Attack Exploits Windows Zero-Day Elevation of Privilege Vulnerability

On November 27, Microsoft issued a security advisory regarding the recent discovery of a zero-day vulnerability in a kernel component of Windows XP and Windows Server 2003. The advisory states that the Microsoft Windows Kernel 'NDProxy.sys' Local Privilege Escalation Vulnerability (CVE-2013-5065) can allow an attacker to execute arbitrary code with kernel-level privileges. Successful exploits will result in the complete compromise of affected computers.

Symantec is aware of the attacks attempting to exploit the vulnerability and confirms the attacks have been active since the beginning of November. The attack arrives as a malicious PDF file with file names such as syria15.10.pdf or Note_№107-41D.pdf, likely by an email attachment, although there is a possibility that targeted users are being enticed to download the malicious file from a website prepared by the attacker.

Upon successful exploitation of the vulnerability, another malicious file, observed since mid-October, is dropped onto the compromised computer which Symantec detects as Trojan.Wipbot. This Trojan collects system information and connects to a command-and-control (C&C) server. Symantec telemetry is currently reporting a small number of detections for malicious PDFs in various countries including India, Australia, United States, Chile, Hungary, Germany, Norway, and Saudi Arabia.

Figure. Distribution of attacks exploiting the vulnerability

Symantec may also detect this attack as Trojan.Pidief and Suspicious.Cloud.7.F. The following antivirus detection and Intrusion Prevention System (IPS) signature has also been added to detect the exploit code and block any downloads:

No patch is available for the Windows vulnerability, however, Microsoft has provided a workaround in its security advisory.

As always, we recommend computers be kept up to date with the latest software patches and to use the latest Symantec technologies and incorporate the latest Symantec consumer and enterprise solutions to best protect against attacks of this kind.

TV news team falls for Facebook doppelgänger scam

The doppelgänger Facebook profile scraped from WBAL producer Chris Dachille convinced many of his friends that it was actually him—and then spammed them with requests for money and malicious links.

Reporters and producers at a television station in Baltimore recently found out the hard way that they shouldn't blindly accept Facebook friend requests. Last month, they found that their profiles had been cloned by an attacker who quickly used their network of friends to spread malicious links and ask for money.

Attacks on media organizations' social media accounts have been at an all-time high this past year, including "hacktivist" and state-sponsored attacks on media outlets from the Syrian Electronic Army. But the attack on the staff of WBAL-TV was directed toward staff members' personal accounts. And this initiative was a more workaday one, less targeted at the station itself than the friends, co-workers, and viewers who were connected to the cloned accounts.

Because some of WBAL's staff members mixed their personal and professional social networking together, the attack gave the scammer access to a huge audience's Facebook news feeds. After the attack was discovered, it took weeks for Facebook to shut down the fake accounts.

Read 12 remaining paragraphs | Comments