Mozilla Firefox Takes Steps to Block Fraudulent SSL Security Certificates

Mozilla reported on March 22, that they were informed about the issuance of several fraudulent SSL certificates intended for public websites.

These were removed by the issuers which should protect most users. Mozilla has patched their Firefox versions 3.5, 3.6, and 4.0 to recognize and block these certificates, even though it is not a Firefox specific issue.

The effect to users would be that if on a compromised network, they could be directed to sites using the fraudulent certificates and mistake them for legitimate sites. This in turn, could be used to deceive users into revealing personal information like usernames and passwords or downloading malware if thought to be coming from a trusted site.

Although current versions of Firefox are protected from this attack, Mozilla is still evaluating further actions to mitigate this issue.

The Comodo Group, Inc. (the certificate authority) first reported the issue.

A follow up by Mozilla indicated that on March 15 an RA partner of Comodo Group, Inc.--which is a Certificate Authority--suffered an internal security breach, where the attacker used the RA's account with Comodo to get 9 fraudulent certificates to be issued.

The domain names of the certificates were identified as:

  • addons.mozilla.org
  • login.live.com
  • mail.google.com
  • www.google.com
  • login.yahoo.com (x3)
  • login.skype.com
  • global trustee

The attack was discovered immediately by an internal Comodo check, and the certificates were revoked and the RA account suspended.

To date, Comodo reports the only OCSP activity noted relating to these certificates has been two hits, one from the attacker's IP and another from very close by. Additionally, hits incurred from testing by Comodo and the notified companies. This hints that they have not been deployed in an attack, but it is possible the attackers would block OCSP requests as well.

Comodo has identified the IP address as an ADSL connection and originating from Iran. From the OCSP traffic mentioned, Mozilla thinks the attacker is aware the certificates have been revoked.

Mozilla does not believe there has been a root key compromise. However, an attacker armed with fraudulent certificates and an ability to control their victim's network could easily impersonate sites in a very inconspicuous way.

Risk mitigation actions implemented:

  1. Revocation of the certificates
  2. A hard coded blacklist of the certificate serial numbers in Firefox deployed as RC2 of Firefox 4 with two additional code patch releases, released on March 22.
  3. Mozilla released an announcement with some details of the problem.

Mozilla released the patch prior to publishing any announcements out of concern the attackers would be tipped off to blocking the updates.

Mozilla's security blog reported:

Mozilla recognizes that the obvious mitigation advice we might offer (to change Firefox’s security preferences to require a valid OCSP response in all cases, or to remove trust from Comodo’s certificates, or both) risked causing a significant portion of the legitimate web to break as well.

Additionally, neither we nor Comodo have found any evidence of access to their OCSP responder being blocked, either in Iran or anywhere else. We have also found no evidence of any other sort of attack.

In hindsight, while it was made in good faith, this was the wrong decision. We should have informed web users more quickly about the threat and the potential mitigations as well as their side-effects.

Mozilla has requested that Comodo do the following:

  1. Publish a full account of exactly what happened. (So far: they have published an incident report and a blog post.)
  2. Monitor their OCSP logs for evidence of use of these certificates, or evidence that access to their OCSP responders is being blocked from any geographical locations. (So far: no sign of use or blocking.)
  3. Cancel all relationship with the RA concerned. (So far: the RA is suspended.)
  4. Change their practices to use intermediate certs rather than issuing directly off the root, and use a different one for each RA.

With Internet attackers always on the move, consumers of the Internet should always ensure their PCs are getting the latest updates, including updating Firefox, to protect against security intrusions and malware. Aside from that having solid, trusted, Internet security software can also give peace of mind in holding off these threats.


Hacker Gang Leader Sentenced to 9 Years for Hospital Computer Attacks

Thanks to a piece by Kevin Poulsen at Wired Magazine, we learned about a successful prosecution of a hacker gang leader, who was convicted of installing malware on PCs in a Texas hospital.

Self video of hacker McGraw carrying out hospital computer attack.
(Video: YouTube)

The ringleader of a former online anarchist group called the Electronik Tribulation Army was sentenced on Thursday to over nine years in prison for installation of malware at a Texas hospital.

Hacker Jesse William McGraw, 26, also known as "GhostExodus", was fined $31,881 and ordered to serve three years of supervised release after serving time in prison.

