By

Let’s be careful out there

If you’ve read anything online, undoubtedly there have been headlines about exploits, vulnerabilities, identities stolen and other compromises.

Are you one of the 9.3% using Internet Explorer 10 (IE10)? Hopefully, you keep your software updated, as Microsoft did squeak in a patch last Tuesday. However, if you haven’t, please stop reading this and update it and all other Microsoft patches immediately.

FireEye recently found a combination of watering-hole attack and drive-by download that utilizes the exploit in IE10.

You don’t know what a watering-hole attack is?

Let’s say the hackers find an exploit in a particular browser and they want to use that to infect the computers of people most likely to use that browser. They will find one or more websites that focus on that particular group of people. The hackers will then try to infect those websites with some drive-by download code. This means that anyone visiting those websites will be subject to the download which will infect their computer.

After the websites have been infected with the drive-by download code, hackers will blast out a series of SPAM emails that include a link to one of their infectious sites. The SPAM will be targeted to people in the targeted industry. This is called a watering-hole attack.

Just so you don’t think I’m focusing on Microsoft, these same types of attacks happen on FireFox, Chrome and yes, even on Macs.

Your best defense against these and other attacks is to keep your software updated – constantly. This doesn’t mean just your browser, but all Adobe products, your operating system and all other software programs installed on your computer.

April of 2014 will see the end of support for Windows XP and Office 2003. If you haven’t upgraded these yet, you should make plans. Without support from Microsoft, you will no longer get updates to that software. Hackers know there will be many people refusing to upgrade so not upgrading will make you the “low hanging fruit” for hackers.

In addition to keeping your software updated, please let everyone you know to use strong passwords. This cannot be emphasized enough. About 30% of the websites we clean are the result of compromised passwords. Make it at least 9 characters long and DO NOT use common, related words.

A recent informal survey we conducted shows that many passwords end with either the year, 123 or the exclamation mark (!). If this sounds familiar, please change your passwords immediately.

One other key point that we’ve been “pushing” for some time now is to schedule daily full system scans with your anti-virus software.

Here’s why.

If the anti-virus company finds a new virus “in the wild” on Monday, they will analyze it and create a rule to detect that virus. Then on Tuesday, you update your anti-virus software – either automatically or manually, this means your computer is protected from getting infected by that virus from Tuesday moving forward. However, if your computer was infected by that virus on Monday, your anti-virus program won’t remove it until you run a full system scan.

That’s why it’s critical that you run full system scans – EVERY DAY!

If you have any questions, please either email me at: traef@wewatchyourwebsite.com or post a comment.

Let’s be careful out there, huh?

Thank you for reading.

By

Internet Storm Center sets Threat Level to Yellow

Due to the appearance of exploits targeting the vulnerabilities in Internet Explorer 8 and Internet Explorer 9, Internet Storm Center (http://isd.sans.edu) has raised the Threat Level to Yellow.

You can read their write-up here:

https://isc.sans.edu/forums/diary/Threat+Level+Yellow+Protection+recommendations+regarding+Internet+Explorer+exploits+in+the+wild/16634

As always, update your browsers daily.

You know hackers will be infecting websites with code that will be targeting this vulnerability. This means that if your website is infected, anyone visiting your site while using Internet Explorer 8 or 9 could have their computer infected.

Please post back if you have any questions or comments.

Thank you.

 

By

The new Attack – d0lphin.biz

We recently came across a number of websites that have been injected with malscript iframes that load malware from d0lphin.biz. Following is our report on this attack.
 
Cybercriminals appear to be using their network of infected PCs to modify “hacked” websites and turning them into infectious websites – attempting to infect many more PCs.
  
This attack appears to only infect index pages; index.htm, index.html, index.php. That’s all we’ve seen thus far.
 

The malicious code that gets injected into these webpages is the following:

body of injected script

Which deobfuscates to:

deobfuscatedscript

The usual iframe malscript parameters: width=1, height=1 style=’visibility:hidden’
 

 What was interesting is that we had to use a valid browser user agent to obtain the in.php file. We used: Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 6.0) as our user-agent string. Other similar user-agents worked as well, but they had to be MSIE and Windows compatible so we knew it had to be a Microsoft specific exploit they (the hackers) were attempting on unsuspecting visitors.

You’ll see from the above iframe that the file it references is in.php. Here is the code for in.php:

 

in.php malscript (click to enlarge)

 

Which deobfuscates to:  

in.php deobfuscated

As you can see, there are 2 other files that this malscript tries to load:

load.php (which is actually a Windows executable)

and

pdf.php (which is an actual PDF file that uses ActionScript to try and infect the visitor’s PC).

