Page 1 of 7 12345 ... LastLast
Results 1 to 10 of 61

Thread: Browsers under attack - archive

  1. #1
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation Browsers under attack - archive

    FYI... http://www.theregister.co.uk/2008/02..._exploitation/
    15 February 2008 - "Cybercriminals are stepping up their efforts to exploit vulnerabilities in web browsers to spread malware using drive-by download techniques. Research by Google's anti-malware team on three million unique URLs on more than 180,000 websites automatically installed malware onto vulnerable PCs. Hackers are increasingly trying to trick search sites into pointing surfers onto maliciously constructed sites. More than one per cent of all search results contain at least one result that points to malicious content, Google reports*, adding that incidents of such attacks has grown steadily over recent months and continues to rise. Google's team also reports that two per cent of malicious websites are delivering malware via tainted banner ads. Israeli security firm Finjan has also observed a rise in the tactic over recent months, noting that many malicious ads are served from legitimate websites. A security report from IBM's X-Force division said cybercriminals are "stealing the identities and controlling the computers of consumers at a rate never before seen on the internet"..."
    * http://googleonlinesecurity.blogspot...int-to-us.html

    >>> (Keep things patched! Is your browser up-to-date?...)

    Cumulative Security Update for Internet Explorer
    - http://www.microsoft.com/technet/sec.../ms08-010.mspx

    Firefox v2.0.0.12 released
    - http://www.mozilla.com/firefox/

    Opera v9.26 released
    - http://www.opera.com/download/

    Safari -not- recommended by PayPal
    - http://preview.tinyurl.com/yr8d4z
    February 27, 2008 (Computerworld) - "...Safari doesn't make PayPal's list of recommended browsers because it doesn't have two important anti-phishing security features, according to Michael Barrett, PayPal's chief information security officer. "Apple, unfortunately, is lagging behind what they need to do, to protect their customers," Barrett said in an interview. "Our recommendation at this point, to our customers, is use Internet Explorer 7 or 8 when it comes out, or Firefox 2 or Firefox 3, or indeed Opera." Safari is the default browser on Apple's Macintosh computers and the iPhone, but it is also available for the PC. Both Firefox and Opera run on the Mac. Unlike its competitors, Safari has no built-in phishing filter to warn users when they are visiting suspicious Web sites, Barrett said. Another problem is Safari's lack of support for another anti-phishing technology, called Extended Validation (EV) certificates. This is a secure Web browsing technology that turns the address bar green when the browser is visiting a legitimate Web site... Barrett says data compiled on PayPal's Web site show that the EV certificates -are- having an effect..."
    * https://www.paypal-media.com/inthenews.cfm

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #2
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation

    FYI..

    - http://www.secprodonline.com/articles/58887/
    February 28, 2008 - "...Hacking continues to evolve in sophistication and the Web browser now presents an opening for sensitive information to be stolen by increasingly simple methods. This includes basic coding that allows malicious Web sites to automatically steal sensitive information from visitors. Commonly associated with "seedy" Web sites ("warez," gambling and pornography), the threat of browser-based attacks has expanded to more "acceptable" sites that might include social networking, religious organization and university sites. Further complicating the issue is the high demand for browser functionality that often outweighs the demand for security. Many well-known and useful technologies that are integrated with current browser environments, including Flash, ActiveX, QuickTime, Java and JavaScript, each pose a potential attack vector into the enterprise. Other vulnerabilities include how browsers themselves handle particular pieces of code, such as iFrames, whose weaknesses have been known to cause massive incidents in enterprises when exploited... To help thwart browser-based security threats, IT security professionals increasingly are focusing resources and attention at better protecting the Web browser through hardy URL filtering solutions. These Web content filtering solutions block sites that are not related to business activities, greatly reducing the risk of browser-related infections. However, simple filtering methods will not completely eliminate the malware danger. More sophisticated solutions, such as anti-malware, automated code filtering and botnet detection, are currently being added to Web filtering technologies in an effort to thwart complex browser-related attacks."

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  3. #3
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation

    FYI...

    - http://blog.trendmicro.com/arsenal-f...erves-malware/
    February 28, 2008 - "Sports fan sites being compromised by malicious authors is not unheard of. We’ve seen it happen to a Jets fan site in early January this year, and we’re seeing it again in another fan site – this time of Arsenal, a popular English soccer team. The compromised Web site in this case is Onlinegooner.com, which was reported by ScanSafe OI to be “maliciously active.” STAT* confirmed that the fan site had been injected with malicious code..."
    * http://preview.tinyurl.com/ytkm9m
    February 22, 2008 (Scansafe blog) - "...STAT discovered the site had been the victim of a code injection compromise. Visitors to the site are subjected to exploits which lead to the initial download of malware ...(hosted in Thailand). That malware then attempts to download additional malicious files ...(hosted in Hong Kong) and ...(another, hosted in Moscow, Russia). Installed malware includes a kernel-mode rootkit, keylogger, backdoor, and a DNS client used for ARP poisoning and DNS spoofing (Man-in-the-Middle attacks). Capabilities of the DNS client include intercepting, interpreting and rerouting of MX (email), NS (specifies authoritative nameservers), A (resolves hostnames to IP address), CNAME (resolves multiple hostnames to a single IP), and PTR (reverse lookups). Detection among traditional antivirus vendors is extremely low with only 8/31 scanners detecting the initially downloaded malware and 4/31 scanners detecting the maliciously installed DNS client used in the man-in-the-middle attacks. The attack itself is silent thus visitors to the site who have been impacted will unlikely be aware that some pretty severe malware has just been foisted onto their system..."

