Threat Level: green Handler on Duty: Russell Eubanks

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

November Black Tuesday Overview

Published: 2008-11-11
Last Updated: 2008-11-13 00:04:14 UTC
by Swa Frantzen (Version: 2)
1 comment(s)

Overview of the November 2008 Microsoft patches and their status.

# Affected Contra Indications Known Exploits Microsoft rating ISC rating(*)
clients servers
MS08-068 The NTLM protocol allows an attacking server to reflect credentials and use them against the client gaining the rights of the logged on user.
Replaces MS06-030 and MS05-011.
SMB

CVE-2008-4037

KB 957097

UPDATE: Vulnerability first made public in March 2001, exploits readily available.

Important Critical Important
MS08-069 Multiple vulnerabilities allow memory corruption (code execution with the rights of the logged on user), cross domain scripting and cross domain information leaks.
Replaces MS07-042.
XML core services

CVE-2007-0099
CVE-2008-4029
CVE-2008-4033
KB 955218 CVE-2007-0099 was made public on January 4th, 2007. Critical Critical Important
We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

--
Swa Frantzen -- Section 66

1 comment(s)

Acrobat continued activity in the wild

Published: 2008-11-11
Last Updated: 2008-11-12 02:04:02 UTC
by Swa Frantzen (Version: 3)
1 comment(s)

It seems those responsible for the prior reported attacks, and followed up only yesterday, are still busy and most probably successful at it.

Holger reported a site that via obfuscation and redirection pointed back to the same site as where Bojan initially found his malicious pdfs.

Interesting the pdfs are new files.

Checking the new pdf again (both file names have the same content (MD5: e51f24ec2e3d2cf71aa1ba74a7210841) on virustotal to get an up to date idea of the coverage, we get this:

Antivirus Version Last Update Result
SecureWeb-Gateway 6.7.6 2008.11.11 Exploit.PDF.Shellcode.gen (suspicious)
Symantec 10 2008.11.11 Trojan.Pidief.D

All the rest of the products tested at virustotal fail to detect these newer pdfs at all at this time.

So, what are we to do ?

  • Are your acrobat installations fully up to date on patches ? How can you be sure ?
  • Do you really need pdf viewers to execute downloaded javascript ? How can it be turned off ?

Perhaps the policy file contributed by Elazar can help you:

CLASS USER 
 
CATEGORY "Adobe Acrobat/Reader 6.x - 8.x" 
 
POLICY "JavaScript Reader 8.x" 
KEYNAME "Software\Adobe\Acrobat Reader\8.0\JSPrefs" 
EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 8.x" 
VALUENAME "bEnableJS" 
VALUEON NUMERIC 1 
VALUEOFF NUMERIC 0 
END POLICY 
 
POLICY "JavaScript Acrobat 8.x" 
KEYNAME "Software\Adobe\Adobe Acrobat\8.0\JSPrefs" 
EXPLAIN "Enable or Disable JavaScript in Acrobat 8.x" 
VALUENAME "bEnableJS" 
VALUEON NUMERIC 1 
VALUEOFF NUMERIC 0 
END POLICY 
 
POLICY "JavaScript Reader 7.x" 
KEYNAME "Software\Adobe\Acrobat Reader\7.0\JSPrefs" 
EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 7.x" 
VALUENAME "bEnableJS" 
VALUEON NUMERIC 1 
VALUEOFF NUMERIC 0 
END POLICY 
 
POLICY "JavaScript Acrobat 7.x" 
KEYNAME "Software\Adobe\Adobe Acrobat\7.0\JSPrefs" 
EXPLAIN "Enable or Disable JavaScript in Acrobat 7.x" 
VALUENAME "bEnableJS" 
VALUEON NUMERIC 1 
VALUEOFF NUMERIC 0 
END POLICY 
 
POLICY "JavaScript Reader 6.x" 
KEYNAME "Software\Adobe\Acrobat Reader\6.0\JSPrefs" 
EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 6.x" 
VALUENAME "bEnableJS" 
VALUEON NUMERIC 1 
VALUEOFF NUMERIC 0 
END POLICY 
 
POLICY "JavaScript Acrobat 6.x" 
KEYNAME "Software\Adobe\Adobe Acrobat\6.0\JSPrefs" 
EXPLAIN "Enable or Disable JavaScript in Acrobat 6.x" 
VALUENAME "bEnableJS" 
VALUEON NUMERIC 1 
VALUEOFF NUMERIC 0 
END POLICY 
 
END CATEGORY

Disclaimer: I've not tried this policy file.

