Archive for the ‘Security’ Category

Wedding Bells Ringing in Malware

Wednesday, August 18th, 2010

by Barracuda Labs

Weddings are joyous affairs, happy occasions for celebration. When friends find a soulmate and announce their intentions to the world, it’s exciting. We’re thrilled for them and we want the details right away.

Well, not so fast.

Barracuda Labs spam honeypots have recently detected spammers sending multiple wedding-themed emails, hoping to catch people with their guards down.  The messages can be quite convincing, but there is no “happily ever after” in the malware that is attached to them.

Consider this wedding invitation:

"Wedding Invitation" email

If the attached “Wedding Card” is opened, it launches a fake antivirus – SecurityTool:

Wedding Card results
Result of opening the “Wedding Card”

In addition to dropping SecurityTool on the system, the Wedding Card also downloads Trojan.Fitmu.A:

Download of password stealer

This program quietly runs in the background looking for usernames and passwords to steal.  In particular it steals FTP passwords, and stolen FTP passwords are the most common way that sites are hacked.

The spammers are casting a broad net, even targeting users who might be planning their own wedding. Say you are busy trying to arrange a venue, finalize a contract for catering, find music and a photographer, and then receive an email such as this:

"Wedding Contract" email

Upon first glance and a quick scan, it could appear as your legitimate contract (of course, hopefully the users will notice if the venue is not one they have been reviewing!). If the attachment is opened, it does not appear to do anything at all.  Nothing displays.  However, more is going on behind the scenes.

The attachment is actually a Zeus Trojan, a password stealer that specializes in online banking passwords.  The traffic here shows the Trojan retrieving its configuration and checking in with its command and control server.

The bottom line? Stay alert, scrutinize emails carefully and spread the word to your friends and co-workers. Being aware of these spam attacks helps prevent their success.

Barracuda Spam & Virus Firewall, Barracuda Web Filter and Barracuda Web Filtering Service customers are protected from this attack.

  • Share/Bookmark

Tags: , , , , ,
Posted in Email Security, Security, phishing | No Comments »

The Wireless Router Insecurity You Might be Overlooking

Tuesday, June 15th, 2010

By Barracuda Labs

Many savvy computer users have experience setting up a wireless access point in their home or office. It’s not that hard, really. Change the SSID, change the password, and perhaps change the channel. Set the IP and you’re good to go.

But if that’s all you’ve done, you could be leaving open an attack vector that malware authors have been targeting for years. They’re still targeting it today.

Many routers, including those that are part of wireless access points, implement the Universal Plug and Play (UPnP) interface. This interface allows programs running on computers connected to the router to control the router.  No authentication is necessary. The bad news is that this makes it easy for malware to change router settings.

While scanning for malware, we found this bogus forum post pretending to be a video recipe for Yankee Pot Roast. However, when looking a bit closer, it revealed itself as TROJ_TDSS.AKA, a downloader that initially downloads a fake antivirus but, as demonstrated, also tries to open a port in the gateway, leaving your computer and personal information exposed.

Malware automatically opening a port in the gateway is significant because most router users, particularly most home wireless access point users, assume a few simple security steps are all they need – enable WEP or WPA, set a strong password and you’re good (enough) to go. The UPnP vulnerability doesn’t have very high non-geek visibility, even though it’s still being exploited – and by Conficker no less.  And despite it having been around for quite a while now (referenced in this ZDNet article at http://www.zdnet.com/blog/soho-networking/wi-fi-routers-vulnerable-to-upnp-attack-from-hackers/120), it’s still alive and incredibly widespread. In fact, Google gives approximately 1,870,000 results for sites linking to the primary attack site, hxxp://vixensandschoolgirls.com.

Users should check to see if their routers allow for more secured startups. For example, it is recommended to disable UPnP and to use forced static IP so that the system will not be subject to unannounced attacks leaving the DHCP server open to assign an IP to any system that breaches your WiFi security.

Further, this once again reiterates the importance of knowing the source of information online, and to not click on links from unknown sources.

Screenshots of the attack follow for reference.

1)  Clicking on this ‘video’ brings up another window displaying a video prompt.

