October 24, 2007

Attack of the PDFs

October 23rd, 2007

Posted by Ryan Naraine @ 1:13 pm

Attack of the PDFsLess than 24 hours after Adobe shipped a fix for a gaping hole affecting its Reader and Acrobat software, PDF files rigged with malware are beginning to land in e-mail spam filters.

The discovery of the active attacks have underlined the need for Windows users to immediately scan machines for vulnerable software (I recommend the Secunia’s free software inspector) and immediately apply all necessary patches.

According to Erik Kamerling, an analyst in Symantec’s DeepSight Threat Management System team, the e-mail-borne attack is using the ‘mailto: option’ vulnerability discussed by Petko D. Petkov in September and confirmed earlier this month by Adobe.

[ SEE: Free utility looks for missing security patches ]

Symantec has tagged the threat as Trojan.Pidief.A, a malware file that’s being used to lower security settings and download more malicious executables on to the compromised computer.
The rigged document is delivered as a piece of spam with a filename such as ‘BILL.pdf’ or ‘INVOICE.pdf’.

When executed, Kamerling said the malicious code tries to disable the Windows Firewall with a ‘netsh firewall set opmode mode=disable’ command, and then downloads a remote file via FTP from 81.95.146.130 (the remote file is ‘ldr.exe’ and is a Downloader trojan).

At 4:00 PM EST, the host 81.95.146.130 is alive and still currently serving ‘ldr.exe’ over FTP. This server is known for hosting malicious software, Kamerling warned.

The DeepSight team is recommending that network administrators:

  • Block the delivery of PDF files in email.
  • Advise employees to not read or execute PDF files from unknown or untrusted sources.
  • Block access to the network and IP address involved in this attack.
  • Apply the patches outlined in Adobe Advisory APSB07-18 as soon as possible.

Ken Dunham, director of global response at iSIGHT Partners, said the attackers are using two rootkit files to sniff and steal financial and other valuable data from hijacked computers. The rootkits are installed in the Windows directory as 9129837.exe and new_drv.sys.

[SEE: ‘High risk’ zero-day flaw haunts Adobe Acrobat, Reader ]

“Anti-virus detection is extremely poor for the exploit files and payloads involved in this attack, averaging cialis daily 5mg only 26 percent out of 39 updated programs tested during the time of attack,” Dunham said, nothing that the two attack servers are linked to the notorious Russian Business Network (RBN).

Dunham has found linkages between this attack and the zero-day Vector Markup Language (VML) attacks from September 2006. “Servers in the attack are also linked back to other malicious attacks involving Animated Cursor exploitation and Snifula and CoolWebSearch installations of code,” he said.

* Ryan Naraine is a freelance writer specializing in Internet and computer security issues. He can be reached at naraine SHIFT 2 gmail.com. See his full profile and disclosure of his industry affiliations.

Permalink • Print • Comment

October 11, 2007

Greetings…you’re infected

By William Kilmer, News.com

Published on ZDNet News: Oct 8, 2007 4:00:00 AM

 

The Storm Worm ranks as one of this year's most virulent and persistent viruses. After making a January debut, transported by e-mail, the virus was notable for the more than 50,000 variants that it subsequently spawned.

 

The Storm Worm has since continued unabated, most recently in the form of Web-based attacks. E-mails, socially engineered to look like electronic greeting cards and linked to a Web site containing malware, completely avoided traditional e-mail antivirus gateways. The Storm Worm's course change to the Web reflects a growing trend of malware Web-based attacks launched through e-mail.

 

The simple logic behind these e-mail-based blended threats is astoundingly effective: no attachment means no antivirus block. And when combined with a user-friendly invitation, it creates the opportunity for a high infection rate.

 

Blended threats easily lead people to Web sites where malware gets downloaded–often without user interaction or knowledge. The industry is just now realizing the severity of the problem,

Researchers at Google recently published a paper concluding that approximately 10 percent of reviewed URLs contained "drive-by downloads" of malware binaries (PDF) and many more that were flagged as suspicious.

 

Malware once lurked in the dark corners of the Internet, but recent hacks have shifted it to the places we all frequent.

 

buying generic cialis 9pt; margin: 0in; font-family: Verdana” align=”justify”>Our research at Avinti examined URLs being "advertised" through e-mail by spammers, and we found similar results: 40 percent of all e-mails contain at least one URL, and of those, approximately 7 percent linked to a malware site.

 

Malware once lurked in the dark corners of the Internet, but recent hacks have shifted it to the places we all frequent. For evidence, look no further than this year's hacking of the Web site for Dolphin Stadium, home to Super Bowl. Or the Sydney Opera House. Even popular social-networking sites like MySpace and Facebook have been platforms for exploits. Yes, the sites we frequent daily and trust may be the biggest threats we face in the future and we may be lured there by an innocuous e-mail link to view a greeting, blog or video.

 

The new Web (2.0) is a fertile breeding ground for malware. Links, blog postings, shared applications and syndicated traffic are all backdoor opportunities for unknown exploits to invade legitimate sites.

 

At the same time, traditional tools such as Web filters, originally built for blocking objectionable content, struggle to catch these attacks as much as antivirus products do in keeping up with ever-changing e-mail-borne attacks. Spammers and hackers have automated the process so that these sites can be up and running and then down in a matter of hours long enough to carry out their attacks. Like the Storm Worm variants, these sites may be up, active and out of business before a bad URL or IP address is ever logged.

 

Given the frequency of hackers hijacking a legitimate Web site to insert malware, such as an attack spoofing the Better Business Bureau, blocking a domain or subdomain is becoming more problematic. What about linked pages? Are they blocked by association or if they serve up the malicious link? What if a single IP address hosts sites for both malware and non-malware sites? Without proper control, we may end up either blocking too much, or jeopardizing our trust in valid Web sites.

 

Fortunately, there is some light now that we have recognized the problem. Organizations like Stopbadware.org and Google are beginning to address ways to share information on malware sites. More vigilance by social sites and IT directors on patching and maintaining their Web sites is going to become more critical than ever.

 

In addition, there is a greater realization among vendors that since hackers and spammers don't look at e-mail, IM, or the Web independently, they can't afford to either. What we need now are proactive solutions that are as dynamic as the attacks they are trying to prevent; that can detect both known and unknown threats, whether on the Web, e-mail, or IM. Until then, beware the next time you get an e-mail greeting card.

 

Pasted from <http://news.zdnet.com/2010-1009_22-6211929.html?tag=nl.e550>

 

Permalink • Print • Comment
« Previous Page
Made with WordPress and a healthy dose of Semiologic • Sky Gold skin by Denis de Bernardy