Category Archives: Security News

The latest info on security news around the world

TCPView & AutoRuns vs Undetectable Backdoor

5
Filed under Downloads, Misc, Personal, Security News
Tagged as , , ,

Intro:
We’re going to useTCPView to check active network traffic and AutoRuns to check and see what’s loading with Windows.

Scenerio:
The user is complaining of system slowness. Upon looking at the workstation I noticed AVG Free Edition, Spybot Search and Destroy installed and Windows Firewall enabled. Pretty standard novice user protection plan. Almost a given this system is infected.

Analysis:
I close Firefox and all open applications. Open TCPView and right off the bat I see outbound traffic to *.CO.UK using Firefox to make the remote connection. This is common in backdoors to use reverse connection methods. Once you execute the backdoor, it binds to a common process (IE, Firefox) and then reverse connects to the attacker. The reason for binding to a common process such as Internet Explorer or Firefox, is the fact that most novice users create rules for their software firewall and select “always allow” for common processes. This way the user isn’t bothered every time they open Firefox with “Do You want to allow firefox.exe access…” This is perfect for the backdoor, you’ve allowed unrestricted access outbound through firefox. Strike 1 for this novice user.

tcpview1

Port 95? Firefox should only be allowed access on port 80 and 443 (HTTP / HTTPS) Now that I know the user is infected, I need to find out what the file is called, where it lives, and why AVG’s superior detection is showing a clean system. I load AutoRuns and check for the suspicious Logon items. Bingo Bango! I see scchost.exe (not to be confused with svchost.exe, which is actually legit in most cases) loading upon reboot and it’s stored safely from novice users in the system32 folder. Now, 100% sure that is the backdoor, I would like AVG to agree, so I attempt to update AVG and check the file, No! AVG insists the file is clean. OK, to the USB drive for MalwareBytes. Sure enough a nice password stealer has been detected. Strike 2 for trusting AVG (signature based detection).

malwarebytes

MalwareBytes detected and removed the password stealer, I then put in the KAV rescue disk to scan the system and everything came back clean. In the end, I convinced the user to let me perform a clean install and even teach this user how to properly use Firefox (w/NoScript). Reminding the user that the software firewall is only as good as the user and that the AntiVirus program is only as good as its definitions.

Conclusion:
TCPView provided you with the information needed to see you have unauthorized access to a server in the UK. AutoRuns was able to show us the malicious file loading with Windows. The actual detection and removal is up to you and your utilities, however TCPView and AutoRuns gave you the heads up. On the flip side, the backdoor successfully executed and called home on the system. Being that it’s a password stealer, the information it was programmed to gather completed successfully.

I call this one a DRAW. Why? because a backdoor is designed to go unnoticed and AVG let it do just that, but with a few basic programs you can see that your system is not preforming normally. Also, after detecting the backdoor, I installed it on a virtual machine and after about 18 hours of leaving it alone, it downloaded a new executable and maintained a connection to the client. This shows that we caught it early enough on the users computer to detect and remove it before it phoned home for the latest instructions.

Firefox 1.5.0.3 – DoS / PoC / Simple Fix

3
Filed under Downloads, Security News, Windows

Firefox Process

Introduction:
Another successful day for the script kiddies. The firefox community has been blessed with another exploit released for the latest version of firefox (1.5.0.3). Once again this is more of an annoyance than anything. If you enjoy your browser crashing random as you surf unsafely through the internet, I recommend you do nothing differnet and don’t waste your time researching anything that has to do with security. Seriosuly, there are simple solutions to these types of “exploits.” Please read on for ‘Proof of Concept’ (meaning you can test and see if your browser will crash) and recommended solution.

Exploit:
Firefox 1.5.0.3 Denial of Service – Test me! (Note: Link will crash browser)

Recommended Solution:

No Script Logo

NoScript [info] [download] (exstension for Firefox)

IE 6.0 SP2 – DoS Exploit (Released 05/10/06)

4
Filed under Downloads, Security News, Windows

I was wondering how long we’d make it before being blessed with another delicious exploit for Internet Explorer. Atleast it was the day after Microsoft released the round of ‘May-Day’ patches. No need to panic this is more of an annoyance then a real problem….or is it?

Error & Debug:
Debug

Affected:
IE 6.0 SP1/SP2

Not Affected:
IE 7 beta 1/beta 2
Mozilla (all)

Exploit:
Enjoy (IE 6.0 only)

If this exploit affects you, it’s time to start thinking about the big move. Let go of Microsofts hand and learn to walk on your own. On a serious note, I use IE 7 SP2 for trusted sites only (Banking, etc…) and everything else I use Mozilla w/ Noscript.

