Posts Tagged: sans internet storm center


10
Apr 14

Heartbleed Bug: What Can You Do?

In the wake of widespread media coverage of the Internet security debacle known as the Heartbleed bug, many readers are understandably anxious to know what they can do to protect themselves. Here’s a short primer.

The Heartbleed bug concerns a security vulnerability in a component of recent versions of OpenSSL, a technology that a huge chunk of the Internet’s Web sites rely upon to secure the traffic, passwords and other sensitive information transmitted to and from users and visitors.

Around the same time that this severe flaw became public knowledge, a tool was released online that allowed anyone on the Internet to force Web site servers that were running vulnerable versions of OpenSSL to dump the most recent chunk of data processed by those servers.

That chunk of data might include usernames and passwords, re-usable browser cookies, or even the site administrator’s credentials. While the exploit only allows for small chunks of data to be dumped each time it is run, there is nothing to prevent attackers from replaying the attack over and over, all the while recording fresh data flowing through vulnerable servers. Indeed, I have seen firsthand data showing that some attackers have done just that; for example, compiling huge lists of credentials stolen from users logging in at various sites that remained vulnerable to this bug.

For this reason, I believe it is a good idea for Internet users to consider changing passwords at least at sites that they visited since this bug became public (Monday morning). But it’s important that readers first make an effort to determine that the site in question is not vulnerable to this bug before changing their passwords. Here are some resources that can tell you if a site is vulnerable: Continue reading →


13
Mar 14

Blogs of War: Don’t Be Cannon Fodder

On Wednesday, KrebsOnSecurity was hit with a fairly large attack which leveraged a feature in more than 42,000 blogs running the popular WordPress content management system (this blog runs on WordPress). This post is an effort to spread the word to other WordPress users to ensure their blogs aren’t used in attacks going forward.

armyAt issue is the “pingback” function, a feature built into WordPress and plenty of other CMS tools that is designed to notify (or ping) a site that you linked to their content. Unfortunately, like most things useful on the Web, the parasites and lowlifes of the world are turning pingbacks into a feature to be disabled, lest it be used to attack others.

And that is exactly what’s going on. Earlier this week, Web site security firm Sucuri Security warned that it has seen attackers abusing the pingback function built into more than 160,000 WordPress blogs to launch crippling attacks against other sites.

Continue reading →


9
Nov 11

Adobe, Apple, Microsoft & Mozilla Issue Critical Patches

Adobe, Apple, Microsoft and Mozilla all released updates on Tuesday to fix critical security flaws in their products. Adobe issued a patch that corrects four vulnerabilities in Shockwave Player, while Redmond pushed updates to address four Windows flaws. Apple slipped out an update that mends at least 17 security holes in its version of Java, and Mozilla issued yet another major Firefox release, Firefox 8.

The only “critical” patch from Microsoft this month is a dangerous Windows flaw that could be triggered remotely to install malicious software just by sending the target system specially crafted packets of data. Microsoft says this vulnerability may be difficult to reliably exploit, but it should be patched immediately. Information on the other three flaws fixed this week is here. The fixes are available via Windows Updates for most supported versions of the operating system, including XP, Vista and Windows 7. Continue reading →


6
May 11

Scammers Swap Google Images for Malware

A picture may be worth a thousand words, but a single tainted digital image may be worth thousands of dollars for computer crooks who are using weaknesses in Google’s Image Search to foist malicious software on unsuspecting surfers.

For several weeks, some readers have complained that clicking on Google Images search results directed them to Web pages that pushed rogue anti-virus scareware via misleading security alerts and warnings. On Wednesday, the SANS Internet Storm Center posted a blog entry saying they, too, were receiving reports of Google Image searches leading to fake anti-virus sites. According to SANS, the attackers have compromised an unknown number of sites with malicious scripts that create Web pages filled with the top search terms from Google Trends. The malicious scripts also fetch images from third-party sites and include them in the junk pages alongside the relevant search terms, so that the automatically generated Web page contains legitimate-looking content.

A Firefox add-on in development shows malicious images in dark red.

Google’s Image Search bots eventually will index this bogus content. If users are searching for words or phrases that rank high in the current top search terms, it is likely that thumbnails from these malicious pages will be displayed beside other legitimate results.

