Trojan smuggles out nicked blueprints as Windows Update data

Security watchers have uncovered a new highly targeted email-borne attack that uses a supposed conference invitation as a lure - and disguises extracted data as Microsoft Update traffic. The spearphishing attempts, which have been levied against several government-related organisations worldwide, try to use alleged unfixed …

COMMENTS

This topic is closed for new posts.
  1. TeeCee Gold badge
    WTF?

    "...alleged security flaws in Adobe software..."

    What's "alleged" about security flaws in Adobe software?

  2. Robert Carnegie Silver badge

    "Alleged" zero-day exploits

    The claim is that unknown, unpatched faults have been used in this hack. (One of them is enough.)

    However, it only requires that the victim hasn't installed the latest patches for the Reader.

    (Since usually this obliges them to reboot the PC, they may hesitate.)

    I've seen office computers still using Adobe Reader 8. That's pretty dumb. It isn't even supported any more. The latest bugs will -never- be fixed on version 8.

  3. This post has been deleted by its author

  4. eulampios

    @Robert Carnegie

    >>(Since usually this obliges them to reboot the PC, they may hesitate.)

    What a flawed piece of software both the Adobe Crap and Microsoft Windows are!!!

    Are you guys serious? You have to reboot your machine for every PDF viewer update?!!

  5. Anonymous Coward

    Security flaws in Adobe Reader...

    How does a document viewer contain security flaws?

    "Industry-leading security Take advantage of the security of Protected Mode in Reader, which helps safeguard your computer software and data from malicious code".

    Why do you need to put 'security' in the Document Viewer?

    http://www.adobe.com/products/reader.html

  6. Anonymous Coward

    Adobe 8 you say?

    Hell we have users running version 7. Granted it's the Pro product, but I doubt that helps any, in fact, I expect it makes it worse. :(

  7. Paul Crawford Silver badge

    Alleged?

    "...try to use alleged security flaws in Adobe software..."

    Really, is it not riddled with them?

  8. Anonymous Coward

    Steve Jobs Reaches from beyond the grave

    Contacts us via Ouija board and says "I told you so about Adobe"

  9. The BigYin
    Joke

    See, this is why one should use GNU/Linux!

    >Get me those files!

    You do not have permission.

    >sudo Get me those files!

    You are not in sudoers. This incident has been reported.

    >ln -s /usr/bin/sudo ./%s

    >./%s -D9

    >Get me those files!

    Why certainly, all my base are belong to you.

    See how much more secure than Windows that was?

    More info here.

  10. Vic

    > ./%s -D9

    ./%s: invalid option -- 'D'

    > See how much more secure than Windows that was?

    Indeed I do. Thanks.

    Vic.

  11. Chemist

    @Vic

    Same here

    OpenSUSE 11.4

    sudo version 1.7.6p2

  12. The BigYin

    FFS

    Did the "joke alert" pass you guys by and did you bother to read the link?

    v1.7.6sp2 is not affected. Yeesh.

  13. Chemist

    Sorry BigYin

    It didn't read like a joke

  14. The BigYin

    @Chemist

    Maybe not the best joke in the known Universe, no; but I figured some frothing-at-the-mouth fanboi would be along and I was trying to get in first and head them off.

    This does a much better job (based on this).

  15. Vic

    > did you bother to read the link?

    Yes, I did.

    > v1.7.6sp2 is not affected.

    I know. That's why I posted my output.

    I wanted to get that in before someone who had not read the link went around telling the whole universe that G/L was forever hopelessly borked...

    Vic.

  16. eulampios

    And your alleged exploit will not work for even the version 1.8 of sudo.

    And GNU/Linux or *BSD are much more secure than Windows in view of the incident under discussion:

    1) no one would need a p. of crap like Adobe Reader, people use evince, kpdf, xpdf or gv

    2) file extensions do not determine file permissions, contrary to Windows.

    3) security updates are quicker to arrive than for MS, where sometimes they might fail to reach the users; yum/aptitude/dpkg or suchlike are non-existent on MS Windows.

  17. Vic

    > And your alleged exploit will not work for even the version 1.8 of sudo.

    Errr - yes, it will. There are a number of versions where this exploit is real.

    There shouldn't be any still in the wild, though. Many distros aren't using a 1.8 version at all, and those that are should have patched it by now (Fedora certainly has; I haven't checked the rest) because I'm not that interested.

    Vic.

  18. eulampios

    Yes, mine is a different version too:

    ~$ sudo -V

    Sudo version 1.7.4p4

    I heard that it is possible to create an exploit not that it already exists. Can you please point me to such link or tell how to get from ~$ to root#, say, with "sudo -i". Thanks

  19. Anonymous Coward

    Why one should use GNU/Linux!

    $ ln -s /usr/bin/sudo ./%s

    $ ./%s -D9

    $ ./%s: invalid option -- 'D'

  20. Dan 55 Silver badge

    Disguised as Windows/Microsoft Update traffic

    Extremely hard to do unless the destination is microsoft.com, Shirley?

  21. Paul Crawford Silver badge
    Joke

    @Disguised

    Maybe it was MS doing the spying?

  22. Anonymous Coward
    FAIL

    @Dan 55: Nope !

    Windows update uses cheapo servers to pull the updates from. Just perform an update and then repeatedly do

    netstat -a

    in a cmd.exe window.

    You will see that the update servers' name does typically NOT end in microsoft.com. Instead (I assume) they use a cheap content distribution service, so that the actual name is something like

    msft08712.cheaperhosting.com.

    Of course, they change these servers every month, so have big fun to maintain a proper firewall whitelist or to even automatically check for malicious traffic. As always, MS cares about $$ revenue, and gives the middle finger when it comes to security. Even humans will be challenged to identify the windows update content distribution server names as being legitimate.

    Big-fat MS security FAIL, I would say.

  23. Gordon Fecyk
    WTF?

    OK how is this Microsoft's fault, really?

    "[msft08712.cheaperhosting.com] Of course, they change these servers every month, so have big fun to maintain a proper firewall whitelist or to even automatically check for malicious traffic."

    They use Akamai, but that's beside the point. The domain is the same (windowsupdate.microsoft.com) even if this is an alias that points to a distribution network. Or they'd have a hard time updating PCs with updated Windows Update software to point it to new servers.

    "OH NO IT USES ADOBE EXPLOITS AND DISGUISES ITSELF AS WINDOWS UPDATE IT HAS TO BE MICROSOFT'S FAULT!!!!!111!!1ONEONE"

  24. Anonymous Coward
    FAIL

    @OK how is this Microsoft's fault, really?

    If the IP of the content distribution server does not reverse-resolve to XXXX.microsoft.com, firewall administrators will have a hard time discriminating the traffic of a virus infection from that of windows update.

    If Microsoft were serious about security, they would not use a plain Akamai (or any other content distribution service), but use a service which would reverse-resolve to a proper microsoft domain. Maybe that would imply that MS itself would do the content distribution, but that is the price of proper security...

    As a security-conscious firewall admin, I always must assume anyone with a valid credit card number can buy webspace with Akamai or similar companies.

    At least, Microsoft could use the same set of Akamai addresses for all of their update traffic, but apparently it changes all the time. So I stand by my characterization of a big MS FAIL here.

  25. Gordon Fecyk
    Thumb Down

    So you blame MS for you not doing your job?

    "At least, Microsoft could use the same set of Akamai addresses for all of their update traffic, but apparently it changes all the time. So I stand to my characterization of a big MS FAIL here."

    Or maybe you, the supposedly security-conscious admin, could restrict WU traffic to a single WSUS server and use that to deploy updates, then block the domain from other clients at your proxy level or whatever device you have for managing web traffic. WSUS is free with Windows Server.

    Take some ownership already. Or are you going to blame MS for not teaching you how to use your non-MS firewall or web filter or whatever?

    But no matter, you and the rest of the crowd here will find some way to pin this on them no matter what rational solutions I could possibly come up with.

  26. Anonymous Coward

    never been an admin, have you.

    If I set up WSUS to point to a single (currently valid) microsoft update server, and they change it, what are the chances they'll send me a note before they do this? zero, absolutely zero.

    Regarding your MS firewall, what DNS does it rely on to ensure that your connection to windowsupdate.microsoft.com ACTUALLY goes to a microsoft server and not any other server?

    So far, you haven't come up with any rational solutions, and it's not you, I don't think there are any rational solutions.

  27. Gordon Fecyk
    WTF?

    Sixteen years admining NT and variants; don't tell me I haven't earned my BS.

    "If I set up WSUS to point to a single (currently valid) microsoft update server, and they change it, what are the chances they'll send me a note before they do this? zero, absolutely zero."

    I don't seem to have such issues. I do run WSUS on a 200+ client multi-site network. Don't dare tell me I've never been an admin.

    "Regarding your MS firewall, what DNS does it rely on to ensure that your connection to windowsupdate.microsoft.com ACTUALLY goes to a microsoft server and not any other server?"

    WSUS packages are digitally signed.

    I only have the DNS root servers to rely on, along with the stability of DNS itself, just like you. DNS is soooooo flawed and subject to hacking, etc etc yet we keep using it. It's certainly not a MS product. Then again, digital signatures are also soooooo flawed and easily forged. We're doomed, I tell you, doomed!!!!!11!one

    "So far, you haven't come up with any rational solutions, and it's not you, I don't think there are any rational solutions."

    You saying LA-LA-LA-LA-I-CAN'T-HEAR-YOU doesn't mean the solution doesn't work. Or is the inline web proxy that does filtering by category, by application, by name, and so on not good enough, working in concert with a firewall router blocking un-proxied HTTP? Not mentioning brands but it's non-MS.

    If there are no rational solutions then we're all doomed, pack it in, disconnect from the internet, dismantle the internet as an abject failure. And it's all Microsoft's fault that all of these non-MS services, systems, and so on are a failure.

    Take. Some. Ownership. Blaming the biggest target is a coward's way out and doesn't solve the real problem. The internet itself is the real problem.

    http://vmyths.com/column/1/2001/4/4/

    But that's digressing. Take some ownership.
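    The signed-package point above is the check that still holds when the CDN hostname changes. As an added example (not code from this thread or from Microsoft), a PowerShell function that rejects an update package unless its Authenticode signature verifies and the signer's subject names Microsoft; the WSUS content path and the "O=Microsoft Corporation" subject match are assumptions to adapt locally.

```powershell
# Added example, not from the thread: trust the package's Authenticode
# signature rather than the CDN hostname it was fetched from.
# Assumptions: $Path is a .cab/.msu/.exe update file; Microsoft's code-signing
# certificate subject contains "O=Microsoft Corporation".
function Test-UpdatePackageSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 'Valid' means the signature verifies AND the chain is trusted on this host.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Reason = "signature status $($sig.Status)" }
    }

    $subject = $sig.SignerCertificate.Subject
    # A valid signature from some other publisher is still a rejection.
    if ($subject -notmatch 'O=Microsoft Corporation') {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Reason = "signer is '$subject'" }
    }

    return [pscustomobject]@{
        Path       = $Path
        Ok         = $true
        Reason     = "signed by $subject"
        Thumbprint = $sig.SignerCertificate.Thumbprint
    }
}

# Usage: report every package in a WSUS content folder (path is an assumption)
# that fails the check.
Get-ChildItem -Path 'C:\WSUS\WsusContent' -Recurse -Include *.cab,*.msu,*.exe |
    ForEach-Object { Test-UpdatePackageSignature -Path $_.FullName } |
    Where-Object { -not $_.Ok } |
    Format-Table Path, Reason -AutoSize
```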

  28. John Smith 19 Gold badge
    FAIL

    "malware also cunningly attempts to escape detection" ... "Windows Update utility."

    Windows Genuine Advantage?

    I wonder how many people switched off auto update as a result of that PoS.

  29. Anonymous Coward

    Ahh

    Windows - ever so secure!

  30. zaax
    FAIL

    Windows is so floored that any PC that has information on it that is likely to be of use to the enemy should not use windows.

  31. charlie-charlie-tango-alpha
    WTF?

    Eh? What does that mean in English?

  32. Anonymous Coward

    Re: English

    I think he wants to say "do not use Windows for confidential data processing".

  33. Anonymous Coward

    Methinks he confuses "floored" with "flawed". A problem I've noticed affects many English folks; as they don't pronounce their "R"s, they are often unaware that there are any, in certain words. Hence all the people who seem to think they have a chest of "draws" beside their bed.

  34. Tom 13

    Huh. Over here we have people who put extra 'R's into words:

    "Get me a glass of warter."

    "Have you done the warsh?"

    Maybe we need to get the two groups together.


Biting the hand that feeds IT © 1998–2018