Fantibag introduces new tricks

With this month's Patch Tuesday looming (remember, it's really 'Patch Wednesday' here) Microsoft is working on a new, critical, publicly disclosed vulnerability in a component of its deprecated (but will it ever really die?) Virtual Machine.

This issue's topics:

Introduction:

* New Trojan tricks; IE, Win2K, zlib, Adobe Reader/Acrobat PHP XML-RPC updates

Virus News:

* Fantibag introduces new tricks

Security News:

* Critical javaprxy.dll flaw publicised — workaround now, patch later

* Windows 2000 Update Rollup released

* Critical zlib 1.2.x patch

* Adobe Reader, Acrobat 7.0.2 for Mac released

* Adobe Reader for Unix updates fix remote code execution vulnerability

* PHPXMLRPC, Pear XML_RPC remote command execution

Introduction:

With this month's Patch Tuesday looming (remember, it's really 'Patch Wednesday' here) Microsoft is working on a new, critical, publicly disclosed vulnerability in a component of its deprecated (but will it ever really die?) Virtual Machine.

Aside from being publicly disclosed, we have also seen functional exploit code publicly posted and there are some indications that this may already be in use in some of the less-than-trustworthy corners of the net. Windows 2000 users have a minor cause for celebration though — the release of the Update Rollup that replaced the promise of SP5.

Elsewhere, critical Adobe Reader and/or Acrobat updates, zlib patches and PHP XML-RPC updates are on the menu.

And, just when it was getting so ho-hum in the malware analysis trenches, a mildly interesting (at least to some very techie folk) twist in the form of the Fantibag trojan came along.

Virus News:

* Fantibag introduces new tricks

Viruses, trojans, adware and spyware interfering with their victim machines' ability to obtain antivirus, operating system and/or other security software updates by messing with the HOSTS file is not news. In fact, although occasionally still trumpeted as if it were a new twist, HOSTS-wrangling by malware has been going on for quite some time now.

A new trojan downloaded and installed by some variants of the Glieder trojan family (itself related to the Bagle virus family) takes an interesting new approach to achieving the same effect but in a way that is much less obvious to the user who knows to check the contents of the HOSTS file when sites that should be available suddenly seem to disappear.

To interfere with its victims' attempts to contact their antivirus and other security sites to obtain updates, Fantibag installs itself to run at system start up. Once running, it uses the Remote Access Services (RAS) API to create filters to block all outgoing and incoming traffic to and from the IP network addresses of about a hundred antivirus, computer security and Microsoft software update web sites.

Computer Associates Virus Information Centre

F-Secure Security Information Centre

Sophos Virus Info

Trend Micro Virus Information Center

Security News:

* Critical javaprxy.dll flaw publicised — workaround now, patch later

Initially described as a possible denial of service vulnerability, a remote code execution vulnerability potentially affecting all supported versions of Internet Explorer has been publicly disclosed.

Early reports were that Microsoft staff could not replicate the effects claimed by the discoverers of the vulnerability, hence the title of the subsequent Microsoft Security Advisory apparently downplaying the seriousness of the vulnerability.

In short, javaprxy.dll — one of the components of the Microsoft (Java) Virtual Machine (or MS VM) — can be called from a webpage through its COM interface. Loading this component thus exposes a heap corruption vulnerability that can be remotely exploited to execute arbitrary code. This vulnerability was initially described by researchers from SEC Consult, but others have subsequently developed and posted more functional exploit code.

Shortly after Microsoft's security advisory was posted, proof of concept code for a remote execution exploit of the vulnerability was published. Your newsletter compiler has seen some evidence of an attempt by a spyware and adware foisting gang to include exploitation of this vulnerability in a so-called "drive by" spyware installation on a website (unfortunately, there is not enough data available to conclude for sure whether this attempt uses successful, working code or just code similar to that in the publicly disclosed proof of concept).

Microsoft has updated its initial advisory to include better descriptions of the workarounds to prevent the vulnerability's exploitation, and has now provided downloadable tools to increase the ease with which the workarounds can be applied.

The affected .dll is not necessarily present on a Windows machine. As a result of the settlement of the Microsoft/Sun court case over Microsoft's use of the Java virtual machine, Microsoft removed support for MS VM from its OSes at various service pack and new product release points. Machines installed fresh from such installation media, or from install points slip-streamed with suitable service packs, will not include the vulnerable component, unless some third-party product has subsequently installed the MS VM. Further, even machines that have had the MS VM installed may not be vulnerable if they have subsequently had the by-special-request-only virtual machine remover run on them.

In summary — it's a bad hole, there is exploit code out there, there is evidence that the bad guys are thinking of using (if not already actively using) that code and Microsoft has not yet released an official patch. Read the official Microsoft security advisory and take the action appropriate to your circumstances ASAP.

IE6 javaprxy.dll COM heap corruption vulnerability — sec-consult.com

A COM Object (Javaprxy.dll) Could Cause IE to Unexpectedly Exit — microsoft.com

* Windows 2000 Update Rollup released

Earlier plans to release Service Pack 5 for Windows 2000 were officially scuttled a while back, with Microsoft promising to replace the long-expected SP5 with the a 'security rollup' style update "by mid-2005". Just a few days before Windows 2000 reached the end of its official "mainstream support" period and entered "extended support", Update Rollup 1 for Windows 2000 SP4 was released.

