Monthly Archives: August 2010

A New Chapter in Malware Affecting Windows Computers

First, two definitions:

Rootkit: A computer program or series of programs designed to infect a computer and hide itself from view, making it very hard to uncover without special tools. It can also hide the presence of other malicious software in the system.

32-bit vs. 64-bit operating systems: These two terms refer to how the computer processor handles information. They have distinctly different architectures. 64-bit operating systems are also known for their enhanced security features.

Now that we have those out of the way, to the point: Up until a few days ago, the 64-bit operating system was thought to be immune to rootkit infections. A famous rootkit, notorious for its advanced techniques and stealth features, has been on the loose for some time now, infecting 32-bit operating systems like there’s no tomorrow. Well, a few days ago, for the first time, it was observed infecting 64-bit operating systems, shattering the idea that rootkits could not infect such systems. Its name is TDL3, AKA Alureon, AKA TDSS.

So much for 64-bit immunity. A new chapter has begun.

Newest Vulnerability in Windows Computers, an Emerging New Class

If the expression “opening a can of worms” means anything to you, you’ll start to get the idea of what’s happening with this subject. Or maybe Pandora’s box is a better metaphor. At any rate, it seems that one disclosed vulnerability led to another, and another. As predicted in a recent article, these are now surfacing. And one of the immediate problems is that it has to do not only with the Windows operating system per se, but with programs used in Windows. Many of them. Details on this new class are still sketchy, since the idea is to get patches developed before revealing too much about the vulnerability.

About a week ago a Slovenia-based security company called Acros published an advisory regarding a vulnerability related to iTunes that would allow a remote attacker to take control of the attacked computer. Acros has reportedly been analyzing this type of vulnerability since late 2008. A tool was developed to spot this vulnerability in many Windows-based programs – over 200 programs were tested, and surprisingly, about 90% were found potentially vulnerable to the exploit. This testing had gone unpublished until a few days ago.

Hours after Acros published the above-mentioned advisory, HD Moore, the Chief Security Officer of Rapid7, a US-based security company, published the fact that he had discovered about 40 Windows-based programs to be vulnerable to this new exploit. Then Acros decided to let the big cat out of the bag, and the next day they expanded the list of 40 to over 200. And then over this past weekend, academic researcher Taeho Kwon, a Ph.D. candidate in computer science at the University of California Davis, also joined the party with the research paper he and Zhendong Su had published earlier this year on the subject. Then just yesterday Microsoft published a security advisory on the subject. That’s the time track so far when it comes to this new vulnerability class.

What to do

Patching this vulnerability is a bit of a catch-22 because the nature and reach of this vulnerability are so wide that if Microsoft were to issue a single patch to handle it, it would break scores of legitimate applications. Plus, the vulnerability lies mainly in the lax way the programs have been coded, so the programs’ creators are the ones who need to issue individual patches. For these reasons, mitigating actions are all that can be done for now. One of the mitigating actions that can be taken is stopping and disabling the service that allows for remote (over the internet) exploitation of this vulnerability (the WebClient service). Disabling this service will have no impact on most users’ machines as far as functionality is concerned.

To stop and disable the webclient service:

1a. For Windows XP users, click on Start, All Programs, Run, type “cmd” (without quotation marks) and press Enter.

1b. For Vista and 7 users, click on Start, type “cmd” in the search box, go to the top of the list, right-click on cmd.exe and select Run as Administrator. Click on Continue if prompted.

2. Now let’s type a couple of commands in the black box that showed up.

First let’s stop the service. Type (or copy and paste):

SC stop webclient

And press enter.

Now let’s disable it so the service doesn’t restart automatically next time you reboot your computer. Type (or copy and paste):

SC config webclient start= disabled

And press enter.

(Notice the space after the equal sign in the above command. That’s mandatory.)

Now you can close the command prompt window where you typed all the above.

A well-configured firewall will also help mitigate the effects of this problem. Incoming and outgoing ports 139 and 445 need to be blocked. (Port: in computer networking, specific channels are used to send and receive data. These are called ports and are numbered from 1 to 65536.) Be aware that some functions, like network file sharing and printing over a network, might be affected by blocking these ports. If you block these ports and afterwards notice a loss of network connectivity, revert the changes.
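For readers who prefer a script over typing the commands one by one, here is an added example (not part of the original article) that performs the WebClient stop-and-disable steps above, verifies the result, and optionally adds the port 139/445 firewall rules. It assumes Windows Vista or 7 with PowerShell 2.0, run from an elevated prompt; the Get-ServiceInfo helper and the -BlockSmbPorts switch are this example’s own names.

```powershell
# Added example: automate the WebClient mitigation and verify it.
# Assumes Vista/7, PowerShell 2.0, elevated prompt. -BlockSmbPorts is an
# example-defined switch that adds the 139/445 rules via netsh advfirewall.
param([switch]$BlockSmbPorts)

$name = 'WebClient'

# Win32_Service exposes both the run state and the start mode, which the
# PowerShell 2.0 Get-Service cmdlet does not report.
function Get-ServiceInfo($svcName) {
    Get-WmiObject Win32_Service -Filter "Name='$svcName'"
}

$before = Get-ServiceInfo $name
if (-not $before) { throw "Service $name not found on this system." }
Write-Host ("Before: State={0} StartMode={1}" -f $before.State, $before.StartMode)

# Same effect as 'sc stop webclient' and 'sc config webclient start= disabled'
if ($before.State -ne 'Stopped') { Stop-Service -Name $name -Force }
Set-Service -Name $name -StartupType Disabled

# Verify: anything other than Stopped/Disabled means the change did not take
# (most often because the prompt was not elevated).
$after = Get-ServiceInfo $name
Write-Host ("After:  State={0} StartMode={1}" -f $after.State, $after.StartMode)
if ($after.State -ne 'Stopped' -or $after.StartMode -ne 'Disabled') {
    Write-Warning "WebClient is not fully disabled; re-run from an elevated prompt."
}

if ($BlockSmbPorts) {
    # Block NetBIOS session (139) and SMB (445) in both directions, as the
    # article recommends. Inbound rules match the local port; outbound rules
    # must match the remote port, since the local port is ephemeral.
    # To undo: netsh advfirewall firewall delete rule name=BlockSMB139-445-in
    netsh advfirewall firewall add rule name=BlockSMB139-445-in `
        dir=in action=block protocol=TCP localport=139,445
    netsh advfirewall firewall add rule name=BlockSMB139-445-out `
        dir=out action=block protocol=TCP remoteport=139,445
}
```

If network file sharing or printing stops working after running it with -BlockSmbPorts, delete the two rules with the netsh command shown in the comment and the service change can be reverted with SC config webclient start= demand.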

Another action that can be taken is to close the door on unauthorized program execution, with programs like AppGuard by Blue Ridge Networks. This has been covered before in other computer security articles.

If you have any questions on how to do any of the above, I’ll be happy to answer them.

Adobe Confirms New PDF Vulnerability, Patch to be Issued Shortly

In what seems to be yet one more vulnerability found in a string of recent ones, Adobe said a few days ago it would issue an emergency patch the week of Aug. 16 to fix a critical flaw in its Reader and Acrobat software.
The bug was disclosed at last month’s Black Hat USA 2010 security conference (Black Hat: a series of highly technical security briefings held annually). Shortly after, Adobe announced it would release a rush security update during the week of Aug. 16-20. Adobe issues its quarterly security updates for Reader and Acrobat on Tuesdays, and has shipped emergency fixes on that same day of the week. If the company continues the practice, it would most likely deliver the out-of-band patch later today, Aug. 17.

Adobe hinted that the out-of-band update will include fixes for vulnerabilities other than the one recently uncovered. The company also said it would still ship its next regularly-scheduled quarterly update on Oct. 12.

Affected software versions

Adobe Reader 9.3.3 and earlier versions for Windows, Macintosh, and UNIX
Adobe Acrobat 9.3.3 and earlier versions for Windows and Macintosh

The vulnerability has been classified as critical. As usual, make sure you update your Adobe Acrobat and Reader version as soon as possible, if not earlier 🙂

More Vulnerabilities in Windows Computers

Last week’s article was about a vulnerability affecting Windows computers running on Windows XP, Vista, and yes, 7 as well. That was, however, the tip of the iceberg of a broader and more general flaw in Windows that predicts more zero-day exploits will be coming from that direction in the near future. The specifics on this are a little over the level of the average user, so I will try to break it down to its simplest possible form while recommending remedies.

First, a definition. The vulnerabilities referred to above are related to Windows PowerShell. Windows WHAT? PowerShell. Shell: The simplest way to communicate this is the command prompt window you might have seen sometimes. You can invoke it by going to Start, Run, typing “cmd” and pressing Enter. You’ll see a black window with a prompt, probably something like c:\windows\system32>_ or perhaps c:\users\username>_ . That would be an example of a shell. If you know how to, you can enter commands the computer will understand and execute, provided you use the correct syntax.

Ok, so PowerShell has been around since 2006. More about why it is called POWERshell below. But the important thing is, the second release of it (version 2.0) was released in Aug 2009. And THAT is the version currently being exploited in the wild.

One thing you need to be aware of: PowerShell is, as its name indicates, very powerful. For that reason many security measures were put in place to limit its improper use. Unfortunately, those measures fell short, and now we are starting to experience the consequences.

What to do? The passive way to go about this is to wait for Windows to release patches as the specific vulnerabilities involving PowerShell are discovered. For the more proactive users, there’s a remedy that resolves the issue even before resorting to patches. In an article written about a year ago on what the best security model for a Windows computer is, I mentioned a specific program designed to prevent unauthorized execution of programs. That model is still valid and the program is AppGuard by Blue Ridge Networks. Computers protected by AppGuard are immune to the particular family of zero-day exploits covered here, and more. No other product that I’m aware of provides such protection. To understand fully why, you’ll have to read that article.

Recently Found Vulnerability in Most Versions of Windows, and What to Do

From time to time vulnerabilities are found in Windows systems, and they are patched via Windows Update. This recent one deserves special attention because it is classified as critical for Windows XP, Vista and 7. The vulnerability allows for remote code execution (meaning a remote attacker could take control of your computer) and is related to the displaying of a specially crafted shortcut icon.

If your system does not have Windows Update configured to automatically download and install updates, your computer might be at risk. If you want to browse through the available updates and install only the one related to this vulnerability, the keyword to look for is “KB2286198”. (Remember: if you have Windows XP, it must have at least Service Pack 3 installed, and if you have Windows Vista, at least Service Pack 1.)
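To check whether the update is already on a machine without browsing Windows Update by hand, here is an added example (not part of the original article) that confirms the service pack prerequisites listed above and then looks for KB2286198. It assumes PowerShell 2.0 on Windows XP, Vista or 7; the service pack minimums are taken from the article, and Windows 7 is assumed to have no service pack requirement.

```powershell
# Added example: verify the service pack prerequisite and the KB2286198 update.
# Assumes PowerShell 2.0 on Windows XP / Vista / 7.
$os = Get-WmiObject Win32_OperatingSystem
$sp = $os.ServicePackMajorVersion
Write-Host ("OS: {0} (Service Pack {1})" -f $os.Caption, $sp)

# Minimum service pack per the article: XP needs SP3, Vista needs SP1.
# Windows 7 (assumption) has no service pack requirement for this update.
$minSp = 0
if ($os.Caption -match 'XP') { $minSp = 3 }
elseif ($os.Caption -match 'Vista') { $minSp = 1 }

if ($sp -lt $minSp) {
    Write-Warning "Service Pack $minSp is required before KB2286198 can be installed."
}

# Get-HotFix reads the installed-update list (Win32_QuickFixEngineering);
# an ID that is not installed produces a non-terminating error, so silence it
# and test the result instead.
$fix = Get-HotFix -Id KB2286198 -ErrorAction SilentlyContinue
if ($fix) {
    Write-Host ("KB2286198 is installed (installed on {0})." -f $fix.InstalledOn)
} else {
    Write-Warning "KB2286198 is NOT installed; run Windows Update or install it manually."
}
```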

Contact me if you need help dealing with this.