Wednesday, June 07, 2006

Multiple Browser Vulnerability

FrSIRT has reported a vulnerability in the most widely used browsers, which could be exploited by remote attackers to gain unauthorized access to arbitrary files.

The flaw stems from a design error that allows keystroke events to be cancelled through JavaScript code, which could be exploited by remote attackers to make users upload arbitrary files inadvertently from a vulnerable system to a malicious host.

To do this, it is necessary to trick target users into visiting a maliciously crafted web page and carry out certain actions (like typing a text in a text field), which will cause an arbitrary file to be uploaded automatically.

Rather unusually, this flaw does not affect a single browser, but several: Mozilla Firefox and prior versions, Mozilla SeaMonkey 1.0.2 and prior versions, Netscape 8.1 and prior versions, Mozilla Suite 1.7.13 and prior versions, and Internet Explorer 6 and 5.01.

Also, a demo exploit has been published as proof of concept for this flaw.

Sunday, June 04, 2006

Current Virus Threats

Trojans Briz.I and Mitglieder.IZ, worms Bagle.JG and BlackAngel.A and the spyware DigiKeyGen are the subject of this week's report.

Briz.I is a Trojan used in a criminal scam to steal confidential data, such as banking data or passwords. It needs user intervention to spread, such as opening email attachments or downloading files from the Internet or P2P networks.

It has also been found in certain web pages, mainly with illegal or pornographic contents, which redirect targeted users to another page that downloads the malicious file automatically through exploits.

Once on the system, Briz.I takes the name "iexplore.exe", trying to pass itself off as the Internet Explorer process.

Then, it disables the Windows security services (firewall) and modifies the "hosts" file in order to prevent access to websites of antivirus companies.

It finally downloads another component onto the affected computer and deletes itself. This component sends the attacker information from the target system, including IP address and country of origin.

It also installs a plug-in to capture data entered by the user in Internet Explorer forms, like passwords or banking data.

Briz.I also allows the infected computer to be used as a gateway to access other websites, masking the attacker, and grants access to files in the affected system.

Mitglieder.IZ is a Trojan dropped into systems by the worm Bagle.JG, which attempts to download other files, probably worm updates, to the target system. To do this, it connects to several websites in order to search for eDonkey network servers, and copy itself to the network.

Also, Mitglieder.IZ attempts to download other files that try to pass themselves off as JPG or PHP files, but are actually updates of Bagle.JG.

The Trojan copies itself to the affected system under the name Mdelk.exe and creates a Registry key (Hkey_Current_User\Software\Microsoft\Windows\CurrentVersion\Run) pointing to mdelk.exe, in order to ensure it is run on every system startup.

Bagle.JG is a worm that drops the Trojan detected as Mitglieder.IZ onto systems. It also tries to reduce the security of the infected computer by finishing services related to security tools, including antiviruses and firewalls.

Bagle.JG spreads through the P2P eDonkey program, by copying itself under P2P file and server names obtained by Mitglieder.IZ, so that users download it thinking it is a useful file.

It inserts an entry in the Windows Registry to ensure it is run on every system startup, and another one in Hkey_Current_User\ Software\FirstrRun to mark the computer to know if it is has been infected or not.

BlackAngel.A is worm that tries to end processes associated to security tools, such as antivirus programs or firewalls. Also, it prevents certain Windows tools from running on infected computers, like the Registry editor and the Task Manager.

It spreads through MSN Messenger, by passing itself off as a Windows Media Player file with a double extension, which, once run, displays an error message on the screen and sends a copy of the worm to all of the user's currently active contacts.

The worm's most destructive action consists of deleting a series of critical Windows Registry entries, which prevents the operating system from being booted.

DigiKeyGen is an adware hosted on several web pages that lures users by offering them passwords for free access to pornographic contents.

Once run, it drops a code called SpywareQuake onto the system, together with an anti-spyware application with the same name.

The anti-spyware then blackmails users by informing them that their computer is infected, and telling them that the only way to clean their computer is to buy the program license.

DigiKeyGen can be downloaded from several web sites with adult contents, as well as from the program's official web page.

Finally, the adware creates a file called eregperf.exe in the affected computer's Windows folder, together with a file that counts the times that the program has been run.

It also enters a key in the Hkey_Local_Machine\Software\Microsoft\Windows\Currentversion\ Policies\Explorer\ Run Registry entry to make manual disinfection more difficult.