Press Releases
CRIMEWARE RESEARCHERS AT EXPLOIT PREVENTION LABS DISCOVER CYBER CRIMINALS USING ECARDS TO DELIVER MALICIOUS ROOTKIT AND KEYLOGGER EXPLOITS
Thousands in Australia Affected, Malicious eGreetings now being Spammed to Inboxes around the World
September 22, 2006 – Atlanta, GA – Researchers at Exploit Prevention Labs (http://www.explabs.com), the leading developer of anti-exploit software, recently uncovered a major cyber criminal ring operating in Australia using what appear on the surface to be Yahoo Greetings eCards to infect thousands of computer users with keylogger malware, which was then used to steal credit card numbers, bank account usernames and passwords, and other personal information. Although the total number of affected users remains unclear, Exploit Prevention Labs researchers were able to confirm that accounts at nearly every Australian bank were affected. Exploit Prevention Labs researchers quickly contacted Australian police authorities, who coordinated with banks and other institutions to protect affected users.
Earlier this week, Exploit Prevention Labs researchers discovered further evidence that malicious eCard spammers have expanded their operations beyond Australia and Yahoo Greetings, with confirmed targets in North America, Europe and Asia using a variety of eCard supplier accounts.
Roger Thompson, Exploit Prevention Labs’ CTO, discovered the Australian eCard scam and has been tracking the evolving threat.
“The user receives an eCard in their email inbox,” said Thompson. “The card appears to come through one of the major eCard companies, so it is assumed to be safe, despite the user not recognizing the sender’s name on the card. The user clicks the link to view the card, which doesn’t tell you who it’s really from, so they just close it and continue with whatever they were doing before. Unfortunately, what’s actually happened is that a rootkit has been delivered to the user’s PC before they even pick up the card.”
The Australian eCard scammers placed a malicious hyperlink in the email, which first sends the user’s web browser to an exploit server. The exploit server checks to see if the user’s web browser has been patched for the latest software vulnerabilities, and if it’s unpatched, the server silently force-downloads a rootkit and a keylogger onto the user’s computer before redirecting the web browser to an authentic Yahoo Greetings card.
The actual exploit, known as MDAC, has been gaining in popularity among cyber criminals. The MDAC exploit code is launched by a WebAttacker script, which was developed by Russian cyber criminals. According to Exploit Prevention Labs’ most recent Exploit Prevalence Report (http://www.explabs.com/ss/threatCenter.html) published September 12, WebAttacker is the most prevalent Internet-borne exploit generator; it was also behind the new VML exploit, which made news earlier this week.
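The redirect pattern described above (an untrusted first hop that lands on an authentic greeting card) is something a URL scanner can flag before a user's browser ever follows the link. The following is an added illustration, not code from Exploit Prevention Labs or LinkScanner; the redirect chains and the `.example` domains are constructed for the demonstration, and the trusted-provider list is an assumption.

```python
from urllib.parse import urlparse

# Providers whose pages are an acceptable final landing for an eCard link.
# Assumption for this example: only the provider named in the release is listed.
TRUSTED_PROVIDERS = ("greetings.yahoo.com",)


def host_of(url):
    """Lowercase hostname of a URL, or '' when the URL has no parsable host."""
    return (urlparse(url).hostname or "").lower()


def is_trusted_host(host, trusted=TRUSTED_PROVIDERS):
    """True if host is a trusted provider or a subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in trusted)


def classify_ecard_link(first_url, redirect_chain, trusted=TRUSTED_PROVIDERS):
    """Classify an eCard link from the hops a scanner observed it making.

    first_url: the href found in the email.
    redirect_chain: URLs the link redirected to, in order, as recorded by a
    scanner that follows redirects without rendering the pages.
    Returns (verdict, untrusted_hosts) where verdict is one of:
      'direct'              - goes straight to a trusted provider
      'suspicious-redirect' - untrusted first hop that ends on a trusted
                              provider: the bounce-through pattern described
                              for the eCard scam
      'untrusted'           - never reaches a trusted provider
    """
    hosts = [host_of(u) for u in [first_url] + list(redirect_chain)]
    untrusted = [h for h in hosts if not is_trusted_host(h, trusted)]
    if is_trusted_host(hosts[0], trusted):
        return "direct", untrusted
    if is_trusted_host(hosts[-1], trusted):
        return "suspicious-redirect", untrusted
    return "untrusted", untrusted


# Constructed observations: the chains a scanner might record for three links.
SAMPLE_OBSERVATIONS = {
    "http://greetings.yahoo.com/view?card=1": [],
    "http://card-relay.example/go?c=7": ["http://greetings.yahoo.com/view?card=1"],
    "http://card-relay.example/go?c=8": ["http://other-host.example/x"],
}


def scan_samples():
    """Run the classifier over the constructed observations."""
    return {u: classify_ecard_link(u, chain)[0] for u, chain in SAMPLE_OBSERVATIONS.items()}
```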
Systems that are up to date on patching should not be vulnerable to the original version of this eCard exploit, but according to Thompson, the latest version of the eCard scam is significantly different, and is indicative of an escalation of the threat.
“We started tracking MDAC back in June, shortly after WebAttacker was upgraded. Initially, it was just a tiny blip on the radar, registering 0.5% in our Exploit Prevalence Survey for that month. In July, it was up to 3.51%, and last month it reached 6.69%. If that pattern continues, we can expect to see both vendors and traditional anti-malware vendors experiencing significant problems in trying to keep up with the threat.”
Further information about the threat can be found in Thompson’s blog at http://explabs.blogspot.com.
SocketShield and LinkScanner Protect Against eCard Threat
Exploit Prevention Labs offers two reliable solutions to help protect users against the threat. SocketShield (free 30-day trial: http://www.explabs.com/ss/trial.html) is the industry’s first reliable solution to protect Internet users against the growing threat of zero-day exploits and malicious web sites that target vulnerabilities in unpatched Windows software.
SocketShield provides a critical layer of security that complements the defenses provided by traditional security solutions. Firewalls cannot stop exploits, because exploits enter within the trusted communications stream of the user’s browser connection. Anti-virus and anti-spyware applications can’t protect against exploits because they must wait for the malware code to hit the hard disk in order to detect it, and by that time most exploits have already executed their payload. Patch management systems can’t distribute a patch until the application vendor releases it. And patching as a general practice, while critical, often fails because it relies on users taking action of their own volition. Furthermore, after a new zero-day exploit is discovered, it typically takes software vendors several weeks to several months to develop, test and release a patch.
LinkScanner (http://linkscanner.explabs.com/linkscanner), Exploit Prevention Labs’ free URL scanning service, also protects against the eCard scam.
About Exploit Prevention Labs
Founded by information security veterans Bob Bales and Roger Thompson in 2005, Exploit Prevention Labs develops security software to protect against Web-based exploits and malicious web sites. SocketShield, the company’s flagship product, provides patent-pending protection against zero-day exploits during the critical risk window between the announcement of a vulnerability and the provision of a patch by the vendor. Exploit Prevention Labs also offers the free LinkScanner URL checker, which determines whether or not a web site is distributing exploits. More information about Exploit Prevention Labs and SocketShield may be found on the company’s website at http://www.explabs.com.
###
Media Contact:
Tim Shisler
Dovetail Public Relations
408.395.3600
xpl@dovetailpr.com