Websense and IBM released security reports this week covering topics from spam to research on the impact of publicizing software vulnerabilities.

In his Security Fix blog post, Brian Krebs continues his coverage on badware distribution, prompted by the release of the report from Websense that includes data from the 40 million websites scanned hourly to collect computer security data. According to the Websense report, three quarters of all web sites containing badware, malicious downloads, are legitimate sites that have been hacked, and 60 of the Top 100 most visited websites have at one point during the last year “either hosted malware or forwarded visitors to malicious sites.”

Krebs writes that spam is still a major conduit to disseminate links to dangerously hacked websites:

According to Websense, nearly 30 percent of those links lead to sites that try to plant software which steals passwords and other sensitive data from victims. The remainder of the spam links attempt to install software that lets attackers control the systems from afar, and/or install additional software without the owner’s knowledge.

Badware authors target legitimate sites, using the prior relationship of trust established between that website and computer users to find holes in security system. Users who are familiar with programs such as NoScript, which blocks Javascript, Java, and Flash from executing without express permission of the user, will know that it is possible to allow scripts for specific trusted websites.

Network World’s Ellen Messmer discusses results from both of the reports. The IBM report tracked statistics relating to 3,534 disclosed software bugs. Messmer writes that “[a]ccording to IBM, 95% of all browser-related online exploits occurred within 24 hours of official vulnerability disclosure.”

On a more positive note, the IBM report finds that the incidence of image spam has been reduced, which has forced spammers for now to return to earlier methods. Yet spam and badware are driven by innovative badware writers, who work hard to stay ahead of security researchers. These reports highlight how important it is for computer users to be aware and use aggressive caution. Krebs recommends two excellent pointers to maintaining the sanctity of your computer:

1. Disable automatic downloads.
2. Browse the internet while using a User account that does not allow downloading or changing passwords or computer keys. This tip is applicable in any operating system, and protects users from absent-minded clicks that may lead to future infestation.

Software company Intego found this Mac Trojan masquerading as a poker game. The Trojan actually transmits the user’s name, password, and IP address to an external server which it acquires through clever social engineering:

“A corrupt preference file has been detected and must be repaired.” Entering the administrator’s password enables the program to accomplish its tasks. After gaining ssh access to a Mac, malicious users can attempt to take control of them, delete files, damage the operating system, or much more.

Computer World wrote on Friday that SecureMac reported finding another Trojan circulating in the wild. “Its researchers had found a Trojan horse, dubbed ‘AppleScript.THT,’ being distributed from a hacker-operated site where discussions of spreading the malware via iChat, Apple’s instant messaging and video chat software, were also taking place.” Updating that warning today, SecureMac shared that the source code for the Trojan has been distributed, which increases the likelihood of derivative Trojans appearing soon. They write:

“The Trojan is distributed as either a compiled AppleScript, called ASthtv05 (60 KB in size), or as an application bundle called AStht_v06 (3.1 MB in size). The user must download and open the Trojan horse in order to become infected. Once the Trojan horse is running, it will move itself into the /Library/Caches/ folder, and add itself to the System Login Items… Once installed, the Trojan horse turns on File Sharing, Web Sharing, and Remote Login. If the filename of the Trojan horse has not been changed, it can be located in the /Library/Caches folder under the name AStht_06.app.”

Sandi, blogging at Spyware Sucks, opines that Trojans like this demonstrate that social engineering transcends computer platforms. She emphasizes that sharing information about badware can help to build and reinforce a level of user awareness and suspicion about entering personal information while downloading software (and ideally when deciding to download software in the first place). Sandi also comments on complaints that these Trojans were discovered by companies developing Apple security products.

While there may be a financial benefit to those companies, the goal of the security community is to maintain computers as free of badware as possible, and sharing information about risks with professionals and users-at-large focuses attention on problems so that they can be solved or avoided as efficiently as possible.

Targeted spear phishing campaigns are using money to lure victims. Brian Krebs blogged this week about a two part spear-phishing attack targeting small and medium sized businesses. The attack focuses on gaining access to circumnavigating two-part authentication used in banking security.

The scam begins with an email containing specific information about the user, their business, and the bank. This email requests that users click to view or download an attached object, which installs a keylogger, according to iDefense, and a browser helper object enabling attackers to modify webpages in real time. When a user with an infected computer attempts to log into their bank account, Krebs writes that a “message is inserted into the body of the bank’s actual Web page.” The interstitial message appears to originate from the bank since it is displayed within the body of the bank’s website, and requests that the user wait 15-30 minutes before logging on. The attackers use this time, after they have intercepted the user’s authentication information, to empty the associated bank accounts.

