Computerworld weekly threat wrap-up
- 14 April, 2010 10:44
Welcome to Computerworld's weekly threat wrap-up, your one-stop-shop for the most prevalent malware and vulnerabilities in common applications and operating systems discovered by researchers. This list will expand over time to include proof-of-concept exploits, and some less prevalent but ingenious viruses, Trojans and worms. We welcome all suggestions.
|Researcher||threat name||threat type||% infected||infections counted|
|McAfee Australia||Generic!atr||Trojan||10%||175 computers|
Page BreakNext: Top vulnerabilities for April
|Title||QualysID||CVE Reference||Ext. Reference|
|Adobe Flash Player Multiple Vulnerabilities||115593||CVE-2007-2022||APSB07-12|
|Adobe Flash Player Update Available to Address Security Vulnerabilities||116244||
|Adobe Acrobat and Adobe Reader Multiple Vulnerabilities||115847||
|APSA09-02 and APSB09-06|
|Sun Java Multiple Vulnerabilities||116174||CVE-2008-2086||244988 and others|
|Microsoft Office PowerPoint Could Allow Remote Code Execution||110094||
|Microsoft Excel Remote Code Execution Vulnerability||110093||
|Sev4 Microsoft Word Multiple Remote Code Execution Vulnerabilities||110092||
|WordPad and Office Text Converters Remote Code Execution Vulnerability||90474||
|Vulnerabilities in Microsoft DirectShow Could Allow Remote Code Execution||90503||
|Bulletin||Most likely attack vector||Max Bulletin Severity||Max Exploit-ability Index||Likely first 30 days impact||Platform mitigations and key notes|
|Victim browses to a malicious webpage.||Critical||1||Likely to see reliable exploit code developed||Windows Vista, Windows Server 2008, and Windows 7 not affected|
|Victim browses to a malicious webpage or opens a malicious AVI movie.||Critical||1||Likely to see reliable exploit code developed||Windows 7 codec is not vulnerable.|
|Victim double-clicks a malicious EXE or allows malicious content to run because content claims to be signed by a trusted publisher.||Critical||2||Likely to see effective proof-of-concept code released to downgrade Authenticode checks from v2 down to v1. Authenticode v1 is a weaker algorithm. To reach code execution, attackers will need to find an Authenticode v1 bypass.||Microsoft Update and Windows Update clients not directly vulnerable to this threat.|
|Attacker hosts malicious SMB server within enterprise network. Attacker lures victim to click on a link that causes victim to initiate an SMB connection to the malicious SMB server.||Critical||2||Proof-of-concept code already exists for denial-of-service vulnerability. May see unreliable exploit code developed for other client-side SMB vulnerabilities that most often results in denial-of-service.||Egress filtering at most corporations will limit exposure to attacker within enterprise network.|
Several issues with differing exploitability. Please see SRD blog for more information.
|Victim browses to a malicious webpage and is tricked into clicking F1 on a VBScript messagebox.||Important||1||Public exploit code exists for code execution after a user presses F1. Have not heard reports of real-world attacks yet, despite public exploit code.||Vulnerability not reachable on Windows 7, Windows Server 2008, and Windows Vista by default. Bulletin rated defense-in-depth for those platforms.|
Windows Server 2003 not vulnerable by default due to Enhanced Security Configuration.
(Windows Media Services)
|If a victim Windows 2000 machine has enabled Windows Media Services, an attacker can send network-based attack over port 1755 (TCP or UDP).||Critical||1||Likely to see reliable exploit code developed.||Only Windows 2000 is affected.|
|Attacker able to run code locally on a machine exploits a vulnerability to run code at a higher privilege level.||Important||1||Likely to see reliable exploit code developed for one or more of these eight vulnerabilities.||SRD blog post explaining the Windows registry link vulnerabilities.|
|Attacker causes SMTP Service running on 64-bit Windows Server 2003 to crash by initiating a DNS lookup handled by a malicious DNS server.||Important||n/a||No chance for code execution. May see proof-of-concept code that crashes SMTP Service but not for Exchange.||Exchange Server not directly affected by denial-of-service vulnerability because vulnerable versions never shipped as 64-bit application. Security update applies to 32-bit Exchange Server to add additional DNS protections.|
|Victim opens malicious .VSD file||Important||1||Visio exploits not often seen in the wild. Unsure whether we will see exploit released.||Visio not installed by default with most Office installations.|
|Victim opens malicious .PUB file||Important||1||Publisher exploits not often seen in the wild. Unsure whether we will see exploit released.|
|Attacker spoofs own source address by encapsulating iPv6 attack packet inside IPv4 wrapper. This may allow attacker to reach IPv6 destination that otherwise would be blocked.||Moderate||n/a||May see proof-of-concept released publicly.|
Next: Comment from the vendors
Comment from the vendors
The Indian Premier League 2010 is a huge attraction for the cricket-crazy population in India. These matches are packed with all the ingredients to entertain, and are capable of satisfying viewers’ hunger for more and more cricket matches. People are ready to buy tickets in all possible ways just to watch their local and international cricket stars play. Symantec was anticipating a spamming campaign against ticket sales during the initial period of the sporting extravaganza; however, it is just halfway through the event and still not too late to lure email users with offers related to IPL tickets.
Symantec has now come across few spam samples that offer free tickets/passes to the recipients. In return, users need to register on a website. After registering with this website, spammers claim that users may receive a free IPL ticket through a lucky draw.
An interesting and unknown feature used by sysadmins around the world in some large corporate networks is the use of proxy-auto config (pac) files. This benign feature is accepted by all modern browsers and is described in detail here. It contains a function to redirect your connection to a specific proxy server.
Unfortunately this simple and smart proxy technique are (sic) being largely used by brazilian malware writers to redirect infected users to malicious hosts serving phishing pages of financial institutions. A .pac script URL is configured in the browser, in the field “Use automatic configuration script”.
After being infected by a Trojan banker, if a user tries to access some of the websites listed in the script, they will be redirected to a phishing domain hosted at the malicious proxy server.
A lot of the Brazilian malware is using this trick nowadays. Not only Internet Explorer users are affected, but also users of Firefox and Chrome. The malware changes the file prefs.js, inserting the malicious proxy in it.
And finally to make sure the malicious proxy will be not removed by the user, a malicious DLL is inserted on initialization by rundll32.exe to always rewrite the proxy, if removed.
Earthquakes, Lawsuits Spam, Kids’ Choice Awards, Moscow bombings, Adobe Spoofs and IM attacks [There is a] rising popularity among hackers to exploit public interest in natural occurrences, disasters and social events. These days, our instinct is to use the Internet to direct us to the latest news on worldwide events, however, it’s becoming clear that cybercriminals will target and take advantage of this interest and curiosity for malicious gains in every way possible. Users should be wary of sophisticated tricks linking to familiar software like Adobe Acrobat, and on high alert for attacks via instant-messenger applications which are increasingly popular. We also recommend particular vigilance around periods of heightened attack, for example when youth-targeted events occur.