Security Research | Page 59

Flash exploits targeting the old integer overflow vulnerability (CVE-2007-071) in Flash Player are still relatively active and multiplying on the basis of the early exploit code, with more or less slight differences. One such variation was rendered tremendously more stealthy and reliable thanks to the use of a Flash run-time packer spawning a multiplexer component. It is caught as SWF/Dloader!exploit by Fortinet, yet detection of this peculiar variant across the spectrum of antivirus products is still extremely scarce. Let's lift the lid...
by Bin Liu  |  Nov 20, 2009  |  Filed in: Security Research
Since my last post on Jane Doe and Bredolab, John has been slightly jealous of her fame. He told me that he too, as manager of the returned material service, was dealing with plenty of parcels and that he could have been the perfect target. As I was curious to see what a genuine shipment company e-mail looked like (to compare it with Bredolab), I asked him if I could have a quick look at his mailbox. I had hardly started reading his e-mails when I ran into one that immediately gave me a start. For those of you who do not speak French, I have...
by Axelle Apvrille  |  Nov 16, 2009  |  Filed in: Security Research
Laurent Gaffié disclosed on Nov. 11 on his blog a proof of concept written in Python. This occurred just the day after Black Tuesday, and it seems the author does not follow responsible disclosure: he decided to publicly disclose the code, as he disagreed with Microsoft's answer (they wanted to delay the patch to a service pack rather than a Black Tuesday patch). This piece of code (see Figure 1) has been verified to successfully remotely crash Microsoft Windows 7 and Windows 2008-R2. It is caused by sending a specially crafted NetBIOS header...
by David Maciejak  |  Nov 13, 2009  |  Filed in: Security Research
Do you remember Asprox, the botnet that used SQL injection attacks combined with results from search engines like Google to automatically infect Microsoft IIS powered websites? We did a talk (slides) at the last Virus Bulletin about that, and for about a month now, we've been seeing some new variants in the wild. Like last December, a blind SQL injection targeting ASP pages using Transact-SQL is attempted using the following chain as a request argument: DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C41524520405420564...%20AS%20VARCHAR(4000));EXEC(@S) Once...
by David Maciejak  |  Nov 06, 2009  |  Filed in: Security Research
Today, I feel like telling you a true story that happened at Fortinet, the story of Jane Doe. Jane Doe works for Human Resources at the reception desk, so she is used to receiving lots of mail, UPS or DHL parcels for the company. Some time ago, Jane received an e-mail from DHL notifying her they had been unable to deliver a parcel (see figure below). She does handle plenty of DHL parcels every day; consequently, she did not give this e-mail any particular attention and, quite absent-mindedly, tried to open the attachment. Fortunately, she did...
by Axelle Apvrille  |  Nov 05, 2009  |  Filed in: Security Research
Heap Spraying is a technique that can effectively increase the reliability of flaw exploitation code (aka "exploits") on various OSes and, in many cases, go as far as enabling an exploit that would practically not "work" otherwise. It contributed tremendously to the popularity of exploits targeting Web browsers over the last few years. As a matter of fact, it ended up bothering Microsoft to the extent that a protection against Heap Spraying was introduced in IE8. Besides Internet Explorer, Microsoft Office is also a privileged target of vulnerability researchers,...
by Bin Liu  |  Nov 02, 2009  |  Filed in: Security Research
The papers Bryan, Guillaume and I presented at Virus Bulletin 2009 have been available on the FortiGuard Center since yesterday:
'I am not a numero!': assessing global security threat levels - Bryan Lu
Fighting cybercrime: technical, juridical, and ethical challenges - Guillaume Lovet
Botnet-powered SQL injection attacks: a deeper look within - David Maciejak & Guillaume Lovet
It's the 4th year in a row that Fortinet has had at least one paper in the line-up, but the first time we hit a count of three presentations. The conference was held...
by David Maciejak  |  Oct 29, 2009  |  Filed in: Security Research
Our October 2009 Threat Landscape Report has been posted, and it highlights some significant movement on the threat landscape. As always, be cautious out there: this month's report underscores the dangerous state of cyberspace (see "Danger, Danger" below). We hit some milestones this period, with total detected malware volume at its highest in more than a year. While this volume has been generally increasing over the past six months, it surged significantly towards the end of September and through October. In fact, detected volume this...
by Derek Manky  |  Oct 28, 2009  |  Filed in: Security Research
If smart phones were human, we would most probably compare them to assistants: you know, those organized persons we rely on to cope with our own lack of memory, who will remind us of any important meeting and never lose any valuable phone number. Others would perhaps compare them to close friends to whom one can tell secrets (your bank PIN?) or with whom one shares a few holiday or family pictures. It looks like few of us consider the betrayal of such a close friend, turning him/her into our worst enemy. Yet, this is exactly what mobile phone...
by Axelle Apvrille  |  Oct 27, 2009  |  Filed in: Security Research
I previously wrote about the popularity of document exploits ("poisoned documents"), noting that such exploits would be well suited for targeted attacks on social networks. The usage of PDF has become ubiquitous on the World Wide Web, supported on many platforms, from desktops to smartphones. While most attacks still concentrate on one platform, innovative exploitations continue to arise, opening the door to further attack avenues. Such exploitations typically require much time and effort, which is clearly being invested and is a good indicator...
by Derek Manky  |  Oct 19, 2009  |  Filed in: Security Research