The Security Blog

MS08-067 worms

F-Secure Antivirus Research Weblog — Tue, 06 Jan 2009 19:30:55 +0000

Over the last days, we've received reports of corporate networks getting infected with various variants of MS08-067 worms. These are mostly Downadup/Conficker variants.

The malware uses server-side polymorphism and ACL modification to make network disinfection particularily difficult. A sign of infection is that user accounts gets locked out in the Active Directory domain as the worm tries to crack user's passwords using a built-in dictionary. When it fails it leads to those accounts being locked.

We have detailed information about the malware functionality in our description.

We also have a separate tool available to assist in disinfecting. The tool is available from here.

We also recommend system administrators to block access to web sites used by the malware. The sites keep changing, but the current domains to block are:

64.70.19.33
qtjumbvk.ws
zdjmcwcknwn.biz
oecsw.net
oawtwovet.cc
itiuuv.cn
dkvjxac.info
ciopicmfq.info
uikrzcuzw.com
siirkijx.cn
cdbhi.cn
xyywekmbuuq.net
akgjmdzx.cc
xbrpaahhcjl.org
lrwnqgoj.biz
xrbczsuyw.com
fhioqvpdpg.info
fhchak.org
fnopiz.cn
bpufhbvqwjs.com
bxtopike.ws
ibifq.ws
dckhrrqh.com
srfvt.com
crikr.cn
jjdifsh.net
yryxdaecqwa.info
vfdjkunysp.cn
hxhpc.org
xbtqz.com
yrmvbwbzlt.ws
vrfouwsk.net
pvfivnqgk.cn
jilpumzn.ws
rrtvw.org
wagwovomnj.net
cffcipqz.biz
jqlmcfmdua.info
sedueat.cc
acqggcq.cn
zjcmnmrpwdp.info
fjxkmq.ws
jzvpspdcv.cn
zrfdubsgmuq.net
icbabdoo.org
vbvvhgs.net
xakcypzbj.org
drykouwoa.com
xfpzmkcl.cc
kcawyfgl.ws
xihpmics.net
fnmhkizip.ws
xgdgxusdq.org
pnaeydmg.org
weekax.cn
fhoptkn.org
ovqoluqwhf.org
tlxzjjlmk.org
wycqkpn.cn
mxvrtq.net
cjeyj.com
qdgvbkpopx.net
qwwnsrgii.cn
govagjcasyo.cn
ywictoyhzeu.ws
ezkhbz.org
memsvr.com
nhmgtrmka.org
iuqmklmklbw.ws
miyga.biz
tmegbpwamyr.ws
igggellu.ws
vuvjptke.org
eufiwwkplyc.cn
udthrjtx.cc
dwikmnmhx.org
qxdzbtgok.org
ccgdllgwk.info
tsamlnes.cc
jqmdyemnd.cn
zfrcc.org
nqnmjn.org
jfqlrlgf.biz
adbsq.net
yjbslycn.org
kxsmffcsh.biz
ipuuulsw.com
vlfgk.info
hwmggrmzdsw.biz
quvjfczmd.net
rcoesjhoii.info
esujw.cn
lejhfcdm.biz
dphxqdpp.cn
leyloenk.cc
wpnmravf.cc
jpgflwtu.net
gqjgx.cn
bdjtrpaav.cc
hrmwzqif.com
txibddqtpuj.cc
ysuxkcv.com
vxuuur.biz
djthknbtxe.cc
qauaiepfih.ws
fnxklfyxdy.com
hpmhoassp.org
nmdrr.com
gwfnepcus.ws
qhdefcfkqg.cc
uuuwlcpzi.cn
knpfuq.cc
dugnyfnxky.com
vxuiwtpqc.info
wdgeaqrhk.net
vhegpqfiga.cc
sjarftss.biz
ykzoap.cc
jnfcmmuhfum.ws
kkvugfb.biz
ztyshleh.biz
boirczdikw.com
itzbanmjbds.ws
gdneutxoi.cc
lmcrkcuu.net
jufwmttx.net
kbrlxkiohfb.org
tnaqhezhswk.biz
udyxa.info
bclaxb.cn
yrmek.cc
mmprans.ws
bwtrd.net
ccolbxdud.com
hbkbc.biz
dbizknbfyv.cn
snytwwp.cc
qvuycgw.net
kuikq.org
yagcjzafet.cn
pakzqankxai.ws
evuqysnc.cc
imaexvlmjn.org
bdrmppudqh.cn
nwczso.cc
nykyhzap.cc
evtwdavi.net
ktveyekd.cn
wbpciauakl.ws
omxzanan.ws
srtbuvesjmy.org
girirvjy.org
lrkewik.net
bwocsfviu.net
thzydzvunfk.biz

We'll update this list as needed.

