Archived Blog

This Month in the Threat Webscape

05.08.2009 - 5:15 PM

Month of April 2009

This month brought us more examples of Web 2.0 maliciousness, with a public display of multiple Twitter wormlings a-crawling. Big publicly traded Internet companies like Amazon.com and Salesforce.com suffered outages from DDoS attacks, major banks worldwide suffered further financial losses from phishing attacks and data leaks, and opportunistic Swine Flu Web sites (and email!) carrying malicious content appeared in quantities the world could digest for years to come.

Please pay attention to the Adobe PDF reader attacks if you read PDF documents, as Adobe may not release an official patch until after Mother's Day.

Major Hits

Beatles fans beware: famed singer Paul McCartney's official Web site was discovered to be infected with an exploit toolkit called LuckySploit. Unprotected fans will find their computers compromised by this drive-by attack. More cases of "malvertising" (malicious advertisements) were documented, with the latest incident detected on Foxnews.com (screenshot of fake AV).

Big Internet companies who stand to lose a lot of money if their sites go down saw exactly that. A DDoS attack on managed DNS provider NeuStar UltraDNS knocked major sites like Amazon.com, Salesforce.com, and Advertising.com offline for several hours.

In Latin America, a major Brazilian bank (Bradesco) was plagued by even more fraud resulting from a DNS cache poisoning attack on Brazilian ISP Net Virtua. On the other side of our green planet, New Zealand saw the regional Web sites of major reputable brands like microsoft.co.nz, hotmail.co.nz, sony.co.nz, hsbc.co.nz, and coca-cola.co.nz "defaced" by malicious hackers. Zone-H reports that attackers hijacked the DNS records from NZ registrar Domainz.net by exploiting an SQL injection vulnerability.

Web 2 dot uh-oh

A new worm on Twitter dubbed the "StalkDaily" worm shows how Twitter is like any medium for human communication—if you're going to use it, you're going to have to deal with the good and the bad. In this case, it's the bad. Merely viewing an infected Twitter profile page is all that's needed to have yourself infected. After the worm's debut, multiple variations of the worm soon followed.

Word of this was spread widely and quickly by the media, and soon everyone was searching for more information about this new worm. Predictably, the bad guys latched on to the search trend and cast their nets for victims, littering Google's search results with their malicious lures. But that's not all. Twitter also had trouble securing its own perimeter, and confirmed an unauthorized security breach. Here are some of the leaked screenshots of Twitter's "employee" admin panel.

On Facebook, another phishing campaign to glean Facebook usernames and passwords made its rounds. The scammers used Facebook's email system, thus increasing the legitimate "look and feel" of the phish email to victims.

Browsing for dirt

The Mozilla Foundation released a flood of patches for Firefox this month, with two rated "critical":

- MFSA 2009-23 Crash in nsTextFrame::ClearTextRun()
- MFSA 2009-14 Crashes with evidence of memory corruption (rv:1.9.0.9)

The MFSA 2009-14 advisory (crashes with evidence of memory corruption) could potentially be exploited to run malicious code. Thunderbird (MS Outlook alternative) shares the same browser engine with Firefox and could potentially be affected if JavaScript is enabled.

In other Web threat news, a proof-of-concept exploit code for a zero-day vulnerability in Adobe's PDF reader was reported. There are actually two distinct zero-days (see US-CERT and ISC reports) that have been confirmed by Adobe officials. Adobe has recommended disabling the JavaScript function in Acrobat and Reader as a stop-gap measure while they work on a real fix. US-CERT Vulnerability Note VU #970180 (Adobe Reader and Acrobat customDictionaryOpen() and getAnnots() JavaScript vulnerabilities) can be found here.
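Disabling JavaScript in the reader is the stop-gap Adobe recommended; on the mail gateway and at the desktop, a complementary control is to flag PDFs that carry script before they reach the reader at all. The scanner below is an added example written for this roundup, not code from Adobe, US-CERT or the original post. It looks at the raw PDF bytes for the names that mark embedded script and automatic execution (/JavaScript, /JS, /OpenAction, /AA, /Launch) and for the API names cited in the advisories above (getAnnots, customDictionaryOpen), after normalising the #xx name-escaping that PDF allows. The two PDF fragments are constructed for the demonstration and are not real malware.

```python
import re

# Constructed sample PDF fragments (not real malware), for demonstration only.
CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

JS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /JavaScript /JS (var a = this.getAnnots(); app.alert(a);) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# PDF name objects that indicate embedded script or automatic execution on open.
SUSPICIOUS_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")
# JavaScript API names called out in the advisories discussed above.
RISKY_CALLS = (b"getAnnots", b"customDictionaryOpen", b"unescape")


def decode_hex_names(data):
    """PDF allows characters in names to be written as #xx (e.g. /J#61vaScript);
    decode them so obfuscated names are matched like plain ones."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data):
    """Return a dict of indicator -> occurrence count for the raw PDF bytes."""
    data = decode_hex_names(data)
    findings = {}
    for name in SUSPICIOUS_NAMES:
        # Require a delimiter after the name so /JS does not match /JSomething.
        count = len(re.findall(re.escape(name) + rb"(?=[\s\[<(/])", data))
        if count:
            findings[name.decode()] = count
    for call in RISKY_CALLS:
        count = data.count(call)
        if count:
            findings[call.decode()] = count
    return findings


def risk_level(findings):
    """Combine indicators: script that runs on open, or that calls a known-bad
    API, is rated high; script or auto-actions alone are rated medium."""
    has_js = "/JavaScript" in findings or "/JS" in findings
    auto_run = "/OpenAction" in findings or "/AA" in findings
    risky_api = any(c in findings for c in ("getAnnots", "customDictionaryOpen", "unescape"))
    if has_js and (auto_run or risky_api):
        return "high"
    if has_js or auto_run or "/Launch" in findings:
        return "medium"
    return "low"


if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_PDF), ("js", JS_PDF)):
        f = scan_pdf(doc)
        print(label, risk_level(f), f)
```

The check runs on the uncompressed bytes only; a production scanner must also inflate FlateDecode streams and object streams, where the same names are commonly hidden, and treat a PDF it cannot parse as suspicious rather than clean.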

Microsoft

Microsoft announced an unpatched zero-day vulnerability in older versions of PowerPoint that allows attackers to install Trojan dropper malware on the computer of a user who opens a malicious PowerPoint file. Microsoft did, however, release patches for several other previously reported zero-day attacks, including the Token Kidnapping zero-day exploit and several actively exploited remote code execution vulnerabilities in Excel, WordPad and Internet Explorer.

Conficker

For the first week after the much-hyped April 1st Conficker/Downadup activation date, nothing happened. Then, starting on April 7th, researchers noticed that the Conficker peer-to-peer network was spreading a new file. The new file is being dubbed the newest Conficker variant; it includes a May 3rd deactivation date and checks some new popular Web sites, including a well-known Waledac site.

Rogue antivirus software distributors have capitalized on the Conficker media hype with fake "Conficker Infection Alert" spam messages. This raises questions about how Conficker will make money and whether the authors are turning to scareware tactics for monetization. We haven't heard much from Conficker since the April 7th update, though a Russian Web site claimed that Conficker was launching DDoS attacks on Russian servers; researchers at ESET doubt Conficker's involvement. As May 3rd has come and gone, Conficker's propagation phase may be over, but the botnet controllers could change that at any time. And the media isn't the only group taking note of Conficker's growth. As we reported previously, the four-year-old Neeris worm has adopted Conficker's infection techniques, which in turn were adapted from Metasploit techniques.

So long and thanks for all the phish

As usual, phishers continue trying to trick victims through social engineering and by taking advantage of important events. This time, it is the Swine Flu. Phishers have been spamming Swine Flu emails with links or attachments that redirect victims to phishing or malware sites. In addition, a large number of Swine Flu domains have been registered specifically for use in future attacks. Strangely, most of these domains currently link to Canadian Pharmacy spam pages.

Researchers also discovered malware campaigns targeting Easter. Using malicious search engine optimization (SEO) to boost the rankings of malicious pages in search results, the attackers prey on victims who search for Easter-related terms. The search results yield links to malicious pages that serve the infamous rogue AV.

This month also saw the propagation of a new Waledac email campaign. The new theme is SMS Spy, a Trojan that pretends to be a tool that enables users to spy on friends’ SMS messages. Interestingly, researchers found evidence of an apparent collaboration among Waledac and Conficker authors: the latest Conficker variant was pushing a Waledac sample. Researchers surmise that this was part of a business agreement in which Conficker’s authors were looking for additional ways to monetize the botnet.

Hello ThreatSeeker. You've got mail!

Threats "In the Mail" this month:

· 17 percent of classified Web links within email were malicious
· 87 percent of all email was spam
· 81.3 percent of spam included an embedded URL
· 99.8 percent spam detection rate 

Data Leakage Prevention

Populist Anger against Credit Card Companies = More Insider Threats?

Public anger on the topic of exorbitant and arbitrary increases in credit card fees has prompted recent legislation to limit these rate hikes. Credit card institutions claim that increased fraud and defaults on payment force them to ‘spread the pain’, but has this exacerbated the problem of credit card fraud?

Will disgruntled card holders and the soon-to-be unemployed spur more insider threats? There is already some data to suggest that is the case, with up to 37 percent of employees indicating malicious intent, given the right incentive. So where does this leave businesses, already contending with tightening budgets?

Big IT security projects don’t make sense, so focus is essential. The real risk is credit card data falling into the wrong hands, so stopping leaks while they’re in progress is top priority. This means monitoring network activity such as Web access and email, not just for PCI compliance reporting, but also for preventing ongoing leaks. This visibility will make it more obvious if sloppy but well-intentioned business practices are the root cause (like emailing a customer’s credit card info to verify their information). But it will also make the malicious cases obvious and help justify budget for real-time, automated blocking of data leaks.
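The kind of monitoring described above (catching a customer's card number on its way out in an email or Web post, whether the sender is sloppy or malicious) rests on one small piece of detection logic: find digit runs that look like a card number and confirm them with the Luhn check before raising an alert, so order and tracking numbers do not flood the queue. The code below is an added example for this post, not Websense product code; the four messages are constructed and the card numbers in them are the industry's published test numbers, not real accounts.

```python
import re

# Constructed sample messages (not real data). The two PANs are standard
# test numbers used for payment-gateway testing, not real accounts.
SAMPLE_MESSAGES = [
    "Hi Sue, please verify the customer's card 4111 1111 1111 1111 exp 05/11 before shipping.",
    "Order #12345678901234 shipped; tracking 1234-5678-9012-3456.",  # digit runs, but not card numbers
    "Quarterly numbers attached, call me at 555-0100.",
    "cc=5500000000000004 cvv=123 name=J. Doe",
]

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn mod-10 check: every second digit from the right is doubled
    (minus 9 when the result exceeds 9); the total must end in 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the card numbers (digits only) found in a piece of text."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask(digits):
    """Keep only the last four digits in the alert, so the log itself
    does not become a second leak."""
    return "*" * (len(digits) - 4) + digits[-4:]


def classify(messages):
    """Decide per message: BLOCK if it carries a valid card number, else ALLOW."""
    results = []
    for msg in messages:
        pans = find_pans(msg)
        results.append(("BLOCK" if pans else "ALLOW", [mask(p) for p in pans]))
    return results


if __name__ == "__main__":
    for msg, (verdict, masked) in zip(SAMPLE_MESSAGES, classify(SAMPLE_MESSAGES)):
        print(verdict, masked, "<-", msg[:50])
```

Luhn validation cuts most of the false positives from tracking and order numbers, but it is only a checksum; a deployment would add issuer-prefix checks, look inside attachments and archives, and feed verdicts into the blocking policy rather than a report read after the fact.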

Security Trends

Just as one would avoid bad neighborhoods in real life, our research shows that Web surfers should also avoid straying into the online equivalent, as one bad site often leads to even more bad sites. We ran some numbers to find out how effectively online communities police themselves on some of the hottest Web 2.0 properties like YouTube and Blogspot. Our research concludes that the crowd can effectively prevent 25 percent to 35 percent of objectionable content, but a significant amount still falls through the cracks, presenting a real concern for employers who seek to keep such content out of the business environment.

The malware economy grew at a record pace in 2008, as Symantec reports creating 1.6 million new signatures in 2008. To picture how fast this is, 1.6 million is about 60 percent of the total signatures ever created by Symantec. On a related note, Verizon reports 285 million records compromised in the same year, more than the sum of the past four years combined. A study by Gartner shows that phishing attacks actually surged during the recession, creating a new wave of attacks targeting customers of big names like eBay, PayPal, and Bank of America.

Apple Macintosh fanboys should also take note of new malware circulating that aims to create a botnet of Macs. As the market share of Macs increases, it will only be a matter of time before blackhat hackers begin allocating their engineering resources to target happy Apple owners who still think that Macs have impenetrable armor.

Thanks to the following contributors for this month's roundup:
- Gargi Mitra (Data Loss Prevention)
- Erik Buchanan (Security & Technology Research)
- Saeed Abu-Nimeh (Security & Technology Research)
- Jay Liew (Security & Technology Research)
