<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>SecurityNowBlog&#187; SecurityNowBlog-Network Security</title>
	<atom:link href="http://www.blueridgenetworks.com/securitynowblog/category/endpoint_security/feed" rel="self" type="application/rss+xml" />
	<link>http://www.blueridgenetworks.com/securitynowblog</link>
	<description>Secure Communications</description>
	<lastBuildDate>Fri, 23 Jul 2010 18:56:14 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>AppGuard Snuffs-Out Windows LNK Vulnerability Zero-Day Attacks</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/computer-advanced-persistent-threat-protection-windows-lnk-vulnerability-zero-day-attacks</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/computer-advanced-persistent-threat-protection-windows-lnk-vulnerability-zero-day-attacks#comments</comments>
		<pubDate>Thu, 22 Jul 2010 16:02:26 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>

		<guid isPermaLink="false">http://www.blueridgenetworks.com/securitynowblog/?p=310</guid>
		<description><![CDATA[Microsoft issued a critical security advisory on Friday (16 July 2010) concerning a vulnerability affecting most Windows operating systems.  Security pundits consider it an extremely serious vector for advanced persistent threats (APT).  Speculation suggests no Microsoft patch until August 10, and none ever for Windows XP SP2, which is out of support.  This vulnerability poses little risk to AppGuard [...]]]></description>
			<content:encoded><![CDATA[<p>Microsoft issued a critical security advisory on Friday (16 July 2010), Security Advisory 2286198 (CVE-2010-2568), concerning a vulnerability affecting most Windows operating systems.  Security pundits consider it an extremely serious vector for advanced persistent threats (APT).  Speculation suggests no Microsoft patch until August 10, and none ever for Windows XP SP2, which is out of support.  This vulnerability poses little risk to <a title="Advanced Persistent Threat Protection for Windows Users from LNK Zero Day Vulnerability" href="http://www.blueridgenetworks.com/products/appguard.php" target="_self">AppGuard</a> or <a title="Advanced Persistent Threat Protection from Zero Day Windows LNK Vulnerability" href="http://www.blueridgenetworks.com/products/appguard-enterprise.php" target="_self">AppGuard Enterprise</a> protected Windows computers, even XP SP2.<span id="more-310"></span></p>
<p style="text-align: right;"><img class="size-medium wp-image-311" title="appguard6432beta" src="http://www.blueridgenetworks.com/securitynowblog/wp-content/uploads/2010/07/appguard6432beta-300x38.jpg" alt="Participants Get Free Lifetime License for 3 PC's" width="300" height="38" /></p>
<p style="text-align: right;"><span style="color: #ff6600;"><strong>Free Lifetime License to Beta Participants, up to 3 PC&#8217;s</strong></span></p>
<p><strong>Vulnerability/Exploit Background</strong></p>
<p>The vulnerability involves shortcuts, the items most commonly found on a PC&#8217;s desktop and taskbar.  Any shortcut, which is simply a file with an .LNK extension, located anywhere, can be used.  A crafted shortcut names a DLL as the source of its icon; when Windows Explorer renders that icon it loads the DLL and runs its code, with no click required.  Most exploits in the wild ride on USB drives: opening the drive&#8217;s folder in Explorer is enough, and AutoPlay may open that folder for the user upon insertion.  Similarly, in the enterprise, attackers drop these LNK files onto network shares, where simply browsing the share has the same effect.</p>
<p>The malware name most commonly associated with this exploit is Stuxnet.  There is also a downloader, a generic first-stage malware that attackers launch from user-space once they have exploited a software vulnerability; it assesses the host, fetches the persistent malware and supporting files, and installs them for permanent use.  This downloader implants malicious LNK files as well as an executable.  It also attempts to add a value under the HKCU\&#8230;\Run registry key so that the permanent malware executable launches every time Windows starts.  Also of interest, the hash of the downloaded file changes with each download, making detection by signature-based anti-virus/spyware products highly unlikely.  Names for the downloader include: W32.Changeup (Symantec), W32/Autorun.BFG (Sophos), Win32/AutoRun.VB.RD (Eset), Worm:Win32/Vobfus.R (Microsoft), Download-CJX (McAfee), TR/Dldr.Gaat.B (Avira).</p>
<p>The most important thing for enterprise desktop administrators or advanced home users to know is that this vulnerability lets an attacker run arbitrary code by having the shell load a DLL of the attacker&#8217;s choosing.  That DLL must be reachable at the path the shortcut names, which in the samples seen so far means alongside the LNK on the same removable drive or network share.  Without it, a malicious shortcut is moot.  Think of this vulnerability as a trigger, which is useless without a bullet (i.e., the malicious DLL).  Does the LNK vulnerability alone represent a complete attack?  No.  Combined with a payload, and with further exploits to escalate privilege and persist, it becomes a zero-day attack chain.</p>
<p>Microsoft recommends disabling shortcut icon rendering, among other workarounds.  AppGuard and AppGuard Enterprise protected machines need not implement these workarounds, though applying them adds another layer of protection.</p>
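<p>To show what a defender can check for on a suspect drive or share, here is an added example (my own code, not from Blue Ridge, Microsoft, or any anti-virus vendor).  It parses the fixed ShellLinkHeader and the LinkTargetIDList of a .LNK file and flags shortcuts whose ID list enters the Control Panel folder and then names a .dll or .cpl, the shape of a shortcut that makes Explorer load a module to draw an icon.  The header layout and the two CLSIDs come from the published Shell Link format; the heuristic is mine, and the sample shortcut bytes are constructed to exercise the parser, not taken from a real Stuxnet file.</p>

```python
import re
import struct

HEADER_SIZE = 0x4C                      # fixed ShellLinkHeader size
HAS_LINK_TARGET_ID_LIST = 0x00000001    # LinkFlags bit: an IDList follows the header
# {00021401-0000-0000-C000-000000000046}, the Shell Link CLSID, as laid out on disk
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# {21EC2020-3AEA-1069-A2DD-08002B30309D}, the Control Panel folder CLSID, same layout
CONTROL_PANEL_CLSID = bytes.fromhex("2020ec21ea3a6910a2dd08002b30309d")
# A UTF-16LE run of printable ASCII ending in .dll or .cpl (what the shell would load)
UTF16_MODULE_PATH = re.compile(
    rb"(?:[\x20-\x7e]\x00)+?\.\x00(?:d\x00l\x00l\x00|c\x00p\x00l\x00)", re.IGNORECASE)


def is_shell_link(data: bytes) -> bool:
    """True if the bytes start with a well-formed ShellLinkHeader."""
    return (len(data) >= HEADER_SIZE
            and struct.unpack_from("<I", data, 0)[0] == HEADER_SIZE
            and data[4:20] == SHELL_LINK_CLSID)


def parse_id_list(data: bytes):
    """Return the ItemIDs of the LinkTargetIDList (empty list if the shortcut has none)."""
    if not is_shell_link(data):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return []
    id_list_size = struct.unpack_from("<H", data, HEADER_SIZE)[0]
    pos = HEADER_SIZE + 2
    end = min(pos + id_list_size, len(data))      # never trust the declared size blindly
    items = []
    while pos + 2 <= end:
        item_size = struct.unpack_from("<H", data, pos)[0]
        if item_size < 2:                         # TerminalID (0) or a corrupt size
            break
        items.append(data[pos + 2:pos + item_size])
        pos += item_size
    return items


def cpl_payload_path(data: bytes):
    """Path of the module a Control-Panel-style shortcut would make Explorer load, or None."""
    if not is_shell_link(data):
        return None
    control_panel_seen = False
    for item in parse_id_list(data):
        if CONTROL_PANEL_CLSID in item:
            control_panel_seen = True
            continue
        if control_panel_seen:
            match = UTF16_MODULE_PATH.search(item)
            if match:
                return match.group(0).decode("utf-16-le")
    return None


def build_sample_lnk(module_path: str, via_control_panel: bool = True) -> bytes:
    """Constructed test shortcut (header + IDList only); not a real malicious sample."""
    header = (struct.pack("<I", HEADER_SIZE) + SHELL_LINK_CLSID
              + struct.pack("<I", HAS_LINK_TARGET_ID_LIST) + bytes(52))
    items = []
    if via_control_panel:
        items.append(b"\x1f\x80" + CONTROL_PANEL_CLSID)   # folder item carrying the CLSID
    items.append(b"\x00\x00" + module_path.encode("utf-16-le") + b"\x00\x00")
    body = b"".join(struct.pack("<H", len(item) + 2) + item for item in items) + b"\x00\x00"
    return header + struct.pack("<H", len(body)) + body


if __name__ == "__main__":
    for path in (r"E:\payload.dll", r"\\fileserver\share\payload.DLL"):
        print(path, "->", cpl_payload_path(build_sample_lnk(path)))
    print("plain shortcut ->", cpl_payload_path(build_sample_lnk(r"C:\Program Files\App\app.exe", False)))
```

<p>Run it over the .lnk files on a removable drive or network share: a legitimate shortcut&#8217;s ID list ends in a file or folder item, not in a module path reached through the Control Panel folder.  It is only a heuristic; a hit is a reason to pull the named file for analysis, not proof of infection, and a shortcut that reaches the same code path through an encoding this regex does not match will be missed.</p>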
<p><strong>How AppGuard Defeats LNK Exploits</strong></p>
<p>A Stuxnet or similar malware attack usually begins somewhere in user-space, which is any hard drive or removable media location where an end-user without local admin rights can write.  User-space is the preferred initial landing site for any attack because it is always writable, whereas system-space is not when the target PC is running without local admin rights.</p>
<p>AppGuard only allows executables to launch from within user-space if they are on the &#8216;guard list&#8217;, which may be regarded as a white list.  So the malicious executable cannot launch from user-space, period.  This includes USB drives too.  AppGuard Enterprise, where PCs frequently encounter network drives, treats those drives as user-space as well.</p>
<p>The attackers must therefore get their malicious executable into system-space before their LNK trigger can be of use.  System-space is defined as the Windows and Program Files directories and their children.  AppGuard places at-risk applications &#8216;under guard&#8217;.  Typically one guards web browsers, email clients, Adobe Reader, Microsoft Office, and other applications that consume files and communications from potentially unknown origins.  &#8216;Guarded&#8217; applications can write neither into system-space nor into the Windows registry keys that trigger executable launches.</p>
<p>So attackers cannot launch malicious executables from user-space, and they cannot exploit vulnerabilities in guarded applications to plant a persistent malicious executable (the &#8216;APT&#8217;) in system-space.  Therefore the Windows LNK vulnerability poses little risk to AppGuard or AppGuard Enterprise protected computers.</p>
<p><strong><span style="color: #800000;">Update: New Zero Day Protection Feature Called MemoryGuard Alone Kills Some Windows LNK Based Attacks</span></strong></p>
<p>We tested the downloader mentioned above with drive-by download protection disabled (the feature that prevents executable launches from user-space), so that nothing restricted it but the MemoryGuard protection feature, currently in beta.  MemoryGuard blocked the downloader&#8217;s attempts to inject code into every available process on the test host.  Below is a screenshot:</p>
<div id="attachment_321" class="wp-caption aligncenter" style="width: 443px"><img class="size-full wp-image-321" title="Rieonim_LNK Malware Blocked by MG2" src="http://www.blueridgenetworks.com/securitynowblog/wp-content/uploads/2010/07/Rieonim_LNK-Malware-Blocked-by-MG21.jpg" alt="Zero Day Protection from Advanced Code Injection Attacks" width="433" height="489" /><p class="wp-caption-text">Zero Day Protection from Advanced Code Injection Attacks</p></div>
<p><strong>Can AppGuard Do Even More?</strong></p>
<p>Yes.  AppGuard users and administrators can add three executables to the &#8216;guard list&#8217;:</p>
<ul>
<li>rundll32.exe</li>
<li>cmd.exe</li>
<li>regsvr32.exe</li>
</ul>
<p>With the forthcoming summer releases of <a title="Advanced Persistent Threat Protection for Windows Users from LNK Zero Day Vulnerability" href="http://www.blueridgenetworks.com/products/appguard.php" target="_self">AppGuard</a> and <a title="Advanced Persistent Threat Protection from Zero Day Windows LNK Vulnerability" href="http://www.blueridgenetworks.com/products/appguard-enterprise.php" target="_self">AppGuard Enterprise</a>, these will be guarded by default, because attackers sometimes use these Windows facilities to run their own code.</p>
<p>Legitimate software installations and patches use these facilities too.  Thus one should suspend all AppGuard protections while installing or patching.  Consumers need only right-click the AppGuard tray icon and select &#8216;suspend all&#8217;.  Enterprise users should always test installs.  They have an additional feature whereby they can define power applications, such as patch management or desktop configuration software, which tells AppGuard to allow them to do what they wish.</p>
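<p>The user-space versus system-space rule described above, and the reason rundll32.exe, cmd.exe and regsvr32.exe deserve extra scrutiny, can be turned into a small audit of the Run key entries the downloader tampers with.  What follows is an added example written for this page; it is my own simplified model of the policy the post describes, not AppGuard&#8217;s code or its real rules.  The system-space roots, the stand-in for PATH lookup, and the sample Run values are all constructed for the demo.</p>

```python
import ntpath

# Directory roots the post calls "system-space"; everything else (USB and network drives
# included) is "user-space". Drive letter assumed; a real policy would read %SystemRoot%.
SYSTEM_SPACE_ROOTS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")
# Constructed stand-in for how a bare program name in a Run value resolves via PATH
DEFAULT_SEARCH_DIR = r"C:\Windows\System32"
# The three hosts the post suggests guarding: they run whatever path is on their command line
PROXY_HOSTS = {"rundll32.exe", "cmd.exe", "regsvr32.exe"}


def normalize(path: str) -> str:
    r"""Canonical, case-folded NT path, so C:\Windows\..\Users\x.exe is seen as user-space."""
    p = ntpath.normpath(path.strip().strip('"'))
    if not ntpath.splitdrive(p)[0] and "\\" not in p:   # bare name: resolve as the shell would
        p = ntpath.join(DEFAULT_SEARCH_DIR, p)
    return p.upper()                                     # NTFS paths are case-insensitive


def is_system_space(path: str) -> bool:
    p = normalize(path)
    if p.startswith("\\\\"):                             # UNC share: user-space (Enterprise rule)
        return False
    return any(p.startswith(normalize(root) + "\\") for root in SYSTEM_SPACE_ROOTS)


def evaluate_launch(path: str, allow_list=()) -> str:
    """The post's rule: system-space launches allowed; user-space launches only if allow-listed."""
    if is_system_space(path):
        return "allow"
    allowed = {normalize(a) for a in allow_list}
    return "allow" if normalize(path) in allowed else "block"


def tokenize(command: str):
    """Split a Windows command line on whitespace, honouring double quotes (enough for Run values)."""
    tokens, current, quoted = [], [], False
    for ch in command:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def evaluate_run_value(command: str, allow_list=()) -> str:
    """Verdict for one Run value: the program itself, plus any user-space path handed to a proxy host."""
    tokens = tokenize(command)
    if not tokens:
        return "block"
    program = tokens[0]
    verdict = evaluate_launch(program, allow_list)
    if verdict == "allow" and ntpath.basename(program).lower() in PROXY_HOSTS:
        for arg in tokens[1:]:
            candidate = arg.split(",")[0]                # rundll32 syntax is <dll>,<entrypoint>
            if ntpath.splitdrive(candidate)[0] or candidate.startswith("\\\\"):
                if evaluate_launch(candidate, allow_list) == "block":
                    return "block"
    return verdict


# Constructed sample of a user's Run key; not real registry data
SAMPLE_RUN_VALUES = {
    "ctfmon": r"C:\Windows\System32\ctfmon.exe",
    "Updater": r'"C:\Program Files\Example Vendor\updater.exe" /background',
    "svchost": r"C:\Users\alice\AppData\Roaming\svchost.exe",          # user-space masquerade
    "Loader": r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\a.dll",Start',
    "Sneaky": r"C:\Windows\..\Users\alice\evil.exe",                     # traversal out of system-space
    "Share": r"\\fileserver\public\tool.exe",
}


def audit(run_values=SAMPLE_RUN_VALUES, allow_list=()):
    """Map each Run value name to its verdict."""
    return {name: evaluate_run_value(cmd, allow_list) for name, cmd in run_values.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{verdict:5}  {name}: {SAMPLE_RUN_VALUES[name]}")
```

<p>The two cases worth noticing are &#8216;Loader&#8217;, where the program is a legitimate system-space binary but the DLL it is told to run lives in a temp directory, and &#8216;Sneaky&#8217;, which only looks like system-space until the path is normalized.  Any allow-list decision made on the raw string rather than the canonical path would get both wrong.</p>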
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/computer-advanced-persistent-threat-protection-windows-lnk-vulnerability-zero-day-attacks/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Parental Controls Coming to AppGuard Soon</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/parental-controls-zero-day-malware-protection-family-computer</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/parental-controls-zero-day-malware-protection-family-computer#comments</comments>
		<pubDate>Wed, 07 Jul 2010 20:16:30 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>

		<guid isPermaLink="false">http://www.blueridgenetworks.com/securitynowblog/?p=307</guid>
		<description><![CDATA[AppGuard parental controls protect the family from what the family members do not know or appreciate about information security]]></description>
			<content:encoded><![CDATA[<p>Since AppGuard was released in 2008 for consumers, many parents have requested some form of parental controls that protect the family from what the family members do not know or appreciate about information security.  With the release of AppGuard 2.0 within the next month, Blue Ridge delivers parental controls.<span id="more-307"></span></p>
<p>There is no password that locks AppGuard policies. We wish to avoid issues associated with lost passwords. Instead, our approach leverages the existing Windows user account credentials on a PC. So, &#8220;family&#8221; computers must have at least two Windows user accounts to utilize our parental controls, which SHOULD always be so, though it isn&#8217;t. Folks new to having a separate local admin account should make certain their password is never lost as consequences can be disastrous (a public service announcement!).</p>
<p>Let&#8217;s clarify something regarding this &#8216;two Windows user accounts&#8217; minimum requirement for our parental controls.</p>
<ul>
<li>Each and every Windows (or Mac or Linux for that matter) PC <strong>must</strong> have at least one account with local admin rights</li>
<li>Each and every Windows (or Mac or Linux for that matter) PC <strong>should</strong> have at least one non-admin account for day-to-day use of the PC</li>
<li>This adds up to two unique login accounts per PC, if one follows Microsoft recommended practices</li>
<li>AppGuard requires nothing more</li>
</ul>
<p><strong>Getting Started with Parental Controls</strong></p>
<p>Until a user clicks on the AppGuard &#8216;Advanced&#8217; button and activates the &#8216;Parental Controls&#8217;, no user is restricted in what may be done via AppGuard. Once &#8216;parental controls&#8217; are activated, one must enter &#8220;super user mode&#8221; to edit parental controls. The Windows account used to first activate parental controls is endowed with &#8220;super user mode&#8221; privileges. AppGuard associates those that may run &#8220;super user mode&#8221; with Windows user accounts, which are not required to possess Windows local admin rights. To enter &#8220;super user mode&#8221;, one must click on the AppGuard &#8220;Advanced&#8221; button, answer the Windows authentication challenge (does not involve logging in or out of a Windows account), and then the parental controls dialog is displayed.  BTW, by leveraging Windows authentication and authorization infrastructure, we keep AppGuard lean.</p>
<p>Parental control is a variant of our TamperGuard technology. Only a Windows account with local admin rights and with &#8220;super user mode&#8221; enabled may uninstall AppGuard. If AppGuard detects that there are no longer any &#8220;super user&#8221; accounts, the uninstall feature as well as parental controls in general would be disabled.</p>
<p>A user that has simply logged into a Windows account that is authorized to employ &#8220;super user mode&#8221; has not yet enabled this mode. One must click on a button in the AppGuard GUI, which initiates a Windows authentication challenge prompt; once answered, &#8220;super user mode&#8221; is activated and one may edit parental controls, allowing one to:</p>
<ul>
<li>Enable, disable, and edit parental controls</li>
<li>Uninstall AppGuard</li>
<li>Designate specific Windows accounts as having &#8220;super user mode&#8221; privileges</li>
</ul>
<p>Thus, from an AppGuard parental controls perspective, there are two types of AppGuard users (or Windows user accounts), those with and those without the &#8220;super user mode&#8221; privilege. Windows accounts with the &#8220;super user mode&#8221; privilege are in no way restricted by parental controls; other Windows accounts are.</p>
<p>If someone without &#8220;super user mode&#8221; privileges needs help from someone with them to temporarily remove an obstacle, the privileged person does not have to log the other user out of Windows and log in under their own account. Instead, that person simply navigates to AppGuard, clicks on the &#8216;Advanced&#8217; button, answers the authentication challenge, and has &#8220;super user mode&#8221; enabled. When it is no longer needed, return there and log out of &#8220;super user mode&#8221; (not the Windows account) to return things to normal.</p>
<p><strong>Ideal for Families with Kids Playing Games that Require &#8216;Local Admin Rights&#8217;</strong></p>
<p>For reasons that escape me (I&#8217;m not a computer gamer), many computer games cannot be fully used unless run from a Windows user account that possesses local admin rights.  Maybe the game needs to write into its &#8216;Program Files&#8217; directory, maybe something else.  Whatever the reason, this motivates folks to run a PC with local admin rights on a daily basis, which is a very bad security practice.  AppGuard does a very good job of removing the risks.  But, as a security solutions vendor for over 15 years, we always recommend layered defenses, which means running PCs without local admin rights except when installing, configuring, or updating software.</p>
<p>With parental controls in place, a family member can do far less harm through direct action or foolishness.  They cannot uninstall AppGuard.  And, when combined with a new feature also coming in version 2.0 called InstallGuard, they cannot install most software, even though they have local admin rights.  They also cannot launch potentially dangerous applications (executables) from user-space (e.g., My Documents, Desktop, etc.) if AppGuard&#8217;s parental control settings forbid it.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/parental-controls-zero-day-malware-protection-family-computer/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Federal Telecommuting-Good and Bad Advice</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/federal-telecommuting-antivirus-data-leak-protection</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/federal-telecommuting-antivirus-data-leak-protection#comments</comments>
		<pubDate>Mon, 21 Jun 2010 17:46:05 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>

		<guid isPermaLink="false">http://www.blueridgenetworks.com/securitynowblog/?p=302</guid>
		<description><![CDATA[Protecting federal interests from the security risks of telecommuting from employee-owned Windows PCs by providing, or insisting on, a recommended anti-virus suite is like asking someone wearing an Israeli t-shirt to walk the streets of the West Bank protected by nothing but a helmet.  Yes, the helmet can do some good.  But, for the most part, it is symbolic, worthless protection.  There is, however, a practical solution to federal telecommuting.]]></description>
			<content:encoded><![CDATA[<p>Protecting federal interests from the security risks of telecommuting from employee-owned Windows PCs by providing, or insisting on, a recommended anti-virus suite is like asking someone protected by nothing but a helmet to walk into a hot combat zone.  Yes, the helmet can do some good.  But, for the most part, it is symbolic, worthless protection.  There is, however, a practical solution to federal telecommuting.<span id="more-302"></span></p>
<p>This blog post was inspired by an article at GCN (Government Computer News) called &#8220;5 Top Security Suites for Teleworks&#8221;, 17 June 2010.  The author, Carlos Soto, reviewed leading consumer anti-virus/spyware software so that federal agencies inclined to subsidize or require such software on the home computers of telecommuting employees could choose the best product for the job.  On the surface, it&#8217;s sound advice.  A safer PC reduces federal data leak and malware intrusion risks, right?  But what if this advice amounts to encouraging federal agencies to do something foolish, such as going into harm&#8217;s way with a target on your back and nothing but a helmet?</p>
<p>Employee-owned Windows PCs are more likely to be already infested than not.  And those not, soon will be.  Consider this, Cyveillance and AV-Comparatives measured the effectiveness of numerous antivirus products against newly created malware finding average detection rates of 25% and 44% in 2010, respectively.</p>
<p>And as more than half of these PCs operate with local admin rights accounts, they may well be infested with rootkit based malware.  Such infestations are detectable when sloppy code is used by cyber criminals.  Otherwise, where 3rd generation rootkits are used (available on the black market cheap), when the AV asks the OS for a list of files in a directory to be scanned, for example, the AV receives an incomplete list because the OS has been ‘brainwashed’ and coerced to lie on behalf of the malware.</p>
<p>So, if federal agencies intend to practice safe telework, it&#8217;s not simply a matter of whether employees practice safe computing from now on, but whether they have always done so.</p>
<p style="text-align: right; "><em><span style="color: #808080;">While an employee&#8217;s computer is untrustworthy until you know otherwise, this has no bearing on the integrity of the employee.</span></em></p>
<p>I’m afraid matters are even more complicated.  More and more households have multiple computers operating within a home network.  One infected PC leads to infections of the others.  However, from the federal agency perspective, the &#8216;other&#8217; infected PCs are a severe data leak risk.  They can launch a DNS poisoning attack, an SSL man-in-the-middle attack, a man-in-the-browser attack, or numerous others that effectively steal sensitive data from all other computers in the home network.  In other words, federal agencies must consider home networks untrustworthy.  In short, federal telecommuting solutions must regard both the employee-owned computer as well as the employee-managed home network as untrustworthy!</p>
<p>There’s yet more.  Each of us values convenience.  What percentage of federal telecommuting employees are saving work documents on their home computers?  Each employee home computer represents a potentially embarrassing security breach.  For these reasons and others, agencies that can afford to provide telecommuters with laptops do so.  One hopes these include properly configured full disk encryption with two-factor authentication.  Anything less means not only data loss from a lost or stolen laptop but also another potential security breach.  A key take-away: any data or document that is free to leave the enterprise becomes a potential liability to it, in other words an asset to be managed, though it usually is not.</p>
<p><strong>Getting Practical</strong></p>
<p>Blue Ridge offers a solution called Pixie that allows for the safe use of employee-owned computers with virtually no malware or data leak risks.  An employee inserts the Pixie USB device into their PC, Pixie generates a virtual workspace, securely connected to the enterprise via a virtual VPN appliance, and when the employee is finished doing whatever one might do from a typical Microsoft Office environment with access to all of the user’s network drives, no data or document from the telecommuting session remains on the employee’s PC.  No malware from the employee&#8217;s PC sneaks in, and no sensitive federal data or document leaks out.  If you&#8217;d like to know more about how this works, look at this <a title="Data Leak Free Without Malware Remote Access Telework Solution" href="http://www.blueridgenetworks.com/products/pixie/telework-endpoint-security-data-leakage-ssl-vpn-vulnerabilities-ipsec.php" target="_self">page on Pixie Telework</a>.  If you&#8217;d like to speak with another federal organization already using Pixie, <a title="Enterprise Data Protection and Remote Access Solution" href="http://www.blueridgenetworks.com/company/contact_us.php" target="_self">contact us</a> and we&#8217;ll make an introduction.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/federal-telecommuting-antivirus-data-leak-protection/feed</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Banking Trojans Stealing from Countless Commercial Bank Accounts</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/banking-trojan-zeus-two-factor-antivirus-loss-thousands</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/banking-trojan-zeus-two-factor-antivirus-loss-thousands#comments</comments>
		<pubDate>Wed, 24 Mar 2010 17:13:07 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>

		<guid isPermaLink="false">http://www.blueridgenetworks.com/securitynowblog/?p=282</guid>
		<description><![CDATA[Countless SMB's Losing $100,000's to Banking Trojans Despite Up-to-Date Anti-Virus/Spyware Software]]></description>
			<content:encoded><![CDATA[<div class="mceTemp">A perfect storm threatens to empty commercial bank accounts of small to medium businesses (SMB).  The combination of new malware (i.e., only a day old) that routinely eludes traditional anti-virus/spyware products and the proliferation of plug-and-play tools that enables numerous, low skill cyber criminals to launch attacks with this new malware is unleashing a wave of attacks on SMBs.  SMBs tend not to monitor their commercial bank accounts on a daily basis.  As a result, a single attack siphons over $100,000 from accounts before discovery.  After 24 hours, the odds of recovery decline dramatically, and banks are not obligated to cover losses.<span id="more-282"></span></div>
<h1>Banking Trojans Targeting SMB Are Sweeping Across America</h1>
<p>A recent survey of over 500 SMB organizations surfaced some alarming statistics (conducted by the Ponemon Institute and Guardian Analytics):</p>
<ul>
<li>55% of the SMBs experienced a fraud attack in the last year</li>
<li>58% of the incidents involved online banking</li>
<li>Over 50% experienced multiple incidents</li>
<li>87% failed to fully recover lost funds</li>
</ul>
<p>From a separate study of 50 SMBs that fell prey to online banking Trojans in 2009, they initially lost $157,000 on average.  Those that discovered the fraudulent bank transfers and notified their banks within 24 hours recovered significantly more than those that did not.  On average, the victim SMBs recovered approximately 44% of their initial losses.</p>
<h1>Risks to SMBs Under-Reported Due to Lack of Government Oversight</h1>
<p>SMB decision-makers are unaware of their growing risks from online banking fraud because no government entity tracks and reports the number of victim organizations and the amounts lost.  Until banks start losing money, the Federal Deposit Insurance Corporation (FDIC) will not seek permission from the White House to require banks to submit incident reports.</p>
<p>[Update] We have <a title="SMB Initial Losses Averaged $157,000 and Average Recovery was 44%." href="http://www.blueridgenetworks.com/products/online-banking-trojans-zero-day-malware-steal-enterprise-fraudulent-transfers.php" target="_blank">summarized a series of banking Trojan loss incidents</a> reported by the Washington Post in the summer of 2009, whose columnist Brian Krebs may have collected more incident reports than federal organizations have.</p>
<h1>Banks Not Obligated to Cover Commercial Online Banking Fraud</h1>
<p>“Commercial deposit accounts do not receive the reimbursement protection that consumer accounts have, so a lot of small businesses and non-profits have suffered some relatively large losses”, said David Nelson, an examination specialist with the FDIC. </p>
<p>Banks are not required to reimburse enterprise victims of Banking Trojans.  They will work with a victim to try to reverse fraudulent transfers.  However, after 24 hours, the odds of succeeding diminish greatly.  Ultimately, the customer is required to discover and report the fraudulent bank transfers to their bank within that 24 hour period.</p>
<p>Such was the case for Little &amp; King LLC, a marketing company that is facing bankruptcy due to a computer virus infection that siphoned $164,000 from their commercial bank accounts.</p>
<p>Cyber criminals are targeting small to medium businesses because they do not have the checks and balances in place to monitor their commercial bank accounts on a daily basis.  Further, smaller organizations have fewer defenses in place.</p>
<h1>Update: FBI Does Not Open a Case for a Victim that Lost Less than $500,000</h1>
<p>Brian Krebs recently reported that a dental practice in Springfield, Missouri fell prey to a banking Trojan that stole $205,000.  The office manager said that the FBI told him that they do not open a case for losses under $500,000.  However, the FBI said a task force in Omaha, Nebraska investigating similar cases would include the information from the dental practice in their efforts.  One hopes this task force stationed in the great metropolis of Omaha is well resourced.  What do you think?   Me too.</p>
<h1>Your Up-to-Date Anti-Virus/Spyware Will Not Detect Today’s Banking Trojans</h1>
<div class="mceTemp">A sophisticated banking Trojan will infect your computer when you visit a seemingly legitimate website, open an email attachment apparently from someone you know, or insert a USB thumb drive that had once been inserted into another infected computer.  The malicious attack code that enters your machine will be less than 10 minutes old.  The odds of your anti-virus/spyware software having a virus definition for it are one in four.</div>
<div>
<dl style="width: 310px;"><img title="AntiVirus Detection Rates for Day-Old Malware, Cyveillance, Feb 2010" src="http://www.blueridgenetworks.com/securitynowblog/wp-content/uploads/2010/03/Cyveillance-Day-Old-Malware-Detection-Rates-300x138.gif" alt="Average AntiVirus Detection Rate for Day-Old Malware" width="300" height="138" /> AntiVirus Detection Rates for Day-Old Malware, Cyveillance, Feb 2010</dl>
</div>
<p>An information security firm that finds malware on legitimate websites, in part by observing certain types of changes to the website, conducted a six-month study on the effectiveness of leading anti-virus/spyware products.  At the end of each day they collected hundreds of new malware samples, then tested the ability of 14 leading anti-virus/spyware products to detect them.  The daily average detection rate was a mere 25%, as charted in the figure above.</p>
<h1>DIY Zeus Banking Trojan Kits Mean Any Idiot Can Empty Your Commercial Bank Accounts</h1>
<p>Panda Labs reported finding 77% more unique Banking Trojans in 2009 than in 2008.  The widespread availability and affordability of malware kits that automate the creation of unique Banking Trojans will mean that Panda Labs will certainly be reporting a much higher growth rate next year.  Anyone with the skills to use iTunes can use one of these kits to steal hundreds of thousands of dollars from an SMB commercial bank account.  Basic kits cost $400 to $700.  They enable a person you wouldn’t hire to wash your windows to send you day-old Banking Trojans that elude your traditional anti-virus/spyware products.  Actually, the malware that will infect your computer will likely be less than 10 minutes old. </p>
<p>Every petty criminal in the world is hearing stories of others making a lot of money with very little risk.  For example, a German cyber gang called Cosmos made $7 million from just a week’s worth of attacks. </p>
<p>Most organizations have thus far not been attacked by day-old or zero-day malware because there were so many other fish in the barrel for those with the skills to attack.  Malware kits are a game-changer.</p>
<h1>Two Factor Authentication Does Not Deter Today’s Banking Trojans</h1>
<p>“Online banking customers are getting too reliant on authentication and practicing layers of controls”, says the FDIC&#8217;s David Nelson.</p>
<p>Today’s banking Trojans, such as the Zeus family, employ several different techniques to circumvent one-time pass code tokens, such as a man-in-the-middle or more aptly called a man-in-the-browser attack.  In short, when users enter the six character code into a form, they’re actually entering it into a fake form that is dynamically generated within the users’ web browser.  Another technique involves stealing the “session cookie”.  So, when the user thinks she’s logged off, the banking Trojan has not and continues to conduct fraudulent transfers.</p>
<p>A New Hampshire-based IT consulting firm, Cynxsure LLC, employed a fingerprint scanner for authentication to mitigate risks from password-stealing malware.  Nevertheless, Cynxsure lost nearly $100,000 in February 2010.  Zeus-family banking Trojans include a feature called a “form grabber” that steals the fingerprint authentication data inside the browser before it is encrypted for transmission; captured once, it can be replayed later.  Two-factor authentication implicitly assumes that its host computer is not compromised.</p>
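<p>To make concrete why a one-time code by itself does not help against a man-in-the-browser, here is an added example (my own code, not from Blue Ridge, Zeus, or any bank).  A toy bank server is run twice: once verifying a plain HOTP code, which depends only on the shared secret and a counter, and once verifying a transaction-bound code that also covers the amount and payee.  The Trojan shows the user a $50 transfer, relays the user&#8217;s code, and submits a $9,000 transfer to a mule account; the relayed code passes in the first case and fails in the second.  This goes one step beyond the post by showing the usual countermeasure; the secret, the counter handling and the account names are constructed for the demo.</p>

```python
import hashlib
import hmac
import struct


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation of an HMAC-SHA1 digest to a zero-padded decimal code."""
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Plain event-based one-time code: depends only on the shared secret and a counter."""
    return _truncate(hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest(), digits)


def transaction_code(secret: bytes, counter: int, amount_cents: int, payee: str,
                     digits: int = 6) -> str:
    """Transaction-bound code: the HMAC input also covers what the user is authorising."""
    msg = struct.pack(">Q", counter) + struct.pack(">Q", amount_cents) + payee.encode("utf-8")
    return _truncate(hmac.new(secret, msg, hashlib.sha1).digest(), digits)


class BankServer:
    """Toy server that verifies a transfer; 'bound' selects which code scheme the bank deployed."""

    def __init__(self, secret: bytes, bound: bool):
        self.secret, self.bound, self.counter = secret, bound, 0

    def expected_code(self, amount_cents: int, payee: str) -> str:
        if self.bound:
            return transaction_code(self.secret, self.counter, amount_cents, payee)
        return hotp(self.secret, self.counter)

    def transfer(self, amount_cents: int, payee: str, code: str) -> bool:
        ok = hmac.compare_digest(self.expected_code(amount_cents, payee), code)
        if ok:
            self.counter += 1          # a code is good for one transfer only
        return ok


def man_in_the_browser(bound: bool) -> bool:
    """Simulate the post's scenario; True means the Trojan's altered transfer was accepted."""
    secret = b"12345678901234567890"            # constructed shared secret (RFC 4226 test key)
    bank = BankServer(secret, bound)
    intended = (5_000, "ACCT-LANDLORD")         # what the user sees and approves: $50.00
    altered = (900_000, "ACCT-MULE")            # what the Trojan actually submits: $9,000.00
    # The token (or phone app) computes the code for the transaction the user sees.
    if bound:
        code = transaction_code(secret, bank.counter, *intended)
    else:
        code = hotp(secret, bank.counter)
    # The Trojan grabs the code from its fake form and relays it with the altered details.
    return bank.transfer(*altered, code)


if __name__ == "__main__":
    print("plain HOTP, attacker's transfer accepted:", man_in_the_browser(bound=False))
    print("transaction-bound, attacker's transfer accepted:", man_in_the_browser(bound=True))
```

<p>The bound scheme only helps if the code is computed or read on a device the Trojan cannot tamper with, with the amount and payee displayed there for the user to check; otherwise the malware simply shows the user the altered transaction.  Session-cookie theft after login, which the post also mentions, is untouched by either scheme.</p>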
<h1>Blue Ridge Enterprise Solutions</h1>
<h2>Online Banking from Enterprise-Owned Computers</h2>
<p>AppGuard can triple your effective computer protection by blocking the new malware attacks that elude traditional anti-virus/spyware software.  Different organizations can choose different forms of AppGuard protection: <span style="text-decoration: underline;"><a title="Protection from Zero-day, Day-Old, and Any Age Malware" href="http://www.blueridgenetworks.com/products/appguard-enterprise.php" target="_blank">centrally managed do-it-yourself</a></span>, <span style="text-decoration: underline;"><a title="Managed Security Service Endpoint Security Zero Day Malware Protection" href="http://www.blueridgenetworks.com/products/managed-edgeguard.php" target="_blank">managed security service</a></span>, or <span style="text-decoration: underline;"><a title="Protection from Zero-Day, Day-One, and Any-Age Malware" href="http://www.blueridgenetworks.com/products/appguard.php" target="_blank">employee self-managed</a></span>.</p>
<h2>Online Banking from Employee-Owned Computers</h2>
<p>Pixie provides a virtual workspace that is locked-down and malware-free for <a title="Safe Online Banking Free of Trojans" href="http://www.blueridgenetworks.com/products/pixie/secure-simple-online-banking.php" target="_blank">safely conducting online banking</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/banking-trojan-zeus-two-factor-antivirus-loss-thousands/feed</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Zero Day Malware Attack Targeting Internet Explorers Users</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/internet-explorer-zero-day-attack-january-2010-another-exploit</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/internet-explorer-zero-day-attack-january-2010-another-exploit#comments</comments>
		<pubDate>Mon, 18 Jan 2010 03:36:11 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>

		<guid isPermaLink="false">http://www.blueridgenetworks.com/securitynowblog/?p=277</guid>
		<description><![CDATA[Less than 2 weeks into the new year, there&#8217;s another attack that can infest your computer with malware without your knowing it.  This is the first of the year.  More coming!
More exploits attacking more vulnerabilities in Internet Explorer, as well as Firefox, Chrome, Safari, and Opera are coming in 2010.  Predicting more malware attacks [...]]]></description>
			<content:encoded><![CDATA[<p>Less than 2 weeks into the new year, there&#8217;s another attack that can infest your computer with malware without your knowing it.  This is the first of the year.  More coming!<span id="more-277"></span></p>
<p>More exploits attacking more vulnerabilities in Internet Explorer, as well as Firefox, Chrome, Safari, and Opera are coming in 2010.  Predicting more malware attacks is equivalent to telling Seattle residents to expect rain in 2010.  If you&#8217;re curious as to why this is so, check out this explanation:</p>
<p style="padding-left: 30px;"><a title="Zero Day Exploits are Inherent in Web Browser Construction" href="http://www.blueridgenetworks.com/securitynowblog/web-browser-plug-ins-activex-npapi-vulnerabilities-zero-day-exploit-attacks-indefinitely" target="_blank">Never Ending Vulnerabilities for Web Browsers</a></p>
<p>Microsoft reports they&#8217;ve only seen exploits in the wild that successfully attack Internet Explorer 6 (six) users.  However, various security intelligence organizations, as well as the alert Microsoft posted, indicate that pretty much every version of Internet Explorer is affected.</p>
<p>McAfee reported that the recently publicized attacks on Google by Chinese hackers to gain information on Chinese dissidents exploited this vulnerability.  It seems unlikely that Google would be using IE6 because organizations that do tend to be stuck with a web application they&#8217;d developed in-house that only works on IE6.  So, this goes beyond IE6 to the newer versions.</p>
<p>Reports indicate 30 more enterprise organizations have been targeted with this exploit.  The number of organizations targeted by these attacks will grow as more malware developers create attack code and sell it to the thousands of malware distributors.  Remember, as any industry matures, specialization breaks out.  So, the malware creators tend to make their money selling their binaries to malware distributors in the form of web kits, which are automated software tools that enable non-technical people to launch and manage malware attacks and Botnets.</p>
<p><strong>What Puts You Most at Risk from These Zero Day Exploit Attacks?</strong></p>
<p>Just use Internet Explorer to visit websites!  It&#8217;s not just the sordid websites, but any website that you normally use.</p>
<p>This is because cyber criminals have been using their malware to find and infect the computers used by the webmasters that maintain websites.  Webmasters, like most other people, foolishly believe that their anti-virus software would let them know if they were infected, or that their computer would suddenly slow down and behave oddly.  Organizations should require webmasters to re-image their computers twice a year or more, unless they&#8217;re willing to get security software protection that stops zero-day malware attacks.</p>
<p>To those visiting this blog for the first time, and are unfamiliar with the term zero-day, if your computer protection requires &#8216;virus definition files&#8217; or signature updates, consider yourself unprotected!  There are loads of blog posts here on the subject.</p>
<p><strong>Some Attack Details on CVE-2010-0249 (or Microsoft Knowledge Base Article 979352)</strong></p>
<p>From Microsoft, &#8220;The vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.&#8221;  In short, when an Internet Explorer user visits a compromised website they become a victim of a drive-by download attack that drops an executable somewhere in user-space.  This temporary executable launches and assesses your computer: what operating system, the user&#8217;s login privileges, installed security software, etc.  It then downloads and installs the permanent malware best suited to your computer.  As most cyber criminals do not create their own malware any more but instead buy it from professionals, if you get hit with a zero-day drive-by download attack like this, you won&#8217;t notice a thing before, during, or after.  In other words, your computer won&#8217;t slow down.  That happens when your computer has multiple infections.</p>
<p>Microsoft has already updated their alert page on this exploit and will likely do so again.  As of January 15, there were no practical precautions one could take to avoid one of these attacks.</p>
<p><strong>What Can You Do to Protect Yourself and Others from These Zero Day Attacks?</strong></p>
<p>Install some zero-day protection software!</p>
<p>Blue Ridge offers software for consumers and organizations that would stop these and other zero-day drive-by download attacks, and more.  Consumers should get <a title="zero day protection from drive by download attacks" href="http://www.blueridgenetworks.com/products/appguard.php" target="_self">AppGuard</a>, which can be tried for free for 30 days.  Organizations should investigate <a title="Enterprise Protection from Zero Day Drive By Download Attacks on Internet Explorer and More" href="http://www.blueridgenetworks.com/products/appguard-enterprise.php" target="_self">AppGuard Enterprise</a>.  These recently won &#8220;Best Anti-Malware Product&#8221; from GSN&#8217;s Homeland Security Awards.  Those that need to lock down and audit the computers in their organization might look at <a title="Protect, Control, and Audit Enterprise Computers" href="http://www.blueridgenetworks.com/products/edgeguard.php" target="_self">EdgeGuard</a>, which includes the protections of AppGuard as well as the controls and audit capabilities an enterprise needs to plug data leaks and curb insider theft risks.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/internet-explorer-zero-day-attack-january-2010-another-exploit/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>November Patch Tuesday, Same Dance, Different Music</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/november-patch-tuesday-zero-day-computer-protection</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/november-patch-tuesday-zero-day-computer-protection#comments</comments>
		<pubDate>Wed, 11 Nov 2009 22:05:09 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>

		<guid isPermaLink="false">http://www.blueridgenetworks.com/securitynowblog/?p=273</guid>
		<description><![CDATA[Microsoft and Adobe have released important security patches that correct vulnerabilities (i.e., programming mistakes) that could be exploited to do serious harm to an individual or organization.  There are no known exploits of the Adobe vulnerability but the Microsoft ones are sure to be exploited. 
Microsoft on its November 2009 Security Patches
MS09-063 / CVE-2009-2512
Web Services [...]]]></description>
			<content:encoded><![CDATA[<p>Microsoft and Adobe have released important security patches that correct vulnerabilities (i.e., programming mistakes) that could be exploited to do serious harm to an individual or organization.  There are no known exploits of the Adobe vulnerability but the Microsoft ones are sure to be exploited.<span id="more-273"></span></p>
<p><strong>Microsoft on its November 2009 Security Patches</strong></p>
<p><strong>MS09-063 / CVE-2009-2512</strong></p>
<p>Web Services on Devices API Memory Corruption</p>
<p><strong>Microsoft Exploitability Index Assessment:</strong> Inconsistent exploit code likely</p>
<p><strong>Affected Computers:</strong> Windows Vista</p>
<p><strong>Vulnerability:</strong> The vulnerability could allow remote code execution if an affected Windows system receives a specially crafted packet.  Only attacks on the local subnet would be able to exploit this vulnerability.</p>
<p><strong>Blue Ridge on Protection:</strong> Though an unlikely attack vector, AppGuard or EdgeGuard would block such attacks that launch from user-space while drive-by download attack protection is enabled.  This Microsoft patch should be implemented as soon as practical.</p>
<p><strong>MS09-064 / CVE-2009-2523</strong></p>
<p>License Logging Server Heap Overflow</p>
<p><strong>Microsoft Exploitability Index Assessment:</strong> Inconsistent exploit code likely</p>
<p><strong>Affected Computers:</strong> Windows 2000, Service Pack 4</p>
<p><strong>Vulnerability</strong>: The vulnerability could allow remote code execution if an attacker sent a specially crafted network message to a computer running the License Logging Server.  An attacker who successfully exploited this vulnerability could take complete control of the system.</p>
<p><strong>Blue Ridge on Protection:</strong> Neither AppGuard nor EdgeGuard officially supports Windows 2000.</p>
<p><strong>MS09-065</strong></p>
<p>CVE-2009-1127, Win32k Null Pointer Dereferencing Vulnerability</p>
<p>CVE-2009-2513, Win32k Insufficient Data Validation Vulnerability</p>
<p>CVE-2009-2514, Win32k EOT Parsing Vulnerability</p>
<p><strong>Microsoft Exploitability Index Assessment: </strong> Inconsistent exploit code likely: CVE-2009-1127; Consistent exploit code likely: CVE-2009-2513, CVE-2009-2514</p>
<p><strong>Affected Computers:</strong> Windows XP SP2, Windows Vista, and others; Windows 7 is unaffected</p>
<p><strong>Vulnerability:</strong></p>
<p>CVE-2009-1127.  An elevation of privilege vulnerability exists because the Windows kernel does not properly validate an argument passed to a Windows kernel system call.  An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.  An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.</p>
<p>CVE-2009-2513. A remote code execution vulnerability exists in the Windows kernel-mode drivers due to the improper parsing of font code when building a table of directory entries.  An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.  An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.</p>
<p>CVE-2009-2514.  A remote code execution vulnerability exists in the Windows kernel-mode drivers due to the improper parsing of font code when building a table of directory entries.  An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.  An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.</p>
<p><strong>Blue Ridge on Protection:</strong></p>
<p>CVE-2009-1127.  AppGuard or EdgeGuard would block such attacks that launch from user-space while drive-by download attack protection is enabled.  Should such an attack elevate a guarded application to run with kernel mode privileges, AppGuard or EdgeGuard protection would not be degraded.  This Microsoft patch should be implemented as soon as practical.</p>
<p>CVE-2009-2513. AppGuard or EdgeGuard would block such attacks that launch from user-space while drive-by download attack protection is enabled.  This Microsoft patch should be implemented as soon as practical.</p>
<p>CVE-2009-2514.  AppGuard or EdgeGuard would block such attacks.  This Microsoft patch should be implemented as soon as practical.</p>
<p><strong>MS09-066 / CVE-2009-1928</strong></p>
<p>LSASS Recursive Stack Overflow Vulnerability</p>
<p><strong>Microsoft Exploitability Index Assessment:</strong> Functioning exploit code unlikely</p>
<p><strong>Affected Computers:</strong> Windows XP SP 2/3; Windows Vista/7 are unaffected</p>
<p><strong>Vulnerability: </strong>This is just a denial of service vulnerability and of little practical value to cyber criminals.</p>
<p><strong>Blue Ridge on Protection: </strong>Irrelevant.  Low priority patch.</p>
<p><strong>MS09-067</strong></p>
<p>CVE-2009-3127, Excel Cache Memory Corruption Vulnerability</p>
<p>CVE-2009-3128, Excel SxView Memory Corruption Vulnerability</p>
<p>CVE-2009-3129, Excel Featheader Record Memory Corruption Vulnerability</p>
<p>CVE-2009-3130, Excel Document Parsing Heap Overflow Vulnerability</p>
<p>CVE-2009-3131, Excel Formula Parsing Memory Corruption Vulnerability</p>
<p>CVE-2009-3132, Excel Index Parsing Vulnerability</p>
<p>CVE-2009-3133, Excel Document Parsing Memory Corruption Vulnerability</p>
<p>CVE-2009-3134, Excel Field Sanitization Vulnerability</p>
<p><strong>Microsoft Exploitability Index Assessment:</strong><br />
Inconsistent exploit code likely: CVE-2009-3127, CVE-2009-3128, CVE-2009-3132, CVE-2009-3133, CVE-2009-3134<br />
Consistent exploit code likely: CVE-2009-3129, CVE-2009-3130, CVE-2009-3131</p>
<p><strong>Affected Computers:</strong> Microsoft Office XP SP 3, Office 2003 SP 3, Office 2007 SP 1/2</p>
<p><strong>Vulnerability:</strong></p>
<p>CVE-2009-3127.  A remote code execution vulnerability exists in the way that Microsoft Office Excel handles specially crafted Excel files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.</p>
<p>CVE-2009-3128. A remote code execution vulnerability exists in the way Microsoft Office Excel handles specially crafted Excel files that include a malformed record object. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.</p>
<p>CVE-2009-3129.  A remote code execution vulnerability exists in the way that Microsoft Office Excel handles specially crafted Excel files that include a malformed record object. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.</p>
<p>CVE-2009-3130.  A remote code execution vulnerability exists in the way Microsoft Office Excel handles specially crafted Excel files with malformed BIFF records. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.</p>
<p>CVE-2009-3131. A remote code execution vulnerability exists in the way that Microsoft Office Excel parses documents containing a specially crafted formula embedded inside a cell. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights in the context of the currently logged on user.</p>
<p>CVE-2009-3132.  A remote code execution vulnerability exists in Microsoft Office Excel as a result of pointer corruption when loading Excel formulas. The vulnerability could allow remote code execution if a user opens a specially crafted Excel file that includes a malformed formula. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.</p>
<p>CVE-2009-3133. A remote code execution vulnerability exists in Microsoft Office Excel as a result of memory corruption when loading Excel records. The vulnerability could allow remote code execution if a user opens a specially crafted Excel file that includes a malformed object. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.</p>
<p>CVE-2009-3134.  A remote code execution vulnerability exists in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file that includes a malformed record object. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.</p>
<p><strong>Blue Ridge on Protection:</strong> AppGuard or EdgeGuard would protect computers from attacks attempting to exploit any of these vulnerabilities: CVE-2009-3127, CVE-2009-3128, CVE-2009-3129, CVE-2009-3130, CVE-2009-3131, CVE-2009-3132, CVE-2009-3133, and CVE-2009-3134.</p>
<p>Simply put: any such attack would either seek to spawn a malicious executable in user-space, which would fail to launch because of drive-by download attack protection, or the attack would attempt to place a malicious executable elsewhere, which would be blocked because AppGuard and EdgeGuard do not allow &#8216;guarded&#8217; applications to write elsewhere.</p>
<p><strong>MS09-068 / CVE-2009-3135</strong></p>
<p>Microsoft Office Word File Information Memory Corruption Vulnerability</p>
<p><strong>Microsoft Exploitability Index Assessment: </strong> Consistent exploit code likely</p>
<p><strong>Affected Computers:</strong> Microsoft Office 2007 SP 1/2, Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1 and Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2, Microsoft Works 8.5, Microsoft Works 9</p>
<p><strong>Vulnerability:</strong> The vulnerability could allow remote code execution if a user opens a specially crafted Word file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.</p>
<p><strong>Blue Ridge on Protection:</strong> AppGuard or EdgeGuard would block these attacks without additional configuration.</p>
<p><strong>Adobe on its November 2009 Security Patches</strong></p>
<p><strong>CVE-2009-3489, APSB09-17</strong></p>
<p>Potential Photoshop Elements Privilege Escalation Vulnerability</p>
<p><strong>Affected Computers: </strong> Photoshop Elements 8.0, Photoshop Elements 7.0</p>
<p><strong>Vulnerability:</strong> A moderate vulnerability has been identified in Adobe Photoshop Elements versions 8.0 and 7.0. The vulnerability could allow a user with valid login credentials and/or physical access, who successfully exploits the vulnerability, to execute arbitrary commands with elevated privileges. Adobe is not aware of any exploits in the wild for the issue.</p>
<p><strong>Blue Ridge on Protection:</strong> AppGuard or EdgeGuard would block an attack that attempted to exploit this vulnerability without any additional configuration.  Users should make certain that Photoshop Elements has been added to the &#8216;Guard List&#8217;.  This patch should be implemented when doing so is convenient.</p>
<p><strong>Related Articles:</strong></p>
<p><a title="Patching Client Applications is Important, There are Other Risk Mitigations that can make Life Easier" href="http://www.blueridgenetworks.com/securitynowblog/sans-report-2009-malware-top-priority-target-software-vulnerability-but-not-patch-top-priority" target="_blank">SANS: Client-Side Software Vulnerabilities Are Highest Priority But Most Neglected Risk</a></p>
<p><a title="Why are Security Patches Important, What Else Can you Do" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/unpatched-pc-software-targets-malware-attacks" target="_blank">Why Should UnPatched PC Software Concern You?</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/november-patch-tuesday-zero-day-computer-protection/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Attention Facebook Users: Beware of Password Reset Emails</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/facebook-users-spear-phishing-attack-fake-email-attachment-botnet-zero-day</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/facebook-users-spear-phishing-attack-fake-email-attachment-botnet-zero-day#comments</comments>
		<pubDate>Wed, 28 Oct 2009 20:25:00 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>

		<guid isPermaLink="false">http://www.blueridgenetworks.com/securitynowblog/?p=269</guid>
		<description><![CDATA[Facebook users are receiving emails that pretend to be from Facebook informing them that their password has been changed.  They are asked to open the email attachment to see their new password.  Opening the attached zip file results in their computers becoming silently malware infested and part of a Botnet.  Traditional anti-virus/spyware protection will NOT stop [...]]]></description>
			<content:encoded><![CDATA[<p>Facebook users are receiving emails that pretend to be from Facebook informing them that their password has been changed.  They are asked to open the email attachment to see their new password.  Opening the attached zip file results in their computers becoming silently malware infested and part of a Botnet.  Traditional anti-virus/spyware protection will NOT stop these attacks, but new types of security software would.</p>
<p style="padding-left: 30px;"><em>&#8220;Because of the measures taken to provide safety to our clients, your password has been changed.  You can find your new password in attached document&#8221;</em></p>
<p>Security vendor Websense reports they have observed over 350,000 of these email messages (spear phishing attacks).  It&#8217;s only a matter of time until the millions of other Facebook users receive one.</p>
<p>As of 27 October 2009, only 14 out of 41 anti-virus/spyware products detected this attack (per Virus Total, reported by MX Lab).</p>
<p>When Facebook users open the email attachment, short-lived malware connects to two servers and downloads additional files (Pushdo, also known as Cutwail).  Once Pushdo is installed and running, it sends out more of these email spear phishing attacks to other Facebook users.  This Trojan is also known as a new Bredolab variant.</p>
<p>This is a clever piece of malware.  It tries to elude security researchers and personal firewalls that restrict outbound PC communications by injecting its own code into legitimate processes, svchost.exe and explorer.exe.  If it detects virtualization or honeypot characteristics within a host, it goes dormant to thwart the AV vendor consortium from quickly generating detection signatures.</p>
<p>The Trojan creates several files (%AppData%\wiaservg.log, %windir%\temp\wpv861256600826.exe, and %Programs%\Startup\isqsys32.exe).  It also launches two processes: an svchost.exe instance and something called isqsys32.exe.</p>
<p>What does this malware do once successfully installed?  Whatever it wants!  It may steal money from your online bank account or just silently operate as part of a Botnet.  The Botnet operators can remotely tell it to do what they want at a later time.</p>
<p><strong>Consumer and Enterprise Computers Are at Risk</strong></p>
<p>With Facebook users routinely accessing it from their work computers, they are placing their employer at risk.</p>
<p><strong>Effective Protection from these Facebook Zero Day Trojan Attacks</strong></p>
<p>Consumers with AppGuard, and organizations with either AppGuard Enterprise or EdgeGuard deployed, are protected from these attacks.  They should already have &#8220;drive-by download protection&#8221; enabled as well as have their email software guarded.</p>
<p><strong>Related Articles</strong></p>
<p><a title="Small Botnets Meticulously Sift Through an Organization's Information for Nuggets" href="http://www.blueridgenetworks.com/securitynowblog/best-botnet-defense-zero-day-computer-protection-to-avoid-enterprise-data-leaks" target="_blank">Botnets Inside the Gates, Every PC Must Defend Itself</a></p>
<p><a title="When Employee Use Home Computers for Work, Assume Any Information that PC Sees is Leaked" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/data_leak_prevention_must_handle_home_computer_use" target="_blank">Employee Owned Computers are Data Leak Risks to Employers</a></p>
<p><a title="Online Banking Trojans Steal $100K per Victim, Less than Half Recovered" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/antivirus-failure-costs-businesses-fraudulent-bank-transfers-fdic-regulation-e" target="_blank">Business Protection from AntiVirus-Failure Caused Fraudulent Bank Transfer Losses</a></p>
<p><a title="Email Attachments Can Do Great Harm to Consumers and an Enterprise" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/spear-phishing-attacks-can-bankrupt-small-business" target="_blank">Today's Spear Phishing Attacks Can Wipe Out Small Businesses in One Click</a></p>
<p><a title="Typical Anti-Virus/Spyware Products Fail to Stop NEW Malware, But Stop OLD Malware Well" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/secunia_report_signature-based_antivirus_misses_most_unknown_malware" target="_blank">Secunia Casts More Doubt on Signature-based-Only Anti-Malware Defense</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/facebook-users-spear-phishing-attack-fake-email-attachment-botnet-zero-day/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Over 640,000 Websites Infecting Visiting Computers</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/infected-websites-infecting-visiting-pc-zero-day-attack</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/infected-websites-infecting-visiting-pc-zero-day-attack#comments</comments>
		<pubDate>Wed, 28 Oct 2009 19:11:36 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>

		<guid isPermaLink="false">http://www.blueridgenetworks.com/securitynowblog/?p=266</guid>
		<description><![CDATA[It&#8217;s not just sordid websites; any legitimate website may be infecting visiting computers.  Over 640,000 websites consisting of over six million web pages have been quietly hacked to dish out attack code to visitors.  And, these are ONLY the detected ones.  The actual number is undoubtedly much higher.
These figures come from an [...]]]></description>
			<content:encoded><![CDATA[<p>It's not just sordid websites; any legitimate website may be infecting visiting computers.  Over 640,000 websites, consisting of over six million web pages, have been quietly hacked to dish out attack code to visitors.  And these are ONLY the detected ones.  The actual number is undoubtedly much higher.<span id="more-266"></span></p>
<p>These figures come from an information security vendor named Dasient.  They offer free and paid services for assessing website health.  Their free service, which requires registration with a valid email address, sends a periodic email stating whether or not your website appears on any of the malware-infected-website blacklists.  They also offer paid services whereby they scan your website(s) periodically for malware and alert you if any is detected.</p>
<p><strong>Websites Infected via Webmaster’s Computer</strong></p>
<p>Many websites still get infected the old-fashioned way, by exploiting a vulnerability in the web server or other server-side software.  But cyber criminals have found that compromising a webmaster's laptop or desktop is far easier.</p>
<p>It begins with an ordinary malware infection of an arbitrary computer.  Once running, the malware scans the host for signs that it belongs to a webmaster: FTP programs, web authoring tools, HTML files, etc.  Some research points to the malware altering HTML files on the webmaster's computer just before or while they are uploaded to the server.  The beauty of this approach, from the attacker's perspective, is that it leaves no anomalous log entries on the server: the upload comes from the usual account, the usual client, and the usual IP address.  The other common method, stealing the webmaster's login credentials, does leave such breadcrumbs (e.g., a server log entry showing a login from an unfamiliar IP address).</p>
<p>There are at least three common methods for stealing webmaster credentials in order to infect legitimate websites.  First, the malware looks for typical webmaster software and then for its saved-password store, which tends to live in a predictable location and is often unencrypted or only trivially obfuscated.  Second, the malware downloads and installs a keylogger.  Third, the malware monitors FTP traffic and parses out the credentials, which plain FTP sends unencrypted.  There is a bonus to this last approach: the malware can also capture FTP traffic from other machines on the same network segment, so the webmaster must be mindful of where his/her computer is located when accessing the servers.  SFTP or FTPS, which encrypt the session, remove the third method entirely.</p>
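<p>The checks a webmaster can run against the two compromise paths just described, as an added example that is not part of the original post and not Blue Ridge code: a scanner for the hidden-iframe and foreign-script injections typical of these attacks, plus a hash manifest built at authoring time and compared against what the live server actually serves, which catches a file altered anywhere between the editor and the visitor's browser, including the pre-upload tampering that leaves no server log entry.  The HTML samples, hostnames and detection patterns are constructed for illustration.</p>

```python
import hashlib
import re

# Signatures of the mass-injection style described above: invisible iframes and
# scripts fetched from a host that is not the site's own. (Patterns are
# illustrative; real injections vary.)
HIDDEN_IFRAME = re.compile(
    r"<iframe[^>]*?(?:width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b"
    r"|visibility\s*:\s*hidden|display\s*:\s*none)[^>]*>",
    re.IGNORECASE | re.DOTALL,
)
EXTERNAL_SCRIPT = re.compile(
    r"<script[^>]+src\s*=\s*[\"']?(https?://([^/\"'\s>]+)[^\"'\s>]*)",
    re.IGNORECASE,
)
OBFUSCATED_JS = re.compile(r"\b(?:unescape|eval|String\.fromCharCode)\s*\(", re.IGNORECASE)


def scan_html(html, own_hosts):
    """Return [(finding, evidence)] for content that looks injected.

    own_hosts: lower-case hostnames the site legitimately loads scripts from.
    """
    findings = []
    for m in HIDDEN_IFRAME.finditer(html):
        findings.append(("hidden-iframe", m.group(0)[:80]))
    for m in EXTERNAL_SCRIPT.finditer(html):
        if m.group(2).lower() not in own_hosts:
            findings.append(("external-script", m.group(1)))
    for m in OBFUSCATED_JS.finditer(html):
        findings.append(("obfuscated-js", m.group(0)))
    return findings


def build_manifest(files):
    """files: {relative_path: bytes} as they sit in the editor, before upload.
    Returns {relative_path: sha256 hex digest}; keep it off the web host."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def verify_served(manifest, served):
    """served: {relative_path: bytes} fetched back from the live site.
    Returns the paths whose served bytes differ from the manifest, i.e. files
    changed somewhere between the editor and the visitor's browser."""
    return sorted(
        path for path, digest in manifest.items()
        if hashlib.sha256(served.get(path, b"")).hexdigest() != digest
    )


# Constructed sample pages (not real sites).
CLEAN_PAGE = (
    b"<html><body><h1>Welcome</h1>"
    b"<script src=\"http://www.example.com/js/site.js\"></script>"
    b"</body></html>"
)
INJECTED_PAGE = CLEAN_PAGE.replace(
    b"</body>",
    b"<iframe src=\"http://bad.example.net/in.cgi\" width=0 height=0 "
    b"style=\"visibility:hidden\"></iframe></body>",
)

if __name__ == "__main__":
    manifest = build_manifest({"index.html": CLEAN_PAGE})
    print(scan_html(INJECTED_PAGE.decode(), {"www.example.com"}))
    print(verify_served(manifest, {"index.html": INJECTED_PAGE}))
```

<p>The pattern scanner is only a tripwire for the common cases; the manifest comparison is the stronger check because it does not depend on recognising the injection, only on the fact that the served bytes no longer match what the author signed off on.</p>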
<p><strong>Any Website May be Infected; Any Visitor May Get Infected</strong></p>
<p>Web browsers are amongst the most security-flawed classes of client software in existence.  They offer very poor compartmentalization: activities in one tab or window are not reliably kept separate from those in another.  And matters will only get worse as cyber criminals exploit the undiscovered country of <a title="Never Ending Vulnerabilities in Web Browsers" href="http://www.blueridgenetworks.com/securitynowblog/web-browser-plug-ins-activex-npapi-vulnerabilities-zero-day-exploit-attacks-indefinitely" target="_blank">vulnerabilities in the browser itself, its library components, plug-ins, and add-ons</a>.  If that were not enough, many browsers will automatically hand a document off to another application when a specific document type is encountered; Microsoft Excel would be launched for an .xls document, for example.  Thus, it is not just a matter of ensuring that the web browser is free of vulnerabilities.  These other applications must be as well.</p>
<p><strong>Use Two or More Different Web Browsers</strong></p>
<p>By using Internet Explorer or Firefox for sensitive activities such as online banking, and the other for general-purpose browsing, one compartmentalizes these activities so that cyber criminals cannot merely subvert the browser's internal security boundaries but must instead infect the entire computer.  <a title="Reduce Data Leakage by Using Two or More Separate Web Browsers" href="http://www.securitynowblog.com/endpoint_security/dual-web-browsers-can-avoid-information-disclosures" target="_blank">More here</a></p>
<p><strong>Your Anti-Virus/Spyware Will NOT Protect You</strong></p>
<p>Though old malware still circulates around the web, cyber criminals increasingly discard newly created attack code after only 48 hours so that the signature- or pattern-based technologies in anti-virus/spyware products cannot catch up.  The shorter-lived the attack code, the less likely anti-virus/spyware vendors' honeypots will ever encounter it and develop a detection signature.  Cyveillance recently found, in lab tests of leading anti-virus/spyware products against NEW malware, an average detection rate of 29%.</p>
<p><strong>You Need Computer protection Designed to Stop NEW or Zero-day Malware Attacks! </strong></p>
<p>Blue Ridge offers <a title="Stops NEW/Zero-Day Malware Attacks" href="http://www.blueridgenetworks.com/products/appguard.php" target="_blank">AppGuard </a>for consumers and small businesses, which protects them from whatever they encounter.  AppGuard co-exists with any anti-virus/spyware product already installed.  Your existing anti-virus/spyware excels at stopping OLD malware (more than one month old); AppGuard excels at stopping NEW malware.  You could rely on AppGuard alone, but layered protection is always good, and good anti-virus/spyware software is available for free: Microsoft Security Essentials for consumers; Comodo AV for enterprises (remember to disable the HIPS).</p>
<p>For the enterprise, Blue Ridge offers <a title="Simplest, Most Effective Enterprise Computer Protection from New/Zero-Day Attacks" href="http://www.blueridgenetworks.com/products/appguard-enterprise.php" target="_blank">AppGuard Enterprise</a>, a centrally managed computer protection software solution.  Organizations looking for extensive audit and control over their computers can either buy <a title="Protect, Control, and Audit All Enterprise Computers Everywhere" href="http://www.blueridgenetworks.com/products/edgeguard.php" target="_blank">EdgeGuard</a>, or conduct a field upgrade from AppGuard Enterprise to EdgeGuard later, via a policy update.  Small enterprises can outsource computer protection, control, and audit to <a title="Managed Security Service to Protect, Control, and Audit Your Organizations Computers" href="http://www.blueridgenetworks.com/products/managed-edgeguard.php" target="_blank">Managed EdgeGuard</a>.</p>
<p>The protection in these solutions is called AppGuard Technology.  Check out this <a title="Simple Effective Computer Protection from Zero Day Virus, Worm, Trojan, and other Malware Attacks" href="http://www.blueridgenetworks.com/docs/AppGuard-Technology-Computer-Protection-White-Paper.pdf" target="_blank">white paper</a> if you wish to understand how it works.  AppGuard Technology not only snuffs out drive-by download attacks but also prevents attacked applications such as Adobe Reader from being coerced by attackers into directly harming a PC.  Users can also install MBRguard to stop nasties such as KillDisk as well as sophisticated MBR-based rootkit attacks.</p>
<p><strong>Related Articles</strong></p>
<p><a title="Any PDF You Open may Infect Your Computer" href="http://www.blueridgenetworks.com/securitynowblog/alert-malicous-pdf-exploit-zero-day-adobe-acrobat-october-2009" target="_blank">ALERT: Malicious PDFs Exploiting Adobe Acrobat, You May Be Next</a></p>
<p><a title="BotNets Easily Infesting Enterprise, Quietly and Meticulously Sifting through its Resources" href="http://www.blueridgenetworks.com/securitynowblog/best-botnet-defense-zero-day-computer-protection-to-avoid-enterprise-data-leaks" target="_blank">Botnets Inside the Gates, Every PC Must Defend Itself</a></p>
<p><a title="3rd Party Software Tends to be UnPatched for a Long Time, Leaving Computers Vulnerable to Attack" href="http://www.blueridgenetworks.com/securitynowblog/sans-report-2009-malware-top-priority-target-software-vulnerability-but-not-patch-top-priority" target="_blank">SANS: Client-Side Software Vulnerabilities Are Highest Priority But Most Neglected Risk</a></p>
<p><a title="Any Website You Visit May Try to Infect Your Computer" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/beladen-websites-attack-pc-malware" target="_blank">(Beladen) Websites Unknowingly Attacking PCs</a></p>
<p><a title="Decade's Old Anti-Virus/Spyware Products Fail to Stop Today's Zero Day Attacks" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/signature-based-antivirus-and-hips-technologies-poor-endpoint-protection" target="_blank">Signature Based AntiVirus Technologies vs Malware Detection with a Coin Toss</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/infected-websites-infecting-visiting-pc-zero-day-attack/feed</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Cloud Computing Security: Shifts Risks to Endpoint Data Leakage</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/cloud-computing-endpoint-security-data-leakage-risk</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/cloud-computing-endpoint-security-data-leakage-risk#comments</comments>
		<pubDate>Wed, 21 Oct 2009 17:47:06 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>

		<guid isPermaLink="false">http://www.blueridgenetworks.com/securitynowblog/?p=262</guid>
		<description><![CDATA[Organizations that fail to account for endpoint security in their shift to cloud computing will increase their data leak risks. When web browsers and malware infected computers accessing cloud computing services leak confidential information with little to no indication of data loss, the economic benefits of cloud computing and the security benefits of using common [...]]]></description>
			<content:encoded><![CDATA[<p>Organizations that fail to account for endpoint security in their shift to cloud computing will increase their data leak risks. When web browsers and malware-infected computers accessing cloud computing services leak confidential information with little to no indication of data loss, the economic benefits of cloud computing and the security benefits of using common, widely reviewed applications (in the spirit of Kerckhoffs' principle) unwind.<span id="more-262"></span></p>
<p><strong>Cloud Computing Economics Can Save Organizations Real Money (Quick Background)</strong></p>
<p>Historically, an enterprise acquires and deploys robust hardware to host private and publicly facing server applications. This includes component and system redundancy to attain those additional nines for availability. It also includes the infrastructure software and IT personnel to manage these beasts, which consume a considerable amount of costly electricity and Internet/network bandwidth.</p>
<p>Imagine if an enterprise partnered with another to share all of the above. This might reduce their costs by half. Add another partner, and costs fall further. That's cloud computing. It's analogous to the progression in the 1990s from private lines to frame relay and ATM, then to MPLS, Metro Ethernet, DSL, cable and other local Internet access media. Add in web services and other technologies, and an enterprise would realize workflow, analytic, and transaction economic gains as well.</p>
<p><strong>Shared Cloud Computing Software Promises Better Application Security</strong></p>
<p>We can assume that cloud-based software will be more secure than custom applications or even self-hosted shrink-wrapped applications, because more users means more risk, which means more stress and penetration testing and more aggressive patching of discovered vulnerabilities. This is in the spirit of Kerckhoffs' principle, which holds that a cryptosystem should remain secure even when everything about it except the key is public; in practice, that openness is what makes broad peer review of cryptographic algorithms possible, and the same scrutiny benefits widely used software. This does NOT mean that new algorithms or new applications will not have problems early on. It means that over time they will either converge toward having no known vulnerabilities or will be discontinued in favor of something better.</p>
<p><strong>Cloud Computing Poses Horrifying Enterprise Data Leakage Scenarios</strong></p>
<p>A cloud computing service provider tends to employ robust physical security at its data center as well as various network-based cyber security services to limit access. All this exists to prevent unauthorized access and disclosure of what can be extremely confidential information. Now enter the end-user with valid, perhaps robust authentication, whose privileges may be tightly regulated via fine-grained authorization policies and audit records.</p>
<p>Here’s the rub! A typical cloud computing end-user accessing a cloud computing service:</p>
<ul>
<li>Uses any web browser (i.e., <span style="color: #800000;">unpatched and actively exploited vulnerabilities</span>)</li>
<li>With who knows what plug-ins and extensions (i.e., <span style="color: #800000;">unpatched and actively exploited vulnerabilities</span>)</li>
<li>With one or more other browser tabs/windows opened simultaneously running dynamic applet code (i.e., <span style="color: #800000;">man-in-the-browser attack</span>)</li>
<li>All of this running on any computer in who knows what state of a malware compromise (i.e., <span style="color: #800000;">signature-based malware detection yields less than 50-50 shot at identifying today’s malware</span>)</li>
<li>Traversing either a very safe or an extremely dangerous local network for Internet access (i.e., <span style="color: #800000;">man-in-the-middle attack</span>)</li>
<li>From any location in the world (i.e., <span style="color: #800000;">identity theft</span>)</li>
</ul>
<p>Whatever a cloud computing application authorizes an end-user to access can also be accessed via any of these data leak risks!</p>
<p><strong>How Reliable is Endpoint Data Leak Detection?</strong></p>
<p>Most IT personnel tend to be network-centric in their mitigation of security risks, so malware has evolved accordingly: encrypting its communications to the mother ship, obfuscating or hiding its communications within seemingly legitimate traffic (e.g., HTTP to popular hosts), using ever-changing Botnet infrastructure to mediate communications, and, in the case of laptops, limiting communications to periods when the machine is off the enterprise network. Ironically, many IT personnel do not trust personal firewall logs for detecting malware communications, because malware on the same host could tamper with the logs.</p>
<p>And if the cloud computing provider only audits data access by user ID and IP address, how does one really know what data has traversed, and now resides on, a computer of unknown state? So really, how reliable can data leak detection be?</p>
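<p>Since network-centric detection is exactly what this malware is built to evade, one signal that survives encryption and hiding inside legitimate-looking HTTP is timing: check-ins to a command server tend to be periodic, while human browsing is bursty. The following is an added example, not from the original post or any Blue Ridge product, that scores (client, destination) pairs in constructed proxy log lines by the regularity of their inter-arrival times; the log format, hosts, and thresholds are assumptions.</p>

```python
import statistics
from collections import defaultdict

# Constructed proxy log, one request per line: "<epoch> <client> <host> <status> <bytes>".
# 10.1.4.22 talks to update.example.org every 300 s (beacon-like) and browses
# www.example.com irregularly; 10.1.4.31 polls mail three times, 60 s apart.
SAMPLE_LOG = """\
1256700000 10.1.4.22 update.example.org 200 512
1256700042 10.1.4.22 www.example.com 200 20481
1256700077 10.1.4.22 www.example.com 200 1200
1256700100 10.1.4.31 mail.example.com 200 3300
1256700160 10.1.4.31 mail.example.com 200 3312
1256700220 10.1.4.31 mail.example.com 200 3290
1256700300 10.1.4.22 update.example.org 200 514
1256700410 10.1.4.22 www.example.com 304 0
1256700600 10.1.4.22 update.example.org 200 511
1256700900 10.1.4.22 update.example.org 200 513
1256701200 10.1.4.22 update.example.org 200 512
1256701333 10.1.4.22 www.example.com 200 88012
1256701500 10.1.4.22 update.example.org 200 515
"""


def parse_log(text):
    """Group request timestamps by (client, destination host)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, _status, _nbytes = line.split()
        events[(client, host)].append(int(ts))
    return events


def beacon_score(timestamps):
    """Coefficient of variation of the inter-arrival times (0.0 = perfectly
    periodic). Returns None when there are too few gaps to judge."""
    ts = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    mean = statistics.mean(gaps)
    return None if mean == 0 else statistics.pstdev(gaps) / mean


def find_beacons(text, min_events=5, max_cv=0.1):
    """Return [(client, host, period_seconds, cv)] for pairs that check in on
    a near-fixed period. min_events keeps short bursts (and the three mail
    polls in the sample) from qualifying; legitimate pollers such as update
    and mail clients still beacon, so results need an allowlist."""
    flagged = []
    for (client, host), ts in parse_log(text).items():
        if len(ts) < min_events:
            continue
        cv = beacon_score(ts)
        if cv is not None and cv <= max_cv:
            ts = sorted(ts)
            period = (ts[-1] - ts[0]) / (len(ts) - 1)
            flagged.append((client, host, int(round(period)), round(cv, 3)))
    return sorted(flagged)


if __name__ == "__main__":
    for row in find_beacons(SAMPLE_LOG):
        print("beacon candidate:", row)
```

<p>Lowering min_events to 3 on the same sample also flags the mail poller, which is the point: timing analysis finds regular talkers, not malicious ones, and the analyst still has to separate known-good pollers from the rest.</p>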
<p><strong>Endpoint Security Considerations Minimizing Cloud Computing Data Leaks </strong></p>
<p>Examine your employee workforce and those of your partners from the standpoint of their roles. To do his/her job, must the end-users:</p>
<ol>
<li>Store Cloud Data/Files Locally?</li>
<li>Upload Data/Files from a Client Computer to the Cloud?</li>
<li>Copy/Paste Data between the Cloud Computing Environment (i.e., the cloud computing web browser) and an Application Running Natively on the Client Computer? (because manually typing data seen in one window into another is too burdensome)</li>
</ol>
<h2>Blue Ridge Anti-Data Leak Cloud Computing Solutions</h2>
<p><strong>Stateless Solutions</strong></p>
<p>If ALL of the above questions are answered &#8216;No&#8217;, then you can employ a stateless solution.</p>
<p>Blue Ridge offers a stateless solution called Pixie, which provides a virtualized workspace isolated from its host computer; this virtual workspace is tunneled via a virtual VPN appliance, using non-SSL technology, to a termination point in or near the cloud.  It is an anti-data-leakage solution that starts from a malware-free image, plugs the electronic data leak paths listed above, and defeats local network attacks such as man-in-the-middle and DNS poisoning. </p>
<p>Pixie exists in two form factors:</p>
<ol>
<li>The user boots the PC from a Pixie USB device</li>
<li>The user launches a Pixie virtual workspace from within the host computer while a USB authentication token is inserted</li>
</ol>
<p>Look here for more information on <a title="Malware and Data Leak Free Cloud Computing Usage" href="http://www.blueridgenetworks.com/products/pixie/cloud-computing-endpoint-security-data-leak-risks-solution.php" target="_self">Pixie Anti-Data Leakage Cloud Computing</a> and <a title="The Secure Alternative to SSL Computing" href="http://www.blueridgenetworks.com/products/pixie/secure-alternative-to-ssl-vulnerabilities-enterprise-cloud-computing.php" target="_self">Other Use-Cases</a>.</p>
<p><strong>Stateful Solutions</strong></p>
<p>For roles requiring a general-purpose computer, make protection from zero-day malware your top priority. We recommend <a title="Zero Day Malware Prevention Plugs Potential Cloud Computing Data Leakage" href="http://www.blueridgenetworks.com/products/appguard-enterprise.php" target="_blank">AppGuard Enterprise</a> or <a title="Zero Day Computer Protection and Endpoint Policy Enforcement Prevent Data Leakage from Cloud Computing End-Users" href="http://www.blueridgenetworks.com/products/edgeguard.php" target="_blank">EdgeGuard</a>, which are centrally managed security software products. Next, implement endpoint security policy enforcement to harden the computers and minimize the potential for insider mistakes. For policy enforcement, which also includes assessing and correcting issues with other third-party security software (e.g., antivirus, disk encryption, etc.), we recommend <a title="Zero Day Computer Protection and Endpoint Policy Enforcement Prevent Data Leakage from Cloud Computing End-Users" href="http://www.blueridgenetworks.com/products/edgeguard.php" target="_blank">EdgeGuard</a>, which offers both protection and policy enforcement. EdgeGuard also takes most of the pain out of allowing employees to operate computers with local admin rights.</p>
<p><strong>Related Articles</strong></p>
<p><a title="SSL is Too Insecure for Information Worth Stealing" href="http://www.blueridgenetworks.com/securitynowblog/ssl-vpn-remote-access-telework-more-data-leak-risks-than-ipsec" target="_self">SSL Vulnerabilities Pose Tremendous Malware, Data Leakage, and Other Risks</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/cloud-computing-endpoint-security-data-leakage-risk/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Botnets Inside the Gates, Every PC Must Defend Itself</title>
		<link>http://www.blueridgenetworks.com/securitynowblog/best-botnet-defense-zero-day-computer-protection-to-avoid-enterprise-data-leaks</link>
		<comments>http://www.blueridgenetworks.com/securitynowblog/best-botnet-defense-zero-day-computer-protection-to-avoid-enterprise-data-leaks#comments</comments>
		<pubDate>Fri, 09 Oct 2009 15:30:48 +0000</pubDate>
		<dc:creator>Eirik Iverson, Product Management</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>

		<guid isPermaLink="false">http://www.blueridgenetworks.com/securitynowblog/?p=246</guid>
		<description><![CDATA[Look around at all of the different computers in an organization.  Any one of them may be part of a Botnet, systematically stealing information and discretely infecting others as needed, and only when needed.   A different class of Botnet targets the enterprise, some call it the mini-Botnet.  Compared to the well known monster BotNets, the mini-Botnet is quiet, [...]]]></description>
			<content:encoded><![CDATA[<p>Look around at all of the different computers in an organization.  Any one of them may be part of a Botnet, systematically stealing information and discreetly infecting others as needed, and only when needed.   A different class of Botnet targets the enterprise; some call it the mini-Botnet.  Compared to the well-known monster Botnets, the mini-Botnet is quiet, meticulous, and better hidden.  They are designed to harvest insider information and intellectual property for months and years.  And research suggests Botnet-infected PCs remain so for years.<span id="more-246"></span></p>
<p><strong>Enterprise: Worry about Mini-Botnets more than the Big Botnets</strong></p>
<p>Trend Micro is expected to report that the global median duration of a computer's Botnet infection is over 300 days.  Further, they will also report that approximately one fourth of all detected Botnet zombies are enterprise computers.  The enterprise share may actually be higher, because it is harder to estimate: many enterprise computers sit behind NAT and share a single public IP address, so one detected address can stand for many infected hosts.</p>
<p>Damballa, a network security firm that offers network appliances to detect Botnet communications within an enterprise, recently published figures that both challenge and complement the Trend Micro findings.  They estimate that 7% to 9% of detected Botnet communications stem from enterprise-owned IP space, less than half of what Trend Micro estimates.  I suspect that the Trend Micro research is based upon a significantly larger set of data points, some 100 million detected Botnet IP addresses.</p>
<p>Damballa reports that less than 5% of the enterprise Botnet computers they detected were part of the loud, monster Botnets such as Koobface and ZDbot, meaning most infected enterprise computers are part of mini-Botnets.</p>
<p>Despite lacking the comparative scale of the big Botnets, the mini-Botnets are impressive, lacking nothing in terms of malware attack code variants or command and control sophistication.</p>
<p><strong>Multi-Stage Malware Infestations Maximize Penetration and Value for Cyber Criminals</strong></p>
<p>Mini-Botnets employ black-market malware kits that enable them to launch intelligent, multi-stage attacks on computers.  These kits automate the production of never-before-seen malware attack code (i.e., zero-day attack/exploit code), which means no signature exists for typical anti-virus/spyware software to detect it.  Targeted email attacks, or spear phishing attacks, either include virus/worm/Trojan-tainted attachments or a hyperlink to a compromised web server, hundreds of thousands of which are legitimate sites.</p>
<p>When a PC gets hit, a temporary first-stage payload launches, assesses the computer, determines the best options for infestation, downloads the necessary code, and loads it onto the PC.  This staged process is even used to conduct privilege escalation attacks, so that computers running with limited user accounts (i.e., no local admin rights) can still be infested with rootkit-based malware.  Third-generation rootkits are effectively invisible to commonly available detection techniques.</p>
<p><strong>Mini-Botnets Quietly, Systematically Harvest Information</strong></p>
<p>Once one or a few computers in an enterprise are part of a Botnet, the operators quietly explore network shares, application/database servers, network topology, available communication protocols, and other client computers, and they collect credentials so they can dig deep into information resources as needed.  They infect other computers when they seek to access additional information.</p>
<p>On the other hand, they may infect end-user documents and/or multimedia that are likely to be sent to another enterprise.  For the other enterprise, they may create a separate Botnet, meaning a separate command and control system.  This way, if one mini-Botnet is discovered, the other may continue unabated.</p>
<p>If all this seems unsettling, and it should, consider the steps following the harvesting of information.  Someone has to read through it to determine what is valuable and who would buy it.  These are significant challenges.  Consider the distinction between insider information and intellectual property from the Botnet operator perspective, for example.  Intellectual property materials not only require analysis but they also require a buyer, whereas insider information can yield considerable gains (e.g., stock market trades) without finding a trustworthy buyer.  The collection of enterprise information creates demand for a new black market industry of analysts and brokers.  This suggests that the enterprise might prioritize its anti-data leak efforts toward the most readily identifiably valuable and exploitable information.</p>
<p><strong>Data Leak Prevention Could Inadvertently Help Cyber Criminals</strong></p>
<p>As the bad guys work out how they are going to find gold nuggets in the gravel, data leak prevention practitioners should be careful not to make matters easier for them.  Part of a data leak prevention implementation involves classifying and tagging information/documents so that security policies can be enforced based on content.  Those tags could be exploited by the bad guys to find the gold more easily: a plaintext "CONFIDENTIAL" label is as good a search key for the attacker as it is for the DLP engine.  Perhaps these tags should be encrypted, or keyed so that only the DLP engine can read them, and perhaps even polymorphic/variable so that two documents of the same class do not carry the same tag.</p>
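<p>One way to build the keyed, polymorphic tags suggested above, added here as an example rather than taken from the post or from any DLP product: the tag is a random nonce followed by an HMAC over the nonce, a document identifier and the class label.  The DLP engine, which holds the key, recovers the label by trying each of the few known classes; without the key a tag reveals nothing, two documents of the same class carry unrelated tags, and binding the document identifier stops a PUBLIC tag from being transplanted onto a confidential file.  The class names, key, and document identifiers are constructed for the example.</p>

```python
import hashlib
import hmac
import secrets

# The (small, fixed) set of classification labels the DLP engine enforces.
CLASSES = ("PUBLIC", "INTERNAL", "CONFIDENTIAL", "RESTRICTED")
NONCE_LEN = 16


def _mac(key, nonce, doc_id, label):
    # Length-prefixing doc_id keeps "ab"+"c" and "a"+"bc" from colliding.
    msg = nonce + len(doc_id).to_bytes(2, "big") + doc_id.encode() + label.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def make_tag(key, doc_id, label):
    """Tag = nonce || HMAC(key, nonce || doc_id || label), hex-encoded.
    The random nonce makes every tag unique (polymorphic); the key keeps the
    label unreadable to anyone who merely finds the tag; doc_id binds the tag
    to one document so it cannot be copied onto another."""
    if label not in CLASSES:
        raise ValueError(f"unknown class {label!r}")
    nonce = secrets.token_bytes(NONCE_LEN)
    return (nonce + _mac(key, nonce, doc_id, label)).hex()


def read_tag(key, doc_id, tag):
    """Recover the label by trying each known class; None if the tag is
    forged, damaged, made with another key, or belongs to another document."""
    try:
        raw = bytes.fromhex(tag)
    except ValueError:
        return None
    nonce, mac = raw[:NONCE_LEN], raw[NONCE_LEN:]
    for label in CLASSES:
        if hmac.compare_digest(mac, _mac(key, nonce, doc_id, label)):
            return label
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # held only by the DLP engine
    t = make_tag(key, "hr/salaries-2009.xls", "CONFIDENTIAL")
    print(t, read_tag(key, "hr/salaries-2009.xls", t))
```

<p>The scheme hides the label only as long as the key stays on the DLP engine; an attacker who compromises the engine itself can read every tag, which is why that host needs the same protection the post argues every endpoint needs.</p>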
<p><strong>Laptops Make Great Mules for Data Leaks</strong></p>
<p>Large organizations have already begun to deploy network-based data leak prevention systems.  Some are merely intrusion detection, looking for suspicious outbound communications.  Some actually inspect the content of communications.  Neither detects anything leaking from laptops when they are off the enterprise network.  Blue Ridge offers centrally managed endpoint security policy enforcement agents that are location-aware; Botnet malware can be location-aware just as easily, and can simply wait until the laptop leaves the network before it talks.</p>
<p><strong>Cost Effective, Zero Day Malware Prevention is Paramount</strong></p>
<p>Implementing data leak prevention systems is very burdensome.  Detecting Botnet communications is already hard and getting harder as they grow more sophisticated.  So, ultimately, the enterprise must focus on preventing virus, worm, Trojan, and other zero-day malware infestations on its client computers.  But the signature-based anti-virus/spyware software found on typical enterprise computers misses 71% of Botnet attack code, because the code is altered every 10 minutes to elude detection.  The big and familiar vendors offer massive endpoint security suites with features that detect/block Botnet attack code.  However, these features are so difficult to configure and maintain that they are usually disabled or severely under-utilized.  In other words, their effective protection is far less than what the vendors report via independent lab tests.</p>
<p><strong>Blue Ridge Recommendation</strong></p>
<p>Deploy one of our AppGuard Technology solutions designed to provide zero-day protection from Botnet attack code.  AppGuard is available as a free 30 day trial, no registration required.  Administrators can get a very good sense for how little effort is required to configure and maintain <a title="Protect Consumer and SMB Computers from Botnet Virus, Worm, Trojan, and other Zero Day Malware" href="http://www.blueridgenetworks.com/products/appguard.php" target="_blank">AppGuard</a>, <a title="Prevent Botnet Data Leaks, Focus on Zero Day Virus, Worm, Trojan, and other Zero Day Malware Protection" href="http://www.blueridgenetworks.com/products/appguard-enterprise.php" target="_blank">AppGuard Enterprise</a>, or <a title="Protect Enterprise Computers from Zero Day Botnet Attacks AND Control/Audit Enterprise Computers Located Anywhere" href="http://www.blueridgenetworks.com/products/edgeguard.php" target="_blank">EdgeGuard</a>.  Check out their respective product pages to determine, which is best for you.  For more information on how they protect computers better than your existing anti-virus/spyware security software, check out our <a title="Protect Computers from BotNet Attacks via Virus, Worm, Trojan, and other Zero Day Malware" href="http://www.blueridgenetworks.com/docs/AppGuard-Technology-Computer-Protection-White-Paper.pdf" target="_blank">zero day computer protection white paper.</a></p>
<p><strong>A Different, Better Approach to Zero Day Attack Computer Protection</strong></p>
<p>These security software solutions take a different approach to computer protection than anti-virus/spyware products that rely on virus signatures.  Instead of trying to pick the good out of a nearly infinite variety of bad content, they place under guard the applications that process incoming and potentially malicious content.  We also steered away from protection that depends on distinguishing good behavior from bad behavior by those guarded applications, in favor of a deterministic approach.</p>
<p>We focus on preventing the guarded applications from doing harm by blocking write operations to critical PC resources.  Secondly, in all those endpoint locations where users have write access, we prevent unknown/unauthorized executables from launching at all.  We call these locations user-space, and USB storage can be treated as user-space too.  Guarded apps can launch from user-space (typically 2 to 4 applications are listed as allowed to launch from user-space); this amounts to user-space whitelisting, which is considerably less effort to implement than total whitelisting.  With the at-risk applications and unknown user-space executable launches precluded from writing into the ‘Program Files’ and ‘Windows’ directories, total whitelisting adds far, far less value, and that is where the bulk of the total whitelisting implementation pain lies.</p>
<p><strong>Related Articles</strong></p>
<p><a title="SANS Recommended Controls Help Prevent Botnet Security Breaches" href="http://www.blueridgenetworks.com/securitynowblog/sans-report-2009-malware-top-priority-target-software-vulnerability-but-not-patch-top-priority" target="_blank">SANS: Client-Side Software Vulnerabilities Are Highest Priority But Most Neglected Risk</a></p>
<p><a title="Botnets Feed Off the Never Ending Vulnerabilities of Web Browsers, Recently Found More Numerous than Feared" href="http://www.blueridgenetworks.com/securitynowblog/web-browser-plug-ins-activex-npapi-vulnerabilities-zero-day-exploit-attacks-indefinitely" target="_blank">Never Ending Vulnerabilities for Web Browsers</a></p>
<p><a title="Relatively Unprotected Employee-owned Computers Provide Easy Entry into Enterprise" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/data_leak_prevention_must_handle_home_computer_use" target="_blank">Employee Owned Computers are Data Leak Risks to Employers</a></p>
<p><a title="BotNet Controlled Online Bank Fraud Cost Businesses $100,000's Per Incident" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/antivirus-failure-costs-businesses-fraudulent-bank-transfers-fdic-regulation-e" target="_blank">Business Protection from AntiVirus-Failure Caused Fraudulent Bank Transfer Losses</a></p>
<p><a title="Fully Patched Computers Are Harder for Botnets to Penetrate" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/unpatched-pc-software-targets-malware-attacks" target="_blank">Why Should UnPatched PC Software Concern You?</a></p>
<p><a title="Botnets Also Use Tainted Emails Seemingly from Known People to Penetrate the Enterprise" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/spear-phishing-attacks-can-bankrupt-small-business" target="_blank">Today's Spear Phishing Attacks Can Wipe Out Small Businesses in One Click</a></p>
<p><a title="Zero Day Protection with Signature-Based AntiVirus is Full of Holes" href="http://www.blueridgenetworks.com/securitynowblog/endpoint_security/signature-based-antivirus-and-hips-technologies-poor-endpoint-protection" target="_blank">Signature Based AntiVirus Technologies vs Malware Detection with a Coin Toss</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.blueridgenetworks.com/securitynowblog/best-botnet-defense-zero-day-computer-protection-to-avoid-enterprise-data-leaks/feed</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
	</channel>
</rss>
