Twitter’s Red Carpet Era – Celebrities and Criminals

March 9th, 2010

Posted by: Barracuda Labs

As part of an ongoing effort to make the Web a safer place for both business and casual users, Barracuda Labs decided to take a deeper look at one of the Web’s fastest growing social networks, Twitter. We reviewed growth drivers, usage trends and the overall crime rate, analyzing both legitimate and malicious users for 2009. Today, we published our findings as part of our Barracuda Labs Annual Report.  This report revisits an analysis completed by the team in June 2009, following the launch of TweetGrade (www.tweetgrade.com), and coincides with recent accounts of Twitter’s explosive growth – reportedly reaching 50 million tweets per day.

Our analysis is based on nearly 19 million Twitter accounts, in which we analyzed the frequency and content of tweets, user-to-user interactions, and each account’s overall activity level.

The bottom line is this: users are more active on Twitter; more users joined Twitter in 2009 following a massive influx of celebrities to the site; and sure enough, the criminals followed the users in a forceful way causing the overall Twitter Crime Rate to spike.

So let’s dig into the results…

HOW PEOPLE ARE USING TWITTER

Twitter Follower vs. Following Trends – What’s a True Twitter User?

Notably, people are using Twitter more actively. For the purpose of this exercise, we define a True Twitter User as someone who has three main attributes:

  1. Has at least (≥) 10 followers
  2. Follows at least (≥) 10 people
  3. Has tweeted at least (≥) 10 times

Interestingly, our study shows that only 21 percent of Twitter users fall within our definition parameters and are True Twitter Users.

What do we mean by “more active” on Twitter? Essentially, this means that:

  • Users are following more user accounts
  • Users are being followed back by more user accounts and more often
  • Users are tweeting more.

Today, only 17 percent of Twitter users have zero followers, which is a 40 percent increase in the number of users that now have “more” followers (i.e. ≥ 10 followers) when compared to 30 percent in June 2009.

Our analysis also found:

  • 26 percent of users now have at least (≥) 10 followers, showing a 30 percent increase since June when only 20 percent of users had at least (≥) 10 followers.
  • 40 percent of users are following at least (≥) 10 user accounts, showing an 18 percent increase since June.
  • 27 percent of users have tweeted 10 times or more, showing a 29 percent increase since June.

Additionally, today there is a trend toward users actually using Twitter as a two-way communication tool versus as an RSS feed or “information fire hose.”  In fact, 36 percent of Twitter users today have more followers than the accounts they are following, showing an 80 percent increase since June when that number was only 20 percent.

Twitter Users More Active

Not only are people becoming more connected on Twitter, they also are becoming more active:

  • 27 percent of users have tweeted at least (≥) 10 times, which is a 29 percent increase since June.
  • Moreover, today there are 34 percent of users who have not tweeted since they created an account. While that still seems like a fairly high percentage of inactive accounts, it shows an eight percent decrease (down from 37 percent) since June 2009, demonstrating that people are becoming more active.

What’s even more interesting is that the most active users on Twitter are not the ones with the most followers.

  • Users with an average of 1,000 followers actually tweet the most, as compared to those with fewer than 100 followers or more than 100,000 followers.

TWITTER GROWTH & THE TWITTER RED CARPET ERA

Further, some remarkable trends emerge as we review how Twitter’s growth has taken shape. Based on when a member joined Twitter, we plotted a Twitter growth chart. This chart illustrates a very concentrated growth spurt during the early part of 2009 – a time period which we define as the “Twitter Red Carpet Era.”

The Twitter Red Carpet Era falls between November 2008 and April 2009. This is the period of time during which a handful of ‘celebrities’ – including 27 of the top 50 and 48 of the top 100 most followed Twitter users – joined.

  • In the beginning of 2008, Twitter was growing approximately 0.31 percent per month. By November 2008, that growth increased to 1.95 percent per month.
  • After December 2008, Twitter’s growth exploded from nearly two percent per month, and rising to approximately three-to-four percent per month, before finally peaking at nearly 20 percent per month in April 2009.
  • At the end of the “Twitter Red Carpet Era,” growth appears to have normalized, dropping back to 0.34 percent by December 2009.

