<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CounterMeasures -  A Security Blog  vulnerability</title>
	<atom:link href="http://countermeasures.trendmicro.eu/category/vulnerability/feed/" rel="self" type="application/rss+xml" />
	<link>http://countermeasures.trendmicro.eu</link>
	<description>Rik Ferguson blogs about current security issues.</description>
	<lastBuildDate>Wed, 28 Jul 2010 17:12:49 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Don&#8217;t take shortcuts</title>
		<link>http://countermeasures.trendmicro.eu/shortcut-to-infection/</link>
		<comments>http://countermeasures.trendmicro.eu/shortcut-to-infection/#comments</comments>
		<pubDate>Tue, 20 Jul 2010 08:40:58 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[malware]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[compromise]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[data loss]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[malicious code]]></category>
		<category><![CDATA[microsoft]]></category>
		<category><![CDATA[rootkit]]></category>
		<category><![CDATA[SCADA]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Trojan]]></category>
		<category><![CDATA[USB]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=2257</guid>
		<description><![CDATA[&#160; On the 16th of July Microsoft released Security Advisory 2286198 confirming an as yet unpatched vulnerability in Windows Shell that exposes all users of all current versions of Microsoft Windows to very real risk of attack and infection. &#160; According to Microsoft &#8220;The vulnerability exists because Windows incorrectly parses shortcuts in such a way [...]]]></description>
			<content:encoded><![CDATA[<p><div id="attachment_2258" class="wp-caption alignleft" style="width: 385px"><img class="size-full wp-image-2258" title="Don't take shortcuts" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/07/shortcuts.jpg" alt="Don't take shortcuts" width="375" height="500" /><p class="wp-caption-text">picture from bradleygee&#39;s Flickr photostream under Creative Commons.</p></div><br />
&nbsp;<br />
On the 16th of July Microsoft released <a title="Microsoft Security Advisory (2286198)" href="http://www.microsoft.com/technet/security/advisory/2286198.mspx" target="_blank">Security Advisory 2286198 </a>confirming an as yet unpatched vulnerability in Windows Shell that exposes all users of <strong><span style="text-decoration: underline;">all</span></strong> current versions of Microsoft Windows to very real risk of attack and infection.<br />
&nbsp;<br />
According to Microsoft &#8220;<em>The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the icon of a specially crafted shortcut is displayed.</em>&#8221; So what does that mean in plain language?<br />
&nbsp;</p>
<blockquote><p>It means that if any user of Microsoft Windows opens a folder containing a shortcut which has been designed to exploit this vulnerability, they will be infected. No opening of files required, simple browsing is enough.</p></blockquote>
<p>&nbsp;<br />
Although Microsoft have stated that &#8220;<em>This vulnerability is most likely to be exploited through removable drives</em>&#8221; users should be on their guard against all shortcut files whose authenticity they cannot guarantee. This same vulnerability could be exploited through contaminated file shares or something as simple as a malicious compressed archive such as a zip file.<br />
&nbsp;<br />
Worryingly, the malware that was first exploiting this vulnerability appeared to be highly targeted, looking for <a href="http://www.sea.siemens.com/us/News/Industrial/Pages/SIEMENS-WinCC-SCADA-SOFTWARE-NOW-SUPPORTS-WINDOWS-VISTA.aspx" target="_blank">Siemens WinCC SCADA systems</a>. SCADA systems are routinely used in the control of utilities such as power and water and also in large-scale manufacturing. Siemens were <a title="New virus targets industrial secrets" href="http://www.computerworld.com/s/article/9179298/New_virus_targets_industrial_secrets" target="_blank">warning their customers</a> of this as early as July 14th.<br />
&nbsp;<br />
The source code for this malware is now in open distribution, (and <a title="LNK vulnerability now with Metasploit module implementing the WebDAV method" href="http://isc.sans.edu/diary.html?storyid=9199" target="_blank">incorporated into the Metasploit framework</a>) and we can expect to see widespread criminal adoption of this technique from this point.<br />
&nbsp;<br />
For now the best defence against attacks is contained within the Microsoft Security Advisory: disable the displaying of icons for shortcuts and disable the WebClient service.<br />
&nbsp;<br />
Further details on Trend Micro&#8217;s detection of the malware involved are available on the <a title="USB Worm Exploits Windows Shortcut Vulnerability" href="http://blog.trendmicro.com/usb-worm-exploits-windows-shortcut-vulnerability/" target="_blank">TrendLabs blog.</a> Please be aware this is a breaking situation and further malware will take advantage of this same vulnerability.</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/shortcut-to-infection/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>New malicious Twitter spam</title>
		<link>http://countermeasures.trendmicro.eu/new-malicious-twitter-spam/</link>
		<comments>http://countermeasures.trendmicro.eu/new-malicious-twitter-spam/#comments</comments>
		<pubDate>Tue, 15 Jun 2010 14:36:25 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[Web 2.0]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[malicious code]]></category>
		<category><![CDATA[PDF]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[Twitter]]></category>
		<category><![CDATA[web]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=2169</guid>
		<description><![CDATA[Just a couple of hours ago I started getting some very shady looking tweets like the below. &#160; &#160;  The link in the post is abbreviated, but leads on to a site hosting some obfuscated JavaScript.  &#160; &#160;  If this JavaScript is executed by the browser an unpleasant payload is delivered to the victim. So [...]]]></description>
			<content:encoded><![CDATA[<p>Just a couple of hours ago I started getting some very shady looking tweets like the below.<br />
&nbsp;<br />
<div id="attachment_2170" class="wp-caption alignleft" style="width: 541px"><img class="size-full wp-image-2170" title="maltweet" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/06/maltweet.png" alt="" width="510" height="91" /><p class="wp-caption-text">Malicious Tweet</p></div><br />
&nbsp; <br />
The link in the post is abbreviated, but leads on to a site hosting some obfuscated JavaScript.<br />
 &nbsp;<br />
<a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/06/script.png"><img class="alignleft size-full wp-image-2171" title="script" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/06/script.png" alt="" width="510" height="201" /></a><br />
&nbsp; <br />
If this JavaScript is executed by the browser an unpleasant payload is delivered to the victim. So far we have seen both malicious PDF documents and executable files. These Trojans attempt to connect to additional locations to download further malware. TrendLabs are currently investigating; watch the blog for updates.<br />
&nbsp; <br />
This latest Twitter malspam follows hot on the heels of the <a title="FIFA and Gaza Attack Tweets Dump Backdoors" href="http://blog.trendmicro.com/fifa-and-gaza-attack-tweets-dump-backdoors/" target="_blank"><span style="color: #0000ff;">Gaza and FIFA spam run</span></a><span style="color: #0000ff;"> </span>earlier this month.<br />
&nbsp; <br />
Be careful where you click and make sure your security software is blocking those evil links.<br />
&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/new-malicious-twitter-spam/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>iProtect, iEncrypt&#8230; iLeak</title>
		<link>http://countermeasures.trendmicro.eu/iprotect-iencrypt-ileak/</link>
		<comments>http://countermeasures.trendmicro.eu/iprotect-iencrypt-ileak/#comments</comments>
		<pubDate>Wed, 02 Jun 2010 16:03:18 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Family Safety]]></category>
		<category><![CDATA[data leakage]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[data loss]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[snooping]]></category>
		<category><![CDATA[telephone]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=2028</guid>
		<description><![CDATA[or, Careful With Those Naked Snaps! &#160; I was very interested by a blog post by Bernd Marienfeldt that I read today, which appears to illustrate a serious security weakness in Apple&#8217;s iPhone data encryption implementation. &#160; &#160; The iPhone 3GS offers Full Disk Encryption using 256 bit AES encoding which should (theoretically) keep your [...]]]></description>
			<content:encoded><![CDATA[<p><strong>or, Careful With Those Naked Snaps!</strong><br />
&nbsp;<br />
I was very interested by a <a title="iPhone business security framework" href="http://marienfeldt.wordpress.com/2010/03/22/iphone-business-security-framework/" target="_blank">blog post </a>by Bernd Marienfeldt that I read today, which appears to illustrate a serious security weakness in Apple&#8217;s iPhone data encryption implementation.<br />
&nbsp;<br />
<div id="attachment_2031" class="wp-caption alignleft" style="width: 513px"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/06/02-06-2010-16-49-03.png"><img class="size-full wp-image-2031" title="Backup" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/06/02-06-2010-16-49-03.png" alt="" width="503" height="202" /></a><p class="wp-caption-text">A flaw that allows an unauthorised backup to be made? Shurely shome mishtake...</p></div><br />
&nbsp;<br />
The iPhone 3GS offers Full Disk Encryption using 256-bit AES encryption which should (theoretically) keep your sensitive data safe from prying eyes. It has been public for almost a year that this encryption <a title="Hacker Says iPhone 3GS Encryption Is ‘Useless’ for Businesses" href="http://www.wired.com/gadgetlab/2009/07/iphone-encryption/" target="_blank">does not stand up to </a>even the most basic hacking or forensics tools. This latest flaw however will seemingly expose your data to anyone capable of simply booting the device; <strong>even if you have set a security PIN.</strong><br />
&nbsp;<br />
<strong> </strong></p>
<p>Bernd Marienfeldt has discovered that by booting a PIN protected iPhone, while it is connected to the USB port of an Ubuntu system, he could access</p>
<blockquote><p>&#8220;music, photos, videos, podcasts, voice recordings, Google safe browsing database, game contents… by in my opinion the quickest compromising read/write access discovered so far, without leaving any track record by the attacker.&#8221;</p></blockquote>
<p>&nbsp;<br />
This access was through the Ubuntu interface and did not require any PIN at all; furthermore, the access was not simply read-only, but read/write.<br />
&nbsp;<br />
<div id="attachment_2032" class="wp-caption alignleft" style="width: 392px"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/06/02-06-2010-16-49-31.png"><img class="size-full wp-image-2032" title="access" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/06/02-06-2010-16-49-31.png" alt="" width="382" height="286" /></a><p class="wp-caption-text">Even on a standard Windows Vista system, no PIN is required</p></div><br />
&nbsp;<br />
Further <a title="iPhone-Leck weitet sich aus" href="http://www.heise.de/security/meldung/iPhone-Leck-weitet-sich-aus-Update-1012473.html" target="_blank">testing by heise Security</a> has shown that it is also possible to trick an iPhone into pairing with a PC running iTunes in the same way. This is a phenomenon that I have been able to reproduce, again using a PIN protected, hardware encrypted iPhone.<br />
&nbsp;<br />
This related vulnerability is even more worrying than the first. If an attacker manages to pair an iPhone with an unauthorised PC they can make a full backup of the phone, which would include notes, messages and even plain text passwords.<br />
&nbsp;<br />
Testing indicates that this unauthorised pairing and folder access only occurs when the phone has been shut down in an unlocked state, which does serve to mitigate the risk somewhat.<br />
&nbsp;<br />
However when a supposed hardware implementation of full disk encryption surrenders any data <strong>*at all*</strong> in the absence of credentials, something, somewhere is very broken.<br />
&nbsp;<br />
Mr. Marienfeldt reports that Apple have acknowledged the flaw but not yet made any indications of a fix schedule.</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/iprotect-iencrypt-ileak/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>You just can&#8217;t trust a drunk</title>
		<link>http://countermeasures.trendmicro.eu/you-just-cant-trust-a-drunk/</link>
		<comments>http://countermeasures.trendmicro.eu/you-just-cant-trust-a-drunk/#comments</comments>
		<pubDate>Sat, 08 May 2010 22:01:36 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[Opinion]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[malicious code]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=2001</guid>
