Adobe number one target for hackers

In the first quarter of 2010, Adobe products were the number one target for hackers.  The likely reason is the multi-platform reach of Adobe products like Flash and Acrobat PDF: the same exploit works on Windows, Mac, and Linux.   Many users are also not aware of the dangers of opening PDF files from unknown parties.

The Adobe Reader & Acrobat exploit Pdfka was by far the most common at 42.97%.  Combining the two most common exploits for Adobe products yields almost 50% of the total exploits found in that quarter.  Many Adobe users do not frequently update their software to the latest versions, much less apply recent patches.

20 Zero Day Security Holes in Mac OS X to be Revealed

Famous Apple security expert Charlie Miller is preparing to announce 20+ new Zero Day security holes in Mac OS X at CanSecWest.  Charlie says “OS X has a large attack surface consisting of open source components, closed source third-party components and closed source Apple components; bugs in any of these types of components can lead to remote compromise.”   He further explains “Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town.”  As I have been saying for years, Apple users are currently safer only because hackers see a larger ROI (return on investment) attacking Microsoft Windows based machines.

I have been noticing Apple Mac users more frequently requesting and installing third party anti-virus protection software than in previous years.   More key players in the anti-virus industry are releasing their flagship security products for the Mac OS.   When the Mac OS becomes a key target for hackers, the damage will be quite significant, because most Apple users do not install third party security software and the general mindset is that the Mac OS is secure from hackers and exploits.

1024-bit RSA encryption crackable

1024-bit RSA encryption is used around the world to protect web servers and other devices using OpenSSL.  In the past only the RSA 768-bit version has been crackable using brute force methods, at a cost of 1,500 years of processing time.  Recently computer scientists from the University of Michigan claim they are able to crack OpenSSL using a full 1024-bit RSA key by fluctuating the voltage on the server's power supply: the induced computation errors leak information about the private key.  Although the scientists say this type of attack can be easily prevented by changing the error-checking algorithm, they claim the attack is repeatable and consistent and can be performed in just over 100 hours, exponentially quicker than previous successful attacks on weaker key lengths.

Because direct access to the server's power supply is required to perform this attack, it is unlikely this vulnerability will be exploited in the wild on most servers.   Many consumer devices like MP3 players, BluRay players, and mobile phones, however, use RSA encryption to protect intellectual property.   Such consumer devices are easy to gain physical access to and manipulate, which could expose that intellectual property or private data.

More information can be found in their white paper (PDF) that will be presented next week in Dresden at the Design Automation and Test in Europe conference.
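The countermeasure the researchers describe, an error check on the signing result, can be demonstrated with a few lines of textbook RSA. The example below is added here and is not code from the paper, from OpenSSL, or from the original post; it uses a constructed toy key (small primes) and simulates a computation fault by corrupting the signature, which is an assumption standing in for any real hardware glitch. The point it shows: a device that verifies its own signature with the public key before releasing it never emits a faulty signature, so the error leaks nothing.

```python
# Added example: verify-before-release as a defence against faulty RSA signatures.
# Toy key, constructed for the demo; real keys use ~1024-bit (now 2048-bit) primes.
P, Q = 1000003, 1000033          # both prime (assumption checked by hand)
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)              # private exponent (Python 3.8+ modular inverse)


def sign(m, d=D, n=N, fault=None):
    """Textbook RSA signature s = m^d mod n.

    `fault` is a simulated computation error: if given, it is XORed into the
    result to stand in for a bit error caused by a glitch during modular
    exponentiation. This is only a simulation of 'something went wrong'.
    """
    s = pow(m, d, n)
    if fault is not None:
        s ^= fault
    return s


def verify(m, s, e=E, n=N):
    """Public-key check: s^e mod n must equal the message."""
    return pow(s, e, n) == m % n


def sign_checked(m, fault=None):
    """Sign, then verify with the public key before releasing the signature.

    A result that fails the check is withheld rather than returned, so a
    faulty signature never leaves the signing device. Raises RuntimeError
    on a detected fault.
    """
    s = sign(m, fault=fault)
    if not verify(m, s):
        raise RuntimeError("signature failed self-check; withholding result")
    return s


def unchecked_fault_leaks(m, fault=1):
    """Illustrates the unprotected path: the faulty signature is released and
    does not verify. Returns True when a bad signature would have escaped."""
    return not verify(m, sign(m, fault=fault))


if __name__ == "__main__":
    msg = 12345
    print("good signature verifies:", verify(msg, sign_checked(msg)))
    print("unprotected path releases a bad signature:", unchecked_fault_leaks(msg))
    try:
        sign_checked(msg, fault=1)
    except RuntimeError as exc:
        print("protected path:", exc)
```

The self-check costs one public-key exponentiation per signature, which is cheap next to the private-key operation; the paper's own fix may differ in detail, but the principle of checking the result before it leaves the device is the same.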

OpenSSL has acknowledged this vulnerability and is currently working on a patch.

Poisoning Google with Malware

There is a new threat that is filling Google search results with links to malicious sites. CERT warns this threat is spreading quickly, especially over the last few days. According to CERT there are thousands of legitimate sites infected with this threat, now called the Gumblar attack.

The attack steals FTP accounts on the victim's machine to further spread its reach. It also takes control of the victim's browser, which is how it replaces Google search results. ScanSafe has reported that of the 3,000 known infected sites, 800 were infected within the last week.

As of right now, the Gumblar attack is considered relatively small scale. With access to victims' FTP account information and strong obfuscation, its growth is expected to continue. Typically the number of sites infected with a known threat declines over time; this isn't the case with the Gumblar attack.

The Gumblar attack uses known flaws in Adobe software products (that typically do not get patched quickly) to install the malicious software.

Crimeware kits for sale

Independent research reports from several different internet security firms are warning about the increased level of technology, sophistication, and organization that criminals are employing in their endeavors to steal, defraud, extort, and otherwise scam individuals and corporate entities for their money. Today’s hacker wannabe doesn’t even have to be particularly skilled technologically. He just has to be willing and able to cough up the money for a good crimeware kit, which can cost upwards of $3000.00 depending on the capabilities desired.

According to Symantec, 3 phishing kits were responsible for over 40 percent of the phishing attacks they observed during a recent 6 month interval. These kits come complete with sample phishing web sites and email messages, and their availability on the black market can be linked to the 53 percent increase in the number of phishing attacks observed during that same period.

Other crimeware kits such as MPack combine multiple attack types, exploiting both web server and client vulnerabilities. Additionally, kits are available that allow criminals to customize Trojans in order to target specific sectors or agencies. Finjan is reporting that these crimeware Trojan kits create new binary files with each use, making signature-based detection extremely difficult. These kits are also capable of generating Command and Control modules for remote control of distributed Trojans, in effect creating botnets.

These kits show all the traits of professionally developed software suites, utilizing the latest web 2.0 programming technologies. This has resulted in skyrocketing infections within the most popular web 2.0 sites, including social networks and P2P file-sharing sites. In fact, according to Websense, 60 percent of the most popular sites on the internet either hosted crimeware, or linked to malicious websites which hosted crimeware during the first 6 months of 2008. Various MySpace hacks for example allowed criminals to view private profiles and capture logon details, enabling the hackers to use the hacked accounts to send spam or host malware.

One of the newest kits available to hackers was discovered by Panda Security in June. It converts traditional Trojans into worms. This means that once a machine is infected with the Trojan, other computers sharing the same network could be infected without the users opening an infected email attachment or visiting a malicious site. Such hybrids spread much more quickly than the original Trojans from which they’re created.

Crimeware kits are distributed to potential buyers, who use private chat facilities to negotiate and consummate the transactions. Sites which host torrent trackers also index many hacking toolkits. Of course, the illegal gangs and cybercriminals have their own distribution and management channels. These organizations seem very much like a cross between modern high-tech business enterprises and mafia-style organized crime. The top managerial tier does not engage directly in hacking activities, but directs middle management layers which control the distribution of crimeware and crimeware kits to lower tiers. These lower tiers are the actual hackers collecting the stolen data, identities, credit card numbers, etc. They also control the botnets which are used to launch attacks, send spam, and expand their networks.

The growing sophistication of crimeware (and the ease with which it can now be developed and deployed), the increased use of blended attacks involving multiple attack vectors, and the continual refinement of the criminal organizations behind cybercrime are all symptoms of the trend away from malware created for glory or anarchistic destruction and toward crimeware geared for stealth and profit.

Sophisticated kits generate custom trojans for stealing data and conscripting into C & C networks (botnets). — Finjan Web Security Trends Report Q2 2008.

Do you have Conficker?

One of the quickest and easiest ways to tell if you are infected with the Conficker virus is to look below and see whether any of the images from four of the 100+ security sites blocked by Conficker fail to load.  I put four images for the following security websites: Kaspersky Lab, F-Secure, Secureworks, and Trend Micro below. If you have any problems loading these images or visiting the sites listed, you may be infected with the Conficker virus. If you are using a proxy server you will likely still be able to load the images, so this is not a good test in that case.

If you believe you are infected with Conficker (Kido/Downadup) check out Kaspersky’s KKiller tool to remove it.
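The same check can be scripted instead of eyeballing images. The block below is an added example, not a tool from the post or from any vendor; it tests whether the four vendors' sites can be reached from this machine and treats any failure as a reason to investigate. The hostnames are assumptions (the post names only the companies), the check is done at the name-resolution level rather than by loading images, and the lookup function is pluggable so the logic can be exercised offline with a constructed resolver. The proxy caveat from the post is built in: when a proxy is in use the result is reported as inconclusive.

```python
# Added example: scripted reachability check for security-vendor sites.
import socket

# Hostnames are assumptions for the four vendors named in the post.
SECURITY_HOSTS = [
    "www.kaspersky.com",
    "www.f-secure.com",
    "www.secureworks.com",
    "www.trendmicro.com",
]


def probe_hosts(hosts, resolve=socket.gethostbyname):
    """Try to resolve each host. Returns {host: True/False}.

    `resolve` defaults to a real DNS lookup; pass a fake for offline testing.
    Only OSError (which socket.gaierror subclasses) is treated as a failure.
    """
    results = {}
    for host in hosts:
        try:
            resolve(host)
            results[host] = True
        except OSError:
            results[host] = False
    return results


def assess(results, via_proxy=False):
    """Turn probe results into a verdict string.

    - via_proxy: the proxy does the lookups, so the test proves nothing.
    - any failure: worth investigating (could be Conficker, could be a
      plain network problem; it is a hint, not a diagnosis).
    - all reachable: no sign of the blocking this test looks for.
    """
    if via_proxy:
        return "inconclusive: traffic goes through a proxy, run the test without it"
    blocked = sorted(h for h, ok in results.items() if not ok)
    if blocked:
        return "suspicious: could not reach " + ", ".join(blocked)
    return "ok: all security sites reachable"


if __name__ == "__main__":
    print(assess(probe_hosts(SECURITY_HOSTS)))
```

Run it directly on a machine with normal (non-proxied) internet access. Because a failed lookup can also mean an ordinary outage, a "suspicious" result should be followed by a scan with a removal tool such as the one mentioned above rather than treated as proof of infection.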

Images are trademarks of their respective owners.