Chris Mosby at myITforum.com

********************************************************************

Title: Microsoft Security Advisory Notification

Issued: January 20, 2010

********************************************************************

Security Advisories Updated or Released Today ==============================================

* Microsoft Security Advisory (979682)

- Title: Vulnerability in Windows Kernel Could Allow

Elevation of Privilege

- http://www.microsoft.com/technet/security/advisory/979682.mspx

- Revision Note: V1.0 (January 20, 2010): Advisory published.

* Microsoft Security Advisory (979352)

- Title: Vulnerability in Internet Explorer Could

Allow Remote Code Execution

- http://www.microsoft.com/technet/security/advisory/979352.mspx

- Revision Note: V1.2 (January 20, 2010): Revised Executive

Summary to reflect the changing nature of attacks attempting

to exploit the vulnerability. Clarified information in the

Mitigating Factors section for Data Execution Prevention

(DEP) and Microsoft Outlook, Outlook Express, and Windows

Mail. Clarified several Frequently Asked Questions to provide

further details about the vulnerability and ways to limit the

possibility of exploitation. Added "Enable or disable

ActiveX controls in Office 2007" and "Do not open unexpected

files" to the Workarounds section.

Reports of DEP being bypassed

Yesterday we heard reports of a commercially available exploit that bypasses DEP. This exploit was made available to a limited number of major security vendors (Antivirus, IDS, and IPS vendors) and government CERT agencies. We wanted to use this opportunity to give an overview of current customer risk related to this DEP bypass.

Real-world attacks so far still only effective against Internet Explorer 6

We have seen an increase in attacks attempting to exploit the vulnerability detailed in Security Advisory 979352. However, all attacks we have seen so far still target Internet Explorer 6 - this is also confirmed by the attack samples our Microsoft Active Protections Program (MAPP) partners have sent in.

While we have not seen real-world attacks for any other platform, we have seen researchers poking at other platforms and have seen the following:

• Private proof-of-concept code exploiting IE7 on Windows XP for arbitrary code execution
• Private proof-of-concept code exploiting IE7 on Windows Vista without DEP enabled for code execution within the Protected Mode sandbox. We are not aware of any proof-of-concept code exploiting Windows Vista with DEP enabled.
• Commercial, limited distribution proof-of-concept code exploiting IE8 on Windows XP with DEP enabled for arbitrary code execution.

State-of-the-art of attacker research on various platforms

Here’s the current state-of-the-art on each platform:

Other mitigations (besides DEP)

We have discussed DEP at length in this blog. As you can see in the table above, two other mitigations help prevent or limit the impact of attacks on later platforms.

• Internet Explorer Protected Mode limits the impact of Windows Vista and Windows 7 exploits. Attackers who are able to successfully exploit Internet Explorer on those platforms are stuck in a “sandbox”, potentially able to read data but unable to install programs or change system configuration.
• Address Space Layout Randomization (ASLR) makes exploiting vulnerabilities more difficult by relocating normally-predictable code locations pseudo-randomly in memory. ASLR re-bases DLL’s to random locations in memory, making ret2libc type attacks unreliable. Due to ASLR we believe exploits for Internet Explorer 8 on Windows Vista or Windows 7 could result in limited code execution for less than 1% of attempts.

Out-of-band update coming tomorrow

We’ll be releasing a comprehensive, well-tested security update tomorrow morning PST to address this vulnerability. In the meantime, we hope this information helps you assess risk and protect your environment.

Acknowledgements

Thanks Matt Miller and John Lambert for help with the ASLR arithmetic and other feedback. 

