It isn't every day you get to see what a real Trojan attack looks like.
When you do, there's seldom time to even take screenshots: you just want to get the heck out of Dodge.
But this time, while putting together material for our upcoming free workshop, I happened across a real attack and was able to record it.
If you've ever wondered what an attack looks like, here's your chance to see one.
Here's the best/worst part: nothing stopped it.
- Not our Internet Security Software.
- Not any of our browsers' built-in malware protection
- Not even Windows 10 built-in security.
See for yourself how it happened and what you can do to stop it.
We'll make this a quick update: go patch your Adobe Reader / Adobe Acrobat. Now.
In fact, don't even bother reading the rest of this 'til you've updated.
Here's where to get the latest versions:
OK, so if you're still reading, you must've patched your Acrobat / Reader.
If not, you're in, "big, big trouble," as Mom would say.
The Register gives the scoop on the Adobe critical update, saying,
We haven't yet seen the exploit ourselves, so we don't know if the latest antivirus software updates protect against it, but (again thanks to The Register) we do know:
"Version 9.4.6 of the programs fix two memory-corruption bugs that Adobe says are 'being actively exploited in limited, targeted attacks in the wild' against machines running Windows.
"The same bugs are present in Mac and Unix versions of the applications, but there are no reports of machines running them being exploited.
"The bugs are also present in Reader X for Windows, but a security sandbox, which Adobe added last year to minimize the damage that results from code flaws, prevents the attacks from working.
"...researchers from antivirus provider Symantec [maker of Norton Antivirus] warned that email-borne attacks exploiting the flaw to install the Backdoor.Sykipot were detected as early as November 1.
So, if Symantec has been aware of this for more than six weeks, chances are good their software--and that of the other top antivirus software makers--is already protecting against these exploits.
With that in mind, anytime I hear that vulnerabilities are being exploited in the wild, it means two things: update the affected software and double-check that my antivirus software is updated.
By now you've probably gotten notice, as I have, from at least one bank / credit card company / financial institution that Epsilon, the company it uses to send email messages to you, had a network breach.
Looking at even a short list of affected firms, Epsilon, a company most consumers have never heard of, appears to have (or to have had) a sizable portion of top banks in the U.S. amongst its client base.
But, it wasn't just banks that were hit.
It's just about every type of business imaginable, and chances are very, very, very high you've dealt with at least one of these companies. (Major hat tip to Brian Krebs of Krebs on Security, who has been doing a stellar job keeping the list of companies affected by the Epsilon break-in current as more are added.)
Companies Affected by the Epsilon Break-In (So Far)
Alright, so what's the big deal?
Well, for starters, it means spear-phishing risk for Y-O-U if you've ever had dealings with any of these firms.
While it's not yet perfectly clear what personal information was stolen from Epsilon, it's definitely clear that names and email addresses were. What also isn't clear is whether the names of the companies with which you have relationships were stolen too.
And, that's where a part of this becomes especially tricky.
If the spammers know you're a Target customer, for instance, and they know your name, and of course, your email, they can send you an email that looks perfectly like legitimate email from Target.
(N.B. We use Target only for illustrative purposes in this piece, not for any other reason. You can replace "Target" with the name of any of the other companies above with whom you've personally done business.)
Now imagine an email sent to firstname.lastname@example.org, addressed to YOU by name, and looking and sounding like it's coming from Target.
Imagine something like the following:
Subject: Get a $100 Target gift card... on us!
From: Target Stores <email@example.com>
Date: April 7, 2011
To: Nicole Campbell <firstname.lastname@example.org>
Thanks again for your recent Target purchase!
We're writing from the customer satisfaction division with a brief survey of your online or in-store shopping experience.
As a way of saying, "Thank you!" all survey participants will receive a free $100 gift card from Target for use anytime.
Click here to get started.
Your friends at Target and Target.com
And, here's where the scam is just unfolding.
Kroger, for instance, recently saw its customers lured by spam that apparently stemmed from the Epsilon breach.
Quoting Krebs's piece:
In most cases, the spam sent to customers of these companies pushed recipients to buy dodgy services and software.
In at least one attempt email recipients were pushed to buy Adobe Reader, which is free software.
Why? How are they making money if the software is free?
There's the catch: in most cases like these, you're not really buying anything, and here's what has happened:
You've just given the spammers/cyberthieves your credit card number and "permission" to charge your card. If you're lucky, they only charge your card for as much as you've given them permission to. If you're really lucky, they don't give you a virus or spyware to download instead of the real software.
Whatever the case, you may be facing a hefty credit card bill and some serious phone calls and letters to your credit card company to get them to absolve you of the charges.
Now, back to our Target example.
There are countless ways the spammers could spin things to get you to (a) give them your credit card number and/or (b) download a virus or spyware:
- You need our special free "survey software"
- Your browser needs a special free plug-in to take the survey
- You need to upgrade your Adobe Reader for $10 to take the survey to get the $100 gift card
The list could go on-and-on.
So here are the take home messages from the Epsilon break-in:
- Use your head when it comes to messages emailed to you
- Just because something is addressed to you and addresses you by your name, doesn't make it legit
- Does the email have "free" offers or ways to earn gifts or money for very little work?
- Were you expecting to receive the message? (If you just signed up to get coupons, and a coupon email comes five minute later, it's probably safe.)
- How are the grammar and spelling in it? Commonly the bad guys are overseas and their English is often imperfect, and other conventions are often different from ours.
Commonly you'll see a price in a scam email written as 35$ instead of $35 as is the convention here in the U.S.
- Are they asking you to "verify" anything? Let me tell you something: companies don't need you to verify anything. Ever. You got their email; they know who you are. An email asking for verification is almost certainly a scam.
These are just a few things to be on the lookout for. Most important of all, especially given the number of banks and credit card companies involved: never, ever, EVER type your Social Security number into a page you reached by clicking a link in an email.
I cannot even once think of a legitimate bank or credit card email requiring this.
And lastly, lest it go unsaid, use an Internet security suite. The best ones include good anti-phishing and malicious website filters.
While nothing is perfect, between the filters built into today's top web browsers and top Internet security software, you can offset the threat posed by scammers, the emails they send, and the sneaky websites they setup.
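Here is the checklist above turned into code. It's an added example written for this post, not anything from the original article or from Epsilon, Target, or Krebs; the sample message, its sender address, and its link target are constructed for illustration, and the brand domain (target.com) is passed in as an assumption about what a legitimate sender should look like. It parses the raw message with Python's standard email and html.parser modules and reports the tells: a From address outside the brand's domain, links that go to a bare IP address or some other domain, the "verify" wording, the free-reward pitch, and the 35$-style price.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the lure sketched above. The sender address,
# link target and domains are invented for illustration.
SAMPLE_EMAIL = """\
From: Target Stores <promo@target-rewards-center.com>
To: Nicole Campbell <firstname.lastname@example.org>
Subject: Get a $100 Target gift card... on us!
Content-Type: text/html

<html><body>
<p>Thanks again for your recent Target purchase!</p>
<p>Please <a href="http://198.51.100.7/survey">click here</a> to verify your
account and claim your gift card. A processing fee of 10$ applies.</p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two DNS labels: enough to tell target.com from target-rewards-center.com.
    (A production check would consult the Public Suffix List for co.uk and friends.)"""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def phishing_indicators(raw_message, brand_domain):
    """Return the reasons this message looks like a lure impersonating brand_domain."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. The display name says "Target"; where does the address really point?
    _display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    if registrable_domain(sender_domain) != brand_domain:
        findings.append(f"sender address {addr!r} is not under {brand_domain}")

    payload = msg.get_payload(decode=True)
    body = payload.decode("utf-8", "replace") if isinstance(payload, bytes) else str(payload)

    # 2. Every link should land on the brand's domain; a bare IP address is a red flag.
    extractor = LinkExtractor()
    extractor.feed(body)
    for href, _text in extractor.links:
        host = urlparse(href).hostname or ""
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
            findings.append(f"link points at a bare IP address: {host}")
        elif registrable_domain(host) != brand_domain:
            findings.append(f"link host {host!r} is not under {brand_domain}")

    # 3. Wording cues from the checklist above.
    text = msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)
    if re.search(r"\bverify\b", text, re.I):
        findings.append('asks you to "verify" something')
    if re.search(r"\b(?:free|gift card)\b", text, re.I):
        findings.append("dangles a free reward")
    if re.search(r"\b\d+\$", text):
        findings.append("price written as 35$ rather than $35")
    return findings


if __name__ == "__main__":
    for reason in phishing_indicators(SAMPLE_EMAIL, "target.com"):
        print("-", reason)
```

None of these checks is proof on its own (plenty of legitimate marketing mail is sent from a vendor's domain rather than the brand's), but a message that trips several of them at once is exactly the kind the Epsilon data lets a spammer craft.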
Now that researchers at places like Symantec (makers of Norton Antivirus), have had a chance to delve into the exploit, some theories are starting to come out about who's behind it.
Karthik Selvara, a researcher for Symantec says, in a Symantec blog,
While things had been quiet, we were quite certain that the gang behind Trojan.Hydraq hadn't gone away. It looks like they are back, as we've been seeing evidence of their attacks since January....
Where it gets interesting is in the dissection Karthik does.
He takes apart the various parts of the email, the social engineering, and the exploit itself, and lo and behold, the techniques are eerily similar.
The next quote is a little long, but given how concisely Symantec describes the exploit and attack, we'll let the Symantec blog speak for itself here:
If the above emails look familiar, it is because their style is very similar to the emails used in Hydraq (Aurora) attacks.
"In addition, the use of a zero-day within a PDF, and how the executable is dropped on the system, all match the Hydraq method of operation.
"Furthermore, we have seen a large number of detections of unique versions of the PDF--not yet seen elsewhere in the wild--coming from a single computer in the Shandong Province of China, which is how far back investigators were able to trace the Hydraq attacks. [Editor's Note: Emphasis mine.]
"All of these similarities could be coincidental, but these attacks appear to be from the same perpetrators.
"The PDFs inside all the above emails exploit the same Adobe zero-day vulnerability and each drop similar downloader components, but with different decoy PDFs. Some had different URLs to download additional malware.
Huh. Attacks based in China. Who would have guessed?
Frequent readers may recall a list we shared not long ago of the Top 10 Riskiest Domains by Extensions, where China placed third in this notorious list.
All in all, aside from the excellent analysis by Symantec's researchers, we'd also like to echo their equally sound suggestions about PDFs:
- keep your antivirus software up to date
- exercise caution when dealing with PDF files
One last note: all the major antivirus vendors are detecting this attack, with Norton flagging it as "Bloodhound.PDF!gen1" and "Bloodhound.Exploit.357".
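Since the advice is to be careful with PDFs, here is a small static triage check you can run on a file before opening it. It's an added example for this post, not Symantec's tooling or anything from the original article, and the two PDF byte strings in it are constructed stand-ins, not real exploit samples. It looks for the PDF names that turn a document into something that runs or drops code (/OpenAction, /JavaScript, /Launch, /EmbeddedFile and friends) and handles two tricks real samples use to hide them: hex escapes inside names (/Java#53cript) and FlateDecode-compressed streams. A hit is a reason to open the file in a sandboxed viewer or not at all, not proof of an exploit.

```python
import re
import zlib

# Constructed samples for illustration only; neither is a real exploit document.
# The "suspicious" one has an /OpenAction that runs JavaScript, with the action
# name hex-escaped (/Java#53cript) the way obfuscated samples often are, plus a
# /Launch action tucked inside a compressed stream.
_hidden = zlib.compress(b"<< /S /Launch /F (cmd.exe) >>")
SUSPICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /Java#53cript /JS (app.alert('hello')) >> endobj\n"
    b"4 0 obj << /Length " + str(len(_hidden)).encode() + b" /Filter /FlateDecode >>\n"
    b"stream\n" + _hidden + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

CLEAN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Names whose presence turns a static document into one that runs or drops code.
RISKY_NAMES = {
    b"/JavaScript": "embedded JavaScript",
    b"/JS": "JavaScript action",
    b"/OpenAction": "action runs as soon as the document opens",
    b"/AA": "additional (event-triggered) actions",
    b"/Launch": "launches an external program",
    b"/EmbeddedFile": "carries an embedded file",
    b"/RichMedia": "embeds Flash content",
}


def normalize_names(data):
    """Undo #xx hex escapes inside PDF names (/Java#53cript -> /JavaScript)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data):
    """Append the decompressed contents of FlateDecode streams so that names
    hidden inside them are visible to the keyword scan."""
    out = [data]
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate, or corrupt: the raw bytes are still scanned
    return b"\n".join(out)


def triage_pdf(data):
    """Return [(name, count, why)] for every risky name found in the document."""
    visible = normalize_names(inflate_streams(data))
    findings = []
    for name, why in RISKY_NAMES.items():
        # Negative lookahead keeps /JS from matching /JSomethingElse.
        count = len(re.findall(re.escape(name) + rb"(?![A-Za-z])", visible))
        if count:
            findings.append((name.decode(), count, why))
    return findings


if __name__ == "__main__":
    for name, count, why in triage_pdf(SUSPICIOUS_PDF):
        print(f"{name:<14} x{count}  {why}")
```

Most PDFs you receive will produce no hits at all; a document that combines /OpenAction with /JS or /Launch, and especially one that needed hex escapes or compression to hide those names, is the kind of lure the Hydraq-style emails above carried.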
September is proving to be a busy month for the bad guys. Aside from the latest email worm, dubbed W32/VBMania@MM by McAfee, Adobe software is also being exploited by cyber criminals.
This latest bug (CVE-2010-2883), rated "Critical," Adobe's highest severity rating, affects Adobe Reader / Acrobat versions 9.3.4 and earlier on the following platforms:
- Microsoft Windows
- Apple Macintosh
According to Adobe, there are mitigation techniques available for Windows users, though an upgrade is definitely a better choice. Their official announcement warns,
"Current exploits in the wild target the Windows platform. Customers using Adobe Reader or Acrobat 9.3.4 or earlier on Windows can utilize Microsoft's Enhanced Mitigation Evaluation Toolkit (EMET) to help prevent this vulnerability from being exploited.
"For more information on EMET and implementing this mitigation, please refer to the Microsoft Security Research and Defense blog. Note that due to the time-sensitive nature of this issue, testing of the functional compatibility of this mitigation has been limited.
"Therefore, we recommend that you also test the mitigation in your environment to minimize any impact on your workflows.
Possible effects of the exploit?
This vulnerability (CVE-2010-2883) could cause a crash and potentially allow an attacker to take control of the affected system, so, unless you have some very good reason not to upgrade your Adobe Acrobat/Reader immediately, you should.
For more details, here's a post from Sophos on Adobe Acrobat/Reader exploit and the official Adobe Reader/Acrobat security announcement.
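Checking your version is only useful if you compare it correctly, and the classic mistake is comparing version strings as text, where "9.10.0" sorts before "9.4.6". The following added example (written for this post, not Adobe's own tooling) encodes the two thresholds quoted on this page, 9.3.4 and earlier for CVE-2010-2883 and the 9.4.6 fix for the December 2011 bugs on the 9.x branch, and runs a constructed inventory of installed products through them. The product names and the inventory itself are assumptions, the kind of list you'd pull from the Windows uninstall registry keys or an asset report.

```python
import re

# Advisory thresholds as quoted on this page (a constructed structure, not Adobe's feed):
#  - CVE-2010-2883: Reader/Acrobat 9.3.4 and earlier are affected.
#  - The December 2011 memory-corruption bugs: fixed in 9.4.6 on the 9.x branch
#    (Reader X also contains them, but the page notes its sandbox blocks the attacks).
ADVISORIES = [
    {"id": "CVE-2010-2883",
     "products": {"Adobe Reader", "Adobe Acrobat"},
     "max_affected": "9.3.4"},
    {"id": "Reader/Acrobat 9.4.6 update (Dec 2011)",
     "products": {"Adobe Reader", "Adobe Acrobat"},
     "major": 9, "fixed_in": "9.4.6"},
]


def parse_version(text):
    """'9.3.4' -> (9, 3, 4, 0). Tuples of ints compare correctly; strings do not
    ('9.10.0' < '9.4.6' as text, which would hide an up-to-date install or,
    worse, an out-of-date one)."""
    nums = [int(p) for p in re.findall(r"\d+", text)]
    if not nums:
        raise ValueError(f"no version number in {text!r}")
    return tuple((nums + [0, 0, 0, 0])[:4])


def is_affected(product, version, adv):
    """True if this installed (product, version) falls inside the advisory's range."""
    if product not in adv["products"]:
        return False
    v = parse_version(version)
    if "major" in adv and v[0] != adv["major"]:
        return False
    if "fixed_in" in adv:
        return v < parse_version(adv["fixed_in"])
    return v <= parse_version(adv["max_affected"])


def needs_patch(installed):
    """installed: iterable of (product, version).
    Returns {(product, version): [advisory ids]} for everything that must be updated."""
    report = {}
    for product, version in installed:
        hits = [adv["id"] for adv in ADVISORIES if is_affected(product, version, adv)]
        if hits:
            report[(product, version)] = hits
    return report


# Constructed inventory; in practice this comes from the registry or an asset list.
INSTALLED = [
    ("Adobe Reader", "9.3.4"),
    ("Adobe Acrobat", "9.4.5"),
    ("Adobe Reader", "9.4.6"),
    ("Adobe Reader", "10.1.1"),
]

if __name__ == "__main__":
    for (product, version), ids in needs_patch(INSTALLED).items():
        print(f"{product} {version}: patch for {', '.join(ids)}")
```

The 10.1.1 entry is deliberately left alone by the second advisory because the page says Reader X's sandbox stops the exploit; if you'd rather treat "contains the bug" as "needs the patch", drop the "major" key and it will be flagged too.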
Adobe issued a couple of critical patches this month to its Flash, Acrobat, and Adobe Reader products including one today for its Acrobat and Adobe Reader programs.
Adobe Acrobat & Adobe Reader Flaws and Upgrade/Patch
As for Adobe Reader as of the writing of this piece, the latest version of Adobe Reader is:
Here's how you can check your version and what you should see:
These security flaws in Acrobat and Reader--and Adobe's handling of them--have had fairly widespread discussion, including coverage at Kaspersky's Threatpost security blog.
Kaspersky's Ryan Naraine in his piece about the Adobe security patches says,
The PDF hack, when combined with clever social engineering techniques, could potentially allow code execution attacks if a user simply opens a rigged PDF file.
What makes this particular set of updates so important is the number of different systems affected. Some antivirus software may offset some of the threats these flaws pose, but it's not worth the risk.
It's already clear that exploits in the wild are taking advantage of these security holes, and if you're running Flash, Reader, or Acrobat (as about 95% of computers do), your computer may be susceptible regardless of what type of system you run--even a Mac.
Adobe Flash Player Flaws and Upgrade/Patch
The Flash Player (and the upgrade, of course) and Adobe Reader are free and only take a minute to install. (Adobe Acrobat isn't free but the security patch is.)
Here's the official Version Test for Adobe Flash Player.
On that page, you'll see what version of Flash Player you're running. As of the writing of this piece, the latest version for all systems is:
Don't take our word for it though, here's the official version information page for the Adobe Flash Player
Here's what the page looks like when it tests for your version of Flash Player (click the image below for a larger version plus our notes):
It's worth mentioning in our tests of the newest version of Flash Player, a reboot was sometimes recommended and other times not; regardless of whether or not you're prompted to reboot, it certainly won't hurt.
It's getting more commonplace these days for a bug to be a security issue on different kinds of computers--not just PCs--but in these particular cases, just about every system was affected. Here's a breakdown of the affected programs and systems:
Program / Affected Versions / Affected Systems
Adobe Flash Player
Let's cut to the chase: patch your Adobe Shockwave. There are four different critical vulnerabilities in the Adobe Shockwave Player that let an attacker remotely execute code of their choosing on your PC.
Vulnerability cause, and why it matters:
- an invalid index when handling certain Shockwave content, which could be exploited to execute arbitrary code by tricking a user into visiting a specially crafted web page
- an invalid pointer when processing certain Shockwave content, which could be exploited to execute arbitrary code by tricking a user into visiting a specially crafted web page
- an invalid pointer when handling certain Shockwave content, which could be exploited to execute arbitrary code by tricking a user into visiting a specially crafted web page
- a memory corruption related to string processing, which could be exploited to execute arbitrary code by tricking a user into visiting a specially crafted web page
It isn't clear how much these threats can be mitigated by Internet security software; typically the web filtering in a good suite does help against drive-by attacks of this type, but it is no substitute for the patch.
Whatever the case, please take a minute now and update your Shockwave Player. It's worth the time to eliminate this simple-to-exploit attack vector.
Ever read .PDFs or watch something in Flash?
Most people do. In fact, something like 99% of all computers have Flash installed, and a huge portion have Acrobat Reader, too.
If you're in that 99% pool, you're probably vulnerable: roughly 80% of all computers still are, according to Internet security firm Trusteer.
A couple of weeks ago, we covered the Flash / Acrobat Reader Security Advisory, and now there's more warning on WebProNews about the same Flash / Acrobat vulnerabilities.
In the posting there by Chris Crum he quotes Trusteer's CEO, Mickey Boodaei, as saying,
"Adobe is facing some major security challenges and one of its biggest hurdles is its software update mechanism.
"For some reason, it is not effective enough in distributing security patches to the field.
"Given the lack of attention this situation has received to date, it appears that few people understand the magnitude of the problem. We recommend that all enterprises and individuals install the latest Flash and Acrobat updates immediately.
[Editor's note: emphasis is mine.]
We originally covered this vulnerability two weeks ago saying,
"...there's an urgent update that Adobe has just made to Acrobat, Flash Player, and Adobe Reader."
So, now that there are others adding their voices to the chorus, and we're all saying this is a big deal, please visit this page on Adobe's site which covers the Acrobat/Flash security update.
If you're reading this article, please, stop what you're doing, go to that URL, *read* it, and follow Adobe's instructions.
Regardless of if the rest of your Windows OS is patched, regardless of whether or not you have a software firewall running, and regardless of whether or not you've installed the best antivirus software or an Internet security suite, you still need to do this.
Acrobat and Flash live outside of the normal Windows Update mechanism and thus cannot be upgraded via Windows Update; they are best upgraded manually (i.e., don't rely on the Adobe auto-updater).
In our humble opinion, this vulnerability has every bit the potential to be even bigger than the Conficker worm from early April this year because of the enormous install base Acrobat and Flash have.
Let's get right to the story here: there's an urgent update that Adobe has just made to Acrobat, Flash Player, and Adobe Reader.
If you have Acrobat, Reader, or Flash installed, which most folks do, you'll want to upgrade NOW. Here's the lead in of the Adobe security announcement.
"A critical vulnerability exists in the current versions of Flash Player (v22.214.171.124 and v10.0.22.87) for Windows, Macintosh and Linux operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat v9.x for Windows, Macintosh and UNIX operating systems.
"This vulnerability (CVE-2009-1862) could cause a crash and potentially allow an attacker to take control of the affected system.
"There are reports that this vulnerability is being actively exploited in the wild via limited, targeted attacks against Adobe Reader v9 on Windows."