Amnesty International’s UK website has been compromised and is serving drive-by downloads. Historical data indicates the website AIUK was compromised on or before Friday, December 16.

Details:

Visiting hxxp://www[.]amnesty[.]org[.]uk loads hxxp://3max[.]com[.]br/cgi-bin/ai/ai.html via an iframe. 3max.com.br, which itself is a legitimate but compromised Brazilian automotive website, loads malicious Java content (stolen from the Metasploit project), which targets CVE-2011-3544. If the exploit is successful, malware is installed on the visitor’s system.

Details of Vulnerability Targeted by the Exploit
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3544
VirusTotal Detections for Exploit
http://www.virustotal.com/file-scan/report.html?id=1cc214cee10f02d37359c0e3d04fd57899333c4b1eaa81489c74e5c2fa17c3a8-1324068153
VirusTotal Detections for Exploit Payload
http://www.virustotal.com/file-scan/report.html?id=0e53832e1c36d34a3d05c05f73ebab22a74ade95c5f3b7d9f74fad4f56d10023-1324067892

The exploit payload possesses properties of targeted malware but is being served by an exploit of a popular, public website. The working theory for this anomaly relates to Amnesty International as a human rights non-governmental organization. To explain, certain countries use zero day exploits and other techniques to gain electronic information about the activities of human rights activists. Of course, a subset of these activists are too smart to click on links in even well-worded spearphishing emails. But what if you compromised a website frequented by these activists (e.g., Amnesty International)? Then your targets come to you. The context-specific damage potential is significant.

Amnesty International UK has been notified about the compromise.

Launching a new Web app today comes with a few certainties, and one of them is, “I will be a target for hackers” for sure.  So when an app as large and as high profile as Google+ launches, it will surely be one of the top targets for malicious activity.  This happened to Facebook the more popular it grew and it still is a favorite platform for malicious activity.  I did some analysis of the HTTP traffic between Google+ and the browser and found that Google is off to a good start in regards to browser security. Below are several take-aways:

Only SSL!
All Google+ traffic is sent over SSL and non SSL is not even an option.  This protects users’ traffic from getting sniffed and their sessions from being hijacked.  It is good to know that Google understands that sensitive information is being shared and SSL is really the only option for transmitting data.

Secure Headers
Here is what a typical response looks like from Google+:

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 184942
Set-Cookie: ULS=somehash; Path=/; Secure; HttpOnly
Date: Fri, 15 Jul 2011 14:29:05 GMT
Expires: Fri, 15 Jul 2011 14:29:05 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE

There are a few headers in this response that are specific to browser security, for example:

Set-Cookie Secure – This tells the browser to only send cookies over a secure (SSL) connection.  So if the site happens to hit a page that is not SSL, then the cookie will not be sent.

Set-Cookie HttpOnly – This prevents the cookie from being accessed by client side script.

Both of these cookie attributes help to prevent  session hijacking by only sending cookies when appropriate.

X-Content-Type-Options: nosniff – This prevents “mime” based attacks. The header instructs the browser not to override the response content type.  For example, some browsers try to be smart by deciding for themselves if the content is really is text/html or an image.  So with the nosniff option, if the server says the content is text/html, then the browser needs to render it as text/html.

X-Frame-Options: SAMEORIGIN – This tells the browser to only render frame pages from the URL hosting the main page.  This prevents Clickjacking attacks against the user.  Clickjacking is a browser-based attack that tricks the user into clicking on one thing but then performs a different action, such as following a user on Twitter.

X-XSS-Protection: 1; mode=block – This allows the browser to detect a cross site reflection attack.  If the browser sees a potential reflection attack, it will prevent the page from rendering in the browser.  Instead, you will see something similar to this depending on the browser:

What about Facebook?
While these preventions are by no means ground breaking or new, the fact that Google is thinking about and using them is a good step.  In contrast, let’s look at a typical Facebook response:

HTTP/1.1 200 OK
Cache-Control: public, max-age=604800
Content-Type: application/x-javascript; charset=utf-8
Expires: Fri, 22 Jul 2011 14:46:37 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
X-Frame-Options: DENY
Set-Cookie: _e_syaN_0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
X-FB-Server: 10.52.238.45
X-Cnection: close
Date: Fri, 15 Jul 2011 14:46:37 GMT
Content-Length: 24032

It is surprising that Facebook has not taken the same simple precautions that Google+ has taken. Here, we can see the differences:

