The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity levels remained consistent with those from previous weeks. The activity levels for the first quarter of 2009 were significantly lower that those from the first quarter of 2008. Despite the low activity levels, IntelliShield observed an inordinate amount of activity from the Conficker,W32.Ackantta@mm, and the Waledac families of malicious code.

On April 1, 2009, W32/Conficker.C (W32.Downadup.C) was scheduled to change its activity. As expected, the worm began to poll 500 domains per day out of a list of 50,000 domains. However, the authorof the worm did not update any of the domains that W32/Conficker.C attempted to contact and therefore the worm had very little impact. The Conficker Work Group played a major role by preventing the malicious domains from being registered. As a result of this global effort to combat the worm and a heightened state of awareness, there was limited activity with little or no impact observed on April 1. While the activation date has passed, millions of systems still remain infected. So until these machines have been cleaned, the worm may still be considered a threat. This worm is documented in IntelliShield Alert 17121.

On April 2, 2009, Microsoft released a security advisory to address the arbitrary code execution vulnerability in Microsoft Office PowerPoint. A remote attacker could exploit this vulnerability by convincing a user to access a malicious PowerPoint file. A successful exploit could allow the attacker to execute arbitrary code with the privileges of the user, in some cases taking complete control of the targeted system. This vulnerability is described in IntelliShield Alert 17966. Attackers have incorporated an exploit for this vulnerability into a variant of the Trojan.PPDropper family of trojans. The attackers are using the trojan to conduct targeted attacks against user systems. This family of malicious code is described in IntelliShield Alert 10845.

Also in malicious code activity is a website that attempts to trick users into downloading fake HDTV software that is actually a trojan, The website mimics the real Blaze HDTV player website and hosts trojans for Apple Mac OS X systems and Microsoft Windows systems. What makes the threat unique is its ability to determine if a user visits the site using a system running one of these operating systems and serve the appropriate trojan. Systems running Microsoft Windows are presented with a .exe file and systems running Apple Mac OS X are presented with a .dmg file. The .exe file is currently being detected as a variant of the Backdoor.Tidserv family of trojans as documented in IntelliShield Alert 16700. The .dmg file is currently being detected as OSX/Puper.a as documented in IntelliShield Alert 17958.

IntelliShield published 139 events last week: 58 new events and 81 updated events. Of the 139 events, 109 were Vulnerability Alerts, 11 were Security Activity Bulletins, 10 were Malicious Code Alerts, four were Threat Outbreak Alerts, four Security Issue Alerts, and one Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day	Date	New	Updated	Total
Friday	04/03/2009	5	29	34
Thursday	04/02/2009	12	21	33
Wednesday	04/01/2009	12	5	17
Tuesday	03/31/2009	18	5	23
Monday	03/30/2009	11	21	32
Weekly Total	—	58	81	139

 

2009 Monthly Alert Totals

Month	New	Updated	Monthly Total
January	148	392	540
February	227	249	476
March	222	335	557
Totals	597	976	1573

Significant Alerts for March 30–April 5, 2009

Microsoft Office PowerPoint Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 17966, Version 2, April 03, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-0556

Microsoft Office PowerPoint contains a vulnerability that could allow a remote attacker to execute arbitrary code with the privileges of the user. Malicious code exists that leverages this vulnerability to conduct targeted attacks. Microsoft has confirmed this vulnerability; however, updates are not available.

Previous Alerts That Still Represent Significant Risk

Worm: W32/Conficker.worm
IntelliShield Malicious Code Alert 17121, Version 16, April 1, 2009
Urgency/Credibility/Severity Rating: 4/5/3

W32/Conficker.worm is a worm that is propagating across many networks. The worm has reportedly infected millions of systems. One of the worm's propagation routines involves exploiting the Microsoft Windows Server service remote procedure call (RPC) request handling code execution vulnerability, which is described in IntelliShield Alert 16941. The worm prevents infected systems from accessing certain antivirus and security-related websites, which could make diagnosis and removal efforts more difficult. Administrators are advised to apply the MS08-067 Microsoft update to prevent attacks and to take steps to isolate systems that may be infected until they can be fully restored.

Adobe Acrobat Products PDF File Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 17665, Version 10, April 2, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-0658

Adobe Reader, Adobe Acrobat Professional, Acrobat Professional Extended, and Acrobat Standard contain a buffer overflow vulnerability that could allow a remote attacker to create a denial of service condition or execute arbitrary code with the privileges of the user. The level of user privileges and the code that is executed determine the degree to which the system is compromised. This vulnerability is currently being exploited in the wild by the Pidief family of trojans. Additional information about the trojan is available in IntelliShield Alert 14388. Adobe has confirmed the vulnerability and has released updated software.

