
Koobface is a computer worm that targets users of social networking sites. Its purpose is to gather login information. This IBM X-Force Threat Insight Quarterly was released in February 2011.


February 2011, IBM Security Solutions

IBM X-Force Threat Insight Quarterly


2 X-Force Threat Insight Quarterly IBM Security Solutions

Contents

2 About the Report

3 Koobface: The New Face In Cross Platform Malware

6 Mobile Attacks

10 Prolific and Impacting Issues of Q4 2010

20 References

About the report

The IBM X-Force® Threat Insight Quarterly is designed to highlight some of the most significant threats and challenges facing security professionals today. This report is a product of IBM Managed Security Services and the IBM X-Force research and development team. Each issue focuses on specific challenges and provides a recap of the most significant recent online threats.

IBM Managed Security Services are designed to help an organization improve its information security by outsourcing security operations or supplementing its existing security teams. The IBM protection on-demand platform helps deliver Managed Security Services and the expertise, knowledge and infrastructure an organization needs to secure its information assets from Internet attacks.

The X-Force team provides the foundation for a preemptive approach to Internet security. The X-Force team is one of the best-known commercial security research groups in the world. This group of security experts researches and evaluates vulnerabilities and security issues, develops assessment and countermeasure technology for IBM security products, and educates the public about emerging Internet threats.

We welcome your feedback. Questions or comments regarding the content of this report should be addressed to [email protected].


Koobface: The New Face In Cross Platform Malware

By John Kuhn

Introduction and Background

Once upon a time, in the not so distant past, corporate networks didn’t have much diversity in the way of operating systems. Microsoft® Windows® dominated not only workstations but servers as well, and for good reason: it was really the only workstation operating system ready for consumers. This netted Microsoft the largest market share, and subsequently all the software vendors catered to it. As shown in the chart below, Windows XP, followed by Windows 7, still has the bulk of the market. However, various versions of Mac OS X are starting to get a bigger foothold.

Linux® started to unseat the software giant with its low cost, its flexibility, and its grassroots support among UNIX® admins. Even though Linux distributions were targeting the desktop and server market, Linux really only gained market share on servers. Google.com, for instance, uses upwards of 15,000 Linux based servers to index the Internet and provide services. The Linux desktop remained marginally used, mainly by IT admins, kiosks, and embedded systems. Mac-based systems 5 to 10 years ago were rarely seen in a corporate network outside of design firms and schools. This is the very reason that 95% of malware is Windows based, utilizing Windows-only exploits and installing only on Windows based systems. Criminals spent their efforts targeting the largest part of the market share to net the biggest infection rates.

Figure 1: Operating System Market Share (January 2011)1

Windows: 89.70%

Mac: 5.25%

iOS: 2.05%

Linux: 0.95%

Java ME: 0.49%

Android: 0.49%

Other: 0.81%

1 http://www.netmarketshare.com/operating-system-market-share.aspx?qprid=8


Koobface

Today we see far more diversity in our networks, and not just from the computers and servers. With the advent of the smartphone came devices like the iPhone, iPad, Blackberry and Android based systems, all using various architectures and operating systems. This opened some doors for the computer industry, as we see far more Mac-based systems utilized every day in the corporate space. Every time I visit customers I can expect to see at least a few Mac-based systems in use at the enterprise level. This not only presents an opportunity for computer manufacturers, it presents an opportunity to criminals as well.

Criminals are looking to target all platforms. However, they suffer from many of the typical woes a software manufacturer faces, such as maintaining all the different versions while keeping cost and man hours down. The criminals are in it to make money; they can’t have production costs eating into their profit margins. They also work in small groups, with just one to five “good” developers doing most of the leg work. What was their solution to the problem? Java™: its cross-platform base allows them to write a single code base that can infect any operating system that supports it. This includes Linux, Windows, UNIX, BSD and OS X, all now ripe for the picking. Utilizing Java does have some caveats. It requires the Java Runtime Environment to be installed in order to run. Previously this was not a problem, because many operating systems came with it installed by default; today, however, many manufacturers are choosing to leave it out. Installing it is as simple as downloading and running an installer, but this is yet another step the end user needs to take in order for the malware to run. Java also has some security features, such as digital certificates, as you’ll see later in the article. Despite the shortcomings of their chosen solution, it’s still the primary method used to infect systems.

In this article I’m going to investigate one of the big cross-platform malware players today. Koobface is a computer worm that targets users of social networking websites such as Facebook (its name is an anagram of “Facebook”), MySpace, hi5, Bebo, Friendster and Twitter. Koobface was originally designed to infect Microsoft Windows; however, newer variants now work on Mac OS X and Linux (in a limited fashion).

Upon successful infection, Koobface attempts to gather login information for FTP sites, Facebook, and other social media platforms, but not sensitive financial data. It uses this information to compromise your account and post messages to your unsuspecting friends. Upon clicking on dubious links in these messages, the victims are redirected to a fake YouTube site prompting them to download an updated Flash player. The executable, however, is Koobface, and once it is installed the victim is part of the Koobface botnet and their accounts are used to compromise more victims. This is how the social networking based worm spreads, and it’s a very effective means of netting a massive botnet. Researchers have estimated that Koobface has made over 2 million dollars in profit, and with its new cross-platform methods I estimate that number will grow even higher.

So let’s take a look at what the Mac OS X version of Koobface does. Once a user visits the malicious site containing Koobface they are presented with a Java applet. Mac OS X warns the user of the activity and also alerts that the digital signature could not be verified.


Figure 2: Java Warning

Clicking the “Show Details” button displays information about the certificate clearly showing that the certificate is not to be trusted.

Figure 3: Unsigned Certificate

Stern warnings are presented to the end user; however, this isn’t enough to keep all users from clicking on the “Allow” button. Once a user authorizes execution of the applet, it downloads the needed software into a hidden .jnana folder in their home folder. These files include a web server, IRC server, DNS Changer, and all the core functions of the Windows-only version. This scenario is virtually identical to infections on Linux based systems, demonstrating how one code base can be used on many operating systems.
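As an added example, not part of the report and not IBM or X-Force tooling, the following Python script turns the one host indicator the article gives, the hidden .jnana directory under the victim’s home folder, into a check that can be run across the home directories of a Mac OS X or Linux machine. The sample home layout and the file names it creates are constructed for the demonstration, and the /Users and /home roots are an assumption about standard layouts. Absence of the directory does not prove a host clean, since later variants may drop their files elsewhere.

```python
"""Host check for the hidden .jnana directory used by the Mac OS X / Linux
Koobface variant described in the article.

Added example, not IBM's or X-Force's tooling. The only indicator it relies
on is the one the article gives: a hidden .jnana folder under the victim's
home directory. The sample layout built by build_demo() is constructed for
illustration, including its file names.
"""
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import Iterable, List, Optional

MARKER_DIR = ".jnana"  # directory name given in the article


@dataclass
class Finding:
    home: Path
    marker: Path
    entries: List[str] = field(default_factory=list)


def scan_home(home: Path) -> Optional[Finding]:
    """Return a Finding if <home>/.jnana exists, otherwise None.

    A directory is listed so the analyst can see what was dropped; a plain
    file of that name is still reported, since it is not expected either.
    """
    marker = home / MARKER_DIR
    if not marker.exists():
        return None
    entries = sorted(p.name for p in marker.iterdir()) if marker.is_dir() else []
    return Finding(home=home, marker=marker, entries=entries)


def scan_homes(homes: Iterable[Path]) -> List[Finding]:
    """Scan every home directory given and collect the hits."""
    return [f for f in (scan_home(Path(h)) for h in homes) if f is not None]


def default_home_roots() -> List[Path]:
    """Home directories on a typical macOS (/Users) or Linux (/home) host.

    Assumption: standard layouts; adjust for sites that keep homes elsewhere.
    """
    roots: List[Path] = []
    for base in ("/Users", "/home"):
        b = Path(base)
        if b.is_dir():
            roots.extend(p for p in b.iterdir() if p.is_dir())
    return roots


def build_demo(root: Path) -> List[Path]:
    """Constructed sample: one clean home and one with the marker directory.

    The file names mirror the components the article lists (web server, IRC
    server, DNS changer) but are invented here; real samples will differ.
    """
    clean = root / "alice"
    clean.mkdir(parents=True, exist_ok=True)
    infected = root / "bob"
    (infected / MARKER_DIR).mkdir(parents=True, exist_ok=True)
    for name in ("webserver.jar", "ircd.jar", "dnschanger.jar"):  # constructed
        (infected / MARKER_DIR / name).write_bytes(b"")
    return [clean, infected]


def report(findings: List[Finding]) -> List[str]:
    """One line per hit, suitable for a log entry or a ticket."""
    return [
        f"{f.home}: found {f.marker} with {len(f.entries)} entries: {', '.join(f.entries)}"
        for f in findings
    ]


def demo() -> List[Finding]:
    """Build the constructed sample in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_homes(build_demo(Path(tmp)))


if __name__ == "__main__":
    for line in report(demo()):
        print(line)
    # On a real host: report(scan_homes(default_home_roots()))
```

Run as root (or as a user that can read every home) so that `default_home_roots()` actually covers all accounts; a hit should be treated as a lead for the usual triage (processes, listening ports, persistence) rather than as the whole investigation.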

Another honorable mention in this arena is the Zeus malware and its pseudo-Java-based version, cleverly named JaZeus. While it uses the same Java method to infect users, the Zeus executable in the end is still Windows based. This demonstrates that the people utilizing Zeus are investigating how to get more infections onto more systems. Zeus is even more dangerous than Koobface because, rather than attacking your social networking login, it actively seeks your banking login credentials. Its operators utilize the information gathered to make withdrawals from your account and, in some cases, devastate people’s lives.

Utilizing Java has its shortcomings, and the infection rates demonstrate that. It’s simply too much overhead in order to get malware installed. It’s also still banking on exploiting the human element with social engineering techniques. The use of Java, however, is the first step to something far more widespread and automated.

Organizations need to take higher security precautions with “alternative” operating systems. Many AV vendors, such as Sophos, are now producing Mac OS X and Linux versions, freely available from their websites. It’s always encouraged to have a properly tuned intrusion prevention system, as most of these attacks can be stopped at the border. You can also invest in secure web gateway technology; disallowing access to these URLs will mitigate the threat entirely. Both of these technologies give your overall network far better security regardless of the operating system they are protecting. However, as is the case with many threats independent of the operating system, common sense is the best defense.


Mobile Attacks

By C. Bryan Ivey

Introduction

Currently there is little debate that portable communications devices have become a regular part of daily life in most regions of the world. As more people have begun to depend on cell phones for communications such as email, SMS, and web surfing, businesses are forced to integrate smart phones into their IT infrastructures. This growth, coupled with potentially novice owners, provides an excellent avenue for monetary gain by attackers moving into this market, and a danger to smart phone owners’ and their companies’ data. In this article, we will take a short look at the history of cell phones, the problems that plague them, and speculate on what can be done to protect them from outsider attacks.

Background

The 1990s saw the explosive rise of the cellular phone. The smaller, handheld size made it more attractive to users and required a higher density of cell towers to handle the increase in traffic. The 1990s also saw the introduction of Short Message Service (SMS or texting). In 1999, full Internet service was made available to cell phones. Research In Motion (RIM) introduced their first two-way pager, the 850. In 2001, Microsoft released Pocket PC 2002, a Windows CE based operating system that was used in phones. By 2002, the first third generation (3G) phones began appearing, providing high speed data access to the mobile user2. This was also the year that RIM introduced their first “smart phone” that supported voice, email, texting, Internet faxing, and web browsing3. In 2003, Microsoft released Windows Mobile 2003, also based on Windows CE. The terminology “Windows Mobile” replaced the term “Pocket PC”. There were a number of revisions of Windows Mobile that eventually led to the current Windows Phone 74. In January of 2007, Apple announced their solution, the iPhone5. A few months later, in November of 2007, Google announced not a phone but a concept called Android (the Open Handset Alliance), an open source operating system and applications6.

The meteoric growth of this market is not without its issues. While smart phones become more powerful with greater functionality, user awareness has not kept up with the technology. This makes smart phones and their owners viable targets for attackers.

Issues

In this article, we will examine three means of smart phone attacks. First there’s the danger from a trusted source, where the attack is based on the transfer of data, whether by SMS or email from a trusted contact or from a web site that appears legitimate. Next there’s the hidden danger from a source you expect to be secure – applications created for your smart phone. Then there’s the loss of your smart phone and its data.

2 History of mobile phones – http://en.wikipedia.org/wiki/History_of_mobile_phones

3 BlackBerry – http://en.wikipedia.org/wiki/BlackBerry

4 Windows Mobile – http://en.wikipedia.org/wiki/Windows_Mobile#Pocket_PC_2000

5 Apple unveils iPhone – http://www.macworld.com/article/54769/2007/01/iphone.html

6 Where’s my Gphone? – http://googleblog.blogspot.com/2007/11/wheres-my-gphone.html


Danger From a Trusted Source

One method of attack involves Short Message Service (SMS or texting). Some of the first attacks on smart phones occurred in 2006 and were labeled “phishing”7. Wikipedia defines phishing as “the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.”8

In such an attack, the user normally receives an SMS message with a URL embedded in the text. In some cases, if the user follows the URL, the victim could be signed up for a “for-pay premium service” and a monthly charge would appear on their bill. The attacker would then receive a commission for signing up new users.

Phishing reached new heights in November of 2010 when it was announced that over one million phones in China had been infected with malware that spread itself by sending SMS messages to the phone’s contact list9. Some of the URLs spread by this attack pointed to pay-per-click advertisements thereby earning the attackers real money. Other URLs pointed to malware sites where clicking on the link infects a new phone thus increasing the spread of the infection.

Phishing is not the only attack delivered through this methodology, however. Another example of an SMS attack is a message with a malicious URL that delivers a Trojan to the victim. In incidents where owners are victimized by these attacks, the victim’s smart phone may be turned into a “zombie” over which an attacker has control. The implications of carrying a zombie smart phone are serious. Specifically, the attacker has remote control over the phone, and it would be a simple matter to enable the microphone on the device without the user’s knowledge. Essentially the device would become a mobile listening device, carried unnoticed into company meetings or other sensitive conversations.

In addition, on a zombie phone the attacker has access to the device and the data stored in memory or on the data card. All of the contact information could now be compromised. This opens up the contacts stored in the zombie phone to attack as well. Given the personal information an attacker would have access to, it would be easy to direct the compromised device to send an SMS message to one of the contacts listed in the address book, seemingly from the victim.

Hidden Danger

Another avenue of attack on smart phones is through mobile application stores10. Attackers create malicious applications which claim to have a legitimate use, such as a banking application, and may even be digitally signed through the process the application store requires. A malicious banking application, for example, duplicates the legitimate application in look and feel. However, when used, the user’s banking credentials (login ID, password) are captured and sent back to the attacker.

Malicious applications posing as legitimate pieces of software within mobile application stores are not specific to one platform such as the Apple iPhone or RIM’s Blackberry. Indeed, applications like “Angry Birds Bonus Levels”, which exploited two vulnerabilities within an Android phone, serve as a testimony to this fact11. In this particular malicious application, researchers discovered that the internal browser had the ability to install additional applications to facilitate the browser updating its Flash Lite plug-in without additional user prompting. When downloading Angry Birds, the user gives explicit permission to install the application. Once installed, though, Angry Birds downloads and installs three other applications (“Fake Toll Fraud”, “Fake Contact Stealer” and “Fake Location Tracker”) without asking the owner’s permission12. According to the original developers, these additional applications are benign, but Google has since removed all of the developer’s applications from the marketplace to protect their users.

7 SMS phishing: A harbinger of mobile attacks? – http://www.networkworld.com/newsletters/wireless/2006/0904wireless1.html

8 Phishing – http://en.wikipedia.org/wiki/Phishing

9 More than 1 million Chinese phones infected with malware – http://www.virusbtn.com/news/2010/11_11.xml

10 The Coming Wave of Mobile Attacks – http://threatpost.com/en_us/blogs/coming-wave-mobile-attacks-051710

11 Employees Put Personal Security, Interests Above Company’s, Survey Says – http://www.darkreading.com/insider-threat/167801100/security/vulnerabilities/224701559/index.html

Danger From Loss

The loss of smart phone data (contact information, email, etc.) does not have to be through malicious attacks. The phone could be physically lost or stolen. Depending on the amount of time before the loss is reported, physical access to the phone could potentially provide a connection to the user’s company network, with all the resources the user has access to. With physical access, anything stored locally in the phone’s memory or on the data card (contact list, email, text messages, stored documents, possibly passwords) is easily offloaded to other storage. If acted upon before the carrier is notified, the possessor of the phone could even send a text message to one of the contacts, in the same manner as if the phone had been compromised by a Trojan horse, as was discussed in the SMS attacks example.

Potential Solutions

What can we as smart phone owners do to protect ourselves? Let us examine how to help protect your smart phone by validating incoming data, screening the applications you install, and keeping close tabs on your smart phone’s location.

Validate

While we have seen that avoiding every form of SMS attack is not possible, users can take precautions against following URLs sent via SMS or email. Be suspicious of messages from unknown or unexpected sources. Sending the question “Did you send me a link?” back to the sender is an easy form of protection. If the sender’s phone is being controlled by an automated attack, a response will not be forthcoming, thus alerting the receiver that the original message containing the link may not be one they will want to follow.

Screen

The smart phone’s application store is another avenue where protection can be added to smart phones. Attackers can sign malicious applications with the vendor’s own keys and upload them to the store for user download. These applications would be indistinguishable from legitimate applications. Vendor pre-screening of the applications could help, though that could potentially eliminate all “free apps” from the stores and increase the price of the other applications due to the additional overhead.

Google does attempt to provide the prospective user with information regarding possible resources an application requires but does not go into details as to how the resources will be used. For example, before an application is installed, a resource screen might be displayed that states the application in question requires the GPS resource. But it does not state whether this resource will be used for legitimate reasons (as in an application that deals with maps) or whether it is needed for a “questionable” reason, such as a means to target geographically specific advertisement to the phone. More detailed information regarding the use of the various required resources would help, especially if the user could expand on issues they were not familiar with. As with PCs, user education is fundamental to the protection of the smart phone.

12 Android holes allow secret installation of apps – http://rss.feedsportal.com/c/32569/f/491734/s/f8c1416/l/0L0Sh0Eonline0N0Csecurity0Cnews0Citem0CAndroid0Eholes0Eallow0Esecret0Einstallation0Eof0Eapps0E1134940A0Bhtml0Cfrom0Crss/story01.htm


Care should be taken when choosing applications to install on the smart phone. If the download process provides indications of what resources are used by the application, examine the list carefully. If possible, determine whether the particular resource is actually needed by the application. Use the Internet to research and learn more about the terminology if necessary. You are trying to determine whether the application truly needs that functionality. For instance, a text editor should not need access to GPS. If GPS is specified as a requirement for a text editor, it probably indicates the application is advertisement supported. If so, whenever the application is in use, your location will be reported back to a central location. While this could merely be a means of targeting geographically specific advertisements, it could potentially be used to provide a means of gaining physical access to your phone or you. Applications that specify network access or contact access may legitimately require them to function, as in the case of an SMS client that replaces the OS supplied version. But the same resource requirements specified by a Sudoku game, for example, should raise red flags and sound the warning bell! An application that specifies a need to access resources beyond what is required for it to run is a probable sign of a Trojan or of a means of leaking your private data to an unknown destination.
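The screening described here, and the resource prompt discussed above under Google’s install screen, can be made mechanical. The Python below is an added example, not code from the report or from Google: it reads the uses-permission entries of an Android manifest, compares them with a baseline of what that kind of application plausibly needs, and raises a red flag when an unexplained sensitive resource (location, contacts, SMS, network) appears, which covers the text-editor-with-GPS and Sudoku-with-contacts cases in the text. The baseline table, the category names and the three sample manifests are constructed assumptions; the permission names are Android’s.

```python
"""Screen an app's declared permissions against what its kind of app needs.

Added example, not IBM's or Google's code. The manifest snippets use the
AndroidManifest.xml <uses-permission> form and real Android permission
names, but the per-category baseline (EXPECTED), the category names and the
sample apps are constructed for this illustration, not a published list.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"
PREFIX = "android.permission."

# Constructed baseline: what an app of this kind needs to do its job.
EXPECTED: Dict[str, Set[str]] = {
    "text_editor": {"READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE"},
    "sms_client": {"SEND_SMS", "RECEIVE_SMS", "READ_SMS", "READ_CONTACTS"},
    "maps": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION", "INTERNET"},
    "game": set(),  # a Sudoku game needs none of the resources below
}

# Resources the article singles out as worth a red flag when unexplained:
# location, contacts, messaging and network access.
SENSITIVE: Set[str] = {
    "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION",
    "READ_CONTACTS", "WRITE_CONTACTS",
    "SEND_SMS", "READ_SMS", "RECEIVE_SMS",
    "INTERNET",
}


def permissions_from_manifest(xml_text: str) -> Set[str]:
    """Collect <uses-permission android:name="..."/> entries without the
    android.permission. prefix."""
    root = ET.fromstring(xml_text.strip())
    names: Set[str] = set()
    for node in root.iter("uses-permission"):
        name = node.get(f"{{{ANDROID_NS}}}name", "")
        if name.startswith(PREFIX):
            name = name[len(PREFIX):]
        if name:
            names.add(name)
    return names


def screen(category: str, requested: Set[str]) -> Dict[str, object]:
    """Compare requested permissions with the baseline for the category.

    verdict: "ok" (nothing unexpected), "review" (unexpected but not in the
    sensitive set), "red_flag" (unexpected and sensitive, e.g. GPS for a
    text editor or contacts for a game).
    """
    baseline = EXPECTED.get(category, set())
    unexpected = requested - baseline
    flagged = unexpected & SENSITIVE
    if flagged:
        verdict = "red_flag"
    elif unexpected:
        verdict = "review"
    else:
        verdict = "ok"
    return {"category": category, "unexpected": sorted(unexpected),
            "flagged": sorted(flagged), "verdict": verdict}


# Constructed sample listings, modelled on the article's examples.
SAMPLES: List[Dict[str, str]] = [
    {"app": "NotePad Free", "category": "text_editor", "manifest": """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.notepad">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""},
    {"app": "Sudoku", "category": "game", "manifest": """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.sudoku">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""},
    {"app": "SMS Plus", "category": "sms_client", "manifest": """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.smsplus">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""},
]


def screen_samples() -> Dict[str, Dict[str, object]]:
    """Run the screen over the constructed listings, keyed by app name."""
    return {s["app"]: screen(s["category"], permissions_from_manifest(s["manifest"]))
            for s in SAMPLES}


if __name__ == "__main__":
    for app, result in screen_samples().items():
        print(f"{app:12} {result['verdict']:9} unexpected={result['unexpected']}")
```

The verdict is only as good as the baseline: a category that is too generous hides abuse, and one that is too strict produces noise, so the table should be maintained per organization and reviewed when a legitimate app fails the screen.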

Keep It Close

Do not provide physical access to your smart phone to people you don’t know and trust. A number of phones provide an easy means of legitimately transferring contact information from one phone to another, such as Bluetooth. While this is convenient for the owner, it is also a quick and easy means that a stranger can use to gain access to your private information.

Keep your phone on your person at all times when away from your home. A cell phone on a desktop or on a bar is a very easy item for someone to slip into their pocket and walk away if it is left unattended.

Consider the use of encryption for your data, if it is supported on your smart phone. While encryption may not be available for data used by the smart phone’s operating system (contact information, for example), it may be possible to encrypt other private data (text files, documents, etc.). This could protect some of your data, at least, if the phone is lost or stolen.

Perspective

What is next in the crosshairs of attackers? One concern might be access to your credit card accounts. Vendors are preparing smart phones to provide the ability to send personal credit card information to special “tap and go” devices in stores to pay for the customer’s purchases. To be able to do this, the phone would have to have a Near Field Communication (NFC) chip installed to transmit the information, similar to the tap and go credit cards in existence today. If the phone is compromised by any of the means discussed above, the owner’s financial assets could be in jeopardy.

As the cell phone’s owner, you are responsible for the safety and security of your smart phone. A number of the same methods you use to keep your personal computer safe can be applied to protecting your smart phone as well. If an SMS or email message arrives unexpectedly, verify with the sender before opening it. Before installing applications on your smart phone, screen the requirements carefully. Consider alternatives to applications that specify the need for resources not directly related to the function of the application, such as access to GPS or the contact list by a text editor. One alternative could be choosing another application that does not have the questionable resource requirements. Know where your phone is located at all times. If you discover that it has been lost or stolen, report it to your provider as soon as possible.


Prolific and Impacting Issues of Q4 2010

Significant disclosures

In Q4 2010, the X-Force team researched and assessed 1922 security related threats. A significant percentage of the vulnerabilities featured within the X-Force database became the focal point of malicious code writers, whose productions included malware and targeted exploits.

High: 528

Medium: 1235

Low: 120

Critical: 39

Total Vulnerabilities in Q4 2010: 1922

Source: IBM X-Force


The chart below categorizes the vulnerabilities researched by X-Force team analysts according to what they believe would be the greatest categories of security consequences resulting from exploitation of the vulnerability. The categories are: Bypass Security, Data Manipulation, Denial of Service, File Manipulation, Gain Access, Gain Privileges, Obtain Information, and Other. *

Bypass Security: Circumvent security restrictions such as a firewall or proxy, an IDS system or a virus scanner.

Gain Access: Obtain local and remote access. This also includes vulnerabilities by which an attacker can execute code or commands, because this usually allows the attacker to gain access to the system.

Data Manipulation: Manipulate data used or stored by the host associated with the service or application.

Gain Privileges: Privileges can be gained on the local system only.

Denial of Service: Crash or disrupt a service or system to take down a network.

Obtain Information: Obtain information such as file and path names, source code, passwords, or server configuration details.

File Manipulation: Create, delete, read, modify, or overwrite files.

Other: Anything not covered by the other categories.

Chart values (the category each value belongs to is not recoverable from the extracted text): 55.75%, 12.37%, 11.70%, 5.75%, 4.71%, 1.97%, 0.52%, 0.52%

* Represents unique vulnerability count.

Source: IBM X-Force


The IBM X-Force team published two protection advisories and three protection alerts for vulnerabilities covered in Microsoft’s October 2010 Security Release. Vulnerabilities highlighted in the protection advisories were discovered by the X-Force team.

The first protection advisory addresses a vulnerability affecting Microsoft Internet Explorer. By persuading a victim to visit a specially crafted web page, a remote attacker could exploit this vulnerability to gain control of the victim’s machine. The second protection advisory highlights an issue affecting Microsoft WordPad and Windows Shell. Attackers could bypass the security settings of WordPad and Windows Shell and embed known flawed objects in files. Upon exploitation of the pre-existing flaws in these controls, attackers can achieve arbitrary code execution.

• A protection advisory provided by IBM: Microsoft Internet Explorer Deleted Object Code Execution13

– IBM Protection Signature: JavaScript_Shellcode_Detected

• CVE-2010-3326

• Microsoft Security Bulletin MS10-071: Cumulative Security Update for Internet Explorer (2360131)14

• A protection advisory provided by IBM: Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution15

– IBM Protection: This vulnerability represents a new “class” of threat and not a specific vulnerability that can be protected against by a static or point signature. We recommend applying the patch released by Microsoft for this issue.

• CVE-2010-1263

• Microsoft Security Bulletin MS10-083: Vulnerability in COM Validation in Windows Shell and WordPad Could Allow Remote Code Execution (2405882)16

Two of the protection alerts released addressed vulnerabilities affecting the OpenType font format driver in Internet Explorer. The first issue can lead to an escalation of privilege, while the second issue can lead to a denial of service by crashing the system. Both vulnerabilities are considered local, as Internet Explorer does not support embedding of these types of fonts. However, other web browsers that support embedding of OpenType fonts could be vulnerable to remote attack.

13 A protection advisory provided by IBM: Microsoft Internet Explorer Deleted Object Code Execution – http://www.iss.net/threats/385.html

14 Microsoft Security Bulletin MS10-071: Cumulative Security Update for Internet Explorer (2360131) – http://www.microsoft.com/technet/security/bulletin/ms10-071.mspx

15 Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution – http://www.iss.net/threats/389.html

16 Microsoft Security Bulletin MS10-083: Vulnerability in COM Validation in Windows Shell and WordPad Could Allow Remote Code Execution (2405882) – http://www.microsoft.com/technet/security/bulletin/ms10-083.mspx


The third protection alert addresses a vulnerability in the Secure Channel (SChannel) security package in Windows. Successful exploitation of this vulnerability involves sending a specially crafted message to an affected Internet Information Services (IIS) server hosting a Secure Sockets Layer (SSL) enabled web site, which could cause a denial of service.

• A protection alert provided by IBM: Microsoft Windows SChannel Could Allow Denial of Service17

– IBM Protection Signature: TLS_Client_Certificate_Request_DoS

• CVE-2010-3229

• Microsoft Security Bulletin MS10-085: Vulnerability in SChannel Could Allow Denial of Service (2207566)18

• A protection alert provided by IBM: Microsoft OpenType Compact Font Format (CFF) Driver Could Allow Elevation of Privilege19

– IBM Protection Signature: OTF_Parsing_Misallocation

• CVE-2010-2740

• Microsoft Security Bulletin MS10-078: Vulnerabilities in the OpenType Font (OTF) Format Driver Could Allow Elevation of Privilege (2279986)20

• A protection alert provided by IBM: Microsoft OpenType Compact Font Format (CFF) Driver Could Allow Elevation of Privilege – DoS21

– IBM Protection Signature: Windows_Kernel_Font_Code_Execution

• CVE-2010-2741

• Microsoft Security Bulletin MS10-078: Vulnerabilities in the OpenType Font (OTF) Format Driver Could Allow Elevation of Privilege (2279986)22

Aside from addressing issues in the Microsoft Security Release, IBM X-Force also produced several protection advisories and alerts for other significant issues disclosed in October. The X-Force team discovered a remote code execution vulnerability in the Java Plug-in for Microsoft Internet Explorer. An attacker would need to entice a user to visit a web page to trigger this vulnerability.

• A protection advisory provided by IBM: Java Plug-in for Internet Explorer Remote Code Execution23

– IBM Protection Signature: HTML_Browser_Plugin_Overflow

• CVE-2010-3552

• Oracle Java SE and Java for Business Critical Patch Update Advisory - October 201024

17 A protection alert provided by IBM: Microsoft Windows SChannel Could Allow Denial of Service – http://www.iss.net/threats/388.html

18 Microsoft Security Bulletin MS10-085: Vulnerability in SChannel Could Allow Denial of Service (2207566) – http://www.microsoft.com/technet/security/bulletin/ms10-085.mspx

19 Microsoft OpenType Compact Font Format (CFF) Driver Could Allow Elevation of Privilege – http://www.iss.net/threats/386.html

20 Microsoft Security Bulletin MS10-078: Vulnerabilities in the OpenType Font (OTF) Format Driver Could Allow Elevation of Privilege (2279986) – http://www.microsoft.com/technet/security/bulletin/ms10-078.mspx

21 Microsoft OpenType Compact Font Format (CFF) Driver Could Allow Elevation of Privilege - DoS – http://www.iss.net/threats/387.html

22 Microsoft Security Bulletin MS10-078: Vulnerabilities in the OpenType Font (OTF) Format Driver Could Allow Elevation of Privilege (2279986) – http://www.microsoft.com/technet/security/bulletin/ms10-078.mspx

23 A protection advisory provided by IBM: Java Plug-in for Internet Explorer Remote Code Execution – http://www.iss.net/threats/390.html

24 Oracle Java SE and Java for Business Critical Patch Update Advisory - October 2010 – http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html


The last two protection alerts released in October affect Adobe® products. The first vulnerability affects Adobe Shockwave Player versions 11.5.8.612 and earlier for Windows and Macintosh operating systems. The second vulnerability affects recent versions of Adobe Flash Player, Reader and Acrobat for Windows, Linux, Macintosh and Solaris operating systems and has been exploited in the wild. Successful exploitation of either issue would result in execution of attacker-supplied code, which can lead to further system compromise, information gathering and installation of other attacker-supplied software.

• A protection alert provided by IBM: Adobe Shockwave Director rcsL Chunk Remote Code Execution25

– IBM Protection Signatures: JavaScript_ShellCode_Detected, JavaScript_Large_Unescape, JavaScript_NOOP_Sled

• CVE-2010-3653

• Adobe Security Bulletin APSB10-25: Security update available for Shockwave Player26

• A protection alert provided by IBM: Adobe Flash, Reader, and Acrobat are vulnerable to a critical vulnerability that can allow remote code execution27

– IBM Protection Signature: PDF_JavaScript_Exploit

• CVE-2010-3654

• Adobe Security Bulletin APSB10-28: Security updates available for Adobe Reader and Acrobat28

The X-Force team also published several protection alerts to highlight issues disclosed in the Microsoft November Security Release.

All three vulnerabilities could result in remote code execution. Two of the vulnerabilities affect Microsoft Office. The first of these has to do with an issue in the way that Microsoft Office processes Rich Text Format (RTF) documents. A user’s system could be compromised if the user views malicious content either through a malicious document or in Outlook through an RTF formatted email. The second issue involves how Microsoft Office loads certain file types from a remote system. When opening certain types of Office files shared remotely via SMB or WebDAV, Microsoft Office can load an attacker supplied DLL from the same remote site. The Microsoft Office file itself need not be malicious.
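The DLL loading behaviour described above comes down to the order in which the Windows loader probes directories when an application asks for a library by bare name. The following model, added here as an illustration and not code from the IBM report or from Microsoft, walks that search order to show why a document opened from a remote share can cause a DLL on the same share to be chosen, and what excluding the current working directory (the effect of the CWDIllegalInDllSearch registry mitigation or an application calling SetDllDirectory("")) changes. All paths, the share name and the file names are constructed.

```python
# Added example (not from the IBM report): a model of the Windows DLL search
# order showing why opening a document from a remote SMB/WebDAV share can
# cause an application to load a DLL from that same share, and what removing
# the current working directory (CWD) from the search changes. Paths, share
# names and file names are constructed for illustration.
from typing import Dict, List, Optional, Set

# Directories probed by LoadLibrary, in order, when SafeDllSearchMode is on
# (the Windows default): application directory, System32, System, Windows,
# the current working directory, then each directory in PATH.
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]


def search_order(app_dir: str, cwd: str, path_env: List[str],
                 include_cwd: bool) -> List[str]:
    """Return the directories the loader would probe, in order."""
    order = [app_dir] + SYSTEM_DIRS
    if include_cwd:
        order.append(cwd)
    return order + path_env


def resolve_dll(filesystem: Dict[str, Set[str]], app_dir: str, cwd: str,
                path_env: List[str], dll: str,
                include_cwd: bool = True) -> Optional[str]:
    """Full path the loader would pick for a DLL requested by bare name,
    or None when no probed directory contains it.
    `filesystem` maps each directory to the lower-cased file names it holds."""
    for directory in search_order(app_dir, cwd, path_env, include_cwd):
        if dll.lower() in filesystem.get(directory, set()):
            return directory + "\\" + dll
    return None


def is_remote_location(path: str) -> bool:
    """True for a UNC path (two leading backslashes), which is how both SMB
    shares and WebDAV-mapped locations appear to the loader. A DLL resolved
    to such a path is the host-side counterpart of what the report's
    SMB_/HTTP_..._DLL_Hijacking network signatures detect in transit."""
    return path.startswith("\\\\")


# Constructed sample host. The application directory and System32 lack the
# optional DLL the application asks for by bare name; the remote share holding
# the document (attacker-controlled content) provides one.
APP_DIR = r"C:\Program Files\ExampleOfficeApp"       # placeholder application
REMOTE_SHARE = r"\\files.example.test\docs"          # placeholder share
FILESYSTEM: Dict[str, Set[str]] = {
    APP_DIR: {"exampleapp.exe"},
    r"C:\Windows\System32": {"kernel32.dll", "user32.dll"},
    REMOTE_SHARE: {"slides.pptx", "optional.dll"},
}
PATH_ENV = [r"C:\Windows\System32", r"C:\Windows"]


def demo() -> Dict[str, Optional[str]]:
    """Open a document from the share (so the share becomes the CWD) and ask
    for optional.dll with the CWD searched (default) and with the CWD
    excluded (the CWDIllegalInDllSearch / SetDllDirectory("") mitigation)."""
    default = resolve_dll(FILESYSTEM, APP_DIR, REMOTE_SHARE, PATH_ENV,
                          "optional.dll")
    hardened = resolve_dll(FILESYSTEM, APP_DIR, REMOTE_SHARE, PATH_ENV,
                           "optional.dll", include_cwd=False)
    return {"default": default, "hardened": hardened}


if __name__ == "__main__":
    for mode, path in demo().items():
        flag = " (remote location: would be flagged)" if path and is_remote_location(path) else ""
        print(f"{mode}: {path}{flag}")
```

With the CWD excluded the lookup fails rather than succeeding from the share, which is the intended fail-safe: an optional library that is missing is a load error, not a code execution path. The `is_remote_location` check is the kind of condition a host-based monitor can apply to image-load events to catch the same situation the report's network signatures catch on the wire.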

The third issue exists in the way that Microsoft Internet Explorer handles certain CSS elements inside of a table. An attacker who entices a victim to visit a malicious web page can then run arbitrary code at the current user’s privilege level. Public exploits of this vulnerability have been seen in the wild.

• A protection alert provided by IBM: Microsoft Office RTF Could Allow Remote Code Execution29

– IBM Protection Signature: RTF_Office_Stack_Overflow

• CVE-2010-3333

• Microsoft Security Bulletin MS10-087: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2423930)30

25 A protection alert provided by IBM: Adobe Shockwave Director rcsL Chunk Remote Code Execution http://www.iss.net/threats/391.html

26 Adobe Security Bulletin APSB10-25: Security update available for Shockwave Player http://www.adobe.com/support/security/bulletins/apsb10-25.html

27 A protection alert provided by IBM: Adobe Flash, Reader, and Acrobat are vulnerable to a critical vulnerability that can allow remote code execution http://www.iss.net/threats/392.html

28 Adobe Security Bulletin APSB10-28: Security updates available for Adobe Reader and Acrobat http://www.adobe.com/support/security/bulletins/apsb10-28.html

29 A protection alert provided by IBM: Microsoft Office RTF Could Allow Remote Code Execution http://www.iss.net/threats/393.html

30 Microsoft Security Bulletin MS10-087: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2423930) http://www.microsoft.com/technet/security/bulletin/MS10-087.mspx


• A protection alert provided by IBM: Microsoft Office (DLL) Could Allow Remote Code Execution31

– IBM Protection Signatures: SMB_PowerPoint_DLL_Hijacking (SMB), HTTP_PowerPoint_DLL_Hijacking (WebDAV)

• CVE-2010-3337

• Microsoft Security Bulletin MS10-087: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2423930)32

• A protection alert provided by IBM: Microsoft Internet Explorer Could Allow Remote Code Execution33

– IBM Protection Signatures: CSS_IE_Flag_Code_Execution, JavaScript_Shellcode_Detected, JavaScript_Large_Unescape, JavaScript_NOOP_Sled, JavaScript_Large_FromCharCode

• CVE-2010-3962

• Microsoft Security Bulletin MS10-090: Cumulative Security Update for Internet Explorer (2416400)34

One further issue in November drew the attention of our analysts: a heap corruption vulnerability in the Acrobat JavaScript printSeps function of Adobe Reader. Currently released exploits for this vulnerability cause Adobe Reader to crash when processing a specially crafted PDF file. Although current exploitation results in a denial of service, remote code execution is a possibility, which would allow an attacker to execute arbitrary code on the system with the privileges of the victim.

• A protection alert provided by IBM: Adobe Reader Heap Corruption vulnerability35

– IBM Protection Signature: PDF_PrintSeps_Overflow

• CVE-2010-4091

• Adobe Security Bulletin APSB10-28: Security updates available for Adobe Reader and Acrobat36

In December, Microsoft released numerous Security Bulletins. Many of the issues covered were highlighted in X-Force Protection Alerts. Five of the Protection Alerts addressed issues affecting Microsoft Windows. Successful exploitation of these vulnerabilities could allow an attacker to launch a denial of service attack, gain elevated privileges or execute code remotely.

• A protection alert provided by IBM: Insecure Library Loading in Internet Connection Signup Wizard Could Allow Remote Code Execution37

– IBM Protection Signatures: HTTP_ICS_Wizard_DLL_Hijacking, SMB_ICS_Wizard_DLL_Hijacking

• CVE-2010-3144

• Microsoft Security Bulletin MS10-097: Insecure Library Loading in Internet Connection Signup Wizard Could Allow Remote Code Execution38

31 A protection alert provided by IBM: Microsoft Office (DLL) Could Allow Remote Code Execution http://www.iss.net/threats/394.html

32 Microsoft Security Bulletin MS10-087: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2423930) http://www.microsoft.com/technet/security/bulletin/MS10-087.mspx

33 A protection alert provided by IBM: Microsoft Internet Explorer Could Allow Remote Code Execution http://www.iss.net/threats/395.html

34 Microsoft Security Bulletin MS10-090: Cumulative Security Update for Internet Explorer (2416400) http://www.microsoft.com/technet/security/bulletin/ms10-090.mspx

35 A protection alert provided by IBM: Adobe Reader Heap Corruption vulnerability http://www.iss.net/threats/396.html

36 Adobe Security Bulletin APSB10-28: Security updates available for Adobe Reader and Acrobat http://www.adobe.com/support/security/bulletins/apsb10-28.html

37 A protection alert provided by IBM: Insecure Library Loading in Internet Connection Signup Wizard Could Allow Remote Code Execution http://www.iss.net/threats/401.html

38 Microsoft Security Bulletin MS10-097: Insecure Library Loading in Internet Connection Signup Wizard Could Allow Remote Code Execution (2443105) http://www.microsoft.com/technet/security/bulletin/ms10-097.mspx


• A protection alert provided by IBM: Microsoft Windows NetLogon Service Could Allow Denial Of Service39

– IBM Protection Signature: MSRPC_NETAPI_GetDomainInfo_Dos

• CVE-2010-2742

• Microsoft Security Bulletin MS10-101: Vulnerability in Windows Netlogon Service Could Allow Denial of Service (2207559)40

• A protection alert provided by IBM: Microsoft Windows OpenType Font (OTF) Format Driver Could Allow Remote Code Execution41

– IBM Protection Signatures: OTF_Windows_Bad_Font_Index, OTF_Windows_Double_Free, CFF_Invalid_Offset_Size, OTF_Windows_Cmap_Table_Corruption

• CVE-2010-3956, CVE-2010-3957, CVE-2010-3959

• Microsoft Security Bulletin MS10-091: Vulnerabilities in the OpenType Font (OTF) Driver Could Allow Remote Code Execution (2296199)42

• A protection alert provided by IBM: Microsoft Windows Media Encoder could allow remote code execution43

– IBM Protection Signatures: HTTP_Media_Encoder_DLL_Hijacking, SMB_Media_Encoder_DLL_Hijacking

• CVE-2010-3965

• Microsoft Security Bulletin MS10-094: Vulnerability in Windows Media Encoder Could Allow Remote Code Execution (2447961)44

• A protection alert provided by IBM: Microsoft Windows Could Allow Remote Code Execution45

– IBM Protection Signatures: HTTP_BranchCache_DLL_Hijacking, SMB_BranchCache_DLL_Hijacking

• CVE-2010-3966

• Microsoft Security Bulletin MS10-095: Vulnerability in Microsoft Windows Could Allow Remote Code Execution (2385678)46

39 A protection alert provided by IBM: Microsoft Windows NetLogon Service Could Allow Denial Of Service http://www.iss.net/threats/402.html

40 Microsoft Security Bulletin MS10-101: Vulnerability in Windows Netlogon Service Could Allow Denial of Service (2207559) http://www.microsoft.com/technet/security/bulletin/ms10-101.mspx

41 A protection alert provided by IBM: Microsoft Windows OpenType Font (OTF) Format Driver Could Allow Remote Code Execution http://www.iss.net/threats/398.html

42 Microsoft Security Bulletin MS10-091: Vulnerabilities in the OpenType Font (OTF) Driver Could Allow Remote Code Execution (2296199) http://www.microsoft.com/technet/security/bulletin/MS10-091.mspx

43 A protection alert provided by IBM: Microsoft Windows Media Encoder could allow remote code execution http://www.iss.net/threats/399.html

44 Microsoft Security Bulletin MS10-094: Vulnerability in Windows Media Encoder Could Allow Remote Code Execution (2447961) http://www.microsoft.com/technet/security/bulletin/MS10-094.mspx

45 A protection alert provided by IBM: Microsoft Windows Could Allow Remote Code Execution http://www.iss.net/threats/400.html

46 Microsoft Security Bulletin MS10-095: Vulnerability in Microsoft Windows Could Allow Remote Code Execution (2385678) http://www.microsoft.com/technet/security/bulletin/ms10-095.mspx


One of the December X-Force Protection Alerts addressed a remote code execution vulnerability affecting Microsoft Windows. Some versions of Microsoft Office improperly process TIFF files that could allow an attacker to execute code in the context of the current user.

• A protection alert provided by IBM: Microsoft Office Graphics Filters Could Allow Remote Code Execution47

– IBM Protection Signature: Image_TIFF_Office_Heap_Overflow

• CVE-2010-3947

• Microsoft Security Bulletin MS10-105: Vulnerabilities in Microsoft Office Graphics Filters Could Allow for Remote Code Execution (968095)48

The remaining X-Force protection alerts released in December highlight remote code execution issues affecting Microsoft Internet Explorer.

Two remote code execution vulnerabilities exist in Microsoft Internet Explorer. The first exists in the way that Internet Explorer handles certain CSS elements, and the second in the way that the application handles CSS import statements. Both issues could allow an attacker to run arbitrary code at the current user’s privilege level if the victim is enticed into visiting a malicious web page.

• A protection alert provided by IBM: Microsoft Internet Explorer Could Allow Remote Code Execution

– IBM Protection Signature: HTML_IE_Animation_Exec

• CVE-2010-3343

• Microsoft Security Bulletin MS10-090: Cumulative Security Update for Internet Explorer (2416400)49

• A protection alert provided by IBM: Microsoft Internet Explorer CSS Remote Code Execution50

– IBM Protection Signatures: CSS_Import_Corruption, JavaScript_Shellcode_Detected, JavaScript_NOOP_Sled, JavaScript_Large_Unescape

• CVE-2010-3971

• Microsoft Security Advisory (2488013): Vulnerability in Internet Explorer Could Allow Remote Code Execution51

47 A protection alert provided by IBM: Microsoft Office Graphics Filters Could Allow Remote Code Execution http://www.iss.net/threats/403.html

48 Microsoft Security Bulletin MS10-105: Vulnerabilities in Microsoft Office Graphics Filters Could Allow for Remote Code Execution (968095) http://www.microsoft.com/technet/security/bulletin/ms10-105.mspx

49 A protection alert provided by IBM: Microsoft Internet Explorer Could Allow Remote Code Execution http://www.iss.net/threats/397.html

50 A protection alert provided by IBM: Microsoft Internet Explorer CSS Remote Code Execution http://www.iss.net/threats/404.html

51 Microsoft Security Advisory (2488013): Vulnerability in Internet Explorer Could Allow Remote Code Execution http://www.microsoft.com/technet/security/advisory/2488013.mspx


Additional Q4 2010 Quarter highlights

This section of the report briefly covers some of the additional threats facing security professionals during Q4 2010.

US Justice Department Seizes Domain Names

Over the 2010 Thanksgiving weekend the US Department of Justice announced it had seized 82 domains that were used to sell counterfeit items, items that infringe copyright, or other illegal items or services. This is the second large scale action of this type that the Justice Department took in 2010. The seizure of a domain name is a complex issue that has gained the attention of the media, and is a topic that will gain more momentum in 2011.

DNS is simply a process that associates an IP address with a human-readable name. For example, ibm.com is the DNS name for an IP address; that IP address is what networked systems need to communicate. For all DNS names that end in .com, Verisign is responsible for maintaining the relationship between domain names and the DNS server that answers for each domain. When the Department of Justice performs a seizure on a .com domain name, it takes the court order for the seizure to Verisign, and Verisign changes the record for that particular domain name. Rather than pointing to the IP address of the DNS server for the company or individual, the record would point to the Department of Justice DNS server, which directs the user to a page announcing that the seizure has taken place. For example, fakewidgets.com would normally point to a server that hosts a website that sells counterfeit widgets. After fakewidgets.com has its domain name seized, any Internet user that tries to access fakewidgets.com would get the Department of Justice website.

It’s important to note that the company’s server has not been accessed or modified in this process. If you were to try and access the site directly by the IP address, it would work as designed. Businesses do not use their IP addresses though, so seizing the domain name effectively takes the site offline to potential customers. Another important note is that because the hardware is not being seized, the server could be located OUTSIDE the United States.

While domain seizure has a rapid, powerful impact on the business that uses the domain, it is not a permanent condition. The business can register a new domain and point it to the same site as the seized domain. The owner of our example domain, fakewidgets.com, could register a new domain name like morefakewidgets.com, and within hours the site would be accessible to a majority of the Internet again. Another limitation is that the seizure has to occur within the jurisdiction of the US Federal Government. Each of the Top Level Domains (TLDs) has a company or organization that manages the domain names and their corresponding DNS servers. In our examples, and in the seizure of the 82 domains, all were in the .com TLD, which is managed by Verisign, a US based company. If the domain were fakewidgets.cn, the US could not seize the domain, because the .cn TLD is managed by a company in China, outside the scope of US law. It is also worth noting that the Justice Department does not have the power to decide on its own to seize a domain. It must bring the request to the courts, which evaluate whether the site is “dedicated to infringing activities”.

The US Congress is working on new legislation that will expand the Department of Justice’s power to seize domains. Currently the Senate is considering a bill (S.3804 aka Combating Online Infringement and Counterfeits Act) which would expand that power to all domains. The way this is done is through your ISP’s DNS servers. For example, if you get your Internet service from BigISP, BigISP has their own DNS servers that handle all the DNS requests for their customers.


The new legislation would allow the Government to go to these ISPs and require them to “take reasonable steps that will prevent a domain name from resolving to that domain name’s Internet protocol address”. In other words, if a BigISP customer tried to access fakewidgets.cn, the BigISP DNS server would point them to the Department of Justice’s site that tells them the domain has been seized, rather than to the real site. A benefit to the ISP in this bill is that it is granted immunity from any lawsuit that could be brought against it in relation to this seizure. The owners of fakewidgets.cn could not sue the ISP for not directing customers to the real fakewidgets.cn site. This bill is going to gain further scrutiny as it goes through the process of passage, raising arguments of government censorship, net neutrality, and intellectual property concerns.
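The two mechanisms described above, a record change at the .com registry and a redirect configured at an ISP's recursive resolver, act at different points of the resolution chain. The following toy model, added here as an illustration and not code from the IBM report, walks a recursive lookup from the TLD registry to the authoritative server so that the behaviours in the text can be exercised: a seized .com name resolving to the notice page while the server itself is untouched and still reachable by IP, a .cn name being out of the .com registry's reach but catchable by a resolver block, and a freshly registered name restoring reach within the same model. It also carries a small owner-side check that flags when a domain's delegation no longer matches what the owner configured. Every domain, server name and address is constructed (addresses are from documentation ranges).

```python
# Added example (not from the IBM report): a toy model of the DNS resolution
# chain showing a registry-level record change (the mechanism behind the .com
# seizures), access by IP address bypassing DNS, re-registration under a new
# name, and a resolver-level block at an ISP (the mechanism S.3804 contemplates).
# All names, servers and addresses are constructed.
from typing import Dict, Optional, Set

SEIZURE_IP = "203.0.113.5"          # constructed address of the notice page
SEIZURE_NS = "ns.seizure.example"   # constructed name server used after seizure


class DnsModel:
    def __init__(self) -> None:
        # TLD registries: zone -> {domain -> authoritative name server}
        self.registries: Dict[str, Dict[str, str]] = {
            "com": {"fakewidgets.com": "ns.hosting.example"},
            "cn": {"fakewidgets.cn": "ns.hosting.example"},
        }
        # Authoritative servers: server -> {domain -> A record}
        self.authoritative: Dict[str, Dict[str, str]] = {
            "ns.hosting.example": {"fakewidgets.com": "198.51.100.10",
                                   "fakewidgets.cn": "198.51.100.10"},
            SEIZURE_NS: {},
        }
        # Web servers keyed by IP; no DNS change touches these
        self.web: Dict[str, str] = {
            "198.51.100.10": "counterfeit widgets storefront",
            SEIZURE_IP: "this domain name has been seized",
        }

    @staticmethod
    def tld_of(domain: str) -> str:
        return domain.rsplit(".", 1)[-1]

    def resolve(self, domain: str,
                isp_blocklist: Optional[Set[str]] = None) -> Optional[str]:
        """Recursive resolver: TLD registry -> authoritative server -> A record.
        `isp_blocklist` models an ISP resolver ordered to redirect names that
        no registry within reach can be made to change."""
        if isp_blocklist and domain in isp_blocklist:
            return SEIZURE_IP
        ns = self.registries.get(self.tld_of(domain), {}).get(domain)
        if ns is None:
            return None
        return self.authoritative.get(ns, {}).get(domain)

    def seize_com_domain(self, domain: str) -> bool:
        """Registry action on a court order: re-point the .com delegation to
        the seizure name server. Returns False for any other TLD, which the
        .com registry cannot alter."""
        if self.tld_of(domain) != "com" or domain not in self.registries["com"]:
            return False
        self.registries["com"][domain] = SEIZURE_NS
        self.authoritative[SEIZURE_NS][domain] = SEIZURE_IP
        return True

    def register_com_domain(self, domain: str, ns: str, ip: str) -> None:
        """The site owner registers a fresh name pointing at the same server."""
        self.registries["com"][domain] = ns
        self.authoritative.setdefault(ns, {})[domain] = ip

    def fetch(self, domain: Optional[str] = None, ip: Optional[str] = None,
              isp_blocklist: Optional[Set[str]] = None) -> str:
        """What a client sees. A fetch by IP address never consults DNS."""
        if ip is None and domain is not None:
            ip = self.resolve(domain, isp_blocklist)
        return self.web.get(ip, "no such host")

    def delegation_changed(self, domain: str, expected_ns: str) -> bool:
        """Owner-side check: does the registry still delegate the domain to
        the name server the owner configured? Flags seizure and hijack alike."""
        return self.registries.get(self.tld_of(domain), {}).get(domain) != expected_ns


if __name__ == "__main__":
    m = DnsModel()
    print("before:", m.fetch(domain="fakewidgets.com"))
    m.seize_com_domain("fakewidgets.com")
    print("after seizure, by name:", m.fetch(domain="fakewidgets.com"))
    print("after seizure, by IP:  ", m.fetch(ip="198.51.100.10"))
    print(".cn reachable by .com registry?", m.seize_com_domain("fakewidgets.cn"))
    print(".cn through a blocking ISP resolver:",
          m.fetch(domain="fakewidgets.cn", isp_blocklist={"fakewidgets.cn"}))
    m.register_com_domain("morefakewidgets.com", "ns.hosting.example", "198.51.100.10")
    print("new name:", m.fetch(domain="morefakewidgets.com"))
```

The `delegation_changed` check is the practical takeaway for a legitimate domain owner: whether the cause is a court order or an unauthorised registrar change, the first visible symptom is the registry delegating the name somewhere the owner did not configure, so comparing the published delegation against a known-good value is a cheap monitoring step.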

Many of these sites have already resumed operating with new domain names, switching to .info or some other non-.com domain. Already we are seeing other major sites moving off their .com names to a domain space that is outside the scope of US jurisdiction. The popular torrent site demonoid.com is moving to demonoid.me in order to avoid potential seizure. Businesses have to be even more aware of Internet-based companies trying to infringe on their intellectual property. Search engines such as Google offer the ability to set up alerts that notify individuals of sites using specific terms. For example, if your company sells the “WidgetMaster 2000” you could set up an alert for that term, and when a new website uses that term you are notified, potentially revealing a site selling counterfeit WidgetMaster 2000s. What can a business do once it discovers another company or website selling goods that infringe on its intellectual property? The Immigration and Customs Enforcement group has a website (National Intellectual Property Rights Coordination Center) where you can report sites and companies that you suspect of infringement. These leads will be investigated and could potentially lead to domain seizures.

Contributors to this paper include:

IBM MSS Intelligence Center

Michelle Alvarez – Team Lead & Cyber Threat Intelligence Analyst

C. Bryan Ivey – Cyber Threat and Intelligence Analyst

John Kuhn – Senior Threat Analyst

IBM X-Force Database Team


© Copyright IBM Corporation 2011

IBM Corporation Software Group Route 100 Somers, NY 10589 U.S.A.

Produced in the United States of America February 2011 All Rights Reserved

IBM, the IBM logo, ibm.com and X-Force are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml

Adobe is a registered trademark of Adobe Systems Incorporated in the United States, and/or other countries.

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

Other company, product or service names may be trademarks or service marks of others.

Information in this document concerning non-IBM products was obtained from the suppliers of these products, published announcement material or other publicly available sources. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All performance data contained in this publication was obtained in the specific operating environment and under the conditions described above and is presented as an illustration. Performance obtained in other operating environments may vary and customers should conduct their own testing.

The use of third-party data, studies and/or quoted material does not represent an endorsement by IBM of the publishing organization, nor does it necessarily represent the viewpoint of IBM.

The customer is responsible for ensuring compliance with legal requirements. It is the customer’s sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law or regulation.

Please Recycle

WGL03006-USEN-00

References

Prolific and Impacting Issues of Q4 2010

US Justice Department Seizes Domain Names

Sensing Danger, Demonoid BitTorrent Tracker Ditches .COM Domain http://torrentfreak.com/sensing-danger-demonoid-bittorrent-tracker-ditches-com-domain-101202/

National IPR Coordination Center Referral http://www.ice.gov/iprcenter/iprreferral.htm

ICE seizes 82 website domains involved in selling counterfeit goods as part of Cyber Monday crackdown http://www.ice.gov/news/releases/1011/101129washington.htm

Text of S. 3804 [111th]: Combating Online Infringement and Counterfeits Act http://www.govtrack.us/congress/billtext.xpd?bill=s111-3804