Showing posts with label malware. Show all posts

Monday, February 01, 2010

Twiguard update week 4 and final week.


Although this update was a little late, the analysis ran at the correct time and produced its results: 1239 bad URLs in the list, with 876 of them being new. That is almost 70%. The chart to the left shows the progression from week one of total flagged URLs in red, with the unique URLs for that week in blue. After 4 weeks they almost intersect, and at this rate I am guessing that they will intersect in the next few weeks. This goes a long way to showing that URL blacklisting alone is not fast enough to stop the spread of malware on a social network like Twitter.

There are a lot of reasons that can explain the numbers, one being that although we captured the URL weeks ago it didn't start hosting malware until recently. Keep in mind, though, that the purpose of this experiment is to judge how quickly traditional blacklists can respond to malware spread via Twitter. Although Safe Browse may have flagged a URL as bad this week, that doesn't mean it was serving malicious content when it was first captured by Twiguard. In this experiment the majority of bad URLs captured (58.6%) are hosted in Brazil. On Sunday the 7th Twiguard will capture another 24 hours' worth of URLs and make them available to anybody who wishes to duplicate this experiment.

Tuesday, June 24, 2008

Can antivirus be a virus?

My beloved Blackberry Curve met a bad end, so I needed to pick a new phone. I decided to go with the Motorola Q9 after hearing good things about it. In rummaging around my new phone I found a link to download McAfee VirusScan. After kicking the tires, I decided it added nothing useful, so I removed it. It did not go away. I then tried killing it in the process list, but it came back. It's like a zombie from a George Romero movie; it just won't stop. It no longer shows up in the list of installed programs, and it is eating up my battery needlessly.



It's running, yet it's not installed... hrm... in fact, you could say I uninstalled it, yet it stuck around... hrm... What's the name for software like that?

McAfee VirusScan Mobile, I dub you "malware."

Monday, June 23, 2008

Apple malware

Macs only seem safer than other OSes. In reality they are just as risky. Because of this, I pay attention to any report of Mac-based malware and exploits. Last week two Mac security vendors (I didn't know the market was large enough for one) announced that they had discovered malware in the wild that took advantage of a recently discovered flaw that allows an AppleScript to run as root because of the permissions of the Apple Remote Desktop Agent. In the Windows world it is common to talk about a vulnerability going from PoC to malware in a few hours or days, but this is the first time I can think of it happening on a Mac. The Mac flaw was made public on Slashdot on June 18th, and the MacScan advisory is dated June 19th. You can come to two different conclusions, and neither is good for Mac users.

1. You could conclude that malware authors are starting to pay more attention to Macs and quickly wrote malware to take advantage of the flaw. This means that as more vulnerabilities appear, so will more malware. This is not good for a population of people who have been repeatedly told they do not have security problems.

2. You could conclude that this vulnerability is publicly known only because the new Trojan uses it to install itself. This would mean that malware authors are finding and using 0day to spread their wares. This also is not good for a population of people who have been repeatedly told they do not have security problems.

Either way the Apple security problem is growing.

Tuesday, November 27, 2007

Apple Quicktime RTSP update

Milw0rm currently has 3 proof-of-concepts for the QuickTime flaw that I wrote about earlier.


The newest one, by Yag Kohha, has refined the attack to an almost weaponized state. This means that ankle-biters, bot masters, and a general assortment of unsavory types now have everything needed to easily take advantage of the flaw.

The developers of another PoC modified it after Symantec released a blog post declaring that standard buffer overflow protection would mitigate the vulnerability in some cases. The exploit has also been tweaked to work via a redirection attack on IE7, Firefox, and Opera. Safari on Windows seems to be left out, but that does not mean you are safe if you use Safari.

We are also receiving some scattered reports that it is showing up in the wild, but we have not been able to validate them. Because malicious code can be embedded in so many different ways, it is advisable to follow the US-CERT suggestions here or remove QuickTime completely.

Although the published exploits target Windows, the flaw is present in OS X, so Apple users should be cautious as well.

An interesting note is that the most robust of the exploits makes a derogatory mention of WabiSabiLabi Labs, the exploit auction site. WabiSabiLabi currently has a QuickTime exploit for sale that lists QuickTime 7.2 and Windows XP as the targets. You have to wonder if this is another case of a researcher using vague details to find the same vulnerability.

Keep in mind that the analysis shows that all the exploits rely on a known offset for a successful attack. ASLR could mitigate these attacks by changing the load address of components, reducing them to nothing more than a denial of service. If Apple had enabled QuickTime to take advantage of ASLR in all of its components, this would be a non-issue. Instead they put you at risk.

UPDATE:
I thought a screen shot of what the warning message on Vista with IE7 looks like would be appropriate.

Tuesday, April 24, 2007

Storm Worm vs. IDS

News from last week was this "Storm Worm". A hacker launched malware via a massive spam campaign. This meant that thousands of users were likely infected before the anti-virus companies had a chance to respond to the virus and release signatures to their customers.

SANS has an interesting post about how this shows that traditional anti-virus can't deal with the problem. The post describes a one-line Linux shell script that can detect whether a ZIP file likely contains a virus (zipinfo lists each entry's attributes and name, and the pattern matches an encrypted entry with an executable name):

if zipinfo patch-58214.zip | grep -q 'BX.*\.exe' ; then echo 'encrypted executable'; fi

This is almost identical to a signature I wrote for the Proventia IPS. Proventia is based upon protocol-analysis technology. This means that it decodes the SMTP protocol and the e-mail format, and BASE64-decodes MIME attachments. It then parses the ZIP file just like 'zipinfo'. While it doesn't uncompress/decrypt the contents of a ZIP file, it can still process the filenames. My signature tests the filename to see if it ends in something executable, such as .exe, .scr, .pif, etc. Because it uses protocol-analysis, Proventia blocks the e-mail by sending a "500" return code in SMTP instead of killing the TCP session. Because it uses protocol-analysis, it reports to the operator the filename, the subject line of the e-mail, and the from/to addresses in the SMTP session. Because it's NOT a store-and-forward proxy, it can run at multiple gigabits per second. This, and a few similar signatures in Proventia, will stop most 0day e-mail viruses at gigabit speeds. It's fabulously useful, but of course, few people use it.
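To show the detection idea in working code, here is an added example (not code from the post, from SANS, or from Proventia): it walks a ZIP file's central directory to read entry names and the encryption flag without inflating or decrypting anything, and flags entries with an executable extension, which is the check the signature above performs. The `build_zip` helper, the `EXEC_EXT` list and the sample attachment are constructed for this example; the "encrypted" entry only has the ZIP encryption flag bit set, its bytes are not actually encrypted.

```python
import struct
import zlib

# Extensions the signature treats as executable (list constructed for this example)
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def build_zip(entries):
    """Build a STORED zip from (name, payload, encrypted) tuples. 'encrypted' only sets
    general-purpose flag bit 0 (what zipinfo reports); the payload is left untouched."""
    local, central, offset = b"", b"", 0
    for name, payload, encrypted in entries:
        fname = name.encode()
        flags = 1 if encrypted else 0
        crc = zlib.crc32(payload) & 0xFFFFFFFF
        lh = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, 0, 0, 0,
                         crc, len(payload), len(payload), len(fname), 0)
        local += lh + fname + payload
        central += struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags, 0,
                               0, 0, crc, len(payload), len(payload), len(fname),
                               0, 0, 0, 0, 0, offset) + fname
        offset += len(lh) + len(fname) + len(payload)
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, len(entries), len(entries),
                       len(central), offset, 0)
    return local + central + eocd


def zip_entries(data):
    """Yield (filename, encrypted) by walking only the central directory:
    nothing is inflated or decrypted, just as the IPS signature works."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, count, _cd_size, cd_off, _ = struct.unpack_from("<4sHHHHIIH", data, eocd)
    pos = cd_off
    for _ in range(count):
        hdr = struct.unpack_from("<4sHHHHHHIIIHHHHHII", data, pos)
        if hdr[0] != b"PK\x01\x02":
            raise ValueError("bad central directory header")
        flags, fnlen, exlen, cmlen = hdr[3], hdr[10], hdr[11], hdr[12]
        name = data[pos + 46:pos + 46 + fnlen].decode("cp437")
        yield name, bool(flags & 1)  # bit 0 of the flags word = entry is encrypted
        pos += 46 + fnlen + exlen + cmlen


def flagged_executables(data):
    """Entries the signature would block: any name ending in an executable extension."""
    return [(n, enc) for n, enc in zip_entries(data) if n.lower().endswith(EXEC_EXT)]


if __name__ == "__main__":
    sample = build_zip([("readme.txt", b"hello", False), ("patch-58214.exe", b"MZ", True)])
    for name, enc in flagged_executables(sample):
        print(f"BLOCK {name} encrypted={enc}")
```

The encryption flag is reported alongside the name so an operator can tell an encrypted executable (the Storm Worm pattern) from a plain one, but the block decision does not depend on it.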

The technology is ready for 0day viruses; the problem is that the market still isn't. The technology I describe above doesn't fit within any easy market category: it's neither precisely what people understand as "intrusion-prevention" nor "anti-virus". It's like a thousand other bits of technology that languish in our industry because there is no neat category for them. I created the first IPS (BlackICE Guard, aka Proventia), but it was just an IDS feature until Intruvert showered money on Gartner to create a new category for it.

EDIT: btw, for people interested in the history of IPS, the following is a post from 2001 I made to the Security Focus IDS mailing list. This was before Gartner created the market segment. You can tell my frustration trying to differentiate IPS from firewalls and pure IDS.

http://archives.neohapsis.com/archives/sf/ids/2001-q1/0168.html

Tuesday, January 02, 2007

Blah Blah Blah

I love having a blog; it means I can rant, and I sure do like ranting. Like earlier in the week, I was upset that the media made a huge deal out of a Russian site selling a Vista exploit. These reports made it seem like a much worse problem than it was, and few reporters actually mentioned that it was a LOCAL bug and an attacker needs valid credentials to log in to the machine to carry out the attack. I suppose headlines like "Russian site selling lame bug that affects almost nobody" would not have been as eye-grabbing.

This trend of dumping on Vista has continued, but this time it's cracks. If you are not familiar with the term, there are ways to circumvent legitimate licensing and copyright protection schemes and download and run copies of Microsoft's latest shiny toy without *GASP* paying for it. Maybe this story is getting play because outside of the hacker community not many people have heard of "warez" and it's finally going mainstream; maybe it's getting play because it's a slow news week. I can't decide which.

Let me disclose something: all the cracks that have been discussed in the media recently, I made efforts to go and find. I now have a very extensive collection of Windows Vista cracks. You might be asking yourself why I would do that; why not just buy a copy or ask MS to give me one? It's simple: I am waiting for the first cracks to appear that are massively infected with virii or spyware. I have seen some, but I am more waiting for something that is massively blatant, like after 90 days of operation you are prompted for a credit card number or the OS will delete itself and take all of your work/photos/music with it. Surely these free-spirited pirates wouldn't do such a thing, you might say... honor among thieves and stuff like that.

I ask you, what's the best way to build a botnet now that a botnet master can't count on a massive Windows remote 0day every three months that can be used in a recruitment drive? It's simple: you build yourself a good, reliable network of people who can't patch (security patches require a legit copy of Windows) and who you know will take your bait (free copies of Vista!!). It makes for a great plan; you can even add new functionality to your trojaned OS by releasing "cracked" patches. I am going to call this the "addict pirate", because once you get a sap hooked on this, he or she has to keep coming to you for their fix or *GASP AGAIN* pony up for a legit copy.

Enough ranting about "addict pirates" and back to the poor reporting and business aspects of these "cracks". These types of cracks have been around for years, and no matter what people say, this will not affect the sale of the OS. What makes me the most irate is how the reporting on the Vista cracks makes it seem like this is the first time an OS has been pirated. Right now on file sharing networks you can find copies of Windows XP, 2000, ME, 98, and 95. There are even copies of Windows 3.1 floating around! And I don't mean 3.11 for Workgroups; I am talking about the OLD SCHOOL stuff.

If you take one thing away from this blog post, make sure it's this thought: this is not a new or shiny problem; as long as there has been software, there have been people stealing it. Nothing to see here, move along.