November 12, 2010

This Month in the Threat Webscape - October 2010

Jay Liew

Month of October 2010

Major Hits

Websense Security Labs discovered that the official Web site of the Nobel Peace Prize was compromised by malicious hackers. The hackers inserted code that infects visitors using Mozilla Firefox. This zero day vulnerability has since been patched.

The exploitation of vulnerabilities in Java has spiked dramatically, as brought to light by Holly Stewart from the Microsoft Malware Protection Center (see chart below). 

The attacks can largely be attributed to 3 vulnerabilities:

  • A deserialization issue in vulnerable versions of the JRE (Java Runtime Environment) that allows remote code execution through Java-enabled browsers on multiple platforms, such as Microsoft Windows, Linux, and Apple Mac OS X.
  • Another multi-platform remote code execution issue, caused by improper parsing of long file:// URL arguments.
  • Another deserialization issue, very similar to CVE-2008-5353.

(Image and stats from Microsoft)

Web 2 dot uh oh

The Web site of Open Graph, the popular and perhaps most widely used Facebook API, opengraphprotocol.org, was compromised, leading users to a standard rogue AV landing page. The same malcode was seen on every single page of the Web site.

Lindsay Lohan was the celebrity decoy in October's social engineering scheme. Fake Facebook invites enticed users to view sex tapes of the controversial actress. The links included in the invitations led to a typical survey spam page at the time.

Towards the end of the month, a cross-platform Facebook worm that mimics some Koobface qualities heated up the information security sphere. Facebook users received messages with links to a video. This worm, known as Boonana, lured users into installing a Java applet when the link enclosed with the message was clicked. When users allowed the installation, other malicious components were downloaded. A closer look at the Boonana code sparked further interest, since it contained code indicating that it was targeting Mac OS X.

A new zero-day vulnerability (CVE-2010-3654) was discovered in Adobe Flash Player at the end of October. The vulnerability causes a crash and could potentially allow an attacker to take control of the affected system. Here are some details: a PDF file with an embedded Flash file object exploited this vulnerability. Another zero-day vulnerability (CVE-2010-3653) was found in Adobe Shockwave Player. Here, a remote attacker could exploit the vulnerability to execute arbitrary code or cause a denial of service, via a Director movie with a crafted rcsl chunk. The exploit code is published here. A new mega patch for Adobe PDF Reader was also released, fixing 23 security holes.

Mozilla released 9 bulletins in the middle of October, including 5 critical updates. The Nobel Peace Prize's Web site was compromised, a zero-day vulnerability (CVE-2010-3765) in Firefox was exploited to drop a Belmoo trojan onto unsuspecting visitors' systems, and Mozilla patched the vulnerability very quickly.

Google released a security update for its Chrome browser to fix 11 vulnerabilities. 

Oracle delivered a mega patch for Java SE and Java for Business, fixing 29 security vulnerabilities. The patch for Java on Mac OS was released here.

According to RealNetworks, 7 vulnerabilities in RealPlayer were fixed here.

Microsoft sent out an astounding 16 bulletins meant to patch 49 vulnerabilities in the Windows operating system, Internet Explorer, the .NET Framework and Microsoft Office on October's Black Tuesday. Patches for vulnerabilities that could allow remote code execution in Internet Explorer (MS10-071), Media Player Network Sharing (MS10-075), the Embedded OpenType Font Engine (MS10-076) and the .NET Framework (MS10-077) are deemed the most critical fixes and should be treated as high priority this month.

Hello Threatseeker. You've got mail!

This month, Websense Security Labs saw spammers returning to some of their trickiest treats to fool email recipients. Sorry, I couldn't resist the Halloween reference since it's October. We saw that spammers were stuffing their messages with legitimate content to try to evade spam filters. In one of the many campaigns we saw this month, the messages led to an unfamiliar target called World Pharmacy. These messages were interesting because they abused legitimate site reputations in much the same way malicious attackers usually do: the links in the messages led to URLs injected into legitimate sites, which were meant simply to redirect to the World Pharmacy spam sites. In an extension of this campaign, we also saw spammers attempting to take advantage of the ultimate reputation by using Google Translation services to redirect to software sites.

Security trends

A PDF vulnerability was found in the PDF distiller of the BlackBerry Attachment Service, which runs on BlackBerry Enterprise Server. This security hole could allow a malicious individual to cause buffer overflow errors, leading to a Denial of Service (DoS) condition or possibly arbitrary code execution. It was triggered when users opened PDFs on their BlackBerries.

Microsoft has added Zeus disinfection instructions onto its malicious software removal tool (MSRT). It nuked Zeus (also called Zbot) 281,491 times from 274,873 computers in one week. MSRT scans Windows computers for infections by specific, prevalent malicious software. This tool is updated and released on the second Tuesday of each month, and Zbot is the latest addition to MSRT’s ever-growing list of malware. 

A vulnerability for iPhone was posted to a MacRumors forum by a New Zealand iPhone user who figured out a sequence of key taps that rendered the passcode useless. It's a trivial way to bypass the four-digit passcode lock on fully patched iPhone (iOS 4.1) devices.

Security researchers found that the first version of the Koobface malware targeting Mac OS X users was spreading via links in messages on social networking sites such as Facebook, MySpace, and Twitter. The malicious Web sites attempted to trick Mac OS X users into running a Java applet in order to open a video file.

The past few months have been very busy with zero-day flaws affecting popular products. In total, those vulnerabilities accounted for 108 non-patch days - that's 88.5% of vulnerable time in 4 months.

Murofet malware is similar to Conficker in that it generates thousands of domains daily, which it then contacts for updates.
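The domain-generation behaviour described for Murofet leaves a characteristic trace in resolver logs: one host looking up many random-looking names that mostly do not resolve. The script below is an added example, not Websense's code or Murofet's actual algorithm, showing how a defender can score DNS log lines for DGA-like lookups and flag the clients making them. The log format, the sample lines, the thresholds and the function names are all constructed for this illustration; a real deployment would use the Public Suffix List instead of the naive label extraction used here.

```python
# Added example (not Websense's code): a defender-side heuristic for spotting
# hosts whose DNS lookups resemble algorithmically generated domains (DGA),
# the behaviour described for Murofet above. The log format, sample lines and
# thresholds are constructed for this example; the scoring is generic and is
# not Murofet's own domain-generation algorithm.
import math
import re
from collections import Counter, defaultdict

# Constructed sample resolver log: "<timestamp> <client_ip> <rcode> <qname>"
SAMPLE_LOG = """\
2010-10-12T10:00:01 10.0.0.5 NOERROR www.example.com
2010-10-12T10:00:02 10.0.0.5 NOERROR mail.example.com
2010-10-12T10:00:05 10.0.0.7 NXDOMAIN xkqzvrtplmwj.com
2010-10-12T10:00:05 10.0.0.7 NXDOMAIN pqwzrtvnmlksdf.net
2010-10-12T10:00:06 10.0.0.7 NXDOMAIN zzqmvkxprtwl.biz
2010-10-12T10:00:06 10.0.0.7 NXDOMAIN hgtrkqwzmvpxn.org
2010-10-12T10:00:07 10.0.0.7 NOERROR update.example.org
2010-10-12T10:00:08 10.0.0.9 NXDOMAIN typo-of-a-real-site.com
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname):
    """Return the label left of the TLD. Assumes single-label TLDs; a real
    deployment would consult the Public Suffix List."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def domain_score(label):
    """Heuristic 'randomness' score in [0, 3]: one point each for high
    character entropy, a low vowel ratio, and an unusually long label."""
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in "aeiou" for c in letters) / max(len(letters), 1)
    score = 0
    if shannon_entropy(label) > 3.2:
        score += 1
    if vowel_ratio < 0.25:
        score += 1
    if len(label) >= 12:
        score += 1
    return score


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, rcode, qname = m.groups()
    return {"ts": ts, "client": client, "rcode": rcode, "qname": qname}


def flag_dga_clients(log_text, min_suspicious=3, min_score=2):
    """Return {client_ip: [qnames]} for clients with at least `min_suspicious`
    NXDOMAIN lookups whose label scores >= `min_score`. Requiring several hits
    per client keeps a single typo'd lookup from raising an alert."""
    suspicious = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["rcode"] != "NXDOMAIN":
            continue
        if domain_score(registrable_label(rec["qname"])) >= min_score:
            suspicious[rec["client"]].append(rec["qname"])
    return {c: names for c, names in suspicious.items()
            if len(names) >= min_suspicious}


if __name__ == "__main__":
    for client, names in flag_dga_clients(SAMPLE_LOG).items():
        print(f"{client}: {len(names)} DGA-like NXDOMAIN lookups, e.g. {names[0]}")
```

On the constructed log, only 10.0.0.7 is flagged: its four NXDOMAIN names all score 3, while the single typo-like lookup from 10.0.0.9 scores 2 but stays below the per-client count threshold. Tune `min_score` and `min_suspicious` against your own baseline traffic before using this in alerting.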

This month's round up contributors

  • Ulysses Wang
  • Lei Li
  • Mary Grace Timcang
  • Chris Astacio
  • Jay Liew

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.