<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
   <title>eWeek Security Watch</title>
   <link rel="alternate" type="text/html" href="http://securitywatch.eweek.com/" />
   <link rel="self" type="application/atom+xml" href="http://securitywatch.eweek.com/atom.xml" />
   <id>tag:securitywatch.eweek.com,2009:/13</id>
   <updated>2009-11-07T00:43:10Z</updated>
   
   <generator uri="http://www.sixapart.com/movabletype/">Movable Type Pro 4.32-en</generator>


<entry>
   <title>New Attack Abuses Web Browser Cookies</title>
   <link rel="alternate" type="text/html" href="http://securitywatch.eweek.com/vulnerability_research/web_site_attack_abuses_cookies.html" />
   <id>tag:securitywatch.eweek.com,2009://13.30881</id>
   
   <published>2009-11-06T20:32:14Z</published>
   <updated>2009-11-07T00:43:10Z</updated>
   
   <summary>A new attack outlined at the ToorCon conference in October allows attackers to use vulnerabilities on Website subdomains to reach the parent domain.</summary>
   <author>
      <name>Brian Prince</name>
      
   </author>
   
      <category term="Exploits and Attacks" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Flaws" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Vulnerability Research" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Web 2.0" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://securitywatch.eweek.com/">
      <![CDATA[A security researcher has uncovered a serious exploit that could endanger popular Websites. 

The attack was uncovered by Michael Bailey, a senior security researcher at Foreground Security, and unveiled Oct. 24 at the ToorCon conference in San Diego. According to Bailey, due to the way Web browsers handle cookies, it is possible for a vulnerability on a Website subdomain to be leveraged against a parent domain.

"A weakness in a server with a subdomain pointed at it can be used to both leak cookies and set cookies for the main domain," <a href="http://skeptikal.org/repository/one_in_every_family.pdf" target="_blank">Bailey wrote in a paper</a> (PDF) on the issue. "This can in turn be used to perform multistage session fixation and cross-site scripting attacks.

"For example, www.advertising.expedia.com contained an XSS hole," he wrote. "Using that hole, one could poison the global cookies for the expedia.com domain. The main Expedia Website (www.expedia.com) would use those cookies in the body of the Web page, without proper escaping, and permit an attacker to inject malicious JavaScript into that application. This would allow the attacker to fully compromise the user's session on the Website, and the payload would persist until the user cleared his cookies or the server overwrote them, which may take months."

Part of the attack's success lies in the fact that for many businesses, there is a perception that applications on subdomains are isolated from the rest of the Website, Bailey told eWEEK.

"According to the structure of DNS [Domain Name System] this should be true, but Web browsers, and specifically their implementations of cookies, create implicit trust relationships that are ripe for abuse," he explained.

Users can mitigate the attack by using the <a href="http://www.eweek.com/c/a/Security/From-Microsoft-Internet-Explorer-8-to-Mozilla-Firefox-Web-Browsers-Tighten-Security/">'Private Browsing' features</a> of Internet Explorer, Mozilla Firefox and other browsers, he said. But there are still scenarios where the attack could work despite that capability.

"While it may keep sensitive information from being leaked through cookies, it will not prevent cookies from being poisoned," Bailey said. "The consequences of this are application-specific, but the end result is the same: Private browsing [modes] cannot be assumed to fully protect the user from these attacks."

Blocking cookies will also help prevent the attacks, but will disable the functionality that these attacks abuse, he added.

"For example, if a Web browser does not store session data, there will be no sessions to attack, but it also will not be able to use those sessions to maintain state," he said. "Disabling cookies may be effective, but it is not practical."

Bailey did, however, outline some solutions in his paper. Any vulnerability on an untrusted subdomain can affect a trusted domain, so administrators should pay careful attention. All applications should be <a href="http://www.eweek.com/c/a/Security/Whodunit-Finding-Security-Vulnerabilities-in-Application-Code-633960/">reviewed for common vulnerabilities</a> such as cross-site scripting and cross-site request forgery, and administrators should be wary of third-party servers and applications. The researchers also recommend that high-value DNS records be audited to locate unused servers and IP addresses.

"Security people often make the comment that you are only as secure as the weakest link in the chain, and that is now literally true," Mike Murray, chief information security officer of Foreground, told eWEEK. "Your weakest-security subdomain Website can compromise your highest-security one." 
]]>
      
   </content>
</entry>

<entry>
   <title>Malware SEO: Gaming Google Trends and Big Bird</title>
   <link rel="alternate" type="text/html" href="http://securitywatch.eweek.com/seo/malware_seo_gaming_google_trends_and_big_bird.html" />
   <id>tag:securitywatch.eweek.com,2009://13.30868</id>
   
   <published>2009-11-05T12:24:57Z</published>
   <updated>2009-11-05T12:33:15Z</updated>
   
   <summary>Attackers are now working to tailor new threats to online news trends on a daily basis using indicators including Google Trends.</summary>
   <author>
      <name>Matthew Hines</name>
      
   </author>
   
      <category term="Blended attack" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Exploits and Attacks" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Google" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Malware" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Online malware" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Phishing and Fraud" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Rogue AV" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="SEO" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Search" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Social engineering" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Trojan attacks" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Virus and Spyware" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://securitywatch.eweek.com/">
      <![CDATA[Malware distributors continue to flex their abilities to tap into whatever's hot in terms of search engine activity, even on a daily basis.

We've grown accustomed to the idea that whenever there is a major <a href="http://securitywatch.eweek.com/virus_and_spyware/spam_capitalizes_on_conficker_fear.html">news item</a> worldwide, from natural disasters to celebrity gossip stories, attackers will be hot on the heels of legitimate reports in attempting to create campaigns that suck in end users seeking information on the publicized events.

However, the evolution of the <a href="http://securitywatch.eweek.com/malware/bad_actors_largely_unchecked_in_cybercrime_efforts.html">crimeware underground</a> has reached the point where this isn't just a pattern that ties itself to a handful of major news events each month, or week, but instead attempts to tap into whatever the big news is each day.

This is perhaps best personified by attackers' work to ride the coattails of yesterday's celebration of the 40th anniversary of the debut of seminal children's television show Sesame Street. As reported by Webroot blogger Andrew Bryant, among others, a spate of rogue AV threats popped up on Wednesday as legitimate properties including Google marked the show's anniversary in one form or another.

"The black hat SEO gangs that have been manipulating Google results for the better part of the year have seized on a new target from which they've launched their current salvo of rogue antivirus guano," noted Bryant in a <a href="http://blog.webroot.com/2009/11/04/rogues-mug-big-bird-on-his-birthday/#more-1590">blog post</a>. "That's right, the lovable, giant jaundiced avian friend to child and adult alike is being used to hijack searches and rope unsuspecting users into a vortex of popups and fake scans."

