Planting of Malware


The Register reports that Digital Spy, a high-profile UK gossip site, carried malware-inflicting banner ads. Digital Spy has acknowledged the issue and said it promptly addressed it; however, details on the source of the malicious banners are still not available.

Malware distribution through ad programs is a borderline phenomenon. While there is no question that malware distribution is malicious, and in most geographies illegal, in many cases the site owners are not technically responsible for the content of the ads they serve, as the ad content comes directly from a third party. Whether they are legally responsible is an open question.

Another issue is defining malware. Many times ads are used to entice users to download and install programs that are questionable. A rootkit installed through a known browser vulnerability is malware; however, the distinction between adware and malware is often blurred and depends on:

  • The ratio between benefit to the user and benefit to the software distributor,
  • The clarity in which the benefit to the software distributor is explained to the user, and lastly:
  • The legality of this benefit


Updated (Feb 22nd 2009): the Washington Post reports that the hack exploited a problem with the default configuration of the authentication module used to authenticate remote administrators. As a result we have categorized this incident under "insufficient authentication" and "misconfiguration".


XSSed reports another XSS worm in Orkut. Since Orkut is big in Brazil, it is quite natural that a Brazilian group created the worm.

I have used this occasion to sort out worm reporting in WHID.

  • A worm is now considered an attack method rather than an outcome. If nothing else, the outcome of a worm is "planting of malware": itself.
  • I have added a "Web 2.0" organization type as many of the XSS worms infect Web 2.0 sites.

Websense reports that my.barackobama.com, an open blogging service which is part of Obama's campaign web site, has been used to point users to malware-infecting content.

The scam is a good example of the dangers of Web 2.0 user-generated content and mashups. There was no malicious code on Obama's site; however, an allowed piece of HTML that looked like an embedded YouTube clip pointed to an external site which carried the malware.
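As an added illustration (not code from the original post or from the site involved), a server-side check of the kind that catches the fake embed described above: it parses a user-submitted fragment and flags every embed, object, iframe, frame or script whose source is not on a small host allowlist, including lookalike hosts such as youtube.com.evil.example. The allowlist, the permitted tag set and the sample post are assumptions constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags and the attribute naming the resource they load (assumption: the set a
# "paste a video" feature would permit).
RESOURCE_ATTRS = {"embed": "src", "iframe": "src", "frame": "src",
                  "script": "src", "object": "data"}

def host_allowed(url, allowed_hosts):
    """True only if url loads from an allowlisted host or one of its subdomains.
    Lookalikes, user@host tricks and script-bearing schemes all fail."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() in ("javascript", "data", "vbscript"):
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False  # no explicit host: refuse rather than guess
    return any(host == a or host.endswith("." + a) for a in allowed_hosts)

class EmbedAuditor(HTMLParser):
    # Collects (tag, url) for every resource-loading tag that points off-list.
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = [a.lower() for a in allowed_hosts]
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "param" and attrs.get("name", "").lower() in ("movie", "src"):
            url = attrs.get("value", "")  # old Flash embeds: <param name="movie">
        elif tag in RESOURCE_ATTRS:
            url = attrs.get(RESOURCE_ATTRS[tag], "")
        else:
            return
        if url and not host_allowed(url, self.allowed):
            self.findings.append((tag, url))

def find_offsite_embeds(fragment, allowed_hosts=("youtube.com", "ytimg.com")):
    auditor = EmbedAuditor(allowed_hosts)
    auditor.feed(fragment)
    auditor.close()
    return auditor.findings

# Constructed sample post: it looks like a YouTube embed, but the player and a
# hidden iframe are fetched from unrelated hosts.
SAMPLE_POST = """<object width="425" height="344">
  <param name="movie" value="http://www.youtube.com/v/abc123"></param>
  <embed src="http://www.youtube.com.evil.example/player.swf"></embed>
</object>
<iframe src="//evil.example/ad.html" width="1" height="1"></iframe>"""
```

A platform would reject any submission for which `find_offsite_embeds` returns a non-empty list, and the same scan run over its own published pages surfaces injected iframes of the kind reported in the other incidents on this page.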


Ismael Valenzuela sent us a story about yet another site serving malware through an iframe. This time it is an official one, belonging to an official branch of the Indian government in Spain: its embassy.

We can hardly include every malware-serving site in WHID; after all, there are hundreds of thousands, if not millions, of those. Why pick on the Indian embassy in Spain? One good reason is that we finally received a submission from a reader and wanted to honor the event by including the incident. But there is another, more important reason.

First, hacked embassy sites are becoming a major issue, which points to a much larger one: cyber crime is endangering the Internet as we know it. While we have come to rely on the web to provide us with all the information and services that we need, we do not have the tools to make it a safe place, and embassy web sites are a good example.

Practically the only way to provide sufficient security to a web site is not to have one in the first place. Instead, small organizations must rely on the services of huge brokers such as Amazon, eBay or Google sites. However, not everyone can use these services. Embassies are a good example, as they need to be "doubly localized" for both the originating and the host country, which makes it nearly impossible to create a uniform service for them. Therefore even embassies of larger countries need to create small, home-made and insecure web sites, as they need to adjust their site content, language and look to the local community served.

Technical analysis of the planted malware was done by Trend Micro.


MetaFilter's philosophy is that social norms and peer pressure, referred to as "self-policing", will ensure the quality of the site's content. However, it seems that this philosophy does not extend to hackers who abuse the site's software to plant malware affecting MetaFilter users.


The infamous SQL injection bot has hit TrendMicro, which is worrying considering that TrendMicro is there to protect us from malware. Unfortunately it seems that web security is still underrated outside a small group of experts, even though it is fast becoming the modern-day equivalent of the now declining viruses and worms.


This gem is taken from a press release issued by a hosting provider. According to the press release, InfoGov, a UK provider of risk management solutions, switched hosting of its sites to a new provider because the previous one did not provide an adequate solution to an SQL injection attack that penetrated the site and inflicted malware on InfoGov customers.

Probably yet another fallout from the ongoing Asprox attack, this incident is interesting as it emphasises the responsibility that customers expect service providers to take in protecting them from web-based attacks.


In an attack with an alarming similarity to the COX incident (WHID 2008-45), but with far greater potential damage, hackers changed the DNS records for CheckFree, the largest bill payment service in the USA. Customers were redirected to servers in the Ukraine, which attempted to install password-logging software on their computers.

The change was done using valid credentials to log in to the administrative web site of Network Solutions, CheckFree's domain registrar. It is as yet unknown how the hackers got the credentials. Since phishing attacks against domain registrars, including Network Solutions, have started to surface recently, a good guess is that it was through a phishing attack.

According to CheckFree's report to the authorities, it estimates that around 160,000 customers were exposed to the attack, and it informed 5 million potential victims who may have been among this group.


Like many Asprox bot SQL injection attacks, the one on NDTV.com, the web site of a New Delhi TV station, has its own unique aspects.

First, the attack came at absolutely the wrong time: just when all eyes (and mouse clicks) were turned to the Olympic games in Beijing, the NDTV web site, which carried real-time information from the games, was hacked, greatly extending the infection rate.

In addition, the information was syndicated from a French news agency. While apparently the agency did not have anything to do with the hack, it did catch some flak over the incident, as some experts suggested it should help its customers protect their systems.