<description><![CDATA[I was very interested to read an article on The Register yesterday and then try to wrap my brain around the associated research paper from matousec.com. &#160; &#160; The research paper details a method by which the researchers claim to be able to bypass every anti-malware product they tested against and the list of the [...]]]></description>
<content:encoded><![CDATA[<p>I was very interested to read an <a title="New attack bypasses virtually all AV protection" href="http://www.theregister.co.uk/2010/05/07/argument_switch_av_bypass/" target="_blank">article</a> on The Register yesterday and then try to wrap my brain around the associated <a title="KHOBE – 8.0 earthquake for Windows desktop security software" href="http://www.matousec.com/info/articles/khobe-8.0-earthquake-for-windows-desktop-security-software.php" target="_blank">research paper</a> from matousec.com.<br />
&nbsp;<br />
<div id="attachment_2002" class="wp-caption alignleft" style="width: 510px"><a href="http://www.flickr.com/photos/dr1066/203919554/"><img class="size-full wp-image-2002" title="Arguments Yard" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/05/arguments-yard.jpg" alt="Arguments Yard" width="500" height="332" /></a><p class="wp-caption-text">Image from dr1066&#39;s Flickr photostream (Creative Commons License)</p></div><br />
&nbsp;<br />
The research paper details a method by which the researchers claim to be able to bypass every anti-malware product they tested against, and the list of the 34 products they tested is impressive, covering every major vendor.<br />
&nbsp;<br />
The method as described in the research paper involves something called an “<em>argument switch</em>” attack which they have dubbed KHOBE, an acronym for Kernel Hook Bypassing Engine. The paper details how, because of the way that security software hooks into the Windows operating system, an anti-malware program can be asked to check “innocent” code before being fooled into passing malicious code off for execution; this is the so-called “<em>argument switch</em>”. The attack relies on this switch happening at exactly the right time, after the “innocent” code has been checked and before responsibility is handed to the operating system; this is what is known as a <a title="Wikipedia - Race Condition" href="http://en.wikipedia.org/wiki/Race_condition" target="_blank">race condition</a>.<br />
&nbsp;<br />
The research is certainly interesting and I’m sure will be very widely referenced in the anti-malware industry as they re-engineer to overcome the issue. However for me it sheds more light on a wider and maybe more concerning issue: simply that in standard endpoint security architecture, protection engines run in the same context as the malware they try to protect against.<br />
&nbsp;<br />
If the title and content of the matousec.com research article “<em>Earthquake for Windows desktop security software</em>” have you worried, then it is worth noting that this problem of context is not something that Trend Micro have been ignoring. In fact we have been developing different technologies to overcome just such an issue.<br />
&nbsp;<br />
One important outcome of this is manifested in work that Trend Micro have been doing with VMware which will allow us to offer <strong><em>agentless</em></strong> anti-malware to virtual machines; protection which operates in an entirely different context to the malware itself and which could not be subverted by an attack such as the one described by matousec.com. Another manifestation of a response to this same issue, this time in the non-virtualised world, is <a title="Trend Micro Threat Management Services" href="http://uk.trendmicro.com/uk/solutions/enterprise/security-solutions/threat-management/" target="_blank">Threat Management Services </a>in which all detection operates out-of-band and pattern-free cleanup happens at the endpoint.<br />
&nbsp;<br />
So while matousec.com’s research is absolutely important and significant in the short term (if you&#8217;re still using Windows XP), longer term solutions need to build on increasing the possibility of moving effective protection off-box. After all, the drunk guy is always going to tell you he’s OK.</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/you-just-cant-trust-a-drunk/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>YES the partner friendly exploit system.</title>
		<link>http://countermeasures.trendmicro.eu/yes-the-partner-friendly-exploit-system/</link>
		<comments>http://countermeasures.trendmicro.eu/yes-the-partner-friendly-exploit-system/#comments</comments>
		<pubDate>Thu, 11 Mar 2010 16:01:31 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Underground Economy]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hacked]]></category>
		<category><![CDATA[malicious code]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[web]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=1884</guid>
		<description><![CDATA[The Russian crimeware &#8220;YES Exploit System&#8221; is a fully manageable system that generates malicious code for injecting into compromised pages or malicious web sites. This code is designed to redirect victims to files on your own hosted exploit server allowing you to push out malicious files invisibly and instantly, and it just got a major [...]]]></description>
			<content:encoded><![CDATA[<p>The Russian crimeware &#8220;YES Exploit System&#8221; is a fully manageable system that generates malicious code for injecting into compromised pages or malicious web sites. This code is designed to redirect victims to files on your own hosted exploit server allowing you to push out malicious files invisibly and instantly, and it just got a major version update.<br />
&nbsp;<br />
The advertisement for the latest version boasts:</p>
<blockquote><p>&#8220;Hacked all Windows version 9x to 7 32 bit and 64 bit<br />
Hacked all browsers running a vulnerable plug-in&#8221;</p></blockquote>
<p>Using the built-in TDS (Traffic Direction System) criminals can specify which malware they want to push out by country, by browser and by OS. It is clearly designed to support the inter-related vendor infrastructure of the criminal economy. YES Exploit System is a fully fledged platform for delivering malware on behalf of other criminal enterprises, perhaps to seed a new ZeuS campaign or maybe to push out some scareware. As <a title="Kneber for sale or rent" href="http://countermeasures.trendmicro.eu/kneber-for-sale-or-rent-rooms-to-let-50-cents/" target="_blank">previous blog posts </a>have shown, YES is often bundled into full service underground ZeuS offerings. As you can see from the screen shot below, projects can be divided on a per-customer basis.<br />