He came to the attention of the FBI in 2009 after shooting and posting a YouTube video of himself "infiltrating" computers by installing RxBot at a medical office building.

According to the government, the Electronik Tribulation Army was creating a botnet to attack rival hacker gangs, which included Anonymous--known more at the time for hardcore pranks than the 'hacktivism' they've been known for since.

Security Researcher McGrew
Computer security researcher Wesley McGrew.
(Photo: Kristen Hines Baker, courtesy Mississippi State University)

In another video, McGraw showed off his personal infiltration gear, which included items such as lock picks, a cellphone jammer device, and falsified credentials portraying the FBI. The videos were shot at the Norther Central Medical Plaza in Dallas, TX.

McGraw was able to do so easily since he was a night security watchman and had unresricted access to the hospital.

He plead guilty last May to computer-tampering charges for installation of malware on a dozen machines which included a nurse's station with medical records. McGraw also installed a remote-access program called LogMeIn on the hospital's MS Window's-controlled HVAC system.

R. Wesley McGrew of McGrew Security in Mississippi, initially contacted the FBI after seeing screenshots of the HVAC access online. McGrew says,

I think the sentence is appropriate. He jeopardized public health and safety with his actions and I think its important to take a really strong stance against that,"

In the wake of McGraw’s arrest, other members of ETA have campaigned to harrass McGrew, which led to FBI raids of three suspected members, but there were no reported charges.

Although the YouTube videos suggest McGraw wasn't necessarily a critical threat to cyberspace, the FBI took note when it was discovered he'd installed a backdoor in the HVAC unit.

They noted that any failure of the unit--which controlled the first and second floors of the North Central Surgery Center--could have adversely affected patients in the hot summer time or caused refrigerated drugs or medical supplies to go bad.

There are a couple of important lessons here:

  1. Never, ever leave a workstation unlocked when you step away from it. Ever. If you give someone physical access to your computer, all bets are off.
  2. Audit your PCs regularly. The most dangerous phrase in security is, "It's not like...."

    Rather than thinking to yourself, "It's not like someone could ever put a virus on my computer without me knowing!" Assume there are people smarter than you, and they will if they can.
  3. Keep your antivirus software updated, set it up to run automatic scans, and run a manual scan, too, every now-and-again just to be on the safe side.


Microsoft Working to Take Down Win32/Rustock Botnet

Microsoft's Jeff Williams gives an update on Microsoft's part in continued action to eradicate the Win32/Rustock botnet.

Over a year ago Microsoft marshalled a unique botnet-fighting team. Made up of others in industry and some folks in academia, they used a combination of legal and technical means to  take control of the Win32/Waledac botnet as the first milestone action in project MARS (Microsoft Active Response for Security.)

A similar action in the past couple of days has had its legal seal opened that allowed Microsoft to talk more openly about the Win32/Rustock botnet.

Sure, Waledac was a simpler and smaller botnet than Rustock, but because of lessons learned with it, Microsoft was able to take on the much larger Rustock botnet.

Rustock is estimated to've infected over a million computers and was spewing out millions of spams daily

In fact, some statistics have suggested that at its peak, Rustock accounted for a staggering 80% of all spam traffic in volume and were sending at a rate of over 2,000 messages per second.

What was so impressive in the botnet takedown was the scope of things: the seizure of command and control servers was under court order from the U.S. District Court for the Western District of Washington; the order was carried out by the U.S. Marshals Service and by authorities in the Netherlands.

That alone would be a fairly big deal, but here's the kicker: investigators are now going through evidence seized from five hosting centers in seven locations to learn more about those responsible and their activities.

This was a collaboration with others such as Pfizer (whose brands were infringed on from fake-pharma spam coming from Rustock), FireEye, and the University of Washington.

All three gave valuable statements to the court on the behaviors of Rustock and also the specific dangers to public health which is in addition to those effecting the Internet.

On Microsoft's side, the efforts are represented by a partnership between Microsoft's Digital Crimes Unit, the Microsoft Malware Protection Center, and Microsoft Trustworthy Computing.

We applaud Microsoft and its partners for pulling this off. Their continued work with CERT and ISPs around the world is the only way to reach those whose computers are infected and help defeat and remove these viruses.


