How to Ensure Vulnerabilities Are Not a Gateway to Blackhole Exploits

Co-Author: Peter Coogan

Earlier in 2012, a patch was issued to correct a potential vulnerability in Parallels Plesk Panel version 10.3 or earlier, helping prevent unauthorized access to the website control panel. While it is believed that this potential vulnerability is now patched, administrators who have applied this fix may have already been the victim of a compromise and had their login credentials stolen. Best security practice would be for administrators using Parallels Plesk Panel 10.3 or earlier to ensure they have up-to-date patches and change any login credentials that may have been exposed as a result of this vulnerability. They can learn more by reading Securing Parallels Plesk Panel: Best Practices to Prevent Threats.

Reports stated that, following a compromise, heavily obfuscated JavaScript is injected into HTML pages on the server. Once evaluated, the deobfuscated code generates a unique iframe, using the code snippets shown in the image below, each time the compromised Web page is visited. This injected code is similar to code we have talked about before in a blog post about the Blackhole Exploit Kit. Symantec customers visiting these compromised Web pages containing the injected code are protected by several IPS signatures, including Web Attack: Blackhole Toolkit Website 10.


As seen in the iframe-generating code in the image, the string ‘runforestrun’ remains constant in all the generated iframes.

Example generated iframe domains:

Symantec’s telemetry for July 2012 alone demonstrates we have protected customers against over 68,000 unique URLs containing this string that led to the Blackhole Exploit Kit. The following world heatmap indicates that the U.S. has seen the most detections:


Our telemetry in total for 2012 has also identified over 17,100 unique IPs for the referral URLs leading to the generated iframes detected by Symantec. While we cannot definitively say how all the servers related to these IP addresses were compromised to serve up the generated ‘runforestrun’ iframes, it does show the relative size and success of this campaign. The following world heatmap indicates once again that the U.S. has hosted the majority of the referral URL IPs:


The injected iframes at one time followed links to a number of sites that contained redirects and forwards in order to deliver the final payload of Downloader.Parshell (a small executable that contains a hardcoded URL to effectively download additional malware onto the unsuspecting user’s computer). Among the additional malware downloaded are Trojan.FakeAV and Trojan.Maljava. Protection against a new variant of this Downloader is also available as Downloader.Parshell!gen1.

Symantec customers who use our Network-Based Protection Technology are proactively protected from the Blackhole Exploit Kit. If you are concerned that you may have been compromised after visiting a website, you can download Symantec’s free Power Eraser tool to aid in the removal of any infections.

Password “8861” Used in Targeted Attacks

Symantec has continuously observed targeted attacks in the wild since around mid-July that use password-protected malicious Excel spreadsheet files. Coincidentally, all of the samples that we have analyzed so far use the 4-digit password “8861”, which is provided within the body of the email containing the Excel file attachment. So why “8861”, you may ask? I couldn’t figure out if it has any meaning, but if someone out there is aware of the significance of this number, please send us a note. The name of the file, the content of the spreadsheet, and the malware that is dropped onto the computer all vary from sample to sample.

This is not the first time that passwords have been used for targeted attacks. In fact, back in December 2011, I blogged about document files using the same tactic. However, I cannot recall any attacks that have continuously used the same password over and over to target a variety of organizations around the globe.

The purpose of the attacker using the password is most likely to enable malware to evade detection, whether on the gateway or on the desktop, since the password feature encrypts the files. It may also make security researchers’ work or automatic analysis difficult since the password is required to decrypt the file before investigation can be performed. The usage of the password might also make the recipients feel safe about the file as passwords are generally used for security measures. Let’s think about it for a moment. The password for the attached Excel spreadsheet is given in the email that contains the actual attachment. Typically, passwords are communicated in a different form or at least in a separate email—otherwise the password protection of the file is meaningless.

The attacks themselves are no different from typical targeted attacks except for the use of the password. Although scanning the contents of a password-protected file is not possible, security products can still prevent infection by detecting the dropped or downloaded files, just as with other types of targeted attacks. With a multi-layered defense in place, a recipient of one of these emails should be in no more danger than the target of a typical targeted attack.

It is now more common to see password-protected malware attached to emails, so users need to watch out not only for Excel files, but any type of files with passwords that are attached to unsolicited emails. The Excel spreadsheet files discussed in this blog are detected as Trojan.Mdropper and the dropped files include: Trojan Horse, Backdoor.Darkmoon, and Backdoor.Trojan.
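A gateway cannot inspect the contents of the encrypted spreadsheet, but it can at least recognise that a legacy .xls attachment is encrypted and route it for extra scrutiny. The following C function is an added example, not code from the Symantec post: it assumes the caller has already extracted the Workbook stream from the OLE2 container (e.g. with an OLE parsing library) and walks the BIFF records looking for the FILEPASS record (id 0x002F) that MS-XLS places after BOF when the workbook is password-protected. The byte streams below are constructed for the example and are not real workbooks.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* BIFF record identifiers from MS-XLS. Every record is a 2-byte little-endian
 * id, a 2-byte little-endian data length, then that many bytes of data. */
#define BIFF_BOF      0x0809
#define BIFF_FILEPASS 0x002F
#define BIFF_EOF      0x000A

/* Walk the records of a Workbook stream (already extracted from the OLE2
 * container; this is an assumption of the example) and report whether a
 * FILEPASS record is present in the first substream.
 * Returns 1 if the workbook is encrypted, 0 if not, -1 if the stream is
 * malformed (does not start with BOF, or a record length runs past the end). */
int workbook_stream_is_encrypted(const uint8_t *s, size_t n)
{
    size_t pos = 0;
    int first = 1;
    while (n - pos >= 4) {
        uint16_t id  = (uint16_t)(s[pos] | (s[pos + 1] << 8));
        uint16_t len = (uint16_t)(s[pos + 2] | (s[pos + 3] << 8));
        pos += 4;
        if (len > n - pos) return -1;           /* declared length exceeds the data */
        if (first && id != BIFF_BOF) return -1; /* a Workbook stream must open with BOF */
        first = 0;
        if (id == BIFF_FILEPASS) return 1;      /* encryption header: contents cannot be scanned */
        if (id == BIFF_EOF) break;              /* end of the Globals substream */
        pos += len;
    }
    return 0;
}

/* Constructed sample streams: BOF with 16 bytes of data, optionally FILEPASS, then EOF. */
const uint8_t plain_stream[] = {
    0x09,0x08, 0x10,0x00,                      /* BOF, length 16 */
    0x00,0x06, 0x05,0x00, 0x00,0x00,0x00,0x00, /* BIFF8, workbook globals, padding */
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x0A,0x00, 0x00,0x00                       /* EOF, length 0 */
};
const uint8_t encrypted_stream[] = {
    0x09,0x08, 0x10,0x00,
    0x00,0x06, 0x05,0x00, 0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x2F,0x00, 0x06,0x00,                      /* FILEPASS, length 6 (XOR method, made-up key/hash) */
    0x00,0x00, 0x34,0x12, 0x78,0x56,
    0x0A,0x00, 0x00,0x00
};
const uint8_t truncated_stream[] = {
    0x09,0x08, 0x10,0x00, 0x00,0x06            /* BOF claims 16 data bytes, only 2 present */
};

int main(void)
{
    printf("plain:     %d\n", workbook_stream_is_encrypted(plain_stream, sizeof plain_stream));
    printf("encrypted: %d\n", workbook_stream_is_encrypted(encrypted_stream, sizeof encrypted_stream));
    printf("truncated: %d\n", workbook_stream_is_encrypted(truncated_stream, sizeof truncated_stream));
    return 0;
}
```

A result of 1 does not mean the attachment is malicious, only that its contents are opaque to the scanner; the sensible policy response is to hold or flag such attachments, especially when they arrive unsolicited with the password in the same message, exactly the pattern described above.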

Sophos Offers Free Android Antivirus App

Sophos seems to be a lot more aggressive recently when it comes to the consumer market; they used to be a hardcore enterprise-only solution when they first started out. I guess they’ve realized where the money is. Back in 2010 they were one of the first to come out with a free Antivirus solution for [...] The post Sophos Offers Free Android...


Credit Card Roulette: Payment Terminals Pwned in Vegas

Video: MWR Labs – Pin Pad Racer from Nils on Vimeo.

LAS VEGAS – At least three widely used credit and debit card purchasing terminals in the U.S. and U.K. have vulnerabilities that would allow attackers to install malware on them and sniff card data and PINs.

The vulnerabilities can also be used to make a fraudulent card transaction look like it’s been accepted when it hasn’t been, printing out a receipt to fool a salesclerk into thinking items have been successfully purchased.

Or an attacker can design a hack that would invalidate the chip-and-PIN card system, a security feature that is standard in Europe but only nascent in the U.S. It uses cards embedded with a chip and requires cardholders to enter a PIN to validate a transaction.

The hacks were demonstrated at the Black Hat Security conference last week by Rafael Dominguez Vega, a Spanish security researcher and consultant for MWR InfoSecurity, and a German researcher who goes by the name Nils, who is head of research for MWR. Nils cemented his security bona fides in 2009 when he hacked three browsers at the Pwn2own contest at the CanSecWest conference.

The team purchased three point-of-sale terminals on eBay, one of which is widely used throughout the U.S. and comes with a touchscreen and a feature for capturing cardholder signatures; the other two are used in the U.K. and have a port for inserting chip-and-PIN cards, as well as a mag stripe reader to process bank cards from the U.S. and other countries that do not yet use chip-and-PIN cards.

To demonstrate their control of the latter machines, the researchers loaded a racing game onto one of the devices, which Nils then played using the device’s keypad (see video above). The game consisted of an “X” simulating a car that Nils maneuvered on a road lined with trees. When his vehicle reached the end of the road, he printed out the game score from the terminal’s receipt printer.

Although the researchers declined to name the brands of terminals they examined, and had taped over the names on the devices to prevent audience members from seeing them, VeriFone’s name popped up on the touchscreen device after the system rebooted and the firmware displayed its launch page. The device is VeriFone’s MX780 point-of-sale terminal. The other two devices match Vx models of terminals made by VeriFone.

According to the researchers, the MX780 model, widely used in the U.S., has remote administration capability that allows the devices to communicate regularly with a server. But the researchers found that the terminals do not authenticate the servers with which they communicate, so the researchers were able to design a man-in-the-middle attack that tricks the terminal into communicating with their rogue server and allows them to download malware to the device.

Although an attacker would have to be on the same network as the device to conduct this attack, the devices are set up to periodically connect to the remote server as well as connect during reboot, providing easy access to the machines once the attacker is on the network. The researchers noted that there are also wireless versions of the terminals that communicate with a store’s network via WiFi.

Once on the device, the researchers found that the terminals, which run an operating system based on Linux, have a vulnerability that would allow an attacker to modify applications on the device or install new ones in order to capture card data and cardholder signatures.

A VeriFone spokesman said that the demonstration on the MX780 used an older version of the system’s software, and that the “issue is not present on subsequent systems software.” He did not respond to questions about when the fix had been made.

The other two models of terminals, designed for use with chip-and-PIN cards, were exploited through different vulnerabilities.

Chip-and-PIN cards became mandatory in the UK in 2006 and will become widely deployed in the U.S. over the next year. Both MasterCard and Visa announced earlier this year that they would be migrating U.S. consumers to chip-and-PIN cards by April 2013.

The cards contain an embedded security chip that verifies the customer’s PIN when he or she enters it on a keypad. The chips also hold a secret key that validates the card to the bank. The key is supposed to ensure that fraudsters who know a bank customer’s PIN can’t simply embed the data into any chip-enabled blank card and use it to withdraw money from the customer’s account.

The attack the researchers used involved a stack-based buffer overflow vulnerability in the EMV protocol that is used to process chip-and-PIN cards. Using that vulnerability the researchers were able to install malware on the machines to take full control of the terminals, by simply inserting a rogue payment card containing the malware into the smartcard reader.

Because the devices allow only signed applications to run on them, the researchers weren’t able to alter the firmware itself, so they placed their rogue code into the device memory instead. Once in memory, the malware recorded card data and PINs for any cards subsequently inserted in the device and stored it in the device’s memory. To collect the data in storage, the researchers simply inserted a different card in the device afterward, and collected the card data that had been siphoned.

The terminal produces an “invalid card error” when the rogue cards are inserted, but otherwise Nils said there is no indication that anything has occurred. Because the malware prevents the device from connecting to backend systems when rogue cards are inserted, there is no lingering record in the system that two invalidated transactions occurred.

There is one limitation to this kind of attack, however. Because the malware runs in the device’s memory, it would be deleted each time the terminal was rebooted, forcing an attacker to re-install his malware.
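The terminal-side defect described above is a parser trusting a length field supplied by the card. The C code below is an added example, not MWR’s research code or VeriFone firmware: it shows a bounded BER-TLV field parser of the kind EMV terminals need, which checks the card-declared length against both the bytes actually received and the capacity of the fixed-size stack buffer before copying. The byte sequences are constructed for the example (the tag numbers 5A, 57 and 9F27 are standard EMV tags; the values are made up), and the 16-byte buffer limit is chosen only to keep the samples short.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Capacity of the fixed stack buffer a field is copied into. Small here so
 * the constructed samples stay short; the check logic does not depend on it. */
#define MAX_VALUE_LEN 16

enum tlv_status { TLV_OK = 0, TLV_TRUNCATED = -1, TLV_TOO_LONG = -2, TLV_BAD_LEN = -3 };

/* Parse one BER-TLV element (one- or two-byte tag, short-form or 0x81/0x82
 * long-form definite length, as EMV allows) from buf[0..len) and copy its
 * value into out. Never reads past len and never writes past out_cap. */
int parse_tlv_bounded(const uint8_t *buf, size_t len, uint16_t *tag,
                      uint8_t *out, size_t out_cap,
                      size_t *value_len, size_t *consumed)
{
    size_t pos = 0;
    if (len < 2) return TLV_TRUNCATED;

    /* Tag: if the low five bits of the first byte are all set, a second tag byte follows. */
    uint16_t t = buf[pos++];
    if ((t & 0x1F) == 0x1F) {
        if (pos >= len) return TLV_TRUNCATED;
        t = (uint16_t)((t << 8) | buf[pos++]);
    }

    /* Length octets. */
    if (pos >= len) return TLV_TRUNCATED;
    uint8_t lb = buf[pos++];
    size_t vlen;
    if (lb < 0x80) {
        vlen = lb;
    } else if (lb == 0x81) {
        if (pos >= len) return TLV_TRUNCATED;
        vlen = buf[pos++];
    } else if (lb == 0x82) {
        if (len - pos < 2) return TLV_TRUNCATED;
        vlen = ((size_t)buf[pos] << 8) | buf[pos + 1];
        pos += 2;
    } else {
        return TLV_BAD_LEN; /* 0x80 (indefinite) and 0x83+ are not valid here */
    }

    /* The two checks an unbounded parser omits: the card-supplied length must
     * fit both the bytes actually received and the destination buffer. A parser
     * that trusts vlen and memcpy()s into a fixed stack array is the pattern
     * behind a stack-based overflow such as the one described above. */
    if (vlen > len - pos) return TLV_TRUNCATED;
    if (vlen > out_cap) return TLV_TOO_LONG;

    memcpy(out, buf + pos, vlen);
    *tag = t;
    *value_len = vlen;
    *consumed = pos + vlen;
    return TLV_OK;
}

/* Mirrors how a terminal might hold one card response field on the stack;
 * returns the parser status only. */
int card_field_status(const uint8_t *resp, size_t resp_len)
{
    uint8_t value[MAX_VALUE_LEN];
    uint16_t tag = 0;
    size_t vlen = 0, consumed = 0;
    return parse_tlv_bounded(resp, resp_len, &tag, value, sizeof value, &vlen, &consumed);
}

/* Returns 1 when the field parses cleanly with the expected tag and value length. */
int card_field_matches(const uint8_t *resp, size_t resp_len, uint16_t want_tag, size_t want_len)
{
    uint8_t value[MAX_VALUE_LEN];
    uint16_t tag = 0;
    size_t vlen = 0, consumed = 0;
    if (parse_tlv_bounded(resp, resp_len, &tag, value, sizeof value, &vlen, &consumed) != TLV_OK)
        return 0;
    return tag == want_tag && vlen == want_len && consumed == resp_len;
}

/* Constructed samples (not real card data). */
/* Well-formed: tag 5A with an 8-byte value. */
const uint8_t sample_ok[] = { 0x5A, 0x08, 0x41, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x1F };
/* Two-byte tag 9F27 declaring 300 bytes (82 01 2C) with only three present. */
const uint8_t sample_truncated[] = { 0x9F, 0x27, 0x82, 0x01, 0x2C, 0xAA, 0xBB, 0xCC };
/* Tag 57 declaring 20 bytes, all present, but larger than the 16-byte stack buffer. */
const uint8_t sample_too_long[] = { 0x57, 0x14,
    0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,
    0x0A,0x0B,0x0C,0x0D,0x0E,0x0F,0x10,0x11,0x12,0x13 };

int main(void)
{
    printf("ok:        %d\n", card_field_status(sample_ok, sizeof sample_ok));
    printf("truncated: %d\n", card_field_status(sample_truncated, sizeof sample_truncated));
    printf("too long:  %d\n", card_field_status(sample_too_long, sizeof sample_too_long));
    return 0;
}
```

The point of the two separate checks is that they guard against different inputs: a length larger than the received data would make the copy read beyond the response, while a length larger than the destination would make it write beyond the stack buffer, which is the condition that lets card-supplied bytes overwrite the saved return address.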

The researchers found they were also able to subvert the chip-and-PIN function on readers to get at the magstripe data printed on cards.

In order to be compatible with ATMs in the U.S. and elsewhere that read only magnetic-stripe cards, chip-and-PIN cards currently have a backup magnetic stripe on them. Until now, thieves have been using skimmers and hidden cameras installed at ATMs to capture the mag stripe data as well as the customer’s PIN as he or she typed it on the keypad.

In the attack designed by Nils and Vega, however, the same data is stolen without a skimmer, simply by writing malware that cancels the chip-and-PIN transaction after the customer types the PIN, and produces an error message instructing the cardholder to swipe the card through the mag stripe reader, thus allowing the attacker to clone the card data from the mag stripe and use it with the stolen PIN.

A VeriFone spokesman said that the vendor is working on a patch for the vulnerabilities used in this hack.

UPDATE 7.31.12: Story updated to indicate that the two models used in the UK also process bank cards from the U.S. and to add late comment from VeriFone.