Category: Technology

Critical Vulnerabilities Patched in New Version of Adobe Flash Player

In the security bulletin released on 12 May 2011, Adobe announced that it has fixed critical Flash Player bugs in version and earlier for Windows, Macintosh, Linux and Solaris, and earlier for Chrome, and and earlier for Android. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.

Adobe also reported that it is aware of a malware exploit, delivered as an email attachment, in which a Flash (.swf) file is embedded in an MS Word (.doc) or MS Excel (.xls) file, targeting systems running Windows. So make sure you are not opening attachments from unknown emails until you update Flash.

The new versions for various platforms are as follows:

  • For Windows, Macintosh, Linux and Solaris OS –
  • For Android –

The Flash Player for Chrome has been updated via the new Chrome version 11.0.696.68. Other users can use the Flash Player Download Center to get the latest version. For Android users, the update is available in the Android Market.

Adobe rates the severity of the vulnerabilities as critical and recommends updating to the newer versions as soon as possible.


New Chrome version released – 11.0.696.68

As expected, Google released new version v11.0.696.68 after VUPEN security researchers claimed to have pwned Chrome. The new version of Chrome comes with the updated Adobe Flash Player 10.3.

In reply to the claims of a Chrome pwn, security researcher Dan Kaminsky said that if VUPEN used a vulnerability in Flash to bypass the sandbox, then it is not a Chrome hack alone. Another security researcher from Google, Tavis Ormandy, said in a Twitter post that “VUPEN misunderstood how sandboxing worked in chrome, and only had a flash bug.” Google is still investigating VUPEN's claims.

The new Chrome version addresses two high-risk security vulnerabilities – integer overflows in SVG filters and bad casts in Chromium WebKit glue – along with the Flash Player plugin fix. Google also added the new ClearSiteData API in Chrome, so that users can manage and remove Flash cookies (Local Shared Objects).

Security Vulnerability found in Google Chrome Running on Windows

The most touted security features of Google Chrome, including the sandbox, ASLR and DEP, were bypassed by VUPEN security researchers. The vulnerability affects the latest version of Google Chrome (v11.0.696.65) for Windows.

The vulnerability is found to affect all Windows-based computers running 32-bit as well as 64-bit OS. It was exploited by simply making the user visit a specially crafted web page containing sophisticated code that executes various payloads to ultimately download and start an arbitrary program. The program runs silently, without even crashing Google Chrome after the payload executes. The program launches outside the sandbox, but at medium integrity level. However, most malware today doesn’t necessarily need a high integrity level to run.

As the vulnerability details have not been published, Chrome users need not panic.

Top Countries Hosting Phishing Websites – H1 2011

A recent report from Websense shows an alarming increase in cybercrime activity in Canada. While the US still stands as the major hub for hosting phishing websites, Canada occupies second place, followed by Egypt. Compared with the OpenDNS report published recently on the top countries hosting phishing websites in 2010, Germany falls back from second to fourth position.

The following are the top countries hosting phishing websites in the first part of 2011 (i.e., January 2011 to May 2011):

  1. United States
  2. Canada
  3. Egypt
  4. Germany
  5. UK
  6. Netherlands
  7. Russia
  8. South Korea
  9. France
  10. Brazil

The intense scrutiny of IP addresses in China and Eastern Europe seems to be the major reason for the shift of cybercrime activity to Canada. Canada has now jumped to #6 in the world in terms of hosting cybercrime, up from #13 in 2010.

The anti-spam law, introduced in Canada in December 2010, will come into effect in September 2011. Canada was the last of the G8 countries to introduce its own anti-spam law, which addresses a number of online threats, including spyware, malware, pharming and phishing, and even gives individuals the private right to sue spammers.


Is Your Genuine Antivirus Protecting Your Computer from All Online Threats?

A person may be using a genuine operating system, genuine applications and, of course, world-class antivirus software – all of them purchased for a few thousand rupees or a few hundred dollars, nothing for free. But he is still not 100% safe in the wild west of today's Internet, because the threat is not just a virus, trojan or other such malware – it is social engineering.

With robust, genuine software and hardware security products, the cost of computing is going very high. Vendors are no longer stuck on pleasing their consumers with just usability features. They have tightened the technology and release numerous updates, even though these seem overwhelming to their customers. In this situation, finding new vulnerabilities in software and then trying to exploit them with viruses and trojans is not viable for the hackers. This is where they figured out a new strategy – exploiting the weakest link of a sturdy technical security system. Guess who? The human, of course. It can be the administrator of a PC or of a corporate network. Even luring a junior employee of a corporate network into downloading something infects the network.

Kevin Mitnick, a security consultant, mentions in his CSEPS Course Workbook that it is much easier to trick someone into giving up a password for a system than to spend the effort to crack into the system.

Social engineering explained
The concept of social engineering is to directly trick the user of the computer into downloading malware or revealing sensitive information under the impression that they are doing something perfectly innocent. The task is very simple, and many fall for it for lack of awareness of the scams being played on them.

A world-class antivirus that ranks first in all AV tests, with the best team releasing real-time AV definitions every day, or a robust firewall from the industry leader, simply does not help the administrator of the computer, because it is he himself who is infecting the PC. The job of the attacker is simply to lure him into doing it. However, downloading malware may not be what the attacker wants every time. He may just lure the user into giving away some sensitive information, ranging from an SSN to a credit card number.

The hacker hijacks a genuine domain or creates a genuine-looking one himself; this is part of website spoofing. Once the user enters the domain, they are lured either into providing their personal details or into downloading something. Selling scareware is also a part of social engineering. In fact, Google reported that 90% of all domains involved in distributing fake antivirus software used social engineering techniques.

Why your antivirus can’t keep up
Each hacker holds a number of domains. If one is identified and taken down, another goes up. The malware mutation used here is also rapid. Even though you have the latest version of an antivirus, called an Internet security suite, it may be too late by the time the vendor identifies the sample and releases a fresh virus definition. Microsoft has gathered information about a few billion downloads over the past two years, and roughly 1 out of every 14 program downloads is later identified as malware. In a few cases, just clicking on the background of the malicious site will initiate a download.

Anti social engineering: should it come from your computer and AV, or from you?
Your computer's security is only as robust as your security awareness. On any computer, be it running Windows XP, Vista or Windows 7, the software will not allow any data to enter your system unless you permit it by initiating its download. And if somebody tries to upload corruptive data to your system, it wouldn’t work because you never initiated it in the first place.

Popular browsers today are designed not to download anything blindly, even if it is initiated by the user himself. The browser does its job perfectly by alerting the user with details of the initiated download. (You might remember the classic browser pop-up with OK and Cancel options on it.)

But the hacker is clever enough to give a set of instructions including a message saying “You will receive a warning about this control. Ignore the warning and click OK”. The user, unaware of the situation, clicks OK and downloads the malware. The PC is now infected with the full authorization of its administrator.

In another situation, the user might get an email claiming to be from his bank (email spoofing by the hacker) informing him that he has withdrawn a huge amount from his account, with a link to a site that looks like his banking website. The scared user is now tricked into typing his account details and password. Within the next few hours, the account is emptied by the hacker.

Most social engineering techniques work the same way. Agreed, a genuine antivirus is required to protect your PC, but it is not designed to tackle situations like this.

Here are a few tips that help prevent social engineering to some extent:

  • Awareness of the user is the key here. Keep yourself updated on online scams.
  • Avoid using an administrator-privileged account on the PC, except for installing security patches.
  • Beware of unknown websites and emails that prompt you for personal information.

Most people fall victim to social engineering tactics either out of stupidity or greed. And unfortunately, we don’t have patches or hot-fixes for either of them. The person should also have the proper mindset to deal with social engineering tactics. A mature person is less likely to get enticed and fall for online scams.


WINS bug patch for Windows Servers

Contrary to the gigantic updates on the previous Patch Tuesday, Microsoft has released only 2 critical updates this month – one of the lightest Patch Tuesdays in recent years.

What seems interesting here is the fix for Windows Internet Name Service (WINS), which allows NetBIOS devices to communicate on the network. As per bulletin MS11-035, the flaw in WINS allows a malformed WINS packet to trigger remote code execution. The flaw affects both Windows Server 2003 and 2008, but only if they are running WINS. Most servers these days are not running WINS anymore, as it is not considered as safe as DNS. It is not even installed by default on these operating systems. Thus, the update is only for those who installed it manually.

Another bulletin, MS11-036, releases a patch for two vulnerabilities in MS PowerPoint that could allow remote code execution if a user opens a malicious ppt file. Though the attacker is limited to the locally logged-on user’s privileges, it is important to patch this too.

Overall, 3 vulnerabilities are taken care of by the 2 security bulletins released on this Patch Tuesday.

Ransomware: Trojan asks to reactivate Windows

A new mutation of ransomware, which asks for reactivation of Windows, has been reported by F-Secure. The user gets a blue screen saying that the Windows license has been locked. The message screen looks exactly like the Windows screen shown during installation of the OS. There is even a Windows logo in the top-right corner of the screen to make the message look authentic.

It then prompts the victim to complete activation by calling one of the numbers listed on the screen to get a code. It even says that the phone call is free of charge. However, the call is not free, and the victim is charged a hefty bill for it. The hacker is paid for the call via a technique called short stopping, which involves rogue phone operators routing expensive calls to cheaper countries.

The victim is given the unlock code after 3 minutes of waiting on the call. The unlock code is found to always be 1351236. So, victims can directly use this code to unlock their PCs without calling the phone numbers.

Emerging Malware Trends: Ransomware

Malware is mutating very rapidly, with new types of techniques evolving to raise money for hackers. Ransomware is a mutation of scareware, where the hacker hijacks a PC by encrypting all its files and demands a ransom to unlock or decrypt them. The infected PC may not send spam mails or track sensitive information for its creator; it is worse than that.

Ransomware came onto the radar of security researchers in 2009, when a Vundo Trojan was found to encrypt all personal files and the users were asked to pay for the key to decrypt them. The earliest form of scareware just made people pay for useless software and fake antivirus. The hackers were able to make it sophisticated enough to hold a PC for ransom. Apart from encryption, the ransomware might just block access to all the applications on the system, asking the user to buy a license in order to fix the problem. The hacker might even entice with a 30-day money-back guarantee message, which is false.

Techniques used to install ransomware:
Ransomware is just one kind of malware, so all the methods used to install it on your PC are similar to those of any virus or trojan infection. However, the actual talent of the hacker lies in making the victim pay the ransom. Heavy social engineering techniques are used here. The following are a few techniques used by ransomware hackers:

  • Spam emails with malicious files. The malicious files contain code that exploits vulnerabilities in software applications. The code then takes control of the PC, denying access to applications and files.
  • Exploitation of vulnerabilities in the browser by opening malicious web pages. Then an in-line adult advertisement is shown on every web page the user opens. It covers the main part of the web page and the user can’t get rid of it. The text on the banner will be in a foreign language. The user is also asked to send an SMS to a premium-rate phone number to get a special code that will make the ad disappear and also give access to an archive of explicit videos.
  • A user visiting a spoofed site may suddenly see a message that his PC is infected and that he should download a tool to get rid of it. The downloaded file actually contains ransomware.
  • A malicious .dll file is smuggled onto the PC, which manipulates the parental controls or web content filtering features of the PC. When the user tries to open even legitimate sites like YouTube, Facebook, etc. from the browser, a message on a red background is displayed saying: “Restricted Site! This web site is restricted based on your security preferences. Your system is infected. Please activate your antivirus software.” Access to the domains is allowed only if the user purchases a fake AV from the hacker.
  • Another technique involves manipulation of the master boot record, preventing booting into the operating system. A message is displayed saying that access to the PC is blocked and the user is asked to visit a site. On the site, he will be asked to pay to get back access to the PC. However, in such cases, the user can just bypass the prompt and restore the master boot record. Rescue disks are very helpful in these cases.
  • An instant messaging worm is found to block access to the Facebook account on the infected PC. The message looks as if Facebook itself has blocked the account. The victim is asked to complete a survey within a short period of time. In the middle of the survey the victim is tricked into subscribing to premium-rate services on their mobile phone.
  • Adult websites are a main hub for malware downloads. For example, a piece of ransomware identified as WORM_RIXBOT.A was downloaded over 137,000 times from a single adult website in December alone. This worm prevents users from accessing their desktops and asks them to send a text message to a premium number in order to receive an unlock code.
  • The recent Japan earthquake also triggered a few ransomware infections. The emails sent to users contain links to fake news articles from which the malware installs on the PC. Then access to the desktop is seized with a message claiming to be from the Federal police, saying that illegal activities have been discovered on the PC and that the user must pay a fine within the given time if they don’t want their hard drive erased.
  • The most recent ransomware technique involves display of a Windows reactivation message. The victim is given a toll-free phone number for getting the reactivation code. However, the call will not be free, and the hacker is paid indirectly from the victim’s pocket.

In most of the above instances, the files on the hard drive are encrypted. For decrypting the files, a private key is required from the hacker. In such cases, users must power off their PC immediately after seeing the encryption message to stop further encryption of files. This makes sure that at least some of the data is saved from being encrypted. The hard drive should then be removed and installed as a secondary drive in another PC to copy unaffected files to some other storage device. Regular backups are key here to minimize the impact. Cracking the encryption can then be attempted with the help of a security expert.
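When the drive is mounted as a secondary disk in a clean PC, the practical question is how to tell "unaffected" files from the ones the ransomware already encrypted. The script below is an added example, not part of the original post and not a tool from F-Secure or any vendor: it walks a directory tree, computes the Shannon entropy of each file's first 64 KiB, copies files that look like ordinary data to a rescue location, and reports the near-random ones for manual review. The entropy threshold of 7.5 bits per byte, the directory names and the sample files (a repetitive text note and a block of random bytes standing in for an encrypted spreadsheet) are all constructed assumptions for the demonstration.

```python
import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Assumed threshold: well-encrypted data has near-maximal entropy (~8 bits/byte),
# while documents, source code and most office files sit far below it.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte for a byte string (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """Heuristic: flag a file as likely ciphertext if its first 64 KiB is near random.
    Caveat: compressed media (jpg, zip, mp3) is also high-entropy, so the skipped
    list is a review queue, not proof that a file was encrypted."""
    with path.open("rb") as fh:
        sample = fh.read(64 * 1024)
    return shannon_entropy(sample) >= threshold


def triage_copy(src: Path, dst: Path, threshold: float = ENTROPY_THRESHOLD) -> dict:
    """Walk the mounted secondary drive (read-only), copy files that do not look
    encrypted to dst preserving relative paths, and report what was skipped."""
    report = {"copied": [], "skipped": []}
    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = path.relative_to(src)
        if looks_encrypted(path, threshold):
            report["skipped"].append(str(rel))
            continue
        target = dst / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)  # copy2 keeps timestamps, useful for later triage
        report["copied"].append(str(rel))
    return report


def build_sample_drive(root: Path) -> None:
    """Constructed sample data standing in for the victim's drive; no real malware output."""
    (root / "docs").mkdir(parents=True, exist_ok=True)
    (root / "docs" / "notes.txt").write_bytes(b"Quarterly budget notes, draft 3.\n" * 200)
    # Stand-in for a file the ransomware already encrypted: random bytes.
    (root / "docs" / "budget.xls.locked").write_bytes(os.urandom(8192))


def demo() -> dict:
    """Run the triage on the constructed sample drive and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "victim", Path(tmp) / "rescued"
        build_sample_drive(src)
        return triage_copy(src, dst)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

On a real drive, point `triage_copy` at the mount point of the secondary disk and at an external backup location, and mount the source read-only so nothing on it is altered before an expert looks at it. Because compressed formats also score high, treat the skipped list as a queue for manual inspection rather than discarding it.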