http://www.maximumpc.com | JAN 2011 | MAXIMUM PC | 29

JAVASCRIPT JavaScript is the root of many threats, since it is universally used by many applications such as web browsers and document readers. The Gumblar botnet is an active botnet that uses server-side polymorphic JavaScript code to infect machines, thus leveraging the language to start its dirty work. This means that each time you visit an infected Gumblar site, a new (previously unseen) script is sent to your browser that will begin fingerprinting—looking for software vulnerabilities. Once fingerprinted, the JavaScript will then attempt to serve up malicious exploits through other vectors such as PDF/Flash.


PDF/FLASH VULNERABILITIES There have been many zero-day vulnerabilities disclosed (and exploited) in 2010 based on PDF/Flash. These exploits have pioneered new attacks that bypass enhanced security measures such as address space layout randomization (ASLR) and data execution prevention (DEP). Due to the ubiquity of PDF/Flash technology, attackers use these vulnerabilities as a favorite way to infect machines. Oftentimes, end users think they cannot become infected through document/media files (only executables); this mentality needs to change quickly, because these vulnerabilities now present a very real and serious threat.


BOTNETS Once a machine is infected, there is another threat vector that exists—a botnet’s command and control (C&C) channel. Every botnet needs to phone home in order to receive commands and send stolen data. We see this as a potent threat vector, since if this channel is blocked, no instructions can be carried out, and no stolen information can be sent. There are lots of innovative ways that botnets try to discreetly access C&C channels, but the most prevalent way remains HTTP, and, as a result, we deem the HTTP protocol itself a nasty threat vector. Most botnets will simply use RFC-compliant HTTP POST/GET commands; however, some will encrypt the payload to avoid detection.
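Because the check-in traffic is RFC-compliant HTTP and the body may be encrypted, a defender cannot rely on inspecting payloads; what remains visible is timing. The script below is an added example (not code from the article or from Fortinet) that flags hosts contacted at suspiciously regular intervals in a proxy log. The log format, the client address, and the host names are all constructed for the example; adapt `parse_log` to your proxy's real format.

```python
"""Spot HTTP beaconing (a bot phoning home) in proxy logs by timing alone.

Added example, not from the Maximum PC article. SAMPLE_LOG is a constructed
log in a made-up format: timestamp, client IP, method, host, request bytes.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: updates.example-cdn.test is hit every ~300 s with near-
# identical POST sizes (a C&C check-in pattern), mixed in with normal browsing.
SAMPLE_LOG = """\
2011-01-10T09:00:00 10.0.0.12 POST updates.example-cdn.test 412
2011-01-10T09:00:07 10.0.0.12 GET www.maximumpc.com 0
2011-01-10T09:02:41 10.0.0.12 GET www.maximumpc.com 0
2011-01-10T09:05:01 10.0.0.12 POST updates.example-cdn.test 414
2011-01-10T09:07:15 10.0.0.12 GET news.example.test 0
2011-01-10T09:09:59 10.0.0.12 POST updates.example-cdn.test 411
2011-01-10T09:15:00 10.0.0.12 POST updates.example-cdn.test 413
2011-01-10T09:18:33 10.0.0.12 GET www.maximumpc.com 0
2011-01-10T09:20:02 10.0.0.12 POST updates.example-cdn.test 412
2011-01-10T09:24:59 10.0.0.12 POST updates.example-cdn.test 415
"""


def parse_log(text):
    """Yield (client, host, timestamp) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, _method, host, _size = parts
        yield client, host, datetime.fromisoformat(ts)


def find_beacons(text, min_hits=4, max_cv=0.10):
    """Return {(client, host): mean_interval_seconds} for periodic contacts.

    A (client, host) pair is reported when it has at least `min_hits` requests
    and the gaps between them are nearly constant: coefficient of variation
    (std dev / mean) at or below `max_cv`. Ordinary browsing is bursty and
    irregular, so it falls outside that band.
    """
    seen = defaultdict(list)
    for client, host, ts in parse_log(text):
        seen[(client, host)].append(ts)

    beacons = {}
    for key, times in seen.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons[key] = round(mean, 1)
    return beacons


if __name__ == "__main__":
    for (client, host), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: every {interval} s")
```

On the constructed log this reports only the `updates.example-cdn.test` contact at roughly 300 seconds; the magazine site is visited three times at irregular gaps and is not flagged. Real bots often add random jitter to their sleep interval, so tune `max_cv` upward (and require more hits) rather than trusting a single threshold, and treat a hit as a lead for blocking and investigation, not proof on its own.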

XSS HOLES Cross-site scripting (XSS) holes have always been on the radar as one of the most dangerous web-based threats and continue to enjoy success because plenty of holes still exist on the web. A great example is a worm that hit Twitter in September 2010, where malicious tweets were sent out utilizing a freshly discovered XSS hole. While Twitter took quick action to shut this down, the worm was highly effective since it only required a user to roll their mouse over a link without having to click (it used the JavaScript onMouseOver technique). By doing so, the worm would then send further malicious tweets on that user’s behalf.

Persistent and nonpersistent XSS holes exist because of development oversights when implementing websites. Because they have existed for a while, and continue to be a problem, it is important to underscore the necessity of safe development practices to mitigate these threats.
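The "development oversight" behind an onMouseOver-style hole is usually a template that pastes user input straight into HTML. The following added example (not code from the article or from Twitter) shows a vulnerable link renderer beside a hardened one and uses Python's own HTML parser to show what a browser would see in each case. The attacker string is a constructed, inert stand-in for the kind of input the worm used; the function names are the example's own.

```python
"""Vulnerable vs. hardened rendering of a user-supplied link (added example).

Not code from the article or from Twitter. HOSTILE_URL is a constructed,
harmless stand-in for the attribute-breakout trick the article describes.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed attacker input: a "URL" that closes the href attribute early and
# smuggles in an event handler attribute.
HOSTILE_URL = 'http://t.co/x" onmouseover="alert(1)'


def render_link_unsafe(url, label):
    # The oversight: raw string interpolation into markup.
    return '<a href="%s">%s</a>' % (url, label)


def render_link_safe(url, label):
    # 1. Allow only http(s) targets (escaping alone would not stop a
    #    javascript: URL from being a valid, clickable href).
    # 2. Entity-encode the attribute value and the text node. quote=True also
    #    encodes " and ', so the value can never close the href="..." quotes.
    if urlsplit(url).scheme not in ("http", "https"):
        url = "#"
    return '<a href="%s">%s</a>' % (
        html.escape(url, quote=True),
        html.escape(label, quote=True),
    )


class _AttrCollector(HTMLParser):
    """Parse markup the way a browser tokenizer would and record attributes."""

    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        self.names.extend(name for name, _value in attrs)


def attribute_names(markup):
    """Return the attribute names a browser would actually see in `markup`."""
    parser = _AttrCollector()
    parser.feed(markup)
    return parser.names


if __name__ == "__main__":
    for render in (render_link_unsafe, render_link_safe):
        out = render(HOSTILE_URL, "click me")
        print(render.__name__, "->", attribute_names(out))
        print("   ", out)
```

With the unsafe renderer the parser reports two attributes, `href` and `onmouseover`, so the handler would fire on hover exactly as in the worm. With the hardened renderer there is a single `href` whose value merely contains the text `onmouseover=` as data. The same rule applies to every output context (HTML body, attribute, JavaScript string, URL): encode for the context you are writing into, and do it in the template layer so it cannot be forgotten on one page.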

THUMB DRIVES USB drives are actually one of, if not the most, common ways you can infect a network from inside a firewall. There are several reasons for this: They’re cheap, small, hold a lot of data, and can be used among multiple computer types. The ubiquity of thumb drives has driven hackers to develop targeted malware, such as the notorious Conficker worm, that can automatically execute upon connecting with a live USB port. What’s worse is that default operating system configurations typically allow most programs (including malicious ones) to run automatically.

PRESENT OFFENDERS

Today's Top 5 Threat Vectors


Scan Your Network for Intruders and Piggybackers

If a neighbor has broken into your network so he or she could download movie torrents, how would you know? Since most home networks use DHCP, open your router’s setup screen in your browser and check the DHCP screen to see how many IP addresses are assigned. Then, try to match those up with the systems on your network. If you have more IP addresses assigned than devices (remember that your smartphone will eat an IP address if it’s using Wi-Fi), you may have an intruder. Another option is to use RogueScanner (www.paglo.com), a free tool that will query devices on your network and compare them to an online database of devices to help you identify the machines.

So what do you do if you have an intruder or suspect one? Since the person has likely infiltrated your network via wireless, you’ll want to lock down your wireless by switching to WPA2 and using a very long and very random key.
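Counting leases against devices works, but it is easy to lose track once phones, consoles and printers are in the mix. The script below is an added example (not from the article and not RogueScanner) that does the same reconciliation by MAC address: paste your router's DHCP lease table into `LEASES`, list the hardware addresses of the devices you own in `KNOWN_DEVICES`, and it prints every lease that does not belong to one of them. The table layout, addresses and names are all constructed for the example.

```python
"""Reconcile a router's DHCP lease table against the devices you own.

Added example, not from the Maximum PC article. LEASES is a constructed copy
of the kind of table a home router's DHCP status page shows (IP, MAC,
hostname); all addresses and names are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    hostname: str


# Constructed lease table as copied from a router status page. The last entry
# reported no hostname ("*"), which is itself a small red flag.
LEASES = """\
192.168.1.10  00:11:22:33:44:55  desktop
192.168.1.11  66:77:88:99:aa:bb  laptop
192.168.1.12  cc:dd:ee:ff:00:11  android-phone
192.168.1.13  de:ad:be:ef:00:01  *
"""

# Your own inventory: MAC -> friendly name. Case and separator are normalized
# below, so copying from a Windows (dash-separated) or a Linux device is fine.
KNOWN_DEVICES = {
    "00:11:22:33:44:55": "desktop",
    "66-77-88-99-AA-BB": "laptop",
    "CC:DD:EE:FF:00:11": "my phone",
}


def normalize_mac(mac):
    """Lower-case and colon-separate a MAC so formats from different OSes match."""
    return mac.strip().lower().replace("-", ":")


def parse_leases(text):
    """Parse 'ip mac [hostname]' lines; lines without at least ip and mac are skipped."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        hostname = parts[2] if len(parts) > 2 else ""
        leases.append(Lease(parts[0], normalize_mac(parts[1]), hostname))
    return leases


def unknown_leases(text, known_devices):
    """Return leases whose MAC is not in the inventory, i.e. possible intruders."""
    known = {normalize_mac(m) for m in known_devices}
    return [lease for lease in parse_leases(text) if lease.mac not in known]


if __name__ == "__main__":
    for lease in unknown_leases(LEASES, KNOWN_DEVICES):
        print(f"unknown device: {lease.ip} {lease.mac} hostname={lease.hostname!r}")
```

Match on the MAC rather than the hostname: the hostname is whatever the connecting device chose to announce and an intruder can set it to anything plausible. A device that does not use DHCP (a static address) will not appear in this table at all, so an empty result is a good sign but not a guarantee; the WPA2 lockdown the sidebar recommends is what actually keeps the neighbor off.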

BY DEREK MANKY
FORTIGUARD LABS

Derek Manky is project manager and cyber security and threat researcher at
Fortinet’s Fortiguard Labs, and author of Fortinet’s monthly Threat Landscape
Report.