Information Security Newsletter

Bulletins posted 9/24/2009

Drudge Report, Horoscope.com, Lyrics.com all serving malicious ads

We've been seeing a lot of these types of problems with malicious ads lately. Last week it was the New York Times, followed by NPR. Be aware - it could happen to a website near you!

A number of popular websites, including Drudge Report, Horoscope.com and Lyrics.com, inadvertently served users malicious banner advertisements crafted to infect users with a trojan downloader recently, according to security firm ScanSafe.

“The volume [of users who encountered the ad] was probably the highest I've ever seen with malicious advertising,” Mary Landesman, ScanSafe's senior security researcher, told SCMagazineUS.com on Thursday.

The advertisements seem to have been delivered to Drudge Report and the other sites through multiple third-party ad networks or other services that are used to help manage the delivery of ads. The services involved in the attack are Google's DoubleClick, YieldManager and ValueClick's FastClick network, Landesman said. Attackers were somehow able to inject the malicious ads into these systems, which subsequently caused the ads to be delivered to the popular sites, Landesman said.

When a user accessed one of the sites serving the ads, a malicious PDF was dynamically created to exploit known, patched vulnerabilities in Adobe Reader and Acrobat. If a user did not have Adobe Reader or Acrobat, the malicious ad attempted to exploit a known ActiveX vulnerability in Microsoft's video streaming software DirectShow. Each PDF was formed differently as a means of avoiding signature detection, Landesman said. In this attack just three of the 41 leading signature virus scanners detected the malicious PDF, she added.

“When a user encountered this, it was a very silent, surreptitious attack,” Landesman said.
“…There was no interaction required from the user; this was a silent drive-by download.”

The end goal was to install a variant of the Win32/Alureon trojan, which was designed to download additional malware from the web, monitor browser use and manipulate search results by redirecting users to the sites of an attacker's choosing. The malicious ads were delivered between last Saturday and Monday; attackers aborted the mission by Tuesday, Landesman said. Attackers tend to run malicious ads over the weekends because consumer-focused sites generally get heavier traffic then, she added.

As noted above, this is becoming an increasingly ubiquitous tactic - be careful to avoid ads even on known good sites, and make sure your applications and operating systems are all up to date with the latest patches.

From SC Magazine, by Angela Moscaritolo

Critical iTunes flaw exposes Mac, Windows to hacker attacks

Apple has shipped iTunes 9.0.1 to fix a critical security hole that puts Mac and Windows users at risk of computer takeover attacks. The vulnerability could be used by hackers to launch code execution attacks via booby-trapped “.pls” files, Apple warned in an advisory. The update is available for Mac OS X v10.4.11 or later, Mac OS X Server v10.4.11 or later, Windows XP, Vista and Windows 7.

Anyone using iTunes should upgrade to the newest version immediately. iTunes will usually prompt you if it has an upgrade available.

From ZDNet Zero Day, by Ryan Naraine

Bulletins posted 9/22/2009

Word handling bug shoots down StarOffice

Sun last week pushed out a set of updates designed to fix a flaw in its StarOffice and StarSuite office software packages. Problems in handling Microsoft Word documents by Sun's open source alternatives created a code injection risk. Users induced into opening malformed documents could wind up with pwned Windows PCs because of the bug, just the sort of thing hackers running targeted attacks might be interested in exploiting.
"Users of StarOffice/StarSuite 7, 8, and 9 all need to update their software at http://blogs.sun.com/security/entry/sun_alert_263508_security_vulnerability"

Scammers auto-generate Twitter accounts to spread scareware

Scammers are increasingly using machine-generated Twitter accounts to post messages about trendy topics, and tempt users into clicking on a link that leads to servers hosting fake Windows antivirus software, security researchers said Monday.

The latest Twitter attacks originated with malicious accounts cranked out by software, said experts at both F-Secure and Sophos. The accounts, which use variable account and user names, supposedly represent U.S. Twitter users. In some cases, the background wallpaper is customized for each account, yet another tactic to make the unwary think that a real person is responsible for the content.

Tweets from those accounts are also automatically generated, said Sean Sullivan, a security advisor with the North American labs of Helsinki-based F-Secure. Some of the tweets exploit Twitter's current "Trending Topics," the constantly-changing top 10 list of popular tweet keywords that the micro-blogging service posts on its home page. Others are repeats of real tweets.

All the tweets include links to sites that try to dupe users into downloading and installing bogus security software, often called "scareware" because they fool users with sham infection warnings, then provide endless pop-ups until people pay $40 to $50 to buy the useless program.

"As fast as Twitter can shut down the accounts, [the scammers] create new accounts," said Sullivan. "Somehow they're getting around the CAPTCHA, but how they're doing it, whether with a bot or by CAPTCHA farms, we don't know."

CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) is the technology that uses distorted, scrambled characters to block automated registration of accounts.
The defense, however, has regularly been subverted by hacker-built software, or by humans who contract to decipher the characters manually.

"There's nothing cookie-cutter about these accounts," noted Sullivan, who added that scareware scammers aren't afraid to spend money to make money. There's a lot of the latter to be had. Last year, botnet researcher Joe Stewart of SecureWorks said there was evidence some hackers were making as much as $5 million a year shilling scareware.

"A lot of these scareware campaigns don't last 24 hours," said Beth Jones, a threat researcher at U.K.-based Sophos. "By the time a [distribution] site is blocked, they've already moved on to something else."

The servers hosting the phony security software behind the Twitter attacks are located in Toronto, said Jones, who said Sophos had been monitoring those systems since June.

Because the scareware tweets use a URL shortening service -- as do most tweets to crowd as much as possible into Twitter's 140-character limit -- it's impossible for users to tell exactly where the link will take them. Jones suggested that users access Twitter with a third-party application, such as TweetDeck, which offers a URL previewer to show the actual destination. Unfortunately, the scammers are using the Metamark shortening service; TweetDeck doesn't support previews for Metamark.

"Scammers are using Twitter because it's a new conduit for spreading their scareware," said Jones. "They go where the money is, which means where people are, and people are on Twitter."

By late Monday, Twitter had deleted the machine-generated accounts spreading scareware that Sophos and F-Secure had revealed, but some tweets with the same malicious URL were still available on the service.

It is suggested that users access Twitter with a third-party application, such as TweetDeck, which offers a URL previewer to show the actual destination.
From http://www.computerworld.com/, By Gregg Keizer

Bulletins posted 9/18/2009

Mozilla catches half of Firefox users running insecure Flash

More than half of all Firefox users ran an unsafe version of Adobe's Flash Player, according to statistics collected last week as users installed the latest release of the popular open-source browser.

Of the 6 million or so people who upgraded to either 3.5.3 or 3.0.14 of Firefox on its debut last Thursday, slightly more than 3 million of them were found to be running an outdated Flash version, according to Mozilla's Ken Kovash. Sadly, only about 35 percent of those informed they had an insecure installation clicked on a link to upgrade to the latest version. That suggests that some 2 million Firefox users remained vulnerable to remote exploit attacks even after Mozilla presented them with a warning that said "your current version of Flash Player can cause security and stability issues" and added "you should update Adobe Flash Player right now."

A similar pattern has played out ever since, although the numbers in all three categories were smaller. Over that time, about 10 million users in all clicked on the link, which led to an update page on Adobe's website. The overall click-through rate was about 30 percent.

The statistics were gathered by counting the number of page impressions that are automatically generated when Firefox users install the latest version of the browser. As previously reported, the newest release began checking users' version of Flash and admonishing them to update if it was found to be out of date.

Over the past year, Adobe has faced harsh criticism for pumping out a steady stream of vulnerabilities in its ubiquitous Reader and Flash applications that have allowed criminals to surreptitiously install malware on end users' machines.
In addition to poor quality control, much of the problem seems to rest with the difficulty administrators and average users alike have in making sure their computers are running the latest versions. While a 30-percent click-through may seem small, Kovash said it represented a spike compared with the 5 percent of users who typically click such links.

Given that so many users can't rely on Adobe to help them stay up to date, it's nice to see Mozilla picking up the slack. The foundation plans to warn users when they have other out-of-date plugins, Mozilla's Johnathan Nightingale said here.
"Specifically, users need to go to http://en-us.www.mozilla.com and update to current versions of Firefox. Users should make sure all software programs are updated. For example, users should go to http://www.adobe.com/ for all updates for their Adobe products."

Bulletins posted 9/17/2009

Watch Out For New Phishing Schemes

Multiple "phishing" attempts or "phishing" scams are taking place. A phishing attempt is when someone tries to get a user to give them their login credentials for an account and personally identifiable information. The request is usually made by asking a user to click on a link and then provide their information. DO NOT click on any suspicious links and DO NOT fill in the form asking for your personal information or credentials.
"Users should never give out their name, user name, password, and e-mail address. If you have been part of a phishing scam, change your passwords immediately."

Google Addresses Two Serious Vulnerabilities in Chrome

The new version of Google Chrome fixes two security issues, which could have exposed users to malicious attacks. Both vulnerabilities allow potential attackers to execute arbitrary JavaScript code inside a visitor's browser.

The first vulnerability involves Chrome's internal feed reader rendering untrusted active content embedded in RSS or Atom feeds. This means that an attacker can add malicious JavaScript to a feed and then trick a user into opening it in the browser in order for the code to be executed. Google credits a security researcher going only by the handle Inferno for the discovery of this flaw, which was reported to the Chrome Security Team on September 7.

On his blog, Inferno describes the issue in greater detail and points out that his work is based on older feed reader-related XSS research by James Holderness and James M. Snell. Moreover, the researcher announces that the Opera browser is also vulnerable and that possible cross-site scripting attacks include session cookie hijacking, browser history spying, mapping webservers on the internal network or displaying a phishing page. However, it appears that Opera chose to mitigate only one of the three exploitation scenarios presented, considering the rest to be design features of its default feed reader.

In comparison, Chrome has disabled Atom/RSS parsing entirely and displays feeds as the text/plain MIME type. Because of this, a third-party external feed reader is now required for feed parsing. This vulnerability is rated medium in terms of severity, due to its low exposure rate. One of the exploitation conditions is for an attacker to inject JavaScript into a feed, but according to the Google Chrome Security Team, "Most web sites are not affected because they do not include untrusted content in RSS or Atom feeds."
The second issue was located in the getSVGDocument method, which apparently lacked an access check. This allowed a potential attacker to bypass the same-origin policy and inject rogue JavaScript code into a website hosting an SVG document. This vulnerability has a severity level of high, and a security researcher named Isaac Dawson is credited with its discovery.

Finally, Google's Chrome Program Manager, Anthony Laforge, extends special thanks to CERT's Will Dormann for "working with us to improve the security of the new audio and video codecs in this release."

Users should update to Google Chrome Version 3.0.195.21.

From http://news.softpedia.com/, By Lucian Constantin

MSN Phishing Scam Exploiting Your Curiosity

Who wouldn't want to see which of their friends has blocked them on a social network or as an instant messaging friend? Absolutely everyone! Acting on this, phishers have wheeled out a new phishing campaign specially targeting curious MSN Messenger users. In a post on the Trend Labs Malware Blog, Trend Micro experts revealed how attackers are gathering account credential information from users around the world.

The unsuspecting user will receive an email with the subject “hi o_O,” which contains a link to a page where they can check to see which of their MSN buddies has recently deleted them from their contact list. A piece of advice from us: if an email with this kind of title doesn't come from people you know, DON'T READ IT; it is almost certainly a spam or phishing campaign aimed at getting something from you. Suspiciously, at the end of the email, there is a line stating “This is NOT Spam.” Another note from us: all spam letters say the same, so don't get fooled by these simple n00b techniques.

If the user gets fooled into clicking that link, they will be redirected to a page containing graphics similar to the MSN theme.
On this page, they will be asked to enter their login credentials again, so they can see the list of friends that have betrayed them and deleted them from their contact list. If you haven't recently gone through a major break-up and are suspicious about the fact that your former girlfriend has banned you, don't ever enter any details for an official service if the URL of the authentication page is not hosted on the service's main domain. By getting fooled like this, a user will hand their MSN account credentials to attackers, who could easily use them to break in and use the account as a spam-bot or a relay for various other types of attacks.

Users should be very wary of emails like these and should not enter their passwords, particularly if they use the same password for many other similarly named accounts.
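The advice above, only entering credentials when the authentication page's host is actually on the service's own domain, applied to the links in a lure email. This is an added Python example, not code from the newsletter or from Trend Micro; the service domain list, the helper names and the sample email are assumptions constructed for illustration.

```python
"""Check whether the links in a lure email lead to a service's own domain.

Added example: applies the rule 'enter credentials only if the sign-in
page is hosted on the service's main domain' to URLs pulled from an email.
The domain list and the sample email are constructed for illustration.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed registrable domains for the MSN/Windows Live sign-in (illustrative;
# a production list would be vetted and maintained).
SERVICE_DOMAINS = {"msn": ("msn.com", "live.com", "hotmail.com")}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Return the http(s) URLs found in a block of text, in order."""
    return URL_RE.findall(text)


def host_on_domain(host, domain):
    """True if host equals domain or is a subdomain of it.

    A substring test would accept 'live.com.example.net' or 'notlive.com';
    requiring an exact match or a dot boundary rejects both.
    """
    return host == domain or host.endswith("." + domain)


def check_login_url(url, service):
    """Return the reasons a URL should not receive credentials.

    An empty list means the host is on the service's own domain and
    nothing else looked wrong.
    """
    parts = urlsplit(url)
    # .hostname drops 'user:pass@' and ':port', so a lure such as
    # http://msn.com@198.51.100.7/ resolves to the real host 198.51.100.7.
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return ["no host in URL"]
    reasons = []
    if parts.username is not None:
        reasons.append("userinfo before '@' hides the real host")
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a bare IP address, not a service domain")
    except ValueError:
        pass  # a normal host name, not an IP literal
    if parts.scheme.lower() != "https":
        reasons.append("login page is not served over https")
    if not any(host_on_domain(host, d) for d in SERVICE_DOMAINS[service]):
        reasons.append(f"host {host!r} is not on a {service} domain")
    return reasons


def triage_email(body, service="msn"):
    """Map each URL in the email body to its reasons (empty list = ok)."""
    return {url: check_login_url(url, service) for url in extract_urls(body)}


# Constructed sample modelled on the lure described above (not a real message).
SAMPLE_EMAIL = """\
Subject: hi o_O

See who deleted you from MSN:
http://login.live.com.contacts-check.example/who-blocked-me
Or use the direct link: http://msn.com@198.51.100.7/login.php
This is NOT Spam.
"""

if __name__ == "__main__":
    for url, reasons in triage_email(SAMPLE_EMAIL).items():
        print(url, "->", reasons or ["host is on the service's own domain"])
```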
"Users that get an email with the subject “hi o_O,” which contains a link to a page where they can check to see which of their MSN buddies has recently deleted them from their contact list, should delete the mail and NOT click on the link."

Bulletins posted 9/15/2009

Beware of Several New Scams

We are seeing some new scams both in email and in the print media that we want to warn you about. If you are a City of Seattle employee, at your City computer, all of the email scams seem to have been successfully blocked by our SPAM filter, Postini. However, you could get these at home, or you might be tempted to release them from Postini because they look so convincing.

First, with the tough economy we are seeing the growth of email and print media scams advertising 'Work at Home' or 'Secret Shopper' "opportunities". These are basically money laundering schemes where bad guys who make money through illegitimate means use unsuspecting victims to collect and deposit their ill-gotten gains into the victims' legitimate accounts. Then they have you send them the majority of the money or re-ship the stolen goods and allow the victim to keep a small portion or some small amount of products for themselves. If you fall for this scam you may well find yourself answering the door one day to a nice officer of the law who will proceed to search your entire home and confiscate all your computers and other digital devices.

Second, we have seen a proliferation of new virus-infected emails purporting to be delivery notices from UPS or DHL. These look very official but in fact will infect your computer if you click on the links that say they are the delivery details.

Finally, there have been a lot of "notices" coming from what look like legitimate banks. Again, these are fake but are well designed to look real.
Often they say that your account has been compromised or has some other type of problem and if you follow the links they provide, they will pop up a form that asks for your banking or credit card information. While most of these scams are nothing new, they are becoming more sophisticated and better at targeting their victims. Do not fall for these scams yourselves, and let your vulnerable friends and family know about them so they can be safe as well.

Bulletins posted 9/14/2009

Monster security patch batch: Apple unloads 47 fixes for iPhones, Macs and QuickTime

Apple has issued fixes for more than 47 security bugs in the Mac, iPhone and QuickTime media player, some of which allowed attackers to take complete control of the underlying device. The patches, which were released over a 24-hour period starting Wednesday, fix critical vulnerabilities in a variety of software made both by Apple and third parties. OS X components included Alias Manager, CarbonCore, ClamAV, ColorSync, CoreGraphics and Adobe Flash. The updates were available for both the Tiger and Leopard versions of the OS.

An update for the iPhone patched holes in CoreAudio, WebKit and MobileMail, among other things. A third update fixed four vulnerabilities in QuickTime, some of which allowed attackers to hijack a machine by tricking users into opening specially manipulated H.264 and MPEG-4 files.

For the most part, Snow Leopard, Apple's latest and greatest version of Mac OS X, was left out of the security patch love. It received a single fix that updated Flash to the latest, most secure, version. As previously reported, the new OS shipped with a version of the media player that left users susceptible to attack. Snow Leopard was also updated to fix a host of non-security issues, including a vexing problem that prevented some users from being able to use the Mac's automatic feature for adding printers.

Users should go to http://support.apple.com/ and update their iPhones, Macs and QuickTime software.
From http://www.theregister.co.uk/, by Dan Goodin

Scareware scumbags exploit 9/11

Fraudsters have set up websites supposedly containing info about 9/11 but actually geared towards running fake anti-virus (scareware) scams. Net security firm Sophos reports a number of "9/11-related" webpages that actually host malicious code are using search engine manipulation techniques to boost their rankings on Google. Some of the targeted search terms refer to a woman, called Tania Head, who claimed to have been in the Twin Towers on 9/11 but was later exposed as a fraud.

Visitors to the malicious web pages - whether they are using a Mac or a PC - are confronted with a list of viruses that have supposedly infected their system and invited to try out fake security software of little or no utility. The attack is explained in greater depth in a blog post by Sophos here.

"The websites we've seen point unsuspecting users to a fairly bog-standard fake anti-virus page," explained Graham Cluley, senior technology consultant at Sophos. "The websites check that the page referrer is Google, and the various scripts will not forward to the target site unless Google is the referrer. This happens a lot with fake anti-virus software attacks - chances are that the sites which are listed on Google have been hacked by the bad guys, with the intention of redirecting users to the scareware pages," he added.

The ruse joins a growing list of incidents whereby unscrupulous cybercrooks latch onto interest in tragedies, natural disasters and other news events to distribute junk. Similar attacks also accompanied the recent death of Michael Jackson and the Indian Ocean tsunami disaster. Sophos reckons the wrong 'uns running scareware scams appear to be "running a round-the-clock factory, pumping out new websites that exploit the hot trending search terms of the day".
"Clearly, no topical report, however tragic is exempt from the attentions of the criminal mind," writes David Harley, director of malware intelligence at anti-virus firm Eset.
"Using Google and other search engines for information and reports about 9/11 is likely to generate results with a load of links leading to rogue antivirus-related sites."

Firefox updated for security flaws

The Firefox browser has been updated for four security flaws, three of which were rated as “critical,” according to Mozilla. “Mozilla has released a security advisory to address multiple vulnerabilities,” an advisory from US-CERT said. “These vulnerabilities may allow an attacker to execute arbitrary code, mislead users by spoofing a URL, or cause a denial-of-service.” Another update from Mozilla addressed problems in an older version of Firefox (3.0.14).

In a post on the Mozilla blog, Nicole Loux, who is "public relations practitioner and messaging masseuse" for Mozilla, encouraged users to upgrade immediately. “We strongly recommend that all Firefox users upgrade to this latest release,” she wrote. “If you already have Firefox 3.5 or Firefox 3, you will receive an automated update notification within 24 to 48 hours.”

The three “critical” vulnerabilities fixed in the new 3.3.3 version included a chrome privilege-escalation bug, which could be leveraged to run JavaScript code from web content with elevated privileges, and a vulnerability in which the columns of an XML User Interface Language tree element could be manipulated. An attacker could potentially use this vulnerability to crash a victim's browser and run arbitrary code on the victim's computer. Multiple errors in the browser and JavaScript engines were corrected so as to prevent crashes with memory corruption. Under certain circumstances, successful exploitation could permit a hacker to execute arbitrary code.

With the updates, users will be notified if they are running a vulnerable version of the Adobe Flash Player, enabling them to avoid crashes, stability issues and other security problems.
"Users need to go to http://en-us.www.mozilla.com and update to the new version of Firefox, 3.5.3."

Da Vinci Code Fans Targeted By Real International Conspiracy

9/16/2009

It’s the shocking mystery hidden for a millennium: What will Da Vinci Code author Dan Brown’s next book be about? But, beware, truth seekers: Chasing the latest clues to the upcoming novel The Lost Symbol could expose you to a vast and secret conspiracy that’s been manipulating Google search results to push malicious software.

On Tuesday, NBC’s Today show kicked off a week-long promotion for Brown’s Da Vinci sequel by airing the first of a series of clues to the thriller’s plot, in the form of a tour of a real-life biological research facility nicknamed the “Death Star” because it houses dead animal specimens. Host Matt Lauer challenged viewers to identify the research site and its location, and thereby acquire vital information about the novel. “Suffice it to say, that this facility is a big part of the book,” said Lauer. “So, if I’m in a place called the Death Star, where am I?”

But on Wednesday morning the top Google search result for “death star research” — the logical query — would bring you no closer to unraveling the Lost Symbol mystery. Instead, it produced a malicious website that uses pop-ups, mouse-trapping and a well-executed fake virus scan to trick you into installing a Windows executable that will screw up your computer pretty badly.

The software is a scareware product called Smart Virus Eliminator that pesters you with false virus reports and urges you to pay anywhere from $59 to $79 for a “registered” version of the program. The code does other bad things as well, and is a well-known scam linked to an Eastern European cybercrime group.
What’s impressing experts is the rapidity with which those black hats are able to use search engine optimization techniques to plant their flag atop a trending search like “death star research.”

“They stay glued to the news — they’re quick,” says Sean-Paul Correll, a threat researcher at Panda Security, and an expert on the scam. “This gang is basically the biggest cybercrime organization on the internet right now.”

Correll says incidents like the Death Star attack have reached a fever pitch in the last two weeks. Searches on the California wildfires, Ted Kennedy’s death or Hurricane Danny, among others, have all turned up high or top-ranking scam pages delivering the same slick extortion code.

Keeping up with the trends means the attackers are rapidly setting up or reconfiguring networks of thousands of web pages that all link to one another — and the scam sites — using the hot keywords of the moment, thus gaming Google’s page rank algorithm. But apparently it’s worth the effort. An analysis by Panda concludes the rogue business is making as much as $34 million a month through the tactic.

Google, of course, has been working with StopBadware.org to try and warn users about malware-loaded sites. It also generally tries to counter rogue search engine optimizers of all stripes. But as it speeds up its indexing to keep pace with a real-time web, the countermeasures are clearly falling behind. “These are real timely events,” says Correll. “So if it takes more than 24 hours to take care of, it’s not an effective means of blocking. People are searching today because they want to know what Dan Brown’s next book is going to be.” Tomorrow it’ll be something else.
"Users should not go searching for 'death star research'; the top result was a malicious website that uses pop-ups, mouse-trapping and a well-executed fake virus scan to trick you into installing a Windows executable that will screw up your computer pretty badly."