The following graph illustrates the Twitter Red Carpet Era and the significant impact that these celebrities had on Twitter’s growth as they brought their fan bases with them from the real world to Twitter.

TWITTER CRIME RATE

As millions of users flocked to Twitter during the Twitter Red Carpet Era, so too did the criminals. During this time, numerous accounts were used for malicious purposes such as poisoning trending topic threads with malicious URLs (hidden by the ever popular URL shortening services) aimed at luring Twitter users to sites carrying malware or other malicious content.

The Twitter Crime Rate is defined as the percentage of accounts created per month that are eventually suspended for malicious or suspicious activity, or otherwise misused.

  • In 2006, the Twitter Crime Rate was only 1.2 percent.
  • By 2007, the Twitter Crime Rate increased slightly to 1.7 percent.
  • In 2008, the Twitter Crime Rate averaged around 2.2 percent.

During the Twitter Red Carpet Era, the Twitter Crime Rate increased from 2.02 percent to 3.36 percent, showing a 66 percent increase in the overall Twitter Crime Rate.

As more users joined Twitter in 2009, the Twitter Crime Rate continued to escalate reaching 12 percent     in October 2009. This means that one in eight accounts created was deemed to be malicious, suspicious or otherwise misused and was subsequently suspended – clearly showing that the criminals do, in fact, follow the users online.

Twitter’s proactive response to keep its users’ social networking experience safe is admirable; however, it remains unclear how efficient Twitter is in detecting a malicious account.

Why should you care about how Twitter is used?

At Barracuda Labs, we’re constantly monitoring the Web ecosystem and tracking new trends in malware and other attacks.  Social networking platforms like Twitter and Facebook provide a perfect opportunity for attackers to find their victims, leveraging what users assume to be a “safe” environment. This is evident through the Twitter Crime Rate mentioned above. Attackers employ various techniques to build up their follower list, poison trending topic threads, or initiate other campaigns which can increase the visibility of their tweets, and therefore draw users in to suspicious sites, malicious downloads or other malevolent activity. As social networks continue to gain momentum – and millions of users – there is no doubt that criminals will look to create more sophisticated and serious social engineering attacks against unsuspecting users.

For a deeper dive into these social networking, Web and email attacks, download the Barracuda Labs Annual Report or feel free to drop us a line in the comments section below. We look forward to working with you to solve these problems and make the Web a safer place for corporate and casual users. Meanwhile, be sure to think twice before following someone you don’t know and check out their user profile at TweetGrade.com.

Posted in Internet Security Tips, Research, Security, Tweet Grade, Web Security | No Comments »

Scammers Cashing in on Facebook ‘Un named’ App Hoax

January 30th, 2010

Posted by: Barracuda Labs

On Wednesday, a seemingly harmless application listing glitch sent numerous users into believing there was a Spybot attack ongoing on Facebook. Due to the bug, an application listed as ‘Unnamed App’ appeared in some users’ application settings. Some of the users took this as the presence of a spybot which would steal their account details / passwords and perform malicious activities on their computer. Those users warned other users about it and hence the word about ‘Un named App’ spread like a fire in few hours.

Ultimately, this was a harmless bug; however, curious users turned to Google to learn more about it, and scammers saw this as a golden opportunity. The scammers soon harnessed the search query ‘unnamed app’ and poisoned search results to include sites that would redirect users to a Rogue AntiVirus serving site instead. This has become a very popular technique used by scammers in the past few months.

Clicking on search results titled ‘Unnamed App’ redirects user to Rogue AV:

Scam artists also attempted to hide from the research community by selectively redirecting only users who visited straight from Google by clicking one of the search results. Visitors (mostly researchers) who attempted to go to the malicious search result directly were redirected to http://www.cnn.com instead.

There are multiple ways to achieve this. In this case, attackers reviewed the referrer-header to check from where the user came.

Hence what was seemingly a harmless bug, was still able to perform some damage to the innocent users’ browsing experience today.

Users of the Barracuda Purewire Web Security Service are protected from this attack.

