SANS ISC InfoSec Handlers Diary Blog

Fake anti-virus

Published: 2009-09-04
Last Updated: 2011-01-24 23:50:54 UTC
by Adrien de Beaupre (Version: 1)
12 comment(s)

Matt wrote in with the following:

"It might be a good idea to make end users aware that the fake-antivirus scan / trojan / ransomware people have raised the bar.  I'm planning to put together a small educational email to send to my end users.

I had a difficult malware extraction today.  One of our users ended up with Windows Police Pro (WPP) malware installed on her machine. I was really surprised at how tough this program was to clear, and ended up re-loading the machine via Ghost image.

In the past two days, I've heard of two reports of users getting infected, had to handle one myself, and got an email after work from a tech at a remote site.  It appears the fake-antivirus scammers have improved their game a lot. The initial 'lure' on the web has been polished quite a bit to get users to accept the program.

The issues that made Windows Police Pro especially hard to remove were:

1. The main program will not close, and will respawn if killed through Task Manager.
2. The program puts up fake Windows Security pop-ups that are very good copies of the original.
3. It contains a fake of the Windows Security control panel that is a very accurate reproduction.
4. It re-assigns actions for .exe files to its own command interpreter, desote.exe.  This program does not run any .exe chosen, just pops up an error window claiming the desired file is infected.  This action makes it impossible to install MalwareBytes or CCleaner, or even run just about anything else from within the infected session.

I tried to change the .exe assignment in the Registry, but ultimately just deleted the main WPP program files and desote.exe file (Windows Search would still work), which meant the machine came up with the 'I don't know what program to use to open this file' dialog when I clicked on the installer package.  I was able to manually find and run cmd.exe from the /Windows/System32 directory, and get CCleaner to install, but it did not fix the broken registry keys to re-stabilize the system.  At this point I just gave up pursuit, copied the user's files to USB drive, and reloaded from Ghost.

The only element of this that I thought was groundbreaking was the .exe hijack.  Otherwise it's just an impressive polishing job on a tired scam.

Users with only Windows knowledge, or otherwise without an alternate OS to use to cure this, will be at a big disadvantage."

Thanks Matt! Couldn't agree more.
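The .exe hijack Matt describes works by repointing the file association that Windows consults every time an executable is launched. The following script is an added example (not code from the diary or from Matt) that reads the two registry values involved, the default value of HKEY_CLASSES_ROOT\.exe (normally "exefile") and the default value of HKEY_CLASSES_ROOT\exefile\shell\open\command (normally "%1" %*), and reports anything that interposes another program. The path C:\Windows\desote.exe in the constructed sample is an assumption; only the file name desote.exe comes from Matt's report. On a non-Windows host the script runs against the constructed samples instead of the live registry.

```python
"""Check the Windows .exe file-association chain for an interposed interpreter.

Added example, not from the ISC diary or its contributor. A clean machine has
HKCR\\.exe -> "exefile" and HKCR\\exefile\\shell\\open\\command -> "%1" %*.
Fake anti-virus such as the Windows Police Pro variant described above replaces
the open command so that its own program decides whether "%1" ever runs.
"""
import re
import sys

# Known-good default values on an unmodified Windows installation.
EXPECTED_EXE_CLASS = "exefile"
EXPECTED_OPEN_COMMAND = '"%1" %*'

# Constructed samples: a clean machine and one whose association has been
# repointed at an interpreter (path is hypothetical, name is from Matt's report).
SAMPLES = {
    "clean": ("exefile", '"%1" %*'),
    "hijacked": ("exefile", r'"C:\Windows\desote.exe" "%1" %*'),
}

# Matches a program reference that precedes the "%1" placeholder.
INTERPOSED_PROGRAM_RE = re.compile(r'\s*"?([^"]*?\.exe)"?', re.IGNORECASE)


def assess_exe_association(exe_class, open_command):
    """Return a list of findings; an empty list means the association is intact."""
    findings = []
    if exe_class.strip().lower() != EXPECTED_EXE_CLASS:
        findings.append(
            f"HKCR\\.exe default value is {exe_class!r}; expected {EXPECTED_EXE_CLASS!r}"
        )
    # Collapse whitespace so '"%1"  %*' is still treated as the default.
    normalized = " ".join(open_command.split())
    if normalized != EXPECTED_OPEN_COMMAND:
        match = INTERPOSED_PROGRAM_RE.match(open_command)
        if match and "%1" not in match.group(1):
            findings.append(f"every .exe launch is routed through {match.group(1)}")
        else:
            findings.append(
                f"open command is {open_command!r}; expected {EXPECTED_OPEN_COMMAND!r}"
            )
    return findings


def read_exe_association():
    """Read the two live registry values (Windows only; winreg is stdlib there)."""
    import winreg

    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, ".exe") as key:
        exe_class = winreg.QueryValueEx(key, "")[0]
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command") as key:
        open_command = winreg.QueryValueEx(key, "")[0]
    return exe_class, open_command


def main():
    if sys.platform == "win32":
        targets = {"live registry": read_exe_association()}
    else:
        targets = SAMPLES
    for name, (exe_class, open_command) in targets.items():
        findings = assess_exe_association(exe_class, open_command)
        verdict = "OK" if not findings else "TAMPERED"
        print(f"{name}: {verdict}")
        for finding in findings:
            print(f"  - {finding}")


if __name__ == "__main__":
    main()
```

Restoring the two default values (from a session that can still run regedit or reg.exe, or offline from another OS as Matt notes) is what reverses this particular hijack; the script only reports, so it can be run from a read-only account as part of a routine host check.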

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.

Keywords: fake antimalware

Vulnerabilities (plural) in MS IIS FTP Service 5.0, 5.1, 6.0, 7.0

Published: 2009-09-04
Last Updated: 2011-01-24 23:50:32 UTC
by Adrien de Beaupre (Version: 1)
0 comment(s)

Microsoft has published an advisory on multiple vulnerabilities in the Microsoft FTP services bundled with IIS 5.0, IIS 5.1, IIS 6.0 and IIS 7.0. At this time arbitrary remote code execution only works against IIS 5.0 running on fully patched Windows 2000; on more recent versions a DoS condition occurs instead. If you are still running an Internet accessible FTP service you may want to take this opportunity to rethink running it under IIS. For internal instances I might monitor them very closely. One mitigation is to NOT allow anonymous connections, which the POC circulating on the Internet relies on. This holds unless the attacker is able to obtain a valid username for the system and modify the exploit accordingly; in that case the DoS can still occur, but complete compromise of the system will not. The DoS takes out all inetinfo processes, including www. There is currently no patch available for these vulnerabilities, and the exploit code is available. Take the appropriate precautions.

If you must allow FTP, disable anonymous access. If you must allow anonymous access, modify the NTFS permissions to disable write access. If you must allow write access, disable creation of directories. You will still be vulnerable to the DoS in any case.
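To confirm that those mitigations actually hold, and to watch an internal instance closely as suggested above, the following added example (not from the diary or from Microsoft) audits an IIS FTP log in W3C extended format. It parses records from the #Fields header, tracks each session by client address and the [n] session tag in the method field, and reports anonymous logins, anonymous login attempts that were rejected, and any write or directory-creation command issued inside an anonymous session. The sample log is constructed for the example; the field names follow the W3C extended format, but a real log's #Fields line is what the parser relies on.

```python
"""Flag anonymous logins and anonymous write activity in an IIS FTP log.

Added example, not from the ISC diary. The diary's mitigations are: no
anonymous access; failing that, no write access; failing that, no directory
creation. Each finding below corresponds to one of those controls being open.
"""
import re

# Commands that modify the server's file system. MKD/XMKD is the directory
# creation the diary says to disable; the rest cover uploads, renames, deletes.
WRITE_COMMANDS = {"MKD", "XMKD", "STOR", "STOU", "APPE", "RNTO", "DELE", "RMD", "XRMD"}

# Usernames that IIS treats as anonymous logons.
ANONYMOUS_USERS = {"anonymous", "ftp"}

# IIS prefixes each FTP command with its session number, e.g. "[1]USER".
METHOD_RE = re.compile(r"^\[(\d+)\](\w+)$")

# Constructed sample in the shape of an IIS W3C extended FTP log.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-09-04 12:00:00
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status
2009-09-04 12:00:01 10.0.0.5 - [1]USER anonymous 331 0
2009-09-04 12:00:02 10.0.0.5 anonymous [1]PASS guest@example.com 230 0
2009-09-04 12:00:03 10.0.0.5 anonymous [1]MKD newdir 257 0
2009-09-04 12:00:04 10.0.0.5 anonymous [1]STOR upload.bin 226 0
2009-09-04 12:01:00 10.0.0.9 - [2]USER alice 331 0
2009-09-04 12:01:01 10.0.0.9 alice [2]PASS - 230 0
2009-09-04 12:01:02 10.0.0.9 alice [2]MKD reports 257 0
2009-09-04 12:02:00 10.0.0.7 - [3]USER anonymous 331 0
2009-09-04 12:02:01 10.0.0.7 anonymous [3]PASS x@y 530 0
"""


def parse_w3c(text):
    """Yield one dict per data record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if fields is None:
            raise ValueError("data record appears before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed record; a production tool would report it
        yield dict(zip(fields, values))


def audit_ftp_log(text):
    """Return findings as (kind, client_ip, user, detail) tuples, in log order."""
    sessions = {}  # (client ip, session id) -> username given in USER
    findings = []
    for rec in parse_w3c(text):
        match = METHOD_RE.match(rec.get("cs-method", ""))
        if not match:
            continue
        session_id, command = match.group(1), match.group(2).upper()
        client_ip = rec.get("c-ip", "-")
        key = (client_ip, session_id)
        arg = rec.get("cs-uri-stem", "-")
        status = rec.get("sc-status", "")
        if command == "USER":
            sessions[key] = arg.lower()
            continue
        user = sessions.get(key, "?")
        anonymous = user in ANONYMOUS_USERS
        if command == "PASS":
            if anonymous and status == "230":
                findings.append(("anonymous-login", client_ip, user, arg))
            elif anonymous:
                findings.append(("anonymous-rejected", client_ip, user, arg))
            continue
        if anonymous and command in WRITE_COMMANDS:
            findings.append(("anonymous-write", client_ip, user, f"{command} {arg}"))
    return findings


if __name__ == "__main__":
    for kind, ip, user, detail in audit_ftp_log(SAMPLE_LOG):
        print(f"{kind:<19} {ip:<12} {user:<10} {detail}")
```

On a server where anonymous access has been disabled, the only anonymous findings should be of kind anonymous-rejected; an anonymous-login or anonymous-write finding means the corresponding mitigation from the list above is not in place on that instance.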

The following CVEs are assigned:

CVE-2009-3023 (RCE on IIS 5.0 and DoS on IIS 5.1 and IIS 6.0)
CVE-2009-2521 (DoS on IIS 5.0, IIS 5.1, IIS 6.0, and IIS 7.0)

The advisory is here: http://www.microsoft.com/technet/security/advisory/975191.mspx

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.


So, you updated your Flash did you?

Published: 2009-09-04
Last Updated: 2011-01-24 23:50:14 UTC
by Adrien de Beaupre (Version: 1)
1 comment(s)

Helpfully, Snow Leopard downgrades it for you. If you had upgraded to Flash version 10.0.32.18 prior to installing the new OS, you ended up with Flash version 10.0.23.1 afterwards, leaving you vulnerable.

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.

Keywords: flash snow leopard

SeaMonkey Security Update

Published: 2009-09-04
Last Updated: 2011-01-24 23:49:58 UTC
by Adrien de Beaupre (Version: 1)
0 comment(s)

SeaMonkey is an 'all-in-one' Internet suite for users. SeaMonkey 1.0 will no longer be updated; download the new version, SeaMonkey 1.1.18, which has a number of security fixes. The advisory is here: http://www.seamonkey-project.org/news#2009-09-03 with release notes: http://www.seamonkey-project.org/releases/seamonkey1.1.18/

Download link is here: http://www.seamonkey-project.org/releases/#1.1.18

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.

Keywords: seamonkey update