Friday, November 28, 2008

X-Force vs TrendMicro

Recently there has been a good deal of discussion and public criticism on the Internet after IBM ISS X-Force published advisories on a competitor's product (Trend Micro ServerProtect) and criticised Trend Micro for the way it handled those vulnerabilities.

According to the X-Force blog posting, they discovered a total of eight vulnerabilities in Trend Micro ServerProtect. Some were reported to Trend Micro as early as 2006 and the latest in January 2008. After every report, Trend Micro assured ISS that the issue would be fixed in the next scheduled patch.

ISS claims that for all the vulnerabilities reported, Trend Micro either ignored them or implemented an inadequate fix; they even found a patch that could easily be evaded. ISS also claims that every time they reported a vulnerability to Trend Micro, they provided documentation and links to MSDN articles to assist with the fix. When communication with Trend Micro reached a dead end, ISS also tried to reach them through CERT/CC and JPCERT/CC, which led to the same dead end.

After facing so many problems with Trend Micro, and for the benefit of their customers, ISS X-Force decided to publish the advisories with full technical details.

There have been mixed reactions on whether ISS did the right thing by disclosing the vulnerabilities. Some have criticised ISS for breaking the industry's code of conduct and question whether they would do the same if their own products were at fault.

Below are the IBM ISS X-Force Trend Micro ServerProtect advisories:

- CVE-2006-5268 - Trend Micro ServerProtect Unauthenticated Remote Administration
- CVE-2006-5269 - Trend Micro ServerProtect [PROCEDURE NAME REDACTED] Heap Overflow
- CVE-2007-0072, CVE-2007-0073, CVE-2007-0074 - Trend Micro ServerProtect [PROCEDURE NAME REDACTED] Heap Overflows (3)
- CVE-2008-0012, CVE-2008-0013, CVE-2008-0014 - Trend Micro ServerProtect [PROCEDURE NAME REDACTED] Heap Overflows (3)


Related reports:
- Computerworld: IBM's ISS blasts security rival Trend Micro over bugs
- Frequency X blog: The Scoop on the X-Force TrendMicro Advisories

Thursday, November 27, 2008

Codec for MP3?? or just a malware..

Last week, someone emailed me a suspicious MP3 file for research, so I decided to test the file in my "research environment".

When I tried to play the MP3 file with the default media player (Windows Media Player 9), it warned that "the file extension does not match the file format" and asked whether I wanted to try playing it anyway. This prompt makes the file really suspicious: it normally appears only if the MP3 file is corrupted or is not a media file at all.


I clicked "Yes" (try playing it anyway) to see whether it really was an MP3 file. Instead of playing, it opened the Internet browser and directed me to "www.mp3codec.com".

The website claims that a special codec is required to play the audio file and automatically prompts you to download "Codec_setup.exe".

With "Codec_setup.exe" downloaded, I decided to test it on the VirusTotal website. To my surprise, only 13 out of 37 anti-virus engines detected the file as malware. Well-known products such as Sophos and McAfee did not detect it.


Thinking that the malicious website or malware file might have been removed after a week, I visited the "mp3codec.com" website again and downloaded the file a second time.
The new download might differ from the one I downloaded previously, so I compared both files and found that their hash values are different. I also ran the new file through VirusTotal; this time only 5 anti-virus engines detected it.

Downloaded from the website:
Codec_setup.exe - 55KB
MD5: 278F6EF79C58A3F5B2AD0CC83CCA79BD

Downloaded few days later:
Codec_setup.exe - 55KB
MD5: CBAC09DCB8B8323BA3E457BE0E11B092
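The two checks above (does the content match the extension, and did the file change between downloads) are easy to automate before a sample ever gets executed. The following is an added example, not code from the original post: it sniffs the leading bytes of a file for the formats Windows Media Player would accept, compares the result with the extension, and records MD5 and SHA-256 so re-downloads can be compared. The byte strings are constructed for the example; the post does not say what the real "MP3" actually contained, so a renamed ASX playlist (one common way to send the player to a web page) is used as the stand-in.

```python
# Added example (not from the original post): check what a "media" file really
# is before trusting its extension, and hash it so later downloads can be
# compared. The sample byte strings are constructed for this example; they
# are not the files from the post.
import hashlib
import os

# Header object GUID of the ASF container (WMA/WMV), which Windows Media
# Player handles natively and which can carry script commands such as URLs.
ASF_GUID = bytes.fromhex("3026B2758E66CF11A6D900AA0062CE6C")


def sniff(data: bytes) -> str:
    """Return a coarse format label derived from the leading bytes of data."""
    head = data[:64]
    if head.startswith(b"ID3"):
        return "mp3"        # ID3v2 tag ahead of the MPEG audio frames
    if len(head) >= 2 and head[0] == 0xFF and (head[1] & 0xE0) == 0xE0:
        return "mp3"        # bare MPEG audio frame sync (11 set bits)
    if head.startswith(ASF_GUID):
        return "asf"
    text = head.lstrip().lower()
    if text.startswith(b"<asx"):
        return "asx"        # Windows Media playlist; can send the player to a URL
    if text.startswith((b"<html", b"<!doctype")):
        return "html"
    if head.startswith(b"MZ"):
        return "pe"         # Windows executable, e.g. a "codec" installer
    return "unknown"


# Extensions grouped by the container they are supposed to contain.
_EXPECTED = {
    "mp3": "mp3",
    "wma": "asf", "wmv": "asf", "asf": "asf",
    "asx": "asx", "wax": "asx", "wvx": "asx",
    "exe": "pe",
}


def extension_matches(filename: str, data: bytes) -> bool:
    """True when the sniffed format is what the extension promises."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    return _EXPECTED.get(ext) == sniff(data)


def hashes(data: bytes) -> dict:
    """MD5 (to compare with the values in the post) and SHA-256."""
    return {
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


# Constructed samples: a real-looking MP3 and a playlist renamed to .mp3.
GENUINE_MP3 = b"ID3\x04\x00\x00\x00\x00\x00\x00" + b"\xff\xfb\x90\x00" * 4
FAKE_MP3 = (b'<ASX version="3.0"><ENTRY>'
            b'<REF href="http://example.invalid/play.wma"/>'
            b"</ENTRY></ASX>")


def report(filename: str, data: bytes) -> dict:
    """Summary a reviewer can log before deciding whether to run the file."""
    return {
        "file": filename,
        "format": sniff(data),
        "extension_ok": extension_matches(filename, data),
        "size": len(data),
        **hashes(data),
    }


if __name__ == "__main__":
    for name, blob in (("track.mp3", GENUINE_MP3), ("track.mp3", FAKE_MP3)):
        print(report(name, blob))
```

Run it on a real sample with `report(path, open(path, "rb").read())`; an `extension_ok` of `False` on a file that arrived as an "MP3" is the same red flag the Media Player prompt gave, and keeping the SHA-256 alongside the MD5 makes a later comparison less dependent on a hash that is already weak.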

With these findings, I hope people will be more careful when receiving media files such as MP3 or AVI. It is not new for a malicious media file to trick users into downloading a fake codec that is actually malware. The finding also shows how efficient hackers are these days: they constantly update their malware to avoid detection by anti-virus products.

I will be running the downloaded malware in my "research environment" over the next few days. Watch out for my findings in a future post.

Sunday, November 23, 2008

Slackware is it?

I heard from a friend recently about an incident that really made me wonder, and I decided to share it. The story goes:

- An IT professional (likely an engineer) from a major System Integrator (SI) in Singapore ("their job is SO easy") wanted to find out the OS platform of an appliance-based network device, so he contacted the project manager managing the device.

The engineer was informed that the appliance runs Slackware version x.x. Not knowing about Slackware, and thinking that the project manager might have misunderstood his question, he asked the project manager to check the OS platform again.

The project manager repeated his answer and even provided the Slackware website for reference, but the engineer still stubbornly rejected the answer.
-

As an IT professional, it is normal not to know everything in IT (especially in areas outside your specialised domain). Many IT experts and gurus I know will not look down on you (or make fun of you) if you admit that you don't know a certain technology. In fact, most of them will share their experience and knowledge if you are keen to learn.

With information so easily available on the Internet, just by searching Google or Wikipedia you can find information on almost anything. There is no reason for anyone (especially an IT professional) to be unable to look something up.

This post is to advise readers never to be too ashamed to admit that you don't know something, as long as you are keen to learn and make the effort to read up. It is far more shameful to try to "smoke" (bluff) your way through and be caught out by others.

Wednesday, November 12, 2008

Anti Virus, can be "dangerous"

Recently there were reports that an AVG (anti-virus) update deleted a critical Windows XP file, leaving systems unable to boot.

Many users of AVG 7.5 and AVG 8.0 reported seeing a warning that the Windows system file user32.dll was infected with the PSW.Banker4.APSA or Generic9TBN Trojan, with a recommendation that the file be moved to the program's vault and deleted.

With user32.dll deleted or quarantined, Windows XP can no longer boot, as it is a critical system file.

AVG has since admitted that the detection was a false positive. "Unfortunately, the previous virus database might have detected the mentioned virus on legitimate files. We can confirm that it was a false alarm," said a company spokesman.

A workaround was published on their support website under "Topics 1574 False Positive user32.dll".

Anyway, false positives are not unique to AVG. Major anti-virus vendors such as Symantec, McAfee and Trend Micro have also wrongly identified Windows system files in the past. Some examples:

- In May 2007, Symantec Anti-Virus crippled thousands of Chinese systems when it mistakenly identified two critical Windows .dll files as malware (related article: "ComputerWorld: Symantec false positive cripples thousands of Chinese PCs").

- In September 2008, Trend Micro issued two anti-virus signatures that caused Windows DLL files to be quarantined (related article: "ZDNet UK: Trend Micro gives false positive details").

- In October 2008, a faulty McAfee update led to an integral component of Windows Vista being falsely flagged as a Trojan horse (related article: "The Register: McAfee update classifies Vista component as a Trojan").


Related articles:
- Vnunet.com: AVG update deletes critical Windows file
- The Register: AVG slaps Trojan label on core Windows file

Tuesday, November 11, 2008

WPA crack details finally out

For the last few days people have been talking about WPA cracking, and the details of the attack are finally available for download.

The WPA attack was recently announced by two German researchers, Martin Beck and Erik Tews. They planned to present their findings at the PacSec 2008 conference (12-13 November) in Tokyo, but the details were released today on the Aircrack-ng website as a whitepaper.

Wired Equivalent Privacy (WEP), the basic protection mechanism for wireless networks, was broken long ago. With the more advanced techniques available today, it can be cracked in less than a minute.

Wi-Fi Protected Access (WPA), which replaced WEP, is a more secure method of protecting a wireless network. Previous attacks on WPA were basically dictionary attacks against a weak Pre-Shared Key. This new attack works against WPA-protected networks that use the Temporal Key Integrity Protocol (TKIP), however strong the PSK is, on networks where 802.11e QoS (WMM) is enabled. It does not recover the PSK or the session keys: after roughly 12 minutes of work it decrypts a single short packet sent from the access point to a client (typically an ARP request or response, whose plaintext is mostly known) and then lets the attacker send up to seven packets with custom content to that client.

To summarise, the recommendation against this attack is to use WPA2 with CCMP (AES) instead of TKIP; note that WPA2 can also be configured with TKIP, which remains vulnerable. If for any reason you cannot migrate your network to CCMP, other mitigations are recommended, such as reducing the key renewal (rekey) interval to well below the 12 minutes the attack needs, and increasing your wireless monitoring: watch for multiple MIC failure reports, which the attack generates. (Reminder: please test any change before making it in your production environment.)
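To make the recommendation above concrete, here is an added example (not from the original post or the Beck/Tews paper) that audits a hostapd configuration for the settings the TKIP attack depends on: WPA(1) enabled, TKIP offered as a pairwise cipher, and a long group rekey interval. The two configurations are constructed for the example; `MAX_REKEY_SECONDS` is an assumed threshold, chosen to sit well below the roughly 12 minutes the attack needs to decrypt one packet.

```python
# Added example (not from the original post or the Beck/Tews paper): audit a
# hostapd configuration for the settings the TKIP attack depends on. The
# two configurations are constructed for this example, and MAX_REKEY_SECONDS
# is an assumed threshold, chosen to sit well below the ~12 minutes the
# attack needs to decrypt one packet.
MAX_REKEY_SECONDS = 600

# Constructed: the weak setting (WPA1, TKIP, hourly group rekey) ...
WEAK_CONF = """\
interface=wlan0
ssid=lab-net
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_passphrase=correct horse battery staple
wpa_pairwise=TKIP
wpa_group_rekey=3600
"""

# ... and the corrected one (WPA2 only, CCMP only, short group rekey).
FIXED_CONF = """\
interface=wlan0
ssid=lab-net
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=correct horse battery staple
rsn_pairwise=CCMP
wpa_group_rekey=120
"""


def parse_hostapd(text: str) -> dict:
    """Parse key=value lines of a hostapd.conf, ignoring blanks and comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_tkip(conf: dict, max_rekey: int = MAX_REKEY_SECONDS) -> list:
    """Return a list of findings; an empty list means nothing to fix."""
    findings = []
    wpa = int(conf.get("wpa", "0"))          # bit 0 = WPA(1), bit 1 = WPA2/RSN
    ciphers = set()
    for key in ("wpa_pairwise", "rsn_pairwise"):
        ciphers.update(conf.get(key, "").upper().split())

    if wpa & 1:
        findings.append("wpa=%d allows WPA(1) clients; set wpa=2" % wpa)
    if "TKIP" in ciphers:
        findings.append("TKIP is offered as a pairwise cipher; in mixed mode "
                        "the group cipher falls back to TKIP. Use rsn_pairwise=CCMP only")
    elif not ciphers:
        findings.append("no pairwise cipher configured; set rsn_pairwise=CCMP explicitly")

    # The rekey interval only matters while TKIP can still be negotiated.
    tkip_possible = bool(wpa & 1) or "TKIP" in ciphers or not ciphers
    if tkip_possible:
        rekey = conf.get("wpa_group_rekey")
        if rekey is None:
            findings.append("wpa_group_rekey not set; set it explicitly")
        elif int(rekey) > max_rekey:
            findings.append("wpa_group_rekey=%s exceeds %d s; shorten it while "
                            "TKIP is in use" % (rekey, max_rekey))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(label, audit_tkip(parse_hostapd(text)) or ["ok"])
```

The shorter rekey interval is a stop-gap, not a fix: it only limits how far the attacker can get before the group key changes, and it leaves the MIC countermeasures (which a detected attack triggers, knocking clients off for a minute) in place. Moving every station to CCMP is the change that actually closes the hole.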

You can download the whitepaper "Practical attacks against WEP and WPA" from the Aircrack-ng site or, alternatively, from the local copy.


Related Articles:
- Security Focus: "Researchers find more flaws in wireless security"

Thursday, November 6, 2008

US Election over but more Security lessons to learn

As the US election comes to an end, with Barack Obama becoming the first black president of the United States, there are some interesting security lessons to learn from it.

Months before the election there were already many concerns about the electronic voting machines. There were reports of "flipping votes" (the machine recording a vote for a different candidate than the one selected) and of misleading interfaces, which worried security experts. These led to a push for better checks and audits of those voting machines.

The advice given to voters was to double-check their votes and, when in doubt, not to be afraid to ask for help while voting.

Besides the problems with the voting machines, there were also reports of "dirty tricks" used to influence the result. There were automated phone calls, SMS messages, emails and even flyers intended to convince the recipient to vote the day after the election, or giving a false polling venue, so that they would miss their chance to support their candidate (useful in states leaning toward the opposing candidate).

- An example of such an email:
From: Office of the Provost
Subject: Election Day Update

To the Mason Community:

Please note that election day has been moved to November 5th. We apologize for any inconvenience this may cause you.

Peter N. Stearns
Provost

- End of email

- Examples of such SMS messages:
"Due to long lines if you are voting for Barack Obama you can vote tomorrow"

"Due to long lines, all Obama voters are asked to vote tomorrow".
- End of SMS

While some were trying to influence the election result, others used the election to spread malware. Emails claiming to contain Obama's speech or interview were found spamming the Internet. Video or download links led users to download malware when they tried to click on the speech or interview.

The malware found in those emails so far is a keylogger that sends stolen keystrokes to the Ukraine and a Trojan downloader that automatically downloads more malware onto the system.

- An example of such an email:
From: news@cnn.com
Subject: Barack Obama wins

Barack Obama Elected 44th President of United States

Barack Obama, unknown to most Americans just four years ago, will become the 44th president and the first African-American president of the United States.
Watch His amazing speech at November 5!

Proceed to the election results news page>>

2008 American Government Official Website
This site delivers information about current U.S. Foreign policy and about American life and culture.
- End of email (screenshot: spoofed email of Obama's speech)

No election is as simple as it seems. There is always someone trying to manipulate the result or to exploit the situation for their own benefit. Don't blindly focus on the results; be mindful of those taking advantage of the situation.

Related articles:
- Concerns continue to shadow e-voting (Security Focus)
- Election Hoax Sent Via D.C. Based E-Campaign Group
- US Presidential Malware - Barack Obama Interview Lure (WebSense Alerts)