Deciders such as Dave Willner: not yet 30 years old, he began his career at Facebook on the night shift answering questions about its photo uploader. Five years later, he's the head of Facebook's Content Policy.
A guy who studied anthropology and archeology. That guy, and others like him in Silicon Valley, are the ones deciding the future of freedom of expression on "the web". Or perhaps not the web as such, since so many consumers now spend a significant amount of their time in one walled garden or another. But "cyberspace" at least.
Those who care about the future of online expression should read Jeffrey Rosen's:
Free Speech on the Internet: Silicon Valley is Making the Rules.
Last week, we got a tip from Kafeine about hacked sites serving injected iframes leading to an exploit kit. We thought it was quite interesting so we looked at one of the infected websites and found this sneaky piece of code:
The deobfuscated code shows where the injected iframe URL is fetched from, as well as the use of a cookie to gate the redirection. It also shows that the injector only targets visitors browsing with IE, Opera and Firefox.
And now for a snippet from the source site and from an infected site:
When an infected website successfully redirects, the visitor ends up on a Neutrino exploit kit landing page serving a Java exploit:
We haven't fully analyzed the trojan payload yet, but initial checks show that it makes HTTP POSTs to this IP:
Early this week, when the campaign was probably not yet in full effect, the injected URLs led to google.com. It went into full operation yesterday evening, when the injection began redirecting to Neutrino to serve Java exploits.
Based on that timeline, we plotted on a map the locations of all the IP addresses that visited the infected sites. These IPs are potential victims of this threat; there were approximately 80,000 of them.
We also plotted the locations of the infected websites: so far, more than 20,000 domains are affected. The infected sites appear to be running either WordPress or Joomla.
You can also find other information about this threat in Kafeine's blog post.
Samples related to this post are detected as Trojan:HTML/SORedir.A, Exploit:Java/Majava.A, and Trojan:W32/Agent.DUOH.
Here's a question we're often asked: what's the economic cost of malware?
We recently assisted in a joint investigation with the Finnish Police and CERT-FI. In this particular case, we estimate that just one gang running "police"-themed ransomware could be responsible for more than 800 million dollars' worth of damage and losses.
We'll translate the basics: a single gang using Reveton "police" ransomware netted more than 5 million victims worldwide, with more than 30,000 computers in Finland affected.
Reveton's current "fee" is 300 USD:
The going rate in Europe is EUR 100:
At 100 euro each, the 30,000 Finnish victims alone represent three million euro of potential profit. Across North America and Europe it adds up to something in the neighborhood of 600 million euro, or more than 800 million dollars.
Now of course, not everybody pays Reveton's ransom (though quite a few do), so that potential profit isn't fully realized. But what about the economic cost? The victims need to spend time and money to repair and recover their computers.
Some folks will have lost data in the process. And how much is that worth?
Last year, a friend's hard drive, full of family photos, crashed. The cost of recovering the data? More than 6,000 USD! If just one percent of the Reveton gang's more than 5 million victims lost similar photo collections, that's 300 million USD in lost data.
Disregarding data loss, the time spent on recovery is easily worth the same as the ransom payment.
Bottom line: ransomware is very costly.
Which is why we're highlighting the issue at ransomware.fi as part of cyber security awareness month.
Are you ransomware aware? From now until the end of October, you can ask our own Antti Tikkanen and Paolo Palumbo questions about Reveton and other ransomware threats in our Community's Ransomware Q&A.
Here's a handy link you can share: bit.ly/RansomQA
There's an Apple event scheduled for tomorrow which will showcase this year's iPad lineup. Among the more credible rumors is that at least one version of the iPad will include Apple's Touch ID, its fingerprint identity sensor.
And so it seems somewhat inevitable that all of our "smart" devices will soon include fingerprint readers.
That being the case, we strongly recommend the following by @dustinkirkland:
We came across some "installation guides" for a spyware app called "StealthGenie" today.
It's interesting to note the viewing stats. Even though Android has the bigger market share, the Android installation guide video doesn't have that many more views than the iPhone one.
Blackhole exploit kit has always been a favorite example when discussing the impact of exploit kits on Internet users. We've previously mentioned in our posts how fast it was to support new vulnerabilities, how it was related to Cool, and that it was the leading kit in our telemetry data. Blackhole and Cool almost always got special mentions in our Threat Reports, so you can imagine how closely we follow this topic.
Early this week, Maarten Boone tweeted groundbreaking news regarding the fate of Paunch, the mastermind behind Blackhole and Cool. Though no further details were provided, it has been confirmed that Paunch was recently arrested in Russia.
With this news, we decided to look at our telemetry data once again. The graphs below show Blackhole and Cool turning from being at the top of the ranks to being negligible.
It's as dramatic as a graph can get. With its master under arrest, Paunch's brainchild Blackhole is fading from its place at the top of the exploit kit charts.
So what does the future look like? Will the numbers even out among the different exploit kits? Will an existing kit rise to take Blackhole's place, or will a new one come out and take over the market? We can only speculate. One thing we do hope is that other exploit kit authors take the hint: even if they enjoy a few years of apparent invincibility, they are not beyond the reach of the law.
Installing the updates as soon as possible is highly recommended because one of the patched vulnerabilities in Internet Explorer, CVE-2013-3893, is already being exploited in the wild, and a Metasploit module for it has also been released. But today is key: the bad guys will almost certainly now reverse engineer the patches to develop exploits for the other vulnerabilities as well.
Building protection against exploits by creating vulnerability-specific defenses one at a time is not really sustainable. More proactive protection can be achieved by putting focus on the exploitation techniques. With this in mind, the key feature we introduced in version 5 of our behavioral technology — DeepGuard — is behavior-based exploit interception. By monitoring the behavior of commonly exploited software, e.g., web browsers, we can protect users against threats we have not yet seen — including zero-day exploits.
Here's a brief video of DeepGuard protecting a system from compromise via an exploit for CVE-2013-3893. The IE version in the video is vulnerable, i.e., the system does not have today's updates installed. The exploit in the video has been used in real attacks and is very similar to the ones described by FireEye and Dell, right down to the runrun.exe payload encrypted with a 0x95 XOR key. The attack is replayed from a web server on an isolated test network.
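As an added example (not code from this post or from F-Secure, and not the real runrun.exe payload), here is how an analyst recovers an executable that was "encrypted" with an unknown single XOR byte, the way this exploit's payload was with 0x95. The sample blob is constructed inline: a minimal DOS header prefix XORed with 0x95 stands in for a payload captured off the wire.

```javascript
// Added example: single-byte XOR key recovery for a captured exploit payload.
// Not F-Secure's code and not the real payload; the blob below is constructed.

// Every PE carries this DOS stub string; together with the "MZ" magic at
// offset 0 it is a strong known-plaintext anchor.
const DOS_STUB = Buffer.from('This program cannot be run in DOS mode.', 'latin1');

// XOR every byte of buf with one key byte.
function xorBytes(buf, key) {
  const out = Buffer.alloc(buf.length);
  for (let i = 0; i < buf.length; i++) out[i] = buf[i] ^ key;
  return out;
}

// Does a candidate plaintext look like a DOS/PE image?
function looksLikePE(buf) {
  return buf.length >= 2 && buf[0] === 0x4d && buf[1] === 0x5a && buf.includes(DOS_STUB);
}

// Try every single-byte key; return the first that yields a PE, else null.
// The MZ check pins byte 0, so at most one key can match a genuine sample.
function recoverXorKey(blob) {
  for (let key = 0; key < 256; key++) {
    const candidate = xorBytes(blob, key);
    if (looksLikePE(candidate)) return { key, plaintext: candidate };
  }
  return null;
}

// Constructed stand-in for a captured payload: "MZ", zeroed header bytes up to
// the stub, then the stub, all XORed with the given key (0x95 as in the post).
function buildSample(key = 0x95) {
  const header = Buffer.concat([Buffer.from('MZ', 'latin1'), Buffer.alloc(0x4c, 0), DOS_STUB]);
  return xorBytes(header, key);
}

const found = recoverXorKey(buildSample());
if (found) {
  console.log('key = 0x' + found.key.toString(16), 'magic =', found.plaintext.subarray(0, 2).toString('latin1'));
}
```

A single-byte XOR leaves the byte histogram of the executable intact, so the same check works on any capture where the exploit kit drops a PE; a multi-byte or rolling key would need a longer known-plaintext window than the two magic bytes give you.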
The exploit sets and checks a cookie to avoid exploiting the same system twice. Once DeepGuard has blocked the exploit and forced the tab to close, IE will try to reopen the tab. Because the cookie was set, the JavaScript code skips the exploit and simply redirects the user to naver.com.
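The cookie check described here follows the same one-shot pattern as the Neutrino injector earlier on this page (a cookie to gate the redirection, and only IE, Opera and Firefox targeted). Below is an added example, not the injected script, not the exploit page and not F-Secure's code, that models that gating in plain JavaScript so the behaviour can be exercised offline. The cookie name, the exact user-agent tests and the form of the naver.com fallback URL are assumptions for illustration.

```javascript
// Added example: a model of a cookie-gated, browser-targeted one-shot redirect.
// Not the injected script from the compromised sites; names and tests assumed.
const GATE_COOKIE = 'visited';             // assumed cookie name
const BENIGN_TARGET = 'http://naver.com/'; // the post names naver.com as the fallback

// Parse a Cookie request header ("a=1; b=2") into an object.
function parseCookies(header) {
  const jar = {};
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) jar[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return jar;
}

// The injector only fires for IE, Opera and Firefox (per the deobfuscated code).
function isTargetedBrowser(ua) {
  return /MSIE |Trident\//.test(ua) || /Opera|OPR\//.test(ua) || /Firefox\//.test(ua);
}

// One request. Returns the action taken and any Set-Cookie / Location to emit:
//   'exploit'  first targeted visit: serve the iframe/exploit and set the cookie
//   'redirect' cookie already present: skip the exploit, send to the benign site
//   'none'     untargeted browser: serve the page unchanged
function decide(cookieHeader, userAgent) {
  if (!isTargetedBrowser(userAgent)) return { action: 'none', setCookie: null, location: null };
  if (parseCookies(cookieHeader)[GATE_COOKIE] === '1') {
    return { action: 'redirect', setCookie: null, location: BENIGN_TARGET };
  }
  return { action: 'exploit', setCookie: `${GATE_COOKIE}=1; path=/`, location: null };
}

// Replay n visits from one browser profile, carrying cookies between them,
// the way IE did when it reopened the tab in the video.
function simulate(userAgent, visits) {
  const actions = [];
  let cookieHeader = '';
  for (let i = 0; i < visits; i++) {
    const d = decide(cookieHeader, userAgent);
    actions.push(d.action);
    if (d.setCookie) cookieHeader = d.setCookie.split(';')[0]; // keep name=value only
  }
  return actions;
}

const IE10 = 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)';
console.log(simulate(IE10, 3)); // ['exploit', 'redirect', 'redirect']
```

Two practical consequences for anyone replaying such a sample: a crawler with a default curl or Chrome user agent never sees the exploit at all, and a second fetch from the same profile sees only the benign redirect, so fetch with a targeted user agent and clear cookies (or use a fresh profile) between attempts.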
The United States government may have "shutdown" on October 1st… but that didn't stop the U.S. Senate Judiciary Committee from holding a hearing on FISA Oversight of the NSA on October 2nd.
"Adobe customer IDs and encrypted passwords on our systems. We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders."
Encrypted passwords and credit/debit card numbers, et cetera. So you may also wish to monitor any cards which were on file at adobe.com. Resetting your password is a straightforward process.
Microsoft's Security Advisory (2887505), regarding a vulnerability in Internet Explorer, was issued just over two weeks ago. We added exploit detection soon thereafter. At the time, Microsoft reported that exploitation of the vulnerability was in limited use.
Since then, evidence of attacks on Japanese targets via media sites has surfaced.
And in the last week, our customer upstream data indicates limited use within Taiwan.
Most importantly, there is now Metasploit support for CVE-2013-3893, so it's only a matter of time before it's added to popular exploit kits such as Blackhole. If not this week, then almost certainly a day or two after Microsoft releases its patch next Tuesday.
We recommend avoiding IE (if possible) until it's updated. If you manage a network, Microsoft has a Fix it tool available.
In March of this year, researchers on Symantec's Security Response team began looking at ways in which they might be able to "sinkhole" (take bots out of the operators' control) ZeroAccess, one of the world's largest botnets. But then, in late June, the botnet started updating itself, removing the flaw that the researchers had hoped to take advantage of. Faced with the choice of some or nothing, the team moved to sinkhole what they could: over 500,000 bots.
A very commendable effort!
Ross Gibb and Vikram Thakur are presenting a paper about lessons learned at this year's Virus Bulletin.
Unfortunately, the bulk of ZeroAccess is still with us…