Archive for August, 2012

Attack targeting critical Java bug added to hack-by-numbers exploit kit

Wednesday, August 29th, 2012

A comparison of code found in BlackHole and code published earlier as a proof-of-concept exploit.

Online attackers have wasted no time seizing on a critical vulnerability in Oracle’s Java software framework that makes it possible to install malware on computers running Windows, Mac OS X, or Linux.

So far, all of the exploits reported to be in the wild attack Windows PCs, but according to Errata Security CTO David Maynor, it’s not hard to exploit Mac and Linux machines that have the latest version of Java from Oracle installed. Neither platform has it installed by default, however. The vulnerability has nothing to do with JavaScript.

On Monday night, about 24 hours after the vulnerability became public, attack code exploiting it was added to BlackHole, an exploit kit sold in underground forums, security researchers said. A quick inspection of the BlackHole attack by antivirus provider F-Secure found it used many of the same coding conventions contained in a proof-of-concept exploit published earlier by security researcher Joshua Drake. The exploit was also added to the Metasploit exploit framework used by penetration testers and hackers.

“There being no latest patch against this, the only solution is to totally disable Java,” F-Secure researchers wrote. “Since this is the most successful exploit kit + zero-day… que [sic] horror. Please, for the love of your computer disable Java on your browser.”

Researchers from Symantec on Tuesday reported two websites that are actively wielding the exploit, up from the single site discovered on Sunday.

The vulnerability is breathtaking for the way it almost completely subverts the security “sandbox” that is supposed to prevent malicious Java code from accessing sensitive operating-system functions. Exploiting it allows attackers with an unsigned, unprivileged process to overwrite the Java security context token with reflection. According to Symantec: “The vulnerability consists of a privilege escalation due to a class that allows access to protected members of system classes, which should not be accessible. Because of this, malicious code can bypass the restrictions imposed by the sandbox and use the ‘getRuntime().exec()’ function.”

Immunity Inc. researcher Nico Waisman’s spectacular deep dive into the vulnerability is here. Researchers from Kaspersky Lab have additional details here about exploits being served in the wild.

Multiple reports claim it doesn’t affect Java 1.6 and earlier versions, but rolling back to an older release could create other security problems. KrebsonSecurity has useful suggestions for disabling or limiting Java use here.


No more VRAM: VMware abandons controversial pricing model

Tuesday, August 28th, 2012

VMware customers will no longer be penalized for using more virtual memory.

Just over a year ago, VMware shocked many of its longtime customers with a new pricing model that charged customers based on the amount of virtual infrastructure they used instead of the amount of physical infrastructure. By charging customers based on use of virtual memory, or VRAM, VMware seemingly penalized customers who succeeded in deploying many virtual machines on few physical servers.

After a customer outcry, VMware raised the VRAM “entitlements” to make the change less punitive. Today, VMware did away with the VRAM pricing model altogether.

At VMworld in San Francisco, newly minted VMware CEO Pat Gelsinger referred to VRAM as a four-letter, dirty word. “Today I am happy to say we are striking this word from the vocabulary,” he said, drawing an extended ovation from the crowd. VMworld is being attended by 20,000 people, and a huge portion of them attended this morning’s keynote.

From now on, pricing will be all per-CPU, and per-socket, Gelsinger said. By moving back to a pricing model based on usage of physical infrastructure, VMware is once again encouraging users to get as many virtual servers as they can out of each physical machine, which is the point of virtualization in the first place.

Gelsinger never mentioned specific pricing, but a press release provided a few details about the new pricing of vSphere, VMware’s flagship virtualization software.

“VMware vSphere pricing starts around $83 per processor with no core, vRAM or number of VM limits,” VMware said. “VMware vSphere Essentials is $495, and VMware vSphere Essentials Plus is $4,495. All VMware vSphere Essentials Kits include licensing for 6 CPUs on up to 3 hosts.”

This new, hardware-based pricing applies both to the forthcoming version 5.1 of vSphere and the existing version 5.0. More details can be found in this VMware pricing document. There is also vCloud, a broader software suite including vSphere and numerous other data center automation tools. Prices for vCloud 5.1 will start at $4,995 per processor.

VMware said version 5.1 of vSphere will become generally available on September 11. It has enhancements including the ability to perform live migrations of virtual machines without the need for shared storage. We’ll have more details from VMworld as the conference goes on.


VMware virtual machines targeted by “Crisis” espionage malware

Wednesday, August 22nd, 2012

Malware may be the first to target virtual machines, long used to block attacks.

Researchers have uncovered a single espionage malware attack that is capable of infecting multiple platforms, including computers running the Windows and Mac OS X operating systems, Windows-powered mobile devices, and VMware virtual machines.

When Ars first chronicled the trojan backdoor known as Morcut last month, we reported that it turned Macs into remote spying devices that were capable of intercepting e-mail and instant-message communications and using internal microphones and cameras to spy on people in the vicinity of the machine. Since then, researchers have developed a more comprehensive view of the malware, which is known by the name “Crisis.” A JAR, or Java archive, file that masquerades as a legitimate Adobe Flash installer allows attackers to infect a much wider variety of platforms, including virtual machines, which many people use to protect themselves from infection when performing online banking or while researching malicious websites.

“This may be the first malware that attempts to spread onto a virtual machine,” Takashi Katsuki, a researcher with antivirus provider Symantec, wrote in a blog post published on Monday. “Many threats will terminate themselves when they find a virtual machine monitoring application, such as VMware, to avoid being analyzed, so this may be the next leap forward for malware authors.”

When encountering a Windows-based PC, Crisis actively searches for VMware virtual machine images. When they’re found, the malware copies itself onto an image using VMware Player, a tool that makes it easy to run multiple operating systems at the same time on the host machine.

“It does not use a vulnerability in the VMware software itself,” Katsuki wrote. “It takes advantage of an attribute of all virtualization software: namely that the virtual machine is simply a file or series of files on the disk of the host machine. These files can usually be directly manipulated or mounted, even when the virtual machine is not running.”

As illustrated in the image above, the JAR file first determines whether it’s present in a Mac or Windows environment. When loaded onto an OS X machine, Crisis accesses a Mach-O file that’s capable of running on Macs. When loaded into a Windows environment, the malware uses a standard Windows executable file to infect PCs, the VMware Player attack to infiltrate virtual machines, and a module that targets Windows Mobile devices when they’re connected to a compromised Windows computer.

So far, Crisis has been detected on fewer than 50 machines worldwide, according to data from Symantec. But given its ability to infect Macs and Windows PCs with a backdoor that taps communications sent by Skype, Adium, MSN Messenger and other apps, Crisis was already considered to be important. It’s even more noteworthy now that its virtual-machine capabilities have been uncovered.


Mystery malware that targeted energy group contains amateur coding goof

Wednesday, August 22nd, 2012

The date-comparison bug is further evidence that Shamoon isn’t state sponsored.

The mystery malware that recently wreaked havoc on energy sector computers contains an amateur programming error that’s not typical of state-sponsored attacks, security researchers said.

The flaw, which was reported in a blog post published on Tuesday by researchers from Russia-based Kaspersky Lab, was found in “Shamoon,” a piece of malware that wipes data from infected computers and also prevents them from booting up. It struck computers in at least one organization tied to the energy industry. After the word “wiper” was found embedded in the underlying binary, some researchers questioned whether the malware was linked to an earlier attack by that name that was used to destroy data belonging to Iran’s oil ministry.

Kaspersky researchers later dismissed those suspicions after finding significant differences in the way the two pieces of malware behaved. Kaspersky’s post on Tuesday introduced yet more evidence that Shamoon wasn’t state sponsored: a programming routine that fails to accurately determine if a specified date has come. The date hard-coded into the malware is August 15, 2012. If the current date falls in 2013 or later, but its calendar month is earlier than August, the malware treats the date as coming before the August 2012 checkpoint value. The flaw is the result of faulty comparison logic.
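The date-comparison mistake described above, reconstructed as an added example (this is hypothetical illustrative code, not Shamoon’s own routine): a check that tests the month before the year reports dates in early 2013 as lying before August 15, 2012, while the corrected version compares year, month and day in order of significance.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical reconstruction of the described check; field names,
 * the date_t type and both functions are assumptions for this example. */
typedef struct { int year, month, day; } date_t;

static const date_t TRIGGER = { 2012, 8, 15 };  /* hard-coded trigger date */

/* Packs a date into one integer, e.g. 2012-08-15 -> 20120815, so the year
 * is always the most significant field in a comparison. */
static int date_key(date_t d) {
    return d.year * 10000 + d.month * 100 + d.day;
}

/* Buggy check: the month is tested first and settles the result whenever it
 * differs from the trigger month, so a later year never gets a say.
 * 2013-03-01 is reported as "not reached" because 3 < 8. */
bool buggy_date_reached(date_t now) {
    if (now.month != TRIGGER.month) return now.month > TRIGGER.month;
    if (now.day != TRIGGER.day)     return now.day > TRIGGER.day;
    return now.year >= TRIGGER.year;
}

/* Corrected check: year, then month, then day, via the packed key. */
bool correct_date_reached(date_t now) {
    return date_key(now) >= date_key(TRIGGER);
}

int main(void) {
    /* Constructed sample dates on both sides of the trigger. */
    const date_t samples[] = {
        { 2012, 8, 14 }, { 2012, 8, 15 }, { 2012, 9, 1 },
        { 2013, 3, 1 },  { 2011, 9, 1 },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        date_t d = samples[i];
        printf("%04d-%02d-%02d  buggy=%d  correct=%d\n", d.year, d.month, d.day,
               buggy_date_reached(d), correct_date_reached(d));
    }
    return 0;
}
```

The 2013-03-01 and 2011-09-01 rows show the two directions in which the month-first comparison goes wrong.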

“This error indirectly confirms our initial conclusion that the Shamoon malware is not the Wiper malware that attacked Iranian Systems,” Kaspersky Lab researcher Dmitry Tarakanov wrote. “Wiper is presumed to be a cyber-weapon and, if so, it should have been developed by a team of professionals. But experienced programmers would hardly be expected to mess up a date comparison routine.”


Mystery malware wreaks havoc on energy sector computers

Friday, August 17th, 2012

Like malware that attacked Iran, Shamoon permanently destroys hard disk data.

Malware researchers have uncovered an attack targeting an organization in the energy industry that attempts to wreak havoc by permanently wiping data from an infected computer’s hard drive and rendering the machine unusable.

The computer worm, alternately dubbed Shamoon or Disttrack by researchers at rival antivirus providers Symantec and McAfee, contains the string “wiper” in the Windows file directory its developers used while compiling it. Combined with word that it targeted the energy industry, that revelation immediately evoked memories of malware also known as Wiper that reportedly attacked Iran’s oil ministry in April and ultimately led to the discovery of the state-sponsored Flame malware.

In a blog post published Thursday, researchers from Russia-based Kaspersky Lab said the file and service names in the original Wiper aren’t present in Shamoon. They also noted that Wiper uses a different pattern when destroying disk data. As a result, they said the two pieces of malware are likely not connected.

“It is more likely that this is a copycat, the work of script kiddies inspired by the story,” members of Kaspersky’s Global Research & Analysis Team wrote. Kaspersky researchers were instrumental in uncovering Flame, which like Stuxnet, Duqu, and Gauss, is highly sophisticated malware believed to have been sponsored by one or more nations to spy on or attack Iran or other countries.

None of the researchers identified the victim or victims of the latest attack except for a brief mention in a blog post by Symantec that said they included “at least one organization in the energy sector.” McAfee’s report is here.

Saudi Arabia-based Saudi Aramco, the world’s largest crude exporter, was reportedly hit by a computer virus this week that entered its network through personal computers, according to Bloomberg News. Additional details about that malware attack weren’t available, although the company said parts of its network linked to oil production weren’t affected and its systems will resume full operations soon.

Shamoon is unusual because it goes to great lengths to ensure destroyed data can never be recovered, something that is rarely seen in targeted attacks. It has self-propagation capabilities that allow it to spread from computer to computer using shared network disks. It overwrites disks with a small portion of a JPEG image found on the Internet.

It also uses what appears to be a legitimate system driver to gain low-level access to a hard drive so it can wipe the master boot record Windows machines rely on to boot up. The driver, according to Kaspersky, was digitally signed using the private cryptographic key belonging to a company called EldoS Corporation.

The malware also reports back to the attackers with information about the number of files that were destroyed, the IP address of the infected computer, and a random number. Information the malware authors used when developing it shows it resided in the Windows directory C:\Shamoon\ArabianGulf\wiper\release\wiper.pdb. Shamoon could be a reference to the Shamoon College of Engineering in Israel, although that’s highly speculative, since Shamoon is the Arabic equivalent of the name Simon, Kaspersky’s report said. It’s unknown if Arabian Gulf has any connection to the malware attack on Saudi Aramco.

Shamoon was discovered on Thursday and has infected fewer than 50 systems. That’s a tiny number, but given its focus on energy companies and its resemblance to software that reportedly targeted Iran’s oil ministry, it’s worth keeping an eye on.