<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title><![CDATA[Norman's security blog]]></title><link>http://www.norman.com/feeds/latest_blogs.rss/en-us</link>
<description><![CDATA[]]></description>
<pubDate>Tue, 16 Mar 2010 19:59:45 +0100</pubDate>
<generator>Lime CMS 3.6</generator>
<atom:link href="http://www.norman.com/feeds/latest_blogs.rss/en-us/index_html" rel="self" type="application/rss+xml" /><item>
  <title>Shockwave Flash (SWF) Exploit</title>
  <link>http://www.norman.com/security_center/blog/basavaraj_and_sandeep/78160/en-us</link>
  <description><![CDATA[<p><strong>Impact:</strong> Moderate<br />
<strong>Application:</strong> Adobe Flash Player 9.0.115.0 and earlier<br />
<strong>Vulnerability identifier:</strong> APSB08-11<br />
<strong>CVE Number:</strong> CVE-2007-0071</p>
<h2>Vulnerability details</h2>
<p>Adobe Flash Player is vulnerable to a buffer overflow. When a user opens a malicious multimedia file, the attacker overflows a buffer and compromises the victim&rsquo;s system, executing arbitrary code to carry out malicious activity.</p>
<h2>Example</h2>
<p>A malicious Shockwave Flash file (SWF) contains a regular SWF plus attached code that triggers the vulnerability and carries out the malicious activity.</p>
<h3>Tools:</h3>
<ol>
    <li>Sothink SWF Decompiler</li>
    <li>UltraEdit text editor</li>
</ol>
<h3>Static analysis</h3>
<p>The main file contains the additional malicious code:</p>
<p style="text-align: center"><strong><em>Fig 1.1</em></strong><em> Malicious code</em></p>
<p style="text-align: center"><strong><em>Fig 1.2</em></strong><em> Code view</em></p>
<p style="text-align: center"><strong><em>Fig 1.3</em></strong><em> Code view</em></p>
<p>The malicious activity of this code is:</p>
<ol>
    <li>An array is decrypted in an XOR loop.</li>
    <li>The decrypted bytes are then loaded as another, compressed SWF file.</li>
    <li>That compressed SWF drops 12 further SWFs, which are responsible for triggering the vulnerability.</li>
    <li>The malware is downloaded from this URL: &lt;removed&gt;</li>
</ol>
<h3>XOR decrypting loop:</h3>
<p style="text-align: center"><strong><em>Fig 2.1</em></strong><em> Decrypting loop</em></p>
<p>Each element sArr[i] is bitwise XOR&rsquo;d with a character of the key string &ldquo;alsoThePiece&rdquo;, obtained with the unicode/ASCII &quot;charCodeAt&quot; function, and the result is the decrypted byte.</p>
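<p>The loop in Fig 2.1, reimplemented in JavaScript as an added example that is not code from the original post: every byte of sArr is XOR&rsquo;d with the charCodeAt value of the key string &quot;alsoThePiece&quot;, and the output is then checked for the SWF header the post says the decrypted bytes carry (a 3-byte &quot;FWS&quot;/&quot;CWS&quot; signature, a version byte and a 4-byte little-endian length). That the key repeats when the array is longer than the key, and the sample bytes themselves, are assumptions; the post does not show the real array.</p>

```javascript
// Added example, not from the original post. Reimplements the XOR decrypting
// loop described in the post and checks the result for an SWF header.
const KEY = "alsoThePiece"; // key string named in the post

// XOR every byte of sArr with the key character at the same position. The key
// wrapping around (i % key.length) is an assumption; the post does not show it.
function xorDecrypt(sArr, key = KEY) {
  const out = new Uint8Array(sArr.length);
  for (let i = 0; i < sArr.length; i++) {
    out[i] = sArr[i] ^ key.charCodeAt(i % key.length);
  }
  return out;
}

// Parse the 8-byte SWF header: 3-byte signature ("FWS" = uncompressed body,
// "CWS" = zlib-compressed body), 1-byte version, 4-byte little-endian
// uncompressed file length. Returns null if the bytes are not an SWF.
function parseSwfHeader(bytes) {
  if (bytes.length < 8) return null;
  const sig = String.fromCharCode(bytes[0], bytes[1], bytes[2]);
  if (sig !== "FWS" && sig !== "CWS") return null;
  const version = bytes[3];
  const length = (bytes[4] | (bytes[5] << 8) | (bytes[6] << 16) | (bytes[7] << 24)) >>> 0;
  return { signature: sig, compressed: sig === "CWS", version, length };
}

// Decrypt the array and report what the plaintext looks like.
function analyse(sArr) {
  return parseSwfHeader(xorDecrypt(sArr));
}

// Constructed sample (not the real array): a 16-byte "CWS" version-9 header
// with length 16, followed by the usual zlib stream start 0x78 0x9c and
// padding, encrypted with the same XOR. XOR is symmetric, so running the
// decryptor over plaintext produces the ciphertext.
function buildSample() {
  const plain = new Uint8Array([0x43, 0x57, 0x53, 9, 16, 0, 0, 0, 0x78, 0x9c, 1, 2, 3, 4, 5, 6]);
  return xorDecrypt(plain);
}
```

<p>With the real sArr passed to analyse(), a CWS signature confirms the second-stage SWF and the decoded length gives the size to expect after zlib inflation. The ciphertext itself fails the header check, which is a quick way to tell whether the key and the wrap-around guess are right before spending time on the inner SWFs.</p>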
<h3>APIs and URL found in decrypted file:</h3>
<p style="text-align: center"><strong><em>Fig 3.1</em></strong><em> APIs used for downloading and executing the malware</em></p>
<h2>Solution</h2>
<p>Upgrade to a version of Adobe Flash Player newer than 9.0.115.0, as directed in Adobe bulletin APSB08-11.</p>
<h2>References:</h2>
<p><a href="http://www.adobe.com/support/security/bulletins/apsb08-11.html">http://www.adobe.com/support/security/bulletins/apsb08-11.html</a><br />
<a href="http://secunia.com/">http://secunia.com/</a> <br />
<a href="http://en.wikipedia.org/wiki/SWF">http://en.wikipedia.org/wiki/SWF</a> <br />
<a href="http://en.wikipedia.org/wiki/Exploit_%28computer_security%29">http://en.wikipedia.org/wiki/Exploit_%28computer_security%29</a> <br />
&nbsp;</p>]]></description>
  <pubDate>Thu, 04 Mar 2010 15:28:00 +0100</pubDate>
  <author>Basavaraj Biradar &amp; Sandeep Kalavala</author><guid>http://www.norman.com/security_center/blog/basavaraj_and_sandeep/78160/en-us</guid>
  <enclosure url="http://static.norman.com/00/07/81/45/SWF_Ex_fig11_None.preview.png" length="6766" type="image/png" />
  </item>
<item>
  <title>Internet Explorer (6/7/8) Remote Code Execution - Remote User Add Exploit</title>
  <link>http://www.norman.com/security_center/blog/suriya_and_diwakar/78117/en-us</link>
  <description><![CDATA[<h3>Objective</h3>
<p>A malicious web site can be crafted with exploit code that compromises IE (Internet Explorer) and allows code to be executed on the victim&rsquo;s computer.</p>
<p>The more severe vulnerabilities could allow remote code execution if a user views a specially crafted web page with IE. User accounts with limited privileges on the system could be less affected than administrative accounts with full user rights.</p>
<p><strong>Affected platforms:</strong> Microsoft Internet Explorer (versions 6, 7 and 8)</p>
<h2>How does this exploit work?</h2>
<h3>At the attacker&rsquo;s end</h3>
<p>The original exploit code is available as a Perl script, which generates an exploit HTML web page that lists the user accounts present on the victim&rsquo;s computer. It can also create a new user with administrator privileges.</p>
<p style="text-align: center"><strong><em>Fig1.1</em></strong><em> Creating HTML webpage using PERL script</em></p>
<p>Using the exploit script we create the exploit HTML web page with the parameters listed below, as seen in Fig 1.1:</p>
<ul>
    <li>Port number (any)</li>
    <li>Remote user account name</li>
    <li>Remote user account password</li>
    <li>Test IP (attackers IP)</li>
</ul>
<p>After the Perl script runs, it writes the HTML file to the folder public_html inside the script&rsquo;s source directory.</p>
<h3>At the victim&rsquo;s end</h3>
<p>The link generated by the exploit code is then opened on the victim&rsquo;s end, as illustrated in Fig 1.2:</p>
<p style="text-align: center"><strong><em>Fig 1.2 </em></strong><em>Accessing the HTML link generated from exploit code</em></p>
<p>Before the crafted web page containing the exploit is opened, the command &ldquo;net user&rdquo; lists the user accounts on the victim&rsquo;s machine, as shown in Fig 1.3:</p>
<p style="text-align: center"><strong><em>Fig 1.3</em></strong><em> User account information before exploitation</em></p>
<p style="text-align: left">After the victim&rsquo;s machine opens the crafted link, a new user account named &ldquo;test&rdquo; appears; this is the name that was defined when the exploit HTML was created, as seen in Fig 1.4.</p>
<p style="text-align: center"><em><strong>Fig 1.4</strong> User account information after exploitation</em></p>
<h2>Outcome of this attack</h2>
<p>With administrative access to the victim&rsquo;s computer, the attacker can download and execute arbitrary code, leaving the machine open to further malware attacks.</p>
<p>The attacker may also use the victim&rsquo;s computer as a malware distribution system, since he now has a separate administrator account.</p>
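<p>As an added check that is not part of the original post: detection logic that flags the outcome shown in Fig 1.4, a local account created and immediately added to Administrators, by correlating two Windows Security events, 4720 (a user account was created) and 4732 (a member was added to a security-enabled local group; S-1-5-32-544 is the built-in Administrators group). The event records, host names and account names below are constructed, and the JSON-like event shape is an assumption about how the collector normalises them.</p>

```javascript
// Added example, not from the original post. Correlates Windows Security
// events 4720 and 4732 to find accounts that were created and then made
// local administrators within a short window.
const ADMINISTRATORS_SID = "S-1-5-32-544"; // built-in Administrators group

// Constructed sample events (not real log data). In the exploit case the
// "subject" would be the logged-on user whose browser rendered the page,
// not an administrator running an intentional command.
const SAMPLE_EVENTS = [
  { id: 4720, time: "2010-03-04T14:36:02Z", subject: "victim-pc\\alice", target: "test" },
  { id: 4732, time: "2010-03-04T14:36:03Z", subject: "victim-pc\\alice", member: "test", groupSid: ADMINISTRATORS_SID },
  // Benign: service account created and added to Users (S-1-5-32-545), not Administrators.
  { id: 4720, time: "2010-03-04T09:00:00Z", subject: "victim-pc\\admin", target: "svc_backup" },
  { id: 4732, time: "2010-03-04T09:00:01Z", subject: "victim-pc\\admin", member: "svc_backup", groupSid: "S-1-5-32-545" },
  // Benign for this rule: an existing account promoted, no matching 4720.
  { id: 4732, time: "2010-03-04T10:00:00Z", subject: "victim-pc\\admin", member: "bob", groupSid: ADMINISTRATORS_SID },
];

// Return accounts that were created (4720) and added to Administrators (4732)
// within windowMs (default 60 s). Event order in the input does not matter.
function findNewAdminAccounts(events, windowMs = 60 * 1000) {
  const created = new Map(); // lower-cased account name -> creation time (ms)
  for (const e of events) {
    if (e.id === 4720) created.set(e.target.toLowerCase(), Date.parse(e.time));
  }
  const hits = [];
  for (const e of events) {
    if (e.id !== 4732 || e.groupSid !== ADMINISTRATORS_SID) continue;
    const name = e.member.toLowerCase();
    if (!created.has(name)) continue;
    const delta = Date.parse(e.time) - created.get(name);
    if (delta >= 0 && delta <= windowMs) {
      hits.push({ account: e.member, createdBy: e.subject, elevatedAt: e.time });
    }
  }
  return hits;
}
```

<p>Run over the sample, the rule reports only &ldquo;test&rdquo;: the service account went into Users, and &ldquo;bob&rdquo; was promoted without a preceding creation event. Narrowing the window tightens the rule; an automated exploit performs both steps within a second or two, while a human administrator rarely does.</p>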
<h2>Conclusion</h2>
<p>Currently no patches have been released by Microsoft for this exploit. In the meantime, using another browser such as Firefox would be a preventive measure.</p>
<h2>Reference:</h2>
<p><a href="http://www.exploit-db.com/exploits/11457">http://www.exploit-db.com/exploits/11457</a></p>
<p><a href="http://www.moosoft.com/blog/2010/01/15/internet-explorer-0-day-exploit-allows-remote-code-execution/">http://www.moosoft.com/blog/2010/01/15/internet-explorer-0-day-exploit-allows-remote-code-execution/</a> <br />
&nbsp;</p>]]></description>
  <pubDate>Thu, 04 Mar 2010 14:36:00 +0100</pubDate>
  <author>Suriya Raj Natarajan &amp; Diwakar Ganesan</author><guid>http://www.norman.com/security_center/blog/suriya_and_diwakar/78117/en-us</guid>
  <enclosure url="http://static.norman.com/00/07/81/18/IE_Ex_Fig_1_None.preview.png" length="5956" type="image/png" />
  </item>
<item>
  <title>Google Buzz and Reader CSRF Vulnerability</title>
  <link>http://www.norman.com/security_center/blog/dorairajulu_and_brave/77947/en-us</link>
  <description><![CDATA[<p>Google recently launched a Twitter-like application called Google Buzz. We have established that the application is quite vulnerable to persistent CSRF attacks when data is pulled from external data feeds.</p>
<p>CSRF (Cross Site Request Forgery) vulnerability works by exploiting the trust that a site has for the user. Site tasks are usually linked to specific URLs allowing certain actions to be performed on request. If a user is logged on to the site and an attacker tricks the user&rsquo;s browser into making a request to one of these task URLs, then the task is performed and logged as the logged on user as shown in figure 1.1</p>
<p style="text-align: center"></p>
<p style="text-align: center"><em><strong>Fig.</strong> 1.1</em></p>
<p>In Google Buzz user contact list are culled out by auto-following those you email regularly. This is similar to Twitter where users can follow someone.</p>
<p>The following characteristics are common to CSRF:</p>
<ul>
    <li>Involve sites that rely on a user&rsquo;s identity</li>
    <li>Exploit the site&rsquo;s trust in that identity</li>
    <li>Trick the user&rsquo;s browser into sending HTTP requests to a target site</li>
    <li>Involve HTTP requests that have side effects</li>
</ul>
<p>As of this writing we have not succeeded in finding a sample which exploits this vulnerability in the wild.</p>
<p><strong>Discovery date:</strong> February 12, 2010.</p>
<p><strong>Reference: <br />
</strong><a href="http://www.packetstormsecurity.org/filedesc/googlebuzz-xsrf.txt.html">http://www.packetstormsecurity.org/filedesc/googlebuzz-xsrf.txt.html</a></p>
<p><strong>Note:</strong><br />
Google has already updated Buzz, but this attack is still reproducible in Google Reader.</p>]]></description>
  <pubDate>Fri, 26 Feb 2010 09:35:00 +0100</pubDate>
  <author>Sukumar Dorairajulu &amp; Lenart Ankur Brave</author><guid>http://www.norman.com/security_center/blog/dorairajulu_and_brave/77947/en-us</guid>
  <enclosure url="http://static.norman.com/00/07/79/48/Buzz_fig11_None.preview.png" length="8075" type="image/png" />
  </item>
<item>
  <title>Hoaxing Facebook</title>
  <link>http://www.norman.com/security_center/blog/snorre_fagerland/77558/en-us</link>
  <description><![CDATA[<p>We have received reports of a new scare running among Facebook users. The message is approximately as follows:</p>
<blockquote>
<p><em>Has your facebook been running slow lately? Go to &quot;Settings&quot; and select &quot;application settings&quot;, change the dropdown box to &quot;added to profile&quot;. If you see one in there called &quot;un named app&quot; delete it ... It's an internal spybot. Pass it on. THIS IS NOT A DRILL!! ------</em></p>
</blockquote>
<p>And indeed, most users will actually have such an application in their &ldquo;added to profile&rdquo; box. Relax. Breathe out. This is no virus, it is just the &ldquo;boxes&rdquo; tab on your profile. Delete the application, and &ldquo;boxes&rdquo; goes away as well. If this is what you want, fine. According to Facebook, the &ldquo;boxes&rdquo; tab is going to go away soon anyway : [ <a href="http://wiki.developers.facebook.com/index.php/Tabbed_Profile">http://wiki.developers.facebook.com/index.php/Tabbed_Profile</a> ]</p>
<p>There is however a more sinister side to this hoax. Most users, when confronted with this kind of alarmist message, will turn to Google for more information. When they do, the pages they find may not be of the beneficial kind. We have verified that Googling for this hoax returns multiple live links to pages infested with malicious content. These sites try to trick users into downloading a fake antivirus program by showing a web page like the one below, which looks a lot like a regular desktop being scanned. And, of course, the fake scan shows a lot of viruses and whatnot, a very convincing argument that you should accept the download of a &ldquo;virus-remover&rdquo;. This virus-remover is itself a trojan program that could cause all manner of real mischief.</p>
<p>The lesson to take away from this is that not all warnings are good. <strong>In particular, do not send on warnings that ask to be sent on to others &ndash; they are chain letters!</strong></p>]]></description>
  <pubDate>Wed, 27 Jan 2010 15:32:00 +0100</pubDate>
  <author>Snorre Fagerland</author><guid>http://www.norman.com/security_center/blog/snorre_fagerland/77558/en-us</guid>
  <enclosure url="http://static.norman.com/00/07/75/59/virus_remover_trojan_None.preview.png" length="8613" type="image/png" />
  </item>
<item>
  <title>[CVE-2010-0249] Vulnerability in Internet Explorer Could Allow Remote Code Execution</title>
  <link>http://www.norman.com/security_center/blog/snorre_fagerland/77263/en-us</link>
  <description><![CDATA[<p>Microsoft advisory: <a href="http://www.microsoft.com/technet/security/advisory/979352.mspx">http://www.microsoft.com/technet/security/advisory/979352.mspx</a></p>
<p>This security flaw, which was revealed about a week ago, is a threat that we are following closely. As of this writing we and others have seen a limited number of in-the-wild attacks using it. Some of these attacks were quite serious, affecting large targets like Google and Adobe (<a href="http://threatpost.com/en_us/blogs/inside-aurora-malware-011910">http://threatpost.com/en_us/blogs/inside-aurora-malware-011910</a>).</p>
<p>The various virus scanners from Norman detect the known malware that is installed by these attacks. However, there are no guarantees, as it is always possible to create malware that goes undetected for a limited time window.</p>
<p>Attacks through this vulnerability are possible on:</p>
<p><strong>Internet Explorer 6 Service Pack 1</strong> on Microsoft Windows 2000 Service Pack 4<br />
<strong>Internet Explorer 6</strong>,<br />
<strong>Internet Explorer 7</strong>,<br />
<strong>Internet Explorer 8</strong> on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2</p>
<p>The vulnerability is script-based and occurs when script accesses an HTML object that has already been deleted (freed). The resulting memory error can be exploited to run unauthorized code.</p>
<h2>Mitigation</h2>
<p>Some level of protection is gained by having Data Execution Prevention (DEP) active. DEP is enabled by default on Internet Explorer 8 on Windows XP Service Pack 3, Internet Explorer 8 on Windows Vista Service Pack 1 and later, Internet Explorer 8 on Windows Server 2008, and Internet Explorer 8 on Windows 7. DEP on Windows XP SP2 and Windows Vista RTM can be enabled with a tool downloadable from this site: <a href="http://blogs.technet.com/srd/archive/2010/01/18/additional-information-about-dep-and-the-internet-explorer-0day-vulnerability.aspx">http://blogs.technet.com/srd/archive/2010/01/18/additional-information-about-dep-and-the-internet-explorer-0day-vulnerability.aspx</a></p>
<p>Further mitigation is to turn off Active Scripting in the Internet and Local Intranet security zone, and setting the Internet zone security setting to &ldquo;high&rdquo;.</p>
<p>Microsoft has stated that they will release an out-of-band update to fix this problem as soon as the patch has been tested properly.</p>]]></description>
  <pubDate>Thu, 21 Jan 2010 09:06:00 +0100</pubDate>
  <author>Snorre Fagerland</author><guid>http://www.norman.com/security_center/blog/snorre_fagerland/77263/en-us</guid>
  </item>
<item>
  <title>Apply brain</title>
  <link>http://www.norman.com/security_center/blog/snorre_fagerland/74517/en-us</link>
  <description><![CDATA[<p>The Christmas holiday is almost upon us, and it is a good time to remind people that malware authors are likely to try to exploit periods like this to increase their spread of malware. They usually do this by sending emails and messages with content tailored to the occasion; f.ex. &ldquo;Christmas e-card&rdquo; or &ldquo;Happy new year &rdquo;. And of course, to read your greeting you&rsquo;ll have to install something that claims to be a plugin or similar, but invariably is a malicious program.<br />
Actually, this problem is not specific to Christmas. There are always spam emails targeted at the newsitem du jour. In many cases these are just spam, trying to sell stuff. In other cases there will be trojans attached to the emails.</p>
<p>The thing to do is of course to apply brain. Don&rsquo;t install anything attached to or linked to by emails, instant messages or social network messages, unless you know what you are doing. Hopefully, everyone will enjoy a quiet and virus-free turn of the year.</p>]]></description>
  <pubDate>Fri, 11 Dec 2009 14:51:00 +0100</pubDate>
  <author>Snorre Fagerland</author><guid>http://www.norman.com/security_center/blog/snorre_fagerland/74517/en-us</guid>
  </item>
<item>
  <title>Norman One of Five AV vendors certified for Windows 7 by ICSA </title>
  <link>http://www.norman.com/security_center/blog/matt_allen/72159/en-us</link>
  <description><![CDATA[<p></p>
<p>Norman is one of only five anti-virus vendors certified by ICSA labs for Windows 7. See the story here:<br />
<a href="http://www.icsalabs.com/press-release/icsa-labs-offers-first-anti-virus-certification-program-microsoft-windows-7">http://www.icsalabs.com/press-release/icsa-labs-offers-first-anti-virus-certification-program-microsoft-windows-7</a></p>
]]></description>
  <pubDate>Fri, 23 Oct 2009 12:22:00 +0200</pubDate>
  <author>Matt Allen</author><guid>http://www.norman.com/security_center/blog/matt_allen/72159/en-us</guid>
  <enclosure url="http://static.norman.com/00/04/83/26/ICSA_Cert_Anti-Virus_None.preview.jpg" length="5508" type="image/jpeg" />
  </item>
<item>
  <title>The Future is Here.  Researchers Prepare for Battle.</title>
  <link>http://www.norman.com/security_center/blog/matt_allen/72081/en-us</link>
  <description><![CDATA[<p>This is a week which seems to be the beginning of big changes in the operating system market. Tomorrow, Windows 7 will be released. With Vista, the perceived value did not outweigh the upgrade costs for much of the market. With Windows 7 however, market research suggests enough positive product differentiation to move a significant portion of the market to adopt rather quickly.</p>
<p>From an Apple perspective, Mac sales increased 17% for the 3rd quarter, contributing to a 47% net profit increase. Some of this demand is undoubtedly the result of Vista frustrations. Nevertheless, the niche Mac momentum building over the past several years seems to be ready to penetrate the market with force as public attitude of Apple&rsquo;s superior products improves.</p>
<p>Over the next 12-18 months, the operating system market will change with vigor. This means the security industry will be under a heavy burden as threats shift to the new platforms, away from the XP platform that has been our comfort zone for the past 8 years. New technology innovations are great for productivity, but we know they open up opportunities for the dark side. Prepare for battle.</p>]]></description>
  <pubDate>Wed, 21 Oct 2009 08:33:00 +0200</pubDate>
  <author>Matt Allen</author><guid>http://www.norman.com/security_center/blog/matt_allen/72081/en-us</guid>
  </item>
<item>
  <title>Twitter Phish?</title>
  <link>http://www.norman.com/security_center/blog/matt_allen/72079/en-us</link>
  <description><![CDATA[<p>How many Twitter account credentials could one collect through such a &quot;Follow us ...&quot; interface?<br />
&nbsp;</p>
<p>If I enter my credentials here, who gets them? Twitter, Messagelabs, or a hijacker? Third-party login interfaces create phishing opportunities once users come to accept such practices as the norm.</p>
<p>I strongly suggest never entering the credentials for a third-party account through anyone else&rsquo;s site.</p>]]></description>
  <pubDate>Tue, 20 Oct 2009 11:34:00 +0200</pubDate>
  <author>Matt Allen</author><guid>http://www.norman.com/security_center/blog/matt_allen/72079/en-us</guid>
  <enclosure url="http://static.norman.com/00/07/20/78/twitter_messagelabs-1_None.preview.png" length="9345" type="image/png" />
  </item>
<item>
  <title>AMTSO - We don't Dance</title>
  <link>http://www.norman.com/security_center/blog/matt_allen/71987/en-us</link>
  <description><![CDATA[<p>The Anti-Malware Testing Standards(AMTSO) workshop in Prague last week was attended by diverse multi-national organizations, cultures, and personalities. This paired with an agenda focused on ethical standards at the core resulted in an excellent setting to observe international business theories in practice. Ethically controversial topics included the creation of malware, marketing practices, and AMTSO member responsibility.</p>
<p>Business education promotes the understanding of different business cultures and standards. When within our moral bounds, we are taught to accept those differences and customize our business in the interest of stakeholder gain. This mindset leads to compromise because we learn to dance with anyone, including the devil, in the interest of some type of perceived profit. Ironically, during dinner with fellow AMTSO members, a peer commented that the MBA degree would lead to the end of the world. Many in the security community share this opinion, including the very popular blogger Alex Eckelberry, who takes the opportunity to mention the &ldquo;MBA moron&rdquo; when opportunity presents itself. What is lacking, and cannot be taught in MBA theory, is discretion of when and how to apply modern business theories.</p>
<p>The AMSTO workshop was a prime case study of when culturally accepting MBA attitudes have no place. Rather, to avoid compromise, &ldquo;Let&rsquo;s get it right&rdquo; was echoed several times over the course of workshops. When creating standards in the interest of global computer security, agreeing that everyone&rsquo;s view is okay will not produce results. I&rsquo;m happy to report that the passionate member opinions and group discussions were not a dance, but rather 2 days of hard work that producing proper standards.</p>
<p>See related blog posts from VirusBulletin, Sophos, and Eset (opens separate browser windows):</p>
<ul>
    <li><a target="_blank" href="http://www.virusbtn.com/news/2009/10_16a.xml?rss">http://www.virusbtn.com/news/2009/10_16a.xml?rss</a></li>
    <li><a target="_blank" href="http://www.sophos.com/blogs/sophoslabs/v/post/6870">http://www.sophos.com/blogs/sophoslabs/v/post/6870</a></li>
    <li><a target="_blank" href="http://www.eset.com/threat-center/blog/2009/10/16/so-what-is-amtso-compliance">http://www.eset.com/threat-center/blog/2009/10/16/so-what-is-amtso-compliance</a></li>
</ul>
]]></description>
  <pubDate>Mon, 19 Oct 2009 08:44:00 +0200</pubDate>
  <author>Matt Allen</author><guid>http://www.norman.com/security_center/blog/matt_allen/71987/en-us</guid>
  <enclosure url="http://static.norman.com/00/06/89/88/amtso_250px_None.preview.gif" length="2983" type="image/gif" />
  </item>
<item>
  <title>AMTSO - Voice Your Input</title>
  <link>http://www.norman.com/security_center/blog/matt_allen/71798/en-us</link>
  <description><![CDATA[<p>The Anti-Malware Testing Standards Organization (AMTSO) has published the members meeting <a target="_blank" href="http://amtso.org/meetings.html">agenda for next week in Prague</a>.</p>
<p>I have enjoyed drafting the network-based anti-malware testing documents over the past few months and look forward to very productive meetings next week. AMTSO has a number of different purposes benefitting the stakeholders of anti-malware technologies, <a target="_blank" href="http://amtso.org/home.html">outlined in the charter</a>.</p>
<p>I invite anyone who is not an attending member to please send me any questions, comments, or concerns about AMTSO or any topics on the agenda that I can voice at the meetings. Your direct input will improve my ability to represent your best interests and needs. I may be contacted at <a href="mailto:Matt.Allen@Norman.com">Matt.Allen@Norman.com</a></p>
]]></description>
  <pubDate>Wed, 07 Oct 2009 09:01:00 +0200</pubDate>
  <author>Matt Allen</author><guid>http://www.norman.com/security_center/blog/matt_allen/71798/en-us</guid>
  <enclosure url="http://static.norman.com/00/06/89/88/amtso_250px_None.preview.gif" length="2983" type="image/gif" />
  </item>
<item>
  <title>October: Cybersecurity Awareness Month</title>
  <link>http://www.norman.com/security_center/blog/per_olav_forland/71686/en-us</link>
  <description><![CDATA[<p>For some years the United States of America has held October as National Cybersecurity Awareness month. Since 2007 this month has also been recognized by Canada in a similar way.</p><p>This is a good initiative! Lack of <strong>awareness </strong>of potential issues regarding security in cyberspace is one of the main reason why so many persons and organizations become victims of cyber crime.</p><p>Take social engineering as an example. Most security issues are results of clever social engineering. There is a huge potential to reduce these if the public and professionals become more aware of the fact that it is extremely unlikely that a person has won multimillions in a lottery (which he has never heard of) and can claim the prize by visiting a web site. And is it likely that a famous movie star has picked a person's email address and offers to get to know/meet him if you visit her web site and enter your personal information?</p><p>A higher degree of awareness will result in fewer persons accepting such too-good-to-be-true schemes.</p><p>One may hope that more governments realise that cybersecurity awareness is of utmost importance and take intiatives to introduce the cybersecurity month in their respective contries.</p><p>More information about the national cybersecurity month is available from several web sites, including</p><ul>    <li><a target="_blank" href="http://www.dhs.gov/files/programs/gc_1158611596104.shtm">United States Homeland Security's information about National Cybersecurity Awareness Month</a></li>    <li><a target="_blank" href="http://www.safecanada.ca/cybersecurity_e.asp">Government of Canada's information about Cyber Security Awareness Month</a></li></ul>]]></description>
  <pubDate>Wed, 30 Sep 2009 11:39:00 +0200</pubDate>
  <author>Per Olav Førland</author><guid>http://www.norman.com/security_center/blog/per_olav_forland/71686/en-us</guid>
  </item>
<item>
  <title>Just another social engineering blog</title>
  <link>http://www.norman.com/security_center/blog/matt_allen/71676/en-us</link>
  <description><![CDATA[<p>While training forensic teams protecting highly sensitive information and networks to better utilize <a href="/enterprise/all_bundles/norman_sandbox_malware_analyzers/">Norman&rsquo;s SandBox Analyzer products</a>, we explored recent targeted malware attacks against these organizations. As we looked at these files, I was reminded of the meticulous creativity of the attackers. The attackers obviously had insider knowledge to craft some of these attacks. The clever social engineering ploys involved in the actual attack make me believe this knowledge was the result of gathering inside intelligence as a part of that research.</p>
<p>As I considered the number of people working in this environment, I realized how many insiders had knowledge of such classified systems. We see news reports almost daily about fraudulent insiders, but then there are the insiders who may not be skeptical enough of trusted parties.&nbsp;I will be the first to argue the case that dissemination of information leads to innovation and social gain. However, the level of trust that must be extended to so many people to protect the integrity of sensitive information and global safety is scary.</p>
<p>This experience was yet another reminder that we must be more careful than ever about whom we trust. These days, malicious intent is hidden within the vectors we use for information dissemination with increasing frequency. Every information query must be scrutinized as a probable attack or breach tactic. I&rsquo;m proud to be part of an organization and product team focused on identifying, investigating and researching the mind and work of the enemy. <br />
&nbsp;</p>]]></description>
  <pubDate>Tue, 29 Sep 2009 08:47:00 +0200</pubDate>
  <author>Matt Allen</author><guid>http://www.norman.com/security_center/blog/matt_allen/71676/en-us</guid>
  </item>
<item>
  <title>Uniting Consumer Needs with Comparative Influence</title>
  <link>http://www.norman.com/security_center/blog/matt_allen/71508/en-us</link>
  <description><![CDATA[<p>Antimalware consumers establish product value based on a number of different product attributes. Though brand recognition may be the most important, detection capabilities, engine performance, usability, scalability, and other features follow as the secondary drivers of customer perceived value. 3rd party product reviews are the trusted source by which consumers measure these attributes.</p>
<p>Unfortunately, many of the most reputable antimalware product reviews today evaluate value based upon threat spread vectors from years past. Modern malware uses a range of spread vectors including browser attacks, phishing campaigns, and targeted attacks to name a few. Many testing methodologies evaluate products against collections of threats after they have already emerged. Additionally, products are tested for simple detection of a sample, rather than using the threat vector by which the sample spreads.</p>
<p>NSS Labs has released new antimalware comparatives focused on real world testing methodologies, demonstrating an understanding that comparatives must be aligned with the security threats of today to have any genuine positive effect on computer security stakeholders. Antimalware stakeholders often argue that security organizations are not adequately protecting them. Security organizations dedicate resources to performing well in the tests consumers trust because it leads to an increased customer perception of value, which ultimately leads to revenue. Such focus distracts security companies from focusing entirely on the real world threats.</p>
<p>The solution to this vicious cycle is either to abandon initiatives to perform well in comparatives and risk depressed revenue, or to change the testing methodologies. By aligning industry testing methodologies with current threats, vendors&rsquo; obligations to the computing community can be unified into one research objective with the previously separate goal of performing well in the comparative reviews consumers trust. As malware threats become increasingly complex, so do our security products. To drive innovation and adequate products, the sources consumers trust must be aligned with consumer needs. Commendations to NSS Labs as they pioneer this initiative.</p>
<p>More information on the host malware protection tests from NSS Labs can be found at the following sites:</p>
<ul>
    <li><a target="_blank" href="http://nsslabs.com/host-malware-protection/corporate-endpoint-protection-products.html">http://nsslabs.com/host-malware-protection/corporate-endpoint-protection-products.html</a></li>
    <li><a target="_blank" href="http://nsslabs.com/host-malware-protection/consumer-anti-malware.html">http://nsslabs.com/host-malware-protection/consumer-anti-malware.html</a></li>
</ul>]]></description>
  <pubDate>Tue, 22 Sep 2009 08:46:00 +0200</pubDate>
  <author>Matt Allen</author><guid>http://www.norman.com/security_center/blog/matt_allen/71508/en-us</guid>
  </item>
<item>
  <title>How to Buy Network Based Security Products</title>
  <link>http://www.norman.com/security_center/blog/matt_allen/71403/en-us</link>
  <description><![CDATA[<p>I often get questions about why one should buy a network based security appliance such as Norman&rsquo;s Norman Network protection solution. The answer to this question often varies by the design and content of the customer&rsquo;s information technologies. Once a perception of value is established, a more important question is asked. What variables should I be considering when selecting such a product? Rightly so, solution evaluators usually don&rsquo;t trust the answers they get from vendors marketing such products. Sometimes a customer can turn to 3rd party testing organizations, which may or not have biased testing results, or even include all viably competitive products.</p>
<p>Network based security products fall into three main categories: software-only, appliances, and hosted solutions. In general, the software component of network based security products can be evaluated using the same methods as traditional host based products. I hope to make those evaluating such products aware of, and attentive to, the additional variations introduced by implementing security products at the network level.</p>
<h2>Software</h2>
<p>A significant variation between host and network based scanning is the scope of data scanned. A host based Anti-Malware product can scan anything supported by the underlying engine. The scope of this support will often dictate the types of threats the engine will protect against. Similarly, network based products are usually limited to scanning on a restricted number of popular ports. Typically, the more protocols supported by a device, the more protection offered. The evaluator should have knowledge of the significance of each specific protocol within their network to make decisions on the effectiveness of a product within their network. For example, it is more critical for network based products purchased for use within and between subnets to support network communication protocols such as CIFS and SMB, whereas a product required strictly as a gateway device would primarily need to focus on internet protocols.</p>
<p>When evaluating network based products at the network level, certain product attributes will also be weighted differently for each unique network. For example, latency is more important when evaluating network based products because it can affect the computing performance of every user behind the device, which makes the scan efficiency of the underlying engine more important. A security product denying service can hurt an organization as much as some security breaches. In such a case, latency carries more weight for the end user than exceptional detection ability. Further complicating measurements is the fact that the default settings shipped with the product may affect the detection vs. latency trade-off: certain proactive and heuristic detection methods may slow down scanning but produce better detection, or vice versa.</p>
<p>There may be several different software modules operating concurrently on a network security product. These products are commonly referred to as Unified Threat Management (UTM) products, and may include such technologies as intrusion prevention, intrusion detection, Anti-Malware, anti-spam, content control, etc. In many cases, these products may be able to provide a higher level of overall security than a single component product. However, single component products will often be more cost effective, more efficient at handling network traffic, and more flexible to implement at various network and subnetwork locations. The customer should understand that single component products are more focused in functionality and cannot be expected to compete directly as a total security product within the UTM product category.</p>
<h2>Hardware</h2>
<p>As with host based security products, hardware influences the performance of network based Anti-Malware products. The actual security software is in most cases only approved by the vendor for use on specific hardware. Hardware requirements often differ according to the performance required by the user. Hardware requirements should be respected and the product should be used within the performance range it was designed to operate in. For example, if a test box is unable to handle your network load, you should consider requesting more robust hardware rather than dismissing the product as inferior.</p>
<p>The evaluator may find it appropriate to consider product attributes that address how the product reacts and performs when power to an appliance unit fails or network traffic exceeds maximum capacity, etc. The results of these and other scenarios can lead to denial of service by blocking safe traffic, as well as security breaches by allowing potentially malicious traffic to bypass the device. Even though these scenarios are unrelated to the underlying security engine, hardware limitations can affect the detection ability of the overall product.</p>
<p>Hardware products have additional product features and specs that should be considered for validity beyond host based solutions. For example, are vendor claims such as throughput and other performance measures met by both the hardware and software? Can stability be maintained over long periods of time? What happens in the case of an additional traffic spike? More importantly, how do the product attributes and features increase overall value to your network security initiatives in relation to both your current solutions and the competitive solutions on the market?</p>]]></description>
  <pubDate>Thu, 10 Sep 2009 08:44:00 +0200</pubDate>
  <author>Matt Allen</author><guid>http://www.norman.com/security_center/blog/matt_allen/71403/en-us</guid>
  </item>
<item>
<title>A blast from the past – the source code virus Induc.A</title>
  <link>http://www.norman.com/security_center/blog/snorre_fagerland/70923/en-us</link>
<description><![CDATA[<p>Some days ago, Andreas Marx (of av-test.org) sent a copy of a new virus to all antivirus companies, with a warning that infected files had been found on some magazine CD/DVDs. True enough, the virus was new to the attention of antivirus companies. The virus was W32/Induc.A. This is something of a rarity &ndash; it is a source code infector. These viruses do not propagate directly from machine to machine, nor do they attach themselves directly to executables found on the victim machine. Instead, they try to use programming environments they encounter by somehow inserting their own source code (for example C or Pascal) into existing innocent code.</p>
<h2>A new kind of virus?</h2>
<p>No. Nope. Not at all. This kind of virus is almost as old as the computer virus problem itself. In operating systems like Linux, C compilers are part of the setup and malware for these platforms often comes as source code to be compiled locally.</p>
<p>On the PC platform script/macro viruses have done this for years, though one may argue that these are special cases since no explicit compiler is targeted. However, a few source code viruses targeting compilers for C, Pascal, or assembler were created in the early 1990s, mostly as proof-of-concept. These viruses never had much success due to the lack of people with build environments.</p>
<p>This exact virus, Induc.A, has been very &ldquo;successful&rdquo; &ndash; it has at least existed since around December 2008, infecting files silently without anyone noticing it. How is this possible?</p>
<p>The first reason the virus has not been noticed is that it does not touch any of the files that normally are under scrutiny by security tools. Instead it inserts itself into a file in the popular Delphi programming environment. This file, sysconst.pas, is compiled into a unit called sysconst.dcu, which is linked into almost every Delphi project built on that machine. From then on, the programmers themselves create new infected files without knowing it.</p>
<p>The second reason it has not been noticed is that it has no additional payload. It does not download anything, and it does not attempt to contact any entity outside the infected PC. The act of injecting itself into the Delphi environment is quickly done and requires no further resources on the computer.</p>
<p>The third reason has to do with trust. &ldquo;I&rsquo;ve just compiled this file, so I know it is clean&rdquo;. A lot of these infected files have been digitally signed and/or come from serious software producers, and are thus treated with a lot more trust than run-of-the-mill executables. The files do what they are supposed to, their little side effect notwithstanding, so no one has raised any alarm.</p>
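<p>The lesson of Induc.A is that the toolchain is an input to every build and has to be verified like one. The script below is an added example (not part of the original post or of any Norman tool) of the check a build engineer would want: pin SHA-256 hashes of the compiler's runtime source and unit files in a manifest, then compare the toolchain against that manifest before compiling. The install path <code>Delphi7/Lib</code> and the file contents are constructed for the demonstration; the file names sysconst.pas and sysconst.dcu are the ones named above.</p>

```python
"""Build-toolchain integrity check (added example, not the original post's code).

Induc.A survives because it lives in the compiler's own runtime source
(sysconst.pas -> sysconst.dcu), so every program built afterwards carries it.
Pinning a manifest of the toolchain files and verifying it before each build
catches a modified source file, a rebuilt unit, and any unit dropped in later.
The Delphi7/Lib layout and file contents below are constructed for the demo.
"""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 16
DEFAULT_PATTERNS = ("*.pas", "*.dcu")   # Delphi source units and compiled units


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, patterns=DEFAULT_PATTERNS) -> dict:
    """Hash every matching file under root. Keys are root-relative POSIX paths
    so the manifest can be stored out of band and reused on another machine."""
    manifest = {}
    for pattern in patterns:
        for p in sorted(root.rglob(pattern)):
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_manifest(root: Path, manifest: dict, patterns=DEFAULT_PATTERNS) -> dict:
    """Compare the toolchain on disk with the pinned manifest.
    Returns modified / missing / unexpected path lists; all empty means clean."""
    current = build_manifest(root, patterns)
    modified = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    missing = sorted(k for k in manifest if k not in current)
    unexpected = sorted(k for k in current if k not in manifest)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def demo() -> dict:
    """Constructed scenario: pin a clean toolchain, then simulate an Induc-style
    edit of sysconst.pas, a recompiled sysconst.dcu and one dropped extra unit."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "Delphi7" / "Lib"      # assumed install layout
        lib.mkdir(parents=True)
        root = lib.parent
        (lib / "sysconst.pas").write_text("unit SysConst;\ninterface\nimplementation\nend.\n")
        (lib / "sysconst.dcu").write_bytes(b"\x00clean-dcu\x00")
        (lib / "sysutils.pas").write_text("unit SysUtils;\nend.\n")

        pinned = build_manifest(root)            # taken on the known-good install
        clean_report = verify_manifest(root, pinned)

        # Simulate the infection: source patched, unit recompiled, new unit dropped.
        with (lib / "sysconst.pas").open("a") as f:
            f.write("{ injected code would go here }\n")
        (lib / "sysconst.dcu").write_bytes(b"\x00rebuilt-dcu\x00")
        (lib / "extra.dcu").write_bytes(b"\x00dropped\x00")

        infected_report = verify_manifest(root, pinned)
        return {"clean": clean_report, "infected": infected_report}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

<p>The manifest only helps if it is taken from a known-good install and stored where the build host cannot rewrite it (a signed file in the repository, or a separate server); a manifest regenerated on the infected machine would simply pin the infected files. The same check applies to any compiler or build image, not just Delphi.</p>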
<p>It just goes to show that no software is entirely safe, even if the sources seem legitimate.</p>]]></description>
  <pubDate>Fri, 21 Aug 2009 14:35:00 +0200</pubDate>
  <author>Snorre Fagerland</author><guid>http://www.norman.com/security_center/blog/snorre_fagerland/70923/en-us</guid>
  </item>
<item>
  <title>Turmoil by Twitter</title>
  <link>http://www.norman.com/security_center/blog/snorre_fagerland/69484/en-us</link>
  <description><![CDATA[<p>Following the disputed election in Iran a number of interesting things have happened in Cyberspace. As we saw some time ago in Moldova, social networking tools are showing their worth as political force amplifiers.</p>
<p>Supporters of Mir-Hossein Mousavi, one of the presidential candidates in Iran, are using mainly Twitter to coordinate their protest efforts and to get information out of Iran. This happens round the <strong>#iranelection </strong>search tag, where people tweet updates on the situation, warnings, coordination messages and so on. As the world has focused its attention on these happenings, so have interested twitterers from around the globe; <strong>#iranelection </strong>has been on top of the most trending topics for days. Depending on time of day, there are tens to hundreds of new tweets a minute.</p>
<p>As with any largely anonymous news source, information via tweets must be taken with spades of salt. The Iranian government is reportedly posting wrong and misleading information in order to, for example, keep people away from the streets. There are in any case plenty of low-quality messages coming from ordinary twitterers.</p>
<p>Actual tweets from inside Iran are the minority; the bulk of the traffic is re-tweets (RTs), messages repeated to keep them visible. This results in old tweets being re-sent, sometimes in direct contradiction to each other.</p>
<p>The Iranian government is also trying to limit the Twitter information flow by blocking users and domains. However, this is seemingly an impossible task.</p>
<p>More and more twitterers from outside Iran are joining the discussion. By setting their timezone to GMT+03:30 and their location to Tehran they make it hard for the Iranian government to identify and stop the information leakage. In addition, people set up Twitter proxy servers faster than the Iranian government can block them &ndash; all this, of course, organized via Twitter.</p>
<p>Other actions are more direct. Some people are using distributed denial of service (DDOS) tactics to attack sites they consider to be spreading Iran government propaganda. Most of these tools are pretty basic; they usually involve more or less continuous page loads from the attacked sites.</p>
<p>However, there can be little doubt that other and more powerful tools are also in full swing.</p>
<p>This trend seems to be slowing down a bit. Not only are people pointing out that DDOS is a crime in most countries and can land you in serious trouble, but many want it stopped because it is hurting their own case.</p>
<p><strong>We here at Norman strongly advise against using DDOS tactics, regardless of what kind of political sympathies one might have.</strong></p>
<p>These are indeed interesting times, a teaching moment for governments and action groups alike. Social networking tools have become a system of information dissemination that makes it very hard to do effective propaganda or information control &ndash; certainly a good thing, all told.</p>
<p><strong>[all Twitter IDs and links are removed].</strong></p>]]></description>
  <pubDate>Wed, 17 Jun 2009 14:55:00 +0200</pubDate>
  <author>Snorre Fagerland</author><guid>http://www.norman.com/security_center/blog/snorre_fagerland/69484/en-us</guid>
  <enclosure url="http://static.norman.com/00/06/94/85/twitter_1_None.preview.jpg" length="2102" type="image/jpeg" />
  </item>
<item>
  <title>A new web site for Norman</title>
  <link>http://www.norman.com/security_center/blog/per_olav_forland/68978/en-us</link>
  <description><![CDATA[<p>Today,&nbsp;25th May, Norman is pleased to announce its new web site. Any surfer that has visited our web previously will already have noticed major changes.</p>
<p>For several months personnel from different departments in Norman have been working on a completely new web site with a new navigation structure as well as a totally new design. Our aim has been to make the web site more appealing and easier to navigate for our various user groups (such as customers, partners, security personnel and the casual surfer).</p>
<p>The main changes from the previous version are:</p>
<ul>
    <li>Totally new look</li>
    <li>Product information is split into three for the different user groups
    <ul>
        <li>Home / home users</li>
        <li>Small and medium businesses</li>
        <li>Enterprises</li>
    </ul>
    </li>
<li>The former microsites Norman SandBox Information Center and Norman Malware Analyzer are removed and their content integrated into the main Norman web site.</li>
    <li>A new special section - Security Center, which contains general security information, including
    <ul>
        <li>general security articles,</li>
        <li>this Security blog,</li>
<li>information about Norman's assessment of the current threat level and particularly dangerous malware, among other useful security information.</li>
    </ul>
    </li>
    <li>A new section - Our technology - with in-depth information about the special technology that Norman uses in its products.</li>
</ul>
<p><strong>I trust that the new web will be recognized as a considerable improvement for all visitors.</strong></p>]]></description>
  <pubDate>Mon, 25 May 2009 08:50:00 +0200</pubDate>
  <author>Per Olav Førland</author><guid>http://www.norman.com/security_center/blog/per_olav_forland/68978/en-us</guid>
  </item>
<item>
<title>W32/Virut.CM – Observations</title>
  <link>http://www.norman.com/security_center/blog/righard_zwienenberg/69007/en-us</link>
<description><![CDATA[<p>Recently a new virus variant surfaced which we at Norman call W32/Virut.CM, but what&rsquo;s in a name. This Virut variant is a polymorphic file-infecting virus, approximately 20 KB long, that aggressively infects most executable and screen saver files on the system. In addition to infecting executables, W32/Virut.CM also infects most HTML based files on the system by inserting IFrames.</p>
<p>A full technical observation from Norman&rsquo;s Tom Bonner can be found <a href="/business_partner/misc/gb-virut/">here</a>. This observation deals with the complete behavior of W32/Virut.CM, infection vectors, connections to IRC Servers, blocking of specific security websites including Norman&rsquo;s (so if you read this online, it means your system is not infected by this Virut variant, congratulations!) and some anti-emulation tricks. It will also list all the additional components it will download and install, including a rootkit, complemented with the SandBox output and network traffic details. Well worth the time to read.</p>
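<p>The HTML infection vector is the part of this variant a web administrator is most likely to meet on an otherwise unmanaged host. The script below is an added example (not part of the original post or of Norman's cleaner) of the triage a responder would run: walk a tree of HTML files, list every <code>&lt;iframe&gt;</code>, and flag the ones worth a closer look. The flagging heuristics (source host not on the site's own list, zero or one-pixel dimensions, hidden by inline style) are general web-malware indicators assumed here, not a signature for this variant, and the sample pages with the hosts <code>intranet.example</code> and <code>attacker.invalid</code> are constructed for the demonstration.</p>

```python
"""IFrame triage over a tree of HTML files (added example, not the post's code).

W32/Virut.CM inserts IFrames into HTML files on an infected host. This scanner
lists every iframe found and flags the ones matching generic indicators of an
injected frame. The indicators are assumptions for the demo, not a Virut
signature, and the sample pages are constructed inline.
"""
import tempfile
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value is None for bare attributes
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value: str) -> bool:
    """True for width/height values of 0 or 1 (e.g. "1", "1px", "0")."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= 1


def suspicious(attrs: dict, own_hosts: set) -> list:
    """Return the list of reasons an iframe looks injected (empty if none)."""
    reasons = []
    host = urlparse(attrs.get("src", "")).hostname
    if host and host not in own_hosts:
        reasons.append(f"external src {host}")
    if _is_tiny(attrs.get("width", "")) or _is_tiny(attrs.get("height", "")):
        reasons.append("zero/tiny dimensions")
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden by style")
    return reasons


def scan_tree(root: Path, own_hosts: set) -> list:
    """Scan *.htm / *.html under root; return one finding per suspicious iframe."""
    findings = []
    for path in sorted(root.rglob("*.htm*")):
        parser = IframeCollector()
        parser.feed(path.read_text(errors="replace"))
        for attrs in parser.iframes:
            reasons = suspicious(attrs, own_hosts)
            if reasons:
                findings.append({"file": path.name,
                                 "src": attrs.get("src", ""),
                                 "reasons": reasons})
    return findings


def demo() -> list:
    """Constructed web root: one legitimate frame, one injected-looking frame."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text(
            '<html><body><h1>Welcome</h1>'
            '<iframe src="https://intranet.example/map" width="600" height="400"></iframe>'
            '</body></html>')
        (root / "about.htm").write_text(
            '<html><body>About us'
            '<iframe src="http://attacker.invalid/x.php" width="1" height="1" '
            'style="display: none"></iframe>'
            '</body></html>')
        (root / "notes.txt").write_text("<iframe src=...> not an HTML file")
        return scan_tree(root, own_hosts={"intranet.example"})


if __name__ == "__main__":
    for finding in demo():
        print(finding["file"], finding["src"], ", ".join(finding["reasons"]))
```

<p>A finding is a lead, not a verdict: legitimate pages embed third-party frames too, so the list of own hosts should come from the site's configuration, and any flagged file should be compared against a clean copy from source control or backup before it is cleaned. On a host where executables are also infected, the HTML files are only a symptom; the executables have to be handled with the cleaning utility described below.</p>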
<p>Norman has released a special cleaning utility (*)&nbsp;for the W32/Virut.CM that can be downloaded and used by everyone. Instructions for usage can be found here (*).</p>
<p><em>(*) The functionality in the special Virut cleaner has as of 2nd September 2009 been incorporated in the free general tool, Norman Malware Cleaner. You will find this tool </em><a href="/support/support_tools/58732/"><em>here</em></a><em>.</em></p>]]></description>
  <pubDate>Thu, 21 May 2009 10:45:00 +0200</pubDate>
  <author>Righard Zwienenberg</author><guid>http://www.norman.com/security_center/blog/righard_zwienenberg/69007/en-us</guid>
  </item>
<item>
  <title>Anti-Malware Testing Standards Organization to start analysis of Anti-Malware Reviews</title>
  <link>http://www.norman.com/security_center/blog/righard_zwienenberg/68979/en-us</link>
<description><![CDATA[
<p>The Anti-Malware Testing Standards Organization (AMTSO) held another members&rsquo; meeting on May 4 and 5, 2009 in Budapest, Hungary. At this meeting, three <a target="_blank" href="http://www.amtso.org/en/documents.html">standard documents</a> were finished and adopted. One of them is pretty unique, as it covers a means of providing public analysis of anti-malware reviews, in which the testing methodology used is compared to AMTSO&rsquo;s standards for anti-malware testing. The primary goal of this analysis is to provide consumers with information on the accuracy and reliability of product reviews, and to improve the overall quality of anti-malware testing.</p>
<p>There are too many tests that do not publish any details on the methodology or sample set used, which leaves users only to guess why a specific result was established. Without such clarification, a test is worth next to nothing. Hopefully, with this process of public analysis, clarity will come for the end-users, and they will be able to read why a test is 'not good'.</p>
<p>The two other papers adopted were &ldquo;Suggested Methods for the Validation of Samples&rdquo;, to help the tester decide which samples are good to use for testing purposes and which are not, and &ldquo;Best Practices for Testing In-the-Cloud Security Products&rdquo;, which provides an overview of the problems faced in conducting reliable and repeatable tests of such security products. As &lsquo;In-the-Cloud&rsquo; is the buzzword of the moment, it is likely that many testers will try to test these solutions, and we encourage them to read the documents and the advice offered on how to approach the testing to minimize the problems this new technology brings to testing.</p>
<p>The full press release can be read <a target="_blank" href="http://www.amtso.org/en/antimalware-testing-standards-organization-to-start-analysis-of-antimalware-reviews.html">here</a>.</p>]]></description>
  <pubDate>Tue, 19 May 2009 11:51:00 +0200</pubDate>
  <author>Righard Zwienenberg</author><guid>http://www.norman.com/security_center/blog/righard_zwienenberg/68979/en-us</guid>
  <enclosure url="http://static.norman.com/00/06/89/88/amtso_250px_None.preview.gif" length="2983" type="image/gif" />
  </item>
</channel></rss>