BLADE: Hacking Away at Drive-By Downloads

February 22, 2010

The online version of Technology Review today carries a story I wrote about a government funded research group that is preparing to release a new free tool designed to block “drive-by downloads,” attacks in which the mere act of visiting a hacked or malicious Web site results in the installation of an unwanted program, usually without the visitor’s consent or knowledge.

The story delves into greater detail about the as yet unreleased software, called “BLADE,” (short for Block All Drive-By Download Exploits). That piece, which explores some of the unique approaches and limitations of this tool, is available at this link here.

As I note in the story, nearly all of the sites that foist these drive-by attacks have been retrofitted with what are known as “exploit packs,” or software kits designed to probe the visitor’s browser for known security vulnerabilities. Last month, I shared with readers a peek inside the Web administration panel for the Eleonore exploit pack — one of the most popular at the moment.

The BLADE research group has been running their virtual test machines through sites infected with Eleonore and a variety of other exploit packs, and their findings reinforce the point I was trying to make with that blog post: That attackers increasingly care less about the browser you’re using; rather, their attacks tend to focus on the outdated plugins you may have installed.

Phil Porras, program director for SRI International — one of the research groups involved in the project —  says that so far none of the exploit sites have been able to get past BLADE, which acts as a kind of sandbox for the browser that prevents bad stuff from being written to the hard drive. Yet, because the tool allows the exploit but blocks the installation of the malicious payload, the group has been able to collect a great deal of interesting stats about the attacks, such as which browsers were most often attacked, which browser plugins were most-targeted, and so on.

The following graphs were taken from the latest version of BLADE’s evaluation lab, which is constantly updated with results from new exploit sites. The charts below show the breakdown from 5,154 drive-by download infections blocked by BLADE.

Continue reading

ZeuS: ‘A Virus Known as Botnet’

February 19, 2010

As a journalist who for almost ten years has sought to explain complex computer security topics to a broad audience,  it’s sometimes difficult to be picky when major news publications over-hype an important security story or screw up tiny details: For one thing, Internet security so seldom receives more than surface treatment in the media that the increased attention to the issue often seems to excuse the breathlessness with which news organizations cover what may seem like breaking, exclusive stories.

The trouble with that line of thinking is that an over-hyped story tends to lack important context that helps frame the piece in ways that make it more relevant, timely, and actionable, as opposed to just sensational.

I say this because several major media outlets, including The Washington Post and the Wall Street Journal, on Thursday ran somewhat uncritical stories about a discovery by NetWitness, a security firm in Northern Virginia that has spent some time detailing the breadth of infections by a single botnet made up of PCs infected with ZeuS, a password stealing Trojan that lets criminals control the systems from afar. NetWitness found that this particular variant of the botnet, which it dubbed “Kneber,” had invaded more than 2,500 corporations and 75,000 computers worldwide.

The Post’s headline: More than 75,000 Computer Systems Hacked in one of the Largest Cyber Attacks, Security Firm Says.

From the WSJ: Broad New Hacking Attack Detected: Global Offensive Snagged Corporate, Personal Data at Nearly 2,500 Companies: Operation is Still Running.

Yahoo!’s coverage tells us, Scary Global Hacking Offensive Finally Outed.

After a day of dodging countless PR people pitching their experts to pile on to the story, I finally resolved to add my two cents when I heard this gem from the PBS Newshour with Jim Lehrer: “A major new case of computer hacking has been uncovered. A virus known as botnet invaded the computers and used them to steal data from commercial and government systems. Among other things, the hackers have gained access to e-mail systems and online banking.”

Continue reading

Advertisement

Microsoft: Got Bluescreen? Check for Rootkits

February 18, 2010

Microsoft confirmed today that the recent spate of Windows XP crashes and blue-screens experienced by people who installed this month’s batch of security updates were found mainly on systems that were already infected with a rootkit, a tool designed to hide malware infestations on host computers.

The folks at Redmond initially suspected rootkits may have played a part in the interminable reboot loops that many Windows users suffered from following February’s Patch Tuesday, but the company also said that it couldn’t rule out the possibility that third-party hardware and software conflicts might have also been to  blame. Today, Microsoft rejected the latter possibility, and said it had concluded that the reboot occurs because the system is infected with malware, specifically the Alureon Rootkit.

Continue reading

Security Updates for Adobe Reader, Acrobat

February 17, 2010

Adobe is urging users of its PDF Reader and Acrobat software to install an update that fixes a couple of critical security holes in the products. The patches come amid news that booby-trapped PDF files were responsible for roughly 80 percent of the exploits detected in the 4th quarter of 2009.

The latest update brings Adobe Reader to version 9.3.1, and fixes a pair of vulnerabilities that Adobe has labeled “critical,” which means the flaws could be used to install malicious software on vulnerable systems. Updates are available for Windows, Mac and Linux versions.

Continue reading

‘Time Bomb’ May Have Destroyed 800 Norfolk City PCs

February 17, 2010

The City of Norfolk, Virginia is reeling from a massive computer meltdown in which an unidentified family of malicious code destroyed data on nearly 800 computers citywide. The incident is still under investigation, but city officials say the attack may have been the result of a computer time bomb planted in advance by an insider or employee and designed to trigger at a specific date.

Hap Cluff, director of the information technology department for the City of Norfolk, said the incident began on Feb. 9, and that the city has been working ever since to rebuild 784 PCs and laptops that were hit (the city manages roughly 4,500 systems total).

“We don’t believe it came in from the Internet. We don’t know how it got into our system,” Cluff said. “We speculate it could have been a ‘time bomb’ waiting until a date or time to trigger. Whatever it was, it essentially destroyed these machines.”

Continue reading

Hackers Steal $150,000 from Mich. Insurance Firm

February 16, 2010

An insurance firm in Michigan lost nearly $150,000 this month as a result of a single computer virus infection.

Port Austin, Mich. based United Shortline Insurance Service Inc., an insurance provider serving the railroad industry, discovered on Feb. 5 that the computer used by their firm’s controller was behaving oddly and would not respond. The company’s computer technician scoured the system with multiple security tools, and found it had been invaded by “ZeuS,” a highly sophisticated banking Trojan that steals passwords and allows criminals to control infected hosts remotely

The following Monday, Feb. 8, United Shortline received a call from the Tinker Federal Credit Union at Tinker Air Force Base in Oklahoma, inquiring about a suspicious funds transfer one of its customers had received for slightly less than $10,000.

Continue reading

Warning About ZeuS Attack Used as Lure

February 13, 2010

Criminals have co-opted a column I wrote last week about ZeuS Trojan attacks targeted at government and military systems: Scam artists are now spamming out messages that include the first few paragraphs of that story in a bid to trick recipients into downloading the very same Trojan, disguised as a Microsoft security update.

Hat tip to security firm Sophos for spotting this vaguely elliptical attack. It is sometimes said tongue-in-cheek that plagiarism is the sincerest form of flattery, but I wish these crooks would find some other way of expressing their admiration.

The thing is, these sorts of copycat scams also serve as as a sort of token reputation attack, a sly dig that is often aimed at security researchers. For example, Jeffrey Carr, the author of the recent book Inside Cyber Warfare and a frequent publisher of information on the sources of large scale cyber assaults, told me that a similar spam campaign a few days ago that mimicked the targeted .mil and .gov Zeus attacks was made to look like it came from his e-mail address. Carr said the campaign that abused his name probably was in response to his recent blog post about the .mil and .gov attacks.

Rootkit May Be Culprit in Recent Windows Crashes

February 12, 2010

There are indications that the system crashes and the dreaded blue screen of death (BSoD) that many Microsoft Windows users reported suffering after installing this week’s batch of security updates may be caused at least in part by malware infestations on the affected machines.

Patrick W. Barnes, a systems administrator at Cat-man-du, a technology services firm in Amarillo, Texas, said at least three different customers came into his shop with the same blue screen of death after installing Tuesday’s patches on their systems. Barnes said that on closer inspection, he found that each had been previously infected with a rootkit, a set of tools sometimes installed by malware that are designed to hide the presence of the infection on the host system.

Continue reading

Critical Security Update for Adobe Flash Player

February 11, 2010

Adobe Systems Inc. today released an updated version of its Flash Player software to fix two critical security holes in  the ubiquitous Web browser plugin. Adobe also issued a security update for its Air software, a central component of several widely-used Web applications, such as Tweetdeck.

The Flash update brings the newest, patched version of Flash to v. 10.0.45.2, and applies to all supported platforms, including Windows, Mac and Linux installations. Visit this link to find out what version of Flash you have. The latest update is available from this link.

Continue reading

New Patches Cause BSoD for Some Windows XP Users

February 11, 2010

If you use Windows XP and haven’t yet updated your system with the applicable security updates that Microsoft issued Tuesday, you might want to hold off for a bit. Turns out, a non-trivial number of XP users are reporting that their systems suffer from the dreaded Blue Screen of Death (BSoD) and fall into an interminable reboot loop after installing the latest batch of patches from Redmond.

The problem seems to be affecting only some XP systems. This thread on a Microsoft.com answers forum seems to include a fix that works. However, the fix requires users to have their XP install CD handy (in a practice that should be outlawed, many computer makers get away with shipping systems without an install/reinstall disc)

According to the support forum threads I’ve seen on this, affected users noticed the problem on the reboot following the installation of Tuesday’s patch batch. The folks who complained of the bootup problem said the BSOD error page is accompanied by the message “PAGE_FAULT_IN_NONPAGED_AREA”.

If you’re experiencing the above-described problems after installing Tuesday’s bundle of updates, follow these steps, which a number of affected users have said seem to fix the problem:

Continue reading