The Fail

As MSFT was releasing their patches another group of people were releasing their own little bug. On Tuesday morning as the patches from MSFT were being released several online publications starting reporting a new IE 0day exploit in the wild. All the publicity started here at PC World and from there it just rolls down hill.

The flaw was made public in Chinese language discussion forums two days ago by a security group called the Knownsec team. In tests, it worked on IE 7 running on Windows XP, Service Pack 2.

Since the initial report out of PC World the news starts to spiral out of other media outlets. However nothing  good gets published until HD Moore does some really good analysis on the exploit over at the Breaking Point Security blog.

Defenses

1. Start off by switching browsers to FireFox. You can get it here.
2. Enable DEP on your system,

Until MSFT releases a patch for this I would recommend switching to another browser.

So whats the scope here. It seems that someone out there took over the DNS settings for CheckFree and redirected, high jacked, the CheckFree online bill pay sites to another web site. From what we are told, when a user attempted to access a checkfree bill pay site through their financial institution they were directed to a blank screen. How ever if you went directly to the online bill pay from check free you were directed to another site that was a replica of ChekFree’s that also attempted to install password-stealing software on the victims machine.

You can read more from Security Fix here and here.

In addition CheckFree has started to send out emails to users that they fell “could” have been effected by this attack.

December 7, 2008

First Initial, Last Name
Address
SAN DIEGO, CA Zip Code

Dear First Initial, Last Name,

We take great care to keep your personal information secure. As part of these ongoing efforts, we are notifying you that the computer you use for online bill payment may be infected with malicious software that puts the security of your computer’s contents at risk. This letter will help you determine if your computer is actually infected and advise you how to fix the problem and protect yourself against future risk.

The malicious software affects some but not all customers who accessed online bill payment on Tuesday, December 2, 2008. For a limited period of time, some customers were redirected from the authentic bill payment service to another site that may have installed malicious software. Your computer may be infected if all of the following are true:

* You attempted to access online bill payment between 12:30 a.m. and 10:10 a.m. Eastern time (GMT -5) on Tuesday, December 2, 2008, and
* You were using a computer with the Windows operating system, and
* You reached a blank screen rather than the usual bill payment screen when you attempted to navigate to online bill payment, and
* After reaching the blank screen, your computer’s virus protection program did not tell you via pop-up or other messaging that malicious software was detected and quarantined.

If all four of the conditions above are true, your computer may be infected. We have arranged with McAfee, the world’s largest dedicated security technology company, to provide you with an assessment of your computer’s hard drive and remove any malicious software. Please contact us at 877-800-4864 for further instructions or 800-564-9184, Option 1 for further instructions. We will also offer you both advice and free services that can help you mitigate any risk you may face as a result of this incident or other everyday exposures you may encounter.

We value your business and your trust, and we apologize for any inconvenience this recent incident has caused.

Thank you,

Art D’Angelo

Vice President, CheckFree Customer Operations

If you feel that you may have visited the Check Free site during those times or are just worried. Update your virus scan software and run a complete scan. You can also visit various AV vendors web sites for online virus scans of your computer.

Does this mean you should stop using online banking? No of course not, however you should look into browser toolbars that can help in identifying sites that are Phishing or just plain wrong. One of my favorites is the Trace tool bar from TraceSecurity. Most security tool bars out there only use what is called a blacklist, know bad sites, this is a method that is always reactive in nature (one step behind, like Antivirus vendors). The Trace tool bar using a whitelist. This method is more ideal in that it keeps a list of know good, and can alert you to any change in the location of your financial instutions web site. In the case of Check free DNS highjack, it could have alerted the user that the checkfree web site was no longer loading from the know good location. Read more about and download the Trace tool bar here.

As it turns out Secunia did a test of 12 internet security suites and the results where lets say less than desireable. The test was to throw 300 exploits to known vulnerabilities at the 12 and see how well their detection rate was. Over all – one word FAIL. So does this mean that you are not safe well sort of.

Even the “high” score from Symantec was disappointing. Symantec detected a mere 64 out of 300 exploits, or less than one-fourth, leaving 236 exploits undetected!

Read more here http://secunia.com/blog/29/

and

here are the test results http://secunia.com/gfx/Secunia_Exploit-vs-AV_test-Oct-2008.pdf

Stay tuned for What’s Next for AV

Personally I have cleaned around 15 systems from this infection it is not easy and typically downloads other malware such as Keylogger’s, Browser toolbars, etc..

The writters are putting out new varients of this malware every couple of weeks, so what we have here is a virus that the real antivirus companies are having trouble keeping up with.

You can read more about the new variant here.

Once your files are encrypted it places a text file in every directory that contains encrypted files.

Your files are encrypted with RSA-1024 algorithm.
To recovery your files you need to buy our decryptor.
To buy decrypting tool contact us at: [censored]@yahoo.com

=== BEGIN ===
[key]
=== END ===

At this time Antivirus vendors are looking for looking for a solution at this time. Kapersky Lab’s seems to be leading the effort here. If you are a code breaker you can go here for more info.

Solutions to help (before this happens to you)

• Backup your data regularly
• Keep a fair amount of back ups
• And what ever you do to not store them on the PC that could become effected, keep them off line via CD/DVD or an external Hard Drive that you keep unplugged from your system

More information and references

http://isc.sans.org/diary.html?storyid=4544

http://blogs.zdnet.com/security/?p=1259

http://people.csail.mit.edu/tromer/gpcode/

http://usa.kaspersky.com/about-us/news-press-releases.php?smnr_id=900000131

http://www.viruslist.com/en/viruses/encyclopedia?virusid=313444