On 06/01/09 At 06:15 PM

Flashy botnet is Flashy

F-Secure Antivirus Research Weblog — Tue, 06 Jan 2009 19:30:55 +0000

We did some co-operation recently with a company called Clarified Networks. Some of you might remember them as the guys who did the *wow* visualization of the Kaminsky DNS hole for his Black Hat presentation.

So we collected some botnet data and asked them to visualize it.

The end result is a quite nice animation. You can get more info and the actual end result from their blog at www.clarifiednetworks.com

On 05/01/09 At 04:56 PM

Video - SMS Exploit Effects

F-Secure Antivirus Research Weblog — Tue, 06 Jan 2009 19:30:55 +0000

Our post from yesterday mentioned a video demonstration coming soon.

It's online now and you can find it from our YouTube Channel.

The video highlights the symptoms experienced on exploited phones; it doesn't show how to perform the attack. The attacking phone has been kept off screen. (It isn't difficult to find the CCC video at this point.)

The "Curse of Silence" was disclosed to several telecommunications operators about seven weeks ago and we were brought into the loop a few weeks later. The timing has been a real pain in the neck for those of us in the lab. We'd rather be researching something else or enjoying a relaxed holiday than dealing with a detection for an exploit that will mostly likely be used by jealous boyfriends.

Still, it is a safe bet that the Curse will be used to harass people, so support personnel should know what to look for.

On 31/12/08 At 12:09 PM

Malware Analysis Course Rides Again

F-Secure Antivirus Research Weblog — Tue, 06 Jan 2009 19:30:55 +0000

Those of you that missed the Helsinki University of Technology's malware analysis and anti-malware technologies course in the Spring of 2008, have the possibility to participate during Spring 2009.

The course curriculum is pretty much the same as it was last year and so are most of the lecturers. One notable addition will be more focus on Windows kernel malware. Kimmo Kasslin will be lecturing on the topic and there will be some homework fun on it as well.

Please check out the course pages, slides, and assignments from Spring 2008 to get an idea of what the course is all about.

Course web pages for 2009 are already available but still incomplete; students can already enlist, though.

On 31/12/08 At 12:10 PM

Your Friendster Contacts Are Belong To Us

F-Secure Antivirus Research Weblog — Tue, 06 Jan 2009 19:30:55 +0000

Addendum to our earlier post, Fake Friendster and Facebook Sites with One IP Address:

A lot of Friendster users have been complaining about receiving lots of invitations to view a fake video from their contacts (who presumably would not usually send malicious content to their friends).

Here is an example of such an invite, from a known contact:

So how are the spammers getting access to the contacts lists?

Well, as we mentioned in our earlier post, a phishing site that mimics the real Friendster site steals the user's e-mail address and password information. Once the bad guys have that information, they can use it to access the account, and then use the account to start spamming malicious links to all contacts. Simple and effective, really. Users receiving these messages from a contact are more likely to disregard caution and click on it.

This particular link leads the user to the legitimate domain, files.myopera.com, and a file named video.gif. But wait — to check the contents of the file, try using view-source (in Firefox). As it turns out, users will be redirected to a malicious, fake video site.

Of course, the new site will prompt users to "update the video player" with a certain file in order to view the video.

The file the site would like you to download is cunningly named setup.exe, we detect it as net.worm.win32.koobface.dd — a worm that, incidentally, also spreads on social interaction websites.

As usual, beware of clicking any URL links, whether from a known or unknown sender. Don't forget to change your Friendster account password regularly to avoid abuse.

