Tag Archive | "Attacks"


G-20 Summit Used for Spam Attacks

The upcoming summit of the G-20 major economies in Korea has been used as bait in a limited spam run. Trend Micro received a sample of the spam, which is described below.

The spam purports to come from the Japanese finance ministry and contains comments on several issues related to the upcoming summit. Tellingly, the link to these comments does not even pretend to point at an official website. It actually leads to a .ZIP file detected by Trend Micro as TROJ_DROPPER.WTH. When run, the dropper opens a Word document so that the user believes nothing malicious has happened; in the background it drops a malicious file detected as TROJ_AGENT.JAAK and modifies the registry so that this file runs at every startup.

Further analysis of this threat is ongoing though Trend Micro users are already protected. The spam, the malicious URL, as well as the malicious files are all detected and blocked by Trend Micro products via the Smart Protection Network™.

View full post on TrendLabs | Malware Blog – by Trend Micro


USB Malware Attacks On the Rise (PC Magazine)

PC Magazine – Malware slips in via many weak points. It can come via e-mail, drive-by downloads, or ill-advised clicking—perhaps on a misleading popup. Increasingly, it also comes via USB devices.

View full post on Yahoo! News: Security News



Customized Malware Attacks Become Widespread

Recent reports noted the spread of malware targeting multiple computing platforms. In a recent incident, Macs appear to have been specifically hit with a new variant of the KOOBFACE worm family. (KOOBFACE is a notorious family of malware that primarily spreads via social networking sites like Facebook.)

However, these incidents are not isolated attacks. Rather, they are the tip of the iceberg of a broader set of attacks involving compromised and malicious sites, in which cybercriminals increasingly make browser and OS detection a standard step.

The malicious sites, payloads, and redirection chains change on a daily basis. Consider one of the malicious sites we recently saw (its redirection script was shown as a screenshot in the original post). The code itself is reasonably simple: it sends users to different malicious sites depending on which browser and OS they run. In this particular attack, Internet Explorer and Firefox users received FAKEAV variants similar to those seen in earlier attacks, as documented in “FAKEAV Update: Java Vulnerabilities and Improved Fake Alerts.”

Mac and Linux users were sent to the RSS feed of a site scraper. This site appears to periodically capture high-ranking keywords from Google Trends and use one of these keywords as the subject of a new blog post. The “post” contains, among others, high-ranking items from a Google Images search using the captured keywords. It’s possible that the site in question has been “parked” while malware is not being delivered.


Users who didn’t fall into any of these categories proceed along “standard” FAKEAV redirection chains.

While this particular attack involved only FAKEAV, the particular sites used change on a daily basis. Thus, other malware may be served just as easily to other users. This same technique was used to spread KOOBFACE to Mac users last week. We have also seen it used to deliver other malware families such as:

  • BREDOLAB
  • CUTWAIL
  • TDSS
  • ZBOT

While the vast majority of attacks delivered this way still use FAKEAV, the fact that malware families that are part of the traditional botnet business model have picked up these “customized” malware attacks is troubling and points to widespread exploitation down the road.


Users have to be cautious: these “customized” attacks mean that malicious sites can more easily resemble legitimate ones, and distinguishing legitimate pages from malicious ones by eye will be a challenge. Web blocking will become more important for protecting users, because customization lets attackers rotate through even more malicious files in these attacks. This emerging trend in Web threats is one we will be watching in order to protect users against this latest development.

View full post on TrendLabs | Malware Blog – by Trend Micro




Internet Explorer users warned of new zero-day attacks

Microsoft has warned users of all supported versions of the Internet Explorer browser that an unpatched vulnerability exists in the product that is being actively exploited by malicious hackers in targeted attacks.

The zero-day vulnerability, described in a Microsoft security advisory, allows cybercriminals to execute code on remote users’ computers without their permission.

In other words, simply clicking on a link in an email could take you to a webpage which would silently install malicious code (such as a backdoor Trojan horse) onto your computer. In short, you could be one click away from a hacker accessing your computer or commandeering it into a botnet.

Sophos is adding detection of the malicious webpages as Mal/20103962-A, and of the Trojan horse we have seen being downloaded as Troj/GIFDldr-A.

According to Microsoft’s advisory, Data Execution Prevention (DEP) – which is enabled by default in Internet Explorer 8 on Windows XP SP3, Windows Vista SP1, Windows Vista SP2, and Windows 7 – helps to protect against the attacks.

All eyes will now be on Microsoft to see how quickly they can issue a fix for this vulnerability – it would certainly be impressive if they managed to roll-out a patch in time for next Tuesday’s “Patch Tuesday”, but that may be a little optimistic.

View full post on Naked Security


Hackers exploit unpatched IE bug with drive-by attacks

Microsoft today warned that attackers are targeting Internet Explorer (IE) with an exploit of a critical unpatched vulnerability in all current versions of the browser.

View full post on Computerworld Security News



New IE 0-Day used in Targeted Attacks

Things have been pretty rough in the Response world the past few weeks. The number of exploits taking advantage of unknown and unpatched vulnerabilities has been breathtaking.

One such case started a few days ago when we received information about possible exploitation targeting older versions of Internet Explorer. The attackers had sent emails to a select group of individuals within targeted organizations. Each email carried a link to a specific page hosted on an otherwise legitimate website; the attackers had obtained access to the site's hosting account and uploaded content without the owner's knowledge. (The original post reproduces the email as an image.)

The link pointed to a page containing a script that checked which browser version and operating system the visitor was using. Because the exploit page only worked against Internet Explorer 6 and 7, the script forwarded the visitor to the page hosting the exploit only when that condition was met; everyone else saw nothing but a blank page.
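Both the Trend Micro write-up earlier on this page and this Symantec case describe the same gate: the landing page inspects the visitor's browser and OS, and only some visitors are forwarded to the payload while the rest get a blank page or an unrelated site. The following is an added example (not code from either post) of how to test a suspect URL for that behaviour from the defender's side: fetch it once per User-Agent, follow redirects, and compare where each browser lands and who gets an empty response. The hostnames, paths and agent strings are constructed, and `fake_fetch` stands in for a real HTTP client so the check runs offline.

```python
"""Test a URL for browser-conditional redirection (User-Agent cloaking).

Added example: fetch the same URL once per User-Agent, follow redirects,
and compare landing hosts. `fake_fetch` is a constructed stand-in for a
gated page so the logic runs offline; swap in a real HTTP client to check
a live site.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urljoin, urlparse


@dataclass(frozen=True)
class Response:
    status: int
    location: Optional[str]  # Location header, if any
    body: str


Fetch = Callable[[str, str], Response]  # (url, user_agent) -> Response
REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed User-Agent strings standing in for the browsers the posts mention.
AGENTS: Dict[str, str] = {
    "ie6_winxp": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "ie7_winxp": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    "ie8_win7": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
    "firefox_win": "Mozilla/5.0 (Windows NT 6.1; rv:1.9.2) Gecko/20100101 Firefox/3.6",
    "safari_mac": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6) AppleWebKit/533 Safari/533",
    "firefox_linux": "Mozilla/5.0 (X11; Linux x86_64; rv:1.9.2) Gecko/20100101 Firefox/3.6",
    "curl": "curl/7.21.0",
}


def follow(fetch: Fetch, url: str, agent: str, max_hops: int = 5) -> Tuple[Tuple[str, ...], str]:
    """Follow redirects for one User-Agent; return (URL chain, final body)."""
    chain = [url]
    for _ in range(max_hops):
        r = fetch(url, agent)
        if r.status in REDIRECT_CODES and r.location:
            url = urljoin(url, r.location)  # resolves relative Location headers
            chain.append(url)
            continue
        return tuple(chain), r.body
    return tuple(chain), ""  # redirect loop or too many hops: unresolved


def cloaking_report(fetch: Fetch, url: str, agents: Dict[str, str]) -> Dict[str, object]:
    """Fetch `url` as each agent and summarise how the landings differ."""
    results = {name: follow(fetch, url, ua) for name, ua in agents.items()}
    final_host = {name: urlparse(chain[-1]).netloc for name, (chain, _) in results.items()}
    blank_for = sorted(name for name, (_, body) in results.items() if not body.strip())
    distinct = sorted(set(final_host.values()))
    # Cloaked if browsers land on different hosts, or only some of them get content.
    cloaked = len(distinct) > 1 or 0 < len(blank_for) < len(results)
    return {"final_host": final_host, "distinct_hosts": distinct,
            "blank_for": blank_for, "cloaked": cloaked}


def fake_fetch(url: str, agent: str) -> Response:
    """Constructed compromised site that gates on the visitor's browser and OS."""
    p = urlparse(url)
    if p.netloc == "compromised.example":
        if p.path == "/go":  # second hop for the modern-Windows-browser branch
            return Response(302, "http://fakeav-landing.example/scan.php", "")
        if "MSIE 6." in agent or "MSIE 7." in agent:
            return Response(302, "http://exploit-host.example/ie/", "")
        if "MSIE" in agent or ("Firefox" in agent and "Windows" in agent):
            return Response(302, "/go", "")
        if "Macintosh" in agent or "Linux" in agent:
            return Response(302, "http://scraper.example/feed.rss", "")
        return Response(200, None, "")  # scanners and anything unrecognised: blank page
    pages = {
        "exploit-host.example": "<html><script>/* exploit would live here */</script></html>",
        "fakeav-landing.example": "<html>Warning! Your computer is infected.</html>",
        "scraper.example": "<rss><channel><title>trending topics</title></channel></rss>",
    }
    return Response(200, None, pages.get(p.netloc, ""))


if __name__ == "__main__":
    report = cloaking_report(fake_fetch, "http://compromised.example/index.html", AGENTS)
    for name, host in report["final_host"].items():
        print(f"{name:14s} -> {host}")
    print("blank for:", report["blank_for"], "| cloaked:", report["cloaked"])
```

Against a live site, run the same URL through all agents from the same source address and within a short window, since gated pages also key on IP, referrer and repeat visits; a single browser's view tells you almost nothing.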

Visitors who were served the exploit page didn't realize it, but went on to download and run a piece of malware on their computer without any interaction at all. The vulnerability allowed for any remote program to be executed without the end user's notice. Once infected, the malware set itself to start up with the computer, along with a service named 'NetWare Workstation'. The piece of malware opens a backdoor on the computer and then contacts remote servers. It tries to contact a specific server hosted in Poland for small files named with a .gif extension. These small files are actually encrypted files with commands telling the Trojan what to do next. It was programmed in a manner to be able to download these small, encrypted files from the following folders on the remote server:

  • images
  • pic
  • image
  • binary
  • news
  • index
  • picture
  • bbs

We were able to get a network capture of the traffic, including a number of these .gif-named command files. From the flow of commands (a short snippet was shown in the original post), it is obvious to us that someone was entering them manually from a remote computer.
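The C2 channel described above hides short encrypted command files behind image names and image-looking directories. An added example (not Symantec's code) of the check an analyst would run over such captured downloads: parse the raw HTTP response, and flag a body that is served under an image extension but does not begin with that format's magic bytes, that is a Windows PE file, or that is small and high-entropy, which is what a short encrypted command blob looks like. The directory list is the one given in the post; the HTTP exchanges, hostnames and bodies are constructed.

```python
"""Flag "image" downloads that are really command files.

Added example (not Symantec's code): parse a raw HTTP response and report
why its body does not look like the image its URL claims to be. Sample
exchanges below are constructed.
"""
import math
import posixpath
from typing import Dict, List, Tuple
from urllib.parse import urlparse

IMAGE_MAGIC: Dict[str, Tuple[bytes, ...]] = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}
# Directory names the post says the Trojan fetched its command files from.
C2_DIRS = {"images", "pic", "image", "binary", "news", "index", "picture", "bbs"}

MAGIC_MISMATCH = "extension/magic mismatch"
PE_BODY = "body is a Windows PE executable"
SMALL_HIGH_ENTROPY = "small high-entropy body (encrypted command?)"
KNOWN_C2_DIR = "served from a directory name seen in this campaign"


def parse_http_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status, headers, body


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def analyze_download(url: str, raw_response: bytes, small: int = 256,
                     entropy_threshold: float = 6.0) -> List[str]:
    """Return reasons the response looks like a disguised command file ([] = looks benign)."""
    status, _headers, body = parse_http_response(raw_response)
    if status != 200 or not body:
        return []
    path = urlparse(url).path
    ext = posixpath.splitext(path)[1].lower()
    expected = IMAGE_MAGIC.get(ext)
    looks_like_image = bool(expected) and body.startswith(expected)
    reasons: List[str] = []
    if expected and not looks_like_image:
        reasons.append(MAGIC_MISMATCH)
    if body.startswith(b"MZ"):
        reasons.append(PE_BODY)
    if not looks_like_image and len(body) <= small and shannon_entropy(body) >= entropy_threshold:
        reasons.append(SMALL_HIGH_ENTROPY)
    parts = path.strip("/").split("/")
    if reasons and len(parts) > 1 and parts[0] in C2_DIRS:
        reasons.append(KNOWN_C2_DIR)
    return reasons


def http_ok(content_type: str, body: bytes) -> bytes:
    """Build a minimal 200 response around `body` (constructed test traffic)."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: " + content_type.encode()
            + b"\r\nContent-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


# Constructed samples: a real 1x1 GIF, a "GIF" that is really a 96-byte blob with
# no repeated byte values (what a short encrypted command looks like), and a PE file.
REAL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04\x01\x00\x00\x00\x00"
            b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
FAKE_GIF = bytes((i * 37 + 11) % 256 for i in range(96))
SAMPLES = {
    "http://img-host.example/images/logo.gif": http_ok("image/gif", REAL_GIF),
    "http://c2-host.example/bbs/0b1f.gif": http_ok("image/gif", FAKE_GIF),
    "http://c2-host.example/news/update.gif": http_ok("image/gif", b"MZ\x90\x00" + bytes(60)),
}

if __name__ == "__main__":
    for u, raw in SAMPLES.items():
        print(u, "->", analyze_download(u, raw) or "looks like a real image")
```

The magic-byte test is the reliable signal; the entropy test is only supporting evidence, because a genuine compressed image body is also high-entropy after its header, which is why the code never raises it for something that already passed the magic check.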

The files being downloaded by the attacker were hosted on yet another hacked website. The owners of this server were also unaware of their computer being involved in hosting of malicious programs.

In fact, when we contacted the owners of the server which housed the original exploit page and malware, they immediately took down the malicious content. Looking at the log files from this exploited server we know that the malware author had targeted more than a few organizations. The files on this server had been accessed by people in lots of organizations in multiple industries across the globe. Very few of them were seen accessing the payload file, which means that most users were using a browser which wasn't vulnerable or targeted.

We informed Microsoft of the vulnerability as soon as we were able to confirm it, and they confirmed our findings about the vulnerability itself. They also confirmed that the vulnerability appears to be limited to IE 6 and 7, and plan to post an advisory on the subject in the coming hours. Symantec has detection in place for this IE vulnerability as Downloader. Initial Symantec detection names for the malware served after exploitation were Downloader and Trojan Horse; they have since changed to Backdoor.Pirpi.

I know we normally end such blogs with a little blurb about safe computing. Since you're still reading this article here is one such note to the people who have control of servers facing the Internet—these computers are your responsibility. Make sure you know what is being served off these computers, patch them, install firewalls with appropriate configuration, change passwords regularly, and—most of all—don't allow it to accept connections from the Web unless you know what you're doing.

View full post on Symantec Connect – Security Response – Blog Entries



Denial-of-Service Attacks Meet the Cloud: 4 Lessons

An old standby of cyber criminals–the denial-of-service attack–has become a new worry for data center operators.

View full post on Network World on Security


Symantec report notes increase in cyber attacks

There was no let-up in so-called targeted attacks by cyber criminals this month across all sectors and geographies, according to the October 2010 MessageLabs Intelligence Report from Symantec. While some types of attacks saw marginal decreases, the report noted that the threats remain.

View full post on Network World on Security



0-Day Attacks Hit Flash Via Acrobat, Reader

Adobe has announced that attacks are being committed in the wild exploiting a previously undisclosed vulnerability in current versions of Flash, Reader and Acrobat. (Acrobat and Reader 8.x versions are not vulnerable.)

The company says the attacks are against Reader and Acrobat, indicating that Flash content embedded in a PDF file is the vehicle in the attack. A Flash-only attack may be possible, but none is reported. The vulnerability is rated critical and can lead to remote code execution. All current versions of Flash, Acrobat and Reader for Windows, Mac, Linux and Android are vulnerable.

Adobe says that a Flash update is scheduled for (Patch) Tuesday, November 9. Updates for Acrobat and Reader are scheduled for the week of November 15.

The security advisory describes a mitigation for Reader and Acrobat: rename or block access to the AuthPlay component (authplay.dll on Windows), which renders Flash content inside PDFs. With that component unavailable, Reader and Acrobat will crash whenever a PDF containing Flash content is opened, rather than render it.

View full post on Security Watch



New Java trojan attacks Mac OS X via social networking sites



A new trojan horse has cropped up that affects Mac OS X (and Windows as well), primarily disguised as a video flitting around social networking sites. When users click an infected link, a Java applet is launched that downloads multiple files, including an installer that runs automatically without users’ knowledge.

The Trojan, dubbed trojan.osx.boonana.a by security firm SecureMac, appears as a message on social networking sites such as Facebook that reads, “Is this you in this video?” When the user clicks the link, a Java applet runs, allowing the system to download several files and install a program that can bypass the usual password verification OS X requires for installation.

The malware launches automatically on startup, communicates with command and control servers, and can also crack user accounts on other sites to continue to spread itself as spam.

SecureMac asserts that because the initial phase of the trojan runs on Java, it can spread itself to both Mac OS X and Windows. SecureMac doesn’t say explicitly how it differs on Windows, only that the payload includes “other files” that are directed at Windows.

Disabling Java in your browser can help you avoid infection, but the problem is solved easily enough—don’t click shady links. For those already under Boonana’s spell, though, SecureMac has created a free removal tool. The company also reminds Mac users that as Apple’s market share grows, they need to be mindful of increased attention from hackers.


View full post on Security


Mozilla warns of unpatched Firefox flaw used in attacks

Mozilla says it will patch a new zero-day flaw now being exploited in Web attacks.

View full post on Computerworld Security News


How to protect against Firesheep attacks

Security experts suggest ways users can protect themselves against Firesheep, the new Firefox browser add-on that lets amateurs hijack users’ access to Facebook, Twitter and other popular services via Wi-Fi.

View full post on Computerworld Security News


Commonwealth Bank served as training ground for global phishing attacks

When international organised crime groups launched the first wide-scale phishing attacks in 2003, their targets weren’t the United States or the…

View full post on Computer Crime Research News


Symantec Guide to Scary Internet Stuff – No 6 Denial of Service Attacks


The sixth video in the series explaining common internet security threats and how to avoid them looks at one of the media’s favourites: denial-of-service attacks.


Finnish firm finds hard-to-detect online attacks (Reuters)

Reuters – All network security equipment, the strongest of which is used by the financial industry, is exposed to a new kind of online attack, Finnish data security vendor Stonesoft said on Monday.

View full post on Yahoo! News: Security News


Cyber attacks, terrorism top UK threats: officials (Reuters)

Reuters – Cyber attacks, terrorism, inter-state conflict and natural hazards are the top threats to British security, officials said Monday, a day before a major military review due to include deep spending cuts.

View full post on Yahoo! News: Security News



Most large companies hit by hack attacks, survey shows

Is this year turning out to be even worse for getting hacked than last year? That is what a survey of 350 IT and network professionals indicates, with large companies in particular reporting that this year is worse than last in terms of suffering at least one network intrusion of their user machines, office network or servers.

View full post on Computerworld Security News


“Despite successful attacks, we can consider ourselves victorious in conflict merely by…”

“Despite successful attacks, we can consider ourselves victorious in conflict merely by surviving… The goal should be minimizing the impact of an attack while allowing operations to continue despite degraded conditions.”

Ben Tomhave

View full post on Lenny Zeltser on Information Security


Specialized Honeypots for SSH, Web and Malware Attacks

A honeypot is a decoy IT infrastructure component that is designed and deployed to be attacked. It can take the form of a system, a network or an application, and may be implemented as a real or emulated resource. Since a honeypot has no other purpose, every attempt to interact with it is suspect.

Honeypots can help discover malicious activities at a lower rate of false positives than traditional intrusion detection approaches. Honeypots can also slow down and mislead the attacker by automatically providing slow responses or incorrect information. Lastly, the logs and artifacts collected by honeypots can be used to learn about the attacker’s capabilities and intentions.

Here are several freely-available honeypot tools specialized for understanding SSH, web and malware attacks:

  • Kippo is an SSH honeypot that logs brute-force attacks, in which a remote attacker attempts to guess the logon credentials of an SSH server. Best of all, Kippo can record and replay the attacker’s interactions with the emulated shell on the fake SSH server.
  • Glastopf is a web application honeypot. It emulates often-exploited web vulnerabilities such as remote and local file inclusion and SQL injection. Glastopf examines the attacker’s HTTP request and attempts to respond as the attacker expects, for instance by fetching the file referenced in a remote file inclusion attempt.
  • Dionaea is a honeypot for collecting malware. It emulates vulnerabilities in Windows services often targeted by malware, such as SMB, HTTP, TFTP and FTP. Dionaea’s handling of the SMB protocol is particularly liked by researchers, as is its ability to emulate the execution of the attacker’s shellcode.
  • Jsunpack-n is a client-side honeypot that emulates a vulnerable web browser. It is designed to interact automatically with a malicious website to explore its exploits and malicious artifacts, often in the form of JavaScript.

In addition to these honeypot tools, you might also explore Honeywall, mwcollectd, Honeyd, and INetSim. Additional malware-focused honeypot tools are Omnivora and Amun. For additional pointers, see Wikipedia articles on Honeypots and Client Honeypots. An excellent book on this topic is Virtual Honeypots: From Botnet Tracking to Intrusion Detection by Niels Provos and Thorsten Holz.
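To make the idea concrete, here is a minimal low-interaction honeypot in the spirit of the tools above. It is an added example, not code from Kippo or from the original post: it listens on a TCP port, waits briefly before answering (a small tarpit for mass scanners), presents an SSH version banner, records the peer address and whatever the client sends first, and closes. Because nothing legitimate should ever connect to the decoy port, every recorded event is a candidate alert. The port, banner string and delay are assumptions chosen for illustration.

```python
"""Minimal low-interaction SSH banner honeypot.

Added example in the spirit of the tools above (not Kippo's code or the
original post's): listen on a TCP port, wait a little (a tarpit for
scanners), send an SSH version banner, record the peer address and the
client's own banner, then close. The port, banner text and delay are
assumptions for illustration.
"""
import socket
import socketserver
import threading
import time
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class HoneypotEvent:
    peer: str            # source IP that touched the decoy port
    client_banner: str   # first line the client sent, e.g. "SSH-2.0-libssh2_1.2"
    timestamp: float


class EventLog:
    """Thread-safe append-only list of events."""
    def __init__(self) -> None:
        self._events: List[HoneypotEvent] = []
        self._lock = threading.Lock()

    def record(self, ev: HoneypotEvent) -> None:
        with self._lock:
            self._events.append(ev)

    def snapshot(self) -> List[HoneypotEvent]:
        with self._lock:
            return list(self._events)


class _BannerHandler(socketserver.BaseRequestHandler):
    def handle(self) -> None:
        srv = self.server  # the BannerHoneypot instance
        time.sleep(srv.delay)  # tarpit: slow down mass scanners before answering
        try:
            self.request.sendall(srv.banner.encode() + b"\r\n")
            self.request.settimeout(srv.read_timeout)
            data = self.request.recv(256)
        except (socket.timeout, OSError):
            data = b""
        first_line = data.split(b"\n", 1)[0].rstrip(b"\r").decode("utf-8", "replace")
        srv.log.record(HoneypotEvent(self.client_address[0], first_line, time.time()))


class BannerHoneypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, host: str = "127.0.0.1", port: int = 0,
                 banner: str = "SSH-2.0-OpenSSH_5.3", delay: float = 0.2,
                 read_timeout: float = 2.0) -> None:
        super().__init__((host, port), _BannerHandler)
        self.banner, self.delay, self.read_timeout = banner, delay, read_timeout
        self.log = EventLog()
        self._thread = threading.Thread(target=self.serve_forever, daemon=True)

    def start(self) -> int:
        """Serve in the background; returns the bound port (useful when port=0)."""
        self._thread.start()
        return self.server_address[1]

    def wait_for_events(self, n: int, timeout: float = 5.0) -> List[HoneypotEvent]:
        """Block until at least n events are logged or the timeout passes."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline and len(self.log.snapshot()) < n:
            time.sleep(0.02)
        return self.log.snapshot()

    def stop(self) -> None:
        self.shutdown()
        self.server_close()


def probe(host: str, port: int, client_banner: str = "SSH-2.0-constructed_probe") -> str:
    """Behave like a scanner: read the server banner, send ours, hang up."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.settimeout(5)
        server_banner = s.recv(256).split(b"\n", 1)[0].rstrip(b"\r").decode()
        s.sendall(client_banner.encode() + b"\r\n")
    return server_banner


if __name__ == "__main__":
    hp = BannerHoneypot()
    port = hp.start()
    print("decoy on port", port, "answered", probe("127.0.0.1", port))
    for ev in hp.wait_for_events(1):
        print(ev)
    hp.stop()
```

In production the decoy would bind port 22 on an address that no real SSH service uses, and the events would be shipped to the SIEM as high-confidence alerts; the real tools listed above go further by emulating authentication and a shell so that the attacker's credentials and commands are captured too.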

Lenny Zeltser

View full post on Lenny Zeltser on Information Security