Posted in Research, SEO Poisoning, Web Security | No Comments »

Online Safety: Tips to Protect Your Information

December 21st, 2009

Posted by: Barracuda Labs

With the increased awareness and attention around incidents of identity theft, consumers are becoming more vigilant in how they provide personal information online. At the same time, businesses that require such information to complete a transaction also must evaluate how they collect that information online from consumers.

For example, a colleague recently forwarded the email below from Southwest requesting personal information to complete the Transportation Security Administration’s (TSA) Secure Flight verification. Because the email was sent after the flight reservation was booked, it was unclear to the recipient whether or not the email was legitimate. Upon examination, it is clear that this is a legitimate email from Southwest; however, it is one that could easily be forged by a spammer or hacker attempting to collect a user’s personal information.

As people are making final travel arrangements and gift purchases online in this last week leading up to the holidays, Barracuda Networks has compiled a number of tips to help consumers discern legitimate emails and Web sites from malicious attempts, as well as recommendations for businesses to better serve their consumers online.

Online consumer safety:

1. Real or fake? Do not click on links included in an email. Instead, type the address directly into your Internet browser.

2. Email security and anti-virus solutions up-and-running. Make sure you have a strong email security solution in place that can block spam and phishing emails as well as detect and block viruses and other malware (including malicious Web links) contained in the email. As an extra precaution, make sure your desktop anti-virus protection is up-to-date and running. This will keep any viruses/malware not sent over email from infecting your computer or adding you to a larger botnet.

3. Strong Web filtering. Having a strong Web filter in place will allow you to block access to potentially dangerous Web sites. Web filters can block downloads by file type and applications that access the Internet (i.e. IM, music services, etc.) that are often used by hackers as a means of transporting malware onto your computer.

4. When in doubt, check it out. If you receive an email from a business that you recently have done an online transaction with – retail, bank, airline, etc. – and are not sure of its authenticity, check it out. Call or email the business to verify that the request is legitimate. Also, you can go directly to that company’s Web site to look for warnings listed of recent Web scams that have targeted the business.

Helping businesses serve customers:
1. On-site, at-once. Request all necessary customer information at the time of purchase, while the consumer is on the Web site. In the case of the Southwest email, if the consumer had been directed to the “MySouthwest Account” to provide this information at the time of flight reservation and purchase, it would have expedited the process for the consumer and eliminated the need to send a follow up email that raised the suspicion of the recipient.

2. Avoid follow up email. Consumers are likely to be more suspicious of emails requesting that they log back into – or create – an account to provide personal information.

3. Provide clear instructions. If sending a follow up email to complete the transaction is unavoidable, provide a clear message to the consumer at the end of the initial online transaction – before they leave the Web site – so that they know to expect an email that will require additional information and what that required information will be.

4. Privacy Policy. Be sure to provide a privacy policy that’s easy to find and is clear on what the Web site will and won’t do with the information entered.

5. Protect customer information on your site. Businesses are responsible for ensuring that the customer information that it collects online is protected from those with malicious intent. Implementing a strong Web application firewall protects the business Web site from being hacked and customer information from being stolen.

The underlying goal here is to enure that businesses that legitimately require user information receive it in a timely and secure fashion. That will keep the bad guys out of consumer’s wallets and bank accounts, and from stealing their identities.

If you look at the email you will see that we have identified the hyperlinks take you to a legitimate Southwest domain. We know it is a legitimate Web site because the URL contains the Southwest domain.

Posted in Email Security, ID Theft, Internet Security Tips, Security, Web Security | No Comments »

Yet Another Reputable Site Asks You to Install Rogue AV

December 18th, 2009

Posted by: Barracuda Labs

Yet another reputable site has fallen victim to compromise — University of Arkansas.

This Tuesday, Barracuda’s Malicious Javascript Detection engine (MJD) identified Rogue AV software being distributed from a page that belongs to the University of Arkansas Web site. When users accessed a particular page from the university Web site, it opened a window warning them about their computer being infected with viruses and then subsequently downloaded an anti-virus software which was identified to be a fake anti-virus software.