On 31/12/08 At 06:51 AM

Curse of Silence, a Symbian S60 SMS Exploit

F-Secure Antivirus Research Weblog — Tue, 06 Jan 2009 19:30:55 +0000

An easily reproducible SMS exploit was disclosed and demonstrated today at the 25th Chaos Communication Congress (25C3). The exploit is effective against a wide range of Symbian S60 smartphones and will effectively prohibit victims from receiving SMS messages.

The Chaos Communication Congress is a popular event among international "hacker" enthusiasts. It has been organized by the Chaos Computer Club since 1984, has been held in Berlin since 1998 and typically takes place between December 27th and 30th.

Today's Security Nightmares 2009 presentation included a demonstration of the Curse of Silence exploit, which was researched by Tobias Engel of the CCC.

According to Engel's research, the exploit affects the messaging components of Nokia Series 60 phone versions 2.6, 2.8, 3.0, and 3.1. Our own tests determined that Sony Ericsson UiQ devices are vulnerable as well.

Versions 2.6, 2.8, 3.0, and 3.1 are also better known as S60 2nd Edition, Feature Pack 2; S60 2nd Edition, Feature Pack 3; S60 3rd Edition (initial release); and S60 3rd Edition, Feature Pack 1 respectively.

That's a lot of numbers…

S60.com has a handy comparison view of many Series 60 phones.

According to Engel's research, the vulnerable phones fall into two camps: S60 versions 2.6/3.0 (2FP2/3) and versions 2.8/3.1 (2FP3/3FP1). That's still too many numbers, so let's just select two phones.

Nokia 6680 — 2nd Edition, Feature Pack 2
Nokia N95 — 3rd Edition, Feature Pack 1.

The vulnerability is very simple to exploit via an SMS message. No special software is required and the message can be drafted from a large number of phones. The message just needs to be formatted in a particular way. (We will not provide exact details here.)

What happens when a vulnerable phone receives the exploit message?

Example 1 — on the older 6680 nothing happens. Nothing at all… The first exploit message is enough to crash the SMS messaging service. It is a completely silent attack and there are no hints of trouble presented to the victim. The phone will simply stop receiving SMS (as well as MMS) messages.

Click here to see some of the phones that fall into the 6680 example's category.

Example 2 — on the newer N95, nothing will happen until several messages have been sent by the attacker. Then, once the critical limit has been reached, the phone will prompt an alert: "Not enough memory to receive message(s). Delete some data first."

The attack messages will not be visible from the Inbox, and deleting previously received messages will not resolve the problem.

There will also be one additional notification on the N95. A blinking envelope, indicating that the Inbox is full, appears in the upper right-hand corner of the display.

Turning the N95 off and on again may return some limited functionality, but that functionality is very fragile. One multi-part message was enough to completely disable our test phone's SMS/MMS service, at which point even cycling the power did not help.

Click here to see some of the phones that fall into the N95 example's category.

Exploited phones will remain otherwise completely functional; only the SMS/MMS messaging is affected. Practically speaking, this also means no SMS notifications of voicemail, though the phone log will display the missed call.

A firmware fix is not yet available. Performing a hard-reset is the only manual solution. And backing up the phone also backs up the exploit messages and the damaged messaging service.

Shameless self-promotion begins:

However — Engel practiced reasonable disclosure, which is why we have had time to test the exploit ourselves before today's CCC demonstration. Our Mobile Security solution will detect the exploit and can repair affected phones.

The exploit is detected as Exploit:SymbOS/SMSCurse and Mobile Security is capable of repairing exploited phones so that it will not lose any messages. Messages that have been sent while the messaging service is jammed will of course be lost.

Hopefully this exploit will not be widely used. We don't see much of a profit motive after all. Still, there were thousands of participants at this year's CCC and many of them saw the demonstration. As easy as it is to utilize the Curse of Silence, someone will surely try this for harassment…

A free seven day trial of Mobile Security can be directly download to phones from here.

We will have a video demonstration available soon.
Update: Info on the video is here.

On 30/12/08 At 03:34 PM

Safe to Open

F-Secure Antivirus Research Weblog — Tue, 06 Jan 2009 19:30:55 +0000

A few weeks ago, I received the following Instant Message:

Was it some kind of clever social engineering IM-worm?