Yes, he's talking about Big Bird.

The researcher notes that the Sesame St.-driven attacks are really just further proof that malware purveyors are looking at <a href="http://securitywatch.eweek.com/google/google_brings_malware_info_to_webmasters.html">Google Trends</a> each day and formulating new social engineering angles based on whatever the hot topics may be.

This shift from monthly or weekly attack customization shows how granular attackers' efforts have truly become, he said.

Of course, underlying the up-to-the-moment engineering are many of the same rogue <a href="http://securitywatch.eweek.com/rogue_av/diving_deep_on_fake_av.html">AV scanner threats</a> we're seeing all the time, with the "Internet Antivirus Pro" program among those in distribution yesterday, delivered on the wings of Sesame St.'s massive winged mascot.

The use of a children's TV show to pass along the threats also highlights the need to educate children to the perils of following unfamiliar links, or opening unsolicited messages, Bryant notes.

Attackers have also become so skilled at gaming Google's <a href="http://securitywatch.eweek.com/seo/malware_distributors_mastering_news_seo.html">SEO patterns</a> that they were able to plant threats as high as the seventh result for Sesame St.-related searches on Wednesday, he said.

"Disgusting? Yes. Surprising? Hardly," the expert wrote. "Hooking your scumbag wares to celebrity deaths, peephole videos, and high profile arrests is one thing. But as far as I'm concerned, a line has been crossed. Yes, the dark back-alleys of the Internet are pretty far afield from Sesame Street. But nobody messes with the Bird."

What's next? A phony Match.com profile on the longtime co-habitation and apparent bliss of "roommates" Bert and Ernie?

Shameless!

<strong>Follow eWeek Security Watch on Twitter at: eWeekSecWatch.</strong>

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to <a href="mailto:SecurityWatchBlog@gmail.com">SecurityWatchBlog@gmail.com</a>.]]>
      
   </content>
</entry>

<entry>
   <title>Facebook Campaigns Serve Up Nasty Cocktail</title>
   <link rel="alternate" type="text/html" href="http://securitywatch.eweek.com/facebook/facebook_campaigns_serve_up_nasty_cocktail.html" />
   <id>tag:securitywatch.eweek.com,2009://13.30858</id>
   
   <published>2009-11-04T12:25:44Z</published>
   <updated>2009-11-04T12:33:24Z</updated>
   
   <summary>The Facebook phishing campaign landing in your in-box is more than just a social networking password thieving scheme, according to researchers with McAfee.</summary>
   <author>
      <name>Matthew Hines</name>
      
   </author>
   
      <category term="AV tools" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Backdoor" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Blended attack" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Browsers" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Exploits and Attacks" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Facebook" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Malware" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Microsoft Windows" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Online malware" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Phishing and Fraud" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Rogue AV" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Social engineering" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Trojan attacks" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Virus and Spyware" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://securitywatch.eweek.com/">
      <![CDATA[Anyone with a busy e-mail in-box has likely noticed the dramatic uptick in Facebook-related phishing campaigns making the rounds over the last several weeks.

Waves of the threats are surging across the Web daily, encouraging users to click on an attachment based on their need to update their Facebook log-in information. 

For people like myself who don't use the popular <a href="http://securitywatch.eweek.com/social_networking/facebook_attack_may_be_using_automated_pages.html">social networking site</a>, it's pretty clear that the campaign is nothing but an attack in waiting, but many of the messages do feature a fairly believable level of polish, using the same logo images and fonts typically employed by the networking site itself.

Having taken a closer look at the widespread attack, researchers with McAfee are warning that the threats actually serve up far more than a Facebook password phishing scheme: a dangerous cocktail of malware infections that leaves many affected endpoints squarely in the hands of electronic assailants.

In a <a href="http://www.avertlabs.com/research/blog/index.php/2009/11/03/facebook-phishing-campaign-pushes-cocktail-attack/">blog post</a> authored by McAfee AVERT Labs researcher Arun Pradeep, the multi-tiered level of sophistication involved in the Facebook campaign is spelled out. 

First off, in addition to seeking people's Facebook data, the threat downloads a keylogger malware attack that is aimed at stealing people's credit card, social security, and banking passwords from their machines.

And, almost predictably at this point, the attack also loads a <a href="http://securitywatch.eweek.com/rogue_av/diving_deep_on_fake_av.html">rogue AV scanner</a> application which also disables applications including Windows Notepad and Wordpad until users agree to pay for additional malware cleansing tools.

"Phishing campaigns on social networking sites are not new," Pradeep notes. "[But] scammers are not satisfied only pushing spam to sell 'Canadian' pills. Now they also want to sell fake security products, and they need all of our passwords," the expert said. 

In terms of its delivery model, once a user opens the attached zip file claiming to offer the password update info, they are served up a spreadsheet file that, once opened, drops the actual malware cocktail onto their machine.

After the malware takes root, it establishes a connection to the attacker's server through the HTTP port and attempts to download more payloads, including the aforementioned keylogger. The attack then forwards any data that it can gather to a remote server through <a href="http://securitywatch.eweek.com/trojan_attacks/new_dhl_notice_campaigns_deliver_backdoor_threat.html">a backdoor</a>. 

In terms of the phony AV angle, the rogue application enters through the same backdoor and then "covertly" installs itself before running and killing many applications that might be open, including Notepad, Calculator, Registry Editor, Task Manager, and others, Pradeep said. 

The attack does not go after Internet Explorer because it needs IE to communicate back with its malware server.

So there you have it, if you've been wondering what all those Facebook spam notes were up to, McAfee's taken off the wrapper for us. If you've already fallen for the ruse, it might be time to call in your IT staff, or to merely toss your PC out the window and start over.

Just kidding. Sort of.

]]>
      
   </content>
</entry>

<entry>
   <title>Dutch Attacker Hijacked iPhones, Demanded Ransom</title>
   <link rel="alternate" type="text/html" href="http://securitywatch.eweek.com/apple/dutch_attacker_hijacks_apple_iphones.html" />
   <id>tag:securitywatch.eweek.com,2009://13.30853</id>
   
   <published>2009-11-03T22:54:30Z</published>
   <updated>2009-11-04T02:23:09Z</updated>
   
   <summary>A Dutch teenager has backed away from plans to extort users of jail-broken iPhones in Netherlands. The teen had compromised the phones via the default root password.</summary>
   <author>
      <name>Brian Prince</name>
      
   </author>
   
      <category term="Apple" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Backdoor" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Flaws" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Vulnerability Research" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://securitywatch.eweek.com/">
      <![CDATA[A Dutch teenager has backed away from an extortion scheme targeting <a href="http://www.webbuyersguide.com/company/46/Apple&kc=eweekarticle110309&src=eweekarticle110309">Apple</a> iPhone users.

