent flaw? In a nutshell, ARDAgent runs Applescript with root privileges. So once the victim is tricked into installing Hovdy, no user passwords are required for it to do its thing, which is provide backdoor access to the attacker.
You can read more details from Security Fix here and here. SecureMac's advisory is here.
Trojan number two:
There was also another Mac OSX trojan discovered last week.
This one was found by Intego. We detect it as Trojan-PSW:OSX/PokerStealer.A.
Response Analyst Mark G. performed our analysis and provided the following details:
PokerStealer.A heavily relies on social engineering. It comes with the filename PokerGame.app (180Kb), sounds interesting, right?
However, once executed, it will prompt the user for a password.
It checks the provided password to see if it matches the username of the machine. If not, it will ask again. It needs the user's password to continue.
What happens behind the scenes is the following: it enables the SSH of the infected machine by running; it acquires the local IP address, subnet mask, private IP address of the router (domain), public IP address by querying via the Internet; it gets the version of OSX, recovers its hash and saves it to a file named "secret_file".
After all the necessary information has been gathered it then sends the information to a specific e-mail address with a subject of "Howdy" and the message details include username, password, and IP addresses.
With the e-mailed information, the attacker can perform routines from a remote location through SSH without the user knowing it and may even take control of the infected machine.
The PokerStealer.A trojan appears to have been written by someone with more than just hobbyist level motivations.
PokerStealer's infection is limited by the password requirement.
So what do you think happens next?
That's right. The author of PokerStealer (motivated by profit) is going to seek out the hobbyist's "Applescript Trojan horse template" and will reduce the infection steps of PokerStealer.A to simply running an application named "PokerGame".
How many Mac users do you think like to play poker?
Earlier today we saw a big increase in e-mails going around with all sorts of interesting subjects, not totally unlike the ones used by the latest Storm.
So far we've seen subjects talking about everything from White House hit by lightning, catches fire to Italy knocked out of Euro 2008 and Nokia unveils revolutionary new phone design. It's a pretty long list of different subjects — too long to list them all here so we've put them in a downloadable TXT file instead.
All of the messages contain a link to different compromised sites which contain the same fake PornTube page. Once there the page displays an error message telling the user that they need to install a Video ActiveX component. The file that gets downloaded is spam trojan that sends out lots of e-mails with links pointing back to the compromised sites.
The list of compromised sites is pretty extensive as well, we've been able to identify 74 different sites so far whereof only a handful have been fixed.
One thing that's not really normal about this case — we first saw the file that gets downloaded, video.exe, over two days ago and already added detection for it then. Why would they send spam promoting an old file? Well, we've seen malware writers do stupid things before.
Firefox 3 has suffered its first reported code execution vulnerability.
About five hours after its release, TippingPoint's Zero Day Initiative received a critical vulnerability affecting Firefox 3.0. Earlier versions of Firefox are also affected.
TippingPoint confirmed the vulnerability, got it from the researcher, then contacted Mozilla. A fix is now in progress. You can read more details from TippingPoint.
TippingPoint hasn't revealed any technical details of the vulnerability. They will not do so until a patch is available. The vulnerability requires some user interaction such as clicking on an e-mail link or visiting a malicious page.
There are no examples of this exploit in the wild so the best advice is to maintain best browsing practices while waiting for Mozilla's fix. And confirm that your Firefox is set to automatically update.
One of the trademarks of the Storm gang's 18 month lifespan has been that they're very creative and current when it comes to their social engineering techniques, e.g. 1, 2, 3, et cetera. The latest variant is e-mail that arrives to your inbox reporting a violent earthquake in Beijing.
If you click on the link you are taken to a page which seem to contain a video that would show you these tragic events but if you click to see the video the site will ask you download and run a file called beijing.exe, which of course is not a video at all but the Storm trojan.
One thing that makes it a bit more difficult for a user to notice that the e-mail is in fact a Storm message is the fact that the links point to valid domains instead of IP addresses. This is not new for Storm but unusual as most of their links point directly to infected IP addresses.
So far we've seen the following domains being used and they are all fast fluxing: biztech-co.cn fconnorlaw.cn ratedhot.cn pacoast.cn cadeaux-avenue.cn tellicolakerealty.cn activeware.cn grupogaleria.cn polkerdesign.cn
The first time we saw Storm was when they sent out e-mails that reported violent storms going through Europe — that's why we named it Storm. At the time there were actually storms going through Europe.
The earthquake in Beijing has fortunately not happened. Speaking of Beijing and Storm, we are still expecting to see Storm, and other malware, use the Olympic games in August as a social engineering trick so be on the lookout for those in a few weeks.
For example: sites using Extended Validation (EV) SSL certificates will be very noticeable to end users from the Navigation Toolbar.
There's also antivirus integration for executable file downloads and malware protection. Malware protection warns users when they attempt to visit bad sites known to be hosting malware. The anti-phishing site features have also been enhanced.
On the other side of the battlefield is Microsoft's beta of Internet Explorer 8. They are working on similar security features.
Then of course there's Opera, which some of us in the lab use. Opera 9.5 is now available and it too has new security options.
All of this is good news for end users. Many of the malware samples and scams that we currently come across are targeting browser applications. So enhancing browser security and an increase in competitiveness is a good thing.
Update: Based on quick look of our usage statistics, a little over half of those that visit our dot.com site are using either IE6 or IE7. Firefox accounts for 20 percent, Opera 2%, and Nokia/Symbian 1%.
FROM THE DESK OF THE PROMOTION OFFICER, GSM MOBILE SWEEPSTAKES PROMO. CALLE CLAUDIO COELLO 41, 28001 MADRID, SPAIN.
UNITED KINGDOM ( UK ) / SPANISH ALLIANCE GSM SUBSCRIBERS PROMOTION.
To, Mr. Xxxx Xxxxxxx . Verification No: CN435-663-6 Winning No: +35840XXXXXX Country: Finland. Date: 11th June , 2008.
Congratulations!!! On behalf of UNITED KINGDOM(UK)/SPANISH GSM Staffs we hereby Congratulates you on your Mobile Phone Serial Number has won you the Sum of €170,000.00 (One Hundred and Seventy Thousand Euro) on the ongoing UNITED KINGDOM(UK)/SPANISH GSM MOBILE PROMOTION . A Cheque has been issued under your name ( Xxxxx Xxxxxxx.) and it will be Deliver to your House Address through the Deplomate Parcel Officers.
PICTURE OF YOUR CHEQUE PARCEL CONSIGNMENT THAT WILL BE DELIVER TO YOU:
All the necessary documents that are require to receive your Winning Cash Prize are file along with your CHEQUE PARCEL CONSIGNMENT.
You are kindly advice to select any of the courier delivery service that will be suitable for you to recieve your CHEQUE in your door step.Beneficiaries are responsible for the courier delivery charge selected.The payment has to be make through the officer Name below.
Despite reports of Storm being killed off, it's still very much alive. As recently as earlier today we saw an upswing in e-mails being sent out attempting to trick people into visiting Storm sites such as the one below.
While the Storm botnet certainly isn't as big as it used to be, it's definitely one of the most persistent botnets we've ever seen… and we've not seen the last of it.
P.S. Nowadays Storm drops a filed called "farkrish.exe" to the system… we wonder if that means something in some language?
A Spanish modder has developed an easy to use privilege escalation hack for Symbian S60 3rd Edition phones. The hack provides unlimited access to the phone's file system. With this access any number of modifications can be made.
Hacks directed towards S60 3rd Edition have been evolving for a while now. A number of OS security enhancements were implemented between the 2nd and 3rd Editions of S60. One of the practical results of these enhancements was the prevention of malware for 3rd Edition phones. The OS is locked down and applications require a Symbian signature. It's essentially a whitelisting system and only "trusted applications" can be installed.
While this provides a very practical consequence to regular consumers — it also tends to frustrate enthusiasts.
Late last year we tested a hack technique using Nokia's firmware update application. It ended up bricking one of our test phones and we needed to get it re-flashed. The hack wasn't very, shall we say, user friendly. And being difficult to use it never really took off.
Modification of firmware is both difficult and error prone. So modders began to look for easier targets that were more reliable.
Recent techniques used a new approach targeting Symbian's debugging interface, thus giving the modders full control without having to touch the device's firmware. Once a hacker has access to debug controls the device is completely under his control.
The first versions of this approach still required the use of a PC and thus could only be used by someone who knew what he was doing and required some time. So from the security point of view this was rather harmless. It would never become popular with the average Joe.
But things went on and then last week the steps were reduced to running a single SISX installation file. And it works easily with no fuss. The SISX installation package contains a simple graphical application to remove the access restrictions of any application that is currently running on the device.
The privilege escalation is still not without side effects. After escalation the operating system is not able to start any new applications until the phone is rebooted. But whatever is running at the time has total control over the device.
So what does the future hold?
Will we see new malware for S60 3rd Edition phones? It's possible. Cabir, Commwarrior, or Beselo source code could be updated to work on 3rd Edition and with the addition of this privilege escalation they could do pretty much the same things as they do on 2nd Edition phones.
More likely we'll see a small but growing subset of enthusiasts running homebrew applications… much as there exists for the iPhone. Those willing to risk the security consequences will run free applications from developers that skip the expensive development cost of the Symbian signing process. Just like those that will skip Apple iPhone's SDK applications which require Apple's approval.
We get samples — lots of samples — every day. Like tens of thousands of them.
They come from various sources: from our customers; from honeypots and honeynets; via our online scanners; submitted directly from our products; from operators and ISPs; via sample exchange with our competitors; and so on.
We also get copies of samples that people submit to online virus scanning services such as VirusTotal, Jotti, and VirSCAN. We'd like to give big thanks to these services for their valuable cooperation.
When we get samples via such online services, we have absolutely no idea where the sample is coming from and who submitted it. Sometimes such samples can be real mysteries.
Take for example this PDF file that we got a sample of via VirusTotal. The only information we have on this 130kB file is that it was named f1be1cdea0bcc5a1574a10771cd4e8e8.pdf (after its MD5 hash) and that it was submitted on the 23rd of May.
When you open this document, this is what you'll see:
Looks like a Department of Homeland Security form G-325A.
What's the filename?
It's not f1be1cdea0bcc5a1574a10771cd4e8e8.pdf. It's 0521.pdf.
This is not the document we opened.
So what happens here?
Apparently this PDF has been used in a targeted attack against an unknown target.
When this PDF is opened in Acrobat Reader, it uses a known exploit to to drop files.
Specifically, it creates two files in the TEMP folder: D50E.tmp.exe and 0521.pdf.
Then it executes the EXE and launches the clean 0521.pdf file to Adobe Reader in order to fool the user into thinking that everything is all right.
D50E.tmp.exe is a backdoor that creates lots of new files with innocent sounding filenames, including:
The SYS component is a rootkit that attempts to hide all this activity on the infected machine.
The backdoor tries to connect to port 80 of a host called nbsstt.3322.org. Anyone operating this machine would have full access to the infected machine.
Well, 3322.org is one of the well known Chinese DNS-bouncers that we see a lot in targeted attacks. Does nbsstt mean something? Beats us, but Google will find a user with this nickname posting to several Chinese military related web forums, such as bbs.cjdby.net.
Where does nbsstt.3322.org point to?
IP address 18.104.22.168 is in Zhejiang, China.
And it's live right now, answering requests at port 80.