In fact, just yesterday Microsoft’s Vulnerability Research team released advisory MSVR11-007: “Clickjacking Vulnerability in Facebook.com Could Allow Account Compromise”.   According to the advisory, Facebook has resolved the issue.  I did another check of the headers and still did not see any change to the response.  It is possible that Facebook closed the hole on the server side with input validation in order to prevent the malicious data from entering their database, but they still did not implement the simple browser precautions that Google+ has.   Here is the link to the official MSVR advisory:
http://www.microsoft.com/technet/security/advisory/msvr11-007.mspx

The folks from SecTheory/WhiteHat Security have an excellent write-up on Clickjacking.  For detailed information on this vulnerability visit:
http://www.sectheory.com/clickjacking.htm

Conclusion
Unfortunately, not all of these headers are supported in all browsers, meaning any of you still using IE6 won’t be able to take advantage of these headers.  What’s this mean for you? Make sure you are using an up-to-date browser to take full advantage of these protections.

Do these security measures make Google+ impervious to malicious activities?  Absolutely not.  Is it a good start?  Yes, it is. And further, it is good to see an app make its debut with security in mind.  It actually gives us Infosec folks a bit of hope that developers are listening and doing the right thing.

Fake antivirus scams are designed to scare innocent computer users with exaggerated displays of virus activity in the hope that they will hand over their credit card numbers to make it go away.   They’ve been around for years and the most prevalent ones use a freely available JavaScript design that mimics the Windows user interface, as seen here:

Fake Antivirus that mimics Windows

When these pages pop up on Macintosh computers, it’s immediately obvious that something isn’t right.

Last quarter, Apple set a new record (3.47 million sold in the quarter) with a growth rate of 33% over the prior year’s quarter.  Apple has about 10% of the computer market in the United States, and that doesn’t even include iPads.

That market share has been noticed by the fake antivirus scammers, and this week they have added a new JavaScript design that mimics the Macintosh interface, as seen here:

Fake antivirus that mimics Macintosh

Drive-by download sites now serve up this page if they detect access from a MacOS computer while Windows users still see a Windows style page.   The example above is called “Apple Security Center” but similar templates have been seen named MacDefender.

Since this is just JavaScript, the correct move at this point is to refuse the download and browse elsewhere.  Accepting the download and running it installs “Mac Protector” which displays pornographic images and promises to remove them for a credit card payment.

The initial infection vector is poisoned entries in Google search results.  We’ve talked extensively about poisoned search results and this represents another example of where otherwise normal Web sites are compromised and made to serve up bogus pages that are well ranked by Google. When one of these links is clicked, the compromised Web site detects a visit from Google search results and sends the visitor to a server that presents the fake antivirus. The recent change in Google content ranking has not stymied these attacks – the malicious link we tested was on page 1 of our search results:

Malicious link in Google results

Past Search Engine Optimization campaigns targeted very popular search terms such as celebrity sightings or breaking news events.  The poisoned links mentioned in this post are more likely to show up in the results for more mundane search terms so as to attract less attention, but they’re still getting plenty of traffic.

This is turning out to be a big problem for Apple. It has been conventional wisdom for years that one of the simplest Internet security solutions is to “just buy a Mac” and stop worrying.  Now that the most common drive-by attack vectors are serving up malware, unwary Mac users are being exposed to the harsh world that Windows users have dealt with for years, and are going to have to learn the same lessons.  Don’t believe everything that pops up on your screen, and don’t run any software unless you know where it came from and what it will do.

Barracuda Networks Barracuda Web Filters and the Barracuda Web Security Flex stop the download of this threat.

Wow.  What a weekend.  In case you haven’t heard, Barracuda Networks was the latest victim of a SQL injection attack on our corporate Web site that compromised lead and partner contact information.  The good news is the information compromised was essentially just names and email addresses, and no financial information is even stored in those databases. Further, we have confirmed that some of the affected databases contained one-way cryptographic hashes of salted passwords.  However, all active passwords for applications in use remain secure.

So, the bad news is that we made a mistake.  The Barracuda Web Application Firewall in front of the Barracuda Networks Web site was unintentionally placed in passive monitoring mode and was offline through a maintenance window that started Friday night (April 8 ) after close of business Pacific time.  Starting Saturday night at approximately 5pm Pacific time, an automated script began crawling our Web site in search of unvalidated parameters.  After approximately two hours of nonstop attempts, the script discovered a SQL injection vulnerability in a simple PHP script that serves up customer reference case studies by vertical market.  As with many ancillary scripts common to Web sites, this customer case study database shared the SQL database used for marketing programs which contained names and email addresses of leads, channel partners and some Barracuda Networks employees.  The attack utilized one IP address initially to do reconnaissance and was joined by another IP address about three hours later.  We have logs of all the attack activity, and we believe we now fully understand the scope of the attack.

This latest incident brings home some key reminders for us, including that:

• You can’t leave a Web site exposed nowadays for even a day (or less)
• Code vulnerabilities can happen in places far away from the data you’re trying to protect
• You can’t be complacent about coding practices, operations or even the lack of private data on your site – even when you have WAF technology deployed

Before responding prematurely to the press or to anyone else, we wanted to make sure we had time to sift through our logs and do a bit of communication.  We’re glad that the impact will be very minimal, but we’re not happy about the amount of bandwidth we’ve spent assessing what happened, responding to affected parties and putting in place the steps to prevent it in the future.

We are working to notify everyone whose email addresses were exposed, and we apologize for the inconvenience.

Two weeks ago Facebook saw a wave of celebrity like-jacking attacks which Barracuda Labs detailed in a post describing their Open Graph underpinnings.  Those attacks used teen celebrities as their bait – Justin Bieber and Miley Cyrus were prominent themes.

After a slight hiatus, the scammers are back with the same software but a different approach.  They’re targeting a tried and true Internet meme – T & A.

like-jack posts in friends feed

Clicking on one of these links in a friend feed takes you away from Facebook to another site.  In the previous campaign, these throw-away sites were registered with names like girl-gets-caught.info or daddy-bustedonline.info, and the scam pages were formatted to look like YouTube videos.

Now that they’ve added more salacious come-ons, at least some of the pages are formatted to look like gossip sites.

Like-jack attack page

Just as before, this Web page uses the Open Graph API to construct a large ‘like’ button that appears to be a movie preview pane.   Clicking on the preview pane does two things: it posts a ‘like’ message to your own news feed and then serves up a set of scammy surveys and questionable product offerings under the guise of a ‘security check’.

Survey delivery dialog

If you click all the way through any of these offerings, the like-jack page creators are paid a fee.   Entering personal information into any of these ‘surveys’ is a great way to get on spam lists.   Many of them solicit your cell phone number and then sign you up for unwanted premium SMS services which are placed on your cell phone bill each month.

Barracuda Networks recommends you exercise special care when visiting links posted in your friends’ news feeds.    Barracuda Web Filters and the Barracuda Web Filtering Service block access to these sites.

Today any news/blog site remotely technical most likely has a blurb about about the recent Gawker media compromise.  Most people are making a big deal out of the release of the password files, but honestly, there’s not a lot to that part.  These were clearly very low priority passwords for almost everyone using them. While there was probably some amount of password reuse between Gawker sites and the users’ email addresses, the overlap is still relatively small.

But everyone loves a few stats, so here we go… Out of 188,281 passwords (this is from the parsed_db.txt file in the torrent floating around) the top passwords used are:

3057 – 123456
1955 – password
1119 – 12345678
661 – lifehack
418 – qwerty
333 – abc123
311 – 111111
300 – monkey
273 – consumer
253 – 12345
247 – letmein
241 – trustno1
233 – dragon
213 – baseball
208 – superman
202 – iloveyou
202 – 1234567

Additionally,

~50k of the accounts had a Gmail address, ~45k had a Yahoo address, and ~29k had a Hotmail account.

855 of the passwords contained one of George Carlin’s 7 Dirty Words.

930 contained Love.

And honestly, I’m a bit surprised that that many people who comment on blog sites are into baseball enough to have it as a password.

The bigger story should be about how complete the compromise appears to be.  All of the source code Gawker owns appears to have been released, and that is a very large piece of intellectual property out there for anyone to take apart.  Not only does it allow others to find problems in the source code, but it also allows them to see what Gawker is planning for in the future, what capabilities they have but haven’t unlocked, and of course allows any hacker worth his salt to find vulnerabilities in the code for future attacks.  All around, this is not a good situation for any company to be in and will likely lead to a major code rewrite/audit in order to deal with this effectively.

So in light of recent events, now is as good of a time as any to share some good password advice:

1. Developers – Hash your passwords using salt.  It seems (though, I haven’t verified this yet) that this database was simply DESing the passwords without doing any sort of salt using a username/etc.  This is bad since it means that a simple rainbow table can be looked up, and that collisions are much easier to come by.

2.  Users – Don’t use easy-to-guess passwords (if your password is in the Gawker list, that’s bad.)   An easy way to make a strong password is to start with an easy-to-remember phrase, like “The quick brown Fox jumped over the lazy Dog.”  Then take the first letter from each word, like so – “TqbFjotlD”.   Add in a number such as your age and you have a fairly strong password that’s still easy for you to recall.