    Leading nominee for "Worst 'drive-by download' of the Year"...

    Last edited by AplusWebMaster; 2008-02-29 at 22:57.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  4. #4
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation MBR rootkits - multiple drive-by exploit sites...

    FYI...

    - http://www.f-secure.com/weblog/archives/00001393.html
    March 3, 2008 - "...The MBR is the rootkit's launch point. Therefore it doesn't need to make any registry changes or to modify any existing startup executables in order to launch itself. This means that the only hooks it needs to make are used to hide and protect the modified MBR. Essentially this means that the rootkit hooks only two DWORDs from the disk.sys driver object... It is known that the rootkit's main purpose is to act as an ultimate downloader. To be stealthy and effective it is essential that the rootkit does not trigger nor is blocked by personal firewalls... During the weekend our Security Lab started to receive information about multiple drive-by exploit sites spreading the latest version... The actual site hosting the exploit code utilizes the following exploits:
    Microsoft Data Access Components (MDAC) Function vulnerability (MS06-014)
    AOL SuperBuddy ActiveX Control Code Execution vulnerability (CVE-2006-5820)
    Online Media Technologies NCTsoft NCTAudioFile2 ActiveX Buffer Overflow (CVE-2007-0018)
    GOM Player "GomWeb3" ActiveX Control Buffer Overflow (CVE-2007-5779)
    Microsoft Internet Explorer WebViewFolderIcon setSlice (CVE-2006-3730)
    Yahoo! JukeBox datagrid.dll AddButton() Buffer Overflow
    DirectAnimation.PathControl KeyFrame vulnerability (CVE-2006-4777)
    Microsoft DirectSpeechSynthesis Module Remote Buffer Overflow ...
    The downloaded payloads seem to clearly target online banking and other financial systems. We detect the latest MBR rootkit variant as Backdoor.Win32.Sinowal.Y. The exploit site is currently resolving to an IP address of 216.245.195.114 and seems to still be active..."

    (Screenshots available at the URL above.)

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  5. #5
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Unhappy

    FYI...

    Google - scope of drive-by malware is 'significant'
    - http://preview.tinyurl.com/2ks9cw
    03/03/2008 (Network World) - "How ironic that Google allows you to initiate a Web search by clicking on a button labeled "I'm Feeling Lucky." The button is supposed to take you to the first Web site that turns up in your search. Instead, it just might take you to malware hell. In a preliminary report issued by Google in early February (see All Your iFrames Point to Us in the Google blog*), researchers reveal the depth of the worldwide malware problem and conclude “the scope of the problem is significant”... Not long ago, wide-scale attacks that took aim at overwhelming computing resources were the preferred game plan. Such attacks use a “push” model. As network tools got better at defending against denial-of-service attacks, the bad guys adopted a “pull” model that has users inadvertently downloading unwanted payloads... For example, clicking on a link to an e-card that turns out to be bogus. The second, more ominous method is to automatically deliver the payload when the user lands on a compromised Web page. Worst of all is that landing on a malicious site is often completely out of the hands of the Web surfer, as he may actually be taken there without his knowledge... Seemingly benign Web sites – perhaps the kind that you visit everyday for work or pleasure – have the ability to deliver dangerous malware payloads. Suddenly, I don’t feel so lucky anymore..."
    * http://googleonlinesecurity.blogspot...int-to-us.html

    Last edited by AplusWebMaster; 2008-03-04 at 01:22.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  6. #6
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation ZDNet Asia - iFRAME redirects

    FYI...

    - http://www.f-secure.com/weblog/archives/00001396.html
    March 5, 2008 - "ZDNet Asia is one of my bookmarked online resources that I frequently visit. The site is NOT compromised per se; rather, their site's search engine was abused by an attacker with queries of popular keywords. Leveraging on the fact that the site is, legitimate, and has high page ranks, the popular search engines are returning some of these 'iFRAME'ed results in the first few pages of the search results. And the objective? To get the unsuspecting user to click on the link... The last time we checked, 20,600 cached pages loading the iFRAME was found. Upon clicking on the malicious link, you get redirected to some Russian Business Network's IPs and RBN* is notoriously known for hosting not only malware but also rouge antivirus and antispyware applications. At the end of the redirects, the unsuspecting user might be a victim of a Zlob trojan. We detect it as Trojan-Downloader:W32/Zlob.HOG."
    (Screenshot available at the URL above.)

    * http://www.shadowserver.org/wiki/pmw...endar.20080301

    Last edited by AplusWebMaster; 2008-03-05 at 14:49.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  7. #7
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation (Today's tally...) "101,000 Google search results..."

