Monday, 17 September 2012

Fake ADP and FDIC Notifications Leading Users to Blackhole Exploit Kit

With the latest iteration of the Blackhole Exploit Kit hitting the web this week, attackers are going to great lengths to spread around links to get unsuspecting victims to click through to the first version of the kit.
E-mail notifications claiming to come from Microsoft Exchange, ADP, the Federal Deposit Insurance Corporation and other purported “trusted sources” have been spotted this week leading web users to pages hosting the original exploit kit.

A post by Ran Mosessco, a Security Analyst at Websense on the firm’s Security Labs blog breaks down some of the deceptive emails.

A notification claiming to come from payroll services company ADP tries to trick employees into clicking through to what appears to be their Online Invoice Management account to “protect the security of [their] data.”



Elsewhere, an email disguised as a voicemail notification from Microsoft Exchange Server tries to get users to double-click a link to listen to a voicemail, and an email that appears to come from the FDIC tries to get users to follow a link to download "a new security version."
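The lures above share one trait a triage script can test for: the message claims to come from one organisation while its links point somewhere else. The following check is an added example, not code from the article or from Websense; the sample message, addresses and hosts are constructed placeholders modelled on the ADP lure, not indicators from the campaign. It parses the message, takes the sender's registered domain, and classifies every link whose host is off-domain, flagging "lookalike" hosts that merely contain the brand name.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the fake ADP notice described above.
# Addresses and hosts are invented placeholders (example TLDs), not real indicators.
SAMPLE_EMAIL = """\
From: ADP Online Invoice Management <noreply@adp.example>
To: payroll@victim.example
Subject: Protect the security of your data
Content-Type: text/html

<html><body>
<p>To protect the security of your data, please review your Online Invoice Management account.</p>
<p><a href="http://invoice-adp.example/login.php?id=3f9a">Online Invoice Management</a></p>
<p><a href="https://www.adp.example/help">Help</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect every href from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def registered_domain(host):
    """Crude registered-domain guess: the last two labels of the host.
    Good enough for a demo; production code should consult the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def extract_links(msg):
    """Return all hrefs found in the text/html parts of a parsed message."""
    collector = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "utf-8"
        collector.feed(part.get_payload(decode=True).decode(charset, "replace"))
    return collector.hrefs


def classify_link(href, sender_domain):
    """Classify one link relative to the sender's registered domain."""
    host = (urlparse(href).hostname or "").lower()
    if not host:
        return "no-host"          # mailto:, relative links, etc.
    if registered_domain(host) == sender_domain:
        return "same-domain"
    brand = sender_domain.split(".")[0]
    if brand and brand in host:
        return "lookalike"        # brand name embedded in an unrelated host
    return "foreign-domain"


def suspicious_links(raw_message):
    """Return (href, verdict) for every link that does not stay on the sender's domain."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(sender.rpartition("@")[2])
    findings = []
    for href in extract_links(msg):
        verdict = classify_link(href, sender_domain)
        if verdict != "same-domain":
            findings.append((href, verdict))
    return findings


if __name__ == "__main__":
    for href, verdict in suspicious_links(SAMPLE_EMAIL):
        print(f"{verdict:15s} {href}")
```

The sender address is trivially spoofable, so a match does not prove a message is clean; the check is useful in the other direction, where a message that invokes a brand yet links off-brand deserves a closer look before anyone clicks.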


 
While all these links eventually lead to pages hosting the Blackhole Exploit Kit, Mosessco writes that it likely won’t be long until they begin directing to Blackhole 2.0. The latest version of the kit surfaced online earlier this week and was updated to remove old exploits that have already been fixed. It also came with new features that make it tricky for researchers to reverse-engineer the kit.
 
Courtesy By Christopher Brook

Sunday, 16 September 2012

Black Hole Exploit Kit 2.0 Released

The developer behind the notorious Black Hole exploit kit has released a new version of the software, adding in several new features designed to prevent security researchers from getting access to new exploits or reverse-engineering the kit's inner workings. Conveniently, the pricing for Black Hole has stayed the same, so hackers get more value for the same amount of money.

Black Hole is one of a number of readily available exploit kits distributed in the cybercrime underground that make it simple for attackers of all skill levels to exploit a wide variety of vulnerabilities. With a few mouse clicks, users can pick out a specific exploit, say the recently disclosed CVE-2012-1723 Java vulnerability, and begin compromising vulnerable browsers. The kit has been around for some time, as have similar kits such as the Phoenix exploit kit and Eleonore, and the trend of late has been that exploit code for newly discovered bugs is being added more and more quickly to Black Hole.

The new Black Hole version 2.0 release was announced recently on underground site Exploit.In, and the list of new features and functionality is extensive. One addition to the main Black Hole software is the use of short-term random URLs for delivering the exploits in the kit. Attackers often will compromise legitimate Web sites via SQL injection or some other common method, load their malicious code on the sites and rig it to attack users' browsers with specific exploits as they hit the site. One problem with this technique from the attacker's point of view is that if the compromised page is detected or removed for some other reason, the attack dies.

Enter random domain generation. This feature will generate a new, random URL for the attacker's code to live on, sometimes with a shelf life of just a few seconds. This makes detection of malicious pages far more difficult for site owners and security companies. There's also a new feature that obfuscates the outgoing traffic from a compromised site, making it more difficult to identify.
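Randomly generated, short-lived URLs defeat blocklists, but they leave a different trace in proxy logs: hostnames that look machine-generated and are hit by one client for a few seconds, then never again. The script below is an added example of that heuristic, not code from the article and not a description of Black Hole's own generator, whose algorithm the article does not detail. The log lines and hostnames are constructed, and the thresholds (label length, entropy, digit count) are assumptions to be tuned against real traffic.

```python
import math
from collections import Counter, defaultdict

# Constructed proxy log: "<unix_ts> <client_ip> <host> <path>". Hosts are invented.
LOG_LINES = """\
1347868801 10.0.0.5 www.example.com /index.html
1347868802 10.0.0.5 cdn.example.com /js/app.js
1347868803 10.0.0.5 q7xk2mz9vt4hpl.example.net /r2x8/
1347868804 10.0.0.7 www.example.com /news
1347868805 10.0.0.9 b3n8ws0qzkd1yf.example.net /aj7q/
1347868900 10.0.0.5 mail.example.org /inbox
"""


def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_random(label, min_len=10, min_entropy=3.5, min_digits=2):
    """Heuristic: long, high-entropy label mixing letters and digits.
    Thresholds are assumptions; legitimate CDN or cloud hostnames can trip them."""
    return (
        len(label) >= min_len
        and shannon_entropy(label) >= min_entropy
        and sum(ch.isdigit() for ch in label) >= min_digits
    )


def parse_log(text):
    """Parse the constructed log format into (ts, client, host, path) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, path = line.split()
        records.append((int(ts), client, host.lower(), path))
    return records


def flag_hosts(records):
    """Flag hosts whose leftmost label looks generated, reporting how many
    clients touched them and how long they were seen (a 'shelf life')."""
    seen = defaultdict(lambda: {"clients": set(), "first": None, "last": None})
    for ts, client, host, _path in records:
        entry = seen[host]
        entry["clients"].add(client)
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)

    flagged = []
    for host, entry in seen.items():
        if looks_random(host.split(".")[0]):
            flagged.append({
                "host": host,
                "clients": len(entry["clients"]),
                "lifetime_s": entry["last"] - entry["first"],
            })
    return sorted(flagged, key=lambda f: f["host"])


if __name__ == "__main__":
    for finding in flag_hosts(parse_log(LOG_LINES)):
        print(finding)
```

A single-client, zero-lifetime, random-looking host is not proof of an exploit kit landing page, but combined with a referrer from a just-compromised site it is the kind of signal a blocklist-driven approach never sees, because the URL is gone before anyone can list it.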
 
Black Hole 2.0 also removes all of the old exploits for vulnerabilities that have been fixed--even though those can still be useful against many users--and includes a new batch of exploits. The new release also includes the ability to recognize more types of operating systems, including Windows 8 and several mobile operating systems, giving the attacker the ability to break down the amount of traffic he's getting from machines running each individual OS.

"To the list of operating systems added to Win 8, and mobile devices, in order to see how much of your traffic is mobile, and mobile traffic, you can redirect to the appropriate affiliate," a translated version of the original Russian announcement says. The announcement was posted on the Malware Don't Need Coffee site on Wednesday.

All of this functionality doesn't come for free, of course, but the prices for various iterations of Black Hole have stayed the same as they were for version 1.0. So an attacker wanting to rent an instance of Black Hole from the author's server will pay $50 per day, up to 50,000 hits. A monthly rental will run you $500 with a limit of 70,000 hits per day. A one-year license for unlimited domains is $1,500.

This article was updated on Sept. 12 to correct the source of the Black Hole 2.0 announcement and details about the domain-generation algorithm.


Courtesy by Dennis Fisher

Friday, 14 September 2012

Attackers Using Anime Character to Spread Malicious Android App

Symantec is warning Android users of a new malicious application posing as a famous Anime character that steals personal contact information stored on the device and sends it to a third party.

The Anaru application is in fact the Android.Maistealer malware, a Trojan designed to steal data such as contact names and email addresses from Android mobile devices. It is now hosted on a third-party marketplace designed to look like Google Play. Symantec researcher Joji Hamada said the app is not available on Google Play. Upon its discovery July 24, the initial infection rate was low, but now that it has a dedicated site from which it's distributed, a ramp-up is expected.

Users are unaware the application, which features one of the lead characters in a popular 2011 Japanese anime, is malicious. It behaves as promised by allowing the user to manipulate the character Anaru's body by touching the device screen.

The problem, however, appears much earlier during installation when the app asks the user to allow it access to storage, network communication and personal information, Symantec said, adding that such an application would have no need for access to personal information.
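The permission prompt is the one point where this kind of app gives itself away: a touch-driven character game has no reason to read contacts, and contacts plus network access is the minimum needed to exfiltrate them. The following check is an added example, not code from Symantec or the article. It assumes you already have the app's AndroidManifest.xml decoded to plain XML (for instance from apktool); the manifest below is constructed to match the behaviour the article describes, and its package name is invented.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest: a "touch the character" app asking for storage, network
# and personal information. The package name is invented.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.anaru">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.VIBRATE" />
    <application android:label="Anaru" />
</manifest>
"""

# Permissions that expose personal data. A game has no legitimate need for any of them.
PERSONAL_DATA_PERMS = {
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.GET_ACCOUNTS",
    "android.permission.READ_PHONE_STATE",
}
NETWORK_PERMS = {"android.permission.INTERNET"}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}


def assess(manifest_xml, expected=frozenset()):
    """Compare requested permissions against what the app's stated purpose justifies.

    `expected` is the set of sensitive permissions the reviewer accepts for this app
    (empty for a game). Returns the unexpected personal-data permissions and whether
    the app could also send that data off the device.
    """
    perms = requested_permissions(manifest_xml)
    unexpected = (perms & PERSONAL_DATA_PERMS) - set(expected)
    return {
        "unexpected_personal_data": sorted(unexpected),
        "exfil_capable": bool(unexpected) and bool(perms & NETWORK_PERMS),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_MANIFEST))
```

The `expected` set is what makes the check useful rather than noisy: a contacts-backup tool legitimately needs READ_CONTACTS, so the reviewer whitelists it, while the same permission on an anime touch game is flagged together with the network access that turns it into a leak.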

The same group is also spreading the Android.Enesoluty data-stealing Trojan via spam messages enticing recipients to download a phone battery-saving application called EnergyHelper1 from another phony marketplace. Symantec said these battery-saving applications are becoming popular among scammers.

"We now know that this criminal group was not just playing around with the Anaru app in July," Hamada said. "They have been busy developing another app, as well as setting up dedicated sites to imitate legitimate app markets."


Courtesy by  Michael Mimoso

Wednesday, 12 September 2012

Google Adds Online Malware Scanner VirusTotal To Security Lineup

Google made a significant addition to its security lineup Friday with its acquisition of online malware scanning service VirusTotal. Experts say the malware intelligence Google will have at its disposal would enhance not only existing products and services, but will also underpin its site safety rankings.

Terms of the deal were undisclosed.

VirusTotal's service allows users to upload files or URLs that are scanned for malware. The five-year-old company uses more than 40 antimalware engines on the back end to perform scans. VirusTotal shares data with affected security companies as well in order to enhance scanning capabilities on both sides.

"Given Google's visibility to everything, having a service like this lets them see and possibly interpret malware long before they might have recognized it themselves," said IANS CTO Dave Shackleford. "With their efforts to notify Google users of nation state attacks and other security events, this adds some serious heft to their response and notification efforts."
 
Google, a VirusTotal partner before today, already flags suspicious sites and files in its search results. It also offers the Safe Browsing Diagnostic tool, which scans websites and returns data on the safety of the page, including current status, whether a site is hosting or distributing malware and whether it has done so in the past.

“Security is incredibly important to our users and we’ve invested many millions of dollars to help keep them safe online," a Google spokesperson said in a statement. "VirusTotal also has a strong track record in Web security, and we’re delighted to be able to provide them with the infrastructure they need to ensure that their service continues to improve.”

A post on the VirusTotal site welcomed the acquisition and said the company will continue to operate independently and maintain existing partnerships with other security companies.

"This is great news for you, and bad news for malware generators, because the quality and power of our malware research tools will keep improving, most likely faster; and Google’s infrastructure will ensure that our tools are always ready, right when you need them," the post said. "This is an exciting step forward. Google has a long track record working to keep people safe online and we look forward to fighting the good fight together with them."

Google has made several high-profile security acquisitions since picking up sandboxing specialist GreenBorder and messaging security service provider Postini in 2007. Two years later, Google added reCAPTCHA as a CAPTCHA technology for its services. Last year, it scooped up Zynamics, a vulnerability research company that specializes in reverse engineering software.
 
 
Courtesy by Michael Mimoso

Friday, 7 September 2012

Newest Java 7 Update Still Exploitable, Researcher Says

Oracle last week patched the two zero-day vulnerabilities in Java that attackers had been exploiting in targeted attacks, but it didn't take long for researchers to poke more holes in the software. A new bug that allows a complete Java sandbox escape has been identified already, the latest in what has become a long line of flaws haunting the Java software running on hundreds of millions of machines.

Adam Gowdiak, a researcher at Security Explorations, a Polish firm that said it sent more than a dozen security vulnerabilities in Java to Oracle several months ago, said that upon downloading and inspecting the Java 7 update 7 file, he found that one of the changes made to the application as part of the update enabled another bug to become exploitable.

"One of the fixes incorporated in the released update also addressed the exploitation vector with the use of the sun.awt.SunToolkit class. Removing getField and getMethod methods from the implementation of the aforementioned class caused all of our full sandbox bypass Proof of Concept codes not to work any more (please note, that not all security issues that were reported in Apr 2012 got addressed by the recent Java update)," Gowdiak wrote in a post on BugTraq.

"Today we sent a security vulnerability report along with a Proof of Concept code to Oracle. The code successfully demonstrates a complete JVM sandbox bypass in the environment of a latest Java SE software (version 7 Update 7 released on Aug 30, 2012). The reason for it is a new security issue discovered, that made exploitation of some of our not yet addressed bugs possible to exploit again."

In addition to the newly disclosed vulnerability in Java 7, the team at Security Explorations says that it sent a number of other bug reports to Oracle in April--including the initial report of the CVE-2012-4681 bug--some of which have not yet been addressed. 

Gowdiak said via email that the vulnerability he found in Java 7 is an entirely new issue and not just a reemergence of an older bug.

"That's a completely new vulnerability. It however makes our past, not yet addressed issues possible to exploit again in the environment of the recent Java 7 Update 7," Gowdiak said.

He also said that the company has not received any indication from Oracle when this flaw might be addressed with a patch.

"We only received information from Oracle that it planned to address the remaining 25 issues by the means of Oct 2012 and Mar 2013 Java CPUs," Gowdiak said, referring to the larger group of bugs that Security Explorations reported to Oracle earlier this year.


Courtesy by Dennis Fisher

Wednesday, 5 September 2012

Mobile Malware Is Up - Way Up - in McAfee Q2 Threat Report

McAfee Labs researchers today announced a surge in malware samples this year - particularly threats that take advantage of mobile networks to launch drive-by downloads, control botnets using Twitter and spread ransomware that locks down infected machines and demands payments from users.

The Santa Clara-based company released its Q2 Threat Report, in which its researchers say they've unearthed 1.5 million new pieces of malware this year, or an average of nearly 100,000 malware samples a day. More and more malicious code is targeting Google's Android OS, though Apple users are far from immune either. More than 100 new Mac-oriented samples were discovered last quarter.

"Attacks that we've traditionally seen on PCs are now making their way to other devices. For example, in Q2 we saw Flashback, which targeted Macintosh devices and techniques such as ransomware and drive-by downloads targeting mobile," said the Labs' senior vice president, Vincent Weafer, in a prepared statement.
The findings in today's report come from McAfee Labs' 350 researchers scattered across 30 countries.
 
Among the emerging threats gaining traction is "signed malware," in which attackers attempt to evade detection and encourage open rates by using digital signatures from stolen certificates. "In our 2012 Threats Predictions we predicted that this technique, likely inspired by the success of Duqu and Stuxnet, would rise in 2012. That opinion seems to be a successful example of crystal-ball gazing," researchers wrote in the quarterly report.

The past quarter was also the busiest ever for ransomware, which holds part or all of a victim's data hostage and demands anonymous payment methods to restore it.

"Ransomware is particularly problematic because the damage is instant and commonly a machine is rendered completely unusable. So not only is the victim’s data destroyed, but some of the victim’s money is also gone if he or she attempts to pay the attacker’s ransom. And although it is a personal disaster for a home user to lose years’ worth of data, pictures, and memories, the situation can be much worse in an enterprise if the malware encrypts all the data that a victim has write-access to on a corporate network," the report states. The authors advise users to be careful opening file attachments and to back up systems regularly. Enterprise-level admins should consider establishing access protection rules in their security products.

Botnets reached a 12-month high last quarter, with more attackers using Twitter to send out commands and get all infected devices to follow them. Additionally, thumb drives containing malware - particularly password-stealing code - remain a popular conduit to infect machines.

Spam's growth rate slowed in most parts of the world, with the exceptions being Colombia, Japan, South Korea and Venezuela. Among those with more than 10 percent growth in spam, social media proved a useful channel to peddle adult products, drugs, "lonely women" and phishing scams.

More Web sites that host malware are gaining bad reputations. "Reputations can be based on full domains and any number of subdomains, as well as on a single IP address or even a specific URL. Malicious reputations are influenced by the hosting of malware, potentially unwanted programs, or phishing sites. Often we observe combinations of questionable code and functionality. These are several of the factors that contribute to our rating of a site’s reputation. By the end of June, the total number of bad URLs referenced by our labs overtook 36 million! This is equivalent to 22.6 million domain names."

The authors note that their figure is at odds with the 9,500 new malicious web sites Google announced in a June blog post.


Courtesy by Anne Saita

Saturday, 1 September 2012

Survey Tracks Security’s ‘Bad Mood’ Trend, Need for Improvement

The bulk of security teams face a relentless uphill battle when it comes to dealing with security risks and are sorely lacking when it comes to tracking, measuring and maintaining data access, according to new research.
A survey published today, “The Buried Truth: State of Security Information and Event Management Processes,” carried out by security firm Sensage, found that the majority of security professionals are having a rough go of it these days. It’s the third time the California-based firm has polled the industry but the first in which the survey’s results have marked such a downward slide for its respondents.

This downward trend was clear after Sensage analyzed what it’s referring to as security’s “bad mood.” After taking respondents’ optimism and other factors into account, the firm notes the mood is likely reflective of increasingly complex threats and a decrease in confidence. The mood continues to trend downward when looking at the last three years of responses.

“By 2012, proactive teams were starting to do the heavy-lifting needed to absorb and analyze data across more systems, processes and people than they considered doing in the past,” one part of the survey reads.

That “heavy lifting” refers to the need for better coordination, compliance reporting, incident response and data access.

Fully 79 percent of the survey’s respondents claimed they need better, faster data access and analysis - a big jump from last year, when only 57 percent of security teams claimed they wanted more trustworthy data.
When it comes to tracking improvement, security teams continue to be at a loss. A mere five percent of those who answered the survey felt they had a “consistent and adequately staffed process improvement program.” Those numbers weren’t great to start with; the statistic is down from a measly 18 percent in 2010. Likewise, only 40 percent of respondents asserted that their security teams maintained consistent process improvement, down from 65 percent last year.

Overall, 96 percent of those who answered claimed their teams either had no process improvement, inconsistent process or understaffed process.

Some of these security teams aren’t entirely equipped to handle problems that come their way. Seventy-eight percent of security practitioners who responded claimed they were under less than ideal circumstances when it comes to dealing with security risks.

Less than a quarter, 22 percent, said they were “very effective” when tackling security risks.


Courtesy by Christopher Brook