Flash Player vulnerabilities, Poisoned Websites and Virtual Machines

The sites

I first saw it mentioned on Slashdot earlier this year but I only experienced it a month ago. Legitimate websites, with “infected” javascript. For example, it’s the standard swfobject.js but with a long line of obfuscated code at the beginning, looking like this:

document.write('<script language="javascript">$="%64b%3d%22%3c7`7%3c [lots of code deleted] %3b";eval(unescape($));document.write($);</script>');

What it does is to create a hidden div, which contains an iframe, which links to a malicious website.

Then I wondered how could all these sites become poisoned (according to various sites, the number of compromised websites range from 10,000 to 100,000 – see this article on BBC). One popular theory is SQL Injection. In some cases however, I knew the sites and their owners; we’re talking about flash sites, with no database and even no server-side scripting – plain html and/or flash. In these cases, I think malware such as ldPinch might have been used. Trojanized cracked software could lead to sites ftp passwords being stolen and allowing attackers to “poison” the websites. Oh, Linux servers are vulnerable too.

The Poison – a.k.a. attack vector

The site to which the hidden iframe points may use various exploits – I’ve seen Quicktime exploits and Adobe Reader exploits. This is interesting (and worrying) because it doesn’t matter what browser you use – if your version of Reader is vulnerable, you could be using Opera or Firefox. It would work even with javascript turned off. I’ve read about trojans for Mac OSX being used too but I didn’t test myself.

Even more worrying (and the reason for this article) is the increasing number of flash player vulnerabilities reported, culminating with the one reported in April 2008, which lead to the new flash player version 9.0.124.0 – get the whitepaper from IBM or the explanation of the attack. Just one month later, flash is hit again with a remote code execution vulnerability, which at the time of this writing is being investigated by Adobe. What’s really scary is that this vulnerability is already being exploited ‘in the wild’ so compromised web sites are already serving it via MPack. UPDATE: Flash player 9.0.124.0 is not affected, the vulnerability targets earlier versions.

If you’re still unconvinced of the seriousness of the situation, some light read about MPack may help (adapted from Wikipedia):

MPack is a PHP-based malware kit produced by Russian hackers. First released in December 2006, it’s being updated monthly and is thought to have been used to infect more than 100,000 computers with backdoors.

MPack is sold as commercial software for about $1000 and is provided with technical support and regular updates and add-ons, with variable cost depending on severity of the exploit and the ability of antivirus software to detect it.

The server-side part customizes attacks for browsers including IE, Firefox and Opera. MPack generally works by being loaded in an IFrame attached to the bottom of a hacked website. When a user visits the page, MPack sends a script that loads in the IFrame and determines if any vulnerabilities in the browser or operating system can be exploited.

The kit includes a management console, which allows the attacker to view statistics about the computers that have been infected.

If you had any doubts: malware is no longer a hobby – it’s an industry; it’s organized crime.

Protection

15 years ago it was enough to have an up-to-date antivirus. 5 years ago, an antivirus and a good firewall/NAT would have been adequate. Nowadays we need multiple levels of protection just to decrease the likehood of being infected.

Hardware NAT/Routers/Firewalls are a good solution to prevent against remote attacks via worms by blocking unused ports and separating the internal network (NAT = network address translation; several computers in a network will share one external IP; from outside the NAT, no one can target a computer inside the network). They don’t protect at all against local exploits (viruses, trojans, etc.)

Stateful firewalls and antispyware can alert the user for suspicious activity – programs trying to send to the internet when they are not supposed to, etc., but some programs are expected to use the internet (if you grant your ftp program access to the internet, if it’s trojanized it could send saved passwords as well, unless you monitor every port and every remote address).

Antiviruses work against viruses and other malware but guess what – the malware makers test their ‘products’ with the antiviruses too and are doing their best to make their stuff as difficult as possible to detect.

Running as a limited user (not as root/Administrator) is a sensible thing to do and may limit the damage if the malware get through the other layers. It’s still not bullet proof.

Educating the user to avoid downloading pirated software or to install codecs requested by movies from bittorrent or to open executable files is necessary too, although by itself it doesn’t do much.

Virtualization

Lately, virtualization is being promoted as a method to limit malware’s damage. The concept is to put a whole operating system inside a virtual machine. For the host OS, it’s just an application, the virtual harddrive is just a file. The guest OS is mostly unaware that it’s not running on a real computer and has access only to those devices and resources permitted by the host.

There are a number of virtualization solutions, from the ubiquitous VMWare to the little VirtualPC to the enterprise-grade, OS-integrated Hyper-V.

I have a number of virtual machines for testing purposes – ranging from a Windows XP used to test new software, to a CentOS running a LAMP (Linux, Apache, MySQL, PHP) environment.

Virtualization is currently hailed as a ‘safe’ way to work. It makes sense in theory – software running inside a VM can’t “escape” in the real world. Or can it? The flash player is a VM, and code running on it could compromise the host OS. Malware can determine if it’s running on a virtualized system (most of them run additional tools to aid integration, such as VMWare Tools or Virtual Machine Additions and the virtual hardware configuration can provide hints). Specially-crafted code could compromise the virtual machine itself and allow for arbitrary code execution – it already happened for all VM software.

The Future

It’s an escalating battle. For years, viruses were made by teenagers, mostly for fun. Now it’s all about money (via stolen e-bank password, spyware, pop-ups and who knows what else), so the malware creators are organized and unfortunately it’s looking like a losing battle, in that it requires increasing effort to protect oneself, and I haven’t even discussed about botnets.

If we look at email and spam, we can see where this is leading. Sure, we use spam filters, greylisting, SPF (sender policy framework), CAPCHAs and more, making our lives miserable in the process and spam still gets through in our inboxes (including GMail), in blogs and everywhere.

I may be in a pessimistic mood, but it looks to me that the bad guys are winning. Prove me wrong. Please.