Intel CPU Rootkit to be released

March 18th, 2009 4 Comments »

Tomorrow at 12pm EST Joanna Rutkowska and Loic Duflot are publishing a paper and actual exploit code that works against Intel's cache mechanisms. These attacks allow privilege escalation into SMM (System Management Mode) and make it possible to deploy a rootkit that takes complete control of the machine. SMM is out of reach of the operating system, so this attack cannot be detected or blocked by any current form of software anti-virus protection. SMM is present on all Intel CPUs going as far back as the Intel 386.

This issue has been reported to Intel on numerous occasions over the last few years. Loic reported it 3-4 months ago, back in October, and Intel's own employees had mentioned it in documents as far back as 2005. To date Intel has not provided any resolution for this vulnerability, and this is the main reason Joanna and Loic are going the full disclosure route. Joanna writes on her blog: "If there is a bug somewhere and if it stays unpatched for enough time, it is almost guaranteed that various people will (re)discover and exploit it, sooner or later."

Intel did alert CERT back in October when Loic reported his findings; this was tracked as VU#127284.

You will find the full details published at Joanna's website, the Invisible Things Kernel Security Blog.

Currently there is no defense against this threat short of using an AMD CPU or virtualization. Or is there, Intel?


Author: Christopher

Adobe Acrobat vulnerable again

February 23rd, 2009 1 Comment »

Another serious vulnerability in Adobe Acrobat is making its way around the Internet. So far testing has confirmed the vulnerability in Adobe Acrobat 8.1.0, 8.1.1, 8.1.2, 8.1.3, and 9.0.0, which means the latest releases of both the 8.x and 9.x versions are affected. Although the exploit itself is not JavaScript based, it is triggered via JavaScript, so for now disabling JavaScript will help mitigate this threat. Adobe has acknowledged the vulnerability and plans to release a patch around March 11th.

For now, if you want to disable JavaScript in Adobe Acrobat, open the Edit menu and select Preferences. Under Preferences you will see a JavaScript option group; from there you can un-check the box to disable JavaScript.

This can also be disabled via the registry, or via a GPO, under HKEY_CURRENT_USER:

Adobe Acrobat Reader:

Software\Adobe\Acrobat Reader\x.0\JSPrefs

Adobe Acrobat:

Software\Adobe\Adobe Acrobat\x.0\JSPrefs

Here x.0 is the installed major version (8.0 or 9.0 for the affected releases). Setting the DWORD value "bEnableJS" to zero disables JavaScript.
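The registry change above, as an added PowerShell example that is not part of the original post: it walks both HKCU key paths given in the post, finds every installed x.0 version subkey instead of hard-coding one, sets bEnableJS to 0, and reads the value back so you can confirm the mitigation took effect. The key paths are the ones the post lists; the version-subkey pattern (a number followed by ".0") is an assumption based on the 8.x and 9.x releases the post names.

```powershell
# Added example (not from the original post). Disables Acrobat/Reader
# JavaScript for the current user by setting bEnableJS = 0 under every
# installed <major>.0\JSPrefs key. Key paths are those given in the post;
# the version-subkey pattern '^\d+\.0$' is an assumption.

$bases = @(
    'HKCU:\Software\Adobe\Acrobat Reader',
    'HKCU:\Software\Adobe\Adobe Acrobat'
)

foreach ($base in $bases) {
    # Skip products that are not installed for this user.
    if (-not (Test-Path $base)) { continue }

    Get-ChildItem -Path $base |
        Where-Object { $_.PSChildName -match '^\d+\.0$' } |
        ForEach-Object {
            $jsPrefs = "$base\$($_.PSChildName)\JSPrefs"

            # JSPrefs only exists once the user has touched the JavaScript
            # preferences, so create it if it is missing.
            if (-not (Test-Path $jsPrefs)) {
                New-Item -Path $jsPrefs -Force | Out-Null
            }

            # DWORD bEnableJS = 0 turns JavaScript off (per the post).
            New-ItemProperty -Path $jsPrefs -Name 'bEnableJS' `
                -PropertyType DWord -Value 0 -Force | Out-Null

            # Read the value back as a check that the change applied.
            $current = (Get-ItemProperty -Path $jsPrefs -Name 'bEnableJS').bEnableJS
            '{0}: bEnableJS = {1}' -f $jsPrefs, $current
        }
}
```

Run it in the context of the user whose Acrobat settings you want to change, since the keys live under HKEY_CURRENT_USER; for a fleet, the same value can be pushed as a Group Policy registry preference, and the read-back at the end is what you would turn into a compliance check.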

Author: Christopher

Security Researcher Uncovers Massive eCrime Attack

October 13th, 2008 1 Comment »

Neosploit, a crimeware kit thought by some security experts to have been retired, has reared its ugly head again, and may have been used in one of the biggest organized crimeware attacks in history. Ian Amit, a security researcher investigating the possible resurrection of the notorious kit, discovered a server hosting the login credentials of more than 200,000 servers in more than 86 countries around the world. According to Amit, he has uncovered evidence suggesting that 80,000 legitimate web sites from dozens of countries have been infected with the malware, which in turn infects visitors to these sites with various Trojans and other malware.

Last April the Neosploit development team announced that it was discontinuing support and development of the kit, despite the success of the "product," citing concerns about the ongoing viability of the business. Now it appears that this statement was a ruse designed to buy the gang some time to perfect the next release of the kit. The latest discoveries by Amit and his crew indicate that a new version was used to compromise the data of millions of users across hundreds of thousands of systems. These include major overseas weapons manufacturers, the U.S. Postal Service, Fortune 500 companies, universities, and government departments.

Amit is working with US-CERT (a department of Homeland Security) as well as other local and international law enforcement agencies to investigate and shut down the servers operated by these criminals, and to notify and work with infected enterprises to clean up their systems.


Author: Christopher

Top Malware for September 2008

October 1st, 2008 Comments Off

Here is September's most widespread malware according to Kaspersky Security Network. The most interesting thing is that the previous leader, Trojan.Win32.DNSChanger.ech, is nowhere to be found.

(The change column is relative to August's ranking; a dash means the position is unchanged.)

Rank  Change  Name
 1    New     Rootkit.Win32.Agent.cvx
 2    Return  Trojan-Downloader.WMA.Wimad.n
 3    New     Packed.Win32.Black.a
 4    +8      Trojan.Win32.Agent.abt
 5    New     Trojan-Downloader.HTML.IFrame.sz
 6    New     Trojan-Downloader.Win32.VB.eql
 7    New     Trojan-Downloader.JS.IstBar.cx
 8    +1      Trojan.Win32.Agent.tfc
 9    +1      not-a-virus:AdWare.Win32.BHO.ca
10    New     Trojan-Downloader.Win32.Small.aacq
11    -       not-a-virus:AdWare.Win32.Agent.cp
12    New     Trojan.Win32.Obfuscated.gen
13    +1      not-a-virus:AdWare.Win32.BHO.sc
14    +1      not-a-virus:AdWare.Win32.BHO.vp
15    +3      Trojan.Win32.Chifrax.a
16    -3      Trojan-Dropper.Win32.Agent.tbd
17    +2      Trojan.RAR.Qfavorites.a
18    New     Email-Worm.Win32.Brontok.q
19    New     Trojan-Downloader.JS.Agent.cme
20    -12     Trojan-Downloader.JS.Agent.chk

Source: Kaspersky Lab


Author: Christopher

Google Chrome logs keystrokes

September 19th, 2008 2 Comments »

Long considered to be malware and a threat to privacy and security, keylogging software has been found in Microsoft Internet Explorer 8 and Google Chrome. However, these keyloggers were not placed there by hackers; the companies put them there on purpose.

Google and Microsoft added keyloggers to their browsers in an attempt to improve searches for their users. Keylogging allows the browser to determine common or most likely searches based on the user's past usage. Browsers also store user log-ins and passwords for the user's convenience and track activity to help determine the cause of errors, and employers use keyloggers to track employee productivity. While this is all very useful for the companies doing the tracking, it makes anti-malware protection more complicated, because anti-malware applications like Kaspersky AntiVirus can no longer simply delete all keyloggers as they have up until this point.

Cyber criminals use keylogging to capture and record each keystroke you make to steal personal information like user IDs, passwords and anything else they can use to steal your identity. However, some companies are now using keylogging for more legitimate purposes.

In order to determine the best course of action regarding keyloggers, Kaspersky Labs, an industry leader in anti-malware protection, is seeking legal counsel. While they do not want to accuse legitimate companies of wrongdoing, they still want to provide the best and most comprehensive anti-malware protection on the market. If it were up to Eugene Kaspersky, CEO of the company, users would not tolerate these privacy-invading programs in their browsers and would ask the companies to remove them. "That would save us a lot of work, and we already have plenty to do," he told Computer Weekly. Google is already reacting to the public's aversion to keylogging by promising to keep the information anonymous, but Microsoft has made no such announcement as of yet.

What it all comes down to is this: is the convenience provided by keylogging worth compromising the security of your computer?


Author: Christopher

Malware Statistics for August 2008

September 7th, 2008 Comments Off

In its second month of compiling data, the new Kaspersky Security Network (KSN) technology revealed some significant changes amongst the most widespread malicious programs.

The first table is based on statistics provided by Kaspersky's 2009 antivirus products. It shows the malicious programs detected on users' computers.

 1              Trojan.Win32.DNSChanger.ech
 2    New    Trojan.Win32.Pakes.kab
 3    New    Trojan-Downloader.Win32.Agent.xqz
 4    New    Trojan-Downloader.Win32.Agent.yaw
 5    New    Trojan-Downloader.Win32.Agent.xws
 6    New    Trojan-Downloader.Win32.Small.zie
 7    New    Trojan-Downloader.Win32.Agent.xna
 8    New    Trojan-Downloader.JS.Agent.chk
 9    New    Trojan.Win32.Agent.tfc
10    +6      not-a-virus:AdWare.Win32.BHO.ca
11    New    not-a-virus:AdWare.Win32.Agent.cp
12    -3      Trojan.Win32.Agent.abt
13    New    Trojan-Dropper.Win32.Agent.tbd
14    New    not-a-virus:AdWare.Win32.BHO.sc
15    New    not-a-virus:AdWare.Win32.BHO.vp
16    New    Trojan-GameThief.Win32.OnLineGames.sjbb
17    New    Trojan-Clicker.Win32.Agent.bkd
18    +1      Trojan.Win32.Chifrax.a
19    New    Trojan.RAR.Qfavorites.a
20    New    Trojan-GameThief.Win32.OnLineGames.sgpq

A total of 28940 different malicious and potentially unwanted programs were detected on users’ computers in August. That is an increase of more than 8000 on July’s figures and points to a significant increase in the number of in-the-wild threats.

Source: Kaspersky Lab


Author: Christopher