adventuresinsecurity.com Blog » Alerts

Ransomware Password Revealed

Tom Olzak — Mon, 27 Mar 2006 23:44:47 +0000

A trojan horse virus is spreading across the Internet that encrypts Word documents, spreadsheets, and databases. It then leaves a file demanding $300 in return for the password necessary to decrypt the ransomed files. However, Technicians at Sophos have extracted the password (yes, it looks like a path name):

C:\Program Files\Microsoft \Visual Studio\VC8

This kind of attack seems to be growing. So keep those anti-virus and firewall programs up-to-date.

Author: Tom Olzak

Listen to our Podcasts –>

Free training modules available at http://adventuresinsecurity.com/SCourses

User Awareness Alert: IE Exploit Strikes, Installs Spyware

Tom Olzak — Sat, 25 Mar 2006 22:23:46 +0000

“The unpatched CreateTextRange vulnerability in Internet Explorer is already being used by at least one Web site to install spyware on users’ machines, a security organization said Friday.

“‘We just received a report that a particular site uses the vulnerability to install a spybot variant,’ the SANS Institute’s Internet Storm Center (ISC) warned Friday in an alert. ‘It is a minor site with insignificant visitor numbers according to Netcraft’s ‘Site rank.’”

Read the whole Story

Listen to our Podcasts –>

Free security training available at http://adventuresinsecurity.com/SCourses

User Awareness Alert: Open source digital signatures might be vulnerable

Tom Olzak — Mon, 13 Mar 2006 14:36:19 +0000

“A pair of security bugs in cryptography software could allow an attacker to insert content into a digitally signed message or forge signatures on files.

“The flaws lie in the open-source GNU Privacy Guard software, also known as GnuPG and GPG, the GnuPG group said in two alerts. The software, a free replacement for the Pretty Good Privacy cryptographic technology, ships with many open-source operating systems such as FreeBSD, OpenBSD and many Linux distributions” (By Joris Evers, CNET News.com Published on ZDNet News: March 10, 2006, 2:38 PM PT).

Read the rest of the article

Listen to our podcasts –>

Free Security Training available at http://adventuresinsecurity.com/SCourses.html

Technical Security Alert: Rootkits can be hidden in virtual machines

Tom Olzak — Mon, 13 Mar 2006 14:13:02 +0000

“Security researchers have uncovered new techniques to hide the presence of malware on infected systems. By hiding rootkit software in virtual machine environments, hackers have the potential to avoid detection by security software, boffins at Microsoft Research and the University of Michigan warn” (John Leyden, published 13 March 2006 in The Register).

View the rest of the article

Listen to our podcasts –>

Free Security Training available at http://adventuresinsecurity.com/SCourses.html

User Awareness Alert: New IM Malware

Tom Olzak — Tue, 07 Mar 2006 21:49:22 +0000

“An anti-virus vendor warned Tuesday that two new worms spreading on Microsoft’s and America Online’s instant messaging networks delete files and leave systems open to hijacking.

“Symantec posted alerts for the “Hotmatom” and “Maniccum” worms, and ranked both as a level “2″ threat. The Cupertino, Calif.-based security company uses a 1 through 5 scale to label worms, viruses, and Trojans”

Read the rest of the story

Listen to our podcasts –>

User Awareness Alert: Legal Worm

Tom Olzak — Mon, 06 Mar 2006 14:13:43 +0000

A new worm is working its way throught the Internet. Known as Bagle.do, the worm threatens email recipients with legal action if they don’t open the attached .exe file and respond to the sender.

For the whole story, click here

Listen to our Podcasts –>

(User Awareness Alerts are a service provided by Erudio Security, LLC)

BIOS Rootkit Attacks: What’s the Real Risk?

Tom Olzak — Wed, 01 Feb 2006 16:45:00 +0000

As I’ve written in previous articles, the frequency of malicious rootkit installations is increasing. Now it seems that even the BIOS is a potential target. John Heasman, principle security consultant for Next-Generation Security Software, announced this week that a collection of functions known as the Advanced Configuration and Power Interface (ACPI) could be used to deposit a rootkit in the BIOS in flash memory. This is rather easy to do, said Heasman, because the ACPI has a high level programming language that’s easy to learn and easy to use.

When I read this story, which was covered on almost every security web site, I was initially concerned. Who wouldn’t be? The BIOS is the most fundmental layer of functionality in any PC. But the more I thought about it, the more I wondered about how much risk a BIOS rootkit actually presents to a business network. After some research, I concluded that the risk is very low for businesses that take normal precautions.

In this article, we’ll look at rootkit technology, how engineers or programmers flash the BIOS, the typical safeguards protecting BIOS access, and what you can do to protect your business from BIOS rootkit issues.