Recommended Solution:
Mozilla Firefox 1.5.0.3 Final [ download ] w/ NoScript [ info] [download]

0-Day : IE 6.0 SP2 (mshtml.dll) DoS exploit (PoC)

4
Filed under Security News, Security Programs, Windows

Another exicting day for Internet Explorer surfer!

This morning we’re going to list a DoS exploit released in the wild early this morning. This exploit isn’t as serious as the one we went over yesterday regarding WMF. I concider this DoS exploit more of an annoyance than a threat. Not to mention this only effects IE users, however it affects all of you at this point. First we’re going to list the code for this exploit, discovered by rgod and then we’ll go over recommended solutions and followup with the PoC.

Code:

< .head.>
< .style.>< .!-- #page div p:first-child:first-letter { border-bottom: 2px ridge #F5DEB3; } //-->
< ./style.>
< ./head.>
< .body.>< .div id="page">

< .strong.>suntzu< ./strong.>< ./p.>< ./div.>< ./p.>< ./div.>

As you can see this is a very simple attack and very easy to create. The good news is, I don’t see many people using this exploit for any benefits at most and annoyance, but who knows this could escalate into something bigger. However, since the WMF exploit is public now, I think the malicious users will be focusing on that bad boy.

Recommended Solution:
Mozilla Firefox 1.5 Final [ download ] w/ NoScript [ info] [download]

I know this isn’t a solution for die hard Internet Explorer users. However regardless the reason, we recommend using multiple browsers for different browsing habits. If your extra patanoid you can even go as far as running VMWARE Workstation 5.5.

Proof Of Concept:
Crash Internet Explorer 6.0

Note: clicking this link using Internet Explorer is pointless unless you actually want to crash you browser. We are unaware of any way around this using Internet Explorer as of now. If you know otherwise, please advise…

0-Day Exploit : MS/IE – WMF Remote Code – Fix!

2
Filed under Downloads, Security News, Security Programs, Windows

A little spice to the end of 2005… Christmas was nice spending it with family, securing their computers, the usual for holidays with the family. Only if it was that easy this year, as of this morning a new exciting exploit was released. The good news is my current configuration wasn’t affected by this annoyance. So, we’re going to list the advisory released by FrSIRT and let you review that, then we’ll move forward to steps to take for protecting yourself. Also, look at the end for references.

Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2005-12-28

Technical Description

A vulnerability has been identified in Microsoft Windows, which could be exploited by remote attackers to execute arbitrary commands. This flaw is due to an error in the rendering of Windows Metafile (WMF) image formats, which could be exploited by attackers to remotely take complete control of an affected system by convincing a user to open a malicious WMF file using a vulnerable application (e.g. Windows Picture and Fax Viewer), or visit a specially crafted Web page that is designed to automatically exploit this vulnerability through Internet Explorer.

Note : This unpatched vulnerability is currently being exploited in the wild.

Exploits

http://www.frsirt.com/exploits/20051228.ie_xp_pfv_metafile.pm.php

Affected Products

Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition

Solution

The FrSIRT is not aware of any official supplied patch for this issue.

References

http://www.frsirt.com/english/advisories/2005/3086

http://www.frsirt.com/exploits/20051228.ie_xp_pfv_metafile.pm.php

Credits

Vulnerability reported in the wild by noemailpls

ChangeLog

2005-12-28 : Original Advisory

Tech-Security Explains:
As shown by FrSIRT, there is no real solution for this until we receive a patch to fully resolve the issue. However, there are steps you can take in protection yourself. I’m running Firefox 1.5 Final w/ NoScript extension and configured browser settings (mentioned in an early thread) and when I went to one of the infected site, I wasn’t hit by the exploit.

Want to start thinking about secure browsing?? Good it’s about time…

Update your anti-virus software 1-3 times a day, this way if you do get infected by this exploit, you’ll have protection shortly afterwards. not good enough? I agree…

Tech-Security Recommended Fix:
For safe browser…I would recommend installed VMWARE and install a fresh copy of Windows. This enables you to browser within the VMWARE isntance of Windows, allowing nothing to enter into your production OS version. This is a great idea for browsing and testing exploits/infected programs. Just be sure you keep your VMWARE Workstation updated too.

Protect yourself:
VMWARE Workstation 5.5
[ more info ] . [ download ]

Easiest Fix:
Windows Media File Viewer | [disable] . [enable]

This is more of a temp solution, which is why we recommend VMWARE, it might seem like a hassle at first, but no more than if you get infected with a serious virus. Atlease VMWARE is a one-time deal.

IceSword…The Best Rootkit Defender?