Windows 7 SP1 Security Updates... What's Included?

Among the most important parts of keeping any computer secure is to update the OS when fixes become available. Microsoft Windows 7 SP1 Beta has been available for test release since July of 2010 while the formal release began late last month (Feb 2011).

To update, users can select the Windows 7 SP1 update in Windows Update (which is the easiest way for one PC), or do it manually by downloading and installing as a separate file (which is the easiest way if you have several machines to update).

The x86 version is about 527 MB while the x64 tips the scales around 903 MB.

Besides fixes and improvements for stability, there are about 80 other fixes generally classified into hotfixes and security updates by our friends in Redmond.

The majority of these can be grouped as follows:

  • 25 fixes to help prevent Remote Code Execution  
  • 8 Internet Explorer Updates
  • 7 Kernel fixes to prevent Elevation of Service 
  • 6 .NET framework 3.5, 3.51, and 4.0 fixes
  • 5 Elevation of Service fixes related to various vulnerabilities
  • 5 Vulnerability fixes that could allow Denial of Service
  • 3 Application Compatibility Updates
  • 3 Updates  including Rollup/Security updates for Active X, and
  • 2 Updates for XML Core Services

While we here are all very much proponents and strong advocates of antivirus firewall software to help keep a PC secure, it's an understatement to say it's important to take advantage of security fixes like these, too.

Put another way: if you haven't applied SP1 to your PCs yet, now's a good time to hop to it.


Adobe Warning Issued For Potential of Attacks on Flash Player Vulnerability

Adobe has issued a warning about a critical vulnerability in Flash that impacts Adobe Reader and Acrobat.

Kaspersky Labs' Threat post reports that the Flash Player vulnerability is a bug that can be used by remote attackers to run arbitrary code and that Adobe has already seen some attacks capitalizing on this.

Adobe issued a security advisory that the vulnerability exists in the following software versions:

  • Adobe Flash Player and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
  • Adobe Flash Player and earlier for Chrome users
  • Adobe Flash Player and earlier for Android
  • The Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.1) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems.

Adobe Reader 9.x for UNIX, Adobe Reader for Android, and Adobe Reader and Acrobat 8.x are not affected by this issue.

There have been some reports of this vulnerability being exploited by embedding a Flash .swf file within a Microsoft Excel (.xls) file being delivered in an email attachment.

Adobe states they are not aware of specific attacks utilizing Adobe Reader and Acrobat.

A fix for this issue is in the works scheduled for release by March 21, 2011.

Even though the new Flash bug apparently wouldn't be exploitable in Reader X, Adobe plans to update that application in its scheduled quarterly Reader patch release on June 14, 2011.

While you're updating your Flash player, take a peek at your antivirus software and make sure it's up to date, too. After all, it's your last line of defense.

Japanese Earthquake Disaster Scams Exploit at Record Pace

It is astounding how far malware attackers will go to to victimize people by taking advantage of the misfortune of others.

Today, Noriyaki Hayashi reports from Trend Micro's blog that they've discovered a phishing site that poses as a donation site to help the victims of the recent Japanese earthquake. The site http://www.japan{BLOCKED}.com was found to be hosted within the U.S. and was still active as of the time of this writing.

Phishing site posing as donation site

Site shown after clicking 'join now'
Additionally, the same authors of this site abused the blog function to insert advertisement-look-alike posts, presumably to increase the search engine rankings.

Abused blog function on phishing site
Attacks  like this aren't uncommon. (Think back to Hurricane Katrina in 2005, Hurricane Gustav in 2008, the Chinese Sichuan earthquake in 2008, and the Haiti earthquake in 2010.)

Norman Ingal -- threat response engineer at Trend Micro -- also reported on March 11 that immediately after the news broke of the 8.9 Richter scale magnitude earthquake and subsequent tsunami in Japan, several websites popped up with keywords relating to the quake.

One of the sites with the keyword 'most recent earthquake in Japan' led to FAKEAV variants that were identified by Trend Micro as MalFakeAV-25 and later identified as TrojFakeAV.PB.

These blackhat SEO attacks that lead to rogue antivirus downloads continue to be very common.

Many new domains are being created and parked with keywords similar to earthquake and tsunami in Japan. Key words such as help, earthquake, japan, tsunami, relief, disaster, fund, and donations were used.

