So far the biggest announcement has been that Adobe will join MAPP (Microsoft Active Protections Program) and will start sharing vulnerability information for all Adobe products through it. This means that MAPP partners, such as F-Secure, will get advance notifications of vulnerabilities in products such as Adobe Reader or Flash, enabling us to better protect our users.
Regular readers of our blog will know that we have often been quite critical of Adobe. But here we want to give them full credit for a good move.
The conference has just started and there should be more interesting stuff coming up. I will be delivering my talk tomorrow. It's titled "You Will Be Billed $90,000 For This Call".
It seems that rogue peddlers have gotten tired of their old tricks for pushing rogueware onto users' systems. It used to be a fake scanning page that leads to a warning, and then to a fake AV.
Now it comes as the Firefox "Just Updated" page. You know that page that appears the first time you open Firefox right after it has been updated? Just like that. But with a catch, of course. There is a message telling the user that even if their Firefox got updated, their Adobe Flash Player isn't, so they still have to update. Pretty helpful…
And the user doesn't need to click anything, the download dialog box immediately appears as soon as the page loads…
When the user runs the file… Bad old rogue AV…
Somehow the rogue guys couldn't decide if it's going to be Firefox or Flash Player… so it became a little bit of both.
Note: The malicious site is already blocked and the rogue is detected in our latest database updates.
Here's the bad news: several additional malware families are now attempting to exploit Microsoft's LNK vulnerability (2286198).
But here's the good news: so far, the new exploit samples are detected by us, and by many other vendors. Basically we're seeing new payloads using the same basic exploit method, which is being detected generically, and not new versions of the exploit.
Chymine is a new keylogger (which you can see from the .A variant). It uses the LNK vulnerability to infect, but it doesn't create additional .LNK files to spread (so no worm vector). The folks at ESET discovered Chymine.
Vobfus is an older family that has always used shortcuts, combined with social engineering. This latest variant is merely adding to its feature set. Microsoft researcher, Marian Radu, named the Vobfus family.
Today's news involves Sality (a popular polymorphic virus), and Zeus (a popular botnet). We generically detect the Sality sample and the LNK file it uses as a spreading vector.
The Zeus variant was discovered as an e-mail attachment with a message supposedly from "Security@microsoft.com" and the subject "Microsoft Windows Security Advisory."
This is the body:
Zeus is a challenging threat to combat, and not many vendors detect this variant yet. We're adding detection now. Fortunately, the exploit it uses is detected by many vendors, and the whole scheme relies on socially engineering the victim into opening a password-protected zip file and copying lol.dll to the root of the C: drive, since the exploit only works if the path to the DLL is known in advance.
We don't really expect great success for this particular variant of Zeus.
A World of Warcraft account could be a pot of gold for phishers, depending on the player's achievements. In-game items are in demand and can be sold for real cash, making WoW accounts a favorite phishing target.
An analyst from our Response Lab recently received an e-mail from Blizzard (the creator of WoW) asking for account verification. At a glance, the e-mail appeared to be coming from a legit source. Look at the "From" address. Nothing suspicious here.
Upon further reading of the e-mail content (click image above for larger view), something seemed off. The account has to be verified at an external site not associated with Blizzard; the e-mail content was written with noticeable grammatical errors.
Further investigation revealed that the e-mail was sent from an individual e-mail account. The phisher is using an SMTP relay attack to spoof the "From" address so that the e-mail seems to originate from Blizzard (click the image below for a larger view):
Accounts for Blizzard games, particularly WoW, Starcraft II and Diablo III are currently being handled by Battle.net. Take note that any changes in the account require a thorough verification process, where a valid ID has to be presented.
Phishers are getting smarter, and their social engineering has gotten more subtle and harder to detect. It is up to the user to be extra careful and not to trust every source blindly.
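One way to check a message like this before trusting it, as an added example that is not part of the original post and not F-Secure code: parse the headers, find where the message actually entered the mail system (the last Received header, since each hop prepends its own), and compare both that origin and the link targets in the body against the domain the From header claims. The two messages below are constructed for the example; the hosts, IP addresses, mailbox names and URL are placeholders, and only the pattern (a spoofed blizzard.com From address plus a verification link on an unrelated site) comes from the post. The receiving server's SPF/DKIM checks are the proper automated version of this; the script is the manual triage an analyst would do on a suspicious message.

```python
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (hosts, IPs, addresses and the URL are placeholders).
# Received headers are prepended by each hop, so the LAST one is the origin.
PHISH = """Received: from mx.example.net (mx.example.net [192.0.2.10])
    by mail.example.com with ESMTP id 4f9a; Tue, 20 Jul 2010 09:12:01 +0300
Received: from [198.51.100.77] (unknown [198.51.100.77])
    by mx.example.net with SMTP id 7c1; Tue, 20 Jul 2010 09:11:58 +0300
From: "Blizzard Entertainment" <noreply@blizzard.com>
To: analyst@example.com
Subject: World of Warcraft Account Verification
Content-Type: text/plain; charset=us-ascii

Your account need to be verify within 24 hours or it will be suspended.
Please verify here: http://battle-net-verify.example.org/login.php
"""

# Constructed control case: origin host and links match the From domain.
LEGIT = """Received: from mail1.example-shop.com (mail1.example-shop.com [203.0.113.5])
    by mail.example.com with ESMTP id 9b2; Tue, 20 Jul 2010 10:00:00 +0300
From: Example Shop <orders@example-shop.com>
To: analyst@example.com
Subject: Your order
Content-Type: text/plain; charset=us-ascii

Track your order at https://www.example-shop.com/orders/1234
"""

RECEIVED_FROM = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
URL = re.compile(r"https?://[^\s<>\"']+")
IPV4 = re.compile(r"^\[?\d{1,3}(\.\d{1,3}){3}\]?$")


def registrable_domain(host_or_addr):
    """Last two labels of a host name, or of the domain part of an address.
    Assumption: good enough for .com/.org; ccTLDs such as .co.uk need a suffix list."""
    host = host_or_addr.rsplit("@", 1)[-1].strip("[]<>").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def analyze(raw):
    """Return the claimed From domain, the host in the earliest Received header,
    the domains linked from the body, and a list of mismatches between them."""
    msg = email.message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = registrable_domain(from_addr)

    received = msg.get_all("Received") or []
    origin = None
    if received:
        m = RECEIVED_FROM.match(received[-1].strip())
        origin = m.group(1) if m else None

    payload = msg.get_payload(decode=True)
    text = payload.decode("utf-8", "replace") if isinstance(payload, bytes) else str(payload)
    link_domains = sorted({registrable_domain(urlparse(u).hostname or "")
                           for u in URL.findall(text)})

    findings = []
    if origin is not None:
        if IPV4.match(origin):
            findings.append("message entered from bare IP %s, not a %s mail host" % (origin, from_domain))
        elif registrable_domain(origin) != from_domain:
            findings.append("message entered from %s, which is not under %s" % (origin, from_domain))
    foreign = [d for d in link_domains if d != from_domain]
    if foreign:
        findings.append("links point outside %s: %s" % (from_domain, ", ".join(foreign)))
    return {"from_domain": from_domain, "origin": origin,
            "link_domains": link_domains, "findings": findings}


if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, "->", analyze(raw)["findings"] or ["no mismatches"])
```

Two findings on the constructed phish (origin is a bare IP, link domain is not the sender's) and none on the control message. A legitimate sender that uses a third-party bulk mailer will also trip the origin check, which is why this is a triage aid and not a verdict.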
Version 1.2 of the advisory has an important new detail:
"An exploit can also be included in specific document types that support embedded shortcuts."
Documents such as, but not limited to, Microsoft Office documents.
This really expands the potential reach of the LNK vulnerability. Depending on how easily such documents can be weaponized, we will now almost certainly see targeted-attack attachments arriving via e-mail messages.
Fortunately, Microsoft's Active Protections Program (MAPP) provides excellent technical details, and so we have further improved our protection against the WormLink exploit. Our latest signatures, Exploit:W32/WormLink.B and .C, are more generic and effective than the previous one. Kudos to Microsoft.
Let's review the workarounds listed in the advisory.
• Disable the displaying of icons for shortcuts
• Disable the WebClient service
• Block the download of LNK and PIF files from the Internet
Microsoft Support has a Knowledge Base Article which includes their one click "Fix it" buttons for disabling shortcut functionality.
Everyone should review this new information and evaluate it for their environment while Microsoft continues their work to develop a security update.
There are a couple of new developments in the Stuxnet rootkit case. Last night, the analysts in our Kuala Lumpur lab added detection for another digitally signed Stuxnet driver. This one uses a certificate from JMicron Technology Corporation.
We've speculated internally that the leak of Realtek's Authenticode key could have resulted from Aurora-style attacks targeting source code management systems, but now, given the physical proximity of these two companies, we wonder if some physical penetration was also involved.
Additional news regarding Stuxnet is that Siemens, whose SIMATIC WinCC databases are targeted, has advised against changing their SCADA system's hardcoded password. The concern is that adjusting the password will create damaging conflicts.
"For Windows 7 systems, AutoPlay functionality for removable disks is automatically disabled."
This is still inaccurate. Or at least, it's not accurate enough. We know what Microsoft is trying to say but we think some folks might misinterpret. It would be better to state that AutoPlay functionality for removable disks is automatically LIMITED.
Take a look at our Windows 7 test machine, which had been hardened. This is a button in the AutoPlay Control Panel:
"Reset all defaults."
So we opted to restore the defaults:
"Use AutoPlay for all media and devices" is now enabled. That's ALL media and devices.
This is the dialog that was presented when a USB flash drive containing multimedia files was inserted into the Windows 7 system:
The highlighted option is "Open folder to view files."
So what is disabled? AutoPlay? No. Windows 7 AutoPlay isn't disabled, rather, it doesn't include the OPTION to set a default ACTION for removable disks.
But in the case of the LNK vulnerability, one click, and you're at risk, by DEFAULT.
Windows 7 AutoPlay is a significant improvement compared to Windows XP AutoPlay. In fact, it is probably close to a perfect balance of security and functionality… for consumers.
However, businesses and organizations at risk from targeted attacks are a different story. They should fully disable AutoPlay.
For example, this is one of Conficker's methods of attack:
Conficker's autorun.inf file used a Windows system folder icon in its efforts to be the first option presented. One click, and you'll launch the autorun.inf. Clever trick, eh?
Here's another theoretical AutoPlay issue (not a vulnerability). USB storage devices can include a partition formatted as a Virtual CD.
In this case, the partition is treated as a regular CD by AutoPlay.
When we wrote the Virtual CD post back in June, it seemed highly unlikely that we'd see it deliberately used in a targeted attack. We thought it was much more likely to affect someone due to a compromise in the manufacturing process; that the Virtual CD would be infected in the master copy at the factory.
But now, considering the Stuxnet case, which uses a zero-day flaw, signed drivers, and targets Siemens SIMATIC WinCC databases… maybe the idea of a Virtual CD attack isn't so far fetched after all. Clearly there's some very motivated espionage in play.
Bottom line: If you're an IT manager with Windows 7 systems in your network, disable AutoPlay.
If you're not following Mikko's Twitter feed, you may have missed yesterday's news that public proof of concept exploit code for the Windows shortcut (.lnk) vulnerability has been released on exploit-db.com.
This further escalates the danger of the shortcut vulnerability. So far, only the authors of the Stuxnet rootkit have utilized the flaw, but now there's just no doubt that other bad guys will soon follow.
Fortunately some folks are also using the PoC for good.
Didier Stevens (well known for his research on Adobe Reader's /launch feature) tested the exploit with his Ariad tool and it was successfully blocked. Stevens has tested back to Windows 2000 SP4. If you need to maintain a legacy system that's not scheduled for a Microsoft Security update (such as Windows XP SP2), Ariad might be an option.
But Stevens calls Ariad beta software, and so that won't be an option for some. So what else can be done?
"takes advantage of specially-crafted shortcut files (also known as .lnk files) placed on USB drives to automatically execute malware as soon as the .lnk file is read by the operating system. In other words, simply browsing to the removable media drive using an application that displays shortcut icons (like Windows Explorer) runs the malware without any additional user interaction."
Simply browsing the removable drive. No clicking.
And then there's a question about the AutoPlay feature. The advisory states:
"For systems that have AutoPlay disabled, customers would need to manually browse to the root folder of the removable disk in order for the vulnerability to be exploited. For Windows 7 systems, AutoPlay functionality for removable disks is automatically disabled."
But this is what comes up, by default, when we plug a USB device into our Windows 7 test system:
That dialog does say AutoPlay, right? So it seems that AutoPlay isn't automatically disabled on Windows 7 systems.
Perhaps it should have said AutoRun is disabled by default? (Windows 7 is definitely better at handling removable media than previous versions of Windows, but AutoPlay still seems to be a default feature.)
In any case, having AutoPlay disabled isn't much of a mitigating factor for this vulnerability. It's only: click Start, click Computer, and click Removable Disk. Three clicks and you're at risk. But still, organizations should disable the AutoPlay feature in order to limit Windows 7 social engineering tricks.
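For an IT manager who wants to roll out both the advisory's registry workarounds (the shortcut icon handler and the WebClient service, discussed earlier on this page) and the "disable AutoPlay for all drives" policy recommended here, the following is an added example, not Microsoft's Fix it and not F-Secure code. It renders the changes as a .reg file that can be imported with regedit /s, or writes them directly through winreg on a Windows host. The key paths are the documented ones: blanking the default value of HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler (and its piffile twin for PIF shortcuts) is the advisory's icon-display workaround; Start=4 under the WebClient service key is the standard "disabled" start type; NoDriveTypeAutoRun=0xFF under Policies\Explorer is what the "Turn off AutoPlay: All drives" Group Policy sets. The apply_ops helper and the --apply switch are this example's own names.

```python
import sys

# Each operation: (hive, subkey, value name or None for the key's default value, kind, data)
HKLM = "HKEY_LOCAL_MACHINE"
HKCR = "HKEY_CLASSES_ROOT"


def lnk_workaround_ops():
    """Advisory 2286198 workarounds: blank the shell icon handler for .lnk (and .pif)
    shortcuts so Explorer no longer loads a shortcut's icon source, and disable the
    WebClient service (Start=4) so WebDAV shares cannot deliver shortcuts."""
    return [
        (HKCR, r"lnkfile\shellex\IconHandler", None, "sz", ""),
        (HKCR, r"piffile\shellex\IconHandler", None, "sz", ""),
        (HKLM, r"SYSTEM\CurrentControlSet\Services\WebClient", "Start", "dword", 4),
    ]


def autoplay_policy_ops():
    """Same effect as Group Policy 'Turn off AutoPlay' for all drive types:
    0xFF in NoDriveTypeAutoRun masks every drive type."""
    return [
        (HKLM, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer",
         "NoDriveTypeAutoRun", "dword", 0xFF),
    ]


def to_reg_file(ops):
    """Render operations as a .reg file (importable with 'regedit /s file.reg');
    '@' denotes the key's default value, dword values are hex."""
    lines = ["Windows Registry Editor Version 5.00"]
    current = None
    for hive, subkey, name, kind, data in ops:
        key = "[%s\\%s]" % (hive, subkey)
        if key != current:
            lines += ["", key]
            current = key
        label = "@" if name is None else '"%s"' % name
        if kind == "dword":
            lines.append("%s=dword:%08x" % (label, data))
        else:
            escaped = data.replace("\\", "\\\\").replace('"', '\\"')
            lines.append('%s="%s"' % (label, escaped))
    return "\n".join(lines) + "\n"


def apply_ops(ops):
    """Write the operations directly. Windows only, from an elevated prompt; users must
    log off and on (or Explorer be restarted) for the icon handler change to take effect."""
    import winreg  # only on Windows; the planning and rendering functions above run anywhere
    hives = {HKLM: winreg.HKEY_LOCAL_MACHINE, HKCR: winreg.HKEY_CLASSES_ROOT}
    for hive, subkey, name, kind, data in ops:
        with winreg.CreateKeyEx(hives[hive], subkey, 0, winreg.KEY_SET_VALUE) as key:
            reg_type = winreg.REG_DWORD if kind == "dword" else winreg.REG_SZ
            winreg.SetValueEx(key, name, 0, reg_type, data)


if __name__ == "__main__":
    ops = lnk_workaround_ops() + autoplay_policy_ops()
    if "--apply" in sys.argv:
        apply_ops(ops)
    else:
        sys.stdout.write(to_reg_file(ops))
```

Two caveats before deploying this by policy: once the icon handler is blanked, every shortcut on the machine shows a generic white icon, and disabling WebClient breaks WebDAV access, so test on a pilot group first and keep the exported original keys to restore after Microsoft's update ships.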
Ordinarily we wouldn't pick these small nits with Microsoft but we think this is particularly important as it's the advisory that provides official information for those assessing risk to their organizations.
In the meantime though, other things have changed, which may have an impact on the whole venture.
For one thing, the (online) world has gotten a lot bigger and flatter. In the last few years, there's been an explosion in the number of computer users from countries outside of the US and Western Europe.
More users, as a general rule, equals more eyeballs to find flaws; and while technical prowess may generally be lower in less developed countries, the sheer numbers involved may be able to negate that disadvantage. So perhaps in the next few years, we may see more "amateur" researchers becoming involved in paid bug-hunting work.
Also, the assumption that users from less developed countries are less tech-savvy may no longer be entirely correct, or may be defunct very soon, if the various reported attacks in the last few years are anything to go by. Offering a way to channel that proficiency into more helpful activities might not be a bad thing.
And while $3000 isn't that big a prize in the US, or in the underground, it's still a substantial amount in other, less affluent countries — possibly enough to make the effort worthwhile for a weekend tech warrior looking for extra money. For them, a bug bounty like Mozilla's offers some advantages that might appeal, such as:
• Fast, easy pay-off
• Unlimited by geography
• Legitimacy
Debate over the usefulness of bug bounty programs isn't likely to end soon, with most security experts more or less watching and waiting while Mozilla tests the waters.
Still, with the rapid large-scale changes taking place in the computing world, it's certainly conceivable that these programs could evolve in the next few years and take on a form that's viable for both the majority of software vendors and for the volunteer researcher as well.
We have added detection for the shortcut LNK exploit as Exploit:W32/WormLink.A. The shortcut file used in this case is 4.1 KB. Files associated with the trojan-dropper, backdoor and rootkit are detected as the Stuxnet family.
We mentioned two interesting details yesterday, that the rootkit was signed, and that it was targeting SCADA systems.
The rootkit components are digitally signed, and we've confirmed that a valid Realtek Semiconductor Corp. signature is used. The dropped drivers are properly signed, while the trojan-dropper itself only attempted to copy the digital signature.
There's a possible new zero-day in the wild which is being used in targeted espionage attacks. Belarusian antivirus company VirusBlokAda recently published news about two new rootkit samples, and quite interestingly, the infection vector is a USB storage device and Windows shortcut [.LNK] files.
The rootkit uses a LNK file that infects the operating system as soon as the shortcut is displayed by an icon-rendering file manager such as Windows Explorer or Total Commander.
According to Krebs on Security, the method is capable of infecting a fully patched Windows 7 computer.
From Krebs: Jerry Bryant, of Microsoft, stated that "Microsoft is investigating new public claims of malware propagating via USB storage devices. When we have completed our investigations we will take appropriate action to protect users and the Internet ecosystem."
Our initial analysis of the samples appears to indicate that the shortcuts somehow take advantage of the way in which Windows handles Control Panel shortcut files.
Our investigation is ongoing.
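To make the "Control Panel shortcut" observation concrete, here is an added example of a heuristic scanner for shortcut files; it is not F-Secure's detection logic and not the Exploit:W32/WormLink signature. It parses the fixed 76-byte ShellLinkHeader and the LinkTargetIDList that follows it (the documented shell link layout), then flags a shortcut whose ID list enters the Control Panel folder (CLSID 21EC2020-3AEA-1069-A2DD-08002B30309D) and then names a file path that is not a .cpl applet, since a legitimate legacy Control Panel item references a .cpl and an exploit shortcut points the icon loader at something else. The three sample shortcuts are constructed in the script with simplified ItemID layouts (real ones carry more fields), and the C:\lol.dll path borrows the Zeus variant described earlier on this page; the specific heuristic and all function names are this example's own.

```python
import struct
import sys
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")
# Shell folder CLSID of the Control Panel; an ID list containing it is a Control Panel shortcut.
CONTROL_PANEL_CLSID = uuid.UUID("21EC2020-3AEA-1069-A2DD-08002B30309D")
HAS_LINK_TARGET_ID_LIST = 0x00000001
HEADER_SIZE = 0x4C


def parse_id_list(data):
    """Validate the ShellLinkHeader and return the ItemID payloads of the
    LinkTargetIDList (each without its 2-byte size field). ValueError if malformed."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return []
    id_list_size = struct.unpack_from("<H", data, HEADER_SIZE)[0]
    pos, end = HEADER_SIZE + 2, HEADER_SIZE + 2 + id_list_size
    if end > len(data):
        raise ValueError("IDListSize runs past end of data")
    items = []
    while pos + 2 <= end:
        size = struct.unpack_from("<H", data, pos)[0]
        if size == 0:                      # TerminalID ends the list
            break
        if size < 2 or pos + size > end:
            raise ValueError("malformed ItemID at offset %d" % pos)
        items.append(data[pos + 2:pos + size])
        pos += size
    return items


def _strings(blob):
    """NUL-separated strings of 4+ chars inside an ItemID, tried as UTF-16LE and 8-bit text."""
    for text in (blob.decode("utf-16-le", "ignore"), blob.decode("latin-1")):
        for s in text.split("\x00"):
            if len(s) >= 4:
                yield s


def suspicious_control_panel_link(data):
    """Heuristic: a Control Panel folder item followed by an item carrying a file path
    that is not a .cpl applet. Returns that path, or None."""
    cp = CONTROL_PANEL_CLSID.bytes_le
    under_control_panel = False
    for item in parse_id_list(data):
        if cp in item:
            under_control_panel = True
            continue
        if not under_control_panel:
            continue
        for s in _strings(item):
            if "\\" in s and not s.lower().endswith(".cpl"):
                return s
    return None


def build_lnk(items):
    """Assemble a minimal shell link: header with HasLinkTargetIDList set, then the ID list."""
    header = (struct.pack("<I", HEADER_SIZE) + LNK_CLSID.bytes_le
              + struct.pack("<I", HAS_LINK_TARGET_ID_LIST) + b"\x00" * 52)
    body = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\x00\x00"
    return header + struct.pack("<H", len(body)) + body


def _cp_folder_item():
    return b"\x1f\x80" + CONTROL_PANEL_CLSID.bytes_le


def _path_item(path):
    return b"\x00\x00" + path.encode("utf-16-le") + b"\x00\x00"


# Constructed samples (ItemID layouts simplified for the example).
EXPLOIT_LNK = build_lnk([_cp_folder_item(), _path_item("C:\\lol.dll")])
BENIGN_CPL_LNK = build_lnk([_cp_folder_item(), _path_item("C:\\Windows\\system32\\main.cpl")])
BENIGN_FILE_LNK = build_lnk([b"\x2fC:\\" + b"\x00" * 20, b"\x32" + b"\x00" * 13 + b"notes.txt\x00"])


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            hit = suspicious_control_panel_link(f.read())
        print("%s: %s" % (path, "SUSPICIOUS -> " + hit if hit else "ok"))
```

Run it over the root of a suspect USB stick (python scan.py E:\*.lnk from a command prompt that expands wildcards) on a machine that is not rendering the icons, such as a non-Windows analysis box; the parser never executes anything, it only reads bytes. The extension check is deliberately loose, because the loader in Explorer did not care about the extension either, so any non-.cpl path under the Control Panel folder is worth a look.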
Two additional interesting details from Krebs' report:
1.) It uses (or attempts to imitate) a digital signature from Realtek Semiconductor Corp.
2.) It appears to target Siemens WinCC SCADA systems, or machines responsible for controlling the operations of large, distributed systems, such as manufacturing and power plants.
Many organizations have long since established policies for handling USB devices because of autorun worms. This new espionage attack seems to indicate the need for an additional review: disabling AutoRun/AutoPlay by policy is no longer a guaranteed safeguard.
Mozilla recently discovered a security escalation vulnerability in the 3.0.1 version of the popular CoolPreviews add-on.
Firefox users with the CoolPreviews add-on are advised to upgrade to the latest 3.1.0625 version as soon as possible. Other known issues resolved with the update are listed on the CoolPreviews site.
Today's the day — July 13th — Windows XP Service Pack 2 has reached its end of support. After today, Microsoft will no longer publish updates for SP2 and that also includes Microsoft software such as Internet Explorer, Media Player and Outlook Express.
Our telemetry indicates that about 10% to 11.5% of our customer base runs XP Service Pack 2. The numbers drop off during the weekend, due to corporate machines running idle. Windows XP SP3 numbers range from 50% to 54%.
Not bad, just about 10% of our customers are facing end of support issues.
There are still plenty of Service Pack 2 computers out there in the world. While this isn't yet a critical problem, there will eventually be exploitable vulnerabilities that affect these computers. It's going to be an issue sooner or later.
One week ago, TNW Apple published a story about Apple's App Store. It seems that some unscrupulous developers have been using compromised iTunes accounts to "App Farm" a profit from junk applications. TNW Apple's story was originally about Thuat Nguyen, but it rapidly expanded.
And so there was much speculation about the issue and we were asked our thoughts. Gregg Keizer of Computer World wanted to know if we had seen any increase in iTunes phishing. But while speaking with Gregg, we realized that you don't really need to phish iTunes… because the account names are e-mail based, you only need to collect phished e-mail account data and then try the same password with iTunes.
And so how many people fell for this? According to Thompson, the page had nearly 600 thousand likes.
This piqued my interest so I searched for additional pages called: 99% of people can't watch this video more than 25 seconds.
There are currently several pages with over 200 thousand cumulative likes:
The links lead to annoying marketing surveys and other such CPA ilk. Similar pages often lead to scams or malicious websites.
Unfortunately, it's a rather simple task to create a page on Facebook and the bigger problem is that of "landing tabs." What's a landing tab? It's the first tab that's shown to someone that doesn't already like the page, in this case, the "Video Here!" tab.
Facebook's statement: "We've removed the recently-added authentication requirement for setting custom landing tabs on Pages. The requirement was instituted as part of a Pages quality initiative, however we are now re-investigating the situation. We will not make any further changes without first giving notice and lead time."
Why did Facebook back off? Because small business complained. The 10,000 fan requirement was seen as too difficult to achieve. The major use for landing tabs is to build the page's base, so perhaps it was too much to ask.
But at this point, having nothing in place opens up a deluge of scams and spam. Some kind of compromise must be possible.
Our own Facebook page occasionally uses a landing tab, such as during our Anti-Theft Phonehunt campaign, but we don't rely on the feature. If we had to jump through a couple of extra hoops to enable it, then so be it. The folks that are currently falling for these scams would be better off, and we'd be happier for it.
Let's hope that Facebook doesn't take too much longer with its re-investigation.
TinyURL quickly disabled the six links that I abused. Cheers to Gilby!
Over the weekend, the lab stumbled upon a spambot application that capitalizes on Chuck Norris' popularity to boost a particular site's search engine ranking via spamdexing. It is used to poison search results and trick the search engine into ranking a site high in the result list.
The spambot installer, which is detected as Application:W32/Spambot.A drops PE files upon installation, and then attempts to connect to a website that sells various programs for PHP board flooding and chat flooding. It advertises the spambot application as "[the] best app to get your site ranked high on the search results."
The string "Chuck Norris" is one of the many strings (mostly in Polish) that are defined to be highlighted on the result page when a user conducts an entry search. In addition to highlighting keywords, the application can also be used to harvest e-mail addresses, automate clicking and crawl over websites in order to drive traffic to a particular site.
Anti-Malware Testing Standards Organization (AMTSO), which F-Secure is a member of, had a meeting in Helsinki in May. During that meeting AMTSO members approved two new guidelines to be published.
The first new guideline is for "Whole Product Testing." The introduction of whole product testing is a very important development. It basically means that instead of testing each of the features of a product separately and trying to deduce the real-life protection provided by the product from that (sum-of-parts testing), the whole product is tested against real threats. Whole product testing will bring testing closer to reality and as such will guide development of security software in a direction that truly benefits users.
We at F-Secure are strong believers in defense in depth and as such welcome "whole product" approaches. Most users of security products do not really care which feature in their security suite protects them as long as they are kept safe. We have several layers of protection in our product and so does everyone else. Measuring each layer separately in a vacuum is just not the right way to evaluate the protection level provided by a product.
As the readers of our blog certainly know, the web is the number one infection vector today. A very typical infection scenario is SEO (Search Engine Optimization) poisoning: Criminals have tricked Google into listing their site very high in search results when the user searches e.g. for a current event. In a scenario like this F-Secure has three layers of defense in place (see image).
A "whole product" approach for testing protection against a threat like this could go like so:
1) Take a URL that links to a drive-by-download exploit or malware download
2) Browse to that URL with a web browser imitating a normal user
3) See what happens. Does the malware infect the system or not?
One of the fundamental principles of AMTSO is that "testing must not endanger the public". So, a tester that conducts a test like the one above must take the necessary precautions e.g. make sure his network infrastructure prevents malware from attacking any outside systems.
The second new guideline released is about performance testing. It talks about scanning speed and resource usage. It is not just about "whole product performance testing" yet, so it is somewhat focused on testing individual aspects of performance. It gives sound advice on how performance aspects of security products can be evaluated. It especially highlights that the performance tests run should be relevant to the use-case in question. As an example, typically it does not make sense to test scanning speed by scanning infected files since most files a normal user would scan are clean. Also, while home user tests might focus on performance effects on computer games or media players, an enterprise file server focused test might concentrate more on on-demand scan performance.
The Register has an interesting article on 50 people who were arrested in Romania for using smartphone spying tools to spy on their spouses, competitors and other people they had one motive or another to watch.
We covered these spying tools already in 2006. Back then the first versions were classified as trojans; later variants are classified as riskware. And while they have not made much news lately, they are actively used, as this Romanian case shows.
These spying tools are just another manifestation of an age-old problem: when someone wants to pry into another person's private matters, they will use whatever tool they have access to. Jealous husbands and suspicious wives have been installing keyloggers and other monitoring tools on their spouse's PCs for at least 15 years now. And now that phone spying tools are readily available, they will be used against phones as well, just another tool in a spy's toolkit.
Which means that if you have reason to be concerned about your privacy, it is a very good idea to take good care of your phone, and maybe install some protection.
The good news about these mobile spying tools is that they cannot be installed on a device remotely; to spy on a victim, someone has to get physical access to the phone and install the software on it. So the simple and efficient protection against these tools is to set a lock code on your phone: when the phone is locked, nobody can surreptitiously install unwanted software.