As we prepare for the year ahead, let us take a look at some of the Trend Micro 2011 predictions that came true and how we contributed to the security industry’s wins against the continuing war against cybercrime.

 

Though we didn’t foresee hacktivism coming to the fore in 2011, we witnessed a slew of mass compromises result from AntiSec and LulzSec attacks against various entities. Armed with politically charged agendas and disgruntled with varying issues, hacktivist groups continued to fling attacks at users.

2011, however, wasn’t all bad, as we also garnered some wins in our never-ending battle against cybercrime. In close collaboration with our industry partners and law enforcement authorities, Trend Micro was at the forefront in what has been dubbed the “Biggest Cybercriminal Ring Takedown”—Operation Ghost Click—to date. As individuals and organizations alike embark on the cloud journey, we at Trend Micro, along with our fellow cybercrimefighters in law enforcement and the security industry, will continue to serve our customers by providing data protection from, in, and for the cloud.

For more details on what 2011 was like, take a look at the 2011 security roundup report, A Look Back at 2011: Information Is Currency.

Post from: TrendLabs | Malware Blog - by Trend Micro

2011: The Year of Data Breaches

Microsoft starts the year right by addressing eight vulnerabilities in its January 2012 round of patches. This update includes fixes for one Critical bulletin, while the rest are rated Important.

This month’s update covers several vulnerabilities in Microsoft Windows, including those found in Windows Object Packager, Windows Media Player, and Windows Object Packager.

The only bulletin rated Critical was ‘Vulnerabilities in Windows Media Could Allow Remote Code Execution’. The vulnerabilities included in the said bulletin could allow remote code execution when users open a specially-crafted media file.

Also corrected in this patch Tuesday release is the way Media Player handles specially-crafted MIDI files and the way DirectShow parses media files. This update applies to all versions of Windows, including Windows 7.

In addition, MS12-006 fixes the BEAST vulnerability in SSL/TLS protocols, which potentially allowed a malicious user to conduct man-in-the-middle attacks on secure traffic.

Microsoft was not the only one to release fixes, as Adobe also published their own security updates to address vulnerabilities found in Adobe Reader and Acrobat. Most of the vulnerabilities addressed could lead to code execution when abused. Detailed information on the vulnerabilities can be found here.

To lean more about Microsoft support for the affected software, more details on the security bulletins for January 2012 can be found in their official bulletin summary. Users may also refer to our Trend Micro security advisory page.

Users of Deep Security and OfficeScan with Intrusion Defense Firewall (IDF) plug-in can also find updates to their products that will protect them from threats exploiting the vulnerabilities made public today, in advance of IT administrators being able to roll out these patches.

Post from: TrendLabs | Malware Blog - by Trend Micro

Microsoft Releases 7 Bulletins for First Patch Tuesday of 2012

In recent years, we have seen client-side software heavily targeted by hackers in search of vulnerabilities. 2011 saw these threats become more complex and sophisticated. We saw attackers increasingly use zero-day vulnerabilities, some of which have been particularly critical. Examples of these include the vulnerability Duqu exploited (CVE-2011-3402); a Java vulnerability (CVE-2011-3544); or Adobe zero-day vulnerabilities, which were exploited in the wild.

The exploit attacks we saw this year were targeted, original, sophisticated, and well controlled.

Among the applications most targeted in the wild were Adobe Acrobat, Reader, and Flash Player; Java Runtime Environment (JRE)/Java Development KIT (JDK); and Internet Explorer. Exploit kits like Black Hole and Phoenix were really prompt to pick exploits for these applications and go after users with high success rates. We also saw browser vendors release patches several times within the year to patch critical vulnerabilities.

Attacks were successful because a high percentage of users still used unpatched versions of vulnerable software. According to a CSIS study, 37% of users still browse the web with unsecured Java versions. A Zscaler survey also reported that 56% of enterprise users utilize vulnerable versions of Adobe products, putting the onus on security administrators to deploy virtual patching products such as Trend Micro Deep Security or the OfficeScan IDF plug-in.

Server Vulnerabilities

Having said that, there’s an ugly side to server/OS vulnerabilities as well. Things largely remained the same in this space, as shown by the number of vulnerabilities in Windows Server 2008 and Red Hat.