    FYI...

    - http://www.theregister.co.uk/2008/03..._piggybacking/
    6 March 2008 - "Updated: Hackers have found a new way to get Google to point to malicious websites with the help of unwitting websites such as TorrentReactor, ZDNet Asia and several other CNET-owned properties. As a result, more than 101,000 Google search results that appeared to lead to pages of legitimate sites actually directed end users to sites that attempted to install malware... Almost 52,000 Google results contained such redirects for ZDNet Asia... There were almost 50,000 poisoned links for TV.com sites and a handful for News.com and MySimon.com..."

    Last edited by AplusWebMaster; 2008-03-07 at 02:08.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  8. #8
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Post

    FYI...

    - http://www.securitypark.co.uk/securi...8&Categoryid=1
    March 7, 2008 - "Today, e-crime is the domain of organised gangs, often from eastern Europe or China. They have just one motive. Now it’s all about making money. The main targets of today’s hackers are e-commerce web sites and the customer databases behind them. Databases that hold credit card numbers, expiry dates, PINs, addresses, and everything else that’s needed to empty a victim’s bank account. Their operations are so slick that stolen data is exploited within seconds of it being submitted by unwitting victims. The big growth area in e-commerce right now is in the use of web-based applications to replace traditional over-the-counter or telephone-based transactions. Hackers have, understandably, latched onto this. According to Gartner, 75% of security breaches are due to flaws in software. Primarily because those applications have been put together as quickly as possible in order to get a working system out there, without due regard being given to the security implications. As the hackers continually attempt to up their game, the securities and futures industry in the US recorded, in 2007, a 150% annual increase in the amount of suspicious activity detected on its systems... To assist developers in ensuring that they write secure applications, various companies produce automatic software solutions that can help. These include code analysers that automatically scan source code for possible security issues. Others sit between web browser and server on your development network, analysing data flows and highlighting any potential problems, such as an opportunity for a hacker to redirect a web form to their own site. The internet is here to stay, as is internet crime..."
    Last edited by AplusWebMaster; 2008-03-07 at 17:44.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  9. #9
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Post Hacks move from SMTP to HTTP to FTP...

    FYI...

    - http://www.f-secure.com/weblog/archives/00001398.html
    March 7, 2008 - "A year or two ago, the malware author's preferred way of spreading their wares was via e-mail attachments. We all remember mass outbreaks like Bagle, Mydoom and Warezov. Well, sending EXE attachments in e-mail doesn't work anymore. Almost every organization is now dropping such risky attachments from their e-mail traffic. So virus writers have made a clear shift away from e-mail attachments to the Web: drive-by-downloads. This attack often still starts with an e-mail spam run; there's just no attachments in the e-mail anymore as it has been replaced by a web link. Some of these malicious web sites use exploits to infect you just by visiting a web page, others use compelling stories to fool you into downloading and running a program from the page. Many have missed this shift of attacks from e-mail to the web. There's a lot of companies measuring their risk of getting infected by looking at the amount of stopped attachments at their e-mail gateway. Those numbers are definitely going down, but the actual risk of getting infected probably isn't. Those organizations that are not scanning their web traffic for malware should seriously consider starting to do it, right now. However, virus writers are moving again. We're now seeing more and more malicious e-mails that link to malware — not via HTTP but via FTP links. Case in point, a fake Hallmark greeting card spam we saw today... the link takes you to an owned computer which has an FTP site setup on it. And when the executable is downloaded, it turns out to be a Zapchast mIRC-bot variant. Better make sure your gateway scanner is configured to scan FTP traffic as well..."

    (Screenshots available at the URL above.)

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  10. #10
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Post

    Another option...

    - http://www.secureworks.com/research/...hp/2008/03/07/
    March 7, 2008 - "...The modern web browser is an incredible, complicated piece of software with a large attack surface. Throw on some third party software like ActiveX controls (most of which are chock full of buffer overflows) and you have a hacker’s playground. To make matters worse, all modern day browsers contain JavaScript interpreters which give attackers the ability to obfuscate their attacks in an infinite number of ways. Luckily there is a method for users to fight back against the majority of these JavaScript- based attacks: No Script (Firefox) and Trusted Sites (Internet Explorer). These methods take the same approach to security: Enumerating the good. Instead of playing whack-a-mole with all the new type of attacks that appear you allow the list of sites where JavaScript is allowed to come from.
    To do this with Internet Explorer you must first disable active scripting for web sites in the “Internet” zone and then add trusted commonly access pages to the “Trusted Sites” zone. This change can be done through Active Directory and pushed out to all computers in your organization.
    To achieve the same effect in Firefox you must install the No Script extension. By default this plug-in will block all JavaScript, java and flash (no more flash ads) content. You can then enable this content on a per page basis or import a list of trusted sites. By using either one of these methods you will be able to block the vast majority of browser-based attacks."

    NoScript: http://noscript.net/

    Using group policy to manage the list of trusted sites: http://support.microsoft.com/kb/816703
    Last edited by AplusWebMaster; 2008-03-08 at 20:25.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •