Snapshot Viewer for Microsoft Access

F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com Copyright (c) 2007 F-Secure Corporation. All Rights Reserved. tag:www.f-secure.com,2008-07-18:%2Fweblog%2Farchives%2F00001472.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com Security Advisories related to Microsoft Office were released last week. Regular weblog readers may have already read about them via other tech-news sources. There's <a href="http://www.microsoft.com/technet/security/advisory/953635.mspx">Microsoft Security Advisory 953635</a> which only affects Microsoft Office Word 2002 Service Pack 3. If you have that particular version of Word installed, you may want to <a href="http://www.microsoft.com/DOWNLOADS/details.aspx?familyid=95E24C87-8732-48D5-8689-AB826E7B8FDF&amp;displaylang=en">download Word Viewer 2003</a> as a workaround, upgrade, or else avoid all external document files. And then there's <a href="http://www.microsoft.com/technet/security/advisory/955179.mspx">Microsoft Security Advisory 955179</a>. A vulnerability in the ActiveX Control for Microsoft Access Snapshot Viewer which could allow remote code execution. This particular vulnerability made a number of headlines last week due to the Internet Explorer implications. It's currently unpatched and there have been some limited cases of an exploit in the wild. One of the cases seen involved a patent themed site with thousands of pages injected with JavaScript. It looks like the site was hacked with a popular kit called Neosploit and the ActiveX exploit was added to the mix. That's only one site but many, many pages. We weren't very familiar with the Snapshot tool so we experimented some earlier this week. It ships with many versions of Microsoft Access previous to Office 2007. However, it isn't necessarily installed if you have Office 2003 with Access. The default option is to install the Snapshot Viewer on first use. So what happens when Internet Explorer encounters an SNP file and you have a "Default" rather than "Full" installation of Office? Well, first a legitimate file causes this prompt: <img width="689" height="34" border="0" src="http://www.f-secure.com/weblog/archives/Information_Bar.png" alt="Information Bar Warning" /> Then, if you elect to continue and push past a couple more prompts, IE will call on the Office installer. In our experience, many people will then see the following prompt: <img width="459" height="307" border="0" src="http://www.f-secure.com/weblog/archives/Office_CAB.png" alt="Office CAB Not found" /> &hellip;and then you've got to go digging for your installation CD. Or perhaps you have to call the guys from IT to map out the network folder with the installation files. That seems like a lot of trouble just to get the Snapshot Viewer OCX installed. So it's far from a perfect exploit. But there are those that have the full installation of Access 2003, et cetera installed. Think you might be vulnerable? Here is a test for you. Open this link &mdash; <a href="http://www.f-secure.com/weblog/archives/SNP.HTML">SNP.HTML</a> &mdash; using Internet Explorer. If you can easily read the "secret message" then you might want to set the killbits as recommend in MSA 955179. <a href="http://www.microsoft.com/technet/security/advisory/955179.mspx"><img width="721" height="154" border="0" src="http://www.f-secure.com/weblog/archives/snapshot_killbit.png" alt="Snapshot Viewer Killbit" /></a> On 18/07/08 At 04:49 PM 2008-07-18T16:03:36Z 2008-07-18T16:03:36Z Snapshot Viewer for Microsoft Access tag:www.f-secure.com,2008-07-18:%2Fweblog%2Farchives%2F00001471.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com It's always interesting to examine our WorldMap data feeds. Today I spotted an infected machine that belongs to the U.S. <a href="http://whois.domaintools.com/214.3.0.0">Department of Defense</a>. <img width="450" height="350" border="0" src="http://www.f-secure.com/weblog/archives/NavyMIL.png" alt="Pakes.dft Navy.MIL" /> A Navy computer in Ohio&hellip; Also &mdash; I have finally produced <a href="http://www.f-secure.com/weblog/archives/00001448.html">the promised</a>, and long overdue, <a href="http://www.youtube.com/watch?v=UUwc71ySnLI">video of our Google Earth feeds in action</a>. Upgrading my computer hardware was necessary for a smooth video. My old T43 could either run Google Earth or capture the screen but it didn't do both very well with the hardware acceleration enabled. The video is using live versions of the <a href="http://www.f-secure.com/weblog/archives/F-Secure_World_Map_Data_20080704.KML">KML files</a> mentioned in <a href="http://www.f-secure.com/weblog/archives/00001467.html">this post</a>. Some of you wrote to ask about additional KML samples. While it isn't difficult, it does take a bit of time to remove the IP addresses from the feeds. It's not something that I'll do often. But perhaps monthly releases would be of interest? Signing off, Sean On 17/07/08 At 09:12 PM 2008-07-18T16:03:36Z 2008-07-18T16:03:36Z Video - Global Malware tag:www.f-secure.com,2008-07-18:%2Fweblog%2Farchives%2F00001470.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com There was a remote code execution vulnerability for Mozilla Firefox 3 discovered last month. We mentioned it in our <a href="http://www.f-secure.com/weblog/archives/00001458.html">June 19th post</a>. Version 3.0.1 has been released to resolve MFSA2008-34 and two other security issues. But the nice thing about Firefox is that you probably already know about the fix if you have the "automatically check for updates" option selected. <img width="710" height="330" border="0" src="http://www.f-secure.com/weblog/archives/Firefox301.png" alt="Firefox 3.0.1" /> For more details see the Firefox 3.0.1 <a href="http://en-us.www.mozilla.com/en-US/firefox/3.0.1/releasenotes/">Release Notes</a> or <a href="http://www.mozilla.org/security/announce/2008/mfsa2008-34.html">Mozilla Foundation Security Advisory 2008-34</a>. On 17/07/08 At 05:01 PM 2008-07-18T16:03:36Z 2008-07-18T16:03:36Z Firefox 3.0.1 Released tag:www.f-secure.com,2008-07-18:%2Fweblog%2Farchives%2F00001469.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com Microsoft released four security updates yesterday. <a href="http://blogs.technet.com/msrc/archive/2008/07/08/july-2008-bulletin-monthly-release.aspx"><img width="750" height="320" border="0" src="http://www.f-secure.com/weblog/archives/July_Updates.png" alt="July Updates" /></a> The DNS update is noteworthy as it's part of a significant <a href="http://news.zdnet.co.uk/security/0,1000000189,39444944,00.htm">multi-vendor effort</a>. There will be lots of patching going on as a result. The MS08-037 <a href="http://www.theregister.co.uk/2008/07/09/ms_dns_patch_zonealarm_woes/">update reportedly conflicts with ZoneAlarm's firewall</a> software. Proceed with caution if you have ZA installed. All of <a href="http://blogs.technet.com/msrc/archive/2008/07/08/july-2008-bulletin-monthly-release.aspx">this month's updates</a> are rated as important. The SQL update is of interest to us what with the recent <a href="http://www.microsoft.com/technet/security/advisory/954462.mspx">SQL Security Advisory</a> and the rise in <a href="http://www.f-secure.com/weblog/archives/00001427.html">Mass SQL injection attacks</a>. Microsoft is working to secure SQL servers. Clearly there's a group of bad guys focused on SQL. How could an attacker exploit the patched vulnerabilities? An authenticated attacker could create insert statements that cause a buffer overrun, thus corrupting memory in such a way as to allow code execution &mdash; and you can easily do INSERT statements in SQL injections if the code isn't sanitized properly. We recommend that you try out the free <a href="http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2008/06/23/finding-sql-injection-with-scrawlr.aspx">HP Scrawlr</a> and <a href="http://learn.iis.net/page.aspx/473/using-urlscan">UrlScan</a> tools mentioned the SQL advisory and apply the SQL update to your servers. Update: The Microsoft Security Response Center (MSRC) has a <a href="http://blogs.technet.com/msrc/archive/2008/07/10/revision-for-ms08-037.aspx">revision for MS08-037</a>. On 09/07/08 At 04:22 PM 2008-07-18T16:03:36Z 2008-07-18T16:03:36Z DNS and SQL Updates tag:www.f-secure.com,2008-07-18:%2Fweblog%2Farchives%2F00001468.