Monday, July 27, 2009

Network Solutions hacked, 500,000 card numbers compromised




Another major data breach: this time Network Solutions, a company that itself sells security products such as SSL certificates, is the latest to be compromised, to the tune of 500,000+ credit/debit card numbers.

This attack seems to have been very sophisticated, and the company claims it had maintained PCI compliance throughout the period of the hack. This is a huge one for the industry, as it will spark a big "PCI works / PCI doesn't work" debate, and it is perfectly timed: the BlackHat and Defcon conferences start in Las Vegas this week.

References:

* Washington Post
* Finextra
* SC Magazine

Monday, July 6, 2009

New MS 0-day ActiveX (MSVidCtl dll exploit)



This was announced this morning after being found in the wild on several Chinese forums; apparently it has been circulating, undetected, for almost a month.

This is a client-side (browser) exploit, so simply visiting a malicious site is enough to get infected.

There is one known hotfix right now, and that is to set a "kill bit" in the registry for the ActiveX component, which stops Internet Explorer from loading that control at all.

* Create a registry key called:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]

Then, under that key, create a DWORD value named "Compatibility Flags" and give it a value of 400 (regedit takes DWORD values in hexadecimal by default, so this is 0x400, the standard ActiveX kill bit).
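As an added example (my own code, not from the original post and not Microsoft tooling): a small Python script that produces the same kill-bit change as an importable .reg file, OR-ing 0x400 into any existing Compatibility Flags value instead of overwriting it, and that reads the flag back out of a `reg export` style dump to confirm the bit is set. The CLSID and key path are the ones from the post; the function names are my own, and no Windows-only module is used, so it runs anywhere.

```python
# Added example, not from the original post and not Microsoft tooling.
# Builds the kill-bit change for an ActiveX CLSID as an importable .reg file
# and checks a Compatibility Flags value for the kill bit.  Compatibility
# Flags is a bitmask; the kill bit is 0x400, and it is OR-ed into whatever
# is already there so other flags on the control are not clobbered.
import re
from typing import Optional

KILL_BIT = 0x400
MSVIDCTL_CLSID = "{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}"   # from the post
KEY_BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

_CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$")


def kill_bit_key(clsid: str) -> str:
    """Full registry key that holds the control's Compatibility Flags."""
    clsid = clsid.upper()
    if not _CLSID_RE.match(clsid):
        raise ValueError(f"not a CLSID: {clsid}")
    return f"{KEY_BASE}\\{clsid}"


def killed_flags(current: Optional[int]) -> int:
    """New Compatibility Flags value; `current` is None when the value does not exist yet."""
    return (current or 0) | KILL_BIT


def is_killed(flags: Optional[int]) -> bool:
    """True when the kill bit is present in an existing Compatibility Flags value."""
    return flags is not None and (flags & KILL_BIT) == KILL_BIT


def kill_bit_reg(clsid: str, current: Optional[int] = None) -> str:
    """Render a .reg file (for `reg import` / `regedit /s`) that sets the kill bit."""
    value = killed_flags(current)
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[{kill_bit_key(clsid)}]\r\n"
        f'"Compatibility Flags"=dword:{value:08x}\r\n'
    )


def parse_reg_flags(reg_text: str, clsid: str) -> Optional[int]:
    """Read Compatibility Flags for `clsid` out of .reg text (e.g. a `reg export` of the
    ActiveX Compatibility key); None if the key or the value is absent."""
    wanted = kill_bit_key(clsid).upper()
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").upper() == wanted
        elif in_key:
            m = re.match(r'"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$', line)
            if m:
                return int(m.group(1), 16)
    return None


if __name__ == "__main__":
    reg = kill_bit_reg(MSVIDCTL_CLSID)
    print(reg)
    print("kill bit set:", is_killed(parse_reg_flags(reg, MSVIDCTL_CLSID)))
```

Running the script prints the .reg text; feeding the output of `reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" dump.reg` from a machine into `parse_reg_flags` is a quick way to confirm the mitigation actually landed after a rollout.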

Here are the current Snort IDS/IPS signatures for this exploit:


# The uricontent match is on the client's request for the loader URL, so the flow is to_server and the header direction runs from $HOME_NET to the web server
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MSVidCtl 0-day"; flow:to_server,established; uricontent:"/aa/go.jpg"; nocase; classtype:attempted-admin; reference:url,isc.sans.org/diary.html?storyid=6733; sid:3000305; rev:2;)


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely MSVIDCTL.dll exploit in transit"; flow:to_client,established; content:"|00 03 00 00 11 20 34|"; content:"|ff ff ff ff 0c 0c 0c 0c 00|"; within:70; classtype:trojan-activity; sid:2009493; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft DirectShow ActiveX Load"; flow:to_client,established; content:"clsid"; nocase; content:"0955AC62-BF2E-4CBA-A2B9-A63F772D46CF"; nocase; reference:url,csis.dk/dk/nyheder/nyheder.asp?tekstID=799; classtype:web-application-attack; sid:2009xxx; rev:0;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft DirectShow ActiveX Exploit Attempt"; flow:to_client,established; content:"clsid"; nocase; content:"0955AC62-BF2E-4CBA-A2B9-A63F772D46CF"; nocase; content:"omybro"; nocase; content:"logo.gif"; nocase; reference:url,csis.dk/dk/nyheder/nyheder.asp?tekstID=799; classtype:web-application-attack; sid:2009xxx; rev:0;)
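To see what these signatures actually test for, here is an added example (my own code, not Snort's and not the ISC or Emerging Threats rule authors'): a minimal evaluator for the content, nocase and within options used in the two ET rules with sids 2009493 and 2009xxx, run over constructed sample payloads: a page that instantiates the control by CLSID, a page that only mentions the GUID, and two byte blobs carrying the signature bytes 20 and 200 bytes apart. The header, flow, classtype and reference options are parsed past and ignored; only the ordered payload matching is modelled, and the sample payloads are constructed, not captures.

```python
# Added example, not from the original post and not Snort's or the rule
# authors' code: a minimal evaluator for the content / nocase / within
# options used in the two ET rules above, run over constructed payloads.
# Header, flow, classtype and reference are parsed past and ignored.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ContentMatch:
    pattern: bytes
    nocase: bool = False
    within: Optional[int] = None   # max bytes from previous match end to this match end


@dataclass
class Rule:
    msg: str = ""
    sid: str = ""
    contents: List[ContentMatch] = field(default_factory=list)


def parse_content(text: str) -> bytes:
    """Snort content string to bytes: text outside |...| is literal, inside is hex."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def split_options(opts: str) -> List[str]:
    """Split the option block on ';' characters that sit outside double quotes."""
    items, cur, in_quote = [], [], False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            items.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    return items + ([tail] if tail else [])


def parse_rule(rule: str) -> Rule:
    """Pull msg, sid and the ordered content matches (with nocase/within) out of one rule."""
    m = re.match(r"^\s*alert\s+\w+\s+.+?\((.*)\)\s*$", rule, re.S)
    if not m:
        raise ValueError("not an alert rule")
    r = Rule()
    for item in split_options(m.group(1)):
        key, _, val = item.partition(":")
        key, val = key.strip(), val.strip()
        if key == "msg":
            r.msg = val.strip('"')
        elif key == "sid":
            r.sid = val
        elif key == "content":
            r.contents.append(ContentMatch(parse_content(val.strip('"'))))
        elif key == "nocase" and r.contents:
            r.contents[-1].nocase = True
        elif key == "within" and r.contents:
            r.contents[-1].within = int(val)
    return r


def matches(rule: Rule, payload: bytes) -> bool:
    """Apply content matches in order: each search starts at the end of the previous
    match, and within:N means this match must end no more than N bytes past that point."""
    pos = 0
    for cm in rule.contents:
        hay, needle = (payload.lower(), cm.pattern.lower()) if cm.nocase else (payload, cm.pattern)
        end = len(hay) if cm.within is None else min(len(hay), pos + cm.within)
        idx = hay.find(needle, pos, end)
        if idx < 0:
            return False
        pos = idx + len(needle)
    return True


# The two ET rules from the post, one per line.
ET_RULES = [
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely MSVIDCTL.dll exploit in transit"; flow:to_client,established; content:"|00 03 00 00 11 20 34|"; content:"|ff ff ff ff 0c 0c 0c 0c 00|"; within:70; classtype:trojan-activity; sid:2009493; rev:1;)',
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft DirectShow ActiveX Load"; flow:to_client,established; content:"clsid"; nocase; content:"0955AC62-BF2E-4CBA-A2B9-A63F772D46CF"; nocase; reference:url,csis.dk/dk/nyheder/nyheder.asp?tekstID=799; classtype:web-application-attack; sid:2009xxx; rev:0;)',
]

# Constructed sample payloads (not real captures).
SAMPLES: Dict[str, bytes] = {
    # page that instantiates the control by CLSID, in lower case (so nocase matters)
    "page_loads_control": b'<object classid="clsid:0955ac62-bf2e-4cba-a2b9-a63f772d46cf"></object>',
    # page that only mentions the GUID, with no "clsid" token before it
    "page_mentions_guid": b"<!-- 0955AC62-BF2E-4CBA-A2B9-A63F772D46CF --><p>hello</p>",
    # both byte sequences of sid 2009493, 20 bytes apart: inside within:70
    "blob_close": b"\x00\x03\x00\x00\x11\x20\x34" + b"A" * 20 + b"\xff\xff\xff\xff\x0c\x0c\x0c\x0c\x00",
    # same sequences 200 bytes apart: within:70 is not satisfied
    "blob_far": b"\x00\x03\x00\x00\x11\x20\x34" + b"A" * 200 + b"\xff\xff\xff\xff\x0c\x0c\x0c\x0c\x00",
}


def scan(payloads: Dict[str, bytes] = SAMPLES, rules: List[str] = ET_RULES) -> Dict[str, List[str]]:
    """Map each sample name to the sids of the rules whose content matches all succeed."""
    parsed = [parse_rule(r) for r in rules]
    return {name: [r.sid for r in parsed if matches(r, data)] for name, data in payloads.items()}


if __name__ == "__main__":
    for name, sids in scan().items():
        print(f"{name:20s} {sids or '-'}")
```

The "blob_far" sample is the one worth noticing: both byte strings are present, but sid 2009493 stays quiet because within:70 anchors the second match to the first, which is what keeps the rule from firing on unrelated data that happens to contain both sequences far apart.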