Symantec Intelligence Quarterly - EMEA April - June 2010
Quarterly Report: Symantec Intelligence Quarterly - EMEA

Contents
- Introduction
- Highlights
- Metrics
- Overview: The Microsoft Help and Support Center Zero-day Vulnerability
- Overview: The Adobe Flash Zero-day Vulnerability
- Overview: The Month of PHP Security
- Credits
Introduction

Symantec has established some of the most comprehensive sources of Internet threat data in the world with the Symantec Global Intelligence Network. More than 240,000 sensors in over 200 countries and territories monitor attack activity through a combination of Symantec products and services such as Symantec DeepSight Threat Management System, Symantec Managed Security Services, Norton consumer products, and third-party data sources. Symantec also gathers malicious code intelligence from more than 133 million client, server, and gateway systems that have deployed its antivirus products. Additionally, the Symantec distributed honeypot network collects data from around the globe, capturing previously unseen threats and attacks and providing valuable insight into attack methods.

Spam and phishing data is captured through a variety of sources including: the Symantec probe network, a system of more than 5 million decoy accounts; MessageLabs Intelligence, a respected source of data and analysis for messaging security issues, trends and statistics; and other Symantec technologies. Over 8 billion messages (as well as over 1 billion Web requests) are processed each day across 16 data centers. Symantec also gathers phishing information through an extensive antifraud community of enterprises, security vendors, and over 50 million consumers.

These resources give Symantec security analysts unparalleled sources of data with which to identify, analyze, and provide informed commentary on emerging trends in attacks, malicious code activity, phishing, and spam. This regional report discusses notable aspects of malicious activity that Symantec observed in Europe, the Middle East, and Africa (EMEA) in the second quarter of 2010 (April to June).

An important note about these statistics

The Symantec Global Intelligence Network uses automated systems to map the IP addresses of attacking systems to identify the country in which they are located. However, because attackers frequently use compromised systems situated around the world to launch attacks remotely, the location of the attacking systems may differ from the location of the attacker.

Highlights

- In EMEA, Germany was the top country for malicious activity during this quarter, accounting for 13 percent of the global total.
- In EMEA, the top Web-based attack for the quarter was related to malicious PDF activity, which accounted for 42 percent of the total.
- Globally, credit card information was the most commonly advertised item for sale on underground economy servers known to Symantec in this quarter, accounting for 28 percent of all goods and services.
- Symantec created 457,641 new malicious code signatures during this quarter from all worldwide sources of data.
- In EMEA, the most common malicious code sample by potential infections during this quarter was the Sality.AE virus.
- Globally, Symantec observed 12.7 trillion spam messages during this quarter, accounting for approximately 89 percent of all messages observed.
- Globally, the majority of brands used in phishing attacks this quarter were in the financial sector, which accounted for 73 percent.

Metrics

Malicious activity by country

This metric assesses the countries in which the highest amount of malicious activity took place or originated in EMEA during this quarter. Rankings are determined by calculating the average of the proportion of malicious activity that originated in each country. Germany was the top ranked country in EMEA for malicious activity this quarter, accounting for 13 percent of the total (table 1). Within specific category measurements, Germany ranked first in phishing website hosts and bots.

Table 1. Malicious activity by country, EMEA

The United Kingdom had the second highest amount of malicious activity in EMEA this quarter, accounting for 9 percent of the total. Within specific category measurements, the United Kingdom ranked first in attack origin.

Top Web-based attacks

This metric assesses the top distinct Web-based attacks that originate either from compromised legitimate sites or from malicious sites created to intentionally target Web users. In this quarter, the top Web-based attack was related to malicious PDF activity, which accounted for 42 percent of Web-based attacks (table 2). Attempts to download suspicious PDF documents were specifically observed. This may indicate attempts by attackers to distribute malicious PDF content to victims via the Web. The attack is not directly related to a specific vulnerability, although the contents of the malicious file would be designed to exploit an arbitrary vulnerability in an application that processes it. This attack may be popular due to the common use and distribution of PDF documents on the Web and the practice of configuring browsers to render PDF documents automatically by default.
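The "Malicious activity by country" metric above ranks countries by the average of their share of each activity category, with a separate first place noted per category. The following is an added example (not code from the report or from Symantec) that computes both from constructed sample counts; the category names follow the report, and the counts are invented for illustration.

```python
# Added example, not from the Symantec report: rank countries by the
# average of their per-category share of malicious activity, and find the
# country ranked first within each category. Counts are constructed sample
# data; only the category names come from the report.
from collections import defaultdict

# Constructed sample: raw event counts per category, per country.
SAMPLE_COUNTS = {
    "bots":           {"Germany": 400, "United Kingdom": 250, "France": 150, "Italy": 200},
    "phishing hosts": {"Germany": 300, "United Kingdom": 200, "France": 100, "Italy": 100},
    "attack origin":  {"Germany": 200, "United Kingdom": 450, "France": 150, "Italy": 200},
    "spam zombies":   {"Germany": 100, "United Kingdom": 100, "France": 400, "Italy": 150},
}


def category_shares(counts):
    """Convert raw counts into each country's proportion of a category's total."""
    shares = {}
    for category, per_country in counts.items():
        total = sum(per_country.values())
        shares[category] = {c: n / total for c, n in per_country.items()}
    return shares


def category_leaders(counts):
    """Country ranked first within each category measurement."""
    return {cat: max(per.items(), key=lambda kv: kv[1])[0]
            for cat, per in category_shares(counts).items()}


def overall_ranking(counts):
    """Average each country's share across all categories, highest first.

    Returns a list of (country, average share as a whole percent), ties
    broken alphabetically so the order is deterministic.
    """
    shares = category_shares(counts)
    sums = defaultdict(float)
    for per_country in shares.values():
        for country, share in per_country.items():
            sums[country] += share
    n_categories = len(shares)
    averaged = {c: s / n_categories for c, s in sums.items()}
    return sorted(((c, round(100 * v)) for c, v in averaged.items()),
                  key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for country, pct in overall_ranking(SAMPLE_COUNTS):
        print(f"{country:15s} {pct:3d}%")
    for cat, leader in category_leaders(SAMPLE_COUNTS).items():
        print(f"first in {cat}: {leader}")
```

Because every category is weighted equally, a country can lead the overall table without leading the category with the most raw events, which is why the report reads the overall rank and the per-category firsts as separate findings.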
Table 2. Top Web-based attacks, EMEA

The second most common Web-based attack this quarter was associated with the Microsoft Internet Explorer ADODB.Stream Object File Installation Weakness, which accounted for 33 percent of the total globally. The weakness allows attackers to install malicious files on vulnerable computers when users visit websites hosting an exploit. To carry out this attack, an attacker must exploit another vulnerability that bypasses Internet Explorer security settings, allowing the attacker to execute malicious files installed by the initial security weakness. This issue was published on August 23, 2003, and fixes have been available since July 2. The continued popularity of this Web-based attack may indicate that many computers running Internet Explorer have not been patched or updated and are running with this exposed weakness.

Underground economy servers: goods and services available for sale

This section discusses the most frequently advertised items for sale observed globally by Symantec on underground economy servers, which are online black market forums for the promotion and trade of stolen information and services. In this quarter, the most frequently advertised item observed on underground economy servers globally was credit card information, accounting for 28 percent of all goods (table 3). Prices for credit card information ranged from $1 to $30 depending on the type of card, the country of origin, and the amount of bundled personal information used for card holder verification. Symantec observed bulk purchase offers of 1,000 credit cards for $1,
(All currency in U.S. dollars.)

Table 3. Goods and services available for sale on underground economy servers, globally

The second most commonly advertised good on underground economy servers globally during this quarter was bank accounts, which accounted for 24 percent of all advertised goods. The advertised price for bank accounts ranged from $10 to $125, and bank balances ranged from $373 to $1.5 million.

Top malicious code samples

The most common malicious code sample by potential infections in EMEA during this quarter was the Sality.AE virus (table 4). This virus infects executable files on compromised computers and removes security applications and services. Once installed, it also attempts to download and install additional threats onto infected computers.

Table 4. Top malicious code samples, EMEA

The second ranked malicious code sample causing potential infections in EMEA during this quarter was Mabezat.B. This worm propagates by copying itself to any mapped or remote drives. It also attempts to copy itself to network shares by attempting to connect with weak passwords. The worm attempts to propagate through email, modifies the built-in Microsoft Windows CD burning feature to include the worm in burned CDs, and also encrypts numerous different file types.

Top phishing sectors

The majority of brands used in phishing attacks worldwide this quarter were in the financial services sector (table 5). These attacks accounted for 73 percent of the total reported phishing attacks observed globally by Symantec. The financial sector is commonly the largest sector targeted in phishing attacks because the various associated services are the most likely to yield data that could be directly used for financial gain. Many phishing attacks that spoof financial services brands will prompt users to enter credit card information or banking credentials into fraudulent sites. If these tactics are successful, the phishers can then capture and sell such information in the underground economy.

Table 5. Top phishing sectors

The second largest percentage of brands used in phishing attacks observed globally was in the ISP sector, accounting for 10 percent of the total number of phishing attacks reported this quarter. ISP accounts can be valuable to phishers because they may contain email accounts, Web-hosting space, and authentication credentials.

Overview: The Microsoft Help and Support Center Zero-day Vulnerability

On June 9, 2010, a third-party researcher reported a zero-day vulnerability affecting the Help and Support Center application in Windows Server 2003 and Windows XP. Help and Support Center is the default application used for handling access to online Microsoft Windows documentation. Documentation can be accessed directly through other applications such as Web browsers by using Help and Support Center protocol (HCP) URIs. When the application receives an HCP request, the requested file is checked against a whitelist to restrict untrusted sites from accessing unauthorised data. The reported vulnerability occurs because of a flaw in the way that the application handles errors while checking the whitelist. By adding specially crafted data to an HCP URI, the flaw can be manipulated to bypass the restrictions defined by the whitelist. This can result in unauthorised access to restricted help documents. The report included a proof-of-concept URI to demonstrate exploitation of the vulnerability. Limited, targeted attacks using the proof-of-concept code were confirmed in the wild by June 15.
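The flaw described above is an instance of a general failure mode: a whitelist check whose error path grants access instead of denying it. The following added example (not Microsoft's or Symantec's code, and not the actual Help and Support Center logic) contrasts a fail-open check with a fail-closed one for hcp-style URIs; the whitelist, the path prefix and the sample URIs are constructed for illustration.

```python
# Added example, not the Help and Support Center implementation: a
# document-path whitelist check written two ways. The vulnerable form
# treats any error during the check as "allowed" (fail-open), which is the
# class of mistake the report describes; the hardened form fails closed.
# ALLOWED_DOCS, the "/help/" prefix and the sample URIs are constructed.
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed whitelist of help documents a remote page may open.
ALLOWED_DOCS = {"/help/welcome.htm", "/help/topics/network.htm"}


def _normalise(uri):
    """Decode and canonicalise the path of an hcp://-style URI.

    Raises ValueError for anything that is not a clean, fully decoded path
    inside the help tree: wrong scheme, leftover percent-encoding (double
    encoding), embedded NULs, or traversal that escapes "/help/".
    """
    parts = urlsplit(uri)
    if parts.scheme != "hcp":
        raise ValueError("unexpected scheme")
    path = unquote(parts.path)
    if "%" in path or "\x00" in path:
        raise ValueError("undecoded or embedded-null data in path")
    canonical = posixpath.normpath(path)
    if not canonical.startswith("/help/"):
        raise ValueError("path escapes the help tree")
    return canonical


def is_allowed_fail_open(uri):
    """VULNERABLE: an error while checking is treated as 'allowed'."""
    try:
        return _normalise(uri) in ALLOWED_DOCS
    except ValueError:
        return True  # the bug: the error path grants access


def is_allowed_fail_closed(uri):
    """HARDENED: an error while checking means the request is denied."""
    try:
        return _normalise(uri) in ALLOWED_DOCS
    except ValueError:
        return False


# Constructed inputs: a legitimate document, a traversal outside the help
# tree, a double-encoded path, and a non-hcp scheme.
SAMPLES = [
    "hcp://services/help/welcome.htm",
    "hcp://services/help/topics/../../secret/config.htm",
    "hcp://services/help/%252e%252e/secret/config.htm",
    "http://evil.example/help/welcome.htm",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{uri}\n  fail-open: {is_allowed_fail_open(uri)}"
              f"  fail-closed: {is_allowed_fail_closed(uri)}")
```

Only the first sample should be allowed. The fail-open version admits every malformed input because each one raises inside the check, which is exactly the behaviour a whitelist must never have; when reviewing any allow-list logic, the question to ask of every exception handler and early return is what it answers when the input could not be parsed.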
An attacker can exploit this issue by enticing a victim to follow a malicious URI. A successful attack would grant the attacker unauthorised access to restricted help documents on the victim's computer. The attack could be combined with exploits of other vulnerabilities, such as the Microsoft Help and Support Center sysinfo/sysinformation.htm cross-site scripting weakness, to execute malicious code on the target computer. An attacker who successfully exploits this issue can gain control of target computers and carry out additional malicious activities, such as stealing confidential information or using the victimised computers to send spam.

On June 10, Microsoft released a security advisory acknowledging that it was aware of the report and was investigating the issue. Microsoft is currently developing a security update to address the vulnerability; in the interim, an automated workaround is available immediately to mitigate the vulnerability by unregistering HCP.

Overview: The Adobe Flash Zero-day Vulnerability

On June 4, 2010, Adobe issued a security bulletin indicating that it had received reports of the exploitation of an unpatched, previously unknown zero-day vulnerability affecting its Flash Player application. As security researchers scrambled to identify the problem, knowledge of the bug spread to more attackers, slowly exacerbating the situation. With limited mitigations available, security vendors were under pressure to release detections and mitigation procedures, and the vendor was under pressure to create, test, and distribute an out-of-band patch.

Timeline

- June 4, 2010: Adobe receives information that an unknown, unpatched issue exists in Flash Player.
- June 4, 2010: Symantec issues BID 40586.
- June 4, 2010: Adobe issues security advisory APSA10-01.
- June 7, 2010: Adobe indicates that its quarterly security update, regularly scheduled for July 13, would be pushed up to June 29 for Adobe Reader and to July 10 for Flash Player.
- June 10, 2010: The Metasploit Project publishes a reliable public exploit.
- June 10, 2010: Adobe provides an update for Flash Player; Reader is still vulnerable.
- June 14, 2010: Symantec analysts identify a link between this vulnerability and the IEPeers targeted attacks, and possibly other targeted attacks, from as far back as 2008.
- June 29, 2010: Adobe issues an update for Reader.

Vulnerability

The bug is a class of vulnerability referred to as an invalid or dangling pointer (exploitation details can be found on the Symantec Security Response blog). Discovering these bugs using binary static analysis is difficult, but not impossible. (Static analysis is a technique for software verification that relies on analyzing the application without executing it.) The Flash file used in this attack came from a public source and it is highly unlikely that the file was originally intended to be malicious. However, a specific, single-byte modification to the file results in an easily exploitable condition. There is a high possibility that this bug was found using a fuzzer tool. (Fuzzers test an application for buffer overflows, format string vulnerabilities, and other errors that can subsequently be exploited.)

Vulnerabilities in Flash are valuable to attackers. Flash is prolific and there are versions for virtually every browser on all major operating systems. The wide distribution of Flash, combined with the number of affected operating systems, makes it an appealing target for attackers. The return on investment for this vulnerability is very high, especially if it was discovered using a fuzzer, because this often requires less time investment on the attacker's part. An exploitable weakness in Reader is also highly attractive to attackers because Reader is widely used for rendering PDF files and PDFs can contain embedded content. For example, Reader can render an embedded Flash file inside a PDF. Unlike JavaScript, there is currently no easy way to disable Flash from the user interface in Reader, which means the process of mitigating a Flash vulnerability in Reader is difficult for less technical users.

Attacks

Upon initial disclosure of the vulnerability, Symantec identified two cases in the wild that exploited Web and PDF documents, respectively. While these attacks exploited the same vulnerability, they did so in different products, with each having a separate, specific goal. Both attacks appeared to use the same malicious Flash file, with only slight variation (the Flash file had to be tweaked slightly to be used either in a PDF or in a Web browser). Although they appeared to use the same Flash file, each attack delivered a unique piece of malicious code, using radically different pieces of shellcode. (A shellcode is an assembly language program that executes a shell; shellcode can be used as an exploit payload.)

PDF-based attack

While a good file format exploit (a software exploit that makes use of a maliciously crafted file in a format used by the affected application) will replace the malicious document with a benign one post-exploitation, this particular PDF attack made no such attempt. This could be a sign that the attacker was either not very sophisticated or was not concerned about the vulnerability being discovered and fixed. An unpatched vulnerability is a commodity for an attacker. There is a correlation between the number of people that know about an unpatched vulnerability and the value that it has. For example, an unpatched vulnerability that is exploitable and known by only a select few people has high value, while conversely, a vulnerability that is known by many and readily patched has low value. Often, once a bug is publicly known and more attackers gain access to it, there will be a surge of attacks that attempt to exploit any remaining unpatched systems. These attacks often lack the finesse of the original, with less regard for protecting the vulnerability because it is already well known (at least to more knowledgeable users).

The shellcode in this attack made use of return oriented programming (ROP) techniques to disable Data Execution Prevention (DEP) on Windows XP systems, indicating some technical prowess. The malicious PDF was delivered to victims as an email attachment, while the message was crafted to lure the victim into opening the attached malicious PDF. The malicious code installed by the PDF attack was unremarkable. It provided a rudimentary backdoor to attackers, but did not include direct functionality to harvest credentials or obtain sensitive information in an automated fashion.

Web-based attack

The Web-based attack was tailored toward users of Microsoft Internet Explorer. While the bug could be used against any browser that supports Flash, due to the nature of the vulnerability, making it work on different browsers required additional modifications. The way the Web-based attack was written implied a greater desire to protect the vulnerability. Whoever developed the shellcode implemented a number of checks to ensure that the application terminated quickly and without generating a crash report, to leave few traces about the nature of the bug. Interestingly, high-quality exploits are usually those that attempt to continue execution of the application uninterrupted. An application that terminates immediately after loading a new file usually indicates that there is something amiss. Additionally, unlike the PDF-based attack, the shellcode did not attempt to disable DEP.

The IEPeers-targeted attack link

The shellcode used in the Web-based attack is eerily similar to that used in the targeted attacks against the Microsoft Internet Explorer iepeers.dll Remote Code Execution Vulnerability, which occurred in March 2010, and in the targeted attacks against the Microsoft Internet Explorer XML Handling Remote Code Execution Vulnerability. The only major differences in this shellcode appeared to be reliability enhancements. Attackers sharing and reusing shellcode is common and often not a definitive sign of the same exploit author; however, there are some convincing similarities in the malicious code used in the two attacks. For example, once a computer is compromised, the malicious code injects a DLL file named wshipm.dll into applications such as Internet Explorer, Firefox, and Outlook. Comparing this file at the binary level with the DLL that is used in the IEPeers targeted attack shows a number of distinct similarities in the source code. This lends credibility to the possibility that the malicious code in this attack is a derivative of the same malicious code used in the IEPeers targeted attacks. Whoever wrote the code for this attack definitely had access to the source code for portions of the malicious code used in the IEPeers targeted attack.
As with the IEPeers attack, sensitive information can be harvested from the exploited applications and sent to the attacker in a remote location.

Conclusion

While these attacks exploited the same vulnerability, they did so in different ways with different agendas. The Web-based attack appears to be more tailored to obtaining sensitive information, while the PDF-based attack simply provided limited backdoor functionality, possibly for building a bot network or for the later distribution of additional malicious code. The Web-based attack appears to have been much more targeted and is far more sophisticated in both its attempts to hide the vulnerability and its post-exploitation activity.

Overview: The Month of PHP Security

The disclosure of security vulnerabilities in software has historically been a contentious topic between security researchers and software vendors. Vendors often do not want to publicly discuss security problems in their products on the chance that doing so will harm sales, make customers unhappy, and give hackers a vector to target with an exploit. Security researchers, even those who practice responsible disclosure, often feel frustration that vendors reveal few of the details about vulnerabilities, or hold the perception that some vendors do not take security seriously.

In 2006, the first Month of Bugs project was launched as a way to increase awareness of security vulnerabilities in Web browsers. The Month of Browser Bugs was a series of exploits published every day for a month against Internet Explorer, Mozilla Firefox, Apple Safari, and Opera. This project helped bring some publicity to browser security and may have impelled vendors into fixing the issues faster than they normally would have. Other researchers have since used this strategy to help improve the security of various technologies; this includes the Month of Kernel Bugs, the Month of Apple Bugs, and the Month of PHP Bugs.

The latest installment, in May 2010, was the Month of PHP Security (MoPS). The purpose of MoPS was to improve the security of PHP and the PHP ecosystem by disclosing vulnerabilities in PHP and PHP applications. The result was the disclosure of 60 security issues and the publication of a number of additional articles about PHP application security or tools specific to PHP security. Notably, the majority of the disclosed issues are not considered exploitable vulnerabilities, because a developer essentially must "attack themselves." Most of the issues involved interrupting internal functions by using a deprecated feature known as call-time pass-by-reference. These bugs require that the "allow_call_time_pass_reference" configuration option is enabled, that an attacker has local access to his or her Web server, and that the server is configured to permit the execution of custom code.

Of the remaining issues, 10 apply to applications that use PHP:

- Campsite is prone to an SQL-injection vulnerability affecting the 'article_id' parameter.
- ClanSphere is prone to SQL-injection vulnerabilities that affect the CAPTCHA generator and the MySQL driver.
- Clantiger is prone to an SQL-injection vulnerability affecting the 's_ ' parameter.
- DeluxeBB is prone to an SQL-injection vulnerability affecting the 'memberid' cookie parameter.
- efront is prone to an SQL-injection vulnerability affecting the 'chatrooms_id' parameter.
- Xinha and Serendipity are prone to a vulnerability that permits attackers to upload arbitrary files.
- Cacti is prone to an SQL-injection vulnerability affecting the 'rra_id' parameter.
- CMSQlite is prone to an SQL-injection vulnerability and a local file-include vulnerability.
- e107 is prone to an SQL-injection vulnerability and a vulnerability that allows attackers to execute arbitrary PHP code.

The most serious of these issues is the arbitrary PHP code-execution vulnerability against e107, a popular content manager. Proofs-of-concept are available and the issue has not yet been patched by the vendor. Administrators of e107-based sites should disable bbcode functionality until a vendor patch is available. At the very least, restrict access to trusted networks, deploy network intrusion detection, and be sure only to run the application as a non-privileged user.

In PHP itself, four vulnerabilities were reported:

- An integer-overflow vulnerability affects the 'php_dechunk()' function. This function is used to decode remote HTTP chunked encoding streams. To exploit the issue, a PHP script must interact with a malicious Web server and
- Multiple vulnerabilities that allow code execution affect the PHP sqlite module. The vulnerabilities reside in the 'sqlite_single_query()' and 'sql_array_query()' functions, and can be triggered if the 'rres' resource is not properly initialised before it is used.
- Multiple format-string vulnerabilities affect the PHP 'phar' extension. The phar extension gives developers a way to place entire PHP applications into a single file, i.e., a PHP archive. The vulnerabilities affect several functions within the extension that supply unsafe data to the core 'php_stream_wrapper_log_error()' function. PHP has addressed these issues with patches applied to the project's SVN repository.
- Multiple vulnerabilities affect the PHP 'Mysqlnd' extension. This native driver extension is a replacement for the MySQL client library libmysql. The four reported vulnerabilities consist of three buffer-overflow vulnerabilities and an information-disclosure issue that lets attackers harvest the contents of heap-based memory.

Only the issues affecting the 'phar' extension have been addressed by PHP so far. PHP administrators should implement the following mitigations:

- Run PHP with the least privileges possible.
- Deploy NIDS to monitor network traffic for signs of malicious activity.
- Implement non-executable and randomly mapped memory segments if possible.
- Restrict access to PHP-based sites to trusted networks and computers only.

PHP servers can be made more secure in general by disabling global variables, using a chroot jail, and restricting file uploads.
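Most of the application issues listed above are SQL injection through a single request parameter ('article_id', 'memberid', 'rra_id' and so on). The following added example (not from the report or from any of the PHP projects it names) shows the defect and the fix in Python against an in-memory SQLite database so it runs offline; the schema, rows and parameter values are constructed for illustration, and the pattern is the same one a PHP application would apply with prepared statements.

```python
# Added example, not from the report or the named PHP projects: the SQL
# injection pattern behind parameters such as 'article_id', shown in Python
# with an in-memory SQLite database. Table, rows and inputs are constructed.
import sqlite3


def make_db():
    """Constructed sample data: one published article and one unpublished draft."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE articles (id INTEGER, title TEXT, published INTEGER)")
    con.executemany("INSERT INTO articles VALUES (?, ?, ?)", [
        (1, "Public notice", 1),
        (2, "Draft: unreleased results", 0),
    ])
    return con


def article_titles_vulnerable(con, article_id):
    """VULNERABLE: the request parameter is pasted into the SQL text.

    A value such as "2 OR 1=1" changes the query's structure, so the
    'published = 1' restriction no longer applies to every row.
    """
    sql = (f"SELECT title FROM articles WHERE id = {article_id} "
           f"AND published = 1 ORDER BY id")
    return [row[0] for row in con.execute(sql)]


def article_titles_safe(con, article_id):
    """HARDENED: the value is validated as an integer and bound as a
    parameter, so the database never interprets it as SQL."""
    try:
        aid = int(article_id)
    except (TypeError, ValueError):
        return []  # reject anything that is not an article id
    sql = "SELECT title FROM articles WHERE id = ? AND published = 1 ORDER BY id"
    return [row[0] for row in con.execute(sql, (aid,))]


if __name__ == "__main__":
    db = make_db()
    for value in ("1", "2", "2 OR 1=1"):
        print(f"article_id={value!r}")
        print("  vulnerable:", article_titles_vulnerable(db, value))
        print("  safe:      ", article_titles_safe(db, value))
```

With the constructed input "2 OR 1=1" the vulnerable query returns the unpublished draft alongside the public notice, while the hardened query returns nothing because the value is not an integer; the same binding discipline, rather than escaping, is what closes each of the parameter-based issues in the list above.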
Credits

Marc Fossi, Executive Editor, Manager, Development
Dean Turner, Director, Global Intelligence Network
Amanda Andrews, Editor
Eric Johnson, Editor
Trevor Mack, Editor
Téo Adams, Threat Analysis Engineer
Joseph Blackbird, Threat Analyst
Brent Graveland, Threat Analyst
Darren Kemp, Threat Analyst
Debbie Mazurek, Threat Analyst

About Symantec

Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored.

For specific country offices and contact numbers, please visit our website.

Symantec World Headquarters, 350 Ellis St., Mountain View, CA, USA

Symantec helps organizations secure and manage their information-driven world with security management, endpoint security, messaging security and application security solutions.

Copyright 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. NO WARRANTY. The information in this document is being delivered to you AS-IS and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the information contained herein is at the risk of the user. This document may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice.
Protecting the Infrastructure: Symantec Web Gateway
Protecting the Infrastructure: Symantec Web Gateway 1 Why Symantec for Web Security? Flexibility and Choice Best in class hosted service, appliance, and virtual appliance (upcoming) deployment options
2012 North Dakota Information Technology Security Audit Vulnerability Assessment and Penetration Testing Summary Report
2012 North Dakota Information Technology Security Audit Vulnerability Assessment and Penetration Testing Summary Report 28 September 2012 Submitted to: Donald Lafleur IS Audit Manager ND State Auditor
Symantec Global Internet Security Threat Report Trends for 2009. Volume XV, Published April 2010
Symantec enterprise security Symantec Global Internet Security Threat Report Trends for 2009 Volume XV, Published April 2010 Marc Fossi Executive Editor Manager, Development Security Technology and Response
Microsoft Security Intelligence Report volume 7 (January through June 2009)
Microsoft Security Intelligence Report volume 7 (January through June 2009) Key Findings Summary Volume 7 of the Microsoft Security Intelligence Report provides an in-depth perspective on malicious and
2016 Trends in Cybersecurity: A Quick Guide to the Most Important Insights in Security
2016 Trends in Cybersecurity: A Quick Guide to the Most Important Insights in Security For 10 years, Microsoft has been studying and analyzing the threat landscape of exploits, vulnerabilities, and malware.
Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities Protecting a business s IT infrastructure is complex. Take, for example, a retailer operating a standard multi-tier infrastructure
How To Manage Web Content Management System (Wcm)
WEB CONTENT MANAGEMENT SYSTEM February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in
Windows Remote Access
Windows Remote Access A newsletter for IT Professionals Education Sector Updates Issue 1 I. Background of Remote Desktop for Windows Remote Desktop Protocol (RDP) is a proprietary protocol developed by
VALIDATING DDoS THREAT PROTECTION
VALIDATING DDoS THREAT PROTECTION Ensure your DDoS Solution Works in Real-World Conditions WHITE PAPER Executive Summary This white paper is for security and networking professionals who are looking to
Basic Security Considerations for Email and Web Browsing
Basic Security Considerations for Email and Web Browsing There has been a significant increase in spear phishing and other such social engineering attacks via email in the last quarter of 2015, with notable
Penetration Testing Report Client: Business Solutions June 15 th 2015
Penetration Testing Report Client: Business Solutions June 15 th 2015 Acumen Innovations 80 S.W 8 th St Suite 2000 Miami, FL 33130 United States of America Tel: 1-888-995-7803 Email: [email protected]
SECURITY TERMS: Advisory Backdoor - Blended Threat Blind Worm Bootstrapped Worm Bot Coordinated Scanning
SECURITY TERMS: Advisory - A formal notice to the public on the nature of security vulnerability. When security researchers discover vulnerabilities in software, they usually notify the affected vendor
THREAT VISIBILITY & VULNERABILITY ASSESSMENT
THREAT VISIBILITY & VULNERABILITY ASSESSMENT Date: April 15, 2015 IKANOW Analysts: Casey Pence IKANOW Platform Build: 1.34 11921 Freedom Drive, Reston, VA 20190 IKANOW.com TABLE OF CONTENTS 1 Key Findings
IBM Advanced Threat Protection Solution
IBM Advanced Threat Protection Solution Fabio Panada IBM Security Tech Sales Leader 1 Advanced Threats is one of today s key mega-trends Advanced Threats Sophisticated, targeted attacks designed to gain
INDUSTRIAL CONTROL SYSTEMS CYBER SECURITY DEMONSTRATION
INDUSTRIAL CONTROL SYSTEMS CYBER SECURITY DEMONSTRATION Prepared for the NRC Fuel Cycle Cyber Security Threat Conference Presented by: Jon Chugg, Ken Rohde Organization(s): INL Date: May 30, 2013 Disclaimer
Symantec Advanced Threat Protection: Network
Symantec Advanced Threat Protection: Network Data Sheet: Advanced Threat Protection The Problem Today s advanced attacks hide themselves on legitimate websites, leverage new and unknown vulnerabilities,
Symantec Protection Suite Add-On for Hosted Email and Web Security
Symantec Protection Suite Add-On for Hosted Email and Web Security Overview Your employees are exchanging information over email and the Web nearly every minute of every business day. These essential communication
Cyber Essentials Scheme
Cyber Essentials Scheme Requirements for basic technical protection from cyber attacks June 2014 December 2013 Contents Contents... 2 Introduction... 3 Who should use this document?... 3 What can these
Technology Blueprint. Protect Your Email Servers. Guard the data and availability that enable business-critical communications
Technology Blueprint Protect Your Email Servers Guard the data and availability that enable business-critical communications LEVEL 1 2 3 4 5 SECURITY CONNECTED REFERENCE ARCHITECTURE LEVEL 1 2 4 5 3 Security
Comparison of Firewall, Intrusion Prevention and Antivirus Technologies
White Paper Comparison of Firewall, Intrusion Prevention and Antivirus Technologies How each protects the network Juan Pablo Pereira Technical Marketing Manager Juniper Networks, Inc. 1194 North Mathilda
S E C U R I T Y A S S E S S M E N T : B o m g a r B o x T M. Bomgar. Product Penetration Test. September 2010
S E C U R I T Y A S S E S S M E N T : B o m g a r B o x T M Bomgar Product Penetration Test September 2010 Table of Contents Introduction... 1 Executive Summary... 1 Bomgar Application Environment Overview...
Secure Your Mobile Workplace
Secure Your Mobile Workplace Sunny Leung Senior System Engineer Symantec 3th Dec, 2013 1 Agenda 1. The Threats 2. The Protection 3. Q&A 2 The Mobile Workplaces The Threats 4 Targeted Attacks up 42% in
Symantec Brightmail Gateway Real-time protection backed by the largest investment in security infrastructure
Real-time protection backed by the largest investment in security infrastructure Overview delivers inbound and outbound messaging security, with effective and accurate real-time antispam and antivirus
KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com
KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES www.kaspersky.com EXPERT SERVICES Expert Services from Kaspersky Lab are exactly that the services of our in-house experts, many of them global
The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.
This sample report is published with prior consent of our client in view of the fact that the current release of this web application is three major releases ahead in its life cycle. Issues pointed out
Fighting Advanced Threats
Fighting Advanced Threats With FortiOS 5 Introduction In recent years, cybercriminals have repeatedly demonstrated the ability to circumvent network security and cause significant damages to enterprises.
Why Web Applications are making a hackers life easy. Presented by Jon Grew BT SBS
Why Web Applications are making a hackers life easy. Presented by Jon Grew BT SBS Acknowledgements Ed Barlow Technical Director EMEA Ed sends his apologies. The following presentation is based on the talk
Post-Stuxnet Industrial Security: Zero-Day Discovery and Risk Containment of Industrial Malware
Post-Stuxnet Industrial Security: Zero-Day Discovery and Risk Containment of Industrial Malware A White Paper presented by: Torsten Rössel Director of Business Development Innominate Security Technologies
Tracking Anti-Malware Protection 2015
Tracking Anti-Malware Protection 2015 A TIME-TO-PROTECT ANTI-MALWARE COMPARISON TEST Dennis Technology Labs www.dennistechnologylabs.com Follow @DennisTechLabs on Twitter.com This report aims to measure
Managing Web Security in an Increasingly Challenging Threat Landscape
Managing Web Security in an Increasingly Challenging Threat Landscape Cybercriminals have increasingly turned their attention to the web, which has become by far the predominant area of attack. Small wonder.
Streamlining Web and Email Security
How to Protect Your Business from Malware, Phishing, and Cybercrime The SMB Security Series Streamlining Web and Email Security sponsored by Introduction to Realtime Publishers by Don Jones, Series Editor
INSTANT MESSAGING SECURITY
INSTANT MESSAGING SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part
Security Practices for Online Collaboration and Social Media
Cisco IT Best Practice Collaboration Security Cisco on Cisco Best Practice Security Practices for Online Collaboration and Social Media January 2012 2013 Cisco and/or its affiliates. All rights reserved.
Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security
Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security Presented 2009-05-29 by David Strauss Thinking Securely Security is a process, not
PROTECT YOUR COMPUTER AND YOUR PRIVACY!
PROTECT YOUR COMPUTER AND YOUR PRIVACY! Fraud comes in many shapes simple: the loss of both money protecting your computer and Take action and get peace of and sizes, but the outcome is and time. That
SECURITY TRENDS & VULNERABILITIES REVIEW 2015
SECURITY TRENDS & VULNERABILITIES REVIEW 2015 Contents 1. Introduction...3 2. Executive summary...4 3. Inputs...6 4. Statistics as of 2014. Comparative study of results obtained in 2013...7 4.1. Overall
Why Digital Certificates Are Essential for Managing Mobile Devices
WHITE PAPER: WHY CERTIFICATES ARE ESSENTIAL FOR MANAGING........... MOBILE....... DEVICES...................... Why Digital Certificates Are Essential for Managing Mobile Devices Who should read this paper
The Dark Side of Trusting Web Searches From Blackhat SEO to System Infection
The Dark Side of Trusting Web Searches From Blackhat SEO to System Infection Trend Micro, Incorporated Marco Dela Vega and Norman Ingal Threat Response Engineers A Trend Micro Research Paper I November
Symantec Protection Suite Enterprise Edition for Servers Complete and high performance protection where you need it
Complete and high performance protection where you need it Overview delivers high-performance protection against physical and virtual server downtime with policy based prevention, using multiple protection
Insight. Security Response. Deployment Best Practices
Insight Deployment Best Practices Overview Symantec Insight is a reputation-based security technology that leverages the anonymous software adoption patterns of Symantec s hundreds of millions of users
WHITE PAPER. Understanding How File Size Affects Malware Detection
WHITE PAPER Understanding How File Size Affects Malware Detection FORTINET Understanding How File Size Affects Malware Detection PAGE 2 Summary Malware normally propagates to users and computers through
Secure and Safe Computing Primer Examples of Desktop and Laptop standards and guidelines
Secure and Safe Computing Primer Examples of Desktop and Laptop standards and guidelines 1. Implement anti-virus software An anti-virus program is necessary to protect your computer from malicious programs,
INSIDE. Malicious Threats of Peer-to-Peer Networking
Symantec Security Response WHITE PAPER Malicious Threats of Peer-to-Peer Networking by Eric Chien, Symantec Security Response INSIDE Background Protocols New Vector of Delivery Malicious Uses of Peer-to-Peer
ASL IT SECURITY XTREME XPLOIT DEVELOPMENT
ASL IT SECURITY XTREME XPLOIT DEVELOPMENT V 2.0 A S L I T S e c u r i t y P v t L t d. Page 1 Overview: The most dangerous threat is the one which do not have a CVE. Until now developing reliable exploits
Best Practices for Running Symantec Endpoint Protection 12.1 on the Microsoft Azure Platform
TECHNICAL BRIEF: BEST PRACTICES GUIDE FOR RUNNING SEP ON.... AZURE.................................... Best Practices for Running Symantec Endpoint Protection 12.1 on the Microsoft Azure Platform Who should
Five Tips to Reduce Risk From Modern Web Threats
Five Tips to Reduce Risk From Modern Web Threats By Chris McCormack, Senior Product Marketing Manager and Chester Wisniewski, Senior Security Advisor Modern web threats can infect your network, subvert
10 Things Every Web Application Firewall Should Provide Share this ebook
The Future of Web Security 10 Things Every Web Application Firewall Should Provide Contents THE FUTURE OF WEB SECURITY EBOOK SECTION 1: The Future of Web Security SECTION 2: Why Traditional Network Security
Cisco Advanced Services for Network Security
Data Sheet Cisco Advanced Services for Network Security IP Communications networking the convergence of data, voice, and video onto a single network offers opportunities for reducing communication costs
The Prevalence of Flash Vulnerabilities on the Web
TECHNICAL BRIEF FLASH FLOODING The Prevalence of Flash Vulnerabilities on the Web Adobe Flash Player is a cross-platform, browser plugin that provides uncompromised viewing of expressive applications,
Web Application Security 101
dotdefender Web Application Security Web Application Security 101 1 Web Application Security 101 As the Internet has evolved over the years, it has become an integral part of virtually every aspect in
Getting Ahead of Malware
IT@Intel White Paper Intel Information Technology Security December 2009 Getting Ahead of Malware Executive Overview Since implementing our security event monitor and detection processes two years ago,
Closing the Vulnerability Gap of Third- Party Patching
SOLUTION BRIEF: THIRD-PARTY PATCH MANAGEMENT........................................ Closing the Vulnerability Gap of Third- Party Patching Who should read this paper IT Managers who are trying to manage
Why should I care about PDF application security?
Why should I care about PDF application security? What you need to know to minimize your risk Table of contents 1: Program crashes present an opportunity for attack 2: Look for software that fully uses
Symantec Messaging Gateway powered by Brightmail
The first name in messaging security powered by Brightmail Overview, delivers inbound and outbound messaging security, with effective and accurate real-time antispam and antivirus protection, advanced
Securing OS Legacy Systems Alexander Rau
Securing OS Legacy Systems Alexander Rau National Information Security Strategist Sample Agenda 1 Today s IT Challenges 2 Popular OS End of Support & Challenges for IT 3 How to protect Legacy OS systems
Adobe Flash Player and Adobe AIR security
Adobe Flash Player and Adobe AIR security Both Adobe Flash Platform runtimes Flash Player and AIR include built-in security and privacy features to provide strong protection for your data and privacy,
ADVANCED THREATS IN THE ENTERPRISE. Finding an Evil in the Haystack with RSA ECAT. White Paper
ADVANCED THREATS IN THE ENTERPRISE Finding an Evil in the Haystack with RSA ECAT White Paper With thousands of workstations and servers under management, most enterprises have no way to effectively make
Web Application Security
E-SPIN PROFESSIONAL BOOK Vulnerability Management Web Application Security ALL THE PRACTICAL KNOW HOW AND HOW TO RELATED TO THE SUBJECT MATTERS. COMBATING THE WEB VULNERABILITY THREAT Editor s Summary
Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability
Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability WWW Based upon HTTP and HTML Runs in TCP s application layer Runs on top of the Internet Used to exchange
