Archived Blog

This Month in the Threat Webscape

10.09.2009 - 11:10 AM

Month of September 2009

This month was a busy month for SEO poisoning attacks, with high-ranking search engine results littered with malicious links leading to rogue antivirus. Affected search terms were based on timely events such as 9/11, the Labor Day sale, and even the hype surrounding Google Wave invites. The New York Times suffered a malvertising incident, a worm was found wiggling through WordPress installations, and there were more Microsoft and Apple vulnerabilities—just read on for more. It's a really dangerous Web 2.0 world, and we want you to be protected.

Major Hits

Malicious code that targeted Acrobat Reader and QuickTime vulnerabilities, among others, was injected into the PBS Web site for "Curious George". PBS is a major provider of programming to US public television stations.

Searches for current events often lead to malicious Web sites designed to trick people into installing rogue (fake) security software. It's now a given that whenever a big news story breaks, a big event is happening, or a big holiday is coming up, the bad guys will start populating search results on Google, Bing and other search engines with fake stories. This month we saw fake results relating to the deaths of Patrick Swayze and Keith Floyd, the Labor Day sale, the launch of Microsoft's free anti-virus, and the launch of Google Wave. The manipulation of search results is a highly automated operation: the bad guys monitor Twitter trending topics, Google Trends, and major news sites for topics to use in their activities.

In another instance of so-called malvertising, some major Internet advertisers, including Google's DoubleClick, Yahoo's RightMedia, and FastClick, were hit by a flood of malicious banner ads. These ads contained a malicious PDF file that installed the Win32/Alureon trojan. The malicious ads ran for a period of 3 days, affecting sites such as DrudgeReport, among others. This is not the first time we have seen this sort of attack.

Web 2 dot uh-oh

A new worm struck the world's best-known blog publishing application, WordPress, this month. (Fortunately this does not happen often, since an installed base of more than 200 million Web sites worldwide is a huge scope for evildoers' propaganda.) Some bloggers had to endure the unpleasant experience of finding the worm deep in their systems before the official upgrade had been announced. If you still use a version older than 2.8.4, do not wait any longer to upgrade.

The previous month was not the last bad one for Twitter. Automatically registered Twitter accounts have been posting scareware links that abuse trending micro-blog topics, using pseudo-randomly generated text. The messages, virtually indistinguishable from real human-written ones, lure users to fake Web sites that try to scare them into purchasing a product which "helps". Think Twitter has already had enough? Sites built on Ruby on Rails were found to be vulnerable to yet another XSS attack, as discovered by Brian Mastenbrook.

Browsing for dirt

Mozilla released Firefox version 3.5.3, which fixes 10 code execution vulnerabilities. Mozilla is now gently reminding Firefox users to update their Flash Player plug-in (if outdated), with moderate success; up to two-thirds of Firefox users may still be running a vulnerable version of Flash. Adobe's products have been increasingly targeted by attackers, as we detailed in last month's entry.

A fake Flash Player Firefox add-on has been observed in the wild. It masquerades as the Flash Player plug-in, but actually monitors the user's browsing activities and sends this information to a central server. The plug-in is also capable of injecting ads into Google search results.

Apple released security patches to fix vulnerabilities in its iPhone, iPod Touch, and QuickTime products. Several of these vulnerabilities allow for arbitrary code execution. The initial release of Apple's Snow Leopard operating system shipped with an out-of-date version of Flash Player, even going so far as to downgrade the installed Flash Player for users who upgraded their operating system. This could have serious security implications for users of the operating system, as the old version has a number of vulnerabilities.


Windows users faced a barrage of zero-day vulnerability announcements throughout September. They affected JavaScript, Live Messenger, IIS, and various services running on Windows. All of these allow remote users to execute code on unprotected machines.

At least 5 Web-based remote code exploits were patched on September 8, several targeting Internet Explorer users but some affecting passive services like TCP/IP and Wireless LAN AutoConfig.

Microsoft pushed a Windows Live Messenger security patch for a remote code execution Active Template Library bug. Users who didn't upgrade during the optional patch phase will be required to update during the mandatory second phase before they can sign on.

Microsoft also announced a zero-day vulnerability in the FTP service of IIS5 and IIS6, along with a blog with more details and recommendations.

Finally, Microsoft warned of an unpatched vulnerability in the SMBv2 Windows service that could allow remote code execution. Originally regarded as just a denial of service problem, the flaw was turned into a remote execution exploit by researchers at Immunity; that exploit has since been integrated into Metasploit, hastening its appearance in the wild. Until a patch fixing the flaw is released, Microsoft detailed a work-around with a one-click command to disable the SMBv2 service.

So long and thanks for all the phish

RSA FraudAction Research Lab reported a new type of phishing attack dubbed "chat-in-the-middle phishing". In one of the phishing attack stages, the attacker launches a live chat support window to steal more information from the victim. The live chat window claims to be from the targeted bank, and that it is there to validate the victim's account. The chat messages between the victim and the attacker are processed using an open source instant messaging protocol, namely Jabber. One of the advantages of this technique is the real-time delivery of stolen credentials to the attacker without relying on blind drops. RSA reported that they detected only one instance of this attack.

A new wave of IRS phishing attacks was reported by MX Logic (now McAfee). The attack is delivered by the Cutwail/Pushdo botnet and serves a ZBot variant. The URLs in the phishing emails have the following structure: [domain]/fraud_application/directory/statement.php. Most of the domains associated with this attack were reported and taken down.
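Because the campaign reuses one URL structure across many throwaway domains, the path itself is a useful detection handle even after individual domains are taken down. The following is an added example (not code from Websense or MX Logic) that scans constructed proxy log lines for that structure and collects the hosting domains for takedown reporting. The log format, timestamps, client IPs and domain names are all constructed; the regex assumes the "directory" segment in the reported structure may stand for any single path segment, so it accepts one segment of any name there (the literal name also matches).

```python
import re
from urllib.parse import urlsplit

# Path structure reported for the campaign: [domain]/fraud_application/directory/statement.php
# Assumption: "directory" may be a placeholder, so one path segment of any name is accepted.
# Case-insensitive, because IIS-hosted kits ignore path case.
IRS_PHISH_PATH = re.compile(r"^/fraud_application/[^/]+/statement\.php$", re.IGNORECASE)

# Constructed sample proxy log lines (not real data): "<timestamp> <client-ip> <url> <status>"
SAMPLE_LOG = """\
2009-09-14T10:02:11Z 10.1.2.3 http://example-bank-updates.test/fraud_application/directory/statement.php 200
2009-09-14T10:02:15Z 10.1.2.3 http://www.example.test/index.html 200
2009-09-14T10:03:40Z 10.1.2.9 http://irs-refund-notice.test/FRAUD_APPLICATION/docs/Statement.php?id=7 200
2009-09-14T10:04:02Z 10.1.2.9 http://example.test/fraud_application/statement.php 404
2009-09-14T10:05:30Z 10.1.2.4 https://legit.example.test/accounts/statement.php 200
"""


def matches_irs_phish_structure(url: str) -> bool:
    """True when the URL path has the reported campaign structure (query string ignored)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return IRS_PHISH_PATH.match(parts.path) is not None


def scan_log(log_text: str) -> list[dict]:
    """Return one record per log line whose URL matches the campaign structure."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; skip rather than crash the scan
        timestamp, client, url, status = fields[:4]
        if matches_irs_phish_structure(url):
            hits.append({
                "timestamp": timestamp,
                "client": client,
                "domain": urlsplit(url).hostname.lower(),
                "url": url,
                "status": status,
            })
    return hits


def domains_to_report(hits: list[dict]) -> list[str]:
    """Distinct hosting domains from the hits, sorted, ready for a takedown report."""
    return sorted({h["domain"] for h in hits})


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h['timestamp']} client={h['client']} -> {h['url']}")
    print("domains to report:", domains_to_report(found))
```

Two of the five constructed lines match: the first uses the structure literally, and the third uses different casing plus a query string, which the path-only check still catches. The fourth line is missing the middle segment and the fifth is a legitimate statement page under a different directory, so neither is flagged; the client on the matching lines is the one worth checking for the ZBot payload that the campaign serves.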

Links to YouTube videos advertising “Russian spam” have been seen lately in spam coming from Russia. Web 2.0 technologies are widely used in spam. This 2 min. clip will explain all the “benefits” of spam. The spammers claim that they only use spam to increase sales and don’t send porn or engage in phishing, but how legal is this, and how annoying, for the recipients of the spam?

Hello ThreatSeeker. You've got mail!






Security Trends

While speaking at Virus Bulletin 2009, Bryan Lu pushed for more cooperation within the security industry, pointing out that users can be confused because vendors routinely announce different threat levels on the same day. He suggests that vendors agree on a standard for threat levels.

Mac users are being specifically targeted by a malware affiliate program, which offers 43 cents per infected machine.

A novel rootkit technique has been unveiled that involves hijacking Windows System Restore via a backdoor so that it does not wipe out the malicious software.

The Bahama botnet has been linked to a surge in click-fraud. Infected users that click on organic search results are redirected several times, eventually arriving at an advertiser's page.

Modern banker malware undermines two-factor authentication by simply waiting for users to authenticate themselves before taking action.

The Monkif/DiKhora botnet has a novel approach to C&C: it hides commands as JPEG images.

A study suggests that small DIY botnets are prevalent in enterprise networks. These botnets aim to stay under the radar after gaining a foothold in corporate networks.

First used by the Gimmiv worm and later exploited by the Conficker worm, the MS08-067 flaw continues to be lucrative for attackers.

Thanks to the following contributors for this month's roundup:

- Artem Gololobov (Security & Technology Research)
- Ivan Sabo (Security & Technology Research)
- Erik Buchanan (Security & Technology Research)
- Sebastian Becerra-Licha (Security & Technology Research)
- Patrik Runald (Security & Technology Research)
- Saeed Abu-Nimeh (Security & Technology Research)
- Jay Liew (Security & Technology Research)
- Matthew Mors (Public Relations)
