Winamp buffer overflow

Published: 2006-02-25. Last Updated: 2006-02-25 15:33:14 UTC
by Brian Granier (Version: 1)
0 comment(s)
We have been monitoring a reported flaw in Winamp 5.12 and 5.13. A buffer overflow triggered by a playlist entry containing an overly long file name can crash the application at best and allow arbitrary code execution at worst. To date, we are not aware of any proof-of-concept that uses this vulnerability successfully for malicious purposes. This problem is fixed in Winamp 5.2, so users are advised to update. More details about this issue can be found at http://secunia.com/advisories/18848.
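The trigger condition in the advisory is an over-long file name inside a playlist. A practical mitigation while users wait to update is to screen playlists from untrusted sources before opening them. The following added example (not code from the diary, Secunia or Winamp) does that for M3U-style playlists; the M3U layout handling and the 260-character limit are assumptions chosen for illustration, not figures from the advisory.

```python
# Added example, not code from the diary or from Winamp: a pre-screen for playlist files
# received from untrusted sources. It flags entries whose path length exceeds a limit,
# which is the trigger condition the advisory describes (a long file name in a playlist).
# The M3U layout and the 260-character limit are assumptions for illustration.
from typing import List, Tuple

MAX_ENTRY_LEN = 260  # assumption: Windows MAX_PATH; tune for the player you protect


def scan_m3u(text: str, limit: int = MAX_ENTRY_LEN) -> List[Tuple[int, int, str]]:
    """Return (line_number, length, preview) for every entry longer than `limit`.

    Lines beginning with '#' are M3U directives (#EXTM3U, #EXTINF) or comments and
    are not file entries, so they are skipped; blank lines are skipped too.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        if len(entry) > limit:
            findings.append((lineno, len(entry), entry[:40] + "..."))
    return findings


def is_safe_playlist(text: str, limit: int = MAX_ENTRY_LEN) -> bool:
    """True when no entry exceeds the limit, i.e. the playlist passes the screen."""
    return not scan_m3u(text, limit)


# Constructed samples: a normal playlist and one with an oversized entry.
SAMPLE_OK = "#EXTM3U\n#EXTINF:213,Artist - Track One\nC:\\Music\\track1.mp3\n"
SAMPLE_LONG = "#EXTM3U\n#EXTINF:1,x\n" + "A" * 2000 + ".mp3\n"

if __name__ == "__main__":
    for name, text in (("ok.m3u", SAMPLE_OK), ("long.m3u", SAMPLE_LONG)):
        print(name, "safe" if is_safe_playlist(text) else scan_m3u(text))
```

Run it on a downloaded playlist before handing the file to the player; a single finding is enough to quarantine the file, and the preview column shows what the oversized entry starts with.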

Plugin auto-installation a good thing?

Published: 2006-02-25. Last Updated: 2006-02-25 15:32:57 UTC
by Brian Granier (Version: 1)
A vulnerability was recently discovered in the Macromedia Shockwave installer that allowed a malicious site with specifically crafted content to deliver arbitrary code for execution as part of a plug-in ActiveX installation script. The vendor has reportedly fixed the installer to eliminate this vulnerability. However, to be cautious, if you intend to use Shockwave, it would be advisable to install it directly from the vendor's site rather than allowing auto-installation of the plugin from a random site whose content requires it. The original advisory and more details can be found at http://www.zerodayinitiative.com/advisories/ZDI-06-002.html.

Malware: When <!-- comments --> become commands

Published: 2006-02-25. Last Updated: 2006-02-25 02:29:38 UTC
by Lorna Hutcheson (Version: 1)
It's always exciting to find something that you have never seen before! Most of the time it's the same malware that's been repacked or just a new flavor of it. However, not yesterday. Yesterday was a day to remember! A reader submitted an attachment that they had received at their organization. It was carefully worded to get the users to want to read the email and open the attachment. That is where this adventure begins! I passed it through Norman and it saw nothing. I also passed it through VirusTotal and it only got a few hits, but it wasn't detected by the major AV folks.

I started to look at the malware and got it unpacked in my faithful debugger when I saw some strings that always pique my interest... those that give you a command shell. I always like those. There was also a URL in the strings, so I fired the malware up in my VM and saw that it indeed wanted to go to that URL. I looked at the source code for the actual URL and found nothing really unique about it. There were two .htm files in that website's directory structure. One we'll call "file.htm" and the other "file2.htm". A regular user gets "file.htm" when they visit the site, but the malware wanted "file2.htm". The only difference between the two files was 8 little characters commented out at the top using the HTML comment delimiters "<!--" and "-->", which seemed interesting.

Well, if it wants a website... give it a website (isn't VM great). I set up a website for my malware using copies of the htm files from the actual site and sent it on its happy way. A packet capture showed the malware going to the website, establishing a connection, getting the file it wanted, sending an ACK for it and then a RST ending the connection. My curiosity was piqued: what exactly was the purpose of it going to that specific site? So when I encounter something new and cool and really need an expert on the code... what do I normally do... find my fellow handler Tom Liston and see if he has time to play!

Tom (many thanks to you Tom!) and I spent a lot of time looking at this and the mystery is not yet solved as to how it is working in its entirety. But it's scary as it currently exists. Not the delivery of it, but the malware itself. The malware gets installed by a user clicking on a link in the email to download a file and then opening that file, or by opening the attachment and running it. The .exe installs itself and runs as a service. The malware contacts the site and does a GET, the site passes the page back, and it looks just like normal web traffic to the casual observer. The malware however parses the first 64 bytes of the page it gets, which means it grabs those unique little characters at the top and a little more. Then it uses a delimiter of <!-- for the left side and --> for the right side and pulls the characters out of the middle. It runs them through several commands, but it doesn't appear that the string on the page is the one it's looking for right now. Nothing is happening with it at this point. We have theories as to what the malware is doing and we are working to confirm them.

However, it doesn't take much to realize that it is a unique approach and many nasty things could be done. It's really just another sad indicator as to the direction that malware is going and how much more difficult our battle is to keep our networks secure.
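The parsing step the diary describes (read the first 64 bytes of the fetched page, take whatever sits between <!-- and -->) is also a usable detection signature for captured web traffic. The following added example, which is not the handlers' code and not the malware's, reproduces that step as a checker for HTTP responses and classifies what it finds. The sample responses are constructed to mirror the diary's "file.htm" versus "file2.htm" difference (an 8-character comment at the top of one of them); the "short opaque token versus phrase" heuristic used for the verdict is an assumption added here, not something the diary states about the real token.

```python
# Added example (not code from the diary or from the malware described): reproduce the
# parsing step the diary describes, then use it as a detection check on captured HTTP
# responses. All sample responses below are constructed for illustration.
import re
from typing import Optional

LEFT_DELIM = b"<!--"
RIGHT_DELIM = b"-->"
WINDOW = 64  # the malware parses only the first 64 bytes of the page (from the diary)


def body_of(raw_response: bytes) -> bytes:
    """Split a raw HTTP/1.x response and return the body (bytes after the blank line)."""
    _head, sep, body = raw_response.partition(b"\r\n\r\n")
    if not sep:  # tolerate bare-LF responses
        _head, sep, body = raw_response.partition(b"\n\n")
    return body if sep else b""


def extract_leading_comment(body: bytes, window: int = WINDOW) -> Optional[bytes]:
    """Return the text between the first <!-- and --> that both fall inside the window.

    Returns None when there is no opening delimiter in the window, or when the
    comment is opened but not closed within it (the malware's 64-byte read would
    not see the closing delimiter either).
    """
    head = body[:window]
    start = head.find(LEFT_DELIM)
    if start == -1:
        return None
    end = head.find(RIGHT_DELIM, start + len(LEFT_DELIM))
    if end == -1:
        return None
    return head[start + len(LEFT_DELIM):end].strip()


# Heuristic (assumption, not from the diary): a legitimate leading comment is usually a
# phrase with whitespace (generator banners, editor notes); a beaconing token is a
# short opaque string with no spaces.
TOKEN_RE = re.compile(rb"^[A-Za-z0-9+/=_-]{1,32}$")


def inspect_response(raw_response: bytes) -> dict:
    """Classify one captured response: the extracted comment and a verdict."""
    comment = extract_leading_comment(body_of(raw_response))
    if comment is None:
        verdict = "clean"
    elif TOKEN_RE.match(comment):
        verdict = "suspect"
    else:
        verdict = "comment"
    return {"comment": comment, "verdict": verdict}


# Constructed samples: the page a regular visitor gets, the variant the malware asks
# for (identical except for an 8-character comment at the top), and a benign page
# whose leading comment is an ordinary generator banner.
HEADERS = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
PAGE = b"<html><head><title>Welcome</title></head><body>Hello</body></html>"
FILE_HTM = HEADERS + PAGE
FILE2_HTM = HEADERS + b"<!-- AbCd1234 -->\n" + PAGE
CMS_HTM = HEADERS + b"<!-- generated by example cms, do not edit -->\n" + PAGE

if __name__ == "__main__":
    for name, raw in (("file.htm", FILE_HTM), ("file2.htm", FILE2_HTM), ("cms.htm", CMS_HTM)):
        print(name, inspect_response(raw))
```

Run over the bodies of responses from a capture, this separates pages that carry a short opaque token in their first 64 bytes from both comment-free pages and pages with ordinary leading comments; the 64-byte window matters, because a comment that starts or ends further into the page is invisible to the malware's parser and should not be scored the same way.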


Out of cycle Oracle patch?

Published: 2006-02-25. Last Updated: 2006-02-25 01:44:41 UTC
by Brian Granier (Version: 1)
We recently received a report about a potential out-of-cycle patch related to Oracle Diagnostics called "Diagnostics Support Pack February 2006 with Oracle Diagnostics 2.3 RUP A". We currently have no verification of what it is or what it does. If anyone has any details about this patch, please let us know!

T. Brian Granier
Handler on Duty
