September 2008   
BUSINESS INSIGHT: ANTI-THEFT


Malware in Unexpected Places, Part II: Threats in "Trusted" Applications

By David Marcus,
Director, McAfee® Avert® Labs Communication

September heralds back-to-school days for students all over the world, so we thought it would be a propitious time for us to share some new things we’ve learned at McAfee® Avert® Labs. In Part II of this month’s Malware in Unexpected Places series, we’ll be revealing recent findings about new vehicles for malware that have evolved during the last year or so—trusted applications and file formats.

Normally, you won’t think twice about opening an Adobe PDF or Microsoft Word document attachment, or downloading a music file, video file, or toolbar from your favorite social networking site. But since cyber crooks have resorted to using these formats and applications as carriers for malicious code, our advice is caveat emptor when it comes to downloading or opening such files, whether they arrive in email from unknown senders or come from reputable domains and web sites.

Here are some recent examples discovered by our threat experts and other organizations:

  • A real-life example of a RealPlayer exploit—This summer, one of our researchers witnessed an exploit in action at a friend’s house. The friend was running Microsoft Vista, and the attack targeted RealPlayer. Unfortunately, our researcher’s buddy had made a serious mistake: he had disabled Vista’s User Account Control because the alerts bothered him, so he received no warning prompts. The only sign was a message box saying that RealPlayer would close; after that the malicious code ran and a variety of suspicious processes appeared. Windows Vista has the best security available among the Windows family of operating systems, so none of this would have happened if the alert function had been enabled. A word to the wise!


  • Caffeine attack—A piece of malware on the loose named MachineDog has attracted attention within the China security community. The malware itself appears to be a finely crafted, tiny rootkit. Its special feature is that it is designed to penetrate hard disk protection. Most Internet cafés rely on hard disk protection software alone, and café owners mistakenly believe it is a replacement for security software and that their systems are therefore secure. MachineDog takes advantage of this scenario. The attack is so insidious that once it successfully loads its driver into the kernel, most hard disk protection software is nothing but an empty shell, and the administrator has no idea that the systems are unprotected. This is enough to make some café owners rip out their equipment and stick to selling lattes—unless they are McAfee customers, of course, in which case they are protected from the threat by .DAT 5337.


  • Bogus Flash players—Adobe issued a warning this August regarding comments posted to social networking sites that contain hyperlinks to imposter updates for the company's popular Adobe Flash Player plug-in. When users click on the link, they think they’re downloading and installing the latest version of Flash Player, but in fact they are inviting malicious code onto their computers.


David Lenoe wrote about this on Adobe's Product Security Incident Response Team blog. Lenoe stresses the importance of verifying the authenticity of the Flash Player download: “… all Adobe software for Windows is signed with a digital certificate that is validated by Windows when you install our software. The Publisher will always be 'Adobe Systems, Incorporated', and you can verify this when you double-click the installer, or by right-clicking on the installer, selecting 'Properties', and going to the 'Digital Signatures' tab.” (Source: http://www.informationweek.com/blog/main/archives/2008/08/adobe_fake_flas.html)

What Lenoe means by “signed” software is that Adobe’s installers carry a digital signature based on a certificate issued to Adobe by VeriSign, a recognized certificate authority. According to Lenoe, when you install Adobe's Flash Player on Windows, the process should pause at a verification dialog that looks like the image below. If this dialog box does not appear, you should be suspicious.

[Image: Windows digital signature verification dialog shown when installing Flash Player]

On a general note, it’s important to point out that not all legitimate software or update installers carry digital signatures, so a signature check alone cannot guarantee that an installer comes from the source it claims to come from, even if you obtained it from the right domain. Attackers can potentially compromise the download directory of a legitimate domain and replace its downloads with malicious imposters. We recommend that you exercise caution when you download and install unsigned software on your PC. The safest way to obtain software is to go directly to the software company’s website rather than simply clicking on a link.
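The Publisher check that Lenoe describes through the Properties dialog can also be done from the command line. The following is an added example, not code from the newsletter, Adobe or McAfee; the function name and the installer path are assumptions, and the expected publisher string is the one quoted in the article.

```powershell
# Added example (not from the original newsletter): verifies an installer's
# Authenticode signature and compares the Publisher with the expected name,
# which is what the Windows 'Digital Signatures' tab shows graphically.
function Test-InstallerPublisher {
    param(
        [Parameter(Mandatory = $true)][string] $Path,
        # Expected publisher as quoted from Adobe's PSIRT blog in the article
        [string] $ExpectedPublisher = 'Adobe Systems, Incorporated'
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 'Valid' means the file hash matches the signature AND the signing
    # certificate chains to a root this machine trusts. 'NotSigned' is the
    # case the article warns about: unsigned does not prove the file is bad,
    # but this check then tells you nothing and the download source is all
    # you have to go on.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{
            Path      = $Path
            Verified  = $false
            Publisher = $null
            Reason    = "Authenticode status is '$($sig.Status)', not 'Valid'"
        }
    }

    # The 'Publisher' in the Windows dialog is the certificate subject's CN.
    # GetNameInfo handles a CN that itself contains a comma (as Adobe's does),
    # which a naive split of the Subject string on ',' would mangle.
    $publisher = $sig.SignerCertificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName,
        $false)

    # Case-sensitive, exact comparison: a look-alike name is not a match.
    $match = ($publisher -ceq $ExpectedPublisher)
    if ($match) {
        $reason = 'Signature valid and publisher matches'
    } else {
        $reason = "Publisher '$publisher' does not match '$ExpectedPublisher'"
    }

    [pscustomobject]@{
        Path      = $Path
        Verified  = $match
        Publisher = $publisher
        Reason    = $reason
    }
}

# Usage (the path is a placeholder for whatever installer you downloaded):
# Test-InstallerPublisher -Path 'C:\Downloads\install_flash_player.exe'
```

A result with Verified set to $false is exactly the situation the article says should make you suspicious, whether because the file is unsigned, the signature is broken, or the publisher name is not the one Adobe states.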

Trust Not, and Take Precautions
The examples we’ve described are only the tip of the iceberg. Following the Olympics, for example, a spate of malware buried in PDF and Microsoft Word .doc files related to the games and the Tibetan issue was unleashed as attachments accompanying spam. And here at Avert Labs, we’ve detected more than 500,000 incidents of a Trojan disguised as music or video files loaded onto popular media sharing sites like LimeWire and eDonkey. We can’t say with certainty that we’re in the midst of an epidemic, but we can safely say that cybercriminals are increasingly drawn to using application files and formats to hide malware.

As always, our best advice is to educate yourself about these kinds of new developments by reading the McAfee Avert Labs blog and your favorite security-related publications and to keep your eyes wide open when you’re downloading files or software. Always make sure attachments come from a trusted source, and download software directly from software vendors’ web sites.

You never know where malware will strike next!