Archive for August, 2009

The Fragus Exploit Kit

Tuesday, August 25th, 2009

Posted by: Barracuda Labs

Recently, Purewire’s Malicious Javascript Detection (MJD) engine identified malicious URLs backed by what was found to be Fragus, a new exploit kit that appeared in late July 2009. An example of a Fragus URL and a screenshot of its admin control panel login page are shown directly below.

hxxp://blt.kz/1/show.php?s=5015ba5606

Fragus Admin Control Panel Login

As with most modern exploit kits, Fragus serves not one, but a grab bag of exploits that attack the browser, ActiveX controls, and third-party plugins. Deobfuscating the JavaScript served from the above URL revealed the following function names (bodies omitted), each of which attempts to exploit one or more vulnerabilities:

directshow(): Performs heap spraying, then serves hxxp://blt.kz/1/directshow.php, which targets the Microsoft Video (DirectShow) ActiveX control vulnerability (a.k.a., MS09-032).

pdf(): Serves hxxp://blt.kz/1/pdf.php?eid=3, which targets Acrobat Reader vulnerabilities in util.printf, Collab.getIcon, and Collab.collectEmailInfo (a.k.a., CVE-2008-2992, CVE-2009-0927, and CVE-2007-5659, respectively).

flash(): Serves hxxp://blt.kz/1/swf.php?eid=4, which targets the Adobe Flash Player integer overflow vulnerability (a.k.a., CVE-2007-0071).

aolwinamp(): Performs heap spraying, then attempts to exploit the AOL Radio AmpX (AOLMediaPlaybackControl) ActiveX control vulnerability (a.k.a., CVE-2007-6250).

snapshot(): Targets the Microsoft Access Snapshot Viewer ActiveX control vulnerability (a.k.a., MS08-041) in an attempt to have hxxp://blt.kz/1/load.php?e=6 executed.

spreadsheet(): Performs heap spraying, then attempts to exploit the Microsoft Office Web Components ActiveX control vulnerability (a.k.a., MS09-043).

ms09002(): Performs heap spraying, then attempts to exploit the Microsoft Internet Explorer 7 memory corruption vulnerability (a.k.a., MS09-002).

The above set of exploits prompts two observations about the continuing evolution of the web threat landscape. First, given that Fragus targets vulnerabilities in at least seven different software components, ranking one vulnerability as more or less exploited than another is increasingly at odds with how vulnerabilities are actually used. Modern exploit kits target any and all vulnerabilities that have a reasonable chance of compromising a system, and unfortunately the presence of just one vulnerable, out-of-date software component is all that such a compromise requires. Second, as one of the above vulnerabilities (MS09-043) is less than a month old, the time between the discovery of a vulnerability and its widespread use by criminals is shrinking. The creators of malware infrastructure now rapidly integrate recently discovered vulnerabilities into do-it-yourself exploit kits, and security companies must be increasingly quick to respond.

Users of the PWSS are protected from this threat.


5 Tips For Staying Safe In Social Networks

Thursday, August 13th, 2009

Posted by: Barracuda Labs

In case you haven’t noticed, social networking sites are taking over the Internet. They receive the most traffic; they generate the most media attention, and let’s face it: they’re where all the cool kids are hanging out. Unfortunately, as these sites become more and more popular, they also become more and more attractive as targets for attackers.

So what can you do to protect yourself from attackers? If you’re incredibly paranoid, you can just boycott all social networking sites (that’s what the Marines do). Or if that’s a little too extreme, you can always follow these five simple guidelines for protecting yourself in these environments:

1.) Don’t use “password” as your password. I know it’s easy to remember, but it’s also incredibly easy to guess. Instead, use a strong password of at least 8 characters consisting of numbers, mixed-case letters, and special characters. Also, be sure to use a hard-to-guess password reset question (i.e., don’t end up like Sarah Palin’s Yahoo! account).

2.) Don’t use the same password at multiple sites. I realize this is somewhat inconvenient, but consider the alternative. If you use the same password at every site, what happens when one of your accounts is compromised? You guessed it: all of your accounts are compromised! Scary, right?! Now, go change your passwords!!!

3.) Don’t give your username and password to untrusted sites. Some legitimate sites will ask for your username and password (e.g., sites that support Facebook Connect), but you should always verify the trustworthiness of a site before you enter your credentials. When in doubt, err on the side of caution and avoid becoming yet another phishing victim.

4.) Don’t click on that! Never click on links from unknown users because they can lead you to any number of malicious destinations. Even if you trust the user, use caution because you never know when one of your friends has been compromised (not everyone reads this blog :-P ). Also, be extremely careful with shortened URLs because you have no idea where they will lead you. To be on the safe side, use an unshortener (e.g., Untiny, Unshorten, etc.) to determine a shortened URL’s final destination.

5.) Verify the trustworthiness of people by using reputation systems such as Purewire Trust and TweetGrade. Social networking sites are like the Wild Wild West of the Internet, but reputation systems aim to bring a sense of order to these sites so that users can make informed decisions in these environments. Before interacting with unknown individuals on a social networking site, you should check their reputations in one of these systems to safeguard yourself from malicious activity.

If all else fails, just remember to use common sense! When a smoking hot stranger sends you a friend request or a link, just ignore it and keep on moving.


A month of zero day(s)!

Tuesday, August 4th, 2009

Posted by: Barracuda Labs

July proved to be quite an eventful month for security researchers! First we had a 0Day in the Microsoft Video ActiveX control (DirectShow), discussed here (http://www.microsoft.com/technet/security/advisory/972890.mspx), then another 0Day in Office Web Components (OWC) (http://www.microsoft.com/technet/security/advisory/973472.mspx), followed by a 0Day in Firefox (http://www.mozilla.org/security/announce/2009/mfsa2009-41.html), and the month ended with a 0Day in Adobe Flash Player (http://www.adobe.com/support/security/advisories/apsa09-03.html). Each of these vulnerabilities is being exploited in the wild right now, and switching from one browser to another is no longer a solution. Instead, users should take all precautionary measures suggested by the vendors to avoid these exploits, and they should update their systems as soon as a fix is out for the vulnerable components.

As for researchers, it is interesting to see how quickly attackers are adopting various ways to make sure that exploits execute unnoticed and stay alive, taking advantage of the window between advisory and fix, or of users who don’t update their systems immediately! When we first started following the msVidCtl (DirectShow) exploit, it looked like a fairly usual heap spray and shellcode injection attack served as a JavaScript include. However, attackers soon started masking the JavaScript as a JPG and lying about the Content-Type, so if your scanner only scanned files served with JavaScript extensions, you would have had no protection at that point. Next they started fragmenting the exploit JavaScript into multiple smaller JavaScript includes, so looking at just one file you cannot determine whether it is serving an exploit. The use of various obfuscation techniques for hiding JavaScript has become very common and probably needs its own post... maybe next time. We saw similar techniques being employed in the OWC exploits, and it would not be a surprise if we start seeing them with the Firefox or Flash exploits.
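The masking trick described above (script served under an image extension with a false Content-Type) is exactly what a scanner that trusts extensions misses. As an added example that is not part of the original post, the following Python function inspects the response body instead of its label: it checks the declared image type against the file's magic bytes and looks for script tokens in the body. The sample responses are constructed.

```python
import re

# Magic bytes for the image types a script is most likely to masquerade as.
IMAGE_MAGIC = {
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/gif": [b"GIF87a", b"GIF89a"],
}

# Tokens common in JavaScript that never appear in a genuine image header.
SCRIPT_TOKENS = re.compile(
    rb"\b(function|var|eval|unescape|document\.write|String\.fromCharCode)\b"
)


def classify_response(content_type: str, body: bytes) -> str:
    """Classify an HTTP response by its bytes rather than its headers.

    Returns 'ok' when the body matches the declared type (or the type is not
    an image we know), 'script-as-image' when an image was declared but the
    body reads like JavaScript, and 'mismatch' when the body is neither.
    """
    declared = content_type.split(";", 1)[0].strip().lower()
    head = body[:4096]  # the header region is enough to decide
    looks_like_script = SCRIPT_TOKENS.search(head) is not None
    if declared in IMAGE_MAGIC:
        if any(head.startswith(magic) for magic in IMAGE_MAGIC[declared]):
            return "ok"
        return "script-as-image" if looks_like_script else "mismatch"
    return "ok"


# Constructed sample responses (not real captures).
SAMPLES = [
    ("image/jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("image/jpeg; charset=binary", b"var a='x';function f(){eval(a)}"),
    ("image/gif", b"\x00\x01not an image, not a script"),
    ("text/javascript", b"function f(){}"),
]

if __name__ == "__main__":
    for ctype, body in SAMPLES:
        print(f"{ctype:28} -> {classify_response(ctype, body)}")
```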

Another interesting point to notice in all these exploits is their transport mechanism. In most cases attackers try to lure users to visit a site hosting the exploit. However, due to diligent work by security researchers, it is becoming harder to keep a dedicated malware-serving site up for long before it gets blacklisted! So what does an attacker do? Find a reputable site that can host the malware! Why would a legitimate site host malware? It won’t ‘knowingly’, but what if the bad stuff gets in through a door the site owners don’t know about? Attackers are looking for holes such as SQL injection in legitimate sites, not to steal data but to inject malicious scripts that make their way into the web page served to users when they visit the site. One real-world attempt to serve the OWC exploit this way is reported here (http://isc.sans.org/diary.html?storyid=6811). So this is not all theory; it is happening now. You can only imagine the millions of other websites that are ready to become victims of this kind of attack. If you run a site, make sure you do everything you can to avoid becoming the attacker’s accomplice.
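One thing a site owner can do about the injected-script scenario above is to watch their own pages for includes they did not put there. As an added example that is not part of the original post, this Python snippet extracts every external script and iframe source from a page and reports those whose host is neither the site itself nor on an allow-list; the HTML and hostnames are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class IncludeCollector(HTMLParser):
    """Collects the src of every <script> and <iframe> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []  # list of (tag, src) pairs

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append((tag, src))


def find_unexpected_includes(html: str, site_host: str, allowed_hosts: set) -> list:
    """Return (tag, src) for every external include whose host is not trusted.

    Relative URLs and URLs on site_host are treated as the site's own content;
    anything else must be on allowed_hosts (e.g. a known CDN) or it is flagged.
    """
    parser = IncludeCollector()
    parser.feed(html)
    trusted = {site_host.lower()} | {h.lower() for h in allowed_hosts}
    return [
        (tag, src)
        for tag, src in parser.sources
        if urlparse(src).netloc.lower() not in ("", *trusted)
    ]


# Constructed page: the site's own script, a trusted CDN, and two injected includes.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="http://cdn.example.com/jquery.js"></script>
<script src="http://injected.example.net/x.js"></script>
</head><body>
<iframe src="http://injected.example.net/x.html" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    hits = find_unexpected_includes(SAMPLE_HTML, "www.example.com", {"cdn.example.com"})
    for tag, src in hits:
        print(f"unexpected <{tag}> include: {src}")
```

Run against a stored copy of each page on a schedule, a new entry in the output is an early signal that something was injected.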

For now, users can set the kill bit for the affected ActiveX controls as suggested by Microsoft for OWC (http://blogs.technet.com/srd/archive/2009/07/13/more-information-about-the-office-web-components-activex-vulnerability.aspx) and for the Microsoft Video ActiveX control (http://blogs.technet.com/srd/archive/2009/07/06/new-vulnerability-in-mpeg2tunerequest-activex-control-object-in-msvidctl-dll.aspx). Firefox 3.5 users should update to 3.5.1, a new release issued by Mozilla that fixes the issue. Adobe has released a fix for the Flash plugin (http://www.adobe.com/support/security/bulletins/apsb09-10.html).
