August, 2012


30
Aug 12

Security Fix for Critical Java Flaw Released

Oracle has issued an urgent update to close a dangerous security hole in its Java software that attackers have been using to deploy malicious software. The patch comes amid revelations that Oracle was notified in April about this vulnerability and a number other other potentially unpatched Java flaws.

The patch fixes a critical flaw in the latest version of Java 7 that is now being widely exploited. Users with vulnerable versions of Java installed can have malware silently planted on their systems just by browsing to a hacked or malicious Web site.

The update brings Java 7 to Update 7, and appears to fix the flaw being exploited and several other security holes. Oracle also released a security update for systems running Java 6, which brings that version to Java 6 Update 35.

Today’s patches are emergency, out-of-schedule updates for Oracle, which previously was not planning to release security updates for Java until October. Although it may appear that Oracle responded swiftly to the discovery of extremely dangerous flaws in its software, Security Explorations — a research firm from Poland — says it alerted Oracle about this vulnerability and 30 others back in April. It’s not yet clear how many of those vulnerabilities were patched in this release.

“We … expected that the most serious of them would be fixed by June 2012 Java CPU,” said Security Explorations CEO and founder Adam Gowdiak told The Register’s Neil McAllister. “But it didn’t happen and Oracle left many issues unpatched with plans to address them in the next Java [updates].”

Continue reading →


29
Aug 12

Researchers: Java Zero-Day Leveraged Two Flaws

New analysis of a zero-day Java exploit that surfaced last week indicates that it takes advantage of not one but two previously unknown vulnerabilities in the widely-used software. The latest figures suggest that these vulnerabilities have exposed more than a billion users to attack.

Esteban Guillardoy, a developer at the security firm Immunity Inc., said the underlying vulnerability has been around since July 28, 2011.

“There are 2 different zero-day vulnerabilities used in this exploit,” Guillardoy wrote in a lengthy analysis of the exploit. “The beauty of this bug class is that it provides 100% reliability and is multi-platform. Hence this will shortly become the penetration test Swiss knife for the next couple of years (as did its older brother CVE-2008-5353).”

ONE BILLION USERS AT RISK?

How many systems are vulnerable? Oracle Corp., which maintains Java, claims that more than 3 billion devices run Java. But how many of those systems run some version of Java 7 (all versions of Java 7 are vulnerable; this flaw does not exist in Java 6 versions).

To get an idea, I asked Secunia, whose Personal Software Inspector program runs on millions of PCs. Secunia said that out of a random sampling of 10,000 PSI users, 34.2 percent had some version of Java 7 installed. In the same data set, 56.4 percent of users had an update of Java 6 installed. Assuming that Secunia’s 10,000 user sample is representative of the larger population of computer users, more than a billion devices could be vulnerable to attack via this exploit.

Continue reading →


27
Aug 12

Attackers Pounce on Zero-Day Java Exploit

Attackers have seized upon a previously unknown security hole in Oracle’s ubiquitous Java software to break into vulnerable systems. So far, the attacks exploiting this weakness have been targeted and not widespread, but it appears that the exploit code is now public and is being folded into more widely-available attack tools such as Metasploit and exploit kits like BlackHole.

A Metasploit module developed to target this Java 0-day.

News of the vulnerability (CVE-2012-4681) surfaced late last week in a somewhat sparse blog post by FireEye, which said the exploit seemed to work against the latest version of Java 7, which is version 1.7, Update 6. This morning, researchers Andre’ M. DiMino & Mila Parkour published additional details on the targeted attacks seen so far, confirming that the zero-day affects Java 7 Update 0 through 6, but does not appear to impact Java 6 and below.

Initial reports indicated that the exploit code worked against all versions of Internet Explorer, Firefox and Opera, but did not work against Google Chrome. But according to Rapid 7, there is a Metasploit module in development that successfully deploys this exploit against Chrome (on at least Windows XP).

Also, there are indications that this exploit will soon be rolled into the BlackHole exploit kit. Contacted via instant message, the curator of the widely-used commercial attack tool confirmed that the now-public exploit code worked nicely, and said he planned to incorporate it into BlackHole as early as today. “The price of such an exploit if it were sold privately would be about $100,000,” wrote Paunch, the nickname used by the BlackHole author.

