The return of the Word macro virus

Well, here’s something I haven’t seen in a while: a Word macro virus.

An e-mail message appeared in my Junk Mail folder, purporting to be from someone in France who had been having some trouble transferring funds from one account to another and saw my e-mail address on a list of other addresses associated with the transaction, and blah blah blah. Typical scammer BS.

There was a Zip file (Transfer.zip) attached to the message, which contained a Word document. When I opened the document in Word 2007, I got this error:

That was followed by Enable Content and Trust Center buttons.

Of course, you should never run a macro in a Word document you don’t trust. Under the default settings for Word 2003 you couldn’t do so even if you wanted to: the default High security level disables unsigned macros and runs only those signed by a publisher you have already chosen to trust. Word 2007 is tighter still: by default, all macros are disabled with a notification (the Message Bar shown above), and the only documents whose macros run without that prompt are those stored in a trusted location.

Instead of enabling this macro (do I look crazy?), I opened the Visual Basic Editor and looked at its code:

Ah, it’s trying to create an executable file in the root directory of the system drive and then run it. That big block of gibberish in the center is presumably the payload. Droppers of this kind usually carry the executable itself, encoded as a long string that the macro decodes and writes to disk, rather than a buffer-overflow trigger of the kind described in this SANS bulletin; either way, it’s probably a variation of the Kukudro Trojan, which arrives in this form.
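Here is a small static triage script for macros that follow the pattern described above (an auto-executing procedure that builds a string blob, writes it to the system drive and runs it). This is an added example, not code from the original post and not the Kukudro macro itself. It assumes you have already pulled the VBA source out of the document as text (a practitioner would use a tool such as olevba for that step); the macro embedded below is a constructed sample written to resemble the pattern, and the rule names, regexes and the file name svchost.exe are my own choices.

```python
"""Static triage of a VBA dropper: flag the auto-run / file-write / execute
triad and decode any long hex string literal to see whether it is a PE file.
Added example; the sample macro is constructed, not the real malware."""
import re
import binascii

# Constructed sample VBA resembling a dropper. Not the macro from the post.
SAMPLE_VBA = r'''
Sub AutoOpen()
    Dim p As String
    p = Environ("SystemDrive") & "\svchost.exe"
    Dim blob As String
    blob = "4D5A90000300000004000000FFFF0000B8000000000000004000"
    Open p For Binary Access Write As #1
    Dim i As Long
    For i = 1 To Len(blob) Step 2
        Put #1, , CByte("&H" & Mid(blob, i, 2))
    Next i
    Close #1
    Shell p, vbHide
End Sub
'''

# Each rule is (name, regex). Names are hypothetical labels chosen here.
RULES = [
    ("auto-execute", re.compile(r"\b(AutoOpen|Document_Open|AutoExec)\b", re.I)),
    ("env-lookup",   re.compile(r"\bEnviron\s*\(", re.I)),
    ("file-write",   re.compile(r"\bOpen\b.*\bFor\s+Binary\b", re.I)),
    ("exec",         re.compile(r"\b(Shell|CreateObject|WScript\.Shell)\b", re.I)),
    ("exe-path",     re.compile(r"\\[\w\-]+\.exe", re.I)),
]

# A quoted run of 32 or more hex digits is a candidate encoded payload.
HEX_BLOB = re.compile(r'"([0-9A-Fa-f]{32,})"')


def scan_macro(src):
    """Return the names of the rules that fired, in rule order."""
    return [name for name, rx in RULES if rx.search(src)]


def extract_hex_blobs(src):
    """Decode every long hex string literal in the macro source.
    Odd-length candidates cannot be valid byte strings and are skipped."""
    out = []
    for m in HEX_BLOB.finditer(src):
        s = m.group(1)
        if len(s) % 2:
            continue
        out.append(binascii.unhexlify(s))
    return out


def looks_like_pe(data):
    """A Windows executable begins with the 'MZ' DOS header signature."""
    return data[:2] == b"MZ"


def triage(src):
    """Summarise the macro: rules hit, number of blobs, whether any blob
    decodes to a PE header, and whether the classic dropper triad is present."""
    hits = scan_macro(src)
    blobs = extract_hex_blobs(src)
    return {
        "hits": hits,
        "blobs": len(blobs),
        "embedded_pe": any(looks_like_pe(b) for b in blobs),
        "dropper": {"auto-execute", "file-write", "exec"} <= set(hits),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_VBA))
```

The regexes are deliberately loose; they are meant to tell you which macros deserve a closer look in the Visual Basic Editor, not to replace an antivirus engine. Real droppers often split the payload across many short string constants or build it with Chr() calls, so a production version would concatenate literals before looking for the blob.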

Moral? Don’t open attachments sent to you by strangers. In fact, even if it appears to be from someone you know, don’t open it unless you were expecting it and you are confident it is what it appears to be.

Have you seen any WGA workarounds?

Over at ZDNet, I’ve been writing a lot about Microsoft’s anti-piracy program called Windows Genuine Advantage. (My latest WGA-related post is a detailed look at exactly how this program works. If you haven’t seen it, go read the article and view the accompanying screenshot gallery.) One comment I hear regularly is how easy it is to work around WGA.

I’m not so sure. Yes, there are lots of instructions and a few utilities for removing the WGA Notifications code. But I have yet to see anyone come up with a hack that allows a machine to access Windows Update (not Automatic Updates, but the full Windows Update site) or to install (not just download, but actually install) Internet Explorer 7 Beta 3.

But maybe I’m just not looking in the right places. So I throw the question open to you. Have you found any WGA validation workarounds? If so, please leave a link in the comments. You can remain completely anonymous if you want. I’m just interested in seeing how the hacker community is approaching Microsoft’s latest attempt to build a wall around Windows.

Caveats: Please don’t bother posting links to the RemoveWGA utility from Firewall Leak Tester or its many clones. All those programs do is get rid of the optional WGA Notification component. I’m looking for stuff that specifically aims at the validation side. And I already did a Google search and know all about last year’s GenuineCheck.exe hacks, which no longer work. If you post something here, it needs to be something that has been confirmed to work within the past few weeks. OK?

A phishing follow-up

My e-mail inbox has been remarkably free of phishing messages lately, so I haven’t been able to compare the performance of the IE7 and Google/Firefox phishing filters, as I promised last week. (The filters on my e-mail server do an excellent job of blocking this junk.)

Today, I finally got one – a come-on from a Romanian server attempting to get my Bank of America credentials. The good news is that both IE7 and the Google Toolbar for Firefox nailed it. (Firefox 2 Beta 1 allowed it right through, but that’s to be expected since the phishing feature isn’t turned on yet.)

In looking at the two browsers side by side, I was able to compare the different behaviors. Here’s IE7:

[Screenshot: Ie7phish]

The URL appears in the address bar, but the page itself is completely blocked. I have to choose to click a link to go to the suspicious page. Any other option sends me somewhere else, away from the unsafe site.

Now here’s how the Google Toolbar flags the same site in Firefox:

[Screenshot: Ffphish]

The phony page is visible, but grayed out. If I try to click on the site, it doesn’t work because the Web Forgery dialog box has completely taken over the focus. That’s good. And the Get me out of here! link is unmistakable in its effect. The only part I don’t like is the big X in the upper right corner. I don’t know about you, but I’ve learned, Pavlov-style, to click that X whenever I see a popup window or a warning dialog box. In this case, though, clicking the X dismisses the dialog box and allows you to go to the page.

That default behavior seems wrong to me. If I’ve chosen to use a piece of security software, I want it to protect me from any threat unless I specifically and unequivocally choose to ignore its warning. The X in the dialog box is ambiguous, and in my opinion the default behavior in that case should be the exact opposite: I didn’t choose to ignore the warning, so send me somewhere else, far away from that threat.

If anyone at Google or Mozilla is listening, consider this a feature request.

Security affects everyone

I pass along the following not to mock Mac users but to point out a simple fact: Security updates affect everyone. Today’s example courtesy of TechWeb’s Gregg Keizer: 

Ship Monday, Patch Wednesday: Apple Fixes Brand New Mac Pro

Apple Computer Inc. on Wednesday issued a security update for the Mac Pro, the top-of-the-line Intel Xeon-based system that the company rolled out only two days before.

The fix, dubbed Update 2006-004 for Mac Pro, adds 5 patches included with the Aug. 1 security upgrade for the Cupertino, Calif. company’s other systems, to Apple’s newest and beefiest client computer.

Two sections of that update — four patches for the ImageIO component to defend against malicious TIFF files, and one fix for the OpenSSH server — weren’t included with the version of Mac OS X 10.4.7 pre-loaded on the new Mac Pro machines.

No computer is inherently secure. No operating system is inherently secure. That applies whether you run Windows, the Mac OS, or any flavor of Linux.

New security release format? It’s about time

Update: I’ve replaced the link at the bottom of this page, which originally contained search results from Microsoft’s support site, with a Knowledge Base article that has permalinks to all monthly security releases in ISO format.

Microsoft has been doing this since the beginning of this year, apparently, but this is the first time I’ve noticed it. Security patches for August 2006 are now available as Bulk Updates in ISO-9660 CD image format. The files can be burned onto blank CDs, used on multiple machines, and archived.

This is good news for people who prefer to do updates manually. No more downloading a dozen or so individual patch files and then saving each one. Just make sure you get the right CD image(s). One is for Windows 2000 and Windows Server 2003; another is for Windows XP; and a third is for IE.

If you want to go back and get earlier releases, try this page, which lists all updates in ISO image format since January 2006.

Piracy doesn’t pay

Over at ZDNet, I’ve posted an account of my attempts (so far in vain) to get busted by Windows Genuine Advantage for installing a bootleg version of Windows XP. (See Another WGA failure for the details.)

In my quest for an illegal Windows product key, I visited a lot of very unsavory sites before I finally found one that actually contained the information I was looking for. It was a case study in how shady searches lead to personal tragedy. During the process, I was presented with multiple opportunities to install spyware and even a Trojan horse program.

  • One site offered to install an ActiveX control that identified itself as an “Internet Explorer add-on” from Inter Technologies. It turned out to be a toolbar from Dollar Revenue, which McAfee classifies as a Trojan for its “deceptive practices.” According to my ZDNet colleague Suzi Turner, it downloads “a bucketful of other adware.”
  • Another site offered to install that same set of scumware plus another ActiveX control that was identified only as “Click here to agree” from E.C.S. International. That turned out to be Dollar Revenue again.
  • One site that claimed to offer cracks and product keys for every imaginable software product had a clever gimmick. Following any of the links generated an executable program with the name of the program you were looking for, ostensibly containing key codes. In reality, every download was the same: a copy of a Trojan that Windows Live OneCare identified as Agent.LM.

Now, the fact that I was running Windows XP with Service Pack 2 or Windows Vista means that I didn’t get any “in your face” prompts for these downloads. I actually would have had to go out of my way to install any of this malware. But the fact that I ran into so many examples of truly awful security threats underscores the problems you’re likely to face when you go looking for underground stuff.

As Bob Dylan once sang, “To live outside the law, you must be honest.” You’d better be careful, too.

Firefox phishing filter fails

[Update: Mozilla’s PR agency says the anti-phishing feature isn’t fully enabled in Firefox 2 Beta 1. Details here.]

Over at ZDNet, I’ve just published a lengthy comparison of the security features in the most recent beta releases of Internet Explorer 7 and Firefox 2. (The comparison is entitled IE7 or Firefox 2: Which browser is more secure? It includes a detailed image gallery so you can draw your own conclusions.)

One prominent feature of each new release is technology to detect so-called phishing sites, which try to spoof legitimate sites and deceive visitors into giving up personal information like credit card numbers and banking account login details. Like most people, I was initially skeptical about whether this technology would work, so over the past few months I’ve been putting IE7’s phishing filter to the test. Normally I just delete those phishing messages, but lately I’ve been clicking on every single one to see what happens. Surprisingly, IE7 has nailed one fake site after another. I haven’t kept detailed records, but the hit rate has been nearly 100%.

I’ve only begun using the Firefox beta in the past few days, so I have only a small sample size to work with. But so far it has missed every one of four phishing sites I’ve pointed it to, each of which has been detected by IE7. I’ve tried monkeying with the settings for the anti-phishing option in FF2, with no luck, and I’ve repeated the installation on a separate computer with identical results. (Both computers were running stock installations of Windows XP.)

Frankly, this is baffling to me. Both Microsoft and Mozilla have been testing this feature for a year. In Mozilla’s case, the testing has been done by Google, which developed the technology as part of its Google Toolbar for Firefox. As a control, I installed Google’s Firefox toolbar on the latest official release of Firefox, 1.5.0.6. It failed to detect two obvious phishing sites as well. (Two other links that I had used for testing yesterday have already been taken down.)

I’m going to begin monitoring this feature a lot more closely and will report my results periodically here.

The irony of anti-virus software

Bruce Schneier points out a recent study on the behavior of malware against the top-selling antivirus programs:

The top three antivirus programs — from Symantec, McAfee, and Trend Micro — are less likely to detect new viruses and worms than less popular programs, because virus writers specifically test their work against those programs.

Well, that’s not good news, is it? The original report is here. The money quote:

At a security breakfast hosted by e-mail security firm Messagelabs in Sydney on Wednesday, the general manager of the Australian Computer Emergency Response Team (AusCERT), Graham Ingram, told the audience that popular desktop antivirus applications “don’t work”.

“At the point we see it as a CERT, which is very early on — the most popular brands of antivirus on the market … have an 80 percent miss rate. That is not a detection rate, that is a miss rate.

“So if you are running these pieces of software, eight out of 10 pieces of malicious code are going to get in,” said Ingram.

And if you think you’re safer because you’re relying on some obscure piece of software, think again:

Although less popular antivirus applications are more likely to pick up new malware, Ingram said that the average level of new malware that is undetected is 60 percent, which is “worrying”.

Indeed. I’ve been a vocal critic of the whole concept of security software for a long time. The business model is flawed and it’s vulnerable to precisely this sort of targeted engineering. Now that malware writers are making serious money off their poison, they have a powerful incentive to write higher-quality code. And it appears that’s exactly what they’re doing.

AVG now works with Windows Vista

I know that AVG Free Edition from Grisoft is very popular. But if you tried to install it or one of the commercial AVG anti-virus products on Windows Vista Beta 2, it didn’t install properly. Apparently that’s now been fixed. A download available via Windows Update fixes the installation issue, according to Grisoft. I can confirm that Critical Update 920296 was automatically installed here a couple of days ago. If you’re able to run AVG on Windows Vista, post a comment below.

Microsoft’s KB article 921583 describes the update and includes links for manual downloads of the update. And no, I have no idea why the article and the update have different numbers.

And a reminder that Trend Micro and CA both have free Windows Vista-compatible evaluation versions of their security software available.

Update: In the comments, Mike Dimmick notes that the AVG update is actually numbered 921590. He’s right, as a more careful reading of the article confirms. Update 920296 fixes a separate installation issue that affects unspecified applications. Thanks, Mike.