General Discussion

[Multi-browser hole exploited by banking trojan]

FYI...

Multi-browser hole exploited by banking trojan
- http://news.cnet.com/8301-27080_3-10363836-245.html
September 29, 2009 - "Researchers at security firm Finjan have discovered details of a new type of banking Trojan horse that doesn't just steal your bank log in credentials but actually steals money from your account while you are logged in and displays a fake balance. The bank Trojan, dubbed URLZone, has features designed to thwart fraud detection systems which are triggered by unusual transactions, Yuval Ben-Itzhak, chief technology officer at Finjan, said in an interview Tuesday. For instance, the software is programmed to calculate on-the-fly how much money to steal from an account based on how much money is available. It exploits a hole in Firefox, Internet Explorer 6, IE7, IE8, and Opera, and it is different from previously reported banking Trojans, said Ben-Itzhak. The Trojan runs an executable only on Windows systems, he said. The executable can come via a number of avenues, including malicious JavaScript or an Adobe PDF, he added. The specific Trojan Finjan researchers analyzed targeted customers of unnamed German banks, according to the latest Finjan report*. It was linked back to a command-and-control server in Ukraine that was used to send instructions to the Trojan software sitting inside infected PCs. Finjan has notified German law enforcement... This is the first Trojan Finjan has come across that hijacks a victim's browser session, steals the money while the victim is doing online banking, and then covers its tracks by modifying information displayed to the victim, all in real time, Ben-Itzhak said. People should keep their antivirus, operating system, browser and other software up to date to protect against this type of attack, he said."
* http://www.finjan.com/Content.aspx?id=1367
"... cybercrooks used a combination of Trojans and money mules to rake in hundreds of thousands of Euros and to minimize detection by the anti-fraud systems used by banks. After infection, a bank Trojan was installed on the victims’ machines and started communication with its Command & Control (C&C) server for instructions. These instructions included the amount to be stolen from specific bank accounts and to which money mule-accounts the stolen money should be transferred. The use of this Anti anti-fraud method signals a new trend in cybercrime."
- http://www.finjan.com/MCRCblog.aspx?EntryId=2345
Sep 30, 2009

 

[Rogue AV spreads thru XSS attacks in browsers]

FYI...

Rogue AV spreads thru XSS attacks in browsers
- http://www.theregister.co.uk/2009/12/16/rogue_av_attacks/
16 December 2009 - "Malware purveyors are exploiting web vulnerabilities in appleinsider .com, lawyer .com, news .com.au and a dozen other sites to foist rogue anti-virus on unsuspecting netizens. The ongoing attacks are notable because they use exploits based on XSS, or cross-site scripting, to hide malware links inside the URLs of trusted sites... As a result, people who expect to visit sites they know and trust are connected to a page that tries to trick them into thinking their computer is infected... The links work because appleinsider .com and the rest of the sites being abused fail to filter out harmful characters used in XSS attacks. More about the attack is available from the Zscaler blog here*."
* http://research.zscaler.com/2009/12/xss-embedded-iframes.html

> http://en.wikipedia.org/wiki/Cross-site_scripting#Exploit_scenarios

> http://en.wikipedia.org/wiki/Browser_exploit

 

[Malicious JavaScript infects websites]

FYI...

Malicious JavaScript infects websites
- http://blog.trendmicro.com/malicious-javascript-infects-websites/
Dec. 31, 2009 - "Trend Micro threat analysts were alerted to the discovery of several compromised websites inserted with a JavaScript. The JavaScript is detected by Trend Micro as JS_AGENT.AOEQ. When executed, JS_AGENT.AOEQ uses a defer attribute, which enables it to delay executing its routine, that is, -redirecting- the user to several malicious websites. This is done so users will not suspect that they are already infected. In addition, this malicious JS is hosted on PHP servers. If a user visits an infected website, it will display a white screen... Upon analysis, it was observed that the code (found on most infected sites) begins with /*GNUGPL*/try{window.onload=function(){var or /*CODE1*/ try{window.onload = function(){va. According to the Unmask Parasites blog*, the cybercriminals behind this attack incorporated certain legitimate sites’ names such as Google, Bing, and WordPress, among others, in their code to appear as a legitimate URL..."
* http://blog.unmaskparasites.com/

 

[Browser -redirects- on the Web...]

FYI...

Browser -redirects- on the Web...
> http://boards.cexx.org/index.php?topic=17533.msg80261#msg80261
January 25, 2010 - "It has been a month since we added detection for Troj/JSRedir-AK* and figures generated today show that over 40% of all web-based detections have been from this malicious code. Translating the numbers into a more human comprehensible form: 1 site every 15 secs was being detected as Troj/JSRedir-AK... will redirect the web browser to other malicious websites..."

Q4 '09 web-based malware data and trends
> http://boards.cexx.org/index.php?topic=17533.msg80274#msg80274
January 26, 2010

 

[Safari v4.0.5]

FYI...

Safari v4.0.5...
- http://secunia.com/advisories/39670
Last Update: 2010-05-18
Criticality level: Highly critical
Solution Status: Unpatched...
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1939
CVSS v2 Base Score: 7.6 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1940
CVSS v2 Base Score: 4.3 (MEDIUM)

Firefox v3.6.3...
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1986
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1987
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1988 CVSS v2 Base Score: 10.0 (HIGH)
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1990
Last revised: 05/21/2010
- https://wiki.mozilla.org/Releases
Firefox 3.6.4 - June 1 ...

IE 6, 7, and 8
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1991
Last revised: 05/21/2010
CVSS v2 Base Score: 5.0 (MEDIUM)

 

[Browser security update tricks]

FYI...

Browser security update tricks
- http://www.symantec.com/connect/blogs/misleading-apps-push-browser-security-update-trick
04 Oct 2010 - "... attackers use social engineering techniques to scare users into purchasing a misleading application. This time around, we have come across a couple of websites that are using a slightly different trick to mislead users. In order to trick users, these websites used bogus pages that look similar to those presented by security features or technologies when one is about to visit a malicious page. However, it presented a “Download Updates!!” button, unlike Google’s “Get me out of here” button... Regardless of what browser is used, the user is presented with the same misleading dialog box that seemingly forces the download of Firefox and Chrome updates. This misleading dialog box keeps on popping up, even if the user clicks on cancel button... The downloaded executable turns out to be a variant of the infamous misleading application called Security Tool. Once executed, it displays exaggerated pop-ups in an attempt to scare users...  Unlike standard misleading application distribution websites, these sites don’t rely only on social engineering tricks to mislead users. If more savvy users don’t download the misleading application executable, then these websites will redirect users to a website that, in turn, further redirects to a malicious website that is hosting the infamous Phoenix exploit kit. Phoenix is an automated exploit kit that uses heavily obfuscated JavaScript code to evade security products... These exploit kits are used to deliver malware after exploiting a vulnerability, mostly those affecting Web browsers. If users don’t somehow fall victim to this latest browser update trick, then the attackers have the fall back of delivering misleading applications through these exploit kits..."
(Screenshots available at the URL above.)

- http://sunbeltblog.blogspot.com/2010/10/securitytool-rogue-begins-using-fake.html
October 07, 2010
- http://sunbeltblog.blogspot.com/2010/10/rogue-downloader-overlooks-ie-users.html
October 19, 2010
- http://www.f-secure.com/weblog/archives/00002051.html
October 20, 2010

 

[here]

FYI...

'Need to stay on top of these updates - hacks do. Bug fixes are "reverse engineered" within -hours- of their release, and hacker exploits go right into production:

60 second check for updates here.
___

Zombie infection kit - Success rates / Victim browser statistics:
- http://labs.m86security.com/wp-content/uploads/2010/10/zombie_browser.png
October 15th, 2010
- http://labs.m86security.com/2010/10/don%E2%80%99t-get-infected-by-zombies/
"... effectively used in many other exploit tool kits. Potential victims are forced to visit Zombie’s exploit page when their browser loads an IFrame placed on a compromised website. All of the vulnerabilities exploited by this kit have been patched... 15 percent... of ‘visitors’ were successfully exploited by the Zombie Infection Kit and made to download a malicious executable. Because Java vulnerabilities accounted for 60 percent of infections, a surprising nine percent of all visitors were infected just by having an old version of java installed..."
Zombie infection kit - Success rates / IE6,7,8 - Java - Adobe PDF reader - Flash
- http://labs.m86security.com/wp-content/uploads/2010/10/zombie_nexp.png

 

[Recent Browser updates]

FYI...

