
SANS ISC InfoSec Handlers Diary Blog



Adobe mailto vulnerability

Published: 2007-10-09
Last Updated: 2007-10-10 17:16:37 UTC
by Swa Frantzen (Version: 2)

On October 5th, Adobe confirmed the vulnerability we reported on September 20th.

There is no patch available yet, but Adobe has published a workaround for the latest versions (the 8.0 registry keys below), and details of the vulnerability are slowly becoming public as well. Applying the workaround now is therefore very wise:

[quoting Adobe]
Acrobat:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Acrobat\8.0\FeatureLockDown\cDefaultLaunchURLPerms

Reader:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\8.0\FeatureLockDown\cDefaultLaunchURLPerms

If tSchemePerms is set as follows:
version:1|shell:3|hcp:3|ms-help:3|ms-its:3|ms-itss:3|its:3|mk:3|mhtml:3|help:3|
disk:3|afp:3|disks:3|telnet:3|ssh:3|acrobat:2|mailto:2|file:2

To disable mailto, modify tSchemePerms by setting the mailto: value to 3:
version:1|shell:3|hcp:3|ms-help:3|ms-its:3|ms-itss:3|its:3|mk:3|mhtml:3|help:3|
disk:3|afp:3|disks:3|telnet:3|ssh:3|acrobat:2|mailto:3|file:2

For older versions those registry keys will be wrong at the very least (the path carries the 8.0 version number), and Adobe gives no guidance for those versions, so the best approach is to upgrade first and then apply the workaround.

While at it, sign up for the Adobe vulnerability alerts.

Updated to clarify older versions.

--
Swa Frantzen -- NET2S

 


Deobfuscating javascript

Published: 2007-10-09
Last Updated: 2007-10-10 00:08:43 UTC
by Swa Frantzen (Version: 1)

Obfuscated JavaScript is something you run into as soon as you start looking at suspicious websites.

Marco wrote in to suggest, with code, an approach that uses JavaScript itself to change what eval() and document.write() do, replacing them with the far less action-minded alert(). The reason to hook the functions rather than edit the script is that obfuscated scripts often reference their own source (for example as a decoding key or an integrity check), so touching the code itself makes the de-obfuscation fail. Prepend the override and leave the original script untouched.

For eval(), add the following before the obfuscated script:

/*override eval*/
function eval(st){
  alert(st);
}
/*original code goes below*/

Similarly for document.write(), add the following before the obfuscated script:

/*override document.write*/
document.write=function(st){
  alert(st);
}
/*original code goes below*/

Do take care when playing with potentially malicious JavaScript: the attacker may have redefined alert() (or anything else) to do something other than what you expect, so always walk through the whole script first and only do this on an expendable machine. Note also that the overrides above return nothing, so a script that uses the return value of eval() will diverge from its real behaviour at that point and needs to be followed by hand from there.

--
Swa Frantzen -- NET2S


Storm - the paper

Published: 2007-10-09
Last Updated: 2007-10-10 00:07:09 UTC
by Swa Frantzen (Version: 1)

Some interesting analysis about "Storm" from SRI International:

http://www.cyber-ta.org/pubs/StormWorm/

--
Swa Frantzen -- NET2S


Cyber Security Awareness Tip #9: Access Controls, Including Wireless, Modems, VPNs, and Physical Access

Published: 2007-10-09
Last Updated: 2007-10-09 20:41:57 UTC
by Swa Frantzen (Version: 8)

As this topic is very wide, we intentionally kept the tips limited to those that end users have influence over.

Modems

If you still have an old-style dial-up modem, disconnect it when not in use, or power it down if it is an external model. It's an expensive lesson learned by those who found a dialer calling 900-style premium-rate numbers on their behalf for hours on end...

VPNs

  • Just because the tunnel is authenticated and encrypted does not mean that malware cannot flow through the VPN.
  • Once the VPN tunnel is up, don't allow a separate connection to a network of a lower security classification e.g. don't connect to the corporate VPN while simultaneously connecting to P2P networks over the Internet.
  • When connecting to networks out of your control (hotels, airports, conferences, a cafe, a hotspot, ...), use caution: minimize your dependence on the services offered there and guard against man-in-the-middle attacks. One way is to set up a VPN or an SSH connection that forwards all traffic to a trusted machine.

