
Wednesday, June 3, 2009

Microsoft Zero-Day DirectX Flaw

Vulnerability Details

Microsoft has reported a critical new vulnerability in Microsoft DirectX affecting older versions of Windows. The vulnerability could allow remote code execution if a user opens a malicious QuickTime media file, and Microsoft reports limited, active attacks that exploit it.

The vulnerability exists in the way DirectShow, the DirectX API for media playback, parses QuickTime files. By crafting a malformed file, an attacker gains the same privileges as the logged-on user. The Microsoft Security Advisory states: “If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Affected Software

  • Windows 2000 Service Pack 4
  • Windows XP
  • Windows Server 2003

All versions of Windows Vista, Windows Server 2008, and the beta version of Windows 7 are NOT vulnerable. Apple’s QuickTime player is NOT affected; the flaw is in Microsoft’s own parser, which ships with Windows, so a host is exposed whether or not Apple’s player is installed.

Please consult the official Microsoft Security Advisory (971778) for details on workarounds, fixes and patch availability.



Workaround

Microsoft has published a workaround that disables QuickTime parsing in DirectShow on machines running Windows 2000, Windows XP or Windows Server 2003. It closes the attack vector until a patch is available, at the cost of QuickTime content no longer playing through DirectShow.



Recommendations

Keep your anti-virus products up to date with the current pattern files. Until a patch ships, apply the workaround on affected hosts, do not open QuickTime files from untrusted sources, and work from a non-administrative account: as the advisory notes, the attacker only gets the rights of the logged-on user.
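As an added example (not from the original post or from Microsoft), the following PowerShell snippet reports whether a host falls in the advisory's affected set and whether the DirectShow core library that holds the QuickTime parser, quartz.dll, is present. It is read-only and applies no workaround. It assumes PowerShell 2.0 is installed (so Windows 2000 hosts need another route) and that Win32_OperatingSystem.Version maps as 5.0 = Windows 2000, 5.1 = XP, 5.2 = Server 2003 / XP x64, 6.x = Vista / Server 2008 / Windows 7.

```powershell
# Added example, not code from the original post or from Microsoft: reports
# whether this host is in the advisory's affected set (Windows 2000 SP4, XP,
# Server 2003) and whether quartz.dll, the DirectShow library holding the
# QuickTime parser, is present. Read-only; it applies no workaround.
# Assumptions: PowerShell 2.0; Win32_OperatingSystem.Version major 5 = 2000/XP/2003,
# major 6 = Vista / Server 2008 / Windows 7.

function Test-DirectShowQuickTimeExposure {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $major = [int]($os.Version.Split('.')[0])

    # Vista, Server 2008 and Windows 7 are all 6.x and are not affected.
    $affected = ($major -eq 5)

    # quartz.dll ships with Windows, so the parser is reachable even when
    # Apple's QuickTime player is not installed.
    $quartz = Join-Path $env:SystemRoot 'System32\quartz.dll'
    $quartzPresent = [System.IO.File]::Exists($quartz)
    $quartzVersion = $null
    if ($quartzPresent) {
        $quartzVersion = (Get-Item -LiteralPath $quartz -Force).VersionInfo.FileVersion
    }

    if ($affected) {
        $action = 'Apply the advisory workaround (disable QuickTime parsing) until the patch is installed'
    } else {
        $action = 'Not in the affected set; no action from this advisory'
    }

    New-Object PSObject -Property @{
        Computer      = $env:COMPUTERNAME
        OS            = $os.Caption.Trim()
        Version       = $os.Version
        ServicePack   = $os.CSDVersion
        QuartzPresent = $quartzPresent
        QuartzVersion = $quartzVersion
        Affected      = $affected
        Action        = $action
    }
}

Test-DirectShowQuickTimeExposure |
    Format-List Computer, OS, Version, ServicePack, QuartzPresent, QuartzVersion, Affected, Action
```

Run it in an elevated PowerShell on each host you manage; a 5.x host with quartz.dll present is exactly the population the workaround is meant for. The quartz.dll version is reported so you can compare it against the file table in the eventual security bulletin once a fix is released.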

Saturday, April 18, 2009

Trojan.Bankpatch.D

Risk Level 2: Low

Discovered: April 12, 2009
Updated: April 12, 2009 10:50:33 AM
Type: Trojan
Infection Length: 28,880 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

Trojan.Bankpatch.D is a Trojan horse that modifies system files and attempts to steal information from the compromised computer.

Protection

* Initial Rapid Release version April 12, 2009 revision 033
* Latest Rapid Release version April 12, 2009 revision 033
* Initial Daily Certified version April 12, 2009 revision 033
* Latest Daily Certified version April 12, 2009 revision 033
* Initial Weekly Certified release date April 15, 2009

Threat Assessment
Wild

* Wild Level: Low
* Number of Infections: 0 - 49
* Number of Sites: 0 - 2
* Geographical Distribution: Low
* Threat Containment: Easy
* Removal: Easy

Damage

* Damage Level: Medium
* Payload: Modifies system files and steals information from the compromised computer.

Distribution

* Distribution Level: Low

Monday, December 8, 2008

Not Installing MS08-067 Cause for Growing Botnet

As I reported a few weeks back on both my blog and the SecurityOrb.com website, the worm titled WORM_DOWNAD.A continues to cause widespread security issues on the Microsoft platform. It has been estimated that over 500,000 systems running MS Windows have been infected around the world, and the number continues to increase.

It is recommended that system administrators and users install the Microsoft patch MS08-067 update to protect against this worm.

Monday, December 1, 2008

Vista Service Pack 2 in First Quarter 2009


In an interview, SecurityOrb.com researchers stated that Microsoft will post a release candidate of Vista SP2 in the first quarter of 2009 and finish the service pack the following April.

According to Microsoft, Vista SP2 will include Windows Search 4, Bluetooth 2.1 wireless support, faster resume from sleep when a wireless connection has been broken and support for Blu-ray. Some of those features, including Windows Search and the Bluetooth support, have been available to Vista users for months through individual updates.

The service pack will update both Vista, the client version of Windows, and Windows Server 2008, the company's corresponding server software.

Vista SP2 will require SP1 as a prerequisite, a factor that played to Microsoft's ongoing recommendation that users deploy the first service pack as soon as possible.

Wednesday, November 26, 2008

MS08-067 - Worm is Attacking Windows Security Hole

Security researchers at Microsoft Corp. Tuesday warned of a significant climb in exploits of a Windows bug it patched with an emergency fix last month, confirming earlier reports by Symantec Corp.

Microsoft again urged users to apply the MS08-067 patch if they have not already done so.

The new attacks, which Microsoft's Malware Protection Center said began over the weekend but spiked in the past two days, use the same worm Symantec first spotted last Friday.

Dubbed "Conficker.a" by Microsoft and "Downadup" by Symantec, the worm exploits the vulnerability in the Windows Server service, used by all versions of the operating system to connect to file and print servers on a network. Microsoft patched the bug in an out-of-cycle update five weeks ago after it discovered a small number of infected PCs, most of them in Southeast Asia.

Full article at InfoWorld.com
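Both MS08-067 posts above (December 8 and November 26) come down to one question: is the fix installed, and is the Server service the worm targets reachable? The following PowerShell check answers it for the local host. It is an added example, not code from either post, from Microsoft or from InfoWorld. It assumes that MS08-067 is shipped as hotfix KB958644 and that Win32_QuickFixEngineering lists it under that HotFixID.

```powershell
# Added example, not code from the original posts or from Microsoft: checks
# whether the MS08-067 fix is installed and whether the Server service the
# worm targets is running, and reports the netapi32.dll version so it can be
# compared against the bulletin's file information table.
# Assumptions: MS08-067 ships as KB958644, listed under that HotFixID in
# Win32_QuickFixEngineering.

function Test-MS08067Status {
    $kb = 'KB958644'   # assumption: the KB article number for MS08-067

    $hotfix = Get-WmiObject -Class Win32_QuickFixEngineering |
              Where-Object { $_.HotFixID -eq $kb } |
              Select-Object -First 1

    # The Server service (LanmanServer) exposes the vulnerable RPC interface
    # over SMB; the worm spreads to hosts where it is reachable and unpatched.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='LanmanServer'"
    $serverState = 'not found'
    if ($svc) { $serverState = $svc.State }

    # The patched binary. If the hotfix is not listed, a later service pack may
    # have superseded it; then the file version is the authoritative check.
    $netapi = Join-Path $env:SystemRoot 'System32\netapi32.dll'
    $netapiVersion = $null
    if ([System.IO.File]::Exists($netapi)) {
        $netapiVersion = (Get-Item -LiteralPath $netapi -Force).VersionInfo.FileVersion
    }

    $patched = ($hotfix -ne $null)
    $installedOn = $null
    if ($patched) { $installedOn = $hotfix.InstalledOn }

    New-Object PSObject -Property @{
        Computer        = $env:COMPUTERNAME
        HotfixListed    = $patched
        InstalledOn     = $installedOn
        ServerService   = $serverState
        Netapi32Version = $netapiVersion
        Exposed         = ((-not $patched) -and ($serverState -eq 'Running'))
    }
}

Test-MS08067Status |
    Format-List Computer, HotfixListed, InstalledOn, ServerService, Netapi32Version, Exposed
```

Exposed = True means the host is both unpatched (by the hotfix list) and answering SMB through the Server service, which is the combination Conficker/Downadup needs. A host where the hotfix is missing but a later service pack is installed is not necessarily vulnerable; compare Netapi32Version with the bulletin's file table before treating it as exposed.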

Wednesday, May 28, 2008

Malware Infected Windows PCs

Lately, there has been a rash of PC infestations. In the past week, I have personally worked on four Intel-based PCs that had slowed to a crawl or did not allow the user to be productive.

In reviewing their PCs, I noticed that “Trojan.Smitfraud” was abundant on these systems, amongst other malicious software.

I personally feel these compromised systems are lethal weapons that can allow hackers to attack our infrastructure, attack other businesses, or commit crimes. Better software and usability measures need to be a priority.

I use Ultimate Boot CD for Windows to examine and repair these systems. I find that it works well and does not use the Windows-based OS to do its analysis.

Information on Trojan.Smitfraud can be found below:

Trojan.Smitfraud

Type: Malware

Type Description: Malware ("malicious software") consists of software with clearly malicious, hostile, or harmful functionality or behavior and that is used to compromise and endanger individual PCs as well as entire networks.

Category: Trojan

Category Description: Trojan is a general term for malicious software that is installed under false or deceptive pretenses or is installed without the user's full knowledge and consent. Most Trojans exhibit some form of malicious, hostile, or harmful functionality or behavior.

Level: High

Level Description: High risks are typically installed without user interaction through security exploits, and can severely compromise system security. Such risks may open illicit network connections, use polymorphic tactics to self-mutate, disable security software, modify system files, and install additional malware. These risks may also collect and transmit personally identifiable information (PII) without your consent and severely degrade the performance and stability of your computer.

Advice Type: Remove

Description: Trojan.Smitfraud is a group of programs that are used to download rogue security products and change the user's desktop to display false warnings that the computer is infected with spyware.

Additional Description: Trojan.Smitfraud downloads and installs programs that purport to scan for adware and spyware and typically display false reports of spyware in order to frighten the user into paying for the program.

Release Date:

Last updated on: May 9 2008

File Traces

%SYSTEM%\adobepnl.dll
%SYSTEM%\ccc3.dll
%SYSTEM%\cdromdrv32.dll
%SYSTEM%\dcvwaah.dll
%SYSTEM%\dpfwu.dll
%SYSTEM%\ekvrlfzz.exe
%SYSTEM%\fyhhxw.dll
%SYSTEM%\gqagksr.dll
%SYSTEM%\gtpbx.dll
%SYSTEM%\hjfjhigjxe.dll
%SYSTEM%\ishost.exe
%SYSTEM%\ismini.exe
%SYSTEM%\ismon.exe
%SYSTEM%\isnotify.exe
%SYSTEM%\issearch.exe
%SYSTEM%\ixt0.dll
%SYSTEM%\okkmtv.dll
%SYSTEM%\olechs32.dll
%SYSTEM%\oqabf.dll
%SYSTEM%\sbnudh.dll
%SYSTEM%\syycum.dll
%SYSTEM%\titiau.dll
%SYSTEM%\urroxtl.dll
%SYSTEM%\users32.exe
%SYSTEM%\veklo.dll
%SYSTEM%\vwlummc.dll
%SYSTEM%\wuwbxp.dll
%SYSTEM%\xxfgmy.dll
%SYSTEM%\zphnok.dll
%windows%\dpvtporsdq.dll
asgp32.dll
flashwindow.exe
loader.exe
main.exe
reger.exe
wow.dll
zloader3.exe
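The file traces above are the kind of list you actually want to run against a suspect box rather than read. As an added example (not from the original post or the vendor writeup), the PowerShell sweep below checks the local host for every listed name. It reads %SYSTEM% as $env:SystemRoot\System32 and %windows% as $env:SystemRoot; the writeup gives no directory for the bare names (asgp32.dll, loader.exe, and so on), so those are looked for under both roots, which is an assumption of mine.

```powershell
# Added example, not code from the original post or the vendor writeup: sweeps
# the local host for the Trojan.Smitfraud file traces listed above.
# %SYSTEM% -> $env:SystemRoot\System32, %windows% -> $env:SystemRoot.
# Assumption: bare names (no placeholder) are tried under both roots; the
# writeup does not say where they are dropped.

$SmitfraudTraces = @(
    '%SYSTEM%\adobepnl.dll',  '%SYSTEM%\ccc3.dll',      '%SYSTEM%\cdromdrv32.dll',
    '%SYSTEM%\dcvwaah.dll',   '%SYSTEM%\dpfwu.dll',     '%SYSTEM%\ekvrlfzz.exe',
    '%SYSTEM%\fyhhxw.dll',    '%SYSTEM%\gqagksr.dll',   '%SYSTEM%\gtpbx.dll',
    '%SYSTEM%\hjfjhigjxe.dll','%SYSTEM%\ishost.exe',    '%SYSTEM%\ismini.exe',
    '%SYSTEM%\ismon.exe',     '%SYSTEM%\isnotify.exe',  '%SYSTEM%\issearch.exe',
    '%SYSTEM%\ixt0.dll',      '%SYSTEM%\okkmtv.dll',    '%SYSTEM%\olechs32.dll',
    '%SYSTEM%\oqabf.dll',     '%SYSTEM%\sbnudh.dll',    '%SYSTEM%\syycum.dll',
    '%SYSTEM%\titiau.dll',    '%SYSTEM%\urroxtl.dll',   '%SYSTEM%\users32.exe',
    '%SYSTEM%\veklo.dll',     '%SYSTEM%\vwlummc.dll',   '%SYSTEM%\wuwbxp.dll',
    '%SYSTEM%\xxfgmy.dll',    '%SYSTEM%\zphnok.dll',    '%windows%\dpvtporsdq.dll',
    'asgp32.dll', 'flashwindow.exe', 'loader.exe', 'main.exe',
    'reger.exe', 'wow.dll', 'zloader3.exe'
)

function Find-SmitfraudTraces {
    param([string[]]$Traces = $SmitfraudTraces)

    $system  = Join-Path $env:SystemRoot 'System32'
    $windows = $env:SystemRoot

    foreach ($trace in $Traces) {
        # switch -Regex and -replace are case-insensitive, so %system% and
        # %SYSTEM% both expand; bare names are tried under both roots.
        $paths = switch -Regex ($trace) {
            '^%SYSTEM%\\'  { $trace -replace '^%SYSTEM%', $system }
            '^%windows%\\' { $trace -replace '^%windows%', $windows }
            default        { (Join-Path $system $trace), (Join-Path $windows $trace) }
        }

        foreach ($path in $paths) {
            # File.Exists ignores hidden/system attributes; -Force on Get-Item
            # does the same, since dropped files are often marked hidden.
            if ([System.IO.File]::Exists($path)) {
                $file = Get-Item -LiteralPath $path -Force
                New-Object PSObject -Property @{
                    Trace    = $trace
                    Path     = $file.FullName
                    Size     = $file.Length
                    Modified = $file.LastWriteTime
                }
            }
        }
    }
}

$hits = @(Find-SmitfraudTraces)
if ($hits.Count -eq 0) {
    'No listed Trojan.Smitfraud traces found.'
} else {
    $hits | Format-Table Trace, Path, Size, Modified -AutoSize
}
```

A clean result only means none of these particular names are present; Smitfraud variants rotate file names constantly, so treat the list as a starting point and still run a full scan from boot media as described above. Any hit should be preserved (copy the file and note its timestamp) before removal, since the modification times cluster around the time of infection and help find the other dropped components.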

 

Monday, May 19, 2008

XP SP3 Issues



FYI, SANS Diary just posted an entry on XP SP3 Issues at
http://isc.sans.org/diary.html?storyid=4429


"According to an article published by Information Week, the newly released XP SP3 is causing systems to blue screen (aka BSOD) on AMD-based systems. Microsoft and HP seem to think it centers around the Power Management feature.

http://www.informationweek.com/news/windows/operatingsystems/showArticle.jhtml?articleID=207800691

Here is an example of a message you might receive:

A problem has been detected and Windows has been shut down to prevent damage to your computer...
Technical information:
*** STOP: 0x0000007E (0xC0000005, 0xFC5CCAF3, 0xFC90F8C0, 0xFC90F5C0)
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED

HP has posted a workaround that has you boot into Safe Mode and disable the Intel Power Management.
http://h10025.www1.hp.com/ewfrf/wc/genericDocument?lc=en&cc=us&docname=c01457284&dlc=en&printable=yes&encodeUrl=true&


UPDATE
------
ISC contributors also sent in links to a blog by Jesper Johansson. The blog contains loads of information on the issue and a link to Jesper's "small tool that will detect the IntelPPM problem and mitigate it before installing the service pack".

For free SP3 MS support call (866) 234-6020 ("Free unlimited installation and compatibility support is available for Windows XP, but only for Service Pack 3 (SP3). This support for SP3 is valid until April 14, 2009)."


And an older diary entry notes the following with respect to XP SP3:
"retrofits some of the Vista functionality into XP, namely in the area of Network Access Protection, Black Hole Router Detection, enhanced security for administrator and service policy entries (basically some better default settings) and a kernel mode crypto driver. Additionally, some of the "optional" updates released since SP2 will be installed with SP3 (MMC 3.0, MSXML6, WPA2 support, etc)."
http://isc.sans.org/diary.html?storyid=4387
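The check Jesper's tool performs, as the diary describes it, is simple enough to reproduce: is this an AMD box, and is the Intel processor driver (IntelPPM) still set to load? The PowerShell below is an added example of my own, not the SANS diary's, HP's or Jesper Johansson's code. It assumes the driver is registered as the service named intelppm under HKLM\SYSTEM\CurrentControlSet\Services and that setting its Start value to 4 (disabled) is the mitigation; by default it only reports, and changes the value only when run with -Disable.

```powershell
# Added example, not code from the SANS diary, HP or Jesper Johansson's tool:
# flags an XP host that will hit the IntelPPM blue screen after SP3, i.e. an
# AMD processor with the Intel processor driver service still enabled.
# Assumptions: service name 'intelppm' under CurrentControlSet\Services, and
# Start = 4 (disabled) as the mitigation. Reports only unless -Disable is given.

function Test-IntelPpmRisk {
    param([switch]$Disable)

    $cpu   = Get-WmiObject -Class Win32_Processor | Select-Object -First 1
    $isAmd = ($cpu.Manufacturer -eq 'AuthenticAMD')

    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\intelppm'   # assumption
    $startType = $null
    if (Test-Path $key) {
        $startType = (Get-ItemProperty -Path $key -Name Start).Start
    }

    # Driver start types: 0 boot, 1 system, 2 auto, 3 demand, 4 disabled.
    # Anything other than 4 on an AMD CPU means the Intel driver loads at boot.
    $atRisk = $isAmd -and ($startType -ne $null) -and ($startType -ne 4)

    if ($atRisk -and $Disable) {
        Set-ItemProperty -Path $key -Name Start -Value 4
        $startType = 4
        $atRisk = $false
    }

    New-Object PSObject -Property @{
        Computer      = $env:COMPUTERNAME
        Processor     = $cpu.Name.Trim()
        Manufacturer  = $cpu.Manufacturer
        IntelPpmStart = $startType
        AtRisk        = $atRisk
        Mitigated     = ($isAmd -and ($startType -eq 4))
    }
}

Test-IntelPpmRisk | Format-List Computer, Processor, Manufacturer, IntelPpmStart, AtRisk, Mitigated
```

Run it before installing SP3; if AtRisk is True, run it again with -Disable (elevated) and reboot before applying the service pack. On an Intel host the driver should be left alone, which is why the script keys off the CPU manufacturer rather than disabling unconditionally; if IntelPpmStart comes back empty, the service is not registered on that image and the problem does not apply.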

Monday, April 7, 2008

Windows XP End of Life is Coming...


Microsoft plans to stop selling Windows XP on Jan. 31, 2009, and to cut off support for the operating system soon after, in an effort to push its Windows Vista operating system. This is not a good thing, since Windows XP is the most widely used operating system and Windows Vista has been plagued with issues.

I can see the market share for Linux becoming very favorable in the low end PC and laptop market.

Let's see how this will turn out.

Tuesday, February 19, 2008

Vista SP1 Issues Already


I will be attending Black Hat DC 2008 tomorrow, so I hope to have some good stuff. But, on another note, for those of you who were waiting for the release of Microsoft Vista SP1 from a few blog postings ago, I have bad news....

Late last week, Microsoft started to receive trouble calls after update KB937287 caused some Vista PCs to either fail to properly boot up or enter an endless boot up loop.

Microsoft released a statement:
"We've received reports that some customers may be experiencing an unusual reboot cycle after installing KB937287, the servicing stack update we released last week. To prevent further instances of this issue, we temporarily stopped automatic distribution of the update and are investigating solutions to the problem. We believe this problem only impacts a small number of customers. We are working to identify possible solutions and will resume automatic distribution again after we address the issue."


The bottom line is... Wait until they get it right...