Flash, PDF are growing malware targets

By Neil Roiter, Senior Technology Editor, Information Security magazine
09 Dec 2008 | SearchSecurity.com

Attackers are finding new ways to stay one step ahead of security, exploiting ubiquitous Adobe Flash applications and PDF files, which many organizations and end users incorrectly assume are safe against compromise.

In its Q4 Web Security Trends Report, Finjan Inc. says its Malicious Code Research Center (MCRC) has found that millions of PCs have been compromised by either Flash- or PDF-borne Web exploits, as crimeware writers widen their attack vectors and find new ways to evade detection and snare user machines.

Flash, of course, is widely used to add animations in ads and other Web page components. The report says Adobe has done a good job of addressing known Flash vulnerabilities -- they're not the problem. The Flash exploits rely on basic Adobe ActionScript functionality to exploit browser vulnerabilities.

As antimalware products become more sophisticated by inspecting JavaScript for malicious code, cybercriminals are using ActionScript to deliver payloads because the Flash file format is binary. Antimalware products can't easily inspect Flash files, so they have to watch script behavior as it executes on the PC, when detection is trickier and the malware is closer to delivering its payload.

Flash malware is commonly delivered through malicious banner ads, which ad content networks serve up. Although most networks inspect the ads for security risks, their efforts are often insufficient. Adobe recommends a simple remedy, but it's often ignored in practice, allowing Flash exploits. A parameter, "AllowScriptAccess," should be set to "never," but is more typically set to "always." This allows ActionScript to inject an IFRAME, which can then pull in malicious content and infect the end-user machine.

"When Finjan looked at some of the top ad networks on the Internet, we realized they didn't follow Adobe guidelines," said Yuval Ben-Itzhak, chief technology officer of Finjan. "Leaving the door open letting this interface between Flash and the hosting page remain active."
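
As an added example (not from the article or the Finjan report), the Python audit below scans page markup for Flash `<object>` and `<embed>` tags and reports every one whose AllowScriptAccess setting is anything other than "never". The sample markup and file names are constructed, and counting an unset parameter as a finding assumes the player's default is not "never".

```python
from html.parser import HTMLParser
FLASH_MIME = "application/x-shockwave-flash"
# Constructed sample page: one weak <object>, one hardened <embed>, one unset <embed>.
SAMPLE = """\
<object type="application/x-shockwave-flash" data="banner.swf">
  <param name="movie" value="banner.swf">
  <param name="AllowScriptAccess" value="always">
</object>
<embed src="ad.swf" type="application/x-shockwave-flash" allowScriptAccess="never">
<embed src="promo.swf" type="application/x-shockwave-flash">
"""

class FlashEmbedAuditor(HTMLParser):
    """Flags Flash embeds whose AllowScriptAccess is anything other than "never"."""
    def __init__(self):
        super().__init__()
        self.findings = []   # (tag, line, effective value)
        self._obj = None     # [line, is_flash, value] for the <object> currently open
    def _record(self, tag, line, value):
        value = (value or "").strip().lower() or "(not set)"
        if value != "never":   # "always", "samedomain", or left to the player default
            self.findings.append((tag, line, value))
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # attribute names arrive lower-cased
        line = self.getpos()[0]
        is_flash = a.get("type", "").lower() == FLASH_MIME
        if tag == "embed" and (is_flash or a.get("src", "").lower().endswith(".swf")):
            self._record(tag, line, a.get("allowscriptaccess"))
        elif tag == "object":
            self._obj = [line, is_flash, None]
        elif tag == "param" and self._obj is not None:
            name = a.get("name", "").lower()
            if name == "movie":                 # classic <object> embed without a type
                self._obj[1] = True
            elif name == "allowscriptaccess":
                self._obj[2] = a.get("value")
    def handle_endtag(self, tag):
        if tag == "object" and self._obj is not None:
            line, is_flash, value = self._obj
            self._obj = None
            if is_flash:
                self._record("object", line, value)

def audit(html):
    parser = FlashEmbedAuditor()
    parser.feed(html)
    return parser.findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Each finding gives the tag, the source line where it opens, and the effective setting, so the output can feed a review queue for ad creatives or page templates before they are served.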

PDF, on the other hand, which has long been believed to be a safe file format, can be exploited through a pair of buffer overflow vulnerabilities. Adobe has patches for these flaws, but many machines aren't up to date. Starting with version 1.4, the PDF format includes JavaScript capabilities.

The problem is exacerbated by the availability of cheap, easy-to-use crimeware toolkits, such as Neosploit and Fiesta, which now include PDF components that enable attackers to obfuscate scripts within PDF files to execute Web exploits.

Signature-based detection is not generally effective against these attacks, so antimalware engines must rely on real-time detection. Finjan recommends updating Adobe Reader with the PDF fixes, and training users not to assume that PDF files are always safe.

Organized crime expands.

Among its general observations, the Finjan report says that organized crime continues to expand its Internet business under what Finjan calls a criminal-to-criminal (C2C) model, using Trojans, silent installations and drive-by downloads. Those $100-$200 off-the-shelf toolkits help make cybercrime more accessible and pervasive. Finjan observed a trend of unemployed IT workers purchasing these toolkits, and expects this trend to grow as the weak global economy persists in 2009.

"We believe that having layoffs in the U.S. and other parts of the world, more people will at least give it a try," Ben-Itzhak said. "More people will become cybercriminals. You don't need to be a professional hacker: These toolkits have really changed the way people are turning to cybercrime."
