A Peek Inside the ‘Eleonore’ Browser Exploit Kit

January 25, 2010

If you happen to stumble upon a Web site that freaks out your anti-virus program, chances are good that the page you’ve visited is part of a malicious or hacked site that has been outfitted with what’s known as an “exploit pack.” These are pre-packaged kits designed to probe the visitor’s browser for known security vulnerabilities, and then use the first one found as a vehicle to silently install malicious software.

Exploit packs have been around for years, and typically are sold on shadowy underground forums. A constant feature of exploit packs is a Web administration page (pictured above), which gives the attacker real-time statistics about victims, such as which browser exploits are working best, and which browsers and browser versions are most successfully attacked.

One of the most popular at the moment is a kit called “Eleonore,” and I’m writing about it here because it highlights the importance of remaining vigilant about patching. It’s also a reminder that sometimes the older exploits are more successful than the brand new variety that garner all of the headlines from the tech press.

The screen captures in this blog post were taken a few weeks ago from a working Eleonore installation (version 1.3.2) that was linked to several adult Web sites. As we can see from the first image, this pack tries to exploit several vulnerabilities in Adobe Reader, including one that Adobe just patched this month. The kit also attacks at least two Internet Explorer vulnerabilities, and a Java bug. In addition, the pack also attacks two rather old Firefox vulnerabilities (from 2005 and 2006). For a partial list of the exploits included in this pack, skip to the bottom of this post.

It’s important to keep in mind that some of these exploits are browser-agnostic: For example, with the PDF exploits, the vulnerability being exploited is in the PDF Reader browser plug-in, not necessarily the browser itself. That probably explains the statistics in the images below, which show a fairly high success rate against Opera, Safari, and Google Chrome users. In the screen shots below, the numbers beneath the “traffic” field indicate the number of visitors to the malicious site using that particular version of the browser, while the “loads” number corresponds to the number of visitors for that browser version that were found to be vulnerable to one or more of the vulnerabilities exploited by the Eleonore pack. The “percent” fields obviously indicate the percentage of visitors for each specific browser type that were successfully exploited:


Adobe Ships Critical Shockwave Update

January 23, 2010

Last week, Adobe Systems Inc. shipped critical security updates for its PDF Reader software. Now comes an update that fixes at least two critical flaws in Adobe’s Shockwave Player, a commonly installed multimedia player.

Not sure whether you even have Shockwave Player on your system? You’re not alone. Because of a long history of rebranding between Macromedia and Adobe, the various naming conventions used for this software are extremely confusing. Here’s Adobe’s effort to draw clearer distinctions between the Flash and Shockwave multimedia players:



Cyber Crooks Cooked the Books at Fla. Library

January 22, 2010

Jan. 7, 2010 was a typical sunny Thursday morning at the Delray Beach Public Library in coastal Florida, aside from one, ominous dark cloud on the horizon: It was the first time in as long as anyone could remember that the books simply weren’t checking out.

Sure, patrons were still able to borrow tomes in the usual way — by presenting their library cards. The trouble was, none of the staff could figure out how or why nearly $160,000 had disappeared from their bank ledgers virtually overnight. The money was sent in sub-$10,000 chunks to some 16 new employees that had been added to the usual outgoing direct deposit payroll.

One of those phantom employees was 19-year-old Brittany Carmine, 900 miles to the north in Richmond, Va. Carmine had just lost her job at a local marketing firm when she received a work-at-home job offer from a company calling itself the Prestige Group. She said after researching the company online, she decided it was legitimate, and filled out the paperwork to begin her employment. Just days later, she received a bank deposit of $9,649, with instructions to wire all but roughly $770 of that to individuals in Ukraine.


The Democratization of Espionage

January 22, 2010

Ten to fifteen years ago, if you were going to be the target of state sponsored or corporate espionage, you yourself were going to be a government or a large corporation that had intellectual property or information that an adversary was going to have to invest a lot of time and effort to pry out of you. What we have seen over the last five to seven years is that the botnet has democratized that process, so that now an individual can commit his own intelligence reconnaissance and espionage, whether at arms length on behalf of a state, on his own, or whether he’s doing it for corporate espionage.

This is an excerpt from a column of mine that appeared today at CSOonline. Read the rest of it at this link here.

Microsoft Issues Emergency Fix for IE Flaw

January 21, 2010

Microsoft has issued an emergency security update to plug a critical hole in its Internet Explorer Web browser. The IE bug is the same flaw that is being blamed in part for fueling a spate of recent break-ins at Fortune 100 companies, including Google and Adobe.

If you use Microsoft Windows, please take a moment now to update your computer. Updates are available for all supported versions of IE and Windows. The easiest way to install the patch is through Windows Update. Users who have Automatic Updates turned on may be prompted to download and apply this within the next 48 hours or so, but honestly this is the kind of bug you probably want to quash as soon as possible.

The reason is that this is a browse-to-a-hostile-site-and-quickly-have-a-bad-day kind of flaw. What’s more, Symantec is now reporting that it has discovered hundreds of malicious and/or hacked Web sites are now serving up code that exploits this flaw to download malicious software. While many of these sites are in China, that fact matters little because hackers can always stitch code into a hacked, legitimate site that quietly and invisibly pulls down exploits from other sites. Meanwhile, security firm Websense warns that the targeted e-mail attacks leveraging this flaw continue unabated.

