Security Information Week 29, 2006
"When you are dealing with rootkits and some advanced spyware programs, the only solution is to rebuild from scratch. In some cases, there really is no way to recover without nuking the systems from orbit," says Mike Danseglio, a program manager in Microsoft's Security Solutions Group, at the InfoSec World Conference. The best action corporations can take is to invest in automated processes for restoring systems that have been affected by malware.
Apple has released a beta version of "Boot Camp", which enables Intel-based Macintosh machines to install Windows XP. After the installation and a reboot, the user can choose to boot either Mac OS X or Windows XP. Boot Camp is to become part of "Leopard", the codename for Apple's next version of Mac OS X, which will have its first preview in August 2006.
Vulnerabilities have been discovered in several Cisco devices. The first is the Cisco 11500 Content Services Switch, which suffers from an HTTP request vulnerability: if the switch is configured to perform HTTP compression, it may be vulnerable to a denial of service attack when processing a specially crafted HTTP request.
Multiple vulnerabilities were discovered in the Cisco Optical Networking Systems (ONS). These affect the Multi-Service Provisioning Platforms ONS 15310, ONS 15327 and ONS 15600 and the Multi-Service Transport Platform ONS 15454; optical nodes whose Common Control Cards are connected to a Data Communications Network over IPv4 are affected. When exploited, this may result in a denial of service of the Common Control Cards.
A vulnerability was also found in the Cisco Transport Controller applet launcher, which can lead to arbitrary code execution on the workstation.
Cisco has made software available to address the vulnerabilities in both product lines.
Oracle accidentally published details of an unpatched flaw on its own MetaLink support website, with full details including exploit code. The flaw affects all versions of Oracle Database from 9.2.2.0 to 10.2.0.3. Once Oracle became aware that the information was freely available, it removed it from the website. The flaw lies in how Oracle Database handles certain specially crafted views created by unprivileged users: a user holding no more than SELECT privileges could, through such a view, update, delete or insert data in the database.
Interestingly, it is usually Oracle that criticizes others for making vulnerability details public. Now Oracle has done it itself, albeit by accident.
So far, 2006 seems to be the year of the proof of concept, with yet another one: a file-infecting virus that infects both Windows (PE format) and Linux (ELF format) executables. The virus uses two different techniques to infect files on the two platforms: it calls Kernel32.dll API functions to infect Windows files and uses the int 0x80 system call interface to infect Linux files. Apart from infecting both formats, the virus does nothing else malicious.
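Whether infecting or scanning, the first step for anything that deals with both formats is telling a PE from an ELF by its header rather than by its file name. The following Python is an added example written for this page; it is not code from the newsletter or from the virus described, and the sample files it classifies are constructed inline (minimal headers only, no executable code). It returns the format, word size and CPU for ELF and PE files and rejects a bare DOS "MZ" stub that has no PE signature.

```python
"""Classify executables by header: PE (Windows) or ELF (Linux).

Added example for this page, not code from the original text or from the
cross-platform virus it describes.  Sample inputs are constructed below.
"""
import struct
from typing import Optional

ELF_MAGIC = b"\x7fELF"
PE_SIGNATURE = b"PE\0\0"

# e_machine (ELF) and Machine (PE COFF header) values for common CPUs.
ELF_MACHINES = {0x03: "x86", 0x3E: "x86-64", 0x28: "ARM", 0xB7: "AArch64"}
PE_MACHINES = {0x014C: "x86", 0x8664: "x86-64", 0x01C0: "ARM", 0xAA64: "ARM64"}


def classify_executable(data: bytes) -> Optional[str]:
    """Return 'ELF32/<cpu>', 'ELF64/<cpu>', 'PE/<cpu>' or None.

    ELF: fixed magic at offset 0, EI_CLASS at 4, EI_DATA at 5, e_machine at 18.
    PE:  'MZ' DOS stub, 32-bit little-endian e_lfanew at 0x3C pointing to
         'PE\\0\\0' followed by the 20-byte COFF header (Machine comes first).
    """
    if data.startswith(ELF_MAGIC) and len(data) >= 20:
        bits = {1: 32, 2: 64}.get(data[4])
        endian = {1: "<", 2: ">"}.get(data[5])
        if bits is None or endian is None:
            return None  # malformed EI_CLASS / EI_DATA
        (e_machine,) = struct.unpack_from(endian + "H", data, 18)
        return f"ELF{bits}/{ELF_MACHINES.get(e_machine, hex(e_machine))}"

    if data.startswith(b"MZ") and len(data) >= 0x40:
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        # The PE header must lie past the DOS header and leave room for
        # signature + COFF header; otherwise this is a plain DOS program.
        if 0x40 <= e_lfanew <= len(data) - 24 and data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE:
            (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
            return f"PE/{PE_MACHINES.get(machine, hex(machine))}"
    return None


def make_pe_sample(machine: int = 0x014C) -> bytes:
    """Constructed minimal PE image: 0x80-byte DOS stub, then PE\\0\\0 + COFF header."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + PE_SIGNATURE + coff


def make_elf_sample(bits: int = 64) -> bytes:
    """Constructed minimal ELF header: little-endian ET_EXEC for x86 or x86-64."""
    ident = ELF_MAGIC + bytes([2 if bits == 64 else 1, 1, 1, 0]) + bytes(8)
    e_type_machine = struct.pack("<HH", 2, 0x3E if bits == 64 else 0x03)
    return ident + e_type_machine + bytes(64 - len(ident) - len(e_type_machine))


if __name__ == "__main__":
    samples = {
        "pe32": make_pe_sample(),
        "pe64": make_pe_sample(0x8664),
        "elf32": make_elf_sample(32),
        "elf64": make_elf_sample(64),
        "dos-only": b"MZ" + bytes(0x3E),
        "script": b"#!/bin/sh\n",
    }
    for name, blob in samples.items():
        print(f"{name:9} -> {classify_executable(blob)}")
```

The length checks matter in practice: an infector that trusts e_lfanew blindly crashes on truncated or hostile files, and a scanner that does the same can be driven into reading past the buffer.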
IBM has created a hardware-based encryption technology, inspired by mainframe security, intended to protect consumer products, medical devices, defense systems and digital media. The technology, named "SecureBlue", can be applied to almost any equipment that holds valuable confidential or private information, such as mobile phones, PDAs, PCs and notebooks.
A vulnerability was discovered in Internet Explorer's createTextRange method that could allow remote code execution through specially crafted websites or e-mails. The actual damage was limited, as Microsoft worked closely with partners such as Norman to take down websites hosting malicious code and to share the URLs of malicious sites.
Firefox is always said to be safer than Microsoft's Internet Explorer, yet Mozilla's Firefox has already had more security updates this year than Internet Explorer had in the whole of last year. Today the Mozilla Foundation released no fewer than 21 fixes for flaws in the Firefox web browser. Among other things, these flaws can be exploited to perform phishing attacks and to tamper with security restrictions or sensitive data.
At 16:30, Norman's popular Sandbox Information Center (http://sandbox.norman.com) came under a DDoS attack. The web/SQL server was extremely busy due to traffic from a botnet. With the aid of our ISP, the DDoS could be blocked at the Norwegian internet backbone, so operations within Norman could continue as normal. The botnet was brought down.
Ever since Norman started offering the Sandbox Information Center, people have tried to beat the Sandbox. This results in some interesting references inside malware, in which, for instance, the sexual preference of Norman according to the bad guys is listed. Needless to say, the sexual preference of Norman is classified and therefore all suggestions are nothing but speculation.
This year seems set to become a year of frequent and numerous patches. Although these patches were for several Oracle products, including its database and application server software, their wide usage in large corporations makes the number of fixes a serious matter. Together with the security patches, Oracle also updated its existing tool that looks for default logins and weak passwords. Weak passwords can usually be guessed or found by brute force, and attackers would gain easy access this way.
The well-known American Express credit card company suffered from fake pop-ups requesting personal details such as name, date of birth, social security number and mother's maiden name. An important detail is that the pop-up can appear even when the user browses to American Express' own website. The pop-up is most likely generated by spyware installed on the computers of the users who experience it. Several hundred new banking trojans are discovered every month.
Millions of blogs became unavailable due to a distributed denial of service attack on Six Apart, one of the most popular blog services in the USA. DDoS attacks on popular sites are becoming more and more common.
The EICAR test file was created to make sure your antivirus product is working: detecting the file and taking the appropriate actions. To counter a common misconception: detection of the EICAR test file is NOT an assurance that your antivirus product detects each and every virus. Some antivirus vendors have chosen, for their own reasons, not to detect the EICAR test file. All Norman products that incorporate the Norman Scanner Engine detect the EICAR test file.
Another initiative launched to 'aid' end-users in testing their antispyware is the SpyCar project. By its own definition, SpyCar is a suite of tools designed to mimic spyware-like behavior, but in a benign form. Intelguardians created SpyCar so that anyone could test the behavior-based defenses of an antispyware tool. But the actions performed by SpyCar are rather generic. Changing one's default home page in Internet Explorer is something lots of end-users do willingly, often automatically by clicking a link on their favorite site. The same applies to changing the default search page. These actions are not necessarily the work of spyware or adware.
One of the downsides of SpyCar is that it concentrates entirely on Internet Explorer and ignores other popular browsers such as Firefox and Opera, whereas the EICAR test file is antivirus-platform independent. The call for a test file for antispyware has been growing lately. EICAR will change the description of the EICAR test file from an antivirus to an antimalware test file. The definition and the contents of the 68-byte file stay the same; they cannot be changed without causing world-wide problems in the antivirus industry.
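The reason the 68 bytes are frozen is that every scanner recognizes the file by the same published rule: the file begins with exactly those 68 ASCII characters, may be followed only by whitespace (space, tab, LF, CR, Ctrl-Z), and may not exceed 128 bytes in total. The Python below is an added example of that rule, written for this page and not code from EICAR or Norman; it recognizes the test file under the published tolerance and rejects anything that deviates from it, which is what a scanner's EICAR check must do so that padding by a mail gateway does not break the test while a modified file is not mistaken for it.

```python
"""Recognise the EICAR anti-malware test file by its published rules.

Added example for this page, not EICAR's or Norman's own code.
Rule: the first 68 bytes are the fixed string; anything after them must be
whitespace (space, tab, LF, CR, Ctrl-Z); total length at most 128 bytes.
"""
EICAR_68 = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
assert len(EICAR_68) == 68  # the definition the text says can never change

ALLOWED_TRAILER = frozenset(b" \t\n\r\x1a")
MAX_LEN = 128


def is_eicar(data: bytes) -> bool:
    """True if `data` is a valid EICAR test file under the published tolerance."""
    if not 68 <= len(data) <= MAX_LEN:
        return False
    if data[:68] != EICAR_68:
        return False
    return all(b in ALLOWED_TRAILER for b in data[68:])


def make_eicar_file(trailer: bytes = b"") -> bytes:
    """Constructed test file: the fixed 68 bytes plus an optional trailer."""
    return EICAR_68 + trailer


if __name__ == "__main__":
    cases = {
        "bare": make_eicar_file(),
        "crlf": make_eicar_file(b"\r\n"),          # common after a mail hop
        "max": make_eicar_file(b" " * 60),         # exactly 128 bytes
        "too long": make_eicar_file(b" " * 61),    # 129 bytes: rejected
        "altered": make_eicar_file(b"x"),          # non-whitespace trailer
        "truncated": EICAR_68[:-1],
    }
    for name, blob in cases.items():
        print(f"{name:10} -> {is_eicar(blob)}")
```

Note that the file is also a valid 16-bit DOS program that prints "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!", which is why it was designed this way; detection, however, is purely by the byte pattern above, not by behavior.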
The supposedly much safer Mac OS X isn't that safe after all. It is only since Boot Camp that Macintosh machines have become more popular: the new Macs are Intel-based and Boot Camp lets them dual boot between Mac OS X and Windows. As the pool of potential targets has grown, people suddenly pay more attention to Mac OS X, and vulnerabilities are therefore being found in quantities that were unimaginable before. No fewer than 31 OS X vulnerabilities and 12 Safari vulnerabilities were fixed. Safari is the web browser for Mac OS X.
ContextPlus has ceased its activities. The company's best-known programs are PeopleOnPage and Apropos. Once installed, they monitor browsing behavior and send the gathered information to the ContextPlus servers. Based on the browsing behavior, the user is then faced with pop-ups that rather conveniently reflect his interests. It is of course rather irritating when these pop-ups appear all the time. During installation, these programs deploy kernel-mode rootkit technology to hide from antispyware programs. As most will know, detecting programs hidden by this kind of technology is far from easy.
Whatever the event, people will try to make money from it. The upcoming World Cup football championship in Germany is the victim this time. A new worm called W32/Banwarum is sending out German-language e-mails, in some cases offering printable tickets for the games. In reality, the worm sends a password-protected archive containing another copy of the worm, with the password given in the e-mail. Needless to say, there are no tickets in the archive (as if tickets were that easy to print).
Since 6 June, a large number of companies have been seeing odd e-mails in which the recipient address is the same as the sender address. The Subject line and the body each consist of a variable number of 3 to 7 digits, and there are no attachments or embedded scripts. The headers show that the From field is spoofed. Some seeded pieces of malware are sending out these 'test' e-mails. One speculation about the why is that it might be an attempt to clean a master e-mail list of invalid entries, or perhaps to verify new ones; others say it will be used for spam or phishing. In the end it turned out to be messages sent by a new Bagle variant.
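The description above is already a usable mail-filter rule: self-addressed, a 3-to-7-digit Subject, a 3-to-7-digit body, no MIME parts. The Python below is an added example for this page (not from the newsletter or from any vendor's filter) that applies exactly those criteria to raw RFC 822 messages using the standard library's email parser. The three messages it runs over are constructed here to illustrate the pattern; addresses and dates are invented.

```python
"""Flag the self-addressed 'digits only' probe mails described above.

Added example for this page, not code from the original text or from any
mail-filter product.  Criteria, all taken from the description:
  - From address equals To address (the From is spoofed to the recipient)
  - Subject is 3 to 7 digits and nothing else
  - body is 3 to 7 digits and nothing else
  - no attachments (single-part message)
The sample messages below are constructed; addresses and dates are made up.
"""
import re
from email import message_from_bytes
from email.utils import parseaddr

DIGITS_3_7 = re.compile(r"\d{3,7}")


def looks_like_probe(raw: bytes) -> bool:
    """True if the raw message matches all four criteria."""
    msg = message_from_bytes(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    if not sender or sender != recipient:
        return False
    subject = (msg.get("Subject") or "").strip()
    if not DIGITS_3_7.fullmatch(subject):
        return False
    if msg.is_multipart():
        return False  # the probes carry no attachments or extra parts
    payload = msg.get_payload(decode=True)
    if payload is None:
        return False
    body = payload.decode("ascii", errors="replace").strip()
    return DIGITS_3_7.fullmatch(body) is not None


def triage(messages) -> int:
    """Count how many raw messages in `messages` match the probe pattern."""
    return sum(1 for raw in messages if looks_like_probe(raw))


# --- constructed samples -------------------------------------------------
PROBE_MAIL = b"""From: alice@example.com
To: alice@example.com
Subject: 48213
Date: Tue, 06 Jun 2006 10:15:00 +0200
Message-ID: <probe-1@example.com>

90417
"""

NORMAL_MAIL = b"""From: Alice <alice@example.com>
To: alice@example.com
Subject: note to self: 48213 is the ticket number
Date: Tue, 06 Jun 2006 10:16:00 +0200

Call the supplier back about order 90417 tomorrow.
"""

MULTIPART_MAIL = b"""From: bob@example.com
To: bob@example.com
Subject: 1234
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

1234
--b1
Content-Type: application/octet-stream; name="x.zip"

UEsDBA==
--b1--
"""

if __name__ == "__main__":
    for name, raw in [("probe", PROBE_MAIL), ("normal", NORMAL_MAIL), ("multipart", MULTIPART_MAIL)]:
        print(f"{name:9} -> {looks_like_probe(raw)}")
    print("flagged:", triage([PROBE_MAIL, NORMAL_MAIL, MULTIPART_MAIL]))
```

A self-addressed message on its own is a poor indicator (people mail themselves notes all the time), so the rule only fires when the Subject and body are both bare digit strings and nothing is attached; in a real gateway you would quarantine rather than drop, since the pattern may change with the next variant.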
Personal information, such as names and social security numbers, has been copied from a file on a system at the Department of Energy. The information, mostly on contract workers, can of course be misused in many ways. The data was on an unclassified portion of the network, not the part that holds data on nuclear systems, which is much more secure. Although the theft happened a few months earlier, it was only acknowledged at a public hearing. And up to the hearing, no attempt had been made to inform those whose information was taken.
No fewer than eight critical and important vulnerabilities were fixed with this update. An attacker using one or more of these vulnerabilities can take complete control of an affected system. The attacker can then install programs or tamper with valuable data, and could create new accounts with full user rights.
A vulnerability discovered in Microsoft Word, identified as CVE-2006-2492, leaves it open to attack. Via a specially crafted Word document, an attacker could execute shellcode and so take full control of the system. Several proofs of concept for this vulnerability are floating around; luckily none of them carries harmful content.
US-based researchers have been able to seize control of a laptop by exploiting a flaw in the device driver of the system's WiFi card. Using the open-source LORCON ("Loss Of Radio CONnectivity") packet injection library, they sent large numbers of malformed wireless frames at different wireless cards. With this technique they found many flaws in WiFi device drivers, one of which allowed them to take full control of the laptop. The researchers will disclose the details with a demonstration on 2 August at this year's Black Hat in Las Vegas.
Just a day after Apple released updates for its operating systems, including OS X, code was released to exploit one of the vulnerabilities. Although the vulnerability (in the "launchd" system component) is fixed by the update, experience shows it takes a while before everyone has applied the patches. It seems the Mac world will become as insecure as the Windows one, a side effect of the growing popularity of the Macintosh, especially since the new Macintosh notebooks have an Intel CPU and can run Windows XP as well.
Microsoft's advanced new file system WinFS, which was to be released with Windows Vista, has been shelved once again. Originally it was to be one of the main features of Windows Vista, a database-driven file system, but over the years it has repeatedly caused delays. Microsoft has now announced that Vista will ship without WinFS and that WinFS will not be made available as an add-on for Windows Vista or Windows XP.
The reason for shelving it is unclear. If it isn't technical, it might be legal: several people have already raised antitrust concerns about WinFS because it is database driven.
| Usage | Title | Comment |
|---|---|---|
| | The 2006 Security Event Overview (I) | |