January 16th, 2008 by Paul Ferguson (Advanced Threats Researcher)
Earlier this month, you may recall that there were several reports of a large-scale compromise of thousands of Web pages (some search results indicate upwards of ~100,000 pages) via a mass SQL injection attack, which inserted malicious JavaScript that redirected visitors to malware. These Web pages included those belonging to Fortune 500 corporations, state government agencies, and schools.
Today, we see yet another example that it is not only small or isolated Web sites that are affected (or targeted), but also popular trade-press Web sites with a very large readership. We were alerted to the fact that BusinessWeek was also compromised in a similar fashion: the identical malicious JavaScript has been surreptitiously inserted into at least one page on its website.

This is just an illustration of how serious this problem really is — Web site administrators must do a much, much better job to ensure that their Web sites are secure. Otherwise, they run the risk of unwittingly exposing their readers to serious malicious threats that could result in personal financial loss, identity theft, or worse.
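To make the "do a better job" point concrete, here is an added illustration that is not part of Ferguson's post or of any Trend Micro tooling. It uses an in-memory SQLite table standing in for a CMS backend (constructed sample rows, with a made-up script host `example.invalid`) and shows two things: the difference between building SQL by string concatenation and using a parameterised query, and a simple audit that flags stored page content loading scripts from hosts the site does not recognise, which is the kind of check that would have surfaced the injected redirect described above. The table, column names and trusted-host list are assumptions for the demo.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data: a tiny 'articles' table standing in for a CMS backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO articles (title, body) VALUES (?, ?)",
        [
            ("Quarterly results", "<p>Revenue rose 4%.</p>"),
            # Second row mimics a page whose body has had a foreign script tag appended.
            ("Storm botnet",
             '<p>Analysis of WORM_NUWAR.</p><script src="http://example.invalid/x.js"></script>'),
        ],
    )
    return conn


def find_article_vulnerable(conn, title):
    """Anti-pattern: the caller's input becomes part of the SQL text itself."""
    sql = "SELECT id FROM articles WHERE title = '" + title + "'"
    return [row[0] for row in conn.execute(sql)]


def find_article_safe(conn, title):
    """Parameterised query: the driver passes 'title' as data, never as SQL."""
    rows = conn.execute("SELECT id FROM articles WHERE title = ?", (title,))
    return [row[0] for row in rows]


def demo_lookup(conn, title):
    """Run both lookups on the same input and report how each behaves."""
    try:
        vulnerable = find_article_vulnerable(conn, title)
    except sqlite3.OperationalError as exc:
        # A single apostrophe in ordinary input already changes the query text;
        # that is the same property an injection attack relies on.
        vulnerable = "SQL error: " + str(exc)
    return {"vulnerable": vulnerable, "safe": find_article_safe(conn, title)}


# Matches <script ... src="[scheme:]//host/..."> and captures the host part.
SCRIPT_SRC_RE = re.compile(
    r"<script[^>]*\ssrc\s*=\s*['\"]?(?:https?:)?//([^/'\"\s>]+)", re.IGNORECASE
)


def find_injected_scripts(conn, trusted_hosts):
    """Audit stored content: return (article id, host) for every script tag
    that loads from a host not in the site's own trusted list."""
    trusted = {h.lower() for h in trusted_hosts}
    hits = []
    for art_id, body in conn.execute("SELECT id, body FROM articles"):
        for host in SCRIPT_SRC_RE.findall(body):
            if host.lower() not in trusted:
                hits.append((art_id, host.lower()))
    return hits


if __name__ == "__main__":
    db = make_db()
    print(demo_lookup(db, "O'Reilly"))
    # Assumed trusted host for the demo site.
    print(find_injected_scripts(db, {"cdn.example.com"}))
```

The audit query is deliberately crude (a regex over stored HTML), but running something like it against every text column after a suspected mass-injection incident is a fast way to find which pages carry the redirect, and the parameterised lookup is the fix that removes the injection vector in the first place.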
Unfortunately, we seem to be seeing that the problem with compromised Web sites is getting worse, not better, and the Internet experience and trust factor for the casual user will suffer as a result.
Note: We’ve contacted BusinessWeek and alerted them of the problem. Let’s hope they get it cleaned up and fix the original vulnerability so it doesn’t happen again.
“Fergie”, a.k.a. Paul Ferguson
Internet Security Intelligence
Advanced Threats Research
January 16th, 2008 by Trend Micro
The 2007 Internet weather report is in: It was the Stormiest we have seen. The security arena endured a year of Storm — the ever-changing pool of malware with a propensity to keep its calendar busy and rain on the AV parade. This was where its seeds were planted and where it was already noted for its enhanced social engineering, plus its multi-component, complex techniques for profit.

Its dark clouds started to form in October of 2006 when the WORM_NUWAR family first started spreading doomsday messages like the alleged death of the incumbent US president, the Third World War, and an imminent nuclear war.
It would not be heard from again until January 2007, when it earned its “Storm” stamp for squatting on the real-world European storm Kyrill. The spammed email messages that it sent out contained a Trojan that creates a unique P2P-like botnet and downloads files, including a worm that mass-mails itself. Its use of fake eCards and timely events as social engineering techniques was also observed, as well as its bid for Web world domination as it attacked the STRAT malware family.
From then on, it lived up to its name by maintaining year-round bad weather for the Internet and its users. The skies were relatively clear until April 2007, when new worm variants were spammed via email messages with subjects referring to the US-Iran conflict, missile strikes, and World War III being started by the US, Iran, or Israel. After that, it was a series of hitchhikes on whatever big-calendar events passed. Its spam runs often coincided with or anticipated holidays like the Fourth of July, Labor Day, the NFL season, Halloween, Christmas, and the New Year (even managing an early Valentine’s 2008 treat).
Its arsenal of nifty social engineering techniques also included offering free games, posing as notifications from antivirus companies, or pretending to be a YouTube video file. We have seen it move from an attachment-based attack to one that is Web-based; from its links pointing to a domain instead of single IP addresses; from being one big botnet to a segmented one; and so on.
It was last October when researchers found reason to believe that there was more than met the eye in its attempts at victimizing users, for it looked like the massive Storm botnet that was already under scrutiny by the security industry was breaking down into smaller segments. Although seemingly counter-intuitive, given that botnets grow stronger with each new addition of infected computers, this tactical move seems to suggest that the botnet herders are ready to go into (bigger) business by renting out their bots to other spammers.
True enough, analysts found phishing pages early this month that were hosted on known Storm-related domains. The difficulty in pinning down these malicious domains lies in the recently observed fast-flux technique. With these subsequent discoveries of clues about the bigger agenda on the minds of Storm’s creators and operators, researchers believe that in 2008 Storm’s armies of bots will come up with craftier social engineering techniques to more easily evade file scanning and fool the automated crawlers used by security companies, making analysis even harder for anti-malware engineers.
Looking back, like a real natural calamity, Storm’s impact is unforgettable. It has been a year since it first unleashed its power over the computing community and the cyber cyclone is not about to stop. In fact, it may be whipping up new winds of infections at the moment. Clearly, Storm watchers have their work cut out for them as the security industry stands ever more vigilant, creating technologies that continue to protect users from becoming casualties along Storm’s path of destruction.
“The bad guys behind this resilient Web threat appear to have a knack for knowing just what buttons to push year-long to social-engineer users into getting themselves mired in its wake,” says Trend Micro Research Project Manager Jamz Yaneza. He adds, “The security industry isn’t as near as it would like to be at this point, but we’re getting there. After all, there must be a rainbow after this Storm!”