A Trojan injected into sites favoring Tibetan independence from China targeted visitors with a specially crafted download. Security vendor McAfee said the affected websites hosting this Trojan were probably hijacked to place infected web pages in view of browsers.

Once in place, the Trojan, which they dubbed Friebet, grabs software from remote servers that makes the co-opted machine capable of accepting SQL statements and executing them against other machines.

The Friebet malware can try several options to gain access to the databases backing other servers, according to McAfee:

• Bind and connect to local or remote databases from the victim machine

• Query and steal data from local or remote databases
• Insert arbitrary data into local or remote databases, including web data such as hosting a web exploit

Though web application developers may have safeguards in place against common SQL injection attacks, Friebet is a more direct attack against a backend database. Administrators should review protections for databases to ensure such malicious connection attempts cannot succeed.

For instance, one developer was reportedly able to insert a backdoor into Gmail by luring people onto a specially prepared webpage, exposing private data. In not all, but many of these exploits, the problem is that your Google Account cookie can be stolen via so-called cross-site scripting (XSS) attacks; “cross-site”, because the cookie info wanders from Google.com (where it’s supposed to be read) to SomeRandomAbuserDomain.com (where it’s not supposed to be read). Basically, such an attack can be executed when someone finds a way to publish their own, free-style HTML/ JavaScript onto any *.google.com domain (like Google Calendar, Google Docs, Google Reader, Google News and so on).

Now, co-editor Tony Ruscoe stumbled upon another XSS vulnerability. By posting his specially prepared file of the Google Docs family which exploits a non-standard, incorrect Internet Explorer behavior, and then pushing me as experimental “victim” onto this file by sending me a link I clicked, Tony was able to get a Google Account cookie of mine, as I was previously logged-in to Google. (Tony did not need to point me to a domain of his, I was only accessing Google-hosted content; I did have to use Internet Explorer though, as it didn’t work with Firefox.) Google security has been informed about this vulnerabiliy and we won’t disclose how to reproduce this for now to give Google time to fix it.

Now, here’s what Tony was able to do with the cookie (as opposed to how a real attacker would act, he only did this after I gave him permission, of course):

• Read my Gmail email subject lines and the first words of my mails. This was possible by including a Gmail gadget onto iGoogle, using the extra-wide tab layout.
• Access my Google Analytics statistics, including stats of external sites that had been shared with my account.
• View many of my iGoogle gadgets, e.g. a Todo list.
• Access the full contents of my non-public Google Notebook notes/ non-public notes that had been shared with me by others.
• Check my Google Reader.
• See the names of my Docs, Spreadsheets and Presentations files.

Here’s what Tony was specifically not able to do:

• He didn’t see my full emails.
• He didn’t see any of the content of my Google Docs, Spreadsheets or Presentations.
• He didn’t see all of my iGoogle gadgets, e.g. a Google Talk gadget required another log-in.
• He wasn’t able to compromise my account login/ password, e.g. change it to then fully access my Google services.

Below are some of the screenshots Tony took while exploring my Google account:

In other words, this stealing from the cookie jar can be risky for the victim, but it must not be completely dramatic in all cases. Even so, it’s another reminder how the growingly powerful Google Account framework not only offers more power to lazy people (you don’t need to sign-in to Google services over and over), but also more power to abusers. All that’s needed to start most of these attacks is a bug or oversight in one of the many Google services, and a victim who visits a prepared webpage. If you want to be save from this, you can always log-out of your Google account when not using Gmail and other services, and try to not view pages you don’t trust (and try not to follow to pages you may think you trust, but which have been sent to you by non-trusted people).

Comments

Tag:

Yahoo Messenger Webcam Zero-Day Exposed

Security firm McAfee revealed today that hackers in China had been discussing a zero-day exploit available for Yahoo Messenger. McAfee confirmed the exploit existed, and notified Yahoo of their findings.

A malicious webcam invite can trigger a heap overflow in Yahoo Messenger. Heap overflows have been a very common exploit condition in all kinds of software over the years.

Until Yahoo provides a fix for the problem, McAfee recommended that Yahoo Messenger users avoid accepting webcam invites from untrusted sources until this flaw has been patched. For further security, those who can block outbound traffic on TCP port 5100 should do so while Yahoo bashes out a patch.

Yahoo’s Webcam function also suffered from a problem with its ActiveX Controls back in June 2007. This new problem being discussed in China is not related to the June issue, which has been patched, McAfee said in its post.

