Security Watch
VB 6 Can Come Visually Flawed
VBP files might not be as they seem. Plus: MySpace ad fix; Max Vision gets locked up.
An overly long detail field in a VB6 VBP file could allow code of the criminal's
choice to execute in the context of the victim user, according to this
article from SecurityFocus.com. Updates are not available.
Although VB6 is now nine years old, VB source files are all over the
Internet to help people learn how to program in VB. Current versions
of VB, via Visual Studio, still accept VB6 VBP files, which are converted as
soon as they are opened, so users may have a legitimate reason to obtain
VBP files from unknown sources. VBP files are plain text, so they should
always be opened in Notepad before being opened in VB to confirm their
contents are what you expect: a short list of Key=Value lines naming the
project's forms, references and settings. A criminally crafted VBP file
stands out immediately, because the overflow has to be carried in a single
field that is far longer than any legitimate value, typically padding
followed by the shellcode that carries out the criminal's intent.
If you must allow VB6 VBP files in your environment, ensure users are
made aware that they should be cautious. Exploit code has been published.
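The Notepad check above can be automated. The script below is an added example written for this column, not code from SecurityFocus or Microsoft; it parses the Key=Value layout of a .vbp file and flags any value that is implausibly long or contains non-printable bytes, which is what an overflow payload padded with shellcode looks like in a text file. The 260-character limit and both sample files are constructed assumptions for the example, and the field padded in the hostile sample was chosen arbitrarily, not taken from the advisory.

```python
"""Triage a VB6 .vbp project file before letting VB or Visual Studio open it.

Added example for this column, not code from the SecurityFocus advisory.
A .vbp is an INI-like text file of Key=Value lines, optionally under
[Section] headers.  A crafted file has to carry its padding and shellcode in
one of those values, so two cheap checks catch it: an implausibly long value,
and bytes that never belong in a project setting.  The length limit below is
an assumption for this example, not a figure taken from the advisory.
"""
import string

MAX_VALUE_LEN = 260        # assumption: longer than any real path or title in a project file
PRINTABLE = set(string.printable)


def parse_vbp(text):
    """Yield (line_no, section, key, value); key is None for a malformed line."""
    section = None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if not sep:
            yield line_no, section, None, line
        else:
            yield line_no, section, key.strip(), value


def find_suspicious(text, max_len=MAX_VALUE_LEN):
    """Return a list of (line_no, key, reason) for every line worth a human look."""
    findings = []
    for line_no, _section, key, value in parse_vbp(text):
        if key is None:
            findings.append((line_no, None, "malformed line without '='"))
            continue
        if len(value) > max_len:
            findings.append((line_no, key, f"value is {len(value)} chars, limit {max_len}"))
        bad = sum(1 for c in value if c not in PRINTABLE)
        if bad:
            findings.append((line_no, key, f"{bad} non-printable byte(s) in value"))
    return findings


# Constructed sample: what a normal project file looks like.
BENIGN_VBP = """Type=Exe
Form=Form1.frm
Reference=*\\G{00020430-0000-0000-C000-000000000046}#2.0#0#..\\..\\..\\WINDOWS\\system32\\stdole2.tlb#OLE Automation
Startup="Form1"
Command32=""
Name="Project1"
HelpContextID="0"
CompatibleMode="0"
MajorVer=1
MinorVer=0
RevisionVer=0
AutoIncrementVer=0
ServerSupportFiles=0
VersionCompanyName="Example Corp"
CompilationType=0
OptimizationType=0

[MS Transaction Server]
AutoRefresh=1
"""

# Constructed sample of the pattern the column warns about: one setting padded
# to thousands of bytes and followed by raw bytes.  This is filler, not the
# published exploit, and the field chosen here is arbitrary.
HOSTILE_VBP = (
    'Type=Exe\nForm=Form1.frm\n'
    'Description="' + "A" * 2000 + "\x90\x90\xcc\xcc" + '"\n'
    'Name="Project1"\n'
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_VBP), ("hostile", HOSTILE_VBP)):
        findings = find_suspicious(sample)
        print(f"{label}: {'clean' if not findings else 'REVIEW'}")
        for line_no, key, reason in findings:
            print(f"  line {line_no} ({key}): {reason}")
```

A hit is a prompt for a human to look at the file, not a verdict: a localized Description will trip the non-printable check harmlessly, and a clean result only says the file looks like an ordinary project file, not that it is safe.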
Bad Exposure on MySpace
According to content filtering provider ScanSafe, ads being served
on MySpace, Photobucket and other sites via banner ad provider RightMedia were laced
with criminal malware, using an iframe that attempted to serve up numerous
exploits. ScanSafe said it believed the ads had been running for at
least several weeks, suggesting that millions were exposed to them. One
Washington Post blogger wrote that the "attackers' code inserted into the hostile
ads was designed to recognize the difference between one of their ads served to a
regular Web site visitor and RightMedia's scanning servers."
The ads were allegedly delivered to RightMedia via a third-party
server. RightMedia claims to have mechanisms in place to scan ads for
malware, but ScanSafe claims the ads contained code that recognized when
they were being inspected by RightMedia's malware detectors and
delivered only the benign version to RightMedia.
Clearly there's a significant problem with the banner ad delivery
mechanism. RightMedia should not rely on its own detection systems
if those systems are not dynamic. It would be trivial for an ad to check
the requesting IP address against the ranges RightMedia scans from, for example,
and withhold the criminal content from the inspection systems; a scanner that
always arrives from the same addresses with the same client fingerprint is easy
to spot. Criminals have been hiding from systems that inspect code for years,
so this is hardly a new idea.
RightMedia said it could not control what happens elsewhere on the Internet,
but if it's going to deliver content, even content that it received from
a third party, then RightMedia must be prepared to accept responsibility
for whatever it is sending. That means the company should have stricter
contracts with those third parties to ensure it has some means of redress
in the event a criminal submits a Trojan to RightMedia, directly or not.
Maxed Out on Credit Card Theft
Max Butler, also known as Max Vision and several other online
names, has been arrested and charged with three counts of wire fraud and
two counts of transferring stolen identity information, according to this
report from ComputerWorld. This is the same guy who, in 2000,
was convicted of hacking into government computers and installing back
doors.
As I always say: once a criminal, always a criminal. In 2000, Butler
continually said he was innocent, and nothing more than a security researcher
trying to secure sites by discovering vulnerabilities and patching
them. He served 18 months in prison and got three years probation, and
it would seem that shortly after his probation was up he went right back
to doing what he knew best -- namely, breaking into computers. He now
faces up to 40 years in prison and could be fined up to $1.5 million.
Meanwhile, the site he frequented to exchange information with other criminals
has publicly stated that it's erasing all of the information and recommending
those that participated in the site do the same. We can only hope that
group is arrested for destroying evidence.
This column was originally published in our weekly Security Watch newsletter.
McKesson Loses Patient Info
McKesson, a health-care services company, had two computers stolen from
its offices. The company isn't sure how much patient information was on
either system or whether it was encrypted, says this article in
InformationWeek, so it is alerting everyone whose name may have been on
either. McKesson is providing free credit monitoring for one year to any
affected patient who requests it.
Think about how insecurely this patient data was being stored. Not only
does the company not know precisely what data was there (potentially
diagnoses, prescriptions and dosage information, as well as personally
identifiable details like addresses, birth dates and Social Security numbers),
it also doesn't know which computer the data was stored on, or whether it
was encrypted. One could argue that this is merely a record-keeping issue,
but more realistically it sounds like the company simply had no procedures
in place to ensure the patient data was safe. Don't let this happen to you!
About the Author
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.