Oracle is not scheduled to release another security update for Java until October. In the meantime, it’s a good idea to either unplug Java from your browser or uninstall it from your computer completely.

Continue reading →


27
Aug 12

Dropbox Now Offers Two-Step Authentication

Online file-backup and storage service Dropbox has begun offering a two-step authentication feature to help users beef up the security of their accounts. The promised change comes less than a month after the compromise of a Dropbox employee’s account exposed many Dropbox user email addresses.

Dropbox users can take advantage of the new security measure by logging in at this link, and then clicking the “Security” tab. Under account sign in, click the link next to “Two-step verification.” You’ll have the option of getting security code sent to your mobile device, or using one of several mobile apps that leverage the Time-based One-Time Password algorithm.

If you’re already familiar with the Google Authenticator app for Gmail’s two-step verification process (available for Android/iPhone/BlackBerry) this is a no-brainer: When prompted,  open the app and create a new token, then use the app to scan the bar code on your computer screen. Enter the key generated by the app into your account settings on the site, and you’re done. Other supported apps include Amazon AWS MFA (Android) and Authenticator (Windows Phone 7).

Continue reading →


21
Aug 12

New Adobe Flash Player Update Fixes 6 Flaws

For the second time in a week, Adobe has shipped a critical security update for its Flash Player software. This patch, part of a planned release, closes at least five six security holes in the widely-used browser plugin, and comes just one week after the company rushed out a fix for a flaw that attackers were already exploiting in the wild.

Updates are available for Windows, Mac, Linux and Android platforms. Windows and Mac users will need to update to v. 11.4.402.265 (Linux and Android users should see the advisory for their version numbers). The Flash Player installed with Google Chrome should automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player v. 11.3.31.230 for Windows and Linux, and Flash Player v. 11.4.402.265 for Macintosh. When I composed this post, however, the installation of Chrome on my Mac had not yet updated to the new version Google began pushing out today (a restart of the browser fixed that).

To find out what version of Flash is on your system, browse to this link. The latest version is available at this link, which should auto-detect the version of Flash your browser and operating system needs. Windows users take note: Unless you also want McAfee Security Scan Plus bundled with your Flash update, make sure to uncheck that box before clicking “download now.”

Adobe also has released an update that addresses these vulnerabilities in Adobe AIR. Windows and Mac users will want to update to Adobe AIR 3.4.0.2540. Windows users should be able to tell if they have this program installed and its version number from the Add/Remove Programs section of the Windows Control Panel. Determining the presence of AIR and its version number gets a bit more complicated for Mac users.


20
Aug 12

Inside the Grum Botnet

KrebsOnSecurity has obtained an exclusive look inside the back-end operations of the recently-destroyed Grum spam botnet. It appears that this crime machine was larger and more complex than many experts had imagined. It also looks like my previous research into the identity of the Grum botmaster was right on target.

The “Stats” page from a Grum botnet control panel show more than 193,000 systems were infected with the malware.

A source in the ISP community who asked to remain anonymous shared a copy of a Web server installation that was used as a controller for the Grum botnet. That controller contained several years’ worth of data on the botnet’s operations, as well as detailed stats on the spam machine’s size just prior to its takedown.

At the time of Grum’s demise in mid-July 2012, it was responsible for sending roughly one in every six spams delivered worldwide, and capable of blasting 18 billion spam emails per day. Anti-spam activists at Spamhaus.org estimated that there were about 136,000 Internet addresses seen sending spam for Grum.

But according to the database maintained on this Grum control server prior to its disconnection in mid-July, more than 193,000 systems were infected with one of three versions of the Grum code, malware that turned host systems into spam-spewing zombies. The system seems to have kept track of infected machines not by Internet address but with a unique identifier for each PC, although it’s not immediately clear how the Grum botnet system derived or verified those identifying fingerprints.

Some of Grum’s email lists. Most lists contained upwards of 20 million addresses.

