Tuesday, January 16, 2007

Exploits, and Russians and Brazilians, Oh My!

Hi folks,

Well, it's been an interesting day today. Firstly, a public exploit has been published for this months VML vulnerability. Microsoft patched it on January 9, and the public version came out on January 16th. Pretty quick, really. Fortunately, this version doesn't work all the time on English/ US versions of XP, but we should assume that all the Bad Guys are anxiously trying to fix that right at this moment. Last September's VML exploit is pretty much a standard part of the major web exploit gang's reportoires. Naturally, we've released a signature for it, so LinkScanner users have little to fear.

And not only that, but just yesterday the boys over at WebSense noticed that, arguably for the first time, Brazilian hackers were using using exploits, notably WebAttcker, to install their banking trojans. Up until now, they mostly just tried to trick people into installing the trojan, and the use of WebAttacker was a significant escalation.

The second interesting event for the day is that today we have another example of Russians teaming up with Brazilians to use exploits to install banking trojans. This time it's the venerable MS06-014, which still seems to work great on people who do their banking at work (because corporates don't patch very often).

The scam works like this ... first they set up a bogus greeting card site on something like geocities in Brazil, and simply send out a fake greeting card. The victim clicks the card and is taken to the fake site. If they're not patched ... voila... they have some new programs, downloaded from somewhere in Russia, installed for free. MS06-014 is not really that important, but it means the Brazilian Carders are really investigating using exploits and vulnerabilities. It's another escalation.

Keep safe,


Monday, January 15, 2007

Blogger can have javascript embedded?

Hi folks,

I guess other people knew this, but I did not. It turns out that if you own a blog, using the new version of Blogger, you can embed javascript, by adding Page Elements in the layout screen.

What this means is that, if you wanted to, you could embed exploits. Now, to be fair, it's only in your own blog, and an exploit might get shut down pretty quickly, but on the other hand, some exploits are pretty subtle, and some will not be noticed until long after someone has surfed off somewhere else. And, of course, if it's a rootkit, it might not be noticed at all.

So far we have not found any overt exploits, but we do keep finding obfuscated automatic redirects to bogus search engines or porn pages.

How it works is this ... They first go to the trouble of setting up a fairly legitimate looking page. Probably they just "borrow" one from a legitimate site, such as Royal Caribbean Tours. This ensures that when the google bots come to index them, they will have lots of good keywords to be indexed on. Then, by adding a small javascript, they automatically redirect any visitors to the real target.

I guess they consider that it's marketing, but being the kindest that you can, it's bait and switch at a minimum.

Naturally, we've taken the precaution of preemptively blocking those scripts, but it's easy to see how that school teacher recently got into trouble for having porn on the computers under her control.



Saturday, January 13, 2007

Yay! Winbudget is installed!

Hi folks,

In the last day or so, there has been some discussion, particularly in EDU circles, about some sort of bot programs infecting computers and displaying "Yay". (The Attentive Reader will be amused that malcode would actually announce its presence, but that's beside the point). It's not yet clear where they're getting the Yay-bot from, but part of the mystery is now solved. The purpose of the Yay-bot is to install a piece of adware/spyware called WinBudget. This is a Browser Helper Object that appears to monitor all the major search engines, and hijack the search results, displaying its own popups as well.

I guess we can speculate that the dork^h^h^h^h programmer who wrote the installer must have been a bit of a newbie, and was thrilled to find his code actually worked... thus the "Yay". The BHO, however, works quite well and is a real nuisance, and we've taken the precaution of blocking the BHO install site.