Wireless

  • Turn off wireless and Bluetooth on your laptop when you don't need it.
  • Use encryption. WEP is known to be breakable in minutes with freely available tools, but it still beats an open network; prefer WPA2 and, if needed, upgrade the hardware to support it.
  • Clean out the preferred network list on the wireless side: a laptop that remembers those unprotected hotel and vendor network names will happily associate with any access point advertising the same name, which makes you a sitting duck.
  • No dual connectivity: only allow one network connection at a time, i.e. do not connect to the WiFi hotspot in the cafe downstairs while simultaneously connected to the corporate LAN.

Physical Access

  • War stories are always a great way to get people interested in listening to what you want to get across. Jim wrote in:

    "At my previous place of employment we had several small machine rooms dotted around the building. You needed to get a key stored at the security station to enter any of them and there was a list of approved personnel who could check out a key. When I needed to reboot a downed server I asked to borrow the key, but as my name was not on the list security needed an email from someone who was. Their names revealed by the security guard, I promptly went to the authorized person's PC, fired off an email in their absence and trotted back down to the security station. Key was handed over, server rebooted and all was well.

    This place had better security than many other places I've worked, but some simple social engineering meant I could get hold of the key and gain physical access to the server. The security system was sound in principle, but let down by the simple means by which access could be delegated with a single email. I could have simply forged an email if the person's PC had been locked and most likely achieved the same result.
    "

    Social engineering works in most cases; training people to be service-minded and at the same time guarded against social engineering isn't the easiest job.

  • Brian wrote in with his war story:

    "Working as a n00b general-service tech at my .edu, I was to physically verify that all servers and systems were shut down as weekend work was scheduled to replace a failing electrical utility feed. As part of the plan, I would be contacted when the power was restored, and make sure all servers were booted up gracefully.

    Well, this happened to be the weekend of the last big NorthEast blackout. Instead of a controlled power shutdown on Friday, everything went dead on Thursday. Most folks assumed the work schedule had just moved up.

    I spoke with the electrical project managers, and they decided to put work off - but since they were here, they were going to stay and monitor the power restoration. I hung around to practice my plan to bring all computing systems back on line.

    Well, I needed to get into an administrative office when power came back on. The magnetic locks were in a default lock condition, (1st dangerous problem), so my 'master' keys wouldn't work. I did remember some employees of that office using a fire door for sneaking the occasional cigarette, so I tried that door, and got in. (No alarm on that door - 2nd issue). One of the chief admins found me in the office, and wondered how I got in. I explained, and thought nothing of it until Monday morning, when both I and my director were 'invited' to speak with detectives in separate 'interview' rooms with the campus police.

    I later found out that the campus police - who also manage all access keys - had told that administrator his office suite was only accessible to 6 people who had the "special" keys. They had no idea that all of the IT staff - and possibly others - also had access.

    What I learned:

    1) If you promise security, you had better verify your claim and keep checking it.

    2) If you manage keys, remember that many keys open locks they aren't specifically keyed to. Check each set.

    3) If you are the person who will access restricted areas, be sure to get affirmative consent from the appropriate parties before you attempt that access."

  • Password-protect the BIOS and set it to boot from the hard disk only, so that someone with a few minutes at the machine cannot boot their own media.
  • Locking down computers against physical theft can be a great way to slow down thieves, but it will not slow them down much if they really want your machine. As Niel put it: "at Defcon I let a guy pick the Master lock on my laptop bag.  He did it in 12 seconds.  His friend took 16 seconds on the same lock.  So a lock may be viable in some environments, but not a long-term deterrent".

Thanks

In no particular order: thanks to Boris, Jim, Andy, Peter, Niel, Brian and many others.

 

--
Swa Frantzen -- NET2S


October Black Tuesday overview

Published: 2007-10-09
Last Updated: 2007-10-09 18:56:29 UTC
by Swa Frantzen (Version: 1)

Overview of the October 2007 Microsoft patches and their status.

For each bulletin: the affected software, a summary, the CVE and KB references, known exploits, Microsoft's rating, and the ISC rating(*) for clients and servers.

MS07-055 - Windows - Kodak image viewer
  An input validation failure allows remote code execution.
  CVE-2007-2217, KB 923810
  Known exploits: no publicly known exploits
  Microsoft rating: Critical
  ISC rating: clients Critical, servers Important

MS07-056 - Outlook Express and Windows Mail (Vista)
  Input validation failure in the NNTP protocol handling allows remote code execution. Updates MS06-076.
  CVE-2007-3897, KB 941202
  Known exploits: no publicly known exploits
  Microsoft rating: Critical
  ISC rating: clients Critical, servers Important

MS07-057 - MSIE
  Memory corruption in Internet Explorer leads to remote code execution; also multiple address bar spoofing vulnerabilities. Cumulative patch for IE, replaces MS07-045.
  CVE-2007-3893, CVE-2007-3892, CVE-2007-1091, CVE-2007-3826, KB 939653
  Known exploits: some of the vulnerabilities have been publicly known since February 22nd 2007
  Microsoft rating: Critical
  ISC rating: clients Critical, servers Important

MS07-058 - Windows RPC
  NTLMSSP authentication can be abused to stop the RPC service in a way that also prevents the system from restarting it. Replaces MS06-031 (information leak).
  CVE-2007-2228, KB 933729
  Known exploits: no publicly known exploits
  Microsoft rating: Important
  ISC rating: clients Important, servers Important

MS07-059 - SharePoint
  XSS issues on the SharePoint server lead to privilege elevation on the server itself and information leaks on clients connecting to such a server.
  CVE-2007-2581, KB 942017
  Known exploits: publicly known exploit since May 4th 2007
  Microsoft rating: Important
  ISC rating: clients Less urgent(**), servers Important(**)

MS07-060 - Word
  Input validation problem allows remote code execution with the rights of the logged-on user.
  CVE-2007-3899, KB 942695
  Known exploits: abused in targeted exploits
  Microsoft rating: Critical
  ISC rating: clients Critical, servers Important

 

We will update issues on this page as they evolve.
We appreciate updates.
US-based customers can call Microsoft for free patch-related support on 1-866-PCSAFETY.
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

(**): Typical for XSS issues: it's mostly important for the client, but the actual problem is on the server. The risk is mainly linked to the data to be protected and it can vary wildly depending on the organization and its needs.

--
Swa Frantzen -- NET2S


Follow the Bouncing Malware: Columbus Day

Published: 2007-10-09
Last Updated: 2007-10-09 05:23:58 UTC
by Tom Liston (Version: 1)

[This FTBM is created in honor of Columbus day, celebrated in the US on October 8th]

 

“I Know India Is Around Here SOMEWHERE”

 

Joe Sixpack leaned back in his chair and glared at the photo of his son sitting on his desk.  It was nearing midnight, and Joe had spent the last several hours building a model depicting the landing of Christopher Columbus’ ship, the Niña.  Earlier tonight, at dinner, Joe junior had announced that he needed a diorama for school in the morning.  

Admittedly, it wasn’t Joe’s best work, but he was on a deadline.  He had scavenged through Junior’s toy chest and had made do with what he could find.  The brown paint didn’t completely cover up the red plastic on the toy pirate boat, and you could still see the outline of the skull and crossbones underneath the name “Niña,” hastily scrawled in black Sharpie marker.  He felt, however, that the action scene that he had created with Junior’s plastic Indian figurines more than made up for the poorly disguised boat.  There was a slight scale issue (the Indians on horseback, surrounding Columbus’ men – who were dressed remarkably like cowboys and WWII combat soldiers – were about as tall as the boat) but if you squinted your eyes up just right, it looked pretty good.  The centerpiece of the work, Columbus reared up on horseback, six-shooter blaring, single-handedly gunning down several bloodthirsty savages, would at least get Junior a “B.”  Besides, he wasn’t going to go crazy trying to get everything perfect – Junior needed to learn that leaving his assignments until the last minute had consequences.

