Update on compromised adservers serving malware (eWeek/other Ziff Davis Enterprise sites)

Websense reports the recent eWeek PDF attack via adservers took no user interaction.

eWeek.com is the online version of the popular business computing magazine.

When users browse to the home page of eWeek, a malvertisement hosted on the DoubleClick advertisement network performs a redirect to a malicious Web site through a series of iframes. This causes a redirect to one of two files on hxxp://[removed]inside.com/

Either a pdf document containing exploit code is served, or index.php redirects to the rogue ad-server.

With no user interaction, a file named "winratit.exe" (MD5: A12DA1D62B7335CBE6D6EA270247BBC1) is installed in the user's temporary files folder. Two additional files are dropped onto the user's machine and are bound to startup. The host file is also modified so that if the user tries to browse to popular software download sites to remedy the infected machine, s/he is instead directed to a malicious Web site offering further rogue AV downloads.

The name of the rogue AV application is Anti-Virus-1. If the user chooses to register the rogue AV, a connection is made to hxxp://[removed]-site.info/ which has been setup to collect payment details.

Security4all says this isn't the recent 0-day Adobe Reader PDF exploit also served by compromised adservers, but a previous one reported last November. This attack hit eWeek and other Ziff Davis Enterprise site ad servers this week. The goal of this attack is to install fake antivirus software.

Microsoft released a patch to correct the "disable autorun registry key" enforcement.

The details can be found at this link: http://support.microsoft.com/kb/967715

This patch is in response to the Jan. 20 US Cert advisory that Microsoft Windows does not disable AutoRun properly.

The Conficker worm spreads via autorun and many other pieces of malware spread via autorun. Disabling autorun is a first line of defense against these sorts of attacks.

Google, DoubleClick and Akamai hosting malware

I received word yesterday via various sources that Google and DoubleClick are serving malware via ads.

Here's the Google diagnostic page for DoubleClick.net:

Of the 230717 pages we tested on the site over the past 90 days, 24 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-02-25, and the last time suspicious content was found on this site was on 2009-02-24.

Malicious software includes 25 scripting exploit(s), 13 trojan(s), 8 adware(s). Successful infection resulted in an average of 9 new processes on the target machine.

Malicious software is hosted on 7 domain(s), including auctlva.com/, advancedantivirusproscan.com/, liteantivirusproscan.com/.

3 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including fitnessfactory.com/, me9x.cn/, www-union.com/.

This site was hosted on 22 network(s) including AS15169 (GOOGLE), AS6432 (DOUBLELCICK), AS20940 (AKAMAI).

Maybe it's time to block all ads in our environments.

OS X , iPhone, and malformed JBIG2 streams

SANS Internet Storm Center has an interesting look at the recent Adobe 0-day and platforms most of us assume are safe: OS X, iPhone, and Linux.

The current version of the post shows some concerning results when viewing PDFs with a malformed JBIG2 streams with OS X and iPhone PDF viewers.

SANS promise Linux results soon.

Attackers using unpatched Acrobat flaw for spearphishing

Security Focus reported yesterday that attackers are using an unpatched Acrobat flaw to target high-ranking people including CEO's. The exploit reported last week is still a 0-day since Adobe is yet to release a patch.

The best defense is not to open PDFs from unknown sources.

Symantec and ZDNet report a new Excel 0-day

ZDNet reported yesterday that Symantec has discovered a remote code-execution vulnerability in Excel 2007 and Excel 2007 SP1. It looks like it is being actively exploited in the wild by a variant of the Mdropper trojan. Attackers can exploit this issue by tricking victims into opening a maliciously crafted Excel file.

The only defense at this point is not to open Excel files unless you trust the source.

CA says the souce of Virut for some infections might have been MySpace

The CA Security Advisor Research Blog says a new infectious version of Virut might have come from MySpace. This blog post is the best technical analysis of Virut, also called Virux by Trend Micro, I've seen. I've posted a number of other bookmarks for information on Virut/Virux on delicious.

There really should be a common naming scheme for viruses and worms. Virux has a number of different names depending on the antivirus vendor: Symantec call it W32.Virut.CF, McAfee calls it W32/Virut.n, Sophos calls it W32/Scribble-A, Microsoft calls it Virus:Win32/Virut.BM, and Trend Mirco calls it Virux. Could this be any more confusing for IT folks and IT security professionals, not to mention non-technical managers?

By the way, it should be noted that Virux is also a Linux distro.

Adobe Zero-Day, Symantec says they've got it covered

SANS Internet Storm Center and Shadowserver report Adobe Arobat 0-day in the wild. Our friends over at Symantec say they've got our back. Estimated time for Adobe to patch is a couple of weeks.

Larry Pesce over at PaulDotCom has an interesting post on how to use metadata as a tool for secuity for auditing this zero-day exploit. He also points out that this problem affects not only Adobe Reader, but also Adobe Standard, Abode Pro, and Adobe Pro Extended releases of versions 7, 8, and 9.