<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
    <title>ProSecure Security Blog</title>
    <link rel="alternate" type="text/html" href="http://prosecure.netgear.com/community/security-blog/" />
    <link rel="self" type="application/atom+xml" href="http://prosecure.netgear.com/community/security-blog/atom.xml" />
    <id>tag:prosecure.netgear.com,2009-01-23:/community/security-blog//1</id>
    <updated>2009-11-17T21:02:31Z</updated>
    
    <generator uri="http://www.sixapart.com/movabletype/">Movable Type 4.23-en</generator>

<entry>
    <title>Threat Lab Report: The First iPhone Worm Hits the Mobile Scene</title>
    <link rel="alternate" type="text/html" href="http://prosecure.netgear.com/community/security-blog/2009/11/threat-lab-report-the-first-iphone-worm-hits-the-mobile-scene.php" />
    <id>tag:prosecure.netgear.com,2009:/community/security-blog//1.63</id>

    <published>2009-11-17T18:13:19Z</published>
    <updated>2009-11-17T21:02:31Z</updated>

    <summary> Due to the iPhone being a hit in the smartphone market, network security researchers warned that the iPhone&apos;s popularity will lead cyber-criminals to take an interest in mobile phones. With the increase in horsepower and functionality in smartphones...</summary>
    <author>
        <name>Netgear Threat Lab</name>
        
    </author>
    
        <category term="Netgear Threat Lab" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Malware" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://prosecure.netgear.com/community/security-blog/">
        <![CDATA[<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="ikee-170.jpg" src="http://prosecure.netgear.com/community/security-blog/ikee-170.jpg" width="170" height="194" class="mt-image-center" style="text-align: center; display: block; margin: 0 auto 20px;" /></span>
Due to the iPhone being a hit in the smartphone market, network security researchers warned that the iPhone's popularity will lead cyber-criminals to take an interest in mobile phones. With the increase in horsepower and functionality, smartphones are essentially mini computers. We all know the types of threats and vulnerabilities computers face, and our phones are no exception.
<br><br>
Recently, some iPhone users were attacked by a worm - the first of its kind found on the iPhone. The virus automatically replaces the iPhone wallpaper with a photo of 80's pop singer Rick Astley and displays a message "Never give up your" (ikee is never going to give you up), but stops there and does not perform further attacks on the iPhone. The worm was written by 21-year-old Australian hacker <a href="http://www.myspace.com/areallylongurlisannoying">Ashley Towns</a>. Towns said he produced the worm to make iPhone users realize the risks of not changing the default root password.
<br><br>
However, only jailbroken iPhones are vulnerable to the worm. Jailbreaking is a process that allows iPhone and iPod Touch users to run homebrew apps on their devices by bypassing Apple's App Store. Once jailbroken, iPhone users are able to download homebrew applications as well as cracked applications through unofficial installers such as Cydia, Rock App, Icy, and Installer. Jailbroken versions of Apple's iPhone are eligible for technical support, and Apple has many times used software upgrades to prevent users from cracking their iPhones. Apple also noted that jailbreaking an iPhone is illegal. Users who jailbroke their iPhone, installed SSH, and did not change the default root password "alpine" were found with the worm. Once a device is infected, the worm will attempt to search for and spread to other jailbroken iPhones in the same network. This threat can be mitigated by changing the default password of the iPhone.
<br><br>
Prior to this incident, iPhone users had already been targeted in attacks. A week ago, Dutch users received messages from an attacker that warned of a security vulnerability in their cell phones and requested that these users donate 5 Euros each to a PayPal account. The attackers have since apologized and provided a fix. This is an example of an attacker who exploited the same flaw but not in the form of a virus or worm.
]]>
        
    </content>
</entry>

<entry>
    <title>Web Browser Vulnerability Report - Firefox Leads the Pack at 44%</title>
    <link rel="alternate" type="text/html" href="http://prosecure.netgear.com/community/security-blog/2009/11/web-browser-vulnerability-report---firefox-leads-the-pack-at-44.php" />
    <id>tag:prosecure.netgear.com,2009:/community/security-blog//1.62</id>

    <published>2009-11-11T20:13:56Z</published>
    <updated>2009-11-12T02:03:34Z</updated>

    <summary> A recent report by Web application security vendor Cenzic pointed out that in the first half of 2009 Firefox accounted for 44% of all vulnerabilities amongst popular Web browsers. Also somewhat surprising is Safari coming in at 35% due...</summary>
    <author>
        <name>Pete</name>
        
    </author>
    
        <category term="General" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://prosecure.netgear.com/community/security-blog/">
        <![CDATA[ <span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="Web_browser_vulnerabilities.png" src="http://prosecure.netgear.com/community/security-blog/Web_browser_vulnerabilities.png" width="629" height="405" class="mt-image-center" style="text-align: center; display: block; margin: 0 auto 20px;" /></span>

A recent <a href="http://www.cenzic.com/downloads/Cenzic_AppSecTrends_Q1-Q2-2009.pdf">report</a> by Web application security vendor Cenzic pointed out that in the first half of 2009 Firefox accounted for 44% of all vulnerabilities amongst popular Web browsers. Also somewhat surprising is Safari coming in at 35% due to iPhone Safari vulnerabilities (that's another story in itself). IE came in third at 15% and Opera at 6% (BTW, where was Chrome?). 
<br><br>
Firefox (by the way, I've been a Firefox user since its debut) is an open source browser which has marketed itself as a "safer" alternative to Microsoft's Internet Explorer. Early on that was true, however when Firefox started to gain popularity, hackers began shifting focus to it and Firefox became "less safe".
<br><br>
Two factors contribute to the number of vulnerabilities we are seeing in the browser today. Number one, the browser is relatively young, so there are naturally more holes in it. This will get better as the browser further matures.
Second of all, Firefox is open-source and has a flexible add-on architecture where basically anyone who can code (and even some who can't) can make an add-on for Firefox. While this architecture and open source in general bring flexibility, functionality, and scalability to the browser, many of these add-ons are not "hardened" and could introduce security loopholes into Firefox. Also, due to the open-source nature of Firefox, hackers can study the browser source code inside out and find holes that way.
<br><br>
Regardless, I will continue to use Firefox. However, I'll also make sure that my security surrounding the browser is up to snuff. I suggest you do too.]]>
        
    </content>
</entry>

<entry>
    <title>Threat Lab Report: TLS/SSL 3.0 Vulnerability Announced</title>
    <link rel="alternate" type="text/html" href="http://prosecure.netgear.com/community/security-blog/2009/11/threat-lab-report-tlsssl-30-vulnerability-announced.php" />
    <id>tag:prosecure.netgear.com,2009:/community/security-blog//1.61</id>

    <published>2009-11-10T21:08:12Z</published>
    <updated>2009-11-10T21:12:44Z</updated>

    <summary>At the Black Hat conference held in Las Vegas in August of this year, security experts discovered many holes in the SSL encryption protocol - the very protocol that secures most Internet communications. On November 4th, security researchers from Phone Factor...</summary>
    <author>
        <name>Netgear Threat Lab</name>
        
    </author>
    
        <category term="Netgear Threat Lab" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://prosecure.netgear.com/community/security-blog/">
        <![CDATA[At the Black Hat conference held in Las Vegas in August of this year, security experts discovered many holes in the SSL encryption protocol - the very protocol that secures most Internet communications. On November 4th, security researchers Marsh Ray and Steve Dispensa of PhoneFactor publicly disclosed a vulnerability in TLS/SSL that allows Man-in-the-Middle (MITM) attacks.
<br><br>
The vulnerability has the following characteristics:  <br>
1. It is a vulnerability in the protocol itself and not limited to certain applications<br>
2. There is no concrete solution as of yet, still waiting for vendor patches<br>
3. Affects a multitude of upper-layer protocols, including HTTPS, IMAP, SIP, etc...<br><br>
Man-in-the-Middle attacks (referred to as "MITM attacks") are "indirect" attacks in which the attacker, through a variety of technical means, gains access to the network communications between computers. The attacker's computer is known as the "middleman." It masquerades as one or both of the victim computers so that it can establish an active connection with the victim computer(s). The "middleman" is then able to read or tamper with the communications between the two victim nodes, while the two victim computers still think they are talking directly to each other. This type of attack is not very easy to detect; therefore, it has long been used by hackers and, even to this day, is still commonly used to gain access to data or cause harm. 
<br><br>
OpenSSL has already released a patch, but it does not fix the loopholes found in the protocol; it only turns off renegotiation by default. Users can obtain this patch from OpenSSL's official website: <a href="http://www.openssl.org/source/">http://www.openssl.org/source/</a>
]]>
        
