Adobe has released its emergency patch after nearly ten days of events surrounding a zero-day vulnerability, which was originally reported by FireEye in a blog post.
The FireEye blog stated the following:
“Upon successful exploitation, it will drop two DLLs. The first DLL shows a fake error message and opens a decoy PDF document, which is usually common in targeted attacks. The second DLL in turn drops the callback component, which talks to a remote domain.”
After that was published, the FireEye researchers sent the bug report and sample to Adobe. Soon after, Adobe released a notification acknowledging the problem.
Eventually, Adobe said this past weekend that a patch would be available next week… well, it’s here.
Adobe released the patch yesterday to remediate the situation.
According to Adobe, the following versions are now available:
- Users of Adobe Reader XI (11.0.01 and earlier) for Windows and Macintosh should update to Adobe Reader XI (11.0.02).
- For users of Adobe Reader X (10.1.5 and earlier) for Windows and Macintosh, who cannot update to Adobe Reader XI (11.0.02), Adobe has made available the update Adobe Reader X (10.1.6).
- For users of Adobe Reader 9.5.3 and earlier 9.x versions for Windows and Macintosh, who cannot update to Adobe Reader XI (11.0.02), Adobe has made available the update Adobe Reader 9.5.4.
- Users of Adobe Reader 9.5.3 and earlier 9.x versions for Linux should update to Adobe Reader 9.5.4.
- Users of Adobe Acrobat XI (11.0.01 and earlier) for Windows and Macintosh should update to Adobe Acrobat XI (11.0.02).
- Users of Adobe Acrobat X (10.1.5 and earlier) for Windows and Macintosh should update to Adobe Acrobat X (10.1.6).
- Users of Adobe Acrobat 9.5.3 and earlier 9.x versions for Windows and Macintosh should update to Adobe Acrobat 9.5.4.
Well, it’s Patch Tuesday, or what some people call “Black” Tuesday.
Microsoft released seven security bulletins for its products, patching at least 11-12 vulnerabilities; the count could be higher on some systems.
Current bulletins for this round:
- MS12-077 Cumulative Security Update for Internet Explorer
- MS12-078 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution
- MS12-079 Vulnerability in Microsoft Word Could Allow Remote Code Execution
- MS12-080 Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution
- MS12-081 Vulnerability in Windows File Handling Component Could Allow Remote Code Execution
- MS12-082 Vulnerability in DirectPlay Could Allow Remote Code Execution
- MS12-083 Vulnerability in IP-HTTPS Component Could Allow Security Feature Bypass
(Key: Important – Critical)
For the December Adobe updates: the updates are for Adobe Flash Player 11.5.502.110 and earlier versions for Windows and Macintosh, Adobe Flash Player 22.214.171.124 and earlier versions for Linux, Adobe Flash Player 126.96.36.199 and earlier versions for Android 4.x, and Adobe Flash Player 188.8.131.52 and earlier versions for Android 3.x and 2.x, Adobe said.
The three updates fix a buffer overflow vulnerability, integer overflow vulnerability and a memory corruption vulnerability, all three of which could lead to code execution, Adobe also said.
This is the description of an attack happening in Brazil since 2011 using 1 firmware vulnerability, 2 malicious scripts and 40 malicious DNS servers, which affected 6 hardware manufacturers, resulting in millions of Brazilian internet users falling victim to a sustained and silent mass attack on DSL modems.
We will show how cybercriminals exploited an under-the-radar vulnerability which affected thousands of outdated DSL modems across the country. This enabled the attack to reach network devices belonging to millions of individual and business users, spreading malware and engineering malicious redirects over the course of several months. The scenario was fuelled by the widespread neglect of ISPs, blunders from hardware manufacturers, under-educated users and official apathy.
If you think the task of cleaning up victims of the DNS Changer malware was a big challenge, imagine what it would be like to deal with 4.5 million modems compromised in this attack – all of them in sunny, beautiful Brazil.
In this frequently asked questions post, I will publish some of the questions people ask me, along with answers drawn from my experience with Sirefef, also known as ZeroAccess.
Q: How to protect from this atrocity?
Q: Are Sirefef and ZeroAccess the same thing?
A: YES! They are the same thing, but named differently by many antivirus companies. This is sometimes due to language translations and competitiveness.
Q: Can the ZeroAccess virus infect my flash drive?
A: I doubt that the virus could activate on the flash drive, unless you plugged it in while logged on to the infected Windows system. If you’re worried about accidentally running something on the flash drive, use USB Immunizer from BitDefender to disinfect it.
Q: Should my passwords be changed after the ZeroAccess infection? Is it only the active ones that need changing?
A: All active passwords, and even passive ones, need to be changed. If you’re unsure about the passive ones, don’t base a new password on an old one. Go all fresh with new passwords. See more on passwords.
Q: What is Sirefef, how did it infect my computer, or when are new variants released?
A: Sirefef or ZeroAccess is a transitional rootkit, virus, and/or backdoor trojan. It is still being watched and studied constantly, with 2-3 new variants appearing every two weeks. We stay abreast of all changes.
Q: How did Sirefef infect me?
A: Viruses and other malware are commonly embedded into webpages through iFrame exploits or through exploitation of vulnerable plugins. For iFrame exploits, malware authors can create a small (1x1px) iFrame containing the scripts needed to run malware on a target machine by automatically downloading and installing it. The vulnerable-plugin problem arises when people fail to update Adobe Reader, Adobe Flash Player, Java Runtime Environment, Apple QuickTime, Mozilla Firefox, etc. Malware authors often use these vulnerable plugin versions to deliver an exploit that can give them control of a computer.
Other malware is distributed by means of operating system and program bugs. Sometimes programs, and very often Windows itself, become vulnerable to attack because of bugs in their code.
Those who do not have proper Internet security protection will fall victim to exploits.
Many people are being hit with Sirefef because of these exploits. I’d say three quarters of the people I’ve seen here on the forums have out-of-date plugins, inevitably leading to infection. Sirefef has been one of the most prevalent and active malware problems of the past year.
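The 1x1 hidden iFrame described above is easy to spot statically. The following is an added example (not code from the original post) that walks a page’s iframe tags and flags any that are tiny or CSS-hidden, noting whether they point off-site; the sample HTML and its hostnames are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not from the original post): a normal embedded player,
# a 1x1 off-site iframe of the kind described above, and a CSS-hidden local one.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.com/player" width="640" height="360"></iframe>
<iframe src="http://malicious.example.net/in.php" width="1" height="1"
        style="visibility:hidden"></iframe>
<iframe src="/local/page.html" style="display:none;border:0"></iframe>
</body></html>
"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def _px(value):
    """Parse a width/height attribute such as '1' or '1px'; None if absent or unparseable."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None

class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lowercases tag names
            self.iframes.append(dict(attrs))

def suspicious_iframes(html, site_host):
    """Return iframes that are 1x1 or hidden by CSS, with reasons and an off-site flag."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for a in parser.iframes:
        reasons = []
        w, h = _px(a.get("width")), _px(a.get("height"))
        if w is not None and h is not None and w <= 1 and h <= 1:
            reasons.append("1x1 size")
        if HIDDEN_STYLE.search(a.get("style") or ""):
            reasons.append("hidden by CSS")
        if reasons:
            host = urlparse(a.get("src") or "").hostname
            findings.append({"src": a.get("src"), "reasons": reasons,
                             "offsite": host is not None and host != site_host})
    return findings
```

A visible, full-size iframe is not flagged, so the check singles out the drive-by pattern rather than every embedded frame.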
It is highly recommended to have proper Internet security protection! We recommend you read that post and pick a premium antivirus program for your computer RIGHT AWAY!
Most malware analysis these days targets Windows machines. However, trojans are becoming more interesting: hackers create them because they want backdoor access to any machine.
Trojan malware has stepped up its game. Hackers want more access, so trojans are being created to target multiple platforms. Imagine the payload of a single trojan being targeted at Windows, Mac, and Linux.
This follows recent discoveries of multi-platform malware on a Colombian transport site. A JAR (Java archive) is used to detect which OS the user is running, and the trojan for that specific OS is then sent to infect it. Of course, this is all too similar to the Boonana worm, or to the first cross-platform worm, Badbunny. Yeah, not so dumb now.
Keep an eye out or ear open for the latest in multi-platform malware. Predictions show that this will be an ongoing problem. Good thing we’ve nipped it in the bud. But, of course, studying all of the latest new threats is a key target here at seCURE Connexion.
One of the main things we now look for in malware is whether or not it is multi-platform. If it behaves differently on different platforms, we want to discover it.
Also, keep in mind that this is a way to exploit Java as well: using it to gain temporary access to the operating system in question, and then gaining permanent access afterward by infecting the system. It is an exploit-in-depth process that makes sure each exploit is targeted at the given platform.
Web-based malware is also increasing, and languages like Ruby, Java, and Flash are all at risk. Since they are web-based languages, they need to be watched for vulnerabilities much more closely than basic software languages such as C++, C#, Delphi, etc.
Even more interesting are the factors it uses to infect the system. Exploit traps work best when they evade antivirus programs, know which platform they will be working on, and confirm that the vulnerability exists before conducting the exploit. This is what we call “exploit-in-depth” (EID).
How can we counter EID? By applying defense-in-depth controls to our computers. No matter which OS you have, malware will be lurking.
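The OS-probing JAR described above leaves a static fingerprint: a dropper that has to choose between Windows, Mac and Linux payloads usually carries all three platforms’ strings in its class files. The following is an added example (not code from the original post, nor from the malware) that reads the constant pool of every .class inside a JAR and reports which platforms are referenced; the JAR, its class file and the hint-string list are constructed for the demonstration.

```python
import io
import struct
import zipfile

# Hint strings per platform: a constructed, deliberately small list for the demo.
PLATFORM_HINTS = {"windows": ("windows", ".exe", "appdata"),
                  "mac": ("mac os", "darwin", "/library/"),
                  "linux": ("linux", "/tmp/", ".sh")}
# Byte size of each fixed-size constant-pool entry (JVM spec section 4.4), by tag.
FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
              15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def class_strings(data):
    """Yield every CONSTANT_Utf8 entry from a .class file's constant pool."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        return
    count = struct.unpack(">H", data[8:10])[0]
    pos, i = 10, 1
    while i < count:
        tag = data[pos]
        if tag == 1:  # CONSTANT_Utf8: u2 length followed by the bytes
            ln = struct.unpack(">H", data[pos + 1:pos + 3])[0]
            yield data[pos + 3:pos + 3 + ln].decode("utf-8", "replace")
            pos += 3 + ln
        else:
            pos += 1 + FIXED_SIZE[tag]
        i += 2 if tag in (5, 6) else 1  # long and double occupy two slots

def platform_hits(jar_bytes):
    """Map platform -> set of matching strings found across all classes in the JAR.
    Two or more platforms in one small JAR is the signal worth triaging."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                for s in class_strings(jar.read(name)):
                    for plat, needles in PLATFORM_HINTS.items():
                        if any(n in s.lower() for n in needles):
                            hits.setdefault(plat, set()).add(s)
    return hits

def sample_jar(strings):
    """Constructed JAR with one minimal class file: header plus a Utf8-only
    constant pool and no body, which is enough for class_strings() to parse."""
    cp = b"".join(b"\x01" + struct.pack(">H", len(s)) + s.encode() for s in strings)
    cls = b"\xca\xfe\xba\xbe\x00\x00\x00\x32" + struct.pack(">H", len(strings) + 1) + cp
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("Loader.class", cls)
    return buf.getvalue()
```

String hints only prioritise samples for analysis; a JAR that names several platforms legitimately (an installer, say) will also match, so treat a hit as a reason to look closer rather than a verdict.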
Today the discussion is about how to control the Internet activities of your small or medium business. What should be said, however, is that what matters most is your employees’ loyalty to your company, which is what keeps them on task. (I won’t get into that, as it is a matter of business ethics.)
Of course, employees love a fast Internet connection and fast services. But what can be done to control the Internet connections in your business?
While it’s fine that most companies allow a little browsing by their employees, it’s easy to get wrapped up in the Internet. One good way to address this is to disallow browsing, or to put some control on it. The best control available is bandwidth limits: blocking heavy-bandwidth sites and preventing employees from using a lot of bandwidth will rein in their browsing a lot!
Anti-Malware & Anti-Phishing
The other way to control the Internet in your business is to have the proper protection software on each computer. It is not uncommon for a business to have security problems, so it’s a no-brainer to have security software installed on every single computer.
Some of the best tools to use would involve:
- Malwarebytes’ Anti-Malware (corporate licensing available)
- HitMan Pro Enterprise Edition (second opinion anti-malware scanner)
Using these tactics will help control Internet usage in your business and ensure your employees stay on task!
The following are independently reviewed security products – Actual testing data not available
Free antivirus software provides a temporary means of safeguarding your computer while you save money for a premium investment (rated below the free ratings)…
- Avast Antivirus Free is building a reputation as the best free antivirus. One of the best promotion techniques they have used in the past year was contests for their users. From our perspective, Avast has an awesomely fast antivirus engine. However, it barely slipped from first place due to its false positives and its lack of the stronger heuristics needed for the bigger threats. But since it is free, it goes to show that users need premium antivirus protection (as we show in the rankings below).
- Microsoft Security Essentials came out as one of the most lightweight and simplest antivirus programs on the market. Since Microsoft makes the Windows operating system, that gave users a trustworthiness factor for Microsoft Security Essentials. And ever since then, it’s been magic. With its ability to detect some rootkits, it comes in second place, not far behind first.
- Avira Free – What is good about Avira Free is that it continually shows good protection across all Windows platforms. What is bad is that it cannot run 100% on heavily infected systems. This is a common problem with antivirus software, but Avira Free has shown itself to function particularly poorly there, which may be due to the lack of a well-coded self-protection driver.
- ZoneAlarm Free Antivirus/Firewall – We are assured that ZoneAlarm’s new free program has what it takes to be a good antivirus program. Further testing is needed to rate its overall effectiveness. Stay tuned to our blog for future reviews!
- AVG Antivirus Free ranks fifth for many reasons. Its good detection and smart heuristics make it a powerful antivirus program; however, it has dealt with false positives on an uncomfortable scale.
Premium (reviews written for the first ten)
Premium antivirus software provides the best antivirus protection and safeguards your computer, your identity, and all of your personal information saved on the computer. Some programs provide extra features, such as free online backup, auto-sandbox (which runs your programs in a safe environment to make sure they are not malicious), and social networking protection.
- Kaspersky Antivirus – The most recommended antivirus program is Kaspersky Antivirus. It yields the highest results in antivirus testing groups and is one of the most trusted. Its antivirus product is well worth its cost. What’s even better is the number of features it has, and the strength of each one. Each individual feature has a good amount of protection involved. It truly is the pro-active piece of software that every computer needs!
- Norton Antivirus – Symantec’s awesome Norton products have grown up from a nice antivirus to a very awesome powerhouse packed with great features and a cool-looking interface. Although the interface is a little tough for beginners, it sure has the amount of protection-based features needed to keep the viruses out! With its new identity protection interfaces, it deserves spot two!
- ESET NOD32 Antivirus – ESET has done a great job making NOD32 Antivirus into a lightweight powerhouse! Its lightning-fast response to incoming threats and economical cost make it the best buy and best protection!
- Avira Premium Antivirus – Avira got very intelligent lately, providing social networking protection, anti-phishing, and pro-active HIPS protection to an already awesome antivirus. It may not be as feature-rich as other programs in its class, but it sure has the knowledgeable databases and program functions to protect the common user. Now, the biggest boost in ranking is its successful rootkit protection interface. It did not block 100% of malware, but came pretty darn close!!
- Avast Pro Antivirus – This antivirus program may very well be the feature-rich program of the year. Improving greatly on previous years, it shows each new year how much it has grown into a beneficial program for almost any system. The only problem seen in Avast Pro Antivirus compared to the programs listed above it was its ability to stop a malicious download immediately in its tracks. However, with every new program update comes a much better way to block these infected sites.
- BitDefender Antivirus Plus – Due to the surplus of features that this program encompasses compared to previous years, it got its sixth place spot. It almost came in fifth place, especially because of its brilliant social media protection.
- F-Secure Antivirus – F-Secure software has risen up to become a great competitor to other antivirus vendors. Its feature-rich interface and good heuristics, paired with lightweight performance, makes this program a star! Kudos! Spot seven for F-Secure!!
- AVG Antivirus – AVG has provided good protection for years, in great, feature-rich software. The only drawback, as described above for the free edition, is the problem of false positives. Their response to false positives is not quick enough, which can cause problems with trust. Trust is very important to PC users. This program came in at spot eight because of that!
- PC Tools’ Spyware Doctor with Antivirus – Spyware Doctor with AntiVirus delivers powerful antivirus and antispyware protection using layered technologies to defend your PC against malware attacks. Patent-pending ThreatFire™ behavioral intelligence blocks new threats faster than traditional signature methods!! However, due to its poor reliability against new malware, such as zero-day threats, we had to bring it down to spot nine!
- Panda Security’s Antivirus Pro – This one was a hard one to judge. When tested on many different systems in the past, it was recognized to provide good protection and great features; however, it lacked performance. Some of the performance shortfalls had to do with running on a hostile system with a lot of viruses: the program slowed to a halt. However, the sandbox system, good heuristics, and overall complete protection let this program take spot ten!
- Agnitum’s Outpost Pro Antivirus
- Webroot SecureAnywhere
- Dr. Web Antivirus
- BullGuard Antivirus
- Rising Antivirus