Saturday evening, a member discovered an exploit where you could send someone a request to join their community as a co-author and then automatically approve the request. In other words, someone (dare I call them a jackass) could force you to be a co-author of their community. I have no idea why they would do this, other than a negligible bump in marketing, but who ever said jackasses made sense?

To their credit, they’ve reacted well and today announced new steps to improve the community and hopefully reduce the amount of spam. Future features include:

* We’re going to post an official Terms of Service (ToS) and hold people accountable.

* By default, you now see only message from your own contacts.

* We will include the text of the comment and associated controls (delete,reply, etc) in the alert email.

* We will limit users to only five requests for co-authors a day.

* We will limit users to join 15 communities and add 15 contacts during any day.

* After the first five are complete, we will set up a comment approval system

All of the above will be welcomed by those who are active MBL users, but I think MBL faces a bigger issue than spam. I for one have taken off the widget that loads images of the most recent visitors to the site. While I’m still tracking visitors and using avatars on comments, the widget was just too slow to load. It’s a real shame, because I believe it was the widget that made MBL grow so fast, but it’s also their achilles heel.

I’m hoping they’ll figure out a way to speed up the load times and provide better customization of the widget – maybe iFrames are the answer here. In any event, the MBL guys need to tap into Yahoo’s (in)finite resources to get these updates done quickly. MBL did well, because it was unique, but I’m already hearing about new services that might challenge them, so they’d do well to keep ahead of the curve.
Comments

Tag:

A Reddit

Bookmark WebProNews:

If you look at my profile on MyBlogLog You will see 2 sites that I did not add.

I wonder if Yahoo could be possibly liable here because basically Yahoo is saying that I said I own these sites yet I did not

Check out Jason Calacanis community. Evidently in addition to calacanis.com he also owns and authors seoadwords.com . right.

So what else can people do with cross site xploits on mybloglog? Oh I think we are just seeing the tip.

Comments

Tag:

Add to Del.icio.us | Digg | Reddit | Furl

Bookmark WebProNews:

I assume this will also include word of mouth campaigns. The division is called Denuo, Latin for “afresh” or “anew.”

Today the advertising empire struck back with an attempt to show that they are down with the people. So far it’s all hat, no cattle. The success or failure of this venture will not be judged by pronouncements like these but by the consumers who control the client messages to begin with.

By talking more about “exploiting” new communications channels rather than using them to co-create marketing with consumers, the ad agencies demonstrate that, at least for now, that they still don’t get what this revolution is all about. Publicis appears to be operating in a mode where they still are marketing to consumers, rather than with them.

There’s no “I” in Denuo, but there is in Me2Revolution.

Steve Rubel is a PR strategist with nearly 16 years of public relations, marketing, journalism and communications experience. He currently serves as a Senior Vice President with Edelman, the largest independent global PR firm.

He authors the Micro Persuasion weblog, which tracks how blogs and participatory journalism are changing the public relations practice.

An increase of port scanning for machines listening on 10000/tcp for incoming connections led the US CERT team to believe malicious activity targeted at a new vulnerability was taking place.

The Veritas Backup Exec Remote Agent for Windows Servers turned out to be the application listening for those connections. Upon investigation, it was found a buffer overflow could allow a remote attacker to execute arbitrary code with administrative privileges on a system.

The company has released a patch to correct the problem. US-CERT and security company iDefense have verified the patch does correct the problem.

For further protection, administrators should ensure connections through a firewall to port 10000 be limited only to backup servers specifically. Veritas is in the process of merging with security company Symantec, which offers firewall products in its catalog.

David Utter is a staff writer for WebProNews covering technology and business. Email him here.

Two scams using the Indonesian/Indian crisis as a theme emerged this weekend. One of the scams involves an email with “Tsunami Donation! Please help!” in the subject line. The mailing contained an attachment called Tsunami.exe. When opened, the infected file launches VBSun-A, a newly discovered worm.

According to Sophos.com, “running the attached file will not only forward the virus to other Internet users but can also initiate a denial-of-service attack against a German hacking website.”

This is the second such worm that uses the Tsunami to fool unsuspecting people.

The other scam, a phishing attempt, uses a fake but convincing Red Cross web site to trick users into entering credit card information. This includes pin numbers. The site is located at www.american-redcross.org. If you would like to donate to the official Red Cross, please visit them here: www.redcross.org.

Graham Cluley, senior technology consultant at Sophos, said, “Duping innocent users into believing that they may be helping the tsunami disaster aid efforts shows hackers stooping to a new low. This gruesome insensitivity is a despicable ploy to get curious computer users to run malicious code on their computers. Everyone should be wary of unsolicited email attachments, and visit the established charity websites instead if they wish to assist those suffering as a result of the disaster.”

