A whole bunch of Windows applications is vulnerable to a so-called binary-planting attack which allows for remote code execution. Microsoft released a security advisory about this issue which isn’t easy to fix properly. This issue arises due to the (defined and well documented) behavior of Windows when loading libraries by an application. A .dll to load gets searched in a certain standard path list. This list also includes the current working directory, which is the place a document gets opened from for example. When a file with the name of a DLL which the corresponding application needs to load is placed into the working directory, it will get loaded – this can be a malicious DLL though.

Microsoft offers a patch as workaround which adds a registry key influencing this DLL search path. Unfortunately, the changed behavior of DLL loading breaks several Windows programs. Now the company released a Fix-it tool which can be executed after the patch has been applied. It lessens the restrictions introduced by the patch so that most applications do work again. Windows then still blocks loading DLLs from network shares or WebDAV, but if a malicious DLL is located within a local working directory, an attack may still succeed. Anyhow, this may be the only workaround option which is usable.

Administrators and users are well advised to apply the patch (and in most cases, lessen the restrictions with the Fix-it-tool) so the attack surface gets minimized.

Dirk Knop
Technical Editor

We received a large amount of Phishing emails targeting the Postbank customers in Germany. Well, perhaps targeting is too much said, maybe annoying is better. Just have a look at the way the email is presented.

Because the email was sent in large amounts, I decided to follow the link to see if it was still online. And it was, despite the fact of being addressed via a dynamic DNS name which are, usually, very volatile. The computer seems to be located in Canada.

The faked Postbank page located on that computer was flawless. A perfect copy of the Postbank online banking page. After entering some junk into the fields and clicking the button to login, I noticed that there is a flickering of the page – and the web browser  got redirected to the official page of Postbank.

This looks like a classical trick, but it was very, very fast. So, I decided to dig deeper into this. In the source code the following code can be seen:

<form name=”loginForm” method=”post” action=”index/main.php”>
<script type=”text/javascript”>

There is something saved and then the browser is redirected. While trying to fetch the php script, I saw the following (the name of the address is replaced with x and the IP address with a.b.c.d):

wget http://x.static.privatedns.com/~smile/banking.postbank.de/index/main.php
–09:24:53– http://x.static.privatedns.com/~smile/banking.postbank.de/index/main.php
=> `main.php’
Resolving x.static.privatedns.com… a.b.c.d
Connecting to x.static.privatedns.com| a.b.c.d |:80… connected.
HTTP request sent, awaiting response… 302 Moved Temporarily
Location: https://banking.postbank.de/app/login.do [following]
https://banking.postbank.de/app/login.do: Unsupported scheme.

As suspected, there is a forced redirect taking place. On this occasion I noticed something interesting in the way Firefox with activated Google Safe Browsing is working: Firefox completely deactivates the JavaScript interpreter for that page if the page is reported as Web Forgery and the user wants to browse it anyways despite the warning. Nicely done Mozilla developers! This way also the curious users are protected.

As usual, Avira users are on the safe side: The emails are marked as phishing and the URL is blocked by Avira products.

Sorin Mustaca
Data Security Expert

Our spam traps started to receive a bunch of Phishing emails like the one below, having no link inside. We know many tricks how to hide the URL (JavaScript, form, etc.) but this one was new: Pretending to be an invoice in HTML format, the attached HTML document displays the same content as in the mail body and immediately redirects to the fake website.

The email looks quite usual for spam or Phishing on first sight, but the interesting part comes after analysing the attached HTML document. The document contains, inside the row of a table, a piece of obfuscated JavaScript code.

In simple terms, the JavaScript code uses the property of each document called “location” to redirect the web browser to the fake website.

The first idea coming to mind is that almost no modern email client executes JavaScript when rendering an HTML document. However, even if the email client (Outlook, Windows Mail, Thunderbird, etc.) doesn’t execute the script, the web browsers does. As soon as the user opens the attachment with a double click, the web browser opens it an gets immediately redirected to the fake website.

