SecuriTeam Blogs contains several FAQ documents about MS Office vulnerabilities used in targeted attacks since 2006. This time I’m not writing a FAQ. This document has answers to What this means type questions.

What an organization can make to protect?

#1 Disable JavaScript. Deploy a system to deliver this setting to all workstations. This is not the last Adobe 0-day which we will see.

What this means?

Go to Edit>Preferences menu, select item ‘JavaScript’, Uncheck “Enable Acrobat JavaScript” and to save the setting click ‘OK’.

#2 Enable DEP

Some Windows systems include Data Execution Prevention (DEP) functionality.

What this means?

If your organization is using Windows versions with DEP support the code execution can be avoided.

Adobe has confirmed these mitigation advices in security advisory APSA09-07, but as mentioned DEP method doesn’t fully prevent the exploitation.

#3 Do not open PDF documents from unknown sources AND received unexpectedly.

What this means?

If you don’t know the sender who is sending you file attachments there is always a risk that you are a victim of targeted attack. Remember that the sender can be easily spoofed as well.

#4 Switch to alternative PDF reader.

There are many free and commercial products. However, they are often affected by Adobe vulnerabilities too and a patching policy is needed when switching to another product.

What this means?

Changing the PDF reader in large organization is not an easy move. Today is a good day to start the planning project.

Let’s talk about technical details with some words. The vulnerability exists in Doc.media.newPlayer method. The Trojan in these attacks generated connections to http: // foruminspace dot com and http: // newsplaza dot net (these servers are located in Malaysia).

AV vendors use the following names when detecting the malicious PDF document:

Exploit.JS.Pdfka.atq (Kaspersky)

Exploit:W32/AdobeReader.UZ (F-Secure)

Exploit-PDF.ag (McAfee)

PDF/Pidief.NQ (CA)

Trojan.Pidief.H (Symantec)

TROJ_PIDIEF.PGS (Trend Micro)

Troj/PDFJs-FS (Sophos)

The size of the infected PDF document is 400,918 bytes. The file name varies, but it can be note200911.pdf, note_20091210.pdf or Outline of Interview.pdf.

Link: 911.wikileaks.org/

Listings say that the messages are sent in networks of Arch Wireless, Metrocall, and SkyTel.

One of the oldest documented issue is TRW incident from 1984, when the database of credit history of 90 million American citizen was breached.
Link here.

Update: The winner is an incident from August 1953, when SSN’s were lost.

Open Security Foundation – an organization behind OSVDB and DataLossDB has launched a competition to find the oldest documented data loss incident.

The last day to make a submission is next Friday – 15th May.
The link is easy to remember – datalossdb.org/oldest_incidents_contest.

There will be a new national register of mobile phone users in Mexico.

Under a new law published on Monday and due to be in force in April, mobile phone companies will have a year to build up a database of their clients, complete with fingerprints. The idea would be to match calls and messages to the phones’ owners.

(underlining added)

Mexico has a very strong culture of using prepaid phones.

The Trojan is known as OSX.Lamzev.A by Symantec.

When it is executed it will create the file ezmal to the Applications folder (the name is Applications in localized installations too).

The names of earlier widely known OS X malware are Mac.Hovdy.a (June ’08), OSX.Exploit.Launchd (June ’06) and Leap.A (February ’06). When saying ‘widely known’ it doesn’t mean that they were widely spreaded.

I remember the exact number of 63 when talking about known Mac malware.

There are no worms for Apple – yet.

Like many of us know this Trojan aka Trojan-PSW:W32/Sinowal.CP and Trojan.Mebroo uses so-called MBR rootkit technique.

Link here.

I made a script to generate WHOIS queries and the results say that the victim machines are located mainly in Australia, China, Philippines, India, Japan, Korea, Malta, Malaysia, Taiwan, and Vietnam. There are only some machines in France, UK, and USA.

It’s very interesting that there is an IP from Microsoft too – a Wget machine with IP address 64.147.0.80. The Wget version is 1.10.2.

