TrendLabs Malware Blog - Trend Micro

    Archive for May, 2011




    In a recent Reuters article, Italian security researcher Rosario Valotta described a new zero-day attack on Microsoft’s Internet Explorer (IE) browser that he has named “cookiejacking.” The main idea behind cookiejacking has actually been around for several years now under better-known names such as sidejacking or session hijacking. However, what Rosario discovered is a new delivery method for this attack: it relies on social engineering users into helping the attacker exploit a bug in IE.

    According to the report, the vulnerability affects all versions of IE, including IE 9, on every version of the Windows OS. To exploit the flaw, the hacker must persuade the victim to drag and drop an object across the PC’s screen before the cookie can be hijacked.

    The researcher cited an example where he used social engineering in the form of a puzzle to entice users to “undress” a photo of an attractive woman. For those of you interested in reading the full details of the attack, you can find it here.




    Yesterday, I read an article that reported how our counterparts at Sophos “slammed Microsoft” over its reported malware blocking stats for SmartScreen® Application Reputation, which is built into Internet Explorer (IE) 7, 8, and 9.

    This issue was much too interesting for me to not follow up with my own thoughts.

    Having also read the Microsoft blog article as well as media reports, I was enticed to run a few checks.

    I took a look at Trend Micro’s own internal competitive benchmarking results. As you can see from the chart below, of those companies whose products we tested against, the security company closest to Trend Micro’s own blocking rate was, in fact, Kaspersky.

    In our test, IE9 achieved a less than 10 percent success rate for malicious URL blocking. So, while we cannot comment on the exact methodology used in Microsoft’s own tests, we have to agree with Sophos’ questioning of the rather surprising results Microsoft published.

    [Figure 1: Trend Micro internal competitive benchmarking results for malicious URL blocking]

    Note: Internal benchmarking results (Figure 1) updated to include additional company (May 25, 9:07 PM UTC-7).




    The Mariposa botnet made headlines when three of its alleged operators were arrested in Spain prior to its supposed shutdown. This was followed by a sudden and drastic decrease in Mariposa-related incidents, which was very understandable because the botnet was reported to have already been taken down.

    Lately, however, we’ve been seeing a strange increase in activity related to WORM_PALEVO—the Trend Micro detection name for malware related to the Mariposa botnet. The increase started late in the fourth quarter of 2010.

    It seems that despite the Mariposa botnet takedown in early 2010, some of its command-and-control (C&C) servers are still very much alive. Our findings were further verified by abuse.ch, which currently lists 89 active Mariposa C&C servers. This number is also steadily growing: we have found 116 active C&C servers as of this writing. The list even includes the infamous URL that was responsible for the botnet’s name, Mariposa.




    Wouldn’t it be cool if you had immediate access to your favorite music and bands? What if these are readily available on your favorite social networking site?

    Unfortunately, spammers also find this cool. We recently noted messages and wall posts circulating on Facebook that promote a supposed new music player feature. Below is a screenshot of what these spammed messages typically look like.

    [Screenshot: a spammed Facebook message promoting the supposed new music player feature]




    A couple of days ago, my colleagues reported an attack that appears to be targeted and that involves email messages sent through a Webmail service. Upon further investigation, we were able to confirm that this attack exploits a previously unpatched vulnerability in Hotmail. Trend Micro detects the malicious email messages as HTML_AGENT.SMJ.

    The attack simply requires the targeted user to open the specially crafted email message, which automatically executes the embedded script. This then leads to the theft of critical information, specifically email messages and information about the affected user’s personal contacts. The stolen email messages may contain sensitive information that cybercriminals can use for various malicious routines.

    The script connects to http://www.{BLOCKED}eofpublic.com/Microsoft.MSN.hotmail/mail/rdm/rdm.asp?a={user account name}{number} to download yet another script.

    The nature of the said URL strongly suggests that the attack is targeted. The URL contains two variables—{user account name}, which is the target user’s Hotmail ID, and {number}, which is a predefined number set by the attacker. The number seems to determine the malicious payload that will be executed, as we’ve found that the information theft routines are only executed when certain numbers are in the {number} field.

    The URL leads to another script detected by Trend Micro as JS_AGENT.SMJ. This script triggers a request to the Hotmail server that forwards all of the affected user’s email messages to certain email addresses. The email forwarding, however, only works during the session in which the script was executed and stops once the user logs off.

    The attack takes advantage of a script or a CSS filtering mechanism bug in Hotmail (CVE-2011-1252). Microsoft has already taken action and has updated Hotmail to fix the said bug.
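    As an added example (not code from the original post), a small proxy-log check for the second-stage loader request described above. It assumes a constructed space-separated log format and uses a placeholder host, since the post redacts the real domain as {BLOCKED}; matching is therefore done on the URL path and the `a=` parameter alone.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path of the second-stage loader named in the post. The host is deliberately not
# matched: the post redacts it as {BLOCKED}, so we key on the path alone.
RDM_PATH = "/microsoft.msn.hotmail/mail/rdm/rdm.asp"
# The "a" parameter is {user account name}{number}. An account name may itself end
# in digits, so this split is a best-effort heuristic: shortest name, trailing digits.
ACCOUNT_NUMBER_RE = re.compile(r"^(.+?)(\d+)$")

def parse_request(line):
    """Parse one constructed proxy log line: '<epoch> <client_ip> <method> <url> <status>'."""
    parts = line.split()
    if len(parts) != 5:
        return None
    return {"ts": parts[0], "client": parts[1], "method": parts[2],
            "url": parts[3], "status": parts[4]}

def match_rdm_loader(req):
    """Return alert details if the request hits the rdm.asp loader path, else None."""
    u = urlsplit(req["url"])
    if u.path.lower() != RDM_PATH:
        return None
    a_value = parse_qs(u.query).get("a", [""])[0]
    m = ACCOUNT_NUMBER_RE.match(a_value)
    # If no trailing number is present, report the whole value as the account name.
    account, number = (m.group(1), m.group(2)) if m else (a_value, None)
    return {"client": req["client"], "host": u.hostname,
            "account": account, "number": number}

def scan_log(text):
    """Run the loader check over every line and collect alerts."""
    alerts = []
    for line in text.splitlines():
        req = parse_request(line)
        if req is None:
            continue
        hit = match_rdm_loader(req)
        if hit:
            alerts.append(hit)
    return alerts

# Constructed sample log; the loader host is a placeholder, not the real redacted domain.
SAMPLE_LOG = """\
1306300000.123 10.0.0.5 GET http://www.example.invalid/index.html 200
1306300001.456 10.0.0.7 GET http://www.blocked-placeholder.invalid/Microsoft.MSN.hotmail/mail/rdm/rdm.asp?a=alice.smith12 200
1306300002.789 10.0.0.9 GET http://mail.live.com/default.aspx 200
"""

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"ALERT client={alert['client']} account={alert['account']} "
              f"number={alert['number']} host={alert['host']}")
```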


    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice