I’m sure by now everyone is aware of the XML Core Services 0-day that ISS alerted us about over the weekend. My initial impression was that it didn’t work, but it seems that if you have MSXML 4.0 installed (duh), it works like a charm. On my test system, it installed both an exe and dll.

Watch out.

Roger

Looks like there’s a new version of WebAttacker tonight. We just found a web site that we know to run Web Attacker and it’s clearly using SetSlice (MS06-057). We couldn’t get at the admin page, to see what else might be in the new version, but the format of the command we saw was “.cgi?type=MS06-057&SP2″, so that’s clearly new at a minimum.

If you’re patched to October, and you’re running SocketShield, you have little to fear, but if not, please be careful. Web Attacker is always widely used.

More to follow.

Roger

It turns out that the grumpy ones were Spamhaus! Actually, I doubt they were really grumpy, because I doubt they take this stuff personally… but I digress… Spamhaus saw my warning about the CoolWebSearch sites using the SetSlice zero-day, and took the potentially original step of complaining to the ISP, variously known as EstHost or InHoster, and shockingly, EstHost/InHoster actually shut down those websites and a bunch of related websites immediately.

So why is this shocking? Isn’t that what ISPs are supposed to do? Well, yes, but CoolWebSearch has been serving up Windows Metafile exploits with impunity since January! 48 hours of SetSlice, and whap!…. half their network is gone.

One of four things has happened. Either …

(1) The ISP has suddenly become more responsible. Kudos to them if they have, and perhaps this is a harbinger of better days ahead, or,
(2) The ISP decided it didn’t like the heat of being associated with a zero-day. In other words, it’s fine to serve up mouldy old exploits, but not zero-days, or,
(3) The ISP is simply scared of Spamhaus, or,
(4) All of the above.

Spamhaus has been under siege lately, and I think it would behoove us all to understand and remember that they have nipped a potentially huge problem right in the bud.

Folks, do what you can to support Spamhaus.

Roger

Last night our Hunting Pots found this in use in the wild at some of the St Petersburg iframers sites installing rootkits and who knows what else, and this morning, we found it in use at the CWS sites. It infects a fully patched XP SP2 quite nicely.

The CWS people have only been using WMF since december/ january, and have a very big, well-established network for drawing in victims. Imo, this represents a significant escalation.

The last time I examined it in detail, the CWS guys make money by selling their search engine to minor website operators with a pitch along the lines of “Pay us $100 per month, and we’ll guarantee 80m visitors each month”.

Then when a victim visits one of their exploit sites, they install a URL-visiting program and a list of URLs. The URL-visitor then visits each customer website in turn, forging the headers to make it look like a real visitor referred by the bogus search engine.

The minor website operator sees his 80m visitors a month, but doesn’t realize that they are just pcs…. no human eyes at all.

If they could make money with WMF, they’ll be rich from this one.

Roger

This is an example of nifty social engineering, which is really quite funny… _unless_ you’re the one on the receiving end. Here’s how it works….

You’re surfing the web, and you find a video that you really want to watch, (no, not one of “those” videos… well, not necessarily anyway), but it says you have to install a codec. Codec stands for compressor/ decompressor and is used to make otherwise huge video files into a more manageable size. You install the codec, and maybe you see the video, and maybe you don’t, but guess what? You’ve been rootkitted! Now, on one level, that’s just the classic bait and switch/ trojan horse scenario, but the _details_ are quite interesting.

I was looking at just such an example today, and I was wondering, suspiciously, why would people give a codec away for free, so I went to the codec website, started looking around, and found of all things …. a EULA. In the EULA, we find that, despite all the references to needing a codec for Windows Media Player, there’s the following paragraph….

“SOFTWARE DESCRIPTION This software grants you access to many different video files, provided by the Licensor on its sites. The software is not any kind of Media Player Add-On or plugin, it does not implement any additional compressor/ decompressor or any other additional video software. ”

Wait…. it’s _not_ a compressor/ decompressor or a Media Player plugin? That’s kind of bold of them.

So, with that in mind, I now install it on a Virtual PC, loaded with diagnostic software to see what it does. Heck…. it doesn’t do anything. It just installs. It’s not working, because I can’t see the video. It hasn’t attached itself to Internet Explorer or Windows Explorer. None of my rootkit detectors show any system anomaly. I see no way for it to get into the execution cycle on reboot. My sniffers don’t see any traffic. I can’t even find any place to run software. All I can see is an Uninstall command.

Hmmmmm ….. that makes no sense, so I try again on a native machine …. no VPC involved at all, and this time the rootkit detectors go off like roman candles… hidden files and processes and registry keys all over the place. Dang! They’re reasoning, correctly, that if they’re on a virtual pc, they’re being studied and won’t play nicely. How perceptive of them. This shouldn’t really be a surprise, because it’s well documented how to tell that you’re inside a vpc, but it is a surprise if only to marvel at their cunning.

But even on a native, non-virtual PC, the video still won’t play, so I decide to test what the uninstall does. Here’s the funny bit I was referring to earlier … It very politely and tidily uninstalls all the extra bits _except_ the rootkit! And you _still_ don’t get to see the video!

So how can you tell if a codec is safe, or if it’s a rootkit? It turns out that you can’t, unless your antivirus software recognizes it before it installs. Once it installs, it’s invisible, so even if you get an update, it’s probably too late… even the av probably won’t see it.

Bottom line … if you have to install a codec to watch a video… the video is probably not worth it.

Roger

It looks like we have a working Internet Explorer 0-day today. The guys at http://www.xsec.org/ actually published an example yesterday, which was Exploit Wednesday. They clearly have a sense of humor, but that’s beside the point. Their initial example was only tested on Chinese XP SP2, and Internet Explorer 6.0 SP1, and although it managed to crash Internet Explorer in our tests, it was not able to execute code.

Tonight, however, it seems that reliably working attack code now exists. Fortunately, no proofs of concept have been made public, and so far, our monitors have not found any real live code in the wild, so all is still pretty safe.

It would be wise for us all to assume that exploiters around the world are probably trying to figure out the details right now, so everyone needs to be both vigilant and cautious. SocketShield has been updated to protect against the exploit as we currently understand it, and we’ll continue to update it as needed.

Cheers

Roger