This Month in the Threat Webscape

Month of April 2010

Major hits

Palm's mobile platform, WebOS, failed several basic security measures: white-hat researchers found that it could be exploited through specially crafted text messages (SMS). The Apache Software Foundation's web servers were compromised in an attack that chained a cross-site scripting (XSS) vulnerability with a URL shortener (TinyURL) used to disguise the malicious link. In other news, 1.5 million Facebook accounts were offered for sale in the criminal underground. The price per 1,000 compromised accounts was tiered by how many friends each account had (the more friends, the more valuable the account).

Web 2.0 uh oh

There was a mass compromise of fully patched WordPress installations hosted by Network Solutions. WordPress itself was not at fault: the database credentials in its configuration file (wp-config.php) are stored in plain text by design, and the file is meant to be readable only by the site owner and the web server account (Apache), not by anyone else. On the affected sites the permissions were set so that the file was world-readable, so any other account on the shared host, including the attacker's, could read the credentials. The attacker then used them to insert an iframe that led to a malicious web site. Ever wonder if bad guys are using Twitter's API? We do. Here's an analysis of how malicious web sites use Twitter's API to make their operations appear unpredictable.
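The permission mistake described above is easy to audit for. The following is an added example written for this edition (not Websense's, WordPress's or Network Solutions' code): it flags any configuration file whose "others" read bit is set, and demo() builds two throwaway wp-config.php copies in a temporary directory (constructed, with a placeholder password) to show the mode found on the compromised sites beside the intended one.

```python
import os
import stat
import tempfile


def world_readable(path: str) -> bool:
    """True if the 'others' read bit (o+r) is set, i.e. every account on the host can read it."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def check_config_perms(paths) -> dict:
    """Classify each config file as 'ok', 'world-readable' or 'missing'.

    'ok' only means the others bits are clear. Group-readable is expected,
    because the web server normally reads the file through its group.
    """
    results = {}
    for p in paths:
        if not os.path.isfile(p):
            results[p] = "missing"
        elif world_readable(p):
            results[p] = "world-readable"
        else:
            results[p] = "ok"
    return results


def demo() -> dict:
    """Constructed scenario, not a real WordPress install: two wp-config.php
    copies, one with the mode seen on the compromised sites, one hardened."""
    base = tempfile.mkdtemp(prefix="wpcfg-")
    permissive = os.path.join(base, "site-a", "wp-config.php")
    hardened = os.path.join(base, "site-b", "wp-config.php")
    missing = os.path.join(base, "site-c", "wp-config.php")  # never created
    for path in (permissive, hardened):
        os.makedirs(os.path.dirname(path))
        with open(path, "w") as f:
            # placeholder credential, not a real secret
            f.write("<?php\ndefine('DB_PASSWORD', 'example-placeholder');\n")
    os.chmod(permissive, 0o644)  # rw-r--r--: any neighbour on a shared host can read the DB password
    os.chmod(hardened, 0o640)    # rw-r-----: owner plus the web server's group only
    report = check_config_perms([permissive, hardened, missing])
    return {"permissive": report[permissive],
            "hardened": report[hardened],
            "missing": report[missing]}


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```

On a shared host the check is only half the story: the file also has to be owned by the site's own account and group-readable by the web server's group, and the same audit should be repeated after every deploy, since upload tools frequently recreate files with the default 644 mode.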

Browser and friends

A Java zero-day vulnerability was exploited in the wild. The flaw was found independently by two researchers, Tavis Ormandy and Ruben Santamarta, and Ormandy reported it to Oracle. Details were published along with a demonstration exploit (one that launches the calculator). Pity that Oracle's patch arrived a little late: before it was available, Websense had already found dozens of web sites hosting the exploit code. Please keep your Java installation updated.

Adobe released a new update for Adobe Reader that patched 15 vulnerabilities.

Apple patched CVE-2010-1120 in the Safari browser. The vulnerability was discovered by Charlie Miller, who used it to hack a fully patched MacBook at Pwn2Own 2010. A patch for QuickTime was also delivered this month, fixing 16 vulnerabilities.

Mozilla also responded quickly to the vulnerability demonstrated at Pwn2Own 2010; it was fixed in Firefox 3.6.3.

Microsoft

April's Patch Tuesday included fixes for several drive-by remote code execution vulnerabilities affecting Windows, Microsoft Exchange, and Office. At Black Hat Europe, security researchers released a proof-of-concept exploit showing that Internet Explorer's XSS filter, the feature meant to protect against cross-site scripting, could itself be abused to introduce it. Microsoft plans to release a patch in June. One of the Patch Tuesday fixes, for a remote code execution bug in Windows Media Services (MS10-025), failed to address the underlying vulnerability and was re-released two weeks later, on April 27.

Hello ThreatSeeker. You've got mail!

Who says you can't teach an old dog new tricks? This month one of the longstanding and more prevalent threats showed why it is still so widely used, by adopting yet another new tactic. We reported on the Zeus gang sending out a new kind of PDF attack. These attacks used a variation of the /Launch technique (reported by Didier Stevens earlier in the month) to socially engineer the victim into running an embedded executable: no software vulnerability is exploited, only the user. The messages carried the poisoned PDF as an attachment and enticed the recipient into opening it by claiming it contained a notice about a missed package delivery.

In another interesting campaign, spam messages were made to look as though they came from Twitter. Each message spoofed the From address so recipients would believe it was a legitimate notification from Twitter's support team. The content was very convincing because it was essentially a copy of a genuine Twitter email notifying users that they had new messages waiting. However, the href attributes of the links had been modified so that they led to bogus pharmaceutical sites instead of Twitter.
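Because the message body was a faithful copy, the only thing that gave the campaign away was the mismatch between what a link said and where its href pointed. Below is an added example, written for this edition and not code from Websense or Twitter, of the check a mail filter can run on the HTML body: every anchor is compared against the domain the sender claims, and anchors whose visible text is a twitter.com URL but whose href goes elsewhere are singled out as look-alikes. The sample notification is constructed for the demonstration, and pharma-example.test is a placeholder hostname.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _on_domain(url: str, domain: str) -> bool:
    """True if url's host is domain or a subdomain of it."""
    host = (urlparse(url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)


def _text_claims_domain(text: str, domain: str) -> bool:
    """True if the anchor's visible text reads as a URL on domain."""
    if not text or " " in text:
        return False
    return _on_domain(text if "://" in text else "http://" + text, domain)


def suspicious_links(html: str, claimed_domain: str) -> list:
    """Return (href, text, reason) for each link that contradicts the sender.

    'look-alike link': the text shows a URL on claimed_domain but the href
    goes elsewhere, the edit made to the copied Twitter notifications.
    'off-domain link': any other link leaving claimed_domain.
    """
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        if _on_domain(href, claimed_domain):
            continue
        reason = ("look-alike link" if _text_claims_domain(text, claimed_domain)
                  else "off-domain link")
        flagged.append((href, text, reason))
    return flagged


# Constructed sample modelled on the campaign: a copied notification whose
# first link has had its href swapped. pharma-example.test is a placeholder.
SAMPLE_EMAIL_HTML = """\
<html><body>
<p>Hi, you have 2 new direct messages waiting for you on Twitter.</p>
<p><a href="http://pharma-example.test/dm">http://twitter.com/direct_messages</a></p>
<p>Change your <a href="http://twitter.com/account/notifications">notification settings</a>.</p>
<p><a href="http://pharma-example.test/unsub">Click here</a> to stop receiving these emails.</p>
</body></html>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL_HTML, "twitter.com"):
        print(f"{reason}: text={text!r} href={href}")
```

The domain comparison deliberately accepts any subdomain of the claimed domain, so a real filter should pair it with a check of the envelope sender (Return-Path, SPF or DKIM), since the From header is exactly what this campaign forged.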

Security Trends

According to the Microsoft Malware Protection Center (MMPC), the latest wave of zero-day malware attacks targeting a flaw in the Internet Explorer browser hit computers in more than 50 countries. Most frequently targeted were computers in China and Korea, with the US a distant third.

Researchers demonstrated a way to run an embedded executable from a PDF file without using any JavaScript and without exploiting any vulnerability. Didier Stevens's Escape From PDF technique and Jeremy Conway's proof of concept show how an attacker can control the message the PDF reader presents to the user in its warning dialog. Combined with clever social engineering, this means a PDF reader could allow code execution if a user simply opened a rigged PDF file and accepted the prompt.

Speaking of running an embedded executable from a PDF file, the Zeus malware attacks are now using the /Launch action in Adobe Reader to run malicious code without exploiting any vulnerability in the software. The PDF carries what appears to be another PDF file as a compressed attachment; that attachment is actually an executable which, if run, installs the Zeus bot.
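The /Launch technique discussed in the three passages above (the Zeus PDF spam, the Escape From PDF research, and the compressed attachment) can be triaged for without rendering the document. What follows is an added example written for this edition, not code from Websense, Didier Stevens or Jeremy Conway: a small Python scanner that resolves PDF name escapes, inflates FlateDecode streams so names hidden in compressed data are seen, counts the action names a defender cares about, and pulls out the /F target and the /P string of each /Launch action (the /P string is the text Adobe Reader shows in its dialog). The PDF it builds is constructed for the demonstration, with cmd.exe launched from /OpenAction and a compressed /EmbeddedFile standing in for the attachment; it is not a captured Zeus file.

```python
import re
import zlib

# Names worth counting when triaging a PDF. /Launch is the action the Zeus
# campaign abused, /EmbeddedFile is how the payload travels inside the file,
# and /OpenAction or /AA mean an action fires without the user clicking.
SUSPICIOUS_NAMES = (b"/Launch", b"/EmbeddedFile", b"/OpenAction", b"/AA",
                    b"/JavaScript", b"/JS")

_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes in PDF names, e.g. /L#61unch -> /Launch.
    The escapes are legal syntax and a cheap way to dodge a substring search."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Concatenate every stream body that inflates as zlib (/FlateDecode).
    Attachments are normally compressed, so names may only appear after this."""
    parts = []
    for m in _STREAM.finditer(data):
        try:
            parts.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate-compressed (image data, corrupt, ...)
    return b"\n".join(parts)


def _searchable(data: bytes) -> bytes:
    return normalize_names(data) + b"\n" + normalize_names(inflate_streams(data))


def scan_pdf(data: bytes) -> dict:
    """Return {name: count} for each suspicious name that occurs at least once."""
    text = _searchable(data)
    counts = {}
    for name in SUSPICIOUS_NAMES:
        # the lookahead keeps /EmbeddedFiles from being counted as /EmbeddedFile
        n = len(re.findall(re.escape(name) + rb"(?![A-Za-z])", text))
        if n:
            counts[name.decode()] = n
    return counts


def launch_targets(data: bytes) -> list:
    """Return (/F file, /P parameters) for each /Launch action found.
    The /P string is what the reader shows in its warning dialog, so it is
    the text the attacker writes to reassure the victim."""
    text = _searchable(data)
    found = []
    for m in re.finditer(rb"/Launch(.*?)>>", text, re.DOTALL):
        body = m.group(1)
        f = re.search(rb"/F\s*\((.*?)\)", body, re.DOTALL)
        p = re.search(rb"/P\s*\((.*?)\)", body, re.DOTALL)
        found.append((f.group(1).decode("latin-1") if f else None,
                      p.group(1).decode("latin-1") if p else None))
    return found


def build_sample_pdf() -> bytes:
    """Constructed sample, not a captured Zeus document: a one-page PDF whose
    /OpenAction is a /Launch of cmd.exe with a misleading /P string, plus a
    Flate-compressed /EmbeddedFile standing in for the attached payload.
    /Launch is spelled /L#61unch to show why normalising names matters."""
    payload = zlib.compress(b"MZ this stands in for the attached executable")
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R "
        b"/Names << /EmbeddedFiles << /Names [(report.pdf) 5 0 R] >> >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
        b"<< /Type /Action /S /L#61unch /Win << /F (cmd.exe) "
        b"/P (/c start report.pdf\n\n\nClick Open to view the delivery notice) >> >>",
        b"<< /Type /Filespec /F (report.pdf) /EF << /F 6 0 R >> >>",
        b"<< /Type /EmbeddedFile /Filter /FlateDecode /Length %d >>\nstream\n"
        % len(payload) + payload + b"\nendstream",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objs) + 1, xref_at))
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_pdf()
    print(scan_pdf(sample))
    for target, params in launch_targets(sample):
        print("launch:", target, "| dialog text:", repr(params))
```

Counting names tells you a file deserves a look; extracting the /P string is what lets an analyst judge the social engineering, because that text, padded with line breaks to push the reader's real warning out of view, is all the victim sees. A production tool should honour each stream's /Length instead of delimiting streams with a regular expression, and should follow /OpenAction to confirm the /Launch fires on open rather than on a click.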

Google's Security Team is about to release the results of a 13-month study into the growth of fake antivirus (Fake AV). The analysis shows that Fake AV currently accounts for 15% of all malware Google detects on the web and for 50% of all malware delivered through advertisements. Fake AV also accounts for 60% of the malware found on domains that include trending keywords.

 


This month's contributors:

– Chris Astacio (Security & Technology Research)

– Erik Buchanan (Security & Technology Research)

– Lei Li (Security & Technology Research)

– Ulysses Wang (Security & Technology Research)

– Jay Liew (Security & Technology Research)