Whois Record

OrgName: Microsoft Corp
OrgID: MSFT
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US

NetRange: 131.107.0.0 – 131.107.255.255
CIDR: 131.107.0.0/16
NetName: MICROSOFT

There are several Wget UA’s included, one with the version number Wget/1.8.2 too.

I recommend that Redmon guys patch that machine ASAP

Update: After the weekend the malware analyses shows that the Trojan has designed to steal credential information and to collect a botnet-like network.

Q: What is the recent Microsoft Window RPC vulnerability disclosed in October?
A: This vulnerability is caused by an error when processing malformed RPC (Remote Procedure Call) requests. The issue was disclosed by the vendor after active exploitation of the vulnerability.
Q: How does the vulnerability mentioned works?
A: The vulnerability is code execution type vulnerability. Attacker successfully exploiting this vulnerability can run code of his or hers choice in the affected machine.
This vulnerability is caused due to overflow when handling malformed RPC requests. This enables executing arbitrary code of the attacker. Technically the vulnerability exists in the Server service.

Q: When this vulnerability was found?
A: The exact information is not available. Information about upcoming security update was announced on 22nd October, but this vulnerability has been used in targeted attacks at least two weeks already. The exploitation disclosed the existence of vulnerability.

Q: What is the mechanism in exploitation?
A: Information was not disclosed, but during the exploitation malicious executables are being downloaded and executed from the remote Web site.

Q: Is the exploit code of this vulnerability publicly released?
A: Yes. On Friday 24th October the proof of concept code was released on a blog of security researcher and on public, moderated security mailing list. The PoC has been released at several well-known exploit and security community Web sites too. Metasploit module has been released too (link). PoC’s work against Windows XP SP2, Windows XP SP3 and Windows 2003 Server SP2 machines.

Q: Which Windows versions are affected?
A: Microsoft Windows 2000, Windows XP, Windows Vista, Windows 2003 Server and Windows Server 2008 systems are affected.

Q: I am using the 7 Pre-Beta version of Windows, is my operating system affected?
A: According to the Microsoft it is affected too. An update is available (see MS08-067).

Q: I am a home user, is it possible to update my system in a normal way via Microsoft Update?
A: Yes, visiting the Microsoft Update Web site at http://update.microsoft.com/ will update the system against the exploitation of the vulnerability. If the Automatic Updates is enabled the system will be updated automatically without user’s actions.

Q: Where are the official Microsoft documents related to this case located?
A: The official Security Bulletin MS08-067, entitled Vulnerability in Server Service Could Allow Remote Code Execution (958644) has been released at Microsoft TechNet Security section:
www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
Updated information released by the vendor has been covered at MSRC Blog (The Microsoft Security Response Center Blog). The address of the blog is blogs.technet.com/msrc/.
File information of the MS08-067 security update has been released at separate Knowledge Base document #958644: support.microsoft.com/kb/958644.
Microsoft Security Advisory #958963 released to notify the availability of the security update is located at
www.microsoft.com/technet/security/advisory/958963.mspx

Q: What the term ‘out-of-band’ means?
A: Normally Microsoft releases security updates once a month, at the second Tuesday of the every month. Very rarely, during the Windows ANI vulnerability etc. the security update will come out outside of this regular update cycle. Out-of-band and out-of-cycle describe the situation when waiting the regular update Tuesday, so-called Patch Tuesday is not enough to protect Windows systems against exploitation.
The next security updates will be released on Tuesday 11th November.

Update:
Q: Is this a new Slammer worm?
A: No, due to new security features included to SP2 etc. However, on 3rd Nov it was reported about the worm exploiting this vulnerability.