A forensic analysis of the attack revealed that the user requested the following:

hxxp://bumperscollege.uark.edu/ssp_director/inc/html/d/georgia-inmate-query.html

which in turn requested a javascript from a malicious domain via script include:

hxxp://xrusx.com/counter.php?sref=bumperscollege.uark.edu/ssp_director/inc/html/d/georgia-inmate-query.html

which contained further malicious javascript includes that generated fake warning messages on the user’s computer.

And ultimately attempted to download setup.exe:

setup.exe was linked off another malicious domain:

hxxp://www.loker.us/forum/attachments/setup.exe

While investigating deep into the tracks of the user to determine how the user got to this page, we made yet another interesting discovery. Our investigation could not find user browsing a page linking directly off Universityof Arkansas linking the malicious page that was distributing the Rogue AV. Instead, it was a Bing search result that lead user to this page. Specifically, one customer using the Barracuda Purewire Web Security Service searched for ‘georigainmatequery’ on Microsoft Bing search engine.

hxxp://www.bing.com/search?q=georgiainmatequery

Which yielded following results:

As you can see, the malicious link from uArk.edu shows up in the bing search results — and in the number two spot. The page is leveraging uArk.edu’s reputation ranking in what we’ve previously reported on as SEO poisoning (see previous post). This is becoming increasingly more popular as hackers are targeting vulnerabilities in legitimate Web sites since it makes the malicious page more likely to be visited. While search engines have been proactively adding malware scanning in their arsenal, legitimate Web site owners also need to take proactive steps to keep their site free of such malicious content.

Customers using the Barracuda Purewire Web Security Service are protected from this attack.

Posted in Research, SEO Poisoning, Security, Web Security | No Comments »

Web Security: Be Careful Clicking on the Google Doodle

December 15th, 2009

Posted by: Barracuda Labs

It’s been widely reported that Google sponsored links are being used for malicious purposes. Once again, Google is an easy target and consumers are vulnerable. Rogue AV continues to be a big business, and the criminals are taking advantage of the more popular (and trafficked) areas to spread their wares.

Today, December 15, 2009, is the 150th birthday of LL Zamenhof, the inventor of Esperanto (an international auxiliary language).

Google celebrated by decorating its logo with the flag of Esperanto, turning it into what is called a Google Doodle (Google often uses its logo to celebrate various historical events etc http://www.google.com/logos/).

Clicking on the Google Doodle performs a search for the term “LL Zamenhof” – making it remain steady in the top 5-10 most popular searches of the day. Malware distributors have recognized this significant opportunity to concentrate their poisoning efforts on popular search terms. This is just another egregious act of criminals using these Google popular search terms – and SEO poisoning – as vehicles to carry out their malicious intent.

On page one of the search results, one of the examples falls under the domain rubbermouse.com —- The poisoned results point to legitimate domains that have been compromised. This leverages the site’s already good Google reputation so that the results do not appear with a Google safesearch alert. This is becoming increasingly more common for almost any popular search term.

Once the user clicks on the link, he/she is then re-directed to a Rogue AV site (hxxp://antyspywaretoday.net….). On this page, the user is given a warning that the computer might be infected, a fake scan ensues, then the user is prompted to purchase the AV software — regardless if the user clicks on the “OK” or not.

How prevalent is this? First 100 results, there are 31 poisoned sites. Even better, first 50 results, there are 27 poisoned sites. These criminals get search engine optimization – and are good at it!

The sites are hard to identify – and hard to remove – since they are designed to re-direct to multiple sites (some with malicious intent such as selling Rogue AV, and some offering up nothing more than a waste of time via a fake search site). Regardless, these rogue orphan pages exist and are under the control of those who can, with the push of a button, offer up dangerous exploits to attack users, steal information, and damage corporate networks.

What’s most concerning about this – Google is posting its Doodle, inviting users to click (out of their own curiosity, they will), and then serving up more than half of the results as malicious. What does that say about the current state of search and SEO?

Below are several screenshots taken from this experiment.

GoogleDoodle1 – Google Doodle from today 12/15/09.

