December 30th, 2008
Introduction
In the world of computer security and exploitation we come across many security tools. Some of them are quite useful, and some you plug in only to plug out again a few days later. Recently the antivirus company F-Secure developed an application called Exploit Shield, whose main purpose is dynamic protection against zero-day vulnerabilities. I won't go into a deep analysis of its internal mechanism, but in the sections that follow I will give an overview of the tool and how it works.
Overview
F-Secure Exploit Shield is a tool developed entirely in C and C++ (using GFx libraries) and designed to protect machines both reactively and proactively. The type of detection and defence can be set by the end user: the tool can be configured either to only keep attack logs or to protect the machine immediately as soon as it detects malicious activity. It is currently developed for Windows only and is in Beta, as lots of new features have yet to be added and lots of bugs have yet to be fixed! The product can be downloaded for free from their labs page. It comes with a straightforward installer and gets installed in less than one minute. It takes little CPU and hooks itself into the system once installed on your Windows box.
Tech Overview
Once installed, the application hooks itself into the system APIs. It then monitors the user's activities and alerts on or blocks unknown client-side vulnerabilities that could affect the system. It checks for generic shellcode patterns and for malicious IE/Firefox objects that affect system security. It also monitors the user's browsing, and if malicious code is found in the current web page it either blocks the attack and shows an alert in the victim's browser (IE/Firefox), or it logs the attack details to a log file that the user can review later and act on. Because it hooks the system APIs and sits between the user and the browser, in effect as a man-in-the-middle (MITM), it slightly slows page rendering, but the slowdown is insignificant and can be ignored, as security matters at the end of the day! When it blocks an attack it immediately shows an alert in the browser giving the exploit type and its details. The tool is basically aimed at blocking most browser vulnerabilities, and against the current Microsoft Security Advisory (961051), which is rated critical, it does the job very well.
Pros
- Real-time monitoring of the user's browsing activity and immediate action on a detected attack.
- The installer and the application are very user-friendly and self-explanatory.
- Attack-detection modules are updated automatically from the F-Secure server, so the end user doesn't have to update them manually as some applications require.
- Catches most of the known IE and Firefox vulnerabilities in real time.
- Detects malicious ActiveX controls and applies hot patches immediately, so the user doesn't have to go through the manual process of setting the registry kill bit to block that ActiveX object from running in Internet Explorer.
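The kill bit the last point refers to is a registry setting, and whether a given control is actually killed on a box can be audited from a registry export. The script below is an added example written for this post, not F-Secure's or SecPod's code: it parses a .reg export of the ActiveX Compatibility key, reports which CLSIDs have bit 0x400 set in "Compatibility Flags", and lists which entries from an advisory's CLSID list are still unprotected. The sample export and its CLSIDs are constructed placeholders.

```python
"""Audit Internet Explorer ActiveX kill bits from a .reg export.

Added example, not F-Secure's or SecPod's code. The kill bit lives under
HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{CLSID}
in the DWORD value "Compatibility Flags"; bit 0x400 set means the control is
killed. On a Windows box the export is produced with
    reg export "HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility" ax.reg
SAMPLE_EXPORT below is constructed and its CLSIDs are placeholders.
"""
import re

KILL_BIT = 0x400

# [HKEY_LOCAL_MACHINE\...\ActiveX Compatibility\{CLSID}]
KEY_RE = re.compile(
    r"^\[.*\\(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})\]\s*$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})\s*$')

SAMPLE_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility]

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{00000000-0000-0000-0000-000000000003}]
"""


def load_export(path):
    """reg export writes UTF-16LE with a BOM; hand-made .reg files may be ANSI."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("latin-1")


def parse_activex_compat(reg_text):
    """Map CLSID -> Compatibility Flags (0 when the subkey carries no value)."""
    flags, current = {}, None
    for line in reg_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).upper()
            flags.setdefault(current, 0)   # subkey present, value may be absent
            continue
        m = FLAGS_RE.match(line)
        if m and current is not None:
            flags[current] = int(m.group(1), 16)
    return flags


def killed(flags):
    """CLSIDs whose kill bit is set (other flag bits may be set alongside it)."""
    return sorted(c for c, v in flags.items() if v & KILL_BIT)


def missing_kill_bits(flags, required_clsids):
    """CLSIDs from an advisory's list that are not killed on this box."""
    return sorted(c.upper() for c in required_clsids
                  if not flags.get(c.upper(), 0) & KILL_BIT)


if __name__ == "__main__":
    import sys
    text = load_export(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EXPORT
    f = parse_activex_compat(text)
    print("killed controls:", killed(f))
    print("not killed:", [c for c in f if c not in killed(f)])
```

Run it with the path of an export to audit a real box, or with no argument to see the result on the constructed sample. A CLSID that is absent from the key altogether is treated the same as one with flags 0, since in both cases IE will still instantiate the control.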
Cons
- While uninstalling, the application reboots Windows immediately without any alert, whereas it should let the user choose to reboot either later or right away.
Conclusion
As we know, the tool is still in Beta, so there are lots of new features and modifications still required, which will be added in the next releases. But this tool should be a must-have for everyone who is really concerned about security, as it is very lightweight and very user-friendly as well.
Sujit Ghosal
sghosal@secpod.com
Security Research Analyst
Posted in SecDigest | No Comments »
October 31st, 2008
We had earlier released a SecPod plugin for Nessus for the MS08-067 vulnerability. That plugin required SMB credentials in order to work.
We have now made the exploit code for this much talked-about vulnerability available here. It has been tested with Nessus and OpenVAS and works well on Microsoft Windows 2000, XP and 2003, and it does not require any credentials to be supplied. Since it crashes the Server service on the target system (a Windows 2000 system restarts), you'll have to restart the Server service afterwards. Exercise caution!
Posted in Uncategorized | No Comments »
October 24th, 2008
The advisory released by Microsoft yesterday, MS08-067, calls for an immediate update: the vulnerability is being actively exploited. We have the SecPod plugin for Nessus and OpenVAS available here; scan your systems quickly and install the missing update.
Posted in Uncategorized | No Comments »
September 10th, 2008
Microsoft Bulletins - Sept08
Four security bulletins were released this month, addressing 8 security vulnerabilities, and all are rated Critical.
1. MS08-052 - GDI+ Remote Code Execution Vulnerability
2. MS08-053 - Windows Media Encoder 9 Remote Code Execution Vulnerability
3. MS08-054 - Windows Media Player Remote Code Execution Vulnerability
4. MS08-055 - Microsoft Office Remote Code Execution Vulnerability
More details can be found here. We have also released SecPod plugins for Nessus.
One critical vulnerability, MS08-052, requires considerable effort to patch. When we searched for gdiplus.dll (the vulnerable file) on one system, it turned up in 23 different locations, all with different sizes and file versions. This indicates that each application has been bundled with its own version of the GDI+ library.
The first step towards applying the patch is to manually download the patches from the Microsoft bulletin and apply each of them listed against the corresponding category of applications; Windows Automatic Update will not help here. Secondly, list all the applications that use GDI+ (search for gdiplus.dll) and see whether you can overwrite those files with the latest versions (this may not work for all applications, as each is bundled with a different version and size). Use those applications with care in the meantime. Hopefully each vendor will update their software separately, and soon.
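The second step above, finding every bundled copy of gdiplus.dll and working out which ones are still old, is tedious by hand when there are 23 of them. The script below is an added example written for this post, not a SecPod tool: it walks a directory tree, records path, size, SHA-256 and FileVersion for each gdiplus.dll, and lists the copies whose version is below the fixed build you supply. The FileVersion reader is a heuristic assumed by this example (it looks for the UTF-16LE "FileVersion" key in the VS_VERSIONINFO resource rather than parsing the PE resource tree), make_fake_dll() builds constructed stand-ins so the demo runs on any OS, and FIXED_VERSION is a placeholder to be replaced with the number from the bulletin.

```python
"""Inventory every gdiplus.dll under a directory tree and compare versions.

Added example, not SecPod's tool. FileVersion is read heuristically (an
assumption of this example, not a full PE resource parser): the UTF-16LE
"FileVersion" key in VS_VERSIONINFO is located and the string after it is
read, which holds for ordinary Windows DLLs. FIXED_VERSION is a placeholder.
"""
import hashlib
import os
import re
import tempfile

VERSION_KEY = "FileVersion".encode("utf-16-le") + b"\x00\x00"
FIXED_VERSION = "5.1.3102.5581"   # placeholder threshold, take the real one from the bulletin


def parse_version(text):
    """'5.1.3102.5581 (build tag)' -> (5, 1, 3102, 5581); None if unparsable."""
    m = re.match(r"\s*(\d+(?:[.,]\d+)*)", text or "")
    return tuple(int(p) for p in re.split(r"[.,]", m.group(1))) if m else None


def file_version(path):
    """Return the FileVersion string embedded in a PE file, or None."""
    with open(path, "rb") as fh:
        data = fh.read()
    pos = data.find(VERSION_KEY)
    if pos < 0:
        return None
    pos += len(VERSION_KEY)
    while data[pos:pos + 2] == b"\x00\x00":       # skip DWORD-alignment padding
        pos += 2
    end = pos                                     # scan in UTF-16 units to the terminator
    while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    return data[pos:end].decode("utf-16-le", errors="replace").strip() or None


def inventory(root):
    """Every gdiplus.dll below root with size, SHA-256 and version, sorted by path."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower() == "gdiplus.dll":
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                found.append({"path": path, "size": os.path.getsize(path),
                              "sha256": digest, "version": file_version(path)})
    return sorted(found, key=lambda e: e["path"])


def older_than(entries, fixed):
    """Paths whose FileVersion is below `fixed` or could not be read at all."""
    target = parse_version(fixed)
    return [e["path"] for e in entries
            if parse_version(e["version"]) is None or parse_version(e["version"]) < target]


def make_fake_dll(path, version=None):
    """Constructed stand-in for a DLL: a stub body plus an embedded version record."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    body = b"MZ" + b"\x90" * 64
    if version:
        body += VERSION_KEY + b"\x00\x00" + version.encode("utf-16-le") + b"\x00\x00"
    with open(path, "wb") as fh:
        fh.write(body)


def run_demo():
    """Build a constructed tree in a temp dir, inventory it and summarise the result."""
    with tempfile.TemporaryDirectory() as tmp:
        make_fake_dll(os.path.join(tmp, "Program Files", "AppA", "gdiplus.dll"), "5.1.3102.2180")
        make_fake_dll(os.path.join(tmp, "Program Files", "AppB", "gdiplus.dll"))   # no version record
        make_fake_dll(os.path.join(tmp, "Windows", "system32", "gdiplus.dll"), "5.1.3102.5581")
        entries = inventory(tmp)
        rel = lambda p: os.path.relpath(p, tmp).replace(os.sep, "/")
        return {"versions": [e["version"] for e in entries],
                "distinct_builds": len({e["sha256"] for e in entries}),
                "stale": [rel(p) for p in older_than(entries, FIXED_VERSION)]}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for e in inventory(sys.argv[1]):
            print(e["version"], e["size"], e["sha256"][:12], e["path"])
        print("below fixed build:", older_than(inventory(sys.argv[1]), FIXED_VERSION))
    else:
        print(run_demo())
```

Point it at a drive root on a real box; copies with an unreadable version are reported as stale on purpose, because a file you cannot identify is one you cannot clear.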
Posted in Uncategorized | No Comments »
August 25th, 2008
Antivirus XP 2008
Be careful what you click! This Trojan makes you believe there are viruses/worms on your computer, makes you download a file named XPantivirus2008_v880421.exe (v880421 is a variable component of the file name) and installs another executable named xpa.exe, which is a worm. It creates entries in multiple locations, including Program Files and the Windows Registry, and also adds an entry to the system startup so that it reappears after a reboot.
This was actually reported to us by an infected user, who also reported that many users in Australia are affected. The worm is described in more detail here.
Action:
1. Do not open any link that claims to clean viruses/worms from your computer.
2. If you are already infected, AVG Free has cleanup capability and other vendors are adding it as well, so run your AV scanner.
3. We have written a Snort signature for this.
Posted in SecDigest | No Comments »
August 21st, 2008
SQL injection attacks are a technique attackers use to inject malicious SQL queries into web applications in order to steal information from the backend database.
SQL injection attacks are on the rise, and these days attackers are targeting social networking sites, online shopping cart pages and other such web applications. Attackers use search engines to find vulnerable pages: for example, the search query ‘.*mysql_query\(.*\$_(GET|POST).*’ in Google Code Search yields pages that construct SQL queries directly from user-supplied form input.
Web application developers should follow best practices. Do's: always filter and escape user input, and always run with minimum privileges. Don'ts: do not trust user input, and do not build SQL queries dynamically from it.
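To make the do's and don'ts concrete, the script below is an added example written for this post (not from the original post): it runs the code-search regex quoted above over a few constructed PHP lines to show what that grep flags (including a false positive that intval() has already neutralised), then shows the same lookup three ways against a constructed in-memory SQLite table: built by string concatenation, with quotes escaped, and with a bound parameter.

```python
"""SQL injection: the weak query pattern beside its fixes.

Added example, not from the original post. Uses an in-memory SQLite table
with constructed rows; the PHP snippet is constructed too.
"""
import re
import sqlite3

# The post's Google Code Search pattern, used here as a local source grep.
RISKY_PHP = re.compile(r"mysql_query\(.*\$_(GET|POST)")

PHP_SAMPLE = """<?php
$r = mysql_query("SELECT * FROM users WHERE name='" . $_GET['name'] . "'");
$n = mysql_query("SELECT * FROM users WHERE id=" . intval($_GET['id']));
$ok = mysql_query("SELECT 1");
"""


def find_risky_queries(php_source):
    """1-based line numbers where a query is built straight from $_GET/$_POST.

    This is a candidate list, not a verdict: line 3 of PHP_SAMPLE is flagged
    even though intval() already forces the value to an integer.
    """
    return [n for n, line in enumerate(php_source.splitlines(), 1)
            if RISKY_PHP.search(line)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [   # constructed rows
        ("alice", "alice@example.invalid"),
        ("bob", "bob@example.invalid"),
        ("carol", "carol@example.invalid"),
    ])
    return conn


def lookup_vulnerable(conn, name):
    # Don't: the user's text becomes part of the SQL statement itself.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_escaped(conn, name):
    # Do (weaker form): escape the quote so the literal cannot be closed early.
    sql = "SELECT name, email FROM users WHERE name = '" + name.replace("'", "''") + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # Do (preferred): a bound parameter is sent as data, never parsed as SQL.
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    print("risky lines:", find_risky_queries(PHP_SAMPLE))
    conn = make_db()
    payload = "' OR '1'='1"          # the textbook tautology, used only to show the difference
    print("vulnerable:", lookup_vulnerable(conn, payload))
    print("escaped:", lookup_escaped(conn, payload))
    print("parameterised:", lookup_safe(conn, payload))
```

The concatenated version returns the whole table for the tautology input, while both the escaped and the parameterised versions return nothing, because the input is treated as a name to match rather than as SQL. Escaping depends on getting every special character right for the particular database; binding parameters removes that burden, which is why it is the preferred fix.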
Posted in Notes | No Comments »
August 20th, 2008
Any message that appears to come from a friend in the network is trusted by default. Because of this, social networking sites are easy targets for worm writers to spread an attack. The enormous amount of content available also makes behavioural analysis possible, so a targeted attack based on an individual's interests is feasible.
The recently identified MySpace/Facebook worm is one example of such an attack; it turns the victim's machine into a zombie that can be used in a botnet. The worm creates spam messages and sends them to the users in the infected user's friends network through the infected user's account. The messages include: "Paris Hilton Tosses Dwarf On The Street"; "Examiners Caught Downloading Grades From The Internet"; "Hello"; "You must see it!!! LOL. My friend catched you on hidden cam"; "Is it really celebrity?"; "Funny Moments".
Upon clicking these links, a message appears saying the latest Flash player is required, and it downloads codecsetup.exe, which is the worm.
Kaspersky's coverage is here.
Posted in SecDigest | No Comments »
August 18th, 2008
Russian-Georgian Cyber attack
Is it real? There is evidence pointing that way, though we cannot conclude so for sure. "Cyber warfare" is still a term that can be set aside for the future, though such evidence makes it appear more real. At this point it can only be speculation; it may even be the act of hackers taking advantage of the situation.
Botnets are taking aim at Georgian websites, and there were a few incidents on the Russian side as well. These are TCP SYN flood attacks mixed with TCP RST flood attacks.
A timeline of the events since 8th August is captured here, and the attack observations here.
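The mix of SYN and RST floods mentioned above has a simple signature in flow data: a single destination receiving many bare SYNs (no ACK flag) and RSTs per second from a large number of distinct sources, with no handshakes completing. The detector below is an added example written for this post, not part of the original or of any named tool; it reads constructed flow records in an assumed "timestamp src dst flags" format and flags destinations whose per-window SYN or RST count exceeds a threshold.

```python
"""Threshold detector for TCP SYN and RST floods over flow records.

Added example, not from the original post. Input format is an assumption of
this example: one record per line, "epoch_seconds src dst tcp_flags" with
flags as letters (S = SYN, A = ACK, R = RST). SAMPLE_FLOWS is constructed.
"""
from collections import defaultdict

SAMPLE_FLOWS = """\
1218542400 198.51.100.11 203.0.113.10 S
1218542400 198.51.100.12 203.0.113.10 S
1218542400 198.51.100.13 203.0.113.10 S
1218542400 198.51.100.14 203.0.113.10 S
1218542400 198.51.100.15 203.0.113.10 S
1218542400 198.51.100.16 203.0.113.10 S
1218542400 198.51.100.17 203.0.113.10 S
1218542400 198.51.100.18 203.0.113.10 S
1218542400 198.51.100.11 203.0.113.10 R
1218542400 198.51.100.12 203.0.113.10 R
1218542400 198.51.100.13 203.0.113.10 R
1218542400 10.0.0.5 203.0.113.20 S
1218542400 203.0.113.20 10.0.0.5 SA
1218542400 10.0.0.5 203.0.113.20 A
1218542401 198.51.100.19 203.0.113.10 S
"""


def parse_records(text):
    """Parse the constructed record format into (ts, src, dst, flags) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, flags = line.split()
        records.append((int(ts), src, dst, flags.upper()))
    return records


def detect_floods(records, window=1, syn_threshold=100, rst_threshold=100):
    """Per destination and time window, count bare SYNs and RSTs; alert over threshold.

    A SYN carrying ACK is the server half of a handshake and is not counted, so a
    busy but healthy host (many completed handshakes) does not trip the SYN counter.
    """
    syn, rst, sources = defaultdict(int), defaultdict(int), defaultdict(set)
    for ts, src, dst, flags in records:
        bucket = (dst, ts // window)
        if "S" in flags and "A" not in flags:
            syn[bucket] += 1
            sources[bucket].add(src)
        if "R" in flags:
            rst[bucket] += 1
            sources[bucket].add(src)
    alerts = []
    for bucket in set(syn) | set(rst):
        if syn[bucket] >= syn_threshold or rst[bucket] >= rst_threshold:
            alerts.append({"dst": bucket[0], "window_start": bucket[1] * window,
                           "syn": syn[bucket], "rst": rst[bucket],
                           "sources": len(sources[bucket])})
    return sorted(alerts, key=lambda a: (a["dst"], a["window_start"]))


if __name__ == "__main__":
    # Thresholds lowered so the small constructed sample triggers; tune per link.
    for alert in detect_floods(parse_records(SAMPLE_FLOWS), syn_threshold=5, rst_threshold=5):
        print(alert)
```

The "sources" figure matters as much as the counts: a SYN count that is close to the number of distinct sources means one SYN per address and no follow-up, which is what spoofed flood traffic looks like, whereas a legitimate burst comes from fewer clients that go on to complete handshakes.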
Posted in SecDigest | No Comments »
August 13th, 2008
MS Bulletins - Aug 2008
11 security advisories were released this month, covering about 26 flaws in Microsoft Windows, Microsoft Office and Internet Explorer: http://www.microsoft.com/technet/security/bulletin/ms08-aug.mspx
The most critical ones are MS08-041 and MS08-042, as these are being exploited in the wild. The SecPod plugins for Nessus are uploaded, and we had earlier released Snort signatures (9003, 9004, 9005) for MS08-041.
The summary is available at SANS,
http://isc.sans.org/diary.html?storyid=4876&rss
It is just a matter of clicking Windows "Automatic Update" (is it? a careful deployment plan is certainly required for enterprise users) and going ahead with the installations.
Posted in SecDigest | No Comments »
August 12th, 2008
With the release of the latest DNS cache poisoning attack, DNSSEC is gaining some attention, as it is supposed to provide cryptographic means to prevent such attacks. Though it doesn't prevent the DDoS attacks that have become known in the DNS space, considering DNSSEC is a good step forward.
But why are DNSSEC implementation efforts not moving forward? The issue is much the same set of complications as with PKI deployments, and there are no commercial value additions that would push vendors to adopt DNSSEC.
Here's an old paper that discusses the reasons and also proposes alternative means of deploying DNSSEC: http://www.research.att.com/~trevor/papers/dnssec-incentives.pdf
A few steps forward:
.ORG Becomes First Generic Top Level Domain to Start DNSSEC Implementation,
http://pir.org/index.php?db=content/News&tbl=Press&id=9
Domain Name Security Paper Released,
http://www.icann.org/en/announcements/announcement-24jul08-en.htm
Posted in SecDigest | No Comments »