Saturday, January 12, 2008

Web tools create XSS headaches

Adobe Flash files created by a number of Web authoring platforms could be co-opted by an online fraudster to conduct a cross-site scripting attack, security researchers stated last week.

A paper authored by Google security researcher Richard Cannings found that the Flash files created by at least five Web site authoring systems, including Adobe Dreamweaver and InfoSoft FusionCharts, could be used to bypass anti-phishing measures. By creating a link that passes JavaScript code to the Flash files, an attacker can cause a victim to run malicious code in the security context of a potentially trusted Web server, Cannings stated in a summary of his findings.

While pinpointing which sites are running vulnerable Flash files is difficult, hundreds of thousands of Web sites could be affected, Web security researcher Jeremiah Grossman wrote on his blog this weekend.

"Because this issue is NOT a universal XSS, as is the case with the Adobe PDF bug, issues are going to be harder to track down," wrote Grossman, who is the chief technology officer for WhiteHat Security. "We're going to have to figure out ways to decompile (or) reverse engineer Flash files to determine what authoring tool was used and update our vulnerability scanners so that Flash files can be tested in much the same ways as a web application."

The issue is separate from a vulnerability in Flash files that Adobe fixed last month, the researchers said. Adobe issued a patch in December to fix ten critical vulnerabilities in its Flash software, among them modifications to eliminate cross-site scripting attacks using the asfunction: protocol handler (corrected) and navigateToURL() function. On December 24, InfoSoft fixed its cross-site scripting issue by allowing only the loading of relative URLs, not absolute URLs.

Grossman stressed that vulnerable Flash animations will remain on the Web for some time, as Web developers first have to patch their authoring tools, then create new Flash files and upload those files to their sites. In many cases, a third-party developer maintains the Web site, which will increase delays, he said.
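The InfoSoft fix described above, accepting only relative URLs for the data a Flash file loads, is an allowlist check. The following is an added example of such a check, not InfoSoft's or Adobe's code; `isSafeRelativeUrl`, `resolveDataUrl` and the `dataURL` parameter name are assumptions for illustration.

```javascript
// Added example: a loader-side allowlist that admits only same-origin relative
// URLs, the kind of fix the article says InfoSoft applied. Hypothetical helper,
// written for this page; not FusionCharts' actual code.

// Reject anything with a scheme (javascript:, asfunction:, http:, data:, ...),
// a protocol-relative "//host" form, or control characters that browsers strip.
function isSafeRelativeUrl(raw) {
  if (typeof raw !== "string" || raw.length === 0) return false;
  // Browsers drop ASCII control characters (tabs, newlines) inside a URL, so a
  // scheme split by a newline would still be honoured; reject them outright.
  if (/[\u0000-\u001f\u007f]/.test(raw)) return false;
  const url = raw.trim();
  // Any "scheme:" prefix makes the URL absolute (case-insensitive, so it also
  // catches JAVASCRIPT: and AsFunction:).
  if (/^[a-z][a-z0-9+.-]*:/i.test(url)) return false;
  // "//host/path" and "\\host\path" are protocol-relative, i.e. absolute in effect.
  if (/^[\/\\]{2}/.test(url)) return false;
  return true;
}

// Parameters typically arrive from the embedding page's query string or
// FlashVars. Apply the allowlist before any load and fall back to a
// known-good default otherwise, rather than trusting the caller's value.
function resolveDataUrl(params, fallback) {
  const candidate = params && params.dataURL;
  return isSafeRelativeUrl(candidate) ? candidate : fallback;
}

// Constructed sample inputs (not from the article) showing what gets through.
function demo() {
  const inputs = [
    "data/chart.xml",               // relative: allowed
    "/charts/2007/sales.xml",       // site-absolute path: allowed
    "javascript:alert(1)",          // script scheme: rejected
    "asfunction:someCallback",      // Flash-specific scheme: rejected
    "  JaVaScRiPt:alert(1)",        // leading space, odd case: rejected
    "java\nscript:alert(1)",        // newline-split scheme: rejected
    "//evil.example/sales.xml",     // protocol-relative: rejected
    "http://evil.example/x.xml",    // absolute: rejected
  ];
  return inputs.map((u) => [u, isSafeRelativeUrl(u)]);
}
```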

Monday, December 31, 2007

Fake codecs continue to plague searches

Trojan horse programs dressed up like video decoders, or codecs, have become a popular way to attempt to infect the computers of unwary Web surfers.

Research by antispyware firm Sunbelt Software found that a number of sites hosted by blog service provider Blogger, a subsidiary of Google, contained fake video files that, if clicked on by a visitor, would prompt the victim to download and install a video helper application. In reality, the application is a Trojan horse program designed to infect the victim's PC, CEO Alex Eckelberry stated in the blog post.

"I wouldn't put this in the same league as the massive Google poisoning we saw last month -- that was an epic attack, using exploits and all kinds of nasty tricks," he said. "However, this is something to be aware of, and hopefully the good folks at Google will take them down lickety-split."

Some basic searches uncovered more than 30 blogs that hosted the files, the posting stated.

Video players have become a major vector for attacks against computer users over the past year. In October, the first significant Trojan horse aimed at users of the Mac OS X operating system masqueraded as a plug-in for playing video files. Security researchers have worried about the increasing use of video files as a means of attack for more than a year.

In November, Sunbelt Software found that fraudsters had attempted to poison Google's search rankings and put a large number of sites hosting fake codecs high up in searches for common words. Google regularly combs its search results for malicious sites.

Sunday, December 30, 2007

Storm Worm offers coal for Christmas

Security firms warned users this week to watch out for the Storm Worm after online fraudsters revised the malicious software with a Christmas hook.

The fraudsters behind the crime-focused program began sending out a massive wave of e-mail messages over the weekend with subject lines such as "Season Greetings" or "Looking for something hot for this Christmas" that, in reality, lead to a hostile Web site, according to advisories by antivirus firm McAfee, security firm Symantec and other antivirus companies. The Web site, which sports a woman clad in revealing Christmas wear, attempts to infect the visitor's PC with the latest version of the Storm Worm, also known as Nuwar and Peacomm.

The program's authors continue to focus on adding exploits that take advantage of third-party applications, Roger Thompson, founder of Exploit Prevention Labs, stated on his blog.

"This is kind of interesting, and either means that Microsoft is patching faster than the exploits are coming out, or 3rd parties are not patching fast enough, or perhaps both," he wrote on Monday.

The Storm Worm caught the attention of antivirus researchers nearly a year ago and, due to ongoing development efforts by its authors, has continued to be an effective way to create and expand botnets. The program originally attempted to overwhelm antivirus software by creating so many variants -- releasing hundreds or thousands every week -- that virus analysts would be swamped. Later versions married the software to spam networks to more effectively find victims. The software authors have also built in a system that can attack back at investigators that attempt to find infected computers.

It's unknown whether the program's latest attack has been successful. Subject lines include "Merry Christmas To All," "Warm Up this Christmas," "Mrs. Clause Is Out Tonight!" and "The Twelve Girls Of Christmas."

The Storm Worm is called Nuwar by McAfee and Peacomm by Symantec, the owner of SecurityFocus.

Friday, December 28, 2007

Dutch police nab ABN Amro hackers

Dutch authorities have arrested 14 suspects accused of allowing their ABN Amro accounts to be used by cyber-criminals to store and transfer illegal funds.

According to reports, fraudsters based in Russia and Ukraine set up bogus ABN Amro websites to lure the bank's customers and harvest security details to access accounts and steal money.

Several of the sites were hosted on the Russian Business Network, an ISP which is alleged to host illegal and dubious businesses, including phishing and malware distribution sites.

The stolen funds were then allegedly placed in the bank accounts of the 14 ABN Amro customers, and these 'mules' subsequently transferred the money overseas to Russia and other countries.

"While these 14 suspects may not have actually carried out the phishing attacks themselves, they played a key role in the crime by allowing the fraudsters to use their bank accounts," said Mark Harris, global director of Sophos Labs.

"However, in these situations it can be tricky to prove the deliberate involvement of the account holder as it is quite easy for them to claim that they are simply the victim of identity theft."

Sophos experts noted a growing trend among cyber-criminals to recruit ordinary people to help them move their illegal profits around the world.

Sophos Labs detected an unusual 419 email scam this month which, instead of offering the typical promise of grant, lottery or prize money, purported to come from the American Red Cross.

The email offered the recipient a job as a 'donation collector', accepting and shipping donations to 'people in need' for various EU projects.