Tuesday, August 28, 2012

Are you vulnerable to the latest Java 0-day exploit? (Updated)

Test to see if you're vulnerable.

You may be aware that a 0-day vulnerability in the latest version of Java is presently being exploited on the Web. This vulnerability affects all versions of Java 1.7 (aka Java 7). Oracle has not yet released a fix, and if they stick to their quarterly patch cycle, one isn't likely to emerge until October.

Java has a long history of 0-day vulnerabilities being actively exploited. Exploits are usually drive-by attacks: users get infected by navigating to hijacked websites where an invisible Java applet drops a malicious executable on the user's machine. The very popular Blackhole exploit kit includes numerous Java exploits.

In 2010, we reported a 300% increase in malicious JAR (Java archive) files. Recently, in March 2012, Java made the news due to the Flashback Trojan, a piece of malware targeting an older Java version that shipped with Mac OS X. As can be seen, Java is constantly under attack.

Update: new Java version available

Oracle has released Java 1.7.7 (Java 7 Update 7) and 1.6.35 (Java 6 Update 35) to fix the vulnerability. You can update your Java version from Java.com.

We have updated our Java test page to take the new versions into account.

Are you vulnerable?

The latest release of Java is version 1.7 update 6. This is now the default version on Windows. Mac OS X still uses Java 1.6 (latest version: 1.6.33). Java 1.6.33 is NOT vulnerable to the latest 0-day exploit. However, I would not suggest that anybody downgrade from Java 1.7 to Java 1.6, as it is not yet known whether version 1.6 is vulnerable to other flaws fixed in 1.7.

One annoying fact with Java is that new versions do not always replace the ones already installed. As such, you are likely to have multiple versions of Java installed on your system, and Internet Explorer may not even be using the latest version that you have installed.

We have created a new page to list all of the versions of Java installed on your computer. You can test your browser here.
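As an added example (this is not the post's test page, nor Zscaler's code), here is the kind of check such a page performs, in JavaScript: it parses the Java versions a browser advertises through navigator.mimeTypes and flags any that predate the fixed releases named in the update above (Java 7 Update 7 and Java 6 Update 35). The sample mime-type list is constructed; the `jpi-version=` attribute is the one the Oracle plug-in registers, while the fixed-update table, the status strings and the function names are my own assumptions. It also returns an empty list when the plug-in is disabled, which is what the "Test it" step below should show.

```javascript
// Added example, not the post's test page. Parses the Java versions a browser
// exposes through navigator.mimeTypes and checks them against the fixed releases
// the post names. The sample list below is constructed; "jpi-version=" is the
// attribute the Oracle plug-in registers, "version=" the bare family entry.

// Lowest safe update per family, per the post's update: Java 7u7 and 6u35.
const FIXED_UPDATE = { '1.7': 7, '1.6': 35 };

// "application/x-java-applet;jpi-version=1.7.0_06" -> { family: "1.7", update: 6 }
// "application/x-java-applet;version=1.6"          -> { family: "1.6", update: null }
function parseJavaVersion(mimeType) {
  const m = /(?:jpi-)?version=(\d+\.\d+)(?:\.\d+)?(?:_(\d+))?/i.exec(mimeType);
  if (!m) return null;
  return { family: m[1], update: m[2] === undefined ? null : parseInt(m[2], 10) };
}

function assessVersion(v) {
  const fixed = FIXED_UPDATE[v.family];
  if (fixed === undefined) return 'unsupported family: update or remove';
  if (v.update === null) return 'update level unknown: run the full test';
  if (v.family === '1.7' && v.update < fixed) return 'VULNERABLE to the Java 7 0-day: update to 7u7';
  if (v.update < fixed) return 'not affected by this 0-day but behind the current fix';
  return 'patched';
}

// Every distinct version found, each with a status. A bare "version=1.7" entry
// is dropped when a full "jpi-version=1.7.0_NN" entry for the same family exists.
function assessMimeTypes(mimeTypes) {
  const found = new Map();
  for (const t of mimeTypes) {
    const v = parseJavaVersion(t);
    if (v) found.set(v.update === null ? v.family : `${v.family}_${v.update}`, v);
  }
  const withUpdate = new Set(
    [...found.values()].filter(v => v.update !== null).map(v => v.family));
  return [...found.values()]
    .filter(v => v.update !== null || !withUpdate.has(v.family))
    .map(v => ({ family: v.family, update: v.update, status: assessVersion(v) }));
}

// Live check in a browser; returns [] when Java is disabled or absent (assumption:
// outside a browser there is no navigator.mimeTypes, so it also returns []).
function detectInBrowser() {
  if (typeof navigator === 'undefined' || !navigator.mimeTypes) return [];
  return assessMimeTypes(Array.from(navigator.mimeTypes, m => m.type));
}

// Constructed sample: Java 7u6 active, with a 6u33 entry also registered.
const SAMPLE_MIME_TYPES = [
  'application/x-java-applet;version=1.7',
  'application/x-java-applet;jpi-version=1.7.0_06',
  'application/x-java-applet;jpi-version=1.6.0_33',
  'application/x-shockwave-flash',
];

for (const r of assessMimeTypes(SAMPLE_MIME_TYPES)) {
  console.log(`Java ${r.family}${r.update === null ? '' : ' update ' + r.update}: ${r.status}`);
}
```

Note that the browser only reports the plug-in it will actually load; a second, older Java still installed on the machine (the situation described above for Internet Explorer) stays invisible to this check and is why the post's full test page lists every installed version.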

Disable Java

To be on the safe side, you can disable Java in your browser to prevent malicious applets from running.

Firefox

Go to Tools - Add-ons - Plugins

Look for Java Deployment Toolkit and/or Java Platform SE. Disable them all.

Java disabled in Firefox

Chrome

Go to Wrench - Settings - Show advanced settings... - Privacy - Content settings... - Plug-ins - Disable individual plug-ins... - Java - Disable. It is quite difficult to find!

Java enabled in Chrome

Internet Explorer

Go to Tools - Manage Add-ons. Disable Java(tm) Plug-in SSV Helper and Java(tm) Plug-in 2 SSV Helper.

Java disabled in Internet Explorer 9

Update: disabling these two add-ons is not sufficient on its own. To completely disable Java in Internet Explorer, follow the steps at http://www.kb.cert.org/vuls/id/636312#disable_java_in_IE.

Test it

Now go to our Java test page (updated) to ensure that Java has indeed been disabled in your browser.

Click to Play

If you need Java occasionally, you can enable it on-demand with Click to Play. I described Click to Play, a way to manually enable plugins only on visible content, in a previous post. This feature is only available in Firefox, Chrome and Opera.

Firefox also offers several browser extensions to easily enable/disable java with one click. I personally like Quick Java.

Take this opportunity to check all the plugins running in your browser and disable the plugins that you do not really need. Don't give the bad guys an attack surface that's any larger than it needs to be!

Friday, August 24, 2012

Payday loan scam

Weebly is a free platform for website creation. Like many free hosting and DNS providers, it is abused by spammers and scammers. Recently, I found over 400 .weebly.com sub-domains advertising "instant cash loans" and redirecting users to http://paydayloanswww.com/.


Here are some of the 400 sub-domains:
  • loanranger.weebly.com
  • fastapprovalsignaturepersonalloa.weebly.com
  • 750cashloan.weebly.com
  • americangeneralfinance1.weebly.com
  • pdlnow-com.weebly.com
  • globalgrouppaydayloans.weebly.com
  • skyloans01.weebly.com
  • privatelendersstudentloansbadcre.weebly.com
  • loansforretired.weebly.com
  • paydayloanswithmoneygram.weebly.com
  • etc.

The 400+ weebly.com domains have an identical layout with some text at the top, but the majority of the page is simply a large image showing an application form.

The form is actually an image

The image is also a link to the actual Payday loan website. But instead of linking directly to paydayloanswww.com, they link to "custom" shortened URLs. The URLs do not come from legitimate URL shortening services, but rather from domains that have been set up by the scammers for the sole purpose of linking to spam/scams. This is a technique used by other spammers, notably the fake Canadian Pharmacy, to work around spam filters. Here are some of the domains used for the redirections:
  • eibo.biz
  • h8l.org
  • zsui.org
  • g1o2.info
paydayloanswww.com serves as a broker in finding payday loans for customers. Potential borrowers have to fill out 2 forms and provide very sensitive information including a social security number, bank account information, etc.

Payday loan form, page 1
Payday loan form, page 2

From my experience after filling out the form, and from what I gather from many forums, borrowers get a $200 loan, but there is an $89 charge every time the loan is renewed. The renewal happens automatically every nine days, and herein lies the scam: it is apparently very hard to get the company to stop the automated renewal. The $200 loan can get very expensive after a few weeks!

My loan offer (I asked for $800)

The company operates under different names: Brighton Fnl LLC, Kingston Financial, etc. The Better Business Bureau record for Brighton Fnl LLC is not great: eight complaints are currently listed on the BBB website.

After sending a few URLs to Weebly, some sub-domains have been taken down, but most are still up. Weebly is fairly young, and it does not look like they have the right tools and processes in place to respond quickly to this kind of spam. I've offered to send them the full list, but I have not heard back from them yet.

Thursday, August 16, 2012

Zscaler Safe Shopping 1.1 for Internet Explorer: C++ BHO

I released Zscaler Safe Shopping for Internet Explorer in March 2012. This was my first attempt at writing a Browser Helper Object (BHO) and it was written in C#. There are a number of disadvantages to using C#, as I described in my last post. C++ is required for "advanced" features, like intercepting and modifying all HTTP/HTTPS traffic.

Ultimately, I decided to bite the bullet and learn C++ on Windows in order to deliver some great extensions for Internet Explorer this year. It was quite a steep learning curve to go from C# and the scripting languages (Perl, Ruby, etc.) that I knew well to C++. CodeProject turned out to be a great source of sample code for C++ BHOs. Various colleagues also helped to shorten my learning curve. Now here we are, and Zscaler Safe Shopping has been rewritten from scratch in C++. If you are using version 1.0, an upgrade to the new 1.1 will speed up your browsing when the extension is in use. C# BHOs require that the .Net framework be loaded first, which takes at least 0.20s-0.30s for every tab. With C++, load time is significantly reduced.

It is very important that the BHO loads quickly, in under about 0.20s, so as to not negatively impact the user experience and to avoid warning messages. Starting with Internet Explorer 9.0, the browser warns the user at startup and offers to disable "slow" add-ons:

Warning about slow add-ons

It is much harder to write browser add-ons for IE than it is for Firefox and Chrome, but you can do quite a lot with IE. Here is the breakdown of the "advanced" features available to add-ons on the three major browsers:

Feature                              Firefox   Internet Explorer   Chrome
Modify HTTP requests and responses   YES       YES                 YES
Access the file system               YES       YES                 NO
Include C++ libraries                YES       YES*                NO
Run executables                      YES       YES                 NO
Run server inside browser            YES       YES                 NO

(* IE add-ons are C++ libraries, of course)

I plan on releasing some exciting browser add-ons for Internet Explorer this year, so keep an eye on this blog!

Tuesday, August 7, 2012

Most common threats in top blacklisted sites

The vast majority of the most popular blacklisted websites contain a piece of malicious JavaScript inline. These sites were mostly hijacked by attackers and the malicious code can usually be linked to the Blackhole exploit kit.

Malicious code found on top blacklisted sites

I was surprised to find malicious Java applets in second place, having been found on 10% of the blocked sites. Malicious iFRAMEs were the third most prevalent infection and generally resulted from mass SQL injection attacks. Only 2% of the sites are trying to fool users into downloading a malicious piece of code through a fake AV, Flash or codec page.
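To make the three infection types above concrete, here is an added example (not Zscaler's detection logic and not code from the original post): a heuristic scan over a page's HTML for obfuscated inline JavaScript, Java applets and hidden iframes of the kind left behind by mass SQL injection. The markers, thresholds and the sample page are my own constructions for illustration; real exploit-kit injections vary constantly, so treat the output as a triage hint, not a verdict.

```javascript
// Added example, not Zscaler's detection logic: a heuristic scan for the three
// infection types the post ranks highest on hijacked sites (obfuscated inline
// JavaScript, Java applets, hidden iframes). Markers and thresholds are my own
// assumptions for illustration; the sample page below is constructed.

// Constructed sample: a normal page with one injected script, applet and iframe.
const SAMPLE_HTML = `
<html><head><title>Constructed hijacked page</title>
<script>var counter = 1; function bump() { return counter + 1; }</script>
<script>eval(unescape('%66%75%6e%63%74%69%6f%6e%20%78%28%29%7b%7d'));</script>
</head><body>
<p>Normal content</p>
<applet archive="http://evil.invalid/applet.jar" code="Main.class" width="1" height="1"></applet>
<iframe src="http://evil.invalid/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="https://www.youtube.com/embed/x" width="560" height="315"></iframe>
</body></html>`;

// Read one attribute (double-quoted, single-quoted or bare) from a tag's attribute string.
function attr(attrs, name) {
  const re = new RegExp('\\b' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i');
  const m = re.exec(attrs);
  if (!m) return null;
  return m[1] !== undefined ? m[1] : m[2] !== undefined ? m[2] : m[3];
}

// Injected frames are typically 0/1 pixel, display:none, or pushed off screen.
function isHiddenFrame(attrs) {
  const w = parseInt(attr(attrs, 'width'), 10);
  const h = parseInt(attr(attrs, 'height'), 10);
  const style = (attr(attrs, 'style') || '').replace(/\s+/g, '').toLowerCase();
  return (!isNaN(w) && w <= 1) || (!isNaN(h) && h <= 1) ||
    /display:none|visibility:hidden|(?:left|top):-\d/.test(style);
}

// The Java plug-in is reached via <applet>, via the IE plug-in CLSID, or via a .jar archive.
const JAVA_PLUGIN_CLSID = '8ad9c840-044e-11d1-b3e9-00805f499d93';
function isJavaApplet(tag, attrs) {
  if (tag === 'applet') return true;
  const type = (attr(attrs, 'type') || '').toLowerCase();
  const classid = (attr(attrs, 'classid') || '').toLowerCase();
  const archive = (attr(attrs, 'archive') || '').toLowerCase();
  return type.startsWith('application/x-java') || classid.includes(JAVA_PLUGIN_CLSID) || archive.endsWith('.jar');
}

// Crude obfuscation markers; two or more in a single inline script is suspicious.
const OBFUSCATION_MARKERS = [
  /\beval\s*\(/, /\bunescape\s*\(/, /String\.fromCharCode/, /document\.write\s*\(/,
  /(?:%[0-9a-f]{2}){8,}/i, /(?:\\x[0-9a-f]{2}){8,}/i,
];
function scriptSuspicion(body) {
  return OBFUSCATION_MARKERS.filter(re => re.test(body)).length;
}

// Returns findings in the order: inline scripts, applets, iframes.
function scanHtml(html) {
  const findings = [];
  for (const m of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) {
    const score = scriptSuspicion(m[1]);
    if (score >= 2) {
      findings.push({ type: 'inline-js', detail: `${score} obfuscation markers`, snippet: m[1].trim().slice(0, 60) });
    }
  }
  for (const m of html.matchAll(/<(applet|object|embed)\b([^>]*)>/gi)) {
    if (isJavaApplet(m[1].toLowerCase(), m[2])) {
      findings.push({ type: 'java-applet', detail: attr(m[2], 'archive') || attr(m[2], 'code') || '(no archive)' });
    }
  }
  for (const m of html.matchAll(/<iframe\b([^>]*)>/gi)) {
    if (isHiddenFrame(m[1])) findings.push({ type: 'hidden-iframe', detail: attr(m[1], 'src') || '(no src)' });
  }
  return findings;
}

for (const f of scanHtml(SAMPLE_HTML)) console.log(f.type, f.detail);
```

A real scanner would also fetch and inspect what the iframe and applet point to, since a 1x1 frame on its own is sometimes a tracking pixel; the point here is the shape of the three injections, not a complete classifier.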

The scam and spam sites are mostly survey scams (the-rewardline.com, station-awardz-central.com, channelrewardscenter.org, etc.) and work-from-home scams (financereports.co). These sites have been blocked by Google Safe Browsing for months.

Since most of the blocked sites are legitimate sites with high traffic, they quickly get cleaned up and removed from the Google blacklist. While the average number of days a top site is blocked by Google is 7, the graph below shows that the vast majority are blocked for only a few days:

The number of top domains blacklisted can vary considerably on a daily basis, but the trend is upward - from an average of 400 sites in May to more than 1,000 in July.

Number of top-websites blacklisted daily by Google

Here are the top-ranked websites blacklisted by Google since May 2012:

Domain            Alexa rank   Country
blog.com                 681   PT
fatakat.com              699   US
ziddu.com                878   GB
warez-bb.org           1,029   RU
vanguardngr.com        1,528   US
prlog.org              1,555   US
damnlol.com            1,949   US
arabseed.com           2,002   US
h33t.com               2,213   CA
geo.tv                 2,606   GB

Small or big, popular or not, all websites are under attack. No domain can be fully trusted and you never know if attackers managed to breach the protections of the website that you're currently on.

Friday, August 3, 2012

80% of "Olympic" domains are scams and spam

Today we looked at all identified domains containing the string "olympics", which had been accessed by our customers over the course of a day. It turns out that 80% of them are scams or spam and they can be classified into three main categories.

Typo squatting

Spammers can take advantage of users making mistakes when typing a domain name directly into the browser address bar by purchasing domain names close to their intended target - for example: gooogle.com (3 letter o's) or gogle.com (1 letter o) for google.com, yaho.com or yaoo.com for yahoo.com, etc.

The main target of typo squatting in the US is the official NBC site for the Olympics: nbcolympics.com. Here are the domains that capitalize on user mistakes:
  • cnbcolympics.com (extra c)
  • nbcolympic.com (missing s in olympics)
  • wwwnbcolympics.com (missing dot between www and nbcolympics.com)
  • msnolympics.com (msn instead of nbc)
  • nbolympics.com (missing c in nbc)
  • nbcolympics.org (.org instead of .com)
  • nnbcolympics.com (2 n's in nbc)
  • mbcolympics.com (m instead of n in nbc)
  • ncbolympics.com (c and b inverted in nbc)
These domains are mostly parked. They are covered with advertising in the hope that users will click on one of those links since there is no useful content on the page.
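The categories annotated in the list above (extra, missing, substituted or transposed letters, a dropped "www." dot, a swapped TLD, a swapped brand prefix) can be recovered mechanically. The following is an added example, not code from the original post: a JavaScript classifier that takes a candidate domain and the brand domain it imitates and names the single typo that turns one into the other. The target and the domain list are the ones in the post; the edit-distance logic, the prefix-swap heuristic and the wording of the results are my own assumptions.

```javascript
// Added example, not from the original post: classify a candidate domain against
// the brand domain it imitates using the typo categories the post lists. The
// target and the domain list come from the post; the classification logic and
// the wording of the results are my own.

const TARGET = 'nbcolympics.com';

// Domains from the post, plus the real domain and an unrelated one for contrast.
const OBSERVED = [
  'cnbcolympics.com', 'nbcolympic.com', 'wwwnbcolympics.com', 'msnolympics.com',
  'nbolympics.com', 'nbcolympics.org', 'nnbcolympics.com', 'mbcolympics.com',
  'ncbolympics.com', 'nbcolympics.com', 'olympicstable.com',
];

function splitDomain(domain) {
  const i = domain.lastIndexOf('.');
  return { label: domain.slice(0, i), tld: domain.slice(i + 1) };
}

// Describe the single insertion, deletion, substitution or adjacent transposition
// that turns candidate label a into target label b, or return null if none does.
function singleEdit(a, b) {
  if (a.length === b.length + 1) {
    for (let i = 0; i < a.length; i++) {
      if (a.slice(0, i) + a.slice(i + 1) === b) return `extra "${a[i]}"`;
    }
  } else if (a.length + 1 === b.length) {
    for (let i = 0; i < b.length; i++) {
      if (b.slice(0, i) + b.slice(i + 1) === a) return `missing "${b[i]}"`;
    }
  } else if (a.length === b.length) {
    const diff = [];
    for (let i = 0; i < a.length; i++) if (a[i] !== b[i]) diff.push(i);
    if (diff.length === 1) return `"${a[diff[0]]}" instead of "${b[diff[0]]}"`;
    if (diff.length === 2 && diff[1] === diff[0] + 1 &&
        a[diff[0]] === b[diff[1]] && a[diff[1]] === b[diff[0]]) {
      return `"${b[diff[0]]}" and "${b[diff[1]]}" transposed`;
    }
  }
  return null;
}

function commonSuffixLength(a, b) {
  let n = 0;
  while (n < a.length && n < b.length && a[a.length - 1 - n] === b[b.length - 1 - n]) n++;
  return n;
}

function classifyTypo(candidate, target = TARGET) {
  const c = splitDomain(candidate.toLowerCase());
  const t = splitDomain(target.toLowerCase());
  const notes = [];
  if (c.label === t.label) {
    if (c.tld === t.tld) return 'identical';
    return `.${c.tld} instead of .${t.tld}`;
  }
  if (c.label === 'www' + t.label) {
    notes.push(`missing dot between www and ${target}`);
  } else {
    const edit = singleEdit(c.label, t.label);
    const suffix = commonSuffixLength(c.label, t.label);
    if (edit) {
      notes.push(edit);
    } else if (suffix >= Math.ceil(t.label.length / 2)) {
      // e.g. msnolympics: brand prefix swapped, the rest of the label kept
      notes.push(`prefix "${c.label.slice(0, c.label.length - suffix)}" instead of "${t.label.slice(0, t.label.length - suffix)}"`);
    } else {
      return `not a typo of ${target}`;
    }
  }
  if (c.tld !== t.tld) notes.push(`.${c.tld} instead of .${t.tld}`);
  return notes.join('; ');
}

function classifyAll(domains = OBSERVED, target = TARGET) {
  return domains.map(d => [d, classifyTypo(d, target)]);
}

for (const [d, why] of classifyAll()) console.log(d.padEnd(22), why);
```

Run against a day's worth of observed domains, the same routine separates genuine typosquats of a brand from domains that merely contain the keyword (olympicstable.com comes back as "not a typo"), which is the split the post makes between this category and the ones that follow.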

Domain names cost only about $10 and hosting can be free, so this can be an effective way to make some money with a minimal initial investment.

"TV on PC" scam

Scams for receiving Cable/Satellite TV on a PC for a very low monthly fee are not new. Scammers are taking advantage of the Olympics to attract people who are ready to spend a few bucks to watch the games in real time.

Numerous pages, mostly hosted on free hosting sites, are created to redirect users to the TV scams. These redirection pages may be designed as reviews from users promoting the scam, or simple HTTP redirection scripts with no content actually displayed to the victim.

This technique is used by the largest number of "olympics" domains:
  • londonolympics2012livestream1.webspawner.com
  • london2012olympicslivestreamfreeonline.webspawner.com
  • londonolympic2012tv.com
  • olympics2012onipad.com
  • watch2012olympicsonline.puzl.com
  • olympics.gamelivehd.com
  • londonolympics.chuckduck.info
  • watcholympics2012live.com
  • watchsummerolympics.com
  • watch-olympics-online.info
  • olympicstv.trueonlinetv.com
  • watcholympicslivestreams.us
  • olympic2012.livetelecast.us
  • olympics2012london.tk
  • olympic2012.onlinepremiumtv.com
  • olympics2012live.onlinestreamingfree.net
  • londonolympic.info
  • london2012olympicslivestream.sitew.com
  • olympicgames2012livestream.sitew.com
  • watcholympics2012-openingceremonyonlinefree.sitew.com
  • olympics2012lives.sitew.com
TV scam after redirection: satellitedirect.com

"Made for Adsense" sites

"Made for Adsense" (MfA) sites are highly targeted websites that drive web traffic from search engines. They contain just enough content to get listed in search engine results for a specific query. They carry a lot of ads and encourage users to click on them in order to get to some of the more interesting content. MfA sites typically have very few pages.

Here are some examples related to the Olympic games:
  • olympicstable.com
  • 2012-london-olympics-news.com
  • olympic-games-2012-london.com
  • olympicsgames.com
  • olympicgames2012.com
  • nbcolympica.com
  • olympiczone.com
More ads than content: 2012-london-olympics-news.com

We've seen a few other scams - mostly old tricks revisited to fit the Olympic games.
  • software to see the Olympic games that is actually spyware/adware: streamolympicsonline.com
  • survey scams: olympics2012videoclips.vidrr.net
I guess the good news is that most of the scams are targeting 'low hanging fruit' and don't involve sophisticated exploits.