2) At this point, the astute user might wonder why the Yankee Pot Roast recipe is being offered up by hxxp://vixensandschoolgirls.com, but then the standard Windows warning message appears.

3) Running the offered program doesn’t seem to do anything at first. After a long delay, a fake anti-malware program named Defense Center is downloaded and executed.

4) Meanwhile, behind the scenes, multiple attempts are made against the router, followed by this UPnP payload. The payload changes the firewall settings of the router to open a port for additional malicious traffic. Conficker uses this same internal UPnP attack against routers to open up ports for its peer-to-peer control mechanism. UPnP is sometimes used for file or printer sharing, but in most cases it can be disabled with no ill effects.

5) The setting used on the Linksys router used in testing.

  • Share/Bookmark

Tags: , , , ,
Posted in ID Theft, Internet Security Tips, Security, Uncategorized | No Comments »

Who can you trust?

Thursday, May 20th, 2010

by Barracuda Labs

In slasher movies, there’s often a scene where terrified teenagers try to trace the phone calls of a homicidal maniac only to discover that the phone calls are coming from inside the building.

A recent spam case that was referred to the Lab reminded us of one of those scenes and underscored the fact that everyone should be suspicious of unsolicited emails. This is especially true of unsolicited emails that ask you to run something on your computer, no matter WHO they come from at any time.

In this particular case, the spam emails were sent to users within a medium-sized professional firm. They were carefully crafted to appear to be an Adobe security update originally sent to the Assistant Director of Information Technology and then individually forwarded from her. (Names and domains in the message have been changed.)

The bulk of the message looks like a security update from Adobe regarding vulnerability CVE-2010-0193. The linked executable actually is a malicious file that installs a Trojan backdoor program. The linked .PDF also contains a clickable link to the Trojan. Adobe already has reported this spam campaign here:

http://blogs.adobe.com/psirt/2010/05/alert_adobe_security_update_em.html

What’s particularly interesting is just above the forwarded message. The information about the sender of the email – Jane Doe, Assistant Director of Information Technology, JaneDoe@phished.com – is ‘real’ data, most likely harvested from elsewhere on the Internet, and would appear to be normal to co-workers within her company. Her email address is used in the body of the forwarded message as well, making it appear that it really was sent directly to Jane and then she is forwarding it along. Except that she isn’t.

The ‘From’ field of the email has been spoofed (i.e., faked), something spammers easily can do. Instead, examination of the internal email headers reveals that the entire message was sent from a compromised computer in West Virginia.

It is common for spam to be sent with faked ‘From’ data; however, this case takes that even a step further. The ‘From’ name was chosen specifically in order to gain the trust of the users at phished.com who received the messages. This was a deliberate and targeted batch of spam, sometimes called “spear” phishing, which demonstrates just how clever the bad guys are and just how cautious we as users have to be.

Barracuda Spam Firewalls block these emails.

Below are various screenshots of the targeted attack in action.

spam email message

The targeted email seemingly coming from inside the organization.

The spoofed "from" address.

The spoofed "from" address, which appears to be correct.

The .PDF mentioned in the email message that contains a malicious link.

The .PDF mentioned in the email message that contains a malicious link.

Malicious file in action: the presumed software license agreement.

Malicious file in action: the presumed software license agreement.

Malicious file in action: setup wizard.

Malicious file in action: setup wizard.

Malicious file in action: accepting terms of the license agreement.

Malicious file in action: accepting terms of the license agreement.

Malicious file in action: ready to install.

Malicious file in action: ready to install.

Malicious file in action: prompt to reboot.

Malicious file in action: prompt to reboot.

Malicious file in action: execution complete.

Malicious file in action: execution complete.

  • Share/Bookmark

Tags: , , , ,
Posted in Email Security, Research, Security, phishing | No Comments »

Warning! March Madness Means March Malware

Friday, March 12th, 2010

By Barracuda Labs

If you’re working on your Atlantic Coast Conference brackets this week, be extra careful where you click. Cybercriminals are up to their old tricks and hoping you’ll make a fast break to their Web sites.

To raise the chances that you will, they’ve taken over popular search terms such as “ACC Tournament Schedule 2010″ and “ACC Tournament Bracket” and inserted poisoned links that lead to Rogue AV sites. SEO poisoning continues to pick up steam as attackers race to re-direct your browser to a Web site serving up various malicious programs. In this case, “CleanUp Antivirus” Rogue AV seems to be the flavor of choice.

