AVG
Web Intelligence Report
April 2010
The Epidemic of CVE-2010-0806 following a Public Disclosure
Introduction
Cybercriminals keep targeting innocent online users. They refine their methods and search for new ways to maximize their illegal profit while minimizing their chance of detection. In this report we show how hackers managed to infect computers with their malware by taking advantage of an unpatched Internet Explorer vulnerability (a zero-day) that had been disclosed to the public. We expose the epidemic of this zero-day vulnerability on the web and the impact it has on users browsing the web without protection.
Our research shows that public disclosure of information about an unpatched vulnerability (zero-day) leads to a swift response by hackers. In this case the disclosed information was embedded in an exploit toolkit known as Neosploit and used by several cybercriminal gangs around the globe. Neosploit is software written by hackers and sold online to cybercriminals, who use it to infect innocent web users with their malware. The toolkit includes everything the cybercriminal needs to run the attack: the malware, the exploit code, the statistics reports and so on.
How did these cybercriminals find the information about the unpatched vulnerability? What means and methods did they use to infect users? What is the epidemic rate of this attack? What can users do to protect their digital assets?
In this report, we will shed some light on these questions, including the cybercrime toolkits they used.
CVE-2010-0806 and Public Disclosure
On March 9th Microsoft released an advisory regarding a vulnerability in Internet Explorer versions 6 and 7. According to the advisory, the vulnerability could allow remote code execution (RCE), meaning that an attacker who successfully exploits it gains the same user rights as the logged-on user. If the user is logged on with administrative rights, an attacker who successfully exploits the vulnerability can take complete control of the system: install programs; view, change or delete data; or create new accounts with full user rights.
Following the Microsoft advisory, CVE-2010-0806 was published to alert the public about the existence of such vulnerability.
Typically, a public vulnerability disclosure triggers security researchers to rush in and find out 'what is under the hood'. The race to pinpoint exactly where the vulnerability lies and how to exploit it was the obvious next step. This race ended with a report from a security researcher who found a site already exploiting the vulnerability and used it to create a public Proof-of-Concept (PoC) and a module for Metasploit, the popular open source penetration testing platform.
The debate over whether such public disclosure benefits the security community has been going on for years. Some claim it helps the community provide immediate protection against threats, while others claim it helps cybercriminals launch their attacks. We believe responsible disclosure is the better way to go.
The Epidemic of the Vulnerability as Detected by AVG
Not long after the PoC was published on the web, AVG spotted a major spike in compromised websites serving exploit code targeting the zero-day vulnerability. Our research concluded that the exploit was being served by an exploit toolkit dubbed "Neosploit". Neosploit has been known for some time, but its price on the black market had started to decline because of the relatively old vulnerabilities it exploited. It appears that the people behind Neosploit added this new exploit to their arsenal to push its 'market price' back up.
Example of Compromised Website Serving the Exploit
Many users believe they can tell whether a website is legitimate or malicious just by looking at it.
This belief rests on two false assumptions:
- Today's malicious code is invisible to users. It is usually script embedded in the web page that executes behind the scenes as soon as the page is visited, with no click or download prompt. This is known as a 'drive-by' download.
- Hackers compromise legitimate websites and insert their malicious code into them. The reason is simple: users visit legitimate sites far more often than other sites.
Below is an example of a compromised website we spotted that automatically attempts to infect visitors with an exploit. Can you tell whether this site is legitimate or one that serves malicious code? Probably not.
Here is the code behind this web page.
The Malicious Code Hackers Tried to Install on the End-user PC
As you can see at the bottom of the page, the hacker who compromised this website inserted code that tries to infect the visitor; this was probably not part of the code the website owner intended to have there.
To security researchers the highlighted code is very familiar, but to the average web developer it will look suspicious or simply unfamiliar.
To minimize detection of the exploit code by security products, the hackers tried to hide their actions: the exploit code served in this example was obfuscated. The main reason for obfuscating the code is to evade the traditional signature matching used by security products, which looks for fixed byte patterns in the page source; an obfuscated script exposes its real content only when it runs.
Infecting legitimate websites and serving code that exploits the CVE-2010-0806 unpatched (zero-day) vulnerability was not the hackers' end goal. Their goal was to run password-stealing malware on the end user's PC, malware that focuses on stealing the user's online banking credentials. The malware used in the cases we investigated was the well-known Zeus banking Trojan.
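The following is an added illustration of the two points above (script that runs behind the scenes on page load, and obfuscation that defeats signature matching). It is not AVG's code and not the Neosploit code this report describes. It shows why a signature that matches an injected script in clear text misses the same script once it is percent-escaped and split across variables, and how hooking eval() and unescape() during a throw-away run recovers the decoded script so the signature can be applied to what would actually execute. All inputs are constructed: the signature, the payload (a harmless hidden-iframe snippet standing in for the injected code) and the placeholder URL are assumptions for the example.

```javascript
// Added illustration; not AVG's code and not the Neosploit code the report
// describes. All inputs below are constructed for the example.

// Hypothetical signature: a zero-size iframe, a classic drive-by marker.
const SIGNATURE = /<iframe[^>]*\b(width|height)\s*=\s*["']?0\b/i;

// Constructed stand-in for the script found at the bottom of a compromised page.
// The URL is a placeholder; nothing here is real exploit code.
const PAYLOAD = `document.write('<iframe src="http://example.invalid/in.php" width=0 height=0></iframe>');`;

// Obfuscate the way kits of the period commonly did: percent-escape every
// character, split the result into several variables and rebuild it at run
// time with unescape() + eval(). After this no substring of the original
// script survives in the page source for a signature to match.
function obfuscate(script, chunks = 4) {
  const escaped = Array.from(script, ch => {
    const code = ch.charCodeAt(0);
    return code < 256
      ? '%' + code.toString(16).padStart(2, '0')
      : '%u' + code.toString(16).padStart(4, '0');
  }).join('');
  const size = Math.ceil(escaped.length / chunks);
  const parts = [];
  for (let i = 0; i < escaped.length; i += size) parts.push(escaped.slice(i, i + size));
  const decls = parts.map((p, i) => `var p${i}="${p}";`).join('');
  const expr = parts.map((_, i) => `p${i}`).join('+');
  return `${decls}eval(unescape(${expr}));`;
}

// Run the script once with eval(), unescape() and document replaced by hooks.
// The script is compiled as a sloppy-mode function whose parameters shadow
// the real globals, so its eval(...) calls land in our hook instead of the
// engine. Each decoded layer is recorded and itself re-run through the same
// hooks, up to a depth limit, so eval-inside-eval packing is unwrapped too.
function runHooked(script, trace, depth = 0) {
  if (depth > 5) { trace.errors.push('eval nesting too deep'); return; }
  const hookedEval = code => { const s = String(code); trace.decoded.push(s); runHooked(s, trace, depth + 1); };
  const hookedUnescape = s => { const out = unescape(String(s)); trace.unescaped.push(out); return out; };
  const fakeDocument = { write: html => trace.writes.push(String(html)) };
  try {
    new Function('eval', 'unescape', 'document', 'window', script)(hookedEval, hookedUnescape, fakeDocument, {});
  } catch (e) {
    trace.errors.push(String(e)); // e.g. a browser-only object is missing; keep what was decoded so far
  }
}

// Static check on the raw page source versus a check on what the hooks recovered.
function analyze(script) {
  const trace = { decoded: [], unescaped: [], writes: [], errors: [] };
  runHooked(script, trace);
  const recovered = trace.decoded.concat(trace.writes);
  return {
    staticHit: SIGNATURE.test(script),
    dynamicHit: recovered.some(text => SIGNATURE.test(text)),
    trace,
  };
}

const obfuscated = obfuscate(PAYLOAD);
const verdict = analyze(obfuscated);
console.log('page source starts with :', obfuscated.slice(0, 60) + '...');
console.log('signature on raw source :', verdict.staticHit);   // false
console.log('signature after hooking :', verdict.dynamicHit);  // true
console.log('recovered script        :', verdict.trace.decoded[0]);
```

The raw page source never contains the string the signature looks for, so a scanner that only matches bytes in the served page reports nothing; the hooked run sees the decoded script the moment the page would have executed it. Real kits add further tricks on top of this (checks on the decoding function's own source text, keys derived from the page URL), which is why a static signature on the loader alone ages quickly and behaviour-based layers are needed alongside it.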
How Can Users be Protected from These Attacks?
As indicated above, if attacks are designed to evade detection by security products, how can security products provide protection?
This is a common question from users, and the answer is simple: by using multiple security layers. Multiple protection layers strengthen security because each layer focuses on a different area than the others.
At AVG Technologies we have several layers that can detect such attacks, in real-time, by using:
- Exploit detection layer using AVG LinkScanner
- Code behavior layer using AVG IDP Engine
- Heuristics analysis
- Incoming and outgoing traffic inspection by AVG Firewall
- URL reputation by AVG Data Feed
- …and the traditional signature-based detection by AVG Anti-Virus
Blending these six protection layers together, rather than relying on just one (e.g. signatures), is our approach to protecting against today's web attacks. Below are two examples of how AVG security products detected and blocked both the exploit code and the actual malware used by the hacker.
The first example is taken from AVG's backend system. AVG LinkScanner reports back to our backend on each exploit it detects on web pages our users visit. This data gives us real-time visibility into the state of the Web and lets us identify new attacks worldwide. The screenshot below shows a site using Neosploit to attack the end user's browser and deliver the password-stealing malware Zeus.
The second example is a report from VirusTotal, showing that AVG's heuristic detection caught the served malware as well.
In this report we have shown what happens between the time a vulnerability is discovered and exploited by hackers in the wild and the time a security patch becomes available from the product vendor. Knowing that users' PCs are vulnerable, hackers rush to 'color' the Web with their attacks. Even non-technical hackers can join the 'party' by distributing the exploits through readily available attack toolkits.
Cybercriminals use this window of time to infect PCs and steal valuable personal, financial and business data that they can use or trade for profit. This critical period puts a strain on users looking to protect their assets.
We at AVG Technologies provide users with a FREE product that detects and prevents such zero-day exploits even while a patch is not yet available. Thanks to our six layers of protection and our unique LinkScanner exploit detection, users can protect their PCs and minimize their risk while online.