Posts Tagged ‘Vulnerabilities’


MIDI Files – Mid-Way to Infection

By Arseny Levin  •  January 31st, 2012  •   Vulnerabilities

Microsoft’s January patch MS12-004 addressed a few vulnerabilities in Windows Media components. One particular issue, CVE-2012-0003, can be exploited via the Windows Media Player ActiveX control, as it leverages a heap overflow in the ‘midiOutPlayNextPolyEvent’ function within the Windows Multimedia Library, winmm.dll. The bad guys didn’t waste time, and this vulnerability is now exploited in the wild, as reported by Trend Micro. A Web page hosted on a South Korean site loads a maliciously crafted MIDI file and sprays the heap. The attacker utilizes the exploitation method presented in Nicolas Joly’s blog from VUPEN: the attack allocates an HTML element of a specific size and eventually overwrites some of its data, and thus achieves malicious code execution.

The author of this page used a Korean JavaScript obfuscator in order to obfuscate a large block of code which hides the shellcode, as can be seen in the following code snippet. In particular, the obfuscated code, generated by this tool, changes itself several times during execution.


The code also ensures that it is being executed only in Internet Explorer, because that’s the only browser where this exploitation will be successful. After de-obfuscating the JavaScript code, we can analyze the shellcode itself. The author uses a common evasion technique: XOR encryption, with a decrypting loop at the prologue. This technique is usually very effective against signature-based detection engines.

Then the shellcode imports and calls URLDownloadToFileA to download the payload which is a packed executable, saving it with an ambiguous name such as “a.exe”.
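A single-byte XOR layer defeats a static signature but not a brute-force pass: every one of the 256 candidate keys can be tried, and the right one reveals the API names the shellcode must resolve (here, URLDownloadToFileA) together with the URL and file name of the payload. The following analyst-side helper is an added example for this post, not code from the original analysis; the encoded blob it works on is constructed here, and the marker list beyond URLDownloadToFileA is our own assumption about what a downloader stub usually imports.

```python
import re

# API names an analyst expects to see once the XOR layer is removed. The first
# one is the import named in the post; the others are assumed companions.
MARKERS = (b"URLDownloadToFileA", b"WinExec", b"LoadLibraryA", b"GetProcAddress")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def recover_xor_key(blob: bytes, markers=MARKERS):
    """Brute-force all 256 single-byte keys and return (key, decoded, markers_found)
    for the first key that exposes at least one marker, or None if no key does.
    The plaintext decoder stub at the prologue does not interfere: under the
    right key it turns into garbage while the encoded body becomes readable."""
    for key in range(256):
        decoded = xor_bytes(blob, key)
        found = [m.decode() for m in markers if m in decoded]
        if found:
            return key, decoded, found
    return None


def printable_strings(data: bytes, min_len: int = 4):
    """Extract runs of printable ASCII (what `strings` would print), so the
    download URL and file name can be read off the decoded body."""
    return [s.decode() for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


# Constructed sample: a fake shellcode "body" made of the strings the post
# mentions, encoded with a key of our choosing. This is not the real shellcode.
SAMPLE_KEY = 0x5A
_PLAIN_BODY = (b"urlmon.dll\x00URLDownloadToFileA\x00"
               b"http://example.invalid/a.exe\x00a.exe\x00")
# Two fake prologue bytes are left unencoded, as a real decoder stub would be.
SAMPLE_BLOB = b"\x90\x90" + xor_bytes(_PLAIN_BODY, SAMPLE_KEY)

if __name__ == "__main__":
    hit = recover_xor_key(SAMPLE_BLOB)
    if hit is None:
        print("no single-byte key exposed a known marker")
    else:
        key, decoded, found = hit
        print(f"key=0x{key:02x} markers={found}")
        print(printable_strings(decoded))
```

Multi-byte or rolling keys need a longer search, but the idea is the same: a known-plaintext marker turns an evasion trick into a lookup.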

The executable is a downloader which fetches additional malware with rootkit capabilities. The author of the attack did a decent job obfuscating the executable file, as can be seen by a Virustotal analysis:

All M86 Secure Web Gateway customers are protected from this attack by default without need to install any security update.



RapidShare.com – The Phishing Begins

By Yaniv Miron  •  February 20th, 2011  •   Phishing

A few weeks ago, M86 Security Labs discovered how to create a phishing page on RapidShare.com. As most of you probably know, RapidShare is one of the largest file sharing websites, with thousands of users worldwide.

While trying to download a file from RapidShare.com we encountered an error message indicating that the servers were busy.

We decided to test the error message and found that there is an improper input validation vulnerability in the “downloaderror” field.

Below is the original error message from RapidShare:

RapidShare.com Error message – Too many users downloading…

In the following screen, we see a fake phishing message that offers users the opportunity to buy a premium account for RapidShare:

RapidShare.com Fake Error message

A closer look:

For further information, see this demo link:

http://rapidshare.com/#!downloaderror|3|623624|test.avi|723|Too%20many%20users%20downloading%20from%20this%20server%20right%20now.%20Please%20call%201-800-555-fake-premium%20or%20email%20your%20Credit%20Card%20to%20fake@premiumfake.com%20to%20get%20a%20premium%20account%20for%20only%209.95$%20a%20month%20!!!

In addition, we can control all of the “downloaderror” fields. For example, the file folder (623624), the file name (test.avi), and of course the error message.

This type of improper input validation can help malicious attackers create phishing pages within RapidShare.com. A user that receives an email or a link to the malicious phishing page could unknowingly give away credit card information to the malicious attacker either by email or by a phone call.
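The fix for this class of bug is to stop treating the free-text field as data at all: the structured fields can be validated against a strict shape, and the message shown to the user should be chosen server-side from a fixed table keyed by the error code. The parser below is an added example written for this post, not RapidShare’s code; it assumes that the first numeric field (3) is an error code and the fourth (723) a size, since the post only identifies the folder, the file name and the message, and the message texts and other codes in the table are constructed.

```python
import re
from urllib.parse import unquote

# Server-side message table: the user only ever sees one of these fixed strings,
# selected by code. Texts are constructed; only the "Too many users downloading"
# wording comes from the post.
ERROR_MESSAGES = {
    1: "The file could not be found.",
    3: "Too many users downloading from this server right now. Please try again later.",
}
DIGITS_RE = re.compile(r"^[0-9]{1,12}$")
FILENAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._ -]{0,127}$")


class InvalidDownloadError(ValueError):
    """Raised when the fragment does not have the expected shape."""


def _split_fields(fragment: str):
    """Split on '|' BEFORE percent-decoding, so an encoded pipe (%7C) inside a
    field cannot shift the field boundaries; then decode each field on its own."""
    parts = fragment.lstrip("#!").split("|")
    if len(parts) != 6 or parts[0] != "downloaderror":
        raise InvalidDownloadError("expected 6 pipe-separated fields starting with downloaderror")
    return [unquote(p) for p in parts]


def parse_downloaderror_unsafe(fragment: str) -> dict:
    """Mirrors the weakness described in the post: the last field is taken from
    the URL and handed back, unchanged, as the message to display."""
    _, code, folder, filename, size, message = _split_fields(fragment)
    return {"code": code, "folder": folder, "filename": filename, "size": size, "message": message}


def parse_downloaderror_safe(fragment: str) -> dict:
    """Validate every structured field and ignore the free-text one entirely:
    the message is looked up from ERROR_MESSAGES by code instead."""
    _, code, folder, filename, size, _attacker_text = _split_fields(fragment)
    if not DIGITS_RE.match(code) or int(code) not in ERROR_MESSAGES:
        raise InvalidDownloadError("unknown error code")
    if not (DIGITS_RE.match(folder) and DIGITS_RE.match(size)):
        raise InvalidDownloadError("folder and size must be numeric")
    if not FILENAME_RE.match(filename):
        raise InvalidDownloadError("file name contains disallowed characters")
    return {"code": int(code), "folder": int(folder), "filename": filename,
            "size": int(size), "message": ERROR_MESSAGES[int(code)]}


# Constructed fragment in the shape of the demo link from the post.
PHISHING_FRAGMENT = ("#!downloaderror|3|623624|test.avi|723|"
                     "Too%20many%20users%20downloading.%20Please%20call%201-800-555-fake-premium")

if __name__ == "__main__":
    print("unsafe:", parse_downloaderror_unsafe(PHISHING_FRAGMENT)["message"])
    print("safe:  ", parse_downloaderror_safe(PHISHING_FRAGMENT)["message"])
```

Whatever the page does with the result, the phone number and email address an attacker places in the fragment never reach the rendered message in the safe variant, and a malformed file name or unknown code is rejected outright.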

We contacted RapidShare.com regarding this subject and received a response from the RapidShare Abuse team assuring us that they have fixed the issue.



Adobe releases PDF patch for Reader and Acrobat

By Anonymous  •  June 30th, 2010  •   Vulnerabilities

Adobe has released an update to its Adobe Reader and Adobe Acrobat products. These new releases are part of an accelerated quarterly update process. According to their Security Bulletin (APSB10-15), this release addresses 17 documented vulnerabilities.

One of the major vulnerabilities addressed in this release is the Launch file dialog warning (CVE-2010-1240). This vulnerability was discovered by security researcher Didier Stevens, and we observed it being exploited in the wild in two separate campaigns.

Allowing your software to remain unpatched is a major issue. Therefore, we strongly encourage users to update to the latest version of Adobe Reader and Acrobat.



Skype ‘Extras Manager’ Vulnerability Found In The Wild

By Daniel Chechik  •  June 16th, 2010  •   Vulnerabilities

On October 12th, 2009, Skype released an updated version (4.1.0.179) of their popular VoIP client, which fixed an unspecified vulnerability in their plug-in component for Skype called EasyBits Extras Manager. The EasyBits software is intended to protect commercial software, such as plug-ins, from illegal redistribution or unlicensed use.

Given the popularity of Skype, it is no surprise that cybercriminals are finding ways to target the users of the application. In this case, the cybercriminals have enough fodder available to them in the form of a potential vulnerability in the application itself. Vulnerability disclosures are one of the most common ways cybercriminals craft their exploits, including those seen in the exploit kits themselves. In this scenario, our Security Labs team has identified a working exploit in the wild that targets this vulnerability.

Skype Malicious Code in the wild

Figure 1: Skype exploit code found in the wild.

As illustrated in Figure 1, the malicious code exploits a Skype ActiveX vulnerability using primitive obfuscation techniques in order to bypass antivirus security solutions. We can confirm this exploit code works successfully against vulnerable Skype installations. Testing this exploit page with VirusTotal illustrates the dismal results shown in Figure 2.

Virus Total dismal results for exploit code

Figure 2: Virus Total Results Page.

It is interesting to note that within Skype’s own release notes for the security vulnerability, they provide a recommendation to their users to “use virus protection services in case of any problems.”

Unfortunately for those users, the virus protection would have failed. However, the core issue here is not the antivirus solution’s ability to mitigate this threat, but the fact that the update process remains problematic for many companies. Many users continue to run outdated applications for months, even years, and these old versions continue to be exploited by cybercriminals. Even with the disclosure and security fixes provided by application developers, cybercriminals know that most users rarely update, making it not only easy but beneficial to monitor sites that post disclosures and proof of concept code.

Ask yourself: Do you know what version of Skype you’re running?



PDF ‘Launch’ Feature Used to Install Zeus

By Gavin Neale  •  April 15th, 2010  •   Spam

Today we began seeing emails, like the one shown below, claiming to be from Royal Mail with an attached PDF file.

This PDF uses a feature, specified in the PDF format, known as a Launch action. A Launch action is intended to be used to run an application or to open or print a document. Recently a security researcher discovered that this feature can be used to run an executable embedded within the PDF file.

This PDF also contains an attachment (PDFs can have an attachment embedded within them, just like emails) named Royal_Mail_Delivery_Notice.pdf which has been compressed inside the PDF file. This attachment is actually an executable file and if run, will install the Zeus bot. The image below shows part of this attachment within the PDF file, the start of the executable file is shown decompressed, in the red box.

The PDF uses the JavaScript function exportDataObject, shown below, to save a copy of the attachment to the user’s PC.

When this PDF is opened in Adobe Reader with JavaScript enabled, the exportDataObject function causes a dialog box to be displayed asking the user to “Specify a file to extract to”. The default file is the name of the attachment, Royal_Mail_Delivery_Notice.pdf. This could be somewhat confusing to users, and not really knowing what is happening, they may just click Save (it appears as if they are just saving a PDF file, after all). Users of Foxit PDF Reader will get no warning, and the attachment will be saved to the user’s Documents folder.

Once the exportDataObject function has completed, the Launch action is run. The Launch action is used to execute the Windows command interpreter (cmd.exe) and is given a command line to execute.

This command line searches for the previously saved Royal_Mail_Delivery_Notice.pdf file in some commonly used folders such as My Documents and Desktop and then tries to run the file (remember that this is actually the executable file). Adobe Reader will pop up the box shown below, and the command will only be run if the user clicks ‘Open’. The latest version of Foxit Reader (released April 1st) will display a similar warning; older versions will go ahead and execute the command without asking.

If this command is successfully run, the Zeus data-stealing bot is installed. Although having the latest versions of Foxit and Adobe Reader will not protect you entirely from this feature, they do offer configuration settings and warnings before any program is launched. In Adobe Reader you can disable the opening of non-PDF attachments using the Trust Manager in the Preferences menu. You can also disable JavaScript in both readers to mitigate the impact of this and many other vulnerabilities.
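The three ingredients described above, a Launch action, an embedded file and an exportDataObject call, are visible in the PDF’s object dictionaries even when the attachment itself is compressed, which makes them a good starting point for a mail-gateway style check. The scanner below is an added example for this post, not M86 or MailMarshal code; the sample PDF it scans is a constructed skeleton that mimics the structure described here (it is not the Royal Mail sample), and the /JS and /OpenAction keys it also flags are taken from the PDF specification rather than from the post. It inflates FlateDecode streams before matching, and undoes the #xx hex escapes PDF allows inside names, so that /L#61unch is still recognized as /Launch.

```python
import re
import zlib

# Indicators from the post: a Launch action, an embedded file and the
# exportDataObject call. /JS and /OpenAction are related keys from the PDF
# specification, added here as an assumption about what a scanner should flag.
NAME_INDICATORS = (b"/Launch", b"/EmbeddedFile", b"/JavaScript", b"/JS", b"/OpenAction")
JS_INDICATORS = (b"exportDataObject",)


def inflate_streams(data: bytes) -> bytes:
    """Return data with the decompressed body of every FlateDecode stream
    appended, so indicators hidden inside compressed objects (like the
    JavaScript in the sample) can be matched. Undecodable streams are skipped."""
    extra = []
    for m in re.finditer(rb"stream\r?\n(.*?)\nendstream", data, re.S):
        try:
            extra.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue
    return data + b"\n" + b"\n".join(extra)


def normalize_pdf_names(data: bytes) -> bytes:
    """Undo #xx hex escapes in PDF names, so /L#61unch is seen as /Launch."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Report which indicators are present and whether the Launch-plus-
    embedded-file combination described in the post is there."""
    text = normalize_pdf_names(inflate_streams(data))
    hits = [i.decode() for i in NAME_INDICATORS + JS_INDICATORS if i in text]
    return {
        "indicators": hits,
        "launch_with_embedded_file": "/Launch" in hits and "/EmbeddedFile" in hits,
    }


def _obj_with_stream(num: int, dict_head: bytes, body: bytes) -> bytes:
    """Build a FlateDecode stream object for the constructed sample below."""
    comp = zlib.compress(body)
    return (b"%d 0 obj << %s /Filter /FlateDecode /Length %d >>\nstream\n"
            % (num, dict_head, len(comp)) + comp + b"\nendstream\nendobj\n")


# Constructed sample: a tiny PDF skeleton with the structure the post describes.
# Two names are hex-escaped on purpose to show why normalization matters.
_JS = b"this.exportDataObject({cName: 'Royal_Mail_Delivery_Notice.pdf', nLaunch: 0});"
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /OpenAction 4 0 R /Names << /JavaScript << /Names [(doc) 5 0 R] >> "
    b"/EmbeddedFiles << /Names [(Royal_Mail_Delivery_Notice.pdf) 3 0 R] >> >> >> endobj\n"
    b"3 0 obj << /Type /Filespec /F (Royal_Mail_Delivery_Notice.pdf) /EF << /F 6 0 R >> >> endobj\n"
    b"4 0 obj << /S /L#61unch /Win << /F (cmd.exe) >> >> endobj\n"
    b"5 0 obj << /S /JavaScript /JS 7 0 R >> endobj\n"
    + _obj_with_stream(6, b"/Type /Embedded#46ile", b"MZ\x90\x00 constructed executable stub")
    + _obj_with_stream(7, b"", _JS)
    + b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    print(scan_pdf(SAMPLE_PDF))
```

A real gateway would go further (walk the object graph, handle other filters, and look at what the Launch action actually invokes), but even this level of inspection is enough to quarantine a PDF that both carries an embedded file and asks the viewer to launch something, which is exactly the combination a legitimate delivery notice has no reason to use.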

MailMarshal users with the Block Executable rule enabled will be protected from PDF attachments with executable attachments. SpamCensor version 431 and KnownThreats version 26 both protect MailMarshal users from PDFs using this Launch action and Executable attachment feature.



New neosploit – without MDAC :)

By Anonymous  •  April 6th, 2008  •   Malware

Most attack toolkits have some things in common, one of which is an exploit against the MDAC vulnerability (patched in 2006); MDAC is also, in many cases, the first exploit the attacker tries to use.
Looking at the new version of neosploit, we found it to contain the following exploits:

  • SB.SupperBuddy
  • CA, AddColumn
  • NCTAudioFile
  • GomManager
  • (and the elder) WebViewFolderIcon

As you can see, after almost 3 years of running strong, MDAC has finally retired :)  
Good riddance, 
Golan 
Posted by Golan Yosef



BlackHat USA 2007 / DefCon 15 – some notes

By Anonymous  •  September 20th, 2007  •   Cybercrime Malware Vulnerabilities

Dangling Pointer … Jonathan Afek

Dangling pointers are pointers that do not point to a valid object of the appropriate type, or to a distinguished null pointer value in languages which support this. It can be caused when an object is deleted or de-allocated, without modifying the value of the pointer, so that the pointer still points to the memory location of the de-allocated memory.

If the pointer is used to make a virtual function call, a different address (possibly pointing at exploit code) may be called due to the vtable pointer being overwritten. Alternatively, if the pointer is used for writing to memory, some other data structure may be corrupted.

Nevertheless, Java-based applications are not vulnerable to this exploit because the language has a built-in mechanism for de-allocating memory.

Jonathan and Adi found that they could intentionally crash a Web server by sending it a specially crafted URL, and found a way to run their own code on the target machine.

Tactical Exploitation HD Moore & Valsmith

One of the most popular briefings was “Tactical Exploitation” by H.D. Moore of Metasploit and Valsmith from offensive-computing (no place to sit or stand).

They talked about how to correctly pen-test an organization – not just by blindly using exploit code. They presented a number of tools that are not available yet but should be soon as new modules for Metasploit.

The first half of the talk focused on some lesser-known discovery and fingerprinting methods, and on better-known tools. They showed how to collect information (reconnaissance) on the target (person/network) as the first step of the penetration testing process. A few examples were shown using third-party services such as DomainTools.com and others (such as the web interface to Paterva’s Evolution, http://www.paterva.com/evolution.html), as well as old techniques (such as reverse DNS and zone transfers) and more active techniques (using SMTP bounces, brute-forcing HTTP virtual hosts).

The first half ended with some examples of real-life service fingerprinting, including graphing the traffic activity for a particular web site.

They discussed firewall discovery, client applications discovery, and even process discovery.

The second half of the talk discussed some topics, such as entry points into the external network, and issues caused by using NAS devices as file servers. It led into a discussion of NTLM hijacking, NFS tricks, abuse of the OpenSSH master mode, and a demo of stealing Kerberos tickets.
More technical stuff – http://metasploit.com/confs/blackhat2007/tactical_paper.pdf

Building and Breaking the Browser (Window Snyder)

The Mozilla security crew selected a transparent approach and shared their knowledge regarding the weaknesses of their software.

One of the values of this approach can be seen in the release of tools such as the HTTP fuzzer they spoke about at the convention. The fuzzer is used against JavaScript.

They claim that the fuzzer has already produced some findings and released it to the public after the meeting.

One of the points mentioned in the talk was the plan to create a “blocking page” much like other security products currently offer. This is due in the next version they will release.

CaffeineMonkey: Automated Collection, Detection and Analysis of Malicious JavaScript
Ben Feinstein, Daniel Peck

The authors present a software framework for the automated collection of JavaScript from the wild that they have developed. The goal is identification of malicious code, and characteristic analysis of malicious code once identified.

The focus of the lecture was on attacks using JavaScript for obfuscation or exploitation, such as “white spaces randomization, string encoding, string splitting, and integer obfuscation.”

They presented findings & analysis based on the deployment of a distributed network of “CaffeineMonkeys”, and their method using honey clients and “behavior analysis” that was not detailed, to identify malicious code.

This was a rather reassuring lecture for us, as the obfuscated code we know consists of highly sophisticated decryption functions that process extremely jumbled inputs and turn them into malicious code (see the recent analysis of such obfuscators in the latest Malicious Page of the Month, and a couple of posts by other MCRC members). Seems like we are still ahead of the curve…

Posted by Amir Davidi
