    Archive for June, 2012




    The month of June is turning into a very bad month for password security. Last week three major sites – LinkedIn, eHarmony, and last.fm – all suffered major leaks that put millions of user passwords online. Earlier this week, it was revealed that the game League of Legends has also suffered its own flaw, which put customer data – including passwords – out into the open.

    What have we learned about password security from these incidents? That people are still using woefully insecure passwords. Too many people are still using frightfully short passwords like 1234, or words that are too short/guessable (examples would be job or linkedin). Even some too-clever-at-first-glance passwords were cracked (name-and-site combinations like davidlinkedin and boblinkedin were found; site-related puns like leakedin and linkedout were part of the list as well).

    Attackers now have overwhelming amounts of computing power at their disposal thanks to GPUs, which can be trivially repurposed towards conducting brute-force attacks. This makes securely storing passwords a lively topic of debate that involves both security researchers and IT administrators. However, this is something that users have no control over.

    What users can do is improve the passwords they are using. Here’s our advice for how to do just that:

    • Phrases, not words. Having a longer password is an essential part of improving user passwords. Ten to twelve characters is a good start; for your most sensitive sites (like banks) longer passwords should be considered. Of course, if your passwords are really that long you should be using passphrases, not passwords. Overly long words like supercalifragilisticexpialidocious may be a bit… difficult to remember accurately. Wrong spelling is likely to result. Pick completely random (even nonsensical) phrases that you can remember in some… creative and personal way and stay away from potential passphrases that are “in the wild” like movies and other parts of today’s pop culture. For example, ZombiesWantBrains would probably not be a good password. A more suitable passphrase, as it is more random, is ComputerSwimmingMelonLamp.
    • Recycling is good. Except for passwords. Whatever you do, don’t recycle passwords. At the very least, a cracked password is likely to be added to the list of “known” passwords that would-be attackers would try first. If the user’s log-in name was compromised as well, then the attacker would have a user name+password combination that is sure to be used elsewhere. In short: don’t recycle the same password across multiple sites.

    Of course, these tips are fundamentally based around the limitations of most people’s ability to remember passwords. Password managers such as DirectPass can also help reduce the burden on users by storing the passwords for them; in addition, by storing the passwords in the cloud, they become accessible across multiple devices, whether PCs, smartphones, or tablets.
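    As an added illustration of the advice above (not code from the original post), the C program below screens a candidate password the way the two tips suggest: it rejects short or all-digit passwords and flags any password that shares a long run of characters with the site’s name, which catches name-and-site combinations and puns like davidlinkedin, leakedin and linkedout. The minimum length and the overlap threshold are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define MIN_LEN 10        /* assumed floor: "ten to twelve characters is a good start" */
#define SITE_OVERLAP 5    /* assumed: a shared run this long means the password was built from the site name */

/* Bit flags returned by check_password(); zero means nothing was flagged. */
enum { TOO_SHORT = 1, DIGITS_ONLY = 2, SITE_DERIVED = 4 };

/* Length of the longest case-insensitive run of characters shared by a and b. */
static size_t longest_common_run(const char *a, const char *b) {
    size_t best = 0, la = strlen(a), lb = strlen(b);
    for (size_t i = 0; i < la; i++)
        for (size_t j = 0; j < lb; j++) {
            size_t k = 0;
            while (i + k < la && j + k < lb &&
                   tolower((unsigned char)a[i + k]) == tolower((unsigned char)b[j + k]))
                k++;
            if (k > best) best = k;
        }
    return best;
}

/* Screen a candidate password for the site it will be used on. */
int check_password(const char *pw, const char *site) {
    int flags = 0;
    size_t n = strlen(pw);
    if (n < MIN_LEN) flags |= TOO_SHORT;
    bool all_digits = n > 0;
    for (size_t i = 0; i < n && all_digits; i++)
        if (!isdigit((unsigned char)pw[i])) all_digits = false;
    if (all_digits) flags |= DIGITS_ONLY;
    /* catches davidlinkedin, leakedin ("kedin") and linkedout ("linked") */
    if (longest_common_run(pw, site) >= SITE_OVERLAP) flags |= SITE_DERIVED;
    return flags;
}

int main(void) {
    /* constructed samples, including the ones quoted from the leak */
    const char *samples[] = {"1234", "job", "davidlinkedin", "leakedin",
                             "linkedout", "ComputerSwimmingMelonLamp"};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-26s flags=%d\n", samples[i], check_password(samples[i], "linkedin"));
    return 0;
}
```

    It does not judge whether a long phrase is a well-known quotation, so a pop-culture phrase like ZombiesWantBrains still needs a list of phrases “in the wild” to be caught.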

     



    Banks and other financial institutions have put in stricter controls in an attempt to minimize the losses that phishing attacks cause. Cybercriminals have not taken this sitting down, and have produced a new tool to automate online banking fraud — automatic transfer systems (ATSs).

    In the past, malware families like ZeuS and SpyEye used Webinject files to modify the websites of targeted organizations such as banks. A Webinject file is basically a text file of JavaScript and HTML containing the code the attacker wants inserted into the targeted websites.

    With ATS, however, attackers have taken things to the next level. Instead of merely passively stealing information, ATSs allow cybercriminals to instantly carry out financial transactions that can deplete users’ bank accounts without their knowledge. No longer needing user intervention to key in user names and passwords, ATSs allow cybercriminals to automatically transfer funds from victims’ accounts to their own without leaving traces of their presence.

    This research paper contains our preliminary research on ATSs. In the process of conducting research, we were able to find key aspects of ATS attacks, determine some known targets, and dig into the murky underground engaged in producing and selling ATSs.

    Our full findings can be seen in the research paper, “Automating Online Banking Fraud,” which you may download by clicking the image below:

    An infographic illustrating the ins and outs of this attack can be seen below:

     
    Posted in Hacked Sites, Malware



    Recently, security researcher Sergei Golubchik reported a security issue in MySQL in which an attacker could log in to a MySQL database using literally any password. With this entry, I would like to take some time to explain the issue to our customers. The problem is serious in affected systems – but the exposure surface is not very large.

    First things first: to exploit the vulnerability, all you need to know is a valid user name on the target MySQL database. The user name root would be available in most cases, but it can be any user. Once you have that, a one-liner shell script can try repeated login attempts for you. Within seconds you will see the MySQL server’s welcome message, and it will be waiting to accept your commands. The Metasploit module dumps the password hashes, and once the hashes are stolen, all the passwords can be cracked.

    The root cause of the vulnerability lies in how the hash calculated from the user-supplied credentials is checked against the stored hash. The hashes are compared using memcmp, and the code assumes the return value will be -1, 0 or 1. That assumption breaks when the binary is built with gcc, a popular C compiler, using SSE optimizations that speed up the standard library routines. Without the optimization, memcmp returns only -1, 0 or 1. With the SSE optimization, however, the return values can be higher than 1. Since the return value is stored in a bool (actually a char variable), only the last (low-order) byte is kept. If that byte happens to be 0, the authentication goes through.
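    As an added illustration of this bug class (not code from the post or from MySQL), the C program below pairs a stand-in memcmp that, like the SSE-optimized routine described above, returns values outside -1/0/1 with a check that stores the result in a char-sized bool, then shows the fixed comparison beside it. The wide_memcmp model and the sample digests are constructed assumptions; MySQL’s actual comparison code is not reproduced.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define HASH_LEN 20   /* length of a SHA-1 digest, as used by MySQL's native password scheme */

/* Constructed model (not glibc's code) of an optimized memcmp: it compares
   4-byte words and returns their numeric difference rather than -1/0/1,
   standing in for the wide-range results the post attributes to SSE builds. */
static int wide_memcmp(const uint8_t *a, const uint8_t *b, size_t n) {
    size_t i = 0;
    for (; i + 4 <= n; i += 4) {
        uint32_t wa, wb;
        memcpy(&wa, a + i, 4);
        memcpy(&wb, b + i, 4);
        if (wa != wb) return (int)(wa - wb);
    }
    for (; i < n; i++)
        if (a[i] != b[i]) return (int)a[i] - (int)b[i];
    return 0;
}

/* Flawed pattern described in the post: the int result lands in a char-sized
   "bool", so any result whose low byte is zero reads as a match. */
static bool flawed_check(const uint8_t *stored, const uint8_t *computed) {
    char matched = (char)wide_memcmp(stored, computed, HASH_LEN);  /* truncation */
    return matched == 0;
}

/* Correct pattern: keep the full int and require exact equality. */
static bool fixed_check(const uint8_t *stored, const uint8_t *computed) {
    return wide_memcmp(stored, computed, HASH_LEN) == 0;
}

/* Constructed digests: wrong_hash differs from stored_hash only in byte 1, so the
   first differing word differs only above its low byte and the difference is a multiple of 0x100. */
static const uint8_t stored_hash[HASH_LEN] = {
    0x5a,0x10,0xc3,0x7e, 0x01,0x02,0x03,0x04, 0xaa,0xbb,0xcc,0xdd,
    0x10,0x20,0x30,0x40, 0xde,0xad,0xbe,0xef };
static const uint8_t wrong_hash[HASH_LEN] = {
    0x5a,0x11,0xc3,0x7e, 0x01,0x02,0x03,0x04, 0xaa,0xbb,0xcc,0xdd,
    0x10,0x20,0x30,0x40, 0xde,0xad,0xbe,0xef };

int main(void) {
    printf("flawed check accepts wrong hash: %d\n", flawed_check(stored_hash, wrong_hash));
    printf("fixed check accepts wrong hash:  %d\n", fixed_check(stored_hash, wrong_hash));
    return 0;
}
```

    The same truncation would be invisible with a memcmp that only ever returns -1, 0 or 1, which is why the exposure depends on how the C library was built rather than on MySQL’s version alone.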

    Vulnerability Limited to Linux Systems

    Fortunately, only a small subset of MySQL versions is vulnerable. Note that the official MySQL builds are not affected. The exposure is limited to systems running on Linux whose glibc is optimized with SSE. If you are running MySQL on Windows, there’s no need to worry at all. Red Hat has officially confirmed that Red Hat Enterprise Linux (RHEL) is not vulnerable. For reference, a list of affected and non-affected platforms is available on HD Moore’s blog.

    Although this exploit is limited to specific platforms, we recommend that users regularly update their servers and observe good computing practices. The server should accept connections only from localhost or from the specific IPs that really need to communicate with it. These can be changed in the MySQL settings.

    Trend Micro customers using Deep Security should apply update 12-015 and the following two rules to detect and prevent possible use of this technique against your server.

    • 1005045 – MySQL Database Server Possible Login Brute Force Attempt
    • 1005063 – Restrict MySQL Database Access
     
    Posted in Exploits, Vulnerabilities



    We’ve been tracking and informing customers about current Black Hole Exploit Kit spam run activity and have noted that spammers are changing their methods to better achieve their goals. The most recent development is an aggressive turn in the tactics used in these spam runs, which makes infection easier. With the latest technique, users only need to open the email; the connection to the URL from which the malware is downloaded is automated.

    New Techniques to Increase Probability of Infection

    These emails differ from previous spam in that users are no longer required to click a URL before being taken to a malicious website. Reliance on users falling for social engineering has been discarded in this campaign in favor of an automated connection to malicious websites. Once the email is opened, a connection is made to a compromised website that redirects to another compromised website, and finally to the malicious website.

    The infection chain is the same as the one we observed for the Twitter and Airline Ticket Black Hole Exploit Kit spam. Some of the compromised websites have been used before; newly compromised websites are being used as well. Spammers are now using iFrames and embedded JavaScript that automatically connect to malicious websites for infection. This means infection can occur if this spam is read in email clients that support HTML and allow iFrames, such as some versions of Outlook and Outlook Express. Email clients such as Hotmail and Lotus Notes 7 and 8.5 use features such as SafeHTML to prevent infection.
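    As an added example (not Trend Micro’s code, nor any mail client’s SafeHTML implementation), the C function below counts the constructs that make an HTML message connect out or run script as soon as it is rendered, which a mail gateway or client can use to flag messages of the kind described above; the tag list and the placeholder host in the constructed sample are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Elements that fetch or run content as soon as an HTML message is rendered. */
static const char *ACTIVE_TAGS[] = {"iframe", "script", "object", "embed"};
#define N_ACTIVE (sizeof ACTIVE_TAGS / sizeof ACTIVE_TAGS[0])

/* Case-insensitive comparison of a counted token against a C string. */
static bool token_is(const char *tok, size_t len, const char *word) {
    if (strlen(word) != len) return false;
    for (size_t i = 0; i < len; i++)
        if (tolower((unsigned char)tok[i]) != tolower((unsigned char)word[i])) return false;
    return true;
}

/* Count constructs that act without a click: the tags above and any
   on*= event-handler attribute. Zero means the markup is inert. */
int count_active_content(const char *html) {
    int hits = 0;
    const char *p = html;
    while ((p = strchr(p, '<')) != NULL) {
        p++;
        if (*p == '/' || *p == '!') continue;      /* closing tags, "<!--" and "<!DOCTYPE" openers */
        const char *name = p;
        while (isalnum((unsigned char)*p)) p++;
        for (size_t t = 0; t < N_ACTIVE; t++)
            if (token_is(name, (size_t)(p - name), ACTIVE_TAGS[t])) hits++;
        while (*p && *p != '>') {                  /* walk the attributes */
            while (*p && *p != '>' && !isalpha((unsigned char)*p)) p++;
            const char *attr = p;
            while (isalnum((unsigned char)*p) || *p == '-') p++;
            if (p - attr > 2 && tolower((unsigned char)attr[0]) == 'o' &&
                tolower((unsigned char)attr[1]) == 'n' && *p == '=') hits++;
            if (*p == '=') {                       /* skip the value, honouring quotes */
                p++;
                if (*p == '"' || *p == '\'') { char q = *p++; while (*p && *p != q) p++; if (*p) p++; }
                else while (*p && *p != '>' && !isspace((unsigned char)*p)) p++;
            }
        }
    }
    return hits;
}

int main(void) {
    /* Constructed sample in the shape described above; the host is a placeholder. */
    const char *sample =
        "<html><body onload=\"go()\"><p>Your ticket is attached.</p>"
        "<IFRAME src=\"http://compromised-site.example/\" width=\"1\" height=\"1\"></IFRAME>"
        "</body></html>";
    printf("active constructs in sample: %d\n", count_active_content(sample));
    return 0;
}
```

    A client that strips everything this function counts before rendering behaves like the SafeHTML-protected clients named above; one that renders it as-is is the exposed case.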

    Sample of Latest Turn – No Click, Automated Connection to Malicious Site

    The following is a sample of this new type of Black Hole Exploit Kit spam:

    The following is the infection chain:

    We are continuously monitoring and ensuring effective solutions for these spam runs. As we’ve pointed out in our previous post, there is a better way of handling Black Hole Exploit Kit than focusing on the infection point. In an upcoming blog post, we will discuss the effectiveness of our solution to this threat in more detail. Trend Micro™ Smart Protection Network™ blocks Black Hole Exploit Kit spam, detects and removes malware associated with Black Hole Exploit Kit infections, and blocks access to malicious URLs and website redirections.

     
    Posted in Bad Sites, Exploits, Malware, Spam



    Apart from the regular monthly patch release Microsoft issued yesterday, which included a patch for a relatively large number of vulnerabilities in Internet Explorer (MS12-037), Microsoft also reported another IE vulnerability that has no patch available yet. MS Security Advisory (2719615) specifically identifies Microsoft XML (MSXML) Core Services as the vulnerable component. MSXML provides a set of W3C-compliant XML APIs that allow developers to use JScript, VBScript and Microsoft development tools to build applications conforming to the XML 1.0 standard.

    A remote code execution vulnerability exists in Microsoft XML Core Services, caused by accessing a COM object in uninitialized memory. When successfully exploited, it allows an attacker to execute arbitrary code in the context of the logged-on user.

    As mentioned above, MSXML Core Services also provides a set of APIs for accessing certain COM objects that simplify Document Object Model tasks such as managing namespaces. An attacker can craft a website hosting a malicious webpage that invokes the affected MSXML APIs, which in turn access a COM object in memory that has not been initialized. The vulnerability is triggered when a user opens such a crafted webpage using IE. Users might stumble upon these pages via clickable links in a specially crafted email or instant message.

    Trend Micro Deep Security customers should apply the rule 1005061 – Microsoft XML Core Services Remote Code Execution Vulnerability (CVE-2012-1889) to block access to websites serving malicious webpages that invoke the affected MSXML COM objects through the vulnerable JavaScript methods. In addition, protection for the vulnerabilities in MS12-037 is listed on this Threat Encyclopedia page. Both rules are also available for OfficeScan with the Intrusion Defense Firewall plugin.

    We are investigating reports of attacks where these two vulnerabilities are supposedly being used. This entry will be updated for developments on the investigation.

    Update as of 2:38 PM PST

    Trend Micro detects and removes the malware JS_DLOADER.HVN, which is found to exploit the vulnerability in MS Security Advisory (2719615). More information on the malware will be posted in succeeding updates.

    Update as of June 14, 2012, 7:51 AM PST

    The malware JS_LOADER.HVN is found to exploit the vulnerability CVE-2012-1875, which is patched in the MS12-037 bulletin. This malicious script downloads other malware onto affected systems. Trend Micro users are protected from infections by this malware.

    Update as of June 15, 2012, 1:37 AM PST

    • The initially given detection name (JS_DLOADER.HVN) has been replaced with JS_LOADER.HVN.
    • JS_LOADER.HVN exploits CVE-2012-1875 and not CVE-2012-1889, as stated in the previous update.
     
    Posted in Malware, Vulnerabilities


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice