Thursday, October 23, 2008

Gimmiv.A exploits critical vulnerability (MS08-067)

Critical vulnerability in Server Service has only been patched by Microsoft (MS08-067), as a new worm called Gimmiv.A has found to be exploiting it in-the-wild.

Once executed, the worm will drop 3 files: winbase.dll, basesvc.dll and syicon.dll into the directory %System%\Wbem\basesvc.dll.

It will then install and start up a new service called BaseSvc with the display name "Windows NT Baseline". The service BaseSvc will force svchost.exe to load the DLL winbase.dll which is specified as a ServiceDll parameter for BaseSvc.

Once loaded, winbase.dll will load 2 additional DLLs into the address space of the system process services.exe: basesvc.dll and syicon.dll.

After dropping and loading the aforementioned DLLs, the worm will collect system information from the compromised computer, collect passwords from the Windows protected storage and Outlook Express passwords cache, and post collected details to a remote host. The details are posted in an encrypted form, by using AES (Rijndael) encryption.

The collected information seems to specify if the following AV products are found to be installed on the compromised system:

  • BitDefender Antivirus

  • Jiangmin Antivirus

  • Kingsoft Internet Security

  • Kaspersky Antivirus

  • Microsoft's OneCare Protection

  • Rising Antivirus

  • Trend Micro

Details collected by Gimmiv.A are then posted to a personal profile of the user "perlbody", hosted with hosting provider. At this time, the collected details are displayed at this link.

At the time of this writing, there are 3,695 entries in that file. Every line contains an encrypted string, which could potentially conceal current victims' details, indirectly indicating how many victims have been compromised by this worm so far.

The worm also fetches a few files from the following locations:




One of the downloaded files is a GIF image shown below:

The most interesting part of this worm is implemented in the DLL basesvc.dll. This DLL is responsible for the network functionality of Gimmiv.A.

What needs to be clarified here, is that the exploit MS08-067 used by Gimmiv.A allows remote code execution, which makes it potentially "wormable". Considering that the vector of attack is RPC DCOM and the code is similar to typical RPC DCOM network-aware worms, which is used against other hosts in the network, Gimmiv.A is determined in this post as a worm. However, it could technically be classified as a network-aware trojan that employs functionality of a typical RPC DCOM network-aware worm to attack other hosts in the network.

Gimmiv.A starts from probing other IPs from the same network by sending them a sequence of bytes "abcde" or "12345". The worm then attempts to exploit other machines by sending them a malformed RPC request and relying on a vulnerable Server service. As known, Server service uses a named pipe SRVSVC as its RPC interface, which is registered with UUID equal to 4b324fc8-1670-01d3-1278-5a47bf6ee188. In order to attack it, the worm firstly attempts to bind SRVSVC by constructing the following RPC request:

Next, Gimmiv.A submits a maliciously crafted RPC request that instructs SRVSVC to canonicalize a path "\c\..\..\AAAAAAAAAAAAAAAAAAAAAAAAAAAAA" by calling the vulnerable RPC request NetPathCanonicalize, as shown in the traffic dump below (thanks to Don Jackson from SecureWorks for the provided dump):

As this is a critical exploit, Microsoft strongly recommends that users apply the update referred to in Security Bulletin MS08-067 immediately.

Friday, October 10, 2008

Genuine Advantage for Rogue Antispyware

That’s quite funny – the latest build of the rogue antispyware “AntiVirus2010” now fakes BSoD and complains about activation:

What’s next – popping up an annoying message "This copy of AntiVirus2010 is not genuine. You may be a victim of software counterfeiting"?

Monday, October 6, 2008

Fun with Click and Jack

Clickjacking - a relatively new trick that can potentially be used for malicious purposes under any browser/OS platform.

There is not much known yet on what exactly has been discovered by Robert Hansen and Jeremiah Grossman, as they pulled their presentation from OWASP AppSec NY 2008 "due to vendor request". As a result, many researchers started playing around with the proof-of-concept code, and came up with some really interesting demos.

To explain the concept of clickjacking, it could be helpful to recall one of the memorable episodes from the movie "Fun with Dick and Jane" (2005):

Dick Harper: I don't care... I don't care. I'm not walking out of this bank empty-handed.
Jack McCallister: ...Alright. Alright, Dick, I'm gonna write you a check... So, here you go. Just a little something to show you what I think you're worth [hands him a check for $100]

All Dick Harper needed was to get McCallister's signature. His wife, Jane Harper, was then able to forge it. While Jack McCallister was tricked by Dick Harper to sign a document that had no value to him, his signature was "hijacked" to sign a different document (worth millions of dollars).

Clickjacking is based on a similar principle: to convince the end user to provide information that does not seem to have any value to the user, but factually has power over the user's assets or ID, if applied in a particular context.

One such possible scenario is outlined below.

When user has an active online banking session, any particular transaction means particular controls clicked in a particular order. An attacker can make a guess that his victim is currently logged on, and thus, sends an instant message to the victim with an invitation to click a link to the attacker's own website.

The forged website will try to conceal the online banking website (with the victim currently logged on as the previous session was not terminated) inside an invisible frame, as shown on the picture below:

Any clicks submitted by the victim to the forged website will eventually be handled by the transparent (but still active) frame. In the example above, the victim may unintentionally add a new login name to his/her account that could now be used by the attacker.

So far, the danger of clickjacking remains purely hypothetical and there are no confirmed cases of malicious clickjacking “in-the-wild”.

Nevertheless, until transparent frames are treated as a feature (not a bug), it’s worth keeping in mind that there are potential ways of compromising users without implanting malicious code.