Internet Security Systems - AlertCon(TM)

Spam & Phishing, A Reflection Of The Times

Posted by Dan Holden on June 26, 2009 at 4:00 PM EDT.

If you think about spam and phishing for a moment, they are not necessarily the most complex aspect of the overall threat landscape, but they are one of the most fast-paced. Spam and phishing are likely the quickest-moving part of the threat landscape, since spammers have to stay not only ahead of anti-spam technologies but also one step ahead of their targets. In the case of phishing, it's not much more than sending out a question and then waiting to see if you get a response. In recent weeks I have come to the conclusion that phishing is almost a day-to-day reflection of daily life. If you don't get your news from television or the web, you could probably get it from your email in the form of spam and phishing attempts. Let me share the most recent example, as it is extremely timely.

"It is sad to see Michael Jackson leave us. You can download 25 of his greatest hits on eMusic at no charge. Listen to the greatest musician/live performer of all time today.

www.eMusic.com/JacksonPromo "


Now if you go to the above URL it will be a non-existent link, but if you actually clicked on the URL in your email it would redirect you to a more unfriendly destination at loudafoul.info. This all leads to some nasty malware. It seems as though the spammers and malware folks out there are almost as fast as the guys selling t-shirts outside the hospital that Michael Jackson was taken to on Thursday.

Phishing has certainly changed over the last 6 months given the economic downturn, and we will review that further in the upcoming mid-year X-Force trend report. However, in some cases the standard goal of phishing, gathering information that the end user sends back, is replaced by fooling the user into opening a PDF that serves as the malware delivery mechanism; the malware then sends the information out without any further user interaction.

Below is a good example of a lure to a PDF that could serve both purposes: traditional information gathering, where the victim replies with the information, or malware delivered via the PDF, with an information-gathering trojan simply sending the data back to the originator of the e-mail.


"Dear Mr/Ms,

Due to the World Economy Recession, Motor Company, Inc undergo a statistic fall in Sales and result in a drastic financial crisis this last season.

The Government has given us the opportunity to bounce back on our feet, but unfortunately we have not achieved the fund necessary.

Therefore, we offer you the opportunity to purchase a very good Auto at 35% discount of the price. We decided to pull the sales of 1.000 cars at a very low price for us to aquire[sic] the capital needed to bounce back in business and to use this medium to increase the scale of our valued customers.

The payment shall be made in installments through the bank at 1 month after signing the contract.

The first payment for all documents necessary and lawyer is made within five work days or you have the opportunity to get 10% discount if you pay 100% payment.

We will send you: the SALES AGREEMENT between Seller and Buyer, and our payment department will contact you with the invoice to buy with confidence using our Payment Protection.

The vehicle will be delivered to your location. It will be shipped within 5 days after the payment will be cleared the bank. The shipping is free of charge and the vehicle is fully insured for damage during the transportation, inspection process and prior to the physical sale.

You will have 7 days to inspect the vehicle upon delivery. You have the option to use an independent Inspection Authority to make sure that the vehicle is as described.

If the vehicle is not as described or not passes your inspection, the vehicle will be collected and you will be fully refunded. Refund requests are processed within 3 days.

If you are interested in this offer please fill out the application form, A representative will contact you about this application within two business day."


Now attached to this email was, of course, a .pdf that isn't meant to be as friendly as the email suggests. Same ole malicious email attachment, just a new way of selling it.

Here we see another phishing scam based upon the lower employment rate. I will omit a good portion of this one and show only the more important pieces.


"A new Job Offer.

Hello How are you doing, this is a awareness to let the public know that we have a job opening for the position of Accounts Receivable/Payable Clerk.

About 90 percent of our customers prefer to pay through, Cashier Check, Poster Money Order. Based on the amount involves we have decided to open this new contract-to-hire job position for solving this problem. Your First Primary task (Collection of Payments):
 1. Payment will be issued in form of Cashier Check, check or Poster Money Order to your name and send to your address by our customers.
 2. You must be checking your email every day to know when payment has been sent or Wired by our clients.
3. Deduct 10 % which will be your percentage/pay on Payment processed.
4. Forward balance after deduction of percentage/pay to any of the offices you will be contacted to send payment to, you'll have a lot of free time doing another job, because this job is part time, you'll get good income ($1000usd weekly).

You have to contact us here(a.entoray@inmail24.com) But this job is very challenging and you should understand it. We will consider your application if you satisfy our requirements and we are sure you will be an earnest assistant till we start Running our branch office in your state. Get back to us with below information so that we can add your mailing address to our Regional database and forward it to our customers."


I'm sure many of you have either seen these same emails or many others like them. Most of the phishing attempts around the world are related to financial service organizations, and every year around tax season you will see phishing attempts posing as the IRS. These types of spam and phishing attempts aren't going to go away and aren't all that entertaining either. These legacy types of phishing emails are also easier to avoid because most people have come across them before. However, it's the more timely emails, as I've shown above, that keep spammers out in front of not only the more simplistic security solutions out there, but also fresh enough that we don't immediately view them as a threat. Moral of the story: don't be the kid that has to touch the stove to realize it's hot. Take a good look first and make sure that you aren't going to get burned.

Adobe Vulnerabilities

Posted by Mark Dowd on June 12, 2009 at 7:40 PM EDT.

Last Tuesday, Adobe released a patch addressing multiple security flaws for various components of their premier Adobe Reader product. Of these vulnerabilities, 6 of them were discovered by myself. I thought it was worth mentioning this advisory on the blog.

The vulnerabilities I uncovered were all within the JBIG2 filter of Adobe Reader. Essentially, JBIG2 is a JPEG-related encoding scheme that can be optionally used for encoding monochrome image objects within a PDF stream. After reviewing the specifications of JBIG2 streams, it was apparent to me that a JBIG2 parser could be quite easily susceptible to memory corruption-style vulnerabilities if not coded quite carefully - primarily because of the excessive manipulation of inter-related size parameters.

Vulnerabilities such as these highlight why it's important to stay up-to-date with patching in your applications. In fact, earlier this year a vulnerability in the same JBIG2 component was discovered in the wild. The vulnerability was being exploited to install a backdoor on vulnerable installations of Adobe Reader, which was all of them at the time, since the bug had not been reported to the vendor. Therefore, by performing analysis such as this, we intend to help minimize the risk of such malware outbreaks in the future by finding and reporting bugs before they are exploited in the wild.

A VB Runtime Bug and Critical Section Lock Exploitation

Posted by Robert Freeman on June 09, 2009 at 6:21 PM EDT.

A significant number of applications are written in the Visual Basic (VB) language because it is easy to write and even if you haven’t been looking closely enough at the applications you’ve installed over time, the chances are that some of them have been VB applications. They’re ubiquitous and with them come the VB runtime libraries that provide functionality to the applications they are bundled with. In short, you are likely to have these libraries.

Since late last year, several VB Runtime ActiveX controls have been patched and/or have received killbits (to disable loading in Internet Explorer). Today, the MSCOMM32.OCX library from the VB6 runtime received a killbit for a bug I disclosed last year. Interestingly, this bug pertains to a heap overflow opportunity in a class object allowing a critical section lock overwrite. Critical section locks are common synchronization objects that also happen to be added at compile time to most class objects when compiling with Visual C++. This is an interesting exploitation vector because there’s little public research on critical section lock exploitation, and abusing it will not be useful without something crafty it can influence. Nicholas Falliere produced the earliest public research I could find on the subject back in 2005. His paper notes various constraints which are troublesome in the context of a web browser. Given that Data Execution Prevention (DEP) under Vista can be a real pain (and also in Server 2003, etc.), it seemed like an interesting project to undertake--the goal being reliable exploitation of the ActiveX control bug in both XP and Vista by leveraging the critical section lock pointer. The result is that I’ve come up with a few crafty approaches that work even under IE8 (and maybe some other browsers), and hopefully you will read about them in a future whitepaper. I will point out that the BlackHat ’08 talk by Alex Sotirov and my colleague Mark Dowd is a good starting point for anyone looking to research this exploitation vector.

Conficker SQL Injection connection or coincidence?

Posted by Jennifer Szkatulski, John Kuhn, and Ryan McNulty on June 08, 2009 at 1:16 PM EDT.

Even though the would-be juggernaut called Conficker has left us a bit underwhelmed, perhaps we shouldn’t count it out just yet.  Conficker may actually have some tricks up its sleeve.  Once the Conficker hype settled down, it became clear that the elaborate botnet was assembled to simply make money.  Initial reports stated that the botnet was used to install the trojan/worm Waledac, scareware and fake antivirus software.  All of these updates generate revenue for the botmaster of Conficker, through pay per install or “leasing” the botnet to other criminals.  It was baffling to some why the botnet that could have been so much more resulted in such payloads.  While effective and profitable, we just expected more drama.  More intrigue.  More of the ingenuity we saw in the sophistication, encryption, and technology used to create and spread Conficker itself.  Among the theories bandied about, researchers speculated that Conficker would be responsible for cyberwarfare, mass identity theft, DDoS, the creation of Skynet, and the end of life as we know it.  As time passed, however, no evidence of this has surfaced.  Although I have heard that Conficker is responsible for bringing “I’m a Celebrity…Get Me Out of Here!” to our television sets.

Thanks to the work of Mark Yason of X-Force, we are able to see a very in depth view of Conficker, from its many random probes looking for peers, to its executable data transfers.  We see and track thousands of nodes from the botnet, and look at any deviation or surrounding attacks that accompany them.  Here in the ISS/MSS Security Operations Center, our massive reach across the globe allows us a very unique opportunity to view traffic traversing the Internet and to detect emerging trends.  Recently, an interesting trend began to appear that included our old friend Conficker. 

The trend we started to see was SQL injection sourcing from the same Conficker-infected peers. The SQL statement involved is typically associated with the user-agent string “NV32ts”, often referred to as the NV32ts botnet. Currently the string includes slight variations on the following:

999999 And char(124)+(Select Cast(Count(1) as varchar(8000))+char(124) From [sysobjects] Where 1=1)>0

It appears that the attackers are simply performing reconnaissance on the web/sql database for possible direct targeted attacks. 

Is Conficker being used to perform SQL injection attacks or distribute the NV32ts bot? As of yet, we don't know for sure. Unpatched, unprotected hosts out on the Internet can naturally get infected with multiple botnets at the same time. Also, NAT devices make multiple hosts appear to come from the same source address. However, there have been reports of cases in which limited numbers of Conficker-infected nodes have been updated with other common malware, such as Waledac. So there is a possibility that a connection exists. We will continue to trend the issue and monitor any deviation, or influx in hosts sourcing the malicious SQL.

At its height, estimates credited over 9 million infections to Conficker.  With the infection numbers far lower now, it is easy to forget how much damage Conficker could cause.  However, that would be a mistake.  Conficker and other botnets have the potential to be sleeping giants.  Botmasters are in control and can always change their payloads.  What may be executing fake antivirus software today may be executing the newest 0-day exploit tomorrow.  We must never become complacent when it comes to botnets.  They are a rapidly growing trend and awareness of their existence in your network should be a raised priority for every administrator.  At any given point, they may change their directive and become what we fear.

6/8/2009: Updated contributors.

6/8/2009: Coinfection clarification.

SQL Injection Lessons from X-Force Emergency Response Service Investigations

Posted by Harlan Carvey on May 08, 2009 at 1:46 PM EDT.

The Frequency X blog has visited the topic of SQL Injection on a number of occasions; however, it is worth delving into again to emphasize exactly how much internal network access attackers can gain through vulnerable web applications. Over the past several years, SQL injection has been THE means for accessing entire infrastructures on many of the engagements that our Emergency Response Service (ERS) team has handled. 

SQL injection can be pretty simple and straightforward. Yet, through this vector, an attacker could infiltrate deep into an infrastructure and remain relatively unseen. What many database administrators don’t understand is that SQL injection doesn’t merely allow the attacker to manipulate the data in a web application’s underlying database – it can provide direct access to the operating system that database is running on. Using features like xp_cmdshell in Microsoft SQL Server, SQL injection can be leveraged to run DOS shell commands against the underlying operating system of the SQL Server at the same privilege level as the database application, which is most often SYSTEM level.

Very often, while examining the logs, you'll see the attacker perform recon, using 'dir' and 'type' commands to examine the contents of the local disk, and then using 'ipconfig' and 'ping' to check network connectivity.  From there, the attacker then uses variations of the 'net' command to add a user to the system (or domain) and to locate other systems on the network running either SQL Server or MSDE. 

The means of getting malware on a system is equally simple and straightforward.  ERS has seen indications of the use of TFTP to download files to a system.  Another favorite tactic is to use SQL injection to create an FTP script file, and then run the FTP command line client against it. Some administrators may not realize there is an FTP client on Windows systems by default or may not be familiar with what an FTP script is or looks like.  Once the malware is on a system, the attacker is able to execute it remotely through the use of SQL injection.  Some of what's been done has been to download wget.exe to systems so that additional files can be downloaded to the system (and executed); the use of this tool leaves some tell-tale and interesting artifacts. 

In some incidents, we’ve seen SQL injection used to load 512 byte chunks of an executable file into tables in a database.  The intruder then has the database reassemble the chunks, in order, to a file on the system itself, which can then be executed through numerous different means including the creation of a new stored procedure. Sometimes this technique is used when xp_cmdshell has been properly locked down by the database administrator, although in other cases this is simply an efficient means to load malware into a network through a SQL injection vulnerability.
 
As database servers are often considered to be well protected, they may have access to internal networks with sensitive information on them. Once the attacker controls the database machine, it is used as a gateway to probe deeper into the victim’s infrastructure. Jumping from system to system is relatively simple with SQL injection: locating other systems on the network running database software (i.e., MS SQL Server or MSDE) is relatively straightforward, particularly if SQL traffic is allowed through the firewall between database servers.

In many incidents, ERS has seen that once malware is loaded on a system and executed, SQL injection to that particular system stops. The malware provides attackers with remote access to the desktop of the database server, by reaching out of the infrastructure on port 80.  You can often tell that the attacker then had access to the system via the Windows Explorer shell by various artifacts left on the system.  Running at SYSTEM level privileges, attackers can and have installed sniffers, specific tools to collect passwords, and even run searches across the network using the MS search capability.

Around the time that the media was reporting on the use of SQL injection to add malicious JavaScript to the database, and by extension, the Web site, the SQL injection attacks ERS was seeing were increasing in sophistication, in that the attackers were obfuscating their SQL injection commands through the use of hexadecimal or character set encoding.  ERS located the SQL injection commands and wrote decoders so that they could see what was going on.
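As an added example (not ERS's own decoder; the log lines and payloads are constructed), here is a small decoder that peels the hexadecimal and CHAR() encoding described here off the cs-uri-query field of W3C-format web logs and flags the xp_cmdshell, recon and 'net' activity this post describes, along with the sysobjects probe and NV32ts user-agent from the Conficker post above:

```python
"""Decode hex/CHAR()-obfuscated SQL injection in IIS W3C logs (added example; samples are constructed)."""
import re
from urllib.parse import unquote_plus

HEX_RE = re.compile(r"0x((?:[0-9A-Fa-f]{2}){2,})")    # CAST(0x... AS VARCHAR) wrappers
# char(100)+char(105)+... runs; the lookbehind stops VARCHAR(4000) matching as CHAR(4000)
CHAR_RUN_RE = re.compile(r"(?<![A-Za-z])(?:char\(\d+\)\s*\+\s*)*char\(\d+\)", re.I)
CHAR_NUM_RE = re.compile(r"(?<![A-Za-z])char\((\d+)\)", re.I)
# Indicators the post names: xp_cmdshell, disk/network recon, 'net' enumeration, FTP/TFTP staging, sysobjects probe
INDICATORS = {
    "xp_cmdshell": re.compile(r"xp_cmdshell", re.I),
    "os-recon": re.compile(r"\b(dir|type|ipconfig|ping)(?=[\s'])", re.I),
    "net-command": re.compile(r"\bnet\s+(user|view|group|localgroup)\b", re.I),
    "file-staging": re.compile(r"\b(tftp|ftp)\b", re.I),
    "schema-probe": re.compile(r"sysobjects", re.I),
}

def decode_hex(s):
    """Replace 0x... literals with the text they encode (UTF-16LE for NVARCHAR casts)."""
    def repl(m):
        raw = bytes.fromhex(m.group(1))
        return raw.decode("utf-16-le" if raw[1:2] == b"\x00" else "latin-1", "replace")
    return HEX_RE.sub(repl, s)

def decode_char(s):
    """Collapse char(n)+char(m)+... concatenations into the string they build."""
    def repl(m):
        codes = [int(n) for n in CHAR_NUM_RE.findall(m.group(0))]
        return "".join(chr(c) if c < 256 else "\ufffd" for c in codes)
    return CHAR_RUN_RE.sub(repl, s)

def decode_payload(raw_query):
    """URL-decode, then peel hex/CHAR layers until the text stops changing."""
    s, nxt = "", unquote_plus(raw_query)
    while nxt != s:                                      # encodings are sometimes nested
        s, nxt = nxt, decode_char(decode_hex(nxt))
    return s

def analyze_log_line(line):
    """Return (decoded cs-uri-query, set of indicator names) for one W3C log line."""
    f = line.split()
    if len(f) < 11:
        return "", set()
    decoded = decode_payload(f[5])                       # cs-uri-query field
    hits = {name for name, rx in INDICATORS.items() if rx.search(decoded)}
    if f[9] == "NV32ts":                                 # cs(User-Agent) field
        hits.add("NV32ts-agent")
    return decoded, hits

# Constructed samples: hex-wrapped xp_cmdshell, the NV32ts sysobjects probe, a benign request.
SAMPLE_LOG = [
    "2009-05-01 10:22:13 10.0.0.5 GET /product.asp id=1;DECLARE%20@S%20VARCHAR(4000);SET%20@S="
    "CAST(0x657865632078705F636D647368656C6C202764697227%20AS%20VARCHAR(4000));EXEC(@S);-- "
    "80 - 203.0.113.7 Mozilla/4.0 200",
    "2009-05-01 10:22:19 10.0.0.5 GET /product.asp id=999999%20And%20char(124)%2B(Select%20Cast("
    "Count(1)%20as%20varchar(8000))%2Bchar(124)%20From%20[sysobjects]%20Where%201=1)>0 "
    "80 - 203.0.113.7 NV32ts 200",
    "2009-05-01 10:22:25 10.0.0.5 GET /product.asp id=42&page=2 80 - 198.51.100.2 Mozilla/4.0 200",
]
```

Feed real cs-uri-query fields through decode_payload before any keyword matching; the "os-recon" pattern is deliberately narrow (a command word followed by whitespace or a quote) so that ordinary parameters such as type=2 are not flagged.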

The bad guys are getting in and are not being detected; they're finding and taking what they want and leaving, not bothering to clean up.  Most often, ERS gets called when an outside third party calls the customer and tells them that a fraud investigation had identified them as a common point of purchase or activity; in some cases, this is months after the fact.

Developing proper web application and database security are complicated tasks that involve numerous components. Administrators should work directly with professional security consultants to develop secure applications and mitigate the SQL injection threat.

Comments or opinions expressed on this Weblog are the opinions of the authors alone. They are not necessarily reviewed in advance by anyone but the individual authors, and neither IBM Internet Security Systems nor any other party necessarily agrees with them. The views expressed by outside contributors and links to outside websites do not represent the views of IBM Internet Security Systems, its management or employees. All content on this Weblog has been made available on an “as-is” basis, and IBM Internet Security Systems shall not be liable for any direct or indirect damages arising out of use of this Weblog.