Security Information Week 42, 2006
July 2006
July 3: Windows Genuine (Dis)Advantage
Microsoft’s anti-piracy initiative is called the Windows Genuine Advantage (WGA) program. Malware writers have written a bot that spreads over instant messenger posing as WGA, at the same time it became known that WGA contacts Microsoft with software and hardware identifiers of the systems Windows is installed on. The bot announces itself as a new system driver service called “WGAVN” and displays itself as “Windows Genuine Advantage Validation Notification”. From then on, it makes sure it is executed every time Windows starts. Users who try to remove the bot are informed that getting rid of the program will result in system instability. A false statement. When installed, the bot disables, among other things, the Windows firewall and opens a backdoor giving full system control.
July 6: IDA Pro as a spread vector
A proof-of-concept virus, “Gattman”, has been released that targets the widely used reverse engineering tool Interactive Disassembler Pro (IDA Pro) from DataRescue. The virus is written in IDA Pro’s script language. When loaded, it looks for IDC files and uses them to generate a newly infected EXE file. Such scripts are sometimes shared between researchers to show interesting aspects of new malware. The spread of this virus will therefore most likely be limited to researchers only, hence the proof-of-concept.
July 7: Pharming Trojan
A new trojan, DNSChanger, was discovered that is able to “change” the IP number. It is not the IP number of the user’s system that is changed: the trojan intercepts connections to specific sites and re-routes them to fraudulent sites that look professionally like the original. This kind of technology is used more and more by phishers. The user thinks he ends up on the correct site, the URL entered is correct, so where’s the harm in confirming the login and password once more...
July 11: Five new critical vulnerabilities
In its security bulletin summary for July 2006 Microsoft reports five new critical vulnerabilities in its operating systems and applications, as well as two marked as important. Critical is Microsoft’s highest vulnerability rating.
A summary briefly describing the vulnerabilities is available from Microsoft’s Security Bulletin Summary for July 2006. From this page you will also find links to more detailed information in Microsoft’s Security Bulletins MS06-035 - MS06-039 (critical), and MS06-033 - MS06-034 (important).
July 11: The end of Windows 98 and Windows Me
Originally scheduled for January 2004, on this day Microsoft officially ended support for Windows 98 and Windows Me. Effectively it means that users running these operating systems will no longer receive security updates from Microsoft. Without frequent updates, users will be vulnerable to attacks on unpatched security holes, the most targeted item on the Internet nowadays.
July 13: Join and open the world: Microsoft and Yahoo to support each other’s IMs
Microsoft and Yahoo have announced that they will provide interoperability between their two Instant Messenger (IM) systems, Windows Live Messenger (previously MSN) and Yahoo Messenger. This means that more people can reach each other, even if they are on different IM networks, but it also means that the spread vector for malware on IM has instantly grown. Beta software for the interoperability is already available. Microsoft anticipates that more of these cooperative relationships will take place in the future.
July 17: Tiny wireless chip announced by HP
Between 2mm and 4mm... That’s what it takes for a device to hold between 256Kb and 4Mb of memory and an antenna. Readers inside embedded devices can receive and send data at approx. 10Mbps. According to HP, the chip could be “stuck on or embedded in almost any object”. Unlike RFID, which has ‘limited’ memory, this HP-developed technology makes it possible to carry transparent data on easily carried devices. Within some industries this is convenient: a patient’s complete medical history on the insurance card can help to save the life of the patient when he is hospitalized in a remote hospital. But it can also be used to track people’s whereabouts when a device like this is implanted in a passport or driver’s license.
July 19: Microsoft acquires Winternals
Last year, Winternals co-founder Mark Russinovich discovered that Sony had been selling millions of CDs with rootkit software on them. Winternals owns the popular SysInternals website, which hosts several technical utilities for free. Today Microsoft announced that it has acquired Winternals. Mark Russinovich has a blog there and will, for the time being, continue to update it.
July 25: MSN Messenger chats are censored by Microsoft
Microsoft is performing automatic real-time censoring of MSN Messenger communications on the MSN servers. According to Microsoft this is done as protection against malware, exploits and worms spreading through MSN Messenger. When a filename or URL contains specific expressions, the message is blocked.
This also brings some problems. Telling a friend where to download the latest version of a utility at http://www.utilities.com/download.php, the message is blocked because the URL contains the word “download.php”. But after replacing “download.php” with “%64ownloa%64.php”, it works again (%64 == ‘d’). And it is common practice for people to obfuscate URLs or use redirecting tiny URLs from which malicious content can be downloaded. If the word “download.php” is just in the text of the message, the message is blocked again.
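The bypass above works because the filter matches the literal text of the message rather than what the URL decodes to. The following added example (not Microsoft’s filter; the blocked-term list and messages are constructed) contrasts a literal substring check with one that percent-decodes the message first, so “%64ownloa%64.php” and its double-encoded form are caught as well:

```python
from urllib.parse import unquote

# Constructed term list standing in for the messenger filter's expressions.
BLOCKED_TERMS = ("download.php",)


def naive_blocked(message: str) -> bool:
    """Literal match on the raw message: this is what '%64ownloa%64.php' slips past."""
    text = message.lower()
    return any(term in text for term in BLOCKED_TERMS)


def normalize(message: str, max_rounds: int = 3) -> str:
    """Percent-decode until the text stops changing (bounded), then lower-case.

    Repeating the decode collapses double-encoded forms such as '%2564' -> '%64' -> 'd'.
    """
    current = message
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.lower()


def normalized_blocked(message: str) -> bool:
    """Match on the canonical (decoded) form of the message instead of the raw bytes."""
    text = normalize(message)
    return any(term in text for term in BLOCKED_TERMS)


def classify(messages):
    """Return (message, naive_verdict, normalized_verdict) for each constructed sample."""
    return [(m, naive_blocked(m), normalized_blocked(m)) for m in messages]


if __name__ == "__main__":
    # Constructed chat lines, not captured traffic.
    samples = [
        "get it at http://www.utilities.com/download.php",
        "get it at http://www.utilities.com/%64ownloa%64.php",
        "get it at http://www.utilities.com/%2564ownloa%2564.php",
        "see you at the cafe",
    ]
    for msg, naive, normalized in classify(samples):
        print(f"naive={naive!s:5} normalized={normalized!s:5}  {msg}")
```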
August
August 3: VoIP hacking shown at Black Hat
Security experts from SecureLogix and 3Com’s TippingPoint explained and demonstrated a series of possible hacks and flaws in VoIP. As VoIP is increasing in popularity, especially for its low cost and ease of use worldwide, attacks on VoIP networks will increase. Together with the presentation, 13 tools were released to show the vulnerabilities of VoIP. All the tools target systems using the Session Initiation Protocol (SIP). Almost all systems from leading vendors such as Cisco and Nortel are moving from proprietary protocols towards SIP, making it highly likely to be attacked.
August 8: Nine new critical vulnerabilities
In its security bulletin summary for August 2006 Microsoft reports a total of nine new critical vulnerabilities in its operating systems and applications, as well as three marked important. Critical is Microsoft’s highest vulnerability rating.
A summary briefly describing the vulnerabilities is available from Microsoft’s Security Bulletin Summary for August 2006. From this page you will also find links to more detailed information in Microsoft’s Security Bulletins MS06-040 - MS06-044, MS06-046 - MS06-048 and MS06-051 (critical), and MS06-045, MS06-049 and MS06-050 (important). The potentially most serious of these vulnerabilities is the one discussed in MS06-040, which may be exploited over the Internet without any user interaction.
August 11: Theft of a laptop: 133,000 Florida residents at risk
It happened again: personal details of 133,000 Florida residents were lost as they were stored unencrypted on a stolen system. This year US citizens have already been confronted with similar identity thefts. It took the authorities two weeks to inform the public about the theft by sending those affected a letter. Professional identity thieves would have used the information instantly, and considerable financial damage can be done within two weeks. The Department is offering a $10,000 reward for the safe return of the system, but of course that will not protect those whose data is on the system. The data can simply be copied, so further measures are required.
August 15: Microsoft patch could make Internet Explorer cause trouble
With Microsoft’s security update from patch Tuesday in August, some users may start to experience problems with Internet Explorer. The culprit is critical update MS06-042. This one can make Internet Explorer crash when the user accesses certain websites. As this problem is rather serious, Microsoft scheduled an extra update for it for August 22.
August 22: And guess what... No patch
Patching isn’t easy, something Microsoft has discovered. Hours before they would release a second MS06-042 update, it was discovered that the new patch would, besides fixing the newly introduced crash problem, introduce a serious new vulnerability on some Windows systems. This could let malicious people take over a system if that system runs Internet Explorer 6 with Service Pack 1 and the fresh MS06-042 update.
August 29: Big Brother is finding You!
Former CEO and founder of Comverse Kobi Alexander was traced to the Sri Lankan capital Negombo after he placed a one-minute call using Skype. Kobi Alexander fled the US on charges that he personally profited millions of dollars by tampering with option grant dates, all at the expense of Comverse stockholders.
Believing that VoIP calls are safe to use and that tracking is not possible certainly proved wrong for Kobi Alexander. Even using anonymizers and other evasive actions to hide his whereabouts, it wasn’t safe. The call using the Skype service alerted some intelligence agencies to his presence in Sri Lanka, after which he was tracked down by a private investigator.
This event clearly shows that no matter what we do on the Internet, it is far from being anonymous.
September
September 4: 419-Scam goes US Marine
Constantly trying to find new angles, the 419 scammers are now using the US mission in Iraq as their new ploy. The scammers claim to be a US Marine officer and that after a raid in which some Iraqi criminals died, they discovered containers with a serious amount of cash. Of course they would like to get it out of the country and need your help. Be aware...
September 7: Botnets and Wiki
Vulnerabilities in wiki software have started to be exploited by hackers to create a network of compromised computers, a botnet. The problems lie within the PmWiki and TikiWiki applications.
The exploit for PmWiki can only be used if the PHP setting “register_globals” is enabled. The exploit for TikiWiki can always be used.
Connecting to different IRC channels, the exploits also load a variety of other exploits and attack tools onto the compromised machines (among these the Perl flood scripts). Both PmWiki and TikiWiki have released updates and patches.
September 12: Harddisk with a new feature: the final solution
If we are to believe Jasim Saleh Al-Azzawi, his latest invention will put us all out of business. He has ‘invented’ a harddisk with additional features that make past, present and future viruses harmless. His new type of harddisk has additional switches that turn the heads of any of the arms on and off. His basic idea is to redirect all disk I/O to a safe location, protecting the confidential data. When the system is disconnected from the Internet, the safe location is switched off and no longer reachable, and therefore viruses that got into your machine while connected to the Internet will not pose a problem.
It is very easy to see several implementation faults in this ‘invention’. It would be difficult if not impossible to fix them, as doing so would create an unworkable situation comparable with not turning on your computer. Safe but not desirable!
September 20: VML Exploit hits Internet Explorer
Sunbelt has discovered a new zero-day exploit for Internet Explorer that targets a vulnerability in Internet Explorer’s VML (Vector Markup Language) rendering code. Mozilla’s Firefox and Opera are not affected by this exploit.
The exploit uses a hole in VML in Internet Explorer to overflow a buffer and inject shellcode. The exploit already seems to be widely used by porn sites. Microsoft has responded reasonably well by releasing an out-of-cycle patch for the vulnerability, which also implies that the vulnerability was extremely serious.
September 26: Another 0-day Exploit, this time for Microsoft Office
Zero Day vulnerabilities seem to be the catch of the day nowadays. Today another one was discovered affecting Microsoft PowerPoint. Colleagues at McAfee discovered an interesting artifact:
“It appears that Microsoft’s antivirus product added detection three days before the exploit became known. The only public information on these threats is the boiler plate Malicious Software Encyclopedia entries (which show an incorrect discovery date of Sep 26, when virus definition files from Sep 23 detect): Exploit:Win32/Controlppt.W and Exploit:Win32/Controlppt.X".