It isn't every day you get to see what a real Trojan attack looks like.
When you do, there's seldom time to even take screenshots: you just want to get the heck out of Dodge.
But this time, while putting together material for our upcoming free workshop, I happened across a real attack and was able to record it.
If you've ever wondered what an attack looks like, here's your chance to see one.
Here's the best/worst part: nothing stopped it.
- Not our Internet security software.
- Not any of our browsers' built-in malware protection.
- Not even Windows 10's built-in security.
See for yourself how it happened and what you can do to stop it.
Fans of Internet Explorer, rejoice!
Well, sort of.
NSS Labs, one of the top independent security research labs in the world, just put each of the top web browsers for Microsoft Windows PCs on their test bench to see how they fared against socially engineered malware.
Long lambasted as insecure and weak at thwarting malware, Internet Explorer actually landed at the front of the pack in this particular test.
Their report, "Web Browser Security, Socially Engineered Malware Protection," looked specifically at social engineering malware (SEM) attacks, which, in the report's words,
"...remains the most common security threat facing Internet users today. Recent studies show that users are four times more likely to be tricked into downloading malware than be compromised by an exploit."
How much better did IE fare? At the risk of editorializing, it was an absolute landslide. (Politicians dream of this kind of lopsided victory.)
Effectiveness of Top Web Browsers at Blocking Social Engineering Malware Attacks

| Web Browser | Malware Blocking Efficacy |
|---|---|
| Microsoft Internet Explorer 9 | 99.2%* |
| Google Chrome 12 | 13.2% |
| Apple Safari 5 | 7.6% |
| Mozilla Firefox 4 | 7.6% |

\* With both URL and Application Reputation enabled during testing, which provided 96% and 3.2% of the protection respectively.
Now for the one caveat: this only measured the efficacy of blocking social engineering malware and didn't test any of the browsers' ability (or likelihood) of being attacked through a security exploit.
What does that mean?
For starters, it means stopping viruses and other malware isn't as easy as running one web browser vs. another.
While Internet Explorer 9 might do very well at blocking social engineering malware, other browsers have historically done significantly better at stopping attacks that come through security exploits.
So, what's the best, most secure web browser?
There's no simple answer. I'd really encourage you to take a close look at the NSS Web Browser Security Report.
Another thing not covered is the effectiveness of antivirus software at blocking these types of threats.
In our tests, we consistently saw the software with the best malicious-website filtering give added protection above and beyond what the web browsers themselves provided.
Blogger Dan Goodwin at The Register talks about how browser malware is growing.
For a while now, ads that pimp malware disguised as antivirus "fix-it" software have typically been customized to give the appearance of belonging to Microsoft's Internet Explorer and Windows operating systems.
Well...not so anymore.
With the popularity of Google's Chrome, Mozilla's Firefox, and Apple's Safari browsers, these fake antivirus pimps are working harder to target the browser that's actually in use by the victim.
Senior security researcher at Zscaler.com, Julien Sobrier, says it looks like a crafty, targeted, browser-specific malware campaign pushing the fake antivirus software.
Here's what the malware looks like in various web browsers:
Internet Explorer users get the typical Windows 7 Security Alert.
Interestingly, Firefox users see Firefox elements (which also appear in the page source). The fake page also spoofs the warning Firefox normally shows when it detects that the user is navigating to a known malicious site.
Google Chrome users get a customized popup window, complete with the Google Chrome logo and an innocuous-looking warning. The saving grace is that Chrome labels the popup with the page that is making the false report, so an attentive user can see it comes from the web page and not from the browser.
If the user clicks "OK", a Chrome-looking window opens and shows a fake scan taking place.
Finally, Safari also gets spoofed and shows the Safari logo in fake pop-up alerts, but ultimately it looks and feels like IE.
These ads are intended to lead surfers into believing they've been infected and that the system can and will be cleaned by the (fake) antivirus software being offered. Since the popup warnings are tailored to look as though they're being presented by the browsers themselves, there appears to be a higher chance of success for the malware hackers.
"I've seen malicious pages tailored in the past, but they were mostly fake Flash updates or fake codec upgrades for Internet Explorer and Firefox," Sobrier says.
"I've never seen targeted fake AV pages for so many different browsers."
According to Dan Goodwin, some sites that redirect to this scam are:
If you're successfully redirected, the site tries to download and run InstallInternetDefender_xxx.exe, where xxx is a frequently changing number.
At the time of Sobrier's piece, a VirusTotal scan showed the sample detected by just 9.5 percent of the 42 AV engines tested (4 of 42), although that number is sure to increase quickly.
It's clear that fake antivirus scams are getting more sophisticated. The good news is that legitimate Internet security software is evolving, too.
In a recent post to its security blog, Symantec, maker of Norton antivirus, revealed:
"A new exploit targeting Internet Explorer was published to the BugTraq mailing list yesterday. Symantec has conducted further tests and confirmed that it affects Internet Explorer versions 6 and 7 as well."
The announcement of the Internet Explorer exploit was surprising to many because it targets the browser's handling of Cascading Style Sheets (CSS), something that hasn't typically been used in these types of attacks.
The exploit got notoriety when a security researcher published code that could allow an attacker to take over an unsuspecting user's Internet Explorer and install code on that person's computer; Symantec then took notice and began doing research of its own.
There has always been, and likely always will be, a large degree of controversy around so-called "full disclosure" of security issues like this. One group believes it's most responsible for researchers to first notify the manufacturer about the vulnerability so that things can be kept quiet until patches are ready.
The other group believes it's most responsible for researchers to first notify the community about the vulnerability so that users can take steps to protect themselves against attack.
The argument is that if you disclose only to the manufacturer and don't notify the community, there could very well be active exploits in the wild that other attackers are already using; by not notifying the community, you're withholding information that may help users protect themselves.
In contrast, if you don't first notify the manufacturer and immediately post the exploit, you're giving attackers a recipe for taking over computers without giving the manufacturer any chance to develop a patch.
There are valid points on both sides of the debate. Regardless, in this case the exploit was released to the community first and not to the manufacturer (Microsoft), so there's a new attack on Internet Explorer for which no patch is yet available.
The good news is that it appears the best antivirus software is already able to detect this exploit. Symantec, for instance, says on its Security Blog:
"Symantec currently detects the exploit with the Bloodhound.Exploit.129 antivirus signature and is working on new signatures now."
"A new IPS signature, HTTP IE Style Heap Spray BO, has also been created for this specific exploit."
As of the writing of this post, there's still no patch; however, by following the steps recommended by Symantec, users should be reasonably well protected against this exploit.
We got wind today of a research project out of the University of California Santa Barbara (UCSB) that took over one of the most notorious botnets, Mebroot.
In an article on the takeover of the Mebroot botnet, the scope of the problem is revealed:
"They found more than 6,500 websites hosting malicious code that redirected nearly 340,000 visitors to malicious sites."
The idea behind such an attack is for the botnet operators to have a massively distributed network for attacking PCs that visit a range of legitimate websites. That makes the operation much harder to stop and gives the criminals a far more stable foothold from which to recruit more end users' PCs to do their real bidding: cybercrime.
"'Once upon a time, you thought that if you did not browse porn, you would be safe,' says Giovanni Vigna, a UCSB professor of computer science and one of the paper's authors.
"'But staying away from the seedy places on the Internet is no longer an assurance of staying safe.'"
So the botnet worked like this:
- Take over legitimate websites.
- Infect end users' PCs via a drive-by download that silently takes over the visitor's computer.
- Use the infected PCs to perform cybercrimes (credit card theft, password theft, bank fraud, identity theft, etc.).
The article closes with this not-so-surprising detail:
"The researchers also discovered that nearly 70 percent of those redirected by Mebroot--as classified by Internet address--were vulnerable to one of almost 40 vulnerabilities regularly used by the most popular infection toolkits designed to compromise computer systems.
"About half that number were vulnerable to the six specific vulnerabilities used by the Mebroot toolkit.
"The research suggests that users need to update more often, says UCSB's Vigna.
"'Patches are very good at reducing the exposure of the end users, but users are not very good at updating their system,' he says."
The notion of patching more frequently is one we've covered in our site numerous times, and it's a message that warrants repeating regularly.
Why computer users, whether or not they're running the latest antivirus firewall software, don't do so is puzzling.
Updating your OS is an extremely simple process and is well worth the few minutes it takes in most cases. (Even when it takes longer, it's still worth it compared with the consequences of not doing so and leaving your computer more susceptible to takeover.)
- Open Internet Explorer.
- Click 'Tools' in the upper menu.
- Click 'Windows Update'.
- Click 'Express Update' (or 'Custom Update' to get full details on what you're updating).
- Install any updates that Microsoft recommends.
Typically, you'll have to reboot after this. Then do it again: some updates cannot be installed concurrently with others, so a couple of update cycles are sometimes needed.
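The same check can be scripted, which matters if you look after more than one PC. The script below is an added example written for this page, not something from the original post or from Microsoft; it uses the Windows Update Agent COM API (Microsoft.Update.Session and Microsoft.Update.AutoUpdate) and the built-in Get-HotFix cmdlet, both standard on Windows 7 and later. The 30-day staleness threshold is an assumption, not a Microsoft recommendation.

```powershell
# Added example (not from the original post): audit a Windows PC's patch state
# from PowerShell instead of clicking through Internet Explorer's Tools menu.
# Run in an elevated PowerShell prompt; the update search needs Internet access.

$maxDaysSinceInstall = 30   # assumption: anything older than this counts as "stale"

# Last successful search/install as recorded by the Automatic Updates client.
$au = (New-Object -ComObject Microsoft.Update.AutoUpdate).Results
"Last successful update search : $($au.LastSearchSuccessDate)"
"Last successful install       : $($au.LastInstallationSuccessDate)"

# Most recently installed hotfix according to the local package store.
$latest = Get-HotFix | Where-Object { $_.InstalledOn } |
          Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($latest) {
    $age = (Get-Date) - $latest.InstalledOn
    "Newest installed hotfix       : $($latest.HotFixID) on $($latest.InstalledOn.ToShortDateString()) ($([int]$age.TotalDays) days ago)"
    if ($age.TotalDays -gt $maxDaysSinceInstall) {
        Write-Warning "No updates installed in $maxDaysSinceInstall days; this machine is probably behind on patches."
    }
}

# Ask the Windows Update Agent which applicable software updates are still missing.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

if ($result.Updates.Count -eq 0) {
    "No missing software updates reported by Windows Update."
} else {
    "Missing updates: $($result.Updates.Count)"
    foreach ($u in $result.Updates) {
        $kbs = @($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        $sev = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'n/a' }
        "  [{0,-9}] {1,-12} {2}" -f $sev, $kbs, $u.Title
    }
    # Critical-rated security updates are the ones drive-by exploit kits go after first.
    $critical = @($result.Updates | Where-Object { $_.MsrcSeverity -eq 'Critical' })
    if ($critical.Count -gt 0) {
        Write-Warning "$($critical.Count) Critical update(s) missing. Install them, reboot, and re-run until this list is empty."
    }
}
```

Re-running the script after each reboot shows whether the second update cycle mentioned above is still needed: the job is done when the missing-updates list comes back empty.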
Sad to say, the bad guys are at it again.
Computerworld brings news of a new, as-yet-unpatched ActiveX bug that's being exploited to compromise PCs.
Because of these attacks, threat conditions have already been raised by several antivirus vendors, including Sunbelt, maker of VIPRE; Symantec, maker of Norton AntiVirus; and McAfee, maker of VirusScan.
| Antivirus Vendor | Threat Details Page |
|---|---|
| Sunbelt | Sunbelt Security Blog |
| McAfee | McAfee Avert Labs |

Additionally, SANS.org's ISC (Internet Storm Center) temporarily went to condition yellow with the release of this ISC Diary entry, Vulnerability in Microsoft Office Web Components Control Could Allow Remote Code Execution.
Here are some key highlights from ISC's Diary entry,
- "The vulnerability is being actively exploited on web sites."
- "One other obvious mitigation step is to use an alternate web browser (as in other than IE) that does not make use of ActiveX." [AVR Editor's Note: If you haven't already tried Mozilla Firefox, we recommend you download Firefox and give it a try.]
- Attack vectors include,
"A .cn [Chinese] domain using a heavily obfuscated version of the exploit." [AVR Editor's Note: The key word here is "obfuscated." You may not even know you're on a Chinese domain being infected with this virus when it happens.]
- Another attack vector mentioned was, "A highly targeted attack against an organization earlier today who received a Microsoft Office document with embedded HTML.
"This one was particularly nasty, it was specifically crafted for the target - with the document being tailored with appropriate contact information and subject matter that were specific to the targeted recipient.
"Analysis of the document and secondary payload found the attacker used a firewall on the malicious server so that all IP traffic outside of the targeted victim's domain/IP range would not reach the server."
Regrettably, as with many things, the bad guys beat Microsoft to the punch, and a patch for the security vulnerability hasn't yet been released.
In the meantime, Microsoft has a manual ActiveX vulnerability workaround [AVR Editor's Note: look for 'Enable workaround' beneath the 'Fix it for me' section].
Microsoft's Security Advisory on the MS Office ActiveX vulnerability has further details.
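Microsoft's "Fix it" workarounds for ActiveX bugs of this kind set the control's kill bit: a Compatibility Flags value of 0x400 under the ActiveX Compatibility key stops Internet Explorer from instantiating that control, with or without a patch. The script below is an added example written for this page (it is neither the Fix-it itself nor the original post's content) showing how to set and verify a kill bit by hand; the CLSID in it is a placeholder, and the real CLSIDs for the affected control must be taken from the Microsoft advisory.

```powershell
# Added example (not Microsoft's Fix-it, not from the original post): set and
# verify an ActiveX kill bit by hand. Mechanism as documented by Microsoft:
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
#   Compatibility Flags (DWORD) = 0x400  -> IE refuses to load the control.
# Run from an elevated PowerShell prompt.

$clsid   = '{00000000-0000-0000-0000-000000000000}'  # PLACEHOLDER: use the CLSID(s) from the advisory
$KillBit = 0x400

# 32-bit IE on 64-bit Windows reads the Wow6432Node view, so cover both.
$paths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
)

function Test-KillBit([string]$Path) {
    # True only if the key exists and the 0x400 bit is set in Compatibility Flags.
    $flags = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
}

function Set-KillBit([string]$Path) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    # OR the bit in rather than overwrite, so any other compatibility flags survive.
    $new = if ($null -eq $existing) { $KillBit } else { $existing -bor $KillBit }
    Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value $new -Type DWord
}

foreach ($p in $paths) {
    # Skip the Wow6432Node path on a 32-bit OS, where that view does not exist.
    if (-not (Test-Path (Split-Path $p -Parent))) { continue }
    if (Test-KillBit $p) {
        "Kill bit already set: $p"
    } else {
        Set-KillBit $p
        "Kill bit set: $p -> " + $(if (Test-KillBit $p) { 'verified' } else { 'FAILED' })
    }
}
```

Once the vendor patch is installed the kill bit can stay in place; it only blocks the control in Internet Explorer, which is also why the ISC's "use a browser that doesn't make use of ActiveX" advice above amounts to the same mitigation.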
BBC News covers the IE security flaw and brings these details:
'"In this case, hackers found the hole before Microsoft did," said Rick Ferguson, senior security advisor at Trend Micro. "This is never a good thing."
As many as 10,000 websites have been compromised since the vulnerability was discovered, he said. (We just covered these Internet Explorer security issues.)
"What we've seen from the exploit so far is it stealing game passwords, but it's inevitable that it will be adapted by criminals," he said. "It's just a question of modifying the payload the trojan installs."
Said Mr Ferguson: "If users can find an alternative browser, then that's good mitigation against the threat."' (emphasis ours)
The article goes on to quote another security pro, PC Pro magazine's security editor, Darien Graham-Smith, who added,
"The message needs to get out that this malicious code can be planted on any web site, so simple careful browsing isn't enough."
For anyone reading this who isn't running:
1.) antivirus software
2.) a hardware firewall
This is your wake-up call.
Finding the right antivirus software for your money isn't hard to do. Some suites even include a firewall as well, giving you antivirus and firewall software in one.
We know we beat the same drum day-after-day here, but we do so because it can't be said enough: run antivirus software, which can often stop attacks like these in their tracks.
We also saw this in a related Computerworld article on the IE flaw:
'"It turned out that a lot of available information and assumptions were wrong," wrote Carsten Eiram, chief security specialist at Secunia, in a post to the security company's blog early Friday.
Among those, said Eiram, was the belief that the vulnerability existed only in IE7 and was related to XML processing -- as some, including Secunia, first thought.
Also incorrect, or at least partly so, is the idea that setting IE's Internet security zone to "High" and disabling scripting will keep one safe from attack, added Eiram. "Technically no ... it is still possible to trigger the vulnerability," he said. "However, it does make exploitation trickier as it protects against attacks using scripting."'
The long-story-short: This means even if you've cranked your settings up in IE, you're still at risk.
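If you did crank up those settings, it is worth confirming they actually took effect for the Internet zone before relying on them even for the partial protection Eiram describes. The script below is an added example written for this page, not from the original post or from Microsoft; it reads the per-user zone settings from the registry using the layout Microsoft documents in KB182569 (zone 3 is the Internet zone; value 1400 is Active scripting; 1200 is Run ActiveX controls and plug-ins; 1004 and 1001 are Download unsigned/signed ActiveX controls; data 0 = Enable, 1 = Prompt, 3 = Disable). The CurrentLevel constants are from the same article; anything else is reported as custom rather than guessed.

```powershell
# Added example (not from the original post): report Internet Explorer's
# Internet-zone security level and the scripting/ActiveX settings for the
# current user, per the registry layout in Microsoft KB182569.

$zone    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$levels  = @{ 0x12000 = 'High'; 0x11000 = 'Medium'; 0x10500 = 'Medium-low'; 0x10000 = 'Low' }
$actions = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$checks  = [ordered]@{
    '1400' = 'Active scripting'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1004' = 'Download unsigned ActiveX controls'
    '1001' = 'Download signed ActiveX controls'
}

$props = Get-ItemProperty -Path $zone
$lvl   = $props.CurrentLevel
$levelName = if ($null -eq $lvl) { 'not set (default)' }
             elseif ($levels.ContainsKey([int]$lvl)) { $levels[[int]$lvl] }
             else { 'custom (0x{0:X})' -f [int]$lvl }
"Internet zone level : $levelName"

foreach ($k in $checks.Keys) {
    $v = $props.$k
    $state = if ($null -eq $v) { 'not set (default)' }
             elseif ($actions.ContainsKey([int]$v)) { $actions[[int]$v] }
             else { "unknown ($v)" }
    "  {0,-38}: {1}" -f $checks[$k], $state
}

# The article's point: even with scripting disabled the flaw can still be
# triggered, so a clean result here means the partial mitigation is on,
# not that the machine is safe. Missing settings mean the mitigation is off.
if ($props.'1400' -ne 3) {
    Write-Warning 'Active scripting is not disabled for the Internet zone; the scripting-based exploit path is open.'
}
if ($props.'1200' -ne 3) {
    Write-Warning 'ActiveX controls are not disabled for the Internet zone.'
}
```

Run it as the user who browses, since these values are per-user; a domain policy can also pin them under HKLM, in which case the user-level values shown here are overridden.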