Q: Are there any workarounds available? Our organization is making tests with the patch still.
A: The security bulletin lists the following workarounds:
-Disable the Server and Computer Browser services
-Block TCP ports 139 and 445 at the firewall

Q: Is there Snort rules for this vulnerability available?
A: Yes. Additional details can be obtained at
www.snort.org/vrt/advisories/vrt-rules-2008-10-23.html
known as a ruleset against Microsoft DCE/RPC remote code execution attempts.
The download address is www.snort.org/pub-bin/downloads.cgi
(to paying Sourcefire customers)
Emerging Threats project has released new signatures too, details at

http://www.emergingthreats.net/index.php/component/content/article/17-sigs/125-weekly-new-signatures-october-25-2008.html

Q: What is the situation of Nessus plugins related to this vulnerability?
A: Nessus Plugin ID #34476 has been released. More information is available at
www.nessus.org/plugins/index.php?view=single&id=34476

Q: What are the target organizations etc. of this vulnerability?
A: This information is not available and probably it will never go public. Microsoft has confirmed that fever than 100 organizations are targeted in targeted attacks.

Q: Is there information about file sizes used during the attacks?
A: Yes. The size is 397,312 bytes.
Update: The size can be anything between 49,152 and 417,792 bytes.

Q: How the user can notify the infection?
A: It is reported that the command prompt will appear.

Q: What are the names of malwares exploiting this vulnerability?
A: There are reports about a data collecting Trojan (Gimmiv.A) and a Trojan searching for non-patched machines on LAN (Arpoc.A).

The following names are being used (listed in alphabetical order):
AhnLab – Dropper/Gimmiv.397312 since 2008.10.24.04
Authentium – W32/Gimmiv.A since 23rd Oct
Avira – TR/Dldr.Agent.gcx since 24th Oct, iVDF 7.00.07.81
Bitdefender – Win32.Worm.Gimmiv.A since since 23rd Oct
- dropper detected as Win32.Worm.Gimmiv.B
CA – Win32/Gimmiv.A since eTrust 31.6.6167
ClamAV – Trojan.Gimmiv since 8524
- Trojan.Gimmiv-1…Trojan.Gimmiv-7 since 8526
Dr.Web – DLOADER.PWS.Trojan since 23rd Oct
Eset – Win32/Gimmiv.A since 24th Oct, v.3551
- Win32/Spy.Gimmiv, Win32/Spy.Gimmiv.A since v.3553
- Win32/Spy.Gimmiv.B since v.3555
Fortinet – W32/Gimmiv.A!tr.spy
- name change: W32/Gimmiv.A!worm since 9.676
F-Secure – Trojan-Spy:W32/Gimmiv.A since 2008-10-24_01
- Trojan-Spy:W32/Gimmiv.B since 2008-10-24_05
- Trojan-Spy:W32/Gimmiv.C, D, E, F variants since 2008-10-24_08
- Net-Worm.Win32.Gimmiv.a since 25th Oct 2008-10-25_01
McAfee – PWS.y!C91DA1B9 since DAT5413
- Spy-Agent.da since 23rd Oct, DAT5414, its DLL component detected as Spy-Agent.da.dll
Microsoft – TrojanSpy:Win32/Gimmiv.A[.dll] since 23rd Oct
- since 24th Oct update 1.4005 included signatures
- exploit: Exploit:Win32/MS08067.gen!A
Kaspersky – Trojan-Downloader.Win32.Agent.alce since 24th Oct, 7.0.0.125
Panda Security – detected as ‘Suspicious file’ since 23rd Oct, 9.0.0.4
- Gimmiv.A since 24th Oct
PCTools – Trojan-Spy.Gimmiv.A
Prevx – detected as ‘Cloaked Malware‘
Rising – Trojan.Spy.Win32.Undef.z since 23rd Oct, 21.00.32.00
Sophos – Sus/Dropper-A since 21st Aug (based to heuristic techniques)
- additionally Troj/Gimmiv-A, IDEs since 4.34.0,
- Troj/Gimmiv-Gen since 4th Nov
Symantec – Infostealer since 23rd Oct
- name change: Trojan.Gimmiv.A since 24th Oct, rev. 024
- malicious files detected as Bloodhound.Exploit.212
Trend Micro – WORM_GIMMIV.A since 5.617.00
- TSPY_GIMMIV.A since 5.617.00

where ’2008.10.24.04’ states that these virus signatures or newer include a protection for the malware.

Alias names CVE-2008-4250, W32.Slugin.A and W32/NetAPI32.RPC!exploit.M20084250 are in use too.

Update: Added Arpoc section:
BitDefender – Win32.Worm.Gimmiv.B
CA – Win32/Gimmiv.B since 31.6.6172
Dr.Web – Win32.HLLW.Jimmy.3 since unknown signatures
McAfee – Spy-Agent.da since DAT5414, its DLL component detected as Spy-Agent.da.dll

Update: Added RPC worm section:
AntiVir – TR/Expl.MS08-067.G
BitDefender – Trojan.Downloader.Shelcod.A
ClamAV – Exploit.MS08-067 since 8566
Eset – Win32/Exploit.MS08-067.B, C and D since 3576
F-Secure – worm component as Exploit.Win32.MS08-067.g
- kernel component as Rootkit.Win32.KernelBot.dg
Ikarus – Virus.Exploit.Win32.MS08.067.g
Kaspersky – Exploit.Win32.MS08-067.g since 31th Oct
McAfee – kernel component as KerBot!37E73FFB since DAT5422
Microsoft – Exploit:Win32/MS08067.gen!A
- Trojan:Win32/Wecorl.A
- Trojan:Win32/Wecorl.B
Norman – kernel component as w32/agent.jbvo
Prevx – Worm.KernelBot
Sophos – Mal/Generic-A
- Exp/MS08067-A since 4th Nov
Symantec – W32.Wecorl since 3rd Nov (latest daily certified version) rev. 052
- W32.Kernelbot.A since 3rd Nov (latest daily certified version) rev. 041
Trend Micro – WORM_KERBOT.A since 5.637.00
- WORM_WECORL.A since 5.640.05

Q: What kind of payload this Trojan horse has?
A: This is what the Trojan gathers (according to Microsoft’s document):
*User Name
*Computer Name
*Network Adapters / IP Addresses
*Installed com objects
*Installed programs and installed patches
*Recently opened documents
*Outlook Express and MSN Messenger credentials
*Protected Storage credentials

Q: What kind of Trojan has attacked to the targeted organizations?
A: It is a very sophisticated and dangerous Trojan. It encrypts the data with AES and deletes itself after its operations. Before sending the gathered data to the attacker it reports the AV software of the installation (from HKEY_LOCAL_MACHINE\SOFTWARE\) as a parameter (BitDefender, Jiangmin, Kingsoft, Kaspersky, Microsoft OneCare, Rising and Trend Micro).

Q: Are there any changes to Windows registry or the file system made by this malware?
A: The following registry key is being modified:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysmgr
The display name of the service being generated is System Maintenance Service.
The malicious files are being copied to System32\wbem folder including basesvc.dll, syicon.dll, winbase.dll and winbaseInst.exe. NOTE: After being executed the Trojan deletes these files and itself.
Update: According to Arbor Networks the file C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\macnabi.log is being dropped too.

Q: Now I know that my anti-virus software can report computers in my organizations as clean because the Trojan has deleted itself from the system. What are the malicious executables that I can search them and examine logs etc.?
A: There are several names and all of the files has same size mentioned earlier, i.e. 397,312 bytes.
Update: According to McAfee the size varies from 49,152 to 417,792 bytes.

The most common file name is N2.exe. However, file names Nx.exe are widely spreading as well; [x] represents a number from 1 through 9.
The MD5 hash of the one specific N2.exe file in the wild on 23rd Oct is f173007fbd8e2190af3be7837acd70a4.
Update: To list one more the MD5 hash of n5.exe is 24cd978da62cff8370b83c26e134ff4c.

Prevx database knows the following file names too:
15197927.EXE, 00003106.EXE, NVIR/N2.EXE, 18912604.EXE, 54800477.DAT
The format of the file can be NVIR/N3.EXE etc. too.

Q: What type of network connections these malware make?
A: Gimmiv.A sends an ICMP Echo Request packet to multiple IP addresses including the string ”abcde12345fghij6789”.

Q: How can I recognize malicious files spreading RPC worm (Exploit.Win32.MS08-067.g)?
A: The files names reported in the wild are 6767.exe and KernekDbg.exe.

