October 2008:

Facebook Worm drives by Google Reader and Picasa (updated)


Since the end of July 2008, worms targeting Facebook users have been spotted here and there. The strategy has been simple, yet effective: a malicious message is sent to the friends of the infected user, prompting them to visit a page carrying an online video – something utterly common in today’s Web 2.0 era. However, should the targeted users follow the link, they soon find out that the video does not start… unless they install a special codec, as prompted for by the page! As a matter of course, the said codec is nothing else than a Trojan, loading various malware pieces, possibly including a copy of the worm.

Very recently, an interesting twist was added to the attack’s social engineering strategy: as can be seen in Figure 1 below, the link in the malicious, rogue message points to Google.


Figure 1: Notice the intentionally apocalyptic spelling of the message’s title, which could aim at fooling Facebook filters

Upon clicking it, the targeted user is indeed brought to a Google Reader share, seen in Figure 2 below:


Figure 2: This seems to be more than just a tongue-in-cheek video

Google Reader is a news reader that lets its users share the news they find interesting with their social network (in buzzwords, a Web 2.0-enabled news reader), and with the public via their “shares” page. It appears that the cyber criminals behind the Facebook worms registered Google Reader accounts (either manually, or automatically via phishing operations or automated CAPTCHA solvers) for the sole purpose of loading them with links to malicious sites. Indeed, upon clicking the tempting video frame seen in the news reader in Figure 2, the victim is redirected to a classic fake-codec site serving a Trojan (W32/Zlob.NKX!tr.dldr):


Figure 3: The lack of definite articles indicates this is the work of Slavic hackers

This “hop” via a Google Reader share serves an essential purpose: it gives the targeted user the feeling that the video is hosted on Google, and thus must be safe. Combine that with the “it’s a message from a friend” factor, which naturally lowers users’ guard, and you get quite a good chance of seeing your victim perform the dreaded click.

Update (October 29, 2008):

The cyber criminals behind this scheme are now using Google Picasa to lure targeted users, with the URL in the suspect Facebook messages now being:

http://picasaweb.google.com/[removed]/Youtube#52610132498569990

There, the same video screen grab is displayed and users are enticed to follow the link in the caption:


Figure 4: Pro-Tip: You can’t open it because it’s a Trojan, not because you miss the codecs

On closer inspection, allowing links in picture captions turns out to be a genuine Picasa feature, which could introduce further security threats. This raises the question: is this functionality worth the risk of rogue Picasa users posting malicious URLs?

Fortinet customers who subscribe to Fortinet’s antivirus and Web content filtering services should be protected against these threats. Fortinet’s antivirus and Web content filtering services are two components of FortiGuard Subscription Services, which also offer comprehensive solutions such as IPS and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat’s lifecycle.

Acknowledgement:

Guillaume Lovet of Fortinet’s FortiGuard Global Security Research Team

URL: http://www.fortiguardcenter.com/advisory/FGA-2008-26.html

University of Minnesota Deploys Infoblox Appliances


Infoblox Inc. today announced that the University of Minnesota has deployed Infoblox appliances for delivery of core network services.

URL: http://feedproxy.google.com/~r/InfobloxNewsFeed/~3/Z9Wamo9ja-k/release.cfm

Microsoft Security Advisory (958963): Exploit Code Published Affecting the Server Service – 10/27/2008

Revision Note: Advisory published. Advisory Summary: Security Advisory

URL: http://www.microsoft.com/technet/security/advisory/958963.mspx

Threatscape Report – October 2008 Edition


The following statistics are compiled from Fortinet’s FortiGate network security appliances and intelligence systems for the period September 21st – October 20th, 2008.

Table of Contents:


FortiGuard Global Threat Research

Exploits and Intrusion Prevention

Top 10 Exploitations

Top 10 exploitation attempts detected for this period, ranked by vulnerability traffic. Percentage indicates the portion of activity the vulnerability accounted for out of all attacks reported in this edition. Severity indicates the general risk factor involved with the exploitation of the vulnerability, rated from low to critical. Critical issues are flagged in the Severity column:

Rank  Vulnerability                         Percentage  Severity
1     Trojan.Storm.Worm.Krackin.Detection   39.7        High
2     Worm.Slammer                          34.6        High
3     PhpInclude.Worm.B                     5.5         High
4     invalid_length                        1.7         Low
5     TCP.Bad.Flags                         1.1         Critical
6     SSH.Brute.Forcer                      1.0         Low
7     invalid_encoding                      0.8         Low
8     large_fragsize                        0.8         High
9     Danmec.Asprox.SQL.Injection           0.7         High
10    chunk_overflow                        0.4         Critical

New Vulnerability Coverage

There were a total of 66 vulnerabilities added to FortiGuard IPS coverage this period.
Of these added vulnerabilities, 18 were reported to be actively exploited.

Figure 1 breaks down added vulnerabilities by severity, coverage and active exploitation in the wild.

For more information, see the detailed reports for this period at:


Figure 1: New vulnerability coverage for this edition, categorized by severity

Malware Today

Top 10 Variants

Top 10 malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition’s Top 100 ranking, with “new” highlighting the malware’s debut in the Top 100. Figure 2 below shows the detected volume for the malware variants listed within the Top 5:

Rank  Malware Variant            Percentage  Top 100 Shift
1     W32/Agent.AGGP!tr.dldr     23.6        new
2     W32/FakeAlert.D!tr.dldr    10.6        new
3     W32/Inject.GZW!tr.bdr      9.4         -2
4     W32/Autorun.PNL!worm       4.7         new
5     W32/Agent.XGG!tr           4.1         new
6     W32/Virut.A                3.2         +1
7     W32/Goldun.AZL!tr.spy      3.0         new
8     W32/FakeAlert.D!tr         2.9         new
9     W32/Netsky!similar         2.7         -4
10    W32/Agent.AHVM!tr.dldr     2.4         new

Figure 2: Activity curve for top five malware variants

Regions & Volume

Top 5 regions for this period, ranked by distinct malware volume reported. Distinct malware volume is the number of unique virus names (variants) detected in the given region, as opposed to total malware volume, which is the accumulated number of all reported incidents. Six-month trends are also given up to the last calendar day of the most recently completed month. Figures 3a-3c below show these statistics:


Figure 3a: Top 5 regions by distinct malware volume

Figure 3b: Six month trend

URL: http://www.fortiguardcenter.com/reports/roundup_oct_2008.html

MS08-067 – Critical: Vulnerability in Server Service Could Allow Remote Code Execution (958644)

Bulletin Severity Rating: Critical – This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit. Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter.

URL: http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx?pubDate=2008-10-23

Microsoft Windows Server Service Remote Code Execution Vulnerability (MS08-067)


Summary:

A specially crafted RPC request can be delivered to the server service of the affected Microsoft Windows system to run arbitrary code.

Impact:

  • Remote code execution

Risk:

  • Critical

Affected Software:

  • Windows 2000 Service Pack 4
  • Windows XP Service Pack 2
  • Windows XP Service Pack 3
  • Windows XP Professional x64 Edition
  • Windows XP Professional x64 Edition Service Pack 2
  • Windows Server 2003 Service Pack 1
  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition
  • Windows Server 2003 x64 Edition Service Pack 2
  • Windows Server 2003 with SP1 for Itanium-based Systems
  • Windows Server 2003 with SP2 for Itanium-based Systems
  • Windows Vista
  • Windows Vista Service Pack 1
  • Windows Vista x64 Edition
  • Windows Vista x64 Edition Service Pack 1
  • Windows Server 2008 for 32-bit Systems
  • Windows Server 2008 for x64-based Systems
  • Windows Server 2008 for Itanium-based Systems

Solutions:

  • Apply the security update available at http://windowsupdate.microsoft.com
  • The FortiGuard Global Security Research Team released the following:
    • IPS signature “MS.DCERPC.NETAPI32.Buffer.Overflow”, which covers this specific vulnerability.
    • Antivirus signature “W32/NetAPI32.RPC!exploit.M20084250”, which detects the malicious file related to this vulnerability.

Fortinet customers who subscribe to Fortinet’s intrusion prevention (IPS) service should be protected against this remote code execution vulnerability. Fortinet’s IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat’s lifecycle.

References:

URL: http://www.fortiguardcenter.com/advisory/FGA-2008-25.html

Wireshark Multiple Vulnerabilities


Summary:

Wireshark (http://www.wireshark.org/) is the most popular network protocol analyzer (aka “sniffer”). A memory corruption vulnerability exists in Wireshark, potentially allowing a remote attacker to compromise targeted systems by sending them specially crafted “live” network traffic or malicious network trace files (pcap files). Multiple denial of service vulnerabilities also exist in Wireshark, allowing a remote attacker to crash targeted systems upon sniffing network traffic or viewing network trace files (pcap files).

Impact:

Full compromise of the targeted system.

Risk:

  • High

Affected Software:

  • Wireshark version older than 1.0.4

Additional Information:

  • The Bluetooth HCI memory corruption vulnerability lies in the BTHCI packet dissector and is caused by insufficient checking of packet parameters. This issue occurs either when Wireshark is configured to sniff Bluetooth traffic (with a USB dongle, for example) and is sent “live” malicious traffic, or upon opening a crafted Bluetooth HCI encapsulation format traffic file.
  • The Parallel Redundancy Protocol post-dissector (not enabled by default) is vulnerable to a denial of service when handling specially crafted Ethernet frames; the issue is caused by missing exception handling.
  • The USB URB denial of service vulnerability lies in the USB packet dissector, where insufficient checking of packet parameters is performed; the vulnerability is present only when Wireshark is configured to sniff packets from USB ports or opens a crafted USB traffic pcap file.
  • The two denial of service conditions above may be used by an attacker as a Cyber Counter-Measures tool, in order to render the network surveillance systems “blind” before engaging in further deleterious action.

Solutions:

References:

Acknowledgment:

  • David Maciejak of Fortinet’s FortiGuard Global Security Research Team

URL: http://www.fortiguardcenter.com/advisory/FGA-2008-24.html

EMC NetWorker Denial of Service Vulnerability


Summary:

A resource exhaustion vulnerability exists in multiple EMC products, reachable through their RPC interface.

Impact:

Denial of service.

Risk:

  • Medium

Affected Software:

  • NetWorker Server, Storage Node and Client 7.3.x and 7.4, 7.4.1, 7.4.2
  • NetWorker Client and Storage Node for Open VMS 7.3.2 ECO6 and earlier
  • NetWorker Module for Microsoft Exchange 5.1 and earlier
  • NetWorker Module for Microsoft Applications 2.0 and earlier
  • NetWorker Module for Meditech 2.0 and earlier
  • NetWorker PowerSnap 2.4 SP1 and earlier

EMC Recommended Updates for Affected Software:

  • NetWorker Server, Storage Node and Client 7.4 SP3
  • NetWorker Server, Storage Node and Client 7.3 SP4 build 565
  • NetWorker Client and Storage Node for Open VMS 7.3.2 ECO7
  • NetWorker Module for Microsoft Exchange 5.1 SP1
  • NetWorker Module for Microsoft Applications 2.1
  • NetWorker Module for Meditech 2.0 SP1
  • NetWorker PowerSnap 2.4 SP2

Additional Information:

The RPC interface used by the affected EMC products does not properly enforce bounds checking on a parameter which is used to allocate memory on the heap. The vulnerable NetWorker products use the process “nsrexecd.exe”. A remote attacker can exploit this by repeatedly sending requests to the RPC interface, each time allocating more and more memory. Eventually system resources will be exhausted, and denial of service is achieved.
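As an added illustration of the bug class described above (this is constructed example code, not EMC NetWorker’s own; the request layout, limits and function names are assumptions), the handler below treats a client-supplied length as untrusted before using it for a heap allocation and keeps a running budget so that repeated requests cannot accumulate memory:

```c
/* Constructed example: bounded handling of a client-supplied allocation size.
 * Not NetWorker code; the wire format, caps and names are assumptions. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_REQ_BYTES   (64u * 1024u)         /* hard cap per request (assumed) */
#define MAX_TOTAL_BYTES (4u * 1024u * 1024u)  /* budget across in-flight requests (assumed) */

/* Constructed wire request: a declared payload length, then the payload bytes. */
struct request {
    uint32_t declared_len;        /* attacker-controlled field */
    const unsigned char *payload;
    size_t payload_avail;         /* bytes actually received */
};

static size_t g_outstanding;      /* bytes currently allocated for in-flight requests */
static unsigned char g_junk[MAX_REQ_BYTES];  /* stand-in payload for simulations */

/* Returns an allocated copy of the payload, or NULL when the request is rejected.
 * Each check closes one way the advisory's bug class shows up:
 *  1. declared length exceeds the per-request cap;
 *  2. declared length exceeds what was actually received (short read);
 *  3. accepting it would push the total over budget (slow exhaustion). */
unsigned char *accept_request(const struct request *req, const char **reason) {
    if (req->declared_len > MAX_REQ_BYTES)             { *reason = "oversize";   return NULL; }
    if (req->declared_len > req->payload_avail)        { *reason = "short-read"; return NULL; }
    if (req->declared_len > MAX_TOTAL_BYTES - g_outstanding) { *reason = "budget"; return NULL; }
    unsigned char *buf = malloc(req->declared_len ? req->declared_len : 1);
    if (!buf) { *reason = "oom"; return NULL; }
    memcpy(buf, req->payload, req->declared_len);
    g_outstanding += req->declared_len;
    *reason = "ok";
    return buf;
}

/* Every accepted request must be released when it completes; the behaviour the
 * advisory describes amounts to memory that is never returned here. */
void release_request(unsigned char *buf, uint32_t len) {
    free(buf);
    g_outstanding -= len;
}

size_t outstanding_bytes(void) { return g_outstanding; }

/* True if a request with the given declared/received sizes is rejected for `expected`. */
int rejected_as(uint32_t declared_len, size_t avail, const char *expected) {
    struct request req = { declared_len, g_junk, avail };
    const char *why;
    unsigned char *buf = accept_request(&req, &why);
    if (buf) { release_request(buf, declared_len); return 0; }
    return strcmp(why, expected) == 0;
}

/* Simulates a client sending n requests of `len` bytes that are not completed
 * until the end; returns how many the budget let through (n capped at 256). */
unsigned simulate_flood(unsigned n, uint32_t len) {
    unsigned char *held[256];
    const char *why;
    unsigned accepted = 0;
    if (n > 256) n = 256;
    struct request req = { len, g_junk, sizeof g_junk };
    for (unsigned i = 0; i < n; i++) {
        unsigned char *buf = accept_request(&req, &why);
        if (buf) held[accepted++] = buf;
    }
    for (unsigned j = 0; j < accepted; j++) release_request(held[j], len);
    return accepted;
}
```

With the assumed limits, 256 back-to-back 64 KiB requests yield only 64 acceptances before the budget check refuses the rest.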

Solutions:

Fortinet customers who subscribe to Fortinet’s intrusion prevention (IPS) service should be protected against this resource exhaustion vulnerability. Fortinet’s IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat’s lifecycle.

References:

Acknowledgment:

  • Zhenhua Liu, Xiaopeng Zhang and Junfeng Jia of Fortinet’s FortiGuard Global Security Research Team

URL: http://www.fortiguardcenter.com/advisory/FGA-2008-23.html

Microsoft Security Bulletin for October 2008


The table below lists the Microsoft vulnerabilities for October 2008.

MS Bulletin Number | Microsoft Bulletin Title | Severity | Impact of Vulnerability | Affected Software | CVE ID
MS08-056 | Vulnerability in Microsoft Office Could Allow Information Disclosure (957699) | Moderate | Information Disclosure | Microsoft Office | CVE-2008-4020
MS08-057 | Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (956416) | Critical | Remote Code Execution | Microsoft Office | CVE-2008-3471, CVE-2008-3477, CVE-2008-4019
MS08-058 | Cumulative Security Update for Internet Explorer (956390) | Critical | Remote Code Execution | Microsoft Windows, Internet Explorer | CVE-2008-2947, CVE-2008-3472, CVE-2008-3473, CVE-2008-3474, CVE-2008-3475, CVE-2008-3476
MS08-059 | Vulnerability in Host Integration Server RPC Service Could Allow Remote Code Execution (956695) | Critical | Remote Code Execution | Microsoft Host Integration Server | CVE-2008-3466
MS08-060 | Vulnerability in Active Directory Could Allow Remote Code Execution (957280) | Critical | Remote Code Execution | Microsoft Windows | CVE-2008-4023
MS08-061 | Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (954211) | Important | Elevation of Privilege | Microsoft Windows | CVE-2008-2250, CVE-2008-2251, CVE-2008-2252
MS08-062 | Vulnerability in Windows Internet Printing Service Could Allow Remote Code Execution (953155) | Important | Remote Code Execution | Microsoft Windows | CVE-2008-1446
MS08-063 | Vulnerability in SMB Could Allow Remote Code Execution (957095) | Important | Remote Code Execution | Microsoft Windows | CVE-2008-4038
MS08-064 | Vulnerability in Virtual Address Descriptor Manipulation Could Allow Elevation of Privilege (956841) | Important | Elevation of Privilege | Microsoft Windows | CVE-2008-4036
MS08-065 | Vulnerability in Message Queuing Could Allow Remote Code Execution (951071) | Important | Remote Code Execution | Microsoft Windows | CVE-2008-3479
MS08-066 | Vulnerability in the Microsoft Ancillary Function Driver Could Allow Elevation of Privilege (956803) | Important | Elevation of Privilege | Microsoft Windows | CVE-2008-3464

Threat Remediation

Fortinet provides the following coverage for the Microsoft vulnerabilities of October 2008.

CVE Number     Signature Name
CVE-2008-1446  MS.Internet.Printing.Service.Code.Execution
CVE-2008-2250  n/a (local vulnerability)
CVE-2008-2251  n/a (local vulnerability)
CVE-2008-2252  n/a (local vulnerability)
CVE-2008-2947  MS.IE.Window.Location.Handling.Cross.Domain.Script.Execution
CVE-2008-3464  n/a (local vulnerability)
CVE-2008-3466  MS.Host.Integration.Server.RPC.Service.Code.Execution

URL: http://www.fortiguardcenter.com/advisory/FGA-2008-22.html

Cisco Response to Outpost24 TCP State Table Manipulation Denial of Service Vulnerabilities


URL: http://www.cisco.com/en/US/products/products_security_response09186a0080a15120.html

Microsoft Security Bulletin Major Revisions


Posted by Microsoft on Oct 16

********************************************************************
Title: Microsoft Security Bulletin Major Revisions
Issued: October 15, 2008
********************************************************************

Summary
=======
The following bulletins have undergone a major revision…

URL: http://seclists.org/microsoft/2008/q4/0002.html

Microsoft Security Bulletin Summary for October 2008


Posted by Microsoft on Oct 14

********************************************************************
Microsoft Security Bulletin Summary for October 2008
Issued: October 14, 2008
********************************************************************

This bulletin summary lists security bulletins released for
October 2008.

URL: http://seclists.org/microsoft/2008/q4/0001.html

MS08-066 – Important: Vulnerability in the Microsoft Ancillary Function Driver Could Allow Elevation of Privilege (956803)

Bulletin Severity Rating: Important – This security update resolves a privately reported vulnerability in the Microsoft Ancillary Function Driver. A local attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

URL: http://www.microsoft.com/technet/security/bulletin/ms08-066.mspx?pubDate=2008-10-14

MS08-065 – Important: Vulnerability in Message Queuing Could Allow Remote Code Execution (951071)

Bulletin Severity Rating: Important – This security update resolves a privately reported vulnerability in the Message Queuing Service (MSMQ) on Microsoft Windows 2000 systems. The vulnerability could allow remote code execution on Microsoft Windows 2000 systems with the MSMQ service enabled.

URL: http://www.microsoft.com/technet/security/bulletin/ms08-065.mspx?pubDate=2008-10-14

MS08-064 – Important: Vulnerability in Virtual Address Descriptor Manipulation Could Allow Elevation of Privilege (956841)

Bulletin Severity Rating: Important – This security update resolves a privately reported vulnerability in Virtual Address Descriptor. The vulnerability could allow elevation of privilege if a user runs a specially crafted application. An authenticated attacker who successfully exploited this vulnerability could gain elevation of privilege on an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.

URL: http://www.microsoft.com/technet/security/bulletin/ms08-064.mspx?pubDate=2008-10-14