NEWS FROM THE LAB - June 2010

Wednesday, June 30, 2010

 
Security Updates for Adobe Reader and Acrobat Posted by Sarah @ 03:51 GMT

Earlier this month, Adobe disclosed a critical vulnerability affecting three products: Flash Player, Reader and Acrobat. Flash Player was fixed rather quickly (see Adobe Flash Player 10.1.53.64 Security Update), but Reader and Acrobat did not receive the same love: their updates were only promised for a later date, June 29, 2010.

As promised, the security updates for Adobe Reader and Acrobat have finally arrived. Download the latest version of the applicable product here.

 
 

 
 
Tuesday, June 29, 2010

 
F-Secure PC Booster Beta Posted by Mikko @ 11:18 GMT

We have a beta of a new product available for download on our beta pages.

F-Secure PC Booster

F-Secure PC Booster optimizes the performance of your Windows computer and cleans up old junk.

Try it out! We'd love to hear your feedback on the new product.

 
 

 
 
Monday, June 28, 2010

 
The Case of TDL3 Posted by Mikko @ 10:05 GMT

Ace from our Kuala Lumpur lab has written a technical white paper on the internals of the highly advanced TDL3 trojan. The paper goes deep into the features of this advanced backdoor/rootkit.

tdl3 or TDSS

You can download "The Case of Trojan DownLoader TDL3" from here [2MB PDF file].

In some ways, TDL3 is similar to the infamous Mebroot rootkit. For a thorough discussion on Mebroot, see our presentation from 2008.

 
 

 
 
Thursday, June 24, 2010

 
Targeted Attacks with Excel Files Posted by Mikko @ 10:56 GMT

We've previously shown screenshots of document files used in targeted espionage attacks. Most often, those have been PDF files, as they are the most commonly used file type in such attacks.

But here's a fresh set of attacks done with XLS files instead.

This is some sort of personnel list. Like the other examples here, it drops and runs a backdoor when viewed.

targeted attack XLS file

An apparent agenda. Looks fairly normal and innocent:

targeted attack XLS file

This one seems to contain some sort of a list of organizations:

targeted attack XLS file

A budget file.

targeted attack XLS file

How timely! FIFA World Cup 2010 match schedule.

targeted attack XLS file

The exploit in these files targets CVE-2009-3129, an Excel memory corruption vulnerability that Microsoft patched in MS09-067 in November 2009; a fully patched Office installation is not affected by these files.

As you can see, such attack files can look like perfectly normal and credible document files.

The MD5 hashes of the files are:

  •  362d2011c222ae17f801e3c79e099ca7
  •  97a3d097c686b5348084f5b4df8396ce
  •  d076187337b7a5c74401770e2e7af870
  •  8f51b0e60d4d4764c480af5ec3a9ca19
  •  0c1733b4add4e053ea58d6fb547c8759

 
 

 
 
Monday, June 21, 2010

 
"Hacked By Turkish Hackers"? Posted by Mikko @ 19:58 GMT

For the past 12 hours, over 1000 Twitter accounts have been compromised by a method that is still unknown.

The symptoms are always the same; the account is used to broadcast the phrase "Hacked By Turkish Hackers".

Hacked By Turkish Hackers

Here's a sample search via search.twitter.com.

Although the exploit mechanism is unclear, most of the compromised accounts seem to belong to Israeli Twitter users.

Hacked By Turkish Hackers

Perhaps there's a Twitter phishing run in Hebrew underway?

 
It's signed, therefore it's clean, right? Posted by Mikko @ 11:08 GMT

Jarno Niemelä from our lab did a study on malicious Windows binaries that have been signed (with Microsoft Authenticode).

Turns out, we have copies of tens of thousands of malware samples that have been signed.

Malware authors are attempting to use code signing techniques to their advantage.

signed

Details of this surprising find are presented in Jarno's presentation file, which can be downloaded from here (PDF). It was first presented in the CARO 2010 Technical Workshop in May 2010.

 
 

 
 
Friday, June 18, 2010

 
XSS Posted by Mikko @ 07:17 GMT

When a company is hit with a cross-site scripting (XSS) attack, the natural reaction is to downplay the significance of the incident.

After all, an XSS vulnerability on a site does not mean that the site could be hacked or shut down. A typical XSS demonstration showing a funny dialog box on somebody else's site just emphasizes how harmless such an attack looks.

However, XSS is not harmless. We were just hit by one last night. And we do not want to downplay it.

The vulnerability on f-secure.com was found by security researcher Xylitol. He reported it yesterday evening. Xylitol is well-known for finding XSS vulnerabilities on sites such as army.mil, ibm.com and nasa.gov.

The problem was on a download page for our Mobile Anti-Theft product (anti-theft-download-wizard.html). With some clever tinkering, it was possible to create a web link that would point to our site, but when clicked, it would execute JavaScript controlled by the attacker.

xss
Above: result of accessing www.f-secure.com/en_EMEA/products/mobile/anti-theft-download/anti-theft-download-wizard.html?hidManufacturer=%27%22%3E%3C/title%3E%3Cscript%3Ealert%28/Mikko%20rulz/%29%3C/script%3E before the page was fixed. Screenshot from xssed.net.

We almost got it right. In fact, the script on our page does successfully filter out control characters and other dangerous content. Unfortunately, almost doesn't count. We do the filtering right once, and wrong once.

Apparently we added a feature to the page as an afterthought, and that feature did not go through code review or testing.

xss

The problem has been fixed now. It was limited to our static Mobile Anti-Theft pages, and did not give access to any of our systems. This problem has not been used to do any harmful activities.

In any case, we were burned.

So, what could have been done with this vulnerability? Well, for example, somebody could have sent out a spam campaign, claiming to be from F-Secure, pointing to a link apparently at www.f-secure.com. And when that link would have been clicked, it would have downloaded malware (from some other site) to the user's computer. XSS vulnerabilities can be used to create serious problems. Luckily, in this case nothing bad happened.

Here's the time line of the incident:

  •  Xylitol published an article on the problem in the early evening of 17th June
  •  We noticed the article at 20.51 EEST 17th June
  •  We started fixing the problem at 02.15 EEST 18th June
  •  We shut down the Mobile Anti-Theft page temporarily to fix and isolate the problem at 02.45 EEST 18th June
  •  The page was republished at 06.05 EEST 18th June
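The bug pattern above, a parameter encoded at one output point and echoed raw at a second one added later, is easy to reproduce. The following is an added example, not the code that ran on f-secure.com: the template, the hidden form field and the assumption that the afterthought feature was the page title are all constructed for illustration. Only the URL and its payload come from the report.

```python
import html
from urllib.parse import parse_qs, urlsplit

# The reported URL; parse_qs percent-decodes the parameter exactly as the server saw it.
REPORTED_URL = (
    "https://www.f-secure.com/en_EMEA/products/mobile/anti-theft-download/"
    "anti-theft-download-wizard.html?hidManufacturer="
    "%27%22%3E%3C/title%3E%3Cscript%3Ealert%28/Mikko%20rulz/%29%3C/script%3E"
)


def manufacturer_from_url(url: str) -> str:
    """Extract the hidManufacturer query parameter as the server would see it."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("hidManufacturer", [""])[0]


def render_vulnerable(manufacturer: str) -> str:
    """Constructed illustration of 'filtered right once, wrong once'.

    The hidden form field was the original sink and is HTML-encoded. The page
    title (assumed here to be the feature added as an afterthought) echoes the
    raw value, so a quote-plus-</title> sequence closes the title and opens a
    script tag.
    """
    encoded = html.escape(manufacturer, quote=True)
    return (
        "<html><head>"
        f"<title>Anti-Theft download for {manufacturer}</title>"  # raw: injectable
        "</head><body>"
        f'<input type="hidden" name="hidManufacturer" value="{encoded}">'  # encoded: safe
        "</body></html>"
    )


def render_fixed(manufacturer: str) -> str:
    """Every sink gets the same context-appropriate encoding, not just the first one."""
    encoded = html.escape(manufacturer, quote=True)
    return (
        "<html><head>"
        f"<title>Anti-Theft download for {encoded}</title>"
        "</head><body>"
        f'<input type="hidden" name="hidManufacturer" value="{encoded}">'
        "</body></html>"
    )


def leaks_markup(render, user_input: str) -> bool:
    """Regression check: rendering attacker input must not add tags that a benign
    render lacks. Counting '<' catches any unencoded sink without knowing where it is."""
    baseline = render("Nokia").lower().count("<")
    return render(user_input).lower().count("<") > baseline


if __name__ == "__main__":
    payload = manufacturer_from_url(REPORTED_URL)
    print("payload as decoded by the server:", payload)
    print("vulnerable render leaks markup:", leaks_markup(render_vulnerable, payload))
    print("fixed render leaks markup:     ", leaks_markup(render_fixed, payload))
```

html.escape(quote=True) is the right encoder for HTML text and quoted-attribute contexts; a value placed inside a script block or a URL needs a different encoder. The more durable fix is to have the template engine encode every variable by default, so that a sink added later without review is safe by construction rather than by remembering to filter it.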

 
 

 
 
Thursday, June 17, 2010

 
All Your Farm Are Belong To Us Posted by Sean @ 16:02 GMT

Zynga's FarmVille is a popular social networking game and perhaps it should come as little surprise that many players want to learn FarmVille secrets and cheats. And so they turn to search engines to find them.

Currently, "farmville cheats" is a highly ranked suggestion:

FarmVille suggestions

Sad but true.

Anyway, we searched for farmville cheats and readily discovered farmville-secrets.spruz.com:

FarmVille secrets cheats

Spruz.com has removed the page for violating their terms of use policy, so it's no longer hosted, but beware of Google's cache.

Here's what the site looked like:

Click Here

The "Click Here" button opens a download dialog for a file called FarmVille_autobot.exe.

An autobot sounds like a convenient way to cheat, right? Only in this case the cheater will get more than they asked for because the file includes a variant of TDSS, an advanced backdoor rootkit. Best kept secrets indeed!

The MD5 of the file we analyzed (thanks JoJo) is 9c7812efa218ab3750e570a93015e884 and is detected as Trojan:W32/TDSS.FZ.

 
 

 
 
Wednesday, June 16, 2010

 
Have you ever configured your Adobe Flash Player? Posted by Sean @ 12:03 GMT

Adobe released a critical Flash update on June 10th. If you haven't seen it yet, this is the update notification:

Adobe Flash Player, Update 10.1

Do you know what Flash version you have installed? No? Then use Adobe's version test page.

Once you have the current version, you may also wish to adjust your configuration. Flash's settings are rather curious as the controls themselves aren't located on the computer but are instead accessed through a Flash object hosted by Adobe.

Adobe: "The Settings Manager is a special control panel that runs on your local computer but is displayed within and accessed from the Adobe website. Adobe does not have access to the settings that you see in the Settings Manager or to personal information on your computer."

Right-clicking a Flash object and selecting "Global Settings" opens a page to Adobe's Flash Player Settings Manager.

Flash Global Settings

On the Setting Manager page you'll find links to the Notifications panel.

Flash Global Settings - Notifications

As well as the Website Privacy panel:

Flash Global Settings - Website Privacy

It's interesting to note that Flash keeps its own per-site storage, and the list of sites that have used it, separately from your browser's cookies and history.

Updated to add: A reader noticed that Adobe's Flash support page, linked above, does not correctly list the current versions. Use Adobe's About Flash Player page instead. Thank you, Paul!

 
 

 
 
Tuesday, June 15, 2010

 
F-Secure Internet Security 2011 Beta is Available Posted by Response @ 10:48 GMT

Our Internet Security 2011 Beta is now available for download.

Internet Security 2011 Beta

Beta testers receive a six-month subscription and the opportunity to influence the final release.

The biggest new feature from the lab's point of view is our "DeepGuard 3" technology which utilizes cloud based reputation systems, prevalence, source, age, et cetera.

The end result is that if we don't know or trust it — it'll be blocked before it can do harm.

Here's an example screenshot that shows a "rare" file being blocked from an "unrated" site. This is a familiar malware/scareware scenario: short-lived, unrated sites serving freshly built, rarely seen installer files.

Internet Security 2011 Beta

We welcome you to give it a try. The download page includes links to the release notes and feedback forms. Cheers.

 
 

 
 
Monday, June 14, 2010

 
We're Giving Away 15 Phones Posted by Sean @ 15:44 GMT

The folks in PR have come up with a competition to promote our Anti-Theft for Mobile software.

We're giving away 15 phones — 12 Nokia 5230 and 3 Nokia X6 — starting on June 15th.

Phonehunt

You'll find the details here: https://www.f-secure.com/phonehunt

Happy hunting!

 
Facebook Spam App Du Jour Posted by Sean @ 10:10 GMT

There's yet another Facebook spam application on the run.

It uses this string of text to lure folks: "I am shocked!!! The teacher nearly killed this boy: http://bit.ly/aWeBMl - Worldwide scandal!"

If you click on the link, you're directed to this application:

Teacher nearly kills a boy

How many have clicked on the link so far?

bit.ly/aWeBMI

Almost 140 thousand.

Hopefully not as many people allowed the application to access their profiles:

Allow?

Updated to add: Now it's more than 140 thousand clicks, and the application's page indicates almost 59 thousand active users. That means more than 40% of the users exposed to this lure are falling for it!

 
 

 
 
Friday, June 11, 2010

 
Wr0ld Cup 2010 Posted by Sean @ 14:05 GMT

The 2010 FIFA World Cup starts today in South Africa.

www.fifa.com

Four years ago, in 2006, we were on the lookout for football themed malware. Here's one example of a football themed e-mail worm.

Today, in 2010, we're more likely to see Search Engine Optimization (SEO) attacks as folks search for news and information on the matches and players. So avoid too many web searches if you can.

Here's the official website for the Fédération Internationale de Football Association (FIFA). This is the safest place to start looking for information and official partners.

We did a poll four years ago, so let's do another:

What football team are you rooting for in the 2010 FIFA World Cup?

 
Thursday, June 10, 2010

 
Kuala Lumpur Police Bust SMS Scam Ring Posted by Sean @ 14:45 GMT

An SMS scam syndicate has been busted with the arrest of 26 people according to Malaysia's The Star Online.

Our Malaysian lab did some investigation on this topic back in 2007 and managed to record a conversation with one of the phishers.

SMS Phishing

You'll find the original post and links to the audio here: SMS phishing on the rise in SE Asia?

 
 

 
 
Wednesday, June 9, 2010

 
2010 FIFA World Cup is Approaching Posted by Sean @ 15:53 GMT

June 11th kicks off the 2010 FIFA World Cup, and not surprisingly, we're seeing a rise in related spam.

It's still just a small percentage of spam overall (under 2%), but comparing the first three days of each month from January to June, we see a doubling in volume and 74 times the number of hits on related keywords.

FIFA 2010 related spam

As the tournament continues from June to July 11th, we expect to see more related threats.

A good example? SEO poisoning.

Currently, "World Cup printable bracket" is a dangerous search term.

Updated to add: Here's an additional FIFA post from our friends over at Commtouch Café.

 
 

 
 
Tuesday, June 8, 2010

 
Exploit.PDF-Dropper.Gen Posted by Sean @ 09:02 GMT

The lab is currently seeing a spam run pushing a PDF exploit.

The emails look like this:


   From: random addresses
   To: random recipients
   Subject: New Resume
 
   Please review my CV, Thank You!
 
   Attachment: resume.pdf


This PDF attachment does not exploit the critical Flash vulnerability we wrote about yesterday. Instead, it abuses the PDF /Launch action, a documented feature that asks the reader to start an external program.

The timing of this spam run seems a bit odd as it isn't using the current vulnerability, but perhaps the gang that uses this particular tactic knows that there's about to be a big push to update Adobe Reader. Current versions of Reader let you restrict this behaviour through the Trust Manager preferences, so this gang's window of opportunity will be narrowing soon.

We already detected this threat as Exploit.PDF-Dropper.Gen with our Internet Security 2010.

The PDF's MD5 is cff871a36828866de1f42574be016bb8. If allowed to run, the exploit will drop an alureon/dnschanger trojan.

Our telemetry indicates that several thousand customers have already been exposed to the exploit. We have no hits on the payload so we know that our generic detection is blocking the threat.

Hydra detection for the attachment/payload was published with database version 2010-06-08_03.

Updated to add: Here's a screenshot of the PDF attachment. The PDF is based on a resume/CV pulled from the Internet, and the /launch prompt is rather noisy.

Pidief.CPY
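A /Launch action is plain text inside the PDF, so triage does not need Reader or a full parser. The script below is an added example written for this post, not tooling from the lab; the two PDFs it scans are constructed inline (the real resume.pdf is not reproduced here), and the cmd.exe target and arguments are assumptions. It folds the #xx hex escapes that PDF allows in names (/L#61unch is the same name as /Launch, a common trick against naive string matching) before looking for the action and its target.

```python
import re

# Name tokens stop at whitespace and delimiters; #xx inside a name is a hex escape.
NAME_TOKEN = re.compile(rb"/[^\s/<>\[\]()%]*")
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
LAUNCH_ACTION = re.compile(rb"/S\s*/Launch(?![A-Za-z])")
FILE_OPERAND = re.compile(rb"/F\s*\(([^)]*)\)")     # /F (program) or /Win << /F (program) ... >>
PARAM_OPERAND = re.compile(rb"/P\s*\(([^)]*)\)")    # command-line parameters, Windows only


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes inside name tokens so /L#61unch matches as /Launch.

    This is a triage heuristic over raw bytes, not a PDF parser: it does not
    inflate compressed object streams and may also touch '/x' sequences inside
    literal strings, which is harmless for detection purposes.
    """
    def decode(match):
        return HEX_ESCAPE.sub(lambda h: bytes([int(h.group(1), 16)]), match.group(0))
    return NAME_TOKEN.sub(decode, data)


def find_launch_actions(pdf: bytes) -> list:
    """Return one record per /Launch action: offset, target program, parameters."""
    data = normalize_names(pdf)
    findings = []
    for match in LAUNCH_ACTION.finditer(data):
        window = data[match.start(): match.start() + 512]  # rest of the action dictionary
        target = FILE_OPERAND.search(window)
        params = PARAM_OPERAND.search(window)
        findings.append({
            "offset": match.start(),
            "file": target.group(1).decode("latin-1") if target else None,
            "params": params.group(1).decode("latin-1") if params else None,
        })
    return findings


def triage(pdf: bytes) -> dict:
    """Summarize why a PDF should be quarantined before anyone opens it."""
    data = normalize_names(pdf)
    launches = find_launch_actions(pdf)
    return {
        "launch_actions": launches,
        "fires_on_open": b"/OpenAction" in data,  # wired to document open, no click needed
        "suspicious": bool(launches),
    }


# Constructed sample: a catalog whose OpenAction is an obfuscated /Launch of cmd.exe.
MALICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Action /S /L#61unch"
    b" /Win << /F (cmd.exe) /P (/c start dropper.exe) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# Constructed sample: the same skeleton with no actions at all.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, sample in (("resume-style sample", MALICIOUS_PDF), ("benign sample", BENIGN_PDF)):
        print(label, triage(sample))
```

A hit on /Launch is not by itself proof of malice, since the action is legitimate PDF, but a mailed document that launches cmd.exe from an /OpenAction has no business reaching a mailbox; the combination of a launch target and fires_on_open is the condition worth blocking on at the gateway.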

 
 

 
 
Monday, June 7, 2010

 
Block Flash Posted by Sean @ 13:03 GMT

There are going to be numerous updates published tomorrow by Microsoft.

But you'll more likely want to keep an eye on Adobe. Current versions of Flash are vulnerable.

Adobe Security Bulletin, June 4th

"A critical vulnerability exists in Adobe Flash Player 10.0.45.2 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh and UNIX operating systems."

The vulnerability is currently being exploited in the wild. You can determine your version of Flash here.

If you're using Adobe Reader, consider another application. You'll find suggestions in our comments here and here.

As for Flash… well, unless you're Steve Jobs, you probably need or want to have Flash installed, at least sometimes. Adobe Labs has prereleases available here. The 10.1 release candidate does not appear to be vulnerable.

If you don't regularly use Internet Explorer, why not go ahead and uninstall or disable the Flash ActiveX control? What's the point of having it if you don't use it?

If you're a Firefox user, you could consider installing a Flash blocking add-on such as Flashblock. It's very simple to configure, unlike NoScript, easy to use and does its job well.

Here's a short Flash video demo:



Yes, short Flash video, the irony is not lost on us.

Updated to add: Adobe's advisory now reports that Flash will be updated on June 10th and Acrobat and Reader on June 29th.

 
 

 
 
Friday, June 4, 2010

 
Windows 7 AutoPlay and Virtual CDs Posted by Sean @ 13:12 GMT

Some folks read Wednesday's post about autorun-worm infected Samsung Wave microSD cards and commented — thank goodness Windows 7 fixes that issue. Only optical media is allowed to AutoPlay on Windows 7, so USB devices can't spread autorun-worms.

Right?

Well, while Windows 7 does significantly improve the AutoPlay/AutoRun user experience, it isn't bulletproof. There's a small, not likely to be exploited, loophole.

Virtual CDs.

For example, Western Digital USB hard drives ship with Virtual CDs on board to install WD's SmartWare software.

You can see the CD device here along with the Passport:

Windows 7, Virtual CD

This is how a default Windows XP installation handles the Virtual CD's autorun.inf:

Welcome to WD SmartWare

It just launches the installer program, no questions asked.

Now this is how Windows 7 AutoPlay handles the Virtual CD's autorun.inf:

Windows 7 AutoPlay

The installer on the Virtual CD is offered as the default option, but it no longer launches on its own.

On the plus side, AutoPlay functionality can easily be turned off in Windows 7:

Windows 7 Control Panel, AutoPlay

Do note that this isn't a Windows 7 vulnerability.

From Microsoft's Security Research & Defense blog: "It is worth noting that some smart USB flash drives can pose as a CD/DVD drive instead of standard ones (see http://en.wikipedia.org/wiki/U3 for an example). In this specific scenario, the operating system will treat the USB drive as if it is a CD/DVD because the type of the device is determined at the hardware level."

This is just a curiosity to be aware of — not a flaw.

Bottom-line, don't let Windows 7's improved handling of AutoPlay give you a false sense of security. There are more and more USB drives shipping with Virtual CDs, and sooner or later, one of them will be infected during the manufacturing process.

 
 

 
 
Thursday, June 3, 2010

 
Mac OS X Spyware Posted by Sean @ 14:29 GMT

On Tuesday, Mac security firm Intego blogged about their discovery of Mac-based spyware, which they dubbed OSX/OpinionSpy.

To quote Intego: "OSX/OpinionSpy is installed by a number of applications and screen savers that are distributed on sites such as MacUpdate, VersionTracker and Softpedia."

Back in March we said that Macs are generally safer but that doesn't mean more secure: "Houses located in a safer neighborhood are not technically more secure from burglary. Most of today's Macs just happen to exist in a safer online environment and aren't being targeted by cyber-criminals. Criminal's return on investment is simply better in the PC world."

Looks as if another threat is checking out the neighborhood.

Our F-Secure Mac Protection Beta, available here, detects the spyware as Spyware:OSX/OpinionSpy.A and Spyware:OSX/OpinionSpy.B. You'll find the release notes here.

 
 

 
 
Wednesday, June 2, 2010

 
Samsung Wave Autorun.inf Posted by Sean @ 13:50 GMT

More and more mobile phones are shipping with Windows installation files on microSD cards rather than on CD-ROMs. All that's needed to sync your phone with your PC is to connect the phone, have it detected as a removable USB drive, and then run the installer. Many phone vendors also include an autorun.inf file to assist the process.

Unfortunately, autorun.inf files can be infected during the production process, and microSD cards aren't read-only.

Engadget is reporting that at least some German models of Samsung's Wave, a Bada-based "iPhone killer", are shipping with an infected autorun.inf and a file called slmvsrv.exe.

The file's MD5 is bb9818d76fe60e68608e2a1e7bc6666b and we detect it as Trojan.Generic.3932466. We have telemetry indicating this is in the wild (but quite limited).

This is yet another example of infected devices which will spread to your computer.
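Both this post and the Windows 7 AutoPlay post above come down to the same two questions: what does the autorun.inf on the device ask Windows to run, and will Windows act on it for that kind of drive? The script below is an added example, not lab tooling. The autorun.inf it parses is constructed (it borrows the slmvsrv.exe file name from the Engadget report; the other entries are made up), and the drive-type bit values are those of the NoDriveTypeAutoRun policy value, where a set bit disables AutoRun for that drive type.

```python
import configparser

# Bits of HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun,
# one per GetDriveType() result. A set bit disables AutoRun for that drive type.
DRIVE_TYPE_BITS = {
    "unknown": 0x01, "no_root_dir": 0x02, "removable": 0x04, "fixed": 0x08,
    "remote": 0x10, "cdrom": 0x20, "ramdisk": 0x40, "reserved": 0x80,
}
DEFAULT_MASK = 0x91   # Windows default: unknown, remote and reserved types disabled
DISABLE_ALL = 0xFF    # the "turn AutoPlay off for all media" setting

LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text: str) -> dict:
    """Return the [autorun] section as a lower-cased key -> value mapping."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, allow_no_value=True)
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":
            return dict(cp.items(section))
    return {}


def launch_targets(entries: dict) -> list:
    """Every program the file asks Windows to run: open=, shellexecute=, shell\\<verb>\\command=."""
    targets = [entries[k] for k in LAUNCH_KEYS if k in entries and entries[k]]
    targets += [v for k, v in entries.items()
                if k.startswith("shell\\") and k.endswith("\\command") and v]
    return targets


def would_autorun(entries: dict, drive_type: str, mask: int = DEFAULT_MASK,
                  honored_types: tuple = ("cdrom",)) -> bool:
    """Would Windows act on this autorun.inf for a drive of the given type?

    honored_types models which drive types still get autorun.inf processing at all:
    Windows 7, and XP/Vista with KB971029, only honour it for CD/DVD drives. That is
    exactly why a USB device that presents a Virtual CD still gets through, while the
    same file on the removable part of the device is ignored.
    """
    if not launch_targets(entries):
        return False
    if drive_type not in honored_types:
        return False
    return not (mask & DRIVE_TYPE_BITS[drive_type])


# Constructed autorun.inf in the style of an infected device image (not the real one).
SAMPLE_AUTORUN_INF = """\
[autorun]
open=slmvsrv.exe
shellexecute=slmvsrv.exe
shell\\open\\command=slmvsrv.exe
icon=setup.ico
label=Samsung Wave
"""

if __name__ == "__main__":
    entries = parse_autorun(SAMPLE_AUTORUN_INF)
    print("launch targets:", launch_targets(entries))
    for drive in ("removable", "cdrom"):
        print(f"Windows 7 default, {drive}:", would_autorun(entries, drive))
    print("Windows 7, cdrom, AutoPlay disabled:", would_autorun(entries, "cdrom", mask=DISABLE_ALL))
```

Setting NoDriveTypeAutoRun to 0xFF is the "turn it all off" answer from the Windows 7 post; the third print shows it closes the Virtual CD loophole as well, because the mask is applied regardless of which drive types autorun.inf is still honoured for.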

 
 

 
 
Tuesday, June 1, 2010

 
Facebook, Google and Privacy Posted by Sean @ 17:16 GMT

There's been a great deal of discussion (controversy?) recently regarding personal privacy and the pursuit of profit. Many pundits are concerned that businesses are putting personal data at risk for financial gains.

And so the question is being asked: Are Facebook and Google contributing to an erosion of personal privacy?

So let's take a look at that, shall we? If you want to find personal information about somebody, are you really dependent on Google? Or Facebook? Really? No… not really.

In fact, there's LOTS of personal information that's been available to academics and demographers for years.

For example, take the State of North Carolina, USA. The NC State Board of Elections website is a great place to start as it provides a form for checking *my* registration. And only two bits of data are required — first and last names.

Privacy?

Let's take a look at a public figure, Richard Burr. He's North Carolina's senior Senator.

Privacy?

Look what's available: his full name, voter registration number, registration date, address and race.

Let's see you get that info from Facebook. Not likely.

Now we know his home address is in Forsyth County, so let's visit the Forsyth County Tax Administration website and use their Geo-Data Explorer. It's super cool.

All you need is the street address, and presto: you get an aerial view with the property lines, the home value, property value, owners, et cetera.

Privacy?

Historical information is also available.

And check out this street view! Man, that beats Google's street view, hands down. No comparison at all. Google's an amateur.

Next, let's take a look at an online phone book, White Pages dot com.

Again, using very little information, just first name, last name, city and state, we get these results:

Privacy?

Richard Burr's work (local office) and home numbers.

And what else? Twitter? Really? Yep. Burr's campaign Twitter feed is indexed in the White Pages.

There's tons of information on this guy, and on non-public figures as well. Resources such as this can be found all over the Internet.

Companies such as LexisNexis specialize in the collection and sale of data access and they started long before Sergey M. Brin, Lawrence E. Page and Mark Zuckerberg were even born.

So how exactly are Google and Facebook eroding privacy? Because they do in the open what others do behind closed doors? Because they are trying to invent something new?

Guess that depends on what you consider privacy.

Governments have always known your personal details. Making some information public contributes to an open and healthy democracy. So many things aren't really private, are they? Someone, somewhere already knows plenty of things about you.

At least you get something in return, namely services, for using Google and Facebook. LexisNexis and others aren't going to give you a cent for your information.

And consider this, posting messages in online forums, commenting on blog posts and sharing links with your friends is kind of like having a private conversation in a public shopping mall. Sure, you can have a personal conversation at your local coffee shop, but do you really expect that conversation to be secure?

If somebody overhears your conversation, are you going to blame the shop owner for not protecting your personal information? No, of course not.

Facebook and Google are INTERNET services. Internet equals public space. Or at least, people should consider it to be so.

It's more accurate to say that information technologies are eroding the length of time that is required to access your data.

Yes, that does have an impact on our online and real-world lives. But should we panic about it?

Should we be pointing the finger at Facebook and Google, saying they're to blame because they are making business decisions? We don't think so; information technologies are going to continue to open up personal information regardless of whether or not Google and Facebook are trying to make a profit.

Do you want data and personal privacy protections? Then pass a law protecting personal privacy from being misused by employers. That's what people really care about — their jobs and their livelihood — not being marketed to.

Perhaps that's something Senator Burr will consider during his reelection campaign.

Privacy?