Q: What is the size of these files?
A: The size are various, but many of them are 16,384 bytes long.

Q: What kind of network connections the worm makes and are there any modifications made to Windows registry?
A: It connects to robot.10wrj.com, ls.cc86.info, ls.lenovowireless.net and ls.playswomen.com. Yes, the worm will add the new value to HKLM\SOFTWARE\Licenses and HKLM\SOFTWARE\Google.

Q: Are there any changes to Windows HOSTS file?
A: Yes, the lines
127.0.0.1 dnl-cn1.kaspersky-labs.com
127.0.0.1 alert.rising.com.cn
127.0.0.1 www.mcafee.com
will be added yo the HOSTS file.

Q: Is there CVE name available to this issue?
A: Yes. The Common Vulnerabilities and Exposures project (cve.mitre.org) has released the following CVE candidate CVE-2008-4250:
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250

Q: What is the CVSS severity of this vulnerability?
A: The CVSS (Common Vulnerability Scoring System) score is 10.0 (High).

Q: Is there a CWE class assigned?
A: The CWE (Common Weakness Enumeration) ID of the vulnerability, in turn, is #119, i.e. Failure to Constrain Operations within the Bounds of an Allocated Memory Buffer class:
cwe.mitre.org/data/definitions/119.html

Q: Is there a CME name available?
A: No. The Common Malware Enumeration (CME) project has not assigned an identifier for these malware.

Q: When exploiting this RPC vulnerability is the authentication needed?
A: On Windows 2000, XP, and Windows Server 2003 systems arbitrary code can be run without authentication. On Vista systems the authentication is needed.

Q: What is the vulnerable component?
A: It is netapi32.dll (Net Win32 API DLL). On Windows 2000 SP4 the non-affected version is 5.0.2195.7203, on Windows XP SP3 5.1.2600.5694 and on Vista SP1 there are several 6.0.6000.xxxx versions, see KB958644 for details. The vulnerable Windows API call is NetPathCanonicalize(), in turn.
Secunia has renamed its vulnerability advisory to Windows Path canonicalisation vulnerability. It states that processing directory traversal character sequences in path names enables to send drafted RPC requests to the Server Service.

(c) Juha-Matti Laurio, Finland (UTC +2hrs)
The author has released several Microsoft Office 0-day vulnerability FAQ documents, e.g.
blogs.securiteam.com/index.php/archives/759
and Windows Vector Markup Language vulnerability FAQ’s
blogs.securiteam.com/index.php/archives/640
since 2006.

Revision History:
1.0 25-10-2008 Initial release
1.1 26-10-2008 Updated document and some minor fixes
1.2 26-10-2008 Major updates to Trojan section, added credits, information of non-affected dll versions and Snort rule reference
1.3 27-10-2008 Added information about the various file names and sizes, a separate Arpoc section and Nessus plugin reference and [UPDATED] to the title
1.4 27-10-2008 Several virus description release dates and ID’s added, updated the summary to clarify the characteristics of the exploitation
1.5 28-10-2008 Added Microsoft Security Advisory #958963 link
1.6 29-10-2008 Added names to Arpoc Trojan section
1.7 03-11-2008 Updated the exploit/PoC section and added information about the worm exploiting the vulnerability
1.8 04-11-2008 Added names to RPC worm section, updated the summary
1.9 05-11-2008 Added information about Windows HOSTS file modification and new worm names

Credits: Microsoft, AV vendors, Prevx Malware Center

There is a phishing vulnerability and a spamming vulnerability, which Aviv Raff has reported this month.

The phishing flaw exist in iPhone’s Mail application. With a specially drafted link it’s possible to convince the victim that the link is trusted. Including the address bar, naturally – see Raff’s screenshot here [.jpg].

The second problem is that downloading remote images is not disabled in Mail, i.e. the Web Bug flaw exists in the application and there is no ways to disable that “feature”.
The third one is a SMS security issue found by the son of blogger Karl Kraft, described below:

Those settings block the display of incoming text messages and show an alert saying “New Text Message” if an SMS comes through while the phone is locked. However, if the phone is set to emergency call mode the incoming text messages are previewed.

