Posted by Maxim Weinstein
Fri, 27 Jun 2008 18:05:00 GMT
A researcher from security firm Kaspersky reportedly claims that he told Microsoft of a vulnerability in Internet Explorer “a long time ago,” but Microsoft didn’t consider it a security issue. Now, he claims he has found an example of an exploit in the wild that takes advantage of the vulnerability.
The attack, discovered at a compromised legitimate site, is using a modified GIF file to exploit the cross-site scripting feature/vulnerability.
...
Fast forward to the latest site compromise — on a high traffic Web site — where a GIF file containing an embedded iFrame is pointing IE users to a known malicious site. (The malicious site is currently offline but there’s evidence that it’s tied to ID-theft attacks)....
If the researcher’s findings are true (we haven’t confirmed them), then Microsoft should be embarrassed for missing an opportunity to protect its users and should immediately reconsider its position and treat this as the security issue that it is.
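An added example, not from the original post or the Kaspersky write-up: a server-side upload check for the image/HTML polyglot pattern the post describes. It rejects a file whose magic bytes do not match the declared type, or whose bytes contain HTML tags anywhere, and it covers PNG and JPEG signatures as well as GIF; the MIME list, the tag list and the sample bytes are constructed for this example.

```python
import re

# Magic numbers for the image types accepted here (an assumed set; extend as needed).
IMAGE_MAGICS = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
}

# Tag names whose presence in an "image" is strong evidence of HTML. Very short
# names (a, b, p, img) are left out: they match random pixel data too often.
HTML_TAG_RE = re.compile(
    rb"<\s*/?\s*(!doctype|html|head|body|script|iframe|frame|frameset|"
    rb"object|embed|meta|style|link|title|form|table)\b",
    re.IGNORECASE,
)

def sniff_image_type(data: bytes):
    """Return the MIME type implied by the file's magic bytes, or None."""
    for mime, magics in IMAGE_MAGICS.items():
        if any(data.startswith(magic) for magic in magics):
            return mime
    return None

def find_html_markers(data: bytes):
    """Return the distinct HTML tag names found anywhere in the bytes.

    The whole file is scanned, not just a prefix: markup hidden after the
    image trailer is exactly what a content-sniffing browser may act on.
    """
    return sorted({m.group(1).lower().decode("ascii")
                   for m in HTML_TAG_RE.finditer(data)})

def classify_upload(declared_type: str, data: bytes):
    """Return ("accept", sniffed_type) or ("reject", reason) for an upload."""
    sniffed = sniff_image_type(data)
    if sniffed is None:
        return "reject", "no recognised image signature"
    if sniffed != declared_type:
        return "reject", f"declared {declared_type} but bytes look like {sniffed}"
    tags = find_html_markers(data)
    if tags:
        return "reject", "html markup inside image: " + ", ".join(tags)
    return "accept", sniffed

# Constructed samples: a well-known 1x1 GIF, and the same bytes with an iframe
# tag appended after the GIF trailer, the polyglot shape the post describes.
CLEAN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
             b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
POLYGLOT_GIF = CLEAN_GIF + b'<iframe src="http://example.invalid/"></iframe>'

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_GIF), ("polyglot", POLYGLOT_GIF)):
        print(label, classify_upload("image/gif", blob))
```

Run at upload time, before the file is stored under a path the web server will serve with an image Content-Type.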
Posted in all | Tags ie, microsoft, stopbadware, vulnerability
Posted by Erica George
Fri, 27 Jun 2008 15:54:00 GMT
When I talk to friends about web-based badware, one of the most frequent things I hear is a version of “Oh, I don’t have to worry about that – I don’t go to any sketchy sites.” The security world has known for a while now that even legitimate, trusted websites can be hacked, but that knowledge still hasn’t made its way out to much of the public. It often takes the hacking of a prominent site to shatter the illusion.
This week, the website of ICANN, the Internet Corporation for Assigned Names and Numbers, was hacked and defaced, along with the site for IANA, the Internet Assigned Numbers Authority. ICANN is the group in charge of internet governance at its most basic level, choosing which new top-level domains (like .com or .org) to create, and setting the protocols for how internet addresses work. Ironically, it was the domain name settings for the ICANN and IANA sites themselves that were hacked and redirected to a page with a derisive message.
The hackers fortunately are a group from Turkey apparently more interested in mischief and notoriety than in harming users’ computers, but it would have been easy to redirect ICANN and IANA visitors to a malicious site if that had been the hackers’ goal.
The lesson? As ZDNet’s Dancho Danchev put it:
One thing’s for sure though, if the ICANN and IANA can lose control of their domains, anyone can.
Posted in all | Tags hacking, iana, icann
Posted by Maxim Weinstein
Thu, 26 Jun 2008 19:57:00 GMT
Today, StopBadware.org staff Oliver Day and Brandon Palmen, along with affiliated Harvard researcher Rachel Greenstadt, presented research at the Workshop on the Economics of Information Security, held at the Tuck School of Business at Dartmouth College. A final version of their paper will be available in the proceedings from the conference. For now, here’s an abstract:
Internet end-users increasingly face threats of compromise by visiting seemingly innocuous websites that are themselves compromised by malicious actors. These compromised machines are then incorporated into bot networks that perpetuate further attacks on the Internet. Google attempts to protect users of its search products from these hidden threats by publicly disclosing these infections in interstitial warning pages behind the results. This paper seeks to explore the effects of this policy on the economic ecosystem of webmasters, web hosts, and attackers by analyzing the experiences and data of the StopBadware project. The StopBadware project manages the appeals process whereby websites whose infections have been disclosed by Google get fixed and unquarantined. Our results show that, in the absence of disclosure and quarantine, certain classes of webmasters and hosting providers are not incentivized to secure their platforms and websites and that the malware industry is sophisticated and adapts to this reality. A delayed disclosure policy may be appropriate for traditional software products. However, in the web infection space, silence during this period leads to further infection since the attack is already in progress. We relate specific examples where disclosure has had beneficial effects and further support this conclusion by comparing infection rates in the U.S. where Google has high penetration to China where its market penetration rate is much lower.
Posted in all | Tags research, stopbadware
Posted by Maxim Weinstein
Thu, 26 Jun 2008 19:28:00 GMT
Over on my own Harvard blog, I’ve started a series of posts about my foray into the field of public health and how it relates to the malware world. If you’re interested, please read along and post your thoughts in the comments.
Posted in all | Tags publichealth, stopbadware
Posted by Maxim Weinstein
Thu, 26 Jun 2008 16:52:00 GMT
Ryan Naraine over at the Zero Day Blog reports that a new vulnerability has been found in Internet Explorer 6 running on Windows XP with service pack 2 or 3:
An unpatched cross-domain vulnerability in Microsoft’s flagship Internet Explorer browser could expose Windows users to cookie hijacks and credentials theft attacks, according to a warning from security researchers.
At the moment, there is no patch:
In the absence of a patch, IE users are strongly encouraged to upgrade to IE 7. Or, as always, consider using an alternative browser.
Posted in all | Tags ie, microsoft, stopbadware, vulnerability
Posted by Maxim Weinstein
Wed, 25 Jun 2008 13:53:00 GMT
StopBadware.org is a member of the Anti-Spyware Coalition (ASC), and I’m currently serving on the ASC’s “global issues subgroup.” The group’s purpose is to try to understand how spyware and other malware are viewed by consumers in other countries.
We’ve put together the following survey to get people’s perspective. If you have insight into a particular country, please send your responses to the survey below to Heather West at heather@cdt.org. Please also feel free to forward the survey along to others who may be able to help.
—
Where are you located?
How big a concern is:
- spyware? malware? viruses?
- privacy of personal information?
- identity theft?
- financial fraud?
- machine slowdown?
Are people worried about doing these things online?
- online banking
- e-commerce
- web based email
- social networking
- blogging
What is the most important/valuable thing users will store on their computer?
What kind of personal information are people worried about keeping safe, in general?
What is the incidence of identity theft?
Do most users own computers?
How do users generally connect to the internet?
Who enforces against deceptive practices or takes action against spyware?
Have any spyware enforcement cases happened in this country?
What laws are in place having to do with computer fraud and cybersecurity?
What are the legal implications of calling programs spyware?
Are there legal protections in place to protect anti-spyware vendors?
Are there legal protections for watchdog groups?
Posted in all | Tags ASC, international, stopbadware, surveys
Posted by Maxim Weinstein
Tue, 24 Jun 2008 18:24:00 GMT
ZDNet blogger Ryan Naraine took us to task today for not calling Apple Software Update badware. Last month, we stopped short of labeling the application badware after Apple made changes to improve the disclosure of applications that were installed under the guise of updates:
Apple clearly responded to the concerns of the community in making these changes, and consumers will benefit. The previous version of Apple Software Update was confusing to users and had the potential to lead users to stop trusting in the update process, a process that is critical to security efforts. With this change, and hopefully additional changes as the community provides additional feedback to this latest iteration, users can feel more comfortable with what they’re agreeing to when installing updates and new software via Apple’s tool.
Naraine feels that the product’s behavior is still “deceptive and irresponsible”. He writes:
That’s 95 MBs, pre-checked by default, bundled into a security patch and ready to hose my machine.
This is clearly badware behavior and it’s shocking to me that Apple gets away with it. I understand the economics of Apple being aggressive to establish a presence on the Windows ecosystem but this is really unacceptable.
In some cases, including the behavior of Apple Software Update before the changes, an application is clearly and unambiguously badware. In others, including the present state of Apple Software Update, there’s some room for discussion. For example, we have not historically considered an option being selected by default to be a badware behavior, particularly if the disclosure about the meaning of the checkbox was clear to the user. I believe Naraine is making the argument that the meaning is not clear in the context of the Update application.
What do you think? Would you consider Apple Software Update badware? What would you change to ensure it is giving users an informed choice about which software is installed on their computers? Let us know in our discussion group.
Posted in all | Tags apple, guidelines, stopbadware
Posted by Maxim Weinstein
Tue, 24 Jun 2008 14:20:00 GMT
StopBadware.org today released a report analyzing over 200,000 sites reported by Google as exhibiting badware behavior.
See the press release and/or the report for more information.
We attempted to contact the owners of the top 10 infected network blocks identified in the report. Note that a network block owner may or may not have control over the content of sites hosted on that block. Here’s what we heard from the companies we reached:
Google:
We take malware blogs very seriously. On a daily basis, malware blogs are created by bad guys, and subsequently detected and deleted by Google. The 4,261 figure represents some of the malware blogs we delete over a 30 day period.
Because we’re very aggressive and very proactive in preventing and detecting harmful content placed on our services, the Blogger numbers are disproportionately higher than they would be on non-Google properties.
Given that there are millions of active blogs in our network, 4,261 is just a very small percentage of the total blogs.
With our aggressive approach, malware blogs, like spam blogs, tend to have short lifespans. WRT to the impact on users, if an existing popular site that gets millions of page views per day gets compromised for a few hours, that represents a huge number of infections compared to one of these blogs.
The Planet:
The Planet provides dedicated, self-managed hosting services to our 22,000 customers, which means they maintain full control of their servers. Many of our customers are resellers, and they lease space on their servers – sometimes to as many as 200 companies per box – to their clients.
Nonetheless, we have an Acceptable Use Policy (AUP) that precludes customers from distributing malware of any kind. Once we are aware of any inappropriate use of our servers, our Abuse Department initiates an investigation. If we identify issues, we proactively work with customers so they meet our AUP.
SoftLayer:
SoftLayer Technologies is a provider of data center services centered around the delivery of on-demand server infrastructure. We do not manage the content or applications hosted from our infrastructure as this is the direct responsibility of our customers, many of which are in fact hosting resellers. Having said that, we also have a very strict acceptable use policy which you can find here: http://www.softlayer.com/legal.html.
We try to be as proactive as possible in eliminating any and all content from our network that breaches the terms of this policy. But, as I am sure you are aware, this is not always an easy task.
I have forwarded your email to our abuse department so that they can start investigating the findings you have suggested below. We will take all necessary actions to remove any malicious material from our network so that we can better serve our customers and the entire Internet community.
iEurop:
Of course we’re interested in any tool that helps us protect internet users.
If you can send us any info regarding malware hosted on our machines we’ll be more than happy to remove those websites …
Posted in all | Tags china, reports, stopbadware
Posted by Laureli Mallek
Mon, 23 Jun 2008 19:34:00 GMT
Software company Intego found this Mac Trojan masquerading as a poker game. The Trojan actually transmits the user’s name, password, and IP address to an external server, acquiring the password through clever social engineering:
“A corrupt preference file has been detected and must be repaired.” Entering the administrator’s password enables the program to accomplish its tasks. After gaining ssh access to a Mac, malicious users can attempt to take control of it, delete files, damage the operating system, or much more.
Computer World wrote on Friday that SecureMac reported finding another Trojan circulating in the wild. “Its researchers had found a Trojan horse, dubbed ‘AppleScript.THT,’ being distributed from a hacker-operated site where discussions of spreading the malware via iChat, Apple’s instant messaging and video chat software, were also taking place.” Updating that warning today, SecureMac shared that the source code for the Trojan has been distributed, which increases the likelihood of derivative Trojans appearing soon. They write:
“The Trojan is distributed as either a compiled AppleScript, called ASthtv05 (60 KB in size), or as an application bundle called AStht_v06 (3.1 MB in size). The user must download and open the Trojan horse in order to become infected. Once the Trojan horse is running, it will move itself into the /Library/Caches/ folder, and add itself to the System Login Items… Once installed, the Trojan horse turns on File Sharing, Web Sharing, and Remote Login. If the filename of the Trojan horse has not been changed, it can be located in the /Library/Caches folder under the name AStht_06.app.”
Sandi, blogging at Spyware Sucks, opines that Trojans like this demonstrate that social engineering transcends computer platforms. She emphasizes that sharing information about badware can help to build and reinforce a level of user awareness and suspicion about entering personal information while downloading software (and ideally when deciding to download software in the first place). Sandi also comments on complaints that these Trojans were discovered by companies developing Apple security products.
While there may be a financial benefit to those companies, the goal of the security community is to maintain computers as free of badware as possible, and sharing information about risks with professionals and users-at-large focuses attention on problems so that they can be solved or avoided as efficiently as possible.
Posted in all | Tags apple, badware, security, trojan
Posted by Laureli Mallek
Fri, 20 Jun 2008 18:53:00 GMT
Dancho Danchev wrote about a vulnerability found in Zeus, a crimeware kit circulating widely. Danchev explains:
The vulnerability allows the injection of logins and passwords within any misconfigured web interface, due to the way in which Zeus is processing php scripts (web shells and backdoors) from the directory in which it stores the stolen data. Ironically, ‘Zeus users are advised to take care of their directory permissions, and forbid the execution of scripts from the folder holding all the encrypted stolen information’.
The implications of this flaw are huge, since, what used to be the practice of hijacking someone’s misconfigured botnet a couple of years ago, is today’s hijacking of the malware campaign’s command and control interface, which on the majority of occasions is left accessible to everyone – including independent researchers and the security community.
The Zeus Trojan kit is available on the market for around $700, and Danchev writes in a previous post that the Zeus kit has been used more than 150 times and attacks around 4,000 computers per day. Just as popular software draws unwanted attention from hackers, the prominence of this badware drew scrutiny from the security community, which led to the discovery of this vulnerability.
In an additional twist, the Russian Business Network, which has been associated with creation and distribution of the Zeus kit, is actively working to protect their intellectual property from security companies and their customers. RBN has threatened to sue security companies for blacklisting their products.
The RBN even includes an EULA when they sell the crimeware kit:
The help section of the latest version of the Zeus malware states that the client has no right to distribute Zeus in any business or commercial purpose not connected to the initial sale, cannot examine the source code of the product, has no right to use the product to control other botnets, and cannot send the product to anti-virus companies.
The RBN threatens to release information on their customers if they violate this agreement and to require customers to purchase future updates. Would they pursue lawsuits against bot herders who modify their software kit without permission?
Danchev asks what would happen if the security community began unethically pen-testing the Zeus network in order to estimate the size of the botnet. Would the RBN seek to protect its intellectual property, thereby claiming ownership of the Russian Business Network infrastructure (botnet) in order to sue trespassing parties? As crimeware becomes more commercialized, the badware authors have more invested in protecting their investments in intellectual property and infrastructure. It will be interesting to see how the current legal structure can be applied to regulate the development of the malware industry.
Posted in all | Tags botnet, stopbadware, trojan, vulnerability