
This Month in the Threat Webscape

01.11.2010 - 11:00 AM

Month of December 2009

This month, Fox Sports and NASA discovered that their Web sites were compromised. Web 2.0 widget-maker RockYou suffered a major security breach which revealed that it had failed to apply the simplest security best practice: encrypting its users' passwords. Twitter suffered a DNS hijacking, Amazon EC2 was used by the Zeus bot network, there were more Adobe PDF and browser vulnerabilities... read on for more.

Major hits

The high-profile Web site for Fox Sports was compromised. This division of the Fox Broadcasting Company's Web site was a victim in the larger Gumblar attack.

Miscreants used Brittany Murphy's death to peddle fake antivirus software via search engine optimization; Google searches for "Brittany Murphy death" contained several links that redirected to fake antivirus sites.

A CERT advisory was released that warns against using clientless SSL VPN products. In short, these products circumvent the browser's same origin policy and open up a slew of security holes that cannot be protected against effectively.

A massive SQL injection attack compromised over 125,000 web pages. The pages contain a malicious iframe that attempts several exploits in order to install the Buzus trojan.

Two NASA-run Web sites were hacked due to SQL injection and XSS vulnerabilities.

A severe cache poisoning vulnerability was found in BIND 9 for users that have DNSSEC validation turned on. Security fixes have been released; there are no known active exploits.

Cisco released an advisory stating that buffer overflow vulnerabilities that could be used for remote code execution were found in Cisco's WebEx WRF player. They released a new version of WebEx that fixes the vulnerabilities.

Web 2 dot uh-oh

Social application site RockYou was hacked, and the information of over 32 million user accounts was compromised. All their user information, including passwords, was stored in cleartext. The breach was compounded by the fact that they stored plaintext user credentials for partner sites as well, including social networking sites such as Facebook, Myspace, Hi5, Friendster, Orkut and Bebo. RockYou has posted a security notice that details the steps they are taking to fix their security problems and urges users to change their passwords.
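The missing control behind the RockYou breach, shown as an added example that is not from the original post or from RockYou's code: cleartext storage beside a per-user salted PBKDF2 record, with the record format and iteration count being assumptions made here.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample credentials for illustration only (not breach data).
SAMPLE_USERS = {"alice": "correct horse", "bob": "hunter2"}


def store_cleartext(password: str) -> str:
    """The failing described in the post: the password is stored as-is,
    so anyone holding a copy of the table reads every credential directly."""
    return password


def store_hashed(password: str, iterations: int = 200_000) -> str:
    """Hardened form: a random 16-byte salt per user plus PBKDF2-HMAC-SHA256.
    Record layout (assumed here): pbkdf2_sha256$iterations$salt_b64$hash_b64."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_hashed(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time,
    so a login check never needs the original password on disk."""
    algo, iterations, salt_b64, hash_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def readable_passwords(table: dict) -> int:
    """Count how many stored records are directly readable as the password:
    all of them for a cleartext table, none for a hashed one."""
    return sum(1 for user, rec in table.items() if rec == SAMPLE_USERS[user])


if __name__ == "__main__":
    cleartext_table = {u: store_cleartext(p) for u, p in SAMPLE_USERS.items()}
    hashed_table = {u: store_hashed(p) for u, p in SAMPLE_USERS.items()}
    print("readable in cleartext table:", readable_passwords(cleartext_table))
    print("readable in hashed table:", readable_passwords(hashed_table))
    print("bob logs in:", verify_hashed("hunter2", hashed_table["bob"]))
```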

Users were briefly unable to access Twitter after it became the victim of a DNS hijacking attack.

The increasingly bold Koobface gang wished the security industry a happy holidays, thanking security researchers for "[their] help in bug fixing, researches (sic) and documentation for our software." They took advantage of the holiday season by switching to a Christmas theme. The gang also began experimenting with client-side exploits (drive-by downloads), a change from their previous modus operandi of employing strictly social engineering tactics.

As part of a trend of cloud computing resources increasingly being used for malicious purposes, the Zeus bot network was observed hosting its command and control server on Amazon EC2.

Browsing for dirt

A new Adobe zero-day vulnerability (CVE-2009-4324) has been discovered and exploited with malicious intent. The zero-day hole, which affects Reader and Acrobat versions 9.2 and earlier, could crash the system and allow an attacker to take control of the computer. The malicious PDF files are distributed as email attachments: once the attacker has lured the victim into opening the attachment, a malicious executable file is dropped and run on a fully patched system. According to Adobe, the patch will be available on January 12, 2010.

Adobe also released a security update for Adobe Flash Player version and earlier. Seven vulnerabilities have been patched.

Microsoft Internet Explorer was given a cumulative security update (MS09-072) for various flaws, involving memory corruption and ActiveX. All of these could be used by malicious hackers to booby-trap Web sites that infect visitors - merely by accidentally loading the malicious Web site in the browser.

Mozilla shipped Firefox 3.5.6 to patch seven vulnerabilities, three of them critical. Mozilla is distributing the patches via the browser's built-in automatic update mechanism.

Microsoft issued six bulletins with patches for a total of 12 vulnerabilities on Patch Tuesday, December 8th. Three of them were rated "critical". The most serious issue (MS09-072) affects all supported versions of Internet Explorer, including the newest IE 8 on Windows 7. The Microsoft Internet Authentication Service update (MS09-071) fixed two flaws that could allow remote code execution if malformed messages are received while the Internet Authentication Service server is handling PEAP authentication attempts. The third critical bulletin (MS09-074) patched a security flaw in the Microsoft Office Project software which could allow remote code execution if a specially crafted project file is opened.

Microsoft Office 2003 users who had protected their documents using the Rights Management Service (RMS) feature were locked out from their own documents from December 11th. The problem was down to an expired security certificate. There is a hotfix available now.

Hello ThreatSeeker. You've got Mail!

This month, malicious hackers built their social-engineering campaign around 2 themes: (1) The H1N1 scare and (2) Facebook password reset confirmation. In the first tactic, spammers sent emails masquerading as the CDC (Center for Disease Control), calling recipients to "follow this link" for a "vaccination profile". The link leads to a fake CDC Web site where visitors may be infected. The email subject line changes: variations include "Governmental registration program on the H1N1 vaccination" and "Your personal vaccination profile".

The second tactic was an email purporting to be from Facebook (but it's really not - surprise, surprise) with a malware attachment. The email claims that the recipient's Facebook password has been reset for security reasons and that the recipient should open the attachment to find the new password. Riiight. Nobody opens attachments to get their new password (just don't). Victims would find themselves infected with the Bredolab Trojan Downloader.

Can people tell the difference between a real and fake Web site? A recent study discovered that about 45% of the time, people end up submitting their information to a phishing site.

In other news, proof that there is no honor among thieves: phishers get the results of their labor stolen by other malicious hackers. See a video of thieves stealing from thieves (something dubbed the "Auto Whaler") in action.

After last being seen in 2007, MP3 spam campaigning was back again in December, leading to fake Canadian Pharmacy sites. Though the campaign lasted only one day, over 500 million messages were seen, which comprised over 1.2% of the global spam volume for that period. A report suggests the Cimbot botnet was in charge of this campaign, the same bot network that previously used image spam to advertise fake Pharmacy sites.

Security Trends

According to a note by the Internet Crime Complaint Center (IC3), the FBI is aware of losses in excess of $150 million due to fake/rogue antivirus software. Rogue AV is considered much more profitable than spam, because most people who do visit a spam site don't open their wallets, but rogue AV victims are more likely to pay to make the aggressive annoyance go away. Thus the "sale" conversion rate is much higher.

Malicious hackers are stepping up their game in growing their business, upping the ante by now becoming their own ISP. This makes it harder for security researchers to ask for take-downs from ISPs (since it's unlikely that the bad guys will simply comply). The black hats now have their own IP spaces and are setting up their own data centers.

Thanks to the following contributors for this month's roundup:

- Lei Li (Security & Technology Research)
- Ulysses Wang (Security & Technology Research)
- Sebastian Becerra (Security & Technology Research)
- Artem Gololobov (Security & Technology Research)
- Jay Liew (Security & Technology Research)
