by Dancho Danchev
How would you convert Facebook users into slaves participating in clickjacking and likejackings scams, next to using them to spamvertise your latest event promotion message?
Presumably by using one of the clickjacking/likejacking distribution platforms promising 100 slaves per day that I will profile in this post.
by Dancho Danchev
Malicious attackers quickly adapt to emerging trends, and therefore constantly produce new malicious releases. One of these recently released underground tools, is the PickPocket Botnet, a web-based command and control interface for controlling a botnet.
Let’s review its core features, and find out just how easy it is to purchase it within the cybercrime ecosystem.
by Dancho Danchev
Security researchers from the Internet Storm Center, have intercepted a currently ongoing SQL injection attack, that has already affected over 200,000 URLs.
The attack was originally detected in early December, 2011. It currently affects ASP sites and Coldfusion, as well as all versions of MSSQL.
Notice someone new on the Webroot Threat Blog? We’re thrilled to introduce Dancho Danchev – independent security consultant, cyber threat analyst and bad-guy chaser extraordinaire – as our new security blogger. Many of you may know Dancho from the security analysis he’s been providing for industry media and on his own blog and since 2007.
We’ve started off the new year on an exciting foot, bringing Dancho on board to chronicle what Webroot is seeing in the cybercrime ecosystem and his insights on the Internet security industry at large. So, stay tuned — and welcome, Dancho.
By Armando Orozco
Are Android phones susceptible to Trojans and other viruses just like computer? How can you make sure your phone doesn’t become infected and if it does, what can you do? Webroot mobile threat research analyst, Armando Orozco answers this question that was asked to our Webroot Threat Research team via Twitter.
By the Webroot Threat Team
Have you ever had the queasy experience of sending a message to someone that you’d rather not have anyone else see, and then hoping that it won’t get passed along? A new system developed by Internet law and security researchers aims to solve the problem, with a light-handed touch.
The Stanford Center for Internet and Society has launched Privicons, an email privacy tool that it describes as a ‘user-to-user’ solution. There are no policy servers, crypto algorithms, or software enforcement agents to worry about. Instead, it relies on good old-fashioned icons.
Webmail users who install the Privicons plugin can choose from a selection of icons that are then pasted into their mail. Each of the icons represents a specific request concerning how the information in the mail is treated. The icons are as follows:
 |
’Keep private’: Don’t pass on the information, or identify the sender. |
 |
’Keep anonymous’: Use the information freely, but don’t tell anyone who sent it to you. |
 |
’Don’t print’: This can be for environmental or security reasons. |
 |
’Delete after reading/X days’: Delete the information to avoid it falling into the wrong hands. |
 |
’Keep internal’: Keep it among a close circle of people. |
 |
’Please share’: Distribute freely. |
By Jacques Erasmus
This time of year, those of us in information security become wary of crafty criminals leveraging the winter holidays to prey on our employees’ lack of awareness online in a number of ways. All it takes is for one Trojan to infect a single PC in a company to put an entire infrastructure at risk.
Everyone plays a role in protecting the assets and information of their organization. To help explain what this means for you as an IT manager, an employee or even a home user, we have developed a two-part primer on common threats you may encounter on a daily basis that might pose a risk to you or your company’s infrastructure.
We begin today with part one: Web-based attacks.
From a security awareness point of view, these threats are much harder to spot due to the manner in which they operate. However, this discussion will help you better understand how they work and to know when these attacks take place.
Below is a picture of what the common workflow is for a web-based threat. In the last few years, exploit frameworks have exploded onto the scene as the de-facto way to accumulate many users in a short period of time. The diagram below tries to detail the basic workflow of these to improve your understanding of how you might get infected.
In this example, a user might be using Search to find information on a hot topic such as the iPhone 4S and browse to a website that is totally legitimate. The website, however, might be compromised by a hacker exploiting an outdated or vulnerable version of some package the site is leveraging — let’s use WordPress as an example. A botnet may be used to crawl Search data and popular terms to find websites running vulnerable versions of WordPress. If a blog or website is found that meets this criteria, an IFrame will be injected into the site pointing to the hacker’s exploit server. When you browse to this website, your browser loads the content of the IFrame which, in the background, creates a session to the exploit framework that will in turn try to infect you while you are on a website you assume is safe.