GoogleDoodle2 – First results: at first, these look good. Upon further review, the entry with the link sio.ucsd.edu/cop15/newsroom/?byza=6 shows that it’s gibberish… The site is most likely compromised, but it’s down as of this writing.

GoogleDoodle3 – Most of the results in this image are poisoned and clicking on the rubbermouse.com link provides GoogleDoodle4 (see below).

GoogleDoodle4 – Once clicking on rubbermouse, the user is then redirected to the fake antivirus site regardless of which button is pressed.

GoogleDoodle5 – This additional prompt attempts to reassure the user about downloading the payload. Until the payload is downloaded, the user is not really infected.

GoodleDoodle6 – This Web page is carefully crafted to mimic the Windows look and feel, but it’s still a Web page. A javascript animation makes it look like the user’s computer is being scanned and threats are being found. Nothing of the sort is taking place.

GoogleDoodle7 – Once it’s done “scanning” the user is then served this page — and there are no mouse options at this point.

GoogleDoodle8 – This is an attempted delivery of the payload. Until the user clicks “run” on one of these dialogs, he/she is not infected. If the user does click, the program will install (in this case, Internet Antivirus Pro) but does nothing real other than nag the user for money so that it can be ‘activated’ for use. These fake antivirus programs (Rogue AV) purport to find many threats, but in fact do not find or fix anything at all.

GoogleDoodle9 – This image shows the Internet traffic generated by this click. From the compromised site rubbermouse.com, it goes to a free Webhost in Poland which redirects the browser to an intermediary, godotscan.com. This site then redirects the browser to the final malicious site, docipge.cn. This site will most likely be active for only a few days before it’s replaced by a new landing site.

Posted in Research | No Comments »

Preview to a Possible Future of Rogue AV

December 2nd, 2009

Posted by: Barracuda Labs

Yesterday, Purewire’s Malicious Javascript Detection (MJD) engine identified the following malicious URL:

hxxp://unsoft.eu/hitin.php?affid=02992

The site uses a now ubiquitous social engineering lure: fake javascript-generated alerts that claim the user’s system is infected with malware:

If the user believes these alerts to be genuine, the following Rogue AV software (called “Privacy Center”) will end up installed on their system:

The above screenshots well-represent what Rogue AV looks like today. But what about the Rogue AV of tomorrow? The investigation of other malicious domains related to unsoft.eu yielded the discovery of one such future vision of rogue software.

The story of this vision begins at newtunesclub.com, which resolves to the same IP address as unsoft.eu. However, instead of serving the user fake pop-up scanners and alert notifications, the site claims to act as a media distribution portal:

In addition, unlike some rogue software operations, newtunesclub.com is well put-together and includes a functioning search engine. As an example, the top result of a search for “Troy” is the 2004 movie of the same name; clicking on the result presents the user with accurate release and cast information, a series of movie stills, and a link to download the movie:

Yet, instead of a large movie, a small executable is served when the user clicks on the Download button. This executable has the same icon as the Rogue AV software served off of unsoft.eu:

In addition, about half of the few VirusTotal detections identify the above Troy executable as Rogue AV:

http://www.virustotal.com/analisis/4f40e8bb48d660a8b3d13d19f401a2f831469e
aa7dd6607be872860d0c7ef1c3-1259366297

However, the similarities between these two binaries end at identical icons and similar AV detections. When Troy.exe is run, a larger executable is downloaded from the following location:

hxxp://iqmediamanager.com/download/0

This larger binary is automatically executed and installs an interesting type of rogue software (called “IQ Manager”) on the user’s system:

Before IQ Manager even attempts to connect outbound, a child window appears, stating that there are “no empty spots” in the “shared channel”, and that the user must “wait their turn” or “activate the VIP Channel”. Activation, of course, requires a credit card.

However, even if the user decides not to perform activation, the download proceeds:

Upon completion, the resulting file was indeed a playable copy of the 2004 movie Troy. Subsequent investigation into IQ Manager’s operation revealed that it acts as a BitTorrent client, using torrents offered by the popular tracker thepiratebay.org.

