The messaging about Conficker was extremely strong. Prior to a briefing with a Microsoft executive, reporters were given a slide deck largely void of information except for data about Conficker; Microsoft’s 126-page report had been boiled down to 16 slides. Microsoft proclaimed Conficker as “the No. 1 threat facing businesses over the past 2.5 years.” It was “detected on 1.7 million machines in the fourth quarter of 2011;” it was “detected almost 220 million times since 2009;” and there has been a 225% increase in quarterly detections since 2009, Microsoft said.
It sounds alarming, but that’s just marketing at its worst.
Conficker has no payload. There are no cybercriminals controlling it. The worm itself was designed to spread quickly to establish the infrastructure for a botnet. Once it’s installed on an infected machine it opens connections to receive instructions from a remote server. But that function has been neutralized by the Conficker Working Group, which uses the worm’s broken domain algorithm to block it from receiving data.
If Conficker isn’t a serious threat, what is? Here are a few data points to consider from the Microsoft SIR that may be more important than Microsoft’s Conficker message:
Windows exploits rise significantly: Operating System exploits, specifically targeting Microsoft Windows, skyrocketed by 100% in 2011.
Despite a security update in August 2010 addressing a publicly disclosed vulnerability in Windows Shell, attackers have been successfully targeting the flaw using malicious shortcut files. Exploits against the vulnerability and several others that were detected by Microsoft increased from 400,000 in the first quarter of 2011, to more than 800,000 in the fourth quarter of 2011. The statistics point to the Ramnit worm as the culprit targeting the flaw. It was recently detected transforming into financial malware capable of draining bank accounts.
The other Microsoft Windows flaw being targeted was a Microsoft Windows Help and Support Center vulnerability that can be targeted via a drive-by attack. It was repaired in a security update issued in July 2010.
Windows Vista infection rate higher than Windows XP: The infection rate for 32- and 64-bit editions of Windows Vista SP1 and the 64-bit edition of Windows Vista SP2 outpaced Windows XP SP3. Microsoft says attackers are targeting the newer platforms because companies are migrating to them. Infection rates for the 64-bit editions of Windows Vista and Windows 7 have increased since the first half of 2011, Microsoft said.
Microsoft said the increase is also due to detection signatures it added to its Malicious Software Removal Tool for several malware families in the second half of 2011. “Detections of these families increased significantly on all of the supported platforms after MSRT coverage was added,” the company said in its report. In addition, a security update addressing the Windows Autorun feature in Windows was issued last year and was likely a major factor in driving down the infection rate in Windows XP, the software maker said.
Adobe Reader, Acrobat attacks: While not out of control, document exploits targeting these products continue to be a favorite attack method of cybercriminals. “Exploits that affect Adobe Reader and Adobe Acrobat accounted for most document format exploits detected throughout the last four quarters.” There were nearly 1 million of them.
Researchers at vulnerability management vendor Qualys Inc. discovered this week how to reverse-engineer a Microsoft patch to perform a denial-of-service attack on a Windows DNS Server.
The researchers reverse engineered one of the two critical patches released by Microsoft in its August Patch Tuesday round of security updates. The MS11-058 update resolves two vulnerabilities in Windows DNS Server.
The research goes against Microsoft’s Exploitability Index, which gave the update a 3, meaning it was unlikely that code would surface exploiting the flaws. The index is used by patch management specialists to weigh the priority of specific patch deployments. Qualys said it is possible to accomplish the attack through a step-by-step process.
“We reverse engineered the patch to get a better understanding of the mechanism of the vulnerability and found this vulnerability can be triggered with a few easy steps,” explained Bharat Jogi, a vulnerability security engineer at Qualys, in a blog post.
Although this proof of concept demonstrates a denial of service, Jogi explains that “an attacker who successfully exploited this vulnerability could run arbitrary code in the context of the system” and those “with malicious intent may be able to get reliable code execution.”
Qualys took advantage of one of the two patches that were rated critical. This particular patch fixed two flaws in Windows DNS Server while the other fixed seven flaws in Internet Explorer.
Qualys researchers used binary-diffing of the unpatched and patched version of the files to compare and understand the changes that were made to fix the vulnerabilities. The binary-diffing tool, called TurboDiff, shows them “a list of all the functions that are identical, changed, unmatched, and those that look suspicious,” said Jogi.
Two DNS servers were needed for the proof of concept so that researchers could crash one of them and keep the other as a comparison. They found the vulnerability particularly simple to trigger, requiring only a few easy steps, and therefore recommend that administrators “apply this security update as soon as possible.”
By Ron Condon, UK Bureau Chief
Researchers at Trend Micro Inc. are warning Internet Explorer users that a workaround, which can be deployed to block a new zero-day flaw in the browser, can break the functionality of most Web pages.
Microsoft warned last week that it is investigating a new vulnerability that affects all supported versions of Internet Explorer, and could lay it open to remote code execution. The company also said it is aware of targeted attacks that are already trying to exploit the vulnerability.
The IE flaw exists due to an invalid flag reference within Internet Explorer, which can be accessed after an object has been deleted under certain conditions. The company says that in a specially crafted attack, an attempt to access the freed object can cause Internet Explorer to allow remote code execution.
Jonathan Leopando, a researcher with Trend Micro’s TrendLabs, is warning that the temporary measures advocated by Microsoft to block the flaw will cause most Web pages to load improperly in IE.
“The mitigating steps force the use of a user-specified CSS style sheet (breaking site formatting) and disabling scripting (disabling many site features),” he wrote, adding that users should also check that Data Execution Prevention (DEP) is enabled, to reduce the potential effects of any exploits.
The best way to avoid the problem, he says, is to upgrade to the beta version of IE version 9, which is not affected.
In the TrendLabs blog, Leopando said Trend Micro researchers have acquired a sample of the exploit for the vulnerability and have analyzed the threat. The main page that delivers the exploit downloads a backdoor, which in turn downloads various encrypted files which, when decrypted, contain the commands that the backdoor will perform.
“This makes exploiting the vulnerability easier, which means that attacks that target will probably become more commonplace,” he wrote.
Microsoft’s Security Development Lifecycle is officially going open source. The software giant said it plans to place its SDL documentation under a Creative Commons license.
A Creative Commons license gives anyone the ability to copy and distribute Microsoft’s SDL documentation. Companies also have the ability to change the work, adapting it so it can be applied to their own development environment. Under the license, the Microsoft SDL cannot be sold or used commercially and Microsoft needs to be credited with the work.
“This shift in licensing makes SDL content more accessible and portable, and allows software and application developers around the industry to better tailor and incorporate elements of the SDL into their own development lifecycles,” said David Ladd, principal security program manager.
Microsoft began sharing its SDL more formally with customers in 2008, when it unveiled the SDL Pro Network. Prior to that, the company informally released parts of its development processes under its Trustworthy Computing Program.
SDL materials were under an exclusive Microsoft license. The new copyright model is more flexible and could encourage developers to build upon the SDL and incorporate security and privacy into their development processes, Ladd said.
The Microsoft SDL is in its fifth version. It illustrates the way the software maker applies security to its products. The documentation gives guidance on a number of different development methodologies, including Waterfall, Spiral development and Agile development. A simplified version is also available to guide companies through implementation.
Over time, white papers, case studies and other materials will undergo license conversion, Ladd said. Microsoft’s templates and threat modeling tools will remain under the standard Microsoft license.
Security researchers reported a new Windows vulnerability that could allow attackers to gain elevated privileges on vulnerable machines.
Security research firm VUPEN Security said it confirmed the vulnerability on fully patched Windows 7 systems, and machines running Windows Server 2008 SP2, Windows Server 2003 SP2, Windows Vista SP2, and Windows XP SP3.
Microsoft is investigating “reports of a possible vulnerability in Windows Kernel,” Jerry Bryant, Microsoft group manager of response communications, said in an emailed statement. “Upon completion of the investigation, Microsoft will take appropriate actions to protect customers,” he said.
According to VUPEN, the Windows vulnerability is caused “by a buffer overflow error in the ‘CreateDIBPalette()’ function within the kernel-mode device driver ‘Win32k.sys’ when using the ‘biClrUsed’ member value of a ‘BITMAPINFOHEADER’ structure as a counter while retrieving Bitmap data from the clipboard.”
The flaw, which the company rated as a moderate risk, could be exploited by an attacker to crash a system or execute arbitrary code with kernel privileges. Security provider Secunia rated the vulnerability, which was discovered by a researcher going by the name of “Arkon,” as “less critical,” just one step above the company’s “not critical” rating.
<<<<<<<< AUG 11 UPDATE >>>>>>>>>>>>
A Microsoft spokesman said engineers have determined the Windows Kernel zero-day to be a low-level threat that will be addressed in a future security update.
The faulty update caused widespread problems for organizations across the country, including law enforcement in Kentucky and emergency rooms in Rhode Island, according to numerous reports.
In an email statement, McAfee said the problem was with a virus definition file that was released at 6 a.m. Pacific Time Wednesday. “Our initial investigation indicates that the error can result in moderate to significant issues on systems running XP Service Pack 3,” the company said.
SANS Internet Storm Center reported that systems affected by the faulty McAfee DAT file version 5958 enter a reboot loop and lose network access. McAfee has published technical details about the problem and workarounds.
McAfee said it was working to support customers impacted by the defective update, and released an updated virus definition file within hours. “We are investigating how the incorrect detection made it into our DAT files and will take measures to prevent this from reoccurring. We sincerely apologize for the inconvenience this has caused our customers,” the company said.
Microsoft issued the results of its investigation into a number of people reporting a Blue Screen of Death condition after deploying its February batch of patches, finding ties to a specific patch and malware infected machines.
Engineers at the software giant confirmed the blue screen is tied to the deployment of MS10-015, a Windows kernel patch that repairs two longstanding kernel vulnerabilities. Machines that have the blue screen condition are infected with the Alureon rootkit, a family of data stealing Trojans that allow an attacker to intercept a computer’s Internet traffic in order to steal user names, passwords and credit card data. The rootkit gives Alureon the ability to avoid detection, allowing it to perform malicious routines uninterrupted. Microsoft said it can also hide files and disk sectors.
“The restarts are the result of modifications the Alureon rootkit makes to Windows Kernel binaries, which places these systems in an unstable state,” said Mike Reavey, director of the Microsoft Security Response Center, in an MSRC blog entry. “Customers should continue to deploy this month’s security updates and make sure their systems are up-to-date with the latest anti-virus software.”
Shortly after Microsoft released its updates Feb. 9, customers began reporting sporadic machines being blue screened after deploying the patches. Patching professionals and experts from several vulnerability management vendors said few corporate deployments were reporting the condition.
Microsoft halted its automatic release of MS10-015 pending the results of its investigation. Patrick W. Barnes, an Amarillo, Texas-based computer expert, was the first to discover a rootkit infection.
Reavey further explained the cause of the blue screen:
In the particular case of Alureon, malware writers modified Windows behavior by attempting to access a specific memory location, instead of letting the operating system determine the address which usually happens when an executable is loaded. The chain of events in this case was a machine became infected, during which the malware made assumptions as to the layout of the Windows code on the machine. Subsequently MS10-015 was downloaded and installed, during which the location of Windows code changed. On the next reboot the malware code crashed attempting to call a specific address in Windows code which was no longer the intended OS function.
The only way to repair the problem, according to Reavey, is to reinstall Windows. But Reavey said a simpler solution to detect and remove Alureon is being developed and could be available in a few weeks.
Update 1/23: Microsoft has released a blog post explaining everything you need to know about Conficker/Downadup. The bottom line: Ensure that MS08-067 is installed on all machines in the environment, use up-to-date antivirus, ensure you have strong passwords for user accounts, consider disabling AutoPlay.
Security vendors from across the spectrum have warned that a stingy worm has been successfully exploiting a hole in the Microsoft Windows Server service. Known as Conficker or Downadup, the worm spreads by exploiting a remote procedure call (RPC) vulnerability.
The flaw was patched by Microsoft in October. The MS08-067 update was meant to stop the worm in its tracks. Many patching vendors say organizations apparently have been slow to deploy the update.
But that may not be the case. Symantec released data explaining which countries have had the highest worm infection rates. North America does not even rank in the top 10 countries infected by the worm. It has spread in countries where software pirating is rampant. Bootlegged versions of Microsoft Windows won’t receive the latest security updates. Is it a coincidence that the highest infection rates are in China, Russia, Argentina, Taiwan and Brazil (in that order)? China and Russia have been at the top of the list of software pirating countries for years.
So first, don’t panic. If you’re running antivirus and it’s up-to-date, you’re probably fine. Second, ensure that the MS08-067 update has been deployed. If it hasn’t been, deploy it and then do a thorough review of your patch management processes. This patch should have been deployed months ago.
In its latest round of updates, Microsoft security experts addressed the spread of the worm and how people can check to see if their machines are infected. Microsoft advises customers to scan the machine with up-to-date antivirus. The worm also blocks access to a large number of security websites listed by Microsoft.
Also, Microsoft said its Malicious Software Removal Tool completely cleans the registry elements related to the worm.
What’s all the fascination among security researchers about Conficker/Downadup? It’s not necessarily who’s infected, but how they are being infected. As Derek Brown, of TippingPoint’s DVLabs points out, the worm is an example of advanced malicious software coding. Conficker/Downadup can self-propagate by guessing a person’s weak password or it can spread by simply being passed along on someone’s portable storage device. It disables several system services and security products and then signals to its host that it is ready to download additional instructions.
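Both Conficker passages above turn on the same defensive idea: the worm’s update channel depends on a domain generation algorithm, and once the Conficker Working Group understood that algorithm it could compute the rendezvous domains in advance and block them before the bots asked for instructions. The following Python script is an added example, not code from the article or from the Working Group, and it deliberately does not use Conficker’s real algorithm: the DGA, the TLD list, the resolver log format and the IP addresses are all constructed here. It shows the three steps a defender performs: reproduce the generator, pre-compute a sinkhole list for a date range, and match resolver queries against it.

```python
import datetime
import hashlib
from typing import Iterable

# Hypothetical DGA constructed for this example. It is NOT Conficker's
# algorithm; it only reproduces the property the article relies on:
# a defender who knows the algorithm can compute every domain in advance.
TLDS = ("com", "net", "org")
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
DEMO_DAY = datetime.date(2009, 2, 1)   # arbitrary date for the demo


def dga_domains(day: datetime.date, count: int = 50) -> list[str]:
    """Return the domains a bot would try on a given day, in order."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        length = 8 + digest[0] % 5                      # 8..12 letters
        label = "".join(ALPHABET[b % 26] for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def sinkhole_list(start: datetime.date, days: int) -> set[str]:
    """Every domain the DGA will produce over `days` days from `start`.

    Pre-registering or blocking this set denies the bot its rendezvous
    points, which is what neutralised Conficker's update channel.
    """
    names: set[str] = set()
    for offset in range(days):
        names.update(dga_domains(start + datetime.timedelta(days=offset)))
    return names


def flag_queries(log_lines: Iterable[str], blocklist: set[str]) -> list[tuple[str, str]]:
    """Return (client, qname) pairs for DNS queries that hit the blocklist.

    Log format is constructed for this example: "<time> <client-ip> query <qname>".
    """
    hits: list[tuple[str, str]] = []
    for line in log_lines:
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "query":
            qname = parts[3].rstrip(".").lower()   # strip trailing dot, normalise case
            if qname in blocklist:
                hits.append((parts[1], qname))
    return hits


def demo(day: datetime.date = DEMO_DAY) -> list[tuple[str, str]]:
    """Run the checker over a constructed resolver log for one day."""
    blocklist = sinkhole_list(day, days=3)
    todays = dga_domains(day)
    sample_log = [                                       # constructed log lines
        "10:15:01 192.0.2.10 query www.example.com.",
        f"10:15:02 192.0.2.77 query {todays[0]}.",       # rendezvous attempt
        "10:15:03 192.0.2.10 query update.example.net.",
        f"10:15:04 192.0.2.77 query {todays[7].upper()}.",  # mixed case still matches
    ]
    return flag_queries(sample_log, blocklist)


if __name__ == "__main__":
    for client, name in demo():
        print(f"{client} queried DGA domain {name}")
```

The checker is deliberately a set lookup rather than a pattern match: once the generator is known, exact pre-computed names give zero false positives, whereas "random-looking label" heuristics do not. Running the same generator a few days ahead is also how the blocklist is kept current.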
Second, the group approached Microsoft and Mozilla, the two dominant browser vendors, and explained that they had a serious browser security issue they’d like to share. But first, they needed some assurances from the two vendors that they wouldn’t share what they heard with the CAs before the researchers were ready to announce their findings. So they asked Microsoft and Mozilla officials to sign non-disclosure agreements. It was a 180-degree reversal from the way that these things normally work.
In most cases, researchers who approach a vendor with a security problem are asked by the vendor to keep quiet about the vulnerability until a patch is ready. But in this instance, the researchers held the upper hand and chose not to even tell the vendors what the issue was until they had the signed NDAs in hand. Alex Sotirov, one of the researchers involved in the project, said that it took some negotiations to get Microsoft officials to agree to the NDA, but they eventually signed on. As did Mozilla.
During their presentation on Tuesday, the researchers said they were hopeful that other researchers would follow their lead. And Dino Dai Zovi, a researcher who was not part of the project but who was briefed on the team’s work, agreed. “A letter from a lawyer is usually enough to stop any researcher,” he said. “But showing up with your own lawyer changes the balance of power.”
The exploit sites we’ve seen so far drop a wide variety of malware — most commonly password stealers like new variants of game password stealers like Win32/OnLineGames and Win32/Lolyda, keyloggers like Win32/Lmir, Trojan horse applications like Win32/Helpud along with some previously unseen malware which we generically detect as Win32/SystemHijack. We fully expect the variety of malware being dropped by this exploit to broaden as the exploit code starts to circulate around the Internet underground.
This issue could impact you even if you avoid surfing questionable sites. Over the past few months, we’ve seen a surge in SQL injection attacks which enable miscreants to inject content onto trusted sites (we even blogged about the technique a few months ago). This class of attack, along with other more classical forms of website intrusion, mean that even trusted sites can end up serving malicious content causing you to get infected.
Microsoft’s Security Response Center has added more information about the attacks and workarounds to its advisory, as well.
We’ve also added additional workarounds to the advisory and updated our guidance to recommend that you evaluate implementing two of the workarounds together for the most effective protection. Specifically, we’re recommending both setting the Internet zone security setting to High and using ACLs to disable Ole32db.dll. Our research so far has shown that these two steps together provide the most effective protections for this issue.
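The SQL injection vector mentioned above is what let attackers plant exploit content on otherwise trustworthy sites, so the server-side fix matters as much as the browser workarounds. The following Python script is an added example, not code from the Microsoft post or the original article; the page table, its rows and the lookup functions are constructed here using sqlite3 in memory. It puts a string-concatenated query beside its parameterized replacement and shows, on the same crafted input, why one leaks rows and the other does not.

```python
import sqlite3

# Constructed data for this example: a hypothetical CMS table of pages.
SEED_ROWS = [
    ("home", "<p>Welcome</p>", 1),
    ("about", "<p>About us</p>", 1),
    ("draft", "<p>Unpublished draft</p>", 0),
]


def build_demo_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed pages table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (slug TEXT PRIMARY KEY, body TEXT, published INTEGER)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def fetch_page_vulnerable(conn: sqlite3.Connection, slug: str) -> list[tuple[str, str]]:
    """The pattern the MMPC post warns about: request input spliced into SQL text."""
    query = f"SELECT slug, body FROM pages WHERE slug = '{slug}' AND published = 1"
    return conn.execute(query).fetchall()


def fetch_page_safe(conn: sqlite3.Connection, slug: str) -> list[tuple[str, str]]:
    """Hardened form: the driver binds the value, so it can never become SQL syntax."""
    query = "SELECT slug, body FROM pages WHERE slug = ? AND published = 1"
    return conn.execute(query, (slug,)).fetchall()


def demo() -> dict[str, int]:
    """Compare both lookups on an ordinary slug and on a crafted one.

    With the crafted value the concatenated WHERE clause reads
    slug = 'draft' OR '1'='1' AND published = 1; because AND binds tighter
    than OR, it returns the unpublished draft plus every published page.
    The bound parameter is compared as a literal string and matches nothing.
    """
    conn = build_demo_db()
    crafted = "draft' OR '1'='1"
    return {
        "vulnerable_normal": len(fetch_page_vulnerable(conn, "home")),
        "vulnerable_crafted": len(fetch_page_vulnerable(conn, crafted)),
        "safe_normal": len(fetch_page_safe(conn, "home")),
        "safe_crafted": len(fetch_page_safe(conn, crafted)),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows} row(s)")
```

The only change between the two lookups is moving the value out of the query string and into the bind tuple; that single change is what keeps a compromised search parameter from reaching past the rows it was meant to select, and the same discipline applies to the UPDATE statements that were used to append script tags to stored page bodies.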