Saturday, December 31, 2005

An Alternative Method of Fixing the WMF Vulnerability - UPDATED

I can't say it any better than the F-Secure blog said it, so here it is:
Here's an alternative way to fix the WMF vulnerability.

Ilfak Guilfanov has published a temporary fix which does not remove any functionality from the system (all pictures and thumbnails continue to work normally).

The fix works by injecting itself to all processes loading USER32.DLL. It patches the Escape() function in GDI32.DLL, revoking WMF's SETABORT escape sequence that is the root of the problem.

Now, we wouldn't normally blog about a security patch that is not coming from the original vendor. But Ilfak Guilfanov isn't just anybody. He's the main author of IDA (Interactive Disassembler Pro) and is arguably one of the best low-level Windows experts in the world.

More details from Ilfak's blog: http://www.hexblog.com.
Most people in the patch management world would never recommend a patch NOT from the original vendor, but Ilfak isn't just some kid. This is real...

If you test it, let me know how it works.

UPDATE - I have installed this on my personal laptop and it seems to do exactly what it was meant to do. People that are serious about blocking this very dangerous attack should seriously look at this patch. Even the ISC has given it the go ahead.

They have earned my trust, that is for sure.

WMF Story - Day 4

1) Microsoft has updated their security advisory about the WMF. It now confirms that software-based DEP does NOT protect you from the WMF Exploit.

2) Also on FD, HD Moore has released an updated Metasploit 2.5 WMF Attack Module. This new version uses the "Escape/SetAbortFun code execution flaw" and pads the Escape() call with random WMF records.

3) Viruslist.com is reporting the first IM-Worm to exploit the WMF vulnerability. It appears to be spreading via MSN at this point, but I wouldn't be surprised to see copies on ICQ, AIM and Yahoo soon.

As far as I can tell, one of the biggest attack vectors is the IFRAME tag in a hacked/bad website.
As the number of attacks grows and they become nastier, we all wait for a patch. Do you think Microsoft will release it out of cycle? Who knows...

Friday, December 30, 2005

WMF Exploit Story - Day 3

Information is building and views are changing all the time. But everyone agrees that this WMF Zero-Day is nasty. Here is what we know on "WMF Day 3".


DEP Method

Sunbelt is reporting on their blog that the software-based DEP Windows XP SP2 method once suggested by Microsoft is not very effective. They found that hardware-based DEP is effective, but requires a CPU that supports it.

REGSVR32 Method

Bill Hayes pointed me to the latest F-Secure blog entry this morning. F-Secure found that the REGSVR32 workaround doesn't protect you from the WMF when using MSPaint. Great! lol

They suggest not using MSPaint at all for a while, which doesn't seem too difficult at this point.


It should also be stated that using Firefox does NOT protect you totally. Firefox is still open to the WMF but it does require a bit more user interaction than IE – which requires zero. ;)

So the war isn’t over. But here are several suggestions that can only help the cause.

1) Always test any workaround before applying it to your network. This really applies to many things and is good all-around advice.

2) Don’t trust one workaround to protect you totally. Apply the “Defense in Depth” idea to any threat. In the WMF case, this would include up-to-date antivirus on the clients and on the proxy edge. Use dynamic blocking of known sites with bad WMF files using advanced (yet costly) proxy filtering software. Statically block known sites if needed.

Here is an incomplete list:

m.cpa4[dot]org
008k[dot]com
mscracks[dot]com
keygen[dot]us
dailyfreepics[dot]us
pornsites-reviews[dot]com
mmxo.megaman-network[dot]com
600pics[dot]com
Crackz[dot]ws
unionseek[dot]com
tfcco[dot]com
Iframeurl[dot]biz
beehappyy[dot]biz
Buytoolbar[dot]biz
teens7[dot]com
toolbarbiz[dot]biz
toolbarsite[dot]biz
toolbartraff[dot]biz
toolbarurl[dot]biz
buytoolbar[dot]biz
buytraff[dot]biz
iframebiz[dot]biz
iframecash[dot]biz
iframesite[dot]biz
iframetraff[dot]biz
iframeurl[dot]biz

Thursday, December 29, 2005

WMF Exploit hits Third-Party Ad Network

http://sunbeltblog.blogspot.com/2005/12/exfol-using-wmf-exploit-on-rotational.html

Man, this is just getting nasty...use Firefox.

CounterMeasures for the WMF 0-Day Exploit

1) Bleeding-Edge Snort has WMF exploit detection sigs for the open-source IDS known as Snort.

2) Combine those sigs with SunBelt's Free (or Full) Kerio Firewall to help block and detect the WMF exploit. Get the how-to on the SunBeltBlog.

3) Disabling the library that contains the vulnerability will also work. From the ISC/SANS website. FYI - Infocon = Green
The vulnerability seems to be within SHIMGVW.DLL. Unregistering this DLL (type REGSVR32 /U SHIMGVW.DLL at the command prompt or in the "Start->Run" Window, then reboot) will resolve most of the vulnerability, but will also break your Windows "Picture and Fax Viewer", as well as any ability of programs like "Paint" and "Explorer" to display thumbnails of any picture and real (benign) WMF files.

"There is no Spoon" - Vanishing Teaspoons

Noticed this funny article on Scotsman.com and wanted to share it. We need some humor with all the bad Windows WMF stuff running around.

Viewing the article will require you to register your soul away, or you could just use Bugmenot.com - which is what I did.

Scientists cause a stir over vanishing teaspoons.

SCIENTISTS have proved what is common knowledge to most people - that teaspoons appear to have minds of their own. A study monitored the movements of 70 secretly numbered teaspoons over five months. Supporting expectations, 80 per cent of the spoons vanished during the period - although those in private areas lasted nearly twice as long as those in communal sections. "At this rate, an estimated 250 teaspoons would need to be purchased annually to maintain a workable population of 70 teaspoons," said researchers from the Macfarlane Burnet Institute for Medical Research and Public Health in Melbourne. Writing in the British Medical Journal, they said their research proved that teaspoons were an essential part of office life and the rapid rate of disappearance proved that this was under relentless assault. Regretting that scientific literature was "strangely bereft" of teaspoon-related research, the scientists offered a few theories to explain the phenomenon. Taking a tip from Douglas Adams's Hitchhiker's Guide to the Galaxy , they suggested that the teaspoons were quietly migrating to a planet uniquely populated by "spoonoid" life. They also offered "resistentialism", in which inanimate objects like teaspoons have an aversion to humans. On the other hand, they suggested, people might simply be taking them.


Wednesday, December 28, 2005

Microsoft Windows Zero-Day Making the Rounds - UPDATED

A vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to an error in the handling of corrupted Windows Metafile files (".wmf"). This can be exploited to execute arbitrary code by tricking a user into opening a malicious ".wmf" file in "Windows Picture and Fax Viewer" or previewing a malicious ".wmf" file in explorer (i.e. selecting the file). This can also be exploited automatically when a user visits a malicious web site using older versions of Firefox, current versions of Opera, Outlook and all current versions of Internet Explorer on all versions of Windows.

Secunia has classified the vulnerability as "Extremely Critical". It is currently unpatched and being exploited in the wild to spread spyware and viruses.

HD Moore has included this new exploit in his Metasploit Framework. The exploit was discovered by "noemaipls" and released onto the Bugtraq Security Mailing List.

Sunbelt Software, makers of CounterSpy, has reported via the FD Security Mailing List seeing this exploited on multiple sites and increasing in use. They also provided several live links to the exploit.

UPDATE (12/28/05) -

Here is the Exploit on the French Security Incident Response Team (FrSIRT) website, a known exploit release site.

Here is a demo video of the exploit from Websense Security Labs.

UPDATE (12/29/05) -

Microsoft has released a Security Advisory titled "Vulnerability in Graphic Rendering Engine Could Allow Remote Code Execution".

All versions of Microsoft Windows are open to this attack. But several special features in Windows 2003 SP1 can mitigate the attack when the vector is e-mail.

CERT Vulnerability Note VU#181038

It has also been reported that Google Desktop may be another potential attack vector and that various anti-virus software products cannot detect all known variants of exploits for this vulnerability.

IMPORTANT NOTE - We must also remember that WMF files can pretend to be other image files (JPEG, GIF, TIF, etc). Just because the file is named .gif doesn't mean it really is. Windows will read inside the file, see that it is a WMF and render it as normal.
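Two points from this story can be checked directly on a file: the Escape()/SETABORTPROC record that both the Metasploit module and Ilfak's patch revolve around (Day 4 and the fix post above), and the fact that the extension says nothing about whether a file is a WMF. The Python below is an added example written for this post, not code from any vendor or researcher named here. It sniffs the content for a WMF header regardless of file name, walks the record list, and reports any META_ESCAPE record whose sub-function is SETABORTPROC. The record and escape numbers are the documented WMF values; the two sample files are constructed inline.

```python
import struct
import sys

# Windows Metafile constants (documented record and escape numbers).
PLACEABLE_KEY = 0x9AC6CDD7       # signature of the optional 22-byte placeable header
PLACEABLE_HEADER_LEN = 22
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626             # record that reaches GDI's Escape() function
ESCAPE_SETABORTPROC = 0x0009     # the Escape sub-function behind the exploit


def is_wmf(data: bytes) -> bool:
    """Content sniff that ignores the file extension, as the post notes Windows does."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return True
    if len(data) >= 18:
        mtype, hsize, version = struct.unpack_from("<HHH", data, 0)
        return mtype in (1, 2) and hsize == 9 and version in (0x0100, 0x0300)
    return False


def iter_records(data: bytes):
    """Yield (offset, function, params) for each record up to and including META_EOF."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = PLACEABLE_HEADER_LEN
    hsize = struct.unpack_from("<H", data, off + 2)[0]   # header length in 16-bit words
    off += hsize * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:                                # smaller than its own 6-byte header
            raise ValueError(f"malformed record at offset {off}")
        nbytes = size_words * 2
        yield off, func, data[off + 6: off + nbytes]
        if func == META_EOF:
            break
        off += nbytes


def find_setabortproc(data: bytes) -> list:
    """Offsets of META_ESCAPE records whose sub-function is SETABORTPROC."""
    hits = []
    for off, func, params in iter_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == ESCAPE_SETABORTPROC:
                hits.append(off)
    return hits


def scan(data: bytes) -> str:
    """Verdict for one file body: not-wmf, wmf-malformed, wmf-clean or wmf-setabortproc."""
    if not is_wmf(data):
        return "not-wmf"
    try:
        hits = find_setabortproc(data)
    except (ValueError, struct.error):
        return "wmf-malformed"
    return "wmf-setabortproc" if hits else "wmf-clean"


# --- constructed samples (built here, not captured from the wild) -------------------
def _record(func: int, params: bytes = b"") -> bytes:
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params     # size is in words


def _metafile(records) -> bytes:
    body = b"".join(records)
    return struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2, 0,
                       max(len(r) // 2 for r in records), 0) + body


def _placeable(width: int = 100, height: int = 100, dpi: int = 96) -> bytes:
    head = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, width, height, dpi, 0)
    checksum = 0
    for (word,) in struct.iter_unpack("<H", head):         # XOR of the first ten words
        checksum ^= word
    return head + struct.pack("<H", checksum)


BENIGN_WMF = _metafile([_record(META_SETMAPMODE, struct.pack("<H", 8)), _record(META_EOF)])
SUSPICIOUS_WMF = _placeable() + _metafile([
    _record(META_SETMAPMODE, struct.pack("<H", 8)),
    _record(META_ESCAPE, struct.pack("<HH", ESCAPE_SETABORTPROC, 4) + b"XXXX"),  # dummy bytes
    _record(META_EOF),
])
NOT_AN_IMAGE = b"GIF89a" + bytes(20)     # a real GIF signature, to show extension is irrelevant

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, scan(fh.read()))
```

This is a triage check rather than a full renderer: a record that claims more bytes than remain is simply truncated, and a proxy or IDS signature that wants the same precision has to do the same record walk rather than grep for the escape number, which can legitimately occur inside the data of other records.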

SunBelt has released a

Thursday, December 22, 2005

Sacred Gospel of the Flying Spaghetti Monster Found!!

Ok, it wasn't found...but it is being written. Scheduled for publication in March.

Wired Article and interview with Bobby Henderson - Passion of the Spaghetti Monster

Learn more about the Church of the Flying Spaghetti Monster at Wikipedia

-Ramen

Tuesday, December 20, 2005

It's a Wonderful Internet - Happy Bedtime Story

Ok, more humor and fun. It shows you how much the internet has changed our world in that little kid bedtime story kind of way. =)

It's a Wonderful Internet

Thanks Todd P. for the link.

Thursday, December 15, 2005

Building the Real "A-Team"

Ok, so this is the "side of humor" entry. This is great. It cleared up my "case of the Mondays" on this week. Enjoy.

Finding The A-team: A Stuffo Experiment

New Metasploit Framework v3.0 Alpha Release 1

The Metasploit Framework (MSF) is an advanced open-source platform for developing, testing, and using exploit code. The MSF can be roughly compared to commercial offerings such as Immunity's CANVAS and Core Security Technology's Impact. The major difference between the Framework and these commercial products is the focus; while the commercial products need to provide the latest exploits and an intuitive GUI, the Framework was designed to facilitate research and experimentation with new technologies.

The original MSF was written in the Perl scripting language and included various components written in C, assembler, and Python. The new 3.0 branch is a complete rewrite of the 2.0 branch using the Ruby programming language.

The primary goals of the 3.0 branch are listed below:
  • Improve automation of exploitation through scripting
  • Simplify the process of writing an exploit
  • Increase code re-use between exploits
  • Improve and generically integrate evasion techniques
  • Support automated network discovery and event correlation through recon modules
  • Continue to provide a friendly outlet for cutting-edge exploitation technology

Remember this is an *alpha* release, so things will break. Help HD Moore by giving good quality feedback. It is almost crazy to see how this project has expanded and grown. Nice work indeed.

Sorry, no Windows support yet; only Linux and Mac OS X platforms with Ruby 1.8.x are supported.

Wednesday, December 7, 2005

Nmap 3.94 ALPHA3 Released - UPDATED

Update - Nmap 3.95 has been released, check out http://www.insecure.org/

Nmap is the de facto port scanner in existence today.

Fyodor recently released Nmap 3.94 ALPHA3. He spent all last weekend trimming its waistline. This should reduce the memory consumption on very large network scans. Remember this is an ALPHA release, so treat it as such.

Download Points

Linux Source - http://download.insecure.org/nmap/dist/nmap-3.94ALPHA3.tgz
Linux RPM - http://download.insecure.org/nmap/dist/nmap-3.94ALPHA3-1.src.rpm
Windows Binary - http://download.insecure.org/nmap/dist/nmap-3.94ALPHA3-win32.zip

Nice work Fyodor. Thanks Harlan for catching my error, even if I was late to fix it.

Thursday, December 1, 2005

UPDATED - Gmail to Include Anti-Virus Scanning Soon

Like Yahoo Mail, Gmail will soon start to scan all attachments for viruses. Any detected viruses will be cleaned or deleted. As far as I can tell, it doesn't sound like there is a way to disable this feature - which is sad but understandable.

Since Gmail was first created, Google has locked down some of its "nice" features in the name of security. For example, Zip files are blocked, but this is easily bypassed by renaming the file.

Looks like if you want to trade exploit code or new malware on Gmail, you will need to get your GPG up and working if you want to continue.

Google is not just increasing the security of the free service; they are adding many cool features as well. I really like the AutoSave feature - oh and the 2.5 GB of storage.

Question of the Day - Which Anti-virus product will Google license for Gmail? Sophos? F-Secure? Kaspersky? Trend Micro? Or will it be one of the US Standards - McAfee & Symantec.

UPDATE - Ryan over at thebillygoatcurse.com ran a series of tests and decided that Gmail is using Sophos. His results are very interesting. Thanks Michael for the information.

Tuesday, November 29, 2005

FCC Expected to Back Pay-Per-Channel Cable TV

Wall Street Journal is reporting that the Federal Communications Commission (FCC) is expected to back 'a la carte' pricing in the industry, instead of bundled channels. Last year's FCC report on the subject found that most U.S. households would face higher television bills if they only paid for the channels they wanted to watch. However, the FCC is now releasing a revised report that will conclude just the opposite.

Pay-Per-Channel does better serve the customer IMHO. This is long overdue too. I live in Texas but really do not know that much Spanish, so why do I have two/three Spanish channels on my extended cable? Why am I paying for them? Good Question.

FireFox 1.5 - Releasing Today?

LinuxWorld.com is reporting that Firefox will be released on Tuesday (today). Another false release? I guess we can only wait and see.
After a host of test releases and one false start, a new version of the Firefox browser will be ready on Tuesday, according to a media alert issued by the Mozilla Foundation.

Firefox 1.5 will be available for free on Tuesday afternoon, U.S. Pacific Standard Time, at
www.getfirefox.com and www.mozilla.com, according to the open-source group. A complete press release outlining the new features in Firefox 1.5, as well as some additional Mozilla news, will be issued tomorrow at the time the new version is available.

Tuesday, November 22, 2005

EFF Files Class Action Lawsuit Against Sony BMG

The Electronic Frontier Foundation (EFF), along with two leading national class action law firms, yesterday filed a lawsuit against Sony BMG, demanding that the company repair the damage done by the First4Internet XCP and SunnComm MediaMax software it included on over 24 million music CDs.

While the MediaMax software doesn't contain as many "magic tricks" as the XCP software, it is on over 20 million CDs - ten times the number of CDs as the XCP software.

MediaMax installs files on the user's computer even if they click "No" on the EULA and, like XCP, does not include a way to fully uninstall the program. Both MediaMax and XCP send data back to their owners, allowing them to track user listening habits at the flip of a switch - even though the EULA states that the software will not be used to collect personal information.

Remember the XCP EULA states that Sony is never liable to the customer for more than 5 dollars. Would Sony like to tell me where a computer can get repaired for 5 dollars??

The EFF - Defending Freedom in the Digital World.

Monday, November 21, 2005

State of Texas Sues Sony BMG over XCP

Texas Attorney General Greg Abbott today sued Sony BMG Music as the first state in the nation to bring legal action against Sony for its rootkit XCP DRM software.

This suit is the first filed under the state's spyware law of 2005. It alleges the company surreptitiously installed the spyware on millions of compact music discs (CDs) that consumers inserted into their computers when they play the CDs, which can compromise the systems.

“Sony has engaged in a technological version of cloak and dagger deceit against consumers by hiding secret files on their computers,” said Attorney General Abbott. “Consumers who purchased a Sony CD thought they were buying music. Instead, they received spyware that can damage a computer, subject it to viruses and expose the consumer to possible identity crime.”

Because of alleged violations of the Consumer Protection Against Computer Spyware Act of 2005, the Attorney General is seeking civil penalties of $100,000 for each violation of the law, attorneys’ fees and investigative costs.

This is a bold step taken by the state of Texas. Makes me proud to be a Texan. I wouldn't be surprised to see other states file suits as well. Many states passed similar anti-spyware legislation in 2005.

See the full lawsuit in PDF form. After reading the text, I don't see any possible way the state could lose.

XCP DRM Defeated by a "Piece of Tape"

Vnunet.com has a very interesting article about another XCP discovery. It isn't a new feature of the XCP rootkit, but the discovery that a very old anti-DRM trick still works.

Researchers at Gartner released this information just today.
Applying a piece of opaque tape to the outer edge of the disk renders the data track of the CD unreadable. A computer trying to play the CD will then skip to the music without accessing the bundled DRM technology.

"After more than five years of trying, the recording industry has not yet demonstrated a workable DRM scheme for music CDs," Gartner concluded in a newly published research note.

The use of a piece of tape will defeat any future DRM system on audio CDs designed to be played on a stand-alone CD player, the analyst said.
How can these DRM schemes really be worth all the money, if they are easily bypassed by a piece of tape, a magic marker or the "SHIFT" key??

Thursday, November 17, 2005

Sony Story Gets Going - Enter MediaMax

While Sony was slow to respond to the initial story of the XCP, it seems they are finally putting their money where their mouth should have been all along. This story proves that the blogosphere can make a difference in a very huge way.

Sony has taken several very positive steps in the last few days -

1) Along with an open letter to their customers, Sony has released a list of the CDs that contain the XCP DRM software - all 52 of them.

2) Not only has Sony recalled all these CDs from the stores, but they will also provide customers a free XCP-free replacement.

3) Sony states they will be releasing a complete and "secure" XCP uninstall program in the near future as well.

Sony must not be allowed to sweep this under the "carpet". Dan Kaminsky has produced an extremely striking picture of the geographic extent of rootkit-related DNS traffic. Dan collected this information using a process called DNS Cache Snooping. While these steps should be seen as a positive step in the right direction, the real case is not closed just yet.

The information against Sony keeps coming in and the world keeps fighting. Soon Sony's other DRM software, MediaMax, will be all over the news as well.

J. Alex Halderman released information today on his Freedom-to-tinker blog that the web-based uninstaller used to remove the MediaMax DRM software opens up a major security hole very similar to the one created by the web-based uninstaller for Sony's XCP. He has verified that it is possible for a malicious web site to use the SunnComm hole to take control of a PC where the uninstaller has been used. In fact, he states that the SunnComm problem is easier to exploit than the XCP uninstaller flaw. Secunia has released an advisory on this highly critical vulnerability.

EFF is collecting stories from EFF members and supporters who have purchased Sony-BMG CDs that contained SunnComm's MediaMax copy protection software. The MediaMax software is somewhat different, but similarly has no true uninstall option and establishes an undisclosed ongoing communication from the users’ computer to SunnComm. CDs with this technology include:

Amici Forever, Defined
David Gray, Life in Slow Motion
Foo Fighters, In Your Honor
My Morning Jacket, Z
Santana, All That I Am
Sarah McLachlan, Bloom Remix Album

Apple/Mac users that laughed about the XCP story can now join in on the fight against Sony, since MediaMax has been Apple/Mac compatible since 2003.

Right in the middle of this battle, the House Subcommittee on Commerce, Trade, and Consumer Protection heard from witnesses on Wednesday discussing "Fair Use: Its Effect on Consumers and Industry."

While the blogs and the stories will fade, it is very important that people know their rights and learn to defend those freedoms even in the face of a corporate giant like Sony.

Wednesday, November 16, 2005

Exploit of the Sony/First 4 Internet ActiveX Control in the Wild

Active exploits of the "Uninstall" ActiveX Control Vulnerability have been found in the wild.

Websense Labs have received reports of websites that are using the Sony DRM "Uninstaller" vulnerability as a means to perform malicious actions on end user machines.

Remember this ActiveX control will only be present on your system if you used Sony's web-based XCP decloaker.

But why use another Sony program to decloak Sony's XCP rootkit?

I would use one of the many third-party decloaking utilities, like Sophos' UnMaking Tool.

Once it is decloaked, you still have to ask yourself the following.

"Am I comfortable with the Sony's XCP software on my computer? "

Tuesday, November 15, 2005

Sony Wants to Kill Your Computer - Again

Remember the Sony web-based "patch" that removed the cloaking ability of the XCP rootkit and updated all the files to XCP2?

It appears that if you believed the magic words of Sony and ran the web-based patch, you may have dug a larger security hole into your computer than the original cloaking rootkit itself.

A post co-written by Ed Felten & J. Alex Halderman over at Freedom to Tinker explains the new security threat posed by the CodeSupport ActiveX control.

The root of the problem was in a serious security flaw in Sony's web-based uninstaller patch. When you first fill out Sony’s form to request a copy of the uninstaller, the request form downloads and installs a program – an ActiveX control created by the DRM vendor, First4Internet – called CodeSupport. CodeSupport remains on your system after you leave Sony’s site, and it is marked as safe for scripting, so any web page can ask CodeSupport to do things. One thing CodeSupport can be told to do is download and install code from an Internet site. Unfortunately, CodeSupport doesn’t verify that the downloaded code actually came from Sony or First4Internet. This means any web page can make CodeSupport download and install code from any URL without asking the user’s permission.

In short, this is the situation that Sony has created for THEIR CUSTOMERS that currently have the CodeSupport ActiveX control installed -

1) A malicious website author can write a malware program.

2) Package it up and throw it on some URL.

3) Trick the user into visiting the site that calls the above URL using IE. (Think Phishing or Pharming)

As soon as you visit the evil site, the package is downloaded to your computer and executed automatically without the user seeing a thing. You now have a non-Sony rootkit/keylogger/bot installed on your computer. Thanks again Sony. Depending on the target range of the attack, the now installed malware may not even be detected by anti-virus.

Sony has again heard the voices of the public and provided an EXE version of this uninstaller patch. As long as you have never used the web-based patch, then you should be safe from this new threat.

If you think you might have the CodeSupport ActiveX installed, try Muzzy Reboot Test.

After infecting more than half a million networks, including military and government, Sony has decided to pull the XCP CDs off the shelf.

For now, pulling the CDs off shelves "could go a long way toward making a consumer feel comfortable that the CD they just purchased isn't going to mess up their computer," says record store owner John Kunz of Waterloo Records in Austin.

If you ever feel the need to dig for vinyl records, Waterloo and Alien are both great Austin stores.

Microsoft has finally jumped in the game and joined the rest of the anti-spyware world in its view of the Sony Rootkit. Microsoft will include removal signatures for the Sony rootkit in the Windows AntiSpyware beta, the Malicious Software Removal Tool, and the Windows Live Safety Scanner. Good news for many Windows users.

To top off all the lawsuits currently in the works against Sony, a Dutch article was released today that indicates that Sony may have used the LAME LGPL mp3 encoder in their rootkit. If this is true, then Sony failed to follow the rules for using open-source software, therefore putting it in direct violation of the open-source license agreement.

Friday, November 11, 2005

Reaction to Sony's "Magic" Makes Sony Halt Production of XCP CDs

It would appear that Sony has heard the public and the world for once. They have decided to suspend the manufacture of CDs containing XCP technology. They have finally decided to put a link to their "patch" on their website also. Brilliant... and why did they not do that from the start? I wouldn't even call it a patch - more like an upgrade to XCP2 minus the cloaking.

It seems that the global security reaction to Sony's magic tricks was enough to make them stop and think about their actions - for once. In my mind, I see Sony rolling its sleeves up and saying "nothing up my sleeve".

Digital-rights advocates and consumer attorneys are preparing nearly a half dozen legal actions against the music giant. Included in the legal actions are the following -

  • Chicago-based law firm Cirignani Heller Harman & Lynch may be filing a class-action law suit.
  • San Francisco-based law firm Green Welling will be filing a class-action lawsuit against Sony to recover damages caused to consumers by the XCP CDs. The lawsuit alleges that Sony BMG has broken three Californian laws.
  • Italian digital rights group Associazione per la Libertá nella Comunicazione Elettronica Interattiva (ALCEI) filed a criminal complaint with that nation's Economic and Financial Police Division to investigate whether Italy's consumers were affected by the Sony BMG cloaking technology and, if so, whether the company, and any other music company, violated national laws and should be prosecuted.
  • Electronic Frontier Foundation (EFF) is collecting stories from EFF members and supporters who have purchased Sony BMG CDs that contained the XCP technology. They are considering litigation against Sony but have not made a final decision on the issue.
  • New York lawyer, Scott Kamber, is planning a class-action lawsuit for all Americans affected.

Antivirus and Anti-Spyware vendors are taking action as well.

There is even an online Sony DRM Boycott petition, if you want to personally express your unhappiness in the public eye.

It is my belief that Sony knew they were going into untouched waters with this rootkit-like technology, but I do also believe that they do not understand the security issues related to releasing a tool of this nature. Within the last two days, several bots have been released that are using the Sony DRM cloaking code to hide and infect users with very evil stuff.

I can only assume that spyware makers and botnet writers will start using Sony's DRM cloaking as soon as possible. They already jump on every new IE exploit like it is gold, why would this be any different? Did Sony not see this happening? Where were they?

They are busy staring at their bottom line...and it is above to drop... like it's hot.

Thursday, November 10, 2005

Sony DRM / Rootkits - Why You Need to Care

In August 2005, I received a virus alert in my e-mail. It was from a computer in the financial department - it was infected with a rootkit. Not the best way to start out a day, but stuff happens. We looked over the file and I reported it to our anti-virus vendor. The vendor responded that it was not a false positive and that we should treat it like a normal rootkit. Here was the detection -

Virus Troj/RKProc-Fam detected in:"C:\WINNT\system32\$sys$filesystem\aries.sys"
Disinfection unavailable.

Thanks to my friends at TRE Research for reverse engineering the above file with IDA Pro. Check that out here.

The threat was removed but I kept the file for several months. On Nov 9th, I tested the file at VirusTotal.com and it was no longer detected as a rootkit. Study the filename closely and remember it as you read the rest of this blog.

On the morning of October 31, I started my day like every other day. I was looking over the standard security websites, reading Full-Disclosure and drinking my coffee. I ran across Mark Russinovich's Blog that morning but my eye didn't get past the title for some reason. I was asked to work on a network device, so I started my day.

But later I came back to Mark's blog entry for Oct 31 and was very impressed with what he had found. In the process of testing the latest version of Sysinternals' RootKit Revealer, he had discovered hidden software on his computer. Mark, like many in the security community, does not like to find surprises hiding in his computer. He started a basic forensic breakdown on the software and found that it was connected to a company not normally known for its rootkit technology - Sony BMG.

Digging deeper, he found that the main driver of the rootkit (aries.sys) was designed by the UK firm - First 4 Internet. This driver is part of a new Digital Rights Management package from Sony called Extended Copy Protection (XCP). This new software is installed onto your computer when you attempt to listen to certain copyright-protected music CDs. When the CD is inserted into the computer, it automatically runs the software and presents the user with a common End User License Agreement. The EULA tells the user that a special player needs to be installed to listen to the CD but fails to fully describe the "player" software. If you agree to the install, the software installs itself onto the computer, hooks its "claws" into the kernel and cloaks itself using standard "rootkit technology".

"Rootkit technology" in a simple yet very broad sense can be seen as a piece of software that hooks into the lowest level of a computer and attempts to cloak itself using many techniques. In general this cloaking ability will enable a piece of software to hide from the operating system itself and even lie about its existence to applications that run at "levels" higher than itself. This means that the rootkit can lie to anti-virus, running process detection software, anti-spyware and other applications that may hint at its existence. But you have to remember, the hooking is separate from the cloaking. Kernel hooking is in itself a valid programming technique used by some anti-virus vendors, anti-spyware vendors and IDS/IPS vendors.

This is where the water gets dirty however. Sony's rootkit driver cloaks ANY file or folder that has $sys$ in the filename. Sony stated that the cloaking rootkit does not increase the security risk to the normal user, but I will state the opposite. This does make a computer more vulnerable overall and puts the casual user at greater risk. I also stated this in a small e-mail interview with TechTarget/SearchSecurity.com yesterday.

Sony's statement about the security risk only proves to the public that they do not understand the security risk of their rootkit technology. Sony misled the public about the risk only to save its image (aka bottom line), nothing more. If they are aware of the increased risk, then this proves they lied to the public. If they are not aware of the increased risk, this proves they do not understand the technology they are forcing onto millions of computers and therefore should have never started down this road in the first place.

Just today, a Trojan was discovered using Sony's cloaking driver to hide itself. This Trojan would normally have to contain code to hook itself into the kernel. But who needs the code, when Sony already has the hooks in place? The Trojan only needs to have $sys$ in its name to hide from the user and operating system.

Under the recent public pressure, Sony and First 4 Internet have released a "patch" that decloaks the DRM software but doesn't remove it at all. It actually updates the DRM software to new versions.

Sony's rootkit-like tricks are not the real legal problem however. There are two main legal problems with Sony's actions -

1) Sony's attempt to mislead the public about the software and its security risk - multiple times.
2) Sony's lack of disclosure in their EULA about the true nature of the software and how it is impossible to remove for a normal computer user.

See the Electronic Frontier Foundation's report on the Sony BMG EULA.

A class-action lawsuit has been started in the state of California, a nationwide class-action lawsuit is expected to be filed in the state of New York this week and there could be criminal cases brought against Sony under the "U.S. Computer Fraud and Abuse Act" and the UK's "Computer Misuse Act of 1990". Italian police have been asked by the ALCEI-EFI in Italy to investigate Sony's DRM code as well.

Computer Associates International said today it is now classifying Sony's software as spyware and will begin searching for and removing XCP with its anti-spyware software, starting on November 12. I can only hope that other vendors will follow suit.

How much trouble will Sony get into? Only time will tell...

In the meantime, conduct a simple test on your computer. Create a new folder on your desktop and name it test. Then rename the folder to $sys$test. If the folder disappears, your computer is infected with Sony's new DRM software. Then do two things -

1) E-mail Sony to thank them for putting your system at increased security risk.
2) Wipe your computer and install everything fresh or use Sophos' UnMasking Tool to decloak the DRM Software. It will not remove it however.

Monday, October 31, 2005

Microsoft's WSYP Project - Customer Feedback for the Digital Age

Microsoft's WSYP (We Share Your Pain) is a new project spearheaded by Mauro Meanti in Microsoft's UK Office.

Check the Microsoft TechNet video for all the details. Every Windows user should watch it, IMHO.

Key Features developed by the project include - Micro-Stun option, Micro-Impact option and the Micro-Jab option.

Friday, October 28, 2005

Wireless Network Detection 101

Wireless Detection Tools can be divided into two major groups - Active Scanning or Passive Scanning.

Active scanning detection tools are noisy and are much more likely to be detected by IDS. They send out probe requests on all available channels at the rate of about once a second. All wireless access points that are set to broadcast their SSID will respond. Most Windows-based WLAN tools are in this group, including NetStumbler.

NetStumbler can be called the de facto wireless detection tool for the Windows platform. It is very easy to set up and free (free as in beer). There are many wireless tools for Windows but most aren't cheap and do more than just detection. Airopeek NX is a perfect example.

If you want to use NetStumbler while staying connected to a wireless network, check out this nice hack by Israel Torres. By using a hex editor, he was able to reactivate the Wireless Zero Configuration service for Windows XP.

Passive scanning detection tools are, well, passive. Most passive tools change the run state of your wireless card so that it stops sending packets out and only listens. This is often called monitor or promiscuous mode. Most of the time this is only possible on Linux/BSD operating systems, therefore most passive tools are designed for these systems.

This gives them a huge advantage over active scanning systems for three reasons.

1) Less Likely to set off IDS or IPS systems.
2) Able to detect non-broadcasting (cloaked) wireless networks.
3) Some passive tools can detect the use of active scanning tools.

Kismet is by far my favorite and one of the best passive wireless detection tools in the world IMHO. It is the program that all other wireless detection tools are measured against.

In terms of Linux software, the Kismet program itself isn't too hard to set up, but getting your wireless card to work in Linux with the correct drivers is normally the hardest part. Drivers sometimes have to be patched to support monitor mode. But once it is working, you will be able to detect almost any wireless network (using the correct wireless card, of course =).

This is a very simple view of the wireless detection world however. Throw in encryption and GPS and you could easily fill up a book or two.

Thursday, October 27, 2005

Unique Web-Based File Systems

What do you think of when you hear the term "Web-Based File Systems"? Do simple web services like Xdrive pop into your head? Xdrive is a secure web-based file system, but it isn't free.

This is where the world of hacking meets the world of need. You need to store your files online, but you don't own an internet-connected server and you don't want everyone in the world to read them. So what do you do? Check out these unique options.

Gmail Drive for Windows - creates a virtual file system on top of your Google Gmail account and enables you to save and retrieve files stored on your Gmail account directly from inside Windows Explorer.

Gmail drive type programs based on the same idea exist for both Linux and Mac OS X as well.

Encrypting the data before it is stored online increases the security, of course. Why not use free open source tools for the encryption step as well?

GPG has always been my program of choice on Linux. It is installed by default on most Linux distros, so getting it up and working is almost painless. In Windows, you will have to install GnuPG from binaries to get the same features, but it isn't too hard either. There appears to even be a Mac OS X release of GnuPG.

This Gmail trick isn't anything new however. For total uniqueness, check out TinyDisk.

TinyDisk stores AES-encrypted data in TinyURL.com's database! It basically takes your file, encrypts it using 128-bit AES, cuts the file into parts and then submits those parts as URLs (base64 encoded) to TinyURL. TinyDisk stores the hashes returned by TinyURL along with the AES encryption key in a metafile.
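The store-and-restore cycle just described, as an added example in Go that is not TinyDisk's own code: an in-memory map stands in for TinyURL's database, and AES-128-GCM is assumed as the mode (the post only says 128-bit AES), so that a chunk that is altered or purged from the shortener is caught at decryption time instead of silently corrupting the file.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// Shortener stands in for TinyURL's database (constructed for this example): short id -> submitted "URL".
type Shortener map[string]string
// Metafile is the local secret TinyDisk keeps: the returned ids plus the AES key (and nonce). Guard it like the file.
type Metafile struct {
	Key, Nonce []byte
	IDs        []string
}
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 16-byte key selects AES-128
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// Store encrypts data with AES-128-GCM, base64-encodes the ciphertext, cuts it into
// chunkSize pieces and submits each piece to the shortener as if it were a URL.
func Store(t Shortener, data []byte, chunkSize int) (*Metafile, error) {
	kn := make([]byte, 28) // 16-byte key followed by a 12-byte GCM nonce
	if _, err := rand.Read(kn); err != nil { return nil, err }
	m := &Metafile{Key: kn[:16], Nonce: kn[16:]}
	gcm, err := newGCM(m.Key)
	if err != nil { return nil, err }
	enc := base64.URLEncoding.EncodeToString(gcm.Seal(nil, m.Nonce, data, nil))
	for i := 0; i < len(enc); i += chunkSize {
		end := i + chunkSize
		if end > len(enc) { end = len(enc) }
		id := fmt.Sprintf("t%06d", len(t)+1) // mimics the hash TinyURL hands back
		t[id] = enc[i:end]
		m.IDs = append(m.IDs, id)
	}
	return m, nil
}
// Restore reassembles the chunks and decrypts; GCM's tag check fails if any chunk was altered, reordered or lost.
func Restore(t Shortener, m *Metafile) ([]byte, error) {
	var enc string
	for _, id := range m.IDs { enc += t[id] }
	ct, err := base64.URLEncoding.DecodeString(enc)
	if err != nil { return nil, err }
	gcm, err := newGCM(m.Key)
	if err != nil { return nil, err }
	return gcm.Open(nil, m.Nonce, ct, nil)
}
```

Note that the metafile is the real secret here: whoever has it can pull the chunks back out of the public shortener and decrypt them, so it deserves the GPG treatment mentioned above rather than a plain text file.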

Pretty cool eh? Right now, TinyURL doesn't verify if the submitted data is a valid URL link and it doesn't limit the amount of data submitted. That could be a huge problem for TinyURL. Luckily, the creator of TinyDisk built in the protection for them.

Want to play with TinyDisk, but don't like the idea of filling TinyURL's database? Check out Nanourl.

I would guess that changes will be made to TinyURL in response to this program. Is it the best web-based file system? Nah. But it is the most unique I have seen. Two Cheers to the Ad-wizards that came up with this one.