


Microsoft's Security Intelligence Report (SIRv14) released

Published: 2013-04-23
Last Updated: 2013-04-23 06:01:50 UTC
by Russ McRee (Version: 1)

Full disclosure: I work at Microsoft.

This past Thursday (17 APR) Microsoft released volume 14 of its Security Intelligence Report (SIRv14), which includes new threat intelligence from over a billion systems worldwide.

It should come as no surprise that network worms are on the decrease and that web-based attacks are all the rage. Interesting report highlights include:

  • The proportion of Conficker and Autorun threats reported by enterprise computers each decreased by 37% from 2011 to 2H12
  • In the second half of 2012, 7 out of the top 10 threats affecting enterprises were associated with malicious or compromised websites (see example below)
  • Enterprises were more likely to encounter the iFrame redirection technique than any other malware family tracked in 4Q12
  • One specific iFrame redirection family, IframeRef, increased fivefold in the fourth quarter of 2012 to become the number one malicious technique encountered by enterprises worldwide
  • IframeRef was detected nearly 3.3 million times in the fourth quarter of 2012

The report also takes a close look at the dangers of not using up-to-date antivirus software in an article titled “Measuring the Benefits of Real-time Security Software.” I read this with some skepticism, imagining it might be heavily slanted to the use of Microsoft AV products, but read on, it's not. It refers to a ton of data generated via Microsoft telemetry but remains data-centric to point out that, on average, computers without AV protection were five and a half times more likely to be infected (What?! I'm shocked. This is my shocked face.). The study also found that 2.5 out of 10, or an estimated 270 million computers worldwide, were not protected by up-to-date antivirus software. Now that actually is shocking. Really? What's the matter with people? For more information on that analysis, see details on TechNet.

On the related subject of web-based attacks, I recently completed a forensic review of an elderly Windows XP system that had clearly crossed paths with Blackhole, or as the SIR refers to it, Blacole; said system was infected with Exploit:Java/CVE-2011-3544. The behavior discovered warrants a quick review as it details just one of the plethora of manners in which web-based attacks can own you. Of interest, SIRv14 states that "detections of exploits targeting CVE-2011-3544 and CVE-2010-0840, two vulnerabilities with significant exploitation in the first half of the year, declined by large amounts in 2H12. Both are cross-platform vulnerabilities that were formerly targeted by the Blacole kit but have been removed from more recent versions of the kit." That's in keeping with findings on the machine I analyzed, given that the related JAR files had been on the system since February 2012. Nonetheless, at the risk of oversimplifying the analysis, the writeup for CVE-2011-3544 describes a vulnerability that allows a remote attacker to execute arbitrary code on the system, caused by the improper handling of Rhino JavaScript errors. Of note when unpacked from the initial JAR file were efira.class and efira.java (the applet). As ripped directly from the conclusion of Michael Schierl's excellent writeup on CVE-2011-3544:

Steps to exploit this vulnerability include:

  1. Assign a toString() method to this that will disable the security manager and then run your payload
  2. Create a new JavaScript error object
  3. Overwrite the error object's message property by this
  4. Return the error object
  5. Create a new script engine and bind the applet to a JS variable (in case your payload needs it)
  6. Evaluate the script mentioned above
  7. Add the resulting object to a JList
  8. Display the JList to the user and wait for the UI thread to render it

Strings analysis of Efira.class (see VirusTotal if you want hashes) returned the requisite steps, including:

  • toString() (1)
  • java/lang/Object error (2)
  • javax/script/ScriptEngine (5)
  • eval (6)
  • javax/swing/JList (7)

And this was but one example of six Java-specific exploits dropped on this victim system during its unfortunate visit to a Blackhole-infected site. Stay tuned for new and interesting web-based exploits for 2013.
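As an added example (not from the diary, Schierl's writeup or any Microsoft tooling), here is a small Python triage scanner that automates the strings analysis above: it unpacks a JAR, pulls printable runs from each .class entry the way `strings` would, and reports which of the indicators listed in the diary are present so cached JARs can be triaged in bulk. The indicator-to-step mapping and the sample JAR bytes are constructed for illustration.

```python
import io
import re
import zipfile

# Indicators from the diary's strings analysis, mapped to the step of
# Schierl's writeup they correspond to (mapping is an illustrative assumption).
INDICATORS = {
    "toString": 1,
    "java/lang/Object": 2,
    "javax/script/ScriptEngine": 5,
    "eval": 6,
    "javax/swing/JList": 7,
}

# A class-file constant pool stores names as raw modified-UTF-8, so extracting
# printable ASCII runs (minimum length 4) recovers them without a full parser.
_PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")


def extract_strings(blob: bytes) -> set:
    """Return the set of printable ASCII runs in a byte blob (like `strings`)."""
    return {m.decode("ascii") for m in _PRINTABLE.findall(blob)}


def scan_jar(jar_bytes: bytes) -> dict:
    """Map each .class entry in the JAR to the sorted list of indicators it contains."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            found = extract_strings(jar.read(name))
            hits[name] = sorted(i for i in INDICATORS if any(i in s for s in found))
    return hits


def suspicious(matched) -> bool:
    """Flag the script-engine + eval + JList combination the Rhino exploit needs."""
    return {"javax/script/ScriptEngine", "eval", "javax/swing/JList"} <= set(matched)


def build_sample_jar() -> bytes:
    """Constructed sample JAR: one class carrying the diary's indicators, one benign."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        # Constant-pool-like layout: CAFEBABE header, then length-prefixed UTF-8 names.
        jar.writestr("efira.class", b"\xca\xfe\xba\xbe\x00\x00\x00\x32\x01\x00\x08toString"
                     b"\x01\x00\x10java/lang/Object\x01\x00\x19javax/script/ScriptEngine"
                     b"\x01\x00\x04eval\x01\x00\x11javax/swing/JList")
        jar.writestr("Hello.class", b"\xca\xfe\xba\xbe\x00\x00\x00\x32\x01\x00\x10java/lang/Object\x01\x00\x07println")
        jar.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()
```

Substring matching means a benign "evaluate" will light up the `eval` indicator on its own; that is why `suspicious()` requires the full combination rather than any single hit.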

Takeaways:

1) Run AV
2) Patch
3) Pray
 
As always the SIR is a great read. Download it here.