Joe turned his attention to the worksheet that accompanied the diorama assignment.  It was full of questions about names and dates and it appeared as though Junior had made a half-hearted attempt at answering them.  One question was left blank:

“How were the ships Columbus used constructed?”

Joe was pretty sure he knew the answer, but he decided to take the matter to a higher authority.  He reached over and tapped on the keyboard of his trusty computer, watching as the monitor slowly came to life.

At the dentist’s office, the week before, Joe had been stuck reading some science magazine to pass the time (it was that, or several back issues of Cosmo, which, despite the sexy, half-dressed model on the cover, weren’t all that interesting to actually read).  In the “geeky/computer” section of the science magazine he had found a description of some techniques to get better search results out of Google.  The article had been somewhat interesting and he thought that now would be a good time to try out the stuff that he could remember.  

He was interested in finding out “information”, and he remembered that you could restrict your Google search in some way that had something to do with “domains”.  Since the search results he was looking for were “information”, he would use the “.info” domain.  He was interested in the construction of Columbus’ ships, specifically the fasteners used to hold them together, so he used the first two words that popped into his head.  His search string looked like this:

“site:.info nina screw”

The search results that he got back didn’t seem to be all that much better than when he didn’t put that “site” stuff in there.  In fact, they seemed to be more than a little “off topic.”  He couldn’t help but chuckle to himself as he looked at his search string… what had he been thinking?

Then again, thought Joe, perhaps he would take a little voyage of discovery of his own.

Two hours later, Joe was in a quandary.  There was a “Video ActiveX Object Error” sitting in the middle of his screen, and he didn’t know how to get rid of it.

“Your browser cannot display this video file,” it proclaimed, and went on to tell him, “You need to download new version of Video ActiveX Object to play this video file.”  Below that, it said, “Click Continue to download and install ActiveX Object.”  

Before all this pop-up nonsense began, Joe had been hoping to see some VERY active X, but this was just annoying.  If he clicked “Cancel,” another box popped up, this time from Internet Explorer telling him that his browser couldn’t play the video and telling him to “Click ‘OK’ to download and install missing Video ActiveX object.”  If he clicked “Cancel” on that box, another window opened saying “Please install new version of Video ActiveX Object” and only offering him the option of clicking “OK”.  Clicking “OK” took him back to the previous screen.  Around and around he went.

Joe was so frustrated and angry that he finally decided to just click “OK” and install the software.  Internet Explorer popped up a warning screen, telling him that some files could harm his computer, but then again, it did that when he downloaded things from other places too.  Besides, he was running antivirus software… at least he thought he was.  He couldn’t remember if he’d re-enabled it the last time some program had told him that he should disable it while installing… but he was pretty sure he had.  He clicked on “Open” and held his breath.

A “License Agreement” popped up on his screen.  He glanced through it quickly… reaffirmed his decision that law school would’ve been a bad idea, and clicked on “Install.”

Several things appeared to happen all at once.  Windows opened and closed, and finally, when things settled down, a new, shiny, slick-looking window opened on the middle of his screen.

“AntiVirGear v.3.8,” the window declared.  “Warning! 4 threats found!”

What had started out as a voyage of discovery had ended up with Joe washed up on some strange foreign shore.

It was going to be a long, long night.
 

Land Ho!

(or, more politically-correctly: Land Lady-of-the-Evening!)

According to the history books, Columbus, before he moved to the great state of Ohio and set up shop as a state capital, sailed the ocean blue in fourteen hundred ninety two, with the lofty goal of finding an ocean passage to India.  

As it turned out, he missed by a long shot.

Like most really big screw-ups, Columbus blundered his way through life so incredibly self-assured that even when he’d obviously made a mistake of historic proportions he just… well… went with it.  Rather than admit that he fell awfully dang short of his intended goal, he decided to go ahead and drop names on things to try to convince the folks back home that he knew exactly what he was doing.  Thus, the “West Indies” were born. (Which, to be entirely correct, should have been called the “Waaaaaaay West Indies”.)
 
Five hundred and a few years later, much like Chris, Joe Sixpack found himself in the middle of a mess-up of his own making and decided to simply bowl ahead as though he knew it would all work out just fine in the end.