As part of this experiment, Barracuda Labs discovered that a Google search for “ACC Tournament Schedule 2010″ returned 23 malicious links within the first 50 results. Unless you know how to tell the difference between the good links and the bad ones, you stand almost a 50% chance of having your computer taken over by “Scareware” that tries to separate you from as much as $90 for the fake software.

We discuss Rogue AV and SEO poisoning in more detail in our 2009 Annual Report released this week. The attacks are becoming increasingly more popular as hackers target vulnerabilities in legitimate Web sites, making it more likely for the page to be visited and the malicious content to be delivered. .

CNBC sites surveys that show almost 45% of American workers participate in March Madness pools at work. Much of this research is happening on company time, causing a significant decrease in employee productivity as loyal fans follow their favorite teams. While the boss may turn a blind eye to that activity, a malware infection sure won’t help your ranking at work.

Barracuda Web Filter and Barracuda Web Security Service customers are protected from this attack.

Below are screenshots that trace the attack.

Top results for ACC Tournament Schedule 2010 from Google

Top results for ACC Tournament Schedule 2010 from Google

Top results for ACC Tournament Schedule 2010 from Google

Beginning at result 11, the links all lead to malicious content.

Beginning at result 11, the links all lead to malicious content.

Beginning at result 11, the links all lead to malicious content.

When the user clicks on a poisoned link, the following page pops up briefly.

When you click on a poisoned link, this page pops up briefly.

When you click on a poisoned link, this page pops up briefly.

Next, an official-looking warning appears.

Next, an official-looking warning appears.

Next, an official-looking warning appears.

Followed by bad news, which is completely untrue.

Followed by bad news, which is completely untrue.

Followed by bad news, which is completely untrue.

The Web page wants the user to run a file. Don’t do this!

The Web page wants you to run a file. Don't do this!

The Web page wants you to run a file. Don't do this!

If the user does run the file, the user will become infected with CleanUp Antivirus.


If you do run the file, you are infected with CleanUp Antivirus.

If you do run the file, you are infected with CleanUp Antivirus.

CleanUp Antivirus repeatedly sends you to this ‘money page’ where the user is asked to submit a credit card.

CleanUp Antivirus repeatedly sends you to this 'money page' where the user is asked to submit a credit card.

CleanUp Antivirus repeatedly sends you to this 'money page' where the user is asked to submit a credit card.

  • Share/Bookmark

Tags: , ,
Posted in Internet Security Tips, Research, Security, Web Security | No Comments »

Twitter’s Red Carpet Era – Celebrities and Criminals

Tuesday, March 9th, 2010

Posted by: Barracuda Labs

As part of an ongoing effort to make the Web a safer place for both business and casual users, Barracuda Labs decided to take a deeper look at one of the Web’s fastest growing social networks, Twitter. We reviewed growth drivers, usage trends and the overall crime rate, analyzing both legitimate and malicious users for 2009. Today, we published our findings as part of our Barracuda Labs Annual Report.  This report revisits an analysis completed by the team in June 2009, following the launch of TweetGrade (www.tweetgrade.com), and coincides with recent accounts of Twitter’s explosive growth – reportedly reaching 50 million tweets per day.

Our analysis is based on nearly 19 million Twitter accounts, in which we analyzed the frequency and content of tweets, user-to-user interactions, and each account’s overall activity level.

The bottom line is this: users are more active on Twitter; more users joined Twitter in 2009 following a massive influx of celebrities to the site; and sure enough, the criminals followed the users in a forceful way causing the overall Twitter Crime Rate to spike.

So let’s dig into the results…

HOW PEOPLE ARE USING TWITTER

Twitter Follower vs. Following Trends – What’s a True Twitter User?

Notably, people are using Twitter more actively. For the purpose of this exercise, we define a True Twitter User as someone who has three main attributes:

  1. Has at least (≥) 10 followers
  2. Follows at least (≥) 10 people
  3. Has tweeted at least (≥) 10 times

Interestingly, our study shows that only 21 percent of Twitter users fall within our definition parameters and are True Twitter Users.

