How many of us click on the links sent to us by trusted friends? Does the trust implicitly extend to the links they are sending? This trust is precisely what phishers take advantage of. Traditionally, phishers have mainly used instant messaging (IM) and email to take advantage of the average user. However, with the rise of social networking sites, phishers have bought themselves a brand new playing field.
Symantec has recently observed millions of user profiles of a certain social networking site carrying malicious links. Here is an example of one of them:
The interesting thing here is that the malicious link appears to be a comment from a trusted friend. In most cases the trusted friend is not the perpetrator behind these attacks. The most likely scenario is that the trusted friend’s social networking site credentials have been compromised and used by the phishers to post malicious comments to everyone in the compromised contact list. In an earlier blog, Web 2.0 - Copy and Paste, I discussed some ways in which the user's credentials could have been compromised.
With some more research we discovered more than five million user profiles carrying these malicious links:
Another interesting thing to note here is the anatomy of the link. The phishers registered a domain similar to the legitimate link that would have been used on that social networking site, except that they replaced slashes with dots. This could fool even the savviest user, because the links look “almost” legitimate.
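As an added example (not code from the Symantec post), here is a small Python check a defender could run over links harvested from comments: it flags a hostname that embeds a trusted site's name as a contiguous run of labels, which is exactly what the slashes-to-dots trick produces, and reports the domain that is actually registered. The trusted domain `socialsite.example` is a constructed placeholder.

```python
"""Flag links whose hostname embeds a trusted site's name with dots standing in for slashes."""
from urllib.parse import urlsplit

# Constructed placeholder for the legitimate social-networking domain (not the real site).
TRUSTED_DOMAIN = "socialsite.example"


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (naive: ignores multi-label public suffixes such as co.uk)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def analyse_link(url: str, trusted: str = TRUSTED_DOMAIN) -> dict:
    """Return {'host', 'registrable', 'lookalike', 'reason'} for one URL."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().strip(".")
    verdict = {"host": host, "registrable": registrable_domain(host),
               "lookalike": False, "reason": ""}

    if verdict["registrable"] == trusted.lower():
        verdict["reason"] = "host is the trusted domain or one of its subdomains"
        return verdict

    # A trusted name placed before '@' is another way to make the address bar look legitimate.
    if parts.username and trusted.lower() in parts.username.lower():
        verdict["lookalike"] = True
        verdict["reason"] = "trusted name in userinfo; real host is %s" % verdict["registrable"]
        return verdict

    # Look for the trusted name as a contiguous run of labels inside the hostname.
    labels = host.split(".")
    tlabels = trusted.lower().split(".")
    n = len(tlabels)
    for i in range(len(labels) - n + 1):
        if labels[i:i + n] == tlabels:
            tail = labels[i + n:]                  # labels after the trusted name
            dotted_path = "/" + "/".join(tail)     # the dotted remainder read back as a path
            verdict["lookalike"] = True
            verdict["reason"] = ("trusted name embedded in hostname; remainder reads like %r "
                                 "but the registrable domain is %s"
                                 % (dotted_path, verdict["registrable"]))
            return verdict

    verdict["reason"] = "unrelated domain"
    return verdict
```

Pairing this with a public-suffix list would make `registrable_domain` exact; as written it is a quick triage heuristic, not an allow/deny decision.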
It turns out that just plain old phishing wasn’t good enough for the phishers, so they decided to add a few exploits to the mix. Upon visiting the site, the user is not only phished but also served a variety of exploits.
The exploits are obfuscated and exploit the following vulnerabilities:
• MS06-14 (MDAC Create Object)
• BID 21060 (WinZip FileViewCtrl)
• BID 19030 (WebViewFolderIcon)
• BID 21829 (Apple QuickTime RTSP)
Here is a snapshot of what the exploit looks like on de-obfuscation:
Symantec has built a number of excellent Web-browsing protections into our Norton 2008 products. The Web protection is immune to script obfuscation and masquerading and identifies the signatures of known Internet Explorer browser vulnerabilities. It also blocks exploits using these vulnerability signatures as soon as they are released. All of these exploits were detected by Symantec’s browser protection solution and intrusion prevention solution.
So, the moral of this blog is to trust your friend but not all of the links that are sent your way!