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com It may surprise some to find out exactly how much we use Python in our daily work here in the Security Lab (and beyond). Well truth be told, it's hard to imagine life at F-Secure without it. That's why F-Secure is well represented with five individuals from Helsinki and Stockholm sent to this year's European Python Conference taking place right now in Vilnius, Lithuania. <a href="http://www.f-secure.com/weblog/archives/DSCF1271.jpg"><img border="0" src="http://www.f-secure.com/weblog/archives/DSCF1271.jpg" width="480" height="360"></a> The conference opened this morning at 9:00 local time and the lectures end Wednesday evening with sprints taking place beyond that, all the way through Saturday. Today's lectures will come to an end with a special video conference featuring none other than <a href="http://en.wikipedia.org/wiki/Guido_van_Rossum">Guido van Rossum</a>, the author of the Python programming language. We'll try to bring some of the highlights of the conference as soon as we can but in the meantime, why not head over to <a href="http://www.europython.org">EuroPython 2008</a> to learn a bit more, and maybe start planning your attendance to next year's conference. <a href="http://www.f-secure.com/weblog/archives/DSCF1280.jpg"><img border="0" src="http://www.f-secure.com/weblog/archives/DSCF1280.jpg" width="480" height="360"></a> Signing off for now, Dan On 07/07/08 At 12:12 PM 2008-07-18T16:03:36Z 2008-07-18T16:03:36Z Live from Vilnius, EuroPython 2008 tag:www.f-secure.com,2008-07-18:%2Fweblog%2Farchives%2F00001467.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com Happy Independence Day USA. <img width="700" height="525" border="0" src="http://www.f-secure.com/weblog/archives/USA_Fireworks_Spam.png" alt="Fireworks Spam" /> Our use of Google Earth <a href="http://www.f-secure.com/weblog/archives/00001448.html">was a weblog topic several weeks ago</a>. We've been working on additional features since then. There were a few questions asked in the <a href="http://www.f-secure.com/weblog/archives/comments.html?PostID=00001448">comments</a> section. Question &mdash; I like maps like these (I like maps in general). But � and I'm asking this out of curiosity, not because I'm criticising your work &ndash; does it add something to anti-malware research? Answer &mdash; The map's data source comes from our statistics server, which is very useful in our forecasting efforts. Analyzing the numbers helps drive the direction of our research. The application of the data to Google Earth adds to our presentation and education efforts. Actually seeing a real-time view of malware in the world really helps lab visitors understand the threat scope. The <a href="http://www.f-secure.com/weblog/archives/00001095.html">live world map</a> also shows real-time spikes in malware traffic and assists our shift managers. Question &mdash; Are we able to subscribe to these feeds? Answer &mdash; Unfortunately the public is unable to subscribe to the feeds. The data contains IP addresses and because those IP address are the source of spam, malware, et cetera &mdash; that means there are infected computers on the other end. Infected computers are vulnerable to further exploitation. One of the ways to build a botnet is to hijack someone else's. We also consider IP addresses to be personal data. <a href="http://www.f-secure.com/weblog/archives/Phishing_in_Fairbanks.jpg"><img width="500" height="500" border="0" src="http://www.f-secure.com/weblog/archives/Fairbanks_Phishing.png" alt="Phishing in Fairbanks" /></a> Click the image for a 1400x1050 view. So because you can't subscribe to the feeds, we've created an offline KML file that you can download and import into your own installation of Google Earth. We've sanitized the IP addresses to 0.0.0.0. Here's the data from today, <a href="http://www.f-secure.com/weblog/archives/F-Secure_World_Map_Data_20080704.KML">20080704.KML</a>. Legend: <img width="250" height="300" border="0" src="http://www.f-secure.com/weblog/archives/GoogleEarthLegend.png" alt="Google Earth Legend" /> GeoIP conversion can be very helpful. The <a href="http://www.f-secure.com/weblog/archives/00001335.html">Warezov botnet uses fast-fluxing techniques</a> with domain names registered in China. Sending abuse messages regarding the domains is fairly pointless. New domains quickly replace any that are actually taken down. Locating the infected servers is more useful. The last time we analyzed our Warezov pharmacy site hosts lists, we found 397 unique domains online. Those 397 domains resolved to 76 unique IP address, 40 of which are located in the United States according to GeoIP. That list of 76 addresses is a much better target of abuse. Warezov pharmacy website hosts <a href="http://www.f-secure.com/weblog/archives/Warezov_Pharmacy_Sites_sans_IPs.KML">KML file</a>. Seattle is infested&hellip; <img width="600" height="500" border="0" src="http://www.f-secure.com/weblog/archives/Warezov_bots_Seattle.png" alt="Warezov bots in Seattle" /> Just out of curiosity, we can also do other things with GeoIP conversions such as determine where our readership resides, e.g. we converted the IP addresses of those that answered our recent <a href="http://www.pollmonkey.com/p.asp?U=5562248985">browser poll</a>. KML files can be viewed via Google Earth or they can be imported into <a href="http://maps.google.com/maps/ms?hl=en&amp;ie=UTF8&amp;oe=UTF8&amp;msa=0&amp;msid=116935375438237165987.00045130313f7853f21be&amp;z=2">Google Maps</a>. <a href="http://maps.google.com/maps/ms?hl=en&amp;ie=UTF8&amp;oe=UTF8&amp;msa=0&amp;msid=116935375438237165987.00045130313f7853f21be&amp;z=2"><img width="720" height="400" border="0" src="http://www.f-secure.com/weblog/archives/GoogleMapPollRespondents.png" alt="Google Maps - Weblog Poll Respondents" /></a> On 04/07/08 At 02:08 PM 2008-07-18T16:03:36Z 2008-07-18T16:03:36Z Google Earth Downloads tag:www.f-secure.com,2008-07-18:%2Fweblog%2Farchives%2F00001466.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com As the United States is preparing for one of their biggest holidays of the year, 4th of July, it wasn't really a surprise to see that the Storm gang has started using this as a social engineering vector. <center> <img border="0" src="http://www.f-secure.com/weblog/archives/storm_4th_july.jpg" alt="4th July of Storm" height="586" width="738" /> </center> Using fireworks as the social engineering vector is definitely not new. Remember <a href="http://www.f-secure.com/v-descs/ska.shtml">Happy99</a>? On 03/07/08 At 11:23 PM 2008-07-18T16:03:36Z 2008-07-18T16:03:36Z Stormy Fireworks tag:www.f-secure.com,2008-07-18:%2Fweblog%2Farchives%2F00001465.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com Tibia is a massively multiplayer online role-playing game (MMORPG). See part one of this post for <a href="http://www.f-secure.com/weblog/archives/00001464.html">more details</a>. Open Tibia players use "IP Changer" applications to reconfigure their Tibia clients. We recently analyzed a sample which included one such IP Changer. It's detected as Trojan-Dropper.W32/Agent.EUJ. Agent.EUJ has a file size of 728,637 bytes and is packed with FSG 2.0. When the file is executed it runs this IP Changer: <img width="206" height="122" border="0" src="http://www.f-secure.com/weblog/archives/Tibia_IPChanger.png" alt="IPChanger" /> It also installs a Trojan-Spy on the player's computer. <a href="http://www.f-secure.com/blacklight/">BlackLight</a> reveals FQHG.exe hidden in the process list. <img width="489" height="337" border="0" src="http://www.f-secure.com/weblog/archives/Blacklight_FQHG.png" alt="Blacklight FQHG" /> So this is what happens when Agent.EUJ is executed&hellip; It drops and executes: <blockquote> C:\WIN.EXE &ndash; detected as Trojan-Dropper.Win32.Small.awz C:\SHYNZO IPCHANGER.EXE &ndash; which is a non-malicious IP Changer </blockquote> Small.awz is compiled in Microsoft Visual C++ 6.0 with a file size of 492,166 bytes. It creates the following files: <blockquote> %temp%\@{random hex numbers}.tmp &ndash; a library file detected as Monitor.Win32.Ardamax.o %temp%\@{random hex numbers}.tmp &ndash; a non-executable file which has embedded malicious executable files </blockquote> Small.awz then loads the library file and executes its exported function "sfx_main". This library file extracts the embedded malicious executable files in the non-executable file "%temp%\@{random hex numbers}.tmp" and drops it to the folder %windir%\Sys32. <blockquote> %windir%\Sys32\FQGH.006 &ndash; detected as Trojan-Spy:W32/Ardamax.N %windir%\Sys32\FQGH.007 &ndash; detected as Monitor.Win32.Ardamax.o %windir%\Sys32\FQGH.exe &ndash; detected as Trojan-Spy.Win32.Ardamax.r %windir%\Sys32\AKV.exe &ndash; detected as Trojan-Spy.Win32.Ardamax.gz </blockquote> Lastly, it executes Trojan-Spy.Win32.Ardamax.r. Ardamax.r is used by the files FQGH.006, FQGH.007 and AKV.exe as a component for hiding its process, to monitor processes, and to take snapshots of the system. It creates the following Registry entry as its Autorun: <blockquote> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FQHG Agent = "%windir%\Sys32\FQHG.exe" </blockquote> It then sends the snapshots and monitored processes via e-mail to "Ardamax Keylogger" <[REMOVED]@itelefonica.com.br>. E-mail message: <img width="738" height="538" border="0" src="http://www.f-secure.com/weblog/archives/Agent_EUJ_1.png" alt="Agent.EUJ" /> E-mail message: <img width="630" height="462" border="0" src="http://www.f-secure.com/weblog/archives/Agent_EUJ2.png" alt="Agent.EUJ" /> Monitor logs: <img width="578" height="418" border="0" src="http://www.f-secure.com/weblog/archives/Agent_EUJ_3.png" alt="Agent.EUJ" /> Online game passwords are frequently targeted for a variety of reasons. Hacked accounts are a common support issue. Check out option number four from Tibia's Lost Acconts page&hellip; <img width="600" height="480" border="0" src="http://www.f-secure.com/weblog/archives/Tibia_LostAccount.jpg" alt="Tibia Lost Account" /> Response Team post by � Lordian &amp; Sean On 03/07/08 At 06:06 PM 2008-07-18T16:03:36Z 2008-07-18T16:03:36Z Tibia: Part Two tag:www.f-secure.com,2008-07-18:%2Fweblog%2Farchives%2F00001464.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com Massively multiplayer online role-playing games (MMORPGs) are immensely popular. <a href="http://www.tibia.com/abouttibia/?subtopic=whatistibia">Tibia</a> was established in 1997 and is an MMORPG with 250 thousand players. It's a free game that includes the option to pay for a premium account &mdash; which provides special in-game benefits. It's developed by <a href="http://www.cipsoft.com/home/index.php?language=en">Cipsoft GmbH</a>. <img width="315" height="250" border="0" src="http://www.f-secure.com/weblog/archives/What_is_Tibia.jpg" alt="What is Tibia?" /> The basic idea is to play for free and those that pay get extra stuff. A mobile version called <a href="http://www.tibiame.com/home/?language=en">TibiaME</a> also exists using the same pricing model. The majority of Tibia's players are from Brazil, Poland and Sweden that are distributed between servers located in Germany and the United States. With success often come those that wish harm for one reason or another. Tibia's servers in the United States have experienced problems due to repeated and ongoing DDoS attacks. Cipsoft's Marketing Manager Mercutio Mercado's <a