Over the last days, we've received reports of corporate networks getting infected with various variants of MS08-067 worms. These are mostly Downadup/Conficker variants.
The malware uses server-side polymorphism and ACL modification to make network disinfection particularily difficult. A sign of infection is that user accounts gets locked out in the Active Directory domain as the worm tries to crack user's passwords using a built-in dictionary. When it fails it leads to those accounts being locked.
We have detailed information about the malware functionality in our description.
We also have a separate tool available to assist in disinfecting. The tool is available from here.
We did some co-operation recently with a company called Clarified Networks. Some of you might remember them as the guys who did the *wow* visualization of the Kaminsky DNS hole for his Black Hat presentation.
So we collected some botnet data and asked them to visualize it.
The end result is a quite nice animation. You can get more info and the actual end result from their blog at www.clarifiednetworks.com
The course curriculum is pretty much the same as it was last year and so are most of the lecturers. One notable addition will be more focus on Windows kernel malware. Kimmo Kasslin will be lecturing on the topic and there will be some homework fun on it as well.
It's online now and you can find it from our YouTube Channel.
The video highlights the symptoms experienced on exploited phones; it doesn't show how to perform the attack. The attacking phone has been kept off screen. (It isn't difficult to find the CCC video at this point.)
The "Curse of Silence" was disclosed to several telecommunications operators about seven weeks ago and we were brought into the loop a few weeks later. The timing has been a real pain in the neck for those of us in the lab. We'd rather be researching something else or enjoying a relaxed holiday than dealing with a detection for an exploit that will mostly likely be used by jealous boyfriends.
Still, it is a safe bet that the Curse will be used to harass people, so support personnel should know what to look for.
A lot of Friendster users have been complaining about receiving lots of invitations to view a fake video from their contacts (who presumably would not usually send malicious content to their friends).
Here is an example of such an invite, from a known contact:
So how are the spammers getting access to the contacts lists?
Well, as we mentioned in our earlier post, a phishing site that mimics the real Friendster site steals the user's e-mail address and password information. Once the bad guys have that information, they can use it to access the account, and then use the account to start spamming malicious links to all contacts. Simple and effective, really. Users receiving these messages from a contact are more likely to disregard caution and click on it.
This particular link leads the user to the legitimate domain, files.myopera.com, and a file named video.gif. But wait — to check the contents of the file, try using view-source (in Firefox). As it turns out, users will be redirected to a malicious, fake video site.
Of course, the new site will prompt users to "update the video player" with a certain file in order to view the video.
The file the site would like you to download is cunningly named setup.exe, we detect it as net.worm.win32.koobface.dd — a worm that, incidentally, also spreads on social interaction websites.
As usual, beware of clicking any URL links, whether from a known or unknown sender. Don't forget to change your Friendster account password regularly to avoid abuse.
An easily reproducible SMS exploit was disclosed and demonstrated today at the 25th Chaos Communication Congress (25C3). The exploit is effective against a wide range of Symbian S60 smartphones and will effectively prohibit victims from receiving SMS messages.
The Chaos Communication Congress is a popular event among international "hacker" enthusiasts. It has been organized by the Chaos Computer Club since 1984, has been held in Berlin since 1998 and typically takes place between December 27th and 30th.
Today's Security Nightmares 2009 presentation included a demonstration of the Curse of Silence exploit, which was researched by Tobias Engel of the CCC.
According to Engel's research, the exploit affects the messaging components of Nokia Series 60 phone versions 2.6, 2.8, 3.0, and 3.1. Our own tests determined that Sony Ericsson UiQ devices are vulnerable as well.
Versions 2.6, 2.8, 3.0, and 3.1 are also better known as S60 2nd Edition, Feature Pack 2; S60 2nd Edition, Feature Pack 3; S60 3rd Edition (initial release); and S60 3rd Edition, Feature Pack 1 respectively.
According to Engel's research, the vulnerable phones fall into two camps: S60 versions 2.6/3.0 (2FP2/3) and versions 2.8/3.1 (2FP3/3FP1). That's still too many numbers, so let's just select two phones.
Nokia 6680 — 2nd Edition, Feature Pack 2 Nokia N95 — 3rd Edition, Feature Pack 1.
