August 12, 2010

This Month in the Threat Webscape - July 2010

Jay Liew

Month of July
This month the world saw the Microsoft Windows LNK shortcut flaw bring a smile to black hat hackers running Stuxnet, Chymine, Vobfus, Sality and Zeus, as they quickly updated their malware to leverage the vulnerability. In addition, we'll talk about banking Trojans piggy-backing on social-networking sites, the YouTube XSS vulnerability, malicious browser add-ons, brand-jacking, and more.

Also this month, the Websense Security Lab researchers presented at Black Hat Las Vegas and Hack In The Box in Amsterdam.

Major Hits

Ever wonder where your search engine stands relative to others based on malicious links they serve up in their search results? A two-month study by Barracuda Labs provides these estimates (be careful clicking those links!). Total malware by search engine:

  • Google: 69%
  • Yahoo: 18%
  • Bing: 12%
  • Twitter: 1%


The Windows LNK shortcut flaw (CVE-2010-2568) made a huge splash this month, a problem exacerbated by a computer worm dubbed Stuxnet that uses this flaw as one of the worm's propagation methods. Stuxnet targets Siemens SCADA systems, used to control production at industrial plants.

Strictly speaking, the LNK files themselves were correctly formatted (as opposed to a file crafted to exploit a buffer overflow) and they were legitimate .lnk files, except that they were allowed to link to (and run) executable files located elsewhere -- an ugly design flaw. The bad guys simply took the opportunity to make shortcuts to malware, and sent these shortcuts around to victims. The shortcuts could be activated without actually clicking on them. Using Windows Internet Explorer, merely browsing to the folder containing the malicious .lnk file triggered the bad stuff. Here is our technical analysis on the Microsoft LNK vulnerability.
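Because the malicious shortcuts were well-formed, triage comes down to reading what each .lnk actually launches. The following Python parser is an added example (not Websense's analysis code); it reads the MS-SHLLINK header and StringData fields (relative path, arguments) to flag shortcuts whose target is an executable type, skipping the LinkTargetIDList and LinkInfo blocks. The sample shortcuts are constructed inline for the demonstration and the "risky" extension list is an assumption for triage, not a complete detection.

```python
import struct

# ShellLinkHeader constants from MS-SHLLINK (HeaderSize is always 0x4C)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# Assumed triage list: targets a responder would want to review by hand
RISKY_EXT = (".exe", ".dll", ".cpl", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js")

def _read_string(data, off, unicode_):
    """StringData field: u16 character count followed by the characters (no terminator)."""
    n = struct.unpack_from("<H", data, off)[0]
    off += 2
    if unicode_:
        return data[off:off + 2 * n].decode("utf-16-le"), off + 2 * n
    return data[off:off + n].decode("latin-1"), off + n

def parse_lnk(data):
    """Return the StringData fields of a shell link as a dict, or None if not a .lnk."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 76 or data[4:20] != LNK_CLSID:
        return None
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 76
    if flags & HAS_IDLIST:        # LinkTargetIDList: u16 size, then the item list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:      # LinkInfo: u32 size that includes the size field itself
        off += struct.unpack_from("<I", data, off)[0]
    fields, uni = {}, bool(flags & IS_UNICODE)
    for flag, key in ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                      (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                      (HAS_ICON, "icon")):
        if flags & flag:
            fields[key], off = _read_string(data, off, uni)
    return fields

def is_suspicious(fields):
    """Flag a shortcut whose relative target is an executable type for manual review."""
    return fields.get("relative_path", "").lower().endswith(RISKY_EXT)

def build_sample(rel_path, args):
    """Construct a minimal Unicode .lnk for testing (constructed data, not a real shortcut)."""
    flags = HAS_RELPATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I", 76) + LNK_CLSID + struct.pack("<I", flags) + bytes(52)
    enc = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + enc(rel_path) + enc(args)

if __name__ == "__main__":
    for sample in (build_sample("..\\tmp\\update.exe", "/silent"),
                   build_sample("..\\Documents\\report.docx", "")):
        f = parse_lnk(sample)
        print(f["relative_path"], "->", "REVIEW" if is_suspicious(f) else "ok")
```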

Hot on the heels of Stuxnet, malware makers of Chymine, Vobfus, Sality, and Zeus updated their unwanted products to benefit from this vulnerability. Additional mitigation advice can be found here: US-CERT VU#940193


Web 2 dot uh oh

Last month in this section we mentioned that new ways to exploit social networks continue to surface. This month was more of the same. The RSA FraudAction Research Lab was among many to observe social sites being used to operate a banking Trojan virus. Once the Trojan infects a user's computer, the virus accesses a specific social profile, Google Group, or even a Twitter feed, all set up by the controller of the virus. From these sites, the virus, trained to parse text, can receive instructions embedded in posts, feeds, etc. This sophisticated exploitation of social sites bypasses the cost and maintenance of independent servers dedicated to doing the same thing. Using these free sites, communication with the Trojan can be done at no cost and with little risk. It is up to the site to remove these malicious throwaway accounts.

The other notable exploit of Web 2.0 functionality in July was YouTube's XSS vulnerability. The visual effects of this vulnerability were seen by many users when only the top few comments of a post were loaded, along with a script comment regarded mostly as spam. Fortunately this was the extent to which the vulnerability was exploited before Google patched the YouTube service. Potentially it could have been used to force the browser to execute malicious script code embedded in the YouTube page.


Browser and friends

Mozilla has blacklisted a third-party add-on called "Mozilla Sniffer". The add-on submits the login form of any website, including the password field, to a remote location. The add-on has been downloaded about 1800 times. Those who installed it are advised to change their passwords in case they have been captured. Mozilla also released two security updates this month; 15 vulnerabilities have been patched.

It has been disclosed by researcher Jeremiah Grossman that the "autofill" feature in Apple Safari has a security vulnerability. The autofill feature can be hacked to steal data from the computer's address book. Apple provided a quick response; a patch was released a few days later. In all, 15 vulnerabilities were fixed this month, including the autofill problem.

Google released a security update for Chrome. Five bugs were fixed in the patch.

The good news from Adobe is that Adobe Reader is going to add Protected Mode in the next version. Protected Mode is a sandboxing technology based on Microsoft's Practical Windows Sandboxing technique. It is similar to the Google Chrome sandbox and Microsoft Office 2010 Protected Viewing Mode. All operations required by Adobe Reader to display the PDF file to the user are run in a very restricted manner inside a confined environment. More good news is that Adobe will join the Microsoft Active Protections Program (MAPP), in which vulnerability information is shared with security software providers in advance.

Aside from the major LNK vulnerability brouhaha mentioned above in the Major Hits section, Microsoft patched a vulnerability in Windows Help and Support Center (MS10-042), Canonical Display Driver (MS10-043), MS Office Access ActiveX Control (MS10-044), and MS Office Outlook (MS10-045). The Windows Help and Support Center zero day (MS10-042) saw at least 25,000 attacks as confirmed by Microsoft, largely in Russia and Europe.


Hello Threatseeker. You've got mail!

This month there was a lot of follow-up on the previous month's email threats. In addition, there was no shortage or end to the abuse of social networking sites such as Facebook and hi5. The more interesting attacks within the email space were focused on "brand-jacking", where Gumblar seems to have made a comeback impersonating Amazon.com. The aim of the campaign was to trick unsuspecting users into visiting a URL serving a client-side exploit.

Other attacks include but are not limited to the influx of YouTube-themed spam requesting users to confirm their email address, the fake ImageShack registration emails, and the fake "Welcome to My Opera" account activation emails.

Security Trends

A low-cost, home-brewed GSM hacking device, developed by researcher Chris Paget, mimics more expensive devices already in use by intelligence and law enforcement agencies – called IMSI catchers – that can capture phone ID data and content.

According to Secunia’s recently released report, between 2005 and 2010 Apple Inc. had the most reported security vulnerabilities.

Some motherboards in 4 models of Dell PowerEdge servers were shipped to customers with malware code on the embedded server management firmware. A Dell representative confirmed the issue on Dell’s community forum.

A fake technical-support phone call was used to spread malware. The attackers in this scheme cheated targeted users by calling them and "helping" them install malware, remote desktop applications, etc.

The Secunia Half Year Report 2010 asserts that a typical end-user PC with 50 installed programs had 3.5 times more vulnerabilities in the 24 third-party programs than in the 26 Microsoft programs.


Thanks to this month's roundup contributors:

* Lei Li

* Douglas Libby

* Amon Sanniez

* Ulysses Wang

* Jay Liew