The scheme was uncovered Nov. 2 <a href="http://translate.google.com/translate?prev=hp&hl=en&js=y&u=http%3A%2F%2Fgathering.tweakers.net%2Fforum%2Flist_messages%2F1376420%2F0&sl=auto&tl=en&history_st%20%20ate0=" target="_blank">when reports surfaced</a> that an attacker was compromising iPhones and holding them for ransom. After using port scanning and OS fingerprinting to find iPhones in T-Mobile's 3G IP range, the attacker took advantage of the default root passwords of iPhones jail-broken through OpenSSH.

According to reports, the owners of the phones received a message on their screens that the attacker had control of their devices. To get it back, they were told to visit a Website, where they were told to send about $5 in euros to a PayPal account in exchange for instructions on how to remedy the situation.

The message on the Website reportedly read as follows: 

<blockquote>"Your iPhone is not secure. That's the reason your visiting this page, isn't it? Well you can pay me $4,95 at my paypal account PureInfinity92@mailinator.com, and I'll mail you very easy instructions on how to secure your iPhone. You can also contact me at 
PureInfinity92@gmail.com

If you don't pay, it's fine by me. But remember, the way I got access to your iPhone can be used by thousands of others. And they can send text messages from your number (like I did..), use it to call (or record your calls), and actually whatever they want, even use it for their hacking activities!'

I can assure you, I have no intention of harming you or whatever, but, some hackers do! It's just my advise to secure your phone."</blockquote>

In a twist of fate for victims, the attacker for whatever reason changed his or her tune and <a href="http://mr09.fileave.com/" target="_blank">posted instructions</a> for changing the phone's SSH password. Users who changed the default password were not subject to the attack.

]]>
      
   </content>
</entry>

<entry>
   <title>McAfee: Piracy Sites Jump 300 Percent</title>
   <link rel="alternate" type="text/html" href="http://securitywatch.eweek.com/enterprise_security_strategy/mcafee_piracy_sites_jump_300_percent.html" />
   <id>tag:securitywatch.eweek.com,2009://13.30846</id>
   
   <published>2009-11-03T14:22:07Z</published>
   <updated>2009-11-03T14:30:43Z</updated>
   
   <summary>According to research from McAfee, the number of file sharing sites hosting copyrighted content has increased 300 percent in the past few months.</summary>
   <author>
      <name>Brian Prince</name>
      
   </author>
   
      <category term="Enterprise security strategy" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Government standards" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Products" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://securitywatch.eweek.com/">
      <![CDATA[<a href="http://www.eweek.com/c/a/Security/Pirate-Bay-Hit-as-ISP-Kills-Service-After-Court-Order-867342/">The Pirate Bay shutdown</a> didn't slow piracy. In fact, according to McAfee, the number of new file-sharing sites hosting unauthorized, copyrighted content shot up in the past three months.

In their Third Quarter Threats Report, researchers at McAfee took a look at the piracy scene. What they found was that cyber-criminals are taking advantage of The Pirate Bay shutdown to the tune of a 300 percent jump in the <a href="http://www.eweek.com/c/a/Security/Pirates-of-the-Caribbean-The-CyberCrime-Edition/">creation of file-sharing sites.</a>

Over at V.i. Labs, which specializes in <a href="http://www.eweek.com/c/a/Security/Pirated-Windows-7-Builds-a-Botnet-With-Trojan-456054/">anti-piracy software</a>, file hosting services are a significant piracy distribution threat. In a report earlier this year V.i. found that all the pirated product releases it searched for on search engines, index sites and BitTorrent tracking sites were available on Rapidshare, which has an Alexa traffic rank of 17 - a number that surpasses Amazon.com.

"There is little hope for organizations to eradicate references to the actual links to the pirated software on file hosting sites and other Web portals," said Victor DeMarines, vice president of products, V.i. Labs. "Organizations can try and scour the internet and write DMCA notices to these piracy channel sites, but given that pirated software can be renamed, re-packaged or zipped to bypass detection this is not feasible."

DeMarines said he would like to see the DMCA (Digital Millennium Copyright Act) Safe Harbor provisions tightened to crack down on sites like Rapidshare that profit through the distribution of pirated content.

"Notification of DMCA infringements place too much ownership on the copyright holders," he said. "By not providing any accountability for who is uploading and/or downloading content from these servers, file host provides a perfect medium to propagate pirated content. At a very minimum these services are used to advertise what the top downloaded files are to allow vendors or copyright owners to focus their review of what is available on these sites."
]]>
      
   </content>
</entry>

<entry>
   <title>Inside the Elite Control Botnet</title>
   <link rel="alternate" type="text/html" href="http://securitywatch.eweek.com/botnets/inside_the_elite_control_botnet.html" />
   <id>tag:securitywatch.eweek.com,2009://13.30844</id>
   
   <published>2009-11-03T12:23:55Z</published>
   <updated>2009-11-03T12:32:31Z</updated>
   
   <summary>Experts have unwrapped the Elite Loader botnet only to find that it&apos;s a pretty sophisticated attack. And that it&apos;s becoming even easier for less advanced attackers to get their hands on such threats.</summary>
   <author>
      <name>Matthew Hines</name>
      
   </author>
   
      <category term="AV tools" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Blended attack" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Botnets" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="DDoS" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Exploits and Attacks" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Malware" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Microsoft Windows" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Online malware" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Phishing and Fraud" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Social engineering" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Spam" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Trojan attacks" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Virus and Spyware" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://securitywatch.eweek.com/">
      <![CDATA[Researchers with Trend Micro's TrendLabs group have gotten their hands on the code behind the dangerous "Elite Control" <a href="http://securitywatch.eweek.com/hactivism/cyber-protesters_hoist_new_signs_of_innovation.html">botnet</a>, allowing for a closer look at the attack's underpinnings and capabilities.

TrendLabs Advanced Threats Researcher Maxim Goncharov detailed his findings in a recent <a href="http://blog.trendmicro.com/elite-loader-goes-public/">blog post</a> after coming across a free copy of the botnet's source code on a Russian malware forum, and he contends that the threat is a pretty tough customer all around. 

Luckily for us, the researcher's ability to gain access to the code gave him all the important details needed to understand its make-up, including instructions from the botnet's designer on how to utilize Elite Control command and control servers.

In addition to dropping malicious files onto affected devices, Goncharov noted that the <a href="http://securitywatch.eweek.com/click_fraud/botnet_clickfraud_problem_growing.html">botnet program</a> also allows those people controlling the threat to channel secondary programs to the devices to steal passwords, turn the machines into spambots or even use them in DDoS campaigns.

In another nod to its sophistication, the expert said that the attack offers its users an impressive array of reporting capabilities, including stats and advanced log filtering to help botnet controllers manage downloads closely, on a regional basis, for instance.

And impressively, even with all that potential, the botnet program weighs in at a small 8KB, making it even harder for security programs to detect, he said. According to Goncharov, in fact, the threat still effectively evades detection on Windows XP Service Packs 1-3 along with Microsoft's Vista OS.

Based on his ability to unearth Elite Control so completely, and that it was relatively easy to find in <a href="http://securitywatch.eweek.com/malware/bad_actors_largely_unchecked_in_cybercrime_efforts.html">the underground</a>, the researcher also submits that the malware community is becoming increasingly brazen and public in its overall nature.

With no ability for law enforcers to actively pursue or prosecute them, malware authors and distributors aren't seemingly trying as hard to cover their tracks these days, he said.

As a result, even advanced threats such as the Elite Loader botnet will find their way into larger numbers of less sophisticated attackers' hands, and faster, the TrendLabs researcher contends.

"Elite Loader, for instance, was published by well-known Lonely Wolf, one of the moderators of the underground forum, DaMaGeLaB, with detailed instructions in the archive and even dedicated thread posts," writes the expert. "This will make it easy even for script kiddies to create their own malicious code."

Sweet.

]]>
      
   </content>
</entry>

<entry>
   <title>New DHL Notice Campaigns Deliver Backdoor Threat</title>
   <link rel="alternate" type="text/html" href="http://securitywatch.eweek.com/trojan_attacks/new_dhl_notice_campaigns_deliver_backdoor_threat.html" />
   <id>tag:securitywatch.eweek.com,2009://13.30821</id>
   
   <published>2009-10-29T22:31:57Z</published>
   <updated>2009-10-29T22:41:12Z</updated>
   
   <summary>Researchers are seeing an uptick in new phony delivery notice attacks, with more fake AV Trojan threats mixed in for good measure.</summary>
   <author>
      <name>Matthew Hines</name>
      
   </author>
   
      <category term="Backdoor" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Blended attack" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Exploits and Attacks" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Malware" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Online malware" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Phishing and Fraud" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Rogue AV" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Trojan attacks" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://securitywatch.eweek.com/">
      <![CDATA[Researchers with BitDefender are tracking the emergence of a new spate of phony <a href="http://securitywatch.eweek.com/exploits_and_attacks/upsthemed_emails_deliver_malware.html">overnight delivery notice attacks</a>, calling out a set of threats currently in circulation that attempt to create backdoors that leave affected machines almost completely under the control of their assailants.

The attacks also utilize popular <a href="http://securitywatch.eweek.com/rogue_av/diving_deep_on_fake_av.html">rogue AV scanner</a> techniques to further entrap users, giving them a decidedly staged effect.

According to a recent <a href="http://www.malwarecity.com/blog/bitdefender-weekly-review-email-spam-posing-as-dhl-express-service-spreads-backdoors-660.html">blog post</a> authored by BitDefender expert Andrei Berczki, the multi-tiered campaign first arrives in users' in-boxes posing as a notice of a failed package delivery from carrier DHL, encouraging recipients to click and download an attachment that promises to allow them to pick up their shipments in person. 

The attachment, disguised as a zip file, instead infects their device with a <a href="http://securitywatch.eweek.com/trojan_attacks/inside_the_clampi_trojan_using_shellcode_to_game_firewalls.html">Trojan</a> (labeled as "Trojan.FakeAV.VH") once executed. BitDefender is identifying the involved e-mail/spam campaign as "Glecia" and said that it cannot propagate itself, and is therefore dependent on third-party interaction to get passed along among users.

After implanting itself on a device, the attack then operates a typical fake AV scanner approach, marketing itself as "AntiVirus Pro 2010" and eventually launching malware infection warnings that push end users to download additional programs promising to help rid their machines of the reported issues.

People who follow through and download the advertised <a href="http://securitywatch.eweek.com/virus_and_spyware/spam_capitalizes_on_conficker_fear.html">AV utilities</a> predictably end up with the gaping backdoor, leaving their machines open to a litany of subsequent attacks, Berczki said. The expert noted that the involved attackers have typically employed the access point to attempt to connect infected machines to a Russian domain to receive additional commands. 

Among the orders that the researchers have observed being sent back to infected machines so far are commands to forward additional system information, open specific URLs (likely leading to poisoned pages or propping up click fraud schemes), delete files, and even delete all files from the root of the drive, including any resident Windows and Program Files folders.

Attacks that use fake delivery notice and AV scanner techniques to dupe end users may seem like old hat by now to those who follow the crimeware industry actively, but clearly they must be working somewhere for scammers to continue to invest development cycles into the threats.

So, if you're not expecting a package, and don't remember downloading any new AV clients, you're obviously being targeted by attackers if this one shows up in your in-box.

Keep an eye on that backdoor.


Follow eWeek Security Watch on Twitter at: eWeekSecWatch.
]]>
      
   </content>
</entry>

<entry>
   <title>Cyber-Protesters Hoist New Signs of Innovation</title>
   <link rel="alternate" type="text/html" href="http://securitywatch.eweek.com/hactivism/cyber-protesters_hoist_new_signs_of_innovation.html" />
   <id>tag:securitywatch.eweek.com,2009://13.30802</id>
   
   <published>2009-10-28T13:42:56Z</published>
   <updated>2009-10-28T13:57:14Z</updated>
   
   <summary>Hacktivism is showing signs of advancement as protesters employ opt-in botnets and other new means to bring their collective influence to bear in the electronic domain.</summary>
   <author>
      <name>Matthew Hines</name>
      
   </author>
   
      <category term="Botnets" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="DDoS" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Government standards" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Hactivism" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Malware" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Regulation" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Social engineering" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Social networking" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Spam" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Twitter" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://securitywatch.eweek.com/">
      <![CDATA[Online "<a href="http://securitywatch.eweek.com/exploits_and_attacks/new_hacktivism_highlights_growing_dilemma.html">hacktivism</a>" continues to expand and diversify as protesters find new ways to use the electronic realm to display their support or displeasure for offline politics, and researchers with anti-botnet specialists Damballa are following the maturation of some new models for cyber-protesting that they're citing as fairly impressive in terms of their overall advancement of the practice.

Damballa vice president of research Gunter Ollmann outlined the presentation he delivered on the topic at the CSI 2009 conference, being held in Washington this week, in a <a href="http://blog.damballa.com/?p=397">blog post</a> that highlights some of the more sophisticated techniques being employed by online hacktivists, charting their work as what he believes to be representative of what we should expect to see from such campaigners in years to come.