Microsoft Office Excel Invalid Object Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 17689, Version 5, March 6, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-0238

Microsoft Excel and related products contain a vulnerability that could allow a remote attacker to execute arbitrary code. Attackers are actively exploiting this vulnerability to conduct limited malicious code attacks that are designed to infect targeted systems with a variant of the Mdropper family of trojans. This family of trojans is detailed in IntelliShield Alert 12562. Microsoft has confirmed this vulnerability, but updated software is not available.

Misconfigured Router Causes Increased BGP Traffic and Isolated Outages for Internet Services
IntelliShield Security Activity Bulletin alert 17657, Version 2, February 20, 2009
Urgency/Credibility/Severity Rating: 2/5/3

On Monday, February 16, 2009, a misconfigured router from SuproNet, a Czech Internet Service Provider, caused high increases in Border Gateway Protocol (BGP) updates, as well as isolated outages for Internet services around the world. The disruption was caused by a SuproNet router that issued routing announcement updates that contained overly long Autonomous System (AS) paths. Cisco Security Intelligence Operations has released additional technical information and workarounds to mitigate denial of service conditions that result from overly long AS paths. This information is available in IntelliShield Alert 17670. OpenBSD has fixed a similar flaw, which is described in IntelliShield Alert 17658.

Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability
IntelliShield Vulnerability Alert 17519, Version 6, March 13, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-0075

Microsoft Internet Explorer Version 7.0 contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code or crash the browser. On systems that grant users Administrator privileges, an attacker could execute code that may result in the complete compromise of the affected system. Reports have confirmed the existence of exploit code that uses a Microsoft Office Word document saved in the XML format. Exploits have been observed wherein attackers build Word documents using XML constructs, save them as .doc files, and deliver the malicious documents via e-mail or host them on websites. Several antivirus vendors are reporting the activity.

Physical

G20 Summit Demonstrations

The Group of 20 (G-20) summit was held Thursday, April 2. The summit attracted protestors to central London on Wednesday during a news conference held by Prime Minister Gordon Brown and President Barack Obama. Protests turned violent as the police established barricades in front of the Bank of England. Demonstrators responded by throwing paint, eggs, and fruit at the police. The Royal Bank of Scotland was targeted by a group of protestors who stole equipment, broke windows, and attempted to set fire to the building. One fatality occurred during the protests as medics were hit with bottles while trying to save a man.
Read more
Additional information

IntelliShield Analysis: The economic situation has been a rally point for protests and demonstrations around the world, such as those that recently took place in France, where people continue to target corporate businesses and financial entities. Additional demonstrations and protests will most likely continue until the unemployment rate decreases and economy begins to recover. Public resentment has been on the rise, and many had high hopes for the summit, bordering on the unrealistic. Banking reform and global regulation was not a topic that all parties were able to agree upon, but positive action was taken to strengthen the International Monetary Fund (IMF).Businesses with strong ties to the financial system should keep their business continuity and response plans up-to-date in case demonstrations escalate.

Legal

Couple Sue Acer Over Vista System

A couple from Ohio has sued Acer America Corp. over a Vista PC they had purchased. The PC was preloaded with the Microsoft Vista Premium operating system, but had only one gigabyte of random access memory (RAM).The couple ran into repeated crashes with the system, and overall poor performance. The system also has a graphics adapter which utilizes some of the system memory, further impacting performance when graphic intensive applications are used. The couple is arguing that the system is inherently defective. Read more

IntelliShield Analysis: Acer is claiming that they have not sold a defective product. The argument seems to stem from what parts of Vista are functional on a system with less that one gigabyte of memory available, as in this case. For full functionality of Vista Premium, Microsoft recommends that a user installs one gigabyte of system memory and at least 128 megabytes of video memory. With a sluggish economy vendors and consumers are looking to save money and cut costs, both of which can impact purchases within the tech industry. The couple is attempting to convince a judge to grant the case class-action lawsuit status, but the judge has not yet decided. Organizations should carefully compare software requirement with system hardware, especially when considering less expensive systems.

Trust

Researchers Uncover "GhostNet" Computer Compromises Sensitive Systems

Recently, two university research organizations, one from the University of Toronto and the other from Cambridge, described a network of more than 1,000 compromised systems across 103 countries they named GhostNet. The network contains a significant amount of systems that could have a very high value for attackers who are motivated by government, military, political, or economic ends.
Read more
Additional information

IntelliShield Analysis: The discovery of the GhostNet has uncovered compromises on some very sensitive systems throughout the world. The GhostNet has a fairly large size, compared to the effort each infection represents. The communication and control structure also hints at a level of sophistication among the attackers. Yet, at only over 1,000 systems, most organizations are not likely to have been compromised by this particular network. Although, the methods used to compromise these systems could be leveraged by a determined attacker that is focused on committing such espionage. Organizations should consider implementing security capabilities that monitor for and protect against undisclosed threats like these targeted attacks.

