Security Blog


November 6, 2009
Critical SSL Vulnerability Discovered

[Image: broken-lock.jpg]

A critical vulnerability in SSL was discovered in August of this year by Marsh Ray and Steve Dispensa of PhoneFactor. These findings were made public on November 4th.

Basically they uncovered a flaw in the SSL protocol itself - a gap in SSL authentication during renegotiation between client and server. This unauthenticated request allows the man-in-the-middle (MITM) attacker to inject specially crafted plaintext into the application protocol stream, which can be used to exploit different applications.

Folks, this is a vulnerability of epic proportions we have here. Online banking, online shopping, cloud computing, remote services all are based on the assumption that SSL is secure. How would you feel going to bed every night when you know your front door lock can be easily picked?

The good news is that vendors have been working on patches to the problem for a few months now. The bad news is, so much of our Internet infrastructure utilizes SSL. It will be impossible to patch everything. I bet cyber criminals are also scrambling to come up with ways to exploit this vulnerability before the patches arrive. This is going to be a very interesting few months. Stay tuned.

Posted by: Pete at 9:57 PM
Categories: General
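The gap described in the post above is that a renegotiated handshake was not bound to the handshake that preceded it on the same connection, so the server's application layer saw data from before and after renegotiation as one stream from one peer. The fix vendors converged on (later standardized as the TLS renegotiation_info extension, RFC 5746) makes the client carry the previous handshake's verify_data into the renegotiation ClientHello and has the server refuse any renegotiation that does not match. The following is an added toy model of that binding check, not code from the post or from PhoneFactor; the `Client`, `Server` and `ClientHello` names are my own, and `verify_data()` uses a SHA-256 stand-in for the real TLS PRF over the handshake transcript.

```python
"""Toy model of TLS secure renegotiation (RFC 5746 renegotiation_info).
Added example, not code from the blog post; the PRF and transcript are simplified."""
import hashlib
import os
from dataclasses import dataclass
from typing import Optional

VERIFY_LEN = 12  # TLS Finished verify_data is 12 bytes


def verify_data(transcript: bytes, label: bytes) -> bytes:
    """Stand-in for the TLS PRF: derive verify_data from the handshake transcript."""
    return hashlib.sha256(label + transcript).digest()[:VERIFY_LEN]


@dataclass
class ClientHello:
    random: bytes
    renegotiation_info: Optional[bytes]  # None = extension absent (client predating the fix)


class HandshakeRejected(Exception):
    pass


class Client:
    """Client that sends an empty renegotiation_info on its first handshake and the
    previous handshake's client verify_data on every renegotiation (or nothing, if legacy)."""

    def __init__(self, secure: bool = True):
        self.secure = secure
        self.client_vd: Optional[bytes] = None

    def hello(self) -> ClientHello:
        info = None if not self.secure else (self.client_vd if self.client_vd else b"")
        h = ClientHello(os.urandom(32), info)
        # Both sides derive the same verify_data from the same transcript.
        self.client_vd = verify_data(h.random + (info or b""), b"client finished")
        return h


class Server:
    """Server that only renegotiates when the ClientHello is bound to the prior handshake."""

    def __init__(self, allow_legacy_clients: bool = False):
        self.allow_legacy_clients = allow_legacy_clients
        self.client_vd: Optional[bytes] = None
        self.server_vd: Optional[bytes] = None
        self.bound = False  # True once this connection carries a secure binding

    def handshake(self, h: ClientHello) -> Optional[bytes]:
        """Process a ClientHello; return the server's renegotiation_info reply or raise."""
        if self.client_vd is None:  # initial handshake on this connection
            if h.renegotiation_info is None:
                if not self.allow_legacy_clients:
                    raise HandshakeRejected("client does not support secure renegotiation")
                reply = None
            elif h.renegotiation_info != b"":
                raise HandshakeRejected("renegotiation_info must be empty on initial handshake")
            else:
                self.bound = True
                reply = b""
        else:  # renegotiation: must prove knowledge of the previous handshake
            if not self.bound:
                raise HandshakeRejected("refusing renegotiation on an unbound connection")
            if h.renegotiation_info != self.client_vd:
                raise HandshakeRejected("renegotiation not bound to the previous handshake")
            reply = self.client_vd + self.server_vd
        transcript = h.random + (h.renegotiation_info or b"")
        self.client_vd = verify_data(transcript, b"client finished")
        self.server_vd = verify_data(transcript, b"server finished")
        return reply


def demo() -> dict:
    """Run the three cases a defender cares about and report each outcome."""
    results = {}
    # 1. A strict server refuses a client that cannot bind renegotiations at all.
    try:
        Server().handshake(Client(secure=False).hello())
        results["legacy_initial"] = "accepted"
    except HandshakeRejected as e:
        results["legacy_initial"] = str(e)
    # 2. A patched client: initial handshake, then a renegotiation bound to it.
    srv, cli = Server(), Client()
    results["secure_initial"] = srv.handshake(cli.hello())
    expected_reply = srv.client_vd + srv.server_vd
    results["secure_reneg_ok"] = srv.handshake(cli.hello()) == expected_reply
    # 3. A hello from a party that never saw the earlier handshake carries no binding.
    try:
        srv.handshake(Client().hello())
        results["unbound_reneg"] = "accepted"
    except HandshakeRejected as e:
        results["unbound_reneg"] = str(e)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome!r}")
```

The second case is the only one that succeeds: the server's reply on renegotiation echoes both verify_data values, so the client can also confirm the server saw the same earlier handshake. Whether to allow legacy clients on the initial handshake (`allow_legacy_clients=True`) is the compatibility trade-off administrators faced while patches rolled out; renegotiation on such connections stays refused either way.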


November 6, 2009
Threat Lab Report: Troj.Downloader.JS.Agent.bgt

Description of Report (Troj.Downloader.JS.Agent.bgt):

This malicious program exploits vulnerability CVE-2008-4699.
The Peachtree Accounting ActiveX control (PAWWeb11.ocx, CLSID 2BCEAECE-6121-4E78-816C-8CD3121361B0) is prone to a remote code-execution vulnerability caused by its insecure "ExecutePreferredApplication()" method. By persuading a victim to visit a specially-crafted Web page, an attacker could exploit this vulnerability to execute arbitrary code on the system with the privileges of the user.

Affected Version: Peachtree Accounting 2004

Posted by: Netgear Threat Lab at 1:37 PM
Categories: Malware , Netgear Threat Lab , Viruses


November 3, 2009
Trick or Treat - International Kill-A-Zombie Day

[Image: Zombieland-3-528x376.jpg]

I hope everyone enjoyed their Halloween and their fair share of candy. And no, we are not talking about killing "REAL" zombies (the ones in flesh, or rotten flesh to be more exact) here.

As we've mentioned time and time again, zombies are a growing problem in today's Internet. Once a PC has been infected, it joins the ranks of the fellow infected as zombies who respond to any command a hacker might give it. They are used to send spam (yes, the spam you get everyday comes from a zombie, NOT a mailman in cyberspace), carry out denial of service attacks, and many other mischievous deeds.

Our friends at Sophos have designated October 31st as the International Kill-A-Zombie Day (images of Resident Evil, Zombieland, and Night of the Living Dead just pop into my mind saying that). They've come out with two very interesting videos to promote zombie awareness. Have a look and join the fight!


Posted by: Pete at 1:37 PM
Categories: General , Malware , Spam


November 3, 2009
Threat Lab Report: Troj.Downloader.JS.Agent.eda

Description of Report (Troj.Downloader.JS.Agent.eda):

This malicious program exploits vulnerability CVE-2008-4728.
The DeployRun.DeploymentSetup.1 ActiveX control (DeployRun.dll, CLSID 7F9B30F1-5129-4F5C-A76C-CE264A6C7D10) shipped with the Hummingbird Deployment Wizard is prone to multiple vulnerabilities caused by its insecure "Run()", "SetRegistryValueAsString()", and "PerformUpdateAsync()" methods. They allow remote attackers to execute arbitrary programs via the Run() and PerformUpdateAsync() methods, and to modify arbitrary registry values via the SetRegistryValueAsString() method.

Affected Version: Hummingbird Deployment Wizard 2008

Posted by: Netgear Threat Lab at 1:34 PM
Categories: Malware , Netgear Threat Lab


October 30, 2009
This Week in Phishing

I just received this email in my Yahoo mailbox:

[Image: Atm=822-spam_.png]

What do you guys think? Should I email Mrs. Elizabeth and claim my 11 million?

I could really use the extra cash right now.

Posted by: Pete at 4:59 PM
Categories: General , Phishing , Spam


October 30, 2009
Threat Lab Q3 Report: Malware and Phishing Web Sites

Based on data collected in Q3 2009, we found that business related sites were most likely to host malware. Pornography and sexually explicit sites came in at number 2 this quarter. As a sign of the economic times, real estate, shopping, and travel sites also made the top 10.

[Image: top-10-malware-q3-2009.png]

As for sites manipulated by phishing, health & medicine related sites still top the list, followed closely by sex education and finance. The rest of the top 10 contained no surprises; however, we do see a drop in social networking phishing sites. That may be due to more awareness of such sites being exploited for phishing.

[Image: top-10-phishing-q3-2009.png]

Posted by: Netgear Threat Lab at 3:16 PM
Categories: Malware , Netgear Threat Lab , Phishing


October 30, 2009
Threat Lab Q3 Report: Spam

[Image: Q3-2009-spam.jpg]

In Q3, Pharmacy spam returned to the top spot with 68% of all spam messages. Last quarter's top spam subject, enhancers, fell from 46.2% to 11% of all spam messages this quarter.

[Image: Q3-2009-spam-levels.jpg]

Spam levels averaged 83% of all email traffic throughout the quarter, peaking at 97% in July and bottoming out at 71% in August.

Source: Commtouch Labs

Posted by: Netgear Threat Lab at 3:01 PM
Categories: Netgear Threat Lab , Spam


October 30, 2009
Threat Lab Q3 Report: Pharma spam masquerading as Facebook message

Spammers are continually looking for ways to hide their true identity to bypass content filters, and ways to employ social engineering to bypass human filters (i.e., judgment) that can often distinguish if something is spam just by looking at it. The message pictured here was circulated in the third quarter.

[Image: Q3-2009-Internet-Threats-Trend-Report.png]

This message, with its familiar blue header, was designed to fool people and spam filters that may not properly identify image-based spam, since all the actual content was in an image. The image itself is typically blocked by email clients like Microsoft Outlook until the user downloads it. However, since the email appears to be legitimate, the user may download the image, revealing that it is actually pharmaceutical spam. The only content that text-based filters can identify in such a message is the traditional Facebook text, such as "if you do not wish to receive this type of Facebook mail in the future", which makes it appear legitimate.

The message was not actually sent from Facebook - if it had been, the return address would have been Facebook, and not "Tammi Manley". Also, all the links within the message, such as "Unsubscribe" and "More info", lead to the pharmaceuticals site pictured in the advertisement.

Source: Commtouch Labs

Posted by: Netgear Threat Lab at 2:48 PM
Categories: Netgear Threat Lab , Phishing
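The two tells in the report above (the sender is not Facebook, and every link points at the pharmacy site) are exactly what a filter can still check when the body is an image. The following is an added example of those checks, not code from Commtouch or Netgear: it builds a message shaped like the one described (constructed sample; the sender and link hosts are placeholders) and flags a claimed brand whose sender domain or link hosts do not belong to that brand, plus an HTML body that carries images but almost no visible text. The `BRAND_DOMAINS` map and the 200-character threshold are my own assumptions.

```python
"""Heuristics for image-only brand-impersonation spam. Added example, not the
report's code; the sample message and thresholds are constructed for the demo."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Dict
from urllib.parse import urlparse

# Brand name -> domain that legitimate mail from the brand comes from (assumption).
BRAND_DOMAINS = {"facebook": "facebook.com"}
MIN_VISIBLE_TEXT = 200  # fewer non-image characters than this counts as "image-only"


def build_sample() -> bytes:
    """Construct a message like the one in the report: Facebook wording, off-brand
    sender, an image as the real content, and 'Unsubscribe'/'More info' links."""
    msg = EmailMessage()
    msg["From"] = "Tammi Manley <tammi@mailer.example>"  # constructed sender address
    msg["To"] = "user@example.test"
    msg["Subject"] = "You have a new Facebook message"
    msg.set_content("You have a new Facebook message.")
    msg.add_alternative(
        '<html><body><img src="http://pills.example/ad.gif"><p>if you do not wish to '
        'receive this type of Facebook mail in the future <a href="http://pills.example/u">'
        'Unsubscribe</a> <a href="http://pills.example/i">More info</a></p></body></html>',
        subtype="html",
    )
    return bytes(msg)


def _host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def _in_domain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def analyze(raw: bytes) -> Dict[str, object]:
    """Return the findings a text-based filter can derive without seeing the image."""
    msg = message_from_bytes(raw, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    html = html_part.get_content() if html_part is not None else ""
    text = re.sub(r"<[^>]+>", " ", html)  # visible text once tags are stripped
    subject = str(msg.get("Subject", ""))
    haystack = (subject + " " + text).lower()
    brand = next((b for b in BRAND_DOMAINS if b in haystack), None)
    sender_host = parseaddr(str(msg.get("From", "")))[1].split("@")[-1].lower()
    links = re.findall(r'href=["\']([^"\']+)["\']', html, re.I)
    images = len(re.findall(r"<img\b", html, re.I))

    findings: Dict[str, object] = {
        "claimed_brand": brand,
        "sender_domain": sender_host,
        # Mail that invokes a brand but does not come from that brand's domain.
        "sender_offbrand": bool(brand) and not _in_domain(sender_host, BRAND_DOMAINS[brand]),
        # Link targets that leave the claimed brand's domain.
        "offbrand_link_hosts": sorted(
            {_host_of(u) for u in links if brand and not _in_domain(_host_of(u), BRAND_DOMAINS[brand])}
        ),
        # Images present but almost no text: the content filters cannot read is in the picture.
        "image_only": images > 0 and len(text.strip()) < MIN_VISIBLE_TEXT,
    }
    findings["suspicious"] = bool(findings["sender_offbrand"] or findings["offbrand_link_hosts"])
    return findings


if __name__ == "__main__":
    for key, value in analyze(build_sample()).items():
        print(f"{key}: {value!r}")
```

`image_only` on its own is not grounds to block (newsletters look the same), which is why the verdict rests on the brand mismatch: a message that names a brand, arrives from somewhere else and links somewhere else is the pattern the report describes.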


October 29, 2009
AV-Test /Tolly Report: UTM Virus Detection Comparison

AV-Test.org and Tolly have released their UTM virus detection comparison report. In the report the ProSecure UTM10 was pitted against all-in-one solutions from Sonicwall, Fortinet, and Watchguard.

The test consisted of two parts:

1. Wildlist malware detection

[Image: wildlist.png]

2. Zoo malware detection

[Image: zoo.png]

The results really highlight the lack of emphasis on the "security" aspect of existing all-in-one solutions.

While we see a big emphasis being put on throughput, the truth is, throughput from existing multifunction firewalls is fine at our current WAN connection speeds - even with all security enabled.

What you need is better protection.

And our ProSecure UTM was architected from the ground up to provide you just that.

You can download the full report here

Posted by: Pete at 5:05 PM
Categories: General , Malware , Viruses


October 26, 2009
Threat Lab Report: Troj.Downloader.JS.Agent.edg

Description of Report (Troj.Downloader.JS.Agent.edg):

The Office OCX Word Viewer OCX ActiveX control (CLSID 97AF4A45-49BE-4485-9F55-91AB40F288F2) is prone to a remote code-execution vulnerability caused by its insecure OpenWebFile() method. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to download arbitrary executable files to the victim's system and execute arbitrary code on the system with the privileges of the victim.

Affected Version: Office OCX Word Viewer OCX 3.2

Posted by: Netgear Threat Lab at 5:28 PM
Categories: Malware , Netgear Threat Lab , Viruses
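The three Threat Lab reports on this page (Troj.Downloader.JS.Agent.bgt, .eda and .edg) describe the same pattern: a Web page instantiates an installed ActiveX control that exposes an unsafe method. Two defensive actions follow directly from the CLSIDs quoted in the reports: detect pages that try to load those controls, and set the Internet Explorer "kill bit" so the controls cannot be instantiated at all. The following is an added example of both, not code from Netgear or the Threat Lab. The CLSIDs and the DeployRun ProgID are taken from the reports; the sample page is constructed; the kill-bit registry key and the 0x400 flag value are Microsoft's documented mechanism (KB240797).

```python
"""Detect pages that load the ActiveX controls named in the reports above, and
emit a .reg file that kill-bits them. Added example, not the Threat Lab's code."""
import re
from typing import Dict, Iterable, List

# CLSIDs and ProgID quoted in the three Threat Lab reports on this page.
FLAGGED_CONTROLS: Dict[str, str] = {
    "2BCEAECE-6121-4E78-816C-8CD3121361B0": "Peachtree Accounting PAWWeb11.ocx (CVE-2008-4699)",
    "7F9B30F1-5129-4F5C-A76C-CE264A6C7D10": "Hummingbird DeployRun.DeploymentSetup.1 (CVE-2008-4728)",
    "97AF4A45-49BE-4485-9F55-91AB40F288F2": "Office OCX Word Viewer OCX, OpenWebFile()",
}
FLAGGED_PROGIDS: Dict[str, str] = {
    "DeployRun.DeploymentSetup.1": "7F9B30F1-5129-4F5C-A76C-CE264A6C7D10",
}

_CLSID_FMT = r"[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}"
_CLSID_RE = re.compile(r"clsid:\s*\{?(" + _CLSID_FMT + r")\}?", re.I)  # <object classid="clsid:...">
_PROGID_RE = re.compile(r"ActiveXObject\(\s*['\"]([\w.]+)['\"]", re.I)  # new ActiveXObject("ProgID")


def find_flagged_controls(html: str) -> List[str]:
    """Return the flagged CLSIDs a page tries to instantiate, by CLSID or by ProgID."""
    found = set()
    for m in _CLSID_RE.finditer(html):
        clsid = m.group(1).upper()
        if clsid in FLAGGED_CONTROLS:
            found.add(clsid)
    for m in _PROGID_RE.finditer(html):
        clsid = FLAGGED_PROGIDS.get(m.group(1))
        if clsid:
            found.add(clsid)
    return sorted(found)


KILLBIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILLBIT_FLAG = 0x400  # "Compatibility Flags" bit that stops IE from loading the control


def killbit_reg(clsids: Iterable[str]) -> str:
    """Build a .reg file that sets the kill bit for each CLSID. On 64-bit Windows the
    same entries are also needed under SOFTWARE\\Wow6432Node for 32-bit IE."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        clsid = clsid.upper()
        if not re.fullmatch(_CLSID_FMT, clsid):
            raise ValueError(f"not a CLSID: {clsid!r}")
        lines.append(f"[{KILLBIT_KEY}\\{{{clsid}}}]")
        lines.append(f'"Compatibility Flags"=dword:{KILLBIT_FLAG:08x}')
        lines.append("")
    return "\r\n".join(lines)


# Constructed sample: one flagged CLSID, one unrelated CLSID, one flagged ProgID.
SAMPLE_PAGE = """<html><body>
<object classid="clsid:2bceaece-6121-4e78-816c-8cd3121361b0" id="paw"></object>
<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>
<script>var d = new ActiveXObject("DeployRun.DeploymentSetup.1");</script>
</body></html>"""

if __name__ == "__main__":
    hits = find_flagged_controls(SAMPLE_PAGE)
    for clsid in hits:
        print(f"page loads {clsid}: {FLAGGED_CONTROLS[clsid]}")
    print(killbit_reg(FLAGGED_CONTROLS))
```

Kill-bitting a CLSID blocks the control in Internet Explorer without uninstalling the application that ships it, which is why it was the usual interim step until the vendor fix arrived; the detection half is the kind of check a Web proxy or mail gateway can apply to HTML before it reaches the browser.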