Although never enjoying much success (or even interest) in the home and end-user market (for which it was never really intended anyway), Windows 2000 is still heavily used in larger commercial and corporate settings. To this end, the Update Rollup can be applied to slipstream installs of Windows 2000 SP4, to ease the build process for new machines and such.

Note that although this update rollup includes all security updates for Windows 2000 released subsequent to SP4 up to MS05-020 (the cumulative update for Internet Explorer released on Patch Tuesday of April this year), using the rollup may not provide quite what you would expect.

For example, the Knowledge Base article accompanying the rollup's release explains that IE 5.01 is the supported version of the Microsoft web browser for Windows 2000 SP4, so only IE 5.01 updates are included. Likewise, as a result of the resolution of the long-running legal wrangle between Microsoft and Sun over Java, the Microsoft VM was unsupported in SP4, so no VM updates are included yet the rollup can be installed on machines where the VM is still present (and possibly in an older and highly vulnerable state).

There are a few other "gotchas" with the rollup too. Before deploying it, one should very carefully read the release notes and other advice in the Knowledge Base article.

Update Rollup 1 for Windows 2000 SP4 — microsoft.com

* Critical zlib 1.2.x patch

Said by the zlib maintainers to only affect 1.2.1 and 1.2.2 releases, a buffer overflow in the handling of certain specially malformed (or otherwise corrupted) compressed data in inftrees.c may expose systems and packages running vulnerable zlib implementations to remote arbitrary code vulnerabilities.

Very many applications and services depend on zlib, or zlib-derived code, and link dynamically to the official compiled libraries or statically include the libraries or code complied from zlib sources. Many Linux distributions have already shipped updates for the affected libraries and applications that statically link the vulnerable code, but there are many third-party (and especially Windows) applications that have not yet been updated.

zlib: Buffer overflow — gentoo.org

* Adobe Reader, Acrobat 7.0.2 for Mac released

A couple of newsletters back we noted that the 7.0.2 update for the Mac versions of Adobe Reader and Acrobat had not been released yet, despite Adobe's acknowledgement that then extant Mac versions of the software were vulnerable to the XML External Entity vulnerability fixed in the 7.0.2 release of the Windows versions of those products.

Adobe has since released the 7.0.2 updates for the Mac OS versions of those products, and posted additional security advisories describing two further vulnerabilities fixed in those versions. The first of these is an arbitrary local application execution while reading a PDF document. Given the history of such things, one has to be at least a tad sceptical about Adobe's claim that the threat of this vulnerability "is minimised due to the fact that the applications can be executed only if the complete application names and paths are known in advance", as it is often a trivial matter to obtain such information, based on default installation paths and common installation and configuration practices.

The second is a privilege elevation vulnerability, whereby the Adobe Reader and Acrobat updater elevates all users permissions to the Safari Frameworks folder, potentially allowing the addition of unauthorised frameworks.

Updater elevates folder permissions — adobe.com

Arbitrary application execution from malicious PDF document — adobe.com

XML External Entity vulnerability (Reader and Acrobat 7.0-7.0.1) — adobe.com

* Adobe Reader for Unix updates fix remote code execution vulnerability

Adobe is advising Linux, Solaris, HP-UX and AIX users of versions 5.0.9 or 5.0.10 of Adobe Reader to obtain the latest updates that fix multiple security vulnerabilities in those products. Linux and Solaris users are being advised to update to the new Adobe Reader 7.0, while HP-UX and AIX users should obtain the 5.0.11 update for their platforms.

A couple of issues back we reported that the XML External Entity vulnerability had been reported to work against at least the Linux version of Adobe Reader but there is no mention of this in Adobe's security advisories covering these latest updates.

Those advisories do, however, describe a buffer overflow whose exploitation could allow a remote attacker to execute arbitrary code on the victim's machine and a file permissions problem that could result in a local user privilege elevation.

Buffer overflow vulnerability in Adobe Reader — adobe.com

Temporary file vulnerability due to Adobe Reader — adobe.com

* PHPXMLRPC, Pear XML_RPC remote command execution

Since being released as open source software, the PHPXMLRPC package has been widely adopted in a large number, and all manner, of web applications. Similar vulnerabilities in both PHPXMLRPC and the Pear XML_RPC package, due to inadequate sanitising of user input, have now been addressed.

These vulnerabilities allow specially crafted XML data to be sent to a server running the affected packages and be processed such that attacker-supplied PHP code will be run on the server hosting the affected web application.

As these popular implementations of XML-RPC are widely employed in many other packages, it may take some digging to determine if any given system is affected. The US CERT vulnerability note linked below lists some packages and Linux distributions known to be affected, but several others — for example, TikiWiki, eGroupware, phpGroupware, phpWiki — are also strongly suspected or known to be affected.

Multiple PHP XML-RPC implementations vulnerable to code injection

Join the newsletter!

Error: Please check your email address.

More about Adobe SystemsCA TechnologiesCERT AustraliaF-SecureHPLinuxMicrosoftSECSophosTrend Micro Australia

Show Comments
[]