Realplayer Vulnerability

Published: 2008-01-04. Last Updated: 2008-01-05 20:13:55 UTC
by Scott Fendley (Version: 5)

Good morning everyone,

Earlier this week, Evgeny Legerov reported a vulnerability involving Real Player which could allow an attacker to execute code on victim computers. At the moment there is no patch or other workaround for this vulnerability, though I would expect that limiting end-user privileges would limit the potential risk.

Until an update is available, I recommend that you limit viewing of multimedia content with Real Player. It would be worthwhile to plan on adding this future update to the mix with any operating system updates that are scheduled to be released soon.

For more information on this vulnerability, please see:

http://secunia.com/advisories/28276/
http://www.frsirt.com/english/advisories/2008/0016

Update 15:10 UTC:  While you're at it, consider blocking access to uc8010-dot-com. If you do a Google search for this domain, you'll understand why: a lot of injection of a malicious 0.js from this domain is currently going on, and plenty of web sites appear to contain this booby trap. One of the IFRAMEs fetched from this site, the file "r.htm", contains a RealPlayer exploit. It is still the one from last month (www.kb.cert.org/vuls/id/871673), but if they happen to re-tool to the new vulnerability, things might get ugly.

Update 16:30 UTC:  One of our readers noted that a number of state government and educational sites appear to have been compromised with the uc8010 domain. Upon review, I see that some of these have already been cleaned up. However, the .gov and .edu sites are only a few of the many, many sites that turn up via Google searches for the uc8010 domain. As that domain was only registered as of Dec 28th, the compromises of these websites probably occurred in the past week.

I recommend that our readers check via Google whether their site shows any references to uc8010. Alternatively, look on your web servers for any unauthorized changes to web pages in the past week.

Update 00:30 UTC 5 JAN 08:  It looks like there is another domain hosting a similar script. In addition to uc8010, check your flows for "ucmal.com".

Update 17:52 UTC JAN 08:  We have received reports of embedded script links to ucmal on MySpace. It is probably safe to assume that other social networking sites have it as well.
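As an added example (not part of the diary), the web-server check described above as a script: it walks a web root, skips files not modified in the last week, and reports script or iframe tags whose src points at the domains named in this diary. The sample page, the file extensions scanned and the seven-day window are assumptions.

```python
import os
import re
import time
import tempfile

# Domains named in the diary (constructed check list; extend as needed).
SUSPECT_DOMAINS = ("uc8010.com", "ucmal.com")

# script/iframe tags, capturing their src attribute
TAG_RE = re.compile(r"<(script|iframe)\b[^>]*\bsrc\s*=\s*['\"]?([^'\" >]+)", re.IGNORECASE)

def injected_refs(html, domains=SUSPECT_DOMAINS):
    """(tag, src) pairs whose src points at one of the suspect domains."""
    return [(tag.lower(), src) for tag, src in TAG_RE.findall(html)
            if any(d in src.lower() for d in domains)]

def scan_webroot(root, days=7, domains=SUSPECT_DOMAINS):
    """Map path -> hits for web files changed in the last `days` days
    (the 'unauthorized change in the past week' check from the diary)."""
    cutoff = time.time() - days * 86400
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith((".html", ".htm", ".php", ".js")):
                continue
            path = os.path.join(dirpath, name)
            if os.path.getmtime(path) < cutoff:
                continue                      # untouched this week: skip
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                hits = injected_refs(fh.read(), domains)
            if hits:
                findings[path] = hits
    return findings

# Constructed sample page: one injected hidden iframe, one legitimate script.
SAMPLE_PAGE = ('<html><body><h1>Welcome</h1>'
               '<iframe src="http://uc8010.com/r.htm" width=0 height=0></iframe>'
               '<script src="/js/site.js"></script></body></html>')

def scan_sample():
    """Write SAMPLE_PAGE into a temporary web root and scan it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_PAGE)
        findings = scan_webroot(root)
    return [hit for hits in findings.values() for hit in hits]

if __name__ == "__main__":
    print(scan_sample())
```

Point `scan_webroot` at a real document root to get a path-to-hits map; a substring match on the domain is deliberately loose so that subdomains and odd URL encodings still surface for manual review.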


Digital Hitchhikers Part Two

Published: 2008-01-04. Last Updated: 2008-01-04 02:51:08 UTC
by Marcus Sachs (Version: 1)

Several days ago David Goldsmith posted a diary concerning a digital photo frame that came with a value-added feature. Since then, two more readers have sent us notes concerning malware on digital photo frames that were purchased or received as Christmas presents last week. We've been in contact with the security team of the retail store chain where they were purchased as well as the product vendor, and both swear that no malware is on the units they are selling.

So, dear readers, here is your first project for the New Year. If you either purchased or were given a digital photo frame, a GPS unit for your car, an external hard drive, or any other device that connects to your computer via a USB cable and appears to your operating system as one or more mounted drives, please let us know via our contact form if you experienced any suspicious behavior that smells like malware. To give you an idea of what we are talking about, here are edited excerpts from the three notes we have received so far:

First notification. 

Behavior after attaching the USB digital photo frame to the PC:

1. MSCONFIG would not run - it would briefly open and then terminate

2. Blue screen when starting in safe mode

3. Many antivirus websites would result in browser terminating

4. Various popups for random name.exe "not valid image messages"

Using the CA AV2008 product, a new aggressive virus named Win/32Mocmex.AM was found on the photo frame (filename: kwjkpww.exe ). No detailed info on it is listed yet in their database.  (More information was later available at http://www.prevx.com/filenames/394470622808329496-0/KAWDHZY.DLL.html.)

Second notification.

The attached file is from a digital picture frame. This file was originally named "autorun.inf", was marked as a hidden, system file, and was located alongside the sample pictures shipped with the picture frame. The program file launched by this autorun was deleted, but is a variant of the trojan Win32/Agent virus. This file was also marked as hidden.

It did appear all seals were intact and the product was carefully wrapped when it was unpacked. However, I can't say for sure that this frame was not a victim of a prior connection.
 
The virus scanner I'm using tagged the virus .exe file "cfhskjn.exe" as shown in this log entry:

Threat Name: Trojan:Win32/Agent
Detection Date and Time: 1/1/2008 4:23 PM
File Name: G:\kwjkpww.exe
Threat Severity: Severe
Threat Category: Trojan
Threat found by On Demand Scan: (ANTIVIRUS_ONDEMAND)
Threat Status: Removed

so I'm thinking it was not the autorun.inf worm or "silly worm" as described in this link. Although I've not dug into this particular .exe code that was found on this frame, the classification as a Win32/Agent threat tells me it is not of a worm (self-propagating) type and behaves more as a Trojan threat.
 
Googling the name of the virus executable turns up three Chinese-language links. Using the Google Translate function, you get this web page from the first link:
 
http://tinyurl.com/28w8vc
 
which tells me this virus has been in circulation since at least Oct 30 of 2007.

Third notification.

I too connected a digital picture frame to my computer and received the nastiest virus that I've ever encountered in my 20-plus-year I/T career. The product vendor tells me it's not true; however, I know exactly what, how and when. The virus absolutely came from the frame. Is there any way to corroborate this?

This virus was indeed on the frame. It propagates to any connected device by copying a script, a .com file and an autorun file. It hides all system files and itself while completely eliminating the user admin ability to show hidden files. It creates processes that negate any attempt to go to antivirus and anti-spam web sites. It prevents the remote installation of any antivirus components. I was able to remove it by using the attrib command to unhide, then delete, the files, then run Symantec antivirus. I also manually deleted the files from my USB drive and the flash drive that I used to back up my data. I then had to long-format and rebuild my computer because I had no trust that it was safe.

I was using my computer the morning that it crashed without any troubles at all. I web-mailed and VPN-connected to my business network, which is FDA regulatory compliant and very secure. When I completed my work I then connected the picture frame and my system immediately went crazy. After this happened I ceased to use my system and went to a second computer where I your publication that reinforced my immediate conclusion.

By the way, I also received a digital photo frame for Christmas but have not had any problems with it other than the resolution totally sucks. But that's a subject for another diary some day. The GPS unit I bought in November mounts as a drive letter in Windows, but it too had no malware on it. We are pretty certain that this is not a widespread problem, but we need to know if others have experienced anything like this. Please use our contact form to report any observed malware-like behavior in any of these external devices you recently purchased or received as gifts. Please be sure to include information about the model name, where you bought it, and whether you've been in contact with the store or product vendor. We'll provide a summary in a few days with details on what was reported.

Many thanks to readers Edd, Larry, and Rick for bringing this issue to our attention.

Marcus H. Sachs
Director, SANS Internet Storm Center
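An added example, not from the diary or the readers quoted in it: an offline triage helper for the autorun.inf case the second and third notifications describe. It extracts every launch target from an autorun.inf, resolves each against the drive root and reports whether the file is present and carries the hidden/system attributes. The sample autorun.inf is constructed (only the executable name comes from the reader's note), and the attribute check works only on Windows.

```python
import os
import stat

LAUNCH_KEYS = ("open", "shellexecute")   # values that directly name the program

def parse_autorun(text):
    """(key, command) pairs from [autorun] that launch a program; keys matched
    case-insensitively: open=, shellexecute=, shell\\<verb>\\command=."""
    targets, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
            continue
        if not in_section or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        key = key.lower()
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append((key, value))
    return targets

def is_hidden_system(path):
    """HIDDEN or SYSTEM attribute set (False off Windows or if the file is missing)."""
    try:
        attrs = os.stat(path).st_file_attributes
    except (AttributeError, OSError):
        return False
    return bool(attrs & (stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM))

def triage_drive(drive_root):
    """Report each launch target of <drive_root>/autorun.inf: present? hidden/system?"""
    inf_path = os.path.join(drive_root, "autorun.inf")
    if not os.path.exists(inf_path):
        return []
    with open(inf_path, "r", encoding="utf-8", errors="replace") as fh:
        targets = parse_autorun(fh.read())
    report = []
    for key, command in targets:
        # first token is the program; a quoted path with spaces needs fuller parsing
        prog = os.path.join(drive_root, command.split()[0].strip('"'))
        report.append({"key": key, "program": prog, "present": os.path.exists(prog),
                       "hidden_system": is_hidden_system(prog)})
    return report

# Constructed sample; the executable name is one a reader reported.
SAMPLE_INF = ("[autorun]\nopen=cfhskjn.exe\nshell\\open\\Command=cfhskjn.exe /s\n"
              "icon=%SystemRoot%\\system32\\SHELL32.dll,4\n")
```

Run `triage_drive("G:\\")` (or whatever letter the device mounted as) on a machine with autorun disabled; a target that is present and hidden/system is exactly the pattern the readers had to clear with attrib before deletion.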

