
Archive for May 31st, 2008


May31
by Joseph Pacamarra (Threats Analyst)

XSS (Cross-Site Scripting) Very Much Alive and Kicking

We were about to investigate further the malicious activities related to banner82(dot)com/b.js, but the URL was already inaccessible by around Tuesday. Soon enough the malicious script in www(dot)adw95(dot)com caught our interest. A rough survey of the sites compromised by this script reveals that the sites involved cross-site scripting (XSS) vulnerabilities, SQL injection vulnerabilities, or a combination of both.

XSS Holes Endanger Users with Increasing Risks

I want to shed some light again on XSS because, although it has been around for a long time, it has not become any less attractive as an attack method, nor has a fool-proof solution against it been properly formulated.

XSS vulnerabilities can cause a variety of problems for the casual web surfer. These problems range in severity from mere annoyance to complete credential compromise. Some XSS attacks incorporate disclosure of the user’s session cookies, allowing the attacker to gain complete control over the victim’s session and (in effect) take over the account and hijack the HTTP session.

XSS attacks may also include redirecting the user to some other page or website, and modifying the content of a HTTP session. Other damaging risks include the exposure of the victim’s files, and subsequently the installation of Trojans and other damaging malware — and to what purpose? One can only guess because once the compromise is successful, the criminal’s next actions are open to unlimited possibility.

An XSS attacker utilizes varying methods to encode the malicious script in order to be less conspicuous to users and administrators alike. There is an uncounted number of variations of these attacks; embedded JavaScript is one of the more common implementations. But be forewarned — any embedded active content is also a potential source of danger, including ActiveX (OLE), VBScript, Flash, and more.

Breaches in the Background

XSS issues can and do exist in the underlying Web and application servers as well. Most Web and application servers use error mechanisms to display content-access error pages, such as “404 page not found” and “500 internal server error”. If these pages reflect back any information from the user’s request, such as the URL the user was trying to access, the chances that they are vulnerable to an XSS attack are even greater.
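As an added illustration (example code written for this edit, not code from the original post or from Trend Micro), the snippet below ties together the three points made so far: an error handler that reflects the requested URL, the encoding tricks that hide a script inside that URL, and the session-cookie attributes that limit what a reflected script can steal. The request paths, handler names and the `session=` cookie name are all constructed assumptions; the escaping relies only on Python’s standard `html` and `urllib.parse` modules.

```python
import html
from urllib.parse import unquote

# Constructed sample request paths (assumption, not data from the post). The last two
# carry the same markup percent-encoded once and twice, the kind of encoding variation
# the post warns about.
SAMPLE_PATHS = [
    "/products/widget-42",
    "/search?q=<script>alert(1)</script>",
    "/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    "/search?q=%253Cscript%253Ealert(1)%253C%252Fscript%253E",
]


def render_404_unsafe(path: str) -> str:
    """Vulnerable 404 handler: echoes the decoded request path straight into HTML,
    so any markup in the path is rendered by the browser."""
    return f"<h1>404 Not Found</h1><p>The page {unquote(path)} does not exist.</p>"


def render_404_safe(path: str) -> str:
    """Hardened 404 handler: HTML-escapes the reflected value, so '<', '>', '&' and
    quotes arrive as entities and are displayed as text rather than executed."""
    safe = html.escape(unquote(path), quote=True)
    return f"<h1>404 Not Found</h1><p>The page {safe} does not exist.</p>"


def reflects_raw_markup(rendered: str, user_input: str) -> bool:
    """Simple regression check: does the decoded input reappear verbatim in the
    response while carrying a tag? True means the page reflects unescaped markup."""
    decoded = unquote(user_input)
    return "<" in decoded and decoded in rendered


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so double-encoded input
    (%253C -> %3C -> <) is seen the way a downstream decoder would see it."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def audit_paths(paths) -> list:
    """Defender-side log review: return the request paths that, after full decoding,
    contain markup or a script URL scheme. A coarse filter meant for triage, not a
    complete XSS detector."""
    flagged = []
    for path in paths:
        decoded = decode_fully(path).lower()
        if "<" in decoded or "javascript:" in decoded:
            flagged.append(path)
    return flagged


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line for a session id (cookie name is an assumption). HttpOnly keeps
    document.cookie from reading it, so a reflected script cannot simply exfiltrate
    the session; Secure keeps it off plaintext HTTP; SameSite limits cross-site sends."""
    return f"Set-Cookie: session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print("unsafe:", render_404_unsafe(p))
        print("safe:  ", render_404_safe(p))
    print("flagged:", audit_paths(SAMPLE_PATHS))
    print(session_cookie_header("EXAMPLE-SESSION-ID"))
```

Note that the single- and double-encoded paths produce the same hardened output, because escaping is applied after decoding; escaping before decoding would leave the entities for a later decoder to undo. The `audit_paths` filter is deliberately coarse: it is the kind of first pass an administrator runs over access logs, not a substitute for fixing the reflection itself.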

The possibility that a website contains XSS vulnerabilities is extremely high. There are countless ways to mislead Web applications into relaying maliciously injected scripts. Developers and website administrators seem to have a knack for missing these vulnerable application areas in their web implementations, but finding these configuration errors seems to be a walk in the park for attackers, since all they need is a browser and time (time which most of the defenders don’t have).

There are numerous free attack tools available, and worse, the most efficient ones are created by career criminals who happen to be at the disposal of anyone willing to pay for their warez. These tools readily aid in finding these flaws, and are increasingly often crafted to inject XSS attacks into a target site.

XSS Vulnerability in Adw95(dot)com Attack

Here’s a closer look at the infection chain launched by the injection of malicious JavaScript into victimized websites:

Mass compromises seem to be all the rage these days, and exploiting XSS vulnerabilities is just one of the methods criminals can employ to silently worm their way into users’ PCs. Please see our Virus Encyclopedia for further details about the malware in this particular infection chain. Trend Micro users with updated patterns are protected from these threats as of Pattern 5.305.00.

(Note: Malware may vary or change at any given time as we are still closely monitoring this incident).

 

May31
by Bernadette Irinco (Technical Communications)

Even though Patch Tuesday is still two weeks from now, crimeware authors are already sending out fake Microsoft “critical updates.” The TrendLabs Content Security Team recently found a hoax purporting to be from Microsoft that urges users to update their computers due to a “critical security issue”.

The email, which has the subject heading Important update from Microsoft Windows XP/2003 Professional Service Pack 2(KB946026), urges recipients to install the latest security update to avoid a successful attack that could result in compromising the recipient’s PC.

If the unlucky victim clicks on the file name, WINDOWS-KB946026-X86-ENU, they won’t be getting any security patch — but rather, malware detected by Trend Micro as PE_VIRUT.XZ.

PE_VIRUT.XZ is a pretty old variant that appends its code to EXE and SCR files, making a pretty big mess depending on where it is executed.

Admittedly, we have been seeing these fake security notifications for a long time (we’ve discussed this in the past here and here). But apparently, consumers still fall for this trap anyway.

Always keep your OS, third-party applications, and other associated software updated — this is one sound piece of advice that consumers can bank on.

And also make sure to get those Windows updates only from the source, Microsoft Corporation.

 
Posted in Malware, Security, Spam

May31
by Bernadette Irinco (Technical Communications)

Malware criminals generally revert to old-school social engineering as they continually employ another newsworthy item in their latest ploys.

Just recently, the TrendLabs Content Security team discovered spam email messages that rode on interest around the case of Alexandre Nardoni. Nardoni, a law consultant, was accused of killing his daughter, Isabella Nardoni, in their apartment in Sao Paulo. Later on, he pleaded not guilty and was released from jail.

The email, which claims to be from Youtube News, tricks users into clicking the malicious link that promises actual footage of Nardoni’s arrest. When users click on the link, a dialog box appears requiring the users to save the executable file. The said file, named VIDEO.EXE, is actually a malware detected by Trend as MAL_BANKER.

This is not the first time (and no doubt not the last) that malware criminals have exploited the popularity of current news, as previously blogged here and here. Consumers are always advised to be suspicious when opening email messages from unknown senders. Trend Micro users are already protected from this threat, as we detect both the malware and the spam message that carries it.

 
Posted in Malware, Spam


© Copyright 2008 Trend Micro Inc. All rights reserved.