Archive for the ‘Vulns’ Category

Warning: Conficker worm infections gaining traction

January 12th, 2009 13 comments

We're seeing quite a large number of Conficker worm infections since the start of the New Year, and especially since the Conficker.C variant appeared on December 31. It seems that the return to work after the Christmas break has kick-started Conficker again. Daniel Nyström, our Tech Support front man in Sweden, had already noticed an increase in infections a few days ago.

As you may recall, Conficker is a worm that spreads via networks and USB drives. It attempts to brute force usernames and passwords and takes advantage of the Server Service vulnerability in Windows (MS08-067), which allows remote code execution. The worm also auto-updates itself every day from a long list of URLs, so it looks like it's preparing for a larger attack.

Checking the SANS activity-by-port graph again, it's obvious this is something you need to worry about:

As posted about a month and a half ago, TruPrevent proactively prevents Conficker worm network infections thanks to a new Policy Rule we pushed out to all our retail products. In addition we've added signature detection for all Conficker variants. I'll post details on manually creating and pushing out TruPrevent Policy Rules on corporate networks as soon as possible.

As a curiosity I was travelling the other day and while connected to the WiFi network of a German airport I noticed the following Conficker worm variant trying to brute force its way into my machine:

The Conficker worm means business so be careful out there. Some preventive steps you should be following if you haven't done so already:

  • If you're responsible for a network, scan for vulnerable machines (using Baseline Analyzer, Nessus, etc.).
  • Patch your servers and workstations by visiting Microsoft Security Bulletin MS08-067.
  • Disinfect infected machines using Malware Radar on networks or ActiveScan for stand-alone PCs.
  • Turn off the AutoRun feature for USB drives on your machines (and ask your Microsoft representative for a global solution to AutoRun).
  • Make sure your antivirus and security solution is up-to-date on the latest version and signature database.
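The first step above, finding the machines that matter, can also be approached from the network side: a host probing many different peers on TCP/445 looks exactly like a worm hunting for MS08-067 targets, while a normal client reconnects to the same few file servers. The script below is an added example (not Panda's or SANS's code) that applies that heuristic to a constructed flow-log format with a sliding time window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# One flow-log line per connection attempt (constructed format for this example):
#   <ISO timestamp> <src ip> -> <dst ip>:<dst port> <proto>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) (?P<proto>\w+)$"
)

def parse_line(line):
    """Return (timestamp, src, dst, port, proto) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
            int(m["port"]), m["proto"].lower())

def find_smb_scanners(lines, window_seconds=60, min_peers=8):
    """Map each source that reached >= min_peers distinct hosts on TCP/445
    inside any window_seconds-long window to its peak distinct-peer count."""
    per_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, port, proto = rec
        if port == 445 and proto == "tcp":
            per_src[src].append((ts, dst))

    scanners = {}
    for src, events in per_src.items():
        events.sort()
        window = deque()
        peak = 0
        for ts, dst in events:
            window.append((ts, dst))
            # Drop events that fell out of the sliding window.
            while (ts - window[0][0]).total_seconds() > window_seconds:
                window.popleft()
            peak = max(peak, len({d for _, d in window}))
        if peak >= min_peers:
            scanners[src] = peak
    return scanners

def build_sample_log():
    """Constructed sample traffic: one worm-like fan-out, one normal client
    talking to a single file server, a web connection and a malformed line."""
    lines = []
    for i in range(12):  # 10.0.0.5 probes twelve different hosts on 445 in 12 s
        lines.append(f"2009-01-12T09:00:{i:02d} 10.0.0.5 -> 10.0.0.{20 + i}:445 tcp")
    for i in range(12):  # 10.0.0.7 reconnects to the same server (not a scan)
        lines.append(f"2009-01-12T09:00:{i:02d} 10.0.0.7 -> 10.0.0.10:445 tcp")
    lines.append("2009-01-12T09:00:05 10.0.0.8 -> 192.0.2.10:80 tcp")
    lines.append("this line is not a flow record")
    return lines

if __name__ == "__main__":
    for src, peak in find_smb_scanners(build_sample_log()).items():
        print(f"{src}: {peak} distinct TCP/445 peers in one window; check for Conficker")
```

Tune `window_seconds` and `min_peers` to your own network; a backup or inventory host that legitimately touches many machines on 445 will need an allow-list.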

Categories: Malware, Vulns

TruPrevent stops Conficker.A worm proactively

November 28th, 2008 3 comments

As I'm sure you've heard already, there's a new worm called Conficker.A out there exploiting the latest critical Windows vulnerability, MS08-067, which allows remote code execution via specially crafted RPC calls. SANS has been tracking this and has seen a significant increase in port 445 scans, as shown on their website:

As we've been seeing quite a bit of this worm's activity, especially in corporate networks, Isma has created a new TruPrevent Security Policy which can effectively stop this worm in its tracks generically (without antivirus signatures):

Panda users don't have to worry about this worm. Simply make sure your protection is configured to update itself automatically (which it is by default) and don't forget to patch your Windows installations.

Categories: behavior analysis, Malware, Vulns

Exploits vs Antivirus – The Last Stand

October 14th, 2008 17 comments

Internet Security Suites fail to block exploits and do little to protect users against them, according to a recently released "test" [here] by Secunia, a Danish vulnerability notification firm. I put the word "test" in quotes because it's very common to see vulnerability companies use close-to-unethical tactics to oversell problems with the AV industry in order to promote their own services [another example here].

Now it's Secunia's turn. In their "test" they assume that anti-virus products perform poorly at detecting vulnerability exploits because of their limited focus on traditional AV signatures. So along comes Secunia's Chief Technology Officer (CTO) Thomas Kristensen with the bright idea of testing 12 different Internet Security Suites from McAfee, Norton, Kaspersky, Panda and others against a testbed of exploit files. So far so good; it's an interesting idea for comparing technologies and I believe it should be performed.

However, one very important aspect of testing against exploits is that these products don't just rely on traditional signature detection. Yet Secunia's "test methodology" only consists of manually scanning 144 different inactive exploit files. This is very much like saying that you're going to test a car's ABS brakes by throwing it down a 200 meter cliff. Absurd, sensationalist and misleading at best.

Just to clarify: if you only test one part of a product against exploits, which by the way is the part of the product that IS NOT designed to deal with exploits, and leave out of the test the part of the product that DOES deal with exploits and vulnerabilities, there's a very good chance the results will be misleading. Mr. Kristensen, as a Chief Technology Officer, should know this and should be very well aware of the consequences of a faulty methodology. So the question remains: why did he ignore it and just go for the yellow sensationalist approach?

But the absurdity doesn't stop with Secunia's flawed testing methodology. Mr. Kristensen concludes that "… major security vendors do not focus on vulnerabilities. Instead, they have a much more traditional approach, which leaves their customers exposed to new malware exploiting vulnerabilities." Well duh, if you only test traditional signatures and neglect the other technologies included in the product which ARE designed to block exploits, what do you expect? Oh, wait, I just saw on their website that Secunia actually sells a vulnerability scanner! Hmmm, I wonder if that has something to do with the flawed conclusions of this test… Internet Security Suites have not relied on signature detection alone for many years now. Panda's (and other vendors') products integrate behavioral analysis, context-based heuristics, security policies, vulnerability detection, etc. However, none of these technologies were tested by Secunia.

Let's just take one of the many protection technologies included in Panda Internet Security 2009 which DOES deal with preventing vulnerability exploitation and see how it behaves against these exploits if tested correctly. I'm talking about Kernel Rules Engine, a security policy technology incorporated into all Panda products in 2004 which effectively prevents zero-day exploits of PDF, DOC, XLS, PPT and many other vulnerable applications. While Secunia's test grants Panda a lowly 1.59% detection rate of the important threats, had they tested correctly they would have found that, with Kernel Rules Engine alone, Panda's product is able to generically and proactively block 56% of the important threats. And that is just with KRE technology. Panda's products also include other technologies such as TruPrevent's Behavioral Analysis, URL Filters and the Vulnerability Detection module, which would prevent other exploits had Secunia cared to run their tests with a minimum level of professionalism.

Note to Secunia:
The following exploits (at least), which your study marks as "not detected by Panda", are actually detected generically under a correct testing methodology. Hint: have you tried actually "running" the exploits?


Categories: behavior analysis, News, Vulns

Windows 2000 remote exploit released

December 21st, 2007 2 comments

48Bits has released code for remotely exploiting vulnerable Windows 2000 machines via the RPC interface.

A little bit of background. Ten days ago ZDI published an advisory about a stack overflow in the Microsoft Windows Message Queuing Service (CVE-2007-3039). At the same time Microsoft released a patch (MS07-065) which replaces MS05-017 and fixes this issue on Windows 2000 SP4 and Windows XP SP2.

The vulnerability affects Windows XP and has been rated Moderate there, as it requires local exploitation. Under Windows 2000, however, it can be exploited remotely and has been rated Important.

If you manage Windows 2000 machines make sure that you either:

a) apply the patch,
b) disable Microsoft Windows Message Queuing Service, or
c) block inbound traffic to ports higher than 1024 or to specifically configured RPC ports.

Categories: Vulns

Vulnerability found that allows for "disclosure policy bypass"

November 21st, 2007 4 comments

Among other things I also deal with product vulnerabilities that are reported to us. It's great to be able to work with other security researchers as it allows us to make our products safer and get to know some great people out there. Most of the more "reputable" people and organizations that report vulnerabilities follow some variation of Rain Forest Puppy's "Full Disclosure Policy", which is a good framework for professional researchers and vendors to work together.

While investigating a very recent CAB/RAR scan bypass vulnerability reported to us I came across a post by kurt that links to a sales presentation by n.runs.

Imagine my surprise when I downloaded the presentation and found out that n.runs had already publicly disclosed details of the very same vulnerability it reported to us not even a week ago and which we're still researching. In their sales presentation they even use this vulnerability as their main argument for why you should buy their product!

Researchers normally release timelines in their disclosures. I think it's a good thing as it allows people to see how slowly or rapidly a vendor deals with reported vulnerabilities. This gave me an idea on how to clearly show the chain of events in this incident:
  Nov. 6:   n.runs initial vulnerability report and PoC to Panda
  Nov. 7:   Panda acknowledges receipt and starts investigating
  Nov. 13:  n.runs publicly discloses Panda as vulnerable
  Nov. 16:  Panda sends comments on vulnerability and PoC to n.runs
  Nov. 16:  n.runs responds to Panda comments (fails to mention the issue is already public)
  Nov. 21:  Panda sends final response to n.runs

I guess this serves as an example of a "specially crafted sales pitch may bypass your very own disclosure policy" vulnerability :)

Comments?

Categories: Fun, Vulns

How to prevent zero day exploits

October 31st, 2007 3 comments

With all the talk about the latest wave of PDF exploits in the wild, proactive protections against vulnerabilities in common applications (MS Office, Acrobat Reader, RealPlayer, WinAmp, Windows Media Player…) are proving to be an effective solution for protecting users. These proactive measures allow the vast majority of users to be protected against any and all new 0-day exploits without going bananas over whose vulnerability it is, where to download the latest hotfix from, or whether this hotfix will prevent future similar vulnerabilities or even introduce new ones.

But how can we achieve effective proactive protection against these vulnerabilities? Some protections against Buffer Overflows, Heap Overflows, Integer Overflows, etc. have to overcome some great technological difficulties. We need to search for a different path when designing an effective proactive solution for end users. At Panda we developed a project of proactive protections over 3 years ago which is now known under the commercial name of TruPrevent ("How TruPrevent Works" Part 1 and Part 2). The second part of this technology was specifically designed to avoid these types of 0-day exploits, protecting users from the very moment the exploit is released and before the vulnerability is widely patched.

The main idea consists of establishing a behavioral profile for software.

Basically, if we are able to establish which actions are legal and which actions are outside of the normal behavior of an application, we can detect potentially dangerous actions. You might think that establishing this type of profile can be complicated, but let's go over a few examples that, while being fairly simple, have allowed us to proactively block 100% of the Microsoft Office and PDF exploits seen recently.

For example, how can we block 100% of the vulnerabilities that affect Microsoft Office products?

If we review the malware that exploits vulnerabilities in Word, Excel, PowerPoint, etc. we will find a common behavior which occurs when the vulnerability is exploited: the creation of executable code on the system by the Microsoft Office applications. Now we should ask ourselves the following question: is it really necessary that Word, Excel and PowerPoint be able to create and launch executable code on the system? Is this not atypical behavior for these types of applications?

Let's think about some more examples. What applications really need to execute cmd?

Does Adobe Acrobat need to execute cmd? NO.
Does Windows Media Player need to execute cmd? NO.
Does RealPlayer need to execute cmd? NO.

These are very simple examples, but they have demonstrated their effectiveness against many vulnerabilities over the last few years. These types of protections can be greatly enhanced with the help of event correlation logic, which allows a baseline of application behavior to be established, thereby avoiding the limitation of basing decisions only on individual or point actions.
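To make the behavioral-profile idea concrete, here is an added example (not TruPrevent or Kernel Rules Engine code) of a toy policy engine: two point rules taken from the text (Office apps must not drop executables; Office apps, Acrobat and media players must not launch cmd) plus one correlated rule that remembers what an Office process wrote and blocks it if the same process later launches that file. Process image names, the event layout and the sample event stream are assumptions constructed for the illustration.

```python
from dataclasses import dataclass

# Image names are assumptions for the illustration, not a vendor rule set.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
VIEWERS = {"acrord32.exe", "wmplayer.exe", "realplay.exe"}
SHELLS = {"cmd.exe"}

@dataclass
class Event:
    kind: str          # "file_write" or "process_create"
    process: str       # image name of the acting process
    target: str        # path written, or image launched
    head: bytes = b""  # first bytes of the written file (file_write only)

@dataclass
class Verdict:
    allowed: bool
    rule: str = ""

class BehaviorEngine:
    """Point rules plus one correlated rule, evaluated per event in order."""

    def __init__(self):
        # Correlation state: files written by Office processes so far.
        self.written_by_office = set()

    def evaluate(self, ev):
        proc = ev.process.lower()
        target = ev.target.lower()
        image = target.rsplit("\\", 1)[-1]
        if ev.kind == "file_write" and proc in OFFICE:
            # Rule 1: a word processor has no reason to drop a PE image.
            if ev.head.startswith(b"MZ"):
                return Verdict(False, "office-writes-executable")
            self.written_by_office.add(target)
        elif ev.kind == "process_create":
            # Rule 2: Office apps, Acrobat and media players never need cmd.
            if proc in (OFFICE | VIEWERS) and image in SHELLS:
                return Verdict(False, "launches-cmd")
            # Rule 3 (correlated): an Office app runs a file it wrote itself,
            # whatever the file header looked like at write time.
            if proc in OFFICE and target in self.written_by_office:
                return Verdict(False, "office-runs-own-dropped-file")
        return Verdict(True)

def run(events):
    engine = BehaviorEngine()
    return [engine.evaluate(e) for e in events]

def sample_events():
    """Constructed event stream: three benign actions, three exploit-like ones."""
    return [
        Event("file_write", "WINWORD.EXE", r"C:\Docs\report.docx", b"PK\x03\x04"),
        Event("file_write", "WINWORD.EXE", r"C:\Temp\svc.exe", b"MZ\x90\x00"),
        Event("file_write", "EXCEL.EXE", r"C:\Temp\upd.tmp", b"\x00\x01"),
        Event("process_create", "EXCEL.EXE", r"C:\Temp\upd.tmp"),
        Event("process_create", "AcroRd32.exe", r"C:\Windows\System32\cmd.exe"),
        Event("process_create", "explorer.exe", r"C:\Windows\System32\cmd.exe"),
    ]

if __name__ == "__main__":
    for ev, v in zip(sample_events(), run(sample_events())):
        print("ALLOW" if v.allowed else f"BLOCK [{v.rule}]", ev.kind, ev.process, ev.target)
```

Note that the third rule catches the Excel case even though the dropped file carried no MZ header, which is the point of correlating events rather than judging each one in isolation.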

Why don't we block these behaviors by default?

But the big question is "who is we?" Who is responsible for creating a safe computing environment that does not allow these types of vulnerabilities to run wild and spread more malware with complete impunity? Without going into another finger-pointing war about whose fault it is (Adobe has issued a patch even though it doesn't solve the underlying problem), "we" is the entire computing industry, including OS and third-party vendors as well, not only the anti-malware vendors. Fixing point problems (patches for vulnerabilities) without attacking the root of the problem will continue to allow malware to prevail.

TruPrevent's Kernel Rule Engine proactively blocking a PDF exploit

Thanks to Ismael Briones for his great contributions and continued work on vulnerability exploitation prevention.

Categories: behavior analysis, Vulns

ANI loader vulnerability analysis

April 10th, 2007 Comments off

The guys over at Hispasec have just published a very nice analysis of the ANI loader vulnerability. It's also very interesting to see the stats of unique samples received at VirusTotal that exploit the ANI vulnerability.

Categories: Vulns

Point-and-click Internet Explorer VML exploits

April 9th, 2007 2 comments

Just a curiosity, but today is the three-month anniversary of the integer overflow vulnerability in VML (vgx.dll). We shouldn't get too caught up in the latest and greatest media-friendly PoC and should keep an eye on what's going on in the underground. Sure, MS released the patch for this some time ago and probably quite a few users are protected already, but how about those who haven't applied the patch or haven't deployed it internally in their networks? Most of the time it's these people who cause the majority of the problems for the rest of us, and we're definitely still seeing users being infected through this vector.

Couple of days ago I came across a recently released utility to create exploits for the VML vulnerability. The utility, named "MS-07004 V3.0", allows malicious users to easily create exploits using a graphical user interface. The utility creates HTML and JS files that exploit both MDAC and VML vulnerabilities, both of which allow remote attackers to execute arbitrary code.

All you need to do is provide a URL pointing to a critter of your choice. Then simply choose the type of exploit to use to execute the trojan remotely. You can choose between MS06-014, MS07-004 or a combination of both for "redundancy". If you simply choose MS07-004 it will create 3 files: an INDEX.HTM which loads MM.JS, which in turn references 07004.HTM.

Just a friendly reminder to those with responsibility for "reminding people to patch their systems" to keep doing so. Users are much more likely to encounter a VML or ANI exploit than to have their iPod catch a cold.

Categories: Vulns