[ Security Alert ] 26 March, 2013 15:45

    Several weeks ago, no security researcher managed to crack Google's Chrome OS at CanSecWest Pwnium 3 in Vancouver, even after the deadline was extended from 2pm to 5pm at the researchers' request. Unfortunately, the Chrome browser itself was compromised by MWR Labs at Pwn2Own 2013, which was sponsored by HP and Google. That contest proved that Google Chrome was vulnerable.

The following is our analysis of Chrome browser security:

    The Chrome browser was developed by Google and is now one of the most popular web browsers in the world. It integrates Google Search, YouTube and many proprietary Google services. For personalization, the Chrome Web Store provides an abundance of extensions that modify and enhance the browser's functionality.

    Extensions are small software programs that bundle all their files (manifest.json, images, JavaScript and CSS, ...) into a single package that the user downloads and installs. This bundling means that, unlike ordinary web apps, extensions don't need to depend on content from the web.

manifest.json provides important information including the name, description, version, language and permissions...

The following code shows the supported manifest fields (http://developer.chrome.com/extensions/manifest.html).

The only fields that are always required are name and version. Here we take content_scripts, permissions and update_url to explain their attributes and functions:

content_scripts: JavaScript files that run in the context of web pages. Using the standard Document Object Model (DOM), they can read details of the web pages the browser visits, or make changes to them.

update_url: the URL used for update checking.

permissions: To use most chrome.* APIs and extension capabilities, your extension must declare its intent in the manifest, usually in the "permissions" field. For example, Google Mail Checker must have the following two permissions:

1. access your data on *google.com

2. access your tabs and browsing activity

    A user might see a permission request dialog when installing an extension. If permissions are assigned improperly and the content_scripts include malicious code, the extension can do anything to your system.

    For example, a malicious extension automatically posts and spreads malicious links on Facebook (Security Alert 2013-02-06: Watch out for Facebook video link). The malicious extension will also auto-update through its "update_url" setting to switch to other hacking jobs.

    Chrome has supported extensions since version 4.0. Extensions are easy to develop, but also easy to abuse. Older versions of Google Chrome allowed bundled extensions to be installed automatically when a Windows application was installed, so it was easy to install malicious extensions on a victim's system without the user's permission.

    So Google Chrome strengthened extension management from version 25.0: only extensions from the Chrome Web Store are allowed and there is no more automatic installation. Every extension must be approved by the user before installation. However, there is no assurance that all extensions in the Chrome Web Store are secure.

    On Facebook, the attacker pretends to be the victim's friend and shares attractive themes to lure victims into clicking the hyperlink and installing the malicious extension. The victim then posts many malicious links to his friends, so the malicious extension keeps spreading through the victims' curiosity. The victim believes his account was stolen and changes his password, but that does not help: the victim has to remove the malicious extension from the Chrome browser.

    For a more detailed scenario, please refer to our previous posts:

Security Alert 2013-02-06: Watch out for Facebook video link

Security Alert 2013-02-22: Malicious Chrome extensions

    Web browser plug-ins are additional pieces of software that add extra capabilities to your web browser, such as the ability to view movies, run Java applets, or see Flash animations. Unfortunately, since plug-ins run with all the privileges of real applications, they can do absolutely anything to your computer. In the past year, so many 0-day vulnerabilities were reported in Java that many security experts strongly recommend disabling it.

    As seen from the above analysis, extensions and plug-ins are the two weak points of the Chrome browser. To make Chrome more secure, the Google Web Store should inspect all extensions strictly; moreover, we would like to remind our customers:

1. Do not install any extensions from untrusted sources.

2. Check whether the permission request is normal when installing an extension.

3. Do not install unnecessary plug-ins. If you have any plug-ins installed, keep them up to date.

by AegisLab

[ Security Alert ] 21 March, 2013 15:33

  As many of you probably know, several South Korean banks and local media organizations have been hit by a critical cyber attack. None of the victim machines would boot anymore.

AegisLab has obtained the virus samples from the crashed computer networks of major South Korean banks and TV broadcasters.

In the sample we obtained, the virus overwrites the system's MBR (Master Boot Record) with the string "HASTATI".

The partition table was also destroyed.

The virus performs the following three jobs:

1. taskkill /F /IM pasvc.exe  => terminate "AhnLab Policy Agent" (the top anti-virus software in South Korea)

2. taskkill /F /IM Clisvc.exe  => terminate "ViRobot" (a well-known anti-virus software in South Korea)

3. shutdown -r -t 0  => reboot immediately

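A forensic check for the damage described above, added here as an example and not part of AegisLab's analysis: it reads one 512-byte sector and reports whether the boot signature survives, whether the partition table is empty, and how many copies of the "HASTATI" marker it contains. Both sample sectors are constructed; the healthy one carries a single made-up NTFS entry.

```javascript
// Added example, not AegisLab's code: inspect the first sector of a disk image
// for an MBR overwritten with "HASTATI" and a destroyed partition table.

const SECTOR_SIZE = 512;
const PART_TABLE_OFFSET = 446;          // four 16-byte entries at bytes 446..509
const BOOT_SIG_OFFSET = 510;            // bytes 55 AA close a valid MBR
const MARKER = Buffer.from('HASTATI', 'ascii');

// Count non-overlapping occurrences of `needle` in `buf`.
function countOccurrences(buf, needle) {
  let count = 0;
  for (let pos = buf.indexOf(needle); pos !== -1; pos = buf.indexOf(needle, pos + needle.length)) {
    count++;
  }
  return count;
}

// Returns a verdict object for one 512-byte sector.
function inspectMbr(sector) {
  if (sector.length < SECTOR_SIZE) throw new Error('need a full 512-byte sector');
  const bootSignatureOk = sector.readUInt16LE(BOOT_SIG_OFFSET) === 0xaa55;
  const table = sector.subarray(PART_TABLE_OFFSET, BOOT_SIG_OFFSET);
  const partitionTableEmpty = table.every((b) => b === 0);
  const hastatiHits = countOccurrences(sector, MARKER);
  // Wiped if the marker is present, or the sector has neither signature nor partitions.
  const wiped = hastatiHits > 0 || (!bootSignatureOk && partitionTableEmpty);
  return { bootSignatureOk, partitionTableEmpty, hastatiHits, wiped };
}

// Constructed healthy sector: one bootable NTFS partition entry and the 55 AA signature.
function healthySector() {
  const s = Buffer.alloc(SECTOR_SIZE);
  s[PART_TABLE_OFFSET] = 0x80;                       // active flag
  s[PART_TABLE_OFFSET + 4] = 0x07;                   // partition type: NTFS
  s.writeUInt32LE(2048, PART_TABLE_OFFSET + 8);      // first LBA
  s.writeUInt32LE(204800, PART_TABLE_OFFSET + 12);   // sector count
  s.writeUInt16LE(0xaa55, BOOT_SIG_OFFSET);
  return s;
}

// Constructed wiped sector: the marker repeated across the whole sector, as the alert describes.
function wipedSector() {
  const s = Buffer.alloc(SECTOR_SIZE);
  for (let off = 0; off + MARKER.length <= SECTOR_SIZE; off += MARKER.length) MARKER.copy(s, off);
  return s;
}

console.log(inspectMbr(healthySector()), inspectMbr(wipedSector()));
```

To run it against a real image, replace the constructed sector with the first 512 bytes read from the disk image file.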
Obviously, the attack was focused on South Korea.

After executing "shutdown -r -t 0", the blue screen of death appears...

After the reboot...

For your internet security, we urge our anti-virus customers to keep their signatures up to date.

by AegisLab

[ Security Alert ] 22 February, 2013 16:17

Following our previous post, we have found some malicious Chrome browser extensions that automatically turn Likes for pages on Facebook.

Once you click the malicious links embedded in spam mail, messages or other hyperlinks and download the extension, the malware monitors your browser activity. If you are logged into Facebook with the Chrome browser, it will GET hxxp://goo.gl/iiWeL? (and also hxxp://fastotolike.com/yeni.php!)

The content of son.js in the extension is as follows:

There are two functions, abone and sayfa2, in "hxxp://fastotolike.com/yeni.php"; their partial content is shown below:

The function abone tracks someone:

The function sayfa2 turns Likes for someone:

Why does the malware turn Likes on Facebook? As a security researcher said, "On underground forums in Russia, a page with 100,000 likes sells for about $150 to $200". Yes, obviously for the money.

For your internet browsing security and to prevent malicious connections, we urge our customers to keep the WebGuard signature up to date.

by AegisLab

[ Security Alert ] 06 February, 2013 13:45

AegisLab got some malicious video links from Facebook, as follows:

hxxp://www.facebook.com/pages/Videos-choquantes/115875135259062?sk=app_208195102528120

hxxp://www.facebook.com/pages/Videos-choquantes/116032281910520?sk=app_208195102528120

They all take advantage of your curiosity about an unknown video, and lure you into executing a malicious package.

The analysis is as follows:

The subject is "This girl has a spider under the skin and makes it removed!" and the message shown in the pop-up window reads:

Update Needed

to watch the latest videos on Facebook you must install this update package.

To begin, click on the button below:

Obviously, the devil wants to lure you into executing the malware.

If the "OK" button is clicked, you'll get a malicious file: hxxp://dl-b.uni.me/updates/fr_FR/fb13.4.4_fr.exe

After running this file, the message "update already done" is shown in a pop-up window:

And then one more extension was added to the Chrome browser:

The content of this extension:

A Chrome extension is defined by its manifest.json, and this extension had malicious scripts injected.

Analyzing manifest.json, we found:

1. permissions: allow connections to any URL

2. main program: call.js

3. malicious update URL: http://du-pont.info/updates/fr_FR/update.xml

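A check for the three manifest signals that matter here, the same content_scripts, permissions and update_url fields explained in the 26 March post and the findings listed for this extension's manifest.json just above, added as an example that is not AegisLab's or Google's code. The Web Store update endpoint is Google's real one; both manifests are constructed, with the suspicious one modelled on the fields listed above.

```javascript
// Added example, not AegisLab's or Google's code: flag content scripts injected into
// every page, host permissions that reach any URL, and a self-hosted update_url.

// Google's update endpoint for extensions distributed through the Chrome Web Store.
const WEB_STORE_UPDATE_URL = 'https://clients2.google.com/service/update2/crx';
// Match patterns that reach every site the user visits.
const BROAD_PATTERNS = ['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*'];
// Permissions that expose tabs and browsing activity.
const ACTIVITY_PERMISSIONS = ['tabs', 'history', 'webNavigation', 'webRequest', 'cookies'];

const isBroad = (pattern) => BROAD_PATTERNS.includes(String(pattern).trim());

// Returns human-readable findings; an empty list means nothing stood out.
function auditManifest(manifest) {
  const findings = [];
  for (const script of manifest.content_scripts || []) {
    if ((script.matches || []).some(isBroad)) {
      findings.push(`content script ${(script.js || []).join(', ')} runs in every page`);
    }
  }
  for (const perm of manifest.permissions || []) {
    if (isBroad(perm)) findings.push(`host permission ${perm} allows connections to any URL`);
    else if (ACTIVITY_PERMISSIONS.includes(perm)) findings.push(`permission ${perm} exposes browsing activity`);
  }
  if (manifest.update_url && manifest.update_url !== WEB_STORE_UPDATE_URL) {
    findings.push(`update_url ${manifest.update_url} is controlled by the author, not the Web Store`);
  }
  return findings;
}

// Constructed manifest modelled on the findings listed for the Facebook extension above.
const suspiciousManifest = {
  name: 'Facebook Update', version: '1.0',
  permissions: ['tabs', 'http://*/*', 'https://*/*'],
  content_scripts: [{ matches: ['http://*/*', 'https://*/*'], js: ['call.js'] }],
  update_url: 'http://du-pont.info/updates/fr_FR/update.xml',
};

// Constructed benign manifest: one host, no content scripts, Web Store updates.
const benignManifest = {
  name: 'Mail Checker', version: '1.0',
  permissions: ['tabs', 'https://mail.google.com/'],
  update_url: WEB_STORE_UPDATE_URL,
};

console.log(auditManifest(suspiciousManifest));
console.log(auditManifest(benignManifest));   // only the tabs permission is reported
```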
The partial main program call.js:

The malicious extension will collect your Facebook contacts, add them as fans, and then spread malicious links to them.

The best way to lower the risk from malicious links is to check the browser's status bar before clicking the OK button.

For your internet browsing security and to prevent malicious connections, we urge our customers to keep the WebGuard signature up to date.

by AegisLab

[ General ] 30 November, 2012 11:28

  Piwik is a free software web analytics system written by a team of international developers, and runs on a PHP/MySQL web server.

Per the official Piwik blog security announcement:

  The Piwik.org web server got compromised by an attacker on 2012 Nov 26th; this attacker added malicious code to the Piwik 1.9.2 Zip file for a few hours.

  You would be at risk only if you installed or updated to Piwik 1.9.2 on Nov 26th from 15:43 UTC to 23:59 UTC.

  If you are not using 1.9.2, or if you updated to 1.9.2 earlier than Nov 26th 15:40 UTC or from Nov 27th, you should be safe.

The victim's info will be sent to hxxp://prostoivse.com/x.php! The malicious code analysis is as follows:

To check whether your Piwik is affected, open the file piwik/core/Loader.php; a compromised Loader.php would contain the following code at the end of the file:

Piwik has suggested the following steps to fix this issue:

- Back up piwik/config/config.ini.php

- DELETE the piwik/ directory

- It is important to DELETE the directory and all Piwik files, to ensure any malicious script is deleted as well.

- Download the latest Piwik from piwik.org

- Unzip and upload the piwik/ directory to your server

- Copy config.ini.php back into /piwik/config/

- Go to Piwik; it should display the dashboard as expected

In order to prevent malicious connections, we urge our customers to keep the WG signature up to date.

by AegisLab

[ Security Alert ] 16 November, 2012 11:27

Indian security researcher Shubham Upadhyay, aka Cyb3R_Shubh4M, reported a new permanent (stored) XSS affecting the product listings on eBay.com.

AegisLab also tested it again immediately; so far, this vulnerability is still unfixed!!

Here is the page with the XSS injection code:

For this flaw, you need an eBay seller account: log in to your account on eBay and create a listing for sale, then put the XSS code into the HTML.

News of XSS vulnerabilities is nothing new, but they are still very dangerous. What are the threats of XSS? Everything from account hijacking, shopping, payment, changing of user settings, cookie theft/poisoning, or false advertising is possible.

by AegisLab
