Posted by Laureli Mallek
Mon, 19 May 2008 17:09:00 GMT
You may recall that StopBadware.org recently played a role in successfully encouraging Apple to improve its disclosure in pushing the Safari web browser to users through its Apple Software Update application. Now, Nitesh Dhanjani, a security researcher, writes about his recent interaction with Apple. Dhanjani alerted Apple to several potential issues that he discovered in the company’s web browser, Safari, most notably the potential for a “Safari Carpet Bomb.”
He writes that Safari “cannot be configured to obtain the user’s permission before it downloads a resource,” and provides this example:
“Now assume that http://malicious.example.com/cgi-bin/carpet_bomb.cgi is the following:
#!/usr/bin/perl
# Send only a header whose MIME type no browser renders; the empty body that
# follows is what Safari saves to disk as carpet_bomb.cgi.
print "Content-type: blah/blah\n\n";
Since Safari does not know how to render content-type of blah/blah, it will automatically start downloading carpet_bomb.cgi every time it is served.”
CNET commented that files downloaded by Safari to the desktop on Windows, or the Downloads folder on Mac OS, create the potential for multiple files of unknown nature to mingle with legitimate downloads.
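As an added illustration of the behaviour described above (not code from the post or from Dhanjani), the following Python scans a constructed, tab-separated proxy log for hosts that repeatedly push non-renderable content types without an explicit attachment disposition, which is the trace a carpet bomb leaves behind. The log layout, the RENDERABLE type list and the threshold are assumptions.

```python
"""Flag carpet-bomb style responses in constructed proxy log lines.

Assumed log format, one response per line, tab-separated:
client, host, path, status, content_type, content_disposition (or '-'), user_agent
"""
from collections import Counter

# Types a browser shows inline; anything else ends up as a saved file.
# Constructed list for illustration, not a real browser's type registry.
RENDERABLE = {
    "text/html", "text/plain", "text/css", "application/javascript",
    "image/png", "image/jpeg", "image/gif", "application/xhtml+xml",
}

# Constructed sample log mirroring the post's blah/blah example.
SAMPLE_LOG = """\
10.0.0.5\tmalicious.example.com\t/cgi-bin/carpet_bomb.cgi\t200\tblah/blah\t-\tSafari
10.0.0.5\tmalicious.example.com\t/cgi-bin/carpet_bomb.cgi\t200\tblah/blah\t-\tSafari
10.0.0.5\tmalicious.example.com\t/cgi-bin/carpet_bomb.cgi\t200\tblah/blah\t-\tSafari
10.0.0.5\twww.example.org\t/index.html\t200\ttext/html\t-\tSafari
10.0.0.5\tfiles.example.org\t/report.pdf\t200\tapplication/pdf\tattachment; filename="report.pdf"\tSafari
"""

def parse_line(line):
    """Split one log line into a dict; None for malformed lines."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 7:
        return None
    client, host, path, status, ctype, disp, ua = fields
    return {"client": client, "host": host, "path": path, "status": status,
            "type": ctype.split(";")[0].strip().lower(),
            "disposition": disp.strip().lower(), "ua": ua}

def is_silent_download(rec):
    """True when the browser would save the response to disk without the
    server declaring it a download: unknown type, no attachment disposition."""
    return (rec["status"] == "200"
            and rec["type"] not in RENDERABLE
            and not rec["disposition"].startswith("attachment"))

def find_carpet_bombs(log_text, threshold=3):
    """Return {(client, host): count} for hosts that pushed at least
    `threshold` silent downloads to the same client."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_silent_download(rec):
            counts[(rec["client"], rec["host"])] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}
```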
The Apple security team replied to Dhanjani’s emails courteously, but made it clear that this is not a security priority for the company:
We can file that as an enhancement request for the Safari team. Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads. This will require a review with the Human Interface team. We want to set your expectations that this could take quite a while, if it ever gets incorporated.
Assuming Nitesh’s analysis is accurate, “unwanted downloads,” as Apple calls them, represent a serious security threat to users, who can be easily tricked into executing a malicious file. StopBadware.org believes that users should have control over software being downloaded to their computers, and we encourage Apple to reconsider its stance and treat this as the security issue that it is.
Posted in all | Tags apple, browser, drive-by download, security
Posted by Laureli Mallek
Tue, 13 May 2008 20:13:00 GMT
Over the last several weeks, users downloaded more than they bargained for from several P2P networks. TechNewsWorld, citing McAfee’s Avert Labs, reported that more than 500,000 computers have been infected. Users download a fake MP3 file attributed to a legitimate music group, which prompts them to download a codec offering free MP3s. By clicking through the EULA and authorizing the download, users are actually installing a host of executables.
Craig Schmugar, a researcher for McAfee Avert Labs, wrote on the lab’s blog, “In the end you’re left with a fake MP3 file taking up space, a worthless MP3 player, adware that claims not only to not display popups, but also to block them, and more adware that successfully displays popup and popunder ads.” During further investigation, Schmugar found that hundreds of infected files were circulating on the internet. Many of those sites pointed to freemp3player.com or “different sites distributing adware and others still pose as codec installers that when run, display fake error messages and download and silently install tons of files.” The fake MP3 files were actually ASF files instructing media players to navigate to specific URLs rife with downloads that further corrupt users’ computers.
More recently, Trend Micro researcher Ivan Macalintal found a malicious script inserted into “various Web sites believed to be either using poorly implemented phpBB, or are using older, exploitable versions of the said program.” The drive-by download directed users to a compromised site which downloaded TROJ_ZLOB.CCW onto unprotected computers. Trend Micro notes that Zlobs in general, and this one in particular, change DNS and browser settings, which further opens the computer to future infections.
Both of these incidents reinforce the need to keep your security software updated. Downloading files from unknown sources carries with it inherent risk. Badware production has developed into an expanding economy that relies on a sense of inherent security associated with internet use.
Click safely!
Tags badware, drive-by download, security, trojan
Posted by Laureli Mallek
Wed, 16 Apr 2008 16:58:00 GMT
Last week Symantec Corp released a security report summarizing findings from the last six months of 2007. Similar to findings in StopBadware’s Trends in Badware 2007 report, Symantec finds that badware, malware, spyware, and bots develop rapidly in the current internet environment.
Symantec reports that the second half of 2007 saw a rapid expansion in the amount of bad code generated: “In the second half of 2007, 499,811 new malicious code threats were reported to Symantec, a 136 percent increase over the first half of 2007.” Within this sample, the report states that:
- “Symantec identified 11,253 site-specific cross-site scripting vulnerabilities in the last six months of 2007, compared to 6,961 in the first half (though with measurement beginning only in February).”
Site-specific cross-site scripting is a technique used to initiate drive-by downloads, an increasingly popular method of distributing malicious code to users. These downloads can be triggered in a variety of ways, for example through iframes placed within the body of a website or hidden in third-party advertising.
- “The Symantec Probe Network detected a total of 207,547 unique phishing messages, a five percent increase over the first six months of 2007. This equates to an average of 1,134 unique phishing messages per day for the second half of 2007.”
- “Threats to confidential information made up 68 percent of the volume of the top 50 potential malicious code infections reported to Symantec.”
These threats relate to identity theft and to bank or PayPal account information. In short, badware producers maintain their focus on these types of data, but are developing new methods of accessing it.
The Symantec report documents a shift towards organization and refinement, with the underground economy increasingly structured like a legitimate industry. Matt Hines at PC World writes:
“From the groups of exploit developers marketing malware toolkits to aspiring attackers to the people buying and selling stolen credentials, the entire landscape of electronic crime is taking off and increasingly resembles the security software community that is working to thwart it.”
The report also discusses an evolution occurring in botnets. The number of command-and-control servers associated with botnets has declined, while the number of operational botnets has remained higher than expected. Symantec attributes decreases in the prevalence of botnets to “better detection solutions and methods,” and suggests that botnets are now being controlled through methods such as HTTP or P2P, both of which are currently more difficult to detect.
Tags botnet, drive-by download, security, stopbadware
Posted by Laureli Mallek
Mon, 14 Apr 2008 15:39:00 GMT
Social networking sites are fun. I’ve spent unknown hours procrastinating with them and my experiences have generally been favorable. Logging onto my account recently, I found multiple private and public messages from a contact, a high-school friend, who was trying to sell me sunglasses, lots of sunglasses, a variety of designer frames at discount prices that I could purchase by clicking the link in the post. Instead I clicked through to her page and realized that her account had been used to message all of her contacts with this dubious message.
A recent Security Fix post by Brian Krebs at the Washington Post reviewed Symantec’s findings that phishers are actively targeting social networking sites. “Spreading malware via hijacked social networking accounts is ideal because people are far more likely to click on a link recommended by someone in their close circle of friends than they are a link that arrives in a message from a complete stranger,” writes Krebs. The phishers ride on the trust established by a normally benign networking site to lower a user’s suspicion of unknown links. These sites are also extremely popular; four out of the 10 most visited websites are focused on social networking.
These links can initiate drive-by downloads, which StopBadware has reported on in detail as part of the Trends In Badware 2007 report. Drive-by downloads are a major and continually growing trend in badware distribution. The report states: “As in offline drive-by attacks, the victim is going about his normal life and is simply in the wrong place at the wrong time.” These attacks function with a minimum of user interaction, as the linked-to website may contain an invisible iframe or other gateway for malicious code.
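The invisible iframe mentioned here, and the iframes hidden in page bodies or third-party advertising described in the Symantec post above, can be spotted in page source. The following Python is an added example (not StopBadware tooling) that flags iframes which are zero-sized or hidden by inline CSS and records whether each one points off-site; SITE_HOST and the sample HTML are constructed.

```python
"""Flag hidden iframes of the kind used as drive-by download gateways."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "forum.example.org"  # constructed: host of the page being scanned

# Constructed sample page: one normal embed, one injected invisible
# off-site frame, and one 1x1 same-site frame.
SAMPLE_HTML = """
<html><body>
<h1>Welcome to the forum</h1>
<iframe src="https://video.example.org/embed/123" width="640" height="360"></iframe>
<iframe src="http://badhost.example.net/in.cgi?3" width="0" height="0" style="visibility: hidden"></iframe>
<iframe src="/local/widget.html" width="1" height="1"></iframe>
</body></html>
"""

def _dimension(attrs, name):
    """Numeric width/height attribute as int, or None when absent/non-numeric."""
    m = re.match(r"\s*(\d+)", attrs.get(name, ""))
    return int(m.group(1)) if m else None

def is_invisible(attrs):
    """Zero- or one-pixel frames, or frames hidden via inline CSS, show nothing."""
    w, h = _dimension(attrs, "width"), _dimension(attrs, "height")
    tiny = (w is not None and w <= 1) or (h is not None and h <= 1)
    style = attrs.get("style", "").replace(" ", "").lower()
    return tiny or "display:none" in style or "visibility:hidden" in style

class IframeScanner(HTMLParser):
    """Collects (src, off_site) for every invisible iframe in the document."""
    def __init__(self):
        super().__init__()
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}   # HTMLParser lowercases names
        if not is_invisible(a):
            return
        host = urlparse(a.get("src", "")).hostname
        off_site = host is not None and host != SITE_HOST
        self.hidden.append((a.get("src", ""), off_site))

def find_hidden_iframes(html):
    scanner = IframeScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.hidden
```

Off-site invisible frames are the ones worth alerting on first; a same-site 1x1 frame may be a legitimate tracking pixel but still deserves a look.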
Although the techniques are new, the goals of malware writers have stayed the same. Krebs writes:
“Cyber crooks are still principally out to steal financial and personal data that can be resold to identity thieves or converted into cash. And data-stealing computer viruses remain among the most expedient way to extract that data from victims.”
As badware production evolves, threats become more difficult to detect, as obvious signals such as messages from unknown users and limited language proficiency are avoided. Maintaining a level of skepticism while browsing is essential to your safety and that of your entire social network.
Tags drive-by, socialengineering