Ollmann specifically calls attention to the use of "opt-in" <a href="http://securitywatch.eweek.com/click_fraud/botnet_clickfraud_problem_growing.html">botnets</a>, through which protesters are increasingly volunteering to donate some of their computing resources to enable cause leaders to carry out DDoS campaigns and other attacks aimed at whatever constituencies they seek to assail. 

The expert specifically warns that some corporate entities may need to take a closer look at such capabilities and brace for the day when disgruntled former customers might align to target their operations using such botnets. Thus far most reported hacktivist activities have targeted government entities, such as during the concentrated DDoS campaigns carried out against the government of Estonia in 2007 that were reportedly enacted by <a href="http://www.eweek.com/c/a/Security/Security-Researcher-Asserts-Russian-Role-in-Georgia-Cyber-Attacks/">Russia-based attackers</a> unhappy with the separatist nation's removal of WWII-era statues and other former Soviet Union iconography.

"It used to be that the disgruntled and disaffected could grab a banner and picket for their cause outside of the local government or global conglomerate headquarters and get their message noticed by all to see," Ollmann writes. "You can still do that, but governments and conglomerates have embraced the Internet with their work-from-home policies and technologies so that the only people inconvenienced by these physical protests are the protesters themselves."

Nowadays, it appears that there is growing recognition among protestors that they can have an even more <a href="http://securitywatch.eweek.com/virus_and_spyware/mediterranean_hack_wave_maps_regional_upswell.html">disruptive impact</a>, and further distance themselves from potential prosecution for carrying out their efforts, by enlisting the power of the Web to rattle whomever it is that they seek to object to.

And lest anyone should think that the use of opt-in botnets to carry out hacktivism is a far-off concept, the expert said that based on his research people are already lining up to offer their distributed computing capacity to those with whom they've partnered to advance a specific movement.

"We've already seen some of the tools and baby-steps into taking protesting online, but what will it look like when things really start to get serious?" Ollmann observed. 

Further, by utilizing the power of social networks to recruit supporters and organize their efforts, those leading electronic protests will likely be able to attract "hundreds of thousands of compatriots" willing to empower their campaigns in an on-demand fashion, he said.

Another likely outcome will be that protestors will move beyond time-honored DDoS techniques such as Web site denials and e-mail flooding to go as far as interrupting VoIP-based telephony services.

If activism is all about getting your voice heard, and drowning out the message of your adversaries, the future for hacktivism would appear to be promising, or threatening, depending on which side you find yourself on.

]]>
      
   </content>
</entry>

<entry>
   <title>Inside the Clampi Trojan: Using Shellcode to Game Firewalls</title>
   <link rel="alternate" type="text/html" href="http://securitywatch.eweek.com/trojan_attacks/inside_the_clampi_trojan_using_shellcode_to_game_firewalls.html" />
   <id>tag:securitywatch.eweek.com,2009://13.30798</id>
   
   <published>2009-10-27T23:45:44Z</published>
   <updated>2009-10-28T00:04:42Z</updated>
   
   <summary>The Clampi Trojan attack employs some creative means to run its course and stay undetected, according to experts with Symantec.</summary>
   <author>
      <name>Matthew Hines</name>
      
   </author>
   
      <category term="AV tools" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Blended attack" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Browsers" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Exploits and Attacks" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Malware" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Microsoft" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Microsoft Windows" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Online malware" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Phishing and Fraud" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Trojan attacks" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Virus and Spyware" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://securitywatch.eweek.com/">
      <![CDATA[Many of today's Trojan malware threats utilize <a href="http://securitywatch.eweek.com/online_malware/ever_re-injure_an_old_wound.html">sophisticated techniques</a> to circumvent firewall technologies and communicate with their distributors and/or controllers, but researchers with Symantec have peeled back the layers on the widespread Clampi attack to reveal a particularly innovative approach to defeating such defensive mechanisms.

In a recent <a href="http://www.symantec.com/connect/blogs/inside-trojanclampi-bypassing-your-local-firewall">blog post</a>, Symantec researcher Nicolas Falliere detailed his latest work in examining the Clampi threat, explaining how the attack employs unique methods to achieve "enhanced stealth," therein defeating common firewalls (most commonly Windows Firewall) and generally making discovery and analysis of its code more difficult for security vendors and practitioners.

For starters, to utilize its "unusual" approach to evading firewalls and <a href="http://securitywatch.eweek.com/botnets/net_infestation_continues_to_spread.html">delivering its payload</a>, the involved versions of Clampi feature the ability to go far beyond the traditional approach of merely adding new entries to a machine's Windows Registry and instead inject their code directly into Internet Explorer.

This approach alone might constitute a significant step forward compared to most Trojans, but Clampi's nefarious genius goes much deeper, the expert contends.  

Rather than leaving its code running <a href="http://securitywatch.eweek.com/browsers/web_20_leaves_browsers_under_constant_siege.html">in the browser</a>, where it might also be detected, the attackers designed Clampi to exercise its capabilities only when necessary, using an API proxy and "stubs" of code injected into IE only when it decides to send information back to its controllers, further evading discovery.

Additionally, after its initial execution, Clampi creates its own dedicated IE instance hidden from end users, and then uses advanced shellcode manipulation techniques to further avoid detection. This includes the use of methods that allow the attack to quietly retrieve and execute shellcode, as well as encrypt it to bypass any security controls that might be watching. 

The Clampi <a href="http://securitywatch.eweek.com/trojan_attacks/google_groups_gamed_by_trojan.html">Trojan</a> then creates memory maps to exchange information with the instance of IE acting as its proxy, and subsequently executes its API, creating a remote thread in the browser through which to execute its shellcode, Falliere said.

After executing the API, the threat goes back and actively deletes the memory maps it has created, thereby covering its tracks until the next time that its controllers want to carry out their work. 

While other Trojan threats may enlist some of the same techniques to have their way with firewalls and endpoint devices and attempt to hide themselves, few do so as effectively and using such technically forward methods, the Symantec researcher concludes.

"The Clampi gang decided to inject their networking code into Internet Explorer, which is granted Web access by any standard firewall configuration out there," Falliere said. "Fair enough--that's another approach, but not a new one. Yet you've seen these guys don't do things the way other malware authors usually do."

And that's what separates the innovators from the masses.

