Experts Warn of New Windows Shortcut Flaw

July 15, 2010

Researchers have discovered a sophisticated new strain of malicious software that piggybacks on USB storage devices and leverages what appears to be a previously unknown security vulnerability in the way Microsoft Windows processes shortcut files.

Update, July 16,  7:49 p.m. ET: Microsoft just released an advisory about this flaw, available here. Microsoft said it stems from a vulnerability in the “Windows shell” (Windows Explorer, e.g.) that is present in every supported version of Windows. The advisory includes steps that can mitigate the threat from this flaw.

Original post:

VirusBlokAda, an anti-virus company based in Belarus, said that on June 17 its specialists found two new malware samples that were capable of infecting a fully-patched Windows 7 system if a user were to view the contents of an infected USB drive with a common file manager such as Windows Explorer.

USB-borne malware is extremely common, and most malware that propagates via USB and other removable drives traditionally has taken advantage of the Windows Autorun or Autoplay feature. But according to VirusBlokAda, this strain of malware leverages a vulnerability in the method Windows uses for handling shortcut files.

Shortcut files — or those ending in the “.lnk” extension — are Windows files that link (hence the “lnk” extension) easy-to-recognize icons to specific executable programs, and are typically placed on the user’s Desktop or Start Menu. Ideally, a shortcut doesn’t do anything until a user clicks on its icon. But VirusBlokAda found that these malicious shortcut files are capable of executing automatically if they are written to a USB drive that is later accessed by Windows Explorer.

Continue reading

The Case for Cybersecurity Insurance, Part II

July 14, 2010

When cyber crooks stole nearly $35,000 this year from Brookeland Fresh Water Supply District in East Texas, the theft nearly drained the utility’s financial reserves. Fortunately for the 1,300 homes and businesses it serves, Brookeland had purchased cyber security insurance, and now appears on track to recoup all of the unrecovered funds in exchange for a $500 deductible.

As this attack and a related case study I wrote about last month show, cyber theft insurance can be a reasonable and effective investment in an era when ultra-sophisticated cyber thieves increasingly are defeating the security that surrounds many commercial online banking accounts.

The attack on Brookeland’s Internet banking account began on Friday, April 9, about the time that General Manager Trey Daywood had authorized the utility’s payroll transfer — just a half hour before the 2 p.m. the bank’s cutoff time. A few minutes later, unidentified hackers went in and deleted Daywood’s payroll batch and set up their own payroll, sending sub-$10,000 payments to seven individuals across the United States who were recruited to help launder the money through work-at-home job scams.

Daywood soon heard from his financial institution, Texas based First National Bank, which thought the $34,038 amount was quite a bit higher than the organization’s regular payroll total. But the bank only called after it had finished processing the fraudulent transfers, and most of the unauthorized payments still were sent out the following Monday.

Continue reading

Advertisement

Microsoft Security Updates, and a Farewell to Windows XP Service Pack 2

July 13, 2010

Microsoft today released software updates to fix at least five security vulnerabilities in computers running its Windows operating system and Office applications. Today also marks the planned end-of-life deadline for Windows XP Service Pack 2, a bundle of security updates and features that Microsoft first released in 2004.

Four out of five of the flaws fixed in today’s patch batch earned a “critical” rating, Redmond’s most severe. Chief among them is a bug in the Help and Support Center on Windows XP and Server 2003 systems that’s currently being exploited by crooks to break into vulnerable machines. Microsoft released an interim “FixIt” tool last month to help users blunt the threat from this flaw, and users who applied that fix still should install this patch (and no, you don’t need to undo the FixIt setting first). Update 5:50 p.m. ET: I stand corrected on this — it looks like Microsoft won’t offer the patch for this flaw if you’ve already used the FixIt tool.

Continue reading

Pirate Bay Hack Exposes User Booty

July 7, 2010

Security weaknesses in the hugely popular file-sharing Web site thepiratebay.org have exposed the user names, e-mail and Internet addresses of more than 4 million Pirate Bay users, according to information obtained by KrebsOnSecurity.com.

A screen shot of the Pirate Bay admin panel showing newly registered users.

An Argentinian hacker named Ch Russo said he and two of his associates discovered multiple SQL injection vulnerabilities that let them into the user database for the site. Armed with this access, the hackers had the ability to create, delete, modify or view all user information, including the number and name of file trackers or torrents uploaded by users.

