XML Core Services 0-day

Hi folks,

I’m sure by now everyone is aware of the XML Core Services 0-day that ISS alerted us about over the weekend. My initial impression was that it didn’t work, but it seems that if you have MSXML 4.0 installed (duh), it works like a charm. On my test system, it installed both an exe and dll.

Watch out.

Roger

Share

October WebAttacker?


Hi folks,

Looks like there’s a new version of WebAttacker tonight. We just found a web site that we know to run Web Attacker and it’s clearly using SetSlice (MS06-057). We couldn’t get at the admin page, to see what else might be in the new version, but the format of the command we saw was “.cgi?type=MS06-057&SP2″, so that’s clearly new at a minimum.

If you’re patched to October, and you’re running SocketShield, you have little to fear, but if not, please be careful. Web Attacker is always widely used.

More to follow.

Roger

Share

Chalk one up for Spamhaus

Hi folks,
Recapping briefly… last weekend, we discovered the SetSlice 0-day in use in both some of the St Petersburg Iframers websites, and in what I call the CoolWebSearch websites. By Monday, I was pleasantly surprised to find they’d been shut down. I figured that they’d made someone really grumpy.

It turns out that the grumpy ones were Spamhaus! Actually, I doubt they were really grumpy, because I doubt they take this stuff personally… but I digress… Spamhaus saw my warning about the CoolWebSearch sites using the SetSlice zero-day, and took the potentially original step of complaining to the ISP, variously known as EstHost or InHoster, and shockingly, EstHost/InHoster actually shut down those websites and a bunch of related websites immediately.

So why is this shocking? Isn’t that what ISPs are supposed to do? Well, yes, but CoolWebSearch has been serving up Windows Metafile exploits with impunity since January! 48 hours of SetSlice, and whap!…. half their network is gone.

One of four things has happened. Either …

(1) The ISP has suddenly become more responsible. Kudos to them if they have, and perhaps this is a harbinger of better days ahead, or,
(2) The ISP decided it didn’t like the heat of being associated with a zero-day. In other words, it’s fine to serve up mouldy old exploits, but not zero-days, or,
(3) The ISP is simply scared of Spamhaus, or,
(4) All of the above.

Spamhaus has been under siege lately, and I think it would behoove us all to understand and remember that they have nipped a potentially huge problem right in the bud.

Folks, do what you can to support Spamhaus.

Roger

Share

SetSlice Update

Hi folks,

Last night our Hunting Pots found this in use in the wild at some of the St Petersburg iframers sites installing rootkits and who knows what else, and this morning, we found it in use at the CWS sites. It infects a fully patched XP SP2 quite nicely.

The CWS people have only been using WMF since december/ january, and have a very big, well-established network for drawing in victims. Imo, this represents a significant escalation.

The last time I examined it in detail, the CWS guys make money by selling their search engine to minor website operators with a pitch along the lines of “Pay us $100 per month, and we’ll guarantee 80m visitors each month”.

Then when a victim visits one of their exploit sites, they install a URL-visiting program and a list of URLs. The URL-visitor then visits each customer website in turn, forging the headers to make it look like a real visitor referred by the bogus search engine.

The minor website operator sees his 80m visitors a month, but doesn’t realize that they are just pcs…. no human eyes at all.

:-)

If they could make money with WMF, they’ll be rich from this one.

Roger

Share

Nifty social engineering

Hi folks,

This is an example of nifty social engineering, which is really quite funny… _unless_ you’re the one on the receiving end. Here’s how it works….

You’re surfing the web, and you find a video that you really want to watch, (no, not one of “those” videos… well, not necessarily anyway), but it says you have to install a codec. Codec stands for compressor/ decompressor and is used to make otherwise huge video files into a more manageable size. You install the codec, and maybe you see the video, and maybe you don’t, but guess what? You’ve been rootkitted! Now, on one level, that’s just the classic bait and switch/ trojan horse scenario, but the _details_ are quite interesting.

I was looking at just such an example today, and I was wondering, suspiciously, why would people give a codec away for free, so I went to the codec website, started looking around, and found of all things …. a EULA. In the EULA, we find that, despite all the references to needing a codec for Windows Media Player, there’s the following paragraph…. (more…)

Share

IE 0-day

Hi folks,

It looks like we have a working Internet Explorer 0-day today. The guys at http://www.xsec.org/ actually published an example yesterday, which was Exploit Wednesday. They clearly have a sense of humor, but that’s beside the point. Their initial example was only tested on Chinese XP SP2, and Internet Explorer 6.0 SP1, and although it managed to crash Internet Explorer in our tests, it was not able to execute code.

Tonight, however, it seems that reliably working attack code now exists. Fortunately, no proofs of concept have been made public, and so far, our monitors have not found any real live code in the wild, so all is still pretty safe.

It would be wise for us all to assume that exploiters around the world are probably trying to figure out the details right now, so everyone needs to be both vigilant and cautious. SocketShield has been updated to protect against the exploit as we currently understand it, and we’ll continue to update it as needed.

Cheers

Roger

Share