Credit to CVE Details as source of the above data

Cybercriminals also exploited vulnerabilities in web applications. SQL injection attacks were used to compromise millions of web pages. In two separate mass SQL injection attacks, malicious scripts were inserted into legitimate websites. The first one in July hit 8 million websites. A second wave in October affected 1 million websites. Apart from SQL injection attacks, attacks exploiting cross-site scripting (XSS), cross-site request forgery, Directory Traversal, and other vulnerabilities in web applications (e.g., PHP, WordPress, Joomla, etc.) also occurred in large numbers and will continue to do so next year.

Some of the 2011 vulnerabilities worth mentioning are:

What Can Users Do?

To protect against attacks exploiting the above-mentioned and similar vulnerabilities, a good patch management strategy is required. To mitigate any damage during the patch cycle, a virtual patching solution should be deployed as well.

The trends that we saw in 2011 are going to continue in 2012. We will see attacks become more complicated. The defenses against these threats will have to evolve and adjust to keep users protected in 2012.

Post from: TrendLabs | Malware Blog - by Trend Micro

2011 in Review: Exploits and Vulnerabilities

The root cause of the problem lies in hash collisions. Most web applications use hashes to store user supplied inputs/form parameters. The inputs are supplied by users; hence attackers can control what values are eventually filled in the hashes. In this particular attack, the attacker sends too many key value pairs with colliding keys. If the hash implementation of the language is not randomized, it can result in numerous hash collisions, given that a lot of colliding entries are sent. The resolution of these collisions results in very high CPU usage.

An interesting aspect of this attack is that it doesn’t only affect Microsoft products. Several other web applications, such as Apache Tomcat, Apache Geronimo, Oracle web applications, PHP using python, ruby, Java are also vulnerable to this same issue. It’s not a specific vulnerability but a fundamental software flaw with the implementation of hash algorithms.

Trend Micro customers need not worry, as Deep Security provides protection with the rule 1004886 – Microsoft ASP.NET Hashes Denial Of Service Vulnerability (CVE-2011-3414). For more details, user may refer to Trend Micro security advisory page in our Threat Encyclopedia.

Because of its severity, users are also advised to immediately update their systems before they usher in the new year.

Update as of January 9, 2012,11:00 PM PST

The Microsoft out of band update also addressed three other vulnerabilities:

CVE-2011-3415:

This vulnerability is a domain spoofing/open redirect vulnerability in Forms Authentication feature in the .Net Form Authentication. An attacker can use crafted URL to redirect the users to any website without the users’ knowledge. The attack vector can be a crafted link, which leads to a phishing attack to steal the sensitive information from the user like login credentials.

Websites with ASP.Net installed are at risk from this vulnerability. Microsoft .NET Framework 2.0 SP2, 3.5 SP1, 3.5.1, and 4.0 are also vulnerable to this.

CVE-2011-3416:

This vulnerability is an authentication bypass flaw in ASP.Net. An attacker who successfully exploited this vulnerability can gain complete access to targeted users’ accounts and run any arbitrary commands with its privileges.

Trend Micro Deep Security provides zero day protection against such attacks using it’s heuristic based rule like ‘1000128 – HTTP Protocol Decoding‘.

CVE-2011-3417:

This vulnerability pertains to a specific configuration of ASP.Net. A system with sliding expiration enabled is only vulnerable to this. Once successfully exploited, an attacker can gain access to arbitrary user accounts on the system by sending specially crafted requests.

The following rules in Trend Micro Deep Security provide protection to Trend Micro customers:

• 1004886 – Microsoft ASP.NET Hashes Denial Of Service Vulnerability (CVE-2011-3414)
• 1004887—Microsoft ASP.NET Framework Forms Authentication URI Spoofing Vulnerability (CVE-2011-3415)
• 1000128—HTTP Protocol Decoding

Post from: TrendLabs | Malware Blog - by Trend Micro

Microsoft Releases Out of Band Update Before Year Ends

This .PDF exploit technique is similar to other commonly-used exploits. It contains a malicious JavaScript which executes a shellcode that decrypts and installs an embedded binary in the PDF. Below is the embedded binary, which is detected by Trend Micro as BKDR_SYKIPOT.B.

Trend Micro protects its customers from this attack via the Trend Micro™ Smart Protection Network™ infrastructure by blocking all related files and URLs.

Threat Discovery Appliance (TDA) is also able to detect traffic related to the malicious sites through TDA Rule 18 NCCP – 1.11525.00, while Deep Security and OfficeScan with Intrusion Defense Firewall (IDF) plug-in provides protection through the following rules:

• 1004871 – Adobe Acrobat Reader U3D Component Memory Corruption Vulnerability (CVE-2011-2462)
• 1004873 – Adobe Acrobat Reader U3D Component Memory Corruption (CVE-2011-2462)

Users can remain informed by taking a look at the Adobe security advisories page for more information on this zero-day vulnerability.

Post from: TrendLabs | Malware Blog - by Trend Micro

Adobe Zero-day Vulnerability Installs Backdoor – Another Targeted Attack?

Microsoft released 13 bulletins today instead of 14, as announced in the Patch Tuesday announcement some days ago. In their final Patch Tuesday for the year, Microsoft addressed bugs in Windows, Internet Explorer, and Microsoft Office, while adding in a fix for DUQU in the bulletin MS11-087, which is also known as the DUQU zero-day remote code execution flaw. Attackers embedding specially crafted TrueType fonts in documents can exploit this vulnerability in the Windows kernel. MS11-087 was given a ‘Critical’ rating.

MS11-092 also deserves attention in this security bulletin as it affects Windows Media Player and also allows an attacker remote code execution if a user opens a specially crafted Microsoft Digital Video Recording (.dvr-ms) file. Microsoft also includes fixes for Active Directory, OLE and the Windows kernel.

To lean more about Microsoft support for the affected software, more details on the security bulletins for December can be found in their official bulletin summary. Users may also refer to our Trend Micro security advisory page.

Users of Deep Security and OfficeScan with Intrusion Defense Firewall (IDF) plug-in can also find updates to their products that will protect them from threats exploiting the vulnerabilities made public today, in advance of IT administrators being able to roll out these patches to their systems.

Post from: TrendLabs | Malware Blog - by Trend Micro

Microsoft Releases 13 Bulletins to Close 2011

The Microsoft Security Bulletin Summary for November 2011 tackles and addresses multiple vulnerabilities in Microsoft Windows. According to the notice, one of the bulletins is rated “critical”, while two are rated “important” and remaining one is rated “moderate.”

Majority of the bulletins apply to newer versions of Windows and require a reboot. The critical bulletin only affects Windows Vista, Windows 7, and Windows 2008 Server R2.

This Patch Tuesday gave a break to many IT administrators, however the real question on everyone’s mind is zero-day vulnerability related to DUQU. The vulnerability is exploited through a malicious Microsoft Word document. When opened, a zero-day kernel vulnerability is taken advantage of to execute malicious code. Microsoft did not release a patch in this cycle but has already issued a temporary fix for the exploit found here. The advisory provides a workaround by disabling the rendering of embedded TrueType fonts.

Additionally, Microsoft also raised their concern on the exploitability of MS11-083, giving it an Exploitability Index of “2″. They gave several scenarios wherein the vulnerability is exploited, and eventually used to achieve remote code execution.

Users are advised to immediately download and apply these patches as soon as possible. For more information regarding this month’s Patch Tuesday release, visit the Trend Micro security advisory page.

Post from: TrendLabs | Malware Blog - by Trend Micro

Light Patch Tuesday for November 2011

This is a technical analysis of a recently discovered vulnerability in one of the most-used web browser: Mozilla Firefox.

This Mozilla Firefox vulnerability was discussed by Charis Rohlf and Yan Lvnitskiy during their presentation, Attacking Clientside JIT Compilers at the Black Hat Conference in Las Vegas earlier this year.

This vulnerability, identified as CVE-2011-2371, lies in the Js3250.dll library and Js3250!array_reduceRight function in Mozilla Firefox, and affects versions earlier than 3.6.18, as well as versions 4.0 through 4.0.1. Two proofs-of-concept for this vulnerability were already disclosed publicly earlier this month by Matteo Memelli and metasploit.

