13 Dec Loophole in Safari Vyacheslav Zakorzhevsky
12 Dec Forecasts for 2014 – expert opinion GReAT
11 Dec The inevitable move - 64-bit ZeuS has come enhanced with Tor Dmitry Tarakanov
10 Dec Microsoft Updates December 2013 - Patching Critical 0day Exploited in the Wild Kurt Baumgartner
05 Dec Corporate threats in 2013 - the expert opinion GReAT
Join our blog
You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.
In our search for various types of malicious code for Mac we recently came across a rather interesting peculiarity in Safari. It turns out that Safari for Mac OS, like many other contemporary browsers, can restore the previous browsing session. In other words, all the sites that were open in the previous session – even those that required authorization – can be restored in a few simple steps when the browser is launched. Convenient? Of course. Safe? No, unfortunately.
So that the browser knows what was open at the end of the previous session, the relevant information needs to be stored somewhere. Obviously, that needs to be somewhere that isn’t easily accessible to just anybody, and the information definitely needs to be encrypted.
Safari, however, doesn’t encrypt previous sessions and stores them in a standard plist file that is freely accessible. As a result, it’s easy to find a user’s login credentials:
It’s pretty clear that the login and password are not encrypted (see the red oval in the screenshot).
The complete authorized session on the site is saved in the plist file in full view despite the use of https. The file itself is located in a hidden folder, but is available for anyone to read.
The system can easily open a plist file. It stores information about the saved session – including http requests encrypted using a simple Base64 encoding algorithm – in a structured format.
There is a function in Safari – ‘Reopen All Windows from Last Session’ – that allows sites to be opened exactly as they were at the end of the previous session. This is the function that uses LastSession.plist.
The function is available in the following versions of Mac OS X and Safari:
You can just imagine what would happen if cybercriminals or a malicious program got access to the LastSession.plist file on a system where the user logs in to Facebook, Twitter, LinkedIn or their online bank account.
As far as we are concerned, storing unencrypted confidential information with unrestricted access is a major security flaw that gives malicious users the opportunity to steal user data with a minimum of effort.
We have informed Apple about the problem.
At the current time we can’t confirm whether or not there is malicious code out there that targets this file, but we’re ready to bet that it won’t be long before it appears.
In 2014 we expect significant growth in the number of threats related to economic and domestic cyber-espionage, with cyber-mercenaries/cyber-detectives playing an active role in such attacks.
The full report is available here
The more people switch to 64-bit platforms, the more 64-bit malware appears. We have been following this process for several years now. The more people work on 64-bit platforms, the more 64-bit applications that are developed as well. Sometimes these include some very specific applications, for example, banking applications.... If someone wants to hack into an application like this and steal information, the best tool for that would also be a 64-bit agent. And whatís the most notorious banking malware? ZeuS, of course Ė the trendsetter for the majority of todayís banking malware. Its web injects have become a fundamental must-have feature of almost every banking malware family. And it was only a matter of time until a 64-bit version of ZeuS appeared Ė but we didnít expect it to happen quite so soon.
Thatís because cybercriminals donít actually need a 64-bit version. ZeuS is mostly intended to intercept data passing through browsers, and modify that data allowing the operator to steal information related to online banking, to wire transactions or to cover his tracks. But nowadays people still use 32-bit browsers Ė even on 64-bit operating systems. So, 32-bit versions of ZeuS have been sufficient to keep the thieves satisfied with their earnings.
Then, out of the blue, we spotted a 32-bit ZeuS sample maintaining a 64-bit version inside. And itís turned out that this 64-bit version has already been recorded being present in the wild at least since June, 2013 and compilation date specified in the sample is April 29, 2013! Moreover, this ZeuS version works via Tor. The initial 32-bit sample injects malicious code into target processes. If the target process belongs to a 64-bit application, ZeuS injects its 64-bit version into the process; otherwise, it pushes the 32-bit version. We ran tests to see how the 64-bit ZeuS works inside a 64-bit Internet Explorer and it demonstrated the usual ZeuS functionality: in any case, the web injects functioned as usual.
This month Adobe's realing fixes for both Flash Player and Shockwave.
The vulnerabilies for Flash Player affect all platforms and concern two CVEs - CVE-2013-5331 and CVE-2013-5332, which both allow for remote code execution. Eploitation of CVE-2013-5331 using Microsoft Word as a leverage mechanism has been observed in the wild. Though Flash 11.6 introduced Click-to-Play for Office, users may still be socially engineered into running Flash content in Office documents. Make sure to apply this patch promptly.
Eight Microsoft Security Bulletins are being pushed out this month, MS13-096 through MS13-106. Five of them are rated "Critical" and another six are rated "Important". The top priorities to roll out this month are the critical GDI+ (MS13-096), Internet Explorer (MS13-097), and Scripting Runtime (MS13-099) updates.
Several of the vulnerabilities have been actively exploited as a part of targeted attacks around the world, and one of them is known to be ItW for at least six months or so.
The GDI+ update patches memory corruption vulnerability CVE-2013-3906, which we have been detecting as Exploit.Win32.CVE-2013-3906.a. We have seen a low number of ITW variations on exploitation of this vulnerability as a malformed TIFF file, all dropping backdoors like Citadel, the BlackEnergy bot, PlugX, Taidoor, Janicab, Solar, and Hannover. The target profile and toolset distribution related to these exploit attempts suggest a broad array of likely threat actors that got their hands on it since this July, and a wide reaching distribution chain that provided the exploit around the world. Considering the variety of uses and sources, this one may replace cve-2012-0158 as a part of targeted attacks in terms of overall volume.
The Internet Explorer Bulletin fixes seven different elevation of privilege and memory corruption vulnerabilities, any one of which effects Internet Explorer 6 on Windows XP SP 3 through Internet Explorer 11 on Windows Server 2012 R2 and Windows RT 8.1. We expect to see exploits for some of these vulnerabilities included in commodity exploit packs.
Finally, another critical vulnerability exists in the Windows Scripting Engine as yet another "use after free", which unfortunately enables remote code execution across every version of Windows out there and can be attacked via any of the common web browsers. Patch!
This post will likely be updated later today, but in the meantime, more about this month's patches can be found at the Microsoft site.
Companies are increasingly falling victim to cyber-attacks. According to a recent survey conducted by Kaspersky Lab and B2B International, 9% of the organizations polled were the victims of targeted attacks - carefully planned activity aimed at infecting the network infrastructure of specific organization. The extensive use of digital devices in business has created ideal conditions for cyber-espionage and the deployment of malware capable of stealing corporate data.
The full report is available here.
Spammers actively spread malware using fake notifications on behalf of various financial and banking institutions, booking and delivery services and other companies. The arsenal of tricks used by cybercriminals is constantly being updated. In particular, in recent years we have registered a number of English- and German-language mass mailings in which the attackers try to hide malware under photos and pictures.
In October, the attackers sent out fake notifications claiming to be from T-Mobile, a telecoms operator in Germany, which told users that they had received an MMS. To make the email look legitimate, the sender address contained the official company domain although the email itself was sent from a different address. The body of the email included a contact phone number for sender of the MMS and some general information related to sending and receiving multimedia messages.
The supposed photo named ‘23-10-2013 13_64_09.jpeg.exe’ was not in the body of the email but in the attached archive ’23-10-2013 43_69_10.zip’. The scammers used the popular JPEG image file format in the name of the malicious file in the hope that it would convince recipients that the archive did in fact contain the photo. However, alert users would notice that the file extension is really .exe. This executable file is detected by Kaspersky Lab as Backdoor.Win32.Androm. This bot program allows the fraudsters to remotely execute commands on the infected computer, for example, downloading and running other malware without the owner's knowledge.
Last week, Kaspersky Lab identified a mass mailing of phishing letters sent in the name of leading IT security providers. The messages we detected used the product and service names belonging to Kaspersky Lab, McAfee, ESET NOD32 and many others.
The text and general layout of each letter followed the same template; only the senders’ names and the IT security solutions mentioned in the text were different. In their messages, the cybercriminals invited the reader to install an important security update for his/her security solution to guarantee protection against a new piece of malware supposedly ravaging the web. To do so, the user simply needed to open the attached ZIP archive and launch the executable file in it. Not surprisingly, the writers urged their victims to act immediately rather than spend time thinking about who might be behind this sudden urgent letter.
Once again, it's time for us to deliver our customary retrospective of the key events that have defined the threat landscape in 2013. Let's start by looking back at the things we thought would shape the year ahead, based on the trends we observed in the previous year.
The full report is available here.
Itís december. While itís getting colder and people prepare and shop for christmas, here in Bergen, a city in Norway, experts from several countries come together talking about Passwords Ė something youíre using while buying christmas presents online for example Ė at the PasswordsCon. This one held at the University of Bergen in the Auditorium Pi.