What do we mean by “more active” on Twitter? Essentially, this means that:

  • Users are following more user accounts
  • Users are being followed back by more user accounts and more often
  • Users are tweeting more.

Today, only 17 percent of Twitter users have zero followers, which is a 40 percent increase in the number of users that now have “more” followers (i.e. ≥ 10 followers) when compared to 30 percent in June 2009.

Our analysis also found:

  • 26 percent of users now have at least (≥) 10 followers, showing a 30 percent increase since June when only 20 percent of users had at least (≥) 10 followers.
  • 40 percent of users are following at least (≥) 10 user accounts, showing an 18 percent increase since June.
  • 27 percent of users have tweeted 10 times or more, showing a 29 percent increase since June.

Additionally, today there is a trend toward users actually using Twitter as a two-way communication tool versus as an RSS feed or “information fire hose.”  In fact, 36 percent of Twitter users today have more followers than the accounts they are following, showing an 80 percent increase since June when that number was only 20 percent.

Twitter Users More Active

Not only are people becoming more connected on Twitter, they also are becoming more active:

  • 27 percent of users have tweeted at least (≥) 10 times, which is a 29 percent increase since June.
  • Moreover, today there are 34 percent of users who have not tweeted since they created an account. While that still seems like a fairly high percentage of inactive accounts, it shows an eight percent decrease (down from 37 percent) since June 2009, demonstrating that people are becoming more active.

What’s even more interesting is that the most active users on Twitter are not the ones with the most followers.

  • Users with an average of 1,000 followers actually tweet the most, as compared to those with fewer than 100 followers or more than 100,000 followers.

TWITTER GROWTH & THE TWITTER RED CARPET ERA

Further, some remarkable trends emerge as we review how Twitter’s growth has taken shape. Based on when a member joined Twitter, we plotted a Twitter growth chart. This chart illustrates a very concentrated growth spurt during the early part of 2009 – a time period which we define as the “Twitter Red Carpet Era.”

The Twitter Red Carpet Era falls between November 2008 and April 2009. This is the period of time during which a handful of ‘celebrities’ – including 27 of the top 50 and 48 of the top 100 most followed Twitter users – joined.

  • In the beginning of 2008, Twitter was growing approximately 0.31 percent per month. By November 2008, that growth increased to 1.95 percent per month.
  • After December 2008, Twitter’s growth exploded from nearly two percent per month, and rising to approximately three-to-four percent per month, before finally peaking at nearly 20 percent per month in April 2009.
  • At the end of the “Twitter Red Carpet Era,” growth appears to have normalized, dropping back to 0.34 percent by December 2009.

The following graph illustrates the Twitter Red Carpet Era and the significant impact that these celebrities had on Twitter’s growth as they brought their fan bases with them from the real world to Twitter.

TWITTER CRIME RATE

As millions of users flocked to Twitter during the Twitter Red Carpet Era, so too did the criminals. During this time, numerous accounts were used for malicious purposes such as poisoning trending topic threads with malicious URLs (hidden by the ever popular URL shortening services) aimed at luring Twitter users to sites carrying malware or other malicious content.

The Twitter Crime Rate is defined as the percentage of accounts created per month that are eventually suspended for malicious or suspicious activity, or otherwise misused.

  • In 2006, the Twitter Crime Rate was only 1.2 percent.
  • By 2007, the Twitter Crime Rate increased slightly to 1.7 percent.
  • In 2008, the Twitter Crime Rate averaged around 2.2 percent.

During the Twitter Red Carpet Era, the Twitter Crime Rate increased from 2.02 percent to 3.36 percent, showing a 66 percent increase in the overall Twitter Crime Rate.

As more users joined Twitter in 2009, the Twitter Crime Rate continued to escalate reaching 12 percent     in October 2009. This means that one in eight accounts created was deemed to be malicious, suspicious or otherwise misused and was subsequently suspended – clearly showing that the criminals do, in fact, follow the users online.

Twitter’s proactive response to keep its users’ social networking experience safe is admirable; however, it remains unclear how efficient Twitter is in detecting a malicious account.

Why should you care about how Twitter is used?

