Recently in Windows Category


Firefox Add-Ons Include Trojan


Just a quick note that 2 Mozilla Firefox Add-Ons were found to include a little more than bargained for in the form of Windows-based trojan malware. To be sure, these weren't the most popular add-ons in the catalog, with only around 4,600 downloads between the 2 infected offerings.

These add-ons were available for download from the Mozilla site. This only goes to underscore the importance of having your local scanners active and up to date. You shouldn't blindly download, install or run code from any website, vendor or media, regardless of its intentions or reputation. "Trust but verify" seems to apply here.


Google recently accused the Chinese government of hacking into the Gmail accounts of certain Chinese citizens unpopular with the communist leadership. Google has retaliated by threatening to cease filtering search results in China at the behest of the Chinese government. Certainly by now this is news to no one.

What's noteworthy about the details of the yet-unpatched IE 6 vulnerability that allowed this exploit is that it isn't really that noteworthy. IE 6 is outdated by 2 versions already. This vulnerability, while serious, doesn't strike me as anything unusual for MS products of that vintage. The response has been typical - the exploit is posted publicly, and the vendor is working on a patch.

So the lessons here are exactly what security pros (and plenty of other folks) already know - keep your OS and key applications up to date and configure software to automate this process. If you're still using IE6 for some reason, do you really need to be told "to be highly vigilant until a patch can be developed[?]"

France and Germany have gone a bit further than necessary, warning folks off of IE completely rather than just old versions. While I personally use Firefox and Chrome for features and speed, I wouldn't necessarily tell folks to abandon IE (though I'd recommend version 8 if you are going to use it). I don't believe other browsers are inherently more secure. It's just that non-IE users tend to be a slightly more tech-savvy population, and therefore a less attractive target. Perhaps that's reason enough to avoid IE for some.



On 11/2/2009 Microsoft published its Security Intelligence Report.

Microsoft reported that Windows XP users experienced significantly more security violations than Windows Vista users, and that Conficker infections are the top threat in enterprise environments but not even in the top 10 in home computing environments.

From its statistical data, Microsoft points out that there are differences in the types of threats per country: the U.S. and UK saw a high presence of Win32/Alureon and Win32/Vundo, some EU countries saw Win32/Wintrim as most active, China saw Win32/BaiduSobar and Win32/Frethog, and in Brazil it was Win32/Bancos.
Client-side and server-side polymorphic viruses seem to account for the large number of the Virus Misc variations. A polymorphic virus can mutate its structure to avoid detection by antivirus programs, usually by changing a variable or variables in its code without changing its overall algorithm.

There is a lot of interesting data published in this report that is about 232 pages long with information about organizations that are actively involved in mitigating exploits.


Microsoft Security Intelligence Report

References:
Conficker Working Group


Banking Using Live CD



Brian Krebs from Security Fix at the Washington Post cautions business users to use Live CD operating systems to perform online banking. Live CD distributions are generally free, Linux-based operating systems that one can download and burn to a CD-ROM.

This allows the user to boot the operating system off the CD; everything runs in memory, and when you're done with your transactions nothing that was performed remains on any disk. The advice is to use the Live CD only for online banking transactions and not to visit other sites.

Brian Krebs also points out that this is not only his recommendation but the recommendation of the Financial Services Information Sharing and Analysis Center (FS-ISAC).

I just want to point out that one needs to be sure where these distributions are acquired from. Simply obtaining one from a download or from an expert does not verify the validity of the distribution; make sure that you can verify the distribution before running it.

A response noted by "neversaylie"
"Some Windows malware perform DNS spoofing/ARP poisoning/DHCP spoofing, so even a LiveCD won't help you if you're on a network with some infected Windows machines."

So if you are using a Live CD but your DNS or DHCP servers are spoofed, you're still resolving fake addresses for your online banking institution and are not free of man-in-the-middle attacks.

Avoid Windows Bank on Live CD


According to Microsoft Security Bulletin MS09-021 (Update for Microsoft Excel), an attacker who successfully exploited these vulnerabilities could then install programs; view, change, or delete data; or create new accounts with full user rights.

This update contains support for several vulnerabilities because the modifications that are required to address these issues are located in related files. Instead of having to install several updates that are almost the same, customers need to install this update only.

Fortinet - "All three vulnerabilities lie in 'excel.exe', which is used when processing an Excel file. A maliciously crafted document may contain a malformed 1) BRAI (0x1051) record or 2) Object (0x5d) record or 3) Formula record (0x06) that, when processed, will result in memory corruption and allow a remote attacker to arbitrarily execute code on the victim's machine."

Telus Security Labs - "A buffer overflow vulnerability exists in Microsoft Office Excel products. The vulnerability is due to improper parsing of an Excel file that includes a malformed set of records. Remote attackers can exploit this vulnerability by enticing target users to open a malicious Excel file, potentially causing arbitrary code to be injected and executed in the security context of the current user."
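As an added illustration (not code from the bulletin or from either vendor's write-up), the defensive pattern both reports point at: the BIFF record stream inside an Excel file is a sequence of [type][length][data] frames, and a parser must validate each declared length against the bytes actually remaining before reading or copying the data. The record type values are the three quoted above; the walker and the sample stream are constructed here and do not reproduce excel.exe's internal logic.

```c
#include <stddef.h>
#include <stdint.h>

/* BIFF record types named in the MS09-021 write-ups quoted above. */
#define BIFF_FORMULA 0x0006
#define BIFF_OBJ     0x005D
#define BIFF_BRAI    0x1051

/* Result of a bounds-checked walk over a BIFF record stream. */
typedef struct {
    size_t records;    /* records successfully framed */
    size_t flagged;    /* records of the three types above */
    int truncated;     /* 1 if a record claimed more bytes than remain */
} biff_walk_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Walk the stream: each record is [type:2][len:2][data:len], little-endian.
 * The point is the check: the declared length is compared with the bytes
 * actually remaining BEFORE any data is read or copied, so a malformed
 * record cannot drive a read or a copy past the end of the buffer. */
biff_walk_t biff_walk(const uint8_t *buf, size_t n) {
    biff_walk_t r = {0, 0, 0};
    size_t off = 0;
    while (off + 4 <= n) {
        uint16_t type = rd16(buf + off);
        uint16_t len  = rd16(buf + off + 2);
        if (len > n - off - 4) {   /* declared length overruns the buffer */
            r.truncated = 1;
            break;
        }
        if (type == BIFF_FORMULA || type == BIFF_OBJ || type == BIFF_BRAI)
            r.flagged++;
        r.records++;
        off += 4 + (size_t)len;
    }
    return r;
}

/* Constructed sample: a well-formed record, a Formula record, then a BRAI
 * record whose declared length (0x0100) exceeds the single byte that follows. */
static const uint8_t sample_bad[] = {
    0x09, 0x08, 0x02, 0x00, 0xAA, 0xBB,        /* type 0x0809, len 2 */
    0x06, 0x00, 0x03, 0x00, 0x01, 0x02, 0x03,  /* FORMULA, len 3 */
    0x51, 0x10, 0x00, 0x01, 0xFF               /* BRAI, len 256, only 1 byte present */
};

biff_walk_t walk_sample_bad(void) { return biff_walk(sample_bad, sizeof sample_bad); }
```

A parser that trusted the BRAI record's length field here would read 255 bytes past the end of the buffer; the walk instead stops and reports the stream as truncated.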

Acknowledgments:

Microsoft thanks the following for working with us to help protect customers:

Bing Liu of Fortinet's FortiGuard Global Security Research Team for reporting the Pointer Corruption Vulnerability (CVE-2009-0549), the Object Record Corruption Vulnerability (CVE-2009-0557), and the Field Sanitization Memory Corruption Vulnerability (CVE-2009-0560).

Carsten H. Eiram of Secunia for reporting the Array Indexing Memory Corruption Vulnerability (CVE-2009-0558) and the Record Integer Overflow Vulnerability (CVE-2009-0561).

Sean Larsson and Joshua Drake of VeriSign iDefense Labs for reporting the Record Integer Overflow Vulnerability (CVE-2009-0561).

TELUS Security Labs Vulnerability Research Team for reporting the String Copy Stack-Based Overrun Vulnerability (CVE-2009-0559).

TippingPoint and the Zero Day Initiative for reporting the Record Pointer Corruption Vulnerability (CVE-2009-1134).


Conficker Fizzles?


Is it too early to declare that nothing has come of the hype around the wildly successful conficker worm's purported April 1st surprise? So far, press reports like this one seem to indicate a lack of any April Fool's Day fireworks.

Experts are quick to point out, however, that whatever the owner of this enormous botnet has planned doesn't necessarily need to be executed today. While that is true enough, I wonder whose side time is on.

Despite their popularity and longevity as a genre of malware, individual botnets tend to have an expiration date. This is natural. The lifecycle curve generally starts with a big push of initial infections (if the writers are lucky), AV updates and platform patches, and then a gradual slope downward as the worm becomes trivial to block or remove. Malware variants are, of course, a problem but can vary in the success of their continued evasion.

So far conficker has done a great job in its initial phases, but its success may precipitate its downfall. The amount of publicity and awareness combined with the widespread availability of removal tools and information are going to gradually reduce the size and value of this particular botnet, perhaps more rapidly than most.

In that case, doesn't it make sense for the botnet owners to strike while the iron is hot? A day or a week won't make too much difference, but I think if we don't see the horsemen of the Internet apocalypse in a week or 2, we can probably get a good night's sleep - the end is not nigh. Of course, this worm and others like it are still a huge issue and need to be continually addressed, but there's something about this whole 4/1/9 conficker scare that smacks of y2k fever.


Last year we wrote about the possibility that the Conficker and Downadup.a backdoor worm variants, which could be delivered via botnets, would become an issue if the majority of users avoided updating their Windows operating system. Well, it looks like this year things really heated up when these were unleashed, and the variants had extra features added to their arsenal that allowed them to spread faster. Computer World and Symantec reported on Jan. 12th that 3 million users were infected. On January 14th Computer World reported that 1.1 million Windows PCs were infected in 24 hours. Panda Software raised its Global Threat Watch to Orange, and F-Secure is now reporting over 8 million users today, according to the F-Secure blog.

So, despite all the alerts and alarms from Microsoft about this issue, some users thought they might be protected, even though Microsoft warned that the network attack against the PC requires no authentication at all.

The bad part is that the initial worm spread is only the beginning: what follows is whatever gets downloaded and compiled on the machine, and whatever gets uploaded to be analyzed by an attacker. This might cause you some anxiety as you fight one thing after another, while new adventures may be happening on your other operating systems, through your internal VPNs, and maybe against your partners and suppliers. Whether you have a small business or a large one, this may mean you're already restoring boxes from last week's backups, which may themselves still be infected.

When these massive outbreaks occur, you not only feel bad for the data owners but also for the people who have to put out the fires because they could not get the buy-in from the data owners to mitigate the risk.

Sometimes during these outbreaks there is suddenly an immediate need to upgrade. As a system is taken offline at the switch, you can hear the cry from down the hall, "but I just patched my system," and from across the cubicles, "and I ran an antivirus! It was clean, I should be OK now." But no. As you get closer you can hear the hard drive churning, the applications are now doing all kinds of nice things by themselves, and the antivirus program is probably not the antivirus program any more. We probably can't even count the number of infections on the PC, but judging by the IDS, DLP, and firewalls it's more than one, I'm sure.

This is when the backup and recovery administrators get a bit testy, or their faces turn as white as snow, because they know the task at hand.

Last year everyone was saying that all the worms and viruses seemed to have dropped off and "I have XP SP2 firewall enabled what could happen?" And then one day you and your co-workers are enjoying a nice wormy day and....!!

To all my friends and family, I hope you're not having a nice wormy day and that you upgraded weeks ago.

- Bill Le Roy


On Nov. 26th, Computer World Security published an article on the new variants of the MS08-067 Windows Server Service exploit. The variants, called "Conficker" by Microsoft and "Downadup" by Symantec, have spread outside Asia to the U.S. and other countries: http://www.microsoft.com/security/portalEntry.aspx?Name=Worm%3aWin32%2fConficker.A
The new variants apparently also attempt to connect to several URLs: getmyip.org, getmyip.co.uk and checkip.dynsdns.org. Another interesting piece is that the worm has been reported to reset the computer's restore point.

CVE Reference: CVE-2008-4250

Symantec has written some removal procedures on: http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99&tabid=3

On Nov. 25th, the Microsoft Malware Protection Center also published an update concerning a backdoor IRC bot that exploits systems that are not updated: http://www.microsoft.com/security/portal/Entry.aspx?Name=Backdoor%3aWin32%2fIRCbot.BH

The trojan connects to a predefined remote IRC server named '0x90.devtech.us'. The trojan can also send clipboard entries from the infected computer.

Win32/IRCBot.worm.Gen (AhnLab)
Win32/IRCBot!generic (CA)
WIN.IRC.WORM.Virus (Dr.Web)
Exploit-DcomRpc.gen (McAfee)
Mal/IRCBot-B (Sophos)
Purple Exploit (other)

We don't know how many more variants will be released, and as always we don't know whether the patch fixes all the issues involved.


A few thoughts on Microsoft's latest Security Intelligence Report. Although the number of reported vulnerabilities apparently has decreased, the number of high-severity vulnerabilities has increased. And while there continues to be a decrease in viruses reported, there was an increase in password-stealing exploits. One really interesting piece of information is the amount of trojan downloaders and droppers, which may be why worms, backdoors, password stealers, and monitoring software have stayed basically the same or increased. The report also indicates that developing countries mostly fall victim to these vulnerabilities, compared to more advanced economies, although from other reports that I read, the U.S. and China seem to have higher incidents than the other economically developed powers. China, for example, seems to have been hit harder than the U.S. or other economically advanced nations by the latest MS08-067 RPC exploit.

Last year I heard Dan Geer at the Forrester Security Conference talk about the difficulty of measuring information security events: you may have gotten 1 alert concerning a download, but what did not get reported was the 6 payloads it left behind that went undetected. Those of us who have had to follow up on initial viruses, worms, trojans and other incidents know that there is usually more there than what was discovered during the first cleanup attempt, and that the ratio of what is reported compared to what was there was more like 10:1, depending on the incident.

There is an interesting article on the CDC site called "Contagion on the Internet" by Trudy M. Wassenaar and Martin J. Blaser. Although written in 2002, this article is still relevant today, comparing the similarities between the biological and virtual tiny monsters.




There has been a significant amount of work done recently to combat the recent RPC exploitation on Microsoft Windows servers and clients. Since the beginning of last month there have been many warnings and much information available to mitigate this attack. This week we are seeing an increased number of worms detected that are apparently having an impact in Asia. Symantec is reporting activity on W32.Kernelbot.A and W32.Wecort. SecuriTeam had published some sample code, and Don't Stuff Beans Up Your Nose also had a nice article. Microsoft released the patch for this before its normal release time. Thanks to the firewalls enabled in Windows XP SP2/SP3 and Vista, the availability of personal home firewalls for cable and DSL, and all the lessons learned from Blaster and Slammer, we may have, at least for now, avoided another worldwide outbreak. Although I am sure there are still users who put their PCs on the Internet without firewalls, host-based firewalls, or antivirus, never patch their systems, and then bring them into their companies and connect them to wired and wireless networks to share with their co-workers.




© 2010 netForensics, Inc