
ROAM DATA Payment Industry News Focusing on Mobile Payments


Tuesday, November 2, 2010

Rogue antivirus spoofs Firefox, Google attack warning pages

Oct 20 2010 2:03PM GMT

Posted by: Robert Westervelt
Rogue Antivirus, Phishing, malicious URLs, malware

Spoofed warning page includes a download link attempting to trick users with a phony browser update.

Security researchers at F-Secure and Websense have found cybercriminals pushing rogue antivirus software with a spoofed copy of the attack warning pages that Firefox and Google Chrome display to stop users from reaching known malicious websites. The real warning pages are drawn by the browser itself, not served by a website, and never offer a file to download; the spoof does both.

The phony attack page includes a download link that purports to be a browser update, but instead downloads rogue antivirus software, according to F-Secure.

According to F-Secure:

If your scripts are enabled, you don’t even need to click on the “Download Updates!” button. It will just offer the rogue AV to you.

It then refuses to let the user cancel the download.

In addition, Websense researchers found that the page loads an iFrame from a different domain that pulls in the Phoenix exploit kit. Phoenix is used by cybercriminals pushing rogue AV to harvest data from infected machines and dupe the end user into buying the fake antivirus software. The kit carries nine exploits for browser vulnerabilities, Java flaws, Flash vulnerabilities and Adobe Reader bugs.
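The three behaviours the researchers describe (a site-served page that mimics the browser's warning text, a script that pushes the "update" without a click and then refuses to let the user leave, and a cross-origin iFrame pulling in the exploit kit) are all visible in the page source, so they can be turned into a simple detector. The following is an added example, not code from the article, F-Secure or Websense; the sample pages, hostnames, file names and the indicator names it reports are constructed for the example.

```python
"""Heuristic detector for spoofed browser "attack warning" pages.

Added example; not code from the original article, F-Secure or Websense.
Premise: a genuine Firefox or Chrome blocking page is rendered by the
browser from a built-in page, is never served by a web site, and never
hands the user a file. An HTTP-served page that reproduces the warning
text *and* pushes an executable, pins the user to the page, or pulls a
cross-origin iframe is therefore a strong rogue-AV signal.
Sample pages, hostnames and file names below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

WARNING_PHRASES = ("reported attack page", "reported attack site",
                   "visiting this site may harm your computer")
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".msi", ".pif")
# location.href = "x.exe", location.assign("x.exe"), window.open("x.exe")
SCRIPTED_DOWNLOAD = re.compile(
    r"(?:location(?:\.href)?\s*=|location\.(?:assign|replace)\(|window\.open\()"
    r"\s*[\"'][^\"']*\.(?:exe|scr|msi|pif)\b")


class _PageFeatures(HTMLParser):
    """Collect visible text, link targets, iframe sources and inline script."""

    def __init__(self):
        super().__init__()
        self.text, self.hrefs, self.iframes, self.script = [], [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])
        elif tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        (self.script if self._in_script else self.text).append(data)


def _is_executable(url):
    return urlparse(url).path.lower().endswith(EXECUTABLE_SUFFIXES)


def _cross_origin(url, page_url):
    target, page = urlparse(url), urlparse(page_url)
    return bool(target.netloc) and target.netloc.lower() != page.netloc.lower()


def scan(page_url, html):
    """Return the indicator names found in a page served from page_url."""
    feats = _PageFeatures()
    feats.feed(html)
    text = " ".join(feats.text).lower()
    script = " ".join(feats.script).lower()
    found = []
    if any(phrase in text for phrase in WARNING_PHRASES):
        found.append("impersonates_warning_page")
    if any(_is_executable(h) for h in feats.hrefs):
        found.append("executable_download_link")
    # F-Secure: with scripts enabled the file is offered without a click ...
    if SCRIPTED_DOWNLOAD.search(script):
        found.append("scripted_download")
    # ... and the page then refuses to let the user leave.
    if "beforeunload" in script:
        found.append("blocks_navigation_away")
    # Websense: exploit kit pulled in through an iframe on another domain.
    if any(_cross_origin(src, page_url) for src in feats.iframes):
        found.append("cross_origin_iframe")
    return found


def is_spoofed_warning(page_url, html):
    """Verdict: impersonation plus at least one coercive behaviour."""
    found = scan(page_url, html)
    return "impersonates_warning_page" in found and len(found) >= 2


# Constructed sample: the spoof described in the article.
SPOOF_PAGE = """<html><head><title>Reported Attack Page!</title>
<script>
  setTimeout(function () { location.href = "update/firefox-update.exe"; }, 500);
  window.onbeforeunload = function () { return "Download in progress"; };
</script></head>
<body><h1>Reported Attack Page!</h1>
<p>This web page has been reported as an attack page and has been blocked.
Your browser is out of date.</p>
<a href="update/firefox-update.exe">Download Updates!</a>
<iframe src="http://stat-counter.test/k/index.php" width="1" height="1"></iframe>
</body></html>"""

# Constructed sample: an ordinary page that merely embeds a third-party video.
BENIGN_PAGE = """<html><body><h1>Mobile payments weekly</h1>
<p>Card brands publish new rules.</p><a href="/archive">Archive</a>
<iframe src="http://video-host.test/embed/42"></iframe></body></html>"""
```

A cross-origin iframe on its own is normal (ads, embeds), which is why the verdict requires the warning-page impersonation first and only then counts the coercive behaviours; run against the two constructed pages, the spoof reports all five indicators and the benign page only the iframe.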


Google antimalware efforts rely on website malware detection

TORONTO -- Google Inc. Tuesday revealed how it detects websites infected with malicious code, part of its effort to protect users from drive-by downloads and other malicious content.

Fabrice Jaubert of the Google antimalware team presented details of the effort on Tuesday at the SecTor 2010 conference. The team uses proprietary algorithms to identify malware distribution sites and legitimate sites that have been infected with malicious code. While Google's technical efforts succeed in identifying and blocking millions of websites suspected of hosting malicious code, Jaubert described the process as a typical cat-and-mouse game in which savvy cybercriminals find ways to avoid detection.

"We may be better or worse [at detecting infected websites] on any given day," Jaubert said. "It's very much like the antivirus lifecycle. … We get better at detection and then the bad guys find a better hiding spot."

Jaubert said in the past 12 months, attackers have been redirecting their "infected" distribution servers to other "innocent" servers to try to avoid detection. Another problem has been the recent rise in sites peddling fake antivirus programs. Rogue antivirus programs are mutating at such a rate that Google is finding antivirus signatures unable to keep up with the changes. With antivirus signatures becoming less effective, Google is tweaking its internal algorithms in an attempt to detect and identify sites hosting fake antivirus downloads.

"Today's fake AV sites go up and down in about an hour," Jaubert said, "so it is very difficult [to stop them]."

Jaubert said Google's website malware detection pipeline begins with Internet-connected virtual machines running Windows and Internet Explorer that monitor and log all network traffic. All new processes, newly written files and registry writes are flagged, along with the infected website, and downloaded files are scanned with antivirus software. The collected information is then blended with data collected by Google's crawlers.
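The pipeline as described has two halves: behavioural evidence from a sandboxed browser (network requests, new processes, file writes, registry writes, an AV scan of anything dropped) and crawler data about which hosts a page references. The following is an added example of how those halves combine into a verdict and into the "infected site" versus "distribution site" distinction from the talk; it is not Google's code and not from the article. The event schema, hostnames, file paths and AV label are constructed for the example.

```python
"""Classify one sandbox visit and blend it with crawler data.

Added example; not Google's code and not code from the article. A clean
Windows VM opens a URL in the browser; every HTTP request, new process,
written file and registry write is logged; dropped files are AV-scanned.
The event schema, hostnames, paths and AV label are constructed.
"""
BROWSER_IMAGES = {"iexplore.exe"}
DROPPED_SUFFIXES = (".exe", ".dll", ".scr")
AUTORUN_KEY_FRAGMENTS = ("\\currentversion\\run", "\\currentversion\\runonce")


def _indicator(event):
    """Name the indicator if a bare page load should never have caused this event."""
    t = event["type"]
    if (t == "process"
            and event.get("parent", "").lower() in BROWSER_IMAGES
            and event["image"].split("\\")[-1].lower() not in BROWSER_IMAGES):
        return "browser_spawned_process"
    if t == "file_write" and event["path"].lower().endswith(DROPPED_SUFFIXES):
        return "executable_dropped"
    if t == "registry_write" and any(
            f in event["key"].lower() for f in AUTORUN_KEY_FRAGMENTS):
        return "autorun_persistence"
    if t == "av_scan" and event.get("verdict", "clean") != "clean":
        return "av:" + event["verdict"]
    return None


def classify_visit(landing_host, events):
    """Verdict for one visit plus the third-party hosts fetched before the first bad sign."""
    indicators, hosts_before = [], []
    first_bad_ts = None
    for ev in sorted(events, key=lambda e: e["ts"]):
        name = _indicator(ev)
        if name:
            indicators.append(name)
            if first_bad_ts is None:
                first_bad_ts = ev["ts"]
        elif (ev["type"] == "http" and ev["host"] != landing_host
              and first_bad_ts is None and ev["host"] not in hosts_before):
            hosts_before.append(ev["host"])
    return {
        "verdict": "drive_by" if indicators else "clean",
        "indicators": indicators,
        # Hosts contacted between page load and the first bad sign are the
        # candidate distribution servers; the landing page may be innocent.
        "distribution_hosts": hosts_before if indicators else [],
    }


def label_hosts(landing_host, visit, crawler_refs):
    """Blend with crawler data: crawler_refs are the hosts the crawler saw the
    landing page reference (script/iframe). A landing page that only points at
    the distribution host is an infected (compromised) site; one that served
    the payload itself is a distribution site."""
    if visit["verdict"] != "drive_by":
        return {}
    labels = {h: "distribution" for h in visit["distribution_hosts"]}
    third_party = visit["distribution_hosts"]
    if third_party and all(h in crawler_refs for h in third_party):
        labels[landing_host] = "infected"
    else:
        labels[landing_host] = "distribution"
    return labels


# Constructed sandbox log: a news site with an injected iframe that pulls a
# PDF exploit from a third party, which drops a fake-AV installer, runs it
# from the browser and registers it to start at logon.
DRIVE_BY_VISIT = [
    {"ts": 0.0, "type": "http", "host": "news.example.test", "path": "/story.html"},
    {"ts": 0.4, "type": "http", "host": "cdn-stat.test", "path": "/k/index.php"},
    {"ts": 0.9, "type": "http", "host": "cdn-stat.test", "path": "/k/load.php?e=pdf"},
    {"ts": 1.3, "type": "file_write", "path": "C:\\Users\\sb\\AppData\\Local\\Temp\\svchost.exe"},
    {"ts": 1.4, "type": "process", "image": "C:\\Users\\sb\\AppData\\Local\\Temp\\svchost.exe",
     "parent": "iexplore.exe"},
    {"ts": 1.5, "type": "registry_write",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "svchost"},
    {"ts": 2.0, "type": "av_scan", "path": "C:\\Users\\sb\\AppData\\Local\\Temp\\svchost.exe",
     "verdict": "Rogue.FakeAV"},
]
# Constructed clean visit: only the browser cache is written.
CLEAN_VISIT = [
    {"ts": 0.0, "type": "http", "host": "news.example.test", "path": "/about.html"},
    {"ts": 0.2, "type": "http", "host": "img-cdn.test", "path": "/logo.png"},
    {"ts": 0.3, "type": "file_write",
     "path": "C:\\Users\\sb\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\logo[1].png"},
]
CRAWLER_REFS = {"news.example.test": {"cdn-stat.test", "img-cdn.test"}}
```

The ordering matters: only hosts fetched before the first bad event are attributed, so a host the payload contacts afterwards (command and control, for instance) is not mistaken for the distribution server; and because the crawler already saw the news site reference `cdn-stat.test`, the news site is labelled infected rather than treated as the origin of the malware, which is the search-result case the talk describes.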

Despite Google's efforts, Jaubert said up to 1.5% of Google search results include a link to a malware distribution site. A substantial number of infected webpages are spam and are removed from Google's search index by a team of engineers. Webpages hosting malware typically remain in the index; if Google's algorithm flags them, Google shows a warning page for those results instead of sending users straight to the site.

Finding legitimate websites that contain malicious code is becoming more common, Jaubert said. "There's really no safe harbor on the net and your browsing habits are not a safe harbor in keeping you safe," he said.

Jaubert said Google is working on technical solutions to eradicate malware, but a broader approach is needed. Even if Google eradicated all sites that contained malicious code, cybercriminals would use social engineering tactics to trick users and infect their systems, he said. There's a need for a "multidisciplinary approach with a coalition of different actors" to combat the problem, he said. The United States can begin in its own backyard, he said. Twenty-five percent of malware distribution servers are located in the U.S.

"Although we do need global cooperation to address the problem fully," Jaubert said, "there are definitely servers within our reach that we can try to shut down."


Google extends bounty program for Web application bugs

Search giant Google Inc. Monday extended its Google bug bounty program, adding rewards for bug hunters who find serious Web application flaws in Blogger, Orkut and YouTube.

The move is an expansion of Google's current bounty program, which was launched in February to reward security researchers who reported Chrome browser flaws. Google said it would reward as much as $3,133.70 for significant flaw finds. The figure is a nod to "eleet," written 31337 in leetspeak, the character-substitution alphabet of hacker culture.

"Any Google Web properties that display or manage highly sensitive authenticated user data or accounts may be in scope," Google said in an announcement on its security blog. "For now, Google's client applications (e.g. Android, Picasa, Google Desktop, etc.) are not in scope. We may expand the program in the future."

Google said it is difficult to provide a definitive list of vulnerabilities eligible for a reward, but added a number of categories that would be rewarded, including cross-site scripting errors, cross-site request forgery flaws and authorization bypass bugs. To be eligible for a reward, researchers must privately report the bugs using Google's security contact list.

"It's our job to fix serious bugs within a reasonable time frame, and we in turn request advance, private notice of any issues that are uncovered," Google said. "Vulnerabilities that are disclosed to any party other than Google, except for the purposes of resolving the vulnerability (for example, an issue affecting multiple vendors), will usually not qualify. This includes both full public disclosure and limited private release."

The base reward for qualifying bugs is $500. At each bug hunter's discretion, Google will publicly credit the finds if the flaws are deemed legitimate. Google said each submission will be evaluated by a security expert panel, which "may also decide a single report actually constitutes multiple bugs requiring reward, or that multiple reports constitute only a single reward." In addition, bug hunters can donate rewards to charity through Google.

Google said it chose to extend the bounty program to Web application bugs because it had seen a sustained increase in high-quality reports from researchers on bugs in Chromium, the open source browser on which Google Chrome is based. Chromium bugs are reported through the Chromium bug tracker, and that program also covers flaws in plug-ins shipped with the Chrome browser by default.

Some other software makers offer similar programs. Mozilla announced its Security Bug Bounty Program in 2004, funded by Linux distributor Linspire (now owned by Xandros Inc.) and Mark Shuttleworth, the founder of the Ubuntu Project. Under Mozilla's program, reporters of valid, critical security bugs now receive a $3,000 cash reward and a Mozilla T-shirt. The maximum cash reward was increased from $500 in July.

By contrast, Microsoft refuses to reward bug hunters with cash prizes. In an announcement in July regarding responsible disclosure, Dave Forstrom, director of Microsoft's Trustworthy Computing Program, said such programs run counter to Microsoft's vulnerability research efforts and ultimately don't help the customer.

"We don't think it's in the customer's best interest to offer a per-vulnerability bounty," Forstrom said in an earlier interview. "There are a number of ways that we work with the researcher community that we think best serves the community: everything from acknowledging our work together, to all of the sponsorships of conferences that we do further develops the community."


