Symantec Blogs: Security Response

Eric Chien | February 2nd, 2009

If you were searching the Internet for videos of the American Idol TV show, you might have received a bigger dose of reality than you were expecting. Unfortunately, one of the more popular video link aggregators was hosting infected advertisements on their site. 

Advertising networks are a popular platform with malicious code authors trying to gain widespread distribution of their malware. They provide the advertising network with a URL that is supposed to point to their advertisement, but instead of only displaying an ad, it redirects users to a rogue website. In this case, the advertisement was redirecting Web browsers to a PDF file that was using the Adobe Reader 'util.printf()' JavaScript Function Stack Buffer Overflow Vulnerability to install a malicious executable on the browser’s host system. (Please note that this vulnerability is resolved in Adobe Reader 8.1.3 and Adobe Reader...

Eric Chien | July 4th, 2007

The MPack toolkit has received a fair amount of media attention, causing it to become one of the most desired Web browser exploit toolkits in the underground hacker scene. The original author was selling the MPack toolkit for $1000 USD, including a year of free support, and additional exploit modules for around $100 USD.

However, considering the toolkit is written in a script language, it is easy to redistribute and modify. The toolkit is being sold by others now for as low as $150 USD. That is a whopping 85% off. Talk about a clearance sale. The sellers likely didn't even need to buy it themselves, but rather probably found some of the multiple Web sites that did not employ standard Web site protections, allowing them to download the whole kit for free.

With the toolkit available in the underground scene and even available to almost anyone for a mere...

Eric Chien | June 14th, 2007

Just hours after Apple released Safari for Windows and I wrote about the potential for associated exploits, multiple exploits have been released. This currently includes:

Apple Safari for Windows Protocol Handler Command Injection Vulnerability (BID 24434)
Apple Safari for Windows Unspecified Denial of Service Vulnerability (BID 24431)
Apple Safari for Windows Unspecified Remote Code Execution and Denial of Service Vulnerabilities (BID 24433)

Details on the first one have already been released publicly and the other two have been reportedly disclosed to Apple. We have not seen these being used maliciously in...

Eric Chien | January 30th, 2007

We have received some additional Word documents that exploit an unpatched Microsoft Word vulnerability. These documents are detected as Trojan.Mdropper.X. We believe this is a new vulnerability, making it the fifth currently unpatched Office file format vulnerability. While these documents are being used in a targeted attack consistent with previous cases, we have received different documents that use this same exploit from multiple organizations. The documents have each been designed specifically for the targeted organization in both language and content.

The vulnerability could be a slight variation or may be covered by the existing CVEs, and we are awaiting confirmation from the Microsoft Security Response Center. Nevertheless, no patches appear to be available, so, as always, be careful opening unsolicited Word documents.

Update - Feb 1st, 2007 11:40 UTC: We have received confirmation from Microsoft that the vulnerability being used in...

Eric Chien | November 6th, 2006

An exploit has been spotted in the wild for an unpatched vulnerability in the Microsoft XML core services, which allow developers to create XML-enabled applications. All supported versions of Internet Explorer (including IE7) make use of this functionality and are likely to be possible vectors of attack.

While the exploit has been spotted in the wild, it has only been seen on a single Web site and Symantec has no confirmed infection reports from customers. Nevertheless, as always, be cautious when surfing the Web.

Symantec has already released a signature, Bloodhound.Exploit.96, to catch this exploit. More information about the vulnerability can be found in the Microsoft Security Advisory (927892).

Update Nov. 8, 2006: A...

Eric Chien | October 8th, 2006

Over the weekend, the Google blog was hacked and someone made a fake post stating Google was discontinuing their Click-To-Call service. A few weeks ago, Randy Charles Morin's blog was reportedly hacked using a new unknown and unpatched exploit by Jason Schramm known as the Host Overflow Application eXception.

Now, some people are putting one and one together and assuming Google's blog was hacked via the unpatched Host Overflow Application eXception. The problem? The Host Overflow Application eXception appears to be a HOAX (follow the capital letters). Jason followed up with a post to his blog with a supposed patch. The patch itself would just add a footer to...

Eric Chien | August 23rd, 2006

Over the last few weeks we've been tracking attacks coming from Gromozon.com. These attacks have actually been happening for a few months now, but the number of reports has recently escalated. In particular, a variety of Italian blogs and message boards have been spammed with links to hundreds of different URLs over the last week. These URLs all eventually point to gromozon.com and, after an extensive trail of code downloading other code, one ends up infected with LinkOptimizer, which dials a high-cost phone number and then displays advertisements when browsing the Internet.

When you visit one of these malicious links, it eventually loads a page from gromozon.com that determines which browser you are using. If you are using Internet Explorer, it attempts to exploit an Internet Explorer vulnerability. The exploit has changed over time, but is currently...

Eric Chien | August 22nd, 2006

We've been watching Wargbot for the past week to monitor its activities. As noted in our previous blog entry, Wargbot was being used to send spam. I wanted to provide some statistics and anecdotes on Wargbot's activities.

As part of our standard intelligence gathering, we monitor a variety of botnets. Usually, these botnets don't stay up too long because ISPs respond to our shutdown notices, but servers related to Wargbot have been up for a week already and have been quite active. In particular, Wargbot downloads Backdoor.Ranky, which converts the infected machine into a proxy for spam. Since the spam started coming through, we've seen tens of thousands of spam messages being pumped through our honeypot; we actually take all of these spam messages and redirect them to the Symantec Email Security Group. The Email Security Group...

Eric Chien | July 17th, 2006

The recent Yahoo! Mail worm, JS.Yamanner@m, is symptomatic of our increased usage of and reliance on Web applications. This past weekend we saw a similar attack, but this time it was on the MySpace social networking site. Web applications are just as vulnerable to certain exploits, and even more so in some cases. In particular, services that allow people to author and post content under the service domain must always neuter any active content such as JavaScript. MySpace fails to do so, allowing an attacker to automatically hijack any user's MySpace page as soon as they visit an infected MySpace page.

The attack works by using an embedded Shockwave Flash file. The MySpace site allows members to post embedded content, such as movies and Shockwave Flash files, via an HTML “embed” tag. Shockwave Flash files can contain scripting that is simply a variant of JavaScript (known as Action...