42
Filed under Downloads, Security News, Security Programs, Windows

IceSword 1.2

Look out people! Over the past few months people have heard more and more about rootikits. I’ve been dealing with rootkits for some time now and after having numerous friends infected by Sony’s rootkit, I decided it’s time to help educate the prey. Now, hopefully you’re not sitting there saying, “Prey?? I use Norton Internet Security and if your suggestion that a rootkit can bypass that, I have news for you!” My response would be a standard “laugh out loud” followed by blocking your IP from my website. No, seriously regardless of your current protection, it’s not enough. Rootkits change on a regular basis to bypass AntiVirus software along with the popular antirootkit software.

I recommend using 3 useful rootkit utilties in your hunt for the invisable rootkit. I do not recommend only using one of the three, or even two of the three. I say three, for the fact that incase the nifty rootkit infecting your system was updated to bypass one or two of my recommendation, you would have a 3rd opinion. Now that I’ve explained myself and hopefully conveinced you to install, update, and run these utilties on a weekly basis we’ll move forward with testing.

Note: Click links below to download software.

Our Test Enviornment:
- Windows XP SP2 (fully updated)
- Sygate Personal Firewall Professional (.dll injection detection)
- Kaspersky AntiVirus Professional (script detection)
- All-Seeing Eye (Best system monioring tool around)
- Spyware and other tools not listed.

Programs under the spotlight:
- Rootkit Revealer [info] | [download]
- BlackLight [info] | [download]
- IceSword English [info] | [download]

Rootkit under oath:
Lil Rob’s album “Twelve Eighteen” released by Upstairs Records.

Results:
All 3 softare programs detect the rootkit, however none of them removed it. Blacklight allows you to rename the files, but the junk is still there. Rootkit Revealer lets you know where all the files are so you can manually remove the files in DOS and the registry entries using PSEXEC. Finally my personal favorite IceSword, this program displays a lot more information than the other two, however it’s for more advance users. On this note, exactly why I recommend using ALL three for detection and IceSword for advance removal.

I’m interested to hear what others think about IceSword and your techniques for battling rootkits!

Firefox 1.5 Final – Exploit & PoC : Easy Fix!

4
Filed under Security News, Security Programs, Windows

Today, a minor DoS (Denial of Service) exploit was released. Showing how even Firefox 1.5 Final, which was just released 11/29/05 is vulnerable to attacks. I say, “minor” for the fact that you have a choice whether or not you’re affected by this type of DoS atack or not.

PacketStorm and their research has paid off again!

Basically firefox logs all kinda of URL data in it’s history.dat file,
this little script will set a really large topic and Firefox will then
save that topic into it’s history.dat.. The next time that firefox is
opened, it will instantly crash due to a buffer overflow — this will
happen everytime until you manually delete the history.dat file — which
most users won’t figure out.

this proof of concept will only prevent someone from reopening
their browser after being exploited. DoS if you will. however, code
execution is possible with some modifcations.

Okay, so you would have to click a link or try and access a vulnerable website for this to take affect. Now, with the default installation of Firefox 1.5 Final, your browser would crash on you and when attempting to open your browser again you would experience another browser crash. Are you being hacked? No, this is an annoyance… Enough with the small talk, lets go over what needs to be done to prevent this attack and future attacks like this from affecting you! Put an end to the abuse!

Technically you have 2 options to resolve this issue:

1) You can simply open Firefox click ‘Tools’ > ‘Options’ > Select the ‘Privacy’ button and check everything (The only two that have to be checked are, ‘Browser History’ & ‘Clear private data when closing Firefox’).

Firefox Privacy

- This will clear the browser history everytime Fixfox closes. So, if you did run across this DoS attack while browsing, your browser will crash, but the data was cleared upon crashing. This isn’t the best option because you’re still losing your current searches and have been annoyed by the exploit. This is why step 2 is the only way to go…

2) A great firefox extension called, No Script offers protection over Javascripts from running on your system from untrusted sites. What this program use, is when you access a website that wants to run javascript on your system it blocks it and prompts you, giving you the option to “always allow from the site” or to “temporarily allow from the site.” So when this exploit tried to run against me, I knew I didn’t want to allow this javascript to run and continued browsing without being affected at all. Now, before you go out and get all browser happy read up on this program and get this extension installed on your computer!

No Script Logo

Download: Install this bad boy now!
More Information: What is it?

Manual removal: (example:) C:\Documents and Settings\techsec\Application Data\Mozilla\Firefox\Profiles\4rbeef38.default\history.dat

The history.dat file is 10,153 KB once code is successful ran, deleting it clears it as well.

This seems to affect previous version of Firefox also, so please be sure to protect yourself before testing the PoC on your computer!

