Java: No Longer a Low Profile Exploit Target
Better late than never, Apple has been releasing updates to its customized OSX build of Java, kind-of-fast on the heels of a new malware nemesis, Flashback.K. Windows users have had access to Java version 6.30 since Oracle released that operating system’s update to the ubiquitous runtime engine in February, but Mac users have been hanging in limbo, waiting for Apple to release the update. Well, not exactly waiting on the edge of their seats.
In February, I described some of my experiences investigating botnets (and the schemes which result in infections) in a webinar cohosted with Sonicwall (free registration required to view). The webinar has a “pop quiz” feature, so I preconfigured a bunch of poll type questions, to keep the audience engaged. The response to one question really floored me, though. I had asked the audience members to choose what they thought was the software component of a Windows computer they thought was the most “attacked” or targeted by malicious code.
As you can see in the screenshot above, lots of people chose the “E: All of them” answer, but that’s really just a throwaway. I was honestly shocked to see that none of the (admittedly small) number of people who completed this survey question chose Java (or, to be more specific, application/java-archive) as the MIME type most frequently abused by exploit kits. Not even a single person, and this among an audience of security professionals, at least some of whom investigate precisely these kinds of infections in the course of their duties.
If this doesn’t demonstrate some of the more harmful risks posed by compromise of FTP credentials, I don’t know what will. A spam email that’s been circulating since the beginning of the month leads unwary victims not to one or two traps, but nineteen different URLs, all pointing to legitimate Web sites that have been compromised, and (at the time, anyway) hosted malicious content.
The spam poses as an AT&T bill for $920.30, and seems engineered to inspire the classic freakout reaction from the recipient. As a con, it wouldn’t work so well if it wasn’t a plausible scenario. Who hasn’t received one of those panic-moment mobile bills at one time or another?
Within a day, the dangerous links were shut down, but their variety and quantity in a single – and to be honest, kind of terse – email surprised me. As you can see from the screenshot, hotlinked text throughout the message body leads the recipient to believe the links point to various parts of the AT&T Web site. In fact, they point to myriad others.
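The mismatch described above, where the visible link text names the AT&T site but the href points at a compromised third-party host, is something a mail gateway or analyst script can flag mechanically. The following is an added illustration, not code from the original post: it parses an HTML message body, collects every anchor, and reports links whose text claims one domain while the href resolves to another. The message body and the hostnames in it are constructed for the example.

```python
"""Flag hyperlinks in an HTML e-mail whose visible text claims one site
while the href points somewhere else (added example; sample e-mail and
hostnames are constructed, not taken from the spam run described above)."""
from html.parser import HTMLParser
from urllib.parse import urlparse


def registrable_host(hostname: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain.
    Good enough here; a real tool would consult the Public Suffix List."""
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_deceptive_links(html: str, claimed_domain: str) -> list:
    """Return (anchor text, actual host) for links whose text mentions
    claimed_domain but whose href lands on a different registrable domain."""
    parser = LinkCollector()
    parser.feed(html)
    suspicious = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if claimed_domain in text.lower() and registrable_host(host) != claimed_domain:
            suspicious.append((text, host))
    return suspicious


# Constructed sample: a bill-themed lure with two hotlinks that only look like AT&T.
SAMPLE_EMAIL = """
<p>Your AT&amp;T bill of $920.30 is ready.</p>
<a href="http://compromised-site.example/att/bill.html">View your bill at att.com</a>
<a href="https://www.att.com/help">Help at att.com</a>
<a href="http://another-victim.example/stats.php">Manage your account at att.com</a>
"""

if __name__ == "__main__":
    for text, host in find_deceptive_links(SAMPLE_EMAIL, "att.com"):
        print(f"deceptive link: '{text}' actually goes to {host}")
```

Only the link text is matched against the claimed domain, so a genuine `https://www.att.com/help` link passes while the two hotlinks pointing at unrelated hosts are reported; the same approach works for any brand name the lure impersonates.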
With the RSA Conference and Security B-Sides San Francisco just around the corner, I’d like to invite readers of the blog to a webinar I’m cohosting tomorrow morning with Sonicwall’s Daniel Ayoub. The talk, titled Today’s Threats Are Overachievers–Are You Prepared to Respond, will feature a deep dive into examples of really fresh malware attacks and their aftermath.
The talk topic is especially intriguing because Sonicwall’s technology is capable of eliminating the vast majority of known threats that traverse a network. However, modern threats evolve more rapidly than the speed at which even the best systems can adapt and block those threats. Those infections which make it through the sieve are more dangerous, because once they run the gauntlet, their presence may remain concealed for some time, posing an ever-greater risk. The current threat climate is such that being prepared to respond to an attack is fast becoming a requirement, a must-do rather than a nice-to-do. Having a complete, easily searched, reconstructable record of network traffic makes it easy to answer the “how long” and “what was stolen” questions that keep IT people awake at night.
If you’re interested in learning about the intersection of social engineering and malware techniques, and what you can do about it, come and check it out. For those following along on Twitter, please use the hashtag #solera if you post about it. Thanks!
A small trickle of badly-malformed spam email turned into a flood last week as hundreds of copycat messages per minute flooded inboxes we use to collect samples. The malware delivered by the spammed links isn’t your garden variety bank phishing Trojan. This one has its eyes on a specific prize: It wants the credentials for online banks that cater specifically to business users — both the employees’ passwords and those of the banks’ customers.
The campaign, covered in its early stages in the previous post, employs Google’s shortlinking service, goo.gl. The exploit, delivered at the other end of that shortlink, rapidly snares victims. In several test runs, the victim computer was infected in well under 30 seconds.
The first malware payload appears to function as a traffic controller of sorts, helping guide additional payloads to the victim PC. It does this work at the behest of a botmaster using 95.57.120.104, an IP address that geolocation services place in Kazakhstan. The malware communicates with its command-and-control server using SSL encryption, but we have a secret weapon: We can decrypt your CnC traffic, and we see what you did here.
LinkedIn Blackhole Spam Fails the Smell Test
Looks like someone’s spam campaign got up on the wrong side of the bed this morning: A badly malformed message appears to be trying to convince the reader it originates with LinkedIn, the business-centric social network.
Hardly any message at all, the spam body consists entirely of ReportIDA161580AD75, which precedes a goo.gl shortlink. The laughable pidgin-English quality of the spam’s subject – last login was Failed xxxxxxxxxxxxx — breaks the illusion completely. The fact that whoever sent this didn’t even try to mask the message’s true origin (a Yahoo mail account) just makes this kind of sad, really.
And yet, on any campaign such as this, some people will be taken in by this phony, broken-down soundstage of a ruse, peeling paint and all. And when that happens – when those likely victims click the wrong link in the wrong spam, on a computer with a vulnerable browser, and do so quickly enough to hit the malicious Web site while it’s still online – well, it’s a bit like this.
Digitally Signed Rogues: As Dumb As The Rest
Both the installer and payloads of a rogue system utility named System Restore (a type of fraudulent software that, in this case, is named exactly like the Windows system utility) sport an unusual characteristic: a digital signature. Digitally signed Trojans such as these are less rare than they used to be, but still unusual, so it was notable that the entire soup-to-nuts infection package being delivered to victims since November uses signed executables.
The rogue installer was delivered by a spam email claiming to originate with the US postal service. The message’s attachment is, allegedly, a PDF document with details about a failed delivery. Of course, as you can see at right, the “PDF documents” are just executable files with an Adobe Reader icon (from the Adobe Reader program, not the icon used by a real PDF document).
One theory that attempts to explain why they’d go to the trouble goes something like this: Some network admins set security policies that only permit digitally-signed executable files to traverse the networks they control. But these policies don’t actually check the validity of the certificates, only that the code itself is signed. Therefore, even invalidly-signed code could, in this hypothetical situation, bypass this rudimentary policy check.
I’m not sure I buy into that. I want to believe that CSOs and IT admins know that such a policy is brain-dead, but you have to assume there’s a reason the malware creator would go to the trouble to generate crypto keys and go through the signing process. However, because we’re talking about subgenius-class malware creators here, it’s not as if this new “feature” bypasses any real security checks. In fact, the certificate is demonstrably false, but it’s only clear this is the case if you go looking for the information.
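To make the difference between the “brain-dead” policy and a real one concrete, here is an added example (not code from the original post) that models both checks side by side. Real code signing uses X.509 certificates and Authenticode; this model uses HMAC-SHA256 as a stand-in so it runs on the standard library alone. The signer names, keys and file contents are constructed for the example.

```python
"""Presence-of-signature policy versus verify-against-a-trust-store policy
(added example; HMAC stands in for Authenticode, all names/keys constructed)."""
import hashlib
import hmac
import os

# Trust store: signer name -> verification key. Only these signers are trusted.
TRUST_STORE = {
    "Example Corp Code Signing": b"example-corp-secret-key",  # constructed key
}


def sign(contents: bytes, signer: str, key: bytes) -> dict:
    """Produce a 'signed executable': payload plus a signature block.
    Anyone with any key can call this, just as anyone can self-sign a binary."""
    digest = hashlib.sha256(contents).digest()
    return {
        "contents": contents,
        "signer": signer,
        "signature": hmac.new(key, digest, hashlib.sha256).hexdigest(),
    }


def naive_policy_allows(executable: dict) -> bool:
    """The flawed policy from the theory above: a signature block is present,
    so the file is waved through."""
    return bool(executable.get("signature"))


def strict_policy_allows(executable: dict) -> bool:
    """The policy that matters: the signer must be in the trust store and the
    signature must verify over the file's actual contents."""
    key = TRUST_STORE.get(executable.get("signer", ""))
    if key is None:
        return False  # unknown or self-issued signer, however well formed
    digest = hashlib.sha256(executable["contents"]).digest()
    expected = hmac.new(key, digest, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, executable.get("signature", ""))


def evaluate_samples() -> dict:
    """Run both policies over a legitimate binary, a rogue signed with the
    attacker's own freshly generated key, and a legitimate binary altered
    after signing. Returns {name: (naive_allows, strict_allows)}."""
    legit = sign(b"MZ...legitimate updater...",
                 "Example Corp Code Signing", TRUST_STORE["Example Corp Code Signing"])
    rogue = sign(b"MZ...rogue 'System Restore' installer...",
                 "Totally Real Software Ltd", os.urandom(32))  # attacker's own key
    tampered = dict(legit, contents=legit["contents"] + b"\x90")
    return {
        name: (naive_policy_allows(exe), strict_policy_allows(exe))
        for name, exe in (("legit", legit), ("rogue", rogue), ("tampered", tampered))
    }


if __name__ == "__main__":
    for name, (naive, strict) in evaluate_samples().items():
        print(f"{name:9s} naive policy: {naive!s:5s} strict policy: {strict}")
```

The rogue passes the naive check simply because it carries a signature block, exactly the hypothetical bypass described above; the strict check rejects it because the signer is not trusted, and also rejects the tampered file because the signature no longer matches the contents. On Windows the equivalent of the strict check is inspecting the signature’s validation status and signer chain, not merely whether a signature exists.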
Security Resolutions for 2012 and Beyond
Welcome back to the office, everyone (except postal and some bank workers). The first Monday after the new year is a great time to jot down a quick list of business-related resolutions. You can even put them into your calendar app, if you’re so inclined, to give yourself an extra nudge.
Here are my (security-themed) new year’s resolutions for 2012:
- I’ll change my passwords at least once a month
This one could be tough, though not because it’s hard to remember: I’m going to schedule the reminder in my phone’s calendar. For my own sake, the password itself has to meet some stringent standards, including a minimum length and some diversity of character types. What’s tough is the sheer number of passwords this entails. I already use a different password for each of my various online accounts, but the idea of changing them all, so often, seems daunting.
It has to be done, but fortunately, you don’t have to do it alone. In my case, I’m also going to rely heavily on a biometric finger scanner, helpfully preinstalled in the bezel of my laptop, and some third-party password manager software to keep up. You could also use a password manager like KeePass, which generates an optional password “best before” date, to keep you honest.
I’m doing this today, so listen up, any criminals who might have been handed on a platter – ahem, stolen – or audio-captcha-cracked any of my ‘victim test account’ passwords: use ‘em if you got ‘em.
A Visit from Cyber Nicholas
T’was the night before Christmas, and all over the ‘net
hardly a packet was stirring; Well…’bout 6 gigs a sec.
The Internet background noise whizzes nonstop
– even after the last Admin has punched off the clock.
But buried deep in that noise was a stray protocol.
A command-and-control message within the firewall.
A lone zombie replies to a ping and chirps out
secret signals, to a group who carry some clout.
Legion elves, running ops, scan the networks they’ve pwned;
Seek out mischief, find the troublemakers entrenched in their zones.
With this singular mission they tap at their keys,
and run nmap with umit, and Nessus, as they please.
While sniffing the wires and logging results,
the elf Red Team trades barbs and exchanges insults.
Not with other elves, but with their botmaster rivals,
who work feverishly to pump out some network denials.
For the malware guys knew Santa’s spies were inside,
and they knew their activities they couldn’t hide.
The fat man frowns on phishing, spam attacks,
and false accusations of unpaid income tax.
The bad guys fired off withering DDoS volleys
hoping their adversaries wouldn’t recover from the follies.
But the wily elves weren’t put off by that distraction,
and launched, in return, their own group action:
A packet flood of Christmas cheer so profound
it drove the cybercriminals deeper underground.
It killed all their malware, delisted bad ISPs,
and brought the miscreant operators to their knees.
And today we give thanks to those noble cyberelves,
who took it upon their little elf-hatted selves
to do battle with bad nerds in the middle of the night,
so we could sleep soundly, for once, and with no end in sight.
– Andrew Brandt
(with apologies to Clement Clarke Moore)
If you know me, you know I’m not really prone to spreading security FUD. I’ve been asked to prognosticate a bit about the near-term future, and I have to say, without intending to sound like a fearmonger, the next year is shaping up to be pretty messy from a security perspective. I have a hard time finding any silver linings to the massive storm clouds that seem to hang all around and on top of us.
Right now, the climate for attacks is just brutal. Based on what I’ve been seeing since Halloween, if the pace and volume of attacks keep up, the coming year doesn’t look like it’s going to be pretty. Rampant spam-driven attacks, multiple manifestations of classic social engineering scams, corporate espionage, and malware malware malware look to be on the table for 2012. It was hard to winnow my worst-of-the-worst list down to only five items, but I had to draw the line somewhere, and it seems like a nice, round number.
So, with that in mind, click through the jump to read my top five threats to watch for in 2012.
Someone in the office stumbled upon the domain name Firefox.io and passed the info along to me. Apparently, the person had mistyped the domain name of a Web site (one unrelated to Firefox), adding an extra character. The domain he ended up on was parked (registered but unused); however, one of the ads that loaded on the parked page opened a popunder ad, which redirected this person’s browser to a page on Firefox.io.
This is what he found. I dunno…looks bogus to me. It resembles a really, really out of date Firefox installer download page.
The .io top-level domain, by the way, belongs to the British Indian Ocean Territories, and it is administered from a charming village in England. At least, that’s where they pick up their mail. Not so with Firefox.io.