Friday, January 22, 2010

Security alert - new types of attacks

[This is from another university that granted permission to share as long as
I didn't say where it came from.]

Folks,

Over the past week or so, we've seen a marked increase in malicious
advertisements targeting (and exploiting) multiple vulnerabilities -
including ones in Java Runtime Environment (JRE) and Java Development
Kit (JDK) - to silently download and install malware. We have learned
of three "advertising agencies" that appear to be operated by the same
group, that are completely bogus, and they have gotten their ads
pushed out via the largest advertisers in the business. We've seen
popular local and world news sites, popular greeting card sites,
screen saver sites, and more "displaying" these ads. The number and
size of legitimate advertising agencies that wind up referring users
to these malicious advertisements basically means that every Web site
that outsources advertising should be considered a potential infection
vector.

While malicious ads targeting Adobe Flash Player and Adobe
Reader/Acrobat have been going on for well over a year, this is the
first time I can remember seeing numerous computers becoming infected
daily due to a JRE/JDK exploit.

I was able to successfully recreate an infection simply by visiting a
very popular (legitimate) greeting card site this morning. I did not
get redirected to any visible fake AV site, nor did I have to interact
with anything to become infected. There were no visible symptoms of an
infection for several minutes, before the fake AV software finally
reared its ugly head. And it wasn't just a Web page that popped up -
it had been silently installed.

This particular variant prevented many Windows applications from
running, including (but not limited to) Paint, cmd.exe, Control Panel,
and more. This fake AV installs itself in a manner that allows
infection of limited user accounts - admin privileges are not needed.
And the kicker... the sample that I sent to virustotal.com was
detected by one out of 41 AV vendors (Symantec wasn't the one).

We have seen signs that not all hosts infected via these advertising
campaigns get the fake Antivirus software package - however, we are
not sure what is downloaded and installed on those hosts. Assuming it
is malware, it evades all of our existing detection methods.

We've seen Java versions 1.6.x up to 1.6.0_15 become compromised, as
well as several 1.5.x versions. We've seen a host running 1.6.0_17
that did not become compromised, leading us to believe that the most
recent Java security release (1.6.0_17) fixes the vulnerability that
this group is exploiting.

Note that a (presumably) different group of miscreants has been using
bogus advertisements that redirect the browser window to fake AV Web
sites. That site will then try (hard) to convince the user to download
and install their product. That activity is not typically indicative
of an infection - and is an entirely different user experience than
the one I mentioned above. And while we saw a rash of this a few weeks
ago, it seems that almost all of the fake AV we've seen over the past
week was installed silently via drive-by exploits.

I cannot stress enough the magnitude of this situation. The popularity
of the Web sites that we've seen host these "advertisements" is
incredibly high - several of them surely get several thousand hits a
day. Thankfully not everyone who goes to these sites gets the evil ads,
but it is a game of Russian roulette that simply isn't worth playing.

We will be tracking this group as best as we can, and taking
network-wide mitigation steps where appropriate (and possible). But
this group changes their M.O. frequently, and I feel they clearly have
gotten to the point where they aren't going away without handcuffs or
pointy lead.

On a similar note, over the course of the last year or so, several AV
vendors have noticed an uptick in malware that encrypts all of certain
types of data files on the computer, and demands a ransom for the
decryption key. Many folks (including myself) think that it is just a
matter of time before that becomes a much more common payload for
these large drive-by malicious advertising campaigns.

And finally, a personal plea. Please - if you or someone you know
comes across this... don't *ever* decide to purchase the fake AV -
even though it might seem to be the easiest way out. Not only is this
financing their operation, this is giving your credit card info to
some serious (and rather bold) criminals.
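A defender's triage helper, added here as an example and not part of the message or the blog: it parses Sun-era Java version strings from a host inventory and flags anything below 1.6.0_17, the release the writer observed to be unaffected. Treating 1.6.0_17 as the cutoff is the reporter's inference rather than a vendor statement, and the inventory lines below are constructed.

```python
import re
from typing import Optional, Tuple

# Threshold taken from the message above: a host on 1.6.0_17 was observed
# uncompromised, while 1.6.x up to 1.6.0_15 and several 1.5.x releases were hit.
# Using it as the minimum is the reporter's inference (assumption), not a vendor fix list.
MIN_SAFE = (1, 6, 0, 17)

# Sun-era Java version strings: "1.6.0_17", "1.5.0_22", "1.6.0" (no update),
# occasionally with a build suffix such as "1.6.0_17-b04".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-\S+)?$")


def parse_java_version(s: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, micro, update) or None if the string is not a Java version."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def is_vulnerable_version(s: str) -> Optional[bool]:
    """True if older than 1.6.0_17, False if at or above it, None if unparseable."""
    v = parse_java_version(s)
    if v is None:
        return None
    return v < MIN_SAFE


def triage_inventory(lines):
    """Map hostname -> 'update' / 'ok' / 'unknown' from 'host<TAB>version' lines."""
    result = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comment lines
        host, _, version = line.partition("\t")
        verdict = is_vulnerable_version(version)
        result[host] = "unknown" if verdict is None else ("update" if verdict else "ok")
    return result


# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = """\
# host<TAB>java version string (constructed sample)
lab-pc-01\t1.6.0_15
lab-pc-02\t1.6.0_17
lab-pc-03\t1.5.0_22
lab-pc-04\t1.6.0_17-b04
lab-pc-05\tnot installed
""".splitlines()

if __name__ == "__main__":
    for host, verdict in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{host}\t{verdict}")
```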
