News Blog
January 10, 2008 12:24 PM PST

Why are criminals still exploiting an old patched vulnerability?

by Robert Vamosi

Within the last week, two large-scale releases of malicious code have included exploits for a vulnerability that Microsoft patched in April 2006. The weekend's defacement of more than 70,000 Web sites and the installation of an MBR rootkit both rely on exploiting a number of older vulnerabilities, including MS06-014. Why bother?

The original security bulletin for MS06-014 was posted back in April 2006. It concerned a flaw within the Microsoft Data Access Components (MDAC), specifically within the RDS.Dataspace ActiveX control, which is part of the ActiveX Data Objects (ADO) distributed in MDAC. Shortly after the patch was available, an exploit was published to the Web.

Roger Thompson, chief research officer at Grisoft, said in an e-mail, "MS06-014 works really well, and it's really easy to use and modify. It's shocking that it's still producing enough to make it worth their while, but it must be so."

Shortly after MS06-014 was published, Microsoft released Windows XP SP2, which, among other things, includes all the previous Windows XP security patches.

Given the exploit's revival, there must be a large number of machines still running Windows with XP SP1 or before.

Thompson said the continued use of older exploits "underlines how hard it is to do a new exploit, as opposed to just using someone else's." Thompson, whose company makes the Linkscanner safe browsing application, said blocking these exploits is the best protection. Of course, keeping your Windows system up-to-date can't hurt either.

Originally posted at Defense in Depth
January 10, 2008 10:46 AM PST

MBR rootkit targets Windows users

by Robert Vamosi

Security experts warned on Wednesday of a new rootkit aimed at users of the Windows operating system.

The rootkit hides in the Master Boot Record (MBR), or sector 0 of the hard disk drive, where the partition table with the primary partition entries is stored. According to Verisign's iDefense research unit, the rootkit overwrites the existing MBR, making discovery very difficult. A rootkit is a program or group of programs designed to take root or administrator control of a computer without the user knowing.

Trend Micro and Sunbelt indicate that infection rates appear low, especially if end users have applied all available Windows updates to their system.

According to iDefense, the samples of this MBR rootkit were first reported in mid-December, with the first wave hitting 1,800 computers on December 17 and a second wave hitting 3,000 computers on December 19. On December 22, the code was released into the wild, with iDefense reporting a total of 5,000 infections worldwide through January 7.

The current rootkit code appears to be based on two theoretical stealth rootkit presentations, one given by eEye security researchers Derek Soeder and Ryan Permeh (PDF file) for Windows NT machines at Black Hat USA 2005, and the other by independent security researchers Nitin Kumar and Vipin Kumar (PDF file) for Windows Vista machines at Black Hat USA 2007. A comparison of the demonstration code from those presentations with the actual MBR rootkit code can be found on the GMER site. GMER is the nickname of a researcher who makes an application that detects and removes rootkits.

Infection occurs when a user visits an infected Web site. The infected site contains an iframe that links to a server hosting several exploits. If the user's machine is vulnerable to any of the following exploits, it will become infected:

  • Microsoft JVM ByteVerify (MS03-011)
  • Microsoft MDAC (MS06-014)
  • Microsoft Internet Explorer Vector Markup Language (MS06-055)
  • Microsoft XML CoreServices (MS06-071)

According to GMER, detecting this rootkit requires comparing the current MBR with a stored image of it. If the two are not identical, the machine has most likely been infected. Removal requires reverting the infected system to an uninfected version of the MBR.
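One way to implement the comparison GMER describes, as an added example written for this page rather than GMER's own code: it splits a 512-byte MBR image into boot code, partition table and boot signature, flags the boot-code overwrite that an MBR rootkit makes while reporting a partition-table change separately, and builds the image to write back for removal. The sample images are constructed; a real baseline would be read from sector 0 of a known-clean disk.

```python
from dataclasses import dataclass

MBR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445: boot code, the region an MBR rootkit overwrites
PART_TABLE_LEN = 64           # bytes 446..509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511: mandatory MBR signature

@dataclass
class MbrCheck:
    signature_ok: bool
    boot_code_changed: bool
    partition_table_changed: bool

    @property
    def infected(self) -> bool:
        # Changed boot code (or a broken signature) is the rootkit's footprint. A changed
        # partition table alone may be legitimate repartitioning, so it is only reported.
        return self.boot_code_changed or not self.signature_ok

def split_mbr(mbr: bytes) -> tuple[bytes, bytes, bytes]:
    """Split a 512-byte MBR image into (boot code, partition table, signature)."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE}-byte MBR image, got {len(mbr)}")
    end_table = BOOT_CODE_LEN + PART_TABLE_LEN
    return mbr[:BOOT_CODE_LEN], mbr[BOOT_CODE_LEN:end_table], mbr[end_table:]

def compare_mbr(current: bytes, baseline: bytes) -> MbrCheck:
    """Compare the live MBR against a known-clean stored image, region by region."""
    cur_code, cur_table, cur_sig = split_mbr(current)
    base_code, base_table, _ = split_mbr(baseline)
    return MbrCheck(signature_ok=cur_sig == BOOT_SIGNATURE,
                    boot_code_changed=cur_code != base_code,
                    partition_table_changed=cur_table != base_table)

def clean_image(current: bytes, baseline: bytes) -> bytes:
    """Image to write back for removal: baseline boot code, current partition table."""
    base_code, _, _ = split_mbr(baseline)
    return base_code + split_mbr(current)[1] + BOOT_SIGNATURE

def make_sample_mbr(boot_code: bytes, part_table: bytes) -> bytes:
    # Constructed 512-byte image for the demo; a real baseline is captured from a clean disk.
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + part_table.ljust(PART_TABLE_LEN, b"\x00") + BOOT_SIGNATURE

# Constructed data: a clean baseline and the same disk after its boot code was overwritten.
CLEAN_MBR = make_sample_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C", b"\x80\x01\x01\x00\x07\xFE\xFF\xFF\x3F\x00\x00\x00")
HOOKED_MBR = make_sample_mbr(b"\xEB\x3C\x90" + b"\x00" * 40 + b"loader", split_mbr(CLEAN_MBR)[1])
```

`compare_mbr(HOOKED_MBR, CLEAN_MBR).infected` is true for the constructed pair, and `clean_image` returns the baseline with the current partition table so removal does not discard a legitimate partition change.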

Originally posted at Defense in Depth
August 28, 2007 8:27 AM PDT

Rootkit woes for Sony again?

by Dawn Kawamoto

Remember the hubbub over Sony BMG Music Entertainment's rootkit debacle, involving its CDs?

Well, another arm of Sony, this time Sony Electronics, may face a little of the brouhaha, as well.

According to a blog posting Monday by F-Secure, Sony's Micro Vault USM-F thumb drive comes with software that contains a rootkit.

For those who missed out on the Sony BMG fiasco, a rootkit is a tool that can cloak the presence of certain files or processes and prevent users from performing certain tasks on their computer. While Sony BMG used the rootkit as a means to prevent the pirating of its artists' work, it also had the potential side effect of allowing attackers to hide their malicious software if it made its way onto users' systems.

F-Secure says Sony's Micro Vault USB drive fingerprint reader software installs a driver that hides a directory under "c:\windows\". As a result, neither that directory nor the files within it are visible through the Windows API when enumerating files and subdirectories.

It's an ironic twist, considering fingerprint readers are designed to add another layer of security.

"It is our belief that the Micro Vault software hides this folder to somehow protect the fingerprint authentication from tampering and bypass," F-Secure's blog posting notes. "However, we feel that rootkit-like cloaking techniques are not the right way to go here."

The security firm also notes that when the Sony BMG rootkit debacle flared up in 2005, malicious software with rootkits was not pervasive. But over the past two years, a number of malicious versions have popped up that include rootkit cloaking techniques.

UPDATE

Users who are out shopping for a Sony Micro Vault USB this year won't have the same problem, said a Sony spokesman. He noted that the USM-F version was discontinued last year and it was the only Micro Vault that came with a fingerprint reader feature.

July 17, 2007 5:24 PM PDT

Could blogs save Sony from slaughtered goats and rootkits?

by Greg Sandoval

Sony fans, the famously secretive company is extending a hand. For the first time in the conglomerate's history, it has begun blogging as it seeks a much more open exchange of information with customers.

In the past month, Sony has launched two blogs. The most recent came Tuesday with the debut of a blog from Sony Electronics. The company's PlayStation unit began blogging about a month ago.

Corporate blogs are designed to build stronger ties with customers and have been around for years. For Sony, a blog might pay additional dividends. For instance, the electronics giant could learn in advance that customers might consider it in poor taste to promote a videogame with half-naked dancing girls and a slaughtered goat, or might balk at paying $600 for a videogame console, or might downright revolt if their computers are exposed to rootkits.

Why did it take so long for Sony to reach out to customers? Sony follows such cutting-edge tech companies as Ford, General Motors and Maytag.

One has to realize that letting go of information has never been one of the company's strengths, say analysts.

"Blogging is a huge step for such a closed-off company," said Josh Bernoff, an analyst with Forrester Research. "This eliminates some of the barriers between the company and its customers."

Written by Rick Clancy, who runs corporate communications for Sony Electronics, the blog will feature the usual fare. Clancy will highlight where the company is winning, such as high definition technology, Bravia televisions and digital imaging. The company will also post moderated comments from readers, according to Clancy.

"It will give us the real-time feedback of what Sony customers want," Clancy said.

But Sony should be careful. Google found out two weeks ago that being too talky on a blog can backfire. A Google executive who disliked Michael Moore's Sicko wrote on one of the company's blogs that the search engine could help defend the healthcare industry. After a wave of criticism, Google was forced to admit, "We blew it."

July 12, 2007 10:03 AM PDT

Sony BMG sues CD vendor over rootkits

by Robert Vamosi

Sony BMG Music Entertainment is suing an antipiracy CD software company claiming that the technology provided was flawed. In November 2005, researcher Mark Russinovich discovered hidden files left behind on computers when certain Sony copy-protected CDs were played. The subsequent consumer complaints and government investigations, says Sony, cost the entertainment company millions of dollars in losses.

Now Sony BMG has filed a complaint against The Amergence Group, formerly SunnComm International, a company that produced the piracy-protection system known as MediaMax CD. According to the Associated Press, Sony BMG is seeking $12 million in damages for unfair business practices and for breaching the terms of its license agreement.

The Amergence Group told the Associated Press it would fight the allegations and suggested that lawsuits against Sony BMG's use of copy-protected software involved Sony's use of other technologies.
