NEWS - April 16, 2010

From the Websense Blog:

Multi-layer Obfuscated JavaScript Using Twitter API

Nowadays infected Web pages are probably the biggest threat to the IT sector. Most compromised HTML documents contain a JavaScript that generates the malicious content dynamically to make it less obvious what it is doing. To avoid detection, they are using more and more complex obfuscation techniques. In this blog we will analyze a sample with 5 different obfuscation layers using a few tricks to fool automated de-obfuscation engines.

Our sample today is a 6KB obfuscated JavaScript that by the end turns into a single iframe pointing to a malicious site. The threat is using a mixture of Codebook, XOR and substitution ciphering as well as the traditional character representation tricks to hide the malicious content. Some of these techniques have already been discussed in this blog.

To decrypt it, we need to tweak the code a little bit so that the evil script reveals its true nature - as opposed to silently executing the payload. As you can see the injected code looks strange, but other than that it does not tell us whether the code is malicious or not: [...]

Continued here:

More regarding this topic throughout today's thread

IE 8 Security Features Could Be Turned Against Users, Researchers Say

"At Black Hat Europe, presenters show how filters designed to prevent cross-site scripting can be used to launch those very attacks "

The good news is that Microsoft's Internet Explorer 8 browser offers a new set of filters designed to prevent some cross-site scripting (XSS) attacks. The bad news is that those same filters could be used to enable XSS attacks.

That was the gist of a presentation offered today by security researchers David Lindsay and Eduardo Vela Nava at the Black Hat Europe conference in Barcelona, Spain.

In a paper (PDF) presented at the conference, the researchers described several methods that attackers could use to enable XSS on sites that would otherwise be immune to XSS.

"There's an irony here because you're using filters that are designed to improve security to launch attacks on sites that take security seriously," said Lindsay during a telephone interview prior to the presentation.

The vulnerabilities were found in several filters that Microsoft added to IE 8 to help identify and "neuter" simple XSS attacks, Lindsay explained.

Continued here:
Scareware: Nocebo instead of placebo

The term nocebo is used to describe the opposite of the placebo effect: although the pill has no active ingredients, the patient's health deteriorates in response. In its forthcoming study entitled "The Nocebo Effect on the Web: An Analysis of Fake Anti-Virus Distribution", Google rates the effect of scareware in a similar way: doesn't do anything, but causes the state of the PC (or that of its user) to deteriorate regardless. Google plans the first presentation of the study for the Usenix "Workshop on Large-Scale Exploits and Emergent Threats" at the end of April.

According to Google, scareware now accounts for 15% of all the malware found online, and the share is said to be steadily increasing. Scareware makes users believe that their systems are infected by trojans and viruses. The programs then try to coax users into buying a full version of the program to remove the alleged viruses and continue to issue frequent disruptive alerts if the user does not immediately comply.

Continued here:

See prior post: Google: 11,000 domains carrying rogue security products

UK firm offers clickjacking visualization tool

From the Sunbelt Blog:

UK security firm Context Information Security Ltd. is making available a browser-based tool that will demonstrate clickjacking techniques that were discussed at a Blackhat Europe 2010 presentation.

On the Context site, they said "Clickjacking is a term first introduced by Jeremiah Grossman and Robert Hansen in 2008 to describe a technique whereby an attacker tricks a user into performing certain actions on a website by hiding clickable elements inside an invisible iframe.

"Although it has been two years since the concept was first introduced, most websites still have not implemented effective protection against clickjacking. In part, this may be because of the difficulty of visualising how the technique works in practice."

"The tool is currently in an early beta stage, and works best in Firefox 3.6. Full support for other browsers will follow shortly."

Context Ltd. piece here.

See Prior Post: Next-Generation Clickjacking Attacks Revealed

iPack Exploit Kit Bites Windows Users

Not long ago, there were only a handful of serious so-called "exploit packs," crimeware packages that make it easy for hackers to booby-trap Web sites with code that installs malicious software.

