Monthly Archives: October 2011

Outdated Operating System? This BlackHole Exploit Kit has you in its sights

Posted on by

By Mike Johnson

Several weeks back, I was presented with a group of snapshots from an active BlackHole Exploit Kit 1.2 Control Panel.

As with other toolkits I’ve seen in the wild, this one has all the makings of some real bad medicine. The authors have yet again gone to the trouble of making this toolkit incredibly easy to use and widely available for a price. Just a little unsavory web hosting in a country with few or no diplomatic relations and off to the races they go.

It appears this toolkit is configurable in both Russian and English, making one wonder its true origins.

I’ve slowly tracked URLs accompanying this toolkit and watched it dish out some very widely undetected malware, such as:

Information Stealing/Banking Trojans:
SpyEye
Zeus
Carberp
Mebroot Rootkit

Another more popular rootkit we’re seeing very widely on the Webroot realtime watch is: vSirefef.B/Zero-Access.

BlackHole toolkit preys on only two items in a user’s machine:

1) Unpatched operating system exploits

2) Internet browsers, add-in and plugin exploits such as Adobe and Java Software

Here are some of the known exploits the kit can execute on a victim’s machines.

Windows Operating Systems:
CVE-2010-1885 HCP (Microsoft Windows Help and Support Center in Windows XP and Windows Server 2003)

http://technet.microsoft.com/en-us/security/bulletin/MS10-042

CVE-2006-0003 IE MDAC

http://technet.microsoft.com/en-us/security/bulletin/ms06-014

Adobe Software:
CVE-2008-2992 Adobe Reader util.printf
CVE-2009-0927 Adobe Reader Collab GetIcon
CVE-2007-5659 Adobe Reader CollectEmailInfo

Java Software:
CVE-2009-1671 Java buffer overflows in the Deployment Toolkit ActiveX control in deploytk.dll
CVE-2010-0840 Java trusted Methods Chaining Remote Code Execution Vulnerability
CVE-2010-0842 Java JRE MixerSequencer Invalid Array Index Remote Code Execution Vulnerability
CVE-2010-0886 Java Unspecified vulnerability in the Java Deployment Toolkit component in Oracle Java SE
CVE-2010-1423 Java argument injection vulnerability in the URI handler in Java NPAPI plugin

The basic view the bot controller has is of the statistics page, which should indicate why I listed some of the expoits this toolkit is using. Not surprisingly, for as young as the kit is, you can see that both the Java and Adobe softwares are exploited far more than any others.

I’m sure some think they are safe using a browser other than Internet Explorer but it appears from this image there isn’t alot of difference in how this toolkit has  behaved between the three browsers it’s touched.

As the authors have made this toolkit easy to use, they have also made it easy to maintain a low detection rate on the binaries by using an antivirus scanning service which does not share any binaries collected with the AV industry.

The easy-to-read statistics page make it simple for the controller to view and monitor how well or poor the current bot is doing – how many operating systems it’s infected, what type of operating systems were infected, and in which countries they’re located.

Continue reading

Awake at all hours during Cyber Security Awareness Month

Posted on by

By Jacques Erasmus

I’ve been having trouble sleeping lately, and last night I pinpointed why. October has presented me with a perfect storm of Internet security developments: I embarked on my first few weeks as chief information security officer for Webroot amidst the most significant consumer product launch the company has ever had.

These activities alone would’ve been enough to keep corporate security top of mind 24/7, but their occurrence during Cyber Security Awareness Month further drove it home for me. So I thought perhaps it may be cathartic for me, and helpful for you, if I shared some of the risk scenarios I’ve been thinking about, and best practices for protecting yourself and your organization from them.

Scenario One: Network-based infections.
Many organizations have solid standards for securing all of the desktop and laptop computers their employees use to locally and remotely access the corporate network. But all it takes is one contractor with an infected laptop to connect to the corporate network and expose sensitive corporate and customer information to malware. Think of it from a physical security aspect: like strangers in the building, you’d want to prevent rogue access points. The way we’re protecting ourselves at Webroot is by using our SecureAnywhere anti-malware technology to interface with network access control devices to ensure they’re clean before connecting to the network.

Scenario Two: Web app vulnerabilities.
SQL injections enable criminals to harvest passwords, bank account numbers and other personal information you may use for online transactions on seemingly safe sites. Man in the middle attacks — in which an attacker intercepts a communication between a customer and the server it’s intended to reach – are made possible by poor coding standards or poor input validation on web forms. Gaps like these enable injectors to change the fields where you enter your validation information in order to facilitate the heist. To the user, the site URL also may appear dodgy. Developers, it’s critical that you employ secure coding standards for web applications.

Scenario Three: Targeted Attacks.
This last scenario is more like a billion rolled into one; IT administrators as well as individual web users should have a healthy dose of concern about targeted attacks. Malware authors can customize Trojans for the specific environment they want to attack and the specific data they plan to steal, such as source code, financial information and customer data. 

