Posts Tagged ‘remote procedure call’

Some New Takes on the Botnet Issue!

After the many responses from readers I did some snooping and have some possible causes of this botnet pop-up issue.

Now, I want you to bear with me on this one because I’m going to take a chain of events to make a connection.

I wanted to establish a time frame for the pop-up, so I went back to my original first post and found the date to be November 20th. So let’s assume that the pop-ups started around that time (plus or minus a week to be on the safe side).

What’s happened in and around that time frame?

  • Microsoft issued a critical update for “Vulnerability in Server Service Could Allow Remote Code Execution (958644)”: Microsoft Security Bulletin MS08-067, October 23, 2008
  • Microsoft issued an important update for “Vulnerability in SMB Could Allow Remote Code Execution (957097)”: Microsoft Security Bulletin MS08-068, November 11, 2008
  • Microsoft issued a critical update for “Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (955218)”: Microsoft Security Bulletin MS08-069, November 11, 2008
  • On November 25, I issued the Bot Update saying it was Flash because there was a Flash update issued. (We now know that Flash is NOT the issue.)
  • On November 25, Trend’s Malware Blog reported on a newly found worm that may be the precursor to a new botnet exploiting the Microsoft MS08-067 vulnerability!
  • On December 6, Sun issued 13 updates to Java according to a new post on the Trend Labs blog!

Now, follow with me here a minute. Remember I’ve been saying that the ads on the websites are using JavaScript inside JavaScript? And other readers have reported the pop-up of Java in their toolbar along with the RUBotted pop-up, whereas the sites I’ve been on already have Java running before the RUBotted pop-up.

What if, this new botnet is being delivered through – or trying to be delivered through – the ad servers?

Now take into consideration the fact that ads are everywhere. What better way to access the millions of users?

And, what if this isn’t just your average, run of the mill threat? We’ve seen blended threats before. What if this takes the threat up a few notches?

The Microsoft vulnerability cited in MS08-067 that Trend Labs found being exploited as a precursor to a new botnet is:

The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit.

What Microsoft doesn’t tell us is EXACTLY what that specially crafted RPC request is!

For those of you who do not know what RPC is, it’s the Remote Procedure Call code that allows you to do millions of things on your computer. For example, say you want to connect to a remote database somewhere; the RPC service is what calls (code language for requesting a connection, so to speak) the remote server to make the connection.

If you right-click your MY COMPUTER icon and choose MANAGE, you can navigate to Services and Applications and see the services running on your computer. Switch to the Standard tab and you’ll see an alphabetical list of every service, running and stopped, on your computer. Find the Remote Procedure Call (RPC) service in the list. Either double-click it to open it or right-click and choose Properties. Look at the Dependencies tab.

The Dependencies are all the other programs and services that need to use this service! (Covered in our Advanced PC Security course, by the way!)

Now, add that to the multitude of mashups, web apps, and other web vulnerabilities, like cross-site scripting and the like, and you’ve got a recipe for disaster!

I want to go on record stating right here, right now, that I believe Ad servers are serving up a new kind of bot that we have not seen the likes of yet!

Now, let’s add to this the more detailed reporting on part of this issue (after much digging, I might add), which explains how the code could be misconfigured. For those of you more technically oriented, see this link: FIO02-C. Canonicalize path names originating from untrusted sources, and this link: More detail about MS08-067, the out-of-band netapi32.dll security update.
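For readers who followed the FIO02-C link, here is what that rule looks like in code. This is an added example written for this page; it is not Microsoft’s code and not the netapi32.dll routine the links discuss. It assumes a path relative to a share root, accepts both ‘/’ and ‘\’ as separators, emits ‘\’ in the result, and caps the path at 64 segments (all of these are choices made for the illustration). The point is the order of operations: measure the room for each segment before writing it, and treat a “..” with nothing left to climb out of as a rejected request rather than something to pass on to the file system.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Microsoft's code and not the netapi32.dll routine the
 * links above discuss. It illustrates the FIO02-C rule in general form:
 * canonicalize a path that came from an untrusted sender inside a fixed
 * buffer, with every write bounds-checked and every ".." accounted for.
 * Assumptions made here: the path is relative to a share root, '/' and '\\'
 * are both separators, output uses '\\', and at most MAX_DEPTH segments. */
#define MAX_DEPTH 64

typedef enum { PATH_OK = 0, PATH_ESCAPES_ROOT, PATH_TOO_LONG } path_status;

path_status canonicalize_path(const char *in, char *out, size_t outsz)
{
    size_t used = 0;                 /* bytes of out in use, excluding the NUL */
    size_t seg_start[MAX_DEPTH];     /* value of `used` before each kept segment */
    size_t depth = 0;                /* number of kept segments */
    const char *p = in;

    if (outsz == 0) return PATH_TOO_LONG;
    out[0] = '\0';

    while (*p) {
        while (*p == '/' || *p == '\\') p++;            /* skip separators */
        const char *seg = p;
        while (*p && *p != '/' && *p != '\\') p++;      /* find end of segment */
        size_t seglen = (size_t)(p - seg);
        if (seglen == 0) break;                         /* trailing separator */

        if (seglen == 1 && seg[0] == '.') continue;     /* "." is a no-op */

        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            if (depth == 0) {                           /* nothing to climb out of */
                out[0] = '\0';
                return PATH_ESCAPES_ROOT;
            }
            used = seg_start[--depth];                  /* drop the last segment */
            out[used] = '\0';
            continue;
        }

        /* Ordinary segment: check the room for separator + segment + NUL first. */
        size_t need = used + (used ? 1 : 0) + seglen;
        if (depth >= MAX_DEPTH || need + 1 > outsz) {
            out[0] = '\0';
            return PATH_TOO_LONG;
        }
        seg_start[depth++] = used;
        if (used) out[used++] = '\\';
        memcpy(out + used, seg, seglen);
        used += seglen;
        out[used] = '\0';
    }
    return PATH_OK;
}

int main(void)
{
    /* Constructed inputs of the kinds a file-sharing service might receive. */
    const char *samples[] = {
        "users\\docs\\..\\report.txt",
        "users/./docs/../../report.txt",
        "users\\..\\..\\windows\\system32\\config",
        "a-very-long-segment-name-that-does-not-fit",
    };
    char out[32];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        path_status st = canonicalize_path(samples[i], out, sizeof out);
        printf("%-44s -> status %d, result \"%s\"\n", samples[i], (int)st, out);
    }
    return 0;
}
```

On every rejection the output buffer is emptied, so a caller that forgets to check the status still cannot hand a half-built path to the next layer.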

Now, why am I so sure that this is going to come through ads?

Consider this…. most ad services allow you to remotely host your advertising feed content. That being the case, who’s policing what’s being served? No one. If someone was, why are we still getting Antivirus 2009 and its variants delivered through ads? My Gmail is full of malware that comes in through my alerts! So tell me, who’s minding the store?

I really hope I’m wrong about this but my gut tells me that I’m not.

I think we are in for one heck of a new bot! Don’t say I didn’t warn you!

As always, comments welcome!




Life goes on and so does malware!

I have been running on adrenaline since the cosmic energy shifted on Election Day.

First, congratulations to Barack Obama and Google on the win! I can’t wait for the “Googlization of the Federal Budget!” Talk about transparency in government! Whoooo hooooo!

But alas and alack, life goes on after the election and so does malware.

And you haven’t heard from me recently here because it seems I’ve gone back into the repair business out of demand! In short, I’ve been out of the office updating former client machines again! (I guess they are now current clients again?)

If you remember my recent post, Not a Halloween Hoax – or our recent Critical Alerts Newsletter – I told you to update your windows with the current patches.

Well, today, I’m moving along with my day since I awoke at 4 A.M. wide-eyed and bushy tailed as the saying goes, and I thought I’d get caught up on my blog reading. Well, the first blog post to catch my eye in my Google Reader is a notice from the Microsoft Security Team. (No insult today, they actually done good! )

It seems that there are several exploits appearing on the web that are taking advantage of the vulnerability (weakness) in svchost.exe. (Specifically for those more technically minded, the way the service host handles RPC calls.)

Since teaching is my life’s work, I need to educate those of you who do not understand the severity of what’s happening here and reinforce your need to update!

First, let’s look at just how much the Service Host Manager does on your machine. If you were to pull up your Task Manager and sort the image source column, you would see a list of several of these processes running in the background of your computer.


The Service Host Manager does quite a number of things in the background that make your computer work efficiently. The service is a generic host process name for services that run from dynamic-link libraries (DLLs).

Now, if you look at the seemingly harmless list of svchost files running, you may not realize how intense this is from your PC’s standpoint. If any one of these listed svchost.exe files is allowing DLLs to run programs or other services, then how many can each single svchost.exe run?

Unlimited!

If you use Spybot S&D in Advanced Mode and look at your svchost process, you will see loaded modules of DLLs all over the place!


And in the graphic above, that’s just one of the running service host files!

What is dangerous about this new vulnerability (flaw) in the Windows Operating System is the fact that one of the services running as a DLL is called the RPC Service, or Remote Procedure Call.

This is the service that allows your computer to connect to programs and applications on other computers, servers, or the network. This includes file and print sharing!

A call is a programming term that can be likened to a phone call. Let’s say you are using a database program and the database is connected to a server in your company. When you open the program, the database portion on your computer has to connect to the server in order for you to see your data. That’s when the call is made to the server.

The server is considered “remote” because it’s not on your machine. The procedure portion is what the call is telling the server to do. So, in the case of my example, the Remote Procedure Call would send a signal (call) to the Server database (Remote) and say, “Hey! Connect to this user so we can get our data!” (Procedure)

Now, some very dangerous code writers found that there was a way to send an RPC call that would cause your machine to suffer what is known as a stack buffer overflow. A shortened explanation of this stack buffer overflow is: when someone programmed the code for this service, they didn’t program a way for the code to dump extra information.

If you remember in the past, I’ve explained buffer overflows with the printer problem you may have experienced. If you’ve ever experienced your printer pushing out hundreds of pieces of paper with odd characters on one line across the top, you’ve experienced a buffer overflow.

Earlier printers didn’t have memory for huge print jobs, so when you sent a huge file to the printer to print, the printer received more data than it knew what to do with and it went berserk! This is called a buffer overflow.

Instead, the programmers – who should’ve learned by now – should have put in a line or two of code that stated something to the effect of: If you get more than so many bytes of information, delete the extra information and cancel the task you were supposed to accomplish.

Malcode writers have figured out that by programming a Remote Procedure Call in a special way, they can force your computer to experience the overflow. But! Instead of your computer trashing the information, it actually allows for another bit of extra code to sneak into your computer and take control of it.
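To make the “line or two of code” above concrete, here is an added example written for this page; it is not code from the original post or from any Windows component. A toy service receives a request name and keeps it in a fixed 16-byte buffer. The buffer size, the function names and the sample inputs are all choices made for the illustration. The first handler copies without looking, which is the shape the post describes; the second measures first and, if the request does not fit, discards it and cancels the task instead of copying anything.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the original post or from any Windows
 * component. A toy "service" receives a request name over the wire and
 * keeps it in a fixed 16-byte buffer. The size and the function names are
 * choices made for this illustration. */
#define NAME_MAX 16

typedef enum { REQ_OK = 0, REQ_REJECTED = 1 } req_status;

/* The shape the post describes: the code trusts the sender and copies
 * whatever arrives into a fixed buffer. Anything past NAME_MAX bytes lands
 * on whatever sits next to `name` on the stack. Shown for comparison only;
 * nothing below calls it. */
void handle_request_unchecked(const char *request)
{
    char name[NAME_MAX];
    strcpy(name, request);          /* no length check */
    printf("unchecked: %s\n", name);
}

/* How many bytes (terminating NUL included) an input would overrun the
 * buffer by. Computes only; never copies, so it is safe on any input. */
size_t overflow_bytes(const char *request)
{
    size_t needed = strlen(request) + 1;
    return needed > NAME_MAX ? needed - NAME_MAX : 0;
}

/* The fix the post asks for: measure first, and if the request does not
 * fit, discard it and cancel the task rather than copying anything. */
req_status handle_request_checked(const char *request, char out[NAME_MAX])
{
    size_t len = strlen(request);
    if (len >= NAME_MAX) {          /* len + 1 bytes needed, NAME_MAX available */
        out[0] = '\0';              /* leave a safe, empty result behind */
        return REQ_REJECTED;        /* and do not carry out the request */
    }
    memcpy(out, request, len + 1);  /* fits, NUL included */
    return REQ_OK;
}

int main(void)
{
    /* Constructed sample inputs: one normal request, one oversized one. */
    const char *inputs[] = { "printer01", "this-request-name-is-far-too-long" };
    char name[NAME_MAX];

    for (size_t i = 0; i < 2; i++) {
        req_status st = handle_request_checked(inputs[i], name);
        printf("%-36s -> %s (would overrun by %zu bytes)\n", inputs[i],
               st == REQ_OK ? "accepted" : "rejected", overflow_bytes(inputs[i]));
    }
    return 0;
}
```

The check is `len >= NAME_MAX` rather than `len > NAME_MAX` because the terminating NUL needs a byte too; an off-by-one here is the classic way a “fixed” copy stays exploitable.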

The part of this whole mess that is most frightening, is the disclosures from Microsoft – courtesy of Symantec – of what these exploits (capitalizing on the flaw) are doing!

Here’s just a sneak peek at one of the examples out there as to the damage it does.

Trojan:Win32/Wecorl.B

Infection: In the wild, this Trojan may be hosted on a malicious Web site as a file named ‘jj.exe’. This Trojan may be downloaded and executed by other malware such as Trojan:Win32/Wecorl.A.

The Trojan then adds registry values and data that are specific to the affected computer.

Replaces IEXPLORE.EXE

When executed, it drops a patched version of the Web browser Internet Explorer (IEXPLORE.EXE)

The Trojan replaces the existing IEXPLORE.EXE executable with the patched dropped copy.

Trojan:Win32/Wecorl.B patches ‘IEXPLORE.EXE’ in the following way:

  • modifies the file header with specific bytes to prevent re-infection
  • adds the malicious payload at the end of the resource section (.rsrc) and patches one of the calls near entry-point to execute the payload

Downloads Files

Virus:Win32/Wecorl.B may start multiple threads that do the following:

  • Download and execute other malware or spyware components
  • Connects to one of these locations (chosen randomly) in order to download a list of URLs:

ls.cc86.info

ls.lenovowireless.net

ls.playswomen.com

(Source: http://www.microsoft.com/security/portal/Entry.aspx?Name=Trojan%3aWin32%2fWecorl.B)

Notice that this is a blended threat. That means that it will perform multiple types of malicious events from replacing your Internet Explorer to one of their own, and then initiating multiple download infections from a variety of sources.

There are several other Trojans that are being produced for this vulnerability. You can look into them further here:

Trojan:Win32/Wecorl.A
http://www.microsoft.com/security/portal/Entry.aspx?Name=Trojan%3aWin32%2fWecorl.A

Trojan:Win32/Clort.A
http://www.microsoft.com/security/portal/Entry.aspx?Name=Trojan:Win32/Clort.A

Trojan:Win32/Clort.A!exploit
http://www.microsoft.com/security/portal/Entry.aspx?Name=Trojan:Win32/Clort.A!exploit

Trojan:Win32/Clort.A.dr
http://www.microsoft.com/security/portal/Entry.aspx?Name=Trojan:Win32/Clort.A.dr

TrojanDownloader:Win32/VB.CQ
http://www.microsoft.com/security/portal/Entry.aspx?Name=TrojanDownloader:Win32/VB.CQ

TrojanDownloader:Win32/VB.CJ
http://www.microsoft.com/security/portal/Entry.aspx?Name=TrojanDownloader:Win32/VB.CJ

So far, they are not widespread and not self-replicating. Not self-replicating means they are not worms that can spread without you. Therefore, if you do get infected, your network should not be compromised, just your machine.

Best Practices

Make sure your antivirus is updated, make sure you are using a good firewall (Windows Firewall doesn’t constitute “good”), and be careful where you visit and click!

I hope this has helped you understand more about the dangers of this flaw and the need to patch your system.

For the Techies

http://blogs.technet.com/swi/archive/2008/10/23/More-detail-about-MS08-067.aspx

I am in the process of typing another post about how to bypass the annoying malware pop-ups and how to protect yourself from infection. It’s really quite simple to do – honestly! It should be up by 3 PM this afternoon (CDT). This includes winivstr.exe and braviax.exe, and the other types of malware that pop up saying you need to update because you’re infected with spyware or malware.

You won’t want to miss this next post!