 

At the time of our investigation, the malware load.php was only detectable by 2 out of 41 anti-virus companies. Here is the VirusTotal report on that little gem:

load.php VirusTotal Results

 

 

And pdf.php was detectable by 11 out of 41 anti-virus programs. Here is the Virus Total report on that file:

pdf.php VirusTotal Results

 

Inspecting the FTP log files for the infected website we found that the majority of the FTP traffic on the day the infected files were modified was from the following IP addresses:

89.36.84.249 which is Bucharest, Romania
98.209.145.133 which is Michigan, United States
74.211.69.79 which is New Mexico, United States
85.122.6.86 which is Bucharest, Romania
123.236.139.33 which is India
91.105.112.220 which is Great Britain, United Kingdom
96.20.117.224 which is Montreal, Canada
119.171.100.108 which is Tokyo, Japan
71.65.72.159 which is Ohio, United States
97.84.174.241 which is Michigan, United States
 

The interesting thing about this FTP traffic from various places around the world is that the exact same FTP username and password were used. There weren’t any failed login attempts with this username for the prior 6 months so we didn’t feel it was a brute force or dictionary attack on a weak password. This leads us to believe that this infection is another case of compromised FTP credentials.

Another interesting point is that the FTP traffic from these various IP addresses happened within minutes of each other and the number of files transferred from each IP address was 2. It appears from this information that the attackers were using a distributed network of compromised PCs (read botnet) to send the modified files to the website server.

This could be for a number of reasons.

But the one reason that seems most obvious is that the attackers know many people try to block their IP addresses. By using a botnet of remotely controlled PCs a website owner would have to block dynamic IP addresses. Would you block a range of IP addresses from a DSL connection in the United States? Probably not.

Having a website means handling traffic from visitors all over the world. If you’re going to start blocking groups of IP addresses, how will you know when you’re blocking innocent visitors? Wouldn’t that hurt your business?

The IP address that d0lpin.biz is hosted on show this for their whois:

 whois-d0lphin.biz

The whois on the domain d0lphin.bz is:

whois-domain-d0lphin.biz

Google’s report on the network hosting d0lphin.biz shows:

google-diags-network

FIRE’s maliciousnetworks.org shows this information for the network d0lphin.biz is hosted on:
 
FIRE-d0lphinNetwork
 
You see that their report shows 2 C&C Servers (Command and Control – the servers hackers use to control their botnets) and 2 exploit servers – both bad stuff.
 
Prevention of this type of attack on your website is simple. Keep your PCs clean of viruses. If want to be sure you’re PC is clean, don’t use an administrator account for your daily activities. If you can’t install software as your currently logged in user, neither can a virus.
 
What’s your thoughts on this new attack? Is there any further information you’d like to know? Let me know…

By

Adobe Acrobat Hit Again

It’s true.

Adobe Acrobat is vulnerable once again. This is getting ridiculous. They have enough money to buy up software companies but yet they can’t invest the time and money to harden their existing products?

They worked so hard to get everyone to use their software. It’s standard on computer installs now. Who doesn’t have Adobe Acrobat Reader on their computer?

With this latest “hole”, I’ve started looking for alternatives and I’ll let you know if and when I find one. But in retrospect, I’d rather stay with a company that is solidly locked into the software market and has a lot to lose if they don’t fix their vulnerabilities, than one that might be a fly-by-night company and leaves me standing out in the cold.

Many in the security community have even coined an acronym for this scenario – YAPE (Yet Another PDF Exploit). You know things are bad when the security community assigns an acronym to it.

Adobe is again recommending that you disable Javascript in Adobe Acrobat. If you followed my instructions last time, you still have Javascript disabled so you’re safe. If for some reason, you didn’t read my last warning about Adobe Acrobat here are the steps to follow:

To turn off Javascript follows these steps:

  1. Launch Adobe Acrobat Reader
  2. Select Edit -> Preferences
  3. Select the Javascript category
  4. Uncheck the “Enable Acrobat Javascript” option
  5. Click “Ok”

It begs the question, “Why does anyone need Javascript in a reader for locked files anyway?” To me, it’s technology looking for a reason.

When Adobe first introduced the Javascript ability, I looked for a way to turn it off. I don’t need it. I don’t want something in my software that allows other people to control what I’m doing.

As of this writing, Adobe is working on a patch. All versions of Adobe Acrobat, on every platform; Mac, Linux and Windows are vulnerable.

I will keep you updated on this situation or you can follow it on Adobe’s website here:

http://www.adobe.com/support/security/

As always, I recommend you apply the patch as it becomes available as this exploit will allow an attacker to remotely execute commands on your computer and the exploit code is already available.

Our honeypots have not detected any new waves of infectious PDFs in the wild – yet. But sure as, well you know, they will be forth coming.

Please feel free to pass the link to this posting to your friends and family.