::Trend Micro Threat Resource Center::

Showing posts with label Drive-by attack. Show all posts

24 December 2010

Fake iTunes e-mail leads to drive-by download

E-mails purportedly coming from iTunes and bearing "iTunes account may be suspended" in the subject line have been hitting inboxes in the last few days.

"Dear iTunes Customer, it is possible that your account password has been stolen. 4 different IP addresses have been used to login to your account within the last 24 hours. Please visit the bellow link and read what to do and how to contact support department," the message reads.

At first glance, this seems a typical phishing e-mail. But no - "iTunes will never ask you for your password or any confidential information," claims the e-mail, and perhaps gains the trust of some users who then proceed to click on the link.

They land on a fake Apple support page, and it doesn't ask them to share any confidential information.

But, unbeknownst to them, the site silently serves a malicious script that tries to exploit vulnerabilities in older versions of Java and Windows Help to gain access to the system and download and install malware. Users who patch their OS and software regularly are safe from this attack.

13 November 2010

Drive-By Downloads: Malware's Most Popular Distribution Method

After years of burying malicious software in email and portable storage media, attackers now favor quick downloads via legitimate websites, researchers say.

WASHINGTON, D.C. -- OWASP AppSec DC 2010 -- Why try to fool users into opening email attachments when you can simply drop a Trojan on them from their favorite websites?

That's the question many malware authors and distributors are asking -- and the obvious answer is spurring most of them to try out the emerging "drive-by download" method, according to a speaker here this week.

"What we're seeing is a fundamental change in the method of malware distribution," said Neil Daswani, CTO of Dasient, which offers a service that detects and eradicates Web-borne malware. "In the old days, we saw executable code in a static file, which was originally delivered via floppy disks and then via email attachments. Now we're seeing active content delivered via drive-by downloads at legitimate sites."

A drive-by download typically begins by injecting a Web page with malicious code, often through JavaScript, Daswani explained. The code generally invokes a client-side vulnerability to deliver shell code, such as the JavaScript-based Heap Spray attack, to take control of the user's machine. From there, the attacker can send a "downloader," which is often custom, zero-day code that isn't recognized by traditional antivirus systems.

Once the downloader is in place, the attacker can deliver his malware of choice, Daswani said. Drive-by downloads are particularly effective for delivering code that can steal end user credentials (such as Zeus), launch a fake antivirus scam (such as Koobface), steal server-side administrative credentials (such as Gumblar), steal corporate secrets (such as Project Aurora), or collect fraudulent click revenue (such as clickbot.A), he noted.

While drive-by downloads are often more effective at infecting end user devices than email attachments, they also give the attacker broader reach, Daswani observed. Drive-by downloads can be used to infect thousands of websites at once, often by hiding in common third-party devices that are distributed to many sites, such as advertisements, widgets, images, or third-party applications.

"A lot of user organizations do a great job of scanning the code they put on their own sites, but they may not scan the code they're posting from third parties," Daswani warned. "The marketing people will add an ad or a widget to a site, and the IT people may not vet it before it's posted."
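The gap Daswani describes is that third-party widgets and ads are added to a page without anyone vetting where their active content comes from. The following added example (not Dasient's product or any code from the article) shows the kind of check an IT team could run before a page goes live: it parses the HTML, lists every script, iframe, embed and object that loads from another origin, and flags origins that are not on an approved list. The sample page and the hostnames in it are constructed placeholders.

```python
"""Inventory third-party active content in a page and flag unvetted origins.

Added illustration of the vetting step the article says is often skipped;
the sample HTML and hostnames below are constructed, not from the page.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose source attribute can pull executable content from another origin.
ACTIVE_CONTENT = {
    "script": "src",
    "iframe": "src",
    "embed": "src",
    "object": "data",
}


class ActiveContentCollector(HTMLParser):
    """Collects (tag, url) pairs for every external active-content reference."""

    def __init__(self):
        super().__init__()
        self.references = []      # (tag, url) for elements with a source URL
        self.inline_scripts = 0   # <script> blocks with no src (also worth review)

    def handle_starttag(self, tag, attrs):
        attr_name = ACTIVE_CONTENT.get(tag)
        if attr_name is None:
            return
        url = dict(attrs).get(attr_name)
        if url:
            self.references.append((tag, url))
        elif tag == "script":
            self.inline_scripts += 1


def audit_page(html, page_host, approved_hosts):
    """Return the list of active-content references whose origin is neither the
    page itself nor an approved third party, plus the inline-script count."""
    collector = ActiveContentCollector()
    collector.feed(html)
    findings = []
    for tag, url in collector.references:
        # hostname is None for relative URLs and for schemes like javascript:
        host = urlparse(url).hostname
        if host is None or host.lower() == page_host:
            continue  # first-party content, owned and scanned by the site
        if host.lower() not in approved_hosts:
            findings.append({"tag": tag, "url": url, "host": host.lower()})
    return findings, collector.inline_scripts


# Constructed sample page: one first-party script, one approved ad network,
# and two third-party embeds that marketing added without review.
SAMPLE_HTML = """
<html><head>
<script src="/static/site.js"></script>
<script src="https://ads.approved-network.example/tag.js"></script>
<script src="//widgets.unvetted-partner.example/weather.js"></script>
</head><body>
<iframe src="http://promo.unknown-host.example/banner.html"></iframe>
<script>console.log("inline");</script>
</body></html>
"""

APPROVED = {"ads.approved-network.example"}


def audit_sample():
    return audit_page(SAMPLE_HTML, "www.example-site.example", APPROVED)


if __name__ == "__main__":
    findings, inline = audit_sample()
    for f in findings:
        print(f"UNVETTED {f['tag']:<7} {f['host']:<35} {f['url']}")
    print(f"inline scripts to review: {inline}")
```

The check deliberately treats protocol-relative URLs (`//host/...`) as external, since they load from another origin just like an absolute URL, and it counts inline scripts separately because an injected snippet often has no `src` at all.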

Many well-known sites are infected by malware, and the most popular sites are generally targeted most frequently, Daswani noted. In the past two years, major government sites, such as the Treasury Department and Environmental Protection Agency, have been infected, causing them to serve up drive-by downloads to their users. The National Institutes of Health has been infected five times in the past two years, and the state of Alabama's website has been infected 37 times in that same time period, he reported.

"It's time to recognize that this is the method of choice for many distributors of malware," Daswani said.

13 September 2010

How to Protect Yourself From the "Here You Have" Virus

A harmful new computer worm infested the computers of large companies and federal agencies through an e-mail attack Thursday, bringing down such major companies as Disney, NASA, Comcast and more.

The worm disguises itself as a benign e-mail message with the subject line "here you have," and replicates itself by tricking you into clicking a link in the e-mail message's body. Then it can disable anti-virus products stored on your computer and send copies of the original, dangerous message to all the contacts in your e-mail address book.

Once the virus infests a computer, it can also spread to the local network -- which can include home and office computers -- surreptitiously copying itself to the shared hard drives of machines.

The threat is rapidly spreading through the enormous quantity of e-mail messages it has generated, said Internet security companies Norton and McAfee Labs, which have detected that many e-mail servers have ground to a halt due to the sheer volume of wire-clogging spam. The Department of Homeland Security's Computer Emergency Readiness Team (US-CERT) even weighed in on the worm, with advice for users.

“US-CERT is in the process of collecting and analyzing samples of the malware and has developed and disseminated mitigation strategies,” spokeswoman Amy Kudwa said. “Basic cyber security practices and hygiene are essential to maintaining the security of networks and individual computers.”

US-CERT recommends that you take more caution with your e-mail than usual, advising not to click on links in unsolicited e-mails, to install anti-virus software and frequently update it, and to turn off an option on your computer that automatically downloads attachments.

Security experts from Norton advise additional, more extreme steps you can take, such as disabling network sharing and disconnecting infected computers from the local network. If you've already gotten a "here you have" e-mail, the company suggested blocking outbound traffic to the domains or IP addresses contained in the e-mail to prevent users from connecting to distribution sites to download.
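Norton's suggestion to block outbound traffic to the domains or IP addresses contained in the e-mail is a mechanical step once a copy of the message is in hand. The added example below (not Norton's, US-CERT's or the page's own code) parses a captured message, pulls every link out of its text parts, reduces them to hostnames for an egress block list, and offers a lookup an outbound proxy or firewall rule generator could call. The sample message and its link targets are constructed placeholders under the reserved `.invalid` domain, not indicators from the article.

```python
"""Derive an outbound block list from links in a captured worm e-mail.

Added example of the mitigation described above. The message is constructed
and the hosts are placeholders; no real indicators are included.
"""
import re
from email import message_from_string
from urllib.parse import urlparse

# Matches http(s) links; trailing sentence punctuation is trimmed afterwards.
URL_RE = re.compile(r"\bhttps?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample lure: subject line as described in the article, link
# targets invented for this example.
SAMPLE_EMAIL = """\
From: "A Colleague" <colleague@example.org>
To: victim@example.com
Subject: here you have
Content-Type: text/plain; charset="utf-8"

Hello, this is the document I told you about, you can find it here:
http://files.placeholder-host.invalid/document.pdf.
If that fails try http://update.placeholder-host.invalid/viewer.exe
"""


def extract_urls(raw_message):
    """Return the distinct http(s) URLs found in the text parts of a message."""
    msg = message_from_string(raw_message)
    urls = []
    for part in msg.walk():          # works for single-part and multipart mail
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)   # undoes base64/quoted-printable
        if payload is None:
            continue
        charset = part.get_content_charset() or "utf-8"
        text = payload.decode(charset, errors="replace")
        for match in URL_RE.findall(text):
            url = match.rstrip(".,;:)")           # strip prose punctuation
            if url not in urls:
                urls.append(url)
    return urls


def build_block_list(urls):
    """Reduce URLs to the set of lower-cased hostnames to block outbound."""
    hosts = set()
    for url in urls:
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def is_blocked(destination, block_list):
    """True if destination is a blocked host or a subdomain of one, so the
    distribution site cannot be reached via a sibling name."""
    destination = destination.lower().rstrip(".")
    return any(destination == h or destination.endswith("." + h)
               for h in block_list)


if __name__ == "__main__":
    found = extract_urls(SAMPLE_EMAIL)
    blocked = build_block_list(found)
    for host in sorted(blocked):
        print(f"deny outbound to {host}")
    print(is_blocked("cdn.files.placeholder-host.invalid", blocked))
```

Blocking by hostname rather than by full URL is the point of the `is_blocked` check: a worm author can rename the payload file trivially, but a distribution host that is already in a captured message is a stable thing to deny until the sample has been analysed.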

But the easiest way to protect yourself from this and other viruses is the simplest: Make sure you're running an anti-virus program and make sure it's up to date. PCMag.com security analyst Neil J. Rubenking agreed, stressing the importance of your own actions in keeping you safe.

"People! DO NOT click links in e-mail messages from unknown people. DO NOT even click links in e-mail messages from your friend, since the real source of the message might be a virus. DO keep your computer protected with an antivirus or a security suite," he wrote in an entry on the Security Watch blog.

"That way if you click the wrong link in a fit of weakness, you'll still be protected from whatever new threat replaces 'here you have,'" he pointed out.

21 August 2010

Mass Drive-By Attack Used Web Widget

Attackers took a different spin on mass infection, and targeted hosting provider Network Solutions Inc.

A widespread Web attack discovered over the weekend that targeted Network Solutions Inc. customers' parked or "under construction" Web domains used a drive-by download attack more stubborn than the popular and more common mass SQL injection attacks.

The attack, which began with an infected widget on NSI's growsmartbusiness.com website for small businesses, led to a mass infection of NSI customers' reserved domains, according to researchers at Armorize who spotted the attack.

Users get infected merely by visiting a site with the infected widget. So far the researchers have seen the attack exploiting vulnerabilities in Internet Explorer. "They visit a page and end up with malware. There's absolutely no click and no user awareness of anything. They visit the page, the [exploit] attacks a vulnerability inside the browser and takes control of the browser," says Armorize's Huang.

Then the attacker writes malicious code to the disk and executes it, he says. The researchers found evidence of websites fully compromised by the attack, with a Web "shell," basically a control panel the attackers install once they have fully compromised the site.

"This allows you to do anything you'd like to do, insert any content," he says.

The attackers behind the drive-by attack on NSI's domains appear to be out of Asia. The attack ultimately sends users to phishing sites, Huang says. Armorize actually first saw the attack in May, when researchers found it on the Boingboing.com parked domain. "We didn't realize then that the entire NSI parked domain was infected," Huang says.

Armorize's blog posts and demonstrations of the attacks are here.