As SANS handler Bojan Zdrnja explains, the exploit happens when a user clicks on one of these tainted thumbnails. “This is where the ‘vulnerability’ is,” Zdrnja wrote. “The user’s browser will automatically send a request to the bad page which runs the attacker’s script. This script checks the request’s referrer field and if it contains Google (meaning this was a click on the results page in Google), the script displays a small JavaScript script…[that] causes the browser to be redirected to another site that is serving FakeAV. Google is doing a relatively good job removing (or at least marking) links leading to malware in normal searches, however, Google’s image search seem to be plagued with malicious links.”

Denis Sinegubko, a Russian malware researcher who has been studying the fake anti-virus campaigns, called this tactic “the most efficient black hat trick ever,” and said it is exceedingly easy to set up. He said he’s received access logs from the owners of several hacked sites, and has used the data to estimate the traffic Google sends to these bogus image search pages. Sinegubko reckons that there are more than 5,000 hacked sites, and that the average site has been injected with about 1,000 of these bogus pages. The average page receives a visitor from Google approximately every 10 days, he said, which means Google is referring about a half million visits to fake anti-virus sites every day, or about 15 million visits each month.

For example, one of the hacked sites Sinegubko said he saw access logs for was in Croatia; It had a Google page rank of zero prior to being compromised with the phony image search scripts. The logs showed that the site had been hacked on Mar. 18, 2011, and that Google began indexing the tainted image pages the next day. “During the next 5 weeks it has indexed 27,200+ doorway pages on this site,” he wrote in a blog post on his findings. “During the same 5 weeks Google Image search has sent 140,000+ visitors to this small site.”

Sinegubko is developing an add-on for Firefox that can flag malicious Google Image search results by placing a red box around images that appear to link to hostile sites; Images with a pale pink box around them are hot-linked and may also be malicious, Sinegubko said. I tested the add-on (which is not ready for public release) searching for the cover art for the album “Kaputt” by the Canadian band Destroyer. As you can see from the image above, most of the images returned link to sites pushing fake anti-virus.

Continue reading →


10
Jan 11

Exploit Packs Run on Java Juice

In October, I showed why Java vulnerabilities continue to be the top moneymaker for purveyors of “exploit kits,” commercial crimeware designed to be stitched into hacked or malicious sites and exploit a variety of Web-browser vulnerabilities. Today, I’ll highlight a few more recent examples of this with brand new exploit kits on the market, and explain why even fully-patched Java installations are fast becoming major enablers of browser-based malware attacks.

Check out the screenshots below, which show the administration page for two up-and-coming exploit packs. The first, from an unusually elaborate exploit kit called “Dragon Pack,” is the author’s own installation, so the percentage of “loads” or successful installations of malware on visitor PCs should be taken with a grain of salt (hat tip to Malwaredomainlist.com). Yet, it is clear that miscreants who purchase this pack will have the most success with Java flaws.

This blog has a nice writeup — and an additional stats page — from a compromised site that last month was redirecting visitors to a page laced with exploits from a Dragon Pack installation.

The second image, below, shows an administrative page that is centralizing statistics for several sites hacked with a relatively new $200 kit called “Bleeding Life.” Again, it’s plain that the Java exploits are the most successful. What’s interesting about this kit is that its authors advertise that one of the “exploits” included isn’t really an exploit at all: It’s a social engineering attack. Specifically, the hacked page will simply abuse built-in Java functionality to ask the visitor to run a malicious Java applet.

On Dec. 29, the SANS Internet Storm Center warned about a wave of Java attacks that were apparently using this social engineering approach to great effect. The attacks were taking advantage of built-in Java functionality that will prompt the user to download and run a file, but using an alert from Java (if a Windows user accepts, he or she is not bothered by a separate prompt or warning from the operating system).

“If you don’t have any zero-days, you can always go back to exploiting the human!” SANS incident handler Daniel Wesemann wrote. “This is independent of the JRE version used – with JRE default settings, even on JRE1.6-23, all the user has to do is click ‘Run’ to get owned.  The one small improvement is that the latest JREs show ‘Publisher: (NOT VERIFIED) Java Sun’ in the pop-up, but I guess that users who read past the two exclamation marks will be bound to click ‘Run’ anyway.”

Continue reading →


24
Nov 10

Spear Phishing Attacks Snag E-mail Marketers

Criminals have been conducting complex, targeted e-mail attacks against employees at more than 100 e-mail service providers (ESPs) over the past several months in a bid to hijack computers at companies that market directly to customers of some of the world’s largest corporations, anti-spam experts warn.

The attacks are a textbook example of how organized thieves can abuse trust relationships between companies to access important resources that are then recycled in future attacks. According to multiple sources, the so-called “spear phishing” attacks in this fraud campaign arrived as virus-laden e-mails addressing ESP employees by name, and many cases included the name of the ESP in the body of the message.

