This Month in the Threat Webscape - February 2010
Microsoft's Ninemsn, one of the most visited portals in Australia (Alexa rank 573), was compromised and injected with malicious code. The malicious code was identified to be part of the Gumblar mass injections. Another regional high profile compromise victim was Bollywood Hungama's Web site, a leading entertainment site (Alexa rank 1592).
There was no shortage of blackhat SEO campaigns this month. Bad guys continue to game Google to get their malicious links to rank high on search results for hot topics, such as the Olympics, the Chilean earthquake / Hawaiian tsunami, the Bloom Box breakthrough technology, and Canadian figure skater Joannie Rochette. Clicking on these infected search results would lead to the usual rogue AV malware with low anti-virus detection rates (video). In the case of the earthquake in Chile, the malicious search results actually led to a PDF file.
A bot network dubbed "Kneber" (Zeus variant) was recently uncovered, stealing financial data and online banking transactions from numerous government and commercial entities.
Web 2 dot uh oh
Google Buzz sent the media abuzz when it launched, complete with the controversial integration with Gmail and attendant privacy concerns. Barely two days after the launch, there was evidence that spammers had already latched on to this new medium for sharing information.
A rogue Facebook app with a "viral marketing" component was discovered, where users are enticed into clicking a link titled "Who is seeing your profile?" The user is then led through a series of step-by-step instructions that help propagate the app, without realizing what they are actually doing.
Thousands of Twitter users fell for a phishing attack, including some notable victims from the UK, such as the Press Complaints Commission, a BBC correspondent, the Guardian's head of audio, the UK's environment minister, and even a bank.
Browser and friends
Adobe is still fighting the vulnerabilities in its products. In February, Adobe delivered a security update for Adobe Flash Player. Two vulnerabilities were fixed, including a critical one (CVE-2010-0186) that could subvert the domain sandbox and allow unauthorized cross-domain requests. Adobe also released an out-of-band security update for Adobe Reader and Acrobat, ahead of the company's usual patch schedule; two critical vulnerabilities were patched, including CVE-2010-0186 (just mentioned). Lastly, a critical vulnerability in Adobe Download Manager has been patched. This one could potentially allow an attacker to download and install unauthorized software onto a user's system.
Adobe's products were the most targeted in 2009, according to ScanSafe's report. Malicious PDF files comprised 56% of exploits in Q1 2009, growing to 80% by Q4 2009, while Flash exploits dropped from 40% to 18%. The fact that over 90% of PCs have Adobe products installed, and that most of those installed versions are outdated, may be one reason why Adobe is the most targeted vendor.
Mozilla has removed two experimental Firefox add-ons that turned out to contain Trojans: version 4.0 of Sothink Web Video Downloader, and all versions of Master Filer. By then, however, each had already been downloaded more than 4,000 times. Mozilla also released fixes for five security holes, including three critical vulnerabilities.
A Blackhat DC Presentation demonstrated a data leakage vulnerability that allows an attacker to read any file on a default installation of Internet Explorer on Windows XP (see MS advisory). As we reported, Microsoft's Ninemsn Australia site was compromised by Gumblar, adding to this month's web problems for Microsoft.
This month's Patch Tuesday was another big one, with 13 security bulletins addressing 26 vulnerabilities. These include vulnerabilities in DirectShow, the SMB client, and the Windows Shell handler, along with new kill bits and other fixes. Find more discussion from the MSRC team here. A number of companies reported experiencing the infamous Blue Screen of Death when applying the MS10-015 update, which Microsoft confirmed in a blog. However, it turned out that the affected machines were already infected with a rootkit called "Alureon", which was actually causing the problems. What started out as a bad Windows patch turned out to be a free malware scan!
Hello ThreatSeeker. You've got mail!
Our good friend Zeus is continuing his run around the block. However, we found a twist in this month's spam. Attackers seem to have used Zeus kits to target government and military personnel in the US and UK. One campaign pretended to be from the National Intelligence Council. It enticed victims to download a document about the "2020 project". Another targeted CIA personnel, luring them to download a Windows "update" against an attack. In both cases, victims who fell for the trap found their machines infected with the Zeus malware.
In other news, we also saw an interesting malicious campaign against all you Google fans who have applied for employment with the company.
Apple has fixed five documented vulnerabilities in iPhone OS 3.1.3 and iPhone OS 3.1.3 for iPod touch. These vulnerabilities expose iPhone and iPod touch users to malicious attacks when they open audio and image files.
The detailed and publicly obtainable financial data on Blippy could come in handy for spammers if they manage to obtain the email addresses of Blippy users.
The Breach Report for 2010 states that, based on the analysis performed in its authors' forensic investigations, 40% of all the attacks relied on SQL injection, with another 20% based on a combination of SQL injection and malware.
A new banking Trojan used by cyber-criminals to steal financial credentials from banks in the United States has been intercepted by malware hunters at SecureWorks.
And finally, Dancho Danchev has published a blog on the top 10 things you don’t know about the Koobface gang.
Thanks to the following contributors for this month's roundup:
- Ulysses Wang (Security & Technology Research)
- Jay Liew (Security & Technology Research)
- Lei Li (Security & Technology Research)
- Erik Buchanan (Security & Technology Research)
- Chris Astacio (Security & Technology Research)