The Web interface used to control the botnet was called “Zagruska Systems,” (“zagruska” is a transliteration of the Russian word “загрузка,” which means “download”). The HTML code on the server includes the message “Spam Service Coded by -= ( Spiderman).”

The password used to administer the botnet’s Web-based interface was “a28fe103a93d6705d1ce6720dbeb5779″; that’s an MD5 hash of the password “megerasss”. Interestingly, this master password contains the name Gera, which I determined in an earlier investigative story was the nickname used by the Grum botmaster. The name Gera also is used as a title for one of several classes of forged email headers that the botnet had available to send junk mail; other titles for falsified header types included the names “Chase,” “eBay” and “Wachovia,” suggesting a possible phishing angle.

Continue reading →


14
Aug 12

Critical Security Fixes from Adobe, Microsoft

Adobe and Microsoft each issued security updates today to fix critical vulnerabilities in their software. Adobe’s fixes include a patch for a Flash Player flaw that is actively being exploited to break into Windows computers. Microsoft’s Patch Tuesday release includes nine patch bundles — more than half of them rated critical — addressing at least 27 security holes in Windows and related software.

The most pressing of the updates Adobe released today is the Flash Player patch, which fixes a critical flaw (CVE-2012-1535) in the ubiquitous media player software. Adobe says there are reports that the vulnerability is being exploited in the wild in limited targeted attacks, distributed through a malicious Microsoft Word document. The exploit targets the ActiveX version of Flash Player for Internet Explorer on Windows.

Continue reading →


13
Aug 12

Inside a ‘Reveton’ Ransomware Operation

The U.S Federal Bureau of Investigation is warning about an uptick in online extortion scams that impersonate the FBI and frighten people into paying fines to avoid prosecution for supposedly downloading child pornography and pirated content. This post offers an inside look at one malware gang responsible for orchestrating such scams.

Reveton ransomware scam impersonating FBI

Reveton ransomware scam page impersonating the FBI

In an alert published last week, the FBI said that The Internet Crime Complaint Center — a partnership between the FBI and the National White Collar Crime Center — was “getting inundated with complaints” from consumers targeted or victimized by the scam, which uses drive-by downloads to hijack host machines. The downloaded malware displays a threatening message (see image to the right) and blocks the user from doing anything else unless he pays the fine or finds a way to remove the program.

The FBI alert said the attacks have surged with the help of a “new drive-by virus” called Reveton; in fact, Reveton and its ilk are hardly new. These types of attacks have been around for years, but traditionally have targeted European users. The scam pages used in the attacks mimic official notices from various national police or investigatory agencies, corresponding to the country in which the victim resides. For a breakdown of these Reveton-related ransomware scam pages by country, see this comprehensive gallery set up at botnets.fr.

Reveton.A is blamed in these most recent attacks, and the FBI said it appears Reveton is being distributed in conjunction with Citadel, an offshoot of the ZeuS Trojan that I have written about on several occasions. It is certainly possible that crooks are using Citadel to deploy Reveton, but as I’ll illustrate below, it seems more likely that the attackers in these cases are using exploit kits like BlackHole to plant both threats on victim PCs.

INSIDE A REVETON MALWARE GANG

Operations of one Reveton crime group. Source: ‘Kafeine,’ from botnets.fr.

At least that’s the behavior that’s been observed by a ragtag group of researchers that has been tracking Reveton activity for many months. Some of the researchers are associated with botnets.fr, but they’ve asked to remain nameless because of the sensitivity of their work. One of them, who goes by the screen name “Kafeine,” said much of the Reveton activity traces back to a group that is controlling the operation using reverse proxies at dozens of servers scattered across data centers globally (see this PDF for a more detailed look at the image above).

Kafeine said the groups involved in spreading Reveton are constantly fine-tuning all aspects of their operations, from the scam pages to solidifying their back-end hosting infrastructure. The latest versions of Reveton, for example, serve the scam pages from an encrypted (https://) connection, and only cough up the pages when an infected machine visits and sends a special request. Continue reading →


10
Aug 12

‘Booter Shells’ Turn Web Sites into Weapons

Hacked Web sites aren’t just used for hosting malware anymore. Increasingly, they are being retrofitted with tools that let miscreants harness the compromised site’s raw server power for attacks aimed at knocking other sites offline.