&nbsp;<br />
<div id="attachment_1885" class="wp-caption alignleft" style="width: 548px"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/03/loads.1png.png"><img class="size-full wp-image-1885  " title="YES Exploit Pack interface" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/03/loads.1png.png" alt="YES Exploit Pack interface" width="510" height="191" /></a><p class="wp-caption-text">click to enlarge</p></div><br />
&nbsp;<br />
One feature that really stood out for me in this new version, in light of other <a title="Cybercriminals research their own bad reputation" href="http://countermeasures.trendmicro.eu/cybercriminals-research-their-own-bad-reputation/" target="_blank">recent blog postings</a>, was the addition of a module that automates testing against AV vendors to ensure the malware remains undetected. This is in addition to URL checking functionality already released in earlier versions of YES.<br />
&nbsp;<br />
In another illustration of cloud adoption in online crime, the module is priced on a subscription basis at $70 USD per month (including support of course) and tests malicious files against 26 of the biggest security companies out there. All processing is offloaded so as not to overburden your own server.<br />
&nbsp;<br />
<div id="attachment_1890" class="wp-caption alignleft" style="width: 463px"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/03/virtest.png"><img class="size-full wp-image-1890  " title="Virus scanning results" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/03/virtest.png" alt="Virus scanning results" width="453" height="255" /></a><p class="wp-caption-text">click to enlarge</p></div><br />
&nbsp;<br />
As is so often the case, the first step in this chain of compromise is a malicious script inserted into an otherwise innocent website; my <a href="http://countermeasures.trendmicro.eu/which-browser-is-the-most-secure-is-that-the-question/">previous blog post</a> gives you a few tips on securing your browser against these types of attack.</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/yes-the-partner-friendly-exploit-system/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Which browser is the most secure, is that the question?</title>
		<link>http://countermeasures.trendmicro.eu/which-browser-is-the-most-secure-is-that-the-question/</link>
		<comments>http://countermeasures.trendmicro.eu/which-browser-is-the-most-secure-is-that-the-question/#comments</comments>
		<pubDate>Wed, 10 Mar 2010 17:20:02 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[Family Safety]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[Social Engineering]]></category>
		<category><![CDATA[Updates & Patches]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[browser]]></category>
		<category><![CDATA[browser election]]></category>
		<category><![CDATA[chrome]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[firefox]]></category>
		<category><![CDATA[internet explorer]]></category>
		<category><![CDATA[malicious code]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[safari]]></category>
		<category><![CDATA[safest browser]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[web]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=1870</guid>
		<description><![CDATA[Over the past week I have been asked twice now for my opinion on the question &#8220;Which browser is the most secure?&#8221; Probably as a result of the release of Microsoft&#8217;s &#8220;Browser Choice&#8221; update. In my view, this choice that people are being prompted to make is leading most of us to ask the wrong [...]]]></description>
<content:encoded><![CDATA[<p>Over the past week I have been asked twice now for my opinion on the question &#8220;Which browser is the most secure?&#8221;, probably as a result of the release of Microsoft&#8217;s &#8220;<a title="Microsoft spits out 'browser choice' update to appease EC antitrust probe" href="http://www.theregister.co.uk/2010/03/01/microsoft_browser_ballot/" target="_blank">Browser Choice&#8221; update</a>. In my view, this choice that people are being prompted to make is leading most of us to ask the wrong question entirely. Your browser will not keep you safe, whoever made it; you need to take steps to keep *yourself* safe, whichever browser you choose.<br />
&nbsp;<br />
<div id="attachment_1876" class="wp-caption alignleft" style="width: 489px"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/03/5Browsers1.jpg"><img class="size-full wp-image-1876" title="5Browsers" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/03/5Browsers1.jpg" alt="" width="479" height="177" /></a><p class="wp-caption-text">Image: J. Anderson</p></div><br />
&nbsp;<br />
This update no doubt exposes millions of users to a choice which they may not, in many cases, have even been aware they were able to make; the choice of which application to use when browsing the web. Many alternatives are available when making this important choice; Internet Explorer (natch), Mozilla Firefox, Safari, Opera, Google Chrome and seven others are on offer through the Microsoft pop-up.<br />
&nbsp;<br />
Rightly, security is many folks&#8217; primary concern when browsing online these days, so they want to know which browser is the safest or will offer them the highest personal security. I&#8217;m not convinced though that &#8220;<em>Which browser is the most secure?</em>&#8221; is really the right question.<br />
&nbsp;<br />
Every browser has its flaws, vulnerabilities and patches (or lack of them). In any case attacks are increasingly aimed not only at browsers but at application plug-ins like QuickTime, Flash or Acrobat that can be used in multiple different flavours of browser. Either that or they are simply attacks aimed at the individual using the browser (like phishing, pretexting and other social engineering attacks).<br />
&nbsp;<br />
Better (and more useful) advice than “<em>Which browser is most secure?”</em> would be “<em>How can I best secure my browser of choice?</em>” Trend Micro offers <strong>free</strong> tools such as <a title="Download Browser Guard" href="http://www.trendmicro.com/download/product.asp?productid=102" target="_blank">Browser Guard</a> and the <a title="Web Protection Add-On" href="http://free.antivirus.com/web-protection-add-on/" target="_blank">Web Protection Add-On </a>for Internet Explorer. Browser Guard detects and blocks popularly used exploit techniques (such as heap spray and buffer overflow, as well as looking for shellcode), offering proactive protection against unknown threats. The Web Protection Add-On blocks known malicious sites. Many other tools and plug-ins for many other browsers are also out there, such as <a href="https://addons.mozilla.org/en-US/firefox/addon/1865" target="_blank">AdBlock Plus </a>or <a title="NoScript" href="https://addons.mozilla.org/en-US/firefox/addon/722" target="_blank">NoScript</a> for Firefox, just for example.<br />
