Attack Exploits Windows Zero-Day Elevation of Privilege Vulnerability

On November 27, Microsoft issued a security advisory regarding the recent discovery of a zero-day vulnerability in a kernel component of Windows XP and Windows Server 2003. The advisory states that the Microsoft Windows Kernel 'NDProxy.sys' Local Privilege Escalation Vulnerability (CVE-2013-5065) can allow an attacker to execute arbitrary code with kernel-level privileges. Successful exploits will result in the complete compromise of affected computers.

Symantec is aware of the attacks attempting to exploit the vulnerability and confirms the attacks have been active since the beginning of November. The attack arrives as a malicious PDF file with file names such as syria15.10.pdf or Note_№107-41D.pdf, likely by an email attachment, although there is a possibility that targeted users are being enticed to download the malicious file from a website prepared by the attacker.

Upon successful exploitation of the vulnerability, another malicious file, observed since mid-October, is dropped onto the compromised computer which Symantec detects as Trojan.Wipbot. This Trojan collects system information and connects to a command-and-control (C&C) server. Symantec telemetry is currently reporting a small number of detections for malicious PDFs in various countries including India, Australia, United States, Chile, Hungary, Germany, Norway, and Saudi Arabia.

Figure. Distribution of attacks exploiting the vulnerability

Symantec may also detect this attack as Trojan.Pidief and Suspicious.Cloud.7.F. The following antivirus detection and Intrusion Prevention System (IPS) signature has also been added to detect the exploit code and block any downloads:

No patch is available for the Windows vulnerability, however, Microsoft has provided a workaround in its security advisory.

As always, we recommend computers be kept up to date with the latest software patches and to use the latest Symantec technologies and incorporate the latest Symantec consumer and enterprise solutions to best protect against attacks of this kind.

TV news team falls for Facebook doppelgänger scam

The doppelgänger Facebook profile scraped from WBAL producer Chris Dachille convinced many of his friends that it was actually him—and then spammed them with requests for money and malicious links.

Reporters and producers at a television station in Baltimore recently found out the hard way that they shouldn't blindly accept Facebook friend requests. Last month, they found that their profiles had been cloned by an attacker who quickly used their network of friends to spread malicious links and ask for money.

Attacks on media organizations' social media accounts have been at an all-time high this past year, including "hacktivist" and state-sponsored attacks on media outlets from the Syrian Electronic Army. But the attack on the staff of WBAL-TV was directed toward staff members' personal accounts. And this initiative was a more workaday one, less targeted at the station itself than the friends, co-workers, and viewers who were connected to the cloned accounts.

Because some of WBAL's staff members mixed their personal and professional social networking together, the attack gave the scammer access to a huge audience's Facebook news feeds. After the attack was discovered, it took weeks for Facebook to shut down the fake accounts.

Read 12 remaining paragraphs | Comments

Microsoft Releases Security Advisory for Microsoft Windows Kernel

Original release date: November 28, 2013

Microsoft has released Security Advisory 2914486 to address a vulnerability in a kernel component of Windows XP and Windows Server 2003. This vulnerability could allow an attacker to obtain elevation of privilege and then execute arbitrary code. Microsoft is aware of limited, targeted attacks that attempt to exploit this vulnerability in the wild.

US-CERT encourages users and administrators to review Microsoft Security Advisory 2914486. Please note that the advisory indicates that the workaround does not correct the vulnerability, but it may help mitigate risk against known attack vectors.

US-CERT will provide additional information as it becomes available.

This product is provided subject to this Notification and this Privacy & Use policy.

New Linux worm targets routers, cameras, “Internet of things” devices

Researchers have discovered a Linux worm capable of infecting a wide range of home routers, set-top boxes, security cameras, and other consumer devices that are increasingly equipped with an Internet connection.

Linux.Darlloz, as the worm has been dubbed, is now classified as a low-level threat, partly because its current version targets only devices that run on CPUs made by Intel, Symantec researcher Kaoru Hayashi wrote in a blog post published Wednesday. But with a minor modification, the malware could begin using variants that incorporate already available executable and linkable format (ELF) files that infect a much wider range of "Internet-of-things" devices, including those that run chips made by ARM and those that use the PPC, MIPS, and MIPSEL architectures.

"Upon execution, the worm generates IP addresses randomly, accesses a specific path on the machine with well-known ID and passwords, and sends HTTP POST requests, which exploit the vulnerability," Hayashi explained. "If the target is unpatched, it downloads the worm from a malicious server and starts searching for its next target. Currently, the worm seems to infect only Intel x86 systems, because the downloaded URL in the exploit code is hard-coded to the ELF binary for Intel architectures."

Read 4 remaining paragraphs | Comments