Tag Archive for Sophos

Adobe Notes

Malicious PDF Files Becoming the Attack Vector of Choice

ZDNet points out a report from Symantec’s MessageLabs that malicious PDF files now outpace every other kind of malicious attachment used in targeted attacks: compared with media files, help files, HTML and executables, the PDF has become the attack vector of choice.

The report says that office file formats remain a popular and effective choice in some targeted attacks. Cybercriminals attempt to bypass spam and email filters by distributing the ubiquitous PDF, which is often allowed to pass through these layers of protection. In 2009, about 52.6% of targeted attacks used PDF exploits, compared with 65.0% in 2010, an increase of 12.4 percentage points. MessageLabs Intelligence Senior Analyst Paul Wood says,

PDF-based targeted attacks are here to stay, and are predicted to worsen as malware authors continue to innovate in the delivery, construction and obfuscation of the techniques necessary for this type of malware

Adobe Posts Its First Billion-Dollar Quarter

The New York Times reports that the software maker Adobe posted its first $1 billion quarter in Q4 2010. Revenue rose 33 percent to $1.01 billion from $757 million a year earlier. Adobe, which is based in San José, CA, makes Photoshop, Acrobat, and Flash.

Targeted attacks exploiting PDF bugs are soaring

Help Net Security reports that Adobe is having a hard time shaking its reputation for products riddled with vulnerabilities. Help Net Security cites a report from F-Secure’s lab which says that Adobe Reader exploits are becoming the weapon of choice for many cybercriminals.


This makes patching and updating eminently important. Take the latest critical vulnerability, CVE-2010-0188, for which Adobe warned users to update to the latest version: users who missed the memo are vulnerable, and F-Secure (FSC1V) warns that it is being exploited in the wild.

Upon loading the PDF file, an embedded executable is dropped on the victim’s hard disc and it immediately tries to connect with tiantian (.) ninth (.) biz to download other files.

F-Secure warned long ago about the security problems plaguing Adobe’s best-known software, and has even advised users to switch to an alternative PDF reader. According to Help Net Security, Adobe’s decision to schedule its updates to coincide with Microsoft’s Patch Tuesday is a step in the right direction.

Malicious PDF spam with Sality virus

Help Net Security highlights a Sophos warning that a malicious email containing the following text has been landing in inboxes around the world:

Hey man..
Remember all those long distance phone calls we made.
Well I got my telephone bill and WOW.
Please help me and look at the bill see which calls where yours ok..

You surely don’t remember such an occurrence, or the sender of the email, since this is just a ploy to make you open the PhoneCalls(.)pdf attachment; don’t let your innate curiosity get the better of you.

The attached file exploits a vulnerability in how Adobe Reader handles TIFF images and then downloads and executes a Trojan that loads the Sality virus into your system’s memory. The virus then appends its encrypted code to executable files, deploys a rootkit, and kills anti-virus applications.
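Both the F-Secure sample above (a PDF that drops an embedded executable) and the Sophos PhoneCalls(.)pdf spam rely on PDF features that a reader can check for before opening the file. The following static triage script is an added example for this page, not code from Sophos, F-Secure or the original post. It looks for the PDF names that script-carrying, file-dropping and form-based exploit carriers depend on, inflates FlateDecode streams (where obfuscated PDFs hide those names) and undoes the `/J#61vaScript` name-escaping trick. The name list is the editor’s own selection, and the sample PDF is constructed and inert; the note that public CVE-2010-0188 exploits delivered the TIFF through an XFA form is the reason `/XFA` is on the list.

```python
"""Static triage of a PDF before opening it: flag the names that malicious PDFs rely on,
looking inside compressed streams and past the /J#61vaScript name-escaping trick."""
import re
import zlib

# Names worth a second look before a PDF from an unsolicited mail is opened.
# Editor's selection for this example, not a vendor signature set.
RISKY_NAMES = [
    "/JavaScript", "/JS",   # script the reader will execute
    "/OpenAction", "/AA",   # actions fired automatically (on open, on page, on form events)
    "/Launch",              # run an external program
    "/EmbeddedFile",        # a file, e.g. a dropped EXE, carried inside the PDF
    "/XFA",                 # XFA forms; public CVE-2010-0188 exploits fed the TIFF through XFA
    "/RichMedia",           # embedded Flash
]

_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def unescape_names(data):
    """PDF permits /J#61vaScript for /JavaScript; normalise so the trick hides nothing."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def stream_bodies(data):
    """Yield every stream payload, inflated when it is zlib (FlateDecode) data, raw otherwise."""
    for m in _STREAM.finditer(data):
        body = m.group(1)
        try:
            yield zlib.decompress(body)
        except zlib.error:
            yield body


def triage_pdf(data):
    """Return {name: count} for each risky name found in the object text or in any stream."""
    views = [unescape_names(_STREAM.sub(b"", data))]          # everything outside streams
    views += [unescape_names(body) for body in stream_bodies(data)]
    hits = {}
    for name in RISKY_NAMES:
        # lookahead so that /JS does not also match a longer name such as /JSX
        pattern = re.compile(re.escape(name.encode()) + rb"(?![A-Za-z])")
        count = sum(len(pattern.findall(view)) for view in views)
        if count:
            hits[name] = count
    return hits


def build_sample():
    """A constructed, inert PDF (assumption: not a real malicious sample). The catalog's
    /OpenAction runs JavaScript with the name hex-escaped, and a FlateDecode stream hides
    an /EmbeddedFile and a /Launch action that a plain grep over the file would not see."""
    hidden = zlib.compress(
        b"<< /Type /Filespec /EF << /F 6 0 R >> >> "
        b"<< /Type /EmbeddedFile >> "
        b"<< /S /Launch /F (cmd.exe) >>")
    parts = [
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n",
        b"3 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj\n",
        b"4 0 obj << /Length " + str(len(hidden)).encode() + b" /Filter /FlateDecode >>\n",
        b"stream\n", hidden, b"\nendstream\nendobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ]
    return b"".join(parts)


if __name__ == "__main__":
    for name, count in triage_pdf(build_sample()).items():
        print(f"{name:<14} {count}")
```

Run it against `open(path, "rb").read()` for any attachment you are unsure about; a PDF that claims to be a phone bill has no business carrying `/Launch`, `/EmbeddedFile` or an `/OpenAction` that runs JavaScript. The check is a first pass only: it does not parse object streams, other filters or encrypted documents, so an empty result is not a clean bill of health.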

Sophos reminds everyone that opening documents attached to unsolicited emails is like the online equivalent of Russian roulette – the odds are stacked heavily against you.

Adobe, The New King Of Security Holes

Information Week reports that Microsoft (MSFT) has spent more than a decade improving its secure software development and its response to security exploits. As a result, Microsoft is losing its lead in security vulnerabilities and being replaced by Adobe (ADBE).

With Microsoft’s improved response to security holes, the pickings in Windows itself are getting slimmer. Attackers don’t have brand loyalty, so they’ve moved on to another company with a large PC installed base: Adobe. Security holes are being exploited in Adobe Reader and Illustrator. Adobe makes this problem worse by bundling unwanted applications and its AIR platform with free products like Adobe Reader. Adobe is looking to create an attractive installed base for its developers, but it is also creating an attractive attack surface for the bad guys.

Protecting yourself from Adobe’s security holes can be difficult. There are non-Adobe alternatives such as Foxit Reader, which is much faster and lighter than Adobe Reader but has had problems with PDF documents containing editable fields. InfoWeek provided some specific tips that may help avoid security problems.

  • Uninstall any Adobe Reader version earlier than 9,  and install version 9.
  • With ver. 9, go to the Edit/Preferences menu. Make sure that Security (Enhanced) is turned on (Adobe shipped it turned off).
  • Launch the Updater, make sure it is checking for updates, and install updates ASAP.
  • Go to Trust Manager and uncheck the option for “Allow opening of non-PDF file attachments.”
  • Finally, unless you know you need JavaScript in your Acrobat documents, disable JavaScript.
  • RB- Don’t go to ver. 10, I hate it.
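Clicking through Preferences on one PC is fine; checking a fleet is not. The audit script below is an added example for this page (not InfoWeek’s or Adobe’s code) that reads the Reader 9.x preferences behind the tips above from the Windows registry and reports which machines have JavaScript still enabled, Enhanced Security off, or non-PDF attachments allowed. The registry paths and value names are taken, to the best of the editor’s knowledge, from Adobe’s Acrobat/Reader preference reference for the 9.x line; treat them as an assumption to confirm against the version you deploy (Reader X lives under `...\Acrobat Reader\10.0`). Whether Enhanced Security is on out of the box also depends on the 9.x point release, which is exactly why an explicit audit beats trusting the default. A fake registry is included so the logic can be dry-run on any platform.

```python
"""Audit the Adobe Reader 9.x hardening settings from the tips above by reading the
Windows registry, with a fake registry for dry runs on any platform."""

# Registry paths and value names per Adobe's preference reference for Reader 9.x
# (assumption: confirm against the installed version; Reader X uses ...\Acrobat Reader\10.0).
READER_KEY = r"Software\Adobe\Acrobat Reader\9.0"
LOCKDOWN_KEY = r"SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\FeatureLockDown"

# (hive, subkey, value name, required DWORD, what the setting enforces)
CHECKS = [
    ("HKCU", READER_KEY + r"\TrustManager", "bEnhancedSecurityStandalone", 1,
     "Enhanced Security on (standalone Reader)"),
    ("HKCU", READER_KEY + r"\TrustManager", "bEnhancedSecurityInBrowser", 1,
     "Enhanced Security on (browser plug-in)"),
    ("HKCU", READER_KEY + r"\Originals", "bAllowOpenFile", 0,
     "opening of non-PDF attachments blocked"),
    ("HKCU", READER_KEY + r"\JSPrefs", "bEnableJS", 0,
     "Acrobat JavaScript disabled"),
    ("HKLM", LOCKDOWN_KEY, "bDisableJavaScript", 1,
     "JavaScript locked off by policy so users cannot re-enable it"),
]


def windows_reader(hive, subkey, value):
    """Read one value from the live registry; None when the key or value does not exist."""
    import winreg  # only importable on Windows
    root = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}[hive]
    try:
        with winreg.OpenKey(root, subkey) as key:
            data, _kind = winreg.QueryValueEx(key, value)
            return data
    except OSError:
        return None


def fake_reader(store):
    """A registry stand-in for dry runs: store maps (hive, subkey, value) -> DWORD."""
    return lambda hive, subkey, value: store.get((hive, subkey, value))


def hardened_store():
    """The state every CHECKS entry asks for, usable as a reference or as dry-run input."""
    return {(hive, subkey, value): wanted for hive, subkey, value, wanted, _ in CHECKS}


def audit(read=windows_reader):
    """Return [(description, status)] with status 'ok', 'weak' (set to the unsafe value)
    or 'unset' (the shipped default applies; for bEnableJS that means JavaScript is ON)."""
    results = []
    for hive, subkey, value, wanted, description in CHECKS:
        actual = read(hive, subkey, value)
        if actual is None:
            status = "unset"
        elif actual == wanted:
            status = "ok"
        else:
            status = "weak"
        results.append((description, status))
    return results


def weak_settings(read=windows_reader):
    """Descriptions of every check that is not explicitly in the hardened state."""
    return [description for description, status in audit(read) if status != "ok"]


if __name__ == "__main__":
    for description, status in audit():
        print(f"{status:<5} {description}")
```

Run it under the user account whose Reader you care about, since four of the five values live under HKCU; the HKLM FeatureLockDown value is the one an administrator sets so that the user cannot quietly turn JavaScript back on.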
Related articles
  • Iranian Nuclear Program Used as Lure in Flash-based Targeted Attacks (pcworld.com)

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Social Networks Are Risky

According to the Czech security firm TrustPort, social networking’s popularity and ease of use can make users forget its risks, which include the loss of private personal data and malware infection. Even though social networking is new, a recent IBM (IBM) X-Force report says the threats are not: traditional threats like phishing, malware, 419 fraud schemes, identity theft, data harvesting, and botnets now use social networks as attack vectors.

Many social networking users fall victim to attackers offering new apps or features in exchange for joining a group. Net Security.org cites the Facebook Stalker Catcher as an example of such a scam. Even though this malicious app appeared in 2009, Facebook users still fall victim to it. To start a Stalker Catcher attack, Net Security.org says, users are lured to the group on the pretext that they will see exactly who is visiting their personal profile and when. The alleged instructions for activating the feature result in nothing more and nothing less than sending group invitations to all of the victim’s contacts.

Sunbelt Software reports that the latest scam targeting Facebook users specifically targets kids. The scam promises a free proxy service to those who want to bypass parental controls and the blocks set up by schools, and tempts victims to try the service at hxxp://myfatherisonline.com to reach Facebook from school. Of course, when the victims visit the website they can’t find the advertised service. The researchers instead found a plethora of scam attempts: an affiliate site containing malware, surveys, quizzes, and offers of free iPhones that try to get the victims to subscribe to a premium-rate service or sign up for spam.

The number of users who voluntarily join fraudulent groups and send invitations to all their contacts is strikingly high.  In the Net Security.org article, IBM says the informal feel of social networks is the real risk.

“We’re all friends here,” you’re thinking to yourself, and your mind chooses to ignore the things that would usually set off alarm bells in your head. Who knows – maybe it’s our inherent sense of safety that we get when surrounded by a lot of people? Safety in numbers, so to speak. In any case, most of us are just less careful.


These same users then access Facebook at work, exposing their employers to more risk. The anti-malware firm Sophos recently found in a report (PDF) that companies’ complaints of spam and malware originating from social networks were up 70 percent from a year earlier, and concludes that “Because of this, social networks have become one of the most significant vectors for data loss and identity theft.”

Due to this carelessness, the criminals behind the scams quickly gain large databases of contacts.  These databases are later sold to other cybercriminals and used for sending spam or for further phishing scams.  Some fraudulent groups explicitly invite users to install a particular application, which is even more dangerous.  According to the article, the risk of malware infection should never be underestimated.

rb-

So the important message here is:

  1. Keep your computer up to date
  2. Use regularly updated antivirus and antispyware software
  3. Verify what you are doing before you do it
  4. If it is too good to be true, it probably is

Facebook is Biggest Social Networking Risk

Data from anti-malware vendor Sophos’ 2010 Security Threat Report (PDF) says Facebook is the leader in privacy risks, spam, and other malicious activity. Sixty percent of the respondents to a Sophos survey identified Facebook as the biggest security risk in social networking, followed by MySpace (18%), Twitter (17%), and LinkedIn (4%).

It is not surprising that users regard Facebook as the top risk. Facebook’s more than 500 million users offer criminals a cornucopia of personal data to exploit. “Computer users are spending more time on social networks, sharing sensitive and valuable personal information, and hackers have sniffed out where the money is to be made,” said Graham Cluley, senior technology consultant for Sophos.

Criminals have focused their efforts on social media

Sophos’ research shows that criminals have focused their efforts on social networking users in the last 12 months, creating an “explosion” in social networking spam and malware complaints. Sophos found that 57% of social network users had been spammed on one of the sites, an increase of 70 percent compared with the previous year. They also found that 36% of social network users reported being sent malware, also a 70% increase over the previous year. “The dramatic rise in attacks in the last year tells us that social networks and their millions of users have to do more to protect themselves from organized cybercrime, or risk falling prey to identity theft schemes, scams, and malware attacks,” Sophos’ Cluley added.

Three things working against Facebook users

There are three things working against Facebook users: themselves, malware, and Facebook itself. Facebook users typically give away more private information to Facebook than to other sites. Through most people’s profiles it is possible to find out their first, last, and maiden names, where they live, where they went to school, and, even worse, historical information like where they lived in the past. Much of this private information is exactly what online credit checks ask for, a boon for criminals looking to exploit a user’s credit history or steal their identity.

The most common malware used on social networks is Koobface. Koobface can target all the popular social portals, including Facebook, MySpace, Bebo, Friendster, Tagged, and Twitter. According to the report, Koobface is capable of “… registering a Facebook account, activating the account by confirming an email sent to a Gmail address, befriending random strangers on the site, joining random Facebook groups, and posting messages on the walls of Facebook friends. Furthermore, it includes code to avoid drawing attention to itself by restricting how many new Facebook friends it makes each day.”

Another threat is Facebook applications. Criminals can create malicious Facebook applications designed to steal information, and they can find holes in existing applications and exploit them. Legitimate Facebook apps will give away your information if you allow them to (as I have written about here and here). Once an app has permission, it can harvest all the information in a Facebook profile and send it to criminals. Before granting an application access to all of their information, users should Google the publisher to see whether it is legitimate. Any application that starts doing anything strange or suspicious should be removed immediately.

Facebook has tried to address these risks with a new privacy policy. However, Sophos’ Cluley called it a step backward, because the new settings are “encouraging many users to share their information with everybody on the internet.” According to Facebook, only 35% of its users have actually customized their settings, leaving 65% who presumably didn’t and who continue to share valuable data, which is then used to propagate spam and malware.

Malware to exceed 1 Million in ’08

The total number of viruses will reach one million by year’s end, according to Sophos chief technology officer Paul Ducklin in a PC World article. Most striking to me is Ducklin’s claim that 25 percent of all unique malware was created in the last six months of its 20-year history. That translates into 250,000 attack vectors in six months, or nearly 60 unique malware samples (as Sophos counts them) an hour.

Ducklin offers some hope: “About 85 to 90 percent of malware families have a fix created for them almost immediately.” Even so, at 85 to 90 percent of 60 that is still more than 50 new samples an hour that have to be identified, have detection code written, and have updates distributed.

In the same PC World article, F-Secure Asia-Pacific vice president Jari Heinonen said F-Secure logs about 25,000 malware samples each day, the highest on record.

“The total number of viruses and Trojans will pass the one million mark by the end of 2008 if this trend continues,” Heinonen said.

Both Sophos’ Ducklin and F-Secure’s Heinonen say that drive-by downloads of malware, delivered through malicious iframes, are growing. F-Secure’s Heinonen: “Drive-by downloads are the preferred way of spreading malware [because] they happen automatically by visiting a Website unless users have a fully patched operating system, browser, and plug-ins.”
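The iframe Heinonen refers to is usually invisible: a compromised page gets a frame injected that is zero-sized, set to `display:none` or pushed thousands of pixels off-screen, and it silently loads the exploit page from another host. The script below is an added example for this page, not Sophos or F-Secure code, that performs that static check over saved HTML using only the standard library. The sample page and its `.example` hosts are constructed for the example. It is a first-pass filter only: frames written by obfuscated JavaScript at runtime are invisible to a static parser and need a real browser or emulator to surface.

```python
"""Static check for the hidden iframes that drive-by download pages use: an iframe that is
zero-sized, display:none, visibility:hidden or pushed off-screen has no legitimate reason
to exist except to load a second page without the visitor noticing."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> (tag and attribute names arrive lower-cased)."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({name: (value or "") for name, value in attrs})


def _first_int(text):
    m = re.search(r"-?\d+", text or "")
    return int(m.group()) if m else None


def hidden_reasons(attrs):
    """Why this iframe counts as hidden; an empty list means it is visibly rendered."""
    reasons = []
    style = attrs.get("style", "").lower().replace(" ", "")
    for dim in ("width", "height"):
        size = _first_int(attrs.get(dim))
        # inline style overrides the attribute; lookbehind keeps min-width/line-height out
        m = re.search(r"(?<![a-z-])" + dim + r":(-?\d+)", style)
        if m:
            size = int(m.group(1))
        if size is not None and size <= 1:
            reasons.append(f"{dim}={size}")
    if "display:none" in style:
        reasons.append("display:none")
    if "visibility:hidden" in style:
        reasons.append("visibility:hidden")
    for edge in ("left", "top"):
        m = re.search(r"(?<![a-z-])" + edge + r":(-\d+)", style)
        if m:
            reasons.append(f"{edge}={m.group(1)} (off-screen)")
    return reasons


def find_drive_by_iframes(html, page_host):
    """Return [(src, reasons)] for every hidden iframe; a third-party src is noted as well,
    because a frame injected into a compromised site almost always points somewhere else."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for frame in collector.iframes:
        reasons = hidden_reasons(frame)
        if not reasons:
            continue
        src = frame.get("src", "")
        host = urlparse(src).hostname
        if host and host != page_host:
            reasons.append(f"third-party host {host}")
        findings.append((src, reasons))
    return findings


# Constructed page (assumption: the .example hosts are illustrative, not real sites):
# one legitimate visible embed and three injected, hidden frames of the kinds seen in the wild.
SAMPLE_HTML = """
<html><body>
<p>Welcome to our site</p>
<iframe src="https://video.example/embed/42" width="560" height="315"></iframe>
<iframe src="http://bad.example/in.php" width="0" height="0" frameborder="0"></iframe>
<div><iframe src="http://bad.example/x.html" style="position:absolute; left:-5000px; top:0"></iframe></div>
<IFRAME SRC="http://evil.example/x" STYLE="display:none"></IFRAME>
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in find_drive_by_iframes(SAMPLE_HTML, "www.site.example"):
        print(src, "->", ", ".join(reasons))
```

Point it at the HTML your web server actually serves (fetched with the site’s own hostname as `page_host`), not at the files on disk: injected frames are often added by a compromised template or a module that rewrites pages on the way out, so the served copy is the one that matters.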

Heinonen also predicts that malware will increasingly target the kernel through rootkits such as Mebroot, which infects the master boot record. A resurgent Mebroot was detected last month, reviving a boot-sector infection technique first seen in DOS-based malware some 15 years earlier.