Even though Microsoft released the biggest batch of patches ever on Tuesday–28 flaws affecting Windows, Office, Internet Explorer, Visual Basic Active Controls and Windows Media Player, 23 of them rated “critical”–there’s no fix for a zero-day XML parser vulnerability that surfaced the same day. This was first reported by Robert McMillan of IDG News and was picked up quickly by other media. According to McMillan:
In attacks, the code drops a malicious program on the victim’s PC which then goes to download malicious software from various locations.
According to a blog post by Symantec:
“The vulnerability is caused by a function that incorrectly frees a certain region of heap memory so that an attacker is able to control the EAX register with a specially crafted Unicode URL, which includes the magic “0x0A0A” value in it,” Elia Florio, a security researcher at Symantec, wrote….
Symantec released the antivirus signature Bloodhound.Exploit.219 and IPS signature 23241 – HTTP MSIE Malformed XML BO to protect users against this exploit.
I recommend that anyone using Symantec’s antivirus or IPS products immediately perform an update. Furthermore, Symantec recommends blocking the following hosts, which are apparently being used by the exploit to download and install other malware:
In its security advisory 961051, Microsoft presents the following mitigating factors:
• Protected Mode in Internet Explorer 7 and Internet Explorer 8 in Windows Vista limits the impact of the vulnerability.
• By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone.
• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
• Currently known attacks cannot exploit this issue automatically through e-mail.
Nevertheless, users should avoid using Internet Explorer and should instead use Firefox with the NoScript extension installed until Microsoft issues a patch. We may see an out-of-cycle patch on this one according to the security advisory:
We are actively investigating the vulnerability these attacks attempt to exploit. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs.
Well, since I’m forced to use IE for certain applications in my job, this customer needs a patch as quickly as possible.
If you tried to click through to the link in my December 2nd article, you probably saw this page:
Apple has taken down their notice recommending that users install multiple antivirus programs on their Mac computers. They said it was “because it was old and inaccurate.”
Could the real reason be that they can’t afford to compromise their expensive ad campaign?
SANS Editor Eugene Schultz says: “Apple needs to quit flipflopping re. whether anti-malware software needs to run on Macs. Many serious malware-related threats against Macs exist. Apple’s waffling with respect to recommending what to do about these threats is a huge disservice to the Mac user community.”
C’mon, Apple. You’ve just lost a ton of credibility with this one.
On November 25, 2008, Secunia released the first official version of its Secunia Personal Software Inspector (PSI). The program had been in beta for 17 months. From the Secunia blog:
“Though the PSI so far has been in beta, it has received a huge amount of praising words like these from ZDNet in a review of 10 essential security tools: ‘Number one is the Secunia Personal Software Inspector, quite possibly the most useful and important free application you can have running on your Windows machine’.
“Version 1.0 of the PSI is somewhat more mature and bug free (as far as we know) compared to the first version, which only ran on XP 32bit. Today, it runs on 2000, XP 32/64bit, and Vista 32/64bit.”
I’ve been using the PSI in both the online and beta versions since day one and I’m happy to report that all of my systems are 100% patched! However, Secunia’s statistics show that 98 out of 100 PCs have 1 or more insecure programs installed, so this is a tool that everyone should download and install immediately. It’s stable and it’s free, so there’s no reason not to use it.
The thing I like most about the utility–other than its obvious boost to my system’s security–is the toolbox.
Talk about handy: Every action you might need to take on a program is right there, a click away.
I have to agree with the ZDNet review–Secunia Personal Software Inspector has just been put at the top of my security utilities list.
“Apple encourages the widespread use of multiple antivirus utilities so that virus programmers have more than one application to circumvent, thus making the whole virus writing process more difficult.”
Needless to say, this is getting a lot of play in the media.
From The Register:
“Long something of a phantom menace, strains of malware capable of infecting Mac machines have gradually been increasing in prevalence over recent months. In addition, VXers are making more use of web-based attack and applications specific vulnerabilities to infect PCs whatever their underlying operating system might be.”
From the Washington Post:
“This is news to me. Just under three months ago, I asked an employee at our local Apple store whether I needed anti-virus for my MacBook, and was told not to bother, that it was not necessary. I wonder if this means Apple will stop running television ads saying Mac users don’t have to worry about malicious software?”
It had to happen sooner or later. The Mac user base may be much smaller than the PC’s, but it’s still significant and enjoyed a 38 percent market share growth, going from 6.4 percent of the market in 2007 to 8.5 percent during the second quarter of 2008. Even more significant is the little-known fact that Apple’s market share of the so-called “premium” computer market (machines that cost more than $1,000) hit a whopping 66% in the first quarter of 2008. Maybe, just maybe, people who buy “premium” stuff have more money, which can mean a bigger payday for the Internet criminals.
Just my opinion, but if you could steal a Jaguar with no more effort than it takes to steal a Chevy, which would you take?
Assuming you or your client is not already infected with Mebroot, there’s another tool you can use to easily recover in the event of an infection: MBRtool 2.3 from DIY DataRecovery.
MBRtool is a freeware DOS program designed to back up, restore, and manipulate your hard disk MBR. The latest version includes a boot disk builder that lets you create a bootable diskette or CD/DVD, making it ideal for recovering from a Mebroot infection. If you are sure the target machine is clean, or you have a clean image that you can restore, you simply use MBRtool to make a backup of the valid MBR. In the event of infection, use the boot disk to start the machine and restore the valid MBR. Bye, bye, Mebroot!
Going beyond simple recovery, you could use MBRtool to make a copy of an infected MBR and examine it, comparing its code against known Mebroot variants. But be careful: you don’t want that infected MBR to get away from you.
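If you do keep a backup of the valid MBR, you can also use it as a baseline to check for tampering without waiting for a rootkit scanner. The script below is an added example, not code from this blog or from DIY DataRecovery’s MBRtool: it parses a 512-byte MBR (boot code, partition table, 0x55AA signature) and reports whether the boot code or the partition table differs from a trusted copy. It assumes you saved a known-good MBR to a file earlier; the two sample sectors it builds are constructed inline, and their “boot code” bytes are arbitrary stand-ins, not a real bootstrap and not Mebroot.

```python
"""Parse a 512-byte MBR and diff it against a trusted baseline copy.

Added example: this is not code from the page or from DIY DataRecovery's MBRtool.
It assumes you already hold a known-good copy of the MBR (for instance the backup
MBRtool writes to its boot disk) and want to know whether the boot code or the
partition table has changed since. Both 512-byte images below are constructed
inline; their "boot code" bytes are arbitrary stand-ins, not a real bootstrap
and not Mebroot.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0-445: bootstrap code, the part an MBR rootkit replaces
PART_TABLE_OFF = 446          # bytes 446-509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511


def read_mbr(path):
    """Read the first sector of a disk image, device node, or saved backup file."""
    with open(path, "rb") as fh:
        return fh.read(MBR_SIZE)


def parse_mbr(mbr):
    """Return the SHA-256 of the boot code plus the non-empty partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected %d bytes, got %d" % (MBR_SIZE, len(mbr)))
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; this is not an MBR")
    partitions = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4), little-endian
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def compare_mbr(baseline, current):
    """List what differs between the trusted MBR and the one read from the machine.

    An MBR rootkit rewrites the boot code but leaves the partition table alone so
    the system still boots, so "boot code differs" with an unchanged table is
    exactly the pattern to look for.
    """
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if base["boot_code_sha256"] != cur["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if base["partitions"] != cur["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def build_sample_mbr(boot_code):
    """Constructed MBR with one bootable NTFS (type 0x07) partition starting at LBA 63."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2000000)
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE


# Constructed samples: same partition table, different boot code.
BASELINE_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
TAMPERED_MBR = build_sample_mbr(b"\xeb\x20\x90\x90")

if __name__ == "__main__":
    # Real use: compare_mbr(read_mbr("mbr-backup.bin"), read_mbr("/dev/sda"))
    print("baseline vs itself:", compare_mbr(BASELINE_MBR, BASELINE_MBR) or "no differences")
    print("baseline vs tampered:", compare_mbr(BASELINE_MBR, TAMPERED_MBR))
```

Run it against a backup file and the live disk (reading a device node needs administrator rights) and a “boot code differs” result on a machine whose partitions you haven’t touched is the cue to boot the MBRtool disk and restore the saved sector.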
Happy Thanksgiving and good luck surviving Black Friday!
I’ve been using F-Secure’s BlackLight Rootkit Eliminator ever since it was first released in early 2005. It’s a solid tool and has saved me from having to completely reload a system on at least three occasions, so I don’t know why I didn’t think of it as a weapon against Mebroot. Thanks to a news update from Windows Secrets, I visited F-Secure’s site and discovered the following in a March 31, 2008 blog post:
“A while ago we blogged about the MBR rootkit, which has been getting attention from all security vendors. We’re glad to inform you that the latest version of the F-Secure BlackLight standalone rootkit scanner now detects MBR rootkit infections.
“BlackLight has stood the test of time ever since it was released in the beginning of 2005. A new rootkit technique that has been able to evade detection has been a very rare event. The MBR rootkit is quite different from other rootkits we’ve seen over the years, so we had to add completely new technology into BlackLight to detect it successfully.”
Needless to say, I immediately downloaded the latest version and have it ready to go for any suspected Mebroot infections. Of course, I used it to check all of my own systems and am happy to report that the tool didn’t find anything wrong with my MBR. You can download the standalone BlackLight here.
In my next post, I’ll give you two more tools that you can use to combat this sinister threat: MBR BIOS locking and an MBR backup tool.
According to Microsoft, the November release of its Malicious Software Removal Tool (MSRT) removed the phony security software, Win32/FakeSecSen, from 994,061 distinct machines in just nine days: MSRT Review on Win32/FakeSecSen Rogues. Win32/FakeSecSen is a family of programs that claim to scan for malware and display fake warnings of “malicious programs and viruses”. These programs attempt to force users to pay to remove the “threats” they found. Some of them attempt (illegally) to look official by impersonating Microsoft products using names such as “Antivirus XP”, “AntivirusXP 2008”, “WinDefender 2008”, “XP Antivirus”, or similar.
Over at Ask the Geek, I often receive questions about how to properly erase a PC hard drive so personal data can’t be recovered. Clients also ask similar questions, particularly those involved in medical, dental, or financial practices. I’ve posted on this subject before, of course. “Paranoid About Hard Drive Security? Try This” outlined a two-step approach that works well, but is probably overkill for most, including those under regulatory scrutiny. The Center for Magnetic Recording Research (CMRR) points out that completely secure erasure doesn’t exist: erasure security is relative and is “a tradeoff between the erasure security level and the erasure time required. A high security protocol requiring custom software or days to accomplish will be avoided by most users, making it little used and therefore of limited practical value.” Enter Secure Erase (SE).
According to CMRR, “The Secure Erase (SE) command was added to the open ANSI standards that control disk drives, at the request of CMRR… The SE command is implemented in all ATA interface drives manufactured after 2001 (drives with capacities greater than 15 GB)….
“Secure erase does a single on-track erasure of the data on the disk drive. The U.S. National Security Agency published an Information Assurance Approval of single pass overwrite, after technical testing at CMRR showed that multiple on-track overwrite passes gave no additional erasure.”
HDDerase, the Secure Erase utility from CMRR, is a DOS-based program, so you need to make a bootable floppy, CD, or flash drive that boots DOS or FreeDOS, or use a Windows 95/98/ME rescue disk. Download the freeware HDDerase, extract HDDerase.exe to your bootable media, boot the computer to a command prompt, and execute HDDerase.exe. (HDDerase.exe must be run from a real DOS environment, not from a DOS command shell inside Windows.)
In about an hour or two, depending on the size of the hard disk, you’ll have a drive that can be safely disposed of or re-deployed without fear. If you plan to re-deploy the disk, you’ll have to create a new partition and format the disk before you’ll be able to use it again.
I’ve used this handy utility many times to sanitize disks that contained data subject to the Health Insurance Portability and Accountability Act (HIPAA). All normal attempts to discover any trace of identifiable data on my test drives failed to reveal anything usable.
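Before you burn a boot disk, it helps to know whether the drive will accept the Secure Erase command at all: the ATA security state can be “frozen” by the BIOS at boot, or the drive may sit behind a USB bridge that hides it. The script below is an added example, not code from this blog, from CMRR, or from HDDerase. It assumes a Linux host where `hdparm -I /dev/sdX` is available and parses the “Security:” block that command prints; the sample output embedded in it is constructed in that format, not captured from a real drive.

```python
"""Read a drive's ATA security state from `hdparm -I` output before attempting Secure Erase.

Added example; not code from the page, from CMRR, or from HDDerase. The page runs
HDDerase from DOS; this helper assumes a Linux host where `hdparm -I /dev/sdX`
exists and parses the "Security:" block it prints. SAMPLE_OUTPUT is constructed
in that format (tabs and all), not captured from a real drive.
"""
import re

SAMPLE_OUTPUT = "\n".join([
    "/dev/sdb:",
    "",
    "ATA device, with non-removable media",
    "\tModel Number:       EXAMPLE-MODEL (constructed)",
    "\tSerial Number:      EXAMPLE-SERIAL (constructed)",
    "Security: ",
    "\tMaster password revision code = 65534",
    "\t\tsupported",
    "\tnot\tenabled",
    "\tnot\tlocked",
    "\tnot\tfrozen",
    "\tnot\texpired: security count",
    "\t\tsupported: enhanced erase",
    "\t40min for SECURITY ERASE UNIT. 40min for ENHANCED SECURITY ERASE UNIT.",
    "Checksum: correct",
])

ERASE_TIME_PATTERNS = (
    ("normal", r"(\d+)min for SECURITY ERASE UNIT"),
    ("enhanced", r"(\d+)min for ENHANCED SECURITY ERASE UNIT"),
)


def parse_security_section(hdparm_output):
    """Extract the yes/no flags and erase-time estimates from the Security: block."""
    flags = {}
    minutes = {}
    in_section = False
    for line in hdparm_output.splitlines():
        if line.startswith("Security:"):
            in_section = True
            continue
        if not in_section:
            continue
        if not line.strip() or not line[0].isspace():
            break  # reached the next top-level section
        text = " ".join(line.split())  # collapse hdparm's tab layout
        if text.startswith("Master password"):
            continue
        matched = False
        for kind, pattern in ERASE_TIME_PATTERNS:
            m = re.search(pattern, text)
            if m:
                minutes[kind] = int(m.group(1))
                matched = True
        if matched:
            continue
        # hdparm prints "not\t<flag>" when the bit is clear and "\t<flag>" when set
        if text.startswith("not "):
            flags[text[4:]] = False
        else:
            flags[text] = True
    return {"flags": flags, "erase_minutes": minutes}


def secure_erase_readiness(hdparm_output):
    """Return the reasons a SECURITY ERASE UNIT command would not be accepted (empty = ready)."""
    flags = parse_security_section(hdparm_output)["flags"]
    if not flags:
        return ["no Security: section; the drive or its USB/RAID bridge does not expose ATA security"]
    problems = []
    if not flags.get("supported", False):
        problems.append("SECURITY ERASE UNIT not supported by this drive")
    if flags.get("frozen", False):
        problems.append("security state is frozen (usually set by the BIOS at boot); "
                        "the drive must leave the frozen state before erase commands are accepted")
    if flags.get("locked", False):
        problems.append("drive is locked behind a password; unlock it before erasing")
    return problems


if __name__ == "__main__":
    # Real use: info = parse_security_section(subprocess.check_output(["hdparm", "-I", "/dev/sdX"], text=True))
    info = parse_security_section(SAMPLE_OUTPUT)
    print("flags:", info["flags"])
    print("estimated minutes:", info["erase_minutes"])
    print("blockers:", secure_erase_readiness(SAMPLE_OUTPUT) or "none, ready to erase")
```

The “supported: enhanced erase” line means the drive also implements the enhanced variant of the command; either way, the minute figures are the drive’s own estimate of how long the on-track pass will take, which lines up with the hour or two mentioned above for larger disks. On Linux the same `hdparm` tool can issue the erase (`--security-set-pass` followed by `--security-erase`), but the readiness check is the part that saves you a wasted boot.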
Sinowal, also known as “Mebroot” and “Torpig” to various antivirus companies, is a dangerous rootkit that uses the computer’s Master Boot Record (MBR) as its Auto-Start Entry Point (ASEP). The Trojan typically infects Windows XP PCs via malicious websites using code that exploits vulnerabilities in Adobe Reader, Flash Player, or Apple QuickTime–vulnerabilities that have already been patched. Once the Trojan gets on your system, it does an interesting little dance to prevent detection. Windows Secrets writer Woody Leonhard describes Sinowal’s stealthy behavior in his November 20, 2008 article, “Don’t be a victim of Sinowal – the super-Trojan:”
“The key to Sinowal/Mebroot’s ‘success’ is that it’s so sneaky and is able to accomplish its dirty work in many different ways. How sneaky? Consider this: Sinowal/Mebroot doesn’t run straight out to your MBR and overwrite it. Instead, the Trojan waits for 8 minutes before it even begins to analyze your computer and change the Registry. Digging into the MBR doesn’t start until 10 minutes after that.
“Sinowal/Mebroot erases all of its tracks and then reboots the PC using the adulterated MBR and new Registry settings 42 minutes into the process.”
Also contributing to the Trojan’s effectiveness is that it’s constantly changing. Washington Post journalist Brian Krebs posted a chilling overview of Sinowal’s criminal mischief in his October 31, 2008 column, “Virtual Heist Nets 500,000+ Bank, Credit Accounts:”
“Sinowal…constantly morphs its appearance to slip past security software. Between April and October, researchers spotted an average of 60 to 80 new Sinowal variants per month…
“On Oct. 21, a new Sinowal variant was submitted to Virustotal.com, which scans incoming files against nearly three dozen commercial anti-virus programs and maintains a historical record of those results. Only 10 out of 35 of those security programs – or 28.5 percent – identified it as such or even flagged it as suspicious.”
Very scary, but here are seven things you can do to protect yourself:
- Apply all security patches to Windows XP.
- Apply all patches to third-party software, particularly Adobe Reader, Flash Player, and Apple QuickTime. These are the main avenues of infection.
- Make sure your antivirus detection definitions are up to date.
- Create a limited user account and use it to browse the web.
- Only visit websites you trust.
- Run your browser in a sandbox.
- Switch to Vista–it’s not currently vulnerable.
As always, constant vigilance is necessary on the Wild, Wild, Web.
In my How to Secure Your Computer series of articles, I issued Maxim #13, “WiFi Security–The Only Way is WPA”. However, TKIP–one of the protocols used under the WPA certification standard–is now vulnerable to attack, so I feel it prudent to modify my stance a bit and shed a little light on the subject. Certain media reports would have you believe that WPA has been cracked; this isn’t the case. (See “WPA Not Cracked, But Still Vulnerable.”) Steve Gibson’s latest episode (#170) of Security Now! explains in great detail the TKIP hack and why it’s not much to worry about–at least, not yet.
Under the WPA/WPA2 standards, a wireless access point or router can use either TKIP (Temporal Key Integrity Protocol) or AES-CCMP (Advanced Encryption Standard, Counter Mode/CBC MAC Protocol). TKIP is an enhancement of WEP that uses the RC4 stream cipher with 128-bit keys for encryption and 64-bit keys for authentication; CCMP provides much stronger protection because it uses AES (Rijndael) encryption.
Two German researchers, Martin Beck and Erik Tews, recently found a way to crack TKIP. They use what is called a chopchop attack, which attempts to decrypt packets byte by byte. You can read all about it in their white paper, “Practical attacks against WEP and WPA” so I won’t go into the details here.
While there doesn’t appear to be much an attacker can do at this point, the attack is a harbinger of things to come and now would be a good time to log into your wireless router and see what’s up. I discovered that mine doesn’t support AES-CCMP, only TKIP, so I need to upgrade the firmware. I recommend that everyone do one of the following:
1. Switch your current WPA configuration to AES-CCMP if it’s supported.
2. Upgrade the firmware in your router so it supports WPA2 with AES-CCMP.
3. If neither of those is possible, or, heaven forbid, your router only supports WEP, replace it with one that’s WPA2 compliant and use AES-CCMP.
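If your access point is a Linux box running hostapd rather than a consumer router, the same check can be scripted against its configuration file. The example below is added here and is not code from this blog or from the hostapd project: it reads a hostapd.conf, flags WEP keys, WPA (version 1) and any TKIP pairwise cipher, and shows the weak configuration beside the CCMP-only form. Both configurations are constructed samples; the keys checked (`wpa`, `wpa_pairwise`, `rsn_pairwise`, `wep_*`) are hostapd’s, and the remark about hostapd’s default pairwise cipher is an assumption noted in the code.

```python
"""Flag TKIP and WEP in a hostapd configuration and show the CCMP-only form.

Added example, not from the page or from hostapd. The page asks you to check your
router's WPA settings; this assumes instead a Linux access point driven by
hostapd and checks the keys it uses: wpa (bit 1 = WPA, bit 2 = WPA2/RSN),
wpa_pairwise, rsn_pairwise and wep_*. Both configurations are constructed samples.
"""

# Constructed: the "WPA with TKIP" setup this post says to move away from.
WEAK_CONF = """\
interface=wlan0
ssid=HomeNet
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=constructed-sample-passphrase
"""

# Constructed: WPA2 (RSN) only, AES-CCMP only.
FIXED_CONF = """\
interface=wlan0
ssid=HomeNet
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=constructed-sample-passphrase
"""


def parse_hostapd_conf(text):
    """Turn key=value lines into a dict, skipping blanks and # comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_ciphers(conf):
    """Return a list of findings; an empty list means WPA2 with CCMP only."""
    findings = []
    if any(k.startswith("wep_") for k in conf):
        findings.append("WEP keys configured (wep_*): replace with WPA2/CCMP")
    try:
        wpa = int(conf.get("wpa", "0"))
    except ValueError:
        wpa = 0
    if wpa == 0:
        findings.append("wpa=0: no WPA/WPA2 protection configured")
    if wpa & 1:
        findings.append("wpa has bit 1 set: WPA (TKIP-era) clients accepted; use wpa=2 for WPA2/RSN only")
    for key in ("wpa_pairwise", "rsn_pairwise"):
        if "TKIP" in conf.get(key, "").split():
            findings.append("%s=%s: TKIP accepted; set %s=CCMP" % (key, conf[key], key))
    # Assumption: older hostapd builds default the pairwise cipher to TKIP when
    # neither key is given, so insist on an explicit setting.
    if wpa and "wpa_pairwise" not in conf and "rsn_pairwise" not in conf:
        findings.append("no pairwise cipher set explicitly; set rsn_pairwise=CCMP")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        findings = audit_ciphers(parse_hostapd_conf(text))
        print("%s config: %s" % (label, findings or "OK, WPA2 with CCMP only"))
```

The same three checks (WEP present, WPA1 allowed, TKIP listed as a cipher) are what to look for in a router’s web interface, where they usually appear as “Security mode” and “Encryption” drop-downs.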