Malware authors are constantly banking on the "next big thing" to deliver their malicious payload onto unsuspecting users' machines. Due to its huge user base, Windows is undoubtedly the most targeted operating system platform.
Malware delivery mechanisms have constantly evolved, from the old floppy-disk days to fast-spreading Internet worms (e-mail attachments). Today's delivery mechanisms are shifting more and more toward web technologies. Instead of delivering malicious content directly to user machines as e-mail attachments, malware is hosted on a myriad of web servers worldwide. Users are then enticed into visiting these websites, either by spamming out e-mail containing a link to a malicious website or by poisoning search results so that the malicious website ranks higher. Such malicious links are also delivered via IM (instant messaging), bulletin boards, forums, etc.
Malicious websites usually also host recent (or in some cases older) browser, application and system exploits alongside the malware. An unsuspecting user who visits such a website with an unpatched system or browser is easily exploited and malware is delivered onto their system (drive-by downloads). On fully patched systems, all it takes is to entice or fool the user into downloading and executing the malware themselves. Such malicious web servers can be reached over HTTP or FTP, with the malicious code (HTML, JavaScript, PHP, CGI, etc.) embedded within web pages. Malware authors also compromise legitimate websites and redirect visitors to malware hosts via invisible IFrame tags. With the arrival of Web 2.0 technologies and mobile platforms, newer avenues are being explored for malware delivery.
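As an added example (not code from the original post), the following Python script flags the kind of invisible IFrame described above: frames sized 0x0 or 1x1, hidden with CSS, or positioned off-screen, which is what an incident responder looks for when checking whether a legitimate page has been tainted. The sample page is constructed for the example, and the example.invalid hostnames are placeholders rather than real malware hosts.

```python
"""Find IFRAME tags a visitor would never see in a page's HTML.
Added example; SAMPLE_PAGE is constructed, not a captured site."""
import re
from html.parser import HTMLParser


class HiddenIframeFinder(HTMLParser):
    """Collects (src, reasons) for every iframe that looks deliberately hidden."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":            # HTMLParser lower-cases tag/attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        reasons = []
        # 0x0 and 1x1 frames given as width="0"/height="1px" attributes
        for dim in ("width", "height"):
            if a.get(dim, "").strip().rstrip("px%").strip() in ("0", "1"):
                reasons.append(f"{dim}={a[dim]}")
        style = a.get("style", "").lower()
        if re.search(r"display\s*:\s*none", style):
            reasons.append("display:none")
        if re.search(r"visibility\s*:\s*hidden", style):
            reasons.append("visibility:hidden")
        # absolute positioning thousands of pixels off the viewport
        m = re.search(r"(?:left|top)\s*:\s*-\d{3,}", style)
        if m:
            reasons.append("off-screen " + m.group(0))
        # the same 0/1 pixel trick done through inline CSS
        for dim in ("width", "height"):
            m = re.search(dim + r"\s*:\s*(0|1)(px)?\b", style)
            if m:
                reasons.append(f"style {dim}={m.group(1)}")
        if reasons:
            self.findings.append((a.get("src", ""), reasons))


def find_hidden_iframes(html):
    """Return [(src, [reason, ...]), ...] for suspicious iframes in html."""
    p = HiddenIframeFinder()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample: one ordinary ad frame and three hidden ones.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="http://example.invalid/bad.php" width="0" height="0"></iframe>
<iframe src="http://example.invalid/ad.html" width="300" height="250"></iframe>
<IFRAME SRC="http://example.invalid/x.html" STYLE="display:none"></IFRAME>
<iframe src="http://example.invalid/y.html"
        style="position:absolute;left:-5000px;width:1px;height:1px"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_hidden_iframes(SAMPLE_PAGE):
        print(f"suspicious iframe -> {src}: {', '.join(reasons)}")
```

The check is deliberately attribute-based; injected frames are usually appended verbatim to a compromised page, so this catches the common cases without a browser. It will not see frames that JavaScript writes at runtime, which is the one caveat to keep in mind when triaging a site this way.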
Regarding Windows vulnerabilities, Microsoft schedules its patch release for the second Tuesday of each month, popularly known as "Patch Tuesday". Hackers and malware authors have coined the term "exploit Wednesday" for the practice of exploiting a still-unpatched vulnerability the day after Microsoft has released its patches for that month, since, barring an out-of-band update, the hole will likely stay open until the next cycle.
Information Gathering - Vulnerabilities and Exploits
Malware authors are constantly looking for vulnerabilities in software to exploit. The software they target could be operating system libraries, application software, kernel-mode drivers, etc. They either find these themselves or obtain them from published material on the Full-Disclosure mailing list, from blog posts by vulnerability researchers and enthusiasts, from a community of hackers, etc. There is also the Open Source Vulnerability Database (OSVDB), where detailed vulnerability information is published on or before the day a vendor patch is released.
Information and advisories about vulnerabilities can also be obtained from the sites listed below:
- @Risk: The Consensus Security Alert
- Bugtraq mailing list
- Bugtraq archives at Neohapsis
- CERT
- CERIAS
- CIAC.org
- CVE
- eEye advisories and ZeroDay tracker
- Finjan Vulnerability List
- FrSIRT
- GovernmentSecurity (forum1, forum2)
- IBM ISS (X-Force)
- iDefense advisories
- LWN.net
- Microsoft security bulletins - list of vulnerabilities fixed since 1998
- milw0rm
- National Vulnerability Database
- Net-Security
- NIST.org
- NTBugtraq
- NTSecurity.net archives at Neohapsis
- Rapid7 vulnerability database
- Rain Forest Puppy Advisories
- SANS Top 20 list
- Secunia
- SecuriTeam
- Security Alert Consensus
- Security-database
- SecurityFocus
- SecurityLab
- SecurityReason
- SecurityTracker
- Security Threat Watch archives at Neohapsis
- SecurityVulns
- SecWatch
- US-CERT
- Virus.org
- VulnDiscuss archives at Neohapsis
- VulnWatch archives at Neohapsis
- Xdisclose
- Zone-H
- Zero Day Initiative (TippingPoint)
A unique "month of bugs" blog-roll was also started by certain people who decided to find vulnerabilities in various software and simply disclose them via independent blog posts. Listed below are a few:
MOAB - Month of Apple bugs
MOKB - Month of Kernel bugs
MOBB - Month of Browser bugs
MOSEB - Month of Search Engine bugs
MOAxB - Month of ActiveX bugs
MOBiC - Month of bugs in CAPTCHAs
Before the details of a vulnerability reach Full-Disclosure, OSVDB, or such independent blog-rolls, the researcher or hacker has several options as to what to do with the discovered vulnerability:
- Responsibly disclose the entire details of the vulnerability to the software vendor alone, for free.
- Sell it to one of the companies that buy vulnerabilities, such as iDefense (now part of VeriSign), Digital Armaments, Argeniss (now acquired by Gleg Ltd), Netragard, TippingPoint (now a part of 3Com), and Immunity, which gives the buying company exclusive rights to the vulnerability.
- Put the vulnerability up for auction at WabiSabiLabi and sell it to the highest bidder.
The ethics of disclosing vulnerabilities has always been a subject of debate. Microsoft has coerced a few software vendors into joining its Organization for Internet Safety (OIS), which strives to actively suppress vulnerability disclosure within their organizations.
The number of vulnerabilities has been increasing since 2006. Here are some stats:
- Full stats from CERT.
- A post on "The Register".
Windows Libraries - a haven for malware exploits
A large number of Windows applications leverage Windows libraries (modules that contain functions and data) as dynamic-link libraries (DLLs) or OCX files (libraries containing ActiveX controls). Such libraries allow their functionality to be updated and reused easily while significantly reducing memory overhead when several applications use the same functionality concurrently, since a single copy of the library's code is shared. Thus, the discovery of a critical vulnerability in a library usually affects a wide range of applications from Microsoft and third-party vendors that use that library. Hackers and malware authors then try to find multiple attack vectors through which to exploit the vulnerability. For instance, a vulnerability in an image-processing library could be exploited via Internet Explorer, Microsoft Office and image-viewing software alike. Considering the massive base of Windows users, such an exploit ensures huge deployment.
Several such vulnerabilities have been discovered in the recent past; for many of them, exploit code was either made available or discovered in the wild before patches were released. This scenario is also known as a "zero-day". Listed below are a few:
VML Exploit (CVE-2006-4868, MS06-055) - a vulnerability in the Vector Graphics Rendering engine (vgx.dll) could allow remote code execution via a specially crafted Vector Markup Language file. The vulnerable library is used by applications such as Microsoft Outlook and Internet Explorer, which can serve as attack vectors.
WebViewFolderIcon Exploit (via the setSlice method) (CVE-2006-3730, MS06-057) - a vulnerability in Windows Shell, due to improper validation of input parameters when invoked by the WebViewFolderIcon ActiveX control via the setSlice method, could allow remote code execution.
WMF Exploit (CVE-2005-4560, CVE-2005-2124; MS06-001, MS05-053) - a vulnerability in the graphics rendering engine (GDI32.DLL) could allow remote code execution while handling a specially crafted Windows Metafile (WMF) image.
EMF Exploit (CVE-2005-2123, CVE-2005-0803) - a vulnerability in the graphics rendering engine (GDI32.DLL) could allow remote code execution via a heap-based buffer overflow, or cause an application crash, while handling a specially crafted Enhanced Metafile (EMF) image.
ANI exploit (CVE-2007-0038, CVE-2004-1049, CVE-2004-1305; MS07-017, MS05-002) - a vulnerability in cursor and icon format handling could allow remote code execution or denial of service (kernel or application crash).
Web View exploit (CVE-2005-1191, MS05-024) - a vulnerability in the Web View DLL (webvw.dll) could allow remote code execution.
PNG exploit (CVE-2004-1244, CVE-2004-0597, MS05-009) - a vulnerability in PNG image processing (in Windows Media Player 9, or via libpng 1.2.5 and earlier) could allow remote code execution.
JPEG exploit (CVE-2004-0200, MS04-028) - a buffer overflow in the JPEG (JPG) parsing engine in GDIPlus.dll could allow remote code execution.
iPhone exploit - H.D. Moore (creator of the Metasploit Framework) has several blog entries with step-by-step descriptions of how to exploit the Apple iPhone. There, he exploits a vulnerable version of the libtiff library shipped with the latest update to the iPhone.
URL handling exploit (CVE-2007-3896, MSA-943521) - a URL/URI handling bug in Shell32.dll, on systems with Internet Explorer or Mozilla Firefox installed, could allow remote code execution. Attack vectors could be applications such as mIRC, Outlook, Adobe Reader, Skype, etc.
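The WMF entry above (CVE-2005-4560, MS06-001) shows why the parsers for these shared formats matter so much: the exploit embeds a META_ESCAPE record carrying the SETABORTPROC escape, which makes GDI treat attacker-supplied bytes from the file as an abort-procedure callback. As an added example, and not code from the original post, the following Python script walks the record table of a WMF file and flags such records, rejecting any record whose declared size runs past the end of the file on the way. The two sample files are constructed inside the script; the escape's data bytes are zeros, not a payload.

```python
"""Scan a Windows Metafile (WMF) for the construct behind the MS06-001
zero-day: a META_ESCAPE record whose escape function is SETABORTPROC.
Added example; the sample files below are constructed byte strings."""
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # Aldus placeable-header magic
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009        # escape number abused by the exploit


def iter_records(data):
    """Yield (offset, function, parameter bytes) for every metafile record,
    validating each record's declared size against the file length."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                       # skip the 22-byte placeable header
    if len(data) < off + 18:
        raise ValueError("truncated metafile header")
    mt_type, hdr_words = struct.unpack_from("<HH", data, off)
    if mt_type not in (1, 2) or hdr_words != 9:
        raise ValueError("not a WMF header")
    off += hdr_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)  # size is in WORDs
        rec_len = size_words * 2
        if rec_len < 6 or off + rec_len > len(data):
            raise ValueError(f"record at offset {off} claims {rec_len} bytes")
        yield off, func, data[off + 6:off + rec_len]
        if func == META_EOF:
            return
        off += rec_len


def scan_wmf(data):
    """Return (escapes, suspicious): every META_ESCAPE record as
    (offset, escape_function, byte_count), and whether any is SETABORTPROC."""
    escapes = []
    for off, func, parms in iter_records(data):
        if func == META_ESCAPE and len(parms) >= 4:
            esc_func, nbytes = struct.unpack_from("<HH", parms, 0)
            escapes.append((off, esc_func, nbytes))
    return escapes, any(e[1] == SETABORTPROC for e in escapes)


# --- helpers that build the constructed sample files --------------------
def make_record(func, parms=b""):
    body = parms + (b"\x00" if len(parms) % 2 else b"")   # records are WORD aligned
    return struct.pack("<IH", (6 + len(body)) // 2, func) + body


def make_wmf(records):
    body = b"".join(records)
    header = struct.pack("<HHHIHIH",
                         1,                                  # mtType: memory metafile
                         9,                                  # header size in WORDs
                         0x0300,                             # mtVersion
                         (18 + len(body)) // 2,              # mtSize in WORDs
                         0,                                  # mtNoObjects
                         max(len(r) for r in records) // 2,  # mtMaxRecord
                         0)                                  # mtNoParameters
    return header + body


BENIGN_WMF = make_wmf([make_record(META_SETMAPMODE, struct.pack("<H", 8)),
                       make_record(META_EOF)])
# Same file with a SETABORTPROC escape inserted; the four zero bytes stand in
# for whatever the escape would carry and are not a payload.
SUSPECT_WMF = make_wmf([make_record(META_SETMAPMODE, struct.pack("<H", 8)),
                        make_record(META_ESCAPE,
                                    struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4),
                        make_record(META_EOF)])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("suspect", SUSPECT_WMF)):
        escapes, bad = scan_wmf(blob)
        print(f"{name}: escapes={escapes} setabortproc={bad}")
```

Keying on a single escape number only catches this one family; the actual MS06-001 fix made GDI stop honouring SETABORTPROC inside metafiles, so a scanner like this is mainly useful at a mail or web gateway in front of clients that are not yet patched, or for triaging samples. The record-size check is the more general lesson, since oversized or undersized records are what most of the other metafile and image bugs on this page come down to.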
Microsoft Office file formats have always been a target for digging out vulnerabilities that malicious authors can exploit. The SANS 2006 list and SANS 2007 list of Office file format vulnerabilities provide information about a number of these bugs. This SecurityFocus article discusses the extent of vulnerabilities in Microsoft Office documents in recent months, while this blog entry by Symantec discusses malware exploiting such vulnerabilities. Ryan Naraine's blog also talks about malware authors creating tools to exploit vulnerabilities in the Microsoft Word document format, while Microsoft itself releases a tool called MOICE (Microsoft Office Isolated Conversion Environment) intended to isolate potentially exploitable elements.
Vulnerabilities in Applications
Vulnerabilities or unpatched bugs in commonly used applications such as image viewers, media players, browsers, file readers, etc. are also sought out by malicious authors for exploitation. Listed below are a few examples:
- A vulnerability in Windows Media Player (CVE-2006-0006, MS06-005) while processing a specially crafted BMP image could allow remote code execution.
- A vulnerability in the Windows Media Player plugin (CVE-2006-0005, MS06-006) for non-Microsoft browsers could allow remote code execution.
- A recent vulnerability in Adobe Reader for Windows (CVE-2007-5020) while processing a specially crafted PDF file could allow remote code execution via another vulnerability in Shell32.dll (CVE-2007-3896). Adobe has already released a patch for this here. This vulnerability was discovered by Petko D. Petkov of gnucitizen.
- Several vulnerabilities in Adobe Reader (SA23483) could allow remote code execution or aid CSRF attacks. Improperly handled input passed to a hosted PDF file via a vulnerable Adobe Reader browser plugin could allow remote code execution; improperly sanitized values returned by the plugin when input is passed to a hosted PDF file could likewise allow remote code execution; and improperly sanitized input to a hosted PDF file via the plugin could allow requesting of arbitrary URLs, providing a vector for CSRF attacks.
- A vulnerability in Adobe Photoshop for Windows (FrSIRT-1523) while processing specially crafted BMP, DIB or RLE files could allow remote code execution.
- A vulnerability in Apple QuickTime (FrSIRT-3155) while processing the "qtnext" parameter within QuickTime Link Files (.qtl files) could allow remote code execution by tricking a user into visiting a specially crafted web page or opening a malicious file. This vulnerability was discovered by Petko D. Petkov of gnucitizen.
- A vulnerability in Apple QuickTime (US-CERT-659761, CVE-2007-6166) while processing a specially crafted RTSP (Real Time Streaming Protocol) stream could allow remote code execution. Since QuickTime is a component of Apple iTunes, all such installations are vulnerable on all supported Windows and Mac operating systems.
- A vulnerability in Adobe Flash Player (CVE-2007-3456, APSB07-12) could allow remote code execution due to an "input validation error" (buffer overflow) via a specially crafted FLV or SWF file. Another recent vulnerability (CVE-2007-3457), due to insufficient validation of HTTP Referer headers, could allow remote attackers to conduct a CSRF attack via a specially crafted SWF file.
- A vulnerability in the Database Component in MPAMedia.dll in RealPlayer (CVE-2007-5601) could allow remote code execution via certain playlist names passed to the import method of the IERPCtl ActiveX control in ierpplug.dll. RealNetworks has released a patch for this here. Malicious authors are known to be exploiting this vulnerability.
- A vulnerability in the RPC interface of the Windows DNS server (CVE-2007-1748, MS07-029) could allow remote code execution.
- Multiple vulnerabilities in Microsoft PowerPoint (MS06-058, SA22127) could allow remote code execution.
- A vulnerability in the cPanel software (control-panel software widely used by hosting providers such as Apachi web-hosting) could allow a remote attacker to gain access to the web servers and taint web pages with malicious iFrame links.
- A vulnerability in Winamp could allow the execution of malicious code via a specially crafted MP4 file. Here is a post on "The Register" about it.
- A myriad of anti-virus products were also revealed to have vulnerabilities, according to a blog post here.
- A blog post by Aviv Raff here details the vulnerabilities discovered in Gadgets (scriptable applications) on Vista.
- A post here describes a myriad of security issues with Google, such as a vulnerability in Google Desktop and an XSS error in Gmail, among many others.
- A recently discovered XSS vulnerability in common Shockwave Flash files.
- A vulnerability in an ATI driver allows malicious code to be loaded into Vista's kernel in spite of its latest security measures (such as PatchGuard and only allowing signed drivers to be loaded); since the vulnerable driver itself carries a valid signature, the signing requirement does nothing to stop it.
And the saga continues...