    Archive for April 28th, 2014

    The recent Internet Explorer and Flash zero-days were not the only zero-day threats that hit recently. Last Friday, the Apache Struts group released an advisory (S2-021) detailing two vulnerabilities (CVE-2014-0112 and CVE-2014-0113), and potential mitigation steps until an official patch is issued.

    Apache Struts is a framework used to build and deploy Java-based web applications. In Apache Struts 2, most of the core functionality is implemented as Interceptors. These can execute code before and after an Action is invoked, and each Interceptor can be mapped to one or more Actions. Two security issues exist in Struts 2 due to improper handling of user-supplied parameter values by ParametersInterceptor and CookieInterceptor.

    • CVE-2014-0112 was due to an incomplete security fix for another recent vulnerability, CVE-2014-0094, which was reported in early March and discussed in S2-020. The vulnerability is caused by improper handling of class parameter values in the ParametersInterceptor class, which map directly to the getClass() method. Successful exploitation allows remote attackers to manipulate the ClassLoader objects used by the application server and leads to arbitrary code execution. ParametersInterceptor is one of the built-in Struts interceptors; it sets all request parameters on the value stack and has them evaluated.
    • CVE-2014-0113 is similar to the previous vulnerability. CookieInterceptor is another built-in Interceptor used to set values in the stack/action based on cookie name/value. The Java ClassLoader objects can be manipulated via CookieInterceptor, just as with ParametersInterceptor, when it is configured to accept all cookies (when "*" is used to configure the cookiesName param).

    Both these vulnerabilities affect Apache Struts versions from 2.0.0 until It is strongly advised that Struts users upgrade to Struts Otherwise, the user can exclude the class parameter from the default configuration as given below.

    <interceptor-ref name="params">
        <param name="excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
    </interceptor-ref>
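    The value of excludeParams is a comma-separated list of regular expressions, and a parameter whose name matches any of them is dropped before ParametersInterceptor puts it on the value stack. The following script is an added example (not code from the advisory or from the Struts project) that applies that list to a constructed set of request parameter names so a defender can verify which names the mitigation blocks. It assumes that Struts applies each pattern as a whole-name match (approximated here with Python's re.fullmatch) and that Java and Python regex semantics agree for these particular patterns; both are assumptions, not facts taken from the advisory.

```python
import re

# The excludeParams list from the S2-021 mitigation, split on its commas.
# Straight quotes are used here; the copy on the page had curly quotes.
EXCLUDE_PARAMS = [
    r"""(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*""",
    r"^dojo\..*",
    r"^struts\..*",
    r"^session\..*",
    r"^request\..*",
    r"^application\..*",
    r"^servlet(Request|Response)\..*",
    r"^parameters\..*",
    r"^action:.*",
    r"^method:.*",
]
COMPILED = [re.compile(p) for p in EXCLUDE_PARAMS]


def is_excluded(name: str) -> bool:
    """Return True if a parameter name matches any exclude pattern.

    Assumption: Struts treats each pattern as a whole-name match, so
    re.fullmatch is used rather than re.search.
    """
    return any(p.fullmatch(name) for p in COMPILED)


def filter_params(params: dict) -> tuple[dict, list]:
    """Split a request's parameters into those the interceptor would keep
    and the names it would reject under the excludeParams list."""
    accepted = {}
    rejected = []
    for name, value in params.items():
        if is_excluded(name):
            rejected.append(name)
        else:
            accepted[name] = value
    return accepted, rejected


# Constructed sample request parameters (hypothetical names, not captured
# traffic). The 'class.classLoader' prefix is the one named by DPI rule
# 1006015; the other spellings test the case and bracket variants the
# first pattern is written to cover, plus benign look-alikes.
SAMPLE_PARAMS = {
    "userName": "alice",
    "class.classLoader.x": "1",
    "Class.classLoader.x": "1",
    "user.class.x": "1",
    "['class'].x": "1",
    "classroom": "101",
    "subclass": "B",
    "dojo.preventCache": "1",
}

if __name__ == "__main__":
    accepted, rejected = filter_params(SAMPLE_PARAMS)
    print("accepted:", sorted(accepted))
    print("rejected:", sorted(rejected))
```

    Run it to see that every name reaching getClass() (directly, via a nested property, or via the bracket form) is rejected, while ordinary names that merely contain the substring "class", such as classroom or subclass, are still accepted; the first pattern requires a separator after the word, which is why the look-alikes survive.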


    We have released the following new deep packet inspection (DPI) rules to protect against exploits leveraging these vulnerabilities:

    • 1006015 – Restrict Apache Struts ‘class.classLoader’ Request
    • 1006029 – Restrict Apache Struts ClassLoader Manipulation Via HTTP Cookie Header
    Posted in Vulnerabilities: "Season of Zero-Days: Multiple Vulnerabilities in Apache Struts"

    Adobe has released a security advisory regarding a zero-day vulnerability (CVE-2014-0515) found in the program Adobe Flash. According to the advisory, the updates pertain to “Adobe Flash Player and earlier versions for Windows, Adobe Flash Player and earlier versions for Macintosh and Adobe Flash Player and earlier versions for Linux.”

    Adobe has also acknowledged that an exploit for this zero-day exists, targeting Flash players on the Windows platform. If exploited, the zero-day could allow a remote attacker to take control of the system.

    Users should install the update as soon as they can. They can check the version of Flash installed through a page on the Adobe website. Updates for Flash in Internet Explorer and Google Chrome are applied automatically, but you may need to restart the browser. Users who rely on a browser other than Internet Explorer will need to install the update twice (once for IE and once for the other browser). Microsoft has also released a security advisory related to this vulnerability. For downloading updates, we encourage users to rely on Adobe's official site, as fake "Adobe updates" are often used by bad guys to deliver malware and other threats to users.

    We will continue to monitor this threat and provide new information as necessary.

    Update as of May 2, 2014, 4:00 AM PDT

    We have obtained samples of this attack in the wild. We detect these malicious files as SWF_EXPLOIT.RWF. We believe that this is being used in targeted attacks, as a specific version of Cisco MeetingPlace Express has to be installed for this attack to work.

    In addition to detecting these malicious files, our browser exploit prevention technology (present in Titanium 7) has rules that proactively detect websites that contain exploits related to this vulnerability. Products with the ATSE (Advanced Threats Scan Engine), such as Deep Discovery, have heuristic rules which detect attacks using this vulnerability. These attacks are detected as HEUR_SWFJIT.B with ATSE pattern 9.755.1107 since April 22.

    Update as of May 07, 2014, 10:48 P.M. PDT

    Trend Micro Deep Security and OfficeScan Intrusion Defense Firewall (IDF) have released new deep packet inspection (DPI) rules to protect against exploits leveraging this vulnerability:

    • 1006031 – Adobe Flash Player Buffer Overflow Vulnerability (CVE-2014-0515)
    • 1006044 – Restrict Adobe Flash File With Embedded Pixel Bender Objects

    5:54 am (UTC-7)

    The Russian Underground has been around (in an organized manner) since 2004, and has been used both as a marketplace and as an information exchange platform. Some well-known centers of the Russian underground include zloy.org, DaMaGeLab, and XaKePoK.NeT. Initially, these forums were used primarily to exchange information, but their role as marketplaces has become more prominent.

    Many parts of the Russian underground today are highly specialized. A cybercriminal with ties to the right people no longer needs to create all his attack tools himself; instead he can buy them from sellers that specialize in specific products and services. For example, there are groups that do only file encryption, or DDoS attacks, or traffic redirection, or traffic monetization. Groups that specialize in one of these items do what they do best and produce better, more sophisticated products.

    Perhaps the most popular product in the Russian underground economy today is traffic and various traffic-related products. Examples include traffic detection systems (TDSs), traffic direction, and pay-per-install (PPI) services. This purchased Web traffic not only increases the number of cybercrime victims; it may also be used to gather information about potential targeted attack victims.

    Like any other economy, the Russian underground follows the laws of supply and demand. As we mentioned last week, the prices of underground goods have dropped across the board. This is generally because of the increased supply of these goods: for example, stolen American credit cards are widely available, and as a result their price has fallen. This is evident in the following chart of stolen credit card prices:

    Figure 1. Prices for stolen credit cards

    The same is true for stolen accounts:

    Figure 2. Prices for hacked accounts

    With falling prices, however, comes a loss in reliability: goods or services are not always as high-quality as advertised. Sometimes, escrow providers (known as garants) are used to try and give both parties (buyer and seller) reassurances that neither party is scamming the other.

    Today, we released our updated look at the Russian Underground, titled Russian Underground Revisited. This is an update to our earlier paper discussing the items which are bought and sold in various parts of the Russian underground. For this edition, we have clearly outlined the products and services being sold and what their prices are. In addition, we discuss the changes since the original paper to highlight the continued evolution of the cybercrime threat landscape.

    This is part of the Cybercrime Underground Economy Series of papers, which take a comprehensive view of various cybercrime markets from around the world.
