    Archive for December, 2011




    Microsoft has released an advisory alerting its users to a critical vulnerability in ASP.NET (CVE-2011-3414). An attacker could bring down a server (denial of service) with specially crafted requests. Since all versions of ASP.NET are vulnerable, the exposure is large. The advisory was issued in response to a public disclosure presented at the 28th Chaos Communication Congress.

    The root cause of the problem is hash collisions. Most web applications use hash tables to store user-supplied inputs and form parameters. Because the inputs are supplied by users, attackers control which keys end up in those tables. In this particular attack, the attacker sends a very large number of key-value pairs whose keys all collide. If the language's hash implementation is not randomized, the attacker can predict which keys collide, so a large number of colliding entries all land in the same bucket. Resolving these collisions degrades every insertion or lookup into a linear scan of that bucket, so the work grows quadratically with the number of parameters and results in very high CPU usage.

    An interesting aspect of this attack is that it doesn’t only affect Microsoft products. Several other platforms, such as Apache Tomcat, Apache Geronimo, Oracle web applications, PHP, Python, Ruby, and Java, are also affected by the same issue. It is not a product-specific bug but a fundamental weakness in how hash table implementations handle attacker-chosen keys.
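    The mechanism described above, as an added example that is not from the original post: a toy chained hash table with a deliberately weak hash shows the quadratic work that colliding form keys cause, and a per-process keyed hash plus a cap on the number of form keys illustrate the two mitigations. The names weak_hash, keyed_hash, Table, parse_form and the colliding input are all constructed for this illustration, not any vendor's code.

```python
import hashlib, hmac, itertools, os

def weak_hash(key):
    # Deliberately weak and predictable: every anagram of a key collides with it.
    return sum(ord(c) for c in key)

def keyed_hash(key, seed):
    # Per-process secret seed: a remote attacker cannot predict bucket placement.
    return int.from_bytes(hmac.new(seed, key.encode(), hashlib.sha256).digest()[:8], "big")

class Table:
    """Minimal chained hash table that counts key comparisons during inserts."""
    def __init__(self, hash_fn, buckets=1024):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(buckets)]
        self.comparisons = 0

    def insert(self, key, value):
        bucket = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for i, (k, _) in enumerate(bucket):
            self.comparisons += 1      # every entry already in the chain is compared
            if k == key:
                bucket[i] = (key, value)
                return
        bucket.append((key, value))

def parse_form(body, hash_fn, max_keys=None):
    """Parse 'k=v&k2=v2' into a Table; max_keys is the request-size cap mitigation."""
    pairs = body.split("&")
    if max_keys is not None and len(pairs) > max_keys:
        raise ValueError("too many form keys: %d > %d" % (len(pairs), max_keys))
    table = Table(hash_fn)
    for pair in pairs:
        key, _, value = pair.partition("=")
        table.insert(key, value)
    return table

def colliding_body(n):
    # Constructed input: n distinct anagrams of 'abcdefgh', all equal under weak_hash.
    keys = ("".join(p) for p in itertools.permutations("abcdefgh"))
    return "&".join(k + "=1" for k in itertools.islice(keys, n))

def compare(n=2000):
    """Comparisons done by the weak and the keyed table for the same colliding body."""
    body = colliding_body(n)
    seed = os.urandom(16)
    weak = parse_form(body, weak_hash).comparisons          # n*(n-1)/2: quadratic
    keyed = parse_form(body, lambda k: keyed_hash(k, seed)).comparisons
    return weak, keyed
```

With 2,000 colliding keys the weak table performs roughly two million comparisons while the keyed table performs a few thousand; the max_keys cap rejects an oversized request before any hashing happens.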

    Trend Micro customers need not worry, as Deep Security provides protection with the rule 1004886 – Microsoft ASP.NET Hashes Denial Of Service Vulnerability (CVE-2011-3414). For more details, users may refer to the Trend Micro security advisory page in our Threat Encyclopedia.

    Because of its severity, users are also advised to immediately update their systems before they usher in the new year.

    Update as of January 9, 2012, 11:00 PM PST

    The Microsoft out of band update also addressed three other vulnerabilities:

    CVE-2011-3415:

    This vulnerability is a domain spoofing/open redirect vulnerability in the Forms Authentication feature of ASP.NET. An attacker can use a crafted URL to redirect users to an arbitrary website without their knowledge. The attack vector can be a crafted link, which leads to a phishing attack to steal sensitive information from the user, such as login credentials.

    Websites running ASP.NET are at risk from this vulnerability. Microsoft .NET Framework 2.0 SP2, 3.5 SP1, 3.5.1, and 4.0 are affected.
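    The check a login handler needs against the open redirect described above, as an added Python illustration that is not the original post's content and not Microsoft's fix: the supplied return URL is honoured only when it is a same-site path, and the common bypass shapes (absolute URL, scheme-only URL, protocol-relative URL, backslash variant, embedded whitespace) fall back to a default. The functions is_local_url and safe_return_url are constructed for this example.

```python
from urllib.parse import urlsplit

def is_local_url(url):
    """True only for a same-site path such as '/account?tab=1'.

    Rejects absolute URLs ('http://evil.example'), scheme-only tricks
    ('javascript:...'), protocol-relative URLs ('//evil.example') and the
    backslash variant ('/\\evil.example') that browsers normalise to '//'.
    """
    if not url or not url.startswith("/"):
        return False                      # empty, relative, or carries a scheme
    if len(url) > 1 and url[1] in "/\\":
        return False                      # '//host' or '/\\host' leaves the site
    if any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        return False                      # whitespace/control chars invite parser splits
    parts = urlsplit(url)
    return parts.scheme == "" and parts.netloc == ""

def safe_return_url(candidate, default="/"):
    """Post-login redirect target: the supplied ReturnUrl only if it is local."""
    return candidate if is_local_url(candidate) else default
```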

    CVE-2011-3416:

    This vulnerability is an authentication bypass flaw in ASP.NET. An attacker who successfully exploits it can gain complete access to a targeted user’s account and run arbitrary commands with that user’s privileges.

    Trend Micro Deep Security provides zero-day protection against such attacks with its heuristic-based rule 1000128 – HTTP Protocol Decoding.

    CVE-2011-3417:

    This vulnerability pertains to a specific configuration of ASP.NET: only systems with sliding expiration enabled are vulnerable. Once it is successfully exploited, an attacker can gain access to arbitrary user accounts on the system by sending specially crafted requests.

    The following rules in Trend Micro Deep Security provide protection to Trend Micro customers:

    • 1004886 – Microsoft ASP.NET Hashes Denial Of Service Vulnerability (CVE-2011-3414)
    • 1004887 – Microsoft ASP.NET Framework Forms Authentication URI Spoofing Vulnerability (CVE-2011-3415)
    • 1000128 – HTTP Protocol Decoding



    Attacks that use the holidays as a social engineering lure are starting to pour in as Christmas Day draws near. We recently found a page on Facebook that offers a Christmas theme for one’s profile. The page leads to malware that comes in the form of a browser plugin.




    …if there’s actual evidence, I have no doubt that law enforcement will act. However, I think this is highly unlikely.
    —Konstantin Poltev (spokesman of Esthost/Rove Digital), October 13, 2008

    In the past, some cybercriminals have been so brazen that they publicly declared that the chances they would ever be caught were slim. Today, however, it is time for them to think again. In 2011, historic steps were taken in the battle against cybercrime. Collaboration between law enforcement and the security industry led to important takedowns and arrests. Here are some of the highlights of 2011.

    Rustock

    On March 16, 2011, Microsoft took down the Rustock spam botnet. The simultaneous takedown of all of its command-and-control (C&C) servers led to the true death of the Rustock botnet. The Rustock zombies could not be resurrected because Microsoft made sure that all of the hard-coded domains Rustock used were no longer made available to bad actors. The gang behind the botnet was not arrested but Microsoft published advertisements in Russian newspapers offering a US$250,000 reward for anyone who gave information that led to the identification, arrest, and conviction of the minds behind Rustock. Microsoft’s lawyers used novel legal arguments to convince a federal court in Seattle that it had the right to seize the Rustock servers. This set an important legal precedent for future cases.

    Kelihos

    Taking down a large spam botnet has a huge impact on the spam volume and makes the Internet a safer place for everyone. However, some bad actors won’t stop committing crimes even if their botnet is taken down and even if bounty hunters are looking for them. Consider the case of the Kelihos spam botnet, believed to have been written by the same people responsible for Waledac, another botnet taken down in 2010.

    In September 2011, Microsoft once again convinced a federal judge to allow it to block all of the IP addresses and domains Kelihos’s C&C servers used without first informing the defendants. One of the defendants was explicitly named in the complaint—the owner of the cz.cc domain, one of the domains taken offline. This was a remarkable step as cz.cc was a so-called rogue second-level domain (SLD) name. The takedown of cz.cc meant that hundreds of thousands of subdomains, which were either illegitimately used or were used for Kelihos’s C&C servers, were taken offline. This sets an example for all other rogue SLDs to be more accountable for abuse incidents.

    CoreFlood

    CoreFlood was a botnet made up of hundreds of thousands of computers infected with a data-stealing Trojan. This particularly dangerous botnet was dismantled by the FBI in April 2011. The FBI took over its C&C servers and operated these until mid-June 2011. The FBI sent a stop command to the bots in the United States, causing the malware to exit. This was the first time the U.S. government took over the C&C infrastructure of a botnet and pushed a command to the bots so these became unreachable to the botmasters.




    Looking for a cheaper iPhone 4S this holiday season? Be wary, because cybercriminals can trick you into giving out your online financial credentials. We recently found a phishing attack that specifically targets users who are out to purchase an iPhone 4S through eBay.

    The attack involves domains that display replicated eBay posts for iPhone 4S units. The screenshots below show a sample of the fake page, and the original eBay post from which the content was copied.


    There are some differences between the two pages. For example, the real post uses the US dollar as its currency, while the fake post uses the euro. The price in the fake one is also dramatically lower. You’ll also notice that the post the cybercriminals chose to replicate is one by a seller with a good reputation, which helps gain the trust of potential victims.

    The fake eBay pages are hosted on attacker-controlled domains with /www.ebay.ie/ appended to the URL path, in order to trick users into thinking that it is the real eBay domain. All the links on the fake page lead to the legitimate site, except for “Buy It Now”. Clicking “Buy It Now” leads to a fake login page that asks users to enter personal information.




    Twitter’s list of trending topics appears to have been hit hard by another variant of the familiar “see who unfollowed you” scam:

    Significant numbers of tweets are being sent out that contain the message above: they claim that a certain number of people have unfollowed the poster and tell the reader to click on the link to find out who. A few hashtags are generally attached to the end of the tweet.

    What happens when you click on the link? You are redirected to a page for a “Followers Monitor”, which leads eventually to a page asking you to authorize an application to use your Twitter account. This rogue application is able to carry out such “minor” operations as reading your tweets, updating your profile, and even posting tweets on your behalf. If you actually give the app access, of course, the first thing it will do is post its own version of the spammed Tweet.




    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice