June 16, 2010

This Month in the Threat Webscape - May 2010

Jay Liew

Major Hits 

A few Web sites belonging to the U.S. Department of the Treasury were compromised and injected with a malicious iframe, which loaded exploit code into visitors' browsers (video included). Yet another large-scale attack targeting WordPress installs occurred, leading visitors to rogue AV sites, pharmaceutical spam, Zeus C&C sites, and other shoddy Web sites. PHP-Nuke, a popular PHP-based CMS, had its own Web site compromised and injected with a malicious iframe. In case it isn't yet obvious, breaking into legitimate, popular Web sites and then inserting an iframe that loads up exploits is the favourite trick among blackhat hackers these days. 
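As an added example (not code from this post), here is a small Python checker for the injected-iframe pattern described above. It flags iframes that are both concealed (zero-size or hidden by inline CSS) and pointed at a host other than the page's own, and it also catches the common variant where the iframe is emitted from an inline script via document.write. The sample page, the hostnames and the heuristics are all constructed for illustration; a legitimate site can have hidden same-origin frames, so those are deliberately not reported.

```python
"""Heuristic scanner for injected, hidden iframes of the kind described above.
Added example, not code from the original post; the sample page is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline CSS that hides an element off screen or entirely.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d", re.I)


def _px(value):
    """'0', '1px', '100%' -> leading integer, or None if absent/unparseable."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


class IframeCollector(HTMLParser):
    """Collects <iframe> tags, plus iframes written from inline <script> via document.write."""

    def __init__(self):
        super().__init__()
        self.iframes = []      # attribute dicts of real <iframe> tags
        self.scripted = []     # src values of iframes emitted from script text
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive as data; look for iframe markup inside string literals.
        if self._in_script:
            self.scripted += re.findall(r"<iframe[^>]*?src=[\"']([^\"']+)", data, re.I)


def _hidden_reasons(attrs):
    reasons = []
    w, h = _px(attrs.get("width")), _px(attrs.get("height"))
    if w is not None and h is not None and w <= 1 and h <= 1:
        reasons.append("tiny")                        # 0x0 / 1x1 pixel frame
    if HIDDEN_STYLE.search(attrs.get("style", "")):
        reasons.append("hidden-style")
    return reasons


def _third_party(src, page_host):
    host = urlparse(src).hostname
    return bool(host) and host != page_host            # relative or same-host src is first party


def suspicious_iframes(html, page_url):
    """Return [(src, [reasons])] for iframes that are both concealed and third-party."""
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    page_host = urlparse(page_url).hostname
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        reasons = _hidden_reasons(attrs)
        if reasons and _third_party(src, page_host):
            hits.append((src, reasons + ["third-party"]))
    for src in parser.scripted:
        if _third_party(src, page_host):
            hits.append((src, ["written-by-script", "third-party"]))
    return hits


# Constructed sample: one legitimate same-origin frame and two injected ones.
SAMPLE_HTML = """<html><body>
<h1>Press releases</h1>
<iframe src="https://www.example.gov/widget" width="300" height="200"></iframe>
<iframe src="http://evil.invalid/in.cgi?3" width="0" height="0" style="visibility:hidden"></iframe>
<script>document.write('<iframe src="http://bad.invalid/x.php" style="display:none"></iframe>');</script>
</body></html>
"""

if __name__ == "__main__":
    for src, why in suspicious_iframes(SAMPLE_HTML, "https://www.example.gov/news.html"):
        print(f"{src}  <- {', '.join(why)}")
```

Run it against a saved copy of a page and compare the output with what the site is supposed to embed; real injections are often obfuscated further (hex-escaped strings, eval), so a check like this is a first pass, not a substitute for inspecting the live DOM.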

In the UK, search terms relating to the UK General Election were poisoned (blackhat SEO); unsuspecting Web users who clicked on the wrong Google results found themselves on fake antivirus Web sites. 

In China, the country with the world's largest number of Web users, at least two major site compromises were seen. The first was Chinaz.com, a well-known site for webmasters. The second was the game channel of MOP BBS, one of the newest and most influential forums in the country. In both cases the compromised sites were infecting their own visitors, which is the primary reason blackhat hackers break into popular sites in the first place: it gives them access to the site's regular audience. 

Web 2 dot uh oh 

This was a banner month for Facebook "oops" moments. First, a flaw in the site exposed live chat sessions and other private user information (video). Then came an onslaught of malicious links spreading virally across Facebook's platform, using social engineering tactics that many Facebook users fall for, thereby unknowingly exposing their own friends to the same links.

In each of these cases, the rogue app tricks the user into downloading a malicious .exe file disguised as a "Flash" or "FLV" player. You may also opt to install our security application for Facebook, the world's first and only real-time security app that protects your wall from such unwanted messages. It's available for free at http://defensio.com 

In other news, Dasient reports that 1.3 million malicious ads (malvertising) are viewed each day; 59% of them result in a drive-by download and the remaining 41% in fake security software (rogue AV / scareware).

Browser and Friends 

A new security update for Shockwave Player is available; it patches 18 critical vulnerabilities. Adobe rates the update as critical and strongly recommends installing it. According to Brad Arkin, Adobe's Director of Product Security and Privacy, Adobe is considering shortening the Adobe Reader update cycle from 90 to 30 days, in response to pressure from customers who have already suffered a great deal from Reader's security vulnerabilities. Flash and Shockwave may be brought into the same update cycle. 

A zero-day vulnerability in the Safari browser has been discovered; it may lead to the exposure of sensitive information or even arbitrary code execution. A proof of concept (.rar) has been published here. 

Opera Software has released Opera 10, which patches an "extremely severe" security vulnerability that may lead to remote code execution.

In October 2009, Mozilla pushed its "Plugin Check" project live; it reports which Firefox plugins are out of date and helps users update them. This was a very good idea, since outdated plugins are one of the biggest security holes in today's browsers. Mozilla has now made the effort to extend the service to other browsers: Safari, Chrome and Opera are fully supported, and IE has limited support. 

If you're used to just clicking through Java warnings on Web sites that say "This application's signature cannot be verified. Do you want to run this application?", you might want to think twice. That dialog means the applet is signed with a certificate Java cannot chain to a trusted authority, and accepting it runs the applet outside the Java sandbox with the same privileges as any program on your desktop. We picked up a trend of malicious Java applets that download a malicious .exe file, which is then executed on your desktop.

May's Patch Tuesday included two remote code execution vulnerabilities, one in Microsoft's mail clients and the other in Visual Basic for Applications. MS10-030 addresses CVE-2010-0816, an integer overflow in Outlook Express and Windows Mail that can lead to remote code execution. MS10-031 addresses CVE-2010-0815, a stack memory corruption in the parsing code that handles ActiveX controls. 

The SharePoint XSS bug we mentioned last month hasn't been patched yet. 

Microsoft also announced an unpatched vulnerability (CVE-2009-3678) in the Canonical Display Driver (CDD) on 64-bit Windows Server 2008 R2 and Windows 7 when the Aero theme is enabled. Remote code execution is possible in theory, but Microsoft considers a denial of service the more realistic outcome. Their advisory is still available, but Microsoft appears to have retracted its MSRC/SRD blog post about the vulnerability.

Hello ThreatSeeker. You've got mail!

Malicious social engineering just doesn't seem to go away, and it doesn't look like it will any time soon. This month was a testament to that, with a variety of tricks in use: we saw lures involving Facebook, iTunes, Amazon, Adobe, and even job applications. 

Early in the month, we reported on a campaign of malicious emails that enticed users into installing a backdoor. The bait was a Facebook toolbar, spread via a link in the email; the link led to a file named toolbar.exe. We also reported on a malicious attachment spam campaign that claimed to carry iTunes gift certificates. There was also a large email campaign of messages from supposed job hunters; the unfortunate victims of that campaign were met with a rogue AV installation. Last, but of course not least, the ever-present Zeus sent out a clever new email campaign that took great care in tricking victims into downloading malware. These messages contained a PDF attachment as well as a link to a malicious executable, and to make them more believable they were made to look like mail forwarded from a security director within your own company, explaining that Adobe Reader needed to be updated.

Security Trends

Symantec's recent report (.PDF) says that the Zeus crimeware kit, together with the growth of malicious PDFs driven by the integration of Adobe flaws into popular malware kits, makes it easier for unskilled attackers to compromise computers and steal information. The effectiveness of up-to-date antivirus against Zeus is just 23%, and PDF attacks accounted for 49% of Web-based attacks in 2009. 

Researchers from VeriSign's iDefense Intelligence Operations Team found that the average underground price for renting a botnet is $67 for 24 hours, or $9 for an hour. The low prices come down to a simple fact: an ever-increasing supply of malware-infected hosts.

According to a paper (.PDF) published by the Electronic Frontier Foundation (EFF), Web sites can track users without cookies, using the unique fingerprint a browser leaves behind through the attributes it reveals to every page (user agent, installed plugins and fonts, screen size, time zone and so on).
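As an added example (not code from the post or from the EFF), the following Python block shows the measurement behind that claim: it hashes a handful of browser attributes into a fingerprint, then computes how much identifying information each attribute carries (entropy and surprisal in bits) and how many browsers in a population share a given fingerprint. The eight-browser population is constructed for illustration; the attribute names and values are assumptions, not data from the paper.

```python
"""How identifying a browser fingerprint is, the measurement behind the EFF paper above.
Added example, not code from the post or the EFF; the browser population is constructed."""
import hashlib
import math
from collections import Counter

# Constructed population: (user agent, plugin list, time zone, screen size) per browser.
POPULATION = [
    ("Firefox/3.6 Win", "Flash 10;Java 6", "UTC-5", "1280x800"),
    ("Firefox/3.6 Win", "Flash 10;Java 6", "UTC-5", "1280x800"),   # identical to the first
    ("Firefox/3.6 Win", "Flash 10;Java 6;Silverlight 3", "UTC-5", "1280x800"),
    ("Firefox/3.6 Win", "Flash 10", "UTC-5", "1024x768"),
    ("Chrome/5 Win", "Flash 10;Java 6", "UTC+0", "1920x1080"),
    ("Chrome/5 Win", "Flash 10;Java 6", "UTC+0", "1920x1080"),     # identical to the fifth
    ("Safari/4 Mac", "Flash 10;QuickTime 7", "UTC+8", "1440x900"),
    ("Safari/4 Mac", "Flash 10;QuickTime 7;Java 6", "UTC+8", "1440x900"),
]
ATTRIBUTES = ("user_agent", "plugins", "timezone", "screen")


def fingerprint(browser):
    """Stable ID derived only from attributes every page can read; no cookie involved."""
    return hashlib.sha256("|".join(browser).encode()).hexdigest()[:16]


def entropy_bits(values):
    """Shannon entropy of one attribute across the population: how well it tells browsers apart."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def surprisal_bits(value, values):
    """-log2 P(value): identifying information carried by one observed attribute value."""
    return -math.log2(Counter(values)[value] / len(values))


def anonymity_set(browser, population):
    """Number of browsers sharing this exact fingerprint; 1 means it can be tracked individually."""
    fp = fingerprint(browser)
    return sum(1 for b in population if fingerprint(b) == fp)


def identifying_bits(browser, population):
    """Bits needed to single the browser out, given how many share its fingerprint."""
    return math.log2(len(population) / anonymity_set(browser, population))


def unique_fraction(population):
    """Share of browsers whose fingerprint appears exactly once in the population."""
    counts = Counter(fingerprint(b) for b in population)
    return sum(1 for b in population if counts[fingerprint(b)] == 1) / len(population)


if __name__ == "__main__":
    for i, name in enumerate(ATTRIBUTES):
        column = [b[i] for b in POPULATION]
        print(f"{name:10s} entropy {entropy_bits(column):.2f} bits")
    print(f"unique fingerprints: {unique_fraction(POPULATION):.0%}")
    for b in POPULATION:
        print(fingerprint(b), f"anonymity set {anonymity_set(b, POPULATION)}, "
              f"{identifying_bits(b, POPULATION):.1f} bits")
```

Each attribute on its own is coarse (the time zone column above carries only 1.5 bits), but the attributes combine multiplicatively: half of this tiny population is already uniquely identifiable from four fields, and the effect only grows with the plugin and font lists a real browser exposes.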

Modularization of malware makes it harder for AV vendors to collect samples of every module: because attackers can deliver individual modules only to selected targets, many of those modules never reach the vendors' sample collections.

This month's contributors:

  • Ulysses Wang
  • Lei Li
  • Erik Buchanan
  • Chris Astacio
  • Jay Liew

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.