- Jonathan Ness, MSRC Engineering

*Posting is provided "AS IS" with no warranties, and confers no rights.*

********************************************************************

Title: Microsoft Security Advisory Notification

Issued: January 20, 2010

********************************************************************

Security Advisory Updated Today

==============================================

 * Microsoft Security Advisory (979352)

  - Title: Vulnerability in Internet Explorer Could

    Allow Remote Code Execution

  - http://www.microsoft.com/technet/security/advisory/979352.mspx

  - Revision Note: V1.2 (January 20, 2010): Revised Executive

    Summary to reflect the changing nature of attacks attempting

    to exploit the vulnerability. Clarified information in the

    Mitigating Factors section for Data Execution Prevention

    (DEP) and Microsoft Outlook, Outlook Express, and Windows

    Mail. Clarified several Frequently Asked Questions to provide

    further details about the vulnerability and ways to limit the

    possibility of exploitation. Added " Enable or disable

    ActiveX controls in Office 2007" and " Do not open unexpected

    files" to the Workarounds section.   

********************************************************************

Microsoft Security Bulletin Advance Notification for January 2010

Issued: January 20, 2010

********************************************************************

This is an advance notification of one out-of-band security bulletin that Microsoft is intending to release on January 21, 2010.

The full version of the Microsoft Security Bulletin Advance Notification for January 2010 can be found at http://www.microsoft.com/technet/security/bulletin/ms10-jan.mspx.

This bulletin advance notification will be replaced with the January bulletin summary on January 21, 2010. The revised bulletin summary will include the out-of-band security bulletin, as well as the security bulletins already released on January 12, 2010.

For more information about the bulletin advance notification service, see http://www.microsoft.com/technet/security/Bulletin/advance.mspx.

To receive automatic notifications whenever Microsoft Security Bulletins are issued, subscribe to Microsoft Technical Security Notifications on http://www.microsoft.com/technet/security/bulletin/notify.mspx.

Microsoft will host a webcast to address customer questions on the out-of-band bulletin on January 21, 2010, at 1:00 PM Pacific Time (US & Canada). Register for the Security Bulletin Webcast at http://www.microsoft.com/technet/security/bulletin/summary.mspx.

Microsoft also provides information to help customers prioritize monthly security updates with any non-security, high-priority updates that are being released on the same day as the monthly security updates. Please see the section, Other Information.

This advance notification provides a number as the bulletin identifier, because the official Microsoft Security Bulletin numbers are not issued until release. The bulletin summary that replaces this advance notification will have the proper Microsoft Security Bulletin numbers (in the MSyy-xxx format) as the bulletin identifier. The security bulletins for this month are as follows, in order of severity:

Critical Security Bulletins

===========================

IE Bulletin

- Affected Software:

- Internet Explorer 5.01 Service Pack 4 when installed on

Microsoft Windows 2000 Service Pack 4

- Internet Explorer 6 Service Pack 1 when installed on

Microsoft Windows 2000 Service Pack 4

- Internet Explorer 6 for

Windows XP Service Pack 2 and

Windows XP Service Pack 3

- Internet Explorer 6 for

Windows XP Professional x64 Edition Service Pack 2

- Internet Explorer 6 for

Windows Server 2003 Service Pack 2

- Internet Explorer 6 for

Windows Server 2003 x64 Edition Service Pack 2

- Internet Explorer 6 for

Windows Server 2003 with SP2 for Itanium-based Systems

- Internet Explorer 7 for

Windows XP Service Pack 2 and

Windows XP Service Pack 3

- Internet Explorer 7 for

Windows XP Professional x64 Edition Service Pack 2

- Internet Explorer 7 for

Windows Server 2003 Service Pack 2

- Internet Explorer 7 for

Windows Server 2003 x64 Edition Service Pack 2

- Internet Explorer 7 for

Windows Server 2003 with SP2 for Itanium-based Systems

- Internet Explorer 7 in

Windows Vista,

Windows Vista Service Pack 1, and

Windows Vista Service Pack 2

- Internet Explorer 7 in

Windows Vista x64 Edition,

Windows Vista x64 Edition Service Pack 1, and

Windows Vista x64 Edition Service Pack 2

- Internet Explorer 7 in

Windows Server 2008 for 32-bit Systems and

Windows Server 2008 for 32-bit Systems Service Pack 2

(Windows Server 2008 Server Core installation not affected)

