September 19, 2012

Email spam on September 19 was all about malware links & attachments


So far today I have received 14 spam email messages, which is way down from the typical two dozen or more. However, of those 14 messages, 10 contained either attachments carrying, or links to, the BlackHole Exploit Kit. The payload for those successfully exploited was the Zeus (Game Over) banking Trojan.

Here is the breakdown of those scams, listed by the brand being spoofed:


  • ADP Client Services: 4 scams

  • Better Business Bureau: 2 scams

  • Facebook Notifications Pending: 1 scam

  • American Express Forgotten ID: 1 scam

  • Your Flight Order: 2 scams

  • The remaining 4 were 1 work at home scam and 3 for Russian fake pharmacies.

The malware scams rely upon two technologies commonly deployed in web browsers to carry out their attacks. The first is JavaScript, which is normally installed and enabled to add special features and functions to websites. The second is any outdated version of Oracle's Java Virtual Machine, which many computers have installed, often without the knowledge of their owners. If a victim opens one of these scam emails, then clicks upon their poisoned links, and they have JavaScript enabled, the exploit kit is loaded into an invisible iframe in their web browser. The kit contains long lines of obfuscated JavaScript code and functions, ending in an "eval" statement.

If the victim also has a vulnerable version of Java installed, the exploit attack is launched with full force, downloading a hostile Java applet. This applet exploits weaknesses in the installed version of Java to jump out of a restricted area in the browser, called the Sandbox, and into the operating system files. The malware then installs a remote access Trojan (RAT), which downloads the real payload: usually the ZeuS banking Trojan.

Note: the BlackHole and other exploit kits also check for the presence of outdated, exploitable versions of Adobe Flash, Reader and Acrobat, plus vulnerable ActiveX controls and certain other now-patched Microsoft technologies. So, while you might be up to date with, or completely without Java, you could be exploited via some other unpatched software that interacts with your browser.
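An added example, not from the original post, that turns the two tell-tales described above (an invisible iframe and a long obfuscated script ending in eval) into heuristics a defender can run over a saved page. The sample page, its host name and the hex blob are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Constructed landing-page sample (not a real kit page): a heading the visitor sees,
# a zero-size iframe, and a long script that decodes a string and then eval()s it.
SAMPLE_PAGE = """
<html><body><h1>Please wait ... Loading</h1>
<iframe src="http://example-kit-host.invalid/go.php" width="0" height="0" style="visibility:hidden"></iframe>
<script>
var a="3c7363726970743e";var b="";for(var i=0;i<a.length;i+=2){b+=String.fromCharCode(parseInt(a.substr(i,2),16));}
eval(b);
</script></body></html>
"""

HIDDEN_STYLE = re.compile(r"(display\s*:\s*none|visibility\s*:\s*hidden)", re.I)
DECODE_CALLS = ("eval(", "unescape(", "fromCharCode(", "parseInt(")

def _is_hidden(attrs):
    """True for a zero/one-pixel frame or one hidden via inline style."""
    a = {k.lower(): (v or "") for k, v in attrs}
    tiny = all(a.get(d, "").strip() in ("0", "1") for d in ("width", "height"))
    return tiny or bool(HIDDEN_STYLE.search(a.get("style", "")))

class KitHeuristics(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hidden_iframes = []    # src of every hidden iframe seen
        self.eval_scripts = []      # decode-call hits of each eval-terminated script
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        if tag == "iframe" and _is_hidden(attrs):
            self.hidden_iframes.append(dict(attrs).get("src") or "")
        self._in_script = tag == "script"
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            body = data.strip()
            hits = [c for c in DECODE_CALLS if c in body]
            # "long obfuscated code ending in an eval statement" is the pattern the article describes
            if len(body) > 80 and "eval(" in hits and body.rstrip(";").endswith(")"):
                self.eval_scripts.append(hits)

def score_page(html):
    """Return the indicators found; 'suspicious' needs both a hidden iframe and a decode-then-eval script."""
    p = KitHeuristics()
    p.feed(html)
    return {"hidden_iframes": p.hidden_iframes, "eval_scripts": len(p.eval_scripts),
            "suspicious": bool(p.hidden_iframes) and bool(p.eval_scripts)}

if __name__ == "__main__":
    print(score_page(SAMPLE_PAGE))
```

Real kits vary the obfuscation, so treat a hit as a reason to look closer, not as proof on its own.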

It is of the utmost importance that email recipients have a way to display the actual destination of a link by hovering over it before clicking on it. Most email clients have, or can show, a "status bar" at the bottom, where link URLs are displayed. This way, if a link claims to go to adp.com, but when you hover your pointer over it the status bar tells you that it goes to a totally unrelated location, you should know better than to click on that link! Your email client may be your browser, for "Webmail" systems, or a desktop application, like Windows Live Mail, Microsoft Outlook, or Mozilla Thunderbird. Most PC based email clients have a status bar either on the main email program interface, or at the bottom of an email message that is opened for reading.
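As an added example (not from the original post), the hover-and-compare check above can be automated over an email's HTML body: any link whose visible text names a domain that the href does not actually go to is flagged. The sample message and host names are constructed; the domain comparison is a crude last-two-labels match rather than a public-suffix lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body: the first link's text claims adp.com,
# but its href points to an unrelated host; the second link is genuine.
SAMPLE_EMAIL_HTML = """
<p>Your ADP Client Services report is ready.</p>
<p>Download it at <a href="http://example-bad-host.invalid/adp/report.php">https://www.adp.com/reports</a>.</p>
<p>Questions? Visit <a href="https://www.adp.com/support">https://www.adp.com/support</a></p>
"""

# A domain or URL appearing in the visible link text, e.g. "www.adp.com"
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)

def registered_domain(host):
    """Last two labels of a host name (assumption: no public-suffix list in this example)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in the body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_spoofed_links(html):
    """Return (visible text, href) pairs whose text names a domain the href does not go to."""
    p = LinkCollector()
    p.feed(html)
    suspicious = []
    for href, text in p.links:
        m = DOMAIN_RE.search(text)
        if not m:
            continue   # plain labels like "Click here" make no destination claim
        claimed = registered_domain(m.group(1))
        actual = registered_domain(urlparse(href).hostname or "")
        if actual != claimed:
            suspicious.append((text, href))
    return suspicious

if __name__ == "__main__":
    for text, href in find_spoofed_links(SAMPLE_EMAIL_HTML):
        print(f"link text claims {text!r} but goes to {href}")
```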

Unfortunately, the email clients that I have seen for Android and iPhone smartphones don't appear to have any status bar (at this time). Hopefully, that will change soon. I do know that the folks who created MailWasher Pro are in the final beta testing process of creating a new version for Android, Apple and Windows smartphones. MailWasher Pro reveals actual link destinations in most cases, plus it blocks spam. I'll post a dedicated article when the Mobile MailWasher app is finalized.

To protect your computers and smart devices from the likes of the BlackHole Exploit Kit, disable the Java plug-in from your web browsers, or uninstall Java completely from those devices. If you use Firefox to browse the 'Net, install the NoScript Add-on. If you prefer Google Chrome, install the ScriptNo Extension. If you browse with Microsoft's Internet Explorer or Apple's Safari browser, pray, or disable all forms of active scripting!


Microsoft to issue out-of-cycle patch for 0-day IE exploit

September 19, 2012

This is an urgent update to a vulnerability alert I published two days ago, on Sept 17, 2012.

Bowing to pressure from concerned organizations around the world, Microsoft has just released a temporary "Fix It Tool" to block the primary attack vector used in the newest zero-day attacks targeting Internet Explorer users. This Fix It Tool was released only a few days after the initial publication of the details of the exploit code, on the Metasploit website.

The Fix It Tool is designed to "Prevent Memory Corruption via ExecCommand in Internet Explorer." The details about the vulnerability can be found on this page.

If you use Internet Explorer versions 6, 7, 8, or 9, you are vulnerable. Go to the Microsoft Fix It Tool page and download "Microsoft Fix it 50939" to enable your protection. There is also a second tool to disable the protection: "Microsoft Fix it 50938."

Furthermore, Microsoft has announced that they are preparing to release a comprehensive official patch for Internet Explorer, for all affected and still supported Windows platforms. The official patch is scheduled for release on Friday, September 21, 2012. If you set your Automatic Windows Updates option to automatically check for and download important updates, you should receive the official patch sometime on Friday, this week.


September 17, 2012

New zero-day vulnerability in Internet Explorer being actively exploited

(Updated Sept 19, 2012, to include IE 6, plus tightening the security level of IE browsers)

The security channels are buzzing today with news about a brand new "zero-day" vulnerability in Internet Explorer browsers 6, 7, 8 and 9, which is actively being exploited to load the Poison Ivy Trojan onto victimized computers.

Details are still emerging about the exact method through which Internet Explorer is being exploited. However, one common factor is that the current exploit requires Adobe Flash to also be installed. The term "Heap Spray" is being used to describe the code injection action which leads to the downloading of a Shockwave Flash file by loading an invisible iframe into the browser. The Flash file it downloads then downloads and executes a file which installs the Poison Ivy Trojan.

NEW
A successful exploit of Windows Vista or Windows 7 also requires a vulnerable version of Java to be installed.

All of this happens behind the scenes and runs with the full privileges of the logged in user. This means that if you are lured to this trap and are operating with Administrator privileges and are browsing with Internet Explorer 6 through 9, your fully patched Windows PC may have the Poison Ivy, or some other Trojan silently installed right in front of you.

People who log in to less privileged account types will have to approve the malware installation and provide Admin credentials. While they might be tricked by crafty language, it is less likely that most of them will be fooled. FWIW, I operate as a Power User (Win XP) and Standard User in Windows 7. Both are less privileged accounts.

A zero-day exploit gives the maker of the exploited software no head-start time to develop a patch. This gives the malware creators more time to infect millions of PCs while the software maker tries to reverse engineer the threat and develop a patch. Microsoft is certainly working on a patch for this vulnerability as I type this (using Firefox).

NEW
Microsoft has published Security Advisory 2757760 about this vulnerability and their plans to deal with it. In a blog post, Microsoft has just promised to release a temporary "FixIt Tool," until an official patch is tested and released via Windows Update Services. That tool should appear soon on the above linked page.

Watch for an out-of-band critical patch from Windows Update Services, any time in the next few days or weeks. Make sure you have Automatic Windows Updates turned on, with the recommended settings, and set the time to check for updates to a time when your PC is normally turned on.

There is an advanced and difficult to understand security tool (EMET) available from Microsoft, which may or may not mitigate this threat, if you can figure out how to use it. But, I recommend that you browse with an alternate browser until a patch is released and you have installed it. Good options are Mozilla Firefox and Google Chrome.

People at risk are using Windows XP, Vista and 7, browsing with Internet Explorer versions 6, 7, 8 and 9. Internet Explorer 10 is NOT vulnerable (Windows 8). Nonetheless, using a different browser for a while seems like a prudent thing to do. Both Firefox and Chrome will offer to import your cookies and bookmarks (Favorites) from Internet Explorer, making your transition easier. I did this several years ago and have been using Firefox browsers exclusively ever since. They get updated almost every month or so.

NEW INFO:
If you must browse with Internet Explorer, set the Security slider to the highest, most restrictive position. This disables ActiveX support and most of what MS calls "active scripting."

I have been reading security blogs and following Tweets from security companies, concerning this new zero-day vulnerability. Most are writing or have written definitions to detect the exploit payload. Trend Micro goes one step farther and blocks access to the servers hosting the malware files. If you use any current version of Trend Micro Internet Security products, you are protected by the Trend Smart Protection Network.


September 15, 2012

Exploit kit offers to install Java if you don't already have it


Many of my blog articles involve warnings about vulnerabilities in Java plug-ins for browsers. Criminals love Java because it has so many exploitable code issues that as soon as one is fixed, another is discovered. Successful exploits cause malicious code to jump out of the Java "sandbox" and into your operating system. Security bloggers like me are always advising our readers to uninstall Java for their safety and many are heeding this advice.

If you read security blogs, like this one, you will often see the term "exploit kit." Usually, we discuss the most common exploit kit in use these days: "The BlackHole Exploit Kit." It is expensive, but gets incredible results because it targets the most recent vulnerabilities found in Java technology. Victims are lured to exploit kits by links in spam emails, or on compromised websites. However, if a potential victim arrives and does not have Java installed, a Java-only exploit kit fails to infect that person's computer.

As a backup plan, some exploit kits also test for the presence of Adobe Flash, or Reader, or Acrobat. If any of these are installed and are not the latest, patched version, the computer may be taken over through those plug-ins. But, if the victim's computer is fully patched and is not running Java at all, some exploit writers (Crime Boss Exploit Kit) have found a way to get one more crack at you before letting you move along. How? They tell you that Java is required to view the important details on the (exploit) page and provide a download link to you! Clicking on the download link results in an unsigned certificate alert popping up, warning that you may be downloading harmful software (Windows PCs).

Smart computer users will not fall for this type of ruse. Warn your parents and elderly friends and relatives about these social engineering tricks! The cyber criminals operating exploit kits are mostly looking for low hanging fruit. Un-savvy computer users are an easier target. Savvy users don't usually use Internet Explorer as their default browser, due to its terrible history of exploitability (esp. via ActiveX attacks). All browsers are exploitable to some degree, but unlike IE, Firefox and Chrome are updated so frequently that vulnerabilities have a very short window of opportunity to exploit them.

I'll repeat my previous advice. If you find that your computers have Java installed and you are not on a business network that requires workstations to use Java, uninstall all versions you find listed in your Control Panel (Windows) or Finder (Mac). If you run Linux, check your installed software and remove Java if it is installed. If you must use Java, set it to automatically check for updates on a daily basis, then manually check for updates. Oracle maintains Java and is slow to update it, while criminals are quick to exploit it.

Every single exploit kit I have seen or read about uses "JavaScript" to probe your computer for vulnerable software. If you disable JavaScript for unknown or untrusted websites and get lured to an exploit kit, nothing at all will happen. You will see whatever H1 heading they have written into the code (e.g. "Please wait ... Loading"), but none of the functions and "eval" statements can run. I use the NoScript add-on for Firefox and the ScriptNo extension for Chrome. Both are free and disable Java, JavaScript and Flash by default, unless you explicitly allow them to run for that website.

In addition to uninstalling Java, disabling JavaScript by default and keeping Adobe software updated and your operating system and browsers patched, there is one more step I recommend that you take. If you currently operate as a computer administrator, reduce your privileges to those of a limited user. I have instructions for doing this on my user account privileges page. Any software you attempt to install will present you with hoops to jump through and will require an Admin password before the installation can occur. You might be tricked by a really clever attacker, but they cannot use a silent "drive-by" exploit without your knowledge and interaction.

Finally, make sure you have an active, current version of a major anti-virus and anti-malware program installed and kept updated on a daily basis, or even more often. My anti malware programs are automatically updated on an hourly basis and I have them scan twice a day (morning and night).


September 3, 2012

Java vulnerability patch of August 30 is incomplete


On August 29, 2012, I wrote an article about a new zero day exploit of the then latest versions of Java: version 7, updates 1 through 6. One day later, Oracle, the keepers of the mysteries of Java, released a patched version, Java SE 7u7 (update 7). It seems that their patch has still not closed the vulnerabilities exploited in the BlackHole Exploit Kit.

The security firm who first disclosed the new vulnerability used in the "zero day" attacks, did so on April 2, 2012, 5 months ago. During this time, Oracle failed to deliver any patch for that vulnerability. It was only at the very end of August 2012, when the technical details about the new vulnerability were made public and added to the BlackHole Exploit Kit, that Oracle rushed out a sudden patch, on August 30.

The firm who first reported the vulnerability tested the patched version and announced that it failed to block all of the exploit methods which they had already disclosed to Oracle, in April. If this is true, even if you apply the patched version, Java 7 build 7, your devices may be exploitable. So, I repeat my advice, which has been echoed by many others in the computer security field: if you don't really need Java, which is most Internet users, uninstall it! Very few websites are using Java Applets anymore. Most switched to Flash when it was in its heyday. Now, with Flash support dwindling in new devices and virtually all Mac and "i" products, many sites are switching to other emerging technologies, including HTML 5, to render active content.

OTOH, if you do require Java, to run office, intranet, or desktop applications, which don't need a web browser to display, upgrade to the latest version, set it to automatically check for updates every day, then disable the automatically installed Java plug-ins on all web browsers installed on your computer. This protects the web browsers from being exploited by a drive-by attack, or from somebody being fooled into clicking a poisoned link in an email, instant message, or Facebook posting.

See this US-CERT post for the simple details about these Java exploits.

About the author
Wiz FeinbergWiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.
Creative Commons License This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.