Security Response

Phish ‘n’ Exploit

Created: 21 Feb 2008 08:00:00 GMT • Updated: 23 Jan 2014 18:42:08 GMT
By Nishant Doshi

How many of us click on the links sent to us by trusted friends? Does the trust implicitly extend to the links they are sending? This trust is precisely what phishers take advantage of. Traditionally phishers have mainly used instant messaging (IM) and email to take advantage of the average user. However, with the rise in social networking sites the phishers have bought themselves a brand new playing field.

Symantec has recently observed millions of user profiles of a certain social networking site carrying malicious links. Here is an example of one of them:

[Image: comments1.JPG]

The interesting thing here is that the malicious link appears to be a comment from a trusted friend. In most cases the trusted friend is not the perpetrator behind these attacks. The most likely scenario is that the trusted friend’s social networking site credentials have been compromised and used by the phishers to post malicious comments to everyone in the compromised contact list. In an earlier blog, Web 2.0 - Copy and Paste, I discussed some ways in which the user's credentials could have been compromised.

With some more research we discovered more than five million user profiles carrying these malicious links:

[Image: infectedprofiles.JPG]

Another interesting thing to note here is the anatomy of the link. The phishers registered a domain similar to the legitimate link that would have been used on that social networking site, except that they replaced slashes with dots. This could fool even the savviest user, because the links look “almost” legitimate.
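The slashes-to-dots trick can be caught mechanically: if the hostname begins with the legitimate site's domain but the registrable part (the last two labels) belongs to someone else, the "path" has been folded into the hostname. The following Python is an added example written for this post, not Symantec's code; the domain `socialsite.example`, the registrable-domain logic (which ignores public-suffix rules such as `co.uk`) and the sample comment are all constructed placeholders.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed placeholder: the domain(s) the social networking site really uses.
LEGITIMATE_DOMAINS = {"socialsite.example"}

# Matches http(s) URLs and bare hostnames with an optional path.
URL_RE = re.compile(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/[^\s<>\"']*)?", re.I)

# Constructed sample: one comment body as it might appear on a compromised profile.
SAMPLE_COMMENT = (
    "hey check this out http://socialsite.example.profile.comments.attacker.test/view?id=1 "
    "and my real page http://www.socialsite.example/profile"
)


def _host(url: str) -> str:
    """Lower-cased hostname of a URL; a bare hostname is accepted too."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels of the hostname. Naive (no public-suffix list), which is
    enough to show the check; use a public-suffix library in production."""
    return ".".join(host.split(".")[-2:])


def is_lookalike(url: str, legit_domains=LEGITIMATE_DOMAINS) -> bool:
    """True when the host is NOT a legitimate domain but embeds one (or its
    brand label) in front of some other registrable domain."""
    host = _host(url)
    if not host or registrable_domain(host) in legit_domains:
        return False  # genuinely on the legitimate site, or unparsable
    labels = host.split(".")
    for legit in legit_domains:
        brand = legit.split(".")[0]
        # The legitimate domain is a prefix of the hostname, or the brand label
        # appears somewhere before the attacker-controlled registrable domain.
        if host.startswith(legit + ".") or brand in labels[:-2]:
            return True
    return False


def mimicked_url(url: str, legit_domains=LEGITIMATE_DOMAINS) -> Optional[str]:
    """For a dots-for-slashes lookalike, reconstruct the legitimate URL the
    hostname imitates (labels between the brand domain and the registrable
    domain become path segments). None if the URL is not such a lookalike."""
    host = _host(url)
    if not host or registrable_domain(host) in legit_domains:
        return None
    labels = host.split(".")
    for legit in legit_domains:
        legit_labels = legit.split(".")
        n = len(legit_labels)
        if labels[:n] == legit_labels and len(labels) >= n + 2:
            path = "/".join(labels[n:-2])
            return f"http://{legit}/{path}"
    return None


def scan_comment(text: str, legit_domains=LEGITIMATE_DOMAINS) -> list:
    """Return every lookalike link found in a comment body."""
    return [m.group(0) for m in URL_RE.finditer(text)
            if is_lookalike(m.group(0), legit_domains)]


if __name__ == "__main__":
    for link in scan_comment(SAMPLE_COMMENT):
        print(f"lookalike: {link}  (imitates {mimicked_url(link)})")
```

`mimicked_url` is useful when triaging a flagged link: it shows an analyst which legitimate page the attacker was imitating, which is usually the page the victim expected to land on.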

It turns out that just plain old phishing wasn’t good enough for the phishers and they decided to add a few exploits to the mix. So, upon visiting the site the user not only gets phished, but is also served a variety of exploits.

The exploits are obfuscated and exploit the following vulnerabilities:

• MS06-14 (MDAC Create Object)
• BID 21060 (WinZip FileViewCtrl)
• BID 19030 (WebViewFolderIcon)
• BID 21829 (Apple QuickTime RTSP)

Here is a snapshot of what the exploit looks like on de-obfuscation:

Symantec has built a number of excellent Web-browsing protections into our Norton 2008 products. The Web protection is immune to script obfuscation and masquerading and identifies the signatures of known Internet Explorer browser vulnerabilities. It also blocks exploits using these vulnerability signatures as soon as they are released. All of these exploits were detected by Symantec’s browser protection solution and intrusion prevention solution.

So, the moral of this blog is to trust your friend but not all of the links that are sent your way!