- Internet Explorer 7 in

Windows Server 2008 for x64-based Systems and

Windows Server 2008 for x64-based Systems Service Pack 2

(Windows Server 2008 Server Core installation not affected)

- Internet Explorer 7 in

Windows Server 2008 for Itanium-based Systems and

Windows Server 2008 for Itanium-based Systems Service Pack 2

- Internet Explorer 8 for

Windows XP Service Pack 2 and

Windows XP Service Pack 3

- Internet Explorer 8 for

Windows XP Professional x64 Edition Service Pack 2

- Internet Explorer 8 for

Windows Server 2003 Service Pack 2

- Internet Explorer 8 for

Windows Server 2003 x64 Edition Service Pack 2

- Internet Explorer 8 in

Windows Vista,

Windows Vista Service Pack 1, and

Windows Vista Service Pack 2

- Internet Explorer 8 in

Windows Vista x64 Edition,

Windows Vista x64 Edition Service Pack 1, and

Windows Vista x64 Edition Service Pack 2

- Internet Explorer 8 in

Windows Server 2008 for 32-bit Systems and

Windows Server 2008 for 32-bit Systems Service Pack 2

(Windows Server 2008 Server Core installation not affected)

- Internet Explorer 8 in

Windows Server 2008 for x64-based Systems and

Windows Server 2008 for x64-based Systems Service Pack 2

(Windows Server 2008 Server Core installation not affected)

- Internet Explorer 8 in

Windows Server 2008 for Itanium-based Systems and

Windows Server 2008 for Itanium-based Systems Service Pack 2

- Internet Explorer 8 in

Windows 7 for 32-bit Systems

- Internet Explorer 8 in

Windows 7 for x64-based Systems

- Internet Explorer 8 in

Windows Server 2008 R2 for x64-based Systems

(Windows Server 2008 Server Core installation not affected)

- Internet Explorer 8 in

Windows Server 2008 R2 for Itanium-based Systems

- Impact: Remote Code Execution

- Version Number: 1.0

0-day vulnerability in Internet Explorer 6, 7 and 8

Published: 2010-01-14,
Last Updated: 2010-01-14 22:19:56 UTC
by Bojan Zdrnja (Version: 1)

1 comment(s)

Microsoft just published an advisory about a critical security vulnerability in all versions of Internet Explorer (apart from 5 – but no one has that around anymore, right?).

While all versions of Internet Explorer are affected, the risk for everyone running Internet Explorer 8 is lower since it has DEP (Data Execution Prevention) enabled by default. DEP makes exploitation of this vulnerability more difficult so as a temporary workaround you might want to enable it for older IEs (keep in mind that it might break some add-ons).

Microsoft says that so far they only saw exploits against Internet Explorer 6. In a related post (here) McAfee said that this vulnerability was (one of those) used to compromise Google. So, it appears that it was maybe even a cocktail of 0-day exploits used (IE + Adobe).

********************************************************************

Title: Microsoft Security Advisory Notification

Issued: January 14, 2010

********************************************************************

Security Advisory Released Today

==============================================

* Microsoft Security Advisory (979352)

- Title: Vulnerability in Internet Explorer Could

Allow Remote Code Execution

- http://www.microsoft.com/technet/security/advisory/979352.mspx

- Revision Note: Advisory published.

Secure USB Flaw Exposed

Published: 2010-01-06,
Last Updated: 2010-01-06 18:44:38 UTC
by Guy Bruneau (Version: 1)

0 comment(s) acebook witter

Several ISC readers have written in regarding a security flaw recently exposed on USB flash drive. The issue of the attack is with a software bug in the password verification mechanism. This affects Kingston, SanDisk and Verbatim.

Vendor Information

SanDisk Update Information: http://www.sandisk.com/business-solutions/enterprise/technical-support/security-bulletin-december-2009
Verbatim Update Information: http://www.verbatim.com/security/security-update.cfm
Kingston Recall Information: http://www.kingston.com/driveupdate/

Binsservicesonline Scam Spreading on Facebook and SEO Poisoning

Date:01.05.2010

Threat Type: Malicious Web Site / Malicious Code

Websense Security Labs™ ThreatSeeker™ Network has discovered several spam messages on Facebook that trick the user into visiting BINSSERVICESONLINE(dot)INFO. When the link in the message is clicked, the Web site redirects the user to an online scam site similar to the one we published in the blog Google Scam Kits in mid-December. The use of Facebook to distribute links that lead to Google scam kits is fairly new, and is sure to trick some users into buying the kits.

A lot of users have apparently received this message, as it quickly became a popular search string on Google. As we've seen in the past, there are criminal groups monitoring the popular search terms on Google and other search engines to start their own malicious attacks, so it didn't take long until we started seeing Google search results for BINSSERVICESONLINE leading to rogue AV products.

Note that the two attacks are done by separate groups of criminals. One group started the spam attacks on Facebook and another started manipulating Google results.

We can see many messages spreading in Facebook, for example:

BINSSERVICESONLINE.INFO redirects to the following scam site:

Google search results for BINSSERVICESONLINE:

The Google Trend showing the hot CTR for BINSSERVICESONLINE:

Report of Java Object Serialization exploit in use in web drive-by attacks

Published: 2010-01-05,
Last Updated: 2010-01-05 17:54:55 UTC
by Toby Kohlenberg (Version: 1)

0 comment(s) acebook witter

We've had a report (thanks Tom!) of a java applet exploiting CVE-2008-5353 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5353) as part of a web drive-by attack. While PoC has been around for a long time for this, this is the first time I've heard of it being used in the wild for a general attack. If anyone else has seen this, we'd be interested to hear about it.

The applet is already being detected by some A/V packages according to VirusTotal: https://www.virustotal.com/analisis/d4f5bcc9acecb2f53a78313fc073563de9fc4f7045dd8123a23a08f926a3974d-1262270360

As we get more details on what it does, we'll update this entry with it.

Sophisticated, targeted malicious PDF documents exploiting CVE-2009-4324

Published: 2010-01-04,
Last Updated: 2010-01-04 06:29:59 UTC
by Bojan Zdrnja (Version: 1)

0 comment(s) acebook witter

Couple of days ago one of our readers, Ric, submitted a suspicious PDF document to us. As you know, malicious PDF documents are not rare these days, especially when the exploit for a yet unpatched vulnerability is wide spread.

Quick analysis of the document confirmed that it is exploiting this vulnerability (CVE-2009-4324 – the doc.media.newPlayer vulnerability). This can be easily seen in the included JavaScript in the PDF document, despite horrible detection (only 6 out of 40 AV vendors detected this when I initially submitted it here).

After extracting the included JavaScript code, the shellcode that it uses looked quite a bit different than what we can usually see in such exploits: this shellcode was only 38 bytes long! Initially I even thought that it does not work, but after studying it a little bit, I found that this particular PDF document has some very interesting, sophisticated characteristics.

The exploit for this vulnerability is similar to most other exploits: it uses heap spraying in order to redirect the execution to shellcode. The NOP sled in this case actually consists of SBB AL,0x1C and SBB AL,0x0C instructions which do nothing (SBB is Subtract with borrow, from the register AL, so it keeps subtracting two values until it reaches the shellcode). The 38 bytes shellcode can be seen below:

Now comes the interesting part. This is an egg-hunting shellcode: it starts at the memory address ((0x02020200 OR 0xFF) + 0x01) = 0x02020300) and compares content of every 4 bytes with 0x58905090. You can see that initially the attacker moves 0x5890508F into the EAX register, which then gets increased by one – this was probably done to evade detection.

This pattern (0x58905090) corresponds to instructions POP EAX, NOP, PUSH EAX, NOP. Now, once this pattern has been identified in memory, the egg-hunting shellcode passes execution to this, second stage shellcode.

