InfoSec News

Brand-new laptop and desktop computers sold in China contain preinstalled malicious software, which has infected millions of computers around the world, according to an investigation by Microsoft revealed on Thursday.
Attackers have been using Rich Text Format (RTF) files to carry exploits targeting vulnerabilities in Microsoft Office and other products. We documented one such incident in June 2009 (details.rtf). In a more recent example, the CVE-2012-0158 vulnerability was present in ActiveX controls within MSCOMCTL.OCX, which could be activated using Microsoft Office and other applications. McAfee described one such exploit, which appeared in the wild in April 2012:

In the malicious RTF, a vulnerable OLE file is embedded with \object and \objocx tags. ...Upon opening a crafted file with the vulnerable application, as in other document exploit files, we see an innocent file posing as bait, while in the background, the Trojan files are installed.

How might you analyze a suspicious RTF file, perhaps delivered to you or your users as an email attachment? RTFScan, now available as part of Frank Boldewin's OfficeMalScanner toolkit, can examine RTF files and assist in extracting embedded artifacts.
Consider the details.rtf file, which contained an embedded PE executable without any obfuscation. In an earlier diary we demonstrated a technique for extracting the PE executable from this file with the help of sed, Perl, hexdump and dd. RTFScan makes the task easier:

RTFScan automatically located the embedded PE file and extracted it.
Consider the more sophisticated example that took advantage of the CVE-2012-0158 vulnerability mentioned above. In one such incident, a file named 6TH WPCT Action Plan from Environment Group.doc was delivered to victims by email as part of a targeted attack. Though the file ends with the .doc extension, it is actually an RTF file. RTFScan can scan it and identify malicious artifacts:

In this case, the malicious executable wasn't directly stored within the RTF file. Instead, the RTF file embedded an OLE object that included the attacker's shellcode. A vulnerable version of Microsoft Word could be tricked into executing the shellcode, which deobfuscated and extracted the malicious PE executable hidden within it.
RTFScan located the embedded OLE object and extracted it. Moreover, it scanned the OLE object for the patterns commonly included in shellcode, such as FS:[30] (looking for the PEB), API hashing and others. At this point, you could use another tool in the OfficeMalScanner toolkit, called MalHost-Setup, to extract the shellcode and debug it to better understand its functionality. (If you're wondering what the executable embedded into this sample does, see an overview by Byt0r.)
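As an added example (not RTFScan's code and not part of the original diary), here is a small Python triage script that does the two things described above: it decodes the hex payload of each \objdata destination inside an \object group, classifies the result as an OLE container or a bare PE image, notes whether the object was declared as an ActiveX control (\objocx), and flags the FS:[30h] PEB-lookup byte sequences that shellcode scanners look for. The sample RTF, its objclass name and the embedded blobs are constructed for the demo.

```python
"""Minimal RTF embedded-object triage (added example; not RTFScan)."""
import re
from dataclasses import dataclass, field

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")      # OLE compound file header
# x86 instruction encodings that read the PEB pointer at FS:[30h]
SHELLCODE_PATTERNS = {
    "mov eax, fs:[30h]": bytes.fromhex("64a130000000"),
    "mov eax, fs:[eax+30h]": bytes.fromhex("648b4030"),
}
# hex payload of a \*\objdata destination; it ends at the closing brace
OBJDATA_RE = re.compile(r"\\\*\\objdata\s*([0-9a-fA-F\s]*)")


@dataclass
class ObjectReport:
    index: int
    size: int
    kind: str                    # "OLE", "PE" or "unknown"
    objocx: bool                 # declared with \objocx (ActiveX control)
    shellcode_hits: list = field(default_factory=list)


def is_rtf(data: bytes) -> bool:
    """A .doc extension proves nothing; RTF begins with the {\\rtf control word."""
    return data.lstrip().startswith(b"{\\rtf")


def classify(blob: bytes) -> str:
    if blob.startswith(OLE_MAGIC):
        return "OLE"
    if blob.startswith(b"MZ"):
        return "PE"
    return "unknown"


def find_shellcode_patterns(blob: bytes) -> list:
    return [name for name, pat in SHELLCODE_PATTERNS.items() if pat in blob]


def scan_rtf(data: bytes) -> list:
    """Decode every \\objdata hex payload and report what it contains."""
    text = data.decode("latin-1")
    reports = []
    for i, m in enumerate(OBJDATA_RE.finditer(text)):
        hexdata = re.sub(r"\s+", "", m.group(1))
        blob = bytes.fromhex(hexdata[: len(hexdata) & ~1])   # drop a dangling nibble
        start = text.rfind("\\object", 0, m.start())          # enclosing \object group
        header = text[max(start, 0):m.start()]
        reports.append(ObjectReport(i, len(blob), classify(blob),
                                    "\\objocx" in header, find_shellcode_patterns(blob)))
    return reports


# Constructed sample: decoy text, an OLE object carrying a PEB-lookup stub, and a bare PE stub.
_OLE_BLOB = OLE_MAGIC + b"\x00" * 8 + SHELLCODE_PATTERNS["mov eax, fs:[30h]"] + b"\x00" * 4
_PE_BLOB = b"MZ\x90\x00" + b"\x00" * 12
SAMPLE_RTF = ("{\\rtf1\\ansi Action plan (decoy text)\\par\n"
              "{\\object\\objocx\\objw100{\\*\\objclass Sample.Control.1}"
              "{\\*\\objdata " + _OLE_BLOB.hex() + "}}\n"
              "{\\object\\objemb{\\*\\objdata\n" + _PE_BLOB.hex() + "\n}}}").encode("latin-1")

if __name__ == "__main__":
    print("RTF header present:", is_rtf(SAMPLE_RTF))
    for report in scan_rtf(SAMPLE_RTF):
        print(report)
```

The parser is deliberately minimal (one \objdata per \object, no nested-group tracking), which is enough for triage but not a substitute for a full RTF tokenizer on adversarial input.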
If this is interesting to you, take a look at the article How Malicious Code Can Run in Microsoft Office Documents.
-- Lenny Zeltser
Lenny Zeltser focuses on safeguarding customers' IT operations at NCR Corp. He also teaches how to analyze malware at SANS Institute. Lenny is active on Twitter and writes a security blog. (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
In the second major legal victory for music labels in recent weeks, the U.S. Court of Appeals for the Eighth Circuit has upheld a jury award of $222,000 against a woman accused of pirating 24 songs over a peer-to-peer file sharing network.
KEYW says Sensage will help it develop its cyber response platform.

Google Chrome for Android Prior to 18.0.1025308 Multiple Security Vulnerabilities
Intel demonstrated its wireless gigabit docking technology, with speeds of up to 7Gbps, using the unlicensed 60Ghz frequency band.
Buyers of computers running Windows RT, the Windows 8 version for ARM-based devices, will receive at no additional cost a version of Office that will become available in multiple languages between November and January.
Intel on Thursday showed off technologies for the future that are designed to improve the computing experience by extending the battery life of PCs, making devices smaller and enabling always-on communications.
Guidelines, aimed at developers and device manufacturers, support the need for more secure development practices for mobile payment acceptance.

Anticipating greater usage of Ubuntu within the enterprise, Canonical has released a significant update to its Landscape Ubuntu system management tool.
The U.S. government needs to do a better job of identifying wireless spectrum used by federal agencies that could be repurposed for commercial mobile services, several lawmakers and an auditing agency said Thursday.
Dallas law enforcement authorities have arrested self-professed Anonymous spokesman Barrett Brown in what appears to have been a dramatic raid of his apartment late Wednesday night.
Google Chrome Prior to 21.0.1180.89 Multiple Security Vulnerabilities
Google Chrome Prior to 20.0.1132.43 Multiple Security Vulnerabilities
Fortigate UTM WAF Appliance - Multiple Web Vulnerabilities
Knowledge Base EE v4.62.0 - SQL Injection Vulnerability
APPLE-SA-2012-09-12-1 iTunes 10.7
[SECURITY] [DSA 2547-1] bind9 security update
Sprint announced that the Samsung Galaxy Victory 4G LTE smartphone will go on sale Sunday for $99.99 after rebate with a two-year service agreement.
Used iPhone values dropped as much as 8% at several trade-in firms after Apple announced the new iPhone 5 and cut prices for two older models on Wednesday.
ISIS, a consortium of three wireless carriers, said Thursday that it will not launch its Near-Field Communication-based mobile payment service in Salt Lake City or Austin, Texas by the end of the summer as planned.
There's little doubt that multi-sourcing enterprise IT services. The average U.S. IT shop is working with 13.5 service providers overall, according to Gartner. But managing multiple providers remains a challenge for most IT organizations.
Apple left out near field communication technology in the new iPhone 5, a decision that one NFC backer said could be Apple's loss. But several mobile payment experts said Apple was right to wait, given the slow rollout of NFC, especially in the U.S.
A French court fined a man 150 euros (US$193) for failing to secure his Internet connection, according to a spokesman for the French High Authority for the Distribution of Works and the Protection of Rights on the Internet (Hadopi).
Adobe ColdFusion CVE-2012-2048 Local Denial of Service Vulnerability
Apache HTTP Server HTML-Injection And Information Disclosure Vulnerabilities
In a few years, instead of getting an instant text message from the boss, workers may see the chief's face pop up on the screen and start talking.
Intel used its Developer's Conference in San Francisco to unveil a desktop computer prototype that has a display that can double as a 27-inch tablet with a four-hour battery life.
The PC isn't in as great a decline as many have predicted. It's just becoming part of a new spectrum of computing, according to Intel researcher and fellow Genevieve Bell.
Google has upgraded its Chrome browser for Android devices, boosting its security framework and patching several security bugs.
Apple is one of the most secretive companies on the planet, so the Apple-Samsung trial was fascinating in that it lifted the veil of secrecy that typically shrouds Apple's operations. From marketing budgets to photos of never-before-seen iPhone prototypes, the evidence introduced at trial gave the world an unprecedented glimpse into the inner workings of Apple.
Sloppy storage of passwords should be a thing of the past with PHP 5.5, which makes secure storage as simple as possible thanks to a new password API.

Microsoft will reportedly announce an upgrade program for its next Office suite in five weeks.
In an eternal quest to become the next big thing in social media, many iOS developers have tried to do for video what Instagram has done for still photography. But this endeavor can get tiresome, and sometimes the impulse to produce high-quality results trumps the desire to generate shareable content.
Mozilla Firefox/SeaMonkey/Thunderbird CVE-2012-3972 Heap Buffer Overflow Vulnerability
WebKit Multiple Unspecified Remote Code Execution Vulnerabilities
Apple is one of only two notable vendors missing from supporting the industry standard for wireless charging. So while its new, smaller connector marks a demarcation from what it used over the past 10 years, it goes in a different direction from what other mobile products coming out today offer.
Apple won a preliminary sales ban on Motorola phones and tablets in Germany on Thursday when the regional court of Munich ruled that Motorola infringes on a touchscreen-related patent, a spokeswoman for the court said.
Researchers Juliano Rizzo and Thai Duong will present a new tool called CRIME at the upcoming Ekoparty 2012 conference in 5 days. Their tool takes advantage of a flaw in the SPDY (speedy) TLS compression protocol implementation. It allows an attacker to hijack an encrypted SSL session. It appears that for this attack to work both the website and the browser must support the SPDY protocol. Several widely used websites such as Google, Gmail and Twitter do support the SPDY protocol. Both the Firefox and Chrome browsers also support this protocol. Internet Explorer and Safari do not support SPDY and are not vulnerable.
It is recommended that you disable the use of the SPDY protocol on your HTTPS websites until the problem is addressed.

Join me in San Antonio Texas November 27th for SANS504 Hacker Techniques, Exploits and Incident Response! Register Today!!
Mark Baggett
Twitter: @MarkBaggett (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
The Ohio Department of Public Safety successfully moved its mainframe applications to a Windows-based system, and all the work was done in-house.
Managing financial information is, by far, my least favorite part of being in business for myself. Don't get me wrong, I like the money, but time tracking, invoicing, bill collection, monthly statements, and expenses--all a necessary part of the business process--require far more attention than I want to give. Which is why it's important for me to have the kind of financial business tools that make painful processes less painful--or ideally, painless.
Pakistan will block access within the country to a YouTube film trailer that mocks the Prophet Muhammad and sparked protests this week at U.S. embassies in Libya and Egypt, and in Yemen on Thursday, a spokesman for the country's telecom regulator said Thursday.
There is an interesting article that was just published by Microsoft's Digital Crimes Unit. Attackers have been infecting manufacturer supply chains to spread their evil warez. Some unnamed manufacturers have been selling products loaded with counterfeit versions of Windows software embedded with harmful malware. The article goes on to say that the malware allows criminals to steal a person's personal information to access and abuse their online services, including e-mail, social networking accounts and online bank accounts. Examples of this abuse include malware sending fake e-mails and social media posts to a victim's family, friends and co-workers to scam them out of money, sell them dangerous counterfeit drugs, and infect their computers with malware. Microsoft worked with law enforcement and began filtering traffic associated with the domain 3322.org to disrupt the botnet's communications.
The full story is here: http://blogs.technet.com/b/microsoft_blog/archive/2012/09/13/microsoft-disrupts-the-emerging-nitol-botnet-being-spread-through-an-unsecure-supply-chain.aspx

Mark Baggett
Twitter: @MarkBaggett (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
ISC BIND 9 DNS Resource Records Handling CVE-2012-4244 Remote Denial of Service Vulnerability
Sitecom Home Storage Center Multiple Security Vulnerabilities
Western Digital today announced it will begin shipping new lines of 3.5-in hard disk drives that are hermetically sealed with helium gas inside. The result: Cooler, higher capacity drives that use less power.
Amazon is making it easier for developers in some European countries to get paid for selling their apps on the Amazon Appstore, the company said in a blog post on Wednesday.
Version 10.7 of Apple's popular iTunes media player closes a large number of security holes on Windows that could lead either to application termination or arbitrary code execution while browsing the iTunes Store.

Google has updated Chrome for Android to version 18.0.1025308 to improve the browser's sandboxing capabilities. The new version also closes seven security vulnerabilities in the mobile browser.


Has antivirus outlived its value?
CSO (blog)
A story yesterday about badly-configured AV reminds me of a discussion I once had with some infosec pros who no longer use it. Is AV truly obsolete, or are we simply doing it wrong? Posted September 13, 2012 to Network Security.
PC maker Acer has allegedly canceled the launch of a new smartphone using a Chinese-developed mobile operating system because Google threatened to cancel the company's license to use the Android OS.
The University of California is suing Facebook, alleging infringement on four patents that enable Internet browsers to host embedded interactive applications.
The rumor mill nailed most of the iPhone 5 features, but that doesn't mean there aren't questions about it. Here are our answers to those questions.
The U.S. House of Representatives has voted to approve the extension by five years of a controversial law that its critics claim allows for the warrantless surveillance of electronic communications like email and phone calls of not only foreigners but U.S. citizens.
Microsoft started accepting on Wednesday requests for access to the Windows Phone SDK 8.0 Developer Preview program, the company said in a blog post.
A new version of the BlackHole exploit toolkit, popular in underground circles, has been unleashed on the net. Its unknown developers now also hire out the tool on a daily basis - "Crimeware-as-a-Service", so to speak.

OpenStack Dashboard (Horizon) CVE-2012-3540 Redirect Module Open Redirection Vulnerability
OpenStack Keystone Token Validation CVE-2012-4413 Security Bypass Vulnerability
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2012-3960 Use-After-Free Memory Corruption Vulnerability

Posted by InfoSec News on Sep 13

Forwarded from: security curmudgeon <jericho (at) attrition.org>

[Chris Nickerson, and at least three other people, are running to get
their names on the ballot for the upcoming ISC(2) board elections. Each
of them needs 500 signatures from any person that has an ISC(2)
certification and is in good standing. There has been at least one post
to ISN about these folks. I am sending this one because Nickerson
outlines *why* he wants to...

Posted by InfoSec News on Sep 13


By Sean Gallagher
Ars Technica
Sept 12 2012

A new version of the BlackHole exploit kit is now out on the web and
ready to start infecting. The developer of the toolkit, who goes by the
handle "Paunch," recently announced the availability of Blackhole 2.0,
which removes much of its trove of known and patched exploits, and
replaces them with...

Posted by InfoSec News on Sep 13


By Jennifer Baker
IDG News Service
September 12, 2012

European institutions on Wednesday beefed up cybersecurity efforts by
establishing a permanent Computer Emergency Response Team (CERT-EU).

The decision was made following a one-year test for the team, which
works closely with the internal IT security teams of the European Union...

Posted by InfoSec News on Sep 13


By Aliya Sternstein
September 12, 2012

The Homeland Security Department and a U.S. espionage satellite agency
are moving highly sensitive data to the cloud, through a project with
CIA venture funding arm In-Q-Tel and Web startup Huddle.

On Wednesday, officials with the London-based company said the effort
also involves other...

Posted by InfoSec News on Sep 13


[For those of you keeping tally at home, this is the fourth time Ankit
Fadia has been hacked this year (often by erectile dysfunction
spammers) and the eighth time total. I have to wonder who he's planning on
blaming this time for this most recent breach of security. --
http://securityerrata.org/errata/charlatan/ankit_fadia/ - WK]

Mozilla Firefox/Thunderbird/SeaMonkey CVE-2012-3963 Use-After-Free Memory Corruption Vulnerability
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2012-3964 Use-After-Free Memory Corruption Vulnerability
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2012-1975 Use-After-Free Memory Corruption Vulnerability
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2012-3962 Memory Corruption Vulnerability
Mozilla Firefox CVE-2012-3979 '__android_log_print' Remote Code Execution Vulnerability
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2012-3959 Use-After-Free Memory Corruption Vulnerability