At Barracuda Labs, we’re constantly monitoring the Web ecosystem and tracking new trends in malware and other attacks.  Social networking platforms like Twitter and Facebook provide a perfect opportunity for attackers to find their victims, leveraging what users assume to be a “safe” environment. This is evident through the Twitter Crime Rate mentioned above. Attackers employ various techniques to build up their follower list, poison trending topic threads, or initiate other campaigns which can increase the visibility of their tweets, and therefore draw users in to suspicious sites, malicious downloads or other malevolent activity. As social networks continue to gain momentum – and millions of users – there is no doubt that criminals will look to create more sophisticated and serious social engineering attacks against unsuspecting users.

For a deeper dive into these social networking, Web and email attacks, download the Barracuda Labs Annual Report or feel free to drop us a line in the comments section below. We look forward to working with you to solve these problems and make the Web a safer place for corporate and casual users. Meanwhile, be sure to think twice before following someone you don’t know and check out their user profile at TweetGrade.com.

  • Share/Bookmark

Posted in Internet Security Tips, Research, Security, Tweet Grade, Web Security | No Comments »

Online Safety: Tips to Protect Your Information

Monday, December 21st, 2009

Posted by: Barracuda Labs

With the increased awareness and attention around incidents of identity theft, consumers are becoming more vigilant in how they provide personal information online. At the same time, businesses that require such information to complete a transaction also must evaluate how they collect that information online from consumers.

For example, a colleague recently forwarded the email below from Southwest requesting personal information to complete the Transportation Security Administration’s (TSA) Secure Flight verification. Because the email was sent after the flight reservation was booked, it was unclear to the recipient whether or not the email was legitimate. Upon examination, it is clear that this is a legitimate email from Southwest; however, it is one that could easily be forged by a spammer or hacker attempting to collect a user’s personal information.

As people are making final travel arrangements and gift purchases online in this last week leading up to the holidays, Barracuda Networks has compiled a number of tips to help consumers discern legitimate emails and Web sites from malicious attempts, as well as recommendations for businesses to better serve their consumers online.

Online consumer safety:

1. Real or fake? Do not click on links included in an email. Instead, type the address directly into your Internet browser.

2. Email security and anti-virus solutions up-and-running. Make sure you have a strong email security solution in place that can block spam and phishing emails as well as detect and block viruses and other malware (including malicious Web links) contained in the email. As an extra precaution, make sure your desktop anti-virus protection is up-to-date and running. This will keep any viruses/malware not sent over email from infecting your computer or adding you to a larger botnet.

3. Strong Web filtering. Having a strong Web filter in place will allow you to block access to potentially dangerous Web sites. Web filters can block downloads by file type and applications that access the Internet (i.e. IM, music services, etc.) that are often used by hackers as a means of transporting malware onto your computer.

4. When in doubt, check it out. If you receive an email from a business that you recently have done an online transaction with – retail, bank, airline, etc. – and are not sure of its authenticity, check it out. Call or email the business to verify that the request is legitimate. Also, you can go directly to that company’s Web site to look for warnings listed of recent Web scams that have targeted the business.

Helping businesses serve customers:
1. On-site, at-once. Request all necessary customer information at the time of purchase, while the consumer is on the Web site. In the case of the Southwest email, if the consumer had been directed to the “MySouthwest Account” to provide this information at the time of flight reservation and purchase, it would have expedited the process for the consumer and eliminated the need to send a follow up email that raised the suspicion of the recipient.

2. Avoid follow up email. Consumers are likely to be more suspicious of emails requesting that they log back into – or create – an account to provide personal information.

3. Provide clear instructions. If sending a follow up email to complete the transaction is unavoidable, provide a clear message to the consumer at the end of the initial online transaction – before they leave the Web site – so that they know to expect an email that will require additional information and what that required information will be.

4. Privacy Policy. Be sure to provide a privacy policy that’s easy to find and is clear on what the Web site will and won’t do with the information entered.

5. Protect customer information on your site. Businesses are responsible for ensuring that the customer information that it collects online is protected from those with malicious intent. Implementing a strong Web application firewall protects the business Web site from being hacked and customer information from being stolen.