    </content>
</entry>

<entry>
    <title>Critical SSL Vulnerability Discovered</title>
    <link rel="alternate" type="text/html" href="http://prosecure.netgear.com/community/security-blog/2009/11/critical-ssl-vulnerability-discovered-1.php" />
    <id>tag:prosecure.netgear.com,2009:/community/security-blog//1.60</id>

    <published>2009-11-07T05:57:57Z</published>
    <updated>2009-11-07T06:22:34Z</updated>

    <summary> A critical vulnerability in SSL was discovered in August of this year by Marsh Ray and Steve Dispensa of PhoneFactor. These findings were made public on November 4th. Basically they uncovered a flaw in the SSL protocol itself -...</summary>
    <author>
        <name>Pete</name>
        
    </author>
    
        <category term="General" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://prosecure.netgear.com/community/security-blog/">
        <![CDATA[ <span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="broken-lock.jpg" src="http://prosecure.netgear.com/community/security-blog/broken-lock.jpg" width="200" height="200" class="mt-image-center" style="text-align: center; display: block; margin: 0 auto 20px;" /></span>

A critical vulnerability in SSL was discovered in August of this year by Marsh Ray and Steve Dispensa of <a href="http://www.phonefactor.com/sslgap">PhoneFactor</a>. These findings were made public on November 4th. 
<br><br>
Basically they uncovered a flaw in the SSL protocol itself - a gap in SSL authentication during renegotiation between client and server. This unauthenticated request allows the man-in-the-middle (MITM) attacker to inject specially crafted plaintext into the application protocol stream, which can be used to exploit different applications.
<br><br>
Folks, this is a vulnerability of epic proportions we have here. Online banking, online shopping, cloud computing, remote services all are based on the <strike>fact</strike> assumption that SSL is secure. How would you feel going to bed every night when you know your front door lock can be easily picked?
<br><br>
The good news is that vendors have been working on patches to the problem for a few months now. The bad news is, so much of our Internet infrastructure utilizes SSL. It will be impossible to patch everything. I bet cyber criminals are also scrambling to come up with ways to exploit this vulnerability before the patches arrive. This is going to be a very interesting few months. Stay tuned.]]>
        
    </content>
</entry>

<entry>
    <title>Threat Lab Report: Troj.Downloader.JS.Agent.bgt</title>
    <link rel="alternate" type="text/html" href="http://prosecure.netgear.com/community/security-blog/2009/11/threat-lab-report-trojdownloaderjsagentbgt.php" />
    <id>tag:prosecure.netgear.com,2009:/community/security-blog//1.59</id>

    <published>2009-11-06T21:37:51Z</published>
    <updated>2009-11-06T21:39:05Z</updated>

    <summary>Description of Report (Troj.Downloader.JS.Agent.bgt): This malicious program exploits vulnerability CVE-2008-4699. The Peachtree Accounting ActiveX control (PAWWeb11.ocx) with CLSID:2BCEAECE-6121-4E78-816C-8CD3121361B0 is prone to a remote code-execution vulnerability. The vulnerability is caused due to the PAWWeb11.ocx ActiveX control containing the insecure method &quot;ExecutePreferredApplication()&quot;....</summary>
    <author>
        <name>Netgear Threat Lab</name>
        
    </author>
    
        <category term="Malware" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Netgear Threat Lab" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Viruses" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://prosecure.netgear.com/community/security-blog/">
        <![CDATA[Description of Report (Troj.Downloader.JS.Agent.bgt):
<br><br>
This malicious program exploits vulnerability CVE-2008-4699.<br>
The Peachtree Accounting ActiveX control (PAWWeb11.ocx) with CLSID:2BCEAECE-6121-4E78-816C-8CD3121361B0 is prone to a remote code-execution vulnerability. The vulnerability is caused due to the PAWWeb11.ocx ActiveX control containing the insecure method "ExecutePreferredApplication()". By persuading a victim to visit a specially-crafted Web page, an attacker could exploit this vulnerability to execute arbitrary code on the system with the privileges of the user. 
<br><br>
Affected Version: Peachtree Accounting 2004
]]>
        
    </content>
</entry>

<entry>
    <title>Trick or Treat - International Kill-A-Zombie Day</title>
    <link rel="alternate" type="text/html" href="http://prosecure.netgear.com/community/security-blog/2009/11/trick-or-treat---international-kill-a-zombie-day.php" />
    <id>tag:prosecure.netgear.com,2009:/community/security-blog//1.57</id>

    <published>2009-11-03T21:37:00Z</published>
    <updated>2009-11-03T22:06:06Z</updated>

    <summary> I hope everyone enjoyed their Halloween and their fair share of candy. And no, we are not talking about killing &quot;REAL&quot; zombies (the ones in flesh, or rotten flesh to be more exact) here. As we&apos;ve mentioned time and...</summary>
    <author>
        <name>Pete</name>
        
    </author>
    
        <category term="General" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Malware" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Spam" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://prosecure.netgear.com/community/security-blog/">
        <![CDATA[<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="Zombieland-3-528x376.jpg" src="http://prosecure.netgear.com/community/security-blog/Zombieland-3-528x376.jpg" width="528" height="376" class="mt-image-center" style="text-align: center; display: block; margin: 0 auto 20px;" /></span>
I hope everyone enjoyed their Halloween and their fair share of candy. And no, we are not talking about killing "REAL" zombies (the ones in flesh, or rotten flesh to be more exact) here. 
<br><br>
As we've mentioned <a href="http://prosecure.netgear.com/community/security-blog/2009/07/july-4th-ddos-attack-random-thoughts.php">time</a> and <a href="http://prosecure.netgear.com/community/security-blog/2009/08/twitter-facebook-under-seige.php">time</a> again, zombies are a growing problem in today's Internet. Once a PC has been infected, it joins the ranks of the fellow infected as zombies who respond to any command a hacker might give it. They are used to send spam (yes, the spam you get everyday comes from a zombie, NOT a mailman in cyberspace), carry out denial of service attacks, and many other mischievous deeds.
<br><br>
Our friends at <a href="http://www.sophos.com/blogs/gc/g/2009/10/29/kill-zombie-day">Sophos</a> have designated October 31st as the <strong>International Kill-A-Zombie Day</strong> (images of Resident Evil, Zombieland, and Night of the Living Dead just pop into my mind saying that). They've come out with two very interesting videos to promote zombie awareness. Have a look and join the fight!<br><br>

<object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/C6Jm_wAl668&rel=0&color1=0xb1b1b1&color2=0xcfcfcf&hl=en&feature=player_embedded&fs=1"></param><param name="allowFullScreen" value="true"></param><param name="allowScriptAccess" value="always"></param><embed src="http://www.youtube.com/v/C6Jm_wAl668&rel=0&color1=0xb1b1b1&color2=0xcfcfcf&hl=en&feature=player_embedded&fs=1" type="application/x-shockwave-flash" allowfullscreen="true" allowScriptAccess="always" width="425" height="344"></embed></object>

<object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/MXi_tKKePN4&rel=0&color1=0xb1b1b1&color2=0xcfcfcf&hl=en&feature=player_embedded&fs=1"></param><param name="allowFullScreen" value="true"></param><param name="allowScriptAccess" value="always"></param><embed src="http://www.youtube.com/v/MXi_tKKePN4&rel=0&color1=0xb1b1b1&color2=0xcfcfcf&hl=en&feature=player_embedded&fs=1" type="application/x-shockwave-flash" allowfullscreen="true" allowScriptAccess="always" width="425" height="344"></embed></object>]]>
        
    </content>
</entry>

<entry>
    <title>Threat Lab Report: Troj.Downloader.JS.Agent.eda</title>
    <link rel="alternate" type="text/html" href="http://prosecure.netgear.com/community/security-blog/2009/11/threat-lab-report-trojdownloaderjsagenteda.php" />
    <id>tag:prosecure.netgear.com,2009:/community/security-blog//1.56</id>