Quoting Matt Richard, of iDefense, “If a bad guy has malicious code on a customer’s machine, no matter what you do, he’s going to have some way to get in to the customer’s account. The best you’ll be able to do is try to stop the money transfers.”

As something of a coup de grace, Krebs writes “Before the Trojan download, the attacker attempts to get the user to install their bogus root CA certificate with the ‘VeriSign Trust Network’ name.” Combining malware with a new root certificate makes it easier for the attacker to re-infect a computer in the future. Sunbelt has also spotted fake banking certificates in their blog.

In a similar attack noted by McAfee’s Avert Labs last month, a number of spear phishing emails have been playing on an ubiquitous fear: the Tax Court. So many of these emails spoofing petition requests have been received that the US Tax Court website provides a clear warning that “[t]he Tax Court is not disseminating any e-mail notice to anyone who currently has a case before this Court.”

Kevin McGhee writes, “The scammers do their homework when it comes to spear phishing. Instead of pumping out millions of emails to anybody and everybody, spear phishers send out their scams only to people they know will be susceptible to the scam. In this case a top executive–rather than the average employee–is much more likely to be involved in a court case of this nature.”

Over the last several weeks, users downloaded more than they were bargaining for from several P2P networks. TechNewsWorld reported on McAfee’s Avert Labs that more than 500,000 computers have been infected. Users download a faux-mp3 file from a legitimate music group, which initiates a request that users download a codec offering free mp3s. By clicking on the EULA and authorizing the download, users are actually downloading a host of executables.

Craig Schmugar, a researcher for McAfee Avert Labs, wrote on that blog, “In the end you’re left with a fake MP3 file taking up space, a worthless MP3 player, adware that claims not only to not display popups, but also to block them, and more adware that successfully displays popup and popunder ads.” During further investigation, Schmugar found that hundreds of infected files were circulating on the internet. Many of those sites pointed to freemp3player.com or “different sites distributing adware and others still pose as codec installers that when run, display fake error messages and download and silently install tons of files.” The fake mp3 files were actually ASF files instructing media players to navigate to specific urls rife with downloads to further corrupt users’ computers.

More recently, Trend Micro researcher Ivan Macalintal found a malicious script inserted into “various Web sites believed to be either using poorly implemented phpBB, or are using older, exploitable versions of the said program.” The drive-by-download directed users to a compromised site which downloaded TROJ_ZLOB.CCW onto unprotected computers. Trend Micro notes that Zlobs in general, and this one in specific, change DNS and browser settings which further open the computer to future infections.

Both of these incidents reinforce the need to keep your security software updated. Downloading files from unknown sources carries with it inherent risk. Badware production has developed into an expanding economy that relies on a sense of inherent security associated with internet use.

Click safely!

Two noteworthy exploits have surfaced recently. This blog post will cover: first a server-based attack-tool and second the discovery of a now-patched vulnerability in Flash.

First:

Tornado, a web-based exploit tool, can exploit more than a dozen browser vulnerabilities. ITNews Australia explains that the tool “is commonly installed on a server by a single ‘administrator,’ who then offers accounts on the server to other attackers.” This structure protects the proprietary code and protects it from being released “underground.”

The seller is also able to discriminate between clients, which Liam O’Murchu, a Symantec researcher, sites as a reason that the exploit has remained undiscovered for so long. Shaun Nichols of ITNews writes that Tornado “offers attackers a full set of traffic statistics and options for selecting which exploits can be conducted.”

Second:

Robert Jaques reports for ITNews that a new Flash vulnerability has been discovered by Tier-3. This issue arises from the use of “NULL pointers,” software code which points to specific locations in a computer’s memory. Geoff Sweeney, an executive at Tier-3, is quotes as saying,

“Buffer overflows are still an issue, but they are a problem that has been tackled by the industry for many years. NULL pointer de-referencing has not received anywhere near the same level of attention, which means that users need to be more vigilant than ever.”

A recent paper by Mark Dowd, a researcher at IBM Internet Security Systems, provides a detailed example of this type of exploit. The Matsano Chargen blog explains Dowd’s achievement while claiming that Dowd was “sent back through time to kill the mother of the person who will grow up to challenge SkyNet.” And his accomplishment does inspire some awe. In brief:

“Dowd’s exploit uses a NULL pointer write32 to knock the locks off the bytecode interpreter in Flash, so that his SWF file can run bytecode that will rewrite the system stack.”

So the NULL pointer presents an entry point for Dowd to run his exploit, and this entry exists on Internet Explorer and Firefox, which have compatible internal addressing, and Vista.

According to DailyTechNotes Adobe has already released a patch for the vulnerability and you should download it now. They explain the risk,

“Vulnerabilities in various online software is nothing new. But what makes vulnerability in flash so much damaging is that flash is installed on almost all browsers and it is independent of the operating system you are running.”