UPDATES:

Holger seems to have taken an interest in this and reported that they seem to have updated the attack once again, no more detection in virustotal.

A big part of getting this right is to be notified timely of such updates being available. Jacob reported that he noticed he didn't get the notification from Adobe for the last few updates. (You can sign up for it, but YMMV...)

An anonymous reader reported: "I observed the following on two different computers (one at work; one at home) about a week or two ago.  Both mentioned that there was an update to Adobe Reader available but that the update failed.  Subsequently, that message did not reappear.  Manually selecting Update from within Adobe Reader allowed for the installation of the patched version, which required a reboot." Hence, take care when relying solely on automatic updates ...

--
Swa Frantzen -- Section 66

1 comment(s)

Phishing for Google adwords

Published: 2008-11-11
Last Updated: 2008-11-11 21:15:09 UTC
by Swa Frantzen (Version: 1)
0 comment(s)

Today, (Tue Nov 11 17:27:xx in GMT+1) I received:

From: Google AdWords <setup@google.com>                                       
To: xxx@xxx.xxx
Subject: Google AdWords Alert 
Date: Wed, 12 Nov 2008 02:27:xx +1000 
 
Hello, 
 
Our attempt to charge your credit card on Wed, 12 Nov 2008 02:27:xx +1000
for your outstanding Google AdWords account balance was declined. 
Your account is still open. However, your ads have been suspended. Once 
we are able to charge your card and receive payment for your account 
balance, we will re-activate your ads. 
 
Please update your billing information, even if you plan to use the 
same credit card. This will trigger our billing system to try charging 
your card again. You do not need to contact us to reactivate your 
account. 
 
To update your primary payment information, please follow these steps: 
 
1. Log in to your AdWords account at: http://adwords .google .com 
.session- xxxxxxxxxxxxxxxxxxxx .xxxxxxxxxxxxxxxxxxxx .com68 .ru 
3. Click 'Billing Preferences' link. 
4. Click Edit next to the appropriate 'Payment Details' section. 
5. Enter your new or updated payment information. 
6. Click 'Save Changes' when you have finished. 
 
In the future, you may wish to use a backup credit card in order to 
help ensure continuous delivery of your ads. You can add a backup 
credit card by visiting your Billing Preferences page. 
------------------------------------------------------------------ 
This message was sent from a notification-only email address that does 
not accept incoming email. Please do not reply to this message. If you 
have any questions, please visit the Google AdWords Help Centre at 
https://adwords.google.com/support/?hl=en_GB to find answers to 
frequently asked questions and a 'contact us' link near the bottom of   
the page.
---------------------------------------------------------------- 
 
Thank you for advertising with Google AdWords. 
We look forward to providing you with the most effective advertising available. 
 
Sincerely,

The Google AdWords Team 

The x-ed out stuff was spot-on, the spaces are added to the URL to prevent any reader from clicking on this. It was sent to an email address I actually have used in association with Google adwords, (although it's not that well targeted, I got other copies of it on addresses I use in conjunction with managing websites but not linked to adwords.)

Notice the lack of obvious errors aside of a date that's in the future (their timezone calculation might be off) and the concealed URL that does not point to google.com, but to .com68.ru

Now, when explaining to your users how to detect phishing from real warnings, do you think your users have a reasonable chance of noticing this before the credit card gets abused?

Tracing it back:

  • com68.ru has a private registration. Sure, what's new.
  • The email originated in 77.34.0.0/15 (used by an ISP based in Vladivostok).
  • The actual DNS name didn't resolve at the time of this writing.

--
Swa Frantzen -- Section 66

0 comment(s)
Diary Archives