• MSDN information
• Mozilla documentation

"Microsoft Internet Explorer 7 allows remote attackers to prevent users from leaving a site, spoof the address bar, and conduct phishing and other attacks via onUnload Javascript handlers. "

"Mozilla Firefox fails to properly handle JavaScript onUnload events. Specifically, Firefox may not correctly handle freed data structures modified in the onUnload event handler possibly leading to memory corruption. By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user.

"Put safety first.
Robust new Internet Explorer 7 architecture and improved security features help protect you against malicious software, and help to keep your personal data safe from fraudulent websites and online phishing scams." (taken from http://www.microsoft.com/windows/products/winfamily/ie/default.mspx )

{01010200-5e80-11d8-9e86-0007e96c65ae}
{01010e00-5e80-11d8-9e86-0007e96c65ae}
{01011300-5e80-11d8-9e86-0007e96c65ae}
{01013A00-5E80-11D8-9E86-0007E96C65AE}
{01013B00-5E80-11D8-9E86-0007E96C65AE}
{01013C00-5E80-11D8-9E86-0007E96C65AE}
{01013D00-5E80-11D8-9E86-0007E96C65AE}
{01013F00-5E80-11D8-9E86-0007E96C65AE}
{01014000-5E80-11D8-9E86-0007E96C65AE}
{01014100-5E80-11D8-9E86-0007E96C65AE}
{01014B00-5E80-11D8-9E86-0007E96C65AE}
{01111c00-3e00-11d2-8470-0060089874ed}
{01111e00-3e00-11d2-8470-0060089874ed}
{01111f00-3e00-11d2-8470-0060089874ed}
{01112500-3e00-11d2-8470-0060089874ed}
{01112800-3e00-11d2-8470-0060089874ed}
{01113300-3e00-11d2-8470-0060089874ed}
{01114200-3e00-11d2-8470-0060089874ed}
{01114300-3e00-11d2-8470-0060089874ed}
{01114400-3e00-11d2-8470-0060089874ed}
{01114500-3e00-11d2-8470-0060089874ed}
{01114600-3e00-11d2-8470-0060089874ed}
{01114700-3e00-11d2-8470-0060089874ed}
{01114800-3e00-11d2-8470-0060089874ed}
{01116e00-3e00-11d2-8470-0060089874ed}

We received a report from Hugh Brower that there is a spammed email destined for whois contacts that contains a malicious php attachment. The email is spoofed to look like it's from the domain's hosting provider. The email attempts to trick the recipient into executing the attachment. Currently the attachment information is;

Attachment Name webguard.php
File size: 130990 bytes
MD5: 1071956063131f0fd178ace92ab526bb
SHA1: c47dd28e336030e3d940b66e2884aba91124a831

The email says;

"Subject: Hosting Regular Security Maintenance

Dear yourdomainhost valued Members

Regarding our new security regulations, as a part of our yearly maintenance we have provided a security guard script in the attachment.

So, to secure your websites, please use the attached file and (for UNIX/Linux Based servers) upload the file "webguard.php" in:

"./public_html" or (for Windows Based servers) in: "./wwwroot" in your site.

If you do not know how to use it, you can use the following instruction:

For Unix/Linux or Windows based websites that use PHP/CGI/PERL/ASP:

1) Download the attachment named "webguard.php"

2) Login to your site Control panel.

3) Open "File Manager" window.

4) Go through "Public_html" or "htdocs" (for UNIX/Linux Based servers),

but for Windows Based server, please Go through "wwwroot" directory.

5) Choose "Upload Files"

6) Upload the file "webguard.php"

7) Check its URL too "http://www.yoursite.com/webguard.php", if it is ok

Thank you for using our services and products. We look forward to providing you with a unique and high quality service.

Best Regards"

The attack has targeted more than one domain but does not appear to be widespread at the moment. Additional details will be posted as they develop.

Thanks Hugh!

We've received a report of a spammed email with a hyperlink that ultimately attempts to install malware. The email is targeting Austrailians, the email references a heart attack that the Prime Minister has suffered, of course no such heart attack has occurred.

The email tells the reader to go to Australia's "The Australian - keeping the nation informed" website but the link is not for the real "The Australian" website. The bogus link is to austr-news.c_oh_m.

Thanks for the report Eric!