3.  Users – Don’t share passwords between sites.  Instead, use the technique in item 2 to create a strong password “root” which you can reuse on sites by appending a special character such as @ and a two or three letter mnemonic for the site.  For example, the above password root could be “TqbFjotlD32@GM”  for Gmail,  “TqbFjotlD32@HM” for a home computer, and even “TqbFjotlD32@GK” for Gawker media.

I’m sure we will be hearing more about the Gawker compromise over the next few days, and will keep you updated if anything interesting pops up.

Barracuda Labs researchers have recently seen a particularly nasty variant of Trojan.FakeAV  spreading in the wild.  We have seen this fake antivirus malware delivered both by way of  drive-by exploits and by way of direct links embedded in enticing spam emails.  The first sign of infection is the display of a very convincing copy of a Microsoft Security Essentials alert.   The malware then prevents the victim from running most programs on their desktop.

When the real Microsoft Security Essentials antivirus program  encounters malware on a computer it displays an alert such as this one:

Valid Microsoft Security Essentials alert

A computer that has been attacked by this strain of Trojan.FakAV immediately displays the following very similar alert:

Fake alert

The difference is that the second alert will continue to reappear even if the user closes it.   Any attempt to run Outlook or Internet Explorer, open a command window or even run the Task Manager will be intercepted and the alert will re-display. The inability to run most common programs on the computer leaves the uninformed user with no alternative but to explore the alert.   Choosing “Clean Computer” or “Apply Actions” brings up an interesting scan dialog:

"Online Scan" results

A large list of  antivirus product trademarks is displayed.  Unfortunately, none of the well-known products seem to be able to find any problems. Cleverly interspersed with the reputable programs are images for five bogus antivirus ‘products’ including:

AntiSpy Safeguard
Major Defense Kit
Peak Protection
Pest Detector
Red Cross

Of course, no scanning ever happened, and the programs listed above are all built directly into the malware. They all appear identical except for a name change.   If the user installs the first one, this is displayed:

Fake AV "Install" dialog

We were particularly amused by the wholesale theft of the GNU “free software” license agreement.  Behind the scenes, the installation of any of these bogus ‘products’ sends messages across the Internet to IPs  85.234.191.174 and 85.234.191.180, both of which are located in Latvia.  The first is the home of a malicious fake porn site and the second hosts a site whose main page simply reads “There is nothing here”.

Once ‘installed’ the program goes right to work fixing ‘problems’.   Unfortunately some of those problems require a missing “heuristic module”.

Fake AV "scan"

Ignoring this requirement results in an error message. Outlook, Internet Explorer, Task Manager – the most basic Windows programs still will not run. Eventually the user might be tempted to click the purchase button for that module:

FakeAV "money screen"

Fixing the Problem

While it is not possible to open many programs, it is possible to open the  file explorer.  The malware file is found in the users Application Data folder, which is hidden by default.  Once the file is renamed it will no longer be loaded on reboot, and the machine can be cleaned using a reputable antivirus program.

Barracuda Web Filters and the Barracuda Web Filtering Service stop the download of this threat.

Our study shows that attackers have serious efforts devoted towards getting in front of the billions of eyeballs that are using search engines everyday and the millions of users that are connecting on social networks like Twitter. These research efforts allow us to continue to analyze their approaches and build new techniques to find them and protect users. Highlights of the study are below, and you can download the full report off the BarracudaLabs.com homepage.

Searching for Malware

We conducted a study across Bing, Google, Twitter and Yahoo! over a roughly two-month period. The analysis reviews more than 25,000 trending topics and nearly 5.5 million search results. The purpose of the study was to analyze trending topics on popular search engines to understand the scope of the problem and to identify the types of topics used by malware distributors.  Key highlights:

• Overall, Google takes the crown for malware distribution – turning up more than twice the amount of malware as Bing, Twitter and Yahoo! combined when searches on popular trending topics were performed. Google presents at 69 percent; Yahoo! at 18 percent; Bing at 12 percent; and Twitter at one percent.
• The average amount of time for a trending topic to appear on one of the major search engines after appearing on Twitter varies tremendously: 1.2 days for Google, 4.3 days for Bing, and 4.8 days for Yahoo!
• Over half of the discovered malware had originated between the hours of 4:00 a.m. and 10:00 a.m. GMT.
• The top 10 terms used by malware distributors include the name of a NFL player, three actresses, a Playboy Playmate and a college student who faked his way into Harvard.

