Video Screencast Help
Security Response
Showing posts in English
Eric Chien | 19 Jun 2007 07:00:00 GMT | 0 comments

On multiple Windows Live Messenger accounts (formally MSN Messenger), we received the messages (don't visit the link!):

     Get surprise at http://www.messengerweb.info/ Unbelievable!

     Hey, http://www.messengerweb.info/ helps u find out who is your friend!

     U have deleted me! Look here http://www.messengerweb.info

Was this a new worm? Or a bot that was sending out IM spam? Turns out it is neither and instead much more like adware. The site being advertised states they can find out who may have removed you from their contact list. All the service requires is for you to "enter your MSN account and password and we will tell you who has...

Peter Ferrie | 19 Jun 2007 07:00:00 GMT | 0 comments

It seems that for every scripting language that is powerful enoughto host a virus, a virus will be written for it eventually. It alsodoesn't seem to matter if the audience for that scripting language isvery restricted, or that the scripts might not be shared with anyoneelse.

This brings us to the first virus for the Autodesk Maya 3D scriptinglanguage - "Maya Embedded Language" or "MEL" - which we call MEL.Odorous.

This virus is simply a proof-of-concept. It begins by searching inthe current directory for the .MEL file that contains its code. Itreads this code into a buffer that will be used for replication. Thenit searches again in the current directory for other .MEL files. Forany .MEL file that is found to not be already infected, the virus willprepend itself to the file. There is no payload, and it does nothingbut replicate.

Such a virus...

Amado Hidalgo | 19 Jun 2007 07:00:00 GMT | 0 comments

You always thought that by staying clear ofthe dark alleys of the Internet and visiting only “reputable” websites,you would be safe from attacks and dubious content. I am afraid that isnot enough. My colleagues Elia Florio and Hon Lau reported recently (here and here)about legitimate sites that had been compromised to include a maliciousIFRAME that, without your knowledge, redirects you to a site servingexploits.

As Elia mentioned, thousands of sites (mostly Italian, but withseveral other nationalities included) were compromised. We were puzzledas to how the MPack gang had managed to hack so many sites in a shortperiod of time, and how they could inject the malicious iframe soquickly.

The MPack gang...

Elia Florio | 18 Jun 2007 07:00:00 GMT | 0 comments

When SkyLined released in 2004 one of the first proof-of-conceptexploits introducing the “Heap Spraying” technique, he commented [1]his code in this way:

“The JavaScript creates a large amount of heap-blocksfilled with 0x0D byte nopslides followed by the shellcode. This is tomake sure [0x0D0D0D0D] == 0x0D0D0D0D. It's not the most efficient thingin the world but it works like a charm for most IE bugs.”

Well, it was not the most efficient thing in the world, but it hasbeen proven to work so well that it actually is the mostcopied-and-pasted piece of code used to exploit many of the InternetExplorer vulnerabilities discovered since 2004.
So, I was surprised to come across an exploit in the wild that uses adifferent heap manipulation technique. The malicious code was hosted ona Russian domain (hxxp://crun[REMOVED].info) and was part of one of thetypical web attacker toolkits developed by Eastern European gangs. Thecode exploited...

Eric Chien | 15 Jun 2007 07:00:00 GMT | 0 comments

Just hours after Apple released Safari for Windows and I wrote about the potential for associated exploits, multiple exploits have been released. This currently includes:

Apple Safari for Windows Protocol Handler Command Injection Vulnerability (BID 24434)
Apple Safari for Windows Unspecified Denial of Service Vulnerability (BID 24431)
Apple Safari for Windows Unspecified Remote Code Execution and Denial of Service Vulnerabilities (BID 24433)

Details on the first one have already been released publicly and theother two have been reportedly disclosed to Apple. We have not...

Elia Florio | 15 Jun 2007 07:00:00 GMT | 0 comments

We verified a report of a large-scale web attack on going in Italy at the moment. The attack is similar to what we described in our previous blog; it just uses a new different final domain which runs the hostile exploits of Mpack 0.86 kit.



The gang behind the attack had successfully compromised the homepagesof hundreds of legitimate Italian websites. We checked many of them andwe verified that they include now a malicious IFRAME (detected asTrojan.Mpkit!html) which redirects to the same bad IP address. The listof compromised sites is huge and from Mpack statistics this attack isworking efficiently (the...

Ron Bowes | 14 Jun 2007 07:00:00 GMT | 0 comments

In my recent article about Spam in Multiplayer Online Games(smog), I talk about how spammers sell resources such as gold. Theseresources can be obtained with minimal user interaction, by using anautomated program to control characters and play the game. By doingthis, gold can be collected and either used or sold for real money.

As a massively multiplayer online game develops, an economydevelops. The value of rare items tends to emerge, and people will makefair trades or purchases from each other. People who play the game fora reasonable amount of time are able to purchase the same items asothers, by collecting gold (or whatever currency is used). Ideally, theeconomy will balance and end up at a fair point.

However, automated programs can be used to for this collection. Aprogram can run 24/7, doing nothing but harvesting gold. This gold...

Greg Ahmad | 13 Jun 2007 07:00:00 GMT | 0 comments

On April 27, 2007, various Internet resources from the Republic of Estonia came under a series of DDOS or distributed denial of service attacks.According to claims by Estonian government officials and media, theattacks originated in Russia and followed a dispute between thegovernment and ethnic Russians over the relocation of a Soviet warmemorial from the Estonian capital of Tallinn. The attacks targetedwebsites belonging to government ministries, banks, media, politicalparties and businesses.

Though DDOS attacks against various networks have taken place onnumerous occasions in the past, the particularly interesting aspect ofthese attacks was that they appear to be...

Ben Greenbaum | 12 Jun 2007 07:00:00 GMT | 0 comments

Hello again... this month's update contains 6 advisories with atotal of 15 patched vulnerabilities. Major apps for this month wereonce again IE and Outlook/Windows Mail, coming in with 6 and 4 patchedvulnerabilities respectively. This month we also see updates forfile-based attack vectors against Visio, remotely exploitablevulnerabilities in both a dev library and a security package patched,and a fairly low profile information disclosure vulnerability in Vistadealt with.
As usual details are given below in order of descending urgency. Happypatching, and we'll be back for another round next month...

MS07-034; KB929123
Cumulative Security Update for Outlook Express and Windows Mail

This release addresses four issues in Windows Mail (vista) andOutlook...

Ron Bowes | 12 Jun 2007 07:00:00 GMT | 0 comments

In today's computerized world, loss of confidential information is far too common. If you look at a good list of personal information data breaches , you will quickly see that a breach occurs almost every day, and that's just in the United States!

Almost everybody knows that databases get hacked and laptops getstolen, both of which can expose all kinds of information aboutcustomers and employees. Information is frequently lost due tomalicious intentions. So security is audited, laptops are encrypted,and a lot of companies take steps to ensure that this type of exposuredoesn't happen. Data is still exposed, but many companies actively tryto prevent it.

I'll start with a story. I know a company that sells acustomer-management solution that once had a demo site, with demo data,which potential customers could play with. After a software upgrade,the demo database was...