2010-01-14

On Tuesday, 13th of January, Google announced that their security experts detected targeted attacks on Google's employees. The attackers successfully gained access to sensitive data about certain users of the Gmail service provided by Google. The attacks were carried out in second half of December last year and, according to a report by iDefense, attackers used malicious PDF documents to exploit client machines. The malicious PDF documents were sent as e-mail attachments.

Exploitation of vulnerabilities in the Adobe Reader and Acrobat applications became very common in last couple of years due to a high number of identified vulnerabilities in these products. Infigo's security researcher Bojan Ždrnja published several analysis of malicious PDF documents on SANS' Internet Storm Center website; the analysis can be seen at the following URLs: http://isc.sans.org/diary.html?storyid=7867 and http://isc.sans.org/diary.html?storyid=7984. It is assumed that similar malicious PDF documents were used in published attacks.

Google also announced that they detected attacks on over 30 other companies and that the attackers, which are suspected to come from China, managed to gain access to sensitive intellectual property such as application source code. INFIGO IS is urging customers to install the latest available patches for the Adobe Reader and Acrobat applications and to disable JavaScript in these applications as well.

Researchers from Microsoft recently unearthed exploits targeting the CVE-2010-0188 vulnerability.

On February 16, Adobe released a security advisory describing a vulnerability in Adobe Reader and Acrobat 8.X and 9.X. Once the vulnerability is exploited, attackers gain the capability to perform denial-of-service (DoS) attacks on affected systems. Doing so can cause applications and even systems to crash. Attackers can also execute arbitrary code on affected systems.

Trend Micro detects the exploit binary as TROJ_PIDIEF.EXP, a specially crafted .PDF file. It belongs to a family of known exploits that target Adobe Acrobat and Reader vulnerabilities. This family is also capable of dropping other malicious files such as spyware and backdoors onto affected systems.

Users are advised to update to the latest versions of the aforementioned Adobe products to secure their systems from attacks related to this vulnerability.

Trend Micro™ Smart Protection Network™ protects product users from this threat by detecting and executing the malicious file via the file reputation service.

Post from: TrendLabs | Malware Blog - by Trend Micro

More Adobe Exploits in the Wild

Hot on the heels of the Patch Tuesday announcements yesterday (see blog or links to vulnerability assessment pages), came the announcement of a new zero-day in Internet Explorer (CVE-2010-0806).

Whilst checking through some URLs supposedly serving up malicious code to exploit this vulnerability, I noticed a link to some spam runs from earlier in the week. On March 8th SophosLabs saw spam messages attempting to trick the recipient into visiting rogue web pages. Messages used at least two social engineering tricks to lure victims into clicking the malicious link.

Example messages are shown below.

In either case, clicking on the link takes the victim to a web page which kickstarts the infection process.

Generic detection for the exploit scripts seen thus far has been added as Troj/ExpJS-R. A script used to query the browser/OS version before loading the exploit script (or redirecting to a games site) has been added as Troj/JSRedir-AW.

The malicious payloads installed in such attacks are liable to change of course, but the ones seen thus far have been either proactively detected as Mal/Dropper-Y, or added as Troj/Dloadr-CYS.

SophosLabs will continue monitoring for new attacks looking to exploit this vulnerability. In the interim, aside from keeping your protection up to date, take note of the following from the Microsoft announcement:

Our investigation has shown that the latest version of the browser, Internet Explorer 8, is not affected.

If you are an IE user and have not yet upgraded to version 8, take a hint! It is strongly recommended that you do so. Aside from not being affected from this particular issues, there are a whole bundle of other security related features you are missing out on otherwise.

The SophosLabs vulnerability assessment page for the IE 0-day vulnerability will be updated accordingly.

A new wave of spammed messages posing as mail service notifications targeted antivirus companies, including Trend Micro. These messages ask the receivers to update their mailbox settings by opening and executing the attachment.

The two samples above TrendLabs obtained were sent to domains that belonged to Trend Micro. The file attachment does not contain any mailbox settings but instead a malicious file detected as TROJ_FAKEAV.EAO.

This spam run is similar to a run that TrendLabs earlier reported wherein Trend Micro Advanced Threats Researcher, Joey Costoya, said the subdomains may have been tailor-made, depending on the recipients’ email addresses. That spam run was actually part of a phishing attempt that targeted employees of various companies, including Trend Micro.

The Trend Micro™ Smart Protection Network™ protects product users from this attack by preventing the spammed messages from reaching users’ inboxes via the Web reputation service and by detecting and removing the malicious file via the file reputation service.

Non-Trend Micro product users can also stay protected by using eMail ID, which prevents fake messages from reaching their inboxes. It also helps users quickly find legitimate messages.

Post from: TrendLabs | Malware Blog - by Trend Micro

Spammers Target Antivirus Companies