September 15, 2010

This Month in the Threat Webscape - August 2010

Jay Liew

Month of August 2010


Major hits

Mass compromises & infections 
Network Solutions, one of the oldest domain registrars in the world, was found to be serving up a malicious widget on its customers' Web sites. All sites that opted to display a "Small Business Success Index" widget were infecting their visitors. This includes sites not hosted by Network Solutions itself, such as Google Blogger accounts that installed the widget. Armorize has a more detailed analysis here, and pegged the number of compromised sites at a minimum of half a million (source: Google) or five million (source: Yahoo). It was also discovered that this widget is served up as part of the standard domain parking page for newly registered domains.

Web hosting companies Media Temple and Rackspace also found themselves compromised and accidentally serving up malicious code to their visitors.

DLL Hijacking 
Another tactic to infect users, dubbed "DLL hijacking", grabbed headlines this month. Basically, when you fire up an app in Windows (e.g. Microsoft PowerPoint), more often than not big apps search a series of locations for "helper" libraries to assist with the job. Knowing that the app will search for other libraries to execute, a bad guy can place a malicious binary in one of the locations the app searches, in an attempt to trick the app into loading the malicious file as if it were the correct library. This vulnerability has been added to Metasploit; check out this video to see it in action.
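One way to audit for the condition described above, as an added example that is not code from the original post: given a simplified, assumed search order and the trusted directory where a helper library is supposed to live, report any same-named file that sits in a directory searched earlier. The directory layout is constructed in a temp folder purely for the demonstration.

```python
"""Audit a Windows-style DLL search order for library shadowing.

Added example, not code from the original post. The directory layout below is
constructed with tempfile purely to demonstrate the idea: a library name that
the application expects to find in a trusted system directory also appears in
an earlier, user-writable entry of the search order (e.g. the folder the
document was opened from). Such a shadow is what a defender wants to detect.
"""
import os
import tempfile
from typing import Dict, List


def find_shadowed_libraries(search_order: List[str], trusted_dir: str,
                            expected: List[str]) -> Dict[str, str]:
    """Return {dll_name: directory} for every expected DLL found in a directory
    that is searched *before* trusted_dir (paths compared case-insensitively,
    as Windows does)."""
    shadows: Dict[str, str] = {}
    trusted = os.path.normcase(os.path.abspath(trusted_dir))
    for name in expected:
        for directory in search_order:
            here = os.path.normcase(os.path.abspath(directory))
            if here == trusted:
                break  # reached the legitimate location: nothing earlier shadowed it
            if os.path.isfile(os.path.join(directory, name)):
                shadows[name] = directory
                break
    return shadows


def demo() -> Dict[str, str]:
    """Build a constructed layout and return the shadow report."""
    root = tempfile.mkdtemp()
    app_dir = os.path.join(root, "Program Files", "App")
    downloads = os.path.join(root, "Users", "victim", "Downloads")
    system32 = os.path.join(root, "Windows", "System32")
    for d in (app_dir, downloads, system32):
        os.makedirs(d)
    # Legitimate helper library lives in the trusted system directory.
    open(os.path.join(system32, "helper.dll"), "wb").close()
    # A same-named file sitting in the folder the document was opened from.
    open(os.path.join(downloads, "helper.dll"), "wb").close()
    # Assumed, simplified search order: app dir, document dir, then system dir.
    order = [app_dir, downloads, system32]
    return find_shadowed_libraries(order, system32, ["helper.dll", "other.dll"])


if __name__ == "__main__":
    print(demo())
```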

iPhone Web drive-by exploit
Usually when we talk about drive-by exploits, it goes without saying that we're referring to something bad that is to be avoided. But what about people who intentionally try to get exploited by a drive-by, whether they understand it in those terms or not? Yes, we're talking about the much hyped JailbreakMe Web site for Apple's iOS. Basically, all you need to do is open your browser from your iOS device (iPad, iPhone, etc.) and visit the Web site. With just one click (or "swipe" on the touch interface), the Web site jailbreaks your device (using an exploit). The broader food for thought here is that whereas this Web site prompts for your permission to execute an exploit on your device to do things the owner consents to, the fact that this is technically possible (our research) in the first place opens the door to malicious Web sites that don't have to prompt you for permission to do malicious things on your device that you don't consent to.

In other news, watch out for malicious fake YouTube pages and malicious links that show up in Bing search results, both of which can lead to rogue or fake anti-virus software.


Web 2 dot uh oh

This month saw a huge increase in the number of abused and fake accounts being used for spam propagation, such as the fake Friendster.com accounts that seem to have been created over the course of a few days (blogged about here).

The threat of Web spam seems more real than ever as the world of Web 2.0 and the use of social networking sites becomes ever more popular.  Another way to look at it is that "it is really here to stay".


Browser and friends

At the Black Hat USA 2010 conference, researcher Charlie Miller presented an exploitable vulnerability in Adobe's PDF Reader. Adobe delivered an out-of-cycle patch in the middle of August to fix the CVE-2010-2862 vulnerability and another critical vulnerability. Adobe also released two security updates this month: one for Adobe Flash Player, which fixed six critical vulnerabilities, and the other for Shockwave Player.

A security update for QuickTime was released in early August, to plug a hole that allowed arbitrary code execution. At the end of August, a 0-day vulnerability in Apple's QuickTime player was discovered. The flaw affected the latest version of QuickTime (, an alert was published here.

Google released Google Chrome 5.0.375.127 with patches for 9 security holes. Google paid $10,011 to award those who reported the bugs.

Opera released the Opera 10.61 update, which fixed three vulnerabilities.



Microsoft had to send out an out-of-band update to patch the LNK vulnerability that was discovered last month. One week after that, Microsoft had a record "Patch Tuesday" that included 14 bulletins patching 34 vulnerabilities, eight of them critical. The patches affected Windows, Microsoft Office, Internet Explorer, SQL and Silverlight.

However, Microsoft is not alone in the game as Adobe had to patch 10 critical vulnerabilities in Flash Player, Flash Media Server, and ColdFusion.


Hello ThreatSeeker. You've got mail!

This month in the email space saw some of the usual suspects come around again. There were spoofed Microsoft emails that tried to get users to download a spam bot executable. The attackers tried to make recipients of these emails believe that they needed to patch their systems against a dangerous 0-day attack. We also saw a large spike in malicious spam that used various subjects which looked personalized as a social engineering trick to entice recipients to open malicious attachments in emails.

For attackers, every day is tax day, as they continued their tax-themed social engineering tricks. This campaign of emails contained variants that told of under-reported income warnings or higher tax bracket notifications. These messages contained either a link to a malicious executable or an attachment.

Perhaps the most interesting trend this month was spam that impersonated many different brands. This technique is nothing new, but how it was being used was a bit new. With these messages, we saw the use of malicious links that were meant to download and install Rogue AV software on victim computers. This is a bit new, as most attacks involving Rogue AV have used Blackhat SEO as their attack vector.


Security Trends

60GB of accounting data for social networking sites, bank accounts, credit card numbers, and intercepted emails were stolen by a mini ZeuS botnet dubbed Mumba. Thirty-three percent of the infected users are based in the U.S., followed by 17 percent in Germany, and 7 percent in Spain.

The first SMS Trojan for Android OS has been detected as Trojan-SMS.AndroidOS.FakePlayer.a spread in Russia. For now, the Trojan only causes losses for Russian users, and as far as we can tell, it’s currently not being spread via the Android Marketplace.

An interesting PHP injection has been found by researchers. The script uses the User-Agent field as the deobfuscation key, and the injected PHP script contains multiple eval() calls, each of which uses a different deobfuscation key.
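A triage check for that shape of injection, as an added example that is not code from the original post or the researchers who found the sample: it does not execute PHP, it only flags source text that combines several eval() calls with a read of the User-Agent header. The two PHP snippets are constructed stand-ins, not the real injection.

```python
"""Triage scanner for PHP injections that key deobfuscation on the User-Agent.

Added example, not from the original post. It does not execute any PHP; it
flags source text whose shape matches the described technique: several eval()
calls, each with its own decoding key, plus a read of $_SERVER['HTTP_USER_AGENT'].
The two PHP snippets below are constructed samples, not the real injection.
"""
import re
from typing import Dict

EVAL_RE = re.compile(r"\beval\s*\(", re.IGNORECASE)
UA_RE = re.compile(r"\$_SERVER\s*\[\s*['\"]HTTP_USER_AGENT['\"]\s*\]", re.IGNORECASE)
DECODE_RE = re.compile(r"\b(base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(",
                       re.IGNORECASE)


def triage_php(source: str) -> Dict[str, object]:
    """Return counts plus a verdict. 'suspicious' means eval() is chained and
    keyed on request data, which a static scanner cannot unpack on its own."""
    evals = len(EVAL_RE.findall(source))
    uses_ua = bool(UA_RE.search(source))
    decoders = len(DECODE_RE.findall(source))
    suspicious = uses_ua and evals >= 2
    return {"eval_calls": evals, "user_agent_keyed": uses_ua,
            "decoder_calls": decoders, "suspicious": suspicious}


# Constructed sample: the shape of a UA-keyed, multi-layer eval injection.
SUSPICIOUS_PHP = r"""<?php
$k = $_SERVER['HTTP_USER_AGENT'];
$a = base64_decode("...");
eval(xorit($a, substr($k, 0, 8)));
eval(xorit(base64_decode("..."), substr($k, 8, 8)));
?>"""

# Constructed sample: ordinary template code that merely logs the User-Agent.
BENIGN_PHP = r"""<?php
error_log($_SERVER['HTTP_USER_AGENT']);
echo "<html>...</html>";
?>"""

if __name__ == "__main__":
    print(triage_php(SUSPICIOUS_PHP))
    print(triage_php(BENIGN_PHP))
```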

The United States edition of the second annual International Barometer published by Panda Security showed that 46 percent of U.S. small- and medium-sized businesses (SMBs) have fallen victim to cybercrime, up two percent from last year's survey. The group surveyed nearly 10,000 SMBs around the globe and more than 1,500 in the United States.

Innocent companies with good reputations are targeted by identity thieves looking for valid certificates to provide to malware authors. Many of these scams are deliberately set up to make it very difficult to verify that a certificate request purportedly coming from a company is genuine. This should give us all serious concern about the trustworthiness of code signing in general.

This month's roundup contributors:

  • Saeed Abu-Nimeh
  • Lei Li
  • Ulysses Wang
  • Chris Astacio
  • Amon Sanniez
  • Matthew Mors
  • Jay Liew