Perhaps the message here is to be careful when searching for media content by using known trusted media sites.

Facebook pages are being utilized as well.  One claims to contain video footage and lure the visitors to a site called hxxp://www.{BLOCKED}u.fr/view.php?vid=Le-plus-gros-Tsunami-du-Japon-depuis-20-an.

The facebook page is titled  “Japanese Tsunami RAW Tidal Wave Footage!" and a script auto-directs  visitors  to a fake video page where the video is actually a hyperlinked image. Users that click on this get led to a page asking for their cell phone number.

The script also implements a 'Like' and posts a link to the user's wall. Trend Micro Antivirus Software detects this script as HTML_FBJACK.A.

Spammed email messages are being exploited as well. They ask for personal information first with promises of instructions on how to send your donations once the user responds.

Readers should use long-established avenues such as the Red Cross (http://www.redcross.com) and Medical Teams International (http://medicalteams.org) if you wish to donate.

Symantec's Samir Patel (with thanks to Dylan Morss, Christopher Mendes, and Sujay Kulkarn) in a Symantec piece on Japan relief scams says over 50 new domain names have been registered that use the keywords 'Japan tsunami' or 'Japan earthquake'.

These sites are either parked, for sale, or linked to other earthquake websites.

Some example sites include:

  • 3-11-2011-[removed].com
  • 3-11[removed].com
  • earthquake-[removed].com
  • earthquaketsunami[removed].com
  • earthquakerelief[removed].com

Symantec has observed a a 419-type message that capitalizes on the disaster. It is a fake "next of kin" story that purports to settle millions of dollars owing to an earthquake and tsunami victim:

Japan scam message

Attachments and .zip files can be embedded in such emails so beware if the source is unknown.

Activities such as these underscore the importance of keeping antivirus software updated along with a healthy dose of caution when browsing the Internet.


Fake Ads Posing as AV Solutions Target Browsers

Blogger Dan Goodwin at The Register talks about how browser malware is growing.

For a while now, ads that pimp malware disguised as antivirus "fix-it" software have typically been customized to give the appearance of belonging to Microsoft's Internet Explorer and Windows operating systems.

Well...not so anymore.

With the popularity of Google's Chrome, Mozilla's Firefox, and Apple's Safari browsers, these fake antivirus pimps are working harder to target the browser that's actually in use by the victim.

Senior security researcher at Zscaler.com, Julien Sobrier, says it looks like a crafty, targeted, browser-specific malware campaign pushing the fake antivirus software.

Here's what the malware looks like in various web browsers:

Internet Explorer

Internet Explorer users get the typical Windows 7 Security Alert.


Mozilla Firefox

Interestingly, Firefox users will see Firefox elements (which also appear in the source code). Additionally, the security warning normally shown gets spoofed when Firefox detects the user attempting to navigate to a known malicious site.


Google Chrome

Google's Chrome users get a customized popup window -- complete with the Google Chrome logo and an unsuspecting warning. The positive side to this is Chrome identifies the page reporting this falsehood.


If the user clicks "ok", then a Chrome-looking window opens shows a fake scan taking place.

Apple Safari

Finally, Safari also gets spoofed and shows the Safari logo in fake pop-up alerts, but ultimately it looks and feels like IE.


These ads are intended to lead surfers into believing they've been infected and that the system can and will be cleaned by the (fake) antivirus software being offered. Since the popup warnings are tailored to look as though they're being presented by the browsers themselves, there appears to be a higher chance of success for the malware hackers.

Sobrier writes:

I've seen malicious pages tailored in the past, but they were mostly fake Flash updates or fake codec upgrades for Internet Explorer and Firefox.

"I've never seen targeted fake AV pages for so many different browsers.

According to Dan Goodwin, some sites that redirect to this scam are:

  • columbi.faircitynews.com
  • jmvcorp.com
  • www.troop391.org.

If you're successfully redirected, the site tries to upload and run InstallInternetDefender_xxx.exe, where the xxx is a frequently changing number.

At the time of Sobrier's piece, VirusTotal scan claims this malware is only detected by just 9.5 percent of 42 AV programs tested, although that number is sure to increase quickly.

It's clear, fake antivirus scams is getting more sophisticated. The good news is, legitimate Internet security software is evolving, too.