Today, we’ll only take a look at the single most obvious portion of Joe’s misadventure. But, like that whole “Native American / Indian” debacle that Columbus left for us to straighten out, Joe’s expedition into the unknown has some long-term ramifications that we’ll discuss in a later installment.

But for now, let’s see what Joe’s carelessness has wrought.  In the course of clicking his way around the globe, Joe encountered a new and interesting download: a “Video ActiveX object” from the fine folks at “kimsoftware.com” who, based on the wording of their License Agreement, apparently like to go by the rather off-putting nickname “Licensor.”  It also seems that “Licensor” has a bit of an inferiority complex and something of a “thing” for self-deprecation… but we’ll get into that in a minute.

One result of installing this “Video ActiveX object” is a cascading download and installation of several files onto Joe’s machine, one of the most interesting of which goes by the name AntiVirGear3.8.exe.  

Weighing in at 3,262,914 tasty bytes it’s dropped onto Joe’s desktop machine like a wet sail hitting the deck of a ship. After grinding the hard drive for some period of time, it suddenly pops up a message saying that it has found four indications that Joe’s machine is infected with “Win32.Trojan.Click.Spywad.b”

The program then offers to “clean” the infection … for a fee.  You see, the “unregistered” version of AntiVirGear will only TELL you about the infections on your machine.  If you want to get rid of the infections, then you need to shell out fifty bucks to the folks at antivirgear.com

Not that I have anything against people wanting to make a buck… but in the past, I’ve investigated other “antivirus” programs that “found” malware even on a fresh install of Windows.  Those programs also would only remove the “found” items for a fee.  Could this be the same scam?

Through the magic of virtual machines and snapshots, I was able to return to the moment before all of the downloading and installing on Joe’s machine began.  Having extracted AntiVirGear3.8.exe from the downloaded traffic, I moved it back in time (so to speak) and installed it on Joe’s machine BEFORE Joe said “yes” to installing the big bundle o’fun from the kimsoftware.com/Licensor folks.

What did it find?  Nothing!  AntiVirGear didn’t find anything bad on the clean version of Joe’s machine.

Hmmm…. That’s strange.

Let’s recap for a moment:  you’re a software developer that markets your wares under the brand “kimsoftware.com”… so let’s assume (for the sake of argument) that you’re a young, blond, 23 year old named Megan.

No… no… wait…

Kim.  

Let’s say your name is Kim.

So… you create cutting edge software…. perhaps something like a “Video ActiveX object.”  You obviously have a bit of trouble with the English language and a penchant for porn.  Perhaps you failed out of law school, or are dating someone who did.  That might explain your twisted need to be called things like “Licensor” and the almost brutally lengthy “License Agreement” that you bundle with your “Video ActiveX object.”

So far, so good.  You’re a little strange, perhaps “quirky”, but you still fall somewhere within the big center portion of that bell curve we like to call “normal.”

But then it all comes crashing down.  

Kim, Kim, Kim…  Where did it go wrong?

What happened?  What drove you to the pits of self-loathing in which you obviously now seethe?  What inner daemons have driven you to the depths of depraved self-deprecation? How is it that you could possibly bundle a piece of software with your “Video ActiveX object” that would… dare I say it?... brand the child of your keyboard, the fruit of your software loins… as a virus?

Oh, the humanity.

Dear readers, pity poor, poor Kim.

Or… perhaps there might be another explanation.  Perhaps Kim has a cunning, almost evil plan.  What if there was some way that Kim might benefit if unsuspecting denizens of the Internet were to be convinced to register AntiVirGear?  What if there was some sort of “system” where Kim would make money every time a version of AntiVirGear that she installed got registered?

But how could a system like that ever exist?  For one thing, it would take someone at AntiVirGear willfully ignoring the obvious potential for abuse that such a system would create.  For another, you would have to have someone so completely morally bankrupt that they would purposefully infect someone else’s computer for their own financial gain.  How could such people possibly exist?

Sheesh… the next thing you’ll be telling me that the earth is round.

 ------------------------------------------------------------------

Tom Liston - Handler on Duty - Intelguardians

 
