
Lots going on, and I’m trying to keep up with this changing security landscape!
Just in from a LinkedIn friend from the Trend Micro group:
Trend Micro Security Labs has discovered that malware authors are already using Christmas themes as a social engineering tactic in an effort to gain control over compromised machines.
This campaign uses email messages in the form of e-greetings, leading to supposed animated postcards. These actually lead to a Trojan backdoor that has been distributed in previous malicious spam campaigns. The email messages, spoofed to appear as though they have been sent from postcards.org, display an animated Christmas scene.
Internet Evolution, a tech site I belong to, is having a contest regarding our top 5 predictions for 2009.
Here are mine that I posted today.
1. Twitter will either replace conventional messaging systems (AIM, Yahoo, etc), or the messaging systems will be adapted to facilitate the use of your twitter @twittername. (You can follow me: @debbiemahler)
2. There will be an IWMD (Internet Weapon of Mass Destruction) launched sometime during this year. It will be considered a mashup blended threat because it will take advantage of the security flaws in a multitude of web apps and will propagate through ad servers.
3. Google will post the Federal Budget for President-elect Obama proving that a) campaigning for a candidate can increase your business, and b) we just may be capable of transparency in government.
4. Steve Ballmer will get hit with a pie (if not several) while giving a speech this year.
5. Microsoft will purchase Yahoo and ruin it like it does everything else, giving Google a clear and leading advantage in the search engine business as well as advertising and free email.
So now it’s preserved on the web forever!
In a related story to our alert on the 0-day exploit, Information Week quoted Trend Micro as saying this: Trend Micro says that the toolkit related to this exploit is being sold in the Chinese underground community and that files associated with this attack have been designed to steal information such as online gaming credentials.
According to Virustotal, a file analysis service, only 20 out of 38 listed antivirus applications detected the information-stealing malware.
Trend Micro also says that victims of this attack could become infected with a rootkit. (Source: http://www.informationweek.com/news/internet/security/showArticle.jhtml?articleID=212400523&cid=nl_IWK_daily_H)
Hey Trend? Any idea what’s causing your pop-ups on RUBotted? Or are you not concerned because I’m not a Chinese underground hacker?
But as an aside, I think I’m going to check my system for a rootkit just the same. Maybe that’s the RUBotted pop-ups??
And last but not least, one of my favorite Big Brother Browsers, Google Chrome, came out of beta. Congratulations to Google. I still don’t trust it and still won’t use it! But congratulations just the same!

After the many responses from readers I did some snooping and have some possible causes of this botnet pop-up issue.
Now, I want you to bear with me on this one because I’m going to take a chain of events to make a connection.
I wanted to establish a time frame of the pop-up so I went back to my original, first post and found the date to be November 20th. So let’s assume that the pop-ups started around that time (plus or minus a week to be on the safe side).
What’s happened in and around that time frame?
- Microsoft issued a critical update to a Vulnerability in Server Service Could Allow Remote Code Execution (958644): Microsoft Security Bulletin MS08-067, October 23, 2008
- Microsoft issued an important update to a Vulnerability in SMB Could Allow Remote Code Execution (957097): Microsoft Security Bulletin MS08-068, November 11, 2008
- Microsoft issued a critical update to Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (955218): Microsoft Security Bulletin MS08-069, November 11, 2008
- On November 25, I issued the Bot Update saying it was Flash because there was a flash update issued. (We now know that flash is NOT the issue.)
- On November 25, Trend’s Malware Blog reports on a newly found worm, that may be the precursor to a new botnet that’s exploiting the Microsoft MS08-067 Vulnerability!
- On December 6, Sun Issues 13 updates to Java according to a new post on the Trend Labs blog!
Now, follow with me here a minute. Remember I’ve been saying that the ads on the websites are using JavaScript inside JavaScript? And other readers have reported the pop-up of the Java in their toolbar along with the RUBotted pop-up. Whereas the sites I’ve been on, already have Java running before the RUBotted pop-up.
What if, this new botnet is being delivered through – or trying to be delivered through – the ad servers?
Now take into consideration the fact that ads are everywhere. What better way to access the millions of users?
And, what if this isn’t just your average, run of the mill threat? We’ve seen blended threats before. What if this takes the threat up a few notches?
The Microsoft Vulnerability cited in MS08-067 that Trend Labs found being exploited as a precursor to a new botnet is:
The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit.
What Microsoft doesn’t tell us is EXACTLY what that specially crafted RPC request is!
For those of you who do not know what RPC is, it’s the Remote Procedure Call mechanism that lets one program ask another process, on your own computer or on a remote server, to run a function on its behalf, and it underpins millions of things your computer does. For example, say you want to connect to a remote database somewhere: the RPC service is what calls (code language for requesting a connection, so to speak) the remote server to make the connection.
If you right click over your MY COMPUTER icon and choose MANAGE, you can navigate to Services and Applications and see the Services running on your computer. Switch to the Standard tab and you’ll see the alphabetical list of every service running and stopped on your computer. Find the Remote Procedure Call (RPC) service in the list. Either double click it to open it or right click and choose properties. Look at the Dependencies tab.
The Dependencies are all the other programs and services that need to use this service! (Covered in our Advanced PC Security course, by the way!)
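The same check from PowerShell, as an added example that is not from the original post: it looks for the KB958644 update that MS08-067 ships as, lists the services that depend on RPC (the Dependencies tab from the Services console), and shows the state of the Server service the bulletin names. It assumes Windows PowerShell 2.0 or later on the machine being checked.

```powershell
# Added example, not code from the original post.
# Assumes Windows PowerShell 2.0 or later on the machine being checked.

# 1. Is the MS08-067 fix (KB958644, the number the bulletin cites) installed?
$kb  = 'KB958644'
$fix = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $_.HotFixID -eq $kb }
if ($fix) {
    "$kb installed on $($fix.InstalledOn)"
} else {
    "$kb not found: check Windows Update before assuming MS08-067 is patched"
}

# 2. The Remote Procedure Call service and every service that depends on it
#    (the same list the Dependencies tab shows in the Services console)
$rpc = Get-Service -Name RpcSs
"RPC service ($($rpc.DisplayName)): $($rpc.Status)"
"Services that depend on RPC:"
$rpc.DependentServices | Sort-Object DisplayName | Format-Table DisplayName, Status -AutoSize

# 3. The Server service (LanmanServer) is the one the MS08-067 bulletin names
$srv = Get-Service -Name LanmanServer
$deps = ($srv.ServicesDependedOn | ForEach-Object { $_.Name }) -join ', '
"Server service: $($srv.Status); depends on: $deps"

# 4. The Messenger service (net send), which a later post on this page checks by hand
$msg = Get-WmiObject Win32_Service -Filter "Name='Messenger'"
if ($msg) { "Messenger service: state $($msg.State), start mode $($msg.StartMode)" }
else      { "Messenger service is not present on this Windows version" }
```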
Now, add that to the multitude of mashups, web apps, and other web vulnerabilities, like cross-site scripting and the like, and you’ve got a recipe for disaster!
I want to go on record stating right here, right now, that I believe Ad servers are serving up a new kind of bot that we have not seen the likes of yet!
Now, let’s add to this the more detailed reporting on part of this (after much digging, I might add) that explains how the code could be misconfigured. For those of you more technically oriented, see this link: FIO02-C. Canonicalize path names originating from untrusted sources, and this link: More detail about MS08-067, the out-of-band netapi32.dll security update
Now, why am I so sure that this is going to come through ads?
Consider this…. most ad services allow you to remotely host your advertising feed content. That being the case, who’s policing what’s being served? No one. If someone was, why are we still getting Antivirus 2009 and its variants being delivered through ads? My Gmail is full of malware that comes in through my alerts! So tell me, who’s minding the store?
I really hope I’m wrong about this but my gut tells me that I’m not.
I think we are in for one heck of a new bot! Don’t say I didn’t warn you!
As always, comments welcome!

I’m sorry I was unable to post our Friday Quickies yesterday. My daughter was in town and we had a family gathering planned. I did a big pot of stew and all the “mommy” kind of things I haven’t done in years!
So, I hope you’ll forgive me!
First a Quickie….
Do you remember my Halloween post where I took all the spam in my inbox and made a ‘mad libs’ kind of post? (In case you missed it: Halloween Fun with Spam)
Well, a twitter friend of mine – Rex Hammock – did the same thing a bit differently. His blog post is called, If Spammer’s Created my Christmas List. If you’ve been the brunt of the recent round of spam, you’ll find this pretty amusing!
The RUBotted Saga Continuing….
We’ve had many more responses to this RUBotted pop-up situation. It appears we’ve narrowed down the software that the sites are trying to launch as an IRC (Internet Relay Chat or Instant Messaging Program).
I would like you to comment to this post if you’ve received the RUBotted pop-up message and if you have any kind of Instant Messaging installed on your computer. Oh, wait a minute! Everyone who uses Windows has Windows Messenger installed! Hmmmmmmm…..
Okay, well I know I have Yahoo Messenger but I don’t use it. I do use my Google Chat and that’s always running in the background. I used to have Windows Live Messenger but I don’t use that either.
I just checked my services and my ‘Messenger’ is disabled. (I did that on purpose.)
However, there’s iTunes service running, Bonjour, and that stupid Mobile Device Manager running.
So, what’s running on your machine? If we can put our heads together, maybe we can figure this out!
Comments welcome!