Archived Blog

This Month in the Threat Webscape

02.10.2010 - 11:48 AM

Month of January 2010

The major drive-by attack that compromised global technology behemoth Google raised further awareness that one can get infected by merely surfing the Web. Blackhat SEO campaigns hit a record high this month, with scammers capitalizing on hot topics like Haiti's earthquake, the release of Avatar, and the release of the Apple iPad. We know for sure that on the Web, where the eyeballs go, a malicious trail is sure to follow.


Major Hits


Operation Aurora took the headlines this month, sending the mainstream media into a frenzy with wild speculations. In short, Google announced that it was one victim of a highly targeted attack from China that also hit numerous other U.S. companies. U.S. Secretary of State Hillary Clinton issued a statement asking the Chinese government for an explanation. It was later discovered that the attackers had exploited a vulnerability (CVE-2010-0249) in Internet Explorer, which Microsoft admitted to having been aware of since September 2009. Websense discovered this attack in the wild and has written more about its technical details here.

In other news, the DNS records of Chinese search engine Baidu were hijacked by a group calling themselves the Iranian Cyber Army. Oklahoma state taxpayers should be cautious about visiting the state's tax commission Web site, as it was found compromised and laden with malicious code. SOHU, one of the biggest portals in China with an Alexa rank of 43, was compromised and was hosting an exploit for Xunlei Thunder DapPlayer, a popular download manager and BitTorrent client.

Search Engine FAIL


Haiti, iPad, Avatar, and icy weather in Europe! What do they have in common? These hot news items were taken advantage of in several Blackhat SEO attacks. All victims have to do is search for information about Haiti, the iPad, Avatar, or freezing Europe using a reputable search engine. The poisoned search results redirect victims to the infamous rogue anti-virus sites, which infect them with malware that has relatively low detection rates.

In addition, be careful what you search for on Office.Microsoft.com, or you just might end up with a pesky fake anti-virus program on your computer (video).

Browser and friends



Adobe has released a new update for Adobe Reader 9.2 and Acrobat 9.2. Eight vulnerabilities have been patched, including one exploited in the wild, CVE-2009-4324, which we mentioned in our monthly roundup blog in December 2009. Two vulnerabilities in Adobe Shockwave Player were also patched in January. To guard against such vulnerabilities more effectively, a new update mechanism called the Acrobat Refresh Manager has been tested. It is intended to make it easier for Reader and Acrobat users to keep their products up to date, according to Brad Arkin, Adobe's director of product security and privacy.

Congratulations to Mozilla! They have released their newest version, Firefox 3.6. We have been notified that two new security features have been integrated into the browser: Plugin Checker and Component Directory Lockdown. Plugin Checker will keep installed plug-ins up to date, enabling the browser to prompt the user to apply a patch via a one-click interface. Component Directory Lockdown will prevent developers from sneaking add-ons into the program and lock out rogue Firefox add-ons.

A zero day vulnerability has been found in QuickTime. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

RealNetworks has also updated RealPlayer, patching 11 vulnerabilities.


Microsoft


Microsoft had planned on taking a break from critical remote code execution vulnerabilities in January, limiting the "Critical" updates for its Embedded OpenType Font Engine to Windows 2000 (details). However, a critical vulnerability in all versions of Internet Explorer that allows remote code execution simply by browsing to a malicious page forced Microsoft to release an out-of-band patch. The vulnerability was reported to Microsoft last September and was reportedly used in the targeted attacks against Google, Adobe, and other major companies. The patch was finally published after proof-of-concept code was released and the attack was integrated into the Metasploit framework.

Hello ThreatSeeker. You've got mail!


There was lots of news this past month regarding vulnerabilities in commonly used software, and spammers were keen to capitalize. Taking advantage of the Internet Explorer zero-day news, spammers began to send out spoofed Microsoft update messages with a malicious payload attached in a .zip file. We also saw targeted emails that used Web links to pages containing MS10-002 exploit code. Any recipient running Internet Explorer who clicked on the links in these emails would have had their computer compromised.

Spammers also kept up their ongoing social engineering tactics with emails posing as Facebook updates and AOL updates. These socially engineered update messages contained links that not only offered malicious executable payloads for the victim to download, but also served client-side exploit code. This means that user interaction beyond a single click of a link might not be necessary for attackers to compromise victim computers. We also saw the return of a very clever social engineering tactic for encouraging users to download malicious code. These spam messages are especially dangerous because they are so believable.
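The spoofed "Microsoft update" mail described above, whether it carries a .zip payload or a link, can be triaged with a simple header and content heuristic. The following is an added example, not Websense's code; the Microsoft domain allow-list, the `triage` rules and the sample messages are constructed assumptions for illustration.

```python
"""Triage heuristic for the spoofed "Microsoft update" spam described above.
Added example, not Websense's code: flags mail whose From header claims
Microsoft but whose address domain is not Microsoft's, when it also carries a
.zip attachment or a body link. Sample messages are constructed below."""
import re
from email.message import EmailMessage
from email.utils import parseaddr

MICROSOFT_DOMAINS = {"microsoft.com", "update.microsoft.com"}  # assumed allow-list
LINK_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def spoofs_microsoft(msg: EmailMessage) -> bool:
    """True when the From header invokes Microsoft from a foreign domain."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    return "microsoft" in (name + addr).lower() and domain not in MICROSOFT_DOMAINS

def zip_attachments(msg: EmailMessage) -> list:
    """File names of attached parts whose name ends in .zip."""
    return [p.get_filename() for p in msg.iter_attachments()
            if (p.get_filename() or "").lower().endswith(".zip")]

def body_links(msg: EmailMessage) -> list:
    """http(s) URLs found in the text body, if any."""
    body = msg.get_body(preferencelist=("plain", "html"))
    return LINK_RE.findall(body.get_content()) if body else []

def triage(msg: EmailMessage) -> str:
    """'suspicious' when a spoofed sender is paired with a .zip or a link."""
    if spoofs_microsoft(msg) and (zip_attachments(msg) or body_links(msg)):
        return "suspicious"
    return "clean"

def build(sender: str, body: str, zip_name: str = None) -> EmailMessage:
    """Constructed sample message (not a real spam sample)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = "Important Microsoft Update"
    msg.set_content(body)
    if zip_name:  # a few placeholder bytes stand in for the zip payload
        msg.add_attachment(b"PK\x03\x04", maintype="application",
                           subtype="zip", filename=zip_name)
    return msg

SPOOFED_ZIP = build("Microsoft Update <update@example.net>",
                    "Install the attached update.", "update.zip")
SPOOFED_LINK = build("microsoft-security@example.net",
                     "Get the patch at http://example.net/patch")
LEGIT = build("Microsoft <noreply@microsoft.com>", "No update is required.")
```

In production the allow-list would be replaced by SPF/DKIM results on the actual sending domain; the structure of the check stays the same.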

Security Trends


According to Net Applications' figures based on monitoring Web site usage, Internet Explorer 8 is now the world's top browser. NetApps reckons IE8 had 22.31% of the market, with IE6 at 20.07%. Firefox 3.5 took third place with 17.01%, ahead of IE7 (14.58%), Firefox 3.0 (5.29%), Google Chrome (3.92%), and Apple Safari (3.55%).

The Gartner Data Center Conference in Las Vegas in December 2009 shed light on some topics related to virtualization and cloud computing. The session on virtualization security highlighted a disconnect between the IT folks dealing with applications and storage and those dealing with security. The virtualization train is running full steam ahead, but the security teams are running to catch up and come to grips with the security implications of virtualization.

Not too long ago, GSM cellphones were shown to be vulnerable to attacks when the GSM 64-bit A5/1 algorithm was cracked. What followed was 3G encryption, which, unsurprisingly, has also been beaten. It looks like 3G networks rely on the KASUMI cipher, which a well-coordinated hacker needs only a couple of hours to crack.

According to the APWG Phishing Activity Trends Report for Q3 of 2009, the overall number of infected computers used in the sample decreased compared to previous quarters. However, 48.35% of the 22,754,847 scanned computers remain infected with malware.



Thanks to the following contributors for this month's roundup:

- Jay Liew (Security & Technology Research)
- Lei Li (Security & Technology Research)
- Ulysses Wang (Security & Technology Research)
- Saeed Abu-Nimeh (Security & Technology Research)
- Chris Astacio (Security & Technology Research)
- Erik Buchanan (Security & Technology Research)
