Archive for November, 2009

Nov 28 2009

Win a trip to the Bahamas at Christmas or win malware?

Published by under Security Research

As Bkis predicted in the previous blog entry, Emails from Santa, virus distributors have taken action this Christmas season.

On November 28, 2009, the Bkis honeypot collected multiple malicious emails faking a Coca-Cola promotion campaign for Christmas.

[Image: XmasCo1]

The email carries an enticing message, “Play our fantastic new online game for your chance to WIN a trip to the Bahamas and get all Coca Cola drinks for free in the rest of your life. See the attachment for details”, to trick users into opening the attached file.

When users run the attached file, their computers are infected with a backdoor. The attacker can then take remote control of the victim’s machine and steal important data.

Below is the detailed analysis of this worm:

  • Name: W32.XmasCo.Worm
  • Family: W32.XmasCo.Worm
  • Type: Worm
  • Discovered: November 28, 2009
  • Size: 439 KB
  • Severity: high

Risks:

  • Reduces the system security level.
  • Installs a backdoor.

Symptoms:

  • The registry is modified.
  • The following window pops up:

[Image: XmasCo2]

Infection methods:

  • Via websites.
  • Via emails.

Preventions:

  • Do not visit websites that offer software cracks or hacking techniques, or websites with erotic content.
  • Do not open unknown attachments, particularly files with .exe, .com, .pif and .bat extensions.

Technical details:

  • Writes the following registry values so that the virus is activated at Windows start-up:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{77520Q86-864L-N81R-0R2W-7U2G0P22436U}]
    StubPath = “%SystemDir%\qnx.exe”
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    Wind River Systems = “%SystemDir%\vxworks.exe”
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    QnX = “%SystemDir%\qnx.exe”
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    QnX = “%SystemDir%\qnx.exe”
  • Copies itself to %SystemDir% under the name “vxworks.exe”.
  • Drops the file “%SystemDir%\qnx.exe”.
  • Opens ports 1051, 1070, 1085 and 1086 to receive the attacker’s commands.
  • Connects to the following servers (IP address and port) to download further malicious code onto the affected machine:
    63.249.1.40:25
    63.249.1.41:25
    70.87.6.99:25
    84.17.190.210:25
    72.233.89.197:80
  • Mass-mails itself to the addresses found on the infected machine, using noreply@coca-cola.com as the sender address.
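The persistence entries listed above are what a responder looks for on a suspect machine. The following is an added example, not Bkis’ code: a Python script that parses a registry export in the .reg text format (the format `reg export` writes) and flags autostart values whose data points at one of the file names from this analysis. The export embedded in it is constructed, and the Winlogon key is included as a generalisation beyond this worm, since its “Shell” value is another start-up location that malware hijacks.

```python
"""Added example, not Bkis' code: flag the autostart persistence entries
described in the analysis inside a Windows registry export (.reg text).

The export embedded below is constructed. KNOWN_BAD_FILES holds the file
names from the analysis; AUTOSTART_KEYS lists the locations the worm
writes, plus the Winlogon key (its "Shell" value) as a generalisation."""

# Registry paths (matched as case-insensitive substrings) that start
# programs at boot or logon.
AUTOSTART_KEYS = (
    r"\Microsoft\Active Setup\Installed Components",    # StubPath values
    r"\Microsoft\Windows\CurrentVersion\Run",           # also matches RunOnce
    r"\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"\Microsoft\Windows NT\CurrentVersion\Winlogon",   # "Shell" value
)

# Executable names from the W32.XmasCo.Worm analysis above.
KNOWN_BAD_FILES = {"qnx.exe", "vxworks.exe"}

# Constructed .reg export: the worm's entries plus two benign values.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{77520Q86-864L-N81R-0R2W-7U2G0P22436U}]
"StubPath"="%SystemDir%\\qnx.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wind River Systems"="%SystemDir%\\vxworks.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"QnX"="%SystemDir%\\qnx.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"QnX"="%SystemDir%\\qnx.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"""


def parse_reg_export(text):
    """Yield (key, value_name, data) for each string value in .reg text.
    Only REG_SZ values ("name"="data") are handled; that covers autostart
    entries, and other value types (dword:, hex:) are skipped."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith(('"', "@")):
            name, _, data = line.partition("=")
            name = name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                # .reg files escape backslashes and quotes inside strings
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
                yield key, name, data


def is_autostart_key(key):
    """True if the key is one of the start-up locations being watched."""
    k = key.lower()
    return any(path.lower() in k for path in AUTOSTART_KEYS)


def referenced_files(data):
    """Base names of every path in a value's data, lower-cased. Winlogon's
    Shell may hold a comma-separated list ("Explorer.exe, x.exe"), so each
    comma-separated part is treated as a separate path."""
    names = set()
    for part in data.split(","):
        part = part.strip().strip('"')
        names.add(part.replace("/", "\\").rsplit("\\", 1)[-1].lower())
    return names


def find_persistence(text):
    """Return the autostart entries whose data refers to a known bad file."""
    return [
        (key, name, data)
        for key, name, data in parse_reg_export(text)
        if is_autostart_key(key) and referenced_files(data) & KNOWN_BAD_FILES
    ]


if __name__ == "__main__":
    for key, name, data in find_persistence(SAMPLE_EXPORT):
        print(f"{key}\n    {name} = {data}")
```

On the constructed export the script reports the four entries from the analysis and ignores the benign ctfmon and Explorer.exe values. Matching on file name is deliberately narrow; a broader triage would list every autostart value and review the ones outside known system paths.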

Analyst: Nguyen Cong Cuong


Nov 28 2009

Emails from Santa

Published by under Security Research

The year-end is approaching with two important holidays, Christmas and New Year, and people tend to show more interest in holiday-related themes.

Taking advantage of this, attackers often use the symbols of these holidays to lure users. Spam messages entice users to click links without any idea of where they will be redirected.

[Image: santa]

The picture above exemplifies a spam message exploiting the Santa image. If users click the email’s link, their browser is automatically redirected three consecutive times to a website that has nothing to do with Santa or Christmas.

Apparently spammers use the Santa image to draw more users into clicking the links, with the aim of advertising a certain service. Similarly, virus distributors can take advantage of these occasions to spread malware; XmasStorm last year is an example.

Thus, you should take precautions as the year-end holidays approach. Do not open unknown attachments or click strange links you receive. You should also use up-to-date antivirus software to protect your computer from such risks.

By Hoai Linh


Nov 24 2009

Users of Yahoo services face risks of losing passwords

Published by under Security Research

Popular webmail providers such as Yahoo and Google recently confirmed that a large number of their users’ account names and passwords had been made available on the Internet. At the same time, Bkis received many complaints about spam emails originating from real email addresses. Suspecting a security hole, we decided to investigate Yahoo’s services.

A user needs just one Yahoo! ID to use Yahoo’s different services, such as Yahoo Messenger, Yahoo Mail, Yahoo Calendar, Yahoo Group, Yahoo 360 plus, etc. To keep the services independent of one another, Yahoo provides APIs through which application programs or services obtain the information they need. For instance, by sending an online-status request to http://opi.yahoo.com/online?u=[account]&m=t, a program can find out whether an account is online from the returned text:
[account] is NOT ONLINE
Yahoo users sign in to the different Yahoo services through a common login page.

Figure 1: Yahoo login interface page

The login page is designed to defeat brute-force attacks by counting incorrect logins: after a number of consecutive failed attempts, the system warns the user and demands additional authentication information.

Figure 2: Warning of invalid login credentials and demand for authentication

Additionally, the warning does not state which part of the credentials, the username or the password, is incorrect.
Specifically, when a user tries to log in, the browser sends a request of the following form to the server:

POST /config/login? HTTP/1.1
Host: login.yahoo.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.15) Gecko/2009101601 Firefox/3.0.15 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referrer: https://login.yahoo.com/config/login_verify2?&.src=ym
Cookie: B=4jm3qlp5d58u3&b=4&d=O130OmxpYEGlIZP1YCbDzSTPktg-&s=f6&i=oA8AifqduP1j..zoKIjA; F=a=TYdAO04MvTLKDFRF6qigU15.SbNMKCHfWLkAgqc9Z4tfEo1jWCkmbkJsbfI7kj2oFAJCUkpmArDdIxsOvO6Dxzx7vA–&b=BSAU; YLS=v=1&p=0&n=0; U=mt=l.idZZ2MhYnqT.OMUmZv.oKxh_Zgndd.3dI41zbZ&ux=Vkm6KB&un=d67bv68g9ld8r; BA=t=1257385349; Y=v=1&n=4hu7753hahuam&p=; RT=s=1257385453007&u=&r=http%3A//vn.mc767.mail.yahoo.com/mc/welcome%3F.gx%3D0%26.tm%3D1257385301%26.rand%3D9p5f9pabnhspm
Content-Type: application/x-www-form-urlencoded
Content-Length: 296
POSTDATA:
.tries=1&.src=everything&.md5=&.hash=&.js=&.last=&promo=&.intl=us&.bypass=&.partner=&.u=6aud7al5f4kf3&.v=0&.challenge=D9iPEQpGzXGCr3LjAYINhuqL2ZKu&.yplus=&.emailCode=&pkg=&stepid=&.ev=&hasMsgr=0&.chkP=Y&.done=http%3A%2F%2Feverything.yahoo.com%2Findex.php&.pd=everything_ver%3D0%26c%3D%26ivt%3D%26sg%3D&login=[username]&passwd=[password]&.persistent=y&.save=Sign+In

Where:

    - .tries indicates the number of unsuccessful logins,
    - login carries the username and
    - passwd carries the user’s password.

On receiving the request, the server uses an API named config/isp_verify_user to check the username and password. If they are correct, the user is granted access to Yahoo’s services; otherwise, based on the .tries value, the server warns the user and demands additional authentication.

Nevertheless, this authentication mechanism has a weakness that lets attackers bypass it: instead of brute-forcing the login page Yahoo provides, they send requests directly to config/isp_verify_user, and the returned values tell them exactly which usernames and passwords are valid.

For example, when the request sent to config/isp_verify_user is as follows:

http://…./config/isp_verify_user?cookies=1&l=[username]&p=[password]

the response will be one of the following:

Returned information                                  Meaning
ERROR:210:Required fields missing (expected l,p)      Required fields missing from the request
ERROR:102:Invalid Login                               The account does not exist on the system
ERROR:101:Invalid Password                            The password is incorrect
OK:0:username                                         Successful login

By sending requests directly, attackers avoid the limit on unsuccessful logins. This makes it easy to write programs that automatically send requests, check the returned values and harvest users’ credentials.
Moreover, Yahoo accepts easy-to-guess passwords such as “123456”, “123456789”, “abcdef” and so on, and in practice many users choose such simple passwords for their email accounts, which makes these attacks considerably more effective.
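The weakness described above is structural: the attempt limit is attached to one entry point while a second entry point reaches the same check without it. The following is an added example, not Yahoo’s or Bkis’ code: a small Python model with a WeakAuth class laid out as the post describes (limit on the login page only, distinct 101/102 error codes from the API endpoint) beside a HardenedAuth class in which the counter lives inside the one function every endpoint must call and both failures get the same generic answer. The user directory, the lock-out limit MAX_FAILURES, the LOCKED/GENERIC strings and the attempts_evaluated helper are this example’s own constructions.

```python
"""Added example, not Yahoo's or Bkis' code: a model of the weakness
described above and of the fix a defender would apply.

WeakAuth has the structure the post describes: the login page keeps a
failed-attempt counter, but a second endpoint (isp_verify_user) reaches
the password check directly and answers with distinct error codes.
HardenedAuth keeps the counter inside the one function every endpoint
calls and returns a single generic error. The directory, the error
strings of the hardened variant and MAX_FAILURES are constructed."""
import hashlib
import hmac
import os

MAX_FAILURES = 5          # constructed; the post does not state Yahoo's limit
PBKDF2_ROUNDS = 10_000    # kept low for the demo; use far more in production
LOCKED = "ERROR:LOCKED:additional verification required"


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Directory:
    """Constructed user store: salted PBKDF2 hashes, constant-time compare."""

    def __init__(self, users):
        self._users = {}
        for name, pw in users.items():
            salt = os.urandom(16)
            self._users[name] = (salt, _hash(pw, salt))
        self._dummy = (os.urandom(16), _hash("", os.urandom(16)))

    def exists(self, name):
        return name in self._users

    def check(self, name, password):
        # Hash even for unknown users so response time does not reveal
        # whether the account exists; the result is False for them anyway.
        salt, digest = self._users.get(name, self._dummy)
        match = hmac.compare_digest(_hash(password, salt), digest)
        return match and name in self._users


class WeakAuth:
    """Limit enforced only by the login page; the API endpoint skips it."""

    def __init__(self, directory):
        self.d = directory
        self.failures = {}   # login -> consecutive failures (login page only)

    def _check(self, login, passwd):
        # Distinct codes, as in the table above, tell the caller which half
        # of the credentials was wrong.
        if not self.d.exists(login):
            return "ERROR:102:Invalid Login"
        if not self.d.check(login, passwd):
            return "ERROR:101:Invalid Password"
        return f"OK:0:{login}"

    def login_page(self, login, passwd):
        if self.failures.get(login, 0) >= MAX_FAILURES:
            return LOCKED
        reply = self._check(login, passwd)
        if reply.startswith("OK"):
            self.failures.pop(login, None)
        else:
            self.failures[login] = self.failures.get(login, 0) + 1
        return reply

    def isp_verify_user(self, l, p):
        # Second entry point straight to the check: the counter is never consulted.
        return self._check(l, p)


class HardenedAuth:
    """Counter lives in verify(), the only route to the password check, so
    every endpoint inherits the limit; one generic error for both failures."""

    GENERIC = "ERROR:1:Invalid login or password"

    def __init__(self, directory):
        self.d = directory
        self.failures = {}

    def verify(self, login, passwd):
        if self.failures.get(login, 0) >= MAX_FAILURES:
            return LOCKED
        if self.d.check(login, passwd):
            self.failures.pop(login, None)
            return f"OK:0:{login}"
        # Unknown accounts are counted too, so the answer cannot tell them apart.
        self.failures[login] = self.failures.get(login, 0) + 1
        return self.GENERIC

    login_page = verify
    isp_verify_user = verify


def attempts_evaluated(endpoint, login, n):
    """Send n wrong passwords to an endpoint and count how many were actually
    checked rather than refused with a lock-out: at most MAX_FAILURES when the
    limit is in force, n when it is not."""
    return sum(not endpoint(login, f"wrong-{i}").startswith("ERROR:LOCKED")
               for i in range(n))


if __name__ == "__main__":
    weak = WeakAuth(Directory({"alice": "Tr0ub4dor&3"}))
    print("weak login page :", attempts_evaluated(weak.login_page, "alice", 10))
    print("weak api        :", attempts_evaluated(weak.isp_verify_user, "alice", 10))
    hard = HardenedAuth(Directory({"alice": "Tr0ub4dor&3"}))
    print("hardened api    :", attempts_evaluated(hard.isp_verify_user, "alice", 10))
```

A per-account counter also lets a third party lock a legitimate user out on purpose, so a real deployment pairs it with rate limiting by source address and a CAPTCHA or second factor rather than a hard lock; the point the model makes is only that whatever limit exists must sit on the shared verification path, not on one of several front doors.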

The harvested usernames and passwords are then used for malicious purposes. Attackers may use the accounts to send spam, which, coming from authenticated accounts, has a high chance of bypassing Yahoo’s anti-spam system. Under the name of the real user, they can also conduct transactions with other people through the harvested accounts and misuse the users’ confidential information.

Yahoo has not released a solution to this problem yet. Bkis therefore recommends that users of Yahoo’s services choose strong passwords to minimise the chance that attackers discover them by ordinary means. A strong password has at least 8 characters and contains uppercase letters, lowercase letters and digits. You can check the strength of your passwords here.

Analyst: Truong Thao Nguyen

References:

http://www.whatsmypass.com/the-top-500-worst-passwords-of-all-time

http://tacticalwebappsec.blogspot.com/2009/09/distributed-brute-force-attacks-against.html

http://www.theregister.co.uk/2009/09/18/ongoing_yahoo_mail_attacks/


Nov 11 2009

Libxml2 DTD Denial of Service Vulnerability Analysis

Published by under Security Research

By MinhBQ

Recently, several dangerous vulnerabilities have been found in many XML processing libraries. One of them is in libxml2, an open-source library from the GNOME project (http://xmlsoft.org/). libxml2 runs on many platforms and is used in a wide variety of popular software and systems.

In fact, I paid attention to libxml2’s vulnerability because I sometimes use this library for my applications. I, therefore, tried writing demo exploit code.

From the patch of GNOME and other sources of information, I learned that the bug lies in the following function of the parser.c source code: xmlParseElementChildrenContentDecl().

The name of this function reveals that the vulnerability is in the processing of DTD ELEMENT declaration in xml files. Let’s examine the code of the patch for libxml2:

-xmlElementContentPtr

-xmlParseElementChildrenContentDecl (xmlParserCtxtPtr ctxt, int inputchk) {

+static xmlElementContentPtr

+xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,

+ int depth) {

xmlElementContentPtr ret = NULL, cur = NULL, last = NULL, op = NULL;

const xmlChar *elem;

xmlChar type = 0;

+ if (((depth > 128) && ((ctxt->options & XML_PARSE_HUGE) == 0)) ||

+ (depth > 2048)) {

+ xmlFatalErrMsgInt(ctxt, XML_ERR_ELEMCONTENT_NOT_FINISHED,

+”xmlParseElementChildrenContentDecl : depth %d too deep, use XML_PARSE_HUGE\n”,

+ depth);

+ return(NULL);

+ }
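Review bot: the entry check only bounds the recursion if every recursive call in the body passes depth + 1, and that call site is not in this excerpt; since the function is also made static and renamed with a Priv suffix, a public xmlParseElementChildrenContentDecl wrapper that seeds the starting depth must exist elsewhere in the patch. Both should be confirmed before trusting the fix. A smaller point: the error is reported as XML_ERR_ELEMCONTENT_NOT_FINISHED, the same code as a genuinely unterminated content model, so callers cannot distinguish "too deep" from "truncated"; a dedicated error code would be clearer, and the message text still names the old function.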

The fixed function has one more parameter (depth). So, I guessed the error is an over-deep ELEMENT declaration and the result is that the recursive call will consume all the stack memory, causing the program to crash completely.

Applications that use libxml2 can therefore be crashed through the XML loading functions (xmlReadFile, xmlParseFile…) when they parse such a file.
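The crash mechanism inferred above, and the check the patch adds against it, can be seen in miniature with a parser for the same construct. The following is an added example in Python, not libxml2’s code: a recursive-descent parser for the children content model of an <!ELEMENT> declaration, such as (a,(b|c)*,d), with the depth check placed at function entry as the patch places it and with the same limits, 128 by default and 2048 when the caller opts in to huge documents. ParseError, the huge flag, nested_model and exceeds_depth are this example’s own names, not libxml2 API.

```python
"""Added example, not libxml2's code: a depth-limited recursive-descent
parser for the children content model of a DTD <!ELEMENT> declaration.

Each nested "(" recurses one level, so without a limit an input with
thousands of opening parentheses drives the recursion as deep as the
input; in C that exhausts the stack. The check below sits at function
entry with the patch's limits (128 by default, 2048 with huge=True).
In Python the interpreter's own recursion limit would fire long before
2048, so the default limit is the one exercised here. Mixed content
(#PCDATA) is out of scope. ParseError and huge are this example's own."""


class ParseError(Exception):
    pass


DEPTH_LIMIT = 128         # default nesting limit, as in the patch
DEPTH_HARD_LIMIT = 2048   # cap that applies even with huge=True


def parse_children_decl(text, huge=False):
    """Parse a children content model and return a nested tuple tree.
    Leaves are (name, occurrence); groups are (op, occurrence, [children])
    where op is ',' (sequence) or '|' (choice)."""
    pos, tree = _parse_group(text, 0, 1, huge)
    if pos != len(text):
        raise ParseError(f"trailing data at {pos}")
    return tree


def _parse_group(text, pos, depth, huge):
    # Same shape as the patched libxml2 check: refuse to go deeper instead
    # of letting the stack overflow.
    if (depth > DEPTH_LIMIT and not huge) or depth > DEPTH_HARD_LIMIT:
        raise ParseError(f"content model depth {depth} too deep")
    if pos >= len(text) or text[pos] != "(":
        raise ParseError(f"expected '(' at {pos}")
    pos += 1
    op, children = None, []
    while True:
        pos = _skip_ws(text, pos)
        if pos < len(text) and text[pos] == "(":
            pos, child = _parse_group(text, pos, depth + 1, huge)  # nested group
        else:
            pos, child = _parse_name(text, pos)
        children.append(child)
        pos = _skip_ws(text, pos)
        if pos >= len(text):
            raise ParseError("unterminated group")
        sep = text[pos]
        if sep in ",|":
            if op is not None and sep != op:
                raise ParseError(f"mixed ',' and '|' at {pos}")
            op, pos = sep, pos + 1
            continue
        if sep == ")":
            pos += 1
            break
        raise ParseError(f"unexpected {sep!r} at {pos}")
    pos, occ = _parse_occurrence(text, pos)
    return pos, (op or ",", occ, children)


def _parse_name(text, pos):
    start = pos
    while pos < len(text) and (text[pos].isalnum() or text[pos] in "_-.:"):
        pos += 1
    if start == pos:
        raise ParseError(f"expected element name at {pos}")
    name = text[start:pos]
    pos, occ = _parse_occurrence(text, pos)
    return pos, (name, occ)


def _parse_occurrence(text, pos):
    if pos < len(text) and text[pos] in "?*+":
        return pos + 1, text[pos]
    return pos, ""


def _skip_ws(text, pos):
    while pos < len(text) and text[pos].isspace():
        pos += 1
    return pos


def nested_model(n):
    """Constructed input: n nested groups around one element, e.g. (((a)))."""
    return "(" * n + "a" + ")" * n


def exceeds_depth(text, huge=False):
    """True if parsing `text` is refused by the depth check."""
    try:
        parse_children_decl(text, huge)
    except ParseError as err:
        return "too deep" in str(err)
    return False


if __name__ == "__main__":
    print(parse_children_decl("(a,(b|c)*,d)"))
    print(exceeds_depth(nested_model(129)), exceeds_depth(nested_model(129), huge=True))
```

Run stand-alone it prints the tree for (a,(b|c)*,d), then True and False: 129 nested groups are refused by default and accepted once the caller opts in, which is exactly the behaviour the patch introduces for XML_PARSE_HUGE.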


Nov 09 2009

Have you won a MacBook Air?

Published by under Security Research

You should be cautious when you receive an email like this:

[Image: winer]

An email with an attractive subject and content, accompanied by an attachment, is the typical pattern for spreading worms. Be prudent with emails of unknown origin like this one. Sometimes the email itself has no content at all, but its attachment carries a name chosen to arouse curiosity. When you open the attachment, the malicious code executes on your computer; the attacker can then steal sensitive information and use your computer for spamming or DDoS attacks.

Thus, you should be cautious in receiving new information and at the same time, constantly update your antivirus software.

Below is the detailed analysis of the worm:

  • Name: W32.Winer.Worm
  • Family: W32.Winer.Worm
  • Type: Worm
  • Origin:
  • Discovered: November 06, 2009
  • Size: 19 KB
  • Severity: Medium

Risks:

  • Reduces the system security level.

Symptoms:

  • The registry is modified.
  • Automatically sends spam emails.

Infection methods:

  • Spread via emails.

Prevention:

  • Do not open unknown attachments, especially files with .exe, .com, .pif and .bat extensions.

Technical details:

  • Drops the file “ifmq.kqo” into the folder %SysDir%.
  • Downloads and installs backdoors on compromised computers.
  • Modifies the “Shell” value in the key HKLM\…\Winlogon to activate the virus at Windows start-up.
  • Automatically sends spam with content fetched from the server: http://193.104.27.91/li[removed]popo/bb.php?id=&v=200&tm=2&b=200

Analyst: Nguyen Cong Cuong
