
Google Chrome Browser: Hype & Vulnerabilities?

September 7th, 2008 by Steven Adair

Have you heard about the new Google Chrome browser lately? Chances are high that you have. However, are you or anyone you know actually using the browser? My guess is there’s a good chance the answer is NO. Sure, it’s just a beta version, but it’s been getting all kinds of hype, seemingly out of nowhere. In fact I haven’t used it and don’t plan on even trying it out for some time. Why? Well, for starters I haven’t seen a real compelling reason to use it yet. Couple that with the horrendous privacy issues that have been raised and you’ve got a potential (as the article puts it) security nightmare. Oh, did I mention there have already been multiple public proof-of-concept exploits that can possibly result in a remote compromise?

It looks like Google Chrome is a pretty risky proposition right now. Yes, it is beta, but some of these items are a bit alarming. I am not one of the people that calls Google evil, but I try not to let them near my data whenever possible. Using this browser definitely won’t further that cause. It is still a bit early with a few early adopters (testers), so we might see a lot of fixes and improvements across the board before its final release. I’ll post my two cents at a later date for anyone that might care.

I did a quick check and I can see that at least two visitors of the blog are trying out Google Chrome. Hopefully I’m not scaring anyone away from testing the browser; that certainly isn’t my intent. However, I just want people to know about the potential risks to privacy and security that presently exist. All browsers have security issues; however, that doesn’t mean we should ignore them. If you have any comments on this issue or the browser, feel free to submit them and I will post them.

In case there’s any interest, the Google Chrome User-Agent looks like this:

    Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.27 Safari/525.13

Posted in Privacy, Browsers, Google, Random | No Comments »

So I Installed PGP 9.8…

August 26th, 2008 by Steven Adair

…and well I am a bit disappointed. Note that I’ve added a new “category” in my blog called “whining” because that’s basically what I am doing now, so if you hate whining (read: b*tching) then you might want to skip this post.

In 2004 I got a copy of PGP 8.1 for Windows to use on an XP install at home. With this install came the standard PGP system tray icon that would let you control a slew of things, including clipboard and current window encryption/decryption, as well as give you quick access to the PGP keys interface. This fine little install also had an Outlook (Express, for me on that machine) plug-in for easy encryption/decryption of e-mail. It had its kinks and bugs but it worked pretty well. Now jump 4 years ahead to the present: on my Mac and Linux systems I use GnuPG (gpg), but that’s all done on the command line, so it’s kind of a pain. On an XP install with Office 2007 that I have at home — I do not have anything at all (no PGP or GPG).

Today I decided to put an end to that and paid for the upgrade for $29.99 (I was eligible from my old license) to PGP Home Desktop 9.8. Sure, I feel like a sucker paying for software for which there are similar free options, but the GUI and a couple of other features are something I wanted to have. The new version also has some full disk encryption options as well as the creation of encrypted drives/storage spaces, which sounds nifty I suppose. Still, consider checking out TrueCrypt anyway.

Anyway, the first thing I noticed was that the download of PGP Desktop was a 72 MB .zip file, which seemed a little large. To my surprise they decided to pack both the 64-bit and 32-bit versions into the same .zip file. I really don’t see the logic in this. They could save bandwidth usage and time for both parties, and I’ll take an absolutely wild stab in the dark that their 64-bit installs aren’t quite as numerous as their 32-bit installs (I could be wrong… it happened once). Great, so I managed to install the correct version and am all fired up and good to go. Only I guess I suck at the whole RTFM thing because I didn’t realize there is no longer an Outlook plug-in. They went with the god awful proxy-detect-email-look-for-encryption-keys-we-suck method. All I can say is that I am very disappointed. I believe the plug-in was one of the best features of the old product. Now you’re stuck with some half-assed detection method that will send unencrypted messages if it messes up — super idea! I think I will pass on that.

Anyone else have some thoughts and opinions on the latest versions of PGP? I would love to hear them and I’ll approve/post the comments as long as they’re not overly vulgar (PG-13 at worst please).

Posted in Whining | 2 Comments »

Someone Hijacked My Baby?

August 25th, 2008 by Steven Adair

I just got a humorous Spam message that someone else told me about earlier. Apparently it’s supposed to have some sort of Virus attached to it. Only it seems my copy has been made a bit safer. The Spam message looks a little something like this:

Subject: We have hijacked your baby

Body:

Hey We have hijacked your baby but you must pay once to us $50 000. The details we will send later…

We has attached photo of your fume

Funny topic and bad grammar all make for a good virus/spam campaign. However, you might be wondering if I am nervous about receiving such an e-mail? Well, e-mail never really makes me nervous and then again I also don’t have a baby. Although I think I would be concerned if I had a baby and someone “hijacked” it. It seems my message got nibbled on by “MIMEDefang”, which was a bit disappointing since I wanted to see the attachment. I wanted to see if the trojan included a picture of a baby or not. I guess I’ll have to wait in suspense until someone shares a copy with me.

Feel free to drop me a line with a copy of this e-mail if you have it intact - steven [at] securityzone [dot] org

Update: 11:40 PM

Got a copy of the e-mail with the attachment in place. Sorry no picture but there is an attachment called “photo.zip” that has “photo.exe” inside of it. File MD5 for the .exe is 807efe034e50327234e83bc9e6a94b32.

This is a piece of malware which then downloads more malware from the known malicious website reddii.org. Stay away from these e-mails and that domain.

Posted in Malware, Spam | 2 Comments »

Red Hat & Fedora Servers Compromised - Check Your SSH Packages

August 24th, 2008 by Steven Adair

Whoops! It looks like multiple servers belonging to the Red Hat and Fedora projects were compromised last week. It’s always unfortunate when this sort of stuff happens, especially when the hackers make modifications to the SSH packages. Fortunately the issue only affects a few versions of the packages and only existed for a short time. There have been various announcements and mailing list postings on this issue that can be viewed here and here.

Potential affected OS versions that may have received these updates:

Red Hat Desktop (v. 4)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux AS (v. 4.5.z)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux ES (v. 4.5.z)
Red Hat Enterprise Linux WS (v. 4)

You can grab the OpenSSH blacklist script from the Red Hat website by clicking here. This script can be run by a non-privileged user to check if the OS has any of the listed malicious packages.

Posted in Malware, Exploits, Random | No Comments »

Update Your Adobe Flash Software ASAP!

May 27th, 2008 by Steven Adair

It appears there are now Adobe Flash exploits live and in the wild on several sites. This is not good considering some of the websites involved in the recent mass SQL injection attacks are aiming to exploit this vulnerability. Basically, if you can’t recall upgrading Flash recently, you probably need to go ahead and do it.

You can check your current flash version by clicking here.

You can upgrade to the latest version of flash by clicking here.

Don’t wait - just upgrade right now!

Posted in Malware, Exploits, Random | 1 Comment »

Interesting IRS Phishing Method

May 20th, 2008 by Steven Adair

The phishers out there are once again finding new ways to obfuscate their URLs in attempts to fool end users. I am pretty sure I saw this method mentioned elsewhere recently, but I cannot recall where. In any event, this recent phish found its way into the SPAM folder on one of my e-mail accounts. Notice the URL they provided:

Subject: Tax Notification
From: “Internal Revenue Service” <taxrefund@1x8c.8xdb95d4.irs.gov>
Date: Tue, May 20, 2008 6:36 am

Internal Revenue Service (IRS)
United States Department of the Treasury

Dear Taxpayer,

After the last annual calculations of your fiscal
activity we have determined that you are eligible
to receive a tax refund of $184.80.

Please submit the tax refund request and allow us
6-9 days in order to process it.

A refund can be delayed for a variety of reasons.
For example submitting invalid records or applying
after the deadline.

To access the form for your tax refund, use the following personalized link:

http://0x7C.0xDB11D1/www.irs.gov/

Regards,
Internal Revenue Service

Document Reference: (0x7C.0xDB11D1).

Notice that the URL is http://0x7C.0xDB11D1/www.irs.gov/ and that they used 0x7C.0xDB11D1 as the “Document Reference” in an attempt to make it look more official. Well, it turns out that 0x7C.0xDB11D1 is just a hexadecimal spelling of an IP address in Taiwan - 124.219.17.209 (0x7C is the first octet, and 0xDB11D1 supplies the remaining three). Visiting this IP address or the URL above ends up redirecting you to http://www.comtipps.de/www.irs.gov/index.htm?memberID=0x7C.0xDB.0x11.0xD1.

This then tries to get your social security number, credit card information (including CVV code and ATM PIN), date of birth, full name and address, phone number, and finally e-mail address (wouldn’t one assume they already have this if they e-mailed you? :D). Be on the lookout for this slightly different take on an old trick.
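To show how a link like the one above decodes, here is an added example (my own code, not from the original post) that normalizes legacy IPv4 literals the way classic inet_aton()-style parsers do: components may be hexadecimal (0x), octal (leading 0) or decimal, and when fewer than four components are given the last one fills the remaining bytes. It goes slightly beyond the phish shown above by also handling the octal and single-number forms, and it flags any URL whose host is really an address. Function names and the sample URLs are my own choices.

```python
import re
from urllib.parse import urlsplit

# One dotted component: hex (0x...), octal (leading 0) or decimal.
_PART_RE = re.compile(r"0[xX][0-9a-fA-F]*|[0-9]+")


def parse_ipv4_part(part: str) -> int:
    """Parse one component the way legacy inet_aton() does: a 0x prefix
    means hexadecimal, a leading 0 means octal, anything else is decimal."""
    p = part.lower()
    if p.startswith("0x"):
        return int(p[2:] or "0", 16)
    if len(p) > 1 and p.startswith("0"):
        return int(p, 8)
    return int(p, 10)


def normalize_ipv4_literal(host: str):
    """Return the dotted-quad form of a legacy IPv4 literal (hex, octal,
    decimal, or fewer than four components), or None if host is not one.
    With fewer than four components the last one fills all remaining
    bytes, which is what turns 0x7C.0xDB11D1 into 124.219.17.209."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART_RE.fullmatch(p) for p in parts):
        return None
    try:
        values = [parse_ipv4_part(p) for p in parts]
    except ValueError:
        return None
    head, last = values[:-1], values[-1]
    if any(v > 0xFF for v in head):          # leading components are single bytes
        return None
    remaining = 4 - len(head)                # bytes the last component supplies
    if last >= 1 << (8 * remaining):
        return None
    number = 0
    for v in head:
        number = (number << 8) | v
    number = (number << (8 * remaining)) | last
    return ".".join(str((number >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def ip_literal_host(url: str):
    """Return (host as written, dotted quad) when the URL's host is an IPv4
    literal in any form, else None. Handy for flagging links whose 'host'
    is an address dressed up to look like a reference number."""
    host = urlsplit(url).hostname      # urlsplit lowercases the host
    if host is None:
        return None
    quad = normalize_ipv4_literal(host)
    return None if quad is None else (host, quad)


if __name__ == "__main__":
    # The link from the phishing e-mail quoted above.
    print(ip_literal_host("http://0x7C.0xDB11D1/www.irs.gov/"))
```

Note that strict parsers such as Python’s ipaddress module reject these legacy spellings outright, which is exactly why a filter that only looks for dotted-quad addresses in URLs misses this trick; browsers, on the other hand, still accept them.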

Posted in Phishing, Links | No Comments »

CNN.COM Target for Chinese Hackers

April 19th, 2008 by Steven Adair

It appears that CNN has been and will be the target of choice for Chinese hackers to show their displeasure with Western media coverage over “pro-independence protests in Tibet.” It would seem that some people in China have been offended by this coverage and are calling for attacks, according to the website The Dark Visitor. They have provided details on several Chinese websites calling for attacks on www.cnn.com starting at 8:00 PM Beijing Time (8:00 AM EDT or 12:00 PM GMT) today, April 19, 2008. However, according to another update on The Dark Visitor’s website, these attacks have since been called off and are to be rescheduled.

According to a recent update on the CNN website, they have already observed several attacks that occurred this past Thursday. They took action to limit access to the site from certain regions and users in Asia may have experienced minor disruptions. These attacks appear to be either coincidental or preemptive in nature as they came two days earlier than called for. Arbor Networks is also monitoring this situation and has reported they have observed at least 36 different attacks thus far.

While the attacks have been “called off” for now, it will be interesting to see if they continue regardless — as scheduled or at a later date. It appears that attacks are expected and are being planned for. We can hope that they are unsuccessful regardless of the level of participation. We will update more if we learn anything new.

Posted in Random | 4 Comments »

New Storm Worm Domains Active with Exploits

April 10th, 2008 by Steven Adair

It appears that in addition to “supersameas.com”, the Storm Worm is now using and spamming itself out with several new domain names. These domain names are all registered with Chinese registrars and have been around since at least February, but are just now starting to be used. In addition to serving up the executables for download, they are also attempting to fire exploits at users that have the Internet Explorer browser. It is highly recommended that you do NOT visit these domains. Here is the list that is currently active:

biggetonething.cn
gasperoblue.cn
giftapplys.cn
gribontruck.cn
limpodrift.cn
loveinlive.cn
newoneforyou.cn
normocock.cn
orthelike.com
supersameas.com
thingforyoutoo.cn

They are coming through via e-mail as always and continuing their assault against Blogger (blogspot.com) sites. Searching Google shows the standard “love” related campaign. However, there is at least one result on Google showing politically motivated e-mails that are being sent as well. At least one Spam reported on the Google group “news.admin.net-abuse.sightings” shows an e-mail with the subject “Cowen confirmed as next Irish premier Options” and a body of “Police fire on protesters in Nepal” followed by a link to one of the above domains.

If you visit these sites with IE, you will quickly find yourself being attacked via different ActiveX objects. The first set of exploits will attempt to download “load.exe” to the system. It will then ultimately redirect the visitor to “flow.php” which is full of obfuscated JavaScript. It is recommended that you block the above domain names and do not visit them.
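As an added example of acting on the blocking advice above (my own code, not from the original post), here is a small Python checker that treats the listed domains as a blocklist and scans proxy log lines for requests to those domains or any subdomain of them. The log format (timestamp, client, method, URL, status) and the log lines themselves are constructed for the example and are not real traffic; the "load.exe" and "flow.php" paths are the ones mentioned above.

```python
from urllib.parse import urlsplit

# Blocklist built from the domains listed in the post above.
STORM_DOMAINS = frozenset({
    "biggetonething.cn", "gasperoblue.cn", "giftapplys.cn", "gribontruck.cn",
    "limpodrift.cn", "loveinlive.cn", "newoneforyou.cn", "normocock.cn",
    "orthelike.com", "supersameas.com", "thingforyoutoo.cn",
})


def host_is_blocked(host, blocklist=STORM_DOMAINS):
    """True if host equals a blocked domain or is a subdomain of one.
    The check is label-based, so notsupersameas.com does not match
    supersameas.com, while www.supersameas.com does."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


# Constructed proxy log lines (hypothetical format:
# timestamp client method url status); not real traffic.
SAMPLE_LOG = """\
2008-04-10T14:02:11 10.0.0.12 GET http://www.example.com/ 200
2008-04-10T14:02:15 10.0.0.12 GET http://supersameas.com/flow.php 200
2008-04-10T14:02:16 10.0.0.12 GET http://www.loveinlive.cn/load.exe 200
2008-04-10T14:03:40 10.0.0.31 GET http://notsupersameas.com/ 200
2008-04-10T14:03:41 10.0.0.31 GET http://orthelike.com.example.net/ 404
malformed line
"""


def scan_proxy_log(text, blocklist=STORM_DOMAINS):
    """Return (timestamp, client, host, url) for every request whose host
    falls under the blocklist; malformed lines are skipped."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, client, _method, url = fields[:4]
        host = urlsplit(url).hostname
        if host and host_is_blocked(host, blocklist):
            hits.append((ts, client, host, url))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(*hit)
```

The label-based comparison matters: a plain substring match would flag notsupersameas.com as well, and a suffix match alone would miss the case where a blocked name is used as a subdomain of something else, which is why the host is split into labels and every trailing run of labels is checked against the set.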

Posted in Malware, Exploits, Spam, Storm Worm | No Comments »

More Fake Video Codec Pages.. Trojan.Delf? Trojan.Zlob? Nope - Storm Worm!

April 8th, 2008 by Steven Adair

There’s a new round of Storm Worm e-mails going around taking advantage of our favorite technique, showing people what looks like a video and telling them they’re missing a codec to view it. Only these guys are using a rather blunt name for the files this time: StormCodec.exe and StormCodec8.exe - Not very subtle for the “Storm” Worm.

Users are lured this time by e-mail that wants them to visit the fast-flux domain “supersameas.com”. You can protect yourself and your organization at this juncture by blocking this domain. Once on the site there is a video-looking image in the middle with the following message:

You have no Storm Codec on your PC.
Download it and choose either “Open” or “Run”.
Enjoy your multimedia experience!

The video and download links point to the aforementioned files. Tip: You don’t want Storm Codec on your PC! :D Thanks to Jose from Arbor Networks for pointing out the update to me, otherwise I probably wouldn’t have noticed this until much later.

Posted in Malware, Spam, Storm Worm | 2 Comments »

SecurityZone.org RSS Feed Available

April 6th, 2008 by Steven Adair

As you might know, this blog runs on WordPress, which already supports RSS feeds. It seems a few of you out there and several search engine/social media sites have already manually located the URLs to subscribe to my RSS feed. In an effort to be more RSS and Web 2.0 friendly, I am now signed up with Feedburner and have put a direct link to my RSS feed on this website (continue reading). Hopefully this change is relatively seamless for those that are already subscribed.

For anyone that is not subscribed, you can now click the RSS Feed link on the right panel on my website or subscribe via http://feeds.feedburner.com/securityzone. If you check in on my site regularly or even infrequently and have an RSS reader, I’d recommend signing up. It’ll help you keep up with my sporadic update schedule that not even I can predict!

Posted in Random, Links | No Comments »
