Web Users in Malware Crosshairs

However, the biggest catalyst to the advancement of the underground economy remains the ubiquitous nature of software vulnerabilities, allowing hackers to take over legitimate Web sites and online applications to deliver their attacks to unsuspecting users, Huger said.

Symantec is increasingly seeing those types of threats -- most notably cross-site scripting attacks -- outpace the creation of more traditional e-mail based exploits. During the last six months of 2007, Symantec tracked a total of 11,253 site-specific cross-site scripting vulnerabilities, far more than the 2,134 traditional vulnerabilities documented by the company during the same timeframe.

And of those cross-site scripting vulnerabilities, only 473 had been patched by administrators of the affected Web sites before the end of the year. Of the 6,961 site-specific vulnerabilities reported by Symantec for the first six months of 2007, only 330 have been fixed thus far.

Even in the cases where site administrators are able to fix the vulnerabilities, Huger said, they are typically slow to do so. However, during the second half of 2007, the average patch development time was 52 days, down from an average of 57 days in the first half of 2007.

Among the most commonly-exploited Web-oriented technologies were browser plug-ins, particularly those using ActiveX. Over the second half of 2007, Symantec documented 239 browser plug-in vulnerabilities, compared to 237 during the first six months of the year. During the second half of 2007, 79 percent of those vulnerabilities affected ActiveX components, compared to 89 percent in the first half.


New Attack Kit Targets Bag of ActiveX Bugs

The attack framework probes Windows PCs for vulnerable ActiveX controls from software vendors Microsoft Corp., Citrix Systems Inc. and Macrovision Corp., as well as hardware makers D-Link Corp., Hewlett-Packard Co., Gateway Inc., and Sony Corp., said a Symantec Corp. researcher.

According to Jungles, visitors to compromised Web sites are redirected by a rogue IFRAME to a malicious site serving the package. The attack pack tests the victim's PC for each ActiveX control, detects whether a vulnerable version of a control is installed, then launches an attack when it finds one.

The seven exploited in the package outlined by Jungles are a mix of old and brand-new flaws. For example, Microsoft's own ActiveX vulnerability -- a bug in IE's Speech API (application programming interface) -- was disclosed in June 2007, while the vulnerability in the Citrix Presentation Server Client control harks back even further, to December 2006. Others, such as the ActiveX bugs in D-Link's security Webcams and in Sony's ImageStation, are much more recent, having been revealed in February.

Four of the seven ActiveX flaws -- those in the D-Link, Gateway, Sony and Macrovision products -- have not been patched, said Jungles.

Assuming the exploit framework succeeds in compromising a PC, the hackers drop a Trojan on the machine that turns it into a spam-spewing zombie; the Trojan includes a rootkit component to mask the malware from anti-virus scanners.


Phishers Use Google to Find Exposed Servers

Three-quarters of phishing sites are built on hacked servers that have been tracked down using pre-programmed Google search terms, according to research from brand-protection firm MarkMonitor.

Researchers compiled a list of 750 Google search terms that are used to track down websites likely to have easily exploitable vulnerabilities -- mostly PHP-based sites.

The search terms return a list of sites likely to have particular vulnerabilities; the attackers then exploit the vulnerability, gain access to the site, and then use it to host malicious code or counterfeit web pages as part of the scam.

The websites exploited tend to be small, local PHP-based sites, which are less likely to have the latest patches installed, and are invaded via one of more than 1,800 known PHP bugs, MarkMonitor said.

Hackers Tuck Attack Code Into UK Government Site

A Welsh government Web site has been hacked to serve up malicious JavaScript, a sign that the spate of attacks first spotted last month is continuing, analysts from security vendor Sophos warned Friday.

The method of attack is similar to one that recently victimized pages within Trend Micro's Web site, said Graham Cluley, senior technology consultant for Sophos.

Trend Micro's Web site was one of up to 20,000 sites discovered in mid-March where hackers found a weakness in the server's security that allowed them to implant malicious JavaScript.

If a user visits an infected page, the JavaScript initiates a download of malicious code from another server.

Hacked Web sites are increasingly being used to infect PCs with malicious software. The attack method can be used to infect fully patched computers. Once the bad JavaScript runs, a user could be prompted to download a piece of software, which the victim may believe they need in order to access the legitimate Web site, but the software is actually harmful.

In other cases, the JavaScript could launch an attack that seeks to exploit vulnerabilities in, for example, QuickTime, Cluley said. Earlier this week, Apple issued 11 patches for its media player. JavaScript could launch QuickTime, and if the application isn't patched, the PC could be infected.

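As an added defender-side example (not code from any of the quoted articles or vendors), a small Python check a site administrator could run over their own pages to flag the kind of injection the posts above describe: hidden IFRAMEs and scripts or frames loaded from hosts other than the site's own. The allowed-host list, the sample HTML and the attacker.invalid hostname are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class InjectionScanner(HTMLParser):
    """Collect iframe/script tags that look like injected redirects."""

    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}  # hosts we expect to load from
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = urlparse(src).hostname
        # relative URLs have no host and are treated as same-site
        external = bool(host) and host.lower() not in self.own_hosts
        style = a.get("style", "").replace(" ", "").lower()
        hidden = (
            a.get("width", "").strip() in ("0", "0px", "1", "1px")
            or a.get("height", "").strip() in ("0", "0px", "1", "1px")
            or "display:none" in style
            or "visibility:hidden" in style
        )
        if tag == "iframe" and (hidden or external):
            self.findings.append(("iframe", src, "hidden" if hidden else "external"))
        elif tag == "script" and external:
            self.findings.append(("script", src, "external"))

def scan_html(html, own_hosts):
    """Return a list of (tag, src, reason) tuples for suspicious tags."""
    p = InjectionScanner(own_hosts)
    p.feed(html)
    p.close()
    return p.findings

# Constructed sample: a page whose footer carries an injected zero-size iframe
# and an off-site script; attacker.invalid is a placeholder hostname.
SAMPLE = """<html><body>
<h1>Council news</h1>
<script src="/js/site.js"></script>
<iframe src="https://www.example.org/widget" width="300" height="200"></iframe>
<iframe src="http://attacker.invalid/in.cgi" width="0" height="0"></iframe>
<script src="http://attacker.invalid/x.js"></script>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE, ["www.example.org"]):
        print(finding)
```

Run it against a saved copy of each page and compare against a known-good baseline; a new hidden or off-site frame appearing between crawls is the signal worth investigating.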