Botnets, Security Ops and Boxing

What do they have in common?

Postcard.exe - be aware!

Malicious messages whose only content is the executable attachment postcard.exe are being spammed to recipients ahead of the New Year celebrations.

The Subject is “Happy New Year!” and there is no message body at all.

The sender address is spoofed - as expected.

The following AV writeups have been released (vendors in alphabetical order):

Downloader.Tibs (AVG/Grisoft)
Win32.Worm.Luder.B (BitDefender)
Win32/Luder.I (CA) (more…)
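A mail-gateway style check for exactly this pattern (no text at all, every attachment an executable), added here as an example and not part of the original post. Both messages are constructed test inputs: the “executable” is a 10-byte MZ stub, not the malware, and the extension list is an assumption.

```python
"""Gateway-style check for the postcard.exe pattern: executable attachment, empty body.

Added example, not code from the original post. Both messages below are
constructed test inputs; the "executable" is a 10-byte MZ stub, not malware.
"""
import os
from email import message_from_bytes, policy

# Assumption: extensions a Windows mail client would hand straight to the loader.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

# Constructed: the shape described above (spoofed From:, "Happy New Year!", no text, one .exe).
SPAM_SAMPLE = b"""From: friend@example.org
To: victim@example.net
Subject: Happy New Year!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

--b1
Content-Type: application/octet-stream; name="postcard.exe"
Content-Disposition: attachment; filename="postcard.exe"
Content-Transfer-Encoding: base64

TVoAAAAAAAAAAA==
--b1--
"""

# Constructed: a real greeting with text and a JPEG, which must still be delivered.
BENIGN_SAMPLE = b"""From: colleague@example.org
To: victim@example.net
Subject: Happy New Year!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

Hi, the card from the office party is attached.
--b2
Content-Type: image/jpeg; name="card.jpg"
Content-Disposition: attachment; filename="card.jpg"
Content-Transfer-Encoding: base64

/9j/4AAQ
--b2--
"""


def summarize(raw):
    """Return subject, stripped body text and (name, ext, starts_with_MZ) per attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    body, attachments = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name or part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""
            name = name or ""
            # Check the bytes, not just the name: a PE renamed to .jpg is still a PE.
            attachments.append((name, os.path.splitext(name)[1].lower(), data.startswith(b"MZ")))
        elif part.get_content_maintype() == "text":
            body.append(part.get_content())
    return {"subject": str(msg["subject"]), "body": "".join(body).strip(), "attachments": attachments}


def verdict(raw):
    """'quarantine' when every attachment is executable and there is no text at all."""
    info = summarize(raw)
    executables = [a for a in info["attachments"] if a[1] in EXEC_EXTENSIONS or a[2]]
    # The From: header is not consulted: it is spoofed, so only the content is evidence.
    if executables and len(executables) == len(info["attachments"]) and not info["body"]:
        return "quarantine"
    return "deliver"


if __name__ == "__main__":
    for label, raw in (("spam", SPAM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, summarize(raw)["attachments"], "->", verdict(raw))
```

The rule deliberately keys on the message structure rather than on the sender or on a signature name, since the sender is spoofed and the AV names above show that detection names change from vendor to vendor.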

Database errors - real life of security vendors too

When accessing the Exploit Research category of the McAfee Avert Labs Blog, the following database error text was displayed. Besides the outage itself, note that the message discloses the server’s temporary-file path and the full SQL query with table names; a production WordPress install should not print database errors to visitors:

WordPress database error: [Can’t create/write to file ‘G:\temp\#sql_d74_0.MYD’ (Errcode: 17)]
SELECT DISTINCT * FROM wp_posts LEFT JOIN wp_post2cat ON (wp_posts.ID = wp_post2cat.post_id) WHERE 1=1 AND (category_id = 9) AND post_date_gmt < = '2006-12-29 15:16:59' AND (post_status = "publish") AND post_status != "attachment" GROUP BY wp_posts.ID ORDER BY post_date DESC LIMIT 0, 999

Visiting the main page, in turn, generated the error

“Not Found

Sorry, but you are looking for something that isn’t here.”

Update, 17:20 UTC: It appears that they have fixed these problems.

CCC report: day 0

Today was day 0 of CCC (Chaos Communication Congress, in Berlin), meaning that although there weren’t any lectures and although there were only a few dozen to a few hundred visitors at any given time, it was still fun!

Early in the day (around 15:30) I went to the conference center expecting to pick up Raven and go for food. I expected it to be empty; boy, was I wrong. There were at the very least 5 folks outside in the cold, and at least 10 folks (more, but I saw 10) inside the center itself. Mostly just staff.

After meeting up with Raven and registering with the conference (greets Maha), we went for some dinner. I just got some french fries (I’m sure you wanted to know that). When we got back there was already a 200-meter line for the registration booth (not that it was open) and dozens of people in all the chill-out areas. We walked around the building and met up with some cool people (greets Andy, Jake, Fukami and many others).

Things really kicked up when we discovered the Phenoelit hang-out below-decks and got beered up by FX, Mumpi and the rest of this cool group. Later on, Kaminsky showed up… got jumped (literally) by FX and yours truly, and the rest is history. There have also been some surprises, such as a very cool LED flashlight I got from a very cool guy who ended up being John Gilmore of GDB/EFF/etc. fame.

I had to leave at around 1 AM to catch up on some work before the big first day tomorrow (now today), but on the way I met up with Ilja (of fuzzing fame) and one cool yet poor fellah whose laptop’s BIOS was wiped clean at midnight (and he lectures 8 AM sharp)… the list of folks goes on and on.

Germans really know how to have fun, and drink. CCC is definitely going to be interesting in its 23rd year, and it is worth it both from the technical side (talks) and the networking side. The first day is coming up, and one thing is for sure: there’s going to be a lot of beer (although this “official CCC drink”, Mate, really grows on me!)

Note to self: study German. Note to defcon: get CCC style on-site food.

Note to world: bad black jokes are allowed in Germany, with younger crowds, anyway.
Gadi Evron,
ge@linuxbox.org.

Google debug

I love Google’s web applications. They are cool and actually set a new standard for the Web we know today. It’s fun and educational to check out their JavaScript code. And as usual, when you dig into somebody’s code, you find surprises. (more…)

Second Life: Virtual Worlds Botnet Attacks

Hey, do I smell history repeating itself? Bots on IRC used to be useful too, and then used for local flooding. Only later did they become the botnets that they are today. :)

So, from automated playing when you are not around to keep stuff active (rings a bell?) to botnets that throw… privates at people. :)

http://www.boingboing.net/2006/12/21/second_life_griefers.html

Worth a read. I always love it when the real world and the virtual meet, whether by marriages or by physical-world police taking complaints because “someone stole my weapon on World of Warcraft!!”

We do live in interesting times. :)

Gadi Evron,
ge@linuxbox.org.

Comment spam: iframe usage

Lately, the bad guys have been using an iframe in comments in order to pull in the content of a spam web page and attempt to display it on the site that carries the injected comment. Kind of interesting, as much as it is simple (URL deliberately broken):

Viagra <iframe
height="1" width="1" src="http:// h ome.tiscali.cz:8080/ racktire/"></iframe>

Gadi Evron,
ge@linuxbox.org.
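The usual defence is not to filter for the word “iframe” but to whitelist what a comment may contain and drop everything else, including the content inside rejected elements. The following is an added example, not code from the original post: a small whitelist sanitizer on Python’s stdlib html.parser, fed a constructed comment in the shape shown above (the host spam.example.com and the 1x1 heuristic are assumptions for illustration).

```python
"""Whitelist sanitizer for blog comments, dropping injected iframes and flagging 1x1 ones.

Added example, not part of the original post. COMMENT is a constructed sample
in the shape the post describes; the host spam.example.com is made up.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "code", "p", "br", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}
# Elements whose inner content is dropped along with the tag itself.
DROP_CONTENT = {"iframe", "script", "style", "object", "embed"}


class CommentSanitizer(HTMLParser):
    """Re-emits only whitelisted tags/attributes; everything else is recorded in .dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []      # (tag, attrs) for every rejected element
        self._skip_depth = 0   # > 0 while inside a DROP_CONTENT element

    def handle_starttag(self, tag, attrs):
        if self._skip_depth or tag in DROP_CONTENT:
            if tag in DROP_CONTENT:
                self._skip_depth += 1
            self.dropped.append((tag, dict(attrs)))
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append((tag, dict(attrs)))
            return
        kept = []
        for name, value in attrs:
            # Only whitelisted attributes survive, and href must be http(s): no javascript: URLs.
            if name in ALLOWED_ATTRS.get(tag, set()) and self._safe_url(value):
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data))

    @staticmethod
    def _safe_url(value):
        return value is not None and urlsplit(value).scheme in ("http", "https")


def is_tracking_frame(tag, attrs):
    """Assumed heuristic: a 1x1 (or smaller) iframe is the comment-spam signature, not a legitimate embed."""
    if tag != "iframe":
        return False
    try:
        width, height = int(attrs.get("width", "0")), int(attrs.get("height", "0"))
    except ValueError:
        return False
    return width <= 1 and height <= 1


def sanitize_comment(html):
    """Return (clean_html, flags); flags lists hidden-iframe sources worth reporting/blacklisting."""
    parser = CommentSanitizer()
    parser.feed(html)
    parser.close()
    flags = [f"{tag} src={attrs.get('src')}" for tag, attrs in parser.dropped
             if is_tracking_frame(tag, attrs)]
    return "".join(parser.out), flags


# Constructed sample comment in the shape shown above (host is made up).
COMMENT = ('Great post! Viagra <iframe height="1" width="1" '
           'src="http://spam.example.com:8080/racktire/"></iframe> '
           '<a href="javascript:alert(1)">click</a> <b>thanks</b>')

if __name__ == "__main__":
    clean, flags = sanitize_comment(COMMENT)
    print(clean)
    print(flags)
```

Because the parser is whitelist-based, a mis-cased `<IFRAME>`, an unclosed iframe, or a new tag name the spammer switches to is handled the same way: anything not on the list never reaches the page.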

Drop zones and an intelligence war

In this post ( http://www.phenoelit.net/lablog/Irresponsible.sl ), FX describes a drop zone for a phishing/banking trojan horse, and how he got to it.

Go FX. I will refrain from commenting on the report he describes from secure science, which I guess is a comment on its own.

We had the same thing happen twice before in 2006 (that is worth mentioning or can be, in public).

The first time, with a very large “security intelligence” company giving out drop zone data in a marketing attempt to get more bank clients (“hey buddy, why are 400 banks surfing to our drop zone?!?!”).

The second time, with a guy at Defcon showing a live drop zone, and the data analysis for it, asking for it to be taken down (it wasn’t, until a week later during the same lecture at the first ISOI workshop hosted by Cisco). In this guy’s defense though, he was sharing information. At a time when nearly no one was aware of drop zones, even though they had been happening for years, he openly shared data which was commercially valuable and allowed others to get clued up on the threats.

Did anyone ever consider that this is an intelligence source, and that a takedown is not exactly the smartest move?

It’s enough that the good guys all fight over the same information, and even the most experienced security professionals make mistakes that cost in millions of USD daily, but publishing drop zone IPs publicly? That can only result in a lost intelligence source and the next one being, say, not so available.

I believe in public information and the harm of over-secrecy, I am however a very strong believer that some things are secrets for a reason. What can we expect though, when the security industry is 3 years behind and we in the industry are all a bunch of self-taught amateurs having fun with our latest discoveries.

At least we have responsible folks like FX around to take care of things when others screw up.

I got tired of being the bad guy calling “the king is naked”; at least in this case we can blame FX. :)

It’s an intelligence war people, and it is high time we got our act together.

I will raise this subject at the next ISOI workshop hosted by Microsoft ( http://isotf.org/isoi2.html ) and see what bright ideas we come up with.

Gadi Evron,
ge@linuxbox.org.

Botnets: a retrospective to 2006, and where we are headed in 2007

A few months back I released a post on where I think anti-botnet technology is heading. Now it’s time for what happened in 2006, and what we can expect from here on.

I am not a believer in such retrospective looks, as often, they are completely biased and based on what we have seen and what we want to see. This is why I will try and limit myself to what we know happens and is likely to get attention, as well as what we have seen tried by bad guys, which is working for them enough to take to the next level.

What changed with botnets in 2006:

1. Botnets have reached a level where it is unclear today which parts of the Internet are not compromised to some extent. Count the clean hosts rather than the infected ones.
2. Botnets have become the most significant platform from which virtually any type of online attack or crime is launched. Botnets are, in effect, an online infrastructure for abusive or criminal activity.
3. In the past year, botnets have become mainstream. From a field that did not exist even in the professional realm until a few years ago (although attacks were happening constantly regardless), it has turned into the main buzzword and occupation of the security industry today, directly and indirectly.
4. Websites have returned to being one of the most significant infection vectors for building botnets, which hadn’t been the case since the late 90s.
5. Botnets have become the driving force behind organized crime online, with a low-risk, high-profit calculation.
6. New technologies are finally being introduced, moving botnet controllers from using just (or mainly) IRC to more advanced C&C (command and control) channels such as P2P, or to multi-layered ones that combine, for example, DNS and IRC.
7. Botnets used to be a game of quantity. Today, with quantity assured, quality is becoming a major concern for botnet controllers, both in the type of bot and in its abilities.

What’s going to happen with botnets in 2007:

Botnets won’t change; all will remain as it has been for years. Awareness, however, will increase, making the problem appear larger and larger, perhaps approaching its real scale. The bad guys will utilize their infrastructure to get more out of the bots (quality, once quantity is there) and be able to do more than just steal cash, maximizing their revenue.

Further, more and more attackers unrelated to the botnet controllers will make use of already compromised systems and existing botnets to gain access to networks, to facilitate anything from corporate espionage and intelligence gathering to shameless and open shows of strength against those who oppose them (think Blue Security), in the real world as well as the cyber one (which to the mob are one and the same; it’s the income that speaks).

Meaning, the existing botnet infrastructure will be utilized both openly, since online miscreants (the real-world mob) face virtually no risk, and quietly and secretly, for third-party intelligence operations.

Gadi Evron,
ge@linuxbox.org.

Firefox 2.0.0.1 - no fix to Password Manager flaw yet

The new Firefox version 2.0.0.1 arrived with no fix for the Password Manager Information Disclosure vulnerability. This issue was reported on 21st November with this news-type report. The ha.ckers blog wrote about the problem already in August.
The related Bugzilla bug #360493 was also opened earlier, by Robert Chapin.

CVE-2006-6077 has been assigned to this vulnerability. At the time of writing the CVSS severity level is 2.3 (Low).

Version 1.5.0.8, and the new 1.5.0.9, are affected too.

How Not to Protect Your Customers from Phishing

When we talk about security awareness, we sometimes say that a certain company “does not get it”. It’s hard to define how we measure that and what makes us say that a certain company does or does not “get it” (or even what “it” is) - we just know, just like you can tell which mp3 players suck or which jokes are funny but you can’t always say why.

Many security experts will agree that companies that “don’t get it” fail time after time in trivial security matters, whereas companies with high security awareness will only rarely screw up.

The Bank of America was on my list of companies that ‘got’ what security really is. From the first time I signed up for the service, I noticed they did not fall into the Security by Obstruction trap. Signing up was easy: I got to select my own username and password, which means I didn’t need to write either one down (finally an online bank that understands that brute-force attacks should be blocked on the server side and not by forcing the client to choose an impossible password). In fact, it’s the only password or PIN that I don’t have 3-4 copies of in all my electronic and physical wallets.

(more…)

My name is Chatosky - I spread with Skype

A new worm spreading via Skype has been reported recently.

According to the Websense blog, the victim receives a message via Skype Chat:

* the filename is called sp.exe
* assuming the file is run, it appears to drop and run a password-stealing Trojan horse
* the file also appears to run another set of code that uses Skype to propagate the original file

Symantec uses the name W32.Chatosky in the description document it released for the worm.

The malware queries Skype for random users every three minutes, and displays an error message if Skype is not installed on the system.

Update: Updated Websense information released on Tuesday states that it is, in fact, a Trojan horse:
www.websense.com/securitylabs/alerts/alert.php?AlertID=716.

Test it (for security holes) before you buy it

It seems that blackbox testing tools (fuzzers) are gaining ground, but not in the way I would have expected.

I expected software/networking vendors to be buying commercial fuzzers to check their products for security holes (or using open source fuzzing tools as part of the development cycle). Surprisingly, most companies I know that have implemented fuzzers are not the ones writing code, but those who rely on other people’s products - telcos, cell phone providers, financial institutions, and equipment suppliers.

Apparently, some of these companies check 3rd party products for security holes before they install them in their network.

While this ‘certification’ attitude is expected from financial institutions, it’s pleasantly surprising to see it from equipment suppliers, for example. One large telco went as far as informing several networking equipment vendors that any new version of their networking products will undergo extensive security tests before it is purchased. Since the tests are done with a commercial fuzzing product, the networking vendor has a chance to buy a similar product and do its testing already in the development lab, saving itself the shame of having the customer find its security holes for it.

Perhaps I shouldn’t be too surprised; there have been many instances of organizations running Nessus on their networking equipment and sending the vendor a ‘report card’ with all the known vulnerabilities present in the product. But doing a quick Nessus run is very different from implementing security testing as part of the acceptance process. At least one company has picked up on this upcoming trend: BreakingPoint’s business model is built around companies benchmarking security products before deciding which ones to buy. Will this trend tie in with testing products for security holes before deciding which ones to buy?

Another pleasant surprise is that Microsoft, who has been behind in terms of security for many years (to a point where many people, myself included, were convinced that they “just don’t get it”), has implemented a fuzzing infrastructure that is more advanced than anything else I’ve seen. A couple of networking vendors are not too far behind, but the rest of the software development world seems to be in the security testing dark ages.

This is obviously a good step for the security world - if large customers begin to pressure product vendors to develop more secure products (rather than spend marketing dollars on branding themselves as secure), product security will have a clearer ROI and the result will be more secure products.

A cynical friend of mine told me that this is yet another proof that product vendors will not take steps to increase their products’ security unless pushed to do so by external forces. I tend to think that, whatever the reasons, a net result of fewer security holes is good for everyone.

How good are MySpace passwords - better than expected

Bruce Schneier reports in his latest Crypto-Gram newsletter:

It’s a hard question to answer because data is scarce. But recently, a colleague sent me some spoils from a MySpace phishing attack: 34,000 actual user names and passwords.

As many as 25% of users had a password of eight characters, and 17% logged in with a password of nine characters.

There were some 32-character passwords as well (!).

The entry continues that 28% were just lowercase letters plus a single final digit, and two-thirds of those have the single digit 1. The report lists passwords like password1, myspace1, qwerty1, 123456, princess1 etc. as the most common, however. But there is that ‘1’ added!

Some older references are included too.

Have a safe weekend!
Juha-Matti Laurio
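The breakdown quoted above (length distribution, share of “lowercase word plus one digit”, how many of those end in 1) is easy to reproduce on any leaked list, and the same classification doubles as a sign-up check that rejects exactly the password1/myspace1 style. The following is an added example and not part of the original post or of Schneier’s data: SAMPLE is a constructed list of 20 passwords in the shape of the ones quoted, so its percentages are illustrative only, and COMMON_WORDS stands in for the top-N wordlist a real check would load from disk.

```python
"""Password-list breakdown in the style of the Crypto-Gram entry, plus a sign-up check.

Added example, not part of the original post or of Schneier's data. SAMPLE and
COMMON_WORDS are constructed stand-ins; the percentages are illustrative only.
"""
import re
from collections import Counter

# Constructed sample shaped like the quoted leak (not real data).
SAMPLE = ["password1", "myspace1", "qwerty1", "123456", "princess1", "abc123",
          "iloveyou1", "monkey1", "football2", "Summer2006", "blink182",
          "jessica", "Tr0ub4dor&3", "correcthorsebatterystaple", "baseball1",
          "soccer", "p@ssw0rd", "hello1", "charlie9", "LetMeIn!2006"]

# Assumption: stand-in for the top-N list a real check would load from a file.
COMMON_WORDS = {"password", "myspace", "qwerty", "princess", "iloveyou",
                "monkey", "football", "baseball", "soccer", "hello", "abc"}

LOWER_THEN_ONE_DIGIT = re.compile(r"^[a-z]+\d$")
LEET = str.maketrans("@0134$", "aoleas")   # undo the usual substitutions before the dictionary lookup


def length_distribution(passwords):
    """Fraction of passwords per length, the first table in the Crypto-Gram entry."""
    counts = Counter(len(p) for p in passwords)
    return {n: counts[n] / len(passwords) for n in sorted(counts)}


def lowercase_plus_digit_share(passwords):
    """Return (share matching lowercase+one digit, share of those whose digit is '1')."""
    hits = [p for p in passwords if LOWER_THEN_ONE_DIGIT.match(p)]
    ones = sum(p.endswith("1") for p in hits)
    return len(hits) / len(passwords), (ones / len(hits) if hits else 0.0)


def weakness(password):
    """Why a password would fall to a dictionary+rule attack, or None if these rules do not catch it."""
    if password.isdigit():
        return "digits only"
    # Strip the trailing digit/punctuation "entropy", lowercase, undo leet: password1 -> password.
    core = password.rstrip("0123456789!?").lower().translate(LEET)
    if core in COMMON_WORDS:
        return "common word plus optional suffix"
    if len(password) < 8:
        return "shorter than 8"
    return None


def audit(passwords):
    """How many passwords each rule catches; the None bucket is what survives these rules."""
    return Counter(weakness(p) for p in passwords)


if __name__ == "__main__":
    print("by length:", length_distribution(SAMPLE))
    print("lowercase+digit share, share ending in 1:", lowercase_plus_digit_share(SAMPLE))
    print("audit:", audit(SAMPLE))
```

Note that the check rejects on the normalised core, so p@ssw0rd and password1 fail for the same reason; a length-only policy would wave both through.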

These two weeks of Word flaws - can we survive?

Since 5th December we have seen three separate, serious vulnerabilities in Microsoft Word:

[Disclosed - original reference - CVE name; affected products and versions on the following line]

Tue 5th Dec - MS Security Advisory #929433 - CVE-2006-5994 and FAQ
Word 2003/2002/2000, Word 2004/v. X for Mac, Works 2006/2005/2004, Word Viewer 2003

Sat 9th Dec - MSRC Blog entry 10th Dec - CVE-2006-6456
Word 2003/2002/2000, Word Viewer 2003

Tue 12th Dec - Fuzzing list posting - CVE-2006-6561
Word 2003/2002/2000, Word 2004/v. X for Mac, Word Viewer 2003, OpenOffice.org 2/1.1.3, AbiWord 2.2

A new VirusTotal submission related to the third issue has been made. There are somewhat better results now:

# 12.15.2006 01:04:58 (CET)

AntiVir 14th Dec: EXP/W97M.DuBug
BitDefender 15th Dec: Exploit.MSWord.Gen.2
Fortinet 14th Dec: W32/CVE20065994!exploit (the CVE of 1st issue)
Ikarus 14th Dec: Exploit.MSWord.Gen.2
McAfee 14th Dec: Exploit-MSWord.c.demo
NOD32v2 14th Dec: W97M/Exploit.1Table.NAE
Panda 15th Dec: Trj/1Table.D

Symantec is not listed, but they have released Bloodhound.Exploit.108.

The AV coverage of the 12122006-djtest.doc PoC is extremely poor

This rather negative title is based on the current VirusTotal scan result for the Word 0-day PoC file 12122006-djtest.doc. This proof-of-concept file was publicly released on Tuesday 12th December [I’m not linking to the exploit/PoC site].

The complete scanning result for “12122006-djtest.doc”, submitted to VirusTotal.com recently, is the following:

–clip–

Antivirus Version - Update Result
AntiVir 7.3.0.15 - 12.13.2006 no virus found
Authentium 4.93.8 - 12.13.2006 no virus found
Avast 4.7.892.0 - 12.13.2006 no virus found
(more…)