It has long been standard practice for Web site hackers to leave behind a Web-based “shell,” a tiny “backdoor” program that lets them add, delete and run files on compromised server. But in a growing number of Web site break-ins, the trespassers also are leaving behind simple tools called “booter shells,” which allow the miscreants to launch future denial-of-service attacks without the need for vast networks of infected zombie computers.

absoboot.com’s configuration page

According to Prolexic, an anti-DDoS company I’ve been working with for the past few weeks to ward off attacks on my site, with booter shells DDoS attacks can be launched more readily and can cause more damage, with far fewer machines. “Web servers typically have 1,000+ times the capacity of a workstation, providing hackers with a much higher yield of malicious traffic with the addition of each infected web server,” the company said in a recent advisory.

The proliferation of booter shells has inevitably led to online services that let paying customers leverage these booter shell-backdoored sites. One such service is absoboot.com, also reachable at twbooter.com. Anyone can sign up, fund the account with Paypal or one of several other virtual currencies, and start attacking. The minimum purchase via PayPal is $15, which buys you about 5 hours worth of keeping a site down or at least under attack.

If you’d prefer to knock an individual internet user offline as opposed to a Web site, absoBoot includes a handy free tool that lets users discover someone’s IP address. Just select an image of your choice (or use the pre-selected image) and send the target a customized link that is specific to your absoBoot account. The link to the picture is mapped to a domain crafted to look like it takes you to imageshack.us; closer inspection of the link shows that it fact ends in “img501.ws,” and records the recipients IP address if he or she views the image. Continue reading →


8
Aug 12

Triple DDoS vs. KrebsOnSecurity

“When nobody hates you, nobody knows you’re alive.” – Diplomacy, by Chris Smither

During the last week of July, a series of steadily escalating cyber attacks directed at my Web site and hosting provider prevented many readers from being able to reach the site or read the content via RSS. Sorry about that. What follows is a post-mortem on those digital sieges, which featured a mix of new and old-but-effective attack methods.

Junk traffic sent by a DNS amplification attack.

I still don’t know who was attacking my site or why. It’s not as if the perpetrator(s) sent a love letter along with the traffic flood. There was one indication that a story I published just hours before the attacks began — about a service for mass-registering domain names used for malware, spam and other dodgy business — may have struck a nerve: In one of the attacks, all of the assailing systems were instructed to load that particular story many times per second.

Oddly enough, the activity began just one day after I’d signed up with Prolexic. The Hollywood, Fla. based company helps businesses fend off distributed denial of service (DDoS) attacks, assaults in which miscreants knock targeted sites offline by flooding them with garbage traffic. Prolexic was among several anti-DDoS companies that offered to help earlier this year, when KrebsOnSecurity.com came under a separate spate of debilitating attacks.

The first DDoS campaigns consisted of several hundred systems repeatedly requesting image-heavy pages on my site. Prolexic’s analysts say the traffic signatures of these attacks matched that of a family of kits sold in the underground that allow anyone to quickly create their own botnet specifically for launching DDoS attacks. Both are believed to have been created by the same individual(s) behind the Dirt Jumper DDoS toolkit. The traffic signatures from the attack strongly suggest the involvement of two Dirt Jumper progeny: Di-BoTNet and Pandora.

Image courtesy Prolexic

Pandora is the latest in the Dirt Jumper family, and features four different attack methods. According to Prolexic, the one used against KrebsOnSecurity.com was Attack Type 4, a.k.a “Max Flood”; this method carries a fairly unique signature of issuing POST requests against a server that are over a million bytes in length.

Pandora’s creators boast that it only takes 10 PCs infected with the DDoS bot to bring down small sites, and about 30 bots to put down a mid-sized site that lacks protection against DDoS attacks. They claim 1,000 Pandora bots are enough to bring Russian search engine giant yandex.ru to a crawl, but that strikes me as a bit of salesmanship and exaggeration. Prolexic said more than 1,500 Pandora-infected bots were used in the assault on my site.

Continue reading →