MCRC Blog - 2008
Dec 31, 2008 | Even “Heroes” are not invincible
Usually, when finding an infected web site, I treat it in a professionally strict manner; a thorough investigation is done, and when necessary, measures are taken. As part of our ongoing research, I got to check the fan website of the famous TV show “Heroes” ;-). I was very much disappointed to see the site is infected with malicious code.

Nov 27, 2008 | CBS.COM was compromised
Today Finjan’s MCRC has revealed that the famous radio and television network, CBS, was compromised as a result of malicious activity. According to Alexa.com the Cbs.com website has a traffic rank of 964.

Nov 10, 2008 | Attackers: generous or just lazy? “Crimeware toolkit heaven”
Every day, the Finjan SecureBrowsing™ system sends me malicious URLs that it detected “in the wild”. This morning, one of the URLs I received looked very similar to many others I have seen before, so I decided to research this particular one a bit further.

Nov 03, 2008 | Complex Passwords: Important but not a magic bullet
In general, it is well-known practice for anyone who has ever had to create a password to opt for a complex (and therefore hard to guess) password for use on online services. Such passwords are supposed to ensure that any adversary wielding brute force to guess the user’s password would fail miserably. Furthermore, if the password is complex enough, other methods such as dictionary attacks would be doomed as well.

Oct 23, 2008 | The “Times of India” website has been compromised (again)
As seen before, popular websites, especially news websites, are prime targets for cybercriminals. During our research, we checked out the “Times of India” website, which was victimized in the past.

Oct 15, 2008 | Runner’s shoe maker Saucony website was compromised
I love to run. Running is part of my morning routine – it energizes me for my working day. One of my favorite running shoe brands is Saucony. I regularly visit their website to check out the latest models. Last Saturday, I visited their US website looking for running shoes. To my surprise, my Finjan SecureBrowsing alerted me that the website is serving malware!

Oct 15, 2008 | The infection rate of a successful Crimeware Toolkit
As you probably know, most of the web attacks conducted nowadays use crimeware toolkits. Most of these toolkits have stunning online reporting capabilities that provide cybercriminals with real-time data about how many users they managed to infect with their malware.

Aug 24, 2008 | Yahoo Cache Magic!?
Recently, the popular social media service site, imeem.com, was compromised by a persistent (stored) XSS attack – this attack is very similar to the one we discussed a few months ago, the XSS attack optimized by SEO techniques. Fortunately, in most cases the XSS attack on imeem.com did not work, as the malicious IFrame was injected into the page’s HTML Title tag (which is rendered as text by popular web browsers). The search term, along with the malicious IFrame, was also appended to the bottom of the page, this time in HTML-escaped form, which neutralizes the attack.

Jul 16, 2008 | Governmental, Healthcare, and Top Business Websites have fallen victim to the new round of Asprox mass attack
As covered in my previous post, a new round of mass Web attacks started during May 2008. Hackers successfully compromised a large number of government and top business websites worldwide to infect visitors with malware. The attack toolkit being used (aliased “Asprox”) has been around for a few years; however, during the last year we have noticed a rise in the number of attacks using it. The attack toolkit is designed to first search Google for webpages with the file extension [.asp] and then launch SQL injection attacks to append a reference to the malware file using the SCRIPT tag.

Jul 03, 2008 | Short research of “in-the-cloud-service” and “unknown malware samples”
It looks like the new AV buzzword “in-the-cloud service” has gathered momentum among anti-virus vendors. On June 30, 2008 an interview with Trend Micro’s CEO was published on Zdent.co.uk titled “Antivirus industry lied for 20 years” – it makes me wonder what is going to change in the 21st year? In the interview Trend Micro’s CEO unveiled her company’s new vision: moving to an “In the Cloud Service”, e.g. “throws all the unknown samples up into the cloud for deeper and faster pattern recognition”. What will happen if I’m offline...?

Jun 18, 2008 | 2008 Cybercrime economy
A couple of years ago, credit card numbers and bank account PINs were traded for $100 or more on sites selling that kind of stolen information. But nowadays prices have dropped to $10-$40 per item.

May 18, 2008 | Guess who’s got your passwords and emails stored on their servers…?
In our recent MPOM report, we reported on a Crimeserver hosting 1.4G of unprotected stolen data, including passwords, medical data, emails etc. Many people asked us how we found the data. Was the data secure or not?

May 07, 2008 | Attacker toolkits for free
During our ongoing research we came up against one curious site. The site is hacking/security oriented, and is located in Russia (hmm... the previous time I checked it was in the Netherlands), and not significantly different from many other similar sites.

May 06, 2008 | Crimeware server catering to “grab and run” criminals
During our research for the latest Malicious Page of the Month, which has just been released, we came across a domain that was being used as the command and control for the Crimeware executed on attacked machines. This domain was also used as the “drop site” for private information harvested by that Crimeware.

Apr 06, 2008 | New NeoSploit - without MDAC :)
There are some things in common to most attack toolkits, one of which is an exploit against the MDAC vulnerability (patched in 2006); MDAC is also in many cases the first exploit the attacker tries to use.

Mar 26, 2008 | On the (dis)merits of privacy
Following up on my last post, after filing a complaint with the abuse department of privacyprotect.org (and blogging about the problem), I have just received an update noting that:

Mar 19, 2008 | Taking down a malicious site - the good, the bad, and the ugly...
As part of the “closure” on the February Malicious Page of the Month, which involved meoryprof.info (taken down) and spywaresafe.net, we have contacted the appropriate parties in order to notify them that these websites contain malicious code.

Mar 17, 2008 | About window of vulnerability (and MS08-017)
We here at the MCRC conduct independent vulnerability research once in a while, in order to provide our customers the best protection we can offer. The last MS security update included fixes for 2 vulnerabilities in the MS Office Web Components that we discovered, one of which (CVE-2007-1201) was reported to Microsoft two years ago (!!). This means a 2-year-long window of vulnerability. Needless to say, Finjan customers have been protected for the last 2 years against exploitation of this vulnerability, even at times when this vulnerability was being used in the wild with no patch available.

Mar 16, 2008 | Optimizing Cross Site Scripting - and general security practices
We have been working recently on an XSS attack that impacted a huge number of potential victims, as the attack itself was “optimized” by SEO (Search Engine Optimization) practices that pushed it into Google’s indexes.

Mar 03, 2008 | From 0day PoC to attack
I’m not about to discuss the pros/cons regarding full disclosure, just to show an amusing example of it: A 0day vulnerability was discovered in “Rising” – a Chinese AV product (insecure method vulnerability) and a PoC was published at milw0rm.com. Today we found a site trying to exploit the vulnerability, but the funny thing is, it used the PoC as is (changing only the payload URL, and using obfuscation to hide it), leaving the original function name (test) and “GO !” button to trigger it (i.e. the exploit will only run once the user clicks the “GO !” button). Needless to say, the exploit is served as a hidden IFrame so the user won’t even see the button.

Feb 28, 2008 | Crimeware server and the international man of mystery
While conducting research for the latest Malicious Page of the Month, which we have just released, we tried to track down the origins of the crimeware.

Feb 19, 2008 | NeoSploit V.2.0.15 - and behind the scenes
As part of our ongoing research we had the chance to “meet in person” some parts of the server-side operations behind the new version of the NeoSploit toolkit.

Jan 17, 2008 | The impact of just 5 random letters...
We have been watching in amazement what kind of impact our latest Malicious Page of the Month has had on the industry and media.

Jan 06, 2008 | And the winner for "top virus" of 2007 is...
Not a virus. Not even a malware. Neither is the runner up... It's the method of how malware is populated.