Thursday, 30 October 2008

Near misses

Hello all

It has been an interesting few days for me. I have been involved in a couple of things that I can talk about and a few that I can’t. So, on to the ones that are fine to chat about.

Microsoft released an out of band patch – let me remove the jargon around that. A security update came out when it wasn’t a regular Patch Tuesday. Patch Tuesday falls on the second Tuesday of the month, except for the March before last when there weren’t any. Well, this one (MS08-067) was released on October 23, 2008, which is fairly close to the November patch date, which will be the 11th – I don’t have any inside information, but that is what every system administrator expects and the MSRC blog should confirm it soon. So, this out of band patch was released pretty much in the middle of two patch cycles, and that means it was something special.
Well, it is. From the bulletin (and again, no special knowledge here), it was a vulnerability in the computer browser service and the server service. The question that MS always ask themselves when a vulnerability is reported or found is “Could this be used to write a networked virus, or a worm for short?” For the answer to be yes, the following things have to be true:

1. It has to be a remote code execution vulnerability.

2. It has to attack software that is running all the time on vulnerable systems.

3. It can’t require user action for the exploit to work.

Well, this one ticks all those boxes. It is an RPC based vulnerability. You have probably heard of a worm that used an RPC vulnerability. Blaster did that. However, this wouldn’t be as limited as Blaster since it affected more versions of Windows. Accordingly, I would advise installing this one pretty damn quickly. The proof of concept code was released on the 24th and the black hats have it now. Oh, and just to add to the fun, the malicious code would be running as SYSTEM and would be able to do what it liked to the target machine.

One of the things that I did related to this was quash a rumour that Microsoft is releasing viruses that utilise flaws in Microsoft software. I have heard that one so many times and it has never made sense to me. The point of malware is to put code onto the box that the attacker wrote. What a Microsoft written virus would do would be to... uh, well, patch Windows. MS already has control over what code is in Windows. As for the motive, that is even more puzzling. Do you think that Microsoft wants to steal your product keys? They already have loads. Your credit card details? I think that someone would notice. No, the main reasons that I hear behind this insane rumour are that it is to force people to install patches (uh, they are provided free, so where is the motive?) or to encourage sales of Microsoft anti-virus products.

Did you know that Microsoft markets anti-virus products? Their home anti-virus is called OneCare and it is not a huge seller. The business solution is Forefront Client Security. They are decent enough products, but could the profit possibly be worth doing something illegal and easily traceable to the company that is perhaps the most monitored company in America? Clearly not. Also, given the respective market shares, this would help Microsoft’s competitors much more than it would help Microsoft. Clearly, this is nonsense.

However, imagine that I believe that MS kicks puppy dogs and eats small children. Imagine that I didn’t know for a fact that MS doesn’t do these things and that they can normally be traced to some well known sources. The question would be, why on earth would Microsoft bother? There are hundreds of malware writers, maybe even thousands, who will write these things for free.

The other thing that I can mention is that I saw a spam email the other day. Nothing odd about that. This one read:

“Good day.
You have received an eCard

To pick up your eCard, choose from any of the following options:
Click on the following link (or copy & paste it into your web browser):

Your card will be aviailable for pick-up beginning for the next 30 days.
Please be sure to view your eCard before the days are up!

We hope you enjoy you eCard.

Thank You!”

The website was actually listed and had been hacked using a fairly simple attack. There is nothing unusual about this as a technique, but it reminded me so much of the first wave of attacks that built the Storm botnet, now largely defunct. However, this malware proved to be the much less interesting Zbot, while Storm was an evolution of RBot. Storm was much more flexible and much more resilient than Zbot – and the malware servers were the bots themselves rather than a normal website. It did look very familiar for a moment though, as some of the early cases used hacked websites as the hosts before they developed their fast flux DNS capability.
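As an added illustration (my own code, not from the post), here is a small heuristic that flags messages following this eCard lure pattern. The spam sample is the text quoted above with a constructed placeholder link standing in for the hacked site's URL; the allow-listed greeting-card host and the threshold are my assumptions.

```python
import re

# Lure traits drawn from the eCard spam quoted in the post. The threshold
# and the vendor allow-list below are my own assumptions.
LURE_PATTERNS = {
    "ecard_claim": re.compile(r"you have received an e-?card", re.I),
    "link_prompt": re.compile(r"copy\s*&\s*paste it into your web browser", re.I),
    "deadline": re.compile(r"for the next \d+ days|before the days are up", re.I),
    "generic_greeting": re.compile(r"^\s*(good day|dear (customer|user))\b", re.I | re.M),
}
# Hypothetical allow-list of real greeting-card hosts; the post's lure linked
# to a compromised ordinary website, so any other host counts as a trait.
KNOWN_CARD_HOSTS = {"example-greetings.invalid"}
URL_RE = re.compile(r"https?://([^/\s]+)", re.I)

def lure_traits(body: str) -> list:
    """Return the names of the lure traits a message body exhibits."""
    hits = [name for name, rx in LURE_PATTERNS.items() if rx.search(body)]
    hosts = {m.group(1).lower() for m in URL_RE.finditer(body)}
    if hosts and not hosts <= KNOWN_CARD_HOSTS:
        hits.append("unknown_link_host")
    return hits

def is_ecard_lure(body: str) -> bool:
    """Flag when the eCard claim is backed by at least two other traits."""
    hits = lure_traits(body)
    return "ecard_claim" in hits and len(hits) >= 3

# Constructed sample: the post's quoted spam, with a placeholder link added
# where the original (stripped) URL to the hacked site would have been.
SAMPLE_SPAM = """Good day.
You have received an eCard

To pick up your eCard, choose from any of the following options:
Click on the following link (or copy & paste it into your web browser):
http://compromised-site.invalid/ecard

Your card will be aviailable for pick-up beginning for the next 30 days.
Please be sure to view your eCard before the days are up!
"""
# Constructed benign card from an allow-listed host: one trait only, not flagged.
SAMPLE_LEGIT = "You have received an eCard from Alice: https://example-greetings.invalid/view/42\n"

if __name__ == "__main__":
    for label, msg in (("spam", SAMPLE_SPAM), ("legit", SAMPLE_LEGIT)):
        print(label, is_ecard_lure(msg), lure_traits(msg))
```

A real mail filter would weight the link-host check far more heavily than the wording, since the lure text changes with every campaign while the compromised-host trait does not.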

Anyway, I helped out the company that got hacked. It didn’t take long so there was no charge in this case. They wanted a French speaking consultant so all that I did was prepare enough information to hand over and let them find their own man.

So, it has been something of a week of "might have been"s.

Signing off

Mark Long, Digital Looking Glass Ltd
