Security Response: Showing posts tagged with Endpoint Protection (AntiVirus)

Over the last few days there have been many articles written about an issue in Microsoft’s Internet Information Services (IIS).  This issue allows an attacker to bypass normal security restrictions when uploading a file to a Web application running on a vulnerable version of IIS.  This issue could allow an attacker to upload and execute arbitrary code with the privileges of the Web server.

There are varying reports on the severity of this issue, but according to Microsoft only poorly configured Web servers are at risk from this issue:

“An attacker would have to be authenticated and have write access to a directory on the web server with execute permissions which does not align with best practices or guidance Microsoft provides for secure server configuration.”

...

Theft
As we discussed in Part I, the primary purpose of Qakbot is to steal information from the compromised computer. In addition to targeting login details for FTP, POP3 and IMAP, the worm also attempts to steal Cookies - not only regular browser session cookies but also Flash cookies. A discussion of Flash cookies is beyond the scope of this article, but be aware that unlike traditional browser cookies, Flash cookies are not controlled through the cookie privacy controls in a browser which means they cannot be cleared or deleted in the simple manner that normal tracking cookies are removed.

Qakbot uses several techniques to collect private keys from the system certificates contained on the compromised computer. First, it replaces all certificate-related dialog boxes so that the “OK” button is automatically pushed as soon as the dialog is created...

Spammers are recycling their old spamming methods after more than two years. Symantec reported an .mp3 version of pump-and-dump stock spam back in October 2007.

In this recent spam attack, a small .mp3 file promoting a meds domain is attached in the email messages. These email messages contain no subject line or message body. The .mp3 file is a five-second message recorded in a female voice and promotes a particular meds domain. The file is approximately 11 KB in size and recorded at a 16 kbps bit rate. The voice is heavily distorted with background noise. The domain name described in the file is a recently registered domain in China.

Some of the random filenames used are as follows:

milksoppy.mp3
enwomb.mp3
realiser.mp3
escort.mp3
recarboniser.mp3
unlights.mp3
scathing.mp3
byproduct.mp3
lewes.mp3
micrometers.mp3
...

We have recently learned of yet another zero-day exploit in Adobe Acrobat. This time it's an overflow for a special type parameter in a function provided by the multimedia.api plugin that can be manipulated from JavaScript in the following manner:

media.newPlayer(null)

Somewhere deep in newPlayer, deinit_obj is set as the handler for deleting the object when it's no longer needed:

And eventually deinit_obj calls the destroy function from the object's v_table:

So far...

We’ve monitored a great deal of Christmas sales spam (in English) for the upcoming holiday. Compared to English holiday spam, Chinese spammers seem to have fewer activities for Christmas, most likely because it is not a major holiday in the Chinese calendar. The Christmas holiday is popular among younger Chinese generations, however, and shopping for gifts is still expected. We have observed a couple of notable Chinese samples covering the topic of Christmas shopping. In the first sample, a spammer has sent a random Christmas sales ad, and we found that the spammer purposely set the promotion text background color in gray (<FONT style="BACKGROUND-COLOR: gray" color=gray>); you have to highlight the gray line in order to see the promotion text. In the header we observed a forged and randomized “From” alias. They used a shortened URL service in the body image, which led to an actual business website.

Sample Header:...

Earlier today, we received a tip from a source that there is a possible Adobe Reader and Acrobat 0-day vulnerability in the wild. We have indeed confirmed the existence of a 0-day vulnerability in these products. The PDF files we discovered arrives as an email attachment. The attack attempts to lure email recipients into opening the attachment. When the file is opened, a malicious file is dropped and run on a fully patched system with either Adobe Reader or Acrobat installed. Symantec products detect the file as Trojan.Pidief.H.

We have reported our findings to Adobe who have acknowledged the vulnerability in this blog.

The analysis is still ongoing, so more details to follow. In the meantime, I recommend everyone to be extra vigilant during this holiday season, especially when...

The AVAR 2009 Conference was held in the historical city of Kyoto, Japan from November 5. As this year's trend is cloud computing, fake antivirus software and massive PDF file attacks, the cloud and PDF topics were covered in the conference.

We had several Japan-specific sessions. Some delegates from the Japanese ministries and governmental agencies spoke about their tasks and statistics on cyber crimes. As with other nations, Japan has its own specialty in computer usage and malware, such as wide-spread usage of the peer-to-peer software called Winny and the related malware W32.Antinny and a destructive Trojan horse Trojan.Haradong that was discovered in the Winny network (the creator was eventually arrested). Another trend in Japan is the so-...