Advanced persistent threats like this typically penetrate organizations via social engineering tactics like spoofed emails that are designed to look like they’re coming from a trusted source. Employees who receive one of these emails and do what the message asks them to do are unwittingly triggering an exploit; clicking a link or opening a PDF, flash or QuickTime file leads to a drive-by download.

Here’s a real-world example that will give you a good idea of why the targeted attack is the most dangerous risk scenario of them all:

Bank tellers at a financial institution we were working with received an email under the name of someone at the company they knew and trusted. The email claimed their CEO was going to appear on TV and they’d need to register for a certain website in order to view the show online at their desks. A few of the tellers clicked a link in the email and landed on a website which told them to install a tool to view videos.

 It turns out the tool the tellers installed was actually the SpyEye Trojan, and the criminal had done his homework. He knew this bank had an international wire transfer interface; he also knew that in order to use the bank’s wire transfer interface, you need to be inside the bank’s network to initiate the transfers, and you’d need to infect more than one teller because the bank uses dual control to enable a wire transfer. So infecting two employees was the ideal entry point.

While the tellers were working, the criminal created a second online session and made three very sizeable transfers to three remote geographies. And since the crime happened late on a Friday, the financial institution was unprepared to stop the transfers, ultimately losing thousands and thousands of dollars.

The good news is a number of measures can thwart this kind of attack:

IT administrators, keep in mind the easiest point of entry for a cybercriminal is your weakest link: Your employees. Educate your employees on spotting a fake.

Web users, if you’re online at work or at home and aren’t sure if the URL in a suspicious email is dangerous, check it out on whois.net or DomainTools.com. If you’re sending emails or transacting online outside of the office, make sure the sites you’re using are https websites. Otherwise your password can be sniffed on an unsecured network.

A look inside the SpyEye Trojan admin console

Posted on by

By Michael Johnson

At Webroot we’ve been researching and chronicling developments with SpyEye since we first saw it in April 2010. This nasty Trojan is the successor to the Zeus Trojan, and it became essentially the main rootkit available for sale after the author of ZeuS left the underground market and sold ZeuS sources to the SpyEye team.

Over the last six months, through Webroot’s real-time watch technology and through my own adventures hunting malware proactively in my spare time, I’ve noticed an extreme escalation of SpyEye infections.

Last week I came across a URL for a password-protected site and at first didn’t think very much of it. But once I logged in, I realized I was on the administrator’s page of a SpyEye Panel, with what appeared to be full access. The administration panel was so easy to run, a fifth grader could do it.

At first glance, there were about 3,000 bots with approximately 600 active at the moment I was looking. The site was moved four days later which at that point, the number of bots was quickly approaching 10,000.

Now some of this is started to make sense. The authors of SpyEye have made it so simple to operate and  in case of any trouble, apparently provide support promptly. Their selling points are working quite effectively and a lot of the wrong type of people are able to acquire the builders, Command and Control Servers for a small amount of money.

Taking a look at some of the screenshots, it doesn’t look very nice from any view.

Continue reading

Non-executable malicious files and code – Thre@t Reply

Posted on by

By Nathan Collier


.exe, PHP, HTML, and the list goes on. How many different kinds of files and code can potentially infect your PC? Webroot threat research analyst Nathan Collier explains a few of the the types of potentially dangerous files, other than the common executable (.exe) that can be found on a Windows PC and cause harm to it.

If you have a question you want answered by one of our threat experts send it to us! Comment below, tweets us (www.twitter.com/webroot), or email it to us (blog@webroot.com).

HTC acknowledges security flaw, plans update to fix

Posted on by

By Armando Orozco

A couple of days ago researchers for Android Police wrote about a security vulnerability in several HTC phones. The vulnerability lies with logging tools installed by HTC. These logging tools collect personal data like user accounts, email addresses, GPS info and SMS data. Having these tools logging users data is one thing but the fact that they are left unsecured and available to be exploited by a 3rd party app is a big blow to the device manufacturer. A 3rd party app would only need to request the INTERNET permission to gain access to the information collected by the tools. Why HTC has these tools in place hasn’t been answered, an answer they’ll have to provide to their customers at some point.

 
HTC’s public statement: “In our ongoing investigation into this recent claim, we have concluded that while this HTC software itself does no harm to customers data, there is a vulnerability that could potentially be exploited by a malicious third-party application. A third party malware app exploiting this or any other vulnerability would potentially be acting in violation of civil and criminal laws. So far, we have not learned of any customers being affected in this way and would like to prevent it by making sure all customers are aware of this potential vulnerability.”

 

The update will be sent over-the-air and users will receive a notification to install. No word on when the update will be available.

 
We all have a role to play in keeping our computing secure, but developers have a key role in that they need to ensure their applications are secure when it comes to customer’s data. This happens a lot, most recently with Skype, hopefully with more and more big name vendors being called out we’ll see developers tighten up their code.

 

Affected phones

EVO 4G

EVO 3D

Thunderbolt

EVO Sensation

MyTouch 4G slide