Archive for the ‘Vulnerabilities’ Category


Adobe Security Update for Flash Player

By Satnam Narang  •  September 20th, 2010  •   Vulnerabilities

Today, Adobe announced the release of a security update for its Flash Player software, which was originally scheduled for release on September 27th.  The update was moved up a week, as it addresses a critical vulnerability (CVE-2010-2884) in Flash Player, which has been seen in attacks in the wild.  This vulnerability impacts all versions of Flash, including Mac and Linux as well as Android, Google’s mobile operating system.

Running unpatched versions of software is one of the key vectors used in attacks in the wild today.  We strongly encourage our readers to update to the latest version of Adobe Flash Player (version 10.1.85.3), which can be obtained from the Adobe Flash Player Download Center.  An update has also been made available for Android users, which can be obtained through the Android Marketplace.


Adobe releases PDF patch for Reader and Acrobat

By Satnam Narang  •  June 30th, 2010  •   Vulnerabilities

Adobe has released an update to its Adobe Reader and Adobe Acrobat products. These new releases are part of an accelerated quarterly update process. According to their Security Bulletin (APSB10-15), this release addresses 17 documented vulnerabilities.

One of the major vulnerabilities addressed in this release is the Launch file dialog warning (CVE-2010-1240). This vulnerability was discovered by security researcher Didier Stevens, and we observed it being exploited in the wild in two separate campaigns.

Allowing your software to remain unpatched is a major issue. Therefore, we strongly encourage users to update to the latest version of Adobe Reader and Acrobat.


Skype ‘Extras Manager’ Vulnerability Found In The Wild

By Daniel Chechik  •  June 16th, 2010  •   Vulnerabilities

On October 12th, 2009, Skype released an updated version (4.1.0.179) of their popular VoIP client, which fixed an unspecified vulnerability in their plug-in component for Skype called EasyBits Extras Manager. The EasyBits software is intended to protect commercial software, such as plug-ins, from illegal redistribution or unlicensed use.

Given the popularity of Skype, it is no surprise that cybercriminals are finding ways to target the users of the application. In this case, the cybercriminals have enough fodder available to them in the form of a potential vulnerability in the application itself. Vulnerability disclosures are one of the most common ways cybercriminals craft their exploits, including those seen in the exploit kits themselves. In this scenario, our Security Labs team has identified a working exploit in the wild that targets this vulnerability.

Figure 1: Skype exploit code found in the wild.

As illustrated in Figure 1, the malicious code exploits a Skype ActiveX vulnerability using primitive obfuscation techniques in order to bypass antivirus security solutions. We can confirm this exploit code works successfully against vulnerable Skype installations. Testing this exploit page with VirusTotal illustrates the dismal results achieved, shown in Figure 2.

Figure 2: VirusTotal results page.

It is interesting to note that within Skype’s own release notes for the security vulnerability, they provide a recommendation to their users to “use virus protection services in case of any problems.”

Unfortunately for those users, the virus protection would have failed. However, the core issue here is not the antivirus solution’s ability to mitigate this threat, but the fact that the update process remains problematic for many companies. Many users continue to run outdated applications for months, even years, and these old versions continue to be exploited by cybercriminals. Even with the disclosure and security fixes provided by application developers, cybercriminals know that most users rarely update, making it not only easy but beneficial to monitor sites that post disclosures and proof of concept code.

Ask yourself: Do you know what version of Skype you’re running?


Finjan prevents 0-day exploit of Adobe Acrobat Reader and Flash player vulnerability

By Anonymous  •  July 23rd, 2009  •   Vulnerabilities

Finjan’s Malicious Code Research Center (MCRC) has detected yet another case of a 0-day attack “in the wild”. This time, hackers are exploiting a vulnerability (CVE-2009-1862) in Adobe Acrobat/Reader and Flash Player. By exploiting this vulnerability, the hackers can download and execute malicious code on the victim’s PC. According to Adobe, an update will be available only on July 31, 2009, leaving end users’ PCs unprotected in the meantime.

As with the previous 0-day attacks we reported, Finjan’s unified Secure Web Gateway (SWG) successfully detected and prevented the attempt to exploit the vulnerability and execute code. By utilizing its patented real-time content inspection technology, Finjan’s SWG proactively prevented the attack without any update.

As discovered by MCRC research, the attack is being used on a compromised website containing a script tag that loads the exploit from a remote malicious server. The malicious script uses a heap spray technique to load the attack shellcode and then loads a malformed Flash file that triggers the vulnerability.

Following is a code snippet of the malicious script:

Another interesting aspect of this exploit is that the embedded shellcode in the script loads an obfuscated executable. This simple obfuscation is done in order to evade detection by signature-based security products. The downloaded malicious executable creates a Trojan DLL named “wmimachine2.dll” and registers it as a service on the victim’s PC.

When posting the exploit on VirusTotal, we found that none of the 40 Anti-Virus products detected it as malicious.

Posting the malicious script ended with a similar result – no detection.

Posting the malicious Flash file ended with the same result – no detection.

Posting the obfuscated payload ended with the same result – no detection.

When browsing to the compromised site serving the 0-day attack via Finjan’s unified secure web gateway, users are protected, as can be seen below:

Posted by Golan Yosef


Finjan’s Unified Secure Web Gateway Prevents IE 0-Day Attack Associated with Microsoft Windows TV Tuner library

By Anonymous  •  July 6th, 2009  •   Vulnerabilities

A new 0-day attack has hit the web recently. The reported vulnerability is associated with the Microsoft Windows TV Tuner library, ‘MPEG2TuneRequest’ object, and can be exploited via a malformed web page. The attack enables remote code execution (RCE) on the targeted machine. Exploit code has already been spotted on the web.

Here is a code snippet of the 0-day exploit as detected:

Utilizing patented real-time code analysis technologies, Finjan’s unified secure web gateway blocks the 0-day attack at the gateway, as indicated by the following screenshot.

Posted by Finjan MCRC


Did You Update Your Unique Pack Toolkit Today?

By Moshe Basanchig  •  May 20th, 2009  •   Cybercrime Vulnerabilities

Recently we wrote about a crimeware toolkit called “Unique Pack”, which is one of the most popular toolkits “in the wild” these days. Just like other popular toolkits we reported on in the past, these are highly successful in exploiting end-users’ PCs when released. However, the effectiveness in exploitation decreases as time passes, since more and more users are patching their PCs.

Just like operating systems and browser updates, some toolkits get updates as well, allowing them to exploit newer vulnerabilities and offer the cybercriminal more options in orchestrating the attack. This is also the case with “Unique Pack”.

Recently we’ve found an updated version of the “Unique Pack” toolkit.

Let’s take a look at the changes in the administration panel:

The new “settings” tab in the panel shows the collection of exploits included in the toolkit. The toolkit provides links to information about each exploit (google.com, Microsoft.com, SecurityFocus, etc.). Moreover, it enables the cybercriminal to change the exploitation order and to enable/disable individual exploits during the attack. In the above screenshot, which was taken from a cybercriminal’s server, we see that no exploit was enabled for the Firefox web browser, while almost all exploits for IE 7 and 8 were enabled. Indeed, visiting the malicious site using Firefox wouldn’t trigger any exploit.

Following is the obfuscation used by the toolkit:

As you can see, it’s a rather simple JavaScript obfuscation, merely used to avoid AV signatures.

The obfuscated code is generated dynamically on the server side according to the user’s browser.

Below are the different vulnerabilities being exploited by the new “Unique Pack” in order to install malicious software on computers running Internet Explorer 6:

  • AOL SuperBuddy ActiveX Control Code Execution Vulnerability.
  • NCTAudioFile2.AudioFile ActiveX Remote Stack Overflow.
  • Yahoo! Messenger ywcvwr.dll ActiveX Control Buffer Overflow.
  • Yahoo! Messenger ywcupl.dll ActiveX Control Buffer Overflow.
  • Microsoft Windows XVoice.dll and Xlisten.dll Buffer Overflow Vulnerability.
  • Real Player IERPCtl Remote Code Execution Vulnerability.
  • GOM Player GomWebCtrl.GomManager ActiveX RCE Vulnerability.
  • Aurigma Facebook Image Uploader ActiveX RCE Vulnerability.
  • Real Player rmoc3260.dll ActiveX Control Remote Code Execution Vulnerability.
  • CA BrightStor ARCserve Backup ActiveX Remote Buffer Overflow Vulnerability.
  • Microsoft Works ActiveX Control Remote Code Execution Vulnerability.
  • Ourgame GLWorld GLIEDown2.dll multiple RCE Vulnerabilities.
  • Creative Software CTSUEng.ocx ActiveX Control RCE Vulnerability.
  • Microsoft Access Snapshot Viewer ActiveX Control Vulnerability.
  • Sina DLoader File Download Vulnerability.
  • Windows Media Encoder (wmex.dll) ActiveX Vulnerability.
  • IE RDS ActiveX Vulnerability.
  • IE WMIScriptUtils createObject vulnerability.
  • IE WebViewFolderIcon vulnerability.

Indeed – quite an impressive list. Some of these vulnerabilities are rather new, such as the “Snapshot Viewer”, while others are old, yet effective. If the client had used a newer version of Internet Explorer, such as 7 or 8, different vulnerabilities would be exploited, such as MS08-078.

When using the Opera web browser, “Unique Pack” tries to exploit the opera.setPreference method to change the handler of the TN3270 protocol, and then opens such a URL. The new handler is an executable downloaded by the toolkit and saved by Opera in the temporary internet folder. Due to another weakness of the Opera browser, the attacker can figure out the full path to it and set this path as the protocol handler. This results in the browser running the executable file. The vulnerability that allows this exploit was fixed in Opera 9.62.

Apart from exploiting web browsers, “Unique Pack” also tries to exploit both Adobe Acrobat Reader and Foxit Reader vulnerabilities. Following is part of the PDF file exploiting one of the latest Acrobat Reader vulnerabilities:

Finally, had the attack been successful, a malicious executable file would be pushed to and installed on the client machine.

The VirusTotal report below shows that only 2/40 AV products detected it:

As always, we encourage users to upgrade their OS, browser, PDF reader, and the rest of their software stack with the latest security updates. Stay safe!

Posted by Moshe Basanchig


India’s Union Public Service Commission Government Website Compromised

By Anonymous  •  May 10th, 2009  •   Cybercrime Vulnerabilities

An Indian Government web site, upsc.gov.in, was compromised by cybercriminals. The criminals injected iframes that directed visitors to malicious content.

Following is a code snippet of the iframes injected into the website:

The iframes point to malicious content hosted on a server in Poland armed with the Fiesta attack toolkit:

The obfuscated code shown above attempts to exploit 7 different vulnerabilities in order to install malicious software on the user’s machine. Below are the vulnerabilities it attempts to exploit:

  • DirectAnimation ActiveX Controls Memory Corruption Vulnerability
  • NCTAudioFile2.AudioFile ActiveX Remote Stack Overflow
  • Microsoft Access Snapshot Viewer ActiveX Control Vulnerability
  • IE Data Binding Handler Vulnerability (CVE-2008-4844)
  • IE RDS ActiveX Vulnerability
  • IE WMIScriptUtils createObject vulnerability
  • IE WebViewFolderIcon vulnerability

The exploit page was detected by only 3 out of 40 AV engines at VirusTotal:

We have notified CERT India about this issue; hopefully it will be fixed soon.

Again, it illustrates how popular legitimate websites are with criminals as a place to serve their malware.

For previous incidents, please read our blog postings on livedoor.jp, yaplog!, cbs.com, Times of India, and Saucony.

[UPDATE: May 12] The website is safe for browsing now.

Posted by Golan Yosef


A strike for lucky – LuckySploit Toolkit Exposed

By Anonymous  •  March 18th, 2009  •   Cybercrime Vulnerabilities

In the past three years we have written many times about crimeware toolkits. These toolkits have become the cyber criminals’ tool of choice when conducting crime online. Starting from the moment we spotted the first crimeware toolkit – the WebAttacker – we have seen hundreds of them all over the web, and we still do today.

Blockbuster crimeware toolkits include AdPack, Fiesta, and G-Pack. Less popular ones include UniquePack 2.0, Sploit25 2.2, Nuc_Pack, and Nuke sploits P4ck – to name just a few.

In this blog post, we would like to share with you one of the toolkits that we have been tracking for the last six months – LuckySploit. LuckySploit brings code obfuscation to a whole new level of sophistication, far more advanced than all others we have seen so far.

LuckySploit tries to exploit the same vulnerabilities other toolkits are trying to – Adobe Flash and PDF exploits, the IE7 data binding vulnerability, the recent MS09-002, signed applets, etc. Its uniqueness consists of the way it hides/obfuscates these exploits to avoid detection by signature- and heuristic-based security products.

Code Obfuscation by LuckySploit

Here’s how it works. First, as we have seen with many other crimeware toolkits, a user visits a compromised website and is redirected (using an IFRAME or other techniques) to a server armed with LuckySploit. All of this is invisible to the user and happens “behind the browser scene”.

The first LuckySploit malicious page that is sent to the user’s browser contains moderately obfuscated JavaScript code. The code is created at runtime with random variable and function names. This part is used to construct the “brains” of the toolkit – asymmetric key encryption and decryption.

From this point forward, there is a ‘dialog’ between the victim’s browser and the remote server, in which the browser sends metadata regarding its supported features (running platform, supported applications, installed plug-ins, etc.) and receives in return an exploit suitable for those features. The browser’s supported features are sent to the remote server encrypted with the server’s public key, along with a random key generated on the client side. In return, the exploit code is sent encrypted by the server using the client’s key.

This dynamic technique makes it almost impossible to do an offline (or post-infection) analysis of the toolkit and the served malicious code, since the key used by the client is not available. On every round a new key is generated. Following is a diagram demonstrating the entire process:

We simplified this diagram to make the process easier to understand. The dialog between the client and the server could be longer or shorter depending on the toolkit’s settings, the version of the client browser and the installed plug-ins.

While the key generated by the browser is a simple, symmetric key, the server key is truly asymmetric and uses an RSA-like algorithm. Here’s a screenshot of a malicious server’s private key:
Here are some code snippets of LuckySploit we want to show you.

First, the obfuscated JS (partial) sent at the beginning of the attack:

Here’s how it looks when de-obfuscated (partial):

Highlighted are two interesting lines of code: 1) the setting of the server’s public key, and 2) the dynamic creation of the result, which leads to the second part of the dialog between the client and the server.

A new script tag is added to the page; the SRC value of the script tag contains the “next key” generated by the client as GET data. Below is how the server response looks at this stage (partial):

Please note that it is assumed that the browser already knows “rc4Decrypt” and the key.

Below you see how it looks when decrypted (partial):

Please notice the generation of the “nextkey”, which contains the browser’s supported features (plug-in versions in this case) and the new SCRIPT tag.
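The per-round keyed exchange described above, modelled in Python as an added example (this is not LuckySploit’s code and not from the original post): the client mints a fresh key every round and carries it in the SCRIPT SRC, the server returns the next stage RC4-encrypted under that key, and a capture taken without that key does not decode. The `k` parameter name, hex encoding, key length and placeholder host are assumptions, and the page’s RSA-like wrapping of the client key is left out to keep the block self-contained.

```python
import secrets
from urllib.parse import urlparse, parse_qs

# Constructed sample values (not taken from the page): a fixed per-round client key and a
# harmless stand-in for the next-stage script the server would return.
SAMPLE_ROUND_KEY = bytes.fromhex("8f3a1c4e7b2d6905aa11")
SAMPLE_NEXT_STAGE = "/* constructed placeholder for the next-stage script */"
STAGE_URL = "http://toolkit.example.invalid/stage"  # placeholder host, an assumption


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream XOR); encrypt and decrypt are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_script_src(round_key: bytes) -> str:
    """Client side: the SCRIPT tag SRC carrying this round's key as GET data.
    Parameter name 'k' and hex encoding are assumptions, not the toolkit's real format."""
    return f"{STAGE_URL}?k={round_key.hex()}"


def key_from_script_src(src: str) -> bytes:
    """Analyst or client side: pull the round key back out of a captured SCRIPT SRC."""
    return bytes.fromhex(parse_qs(urlparse(src).query)["k"][0])


def server_round(round_key: bytes, next_stage: str) -> str:
    """Server side: the next stage RC4-encrypted under the round key, hex-encoded."""
    return rc4(round_key, next_stage.encode("utf-8")).hex()


def client_decrypt(response_hex: str, round_key: bytes) -> str:
    """What the browser's rc4Decrypt does with the key it already holds."""
    return rc4(round_key, bytes.fromhex(response_hex)).decode("utf-8", errors="replace")


def run_dialog(rounds: int, next_stage: str = SAMPLE_NEXT_STAGE) -> list:
    """One full client/server dialog. Returns the keys used, one fresh key per round,
    which is exactly what a post-infection capture lacks."""
    keys = []
    for _ in range(rounds):
        round_key = secrets.token_bytes(10)        # a new key on every round
        src = build_script_src(round_key)         # <script src="...?k=..."> is added to the page
        response = server_round(key_from_script_src(src), next_stage)
        assert client_decrypt(response, round_key) == next_stage  # the browser recovers the stage
        keys.append(round_key)
    return keys


if __name__ == "__main__":
    captured = server_round(SAMPLE_ROUND_KEY, SAMPLE_NEXT_STAGE)
    print("with the round key:", client_decrypt(captured, SAMPLE_ROUND_KEY))
    print("with a guessed key:", repr(client_decrypt(captured, b"guess")[:20]))
    print("distinct keys over 3 rounds:", len(set(run_dialog(3))))
```

Because the key changes every round, the analyst’s only reliable vantage point is the client itself or an inline inspection point, which is the page’s argument for real-time content inspection over signature matching of captured traffic.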
Administration 
LuckySploit comes with a very handy administration panel. Below is a screenshot of this panel.

The options “extra silent”, “silent”, etc. differ from one another in the number of round-trips between the client and the server. The more round-trips are involved, the more difficult it is to detect the exploitation and to decrypt the messages. The cost is a higher load (CPU time and traffic) on the malicious server.

LuckySploit’s administration panel supports multiple campaigns/users. This is achieved by special parameters allowing each campaign control over the evasiveness level, the downloaded executable, the exploits used, the stats collected, etc.

Finally, let’s have a look at LuckySploit’s administration dashboard:

Just look at the 20% infection rate – alarming!

This toolkit is a great example of the sophistication, time and effort that toolkit makers are investing to make their “Swiss army knife” undetectable by security products. The reason they are investing so much is clear – they make money out of it, and money is what drives the cybercriminals.

Posted by Moshe Basanchig & Daniel Chechik


Cyber Sino-Japanese War?

By Moshe Basanchig  •  February 26th, 2009  •   Cybercrime Vulnerabilities

Recently we reported on a high-ranking Japanese website which was compromised by cyber criminals. This time we discovered an even higher-ranked site that was compromised: Livedoor.jp. This popular web portal is owned by a Japanese ISP and has an Alexa ranking of 6 in Japan, and 70 worldwide.

Just as described in our previous report, the attack characteristics include an IFRAME injected into some pages on the Japanese portal, which refers to a Chinese server that attempts to exploit multiple browser vulnerabilities.

The included page is quite simple, yet effective: it checks which ActiveX objects the browser is ‘familiar with’, and includes the relevant IFRAMEs to exploit those objects.

First, the popular IE7 data binding vulnerability is exploited. In order to avoid detection by signature-based protection solutions like Anti-Virus, the page was obfuscated:

Needless to say, there are still many Internet Explorer users who haven’t patched their browser yet and are still vulnerable to this attack.

Let’s look at the executable pushed to the client as a result of a successful exploitation of the browser vulnerability. The downloaded executable is a Trojan that steals a user’s credentials. This Trojan has been known for quite some time now. Despite being known, many Anti-Virus products still don’t detect it. As you can see below, only 18/39 AV products on VirusTotal detected this file as malicious:

The next vulnerability exploited is the infamous RDS vulnerability, which is still widely used by cyber criminals, even though it is quite old and users should therefore have been protected from it a long time ago.

Last, the rather new Snapshot Viewer ActiveX control vulnerability is exploited.

This Chinese attack is very popular and is known to infect hundreds of websites all over the world. However, we can’t ignore the fact that two very popular Japanese websites were infected in such a short period of time.

The malicious code was removed from Livedoor.jp and it’s now safe to visit.

Update:

On March 5th we received the following comment from “livedoor.jp”:

“As each page on the domain of [livedoor.jp] is being managed by the user himself/herself, we are not involved in the management of the contents or the codes of each page”

Although we can understand this comment, it just reconfirms Finjan’s position regarding the risks of Web 2.0: giving users the power to add code also gives them the power to add malicious code – this is why we believe in real-time content inspection for web security.

Posted by Moshe Basanchig


Malware and the rising sun website

By Moshe Basanchig  •  February 24th, 2009  •   Cybercrime Malware Vulnerabilities

We at Finjan always claim that malware has no boundaries, and national borders won’t prevent cybercriminals from infecting websites with their malware. To demonstrate, let us take a closer look at the following site, which is ranked 41 in Japan (!) and 382 worldwide, according to Alexa: yaplog.jp

As you can guess, this website was compromised and was found serving malware. Let’s look at this attack thoroughly.

First and foremost, an HTML IFRAME element was injected into one of the pages of yaplog.jp:

The embedded IFRAME on this Japanese site points to an external webpage hosted in China, which we at MCRC have been familiar with since July last year. But as old as it may be, it is still effective at infecting innocent visitors, especially those who run an outdated operating system.

The first thing the malicious page does is create an MDAC ActiveX object instance, which in turn creates a new XMLHTTP object instance. If this creation succeeds, it means that the browser being used is a vulnerable (unpatched) IE; hence another page is included. The new page uses the MDAC vulnerability in order to push a Trojan to the client and execute it.

This is the MDAC check:

The included page is moderately obfuscated in order to increase its chances of avoiding signature-based scans, such as those by Anti-Virus products.

Had the MDAC check failed, other vulnerabilities would have been exploited, each in a new IFRAME which includes an obfuscated page. First, IE’s VML renderer, which had a buffer overflow that was simple to exploit in order to execute malicious code on the client machine. This is followed by the latest – and very much talked about – IE data-binding vulnerability, which also enables the execution of malicious code. This exploit was added only recently, and is known to be highly effective, as many browsers haven’t been patched yet.

Next are attempts to use the previously vulnerable ANI (animated cursor) file type by instructing the browser to use a malicious ANI file for the mouse cursor.

Last, but not least, an attempt to exploit a Yahoo! Messenger vulnerability is made. This vulnerability is another buffer overflow which allows remote code execution.

Below is the code responsible for all of the exploits described above:

All of those exploits are used for the same purpose: push a downloader Trojan to the client. Once that Trojan is executed, it pulls a second Trojan, which is capable of stealing user data.

In order to make the attack more difficult to track, it uses a cookie as a client-side mechanism, ensuring that the malicious pages are executed only once a day, and not more.

We are happy to report that yaplog.jp removed the malicious code from their website.

Posted by Moshe Basanchig
