The security of an Windows machine has multiple lines of defense like a fortress and not surprisingly the first line of defense is our Internet browsers which are built with the security in mind. But, there was not yet produced a bullet proof computer program, although it becomes harder and harder to exploit an operating system or specific program vulnerability because the security patches are made available to the users quicker than before, this practice is widely used by the attackers and the browsers and their space are very often the “gate” for all kind of malware.
First, at browser level are running a lot of third-party technologies aimed to made the websites visitors experience as pleasant as possible. Without help of Java applets and scripts, Adobe Flash Player, Apple QuickTime plugin, your browser act more like a text based browser and offers visitors a deteriorated web experience. A complicated car using a lot of electronics and life improvements has more chances to have something broken than a simple car, the same is in the computers world where the use of multiple technologies that interact with the web has its disadvantages: it gives to the hackers a wider front for attack.
Of course the safest browsers are those text based or with active content disabled(see NoScript add-on for Firefox) but how many are using them? Security vulnerabilities in computer programs are discovered everyday, take a look if you want to Bugtraq , which is an archive with the latest known programs vulnerabilites online since 1993. Bugtraq uses an electronic mailing list to keep the subscribers informed about all the discovered vulnerabilites, methods to prevent exploitation, vendors announcements regarding the computer security and so on.
Another archive related to security vulnerabilities can be found at: http://isc.sans.org/diaryarchive.html.
Each vulnerability poses a high potential risk allowing a lot of destructive things happen in the computer as remote code execution, alteration of computer default security settings rising the probability of a computer infection with nasty trojans. A good example of security vulnerabilites exploitation with malicious purposes is the proliferation of banking trojans. In 2010 the number of attacks against the russian banks using banking trojans was double compared to 2009 and constitute 95% from all forms of attacks.
There were reports saying that Carberp, the well-known banking trojan is the actor of millions of dollars thefts from the banks in several countries: Russia, Ukraine, United States, Spain. Win32/RDPdoor, another trojan uses Microsoft Remote Desktop for its nefarious actions and Win32/Sheldor is exploiting the TeamViewer computer application for its own malicious connections with the Command and Control server. Using Win32/Sheldor banking trojan a malicious group from Russia stole $600 000 in a single transaction. These trojans are sold by their creators with prices varying from $2000 for Win32/RDPdoor and as high as $9000 for Carberp banking trojan, of course it’s about new undetected versions of them. In fact, shares of cybercriminals living in Russia are extimated to increase to 1.8 billions dollars from 1.3 billions in 2010. Statistics says that with 2.5 billions of dollars stolen– 36% of global crime, the russian space is a leader in cyber crime.
One of the most used method to infect computers with these devilish trojans is the use of exploit kits. These are packs of scripts uploaded to hacked servers or hosted on malicious domains that are able to scan silently the visitors computer, find the security vulnerabilities and exploit them if are found. The final result can be a computer infection with a banking trojan leaving the unconscious victim with an empty bank account. The cyber crime is very well organized but not only in Russia, just everywhere where the easy money is an attraction for unscrupulous specimens.
There are groups focused on discovering security vulnerabilities, groups focused on programming stealth trojans and hacking tools and groups focused on malware distribution most likely affiliate programs, they are paid depending of how many computer infections with a specific trojan they produced. We can talk about a whole industry very well organized and why not to say, profitable for a few sinister groups of attackers.
For example, these days a hacking group asks for $20 per 1000 infected computers. A few names for exploits kits are : Impact Exploit Kit, Phoenix Exploit Kit, Blackhole Exploit Kit, Eleonore Exploit Pack, LuckySploit(used to infect computers with Zeus banking trojan), Neosploit and so on. For example, the new version of Phoenix Exploit Kit uses the next security vulnerabilties(or exploits) for its operations :
- -Java for Business JRE Trusted Method Chaining Remote Code Execution Vulnerability – CVE-2010-0840
- -Windows Help and Support Center Protocol Handler Vulnerability – CVE-2010-1885
- -Integer overflow in the AVM2 abcFile parser in Adobe Flash Player – CVE-2009-1869
- -Integer overflow in Adobe Flash Player 9 – CVE-2007-0071
- -IEPeers Remote Code Execution – CVE-2009-0806
- -Internet Explorer Recursive CSS Import Vulnerability – CVE-2010-3971
- -PDF Exploit – collab. collectEmailInfo – CVE-2007-5659
- -PDF Exploit – util.printf – CVE-2008-2992
- -PDF Exploit – collab.geticon – CVE-2009-0927
- -PDF Exploit – doc.media.newPlayer – CVE-2009-4324
- -PDF Exploit – LibTIFF Integer Overflow – CVE-2010-0188
Here is the control panel of Phoenix Exploit Kit :
The attackers use several methods to redirect visitors to malicious domains containing these kind of exploits:
- -Use of trojan viruses
- -Poisoning search engines results (as example poisoning Google Images search results)
- -Hacking legitim websites and inserting malicious code in webpages leading to undesirable browser redirects
- -Posting links on dubious websites
- -Spreading links with irresistible titles(scams) on social networks(Facebook, Twitter..)
The majority of these exploits can be avoided always updating your software but not only you antivirus, an updated browser, using the latest version of Java or Adobe Flash Player have the same importance.
If you want to learn more about applications security vulnerabilities, you can check Metasploit Framework, a free penetration testing-“pentests” platform used mainly to identify the possible security vulnerabilities a computer system poses. As a quick solution to identify the outdated software you may use and possible security holes is advisable to use this site :
http://secunia.com/vulnerability_scanning/online/?task=intro
If the reports generated by these websites recommend to upgrade specific software, the do so as soon as possible to prevent future computer virus infections and even financial loses.
Keep safe !
Leave a Reply