March 16, 2009

Conficker Worm Evolves!

The elusive Conficker worm, which exploits the MS08-067 vulnerability in Microsoft Windows, has evolved. The worm was released earlier this year and has infected hundreds of thousands of machines worldwide. The new variant improves upon the already highly infectious Conficker.C variant. One of the improvements is a new domain generation algorithm that will allow the worm to generate 50,000 infectious domains instead of the 500 it is capable of at this point. Additionally, the new variant will have built-in defensive capabilities that protect it from the various antivirus / anti-malware packages that could previously disable or remove it. However, the most concerning aspect of the worm is that it does not yet seem to have a purpose. Although numerous machines around the world have already been infected, the infected machines have not been tasked with anything major, such as a Distributed Denial of Service attack. In the coming months, however, we can expect to see something major launched through the Conficker bots, as Conficker continuously increases the reach of its network. In order to properly defend against Conficker, please remember to update your Windows operating system and keep your antivirus up to date.
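A domain generation algorithm of the size described above leaves a footprint on the local resolver: an infected host asks for many generated names that do not exist yet. The following Python is an added example, not code from the original post, that flags clients with an unusual number of distinct NXDOMAIN answers in a constructed resolver log; the log format and the thresholds (at least 5 distinct failed names making up at least half of a client's queries) are assumptions to tune against the network's normal typo rate.

```python
import re
from collections import defaultdict

# Constructed sample resolver log (not from the original post), one query
# per line: "<time> <client-ip> <queried-name> <rcode>".
SAMPLE_DNS_LOG = """\
10:00:01 192.0.2.10 www.example.com NOERROR
10:00:02 192.0.2.10 mail.example.com NOERROR
10:00:02 192.0.2.10 wwww.example.com NXDOMAIN
10:00:03 192.0.2.10 cdn.example.net NOERROR
10:00:03 192.0.2.44 www.example.com NOERROR
10:00:04 192.0.2.44 qwmztre.org NXDOMAIN
10:00:04 192.0.2.44 abcsdkjp.net NXDOMAIN
10:00:05 192.0.2.44 lpoiuyt.biz NXDOMAIN
10:00:05 192.0.2.44 zxcvbnmq.info NXDOMAIN
10:00:06 192.0.2.44 qwmztre.org NXDOMAIN
10:00:06 192.0.2.44 hgfdsaab.cc NXDOMAIN
10:00:07 192.0.2.44 mnbvcxzt.ws NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)$")


def parse_dns_log(text):
    """Yield (client, name, rcode) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _time, client, name, rcode = m.groups()
            yield client, name.lower(), rcode


def find_dga_suspects(text, min_distinct_nx=5, min_nx_ratio=0.5):
    """Flag clients with many distinct NXDOMAIN names (assumed thresholds)."""
    total = defaultdict(int)
    nx_names = defaultdict(set)
    for client, name, rcode in parse_dns_log(text):
        total[client] += 1
        if rcode == "NXDOMAIN":
            nx_names[client].add(name)   # repeats of one name count once
    suspects = {}
    for client, count in total.items():
        distinct_nx = len(nx_names[client])
        ratio = distinct_nx / count
        if distinct_nx >= min_distinct_nx and ratio >= min_nx_ratio:
            suspects[client] = {"distinct_nxdomain": distinct_nx,
                                "queries": count, "nx_ratio": round(ratio, 2)}
    return suspects
```

Client 192.0.2.10 has a single typo and is left alone; client 192.0.2.44 is reported because six of its eight lookups were for distinct names that do not resolve.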

February 25, 2009

SSL Man-in-the-middle attacks are now in the wild

Last week at the annual Black Hat Federal conference (a conference of hackers and security researchers), a security researcher released a tool that allows an attacker to perform man-in-the-middle attacks against SSL-encrypted channels in browsers. So what does this mean? In order to understand this, we must first look at SSL.


SSL, or Secure Sockets Layer, is designed to verify the identity of a site to the user by using a PKI-based certificate architecture. An end user would have a certificate that is signed by a trusted third party such as VeriSign or Thawte, while the web content provider has its own certificate that is also verified and signed by the same third party. When the end user communicates with the web content provider, the provider presents its certificate to the end user, and the end user checks whether the certificate is signed by one of its trusted third parties. So in a sense, the third party verifies that the site is who it claims to be.


However, this researcher's tool undermines the SSL infrastructure by listening for SSL-encrypted traffic on the network where the tool is installed. Once SSL-based traffic is detected, the tool quickly responds to the request by offering a similar-looking, unsecured HTTP page. Although the page is not secured, it places a padlock in the browser in an attempt to trick the end user into thinking the connection is encrypted. An inexperienced end user can easily be fooled into typing his/her credentials into the unencrypted page, which can then be captured by an attacker. Many sites, including email providers, banks, financial institutions and credit card sites, use SSL to help secure data transmission with their customers.


The release of this tool makes defeating SSL on a network much simpler, and since it offers a fake web page, it is very difficult for an average user to notice a difference. The exploit is reported to have surfaced in the wild; in order to stay safe, you must make sure that the page you are visiting has https in the address bar and that the site's certificate is valid.
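The user-side check above has a network-side counterpart: once the tool has handed the victim an unsecured HTTP page, the credentials travel in plaintext past any web proxy, where a site that is known to use SSL suddenly appears over plain http. The Python below is an added example, not the researcher's tool or code from the original post; the proxy log format, the list of known-HTTPS hosts and the names of secret form fields are all constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Hosts known to serve their login pages only over HTTPS, and form fields
# that carry secrets (both constructed lists, not from the original post).
KNOWN_HTTPS_HOSTS = {"bank.example.com", "mail.example.net"}
SECRET_FIELDS = {"password", "passwd", "pass", "pin", "ssn", "cardnumber"}

# Constructed sample web-proxy log, one request per line:
# "<client> <method> <url> <form-body-or-dash>".  Client .44 sits behind the
# tool described above: its bank session was served as plain HTTP.
SAMPLE_PROXY_LOG = """\
192.0.2.10 GET https://bank.example.com/login -
192.0.2.10 POST https://bank.example.com/login user=alice&password=REDACTED
192.0.2.44 GET http://bank.example.com/login -
192.0.2.44 POST http://bank.example.com/login user=bob&password=REDACTED
192.0.2.44 GET http://news.example.org/ -
192.0.2.44 POST http://forum.example.org/search q=conficker
"""


def parse_proxy_log(text):
    """Yield (client, method, split-url, body) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4:
            client, method, url, body = parts
            yield client, method.upper(), urlsplit(url), ("" if body == "-" else body)


def downgraded_sessions(text):
    """(client, host) pairs that reached a known-HTTPS host over plain HTTP."""
    return {(c, u.hostname) for c, _m, u, _b in parse_proxy_log(text)
            if u.scheme == "http" and u.hostname in KNOWN_HTTPS_HOSTS}


def find_stripped_logins(text):
    """Credential fields submitted in the clear to a known-HTTPS host."""
    findings = []
    for client, method, url, body in parse_proxy_log(text):
        if method != "POST" or url.scheme != "http":
            continue                       # HTTPS bodies are opaque to the proxy
        if url.hostname not in KNOWN_HTTPS_HOSTS:
            continue
        fields = {k.lower() for k in parse_qs(body, keep_blank_values=True)}
        leaked = sorted(fields & SECRET_FIELDS)
        if leaked:
            findings.append((client, url.hostname, url.path, leaked))
    return findings
```

The first function fires as soon as the downgrade happens, before any credential is typed; the second confirms that a secret actually crossed the wire and names the field so the account can be reset.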

January 14, 2009

New and Sophisticated Phishing Methods Emerged Online

According to Trusteer, a security solutions firm that primarily works with banks and financial institutions, a new type of phishing attack has surfaced on the Internet. This type of attack is referred to as an in-session phishing attack. In order to understand this attack, one must first be familiar with phishing attacks in general.


In short, phishing attacks are one of the primary causes of identity theft, as attackers frequently use them to steal an unsuspecting victim's information. The methods of phishing vary, but most consist of spear phishing, where a phoney email is sent with the attacker posing as an authoritative figure from a bank, recruiting company, prize clearinghouse or any other institution the victim may or may not be affiliated with. If the victim believes the false information in the email and clicks on the link, the link directs the victim to a malicious website, where the site asks the victim to validate or input personal information such as credit card numbers, bank account information or social security numbers. Once the attackers get the information, they attempt to sell it on underground black markets.


So what makes the new in-session phishing attack so different from the traditional spear phishing approach? First off, these in-session attacks occur while the user is logged into his/her online banking or other secure sites from affiliated institutions (such as investment companies or email). The attack usually happens when an unsuspecting victim logs into his banking site and, while still logged in, visits other websites, one of which has been compromised by an attacker. Once the attacker's malicious software identifies which website the user is logged onto, it can draft and deliver a custom message to the victim indicating that his/her session with the banking or other site has expired and that he/she will have to log on again. Since the victim is on the banking site, s/he is less likely to be suspicious of the message and is likely to enter the login credentials into the popup window. This entry is then submitted to the attacker, who can gain unrestricted access to the victim's account.


As mentioned above, this attack can be detrimental to many unsuspecting users of the Internet and push the number of identity theft cases to a new high. The attack usually uses a flaw inside the JavaScript engine of many browsers, where a JavaScript function leaves a small but publicly accessible footprint of the sites the user is logged into; from there the attacker's software can identify the footprint and deliver a popup that seems legitimate. In order to protect yourself against these attacks, it is very important to:


    1. Always log out of banking or other sensitive websites before conducting any other browsing on the Internet.

    2. Keep the Java of your browser up to date. To check for Java updates, you may visit http://www.java.com

    3. Finally, all users should deploy security tools on their computers, and be very suspicious of any pop-ups from banking or sensitive websites that request your information.

January 9, 2009

CNN Gaza Trojan on the loose

According to researchers at RSA, a new password-stealing Trojan that disguises itself as a CNN video on the Gaza conflict is on the loose. The Trojan is spread through emails that promise the reader a compelling video on the Gaza conflict if the user clicks on a link. Once the user clicks on the link, s/he is prompted with a message asking the user to update his/her Adobe Flash Player in order to view the video. Once the user clicks on this prompt, the Trojan is downloaded and installed onto the user's computer. The Trojan attack emerged around 10:00 AM and is spreading rapidly, with about 1300 infections within 10 minutes.


The Trojan is designed to search the user's computer for SSL-related credentials, especially those used for online financial and banking accounts. Furthermore, the URL link in the message changes from email to email, which makes it much harder for security professionals to pinpoint and block the site. Some security researchers have also warned about possible variations of the attack, where other topics such as the economy, the inauguration, the auto industry, or anything else that may catch the user's eye could emerge as the "phishing hooks" to lure the user into downloading this Trojan. As a good practice, computer users should always be cautious when they receive an email from someone unknown or are not expecting an email from the sender. Red flags should always be raised when links within emails promise lucrative content or rewards.

ITRC 2008 Data Breach Report shows significant increase in data breaches

The Identity Theft Resource Center (ITRC) data breach report extracts data from multiple breach disclosure sources, and is one of the benchmark reports that addresses trends in information security. According to the 2008 ITRC data breach report, a shocking 656 data breaches were reported in 2008, which reflects a 47% increase from the 2007 figure of 446 data breaches. Out of all breaches, 86 incidents were related to colleges and universities alone. Some of these breaches involved as many as 2.1 million records, and data breaches occurred even at the most prominent universities, such as Harvard, Columbia and Stanford. Numerous universities in Virginia were also affected by data breaches involving tens of thousands of records. Considering the proportion of universities among all U.S. businesses, this figure is shockingly disproportionate. In the author's opinion, schools and universities must improve the ways they protect their affiliates' data.

December 11, 2008

IE7 0-Day Vulnerability Exploited in the Wild

According to numerous security sites and channels, a previously undisclosed vulnerability in Microsoft Internet Explorer 7 is being used to exploit computers attached to the Internet. The exploit is used to remotely install malware on an unsuspecting user's computer without the user's knowledge or approval. In order to be affected by the exploit, the user must first visit a website that has been compromised to deliver it. The scary thing is that any website can potentially be compromised in this way. As of this writing, Microsoft has not issued a patch against this exploit, and all users are highly advised to use an alternative browser, such as Mozilla Firefox, for the moment.

Technical Details:
The vulnerability is triggered by how Internet Explorer 7 processes certain crafted XML content. The current exploits observed in the wild use JavaScript to perform a browser heap spray before delivering the crafted XML content. Upon successful exploitation, a Windows executable is downloaded and run, which installs a backdoor on the user's machine. This backdoor can then be used to download other malicious software onto the machine. The most prominent malicious software downloaded through this exploit is a trojan capable of killing the antivirus software on the victim's machine. There is no word from Microsoft as to when a patch will be issued for this vulnerability. Stay tuned for more information.
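Until a patch ships, the heap-spray stage mentioned above is the part of these pages that a web proxy or gateway scanner can recognise, because a spray has to build a large block of escaped bytes and copy it many times before the crafted XML is ever reached. The Python below is an added example, not code from the original post or from any exploit: it scores a page on three textbook spray heuristics (a unicode-escaped blob, a string-doubling loop, and an array filled with copies). The two sample pages and the two-hit threshold are constructed assumptions.

```python
import re

# Constructed sample page fragments (not taken from the exploit the post
# describes). The first shows the three tell-tale steps of a JavaScript heap
# spray: a unicode-escaped byte blob, a string-doubling loop and an array
# filled with copies of it. The second is ordinary, harmless script.
SUSPICIOUS_PAGE = """\
<script>
var spray = unescape("%u0c0c%u0c0c");
while (spray.length < 0x100000) spray += spray;
var blocks = new Array();
for (var i = 0; i < 300; i++) blocks[i] = spray + "x";
</script>
"""

BENIGN_PAGE = """\
<script>
var name = unescape("John%20Doe");
var items = [];
for (var i = 0; i < 3; i++) items[i] = i * 2;
</script>
"""

HEAP_SPRAY_PATTERNS = [
    # unescape("%uXXXX%uXXXX...") with at least two 16-bit escapes in a row
    ("unescape_unicode_blob",
     re.compile(r'unescape\s*\(\s*["\'](?:%u[0-9a-fA-F]{4}){2,}')),
    # while (s.length < N) s += s;  -- grows one block to a large size
    ("string_doubling_loop",
     re.compile(r'while\s*\(\s*(\w+)\.length\s*<[^)]*\)\s*\{?\s*\1\s*\+=\s*\1\b')),
    # for (...) arr[i] = block + ...;  -- fills the heap with copies
    ("array_fill_with_concat",
     re.compile(r'for\s*\([^)]*\)\s*\{?\s*\w+\s*\[[^\]]*\]\s*=\s*\w+\s*\+')),
]


def heap_spray_indicators(page_text):
    """Return the names of the heuristics that fire on page_text, in order."""
    return [name for name, rx in HEAP_SPRAY_PATTERNS if rx.search(page_text)]


def looks_like_heap_spray(page_text, min_hits=2):
    """True when at least min_hits heuristics fire (assumed threshold)."""
    return len(heap_spray_indicators(page_text)) >= min_hits
```

A single hit is common in legitimate code (unescape alone is ordinary URL decoding), which is why the verdict requires two of the three patterns together.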