SecurityNowBlog - By Blue Ridge Networks  
Released:  6/30/2009 5:38:02 AM
RSS Link:  http://feeds.feedburner.com/securitynowblog
Last View 3/17/2010 8:20:06 AM
Last Refresh 3/17/2010 6:36:37 AM
Page Views 205



Description:



Security News and Information - From the enterprise to the edge.


Contents:

Zero Day Malware Attack Targeting Internet Explorer Users

Less than 2 weeks into the new year, there’s another attack that can infest your computer with malware without your knowing it.  This is the first of the year.  More coming!

More exploits attacking more vulnerabilities in Internet Explorer, as well as Firefox, Chrome, Safari, and Opera are coming in 2010.  Predicting more malware attacks is equivalent to telling Seattle residents to expect rain in 2010.  If you’re curious as to why this is so, check out this explanation:

Never Ending Vulnerabilities for Web Browsers

Microsoft reports they’ve only seen exploits in the wild that successfully attack Internet Explorer 6 (six) users.  However, various security intelligence organizations, as well as the alert Microsoft posted, indicate that pretty much every version of Internet Explorer is affected.

McAfee reported that the recently publicized attacks on Google by Chinese hackers to gain information on Chinese dissidents exploited this vulnerability.  It seems unlikely that Google would be using IE6 because organizations that do tend to be stuck with a web application they’d developed in-house that only works on IE6.  So, this goes beyond IE6 to the newer versions.

Reports indicate 30 more enterprise organizations have been targeted with this exploit.  The number of organizations targeted by these attacks will grow as more malware developers create attack code and sell it to the thousands of malware distributors.  Remember, as any industry matures, specialization breaks out.  So, the malware creators tend to make their money selling their binaries to malware distributors in the form of web kits, which are automated software tools that enable non-technical people to launch and manage malware attacks and Botnets.

What Puts You Most at Risk from These Zero Day Exploit Attacks?

Just use Internet Explorer to visit websites!  It’s not just the sordid websites; any website that you normally use.

This is because cyber criminals have been using their malware to find and infect the computers of the webmasters who maintain websites.  Webmasters, like most other people, foolishly believe that their anti-virus software would let them know if they were infected, or that their computer would suddenly slow down and behave oddly.  Organizations should require webmasters to re-image their computers twice a year or more, unless they’re willing to get security software that stops zero-day malware attacks.

To those visiting this blog for the first time who are unfamiliar with the term zero-day: if your computer protection requires ‘virus definition files’ or signature updates, consider yourself unprotected!  There are loads of blog posts here on the subject.

Some Attack Details on CVE-2010-0249 (or Microsoft Knowledge Base Article 979352)

From Microsoft, “The vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.”  In short, when an Internet Explorer user visits a compromised website they become a victim of a drive-by download attack that drops an executable somewhere in user-space.  This temporary executable launches and assesses your computer: what operating system, the user’s login privileges, installed security software, etc.  It then downloads and installs the permanent malware ideal for your computer.  As most cyber criminals do not create their own malware any more but instead buy it from professionals, if you get hit with a zero-day drive-by download attack like this, you won’t notice a thing before, during, or after.  In other words, your computer won’t slow down.  That happens when your computer has multiple infections.

Microsoft has already updated their alert page on this exploit and will likely do so again.  As of January 15, there were no practical precautions one could take to avoid one of these attacks.

What Can You Do to Protect Yourself and others from these Zero Day Attacks?

Install some zero-day protection software!

Blue Ridge offers software for consumers and organizations that would stop these and other zero-day drive-by download attacks, and more.  Consumers should get AppGuard, which can be tried for free for 30 days.  Organizations should investigate AppGuard Enterprise.  These products recently won “Best Anti-Malware Product” from GSN’s Homeland Security Awards.  Those that need to lock down and audit the computers in their organization might look at EdgeGuard, which includes the protections of AppGuard as well as the controls and audit capabilities an enterprise needs to plug data leaks and curb insider theft risks.




November Patch Tuesday, Same Dance, Different Music

Microsoft and Adobe have released important security patches that correct vulnerabilities (i.e., programming mistakes) that could be exploited to do serious harm to an individual or organization.  There are no known exploits of the Adobe vulnerability but the Microsoft ones are sure to be exploited.

Microsoft on its November 2009 Security Patches

MS09-063 / CVE-2009-2512

Web Services on Devices API Memory Corruption

Microsoft Exploitability Index Assessment: Inconsistent exploit code likely

Affected Computers: Windows Vista

Vulnerability: The vulnerability could allow remote code execution if an affected Windows system receives a specially crafted packet. Only attacks on the local subnet would be able to exploit this vulnerability.

Blue Ridge on Protection: Though an unlikely attack vector, AppGuard or EdgeGuard would block such attacks that launch from user-space while drive-by download attack protection is enabled. This Microsoft patch should be implemented as soon as practical.

MS09-064/ CVE-2009-2523

License Logging Server Heap Overflow

Microsoft Exploitability Index Assessment: Inconsistent exploit code likely

Affected Computers: Windows 2000, Service Pack 4

Vulnerability: The vulnerability could allow remote code execution if an attacker sent a specially crafted network message to a computer running the License Logging Server. An attacker who successfully exploited this vulnerability could take complete control of the system.

Blue Ridge on Protection: Neither AppGuard nor EdgeGuard officially support Windows 2000.

MS09-065

CVE-2009-1127, Win32k Null Pointer Dereferencing Vulnerability

CVE-2009-2513, Win32k Insufficient Data Validation Vulnerability

CVE-2009-2514, Win32k EOT Parsing Vulnerability

Microsoft Exploitability Index Assessment: Inconsistent exploit code likely: CVE-2009-1127; Consistent exploit code likely: CVE-2009-2513, CVE-2009-2514

Affected Computers: Windows XP SP2, Windows Vista, and others; Windows 7 is unaffected

Vulnerability:

CVE-2009-1127. An elevation of privilege vulnerability exists because the Windows kernel does not properly validate an argument passed to a Windows kernel system call. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

CVE-2009-2513. A remote code execution vulnerability exists in the Windows kernel-mode drivers due to the improper parsing of font code when building a table of directory entries. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

CVE-2009-2514. A remote code execution vulnerability exists in the Windows kernel-mode drivers due to the improper parsing of font code when building a table of directory entries. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Blue Ridge on Protection:

CVE-2009-1127. AppGuard or EdgeGuard would block such attacks that launch from user-space while drive-by download attack protection is enabled. Should such an attack elevate a guarded application to run with kernel mode privileges, AppGuard or EdgeGuard protection would not be degraded. This Microsoft patch should be implemented as soon as practical.

CVE-2009-2513. AppGuard or EdgeGuard would block such attacks that launch from user-space while drive-by download attack protection is enabled. This Microsoft patch should be implemented as soon as practical.

CVE-2009-2514. AppGuard or EdgeGuard would block such attacks. This Microsoft patch should be implemented as soon as practical.

MS09-066/ CVE-2009-1928

LSASS Recursive Stack Overflow Vulnerability

Microsoft Exploitability Index Assessment: Functioning exploit code unlikely

Affected Computers: Windows XP SP 2/3, but Windows Vista/7 are unaffected

Vulnerability: This is just a denial of service vulnerability and of little practical value to cyber criminals.

Blue Ridge on Protection: Irrelevant. Low priority patch.

MS09-067

CVE-2009-3127, Excel Cache Memory Corruption Vulnerability

CVE-2009-3128, Excel SxView Memory Corruption Vulnerability

CVE-2009-3129, Excel Featheader Record Memory Corruption Vulnerability

CVE-2009-3130, Excel Document Parsing Heap Overflow Vulnerability

CVE-2009-3131, Excel Formula Parsing Memory Corruption Vulnerability

CVE-2009-3132, Excel Index Parsing Vulnerability

CVE-2009-3133, Excel Document Parsing Memory Corruption Vulnerability

CVE-2009-3134, Excel Field Sanitization Vulnerability

Microsoft Exploitability Index Assessment:
Inconsistent exploit code likely: CVE-2009-3127, CVE-2009-3128, CVE-2009-3132, CVE-2009-3133, CVE-2009-3134
Consistent exploit code likely: CVE-2009-3129, CVE-2009-3130, CVE-2009-3131

Affected Computers: Microsoft Office XP SP 3, Office 2003 SP 3, Office 2007 SP 1/2

Vulnerability:

CVE-2009-3127. A remote code execution vulnerability exists in the way that Microsoft Office Excel handles specially crafted Excel files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

CVE-2009-3128. A remote code execution vulnerability exists in the way Microsoft Office Excel handles specially crafted Excel files that include a malformed record object. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

CVE-2009-3129. A remote code execution vulnerability exists in the way that Microsoft Office Excel handles specially crafted Excel files that include a malformed record object. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

CVE-2009-3130. A remote code execution vulnerability exists in the way Microsoft Office Excel handles specially crafted Excel files with malformed BIFF records. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

CVE-2009-3131. A remote code execution vulnerability exists in the way that Microsoft Office Excel parses documents containing a specially crafted formula embedded inside a cell. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights in the context of the currently logged on user.

CVE-2009-3132. A remote code execution vulnerability exists in Microsoft Office Excel as a result of pointer corruption when loading Excel formulas. The vulnerability could allow remote code execution if a user opens a specially crafted Excel file that includes a malformed formula. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

CVE-2009-3133. A remote code execution vulnerability exists in Microsoft Office Excel as a result of memory corruption when loading Excel records. The vulnerability could allow remote code execution if a user opens a specially crafted Excel file that includes a malformed object. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

CVE-2009-3134. A remote code execution vulnerability exists in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file that includes a malformed record object. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Blue Ridge on Protection: AppGuard or EdgeGuard would protect computers from attacks attempting to exploit any of these vulnerabilities: CVE-2009-3127, CVE-2009-3128, CVE-2009-3129, CVE-2009-3130, CVE-2009-3131, CVE-2009-3132, CVE-2009-3133, and CVE-2009-3134.

Simply put: any such attack would either seek to spawn a malicious executable in user-space, which would fail to launch because of drive-by download attack protection, or the attack would attempt to place a malicious executable elsewhere, which would be blocked because AppGuard and EdgeGuard do not allow ‘guarded’ applications to write elsewhere.

MS09-068 / CVE-2009-3135

Microsoft Office Word File Information Memory Corruption Vulnerability

Microsoft Exploitability Index Assessment: Consistent exploit code likely

Affected Computers: Microsoft Office 2007 SP 1/2, Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1 and Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2, Microsoft Works 8.5, Microsoft Works 9

Vulnerability: The vulnerability could allow remote code execution if a user opens a specially crafted Word file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Blue Ridge on Protection: AppGuard or EdgeGuard would block these attacks without additional configuration.

Adobe on its November 2009 Security Patches

CVE-2009-3489, APSB09-17

Potential Photoshop Elements Privilege Escalation Vulnerability

Affected Computers: Photoshop Elements 8.0, Photoshop Elements 7.0

Vulnerability: A moderate vulnerability has been identified in Adobe Photoshop Elements versions 8.0 and 7.0. The vulnerability could allow a user with valid login credentials and/or physical access, who successfully exploits the vulnerability, to execute arbitrary commands with elevated privileges. Adobe is not aware of any exploits in the wild for the issue.

Blue Ridge on Protection: AppGuard or EdgeGuard would block an attack that attempted to exploit this vulnerability without any additional configuration. Users should make certain that Photoshop Elements has been added to the ‘Guard List’. This patch should be implemented when doing so is convenient.

Related Articles:

SANS: Client-Side Software Vulnerabilities Are Highest Priority But Most Neglected Risk

Why Should UnPatched PC Software Concern You?




Attention Facebook Users: Beware of Password Reset Emails

Facebook users are receiving emails that pretend to be from Facebook, informing them that their password has been changed.  They are asked to open the email attachment to see their new password.  Opening the attached zip file results in their computers becoming silently malware infested and part of a Botnet.  Traditional anti-virus/spyware protection will NOT stop these attacks, but new types of security software would.

“Because of the measures taken to provide safety to our clients, your password has been changed.  You can find your new password in attached document”

Security vendor Websense reports they have observed over 350,000 of these email messages (spear phishing attacks).  It’s only a matter of time until the millions of other Facebook users receive one.

As of 27 October 2009, only 14 out of 41 anti-virus/spyware products detected this attack (per Virus Total, reported by MX Lab).

When Facebook users open the email attachment, short-lived malware connects to two servers and downloads additional files (Pushdo, also known as Cutwail).  Once Pushdo is installed and running, it sends out more of these email spear phishing attacks to other Facebook users.  This Trojan is also known as a new Bredolab variant.

This is a clever piece of malware.  It tries to elude security researchers and personal firewalls that restrict outbound PC communications by injecting its own code into legitimate processes, svchost.exe and explorer.exe.  If it detects virtualization or honeypot characteristics within a host, it goes dormant to thwart the AV vendor consortium from quickly generating detection signatures.

The Trojan creates several files (%AppData%\wiaservg.log, %windir%\temp\wpv861256600826.exe, and %Programs%\Startup\isqsys32.exe).  It also launches two processes: a svchost.exe and something called isqsys32.exe.
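As an added illustration (not code from the post or from Blue Ridge), here is a small Python triage helper that checks a process listing and a file inventory for the artifacts named above: the dropped files, the isqsys32.exe process, and any svchost.exe running from outside System32. The sample host data, the environment-variable values and the %Programs% mapping are constructed assumptions.

```python
import ntpath
import re

# Artifacts the post attributes to this Bredolab/Pushdo variant; %VAR% tokens
# are left unexpanded so the check can run against any host's inventory.
TROJAN_FILE_ARTIFACTS = [
    r"%AppData%\wiaservg.log",
    r"%windir%\temp\wpv861256600826.exe",
    r"%Programs%\Startup\isqsys32.exe",
]
TROJAN_PROCESS_NAMES = {"isqsys32.exe"}
# Assumption: default install, so the only legitimate svchost.exe lives here.
SVCHOST_LEGIT_DIR = r"%windir%\System32"

def expand(path, env):
    """Expand %VAR% tokens from env (case-insensitive); unknown tokens stay as-is."""
    lower_env = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lower_env.get(m.group(1).lower(), m.group(0)), path)

def triage(processes, existing_files, env):
    """Match a (name, full_path) process list and a file inventory against the
    artifacts above; returns a list of (kind, path) findings."""
    findings = []
    present = {p.lower() for p in existing_files}
    for art in TROJAN_FILE_ARTIFACTS:
        full = expand(art, env).lower()
        if full in present:
            findings.append(("file_artifact", full))
    legit_dir = expand(SVCHOST_LEGIT_DIR, env).lower()
    for name, path in processes:
        lname = name.lower()
        if lname in TROJAN_PROCESS_NAMES:
            findings.append(("known_malware_process", path))
        elif lname == "svchost.exe" and ntpath.dirname(path.lower()) != legit_dir:
            # svchost.exe outside System32 is a classic masquerade/injection-host sign
            findings.append(("svchost_outside_system32", path))
    return findings

# Constructed sample host data (not real telemetry); %Programs% is the post's
# own shorthand for the per-user Start Menu Programs folder.
SAMPLE_ENV = {
    "AppData": r"C:\Users\alice\AppData\Roaming",
    "windir": r"C:\Windows",
    "Programs": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs",
}
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Roaming\wiaservg.log",
    r"C:\Windows\temp\wpv861256600826.exe",
]
SAMPLE_PROCESSES = [
    ("svchost.exe", r"C:\Windows\System32\svchost.exe"),
    ("svchost.exe", r"C:\Users\alice\AppData\Local\Temp\svchost.exe"),
    ("isqsys32.exe", r"C:\Users\alice\AppData\Local\Temp\isqsys32.exe"),
]

def run_sample():
    """Triage the constructed sample: 2 file artifacts, 1 rogue svchost, 1 isqsys32."""
    return triage(SAMPLE_PROCESSES, SAMPLE_FILES, SAMPLE_ENV)
```

On a live host the process and file lists would come from a process listing and a directory walk; the environment mapping is the only host-specific input.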

What does this malware do once successfully installed?  Whatever it wants!  It may steal money from your online bank account or just silently operate as part of a Botnet.  The Botnet operators can remotely tell it to do what they want at a later time.

Consumer and Enterprise Computers Are at Risk

With Facebook users routinely accessing it from their work computers, they are placing their employer at risk.

Effective Protection from these Facebook Zero Day Trojan Attacks

Consumers with AppGuard, and organizations with either AppGuard Enterprise or EdgeGuard deployed, are protected from these attacks.  They should already have “drive-by download protection” enabled as well as have their email software guarded.

Related Articles

Botnets Inside the Gates, Every PC Must Defend Itself

Employee Owned Computers are Data Leak Risks to Employers

Business Protection from AntiVirus-Failure Caused Fraudulent Bank Transfer Losses

Today’s Spear Phishing Attacks Can Wipe Out Small Businesses in One Click



