General Discussion

[drive-by download]

FYI...

- http://www.theregister.co.uk/2008/02/15/browser_exploitation/
15 February 2008 - "Cybercriminals are stepping up their efforts to exploit vulnerabilities in web browsers to spread malware using drive-by download techniques. Research by Google's anti-malware team on three million unique URLs on more than 180,000 websites automatically installed malware onto vulnerable PCs. Hackers are increasingly trying to trick search sites into pointing surfers onto maliciously constructed sites. More than one per cent of all search results contain at least one result that points to malicious content, Google reports*, adding that incidents of such attacks has grown steadily over recent months and continues to rise. Google's team also reports that two per cent of malicious websites are delivering malware via tainted banner ads. Israeli security firm Finjan has also observed a rise in the tactic over recent months, noting that many malicious ads are served from legitimate websites. A security report from IBM's X-Force division said cybercriminals are "stealing the identities and controlling the computers of consumers at a rate never before seen on the internet"..."
* http://googleonlinesecurity.blogspot.com/2008/02/all-your-iframe-are-point-to-us.html

> http://www.us-cert.gov/current/archive/2008/02/18/archive.html#mozilla_firefox_and_opera_browser
February 18, 2008
> http://www.microsoft.com/technet/security/bulletin/ms08-010.mspx
MS08-010 - Updated: February 13, 2008

(Keep things patched! Is your browser up-to-date?...)

 

[Opera updated]

FYI...

Opera updated
- http://www.opera.com/download/
Release Date: 2008-02-20


 

[Netscape multiple Vulns - update available]

FYI...

Netscape multiple Vulns - update available
- http://secunia.com/advisories/29049/
Release Date: 2008-02-21
Critical: Highly critical
Impact: Security Bypass, Cross Site Scripting, Spoofing, Exposure of sensitive information, DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: Netscape 9.x
...can be exploited by malicious people to disclose sensitive information, bypass certain security restrictions, conduct spoofing attacks, or to compromise a user's system.
Solution: Update to version 9.0.0.6:
http://browser.netscape.com/downloads
"Official support for all Netscape client products will end on March 1st, 2008..."
http://blog.netscape.com/2007/12/28/end-of-support-for-netscape-web-browsers/

.

[here]

FYI..

- http://www.secprodonline.com/articles/58887/
February 28, 2008 - "...Hacking continues to evolve in sophistication and the Web browser now presents an opening for sensitive information to be stolen by increasingly simple methods. This includes basic coding that allows malicious Web sites to automatically steal sensitive information from visitors. Commonly associated with "seedy" Web sites ("warez," gambling and pornography), the threat of browser-based attacks has expanded to more "acceptable" sites that might include social networking, religious organization and university sites. Further complicating the issue is the high demand for browser functionality that often outweighs the demand for security. Many well-known and useful technologies that are integrated with current browser environments, including Flash, ActiveX, QuickTime, Java and JavaScript, each pose a potential attack vector into the enterprise. Other vulnerabilities include how browsers themselves handle particular pieces of code, such as iFrames, whose weaknesses have been known to cause massive incidents in enterprises when exploited... To help thwart browser-based security threats, IT security professionals increasingly are focusing resources and attention at better protecting the Web browser through hardy URL filtering solutions. These Web content filtering solutions block sites that are not related to business activities, greatly reducing the risk of browser-related infections. However, simple filtering methods will not completely eliminate the malware danger. More sophisticated solutions, such as anti-malware, automated code filtering and botnet detection, are currently being added to Web filtering technologies in an effort to thwart complex browser-related attacks."

 

[Google - scope of drive-by malware is 'significant']

FYI...

Google - scope of drive-by malware is 'significant'
- http://preview.tinyurl.com/2ks9cw
03/03/2008 (Network World) - "How ironic that Google allows you to initiate a Web search by clicking on a button labeled "I'm Feeling Lucky." The button is supposed to take you to the first Web site that turns up in your search. Instead, it just might take you to malware hell. In a preliminary report issued by Google in early February (see All Your iFrames Point to Us in the Google blog), researchers reveal the depth of the worldwide malware problem and conclude “the scope of the problem is significant”... Not long ago, wide-scale attacks that took aim at overwhelming computing resources were the preferred game plan. Such attacks use a “push” model. As network tools got better at defending against denial-of-service attacks, the bad guys adopted a “pull” model that has users inadvertently downloading unwanted payloads... For example, clicking on a link to an e-card that turns out to be bogus. The second, more ominous method is to automatically deliver the payload when the user lands on a compromised Web page. Worst of all is that landing on a malicious site is often completely out of the hands of the Web surfer, as he may actually be taken there without his knowledge... Seemingly benign Web sites – perhaps the kind that you visit everyday for work or pleasure – have the ability to deliver dangerous malware payloads. Suddenly, I don’t feel so lucky anymore..."

 

[ZDNet Asia]

FYI...

- http://www.f-secure.com/weblog/archives/00001396.html
March 5, 2008 - "ZDNet Asia is one of my bookmarked online resources that I frequently visit. The site is NOT compromised per se; rather, their site's search engine was abused by an attacker with queries of popular keywords. Leveraging on the fact that the site is, legitimate, and has high page ranks, the popular search engines are returning some of these 'iFRAME'ed results in the first few pages of the search results. And the objective? To get the unsuspecting user to click on the link... The last time we checked, 20,600 cached pages loading the iFRAME was found. Upon clicking on the malicious link, you get redirected to some Russian Business Network's IPs and RBN*  is notoriously known for hosting not only malware but also rouge antivirus and antispyware applications. At the end of the redirects, the unsuspecting user might be a victim of a Zlob trojan. We detect it as Trojan-Downloader:W32/Zlob.HOG."
(Screenshot available at the URL above.)

* http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080301

 

[101,000 Google search results]

FYI...

- http://www.theregister.co.uk/2008/03/06/googe_iframe_piggybacking/
6 March 2008 - "Updated: Hackers have found a new way to get Google to point to malicious websites with the help of unwitting websites such as TorrentReactor, ZDNet Asia and several other CNET-owned properties. As a result, more than 101,000 Google search results that appeared to lead to pages of legitimate sites actually directed end users to sites that attempted to install malware... Almost 52,000 Google results contained such redirects for ZDNet Asia... There were almost 50,000 poisoned links for TV.com sites and a handful for News.com and MySimon.com..."

- http://www.symantec.com/avcenter/threatcon/learnabout.html
"On March 4, 2008 reports of an IFRAME attack coming from ZDNet Asia began to surface. Attackers appear to have abused the ZDNet search engine's cache by exploiting a script injection issue which is then being cached in Google. Clicking the affected link in Google will cause the browser to be redirected to a malicious site which attempts to install a rogue ActiveX control. On March 6, 2008 the research that discovered the initial attack published an update stating that a number of CNET sites including TV.com, News.com and MySimon.com are also affected by a similar issue.
More CNET Sites Under IFRAME Attack - http://ddanchev.blogspot.com/2008_03_01_archive.html
Fraudsters piggyback on search engines - http://www.securityfocus.com/brief/695 "

 

[here]

FYI...

- http://www.securitypark.co.uk/security_article.asp?articleid=260438&Categoryid=1
March 7, 2008 - "Today, e-crime is the domain of organised gangs, often from eastern Europe or China. They have just one motive. Now it’s all about making money. The main targets of today’s hackers are e-commerce web sites and the customer databases behind them. Databases that hold credit card numbers, expiry dates, PINs, addresses, and everything else that’s needed to empty a victim’s bank account. Their operations are so slick that stolen data is exploited within seconds of it being submitted by unwitting victims. The big growth area in e-commerce right now is in the use of web-based applications to replace traditional over-the-counter or telephone-based transactions. Hackers have, understandably, latched onto this. According to Gartner, 75% of security breaches are due to flaws in software. Primarily because those applications have been put together as quickly as possible in order to get a working system out there, without due regard being given to the security implications. As the hackers continually attempt to up their game, the securities and futures industry in the US recorded, in 2007, a 150% annual increase in the amount of suspicious activity detected on its systems... To assist developers in ensuring that they write secure applications, various companies produce automatic software solutions that can help. These include code analysers that automatically scan source code for possible security issues. Others sit between web browser and server on your development network, analysing data flows and highlighting any potential problems, such as an opportunity for a hacker to redirect a web form to their own site. The internet is here to stay, as is internet crime..."

[drive-by-downloads]

FYI...

