Saturday, April 26, 2008

Managed Security Services: the home-users edition


If you think about today's security problems, they fall into two groups: corporate security problems and home-user security problems. Most security vendors focus on the first, simply because that is where the cash is. But who will help the clueless end user who just got a new laptop or desktop and knows nothing about Internet security? OK, you may tell me that OEM-shipped computers come with an antivirus already installed. Stop! Norton Antivirus has to be activated before it starts working, and evaluation versions run for one or two months. Then what? It stops updating definitions, or stops working altogether. This is where the problem starts: end users have to be managed somehow, by someone. The nearest candidate is their lovely ISP. ISPs can play an effective role here, because the user already connects through their proxy servers, DNS servers, web-filtering servers, etc. What if we add one more server to this mix: an antivirus server? Let their marketing departments launch new campaigns (e.g. "AV for everyone"), make more money, and build a community of secure Internet users at the same time.


Technically, it is nothing more than installing a corporate-edition antivirus (client/server) and deploying the agents to the paying customers who prefer to leave antivirus management to the ISP's technical support. What are the advantages of such a service? It would fix many issues: commercial AV licensing; insecure default AV installations; corrupted AV files that may stay forever showing bogus notifications; and definition updates served from an ISP-hosted server, which defeats a locally poisoned record for the AV vendor's update domain (e.g. Update.symantec.com ---> 127.0.0.1) that otherwise makes virus definition updates impossible.
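The "locally poisoned domain record" above is something an ISP help desk (or the user) can check for directly. The script below is an added example, not code from the original post: it assumes the poisoning lives in the machine's hosts file (the post does not say where), and the watched hostnames are an illustrative list built from the post's own Update.symantec.com plus a placeholder, updates.example-av.net, that stands in for whatever your vendor uses. A legitimate local mirror (say an ISP-hosted update server at a routable address) is deliberately not flagged; only loopback, unspecified or link-local addresses are.

```python
"""Detect hosts-file entries that pin antivirus update domains to a dead address.

Added example (not from the original post). Assumptions: the poisoned record
is in the hosts file, and AV_UPDATE_HOSTS is an illustrative watch list.
"""
import ipaddress
import re
import sys

# Watch list. Assumption: update.symantec.com is taken from the post;
# updates.example-av.net is a placeholder for your own vendor's update host.
AV_UPDATE_HOSTS = {
    "update.symantec.com",
    "updates.example-av.net",
}


def _is_sinkhole(addr: str) -> bool:
    """True for addresses that can never deliver an update: loopback (127.0.0.1, ::1),
    unspecified (0.0.0.0) or link-local. Anything unparsable is treated as not a sinkhole."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified or ip.is_link_local


def find_poisoned_entries(hosts_text: str, watch=AV_UPDATE_HOSTS):
    """Return (line_no, address, hostname) for every watched hostname that the
    hosts file maps to a sinkhole address. Comments and blank lines are skipped;
    hostnames are compared case-insensitively, as the resolver does."""
    hits = []
    watch_lc = {h.lower() for h in watch}
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop trailing/whole-line comments
        if not line:
            continue
        fields = re.split(r"\s+", line)
        addr, names = fields[0], fields[1:]
        for name in names:
            if name.lower() in watch_lc and _is_sinkhole(addr):
                hits.append((line_no, addr, name.lower()))
    return hits


# Constructed sample hosts file: one benign line, two poisoned entries, one unrelated host.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
# added by malware:
127.0.0.1       Update.symantec.com
0.0.0.0         updates.example-av.net   # pinned to the unspecified address
93.184.216.34   www.example.com
"""

if __name__ == "__main__":
    # Usage: python check_hosts.py [path-to-hosts-file]; without a path the sample is used.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_HOSTS
    for line_no, addr, name in find_poisoned_entries(text):
        print(f"line {line_no}: {name} -> {addr} (AV updates blocked)")
```

On Windows the file to pass is `%SystemRoot%\System32\drivers\etc\hosts`; on Unix-like systems `/etc/hosts`. The same check applies to an ISP-hosted update server: if the client is pointed at a routable mirror, nothing is reported, which is exactly the behaviour the post argues for.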

I hope that ISPs start taking some responsibility and stand beside their users; that would make them better than the others.


If you have any comment, share it with us here …

Thursday, April 24, 2008

U.N site took the injection







The U.N. site is another victim of SQL injection attacks: when a user browses the site's events page, he is redirected to (www.nihaorr1.com/[removed]). The "1.js" script redirects the user to another page, "1.htm", which, once loaded, tries to exploit the following vulnerabilities:



Vulnerability in Kodak Image Viewer Could Allow Remote Code Execution (Critical)

http://www.microsoft.com/technet/security/Bulletin/MS07-055.mspx

Cumulative Security Update for Internet Explorer (Critical)

http://www.microsoft.com/technet/security/Bulletin/MS07-033.mspx

Vulnerabilities in Microsoft Content Management Server Could Allow Remote Code Execution

http://www.microsoft.com/technet/security/Bulletin/MS07-018.mspx

Vulnerability in Vector Markup Language Could Allow Remote Code Execution

http://www.microsoft.com/technet/security/Bulletin/MS07-004.mspx

Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution

http://www.microsoft.com/technet/security/Bulletin/MS06-014.mspx

The Baofeng Storm MPS.StormPlayer.1 ActiveX control heap-based buffer overflow

http://xforce.iss.net/xforce/xfdb/36543

GLChat Stack-based buffer overflow

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5722

Baidu Bar ActiveX Control Remote Command Execution

http://www.frsirt.com/english/advisories/2007/2699

Real Player RAM Download Handler ActiveX Control

http://www.frsirt.com/english/advisories/2005/0368/references

http://www.snort.org/pub-bin/sigs.cgi?sid=8383

http://www.snort.org/pub-bin/sigs.cgi?sid=8384


Finally, it redirects the user to two more pages that serve malware: (gg.haoliuliang.net/one/hao8.htm?036) and (gg.haoliuliang.net/wmwm/new.htm).

Mitigation checklist for system administrators:

  1. Make sure all Windows machines are up to date; use WSUS to distribute patches and critical updates. Use Microsoft Baseline Security Analyzer (MBSA) to scan for missing patches and vulnerable security settings.
  2. Make sure all installed applications are up to date; you can use Secunia Network Software Inspector to check for vulnerable software.
  3. Secure the ActiveX settings of Internet Explorer (see IE ActiveX security 101). Also check the "ActiveX Killbit App" from Tom Liston of Intelguardians.
  4. Block all HTTP requests to http://www.nihaorr1.com/blah.js [replace blah.js with 1.js], and to the two gg.haoliuliang.net pages listed above.
  5. Make sure your antivirus vendor has signatures for W32/PWStealer1!Generic; PWS:Win32/Lineage.WI.dr; Trojan-PSW.Win32.OnLineGames.ppu; Trojan.PSW.Win32.OnlineGames.GEN.
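The checklist above protects the browsing user; the site owner's first question is whether their own pages carry the injected script tag at all. The script below is an added example, not code from the original post or from the U.N. site. The post does not show the injection payload, so it assumes the injection lands as a `<script src="http://www.nihaorr1.com/1.js">` reference inside text columns of the site's database (the URL is the one named in item 4), and the sample table and rows are constructed. The host list also carries gg.haoliuliang.net, the second-stage host named above, so the same scan covers both.

```python
"""Hunt for injected <script src="..."> tags that point at the hosts named in this post.

Added example, not part of the original post. Assumptions: the injected tag sits
in TEXT columns of the site's own database, and MALICIOUS_HOSTS holds the two hosts
the post names. The sample database below is constructed.
"""
import re
import sqlite3

# Hosts named in the post: first-stage script host and second-stage malware pages.
MALICIOUS_HOSTS = {"www.nihaorr1.com", "gg.haoliuliang.net"}

# External script reference: <script ... src=http://host/path ...>, quoted or not,
# with an optional scheme so protocol-relative "//host/path" is caught too.
SCRIPT_SRC = re.compile(
    r"<script\b[^>]*\bsrc\s*=\s*['\"]?\s*(?:https?:)?//([^/'\"\s>]+)([^'\"\s>]*)",
    re.IGNORECASE,
)


def find_injected_scripts(text: str, hosts=MALICIOUS_HOSTS):
    """Return (host, path) for every script tag in `text` whose src points at a watched host."""
    found = []
    for m in SCRIPT_SRC.finditer(text or ""):
        host = m.group(1).lower()
        if host in hosts:
            found.append((host, m.group(2)))
    return found


def _q(identifier: str) -> str:
    """Quote an SQL identifier taken from the catalogue so odd names cannot break the query."""
    return '"' + identifier.replace('"', '""') + '"'


def scan_sqlite(conn: sqlite3.Connection, hosts=MALICIOUS_HOSTS):
    """Walk every column of every user table and report (table, column, rowid, url)
    for each string value carrying an injected tag. Non-string values are skipped."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        cols = [r[1] for r in conn.execute(f"PRAGMA table_info({_q(table)})")]
        for col in cols:
            for rowid, value in conn.execute(f"SELECT rowid, {_q(col)} FROM {_q(table)}"):
                if isinstance(value, str):
                    for host, path in find_injected_scripts(value, hosts):
                        hits.append((table, col, rowid, host + path))
    return hits


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data: an events table in which one row was hit by the injection."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO events (title, body) VALUES (?, ?)", [
        ("Clean event", "<p>Regular text</p>"),
        ("Hit event", "<p>Agenda</p><script src=http://www.nihaorr1.com/1.js></script>"),
        ("Own script", '<script src="/static/app.js"></script>'),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    # Point sqlite3.connect at a real file to scan a live copy; the sample runs offline.
    for table, col, rowid, url in scan_sqlite(build_sample_db()):
        print(f"{table}.{col} rowid={rowid}: injected script {url}")
```

Run it against a copy of the production database rather than the live one, and treat every hit as evidence of the injection vector still being open: removing the tag without fixing the vulnerable query only buys time until the next sweep.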