MalCon: A Call for ‘Ethical Malcoding’

August 24, 2010
31 Comments

I was pretty bummed this year when I found out that a previous engagement would prevent me from traveling to Las Vegas for the annual back-to-back Black Hat and Defcon security conventions. But I must say I am downright cranky that I will be missing MalCon, a conference being held in Mumbai later this year that is centered around people in the “malcoder community.”

According to the conference Web site, MalCon is “the worlds [sic] first platform bringing together Malware and Information Security Researchers from across the globe to share key research insights into building the next generation malwares. Spread across the world, malcoders now have a common platform to demonstrate expertise, get a new insight and be a part of the global MALCODER community. This conference features keynotes, technical presentations, workshops as well as the EMERGING CHALLENGES of creating undetectable stealthy malware.”

The call for papers shows that this security conference is encouraging malware writers of all shapes, ages and sizes to bring and share their creations. “We are looking for new techniques, tool releases,unique research and about anything that’s breath-taking, related to Malwares. If your presentation, when given with all its valid techno-Jargon can give our moderators a head-ache, you are right up there. The papers and research work could be under any of the broad categories mentioned below. You can submit working malwares as well.”

Among the “malwares” encouraged are novel phishing kits, botnets and mobile phone-based malware, malware creation tools, cross-platform malware infection techniques, and new malware self-defense mechanisms, such as anti-virus exploitation techniques.

At first, I didn’t know what to make of this conference, which was initially brought to my attention by a clueful source in the botnet underground. My hoaxmeter went positively bonkers after I pinged both of the e-mail addresses listed on the site and each e-mail bounced.

Continue reading

Anti-virus Products Struggle Against Exploits

August 23, 2010
12 Comments

Most anti-virus products designed for use in businesses do a poor job of detecting the exploits that hacked and malicious Web sites use to foist malware, a new report concludes.

Independent testing firm NSS Labs looked at the performance of 10 commercial anti-virus products to see how well they detected 123 client-side exploits, those typically used to attack vulnerabilities in Web browsers including Internet Explorer and Firefox, as well as common desktop applications, such as Adobe Flash, Reader, and Apple QuickTime.

Roughly half of the exploits tested were exact copies of the first exploit code to be made public against the vulnerability. NSS also tested detection for an equal number of exploit variants, those which exploit the same vulnerability but use slightly different entry points in the targeted system’s memory. None of the exploits used evasion techniques commonly employed by real-life exploits to disguise themselves or hide from intrusion detection systems.

Among all ten products, NSS found that the average detection rate against original exploits was 76 percent, and that only three out of ten products stopped all of the original exploits. The average detection against exploits variants was even lower at 58 percent, NSS found.

Continue reading

Advertisement

Adobe Issues Acrobat, Reader Security Patches

August 19, 2010
12 Comments

Adobe Systems Inc. today issued software updates to fix at least two security vulnerabilities in its widely-used Acrobat and PDF Reader products. Updates are available for Windows, Mac and UNIX versions of these programs.

Acrobat and Reader users can update to the latest version, v. 9.3.4, using the built-in updater, by clicking “Help” and then “Check for Updates.”

Today’s update is an out-of-cycle release for Adobe, which recently moved to a quarterly patch release schedule. The company said the update addresses a vulnerability that was demonstrated at the Black Hat security conference in Las Vegas last month. The release notes also reference a flaw detailed by researcher Didier Stevens back in March. Adobe said it is not aware of any active attacks that are exploiting either of these bugs.

More information on these patches, such as updating older versions of Acrobat and Reader, is available in the Adobe security advisory.

WinMHR: (Re)Introducing the Malware Hash Registry

August 19, 2010
26 Comments

Microsoft Windows users seeking more certainty about the security and integrity of downloaded files should take a look at a free new offering from Internet security research firm Team Cymru (pronounced kum-ree) that provides a solid backup to anti-virus scans.

The tool, called “WinMHR,” is an extension of the “Malware Hash Registry” (MHR), an anti-malware service that Team Cymru has offered for several years. The MHR is a large repository of the unique fingerprints or “hashes” that correspond to millions of files that have been identified as malicious by dozens of anti-virus firms and other security experts over the years.

The MHR has been a valuable tool for malware analysts, but until now its Web-based and command-line interface has placed it just outside the reach of most average computers users. WinMHR, on the other hand, is essentially a more user-friendly, point-and-click interface for the traditional MHR service, which Team Cyrmu described this way:

“While your AV posture helps you perform detection based on signatures, heuristics and polymorphism, the MHR provides you additional layer of detection, for known badness. Based on our research, AV packages have trouble detecting every possible piece of malware when it first appears. The MHR leverages multiple AV packages and our own malware analysis sandbox to help aid your detection rate. Coupled with AV, the MHR helps identify known problems so you can take action.”

