This Month in the Threat Webscape - April 2010
Month of June
Security conferences are a great way to learn about what's on the cutting-edge, germinate and cross-pollinate ideas, and establish real-world relationships within the tight-knit community of white hat hackers. This past month, we presented at both EUSecWest in Amsterdam and SyScan in Singapore.
If you missed us there, not to worry, in just a few weeks we are presenting at Black Hat and DEF CON, both in Las Vegas. Come say hi to us!
Every major event and news item is followed very closely by exploiters looking to achieve some profit. It may be the death of a celebrity or a major event such as FIFA World Cup; the bad guys are always there. With the World Cup still ongoing, we continue to see targeted attacks of known zero-day pdf vulnerabilities, the infamous 419 scam letters, phishing attempts, and of course the more popular than ever Blackhat SEO scareware campaigns.
More than 100k popular Web sites were compromised last month with a mass injection targeting IIS using ASP.net platform. The attack came from Chinese IP addresses and the injected iFrame led to a Chinese-hosted domain http://www.ro[REMOVED]nt.us serving juicy Mal/Behav-290 malware. The majority of Web sites were cleaned up in matter of hours.
Apple, Inc. was accused of a data breach resulting in the loss of 100k email addresses and ICC-ID numbers. A few hours later the finger was pointed to the real miscreant. An AT&T designed and secured Web application allowed the Goatse hacker group to match ICC-IDs with email addresses used by iPad users to access their iTunes accounts. Observations? If you are a developer, carefully design and review for security and secure coding practices. If you are a hacker, do not irritate a giant without very good armor.
Web 2 dot uh oh
It seems like everyone on the Web today is trying to figure out how to leverage social networking tools (Facebook, Twitter) for "viral" marketing. Even the bad guys. This month, the baddies used a clever combination of social and technical tricks to increase their own reputation and get over 15,000 people to 'like' them on Facebook. The social-engineering trick started off with a lure (as they all do) to see the "best passport application rejection in history". Behind the scenes, an invisible Facebook 'like' button follows your mouse cursor, guaranteeing that you'll click on the Facebook 'like' button regardless of where you click on the malicious web site. The consequence of clicking the hidden 'like' button is that a link to this web site is posted on your Facebook profile for all your friends to see - and if they too click on it, the cycle repeats itself.
In a separate Facebook scam involving the lure 'Teacher nearly killed this boy', a rogue Facebook app requested permission to access the viewer's profile information, and permission to post content on the viewer's Facebook wall. Users who don't pay attention and simply click through to get to the video risk the safety of their Facebook friends should they click on something malicious that could be posted by the rogue app from the viewer's wall.
A persistent cross-site scripting (XSS) vulnerability was discovered on Twitter. You may recall a similar incident some time ago, but whereas the previous case involved the application URL, this time around it involves the application name.
A study by ISACA, an international organization that researches IT governance and control just published a research paper that listed viruses and malware, brand hijacking, and lack of control over corporate content as some of the top risks faced by companies using Web 2.0 social media tools.
Is that any surprise?
Browser & friends
Adobe made a big splash in the security market this month. New zero-day vulnerability (CVE-2010-1297) was discovered early in the month. A few days later PDF samples embedded with a SWF file exploiting the vulnerability were found in the wild. The samples spread as an email attachment. And then html pages with exploited SWF files arrived. The more convenient method has been used to attack customers. Details about the zero-day vulnerability can be found here.
In the middle of the month Adobe released a security update for Flash Player that fixes 31 vulnerabilities, including the zero-day vulnerability. At the end of the month Adobe released a security update for Adobe Reader and Acrobat to fix the zero-day vulnerability. You should update your Flash Player and Adobe Reader as soon as possible. Mozilla released 8 security advisories this month, several critical vulnerabilities were fixed in the recent Firefox update. A new feature called Crash Protection, also known as OOPP(Out Of Process Plug-ins) has been added to Firefox 3.6.4. With this feature, the plug-in process is isolated from the browser process. This makes the browser more stable because a plug-in crash should not affect the browser. Apple has patched 48 vulnerabilities for Safari and WebKit.
The two big events this month were Microsoft's busy Patch Tuesday, addressing 34 vulnerabilities, and a zero-day POC released by a Google security researcher.
Among the many fixes this month, Microsoft fixed the SharePoint XSS bug from April and a publicly disclosed data leakage vulnerability in Internet Explorer. Other vulnerabilities affect Windows, Office, Internet Explorer, and the IIS Web server.
Tavis Ormandy, a security researcher at Google, released a zero-day exploit in the Windows Help and Support Center that allows remote code execution. Tavis posted exploitation details to the Full Disclosure list just a few days after notifying Microsoft of the vulnerability. Microsoft released and discussed an advisory on the issue, including a workaround to disable the HCP protocol being exploited until a patch is released.
Hello ThreatSeeker. You've got mail!
Delivering Web sites as an attachment via email is a bit like snail-mailing someone a newspaper clipping when you can just send them the URL. As silly and inefficient as that may be, if the method delivers, then it's well worth it. And that's exactly what the malicious hackers did: deliver malicious Web sites as an attachment via email. In this incident, victims were told their computers were infected and that they needed to open the attachment "Virus Scan.html". This resulted in the computer downloading a malicious PDF and Java .jar file.
The bad guys also capitalized on the official launch of the much anticipated iPhone 4 by delivering scams via email and also posting them on Facebook. The lure enticed users with the chance of receiving a free iPhone 4 (yes, some offers on the Internet are just too good to be true. Always proceed with caution!)
Other assorted unhealthy snacks served up via email this month included the following themes:
- Reset your Twitter password - malicious link to fake AV
- FIFA World Cup South Africa... bad news - malware attachment in a "news.html" file
- Account verification (yeah, this one's subject line is boring in comparison) - malicious link to malware and exploits
- Notice of Underreported Income (masquerading as from the IRS) - malicious link to fake site and malware
Joanna Rutkowska, who is known for her work on virtualization security and low-level rootkits, is building a project named Qubes, which is an open-source OS meant to provide isolation of the OS components for better security.
At the Syscan'10 Singapore conference, security researchers from TEHTRI-Security published twelve zero-day flaws targeting five of the most common Web malware exploitation kits, such as Neon, Eleonore, Liberty, Lucky, and the Yes exploitation kits.
It was observed in a specific malicious spam campaign, that the malicious HTML file attachment used the same obfuscation algorithm as a known mass injection attack on the web.
This month's contributors:
- Lei Li
- Ulysses Wang
- Erik Buchanan
- Ivan Sabo
- Jay Liew