What is interesting about this approach is that the second stage shellcode is included as a different object in the PDF document. While the object is marked as a color object and its contents are inflated, it looks as if it is corrupted: it does not contain any inflated streams. You can see the object and the deflation error printed by pdf-parser, an excellent tool by Didier Stevens whom I wish to thank for useful discussion while I was analyzing this malicious PDF document:

$ pdf-parser.py --object 3 --raw --filter Requset.pdf

obj 3 0
Type:
Referencing:
Contains stream
<</BitsPerComponent 8/ColorSpace/DeviceRGB/Filter/FlateDecode/Height 90/Length 13136/Subtype/Image/Width 60>>
<<
   /BitsPerComponent 8
   /ColorSpace /DeviceRGB
   /Filter /FlateDecode
   /Height 90
   /Length 13136
   /Subtype /Image
   /Width 60
>>
FlateDecode decompress failed
The fact that the decompression fails does not matter – Adobe Reader will open the whole document (mmap it) into memory, including this "corrupted" object so the first stage shellcode will be able to find it and pass execution to it!

The advantage for the attacker is obvious: first, he can modify this object (what the exploit actually does) without having to modify the first stage shellcode. Additionally, this will make automatic analysis impossible for any tool that will use a JavaScript interpreter on the included JavaScript code (such as Wepawet) – the first phase shellcode will work only if the document is loaded in the memory. Sneaky, but that was not all!

The second stage shellcode does something interesting as well. It parses the document name from the command line arguments and opens the PDF document directly. The reason for this is that the PDF document carries two embedded binaries! The first binary (SUCHOST.EXE, b0eeca383a7477ee689ec807b775ebbb) contains a PoisonIvy client which tries to connect to the host cecon.flower-show.org which was down when I analyzed the document. Luckily, this binary has a bit better (but still not good, some major AV vendors missing it!) detection on VT (here). This binary is embedded in the PDF document – we can see it at offset 0x0e65c:

$ hexdump -C -v ../Requset.pdf |less
00000000  25 50 44 46 2d 31 2e 36  0d 25 e2 e3 cf d3 0d 0a  |%PDF-1.6.%......|
00000010  32 34 20 30 20 6f 62 6a  0d 3c 3c 2f 4c 69 6e 65  |24 0 obj.<</Line|
00000020  61 72 69 7a 65 64 20 31  2f 4c 20 39 34 37 32 33  |arized 1/L 94723|
00000030  32 2f 4f 20 32 36 2f 45  20 31 37 38 31 2f 4e 20  |2/O 26/E 1781/N |
...
0000e650  b4 b4 b3 88 8f a0 a0 c0  ca c3 88 8f c8 df 00 00  |................|
0000e660  84 00 00 00 87 00 00 00  7a 7a 00 00 c5 00 00 00  |........zz......|
0000e670  00 00 00 00 c5 00 00 00  00 84 00 00 8b 9a 31 8c  |..............1.|
The binary is XORed with value of 0x85 so the first two highlighted bytes are actually MZ, which is where the executable starts.

The second binary (temp.exe, 980e40cacbc9f898bc08cb453fa2d6bb) was even more surprising. This binary drops a benign PDF document on the machine, called baby.pdf. This PDF document is then opened with Adobe Reader – it just shows a table and, according to the metadata in the document, has been built from an Excel document. This was done by the attackers to make the victim believe as if nothing happened, because the original exploit will crash Adobe Reader and this might make the victim suspicious about what happened.

Additionally, the PDF document contains everything it needs to fully exploit the victim's machine – it does not have to download anything off the net.

Lessons learned

Not only was this a very interesting example of a malicious PDF document carrying a sophisticated "war head", but it also showed the length attackers are willing to go to in order to make their malware as hard to detect as possible, not only for the AV vendors, but also for victims.

Since this exploit has not been patched yet, I would like to urge you all to, at least, disable JavaScript in your Adobe Reader applications. We are getting more reports about PDF documents exploiting this vulnerability, and it certainly appears that the attackers are willing to customize them to get as many victims to open them as possible. Also keep in mind that such malicious PDF documents can go to a great length when used in targeted attacks – the fake PDF that gets opened can easily fool any user into thinking it was just a mistakenly sent document.

