This Month in the Threat Webscape - September 2010
Month of September
Stuxnet was the major story last month. After the presentations at Virus Bulletin 2010 [1,2] Stuxnet has gotten even more attention. CVE-2010-2883, a 0-day in Adobe Reader, was another major story.
A malicious injection targeting Song Lyrics put Google users at risk, thanks to Google Instant. Finally, Google Code was found to be hosting malicious Web content, specifically the Ultimate BlackHat Tool Kit.
Web 2 dot uh oh
"Links lead to more Links" - you are just 2 clicks away from being infected. Use of Link Analysis to find objectionable or malicious content and ACE (Advanced Classification Engine) technology gives us in-depth insight into security threats on the social Web and helps protect our users. Over 40 percent of Facebook posts contain a URL and 10 percent of those are either spam or malicious. Take a look at some tips for avoiding the potential dangers of user generated content in our Websense Insight: Link Analysis blog. Visit Defensio.com for the only social media threat detection application that protects social media sites and Facebook pages from spam or profanity.
Browser and friends
A number of security flaws on some of the most-used media players - Apple's iTunes and QuickTime, and Real Network's RealPlayer, hit the September headlines. While RealPlayer and iTunes released patches for known vulnerabilities,QuickTime faced a classic drive-by 0-day that may lead to arbitrary code execution by visiting malicious Web sites or images. Websense® ACE (Advanced Classification Engine) identified and protected our customers against this attack at least a month before this news broke out.
Google Chrome marked its 2nd birthday by delivering patches on 15 known vulnerabilities. Firefox also released patches for 15 vulnerabilities, including fixes for the DLL load hijacking issue. Apple released patches for 3 security holes in its Safaribrowser, 2 of which affects Safari and iTunes' open-source rendering engine Webkit.
A security update for Adobe Flash Player was released mid-September for a 0-day that allowed the attacker to gain control of affected systems. CVE-2010-2884 affects Flash Player version 10.1.82.76 and earlier, Adobe Reader 9.3.4 and earlier, and Adobe Acrobat 9.3.4 and earlier.
Major DLL load hijacking issues crossed over from the end of August to the beginning of last month affecting not only Microsoft, but other popular vendors as well. Microsoft then released a one-click 'Fix It' tool a day after the delivery of theCWDIllegalInDllSearch utility, which secures the system by rejecting unsafe DLL loading behavior. Both tools work hand-in-hand to protect users against the latest DLL load hijacking issues that ultimately lead to remote code execution attacks.
10 bulletins meant to fix at least 11 known vulnerabilities in Windows and MS Office Suite were dispatched in this month'sPatch Tuesday, 7 of which are for remote code execution. Critical patches are for Print Spooler Service (MS10-061), MPEG-4 Codec (MS10-062), Unicode Scripts Processor (MS10-063), and Microsoft Outlook (MS10-064).
Hello Threatseeker. You've got mail!
The start of the month saw the use of an old trick involving an .scr file masquerading as a .pdf file using the "Here You Have" malicious emails. It is interesting that there is no need to re-invent the wheel when you can simply recycle methods and processes, in this case the use of an old worm being spread using different means. Surprisingly, this escaped most AV engines as verified on VirusTotal.
Jumping on the band wagon of using any means to get users' attention and to propagate attacks, this month saw further blended attacks employing everyday tools we have grown accustomed to, such as Skype-themed malicious emails and Facebook password reset emails leading users to rogue AV downloads.
There is no shortage of the use of social networking sites or related emails to spread malware. However, the intriguing aspect of these attacks is that they are blended; what happens in the background, unknown to the user, is pertinent. One might think they have been redirected to a rogue AV site and that is all, but they could have potentially kicked off a chain reaction with redirects to an exploit site where an exploit kit or other damaging content would be downloaded to the user's machine.
Later in the month, there was the use of tragic news to spread malicious content, as in the case of the death of Daniel Covington. The blended attack in this case did not only take users to a Rogue AV download page but also downloaded the Phoenix exploit kit.
This month teaches us two things in our opinion, "Spammers will use any means to propagate their malware" and "We need to pay special attention to blended attacks"
The Route to Malware shows that just 2 clicks can get to malicious code on an infected Web site. Websense researchers looked at how most Internet users were only 2 clicks away from malicious content in one of three ways: from top sites, poisoned search results, and malicious links.
Fake warning pages start displaying on a user's browser. The trick was used by a new rogue criminal as a social engineering scheme in order to trick users into downloading and installing the rogue. The fake warning pages are so similar to the real thing that it can trick even highly-trained eyes.
Security vulnerabilities prevent companies from adopting Web 2.0 in their business practices. McAfee released their Global Web 2.0 Report in September. As they said, the top perceived threats of Web 2.0 usage by employees are malicious software (35 percent were concerned about it), viruses (15 percent), overexposure of information (11 percent), and spyware (10 percent).
This month's roundup contributors:
- Saeed Abu-Nimeh
- Artem Gololobov
- Mary Grace Timcang
- Amon Sanniez
- Lei Li
- Jay Liew