While current Rogue AV software offers the user almost nothing, newtunesclub.com and the IQ Manager software collectively provide a functional (if illicit) download service that will meet many users’ expectations. If this model proves financially successful for the criminals behind it, “pay for free” software could become a standard that forms the face of tomorrow’s rogue software.

Users of the PWSS are protected from this emergent threat.

Posted in Research | No Comments »

Fake Microsoft Outlook Updates Spread Rogue AV

October 16th, 2009

Posted by: Barracuda Labs

Yesterday, a Purewire employee received an email claiming to offer an update to his Microsoft Outlook configuration:

From: < redacted >
Date: Thursday, October 15, 2009 2:12 PM
To: < redacted >@purewire.com
Subject: Microsoft Outlook Notification for the < redacted >@purewire.comYou have (6) New Message from Outlook Microsoft

- Please re-configure your Microsoft Outlook Again.
- Download attached setup file and install.

The email was accompanied by a zip file that contained an executable with a business-looking smart phone icon.

Install Icon

Instead of a configuration update, the file was actually a malware downloader. When executed, it downloads and installs additional malicious software from the following URL:

hxxp://uvgadferbotario.com/X1j0uHc5Htr8Lw0i4Wv6Jz7Ha

AV detections for the second-stage executable are poor:

http://www.virustotal.com/analisis/027bd581ec937628b5fd187b72a95a99f397e9f
2bcb1f6d6c8d757c872af2176-1255724269

In this case, the second-stage malware is a brand of Rogue AV software called Antivirus Pro 2010; a screenshot with examples of the different types of bogus alerts it generates is shown below.

Antivirus Pro 2010

This brand of fraudware is particularly aggressive; its tactics include the production of fake errors (about every 30 minutes) that require the user to either purchase the full version of the software or reboot their system.

Users of the PWSS are protected from this threat.

Posted in Research | No Comments »

Twitter Trending Topics Used to Propagate Rogue AV

September 18th, 2009

Posted by: Barracuda Labs

Last night, a Purewire employee was directed to a Rogue AV website after clicking on a link in a tweet that matched a popular topic. Subsequent analysis uncovered an active Rogue AV propagation campaign that attempts to lure users to malicious websites via tweets that contain popular terms searched on Twitter.

The malicious tweets draw part of their word content from Twitter’s Trending Topics list; a screenshot of the list at the time of this writing is shown below.

Twitter Trending Topics

Searches that use some of the above topics lead to these tweets, as shown in the following examples:

hxxp://securityland.cn/?uid=144&pid=3&ttl=31c48520c54

which acts as a traffic distribution system for a Rogue AV operation; the chain of redirections ends at one of the following Rogue AV distribution points:

All of the above sites serve javascript-based fake system scanners:

which attempt to compel the user to download Windows PC Defender, a brand of Rogue AV software. AV detections for the Rogue AV malware instance served are non-existent:

http://www.virustotal.com/analisis/9a155d62af5b43be29018f7d0f52875503c6d15a3
c891cb5807ed123398889ca-1253323103

Users of the PWSS are protected from this campaign.

Posted in Research | No Comments »

PBS Website Compromised, Used to Serve Exploits

September 16th, 2009

Posted by: Barracuda Labs

On Monday of this week, Purewire’s Malicious Javascript Detection (MJD) engine identified malicious activity originating from a page that belongs to the popular website pbs.org. Specifically, attempts to access certain PBS website pages yielded javascript that serves exploits from a malicious domain via an iframe.

A forensic analysis of this attack revealed that the user requested the following:

hxxp://www.pbs.org/parents/curiousgeorge

which in turn requested:

hxxp://dipsy.pbs.org/parents/ptframe/images/bground-leaderboard.jpg

instead of:

hxxp://www.pbs.org/parents/ptframe/images/bground-leaderboard.jpg

Accessing the image off of dipsy.pbs.org requires login credentials, as shown in the following screenshot.

PBS Login Prompt

If correct credentials are not provided, dipsy.bps.org serves an error page that looks normal:

… until you look under the hood. The end of the error page’s source:

contains obfuscated javascript placed there by a malicious third party. Deobfuscated, this code writes an iframe that loads malicious javascript from the following malicious URL:

hxxp://qxfcuc.info/f.cgi?jzo

The above URL serves exploits that target a variety of software vulnerabilities, including those in Acrobat Reader (CVE-2008-2992, CVE-2009-0927, and CVE-2007-5659), AOL Radio AmpX (CVE-2007-6250), AOL SuperBuddy (CVE-2006-5820) and Apple QuickTime (CVE-2007-0015).

The domain qxfcuc.info is part of a malware campaign that includes tens of similar websites hosted off of a handful of common IP addresses. Similar exploit code was served from most of these domains, although a handful (e.g., yyoqny.info) display a message that suggests the criminal behind this campaign is compromising systems to build a botnet he will likely later lease. Translated from Russian, that message tells prospective leasers to “Send a message to ICQ #559156803; stats available under ststst02.

Users of the PWSS are protected from this campaign.

Update, Sep 18, 2:49PM ET: PBS has notified Purewire that the malicious javascript has been removed from its site.

Posted in Research | 2 Comments »

The Fragus Exploit Kit

August 25th, 2009

Posted by: Barracuda Labs

Recently, Purewire’s Malicious Javascript Detection (MJD) engine identified malicious URLs backed by what was found to be Fragus, a new exploit kit that appeared in late July 2009. An example of a Fragus URL and a screenshot of its admin control panel login page are shown directly below.

hxxp://blt.kz/1/show.php?s=5015ba5606

Fragus Admin Control Panel Login

As with most modern exploit kits, Fragus serves not one, but a grab bag of exploits that attack the browser, ActiveX controls, and third party plugins. Deobfuscating the javascript served off of the above URL revealed the following function names (bodies omitted), which each attempt to exploit one or more different vulnerabilities:

directshow(): Performs heap spraying, then serves hxxp://blt.kz/1/directshow.php, which targets the Microsoft Video (DirectShow) ActiveX control vulnerability (a.k.a., MS09-032).

pdf(): Serves hxxp://blt.kz/1/pdf.php?eid=3, which targets Acrobat Reader vulnerabilities in util.printf, Collab.getIcon, and Collab.collectEmailInfo (a.k.a., CVE-2008-2992, CVE-2009-0927, and CVE-2007-5659, respectively).

flash(): Serves hxxp://blt.kz/1/swf.php?eid=4, which targets the Adobe Flash Player integer overflow vulnerability (a.k.a., CVE-2007-0071).

aolwinamp(): Performs heap spraying, then attempts to exploit the AOL Radio AmpX (AOLMediaPlaybackControl) ActiveX control vulnerability (a.k.a., CVE-2007-6250).

snapshot(): Targets the Microsoft Access Snapshot Viewer ActiveX control vulnerability (a.k.a., MS08-041) in an attempt to have hxxp://blt.kz/1/load.php?e=6 executed.

spreadsheet(): Performs heap spraying, then attempts to exploit the Microsoft Office Web Components ActiveX control vulnerability (a.k.a., MS09-043).

ms09002(): Performs heap spraying, then attempts to exploit the Microsoft Internet Explorer 7 memory corruption vulnerability (a.k.a., MS09-002).

The above set of exploits motivates mention of two observations about the continuing evolution of the web threat landscape. First, given that Fragus targets vulnerabilities in at least seven different software components, viewing a given vulnerability as being more or less exploited than another is increasingly incompatible with the way in which it is used. Modern exploit kits will target any and all vulnerabilities that have a reasonable chance of successfully compromising a system, and unfortunately, the presence of just one vulnerable, out-of-date software component is required for that compromise to occur. Second, as one of the above vulnerabilities (MS09-043) is less than a month old, the length of time between the discovery of a vulnerability and its widespread use by criminals is shrinking. The creators of malware infrastructure are now rapidly integrating recently-discovered vulnerabilities into do-it-yourself exploit kits, and security companies must be increasingly quick to respond.

Users of the PWSS are protected from this threat.

Posted in Research | No Comments »

« Older Entries