&nbsp;<br />
It&#8217;s different strokes for different folks, and various security tools or techniques require varying degrees of familiarity with the browser, with technology or with threats in general in order to effectively protect you without ruining your Internet experience beyond redemption. Helpfully, different <a title="Browser Security Test from NSS Labs" href="http://nsslabs.com/test-reports/NSSLabs_Q12010_GTRBrowserSEM_FINAL.pdf" target="_blank">independent tests</a> and opinions will give you conflicting advice, of course.<br />
&nbsp;<br />
In most cases the best advice is to stick with the browser you are most familiar with but take steps to secure it. If you suddenly jump into using a browser with which you are unfamiliar, just as a simple knee-jerk reaction, your unfamiliarity may leave you less secure than you were before the change.</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/which-browser-is-the-most-secure-is-that-the-question/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Google, China, Chicken Little and Cyber Armageddon.</title>
		<link>http://countermeasures.trendmicro.eu/google-china-chicken-little-and-cyber-armageddon/</link>
		<comments>http://countermeasures.trendmicro.eu/google-china-chicken-little-and-cyber-armageddon/#comments</comments>
		<pubDate>Tue, 19 Jan 2010 14:00:10 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[Updates & Patches]]></category>
		<category><![CDATA[data leakage]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[compromise]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[data loss]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hacked]]></category>
		<category><![CDATA[malicious code]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=1680</guid>
		<description><![CDATA[&#160; In the wake of the highly publicised &#8220;highly sophisticated and targeted&#8221; attacks on Google, at least three major governments have issued advisories urging their citizens to switch browsers away from Microsoft Internet Explorer. A well-known security company has redesigned their web sites to include a large ominous &#8220;Operation Aurora&#8221; graphic (that links to trial [...]]]></description>
			<content:encoded><![CDATA[<p><div id="attachment_1707" class="wp-caption alignleft" style="width: 510px"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/01/Chicken-Little.jpg"><img class="size-full wp-image-1707" title="Foxy Loxy by Gustaf Tenggren" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/01/Chicken-Little.jpg" alt="" width="500" height="399" /></a><p class="wp-caption-text">Foxy Loxy by Gustaf Tenggren</p></div><br />
&nbsp;<br />
In the wake of the highly publicised &#8220;highly sophisticated and targeted&#8221; attacks on Google, at least three major governments have <a title="British government ignores MS browser fears" href="http://www.theregister.co.uk/2010/01/18/browser_hole/" target="_blank">issued advisories </a>urging their citizens to switch browsers away from Microsoft Internet Explorer. A well-known security company has redesigned their web sites to include a large ominous &#8220;Operation Aurora&#8221; graphic (that links to trial downloads of pre-existing software). The attacks have been <a title="McAfee SI blog" href="http://siblog.mcafee.com/cto/operation-%E2%80%9Caurora%E2%80%9D-hit-google-others/" target="_blank">described as </a>&#8220;changing the world&#8221; by the CTO of that same security company and as &#8220;something quite different&#8221; by Google.<br />
&nbsp;<br />
How much of this is real, justified and proportionate?<br />
&nbsp;<br />
So what do we know so far? Well, <a title="A new approach to China" href="http://googleblog.blogspot.com/2010/01/new-approach-to-china.html?utm_campaign=en&amp;utm_source=en-ha-ww-ww-bk-cn&amp;utm_medium=ha&amp;utm_term=google%20china" target="_blank">according to Google </a>&#8220;<em>In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google</em>&#8221;. They go on to say &#8220;<em>As part of our investigation we have discovered that at least twenty other large companies from a wide range of businesses&#8211;including the Internet, finance, technology, media and chemical sectors&#8211;have been similarly targeted. We are currently in the process of notifying those companies</em>&#8221;.<br />
&nbsp;<br />
Subsequent external conjecture, comment and analysis have blamed unpatched vulnerabilities in Internet Explorer and also in Acrobat Reader. The malware involved has been identified both <a title="Wired online" href="http://www.wired.com/threatlevel/2010/01/google-hack-attack/" target="_blank">as</a> variants of the <a title="TrendLabs Threat Encyclopedia" href="http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_HYDRAQ.A&amp;VSect=P" target="_blank">Hydraq Trojan </a>and also as new malware, dubbed by McAfee as <a title="McAfee VIL" href="http://vil.nai.com/vil/content/v_253415.htm" target="_blank">Roarur.dr</a> and as <a title="TrendLabs Threat Encyclopedia" href="http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PIDIEF.SHK" target="_blank">TROJ_PIDIEF.SHK</a>. The attack vectors have been identified as mail with malicious PDF attachments and drive-by downloads.<br />
&nbsp;<br />
Google, who were hit by the zero-day vulnerability in Internet Explorer, state that at least 20 other companies were victimised, and iDefense, who have customers who were hit by the zero-day vulnerability in Acrobat Reader, state that <a title="Wired online" href="http://www.wired.com/threatlevel/2010/01/google-hack-attack/" target="_blank">33 companies </a>were affected.<br />
&nbsp;<br />
The motivation for the attack has been described both as an attempt to steal intellectual property and also as an attempt to breach the security of email accounts belonging to Chinese human rights activists. The attacks &#8220;appear to have been launched from at least six Internet addresses located in Taiwan&#8221; <a title="China warns of exit over hacking" href="http://online.wsj.com/article/SB126333757451026659.html" target="_blank">according to</a> James Mulvenon, director of the Center for Intelligence Research and Analysis at Defense Group Inc.<br />
&nbsp;<br />
&#8220;Changing the world&#8221;? I say not.<br />
&nbsp;<br />
The attacks are not the first to use zero-day vulnerabilities; in fact we have most often seen zero-day exploits being first used in targeted attacks before becoming more widely spread and widely abused.<br />
 &nbsp;<br />
The attacks are not the first to use drive-by download or malicious PDF attachments to achieve their goal.<br />
 &nbsp;<br />
The attacks are not the most complex multi-component system yet seen; if you want complex, <a title="The Heart of Koobface" href="http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/the_20heart_20of_20koobface_final_1_.pdf" target="_blank">look at Koobface</a>!<br />
 &nbsp;<br />
This is <a title="Microsoft races out 'security patch' for Internet Explorer after Chinese fraudsters use flaw to hijack computers" href="http://www.dailymail.co.uk/news/article-1095266/Microsoft-races-security-patch-Internet-Explorer-Chinese-fraudsters-use-flaw-hijack-computers.html" target="_blank">not the first time </a>that warnings have been given to use alternative browsers until a patch becomes available.<br />
 &nbsp;<br />
This is <a title="Gh0stly Chinese Whispers" href="http://countermeasures.trendmicro.eu/gh0stly-chinese-whispers/" target="_blank">not the first time </a>that the finger has been pointed at China for a widespread globally distributed espionage attack.<br />
 &nbsp;<br />
There is no doubt that this attack, or these attacks, are methodologically sophisticated. The bad guys were visibly successful at delivering their malicious payloads to the right people in the right companies to get access to things like source code and email accounts, but I don&#8217;t see anything here that changes the world.<br />
 &nbsp;<br />
Social engineering, lack of awareness of the threat landscape, a willingness to share too much information and the highly developed underground economy will all have contributed to the possibility and the success of these attacks.<br />
 &nbsp;<br />
What can companies and individuals do to try to avoid falling victim to these kinds of attack?</p>
<ul>
<li>Educate yourselves and your users: clicking a link is enough, opening a PDF is enough to infect you, even on a fully patched system.</li>
<li>That being said, make sure all applications and systems are fully patched; if that is not possible, use host-based intrusion prevention to &#8220;virtually patch&#8221; systems and to secure against zero-day exploits.</li>
<li>When an unpatched vulnerability is identified, be sure to follow vendor advice to minimise the risk as soon as possible.</li>
<li>Encrypt valuable personal and intellectual property at file level; that way, even if it is stolen, it is of limited value or use.</li>
<li>Consider the deployment of data leakage prevention technologies that will recognise and stop sensitive content from leaving your network.</li>
<li>Rethink your security model from an outside-in approach to an inside-out one. Secure data, secure access rights, secure applications. Your perimeter only exists on a network diagram.</li>
<li>At the risk of repeating myself, educate your users not to share too much personal information regarding employers, job roles and contact details. Currently far too many targets are far too visible.</li>
<li>Don&#8217;t let Chicken Little run your security.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/google-china-chicken-little-and-cyber-armageddon/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Pakistani National Response Center for Cyber Crimes&#8230; Hacked!</title>
		<link>http://countermeasures.trendmicro.eu/pakistani-national-response-center-for-cyber-crimes-hacked/</link>
		<comments>http://countermeasures.trendmicro.eu/pakistani-national-response-center-for-cyber-crimes-hacked/#comments</comments>
		<pubDate>Fri, 08 Jan 2010 11:45:13 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[Site Compromise]]></category>
		<category><![CDATA[data leakage]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[compromise]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[data loss]]></category>
		<category><![CDATA[government]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hacked]]></category>
		<category><![CDATA[hacktivism]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[web]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=1655</guid>
		<description><![CDATA[It seems to be the season for defacements and hacktivity. The week began with the Cross Site Scripting attack on the Spanish EU website and the defacement hack of Iranian President Ahmadinejad&#8217;s Official site and it closes with a high profile hack of the Pakistani National Response Center for Cyber Crimes, part of the Federal [...]]]></description>
			<content:encoded><![CDATA[<p>It seems to be the season for defacements and hacktivity. The week began with the <a title="Mr Bean comes out of retirement, takes over Spain" href="http://countermeasures.trendmicro.eu/mr-bean-comes-out-of-retirement-takes-over-spain/" target="_blank">Cross Site Scripting attack</a> on the Spanish EU website and the defacement <a title="Iranian President Ahmadinejad Official web site compromised" href="http://countermeasures.trendmicro.eu/iranian-president-ahmadinejad-official-web-site-compromised/" target="_blank">hack of Iranian President Ahmadinejad&#8217;s Official site </a>and it closes with a high profile hack of the <a title="hacked by zombie_ksa" href="http://www.nr3c.gov.pk/" target="_blank">Pakistani National Response Center for Cyber Crimes</a>, part of the Federal Investigation Authority.</p>
<p>The web site was compromised and defaced as shown below.</p>
<div id="attachment_1656" class="wp-caption alignleft" style="width: 160px"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/01/PakbugsFIA.png"><img class="size-thumbnail wp-image-1656" title="PakbugsFIA" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/01/PakbugsFIA-150x150.png" alt="" width="150" height="150" /></a><p class="wp-caption-text">Click for larger image</p></div>
<p>Unfortunately for the Pakistani FIA, though, this attack appears to go beyond a simple defacement. The hacker &#8220;zombie_ksa&#8221; also states on the defaced page:</p>
<blockquote><p>&#8220;<strong><em>your whole database and e-mails are leaked &#8230;. i was really excited to read, see what the f__k is private in here lOl</em></strong>&#8221;</p></blockquote>
<p>At first glance this could well seem like idle l33t H4x0r bragging, so I did a bit of digging to see if the boast could be substantiated. In a forum posting, zombie_ksa said:</p>
<blockquote><p><em><strong>&#8220;I was Browsing! today </strong></em><a rel="nofollow" href="http://propakistani.pk/2010/01/07/how-to-register-complaint-with-fia-cyber-crime-wing/" target="_blank"><em><strong>Propakistani.pk</strong></em></a><em><strong> So i saw post about &#8220;how to register complaint with fia cyber crime&#8221;! so i feel to check there Security, and i started Penetration Test On there Webserver, unfortunately I GOT access!! And they got Pwned!! !! thats Sounds crazy ! I got whole database! and e-mail Backup! everything!&#8221;</strong></em></p></blockquote>
<p> </p>
<p>The hacker then posted two screen shots, one of the hacked site and a second one, below, demonstrating his access to their email database (I have sanitised the email addresses here).</p>
<div id="attachment_1659" class="wp-caption alignleft" style="width: 588px"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/01/FIAaccounts1.png"><img class="size-full wp-image-1659" title="Screen shot posted by the hacker" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2010/01/FIAaccounts1.png" alt="Screen shot posted by the hacker" width="510" height="367" /></a><p class="wp-caption-text">Screen shot posted by the hacker</p></div>
<p>So it seems that, from an amateur penetration test, a hacker has access at least to the full email database, and possibly the backups, of a National Response Center for Cyber Crimes in a highly politically sensitive country. The forum post was made at 4 in the afternoon yesterday and the hack is still live at the time of writing. To say this hack has national security implications would not be overstating the matter.</p>
<p>Any organisation holding material this sensitive should, as a priority, make sure all Internet-facing servers are hardened and fully patched. The servers should also be regularly audited, preferably daily, to look for evidence of new vulnerabilities as they arise. Web application firewalls should be used to look for evidence of, and block, anomalous or malicious behaviour.</p>
<p>But perhaps most importantly, emails dealing with matters this sensitive should not be connected with, or stored on, your public web server, and they should always be stored in a secure encrypted format.</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/pakistani-national-response-center-for-cyber-crimes-hacked/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Mr Bean comes out of retirement, takes over Spain</title>
		<link>http://countermeasures.trendmicro.eu/mr-bean-comes-out-of-retirement-takes-over-spain/</link>
		<comments>http://countermeasures.trendmicro.eu/mr-bean-comes-out-of-retirement-takes-over-spain/#comments</comments>
		<pubDate>Tue, 05 Jan 2010 10:01:34 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Site Compromise]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[compromise]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[government]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hacked]]></category>
		<category><![CDATA[XSS]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=1624</guid>
		<description><![CDATA[As reported by Reuters and the BBC, the official website set up by the Spanish government to mark its six-month presidency of the EU was briefly compromised yesterday afternoon.   Mischievous hackers reportedly took advantage of Cross-Site Scripting (XSS) vulnerabilities on www.eu2010.es and replaced an image of Spanish Prime Minister Jose Luis Rodriguez Zapatero with the smiling [...]]]></description>
			<content:encoded><![CDATA[<p>As reported by Reuters and the BBC, the official website set up by the Spanish government to mark its six-month presidency of the EU was briefly compromised yesterday afternoon.</p>
<div class="wp-caption alignnone" style="width: 480px"><img title="Mr Bean on Spanish site" src="http://estaticos03.cache.el-mundo.net/elmundo/imagenes/2010/01/04/1262610678_0.jpg" alt="" width="470" height="310" /><p class="wp-caption-text">Image Courtesy of El Mundo</p></div>
<p> </p>
<p>Mischievous hackers reportedly took advantage of Cross-Site Scripting (XSS) vulnerabilities on <a href="http://www.eu2010.es">www.eu2010.es</a> and replaced an image of Spanish Prime Minister Jose Luis Rodriguez Zapatero with the smiling face of Rowan Atkinson in his Mr. Bean guise, complete with the friendly greeting &#8220;Hi there!&#8221; Perhaps the hackers were hoping the attack would go unnoticed, as apparently there is a physical resemblance between Mr. Zapatero and Mr. Bean (of course I couldn&#8217;t possibly comment). The compromise only lasted a few hours until the original content was restored; by 4pm GMT yesterday afternoon the site administrators were <a title="El Mundo report - Spanish" href="http://www.elmundo.es/elmundo/2010/01/04/union_europea/1262610678.html" target="_blank">reportedly </a>working on a fix.</p>
<p>In this instance there does not appear to have been any malicious intent, but the dangers of XSS vulnerabilities should not be underestimated. Cross Site Scripting vulnerabilities allow attackers to inject code into innocent web pages in which it would not otherwise appear. This can be used to steal information such as logins or banking credentials, redirect users to malicious web sites or even to directly infect visitors to the site. The real problem is that many web site admins are unaware of the dangers, and <a title="More bad news for McAfee, HackerSafe certification" href="http://blogs.zdnet.com/security/?p=1068" target="_blank">even some security companies </a>continue to underestimate and downplay the importance of XSS vulnerabilities and attacks.</p>
<p>On an interesting side note, El Mundo also <a title="Moncloa gastará 23 millones en los preparativos del semestre europeo" href="http://www.elmundo.es/elmundo/2010/01/03/union_europea/1262518145.html" target="_blank">reported </a>recently that more than 12 million Euros had been spent on &#8220;technical assistance and security for the website of the Spanish Presidency [of the EU]&#8221;. Again, I couldn&#8217;t possibly comment, but <a title="Trend Micro SecureSite" href="http://uk.trendmicro.com/uk/products/sb/worry-free-secure-site/" target="_blank">SecureSite</a> and <a title="Trend Micro Web Application Security" href="http://uk.trendmicro.com/uk/products/enterprise/web-application-security/index.html" target="_blank">Web Application Security</a> are both an awful lot cheaper than that&#8230;</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/mr-bean-comes-out-of-retirement-takes-over-spain/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Sophisticated banking Trojan &#8211; Human consequences</title>
		<link>http://countermeasures.trendmicro.eu/sophisticated-banking-trojan-human-consequences/</link>
		<comments>http://countermeasures.trendmicro.eu/sophisticated-banking-trojan-human-consequences/#comments</comments>
		<pubDate>Wed, 04 Nov 2009 17:55:29 +0000</pubDate>
		<dc:creator>Rik Ferguson</dc:creator>
				<category><![CDATA[Underground Economy]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[banking]]></category>
		<category><![CDATA[compromise]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[malicious code]]></category>
		<category><![CDATA[web]]></category>

		<guid isPermaLink="false">http://countermeasures.trendmicro.eu/?p=1496</guid>
		<description><![CDATA[I was contacted by a friend yesterday who was understandably very concerned to find that a large amount of money had been transferred from her bank account to the account of a complete stranger hundreds of miles away. My friend had been using her online banking at home the evening before, had made a couple of transfers and all appeared [...]]]></description>
			<content:encoded><![CDATA[<p>I was contacted by a friend yesterday who was understandably very concerned to find that a large amount of money had been transferred from her bank account to the account of a complete stranger hundreds of miles away. My friend had been using her online banking at home the evening before, had made a couple of transfers and all appeared to go normally. However, when she heard the following day that one of the transfers hadn&#8217;t arrived, she checked her account from a PC at work and was devastated to find the hitherto invisible transfer of €5000.</p>
<div id="attachment_1506" class="wp-caption alignleft" style="width: 581px"><a href="http://countermeasures.trendmicro.eu/wp-content/uploads/2009/11/Fraud-transaction1.JPG"><img class="size-full wp-image-1506" title="Fraud transaction" src="http://countermeasures.trendmicro.eu/wp-content/uploads/2009/11/Fraud-transaction1.JPG" alt="Bank statement showing the fraudulent transaction" width="510" height="269" /></a><p class="wp-caption-text">Bank statement showing the fraudulent transaction</p></div>
<p> </p>
<p>Of course the incident was reported to the bank and to the police. The bank shut down the online facility of the account and set about tracing the money and we set about finding out what kind of malware she had on her PC.</p>
<p> </p>
<p>You may, if you&#8217;re interested in malware, have seen some reports recently of a &#8220;next generation&#8221; banking Trojan that goes by the name of <a title="TSPY_BEBLOH.SMJ" href="http://threatinfo.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY_BEBLOH.SMJ" target="_blank">Bebloh </a>or URLZone, and this is what was responsible for the theft of just enough money to stay within the agreed overdraft facility of the account, helping to ensure the transfer was successful.</p>
<p> </p>
<p>Later in the day someone else in Germany reported the incident from their end. A woman had met some people in a Russian chat room; they offered her 500 euros if she would transfer the money on. Part of the money was to go to an account in Turkey and part to a Russian account. The mule account holder, though, was this lady&#8217;s son; she had given the Russian criminals his bank details &#8220;because he still had some overdraft allowance&#8221;. The morning after the transfer they called her every ten minutes to prompt her to send the money on. Since she had given her son&#8217;s details she had to get him out of school and go to the bank with him. By the time they arrived at the bank, the theft had already been reported by the victim, so the bank refused to forward the money. Even then she still got calls while she was at the bank. As soon as the bank told the mules that fraud had been reported and she told the criminals, they stopped calling her. The mule then went to the police herself. The mule is obviously worried and shaken by her brush with serious organised crime and embarrassed by her naïveté. The victim has been left with no access to cash and no way to meet her direct debit commitments until the investigations are completed.</p>
<p> </p>
<p>Bebloh is a banking Trojan that spreads through what we call drive-by-download techniques, in which websites including legitimate ones are infiltrated and booby-trapped. Unwary visitors with unpatched web browsers or other software that hasn&#8217;t been kept up-to-date are then infected simply by visiting the sites.</p>
<p> </p>
<p>Once installed, the Trojan connects back to a command &amp; control server to receive instructions: instructions on how much money to steal from you and where to send it. The Trojan is sophisticated enough to be able to work out exactly how much money it can siphon from your account without being refused and is able to hide the fact that these transfers have taken place. The stolen funds are then transferred to mule accounts where volunteers have agreed to &#8220;process payments&#8221; in return for a small fee or percentage. A detailed report on the malware is <a title="The Arms Race between Black Hats and White Hats Steps Up with URLZone Trojan" href="http://www.rsa.com/blog/blog_entry.aspx?id=1530" target="_blank">available</a> from RSA FraudAction Research Labs and in a TrendLabs <a title="Cooked balance sheets Bebloh style" href="http://blog.trendmicro.com/cooked-balance-sheets-bebloh-style/" target="_blank">Malware blog posting</a>.</p>
<p> </p>
<p>This malware surfaced in Germany, which has long had the reputation of leading the way in online banking security, as I mentioned in a <a title="The word is not enough - Online banking fraud" href="http://countermeasures.trendmicro.eu/the-word-is-not-enough-online-banking-fraud/" target="_blank">previous blog post</a>. Germany uses a system of transaction authentication numbers (TAN) to validate money movements. To overcome this, Bebloh operates inside the web browser, hijacking authenticated sessions even to the extent of faking the balance that is displayed to the user to hide all trace of its malicious activity. <a title="URLZone Trojan rakes in £11000 per day" href="http://www.computerworlduk.com/management/security/cybercrime/news/index.cfm?newsid=16837" target="_blank">Estimates</a> have put its earnings at £11000 <strong>per day</strong>.</p>
]]></content:encoded>
			<wfw:commentRss>http://countermeasures.trendmicro.eu/sophisticated-banking-trojan-human-consequences/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
	</channel>
</rss>