href="http://mercutiosmind.blogspot.com/2008/04/ddos-interview.html">blog has more details</a>. According to Mercado's interview: Most of the attacks concentrate on a few servers, so we think we are dealing with a personal vendetta, which is used to take revenge over in-game issues. Personal Vendetta? Moving an online grudge into the offline world? This shouldn't be surprising to anyone familiar with the social interactions of MMORPGs&hellip; Some people prefer to create their own reality and play unofficial versions of Tibia using "<a href="http://www.open-tibia.com/">Open Tibia</a>". There are numerous OT Servers available with many in <a href="http://brazil.otservlist.org/">Brazil</a> and <a href="http://poland.otservlist.org/">Poland</a>. OT players use an official Tibia software client to connect to unofficial open source back-ends. Open Tibia players use a tool called an IP Switcher to configure the server that they play. Part two of this post will examine a Trojan-Spy that uses such an IP Switcher as bait. It appears to have been written by a Brazilian. Perhaps it was authored by someone with an online grudge? Response Team post by &mdash; Lordian &amp; Sean On 02/07/08 At 04:02 PM 2008-07-18T16:03:36Z 2008-07-18T16:03:36Z Tibia: Part One tag:www.f-secure.com,2008-07-18:%2Fweblog%2Farchives%2F00001463.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com Microsoft's Internet Explorer 6 has a reported <a href="http://www.f-secure.com/vulnerabilities/SA30857">cross-domain scripting vulnerability</a> which could potentially expose user credentials (such as usernames/passwords) and allow cookie hijack sessions. Based on the results of <a href="http://www.pollmonkey.com/p.asp?U=5562248985">our most recent poll</a>: <img width="460" height="256" border="0" src="http://www.f-secure.com/weblog/archives/BrowserPoll.png" alt="Browser Poll Results" /> &hellip;this won't directly affect 98% of our readership. But as <a href="http://www.f-secure.com/weblog/archives/comments.html?PostID=00001456">Mike Clark commented</a>, "I answered Firefox, but I filled out the survey in IE6! This is because I am at work and my boss specifically refuses to allow me to use FF". So at least one of you has to use IE 6. As <a href="http://blogs.zdnet.com/security/?p=1348">per reports</a>, the vulnerability exploits Internet Explorer 6 installed on Windows XP SP2/SP3. The latest version of Internet Explorer (IE 7) with its improved handling of JavaScript protocol URLs is not vulnerable. This vulnerability has been reported to Microsoft and the research team has created a proof of concept: http://raffon.net/research/ms/ie/crossdomain/string.html If you open the link in IE 6, you'll see that the domain raffon.net has been linked to the cookie of different domain, i.e. Google.com. It's a PoC and isn't yet known to be in the wild, but it is considered to be moderately critical as <a href="http://www.w3schools.com/browsers/browsers_stats.asp">many people still use IE 6</a>. Vulnerability Team post by &mdash; Jay On 27/06/08 At 02:44 PM 2008-07-18T16:03:36Z 2008-07-18T16:03:36Z Internet Explorer 6 Cross-Domain Scripting Vulnerability tag:www.f-secure.com,2008-07-18:%2Fweblog%2Farchives%2F00001462.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com We've published our <a href="http://www.f-secure.com/2008/1/index.html">Security Threat Summary for the First Half of 2008</a>. You find the report and video from <a href="http://www.f-secure.com/2008/1/index.html">www.f-secure.com/2008/</a>. You can watch the video via our <a href="http://f-secure.goodmood.net/tv?player-video_id=8368">video-channel</a>: <a href="http://www.f-secure.com/video-channel/"><img width="585" height="475" border="0" src="http://www.f-secure.com/weblog/archives/SecuritySummaryH12008_VC.png" alt="Security Summary H1 2008 Video-Channel" /></a> Or you can watch the video via our lab's <a href="http://www.youtube.com/watch?v=Lf1pCBgYzzU">YouTube Channel</a>: <a href="http://www.youtube.com/user/fslabs"><img width="465" height="293" border="0" src="http://www.f-secure.com/weblog/archives/SecuritySummaryH12008_YT.png" alt="Security Summary H1 2008 YouTube" /></a> If you're behind some restrictive firewalls, such as .mil domains, <a href="http://www.f-secure.com/weblog/archives/aboutus.htm">e-mail</a> and we'll provide you a link for a download. Cheers! On 25/06/08 At 04:25 PM 2008-07-18T16:03:36Z 2008-07-18T16:03:36Z Data Security Summary - January to June 2008 tag:www.f-secure.com,2008-07-18:%2Fweblog%2Farchives%2F00001461.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com Trojan number one: A report of an <a href="http://www.f-secure.com/vulnerabilities/SA30776">Apple Remote Desktop Agent vulnerability</a> recently surfaced. Now there's news of a trojan that can exploit the flaw. The exploit tool, called "Applescript Trojan horse template" was crafted by forum participants of MacShadows.com. These guys appear to have been hobbyist hackers interested in testing the ARDAgent vulnerability. It doesn't appear to be in the wild at present. We detect it as Backdoor.Mac.Hovdy.a. What's the ARDAgent flaw? In a nutshell, ARDAgent runs Applescript with root privileges. So once the victim is tricked into installing Hovdy, no user passwords are required for it to do its thing, which is provide backdoor access to the attacker. You can read more details from Security Fix <a href="http://blog.washingtonpost.com/securityfix/2008/06/serious_security_vulnerabilty_1.html">here</a> and <a href="http://blog.washingtonpost.com/securityfix/2008/06/new_trojan_leverages_unpatched.html">here</a>. SecureMac's advisory is <a href="http://www.securemac.com/applescript-tht-trojan-horse.php">here</a>. Trojan number two: There was also another Mac OSX trojan discovered last week. This one was found by <a href="http://www.intego.com/news/ism0803.asp">Intego</a>. We detect it as Trojan-PSW:OSX/PokerStealer.A. &mdash;&mdash;&mdash;&mdash;&mdash; Response Analyst Mark G. performed our analysis and provided the following details: PokerStealer.A heavily relies on social engineering. It comes with the filename PokerGame.app (180Kb), sounds interesting, right? <img width="144" height="164" border="0" src="http://www.f-secure.com/weblog/archives/Trojan_PSW_OSX_PokerStealer_A_1.png" alt="Trojan-PSW:OSX/PokerStealer.A" /> However, once executed, it will prompt the user for a password. <img width="360" height="197" border="0" src="http://www.f-secure.com/weblog/archives/Trojan_PSW_OSX_PokerStealer_A_2.png" alt="Trojan-PSW:OSX/PokerStealer.A" /> It checks the provided password to see if it matches the username of the machine. If not, it will ask again. It needs the user's password to continue. What happens behind the scenes is the following: it enables the SSH of the infected machine by running; it acquires the local IP address, subnet mask, private IP address of the router (domain), public IP address by querying via the Internet; it gets the version of OSX, recovers its hash and saves it to a file named "secret_file". After all the necessary information has been gathered it then sends the information to a specific e-mail address with a subject of "Howdy" and the message details include username, password, and IP addresses. With the e-mailed information, the attacker can perform routines from a remote location through SSH without the user knowing it and may even take control of the infected machine. &mdash;&mdash;&mdash;&mdash;&mdash; The PokerStealer.A trojan appears to have been written by someone with more than just hobbyist level motivations. PokerStealer's infection is limited by the password requirement. So what do you think happens next? That's right. The author of PokerStealer (motivated by profit) is going to seek out the hobbyist's "Applescript Trojan horse template" and will reduce the infection steps of PokerStealer.A to simply running an application named "PokerGame". How many Mac users do you think like to play poker? On 24/06/08 At 03:35 PM 2008-07-18T16:03:36Z 2008-07-18T16:03:36Z Two New Mac OSX Trojans tag:www.f-secure.com,2008-07-18:%2Fweblog%2Farchives%2F00001460.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com I've been using <a href="http://www.cryptorights.org/lists/pgp-users/resources/pgp-version-history.html">PGP</a> (Pretty Good Privacy) since version 2.1. I generated my first public/secret keypair in March 1993. Here's a screenshot of it: <img width="500" height="297" border="0" src="http://www.f-secure.com/weblog/archives/pgp384.png" alt="PGP"> As you can see, I underestimated the need for sufficient keylengths; my first key was a 384-bit RSA key. Keylengths actually mattered in 1993 &mdash; we were running 486 processors at the time, and using long keys was slow. However, I quite quickly realized that 384 bits wasn't going to be enough and my key would eventually became crackable as factoring technology would get better and computers would get more powerful. So I took the plunge and created a new keypair &mdash; this time with a whopping 1024-bit keylength! I actually spent the shortest night of the summer 1993 to do that &mdash; the midsummer night. And the new key was long enough. It was slow, yes &mdash; but it was long enough. In fact, I still use it today, almost daily. I've never needed to generate a new keypair. Around 1994 I got Dr. Vesselin Bontchev to sign my key. Which was cool, because Vesselin's key was signed by Phil Zimmerman &mdash; the guy behind PGP. And the midsummer night in 1993&hellip; it was the 21st of June. Which means my key is 15 years old today. Happy Birthday, key 0F265709. You've served well. <img width="526" height="187" border="0" src="http://www.f-secure.com/weblog/archives/pgp1024.png" alt="PGP"> On 21/06/08 At 10:35 PM 2008-07-18T16:03:36Z 2008-07-18T16:03:36Z Pretty Good Key tag:www.f-secure.com,2008-07-18:%2Fweblog%2Farchives%2F00001459.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com Earlier today we saw a big increase in e-mails going around with all sorts of interesting subjects, not totally unlike the ones used by the <a href="http://www.f-secure.com/weblog/archives/00001457.html">latest Storm</a>. <center><img width="684" height="368" border="0" src="http://www.f-secure.com/weblog/archives/agent_tyw_mail.jpg" alt="sagent_tyw_mail" ></center> So far we've seen subjects talking about everything from White House hit by lightning, catches fire to Italy knocked out of Euro 2008 and Nokia unveils revolutionary new phone design. It's a pretty long list of different subjects &mdash; too long to list them all here so we've put them in a downloadable <a href="http://www.f-secure.com/weblog/archives/agent_tyw_subjects.txt">TXT file</a> instead. All of the messages contain a link to different compromised sites which contain the same fake PornTube page. Once there the page displays an error message telling the user that they need to install a Video ActiveX component. The file that gets downloaded is spam trojan that sends out lots of e-mails with links pointing back to the compromised sites. <center><img width="740" height="555" border="0" src="http://www.f-secure.com/weblog/archives/agent_tyw_www.jpg" alt="agent_tyw_www" ></center> The list of compromised sites is pretty extensive as well, we've been able to identify 74 different sites so far whereof only a handful have been fixed. One thing that's not really normal about this case &mdash; we first saw the file that gets downloaded, video.exe, over two days ago and already added detection for it then. Why would they send spam promoting an old file? Well, we've seen malware writers do stupid things <a href="http://www.f-secure.com/weblog/archives/00001450.html">before</a>. On 20/06/08 At 06:11 AM 2008-07-18T16:03:36Z 2008-07-18T16:03:36Z Lots of Subjects and One Video XML::Atom::SimpleFeed 2008-07-18T16:03:36Z Weblog of F-Secure Antivirus Research Team F-Secure Antivirus Research Weblog