Gumblar Invades Best Buy

Earlier today, Trend Micro Technical Account Manager Fioravante Souza in Brazil spotted a (potentially harmful) URL that redirects users from the Best Buy domain site.
Users who visit www.bestbuy.com, as it turns out, are redirected to the URL hxxp:// pics.bubbled.cn/gallery/hardcore/?23c4f60c1b9f604d6ffb21cba599301f. The compromised page in the domain turns out to be the landing page on which visitors choose the language they will use while browsing the site. Threat Research Manager Ivan Macalintal further found that a GEO-IP check is performed before the said landing page is displayed.
“If (the) requesting IP is from the Latin America Region (LAR), users are redirected to the ‘choose English or Spanish’ page, and then bingo!” Macalintal says.
Below is a screenshot of the landing page and its source code:
Figure 1: The “language option” landing page in the Best Buy domain site. This page is displayed only if the requesting IP is from LAR.
Figure 2: The source code of the landing page. It shows a garbled block of code at the bottom of the script, a clear sign of code obfuscation. Under three layers of obfuscation, an iframe redirects the user to a Luckysploit-laden site. The Luckysploit web exploit kit and the obfuscation seen are reminiscent of those found in Gumblar.
Figure 3: WHOIS screenshot of the China site showing that the said .CN domain was created only on June 4, 2009.
Same old criminals
Figure 4: Further investigation shows that the first .CN site is actually hosted in Germany and is used by attackers in Ukraine. Suffice it to say, the Russkranians are the culprits once again.
Best Buy has been informed of the said URL redirections and is resolving the matter as of this writing.
More information to follow.
Hat tip to Advanced Threat Researcher Paul Ferguson for providing more information.
Post from: TrendLabs | Malware Blog - by Trend Micro
Related posts:
08-18-2010 18:24
Analysts say that HP's agreement to buy Fortify Software should make corporate users more aware of the need for improved application security.
08-03-2010 13:50
BestCrypt data encryption systems bring military strength encryption to the ordinary computer user without the complexities normally associated with strong data encryption.
BestCrypt creates and su...
net-security
07-23-2010 9:39

Mobile Web Application Best Practices has been published as a last call working draft by the W3C Mobile Web Best Practices Working Group.
Mobile Web Application Best Practices is intended to aid the development of rich and dynamic mobile web applications. It includes guidance sections concerning application data, security & privacy, user awareness & control, (conservative) use of resources, user experience, and handling variations in the delivery context.
The document defines "web application" as:
A Web page (XHTML or a variant thereof + CSS) or collection of Web pages delivered over HTTP which use server-side or client-side processing (e.g. JavaScript) to provide an "application-like" experience within a Web browser. Web applications are distinct from simple Web content (the focus of BP1) in that they include locally executable elements of interactivity and persistent state.
However, it also states that the 32 best practices are equally applicable to other kinds of web run-time, such as widgets and vendor-specific initiatives.
Unfortunately, there is only one recommendation relating to security & privacy. If I had to choose just one security or privacy aspect to raise with mobile web application developers, I don't think it would be "Do not Execute Unescaped or Untrusted JSON data". From a business risk point of view, injection flaws would probably be my choice, and that may also be the same from the user's perspective. Worrying about privacy options is irrelevant if someone can steal all the information from the databases. Of course, choosing just one is difficult, but I believe additional, perhaps broader, guidance is needed here.
The W3C is seeking comments on the document, which should be sent to public-bpwg-comments@w3.org before 6th August 2010. There are specific instructions for feedback from mobile web application implementers.
Mobile Web Application Best Practices (Draft)