Tuesday, January 19, 2010

Super Bowl Associations: football, nachos, big screens and … malware?

The Super Bowl is the one of the biggest and most watched television events of the year in the United States. People everywhere scour the internet looking for predictions, gambling spreads and news before the event and scores, stories and clips after the event.  In anticipation of the increased search traffic for Super Bowl related terms, cybercriminals have shown themselves to be well-organized and planning ahead.  Search results for Super Bowl related search terms are already turning up top-ten results linked to malicious websites.

Among the poisoned search terms detected by eSoft are: 
Super bowl 2010 score
Super bowl 44 MVP
Super bowl 2010 entertainment
Super bowl champions 2010

For some of these searches, the top result is malicious.  It seems that this round of poisoning is, so far, being done by the Rogue AV outfits as these links lead to sites with fake antivirus software and low detection rates from legitimate anti-virus software:


Poisoned search results are becoming commonplace.  Most recently searching for information on the earthquake in Haiti returned large numbers of poisoned results.  Getting bogus search results to the top of the rankings is commonly achieved by linking to the site from compromised sites or fake blogs and thereby boosting the apparent popularity of the bogus site.  The bogus site is then used to compromise the machine of visiting users through social engineering tricks and browser or browser-plugin exploits.

eSoft’s automated systems quickly identify these risky websites and block them for customers and partners.

eSoft recommends confining Super Bowl searches to news search engines such as Google News.  These results tend to be safer since the sources have gone through an approval process.

Monday, January 18, 2010

Lack of Egress Filtering Spurs Success of Injected IFrame Attack

The security community at large and the eSoft Threat Prevention Team have recently noticed an uptick in sites compromised by a new injection attack that results in an injected iframe.  This attack can be recognized by its attempts to masquerade the malicious script as GNU GPL or LGPL.  GPL and LGPL refer to public licenses for open source software and add a veneer of legitimacy to the malicious files.

The attacks in themselves are not new or novel, but their success seems to be in part because the iframes point to websites on non-standard ports.  In particular, the attackers are hosting browser exploits and social engineering tricks on servers running on port 8080. Such as this one shown below:

(note also the trusted domains that have been added to the URL to get the casual user to trust the link)

As secure web filtering is added to anti-virus products and makes inroads in gateway security products, attackers are trying to circumvent the web filters with this age-old technique.  Frequently these secure web filters only operate on common ports such as port 80.  By hosting a web server on an alternate port, the security may be bypassed.

For this reason, it is essential that administrators who deploy secure web filtering lock down any ports not expressly being scanned.  In other words, egress firewall rules that block outbound traffic on ports that don't have some security and content filtering, will save networks from this attack and ones like it.

At present, eSoft is detecting dozens to hundreds of newly compromised websites that have fallen victim to this attack and become conduits for attacks against their site's visitors.  More detailed information on how the attack is spreading and its links to gumblar can be found on the Unmask Parasites blog.