    <published>2009-11-03T21:34:05Z</published>
    <updated>2009-11-03T21:36:04Z</updated>

    <summary> Description of Report (Troj.Downloader.JS.Agent.eda): This malicious program exploits vulnerability CVE-2008-4728. The DeployRun.DeploymentSetup.1 (DeployRun.dll) ActiveX control with the CLSID:7F9B30F1-5129-4F5C-A76C-CE264A6C7D10 is prone to some vulnerabilities in the Hummingbird Deployment Wizard. The vulnerabilities are caused due to the DeployRun.DeploymentSetup.1 ActiveX control providing...</summary>
    <author>
        <name>Netgear Threat Lab</name>
        
    </author>
    
        <category term="Malware" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Netgear Threat Lab" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://prosecure.netgear.com/community/security-blog/">
        <![CDATA[ Description of Report (Troj.Downloader.JS.Agent.eda):
<br><br>
This malicious program exploits vulnerability CVE-2008-4728.<br>
The DeployRun.DeploymentSetup.1 (DeployRun.dll) ActiveX control with the CLSID:7F9B30F1-5129-4F5C-A76C-CE264A6C7D10 is prone to some vulnerabilities in the Hummingbird Deployment Wizard. The vulnerabilities are caused due to the DeployRun.DeploymentSetup.1 ActiveX control providing insecure "Run()", "SetRegistryValueAsString()", and "PerformUpdateAsync()" methods. The vulnerabilities allow remote attackers to execute arbitrary programs via the Run() and PerformUpdateAsync() methods, and modify arbitrary registry values via the SetRegistryValueAsString() method. 
<br><br>
Affected Version: Hummingbird Deployment Wizard 2008
]]>
        
    </content>
</entry>

<entry>
    <title>This Week in Phishing</title>
    <link rel="alternate" type="text/html" href="http://prosecure.netgear.com/community/security-blog/2009/10/this-week-in-phishing.php" />
    <id>tag:prosecure.netgear.com,2009:/community/security-blog//1.55</id>

    <published>2009-10-30T23:59:09Z</published>
    <updated>2009-10-31T00:09:39Z</updated>

    <summary> I just received this email in my Yahoo mailbox: What do you guys think? Should I email Mrs. Elizabeth and claim my 11 million? I could really use the extra cash right now....</summary>
    <author>
        <name>Pete</name>
        
    </author>
    
        <category term="General" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Phishing" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Spam" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://prosecure.netgear.com/community/security-blog/">
        <![CDATA[ I just received this email in my Yahoo mailbox:
<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="Atm=822-spam_.png" src="http://prosecure.netgear.com/community/security-blog/Atm%3D822-spam_.png" width="526" height="572" class="mt-image-center" style="text-align: center; display: block; margin: 0 auto 20px;" /></span>
What do you guys think? Should I email Mrs. Elizabeth and claim my 11 million?
<br><br>
I could really use the extra cash right now.
]]>
        
    </content>
</entry>

<entry>
    <title>Threat Lab Q3 Report: Malware and Phishing Web Sites</title>
    <link rel="alternate" type="text/html" href="http://prosecure.netgear.com/community/security-blog/2009/10/threat-lab-q3-report-malware-and-phishing-web-sites.php" />
    <id>tag:prosecure.netgear.com,2009:/community/security-blog//1.54</id>

    <published>2009-10-30T22:16:07Z</published>
    <updated>2009-10-30T22:33:36Z</updated>

    <summary>Based on data collected in Q3 2009, we found that business related sites were most likely to host malware. Pornography and sexually explicit sites came in at number 2 this quarter. As a sign of the economic times, real estate,...</summary>
    <author>
        <name>Netgear Threat Lab</name>
        
