Browsers under attack - archive
FYI... http://www.theregister.co.uk/2008/02..._exploitation/
15 February 2008 - "Cybercriminals are stepping up their efforts to exploit vulnerabilities in web browsers to spread malware using drive-by download techniques. Research by Google's anti-malware team on three million unique URLs on more than 180,000 websites automatically installed malware onto vulnerable PCs. Hackers are increasingly trying to trick search sites into pointing surfers onto maliciously constructed sites. More than one per cent of all search results contain at least one result that points to malicious content, Google reports*, adding that incidents of such attacks has grown steadily over recent months and continues to rise. Google's team also reports that two per cent of malicious websites are delivering malware via tainted banner ads. Israeli security firm Finjan has also observed a rise in the tactic over recent months, noting that many malicious ads are served from legitimate websites. A security report from IBM's X-Force division said cybercriminals are "stealing the identities and controlling the computers of consumers at a rate never before seen on the internet"..."
* http://googleonlinesecurity.blogspot...int-to-us.html
>>> (Keep things patched! Is your browser up-to-date?...)
Cumulative Security Update for Internet Explorer
- http://www.microsoft.com/technet/sec.../ms08-010.mspx
Firefox v2.0.0.12 released
- http://www.mozilla.com/firefox/
Opera v9.26 released
- http://www.opera.com/download/
Safari -not- recommended by PayPal
- http://preview.tinyurl.com/yr8d4z
February 27, 2008 (Computerworld) - "...Safari doesn't make PayPal's list of recommended browsers because it doesn't have two important anti-phishing security features, according to Michael Barrett, PayPal's chief information security officer. "Apple, unfortunately, is lagging behind what they need to do, to protect their customers," Barrett said in an interview. "Our recommendation at this point, to our customers, is use Internet Explorer 7 or 8 when it comes out, or Firefox 2 or Firefox 3, or indeed Opera." Safari is the default browser on Apple's Macintosh computers and the iPhone, but it is also available for the PC. Both Firefox and Opera run on the Mac. Unlike its competitors, Safari has no built-in phishing filter to warn users when they are visiting suspicious Web sites, Barrett said. Another problem is Safari's lack of support for another anti-phishing technology, called Extended Validation (EV) certificates. This is a secure Web browsing technology that turns the address bar green when the browser is visiting a legitimate Web site... Barrett says data compiled on PayPal's Web site show that the EV certificates -are- having an effect..."
* https://www.paypal-media.com/inthenews.cfm
:fear::spider:
MBR rootkits - multiple drive-by exploit sites...
FYI...
- http://www.f-secure.com/weblog/archives/00001393.html
March 3, 2008 - "...The MBR is the rootkit's launch point. Therefore it doesn't need to make any registry changes or to modify any existing startup executables in order to launch itself. This means that the only hooks it needs to make are used to hide and protect the modified MBR. Essentially this means that the rootkit hooks only two DWORDs from the disk.sys driver object... It is known that the rootkit's main purpose is to act as an ultimate downloader. To be stealthy and effective it is essential that the rootkit does not trigger nor is blocked by personal firewalls... During the weekend our Security Lab started to receive information about multiple drive-by exploit sites spreading the latest version... The actual site hosting the exploit code utilizes the following exploits:
Microsoft Data Access Components (MDAC) Function vulnerability (MS06-014)
AOL SuperBuddy ActiveX Control Code Execution vulnerability (CVE-2006-5820)
Online Media Technologies NCTsoft NCTAudioFile2 ActiveX Buffer Overflow (CVE-2007-0018)
GOM Player "GomWeb3" ActiveX Control Buffer Overflow (CVE-2007-5779)
Microsoft Internet Explorer WebViewFolderIcon setSlice (CVE-2006-3730)
Yahoo! JukeBox datagrid.dll AddButton() Buffer Overflow
DirectAnimation.PathControl KeyFrame vulnerability (CVE-2006-4777)
Microsoft DirectSpeechSynthesis Module Remote Buffer Overflow ...
The downloaded payloads seem to clearly target online banking and other financial systems. We detect the latest MBR rootkit variant as Backdoor.Win32.Sinowal.Y. The exploit site is currently resolving to an IP address of 216.245.195.114 and seems to still be active..."
(Screenshots available at the URL above.)
:fear::spider::fear:
ZDNet Asia - iFRAME redirects
FYI...
- http://www.f-secure.com/weblog/archives/00001396.html
March 5, 2008 - "ZDNet Asia is one of my bookmarked online resources that I frequently visit. The site is NOT compromised per se; rather, their site's search engine was abused by an attacker with queries of popular keywords. Leveraging on the fact that the site is, legitimate, and has high page ranks, the popular search engines are returning some of these 'iFRAME'ed results in the first few pages of the search results. And the objective? To get the unsuspecting user to click on the link... The last time we checked, 20,600 cached pages loading the iFRAME was found. Upon clicking on the malicious link, you get redirected to some Russian Business Network's IPs and RBN* is notoriously known for hosting not only malware but also rouge antivirus and antispyware applications. At the end of the redirects, the unsuspecting user might be a victim of a Zlob trojan. We detect it as Trojan-Downloader:W32/Zlob.HOG."
(Screenshot available at the URL above.)
* http://www.shadowserver.org/wiki/pmw...endar.20080301
:fear:
(Today's tally...) "101,000 Google search results..."
FYI...
- http://www.theregister.co.uk/2008/03..._piggybacking/
6 March 2008 - "Updated: Hackers have found a new way to get Google to point to malicious websites with the help of unwitting websites such as TorrentReactor, ZDNet Asia and several other CNET-owned properties. As a result, more than 101,000 Google search results that appeared to lead to pages of legitimate sites actually directed end users to sites that attempted to install malware... Almost 52,000 Google results contained such redirects for ZDNet Asia... There were almost 50,000 poisoned links for TV.com sites and a handful for News.com and MySimon.com..."
:fear::fear:
Hacks move from SMTP to HTTP to FTP...
FYI...
- http://www.f-secure.com/weblog/archives/00001398.html
March 7, 2008 - "A year or two ago, the malware author's preferred way of spreading their wares was via e-mail attachments. We all remember mass outbreaks like Bagle, Mydoom and Warezov. Well, sending EXE attachments in e-mail doesn't work anymore. Almost every organization is now dropping such risky attachments from their e-mail traffic. So virus writers have made a clear shift away from e-mail attachments to the Web: drive-by-downloads. This attack often still starts with an e-mail spam run; there's just no attachments in the e-mail anymore as it has been replaced by a web link. Some of these malicious web sites use exploits to infect you just by visiting a web page, others use compelling stories to fool you into downloading and running a program from the page. Many have missed this shift of attacks from e-mail to the web. There's a lot of companies measuring their risk of getting infected by looking at the amount of stopped attachments at their e-mail gateway. Those numbers are definitely going down, but the actual risk of getting infected probably isn't. Those organizations that are not scanning their web traffic for malware should seriously consider starting to do it, right now. However, virus writers are moving again. We're now seeing more and more malicious e-mails that link to malware — not via HTTP but via FTP links. Case in point, a fake Hallmark greeting card spam we saw today... the link takes you to an owned computer which has an FTP site setup on it. And when the executable is downloaded, it turns out to be a Zapchast mIRC-bot variant. Better make sure your gateway scanner is configured to scan FTP traffic as well..."
(Screenshots available at the URL above.)
:fear: