Archive

Archive for February, 2014

Malicious Proxy Auto-Config redirection

February 28th, 2014 No comments

Internet banking credentials are a desired target for cybercriminals. They can be targeted with man-in-the-middle attacks or through password stealing trojans such as Fareit, Zbot or Banker. A less known, yet commonly found in South America and to a lesser extent in Russia, method to gain unauthorized access to a user’s banking credentials is through malicious Proxy Auto-Config (PAC) files. Normally, PAC files offer similar functionality to the hosts file, allowing IP/website redirection, but only for the browser. Unfortunately, they can also be used for nefarious purposes.

When a user is infected with a malicious PAC and visits an internet banking website, the browser is usually redirected to a fake website that mimics the intended banking website. This may result in credentials being stolen – or worse, online account hijacking.

The most common infection scenario is shown in figure 1 below:

 

Common infection scenario 

Figure 1: A common PAC infection scenario

A user is infected through a drive-by attack or by other malware and a malicious PAC file is installed onto their computer. When the victim visits a targeted website, their browser is redirected to a fake website that will record their login details. The infection is silent, the user is not notified of the change in configuration (see figure 5).

Our telemetry shows the following country domains are the most targeted by malicious PAC files:

Infection telemtery 

Figure 2: Countries most targeted by malicious PACs

Analysis of the malicious PAC files show that cybercriminals target mostly banking websites in Brazil and Russia, but many attacks are not limited to just online banking entities. We have also seen malicious redirection against other payment methods, such as credit cards, e-mail providers, social networking websites, antivirus products and education institutions. Our TrojanProxy:JS/Banker.gen!A description has a detailed list of the targeted entities.

One important user mitigation comes directly through the browser. What a user would experience when browsing the real website is shown below:

browser unsecure 

Figure 3: Web page without PAC redirection

browser secure 

Figure 4: Web page with malicious PAC redirection

You can see above that the original website has an authenticated certificate and appears in a green address bar. The original website is also using HTTPS (secure communication).

Any PAC file installation (legit or otherwise) can be manually checked in Internet Explorer by opening the Tools menu, then selecting Internet Options, clicking the Connection tab, and selecting LAN Settings. If you see something similar to the following picture and you didn’t install a PAC file, then you might be infected. Keep in mind that the PAC file can also be installed from the internet (using a  http:// address), not only as a local file.

Pac installed 

Figure 5: LAN setting showing a PAC file installed

Deleting the file entry in “Use automatic configuration script” (or disabling it) and the local file referenced can help mitigate an attack.

In order to deal with these malicious PAC files we have added several detections, such as TrojanProxy:JS/Banker.AC and TrojanProxy:JS/Banker.gen!A, and we will continue adding detections for any malicious PAC files we find in the wild. To better protect yourself against these threats, we recommend installing an up-to-date real-time security product, such as Microsoft Security Essentials.

MMPC Munich

Categories: Uncategorized Tags:

MS14-009 – Important : Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2916607) – Version: 1.1

Severity Rating: Important
Revision Note: V1.1 (February 28, 2014): Bulletin revised to announce a detection change in the 2901128 update for Microsoft .NET Framework 4.5.1 on Windows 8.1 for 32-bit Systems, Microsoft .NET Framework 4.5.1 on Windows 8.1 for x64-based Systems, Microsoft .NET Framework 4.5.1 on Windows Server 2012 R2, and Microsoft .NET Framework 4.5.1 on Windows RT 8.1. This is a detection change only. There were no changes to the update files. Customers who have already successfully updated their systems do not need to take any action.
Summary: This security update resolves two publicly disclosed vulnerabilities and one privately reported vulnerability in Microsoft .NET Framework. The most severe vulnerability could allow elevation of privilege if a user visits a specially crafted website or a website containing specially crafted web content. In all cases, however, an attacker would have no way to force users to visit such websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or in an Instant Messenger message that takes them to the attacker’s website.

Categories: Uncategorized Tags:

MS14-007 – Critical : Vulnerability in Direct2D Could Allow Remote Code Execution (2912390) – Version: 1.1

Severity Rating: Critical
Revision Note: V1.1 (February 28, 2014): Bulletin revised to announce a detection change in the 2912390 update for Windows 8.1 for 32-bit Systems, Windows 8.1 for x64-based Systems, Windows RT 8.1, and Windows Server 2012 R2. This is a detection change only. There were no changes to the update files. Customers who have already successfully updated their systems do not need to take any action.
Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker would have no way to force users to view specially crafted content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to an attacker’s website, or by getting them to open an attachment sent through email.

Categories: Uncategorized Tags:

MS14-005 – Important : Vulnerability in Microsoft XML Core Services Could Allow Information Disclosure (2916036) – Version: 1.1

Severity Rating: Important
Revision Note: V1.1 (February 28, 2014): Bulletin revised to announce a detection change in the 2916036 update for Windows 8.1 for 32-bit Systems, Windows 8.1 for x64-based Systems, Windows Server 2012 R2, and Windows RT 8.1. This is a detection change only. There were no changes to the update files. Customers who have already successfully updated their systems do not need to take any action.
Summary: This security update resolves a publicly disclosed vulnerability in Microsoft XML Core Services included in Microsoft Windows. The vulnerability could allow information disclosure if a user views a specially crafted webpage using Internet Explorer. An attacker would have no way to force users to view specially crafted content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to an attacker’s website, or by getting them to open an attachment sent through email.

Categories: Uncategorized Tags:

MS13-098 – Critical : Vulnerability in Windows Could Allow Remote Code Execution (2893294) – Version: 1.3

Severity Rating: Critical
Revision Note: V1.3 (February 28, 2014): Bulletin revised to announce a detection change in the 2893294 update for Windows 8.1 for 32-bit Systems, Windows 8.1 for x64-based Systems, Windows RT 8.1, and Windows Server 2012 R2. This is a detection change only. There were no changes to the update files. Customers who have already successfully updated their systems do not need to take any action.
Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user or application runs or installs a specially crafted, signed portable executable (PE) file on an affected system.

Categories: Uncategorized Tags:

MS13-095 – Important : Vulnerability in Digital Signatures Could Allow Denial of Service (2868626) – Version: 1.1

Severity Rating: Important
Revision Note: V1.1 (February 28, 2014): Bulletin revised to announce a detection change in the 2868626 update for Windows 8.1 for 32-bit Systems, Windows 8.1 for x64-based Systems, Windows RT 8.1, and Windows Server 2012 R2. This is a detection change only. There were no changes to the update files. Customers who have already successfully updated their systems do not need to take any action.
Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service when an affected web service processes a specially crafted X.509 certificate.

Categories: Uncategorized Tags:

MS13-090 – Critical : Cumulative Security Update of ActiveX Kill Bits (2900986) – Version: 1.1

Severity Rating: Critical
Revision Note: V1.1 (February 28, 2014): Bulletin revised to announce a detection change in the 2900986 update for Windows 8.1 for 32-bit Systems, Windows 8.1 for x64-based Systems, Windows RT 8.1, and Windows Server 2012 R2. This is a detection change only. There were no changes to the update files. Customers who have already successfully updated their systems do not need to take any action.
Summary: This security update resolves a privately reported vulnerability that is currently being exploited. The vulnerability exists in the InformationCardSigninHelper Class ActiveX control. The vulnerability could allow remote code execution if a user views a specially crafted webpage with Internet Explorer, instantiating the ActiveX control. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Categories: Uncategorized Tags:

Microsoft Security Advisory (2862152): Vulnerability in DirectAccess and IPsec Could Allow Security Feature Bypass – Version: 1.1

Revision Note: V1.1 (February 28, 2014): Advisory revised to announce a detection change in the 2862152 update for Windows 8.1 for 32-bit Systems, Windows 8.1 for x64-based Systems, Windows Server 2012 R2, and Windows RT 8.1. This is a detection change only. There were no changes to the update files. Customers who have already successfully updated their systems do not need to take any action.
Summary: Microsoft is announcing the availability of an update for all supported releases of Windows to address a vulnerability in how server connections are authenticated to clients in either DirectAccess or IPsec site-to-site tunnels.

Categories: Uncategorized Tags:

2862152 – Vulnerability in DirectAccess and IPsec Could Allow Security Feature Bypass – Version: 1.1

Revision Note: V1.1 (February 28, 2014): Advisory revised to announce a detection change in the 2862152 update for Windows 8.1 for 32-bit Systems, Windows 8.1 for x64-based Systems, Windows Server 2012 R2, and Windows RT 8.1. This is a detection change only. There were no changes to the update files. Customers who have already successfully updated their systems do not need to take any action.
Summary: Microsoft is announcing the availability of an update for all supported releases of Windows to address a vulnerability in how server connections are authenticated to clients in either DirectAccess or IPsec site-to-site tunnels.

