Apple just released their web browser Safari in version 4.0.4 – both for Mac OS X and for Windows. Previous versions have some serious security vulnerabilities which can lead to remote code execution, crashes or to information disclosure, for example. More details can be found in Apples security advisory.

Just after the November patchday this week new reports about an issue with Microsofts SMB implementation in Windows 7 and Windows Server 2008 popped up. Rob VandenBrink of the Internet Storm Center took the publicly available exploit code, fixed a line of code – et voilà, a machine with Windows 7 or Server 2008 connecting to this faked server instantly freezes. There are no reports yet about Microsoft investigating this issue.

Update: Microsoft has released a security advisory this weekend where the company explains that it investigates the reports and is preparing a patch.

Dirk Knop
Technical Editor

Not only Microsoft released a bunch of patches to close security holes in their products, but also Adobe now ships updated software to fix several vulnerabilities in Adobe Reader and Acrobat which already get attacked with specially prepared PDF documents to take over control of vulnerable computers – Avira AntiVir protects its users and detects the currently circulating exploit PDF as Exp/Pidief.xam.

Users of Adobe Reader and Acrobat with earlier versions than the new 9.2 are advised to install the updated software immediately to protect themselves from the attacks; Adobe rates the vulnerabilities as critical. New versions of Reader are available for Windows, Mac and Unix. Further links for updates for different Acrobat versions are listed in Adobes security advisory.

Dirk Knop
Technical Editor

Just as announced last Friday, Microsoft ships updates for plenty of products and closes 34 security holes. Many of them are rated critical which means that attackers can infiltrate vulnerable systems remotely.

The patches affect the Windows operating systems starting from Windows 2000 up to the brand new Windows 7. The vulnerable software is a lengthy list too: Internet Explorer, Media Player, Office from XP up to 2007, .Net runtimes, SQL server, Visual Studio 2003 up to 2008, Visual FoxPro, Report Viewer, the antivirus solution Forefront and Silverlight 2.

As the patches deal with critical security vulnerabilities which in some cases are already abused (like the FTP hole in IIS) it is advised to install them ASAP.

Dirk Knop
Technical Editor

Our researchers found a malicious JavaScript link embedded to the headlines and thread titles in some forums as well as on other web sites after a user notified us about possible issues with a particular forum. The scripts resulted in slowing down forum access which raised suspicion, so we started to analyse what was going on.

In those forums there were links embedded in the posts which lead to a JavaScript on a Russian website. A google search with the URL revealed that already more than 100 web pages, especially forums, got infected with that malicious link – the infection rate is increasing fast. Later another URL with the malware script was identified, which Google reported on more than 16.000 obviously infected web pages.

Fig. 1: The JavaScript is encrypted and obfuscated in several layers.

The JavaScript is trying to exploit several vulnerabilities to silently install malware on affected users’ computers. Among these are exploits for Microsoft Video ActiveX Control Vulnerability (CVE-2008-0015), Microsoft Internet Explorer XML Parsing Vulnerability (CVE-2008-4844), Microsoft Internet Explorer Malformed CSS Memory Corruption Vulnerability (CVE-2009-0076) and some PDF exploits for Firefox and the Internet Explorer. All these exploits are already known and security updates are available. The malware writers obviously assume that a lot of Internet users do not update their systems.

Fig. 2: Decrypting the JavaScript needed some brute force, too.

That malicious JavaScript is hosted on a fast-flux’ed domain – the Internet addresses to which the embedded link points resolves to different locations every few minutes (fast flux as abbreviation from fast fluctuation, see Wikipedia). So it doesn’t help to take down one server as there are plenty of them. Usually infected computers serve the malware.

Fig. 3: The domain the JavaScript was loaded from was a fastflux'ed domain.

The servers are GeoIP-aware. Trying to access them directly with an IP from Deutsche Telekom network resulted in an “access denied”, while using a proxy in the USA made the bots deliver the malware.

Fig. 4: The shellcode in the JavaScript finally leads to a FakeAV infection.

But this malware – Avira detects it TR/FraudPack.ams – is just another downloader. It is encrypted with some layers as well.

Fig. 5: The crypter author sends out greetings to Sunbelt.

One of the encryption layers contains greetings to the company Sunbelt.

Fig. 6: Contents of the FakeAV downloader svcst.exe.

It accesses a set of “double fast-flux’ed” domains to fetch the actual malware, a FakeAV and a ftp password stealer which sends the data to guest books on the Internet. These are detected by Avira with generic detection as TR/Crypt.ZPACK.Gen and as TR/FakeAV.RK, while the password uploader gets detected as TR/Downloader.Gen.

Fig. 7: The FakeAV disguises itself as Antivirus Pro 2010.

The WebGuard of the Avira Premium and Professional blocks the URLs from where the malicious JavaScript is included and also the malware download URLs. Avira AntiVir also protects users from the downloaded malware.

(Article updated on 6th October to add more details about the malware.)

Emanuel Somosan
Moritz Kroll
Engine R&D

Dirk Knop
Technical Editor

10 days ago first exploit code for the security vulnerability in the SMBv2 protocol appeared in the underground. Today working exploit code for the open source penetration testing framework Metasploit was released. Therewith it is possible for the cybercriminals to produce malware which infects vulnerable systems – Windows Vista, Windows Server 2008 and Windows 7 up to Release Candidate 1.

Now administrators should take countermeasures if they haven’t done so yet. Microsoft doesn’t provide a patch to solve the issue, but offers a “1-click-tool” which disables SMBv2 services on the affected systems. This can have a small performance impact. Another suggested solution by Microsoft is to block traffic to the TCP Ports 139 and 445 – which would disable Windows Network Sharing altogether.

We’re constantly monitoring the malware scene – if malware using this attack vector appears we can protect our customers very fast. Anyhow it is a good idea to implement the workaround with the Fix-it-for-me-tool.

Dirk Knop
Technical Editor

Microsoft acknowledged a security hole in its SMBv2 implementation in Windows Vista, Server 2008 and Windows 7 up to the Release Candidate. With injecting specially prepared network packets attackers obviously are able to take complete control over affected computers.

Now a security company released an exploit for this vulnerability for their exploit framework for penetration testing. It should work for Windows Vista and Server 2008. Also, the open source framework Metasploit is said to release a reliable exploit soon.

So it is just a matter of time until malware exploiting the SMBv2 vulnerability will appear in the wild. The security hole could be used by a worm for example. Microsoft has no patch ready, but advises to implement one of the following workarounds:

- Disable SMBv2 support. The Redmond company also provides a “Fix-it-for-me” tool which will do this for the user. There is also a tool for enabling SMBv2 again.

- Block access to the TCP ports 139 and 445.

While the latter completely disables network shares for windows, the first solution should only have a small performance impact. Administrators might be advised best to disable the SMBv2 support in their LANs until Microsoft releases a patch so that no worm can spread through this security hole.

We’re monitoring the malware scene very closely so we can provide updated detections for appearing worms or similar malware for this vulnerability if necessary.

Dirk Knop
Technical Editor

Now that didn’t happen for a while: Microsoft updated one of the security bulletins from Tuesday. It deals with a security flaw in TCP/IP networking. The first version of the bulletin mentioned Windows 2000, Vista, Server 2003 and Server 2008 as affected. The updated version also mentions Windows XP as affected.

Consequently, all Windows XP users should run Windows Update again (as soon as the patch is available for XP, it currently isn’t) – though the impact of the error isn’t as critical as in Vista or Server 2008, where it allows for remote code execution. In Windows XP it is possible to cause a Denial of Service (DoS) condition with sending manipulated network packets to the unpatched computer.

Update: Microsoft updated the bulletin once more. Now it states “By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability.” So an update won’t be available any time soon – if at all, because in the default installation no service is listening on the network interface.

Dirk Knop
Technical Editor

As announced last Friday, Microsoft released 5 security bulletins – all dealing with critical flaws within the Windows operating systems. Affected are Windows XP to Windows Vista and Server 2008.

The security holes can be abused by hackers to compromise Windows installations remotely. Microsoft expects that exploits for these holes appear soon, so it is advised to install the patches as soon as possible!

Patches for the recently discovered SMB2 flaws within Vista and Windows 7 (only up to RC1 though) aren’t ready yet. Also missing are updates that fix the vulnerabilities in the FTP component of the Internet Information Services.

Dirk Knop
Technical Editor

There is a severe security hole in Microsofts Internet Information Services (IIS) versions 5 and 6. “0-day” Exploit code is publicly available on the net. The error is within the FTP component. Thus Microsoft recommends as workaround to disable (anonymous) FTP on IIS, or to withdraw anonymous users the rights to create directories. A security advisory was already available but currently leads to a Bing search page. There you can see the advisory as “cached page” at least.

Opera released the final version 10 of their Web browser. It fixes some security issues and has some new and improved features. They are listed in the changelog.

The OpenOffice.org developers released OpenOffice.org 3.1.1 (changelog). This version fixes a security flaw in the Word document processing which can lead to system compromise. Users of OpenOffice.org should download the new version and update immediatly.

Dirk Knop
Technical Editor

As announced before the weekend, Microsoft now released 9 security bulletins. The patches related to those bulletins close overall 19 security holes in Windows, Microsoft Office, Visual Studio, ISA- and BizTalk-Server, RDP client for Mac and the .Net framework.

According to the exploitability index of Microsoft, exploit code is likely to appear for all but one of those vulnerabilities. Therefore it is recommended to install the updates as soon as possible.

Dirk Knop
Technical Editor