Malicious space on MySpace

Last Wednesday (June 13th), SecureBrowsing alerted us to a “cute” MySpace profile being used as a malicious-code attack vector. This is not the first catch by SecureBrowsing, but seeing one on MySpace this late into 2007 was a bit of a surprise.

We have been talking about the risks of Web 2.0 in terms of user-contributed content (actually since our Q3-2006 trends report), and have been watching the space for the rise (remember Wikipedia) and fall (sites started paying more attention to the content they publish that was contributed directly by users) of malicious code on such sites.

The security violations were found on two different profiles, and contained two different malicious attacks (see below): the first picture shows a QuickTime exploit that delivered a Trojan downloader, and the second one is a WMA exploit delivering – a Trojan downloader…

[Image: MySpace001 (first profile: QuickTime exploit)]

[Image: MySpace002 (second profile: WMA exploit)]

The MySpace abuse team was fairly quick to take down the malicious code (in less than 24 hours) – good job guys!

Obviously our customers have been protected from this kind of attack for a long time and can browse the internet without fear, as can SecureBrowsing users, who were alerted in real time to the specific profile that contained the malicious code, without needing to update anything or look it up in some kind of database…

Have something to hide? Make a lot of noise about it!

There has been a lot of noise on the web over the past few days regarding the MPack toolkit being used in the Italy region. Everyone has been talking about it vigorously: the Washington Post, WebSense, TrendMicro, and eventually even Slashdot picked up on it.

The interesting thing is that no one is actually talking about what MPack can do. They are all saying “oh my god, they are attacking Italian websites en masse”, “iframes are being inserted into benign sites and users are getting infected”, and so on, and so forth. Great. Has anyone bothered to mention the more acute risks of MPack? Besides the obfuscated code (long the de-facto standard in web-borne threats) and targeted exploit delivery (black-hat “customer service”), MPack tracks users' IPs and will actually refuse to serve malicious code to an IP that has already received it (evasion designed to minimize code exposure).
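The once-per-IP gating described above has a visible side effect in ordinary web-proxy logs: the first fetch of the attack page from a client gets a full body, repeat fetches from the same client get a near-empty response, and yet fresh client addresses still get the full body. The following script is an added example (not code from the original post or from the toolkit) that turns that pattern into a triage heuristic over constructed proxy log lines. The log format, the URLs and the thresholds are assumptions for the example; it deliberately ignores 304 responses so that normal conditional-GET caching does not trigger it, and it distinguishes gating from a page that was simply taken down (which shrinks for everyone, not just returning clients).

```python
"""Flag URLs whose 200 responses shrink after a client's first fetch.

Heuristic for 'serve the page once per source IP' gating: the first request
from an IP gets the full page, later requests from the same IP get a stub,
while IPs seen for the first time afterwards still get the full page.
This is added example code, not the original post's or the toolkit's code.
"""
from collections import defaultdict

# Constructed proxy log lines (assumed format): epoch client_ip status bytes method url
SAMPLE_LOG = """\
1181800001 10.0.0.5 200 18342 GET http://example.invalid/promo/index.php
1181800002 10.0.0.7 200 18340 GET http://example.invalid/promo/index.php
1181800009 10.0.0.5 200 61 GET http://example.invalid/promo/index.php
1181800015 10.0.0.7 200 61 GET http://example.invalid/promo/index.php
1181800020 10.0.0.9 200 18344 GET http://example.invalid/promo/index.php
1181800031 10.0.0.5 200 7310 GET http://news.example.invalid/
1181800032 10.0.0.5 304 0 GET http://news.example.invalid/
1181800033 10.0.0.7 200 7310 GET http://news.example.invalid/
1181800034 10.0.0.7 200 7312 GET http://news.example.invalid/
"""


def parse_log(text):
    """Parse 'epoch client_ip status bytes method url' lines, oldest first."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, status, size, method, url = line.split()
        records.append((int(ts), ip, int(status), int(size), method, url))
    return sorted(records, key=lambda r: r[0])


def find_gated_urls(records, shrink_ratio=0.1, min_ips=2):
    """Return {url: [client IPs that got a full body once, then only stubs]}.

    A URL is reported only when at least `min_ips` returning clients were
    cut off AND some client seen for the first time after the earliest
    cut-off still received a full body (so a removed page is not reported).
    """
    # url -> ip -> [(timestamp, body_bytes)] for 200 responses only;
    # 304 Not Modified is skipped because caching legitimately returns 0 bytes.
    fetches = defaultdict(lambda: defaultdict(list))
    for ts, ip, status, size, _method, url in records:
        if status != 200:
            continue
        fetches[url][ip].append((ts, size))

    hits = {}
    for url, by_ip in fetches.items():
        ref = max(hist[0][1] for hist in by_ip.values())  # largest first-fetch body
        if ref == 0:
            continue
        gated, first_stub_ts = [], None
        for ip, hist in by_ip.items():
            first_size, later = hist[0][1], hist[1:]
            if not later or first_size < ref * 0.5:
                continue  # never came back, or never got the full page
            if all(size <= ref * shrink_ratio for _ts, size in later):
                gated.append(ip)
                stub_ts = later[0][0]
                first_stub_ts = stub_ts if first_stub_ts is None else min(first_stub_ts, stub_ts)
        if len(gated) < min_ips:
            continue
        # Gating keeps serving new visitors; a taken-down page would not.
        fresh_still_served = any(
            hist[0][0] > first_stub_ts and hist[0][1] >= ref * 0.5
            for ip, hist in by_ip.items() if ip not in gated
        )
        if fresh_still_served:
            hits[url] = sorted(gated)
    return hits


if __name__ == "__main__":
    for url, ips in find_gated_urls(parse_log(SAMPLE_LOG)).items():
        print(f"possible once-per-IP gating: {url} (returning clients cut off: {', '.join(ips)})")
```

Treat a hit as a triage signal rather than a verdict: a site that serves a large landing page and then redirects returning visitors to a short page will look similar, so the flagged URL still needs to be examined. The practical consequence of the gating itself is the point of the paragraph above: re-fetching a suspicious page from the same address that already triggered the alert will show only the stub, so a second look has to come from a client the server has not seen.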

And on a final note: it’s great to see all the media circling the issue, but please don’t leave the reader with a block of obfuscated code to look at; show what’s behind it (obfuscated code is so 2006…).

For our FULL analysis of the real threats in MPack (not just the toolkit, but the methodology used by all toolkits like it), see our Q2 Trend Report, and take a look at the Malicious Page of the Month for May 2007 (as I said, MPack is just ONE toolkit; there are more like it, and they all use the same evasive attack techniques).