Information Security Newsletter
Bulletins posted 2/20/2009
Nokia Symbian Mobile Phone Malware Notice
A new worm targeting mobile devices running Nokia's Symbian OS is spreading in China in a unique way: through malicious links
contained in text messages. So far there are no reports of this outside of China, but we could see this here as well so we wanted
to inform you.
Up until now, most insidious mobile malware has propagated through attachments in multimedia messaging service (MMS) messages,
which are similar to email messages and allow attachments, Derek Manky, cybersecurity and threat researcher at FortiGuard Global
Security Team told SCMagazineUS.com Thursday. But this new worm is more effective and spreads in a way that has never been seen
in mobile malware propagation before, relying on short message service (SMS), or text, messages.
It propagates by repeatedly sending SMS messages containing a malicious URL to the phone numbers stored in an infected device. If
internet browsing is enabled on the device and the user clicks the link in the message, the phone is directed to a web server to
download a copy of the worm. Since the malicious messages are sent to every contact in an infected user's phone, the worm
conceivably could spread to users in other countries. As of now, the worm has only been seen on Nokia 3250 handsets, but there is
no reason it can't affect other devices or carriers.
This worm relies on social engineering to lend itself credibility. Because the message appears to come from someone the
recipient knows, the odds are that the user will drop their guard, click on the link and become infected.
Once a device is infected, the worm gathers information about the victim, including the phone's serial and subscription numbers,
and posts this information to a remote server likely controlled by cybercriminals.
Always be careful opening attachments or following links - this now applies to your mobile phone as well as to your
desktop browser.
Adobe Reader Exploit In the Wild
Adobe has released a security bulletin for a critical vulnerability today. The bulletin alerts users to a vulnerability in Adobe
Reader and Acrobat. This vulnerability may allow an attacker to execute arbitrary code or cause a denial-of-service condition.
Adobe indicates that it has received reports of active exploitation.
The following actions are recommended by US-CERT to mitigate the risk of exploitation of this vulnerability.
- Review Adobe Security Bulletin APSA09-01
- Disable JavaScript in Adobe Reader and Acrobat. Acrobat JavaScript can be disabled in the General preferences dialog (Edit,
Preferences, JavaScript, and un-check "Enable Acrobat JavaScript")
- Prevent Internet Explorer from automatically opening PDF documents. To disable the display of PDF documents in the web
browser, go to the General preferences dialog (Edit, Preferences, Internet, and un-check "Display PDF in browser").
- Use caution when opening untrusted PDF files
- Make sure your antivirus software is installed, running and up to date with the latest virus signature files
NOTE: Information Technology staff will apply these mitigations to City of Seattle computers - City employees
should not make these changes to their City computers themselves.
Bulletins posted 2/19/2009
Twitter Clickjacking Attack May Be Sign of Problems to Come
A worm that forced a wave of people to unintentionally broadcast messages on microblogging site Twitter shows the potential of a
vulnerability known as clickjacking to dupe large numbers of internet users into installing malware or visiting malicious pages
without any clue they're being attacked.
The outbreak was touched off by tweets that led Twitter readers to a button labeled "Don't click." Users who clicked on the
button automatically posted tweets advertising the same link, which drew in yet more victims. The attacks persisted even after
Twitter added countermeasures to its site and proclaimed the issue fixed. Twitter has once again managed to block the attack, but
there could be many more coming its way.
These Web 2.0 technologies create wonderful new communications opportunities, but they also hand the bad guys a whole
new set of tools. Be extremely careful if you use Twitter, Facebook, or any of the other new communications media.
New Exploit Targets IE 7 Hole Patched Last Week
Cybercriminals are exploiting a critical hole in Internet Explorer 7 that was patched recently by Microsoft, security firm Trend
Micro warned on February 17.
The malicious code, which Trend Micro named "XML_DLOADR.A," is hidden in a Word document. On unpatched systems, when the file is
opened an ActiveX object automatically accesses a Web site to open a backdoor that installs a .DLL (dynamic link library) file
that can steal information, according to a Trend Micro blog entry. The code sends stolen data to another Web address via port 443,
Trend Micro said. As a result of the backdoor, "anybody can run commands on the affected system," said a senior threat analyst
and researcher at Trend Micro. Microsoft recently released a security patch for this vulnerability, along with others. The
vulnerability arises from the browser's improper handling of errors when attempting to access deleted objects.
The exploit is similar to politically motivated attacks seen before the Olympics last year, in which PDF files and Word
documents contained exploit code and automatically connected computers to malicious Web sites, he said. The site the code
connects to appears to be in China, and there is Chinese terminology in the code, according to the analyst. That, and the fact
that the 50th anniversary of the Tibetan uprising is approaching on March 10, suggests that this attack could be politically
motivated as well, he said.
First, you should all have applied the latest Microsoft patches by now. Second, don't ever open an attachment unless you
can be absolutely sure it is legitimate. If you aren't sure, call the person who sent it to verify its authenticity before
opening it. If they didn't send it, you will have done both of you a big favor, by letting them know they are infected and by
avoiding becoming infected yourself!
----------------------------------------
Last Updated: February 20, 2009
Website Contact: David Matthews