Language Selection

English French German Italian Portuguese Spanish

Drive-by Trojans exploit browser flaws

Filed under
Security

Trojans - malicious programs that pose as benign apps - are usurping network worms to become the greatest malware menace. Sixteen of the 50 most frequent malicious code sightings reported to Symantec in the second half of 2004 were Trojans. In the first six months of last year, Trojans accounted for just eight of the top 50 malicious code reports.

Symantec blames Trojans for an upsurge in client-side exploits for web browsers. Trojans create the means to deliver malicious code onto vulnerable Windows PCs. Browsers are the primary target, but flaws in email clients, peer-to-peer networks, instant messaging clients, and media players can also be exploited in this way.

Between July and December 2004 Symantec documented 13 vulnerabilities affecting Internet Explorer and 21 vulnerabilities affecting each of the Mozilla browsers. Six vulnerabilities were reported in Opera and none in Safari.

Of the 13 vulns affecting IE in 2H04, nine were classified as "high severity". Of the 21 vulnerabilities affecting the Mozilla browsers, Symantec classified 11 as "high severity". Firefox users enjoyed an easier ride with just seven affecting "high severity" vulns over the report period.

Symantec says there have been few attacks in the wild against Mozilla, Mozilla Firefox, Opera, or Safari, but the jury is still out on whether these browsers represent a more secure alternative to IE.

Nigel Beighton, Symantec’s director of enterprise strategy, EMEA, told El Reg that choice of browser is less important than activating seldom-used security zones features to limit exposure. "If you don't set trusted sites and stick by default browser security it's like surfing everywhere on the net with your wallet open," he said.

Symantec's Internet Threat Report, published Monday (21 March), brings together data gleaned from the security firm's SecurityFocus and managed security services division. The report found that financial service industry was the most frequently targeted sector in internet attacks, followed by hi-tech and pharmaceutical firms. "Attacks are becoming more targeted and specific," said Beighton.

For the third straight reporting period, the Microsoft SQL Server Resolution Service Stack Overflow Attack (formerly referred to as the Slammer Attack) was the most common attack, used by 22 per cent of all attackers. Organisations reported 13.6 attacks per day, up from 10.6 in the previous six months. The United States continues to be the top country of attack origin, followed by China and Germany.

Variants of NetSky, MyDoom, and Beagle, dominated the top ten malicious code samples in the second half of 2004. Symantec documented more than 7,360 new Win32 viruses and worms, 64 per cent up on the first half of the year. Two bots (malicious code that turns infected PCs into zombies under the command of hackers) were present in the top ten malicious code samples, compared to one in the previous reporting period. There were 21 known samples of malicious code for mobile applications, up from one in June 2004.

Symantec also noted a marked rise in email scams over second half of 2004. The firm's BrightMail anti-spam filters blocked an average of 33 million phishing emails a week in December 2004 compared to nine million a week in July 2004.
Symantec documented 1,403 new vulnerabilities in the second half of 2003, up 13 per cent from the first six months of last year. The vast majority (97 per cent) of the vulns recorded between July and December 2004 were either moderate or high risk.

In addition, over 70 per cent of these security flaws could be exploited using readily available tools or without the need for any attack code. The time between the disclosure of a vulnerability and the release of an associated exploit increased from 5.8 to 6.4 days.

Continuing a recent trend, web applications were a particular source of security problems. Almost half - 670 of 1,403 - of the security bugs logged by Symantec in 2H04 affected web applications. ®

Source.

More in Tux Machines

Programming: GCC, RcppEigen and Python

  • Introduce a new GCC option, --record-gcc-command-line
    I would like to propose the following patches which introduce a compile option --record-gcc-command-line. When passed to gcc, it saves the command line option into the produced object file. The option makes it trivial to trace back how a file was compiled and by which version of the gcc. It helps with debugging, reproducing bugs and repeating the build process.
    
    This option is similar to -frecord-gcc-switches. However, they have three fundamental differences: Firstly, -frecord-gcc-switches saves the internal state after the argv is processed and passed by the driver. As opposed to that, --record-gcc-command-line saves the command-line as received by the driver. Secondly, -frecord-gcc-switches saves the switches as separate entries into a mergeable string section. Therefore, the entries belonging to different object files get mixed up after being linked. The new --record-gcc-command-line, on the other hand, creates one entry per invocation. By doing so, it makes it clear which options were used together in a single gcc invocation. Lastly, --record-gcc-command-line also adds the version of the gcc into this single entry to make it clear which version of gcc was called with any given command line. This is useful in cases where .comment section reports multiple versions.
    
    While there are also similarities between the implementations of these two options, they are completely independent. These commands can be used separately or together without issues. I used the same section that -frecord-gcc-switches uses on purpose. I could not use the name -frecord-gcc-command-line for this option; because of a {f*} in the specs, which forwards all options starting with -f to cc1/cc1plus as is. This is not we want for this option. We would like to append it a filename as well to pass the argv of the driver to child processes.
    
    This functionality operates as the following: It saves gcc's argv into a temporary file, and passes --record-gcc-command-line <tempfilename> to cc1 or cc1plus. The functionality of the backend is implemented via a hook. This patch includes an example implementation of the hook for elf targets: elf_record_gcc_command_line function. This function reads the given file and writes gcc's version and the command line into a mergeable string section, .GCC.command.line.
    
    
  • GCC Developers Discuss New Option For Recording Compiler Flags / Details In Binaries

    GCC developers recently have been discussing a new proposal over an option for preserving the command-line flags/options used when building a binary as well as the associated compiler version. The proposal sent out last week was over a --record-gcc-command-line option to save the compiler options into the produced object file. The proposal is in the name of helping debugging, reproducing bugs, and repeating build process. There is already a -frecord-gcc-switches option that is somewhat similar in behavior but with key differences as explained in the proposal.

  • RcppEigen 0.3.3.7.0

    A new minor release 0.3.3.7.0 of RcppEigen arrived on CRAN today (and just went to Debian too) bringing support for Eigen 3.3.7 to R. This release comes almost a year after the previous minor release 0.3.3.5.0. Besides the upgrade to the new upstream version, it brings a few accumulated polishes to the some helper and setup functions, and switches to the very nice tinytest package for unit tests; see below for the full list. As before, we carry a few required changes to Eigen in a diff.

  • “Higher Performance Python” at PyDataCambridge 2019

    I’ve had the pleasure of speaking at the first PyDataCambridge conference (2019), this is the second PyData conference in the UK after PyDataLondon (which colleagues and I co-founded 6 years back). I’m super proud to see PyData spread to 6 regional meetups and now 2 UK conferences.

today's howtos

Games: Baba, Dicey Dungeons, Factorio and Enabling GameMode

  • Excellent rule-changing puzzle game Baba Is You is getting an official level editor

    Baba Is You, the truly excellent puzzle game where you have to break the rules of each level to beat them is getting a big update soon. See Also: previous thoughts on it here. How do you break these rules? Well, on each level there's logic blocks you can push around to change everything. Turn yourself into a rock, a jellyfish, make it so touching a wall wins instead of a flag you can't access and all kinds of really crazy things it becomes quite hilarious.

  • Dicey Dungeons outsold Terry Cavanagh's last two Steam games in the first month

    Terry Cavanagh, the indie developer behind VVVVVV, Super Hexagon and the latest Dicey Dungeons has a new blog post out talking about how well Dicey Dungeons has done and what's to come next. Leading up to the release, Cavanagh was doing a blog post each day for seven days. This latest post from yesterday then, is long overdue considering Dicey Dungeons launched in August.

  • Factorio is leaving Early Access in September next year

    As a result of the team behind Factorio feeling like it's going on for too long, they've now set a proper release date. In their latest Friday Facts update, they mentioned how their "when it's done" approach has served them well to create a high-quality game "but if we continued this way, we would be doing it basically forever". Part of the issue is that they want to work on new features and add content, instead of constant polishing. So they're setting a date publicly now "so we have to stick with it". With that in mind, it's going to leave Early Access on September 25, 2020. Development is not ending once they hit the big 1.0, they also don't want to say it's 100% finished either. Like a lot of games, as long as the money keeps coming in they will likely keep adding to it.

  • Enabling GameMode on Linux for best gaming performance

Red Hat Enterprise Linux and CentOS Now Patched Against Latest Intel CPU Flaws

After responding to the latest security vulnerabilities affecting Intel CPU microarchitectures, Red Hat has released new Linux kernel security updates for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7 operating systems to address the well-known ZombieLoad v2 flaw and other issues. The CentOS community also ported the updates for their CentOS Linux 6 and CentOS Linux 7 systems. The security vulnerabilities patched in this new Linux kernel security update are Machine Check Error on Page Size Change (IFU) (CVE-2018-12207), TSX Transaction Asynchronous Abort (TAA) (CVE-2019-11135), Intel GPU Denial Of Service while accessing MMIO in lower power state (CVE-2019-0154), and Intel GPU blitter manipulation that allows for arbitrary kernel memory write (CVE-2019-0155). Read more