Thursday
21Jan2010

Microsoft Releases Out-of-Band IE Patch 

Microsoft has released MS10-002 in response to zero day exploits alleged to have been used in attacks on Google, Adobe, and numerous other companies in early December. Described as a 'cumulative security update for Internet Explorer', the patch includes fixes for at least 8 separate vulnerabilities impacting nearly all versions of Internet Explorer from 5 through 8.

Thursday
14Jan2010

McAfee Claims IE, not Adobe Flaw, to Blame

Antivirus vendor McAfee is disputing earlier reports that a zero day vulnerability in Adobe products was to blame for the attacks on Google. According to a statement by George Kurtz of McAfee, the vendor is "working with multiple organizations that were impacted by this attack as well as the government and law enforcement. As part of our investigation, we analyzed several pieces of malicious code that we have confirmed were used in attempts to penetrate several of the targeted organizations." (McAfee has dubbed the incident "Aurora").

The McAfee report also stated that the malware they observed was targeting Internet Explorer 6. Microsoft has confirmed the vulnerability and released security advisory 979352 regarding the incident. However, it is not clear from the McAfee statement whether Google is among those companies working with McAfee.

Compounding the question, of course, is the delicate matter of forensics. Even with very straightforward Web attacks, the attackers frequently switch out the malcode. In a highly targeted attack, every aspect of the attack can be swapped out for each specific target. On any given day, even with the most routine of compromises, malware and exploits used are often swapped to avoid detection, hamper forensics, or up the ante.

Further, exploits today are hardly static. The exploit that gets delivered is usually entirely dependent on the configuration of the victim's computer. It seems highly improbable that an attack described as "highly sophisticated and highly targeted" would rely solely on a zero day vulnerability in an outdated browser.

Further complicating matters, Google discovered the additional corporate victims in the course of its own investigation, which obviously would have taken place after the breach was discovered. These victims were then notified by Google, so any forensics they did would have been well after the fact and likely would not pertain specifically to the attack as it took place live. As such, despite the eagerness of all the fringe investigators, likely the only ones who actually know what zero day exploits were truly involved are the attackers themselves.

Wednesday
13Jan2010

Adobe Flaws Alleged in Google Attacks

According to Verisign iDefense, the targeted attacks reported against Google were made possible due to zero day vulnerabilities in Adobe Reader and Acrobat. Yesterday, Adobe released its own announcement acknowledging that Adobe has also been a victim of the targeted attack. Also yesterday, Adobe released a critical security patch to address vulnerabilities in Adobe Reader and Acrobat that could lead to malicious code execution. Adobe has not confirmed whether the patch was related to the same flaws exploited in the recent Google / Adobe targeted attacks. An anonymous source has told IDG News that the Google attacks breached "internal intercept systems" which IDG explains are "used to help Google comply with search warrants by providing data on Google users." It is not yet known what systems at Adobe were breached.

Tuesday
12Jan2010

Google Attack Reflects Sophistication of Today's Malware

Google is evaluating a "new approach to China" after the Internet giant suffered "a highly sophisticated and targeted attack...originating from China that resulted in the theft of intellectual property from Google." The Google announcement, written by Google's Chief Legal Officer David Drummond, notes that the attack was not just on Google, but also targeted "at least twenty other large companies from a wide range of businesses--including the Internet, finance, technology, media and chemical sectors."

This industry targeting is not new to ScanSafe. In late 2008, ScanSafe released a report that discussed our analysis of Web malware encounters among 21 industry verticals, including evidence of specific targeting of highly sensitive verticals. The ScanSafe Vertical Risk Assessment discusses those risks in detail.

Further, we've warned for some time that even mass-distributed malware becomes targeted once that malware gets into the corporate network - its actions will change depending on who the company is or to which industry they belong. As we blogged in Password Stealers: Few Names, Many Flavors, "most of the password stealers that are actively circulating via the Web allow for custom configuration. Once on the system, the password stealer typically opens a port to listen for remote commands and then downloads a custom configuration file that specifies the information to be harvested. Obviously this can allow for a high degree of focused targeting."
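The behaviour described above (a stealer that opens a listening port and then pulls down a configuration file telling it what to harvest) is a sequence a defender can look for on the endpoint. The following is an added example, not code from ScanSafe or from the post; it runs a two-step correlation over constructed endpoint events, and the process names, ports, URLs and the list of expected listeners are all assumptions made up for the illustration.

```python
"""Added example: flag a process that opens an unexpected listening port and,
shortly afterwards, fetches a configuration-looking file over HTTP."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical policy: services on this host that are expected to listen, and on which ports.
EXPECTED_LISTENERS = {"sshd": {22}, "httpd": {80, 443}}

# File suffixes that look like a downloaded configuration rather than a web page.
CONFIG_SUFFIXES = (".ini", ".cfg", ".conf", ".dat")

# Constructed sample events (not real telemetry): timestamp|event|process|detail
SAMPLE_EVENTS = """\
2010-01-12T09:00:01|listen|sshd|0.0.0.0:22
2010-01-12T09:01:10|listen|winword.exe|0.0.0.0:4331
2010-01-12T09:01:12|http_get|winword.exe|http://203.0.113.7/cfg/targets.ini
2010-01-12T09:05:00|http_get|firefox.exe|http://example.com/index.html
2010-01-12T09:20:00|listen|svchost.exe|0.0.0.0:5555
2010-01-12T11:00:00|http_get|svchost.exe|http://198.51.100.9/u.cfg
"""


@dataclass
class Event:
    ts: datetime
    kind: str      # "listen" or "http_get"
    process: str
    detail: str    # "addr:port" for listen, URL for http_get


def parse_events(text: str) -> list:
    """Parse the pipe-separated sample format into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, proc, detail = line.split("|", 3)
        events.append(Event(datetime.fromisoformat(ts), kind, proc, detail))
    return events


def listen_port(ev: Event) -> int:
    return int(ev.detail.rsplit(":", 1)[1])


def unexpected_listen(ev: Event) -> bool:
    """True for a listen event on a port not in the process's expected set."""
    if ev.kind != "listen":
        return False
    return listen_port(ev) not in EXPECTED_LISTENERS.get(ev.process, set())


def find_configurable_stealers(events, window=timedelta(minutes=10)):
    """Return (process, port, url) for each unexpected listener that fetched a
    config-looking file within `window` of opening the port. Events are
    processed in time order; a listener only stays 'pending' for one match."""
    hits = []
    pending = {}  # process name -> the listen event awaiting a follow-up fetch
    for ev in sorted(events, key=lambda e: e.ts):
        if unexpected_listen(ev):
            pending[ev.process] = ev
        elif ev.kind == "http_get" and ev.process in pending:
            listen_ev = pending[ev.process]
            in_window = ev.ts - listen_ev.ts <= window
            looks_like_config = ev.detail.lower().endswith(CONFIG_SUFFIXES)
            if in_window and looks_like_config:
                hits.append((ev.process, listen_port(listen_ev), ev.detail))
                del pending[ev.process]
    return hits


if __name__ == "__main__":
    for proc, port, url in find_configurable_stealers(parse_events(SAMPLE_EVENTS)):
        print(f"possible remotely configured stealer: {proc} listening on {port}, fetched {url}")
```

Only `winword.exe` is reported: it opens port 4331 and fetches `targets.ini` two seconds later. `svchost.exe` also opens an unexpected port, but its config fetch comes 100 minutes later and falls outside the correlation window, which is the kind of gap a real detection would tune (or widen per process) rather than ignore.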

Unfortunately, much of this potential likely gets overlooked thanks to innocuous-sounding malware detection names such as PWS.Lineage or WoWStealer, which imply the only targets are online gaming credentials. Nothing could be further from the truth.


Thursday
17Dec2009

Amazon Cloud has Rained Malware Before

This past Wednesday, researchers from CA reported what they described as the "first instance" of a malicious website hosted on Amazon's EC2 cloud service. But contrary to the reports, malware distributed via Amazon's cloud-based services isn't a new phenomenon - it's been happening in steady doses since at least June 2007 on Amazon's S3 service and since February 2008 on Amazon's EC2 service. Antivirus vendor Sophos even reported on one of the earlier EC2 attacks in July 2008.

In the past three years, ScanSafe has recorded 80 unique malware incidents involving amazonaws, 45 of which were in 2009, 13 in 2008, and 22 in 2007.

Unlike real estate, when it comes to malware, location is no guarantee of security. A link to a file hosted on amazonaws should be treated as cautiously as an unexpected link pointing to any other unfamiliar source. On the plus side, when malware is distributed through amazonaws, it's significantly easier to put a stop to it. As Amazon explains, "Abusers who choose to run their software in an environment like Amazon EC2, make it easier for us to access and disable their software."