Saturday, December 13, 2008

Security and Forensics Roundup: Heavy Version #3


Public domain photo: taken by U.S. Air Force Senior Airman Julianne Showalter

Been a busy week in the security world this past week.

Lots of hurt coming up from the swamplands and lots of smack-back from the anti-malware forces.

Pull up a chair, it’s story-time from the trenches.

Malware and Rogue Security Products

Sunbelt blog points us to a recent whitepaper that looks at the issues around classification of malware variants: Learning and classification of malware.  Just like virus and trojan classifications, to the average end-user there seems little rhyme or reason in the way malware and viruses are classified. Adding to the confusion, names given by one AV vendor may differ significantly from other vendors, making it difficult for both researchers and end-users to get uniform and detailed information from vendors.

It’s an interesting paper and, while deeply academic in parts, some sections could benefit both malware-busters and forensic examiners with their behavior pattern descriptions and background. Working link to the 20-page PDF here.

FakeXPA... Journey of a Rogue and Win32/Yektel - the Other Kind of Rogue - Microsoft Malware Protection Center – Two short but sweet looks at rogue security products that attempt to lure users into paying for their software by use of fake false-positives and “official” looking Windows Security Center presentations.

The first post contains some new (to me) images where the rogue presents a fake "BSOD” graphic on screen and then a followup fake Windows “reboot” screen image.  While knowledgeable Windows users wouldn’t be fooled, unsophisticated users could easily be taken for an expensive ride “registering” the rogue product. The second post illustrates how a Browser Helper Object (BHO) can get installed and present warnings and alerts during IE browsing sessions eventually leading a user to “register” the rogue product online. Bad, bad, bad behavior!

There are a few security sites that seem to delight in uncovering and exposing these security rogues.  Malwarebytes blog » Rogues is one with a number of great catches. Sunbelt Blog is another great source. In fact, Alex Eckelberry has captured a year’s worth of rogueness on his 2008 Scareware perspective - a set on Flickr page.  I feel a bit guilty for enjoying it so much!

Many AV/AM products can remove a good number of these rogues including Microsoft’s Malicious Software Removal Tool (MSRT), Malwarebytes’ RogueRemover FREE and Malwarebytes' Anti-Malware programs, and Sunbelt Software’s VIPRE Antivirus + Antispyware program.

The Windows Security Blog – New blog from Windows. Anticipate more Windows Vista/W7 related security posts here.

Advanced Malware Examinations

For deeper explorations of malware behavior (always good to understand from both a preventative and incident response perspective) look no further than these articles. It pays to know your enemy.

MS08-076: Windows Media Components: Part 1 and Part 2 – Microsoft Security Vulnerability Research & Defense blog. A now-fixed vulnerability that chained two separate issues into one combined vulnerability.  Not going to be a common vector, but it just takes one event.

MS08-075: Reducing attack surface by turning off protocol handlers – Microsoft Security Vulnerability Research & Defense blog. A now-fixed vulnerability in Windows Explorer on Vista and Server 2008 that was exposed through the search-ms protocol handler.  It required user interaction, so this post provides information on turning off any protocol handlers you may not be using.

MS08-067: Worms, Worms, Worms - Ask the Performance Team blog.  Goodness knows there are lots of legitimate reasons your Windows CPU cycles can go off the chart.  It’s a Windows thing. In some cases it could be due to malicious software.  This post looks at detecting specific malware that exhibits that particular behavior.

What makes Rustock tick? – Sunbelt Blog – Notice of a presentation by Sunbelt researcher Chandra Prakash on the Rustock malware at an industry conference (PDF and PowerPoint).  According to Alex Eckelberry, “Rustock is quite interesting, as it is a complex backdoor trojan that turns a compromised system into a covert proxy, using highly sophisticated methods of evasion.”

Who needs to watch “Law and Order” reruns on cable with this geeky investigative goodness?

Security FAIL

Digging Deeper Into the CheckFree Attack - Security Fix. Yep. For a while folks who logged into CheckFree bill payment system (host to over 330 companies). The attack vector appears to be a phishing or credential hijack of a website administrator. Changes were then made to the website, and customers accessing the site were directed to a site that attempted a password-stealing application installation. No word on whether or how many customers may have been compromised.  The post goes on to examine how this vector, aimed at the keepers of the keys, may grow in place of attacks on the customers directly.  Good stuff.

Yep. The otherwise useful MSRT actually ended up removing a few files from legitimate applications.  Microsoft pushed an updated version that corrected the failures a day later via Windows Update, out of cycle.

Now a word about that IE Zero-Day exploit thing…

Best I can tell at this point, it all started when a researcher found some malware in a Chinese forum that may have been used primarily for the hackers to steal credentials from Chinese gamers.  Or maybe not.

In the base-case, code exploits a bug in the way IE handles XML (Extensible Markup Language) and works on the browser about one in three times.

At first it looked like it was just an IE 6 thing on XP, but then it encompassed IE 7 on XP, and Vista platforms might also be impacted.  Now it appears that all versions of Internet Explorer from 5.x up to 8 betas are probably at risk.

A patch is still pending from Microsoft, and most recommendations are for folks to temporarily switch to an alternative browser such as Google Chrome, Opera Browser, Firefox, or Apple Safari. If you haven’t tried one before, most of them should auto-import your IE bookmarks, but you can also try using the freeware Transmute utility.

For “official” word from Redmond see this Microsoft Security Advisory KB961051, which includes a number of workarounds (hint, look at the bottom of the expanded Suggested Actions section), although the risk is relatively low for users who practice safe computing behavior.  As summarized by rmogull, they are:

    1. Set Internet and Local intranet security zone settings to “High” to prompt before running ActiveX Controls and Active Scripting in these zones.
    2. Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zones.
    3. Enable DEP for Internet Explorer 7.
    4. Use ACL to disable OLEDB32.DLL.
    5. Unregister OLEDB32.DLL.
    6. Disable Data Binding support in Internet Explorer 8.
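If you want to verify which of those workarounds are actually in place on a machine, here is a small PowerShell audit script. It is an added example, not code from this post, from rmogull, or from Microsoft’s advisory; it only reads registry, WMI and ACL state and changes nothing. It checks items 1 through 4 of the list and skips 5 and 6 (unregistration and the IE8 data binding switch). The zone numbers, the 1200/1400 setting values, the DEP policy codes and the oledb32.dll location are assumptions from general Windows knowledge, not taken from the advisory text quoted here.

```powershell
# Added example (not from the original post or from Microsoft's advisory):
# read-only audit of workarounds 1-4 for the IE data binding advisory.
# Assumed: zone 1 = "Local intranet", zone 3 = "Internet"; value 1200 =
# "Run ActiveX controls and plug-ins", 1400 = "Active scripting"
# (0 = Enable, 1 = Prompt, 3 = Disable); DEP policy from
# Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy
# (0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn, 3 = OptOut); oledb32.dll lives
# under the Common Files "System\Ole DB" folder. Nothing here is modified.

$zonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones    = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$settings = @{ 1200 = 'Run ActiveX controls and plug-ins'; 1400 = 'Active scripting' }
$state    = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$findings = @()

# Workarounds 1 and 2: ActiveX and Active Scripting should be Prompt or
# Disable in both the Internet and Local intranet zones.
foreach ($zone in $zones.Keys) {
    foreach ($setting in $settings.Keys) {
        $name  = [string]$setting
        $item  = Get-ItemProperty -Path "$zonesKey\$zone" -Name $name -ErrorAction SilentlyContinue
        $value = $null
        if ($item) { $value = [int]$item.$name }
        $label = "unknown ($value)"
        if ($value -ne $null -and $state.ContainsKey($value)) { $label = $state[$value] }
        $findings += New-Object PSObject -Property @{
            Workaround = "Zone '$($zones[$zone])': $($settings[$setting])"
            Status     = $label
            Mitigated  = ($value -eq 1 -or $value -eq 3)
        }
    }
}

# Workaround 3: DEP. The system-wide policy is only a proxy; with OptIn (2),
# IE7 must additionally have "Enable memory protection to help mitigate
# online attacks" ticked under Internet Options > Advanced.
$depPolicy = (Get-WmiObject -Class Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
$depNames  = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
$findings += New-Object PSObject -Property @{
    Workaround = 'DEP system policy'
    Status     = $depNames[[int]$depPolicy]
    Mitigated  = ($depPolicy -eq 1 -or $depPolicy -eq 3)
}

# Workaround 4: a Deny ACE for Everyone on oledb32.dll. On x64 there are two
# copies (native and 32-bit), so both Common Files roots are inspected.
$dllPaths = @()
foreach ($root in @($env:CommonProgramFiles, ${env:CommonProgramFiles(x86)})) {
    if ($root) { $dllPaths += Join-Path $root 'System\Ole DB\oledb32.dll' }
}
foreach ($dll in $dllPaths) {
    if (-not (Test-Path $dll)) { continue }
    $acl  = Get-Acl -Path $dll
    $deny = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -like '*Everyone'
    }
    $status = 'no Deny ACE for Everyone'
    if ($deny) { $status = 'Everyone:Deny present' }
    $findings += New-Object PSObject -Property @{
        Workaround = "ACL on $dll"
        Status     = $status
        Mitigated  = [bool]$deny
    }
}

$findings | Format-Table -Property Workaround, Status, Mitigated -AutoSize
```

Run it from an ordinary user session for the HKCU zone values (Group Policy may enforce the same values under HKLM, which this script does not read). A row with Mitigated set to False tells you which of the listed workarounds is not applied on that box; the script deliberately never applies one itself.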

Late breaking update: Clarification on the various workarounds from the recent IE advisory – Microsoft Security Vulnerability Research & Defense blog:

The vulnerability is caused by memory corruption resulting from the way Internet Explorer handles DHTML Data Bindings. This affects all currently supported versions of Internet Explorer. Malicious HTML that targets this vulnerability causes IE to create an array of data binding objects, release one of them, and later reference it. This class of vulnerability is exploitable by preparing heap memory with attacker-controlled data (“heap spray”) before the invalid pointer dereference.

Which workarounds should you apply?

The advisory now lists nine different workaround options. We have been adding additional workarounds with each advisory revision to give you more surgical options to cut off the vulnerable code path. Only IE8 has an option to turn off data binding altogether. So unless you are using IE8, you’ll need to:

  • (A) block access to the vulnerable code in MSHTML.dll via OLEDB, protecting against current attacks
  • (B) apply the most secure configuration against this specific vulnerability.

Optionally, you may choose to (C) make it much harder to heap spray.

The table…lists what type of protection each advisory workaround provides.

What is very beneficial from this late-breaking article is that it then goes into depth in technical discussion on why the various protection method workarounds work, and why some are “better” than others.  Neat and quite open material from Microsoft on a potentially impactful IE exploit.

Here is a roundup of what may be useful cross-referencing linkage on the IE exploit.

Forensic and Security LiveDVD goodness

Some GOLDEN finds in Live boot disk compilations.  I carry several of these disks in my software kit, but these just might lead me to reduce the number considerably:

SUMO Linux – Combines Backtrack 3, Helix 2.0, Samurai Linux, DBAN, and DVL live distros into a single package.  How awesome is that!  Spotted via Room362 blog

MultiISO LiveDVD - Something for everyone - BadFoo.NET Pen Testing Shells -

…an integrated Live DVD technology which combines some of the very popular Live CD ISOs already available on the internet. It can be used for security reconnaissance, vulnerability identification, penetration testing, system rescue, media center and multimedia, system recovery, etc. It's an all-in-one multipurpose LiveDVD put together. There's something in it for everyone. I hope you enjoy it.

MultiISO LiveDVD Version 1.0 consists of Backtrack 3, Damn Small Linux (DSL) 4.2.5, GeeXboX 1.1, Damn Vulnerable Linux (Strychnine) 1.4 edition, Knoppix 5.1.1, MPentoo 2006.1, Ophcrack 1.2.2 (remastered to contain SSTIC04-5k [720MB] table sets), Puppy Linux 3.01, and last but not least Byzantine OS i586-20040404.

Spotted, yet again, via Multi-Boot Security LiveCD DVD – Room362 blog. That link also contains a link to a podcast review and more information.

Bonus Linux find: DEFT Linux LiveCD, which contains Xplico, an alternative sniffer/reassembler to Wireshark and ClearSight Analyzer that combines many of the best of their features and capabilities.  Spotted over on the Eternal sunshine of the geeky mind blog’s Network forensics beyond Wireshark post.

Yeah baby!

Crime and Smackdown Punishment

Nigerian Defense - Eternal sunshine of the geeky mind blog.  Really officer, I was duped!

CYB3RCRIM3 – new blog I discovered via the above story.  Great writing and analysis on the intersection of criminal and civil law and technology.  I lost a full afternoon just reading the many posts.  An interesting gauge of just how laws and technology are changing each other.

Sunbelt Blog: FTC goes after Winfixer and Sunbelt Blog: The Innovative Marketing saga continues. From the first post:

At the request of the Federal Trade Commission, a U.S. district court has issued a temporary halt to a massive “scareware” scheme, which falsely claimed that scans had detected viruses, spyware, and illegal pornography on consumers’ computers. According to the FTC, the scheme has tricked more than one million consumers into buying computer security products such as WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus. The court also froze the assets of those responsible for the scheme, to preserve the possibility of providing consumers with monetary redress.

As we used to say to the neighbor’s sweet boxer Rufus, “Sic ‘em!”


Syn: The Story of an Insider - Part 2. The Sys Admins Story – SynJunkie’s second story detailing an insider threat; the security incident response is getting into high gear now.  I sense a collision coming on!

Windows Physical Memory: Finding the Right Tool for the Job - SANS Computer Forensics, Investigation, and Response blog. Wonderful roundup of many free and a few commercial tools that can be of use to both forensic investigators and curious system administrators.

Got Download?

--Claus V.
