Focus on Virus
security in yahoo messenger - anwar azam khan Jun 15 2007 11:33AM
anwar azam khan (belasuz yahoo com) (1 replies)
RE: security in yahoo messenger - anwar azam khan Jun 20 2007 01:15PM
Patrick Collins (Patrick Collins thegenius com)
Here is the article from Internet Storm Center where I got my information:

http://isc.sans.org/diary.html?storyid=2952

Yahoo! Messenger exploits seen in the wild
Published: 2007-06-10,
Last Updated: 2007-06-10 01:42:13 UTC
by Bojan Zdrnja (Version: 1)
Just three days after the PoCs for 2 Yahoo! Messenger vulnerabilities were
posted (http://isc.sans.org/diary.html?storyid=2943), we've been
informed by Roger C. from the Malware-Test Lab about a site hosting exploits
for the mentioned vulnerabilities.

The exploit is referenced the standard way - an iframe points to the web
site hosting the exploit (n.88tw.net). The exploit has been pretty simply
obfuscated. One thing that makes it easier to identify is the object
creation - for some reason attackers left it outside of the obfuscated
string so it is very easy to spot:

<object classid="clsid:DCE2F8B1-A520-11D4-8FD0-00D0B7730277"
id='viewme'></object>

Practically the only difference from the published PoC is the object's name -
in this case it is, as you can see above, "viewme", while the object name in
the originally published PoC was "target".

The rest is very much the same, apart from the attached shellcode. The
shellcode in the sample we analyzed downloaded another dropper (of course),
and this second component wasn't detected by any AV vendor on the VirusTotal
site when we tested it (!!). This dropper downloaded further components, of
which one was called 5in1.exe - we haven't analyzed this yet but judging
just by the file name, it doesn't sound good.

Mitigation

As you are probably aware, Yahoo! provided a fix practically only a couple of
hours after the PoCs were posted online (kudos to Yahoo! for this). If
you are using Yahoo! Messenger you should upgrade as soon as possible.
Alternatively, you can set the kill bits for the affected ActiveX controls,
as we've posted in our original diary.

One thing that might help as well is the AV detection. Although the second
stage dropper wasn't detected by any AV vendor, the JavaScript that triggers
the exploit was detected by a couple of programs. As the names were generic
(HEUR/Exploit.HTML, JS:Feebs-D, Heuristic.Exploit.HTML), my guess is that
those that detected this properly got lucky (the JavaScript used the standard
eval(unescape("")) method). In any case, every defense layer helps.

Patrick
-----Original Message-----
From: listbounce (at) securityfocus (dot) com On Behalf Of anwar azam khan
Sent: Friday, June 15, 2007 6:34 AM
To: focus-virus (at) securityfocus (dot) com
Subject: security in yahoo messenger - anwar azam khan

Hello!
I have heard about the bugs in Yahoo Messenger? In previous days, there were
a lot of problems with the security of Yahoo Messenger?

Bela
--
View this message in context:
http://www.nabble.com/security-in-yahoo-messenger---anwar-azam-khan-tf3927277.html#a11137637
Sent from the Security - Virus mailing list archive at Nabble.com.
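The detection angle in the ISC diary quoted above (the object creation with its classid left outside the obfuscated string, plus the eval(unescape("")) wrapper) can be turned into a small static scanner for HTML as captured by a proxy or sandbox. This is an added example, not code from the diary or from this list; the two HTML samples and the example.invalid iframe target are constructed, and the vulnerable-CLSID set holds only the CLSID quoted in the diary.

```python
import re

# CLSID of the Yahoo! Messenger ActiveX control named in the quoted diary,
# stored lowercase without braces. Add further CLSIDs from the original
# advisory here (assumption: one known-vulnerable CLSID per entry).
VULNERABLE_CLSIDS = {"dce2f8b1-a520-11d4-8fd0-00d0b7730277"}

OBJECT_RE = re.compile(r"<object\b[^>]*>", re.IGNORECASE)          # tag may span lines
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.IGNORECASE)
IFRAME_SRC_RE = re.compile(r"""<iframe\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
EVAL_UNESCAPE_RE = re.compile(r"eval\s*\(\s*unescape\s*\(", re.IGNORECASE)


def _attrs(tag):
    """Parse name=value pairs of one start tag; tolerates ", ' and bare values."""
    out = {}
    for m in ATTR_RE.finditer(tag):
        out[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return out


def scan_html(html):
    """Return (kind, detail) findings: vulnerable object tags, iframes, eval/unescape."""
    findings = []
    for m in OBJECT_RE.finditer(html):
        attrs = _attrs(m.group(0))
        clsid = attrs.get("classid", "").lower().replace("clsid:", "").strip("{}")
        if clsid in VULNERABLE_CLSIDS:
            findings.append(("vulnerable_activex", f"{clsid} id={attrs.get('id', '')}"))
    for m in IFRAME_SRC_RE.finditer(html):
        findings.append(("iframe", m.group(1)))          # where the referencing page points
    if EVAL_UNESCAPE_RE.search(html):
        findings.append(("eval_unescape", "eval(unescape("))
    return findings


# Constructed samples mirroring the structure described in the diary.
SAMPLE_LANDING = '<html><body><iframe src="http://example.invalid/x.html" ' \
                 'width="0" height="0"></iframe></body></html>'
SAMPLE_EXPLOIT = ('<object classid="clsid:DCE2F8B1-A520-11D4-8FD0-00D0B7730277"\n'
                  "id='viewme'></object>\n"
                  '<script>eval(unescape("%41%41"));</script>')   # harmless placeholder body

if __name__ == "__main__":
    for name, doc in (("landing", SAMPLE_LANDING), ("exploit", SAMPLE_EXPLOIT)):
        for kind, detail in scan_html(doc):
            print(f"{name}: {kind}: {detail}")
```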


