Bad bunny – first OpenOffice virus, and it’s cross-platform!

Some people have a one-track mind...

It runs on Windows, Mac and Linux computers, acting differently for each OS. Anti-malware vendor Sophos admits it poses a low threat, especially as it’s only a proof-of-concept that hasn’t actually been discovered ‘in the wild’.

For the full article, please visit:

http://apcmag.com/6162/first_openoffice_virus_emerges

Gozi Trojan analysis

SecureWorks has posted an analysis of another Trojan that is used to steal SSL/TLS-encrypted data transferred from the victimized PC.

A single attack by a single variant compromises more than 5200 hosts and 10,000 user accounts on hundreds of sites.

  • Steals SSL data using advanced Winsock2 functionality
  • State-of-the-art, modularized Trojan code
  • Spread through IE browser exploits
  • Undetected for weeks, months by many AV vendors
  • Customized server/database code to collect sensitive data
  • Customer interface for on-line purchases of stolen data
  • Accounts compromised by stealing data primarily from infected home PCs
  • Accounts at top financial, retail, health care, and government services affected
  • Data’s black market value at least $2 million

Full article is here.

Smarter and Smarter

Websense has posted a nice malware analysis showing how easily security software can be bypassed by malicious software.

Before performing its primary objective, this malware first disarms any antivirus or firewall it can:

The file is packed with a custom packer/protector, which we had never encountered before. Here is a brief description of the packer and what it does to prevent analysis.

The protected application doesn’t run in a Virtual Machine (default configuration). Once this problem is fixed, it generates 1372 (!) exceptions in the loader to thwart debuggers, tracers, emulators, and so forth.

There is a CRC to prevent patching of the protection code; therefore, the protector will never call the original entry point if the code has been patched, or if a software breakpoint is found in the routine.

One of the first things the malware does is to scan for security applications in memory. It uses a few different techniques, including looking for Windows Name, Process Name

It kills several antivirus products, if they are found in memory, as well as some firewall products.

It lowers the computer’s sound volume in order to prevent the user from hearing a warning sound generated by antivirus programs.

Full analysis is here.

Distributing malware over ed2k network

While searching for some legitimate content on the ed2k p2p network I stumbled upon some strange search results. Those results looked as if they had been forged from the search query itself. I then searched for files that surely do not exist and got the same forged results.

A quick check of the files shows that at least one of them contains malware.

The malicious server forges an ed2k link for every query by changing only the name of the file, while the MD5 stays the same. The malicious server then connects to one of the biggest servers in the network. Users who use Global search (trans-server) will receive the link on almost every search, and the result may look very legitimate because of the good availability of the file. The malicious files are very well shared and will be downloaded in a matter of seconds.
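As an added example (not from the original post), this Python script parses ed2k links from a constructed set of search results and flags any hash that shows up under several unrelated file names, which is the forged-result pattern described above. The link layout `ed2k://|file|name|size|hash|/` is the standard ed2k format; the hashes and file names are made up.

```python
import re
from collections import defaultdict

# Standard ed2k link layout: ed2k://|file|<name>|<size in bytes>|<32 hex-digit hash>|/
ED2K_RE = re.compile(
    r"^ed2k://\|file\|(?P<name>[^|]+)\|(?P<size>\d+)\|(?P<hash>[0-9A-Fa-f]{32})\|/?$"
)

def parse_ed2k(link):
    """Return {'name', 'size', 'hash'} for a well-formed link, else None."""
    m = ED2K_RE.match(link.strip())
    if not m:
        return None
    return {"name": m.group("name"), "size": int(m.group("size")),
            "hash": m.group("hash").lower()}

def names_per_hash(links):
    """Group every distinct file name seen under each hash."""
    groups = defaultdict(set)
    for link in links:
        rec = parse_ed2k(link)
        if rec is not None:
            groups[rec["hash"]].add(rec["name"])
    return groups

def forged_hashes(links, min_names=3):
    """Hashes offered under at least `min_names` different names: one file being
    renamed to match whatever was searched for, as the malicious server does."""
    return {h: sorted(n) for h, n in names_per_hash(links).items() if len(n) >= min_names}

def echoes_query(name, query):
    """True when the file name is just the query text plus an extension, which is
    how the forged results are produced from the search string."""
    stem = name.rsplit(".", 1)[0].lower()
    return stem == query.strip().lower()

# Constructed sample: two genuine-looking results and one hash served under three names.
FAKE_HASH = "deadbeef" * 4
SAMPLE_RESULTS = [
    "ed2k://|file|ubuntu-6.06-desktop-i386.iso|732766208|0123456789abcdef0123456789abcdef|/",
    "ed2k://|file|ubuntu 6.06 desktop.exe|1540096|" + FAKE_HASH + "|/",
    "ed2k://|file|holiday photos 2006.exe|1540096|" + FAKE_HASH + "|/",
    "ed2k://|file|qwertyuiop asdfgh.exe|1540096|" + FAKE_HASH + "|/",
    "ed2k://|file|ubuntu-6.06-alternate-i386.iso|702087168|fedcba9876543210fedcba9876543210|/",
    "not a link at all",
]
```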

Google debug

I love Google’s web applications. They are cool and actually set a new standard for the Web we know today. It’s fun and educating to check out their JavaScript code. And as usual, when you dig into somebody’s code, you find surprises. (more…)

Google Releases Code Search

Google released a code search engine to catch up with Krugle, Koders, and Codease.

Like most of Google’s other tools, it can easily be abused for hacking :)

To hunt for undisclosed vulnerabilities, look through the code returned by this query:

http://www.google.com/codesearch?q=ugly%7Chack%7Cfixme

Or some other interesting combination (Use your favorite ugly code comment).

Mac Mini running OS X got pwned in 30 minutes.

On February 22, a Sweden-based Mac enthusiast set up his Mac Mini as a server and invited hackers to break through the computer’s security and gain root control… – writes ZDNet

“This sucks. Six hours later this poor little Mac was owned and this page got defaced. Good thing is it didn’t get rm’d!”

WMF Exploitation FAQ

You think that every possible bit of information about the WMF issue has already been posted? What about an exploitation FAQ?

Here it goes: H.D. Moore, creator of Metasploit, posted one on the [funsec] list.

Exploitation FAQ:

Q) The Windows Meta File format has a number of optional headers, can any
of these be used to trigger the arbitrary code execution flaw via
SetAbortProc?

A) No. The CLP headers (16 bit and 32 bit) cause the Picture and Fax
Viewer (PFV) and Internet Explorer to throw an error when trying to
render the image. Internet Explorer will only display an image internally
if the “placeable” header has been prepended to the bare WMF header. If the
“placeable” header exists, a device context check will fail during the
call to Escape() and the SetAbortProc() function is not reached. This
effectively prevents IE or the PFV from executing the SetAbortProc() call
when any optional header has been prepended. This may not hold true for
Explorer’s preview and icon view.

Q) What about the Enhanced Meta File format? Does this format allow access
to the exploitable function?

A) No. The EMF format has a separate API (which may or may not have its
own problems), but it does not allow access to the WMF Escape() function.
A WMF file can be delivered with the EMF extension however, which will
cause it to be processed with the vulnerable API.

Q) Are there any other ways to obtain code execution besides via WMF files
viewed by PFV or Explorer?

A) Yes. Any application that accepts WMF files and calls PlayMetaFile with
the supplied data can be exploited. Some of these only recognize WMF
files with the placeable header, which may prevent the application from
reaching the SetAbortProc function. There are *many* other places where
standard (i.e. included with the OS) applications call the PlayMetaFile
function; it’s just a matter of figuring out which ones can be used to
deliver the malicious WMF content. A potential vector includes the
display of icons stored inside of a standard executable. Viewing these
files in an Explorer directory listing could result in the execution of
code in an embedded WMF file. This has yet to be tested.

Q) What WMF header fields are mandatory for code execution through the
PFV ?

A) Not many. The Windows Meta File header and possible field values are
listed below:

# Possible values: 1 or 2 (memory or disk)
WORD FileType

# The HeaderSize must always be 9
WORD HeaderSize

# The Version field can be 0x0300 or 0x0100
WORD Version

# This parameter can be anywhere from 0x20 to 0xffffffff
DWORD FileSize

# Completely arbitrary
WORD NumOfObjects

# Completely arbitrary
DWORD MaxRecordSize

# Completely arbitrary
WORD NumOfParams

The MSB of the actual MetaFileRecord function field is completely ignored.

Credits: A number of anonymous sources contributed to this information.

More information on the WMF structure can be found at the following sites:
- http://wvware.sourceforge.net/caolan/ora-wmf.html
- http://www.geocad.ru/new/site/Formats/Graphics/wmf/wmf.txt
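As an added example that is not part of H.D. Moore’s FAQ or the original post, the Python below checks a WMF byte string against the header constraints listed in the FAQ, notes a prepended placeable header, and scans the records for an Escape/SetAbortProc record, comparing only the low byte of the function field because, as the FAQ says, the high byte was ignored. The record layout (DWORD size in words, WORD function, WORD parameters), the Escape record type 0x0626, the SetAbortProc escape code 9 and the placeable-header magic 0x9AC6CDD7 are taken from the WMF/GDI definitions, not from the page; the sample inputs are constructed test data carrying no payload.

```python
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7   # Aldus "placeable" header, 22 bytes, may precede the WMF header
META_ESCAPE = 0x0626           # record type of the Escape() call
SETABORTPROC = 9               # Escape sub-function abused by the WMF flaw

def check_wmf(data):
    """Return findings for a WMF byte string: header constraints from the FAQ,
    presence of the placeable header, and Escape/SetAbortProc records."""
    findings, off = [], 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        findings.append("placeable header present")
        off = 22
    if len(data) < off + 18:
        return findings + ["truncated: no 18-byte WMF header"]
    ftype, hsize, version, fsize, _nobj, _maxrec, _nparams = struct.unpack_from("<HHHIHIH", data, off)
    if ftype not in (1, 2):
        findings.append(f"bad FileType {ftype}")
    if hsize != 9:
        findings.append(f"bad HeaderSize {hsize}")
    if version not in (0x0100, 0x0300):
        findings.append(f"bad Version {version:#06x}")
    if fsize < 0x20:
        findings.append(f"FileSize {fsize:#x} below 0x20")
    pos = off + 18
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < 3:
            findings.append(f"bad record size {size_words} at {pos:#x}")
            break
        # GDI compared only the low byte of the function field, so do the same.
        if (func & 0xFF) == (META_ESCAPE & 0xFF) and pos + 8 <= len(data):
            if struct.unpack_from("<H", data, pos + 6)[0] == SETABORTPROC:
                findings.append(f"Escape/SetAbortProc record at {pos:#x} (function {func:#06x})")
        if func == 0:          # META_EOF
            break
        pos += size_words * 2
    return findings

def build_sample(records, placeable=False):
    """Constructed test input, not a real file: minimal WMF header plus raw records."""
    body = b"".join(records)
    hdr = struct.pack("<HHHIHIH", 1, 9, 0x0300, max(0x20, (18 + len(body)) // 2), 0, 3, 0)
    prefix = struct.pack("<I", PLACEABLE_MAGIC) + bytes(18) if placeable else b""
    return prefix + hdr + body

EOF_REC = struct.pack("<IH", 3, 0)
ABORT_REC = struct.pack("<IHHH", 5, META_ESCAPE, SETABORTPROC, 0)     # empty payload
ABORT_REC_LOWBYTE = struct.pack("<IHHH", 5, 0x0026, SETABORTPROC, 0)  # high byte dropped
```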

Pandora.com’s box

Recently I discovered and tuned in to the Pandora service. It’s really easy and fun to use this online music provider.

Once you are registered you can choose the music you want to listen to by creating “channels”, each identified by an artist or a song name. The selected channel streams music that the Music Genome Project classifies as similar to what you chose when you created the channel. For each song you further decide whether you like it or not, which in turn fine-tunes the channel.

I loved Pandora from the first minute I heard its music, and the first thing I noticed was that I no longer get those annoying pauses when one of my colleagues decides to download something huge. This actually amazed me: it was the first time I got streaming music of this quality without those creepy noises. Well, I had to check how they did it.

I fired up a sniffer, looking for the incoming traffic going to Pandora’s player. I was pretty amazed when I discovered that the player sends plain HTTP GET requests to download the songs as mp3 files. This means that the player does not really stream the music; it downloads it and then plays it.

The next step was to open the Live HTTP Headers Firefox plugin to grab the GET requests that download these mp3s :evil: .

Well, because I am a person that wears the right colored underwear, I dropped a mail to support dudes at Pandora.com.

Recently we discovered a security flaw in the Pandora service your company provides.

Pandora’s Flash player sends an HTTP GET request to retrieve the music it plays as mp3 files. Those links are static and do not require any kind of authorization to retrieve the files. By sniffing network traffic it is possible to get those links, thus revealing the static location of the mp3 file.

The impact of this problem is that it allows users to store music locally and to share music with others (even non Pandora.com users) by sending / posting the links.

Looking forward to your response.
…..

The response was along the lines of: the flaw is not actually a flaw, rather it is a known feature :mad: .

Thanks for the heads up. We’re aware of this issue. Actually, the URL will only work for a short period of time while the song downloads, so it’s impossible to post them for others later.
…..

I stated that the links are static, and the links I grabbed when sending the notification still look valid to me. Should I convince the vendor that I’m right? Naaw, I’ll just blog it ;) . So actually you can share songs too, not only the channels.

P.S. The URI of the GET request consists of a long field named “token” that looks encrypted, base64 and URL encoded to me. It would be interesting if somebody invested the time to decompile the Flash to see if it’s possible to download any of the 300,000 songs directly. Who knows, maybe they use the Blowfish cipher with a static key? :evil: .
Anyway, if somebody did, please keep us informed.
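The fix the vendor describes, a URL that only works for a short time, requires the server to bind each link to a path and an expiry and to check that binding on every request. As an added example that is not Pandora’s code, this Python sketch signs a download URL with an HMAC over path and expiry and rejects links that are expired, re-pointed at another file or missing the token; the host name and the secret are made-up placeholders.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed server-side secret; in a real deployment it lives in a secret store.
SECRET = b"example-signing-key-not-for-production"
TTL_SECONDS = 120            # roughly "only works while the song downloads"
HOST = "https://media.example.invalid"   # placeholder host

def _mac(path, expires):
    """HMAC-SHA256 over the exact path and expiry, URL-safe base64 without padding."""
    msg = f"{path}|{expires}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def sign_url(path, now=None):
    """Build a download URL that is valid only for `path` and only until `expires`."""
    now = int(time.time()) if now is None else now
    expires = now + TTL_SECONDS
    return f"{HOST}{path}?" + urlencode({"expires": expires, "token": _mac(path, expires)})

def verify_url(url, now=None):
    """Return True only if the token matches this exact path and has not expired.
    A static link (no token) or a link copied to another file fails here."""
    now = int(time.time()) if now is None else now
    u = urlparse(url)
    q = parse_qs(u.query)
    try:
        expires = int(q["expires"][0])
        token = q["token"][0]
    except (KeyError, ValueError, IndexError):
        return False
    if now > expires:
        return False
    # Constant-time comparison so the token cannot be guessed byte by byte.
    return hmac.compare_digest(token, _mac(u.path, expires))
```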

Corporate workers neglect danger of using public email services

According to research recently conducted by the Radicati Group, one in 20 corporate workers has at least once used email to send information classified as corporate-sensitive or even as a commercial secret. Along with that, two out of three workers use personal mailboxes, such as publicly available webmail services, to exchange corporate information.

Public email services are not always as secure as corporate email. The insufficient privacy policies of those services make their use for corporate data illegitimate.

“We reserve the right to transfer your personal information in the event of a transfer of ownership of XXXX, ….” Sounds familiar?

Avian flu hits the Internet

All the excitement around bird flu may in the end lead to a virus epidemic: a computer epidemic. According to Panda Software, a scam group has used the public’s fear of avian flu to spread a computer virus infection.

A new Trojan horse, dubbed “Navia.a” by Panda Software, uses the subject lines “Outbreak in North America” and “What is avian influenza (bird flu)?” to dupe recipients into opening an attached Microsoft Word document. That’s when Navia.a goes old school: the Word document is infected with malicious macros.

Draw your katanas, Netsukuku is out there (the Internet is obsolete)

The Internet as we know it today is decentralized through a hierarchical network, where domain naming services are provided by international corporations funded by government institutions. Every bit and byte of information is transferred via commercial backbone routers.

But big brother’s eye never sleeps. It is no longer a myth that governments want, try and sometimes even “control” the Internet.

Netsukuku is an attempt to implement a “real” decentralized network, without any kind of root servers or backbones. All the communication is transmitted peer to peer. Big brother – no, cyberpunk – yes.

Netsukuku is a physical network, i.e. it does not rely upon any existing infrastructure; “therefore computers need to be physically linked to each other for Netsukuku to be able to construct networking routes.”

Instead of DNS, Netsukuku uses an “anarchy” domain name system, ANDNA (Abnormal Netsukuku Domain Name Anarchy). Each peer keeps and maintains its routing table using its own proprietary algorithm called Quantum Shortest Path Netsukuku (wow :D ).

Anyway … it is a nice project, visit http://netsukuku.freaknet.org/ to learn more about it.