Security Blog

 

Recently in Netgear Threat Lab Category

November 17, 2009
Threat Lab Report: The First iPhone Worm Hits the Mobile Scene

With the iPhone a hit in the smartphone market, network security researchers warned that its popularity would lead cyber-criminals to take an interest in mobile phones. With their increased horsepower and functionality, smartphones are essentially mini computers. We all know the types of threats and vulnerabilities computers face, and our phones are no exception.

Recently, some iPhone users were attacked by a worm, the first of its kind found on the iPhone. The worm automatically replaces the iPhone wallpaper with a photo of 80's pop singer Rick Astley and displays the message "ikee is never going to give you up", but stops there and performs no further attacks on the iPhone. The worm was written by Ashley Towns, a 21-year-old Australian hacker, who said he produced it to make iPhone users realize the risks of not changing the default root password.

However, only jailbroken iPhones are vulnerable to the worm. Jailbreaking is a process that allows iPhone and iPod Touch users to run homebrew apps on their devices by bypassing Apple's App Store. Once jailbroken, iPhone users are able to download homebrew applications as well as cracked applications through unofficial installers such as Cydia, Rock App, Icy, and Installer. Jailbroken iPhones are eligible for technical support, and Apple has many times prevented users from cracking their iPhones through software upgrades. Apple also noted that jailbreaking an iPhone is illegal. Users who jailbroke their iPhone, installed SSH, and did not change the default root password "alpine" were found with the worm. Once a device is infected, the worm searches for and attempts to spread to other jailbroken iPhones on the same network. Users can mitigate this threat by changing their iPhone's default password.

Prior to this incident, iPhone users had already been the target of attacks. A week earlier, Dutch users received messages from an attacker warning of a security vulnerability in their phones and requesting that each donate 5 Euros to a PayPal account. The attacker has since apologized and provided a fix. This is an example of an attacker exploiting the same flaw, but not in the form of a virus or worm.

Posted by: Netgear Threat Lab at 10:13 AM
Categories: Netgear Threat Lab , Malware

 

November 10, 2009
Threat Lab Report: TLS/SSL 3.0 Vulnerability Announced

At the Black Hat conference held in Las Vegas in August of this year, security experts disclosed many holes in the SSL encryption protocol, the very protocol that secures most Internet communications. On November 4th, security researchers Marsh Ray and Steve Dispensa of PhoneFactor publicly disclosed a vulnerability in TLS/SSL that allows Man-in-the-Middle (MITM) attacks.

The vulnerability has the following characteristics:
1. It is a vulnerability in the protocol itself and is not limited to certain applications
2. There is no concrete solution as of yet; vendor patches are still pending
3. It affects a multitude of upper-layer protocols, including HTTPS, IMAP, SIP, etc.

Man-in-the-Middle attacks (MITM attacks) are "indirect" attacks in which the attacker, through a variety of technical means, gains access to the network communications between two computers. The attacker's computer is the "middleman." It masquerades as one or both of the victim computers so that it can establish an active connection with each of them. The middleman can then read or tamper with the communications between the two victims, while the two victims still believe they are talking directly to each other. This type of attack is not easy to detect; it has long been used by hackers and is still commonly used today to gain access to data or cause harm.

OpenSSL has already released a patch, but it does not fix the flaw in the protocol itself; it only turns off renegotiation by default. Users can obtain this patch from OpenSSL's official website: http://www.openssl.org/source/
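To make concrete why the OpenSSL patch simply refuses renegotiation, here is an added model (not code from this post or from OpenSSL) of a server deciding whether to accept a renegotiating hello on an existing connection. It assumes the later RFC 5746 fix (published February 2010, after this post), which binds each renegotiation to the verify_data of the handshake it follows; `Connection`, `handle_renegotiation` and `spliced_stream` are illustrative names.

```python
import os
from dataclasses import dataclass


@dataclass
class Connection:
    """Server-side view of one TLS connection (a model, not a real TLS stack)."""
    allow_renegotiation: bool   # False: refuse every renegotiation, as the OpenSSL patch does by default
    require_binding: bool       # True: demand the RFC 5746 renegotiation_info binding
    verify_data: bytes          # client Finished value of the handshake that opened this connection
    received: bytes = b""       # application data the server has accepted on this connection


def handle_renegotiation(conn: Connection, client_renego_info: bytes, new_verify_data: bytes) -> bool:
    """Decide whether a renegotiating ClientHello is accepted on an existing connection.

    client_renego_info is what the hello carries in its renegotiation_info extension:
    the previous client verify_data if the sender took part in the first handshake,
    or empty if the sender believes it is opening a fresh connection.
    """
    if not conn.allow_renegotiation:
        return False                        # policy: drop the connection rather than renegotiate
    if conn.require_binding and client_renego_info != conn.verify_data:
        return False                        # peer cannot prove it saw the first handshake
    conn.verify_data = new_verify_data      # the binding chain continues from the new handshake
    return True


def spliced_stream(allow_renegotiation: bool, require_binding: bool):
    """Model the flawed situation: the party that opened the connection sends some bytes,
    then a different party's handshake is spliced in as a renegotiation.
    Returns the stream the server attributes to one peer, or None if it refuses."""
    conn = Connection(allow_renegotiation, require_binding, verify_data=os.urandom(12))
    conn.received += b"<bytes from the party that opened the connection>"
    # The second party never saw the first handshake, so its hello carries an empty binding.
    if not handle_renegotiation(conn, client_renego_info=b"", new_verify_data=os.urandom(12)):
        return None
    conn.received += b"<bytes from the second party>"
    return conn.received   # one merged stream attributed to a single peer: the flaw the post describes


def legitimate_renegotiation(conn: Connection) -> bool:
    """The original peer renegotiates and echoes the verify_data it holds; accepted
    under any policy that allows renegotiation at all, including the bound one."""
    return handle_renegotiation(conn, client_renego_info=conn.verify_data, new_verify_data=os.urandom(12))
```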

Posted by: Netgear Threat Lab at 1:08 PM
Categories: Netgear Threat Lab

 

November 6, 2009
Threat Lab Report: Troj.Downloader.JS.Agent.bgt

Description of Report (Troj.Downloader.JS.Agent.bgt):

This malicious program exploits vulnerability CVE-2008-4699.
The Peachtree Accounting ActiveX control (PAWWeb11.ocx) with CLSID 2BCEAECE-6121-4E78-816C-8CD3121361B0 is prone to a remote code-execution vulnerability. The vulnerability is caused by the PAWWeb11.ocx ActiveX control exposing the insecure method "ExecutePreferredApplication()". By persuading a victim to visit a specially-crafted Web page, an attacker could exploit this vulnerability to execute arbitrary code on the system with the privileges of the user.

Affected Version: Peachtree Accounting 2004

Posted by: Netgear Threat Lab at 1:37 PM
Categories: Malware , Netgear Threat Lab , Viruses

 

November 3, 2009
Threat Lab Report: Troj.Downloader.JS.Agent.eda

Description of Report (Troj.Downloader.JS.Agent.eda):

This malicious program exploits vulnerability CVE-2008-4728.
The DeployRun.DeploymentSetup.1 ActiveX control (DeployRun.dll) with CLSID 7F9B30F1-5129-4F5C-A76C-CE264A6C7D10 in Hummingbird Deployment Wizard is prone to several vulnerabilities. They are caused by the DeployRun.DeploymentSetup.1 ActiveX control exposing the insecure "Run()", "SetRegistryValueAsString()", and "PerformUpdateAsync()" methods. The vulnerabilities allow remote attackers to execute arbitrary programs via the Run() and PerformUpdateAsync() methods, and to modify arbitrary registry values via the SetRegistryValueAsString() method.

Affected Version: Hummingbird Deployment Wizard 2008

Posted by: Netgear Threat Lab at 1:34 PM
Categories: Malware , Netgear Threat Lab

 

October 30, 2009
Threat Lab Q3 Report: Malware and Phishing Web Sites

Based on data collected in Q3 2009, we found that business related sites were most likely to host malware. Pornography and sexually explicit sites came in at number 2 this quarter. As a sign of the economic times, real estate, shopping, and travel sites also made the top 10.

As for sites manipulated for phishing, health & medicine related sites still top the list, followed closely by sex education and finance. The rest of the top 10 contained no surprises; however, we do see a drop in social networking phishing sites. That may be due to greater awareness that such sites are being exploited for phishing.

[Figure: top 10 phishing site categories, Q3 2009]

Posted by: Netgear Threat Lab at 3:16 PM
Categories: Malware , Netgear Threat Lab , Phishing

 

October 30, 2009
Threat Lab Q3 Report: Spam

In Q3, pharmacy spam returned to the top spot with 68% of all spam messages. Last quarter's top spam subject, enhancers, fell from 46.2% to 11% of all spam messages this quarter.

Spam levels averaged 83% of all email traffic throughout the quarter, peaking at 97% in July and bottoming out at 71% in August.

Source: Commtouch Labs

Posted by: Netgear Threat Lab at 3:01 PM
Categories: Netgear Threat Lab , Spam

 

October 30, 2009
Threat Lab Q3 Report: Pharma spam masquerading as Facebook message

Spammers are continually looking for ways to hide their true identity to bypass content filters, and for ways to employ social engineering to bypass human filters (i.e., judgment), which can often tell that something is spam just by looking at it. The message pictured here was circulated in the third quarter.

This message, with its familiar blue header, was designed to fool people and spam filters that may not properly identify image-based spam, since all the actual content was in an image. The image itself is typically blocked by email clients such as Microsoft Outlook until the user downloads it. However, since the email appears to be legitimate, the user may download the image, revealing that it is actually pharmaceutical spam. The only content that text-based filters can identify in such a message is the traditional Facebook text, such as "if you do not wish to receive this type of Facebook mail in the future", which makes it appear legitimate.

The message was not actually sent from Facebook; if it had been, the return address would have been Facebook's, and not "Tammi Manley". Also, all the links within the message, such as "Unsubscribe" and "More info", lead to the pharmaceuticals site pictured in the advertisement.

Source: Commtouch Labs

Posted by: Netgear Threat Lab at 2:48 PM
Categories: Netgear Threat Lab , Phishing

 

October 26, 2009
Threat Lab Report: Troj.Downloader.JS.Agent.edg

Description of Report (Troj.Downloader.JS.Agent.edg):

The Office OCX Word Viewer OCX ActiveX control with CLSID 97AF4A45-49BE-4485-9F55-91AB40F288F2 is prone to a remote code-execution vulnerability. The vulnerability is caused by the insecure OpenWebFile() method. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to download arbitrary executable files to the victim's system and execute arbitrary code on the system with the privileges of the victim.

Affected Version: Office OCX Word Viewer OCX 3.2
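A defender's first response to reports like this one and the Troj.Downloader.JS.Agent.eda and .bgt reports above is to set the Internet Explorer kill bit for the affected CLSIDs, so IE refuses to instantiate the control no matter which page asks for it. The following is an added example, not code from the reports, that validates the three CLSIDs quoted in those reports and emits a .reg file setting the documented Compatibility Flags kill bit (0x400) under the ActiveX Compatibility key; REPORTED_CLSIDS, normalize_clsid, kill_bit_set and kill_bit_reg are illustrative names.

```python
import re

# The Compatibility Flags bit that stops Internet Explorer from instantiating a control.
KILL_BIT = 0x00000400

# CLSIDs quoted in the three Threat Lab reports (PAWWeb11.ocx, DeployRun.dll, Office OCX Word Viewer).
REPORTED_CLSIDS = [
    "2BCEAECE-6121-4E78-816C-8CD3121361B0",
    "7F9B30F1-5129-4F5C-A76C-CE264A6C7D10",
    "97AF4A45-49BE-4485-9F55-91AB40F288F2",
]

_CLSID_RE = re.compile(r"^\{?([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}?$")

_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
_ROOT_WOW64 = r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility"


def normalize_clsid(clsid: str) -> str:
    """Accept a CLSID with or without braces, in any case; return the braced upper-case form."""
    m = _CLSID_RE.match(clsid.strip())
    if not m:
        raise ValueError(f"not a CLSID: {clsid!r}")
    return "{" + m.group(1).upper() + "}"


def kill_bit_set(flags: int) -> bool:
    """True if an existing Compatibility Flags value already carries the kill bit."""
    return bool(flags & KILL_BIT)


def kill_bit_reg(clsids, wow64: bool = True) -> str:
    """Build the text of a .reg file that sets the kill bit for every CLSID given.

    wow64=True also writes the Wow6432Node key, which 32-bit IE on 64-bit Windows reads.
    """
    roots = [_ROOT, _ROOT_WOW64] if wow64 else [_ROOT]
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        braced = normalize_clsid(clsid)
        for root in roots:
            lines.append(f"[{root}\\{braced}]")
            lines.append(f'"Compatibility Flags"=dword:{KILL_BIT:08x}')
            lines.append("")
    return "\n".join(lines)
```

Import the generated file with regedit on an affected machine, or read the existing value with winreg and pass it to kill_bit_set to audit whether the bit is already in place.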

Posted by: Netgear Threat Lab at 5:28 PM
Categories: Malware , Netgear Threat Lab , Viruses

 

October 12, 2009
Threat Lab Report: New Adobe Vulnerability Prevention Tips

Adobe officials have confirmed that a new vulnerability exists in the Windows, Macintosh and Unix versions of Adobe Reader and Acrobat 9.1.3 and earlier (CVE-2009-3459). Adobe Reader and Acrobat 9.1.3 users running Windows Vista with DEP enabled should be protected from the vulnerability. Turning off JavaScript in Adobe Reader and Acrobat also avoids the code affected by this attack; the steps to disable JavaScript are as follows:

1. Run Acrobat or Adobe Reader
2. Go to Edit -> Preferences
3. Select the "JavaScript" category
4. Uncheck the "Enable Acrobat JavaScript" option
5. Click "OK"

Vendor solution:
Adobe will release a corresponding patch on 2009-10-13. Users should contact the vendor to obtain the appropriate patch:

Posted by: Netgear Threat Lab at 12:25 AM
Categories: Malware , Netgear Threat Lab

 

August 28, 2009
Microsoft Announces August Security Patches

Microsoft announced 9 security patches in August. Of the 9, 5 were rated "Critical", including a fix for the mass-exploited Office "memory corruption" zero-day vulnerability, as well as another serious Windows security hole affecting Mac users.

This security update (MS09-043) not only fixes a security vulnerability in multiple versions of Office, but also covers Visual Studio .NET 2003 SP1, ISA Server 2004 SP3 / 2006 SP1, BizTalk Server 2002 and other Microsoft products, thereby reducing the number of users of these products at risk of remote code execution attacks.

On July 14th Microsoft released an emergency update, immediately available to customers worldwide, numbered 973472. This security bulletin recognizes that some versions of the Office Web Components ActiveX control (used mainly for displaying Web pages, publishing forms, charts and databases) contained loopholes that hackers could exploit by constructing a malicious Web page (a "trojan-embedded" or drive-by download page) to gain control of the visitor's computer and execute arbitrary code. To date, several million Web pages have been used by hackers to exploit this Office loophole. We are able to detect and deal with this specifically crafted Trojan; the virus is named Trojan.Win32.Monder.cqjp in our virus library.

The release containing the fix for the aforementioned Office memory corruption vulnerability also contained eight other patches for Windows 2000, XP, Vista, and even Windows Server 2008, as well as fixes for dozens of security vulnerabilities in applications such as Outlook Express and Windows Media Player. These vulnerabilities may lead to remote code execution, privilege escalation, denial-of-service attacks, and other hacker attacks.

With the Black Hat and DefCon security conferences taking place earlier this month in Las Vegas, there was a large gathering of the world's hackers disclosing and sharing all kinds of information on security vulnerabilities. We expect this to dramatically amplify the number of potential threats on the global Internet. Microsoft seems to have taken notice too, as shown by the increased intensity of its August security updates.

Posted by: Netgear Threat Lab at 2:06 PM
Categories: General , Netgear Threat Lab

 
