Posts filed under 'News'
May 7th, 2008 by Paul Ferguson (Advanced Threats Researcher)

It would appear that we have a developing issue originating from various locations in China for the past few days that we (security researchers) are still piecing together.
Over at the SANS Internet Storm Center, John Bambenek has posted (and also provided at least one update at this hour) a daily handler’s diary entry explaining that they have had reports of a possible SQL worm, involving some domains, JavaScript, and URLs that first popped up on our threat radar on Monday (5 May 2008) morning.
Trend Micro has already proactively blocked access to these malicious domains and URLs (and the associated malicious “back-channel” background activity) while we push out a pattern update for malicious file and JavaScript detection.
That is the value of hybrid Web Threat Protection (WTP): blocking the malicious domains and URLs breaks the infection chain and shrinks the “time-to-exploit” window immediately, before a file-detection pattern is even available.
Please be assured that we are burning the midnight oil working on these issues, and will update this blog post as more details become clear. In the meantime, please refer to the SANS ISC Daily Handler’s Diary for details, and we’ll post more as this developing incident unfolds.
One further note: while the number of compromised sites is only in the ~4,000 to ~5,000 range (still not small!), some very high-profile Web sites appear to have been compromised in this attack.
PLEASE DO NOT GO SEARCHING FOR WEB SITE COMPROMISES. In this particular case, if you are not adequately prepared and protected, you can become a victim of your own curiosity.
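As an added illustration (not part of the original post, and not the indicators from this incident), here is how a responder can inspect a page suspected of carrying an injected script tag without rendering it: fetch the raw HTML with a non-browser tool in an isolated machine, then list every `<script>` or `<iframe>` whose source points off-site. The sample page, the `www.example.com` site and the `evil.example` host are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a page whose database-driven text field has had a
# script tag and a hidden iframe appended to it, the shape of injection
# seen in mass SQL-injection compromises. Hosts are placeholders.
SAMPLE_HTML = """<html><head><title>Store</title>
<script src="/static/app.js"></script></head>
<body><h1>Widgets</h1>
<p>Great widgets<script src="http://evil.example/ngg.js"></script></p>
<iframe src="http://evil.example/x.html" width="0" height="0"></iframe>
</body></html>"""


class ExternalRefFinder(HTMLParser):
    """Collects script/iframe sources. Nothing is fetched or executed;
    the parser only reads start tags from the text it is given."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.external = []  # (tag, url) pairs pointing off-site

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src")
        if not src:
            return
        host = urlparse(src).hostname
        # Relative URLs (host is None) and same-host URLs belong to the site.
        if host and host != self.site_host:
            self.external.append((tag, src))


def find_external_refs(html_text, site_host):
    """Return every off-site script/iframe source in document order."""
    parser = ExternalRefFinder(site_host)
    parser.feed(html_text)
    parser.close()
    return parser.external


def scan(html_text, site_host, known_good_hosts=()):
    """Off-site sources minus an allowlist of hosts the site legitimately
    uses (a CDN, an analytics provider). What remains deserves a look."""
    allow = {h.lower() for h in known_good_hosts}
    return [(tag, url) for tag, url in find_external_refs(html_text, site_host)
            if urlparse(url).hostname not in allow]


if __name__ == "__main__":
    for tag, url in scan(SAMPLE_HTML, "www.example.com", ["cdn.example.com"]):
        print(f"suspicious <{tag}> loading {url}")
```

The point of doing it this way is that the HTML is never handed to a browser, so the injected script never runs. The check is deliberately narrow: an injection that builds the script tag from inline, obfuscated JavaScript (`document.write` and friends) will not show up as a `src` attribute, so an empty result is not a clean bill of health.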
“Fergie”, a.k.a. Paul Ferguson
Internet Security Intelligence
Advanced Threats Research
April 29th, 2008 by Paul Ferguson (Advanced Threats Researcher)

While most of the cyber crime activity we see on the Internet is driven by illicit financial incentives, there also appears to be a type of malicious activity driven by other motivations altogether: “Hacktivism”.
Hacktivism is best explained as a combination of “hacking” and “activism”, traditionally rooted in cultural and/or geopolitical unrest. As Wikipedia defines it, Hacktivism is “…the nonviolent use of illegal or legally ambiguous digital tools in pursuit of political ends. These tools include web site defacements, redirects, denial-of-service attacks, information theft, web site parodies, virtual sit-ins, virtual sabotage, and software development.”
In fact, hacktivist incidents stretch back over 20 years, but only in the past couple of years have they become more frequent and more damaging.
The most notable incident of regional Hacktivism was the series of Distributed Denial of Service (DDoS) attacks against government and corporate websites in Estonia in 2007, which started a worldwide dialog on the real threat of “cyber attacks” and their impact on national infrastructure.
However, the latest victims of Hacktivism appear to be several U.S. websites in Eastern Europe belonging to Radio Free Europe/Radio Liberty. It was reported Monday that “…the attack, which started on April 26, initially targeted the website of RFE/RL’s Belarus Service, but quickly spread to other sites…”
According to a statement on the Radio Free Europe/Radio Liberty website, RFE/RL had been “…hit before by denial-of-service attacks, but this attack was unprecedented in its scale, as RFE/RL websites received up to 50,000 fake hits every second.”
While incidents of Hacktivism are not new, they are becoming a lot more frequent, perhaps due to the availability of tools for hacktivist mischief, but also perhaps due to the ubiquitous social networking mechanisms that can now be used to build consensus when times of cultural or political unrest present the opportunity.
In any event, Hacktivism is becoming a disturbing trend, and one which can have serious ripple effects that interfere with Internet operational continuity — sometimes in ways which we may have not even thought of yet.
“Fergie”, a.k.a. Paul Ferguson
Internet Security Intelligence
Advanced Threats Research
April 29th, 2008 by Jake Soriano (Technical Communications)
Senators Hillary Clinton and Barack Obama are battling it out on all fronts. In a tight contest where no clear frontrunner has yet emerged, the outcome isn’t likely to be decided by the debates alone, so we see extra-political battles in other arenas. The Web is one sphere where the nominee hopeful who dominates stands to gain a lot.
The most recent Internet-related clash between the two involved redirection: one candidate’s Web site led users to the site of the other. Visitors to Obama’s site were redirected to Clinton’s by way of a cross-site scripting (XSS) attack, in which attacker-supplied script injected into a page of the site runs in each visitor’s browser. Researchers then reproduced the attack in the other direction, exploiting similar vulnerabilities, and disclosed the flaws to the site owners.
Internet-related incidents surrounding the upcoming U.S. presidential election are not new. As early as November last year, TrendLabs reported on spam runs framed as campaign material for Ron Paul. Clinton herself was featured in a spam run that pushed malware onto systems, turning them into bots that spread further spam.
This time, however, the cross-site scripting attacks appear benign, as no malware was involved. With the increasing attention on spamming and other malicious activity, this may be a move driven by caution: those behind it may have realized that malicious activity, once exposed, inevitably taints the individuals involved in the eyes of the media and the public.
Researchers are still investigating how this type of attack could be used in more malicious criminal activity.
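To make the XSS redirect described above concrete, here is an added example (not code from either campaign site or from the original post) showing the two places a community blog typically gets this wrong, and the fix for each. The templates, the `other-site.example` host and both payloads are constructed for the example.

```python
import html
from urllib.parse import urlparse

# Hypothetical templates of the kind a campaign site's community blog
# might use; constructed for this example.
COMMENT_HTML = '<div class="comment">{body}</div>'
PROFILE_LINK_HTML = '<a href="{url}">profile</a>'

# Constructed payloads, not the ones used against either campaign site.
SCRIPT_PAYLOAD = "<script>window.location='https://other-site.example/'</script>"
HREF_PAYLOAD = "javascript:window.location='https://other-site.example/'"


def render_comment_unsafe(body):
    """The bug: user text is interpolated straight into the markup, so an
    injected <script> becomes part of the page and runs in every
    visitor's browser, sending them to the other site."""
    return COMMENT_HTML.format(body=body)


def render_comment_safe(body):
    """The fix for text context: encode <, >, &, " and ' so the browser
    displays the payload as text instead of executing it."""
    return COMMENT_HTML.format(body=html.escape(body, quote=True))


def safe_href(url):
    """Attribute context needs more than escaping: a javascript: URL
    contains no HTML special characters at all, so the scheme has to be
    checked against an allowlist before the value goes into href."""
    cleaned = url.strip()
    scheme = urlparse(cleaned).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return html.escape(cleaned, quote=True)


def render_profile_link(url):
    return PROFILE_LINK_HTML.format(url=safe_href(url))


def has_executable_script(markup):
    """Crude indicator used only to contrast the renderings above; it is
    not a substitute for proper output encoding."""
    low = markup.lower()
    return "<script" in low or 'href="javascript:' in low


if __name__ == "__main__":
    print(render_comment_unsafe(SCRIPT_PAYLOAD))   # script tag intact: runs
    print(render_comment_safe(SCRIPT_PAYLOAD))     # &lt;script&gt;...: shown as text
    print(render_profile_link(HREF_PAYLOAD))       # href="#": scheme rejected
```

The second half is the part that is easy to miss: `html.escape` makes the comment case safe, but a user-controlled link target needs a scheme allowlist as well, because `javascript:` survives escaping untouched.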
April 8th, 2008 by Aileen Clemente (Technical Communications)

Who doesn’t love getting freebies when purchasing a brand-new electronic device? However, it’s another story altogether if the freebie is pre-installed malware.
HP Australia has recently warned the public that an undisclosed number of 256 MB and 1 GB USB keys shipped with some of its Proliant servers came infected with the Fakerecy and SillyFDC malware, which can spread to the host once a key is plugged in. The keys are shipped for customers who install the optional floppy-disk drive in their servers. The malware bears file names that could be mistaken for legitimate system files (such as WinUpdter and ctfmon). Trend Micro detects them as WORM_AUTORUN.AZB and WORM_VB.BDN.
Although HP and the Australian Computer Emergency Response Team (AusCERT) consider this a low-level threat, given the limited purpose of the USB keys and the capabilities of the malware, the incident once more highlights the growing use of USB devices as a carrier for unwanted software. Early in the year, a batch of China-made media players, the Victory LT-200, was shipped with a file infector.
To be safe, scan even brand-new USB devices with up-to-date antimalware software before opening any of their contents. As Forrest Gump said, “Life is like a box of chocolates, you never know what you’re gonna get.” These days, that goes for USB drives too.
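Alongside the antimalware scan, an added example (not part of the original post) of the one thing worth reading on a removable volume before opening anything on it: the `autorun.inf` at its root, which is what an AutoRun worm relies on to get launched. The sample `autorun.inf` below is constructed for the demo; it reuses the disguised file name `WinUpdter` mentioned above, but its contents are invented and the "executable" written next to it is a placeholder, not a real binary.

```python
import os
import tempfile

# [autorun] directives that cause something to execute. label= and icon=
# are cosmetic, though icon= often names the same file the worm launches.
EXEC_KEYS = {"open", "shellexecute", "shell\\open\\command",
             "shell\\explore\\command"}

# Constructed sample autorun.inf for the demo (not a file from the HP keys).
SAMPLE_AUTORUN = """[autorun]
; padding comment of the kind worms use to bury the real directives
open=WinUpdter.exe
icon=WinUpdter.exe
shellexecute=WinUpdter.exe
shell\\open\\command=WinUpdter.exe
open=Setup.exe
label=HP USB Key
"""


def parse_autorun(text):
    """Tolerant parser for autorun.inf (configparser chokes on the junk
    lines worms pad these files with).

    Returns (directives, duplicates): key/value pairs of the [autorun]
    section with the first occurrence kept, plus the keys that appear
    more than once, which is itself a sign of tampering."""
    directives, duplicates = {}, []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            key = key.strip().lower()
            if key in directives:
                if key not in duplicates:
                    duplicates.append(key)
            else:
                directives[key] = value.strip()
    return directives, duplicates


def inspect_removable_root(root):
    """Report what an autorun.inf at the volume root would launch and
    whether the named file is present, without opening either."""
    findings = []
    inf_path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf_path):
        return findings
    with open(inf_path, encoding="latin-1") as fh:
        directives, duplicates = parse_autorun(fh.read())
    for key in sorted(directives):
        if key not in EXEC_KEYS:
            continue
        tokens = directives[key].split()
        if not tokens:
            continue
        # First token of the command, quotes removed, is the target file.
        target = tokens[0].strip('"')
        state = "present" if os.path.isfile(os.path.join(root, target)) else "missing"
        findings.append(f"{key}={directives[key]!r} (target {state})")
    for key in duplicates:
        findings.append(f"duplicate key {key!r}")
    return findings


def demo():
    """Builds a throwaway 'USB root' holding the sample file and inspects it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_AUTORUN)
        with open(os.path.join(root, "WinUpdter.exe"), "wb") as fh:
            fh.write(b"MZ placeholder, not a real executable")
        return inspect_removable_root(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

To use it on a real key, pass the mount point (for example `/media/usb` on a Linux analysis box) to `inspect_removable_root`, on a machine where AutoRun is disabled so that mounting the volume cannot itself trigger the launch. Any `open=` or `shellexecute=` entry pointing at a file with a system-sounding name, or a key listed twice, is reason to hand the device to a scanner rather than double-click anything.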
April 3rd, 2008 by Jake Soriano (Technical Communications)
After the famous two minutes it took three security researchers to hack the equally famous Apple MacBook Air, Computerworld reports that another security researcher accomplished a similar feat, this time on a Vista notebook.
The notebook, a Fujitsu U810 running Windows Vista Ultimate SP1, had Adobe Flash Player installed. Shane Macaulay, a consultant at Security Objectives, successfully exploited a critical vulnerability in Flash to break into it, winning the notebook as well. Macaulay and two other researchers also received a cash reward for this.
This is the second high-profile compromise in “PWN to OWN”, a challenge that seeks to expose vulnerabilities and bugs in PCs and laptops. The contest offers prizes to researchers who successfully demonstrate previously unknown system and software flaws that could be exploited by malicious users in the future.
The challenge requires the winners to remain silent about their hacking method until after the vendors of affected software have provided the necessary patches and solutions.
If it is any consolation, no one won the first-day “PWN to OWN” challenge, which required that the laptops be broken into remotely, without any user interaction. Both successful exploits relied on user interaction: tricking a user into an action they would normally take.
Trend Micro advises users to keep all installed applications patched, to address known vulnerabilities.