Nope — It was just Mikko sharing a link that he found from Alex Eckelberry.

Even though I was sure, I still called out across the room to confirm that he had sent the link…

That's just one of the habits that's reinforced when working in the Response Lab.

Stay safe during the holidays. See you next week.

Signing off,
Sean

On 24/12/08 At 12:13 PM

Extremely Dangerous Internet Explorer Security Hole - Beware!

F-Secure Antivirus Research Weblog — Tue, 06 Jan 2009 19:30:55 +0000

Updated to add: Microsoft has announced that they will be releasing out-of-band updates for this on December 17th.

Zero-day exploits are actively targeting an unpatched Internet Explorer vulnerability.

Microsoft recently expanded their Security Advisory 961051 to include all versions of Internet Explorer. The vulnerability was originally thought to only affect IE7.

As you can see, it's now a very long list of related software:

There are a number of (perhaps cumbersome) workarounds that may provide some mitigation:

More bad news, SQL Injection attacks are being used to hack legitimate websites in order to host exploits, turning trusted sites into malicious exploit hosts.

You can read additional details at Security Fix and eWeek.com.

Someone in the eWeek advertising department is trying to tell you something.

…and a tip of the hat goes to Camillo for providing the subject line to this post.

On 15/12/08 At 06:21 PM

Exploit Shield - F-Secure’s Solution to Zero-Day Exploits

F-Secure Antivirus Research Weblog — Tue, 06 Jan 2009 19:30:55 +0000

Our previous post highlighted a recently disclosed vulnerability which exists in Microsoft Internet Explorer… and that there are currently websites hosting exploits targeting the vulnerability. Today our Vulnerability Response team would like to offer you our Security Labs' solution, which is now publicly available for download.

We call it Exploit Shield.

Exploit Shield protects against exploits both responsively and proactively. It has both shields and generic heuristics that monitor for and block suspected malicious activity. It logs attack attempts; and will also report suspicious URLs to our Real-time Protection Network¹. New shields are delivered via our automatic update channel servers.

Vulnerability Shields offer "Patch-equivalent protection". Our Vulnerability Analysts, primarily based in Kuala Lumpur, publish vulnerability advisories and detections (used by our Health Check² service). The Vulnerability team then uses the analysis to create exploit shields. The shields utilize either a hotpatch or else will disable the vulnerable ActiveX plugin.

This is what shield details look like:

The Proactive Measures currently block suspected malicious activity in Internet Explorer and Mozilla Firefox. This component of the beta monitors for heuristic behavioral techniques common to many types of exploits. We've tested the proactive component against a couple of malicious sites targeting the vulnerability, and the attacks have been successfully blocked.

As noted above, Exploit Shield has the option to report malicious websites that are blocked.

What do we do with the reported URL? The Response Lab will use it to respond faster. We have "HoneyMonkey" like systems to collect the exploit samples. Thus we'll have a greater ability to collection exploits and add signature detections to protect all of our customers. Exploit Shield users will help contribute to everyone's protection while remaining protected.

You can download a wmv video by Patrik demonstrating Exploit Shield in action.

—

You will find the download link for the beta on our Labs site.

—

Our Vulnerability Response team has been working very hard during the last few days to make this beta release ready at this time. Remember, it's still in beta, and you can help them by testing and by providing feedback. A big thank you is due to all those involved.

—

Footnote¹ The current version of our DeepGuard Technology utilizes cloud-based networking lookups to our Real-time Protection Network. We'll cover that in a future weblog post.

Footnote² Try Health Check. It's free and assists in updating and patching third-party applications.

On 17/12/08 At 10:45 AM

Update: Patch for Internet Explorer Security Hole

F-Secure Antivirus Research Weblog — Tue, 06 Jan 2009 19:30:55 +0000

A quick update to our earlier post about the recent critical vulnerability (MS08-078) in all available versions of Internet Explorer — Microsoft has released an update patch for the vulnerability. More information, including the patch, can be found here.

There have been a number of reports citing thousands of websites (both intentionally malicious and legitimate but compromised) exploiting this vulnerability. You can read more at BBC News and The Register.

Everyone is strongly encouraged to download and apply the patch without delay.

On 18/12/08 At 02:22 AM