Sep 08

Adding 1816 new threats.

Sep 08

Today Adobe put out an advisory for a previously unknown zero-day vulnerability in its Reader and Acrobat PDF software. The vulnerability is being actively exploited in the wild.

The exploit itself is pretty basic. What’s interesting about it is that it uses Return Oriented Programming (ROP) to get past the DEP and ASLR mitigations in Windows Vista and 7. Rather than injecting code into non-executable memory, a ROP chain reuses short instruction sequences ("gadgets") that already exist in loaded, executable code, which is what defeats DEP; ASLR only gets in the way if every module the chain borrows gadgets from is actually loaded at a randomised address, so a single module that did not opt in is enough to make the gadget addresses predictable.

More widespread use of ROP in exploits is something I’ve been expecting for a while. Why? Because Windows 7, which ships with DEP and ASLR, is gaining more and more traction in both the consumer and corporate space, so attackers who want reliable exploits there have to deal with both mitigations.

While most malicious PDFs download their payload, this one carries it embedded: the PDF drops an executable into the %temp% directory and tries to execute it.

The file it drops is digitally signed, and the signature is valid, using a certificate issued to a US-based credit union!

The screenshots (not reproduced in this text) show that not only is the certificate valid, but it really does belong to Vantage Credit Union. This means that the cybercriminals must have got their hands on the private key for that certificate. Remind you of anything? If you say Stuxnet (where certificates stolen from Realtek and JMicron were used to sign its drivers) then we’re clearly thinking on the same lines. The practical lesson is the same in both cases: a valid Authenticode signature only tells you which key signed the file, not that the file is safe, so a "valid" status is a hint about the signer and never a verdict on the binary.

It’ll be interesting to see whether Stuxnet has started a trend or whether these cases are just a fluky coincidence. I suspect coincidence isn’t the explanation: I think the use of valid, stolen certificates to sign malware will really take off in 2011.

Both Verisign and Vantage Credit Union have been notified so that they can take action. Revoking the certificate is the usual remedy, but it only protects systems that actually check revocation status when they evaluate the signature.
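As an added example (not code from the original post, and not the vendor's tooling), here is a small Python triage script that covers the two technical points of this post: it statically inspects a PDF for auto-run actions and an embedded, Flate-compressed dropper, then reads the dropped PE's header to report whether the image opted into ASLR (DYNAMIC_BASE) and DEP (NX_COMPAT), which is what decides whether a ROP chain can rely on that module's addresses, and whether it carries an Authenticode signature directory. The PDF, the PE skeleton, the certificate blob and the file name update.exe are all constructed here and are not the sample discussed above; the script also does not verify the signature or name the signer, which on Windows is a job for signtool or Get-AuthenticodeSignature.

```python
# Added example, not the sample from the post: PDF dropper triage plus a PE header look.
import re
import struct
import zlib

# Keys worth flagging in any unsolicited PDF: auto-actions, scripts, attachments.
SUSPICIOUS_KEYS = (b"/OpenAction", b"/AA", b"/Launch", b"/JavaScript", b"/JS",
                   b"/EmbeddedFile", b"/RichMedia")
DYNAMIC_BASE = 0x0040   # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: image opted into ASLR
NX_COMPAT = 0x0100      # IMAGE_DLLCHARACTERISTICS_NX_COMPAT: image opted into DEP
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?![\d\s]*R)")   # direct /Length only


def iter_objects(pdf):
    """Yield (number, dict_bytes, stream_bytes_or_None) per indirect object.  Heuristic
    reader, not a PDF parser: a direct /Length lets it step over binary stream data."""
    pos = 0
    while (m := OBJ_RE.search(pdf, pos)):
        start = m.end()
        end_obj = pdf.find(b"endobj", start)
        end_obj = len(pdf) if end_obj == -1 else end_obj
        s = pdf.find(b"stream", start, end_obj)
        if s == -1:                                        # plain object, no stream
            yield int(m.group(1)), pdf[start:end_obj], None
            pos = end_obj
            continue
        head = pdf[start:s]
        data_start = s + 6 + (2 if pdf[s + 6:s + 8] == b"\r\n" else 1)  # after "stream" EOL
        length = LENGTH_RE.search(head)
        data_end = (data_start + int(length.group(1)) if length
                    else pdf.find(b"endstream", data_start))  # indirect /Length fallback
        data_end = len(pdf) if data_end == -1 else data_end
        yield int(m.group(1)), head, pdf[data_start:data_end]
        pos = data_end


def inspect_pe(blob):
    """Does the image opt into ASLR and DEP, and does it carry an Authenticode blob (data
    directory 4)?  A present blob only means 'signed': whether the signature verifies and
    who the signer is are separate checks (signtool verify / Get-AuthenticodeSignature)."""
    try:
        pe, = struct.unpack_from("<I", blob, 0x3C)
        if blob[:2] != b"MZ" or blob[pe:pe + 4] != b"PE\0\0":
            return None
        opt = pe + 24                                      # skip signature + COFF header
        magic, = struct.unpack_from("<H", blob, opt)
        dllchar, = struct.unpack_from("<H", blob, opt + 70)
        dirs = opt + (96 if magic == 0x10B else 112)       # PE32 vs PE32+ directory table
        ndirs, = struct.unpack_from("<I", blob, dirs - 4)
        sec_size = struct.unpack_from("<II", blob, dirs + 4 * 8)[1] if ndirs > 4 else 0
    except struct.error:                                   # truncated or not a PE at all
        return None
    return {"aslr": bool(dllchar & DYNAMIC_BASE), "dep": bool(dllchar & NX_COMPAT),
            "has_authenticode_blob": sec_size > 0}


def triage_pdf(pdf):
    """Collect suspicious keys and every embedded file, with PE details when it is one."""
    report = {"flags": set(), "embedded": []}
    for num, head, data in iter_objects(pdf):
        report["flags"].update(k.decode() for k in SUSPICIOUS_KEYS if k in head)
        if b"/EmbeddedFile" in head and data is not None:
            payload = zlib.decompress(data) if b"/FlateDecode" in head else data
            report["embedded"].append({"object": num, "size": len(payload),
                                       "pe": inspect_pe(payload)})
    return report


def build_fake_pe(cert_blob, dll_characteristics=0):
    """Constructed PE32 skeleton (not runnable, not genuinely signed) with a
    WIN_CERTIFICATE appended and referenced from data directory 4."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)                   # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)                               # PE32 magic
    struct.pack_into("<H", opt, 70, dll_characteristics)                # DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                                 # NumberOfRvaAndSizes
    header_len = len(dos) + len(coff) + len(opt) + 16 * 8
    dirs = b"".join(struct.pack("<II", header_len, len(cert_blob)) if i == 4 else bytes(8)
                    for i in range(16))
    return dos + coff + bytes(opt) + dirs + cert_blob


# Placeholder WIN_CERTIFICATE (dwLength, wRevision 0x0200, type 2 = PKCS#7) with a dummy body.
FAKE_CERT = struct.pack("<IHH", 24, 0x0200, 0x0002) + b"\x30\x82" + bytes(14)


def build_sample_pdf(payload):
    """Constructed PDF whose /OpenAction launches an embedded, Flate-compressed file."""
    packed = zlib.compress(payload)
    objs = [b"<< /Type /Catalog /OpenAction 2 0 R >>",
            b"<< /Type /Action /S /Launch /F (update.exe) >>",
            b"<< /Type /EmbeddedFile /Filter /FlateDecode /Length %d >>\nstream\n" % len(packed)
            + packed + b"\nendstream"]
    out = b"%PDF-1.4\n"
    for i, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
```

Calling triage_pdf(build_sample_pdf(build_fake_pe(FAKE_CERT))) reports the /OpenAction, /Launch and /EmbeddedFile keys and one embedded PE that has not opted into ASLR or DEP and carries a signature blob; point the same functions at a real sample with open(path, "rb").read(). The NumberOfRvaAndSizes check matters because a linker may emit fewer than 16 data directories, in which case there is no security entry to read at all.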

Sep 08

Google just released its new search technology, "Google Instant", which speeds up search by showing results dynamically as you type into the Google search box. Google Instant essentially predicts what users are going to type and suggests, in real time, the search terms it considers most relevant to what has been typed so far.

So what?  Well, we’re kind of concerned…

If you’ve followed our blog in the past, then you know that Google hasn’t done a great job of mitigating Blackhat SEO threats, which have plagued search results for years. As a test, I thought I’d search for "antivirus" and see what suggestions came up. Lo and behold, Antivir Solution Pro, a well-known rogueware (fake antivirus) family, was amongst the suggested search terms.

[Screenshot: Google Instant malicious search suggestion]

Let’s segue from the problem of malicious search suggestions and get right down to the real problem here. I’m more concerned about how this new technology can improve existing Blackhat SEO campaigns. We know for a fact that most Blackhat SEO campaigns automatically query Google’s trending topics to pick the phrases they target, and now it seems that Google Instant will be suggesting those trending phrases verbatim, nudging users to type the very strings the poisoned pages are optimised for and potentially putting millions of victims directly in the cybercriminals’ cross hairs.

Only time will tell, but we expect to see Google Instant aiding Blackhat SEO campaigns very soon.

Stay safe out there!
