Archive for November, 2012

Latest Java zero-day exploit renews calls to disable it

Thursday, November 29th, 2012

Oracle contributes to the problem by not working more closely with the security industry on Java defenses, one security expert said

A zero-day Java exploit found for sale in the criminal underground has renewed calls to disable the cross-platform runtime environment in Web browsers.

The latest exploit of a vulnerability not yet publicly known was reported on Tuesday by Brian Krebs, author of the KrebsonSecurity blog. An established member of the Underweb forum, an invitation-only site, was selling the exploit for Java JRE 7 Update 9, the latest version of the platform. The expected price was in the “five digits.”

The flaw was in the Java class “MidiDevice.Info,” a component that handles audio input and output, Krebs said. The seller claimed “code execution was very reliable” on Firefox, Microsoft Internet Explorer and Windows 7.

The latest exploit discovery comes three months after two other zero-day vulnerabilities and exploit code were found, one by a security researcher at Accuvant and the other by a developer at Immunity. The flaws were in Java 7 and affected Windows, Mac OS X and Linux operating systems running a browser with a Java plug-in.

The latest exploit was unusual because such exploits are seldom sold in so open a manner, said Chester Wisniewski, a senior security adviser for Sophos. “Granted it is on a members-only criminal forum, but it sounds like the post was rather straightforward.”

Java is used in 3 billion devices worldwide, says its steward, Oracle. The platform’s ubiquity makes it a favorite hacker target, along with the fact that the platform often goes unpatched in people’s computers. Security company Rapid7 estimates that 65 percent of the installations today are unpatched.

“Many people don’t even know Java is installed on their computers and browsers, and that’s a huge problem,” said Andrew Storms, director of security operations at nCircle.

Oracle contributes to the problem by not working more closely with the security industry in building better defenses in Java, Storms said. The company shares very little information with security experts between patches.


“We could all benefit by Oracle stepping up the game to engage the community at large,” Storms said.

Experts recommend disabling Java in Web browsers, unless it is needed to access specific business applications. In the latter case, a separate browser should be dedicated for the sole purpose of accessing those applications.

“IT departments should really consider if users need to access Java for business critical applications, otherwise, they should get rid of it,” said Rob Rachwald, director of security strategy at Imperva.

Another option is to configure a client firewall to block a browser’s Java plug-in from accessing the Internet, unless the destination site is on a whitelist.


Yahoo! email zero-day exploit being sold for $700

Tuesday, November 27th, 2012

In an unusually candid look at the underground operations of black market exploit selling, there is one user who has been caught selling a major exploit for Yahoo! email accounts for $700 to all interested parties. So far, Yahoo! has not been able to nail down exactly what is causing the vulnerability.

In other words, these transactions have been exposed and are taking place right out in the open, and yet the practice is still ongoing. The user, who goes by the online handle TheHell, gloats about the capabilities of his hack, saying that it is a “stored XSS” (cross-site scripting) flaw. This means that once a user clicks on a malicious link in an email, the code is injected and permanently stored on the email client’s server, and there is very little the user can do to reverse its effects. It is also something only Yahoo! can fix internally.

In an interview with KrebsonSecurity, Yahoo! director of security Ramses Martinez said that the issue is now known and his team is working to fix it, but it is very difficult to nail down exactly where it came from and what the best course of action is.

These exploits are not as rare as you might expect, although it is uncommon for them to be exposed as openly as this one is without any immediate fix or patch. TheHell is based in Egypt, which means it would be very difficult to take any sort of legal action that would put at least a temporary end to his behavior.

Krebs also mocked up a video to make it look similar to the one TheHell is using to entice customers. In the meantime, always remember to be wary of clicking any links inside an email that appear unusual or are from people you do not know.


Linux users targeted by mystery drive-by rootkit

Wednesday, November 21st, 2012

The malware is aimed at the 64-bit Debian Squeeze kernel and is distributed to would-be victims via an unusual form of iFrame injection attack

Security researchers have discovered what appears to be an experimental Linux rootkit designed to infect its highly select victims during a classic drive-by website attack.

Posted anonymously to Full Disclosure on 13 November by an annoyed website owner, the rootkit has since been confirmed by CrowdStrike and Kaspersky Lab as being distributed to would-be victims via an unusual form of iFrame injection attack.

Aimed specifically at users of the latest 64-bit Debian Squeeze kernel (2.6.32-5), the rootkit has been dubbed ‘Rootkit.Linux.Snakso.a’ by Kaspersky Lab.

After hooking important kernel functions and hiding its own threads, Snakso sets out to take over the target system. Exactly what purpose lies behind this general ambition is unclear, although the researchers suspect a conventional criminal motive rather than a political or nuisance one.

The good news is that the rootkit looks like a work in progress, and contains enough programming rough edges to mark it out as ‘in development’.

The malware’s relatively large binary size of 500k and the inclusion of debug code are further giveaways that this might be a work in progress.

As significant as its design is the question of where it might have come from. In the view of the CrowdStrike analyst, Russia is the most likely origin, which would put it in the realm of the professional cybercriminals.

“Considering that this rootkit was used to non-selectively inject iframes into nginx webserver responses, it seems likely that this rootkit is part of a generic cybercrime operation and not a targeted attack,” notes CrowdStrike.

“However, a Waterhole attack, where a site mostly visited from a certain target audience, would also be plausible.”

It is at this point in any Linux malware story that we point out the complexity of targeting the platform not to mention the vanishingly small number of examples that have been documented.

The most recent was the ‘Wirenet’ Trojan in August, a browser password stealer discovered by Russian firm Dr Web. Other examples have been based on cross-platform Java malware.

What is apparent is that criminals now have more than a passing interest in the platform and its admin-dominated user base.

“This rootkit, though it’s still in the development stage, shows a new approach to the drive-by download schema and we can certainly expect more such malware in the future,” said Marta Janus of Kaspersky Lab.


Hackers break into two FreeBSD Project servers using stolen SSH keys

Monday, November 19th, 2012

Users who installed third-party software packages distributed by the FreeBSD Project are advised to reinstall their machines

Hackers have compromised two servers used by the FreeBSD Project to build third-party software packages. Anyone who has installed such packages since Sept. 19 should completely reinstall their machines, the project’s security team warned.

Intrusions on two machines within the cluster were detected on Nov. 11, the FreeBSD security team said Saturday. “The affected machines were taken offline for analysis. Additionally, a large portion of the remaining infrastructure machines were also taken offline as a precaution,” said a message on the project’s public announcements mailing list.

The two compromised servers acted as nodes for the project’s legacy third-party package-building infrastructure, the FreeBSD Project said in an advisory posted on its website.

The incident only affected the collection of third-party software packages distributed by the project and not the operating system’s “base” components, such as the kernel, system libraries, compiler or core command-line tools.

The FreeBSD security team believes the intruders gained access to the servers using a legitimate SSH authentication key stolen from a developer, and not by exploiting a vulnerability in the operating system.

Even though the team did not find any evidence of the third-party software packages being modified by the hackers, they cannot exclude this possibility.

“We unfortunately cannot guarantee the integrity of any packages available for installation between 19th September 2012 and 11th November 2012, or of any ports compiled from trees obtained via any means other than through or one of its mirrors,” the team said. “Although we have no evidence to suggest any tampering took place and believe such interference is unlikely, we have to recommend you consider reinstalling any machine from scratch, using trusted sources.”

The package sets currently available for all versions of FreeBSD have been validated and none of them have been altered in any way, the team said.

As a result of the incident, the FreeBSD Project plans to speed its process of deprecating legacy distribution services, like those based on CVSup, in favor of the more robust Subversion system. The advisory includes several recommendations about the tools users and developers should use for updates, source code copying and signed binary distribution.

This is not the first time an open-source software project had to deal with an intrusion because of compromised SSH authentication keys. In August 2009, the Apache Project was forced to shut down its primary Web and mirror servers after discovering that hackers used an SSH key associated with an automated backup account to upload and execute malicious code on some of the servers.

“This is a hearty reminder that a chain is only as strong as its weakest link,” said Paul Ducklin, the head of technology for Asia Pacific at antivirus vendor Sophos, in a blog post Sunday. “In particular, never forget that the security of your internal systems may very well be no better than the security of any and all external systems from which you accept remote access — whether those are servers, laptops or even mobile devices.”


Malware uses Google Docs as proxy to command and control server

Monday, November 19th, 2012

Backdoor.Makadocs variant uses Google Drive Viewer feature to receive instructions from its real command and control server

Security researchers from antivirus vendor Symantec have uncovered a piece of malware that uses Google Docs, which is now part of Google Drive, as a bridge when communicating with attackers in order to hide the malicious traffic.

The malware — a new version from the Backdoor.Makadocs family — uses the Google Drive “Viewer” feature as a proxy for receiving instructions from the real command and control server. The Google Drive Viewer was designed to allow displaying a variety of file types from remote URLs directly in Google Docs.

“In violation of Google’s policies, Backdoor.Makadocs uses this function to access its C&C [command and control] server,” said Symantec researcher Takashi Katsuki, Friday in a blog post.

It’s possible that the malware author used this approach in order to make it harder for network-level security products to detect the malicious traffic, since it will appear as encrypted connections — Google Drive uses HTTPS by default — with a generally trusted service, Katsuki said.

“Using any Google product to conduct this kind of activity is a violation of our product policies,” a Google representative said Monday via email. “We investigate and take action when we become aware of abuse.”

Backdoor.Makadocs is distributed with the help of RTF or Microsoft Word documents, but does not exploit any vulnerability to install its malicious components, Katsuki said. “It attempts to pique the user’s interest with the title and content of the document and trick them into clicking on it and executing it.”

Like most backdoor programs, Backdoor.Makadocs can execute commands received from the attacker’s C&C server and can steal information from the infected computers.

However, one particularly interesting aspect of the version analyzed by Symantec researchers is that it contains code to detect if the operating system installed on the target machine is Windows Server 2012 or Windows 8, which were released by Microsoft in September and October respectively.

The malware doesn’t use any function that’s unique to Windows 8, but the presence of this code suggests that the analyzed variant is relatively new, Katsuki said.

Other strings from the malware’s code and the names of the bait documents suggest that it’s being used to target Brazilian users. Symantec currently rates the distribution level of the malware as low.


Coca-Cola ‘targeted’ by China in hack ahead of acquisition attempt

Tuesday, November 6th, 2012

Chinese hackers have been blamed for infiltrating confidential systems within Coca-Cola for more than a month, Bloomberg has reported.

The fizzy drink firm was breached in 2009 when a malicious link was emailed to a senior executive.

Hackers were able to spend a month operating undetected, logging commercially sensitive information.

The US Securities and Exchange Commission (SEC) said Coca-Cola did not publicly disclose the attack.

Last year the SEC outlined guidelines for companies who had been hit by cyber-attacks, saying that transparency on the issue was in the interest of investors and other stakeholders.

However, companies have so far been reluctant to do so – fearing for reputational loss and negative impact on stock price.

“Investors have no idea what is happening today,” Jacob Olcott, a former cyber policy adviser to the US Congress told the financial news agency.

“Companies currently provide little information about material events that occur on their networks.”

Collapsed deal

In Coca-Cola’s case, hackers masqueraded as Coca-Cola’s chief executive, sending an email to Paul Etchells, Coca-Cola’s deputy president for the Pacific region.

The email contained a malicious link which was clicked on – allowing for hackers to install keyloggers and other forms of malware on Mr Etchells’ machine.

In the days that followed, hackers took emails and stole passwords to give themselves administrative privileges on the network.

The infiltration was – according to internal documents seen by Bloomberg – blamed on state-backed Chinese attackers.

The hack came at a time when Coca-Cola was looking to acquire the China Huiyuan Juice Group for about $2.4bn. Had the takeover happened, it would have been the largest foreign takeover of a Chinese company.

However, the deal collapsed three days after the cyber-attack, Bloomberg said, citing internal sources.

Coca-Cola told the BBC in a statement: “Our company’s security team manages security risks in conjunction with the appropriate security and law enforcement organisations around the world.

“As a matter of practice, we do not comment on security matters.”

Source:  BBC

Virtual machine used to steal crypto keys from other VM on same server

Tuesday, November 6th, 2012

New technique could pierce a key defense found in cloud environments.

Piercing a key defense found in cloud environments such as Amazon’s EC2 service, scientists have devised a virtual machine that can extract private cryptographic keys stored on a separate virtual machine when it resides on the same piece of hardware.

The technique, unveiled in a research paper published by computer scientists from the University of North Carolina, the University of Wisconsin, and RSA Laboratories, took several hours to recover the private key for a 4096-bit ElGamal-generated public key using the libgcrypt v.1.5.0 cryptographic library. The attack relied on “side-channel analysis,” in which attackers crack a private key by studying the electromagnetic emanations, data caches, or other manifestations of the targeted cryptographic system.

One of the chief selling points of virtual machines is their ability to run a variety of tasks on a single computer rather than relying on a separate machine to run each one. Adding to the allure, engineers have long praised the ability of virtual machines to isolate separate tasks, so one can’t eavesdrop or tamper with the other. Relying on fine-grained access control mechanisms that allow each task to run in its own secure environment, virtual machines have long been considered a safer alternative for cloud services that cater to the rigorous security requirements of multiple customers.

“In this paper, we present the development and application of a cross-VM side-channel attack in exactly such an environment,” the scientists wrote. “Like many attacks before, ours is an access-driven attack in which the attacker VM alternates execution with the victim VM and leverages processor caches to observe behavior of the victim.”

The attack extracted an ElGamal decryption key that was stored on a VM running the open-source GNU Privacy Guard. The code that leaked the tell-tale details to the malicious VM is the latest version of the widely used libgcrypt, although earlier releases are also vulnerable. The scientists focused specifically on the Xen hypervisor, which is used by services such as EC2. The attack worked only when both attacker and target VMs were running on the same physical hardware. That requirement could make it harder for an attacker to target a specific individual or organization using a public cloud service. Even so, it seems feasible that attackers could use the technique to probe a given machine and possibly mine cryptographic keys stored on it.

The technique, as explained by Johns Hopkins University professor and cryptographer Matthew Green, works by causing the attack VM to allocate continuous memory pages and then execute instructions that load the cache of the virtual CPU with cache-line-sized blocks it controls. Green continued:

The attacker then gives up execution and hopes that the target VM will run next on the same core—and moreover, that the target is in the process of running the square-and-multiply operation. If it is, the target will cause a few cache-line-sized blocks of the attacker’s instructions to be evicted from the cache. Which blocks are evicted is highly dependent on the operations that the attacker conducts.

The technique allows attackers to acquire fragments of the cryptographic “square-and-multiply” operation carried out by the target VM. The process can be difficult, since some of the fragments can contain errors that have the effect of throwing off an attacker trying to guess the contents of a secret key. To get around this limitation, the attack compares thousands of fragments to identify those with errors. The scientists then stitched together enough reliable fragments to deduce the decryption key.

The researchers say it’s the first demonstration of a successful side-channel attack on a virtualized, multicore server. Their paper lists a few countermeasures administrators can take to close the key leakage. One is to avoid co-residency and instead use a separate, “air-gapped” computer for high-security tasks. Two additional countermeasures include the use of side-channel resistant algorithms and a defense known as core scheduling to prevent attack VMs from being able to tamper with the cache processes of the other virtual machine. Future releases of Xen already include plans to modify the way so-called processor “interrupts” are handled.
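The operation-sequence leak described above and the side-channel resistant algorithm countermeasure listed among the fixes, as an added Python illustration that is neither the paper’s code nor libgcrypt’s (modulus, base and exponent are constructed toy values; a real ElGamal key is thousands of bits):

```python
# Textbook left-to-right square-and-multiply, with every squaring ('S') and
# multiplication ('M') appended to a trace.  In the cross-VM attack the trace
# is what the attacker pieces together from cache evictions; here it is simply
# recorded to show that it is a transcript of the exponent's bits.  The
# Montgomery ladder afterwards is the "side-channel resistant algorithm" kind
# of countermeasure: its operation sequence does not depend on the exponent.


def square_and_multiply(base, exponent, modulus, trace):
    """Leaky exponentiation: a multiply happens only when the bit is 1."""
    result = 1
    for bit in bin(exponent)[2:]:            # most significant bit first
        result = (result * result) % modulus
        trace.append("S")
        if bit == "1":                       # key-dependent branch
            result = (result * base) % modulus
            trace.append("M")
    return result


def exponent_from_trace(trace):
    """Recover the exponent from a clean S/M sequence.

    Every 'S' opens a new bit position (tentatively 0); an 'M' that follows
    marks that position as 1.  The paper's attack first had to discard noisy
    fragments; that filtering is not modelled here.
    """
    bits = []
    for op in trace:
        if op == "S":
            bits.append("0")
        elif op == "M" and bits:
            bits[-1] = "1"
    return int("".join(bits), 2) if bits else 0


def montgomery_ladder(base, exponent, modulus, trace, bit_length):
    """Exponentiation with an exponent-independent operation sequence.

    Each bit costs exactly one multiply and one square, and operands are
    chosen with a branch-free conditional swap instead of an if/else, so
    neither the S/M pattern nor the executed instruction addresses depend on
    the key.  (Python's big-integer arithmetic is itself not constant-time;
    the point demonstrated here is the operation sequence.)
    """
    r0, r1 = 1, base % modulus               # invariant: r1 == r0 * base
    for i in range(bit_length - 1, -1, -1):
        mask = -((exponent >> i) & 1)        # 0 or -1 (all ones)
        diff = (r0 ^ r1) & mask
        r0, r1 = r0 ^ diff, r1 ^ diff        # swap iff the bit is 1
        r1 = (r0 * r1) % modulus
        trace.append("M")
        r0 = (r0 * r0) % modulus
        trace.append("S")
        diff = (r0 ^ r1) & mask
        r0, r1 = r0 ^ diff, r1 ^ diff        # swap back
    return r0


if __name__ == "__main__":
    # Constructed toy parameters, not anything from the paper.
    modulus, base, secret = 1000003, 4, 0b101101
    leaky = []
    square_and_multiply(base, secret, modulus, leaky)
    print("leaky trace:      ", "".join(leaky))
    print("recovered exponent:", bin(exponent_from_trace(leaky)))
    safe = []
    montgomery_ladder(base, secret, modulus, safe, 6)
    print("ladder trace:     ", "".join(safe))
```

Run it and compare the two traces: the first spells out the exponent 101101 as S/M pairs, the second is the same twelve operations for any six-bit exponent.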

While the scope of the attack remains limited, the research is important because it opens the door to more practical attacks in the future.

“This threat has long been discussed, and security people generally agree that it’s a concern,” Green wrote. “But actually implementing such an attack has proven surprisingly difficult.”


The Russian underground economy has democratised cybercrime

Friday, November 2nd, 2012

If you want to buy a botnet, it’ll cost you somewhere in the region of $700 (£433). If you just want to hire someone else’s for an hour, though, it can cost as little as $2 (£1.20) — that’s long enough to take down, say, a call centre, if that’s what you were in the mood for. Maybe you’d like to spy on an ex — for $350 (£217) you can purchase a trojan that lets you see all their incoming and outgoing texts. Or maybe you’re just in the market for some good, old-fashioned spamming — it’ll only cost you $10 (£6.19) for a million emails. That’s the hourly minimum wage in the UK.

This is the current state of Russia’s underground market in cybercrime — a vibrant community of ne’er-do-wells offering every conceivable kind of method for compromising computer security. It’s been profiled in security firm Trend Micro‘s report, Russian Underground 101, and its findings are as fascinating as they are alarming. It’s an insight into the workings of an entirely hidden economy, but also one that’s pretty scary. Some of these things are really, really cheap.

Rik Ferguson, Trend Micro’s director of security research and communications, explains that Russia’s cybercrime market is “very much a well-established market”. He says: “It’s very mature. It’s been in place for quite some time. There are people offering niche services, and every niche is catered for.” Russia is one of the major centres of cybercrime, alongside other nations like China and Brazil (“the spiritual home of banking malware”).

Russian Underground 101 details the range of products on offer in this established market — Ferguson says that they can be for targeting anyone “from consumers to small businesses”. He points to ZeuS, a hugely popular trojan that’s been around for at least six years. It creates botnets that remotely store personal information gleaned from users’ machines, and has been discovered within the networks of large organisations like Bank of America, Nasa and Amazon. In 2011, the source code for ZeuS was released into the wild — now, Ferguson says, “it’s become a criminal open source project”. Versions of ZeuS go for between $200 (£124) to $500 (£309).

Cybercriminal techniques go in and out of fashion like everything else — in that sense, ZeuS is a bit unusual in its longevity. That’s in large part because viruses and trojans can be adapted to take advantage of things in the news to make their fake error messages or spam emails seem more legitimate. For example, fake sites, and fake ads for antivirus software, aren’t as popular as they once were because people are just more computer literate these days. Exploits which take advantage of gaps in browser security to install code hidden in the background of a webpage have also become less common as those holes are patched up — but programs which embed within web browsers still pose a threat, as the recent hullabaloo over a weakness in Java demonstrates.

Ferguson points to so-called “ransomware” as an example of a more recent trend, where the computer is locked down and the hard drive encrypted. All the user sees on the screen is a message telling them that their local law enforcement authority (so, in the UK, often the Metropolitan Police) has detected something like child pornography or pirated software on their PC, and if they want to unlock it they’ll have to send money to a certain bank account. No payment, no getting your hard drive back.

Amazingly, if you pay that “fine”, then you will actually get your information back, says Ferguson. “But you’ve labelled yourself as an easy mark, and there’s no telling if they haven’t left behind a backdoor which will let them come back and try again,” he says. Child pornography and pirated software have been in the news a lot over the past few years, for obvious reasons, and that kind of thing directly influences the thinking of hackers and programmers.

Taking the time to adapt these tools to recent trends can be very lucrative. DNSChanger, a popular trojan from 2007 to 2011, would infect a machine and change its DNS settings. When the user went to a webpage with ads on it, that traffic would give affiliate revenue to the scammers. One prominent DNSChanger ring (Rove Digital) was busted in Estonia in 2011 — the FBI had been tracking them for six years, and during that time it was estimated that they’d earned around $14 million (£8.7 million) from this little trick. It also meant that the FBI was left with some critical web infrastructure on its hands — those infected machines (which included machines at major organisations) could only access the web through those Rove Digital servers. Months were spent trying to get people to check their computers for infection and ensuring that when those Estonian servers were shut off, it didn’t take down, say, a bank.

The most recent trends in cybercrime, though, are very much focused on mobile — particularly Android, Ferguson explains: “We’ve seen so far 175,000 malicious threats for Android, and we expect that to be a quarter of a million by next year. Those threats come from malicious apps — if you want to stay safe, stick to official channels like Google Play, don’t just download from any site. Similarly, there aren’t any malicious iOS apps in the wild, on the App Store, but that only applies to iPhones that aren’t jailbroken — downloading from other places puts your phone at risk.”

These threats aren’t going away, either. In fact, according to Ferguson, “prices are going down” across the Russian underground: “Let’s not pretend that these people aren’t taking advantage of technology just like normal businesses — improvements in technology are getting faster, and there are things like cloud services which they also use. The bad guys are using technologies to drive down costs in the same way businesses are.”

Ferguson cites the recent case of someone claiming to have bought the personal information of 1.1 million Facebook users for only $5 (£3.19) as further evidence of the growing problem of online information leaking into the hands of these cybercrime communities. Hackers and other cybercriminals make it their job to analyse security measures and find ways around them, because that information is where the value lies.

While hackers and other cyber criminals can save by buying in bulk, the cost to the individual (or the business) that falls victim to one of these techniques is potentially much higher. So, be vigilant, OK?

Here’s some of what you can buy on the Russian underground…

Basic crypter (for inserting rogue code into a benign file): $10-$30 (£6.19-£19)
SOCKS bot (to get around firewalls): $100 (£62)
Hiring a DDoS attack: $30-$70 (£19-£43) for a day, $1,200 (£742) for a month
Email spam: $10 (£6.19) per one million emails
Expensive email spam (using a customer database): $50-$500 (£31-£310) per one million emails
SMS spam: $3-$150 (£1.86-£93) per 100-100,000 messages
Bots for a botnet: $200 (£124) for 2,000 bots
DDoS botnet: $700 (£433)
ZeuS source code: $200-$500 (£124-£310)
Windows rootkit (for installing malicious drivers): $292 (£180)
Hacking a Facebook or Twitter account: $130 (£80)
Hacking a Gmail account: $162 (£100)
Hacking a corporate mailbox: $500 (£310)
Scans of legitimate passports: $5 (£3.10) each
Winlocker ransomware: $10-20 (£6.19-£12.37)
Unintelligent exploit bundle: $25 (£15)
Intelligent exploit bundle: $10-$3,000 (£6.19-£1,857)
Traffic: $7-$15 (£4.33-£9.29) per 1,000 visitors for the most valuable traffic (from the US and EU)

Source:  Wired