    </author>
    
        <category term="Malware" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Netgear Threat Lab" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Phishing" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://prosecure.netgear.com/community/security-blog/">
        <![CDATA[Based on data collected in Q3 2009, we found that business related sites were most likely to host malware. Pornography and sexually explicit sites came in at number 2 this quarter. As a sign of the economic times, real estate, shopping, and travel sites also made the top 10.
<br><br>
<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="top-10-malware-q3-2009.png" src="http://prosecure.netgear.com/community/security-blog/top-10-malware-q3-2009.png" width="527" height="311" class="mt-image-center" style="text-align: center; display: block; margin: 0 auto 20px;" /></span>
As for sites manipulated by phishing, health & medicine related sites still top the list, followed closely by sex education and finance. The rest of the top 10 contained no surprises; however, we do see a drop in social networking phishing sites. That may be due to more awareness of such sites being exploited for phishing.
<br><br>
<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="top-10-phishing-q3-2009.png" src="http://prosecure.netgear.com/community/security-blog/top-10-phishing-q3-2009.png" width="525" height="309" class="mt-image-center" style="text-align: center; display: block; margin: 0 auto 20px;" /></span>]]>
        
    </content>
</entry>

<entry>
    <title>Threat Lab Q3 Report: Spam</title>
    <link rel="alternate" type="text/html" href="http://prosecure.netgear.com/community/security-blog/2009/10/threat-lab-q3-report-spam.php" />
    <id>tag:prosecure.netgear.com,2009:/community/security-blog//1.53</id>

    <published>2009-10-30T22:01:06Z</published>
    <updated>2009-10-30T22:07:55Z</updated>

    <summary> In Q3, Pharmacy spam returned to the top spot with 68% of all spam messages. Last quarter&apos;s top spam subject, enhancers, fell from 46.2% to 11% of all spam messages this quarter. Spam levels averaged 83% of all email...</summary>
    <author>
        <name>Netgear Threat Lab</name>
        
    </author>
    
        <category term="Netgear Threat Lab" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Spam" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://prosecure.netgear.com/community/security-blog/">
        <![CDATA[<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="Q3-2009-spam.jpg" src="http://prosecure.netgear.com/community/security-blog/Q3-2009-spam.jpg" width="475" height="156" class="mt-image-center" style="text-align: center; display: block; margin: 0 auto 20px;" /></span>
In Q3, Pharmacy spam returned to the top spot with 68% of all spam messages. Last quarter's top spam subject, enhancers, fell from 46.2% to 11% of all spam messages this quarter.
<br><br>
<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="Q3-2009-spam-levels.jpg" src="http://prosecure.netgear.com/community/security-blog/Q3-2009-spam-levels.jpg" width="449" height="329" class="mt-image-center" style="text-align: center; display: block; margin: 0 auto 20px;" /></span>
Spam levels averaged 83% of all email traffic throughout the quarter, peaking at 97% in July and bottoming out at 71% in August.
<br><br>
Source: Commtouch Labs]]>
        
    </content>
</entry>

<entry>
    <title>Threat Lab Q3 Report: Pharma spam masquerading as Facebook message</title>
    <link rel="alternate" type="text/html" href="http://prosecure.netgear.com/community/security-blog/2009/10/threat-lab-q3-report-pharma-spam-masquerading-as-facebook-message.php" />
    <id>tag:prosecure.netgear.com,2009:/community/security-blog//1.52</id>

    <published>2009-10-30T21:48:57Z</published>
    <updated>2009-10-30T21:58:25Z</updated>

    <summary>Spammers are continually looking for ways to hide their true identity to bypass content filters, and ways to employ social engineering to bypass human filters (i.e., judgment) that can often distinguish if something is spam just by looking at it....</summary>
    <author>
        <name>Netgear Threat Lab</name>
        
    </author>
    
        <category term="Netgear Threat Lab" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Phishing" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://prosecure.netgear.com/community/security-blog/">
        <![CDATA[Spammers are continually looking for ways to hide their true identity to bypass content filters, and ways to employ social engineering to bypass human filters (i.e., judgment) that can often distinguish if something is spam just by looking at it. The message pictured here was circulated in the third quarter.
<br><br>
<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="Q3-2009-Internet-Threats-Trend-Report.png" src="http://prosecure.netgear.com/community/security-blog/Q3-2009-Internet-Threats-Trend-Report.png" width="491" height="437" class="mt-image-center" style="text-align: center; display: block; margin: 0 auto 20px;" /></span>
This message, with its familiar blue header, was designed to fool people and spam filters that may not properly identify image-based spam, since all the actual content was in an image. The image itself is typically blocked by email clients like Microsoft Outlook until the user downloads the image. However, since the email appears to be legitimate, the user may download the image, revealing that it is actually pharmaceutical spam. The only content that text-based filters can identify in such a message is the traditional Facebook text, such as "if you do not wish to receive this type of Facebook mail in the future", making it appear legitimate.
<br><br>
The message was not actually sent from Facebook - if it had been, the return address would have been Facebook, and not "Tammi Manley". Also, all the links within the message, such as "Unsubscribe" and "More info", lead to the pharmaceuticals site pictured in the advertisement.
<br><br>
Source: Commtouch Labs]]>
        
