The Websense Security Labs Blog delivers the most current information about breaking security research topics and today's advanced Internet threats. Websense Security Labs investigates and publishes information about outbreaks, new threats and other relevant Web security topics to protect organizations from converging risks to their data from Web, email and user based attacks.
Adobe PDF Exploit Code Analysis
02.25.2009 - 8:00 AM
Websense® Security Labs™ ThreatSeeker™ Network has been monitoring, since last week, the malicious use of the now widely known zero-day vulnerability (CVE-2009-0658) affecting Adobe Reader 8.x and 9.x. Adobe has released a security bulletin, APSA09-01, describing the vulnerability and has stated that it will have a fix out by March 11th. We have categorized the sites that we have found to be hosting this vulnerability.
Microsoft's CAPTCHA revolutions busted by spammers - again and again
02.15.2009 - 4:40 PM
Spammers have once again ramped up the siege on Microsoft's Live Hotmail services, by busting Microsoft's latest, redesigned CAPTCHA system.
Near the end of 2008, Microsoft reworked its CAPTCHA authentication, attempting to prevent further automatic registrations by computer programs and automated bots, and preserve CAPTCHA's usability and reliability. As the latest attack shows, those efforts have failed.
This Month in the Threat Webscape
02.11.2009 - 11:30 AM
Month of January 2009
This month ushers in a new age for the United States. Malicious hackers did not fail to capitalize on this opportunity to parade their usual dog-and-pony-show around President Obama's especially Internet-savvy supporters. In a twitter-storm of irony, a phishing campaign for Twitter accounts was found spreading on Twitter itself, via its "direct message" feature. The Conficker worm continues to make strides despite the release of an official patch last October, leaving Redmond still feeling con'ed.
Major hits this month include various official political Web sites, popular portals, and socialite Paris Hilton's Web site—now that's hot.
Parasitic Infector Analysis II: What changed?
02.09.2009 - 8:00 AM
Back in October 2006, I wrote an analysis of a PE infector called Virut. The analysis looked at the very first, rather simple, version of that virus (virut.a). This time, I'll look at the evolution of this file infector, and talk about what has changed since the first analysis. You may want to start by reading that blog post first.
Most of the features from the old version, such as the IRC bot component, are still present. The code for that particular feature hasn't changed much, and a lot of code from the very first variant is still used. On the other hand, a few new features have appeared, including, but not limited to, memory residency, infection of HTM, PHP and ASP files, and pseudo-polymorphism.
Web 2.0 Phishing Leading to Multi-vector Attacks - Part 2
02.05.2009 - 4:40 PM
Part 2 of 2
From a fraudster's perspective, creation of Blogger phishing splogs and splogospheres using services supplied by legitimate Web-hosting providers is an initial success. It may be difficult and time-consuming to track down and remove such pages, because they are not hosted or provided by Google's services. The splogs can be hosted and associated with multiple Web-hosting services through complex link farms.
Web 2.0 Phishing leading to Multi-vector Attacks - Part 1
02.03.2009 - 4:40 PM
Part 1 of 2
During 2008, online fraudsters worldwide demonstrated their adaptability by defeating a range of email and Web filtering services offered by different security vendors. From the fraudsters' perspective, the attack strategy includes more than registering fake accounts or email addresses, sending mass emails over the Internet, infecting thousands of user machines, and stealing information. It also involves switching things up with a combination of different tactics, all with a consistent goal of targeting or reaching their prospective users over different areas of the Internet.
Online fraudsters have continued to increase and expand their efforts, increasing the sophistication of their attack strategy by using Web 2.0 functionality. Their apparent goal is to expand their threatscape over various Web-based services.
The way to a zero-day
02.02.2009 - 8:00 AM
So how do attackers go and hunt for a vulnerability?
Some of them start by reverse engineering the target application. Some just go and try the easy ways, one of which is to go and surf the Web!
You may say, "What?? Surfing the Web for a zero-day?"
Well, the idea is this: the attacker knows that when developers have a problem, they post it on forums, asking for help.
Some of them complain that the browser crashes when they do this or that. Another case will be "kids" who post code on how to "crash" something. Most of those kids or developers don't realize that the problem they have may be a security issue.
But, guess what. The attacker knows, and he loves it!
Previous Posts
February 2009
| 02.25.2009 | Adobe PDF Exploit Code Analysis » |
| 02.15.2009 | Microsoft's CAPTCHA revolutions busted by spammers - again and again » |
| 02.11.2009 | This Month in the Threat Webscape » |
| 02.09.2009 | Parasitic Infector Analysis II: What changed? » |
| 02.05.2009 | Web 2.0 Phishing Leading to Multi-vector Attacks - Part 2 » |
| 02.03.2009 | Web 2.0 Phishing leading to Multi-vector Attacks - Part 1 » |
| 02.02.2009 | The way to a zero-day » |