The poisoned missives used a variety of ruses, but generally included an invitation to view images at a Web site URL included in the message — such as a link to wedding photos or an online greeting card. Recipients who clicked the links were redirected to sites that attempted to silently install software designed to steal passwords and give attackers remote control over infected systems.

Neil Schwartzman, senior director of security strategy at e-mail security provider Return Path Inc, said the spear-phishing attacks have targeted e-mail marketing companies that manage opt-in campaigns for some of the biggest corporate brands in existence.

“This is an organized, deliberate, and destructive attack clearly intent on gaining access to industry-grade email deployment systems,” Schwartzman said. “Further, the potential consequences should ESP client mailing lists be compromised at this time of the year is unimaginable.”

Update: Nov. 25, 12:33 p.m. ET: Return Path is now saying that it also was compromised and that its clients are reporting that they have received spear-phishing attacks over the last 24 hours. Read on past the jump for more on this update.

Original post:

Chris Nelson, a security manager at an ESP that was compromised by these attacks, spoke with KrebsOnSecurity.com on condition that his employer not be named. Nelson said he traced the attack used to infiltrate his company’s servers back to Internet addresses in the Netherlands, where he found evidence that at least a dozen other ESPs were similarly compromised. The attacks, he said, appear aimed at gaining control over customer accounts and e-mail address lists that could be used in future spam and scam campaigns.

All of the evidence suggests these attacks have been going on for several months, Nelson said.

Continue reading →


12
Oct 10

Microsoft Plugs a Record 49 Security Holes

Microsoft today issued 16 update bundles to fix a record-breaking 49 separate security vulnerabilities in computers powered by its Windows operating systems and other software.

“Microsoft has broken several of its own Patch Tuesday records this year, but this month far surpasses them all,” said Joshua Talbot, security intelligence manager, Symantec Security Response. “Perhaps most notable this month is the number of vulnerabilities that facilitate remote code execution. By our count, 35 of the issues fall into this category. These are bugs that could allow an attacker to run any command they wish on vulnerable machines.”

McAfee notes that today’s release exceeds the previous record of 34 vulnerabilities fixed in one go, which was first set in October 2009, and again in June and August of this year.

Microsoft said at least eight of the vulnerabilities were publicly disclosed prior to the release of today’s patches. The software giant also fixed one of the two remaining zero-day flaws exploited by the Stuxnet worm, a complex family of malware pegged by researchers as a weapon built to attack industrial control systems embedded in facilities like power and chemical manufacturing plants.

At the top of the critical list is an update for Internet Explorer versions 6 through 8 that plugs at least 10 security holes in the default Web browser on Windows, including two flaws that were disclosed previously. Several of the IE flaws are marked critical even on the latest versions of Microsoft’s products, including IE8 running on Windows 7 systems.

Two updates for versions of Microsoft Word and Excel comprise about half of the vulnerabilities addressed in today’s release.

Today’s fixes are available through Windows Update or by enabling Automatic Update in Windows. As always, if you experience any glitches or problems applying these patches, please drop a note in the comments section.

For more information on the patches, check out SANS Internet Storm Center‘s Black Tuesday roundup, as well as Microsoft’s Security Research & Defense blog.

Update, 3:58 p.m. ET: Several readers have pointed out that Microsoft took the momentous step today of adding detection for the infamous ZeuS Trojan to its Malicious Software Removal Tool. The MSRT is offered alongside Windows updates and if approved will scan host computers once a month for a variety of the most prevalent threats. It will be interesting to chart the impact of this welcome move by Microsoft.


21
Jul 10

Tool Blunts Threat from Windows Shortcut Flaw

Microsoft has released a stopgap fix to help Windows users protect themselves against threats that may try to target a newly discovered, critical security hole that is present in every supported version of Windows.

Last week, KrebsOnSecurity.com reported that security researchers in Belarus had found a sophisticated strain of malware that was exploiting a previously unknown flaw in the way Windows handles shortcut files. Experts determined that the malware exploiting the vulnerability was being used to attack computers that interact with networks responsible for controlling the operations of large, distributed and very sensitive systems, such as manufacturing and power plants.

When Microsoft initially released an advisory acknowledging the security hole last week, it said customers could disable the vulnerable component by editing the Windows registry. Trouble is, editing the registry can be a dicey affair for those less experienced working under the hood in Windows because one errant change can cause system-wide problems.

But in an updated advisory posted Tuesday evening, Microsoft added instructions for using a much simpler, point-and-click “FixIt” tool to disable the flawed Windows features. That tool, available from this link, allows Windows users to nix the vulnerable component by clicking the “FixIt” icon, following the prompts, and then rebooting the system.

Be advised, however, that making this change could make it significantly more difficult for regular users to navigate their computer and desktop, as it removes the graphical representation of icons on the Task bar and Start menu bar and replaces them with plain, white icons.

For instance, most Windows users are familiar with these icons:

According to Microsoft, after applying this fix, those icons will be replaced with nondescript (and frankly ugly) placeholders that look like this:

Continue reading →


21
Apr 10

McAfee False Detection Locks Up Windows XP

McAfee‘s anti-virus software is erroneously detecting legitimate Windows system files as malicious, causing reboot loops and serious stability problems for many Windows XP users, according to multiple reports.

The SANS Internet Storm Center has received dozens of reports from McAfee users who complained that a recent anti-virus update (DAT 5958) is causing Windows xP Service Pack 3 clients to be locked out. According to SANS incident handler Johannes Ulllrich, McAfee is flagging “svchost.exe” as malicious. Svchost is a common system process typically used by multiple legitimate programs on a Windows system (although malware does often inject itself into this process), so having an anti-virus program that flags the process as a threat could cause major problems on a host system, Ullrich said.

“The [reports] keep coming in,” Ullrich said. “Systems either get stuck in a reboot loop, or networking is no longer working.”

One symptom seems to be that McAfee reports that user systems are infected with W32.Wecorl.a. The anti-virus program’s attempts to destroy or quarantine that targeted process then forces the Windows machine into a reboot cycle.

McAfee’s own support forum is currently queuing up with a large number of users piping in with stories about how the incident is affecting their operations. That thread,which began at 9:54 a.m. today, has more than 27,000 views and 83 replies.

Stay tuned for more updates as available.

Update, 1:56 p.m. ET: McAfee released the following statement regarding this event. “McAfee is aware that a number of customers have incurred a false positive error due to incorrect malware alerts on Wednesday, April 21. The problem occurs with the 5958 virus definition file (DAT) that was released on April 21 at 2.00 PM GMT+1 (6am Pacific Time).

Our initial investigation indicates that the error can result in moderate to significant performance issues on systems running Windows XP Service Pack 3.

The faulty update has been removed from McAfee download servers for corporate users, preventing any further impact on those customers. We are not aware of significant impact on consumer customers and believe we have effectively limited such occurrence.

McAfee teams are working with the highest priority to support impacted customers and plan to provide an update virus definition file shortly. McAfee apologizes for any inconvenience to our customers.”

Update, 3:51 p.m. ET: McAfee’s main support forum is down due to an “unusually large traffic.” McAfee has posted a separate thread here that includes a couple of workarounds for customers struggling to deal with this problem.


14
Apr 10

Unpatched Java Exploit Spotted In-the-Wild

Last week, a Google security researcher detailed a little-known feature built into Java that can be used to launch third-party applications. Today, security experts unearthed evidence that a popular song lyrics Web site was compromised and seeded with code that leverages this Java feature to install malicious software.

On April 9, Google researcher Tavis Ormandy posted to the FullDisclosure mailing list that he’d discovered he could abuse a feature in Java to launch arbitrary applications on a Windows PC using a specially-crafted Web site.  Ormandy said the feature had been included in every version of Java since Java 6 Update 10, and was intended as a way to make it easier for developers to distribute their applications. Along with that disclosure, Ormandy published several examples of how attackers might use this functionality in Java to load malicious applications onto a user’s system.

As of this morning, songlyrics.com, a site that according to traffic analysis firm compete.com receives about 1.7 million visits each month, was loading code from assetmancomcareers.com, a Russian Web site with a history of pushing rogue anti-virus. The domain name servers for assetmancomcareers.com also serve:

spyeraser-security.com
spyeraser-trial.com
spyeraser-software.com

According to Roger Thompson, chief research officer at AVG, the site appears to use the very same code mentioned in Ormandy’s proof-of-concept to silently redirect songlyrics.com visitors to a site that loads the “Crimepack” exploit kit, a relatively new kit designed to throw a heap of software exploits at visiting browsers (see screenshot of a Crimepack administration page below).

It’s unclear whether Oracle plans to change the behavior of this feature in Java. For now, if you have Java installed on your system (don’t know? click here), you might consider implementing one or both of the workarounds mentioned here in a SANS Internet Storm Center writeup on this.

Continue reading →