Excel 0-Day Exploited

February 24, 2009 – 5:32 AM

Symantec is reporting that Trojan.Mdropper.AC is exploiting an unpatched vulnerability in Excel 2007. Earlier versions of Excel may also be vulnerable.

The vulnerability is described as a “Boundary Condition Error” and can result in remote code execution, but that’s it for details for now. The research is obviously in its early stages, and the fact that Symantec calls Trojan.Mdropper.AC a “Risk Level 1: Very Low” threat indicates that it was used in a targeted attack. So it’s not likely that this will be widespread any time soon, but eventually it may be.

You already had ample reason to be suspicious of unsolicited Excel files, but take this as added warning against opening such documents unless you know what they are.

Source:
http://blogs.pcmag.com/securitywatch/2009/02/excel_0day_exploited.php

Conficker becomes a more flexible worm

February 23, 2009 – 1:05 PM

It seems that the authors of the Conficker worm for Windows are continually updating their malware. In their current analyses, researchers at SRI International have found that the current Conficker variants B and B++ are decidedly more flexible than their predecessors in downloading further components and new versions.

The first version of the worm used an easily predictable method for choosing contact domains. In response, Microsoft and ICANN tried either to gain control of these domains or to shut them down. The next version, B, used a different method to establish the domains for its contact attempts. It also did not have the “suicide switch” that was enabled in version A if the worm detected a Ukrainian keyboard layout.

The most recent variant of the malware, Conficker B++, can not only download DLLs, but also entire arbitrary programs; this extends the botnet operators’ scope for further activity. In addition to the download feature, this version also contains a back door, which can be used to actively and remotely inject additional components, or new versions.

Source:
http://www.h-online.com/security/Conficker-becomes-a-more-flexible-worm--/news/112705

eBay auction tool website infected with malware

February 23, 2009 – 7:48 AM

A Trojan horse lurking on servers belonging to Auctiva.com, a Web site offering eBay auction tools, infected people’s PCs last week.

The problem became very public when Google’s malware warning system kicked in as people tried to browse the site, saying Auctiva was infected with malware. Google will display an interstitial page warning people of certain Web sites known to contain malware.

“It appears the reason these virus alert warnings started showing up on our site is because some of our machines were injected with malware originating in China,” according to a post on Auctiva’s community forum. “The malware we believe to be at fault has also hit a number of other high-profile websites over the past six months.”

It appears that the malware targeted Microsoft’s Internet Explorer browser. Auctiva recommended using Firefox, as that browser is “less susceptible to this sort of malware than Internet Explorer.”

“Found eight trojans on my system that seemed to have snuck through my on-access protection, or maybe because, like a fool, I clicked ‘ignore the warning’ to get to Auctiva’s front page,” wrote one user on Auctiva’s forum.

Source:
http://www.pcworld.com/article/160010/ebay_auction_tool_web_site_infected_with_malware.html?tk=rss_news

Researcher Shows New SSL Website Hack

February 21, 2009 – 8:28 AM

A researcher has found a convincing way to hack the SSL protocol used to secure logins to a range of Web sites, including e-commerce and banking sites.

Using a specially created app, ‘SSLstrip’, a researcher calling himself Moxie Marlinspike demonstrated to attendees at Black Hat in Arlington, Va., how vulnerable many SSL connections are to an involved but clever man-in-the-middle (MitM) attack in which an attacker proxies the traffic of users accessing genuine secure https:// website logins.

To prove the usefulness of the attack to a hypothetical criminal, he claimed the hack had given him access to 117 email accounts, 16 credit card numbers, 7 PayPal logins and over 300 other “miscellaneous secure logins” in a 24-hour period. Sites involved included Ticketmaster, Paypal, LinkedIn, Hotmail, and Gmail.

The clever bit is that the attack doesn’t need to touch the encrypted SSL traffic at all; it simply exploits the fact that users almost never type an https:// address directly, instead reaching it by first requesting a conventional http page. That makes it possible for the attacker to monitor and map the traffic between the browser and the website before the SSL session is set up, inserting himself between the two so that neither side is aware that anything is amiss.

According to Marlinspike, the hack also avoids the invalid-certificate warnings the browser would otherwise generate for a fake proxy site, and can even pass back convincing but bogus favicons such as the traditional https padlock. The only signal that something is wrong would be the absence of the https:// address in the toolbar, something few users would be likely to notice, he said.

“Lots of times the security of HTTPS comes down to the security of HTTP, and HTTP is not secure,” says Marlinspike in his presentation summary. “If we want to avoid the dialogs of death, start with HTTP not HTTPS.”
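The weak spot Marlinspike describes is the plain-HTTP hop before any SSL session exists. As an added defender-side illustration (not from the article and not Marlinspike's tool), the following checks two things a site owner or analyst can verify from captured responses: that the site's http:// front door only redirects to https, and that no login form on a page would submit a password over plain http. The function names and the sample page (example.test) are constructed for this example.

```python
"""Defender-side checks for the plain-HTTP hop that SSLstrip abuses."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _PasswordFormScanner(HTMLParser):
    """Collect the resolved action URL of every <form> holding a password field."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.actions = []   # action URLs of forms that contain a password input
        self._form = None   # state for the <form> currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # Resolve a relative action against the page URL so its scheme is known.
            self._form = {"action": urljoin(self.base_url, a.get("action") or ""), "pw": False}
        elif tag == "input" and self._form and (a.get("type") or "").lower() == "password":
            self._form["pw"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form:
            if self._form["pw"]:
                self.actions.append(self._form["action"])
            self._form = None


def cleartext_login_forms(page_url, html):
    """Return actions of password forms that would submit over plain HTTP.

    A login form whose action is http (or a login page served on http at all)
    is exactly what a user sees once the https links have been stripped.
    """
    scanner = _PasswordFormScanner(page_url)
    scanner.feed(html)
    return [act for act in scanner.actions if urlsplit(act).scheme != "https"]


def http_entry_redirects_to_https(status, headers):
    """True if a plain-HTTP response is a redirect whose Location is an https URL."""
    loc = {k.lower(): v for k, v in headers.items()}.get("location", "")
    return status in (301, 302, 303, 307, 308) and urlsplit(loc).scheme == "https"


# Constructed sample: a login page whose https action was downgraded to http,
# and the same page with the action intact.
STRIPPED_PAGE = ('<form action="http://example.test/login" method="post">'
                 '<input name="u"><input type="password" name="p"></form>')
INTACT_PAGE = STRIPPED_PAGE.replace("http://", "https://")
```

Run `cleartext_login_forms` over pages fetched through the http:// entry point; any result at all means the site is handing a password form to the unencrypted hop.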

Importantly, the visual indicators that help ordinary users detect such attacks should once again be emphasized, overturning some years in which developers, including browser developers, had downplayed such reinforcement.

“Once we’ve got control of that, we can do all kinds of stuff to re-introduce the positive indicators people might miss,” he says.

An indirect hack on the secure web infrastructure was reported some weeks ago, in which a flaw in the MD5 hash algorithm was used to fool certificate authorities into accepting a bogus certificate as the real thing.

Source:
http://www.networkworld.com/news/2009/022009-researcher-shows-new-ssl-website.html

Cain & Abel v4.9.27 released

February 21, 2009 – 8:14 AM

Cain & Abel is a password recovery tool for Microsoft operating systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols. The program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort. It covers some security aspects/weaknesses present in protocol standards, authentication methods and caching mechanisms; its main purpose is the simplified recovery of passwords and credentials from various sources, but it also ships some “non standard” utilities for Microsoft Windows users.

Changes:

– Added support for Licensing Mode Terminal Server connections in APR-RDP sniffer filter.
– Added channel hopping capability on A, BG and ABG channels in Passive Wireless Sniffer.
– Added support for A channels in Passive Wireless Sniffer.
– Added automatic detection of RX/TX ABG channels for AirPcap NX adapters.
– WEP ARP Injection thread now avoids sending packets to disassociated stations.
– AirPcap library upgrade to version 4.0.0 (to support the new AirPcap NX adapters from CACE Technologies).
– Winpcap library upgrade to version 4.1 beta 5.

Download:
http://www.oxid.it/downloads/ca_setup.exe

Homepage:
http://www.oxid.it/cain.html