F-Secure Antivirus Research Weblog
Weblog of F-Secure Antivirus Research Team

  • Adobe Joins Microsoft's MAPP Program
    Greetings from Black Hat 2010!

    Black Hat 2010

    So far the biggest announcement has been that Adobe will join MAPP (Microsoft Active Protections Program) and will start sharing vulnerability information for all Adobe products through it. This means that MAPP partners, such as F-Secure, will get advance notifications of vulnerabilities in products such as Adobe Reader or Flash, enabling us to better protect our users.

    Regular readers of our blog will know that we have often been quite critical of Adobe. But here we want to give them full credit for a good move.

    The conference has just started and there should be more interesting stuff coming up. I will be delivering my talk tomorrow. It's titled "You Will Be Billed $90,000 For This Call".

    Signing off,
    Mikko

    On 28/07/10 At 08:16 PM

  • Rogue AV Masquerades as a Firefox/Flash Update
    It seems that rogue peddlers have gotten tired of their old tricks for pushing rogueware onto the user's system. It used to be a fake scanning page that led to a warning, and then to a fake AV.

    Now, it comes as the Firefox "Just Updated" page. You know that page that instantaneously appears right after you update your Firefox browser? And you open Firefox for the first time? Just like that. But with a catch of course. There is a message telling the user that even if their Firefox got updated, their Adobe Flash Player isn't. So they still have to update. Pretty helpful…

    Firefox Update

    And the user doesn't need to click anything, the download dialog box immediately appears as soon as the page loads…

    Binary

    When the user runs the file… Bad old rogue AV…

    Security Tool

    Somehow the rogue guys couldn't decide if it's going to be Firefox or Flash Player… so it became a little bit of both.

    Note: The malicious site is already blocked and the rogue is detected in our latest database updates.

    Response post by — Mina & Christine

    On 28/07/10 At 08:48 AM



  • LNK Vulnerability: Chymine, Vobfus, Sality and Zeus
    Here's the bad news: several additional malware families are now attempting to exploit Microsoft's LNK vulnerability (2286198).

    But here's the good news: so far, the new exploit samples are detected by us, and by many other vendors. Basically we're seeing new payloads using the same basic exploit method, which is being detected generically, and not new versions of the exploit.

    Here's a review of the landscape. The Stuxnet rootkit was the family that first made use of the LNK zero-day. Then, last week, Chymine and Vobfus followed. Our detection names are Trojan-Downloader:W32/Chymine.A and Worm:W32/Vobfus.BK.

    Chymine is a new keylogger (which you can see from the .A variant). It uses the LNK vulnerability to infect, but it doesn't create additional .LNK files to spread (so no worm vector). The folks at ESET discovered Chymine.

    Chymine

    Vobfus is an older family that has always used shortcuts, combined with social engineering. This latest variant is merely adding to its feature set. Microsoft researcher, Marian Radu, named the Vobfus family.

    Today's news involves Sality (a popular polymorphic virus), and Zeus (a popular botnet). We generically detect the Sality sample and the LNK file it uses as a spreading vector.

    The Zeus variant was discovered as an e-mail attachment with a message supposedly from "Security@microsoft.com" and the subject "Microsoft Windows Security Advisory."

    This is the body:

    Hello, we are writing to you about a new Microsoft security advisory issue for Windows. There is a new potentially dangerous software-worm, attacking Windows users through an old bug when executing .ICO files. Although this is quite an old way of infecting software, which first was used in 1982 with Elk Cloner worm, the new technique the new worm is using is more complicated, thus the speed and number of attacs has strongly increased. Since you are the special Microsoft Windows user, there is a new patch attached to this e-mail, which eliminates the possibility of having you software infected. How to install: open an attached file

    Zeus is a challenging threat to combat, and not many vendors detect this variant yet. We're adding detection now. Fortunately, the exploit used is detected by many and the entire thing relies on socially engineering its victim into opening a password protected zip file and copying the lol.dll to the root of the C: since the path must be known in order for the exploit to work.

    We don't really expect great success for this particular variant of Zeus.

    On 26/07/10 At 03:46 PM

  • WoW Account Phishing
    A World of Warcraft account could be a pot of gold for phishers, depending on the player's achievements. In-game items are in demand and can be sold for real cash, making WoW accounts a favorite phishing target.

    An analyst from our Response Lab recently received an e-mail from Blizzard (the creator of WoW) asking for account verification. At a glance, the e-mail appeared to be coming from a legit source. Look at the "From" address. Nothing suspicious here.

    WoW Phishing, Normal View

    Upon further reading of the e-mail content (click image above for larger view), something seemed off. The account has to be verified at an external site not associated with Blizzard; the e-mail content was written with noticeable grammatical errors.

    Further investigation revealed that the e-mail was sent from an individual e-mail account. The phisher is using an SMTP relay attack to spoof the "From" address so that the e-mail seems to originate from Blizzard (click the image below for a larger view):

    WoW Phishing, Full headers

    Accounts for Blizzard games, particularly WoW, Starcraft II and Diablo III are currently being handled by Battle.net. Take note that any changes in the account require a thorough verification process, where a valid ID has to be presented.

    Battlenet TOC

    Phishers are getting smarter, and their social engineering has gotten more subtle and harder to detect. It is up to the user to be extra careful and not trust every source blindly.

    On 26/07/10 At 03:49 AM
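    The header comparison the analyst above did by hand (a "From" address that does not match the relay chain) can be checked mechanically. The script below is an added example and is not part of the F-Secure post; the header block in it is constructed for illustration, with example.com / example.net as placeholder domains and game-vendor.example standing in for the spoofed company. It unfolds the headers, takes the domain of the "From" address, and flags it when the envelope sender (Return-Path) or the originating Received hop points somewhere else.

```powershell
# Added example, not from the F-Secure post. Heuristic check for a spoofed
# "From" header: compare the From domain against the envelope sender and the
# originating hop. The headers below are constructed; all domains are placeholders.
$rawHeaders = @'
Return-Path: <someone@mail.example.net>
Received: from mail.example.net (mail.example.net [192.0.2.10])
    by mx.example.com with ESMTP id 123abc; Mon, 26 Jul 2010 03:49:00 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
    by mail.example.net with SMTP; Mon, 26 Jul 2010 03:48:40 +0000
From: "Account Services" <noreply@game-vendor.example>
To: analyst@example.com
Subject: Account verification required
'@

function Get-HeaderFields([string]$Raw) {
    # Unfold RFC 5322 continuation lines, then split into name/value pairs.
    $unfolded = $Raw -replace "`r?`n[ \t]+", ' '
    $fields = @()
    foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -match '^([A-Za-z-]+):\s*(.*)$') {
            $fields += New-Object PSObject -Property @{ Name = $matches[1]; Value = $matches[2] }
        }
    }
    return $fields
}

function Get-Domain([string]$Address) {
    if ($Address -match '@([A-Za-z0-9.-]+)') { return $matches[1].ToLower() }
    return $null
}

function Test-SpoofedFrom([string]$Raw) {
    $fields     = Get-HeaderFields $Raw
    $from       = ($fields | Where-Object { $_.Name -eq 'From' }        | Select-Object -First 1).Value
    $returnPath = ($fields | Where-Object { $_.Name -eq 'Return-Path' } | Select-Object -First 1).Value
    $received   = @($fields | Where-Object { $_.Name -eq 'Received' }  | ForEach-Object { $_.Value })

    $fromDomain     = Get-Domain $from
    $envelopeDomain = Get-Domain $returnPath
    $findings = @()

    if ($fromDomain -and $envelopeDomain -and $fromDomain -ne $envelopeDomain) {
        $findings += "From domain '$fromDomain' differs from envelope sender domain '$envelopeDomain'"
    }
    # Each relay prepends its own Received line, so the LAST one is the originating hop.
    if ($received.Count -gt 0 -and $fromDomain) {
        $origin = $received[$received.Count - 1]
        if ($origin -notmatch [regex]::Escape($fromDomain)) {
            $findings += "originating hop does not mention '$fromDomain': $origin"
        }
    }
    return $findings
}

$result = @(Test-SpoofedFrom $rawHeaders)
if ($result.Count -eq 0) {
    Write-Output 'no header anomalies'
} else {
    $result | ForEach-Object { Write-Output "SUSPICIOUS: $_" }
}
```

    Both findings fire on the constructed headers. Treat the output as a prompt for review rather than a verdict: newsletters and ticketing systems sent through third-party providers also produce a From/Return-Path mismatch, and Received lines below the first trusted hop can themselves be forged by the sender.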



  • LNK Vulnerability: Embedded Shortcuts in Documents
    Microsoft has updated Security Advisory 2286198 (version 1.2).

    It's quite evident that the folks at Microsoft are working very diligently on this issue. Our concerns have been addressed and the advisory no longer lists Windows 7 AutoPlay as a mitigation. We thank them for this clarification.

    And now the bad news.

    Version 1.2 of the advisory has an important new detail:

    "An exploit can also be included in specific document types that support embedded shortcuts."

    Microsoft Security Advisory 2286198, version 1.2

    Documents — such as but not limited to Microsoft Office documents.

    This really expands the potential reach of the LNK vulnerability. Depending on how easily documents can be used for this, we will now almost certainly see targeted-attack attachments in e-mail messages.

    Fortunately, Microsoft's Active Protections Program (MAPP) provides excellent technical details and so we have further improved our protection against the WormLink exploit. Our latest signatures: Exploit:W32/WormLink.B and C, are more generic and effective than previously. Kudos to Microsoft.

    Let's review the workarounds listed in the advisory.

      •  Disable the displaying of icons for shortcuts
      •  Disable the WebClient service
      •  Block the download of LNK and PIF files from the Internet

    Microsoft Support has a Knowledge Base Article which includes their one click "Fix it" buttons for disabling shortcut functionality.

    Everyone should review this new information and evaluate it for their environment while Microsoft continues their work to develop a security update.

    On 21/07/10 At 10:20 AM
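    The advisory's first two workarounds are host-side settings that an administrator will want to verify across a fleet, and the earlier AutoPlay posts recommend a third change on top of them. The script below is an added example and is not from the F-Secure post or from Microsoft: it audits those settings on the local machine and applies them when run with -Apply from an elevated PowerShell. Assumed: the icon-handler registry keys are the ones the advisory names (lnkfile and piffile under HKEY_CLASSES_ROOT), and the NoDriveTypeAutoRun policy value 0xFF is the standard "turn off AutoPlay on all drives" setting; the third workaround, blocking LNK and PIF downloads, is a perimeter control and is only reported as not checkable here.

```powershell
# Added example, not from the F-Secure post or Microsoft's advisory.
# Audits (and with -Apply, enforces) the host-side LNK workarounds plus the
# "disable AutoPlay" advice. Run elevated; PowerShell 2.0 or later.
param([switch]$Apply)

# Assumption: these are the handler keys the advisory tells you to clear.
$iconHandlerKeys = @(
    'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler',
    'Registry::HKEY_CLASSES_ROOT\piffile\shellex\IconHandler'
)
# Assumption: standard Group Policy location for "Turn off AutoPlay".
$autoPlayPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Test-IconHandlerDisabled([string]$KeyPath) {
    # Icons are no longer rendered once the (Default) value of the handler key is empty.
    if (-not (Test-Path $KeyPath)) { return $true }
    $value = (Get-ItemProperty -Path $KeyPath).'(default)'
    return [string]::IsNullOrEmpty($value)
}

function Disable-IconHandler([string]$KeyPath) {
    # Export the key first so the handler can be restored once a patch ships.
    $backup  = Join-Path $env:TEMP (($KeyPath -replace '[\\:]', '_') + '.reg')
    $regPath = $KeyPath -replace '^Registry::HKEY_CLASSES_ROOT', 'HKCR'
    & reg.exe export $regPath $backup /y | Out-Null
    Set-ItemProperty -Path $KeyPath -Name '(default)' -Value ''
}

function Test-WebClientDisabled {
    $svc = Get-WmiObject Win32_Service -Filter "Name='WebClient'"
    if ($svc -eq $null) { return $true }   # service not installed: nothing to reach over WebDAV
    return ($svc.StartMode -eq 'Disabled' -and $svc.State -ne 'Running')
}

function Disable-WebClient {
    Set-Service -Name WebClient -StartupType Disabled
    Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
}

function Test-AutoPlayDisabled {
    $item = Get-ItemProperty -Path $autoPlayPolicyKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    return ($item -ne $null -and $item.NoDriveTypeAutoRun -eq 0xFF)
}

function Disable-AutoPlay {
    if (-not (Test-Path $autoPlayPolicyKey)) { New-Item -Path $autoPlayPolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $autoPlayPolicyKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

$checks = @(
    @{ Name = 'lnkfile icon handler cleared';            Test = { Test-IconHandlerDisabled $iconHandlerKeys[0] }; Fix = { Disable-IconHandler $iconHandlerKeys[0] } },
    @{ Name = 'piffile icon handler cleared';            Test = { Test-IconHandlerDisabled $iconHandlerKeys[1] }; Fix = { Disable-IconHandler $iconHandlerKeys[1] } },
    @{ Name = 'WebClient service disabled and stopped';  Test = { Test-WebClientDisabled };                       Fix = { Disable-WebClient } },
    @{ Name = 'AutoPlay turned off for all drives';      Test = { Test-AutoPlayDisabled };                        Fix = { Disable-AutoPlay } }
)

foreach ($c in $checks) {
    $ok = & $c.Test
    if (-not $ok -and $Apply) {
        & $c.Fix
        $ok = & $c.Test   # re-test so the report reflects the state after the change
    }
    $state = if ($ok) { 'OK     ' } else { 'MISSING' }
    Write-Output ("{0}  {1}" -f $state, $c.Name)
}
Write-Output 'N/A      LNK/PIF download blocking: enforce at the proxy or mail gateway, not checkable here.'
```

    Run without -Apply first to see what a machine is missing; the icon-handler change makes every shortcut on the desktop and Start menu show a generic icon, which is the advisory's stated side effect, so keep the exported .reg files to revert after the update is installed. Clearing the handler also only addresses icon rendering; it does not make the WebDAV and file-share vectors go away, which is why the WebClient check is separate.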



  • Another Signed Stuxnet Binary
    There are a couple of new developments in the Stuxnet rootkit case. Last night, the analysts in our Kuala Lumpur lab added detection for another digitally signed Stuxnet driver. This one uses a certificate from JMicron Technology Corporation.

    Our detection for this new binary is Rootkit:W32/Stuxnet.D.

    Stuxnet.D

    Here's the Digital Signature Details from the file properties:

    JMicron Cert

    And here's the Certificate:

    JMicron Cert

    Here's the certificate details via VeriSign.

    JMicron leaked cert VeriSign info

    This particular certificate is valid until July 25, 2012.

    While there are some modifications, initial analysis indicates that this new driver is very similar to the first set of Stuxnet samples we've seen, with the same basic functions and approach.

    A hat tip to Pierre-Marc Bureau at ESET, who notes that JMicron and Realtek Semiconductor Corp both have offices in Hsinchu Science Park, Taiwan. Realtek is the source of the previously used certificate, which has now been revoked by VeriSign.

    We've speculated internally that Realtek's Authenticode leak could have resulted from Aurora style attacks which targeted source code management systems, but now, with the physical proximity of these two companies, we wonder if some physical penetration was also involved.

    Additional news regarding Stuxnet is that Siemens, whose SIMATIC WinCC databases are targeted, has advised against changing their SCADA system's hardcoded password. The concern is that adjusting the password will create damaging conflicts.

    Robert McMillan has more on this at PCWorld.

    Updated to add: ICS-CERT has published a useful advisory [PDF] which includes all the file names needed to scan for Stuxnet infections on computers with no antivirus installed.

    On 20/07/10 At 01:00 PM

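    Two signed Stuxnet drivers have now turned up, each carrying a certificate issued to a legitimate hardware vendor, so a responder without an antivirus product on the box may want to see which kernel drivers are signed by whom. The script below is an added example and is not an F-Secure or ICS-CERT procedure: it runs Get-AuthenticodeSignature over the drivers directory and lists every driver whose signature is not Valid or whose signer subject matches a watch list. The two company names in the watch list are the ones the post mentions; treating them as review triggers is this example's assumption, and a match means "look at this by hand", not "infected", because genuine Realtek and JMicron drivers are common.

```powershell
# Added example, not from the F-Secure post. Reports kernel drivers whose
# Authenticode signer is on a watch list or whose signature does not verify,
# for manual review. Watch-list entries are taken from the post; the list
# itself and the review idea are this example's assumption.
$watchList = @('Realtek Semiconductor', 'JMicron Technology')
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'

function Get-DriverSignatureReport {
    param([string]$Path, [string[]]$Watch)
    Get-ChildItem -Path $Path -Filter *.sys | ForEach-Object {
        $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert    = $sig.SignerCertificate           # $null when the file is unsigned
        $subject = if ($cert) { $cert.Subject } else { '' }
        $flagged = $false
        foreach ($w in $Watch) {
            if ($subject -like "*$w*") { $flagged = $true }
        }
        New-Object PSObject -Property @{
            File     = $_.Name
            Status   = $sig.Status                  # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer   = $subject
            NotAfter = if ($cert) { $cert.NotAfter } else { $null }
            Watch    = $flagged
        }
    }
}

$report = Get-DriverSignatureReport -Path $driverDir -Watch $watchList
$report |
    Where-Object { $_.Watch -or $_.Status -ne 'Valid' } |
    Sort-Object Watch, File -Descending |
    Format-Table File, Status, Watch, Signer, NotAfter -AutoSize
```

    On older 32-bit systems many legitimate drivers are unsigned, so the NotSigned rows are noise there and the Watch column is the more useful filter; on 64-bit Windows, where kernel drivers must be signed, an unsigned or hash-mismatched .sys is itself worth a second look. Pair the listing with the file names from the ICS-CERT advisory for an actual infection check.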
  • Update on Security Advisory 2286198
    Microsoft has updated Security Advisory 2286198 and it now clarifies that:

    "The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the icon of a specially crafted shortcut is displayed."

    Displayed is the important keyword. This is good and addresses our earlier concerns.

    However, the advisory still reads that:

    "For Windows 7 systems, AutoPlay functionality for removable disks is automatically disabled."

    This is still inaccurate. Or at least, it's not accurate enough. We know what Microsoft is trying to say but we think some folks might misinterpret. It would be better to state that AutoPlay functionality for removable disks is automatically LIMITED.

    Take a look at our Windows 7 test machine, which was hardened, this is a button in the AutoPlay Control Panel:

    Windows 7 AutoPlay defaults

    "Reset all defaults."

    So we opted to restore the defaults:

    Windows 7 AutoPlay defaults

    "Use AutoPlay for all media and devices" is now enabled. That's ALL media and devices.

    This is the dialog that was presented when a USB flash drive containing multimedia files was inserted into the Windows 7 system:

    Windows 7 AutoPlay defaults

    The highlighted option is "Open folder to view files."

    So what is disabled? AutoPlay? No. Windows 7 AutoPlay isn't disabled, rather, it doesn't include the OPTION to set a default ACTION for removable disks.

    But in the case of the LNK vulnerability, one click, and you're at risk, by DEFAULT.

    Windows 7 AutoPlay is a significant improvement compared to Windows XP AutoPlay. In fact, it is probably a near-perfect balance of security and functionality… for consumers.

    However, businesses and organizations at risk from targeted attacks are a different story. They should fully disable AutoPlay.

    Why?

    As we noted in our previous post, social engineering tricks have targeted AutoPlay.

    For example, this is one of Conficker's methods of attack:

    Windows 7 AutoPlay and Conficker

    Conficker's autorun.inf file used a Windows system folder icon in its efforts to be the first option presented. One click, and you'll launch the autorun.inf. Clever trick, eh?

    Here's another theoretical AutoPlay issue (not a vulnerability). USB storage devices can include a partition formatted as a Virtual CD.

    In this case, the partition is treated as a regular CD by AutoPlay.

    Windows 7 AutoPlay and Virtual CD

    When we wrote the Virtual CD post back in June, it seemed highly unlikely that we'd see it deliberately used in a targeted attack. We thought it was much more likely to affect someone due to a compromise in the manufacturing process; that the Virtual CD would be infected in the master copy at the factory.

    But now, considering the Stuxnet case, which uses a zero-day flaw, signed drivers, and targets Siemens SIMATIC WinCC databases… maybe the idea of a Virtual CD attack isn't so far fetched after all. Clearly there's some very motivated espionage in play.

    Bottom line: If you're an IT manager with Windows 7 systems in your network, disable AutoPlay.

    Updated to add: Microsoft has updated their advisory. Our latest post has the details.

    On 20/07/10 At 09:26 AM



  • Code for Shortcut Zero-Day Exploit is Public
    If you're not following Mikko's Twitter feed, you may have missed yesterday's news that public proof of concept exploit code for the Windows shortcut (.lnk) vulnerability has been released on exploit-db.com.

    This further escalates the danger of the shortcut vulnerability. So far, only the authors of the Stuxnet rootkit have utilized the flaw, but now there's just no doubt that other bad guys will soon follow.

    Fortunately some folks are also using the PoC for good.

    Didier Stevens (well known for his research on Adobe Reader's /launch feature) tested the exploit with his Ariad tool and it was successfully blocked. Stevens has tested back to Windows 2000 SP4. If you need to maintain a legacy system that's not scheduled for a Microsoft Security update (such as Windows XP SP2), Ariad might be an option.

    But Stevens calls Ariad beta software, and so that won't be an option for some. So what else can be done?

    Chet Wisniewski at Sophos has suggested using Group Policies to restrict the launch of executables to local hard drives.

    And of course, the workarounds from Microsoft's Security Advisory.

      •  Disable the displaying of icons for shortcuts
      •  Disable the WebClient service

    Regarding Security Advisory 2286198: parts of it seem unclear to us.

    For example, the advisory states:

    "The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut."

    Yet our analysis indicates otherwise, clicking is not required.

    Microsoft's own Malware Protection Center states that the exploit:

    "takes advantage of specially-crafted shortcut files (also known as .lnk files) placed on USB drives to automatically execute malware as soon as the .lnk file is read by the operating system. In other words, simply browsing to the removable media drive using an application that displays shortcut icons (like Windows Explorer) runs the malware without any additional user interaction."

    Simply browsing the removable drive. No clicking.

    And then there's a question about the AutoPlay feature. The advisory states:

    "For systems that have AutoPlay disabled, customers would need to manually browse to the root folder of the removable disk in order for the vulnerability to be exploited. For Windows 7 systems, AutoPlay functionality for removable disks is automatically disabled."

    But this is what comes up, by default, when we plug a USB device into our Windows 7 test system:

    Windows 7 AutoPlay

    That dialog does say AutoPlay, right? So it seems that AutoPlay isn't automatically disabled on Windows 7 systems.

    Perhaps it should have said AutoRun is disabled by default? (Windows 7 is definitely better at handling removable media than previous versions of Windows, but AutoPlay still seems to be a default feature.)

    In any case, having AutoPlay disabled isn't much of a mitigating factor for this vulnerability. It's only: click Start, click Computer, and click Removable Disk. Three clicks and you're at risk. But still, organizations should disable the AutoPlay feature in order to limit Windows 7 social engineering tricks.

    Ordinarily we wouldn't pick these small nits with Microsoft but we think this is particularly important as it's the advisory that provides official information for those assessing risk to their organizations.

    Updated to add: Microsoft has updated their advisory. Our latest post has the details.

    On 19/07/10 At 03:56 PM

  • More Money for Bugs?
    So Mozilla recently upped their bug bounty money from $500 to $3000 (USD).

    Here are a few thoughts on the topic:

    The whole concept of paying for outsiders to report bugs and vulnerabilities was controversial even before 2004, when Mozilla's program first started (check out No More Free Bugs, Bug Bounty Program Answers Critics and Bug Finders: Should They Be Paid? for more background) and six years on, the arguments for and against don't seem to have changed too much.

    In the meantime though, other things have changed, which may have an impact on the whole venture.

    For one thing, the (online) world has gotten a lot bigger and flatter. In the last few years, there's been an explosion in the number of computer users from countries outside of the US and Western Europe.

    More users, as a general rule, equals more eyeballs to find flaws; and while technical prowess may generally be lower in less developed countries, the sheer numbers involved may be able to negate that disadvantage. So perhaps in the next few years, we may see more "amateur" researchers becoming involved in paid bug-hunting work.

    Also, the assumption that users from less developed countries are less tech-savvy may no longer be entirely correct, or may be defunct very soon, if the various reported attacks in the last few years are anything to go by. Offering a way to channel that proficiency into more helpful activities might not be a bad thing.

    And while $3000 isn't that big a prize in the US, or in the underground, it's still a substantial amount in other, less affluent countries — possibly enough to make the effort worthwhile for a weekend tech warrior looking for extra money. For them, a bug bounty like Mozilla's offers some advantages that might appeal, such as:

      •  Fast, easy pay-off
      •  Unlimited by geography
      •  Legitimacy

    Debate over the usefulness of bug bounty programs isn't likely to end soon, with most security experts more or less watching and waiting while Mozilla tests the waters.

    Still, with the rapid large-scale changes taking place in the computing world, it's certainly conceivable that these programs could evolve in the next few years and take on a form that's viable for both the majority of software vendors and for the volunteer researcher as well.

    Thoughts?

    On 19/07/10 At 08:19 AM



  • Zero-Day Vulnerability in Windows Shell
    Microsoft has released Security Advisory 2286198, which provides details on the LNK shortcut (Windows Shell) vulnerability that's currently being exploited by the Stuxnet rootkit.

    The news is not good.

    Besides USB devices, the Windows Shell vulnerability can also be exploited via Windows file shares and WebDav.

    All versions of Windows are affected:

    Microsoft Advisory 2286198

    Vulnerable versions include Windows XP Service Pack 2 which is not listed by the advisory due to its recent end-of-support status.

    If there's to be no patch for SP2, users will need to implement the suggested workarounds:

      •  Disable the displaying of icons for shortcuts
      •  Disable the WebClient service

    See Microsoft's Security Advisory for details.

    On 17/07/10 At 10:04 AM