Wednesday, December 16, 2009

Adobe Acrobat 0-day Analysis

So as promised in my earlier post, I have started the analysis of the exploit, and here are some details so far. The exploit affects Adobe Reader and Acrobat 9.2 and earlier.
When the malicious PDF file is opened in Adobe Acrobat/Reader it attempts to download an executable payload.
The payload I analyzed was downloaded from hxxp://foruminspace.com/documents/dprk/
This server looks like it has been taken down a few times since about 6am EST this morning but is back up.
The executable, once downloaded, searches for and encrypts certain files and then uploads them to another server. This second server is online and its contents are publicly browsable.

Based on the number of files found on the upload server, it appears that this exploit is only being used in targeted attacks at this time; however, this may change at any point.

Adobe's patch schedule is quarterly, with security patches released as needed on the same day as Microsoft's patches. Under that patching SOP it could be January 12th before Adobe pushes out a patch.

The exploit is detected as Exploit:W32/AdobeReader.Uz
The downloader as Trojan-Dropper:W32/Agent.MRH
The dropped files as Trojan:W32/Agent.MRI, Trojan:W32/Agent.MRJ, and Rootkit:W32/Agent.MRK

At this point I would recommend using alternative PDF readers, or disabling the JavaScript option within Adobe products, as a temporary remediation.
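Since the malicious PDF relies on Adobe's JavaScript support, a defender triaging incoming documents wants a quick way to flag PDFs that carry script or launch actions before they reach a reader. The following scanner is an added example, not code from the post or from Adobe: it counts the PDF name objects that warrant a closer look (/JavaScript, /JS, /OpenAction, /Launch and friends), undoes the #xx hex escaping PDF allows inside names, and inflates FlateDecode streams so that dictionaries hidden in a compressed object stream are seen too. The sample file it scans is constructed here to show exactly that evasion: a raw grep finds no /JavaScript, but inflating the object stream does. It is a triage heuristic, not a PDF parser, and it will not see content in streams using filters other than Flate.

```python
import re
import zlib

# PDF name objects that warrant a closer look when triaging documents.
SUSPICIOUS_NAMES = (
    b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
    b"/Launch", b"/EmbeddedFile", b"/RichMedia", b"/ObjStm",
)


def _decode_hex_names(data: bytes) -> bytes:
    """Undo the #xx escaping PDF allows inside names, so /#4Aava#53cript reads as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def _inflate_streams(data: bytes) -> bytes:
    """Return the plaintext of every stream zlib can inflate (FlateDecode is the common filter)."""
    out = []
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.DOTALL):
        try:
            # decompressobj tolerates a stray byte at either end better than zlib.decompress
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-encoded, or corrupt: nothing to add
    return b"\n".join(out)


def scan_pdf(data: bytes, inflate: bool = True) -> dict:
    """Count suspicious names in the raw bytes and, if inflate is set, inside inflated streams."""
    text = data
    if inflate:
        text = text + b"\n" + _inflate_streams(data)
    text = _decode_hex_names(text)
    hits = {}
    for name in SUSPICIOUS_NAMES:
        # A name ends at the first delimiter; the lookahead stops /JS from matching /JSX.
        n = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", text))
        if n:
            hits[name.decode()] = n
    return hits


def is_suspicious(data: bytes) -> bool:
    """Triage rule: any script or launch action is enough to set the file aside for analysis."""
    hits = scan_pdf(data)
    return any(k in hits for k in ("/JavaScript", "/JS", "/Launch"))


def build_sample() -> bytes:
    """Constructed sample (not a real malicious file): the catalog's /OpenAction points at
    object 4, but object 4's dictionary lives inside a Flate-compressed object stream
    (object 5) with a hex-escaped name, so a grep of the raw file sees no /JavaScript."""
    inner = b"4 0 << /S /#4Aava#53cript /JS (app.alert('constructed sample')) >>"
    packed = zlib.compress(inner)
    parts = [
        b"%PDF-1.5\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n",
        b"5 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length %d >>\n" % len(packed),
        b"stream\n", packed, b"\nendstream endobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ]
    return b"".join(parts)


def build_benign() -> bytes:
    """Constructed benign sample with no actions at all."""
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    print("raw only  :", scan_pdf(build_sample(), inflate=False))
    print("inflated  :", scan_pdf(build_sample()))
    print("suspicious:", is_suspicious(build_sample()), is_suspicious(build_benign()))
```

Run it against a directory of attachments and anything `is_suspicious` flags goes to a sandbox rather than a user's desktop; the raw-versus-inflated comparison in the output is the point to remember when writing mail-gateway or IDS signatures, since a signature on the literal string `/JavaScript` misses the compressed case.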

http://www.adobe.com/support/security/advisories/apsa09-07.html

New Adobe Acrobat/Reader 0-day Exploits

This just came across my desk so I figured I would post a short informational piece for those of you who are using the mentioned Adobe products.
The 0-day has been active since about 2 weeks ago, judging from some of the code samplings I have seen thus far, and has now been brought to the attention of the vendor, so with that we can expect to see a patch soon, I would hope.
The exploit allows an attacker to craft a malicious PDF which, upon being opened on a vulnerable version of the Adobe software, allows the execution of arbitrary code. This may allow an attacker to take complete control of the affected system. No patch is currently available, and a proof of concept module has been added to the Metasploit framework. I will be playing with this POC module in the days to come and will have additional details at a more in-depth technical level.
Happy Patching / Updating.

Tuesday, November 10, 2009

Facebook Phishing - Can't Trust your "FRIENDS"

As I start to write this I am as comfortable as one can be in an airline seat with a laptop in front of me; I've been reflecting a little on another interesting week in information security and somewhat trying to settle into this blog writing gig. At the request of a very special reader I was conversing with regarding this somewhat interesting but now commonplace finding on Facebook, I decided to share the following.



As I was trolling Facebook earlier this week I came across a posting on a friend's page, pictured to the left. Upon seeing this posting I decided to do a little digging, as the use of shortened URLs has become the norm thanks to Twitter links. Upon clicking the link, users were redirected to what appeared to be a Facebook login page at first glance; however, looking at the browser URL, the shortened link in the original posting directs users to a site named hxxp://phasebooklogine.t35.com. This site is hosted on t35.com, a free hosting service that is quick and easy to set up.



This image shows what the login page looks like, and as you can see it's a somewhat convincing page unless you look closer. Most users would type in their credentials without thinking twice, due to what I call blind faith in what appears to be something originating from a "friend".

This site is just one example of the attack vectors currently widely dispersed across all social networking sites, primarily MySpace, Facebook, YouTube, and Twitter. This vector is of course a modified approach to your standard phishing attack. Phishing attacks usually come in the form of emails from your bank, your friend, etc., and use the same tactic of harvesting user credentials via an authentic-looking login page that in some instances does nothing after you enter your creds, and in other cases forwards you on to the legitimate site.

In the case of phasebooklogine.t35.com, upon entering any credentials the page would redirect you to one of about 5 randomized, seemingly legitimate Facebook apps.
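The tell in this case was the hostname: a brand name misspelled with sound-alike letters, buried in a label on a free hosting domain. The following is an added example, not code from the post, of how a link-checking proxy or a browser extension could score such a hostname instead of relying on a user noticing. It refangs the URL, normalizes common confusable substitutions (ph for f, 0 for o, 1 for l, and so on), then computes the edit distance between the brand and every brand-sized window of every hostname label, so "phasebooklogine" still scores against "facebook". The brand list, the free-hosting list (t35.com comes from the post) and the distance threshold are assumptions for the example; the registrable-domain guess is deliberately naive (last two labels) and would need a public suffix list in production.

```python
from urllib.parse import urlsplit

# Brand -> the registrable domain that legitimately hosts its login page (assumed list).
PROTECTED = {"facebook": "facebook.com"}

# Free/quick hosting where throwaway phishing pages tend to appear (t35.com is from the post).
FREE_HOSTING = {"t35.com"}

# Substitutions phishers use so a hostname still reads like the brand.
CONFUSABLES = (("ph", "f"), ("0", "o"), ("1", "l"), ("vv", "w"), ("rn", "m"), ("-", ""))


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(label: str) -> str:
    """Lower-case a hostname label and collapse the confusable spellings."""
    label = label.lower()
    for bad, good in CONFUSABLES:
        label = label.replace(bad, good)
    return label


def lookalike_distance(host: str, brand: str):
    """Smallest edit distance from the brand to any roughly brand-sized window of any
    hostname label, after confusable substitution. None when no label is long enough."""
    best = None
    n = len(brand)
    for label in host.split("."):
        lab = normalize(label)
        for size in (n - 1, n, n + 1):
            if size < 1 or size > len(lab):
                continue
            for i in range(len(lab) - size + 1):
                d = levenshtein(lab[i:i + size], brand)
                if best is None or d < best:
                    best = d
    return best


def classify_url(url: str, max_distance: int = 2) -> dict:
    """Verdict for a link: legitimate brand host, lookalike of a brand, or unknown."""
    host = (urlsplit(url.replace("hxxp", "http", 1)).hostname or "").lower()
    labels = host.split(".")
    registrable = ".".join(labels[-2:])  # naive: ignores multi-label public suffixes
    verdict = {"host": host, "verdict": "unknown", "free_hosting": registrable in FREE_HOSTING}
    for brand, legit in PROTECTED.items():
        if host == legit or host.endswith("." + legit):
            verdict.update(verdict="legitimate", brand=brand)
            return verdict
        d = lookalike_distance(host, brand)
        if d is not None and d <= max_distance:
            verdict.update(verdict="lookalike", brand=brand, distance=d)
            return verdict
    return verdict


if __name__ == "__main__":
    for u in ("hxxp://phasebooklogine.t35.com/login.php",
              "https://www.facebook.com/", "https://example.com/"):
        print(u, "->", classify_url(u))
```

The windowed comparison matters because phishing hostnames rarely consist of the brand alone; they pad it with words like "login" or "secure", and a whole-label distance check would pass them as unrelated. The free-hosting flag is a second, independent signal worth surfacing in the same verdict.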

Consider this part one of this Facebook analysis article, specific to posted phishing attacks; I will be writing a follow-up article with more technical details from my analysis.

Wednesday, November 4, 2009

Windows 7 Insecure OUT-OF-BOX


Microsoft has been touting the improved security and updated features of UAC (User Account Control) in Windows 7, but recent findings show that Windows 7 is no different from its older siblings in the Microsoft operating system family.
I just completed reading a report by security firm Sophos, and the report shows that out of the box, with default configuration, Windows 7 was vulnerable to 8 out of 10 viruses thrown at it by the testers at SophosLabs.

User Account Control (UAC) is a technology Microsoft introduced to its operating systems in Windows Vista. It aims to improve the security of the operating system by preventing applications from running background processes without interaction from the user. After its initial introduction in Vista it was largely criticized as annoying and, as a result, was in most cases turned off by users. The improvements Microsoft made to UAC to make it "less chatty" may have accomplished the less chatty part, but have done nothing for security.

Microsoft does acknowledge this and encourages users to install anti-virus software, which it describes as a required piece of software to aid in securing Windows workstations. In their report released Monday, the Microsoft security team reports that Vista fared better than all other Windows flavors, including Windows 7, when it comes to security: Vista SP1 infection rates were 61.9% less than XP SP3.

In conclusion, anti-virus is a must, and with a multitude of legitimate, freely available options, it's easy and strongly recommended. A recommended free AV for Windows 7 is Microsoft's own Security Essentials, which is freely available for download on their site.

*Image courtesy of SophosLabs

Tuesday, November 3, 2009

The threat of "Visual" Social Engineering


The upswing in the use of bogus codec/Flash Player/video pages has been a major factor in raising the efficiency and infection rates of malware campaigns. The use of these visual pop-ups mimicking legitimate software updates is what I am referring to as Visual Social Engineering; this same tactic is the single most effective method for many drive-by download infections, mainly the fake AV software.
Cyber criminals have successfully managed to monetize the use of visual social engineering, and as a result of its success there is no end in sight.

The latest attempt to continue monetizing the scheme comes with the release of a social engineering driven web malware exploitation kit that has surfaced on a few cybercrime related marketplaces. The main exploit modules in the kit are in the form of "Missing Flash Player", "Outdated Flash Player", "Missing Codec", and "Codec Required" modules.

These modules represent the most dominant attack vectors for self-infection malware, due to users' gullibility and the sheer quality of the actual spoof.

In one instance that I analyzed, upon clicking the video pictured, the end user was redirected to 67.228.143.62 (Email: fullhdvid@gmail.com) and then to world-news-scandels .com, where the codec was served from execfreefiles .com.
Multiple other fake codec domains are parked on the same IPs:

216.240.143.7
sunny-tube-world. com
onlysteeltube. com
fllcorp .com
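The IPs and domains above are the useful output of this kind of analysis for anyone running a network: they can be fed straight into a proxy-log sweep to find who already clicked. The following is an added example, not code from the post, that takes the indicators exactly as the post defangs them, refangs them, splits them into IP and domain sets, and runs them over a few constructed proxy log lines. The log format (epoch, client IP, destination IP, method, URL, status) is an assumption for the example; the domain match is exact-or-subdomain only, so that "fllcorp.com.example.net" and "notfllcorp.com" do not produce false positives.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Indicators from the post, written exactly as the post defangs them.
DEFANGED_IOCS = [
    "67.228.143.62", "world-news-scandels .com", "execfreefiles .com",
    "216.240.143.7", "sunny-tube-world. com", "onlysteeltube. com", "fllcorp .com",
]

# Constructed proxy log lines (assumed format: epoch src_ip dst_ip method url status).
SAMPLE_LOG = """\
1257300001.001 10.0.0.5 93.184.216.34 GET http://example.com/ 200
1257300002.002 10.0.0.5 67.228.143.62 GET http://world-news-scandels.com/watch.php 302
1257300003.003 10.0.0.7 216.240.143.7 GET http://cdn.sunny-tube-world.com/codec.exe 200
1257300004.004 10.0.0.9 198.51.100.4 GET http://fllcorp.com.example.net/ 200
1257300005.005 10.0.0.9 198.51.100.4 GET http://notfllcorp.com/ 200
""".splitlines()

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")


def refang(ioc: str) -> str:
    """Turn defanged notation ('x .com', 'x. com', 'x[.]com', 'hxxp://') back into a matchable value."""
    s = ioc.strip().lower()
    s = re.sub(r"\s*\.\s*", ".", s)
    s = s.replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"^hxxp", "http", s)
    return s


def load_iocs(defanged):
    """Split a mixed indicator list into a domain set and an IP set."""
    domains, ips = set(), set()
    for raw in defanged:
        v = refang(raw)
        try:
            ips.add(str(ip_address(v)))
        except ValueError:
            domains.add(v)
    return domains, ips


def host_matches(host: str, domains: set) -> bool:
    """Exact or subdomain match only: 'cdn.fllcorp.com' hits, 'notfllcorp.com' does not."""
    return any(host == d or host.endswith("." + d) for d in domains)


def match_proxy_log(lines, domains, ips):
    """Return one record per log line that touched a known domain or destination IP."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparseable line; a real sweep would count these
        host = (urlsplit(m["url"]).hostname or "").lower()
        reasons = []
        if host_matches(host, domains):
            reasons.append("domain:" + host)
        if m["dst"] in ips:
            reasons.append("ip:" + m["dst"])
        if reasons:
            hits.append({"src": m["src"], "url": m["url"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    doms, addrs = load_iocs(DEFANGED_IOCS)
    for hit in match_proxy_log(SAMPLE_LOG, doms, addrs):
        print(hit)
```

Matching on the destination IP as well as the hostname is what catches the parked-domain case the post describes: a new fake codec domain on 216.240.143.7 is flagged before anyone has added its name to the list.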

In conclusion, thanks for reading my first blog post. Research will continue, and the final word is: verify before you click...