Archived Blog
This Month in the Threat Webscape
06.09.2009 - 12:35 PM
The story of the "Beladen" and "Gumblar" attacks, both mass injections of malicious code onto hundreds of thousands of everyday Web sites that many people visit, made a splash in this month's Web security highlights. Twitter, with its massive user base, continues to serve as a thriving petri dish for malicious hackers, with spammers harvesting email addresses from tweets and malicious links popping up randomly in the sea of tweets. More than 80% of phishing sites are hosted on legitimate, everyday Web sites that many people visit, and more Adobe PDF/JavaScript headaches are emerging for IT security managers.
In other events this month, the Security Labs presented a talk at AusCert 2009 titled "P0wning The Programmable Web". Thanks for watching, and we hope to see all you good folks again next year!
Major Hits
Tens of thousands of Web sites were compromised this month, in a mass injection attack that made headlines all over the globe (see Beladen and Gumblar). The malicious hackers' modus operandi is as follows:
- Break into Web sites where prospective victims commonly visit. These sites don't even have to be massively popular to be effective (although popularity certainly helps)—the classic Long Tail approach.
- Plant a small code snippet that is obfuscated, so that its true intention is not obvious. This code will pull more of itself from another Web site (set up in advance by the attackers). Only a small stub is placed at first, so that it easily goes unnoticed.
- When an unsuspecting victim visits a favorite morning-read Web site, the victim's computer silently pulls exploit code from the malicious server set up by attackers and attempts to execute these instructions.
- The malicious JavaScript code typically attempts to exploit multiple bugs in various applications on the victim's machine, such as Adobe PDF, Adobe Flash, and even operating system bugs (such as unpatched vulnerabilities in Microsoft Windows).
- Of all the attempts tried, it takes only one successful try to get the malicious Win32 .exe malware installed on the victim's machine (typically a Trojan horse).
- With the Trojan now happily residing on the victim's machine, the attacker is free to pilfer juicy PayPal, eBay, Facebook/MySpace, Web email, and banking passwords from the victim. What a nice recurring revenue stream!
And that is why mass infections work. If you use your computer and the Internet for any serious business at all, make sure you are as protected as you possibly can be. The browser is merely the "tip of the iceberg" (see Google's research on the dangers here). In our ongoing effort to be on top of all threats that can be delivered by the Web, we have shared our analysis with the public, because education/awareness is the first step: US-CERT's advisory on Gumblar can be found here.
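A defender-side check that looks for the injected-stub pattern described in the steps above: an inline script that decodes and executes an escaped payload, or script content pulled from a host other than the site's own. This is an added example for this roundup, not code from the post or from Websense; the regexes are constructed heuristics (not published signatures), and the sample pages and the `stub.example.invalid` host are made up.

```python
import re
from html.parser import HTMLParser

# Constructed heuristics for the injected stub described above: decode-and-execute
# calls, long runs of escaped bytes, and script/iframe sources on a foreign host.
DECODE_EXEC = re.compile(r"\b(eval|document\.write)\s*\(\s*(unescape|String\.fromCharCode)", re.I)
ESCAPE_RUN = re.compile(r"(?:%[0-9a-f]{2}|\\x[0-9a-f]{2}|\\u[0-9a-f]{4}){20,}", re.I)

class ScriptCollector(HTMLParser):
    """Collect inline <script> bodies and external script/iframe sources."""
    def __init__(self):
        super().__init__()
        self.inline, self.external, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
        if tag in ("script", "iframe") and a.get("src"):
            self.external.append(a["src"])
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

def scan_page(html, site_host):
    """Return findings for one page served by `site_host` (lowercase hostname)."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for body in p.inline:
        if DECODE_EXEC.search(body):
            findings.append("inline script decodes and executes a hidden payload")
        if ESCAPE_RUN.search(body):
            findings.append("inline script contains a long run of escaped bytes")
    for src in p.external:
        # Strip "http://", "https://" or a protocol-relative "//" and keep the host.
        host = re.sub(r"^(?:[a-z]+:)?//", "", src, flags=re.I).split("/")[0].lower()
        if host and host != site_host:
            findings.append(f"script/iframe content loaded from foreign host {host}")
    return findings

# Constructed sample pages: a clean one and one carrying an injected stub that
# decodes an escaped payload and fetches the rest from a placeholder attacker host.
SAMPLE_CLEAN = "<html><body><script src='/js/site.js'></script><p>Hi</p></body></html>"
SAMPLE_INJECTED = ("<html><body><p>Morning news</p><script>document.write(unescape('"
                   + "%3C%69%66%72%61%6D%65" * 4 + "'))</script>"
                   "<script src='http://stub.example.invalid/x.js'></script></body></html>")
```

Run `scan_page` over a crawl of your own site's pages after every deployment; a finding that names a host you do not recognise is the signal to pull the page and diff it against the last known-good copy.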
Web 2 Dot Uh-Oh
Yet another "worm" was reported making its way on Twitter. This time, clicking on a link in someone's tweet would get your computer compromised. Yes, it's just that simple. See the step-by-step in screenshots here. While the presence of a true computer worm (by definition) was technically debatable, one thing is clear: a true worm or not, the victims who clicked on the link (a Russian .ru domain) in the tweet could get their computers infected with malware. Twitter's official "Nike" response: "Just don't" (don't click on the link).
In other "oops, I Twit it again!" stories, Twitizens who ever tweeted "Email me at" followed by their real email addresses in the tweet got their email addresses harvested by spammers—who would never turn down a free Viagra sales lead.
In other news, Koobface continues its run (launching its 56th version), while the world's number-one video-sharing site, YouTube, where most office workers go to fight off their post-lunch drowsiness, was discovered to have its video comments filled with links leading to malware.
Browsing for Dirt
Two months ago, exploit code for a zero-day vulnerability in Adobe's PDF reader (CVE-2009-1492) was made publicly available. After a window of exposure of almost two weeks, Adobe released a patch (at least, "part 1" of it).
Now, how do IT managers really feel about this? ZDNet's Ryan Naraine captured the feelings of Erik Cabetas, a security officer for a NYC-based e-commerce company. Erik says, "This does not work, it does NOT disable JavaScript. It merely prompts the user with a vague dialog box stating that there is something they can’t see because JavaScript is disabled. Guess what? Most users click to allow JavaScript!" Erik said he wrote a script to "disable" JavaScript across the company. The result was employees asking whether they should click "yes" when opening a PDF from a friend. Erik adds that the rest of the employees did not even bring the matter up, because they are already conditioned to click "yes" at security prompts.
In other news about little-known dangers from Web surfing,
- A serious Mac OS X Java vulnerability (CVE-2008-5353) is still unpatched by Apple, after it has been public knowledge for almost 6 months. The vulnerability exists in Apple's implementation of Java, and the net result is that visiting a malicious Web site with a Java applet containing this exploit could lead to the compromise of your desktop. US-CERT's advisory can be found here.
- Apple patched libxml (CVE-2008-3529) and WebKit (CVE-2009-0945). In both cases, viewing a malicious Web site could potentially lead to the desktop's compromise.
- Google silently patched one critical (CVE-2009-1441) and one high-risk (CVE-2009-1442) bug in Chrome.
Microsoft
Do you view QuickTime files on your machine, maybe to watch a recording of a presentation or an interesting movie? At the end of May, the Microsoft Security Response Center announced in Security Advisory 971778 that specially crafted QuickTime files were exploiting a vulnerability in Microsoft DirectShow. You can find the details here. No patch is available yet, but the advisory does include workarounds that may be appropriate for your organization.
The month of May also saw a patch for numerous PowerPoint vulnerabilities (listed in MS09-017) that covered a zero-day vulnerability being targeted since April. A vulnerability affecting IIS v6 and v5 that could lead to Elevation of Privilege has yet to be patched. Details are available at Microsoft Security Advisory 971492.
So long, and thanks for all the phish
According to the latest global phishing report of the Anti-Phishing Working Group (APWG), a staggering 81% of phishing Web sites were hosted on legitimate Web sites that have been hacked (see PDF report). This is further proof that security based on an IP address or a Web site's reputation alone is inadequate—attackers are clearly leveraging the clean reputation of legitimate Web sites to evade such filters. Disclosure: Websense is an APWG research partner.
Scammers and malware authors are still going after the millions of users who make use of social networking sites such as Facebook and Twitter. Our HoneyJax system has detected malicious Facebook messages using URL shortening services to disguise links, as others have also observed. We are also seeing malicious URL campaigns spreading throughout Twitter using redirection services such as TinyURL. Read more about HoneyJax here (PDF).
SEO poisoning, the act of creating a Web site in such a way that it shows high in search results when a user searches for certain keywords, was rife in May with Swine Flu-themed domains being created for that very purpose. Expect more of the same in future months.
Data leakage prevention
Data Leaks via Web Site Updates: Is There an Anti-Doh! to this Poison?
When it comes to data loss from the enterprise, much is said about clueless employees or devious outsiders sending data out via email or various Web applications. But as recent embarrassing news reminds us, sometimes these data leaks originate with Web site administrators tasked with updating a company's Web site with legitimate, publicly viewable information.
This recent event highlights how sensitive data on US civilian nuclear sites was posted to the Government Printing Office Web site. Doh!
So how could this have been avoided, apart from requiring reviews of new content on staging sites? Continuous monitoring of network Web traffic, along with a practice of regularly fingerprinting known, sensitive data, would have caught the attempted post and blocked it from taking place—all automatically. Certainly this is a strategy being pondered by those involved, as they deal with the fallout from this breach.
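The fingerprinting approach mentioned above, in miniature: register hashes of word shingles from known sensitive documents, then score each outbound Web post by the fraction of its shingles that hit a registered fingerprint. This is an added illustration, not Websense's DLP implementation; the five-word window, the 20% threshold and the sample document are all constructed for the example.

```python
import hashlib
import re

SHINGLE_WORDS = 5  # assumed window size; a real DLP product tunes this per data type

def _shingles(text):
    """Normalise to lowercase word tokens and slide a fixed-size window over them."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {" ".join(words[i:i + SHINGLE_WORDS])
            for i in range(len(words) - SHINGLE_WORDS + 1)}

def fingerprint(text):
    """Hash every shingle so only digests, never the sensitive text, are stored."""
    return {hashlib.sha256(s.encode()).hexdigest()[:16] for s in _shingles(text)}

def match_ratio(outbound_text, registered):
    """Fraction of the outbound text's shingles found in any registered fingerprint."""
    fps = fingerprint(outbound_text)
    if not fps:
        return 0.0
    hits = sum(1 for h in fps if any(h in reg for reg in registered))
    return hits / len(fps)

def decide(outbound_text, registered, threshold=0.2):
    """Verdict for an outbound Web post: block when enough of it matches registered data."""
    return "block" if match_ratio(outbound_text, registered) >= threshold else "allow"

# Constructed sample: one registered internal document and two outbound Web posts,
# one of which pastes a sentence from it into otherwise public text.
SENSITIVE_DOC = ("Restricted site inventory: Building 7 holds twelve storage canisters "
                 "of material type A behind the north fence; access codes change weekly.")
REGISTERED = [fingerprint(SENSITIVE_DOC)]
POST_CLEAN = "Press release draft: the visitor center opens Monday with extended summer hours."
POST_LEAK = ("Press release draft: Building 7 holds twelve storage canisters of material "
             "type A behind the north fence, officials confirmed.")
```

Because only truncated digests of the shingles are kept, the monitoring point never needs a copy of the sensitive document itself, which is what makes running the check inline on the Web gateway practical.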
Security Trends
Security-savvy Web surfers already know that blindly clicking on search engine results may unearth nasty surprises. But do some searches yield more nasties than others? The answer is yes. A study by McAfee showed that searching for lyrics keywords and the word "free" resulted in disproportionately more malicious results. The full PDF report is here.
Bonus eye-candy: Pictures from inside a botnet, courtesy of the folks at ZDNet.
Thanks to the following contributors for this month's roundup:
- Gargi Mitra (Data Loss Prevention)
- Carl Leonard (Security & Technology Research)
- Jay Liew (Security & Technology Research)