Continue reading

Apple Patch Catchup

August 18, 2010
18 Comments

I’ve fallen a bit behind on blog posts about notable security updates (I was counting on August to be the slowest month this year work-wise, but so far it’s actually been the busiest!). Recently, Apple released a series of important patches that I haven’t covered here, so it’s probably easiest to mention them all in one fell swoop.

Continue reading

NetworkSolutions Sites Hacked By Wicked Widget

August 16, 2010
23 Comments

Hundreds of thousands of Web sites parked at NetworkSolutions.com have been serving up malicious software thanks to a tainted widget embedded in their pages, a security company warned Saturday.

Santa Clara, Calif. based Web application security vendor Armorize said it found the mass infection while responding to a complaint by one of its largest customers. Armorize said it traced the problem to the “Small Business Success Index” widget, an application that Network Solutions makes available to site owners through its GrowSmartBusiness.com blog.

Armorize soon discovered that not only was the widget serving up content for those who had downloaded and installed it on their sites, but also it was being served by default on some — if not all — Network Solutions pages that were parked or marked as “under construction.”

Parked domains are registered but contain no owner content. Network Solutions — like many companies that bundle Web site hosting and domain registration services – includes ads and other promotional content on these sites until customers add their own.

Continue reading

Spam King Leo Kuvayev Jailed on Child Sex Charges

August 11, 2010
32 Comments

Undated photo of Leo Kuvayev, courtesy Spamhaus.org.

A man known as one of the world’s top purveyors of junk e-mail has been imprisoned in Russia for allegedly molesting underage girls from a Moscow orphanage, KrebsOnSecurity.com has learned.

According to multiple sources, Leonid “Leo” Aleksandorovich Kuvayev, 38, is being held in a Russian prison awaiting trial on multiple child molestation charges.

Sources in the United States and Russia said that Kuvayev, who holds dual Russian-American citizenship, was alleged to have molested more than 50 young girls he had lured away from one or more local orphanages. He was brought in for questioning after one of the girls reported the incident to Russian police, who reportedly found videotaped evidence of the incidents.

Brandon A. Montgomery, a spokesman for the Immigration and Customs Enforcement (ICE) division at the U.S. Department of Homeland Security, confirmed that Kuvayev was indicted on Aug. 3, 2009, and arrested on Sept. 15 in Moscow for child molestation charges.

“Our attaché in Moscow is working with the criminal investigative team in Russia, and the investigation is ongoing,” Montgomery said.

The Russian criminal case against Kuvayev, Case. No. 378243, charges him with violations of Russian Criminal Code 134, which prohibits “crimes against sexual inviolability and sexual freedom of the person.” According to sources in Russia familiar with the case but who asked not to be named, Kuvayev is being held in a Moscow jail awaiting trial, which is currently scheduled to start 10 months from the date of his incarceration on Dec. 22, 2009.

Kuvayev in Thailand, 2001

Kuvayev is widely considered one of the world’s most notorious spammers. Anti-spam group Spamhaus.org currently features Kuvayev as #2 on its Top 10 worst spammers list.

In 2005, the attorney general of Massachusetts successfully sued Kuvayev for violations of the CAN-SPAM Act, a law that prohibits the sending of e-mail that includes false or misleading information about the origins of the message, among other restrictions. Armed with a massive trove of spam evidence gathered largely by lawyers and security experts at Microsoft Corp., the state showed that Kuvayev’s operation, an affiliate program known as BadCow, was responsible for blasting tens of millions of junk e-mails peddling everything from pirated software to counterfeit pharmaceuticals and porn.

Continue reading

Critical Updates for Windows, Flash Player

August 10, 2010
39 Comments

Microsoft issued a record number of software updates today, releasing 14 update bundles to plug at least 34 security holes in its Windows operating system and other software. More than a third of flaws earned a “critical” severity rating, Microsoft’s most serious. Separately, Adobe released an update for its Flash Player that fixes a half-dozen security bugs.

Microsoft tries to further emphasize which critical patches should be applied first, and it does this largely by assessing which of the flaws appear to be the easiest and most reliable to attack. According to an analysis posted on the Microsoft Security Response Center blog, the most dangerous of the critical flaws patched this month involve media file format and Office bugs.

Specifically, Microsoft pointed out a critical flaw in Microsoft Silverlight and its .NET Framework, as well as bugs in the Microsoft MPEG-Layer 3 and Cinepak codecs. All of these media format vulnerabilities are critical and could be exploited merely by loading a tainted media file, either locally or via a Web browser, Redmond said.

The software giant also urged customers to quickly deploy a patch that fixes at least four vulnerabilities in Microsoft Office, the most severe of which could lead to users infecting their PCs with malware simply by opening or viewing a specially-crafted e-mail.

Continue reading

Shunning and Stunning Malicious Networks

August 10, 2010
22 Comments

McAfee just published the sixth edition of its Security Journal, which includes a lengthy piece I wrote about the pros and cons of taking down Internet service providers and botnets that facilitate cyber criminal activity. The analysis focuses on several historical examples of what I call “shuns” and “stuns,” or taking out rogue networks either by ostracizing them, or by kneecapping their infrastructure in a coordinated surprise attack, respectively.

The theme of this edition of the journal is finding ways to take security on the offense, and it includes articles from noted security researchers Joe Stewart and Felix “FX” Lindner.

Here’s the lead-in from my contribution:

The security technologies most of us rely on every day — from anti-virus software to firewalls and intrusion detection devices — are reactive. That is, they are effective usually only after a new threat has been identified and classified. The trouble is that, meanwhile, an indeterminate number of individuals and corporations become victims of these unidentified stalkers.

Until quite recently, this “bag ’em and tag ’em” approach to dealing with malicious activity online had become so ingrained in the security community that most of the thought leaders on security were content merely to catalog the Internet’s worst offenders and abide the most hostile networks. Exponential increases in the volume and sophistication of new threats unleashed during the past few years — coupled with a pervasive attitude that fighting criminal activity online is the principal job of law enforcement — have helped to reinforce this bunker mentality.

Then, in the fall of 2007, something remarkable happened that seemed to shake the security industry out of its torpor: a series of investigative stories in the mainstream and technology press about concentrations of cybercrime activity at a Web hosting conglomerate in St. Petersburg known as the Russian Business Network (RBN) caused the ISPs serving the infamous provider to pull the plug. The RBN, which had been a vortex of malicious activity for years, was forced to close up shop and, subsequently, scattered its operations.

This was the first of many examples that would demonstrate the strategic (and, arguably, cathartic) value of identifying and isolating significant, consistent sources of hostile — if not criminal — activity online. I will focus on two popular methods of taking the fight to the enemy and will offer a few thoughts on the long-term viability of these approaches.

Copies of the journal are available from this link.

Foxit Fix for “Jailbreak” PDF Flaw

August 8, 2010
16 Comments

One of the more interesting developments over the past week has been the debut of jailbreakme.com, a Web site that allows Apple customers to jailbreak their devices merely by visiting the site with their iPhone, iPad or iTouch. Researchers soon learned that the page leverages two previously unknown security vulnerabilities in the PDF reader functionality built into Apple’s iOS4.

Adobe was quick to issue a statement saying that the flaws were in Apple’s software and did not exist in its products. Interestingly, though, this same attack does appear to affect Foxit Reader, a free PDF reader that I often recommend as an alternative to Adobe.

According to an advisory Foxit issued last week, Foxit Reader version 4.1.1.0805 “fixes the crash issue caused by the new iPhone/iPad jailbreak program which can be exploited to inject arbitrary code into a system and execute it there.” If you use Foxit, you grab the update from within the application (“Help,” then “Check for Updates Now”) or from this link.

Obviously, from a security perspective the intriguing aspect of a drive-by type jailbreak is that such an attack could easily be used for more nefarious purposes, such as seeding your iPhone with unwanted software. To be clear, nobody has yet seen any attacks like this, but it’s certainly an area to watch closely. F-Secure has a nice Q&A about the pair of PDF reader flaws that allow this attack, and what they might mean going forward. Apple says it plans to release an update to quash the bugs.

I’m left wondering what to call these sorts of vulnerabilities that quite obviously give users the freedom that jailbreaking their device(s) allows (the ability to run applications that are not approved and vetted by Apple) but that necessarily direct the attention of attackers to very potent vulnerabilities that can be used to target jailbreakers and regular users alike. It’s not quite a “featureability,” which describes an intentional software component that opens up customers to attack even as the vendor insists the feature is a useful, by-design ability rather than a liability.

I came up with a few ideas.

– “Apptack”

– “Jailbait” (I know, I know, but it’s catchy)

– “Freedoom”

Maybe KrebsOnSecurity readers can devise a better term? Sound off in the comments below if you come up with any good ones.

Finally, I should note that while Adobe’s products may not be affected by the above-mentioned flaws, the company said last week that it expects to ship an emergency update on Tuesday to fix at least one critical security hole present in the latest version of Adobe Reader for Windows, Mac and Linux systems.

Adobe said the update will fix a flaw that researcher Charlie Miller revealed (PDF!) at last month’s Black Hat security conference in Las Vegas, but it hinted that the update may also include fixes for other flaws. I’ll have more on those updates when they’re released, which should coincide with one of the largest Microsoft Patch Tuesdays ever: Redmond said last week that it expects to issue at least 14 updates on Tuesday. Update, Aug. 10, 5:06 p.m. ET:Adobe won’t be releasing the Reader update until the week of Aug. 16.