]]>
      
   </content>
</entry>

<entry>
   <title>Websites Often Reinfected After Malware Attacks</title>
   <link rel="alternate" type="text/html" href="http://securitywatch.eweek.com/online_malware/ever_re-injure_an_old_wound.html" />
   <id>tag:securitywatch.eweek.com,2009://13.30788</id>
   
   <published>2009-10-27T16:35:26Z</published>
   <updated>2009-10-27T17:46:09Z</updated>
   
   <summary>New research from Dasient suggests website owners need to do a better job of ensuring their sites are truly protected after remediating malware infections. According to the firm, compromised websites were re-infected at a rate of nearly 40 percent during the third quarter of 2009.</summary>
   <author>
      <name>Brian Prince</name>
      
   </author>
   
      <category term="Exploits and Attacks" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Online malware" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Vulnerability Research" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Web 2.0" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://securitywatch.eweek.com/">
      <![CDATA[Ever reinjure an old wound? <a href="http://blog.dasient.com/2009/10/new-q309-malware-data-and-dasient.html">New research</a> from Dasient suggests that may happen on the Web more than you think.

In a report on Web security during the third quarter of 2009, the company found that Websites that had been compromised had a reinfection rate of 39.6 percent. Though the company did not point to any one factor for this, researchers believe it could be the combination of the number of attack vectors and the failure of administrators to address the actual vulnerabilities being exploited.

"What we do know is that there are many ways for Web-based malware to get onto Websites, including compromised FTP credentials, Web application vulnerabilities, and sourcing in third-party content (like mashups) or advertisements," a Dasient spokesperson said. "Since the attackers are running automated scripts to inject malware onto Websites, it is likely that Webmasters whose sites were re-infected cleaned up the original infection but (one) did not change FTP passwords and/or remove a keylogger from the admin PC, (two) did not address <a href="http://www.eweek.com/c/a/Security/Whodunit-Finding-Security-Vulnerabilities-in-Application-Code-633960/">underlying Web application vulnerabilities</a>, or (three) continues to source in content/ads from third-parties, and is therefore still at risk for getting re-infected."

In some ways, this relates back to a <a href="http://www.eweek.com/c/a/Security/Top-Cyber-Threats-Tied-to-Application-Patching-Process-554251/">report from SANS Institute</a> that analyzed data from 15,000 organizations and found unpatched applications are plaguing many enterprises. Taken together, the reports underscore the <a href="http://securitywatch.eweek.com/google/google_brings_malware_info_to_webmasters.html">importance of making sure</a> that any security holes are truly plugged, as opposed to just removing infections from systems or sites once they have been compromised.

According to Dasient - whose findings are based on data from its malware-analysis platform - most Web-based malware attacks fall into two categories: JavaScript attacks (54.8 percent) and iFrame attacks (37.1 percent). 

The bad news doesn't end there. During the third quarter of 2009, the company estimates that more than 640,000 sites and roughly 5.8 million Web pages were infected.

"There are two forces at play here: One, attackers are seeing success with Web-based malware attacks," the Dasient spokesperson said. "Whenever they see success with an attack vector, they will continue to invest more. And two, modern Websites themselves are becoming more complex and dynamic, and are increasingly sourcing in content from other places (including Websites and even users directly)."

"Mashups, online advertising, and user-generated content have become standards that support rich user experiences, as well as the business models of many Websites," the spokesperson continued. "However, this dynamic functionality also results in more opportunities for attackers to inject malicious code onto Websites."]]>
      
   </content>
</entry>

<entry>
   <title>Botnet Click Fraud Problem Growing</title>
   <link rel="alternate" type="text/html" href="http://securitywatch.eweek.com/click_fraud/botnet_clickfraud_problem_growing.html" />
   <id>tag:securitywatch.eweek.com,2009://13.30766</id>
   
   <published>2009-10-23T11:33:17Z</published>
   <updated>2009-10-23T11:45:25Z</updated>
   
   <summary>Use of botnets to commit click fraud continues to proliferate, gaining noticeably during Q3 2009, according to researchers.</summary>
   <author>
      <name>Matthew Hines</name>
      
   </author>
   
      <category term="AV tools" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Adware" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Blended attack" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Botnets" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Exploits and Attacks" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Malware" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Online malware" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Phishing and Fraud" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Social engineering" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="click fraud" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://securitywatch.eweek.com/">
      <![CDATA[Researchers who specialize in tracking the use of automated programs and other means to commit click fraud -- or the illegitimate inflation of online ad traffic for the purpose of boosting profits -- are pointing to the increased use of <A href="http://securitywatch.eweek.com/botnets/asprox_botnet_attacks_come_back.html">botnets</A> by scammers seeking to line their pockets via ill-begotten trade.

Click Forensics, which has been reporting on click fraud data and trends for over four years now, released its figures for Q3 2009 this week. According to the latest figures, <A href="http://securitywatch.eweek.com/botnets/click_fraud_experts_report_new_botnet.html">botnet-driven traffic</A> accounted for 42.6 percent of all the empty ad traffic between the beginning of July and the end of September 2009.

The results represent a significant increase in such activity, more than doubling botnet-driven click fraud compared to the same period in 2007 and gaining from the 27.5 percent reported for the same quarter in 2008.

Researchers with the company recently issued a report on the use of a sophisticated new click fraud botnet, <A href="http://blog.clickforensics.com/?p=314">dubbed Bahama</A>, that is being used purposefully and strategically by scammers to boost their ad impressions and fleece referral networks for more cash.

Along with continued use of Bahama, the traffic patterns that Click Forensics tracked during Q3 across 300 different ad networks indicate that such use of <A href="http://securitywatch.eweek.com/search/search_engine_manipulation_grows_up.html">zombie machines</A> to inflate business is only becoming more prevalent and harder to nail down.

"The significant rise in botnet-generated click fraud lines up with recent findings of several well-known malware and online fraud tracking experts," said Paul Pellman, CEO of Click Forensics. "Botnets perpetrating click fraud and other online schemes continue to grow in number and sophistication."

However, despite the increased use of botnets to push click fraud, the overall rate of ad impressions considered to be illegitimate is not gaining rapidly.

Click Forensics reported that the overall industry average click fraud rate was 14.1 percent during Q3, a small increase from the 12.7 percent reported for Q2 2009, and down from the 16.0 percent rate reported for Q3 2008.

In terms of geographic orientation, the countries outside North America producing the highest rates of click fraud in Q3 were the United Kingdom, Vietnam and Germany, respectively, the company said.

As we head into Q4 and the busiest season for online shopping and Internet use by those considered inexperienced users, click fraud will likely run rampant as <A href="http://securitywatch.eweek.com/video_games/worlds_of_scamcraft.html">scammers</A> seek to tap into the increased attention, experts warned.

"Advertisers and ad providers need to be especially vigilant about such activity as we enter the competitive search marketing holiday season," said Pellman.

