::Trend Micro Threat Resource Center::

21 August 2010

Mass Drive-By Attack Used Web Widget

Attackers took a different spin on mass infection, and targeted hosting provider Network Solutions Inc.

A widespread Web attack discovered over the weekend that targeted Network Solutions Inc. customers' parked or "under construction" Web domains used a drive-by download attack more stubborn than the popular and more common mass SQL injection attacks.

The attack, which began with an infected widget on NSI's growsmartbusiness.com website for small businesses, led to a mass infection of NSI customers' reserved domains, according to researchers at Armorize who spotted the attack.

Users get infected merely by visiting a site with the infected widget. So far the researchers have seen the attack exploiting vulnerabilities in Internet Explorer. "They visit a page and end up with malware. There's absolutely no click and no user awareness of anything. They visit the page, the [exploit] attacks a vulnerability inside the browser and takes control of the browser," says Armorize's Huang.

Then the attacker writes malicious code to the disk and executes it, he says. On websites the attack had fully compromised, the researchers found evidence of a Web "shell," basically a control panel the attackers install once they have full control of the site.

"This allows you to do anything you'd like to do, insert any content," he says.

The attackers behind the drive-by attack on NSI's domains appear to be out of Asia. The attack ultimately sends users to phishing sites, Huang says. Armorize actually first saw the attack in May, when researchers found it on the Boingboing.com parked domain. "We didn't realize then that the entire NSI parked domain was infected," Huang says.

Armorize's blog posts and demonstrations of the attacks are here.

19 August 2010

7-character passwords soon to be hopelessly inadequate

The increasing processing power and the growing number of processors on graphic cards will soon make 7-character passwords "hopelessly inadequate" to withstand brute force attacks, say scientists from Georgia Tech Research Institute.

No combination of alphanumeric characters and symbols will save users who choose such a short password, because the stream processors on these cards work in parallel to process images, and that same parallelism can be turned to trying out the combinations of characters and symbols needed to discover a password in a much shorter time than ever before.

The graphics cards of today have the processing power that a decade ago only multi-million dollar supercomputers had, Richard Boyd, the leader of the team, told the BBC.

The researchers advise users to start using 12-character passwords that combine lower and upper case letters, numbers, and symbols. But ultimately, even this will not be enough. CPU power grows every year, and it's only a matter of time until users are forced to pick entire sentences as passwords.
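The arithmetic behind the "7 characters is too short" claim is simple keyspace counting: the number of candidate passwords is the character-set size raised to the password length, and the worst-case cracking time is that keyspace divided by the attacker's guess rate. The following is an added example, not code from the article or from the Georgia Tech researchers; the guess rate of one billion guesses per second is an assumed, illustrative figure (the article gives none), and the "hold out for a century" target is likewise an assumption chosen to show how length, not character-set size, dominates.

```python
"""Brute-force keyspace arithmetic for password length versus charset size.

Added example; not code from the article or from Georgia Tech Research
Institute. The guess rate is an assumed figure for illustration only.
"""

# Character-set sizes compared below. 95 is the number of printable ASCII
# characters (letters, digits, symbols and space).
CHARSETS = {
    "lowercase letters": 26,
    "lower + upper case": 52,
    "letters + digits": 62,
    "letters + digits + symbols": 95,
}

# Assumed cracking speed in guesses per second (illustrative only; the
# article gives no figure). One billion guesses/s is a round number for a
# GPU attacking a fast, unsalted hash.
ASSUMED_GUESSES_PER_SECOND = 10 ** 9

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(charset_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def worst_case_seconds(charset_size, length, guesses_per_second):
    """Seconds needed to try every password of this length at the given rate."""
    return keyspace(charset_size, length) / guesses_per_second


def human_time(seconds):
    """Render a duration in the largest unit that gives a value >= 1."""
    units = [("years", SECONDS_PER_YEAR), ("days", 86400),
             ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


def min_length_for(charset_size, guesses_per_second, required_seconds):
    """Smallest password length whose full keyspace takes at least
    `required_seconds` to exhaust at `guesses_per_second`."""
    length = 1
    while worst_case_seconds(charset_size, length, guesses_per_second) < required_seconds:
        length += 1
    return length


def comparison_table(lengths=(7, 12), guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case exhaustion time for each charset at each length, as rows."""
    rows = []
    for name, size in CHARSETS.items():
        for length in lengths:
            t = human_time(worst_case_seconds(size, length, guesses_per_second))
            rows.append((name, length, t))
    return rows


if __name__ == "__main__":
    print(f"Assumed rate: {ASSUMED_GUESSES_PER_SECOND:,} guesses/s\n")
    for name, length, t in comparison_table():
        print(f"{name:28s} {length:2d} chars: {t}")
    # Length needed so that even a full search takes a century
    # (an illustrative target, not a recommendation from the article).
    century = 100 * SECONDS_PER_YEAR
    print()
    for name, size in CHARSETS.items():
        needed = min_length_for(size, ASSUMED_GUESSES_PER_SECOND, century)
        print(f"{name:28s} needs {needed} chars to hold out for a century")
```

At the assumed rate, the full 95-character keyspace at 7 characters falls in under a day, while 12 characters from the same set takes millions of years; adding five characters buys far more than switching from lowercase letters to the full printable set at a fixed length, which is the point the researchers are making.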

Seeing how the typical user rarely listens to this kind of advice, I predict that online services will have to mandate a much higher minimum requirement for passwords. But, on the other hand, password strength is a lesser problem than phishing and social engineering schemes at the moment, and that should make user education a primary goal for security professionals.

Facebook Hacker: A dangerous tool

Phishing is known to be the weapon of choice for all cybercriminals that are after login credentials. However, a new attack tool, Facebook Hacker, has drawn the attention of ill-intentioned people in need of passwords and usernames that are not theirs. This do-it-yourself kit helps the wrongdoer steal login credentials from whoever is targeted without the victim even having to type in any of the desired credentials.

The kit is intuitive, thus extremely easy to configure, just like any do-it-yourself hack tool designed with the "skiddie" in mind. There are only two fields that need filling in: a disposable e-mail address and its password, which together define the mailbox to which the stolen information is to be delivered.

After clicking the "build" button, a server.exe file is created and deposited into the Facebook Hacker folder along with the initial files. This server.exe file is to be sent to the intended victims.

Once run, the malicious tool will snatch the victim's Facebook® account credentials, along with all the usernames and passwords that we carelessly ask the browser to remember for us. Yes, because Facebook Hacker also targets the Internet browser and Instant Messaging clients to pick up the entire list of "remembered" identification data.

In order to successfully collect passwords, the malicious binary includes applications able to squeeze data out of the most popular browsers on the market, as well as out of almost all instant messaging clients available. To add insult to injury, the application also enumerates all dialup/VPN entries on the computer and displays their logon details: User Name, Password, and Domain.

To avoid detection, Facebook Hacker will also look for all the processes related to a security suite and kill them upon detection. It is important to mention that it is equipped with a hard-coded list of processes associated with AV solutions that are to be checked and stopped, if found.

Last but not least, the piece of malware looks for network monitoring applications and terminates them. This is a safety measure that will prevent curious users from seeing their passwords leave the system.

TCP dump of the information sent by the application. Since the SMTP server uses TLS encryption, sniffed traffic will not reveal much of what's going on.

As can be seen, the author took a lot of time to think of the various elements that could interfere with the smooth operation of this tool and to eliminate them one by one.

The stolen credentials of our test accounts were mailed to the specified address. BitDefender identifies this threat as Trojan.Generic.3576478. In order to stay safe, please ensure that you are running a frequently updated antivirus utility. Also, remember not to run files you may receive as attachments or via IM, or at least to scan them beforehand.

18 August 2010

Android game hides spying application

If you have a game called Tap Snake on your Android handset and you weren't the one who installed it, you are probably getting spied on by someone who had physical access to your device.

According to F-Secure, this game is actually a client for a spying application that goes by the name GPS Spy:

Once installed and run, the game can never be exited. You think you closed it, but it continues to run in the background, restarts every time you restart your device, and every 15 minutes sends the GPS coordinates of your phone's current location to a server, where they can be accessed by the GPS Spy application on the perpetrator's mobile device.

This spying application costs only $4.99, and the author is Max Lifshin, a Texas-based Russian developer. F-Secure's Android security solution detects and blocks both the game and the spying application, but they expect Google to react soon and pull them both from the Android Market.

17 August 2010

Fake dislike button Facebook scam

Facebook users should be wary of the latest survey scam spreading virally across the network. There are a number of variations of this scam, which sees users unwittingly update their Facebook status encouraging others to get the "official Dislike button".

The scam is spreading quickly as many Facebook users have been calling for the introduction of an official "Dislike" feature which would allow them to express their opinions on other users' posts, links and updates.

Two versions of the scam have been discovered by Sophos, which involve the sharing of messages with the text: "I just got the Dislike button, so now I can dislike all of your dumb posts lol!! LINK"

and

"Get the official DISLIKE button NOW! - LINK"

The viral scam, similar to many recent survey scams, tricks users into giving a rogue Facebook application permission to access their profile; the application then silently posts and promotes the very link that tricked the user in the first place, spreading the message virally.

At this stage, the user still does not have access to the "Dislike" feature and the application finally asks them to complete an online survey which makes money for the scammers.

"This bogus feature differs from recent scams as those behind it aren't preying on users' curiosity about shocking videos or celebrity scandals. This scam is actually posing as something that many Facebook users want," said Graham Cluley, senior technology consultant at Sophos. "Facebook users should think carefully before they click on an unknown link in a friend's status update as these scams are becoming increasingly common. Giving away personal information in a survey and allowing an application access to your profile is extremely risky and Facebook users need to wise up to this rather than just clicking on links that they see, just because they appear to be from a trusted source."

13 August 2010

Microsoft Issues Record Breaking Security Update

Patch Tuesday has come and gone, and with it came the biggest Microsoft Update ever seen since they began their monthly update cycle in 2003. The Windows Operating System as well as Internet Explorer, MS Office, MS Office for Mac, MS Works, Silverlight 2 and 3, the .NET Framework and Movie Maker are all affected.

There are 14 new security bulletins released this week, 8 of which are labeled "critical" and the remaining 6 "important". These numbers do not include the shortcut-link vulnerability patch that was released last week, although the Security Bulletin Summary does list that patch with the others. Microsoft is assuring people that none of these new vulnerabilities have been seen exploited in the wild as of yet.

Of the 8 "critical" bulletins, 4 are listed as high-priority, meaning that they should receive immediate attention.

MS10-052 - This bulletin addresses a vulnerability in Microsoft's MPEG Layer-3 audio codecs. Remote code can be executed through specially crafted media files or streaming content from a website or web application.

MS10-055 - This bulletin addresses a vulnerability in the Cinepak Codec. Remote code can be executed through specially crafted media files or streaming content from a website or web application.

MS10-056 - This bulletin addresses 4 different vulnerabilities in MS Office. An attacker can gain privileges equal to that of the user if that user opens or previews a specially crafted RTF email message.

MS10-060 - This bulletin addresses 2 different vulnerabilities in the .NET Framework and Silverlight. Remote code can be executed when viewing a specially crafted web page in a browser which can run XAML Browser Applications or Silverlight Applications, or if the user runs a specially crafted .NET application.

More information on these 4 bulletins, as well as the other bulletins, can be found via the Microsoft Security Bulletin Summary for August 2010.

08 August 2010

Phishers target mobile phone users

Mobile phone users in the UK and Norway have been targeted by malicious emails purporting to come from their mobile service providers, claiming that the users have to confirm their billing information, Symantec reports.

The emails contain a link to a legitimate but compromised web page that masquerades as the page for the billing and payment services of the provider.

If the victim fails to notice the unusual URL of the page, they will be handing the phishers a great deal of personal and financial information that can be effectively used to steal their identity and their money.

After the victims have entered and confirmed the information, the page redirects them to the legitimate site of the provider, thus making the illusion complete.

07 August 2010

Microsoft Fixes Most Recent Vulnerability

Microsoft has released a non-standard update to the Windows Operating System. This unusual move was prompted by a slew of highly critical viruses taking advantage of a vulnerability in shortcut links.

On July 16, Microsoft Security Advisory (2286198) was published to Microsoft's website. It explains a problem with the way Windows handles .LNK and .PIF files, which are shortcut files pointing to programs on a computer. Basically, when the shortcut's icon was rendered, the malware referenced by the file gained access equal to that of the current user and executed malicious code with those privileges. Obviously, users who insist on running with administrative permissions were at a higher risk than those who log on with a regular account.

There are several viruses that have been exploiting this security hole. The first known use of this vulnerability was the Stuxnet worm, which spread via USB drives and stole information from computers running software from Siemens. Since then, there have been other viruses to exploit this same problem. Microsoft blogged about these viruses, including one particularly nasty one known as Sality.AT. Microsoft stated that Sality is "highly virulent," and works by infecting other files, copying itself to removable media, disabling security and finally downloading other malware onto the infected system.

Earlier this week, Microsoft released Microsoft Security Bulletin MS10-046, which is the patch to fix this particular vulnerability. This "out of band" patch came a full week before the regularly scheduled update, due to concern for customers' security. Everyone who has Automatic Updates turned on will already have the patch installed and their system secured against this particular threat. The only people who need to be concerned are those who check for updates manually and those who are still running Windows 2000 or XP Service Pack 2 or earlier, as those systems are no longer supported by Microsoft.

06 August 2010

French watchdog warns of iPhone hacker glitch

PARIS — French authorities and experts warned Thursday hackers could gain control of iPhones and other gadgets made by US tech giant Apple through the Internet, plundering users' data and tapping their calls.

"Two vulnerabilities have been discovered" in Apple's operating system for the iPhone, iPad tablet computer and iPod music player, the French government computer security agency CERTA said on its website.

Apple did not immediately respond when asked on Thursday to comment on the alert, which was issued by CERTA following a warning by experts at the computer security firm Vupen Securities.

One of the soft spots is caused by a glitch triggered when a user views data in PDF-formatted documents, they said.

Hackers could lure web users on their Apple devices onto special websites where they could exploit the PDF glitch to gain access to the device remotely, Vupen's chief executive Chaouki Bekrar told AFP on Thursday.

A second soft spot involves a data error in one of the devices' components which could allow hackers to increase their control once they have gained access to the device, he said.

The two glitches combined could allow a hacker "to access all of the information" on the device, including contacts, emails, documents and functions such as the camera, microphone and GPS navigation, CERTA said.

CERTA said the problems affected iPhones running versions 3.1.2 to 4.0.1 of Apple's operating system, iPads with versions 3.2 to 3.2.1 and iPod Touch devices with version 3.1.2 to 4.0.

"Pending corrective measures by Apple, great care is recommended while opening PDF files," for example by only opening files from known senders, the government watchdog warned.

Apple devices "are generally very secure," but "are becoming a popular target for hackers," who could tap users' telephone conversations or send messages from their mailboxes, Bekrar said.

He said the glitches were brought to light by the online service Jailbreakme which allows owners of the gadgets to download applications other than the ones sold by Apple in its official "App Store".

Facebook rolls out mobile privacy

Facebook is aware that users are becoming increasingly mobile, and to help them change their privacy settings while on the go, privacy controls are now accessible from any browser-enabled mobile device.

To modify your privacy settings, just go to m.facebook.com/privacy or to the Settings page, and choose for yourself who can see your posts, customize your granular settings and read the privacy guide, which has been formatted for mobile devices.

05 August 2010

Firefox 4.0 beta download scam on Twitter

A Twitter update hash-tagged "Firefox" spotted by Sunbelt offers a unique opportunity: follow the offered shortened link to download a cracked Mozilla Firefox 4.0 or a key generator for it.

For those who are unaware of the fact, Firefox 4.0 is currently in beta testing, and can be downloaded for free from the official Mozilla web site, so this is an offer that can't stand even a casual check.

Fortunately for the malware peddlers behind this scheme, there are always those who don't bother to check things before downloading, and this time the malicious file masquerading as the cracked version or as the key generator is a downloader Trojan.

An additional threat comes from trying to download Firefox 4.0 from the site, since pressing the button redirects the victim to another site that offers other Trojans and viruses masquerading as legitimate programs.

iPhone jailbreaking technique paves way for attacks

Since jailbreaking iPhones has been declared legal, security experts have been focusing on the techniques used and speculating about the fact that they can be used by criminals to mount attacks and compromise the devices.

A particular group of what seem to be legitimate enthusiasts has been running a site offering to jailbreak Apple devices (located at jailbreakme.com) for a couple of years now and, according to F-Secure, is currently also offering support for iOS 4. Users just need to surf to the page with their devices and run the offered drive-by script.

Security researchers have made it their business to find out just how the script works, and discovered that it uses specially crafted PDF files to first exploit a PDF font parsing vulnerability affecting Mobile Safari to execute malicious code, then a kernel vulnerability that allows the "attacker" to elevate to root privileges and break out of the sandbox.

The thing that should worry Apple users is that the same exploit could be used for decidedly malicious purposes. Also, if the vulnerability is present in the desktop installation of Safari or OS X, the target group for such an attack is even bigger than initially thought.

So far, there are no indications that the vulnerability has been misused by criminals, although I must say that it seems highly likely that it has. Jailbreaking isn't exactly a new practice, especially in countries where the devices are locked to allow their use on just one carrier.

Also, if this site has existed since 2007, and the same jailbreaking technique has been used since then, why didn't Apple fix the vulnerability sooner? The company's researchers are looking into the issue right now, but it seems impossible they didn't know about it until now.