Chris Richardson is a search engine writer and editor for WebProNews. Visit WebProNews for the latest search news.

Just do this.

Don’t give away articles freely. Just allow unique article per issue of newsletter.

Why?

The reason is very easy to understand.

You can kill your profit flooding the industry with your articles.

No doubt you can get high readership. But, the Pavlovian theory will kick in fast on the Internet. Readers soon perceive your articles as commercials. This human behaviour happens all the time.

History had already proven that advertisement banners yield poor result. This is the outcome of overuse.

Some may suggest creating new articles very often. But, why waste time?

Here’s how you do.

You just need to write a batch of articles first. Then, circulate them in other people’s newsletters one by one. Readers will perceive your content fresh and rare. It boosts your credibility to higher ground. You can exploit this psychological weakness.

Give exclusive publishing rights of an article to one newsletter per issue. Never allow more than one publisher send out the same article at the same time.

Most people subscribes to many different newsletters. Never

floods them with same article. It is often perceived as spamming. Don’t take the risk.

Besides, most publishers avoid competition. They want unique and exclusive content for newsletters.

One thing to take note is that the publishers are not allowed to store your article in archive.

Imagine this.

If you’ve 50 articles, this means 50 publishers promote your product. Each article is published in just one newsletter at a time. Rotate different article in every issue. Your readers will get different content. They’ll cherish the information like gold.

Assume a publisher sends 1 article every month. It will take 50 months before you give a new batch of articles. You can save time to create more solid information.

What is the potential profit you can make?

Let’s see the worst case scenario.

A publisher has an average of 10,000 readers. One percent of them may be your customers. That will be around 100 every month. It means you’ll have about 5,000 potential customers from 50 chosen publishers.

Remember, this is the estimated value.

This strategy generally pulls in more earnings than the usual way of playing the number game. Since you play with psychological influence of scarcity, the sales percentage is usually much higher.

To further boost your sales, be selective in choosing your partners. Seek out those newsletters with big readership and responsive subscribers. Give 3-months trial before you commit long term partnership with newsletter owners.

You can also offer long term resale rights to your partners who actively generate leads for you.

The call is yours. This strategy is better than blasting the industry with your articles.

By the way, do you’ve problem writing articles?

You may think that creating 50 articles is time consuming and difficult. In fact, it is not.

There’s one method without cracking your brain.

The usual way is to write 50 articles with different subject. Why not create them from just one topic? You just need to rehash the content of the first article.

Here’re 6 proven tricks you can use;

1. Change to different headline.

2. Re-arrange the structure of your article.

3. Include a storyline.

4. Weave testimony of customer into a story.

5. List one benefit of your product.

6. Show the strength and weakness of your product.

Another lazy method is to hire ghost writer. This usually generates more sales faster.

Start doing this now! Be different!

Create article network by working only with productive partners.

Provide solid content in your article. It is like a public relation expert.

If you’ve 1,000 articles on 1,000 sites, it is like having 1,000 public relation experts out there telling people about you 24 hours a day.

That is how you make money on the Internet

Click here to sign up for FREE B2B newsletters from iEntry!

Eo Lim has helped many businesspeople succeed online
using the revolutionary P.E.R.F.E.C.T. writing
formula. Visit his site to find out how you can get a free
consultation: http://www.EoLim.com

Microsoft originally released this bulletin and patch on July 16, 2003 to correct a security vulnerability in a Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface. The patch was and still is effective in eliminating the security vulnerability.

However, the “mitigating factors” and “workarounds” discussions in the original security bulletin did not clearly identify all of the ports by which the vulnerability could potentially be exploited. We have updated this bulletin to more clearly enumerate the ports over which RPC services can be invoked, and to ensure that customers who have chosen to implement a workaround before installing the patch have the information that they need to protect their systems. Customers who have already installed the patch are protected from attempts to exploit this vulnerability, and need take no further action.

Remote Procedure Call (RPC) is a protocol used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly execute code on a remote system. The protocol itself is derived from the Open Software Foundation (OSF) RPC protocol, but with the addition of some Microsoft specific extensions.

There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The failure results because of incorrect handling of malformed messages. This particular vulnerability affects a interface with RPC, which listens on RPC enabled ports. This interface handles DCOM object activation requests that are sent by client machines to the server. An attacker who successfully exploited this vulnerability would be able to run code with Local System privileges on an affected system. The attacker would be able to take any action on the system, including installing programs, viewing changing or deleting data, or creating new accounts with full privileges.