Rootkits appeared about 10 years ago. Their initial purpose was to provide “back doors” into applications and systems, bypassing the normal security safeguards. Many rootkits were installed by developers who wanted quick access to system internals, especially if the standard access methods failed. But the one defining characteristic of rootkits was stealth. They were invisible to users, system administrators, and to most malware detection tools.

Over the years, rootkit development and use took two paths. The first path led to ethical uses. Again, providing back door system management functionality as well as the ability to collect information for forensic or administrative purposes. The second path led to malicious activities designed to surreptitiously acquire information with criminal intent. Today’s rootkits can perform many functions, including

keystroke logging
interception of system calls, resulting in system behavior modified to suit the needs of the rootkit owner
remote control of a system

Malicious rootkits are typically installed by exploiting a software vulnerability, either in the operating system or an application. Although there was one well known successful application of rootkit technology to BIOS firmware in 1999 (CIH), rootkit infections of BIOS implementations have been largely ignored by the hacking community. But with stronger system safeguards, attackers are looking for other avenues of entry into your computers.

So how can an attacker gain access to PC, server, and peripheral BIOS firmware? One way a to install a rootkit in BIOS firmware is through a user-initiated firmware upgrade. Firmware upgrades are often necessary to correct problems with hardware operation or to add additional functionality. In this scenario, the point of greatest vulnerability is retrieving the new firmware file. It should be downloaded from the hardware vendor site or obtained from a reputable local hardware vendor. This is the point at which it’s most probable that an infection will occur. As with the CIH attack, the firmware may already contain a rootkit. This is why it’s important to get it from a well-known and secure source.The other way infected firmware can be loaded into your hardware is through the actions of an attacker. This normally requires physical access to the system to be compromised. Why? Because most hardware components are protected against changes to BIOS firmware with a jumper or a password.In the case of a jumper, the attacker would have to physically move the jumper to enable firmware flashing. With most hardware, this requires not only physical access to the device, but also the opportunity for partial disassembly of the system in which the device is installed. Standard physical controls should be sufficient to prevent this type of access.The effectiveness of firmware password safeguards depends on how you manage both administrative and physical processes. If your engineers changed the password, the attacker may have to execute a series of steps to reset the BIOS security configuration to factory defaults. This requires the same kind of access as that described for jumper manipulation. However, once the factory defaults are restored, vendor passwords are easily obtained. Again, standard physical access safeguards should be sufficient to prevent this type of access – especially if your engineers change the firmware password as part of all hardware installations.There are other ways to compromise the BIOS. For example, overloading keyboard buffers is often one attack method that works on older systems. And BIOS password cracking software exists and is available for download from the Internet. But physical access is still necessary in many cases to enable firmware changes.

Although firmware rootkit attacks should be considered when reviewing the effectiveness of your security program, I don’t believe you have to declare a state of emergency because of this week’s announcement. A business that follows security best practices should be adequately protected from the kinds of access necessary to effect a firmware rootkit infection. Probably the most important point to take away from reading this article is how critical it is for your engineers to be aware of the potential risks related to obtaining clean firmware. Awareness is your first line of defense against BIOS rootkit attacks.

Author: Tom Olzak

Resources: RSS Feed for our Podcasts

Sources:

Researchers: Rootkits headed for BIOS

The Basics of Rootkits: Leave no Trace

BIOS Flashing and Hotflashing

How to Bypass BIOS Passwords

New Worm in the Wild

Tom Olzak — Wed, 25 Jan 2006 22:42:47 +0000

From US-CERT

Nyxem Mass-mailing Worm
added January 24, 2006

US-CERT is aware of a new mass-mailing worm known as Nyxem (CME-24). This worm relies on social engineering to propagate. Specifically, the user must click on a link or open an attached file.

The Nyxem worm targets Windows systems that hide file extensions for known file types (this is the default setting for Windows XP and possibly other versions). The worm’s icon makes it appear to be a WinZip file. As a result, the user may unknowingly start the worm.

Once a Windows system is infected, the malicious code may:

Attempt to harvest email addresses stored on the infected system
Utilize its own SMTP engine to send itself to the harvested email addresses
Disable anti-virus and file sharing programs
Spread itself using all available Windows network shares on the infected system
Modify the active Desktop

In addition, on February 3, 2006, the worm will destroy files with the following extensions: DOC, XLS, MDB, MDE, PPT, PPS, ZIP, RAR, PDF, PSD and DM.

Although there is limited information concerning this potential threat, US-CERT strongly encourages users and system administrators to implement the following workarounds:

Install anti-virus software, and keep its virus signature files up-to-date
Block executable and unknown file types at the email gateway

Additionally, US-CERT strongly encourages users not to follow unknown links, even if sent by a known and trusted source. Users may also wish to visit the US-CERT Computer Virus Resources for general virus protection information.