Russo maintains that at no time did he or his associates alter or delete information in The Pirate Bay database. But he acknowledges that they did briefly consider how much this access and information would be worth to anti-piracy companies employed by entertainment industry lobbying groups like the Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA), each of which has assiduously sought to sink The Pirate Bay on grounds that the network facilitates copyright infringement.

That effort has largely failed, but both industries have been busy suing individual music and movie downloaders for alleged copyright violations, often obtaining substantial monetary damages when defendants settled the charges out of court. In almost every case, the entertainment industry learned the identities of file-sharing users by subpoenaing subscriber information from Internet service providers based on the user’s Internet address.

“Probably these groups would be very interested in this information, but we are not [trying] to sell it,” Russo told KrebsOnSecurity.com in a phone interview. “Instead we wanted to tell people that their information may not be so well protected.”

Continue reading

Microsoft Warns of Uptick in Attacks on Unpatched Windows Flaw

July 5, 2010

Microsoft is warning that hackers have ramped up attacks against an unpatched, critical security hole in computers powered by Windows XP and Server 2003 operating systems. The software giant says it is working on an official patch to fix the flaw, but in the meantime it is urging users to apply an interim workaround to disable the vulnerable component.

Redmond first warned of limited attacks against the vulnerability in mid-June, not long after a Google researcher disclosed the details of a flaw in the Microsoft Help & Support Center that can be used to remotely compromise affected systems. Last week, Microsoft said the pace of attacks against Windows users had picked up, and that more than 10,000 distinct computers have reported seeing this attack at least one time.

If you run either Windows XP or Server 2003, I’d encourage you to consider running Microsoft’s stopgap “FixIt” tool to disable the vulnerable Help Center component. To do this, click this link, then click the “FixIt” button in the middle of the page under the “enable this fix” heading. Should you need to re-enable the component for any reason, click the other FixIt icon. Users who apply this fix don’t need to undo it before applying the official patch once it becomes available, which at this rate probably will be on Tuesday, July 13.

Top Apps Largely Forgo Windows Security Protections

July 1, 2010

Many of the most widely used third-party software applications for Microsoft Windows do not take advantage of two major lines of defense built into the operating system that can help block attacks from hackers and viruses, according to research released today.

Attackers usually craft software exploits so that they write data or programs to very specific, static sections in the operating system’s memory. To counter this, Microsoft introduced with Windows Vista (and Windows 7) a feature called address space layout randomization or ASLR, which constantly moves these memory points to different positions. Another defensive feature called data execution prevention (DEP) — first introduced with Windows XP Service Pack 2 back in 2004 — attempts to make it so that even if an attacker succeeds in guessing the location of the memory point they’re seeking, the code placed there will not execute or run.

These protections are available to any applications built to run on top of the operation system. But according to a new analysis by software vulnerability management firm Secunia, half of the third party apps they looked at fail to leverage either feature.

As indicated by the chart to the right, Secunia found that at least 50 percent of the applications examined — including Apple Quicktime, Foxit Reader, Google Picasa, Java, OpenOffice.org, RealPlayer, VideoLAN VLC Player, and AOL‘s Winamp — still do not invoke either DEP or ASLR. Secunia said DEP adoption has been slow and uneven between operating system versions, and that ASLR support is improperly implemented by nearly all vendors.

“If both DEP and ASLR are correctly deployed, the ease of exploit development decreases significantly,” wrote Alin Rad Pop, a senior security specialist at Secunia. “While most Microsoft applications take full advantage of DEP and ASLR, third-party applications have yet to fully adapt to the requirements of the two mechanisms. If we also consider the increasing number of vulnerabilities discovered in third-party applications, an attackers choice for targeting a popular third-party application rather than a Microsoft product becomes very understandable.”

Continue reading

Security Updates for Adobe Acrobat, Reader

June 29, 2010

Adobe Systems Inc. is urging users to update installations of Adobe Reader and Acrobat to fix a critical flaw that attackers have been exploiting to break into vulnerable systems.

The update brings Adobe Acrobat and Reader to version 9.3.3 (another update for the older 8.2 line of both products brings the latest version to v. 8.2.3). Patches are available for Windows, Mac, Linux and Solaris versions of these programs. Adobe’s advisory for this update is here, and the Reader update is available from this link — or by opening the program and clicking “Help” and “Check for Updates.” If you download the update from the Adobe Reader homepage, you’ll end up with a bunch of other stuff you probably don’t want (see below, after the jump for more on this).

If you use Adobe Reader or Acrobat, please take a moment to update this software. Users may also want to consider switching to other free PDF readers that are perhaps less of a target for malicious hackers, such as Foxit Reader, Nitro PDF Reader, and Sumatra.