These days, however, it seems like we're hearing about a new custom exploit kit every week. Part of the reason for this may be that more enterprising hackers are seeing the moneymaking potential of these offerings, which range from a few hundred dollars per kit to upwards of $10,000 per installation, depending on the features and plugins requested.

Take, for example, the iPack crimeware kit, an exploit pack that starts at around $500. [...]

Its name and cute logo aside, iPack has nothing to do with Apple's products. According to Jorge Mieres over at the Malware Intelligence blog, the software vulnerabilities targeted by exploits contained in this package are all for Windows platforms, including:

Continued here:

MS10-021: Encountering A Failed WinXP Update

Published: 2010-04-16,
Last Updated: 2010-04-16 17:01:19 UTC

While I do take the time to look at General Information surrounding each Security Update that Microsoft releases, a couple of news articles here and here that surfaced this week (pertaining to the MS10-021 Security Update) made me go back and have a closer look at the full Microsoft Security Bulletin details for MS10-021 here.

If you were to open the Frequently Asked Questions (FAQ) section (a section I honestly don't take the time to read) sure enough, there is a general statement concerning the prevention of the update from installing "if certain abnormal conditions exist on 32-bit systems".

So if you happened to be using WinXP and encountered an error while performing an Update for MS10-021, Microsoft has provided a link here to officially explain what the error means and what resolution steps can be taken.

Articles Referenced Above: MS kernel patch skirts infected machines
Get help with Microsoft Security Bulletin MS10-015 incompatibility message

Explanation of Error for Update for MS10-021..

The above article states:

'So if you happened to be using WinXP and encountered an error while performing an Update for MS10-021, Microsoft has provided a link here to officially explain what the error means and what resolution steps can be taken.'

I neglected to include where the "link here" led ==>>

Familiar Rip-Off Strikes Apple, IKEA

From the McAfee Labs Blog:

As I write this blog today, a number of fabulous offers are spreading on Twitter, Facebook, and the Internet. They promise you a free Apple iPad, a free $1,000 IKEA gift card, and other incredible presents to lure people in search of a bargain. For that matter, we can read that the IKEA gift card scam took in nearly 40,000 Facebook users on April 12, and a similar offer fooled 70,000 victims in March. [...]

Be careful: All these offers are fake. They exist only to collect personal data (your name, address, and e-mail) for future spam campaigns. They also take you to various lottery websites, where you are tempted to deposit funds for playing online instant and scratch games. I followed about 10 such offers; they all end in the same websites chosen according to your country. Once there, you do not see any trace of the initial proposal (the iPad or gift card). To keep your interest, various windows and pop-ups announce numerous winners. To join them you need only an account and deposit some money. [...]

Continued here:

Tool for cracking Office encryption in minutes

An implementation flaw allows attackers to bypass the encryption mechanism used for Microsoft Office documents. Although this isn't news, having been made public in 2005, no (officially acknowledged) attack or tool for exploiting the vulnerability has existed until now. Which probably explains why Microsoft has never fixed the problem with an update for older versions of Office.

French crypto expert Eric Filiol in his presentation (PDF) at the recent Black Hat security conference emphasised that the situation has now changed. He says his tool can decrypt a document within a few minutes. Filiol said he began working on the statistical analysis of the RC4 algorithm used in Office back in 1994. Talking to heise Security, the expert explained why he has only now published his results: "I was employed by the French military at the time. Everything I did was classified. Now I am free to speak about it."

Continued here:

New Mac OS X malware variant spotted

Intego is reporting on a newly discovered variant of a Mac OS X malware first detected in 2004.

According to the company, the source code of the OSX/HellRTS.D is already being distributed across multiple forums, which could potentially allow malicious attackers to create new variants of it.

More details on the malware:

* It sets up its own server and configures a server port and password
* It duplicates itself, using the names of different applications, adding the new version to a user's login items, to ensure that it starts up at login. (These different names can make it hard to detect, not only in login items, but also in Activity Monitor.)
* It can send e-mail with its own mail server, contact a remote server, and provide direct access to an infected Mac
* It can also perform a number of operations such as providing remote screen-sharing access, shutting down or restarting a Mac, accessing an infected Mac's clipboard, and much more

Continued here: