Archive for February 2005
Webroot Spysweeper Server Vuln
I also posted this in the security forums over at http://myitforum.com/forums.
Webroot Spysweeper 2.0 Enterprise by default creates a website on port 8080. The web server is an Apache Jetty server. This website is used to send updates to the clients.
The website is misconfigured so that the “PUT” command is enabled. This allows anyone to upload files to the server and potentially replace the files that are there. Traditionally, leaving the PUT command enabled can lead to complete system compromise.
If you go to http://servername:8080/updates, you will see a list of folders with sequential naming: 0057F161…0057F165. Each folder contains a zip file and an INI file. The zip file contains an mst file and an INI file. I have not tested this, but I postulate that at best an attacker could overwrite these files, preventing client updates. At worst an attacker could create their own mst files that could crash Webroot and potentially run hostile code on the clients.
I called Webroot today. At first they professed to have no idea what I was talking about. After explaining it a few times, it turns out this has been discovered and will be fixed in version 2.1, due next week.
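A defender's check for the misconfiguration described above, as an added example and not code from the original post or from Webroot: it flags write-method requests against the update tree in NCSA-style access log lines (constructed here; the log format, file names and addresses are assumptions) and parses an OPTIONS Allow header to confirm PUT is no longer advertised once the fix is in.

```python
import re

# Methods that let a client change server content. A read-only update
# mirror should never accept them, so any 2xx answer is a finding.
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}

# NCSA common log format as written by Apache-style servers; Jetty's
# NCSARequestLog uses the same layout (assumption: the update server logs this way).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_write_requests(lines, prefix="/updates"):
    """Return (ip, method, path, status) for write-method requests under prefix."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in WRITE_METHODS:
            continue
        if rec["path"].startswith(prefix):
            hits.append((rec["ip"], rec["method"], rec["path"], int(rec["status"])))
    return hits

def accepted_writes(hits):
    """Keep only requests the server honoured (2xx); a 405 means the method was refused."""
    return [h for h in hits if 200 <= h[3] < 300]

def put_allowed(allow_header):
    """True if an OPTIONS response's Allow header still advertises PUT (post-fix check)."""
    return "PUT" in {m.strip().upper() for m in allow_header.split(",")}

# Constructed sample lines, not real traffic; the folder name follows the page's naming.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Feb/2005:09:01:12 -0500] "GET /updates/0057F161/update.ini HTTP/1.1" 200 412',
    '10.0.0.5 - - [14/Feb/2005:09:01:13 -0500] "GET /updates/0057F161/update.zip HTTP/1.1" 200 88312',
    '10.0.0.77 - - [14/Feb/2005:09:05:40 -0500] "PUT /updates/0057F161/update.zip HTTP/1.1" 200 0',
    '10.0.0.77 - - [14/Feb/2005:09:05:41 -0500] "PUT /updates/0057F161/update.ini HTTP/1.1" 204 0',
    '10.0.0.77 - - [14/Feb/2005:09:06:02 -0500] "DELETE /updates/0057F162/update.ini HTTP/1.1" 405 0',
    '10.0.0.9 - - [14/Feb/2005:09:07:00 -0500] "PUT /other/file HTTP/1.1" 201 0',
]

if __name__ == "__main__":
    for ip, method, path, status in accepted_writes(find_write_requests(SAMPLE_LOG)):
        print(f"ALERT {ip} {method} {path} -> {status}")
```

Point the script at the real request log after the 2.1 upgrade: the PUT lines should stop returning 2xx, and `put_allowed` against the server's OPTIONS reply should be False.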
AV-Comparatives.org results
AV-Comparatives' regularly scheduled antivirus scanner test results are available.
http://www.av-comparatives.org/seiten/ergebnisse_2004_02.php
What does it really mean? I don't know. Does it matter that one scanner detects a bunch of zoo viruses (viruses not in the wild) that another scanner misses? I don't think so.
After looking at the scan results, I had a bunch of questions about their methodology. Fortunately they have written up how they went about this. I found that more interesting than the actual results. Very cool.
IM Security Challenge
Instant Messaging presents the same vulnerabilities as email, yet it is not protected in nearly the same manner. Corporations have dumped money on preventing email viruses but every other port is left untamed.
Potential Problems:
1. Application attacks. Such attacks are possible if IM client software is not kept up to date. Generally speaking, companies stay on top of Microsoft patches, but not as many patch their other applications. Since IM is generally ad hoc and user-installed, it is not likely to be kept up to date.
2. Viruses sent via file transfers. There are many viruses, such as Bropia, that spread through IM networks and have affected corporate customers.
3. Spam (SPIM). Spam to IM accounts is fairly easy to control: don't accept IMs from people not on your buddy list.
4. URLs. This is where a link to an exploit or virus is sent.
Solutions:
1. Ban IM. It can be blocked at the firewall, but you may find yourself looking for a new job if you choose to implement that solution.
2. Implement an internal IM server with antivirus, such as Microsoft LCS with Sybari Antivirus for IM. With LCS SP1 coming out this spring you can force Yahoo and AIM users to go through your server so that public traffic is protected.
3. Implement IMLogic to hijack public IM sessions so you can scan and control IM traffic.
Security Attitudes and Firewall Traversal
An employee writes to a company helpdesk complaining that he cannot access a site. The URL was sent to him by the vendor to be used to register software. When he attempts to go to the URL he gets blocked by Websense. (Websense is an industry leading web filtering/ web security company. Corporations use their block list to prevent employees from accessing disallowed sites). He writes to the helpdesk “No biggie, I will just login to my AOL account and bypass company policy. That will make it easier.”
I’d forgotten that the AOL client basically acts as a VPN and allows users to bypass corporate policy.
The kicker is that the URL actually produces a 404. I suspect that the user has spyware loaded locally that redirects 404s to a specific webpage, and it is that page that is on the block list.
Windows Firewall under fire
I started the morning with a quick glance at the blog headlines. Donna’s Security Flash has a headline “Windows Firewall has a backdoor”. Donna is an MVP, presumably in security, judging by the name of the blog.
The blog entry contains a link to a discussion on Bugtraq. It seems someone has reported that if they add a new key to HKEY_LOCAL_MACHINE/SYSTEM/Services/SharedAccess/Parameters/FirewallPolicy/StandardProfile/AuthorizedApplications/List they can “circumvent” the firewall. I have no doubt that this will be picked up by the usual Microsoft-hating press, e.g. news.com and The Register. Of course, reading Bugtraq would require real work. They likely won't pick up the story until after it appears on Slashdot.
Others quickly replied to debunk this story. “This is not a backdoor or vulnerability. The default permissions on this key are Full Control for SYSTEM and Administrators and Read for Users. The Administrator should be able to configure the firewall to allow programs to connect outbound.”
Another reply from a Pivx employee “having an exception list is not a back door”. Basically any time you run code as administrator there is no limit to the damage that you can do. This is true with any software.
He went on to say that at the Black Hat 2004 Briefings in Las Vegas, Eugene Tsyrklevich gave a presentation called “Attacking Host Intrusion Prevention Systems” in which he demonstrated on stage how to completely circumvent McAfee Entercept, a behavioral host-based protection product which tries to limit the actions of malicious code once it is already running on the machine.
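Since the key is writable only by SYSTEM and Administrators, the practical control is to audit what is in it. The following is an added example, not code from the blog or from Microsoft: it parses exported AuthorizedApplications\List values (the path:scope:state:name layout is an assumption from XP SP2 exports) and reports enabled exceptions that are absent from a baseline or point into user-writable directories; the entries and baseline are constructed.

```python
import re

# Value data format under ...\FirewallPolicy\StandardProfile\AuthorizedApplications\List
# on XP SP2 (assumption based on exported values, not taken from the page):
#   <full path>:<scope>:<Enabled|Disabled>:<display name>
ENTRY_RE = re.compile(r"^(?P<path>.+?):(?P<scope>[^:]+):(?P<state>Enabled|Disabled):(?P<name>.*)$")

# Locations an ordinary user can write to; an exception pointing here deserves a look.
USER_WRITABLE = ("c:\\documents and settings\\", "c:\\temp\\", "c:\\windows\\temp\\")

def parse_entry(data):
    """Split one value's data into (path, scope, enabled, name); the path contains ':'."""
    m = ENTRY_RE.match(data)
    if m is None:
        raise ValueError(f"unrecognised exception format: {data!r}")
    return m["path"], m["scope"], m["state"] == "Enabled", m["name"]

def audit(entries, baseline):
    """Return (path, scope, reasons) for enabled exceptions that are missing from the
    approved baseline or live in a user-writable directory, sorted by path."""
    approved = {b.lower() for b in baseline}
    findings = []
    for data in entries:
        path, scope, enabled, _name = parse_entry(data)
        if not enabled:
            continue  # a disabled entry opens nothing
        p = path.lower()
        reasons = []
        if p not in approved:
            reasons.append("not in baseline")
        if p.startswith(USER_WRITABLE):
            reasons.append("user-writable location")
        if reasons:
            findings.append((path, scope, reasons))
    return sorted(findings)

# Constructed sample data: a baseline captured from a clean build and the
# current list exported from a machine under review.
BASELINE = {r"C:\Program Files\Messenger\msmsgs.exe"}
CURRENT_LIST = [
    r"C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger",
    r"C:\Program Files\Acme\updater.exe:LocalSubNet:Enabled:Acme Updater",
    r"C:\Program Files\Remote\helper.exe:*:Disabled:Remote Helper",
    r"C:\Documents and Settings\jsmith\Local Settings\Temp\svchost.exe:*:Enabled:svchost",
]

if __name__ == "__main__":
    for path, scope, reasons in audit(CURRENT_LIST, BASELINE):
        print(f"{path} (scope {scope}): {', '.join(reasons)}")
```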
Malware takes a nasty turn
Computerworld has an article quoting Microsoft as saying spyware and malware are beginning to use rootkits more. Currently malware is relatively easy to find. Most is as vanilla as looking in the Run key in the registry. Spyware takes advantage of many places to start from that the typical user, and even many admins, weren’t aware of until they began battling spyware. Rootkits go deeper than that, possibly even modifying the kernel. This brings a new urgency to the advice to reload your system if compromised!
On the same subject, Microsoft Research has a paper on detecting rootkits that is an interesting read.
Microsoft document downloads
Why is it that every time you want to read a document from Microsoft, they wrap it up in an EXE file? I’ve read somewhere that this is so they can digitally sign the EXE to prevent content spoofing. I guess that is an indication of how little trust they put in digital signatures attached to Word documents.
Exploit Code Too Prevalent?
Microsoft complained this week about “security” companies publishing exploit code for its vulnerabilities. It was once common to publish proof of concept code as a method of proving a vulnerability exists. This goes beyond that. These companies that have received credit for holding off public announcement of the vulnerability until a patch is available, then release exploit code at the same moment Microsoft releases the patches.
Administrators have not yet had time to do any due diligence on the patches. Even if they deployed patches without any testing, roll-outs at large organizations take time.
This exploit code is widely available. It's not like the olden days when you had to know where to look. Now every script kiddie has five copies of the code at their disposal, and the administrator has it too. This exploit code is then expanded on to create a worm.
Sometimes exploit code is neat. It gives a solid demonstration that encourages people to patch. Releasing this code publicly at the same time the patches are released is reprehensible. Why help the virus writing incubation period?
SAIC Break-in Nets Employee Records
http://www.washingtonpost.com/wp-dyn/articles/A17506-2005Feb11.html?nav=rss_technology
A smash and grab operation stole computers from an administrative SAIC building. The stolen information included names, Social Security numbers, addresses, telephone numbers and records of financial transactions. It was stored in a database of past and present SAIC stockholders. It is not known if the data on the computers was encrypted.
Physical security cannot be neglected.
Oh you wanted updated virus defs?
It's amazing the number of companies that are willing to take your money and sell you antivirus software, but when it comes to providing virus definition files, that costs them money, so they are a little bit more reticent.
Kaspersky is one exception to this. They seem to have updates available on an hourly basis. While there is a slightly greater chance of a false positive, there is also a greatly reduced chance that a virus will slip through because an update wasn’t available for it yet.
When you are a customer of Symantec, you have two methods of updating: LiveUpdate into Symantec, and manually downloading the Intelligent Updater and running it. I don’t think too many people are aware of the scripts available to download the Intelligent Updater. But that’s an unsupported solution, so I’m not going to give them any credit for offering it.
Time after time, customers who rely exclusively on Symantec for antivirus protection have been burned. They must rely on antiquated defense mechanisms such as blocking file types at the mail gateway and disabling file associations for pif, vbs , etc on the desktop.
So what does Symantec do to resolve this problem? Do they innovate in antivirus software so their product is not so dependent on virus definitions? No, McAfee is leading the way in that area. Do they speed up their release of LiveUpdate? Well, in a way. Their “Platinum” customers (read: those with deep pockets) now have access to LiveUpdate Plus. This uses LiveUpdate servers available only to Platinum customers to send Intelligent Updaters every day.
So now customers can pay a premium to get daily virus defs. But others are left out in the cold to fend for themselves.
It reminds me of a Seinfeld episode where he is at the rental car counter complaining that they can take the reservation, but they can't seem to actually reserve a car for him. Symantec can take our money for antivirus software. But when it comes to virus defs in a timely manner, they can't do it. That would hurt the bottom line. I hate to say it, but every time Symantec fails to protect its customers, reporters write about a virus that is running wild, and Symantec’s stock price goes up. The reporters don't write about the failure to protect.