Firefox to block content based on Java, Reader, and Silverlight

Mozilla engineers plan to disable Java, Adobe Reader, and Microsoft Silverlight capabilities in their flagship Firefox browser in a move aimed at improving security and performance.

By default, Firefox will load content based on all three plugins only after users click an icon that explicitly permits it. This feature, known as click to play, was introduced late last year. Until now, it disabled out-of-date plugins to prevent hack attacks and browser crashing. Sometime soon, it will begin blocking all plugins except for the most recent version of Adobe Flash.

"One of the most common vectors against users is drive by exploitation of vulnerable plugins," Michael Coates, Mozilla's director of security assurance, wrote in a blog post announcing the change. He was referring to website attacks that surreptitiously install malware on end-user computers by targeting security bugs in the browser components that process Java- and Flash-based content. "The click to play feature protects users in these scenarios," he added.


IPS Countermeasures Fight Obfuscation, Evasion

Before the advent of intrusion detection systems (IDS) and intrusion prevention systems (IPS), firewalls served as the primary technology to help organizations block unwanted traffic. With no inspection of application-layer protocols, attackers were able to disguise malicious traffic and remotely exploit applications. To stop these kinds of attacks, the security industry created IPS/IDS technologies to detect them and block connections before any exploitation could occur.

Since the introduction of IPS, attackers have tried to find new ways to evade detections by these systems. One technique is fragmentation: The data that is normally sent in the channel is fragmented and is reconstructed only at the receiver’s end. It is possible to add the malicious traffic as part of the data that gets fragmented. When the data is reconstructed at the receiver, it can exploit the targeted application. Such fragmentation techniques could be applied in various protocols of the application layer.

The recent focus of IPS vendors has been to address these issues and to stay ahead of attackers despite their obfuscation techniques. These evasions have continued to evolve as attackers targeted application-layer protocols. By parsing client application-layer data, an IPS can identify injected payloads and reduce the number of successful attacks.

The high number of attacks that the security industry has witnessed in the last few years shows the sophistication involved in writing exploit code (malware, malicious scripts). Attackers reverse-engineer the workings of IPS detection mechanisms and develop attacks built on a full understanding of the security product, taking advantage of its features. Evasion has become a key strategy for attackers to avoid detection.

In a series of blog posts we will look at the evasion technique of encoding: the process in which each character is mapped to a code. When a character is encoded, its equivalent code is transmitted in its place; decoding converts that code back to the original character. Employing this technique, attackers have encoded complete payloads, thereby hiding the presence of exploit code. Encoding has become one of the major challenges of detection.
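The detection side of what this paragraph describes is normalization: an inspection engine that matches signatures against the raw bytes misses a payload whose characters have been replaced by their codes, whereas one that decodes first sees the same characters the target application will see. The following is an added illustration, not code from the original post or from McAfee; the signature set and the sample request paths are constructed for the example, and the decode-pass limit is an assumption chosen to keep nested encodings from consuming unbounded work.

```python
import re
from urllib.parse import unquote

# Constructed signature set (example rules, not a vendor's): what a simple
# IPS rule might look for in an HTTP request path or query string.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "script-injection": re.compile(r"<script", re.IGNORECASE),
}

# Assumed bound on decode passes: each pass strips one layer of percent
# encoding; a cap stops a stream of nested encodings from looping forever.
MAX_DECODE_PASSES = 3


def normalize(payload: str) -> str:
    """Percent-decode repeatedly until the text stops changing (or the cap is hit).

    Double encoding (e.g. %252e, which decodes to %2e and then to '.') is
    handled because each pass removes one layer.
    """
    current = payload
    for _ in range(MAX_DECODE_PASSES):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def match_raw(payload: str) -> list:
    """Signature names that fire on the payload exactly as received."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(payload))


def match_normalized(payload: str) -> list:
    """Signature names that fire after the payload has been decoded."""
    return match_raw(normalize(payload))


def inspect(payload: str) -> dict:
    """Side-by-side result: what raw matching sees versus what decoding reveals."""
    return {
        "raw_hits": match_raw(payload),
        "normalized_hits": match_normalized(payload),
        "decoded": normalize(payload),
    }


if __name__ == "__main__":
    # Constructed sample request paths, one plain and two encoded.
    for sample in [
        "/cgi-bin/../../etc/passwd",
        "/cgi-bin/%2e%2e/%2e%2e/etc/passwd",
        "/search?q=%253Cscript%253E",
    ]:
        print(sample, "->", inspect(sample))
```

The point the output makes is that the raw matcher fires only on the first sample, while the normalized matcher fires on all three; the decoded form is returned alongside the hits so an analyst can see what the target application would actually have processed.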

In this series we will explain the current methodologies employed in evading detection and prevention systems, an ideal system to detect and prevent these attacks, and McAfee’s solution to prevent these attacks.

Backdoor.Barkiofork Targets Aerospace and Defense Industry

Contributor: Joseph Bingham

A few weeks ago, we observed a spear phishing campaign targeting groups in the aerospace and defense industry. We identified at least 12 different organizations targeted in this attack. These organizations include aviation, air traffic control, and government and defense contractors.

Figure 1. Spear phishing email targeting aerospace and defense industry

In choosing their targets, the attackers identified individuals in important roles, including directors and vice presidents. The content of all the emails was identical. The attackers used a report published in 2012 regarding the outlook of the aerospace and defense industries as the lure. The intention of the attackers was to make it seem as though this email originally came from the company that authored the report. The emails were also crafted to look as though they were being forwarded by internal employees or by individuals from within the industries identified.

When the malicious PDF attached to the email is opened, it attempts to exploit the Adobe Flash Player 'SWF' File Remote Memory Corruption Vulnerability (CVE-2011-0611). If successful, it drops malicious files as well as a clean PDF file to keep the ruse going.

Figure 2. Clean PDF file displayed to the user

The clean PDF file that is dropped is the industry report identified as the lure; curiously, however, the attackers have modified it to remove some branding elements.

In addition to the clean PDF file, the threat drops a malicious version of the svchost.exe file. This file then drops a malicious version of ntshrui.dll into the Windows directory. The threat leverages a technique known as DLL search order hijacking (the ntshrui.dll file is not protected by KnownDLLs). When the svchost.exe file calls the explorer.exe file, it will load the malicious ntshrui.dll file in the Windows folder instead of the legitimate ntshrui.dll file in the Windows system directory. Symantec detects both the svchost.exe and ntshrui.dll files as Backdoor.Barkiofork.
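The hijack described above works because the loader looks in the application's directory and the Windows directory before the system directory for any DLL that is not listed under KnownDLLs. A defender can turn that condition into a check: list DLLs in the Windows directory that shadow a file of the same name in System32 and are not registered as KnownDLLs, then review their signatures and hashes. The following is an added example for that check, not Symantec's code; the KnownDLLs registry path is the standard one, and the filter on values ending in .dll is an assumption used to skip the key's non-DLL entries (such as DllDirectory and PowerShell's PS* properties).

```powershell
# Added detection example (not from the original post). Flags DLLs in %windir%
# that shadow a same-named DLL in System32 and are not protected by KnownDLLs,
# the precondition that a search-order hijack of the kind described relies on.

$knownDllKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'

# Assumption: KnownDLLs entries are string values whose data is the DLL file name;
# non-DLL values (DllDirectory, PS* metadata) are skipped by the '*.dll' filter.
$knownDlls = (Get-ItemProperty $knownDllKey).PSObject.Properties |
    Where-Object { $_.Value -is [string] -and $_.Value -like '*.dll' } |
    ForEach-Object { $_.Value.ToLower() }

$system32 = Join-Path $env:windir 'System32'

$findings = Get-ChildItem -Path $env:windir -Filter '*.dll' -File | ForEach-Object {
    $name  = $_.Name.ToLower()
    $legit = Join-Path $system32 $_.Name
    # A file is a lead only if a legitimate copy exists in System32 and the
    # name is not pinned by KnownDLLs (ntshrui.dll is not, per the write-up).
    if ((Test-Path $legit) -and ($knownDlls -notcontains $name)) {
        $sig = Get-AuthenticodeSignature $_.FullName
        [pscustomobject]@{
            Shadowing = $_.FullName
            Legit     = $legit
            Signature = $sig.Status
            SHA256    = (Get-FileHash $_.FullName -Algorithm SHA256).Hash
        }
    }
}

$findings | Format-Table -AutoSize
```

Treat each row as a lead rather than a verdict: a few DLLs legitimately live in the Windows directory, so an unsigned or mismatched-signature entry is what merits a closer look, and the hash is there to compare against vendor detections. The same logic applies to any application directory an attacker can write to; this version limits itself to the Windows directory because that is the location the write-up names.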

This version of Backdoor.Barkiofork has the following capabilities:

  • Enumerates disk drives
  • Contacts the command-and-control (C&C) server at osamu.update.ikwb.com
  • Steals system information
  • Downloads and executes further updates

This spear phishing campaign continues to show the sophistication and preparation of attackers, especially gathering intelligence on what social engineering will best entice targets.

Organizations should ensure proper email security is in place and also make patch management a priority, as the vulnerability exploited here was patched in 2011.

Mali Jihadists Support Their Struggle Online

Yesterday in Lille, the 5th CyberSecurity International Forum (FIC2013) ended with a speech by Manuel Valls, the French Minister of the Interior. Among the subjects, the Minister informed the audience about the increasing dangers of cyberjihad.

Since January 11, France has been engaged in Mali. The Africans had appealed for urgent military aid to halt the jihadist rebels' advance in the northern part of the country. The conflict is taking place both on the ground as well as online, and terrorists are intensifying their activities in the latter area.

The jihadists are using the Internet for propaganda. Lots of pictures like the following are available for download and redistribution.


Terrorists have also threatened France and its inhabitants. Their leaders, or people who say they represent them, have created videos like the one below that I discovered during my searches. (This is a "Message to France from a mujahideen.")


Like cybercriminals and many law-abiding people, jihadists use forums to communicate. In the past, these were publicly available. Today they are closed, and new members are now accepted only by invitation.


The terrorists do not hesitate to spread offensive photographs. Some were distributed not so long ago via a Twitter account driven by Somali militants with links to al Qaeda. They showed a dead white man wearing military pants and a blood-soaked shirt surrounded by three guns, ammunition clips, and protective gear. The message claimed it was a French soldier killed in the failed January 12 rescue mission of a fellow countryman held hostage. (Out of respect for the families and at the request of French authorities, we will not post these pictures.)


Defacing websites is another frequent activity. On January 16, cyberjihadists attacked the sites of some French socialist deputies, modifying the welcome pages with propaganda images. The jihadists claimed responsibility on their websites.


They have also threatened distributed denial of service attacks. A DDoS attack on the French Defense Ministry website was announced on a private forum on January 17.


The Internet is also a popular tool for collecting money and recruiting volunteers. The promise of entering paradise as a martyr appears to inspire recruits.


These examples demonstrate that terrorists can use the Internet in their struggles. These efforts are not truly cyberterrorism, but they are apparently effective.