We performed some analysis through reverse engineering and tested with the published proof of concept. Through this, we were successfully able to execute arbitrary remote code on Firefox 3.6.16.

Vulnerability Analysis

The following is a sample exploit code:

If the JavaScript shown above is loaded through the JIT engine by Firefox, the js3250!array_reduceRight function will be executed. It will call the js3250!array_extra function after setting ArrayExtraMode as 2.

Whenever any vulnerability is found, the first thing that always comes to mind is what we can do to protect users from threats that will make use of that vulnerability. For users, to default call for action during such circumstances is to check if they are affected by the vulnerability, and to patch their system.

However, security updates are not always available immediately. Also, for network administrators, patch management is at times difficult since it requires testing processes to make sure it won’t affect the network in an unfavorable way.

Using a security product that shields networks and systems from threats that leverage on vulnerabilities can help the networks and systems protected before the vulnerabilities are patched. For example, if a network administrator uses Trend Micro Deep Security, then he or she does not need to hurry to apply patch and save times until patch test has been finished.

For this specific vulnerability, users are advised to upgrade their Mozilla Firefox browser to the latest version, and to refrain from accessing untrusted links or opening emails from untrusted senders. Network administrators are also advised to maintain minimal system privilege for users.

Enterprises already using the Trend Micro Deep Security and IDF are already protected from exploits leveraging on this vulnerability, provided that they’ve applied virtual patch that includes the rule 1004722-Mozilla Firefox ‘Array.reduceRight()’ Remote Code Execution, which was released in July 2011.

Post from: TrendLabs | Malware Blog - by Trend Micro

Technical Analysis for Mozilla Firefox Array.reduceRight() Vulnerability

Microsoft issued a new batch of security bulletins for October with fixes for several vulnerabilities in software products used by millions of computer users worldwide. Eight security bulletins have been released, which include patches for 23 vulnerabilities for software such as Microsoft .NET Framework, Microsoft Silverlight, Internet Explorer, Microsoft Forefront United Access Gateway, and Microsoft Host Integration Server.

Six out of the eight bulletins are rated “important” while two are rated “critical.” Some of the patches indicated a required restart after updating the machine with the affected software. Users and administrators are advised to immediately address these security flaws.

Users may refer to our vulnerability page for more information.

With a plethora of devices now entering the work environment, consumerization proves to be an IT nightmare and an increasing security risk, especially in terms of making sure all devices connected to the network are updated accordingly. With that, a lack of strategy could prove devastating and user-liable devices can get infected simply by surfing the Web or by being used in an unsecure environment. It is critical for users who bring their personal devices to their workplace to make sure that they update their systems with the latest security updates as soon as these are made available.

To learn more about Microsoft support for the affected software, more details on the security bulletins for October can be found in the vendor’s official bulletin summary.

Post from: TrendLabs | Malware Blog - by Trend Micro

Microsoft Releases Eight Bulletins for October Patch Tuesday

One of the six, a cross-site scripting (XSS) vulnerability identified as CVE-2011-2444, is reportedly being exploited in the wild. The bug is reportedly being used in targeted attacks that involve malicious links sent out to targets via email.

Adobe attributed the discovery of CVE-2011-2444 to Google, who, in response to finding the vulnerability, issued an update for the Google Chrome browser to prevent attackers from exploiting the security hole.

Users are strongly advised to apply the patches as soon as possible, especially since exploiting any of the addressed vulnerabilities can lead to either remote code execution or to information disclosure.

Note that users who utilize multiple browsers may need to separately update their other browsers. Users can visit this page for all of their browsers to check if they have the latest version of Adobe Flash Player installed and this page to update. Here is the list of Adobe Flash Player versions affected by vulnerabilities addressed by this update:

• Flash Player 10.3.183.7 and earlier
• Flash Player 10.3.183.7 and earlier for network distribution
• Flash Player 10.3.186.6 and earlier for Android
• Flash Player 10.3.183.7 and earlier for Chrome

We will update this post once we find more information about the exploit.

Post from: TrendLabs | Malware Blog - by Trend Micro

Adobe Releases Out-of-Band Patch