    </content>
</entry>

<entry>
    <title>AV-Test /Tolly Report: UTM Virus Detection Comparison</title>
    <link rel="alternate" type="text/html" href="http://prosecure.netgear.com/community/security-blog/2009/10/av-test-tolly-report-utm-virus-detection-comparison.php" />
    <id>tag:prosecure.netgear.com,2009:/community/security-blog//1.51</id>

    <published>2009-10-30T00:05:03Z</published>
    <updated>2009-10-30T00:43:29Z</updated>

    <summary> AV-Test.org and Tolly have released their UTM virus detection comparison report. In the report the ProSecure UTM10 was pitted against all-in-one solutions from Sonicwall, Fortinet, and Watchguard. The test consisted of two parts: 1. Wildlist malware detection 2. Zoo...</summary>
    <author>
        <name>Pete</name>
        
    </author>
    
        <category term="General" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Malware" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Viruses" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://prosecure.netgear.com/community/security-blog/">
        <![CDATA[ <a href="http://www.av-test.org/">AV-Test.org</a> and <a href="http://www.tolly.com/">Tolly</a> have released their UTM virus detection comparison <a href="http://prosecure.netgear.com/pdf/tolly-209131-prosecure-utm-10.pdf">report</a>. In the report the ProSecure UTM10 was pitted against all-in-one solutions from Sonicwall, Fortinet, and Watchguard. 
<br><br>
The test consisted of two parts: 
<br><br>
1. Wildlist malware detection
<br><br>
<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="wildlist.png" src="http://prosecure.netgear.com/community/security-blog/wildlist.png" width="500" height="457" class="mt-image-center" style="text-align: center; display: block; margin: 0 auto 20px;" /></span>
2. Zoo malware detection
<br><br>
<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="zoo.png" src="http://prosecure.netgear.com/community/security-blog/zoo.png" width="415" height="499" class="mt-image-center" style="text-align: center; display: block; margin: 0 auto 20px;" /></span>
The results really highlight the lack of emphasis on the "security" aspect of existing all-in-one solutions.
<br><br>
While we see a big emphasis being put on throughput, the truth is, throughput from existing multifunction firewalls is fine at our current WAN connection speeds - even with all security enabled. 
<br><br>
<strong>What you need is better protection. </strong>
<br><br> 
And our ProSecure UTM was architected from the ground up to provide you just that.
<br><br>
You can download the full report <a href="http://prosecure.netgear.com/pdf/tolly-209131-prosecure-utm-10.pdf">here</a>.

]]>
        
    </content>
</entry>

<entry>
    <title>Threat Lab Report: Troj.Downloader.JS.Agent.edg</title>
    <link rel="alternate" type="text/html" href="http://prosecure.netgear.com/community/security-blog/2009/10/threat-lab-report-trojdownloaderjsagentedg.php" />
    <id>tag:prosecure.netgear.com,2009:/community/security-blog//1.50</id>

    <published>2009-10-27T00:28:53Z</published>
    <updated>2009-10-27T00:30:24Z</updated>

    <summary>Description of Report (Troj.Downloader.JS.Agent.edg): The Office OCX Word Viewer OCX ActiveX control with the CLSID:97AF4A45-49BE-4485-9F55-91AB40F288F2 is prone to a remote code-execution vulnerability. The vulnerability is caused due to the use of the insecure OpenWebFile() method. By persuading a victim to...</summary>
    <author>
        <name>Netgear Threat Lab</name>
        
    </author>
    
        <category term="Malware" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Netgear Threat Lab" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Viruses" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://prosecure.netgear.com/community/security-blog/">
        <![CDATA[Description of Report (Troj.Downloader.JS.Agent.edg):
<br><br>
The Office OCX Word Viewer OCX ActiveX control with the CLSID:97AF4A45-49BE-4485-9F55-91AB40F288F2 is prone to a remote code-execution vulnerability. The vulnerability is caused by the use of the insecure OpenWebFile() method. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to download arbitrary executable files to the victim's system and execute arbitrary code on the system with the privileges of the victim.
<br><br>
Affected Version: Office OCX Word Viewer OCX 3.2]]>
        
    </content>
</entry>

<entry>
    <title>ProSecure UTM Obtains ICSA Labs Anti-virus Certification</title>
    <link rel="alternate" type="text/html" href="http://prosecure.netgear.com/community/security-blog/2009/10/prosecure-utm-obtains-icsa-labs-anti-virus-certification.php" />
    <id>tag:prosecure.netgear.com,2009:/community/security-blog//1.49</id>

    <published>2009-10-23T08:08:34Z</published>
    <updated>2009-10-23T08:22:21Z</updated>

    <summary> I&apos;m proud to announce that the ProSecure UTM has passed ICSA Labs Anti-virus certification. This is the third certification it has passed in the past month (the other two being West Coast Labs Checkmark and VPNC). For any new...</summary>
    <author>
        <name>Pete</name>
        
    </author>
    
        <category term="General" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://prosecure.netgear.com/community/security-blog/">
        <![CDATA[<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="ICSA_Cert_Anti-Virus_2C_200DPI_550x375.gif" src="http://prosecure.netgear.com/community/security-blog/ICSA_Cert_Anti-Virus_2C_200DPI_550x375.gif" width="440" height="300" class="mt-image-center" style="text-align: center; display: block; margin: 0 auto 20px;" /></span>

I'm proud to announce that the ProSecure UTM has passed ICSA Labs Anti-virus certification.
This is the third certification it has passed in the past month (the other two being West Coast Labs Checkmark and VPNC). 
<br><br>
For any new security vendor, the biggest challenge is always the initial step of proving your legitimacy in this space, and this is one step forward for us in this regard. Our mission is to provide all businesses with the protection they need in today's Internet, and we will continue to push towards that goal.]]>
        
    </content>
</entry>

<entry>
    <title>Windows 7 is Live</title>
    <link rel="alternate" type="text/html" href="http://prosecure.netgear.com/community/security-blog/2009/10/windows-7-is-live.php" />
    <id>tag:prosecure.netgear.com,2009:/community/security-blog//1.48</id>

    <published>2009-10-22T15:43:54Z</published>
    <updated>2009-10-22T16:13:52Z</updated>

    <summary> Windows 7 is finally here. I&apos;ve been using the beta version for a few months now and have been anxiously waiting to get rid of Vista (I still ran XP or Linux on most of my machines but switched...</summary>
    <author>
        <name>Pete</name>
        
    </author>
    
        <category term="General" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://prosecure.netgear.com/community/security-blog/">
        <![CDATA[ <span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="windows-7-logo-300x300.jpg" src="http://prosecure.netgear.com/community/security-blog/windows-7-logo-300x300.jpg" width="300" height="300" class="mt-image-center" style="text-align: center; display: block; margin: 0 auto 20px;" /></span>

Windows 7 is finally here. I've been using the beta version for a few months now and have been anxiously waiting to get rid of Vista (I still ran XP or Linux on most of my machines but switched to Vista on my main at home). My two copies should be arriving in the mail today so I should have everything up and running tonight when I get home.
<br><br>
You can bet that cyber criminals will begin shifting (if they haven't already done so) to Windows 7 as their primary OS of choice and that we'll begin to see malware specifically targeting Win7 en masse soon. Only time will tell if Win7 effectively protects users from malware better than previous Microsoft OSes.
<br><br>
On another note, I'll be trying out <a href="http://www.microsoft.com/security_essentials/">Microsoft Security Essentials</a> (basically free AV from Microsoft) soon, and seeing how it stacks up against offerings from Kaspersky, Symantec, McAfee, etc.]]>
        
    </content>
</entry>

</feed>
