Krebs on Security

Microsoft Issues Fix for Zero-Day IE Flaw

January 14, 2013

Microsoft today deviated from its usual monthly patch cycle in issuing an emergency security update to fix a critical security hole in its Internet Explorer Web browser that attackers have been exploiting to break into Windows PCs.

The update, MS13-008, addresses a single vulnerability in IE versions 6 through 8, and is available through Windows Update. The patch comes a little more than two weeks after security firms began seeing evidence that hackers were leveraging the vulnerability in targeted attacks. Microsoft maintains that it has seen only a limited number of attacks against the flaw, but acknowledged in a blog post that “the potential exists that more customers could be affected.”

Prior to today, Microsoft released a stopgap Fix It tool to help blunt attacks against the IE flaw. According to Microsoft, “if you previously applied the Fix it offered through the advisory, you do not need to uninstall it before applying the security update released today. However, the Fix it is no longer needed after the security update is installed, so we are recommending that you uninstall it after you have applied the update to your system.” Users who applied the Fix It solution can uninstall it by clicking the Fix It icon under the words “Disable MSHTML shim workaround” at this page.

Oracle Ships Critical Security Update for Java

January 13, 2013

55 Comments

Oracle has released a software update to fix a critical security vulnerability in its Java software that miscreants and malware have been exploiting to break into vulnerable computers.

Java 7 Update 11 fixes a critical flaw (CVE-2013-0422) in Java 7 Update 10 and earlier versions of Java 7. The update is available via Oracle’s Web site, or can be downloaded from with Java via the Java Control Panel. Existing users should be able to update by visiting the Windows Control Panel and clicking the Java icon, or by searching for “Java” and clicking the “Update Now” button from the Update tab.

This update also changes the way Java handles Web applications. According to Oracle’s advisory: “The default security level for Java applets and web start applications has been increased from “Medium” to “High”. This affects the conditions under which unsigned (sandboxed) Java web applications can run. Previously, as long as you had the latest secure Java release installed applets and web start applications would continue to run as always. With the “High” setting the user is always warned before any unsigned application is run to prevent silent exploitation.”

It’s nice that Oracle fixed this vulnerability so quickly, but I’ll continue to advise readers to junk this program altogether unless they have a specific need for it. For one thing, Oracle tried (and failed) to fix this flaw in an earlier update. Also, it seems malware writers are constantly finding new zero-day vulnerabilities in Java, and I would not be surprised to see this zero-day situation repeat itself in a month or so. Also, most users who have Java installed can get by just fine without it (businesses often have mission-critical operations that rely on Java).

If you need Java for a specific Web site, consider adopting a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox, and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site(s) that require(s) it.

What You Need to Know About the Java Exploit

January 12, 2013

73 Comments

On Thursday, the world learned that attackers were breaking into computers using a previously undocumented security hole in Java, a program that is installed on hundreds of millions of computers worldwide. This post aims to answer some of the most frequently asked questions about the vulnerability, and to outline simple steps that users can take to protect themselves.

Update, Jan. 13, 8:14 p.m. ET: Oracle just released a patch to fix this vulnerability. Read more here.

Q: What is Java, anyway?
A: Java is a programming language and computing platform that powers programs including utilities, games, and business applications. According to Java maker Oracle Corp., Java runs on more than 850 million personal computers worldwide, and on billions of devices worldwide, including mobile and TV devices. It is required by some Web sites that use it to run interactive games and applications.

Q: So what is all the fuss about?
A: Researchers have discovered that cybercrooks are attacking a previously unknown security hole in Java 7 that can be used to seize control over a computer if a user visits a compromised or malicious Web site.

Q: Yikes. How do I protect my computer?
A: The version of Java that runs on most consumer PCs includes a browser plug-in. According to researchers at Carnegie Mellon University‘s CERT, unplugging the Java plugin from the browser essentially prevents exploitation of the vulnerability. Not long ago, disconnecting Java from the browser was not straightforward, but with the release of the latest version of Java 7 — Update 10 — Oracle included a very simple method for removing Java from the browser. You can find their instructions for doing this here.

Q: How do I know if I have Java installed, and if so, which version?
A: The simplest way is to visit this link and click the “Do I have Java” link, just below the big red “Download Java” button.

Q: I’m using Java 6. Does that mean I don’t have to worry about this?
A: There have been conflicting findings on this front. The description of this bug at the National Vulnerability Database (NVD), for example, states that the vulnerability is present in Java versions going back several years, including version 4 and 5. Analysts at vulnerability research firm Immunity say the bug could impact Java 6 and possibly earlier versions. But Will Dormann, a security expert who’s been examining this flaw closely for CERT, said the NVD’s advisory is incorrect: CERT maintains that this vulnerability stems from a component that Oracle introduced with Java 7. Dormann points to a detailed technical analysis of the Java flaw by Adam Gowdiak of Security Explorations, a security research team that has alerted Java maker Oracle about a large number of flaws in Java. Gowdiak says Oracle tried to fix this particular flaw in a previous update but failed to address it completely.

Either way, it’s important not to get too hung up on which versions are affected, as this could become a moving target. Also, a new zero-day flaw is discovered in Java several times a year. That’s why I’ve urged readers to either uninstall Java completely or unplug it from the browser no matter what version you’re using.

Q: A site I use often requires the Java plugin to be enabled. What should I do?
A: You could downgrade to Java 6, but that is not a very good solution. Oracle will stop supporting Java 6 at the end of February 2013, and will soon be transitioning Java 6 users to Java 7 anyway. If you need Java for specific Web sites, a better solution is to adopt a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox, and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site(s) that require(s) it.

Q: I am using a Mac, so I should be okay, right?
A: Not exactly. Experts have found that this flaw in Java 7 can be exploited to foist malware on Mac and Linux systems, in addition to Microsoft Windows machines. Java is made to run programs across multiple platforms, which makes it especially dangerous when new flaws in it are discovered. For instance, the Flashback worm that infected more than 600,000 Macs wiggled into OS X systems via a Java flaw. Oracle’s instructions include advice on how to unplug Java from Safari. I should note that Apple has not provided a version of Java for OS X beyond 6, but users can still download and install Java 7 on Mac systems. However, it appears that in response to this threat, Apple has taken steps to block Java from running on OS X systems.

Q: I don’t browse random sites or visit dodgy porn sites, so I shouldn’t have to worry about this, correct?
A: Wrong. This vulnerability is mainly being exploited by exploit packs, which are crimeware tools made to be stitched into Web sites so that when visitors come to the site with vulnerable/outdated browser plugins (like this Java bug), the site can silently install malware on the visitor’s PC. Exploit packs can be just as easily stitched into porn sites as they can be inserted into legitimate, hacked Web sites. All it takes is for the attackers to be able to insert one line of code into a compromised Web site.

Q: I’ve read in several places that this is the first time that the U.S. government has urged computer users to remove or wholesale avoid using a particular piece of software because of a widespread threat. Is this true?
A: Not really. During previous high-alert situations, CERT has advised Windows users to avoid using Internet Explorer. In this case, CERT is not really recommending that users uninstall Java: just that users unplug Java from their Web browser.

Continue reading →

Zero-Day Java Exploit Debuts in Crimeware

January 10, 2013

73 Comments

The hackers who maintain Blackhole and Nuclear Pack — competing crimeware products that are made to be stitched into hacked sites and use browser flaws to foist malware — say they’ve added a brand new exploit that attacks a previously unknown and currently unpatched security hole in Java.

The curator of Blackhole, a miscreant who uses the nickname “Paunch,” announced yesterday on several Underweb forums that the Java zero-day was a “New Year’s Gift,” to customers who use his exploit kit. Paunch bragged that his was the first to include the powerful offensive weapon, but shortly afterwards the same announcement was made by the maker and seller of Nuclear Pack.

According to both crimeware authors, the vulnerability exists in all versions of Java 7, including the latest — Java 7 Update 10. This information could not be immediately verified, but if you have Java installed, it would be a very good idea to unplug Java from your browser, or uninstall this program entirely if you don’t need it. I will update this post as more information becomes available.

Update, 8:47 a.m. ET: Alienvault Labs say they have reproduced and verified the claims of a new Java zero-day that exploits a vulnerability (CVE-2013-0422) in fully-patched versions of Java 7.

Update, 11:46 a.m. ET: As several readers have noted, Java 7 Update 10 ships with a feature that makes it far simpler to unplug Java from the browser than in previous. Oracle’s instructions for using that feature are here, and the folks at DHS’s U.S.-CERT are now recommending this method as well.

Police Arrest Alleged ZeuS Botmaster “bx1”

January 10, 2013

24 Comments

A man arrested in Thailand this week on charges of stealing millions from online bank accounts fits the profile of a miscreant nicknamed “bx1,” a hacker fingered by Microsoft as a major operator of botnets powered by the ZeuS banking trojan.

Photo: Bangkok Post

As reported by The Bangkok Post, 24-year-old Hamza Bendelladj, an Algerian national, was detained this weekend at Bangkok’s Suvarnnabhumi airport, as he was in transit from Malaysia to Egypt. This young man captured news media attention when he was brought out in front of Thai television cameras handcuffed but smiling broadly, despite being blamed by the FBI for hacking into customer accounts at 217 financial institutions worldwide.

Thai investigators told reporters that Bendelladj had amassed “huge amounts” in illicit earnings, and that “with just one transaction he could earn 10 to 20 million dollars. He’s been travelling the world flying first class and living a life of luxury.”

I didn’t fully appreciate why I found this case so interesting until I started searching the Internet and my own servers for his email address. Turns out that in 2011, I was contacted via instant message by a hacker who said he was operating botnets using the Zeus and SpyEye Trojans. This individual reached out to me repeatedly over the next year, for no apparent reason except to brag about his exploits. He contacted me via Microsoft’s MSN instant message platform, using the email address daniel.h.b@universityofsutton.com. That account used the alias “Daniel.” I later found out that Daniel also used the nickname bx1.

According to several forums on which bx1 hung out until very recently, the man arrested in Thailand and bx1 were one and the same. A review of the email addresses and other contact information bx1 shared on these forums suggests that bx1 was the 19th and 20th John Doe named in Microsoft’s 2012 legal suit seeking to discover the identities of 39 alleged ZeuS botmasters. From the complaint Microsoft submitted to the U.S. District Court for the Eastern District of Virginia, and posted at Zeuslegalnotice.com:

“Plaintiffs are informed and believe and thereupon allege that John Doe 19/20 goes by the aliases “Daniel,” “bx1,” “Daniel Hamza” and “Danielbx1” and may be contacted at messaging email and messaging addresses “565359703,” airlord1988@gmail.com, bx1@hotmail.com, i_amhere@hotmail.fr, daniel.h.b@universityof sutton.com, princedelune@hotmail.fr, bx1_@msn.com, danibx1@hotmail.fr, and danieldelcore@hotmail.com. Upon information and belief, John Doe 19/20 has purchased and used the Zeus/SpyEye code.”

The Daniel I chatted with was proud of his work, and seemed to enjoy describing successful attacks. In one such conversation, dated January 2012, bx1 bragged about breaking into the systems of a hacker who used the nickname “Symlink” and was renowned in the underground for writing complex, custom Web injects for ZeuS and SpyEye users. Specifically, Symlink’s code was designed to automate money transfers out of victim banks to accounts that ZeuS and SpyEye botmasters controlled. Here’s an excerpt from that chat:

(12:31:22 AM) Daniel: if you wanna write up a story

(12:31:34 AM) Daniel: a very perfect

(12:31:34 AM) Daniel: even Interpol will get to you

(12:31:35 AM) Brian Krebs: ?

Continue reading →

Facebook, Yahoo Fix Valuable $ecurity Hole$

January 9, 2013

3 Comments

Both Facebook and Yahoo! recently fixed security holes that let hackers hijack user accounts. Interestingly, access to methods for exploiting both of the flaws appears to have been sold by the same miscreant in the cybercrime underground.

According to Softpedia, Facebook has addressed a serious vulnerability after being notified by independent security researcher Sow Ching Shiong.

Image: http://chingshiong.blogspot.ro/

“The security hole allowed hackers to change the passwords of accounts they had compromised without knowing the old passwords. Whenever users change the password that protects their Facebook account, they’re required to enter the current password before they can set the new one. However, the expert found that cybercriminals could change a user’s password without knowing the old one by accessing the “https://www.facebook.com/hacked” URL, which automatically redirected to the compromised account recovery page.”

Information obtained by KrebsOnSecurity indicates that this “exploit” was being sold to a handful of members of an elite underground forum for $4,000 per buyer. The individual selling the exploit is the same hacker that I reported last year as selling access to a vulnerability in Yahoo! that let attackers hijack email accounts.

In late November 2012, I wrote about a cross-site scripting (XSS) vulnerability in Yahoo! that was being sold for $700 in the underground by an Egyptian hacker named TheHell. Shortly after that story, the hacker changed his nickname, but continued selling the exploit. Earlier this week, The Wall Street Journal‘s AllThingsD blog reported that Yahoo! had fixed the flaw I pictured in the video from that blog post.

“Web giant Yahoo just confirmed that it has been dealing with a vulnerability to its email service that may be connected to a surge in breaches of email accounts that are being used to send spam and other annoying content,” wrote Arik Hesseldahl. “I just got a statement from a Yahoo spokeswoman saying that the vulnerability seen in a video has been fixed.”

Adobe, Microsoft Ship Critical Security Updates

January 8, 2013

29 Comments

Adobe and Microsoft today separately issued updates to fix critical security vulnerabilities in their products. Adobe pushed out fixes for security issues in Acrobat, Adobe Reader and its Flash Player plugin. Microsoft released seven patches addressing at least a dozen security holes in Windows and other software, although it failed to issue an official patch for a dangerous flaw in its Internet Explorer Web browser that attackers are now actively exploiting.

Two of the patches that Microsoft issued today earned a “critical” rating, signifying that these vulnerabilities could be exploited to fully compromise vulnerable Windows systems without any help from users. Microsoft called special attention to two critical bugs in its XML Core Services component; the company said it is likely that malware or miscreants will figure out a way to exploit these flaws in active attacks sometime within the next 30 days.

Unfortunately, Microsoft did not offer an official fix for a critical Windows flaw that malware and miscreants are already exploiting. In late December, Microsoft acknowledged that attackers were using a previously undocumented security hole in Internet Explorer versions 6 through 8 to break into Windows PCs. Microsoft later issued a stopgap “FixIt” tool to help lessen the vulnerability on affected systems, but researchers last week demonstrated that the FixIt tool only blocked some methods of attacking the flaw, leaving other ways unguarded. Meanwhile, a working copy of the exploit has been folded into Metasploit, a free penetration testing tool.

Wolfgang Kandek, chief technology officer at vulnerability management firm Qualys, said the zero-day IE vulnerability affects 90% of the IE install base at this time.

“Microsoft is not providing a patch today, though they have provided a Fix-It for the issue,” Kandek wrote in a blog post. “The vulnerability should be tracked closely, as a large percentage of enterprises still run the affected versions.”

Users who wish to continue browsing the Web with IE should upgrade to IE9 if possible (IE10 on Windows 8 also is not vulnerable). Users still on Windows XP will not be able to update to IE9, but may be able to derive some protection from the FixIt tool and by using Microsoft’s EMET tool. XP users may be better off, however, browsing with Firefox or Chrome with some type of script blocking and/or sandbox in place. More information on how to use EMET and script blocking options is available in my Tools for a Safer PC primer. More details about today’s updates from Microsoft can be found at the Microsoft Security Response Center blog and in the security bulletin summaries for each patch.

The Adobe Flash patch fixes at least one critical vulnerability in the media player plugin. Updates are available for all supported versions of Flash, including for Windows, Mac, Linux and Android. See the chart below for the latest version number broken down by operating system.

Continue reading →

‘Value of a Hacked PC’ Graphic Goes Global

January 8, 2013

17 Comments

The Value of a Hacked PC graphic, which I published on this blog a few months ago to explain bad guy uses for your PC, is getting a makeover. I’m honored to say that the SANS Institute, a security training group, has taken the idea and run with it as an educational tool, and is in the process of translating it into 17 different languages.

A graphic put together by the SANS Institute, based on a diagram produced by KrebsOnSecurity.com.

A high-resolution version of the poster above is available from SANS’s Securing the Human Web site.

Crimeware Author Funds Exploit Buying Spree

January 7, 2013

19 Comments

The author of Blackhole, an exploit kit that booby-traps hacked Web sites to serve malware, has done so well for himself renting his creation to miscreants that the software has emerged as perhaps the most notorious and ubiquitous crimeware product in the Underweb. Recently, however, the author has begun buying up custom exploits to bundle into a far more closely-held and expensive exploit pack, one that appears to be fueling a wave of increasingly destructive online extortion schemes.

Cool Exploit Kit.

An exploit pack is a software toolkit that gets injected into hacked or malicious sites, allowing the attacker to foist a kitchen sink full of browser exploits on visitors. Those visiting such sites with outdated browser plugins may have malware silently installed. In early October 2012, security researchers began noticing that a new exploit pack called Cool Exploit Kit was showing up repeatedly in attacks from “ransomware,” malicious software that holds PCs hostage in a bid to extract money from users.

“Kafeine,” a French researcher and blogger who has been tracking the ties between ransomware gangs and exploit kits, detailed Cool’s novel use of a critical vulnerability in Windows (CVE-2011-3402) that was first discovered earlier in the year in the Duqu computer worm. Duqu is thought to be related to Stuxnet, a sophisticated cyber weapon that experts believe was designed to sabotage Iran’s nuclear program.

About a week after Kafeine highlighted the Duqu exploit’s use in Cool, the same exploit showed up in Blackhole. As Kafeine documented in another blog post, he witnessed the same thing happen in mid-November after he wrote about a never-before-seen exploit developed for a Java vulnerability (CVE-2012-5076) that Oracle patched in October. Kafeine said this pattern prompted him to guess that Blackhole and Cool were the work of the same author or malware team.

“It seems that as soon as it is publicly known [that Cool Exploit Kit] is using a new exploit, that exploit shows up in Blackhole,” Kafeine said in an interview with KrebsOnSecurity.

As detailed in an excellent analysis by security firm Sophos, Blackhole is typically rented to miscreants who pay for the use of the hosted exploit kit for some period of time. A three-month license to use Blackhole runs $700, while a year-long license costs $1,500. Blackhole customers also can take advantage of a hosting solution provided by the exploit kit’s proprietors, which runs $200 a week or $500 per month.

Blackhole is the brainchild of a crimeware gang run by a miscreant who uses the nickname “Paunch.” Reached via instant message, Paunch acknowledged being responsible for the Cool kit, and said his new exploit framework costs a whopping $10,000 a month.

At first I thought Paunch might be pulling my leg, but that price tag was confirmed in a discussion by members of a very exclusive underground forum. Not long after Kafeine first wrote about Cool Exploit Kit, an associate of Paunch posted a message to a semi-private cybercrime forum, announcing that his team had been given an initial budget of $100,000 to buy unique Web browser exploits, as well as information on unpatched software flaws. Here is a portion of that post, professionally translated from Russian:

Continue reading →

Turkish Registrar Enabled Phishers to Spoof Google

January 3, 2013

31 Comments

Google and Microsoft today began warning users about active phishing attacks against Google’s online properties. The two companies said the attacks resulted from a fraudulent digital certificate that was mistakenly issued by a Turkish domain registrar.

In a blog post published today, Google said that on Dec. 24, 2012, its Chrome Web browser detected and blocked an unauthorized digital certificate for the “*.google.com” domain.

“We investigated immediately and found the certificate was issued by an intermediate certificate authority (CA) linking back to TURKTRUST, a Turkish certificate authority,” wrote Adam Langley, a Google software engineer. “Intermediate CA certificates carry the full authority of the CA, so anyone who has one can use it to create a certificate for any website they wish to impersonate.”

Langley said that Google responded by Chrome on December 25 to block that intermediate CA, and then alerted TURKTRUST and other browser vendors. “TURKTRUST told us that based on our information, they discovered that in August 2011 they had mistakenly issued two intermediate CA certificates to organizations that should have instead received regular SSL certificates. On December 26, we pushed another Chrome metadata update to block the second mistaken CA certificate and informed the other browser vendors.”

Separately, Microsoft has issued an advisory with a bit more detail, saying it is aware of active attacks using one of the fraudulent digital certificates issued by TURKTRUST Inc.

“This fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows,” the software giant warned. Continue reading →

Last »