If we are to judge the new year by sophistication the attackers started using, it does not look too good.

How Celebrity News Shapes the Spam Landscape

MarissaVicario

December 30th, 2009

Fox Sports Web Site Compromised

Date:12.29.2009

Threat Type: Malicious Web Site / Malicious Code

Websense Security Labs™ ThreatSeeker™ Network has detected that the Fox Sports site has been compromised and injected with malicious code. Fox Sports is a division of the Fox Broadcasting Company. It specializes in the latest sports news and world sports updates. Fox Sports has an Alexa ranking of 330.
Our research shows that the site has been injected with two pieces of malicious code. One of them is the latest Gumblar campaign, and the other redirects individuals to a malicious Web site, whose link was unreachable at the time of this alert.
The ThreatSeeker Network has detected that thousands of Web sites have been compromised by the latest Gumblar campaign. The Gumblar page is highly obfuscated. After deobfuscation, the page uses PDF and Flash exploits to run malware in order to control a victim's computer. In addition, a piece of VBScript is executed to download malware.

Screenshot of Fox Sports Web site: 

Screenshot of malicious injected code: 

Websense Messaging and Websense Web Security customers are protected against this attack.

Twitter outage via DNS hijacking

Published: 2009-12-18,
Last Updated: 2009-12-18 08:37:38 UTC
by Stephen Hall (Version: 1)

5 comment(s) acebook witter

A number of diary readers have submitted that the popular micro blogging site, Twitter.com has been defaced this morning.

The twitter.com status page has the following report:

Update (11:28p): Twitter’s DNS records were temporarily compromised but have now been fixed. We are looking into the underlying cause and will update with more information soon.

If we receive any more information concerning the outage, or how the hijacking occured, we shall update the diary during the day. If you have any additional information, please let us know via the contact form.

Update: The following screen grab shows the DNS hijacking as recorded via the PassiveDNS systems. The host www . mowjcamp . org is currently hosting the defacement.

Steve Hall

Adobe flash player and air patched

Published: 2009-12-09,
Last Updated: 2009-12-10 00:54:00 UTC
by Swa Frantzen (Version: 4)

2 comment(s) acebook witter

The almost universally installed flash player of adobe has been update to version 10.0.42.34. Adobe air was upgraded as well to version 1.5.3.

Read more about it in the apsb09-19 bulletin from adobe.

The reason behind it are 7 vulnerabilities: CVE-2009-3794, CVE-2009-3796, CVE-2009-3797, CVE-2009-3798, CVE-2009-3799, CVE-2009-3800 and, CVE-2009-3951 of which 6 lead to arbitrary code execution and the last one is a windows-only issue leading to unauthorized information disclosure, related to CVE-2008-4820.

"Upgrade!" is the loud and clear message should our audience need that encouragement.

At this point we have no guidance for users wishing to know more about version 9 of the flash player aside of considering an upgrade to the latest incarnation of version 10.

Thanks for the heads-up go to David and Andrew.

UPDATE 1:

Martin wrote in with a link to the download page for those with licenses (where you can get e.g. MSI packages) and that states: "As of December 8, 2009, Flash Player 9 is no longer available for distribution. All Licensees should now distribute Flash Player 10". I guess that implies those still holding out on Flash player 9 have but one path forward.

UPDATE 2:

We were informed by a reader that the w removed link to the download page for those with licenses is in fact a secret link. From the email adobe sends to their customers getting this link rightfully:

**********
You may not share the above link, share information with others, or publish the above link on websites, blogs, or by any other means that can be publicly accessed. The information contained on this site is meant for your use only in accordance with Adobe Flash Player Distribution License Agreement you accepted. You may direct others to http://www.adobe.com/products/players/fpsh_distribution1.html to request distribution rights.
Regards,
Adobe Systems Incorporated
***********

We didn't know about it being a secret link. And apologize for unknowingly exposing it.