]]>
      
   </content>
</entry>

<entry>
   <title>Do You Remember When... We Used to Pwn</title>
   <link rel="alternate" type="text/html" href="http://securitywatch.eweek.com/virus_and_spyware/do_you_remember_when_we_used_to_pwn.html" />
   <id>tag:securitywatch.eweek.com,2009://13.30588</id>
   
   <published>2009-10-22T11:27:04Z</published>
   <updated>2009-10-23T11:43:51Z</updated>
   
   <summary>The official Web site of singer Van Morrison is being used by attackers to deliver a variant on a long-running iframe infection attack.</summary>
   <author>
      <name>Matthew Hines</name>
      
   </author>
   
      <category term="Browsers" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Exploits and Attacks" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Online malware" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Phishing and Fraud" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="SEO" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="SQL injection" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Social engineering" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Virus and Spyware" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://securitywatch.eweek.com/">
      <![CDATA[<a href="http://securitywatch.eweek.com/exploits_and_attacks/hot_or_not_cybercriminals_as_celebrity_meters.html">Celebrity sites</a>, at least those using the names and likenesses of celebrities for the sake of drawing in Web surfers, have long been a breeding ground for attacks, with the likes of Pamela Anderson, Paris Hilton and more recently Jessica Biel being used to lure end users into visiting URLs that are primarily used to distribute malware infections.

However, in a new twist, the actual official Web site of at least one rock star is currently being used to attempt to <a href="http://securitywatch.eweek.com/google/google_brings_malware_info_to_webmasters.html">drop badware</a> onto people's computers -- of course without the knowledge of the involved celeb, at least we'd hope not.

Now, I'm not old enough to remember Van Morrison's original heyday, but I've certainly lived through enough classic rock revivals and movie soundtracks to know the difference between "Moondance" and "Brown Eyed Girl." And while Morrison is largely known as a relic of the '60s and '70s, the once-reclusive singer has actually enjoyed something of a recent revival, re-appearing in the pages of Rolling Stone and on local stages while <a href="http://www.courant.com/entertainment/music/hc-vanmorrison.artoct22,0,957073.story">touring in support</a> of his long lost cult hit "Astral Weeks" album.

Well, apparently someone in the crimeware community is either a fan or took note of the recent reprise, and took the liberty of infecting Morrison's <a href="http://vanmorrison.com/">official Web site</a> with a variation on a malicious iframe attack.

As first reported on <a href="http://www.infosecblog.org/2009/10/vanmorrisoncom-iframe.html">Roger's Information Security Blog</a> and later publicized by researchers at Sophos, Morrison's site is currently hosting code that attempts to add the long-running <a href="http://www.sophos.com/security/analyses/viruses-and-spyware/maliframef.html">Mal/iframe-F attack</a> to the singer's page from a remote site when users' browsers download content from the URL.

If users download a PDF file, and likely also an ActiveX control, that VanMorrison.com asks them to accept, their machines will become infected with the attack, researchers said.

Making the attack even more sophisticated, the threat is delivered via a heavily obfuscated script injected into the page that references an iframe, rather than hosting the iframe infection itself, experts at Sophos reported.

So, what this goes to show is that it isn't just fly-by-night fan sites or corny celebrity URLs set up explicitly for the purpose of <a href="http://securitywatch.eweek.com/virus_and_spyware/spam_capitalizes_on_conficker_fear.html">spreading malware</a> that are proving dangerous for end users. Even those sites belonging to the real celebrities and their marketing teams are being used when attackers can find a vulnerability they can use to launch their attacks.

It's cool to see Morrison re-asserting his place in the rock and roll world after all these years away from the spotlight; he certainly still seems to have a lot of hardcore fans. Let's just hope that his webmasters can prove as diligent in trying to lock down the iconic singer's home on the Web. 


]]>
      
   </content>
</entry>

<entry>
   <title>Diving Deep on Fake AV</title>
   <link rel="alternate" type="text/html" href="http://securitywatch.eweek.com/rogue_av/diving_deep_on_fake_av.html" />
   <id>tag:securitywatch.eweek.com,2009://13.30577</id>
   
   <published>2009-10-21T12:14:59Z</published>
   <updated>2009-10-21T12:22:00Z</updated>
   
   <summary>Phony AV programs that attempt to infect end users with malware have become an industry unto themselves, according to a new research report from Symantec.</summary>
   <author>
      <name>Matthew Hines</name>
      
   </author>
   
      <category term="AV tools" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Backdoor" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Blended attack" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Botnets" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Browsers" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Exploits and Attacks" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Malware" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Online malware" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Phishing and Fraud" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Rogue AV" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Social engineering" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Social networking" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Spam" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://securitywatch.eweek.com/">
      <![CDATA[Phony anti-virus programs that attempt to prey on people's cyber-security concerns only to download malware onto their endpoints have been a major issue for several years now, and show few signs of fading from widespread usage.
 
And according to a new, <a href="http://eval.symantec.com/mktginfo/enterprise/white_papers/b-symc_report_on_rogue_security_software_WP_20016952.en-us.pdf">in-depth report</a> on the subject published by security software giant Symantec, the groups behind the marketing and distribution of the AV-themed threats only continue to grow more advanced and aggressive.

During the period stretching from July 1, 2008, to June 30, 2009, Symantec said that it received reports of some 43 million <a href="http://securitywatch.eweek.com/av_tools/new_fake_av_threats_on_the_prowl.html">rogue security software</a> installation attempts involving only 250 distinct samples of the attacks that it had been tracking.

"The continued prevalence of these programs emphasizes the ongoing threat they pose to potential victims despite efforts to shut them down and raise public awareness," researchers noted. "The perpetrators of these rogue security software scams are well-equipped to prey on Internet users. Many of these scams are very lucrative and appear to be run by highly organized groups or individuals who maintain an effective distribution network bolstered by multi-level marketing efforts."

The many distribution models used by attackers trying to deliver phony AV threats include traditional means such as spam, Web pop-up and banner advertisements, and <a href="http://securitywatch.eweek.com/seo/malware_distributors_mastering_news_seo.html">search engine results</a>, but a number of campaigns have now shifted to target users of online forums, social networking sites, and other newer phenomena such as Twitter and URL shortening services, experts said.

As with other popular malware delivery techniques, phony AV has become such a popular vehicle that researchers are now even seeing hard-fought competition between various groups of attackers, with some scams even advertising that they remove rebranded versions of the same misleading application, or versions of others.

"This often occurs once a rogue application becomes prevalent and other scam distributors advertise (misleading) applications that purport to remove the now widespread application," researchers said in the report. "Scam perpetrators seem unconcerned with creating the illusion of a trustworthy brand identity, but instead try to capitalize on the potential confusion resulting from the distribution of numerous rogue security products with similar names and interfaces."