And then:

“Thus all I need to do to intercept the messages from his girlfriend is to place the phone in emergency mode and wait 30 seconds for the next sickly sweet message,” Kraft writes.

That was reported (yes, by his father) in iPhone version 2.1 (5F136) – the most recent version too.

But don’t say “We won the race – at last” yet. The number of crimeware-spreading URLs rose to a new record.
Nothing special when digging the statistics of top hosting countries – U.S., China, Russia, etc. But hey, France is listed too.

And link to the recently released Q1 Phishing Trends Report (pdf) here.

The Fedora Project issued a recommendation that users will not download any packages or update their Fedora installations. There was a note to change the Fedora Project passwords (it was not reported widely for some reason) too.

Today, Mr. Paul W. Frields, Fedora Project Leader has posted an announcement about the facts:

One of the compromised Fedora servers was a system used for signing Fedora packages. However, based on our efforts, we have high confidence that the intruder was not able to capture the passphrase used to secure the Fedora package signing key. Based on our review to date, the passphrase was not used during the time of the intrusion on the system and the passphrase is not stored on any of the Fedora servers.

While there is no definitive evidence that the Fedora key has been compromised, because Fedora packages are distributed via multiple third-party mirrors and repositories, we have decided to convert to new Fedora signing keys. This may require affirmative steps from every Fedora system owner or administrator. We will widely and clearly communicate any such steps to help users when available.

The Fedora Project servers are hosted at Red Hat Inc., the employee of Mr. Frields.

This is an interesting detail from hosting history section:

209.132.176.122 – Linux Apache/2.2.3 Red Hat – 19-Aug-2008
209.132.176.122 – Linux Apache/2.2.0 Fedora   – 16-Aug-2008
209.132.176.122 – Linux Apache/2.2.3 Red Hat – 19-Aug-2008

Adam Gowdiak from Poland is a well known researcher, man behind Windows RPC issue MS03-026 etc.

Sun has confirmed that older versions of Java 2 Platform Micro Edition (J2ME) are affected (this was on 15h Aug already) and Nokia confirmed these issues today (let’s say, at last).

It is not known if Sun Microsystems or Nokia Corp. paid €20 000 to Gowdiak, last week or possible later.

Some references:

Security Explorations: J2ME security vulnerabilities 2008
MIDP’s and MIDlets put tens of millions Nokia S40 phones in danger

Update 22nd Aug: From IDG.no:

“Gowdiak would not disclose if he was paid, but said that only reputable, vetted companies that pay would get the full research, which amounted to 180 pages and 14,000 lines of proof-of-concept code.

Nokia has a complete copy of Gowdiak’s research, said Mark Durrant of Nokia’s corporate communications.”

We can’t expect that an ordinary worker will know if USB sticks, peripherals with Bluetooth enabled, innocent looking hardware keyloggers etc. connected to their desktop computers and even to laptops are malicious – and not installed by a local IT support.

This Swedish worker recognized an odd device connected to his workstation, but a target organization is not so lucky every time. ”Employee quickly pulled the plug, interrupting a transfer” ($7.9 million), but there was an extra cable which ended up under his desk.

It’s worth of mentioning that this remote control device had been installed to bank workstation during a previous break-in, during which nothing had been stolen from the building.

Therefore, the ways how we can protect against these threats are not so typical:

* Check the USB and PS/2 connectors of your workstations and servers several times a year
* Always check these connectors when a computer returns from being repaired
* Remember that visitors have a possibility to connect these devices often

The research material includes information about

reliable MIDP 2.0 privilege elevation technique for Nokia Series 40 devices

and

Nokia specific exploitation technique leading to the remote and persistent deployment of a backdoor shell application into the target Nokia Series 40 phone

Mr. Gowdiak has tested 7 Nokia Series 40 models.

Needless to say that this information in the hands of bad guys is dangerous.

And related to the devices – Nokia Series 40 shipped with 3rd edition Feature Pack 2 and 3rd edition are affected.