Java Update Clobbers 29 Security Flaws

October 12, 2010
20 Comments

Oracle today released a critical update to its widely-installed Java software, fixing at least 29 security vulnerabilities in the program.

Most consumers on Microsoft Windows PCs will have some version of Java installed (if you’re not sure whether you have Java or what version might be installed, click this link). Existing users can grab the latest version — Java 6 Update 22 — by visiting the Windows Control Panel, clicking on the Java icon, and then selecting the “Update Now” button on the “Update” tab. If you don’t already have this software, I recommend that you keep it that way.

Per Oracle’s advisory, updates are available for Windows, Solaris and Linux versions of Java. Apple maintains its own version of Java for OS X systems, and typically issues fixes for its version several months after the official Java release.

Be aware that Java’s updater may by default also include free “extras” that you may not want, such as the Yahoo! Toolbar or whatever other moneymaker they decide to bundle with their software this time around, so be sure to de-select that check box during installation if you don’t want the add-ons.

Microsoft Plugs a Record 49 Security Holes

October 12, 2010
2 Comments

Microsoft today issued 16 update bundles to fix a record-breaking 49 separate security vulnerabilities in computers powered by its Windows operating systems and other software.

“Microsoft has broken several of its own Patch Tuesday records this year, but this month far surpasses them all,” said Joshua Talbot, security intelligence manager, Symantec Security Response. “Perhaps most notable this month is the number of vulnerabilities that facilitate remote code execution. By our count, 35 of the issues fall into this category. These are bugs that could allow an attacker to run any command they wish on vulnerable machines.”

McAfee notes that today’s release exceeds the previous record of 34 vulnerabilities fixed in one go, which was first set in October 2009, and again in June and August of this year.

Microsoft said at least eight of the vulnerabilities were publicly disclosed prior to the release of today’s patches. The software giant also fixed one of the two remaining zero-day flaws exploited by the Stuxnet worm, a complex family of malware pegged by researchers as a weapon built to attack industrial control systems embedded in facilities like power and chemical manufacturing plants.

At the top of the critical list is an update for Internet Explorer versions 6 through 8 that plugs at least 10 security holes in the default Web browser on Windows, including two flaws that were disclosed previously. Several of the IE flaws are marked critical even on the latest versions of Microsoft’s products, including IE8 running on Windows 7 systems.

Two updates for versions of Microsoft Word and Excel comprise about half of the vulnerabilities addressed in today’s release.

Today’s fixes are available through Windows Update or by enabling Automatic Update in Windows. As always, if you experience any glitches or problems applying these patches, please drop a note in the comments section.

For more information on the patches, check out SANS Internet Storm Center‘s Black Tuesday roundup, as well as Microsoft’s Security Research & Defense blog.

Update, 3:58 p.m. ET: Several readers have pointed out that Microsoft took the momentous step today of adding detection for the infamous ZeuS Trojan to its Malicious Software Removal Tool. The MSRT is offered alongside Windows updates and if approved will scan host computers once a month for a variety of the most prevalent threats. It will be interesting to chart the impact of this welcome move by Microsoft.

Advertisement

Java: A Gift to Exploit Pack Makers

October 11, 2010
69 Comments

I have long urged readers who have no need for Java to remove the program, because failing to keep this software updated with the latest security patches exposes users to dangerous, ubiquitous attacks. In this blog post, I’ll show readers how attacks against Java vulnerabilities have fast emerged as the top moneymaker for authors of the best-selling “exploit kits,” commercial crimeware designed to be stitched into hacked or malicious sites and exploit a variety of Web-browser vulnerabilities.

Take one look at the newest kit on the block — “Blackhole” — and it is obvious that Java vulnerabilities continue to give attackers the most mileage and profit, and have surpassed Adobe flaws as the most successful exploit vehicles.

I spoke briefly via instant message with the developer of this Blackhole kit (pictured at right), and he assured me that these images were taken from a working installation. The screen shot here shows the administration panel for this exploit pack, which lists the number of hits (хиты) and downloads (загрузки). The statistics show that on average this kit finds a working exploit that it can use to install malicious software on a visiting host about 10 percent of the time.

Granted, as exploit pack administration pages go, this one is very young (13,289 hits at the time this screen shot was taken), but already some patterns emerge from the data. For example, we can see that Java vulnerabilities are by far the most useful, comprising more than 90 percent of all successful exploits.

This pattern is not confined to Blackhole. Have a look at the following three screen shots, taken from the exploit results pages of three different working installations of SEO Sploit Pack, another common exploit kit. All three screen shots clearly show Java vulnerabilities are the most productive, accounting for between 50 and 65 percent of malware installs or “loads” (thanks to Malwaredomainlist.com for help on this).

Continue reading

Bill Would Give Cities, Towns and Schools Same e-Banking Security Guarantees as Consumers

October 7, 2010
45 Comments

In response to a series of costly online banking heists perpetrated against towns, cities and school districts, Sen. Charles Schumer (D-NY) has introduced legislation that would extend those entities the same protections afforded to consumers who are victims of e-banking fraud.

Under “Regulation E” of the Electronic Funds Transfer Act (EFTA) consumers are not liable for financial losses due to fraud — including account takeovers due to lost or stolen usernames and passwords — if they promptly report the unauthorized activity. However, entities that experience similar fraud with a commercial or business banking account do not enjoy the same protections and often are forced to absorb the losses. Organized cyber thieves, meanwhile, have stolen more than $70 million from small to mid-sized businesses, nonprofits, towns and cities, according to the FBI.

On Sept. 29, computer crooks stole $600,000 from the coastal town of Brigantine, N.J.; seven months earlier, computer crooks stole $100,000 from Egg Harbor Township just 20 miles away. In late December 2009, an organized cyber gang took $3.8 million from the Duanesburg Central School District in Schumer’s home state. In that attack, the bank managed to retrieve some of the money, but the district is still missing roughly $500,000.

The same day as the Brigantine breach, Schumer introduced S. 3898, a bill that would extend EFTA’s Regulation E protections to certain local government entities, including municipalities and school districts. The Board of Governors of the Federal Reserve System is to define which entities are included in the categories of “municipality” and “school district.”

Steve Verdier, executive vice president and director of congressional affairs for the Independent Community Bankers of America, said the thinking behind the current law is that banks can absorb the losses from this type of fraud when it happens to consumers because there is usually a comparatively smaller amount of money involved.

“The bank is probably in no better position to protect against this type of fraud than the [business] account holder,” Verdier said. “Whereas consumers may not be as good a position to protect themselves against these types of losses, you would hope a government or school district would have employee procedures to guard against this type of thing. And if the bank is forced to start making good on these losses, that weakens its ability to serve consumers and they’re going to have to price that risk into all of their services.”

Avivah Litan, a financial fraud analyst with Gartner Inc., said there are a number of promising new technologies that banks can make available to their customers that help guard against these attacks, referring to several products that use specially encoded USB keys to load a virtual operating system on the customers computer and encrypt the keystrokes between the bank and the customer.

“Also, why limit this to schools and municipalities? Small businesses have just as much risk as school districts, as do churches for that matter,” Litan said. “So does that mean that small businesses have more resources to deal with this type of fraud than cities and counties do?”

There isn’t much — if any — likelihood that the bill will be acted upon before the November elections, in which case Schumer will need to reintroduce the bill when the 112th Congress convenes early next year.

A copy of Schumer’s bill is here (PDF).

FCC May Confront ISPs on Bot, Malware Scourge

October 6, 2010
59 Comments

The Federal Communications Commissions (FCC) may soon kickstart a number of new initiatives to encourage Internet service providers to do a better job cleaning up bot-infected PCs and malicious Web sites on their networks, KrebsOnSecurity has learned.

Earlier this year, the commission requested public comment on its “Cybersecurity Roadmap,” an ambitious plan to identify dangerous vulnerabilities in the Internet infrastructure, as well as threats to consumers, businesses and governments. Twice over the past few weeks I had an opportunity to chat with Jeffery Goldthorp, associate bureau chief of the FCC’s Public Safety & Homeland Security Bureau, about some of the ideas the commission is considering for inclusion in the final roadmap, due to be released in January 2011.

Goldthorp said there are several things that the commission can do to create incentives for ISPs to act more vigorously to protect residential users from infections by bot programs.

“Along those lines would be something like an ISP ‘code of conduct’ and best practice-oriented approach that ISPs could opt-in to or not, basically a standard of behavior for ISPs to follow when they find that a user of theirs has been infected,” Goldthorp said. “The goal of that would be to clean up the consumer and residential networks. We’re also very interested in trying to figure out if there are rules we have on our books that stand in the way of ISPs being more proactive and creating a safer environment for consumers online.”

In addition, Goldthorp said the FCC is considering ways to encourage ISPs to be more proactive in dealing with malicious Web sites.

“At the server level, we’re looking at doing things that would allow us in an operational role to apply our jurisdiction with ISPs and try to reduce the time to remediation of things like malicious hosts and phishing or spam sites,” he said. “That’s really an area that [the FCC is] doing nothing in right now. We don’t get any information now about what those sites are and what we could do about them. So, we expect that there will be specific things we’d propose on all those areas of the roadmap.”

Prompted in part by the FCC’s request for comment, I wrote a column for CSO Online last month in which I called on the commission to begin measuring the responsiveness of ISPs in quashing malicious threats that take up residence on their networks. One of the ways I suggested the commission could do that is by publishing data about badness on these networks – data that is already being collected by a myriad of mostly volunteer-led groups that monitor this type of activity.

Continue reading

Reader, Acrobat Patches Plug 23 Security Holes

October 5, 2010
30 Comments

A new security update from Adobe plugs at least 23 security holes in its PDF Reader and Acrobat software, including two vulnerabilities that attackers are actively exploiting to break into computers.

Adobe is urging Reader and Acrobat users of versions 9.3.4 and earlier for Windows, Mac and UNIX systems to upgrade to version 9.4 (Adobe says those who can’t upgrade to the 9.x version should instead apply the version 8.2.5 update).

Adobe says one of the 23 flaws fixed by this new version is being actively exploited. A second zero-day flaw corrected by today’s update — a critical vulnerability in Adobe Flash player that the company fixed in a separate update last month for the stand-alone Flash player — also exists in Adobe Acrobat and Reader, although Adobe says it is not aware of any attacks exploiting this flaw in those products yet.

Continue reading

Spam Volumes Dip After Spamit.com Closure

October 4, 2010
11 Comments

Spam trackers are seeing a fairly dramatic drop in junk e-mail sent over the past few days, specifically spam relayed by one of the world’s largest spam botnets – although security experts disagree on exactly which botnet may be throttling back or experiencing problems.

According to M86 Security Labs, the volume of spam has dipped quite a bit, approximately 40 percent since the beginning of the month by the looks of the graphic the company publishes on its site (pictured at right).

M86 says the decrease in spam is due to a rapid drop in activity from the Rustock botnet (see graphic below left), a collection of spam-spewing zombie PCs that experts say is responsible for relaying about 40 percent of all junk e-mail on any given day.

The decline in spam volume comes at about the same time that the world’s largest spam affiliate program — spamit.com — said it would stop paying affiliates to promote its online pharmacy Web sites — on Oct. 1.

Bradley Anstis, vice president of technical strategy for M86, said the most likely explanation is that the person(s) operating Rustock rented the botnet to a number of spamit.com affiliates, and many of those affiliates have not yet switched over to another pharmacy affiliate program.

“To me, that’s the most logical explanation,” Anstis said. “The timing certainly hooks up well, because we started seeing this decline right around the first of October.”

Continue reading

Comcast Pushes Bot Alert Program Nationwide

October 4, 2010
80 Comments

Comcast, the nation’s largest residential Internet service provider, announced last week that it is expanding an initiative to contact customers whose PCs appear to be infected with a malicious bot program.

The Philadelphia-based cable Internet company is expanding nationwide a pilot program that began in Denver last year, which automatically informs affected customers with an e-mail urging them to visit the company’s security page. The system also sends the customer’s browser a so-called “service notice,” a semi-transparent banner that overlays a portion of whatever page is being displayed in the user’s Web browser.

Customers can then either move or close the alert, or click Go to Anti-Virus Center, for recommended next-steps, which for Windows customers includes:

  • Downloading any missing Microsoft security updates.
  • Making sure the customer has some kind of up-to-date anti-virus software running.
  • Downloading and running Microsoft’s malicious software removal tool.
  • Downloading and installing Secunia‘s free Personal Software Inspector tool, a program that periodically scans the user’s computer for missing security updates for commonly used third party applications, such as Adobe Reader, Flash, and Java, and QuickTime.

Continue reading

Hackers Steal $600,000 from Brigantine, NJ

October 4, 2010
29 Comments

Organized cyber thieves took roughly $600,000 from the coastal city of Brigantine, New Jersey this week after stealing the city’s online banking credentials.

The break-in marks the second time this year that hackers have robbed the coffers of an Atlantic County town: In March, a similar attack struck Egg Harbor Township, N.J., which lost $100,000 in a similar intrusion.

Like the Egg Harbor incident and dozens of others documented here, the loot from the Brigantine heist was sent to multiple “money mules,” willing or unwitting people hired through work-at-home job offers to help computer crooks launder stolen cash.

Brigantine City officials said the incident began sometime before 6 p.m. on September 28th, when TD Bank notified city finance officers that multiple wire transfers had been made from its accounts. Brigantine Police’s Lt. James Bennett said in a written statement:

“Unknown person(s) had apparently obtained a user name and password for the city’s main TD Bank account when our finance personnel attempted to login (through either a fake Web page or an undetectable virus). Then several wire transfers were started with amounts ranging from a few thousand to over $300,000, for a total of about $600,000. The last update from TD Bank was that they were able to recall approximately $400,000 in transfers and were working on recalling the remainder. The investigation is being handled by the FBI, New Jersey State Police with the Brigantine Police Department and TD Bank security.”

The attack occurred in the middle of a week in which federal officials announced dozens of arrests and charges against money mules and the organized criminals responsible for orchestrating these types of break-ins. While it’s unclear whether those responsible for the attack on Brigantine were apprehended or charged this week, the method by which the thieves made off with at least some of the loot bears the same fingerprint as past breaches, including the Egg Harbor attack.

Continue reading

Ukraine Detains 5 Individuals Tied to $70 Million in U.S. eBanking Heists

October 2, 2010
19 Comments

Authorities in Ukraine this week detained five individuals believed to be the masterminds behind sophisticated cyber thefts that siphoned $70 million – out of an attempted $220 million — from hundreds of U.S.-based small to mid-sized businesses over the last 18 months, the FBI said Friday.

At a press briefing on “Operation Trident Breach,” FBI officials described the Ukrainian suspects as the “coders and exploiters” behind a series of online banking heists that have led to an increasing number of disputes and lawsuits between U.S. banks and the victim businesses that are usually left holding the bag.

The FBI said five individuals detained by the Security Service of Ukraine (SBU) on Sept. 30 were members of a gang responsible for creating specialized versions of the password-stealing ZeuS banking Trojan and deploying the malware in e-mails targeted at small to mid-sized businesses.

Investigators say the Ukrainian gang used the software to break into computers belonging to at least 390 U.S. companies, transferring victim funds to more than 3,500 so-called “money mules,” individuals in the United States willingly or unwittingly recruited to receive the cash and forward it overseas to the attackers. In connection with the investigation, some 50 SBU officials also executed eight search warrants in the eastern region of Ukraine this week.

Friday’s media briefing at the FBI Hoover building in Washington, D.C. was designed to give reporters a clearer view of the sophistication of an organized crime group whose handiwork had largely escaped broader national media attention until this week. On Wednesday, authorities in the United Kingdom charged 11 people there – all Eastern Europeans – with recruiting and managing money mules. Then on Thursday, officials in New York announced they had charged 92 and arrested 39 money mules, including dozens of Russians who allegedly acted as mules while visiting the United States on student visas.

According to sources familiar with the investigation, the arrests, charges and announcements were intended to be executed simultaneously, but U.K. authorities were forced to act early in response to intelligence that several key suspects under surveillance were planning to flee the country.

SBU officials could not be reached for comment. But FBI agents described the Ukrainian group as the brains behind the attacks. Gordon M. Snow, assistant director of the FBI’s Cyber Division, said the individuals detained by the SBU are thought to have worked with the developer of the ZeuS Trojan to order up custom-made components and versions of ZeuS.

For example, security researchers identified one ZeuS variant that was specific to the Ukrainians known as JabberZeuS because it alerted the gang via Jabber instant message whenever online banking credentials for customers of specific institutions were stolen.

Snow said this week’s law enforcement action was a particularly big deal because of the unprecedented level of cooperation from foreign governments, particularly Ukraine and the Netherlands.

“We worked with legal attachés in 75 countries, and we are very proud of the level of coordination that took place to get this done,” Snow said.

Pim Takkenberg, team leader for the Netherlands Police Agency’s High Tech Crime Unit, said his group played a “small but important role” in helping to identify the hackers by monitoring the miscreants’ use of Dutch infrastructure.

“We helped in connecting all the dots together,” Takkenberg said in a phone interview. “The Netherlands provide for a large portion of the critical internet infrastructure, of which we can monitor certain parts. When criminals are unaware of the fact that they use Dutch infrastructure, that gives us good investigative opportunities. In this particular case we had an interest of our own, since the ZeuS malware made a lot of Dutch victims as well.”

The FBI’s Snow said the investigation began in May 2009, when FBI agents in Omaha, Neb. were alerted to automated clearing house (ACH) batch payments to 46 separate bank accounts through the United States.

I will continue to follow this important story in the days ahead, particularly as more information about the Ukrainian suspects is made public. Stay tuned.