Flash, PDF are growing malware targets

By Neil Roiter, Senior Technology Editor, Information Security magazine
09 Dec 2008 | SearchSecurity.com

Attackers are finding new ways to stay one step ahead of security, exploiting ubiquitous Adobe Flash applications and PDF files, which many organizations and end users incorrectly assume are safe against compromise.

In its Q4 Web Security Trends Report, Finjan Inc. says its Malicious Code Research Center (MCRC) has found that millions of PCs have been compromised by either Flash- or PDF-borne Web exploits, as crimeware writers widen their attack vectors and find new ways to evade detection and snare user machines.

Flash, of course, is widely used to add animations in ads and other Web page components. The report says Adobe has done a good job of addressing known Flash vulnerabilities -- they're not the problem. The Flash exploits rely on basic Adobe ActionScript functionality to exploit browser vulnerabilities.

As antimalware products become more sophisticated at inspecting JavaScript for malicious code, cybercriminals are using ActionScript to deliver payloads because the Flash file format is binary. Antimalware products can't inspect Flash files easily, so they have to watch script behavior as it executes on the PC, when detection is trickier and the malware is closer to delivering its payload.

Flash malware is commonly delivered through malicious banner ads, which ad content networks serve up. Although most networks inspect the ads for security risks, their efforts are often insufficient. Adobe recommends a simple remedy, but it's often ignored in practice, allowing Flash exploits. A parameter, "AllowScriptAccess," should be set to "never," but is more typically set to "always." This allows ActionScript to inject an IFRAME, which can then pull in malicious content and infect the end-user machine.
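An added example, not part of the original article or of Finjan's report: a Python check that a publisher or ad network could run over ad markup to list Flash embeds whose AllowScriptAccess is anything other than "never". The sample markup is constructed, the verdict labels are this example's own, and it assumes every object and embed element on the page is a Flash embed.

```python
from html.parser import HTMLParser

# Constructed sample of ad-slot markup (not taken from any real ad network).
SAMPLE = """<div class="ad-slot">
<object width="300" height="250">
  <param name="movie" value="banner.swf">
  <param name="allowScriptAccess" value="always">
  <embed src="banner.swf" allowScriptAccess="always">
</object>
<object width="300" height="250">
  <param name="movie" value="safe.swf">
  <param name="AllowScriptAccess" value="never">
</object>
<embed src="legacy.swf" width="468" height="60">
</div>"""

class FlashEmbedAudit(HTMLParser):
    """Record the AllowScriptAccess value of each <object> and <embed>."""
    def __init__(self):
        super().__init__()
        self.findings = []   # (line, tag, value, verdict)
        self._object = None  # state of the <object> currently open

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # attribute names arrive lowercased
        line = self.getpos()[0]
        if tag == "object":
            self._object = {"line": line, "value": None}
        elif tag == "param" and self._object is not None:
            if a.get("name", "").lower() == "allowscriptaccess":
                self._object["value"] = a.get("value", "")
        elif tag == "embed":
            self._record(line, "embed", a.get("allowscriptaccess"))

    def handle_endtag(self, tag):
        if tag == "object" and self._object is not None:
            self._record(self._object["line"], "object", self._object["value"])
            self._object = None

    def _record(self, line, tag, value):
        if value is None:
            verdict = "not-set"    # no explicit setting in the markup
        elif value.strip().lower() == "never":
            verdict = "ok"         # matches the guideline quoted above
        else:
            verdict = "violation"  # "always" or any other value
        self.findings.append((line, tag, value, verdict))

def audit(html):
    parser = FlashEmbedAudit()
    parser.feed(html)
    parser.close()
    return sorted(parser.findings, key=lambda f: f[0])
```

Calling `audit(SAMPLE)` returns one tuple per embed, ordered by source line, so violations can be traced back to the exact tag in the ad markup.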

"When Finjan looked at some of the top ad networks on the internet, we realized they didn't follow Adobe guidelines," said Yuval Ben-Itzhak, chief technology officer of Finjan. "Leaving the door open letting this interface between flash and the hosting page remain active."

PDF files, on the other hand, have long been believed to be a safe file format, but they can be exploited through a pair of buffer overflow vulnerabilities. Adobe has patches for these flaws, but many machines aren't up to date. Starting with version 1.4, the PDF format includes JavaScript capabilities.

The problem is exacerbated by the availability of cheap, easy-to-use crimeware toolkits, such as Neosploit and Fiesta, which now include PDF components that enable attackers to obfuscate scripts within PDF files to execute Web exploits.

Signature-based detection is not generally effective against these attacks, so antimalware engines must rely on real-time detection. Finjan recommends updating Adobe Reader with the PDF fixes, and training users not to assume that PDF files are always safe.

Organized crime expands.

In general observations, the Finjan report says that organized crime continues to expand its Internet business through what Finjan calls a criminal-to-criminal (C2C) model that relies on Trojans, silent installations and drive-by downloads. Those $100-$200 off-the-shelf toolkits help make cybercrime more accessible and pervasive. Finjan observed a trend of unemployed IT workers purchasing these toolkits, and expects this trend to grow as the weak global economy persists in 2009.

"We believe that having layoffs in the U.S. and other parts of the world, more people will at least give it a try," Ben-Itzhak said. "More people will become cybercriminals. You don't need to be a professional hacker: These toolkits have really changed the way people are turning to cybercrime."


