secpod.org

We had earlier released SecPod plugin for Nessus for MS08-067, vulnerability. The plugin required SMB credentials for it to work.

We have now made available the exploit code for the much talked about vulnerability in here. This has been tested with Nessus and OpenVAS and works well on Microsoft Windows 2000, XP and 2003. This doesn’t require any credentials to be supplied. Since this crashes the server service on the target system (Windows 2000 system restarts), you’ll have to restart the server service. Exercise caution!

The advisory released by Microsoft yesterday, MS08-067, calls for immediate update. The vulnerability is actively being exploited. We have the SecPod plugin for Nessus and OpenVAS available here, scan your system quickly and run the missing update.

Microsoft Bulletins - Sept08

There are 4 security bulletins released addressing 8 security vulnerabilities and all are Critical.

1. MS08-052 - GDI+ Remote Code Execution Vulnerability

2. MS08-053 - Windows Media Encoder 9 Remote Code Execution Vulnerability

3. MS08-054 - Windows Media Player Remote Code Execution Vulnerability

4. MS08-055 - Microsoft Office Remote Code Execution Vulnerability

More details can be found here. Also we have released SecPod Plugins for Nessus.

One critical vulnerability, MS08-052 requires considerable effort to deploy the patches. When we did a search for gdiplus.dll (vulnerable file), in one of the system, it returned 23 different locations where it exists and all are of different sizes and file versions. This indicates that each applications have been embedded with different version of GDI+ library.

First step towards applying the patch would be manually downloading the patches from Microsoft Bulletin and applying each of them listed against category of applications. Windows Automatic Update will not help here. Secondly, list out all the applications that are using GDI+ (search for gdiplus.dll) and try and see if you can overwrite those files with the latest versions (This may not work for all applications, as each is bundled with different versions and size). Apply thought while using these applications. Hopefully each vendor will update their software seperately and soon.

Antivirus XP 2008
Be careful with what you click! This Trojan makes you believe that there are viruses/worms in your computer, makes you download a file named XPantivirus2008_v880421.exe (v880421 is a variable component in the file) and installs another executable named xpa.exe which is a worm. This will create entries in multiple locations including ProgramFiles, Windows Registry and also adds an entry in the System Startup so that it can reappear after reboot.

This was actually reported to us by an infected user who also reported that many users in Australia are affected. The worm is described in more detail here.

Action:
1. Do not open any link that claims to clean the Virus/Worms existing on your computer
2. If you are already infected, AVG Free has cleanup means and others are adding as well, so run your AV   scanner.
3. We have  Snort signature written for this.

SQL injection attacks are the techniques used by hackers to inject malicious SQL queries into the Web Applications to steal information from the stored database.

SQL injection attacks are on the rise and these days attackers are targeting Social Networking Sites, Online Shopping Cart web pages and other such web based applications. Search Engines are used to search vulnerable pages by attackers. An example search query ‘.*mysql_query\(.*\$_(GET|POST).* ‘ in
Google Code search will yield vulnerable pages which are constructing SQL queries from the user supplied inputs in the Forms.

Web application developers should go with best practices like, Do’s: Alway Filter and Escape user inputs, always go with minimum privileges. Don’t’s: Do not trust user inputs, do not dynamically generate sql queries.

Any message that appears to have come from a friend in the network is trusted by default. By this nature, social networking sites are the easy targets for worm writers to spread the attack. Also, behavioral analysis is possible by looking at enormous amount of content available. An attack that is targeted is thus possible, based on individual’s interest.

The recently identified MySpace, FaceBook worm is one example of such an attack, which transforms victim’s machine into a zombie computer that can be used in the botnet. This worm creates spam messages and sends them to users in the friends network through infected user’s account. The messages include Paris Hilton Tosses Dwarf On The Street; Examiners Caught Downloading Grades From The Internet; Hello; You must see it!!! LOL. My friend catched you on hidden cam; Is it really celebrity? Funny Moments.

Upon clicking these links, a message appears saying latest Flash player is required and it downloads codecsetup.exe which is a worm.

KasperSky coverage is here

Russian-Georgian Cyber attack

Is it real? There are evidences attributing to that though we cannot conclude for sure. “Cyber Warfare” is still the term that can be set aside for the future, though such evidences are making it appear more real. It will only be a speculation at this point in time. It can even be the act of hackers taking advantage of the situation.

Botnets are taking aim at Georgia websites and there were few incidents on the Russian side as well. These are TCP SYN Flood attacks mixed with TCP RST flood attacks.

Time-line of events that have occurred since 8th August are captured here and attack observations here.

MS Bulletins - Aug 2008

11 Security Advisories were released this month, covering about 26 flaws in Microsoft Windows, Microsoft Office, and Internet Explorer, http://www.microsoft.com/technet/security/bulletin/ms08-aug.mspx

The very critical ones being MS08-041 and MS08-042 as these are being exploited in the wild. The SecPod plugins for Nessus are uploaded and we had made a Snort signatures (9003, 9004, 9005) release earlier for MS08-041.

The summary is available at SANS,

http://isc.sans.org/diary.html?storyid=4876&rss

It is just about clicking Windows “Automatic Update” (Is it? Careful deployment plan is certainly required for Enterprise users), go ahead with the installations.

With the release of latest DNS Cache poisoning attack, DNSSEC is gaining some attention. As it is supposed to provide cryptographic means to prevent such attacks. Though it doesn’t prevent DDOS attacks that have come to known in the DNS space, it is a good step forward to consider DNSSEC.

But, why DNSSEC implementation efforts are not moving forward? The issue with this is much the same set of complications as PKI deployments. And there are no commercial value additions that’ll give push to the vendors to adopt DNSSEC.

Here’s an old paper that discusses the reasons, also proposing alternative means to deploy DNSSEC, http://www.research.att.com/~trevor/papers/dnssec-incentives.pdf

Few steps forward,

.ORG Becomes First Generic Top Level Domain to Start DNSSEC Implementation ,
http://pir.org/index.php?db=content/News&tbl=Press&id=9

Domain Name Security Paper Released,
http://www.icann.org/en/announcements/announcement-24jul08-en.htm

Microsoft MS08-033, MS07-064 Revised

The revision included DirectX 9a in the vulnerable list. DirectX 9a users are advised to install the hotfixes.

WinRemotePC 2008 Packet Handling Denial of Service Vulnerability

Inserting huge amount of data of the order of 30000 bytes to replace “Service Pack n” string in the message, in repeated manner causes the CPU consumption to reach as high as 98% and complete memory utilization as well. The system crash wasn’t observed in our setup. We have the snort signature available, 9007

TCP Port Randomization

There’s an Internet Draft up for review, after all the issues surrounding port randomization.