Smokey's Security Weblog

veritas odium parit

[How-to] Vulnerability test Superfish, Komodia, PrivDog & similar

You have probably heard about the Lenovo debacle: many of their laptop series come preloaded with the adware/spyware Superfish (you can also call Superfish a dirty piece of malware), which intercepts all your secure connections and thereby allows criminals to do the same. Superfish uses an “SSL hijacker” (Komodia Redirector with SSL Digestor) and an untrustworthy Komodia root certificate. Komodia Redirector with SSL Digestor installs non-unique root CA certificates and private keys, making systems broadly vulnerable to HTTPS spoofing. In this way an attacker can spoof HTTPS sites and intercept HTTPS traffic without triggering browser certificate warnings on affected systems.

Many other software products do the same, because Komodia sold its malicious kit to other companies as well; among these companies/vendors are e.g. Atom Security, Inc, Infoweise, KeepMyFamilySecure, Kurupira, Lavasoft, Qustodio and Websecure Ltd. There will be others as well.

Superfish can be removed via the standard Windows Add/Remove Programs utility: find Superfish Inc VisualDiscovery, tick it and click Uninstall. Uninstalling Superfish and other Komodia-type programs does not remove the root certificates, so you also need to do this: type certmgr.msc into the Windows search box, right-click the program’s name and select “Run as administrator” from the pop-up menu. Then click the Action menu and select “Find Certificates”. Type Superfish (etc.) into the search box and click the “Find Now” button. If you find an unwanted certificate, right-click it and select Delete.

Fwiw, never download from unsafe places such as CNet’s Download.com or from Google search ads; downloading software from such places can be really dangerous, since in many cases the downloaded software can and will be contaminated with adware, spyware and/or malware.

There’s a simple way to check your machine for the presence of Superfish, Komodia, PrivDog & Co: we advise you to visit the filippo vulnerability test page and perform the vulnerability test: https://filippo.io/Badfish/ Important: do the test with every browser you have installed.

Instructions for identifying and removing a root certificate from Windows here: http://windows.microsoft.com/en-us/windows-vista/view-or-manage-your-certificates

Finally, we know that many AV (antivirus) products will find and remove Superfish, Komodia, PrivDog and similar crap; despite that, we still strongly advise performing the filippo vulnerability test and checking your machine for untrustworthy certificates as well.
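As an added example (not from this post), the same certificate check done from PowerShell instead of certmgr.msc. It assumes Windows PowerShell 3.0 or later; the name list is taken from the vendors named above, and the private-key test is my own addition, since a root CA whose private key sits on the machine is exactly the Komodia pattern described.

```powershell
# Added example (not from the blog post): audit the Windows root stores for
# Komodia-style interception roots. Report-only unless -Remove is given.
param([switch]$Remove)

# Name fragments from the post: Superfish, Komodia, PrivDog.
$suspectNames = @('Superfish', 'Komodia', 'PrivDog')

function Get-SuspectRootCertificates {
    # Check both the machine and the user root stores; Superfish used the
    # machine store, other Komodia customers may differ.
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    foreach ($store in $stores) {
        foreach ($cert in Get-ChildItem -Path $store) {
            $reasons = @()
            foreach ($name in $suspectNames) {
                if ($cert.Subject -match $name -or $cert.Issuer -match $name) {
                    $reasons += "name matches '$name'"
                }
            }
            # A root CA certificate whose private key lives on this machine is
            # the Komodia tell: the same key ships with every install, so anyone
            # holding it can mint browser-trusted certificates for any site.
            if ($cert.HasPrivateKey) {
                $reasons += 'private key present for a root CA'
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    Reasons    = ($reasons -join '; ')
                    PSPath     = $cert.PSPath
                }
            }
        }
    }
}

$findings = @(Get-SuspectRootCertificates)
if ($findings.Count -eq 0) {
    Write-Host 'No suspect root certificates found.'
} else {
    $findings | Format-Table Store, Subject, Thumbprint, Reasons -AutoSize
    if ($Remove) {
        foreach ($f in $findings) {
            # -DeleteKey also removes the private key container, not just the cert
            Remove-Item -Path $f.PSPath -DeleteKey -Confirm
        }
    }
}
```

Removing from the LocalMachine store needs an elevated prompt, and a machine that runs its own enterprise CA will legitimately show a root with a private key, so review the list before confirming any deletion.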

March 1, 2015 | Uncategorized

New flash attack has no real ‘fix’: ‘everyone is vulnerable’

We all know Adobe Flash; it is possibly the most widely installed piece of software in the Internet environment. And of course the internet creeps abuse that fact and misuse Flash to drop their malicious crap on PCs that are not well protected against Flash attacks.

Last week I stumbled (again) over an article that describes the dangers of Flash very well; I will share an excerpt of that article with my blog readers, to warn them and to help them do what is necessary to defend themselves against the dangers of Flash.

New flash attack has no real ‘fix’: ‘everyone is vulnerable’
Dark Reading | Nov 12, 2009

Researchers have discovered a new attack that exploits the way browsers operate with Adobe Flash — and there’s no simple patch for it.

The attack can occur on Websites that accept user-generated content — anything from Webmail to social networking sites. An attacker basically takes advantage of the fact that a Flash object can be loaded as content onto a site and then can execute malware from that site to infect and steal information from visitors who view that content by clicking it.

“Everyone is vulnerable to this, and there’s nothing anyone can do to fix it by themselves,” says Michael Murray, CSO for Foreground Security, which today posted demonstrations of such an attack against Gmail, SquirrelMail, and cPanel’s File Manager. “We’re hoping to get a message out to IT administrators and CIOs to start fixing their sites one at a time.”

An attacker could upload malicious code via a Flash file attachment or an image, for instance, and infect any user that clicks on that item to view it. “If I can trick a system to let me upload anything, I can run code in any browser, and Adobe can’t fix this,” Murray says. “If I can upload a picture to a site and append it with Flash code to make it look like an image, once a user views that, the code executes and I can steal your cookies and credentials.”

The only thing close to a “fix” is for the Website to move its user-generated content to a different server, according to Michael Bailey, the senior researcher for Foreground Security who discovered the attack.

Bailey says the attack is similar to a cross-site scripting attack. “This is very easy to perform,” he says.

The researchers don’t expect Adobe to issue any fixes to Flash’s origin policy, mainly because it would affect so many applications.

Web application developers could help prevent the attack by denying Flash content by default, which isn’t a very realistic option: “Doing that will break a lot of applications,” Bailey says. “And that’s the problem.”

For end users, the Firefox browser add-in NoScript provides some protection from this attack, as does Toggle Flash for Internet Explorer, the researchers say.

 

I produced the same article on DSLReports; feel free to join the DSLR discussion and to look there for suggestions on how to protect yourself.

November 15, 2009 | Advisories, Alerts, Anti-Spyware, Anti-Virus, Bundleware, Downloads, News, Recommended External Security Related Links, Vulnerabilities

Watch your step: leaked copies of Windows 7 RC contain a Trojan

By Gregg Keizer, ComputerWorld – 05 May

Pirated copies of Windows 7 Release Candidate (RC) on file-sharing sites contain malware, according to users who have downloaded the upgrade. Some of the pirated builds include a Trojan horse, numerous users said in message forums and in comments on BitTorrent sites such as Mininova.org.

“Just a warning for anyone downloading the new RC builds of windows 7. Quiet [sic] a lot of the downloads have a trojan inbedded [sic] in the setup EXE,” said someone identified as Frank Fontaine on a Neowin.net discussion thread. “The Setup EXE is actually a container, it appears to be a self-extracting EXE. There are 2 files inside, Setup.exe and codec.exe.”

Source: ComputerWorld

Get the official Windows 7 RC download:

The 32- and 64-bit versions of Windows 7 RC are available in five languages: English, German, Japanese, French, and Spanish. Just choose the version that fits the system you’ll be using, pick your language, and click go to register for and download the RC.

Downloading the Windows 7 RC could take a few hours. The exact time will depend on your internet provider, bandwidth, and traffic. The good news is that once you start the download, you won’t have to answer any more questions – you can walk away while it finishes. If it gets interrupted, it’ll restart where it left off. (txs NICK_ADSL_UK!)

Official download link for Windows 7 RC: Microsoft

May 6, 2009 | Uncategorized

Microsoft Out-of-band security bulletin MS08-067 – Critical

Vulnerability in Server Service Could Allow Remote Code Execution (958644)
Published: October 23, 2008
Version: 1.0


Added 25 Oct 2008 – Revision 1.3: Note: In addition to the products that are listed in the “Affected Software” section, this article also applies to Windows 7 Pre-Beta.

Executive Summary

This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit. Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter.

This security update is rated Critical for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, and rated Important for all supported editions of Windows Vista and Windows Server 2008. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerability by correcting the way that the Server service handles RPC requests. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

Recommendation

Microsoft recommends that customers apply the update immediately.

Known Issues

None

Affected Software

Operating System | Maximum Security Impact | Aggregate Severity Rating | Bulletins Replaced by this Update
--- | --- | --- | ---
Microsoft Windows 2000 Service Pack 4 | Remote Code Execution | Critical | MS06-040
Windows XP Service Pack 2 | Remote Code Execution | Critical | MS06-040
Windows XP Service Pack 3 | Remote Code Execution | Critical | None
Windows XP Professional x64 Edition | Remote Code Execution | Critical | MS06-040
Windows XP Professional x64 Edition Service Pack 2 | Remote Code Execution | Critical | None
Windows Server 2003 Service Pack 1 | Remote Code Execution | Critical | MS06-040
Windows Server 2003 Service Pack 2 | Remote Code Execution | Critical | None
Windows Server 2003 x64 Edition | Remote Code Execution | Critical | MS06-040
Windows Server 2003 x64 Edition Service Pack 2 | Remote Code Execution | Critical | None
Windows Server 2003 with SP1 for Itanium-based Systems | Remote Code Execution | Critical | MS06-040
Windows Server 2003 with SP2 for Itanium-based Systems | Remote Code Execution | Critical | None
Windows Vista and Windows Vista Service Pack 1 | Remote Code Execution | Important | None
Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1 | Remote Code Execution | Important | None
Windows Server 2008 for 32-bit Systems* | Remote Code Execution | Important | None
Windows Server 2008 for x64-based Systems* | Remote Code Execution | Important | None
Windows Server 2008 for Itanium-based Systems | Remote Code Execution | Important | None

*Windows Server 2008 server core installation affected. For supported editions of Windows Server 2008, this update applies, with the same severity rating, whether or not Windows Server 2008 was installed using the Server Core installation option. For more information on this installation option, see Server Core. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008; see Compare Server Core Installation Options.

Source/full bulletin: Microsoft TechNet

Attack code for critical Microsoft bug surfaces

10/27/2008

By Jason Meserve/Network World – THREAT ALERT

Hope you’ve got that out-of-cycle Windows patch installed, because there’s already a worm running amok exploiting the flaw.

Microsoft took the unusual step of rushing out a patch for Windows last Thursday, and within hours attack code was published that could take advantage of the flaw. Not quite Zero Day, but pretty close. Of course, a lot of noise was made over Microsoft’s non-Patch Tuesday release, but some in the security community are wondering what the big deal is. After all, there are automatic systems in place to install said patches, and other vendors release patches all the time without a parade. So why the hoopla over this Microsoft release?

Full story: NetworkWorld

October 24, 2008 | Advisories, Alerts, Downloads, Friends, Malware, News, Recommended External Security Related Links, Vulnerabilities

Researchers Raise Alarm Over New Iteration of Coreflood Botnet

The seven-year-old Coreflood botnet is quietly stealing thousands of passwords from corporate users and other large organizations, thanks to recent enhancements that allow it to spread like a worm, researchers say.

In a nutshell, Coreflood has combined its old ability to deliver a password-stealing Trojan with a new ability to infect whole Windows domains in a matter of hours.

“This is potentially way more malicious than Storm, because it is collecting passwords — rather than just sending out spam or denying service — and because the user doesn’t have to click on a link or do anything at all in order to be infected,” says David Jevans, CEO of security vendor IronKey and chairman of the Anti-Phishing Working Group.

Coreflood, which started out as a simple Trojan in late 2001, has been reiterated more than 100 times during its long lifespan. But with the enhancements, the Trojan now has the ability to infect Windows administrators’ machines and then use their privileges to infect all of the other machines in the administrator’s domain.

“We’ve literally seen situations where there was only one machine infected, and within a few hours, 30,000 other machines on the same network were also infected,” Jevans says. “And these aren’t random infections — if it gets through to one administrator’s machine, then all of the devices in his domain will be infected.”

Source/full article: Tim Wilson/DarkReading

July 26, 2008 | Advisories, Alerts, Malware, Recommended External Security Related Links, Vulnerabilities

New kind of malicious software could pose a danger to Windows users who download music files on peer-to-peer networks

A new kind of malicious software could pose a danger to Windows users who download music files on peer-to-peer networks.

The new malware inserts links to dangerous Web pages within ASF (Advanced Systems Format) media files.

“The possibility of this has been known for a little while but this is the first time we’ve seen it done,” said David Emm, senior technology consultant for security vendor Kaspersky Lab.

If a user plays an infected music file, it will launch Internet Explorer and load a malicious Web page which asks the user to download a codec, a well-known trick to get someone to download malware.

The actual download is not a codec but a Trojan horse, which installs a proxy program on the PC, Emm said. The proxy program allows hackers to route other traffic through the compromised PC, helping the hacker essentially cover their tracks for other malicious activity, Emm said.

The malware has worm-like qualities. Once on a PC, it looks for MP3 or MP2 audio files, transcodes them to Microsoft’s Windows Media Audio format, wraps them in an ASF container and adds links to further copies of the malware, in the guise of a codec, according to another security analyst, Secure Computing.

The “.mp3” extension of the files is not modified, however, so victims may not immediately notice the change, according to Kaspersky Lab.

“Users downloading from P2P networks need to exercise caution anyway, but should also be sensitive to pop-ups appearing upon playing a downloaded video or audio stream,” Secure Computing said.

Trend Micro calls the malware “Troj_Medpinch.a,” Secure Computing named it “Trojan.ASF.Hijacker.gen” and Kaspersky calls it “Worm.Win32.GetCodec.a.”

Source / full article: PCWorld Business Center
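The Flash-upload trick from the Dark Reading piece above (a Flash movie uploaded under an image name) and the ASF trick described here (a Windows Media container that keeps its “.mp3” name) both leave a file whose content contradicts its extension, so one check serves both. Added example, not from either article: a PowerShell scan (Windows PowerShell 3.0+ assumed) that reads the first 16 bytes of every file under a folder and reports the mismatch; the magic numbers are the standard SWF and ASF headers.

```powershell
# Added example (not from the quoted articles): flag files whose content
# contradicts their extension, e.g. a Flash movie uploaded under an image
# name, or an ASF (Windows Media) container still named ".mp3".
param([string]$Path = '.')

# Magic numbers: an SWF starts with FWS (uncompressed), CWS (zlib) or
# ZWS (LZMA); an ASF file starts with the fixed 16-byte Header Object GUID.
$swfMagic = @('FWS', 'CWS', 'ZWS')
$asfGuid  = [byte[]](0x30,0x26,0xB2,0x75,0x8E,0x66,0xCF,0x11,
                     0xA6,0xD9,0x00,0xAA,0x00,0x62,0xCE,0x6C)
$imageExt = @('.jpg', '.jpeg', '.png', '.gif', '.bmp')
$audioExt = @('.mp3', '.mp2')

function Get-ContainerType {
    param([byte[]]$Header)
    # Classify by magic bytes only; the file name is deliberately ignored.
    if ($Header.Length -ge 3) {
        $tag = [System.Text.Encoding]::ASCII.GetString($Header, 0, 3)
        if ($swfMagic -contains $tag) { return 'swf' }
    }
    if ($Header.Length -ge 16) {
        $isAsf = $true
        for ($i = 0; $i -lt 16; $i++) {
            if ($Header[$i] -ne $asfGuid[$i]) { $isAsf = $false; break }
        }
        if ($isAsf) { return 'asf' }
    }
    return 'other'
}

function Find-DisguisedMedia {
    param([string]$Root)
    foreach ($file in Get-ChildItem -Path $Root -File -Recurse) {
        # Only the first 16 bytes are needed to classify the container.
        $buffer = New-Object byte[] 16
        $stream = [System.IO.File]::OpenRead($file.FullName)
        try     { $read = $stream.Read($buffer, 0, 16) }
        finally { $stream.Dispose() }
        if ($read -lt 3) { continue }
        [byte[]]$header = $buffer[0..($read - 1)]
        $type = Get-ContainerType -Header $header
        $ext  = $file.Extension.ToLowerInvariant()
        $verdict = $null
        if ($type -eq 'swf' -and $imageExt -contains $ext) {
            $verdict = 'Flash movie disguised as an image'
        } elseif ($type -eq 'asf' -and $audioExt -contains $ext) {
            $verdict = 'ASF container carrying an MP3/MP2 name'
        }
        if ($verdict) {
            [pscustomobject]@{
                File    = $file.FullName
                Content = $type
                Verdict = $verdict
            }
        }
    }
}

Find-DisguisedMedia -Root $Path | Format-Table -AutoSize
```

A magic-byte check is only a first filter: it looks at the start of the file and nothing else, so for a web site it belongs next to the measure the researchers call the only real fix, serving user-generated content from a separate server.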

July 18, 2008 | Advisories, Alerts, Downloads, Malware, News, Recommended External Security Related Links

IE6 zero-day cross-site scripting bug reported

Security researchers are warning users about an unpatched cross-site scripting bug in Internet Explorer 6 (IE6) that could be used by hackers to capture keystrokes and steal other information.

At BlueHat, researcher Manuel Caballero, who has worked for Microsoft as an independent penetration tester, said he had found a way to capture every browser action, including keystrokes used to type passwords. In a videotaped interview that Microsoft conducted during BlueHat, Caballero said that the combination of Flash and any browser, not just IE, could be hacked with a malicious script to give attackers full access to the browser.

The vulnerability is caused due to an input validation error when handling the ‘location’ or ‘location.href’ property of a window object. This can be exploited by a malicious website to open a trusted site and execute arbitrary script code in a user’s browser session in context of the trusted site.

IE7, the current version of Microsoft’s browser, does not contain the vulnerability, both Secunia and McAfee said. Until Microsoft produces a patch for the older browser, users should update to IE7, they added.

Sources: ComputerWorld, Secunia, McAfee

June 27, 2008 | Advisories, Alerts, Malware, News, Recommended External Security Related Links, Vulnerabilities

Photobucket are not cleaning up their act: continuous malvertizements on their website

Photobucket has been mentioned several times because of malvertizements appearing on the site. The most recent outbreak is proving to be problematic, to say the least.

They have been advised several times that there are malvertizements appearing on their web site. Photobucket have been given sufficient information to enable them to quickly identify and remove the malvertizements. Email acknowledgements have been received from Photobucket advising that the malvertizement reports would be forwarded to the “advertising team”.

The malvertizements have also been reported to the advertising networks being used to host and distribute the malvertizements.

Why, then, are the malvertizements cited here still appearing on the Photobucket web site?

rlslog.net were able to get rid of the malvertizements reported to them. mininova.org were able to get rid of the malvertizements that were reported to them. Why is it so hard for photobucket.com to clean up *their* act???

Because of Photobucket’s condemnable attitude of ignoring these reports, and to protect users against malware, the strong advice is:

nobody should visit photobucket.com unless they have software in place that will prevent any advertisements on that site from being displayed on their computer.

This advice stands unless and until the malvertizements are removed AND photobucket.com can reassure that:

1. Photobucket have improved their investigative processes when checking advertisements offered to them to minimise the possibility of this happening again; and
2. Photobucket have put in place new procedures to ensure that reports of malvertizements are identified and acted upon immediately.

Source: SpywareSucks

May 13, 2008 | Advisories, Alerts, Friends, Malware, News, Recommended External Security Related Links, Vulnerabilities

Java Anonymous Proxy (JAP): once a Crook, always a Crook?

Today’s post on DSLReports with the subject “JAP” drew my attention.

From Java Anonymous Proxy (JAP) Homepage:

JAP makes it possible to surf the internet anonymously and unobservably. Without anonymization, every computer on the internet communicates using a traceable address. That means:

– the website visited,
– the internet service provider (ISP),
– and any eavesdropper on the internet connection

can determine which websites the user of a specific computer visits. Even the information which the user calls up can be intercepted and seen if encryption is not used. JAP uses a single static address which is shared by many JAP users. That way neither the visited website, nor an eavesdropper can determine which user visited which website.

Sounds great, especially because the software and services are free. But after reading the DSLR post, my mind about JAP changed.

SUMware mentioned in the DSLR post a 2003 SecurityFocus article about the fact that JAP’s anonymity service was (and still is?) back-doored. That doesn’t sound good anymore; it sounds really bad.

Excerpt from the SF article:

The popular Java Anonymous Proxy (JAP), used to anonymise one’s comings and goings across the Internet, has been back-doored by court order. The service is currently logging access attempts to a particular, and unnamed, Web site and reporting the IP addys of those who attempt to contact it to the German police.

We know this because the JAP operators immediately warned users that their IP traffic might be going straight to Big Brother, right? Wrong. After taking the service down for a few days with the explanation that the interruption was “due to a hardware failure”, the operators then required users to install an “upgraded version” (ie. a back-doored version) of the app to continue using the service.

“As soon as our service works again, an obligatory update (version 00.02.001) [will be] needed by all users,” the public was told. Not a word about Feds or back doors.

Fortunately, a nosey troublemaker had a look at the ‘upgrade’ and noticed some unusual business in it, such as:

“CAMsg::printMsg(LOG_INFO,”Loading Crime Detection Data….\n”);”
“CAMsg::printMsg(LOG_CRIT,”Crime detected – ID: %u – Content:
\n%s\n”,id,crimeBuff,payLen);”

and posted it to alt.2600.

Soon the JAP team replied to the thread, admitting that there is now a “crime detection function” in the system mandated by the courts. But they defended their decision:

“What was the alternative? Shutting down the service? The security apparatchiks would have appreciated that – anonymity in the Internet and especially AN.ON are a thorn in their side anyway.”

Sorry, the Feds undoubtedly appreciated the JAP team’s willingness to back-door the app while saying nothing about it a lot more than they would have appreciated seeing the service shut down with a warning that JAP can no longer fulfill its stated obligation to protect anonymity due to police interference.

A press release from ICPP assures users that JAP is safe to use because access to only one Web site is currently being disclosed, and only under court-ordered monitoring.

But that’s not the point. Disclosure is the point. The JAP Web site still claims that anonymity is sacrosanct: “No one, not anyone from outside, not any of the other users, not even the provider of the intermediary service can determine which connection belongs to which user.”

This is obviously no longer true, if it ever was. And that’s a serious problem, that element of doubt. Anonymity services can flourish only if users trust providers to be straight with them at all times. This in turn means that providers must be absolutely punctilious and obsessive about disclosing every exception to their assurances of anonymity. One doesn’t build confidence by letting the Feds plug in to the network, legally or otherwise, and saying nothing about it.

Telling us that they only did it to help catch criminals isn’t good enough either. Sure, no normal person is against catching criminals – the more the merrier, I say. But what’s criminal is highly relative, always subject to popular perception and state doctrine. If we accept Germany’s definition of criminal activity that trumps the natural right to anonymity and privacy, then we must accept North Korea’s, China’s and Saudi Arabia’s. They have laws too, after all. The entire purpose of anonymity services is to sidestep state regulation of what’s said and what’s read on the basis of natural law.

The JAP Web site has a motto: “Anonymity is not a crime.” It’s a fine one, even a profound one. But it’s also a palpably political one. The JAP project inserted itself, uncalled, into the turbulent confluence between natural law and state regulation, and signaled its allegiance to the former. It’s tragic to see it bowing to the latter.

I don’t know whether JAP’s anonymity service is, anno 2008, still back-doored.

The main question after the JAP back-door issue is: can we ever trust JAP again? My answer is a clear NO. JAP will always carry an element of doubt.

SecurityFocus hit the nail on the head with the following remark in the article:

Anonymity services can flourish only if users trust providers to be straight with them at all times. This in turn means that providers must be absolutely punctilious and obsessive about disclosing every exception to their assurances of anonymity. One doesn’t build confidence by letting the Feds plug in to the network, legally or otherwise, and saying nothing about it.

I share SF’s opinion. Therefore, stay away from JAP.

April 26, 2008 | Advisories, Alerts, Downloads, Malware, News, Recommended External Security Related Links

Unlocking Windows Using FireWire

If you are running Windows XP, anyone who can connect his laptop or modified iPod to your FireWire port can get complete access to your PC’s memory. And by using that access the attacker can do whatever he wants such as unlock Windows, steal encryption keys, or install malware.

Currently there is no known fix for this problem, so if you have a computer that has a FireWire port and you don’t use it for anything, we recommend disabling it.

Source: F-Secure Weblog

March 22, 2008 | Alerts, Friends, Malware, Recommended External Security Related Links