Archive for June, 2012

Email-Based Malware Attacks

June 22, 2012

Nearly every time I write about a small- to mid-sized business that has lost hundreds of thousands of dollars after falling victim to a malicious software attack, readers want to know how the perpetrators broke through the victim organization’s defenses, and which type of malware paved the way. Normally, victim companies don’t know or disclose that information, so to get a better idea, I’ve put together a profile of the top email-based malware attacks for each day over the past month.

Top malware email attacks in past 30 days. Source: UAB

This data draws from daily reports compiled by the computer forensics and security management students at the University of Alabama at Birmingham. The UAB reports track the top email-based threats from each day, and include information about the spoofed brand or lure, the method of delivering the malware, and links to Virustotal.com, which show the percentage of antivirus products that detected the malware as hostile.

As the chart above indicates, attackers are switching the lure or spoofed brand quite often, but popular choices include Amazon.com, the Better Business Bureau, DHL, Facebook, LinkedIn, PayPal, Twitter and Verizon Wireless.

Also noticeable is the lack of antivirus detection on most of these password-stealing and remote-control Trojans. The average detection rate for these samples was 24.47 percent, while the median detection rate was just 19 percent. This means that if you click a malicious link or open an attachment in one of these emails, there is less than a one-in-five chance your antivirus software will detect it as bad.

According to UAB, about two-thirds of the top email-based malware attacks in the past month have used exploit kits, and most frequently that kit was BlackHole. Exploit kits are made to be sewn into the fabric of hacked or malicious sites, so that visiting Web browsers are checked for close to a dozen outdated plugins; any insecure plugins found can be used to silently install malicious software on the vulnerable machine.

It’s not hard to see why so many small to mid-sized organizations get hit with these attacks. When the malware slips past their antivirus, it is often just a question of whether the organization has someone or something in place that is vigilant about applying security updates for things like Flash, Java, Adobe Reader and a host of other programs that hook into the browser.

This is why I continuously implore small business owners to bank online using only a dedicated system that is carefully maintained and not used for anything other than transacting with the bank’s Web site. For those who don’t have a spare computer handy, a Live CD version of Linux may be the best way to go.

If anyone wants to view the spreadsheet above in a downloadable format, here is a PDF version of it.

Apple, Oracle Ship Java Security Updates

June 13, 2012

There must have been some rare planetary alignment yesterday, because the oddest thing happened: Apple and Oracle both shipped software updates for the same Java security flaws on the very same day.

I’ve taken Apple to task several times for its unacceptable delays in patching Java vulnerabilities. Oracle is the official producer of Java, but Apple maintains its own version, and it has consistently lagged months behind Oracle in fixing security bugs. This failure on Apple’s part finally caught up with Mac OS X users earlier this year and turned into a major embarrassment for Apple, when the Flashback malware infected more than 650,000 Mac systems using a vulnerability that Oracle (but not Apple) had patched roughly two months earlier.

Well, it seems that Apple learned a thing or two from that incident. The updates Oracle released yesterday, Java 6 Update 33 and Java 7 Update 5, fix at least 14 security flaws in the oft-attacked software that is installed on more than three billion devices worldwide. Apple’s Java update brings Java on the Mac to 1.6.0_33, and patches 11 of the 14 security vulnerabilities that Oracle fixed in Tuesday’s release. It’s unclear whether those other three flaws simply don’t exist in the Mac version of Java, but we’ll take progress where we can get it.

Regardless of which operating system you use, if you have Java installed, I would advise you to update it, neuter it or remove it as soon as possible. The reason I say this is that Java requires constant patching, and it appears to be the favorite target of attackers these days.

Windows users can find out if they have Java installed and which version by visiting java.com and clicking the “Do I have Java?” link. Mac users can use the Software Update feature to check for any available Java updates.

If you primarily use Java because some Web site or program you have on your system — such as OpenOffice or Freemind — requires it, you can still dramatically reduce the risk from Java attacks just by disabling the plugin in your Web browser. In this case, I would suggest a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox (from the Add-ons menu, click Plugins and then disable anything Java related, and restart the browser), and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site that requires it.
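To confirm that the everyday browser in this two-browser setup really exposes no Java to web pages, here is a small check written for this post (an added example, not the author's code): `javaExposure` and `findJavaPlugins` are names chosen here, and the plugin list in `sampleNavigator` is constructed to stand in for `window.navigator`.

```javascript
// Added example: report whether the Java plugin is visible to web pages.
// Run javaExposure(window.navigator) in the browser console after disabling
// the plugin; a result of exposed === false means the mitigation took effect.

function findJavaPlugins(plugins) {
  // Match on name or description, because vendors label the plugin differently
  // ("Java(TM) Platform SE", "Java Applet Plug-in", "Java Deployment Toolkit").
  const hits = [];
  for (const p of plugins) {
    const text = `${p.name || ""} ${p.description || ""}`;
    if (/java/i.test(text)) hits.push(p.name);
  }
  return hits;
}

function javaExposure(nav) {
  // nav is a navigator-like object; returns a summary the user can act on.
  const plugins = nav.plugins ? Array.from(nav.plugins) : [];
  const javaPlugins = findJavaPlugins(plugins);
  // navigator.javaEnabled() reflects the browser's own Java switch, which can
  // disagree with the plugin list, so both signals are checked.
  const javaEnabled = typeof nav.javaEnabled === "function" ? nav.javaEnabled() : false;
  return { exposed: javaPlugins.length > 0 || javaEnabled, plugins: javaPlugins };
}

// Constructed sample standing in for window.navigator in a browser where the
// Java plugin is still active next to Flash (not captured from a real system).
const sampleNavigator = {
  plugins: [
    { name: "Shockwave Flash", description: "Shockwave Flash plug-in" },
    { name: "Java(TM) Platform SE 6 U33", description: "Next Generation Java Plug-in" },
    { name: "Java Deployment Toolkit", description: "Java deployment helper" },
  ],
  javaEnabled: () => true,
};

if (typeof navigator !== "undefined") {
  console.log(javaExposure(navigator));      // real browser
} else {
  console.log(javaExposure(sampleNavigator)); // offline run against the sample
}
```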

Apple stopped bundling Java by default in OS X 10.7 (Lion); instead, it offers instructions for downloading and installing the software framework when users access webpages that use it. The latest iteration of Java for OS X configures the Java browser plugin and Java Web Start to be deactivated if they remain unused for 35 days.

Microsoft Patches 26 Flaws, Warns of Zero-Day Attack

June 12, 2012

Microsoft today released updates to plug at least 26 separate security holes in its Windows operating systems and related software. At the same time, Microsoft has issued a stopgap fix for a newly-discovered flaw that attackers are actively exploiting.

The security fixes are included in seven security patch bundles, three of which earned Microsoft’s most dire “critical” label, signifying that attackers can exploit them without any help on the part of the user. Redmond patched vulnerabilities in Windows, Internet Explorer, Dynamics AX, Microsoft Lync (Microsoft’s enterprise instant messaging software), and the Microsoft .NET Framework.

Microsoft called out two patches as particularly important: the Internet Explorer bundle (MS12-037), which addresses 13 issues; and a critical flaw in the Windows remote desktop protocol (RDP). Updates are available for all supported versions of Windows, via Windows Update or Automatic Update.

In a separate advisory published today, Microsoft warned that it is aware of active attacks that leverage a vulnerability in Microsoft XML Core Services 3.0, 4.0, 5.0 and 6.0. This is a browse-and-get-owned flaw that can be triggered when an Internet Explorer user on any supported version of Windows visits a specially crafted Web page. Microsoft does not have an official patch available yet for this flaw, but it has issued a FixIt tool workaround that effectively disables the vulnerable component. The vulnerability was discovered by Google, which said it saw the flaw being exploited in the wild in targeted attacks.

A summary of the patches released today — with links to the individual patch advisories — is available here. As always, if you experience any issues applying these patches, please sound off in the comments below.

Firefox 13 Now Available

June 4, 2012

With a New Start Page, Lots of Speed Improvements

Windows/Mac/Linux: If you’ve been frustrated with Firefox’s slowness lately, you may want to check out the newest version, which brings in a number of speed boosts as well as a new start page for quick access to all your most-visited sites.

One of the biggest speed boosts comes from Firefox’s new method for managing tabs. When you first start up the browser, it will only load your pinned tabs and the one you’re currently viewing. It will then load other tabs as you click on them, saving the browser from slowing down when you first start it up (much like the popular BarTab extension). It has also implemented the SPDY protocol, which is a big performance booster for some sites, along with other memory management and speed-boosting tweaks.

Lastly, Firefox 13 also includes a new “Speed Dial”-style new tab page that shows you your most visited sites, which you can “pin” to the page for easy access. Firefox 13 also includes the new Firefox Reset feature to help you troubleshoot problematic installations. It hasn’t been officially announced by Mozilla yet, but you can download it from their servers by clicking the links on Download Crew’s page below. If you want to wait for the official release and release notes, you can check back on Mozilla’s site tomorrow, or just wait for Firefox to update automatically.

Firefox 13 download