Flash, PDF are growing malware targets

By Neil Roiter, Senior Technology Editor, Information Security magazine
09 Dec 2008 | SearchSecurity.com


Attackers are finding new ways to stay one step ahead of security, exploiting ubiquitous Adobe Flash applications and PDF files, which many organizations and end users incorrectly assume are safe against compromise.


In its Q4 Web Security Trends Report, Finjan Inc. says its Malicious Code Research Center (MCRC) has found that millions of PCs have been compromised by either Flash- or PDF-borne Web exploits, as crimeware writers widen their attack vectors and find new ways to evade detection and snare user machines.

Flash, of course, is widely used to add animations in ads and other Web page components. The report says Adobe has done a good job of addressing known Flash vulnerabilities -- they're not the problem. The Flash exploits rely on basic Adobe ActionScript functionality to exploit browser vulnerabilities.

As antimalware products become more sophisticated by inspecting JavaScript for malicious code, cybercriminals are using ActionScript to deliver payloads because the Flash file format is binary. Antimalware products can't inspect them easily, so they have to watch script behavior as it executes on the PC, when detection is trickier and the malware is closer to delivering its payload.

Flash malware is commonly delivered through malicious banner ads, which ad content networks serve up. Although most networks inspect the ads for security risks, their efforts are often insufficient. Adobe recommends a simple remedy, but it is often ignored in practice, allowing Flash exploits. The "AllowScriptAccess" parameter on the HTML tag that embeds the Flash movie should be set to "never," but it is more typically set to "always." That setting allows the ad's ActionScript to inject an IFRAME into the hosting page, which can then pull in malicious content and infect the end-user machine.
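The following is an added example, not code from the article, from Finjan or from Adobe: a small audit helper an ad network or site operator could run over banner markup to find the AllowScriptAccess setting the article describes, flag "always," and rewrite it to "never." The banner markup, the function names and the verdict labels are all constructed for the demonstration.

```javascript
// Added example (not from the article): audit Flash embed markup for the
// AllowScriptAccess setting and rewrite "always" to "never".
// The sample banner markup below is constructed; banner.swf is a placeholder.

// A banner embed of the kind the article describes: "always" lets the SWF's
// ActionScript script the hosting page, which is what enables IFRAME injection.
const RISKY_BANNER = `
<object width="728" height="90">
  <param name="movie" value="banner.swf">
  <param name="allowScriptAccess" value="always">
  <embed src="banner.swf" allowScriptAccess="always" width="728" height="90"></embed>
</object>`;

// The same banner with the setting Adobe recommends for third-party content.
const SAFE_BANNER = RISKY_BANNER.replace(/always/g, 'never');

// <param name="allowScriptAccess" value="..."> inside an <object> tag
// (assumes the usual name-then-value attribute order).
const PARAM_RE = /<param\b[^>]*\bname\s*=\s*["']?allowscriptaccess["']?[^>]*\bvalue\s*=\s*["']?([a-z]+)["']?/gi;
// allowScriptAccess="..." as an attribute on an <embed> tag.
const EMBED_RE = /<embed\b[^>]*\ballowscriptaccess\s*=\s*["']?([a-z]+)["']?/gi;

// Verdict per value: "never" is the recommended setting; "always" is the
// risky one the article warns about; anything else (e.g. "sameDomain")
// depends on where the SWF is served from and needs a human look.
function classify(value) {
  if (value === 'never') return 'ok';
  if (value === 'always') return 'risky';
  return 'review';
}

// Returns one finding per explicit AllowScriptAccess setting found in `html`.
// Markup that embeds a movie without setting it at all is flagged as "unset",
// because the player's default (sameDomain in current players) then applies.
function auditScriptAccess(html) {
  const findings = [];
  for (const [re, where] of [[PARAM_RE, 'param'], [EMBED_RE, 'embed']]) {
    re.lastIndex = 0; // global regexes keep state between calls
    let m;
    while ((m = re.exec(html)) !== null) {
      const value = m[1].toLowerCase();
      findings.push({ where, value, verdict: classify(value) });
    }
  }
  const embeds = (html.match(/<(object|embed)\b/gi) || []).length;
  if (embeds > 0 && findings.length === 0) {
    findings.push({ where: 'none', value: 'unset', verdict: 'review' });
  }
  return findings;
}

// True only when every explicit setting is "never".
function isSafe(html) {
  return auditScriptAccess(html).every((f) => f.verdict === 'ok');
}

// Rewrites "always" to "never" on both the <param> and the <embed> form,
// the fix an ad pipeline could apply before serving creatives.
function hardenScriptAccess(html) {
  return html
    .replace(/(<param\b[^>]*\bname\s*=\s*["']?allowscriptaccess["']?[^>]*\bvalue\s*=\s*["']?)always(["']?)/gi, '$1never$2')
    .replace(/(<embed\b[^>]*\ballowscriptaccess\s*=\s*["']?)always(["']?)/gi, '$1never$2');
}

// Usage: print the findings for the risky banner and confirm the hardened copy passes.
console.log(auditScriptAccess(RISKY_BANNER));
console.log('hardened banner safe:', isSafe(hardenScriptAccess(RISKY_BANNER)));
```

The regex approach is deliberately narrow: it checks the two places the setting appears in ordinary object/embed markup and nothing else, so it is a cheap pre-serve gate rather than a substitute for the behavioural inspection the article says antimalware engines must fall back on.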

"When Finjan looked at some of the top ad networks on the internet, we realized they didn't follow Adobe guidelines," said Yuval Ben-Itzhak, chief technology officer of Finjan. "Leaving the door open, letting this interface between Flash and the hosting page remain active."

PDF files, on the other hand, which have long been believed to be a safe file format, can be exploited through a pair of buffer overflow vulnerabilities. Adobe has patches for these flaws, but many machines aren't up to date. Starting with version 1.4, the PDF format includes JavaScript capabilities.

The problem is exacerbated by the availability of cheap, easy-to-use crimeware toolkits, such as Neosploit and Fiesta, which now include PDF components that enable attackers to obfuscate scripts within PDF files to execute Web exploits.

Signature-based detection is not generally effective against these attacks, so antimalware engines must rely on real-time detection. Finjan recommends updating Adobe Reader with the PDF fixes, and training users not to assume that PDF files are always safe.

Organized crime expands

In its general observations, the Finjan report says that organized crime continues to expand its Internet business, using what Finjan calls a criminal-to-criminal (C2C) model built on Trojans, silent installations and drive-by downloads. Those $100-$200 off-the-shelf toolkits help make cybercrime more accessible and pervasive. Finjan observed a trend of unemployed IT workers purchasing these toolkits, and expects this trend to grow as the weak global economy persists in 2009.

"We believe that having layoffs in the U.S. and other parts of the world, more people will at least give it a try," Ben-Itzhak said. "More people will become cybercriminals. You don't need to be a professional hacker: These toolkits have really changed the way people are turning to cybercrime."
