Tuesday, July 7, 2009

Yet another 0-day for Microsoft

Just a day ago a new vulnerability was released, and the bad guys are already using it in a big way: many websites have been compromised and are delivering malware via drive-by downloads.
I tried to look into it, and below is some useful information I found on the issue.

The first and foremost thing I found is that you cannot simply get infected unless you visit an infected site.
This vulnerability exists in the component that provides support for digital TV applications, which is installed by default on all versions of Windows XP. It is triggered when the 'MPEG2TuneRequest' ActiveX object is initialized with malformed input through its 'data' parameter. The vulnerability is mostly exploited when a user visits a maliciously crafted web page. Successful exploitation gives the attacker the privileges of the logged-on user; if those privileges are high enough, the attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft has already given a few workarounds.

1. Set the kill-bit for the ClassIDs associated with this Microsoft DirectShow component (msvidctl.dll).
I have included a .reg file below in this article that you can use to set the kill-bit: just copy and paste it into a .reg file and import it.

Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{011B3619-FE63-4814-8A84-15A194CE9CE3}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0149EEDF-D08F-4142-8D73-D23903D21E90}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0369B4E5-45B6-11D3-B650-00C04F79498E}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0369B4E6-45B6-11D3-B650-00C04F79498E}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{055CB2D7-2969-45CD-914B-76890722F112}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{15D6504A-5494-499C-886C-973C9E53B9F1}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1BE49F30-0E1B-11D3-9D8E-00C04F72D980}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1C15D484-911D-11D2-B632-00C04F79498E}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1DF7D126-4050-47F0-A7CF-4C4CA9241333}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2C63E4EB-4CEA-41B8-919C-E947EA19A77C}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{334125C0-77E5-11D3-B653-00C04F79498E}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{37B0353C-A4C8-11D2-B634-00C04F79498E}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{37B03543-A4C8-11D2-B634-00C04F79498E}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{37B03544-A4C8-11D2-B634-00C04F79498E}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{418008F3-CF67-4668-9628-10DC52BE1D08}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4A5869CF-929D-4040-AE03-FCAFC5B9CD42}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{577FAA18-4518-445E-8F70-1473F8CF4BA4}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{59DC47A8-116C-11D3-9D8E-00C04F72D980}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7F9CB14D-48E4-43B6-9346-1AEBC39C64D3}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{823535A0-0318-11D3-9D8E-00C04F72D980}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8872FF1B-98FA-4D7A-8D93-C9F1055F85BB}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8A674B4C-1F63-11D3-B64C-00C04F79498E}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8A674B4D-1F63-11D3-B64C-00C04F79498E}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9CD64701-BDF3-4D14-8E03-F12983D86664}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9E77AAC4-35E5-42A1-BDC2-8F3FF399847C}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A1A2B1C4-0E3A-11D3-9D8E-00C04F72D980}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A2E3074E-6C3D-11D3-B653-00C04F79498E}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A2E30750-6C3D-11D3-B653-00C04F79498E}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A8DCF3D5-0780-4EF4-8A83-2CFFAACB8ACE}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{AD8E510D-217F-409B-8076-29C5E73B98E8}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B0EDF163-910A-11D2-B632-00C04F79498E}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B64016F3-C9A2-4066-96F0-BD9563314726}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{BB530C63-D9DF-4B49-9439-63453962E598}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C531D9FD-9685-4028-8B68-6E1232079F1E}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C5702CCC-9B79-11D3-B654-00C04F79498E}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C5702CCD-9B79-11D3-B654-00C04F79498E}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C5702CCE-9B79-11D3-B654-00C04F79498E}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C5702CCF-9B79-11D3-B654-00C04F79498E}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C5702CD0-9B79-11D3-B654-00C04F79498E}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C6B14B32-76AA-4A86-A7AC-5C79AAF58DA7}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAAFDD83-CEFC-4E3D-BA03-175F17A24F91}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D02AAC50-027E-11D3-9D8E-00C04F72D980}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F9769A06-7ACA-4E39-9CFB-97BB35F0E77E}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FA7C375B-66A7-4280-879D-FD459C84BB02}]
"Compatibility Flags"=dword:00000400

2. If you are using any Snort-based IDS, you can use the following Snort rule to detect the attack and prevent it.


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Video ActiveX Control-Vulnerability Load"; flow:to_client,established; content:"clsid"; nocase; content:"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"; nocase; classtype:web-application-attack; sid:2009xxx; rev:0;)

XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX ---> stands for one of the class IDs listed above (replace it with each class ID in turn, one rule per class ID).
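As an added example (my code, not part of the original post or the Emerging Threats ruleset), this Python script parses the .reg file above to confirm every listed CLSID actually carries the 0x400 kill bit, and fills the rule template with a concrete CLSID for each entry. The two-entry excerpt with one flag deliberately zeroed, and the 1000000+ local sid range, are constructed assumptions.

```python
import re

KILL_BIT = 0x400  # Compatibility Flags bit that stops IE instantiating the control

# Constructed excerpt of the .reg file above: two of its CLSIDs, the second
# deliberately left without the kill bit so the check has something to report.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1BE49F30-0E1B-11D3-9D8E-00C04F72D980}]
"Compatibility Flags"=dword:00000000
"""

KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\"
                    r"ActiveX Compatibility\\\{([0-9A-Fa-f-]{36})\}\]$")
VAL_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')


def parse_killbits(reg_text):
    """Map every CLSID key in the .reg text to its Compatibility Flags value."""
    flags, clsid = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            clsid = m.group(1).upper()
            flags.setdefault(clsid, 0)   # a key with no value line counts as 0
        elif (m := VAL_RE.match(line)) and clsid:
            flags[clsid] = int(m.group(1), 16)
    return flags


def unkilled(flags):
    """CLSIDs whose flags lack the kill bit, i.e. the .reg file would not block them."""
    return sorted(c for c, v in flags.items() if not v & KILL_BIT)


def snort_rule(clsid, sid):
    """Fill the page's rule template with a concrete CLSID. The sid is a number
    you choose from your local range (assumption: 1000000+ is free in your ruleset)."""
    return ('alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any '
            '(msg:"ET CURRENT_EVENTS Microsoft Video ActiveX Control-Vulnerability Load"; '
            'flow:to_client,established; content:"clsid"; nocase; '
            f'content:"{clsid}"; nocase; classtype:web-application-attack; '
            f'sid:{sid}; rev:1;)')


def rules_for(reg_text, first_sid=1000001):
    """One detection rule per CLSID named in the .reg file, numbered from first_sid."""
    return [snort_rule(c, first_sid + i) for i, c in enumerate(sorted(parse_killbits(reg_text)))]
```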

=================================================================================================
A few more are in the link below.
http://doc.emergingthreats.net/bin/view/Main/2009493

References:
http://www.microsoft.com/technet/security/advisory/972890.mspx
http://isc.sans.org/diary.html?storyid=6733

Monday, March 9, 2009

New Variant: W32.Downadup.C

Guys, the new variant is out, as expected.
This is the third version of Downadup, called "W32.Downadup.C"; it is the update component for machines currently infected with older Downadup variants. This new variant gives infected machines more powerful commands to disable antivirus software and other detection and analysis tools. The update also stops the malware from self-replicating, so it behaves more like a Trojan than a worm.
The new variant of Downadup now generates 50,000 domains rather than the 250 generated in earlier versions, and also uses one of 116 possible domain suffixes.

Any process found on an infected machine that matches one of the names below is killed:

•    wireshark
•    unlocker
•    tcpview
•    sysclean
•    scct_
•    regmon
•    procmon
•    procexp
•    ms08-06
•    mrtstub
•    mrt.
•    mbsa.
•    klwk
•    kido
•    kb958
•    kb890
•    hotfix
•    gmer
•    filemon
•    downad
•    confick
•    avenger
•    autoruns

It lowers the security settings by deleting the following registry entry, which prevents the automatic startup of certain software:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"Windows Defender"

It disables Windows Security Alert notifications by deleting the following registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}

It also deletes the following registry entry to prevent the compromised computer from restarting in safe mode:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot

The security risk then copies itself to one of the following locations:
  • %ProgramFiles%\Internet Explorer\[RANDOM FILE NAME].dll
  • %ProgramFiles%\Movie Maker\[RANDOM FILE NAME].dll
  • %ProgramFiles%\Windows Media Player\[RANDOM FILE NAME].dll
  • %System%\Windows NT\[RANDOM FILE NAME].dll
I will update you more on this issue once I have more findings.

More in-depth information and removal instructions can be found here:

http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-030614-5852-99&tabid=2

Reference:
https://forums2.symantec.com/t5/Malicious-Code/W32-Downadup-C-Digs-in-Deeper/ba-p/393245


Tuesday, February 17, 2009

Exploitation of MS09-002

Today Trend Micro reported an exploit for the vulnerability covered by Microsoft Security Bulletin MS09-002 (CVE-2009-0075).

Successful exploits allow attackers to execute arbitrary code in the context of the user running Internet Explorer.

So far, exploitation of this issue has been limited to targeted attacks. The exploit is delivered to the user as a malicious .doc file. When the user opens the file, an ActiveX control included in it tries to download and open a malicious HTML file that is specifically designed to exploit this issue. On successful exploitation, a backdoor is installed on the vulnerable computer. The malicious code is then used to steal information from the exploited computer and send it to a remote computer over TCP port 443.

Till now I have only this much info; when I get more, I will update you.

Remedy:
Cumulative Security Update for Internet Explorer (961260)
http://www.microsoft.com/technet/security/Bulletin/MS09-002.mspx

Reference:
Patch Microsoft Internet Explorer Uninitialized Memory Remote Code Execution Vulnerability

http://www.securityfocus.com/bid/33627
http://blog.trendmicro.com/another-exploit-targets-ie7-bug/

Sunday, February 15, 2009

Kaspersky Hacked by SQL injection

Hi readers, though it's a week-old event, I still thought I would put across what exactly happened with two antivirus vendors, Kaspersky (usa.kaspersky.com) and BitDefender.

Someone (a hacker) broke into their database and released information on 40,000+ customers.

He did it with a SQL injection on their websites. He calls himself UNU on HackersBlog.org; have a look.


Some more info on this is at the URLs below.


http://technicalinfodotnet.blogspot.com/2009/02/kaspersky-usa-portal-sql-injection.html

http://www.darkreading.com/security/attacks/showArticle.jhtml;jsessionid=BE4VOR3YATACEQSNDLPSKH0CJUNN2JVN?articleID=213401799


Friday, February 13, 2009

Trojan.Brisv.A Infection toll again

There is an old trojan that has started taking its toll again. Symantec names it Trojan.Brisv.A; although it was discovered in July last year, it is also known as W32/GetCodec-A by Sophos. How it is delivered is very simple: it basically comes through P2P and/or warez sites. When someone looks for cracks or keygens, what they download is trojan-infected files, and once activated by opening those files, the trojan infects all the media files on the victim's system, such as ASF, WMV, WMA, MP2 and MP3.

When these media files are accessed they trigger a connection to malicious links, from which the trojan receives an encrypted file with more malicious URLs to download various malware files. This trojan basically injects a script command into the media file header. The script command in this case is "URLANDEXIT", followed by a URL (in this case a malicious URL), which is opened with the victim's default browser when the media file is played.

As I have seen in different information sources, this now goes to hxxp://isvbr.net, where it gets a 302 redirect to a website named hxxp://www.play-error.com, which lets the user download a .reg file to "fix" the problem of the media file not opening and playing. This site is also delivering multiple payloads and other malware.

You can use the following tool to see whether any script command is embedded in the infected media files, or in a file you downloaded from the internet and are unable to play.

http://handlers.sans.org/bzdrnja/findasfcommands.zip

How to use it: http://isc.sans.org/diary.html?storyid=4664
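As an added example of what such a scanner does (my code, not the SANS tool linked above), this Python script locates the ASF Script Command Object in a file and lists the URL each URLANDEXIT command would hand to the browser. The object layout parsed here follows my reading of the ASF specification and is an assumption; the sample file and its placeholder URL are constructed.

```python
import struct
import uuid

# Object ID of the ASF Script Command Object. The field layout parsed below
# (reserved GUID, two WORD counts, length-prefixed UTF-16LE names) follows my
# reading of the ASF specification and is an assumption, not the SANS tool's code.
SCRIPT_COMMAND_OBJECT = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6").bytes_le


def _wstr(buf, off):
    """Read a WORD character count followed by that many UTF-16LE characters."""
    (n,) = struct.unpack_from("<H", buf, off)
    off += 2
    return buf[off:off + 2 * n].decode("utf-16-le"), off + 2 * n


def script_commands(data):
    """Return [(command_type, command_name)] for every Script Command Object in data."""
    found, pos = [], data.find(SCRIPT_COMMAND_OBJECT)
    while pos >= 0:
        off = pos + 16 + 8 + 16          # object id, object size (QWORD), reserved GUID
        n_cmds, n_types = struct.unpack_from("<HH", data, off)
        off += 4
        types = []
        for _ in range(n_types):         # type table, e.g. "URLANDEXIT"
            name, off = _wstr(data, off)
            types.append(name)
        for _ in range(n_cmds):          # commands referencing the type table by index
            off += 4                     # presentation time in ms, not needed here
            (idx,) = struct.unpack_from("<H", data, off)
            name, off = _wstr(data, off + 2)
            found.append((types[idx] if idx < len(types) else "?", name))
        pos = data.find(SCRIPT_COMMAND_OBJECT, off)
    return found


def url_and_exit_targets(data):
    """URLs the player would open in the default browser: the Brisv.A indicator."""
    return [name for ctype, name in script_commands(data) if ctype.upper() == "URLANDEXIT"]


def _w(s):
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")

# Constructed sample: a minimal Script Command Object with one URLANDEXIT command
# pointing at a placeholder URL (not a real indicator from the post).
_body = (b"\x00" * 16 + struct.pack("<HH", 1, 1) + _w("URLANDEXIT")
         + struct.pack("<IH", 0, 0) + _w("http://malicious.invalid/codec"))
SAMPLE_ASF = (b"header junk" + SCRIPT_COMMAND_OBJECT
              + struct.pack("<Q", 24 + len(_body)) + _body + b"trailing data")
```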

More detailed analysis is given here:

http://safeweb.norton.com/report/show?url=http%3A%2F%2Fwww.isvbr.net&x=0&y=0
http://blog.threatexpert.com/2009/02/trojan-getcodecbrisv-comes-back-again.html

Removal Instruction:
http://www.symantec.com/security_response/writeup.jsp?docid=2008-071823-1655-99&tabid=3

Removal Tool:
http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixBrisvA.exe