The Dark Side of Twitter

As part of an ongoing study to data we released in June 2009 and subsequently in March 2010, we analyzed more than 25 million Twitter accounts, both legitimate and malicious. The purpose of this part of the study was to measure and analyze account behavior on Twitter in order to model normal user behavior and identify features that are strong indicators of illegitimate account use. The study reviews several key areas including True Twitter Users¹, Twitter Crime Rate², and Tweet Number³.  Key highlights:

• In general, activity is increasing on Twitter: more users are coming online; True Twitter Users are tweeting more often, and even casual users are becoming more active. As users become more active, the malicious activity also increases.
• Only 28.87 percent of Twitter users are actual True Twitter Users.
• Half of Twitter users tweet less than once a day, yet one in 10 users tweet five or more times a day and 30 percent of Twitter accounts have never tweeted.
• One in every eight Twitter users has at least 10 times more followers than they are following.
• Only one in 10 users is following more than 100 users, and almost half are following less than five.
• The Twitter Crime Rate for the first half of 2010 was 1.67 percent.

We are presenting the findings of both studies, as well as other Barracuda Labs work, at Security BSides Las Vegas and DefCON 18 this week in Las Vegas. Come see us!

Security BSides Las Vegas:

Wednesday July 28 at 3pm PT – The Darkside of Twitter (Dr. Paul Judge, Dave Maynor)

Thursday July 29 at 3pm PT – A Mechanic’s View of SQL Injection (Ray Kelly)

DefCON 18:

Saturday July 31 at 11am PT – Searching for Malware (Dr. Paul Judge, Dave Maynor)

Resources:

• Download the Barracuda Labs 2010 Midyear Security Report at http://www.barracudalabs.com/research_resources.html.
• View the Barracuda Labs security research portal at http://barracudalabs.com.
• Follow Barracuda Labs on Twitter at @barracudalabs.

Footnotes:

1 – ‘True Twitter User’ is defined as a user that has at least (≥) 10 followers, follows at least (≥) 10 people, and has tweeted at least (≥) 10 times.

2 – ‘Twitter Crime Rate’ is defined as the percentage of accounts created per month that were eventually suspended for malicious or suspicious activity, or otherwise misused.

3 – ‘Tweet Number’ is defined as a user’s average number of tweets per day.

If you’re working on your Atlantic Coast Conference brackets this week, be extra careful where you click. Cybercriminals are up to their old tricks and hoping you’ll make a fast break to their Web sites.

To raise the chances that you will, they’ve taken over popular search terms such as “ACC Tournament Schedule 2010″ and “ACC Tournament Bracket” and inserted poisoned links that lead to Rogue AV sites. SEO poisoning continues to pick up steam as attackers race to re-direct your browser to a Web site serving up various malicious programs. In this case, “CleanUp Antivirus” Rogue AV seems to be the flavor of choice.

As part of this experiment, Barracuda Labs discovered that a Google search for “ACC Tournament Schedule 2010″ returned 23 malicious links within the first 50 results. Unless you know how to tell the difference between the good links and the bad ones, you stand almost a 50% chance of having your computer taken over by “Scareware” that tries to separate you from as much as $90 for the fake software.

We discuss Rogue AV and SEO poisoning in more detail in our 2009 Annual Report released this week. The attacks are becoming increasingly more popular as hackers target vulnerabilities in legitimate Web sites, making it more likely for the page to be visited and the malicious content to be delivered. .

CNBC sites surveys that show almost 45% of American workers participate in March Madness pools at work. Much of this research is happening on company time, causing a significant decrease in employee productivity as loyal fans follow their favorite teams. While the boss may turn a blind eye to that activity, a malware infection sure won’t help your ranking at work.

Barracuda Web Filter and Barracuda Web Security Service customers are protected from this attack.

Below are screenshots that trace the attack.

Top results for ACC Tournament Schedule 2010 from Google

Top results for ACC Tournament Schedule 2010 from Google

Beginning at result 11, the links all lead to malicious content.

Beginning at result 11, the links all lead to malicious content.

When the user clicks on a poisoned link, the following page pops up briefly.

When you click on a poisoned link, this page pops up briefly.

Next, an official-looking warning appears.

Next, an official-looking warning appears.

Followed by bad news, which is completely untrue.

Followed by bad news, which is completely untrue.

The Web page wants the user to run a file. Don’t do this!

The Web page wants you to run a file. Don't do this!

If the user does run the file, the user will become infected with CleanUp Antivirus.

If you do run the file, you are infected with CleanUp Antivirus.

CleanUp Antivirus repeatedly sends you to this ‘money page’ where the user is asked to submit a credit card.

CleanUp Antivirus repeatedly sends you to this 'money page' where the user is asked to submit a credit card.