Archived Blog

This Month in the Threat Webscape

09.09.2009 - 4:49 PM

Month of August 2009

A massive DDoS (Distributed Denial of Service) attack on Twitter, Google Blogger, LiveJournal, and Facebook centered around one person: Cyxymu, a pro-Georgia blogger and active critic of Moscow's politics. The attack wreaked havoc for everybody else too, as users around the world experienced disruptions to their favorite Web 2.0 services, whether for pleasure or business. Other big-name entities hit by assorted Web threats include the UK's Ministry of Defence, WordPress, and the Mozilla Foundation.

Major Hits

Over 55,000 Web sites were discovered to have been broken into and injected with malicious code designed to infect their visitors. For a detailed story of how this attack unfolded, see our blog post here. As usual, the targets of these infections were reputable Web sites that netizens commonly visit, including sites belonging to health care organizations and charities. A cross-site scripting (XSS) vulnerability was found on the UK Ministry of Defence's Web site by a group of hackers, who also claimed responsibility for finding XSS flaws on Web sites belonging to the World Health Organization and MI5. This is not the first time an XSS flaw has been found on the Ministry of Defence's Web site.

Popular blogging software WordPress suffered from a simple password reset flaw: an unauthenticated visitor could send a malformed reset request and force a reset of the administrator's password without knowing it. The newly generated password was emailed to the account's registered address rather than shown to the attacker, so the practical effect was to lock the legitimate administrator out until they retrieved it, but any bug that lets an anonymous request change the administrator credential of a WordPress installation is a serious one. The Mozilla Foundation took the Mozilla Store out of service upon discovering that a third-party vendor it used to run the store's backend (GatewayCDI) had suffered a security breach. At the time of writing, the store remains closed.

Web 2 dot uh-oh

A massive DDoS attack on several major Web 2.0 sites such as Twitter, Google Blogger, LiveJournal, and Facebook made the headlines this month. Reports indicate that the attacks were aimed at Cyxymu, a pro-Georgia blogger critical of Russia's policy towards Georgia. That said, the DDoS attack inflicted pain on more than just the pro-blogger, as the online community was also caught in the crossfire.

But Twitter's problems did not stop there. It was also discovered that Twitter had not fully fixed an XSS vulnerability on its Web site. Meanwhile, Twitter's third-party application economy continues to thrive, and malicious hackers have found a new use for the service: as a channel for controlling their botnets. Jose Nazario of Arbor Networks reports an infostealer bot that reads its instructions from the status updates of a Twitter account.
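As an added example that is not from the original post or from Arbor Networks' analysis: the pattern Nazario described was status updates carrying base64-encoded text that decodes to download links. The Node.js script below runs that check over a handful of constructed sample statuses (not real tweets) and flags the ones that decode to printable text containing a URL. The status IDs and the download URL are made up for illustration.

```javascript
// Added example, not code from the original post or from Arbor Networks.
// Flags status updates that decode from base64 to printable text containing a
// URL, the pattern reported for the Twitter-controlled infostealer bot.
// All sample statuses below are constructed for illustration; the download
// URL is an assumption, not one seen in the real bot.

const SAMPLE_STATUSES = [
  { id: 1, text: 'Just had lunch, back to work' },
  // Constructed C2-style status: base64 of a download URL.
  { id: 2, text: Buffer.from('http://example.com/dl/update.exe').toString('base64') },
  { id: 3, text: 'Cool' },      // valid base64 alphabet, but decodes to binary junk
  { id: 4, text: 'aGVsbG8=' },  // decodes to "hello": printable, but no URL
];

// Strict base64 decode: Buffer.from() silently ignores bad input, so validate
// the alphabet and length first and require the bytes to round-trip exactly.
function decodeBase64Strict(s) {
  if (s.length % 4 !== 0 || !/^[A-Za-z0-9+/]+={0,2}$/.test(s)) return null;
  const bytes = Buffer.from(s, 'base64');
  if (bytes.toString('base64') !== s) return null;
  return bytes.toString('utf8');
}

// Decoded C2 text should be plain ASCII; binary output means the status was
// an ordinary word that merely happened to be valid base64.
function isPrintableAscii(text) {
  return /^[\x20-\x7e\r\n\t]+$/.test(text);
}

function extractUrls(text) {
  return text.match(/https?:\/\/[^\s"'<>]+/g) || [];
}

// Returns [{ id, urls }] for every status that looks like an encoded command.
function findC2Statuses(statuses) {
  const hits = [];
  for (const status of statuses) {
    const decoded = decodeBase64Strict(status.text.trim());
    if (decoded === null || !isPrintableAscii(decoded)) continue;
    const urls = extractUrls(decoded);
    if (urls.length > 0) hits.push({ id: status.id, urls });
  }
  return hits;
}
```

Running `findC2Statuses(SAMPLE_STATUSES)` returns only status 2. The round-trip check matters: short English words such as "Cool" are valid base64 but decode to non-printable bytes, and a lenient decoder would otherwise produce noisy hits on an ordinary timeline.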

Rik Ferguson from Trend Micro shone a light on a few popular Facebook apps that turned out to be malicious. These apps led to a phishing site where unsuspecting victims entered their Facebook credentials. Using those credentials, the app then spammed the victim's friends on Facebook with the same malicious content, repeating the vicious cycle.

Browsing for dirt

Adobe's products have been increasingly targeted by attackers. Several vulnerabilities have been discovered in Adobe's products, and most exploit sites take advantage of them. In our alert The Cell Phone Forums of Injection, two of the six vulnerabilities used by the exploit kit target Adobe products. Why is Adobe becoming so popular among attackers? This research by Trusteer may explain it: 79.5% of surveyed users ran a vulnerable version of Adobe Flash, and 83.5% ran a vulnerable version of Acrobat. With that much of the installed base unpatched, targeting Flash and Acrobat vulnerabilities is extremely effective.

Google released a patch for Google Chrome this month to fix two flaws:

  • CVE-2009-2935 (High Severity) A flaw in the V8 JavaScript engine might allow specially crafted JavaScript on a Web page to read unauthorized memory, bypassing security checks.
  • CVE-2009-2416 (High Severity) Pages using XML can cause a Google Chrome tab process to crash.

Mozilla also patched two critical flaws in Firefox:

Apple released Safari 4.0.3 to fix six vulnerabilities. Here is the link to download Apple's Safari 4.


Malicious hackers launched a fake Microsoft patch malware campaign (like a fake antivirus campaign, but for a Microsoft patch) and timed it to coincide with Patch Tuesday. Whether you are installing new or updating existing software, remember to always get it from the official source; that is, always go to the vendor's official Web site. Be wary of intermediaries, and especially of download links arriving in email.

Moving on to Microsoft's real patch announcement for Patch Tuesday this month, five of the nine security bulletins were rated Critical and the rest were rated Important. Here are some of the Web security highlights:
  • MS09-043 - Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (957638). Exploitation in the wild confirmed by Microsoft.
  • MS09-037 - Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution (973908). This vulnerability is exploitable from a maliciously crafted Web site. Victims who visit such a site could load the attacker's malware.
  • MS09-038 - Vulnerabilities in Windows Media File Processing Could Allow Remote Code Execution (971557). Loading a maliciously crafted .AVI file would allow the attacker full control of the victim's computer.
  • MS09-044 - Vulnerabilities in Remote Desktop Connection Could Allow Remote Code Execution (970927). This vulnerability is also exploitable from merely visiting a malicious Web site (even though the vulnerability name reads "Remote Desktop").
As everyone in the security research business knows, live exploits commonly appear in the wild soon after a patch cycle, because attackers reverse-engineer the patches to locate the bug; this month we saw the MS09-039 vulnerability being exploited only about seven days after the patch was released. Sometimes these attacks come sooner. Shrinking this window of exposure by updating as quickly as possible matters more every month.

So long and thanks for all the phish

In email security this month, we detected a spam campaign by the same attackers that were behind the DDoS attacks on Twitter, Google Blogger, LiveJournal, and Facebook, part of their attempt to silence a pro-Georgia blogger critical of Russia's politics. It has been suggested that the spam campaign was launched to discredit him.

A social-engineering penetration test by a security testing firm, MicroSolved, led the National Credit Union Administration (NCUA) to issue a fraud alert. The firm mailed a package to a credit union client, and the recipient reported it to the NCUA fraud hotline. The package contained a letter purporting to be from the NCUA and two CD-ROMs. Security researchers thought this was a great exercise for raising security awareness.

Hello ThreatSeeker. You've Got mail!






Data Leakage Prevention

In social networking, hackers are using fraudulent phishing sites and rogue DNS servers to steal data: 135,000 users of one site were compromised and lost their login details. Users are advised to be cautious when logging in and browsing, and to be suspicious of the spelling of the URL, the look of the page, and the login prompt itself. Phishing sites are built to look near-identical to the official Web site, but they usually contain subtle differences or defects that should raise doubt. Through simple negligence, Internet users constantly risk losing personal information and, with it, personal assets.

For online merchants, big or small, data security is critical. If hackers got into accounts with broad access, it would be easy for them to modify transaction records or copy vital personal information. Recently, eBay found a vulnerability affecting its Developers Program accounts, and members were required to change their passwords. If data is lost, what should be done?

With the advent of Internet telephony, wiretapping is no longer limited to hardware attached to a telephone line or mobile network: software can do the same job. Many calls are now made with VoIP applications such as Skype, and trojans can now record VoIP conversations. So it is not only usernames and passwords that are at risk from keyloggers: private calls, phone banking, and business conversations could be recorded as MP3 files and delivered into the wrong hands.

Security Trends

According to statistics published by Microsoft, the Malicious Software Removal Tool (MSRT) detected 383,378 infected computers in China (second in the list), followed by 282,152 in Brazil, 278,207 in the UK, and 262,539 in Korea. The US ranked first with 2.18 million infected computers, against a combined 1.87 million for all other countries. China and Brazil fell victim for quite different reasons: in China, password stealers target online-game accounts, while in Brazil they go after bank accounts.

Microsoft added a signature in August for a trojan called Win32/FakeRean, and within the first two weeks 162,328 computers were found infected with this rogue antivirus program. A worm known as Win32/Taterf was also cleaned from 463,000 PCs; it is designed to steal login and account data for popular online games.

Users of the popular social networking site Renren found their accounts offering a video clip of the Pink Floyd classic "Wish You Were Here". This was a cross-site scripting worm: viewing an infected profile caused the visitor's own account to repost it, so it spread through each user's friends list. Antivirus vendors named the worm PinkRenren. PinkRenren is not harmful, as its own script announced ("I'm not a malicious worm"), but the technique is potent.
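As an added example that is not code from the original post or from Renren, the Node.js block below shows the mechanism a worm like PinkRenren depends on: a profile page that splices a stored status straight into its HTML, so that whatever the profile owner stored runs in every visitor's browser. It places the vulnerable renderer beside a tag-blocklist "fix" and beside proper output encoding, and checks which payloads each one lets through. The three payloads are constructed and inert; `spread()` is a hypothetical name standing in for the worm body that would repost the status under the visitor's account.

```javascript
// Added example, not code from the original post or from Renren. Shows why a
// profile page that splices user-supplied text into its HTML lets an XSS worm
// spread, and why a tag blocklist does not fix it while output encoding does.
// The three payloads are constructed and inert: spread() is a hypothetical
// name for the worm body that would repost the status under the viewer's
// own account.

const SCRIPT_PAYLOAD = '<script>spread()</script>';
const EVENT_PAYLOAD = '<img src="x" onerror="spread()">';
const NESTED_PAYLOAD = '<scr<script>ipt>spread()</script>';

// 1. Vulnerable: the stored status goes straight into the page.
function renderStatusVulnerable(status) {
  return `<div class="status">${status}</div>`;
}

// 2. Blocklist: strips <script> tags, a common "fix" of the era. It misses
//    event handlers entirely, and a single-pass strip can be fooled by nesting.
function renderStatusBlocklist(status) {
  const stripped = status.replace(/<\/?script[^>]*>/gi, '');
  return `<div class="status">${stripped}</div>`;
}

// 3. Output encoding: every character HTML would interpret becomes an entity,
//    so the browser displays the status as text instead of parsing it.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function renderStatusSafe(status) {
  return `<div class="status">${escapeHtml(status)}</div>`;
}

// Did any raw tag survive inside the wrapper? A browser would parse it as
// markup, which is the condition under which injected script can run.
const WRAPPER_OPEN = '<div class="status">';
const WRAPPER_CLOSE = '</div>';
function hasInjectedMarkup(rendered) {
  const inner = rendered.slice(WRAPPER_OPEN.length, rendered.length - WRAPPER_CLOSE.length);
  return /<[a-zA-Z!\/]/.test(inner);
}

// Summarize which renderer lets which payload through:
// { vulnerable: {script, event, nested}, blocklist: {...}, safe: {...} }
function compareRenderers() {
  const payloads = { script: SCRIPT_PAYLOAD, event: EVENT_PAYLOAD, nested: NESTED_PAYLOAD };
  const renderers = {
    vulnerable: renderStatusVulnerable,
    blocklist: renderStatusBlocklist,
    safe: renderStatusSafe,
  };
  const result = {};
  for (const [rName, render] of Object.entries(renderers)) {
    result[rName] = {};
    for (const [pName, payload] of Object.entries(payloads)) {
      result[rName][pName] = hasInjectedMarkup(render(payload));
    }
  }
  return result;
}
```

`compareRenderers()` shows the blocklist stopping only the plain `<script>` payload: the `onerror` handler never contains a script tag, and the nested payload becomes `<script>spread()` after one pass of stripping. Only the encoded renderer neutralizes all three, which is why the fix for stored XSS is contextual output encoding, not filtering of known-bad tags.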

Thanks to the following contributors for this month's roundup:
- Saeed Abu-Nimeh (Security & Technology Research)
- Lei Li (Security & Technology Research)
- Ulysses Wang (Security & Technology Research)
- Jay Liew (Security & Technology Research)
- Matthew Mors (Public Relations)