If anybody knows a non-secret link that clearly states Flash Player 9 is at the end of it's updates, please send it to us as it's the kind of pressure some out there need to get to be allowed to upgrade the software.

UPDATE 3:

Flash player 9 updates for unsupported platforms are available in KB 406791. Note that his is intended for those still using unsupported OSes from their respective vendors such as Windows 98, Windows ME, MacOS X 10.1-10.3, and Red Hat Enterprise Linux 3 and 4 operating systems, who cannot run Flash player 10. Note adobe nowheresaid these were updated to fix the same bugs as those fixed in Flash player 10: use at your own risk.

--

********************************************************************

Title: Microsoft Security Advisory Notification

Issued: December 8, 2009

********************************************************************

Security Advisories Updated or Released Today ==============================================

* Microsoft Security Advisory (977981)

- Title: Vulnerability in Internet Explorer Could Allow Remote Code Execution

- http://www.microsoft.com/technet/security/advisory/977981.mspx

- Revision Note: V2.0 (December 8, 2009): Advisory updated to reflect publication of security bulletin.

* Microsoft Security Advisory (974926)

- Title: Credential Relaying Attacks on Integrated

Windows Authentication

- http://www.microsoft.com/technet/security/advisory/974926.mspx

- Revision Note: V1.0 (December 8, 2009): Advisory published.

* Microsoft Security Advisory (973811)

- Title: Extended Protection for Authentication

- http://www.microsoft.com/technet/security/advisory/973811.mspx

- Revision Note: V1.2 (December 8, 2009): Updated the FAQ with information about three non-security updates relating to Windows HTTP Services, HTTP Protocol Stack, and Internet Information Services.

* Microsoft Security Advisory (954157)

- Title: Security Enhancements for the Indeo Codec

- http://www.microsoft.com/technet/security/advisory/954157.mspx

- Revision Note: V1.0 (December 8, 2009): Advisory published.

Tiger Woods Car Accident Heating Up the Web

Hon Lau

November 28th, 2009

The car accident involving Tiger Woods last night outside his home in Windemere, Florida has been generating a lot of heat as far as Web traffic and searches go. Since the news broke, the top web searches on Google has been related to the this story. Even hours after the break of the story, six out of the top ten search items are still related to this event.  Tiger Woods is obviously a huge celebrity from a sport that has a huge worldwide following. The circumstances surrounding this accident are still as yet unclear.  

From an IT security point of view this unfortunate incident is just another fruit ripe for the picking as far as malware writers are concerned. So it comes as no surprise that the creators of rogue antivirus or misleading application software have already jumped on the bandwagon and attempted to poison web search engine results to take advantage of this spike in web search activity.

We have observed some search engine results redirecting to a few malicious domains which are:

• vir-curemypc-now.com
• egafuki.cn
• online-scanner-free.net

The sites go through the usual fake scanning activity before pointing out a whole host of serious errors and threats that needs to be cleaned from your computer. For a video of how these misleading applications generally behave you can view this video made by my colleague Benjamin Nahorney.

The files on offer on this occasion may be one of the following:

• setup_build6_195.exe (Download.MisleadApp)
• install[RANDOM NUMBER].exe (Detected as Downloader or Trojan.FakeAV)

 

As you already know, taking advantage of celebrity mishaps, major news events or disasters is nothing new. We have seen this kind of activity before in relation to Serena Williams, Farah Fawcett, Michael Jackson, Tsunamis, the list is endless. So this is just another reminder that we always have to be on our guard. When searching for information on the Web, make sure your legitimate antivirus software is updated and if you are ever feel yourself being strong-armed into buying antivirus software from any dubious online sources-Don't do it! Instead go to a trusted source such as your local physical shop.
 

And if you are interested in the real news, try one of these sources:
• Reuters

• CNN

• BBC

Yet Another iPhone Worm?

John McDonald

November 22nd, 2009