June 14, 2012

New email BlackHole exploit attack has embedded JavaScript & iframe

A few days ago I discovered an email scam that tries to directly deliver the BlackHole Exploit Kit to victims, inside the message body of those emails. The Subject used was: "Re: URGENT" and the sender addresses spoofed Twitter, LinkedIn and sbcglobal.net customers. In all cases, the hostile code was no longer reached via links, but simply by opening the email in your email client, with HTML display enabled and iframes allowed.

Rather than delving into a big technical discussion about the exploit itself (which I have covered numerous times), this article will attempt to help protect you from being exploited by it, or another like it.

We first need to define how the attack inside these email messages is triggered. It is a two-pronged attack. First, the exploit code itself is embedded inside the message body, inside <script> tag sets. Second, an HTML "iframe" tag is included, with its "src" (source) attribute pointing at a remote server or website that is hosting the BlackHole attack kit.

The criminals that sent this to you are hoping to exploit you if your email reader is set to render HTML and scripting. Many users allow these things by default. The second method is used to attack you in the event you disallow scripting, but do allow iframe contents to be rendered. This is a tricky one-two punch.
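To make the two prongs concrete from the defender's side, here is an added Python example (not code from the original post). It parses a constructed sample message, flags <script> and <iframe> tags in any text/html part, lists the remote hosts those tags point to, and shows what a "read all messages in plain text" setting effectively does by preferring the text/plain alternative or, failing that, stripping active tags. The message, the host names and the placeholder script body are all constructed for the example and are not taken from the actual scam.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a two-part message whose HTML alternative carries both
# prongs described in the post (an inline <script> and a remote <iframe>).
# The script body and the iframe host are placeholders, not real exploit code.
RAW_MESSAGE = """\
From: "Twitter" <notify@example.invalid>
To: victim@example.invalid
Subject: Re: URGENT
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="sep"

--sep
Content-Type: text/plain; charset="utf-8"

Please see the attached notice.
--sep
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please see the attached notice.</p>
<script>/* placeholder for an obfuscated loader */</script>
<iframe src="http://exploit-host.invalid/main.php" width="1" height="1"></iframe>
</body></html>
--sep--
"""

# Tags that a plain-text reader never executes or fetches.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "applet"}


class ActiveContentScanner(HTMLParser):
    """Records every active-content tag and the src it points to (if any)."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (tag, src) tuples

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append((tag, dict(attrs).get("src")))


class TextExtractor(HTMLParser):
    """Keeps visible text only, dropping the contents of active tags."""

    def __init__(self):
        super().__init__()
        self.chunks = []
        self._skip = 0  # depth inside an active tag

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def scan_message(raw):
    """Return which active tags appear in text/html parts and where they point."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        scanner = ActiveContentScanner()
        scanner.feed(part.get_content())
        findings.extend(scanner.findings)
    hosts = sorted({urlparse(src).hostname for _, src in findings if src})
    return {
        "active_tags": sorted({tag for tag, _ in findings}),
        "remote_hosts": hosts,
        "risky": bool(findings),
    }


def safe_text(raw):
    """Emulate a plain-text reader: prefer text/plain, else strip the HTML."""
    msg = email.message_from_string(raw, policy=policy.default)
    plain = msg.get_body(preferencelist=("plain",))
    if plain is not None:
        return plain.get_content().strip()
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return ""
    extractor = TextExtractor()
    extractor.feed(html_part.get_content())
    return " ".join("".join(extractor.chunks).split())


if __name__ == "__main__":
    print(scan_message(RAW_MESSAGE))
    print(safe_text(RAW_MESSAGE))
```

Running the block on the sample reports both an iframe and a script and names the iframe's host, while the plain-text rendering contains only the sentence from the text/plain part; that gap is exactly what the "read all messages in plain text" setting buys you.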

Here are some ways you can protect your computers from being exploited by the embedded BlackHole attacks.

By far the simplest way to block all scripted and iframe attacks is to set your email client to display email in plain text. Plain text cannot render scripts, iframes, or any other HTML formatting. It cannot even display inline images. It's boring, but safe.

Explore the options or preferences available for your email system and apply Read in Plain Text, if it is available. Webmail users will often have a link on the upper right side labeled (Email) Options or Preferences, or similar. Outlook Express and Windows Live Mail users can easily make this change by locating their Options > Email > Read and change the reading format to "Read all messages in plain text," then apply the change.

However, plain text will mangle the content of an HTML formatted message. It is just as safe for Outlook Express and Windows Live Mail users to allow HTML messages, but check the box to render them in the "Restricted Sites Zone." In Windows Live Mail, this is found by clicking the down arrow in the blue button on the upper left side (just under the title bar), which drops down several options. One is labeled "Options." Click on Options and select the Safety Options choice. Click the Security tab. Under: "select the security zone to use" - check "Restricted sites zone (More secure)" - then click Apply, at the bottom right corner.

Make sure that you have not loosened the restrictions in the Restricted Sites Zone. This is found by means of either Internet Explorer's Internet Options, or Control Panel's Internet Options. From Internet Explorer, click on Tools > Internet Options > Security tab. Click on the Restricted sites icon (red circle with slanted line) and, if not already there, set the slider to High, then click Apply to save the change. Also, if you see the checkbox to Enable Protected Mode, check it and apply.

In both instances, you need to close and re-open your email client or browser.

If you use Firefox as your browser and email reader, install the NoScript Add-on and enable it. By default, it blocks JavaScript, Java, Flash and iframes, among many other known exploit vectors.

For other desktop email clients, search for your options, as they apply to safety, scripting, HTML and iframes and tighten them to the highest level you can tolerate.

You must have anti-malware protection nowadays. Free anti-virus is either barely adequate, or useless altogether. In order to keep pace with the rapidly morphing malware attacks, one needs commercial security software, with definitions in the cloud, in addition to onboard. I have chosen Trend Micro to protect all of my computers.

Finally, even with heightened security settings, I do not trust Windows Live Mail 100%. I run Firetrust's MailWasher Pro ahead of Windows Live Mail. It checks mail on the interval I set, inspecting the number of lines of code I deem important, then classifies each incoming message according to my own custom spam filters, my own blacklisted and whitelisted senders, its built-in spam learning filter, online spam blocklists, and other criteria. Most spam and malware threats are automatically deleted instantly. Others are marked as either spam, or unclassified, drawing my attention. If they are threats or spam, I delete them manually, while also reporting them to SpamCop.

Only after dealing with spam, scams, malware and read messages do I manually check for new mail in Windows Live Mail (turn OFF checking on any interval in WLM, or OE). Note that WLM and OE still forcibly run a check for new mail every 8 hours, even with interval checking unchecked! Just keep this in mind.

If you use Microsoft Outlook, there are plenty of options available for safely displaying possibly dangerous content. Go through your program's email options.

Oh, and just because an email sender name is one you recognize, do not automatically assume that they sent it knowingly. Spammers spoof sender names and accounts to trick recipients, after hacking those users' email accounts to steal their contact lists.

I hope this helps to protect you from the criminals behind the BlackHole Exploit Kit and similar exploit kits.


June 13, 2012

Adobe, Microsoft and Oracle released critical patches on June 12, 2012

June 12, 2012 was a huge Patch Tuesday, with Adobe, Microsoft and Oracle all releasing patches to fix critical vulnerabilities in their software. The affected programs include Adobe Flash, Oracle Java and Microsoft's Windows Kernel, Internet Explorer, .NET and Remote Desktop software.

I have already published a blog article today about the Java update on 6/12/2012. You need to update Java now, if you have it installed. The BlackHole Exploit Kit is targeting vulnerabilities just patched.

If you have Windows computers, running on XP (w/SP 3), Vista, 7 or Server 2003 or 2008, you need to use your Windows Update link on the Start Menu, or in Control Panel, to check for and install between 7 and 11 or more patches, rated from Important to Critical. The actual number of patches you receive depends on what, if any, Office and .NET programs you have installed. You will need to restart the computer to complete the updates. If you use Internet Explorer, you can go to Windows Updates via a link in the Safety menu item.

Adobe Flash was simultaneously updated on the 12th, to version 11.3.300.257 for most users. An Adobe Security Advisory describes how previous versions are being exploited and how this new version plugs those holes. It also lists the affected versions for other operating systems and devices, like Mac and Android. If you use Flash at all, it needs to be updated NOW. Malware exploit kits have been updated to target the vulnerabilities that were just patched.

To update Flash, go to www.adobe.com, click the link for Flash, then download the version for your browser. If you use Internet Explorer and Firefox, Safari, Opera or Chrome, there are separate downloads. IE uses an ActiveX version, while Firefox, Safari and Opera use another plug-in version, and Google Chrome uses a special, bundled version, requiring you to update Chrome itself (go to Tools > About Google Chrome and it will begin checking and updating if necessary).

After you update Flash in all of your browsers, they need to be closed for the upgrade to take. You may even need to reboot the computer to flush out a previous version if it was in use during the update process.

I believe it is a good thing that these major software vendors have released critical updates on the same day and time period. This allows users to perform multiple security updates sequentially or simultaneously, restart once, then get back to work.

All of the above updates require Administrator privileges. While you can perform these updates as a Standard User, via "Run As Administrator," it is really best to log into an actual Administrator level account first, since you will have to reboot after installing these updates.


Java gets 14 security fixes on 6/12/2012. Update now!

On June 12, 2012, Oracle released patched versions of its Java SE and FX software, patching 14 security holes. Oracle proudly proclaims that over 3 billion devices run on Java, so it's a reasonable bet that you use Java on some of your Internet capable digital devices. You may not even be aware that you have Java installed.

In case you didn't know, Java is the number one targeted browser plug-in in all of the current malware attack kits, distributed in spam email blasts. It is specifically targeted in the notorious BlackHole Exploit Kit, which I write about often.

The problem with running vulnerable versions of Java is that a successful exploit can cause a scripted attack to jump out of the safe area known as the "sandbox" in a browser and penetrate to the operating system. Once it gains access to the O.S., anything goes. This usually ends up with the PC or smartphone becoming botted, rooted (rootkit), Trojanized (e.g. ZeuS banking Trojan, rogue anti-virus, ransomware) and used as both a spam sending and DDoS attack tool.

In the Patch Advisory for June, 2012, Oracle enumerates the software packages updated and the threats these patches fix. This patch affects the versions of Java (SE or JRE) used by most consumers in their browsers, as well as developer versions of Java. Oracle is quite clear in urging all users of affected versions of Java to upgrade as soon as possible. Here is a quote from the latest advisory:


Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible. This Critical Patch Update contains 14 new security fixes across Java SE products.

Note: Java SE fixes in this Update are cumulative; the latest Critical Patch Update includes all fixes from the previous Critical Patch Updates.

Users running Java SE with a browser can download the latest release from http://java.com. Users on the Windows platform can also use automatic updates to get the latest release. Go to Start > Control Panel > View by: (change to) large icons (or Classic View). If you have Java installed there will be an icon labeled Java. Click to open it and you can see the installed version on the opening tab, by clicking About Java. Updates can be scheduled or checked for on the spot under the Updates tab. I recommend scheduling daily checking for updates at a time when the computer is normally on. This way you won't miss a critical, sudden Java patch because the original setting was monthly.

Do not wait for exploit attacks before you patch Java. The latest versions in the patches are Java 6 - update 33 and Java 7 - update 5. Visit Java.com and click on the "Do I Have Java" button to see if you do have Java installed and active and which version it is. You will receive instructions for updating to the latest patched version for the operating system or device you are using when you go to that page. You can also download various versions of Java, from the Oracle SE Downloads web page.


June 10, 2012

New email scam spoofing Foursquare leads to Russian fake pharmacy


I just received a spam email in my Junk folder, which claimed to come from Foursquare ([email protected]). The Subject is: "Ailsa Hill is now your friend." The body text said: "Hey there - Just a heads up that Ailsa Hill has approved your friend request on foursquare." If you get one of these, no matter what the name is, be suspicious. Here's why...

I opened the "Properties" of this email so I could read the actual headers and found the following details.

The From: foursquare <[email protected]> line is fake (spoofed). Here's why:

The final "Received from" line is not from foursquare.com, nor from Amazon, their web host. Rather, the sending server was: serveur.maven2-20.com ([46.105.104.199]). Running a Whois on that domain reveals that it is hosted in France, on OVH Systems, a web hosting provider. There is no website configured at that IP, or domain, just a few files.

Also, the following line was inserted by the mail server that delivered the message to my account: X-AUTH-Result: FAIL

So, the email definitely did not come from Foursquare. It is spam or a scam. Who did send this message and why?

Let's look at the links hidden in the message source to find out where they lead.

The message body is loaded with images stolen from the actual Foursquare website, to make it look authentic to the casual recipient. But the links spoof foursquare.com, while leading to a different domain. Look at this source code for the first action link presented to the victim:


View their profile: <a href="http://shabdayoga.com/supplement.html">https://foursquare.com/user/28519394</a>

You can see that the link claims to go to: https://foursquare.com/user/28519394
If you hovered your pointer over the above link, in the original message, the actual URL: shabdayoga.com/supplement.html would be displayed in your status bar.
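The two checks made above, reading the bottom-most "Received:" line and the X-AUTH-Result header, and comparing a link's visible text with its real href, can be automated. The following is an added Python example, not code from the original post. It parses a constructed message modelled on the spoofed Foursquare email: the sending server name, its IP, the From address (foursquare.example) and the redirector host are placeholders chosen for the example, while the profile URL shown as link text is the one quoted in the post. The "registrable domain" comparison is a deliberately crude last-two-labels check, not a public suffix list lookup.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample. Received: headers are listed newest-first, so the
# bottom one is the server that actually handed the message to our MX.
RAW_MESSAGE = """\
Received: from mx.example.invalid (mx.example.invalid [192.0.2.10])
    by inbox.example.invalid with ESMTP id ABC123
    for <me@example.invalid>; Sun, 10 Jun 2012 09:00:00 -0400
Received: from serveur.spoofer.invalid ([198.51.100.77])
    by mx.example.invalid with SMTP id XYZ789
X-AUTH-Result: FAIL
From: foursquare <noreply@foursquare.example>
To: me@example.invalid
Subject: Ailsa Hill is now your friend
Content-Type: text/html; charset="utf-8"

<html><body>
<p>View their profile:
<a href="http://redirector.invalid/supplement.html">https://foursquare.com/user/28519394</a></p>
<p><a href="https://foursquare.com/settings">Manage settings</a></p>
</body></html>
"""


def registrable(host):
    """Crude placeholder for a public-suffix check: keep the last two labels."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def originating_host(msg):
    """Host named in the earliest (bottom-most) Received: header."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = re.match(r"\s*from\s+(\S+)", str(received[-1]))
    return match.group(1) if match else None


def from_domain(msg):
    """Domain part of the (possibly spoofed) From: address."""
    _, addr = parseaddr(str(msg["From"]))
    return addr.rpartition("@")[2].lower() or None


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html):
    """Links whose visible text is a URL on a different site than the href."""
    collector = LinkCollector()
    collector.feed(html)
    found = []
    for href, text in collector.links:
        shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        actual = urlparse(href).hostname if href else None
        if shown and actual and registrable(shown) != registrable(actual):
            found.append({"shown": text, "actual": href})
    return found


def analyse(raw):
    """Apply the header and link checks and return the reasons for suspicion."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender_host = originating_host(msg)
    claimed = from_domain(msg)
    auth = str(msg.get("X-AUTH-Result") or "").strip().upper()
    html_part = msg.get_body(preferencelist=("html",))
    links = mismatched_links(html_part.get_content()) if html_part else []
    reasons = []
    if sender_host and claimed and registrable(sender_host) != registrable(claimed):
        reasons.append(f"last hop {sender_host} is not in {claimed}")
    if auth == "FAIL":
        reasons.append("X-AUTH-Result: FAIL")
    for link in links:
        reasons.append(f"link text {link['shown']} but href {link['actual']}")
    return {"sender_host": sender_host, "claimed_domain": claimed,
            "auth": auth, "mismatched_links": links, "reasons": reasons}


if __name__ == "__main__":
    for reason in analyse(RAW_MESSAGE)["reasons"]:
        print(reason)
```

On the sample all three signals fire: the last hop is not in the claimed domain, the delivering server recorded an authentication failure, and the "View their profile" link displays one site while pointing at another. The second link is left alone because its visible text is not itself a URL.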

What do we find if we investigate the source code for shabdayoga.com/supplement.html? Nothing but JavaScript to redirect visitors to another website, named "drugstorewichi.com" and, should you have JavaScript disabled, a manual link with the word "Enter" and nothing else.

What is http://drugstorewichi.com? A fake pharmacy! The images and copyright claim that you've landed on Toronto Pharmacy, supposedly selling Canadian prescription drugs. If that were so, the website would be registered and hosted in Canada.

So, Whois drugstorewichi.com? The website belongs to someone named Georgij Kiosov - who claims to reside at: Orekhovy proyezd d.37 korpus 1 kv.168, Moscow,115573, RUSSIA.

The domain is not hosted in Canada, but in Poland, at: 194-28-50-114.arpa.teredo.pl (Site Stats tab).

So, we have a spam email spoofing Foursquare, with a link that redirects to a fake Canadian pharmacy registered to a Russian citizen, living in Russia, with his web hosting in Poland. This is part of a fake pharmacy affiliate program based in Russia.

All of the claims made on these websites are fraudulent. The drugs, should one even receive them, are counterfeit. The payments are made to payment processors who are friendly to cyber criminal gangs in Russia. If anybody is foolish enough to actually purchase anything from scammers like this, your credit or debit card details, along with your mailing address and phone number are now in the hands of hardened fraudsters in Russia.


June 5, 2012

Fake Join my network on LinkedIn email scam has links to BlackHole Exploit Kit

For the past few days I have been receiving email scams claiming to come from LinkedIn, some of which are password reset scams, with the latest being an invitation to join somebody's LinkedIn network. Both are scams, with links leading directly to a compromised website that is hosting the BlackHole Exploit Kit.

Let's take a look at the most recent LinkedIn scam: "Join my network on LinkedIn"

The email Subject is: Join my network on LinkedIn.
The (spoofed) From (sender) address is: [email protected].
The Reply_to address is spoofed as: [email protected]
The first Received from line, from the final mail server is:
Received: from [182.182.16.190] (port=1664) - which is definitely not LinkedIn.com. Further details reveal that the message was sent from mail.bucklerboots.com, not LinkedIn.com.

The message body is loaded with images drawn from LinkedIn and text containing the following come-on:
"Mimi Kauffman has indicated you are a Friend ... I'd like to add you to my professional network on LinkedIn.- Mimi Kauffman ... View invitation from Mimi Kauffman (has payload link) ... WHY MIGHT CONNECTING WITH Mimi Kauffman BE A GOOD IDEA? Mimi Kauffman's connections could be useful to you After accepting Mimi Kauffman's invitation, check Mimi Kauffman's connections to see who else you may know and who you might want an introduction to. Building these connections can create opportunities in the future."

My apologies to Mimi Kauffman, whoever you are. Contrary to the claim in the message, we are NOT friends and do not know each other. Spammers are using your harvested name in scams, just like they might be using mine or anybody else's. It is a tactic used to gain trust; a con game; "a Joe Job."

The text is much like what a LinkedIn member would receive in a legitimate request. Spammers join LinkedIn so they can gather templates from actual email messages, for use in scam campaigns. Then, they substitute their own poisoned links for LinkedIn links, to drive victims to booby-trapped websites.

The hostile links

I noted in the quoted section that the words "View invitation from Mimi Kauffman" were wrapped in a link. If this had been an actual LinkedIn email, the link would have started with http://www.linkedin.com/... However, this link and the others that followed it go to a compromised WordPress website, at h**p://www.nabytok.ws/wp-content/themes/esp/page9.htm. The file named page9.htm contains the BlackHole Exploit code, which targets Java and Flash (and sometimes Adobe Reader and certain brands and versions of browsers), looking for an unpatched version of that software on a victim's computer.

If the victim's computer does have a vulnerable version of Java, which is the first item attacked, BlackHole will attempt to silently install a Trojan downloader. If successful, the next step is to install a rootkit, then to download additional malware, which might include banking Trojans, like ZeuS, or fake security programs, or spyware. In all cases, the package includes a botnet module, so that the computer can be used to host exploits, send spam, or join in DDoS attacks on other systems.

Note, it is possible to use code to try to load an out-dated version of Java from its default installation path. Even legitimate programs have been known to do this, to use special features present in certain versions of this highly exploited software. In the past, one had to manually uninstall out-dated versions of Java. Now, the installation of a new version will remove older versions, back to a certain point. Windows users need to go to Control Panel > Add/Remove Programs (or Programs and Features) and see A: whether they have Java installed at all, and B: whether more than one version is listed. If it is installed and older versions are also listed, uninstall all but the most recent version, for your own safety. Then visit www.java.com and see if your remaining version is the most recent one available for your operating system or device. If not, update it immediately and, if necessary, manually remove the previous version.

If you don't know of any programs you use, or websites you always visit which run Java Applets you deem important, just uninstall Java altogether and eliminate that attack vector. You probably won't even miss it.

Note: Java is not the same as JavaScript. They are completely different things.

LinkedIn users are just one of many specific groups of people targeted in recent spam blasts. LinkedIn is a major social network, like Facebook and Twitter, so cyber-criminals frequently attempt to violate the trust some members have with those networks. Further, LinkedIn members tend to be professionals in their fields, making them a juicier target for cyber-thieves.

My advice to LinkedIn members and everybody else reading this is to always hover over links in emails before clicking on them. This will usually cause the actual destination URL to be displayed in a "Status bar" on the bottom of your browser (for Webmail) or email client. If the link displayed is not going to the domain indicated in the text or graphics in the message, assume it is hostile, meant to infect your computer and force it into a malware botnet.


June 4, 2012

Flame Worm uses fake signed Microsoft digital certificates to install

Earlier today I published a blog article detailing why Microsoft has issued an out-of-band patch that plugs a vulnerability used by the Flame malware, as one means of installing itself. Now, I have learned how the malware is exploiting these certificates and what the patch does to stop this method of exploitation.

According to recent analysis of the Flame malware by Kaspersky Labs, one of the methods Flame uses to propagate inside a network is to present a forged signed-by-Microsoft digital certificate when trying to install itself on an uninfected PC. The certificate is used to install a fake Windows Update component deceptively named "Desktop Gadget Platform" - which lies to you by claiming it: "Allows you to display gadgets on your desktop."

Because it uses a previously acceptable certificate of authenticity, claiming to have been signed by Microsoft itself, the operating system would allow the installation to take place without a second thought, or any user interaction. But not any more! Today's critical patch KB2718704 has revoked the digital certificates used by the Flame Worm. Now, if this malware attempts to install, a challenge box will pop up. It will list the installer as Unsigned or Untrusted, rather than Signed. If you check for a certificate, it will reveal that the certificate used has been revoked by the issuer.

Thus, the out-of-cycle patch that Microsoft released earlier today will block unattended infections that were previously allowed by the fraudulently signed (by Microsoft) certificates. These revocations will stop this attack vector, but not others. It is still unknown how the Flame malware is introduced into a system, to infect the first host. Researchers are currently looking for an unknown zero day exploit. Keep in mind that the forged signed certificates were a form of zero day attack. It took a long time for this vector to be discovered, but only hours to revoke their permissions and plug that hole.

Footnote: The digital certificates used to spread the Flame malware were signed in 2010. This subterfuge was only discovered in the last few days, a full two years after the fact. It is still not known how these fake certs were signed. That will eventually come to light, along with other facts about this new Flame malware burning up the security news channels as The Hot Topic (puns intended)!

My previous article urges all Windows computer owners and Admins to use Windows Update to install Patch KB2718704 as soon as possible. I repeat the call for urgency in patching against this new malware and others like it that are bound to follow. The next Flame might not be an espionage tool but a new form of botnet and attack weapon.

If you operate with less than Administrator privileges, the patch may be pushed to you when you shut down, or log off. If you run Microsoft Security Essentials, it runs with System privileges and may install the patch with no user interaction or restarts at all. It did just that on my XP Pro machine!


Out of band Microsoft patch quenches Flame malware exploit vector

The Flame malware has been a hot topic for the last week, after it was discovered infecting industrial computer systems in the Middle East and Iran. This malware is very high level and is designed for spying on carefully selected industrial and Government systems. It has attracted a lot of attention in the short time it has been known to security companies, and today it got Microsoft's attention.

Today, June 4, 2012, Microsoft has issued an out-of-band patch for one of the vulnerabilities used by the Flame to infect Windows computers. Patch KB2718704 is now being pushed to all supported versions of Windows, via Windows Updates. I just applied it to my Windows 7 PC and it did not require a restart.

What vulnerability does patch 2718704 fix?

According to the aforementioned Microsoft Advisory, one of the infection vectors used by the Flame malware is exploiting an old feature belonging to Windows Terminal Services and used in Remote Desktop connections. Specifically, this is labeled: "Unauthorized Digital Certificates Could Allow Spoofing" - and is defined as follows:

"Microsoft is aware of active attacks using unauthorized digital certificates derived from a Microsoft Certificate Authority. An unauthorized certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows."

The advisory reveals that at least three unauthorized signed certificates are being used in the Flame attacks. Additionally, this patch addresses unauthorized digital certificates described in previous advisories: Microsoft Security Advisory 2524375, Microsoft Security Advisory 2607712, and Microsoft Security Advisory 2641690.

What does this patch do?


We (Microsoft) have updated the Untrusted Certificate Store to remove the trust in the affected Microsoft certification authorities.

Today's advisory goes on to urge all people running any supported version of Windows, including XP (w/SP 3), Vista, 7, Server 2003 and Server 2008, to run Windows Updates immediately, to install Patch KB2718704.

If the Flame is an industrial espionage Trojan, why should we all have to patch against it?

We have previous experience with another similar computer Worm, discovered in June 2010, which was also designed for industrial espionage. That Worm was meant to infect only nuclear facilities in Iran, but accidentally broke loose and infected an untold number of business and personal computers around the world, none of which were its intended targets. That malware is known as the Stuxnet Worm and it is still infecting computer systems two years after being discovered.

So, while you and I are probably not an intended target of the Flame malware, now that it is loose, it is prudent that we apply the patch that blocks one of its most common methods of propagating. Go to Windows Updates on all of your Windows computers, check for patch KB2718704 and install it.


About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.

This weblog is licensed under a Creative Commons License. The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.