Viruses, worms, trojans and other stuff

Sunday, November 27, 2005

Microsoft Windows Graphics Rendering Engine WMF/EMF Format Code Execution Vulnerability

The Microsoft Windows graphics rendering engine is affected by a remote code execution vulnerability in its handling of WMF and EMF files.

The problem occurs when a user views a malicious WMF or EMF formatted file, causing the affected engine to parse it. A crafted file can trigger an integer overflow that leads to heap memory corruption and arbitrary code execution.

Because the affected engine runs with SYSTEM privileges, any code execution takes place at that level. Successful exploitation can therefore yield a remote compromise or a local privilege escalation.

Saturday, November 26, 2005

Microsoft Internet Explorer Extremely Critical Vulnerability

Benjamin Tobias Franz has discovered a vulnerability in Internet Explorer, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused by certain objects not being initialized correctly when the "window()" function is called from the "<body>" onload event. This can be exploited to execute arbitrary code in a vulnerable browser via specially crafted JavaScript that runs as soon as a page has loaded.

<body onload="window();">

Successful exploitation requires that the user is e.g. tricked into visiting a malicious website.

The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2, and Internet Explorer 6.0 and Microsoft Windows 2000 SP4.

Note: A PoC exploit has been released for this vulnerability.

Disable Active Scripting except for trusted sites.
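The workaround above is usually applied by hand in the Internet Options dialog. The following PowerShell is an added illustration (not part of the Secunia advisory or this post) of the same change made through the per-user Internet Explorer zone settings in the registry: it shows the current Active Scripting policy per zone, disables it in the Internet and Restricted sites zones while leaving the Trusted sites zone enabled, and adds one site to the Trusted sites list. The domain "intranet.example.com" is a placeholder, and the script assumes no Group Policy (HKLM policy keys) is overriding the user's zone settings.

```powershell
# Added example, not from the original advisory: restrict Active Scripting
# to the Trusted sites zone via IE's per-user zone settings.
# Assumption: no HKLM Group Policy overrides the HKCU values below.

$zones = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$activeScripting = '1400'          # URL action id for "Active scripting"
$Enable = 0; $Prompt = 1; $Disable = 3
$zoneName = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-ActiveScriptingPolicy {
    # Report the current setting for every zone, mapping the raw value to its meaning.
    foreach ($z in 0..4) {
        $v = (Get-ItemProperty -Path "$zones\$z" -Name $activeScripting -ErrorAction SilentlyContinue).$activeScripting
        [pscustomobject]@{
            Zone            = $z
            Name            = $zoneName[$z]
            ActiveScripting = $(switch ($v) { 0 { 'Enable' } 1 { 'Prompt' } 3 { 'Disable' } default { "unset ($v)" } })
        }
    }
}

"Before:"
Get-ActiveScriptingPolicy | Format-Table -AutoSize

# Weak/default state: the Internet zone (3) allows Active Scripting (value 0).
# Hardened state: disable it in Internet (3) and Restricted sites (4),
# keep it enabled only in Trusted sites (2).
Set-ItemProperty -Path "$zones\3" -Name $activeScripting -Value $Disable -Type DWord
Set-ItemProperty -Path "$zones\4" -Name $activeScripting -Value $Disable -Type DWord
Set-ItemProperty -Path "$zones\2" -Name $activeScripting -Value $Enable  -Type DWord

# Put a site into the Trusted sites zone so its scripts still run.
# Layout: ZoneMap\Domains\<domain>\<host label>, value named after the scheme, data = zone number.
# "intranet.example.com" is a placeholder domain.
$domains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$site = "$domains\example.com\intranet"
New-Item -Path $site -Force | Out-Null
New-ItemProperty -Path $site -Name 'https' -Value 2 -PropertyType DWord -Force | Out-Null

"After:"
Get-ActiveScriptingPolicy | Format-Table -AutoSize
```

Only HTTPS is trusted for the placeholder site; use the value name "*" instead of "https" to trust all schemes. Zone numbers also appear in the "Local intranet" zone (1), which is often left enabled on domain-joined machines; a page that can reach that zone still runs script, so check it separately.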

Thursday, November 24, 2005

Remember Mafiaboy?

Remember Mafiaboy? The Canadian teenage hacker who launched the first mainstream DDoS attacks in February 2000, against targets like Yahoo and eBay? The guy who, after CNN ran a story on the attacks, took down CNN.COM? Whose attacks were categorized among the "top 10 hacks of all time" (!)?

Well, turns out he's nowadays a columnist for a newspaper in Montreal. In fact, he's covering some of his old attacks in his articles.

Sunday, November 20, 2005


W32.Sober.X@mm is a mass-mailing worm that uses its own SMTP engine to spread and lowers security settings. It sends itself as an email attachment to addresses gathered from the compromised computer. The email may be in either English or German.
Also Known As: CME-681, WORM_SOBER.AG [Trend Micro], W32/Sober-{X, Z} [Sophos], Win32.Sober.W [Computer Associates], Sober.Y [F-Secure], W32/Sober@MM!M681 [McAfee], W32/Sober.AA@mm [Norman]

Type: Worm
Infection Length: 55,390 bytes

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Sony, DRM, Rootkits, Bugs and You

The Sony DRM case seems to be getting more and more twisted. Our readers might be wondering what the actual risks are at this point and what they should be doing about them. Here's a short recap.

If you have the Sony DRM with the rootkit (aries.sys) still active, you should consider getting the update to remove the rootkit. Do this by using the standalone executable available here. There are already several malware variants that try to hide with the help of the Sony DRM cloaking.

After this you're left with the rest of the Sony DRM software, which might be vulnerable to local privilege escalation attacks reported by ISS X-Force. To remove the DRM software entirely, you will have to wait for Sony to fix their uninstaller and carefully consider using the new version once it's released.

If you have already used the ActiveX uninstaller that was available until Sony stopped distributing it, you are vulnerable to a remote code execution attack. You should remove the vulnerable ActiveX component. If you want, set a kill-bit for it as well (the CLSID is {4EA7C4C5-C5C0-4F5C-A008-8293505F71CC}) just to be sure: a kill-bit stops Internet Explorer from instantiating the control even if the file is still on disk.
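Setting a kill-bit by hand means editing the "ActiveX Compatibility" key. The PowerShell below is an added example, not code from this post or from Sony, that checks whether the control with the CLSID named above is still registered, sets the kill-bit (Compatibility Flags 0x400) without clobbering any other flag bits, and then verifies it. It assumes it is run from an elevated prompt; on 64-bit Windows it also writes the Wow6432Node copy of the key, which governs 32-bit controls.

```powershell
# Added example, not from the original post: set and verify the IE kill-bit
# for the vulnerable Sony ActiveX uninstaller control. Run elevated.
$clsid   = '{4EA7C4C5-C5C0-4F5C-A008-8293505F71CC}'
$KillBit = 0x400   # "Compatibility Flags" bit that stops IE instantiating the control

$paths = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if ([Environment]::Is64BitOperatingSystem) {
    # 32-bit controls on 64-bit Windows are governed by the Wow6432Node view as well.
    $paths += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Test-KillBit([string]$Clsid) {
    # Report, per registry view, whether the kill-bit is currently set.
    foreach ($base in $paths) {
        $flags = (Get-ItemProperty -Path "$base\$Clsid" -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{ Path = $base; KillBitSet = [bool]([int]$flags -band $KillBit) }
    }
}

function Set-KillBit([string]$Clsid) {
    foreach ($base in $paths) {
        $key = "$base\$Clsid"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        # OR the kill-bit into whatever flags are already there rather than overwriting them.
        New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
            -Value ([int]$existing -bor $KillBit) -Force | Out-Null
    }
}

# Is the control still registered? A kill-bit is worth setting either way,
# but a registered InprocServer32 means the DLL has not been removed yet.
$inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
if (Test-Path $inproc) {
    "Control still registered: " + (Get-ItemProperty -Path $inproc).'(default)'
} else {
    "Control not registered (file may still exist; kill-bit still recommended)"
}

Set-KillBit $clsid
Test-KillBit $clsid | Format-Table -AutoSize
```

The kill-bit only affects Internet Explorer's instantiation path; it does not unregister or delete the component, so the removal step above is still required.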

Thursday, November 17, 2005

Timeshare spammer finds himself a new home in jail

Experts at Sophos have welcomed the news that a man known as the "Timeshare spammer" has been sentenced to one year in jail under the United States CAN-SPAM act.

Peter Moshou, 37, has been sentenced to spend 12 months in a federal prison, and will have to pay $120,000 in fines. The man, from Auburndale, Florida, sent millions of unsolicited spam emails advertising brokerage services for people interested in selling their timeshares.

By forging the "from" address in emails he sent, using deceptive subject lines, failing to provide an unsubscribe option, and other offences, Moshou fell foul of the CAN-SPAM act which has also successfully snared other spammers.

"In their search for a quick buck, spammers don't mind making life more miserable for millions of internet users. We applaud the law enforcement authorities for pursuing this case through to its conclusion," said Graham Cluley, senior technology consultant for Sophos. "The 'timeshare spammer' will have plenty of time to reflect on his crimes now he's behind bars."

Wednesday, November 16, 2005

Spammers urge recipients to decrease their organs

SophosLabs™, Sophos's global network of virus and spam analysis centers, has recently spotted spam with a novel take on "bodily organs". Rather than offering to increase the size of one or more parts of your body, they are now offering to buy bits of it off you.

A typical example follows:

Subject: Sell your organs online!
Message body: Please reply to this email if you want to make some cash selling your organs!

"In this case computer users should have little difficulty in following the adage of 'don't try, don't buy, don't reply'," says Paul Ducklin, Sophos's Head of Technology, Asia Pacific. "This sort of spam should focus the mind on how the spam economy works. A handful of responses - one or two, even - would represent success to the spammers, because their operating costs are borne by you and me. So give them the cold shoulder, if you will pardon the pun."

Tuesday, November 15, 2005

CAPTCHA spam / phish incident

We have received reports from a lot of different places that they have received apparent phishing messages, including a couple of Finnish banking sites who have also published phishing alerts.

It appears, though, that these phishing messages are always targeted to the domain of the recipient. In other words, if your address is at a given domain, you receive a message which looks like it comes from that same domain, with a subject line containing "ID:", urging you to click on a link in order to verify your account details (if you can make this out from the message at all; the samples we have received are so obfuscated as to be nearly unintelligible).

So if you work at a bank, the message would appear to be from your bank, but recipients in other organizations would see a message similarly pretending to be from their own organization. But it's understandable, and prudent of the banks, that they issue alerts.

Example CAPTCHA image

As with most phishing messages, these contain a masqueraded link which looks legitimate, but in fact takes you to another site. If you click on the link in one of these phishing messages, you are redirected to a site which opens up the "real" target site in the main window, but in front of this, it throws up a popup with a CAPTCHA — a distorted image which contains text which you are asked to type into a box. A lot of webmail sites use these to prevent automated systems from registering a large number of free accounts; they hope that deciphering the text in the distorted images will be relatively easy for a human, but hard for a computer.

In this case, it seems that the phisher is merely trying to get unwitting victims to help him crack the CAPTCHAs, apparently in order to register "throwaway" accounts with a particular Russian webmail provider, probably to be used for spamming. Or rather, was trying, because the sites which hosted the popup pages appear to be gone now.

Six years jail for "Weaselboy" scammer who defrauded hundreds

23-year-old Francis-Macrae, who went by the online moniker of "Weaselboy", is said to have earned more than £100,000 a week by selling bogus .eu internet domain names from his father's house in St Neots, Cambridgeshire.

Businesses who complained about being sold the domain names were mail-bombed with millions of junk emails, and investigating police officers were told that their headquarters would be petrol-bombed.

Francis-Macrae was found guilty at Peterborough Crown Court of fraudulent trading, concealing criminal property, threatening to destroy or damage property, blackmail, and making death threats. Investigators claim that he has refused to divulge where he has hidden more than £1.1 million.

Francis-Macrae sent unsolicited emails to thousands of people offering to pre-register .eu domain names before they were released by the regulatory body. He spent his fortune on designer clothes and helicopter lessons.

"Peter Francis-Macrae's stiff sentence sends out a clear message to others who may be tempted to engage in internet crime. The details of how he threatened those who got in the way of his crime spree make harrowing reading," said Carole Theriault, senior security consultant for Sophos. "We hope other young people will think twice before making the mistakes this man made, and not be tempted by a life of cybercrime. The public can consider themselves safer now Francis-Macrae is behind bars."

"You deceived hundreds of people of countless thousands of pounds of their money. When investigated, following the countless complaints of your misdeeds, you resorted to threats to kill and a threat to set fire to property, and ultimately blackmail," said Judge Nicholas Coleman. "Whoever stood in the way of your criminality became subject to abuse and threats. You are, I think, one of the most vindictive young men I have ever seen."

Detective Constable Jody Faro told reporters after the hearing that police had dealt with more than 2000 complaints around the globe about Francis-Macrae's business dealings.