When computer code that exploits this IE flaw was first posted online last week, Microsoft was quick to point out that it had only seen the code working reliably against IE6 users. However, researchers now claim that the exploit can also be made to work against IE7 and even IE8 — the latest version of IE that ships with Windows 7 systems.

The fixes included in this patch aren’t limited to the publicly disclosed flaw: Microsoft has addressed seven other vulnerabilities in this patch as well. More details about this specific update are available at this Microsoft Technet page.

Patch it or Scratch it: RealPlayer

January 21, 2010

Securing your computer isn’t just about making sure the doors and windows into your system are latched and patched: Sometimes, it makes more sense to simply brick up some of these entryways altogether — by getting rid of programs you no longer use.

There are several programs that I’ve mentioned recently and put in this category (Java, QuickTime, Adobe Reader). Allow me to add another program to this list: RealPlayer. If you have this program installed, ask yourself this question: When was the latest time you used it?


New Clues Draw Stronger Chinese Ties to ‘Aurora’ Attacks

January 20, 2010

A leading security researcher today published perhaps the best evidence yet showing a link between Chinese hackers and the sophisticated cyber intrusions at Google, Adobe and a slew of other top U.S. corporations late last year.

In mid-December, Google discovered that its networks had been breached by attackers who appeared to be coming from China. A Wall Street Journal article cited researchers saying the attacks — dubbed Operation Aurora — were launched from six Internet addresses in Taiwan, which experts say is a common staging ground for Chinese espionage.

While Google itself has said that the attacks “originated in China,” experts have been quick to point out that attackers commonly route their communications through faraway computers, and that the real attackers may be located anywhere in the world. But new clues about the origins of the malicious software that was used to exploit the as-yet unpatched Internet Explorer vulnerability suggest that the exploit was in fact assembled by Chinese programmers.

The evidence comes from forensic work published today by Joe Stewart, director of malware research for Atlanta-based managed security firm SecureWorks. Stewart said he found that a snippet of the source code used in the backdoor Trojan horse program planted by the exploit (called “Hydraq” by various anti-virus companies) matched a source code sample that was detailed in a Chinese-language white paper on mathematical algorithms used in electronics.

Stewart said a Google search for one of the key text strings in that code sample shows that it is virtually unknown outside of China, and that almost every page with meaningful content concerning the algorithm is written in Chinese.


Top 10 Ways to Get Fired as a Money Mule

January 20, 2010

Money mules are quite literally the workhorses of the online fraud world. The term “money mule” is borrowed from the nomenclature used to describe the human pack horses of the drug cartels — so-called “drug mules” — people who physically carry illegal substances on their person while crossing the U.S. border. Some drug mules actually ingest large numbers of tiny bags full of illegal substances, and carry the narcotics in their digestive system on the way into the United States. You can probably guess how the drugs are…er…offloaded by these mules.

Of course, money mules don’t actually ingest the cash they help steal from banks and small businesses that are victimized by criminal gangs, although they do occasionally eat the cost when their bank turns around and holds them liable for the missing money. However, some of the mules — mainly young Eastern European men and women of college age who are here in the United States on temporary J1 visas — do physically carry the cash on their person when they head back home.

Anyway, this blog post focuses on the former group, those willing or unwitting individuals who stand to very likely make $500-$700 from a single transaction with the crooks. Money mules are recruited through work-at-home job offers that arrive via e-mail, usually claiming that the prospective employer found the recipient’s résumé on careerbuilders.com, monster.com, or some other job search site. Recruits are told they will be helping to move money for international companies, and are asked to provide their bank account and routing numbers so that they can receive incoming transfers.

Now, technically speaking, most mules are by default fired after their first and only successful job: Each mule is worth slightly less than $10,000 to the cyber gangs, who will cease communicating with a mule the minute after he or she successfully wires the money to the crooks and e-mails the access number the criminals need to pick up the cash.

The mules’ job isn’t that difficult: Wait by the computer between 8 and 11 a.m. for a message saying a deposit is ready for withdrawal. The mule is instructed to then go down to their bank, pull out the money in cash, and then wire it abroad via Western Union or Moneygram.

But you’d be surprised at how often the mules screw this up. Here are the Top 10 ways that mules can get fired:


Hundreds of Network Solutions Sites Hacked

January 19, 2010

Web site domain registrar and hosting provider Network Solutions acknowledged Tuesday that hackers had broken into its servers and defaced hundreds of customer Web sites.

The hackers appear to have replaced each site’s home page with anti-Israeli sentiments and pictures of masked militants armed with rocket launchers and rifles, alongside the message “HaCKed by CWkomando.”

According to results for that search term entered into Microsoft’s Bing search engine, there may in fact be thousands of sites affected by this mass defacement.

One of the defaced pages belonged to Minnesota’s 8th District GOP, according to a story in The Minnesota Independent, which said the Arabic writing that accompanies the defaced pages contains the dedication “For Palestine,” and the repeated phrase “Allahu Akbar” [God is great].


Security Updates for Mac OS X Available

January 19, 2010

Apple has shipped a software update that fixes at least a dozen security vulnerabilities in Mac OS X Leopard and Snow Leopard systems. The update applies to OS X 10.5 and 10.6 desktop and server machines, and is available through Software Update or from Apple Downloads. More than half of the fixes are to update the Mac version of Adobe’s Flash Player plugin. Check out this link for more nitty-gritty on the individual flaws fixed in this update.