Tag Archives: exploit

Everyone has a role in protecting a corporate infrastructure (Part 1)

Posted on by

By Jacques Erasmus

This time of year, those of us in information security become wary of crafty criminals leveraging the winter holidays to prey on our employees’ lack of awareness online in a number of ways. All it takes is for one Trojan to infect a single PC in a company to put an entire infrastructure at risk.

Everyone plays a role in protecting the assets and information of their organization. To help explain what this means for you as an IT manager, an employee or even a home user, we have developed a two-part primer on common threats you may encounter on a daily basis that might pose a risk to you or your company’s infrastructure.

We begin today with part one: Web-based attacks.

From a security awareness point of view, these threats are much harder to spot due to the manner in which they operate. However, this discussion will help you better understand how they work and to know when these attacks take place.

Below is a picture of what the common workflow is for a web-based threat. In the last few years, exploit frameworks have exploded onto the scene as the de-facto way to accumulate many users in a short period of time. The diagram below tries to detail the basic workflow of these to improve your understanding of how you might get infected.


In this example, a user might be using Search to find information on a hot topic such as the iPhone 4S and browse to a website that is totally legitimate. The website, however, might be compromised by a hacker exploiting an outdated or vulnerable version of some package the site is leveraging — let’s use WordPress as an example. A botnet may be used to crawl Search data and popular terms to find websites running vulnerable versions of WordPress. If a blog or website is found that meets this criteria, an IFrame will be injected into the site pointing to the hacker’s exploit server. When you browse to this website, your browser loads the content of the IFrame which, in the background, creates a session to the exploit framework that will in turn try to infect you while you are on a website you assume is safe.

Then, the exploit server, or ‘framework’ in this case, looks for out-of-date versions of popular third party applications such as Adobe Acrobat, Adobe Flash, Quicktime, Media Player, Java (JRE), Webex and a myriad of other applications that may be running on your machine. Third party applications are now a massive vector for attack — in my opinion, bigger than Windows operating system exploits.

How do companies protect against this?

The first step is ensuring that all systems are patched — not just Windows and Office applications updates, but also the auxiliary apps that run on your desktops and laptops. IT departments need to perform regular and rigorous patching.

But that’s not all. Cases exist where a patch does not exist for a particular vulnerability. To circumvent this, IT admins should implement a layered defense system where protection is running on the desktop and layered defenses on the gateway to filter these attacks. Additional monitoring to correlate network forensics into our array of tools to detect these exploits and attacks is also a good idea.

As an employee, the important thing to remember is to be vigilant and report anything suspicious to your IT department. The more disciplined you are on what to look for in a scam, the less potential there is for a company-wide breach of security.

Please stay tuned for part two of this awareness series: email-borne threats.

Outdated Operating System? This BlackHole Exploit Kit has you in its sights

Posted on by

By Mike Johnson

Several weeks back, I was presented with a group of snapshots from an active BlackHole Exploit Kit 1.2 Control Panel.

As with other toolkits I’ve seen in the wild, this one has all the makings of some real bad medicine. The authors have yet again gone to the trouble of making this toolkit incredibly easy to use and widely available for a price. Just a little unsavory web hosting in a country with few or no diplomatic relations and off to the races they go.

It appears this toolkit is configurable in both Russian and English, making one wonder its true origins.

I’ve slowly tracked URLs accompanying this toolkit and watched it dish out some very widely undetected malware, such as:

Information Stealing/Banking Trojans:
SpyEye
Zeus
Carberp
Mebroot Rootkit

Another more popular rootkit we’re seeing very widely on the Webroot realtime watch is: vSirefef.B/Zero-Access.

BlackHole toolkit preys on only two items in a user’s machine:

1) Unpatched operating system exploits

2) Internet browsers, add-in and plugin exploits such as Adobe and Java Software

Here are some of the known exploits the kit can execute on a victim’s machines.

Windows Operating Systems:
CVE-2010-1885 HCP (Microsoft Windows Help and Support Center in Windows XP and Windows Server 2003)

http://technet.microsoft.com/en-us/security/bulletin/MS10-042

CVE-2006-0003 IE MDAC

http://technet.microsoft.com/en-us/security/bulletin/ms06-014
Adobe Software:
CVE-2008-2992 Adobe Reader util.printf
CVE-2009-0927 Adobe Reader Collab GetIcon
CVE-2007-5659 Adobe Reader CollectEmailInfo

Java Software:
CVE-2009-1671 Java buffer overflows in the Deployment Toolkit ActiveX control in deploytk.dll
CVE-2010-0840 Java trusted Methods Chaining Remote Code Execution Vulnerability
CVE-2010-0842 Java JRE MixerSequencer Invalid Array Index Remote Code Execution Vulnerability
CVE-2010-0886 Java Unspecified vulnerability in the Java Deployment Toolkit component in Oracle Java SE
CVE-2010-1423 Java argument injection vulnerability in the URI handler in Java NPAPI plugin

The basic view the bot controller has is of the statistics page, which should indicate why I listed some of the expoits this toolkit is using. Not surprisingly, for as young as the kit is, you can see that both the Java and Adobe softwares are exploited far more than any others.

I’m sure some think they are safe using a browser other than Internet Explorer but it appears from this image there isn’t alot of difference in how this toolkit has  behaved between the three browsers it’s touched.

As the authors have made this toolkit easy to use, they have also made it easy to maintain a low detection rate on the binaries by using an antivirus scanning service which does not share any binaries collected with the AV industry.

The easy-to-read statistics page make it simple for the controller to view and monitor how well or poor the current bot is doing – how many operating systems it’s infected, what type of operating systems were infected, and in which countries they’re located.

Continue reading

HTC acknowledges security flaw, plans update to fix

Posted on by

By Armando Orozco

A couple of days ago researchers for Android Police wrote about a security vulnerability in several HTC phones. The vulnerability lies with logging tools installed by HTC. These logging tools collect personal data like user accounts, email addresses, GPS info and SMS data. Having these tools logging users data is one thing but the fact that they are left unsecured and available to be exploited by a 3rd party app is a big blow to the device manufacturer. A 3rd party app would only need to request the INTERNET permission to gain access to the information collected by the tools. Why HTC has these tools in place hasn’t been answered, an answer they’ll have to provide to their customers at some point.

 
HTC’s public statement: “In our ongoing investigation into this recent claim, we have concluded that while this HTC software itself does no harm to customers data, there is a vulnerability that could potentially be exploited by a malicious third-party application. A third party malware app exploiting this or any other vulnerability would potentially be acting in violation of civil and criminal laws. So far, we have not learned of any customers being affected in this way and would like to prevent it by making sure all customers are aware of this potential vulnerability.”

 

The update will be sent over-the-air and users will receive a notification to install. No word on when the update will be available.

 
We all have a role to play in keeping our computing secure, but developers have a key role in that they need to ensure their applications are secure when it comes to customer’s data. This happens a lot, most recently with Skype, hopefully with more and more big name vendors being called out we’ll see developers tighten up their code.

 

Affected phones

EVO 4G

EVO 3D

Thunderbolt

EVO Sensation

MyTouch 4G slide