The year is already halfway through, and June was quite a busy month, filled with malware in disguise, compromised websites and a couple of application vulnerabilities. One highlight of the month is the attack on legitimate Italian websites through the use of web threat toolkits.
TROJ_PROXY.AFV. Arriving in a spammed email, this Trojan takes the subject and content of its email from real news headlines, unlike most spammed messages, which rely on bogus events to capture the user’s attention. This calls to mind WORM_NUWAR’s tactic of parsing news-related websites to gather keywords for the emails it sends out.
TROJ_AGENT.JPO. Last May we discovered a malware that leveraged social engineering by pretending to be a Microsoft Security Console. This June we saw a similar thing in the form of TROJ_AGENT.JPO, which arrives in a spammed email disguised as a Microsoft Security Update.
TROJ_STARTPA.QC and TROJ_DROPPER.HRZ. Both of these malware are hosted on websites that mimic the download sites for WinRAR and Adobe Shockwave Player respectively. Although the Trojans do not download themselves onto the user’s system automatically, the look and feel of a trusted website removes any doubt on the user’s part that what (s)he is downloading could be malicious, making the ruse as effective as any technological exploit. Crafting a message or a webpage in the likeness of trusted sources and institutions is fast becoming the norm in today’s malware social engineering.
Web Threats: Compromised Websites
NEFCC Website Compromised. This website belongs to the Nigerian Economic and Financial Crime Commission, a law enforcement agency that investigates terrorism, cybercrime, scams and financial fraud within its region. Its website was compromised this June, and visitors would find a number of Trojans installed on their systems simply by viewing the front page. It’s an interesting case because the compromised site belongs to an organization that investigates cybercrime; it is quite possible that cybercriminals are retaliating against such institutions.
Another Italian Job. More than 3,000 Italian websites were compromised this June, reminiscent of the Linkoptim attack earlier this year. Legitimate websites were hacked and their HTML content modified to include an IFRAME tag that could redirect the user to a malicious website, which would in turn download Trojans onto their systems. So many websites were compromised in a relatively short time primarily because of MPACK, a web threat toolkit that can be used to hack into websites. Several days after the initial attack, more web threat toolkits were uncovered, namely this one and this one.
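A webmaster checking whether a page has been tampered with in the way described above (an injected IFRAME pointing at a third-party host) can scan the served HTML for frames that are both off-site and trying to stay invisible. The script below is an added example and not part of the original post or any vendor tool; the sample page, the host names and the `scan_html`/`is_suspicious` helpers are constructed for illustration, and the heuristics (off-site `src` combined with a one-pixel size or `display:none`) are a starting point, not a complete signature.

```python
"""Flag suspicious <iframe> tags of the kind used in mass website
compromises: tiny or hidden frames pointing at a third-party host.
Added example, not part of the original post; sample HTML and host
names below are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value may be None
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _to_int(value):
    """Parse a width/height attribute such as '0', '1px' or '100%'."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return int(digits) if digits else None


def is_suspicious(attrs, site_host):
    """Return the reasons an iframe looks injected (empty list if clean).

    Heuristics, from the defender's side:
      * src points at a host other than the site itself
      * frame is zero- or one-pixel sized
      * frame is hidden via CSS (display:none / visibility:hidden)
    Only iframes that point off-site AND try to hide themselves are
    reported, so ordinary off-site embeds (videos, widgets) are not flagged.
    """
    reasons = []
    src = attrs.get("src", "")
    host = urlparse(src).hostname or site_host  # relative src -> same host
    offsite = host.lower() != site_host.lower()

    w, h = _to_int(attrs.get("width", "")), _to_int(attrs.get("height", ""))
    if (w is not None and w <= 1) or (h is not None and h <= 1):
        reasons.append("tiny frame (%sx%s)" % (w, h))

    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden via CSS")

    if offsite and reasons:
        reasons.insert(0, "off-site src %s" % src)
        return reasons
    return []


def scan_html(html, site_host):
    """Return [(src, reasons)] for every iframe judged suspicious."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        reasons = is_suspicious(attrs, site_host)
        if reasons:
            findings.append((attrs.get("src", ""), reasons))
    return findings


# Constructed sample page: one legitimate video embed, one injected frame
SAMPLE_PAGE = """
<html><body>
<h1>Benvenuti</h1>
<iframe src="https://video.example.net/embed/42" width="640" height="360"></iframe>
<p>Contenuto del sito</p>
<iframe src="http://malicious.example/in.php" width="1" height="1"
        style="display: none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in scan_html(SAMPLE_PAGE, "www.example.it"):
        print(src, "->", "; ".join(reasons))
```

Run against the sample page, only the second frame is reported: the legitimate video embed is off-site but neither tiny nor hidden. In practice the same check is most useful when run against a known-good copy of the page, since a diff of the iframe list between the two is what reveals the injection.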
Yahoo Messenger Webcam Vulnerabilities and Exploits. Two vulnerabilities in Yahoo! Messenger’s webcam feature were discovered this month. A few days after the disclosure, malicious code was already in the wild, downloading Trojans once the vulnerability was exploited. Fortunately, Yahoo released an update for the application to patch the vulnerability.
Safari 3 for Windows. Apple released the third version of its web browser, Safari, this June. Just hours after its release, various security researchers discovered vulnerabilities that could allow remote code execution and denial of service attacks. Safari 3 is still in beta, and it’s likely that Apple will release another build to address the vulnerabilities.
So that’s it for the month of June. We’ve still got six more months to go in 2007, and chances are that the things we’ve seen this month will turn up again in the remaining months of the year.