The vulnerability is very simple to exploit via an SMS message. No special software is required and the message can be drafted from a large number of phones. The message just needs to be formatted in a particular way. (We will not provide exact details here.)
What happens when a vulnerable phone receives the exploit message?
Example 1 — on the older 6680 nothing happens. Nothing at all… The first exploit message is enough to crash the SMS messaging service. It is a completely silent attack and there are no hints of trouble presented to the victim. The phone will simply stop receiving SMS (as well as MMS) messages.
Example 2 — on the newer N95, nothing will happen until several messages have been sent by the attacker. Then, once the critical limit has been reached, the phone will prompt an alert: "Not enough memory to receive message(s). Delete some data first."
The attack messages will not be visible from the Inbox, and deleting previously received messages will not resolve the problem.
There will also be one additional notification on the N95. A blinking envelope, indicating that the Inbox is full, appears in the upper right-hand corner of the display.
Turning the N95 off and on again may return some limited functionality, but that functionality is very fragile. One multi-part message was enough to completely disable our test phone's SMS/MMS service, at which point even cycling the power did not help.
Exploited phones will remain otherwise completely functional; only the SMS/MMS messaging is affected. Practically speaking, this also means no SMS notifications of voicemail, though the phone log will display the missed call.
A firmware fix is not yet available. Performing a hard-reset is the only manual solution. And backing up the phone also backs up the exploit messages and the damaged messaging service.
Shameless self-promotion begins:
However — Engel practiced reasonable disclosure, which is why we have had time to test the exploit ourselves before today's CCC demonstration. Our Mobile Security solution will detect the exploit and can repair affected phones.
The exploit is detected as Exploit:SymbOS/SMSCurse and Mobile Security is capable of repairing exploited phones so that it will not lose any messages. Messages that have been sent while the messaging service is jammed will of course be lost.
Hopefully this exploit will not be widely used. We don't see much of a profit motive after all. Still, there were thousands of participants at this year's CCC and many of them saw the demonstration. As easy as it is to utilize the Curse of Silence, someone will surely try this for harassment…
A free seven day trial of Mobile Security can be directly download to phones from here.
We will have a video demonstration available soon. Update: Info on the video is here.
Our File Analysis Team — they collect non-malicious files — came across an interesting case yesterday. Dzul Aiman was researching available driver downloads from Acer's Taiwanese (.tw) site and discovered something out of place. Maybe the site was hacked?
The list for WindowsXP Desktop drivers…
…included "nc.exe". That's a bit suspicious, don't you think?
That's probably a "driver" that you don't want to download. (Though it was probably Net Cat, it still shouldn't be there… it's not a trusted source.)
The team e-mailed Acer and the issue seems to have been resolved promptly.
So, even those that aren't looking for trouble may still find it. Stay vigilant.
There are some new developments on the mobile security front. Spy tool applications are now available for Apple's iPhone. Symbian and Windows Mobile spy tools have been around from two and a half to almost three years.
Now it would seem that it's finally the iPhone's turn.
One of the two spy vendors appears to require a jailbroken iPhone. They also claim to be the "first and only" spy software. If only that were true. Their application can be installed on 3G model iPhones.
…and on December 21st, a second option will be available. This vendor's comparison chart claims quality and features over costs.
Note that their application lets you "secertely" spy.
It doesn't seem entirely sure based their promotional promises, but it appears that vendor number two may be able to jailbreak, install, and then un-jailbreak the iPhone during its installation. It can be installed on older iPhones as well as current.
We wonder what Apple's position on this will be; will they do anything about it? What do you think?
We won't bother providing these spy vendors with a backlink to our weblog, so if you want to see more, use the addresses in the image below.
The first link in the set is a blog, not a vendor.
A quick update to our earlier post about the recent critical vulnerability (MS08-078) in all available versions of Internet Explorer — Microsoft has released an update patch for the vulnerability. More information, including the patch, can be found here.
There have been a number of reports citing thousands of websites (both intentionally malicious and legitimate but compromised) exploiting this vulnerability. You can read more at BBC News and The Register.
Everyone is strongly encouraged to download and apply the patch without delay.