Categories: Uncategorized Tags:

MS14-009 – Important: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2916607) – Version: 1.1

Severity Rating: Important
Revision Note: V1.1 (February 28, 2014): Bulletin revised to announce a detection change in the 2901128 update for Microsoft .NET Framework 4.5.1 on Windows 8.1 for 32-bit Systems, Microsoft .NET Framework 4.5.1 on Windows 8.1 for x64-based Systems, Microsoft .NET Framework 4.5.1 on Windows Server 2012 R2, and Microsoft .NET Framework 4.5.1 on Windows RT 8.1. This is a detection change only. There were no changes to the update files. Customers who have already successfully updated their systems do not need to take any actioned.
Summary: This security update resolves two publicly disclosed vulnerabilities and one privately reported vulnerability in Microsoft .NET Framework. The most severe vulnerability could allow elevation of privilege if a user visits a specially crafted website or a website containing specially crafted web content. In all cases, however, an attacker would have no way to force users to visit such websites. Instead, an attacker would have to convince users to visit the compromised website, typically by getting them to click a link in an email message or in an Instant Messenger message that takes them to the attacker’s website.

Categories: Uncategorized Tags:

MS14-005 – Important: Vulnerability in Microsoft XML Core Services Could Allow Information Disclosure (2916036) – Version: 1.1

Severity Rating: Important
Revision Note: V1.1 (February 28, 2014): Bulletin revised to announce a detection change in the 2916036 update for Windows 8.1 for 32-bit Systems, Windows 8.1 for x64-based Systems, Windows Server 2012 R2, and Windows RT 8.1. This is a detection change only. There were no changes to the update files. Customers who have already successfully updated their systems do not need to take any action.
Summary: This security update resolves a publicly disclosed vulnerability in Microsoft XML Core Services included in Microsoft Windows. The vulnerability could allow information disclosure if a user views a specially crafted webpage using Internet Explorer. An attacker would have no way to force users to view specially crafted content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to an attacker’s website, or by getting them to open an attachment sent through email.

Categories: Uncategorized Tags:

MS14-007 – Critical: Vulnerability in Direct2D Could Allow Remote Code Execution (2912390) – Version: 1.1

Severity Rating: Critical
Revision Note: V1.1 (February 28, 2014): Bulletin revised to announce a detection change in the 2912390 update for Windows 8.1 for 32-bit Systems, Windows 8.1 for x64-based Systems, Windows RT 8.1, and Windows Server 2012 R2. This is a detection change only. There were no changes to the update files. Customers who have already successfully updated their systems do not need to take any action.
Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker would have no way to force users to view specially crafted content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to an attacker’s website, or by getting them to open an attachment sent through email.

Categories: Uncategorized Tags:

MS14-009 – Important: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege – Version: 1.1

Severity Rating: Important
Revision Note: V1.1 (February 28, 2014): Bulletin revised to announce a detection change in the 2901128 update for Microsoft .NET Framework 4.5.1 on Windows 8.1 for 32-bit Systems, Microsoft .NET Framework 4.5.1 on Windows 8.1 for x64-based Systems, Microsoft .NET Framework 4.5.1 on Windows Server 2012 R2, and Microsoft .NET Framework 4.5.1 on Windows RT 8.1. This is a detection change only. There were no changes to the update files. Customers who have already successfully updated their systems do not need to take any actioned.
Summary: This security update resolves two publicly disclosed vulnerabilities and one privately reported vulnerability in Microsoft .NET Framework. The most severe vulnerability could allow elevation of privilege if a user visits a specially crafted website or a website containing specially crafted web content. In all cases, however, an attacker would have no way to force users to visit such websites. Instead, an attacker would have to convince users to visit the compromised website, typically by getting them to click a link in an email message or in an Instant Messenger message that takes them to the attacker’s website.

Categories: Uncategorized Tags:

MS14-005 – Important: Vulnerability in Microsoft XML Core Services Could Allow Information Disclosure – Version: 1.1

Severity Rating: Important
Revision Note: V1.1 (February 28, 2014): Bulletin revised to announce a detection change in the 2916036 update for Windows 8.1 for 32-bit Systems, Windows 8.1 for x64-based Systems, Windows Server 2012 R2, and Windows RT 8.1. This is a detection change only. There were no changes to the update files. Customers who have already successfully updated their systems do not need to take any action.
Summary: This security update resolves a publicly disclosed vulnerability in Microsoft XML Core Services included in Microsoft Windows. The vulnerability could allow information disclosure if a user views a specially crafted webpage using Internet Explorer. An attacker would have no way to force users to view specially crafted content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to an attacker’s website, or by getting them to open an attachment sent through email.

Categories: Uncategorized Tags:

MS14-007 – Critical: Vulnerability in Direct2D Could Allow Remote Code Execution – Version: 1.1

Severity Rating: Critical
Revision Note: V1.1 (February 28, 2014): Bulletin revised to announce a detection change in the 2912390 update for Windows 8.1 for 32-bit Systems, Windows 8.1 for x64-based Systems, Windows RT 8.1, and Windows Server 2012 R2. This is a detection change only. There were no changes to the update files. Customers who have already successfully updated their systems do not need to take any action.
Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker would have no way to force users to view specially crafted content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to an attacker’s website, or by getting them to open an attachment sent through email.

Categories: Uncategorized Tags:

2862152 – Vulnerability in DirectAccess and IPsec Could Allow Security Feature Bypass – Version: 1.1

Revision Note: V1.1 (February 28, 2014): Advisory revised to announce a detection change in the 2862152 update for Windows 8.1 for 32-bit Systems, Windows 8.1 for x64-based Systems, Windows Server 2012 R2, and Windows RT 8.1. This is a detection change only. There were no changes to the update files. Customers who have already successfully updated their systems do not need to take any action.
Summary: Microsoft is announcing the availability of an update for all supported releases of Windows to address a vulnerability in how server connections are authenticated to clients in either DirectAccess or IPsec site-to-site tunnels.

Categories: Uncategorized Tags:

MS13-095 – Important: Vulnerability in Digital Signatures Could Allow Denial of Service – Version: 1.1

Severity Rating: Important
Revision Note: V1.1 (February 28, 2014): Bulletin revised to announce a detection change in the 2868626 update for Windows 8.1 for 32-bit Systems, Windows 8.1 for x64-based Systems, Windows RT 8.1, and Windows Server 2012 R2. This is a detection change only. There were no changes to the update files. Customers who have already successfully updated their systems do not need to take any action.
Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service when an affected web service processes a specially crafted X.509 certificate.

Categories: Uncategorized Tags:

MS13-090 – Critical: Cumulative Security Update of ActiveX Kill Bits – Version: 1.1

Severity Rating: Critical
Revision Note: V1.1 (February 28, 2014): Bulletin revised to announce a detection change in the 2900986 update for Windows 8.1 for 32-bit Systems, Windows 8.1 for x64-based Systems, Windows RT 8.1, and Windows Server 2012 R2. This is a detection change only. There were no changes to the update files. Customers who have already successfully updated their systems do not need to take any action.
Summary: This security update resolves a privately reported vulnerability that is currently being exploited. The vulnerability exists in the InformationCardSigninHelper Class ActiveX control. The vulnerability could allow remote code execution if a user views a specially crafted webpage with Internet Explorer, instantiating the ActiveX control. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Categories: Uncategorized Tags:

Vulnerability in Windows Could Allow Remote Code Execution – Version: 1.3

Severity Rating: Critical
Revision Note: V1.3 (February 28, 2014): Bulletin revised to announce a detection change in the 2893294 update for Windows 8.1 for 32-bit Systems, Windows 8.1 for x64-based Systems, Windows RT 8.1, and Windows Server 2012 R2. This is a detection change only. There were no changes to the update files. Customers who have already successfully updated their systems do not need to take any action.
Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user or application runs or installs a specially crafted, signed portable executable (PE) file on an affected system.

Categories: Uncategorized Tags:

Vulnerabilities in .NET Framework Could Allow Elevation of Privilege – Version: 1.1

Severity Rating: Important
Revision Note: V1.1 (February 28, 2014): Bulletin revised to announce a detection change in the 2901128 update for Microsoft .NET Framework 4.5.1 on Windows 8.1 for 32-bit Systems, Microsoft .NET Framework 4.5.1 on Windows 8.1 for x64-based Systems, Microsoft .NET Framework 4.5.1 on Windows Server 2012 R2, and Microsoft .NET Framework 4.5.1 on Windows RT 8.1. This is a detection change only. There were no changes to the update files. Customers who have already successfully updated their systems do not need to take any actioned.
Summary: This security update resolves two publicly disclosed vulnerabilities and one privately reported vulnerability in Microsoft .NET Framework. The most severe vulnerability could allow elevation of privilege if a user visits a specially crafted website or a website containing specially crafted web content. In all cases, however, an attacker would have no way to force users to visit such websites. Instead, an attacker would have to convince users to visit the compromised website, typically by getting them to click a link in an email message or in an Instant Messenger message that takes them to the attacker’s website.

Categories: Uncategorized Tags: