CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts

Archive for the ‘Mass Web Attacks’ Category

Apple Plugs Java Hole After Flashback Trojan Creates 550,000 Strong Mac Botnet

Thursday, April 5th, 2012

Apple released a security update for OS X Java on Tuesday, plugging a security vulnerability exploited by the latest Flashback Trojan. The latest variant of the Mac-specific malware appeared on Monday and targeted a vulnerability in Java (CVE-2012-0507) which was patched on Windows machines more than six weeks ago.

Apple’s new version of Java for OS X 10.6 (Snow Leopard) and 10.7 (Lion) offers Mac users equivalent protection.

Doctor Web, a Russian anti-virus vendor, conducted research to determine how widely the Flashback Trojan has spread on Mac OS X. The BackDoor.Flashback botnet now encompasses more than 550,000 infected machines, most of which are located in the United States and Canada. This once again refutes claims by some experts that there are no cyber-threats to Mac OS X.

Systems get infected with BackDoor.Flashback.39 after a user is redirected to a bogus site from a compromised resource or via a traffic distribution system. JavaScript code is used to load a Java applet containing an exploit. Doctor Web’s virus analysts discovered a large number of websites containing the code; the most recently discovered ones were all subdomains of rr.nu.

According to some sources, links to more than four million compromised web pages could be found on Google search results pages (SERPs) at the end of March. In addition, some posts on Apple user forums described cases of infection by BackDoor.Flashback.39 when visiting dlink.com.

Attackers began exploiting the CVE-2011-3544 and CVE-2008-5353 vulnerabilities to spread the malware in February 2012, and after March 16 they switched to another exploit (CVE-2012-0507). Apple closed that vulnerability only on April 3, 2012.

The exploit saves an executable file onto the hard drive of the infected Mac. The file is used to download a malicious payload from a remote server and launch it. Doctor Web found two versions of the Trojan horse: attackers started using a modified version of BackDoor.Flashback.39 around April 1. Like the older versions, the launched malware first searches the hard drive for the following components:

/Library/Little Snitch
/Developer/Applications/Xcode.app/Contents/MacOS/Xcode
/Applications/VirusBarrier X6.app
/Applications/iAntiVirus/iAntiVirus.app
/Applications/avast!.app
/Applications/ClamXav.app
/Applications/HTTPScoop.app
/Applications/Packet Peeper.app

If none of these files are found, the Trojan uses a special routine to generate a list of control servers, sends an installation-success notification to the intruders’ statistics server and then queries the control server addresses in turn.

It should be noted that the malware uses a very peculiar routine for generating these addresses. It can also switch between several servers for load balancing. After receiving a reply from a control server, BackDoor.Flashback.39 verifies its RSA signature and, if the check succeeds, downloads and runs the payload on the infected machine. It can fetch and run any executable specified in a directive received from a server.

Each bot includes a unique ID of the infected machine in the query string it sends to a control server. Doctor Web’s analysts used a sinkhole to redirect the botnet traffic to their own servers and were thus able to count infected hosts.

On April 4, over 550,000 infected machines running Mac OS X were part of the botnet. These comprise only the segment of the botnet set up by means of this particular BackDoor.Flashback modification. Most infected computers reside in the United States (56.6%, or 303,449 infected hosts); Canada comes second (19.8%, or 106,379), the United Kingdom third (12.8%, or 68,577) and Australia fourth (6.1%, or 32,527).
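As an added illustration of the counting method described above (this is not Doctor Web’s code), the script below deduplicates sinkholed check-ins by bot ID and tallies unique hosts per country. The log lines, the query-parameter name `id` and the IP-to-country table are constructed stand-ins for the real traffic and a GeoIP database.

```python
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Constructed sinkhole access-log lines in combined log format. The bot's unique
# ID travels in a query parameter; the parameter name "id" is an assumption.
SINKHOLE_LOG = """\
10.0.0.1 - - [04/Apr/2012:10:01:02 +0000] "GET /search?q=x&id=A1B2C3 HTTP/1.1" 200 17
10.0.0.1 - - [04/Apr/2012:10:01:09 +0000] "GET /search?q=x&id=A1B2C3 HTTP/1.1" 200 17
10.0.0.2 - - [04/Apr/2012:10:02:00 +0000] "GET /search?q=x&id=D4E5F6 HTTP/1.1" 200 17
10.0.0.3 - - [04/Apr/2012:10:02:30 +0000] "GET /search?id=778899 HTTP/1.1" 200 17
10.0.0.4 - - [04/Apr/2012:10:03:00 +0000] "GET /favicon.ico HTTP/1.1" 404 0
this line is truncated garbage and must not break the tally
10.0.0.5 - - [04/Apr/2012:10:03:30 +0000] "GET /search?q=x&id=AABBCC HTTP/1.1" 200 17
"""

# Constructed stand-in for a GeoIP database: source IP -> ISO country code.
GEOIP = {"10.0.0.1": "US", "10.0.0.2": "US", "10.0.0.3": "CA", "10.0.0.5": "GB"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_checkins(log_text, id_param="id"):
    """Yield (bot_id, source_ip) for every request that carries a bot ID."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the count
        query = parse_qs(urlparse(m.group("path")).query)
        ids = query.get(id_param)
        if ids:
            yield ids[0], m.group("ip")


def count_bots(log_text, geoip):
    """Return (unique_hosts, Counter of country -> unique hosts).

    A bot polls repeatedly and may rotate between several control-server
    addresses, so requests are deduplicated on the bot ID, not counted raw.
    """
    first_seen = {}
    for bot_id, ip in parse_checkins(log_text):
        first_seen.setdefault(bot_id, geoip.get(ip, "??"))
    return len(first_seen), Counter(first_seen.values())


def country_shares(log_text, geoip):
    """Return [(country, hosts, percent)] ranked like the report's table."""
    total, by_country = count_bots(log_text, geoip)
    if not total:
        return []
    return [(c, n, round(100.0 * n / total, 1)) for c, n in by_country.most_common()]


if __name__ == "__main__":
    total, _ = count_bots(SINKHOLE_LOG, GEOIP)
    print(f"unique infected hosts: {total}")
    for country, hosts, pct in country_shares(SINKHOLE_LOG, GEOIP):
        print(f"  {country}: {hosts} ({pct}%)")
```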

In related news, Mozilla introduced changes in Firefox on Monday that will block older versions of Java that harbour critical vulnerabilities, specifically the increasingly infamous CVE-2012-0507 security flaw. “Blocklisting” forbids outdated plugins from running, unless specific approval is given. Mozilla has only introduced the technology into Windows versions of its open-source browser software, leaving Mac users without the added safety net.

Java is not needed to surf the net, with the exception of applications on some e-banking websites. Security firms – including F-Secure, Sophos and others – have begun advising users to disable the technology in their browsers as a largely unnecessary security risk.

Credit: The Register
Credit: news.drweb.com

Free Malware Scanning Service SiteInspector Launched By Comodo

Wednesday, April 4th, 2012

Security solutions provider Comodo released a free service called SiteInspector, designed to scan websites for pieces of malware and compare them against a range of blacklisting services, such as the ones offered by Google Safe Browsing, PhishTank or Malwaredomainlist.

Drive-by-download malware attacks launched from websites that fall victim to mass infections are very common these days. SiteInspector lets users choose three pages on a domain that they want monitored. If the service identifies any trace of malicious elements, the customer is immediately notified via email.

In these situations, one of the main problems is that the owner doesn’t even know that his site has been altered to serve malware. Another issue is that once the site is infected, blacklisting services such as the one run by Google will restrict its traffic, a measure that can have devastating consequences for the business.

This is why security firms come up with such tools and services. SiteInspector can take that burden off the administrator’s shoulders and automate the malware scanning and blacklist monitoring process.

“SiteInspector dramatically reduces the time between problem identification to problem resolution for business websites,” Melih Abdulhayoglu, Comodo CEO and chief architect, revealed. “No longer will businesses have to wait for angry customers to complain that their website contains malicious content. To take advantage of this essential service, webmasters just need to take a few minutes to sign up and configure the service. SiteInspector will do the rest.”

The service includes features such as automatically recurring daily scans on three webpages, daily verifications against blacklists, email notification in case of an infection, threat mitigation advice in the situation where a malicious element is found, and an easy-to-use interface for users.

Website owners and administrators can sign up for the service right away at siteinspector.comodo.com.

Credit: Softpedia.com News

Mass SQL Injection Attack Infects Over 28,000 Pages, Including iTunes Podcast

Wednesday, March 30th, 2011

A new mass injection attack has infected over 28,000 pages and even made its way to iTunes according to security researchers from Websense.

Dubbed LizaMoon, after the domain hosting the malicious code, the attack uses SQL injection techniques to insert a rogue script element. Users who land on one of the compromised pages get redirected through several domains and finally land on a scareware site.

These sites mimic antivirus scans and tell visitors their computers are infected with malware in an attempt to convince them to download fake security programs. The programs display even more false warnings and ask users to pay for a license in order to clean their machines.

One interesting aspect of this attack is that malicious code also landed on iTunes podcast pages, although in a form that is harmless.

“The way iTunes works is that it downloads RSS/XML feeds from the publisher to update the podcast and list of available episodes. We believe that these RSS/XML feeds have been compromised with the injected code,” says Patrik Runald, senior manager for security research at Websense.

“The good thing is that iTunes encodes the script tags, which means that the script doesn’t execute on the user’s computer. So good job, Apple,” he adds.

Mass injection attacks are a common malware infection vector. The hackers exploit the trust users associate with the infected sites in order to push scareware or launch drive-by downloads.

In other circumstances, the search engine rank of compromised sites can be exploited to poison search results for popular keywords with malicious links in what is known as black hat SEO attacks.

Users are strongly advised to always surf with an up-to-date antivirus program capable of scanning Web traffic and to remain vigilant on all websites, regardless of whether they have used them before.

Credit: Softpedia.com News

OpenX.org Used As An Intermediary For Malware, Possibly Spreading Exploits And Trojans

Saturday, January 8th, 2011

According to notifications from Google’s Safe Browsing service, openx.org, home to a leading open source ad server package, might be used as an intermediary for malware. In addition to developing the actual OpenX ad server software, the company also runs its own advertising network through which webmasters can sell advertising space on their websites.

The problem was observed by researchers from Web security company Sucuri, which provides a website integrity monitoring solution. “We are tracking a few sites that are currently blacklisted and showing a warning from Google that openx.org (home of a popular open source ad server) is the site responsible for the infection,” warns Sucuri researcher David Dede.

Indeed, the Google Safe Browsing diagnostic page for openx.org claims that “over the past 90 days, openx.org appeared to function as an intermediary for the infection of 82 site(s).”

This doesn’t mean that openx.org is hosting the malware itself, only that it is serving as a doorway. This could point to malicious ads being served via the OpenX network.

It certainly wouldn’t be the first time cybercriminals have managed to introduce malicious ads into an advertising network. Just recently there was a case where drive-by download attacks were launched via malvertizements served by Google and Microsoft.

OpenX also had malvertizing problems in the past, not through its ad network, but because of vulnerabilities in the software. Hackers exploited the security holes to compromise OpenX-based ad servers run by other websites and push malicious ads onto them.

A wave of such attacks took place in September and some of the victims included high profile sites like The Pirate Bay, Tucows, Popbitch.com, eSarcasm.com and AfterDawn.

“We are still tracking to see which ads are causing the issue, or if the openx servers themselves are compromised. If you include the tracking code from openx.org, we recommend that you check to see if there isn’t any malicious code being pushed to your users,” Sucuri advises.

Credit: Softpedia.com News

WordPress Blogs Targeted By Polymorphic Injection Attack

Wednesday, December 1st, 2010

Security researchers have identified a sophisticated mass injection attack that uses polymorphic obfuscation and has so far targeted WordPress blogs at a US-based hosting provider.

According to Fraser Howard, a principal virus researcher at Sophos, the attacks began a few weeks ago and they all seem to affect websites running the popular blogging platform. Successful infection will result in one or several .php files being dropped on the Web server in multiple WordPress directories.

However, despite the .php extension, these rogue files actually contain malicious JavaScript code obfuscated with a technique that makes every copy unique. In the security world this is known as polymorphic code and is used to evade antivirus software and intrusion detection systems.

The second step of the attack is to inject code into legitimate .js files used by WordPress, such as the jQuery library, so that the .php files are loaded along with them.

Finally, when the obfuscated JavaScript makes it onto the pages parsed by the visitors’ browsers, it generates a hidden iframe element. This element is meant to load malicious content from remote servers in an attempt to infect computers with malware.
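As an added example (not Sophos’ tooling), a baseline-and-audit check that catches the two file-level artefacts described above: a legitimate library such as jQuery whose hash no longer matches, and a dropped `.php` file whose contents are JavaScript rather than PHP. The directory layout, file contents and the JavaScript heuristic are constructed for the demonstration.

```python
import hashlib
import os
import re
import tempfile

PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)
# Constructed heuristic for JavaScript sitting where PHP should be.
JS_HINTS = re.compile(rb"\b(document\.write|eval|unescape|fromCharCode|createElement)\b")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> SHA-256 for every file under root (run on a clean install)."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def audit(root, baseline):
    """Return (issue, relative_path) findings for the tree under root."""
    findings = []
    current = build_baseline(root)
    for rel, digest in sorted(current.items()):
        if rel not in baseline:
            findings.append(("new-file", rel))
        elif baseline[rel] != digest:
            findings.append(("modified", rel))  # e.g. jQuery with a loader appended
        if rel.endswith(".php"):
            with open(os.path.join(root, rel), "rb") as f:
                head = f.read(4096)
            if not PHP_OPEN_TAG.search(head) and JS_HINTS.search(head):
                findings.append(("js-in-php", rel))  # JavaScript wearing a .php name
    for rel in sorted(set(baseline) - set(current)):
        findings.append(("missing", rel))
    return findings


def build_sample_site():
    """Constructed mini WordPress tree: clean baseline, then the described tampering."""
    root = tempfile.mkdtemp()
    js_dir = os.path.join(root, "wp-includes", "js")
    os.makedirs(js_dir)
    with open(os.path.join(root, "index.php"), "wb") as f:
        f.write(b"<?php require 'wp-blog-header.php';\n")
    jquery = os.path.join(js_dir, "jquery.js")
    with open(jquery, "wb") as f:
        f.write(b"/* jQuery (constructed stand-in for the real library) */\n")
    baseline = build_baseline(root)
    # Tampering step 1: loader appended to the legitimate library.
    with open(jquery, "ab") as f:
        f.write(b"document.write('<script src=\"/wp-includes/js/f3a9.php\"></script>');\n")
    # Tampering step 2: dropped ".php" file that is really JavaScript.
    with open(os.path.join(js_dir, "f3a9.php"), "wb") as f:
        f.write(b"var _0x=['iframe'];document.body.appendChild(document.createElement(_0x[0]));\n")
    return root, baseline


if __name__ == "__main__":
    site, clean = build_sample_site()
    for issue, path in audit(site, clean):
        print(f"{issue:10s} {path}")
```

The content heuristic fires even without a baseline, which matters when the only snapshot you have was taken after the compromise.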

“Earlier today I queried all of the sites that we have seen hit in this attack over the past 7 days, identifying almost 600,” writes Mr. Howard. “When looking at the GeoIP data for these sites I found that 97% of them were hosted by the same provider!” he adds.

The researcher also notes that the hosting provider, which he intentionally doesn’t name, was involved in similar incidents in the past.

When considering this and the fact that even WordPress installations running the latest version were affected, there is a strong possibility that the vulnerability lies with the company’s own infrastructure and not the blogging platform itself.

Credit: Softpedia.com News, Sophos Naked Security Blog

Anonymous DDoS Attack Against AFACT Affected Almost 8000 Unrelated Websites

Tuesday, September 28th, 2010

The Distributed Denial of Service (DDoS) attack launched by Anonymous against the Australian Federation Against Copyright Theft (AFACT) yesterday has ended up affecting almost 8,000 unrelated websites.

Operation Payback, the DDoS campaign led by Anonymous against anti-piracy groups and entertainment industry associations, is now over a week old.

Since September 18th, when the coordinated attacks started, the group has hit websites belonging to the Motion Picture Association of America (MPAA), the Recording Industry Association of America (RIAA), the International Federation of the Phonographic Industry (IFPI), the British Phonographic Industry (BPI) and the Dutch Bescherming Rechten Entertainment Industrie Nederland (BREIN).

Two UK-based law firms and an Indian company called Aiplex Software involved in anti-piracy efforts have also been attacked. In fact, the actions of Aiplex, which openly admitted to DDoSing torrent sites on behalf of film studios, are what triggered this retaliation from Anonymous in the first place.

Yesterday the group turned its weapons against the Australian Federation Against Copyright Theft (AFACT), whose website quickly went offline under the flood of requests.

However, the attack also affected AFACT’s hosting provider, a company called Netregistry, which offers similar services to many Australian businesses and government agencies. “A DDoS attack began to take place at approximately 8:30AM AEST, with a group of hackers attacking the firewall by flooding it with connections attempting to take down all servers.

“They had achieved success in disabling all access to some of the client facing services behind the firewall,” an announcement posted on the company’s website, reads.

The hosting provider summed up the damage by saying that “Websites running on the Zeus cluster (PHP clients not utilising Apache) experienced timeouts, webmail connections experienced timeouts and some other errors [and] access to TheConsole [control panel] was slow to none.”

According to Panda Security, which monitored most attacks since Operation Payback started, afact.org.au suffered three separate service interruptions and a total downtime of 4 hours and 27 minutes.

Credit: Softpedia.com News

Number Of Infected Websites Almost Doubled During The Second Quarter

Thursday, September 16th, 2010

According to Web security vendor Dasient, 1.3 million websites were infected by almost 200,000 different threats during Q2 2010. The quarter marks a significant spike in the number of infected websites – almost double the number of the previous quarter.

“Hackers have been very busy and are constantly coming up with new attacks,” the vendor writes in its latest quarterly report. In addition, the company points out that this is the first quarter when the number of infected websites has passed the one million mark.

The second quarter was also significant because of the large number of new unique infections – over 58,000, of which 43,000 were JavaScript and 15,000 IFrame injections.

Overall, the number of JavaScript injections grew by 19% while that of malicious IFrames decreased by 11%, clearly suggesting that attackers favor the former. Injected JavaScript has access to the DOM elements in the rest of the page, giving attackers more information and more capability to ‘muck’ with the page.

“Scripts sourced in via IFRAMEs, by comparison, do not have the capability to access or communicate with the rest of the page,” the Dasient researchers explain.

The number of attacks that involve malicious advertisements was also on the rise. The company estimates that 1.6 million malvertisements are served on a daily basis, which is an increase of 20% over a mid-Q2 estimate. In addition, the lifespan of malvertizing campaigns has increased by over 50% and is now 11.5 days. A tendency to launch such attacks during weekends has also been observed.

The main issues leading to malicious code injections appear to be structural vulnerabilities. According to Dasient’s findings, 75% of websites use remote JavaScript widgets, 42% use external advertising services and 91% use outdated third-party applications.

A noteworthy increase in the number of malicious .info domains was also recorded; however, .com and .cn remain the TLDs preferred by attackers.

Credit: Softpedia.com News

Tucows Falls Victim To OpenX-Based Malvertizing Attack After The Pirate Bay, eSarcasm And AfterDawn

Thursday, September 16th, 2010

Tucows is the latest victim of hackers who exploit a recent OpenX vulnerability to push malicious code onto legitimate websites in the form of advertisements. The vulnerability, in a component of the OpenX advertising platform, has been exploited to tamper with ad serving on multiple websites, including The Pirate Bay, eSarcasm and AfterDawn.

The affected component, called Open Flash Chart 2, is developed by a third party, but has been included by default in OpenX since last December. Malvertizements are ads riddled with malicious code, which either exploit vulnerabilities in outdated software to install malware or promote rogue applications (scareware).

According to a recent report from Web security vendor Dasient, as much as 1.6 million malvertisements are served on a daily basis to Web users.

Researchers from ParetoLogic report that the software download website Tucows is the latest addition to the list and was found serving a drive-by-download-type exploit from advertise.tucows.com.

The malicious code was being loaded from external domains registered to an address in Russia and targeted the Microsoft Windows Help Center vulnerability patched earlier this year. Successful exploitation led to a variant of the Bredolab trojan being installed on the victim’s computer. This threat is known as a distribution platform for rogue antivirus programs.

Andy Walker, Tucows General Manager, confirmed for ParetoLogic that the incident was the result of hackers compromising the OpenX server used by the company to deliver ads. “We detected the intrusion, patched the vulnerability in OpenX and resolved the issue quickly,” the company representative noted.

OpenX is a popular open source platform that allows webmasters to sell and serve ads without signing up for third-party hosted services like Google AdSense. Two days ago the OpenX development team released version 2.8.7 of the application to patch the vulnerability that enabled this and the previously mentioned attacks.

“It has been brought to our attention that there is a vulnerability in the 2.8 downloadable version of OpenX that can result in a server running the downloaded version of OpenX being compromised.

“To avoid this issue, we recommend that all users immediately upgrade their systems to 2.8.7,” the developers write in a post on the project’s official blog.

Credit: Softpedia.com News

Thousands Of Websites Distribute Scareware After Mass Injection Attack, BlueHost, DreamHost, Bizland, GoDaddy Affected

Tuesday, September 7th, 2010

A new mass injection attack has compromised tens of thousands of websites with code that directs visitors to rogue antivirus programs. The attack was detected and reported by security researchers from Websense, a provider of Web and email security solutions.

“Websense ThreatSeeker Network detected this large-scale break out of the campaign recently. The targets are four well-known Web hosting providers: BlueHost, DreamHost, Bizland and Go Daddy,” the Websense experts note.

During last week the number of affected sites varied from 22,000 to almost 39,000 depending on the day, with BlueHost being the most affected hosting company. Statistics compiled by Websense reveal that BlueHost accounted for 38% of compromised sites and was followed by DreamHost with 28%, BizLand with 19% and Go Daddy with 12%.

The attack involves a rogue “script” element being added just before the end of the page body, with the src attribute loading content from several remote addresses.

This external code checks if the user was targeted before and if not it redirects them to websites in the .co.cc domain space, which display fake antivirus warnings commonly associated with scareware campaigns.

The purpose of these bogus alerts is to convince users to install a rogue antivirus program, which then bombards them with fictitious warnings in an attempt to trick them into paying license fees.
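An added example, not from Websense, Sophos or Apple, that scans a page for the two injection artefacts described in the LizaMoon, WordPress and Websense articles above: external script elements whose host is not on an allowlist, and zero-size or hidden iframes. The sample pages and host names are constructed; the encoded variant shows why iTunes’ entity-encoding of the injected tags kept them from executing.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: rogue script element just before </body> (the Websense
# pattern) plus a zero-size iframe (the WordPress pattern). Hosts are invented.
INJECTED_PAGE = """<html><head>
<script src="https://cdn.example.com/jquery.js"></script></head>
<body><p>Welcome</p>
<iframe src="http://bad.example.net/x.php" width="0" height="0"></iframe>
<script src="http://rogue.example.org/ur.php"></script></body></html>"""

# Constructed sample: the same injected tag, entity-encoded the way iTunes
# rendered the compromised feed text, so the browser shows it as literal text.
ENCODED_PAGE = """<html><body><p>&lt;script src="http://rogue.example.org/ur.php"&gt;&lt;/script&gt;</p></body></html>"""


class InjectionScanner(HTMLParser):
    """Collect external script elements and hidden iframes from an HTML page."""

    def __init__(self, allowed_hosts):
        super().__init__()  # convert_charrefs=True: entities become plain text
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []            # (kind, src, line_number)
        self.encoded_script_text = 0  # "<script" seen as text, not as a tag

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script" and a.get("src"):
            host = urlparse(a["src"]).hostname
            if host and host.lower() not in self.allowed_hosts:
                self.findings.append(("external-script", a["src"], self.getpos()[0]))
        elif tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                      or "display:none" in style or "visibility:hidden" in style)
            if hidden:
                self.findings.append(("hidden-iframe", a.get("src", ""), self.getpos()[0]))

    def handle_data(self, data):
        # Entity-encoded tags arrive here already unescaped, as text the browser
        # would display rather than execute; count them separately.
        if "<script" in data.lower():
            self.encoded_script_text += 1


def scan_html(html, allowed_hosts):
    """Return (findings, count of script tags that were only text) for one page."""
    parser = InjectionScanner(allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings, parser.encoded_script_text


if __name__ == "__main__":
    for name, page in (("injected", INJECTED_PAGE), ("encoded", ENCODED_PAGE)):
        findings, encoded = scan_html(page, ["cdn.example.com"])
        print(name, findings, "script tags present only as text:", encoded)
```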

Two of the malicious domains involved in this attack, whereisdudescars.com and losotrana.com, have participated in a similar mass compromise back in July.

It is highly likely that the same individuals are behind both campaigns. According to Websense, the domains “were registered between May and July by the same person using two free mailboxes.”

Cybercriminals use automatic tools to scan the IP spaces of major hosting companies for vulnerable websites and infect them all at once to target as many users as possible.

Credit: Softpedia.com News

Multiple TechCrunch Websites Compromised, Infect Visitors With Malware

Tuesday, September 7th, 2010

Several websites from the TechCrunch Network, including TechCrunch Europe, MobileCrunch and CrunchGear, fell victim to a code injection attack which served malware to visitors. Founded in 2005, TechCrunch is one of the most popular technology blogs on the Internet and has since evolved into a network of websites operated by the same organization.

Yesterday users started receiving malware warnings from their browsers and antivirus programs when accessing several of these sites.

TechCrunch Europe confirmed the problems on eu.techcrunch.com via its Twitter feed. “We’re aware of the (annoying) malware warning about the @TCEurope site, thanks everyone. Trying to fix ASAP,” the announcement read.

The warnings were caused by malicious JavaScript code injected into the website’s pages, which was loading an exploit kit hosted on an external domain. The exploits tried to infect visitors with a version of the Zbot trojan, which is commonly used by cybercriminals to steal online banking credentials, credit card details and other sensitive information.

In addition to TechCrunch Europe, MobileCrunch (mobilecrunch.com) and CrunchGear (crunchgear.com) were also affected. The compromises were part of a larger mass injection attack targeting sites hosted at RackSpace.

The corresponding Google Safe Browsing diagnostic pages reveal that all three websites were hosting suspicious content yesterday.

TechCrunch uses WordPress as a platform across its network, but the same infection was reported on sites running Drupal, pointing to a problem within the hosting environment and not the Web applications themselves.

“Ideally TechCrunch will post a message on its site (on the TechCrunch Europe site, at least) informing users about the incident and advising that they check their PCs with an up-to-date anti-virus.

“I don’t see any message to that effect yet on that site – but I’m hopeful,” Graham Cluley, senior technology consultant at Sophos, commented.

Credit: Softpedia.com News