- http://www.f-secure.com/weblog/archives/00001398.html
March 7, 2008 - "A year or two ago, the malware author's preferred way of spreading their wares was via e-mail attachments. We all remember mass outbreaks like Bagle, Mydoom and Warezov. Well, sending EXE attachments in e-mail doesn't work anymore. Almost every organization is now dropping such risky attachments from their e-mail traffic. So virus writers have made a clear shift away from e-mail attachments to the Web: drive-by-downloads. This attack often still starts with an e-mail spam run; there's just no attachments in the e-mail anymore as it has been replaced by a web link. Some of these malicious web sites use exploits to infect you just by visiting a web page, others use compelling stories to fool you into downloading and running a program from the page. Many have missed this shift of attacks from e-mail to the web. There's a lot of companies measuring their risk of getting infected by looking at the amount of stopped attachments at their e-mail gateway. Those numbers are definitely going down, but the actual risk of getting infected probably isn't. Those organizations that are not scanning their web traffic for malware should seriously consider starting to do it, right now. However, virus writers are moving again. We're now seeing more and more malicious e-mails that link to malware — not via HTTP but via FTP links. Case in point, a fake Hallmark greeting card spam we saw today... the link takes you to an owned computer which has an FTP site setup on it. And when the executable is downloaded, it turns out to be a Zapchast mIRC-bot variant. Better make sure your gateway scanner is configured to scan FTP traffic as well..."

(Screenshots available at the URL above.)

 

[here]

Another option...

- http://www.secureworks.com/research/blog/index.php/2008/03/07/
March 7, 2008 - "...The modern web browser is an incredible, complicated piece of software with a large attack surface. Throw on some third party software like ActiveX controls (most of which are chock full of buffer overflows) and you have a hacker’s playground. To make matters worse, all modern day browsers contain JavaScript interpreters which give attackers the ability to obfuscate their attacks in an infinite number of ways. Luckily there is a method for users to fight back against the majority of these JavaScript- based attacks: No Script (Firefox) and Trusted Sites (Internet Explorer). These methods take the same approach to security: Enumerating the good. Instead of playing whack-a-mole with all the new type of attacks that appear you allow the list of sites where JavaScript is allowed to come from.
To do this with Internet Explorer you must first disable active scripting for web sites in the “Internet” zone and then add trusted commonly access pages to the “Trusted Sites” zone. This change can be done through Active Directory and pushed out to all computers in your organization.
To achieve the same effect in Firefox you must install the No Script extension. By default this plug-in will block all JavaScript, java and flash (no more flash ads) content. You can then enable this content on a per page basis or import a list of trusted sites. By using either one of these methods you will be able to block the vast majority of browser-based attacks."

NoScript: http://noscript.net/

Using group policy to manage the list of trusted sites: http://support.microsoft.com/kb/816703

[Controlling ActiveX Controls]

FYI...

Controlling ActiveX Controls
- http://www.securityfocus.com/blogs/671
2008-03-13 - "...here are some quick thoughts on why browser accessible ActiveX controls are so frustrating:
   1. ActiveX controls aren’t (usually) tied to the websites that installed them.
Meaning, any website can instantiate one and communicate with it. And by communicate with it, I mean perform memory corruption attacks that lead to remote code execution.
   2. They are often written poorly.
Even more poorly than most 3rd party software. Overflows, arbitrary file access, you name it. You could probably find an ActiveX control that is actually vulnerable to every bug class.
   3. They persist (and can be difficult to remove)...
After they get installed, you forget about it. Forever. Long after you have even logged into the website that convinced you to install it. Just waiting for someone to take advantage of issues 1 and 2 to make you part of their botnet.
   4. They can be difficult to update.
Unlike a lot of software, ActiveX controls rarely have auto-update functionality. As a result, most people that are vulnerable, stay that way.
   5. They are rarely necessary.
The worst part is, ActiveX controls are often add-ons that no one really needed and wouldn’t miss if they disappeared. A lot of times that I have seen them used, they were mostly there to make a UI feel more Win32 and less webby. The risk to benefit ratio has rarely been worth it..."

 

[here]

FYI...

- http://www.symantec.com/avcenter/threatcon/learnabout.html
(03.20.2008) - "...DeepSight Threat Analyst Team is currently monitoring a number of ongoing mass SQL-injection attacks that are manipulating victim servers to host malicious content to browsing clients... Clients are advised to browse using strict security policies. The following list of strategies may prevent or hamper an attack:
- Run browser software with the least privileges possible.
- Disable JavaScript, IFRAMEs, and ActiveX controls.
- Enable OS security mechanisms such as Data Execution Prevention (DEP).
- Ensure that browsing software is up to date.
- Filter all web activity through security products such as an Intrusion Prevention system."

 

[Drive-by-downloads now the primary threat from hacks]

FYI...

Drive-by-downloads now the primary threat from hacks
- http://www.f-secure.com/weblog/archives/00001408.html
March 31, 2008 - "...Nowadays sending .EXE attachments in e-mail doesn't work so well for the criminals because almost every company and organization is filtering out such risky attachments from their e-mail traffic. The criminals’ new preferred way of spreading malware is by drive-by downloads on the Web. These attacks often still start with an e-mail spam run but the attachment in the e-mail has been replaced by a web link, which takes you to the malicious web site. So instead of getting infected over SMTP, you get infected over HTTP. Infection by a drive-by download can happen automatically just by visiting a web site, unless you have a fully patched operating system, browser and browser plug-ins. Unfortunately, most people have some vulnerabilities in their systems. Infection can also take place when you are fooled into manually clicking on a download and running a program from the web page that contains the malware. There are several methods criminals use to gather traffic to these websites.
- A common approach is to launch an e-mail spam campaign containing messages that tempt people to click on a link...
- Another method used by criminals is to create many web pages with thousands of different keywords which are indexed by Google, and then simply wait for people to visit these sites...
- The third method of distributing malware involves the criminals hacking into existing high profile, high traffic web sites. Unlike the joke defacements that some hackers played on the front pages of prominent web sites in the past, today’s criminal hackers don’t change the front page at all. They simply insert a line of javascript on the front page which uses an exploit to infect your machine when you go there... This has happened to the web sites of some popular magazines which can have a million users every single day...
- Another vector for drive-by downloads are infiltrated ad networks. We are seeing more and more advertising displayed on high-profile websites. By infiltrating the ad networks, the criminals don’t have to hack a site but their exploit code will still be shown to millions of users, often without the knowledge of the webmaster of those sites.

It is important to be aware of this shift from SMTP to HTTP infections, which can be exploited by the criminals in many ways. Companies often measure their risk of getting infected by looking at the amount of stopped attachments at their e-mail gateway. Those numbers are definitely going down, but the actual risk of getting infected probably isn't. Individuals and companies should therefore be scanning their web traffic for malware – as well as filtering their FTP traffic. In parallel to the switch from SMTP to HTTP as a way of spreading malware, we are now also seeing more and more malicious e-mails that link to malware via FTP links..."

 

[drive-by-download site]

FYI...

- http://www.f-secure.com/weblog/archives/00001411.html
April 1, 2008 - "We've seen tons of banking trojans lately, but now we've run into something quite unique. This new banking trojan was found today from a drive-by-download site. We've added detection for it as Win32.Pril.A It not only infects the MBR of the machine, but also reflashes the boot code in the Flash BIOS, making disinfection problematic. Once an infected machine is online, the trojan monitors the users actions, waiting him to go to go to one of several hundred online banks, located all over the world. Once the user has logged on, the banking trojan uses PCMCIA to inject code into the VGA! As an end result, the trojan creates a man-in-the-browser attack against the victim. Now, the really surprising part is what the trojan does. Normal banking trojans would insert extra transactions or change the deposit account numbers on-the-fly. However, Win32.Pril.A doesn't withdraw money from you - it actually inserts money TO your account. This looked so weird we had to test it several times, on all of our accounts. The drive-by-download site is still up..."

(Screenshot available at the URL above.)

 

[Drive-by-downloads]

FYI...

- http://www.f-secure.com/weblog/archives/00001412.html
April 2, 2008 - "Injected iframes into legitimate sites are becoming more and more common these days. One of the latest targets is a Chinese government site... Please note that while the site adminstrators have been notified, the injected iframe is still present in the site at the time of this posting. The iframe downloads a page from another chinese site that redirects the browser to a .com site - that contains tons of new iframes. End result of this iframe jungle is that exploits try to download executables to the users computer...  Drive-by-downloads are getting more sophisticated nowadays with this case using several exploits including MDAC and Real Player exploits. As always, remember safe computing pratices even when on familiar grounds, lest you find yourself iframed... Turns out that sony.com.cn seems to have similar iframe's added to some of it's page as well. We have been in touch with Sony and CERTs on this..."