Osama bin Trojan; Wacko Jacko cracko

MSN Korea distributing malicious keyloggers? What is the world coming to? While the full story has not been told (and quite likely never will be publicly disclosed), it seems likely that MSN Korea fell to the same ailment as has afflicted Microsoft servers closer to Redmond before - shoddy, or outright missing, patch management for security updates to Windows (whether on the servers themselves, or on the workstations of those managing them will also probably never be made public). Perhaps one of the MSN Korea administrators fell for something akin to the items mentioned in our second story?

This issue's topics:


* MSN Korea malware; qmail flaw; OS X, WebSphere, Adobe & Macromedia updates

Virus News:

* MSN Korea distributes keylogger

* Osama bin Trojan; Wacko Jacko cracko

Security News:

* Guninski vs. qmail

* AES susceptible to timing attack

* Multiple OS X updates

* IBM WebSphere 5.0.2 Administrative Console fix

* Fix for Adobe License Management Service for Windows

* Fix for Macromedia eLicensing Client for Windows


Elsewhere, there appears to be at least one bona fide remotely exploitable vulnerability in qmail. Despite this, qmail's author denies any sensibly managed system would actually be configured in such a way as to allow the vulnerability to be exploited, suggesting that makes the claims for the vulnerability's existence invalid. qmail users running it on 64-bit platforms should take note.

Other security fixes of some importance include the latest OS X updates, a fix for the Administrative Console of IBM WebSphere, and similar fixes for Adobe and Macromedia 'licence management' services on Windows machines. Of significant theoretical note is the discovery of timing attacks against the AES cipher that may allow reliable remote determination of server keys.

Virus News:

* MSN Korea distributes keylogger

MSN's Korean site was distributing a keylogging trojan early in June. As part of Websense's ongoing web scanning, looking for vulnerable sites and those hosting malicious software, the MSN Korea News site showed up hosting some malicious scripting in a hidden frame on MSN Korea's news page and various pages linked from it.

The malicious script tried to exploit Internet Explorer security vulnerabilities to silently download and execute a trojan executable that steals keystrokes while the game Lineage is running. This online, subscription-based game is very popular in Asia, with about four million active players. Presumably the intent of those behind the trojan was to obtain access to the game by using authentication data stolen from the trojan's victims, or to make money by selling the access data to others at a discounted rate.

Microsoft has suggested that its Korean partner responsible for hosting the site (one of the few Microsoft and MSN sites not hosted by Microsoft itself) had not installed all necessary security patches on its servers, leaving an opening for the person who installed the trojan and the code to download it to visitors' machines.

Note that most of the limited news coverage of this issue confuses (or, rather, fails to separate) the client-facing attack (downloading the Lineage keylogging trojan) from the attack that allowed the client attack to be implemented on the MSN Korea servers. Most news coverage also confuses the vulnerability and exploit used in both parts of the attack. We know for sure that the client attack was based on exploits of the MS05-001 HTML Help cross-domain vulnerability (and possibly other IE browser vulnerabilities), but there is no public statement describing how the attackers compromised the MSN Korea servers to install the client attack.
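The hidden frame that Websense found is the kind of thing a site owner can scan for. The following is an added example, not Websense's scanner or code from the page: a small heuristic that flags frames sized to nothing or styled invisible in a constructed sample page (the hostnames are placeholders, not indicators).

```python
from html.parser import HTMLParser


class HiddenFrameFinder(HTMLParser):
    """Collect <iframe>/<frame> tags that are sized to (near) zero or styled
    invisible. Heuristic only: legitimate pages use such frames too, so a hit
    is something to review, not proof of compromise."""

    def __init__(self):
        super().__init__()
        self.hits = []  # (src, [reasons]) in document order

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "frame"):
            return
        a = {k.lower(): (v or "").strip() for k, v in attrs}
        reasons = []
        # 0x0 and 1x1 frames show nothing to the viewer but still load src
        for dim in ("width", "height"):
            if a.get(dim, "").lower().rstrip("px") in ("0", "1"):
                reasons.append(f"{dim}={a[dim]}")
        # inline CSS that hides the element outright
        style = a.get("style", "").lower().replace(" ", "")
        for marker in ("display:none", "visibility:hidden"):
            if marker in style:
                reasons.append(marker)
        if reasons:
            self.hits.append((a.get("src", "(no src)"), reasons))


def find_hidden_frames(html: str):
    """Return the hidden-frame findings for one page's HTML."""
    parser = HiddenFrameFinder()
    parser.feed(html)
    parser.close()
    return parser.hits


# Constructed sample: one ordinary ad frame and two concealed frames of the
# kind reported on the MSN Korea news page. Hosts are placeholders.
SAMPLE_HTML = """
<html><body>
<h1>Top stories</h1>
<iframe src="http://ads.example.invalid/banner.htm" width="300" height="250"></iframe>
<p>story text ...</p>
<iframe src="http://bad.example.invalid/x.htm" width="0" height="0" frameborder="0"></iframe>
<div><iframe src="http://bad.example.invalid/y.htm" style="display: none"></iframe></div>
</body></html>
"""

if __name__ == "__main__":
    for src, why in find_hidden_frames(SAMPLE_HTML):
        print(f"hidden frame loading {src}: {', '.join(why)}")
```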

Malicious Website/Malicious Code: MSN Korea — websensesecuritylabs.com

Microsoft investigates MSN Korea hack — networkworld.com

Online gamers targeted in Korean MSN hack attack — theregister.co.uk

Microsoft Security Bulletin MS05-00#

* Osama bin Trojan; Wacko Jacko cracko

Recent days have seen several attempts to distribute new trojan horse programs via the tried and true method of appealing to our presumed interest in high-profile people and events.

Messages promising "pics" of Osama bin Laden's capture instead carried a trojan that downloaded another piece of malware and set it running on its victims' machines. Whether the "King of Pop" would appreciate the billing or not, the folk behind such schemes obviously rate Michael Jackson as having similar pulling power. Messages suggesting that Jackson's ongoing trial had all become too much for him, driving him to suicide, and again offering pictures relating to this supposed event, have also been spammed in the last few days; again, they were really the distribution method for a network proxy trojan variously known as Borobot, Boxed, Dedler and Robobot.

This distribution method only works for two reasons — the folk who have no protective software and are unwise enough to run anything that comes their way, and the folk who are unwise enough to run anything that comes their way and are not stopped from doing so by their virus scanners. However, even those who keep their virus scanners deadly up-to-date (some products are offering virtually hourly updates nowadays) are vulnerable to newly released malware that is not sufficiently similar to other, already detected malware and for which the producers of their virus scanners have not yet added specific detection to their scanners.

Although this "window of opportunity" may be as small as an hour in the case of some products for some malware, this vulnerable timeframe is typically many times greater. However, even at an hour or two (and the antivirus industry probably cannot lower that any further), it is enough for the miscreants behind the latest malware craze of "bot pharming" to get enough additional new active bot agents into the field to extend their "bot armies", or at least to replace those inevitably lost to natural attrition. As contemporary bots almost universally disable or at least side-step their victims' antivirus and personal firewall software, they tend to remain undetected despite the rest of the machine continuing to "work as normal".

Bin Laden Trojan quickly constrained — zdnet.com

Bogus Jackson suicide bid claim used to spread malware — theregister.co.uk

Window of exposure lets viruses run rampant — theregister.co.uk

Security News:

* Guninski vs. qmail

Georgi Guninski, the Bulgarian security researcher notorious for his earlier expositions of numerous nasty Internet Explorer vulnerabilities, has raised the ire of many a qmail fan with his latest security advisory. Guninski claims there are at least three vulnerabilities in qmail involving integer overflows and/or "signedness" and/or confusion of 32-bit integers with 64-bit pointers in the internet's second-most-used SMTP server. Further, and this is the ire-inducing claim, he says that at least one of these vulnerabilities is remotely exploitable under a default installation of qmail on at least some 64-bit AMD systems (he tested 'FreeBSD 5.4 amd64').

Dan Bernstein, the author of qmail, has long held that the attention to security detail is what separates qmail from all other SMTP servers and since March 1997 has been offering a US$500 reward for the publication of 'a verifiable security hole in the latest version of qmail'. Guninski's claims have raised much debate, especially in the qmail mailing lists, since his initial postings of some early work on these issues a month ago. About a week ago he posted a Perl script he claimed executed code with root privileges via qmail-popup.

Bernstein's response to all this is noted in a recent modification he made to the 'qmail security guarantee' page on his cr.yp.to web site (linked below). That page retains Bernstein's claim that '[n]obody has found any security holes in qmail', but he also admits that there are some, perhaps previously undocumented, 'potential 64-bit portability problems' with qmail's current code base. He goes on to deny Guninski's claim of having found a remotely exploitable security vulnerability (that, to many outside observers otherwise seems to meet Bernstein's criteria for claiming to have broken qmail's security) on grounds some may describe as quite specious - that '[n]obody gives gigabytes of memory to each qmail-smtpd process'.

Guninski's exploits require a machine with more than 4GB of memory (physical and swap) per process, and possibly as much as 8GB, or even more. Best practice for configuring and running qmail has, at least since the mid-late 1990s, included running the various qmail processes under various forms of administrator-configured, system-imposed resource limits to prevent otherwise 'unavoidable' resource-exhaustion attacks (this is not a qmail-specific issue). Bernstein's default installation instructions for qmail (written before running under resource constraints became widely recommended) do not mention such constraints, so one may feel Guninski was 'playing by the rules' with his claims.

Anyway, wherever you stand on the did-he/didn't-he find a security vulnerability in qmail issue, Guninski's posts on this issue and the furore they have raised should, more strongly than ever, recommend that qmail users running on 64-bit architectures check that they are using appropriately configured resource limits on their qmail processes.
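The per-process resource limit recommended above, as an added example that is not code from qmail, daemontools or any post on the page: a forked child lowers its own RLIMIT_AS (the address-space limit that daemontools' `softlimit -m` and the shell's `ulimit -v` set), so a multi-gigabyte allocation of the size Guninski's exploit needs is refused by the kernel rather than granted. Assumes a Unix-like system with fork(); the 512 MiB cap is an illustrative value.

```python
import os
import resource


def alloc_under_limit(limit_bytes: int, request_bytes: int) -> bool:
    """Fork a child, cap its address space (RLIMIT_AS, the limit that
    softlimit -m and ulimit -v set), then try one allocation of
    request_bytes there. Returns True if the child's allocation succeeded
    and False if the limit refused it. The parent process is untouched."""
    pid = os.fork()
    if pid == 0:
        try:
            # lower both soft and hard limit, for this child only
            resource.setrlimit(resource.RLIMIT_AS, (limit_bytes, limit_bytes))
            buf = bytearray(request_bytes)  # one big allocation
            buf[0] = 1  # touch it so the mapping is really established
            os._exit(0)
        except MemoryError:
            os._exit(1)
        except Exception:
            os._exit(2)
    _, status = os.waitpid(pid, 0)
    return os.WIFEXITED(status) and os.WEXITSTATUS(status) == 0


if __name__ == "__main__":
    cap = 512 * 1024 ** 2  # 512 MiB per process, an illustrative value
    print("1 MiB under 512 MiB cap:", alloc_under_limit(cap, 1024 ** 2))
    print("4 GiB under 512 MiB cap:", alloc_under_limit(cap, 4 * 1024 ** 3))
```

Without the cap, an overcommitting kernel would typically hand out the 4 GiB mapping and only fail when the pages were touched, which is exactly the situation the exploit relies on.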

64 bit qmail fun — guninski.com

The qmail security guarantee — cr.yp.to

* AES susceptible to timing attack

Speaking of Dan Bernstein, the University of Illinois computer science professor recently published an article describing a timing attack against AES. This paper includes details of an experimental attack that successfully recovered entire AES keys from a server running OpenSSL. Although OpenSSL was used in the demonstration, Bernstein's paper (available as a PDF, linked below) explains why the problem is inherent in the AES design, rather than in the OpenSSL implementation per se, and Bernstein is confident that his methods could be used successfully against other implementations.

Cache-timing attacks on AES — cr.yp.to (PDF)

* Multiple OS X updates

Apple's June security update includes fixes for vulnerabilities that expose remote arbitrary code execution and local root privilege escalation, among other, less serious, problems. Many of these vulnerabilities are OS X 10.4.x-specific, but some of the most serious also affect 10.3.9. Users with Software Update set to automatically check for, or obtain, updates should already have been alerted to the availability of these updates.

About Security Update 2005-006 — apple.com

* IBM WebSphere 5.0.2 Administrative Console fix

IBM has released an important security fix for WebSphere 5.0.2 as part of cumulative fix 11. Researchers at Application Security Inc have revealed that earlier versions of WebSphere 5.0.2 that have the "global security option" of the Administrative Console enabled are vulnerable to a pre-authentication buffer overflow that can be exploited to run arbitrary code.

Remote Buffer overflow in WebSphere Application Server Administrative Console

WebSphere Application Server 5.0.2 Cumulative Fix 11

* Fix for Adobe License Management Service for Windows

Adobe has released a security update for its Licence Management Service product for Windows. Although Adobe has not released any details of the security problem that is addressed in the update, the company says, in part, that the vulnerability "exists due to a flaw in the installation of the Licence Management Service, which can lead to an unauthorised person gaining access to the user's computer. The unauthorised person can exploit this vulnerability to run a program with administrator privileges."

The Adobe License Management Service is required on machines running Adobe products that must be activated. At present that is Adobe Photoshop CS, Adobe Creative Suite and Adobe Premiere Pro 1.5, if purchased through retail. A download link for the update is included on the Adobe page linked below.

Adobe Licence Management Service update — adobe.com

* Fix for Macromedia eLicensing Client for Windows

SSDD (same stuff, different developer — although Adobe now owns Macromedia, so perhaps not that different). The eLicensing Client code included with the Windows versions of Macromedia MX 2004 products (Studio, Studio with Flash Professional, Flash Professional, Flash, FreeHand, Dreamweaver, Fireworks, and Director), Captivate, Contribute 2 and Contribute 3 is affected.

According to a security bulletin posted on Macromedia's website, this "potential vulnerability" in its eLicensing Client installations may allow an ordinary user to gain full system privileges on Windows machines. A link to the update installer is included in the bulletin, linked below.

Security Risk with Macromedia eLicensing Client — macromedia.com