The underlying goal here is to enure that businesses that legitimately require user information receive it in a timely and secure fashion. That will keep the bad guys out of consumer’s wallets and bank accounts, and from stealing their identities.

If you look at the email you will see that we have identified the hyperlinks take you to a legitimate Southwest domain. We know it is a legitimate Web site because the URL contains the Southwest domain.

  • Share/Bookmark

Posted in Email Security, ID Theft, Internet Security Tips, Security, Web Security | No Comments »

Yet Another Reputable Site Asks You to Install Rogue AV

Friday, December 18th, 2009

Posted by: Barracuda Labs

Yet another reputable site has fallen victim to compromise — University of Arkansas.

This Tuesday, Barracuda’s Malicious Javascript Detection engine (MJD) identified Rogue AV software being distributed from a page that belongs to the University of Arkansas Web site. When users accessed a particular page from the university Web site, it opened a window warning them about their computer being infected with viruses and then subsequently downloaded an anti-virus software which was identified to be a fake anti-virus software.

A forensic analysis of the attack revealed that the user requested the following:

hxxp://bumperscollege.uark.edu/ssp_director/inc/html/d/georgia-inmate-query.html

which in turn requested a javascript from a malicious domain via script include:

hxxp://xrusx.com/counter.php?sref=bumperscollege.uark.edu/ssp_director/inc/html/d/georgia-inmate-query.html

which contained further malicious javascript includes that generated fake warning messages on the user’s computer.

And ultimately attempted to download setup.exe:

setup.exe was linked off another malicious domain:

hxxp://www.loker.us/forum/attachments/setup.exe

While investigating deep into the tracks of the user to determine how the user got to this page, we made yet another interesting discovery. Our investigation could not find user browsing a page linking directly off Universityof Arkansas linking the malicious page that was distributing the Rogue AV. Instead, it was a Bing search result that lead user to this page. Specifically, one customer using the Barracuda Purewire Web Security Service searched for ‘georigainmatequery’ on Microsoft Bing search engine.

hxxp://www.bing.com/search?q=georgiainmatequery

Which yielded following results:

As you can see, the malicious link from uArk.edu shows up in the bing search results — and in the number two spot. The page is leveraging uArk.edu’s reputation ranking in what we’ve previously reported on as SEO poisoning (see previous post). This is becoming increasingly more popular as hackers are targeting vulnerabilities in legitimate Web sites since it makes the malicious page more likely to be visited. While search engines have been proactively adding malware scanning in their arsenal, legitimate Web site owners also need to take proactive steps to keep their site free of such malicious content.

Customers using the Barracuda Purewire Web Security Service are protected from this attack.

  • Share/Bookmark

Posted in Research, SEO Poisoning, Security, Web Security | No Comments »

5 Tips For Staying Safe In Social Networks

Thursday, August 13th, 2009

Posted by: Barracuda Labs

In case you haven’t noticed, social networking sites are taking over the Internet. They receive the most traffic; they generate the most media attention, and let’s face it: they’re where all the cool kids are hanging out. Unfortunately, as these sites become more and more popular, they also become more and more attractive as targets for attackers.

So what can you do to protect yourself from attackers? If you’re incredibly paranoid, you can just boycott all social networking sites (that’s what the Marines do). Or if that’s a little too extreme, you can always follow these five simple guidelines for protecting yourself in these environments:

1.) Don’t use “password” as your password. I know it’s easy to remember, but it’s also incredibly easy to guess. Instead, use a strong password with at least 8 characters that consists of numbers, mixed case letters, and special characters. Also, be sure to use a hard-to-guess password reset question (i.e., don’t end up like Sarah Palin’s Yahoo! account).

2.) Don’t use the same password at multiple sites. I realize this is somewhat inconvenient, but consider the alternative. If you use the same password at every site, what happens when one of your accounts is compromised? You guessed it: all of your accounts are compromised! Scary, right?! Now, go change your passwords!!!

3.) Don’t give your username and password to untrusted sites. Some legitimate sites will ask for your username and password (e.g., sites that support Facebook Connect), but you should always verify the trustworthiness of a site before you enter your credentials. When in doubt, err on the side of caution and avoid becoming yet another phishing victim.

4.) Don’t click on that! Never click on links from unknown users because they can lead you to any number of malicious destinations. Even if you trust the user, use caution because you never know when one of your friends has been compromised (not everyone reads this blog :-P ). Also, be extremely careful with shortened URLs because you have no idea where they will lead you. To be on the safe side, use an unshortener (e.g., Untiny, Unshorten, etc.) to determine a shortened URL’s final destination.

5.) Verify the trustworthiness of people by using reputation systems such as Purewire Trust and TweetGrade. Social networking sites are like the Wild Wild West of the Internet, but reputation systems aim to establish a sense of order to these sites so that users can make informed decisions in these environments. Before interacting with unknown individuals in a social networking site, you should check their reputations in one of these systems to safeguard yourself from malicious activity.

If all else fails, just remember to use common sense! When a smoking hot stranger sends you a friend request or a link, just ignore it and keep on moving.

  • Share/Bookmark

Posted in Purewire Trust, Security, Tweet Grade | No Comments »

A month of zero day(s)!

Tuesday, August 4th, 2009

Posted by: Barracuda Labs

July proved to be quite an eventful month for security researchers! First we had 0Day in Microsoft video ActiveX controller exploiting DirectShow discussed here (http://www.microsoft.com/technet/security/advisory/972890.mspx) , then another 0Day in Office Web Component (OWC) (http://www.microsoft.com/technet/security/advisory/973472.mspx) , followed by 0Day in Firefox (http://www.mozilla.org/security/announce/2009/mfsa2009-41.html) and ended with a 0Day in Adobe flash player (http://www.adobe.com/support/security/advisories/apsa09-03.html). Each of these vulnerabilities is being exploited in wild right now and switching from one browser to another is no longer a solution. Instead users should take all precautionary measures suggested by vendors to avoid these exploits and they should also update their systems as soon as the fix is out for vulnerable components.

As for researchers it is interesting to see how quickly attackers are adapting various ways to make sure that exploits execute unnoticed and stay alive to take advantage of the period between advisory and fix or users who don’t update their systems immediately! When we first started following the msVidCtl (DirectShow) exploit, it looked pretty usual heap spray and shellcode injection attack served as javascript include. However, soon attackers started masking javascript as jpg and lying about the content-types so if your scanner only scanned files that are served as javascript extensions, you would be out of luck for any protection at that time. Next they started fragmenting the exploit javascript in multiple smaller javascript includes so looking at just one file you can not determine if it is serving an exploit. Use of various obfuscation techniques for hiding javascript has become very common and it probably needs its own post .. may be next time. We saw similar techniques being employed in OWC exploits and it would not be a surprise if we start seeing them with Firefox exploits or flash exploits.

Another interesting point to notice in all these exploits is their transport mechanism. In most cases attackers try to lure users to visit a site hosting the exploit. However due to diligent work by security researchers it is becoming harder to keep specific malware serving sites up for long time before they get blacklisted! So what does an attacker do? Find a reputable site that can host the malware! Why would a valid site host a malware ? They wont ‘knowingly’ but what if bad stuff gets in their via door site owners don’t know about! Attackers are trying to find holes like SQLInjection in legitimate sites not to steal data but to inject malicious scripts that make their way back to the webpage served to the user when users visit the site.One real world attempt to serve exploit for OWC is reported here (http://isc.sans.org/diary.html?storyid=6811). So this is not all theory but happening now. You can only imagine millions of other websites that are ready to be victims of these kind of exploits. If you have a site make sure you do everything to not become attacker’s accomplice.

For now users can set the killbit for ActiveX controls as suggested by Microsoft for OWC (http://blogs.technet.com/srd/archive/2009/07/13/more-information-about-the-office-web-components-activex-vulnerability.aspx) and for Microsoft Video control ActiveX component (http://blogs.technet.com/srd/archive/2009/07/06/new-vulnerability-in-mpeg2tunerequest-activex-control-object-in-msvidctl-dll.aspx). Users using Firefox 3.5 should update to 3.5.1 a new release issued by Mozilla fixing the issue. Adobe has released a fix for flash plugin (http://www.adobe.com/support/security/bulletins/apsb09-10.html).

  • Share/Bookmark

Posted in Security | No Comments »