Just after the November patchday this week new reports about an issue with Microsofts SMB implementation in Windows 7 and Windows Server 2008 popped up. Rob VandenBrink of the Internet Storm Center took the publicly available exploit code, fixed a line of code – et voilà, a machine with Windows 7 or Server 2008 connecting to this faked server instantly freezes. There are no reports yet about Microsoft investigating this issue.

Update: Microsoft has released a security advisory this weekend where the company explains that it investigates the reports and is preparing a patch.

Dirk Knop
Technical Editor

Users of Adobe Reader and Acrobat with earlier versions than the new 9.2 are advised to install the updated software immediately to protect themselves from the attacks; Adobe rates the vulnerabilities as critical. New versions of Reader are available for Windows, Mac and Unix. Further links for updates for different Acrobat versions are listed in Adobes security advisory.

Dirk Knop
Technical Editor

The patches affect the Windows operating systems starting from Windows 2000 up to the brand new Windows 7. The vulnerable software is a lengthy list too: Internet Explorer, Media Player, Office from XP up to 2007, .Net runtimes, SQL server, Visual Studio 2003 up to 2008, Visual FoxPro, Report Viewer, the antivirus solution Forefront and Silverlight 2.

As the patches deal with critical security vulnerabilities which in some cases are already abused (like the FTP hole in IIS) it is advised to install them ASAP.

Dirk Knop
Technical Editor

In those forums there were links embedded in the posts which lead to a JavaScript on a Russian website. A google search with the URL revealed that already more than 100 web pages, especially forums, got infected with that malicious link – the infection rate is increasing fast. Later another URL with the malware script was identified, which Google reported on more than 16.000 obviously infected web pages.

Fig. 1: The JavaScript is encrypted and obfuscated in several layers.

The JavaScript is trying to exploit several vulnerabilities to silently install malware on affected users’ computers. Among these are exploits for Microsoft Video ActiveX Control Vulnerability (CVE-2008-0015), Microsoft Internet Explorer XML Parsing Vulnerability (CVE-2008-4844), Microsoft Internet Explorer Malformed CSS Memory Corruption Vulnerability (CVE-2009-0076) and some PDF exploits for Firefox and the Internet Explorer. All these exploits are already known and security updates are available. The malware writers obviously assume that a lot of Internet users do not update their systems.

Fig. 2: Decrypting the JavaScript needed some brute force, too.

That malicious JavaScript is hosted on a fast-flux’ed domain – the Internet addresses to which the embedded link points resolves to different locations every few minutes (fast flux as abbreviation from fast fluctuation, see Wikipedia). So it doesn’t help to take down one server as there are plenty of them. Usually infected computers serve the malware.

Fig. 3: The domain the JavaScript was loaded from was a fastflux'ed domain.

The servers are GeoIP-aware. Trying to access them directly with an IP from Deutsche Telekom network resulted in an “access denied”, while using a proxy in the USA made the bots deliver the malware.

Fig. 4: The shellcode in the JavaScript finally leads to a FakeAV infection.

But this malware – Avira detects it TR/FraudPack.ams – is just another downloader. It is encrypted with some layers as well.

Fig. 5: The crypter author sends out greetings to Sunbelt.

One of the encryption layers contains greetings to the company Sunbelt.

Fig. 6: Contents of the FakeAV downloader svcst.exe.

It accesses a set of “double fast-flux’ed” domains to fetch the actual malware, a FakeAV and a ftp password stealer which sends the data to guest books on the Internet. These are detected by Avira with generic detection as TR/Crypt.ZPACK.Gen and as TR/FakeAV.RK, while the password uploader gets detected as TR/Downloader.Gen.

Fig. 7: The FakeAV disguises itself as Antivirus Pro 2010.

The WebGuard of the Avira Premium and Professional blocks the URLs from where the malicious JavaScript is included and also the malware download URLs. Avira AntiVir also protects users from the downloaded malware.

(Article updated on 6th October to add more details about the malware.)

Emanuel Somosan
Moritz Kroll
Engine R&D

Dirk Knop
Technical Editor

Now administrators should take countermeasures if they haven’t done so yet. Microsoft doesn’t provide a patch to solve the issue, but offers a “1-click-tool” which disables SMBv2 services on the affected systems. This can have a small performance impact. Another suggested solution by Microsoft is to block traffic to the TCP Ports 139 and 445 – which would disable Windows Network Sharing altogether.

We’re constantly monitoring the malware scene – if malware using this attack vector appears we can protect our customers very fast. Anyhow it is a good idea to implement the workaround with the Fix-it-for-me-tool.

Dirk Knop
Technical Editor

Now a security company released an exploit for this vulnerability for their exploit framework for penetration testing. It should work for Windows Vista and Server 2008. Also, the open source framework Metasploit is said to release a reliable exploit soon.

So it is just a matter of time until malware exploiting the SMBv2 vulnerability will appear in the wild. The security hole could be used by a worm for example. Microsoft has no patch ready, but advises to implement one of the following workarounds:

- Disable SMBv2 support. The Redmond company also provides a “Fix-it-for-me” tool which will do this for the user. There is also a tool for enabling SMBv2 again.

- Block access to the TCP ports 139 and 445.

While the latter completely disables network shares for windows, the first solution should only have a small performance impact. Administrators might be advised best to disable the SMBv2 support in their LANs until Microsoft releases a patch so that no worm can spread through this security hole.

We’re monitoring the malware scene very closely so we can provide updated detections for appearing worms or similar malware for this vulnerability if necessary.

Dirk Knop
Technical Editor

Consequently, all Windows XP users should run Windows Update again (as soon as the patch is available for XP, it currently isn’t) – though the impact of the error isn’t as critical as in Vista or Server 2008, where it allows for remote code execution. In Windows XP it is possible to cause a Denial of Service (DoS) condition with sending manipulated network packets to the unpatched computer.

Update: Microsoft updated the bulletin once more. Now it states “By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability.” So an update won’t be available any time soon – if at all, because in the default installation no service is listening on the network interface.

Dirk Knop
Technical Editor

The security holes can be abused by hackers to compromise Windows installations remotely. Microsoft expects that exploits for these holes appear soon, so it is advised to install the patches as soon as possible!

Patches for the recently discovered SMB2 flaws within Vista and Windows 7 (only up to RC1 though) aren’t ready yet. Also missing are updates that fix the vulnerabilities in the FTP component of the Internet Information Services.

Dirk Knop
Technical Editor

Opera released the final version 10 of their Web browser. It fixes some security issues and has some new and improved features. They are listed in the changelog.

The OpenOffice.org developers released OpenOffice.org 3.1.1 (changelog). This version fixes a security flaw in the Word document processing which can lead to system compromise. Users of OpenOffice.org should download the new version and update immediatly.

Dirk Knop
Technical Editor

According to the exploitability index of Microsoft, exploit code is likely to appear for all but one of those vulnerabilities. Therefore it is recommended to install the updates as soon as possible.

Dirk Knop
Technical Editor