Research

IE Users Beware

December 22nd, 2008 by Melinda Rosario

On December 9, 2008, a “weaponized” zero-day exploit for a previously undisclosed vulnerability in Microsoft Internet Explorer 7 was discovered in the wild being used by Chinese hackers to install malware on victims’ computers. The exploit was based on a proof-of-concept posted on a Chinese forum in early November 2008 and, coincidentally, was launched on the same day as Microsoft’s last batch of security patches for the year. The vulnerability is caused by memory corruption resulting from an invalid pointer reference when Internet Explorer handles Dynamic HTML (DHTML) data bindings. The exploit itself is written in JavaScript and is intended to execute only in Internet Explorer 7 browsers on Windows XP, Windows Server 2003, Windows Vista, and Windows 2008; however, the underlying vulnerability resides in all versions of Internet Explorer. As of this date, no exploit targeting those other versions has been discovered.

To exploit this vulnerability, a malicious website would cause IE to create an array of data binding objects, release one of the objects, and re-reference it later on. Internet Explorer neglects to check the new array length after the object is released, so a loop continues to reference the released object, resulting in a use-after-free condition. If the deleted object’s memory is reallocated and filled with user-supplied data, Internet Explorer could crash in a way that is exploitable, effectively allowing remote code execution with the privileges of the logged-in user. While most attacks that exploit this vulnerability are currently being used to propagate malware, one must realize that it can be leveraged to execute arbitrary code of the attacker’s choosing.
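The stale-length loop described above, reduced to a small C program. This is an added example, not the exploit and not Internet Explorer’s code: the binding object, the array and the release routine are constructed stand-ins, and release poisons an object instead of calling free() so that touching a released object is observable rather than undefined behaviour. The vulnerable walk captures the array length once before iterating; the hardened walk re-reads the length on every iteration and nulls the released slot, which is the check the text says IE neglected.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a DHTML data-binding object. release_tail()
 * marks it dead and poisons it instead of calling free(), so a stale
 * access is observable here instead of being undefined behaviour. */
typedef struct {
    int live;     /* 1 while valid, 0 once released */
    int value;
} binding_t;

#define MAX_BINDINGS 8

typedef struct {
    binding_t pool[MAX_BINDINGS];    /* backing storage, stands in for the heap */
    binding_t *slots[MAX_BINDINGS];  /* the array of binding pointers */
    size_t len;                      /* current logical length */
} binding_array_t;

static void array_init(binding_array_t *arr, size_t n) {
    memset(arr, 0, sizeof *arr);
    arr->len = n;
    for (size_t i = 0; i < n; i++) {
        arr->pool[i].live = 1;
        arr->pool[i].value = (int)i;
        arr->slots[i] = &arr->pool[i];
    }
}

/* Release the last binding: the object dies and the array gets shorter.
 * With clear_slot == 0 the dangling pointer is left behind in the array. */
static void release_tail(binding_array_t *arr, int clear_slot) {
    if (arr->len == 0) return;
    binding_t *b = arr->slots[arr->len - 1];
    b->live = 0;
    b->value = 0xDEAD;               /* poison, like a freed chunk being reused */
    if (clear_slot) arr->slots[arr->len - 1] = NULL;
    arr->len--;
}

/* Vulnerable pattern: the bound is captured once. Processing slot 0 triggers
 * a release that shrinks the array, but the loop walks on to the old bound
 * and touches the dead object. Returns how many dead objects were touched. */
static int walk_stale_length(binding_array_t *arr) {
    int stale = 0;
    size_t cached_len = arr->len;    /* BUG: never re-checked after a release */
    for (size_t i = 0; i < cached_len; i++) {
        binding_t *b = arr->slots[i];
        if (!b->live) { stale++; continue; }  /* use-after-free in the real bug */
        if (i == 0) release_tail(arr, 0);     /* side effect during iteration */
    }
    return stale;
}

/* Hardened pattern: re-read the current length every iteration, null the
 * released slot, and skip empty slots, so the shrunk array ends the loop. */
static int walk_rechecked(binding_array_t *arr) {
    int stale = 0;
    for (size_t i = 0; i < arr->len; i++) {   /* bound re-read each time */
        binding_t *b = arr->slots[i];
        if (b == NULL) continue;
        if (!b->live) { stale++; continue; }
        if (i == 0) release_tail(arr, 1);
    }
    return stale;
}

/* Run each walk over a fresh four-element array. */
static int demo_stale(void) {
    binding_array_t a;
    array_init(&a, 4);
    return walk_stale_length(&a);   /* returns 1: the released tail was touched */
}

static int demo_rechecked(void) {
    binding_array_t a;
    array_init(&a, 4);
    return walk_rechecked(&a);      /* returns 0 */
}

int main(void) {
    printf("cached-length walk touched %d released object(s)\n", demo_stale());
    printf("re-checked walk touched %d released object(s)\n", demo_rechecked());
    return 0;
}
```

The poisoned `value` field plays the part of attacker-controlled data landing in the reused allocation; in the real bug the loop would read it through the dangling pointer, which is why the fix has to both shrink the bound and clear the slot rather than only one of the two.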

There are inherent vulnerabilities that exist in all browsers, but Internet Explorer is the most widely used web browser around the world, making it a prime target for hackers. The time between the release of proof of concept code and the release of full-fledged exploits is getting smaller and smaller. Although Microsoft has been quick to release workarounds to mitigate vectors for exploitation, the seriousness of this flaw has prompted Microsoft to release an out-of-cycle security update, MS08-078.

In order to maintain a good security posture, minimize your risk by being aware of the vulnerabilities that may pose a threat, and be prepared to show due care when a threat comes knocking at your door. Considering that security and functionality are often a tradeoff, there isn’t a single product or configuration that caters to everyone; the solution is to figure out which tradeoffs are appropriate for you or your company. As such, until issues like this can be addressed with a security patch, users should apply the workarounds and/or consider using an alternate browser in the meantime.

Other SecureWorks Blog Categories:
  • General (22)
  • Links (7)
  • Phishing (2)
  • Research (61)
  • Spam (1)
  • Trojans (4)

  • FTC takes on Antivirus XP

    December 12th, 2008 by Nick Chapman

    Early last week the FTC took aim at Antivirus XP and the people behind it. This kind of scareware is a well-known scam. My colleague Joe Stewart had previously investigated a similar scam, run by the Russian Bakasoftware group. From the court filings, the group the FTC is pursuing is run by American and Canadian citizens. The FTC sought and was granted a temporary restraining order (TRO) that requires the entities and people behind Antivirus XP to stop claiming they are performing AV scanning, to stop concealing their identities (including ceasing use of any domains registered using false information), and to not spend, hide or transfer any of their ill-gotten gains.

    The TRO also extends to the defendants’ web hosting providers and banks. They are respectively ordered to take down and preserve web properties and to freeze assets owned by the defendants.

    These scareware products have been marketed under a wide variety of names; those listed in the FTC’s complaint include WinFixer, WinAntivirus, DriveCleaner, WinAntispyware, ErrorProtector, ErrorSafe, SystemDoctor, AdvancedCleaner, Antivirus XP, and XP Antivirus 2008. These are remarkably similar to the names used by the Bakasoftware group that Joe reported on: Easy Spyware Cleaner, SpyRid, InfeStop, WinIFixer, Advanced XP Defender, Advanced XP Fixer, Malware Protector 2008, and Antivirus XP 2008. We do not believe these groups are related, but rather that this is another example of successful tactics being copied by other malicious actors.

    These scareware products have defrauded millions of dollars from consumers and left them vulnerable to other malware. It’s great to see the FTC take action against them. The order also requires the defendants to supply the FTC with business records, including affiliate data.

    Hopefully the FTC will also be able to go after the affiliates as well. As we previously disclosed, affiliates can earn big money from this kind of scam. A hacker known as NeoN broke into the Bakasoftware affiliate website and found that some affiliates were earning in excess of a hundred thousand dollars a week installing antivirus scareware.

    The hearing for this issue is scheduled for this afternoon (Friday, December 12, 2008). The defendants are ordered to appear, but personally I don’t have terribly much confidence they will be there. Even if not, I’d like to see the FTC follow the paper trail and seize assets. The complaint, restraining order, and press release can be found at the FTC’s website. Good job FTC, and good luck chasing the money trail.


  • First Atrivo, Now McColo

    November 18th, 2008 by Nick Chapman

    Security researchers have had a number of victories to celebrate recently. First Atrivo and now McColo have been disconnected from the Internet. This was done not by law enforcement or other governmental action, but rather by the concerted efforts of the Internet community. The Internet is made up of privately owned networks that are voluntarily connected. The companies that were connected to Atrivo and McColo have severed those connections, removing the companies from the Internet.

    Removing those two companies from the Internet has also removed large amounts of botnet and spam infrastructure. Several sources have reported seeing spam drop as much as 60-70% following McColo’s loss of connectivity. There was a similar, but smaller, drop when Atrivo was taken offline. Of course, one of the reasons that the McColo disconnect reduced spam more than Atrivo’s is that some of the spammers simply moved from Atrivo to McColo.

    Back in October, my colleague Joe Stewart documented the Warezov botnet moving to McColo and also predicted (quite correctly as it turned out) that disconnecting McColo would reduce spam by one-half world wide. A number of other botnets, including Rustock, Srizbi, Pushdo and Ozdok had infrastructure hosted at McColo.

    It’s clear that this infrastructure remains in place. Over the weekend McColo was able to temporarily find a new upstream provider. Thankfully, they were quickly shut down again. However, this did allow botnet C&C platforms in McColo to connect to their bots, updating software and rerouting the bots to new C&C servers located elsewhere. This has been seen to be happening with Srizbi, where researchers were able to register domains used as a fallback C&C mechanism.

    Other botnets will also be relocating their C&C servers. While most, if not all, will just pop up in another datacenter, the growing trend of upstream providers disconnecting nefarious hosting companies is encouraging. So far these companies have been US based. We’re now seeing early evidence that bot-herders are moving their C&C servers overseas. The next question is: will the Internet community be able to put pressure on those companies and their upstream providers to prevent the bot-herders from finding a new safe haven?


  • Tracking Gimmiv

    November 3rd, 2008 by Joe Stewart

    On October 23, 2008, Microsoft released an out-of-cycle emergency patch for a flaw in the Windows RPC code. The reason for this unusual occurrence was the discovery of a “zero-day” exploit being used in the wild by a worm (or trojan, depending on how you look at it). The announcement of a new remote exploit for unpatched Windows systems always raises tension levels among network administrators. The fact that this one was already being used by a worm evoked flashbacks of Blaster and Sasser and other previous threats that severely impacted the networked world.

    But, unlike these past worms, Gimmiv turned out to have infected scarcely any networks at all. One reason for this is that the scanning done by Gimmiv looking for vulnerable hosts is limited to the local subnet, meaning it can only jump networks if an infected computer is moved from one network to another. Even if this were not the case, by default Windows XP SP2 (and above) restricts connections to the RPC ports to the local subnet only. So although future trojans and worms might utilize the same exploit, the window of opportunity for a globally impacting worm using this vector has passed for the most part.

    Because of some mistakes made by the author(s) of Gimmiv, third parties were able to download the logfiles of the Gimmiv control server. Although most of the data in the logs is AES-encrypted, we were able to find the key hardcoded in the Gimmiv binary and decrypt the data.

    Although it has been reported that Gimmiv is a credential-stealing trojan, this functionality is actually not used - the gathered data is never sent. What is sent is simply basic system information, such as the Windows version, IP and MAC address, Windows install date/time and the default system locale. Using this data we were able to track exactly how many computers had been infected prior to October 23rd (after this time infection counts are somewhat skewed due to malware researchers all over the world investigating Gimmiv). As it turns out, only around 200 computers were infected since the time Gimmiv was actively deployed on September 29, 2008.

    By converting the decrypted log data into KML format, we were able to use Google Maps and Google Earth to take a look at the global impact and spread of Gimmiv. Only 23 countries had infected users, and Southeast Asia appeared to have the greatest number of infections:

    Gimmiv world map

    Each computer on the maps above represents a Gimmiv-infected location - due to NAT, this may include dozens of computers. For example, two networks in Malaysia had the most infections:

    Gimmiv in Malaysia

    While Malaysia was the hardest hit, it appears that the “in-the-wild” spread of Gimmiv may have started in Vietnam on September 29:

    Gimmiv patient zero?

    But, looking in the logs, we actually see that Gimmiv appeared first on August 20, 2008 - but we don’t count this as being in-the-wild. This is because logs were seen from only two IP addresses, only briefly. One of these IP addresses, located in Korea, we can tell was running Gimmiv in a VMware virtual machine - exactly the kind of thing you might expect someone testing a piece of malicious mobile code to do:

    Gimmiv test from VMware machine in South Korea

    Additionally, a zip file left behind on one of the control servers contained Korean characters in the compressed folder name. For these two reasons, we believe Gimmiv’s author is probably from South Korea.

    The KML file used to generate the maps above can be downloaded into Google Earth and is available here.


  • Beginning of the end for EstDomains

    November 3rd, 2008 by Hunter King

    If you’re a hacker wanting to register a domain for nefarious purposes, EstDomains is your go-to guy. They registered tens of thousands of malicious domains during their existence, providing an integral piece of the malware lifecycle. The Russian Business Network (RBN) used them extensively for their “bullet proof” hosting (web hosting designed to make takedowns extremely difficult if not impossible). Back in February of this year Vladimir Tsastsin, EstDomains founder, was sentenced to three years in prison for forgery, money laundering and credit card fraud. This conviction caused EstDomains to break section 5.3 of ICANN’s Registrar Accreditation Agreement. This section states:

    Any officer or director of [a] Registrar is convicted of a felony or of a misdemeanor related to financial activities, or is adjudged by a court to have committed fraud or breach of fiduciary duty, or is the subject of judicial determination that ICANN deems as the substantive equivalent of any of these; provided such officer or director is not removed in such circumstances.

    On October 28th, ICANN notified EstDomains that on November 12th, 2008, it would no longer be an accredited registrar. ICANN has posted this notice here: http://www.icann.org/correspondence/burnette-to-tsastsin-28oct08-en.pdf

    EstDomains is currently attempting to distance themselves from Tsastsin in an attempt to stay in business. They responded to ICANN claiming Tsastsin was removed from his position in January, one month before his conviction, on the 29th: http://www.icann.org/correspondence/poltev-to-burnette-29oct08-en.pdf

    Due to this response, on October 29th ICANN stayed the termination process:
    http://www.icann.org/en/announcements/announcement-2-29oct08-en.htm

    Hopefully ICANN will make the right decision and shut down these criminals for good.


  • DarkMarket: FBI Sting Closes E-Doors

    October 21st, 2008 by Dennis Dwyer

    DarkMarket.ws (known in carding, identity theft, and other black-hat rings) went “Dark” earlier this month. DarkMarket was widely known and respected among criminals as a forum for exchanging stolen banking data, credit card information, and other underground activities. What users of the site didn’t know was that the site wasn’t really hosted by Eastern-European hackers. Agents of the National Cyber Forensics Training Alliance, running the site from an FBI location in Pittsburgh, PA, collaborated with industry professionals and graduate students to help trace the identities and locations of criminals. The DarkMarket site was run primarily by agent J. Keith Mularski, under the handle ‘Master Splyntr’.

    Reports leaked from Südwestrundfunk, a German radio station, revealed the FBI operation’s role in detaining a German card fraudster active on the site. In operation since November of 2006, DarkMarket was especially well known for English-speaking forums. Ironically, soon after DarkMarket’s launch in 2006, well-known hacker Max Ray Butler penetrated the site’s servers and found information revealing FBI ties. Butler’s claims to the underground were largely ignored; at the time, he ran a competing underground forum. As a result, most believed his claims false. DarkMarket successfully continued operations despite Butler’s claims.

    Now that the site has gone down and the cat is out of the bag, numerous arrests are expected. This is a big win for the good guys. So far, 56 arrests have been made. We have a suspicion that others who may have conducted business at DarkMarket have not been sleeping too well, as additional arrests are expected.

    In this case, the FBI got it right. It’s an impressive feat to penetrate the inner circle of these criminals.


  • ClickJacking Attacks

    October 10th, 2008 by Dennis Dwyer

    ClickJacking has recently been getting lots of media attention. Security researchers Robert Hansen (“RSnake”) and Jeremiah Grossman planned to give a talk outlining this vulnerability at OWASP AppSec, but the talk was cancelled. At this point, some details have come to light. The specifics of the attack may vary: some variants require JavaScript, Flash, cross-domain access, IFRAMEs, overlays, or a combination of these.

    The attack starts with a malicious web page whose content has consequences the user did not intend. Objects embedded in the page may capture mouse clicks and direct them to a hidden target. Hijacked clicks may be used in many ways, including deleting mail, advertisement click fraud, or other, more sinister actions. A demo page demonstrating one possible variation (reading images from a webcam without the user’s knowledge) can be seen at the following URL:

    http://guya.net/security/clickjacking/game.html

    Unfortunately, there is no quick and easy fix. Firefox users using the NoScript plugin will thwart the majority of these attacks (make sure you are using version 1.8.1.9 or later!). We will continue to monitor this vulnerability and provide an update when more information is available.


  • ToorCon Report

    October 1st, 2008 by Sean Caulfield

    Greetings from sunny San Diego! The past couple of days have been an absolute blast. The folks at ToorCon have put together an awesome conference this year, including speakers from around the world presenting some cutting edge research.

    Ben Feinstein and I attended a two-day “crash course” in penetration testing offered by Learn Security Online. Chris Gates and Joe McCray presented some excellent introductory material. They also included a few advanced evasion techniques that I hadn’t seen before. It’s always good to sharpen your skills.

    During the Friday seminars, Jay Beale from InGuardians gave an overview of his man-in-the-middle tool, The Middler. He mentioned the code would be released Real Soon Now, so I look forward to a chance to play around with it. Jared DeMott, now at Crucial Security, also gave a rundown of reverse engineering using IDA Pro and the Immunity Debugger. I’m a big fan of Jared’s previous work with fuzzing.

    The first day of the convention was pretty packed. Since I didn’t have the chance to attend Black Hat/Defcon this year, Dan Kaminsky’s DNS keynote and Alex Sotirov’s evasion of Vista’s memory protections were fresh and eye-opening to me. Ben also gave his talk about brute-forcing SSH sessions that use the broken Debian SSL libraries, the code for which is available as part of our open-sourced Snort plugins. Joe McCray also gave a good survey of various advanced SQL injection techniques; I really like his classification scheme for the types of SQL injection. Finally, Kurt Grutzmacher’s squirtle tool for obtaining and reusing NTLM hashes from inside corporate networks via XSS definitely proves that you must secure even internal Web applications.

    Day two’s shorter format squeezed a lot more presentations in, but some of them kind of felt pressed for time. Marc Bevard showed how to crack DES passwords with the PS3, using some awesomely optimized code. Chema Alonso released a tool for downloading remote files via blind SQL injection. Dennis Brown presented some interesting new details on the Asprox/Damnec botnet, which we’ve covered before. The presentation on hacking telephone entry systems elicited a few chuckles, especially the “dial 333 for rickroll” segment. Stephan Chenette’s presentation on browser hooking is an excellent new technique for deobfuscating JavaScript, like our Caffeine Monkey tool. I’ve been really impressed with the convention this year. ToorCon is big enough to attract some high quality presenters, but still small enough that you don’t get lost in the crowd. Hope to see everyone again next year!


  • Speaking at ToorCon This Weekend

    September 23rd, 2008 by Ben Feinstein

    I have the honor of presenting at ToorCon X this coming weekend at the San Diego Convention Center. I will be delivering a new talk entitled “Loaded Dice: SSH Key Exchange & the OpenSSL PRNG Vuln” at 2pm PDT on Saturday, September 27. If you’re in the vicinity of southern California this weekend, I encourage you to make the trip down to ToorCon. Based on my experience as an attendee last year, it is a great smaller con with a strong reputation for very deep technical talks.

    I’ll also be in the Crash Course in Penetration Testing Workshop and the Deep Knowledge Seminars, so maybe I’ll catch some of y’all there too, before the actual conference kicks off Friday evening.


  • Droppin’ Some Hashes

    September 22nd, 2008 by Ben Feinstein

    At SecureWorks, we follow a Responsible Disclosure Policy. As such, when we find vulnerabilities in other vendors’ products or services, there is often a delay between the discovery and when we can publicly disclose the issue.

    The following cryptographic hashes are related to a couple of disclosure processes I kicked off on Thursday, September 18, 2008.

    File #1
    MD5 b0625c8d39e3fcfaf51a577e310eb053
    SHA1 0a8bdb073855eee0d31ff3afb081cf1d8d17c2bd

    File #2
    MD5 c74309900e7b11de5d7f211eb536cdb6
    SHA1 99870aa6a0b4b33a88a2fbfd3eb83ce38bfbb7ce

