Archived Blog

This Month in the Threat Webscape

08.10.2009 - 5:40 PM

Month of July 2009

This July we highlighted a few examples of high-profile Web sites that were compromised with malicious code. These particular threats are certainly interesting from a trend perspective, but in recapping the month of July, we would label it as a huge month for zero-day attacks and critical vulnerabilities.

We received reports of an Adobe zero-day in the wild, affecting Adobe Reader and Acrobat 9.2, as well as Flash Player 9 and 10, for Windows, Macintosh, and Linux operating systems.

We also tracked legitimate sites that were compromised to lead to a zero-day exploit targeting an Internet Explorer vulnerability. The compromised sites led to a handful of payload sites hosting the exploit code, which targeted an ActiveX control for streaming video. This and other zero-day vulnerabilities in Microsoft Office Web Components caused Microsoft to issue a rare out-of-band patch. More interesting news below...



Major Hits

Torrentreactor, one of the oldest and most reliable torrent search engines on the Web, was compromised and injected with malicious code this July. ThreatSeeker Network also discovered that the Center for Defense Information (CDI) Web site was compromised.

ImageShack, one of the Web's largest image-hosting services, was broken into by a malicious hacker group. The group replaced all images hosted by ImageShack with an image containing their manifesto (screenshot). If one of the largest image-hosting services could be taken over this easily, what's to stop these bad guys from going even further? The manifesto image could very well have been a maliciously crafted image capable of infecting the casual surfer's computer, merely from visiting a Web site that linked to an image from ImageShack. The idea of opening up your data and services for re-use by others is by definition a Web 2.0 thing to do—and "with great power, comes great responsibility."

Provocative stories sell, even if they are fake. This month, we saw malicious hackers fabricating an outright lie—and a juicy headline too—for the sake of furthering their agenda (of getting more people infected with malware, of course!). The topic of the hoax was the death of Emma Watson, star of the famous Harry Potter movie series. We discovered that top results in Google on this topic led to malicious, fake anti-virus Web sites. This is not the first time malicious campaigns have used fake headlines, nor will it be the last.

Web 2 Dot Uh-Oh

The use of URL shortening services by spammers and malware authors was still a hot topic this month. Koobface added Twitter to its list of target networks, initially sending identical tweets, then varying both the tweet message content and the included, shortened URL to stay ahead of detection. Short URLs in these tweets point to sites spoofing Facebook Video (more convincingly than the earlier YouTube spoofs) and trick users into infecting their machines. Twitter is suspending any accounts found to be sending Koobface tweets.

The Twitter API environment was the subject of Aviv Raff's The Month of Twitter Bugs, which uncovered a mass of XSS and CSRF bugs. Encouragingly, most were quickly patched.

Details emerged via TechCrunch of just how Twitter was hacked back in May, resulting in the leaking of a large number of internal Twitter documents stored in the cloud. In a nutshell, a number of poor security practices led to the initial access and subsequent account compromise:

  • Individuals reusing easy-to-guess passwords and security questions for many different services
  • Expired free webmail accounts being configured as recipients for password reset emails
  • Storing lists of credentials in emails or documents, which were available because of the above

This earned Twitter the Pwnie for Most Epic FAIL at the Black Hat USA conference.

We also saw trends of celebrity Twitter accounts being compromised, fake celebrity accounts being created, and trendy keywords being retweeted with malicious links. Stalwart topics such as celebrity news or naked videos were again popular lures. The most common destinations for links in these cases were sites hosting malware or fake AV.

Away from Twitter, privacy on Facebook again attracted attention, with the (mis)use of photos by third-party advertisers and the release of a critical report from the Canadian Privacy Commissioner.

Browsing for Dirt

Critical security patches were released for all the main browsers in July, but attention was particularly focused on zero-day exploits against Internet Explorer, Firefox 3.5, and various Adobe plugins.

The release of Firefox 3.5 this month was accompanied by a batch of bug fixes, with six rated "critical" and one "high," according to the Mozilla Foundation Security Advisories:

  • MFSA 2009-34 Crashes with evidence of memory corruption
  • MFSA 2009-35 Crash and remote code execution during Flash player unloading
  • MFSA 2009-36 Heap/integer overflows in font glyph rendering libraries
  • MFSA 2009-37 Crash and remote code execution using watch and __defineSetter__ on SVG element
  • MFSA 2009-39 setTimeout loses XPCNativeWrappers
  • MFSA 2009-40 Multiple cross-origin wrapper bypasses
  • MFSA 2009-41 Corrupt JIT state after deep return from native function (introduced with the new TraceMonkey JIT compiler)


It must be pretty tough for the Firefox developers, but it's not over yet. Six additional issues were fixed for the Firefox patches released early in August, with four critical fixes included.

Not to be left out, Google fixed memory corruption and JavaScript regular expression overflow issues in Chrome (CVE-2009-2556), and Apple patched Safari for XSS and memory corruption issues.

Adobe fixed some critical cross-browser, cross-platform Flash Player/Adobe Reader vulnerabilities in a security update APSB09-10; these were already being exploited in the wild and received much coverage. Adobe also examined the Impact of Microsoft ATL vulnerability on Adobe Products and patched the Flash and Shockwave ActiveX plugins accordingly.

Finally, discussions stemming from a generic Cross-Platform, Cross-Browser DoS Vulnerability suggest that many such resource exhaustion issues are likely to exist, but are unlikely to be exploitable.

Microsoft

Microsoft released rare out-of-band patches for the Visual Studio Active Template Library (ATL) and, in order to mitigate threats to ActiveX controls created with the vulnerable library, also to Internet Explorer. The ATL vulnerability was at the heart of zero-day exploits, pushed via SQL-injection attacks on Web sites, against the Microsoft Video ActiveX (msvidctl.dll) plugin. The ATL vulnerability was also covered in a popular talk at the Black Hat conference.

Zero-day exploits targeting the Microsoft Office Web Components Control were also seen in the wild and widely followed.

Hello ThreatSeeker, You've Got Mail!

The month of July saw the highest percentage of spam email in any month so far this year - 89.3% of all email was spam. We also saw an increase in phishing attacks through email at 3.5% this month. This is a slight increase over previous months, showing that in the continued economic climate, spammers and scammers are working to make a profit through fraudulent means.

With Independence Day in the United States came a new Waledac campaign, launched the day before the holiday celebration. This time we saw an enticement to view a video of a fireworks display. Unprotected users who double-clicked the "video" would have had their machines incorporated into the Waledac botnet. You can see what we found on our alert here.

Here are some threats "in the mail" this month:
  • 3.7 billion messages processed by the Hosted Infrastructure (over 119 million per day)
  • 89.3% of all email was spam
  • 88.6% of spam included an embedded URL
  • 154 thousand instances of 41 unique zero-day threats stopped by ThreatSeeker before AV
  • 3.5% of spam emails were phishing attacks

So long, and thanks for all the phish

According to the latest threat reports, spam and phishing attacks soared in July. In their July Online Fraud Report, RSA revealed that phishing attacks increased 10% compared to the previous month. In addition, the number of brands attacked in June increased by 11% compared to May 2009. Moreover, phishers are now using translation tools and templates to launch scams in different languages, in order to globalize their attacks. The MessageLabs Intelligence Report revealed that 5% of the spam detected nowadays is non-English.

Data Leakage Prevention

Before you hit send...

As reported in the Washington Post this month, an employee with the U.S. National Finance Center sent an Excel spreadsheet with the names and social security numbers of over 27,000 Commerce Department employees - to a legitimate recipient, but without encrypting the attachment. This put the identities of these employees at risk and prompted the department to urge employees to set up personal tracking alerts with credit reporting agencies. Also in response, the department is working with a 'data tracking' company to monitor for cases of identity theft.

Based on the news story, it sounds as if an encryption solution was available but not used by the employee. It also sounds as if the department's response is to monitor employee data after it may have already left the company network. It is interesting that no mention was made of monitoring email transactions for this sensitive data and automatically encrypting it. What if you got an email from HR tomorrow, saying that you should start monitoring for identity theft because one piece of your personal information was 'accidentally' emailed without protection?

Is it realistic for companies to expect users to pause before they hit Send?
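
As an added illustration of the gateway-side check described above (example code, not from the original post or any Websense product), this Python scan walks an outbound message, counts plausible SSNs in the body and text attachments, and returns an "encrypt" verdict instead of relying on the sender; the message, addresses and spreadsheet export are constructed, and real .xlsx files would need a format-specific extractor.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Candidate SSN in the common dashed form; the lookarounds reject values that are
# merely a slice of a longer digit run (order numbers, phone numbers, etc.).
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules of SSN allocation: area 000, 666 and 900-999 are never
    issued, and group 00 / serial 0000 are invalid. Cuts false positives."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or group == "00" or serial == "0000")


def count_ssns(text: str) -> int:
    """Number of plausible SSNs in a piece of text."""
    return sum(1 for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups()))


def inspect_outbound(raw: bytes, threshold: int = 1) -> dict:
    """Scan an outbound RFC 5322 message. 'encrypt' means the gateway should
    enforce encryption (or hold the message) before delivery."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.walk():
        # Only text-like parts are inspected here; binary spreadsheets and PDFs
        # need their own extractor before this same counting step.
        if part.is_multipart() or not part.get_content_type().startswith("text/"):
            continue
        n = count_ssns(part.get_content())
        if n:
            findings[part.get_filename() or "body"] = n
    total = sum(findings.values())
    return {"action": "encrypt" if total >= threshold else "allow",
            "total": total, "findings": findings}


def build_sample() -> bytes:
    """Constructed message resembling the incident: a spreadsheet export mailed in the clear."""
    msg = EmailMessage()
    msg["From"] = "payroll@example.invalid"   # constructed addresses
    msg["To"] = "hr@example.invalid"
    msg["Subject"] = "Employee list"
    msg.set_content("Attached is the list you asked for. Order no. 123-45-6789012 is unrelated.")
    rows = "name,ssn\nA. Example,219-09-9999\nB. Example,078-05-1120\nC. Example,000-12-3456\n"
    msg.add_attachment(rows, subtype="csv", filename="employees.csv")
    return bytes(msg)
```

The constructed sample yields two hits in the attachment (the 000- row and the long order number are rejected), so the verdict is "encrypt".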

Security Trends

With Conficker in the headlines during the past few months, you might think - is it over? Not quite. At the beginning of July it was reported that the network of Manchester's city council in the UK was massively compromised. The compromise resulted in significant financial losses, with clean-up costs totalling about 1.5 million GBP. The infection was suspected to have broken out because of the worm's ability to spread via USB sticks.

Google has announced that it's going to make its own operating system. Developing it as part of the Chrome project, Google is putting its gloves on to enter the same arena as Microsoft. As announced, the new operating system will be open-source and Linux-based, offering most of the user experience functionality from the Web. Google also added that the new OS will be designed to offer maximum speed and security. It will be interesting to see the security functions the new OS will have, and just how popular it might get, perhaps tilting cybercrime a bit more towards Linux-based malware.

If you are interested in knowing what the security community was discussing at Black Hat and DefCon in the last week of July, you should definitely read the Security Labs blog post that reviews the items here.



Thanks to the following contributors for this month's roundup:
- Carl Leonard (Security & Technology Research)
- Tim Xia (Security & Technology Research)
- Saeed Abu-Nimeh (Security & Technology Research)
- Elad Sharf (Security & Technology Research)
- Jay Liew (Security & Technology Research)
- Gargi Mitra (Data Loss Prevention)
- Matthew Mors (Public Relations)