Feb 28 2013

Exploit lets websites bombard visitors’ PCs with gigabytes of data

A Web developer has demonstrated a simple-to-execute exploit that allows websites to surreptitiously bombard visitors' storage devices with gigabytes of junk data.

As its name suggests, FillDisk.com loads an almost unlimited amount of data onto hard drives of people who access the site. It requires no user interaction and works with the Google Chrome, Microsoft Internet Explorer, and Apple Safari browsers. It adds 1GB of data every 16 seconds on a MacBook Pro Retina equipped with a solid state drive, according to Feross Aboukhadijeh, the Web developer and computer science grad student who created the proof-of-concept site.

FillDisk.com manipulates the Web Storage standard included in the HTML5 specification. This standard is designed to make websites easier to use by allowing them to store data on visitors' hard drives. The functionality can be useful when end users are filling out long forms; if the browser crashes before the form has been completed, the data that's already been entered will be available when the person visits the site later. The creators of the standard specifically warn that browser developers should take steps to ensure websites can't abuse the feature by writing unlimited amounts of data.
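The legitimate use the article describes (a form draft that survives a browser crash) is the case browser quotas are meant to protect, and a well-behaved site should expect the write to be refused. The following is an added example, not code from the article or from FillDisk.com: a bounded autosave on top of the Web Storage `setItem`/`getItem` API. Because it runs under Node, a constructed in-memory storage object with an assumed quota stands in for `window.localStorage`; the quota size, the per-draft cap and the `draft:` key prefix are all assumptions of the example.

```javascript
// Added example (not from the article): bounded form autosave over Web Storage.
// In a browser, pass window.localStorage; here a constructed in-memory Storage
// with a quota stands in so the code runs under Node.
const QUOTA_BYTES = 64 * 1024;         // constructed quota for the mock storage
const AUTOSAVE_CAP_BYTES = 16 * 1024;  // assumed application-level cap per draft

// Minimal Storage look-alike that enforces a total-size quota, the way a
// browser does for a single origin. String length is used as the size proxy.
function makeQuotaStorage(quotaBytes) {
  const data = new Map();
  const used = () => [...data].reduce((n, [k, v]) => n + k.length + v.length, 0);
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    removeItem: (k) => { data.delete(k); },
    setItem(k, v) {
      const value = String(v);
      const current = data.has(k) ? data.get(k).length : 0;
      if (used() - current + k.length + value.length > quotaBytes) {
        // Browsers throw a DOMException named QuotaExceededError here.
        const err = new Error('quota exceeded');
        err.name = 'QuotaExceededError';
        throw err;
      }
      data.set(k, value);
    },
    get length() { return data.size; },
  };
}

// Save a form draft, refusing oversized drafts up front and handling the
// browser's quota refusal instead of letting it surface as an uncaught error.
function saveDraft(storage, formId, fields) {
  const payload = JSON.stringify({ savedAt: Date.now(), fields });
  if (payload.length > AUTOSAVE_CAP_BYTES) {
    return { ok: false, reason: 'draft exceeds autosave cap' };
  }
  try {
    storage.setItem(`draft:${formId}`, payload);
    return { ok: true, bytes: payload.length };
  } catch (err) {
    if (err && err.name === 'QuotaExceededError') {
      return { ok: false, reason: 'storage quota exceeded' };
    }
    throw err;  // anything else is a genuine bug, not a quota refusal
  }
}

// Restore the saved fields, or null when nothing usable is stored.
function loadDraft(storage, formId) {
  const raw = storage.getItem(`draft:${formId}`);
  if (raw === null) return null;
  try { return JSON.parse(raw).fields; } catch { return null; }
}
```

The two limits do different jobs: the application cap keeps a single draft from growing without bound, while the `QuotaExceededError` branch is what keeps the page usable when the browser, not the site, decides that the origin has written enough.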


Feb 28 2013

Oakland mayor apologizes for promoting local lockpicking class

The City of Oakland is both wonderful and problematic, as Ars editor Joe Mullin and I can attest, given that we're both denizens of this fine city. It has incredible natural beauty and vibrant culture, but also a notoriously mismanaged police department and a climbing crime rate.

It’s understandable, then, that some Oakland residents would be slightly annoyed at an upcoming workshop entitled “Introduction to Lockpicking,” which was mentioned in Mayor Jean Quan’s weekly newsletter (PDF) this week. The class is one of a larger "Workshop Weekend," to be held at Tech Liminal, an Oakland co-working space, and Sudoroom, a relatively new hackerspace in downtown Oakland. (Disclosure: I am a paying member at Sudoroom.)

According to the Oakland Tribune, some Oaklanders are miffed that the city would seem to endorse such a practice—the mayor has subsequently apologized.


Feb 27 2013

Flash Player Update Fixes Zero-Day Flaws

Adobe has released an emergency update for its Flash Player software that fixes three critical vulnerabilities, two of which the company warns are actively being exploited to compromise systems.

In an advisory, Adobe said two of the bugs quashed in this update (CVE-2013-0643 and CVE-2013-0648) are being used by attackers to target Firefox users. The company noted that the attacks are designed to trick users into clicking a link which redirects to a Web site serving malicious Flash content.

Readers can be forgiven for feeling patch fatigue with Flash: This is the third security update that Adobe has shipped for Flash in the last month. On Feb. 12, Adobe released a patch to plug at least 17 security holes in Flash. On Feb. 7, Adobe rushed out an update to fix two other flaws that attackers were already exploiting to break into vulnerable computers.

Updates are available for Windows, Mac and Linux installations of Flash (see the chart below for the appropriate version number). This link should tell you which version of Flash your browser has installed. The most recent versions are available from the Adobe download center, but beware of potentially unwanted add-ons (like McAfee Security Scan). To avoid these, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

Chrome and Internet Explorer 10 have built-in auto-update features that should bring Flash to the most recent version. The patched version of Flash for Chrome is 11.6.602.171, which Google appears to have already pushed out to Chrome users. Windows users who browse the Web with anything other than Internet Explorer will need to apply this patch twice: once with IE and again using the alternative browser (e.g., Firefox or Opera).


Feb 27 2013

Fake Adobe Flash Update Installs Ransomware, Performs Click Fraud

Adobe Flash is one of the most widely distributed products on the Internet. Because of its popularity and global install base, it is often a target of cybercriminals. Cybercriminals are using social engineering methods to distribute their malware through fake Flash update sites, often compelling unsuspecting users, who may be in need of a software update, to unknowingly install malware.

Recently, we came across the following site masquerading as an Adobe Flash Player update page:

http://16.a[REMOVED]rks.com/adobe/

Figure 1. Fake Adobe Flash update page

The attacker has created what appears to be a rather convincing landing page; however, there are a few inconsistencies. Most of the links resolve back to the attacking domain and all of the links within the page—besides the link to the malware itself—resolve back to the root directory of the site, resulting in a 404 error.

The attacker’s main goal is to make sure that a successful installation occurs, so the page presents the user with two options for maximum return.

Option 1 is a pop-up message that requests the user to download a file named flash_player_updater.exe.

Option 2 is the “Download Now” button that requests the user to download a file named update_flash_player.exe.

Symantec currently detects both of these files as Downloader.Ponik.

During our analysis we found that, in addition to stealing passwords, these files appear to be looking for FTP/telnet/SSH credentials for all of the popular clients currently in use. They also monitor for SMTP, IMAP, and POP3 credentials.

Although these files are the same, they exhibit different behaviors. Option 1 installs ransomware, while Option 2 installs an ad-clicking component, both for illegal revenue generation.

Option 1

Figure 2. Command-and-control (C&C) server

The flash_player_updater.exe file sends an HTTP POST request on port 8080 to the following URL:

http://lum[REMOVED]th.com/forum/viewtopic.php

The Trojan then receives commands to download files from the following locations:

  • http://ocean[REMOVED]ba.co.za/
  • http://sys[REMOVED]55.info/
  • http://topaz[REMOVED]al.net/

All three files are identical and are used by the attacker to enhance the resilience of the threat by providing further locations for the threat to contact should any one particular site be inaccessible for any reason. Symantec detects these files as Trojan.Ransomlock.Q.

Once these files are executed on the computer, a new variant of Trojan.Ransomlock.Q appears on the compromised computer.

Next, the Trojan connects to the following command-and-control (C&C) server in order to download an encrypted file onto the compromised computer before the computer is locked:

http://c[REMOVED]l.ru

Figure 3. Downloading an encrypted file

Figure 4. Ransomlock screen displayed after several minutes

Figure 5. Note the misspelling of “cibercrime” at the bottom of the page

Another interesting observation is that the malware detects which brand of antivirus is running on the compromised computer and overlays the default Windows logo with the logo of the relevant antivirus company. As we already have protection in place for this threat, to test this feature properly we had to temporarily disable Norton 360 during analysis.

Figure 6. Ransomware with the Norton logo overlaying the Windows logo

Out of curiosity, we wanted to see what would happen if we were to enter some random 14-digit code, as MoneyPak uses 14 digits. A random 14-digit code was entered and the following screen was displayed:

Figure 7. A promise to unlock the computer that will be unfulfilled

This communication data is then sent back encrypted to the C&C server at the following location and stored for retrieval:

http://c[REMOVED]l.ru

Good luck getting your computer unlocked.
Option 2

The update_flash_player.exe file sends an HTTP POST request on port 8080 to the following URL:

http://lum[REMOVED]th.com/forum/viewtopic.php

The Trojan then receives commands to download files from the following locations:

  • twinp[REMOVED] ng.com/
  • labos[REMOVED]ra.eu/
  • ftp.calm[REMOVED]ge.com/

These files are then installed on the compromised computer and run silently in the background to perform click fraud.

Figure 8. Click-fraud traffic

Symantec has protection in place and detects these files as Trojan Horse.

To ensure that you do not become a victim in the first place, keep your antivirus definitions constantly updated and your software packages regularly updated. Do not download updates from third-party sites, and always double-check the URL of the download that is being offered.