
Yet another one.. every one is more retarded than the last

Posted: Fri Mar 30, 2007 6:07 am
by JensJohansson
This time it's ..... tadaaaaa... animated cursors. =)

http://blog.spywareguide.com/2007/03/mi ... ulner.html

Re: Yet another one.. every one is more retarded than the last

Posted: Fri Mar 30, 2007 12:09 pm
by NeonVomit
Good thing animated cursors annoy me and I'd never have one...

Re: Yet another one.. every one is more retarded than the la

Posted: Fri Mar 30, 2007 3:50 pm
by miditek
JensJohansson wrote:This time it's ..... tadaaaaa... animated cursors. =)


and the retards that download and install this junk like this help to keep people like myself in business! :lol:

the grand prize for the world's most infected system goes to the accounting department of one new customer. The bookkeeper's system has over (count 'em kids), 7,000 (!) instances of malware and viruses. I was asked by the owner, "do you really think we have a security problem?" :roll:

If you have enough system resources, here is one great way to thwart all of the shit that is floating about-

Download and install VMWare's free VMware player

vmware.com/products/player/

Download and install the KDE GUI on SUSE appliance.

vmware.com/vmtn/appliances/directory/66

This is a great way to surf the web with "virtual impunity" to spyware and viruses. KrakDatPunk! :)

Re: Yet another one.. every one is more retarded than the la

Posted: Fri Mar 30, 2007 5:39 pm
by stratobabius
miditek wrote: The bookkeeper's system has over (count 'em kids), 7,000 (!) instances of malware and viruses.
Oops, that's too much. One friend of mine had the same problem but not on such a big scale. Only 1000 malwares and stuff. It was funny that one was called "trojandownloader.exe" :roll:
And he still doesn't think he needs an antivirus. :? :( Luckily I installed one without him noticing much :D

The world is full of zombie pcs...

Re: Yet another one.. every one is more retarded than the la

Posted: Fri Mar 30, 2007 5:48 pm
by miditek
stratobabius wrote:And he still doesn't think he needs an antivirus. :? :( Luckily I installed one without him noticing much
It's a dirty job, but somebody's got to do it! 8) Good work, @Stratobabius!

@Jens do you still frequently find yourself getting roped into doing support work for friends and family?

Re: Yet another one.. every one is more retarded than the last

Posted: Fri Mar 30, 2007 8:13 pm
by vanustrato
Jens guarding by the security of his electronic daughters

Re: Yet another one.. every one is more retarded than the la

Posted: Fri Mar 30, 2007 8:55 pm
by JensJohansson
miditek wrote:and the retards that download and install this junk like this help to keep people like myself in business! :lol:
I don't think you understand how serious it is.. you don't have to download anything. Open this page in Explorer:

http://jens.org/test.html

(no, the steaming coffee cup does not have malware in it, to my knowledge)

Re: Yet another one.. every one is more retarded than the la

Posted: Fri Mar 30, 2007 9:41 pm
by miditek
JensJohansson wrote:
miditek wrote:and the retards that download and install this junk like this help to keep people like myself in business! :lol:
I don't think you understand how serious it is.. you don't have to download anything. Open this page in Explorer:

http://jens.org/test.html

(no, the steaming coffee cup does not have malware in it, to my knowledge)
I reread the article, and yes, the fly-by type of installations are pretty bad, although not a completely new phenomenon. I did check your test page, and it's a very good example.

For instance, using the preview pane in most versions of MS Outlook allows nearly any type of file attachment or code to auto-execute, which is why we used to disable that feature via system policy at my previous employer. We also began restricting RTF and HTML formatted mail, and only permitting plain-text, before it was over with.

We had to explain to staff that you did not have to open an attachment in Outlook in order for the code to execute, since the preview pane would do it for you. 50% or more of my time eventually got consumed dealing with security related issues of various types, and we even had a third party partner that was monitoring the IDS system 7X24!

One other trick that we used to do to help with this type of issue is via the IEAK (Internet Explorer Administration Kit) console to disable file downloads for sites in the Internet Zone, and only permitting file downloads from sites in the Trusted Sites zone.

(Note for IE users:) you can also manually disable or require a prompt for lots of things, such as file downloads, ActiveX controls, and the like under Internet Options -> Security -> Custom Level for each zone. It's not 100% perfect of course, but it does help.

We also filtered the shit out of many different file, application, sites, and protocol types, etc. using ISA Server, RealSecure Server IDS, as well as Symantec Gateway security products.

It's really a cat and mouse game between the black hats and the white hats. Windows certainly isn't the only thing the CERT issues advisories on- you wouldn't believe (well, yeah you probably would) how many vulnerabilities exist for Cisco products running various releases of their vaunted IOS software.

Re: Yet another one.. every one is more retarded than the la

Posted: Fri Mar 30, 2007 9:55 pm
by JensJohansson
miditek wrote:I reread the article, and yes, the fly-by type of installations are pretty bad, although not a completely new phenomenon. For instance, using the preview pane in most versions of MS Outlook allows nearly any type of file attachment or code to auto-execute, which is why we used to disable that feature via system policy at my previous employer.
I didn't read it carefully, because the animated cursor thing seemed the worst bit. But didn't it say icons as well? Most everything -- including the "desktop explorer" or whatever it's called -- displays icons for objects.
(Note for IE users:) you can also manually disable or require a prompt for lots of things, such as file downloads, ActiveX controls, and the like under Internet Options -> Security -> Custom Level for each zone. It's not 100% perfect, but it does help.
That's the thing -- it's like "security by covering your ass" on Microsoft's part. "Well, we told you to disable everything and not open any files, anywhere.. what do you expect? You browsed the internet using our browser? Well, how stupid of you! I guess it's all your fault."

It's the same thing with this fucking Vista UAC system.

http://www.youtube.com/watch?v=JheuLfWYSsc

http://www.telegraph.co.uk/news/main.jh ... cro128.xml

Oh.. but it's an acceptable tradeoff, because it's just so much more secure right??

http://www2.theregister.co.uk/2006/10/2 ... ntroversy/

and here's Joanna thumbing her nose some more..

http://theinvisiblethings.blogspot.com/ ... y-day.html

BTW it doesn't seem there is any way to get Firefox to display an animated cursor, just a static image, but I am not 100% sure.

Me? Certainly not going for vista yet... and sticking with Firefox for all sites where IE can be avoided (it's like 99% for me).

The vmware idea is great, I forgot they made a free sandbox player nowadays, thanks!! =)

Re: Yet another one.. every one is more retarded than the last

Posted: Sat Mar 31, 2007 3:54 am
by stratoplayer
Funny, I run Firefox all the time and nothing happened when I entered your test page. :D

Re: Yet another one.. every one is more retarded than the la

Posted: Sat Mar 31, 2007 2:35 pm
by miditek
miditek wrote:I reread the article, and yes, the fly-by type of installations are pretty bad, although not a completely new phenomenon. For instance, using the preview pane in most versions of MS Outlook allows nearly any type of file attachment or code to auto-execute, which is why we used to disable that feature via system policy at my previous employer.
JensJohansson wrote:I didn't read it carefully, because the animated cursor thing seemed the worst bit. But didn't it say icons as well? Most everything -- including the "desktop explorer" or whatever it's called -- displays icons for objects.
Yes, you're correct. The article does say that icons are affected as well. Most icons on the Windows desktop (which is actually a file/folder itself, more or less) are shortcuts though. This does seem a bit fishy, since Microsoft was trying like hell to promote the "iconless desktop" since the advent of XP itself. Perhaps they knew something all along regarding this vulnerability- and yet, refuse to fix it. They damn near abandoned IE development for years.
miditek wrote:(Note for IE users:) you can also manually disable or require a prompt for lots of things, such as file downloads, ActiveX controls, and the like under Internet Options -> Security -> Custom Level for each zone. It's not 100% perfect, but it does help.
JensJohansson wrote:That's the thing -- it's like "security by covering your ass" on Microsoft's part. "Well, we told you to disable everything and not open any files, anywhere.. what do you expect? You browsed the internet using our browser? Well, how stupid of you! I guess it's all your fault."
I understand what you're saying completely, and yes, it's a royal pain in the ass! IE itself is anything but secure, although, Uncle Bill does provide the tools to mitigate a lot of the issues. I frequently explain to management (at various clients) that the human factor, such as user stupidity, cannot be ignored, and this is particularly the rule in a business environment.

I've observed lots of users doing everything except their jobs (chat rooms, gambling sites, porn sites, on-line games, e-cards; you name it!). Microsoft's strength is, and will always be, not necessarily in security per se, but in its desktop and server applications. That's really the only reason why corporations put up with all of this bullshit, it's to run their accounting and messaging systems, and related items. Microsoft's (and its partners') applications are highly evolved, even if the security is not, at least out of the box.

Home users and consumers are a different story altogether, and I must confess that I'll frequently "hide" when friends, neighbors, and family call complaining about their problems. (I hear enough of it during the day from customers!)
JensJohansson wrote:It's the same thing with this fucking Vista UAC system.

http://www.youtube.com/watch?v=JheuLfWYSsc

http://www.telegraph.co.uk/news/main.jh ... cro128.xml

Oh.. but it's an acceptable tradeoff, because it's just so much more secure right??


UAC is, like DEP (Data Execution Prevention), typical of Microsoft's band-aid approach to security. DEP won't even permit some legitimate print drivers and other applications to load! It has to be disabled via editing the boot.ini file. In order to do this, you have to unhide the boot.ini file, uncheck its read-only attrib, and then add the following switch to the command line: "/noexecute=AlwaysOff"

What is really needed with Microsoft, is a complete rewrite and radical architectural change to the kernel itself- similar to how Apple completely got rid of its old Mac OS, in favor of the new OS X. Unfortunately, Microsoft can't/won't do this, since they are way up higher on the food chain of an installed base of Win32 applications.

So in other words, Apple had the luxury of being able to "orphan" the users of the classic Mac OS, where it is not a realistic option for Microsoft, unfortunately.

You can disable UAC in Vista via several methods- my particular favorite is via regedit:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System

DWORD=EnableLUA (change value from 1 to 0)

Reboot

You can also use MSCONFIG to do the same thing

Start -> Run -> MSCONFIG -> Tools -> Disable UAC (X)

My brother is running Vista at his company, and they have really good IT staff there. They asked me to set up a remote office and VPN connections for them, and the systems were preconfigured rather well, and run most newer software, such as AutoCAD, MS Office, Acrobat Professional, and other business apps with little or no problems.

Unfortunately, many end users will have a tough time getting used to it, since Microsoft loves to hide things in each new release. I'm afraid that many people may find that even simple tasks in Vista (like opening a command prompt), will seem like an Easter egg hunt!
JensJohansson wrote:BTW it doesn't seem there is any way to get Firefox to display an animated cursor, just a static image, but I am not 100% sure.
When I checked the test page on your site, I used both IE, as well as Firefox. Only IE would display the animated icon. Does this make Firefox safer than IE for general use? Certainly to a degree, but it's important to keep in mind that many of the security bulletins from CERT advise security administrators that many exploits are written to where IE doesn't have to be running, but only present on the system. After all, IE and Windows are pretty tightly intertwined, which imo, was a stupid thing to do on Microsoft's part.
JensJohansson wrote:Me? Certainly not going for vista yet... and sticking with Firefox for all sites where IE can be avoided (it's like 99% for me).


I really don't blame you. As with all new versions of Windows, any RTM (Release to Manufacturing) version is going to suck. You'd save yourself a lot of headaches by waiting for Vista SP1, at least. I personally prefer Firefox myself, and generally leave IE for corporate installations (to leverage IEAK and system & group policy tools), as well as for MS SharePoint services.
JensJohansson wrote:The vmware idea is great, I forgot they made a free sandbox player nowadays, thanks!! =)
VMWare is a great tool. :) Global virtualization of all Microsoft products is a dream that I've had for a long time! They (Redmond) think I'm crazy, but we know better! :lol: VirtualPC is also a very good tool, and yes, you can build VMs in Virtual PC with other operating systems, such as Fedora, with a little tweaking....

Re: Yet another one.. every one is more retarded than the la

Posted: Sat Mar 31, 2007 5:50 pm
by JensJohansson
miditek wrote:VMWare is a great tool. :) Global virtualization of all Microsoft products is a dream that I've had for a long time! They (Redmond) think I'm crazy, but we know better! :lol: VirtualPC is also a very good tool, and yes, you can build VMs in Virtual PC with other operating systems, such as Fedora, with a little tweaking....
Ironically, virtualization may also turn out to be a double-edged sword, enabling what Joanna Rutkowska refers to as "type III malware" (I guess.. completely undetectable except for a timing analysis) in this document (page 56)

http://invisiblethings.org/papers/towar ... ystems.ppt

[ the irony that this is a ppt document is not lost on me =) ]

She proposes a new machine level instruction, even
Joanna wrote:How about creating a new instruction – SVMCHECK:

mov rax, <password>
svmcheck
cmp rax, 0
jnz inside_vm
Password should be different for every processor
Password is necessary so that it would be impossible to write a generic program which would behave differently inside VM and on a native machine.
Users would get the passwords on certificates when they buy a new processor or computer
Password would have to be entered to the AV program during its installation.
I don't see that happening any time soon.

I also like how she closes her talk with this very cheerful projection:

#5: By the end of 2007, 75 percent of enterprises will be infected with undetected, financially motivated, targeted malware that evaded their traditional perimeter and host defenses. (source: eWeek)

The whole document is an interesting read. I didn't realize there were already fairly advanced successes in hiding malware in BIOS or ACPI-related code, for instance. That does make scanning the hard disk for malware pretty useless.

Think about it, miditek.. every single one of the machines you are responsible for, where the user opened any web page where the mouse cursor was changed (perhaps it even changed to an arrow shape so it couldn't even be detected...) .. on every single one of those machines, there could be malware using the BIOS or ACPI as the door.. leeching sensitive documents out undetectably, to your competitors, to the Chinese, to the Russians, to the US government.. to anyone that would be interested in your company's documents, for whatever reasons. You could run a simplistic disk ("virus") scan, or you could even mount the disk on a completely different OS and compute hashes for important system files until you were blue in the face. You could try to re-flash the BIOS and reset the ACPI code.. it wouldn't help, since the BIOS and/or ACPI is already subverted and your attempt to fix it would be intercepted.

Sleep well! :lol:

Well... actually, the good news is that you probably won't be unemployed? Good for you. :)

I am not up on current black hat stuff to say where something like Trusted Computing fits into all this.

Re: Yet another one.. every one is more retarded than the la

Posted: Mon Apr 02, 2007 3:24 pm
by miditek
miditek wrote:VMWare is a great tool. :) Global virtualization of all Microsoft products is a dream that I've had for a long time! They (Redmond) think I'm crazy, but we know better! :lol: VirtualPC is also a very good tool, and yes, you can build VMs in Virtual PC with other operating systems, such as Fedora, with a little tweaking....
JensJohansson wrote:Ironically, virtualization may also turn out to be a double-edged sword, enabling what Joanna Rutkowska refers to as "type III malware" (I guess.. completely undetectable except for a timing analysis) in this document (page 56)


I actually read Joanna's entire presentation, and it was very interesting. Am on my way out the door for the day's service calls, but will follow-up more on this later today.
JensJohansson wrote:[ the irony that this is a ppt document is not lost on me =) ]


:lol: he he there's no getting away from it. Microsoft is a caliphate unto itself.

Here's a link to a black hat conference presentation that I thought you'd like- to see what the kids are up to these days.

It's by John Heasman, and I believe that Joanna referenced him in her PPT show.

blackhat.com/presentations/bh-europe-06/bh-eu-06-Heasman.pdf

(No, the irony of this guy converting his PPT to PDF prior to publishing isn't lost on me, either. :D )

Re: Yet another one.. every one is more retarded than the la

Posted: Mon Apr 02, 2007 7:08 pm
by miditek
JensJohansson wrote:This time it's ..... tadaaaaa... animated cursors. =)

http://blog.spywareguide.com/2007/03/mi ... ulner.html
Hmmm, CERT has issued a security bulletin that has tips for both home users, as well as systems administrators, that looks to be useful. It highlights some workarounds for dealing with this particular threat.

It does appear that firewalls, proxy servers, and other gateway security devices can be set to filter packets that contain the malformed .ani files, based on criteria specified in the article. The bad news is that most home users do not have the capability to do this.

For those that are running LANs at home, you could probably use an open source proxy server such as SQUID or an open source IDS such as SNORT to write filters for this.

squid-cache.org

Looks like I'm going to have to create some filters for ISA server, as well as some Cyberguard and Juniper based firewalls and IDS that I currently support.

For home users, my advice would be to use webmail, if possible, in lieu of Outlook.

CERT kb article # 191609
kb.cert.org/vuls/id/191609

Microsoft kb article # 935423 (lots of propaganda)
microsoft.com/technet/security/advisory/935423.mspx

ISS (Internet Security Systems)/IBM article # 398322
iss.net/threats/258.html
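As an added example (not from the post above or from the advisories it links), here is a minimal Python check of the kind a proxy or IDS filter for malformed .ani files would apply: it walks the RIFF chunk tree of an animated cursor and flags any anih chunk whose declared size is not the fixed 36 bytes of the animation header, or which claims more bytes than the file holds. The two sample cursors are constructed inline for the demonstration.

```python
import struct

# The ANI animation header (anih chunk body) is nine 32-bit fields: 36 bytes.
ANIH_EXPECTED_SIZE = 36


def scan_ani(data: bytes) -> list:
    """Return a list of (offset, chunk_id, size, message) findings.

    An empty list means every chunk fits inside the file and every anih
    chunk carries the expected 36-byte header size."""
    findings = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        findings.append((0, "RIFF", len(data), "not a RIFF/ACON animated cursor"))
        return findings
    _walk(data, 12, len(data), findings)
    return findings


def _walk(data: bytes, pos: int, end: int, findings: list) -> None:
    """Iterate over RIFF chunks between pos and end, recursing into LIST chunks."""
    while pos + 8 <= end:
        cid = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        body = pos + 8
        if body + size > end:
            findings.append((pos, cid.decode("latin-1"),
                             size, "chunk size exceeds remaining data"))
            return
        if cid == b"LIST":
            # A LIST body starts with a 4-byte list type, then nested chunks.
            _walk(data, body + 4, body + size, findings)
        elif cid == b"anih" and size != ANIH_EXPECTED_SIZE:
            findings.append((pos, "anih", size, "anih size is not 36 bytes"))
        pos = body + size + (size & 1)  # RIFF chunk bodies are word-aligned


def _chunk(cid: bytes, body: bytes) -> bytes:
    """Build one RIFF chunk with its word-alignment pad byte."""
    return cid + struct.pack("<I", len(body)) + body + (b"\0" if len(body) & 1 else b"")


def build_ani(anih_body: bytes) -> bytes:
    """Build a minimal RIFF/ACON file holding a single anih chunk (constructed sample)."""
    payload = b"ACON" + _chunk(b"anih", anih_body)
    return b"RIFF" + struct.pack("<I", len(payload)) + payload


# Constructed samples: a well-formed 36-byte header, and one padded to 236 bytes.
_HEADER = struct.pack("<9I", 36, 1, 1, 32, 32, 1, 1, 10, 1)
GOOD_ANI = build_ani(_HEADER)
BAD_ANI = build_ani(_HEADER + b"A" * 200)


if __name__ == "__main__":
    for name, sample in (("good", GOOD_ANI), ("bad", BAD_ANI)):
        print(name, scan_ani(sample) or "clean")
```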

Re: Yet another one.. every one is more retarded than the last

Posted: Mon Apr 02, 2007 10:07 pm
by MetalAngel
Wow! What an interesting topic about cursors and malware! :D

Very instructive! Thanks! :)

Re: Yet another one.. every one is more retarded than the la

Posted: Mon Apr 02, 2007 11:57 pm
by cliff
miditek wrote: For home users, my advice would be to use webmail, if possible, in lieu of Outlook.
Well, not if you access your webmail via IE! :wink:

One amazing piece of software for email: The Bat. It is not just safer than all those Outlook / Outlook Express programs, but it also has many more features. Thus, it is really pleasant to use!

People should also use Firefox instead of IE.

Re: Yet another one.. every one is more retarded than the la

Posted: Tue Apr 03, 2007 8:35 am
by Equinox
cliff wrote:People should also use Firefox instead of IE.
People should also use Safari instead of IE.

:P

Re: Yet another one.. every one is more retarded than the la

Posted: Wed Apr 04, 2007 1:57 am
by JensJohansson
Equinox wrote: People should also use Safari instead of IE.
:P
:)

I'm gonna use iceweasel inside a vmware sandbox inside another vmware sandbox inside a third vmware sandbox. Plus I'll wear two condoms and use Tamiflu in my coffee instead of sugar.

<rant>
Seriously.. what's the fucking point in even trying to keep anything secret, or personal, or private, if you're running Windows? I might as well make a huge text file of all my passwords, any banking info... credit card numbers.. and to zip up all my personal documents, diary, any compromising pictures.. =)... whatever I wouldn't want anyone to see... and just fucking upload all this to a public server, with a note: OK just help yourself, I fucking give up now. Tell you what: I'll use my S3 account and neatly just make a .rar file of each and every of my disk partitions on all my hard drives and post the keys everywhere.
</rant>

Re: Yet another one.. every one is more retarded than the la

Posted: Wed Apr 04, 2007 6:41 am
by StratoTimo
JensJohansson wrote: Plus I'll wear two condoms and use Tamiflu in my coffee instead of sugar.
Two??? Why two? I always use three... Much warmer and more comfortable :D But in my coffee there is Burana :lol:

Re: Yet another one.. every one is more retarded than the la

Posted: Wed Apr 04, 2007 6:44 pm
by miditek
JensJohansson wrote:
Equinox wrote: People should also use Safari instead of IE.
:P
:)

I'm gonna use iceweasel inside a vmware sandbox inside another vmware sandbox inside a third vmware sandbox. Plus I'll wear two condoms and use Tamiflu in my coffee instead of sugar.
Microsoft Virtual Server devteam's famous last words: "Hey, who shit in the sandbox?!" :lol:

Re: Yet another one.. every one is more retarded than the last

Posted: Wed Apr 04, 2007 9:37 pm
by browneyedgirl
<stupid statement>Gee, all that computer stuff sounds complicated. I'm glad I got this little 'ol primitive Webtv--at least it doesn't get viruses or spyware.</stupid statement>


:D


Re: Yet another one.. every one is more retarded than the last

Posted: Thu Apr 05, 2007 4:51 am
by miditek
A patch is now available for the .ani file vulnerability. I would recommend loading it, even if IE is not normally used, as Windows and IE are pretty tightly interwoven these days.

There is a history of IE vulnerabilities affecting Windows, even when iexplore.exe is not running.

microsoft.com/technet/security/Bulletin/MS07-017.mspx

Re: Yet another one.. every one is more retarded than the last

Posted: Wed Apr 18, 2007 10:29 pm
by miditek
If you're truly sick of Windows, there's always an option to simply format the disk, and then check the friendly new HCL (unofficial Hardware Compatibility List) for MacOS 10.4.5

If your x86-class PC is on the list, then you're good to go!

wiki.osx86project.org/wiki/index.php/HCL_10.4.5/Desktops