Adobe Acrobat Hit Again

It’s true.

Adobe Acrobat is vulnerable once again. This is getting ridiculous. They have enough money to buy up software companies, yet they can’t invest the time and money to harden their existing products?

They worked so hard to get everyone to use their software. It’s standard on computer installs now. Who doesn’t have Adobe Acrobat Reader on their computer?

With this latest “hole”, I’ve started looking for alternatives and I’ll let you know if and when I find one. But on reflection, I’d rather stay with a company that is solidly locked into the software market and has a lot to lose if it doesn’t fix its vulnerabilities, than with one that might be a fly-by-night operation and leave me standing out in the cold.

Many in the security community have even coined an acronym for this scenario – YAPE (Yet Another PDF Exploit). You know things are bad when the security community assigns an acronym to it.

Adobe is again recommending that you disable JavaScript in Adobe Acrobat. If you followed my instructions last time, you still have JavaScript disabled, so you’re safe. If for some reason you didn’t read my last warning about Adobe Acrobat, here are the steps to follow:

To turn off JavaScript, follow these steps:

  1. Launch Adobe Acrobat Reader
  2. Select Edit -> Preferences
  3. Select the Javascript category
  4. Uncheck the “Enable Acrobat Javascript” option
  5. Click “Ok”

It raises the question, “Why does anyone need JavaScript in a reader for locked files anyway?” To me, it’s technology looking for a reason to exist.

When Adobe first introduced the JavaScript capability, I looked for a way to turn it off. I don’t need it. I don’t want something in my software that allows other people to control what I’m doing.

As of this writing, Adobe is working on a patch. All versions of Adobe Acrobat, on every platform (Mac, Linux and Windows), are vulnerable.

I will keep you updated on this situation or you can follow it on Adobe’s website here:

As always, I recommend you apply the patch as soon as it becomes available, because this exploit allows an attacker to remotely execute commands on your computer and the exploit code is already available.

Our honeypots have not detected any new waves of infectious PDFs in the wild – yet. But as sure as, well, you know, they will be forthcoming.

Please feel free to pass the link to this posting to your friends and family.


The Internet Explosion

According to research, there are approximately 162 million websites on the Internet as of April 2008. To put this into perspective, in 1996 there were only 100,000.

Talk about a meteoric rise.

The cause of this growth has many roots.

First, there are Internet Marketers (IMs) promoting “how to make money online”. This of course requires a website, or more than one. Frequently IMs suggest you should have several websites, referred to as “micro” sites. Micro sites are nothing more than websites with one or two pages that get people interested in a “micro” niche to click over to your main site.

These micro sites are targeted with very specific, narrowly focused keywords to draw people in.

With unemployment so high, many people are looking to make money online, so the ranks of the IMs grow constantly, which means the number of websites grows as well.

Secondly, (notice I didn’t use “firstly” above – ugh) we have software makers pumping out “design a website in 30 minutes or less” products.

This makes many non-web developers think they can become web developers with no proper training. Many of the people in this category will remain self-proclaimed web developers and actually do more harm than good.

Also in this category we have many IMs creating websites that offer to help create websites – “with little or no training.” This is scary. Productive, but scary.

Note: Even my daughter has a website as a Math Teacher and my wife’s Aunt has developed a website for their vacation property. Their self-education is never ending and should be applauded. Both of these websites are under constant watch by me so I know they’re safe. [wink]

Third, we have the huge blog explosion.

There are so many blogs that Google has a separate category for searching through blogs on their Google Toolbar. (I know this because I use it frequently.)

Why all of this concern about how many websites there are and how easy it is to create them?

I’m glad you asked.

This phenomenal growth of epic proportions has opened the door to cybercriminals. (You knew I was going to bring this around to hackers didn’t you?)

Really, it has.

Think about it. When the automobile was in its infancy and people could buy them without understanding them, owners had to bring them to specialists to fix them. Then as the market matured, people learned how to fix them themselves. Markets flourished with “how-to” books and auto parts stores.

In today’s world, auto mechanics are PhDs and knowledgeable in all things mechanical, electrical and electronic – the market has gone full circle. Once again fixing an automobile requires a specialist.

The Internet is the same way.

In the beginning web developers were in charge. The world couldn’t produce enough of them as the “dot com” bubble grew and grew and grew. The software tools weren’t what they are today. In 1998 you couldn’t take a course in Web Development – they simply weren’t offered.

Today, you can’t even watch the news on TV without the newscasters talking about following them on Twitter or Facebook. I see people at the gym on the treadmills using their cellphones to keep up on their Facebook friends. The Internet has reached epic proportions.

What the courses in Web Development don’t teach however is how to design a website that can’t be hacked. This is the real tragedy of this incredible growth.

Hackers know that with a potential pool of 162 million websites, they’re going to find many vulnerable to one of their attack methods. Cybercriminals know that many websites are created by non-specialists.

That’s not to say that every compromised website serving malscripts to every Tom, Dick and Harry is the fault of web developers – it isn’t. But even many experienced web developers lack proper security training.

Would you change your brake pads without bleeding the brake lines? (My father-in-law says “no”) Any good mechanic would tell you that just isn’t smart. That wouldn’t be safe.

We’ve been seeing phenomenal growth in the number of websites serving up malscripts. Malscripts are scripts written by hackers and inserted into legitimate websites; they do nothing more than infect visitors with some remotely stored virus that gives the hacker remote control of the infected computer.

We frequently see requests like this in public forums and blogs:

“About a week ago Google posted a “this website might be harmful” message with our website listing. After review we have found out that someone has added damaging code to our software. We have been told it is http://removeddomain/E/J.JS/

Is there anyone out there that has experienced or knows this code and has advice on how to find and fix the problem? This is causing damage to our good name and service.”

The guy who owns this website is trying to conduct business on the Internet and hackers decide to make money off of him and in the process damage his company’s good name and service.

Now don’t you think that someone should have been watching that website? His concern is about his company and his reputation online but what about those who visited his website? Many of them probably don’t even know that just by visiting his website they were subjected to a computer infection.

Would you drive your car for years without ever bringing it in for service? Don’t you depend on those little indicator lights on your dashboard that tell you when your car needs servicing?

Why website owners aren’t more vigilant about their websites will remain a mystery to me. I guess many of them are so focused on their business that they don’t think about their website getting hacked.

That’s just my opinion.

Well, enough.

This rant will be closed with this erudite philosophy (thanks Ed):

“There is much to be said for modern journalism. By giving us the opinions of the uneducated, it keeps us in touch with the ignorance of the community.” (Oscar Wilde)

The above post is my opinion – uneducated or not. You have now been kept in touch with the ignorance of the community.


Don't Open That File!

Yes, just when you thought it was safe to open Adobe Acrobat files (with a .pdf extension), it’s not.

Everyone who reads this should update their Adobe Acrobat Reader here:

Hackers (or, as some prefer, cybercriminals) have found a new way to use PDFs to infect computers (CVE-2009-0927). By using a legitimate website, or websites, hackers can reach many more unsuspecting web users.

What the cybercriminals are doing is finding legitimate websites they can hack and replacing any PDF files with their infectious PDFs. Some websites have various forms they use for reports, registrations or any of a number of uses. Anyone who opens such a PDF, either on screen or by downloading it and then opening it, will be subjected to this exploit and could face infection.
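A quick first check a website owner can run over the PDFs hosted on a site, added here as an example and not code from the original post: it counts the PDF names that carry script or auto-run actions, after undoing the #xx hex-escaping that obfuscated files use to hide those names. The sample PDF bytes are constructed for the demo and the placeholder script does nothing.

```python
import re

# Names worth a closer look: script, auto-run and launch actions.
WATCHED = ("JavaScript", "JS", "OpenAction", "AA", "Launch")
# A name ends at whitespace or a PDF delimiter; the lookahead keeps /JS from matching /JSX.
NAME_RE = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch)(?=[\s()<>\[\]{}/%]|$)")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Undo #xx hex escapes in PDF names (e.g. /J#61vaScript -> /JavaScript)."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf_bytes(data: bytes) -> dict:
    """Count watched names; flag the file if any appear, and note script wired to auto-run."""
    counts = {name: 0 for name in WATCHED}
    for m in NAME_RE.finditer(normalize_names(data)):
        counts[m.group(1).decode("ascii")] += 1
    has_script = counts["JavaScript"] + counts["JS"] > 0
    auto_run = counts["OpenAction"] + counts["AA"] > 0
    return {
        "is_pdf": b"%PDF-" in data[:1024],
        "counts": counts,
        "flagged": any(counts.values()),
        "auto_runs_script": has_script and auto_run,
    }


# Constructed sample: a tiny PDF whose catalog auto-runs a placeholder JavaScript action,
# with one name hex-escaped the way obfuscated files often hide it.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Type /Action /S /J#61vaScript /JS (constructed placeholder) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_PDF), ("clean", CLEAN_PDF)):
        print(label, scan_pdf_bytes(blob))
```

A hit is a reason to open the file in a sandbox or compare it with the copy you originally uploaded, not proof of infection: some legitimate forms do use JavaScript.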

Frequently the infected webpage is designed to open automatically when you visit the page. Rarely will the website owner know they have an infectious website. Often the infectious website won’t actually contain the malicious code: the webpage will have a line of JavaScript that downloads the malicious code from some server in a land far, far away.

I usually hear people saying, “I scanned my website with 5 different anti-virus programs and nothing was detected.”

While this doesn’t hurt, rarely will such a scan find the infected webpage, because only the JavaScript code that “reaches” out to the far-away server is on the webpage – and it’s heavily encrypted to avoid easy detection. The actual virus or other malicious code is located on their server, and often it’s polymorphic – it changes its shape and size each time it’s downloaded to a user’s PC. This “strategy” helps the infectious code evade detection by most anti-virus programs.

Hacking of a legitimate website is nothing new in distributing malware as I’ve written about numerous times in other blog postings here.

Update your Adobe Acrobat Reader now!

Let’s be careful out there, huh?

Thank you.


Paul McCartney's Web Site Hacked – "Back in the USSR"

Yes, it’s true. The rock ’n’ roll icon Paul McCartney had his website hacked. (This attack didn’t necessarily originate in Russia, but I couldn’t refuse the obvious opportunity.)

It’s amazing how certain hackings follow the news. It was just a couple of days ago that I was watching the news on TV (yes, that old, outdated medium) and learned that Paul McCartney and Ringo Starr were going to get back together for a “reunion” tour.

The website hacking could have been purely coincidental, as the toolkit planted on his website, Luckysploit, has been used in many, many recent website malware distributions. It could be that the cybercriminals behind this exploit just happened to find this site vulnerable to their latest attack. I believe it’s irrelevant how or why; their timing was impeccable.

This is another example of social engineering used successfully to infect more computers.

Think of the millions of Beatles fans (my father-in-law is one of them – a fan, not a virus victim) hearing about this reunion and flocking to Mr. McCartney’s website to find out where the concerts will be performed, only to find out at the next anti-virus scan that they’ve been compromised by a virus that steals bank logins and passwords.

The nerve of these hackers. Using something so “in the news” to lure millions of people to infectious websites that have been planted with malicious code, appearing to be legitimate websites, for the sole purpose of delivering a virus that is currently evading detection by many anti-virus programs.

Is there no shame?

This attack is being carried out by the Zeus botnet. Yes, while everyone was watching out for Conficker, many forgot about the other botnets out there.

It’s easy to spot the infectious malware code in the “source” of the web page. All you have to do is look for something that’s impossible to read, because it has been encrypted and obfuscated to avoid easy detection. Luckily for us, we don’t look for specific infections while scanning websites. Our systems are based on any change to a website. We pay close attention to changes that include specific keywords, but our alert system fires on any change made to a website.
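The change-based approach described here, and the hard-to-read “reach out to a far-away server” JavaScript from the “Don’t Open That File” post above, sketched as an added example that is not WeWatchYourWebsite’s own code: the whole page is hashed so that any change at all raises an alert, and any inline script that was not in the baseline is then rated by the keywords it uses and by its character entropy. The HTML, the keyword list and the entropy threshold are constructed and assumed for the demo.

```python
import hashlib
import math
import re
from collections import Counter

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
# Constructions that deserve extra attention when they show up in a change (assumed list).
WATCH_KEYWORDS = ("eval(", "unescape(", "document.write(", "fromCharCode")


def shannon_entropy(text: str) -> float:
    """Bits per character; packed or encrypted blobs sit well above plain markup."""
    if not text:
        return 0.0
    counts, n = Counter(text), len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def fingerprint(html: str) -> str:
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def check_page(baseline: str, current: str, entropy_threshold: float = 4.8) -> dict:
    """Alert on ANY change to the page (hash mismatch); then rate each new inline script."""
    seen = {s.strip() for s in SCRIPT_RE.findall(baseline)}
    suspicious = []
    for body in SCRIPT_RE.findall(current):
        body = body.strip()
        if body in seen:
            continue  # already on the page when the baseline was taken
        hits = [k for k in WATCH_KEYWORDS if k in body]
        ent = shannon_entropy(body)
        if hits or ent > entropy_threshold:
            suspicious.append({"keywords": hits, "entropy": round(ent, 2), "preview": body[:40]})
    return {"changed": fingerprint(baseline) != fingerprint(current),
            "suspicious_scripts": suspicious}


# Constructed sample: the owner's real page, then the same page with one injected script.
# The injected blob is inert (it decodes to the word "constructed"); it only has the shape
# of the obfuscated loader scripts the post describes.
BASELINE_HTML = """<html><body><h1>Tour dates</h1>
<script>document.getElementById('year').textContent = '2009';</script>
</body></html>"""
INJECTED_HTML = BASELINE_HTML.replace(
    "</body>",
    '<script>eval(unescape("%63%6f%6e%73%74%72%75%63%74%65%64"))</script></body>')

if __name__ == "__main__":
    print(check_page(BASELINE_HTML, BASELINE_HTML))  # unchanged: nothing to report
    print(check_page(BASELINE_HTML, INJECTED_HTML))  # changed, one suspicious script
```

In practice the baseline is refreshed only after a human has reviewed a change; the hash catches everything, and the keyword/entropy rating just decides how loudly to alert.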

Once again the cybercriminals use a popular event to spread their malware. This particular infection will steal banking credentials, which are then sold on the open black market. This is one of the cybercriminals’ profit centers. They have many.

Be careful when using the Internet, you never know if you’re getting more than you bargained for.

Other Beatles songs that come to mind, with my sub-titles:

“Do You Want to Know a Secret” (about my malware)

“Don’t Ever Change” (my website)

“Don’t Let Me Down” (please click on this infectious link)

“Eight Days a Week” (and I’ll infect you every one of them)

“Everybody’s Got Something to Hide Except Me and My Monkey” (okay maybe my monkey has some malware to hide too)

“Fixing a Hole” (in your website)

“Free as a Bird” (free as in free malware)

“From Me to You” (more malware from me to you)

“Get Back” (to where you can get infected)

“Got To Get You Into My Life” (so I can hack you some more)

“Help!” (I need the services of WeWatchYourWebsite)

“I Am the Walrus” (I live in Belarus) (okay, you find something that goes with Walrus)

I could go on, but the Beatles wrote a lot of songs and I need to save server space.

Let’s be careful out there…


What Conficker was – and wasn't

Well, the big April 1st “dooms day” has come and gone.

I’ll admit that even though we really didn’t think anything malicious was going to happen, we did add a Conficker scanner to The Box (our security appliance at so we could scan our clients’ systems.

Let me explain our thinking. We’ve been following Conficker all along the way. From the first strain to the most recent, we’ve been watching with our honeypots – collecting data and samples and determining what could happen. We’ve seen the changes, what it does and how it communicates with its “mother ship” while waiting for its next set of instructions.

When news of Conficker hit mass media, (60 Minutes did a piece on it) our non-technical gut feeling was that the cybercriminals wouldn’t actually do anything malicious with their code. There was too much public awareness.

Keep in mind that if they had, they could have created some real havoc on the Internet. Some experts (my Dad’s definition of an expert: an “ex” is a has-been and a “spurt” is a drip under pressure) estimate that anywhere from 10 million to 100 million PCs are infected with Conficker.

If a cybercriminal or a group of cybercriminals has remote control of that many PCs and decides to launch an attack against some of the main Internet servers, they could overload them with so much bogus traffic as to make them basically inaccessible.

Now, if they attacked the main DNS servers on the Internet (the servers that convert domain names to IP addresses), could they slow down or shut down the Internet? Possibly.

However, nothing happened.

Or did it?

What actually happened might be exactly what the cybercriminals wanted.

How many of you did Google searches for Conficker over the past week (the week before April 1)?

Many, many (our research showed over 1.7 million) people searched for “conficker scanner”, “conficker removal”, “remove conficker”, “find conficker” and numerous other terms.

Did you realize that many of the search results were offering solutions that actually infected your PC? Many of the websites that were displayed as a result of those search terms were created by the cybercriminals!

Could this have been the real intention of the cybercriminals? If so, this could be the biggest social engineering hack of all time. We examined many of these sites and found that a number of them (64%) were selling Conficker scanners and removal tools. All of these “tools” we found were actually RATs (Remote Access Trojans), which gave the cybercriminals remote control of the PC they were installed on.

And, “they” (the cybercriminals) got you to pay for it!

Are these guys geniuses or what?

Many of the sites that weren’t selling bogus removal tools tried to infect any PC that visited them. These infected sites used a variety of sneaky methods to infect PCs. One instance we found actually tried 17 different attacks on every PC visiting its infectious website.

If you’ve been following us, you know that legitimate websites serving malware are increasing. This, coupled with infected websites serving malware, makes the Internet a very dangerous place.

Fortunately for all of our clients with The Box, they don’t have to worry about things like this because The Box doesn’t allow downloads from non-whitelisted websites. What a concept.

That’s what Conficker was and what it wasn’t.

Anyone have comments? (comments that aren’t SPAM)