BitTorrent serves malware directly from website – no need for P2P!

Back in 2001, when BitTorrent was first announced, it seemed inevitable – and, at the same time, implausible – that a commercial company based around its social approach to file sharing would emerge and succeed, despite its novelty.

Inevitable, because the sheer popularity of peer-to-peer file sharing means that the potential return for any company successfully commercialising a popular P2P client is enormous.

Implausible, because the indelible association between P2P and piracy means that potential risk of burning out in lawsuits from copyright holders is vast.

But the creator of BitTorrent, Bram Cohen, did create a company out of his codebase, and BitTorrent, Inc. is effectively today’s Torrent mothership.

The company is also the custodian of two popular Torrent clients: the so-called Mainline version, and its extremely popular compact cousin, uTorrent.

(The character u is commonly, if confusingly, used in Latin alphabets to represent the Greek letter μ. Short for micro, it’s pronounced in English as mew, as in cat. So much for internationalisation.)

In its ten-year history, BitTorrent – the protocol, not the company – has become well known for facilitating the unregulated sharing of arbitrary material. Indeed, it’s become quite the way to find all the ripped-off software, films, TV shows and porn you might need. Unsurprisingly, the cybercrooks love that sort of neo-anarchic mix, because it makes it easy for them to expose you to your fair share of malware.

Unfortunately, however, even if you are one of the many entirely law-abiding users of BitTorrent, the folks at BitTorrent, Inc. may recently have put you in harm’s way.

According to a really-ought-to-be-more-visible warning on the download pages of www.bittorrent.com and www.utorrent.com, a breach of the two servers resulted in a two-hour window in which downloading BitTorrent’s software would have given you a fake anti-virus program instead.

This morning [13 Sep 2011 on the US West Coast] at approximately 4:20 a.m. PT, the uTorrent.com and BitTorrent.com Web servers were compromised. Our standard software download was replaced with a type of fake antivirus "scareware" program.

Just after 6:00 a.m. PT, we took the affected servers offline to neutralize the threat. Our servers are now back online and functioning normally.

BitTorrent, Inc. identifies the malware as belonging to the Security Shield scareware family. Program files under this “brand” of fake anti-virus should be mopped up by Sophos Anti-Virus as CXmal/FakeAV-A.

Confusingly, the BitTorrent blog has recently been updated to claim that the software available from the www.bittorrent.com URI was not affected, implying that only those who downloaded uTorrent during the infection window would be at risk.

Since the two sites share the same network infrastructure – both resolve to the same IP address in Limelight Networks’ cloud – you might want to ignore that blog update, assume that any recent download from BitTorrent, Inc. was dodgy, and give yourself a thorough anti-malware checkover.

I’d also ignore the time window, since BitTorrent used the annoyingly ambiguous abbreviation “PT” to denote the timezone. I’m guessing they meant to say UTC-7, but they didn’t.

Update. Allison at BitTorrent got in touch to say she’s updated the official report to make it clear: Pacific Daylight Time, UTC-7. Thanks for listening, Allison!

PS. If you will forgive some mild commercialism, you can download a fully-functional trial of Sophos Endpoint Security and Control – with detection AND cleanup included, unlike with scareware! – from our website. Registration is required, and you will get contacted by Sales. But for one month, you can use the product as widely as you like at home or in your business. And you’re entitled to our award-winning 24/7 support by email and phone throughout. Give it a go. You know it makes sense. (Did I get that right? Is that how salespeople speak?)



.HLPing Targeted Attacks

Thanks to Takayoshi Nakayama for his research and contributions to this blog.

Targeted attacks have been a pretty popular topic of discussion in the security industry in recent years. Many may recall the incident involving Hydraq—from January 2010—and Shady RAT was something discussed more recently.

Most targeted attacks involve emails with malware attachments as the trigger point of the attack. Once a computer is infected with the malware, an attacker can compromise not only the computer, but can also work to expose the infrastructure of the targeted organization and the sensitive data it possesses.

In the early stages of the targeted attacks involving emails that I started seeing around 2005, attachments included files such as Word documents, Excel spreadsheets, PowerPoint presentations, and even Access database files. At some point along the way, PDF files as attachments came along. Of course, we can’t forget about the simple executables with forged icons that looked like Microsoft Office files. Targeted attacks have also used regional software as well. Software such as Ichitaro, developed by the Japanese vendor Justsystem, is a common target. Lhaca archiving software (developed by a Japanese author) was also exploited.

Now we’re seeing the Windows Help File (.hlp) extension being used to deliver these attacks. .hlp files are typically used by Windows Help, a program included in Windows that allows users to search for and read help details. An .hlp file typically contains documentation and indexes for software and Windows. .hlp files are not new to the malware game; they have long been used, but not as email attachments for the infection vector.

So, why use this type of file? The reason may be because the attackers do not have to rely on vulnerabilities like they do for the other file types I mentioned above. Usually, a vulnerability needs to be exploited in order for malicious files to execute code. If the targeted system is patched, the attack will not succeed. However, .hlp files can call the Windows API and therefore run the shell code encoded in the file. So, by enticing a user to open an .hlp file, malicious files can easily be dropped onto a system. But from a user’s point of view, the only thing that happens is that Windows Help opens (as shown below).

Under normal circumstances, no user should ever receive .hlp files by email. However, email recipients can easily recognize the icon for the .hlp file type, as shown below:

Of the samples I have observed, none have forged icons. So, avoiding these files is relatively simple compared to other file types. However, since human beings are not perfect, one out of the many targets will eventually end up opening it. So, for those administrators securing their networks, if there isn’t any justification for allowing .hlp files to be delivered by email, I would advise that the file extension be filtered out.
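As an added example (not code from this post or from Symantec), here is the kind of mail-gateway check the advice above calls for, written in Python: it quarantines attachments that are Windows Help files either by their .hlp extension or by the WinHelp file signature, so a sample renamed to hide the extension is caught as well. The test message is constructed inline, and the 4-byte signature is assumed from the WinHelp file format rather than taken from the post.

```python
import email
from email import policy
from email.message import EmailMessage

# WinHelp (.hlp) files begin with a fixed 4-byte signature (assumed from the
# WinHelp file format); checking it catches attachments renamed to hide .hlp.
WINHELP_MAGIC = b"\x3f\x5f\x03\x00"
BLOCKED_EXTENSIONS = {".hlp"}


def is_winhelp(filename, data):
    """True if the attachment looks like a Windows Help file, judged by
    its extension or by its leading signature bytes."""
    name = (filename or "").lower()
    if any(name.endswith(ext) for ext in BLOCKED_EXTENSIONS):
        return True
    return data[:4] == WINHELP_MAGIC


def flagged_attachments(raw_message):
    """Parse a raw RFC 822 message and return the filenames of attachments
    that should be quarantined because they carry WinHelp content."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if is_winhelp(part.get_filename(), payload):
            flagged.append(part.get_filename())
    return flagged


def build_sample_message():
    """Constructed test message: one benign text attachment, one file with
    the .hlp extension, and one WinHelp payload renamed to .txt."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Quarterly report"
    msg.set_content("See attached.")
    msg.add_attachment("plain text", filename="notes.txt")
    msg.add_attachment(WINHELP_MAGIC + b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename="report.hlp")
    msg.add_attachment(WINHELP_MAGIC + b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename="readme.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name in flagged_attachments(build_sample_message()):
        print("quarantine:", name)
```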

Microsoft Patch Tuesday – September 2011

Hello and welcome to this month’s blog regarding the Microsoft patch release. This is a smaller month in terms of patches—the vendor has released five bulletins covering a total of 15 vulnerabilities.

This month, all of the issues are rated “Important” and they affect Windows, Office, Excel, and SharePoint. Of note this month are the Office and Excel issues, which can be exploited to execute arbitrary code if a user opens a specially malformed file.

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.
- Run all software with the least privileges required while still maintaining functionality.
- Avoid handling files from unknown or questionable sources.
- Never visit sites of unknown or questionable integrity.
- Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft’s summary of the September releases can be found here:
http://www.microsoft.com/technet/security/bulletin/ms11-sep.mspx

The following is a breakdown of the issues being addressed this month:

1. MS11-073 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2587634)

CVE-2011-1980 (BID 49519) Microsoft Office Shared Component CVE-2011-1980 DLL Loading Arbitrary Code Execution Vulnerability (MS Rating: Important / Symantec Rating: 8.5/10)

A remote code-execution vulnerability affects Office due to the way it loads DLL files. An attacker can exploit this issue by tricking an unsuspecting victim into opening an Office file from a remote SMB or WebDAV share. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the user running the affected application.

CVE-2011-1982 (BID 49513) Microsoft Office 'MSO.dll' Uninitialized Pointer (CVE-2011-1982) Remote Code Execution Vulnerability (MS Rating: Important / Symantec Rating: 7.1/10)

A remote code-execution vulnerability affects Office when handling a specially crafted Word file. An attacker can exploit this issue by tricking an unsuspecting victim into opening a malicious file. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the user running the affected application.

2. MS11-072 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2587505)

CVE-2011-1986 (BID 49476) Microsoft Excel Malformed Object CVE-2011-1986 Remote Code Execution Vulnerability (MS Rating: Important / Symantec Rating: 7.1/10)

A remote code-execution vulnerability affects Excel when handling a malformed file. An attacker can exploit this issue by tricking an unsuspecting victim into opening a specially crafted Excel file. Successful exploits will result in the execution of arbitrary attacker-supplied code in the context of the user running the affected application.

CVE-2011-1987 (BID 49477) Microsoft Excel Array Indexing CVE-2011-1987 Remote Code Execution Vulnerability (MS Rating: Important / Symantec Rating: 7.1/10)

A remote code-execution vulnerability affects Excel when handling a malformed file. An attacker can exploit this issue by tricking an unsuspecting victim into opening a specially crafted Excel file. Successful exploits will result in the execution of arbitrary attacker-supplied code in the context of the user running the affected application.

CVE-2011-1988 (BID 49478) Microsoft Excel Malformed Record CVE-2011-1988 Remote Code Execution Vulnerability (MS Rating: Important / Symantec Rating: 7.1/10)

A remote code-execution vulnerability affects Excel when handling a malformed file. An attacker can exploit this issue by tricking an unsuspecting victim into opening a specially crafted Excel file. Successful exploits will result in the execution of arbitrary attacker-supplied code in the context of the user running the affected application.

CVE-2011-1989 (BID 49518) Microsoft Excel Conditional Expression CVE-2011-1989 Remote Code Execution Vulnerability (MS Rating: Important / Symantec Rating: 7.1/10)

A remote code-execution vulnerability affects Excel when handling a malformed file. An attacker can exploit this issue by tricking an unsuspecting victim into opening a specially crafted Excel file. Successful exploits will result in the execution of arbitrary attacker-supplied code in the context of the user running the affected application.

CVE-2011-1990 (BID 49517) Microsoft Excel Array Index CVE-2011-1990 Remote Code Execution Vulnerability (MS Rating: Important / Symantec Rating: 7.1/10)

A remote code-execution vulnerability affects Excel when handling a malformed file. An attacker can exploit this issue by tricking an unsuspecting victim into opening a specially crafted Excel file. Successful exploits will result in the execution of arbitrary attacker-supplied code in the context of the user running the affected application.

3. MS11-074 Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege (2451858)

CVE-2011-0653 (BID 49002) Microsoft SharePoint Calendar CVE-2011-0653 Cross Site Scripting Vulnerability (MS Rating: Important / Symantec Rating: 7.1/10)

A cross-site scripting vulnerability affects SharePoint because it does not properly handle JavaScript elements in a URI. An attacker can exploit this issue by tricking an unsuspecting victim into following a malicious URI. A successful exploit will allow an attacker to disclose potentially sensitive information, perform actions on the targeted site in the context of the victim, or execute arbitrary script code in the browser in the context of the targeted site.

CVE-2011-1252 (BID 48199) Microsoft Internet Explorer 'toStaticHTML' HTML Sanitizing Information Disclosure Vulnerability (MS Rating: Important / Symantec Rating: 6.7/10)

A previously public (June 14, 2011) information-disclosure vulnerability affects SharePoint due to the way the SafeHTML function sanitizes HTML. An attacker may be able to exploit this issue to conduct cross-site scripting attacks.

CVE-2011-1890 (BID 49010) Microsoft SharePoint 'EditForm.aspx' CVE-2011-1890 Script Injection Vulnerability (MS Rating: Important / Symantec Rating: 7.1/10)

A cross-site scripting vulnerability affects SharePoint because it does not properly sanitize data supplied to the ‘EditForm.aspx’ page. An attacker can exploit this issue by tricking an unsuspecting victim into following a malicious URI. A successful exploit may allow an attacker to disclose potentially sensitive information, perform actions on the targeted site in the context of the victim, or execute arbitrary script code in the browser in the context of the targeted site.

CVE-2011-1891 (BID 49005) Microsoft SharePoint Contact Details CVE-2011-1891 Cross Site Scripting Vulnerability (MS Rating: Important / Symantec Rating: 7.1/10)

A cross-site scripting vulnerability affects SharePoint because it does not properly sanitize certain SharePoint parameters. An attacker can exploit this issue by tricking an unsuspecting victim into following a malicious URI. A successful exploit will allow an attacker to disclose potentially sensitive information, perform actions on the targeted site in the context of the victim, or execute arbitrary script code in the browser in the context of the targeted site.

CVE-2011-1892 (BID 49511) Microsoft SharePoint XML Handling Remote File Disclosure Vulnerability (MS Rating: Important / Symantec Rating: 5/10)

An information-disclosure vulnerability affects SharePoint because it fails to properly restrict the use of XML classes. An authenticated attacker can exploit this issue to retrieve arbitrary files from the SharePoint service in the context of the Web service. Information obtained may aid in further attacks.

CVE-2011-1893 (BID 49004) Microsoft SharePoint Calendar CVE-2011-0653 Cross Site Scripting Vulnerability (MS Rating: Important / Symantec Rating: 7.1/10)

A cross-site scripting vulnerability affects SharePoint because it does not properly sanitize URI input. An attacker can exploit this issue by tricking an unsuspecting victim into following a malicious URI. A successful exploit may allow an attacker to disclose potentially sensitive information, perform actions on the targeted site in the context of the victim, or execute arbitrary script code in the browser in the context of the targeted site.

4. MS11-071 Vulnerability in Windows Components Could Allow Remote Code Execution (2570947)

CVE-2011-1991 (BID 47741) Multiple Microsoft Products DLL Loading Arbitrary Code Execution Vulnerability (MS Rating: Important / Symantec Rating: 8.5/10)

A previously public (May 6, 2011) remote code-execution vulnerability affects Windows due to the way certain components load DLL files. An attacker can exploit this issue by enticing an unsuspecting victim to open a file on a remote SMB or WebDAV share. Successful exploits will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

5. MS11-070 Vulnerability in WINS Could Allow Elevation of Privilege (2571621)

CVE-2011-1984 (BID 49523) Microsoft Windows WINS Server 'ECommEndDlg()' Local Privilege Escalation Vulnerability (MS Rating: Important / Symantec Rating: 8/10)

A local privilege-escalation vulnerability affects Windows Internet Name Service (WINS) when handling a series of malformed packets sent over the loopback interface. A successful exploit will allow an attacker to elevate their privileges to local-system. This may facilitate a complete compromise of an affected computer.

-------------

More information on the vulnerabilities being addressed this month is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.

TA11-256A: Microsoft Updates for Multiple Vulnerabilities

Original release date: September 13, 2011
Last revised: --
Source: US-CERT

Systems Affected

  • Microsoft Windows
  • Microsoft Office
  • Microsoft Server Software

Overview

There are multiple vulnerabilities in Microsoft Windows, Microsoft Server Software, and Microsoft Office. Microsoft has released updates to address these vulnerabilities.


I. Description

The Microsoft Security Bulletin Summary for September 2011 describes multiple vulnerabilities in Microsoft Windows, Microsoft Server Software, and Microsoft Office. Microsoft has released updates to address the vulnerabilities.


II. Impact

A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.


III. Solution

Apply updates

Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for September 2011. That bulletin describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS).


IV. References



Feedback can be directed to US-CERT.


Produced 2011 by US-CERT, a government organization.


Revision History

September 13, 2011: Initial release