Identity

Symantec Call Center Breach

The British Broadcasting Corporation (BBC) reported that they were able to purchase credit card numbers from Saurabh Sachar, a group operating in the United Kingdom. The BBC has stated that the credit card information was obtained from Symantec’s call center in India, who has responded by sending out letters warning customers that their credit card numbers may have been stolen from a call center. A spokesperson for Symantec has stated that the letters were sent to a little over 200 customers. Most of the customers that were notified where located in the United States; however, Symantec also notified some customers in the United Kingdom and Canada.
Read more
Additional information

IntelliShield Analysis: The breach potentially exposed the credit card information of Symantec customers, but there are no reports of identity theft activity in the United States resulting form this breach; however, affected customers should continue to closely monitor their credit reports for a period of at least one year. Outsourcing certain functions can be cost-effective, but customer data protection needs to be taken into consideration as outsourcing can introduce additional risks and attack surface area. Apart from the risk to customers, such incidents expose affected companies to negative publicity, as the public is becoming increasingly wary of identity theft. This is a small instance of what is believed to be a much larger and continually growing problem, where the majority of these breaches are believed to go unreported.

Human

Poisoned Search Engine Results Propogate Malicious Code

Attacks that use poisoning tactics on search engine results to propagate malicious code are on the rise. One common tactic involves monitoring the most popular search topics, such as Conficker, Robert Madoff, or various holidays and events, and then create malicious websites that mirror the content of legitimate sites that provide information about the search topic. This tactic allows the malicious website to appear near the top of search rankings. Users that attempts to browse to the malicious website could then have their system infected with malicious code that is hosted on the malicious website.
Read More
Additional Information
Additional Information

IntelliShield Analysis: Many users treat popular search engines such as Google and Yahoo! as trusted websites. This trust relationship is often extended to any search results produced by the search engine. Attackers are taking advantage of this trust relationship by poisoning search cache results. Taking advantage of popular topics to propagate malicious code is not a new tactic. Malicious code such as Storm and Waledac have both used e-mail messages that mention popular topics in their propagation routines. Poisoning search engine results allows attackers to continue to use this tactic while bypassing some content filtering routines such as e-mail filtering, while continuing to expose the malicious sites to a large number of users. User awareness and web reputation capabilities can aid in mitigating these attacks.

Geopolitical

North Korea Missile Launch Puts Word on Notice

On Sunday, April 5, 2009, North Korea launched a multi-stage rocket which the country claims placed a communications satellite into orbit. South Korea, Japan and the United States issued statements indicating that the rocket, which they believed was intended to demonstrate North Korea’s ability to launch a long-range ballistic missile armed with a nuclear warhead, failed to put any object into orbit. The launch was likely one of the most closely-watched launches ever, with the U.S. and Japan using the opportunity to showcase cutting-edge reconnaissance and communications capabilities.
Read more
Additional information

IntelliShield Analysis: The partially-successful test confirms that North Korea, which performed an unsuccessful underground nuclear weapon test in 2006, may soon theoretically have the capability to launch a long-range, multi-stage ballistic missile armed with a nuclear warhead. North Korea’s decision to proceed with the test, despite threats of a United Nations Security Council (UNSC) censure and added economic sanctions, indicates a political calculation of brinkmanship that would earn the country the attention they seek more effectively than economic or diplomatic engagement. It also provides further political impetus for Japan to strengthen its offensive military capability after decades of strict pacifism, and puts China, which has long supported North Korean, in a delicate position. For South Korea, which is planning its first-ever satellite launch within the coming months, the launch was something of an embarrassment. These regional dynamics suggest North Korea’s defiant actions may provide a longer term competitive push among its neighbors to demonstrate space-worthy military and communications capabilities.

Upcoming Security Activity

Black Hat Europe 2009: April 14–17, 2009
RSA Conference 2009: April 20–24, 2009

Because of the potential for increased risk on multiple vectors, organizations’ security teams should be aware of and consider making special preparations for the following dates:

United States NCAA basketball tournament: March 19–April 6, 2009
United States income tax day: April 15, 2009
India general elections: April 16–May 13, 2009
South Africa general election: April 22, 2009

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration

---

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.

Back to Top