Attacks

DLL preloading attacks

by certifiedbug on August 26, 2010

in Internet Security

Microsoft Security Advisory (2269637)
Insecure Library Loading Could Allow Remote Code Execution
Published: August 23, 2010

Executive Summary
Microsoft is aware that research has been published detailing a remote attack vector for a class of vulnerabilities that affects how applications load external libraries.

This issue is caused by specific insecure programming practices that allow so-called “binary planting” or “DLL preloading attacks”. These practices could allow an attacker to remotely execute arbitrary code in the context of the user running the vulnerable application when the user opens a file from an untrusted location.

This issue is caused by applications passing an insufficiently qualified path when loading an external library. Microsoft has issued guidance to developers in the MSDN article, Dynamic-Link Library Security, on how to correctly use the available application programming interfaces to prevent this class of vulnerability. Microsoft is also actively reaching out to third-party vendors through the Microsoft Vulnerability Research Program to inform them of the mitigations available in the operating system. Microsoft is also actively investigating which of its own applications may be affected.

http://www.microsoft.com/technet/security/advisory/2269637.mspx

http://blogs.technet.com/b/msrc/archive/2010/08/21/microsoft-security-advisory-2269637-released.aspx

Metasploit’s HD Moore

Last Thursday, Acros, a Slovenian security firm, published an advisory that identified what they call a “binary planting” flaw in iTunes. Essentially, if you open a file type associated with iTunes from a remote network share, iTunes will also try to load one or more DLLs from the share. Even if the file that the user opened is completely safe, a malicious DLL can be supplied that will lead to code execution.

While working on the Windows Shortcut exploit, I stumbled on this class of bugs and identified a couple dozen applications that seemed to be affected by this problem. iTunes was one of these applications and the details in the Acros advisory made it clear that this was indeed the same flaw. I was planning to finish the advisories and start contacting vendors on August 20th (last Friday). The Acros advisory on the 18th threw a wrench into this process.

Read the rest here: http://blog.rapid7.com/?author=20


Hacker sentenced to two years in prison

by certifiedbug on October 12, 2008

in Internet Security

United States Attorney McGregor W. Scott announced Tuesday that Gregory King, 21, a California resident once known as “Silenz”, “sZ”, “Gregk707” and “GregK”, was sentenced to two years in federal prison and ordered to pay $69,000 in restitution following a guilty plea to two counts of transmitting code to cause damage to a protected computer.

The Reporter.
http://www.thereporter.com/news/ci_10677450

King used a botnet to conduct distributed denial-of-service (DDoS) attacks against two Web sites: KillaNet Technologies, a British Columbia-based website for high school students preparing for careers in online media, and the Castlecops security forums.

The Register, 4th October 2007.
Portrait of an (alleged) cyber bully as a young man

Certifiedbug, November 30, 2007.
FBI: Botnet Crack Down (again) in Operation Bot Roast II


Storm Worm Alert

by certifiedbug on July 9, 2007

in Internet Security

The subject matter varies, but all such emails are bad news: each is an attempt to get people to download an .exe file.

Sample:

Virus Activity Detected!
Dear Customer,

Our robot has detected an abnormal activity from your IP adress
on sending e-mails. Probably it is connected with the last epidemic
of a worm which does not have official patches at the moment.

We recommend you to install this patch (< --- concealed link) to remove worm files
and stop email sending, otherwise your account will be blocked.

Postmaster

SANS: The ever morphing Storm

AusCERT: High volume of email linking to the “Storm Worm” malware


FBI Takes Down botnet

by certifiedbug on June 13, 2007

in Internet Security

ABC News reports the FBI has identified 1 million computer addresses that have been hacked by criminals who hijack other people’s computers, turn them into servers and use them to send out massive amounts of spam and spyware.

Story: ABC News


Latest on security update for Windows Animated Cursor Vulnerability

April 1, 2007

We have some new information tonight on the status of the security update that we’re working on that addresses the vulnerability in Windows Animated Cursor Handling. From our ongoing monitoring of the situation, we can say that over this weekend attacks against this vulnerability have increased somewhat. Additionally, we are aware of public disclosure of [...]


Windows Animated Cursor Handling Vulnerability

March 29, 2007

Microsoft Security Advisory (935423)
Vulnerability in Windows Animated Cursor Handling
Published: March 29, 2007

Microsoft is investigating new public reports of attacks exploiting a vulnerability in the way Microsoft Windows handles animated cursor (.ani) files. In order for this attack to be carried out, a user must either visit a Web site that contains a [...]


Storm Worm Trojan spam

January 21, 2007

This Trojan is spreading throughout the world rapidly. Once the attached file is executed, it creates a backdoor that can be used by the malware creators to take control of a system and make it part of a botnet to launch more attacks. F-Secure has detailed information on their Blog


Three Russian cyber-criminals jailed

October 5, 2006

According to Russian news sources, each of the three extortionists who had aimed botnet-derived DDoS (distributed denial of service) attacks at targeted businesses received an eight-year jail sentence. Russian security company Kaspersky writes: Yesterday a full stop was placed to one of the most notorious cases of cybercrime in Russia over the past few years. [...]


US Attorney sends Botnet master to jail for three years

August 26, 2006

David Bowermaster, Seattle Times reports that Botnet Master Christopher Maxwell was sentenced to three years in prison by Judge Marsha Pechman, federal court in Seattle. Maxwell pleaded guilty in May to one count of conspiracy to intentionally damage a protected computer and one count of intentional computer damage that interferes with medical treatment. He must [...]


Spyware Fighter has new site

June 27, 2006

Webhelper, 25 June 2006:
Due to the June 2006 DDoS attacks against webhelper4u.com along with the lack of security with my old hosting service, I have moved to a new hosting service that gives me the ability to fight against future DDoS attacks. More here

26 June 2006, Webhelper DollarRevenue Main Menu:
Because of the [...]