In the recent past, we've shown several methods on how to unravel obstinate JavaScript codes used to convey exploits. Here's a brief round-up of the methods we commonly use. All four methods require that you get a copy of the hostile page, preferably by use of a text-only HTML tool like wget, curl or similar (since you cannot easily download a Javascript exploit with a browser that speaks Javascript without also running the Javascript code at the same time).

The Lazy Method
Edit your copy of the hostile HTML so that it only contains the necessary HTML headers and the Javascript you're interested in. Then hunt down all occurences of "document.write" and "eval" inside the Javascript and replace them with "alert". Copy the modified file onto a web server of yours, or to some other place from where you can easily open it with a web browser, which should make the decoded JavaScript appear inside one (or several) pop-up "alert" windows.

Pro: Quick and easy to accomplish
Con: Usually only decodes one (the first) encoding stage. Don't be disappointed if you get the next level of gibberish in your alert pop-up.


The Tom Liston Method
As explained eg. in https://isc2.sans.org/diary.html?storyid=1917. In your copy of the hostile page, hunt down all the "eval(txt)" and "document.write(txt)" function calls, and replace them with document.write("<textarea rows=50 cols=50>");document.write(txt); document.write("</textarea>"); Then again put the modified HTML onto some place from where you can open it with a web browser. The decoded JavaScript will show up inside a textarea panel.

Pro: Quick and easy to accomplish, and in case the textarea reveals another stage of encoded Javascript, this method allows for easy cut-and-paste to continue the decoding.
Con: Careful with typos. If you have a typo in the leading textarea definition, the following "document.write(txt)" will go right to the browser, as it originally would have, and the exploit will execute.


The Perl-Fu Method
Try to make sense of the Javascript decoding routine, and then re-create it with a short code block in PERL.

Pro: Very easy and fast for use on the dumber encoding methods like XOR, cesarean ciphers (character permutations), etc. Also the "safest" method, as this approach alone does not actually execute the hostile code.
Con: You have to speak Perl and be able to translate the Javascript decoding into Perl. Much too tedious an approach for very convoluted Javascript, or JavaScript codes using functions which are hard to translate into Perl (like the arguments.callee codes seen frequently in fall 2006)


The Monkey Wrench Method
Use the stand-alone Javascript interpreter "SpiderMonkey"  to run the encoded Javascript block. Replace the document.write(txt) with print(txt) before doing so, SpiderMonkey doesn't have any document object by default.

Pro: Little hassle, good results, fast method to get around a hard "outer shell" of a Javascript block encoded multiple times, works well in combination with the Perl-Fu method.
Con: Fails for Javascript code deliberately written to only uncompress on Internet Explorer.


Caveat: For the first two methods mentioned, be mindful that you are actually running hostile code inside a potentially vulnerable web browser. Make sure to apply the usual precautions (VMWare or the like, deployed far away from any production network you might have, and keeping a keen eye on the firewall log, etc).

...and before you write in to ask: Yes, concrete examples on how to use the four methods above will follow later today :)

• PPC Arch Only (We haven't been able to reproduce on Intel based machines)
• 10.4.8 (We can't reproduce on 10.3, only 10.4) and
• Those machines that are patched to 2007-0001 level

• It had problems with Installing the latest Java update but succeeded after a second try
• It cannot complete the download of iTunes+Quicktime 7.0.2 (download freaks out halfway)
• It does download Security Update 2007-0001, but fails to install it 
• It never was allowed to download Security Update 2007-0002 so far

Apple released a security update today for users of Mac OS X v10.3.9 and v10.4.8 (including OS X Server):

• Mounting a maliciously-crafted disk image could lead to a crash or arbitrary code execution (CVE-2007-0197)
• Attackers on the local network can cause iChat to crash. A proof of concept was published in January (CVE-2007-0614 and CVE-2007-0710)
• By using iChat AIM to visit a maliciously crafted URL an attacker could trigger an overflow, leading to a crash of the application or arbitrary code execution.
• The UserNotificationCenter runs with elevated privileges in a local user context. This update forces the application to drop its group privileges shortly after starting. While this does not fix a directly exploitable vulnerability in itself, it fortifies the overall security posture of the application.

Security Update 2007-002, which contains these fixes, can be downloaded at Apple Downloads. Also have a look at these Java and DST updates.

The Clamav development team released version 0.90 of their open-source antivirus toolkit today. This version contains fixes for security vulnerabilities described in a number of iDefense advisories that were simultaneously published.

ClamAV CAB File Denial of Service Vulnerability (CVE-2007-0898)
Remote attackers can perform a service degradation attack by sending a malformed CAB file through a gateway scanner running ClamAV. The vulnerability can prevent ClamAV from scanning archives succesfully by depleting the available local file descriptors. iDefense investigated a number of common setups and observed that in most cases, mails that cannot be scanned will be auto-denied.

ClamAV MIME Parsing Directory Traversal Vulnerability (CVE-2007-0897)
An input validation bug allows a remote user to overwrite files on the system that are owned by the clamd scanner. A potential target mentioned in the advisory is the virus database. By overwriting this file, the scanner's effectiveness against certain threats can be reduced significantly.

Both vulnerabilities were resolved in ClamAV's new stable 0.90 release. Do note that users that automatically download and install signature updates are not automatically covered. When vulnerabilities in anti virus software are addressed, it is important to understand whether they are fixed in the signatures or scanning engines. Depending on the solution in use, most setups are configured to automatically update the former, while the latter may require separate upgrades.

Earlier today, Symantec released a security advisory detailing a vulnerability in how Palm OS Treo smartphones allow users to access data. Users with physical access to the device are able to use the Find feature to locate data, even when the device is locked. As a fix has not yet been released, Symantec advises to notify users so they are aware of this weakness and can take other actions to prevent disclosure of sensitive data.

Virtually all of your organizations are currently supporting the use of mobile devices in one way, shape or form. That these may impact the organization's security posture has been proven by new threats such as cell phone viruses (Commwarrior, Cabir) and Bluetooth hacking. These examples show that an understanding of wireless technology needs to be built into all security capabilities within the organisation; not just into policy statements, but also in their respective translation into procedures, guidelines and the supporting awareness programs.

If you're looking for inspiration, have a look here:

Australia's DSD government policy on Blackberry security
DRAFT NIST Guidelines on Cell Phone Forensics

Any other good examples you know of ? Drop us a message.

--
Maarten Van Horenbeeck

Overview of the February 2007 Microsoft patches and their status.

--
Swa Frantzen -- NET2S

About 3 weeks ago, one of our readers, Andrew, submitted a very interesting malicious binary. Andrew did some analysis himself and told us that he found encrypted files and some certificates which immediately caused interest amongst handlers.
If you are regularly reading ISC, you probably read the diary I wrote back in January about unsophisticated malware (http://isc.sans.org/diary.html?storyid=2022). Well, this time, things were completely different.

Initial analysis by Andrew showed that the machine was infected with a VML exploit. A small binary is dropped on the infected machine which, in this case, was a bit more than a typical downloader.

The analysis of unknown malicious programs can be a very difficult task. The first step in any analysis is to determine if the binary is packed or not. PEiD (http://peid.has.it), a tool I mentioned in the previous diary quickly determined that the binary was packed with UPX. UPX is a very common packer that is easy to unpack – various utilities exist that can help you with unpacking UPX and even doing it manually is very simple.

Once the binary was unpacked, you will typically want to run the strings command on the unpacked code, to see if there is anything that you can determine quickly by manually inspecting strings result.
The following two lines looked very interesting:

inflate 1.2.3 Copyright 1995-2005 Mark Adler
unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

It looks like our malware has been linked with zLibDll, an open source ZLIB compression library. This also explained what Andrew was seeing as he said that a password protected ZIP file was downloaded by the downloader. A quick search of potential passwords did not result in anything so we concluded that the binary must either generate the password with some code, or download it from the Internet. In this case, the second assumption was correct.

Now we come to the most interesting (and difficult part). You could, of course, manually analyze disassembled malware code (IDA Pro is of great help here, if you can afford it), but an easier approach (in my opinion) is to run the downloader through a debugger and carefully watch what it is doing. The debugger of my choice is, of course, OllyDbg (http://www.ollydbg.de), which is the best free debugger for Windows operating system.
In order to debug a program you will need x86 assembly knowledge, so this would be a good time to refresh it (or read some books about it).

The debugging process is relatively simple: you load a file into the debugger, and execute it step by step while carefully watching what’s going on.
The downloader in question did the usual stuff. After copying itself into C:\Documents And Settings\All Users folder, it opened a HTTP connection to the control Web server:

http://ijk [dot] cc/cgi-bin/ [REMOVED] oadfile=q/q2_started_ok
(the site is still up)
Once it registered properly, the downloader downloaded a file called qa.zip, which was the password protected ZIP archive.
Now came the interesting bit. By stepping through the binary with the debugger, we were able to determine the password used to protect the archive. You can see how it is slowly appearing in the EDI register (the real password is much longer which makes brute forcing the ZIP archive difficult). A method similar to this one is always used when a malware generates a password programmatically – it will either keep it in one of the registers or somewhere in the memory.



Knowing the password it is easy to extract the ZIP archive now and as the standard ZIP format was used this can be done even with a standalone ZIP program.

The archive contained some interesting binaries:

$ ls -l
total 144
drwxr-xr-x 2 test test 4096 Jan 10 19:57 .
drwxr-xr-x 4 test test 4096 Feb 12 14:05 ..
-rw-r--r-- 1 test test 1505 Aug 10 2005 cert.pem
-rw-r--r-- 1 test test 692 Jan 8 09:49 crontab.cb
-rw-r--r-- 1 test test 432 Jan 8 09:49 _qbot.cb
-rw-r--r-- 1 test test 96768 Jan 8 09:30 _qbot.dll
-rw-r--r-- 1 test test 20480 Dec 29 08:19 _qbotinj.exe
-rw-r--r-- 1 test test 600 Jan 8 09:49 updates.cb

Casual inspection of files did not show much and we concluded that all the .cb files were encrypted (or obfuscated) as they had purely binary contents. The cert.pem file was obviously used as some kind of a certificate to encrypt something. So we continued with the debugging of the main downloader.

After some time spent on it, the part that decrypted the *.cb files was executed. It was a simple obfuscation function. Typically in cases like this what most analysts do is write a perl program that does the same thing so you can decrypt the files without running the malware.
The file contents were pretty obvious – updates.cb contained list of URLs to update from and _qbot.cb contained information about the C&C IRC servers.

The last thing that puzzled us was the certificate – what was it used for? The answer was in the _qbot.dll file. This file contains the main IRC bot, that is injected in another process and executed. Analyzing this file revealed that it was linked with another package (this time commercial), called MatrixSSL. MatrixSSL is a library by PeerSec Networks (http://www.peersec.com/matrixssl.html) that allows application to support SSL/TLS. This was obviously used by the malware to encrypt its network communication. In this case, the cert.pem file was used to connect to the IRC C&C server and encrypt the session, so network IDS tools would not see any commands issued to the bot.

As most anti virus analysts already saw, malware authors often reuse their code. It’s not strange to see code from one malware family used in another. This case showed us that malware authors are happy to use open source or even commercial packages that can help them. And they treat their programs as full blown projects, as one string from the bots binary confirmed: J:\projects\qbot\matrixssl\src\matrixSsl.c.

Finally, the AV detection on submitted files is still very bad, even weeks after it has been released. The original downloader was detected by only a handful of AV programs, while the second stage (real bot) was detected by only 3 programs. It is clear that you can not rely only on the AV program and that you should have defense in depth. In this case, blocking outgoing TCP traffic would at least prevent the bot from contacting the C&C server and doing more harm on your internal network.

"The majority of the security vulnerabilities discovered and resolved can in most cases be only abused by local users and cannot be triggered remotely. However, some of the above issues can be triggered remotely in certain situations, or exploited by malicious local users on shared hosting setups utilizing PHP as an Apache module. Therefore, we strongly advise all users of PHP, regardless of the version to upgrade to 5.2.1 release as soon as possible. PHP 4.4.5 with equivalent security corrections will be available shortly."

dspam

clamav

greylisting

DNS blocklists

block dynamic IPs

block all gif images

playing with SA scores for mailing lists

"1. Encrypt all data on mobile computers/devices which carry agency data unless the data
is determined to be non-sensitive, in writing, by your Deputy Secretary or an
individual he/she may designate in writing; "

mod_security

http://www.modsecurity.org/

mod_evasive

http://www.zdziarski.com/projects/mod_evasive/

fail2ban

http://www.fail2ban.org/

Nathan used this tool to ban IP addresses doing repeated 404/501 error results.  He catches attempts to hack forums based on PHP this way, and was able to trace it back to owned servers doing those attacks towards him.

suhosin

http://www.hardened-php.net/suhosin.127.html

--
Swa Frantzen -- net2s.com

"I recorded a sound file that would engage speech command on Vista, then engaged the start button, and then I asked for the command prompt.  When I played back the sound file with the speakers turned up loud, it actually engaged the speech command system and fired up the start menu.  I had to try a few more times to get the audio recording quality high enough to get the exact commands I wanted but the shocking thing is that it worked!"