Test Yourself: Think you’re secure? (modified script of the original from ZipLock)

0-Day Exploit & Security Tips

2
Filed under Security News, Security Programs, Windows

Today is just another day to the security experts, but another painful day to the Internets novice. Over 6 months ago an exploit was released that gave hackers the capability to view files and folders on a user’s computer… Well this morning an updated exploit was released that let people run code on the attacked computer as well. Usually when we hear about exploits like these, the vendor has already released a patch for the exploit. However, it’s not the same this time, as of now even a fully patched Windows 2000 / XP computer is still at risk. Below is the information regarding the exploit, followed by a few programs I use to help monitor and prevent these issues from happening again.

Rated as : Critical
Remotely Exploitable: Yes
Locally Exploitable: Yes
Release Date: 2005-11-21

Technical Description

A critical vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by remote attackers to execute arbitrary commands. This flaw is due to a memory corruption error when processing malformed HTML pages containing specially crafted calls to JavaScript "window()" objects and "onload" events, which could be exploited remote attackers to take complete control of an affected system by convincing a user to visit a malicious Web page.

This vulnerability has been confirmed on Windows XP SP2 with Internet Explorer 6 (fully patched).

Exploits

Proof of Concept

Affected Products

Microsoft Internet Explorer 6 for Microsoft Windows XP SP2
Microsoft Internet Explorer 6 SP1 on Microsoft Windows XP SP1
Microsoft Internet Explorer 6 SP1 on Microsoft Windows 2000 SP4
Microsoft Internet Explorer 5.01 SP4 on Microsoft Windows 2000 SP4

Solution

Disable Active Scripting in Internet Explorer:

1. Start Internet Explorer.
2. On the Tools menu, click Internet Options.
3. On the Security tab, click Custom Level.
4. In the Settings box, click Disable under Active scripting.
5. Click OK, and then click OK.

References

http://www.frsirt.com/english/advisories/2005/2509

http://www.frsirt.com/english/reference/1111

Credits

Vulnerability originally reported by Benjamin Tobias Franz and exploited by Stuart Pearson

Now let’s take a look at a few of the programs I use to monitor internet attacks, provide alternate browsing, and monitor and prevent system changes.

Internet Storm Center handler Tom Liston created a systray application to monitor the status of the infocon. Basically if you see this application flashing yellow, orange, or even red then you know it’s time to come back here and see whats going on!

Download: ISC Alert

Mozilla Firefox is an alternate browser you may use to bypass this exploit. I do recommend using Firefox, but not only firefox. I use both for different things, Internet Explorer I use for trusted sites, and firefox for normal web browsing.

Download: Firefox

The wonderful people at Fortego Security have created a program called All-Seeing Eye. This program gives you full monitoring control of all system changes. This is a little extreme for some, but a must for others.

Download: All-Seeing Eye

Sony’s DRM, Rootkit, and Future…but is Sony the only intruder?

2
Filed under Security News

Sony Infection 500,000 +

Sony, Sony, Sony… Why have we come to hate you? or have we?

For starters on Monday October 31st (Halloween) your little trick or treat was revealed to all on the internet. This shows that by installing the media player on a number of your CD’s would also installed a rootkit, allowing any file with $sys$ in front of it to be hidden. (ex. $sys$Virus.exe would be invisible). In Marks (www.sysinternals.com) research on this matter he shows how there isn’t an uninstall feature for this rootkit and manual remove will render you CDROM useless.

At first, I was strong against my hate for Sony; however last night was a different story. I’m not going to go to into detail of the situation, so I’ll get to the point. I run an updated virus scan with Kaspersky and all systems show clean. Well I’ve been a user of Rootkit Revealer and Blacklight along with a few others for detecting rootkits. So, I scan my brothers computer w/ Rootkit revealer and boom, he’s infected with the same rootkit described in Mark’s blog. I asked my brother what CD’s has he listened to on his computer lately and he said, “I’ve listen to my new Lil Rob CD.” I asked, “Did it require you to install a media player from the CD?” He replied, “Yes, why?” Now it gets interesting…

Today I checked the list Sony released of infected CDs and Lil Rob isn’t on the list. So I started to follow Mark’s @ sysinternals.com steps and went to Amazon.com to look up Lil Rob CD’s. Sure enough, Sony has nothing to do with this CD, Lil Rob’s record label is, Upstairs Records. Both of these record labels are using First 4 Internet Lld. This is that company’s responsibility for this technology; however Sony and Upstairs Records are responsible for implementing such technology against their paying customers.

On a personal level, I’ll never purchase a Sony product again (except maybe a PS3). Seeing this rootkit first hand just like I’ve read about over the last 3 weeks makes me sick to my stomach. How do you think it feels to say, “I haven’t been infected for over 3 years, until Sony’s rootkit.”

More to come on this topic…