Twitter Filters Tweets

August 6, 2009 by admin  
Filed under Security News


Micro-blogging site Twitter has recently begun filtering tweets containing links to malicious sites.

 

The tactic was first noticed by security researchers on Monday but has yet to be officially announced by Twitter. It has been designed to prevent surfers from being automatically redirected to sites packed with dangerous exploits.

 

The widespread use of URL shortening in tweets (which can be no longer than 140 characters) makes it easy to hide the true destination of links in Twitter. The site has thus adopted this approach, following the increased worm, spam, and account-hijacking attacks targeting it.

 

Whenever a Twitter user attempts to post a link to a known malware/phishing URL, the message “Oops! Your tweet contained a URL to a known malware site!” appears and, after a few seconds, the tweet is deleted.

 

But the question “Does the feature really work?” remains.

 

Trend Micro Advanced Threats Researcher Ryan Flores says, “Twitter is filtering malicious sites as a ‘free service’ so we cannot expect it to provide the best protection. After all, this is not Twitter’s core business, micro-blogging is.”

 

In fact, earlier analysis revealed that the site’s filtering service still cannot block Koobface-related URLs as shown in the figure on the left.

 

Because it has been a favorite cybercriminal target lately, we cannot blame Twitter for trying, but we should not expect too much too soon either. The effort is a good first step for the site, but users should not be complacent just because it is trying to block malicious sites (albeit ineffectively) from being posted as legitimate tweets.

 

Trust issues on Twitter are not fundamentally different from those surrounding other Web, email, and link techniques out there. It all comes down to context and being aware enough not to blindly open everything others suggest.

 

Sly Spam Run Targets Hotmail Users

July 31, 2009 by admin  
Filed under Security News


Hotmail users need to be wary of a malicious spam run that specifically targets users of the said webmail service.

 

Senior Security Analyst Rik Ferguson reports that the spam messages arrive with text indicating that they carry file attachments in the JPEG image format. In truth, however, the file names of the attachments are actually links that connect to shortened URLs, which in turn connect to malicious URLs.


File Reputation The New Smart Protection Network Technology From TrendMicro (Video)

July 29, 2009 by admin  
Filed under Security Channel







More Zero-Day Exploits for Firefox and IE Flaws

July 22, 2009 by admin  
Filed under Security News


Senior Threat Researcher Joseph Reyes spotted several malicious script files that exploited Mozilla Firefox and Microsoft Internet Explorer vulnerabilities:

  • JS_DIREKTSHO.B exploits a vulnerability in Microsoft Video Streaming ActiveX control to download other possibly malicious files.
  • JS_FOXFIR.A accesses a website to download JS_SHELLCODE.BV. In turn JS_SHELLCODE.BV exploits a vulnerability in Firefox 3.5 to download WORM_KILLAV.AKN.
  • JS_SHELLCODE.BU exploits a vulnerability in Microsoft OWC to download JS_SHELLCODE.BV.

Initial analysis done by Threat Analyst Jessa De La Torre shows that the scripts above may be unknowingly downloaded through either Firefox or Internet Explorer.

According to Mozilla, a Firefox user reported suffering from a crash that developers determined could result in an exploitable memory corruption problem. In certain cases after a return from a native function, the just-in-time (JIT) compiler could get into a corrupt state. This could then be exploited by an attacker to run arbitrary code. However, this vulnerability does not affect earlier versions of Firefox, which do not support the JIT feature.

Firefox 3.5 users can avoid this vulnerability by disabling the JIT compiler as described in the Mozilla Security Blog. This workaround is, however, unnecessary for Firefox 3.5.1 users.

On the other hand, the vulnerability in Microsoft Video ActiveX Control allows remote code execution if a user views a specially crafted web page with Internet Explorer, executing the ActiveX control. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Microsoft is aware of attacks attempting to exploit the said vulnerabilities and advises its customers to prevent the OWC from running either manually or automatically using the solution found in Microsoft Knowledge Base Article 973472.

Trend Micro advises users to refer to the following pages to download updates/patches for the vulnerabilities the aforementioned script files exploit:

Trend Micro advises users to download the latest scan engine to protect themselves against the above-mentioned exploits.

Source: Trend Micro, by Jovi Umawing

16 July 2009 Microsoft Security Updates

July 16, 2009 by admin  
Filed under Security News

Six security bulletins were released by Microsoft for July, which cover one of the two vulnerabilities exploited by cybercriminals in the last 2 weeks.

The “Vulnerability in Microsoft Video ActiveX Control Could Allow Remote Code Execution” was used in a zero-day attack last week that involved around 967 compromised Chinese websites. A script that triggered the exploit was inserted in the said websites, which, when successfully executed, drops WORM_KILLAV.AI into the affected system. The security advisory MS09-032 already addresses the vulnerability used in this attack.

Here is the full list of security advisories issued for this month:

  • (MS09-028) Vulnerabilities in Microsoft DirectShow Could Allow Remote Code Execution (971633)
  • (MS09-029) Vulnerabilities in the Embedded OpenType Font Engine Could Allow Remote Code Execution (961371)
  • (MS09-030) Vulnerability in Microsoft Office Publisher Could Allow Remote Code Execution (969516)
  • (MS09-031) Vulnerabilities in Microsoft ISA Server 2006 Could Cause Elevation of Privilege (970953)
  • (MS09-032) Cumulative Security Update of ActiveX Kill Bits (973346)
  • (MS09-033) Vulnerability in Virtual PC and Virtual Server Could Allow Elevation of Privilege (969856)

The Office Web Components ActiveX vulnerability is the other vulnerability used in a malware attack this month. Similar to the zero-day attack, a script that triggers the exploit was inserted in compromised websites. This placed any visitor of the compromised websites who hasn’t updated their system at risk of being affected by TROJ_DLOADR.DOF, which drops a rootkit component detected as TROJ_ROOTKIT.DOF, and downloads TROJ_DLOADR.UIG and TROJ_INJECT.AKI. A patch for the said vulnerability hasn’t been issued, but Microsoft has provided a workaround to protect users while an update is being developed.

Meanwhile, users are advised to update their systems as soon as possible.

by JM Hipolito from Trend Micro

 


Three Months Later: Where’s DOWNAD?

July 2, 2009 by admin  
Filed under Security News

Exactly three months ago, the whole IT sector was waiting with bated breath for April 1. The latest DOWNAD/Conficker variant–WORM_DOWNAD.KK–was poised to strike. We knew that on that day, it would attempt to access 500 of 50,000 websites and download new malicious files. This led to fears–somewhat misplaced–that new, possibly damaging payloads could cause severe problems, not just for systems already affected by DOWNAD but for the Internet as a whole. Many sectors assumed the worst.


MSN Bot Plays on Controversy over Michael Jackson’s Death

June 27, 2009 by admin  
Filed under Security News

Following the sudden and shocking death of The King of Pop, Senior Threat Researcher Loucif Kharouni reports that a slew of malicious links related to Michael Jackson’s last moments in the hospital before his death are now being proliferated in the wild via the instant messaging (IM) application, MSN. Below is a sample screenshot of an MSN IM window containing various templates of the said malicious links:


Autorun Worm Invades ZIP

June 6, 2009 by admin  
Filed under Security News

Stealth is considered a core characteristic of malware, one that has been developed, improved, redesigned, and reused. Michael Tants, Threat Researcher at Regional TrendLabs in Europe, has notified us of a worm that has a unique way of hiding: on infection, WORM_AUTORUN.JFZ writes a copy of itself in every ZIP-compressed file it finds on a system.
