Archive for the ‘Java’ Category

Keeping Adobe Flash Player

Years ago, Java exploits were a primary attack vector for many attackers looking to infect systems, but more recently, Adobe Flash Player took that mantle.

After accounting for almost half of object detections during some quarters in 2014, Java applets on malicious pages decreased to negligible levels by the end of 2015, owing to a number of changes that have been made to both Java and Internet Explorer over the past two years.

In January 2014, the Java Runtime Environment was updated to require all applets running in browsers to be digitally signed by default. Later that year, Microsoft published updates for Internet Explorer versions 8 through 11 that began blocking out-of-date ActiveX controls. Windows 10’s default browser, Microsoft Edge, does not support Java or ActiveX at all, and other browsers such as Google’s Chrome and Mozilla’s Firefox are doing the same.

With defenses against Java attacks gaining the upper hand, Flash Player objects have become the most commonly detected threat hosted on malicious web pages by an overwhelming margin. This type of exploit has led the way in each of the past four quarters, from a low of 93.3 percent in the first quarter of 2015, to an all-time high of 99.2 percent last fall.

Adobe Flash

While this information may be unsettling for security teams whose web sites and applications rely on Flash functionality, it’s clearly an important piece of intelligence. Knowing where attackers are targeting their cyber threats makes it easier to plan mitigations to defend against malicious web pages. It also illustrates the importance of keeping your full technology stack – including Adobe Flash Player – updated. And fortunately, as with Java, modern browser mitigations are beginning to turn the tide against Flash exploits as well.

Both Internet Explorer 11 and Microsoft Edge on Windows 10 help mitigate many web-based attacks. For example, Internet Explorer 11 benefits from IExtension Validation, which can help defend against Adobe Flash malware.

Real-time security software can implement IExtension Validation to block ActiveX controls from loading malicious pages. When Internet Explorer loads a webpage that includes ActiveX controls, the browser calls the security software to scan the HTML and script content on the page before loading the controls themselves. If the security software determines that the page is malicious (for example, if it identifies the page as an exploit kit landing page), it can direct Internet Explorer to prevent individual controls or the entire page from loading.

For a thorough analysis of the state of malware in the latter half of 2015, take a look at our latest Security Intelligence Report. And for a high-level look at the top ten trends and stats that matter most to security professionals right now, be sure to download our 2016 Trends in Cybersecurity e-book.

Watch out for fake Java updates

January 28th, 2013 No comments

You may have seen reports about security alerts for Java recently. Java is a commonly used piece of software from Oracle, so there’s a good chance you have it installed on your computer. Cybercriminals often use fake virus alerts to lure you into buying fraudulent antivirus software. These alerts state that your computer or other device is at risk, but clicking a link in one of them could lead you to downloading malicious software.

In the case of the fake Java updates, cybercriminals are taking advantage of news about security vulnerabilities in Java and recommendations to update Java immediately. We agree that if you use Java on your device you should update it directly from the Oracle website:  

If you don’t, then it’s a good idea to uninstall older versions of Java and disable Java in your browser like you would for any unused software.

Java is just one piece of software that cybercriminals target. It’s important to keep all the software installed on your system up to date. For Microsoft software, you can use the Microsoft Update service.

If you think you have a virus, visit the Microsoft Security Support Center for assistance.  
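The advice above is to take Java updates only from the vendor’s own site. As an added illustration, not code from the original post or from Microsoft, the following check verifies that a download link’s host really belongs to the vendor rather than to a lookalike name. java.com and oracle.com are Oracle’s real sites; treating them as the only trusted sources, requiring HTTPS, and the sample links themselves are this example’s own assumptions.

```python
from urllib.parse import urlsplit

# Domains this example treats as legitimate sources for Java updates. java.com and
# oracle.com are Oracle's real sites; making them the only trusted sources, and
# requiring HTTPS, is this example's policy rather than something the post states.
TRUSTED_UPDATE_DOMAINS = ("java.com", "oracle.com")


def host_belongs_to(host, domain):
    """True only if host is the domain itself or a real subdomain of it.

    A substring test like `"oracle.com" in host` is the classic mistake: it also
    accepts lookalikes such as 'oracle.com.update-now.example' or 'notoracle.com'.
    """
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def is_trusted_update_url(url):
    """Accept only HTTPS links whose host belongs to a trusted vendor domain."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False
    host = parts.hostname or ""  # hostname drops any user@ prefix and :port
    return any(host_belongs_to(host, d) for d in TRUSTED_UPDATE_DOMAINS)


def audit_links(urls):
    """Map each link to its verdict so a whole lure message can be checked at once."""
    return {u: is_trusted_update_url(u) for u in urls}


# Constructed sample links of the kinds a fake "update now" message might carry,
# paired with the verdict each should receive.
SAMPLE_LINKS = {
    "https://www.java.com/download/": True,
    "https://www.oracle.com/java/technologies/downloads/": True,
    "http://www.java.com/download/": False,                        # right host, not HTTPS
    "https://java.com.security-update.example/update.exe": False,  # trusted name used as a prefix
    "https://www.java.com.evil.example/": False,                   # subdomain of the wrong domain
    "https://notoracle.com/java": False,                           # defeats a naive endswith("oracle.com")
    "https://java.com@evil.example/": False,                       # userinfo trick; real host is evil.example
    "https://java-update-alert.example/jre.exe": False,
}


if __name__ == "__main__":
    for link, verdict in audit_links(SAMPLE_LINKS).items():
        print(("trusted   " if verdict else "UNTRUSTED ") + link)
```

The two things worth noticing are that the host comparison is anchored on a leading dot rather than a substring match, and that `urlsplit(...).hostname` is used instead of the raw netloc, so a `user@` prefix cannot make a foreign host look like the vendor’s.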

Economies of scale: A perspective on cross-platform vulnerabilities

July 31st, 2012 No comments

A year ago, we published a blog post titled ‘Backdoor Olyx – is it malware on a mission for Mac?’. It explored the intriguing questions that lay behind this backdoor’s discovery, delivery and targets. We provided our observations and analysis, and suggested that this threat was used in a targeted attack against unknown victims. However, we found no clue at that time as to how the threat was installed on its targets – an important missing piece that we have continued to investigate over time.

As shown in the timeline below, a succession of related threats can be identified that share the same suggested attack tactic: exploiting known vulnerabilities in software to install a backdoor on the target.

Upon closer inspection of this event, we observed that this malicious code may be delivered via the web by exploiting Java vulnerabilities (CVE-2011-3544 and CVE-2012-0507). The second form of delivery we observed was via email attachment, where the malware distributors may attempt to take advantage of known Word document vulnerabilities (CVE-2010-3333) and the vulnerabilities resolved with the release of Microsoft Security Bulletin MS09-027. It is also important to point out that these vulnerabilities affect multiple platforms – in this case, both Windows and Mac.

This observation is limited to the samples we identified, acquired and processed; even so, it lets us recognize a trend we can describe as economies of scale in cross-platform vulnerabilities. This method of distribution allows attackers to maximize their capability across multiple platforms. Thus, regardless of a particular attacker’s motive, the value of and demand for these vulnerabilities is likely to persist – we know for a fact that the Java vulnerabilities CVE-2011-3544 and CVE-2012-0507 are widely used by cybercriminals in exploit kits such as Blacole/Blackhole.

Looking at this trend, we start to notice that the vulnerabilities in Java, Adobe PDF and Flash, and Microsoft Office documents listed in the table below may be used to target and attack multiple platforms. Note that these vulnerabilities have been patched; appropriate security updates for them have been released.

This highlights the importance of keeping security software up to date, and of ensuring that operating system and third-party security patches are installed soon after they become available, in order to reduce the risk of malware infection. This best practice should extend to all devices and platforms, especially those in large enterprise networks.

Methusela Cebrian Ferrer
MMPC Melbourne

New Interoperability Solutions for SQL Server 2012

March 22nd, 2012 No comments

I am excited to share some great news about how we are opening up the SQL Server data platform even further with expanded interoperability support through new tools that allow customers to modernize their infrastructure while maximizing existing investments and extending virtually any data anywhere.

The SQL Server team today introduced several tools that enable interoperability with SQL Server 2012.

These tools help developers to build secure, highly available and high performance applications for SQL Server in .NET, C/C++, Java and PHP, on-premises and in the cloud.

These new tools include a Microsoft SQL Server 2012 Native Client, a SQL Server ODBC Driver for Linux, backward compatibility with ADO.Net and the Microsoft JDBC Driver 4.0 and PHP Driver 3.0.

You can find more information on all this goodness on the SQL Server blog here.

Get gamed and rue the day…

October 26th, 2011 No comments

As we discussed last week, socially engineered threats are specially crafted threats designed to lure the eye and trick the mind – they look legitimate or benign, and in the worst case may take advantage of a trusted relationship by utilizing a compromised account or familiar website. Social engineering techniques may be used in isolation, but are often used by attackers in tandem with other types of exploit in order to perform the attacker’s real purpose – delivering the payload. What follows is a typical example that illustrates how attackers attempt to exploit both people and systems in order to achieve their goals.

Last month, Worm:Win32/Gamarue, a bot-controlled worm, was discovered as the payload of a series of browser hijacks and traffic redirects to malicious servers hosting and performing multiple browser-based exploit attacks. The initial trigger event was identified as shared content posted as a comment on a social networking site.

When users clicked on a link in a comment from a contact in order to see more information, they were first directed to another profile and then encouraged to click on another link. 

However, this second link directed affected users to malicious content that loaded a hidden iframe (detected as Exploit:JS/BlacoleRef.D, SHA1 8da25114758b2e3f454af0346ce7e716ac91c829). This iframe referenced an exploit server hosting a version of the ‘BlackHole’ exploit kit (detected as Exploit:JS/Mult.DJ, SHA1 4cba7b2385b7ee7a84992ddaf77aa6d85b72b5ce). The exploit server attempted to exploit multiple known vulnerabilities in the affected user’s browser until a successful compromise could be achieved. In our example, a malicious Java applet stored within a Java Archive (.JAR) (detected as Exploit:Java/CVE-2010-0840.FK, SHA1 87800737BF703002263E3DBA680E4EE9FE9CA5B0) was observed being loaded in browsers with a vulnerable version of the Java plugin enabled. This Java vulnerability allows an unsigned Java applet to gain elevated privileges and potentially have unrestricted access to the host system outside its “sandbox” environment. The final result? The installation of Worm:Win32/Gamarue.A (SHA1 427fa7d7aa1e4ee8a57516979711e11e59e51559). When it first appeared, this threat did not appear to be detected by any known scanners.

Figure 1 – Method of delivery for Worm:Win32/Gamarue.A
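The pre-load scan described for IExtensionValidation in the Flash Player post above, and the delivery chain in this post (a hidden iframe pointing at an exploit-kit server, then a Java applet pulled from a .jar), both come down to inspecting page markup for indicators before any control or plugin content runs. The following is an added example, not code from the original post or from Microsoft: a small HTML scanner that flags hidden iframes and Java applet/object tags and applies a simple allow/review/block policy. The sample page, its host names and the policy thresholds are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Constructed sample page for this example (hosts are placeholders). It mixes a
# benign embedded video frame with the indicators described in the post: a 1x1
# hidden iframe to an exploit-kit landing page and a Java applet pulled from a .jar.
SAMPLE_HTML = """
<html><body>
<p>Shared by a contact: click to see more</p>
<iframe src="https://video.example/embed/123" width="640" height="360"></iframe>
<iframe src="http://exploit-server.example/landing.php" width="1" height="1"
        style="visibility:hidden"></iframe>
<applet code="Main.class" archive="http://exploit-server.example/payload.jar"
        width="1" height="1"></applet>
<object type="application/x-java-applet" width="1" height="1">
  <param name="archive" value="http://exploit-server.example/x.jar">
</object>
</body></html>
"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _dim(value):
    """Parse an HTML length such as '1', '0px' or '100%' to an int (None if absent)."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def _is_hidden(attrs):
    """An iframe the user cannot see: hidden via CSS/attribute, or sized to 0-1 px."""
    if HIDDEN_STYLE.search(attrs.get("style", "")) or "hidden" in attrs:
        return True
    w, h = _dim(attrs.get("width")), _dim(attrs.get("height"))
    return w is not None and h is not None and (w <= 1 or h <= 1)


class LandingPageScanner(HTMLParser):
    """Collects indicators while parsing, i.e. before any plugin content would load."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (indicator kind, detail)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser already lowercases names
        if tag == "iframe" and _is_hidden(a):
            self.findings.append(("hidden_iframe", a.get("src", "")))
        elif tag == "applet":
            self.findings.append(("java_applet", a.get("archive") or a.get("code", "")))
        elif tag in ("object", "embed") and "java" in a.get("type", "").lower():
            self.findings.append(("java_object", a.get("data") or a.get("src", "")))
        elif tag == "param" and a.get("name", "").lower() == "archive" \
                and a.get("value", "").lower().endswith(".jar"):
            self.findings.append(("jar_param", a["value"]))


def scan_html(html):
    """Return the list of (kind, detail) indicators found in the page markup."""
    scanner = LandingPageScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def classify(findings):
    """Policy (this example's own): two or more distinct indicator kinds -> 'block',
    a single kind -> 'review', nothing -> 'allow'."""
    kinds = {kind for kind, _ in findings}
    if len(kinds) >= 2:
        return "block"
    return "review" if kinds else "allow"


if __name__ == "__main__":
    found = scan_html(SAMPLE_HTML)
    for kind, detail in found:
        print(f"{kind:14} {detail}")
    print("verdict:", classify(found))
```

On the sample page the scanner reports the hidden iframe, the applet’s .jar, the Java object and its archive parameter, and the policy returns “block”; the visible 640×360 video frame produces no finding. Because the decision is made from the markup alone, the same logic can run at the point IExtensionValidation describes, before the browser instantiates any control.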

A code fragment of this threat suggests that it may be a new bot called “Andromeda”. Similar to known bots such as Zeus and SpyEye, Andromeda is a modularized program whose functionality can be developed and supported using plug-ins. It is also sold via an underground forum, where pricing varies depending on the version of the bot, the number of domains utilized, and the purchaser’s plug-in development requirements.

The elaborate methods used to distribute this threat suggest that, along with being mindful of illegitimate attempts to convince you to perform particular actions and keeping your software updated, your choice of browser really matters. Microsoft recently launched a new website, YourBrowserMatters.org, which ranks your browser security from 0 to 4 and provides information on the risks involved in continuing to use older versions.

As always, we encourage you to stay safe online.

Methusela Cebrian Ferrer

MMPC

Microsoft Safety Scanner detects exploits du jour

May 25th, 2011 No comments

We recently updated the Microsoft Safety Scanner – a just-in-time, free cleanup tool. The new version adds support for 64-bit Windows systems and also allows the tool to be downloaded for use on non-networked systems, such as those behind an air gap, those within an ISP’s walled garden, and those where the infection has impaired internet connectivity. You can download the Microsoft Safety Scanner (MSS) at www.microsoft.com/security/scanner

Early results with this tool have been very positive, and we are actively reviewing telemetry from the customers who use it in order to better understand aspects of threat impact from specific malware families. In addition, we urge our customers to install security updates provided by Microsoft for our operating systems and applications, as well as those from other third-party applications and any security updates that may be provided by Internet service providers. Early telemetry gathered from the release of the Microsoft Safety Scanner echoes this consistent message.

During the first seven days of the MSS release, there were close to 420,000 downloads of the product, or 60,000 downloads per day. It cleaned 20,097 infected computers in total, for users who suspected their computers were infected and downloaded MSS to scan their machines. Kudos to these users for having security awareness.

Among the detections, 7 of the top 10 threats are files containing exploits for Java vulnerabilities such as CVE-2008-5353, CVE-2010-0094, CVE-2010-0840 and CVE-2009-3867. (For more information related to these exploits, see the blog post “Have you checked the Java?” by our colleague Holly Stewart.)

Below is a table detailing Microsoft Safety Scanner detections in the first seven days since its release:

Threat          Threat Count   Machine Count   Note
CVE-2008-5353          7,739           2,272   Java Exploit
CVE-2010-0840          5,387           2,785   Java Exploit
CVE-2010-0094          4,744           1,579   Java Exploit
OpenConnection         3,929           2,396   Java Exploit
OpenCandy              3,408           3,238   Adware
CVE-2009-3867          2,759           1,445   Java Exploit
Wimad                  1,658             637   Malicious Win Media File
Keygen                 1,287           1,234   Key Generator Hacking Tool
Mesdeh                 1,156             714   Java Exploit
OpenStream             1,125             759   Java Exploit

Of course, many of these detections by MSS are the debris or aftermath of an exploit that has already executed. By the time a user downloads and runs MSS to detect malware, the machine may already have been infected, if it was vulnerable to the exploit at the time. For example, aside from additional malicious Java code detections, the following active threats were also reported on machines found to be infected by Exploit:Java/CVE-2008-5353 on April 15, 2011:

Threat        Percentage of machines where MSS also     Note
              detected Exploit:Java/CVE-2008-5353
Alureon       7.3%                                      Rootkit Data Stealing Trojan
Zwangi        6.0%                                      Browser Modifier
Winwebsec     5.7%                                      Rogue
Hotbar        5.4%                                      Adware
ClickPotato   5.4%                                      Adware
FakeRean      5.3%                                      Rogue
Renos         4.6%                                      Rogue Downloader
FakeSpypro    4.3%                                      Rogue
Obfuscator    4.3%                                      Encrypted Threat
Hiloti        3.6%                                      Downloader

On average, MSS detected 3.5 threats on each of the infected computers.

Threat Count   Infected Machine Count   Threats Per Infected Machine
      69,858                   20,097                            3.5

This won’t surprise you if you have read our newly published Security Intelligence Report (SIR). For example, in the exploit section, the data shows the uptake of Java exploits in 2010:

Exploits detected by Microsoft desktop antimalware products in 2010, by targeted platform or technology

If you are one of these users, we encourage you to apply security updates from Microsoft (and from the ISVs where applicable). In addition, take care and protect your Internet activities. Install antimalware security software such as Microsoft Security Essentials (or other AVs) to protect your computers proactively using real-time scanning technology.

We want to give a special thanks to Holly Stewart for her assistance in this post.

 

— Scott Wu & Joe Faulhaber, MMPC