Then, the exploit server, or ‘framework’ in this case, looks for out-of-date versions of popular third party applications such as Adobe Acrobat, Adobe Flash, Quicktime, Media Player, Java (JRE), Webex and a myriad of other applications that may be running on your machine. Third party applications are now a massive vector for attack — in my opinion, bigger than Windows operating system exploits.
How do companies protect against this?
The first step is ensuring that all systems are patched — not just Windows and Office applications updates, but also the auxiliary apps that run on your desktops and laptops. IT departments need to perform regular and rigorous patching.
But that’s not all. Cases exist where a patch does not exist for a particular vulnerability. To circumvent this, IT admins should implement a layered defense system where protection is running on the desktop and layered defenses on the gateway to filter these attacks. Additional monitoring to correlate network forensics into our array of tools to detect these exploits and attacks is also a good idea.
As an employee, the important thing to remember is to be vigilant and report anything suspicious to your IT department. The more disciplined you are on what to look for in a scam, the less potential there is for a company-wide breach of security.
Please stay tuned for part two of this awareness series: email-borne threats.
As a follow-up to the Blackhole Exploit posting, I thought I would share one aspect of my job that I truely enjoy: Discovery.
While investigating some active urls being served up via a blackhole kit, I noticed something quite odd, as I would end up on sites that had malicious code injected into their webpages.
Once the redirection to the blackhole kit was initiated, I saw the usual exploits taking place, first being Internet Explorer and Adobe Flash, then onto Adobe Reader and Java.
This time, the kit didn’t stop there. Internet Explorer proceeded to launch Windows Media Player. Since I had never used it on this test machine, the Windows Media Player install sequence initiated, causing the windows media player setup screen to appear in order to finalize its installation.
I became curious as to what Windows Media Player is being used for. Unfortunately in this case, I couldn’t see where any files were called down to the machine and did not have any type of network analyzer running.
By the Webroot Threat Team
It’s a creepy treat, with a serious underlying message. The latest viral website uses a horror movie format to show you just how much the average Facebook application can find out about you.
TakeThisLollipop, which has already received 1.7 million ‘Likes’ on Facebook, uses the social network’s application authentication scheme to find out about users.
Anyone clicking on the lollipop displayed on the site is asked to let the application access a panoply of information about them from Facebook, in addition to other privileges, such as posting as them. If they accept, they get to see the application’s payload: a video in which an unhinged man views their Facebook account, growing increasingly distressed as he looks at their pictures, wall posts, and friends’ status updates.
The whole thing is incredibly well done. It ends with the disturbed Facebook stalker driving towards your location (you knew that Facebook stored your hometown location, right?) and getting out of the car in a menacing fashion. Taped to his dashboard is a Polaroid, containing your profile picture. Chilling stuff.
What is even more chilling is the fact that this website is able to harvest so much information about you after you click the ‘Allow’ button in the dialogue box that it throws up. What else have you allowed access to, and how much do these applications know about you?
There is an even more important question: who is writing these Facebook apps, that harvest your most intimate personal and social data? There are seven million web sites and applications integrated with Facebook, many of which request privileged access to your account data before they will give you what the developers promise. Most people blindly allow these applications access, without thinking about where the information might be going.
It takes almost no effort to become a Facebook developer. The company introduced some basic developer verification procedures last year, such as providing a credit card number, or a mobile phone number. But of course, we know how many credit cards are stolen each year, don’t we? And how many mobile phones are stolen or cloned each week?
Websites Hosting Android Trojans
By Armando Orozco and Nathan Collier
Rogue Android apps are making their way into alternative markets. Yes, we’ve seen some malicious apps trickle through and they can be elusive. But we’re now seeing markets that are only hosting malware. These rogues are of the premium rate SMS variety and request the user to send a bounty if they want the app. The interesting thing is that the websites they’re hosted on are very well put together and you can see that a great deal of time was put into creating them.
The Websites
Click for Full Size
These well-crafted websites follow a similar layout; they have device reviews, app descriptions with screenshots, QR Codes and FAQs. So far, we’ve only found these websites aimed at Russian users, with the web pages written in Russian. The descriptions are similar to those in the Android Market and the screenshots appear to be taken from the market. We are discovering that this network of SMS Trojans is fairly large. Continue reading
