April 12, 2010

This Month in the Threat Webscape - March 2010

Jay Liew

We presented at RSA 2010 and spoke at the Cloud Security Alliance Summit. Here is our recap of the event.

Threat Webscape

Major hits

Highlight pwns from CanSecWest's Pwn2Own 2010 hacking contest include:

1. Contest winner (Peter Vreugdenhil): IE 8 vulnerability exploited on a fully patched Windows 7 machine.

2. A malicious Web site that, when visited from a fully patched iPhone, steals the phone's SMS (text messages), including deleted texts, and uploads them to a server of the attacker's choosing.

3. A malicious Web site that, when visited from Safari on a MacBook, allows the attacker full control of the MacBook. This is Charlie Miller's hat trick.

4. Mozilla Firefox had a vulnerability exploited with a drive-by download. ASLR and DEP on Windows 7 were bypassed.

In other news, the Sougou BBS Web site was compromised and injected with a malicious iframe. Searching for Corey Haim on Google led to malicious rogue AV Web sites, as did searching for other blackhat SEO poisoned terms like March Madness, and various sensational topics and events.

Web 2 dot uh oh

Last month, we detected that over a quarter million malicious links were posted on various Facebook pages, including those belonging to celebrities like Justin Timberlake. In the blog post, we include a video showing just how quickly the links are spreading. (Note: be careful what you click on!) Websense Security Labs has also been monitoring the latest WordPress attack, which saw over 250,000 injections over a span of just 2 weeks.

Browser and friends

Is the fully-patched browser safe? Look at the Vancouver Pwn2Own 2010 contest. Fully-patched IE8, Safari, and Firefox have been hacked. The good news is that the zero-day vulnerabilities the hackers used are not spreading in the wild. This will help the browser vendors to improve their products. Apple released security update 4.0.5 for Safari, patching 16 vulnerabilities. Mozilla has also done a lot of work this month, releasing Firefox 3.6.2, which fixed 15 vulnerabilities. Opera released 10.51 for Windows with two vulnerabilities patched. According to F-Secure's research, PDF-based targeted attacks have been increasing in the past few years, reaching 61.2% in 2010. A good example of this type of attack is a campaign with a FIFA World Cup 2010 theme that spread in the wild in March. Victims receive an email containing a PDF that exploits CVE-2010-0188, even though the vulnerability had already been patched back in February.


March brought two new Internet Explorer zero-days, one requiring an emergency out-of-band patch and one still unpatched.  The first is a vulnerability in Internet Explorer (CVE-2010-0483) that gives attackers remote code execution capabilities on the machines of IE users who are tricked into pressing the F1 key for help.  The attack involves specially-crafted VBScript and Windows Help Files for IE. While POC code has been released detailing the exploit, no attacks have yet been seen in the wild.  Microsoft plans to release a patch for this bug in April. 

While the F1 zero-day vulnerability wasn't addressed, March's Patch Tuesday did include 2 important remote code execution bulletins.  MS10-016 addresses versions of Windows Movie Maker that ship with Windows XP and Windows Vista, and involve users opening malicious Movie Maker files.  The second bulletin MS10-017 patches all currently supported versions of Microsoft Excel, both on Windows and Mac to protect against attackers convincing users to open a malicious Excel document to exploit their machines. 

The biggest Internet Explorer news this month was a zero-day vulnerability (CVE-2010-0806) involving a use-after-free bug in the Peer Objects component (iepeers.dll) in IE6 and IE7. Microsoft released an advisory providing mitigation options, emphasizing that IE5 and IE8 are unaffected, and stating that they had seen limited targeted attacks in the wild.  An Israeli researcher released working exploit code for the vulnerability, and integrated it into the Metasploit Framework.  Microsoft released a quick-fix that disabled the offending component, but was forced to release an out-of-band patch for the actively-exploited vulnerability on March 30. You can find more details about this vulnerability in our detailed analysis of the exploit code found in the wild.

Hello ThreatSeeker, you've got mail!

This past month has seen some diversification of social engineering in malicious spam. Spammers have abused big brand names to entice possible victims into clicking on URLs in messages. One such example we alerted on was an Apple App Store campaign. With this campaign, spammers abused the good reputation of legitimate sites to host their redirects. Compromised sites were linked in Apple App Store spam and would redirect to the final spam site destination. In some cases there were even client side exploits hosted on the redirect sites! Spammers also tried to lure victims by sending fake Skype toolbars for Outlook. 

A couple of new and interesting spam cases included two countries and a big sporting event. Spammers used scare tactics as a lure for victims to open malicious ZIP attachments. The emails were spoofed to look as though they were sent from official US intelligence agencies and stated that North Korea had launched a missile at Japan. Riding on the PDF infection train, spammers also sent out targeted attacks containing infectious PDF files. The attacks consisted of FIFA World Cup themed messages with a PDF attachment. These attachments were laced with exploits intended to compromise the end user's computer.
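The campaigns in the two paragraphs above share three tells: a display name borrowing a brand or agency that the sending domain does not match, a sensational or brand-themed subject, and a ZIP or PDF attachment. The following added example (not Websense/Forcepoint detection logic) shows a mail-gateway style triage that scores a raw message on exactly those tells. The brand-to-domain table, the lure keywords and the two sample messages are constructed assumptions for illustration, not data from the campaigns described.

```python
"""Score raw email messages for the social-engineering tells described above.
Added example; BRAND_DOMAINS, LURE_KEYWORDS and the samples are constructed."""
from email import message_from_string
from email.utils import parseaddr

# Assumed mapping from a brand name (as it appears in a display name) to the
# domains a genuine message from that brand would be sent from.
BRAND_DOMAINS = {"apple": {"apple.com"}, "skype": {"skype.com"}}
# Assumed subject-line lures drawn from this month's campaigns.
LURE_KEYWORDS = ("world cup", "fifa", "missile", "north korea", "app store", "toolbar")
# Attachment types that carried the payload in the campaigns described.
RISKY_EXT = (".zip", ".pdf", ".exe", ".scr")


def score_message(raw):
    """Return a list of human-readable reasons; an empty list means no tell fired."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    subject = msg.get("Subject", "").lower()
    reasons = []

    # Tell 1: display name claims a brand, sending domain is not that brand's.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() and domain not in domains:
            reasons.append(f"display name claims {brand} but sender domain is {domain}")

    # Tell 2: sensational or brand-themed subject.
    if any(k in subject for k in LURE_KEYWORDS):
        reasons.append("lure keyword in subject")

    # Tell 3: attachment of a type used to carry exploits or droppers.
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXT):
            reasons.append(f"risky attachment {filename}")
    return reasons


def is_suspicious(raw, threshold=2):
    """Quarantine rule: two or more independent tells on one message."""
    return len(score_message(raw)) >= threshold


# Constructed sample in the style of the FIFA / App Store lures.
SAMPLE_SPAM = """From: "Apple App Store" <promo@mailer.example>
To: victim@corp.example
Subject: FIFA World Cup 2010 schedule - see attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Open the attached schedule.
--b1
Content-Type: application/pdf; name="schedule.pdf"
Content-Disposition: attachment; filename="schedule.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Constructed benign message from the brand's own domain with no attachment.
SAMPLE_LEGIT = """From: "Apple" <news@apple.com>
To: victim@corp.example
Subject: Your receipt
Content-Type: text/plain

Thanks for your purchase.
"""

if __name__ == "__main__":
    for name, raw in (("spam", SAMPLE_SPAM), ("legit", SAMPLE_LEGIT)):
        print(name, is_suspicious(raw), score_message(raw))
```

The threshold of two tells is deliberate: a PDF attachment alone or a World Cup subject alone is ordinary mail, but a brand-spoofed sender carrying a PDF is the combination the March campaigns used.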

[Figure: Spam inbound email and spam detection rate]

Security trends

BeyondTrust collected data from Microsoft Security Bulletins published throughout 2009 and released a report pointing out that 64% of all the reported Microsoft vulnerabilities for 2009 could have been mitigated by using the principle of least-privileged accounts.

By staying well under the radar (unlike obvious and annoying adware) malware writers can now build a residual income stream via our everyday surfing and shopping online. A malware industry chain has formed that extends from malware programming to malware distribution.

A representative from the Russian Association of Electronic Communications (RAEC) admitted that, based on their recently released study, not only are seven of world’s top ten spammers Russians, but also that the world’s number one spammer is a Russian who lives in Moscow.

A Google security researcher, "SkyLined", has released an exploit that uses the ret-into-libc technique to bypass DEP and launch code execution attacks on x86 platforms.

Hackers using the Metasploit point-and-click attack tool can locate and exploit the backdoor Trojan that was recently found in the software included with the Energizer DUO USB battery charger.

An innocuous weather application was used to commandeer about 8,000 iPhones and Android devices in a mobile botnet by a pair of security researchers.

Thanks to the following contributors for this month's roundup:
- Erik Buchanan (Security & Technology Research)
- Lei Li (Security & Technology Research) 
- Ulysses Wang (Security & Technology Research) 
- Jay Liew (Security & Technology Research) 
- Chris Astacio (Security & Technology Research) 
- Ivan Sabo (Security & Technology Research)

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.