Hacker Toolkit Cloaks Browser Exploits
Plus: Yahoo! e-mail addresses getting rejected by U.K. site, and yet another Microsoft exploit -- this time for PowerPoint.
- By Russ Cooper
- December 04, 2006
A side-project to the Metasploit project called eVade o’Matic Module
, or "VoMM," has sprung up. It purports to provide tactics to obscure browser exploit attempts via a variety of methods, including various types of randomization as well as function pointer obfuscation. The goal of the project is to evade signature-based security products, such as anti-virus and IDS.
It's always a difficult discussion when one considers research projects intended to bypass security measures. Obviously, such research is, if nothing else, going to publicize methods of attack which are, or may not be, commonplace today. That alone may well mean we'll see more sophisticated attacks than we are currently. Of course, the researcher’s argument has always been: "If I can create this, then so can the bad guys." While somewhat true, that precludes the possibility that the research project actually comes up with better ways than those currently employed by the bad guys.
In the case of VoMM, the obvious motivation would be to do away with "signature-based" detection mechanisms. The authors' boast about defeating all of the AV products run by VirusTotal is clear -- signature-based detection mechanisms don’t work sufficiently to detect browser exploitation formulated as they have.
Luckily, such attacks are not currently commonplace, but even if they were, consumers would still likely opt for signature-based detection versus heuristic detection mechanism, as the latter requires more resources and generally creates more false positives.
VoMM is likely to lead to at least one new exploit, or one that is more successful than it would have been prior to VoMM’s publication. It may well push some AV vendors to do less signature-based detection, but more likely it will result in more people being affected by criminal browser-based attacks prior to the offending site being taken offline. No doubt VoMM’s authors have a comment in defense of their actions.
Identity Theft Warning Issued for Yahoo E-Mail
According to credit reporting business Checkmyfile, U.K. e-commerce companies are seven times more likely to have to refund a purchase when the purchaser's e-mail address is yahoo.co.uk, yahoo.com or hotmail.co.uk.
Given that tens of millions of people use these services as their primary e-mail address, it would appear to be a rather harsh suggestion to say that e-commerce companies should outright refuse to sell to customers with such addresses -- yet it appears that Checkmyfile is suggesting that.
Most home users are typically given an e-mail address together with their ISP’s subscription. That address is often quickly overrun with spam as the new Internet navigator sends messages allowing the user's e-mail address to become known. The use of the large, free Web-based e-mail services quickly becomes the only reasonable way of frequently changing your e-mail to reduce spam.
While it’s reasonable to believe Checkmyfile’s contention, it’s equally reasonable to believe that e-commerce companies can’t simply stop selling to such customers. Instead, possibly more scrutiny -- for example, in the form of ensuring that the customer’s ship-to address matches their bill-to address with the credit card used, or contacting the customer by phone -- is required prior to shipping to such customers.
In any event, this information is going to put some pressure on the large Web-based e-mail providers to do something to ensure that their good customers don’t become derided by Internet businesses.
Proof of Concept Published for Office 2003 PowerPoint
Yet another malformed Microsoft Office document has the potential to run code of the criminal’s choice when opened. A proof-of-concept was posted publicly on Oct. 12 that creates the malformed PPT file when run. The file, when loaded, looks to control the flow of code execution such that another criminal could insert their own shellcode to get it to do whatever they wanted. Patches are as yet unavailable, although Microsoft is aware of the problem.
One has to wonder why Microsoft has not yet incorporated sufficient parsing code in its Office document open routines to ensure they are opening a properly formed document. The continuous onslaught against these routines are becoming quite tiresome and repeatedly show that Microsoft is not capable of identifying properly formatted documents from garbage.
It also appears that there is a bevy of such vulnerabilities in Office products and they are being loosed in a dribble. Given the difficulties in getting Office products updated in a domain, it’s time for Microsoft to make a more concerted effort to stop them.
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.