So <a href="http://securitywatch.eweek.com/malware/bad_actors_largely_unchecked_in_cybercrime_efforts.html">bad guys</a> are trying to ride on the coattails of other bad guys who are themselves trying to take advantage of the success of other bad guys. I think we can safely say that online security has become something of a mess!

Some of the other conclusions of the report included findings that:

-Some 93 percent of the top 50 most prevalent rogue security applications were distributed as voluntary downloads.

-Another 93 percent of scams in the top 50 most prevalent rogue security applications were advertised through dedicated web sites. 

-For rogue security application scams to be successful, the software must be advertised to potential victims. The software must also be reliably hosted in a location where it is available for download.

-Many fake AV GUI templates and cloning techniques are used to help these scams evade detection and be quickly rolled out anew.

-Complicated affiliate networks are in place to organize scam distribution and provide incentives for distributors.

-Malicious advertisements for these scams are often distributed on legitimate Web sites.

]]>
      
   </content>
</entry>

<entry>
   <title>Spam Uses Conficker Fear to Push Malware</title>
   <link rel="alternate" type="text/html" href="http://securitywatch.eweek.com/virus_and_spyware/spam_capitalizes_on_conficker_fear.html" />
   <id>tag:securitywatch.eweek.com,2009://13.30574</id>
   
   <published>2009-10-20T23:54:25Z</published>
   <updated>2009-10-21T13:27:43Z</updated>
   
   <summary>Spammers are using a fake alert about the Conficker worm to scare users into downloading malware.</summary>
   <author>
      <name>Brian Prince</name>
      
   </author>
   
      <category term="AV tools" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Botnets" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Spam" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Virus and Spyware" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://securitywatch.eweek.com/">
      <![CDATA[<a href="http://securitywatch.eweek.com/malware/conficker_the_mystery_meat_of_the_malware_world.html">The Conficker worm</a> may have faded from news headlines, but that doesn't mean that it has been forgotten. In fact, an ongoing spam campaign is banking on it.

<a href="http://www.sophos.com/blogs/gc/g/2009/10/19/beware-fake-microsoft-alerts-regarding-conficker-worm/">According to Sophos</a>, spammers are blasting out messages urging people to download a security tool the messages say comes from Microsoft's security team. The e-mails actually contain malware detected by Sophos as Mal/ZipMal-C and Mal/EncPk-KP.

The messages typically look like this:

Subject: Conflicker.B Infection Alert

Attached file: install.zip

Message body:

Dear Microsoft Customer,

Starting 18/10/2009 the 'Conficker' worm began infecting Microsoft customers unusually rapidly. Microsoft has been advised by your Internet provider that your network is infected.

To counteract further spread we advise removing the infection using an antispyware program. We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus.

Please install attached file to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation.

Regards,
Microsoft Windows Agent #2 (Hollis)
Microsoft Windows Computer Safety Division

"It goes without saying that opening the attached file is a very bad idea," blogged Graham Cluley, senior technology consultant at Sophos. "By the way, note that the hackers didn't spend much time in their quality control department. The subject line of the spammed out emails refers to 'Conflicker' rather than Conficker."

As I'm sure the spammers are well aware, <a href="http://www.eweek.com/c/a/Security/Why-the-Conficker-Worm-is-Still-Plaguing-Windows-Users-654757/">Conficker is still around</a> doing its best to infect users. According to the Conficker Working Group, as of Oct. 19 there were still more than 6.8 million unique IPs infected with variants A, B or C. Conficker hasn't gone away - but if you are looking for <a href="http://www.eweek.com/c/a/Security/Five-Free-Tools-to-Help-Exterminate-Conficker-885701/">information or tools</a> to clean your system, make sure you are going to somewhere reputable.
]]>
      
   </content>
</entry>

<entry>
   <title>Password Strength Needs a Boost</title>
   <link rel="alternate" type="text/html" href="http://securitywatch.eweek.com/enterprise_security_strategy/password_strength_needs_a_boost.html" />
   <id>tag:securitywatch.eweek.com,2009://13.30552</id>
   
   <published>2009-10-16T16:29:17Z</published>
   <updated>2009-10-16T16:37:11Z</updated>
   
   <summary>Weak passwords continue to plague organizations, according to new research from academia. </summary>
   <author>
      <name>Brian Prince</name>
      
   </author>
   
      <category term="Enterprise security strategy" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Phishing and Fraud" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Privacy" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://securitywatch.eweek.com/">
      <![CDATA[When it <a href="http://www.eweek.com/c/a/Security/Google-Five-Fixes-For-Five-Password-Security-Problems-406361/">comes to passwords</a>, users are often the weakest link in the chain.

A survey by researchers at the University of Wisconsin-Madison and IT University in Copenhagen found that just four percent of the people surveyed obeyed <a href="http://www.eweek.com/c/a/Security/Shared-and-Privileged-Account-Password-Management-Important-for-Security/">best practices for passwords</a>. The survey focused on 836 staff members at a company handling "very sensitive private information."

What the academics uncovered was that just four percent of those surveyed obeyed best practice rules for passwords. Others frequently did not, doing things such as using the same passwords for different systems or writing their passwords down on post-it notes.

"On average, respondents have 4.1 different passwords to log on to different computers and/or access different computer applications at work," the researchers state <a href="http://www.hfes.org/web/Newsroom/HFES09-Hoonaker-CIS.pdf">in their paper</a>. "If we include passwords used at home that number increases to 9. Eighteen percent of the respondents always use the same password to access the different computer systems, applications or websites, 50% sometimes use the same password and sometimes another password, and 31% always use different passwords."

This study comes on the back of an analysis by Acunetix of the strength of a batch of stolen <a href="http://www.acunetix.com/blog/websecuritynews/statistics-from-10000-leaked-hotmail-passwords/">passwords</a>. The company found similarly that many users were utilizing weak passwords to protect their Microsoft Hotmail accounts.

Just what to do about this, beyond continuing user education, is anybody's guess. But the report from IT University and the University of Wisconsin-Madison suggests it may be time to abandon code words for pictures.

"There are also other solutions to overcome human limitations," the report states. "For example several studies have shown that human beings are better at recognizing pictures than words or sentences and pictures are better stored in the long-term memory...Most efficient are two- or three-step authentication methods, for example a combination of token-based and knowledge-based authentication (for example a smart card in combination with a PIN number), a combination of biometrics and passwords, or a combination of token-based authentication and biometrics, depending on the level of security needed."

The question is, is your enterprise doing enough?
]]>
      
   </content>
</entry>

</feed>