The website wasn’t available anymore when we started to analyze the emails.

Sorin Mustaca
Data Security Expert

There is no technology yet which can be compared to or replace parental advice and supervision. Nevertheless, protecting the children while using the computer using software is also very important. There can be two parts identified where the protection should take place: locally and online.

Local Security

There is no online protection when the local computer is infected with malware. Thus the first thing you must do is to install an antivirus product on your computer. Second, keep your operating system always up to date using automatic updates.

Also part of the local security layer is the creation of a special user account on the computer, one for each child using it. This way, even if any damage is done, the impact is limited on that account.

Please try not to give your children administrative accounts, because this way you make sure they can do anything you can with that computer.

Online security

It is important to specify that there is no de facto standard about how to ensure browsing security. Each browser producer has different settings and features (IE8 uses ICRA3, for example. Usually, diversity is good in the software industry, but this time, I don’t know if this is so good.)

For explaining the details of how to configure these settings, I am going to use two of the most popular browsers around: Internet Explorer 8 and Firefox.

Internet Explorer 8

Using Internet Explorer 8, parents can specify to which extent the children may get exposed to websites containing alcohol, drugs, guns, nudity and sexual material, gambling, violence, bad language content and so on. To do this, you have to go to Tools -> Content -> Content Advisor and click on Enable.

You can set a level for each of these settings. Default is “None”. IE8 also has false positives and blocks perfectly suitable web sites; that’s why Microsoft thought that a whitelist would be a good idea.

Unfortunately, blacklisting a website is not possible, but one can configure the browser to block access to any website which doesn’t have a rating. There is no way to report a wrongly categorized website to Microsoft.

There is one more thing which, in my opinion, is at least as dangerous as the content of the websites: these are the Security and Privacy settings of the browser. Under the tab Security, the default of the browser is Medium-High, which for most of the adults is a good compromise between usability and security. For children, I find this a little problematic because the browser asks for permission for several things. I recommend to set the level to High for children. The same applies to the Privacy settings, which controls browser cookies that potentially can collect information that would make possible to identify the user.

Firefox

Using Firefox, there is not built-in control for website content except for websites that contain malware and phishing. However, due to its extendable architecture, it is possible to install third party add-ons which can, at least theoretically, provide the same functions as those of Internet Explorer 8.

Mozilla recommends the “ProCon” Extension for parental controls, which is a simple, but effective keyword and URL filter. It can block certain websites only, but it also can block all traffic except for those websites whitelisted.

Once enabled, you see a small green shield on the right-bottom corner of the Firefox window. When a website is blocked, it displays a line of text on the top of the windows, explaining the reason for which it was blocked.

Regardless of which browser your children are using, it is important to monitor them regularly. Check the “Browsing History”, a feature which any browser has now. Make sure that the kids don’t use “Private browsing” which doesn’t record the browsing history, or that they erase the history. As soon as you notice any strange sites, talk to your children and explain them why isn’t recommended to visit that site in the future.

Use 3rd party security software to control access to the Internet, like Avira Premium Security Suite, which can filter the websites visited for any web browser used and additonally lets you control how much time the children are allowed to spend online, simplifying these tasks greatly.

Privacy and Education

We are experiencing an explosion of the usage of social media websites like Twitter, Facebook, Hi5, and so on. Children, and unfortunately also some adults, don’t realize that they can expose everything they do and say to the entire world, when they only intend to communicate with their friends. There are many articles on the web that explain how to set the security settings for these websites. Please do read them, make your kids understand them and then apply those settings to your children’s accounts.

Understanding the risks of Internet usage is the best method to prevent any problems, because you can be sure that, sooner or later, the children will find a method to overcome that protection, no matter where or how it is installed.

Sorin Mustaca
Data Security Expert

We collect URLs (web addresses) pointing to Malware files and Phishing sites from various sources. That enables us to get a good insight into the “Malware and Phishing Market”, and now we noticed an interesting trend: For the first time this year we’ve seen that the amount of these malicious websites is going down.

After a peak in June for Malware URLs, we thought that counting less URLs in May than in the months before was just a random incident. But now the trend is showing clearly: The amount of malicious files available on websites really went down significantly.

For Phishing, the same trend can be observed, despite the fact that the difference is not that huge. Considering the observation that Phishing is currently being faked and often really “just” spam, this comes without too much of a surprise. The decreasing trend for Phishing started actually from the beginning of the year, being now on its lowest point since September 2009.

One aspect which we should not forget is holidays season – because of that there is less activity on the Internet currently. At the beginning of September we should see if this proves true – there should be a significant increase in the Internet usage and thus in the amount of Malware files and Phishing sites reported. We will keep you updated.

Sorin Mustaca
Data Security Expert

Drive-by-downloads that use exploits to infect the visitor of a website are a very popular distribution method for malware authors. In the last days we detected thousands of websites which are infected with a hidden, invisible iframe.

Searching for similar iframe infections shows that Google lists about 47,300 hits.

The target server and script this iframe points to are currently offline; the injection scripts of the malware authors may be inactive at present. Some of these infected sites had a more than one iframe injected into them though. They were infected with three or more scripts which all point to Russian servers.

This looks like a mass infection of websites which are created with a certain content management system (CMS). Usually, such mass infections are done with so-called SQL injections through security holes in these CMSes. Website administrators should always take care to have the latest version of their CMS and the needed scripting languages like PHP and Perl installed so that such mass SQL injections don’t have a chance.

The malware authors didn’t take the effort to properly track their infections, as the observation of multiple injections with the same iframe show.

Avira is protecting from such infected websites proactively: the anti-malware solutions detect them with a generic detection routine as HTML/Infected.WebPage.Gen2.

Thomas Wegele
Virus Researcher

For some time, alleged phishing mails targeted various institutions but aren’t really phishing for the victims’ credentials, but are redirecting them to a fake Canadian Pharmacy website, are very widespread. (Don’t get this wrong, we are not missing “real” phishing where a fake email takes the recipient to a website almost identical to the real one in order to make you login.)

The method stays the same, but the targets are changing now. Over the weekend plenty of phishing emails that on first sight are targeting amazon.com, which really redirect to a software shop then though, found their way into our spam traps.

In the past, for example for some Facebook Phishing / spam, the spammer played everything on one card by using the same domain everywhere. That changed now. All the pictures referred in the email are from the amazon.com website. A nice way of improving the ROI, by minimizing the cost for the bandwidth. The final target link is also, as in the previous example, pointing to a dedicated domain.

Searching for some information reveals a correctly registered domain name in the Ukraine, but owned by a private person from Moscow, Russia.

Apparently, there is no connection to the previous owner. But this doesn’t mean that they aren’t part of the same group.

We have noticed a very interesting issue with both websites: If you click anywhere on the links, the subsequent pages will be displayed in the language of the country you are located. In my case, I’ve seen the pages in German.

Being a software shop, and seeing on the front page that they sell nearly everything, I tried to search for Avira software. And I found Avira AntiVir Premium and Avira Premium Security Suite – in version 9. In April 2010 we released version 10 of our software and version 9 is not being sold anymore (but we offer a gratis upgrade to v.10). However, there is a “mistake” there: AntiVir Premium costs 19.95 EUR on Avira’s website and not 29.95 EUR. They got, however, the pricing of the Avira Premium Security Suite right.

The point is to show people that you offer a great discount and they will forget about the “rest” (like the real price) and concentrate only on what they have in front of them. The “rest” in our case is also: A fake shop which will, probably, steal your credit card data and misuse them, illegal/pirated/malware infected software and so on.

Please try to find discounts for these products somewhere else, because the same Avira Premium Security Suite will detect this email as Phishing and the URL as spam.

Sorin Mustaca
Data Security Expert

Facebook just introduced what they think is a great new feature called “Places”. Places is about sharing your current location with your friends: “you can share where you are and the friends you’re with in real time from your mobile device.”

As soon as Facebook releases something new, this rises suspicion how the company deals with the feature security- and privacy-wise. To get a better insight, we used two different accounts to see what Facebook thinks are good default values for a new component. One freshly created account and one with tightened security and privacy settings.

In the fresh account, these settings are set as defaults:

The good news is that only Friends can see the current location by default. Nicely done this time, Facebook!

The bad news is that users are automatically signed in to this service as soon as they start the application. Preferably Facebook should have the default setting “deactivate”, though.

The same is valid for the option “Friends can check me in to Places”. It stays unclear what the setting “Select one” means – whether users then get asked each time before the location gets published or if it is necessary to choose one of the other settings.

Now, after seeing the default settings for an account which was just created, we have had a look at an existing account with more strict privacy settings – and now comes the surprise! They are exactly the same, despite the fact that everything was configured manually in order to have more privacy.

To stay in control about one’s privacy it’s recommended to choose stricter settings:

We recommend these settings as we think that privacy is a serious issue nowadays. Just think about these points:

• I want to be in control of what is shared about me on the Internet, may it be posted from friends or not.
• If I would want to share my position to someone, I would have created an account on sites like Foursquare, which do offer such a service for much longer time than Facebook.
• Over-sharing can have dramatic consequences for me and those I care about. What if a burglar gets this information and breaks into my house while I am away? And what if my family is at home while I am not?

Even if Facebook learned something from the past and chose already some privacy in the default settings, they should reconsider their attitude regarding that. Else they might face the same problems as Google currently does with its StreetView service in Europe.

Sorin Mustaca
Data Security Expert

Adobe has released version 9.3.4 and 8.2.4 of Adobe Reader and Acrobat for Windows, Mac OS X and Unix operating systems. According to Adobe’s security advisory, this release fixes critical vulnerabilities which allow for remote code execution:  “These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.” This can happen by just browsing through the Internet or with malicious email attachments, for example. They were made public on the Black Hat conference three weeks ago.

The new software will be released in the Adobe Reader Download Center on 31st of August. Users and administrators should download the current version now though either via the automatic update mechanism (which can be manually toggled by choosing “Check for Updates” from the Help-Menu within the Reader) or from the links above and install the updated software as soon as possible.

Dirk Knop
Technical Editor

It’s time for our monthly threat landscape overview again. Here are our statistics for July 2010!

Most phished brands statistics

Paypal continues to be the most phished brand around, followed now with a long distance by Facebook which continues to be quite a lot under attack.

Because of the holiday season, many people started to buy games and spend more time in the social media websites, so the increase in attacking such web sites comes quite naturally.

Note that the top 10 names have remained almost the same compared to June but the amount of phishing has grown.

Most abused TLDs

Not much changed from last month, despite the fact that there were some fluctuations in the top 5. Of some concern is the fact that the “.de” domain has reached place 6 this month, stepping up 5 positions from June. The amount of 2.62% in total is so little though that this might be usual fluctuation.

Extension statistics for malware URLs

The distribution didn’t change so much from last month, most important variation being registered in the scripts ending in JSP, CSS, ASP and in the JPG extension.

Spam categories statistics

The spam mails sent in July where mostly Online Pharmacy related, followed by Casino spam. Interesting enough is the fact that the Casino spams increasingly are sent in the German language and less are English. This is probably related to the fact that some of our spamtraps are hosted on German servers; but this also means that spam got adopted better to the “target audience mother tongue” in July 2010.

URL Shorteners used in malicious activities in July 2010

Since our statistics about URL shortener services abused in malicious activities are new, there isn’t much that can be told about this category yet. It can be observed that the url shorteners are almost always the same for Phishing and Malware. There are little variations, but there are always the same websites in the top 5. Probably the reason for this is that the distribution is being made by an organized group of people, almost always the same. The future statistics will show if this is the case.

Sorin Mustaca
Manager International Software Development