'Need to stay on top of these updates - hacks do... so should you. If you haven't updated recently, -now- would be the time.

Recent Browser updates:

60 second check for updates here.
___

Multiple IE 0-day vulnerabilities...

IE drive-by bug ... "FixIt" available ...
- http://boards.cexx.org/index.php?topic=11831.msg81895#msg81895
2011.01.12

IE/MHTML vuln ... "FixIt" available ...
- http://boards.cexx.org/index.php?topic=11831.msg81963#msg81963
2011.01.28
___

Use stats
- http://www.w3schools.com/browsers/browsers_stats.asp

 

[Factsheets By Browser - 2010]

FYI...

• Factsheets By Browser - 2010
- http://secunia.com/resources/factsheets/2010_browsers/

Other software:
- http://secunia.com/resources/factsheets/
Current Factsheets - 2010
• By Vendor
• By Windows Operating System

 

[Browser 'BITB' attack]

FYI...

Browser 'BITB' attack...
- http://www.darkreading.com/taxonomy/index/printarticle/id/229218608
Feb. 14, 2011 - "... spin-off of the proxy Trojan, keylogger, and man-in-the-browser (MITB) attack. The "boy-in-the-browser" (BITB) attack... targeting users visiting their banks, retailers, and even Google... spotted in the wild. BITB is basically a "dumbed-down" MITB in which the attacker infects a user with its Trojan, either via a drive-by download or by luring the user to click on an infected link on a site... Imperva's advisory on the attacks is here*."
* http://www.imperva.com/resources/adc/adc_advisories_Boy_in_the_Browser.html
Feb. 14, 2011 - "... Nine Latin American banks were targeted..."

 

[Malware authors target Google Chrome]

FYI...

Malware authors target Google Chrome
- http://www.zdnet.com/blog/bott/malware-authors-target-google-chrome/3162
April 21, 2011 - "... malware authors have begun preying on users of alternative browsers to push dangerous software, including Trojans and scareware. The problem is that most malware attacks aren’t triggered by exploits that target vulnerabilities in code. Instead, according to one recent study, “users are four times more likely to come into contact with social engineering tactics as opposed to a site serving up an exploit.” I found a perfect example yesterday, thanks to an alert from Silverlight developer Kevin Dente. He had typed in a simple set of search terms—Silverlight datagrid reorder columns—at Google.com, using the Google Chrome browser on Windows... The first page of Google search results included several perfectly good links, but the sixth result was booby trapped... That led to a basic social engineering attack, but this one has a twist. It was customized for Chrome. If you’ve ever seen a Google Chrome security warning, you’ll recognize the distinctive, blood-red background, which this malware author has duplicated very effectively... After the fake scan is complete, another dialog box comes up, warning that “Google Chrome recommends you to install proper software”... When I submitted it to VirusTotal.com*, only five of the 42 engines correctly identified it as a suspicious file..."
(Screenshots available at the URL above.)
* http://www.virustotal.com/file-scan/report.html?id=621583f75348fe4f9a97d44fc325a1283be3661774e50d6ac570433d23eeb22b-1303383008
File name: InstallInternetProtection_611.exe
Submission date: 2011-04-21 10:50:08 (UTC)
Result: 8/42 (19.0%)

 

[SpyEye targets Opera, Google Chrome]

FYI...

SpyEye targets Opera, Google Chrome...
- http://krebsonsecurity.com/2011/04/spyeye-targets-opera-google-chrome-users/
April 26, 2011 - "The latest version of the SpyEye trojan includes new capability specifically designed to steal sensitive data from Windows users surfing the Internet with the Google Chrome and Opera Web browsers*... Many people feel more secure using browsers like Chrome and Opera because they believe the browsers’ smaller market share makes them less of a target for cyber crooks. This latest SpyEye innovation is a good reminder that computer crooks are constantly looking for new ways to better monetize the resources they’ve already stolen..."
* http://krebsonsecurity.com/wp-content/uploads/2011/04/spychop.jpg

 

[WebGL - browser security flaw]

FYI...


WebGL - browser security flaw...
- http://www.cio.com/article/681749/WebGL_Hit_By_Hard_to_Fix_Browser_Security_Flaw
May 9, 2011 - "The WebGL graphics technology turned on by default in Firefox and Chrome poses a serious security risk*... WebGL will not, however, run reliably on an unknown number of graphics cards, including Intel's integrated graphics and most ATI chipsets... Disabling WebGL varies from browser to browser but in Firefox involves setting a required value to "false" using the about:config command."
* http://www.contextis.com/resources/blog/webgl/
"... enabled by -default- in Firefox 4 and Google Chrome, and can be turned on in the latest builds of Safari..." (Flowchart available at the contextis.com URL above.)
- http://www.theregister.co.uk/2011/05/11/chrome_firefox_security_threat/
"... In Firefox 4, type “about:config” (minus the quotes) into the address bar and set webgl.disabled to true. In Chrome, get to the command line of your operating system and add the --disable-webgl flag to the Chrome command. On a Windows machine, the command line would be "chrome.exe --disable-webgl".

> https://wiki.mozilla.org/Blocklisting/Blocked_Graphics_Drivers
___

WebGL Security Risks
- http://www.us-cert.gov/current/archive/2011/05/10/archive.html#web_users_warned_to_turn
May 10, 2011 - "... disable WebGL to help mitigate the risks..."

- http://www.h-online.com/security/news/item/WebGL-as-a-security-problem-1240567.html
10 May 2011
- http://www.h-online.com/security/news/item/WebGL-as-a-security-problem-1240567.html?view=zoom;zoom=2

 

[WebGL security risks - updated]

FYI...

WebGL security risks - updated
- http://www.contextis.com/resources/blog/webgl/faq/
11 May 2011 - "... we are releasing the following further information to aid in the understanding of the issues... in the longer term, Context believes that browser vendors should, by default, disable WebGL from within their web browsers. We would like to see functionality included that would allow users to opt-in for WebGL applications that they trust on a case by case basis... reported these issues and other vulnerabilities to the Mozilla Security group who has raised a number of internal bug reports regarding the issues that we have found, including issues that we have -not- publicly disclosed. They have also passed the information onto Google for Chrome. The Mozilla Security Group has been very receptive to the issues that we have raised and have been very responsive to our concerns."
(More detail at the contextis URL above.)

- https://www.us-cert.gov/current/archive/2011/05/10/archive.html#web_users_warned_to_turn
May 10, 2011 - "... disable WebGL to help mitigate the risks..."

   

[IE 0-day - all versions]

FYI...

IE 0-day - all versions... cookiejacking
- http://www.informationweek.com/news/security/vulnerabilities/229700031?printer_friendly=this-page
May 26, 2011 - "... All versions of Internet Explorer on all versions of Windows are affected by the 0-day vulnerability, and are thus susceptible to cookiejacking. As the name implies, the attack is similar to clickjacking attacks, which trick users into clicking on innocuous-looking graphics or videos, to trigger arbitrary code execution. Cookiejacking takes that type of attack one step further, adding the zero-day vulnerability and some trickery to steal any cookie from a user's PC... To be successful, however, the attack must incorporate two details. First, it needs to know the victim's Windows username, to find the correct path to where cookies are stored... Second, an attacker needs to know which Windows operating system their victim is using, as each one stores cookies in different locations. Browsers, however, typically reveal this information via their navigator.userAgent object..."

- http://blog.trendmicro.com/contrary-to-reports-cookiejacking-presents-a-major-risk/
May 27, 2011