Continue reading

e-Banking Bandits Stole $465,000 From Calif. Escrow Firm

June 28, 2010

A California escrow firm has been forced to take out a pricey loan to pay back $465,000 that was stolen when hackers hijacked the company’s online bank account earlier this year.

In March, computer criminals broke into the network of Redondo Beach based Village View Escrow Inc. and sent 26 consecutive wire transfers to 20 individuals around the world who had no legitimate business with the firm.

Owner Michelle Marisco said her financial institution at the time — Professional Business Bank of Pasadena, Calif. – normally notified her by e-mail each time a new wire was sent out of the company’s escrow account. But the attackers apparently disabled that feature before initiating the fraudulent wires.

The thieves also defeated another anti-fraud measure: A requirement that two employees sign off on any wire requests. Marisco said that a few days before the theft, she opened an e-mail informing her that a UPS package she had been sent was lost, and urging her to open the attached invoice. Nothing happened when she opened the attached file, so she forwarded it on to her assistant who also tried to view it. The invoice was in fact a Trojan horse program that let the thieves break in and set up shop and plant a password-stealing virus on both Marisco’s computer and the PC belonging to her assistant, the second person needed to approve transfers.

As a guarantor of payment for residential real estate transactions, Village View Escrow holds other peoples’ money until the sale of a property is complete. Failure to come up with the funds when a real estate deal is finalized can spell bankruptcy and possibly worse for an escrow provider. Since the incident, Marisco has had to take out a $395,000 loan at 12 percent to cover the loss (she managed to get $70,000 in wires reversed).

“I’m working for nothing right now, and can’t afford to pay myself,” Marisco said in a phone interview.

Officials from Professional Business Bank did not immediately return calls seeking comment.

Continue reading

Anti-virus is a Poor Substitute for Common Sense

June 25, 2010

Common sense always speaks too late.” — Raymond Chandler

A new study about the (in)efficacy of anti-virus software in detecting the latest malware threats is a much-needed reminder that staying safe online is more about using your head than finding the right mix or brand of security software.

Last week, security software testing firm NSS Labs completed another controversial test of how the major anti-virus products fared in detecting malware pushed by malicious Web sites: Most of the products took an average of more than 45 hours — nearly two days — to detect the latest threats.

The two graphs below show the performance of the commercial versions of 10 top anti-virus products. NSS permitted the publication of these graphics without the legend showing how to track the performance of each product, in part because they are selling this information, but also because — as NSS President Rick Moy told me — they don’t want to become an advertisement for any one anti-virus company.

That’s fine with me because my feeling is that while products that come out on top in these tests may change from month to month, the basic takeaway for users should not: If you’re depending on your anti-virus product to save you from an ill-advised decision — such as opening an attachment in an e-mail you weren’t expecting, installing random video codecs from third-party sites, or downloading executable files from peer-to-peer file sharing networks — you’re playing Russian Roulette with your computer.

Continue reading

Exploiting the Exploiters

June 23, 2010

Most computer users understand the concept of security flaws in common desktop software such as media players and instant message clients, but the same users often are surprised to learn that the very software tools attackers use to break into networks and computers typically are riddled with their own hidden security holes. Indeed, bugs that reside in attack software of the sort sold to criminals are extremely valuable to law enforcement officials and so-called “white hat” hackers, who can leverage these weaknesses to spy on the attackers or interfere with their day-to-day operations.

Administrative page from a live Crimepack exploit kit.

Last week, French security researchers announced they had discovered a slew of vulnerabilities in several widely used “exploit packs,” stealthy tool kits designed to be stitched into hacked and malicious sites. The kits — sold in the underground for hundreds of dollars and marketed under brands such as Crimepack, Eleonore, and iPack — probe the visitor’s browser for known security vulnerabilities, and then use the first one found as a vehicle to quietly install malicious software.

Speaking at the Syscan security conference in Singapore, Laurent Oudot, founder of Paris-based TEHTRI Security, released security advisories broadly outlining more than a dozen remotely exploitable flaws in Eleonore and other exploit packs. According to TEHTRI, some of the bugs would allow attackers to view internal data stored by those kits, while others could let an attacker seize control over sites retrofitted with one of these exploit packs.

“It’s time to have strike-back capabilities for real, and to have alternative and innovative solutions against those security issues,” Oudot wrote in a posting to the Bugtraq security mailing list.

Continue reading