To exploit this vulnerability, an attacker would need to send a specially formed request to the remote computer on specific RPC ports.

Mitigating factors:

To exploit this vulnerability, the attacker would require the ability to send a specially crafted request to port 135, 139, or 445 or any other specifically configured RPC port on the remote machine. For intranet environments, these ports would normally be accessible, but for Internet connected machines, these would normally be blocked by a firewall. In the case where these ports are not blocked, or in an intranet configuration, the attacker would not require any additional privileges.

• Best practices recommend blocking all TCP/IP ports that are not actually being used, and most firewalls including the Windows Internet Connection Firewall (ICF) block those ports by default. For this reason, most machines attached to the Internet should have RPC over TCP or UDP blocked. RPC over UDP or TCP is not intended to be used in hostile environments such as the Internet. More robust protocols such as RPC over HTTP are provided for hostile environments. To learn more about securing RPC for client and server please refer to http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/writing_a_secure_rpc_client_or_server.asp.

To learn more about ports used by RPC, please refer to: http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/tcpip/part4/tcpappc.asp.

Severity Rating

Windows NT 4.0	Critical
Windows NT 4.0 Terminal Server Edition	Critical
Windows 2000	Critical
Windows XP	Critical
Windows Server 2003	Critical

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability Identifier CAN-2003-0352

Tested Versions

Microsoft tested Windows Me, Windows NT 4.0, Windows NT 4.0 Terminal Services Edition, Windows 2000, Windows XP, and Windows Server 2003 to assess whether they are affected by this vulnerability. Previous versions are no longer supported, and may or may not be affected by this vulnerability.

Microsoft thanks The Last Stage of Delirium Research Group for reporting this issue to us and working with us to protect customers.

Description of Events

For a detailed analysis of this exploit, see: http://www.xfocus.org/documents/200307/2.html.

I’ve never seen an exploit develop so quickly in my life. The hacker underground was rocked for 4 whole days. It was a gruesome sight – machines we’re being “Dropped” (hacked) at an insane rate. It was obvious that a large majority of computers were still not patched.

I watched sadly, as the Internet was being violated, innocent victims becoming the unsuspecting targets of over hormone-ized teenage kids. One by one they fell, while the hackers slaved relentlessly to gain control over more and more machines. At some stage, I even saw an IRC channel that had the topic “RPC – DCOM – Leave some for the worm!”. There was nothing I could do, except to warn everyone I knew.

The first exploit released by Xfocus was rather anticlimactic, as it was found to be a DOS attack, and not the promised SYSTEM shell. However, redemption was soon to come as Metasploit published a fixed fully working exploit, a few days later.

This was quickly compiled for windows and a working version was made public:

From this stage onwards, all hell broke loose. In a matter of hours, more universal offsets were published, and more advanced exploits were sent to the wild, which in turn would affect a larger variety (targets) of machines. Like mushrooms after the rain, newer versions of the exploit were being released; 9 targets, 18 targets, 29 targets, 48 targetsand thenthe nightmare became real. A universal RET address was found for both Windows XP and Windows 2000 (0x0100139d and 0x010016c6 respectively). This is what the hacker community was waiting for. An easy to use, 99% working fully blown universal exploit for Windows 2000 (upto SP4) and Windows XP (upto SP1).

With the RPC vulnerability scanners that were published by Eeye and ISS, the internet suddenly turned into an African savannah, with supercharged predators, and sick, weak prey.

An apocalyptic mood fell upon me, when I realized the implications of this. “Oy Vey,” I thought to myself, and went to sleep with a sigh.

Quite soon it was clear that the exploit was not flawless. It seemed to reboot the machines after one minute. A deeper inspection of this revealed that the RPC service crash would indeed result in a reboot, as can be seen on a Windows XP computer.

This meant that the hacker had little time to do his deed before the machine rebooted, and he’d lose control over it.

The community did not give up, and in a matter of hours the source code was modified to open a port (4444) on the target machine, without rebooting it. Not surprisingly this exploit was called rpc_univ_nocrash.exe.

Conclusions

For the sake of humanity, PATCH YOUR MACHINES!

If you have a few machines or a network; consider using SUS (it’s free!).

Mati Aharoni, MCSES, MCT, CCNA, CCSA, CISSP

Visit the Security through Hacking Web site at http://www.secureit.co.il for additional information.