M32 Security

phpMyAdmin Exploit Used To Launch New SSH Brute-Force Attack

Kyle — Fri, 13 Aug 2010 01:55:13 +0000

An older vulnerability in phpMyAdmin (CVE-2009-1151) is now being exploited by a botnet known as dd_ssh. Details are still emerging, but it appears that this new bot originated from 91.193.157.206 according to SANS. If the exploit of CVE-2009-1151 is successful on vulnerable phpMyAdmin installs, the files vmsplice.txt, dd.txt, and, in some instances, vm.c are downloaded from the aforementioned IP. The last of those files mentioned contains the vmsplice local root exploit (CVE2008-0600). After being compromised, the infected installations start making connections to multiple addresses on ports 54509 and 54510; most likely for command & control. SANS ISC is actively monitoring this apparent new botnet and has noticed a notable up-tick in machines scanning SSH lately.

More Info Over at SANS ISC and thanks goes to Briareos over at BroadBand Reports for the quick fact-finding and possible discovery.

June Security Advisory posted by F5 on identifying any suspicious activity and mitigating the exploit

Zeus v3 Trojan Silently Siphoning Money From UK Bank Accounts

Kyle — Thu, 12 Aug 2010 03:19:40 +0000

Security research firm M86 Security (no relation) has posted a whitepaper outlining how cyber-criminals started utilizing the Zeus v3 trojan in conjunction with the Eleonore, Phoenix, and Siberia Exploit Kits to siphon £675,000 (~$1.05 million USD) so far from UK victims’ systems that have been compromised. The attack started on July 5th and has continued silently ever since. The main reason why the theft hasn’t been successfully mitigated thus far is because of the Zeus trojan’s extreme difficulty to detect by antivirus solutions. The Zeus trojan, also known as Zbot, PRG, Wsnpoem, Gorhax and Kneber is sold as a kit to people willing to pay a price for the latest code known as Zeus v3. It primarily infects a machine through exploiting un-patched versions of Internet Explorer to gain control.

The Zeus trojan has been known to steal user data in the past, but has never been used in such a direct manner. In the US, there are believed to be 3.6 million infected machines by the malware alone, which makes it arguably one of the world’s most dangerous trojans/botnets in terms of potential damage. The Daily Mail has a good article outlining the exact details.

M86 Security Whitepaper (PDF)

Conficker: The Proactive Worm Ahead Of The Curve

Kyle — Sun, 08 Aug 2010 19:26:15 +0000

An interesting article over at The Register shows how the now infamous ~6 million strong Conficker botnet/worm stays ahead of the curve in terms of Information Security by staying proactive and paranoid in how it is managed. Although the classification of the worm only goes from A through E, the botnet itself is ever-evolving; creating a nightmare for researchers world-wide in detection and cleansing of infected machines. It is unknown who runs the botnet, but it is known that the technical skill behind its command is very much on the bleeding-edge of security as well as social engineering. For instance, the worm uses simple exploits to infect Windows machines, but it phones home to domain names which can no longer be predicted and shut-down to receive new instructions and updates to the code that infects the machine. It has used scareware in the past to spread as well, such as bogus security software. It has even gone so far as to actually remove or fix other security threats on an infected machine to avoid detection. It constantly stays up-to-date and often mitigates even the newest anti-malware tools designed to remove it.

What makes it so hard to remove is its inability to be cracked. It has used the MD6 cryptographic hash function that was a candidate for the NIST SHA-3 Hash Competition with a 4096-bit RSA key. Even when a buffer-overflow vulnerability was discovered in MD6, the botnet’s owner corrected the implementation within a matter of days. There is an entire working group called The Conficker Working Group tasked entirely to the botnet, which has yet to break-in and take any sort of control away from whoever runs it.

In-depth article at The Register

Snort 2.9 Beta & 2.8.6.1 update released

Kyle — Fri, 30 Jul 2010 04:46:51 +0000

Snort is a registered trademark of Sourcefire, Inc

Sourcefire has been busy as ever keeping their second-to-none Snort® IDS/IPS system at the forefront of network security technology. Yesterday they released an update to the 2.8 family of Snort®, bringing it to version 2.8.6.1. It brings some fixes to the installer package, fixing some issues with detecting false-positives in pattern matching & FTP string format verification, and incorrect handling of empty FTP response codes to data transfer commands commands.

Snort® 2.9 has officially gone Beta. 2.9 includes a myriad of new features such as a robust IPS mode for inline deployments, a new common API for all active response, a new response module that is backward-compatible with resp and resp2 syntax, a new preprocessor for inline deployments to interpret packets the same way a host would, and a new Data Acquisition API that supports multiple packet access methods for better & easier integration with existing infrastructure, updated HTTP Inspect, updated & more robust SMTP preprocessor, the ability to test drop rules for inline mode before implementation, and greatly improved overall IPv6 support. Also new is integration with Intel’s Quick Assist technology.

Find it all and more on the release page over at Sourcefire

Microsoft LNK vulnerability exploit spreading quickly

Kyle — Thu, 29 Jul 2010 05:14:41 +0000

At last writing, the Microsoft LNK vulnerability that was originally used to target SCADA systems by the Stuxnet worm in Iran, India, and Indonesia was slowly gaining speed and the exploit had a proof-of-concept in the open. Now it is accelerating. It is now being picked up by old virus/worm/malware families and incorporated into their arsenals to take new victims; some using social engineering, some using their own unique tactics. While the exploit method itself hasn’t changed, the exploiters using it are vigorously churning out new versions of their software. I think it’s safe to say Madagascar will be closing its ports soon. (Warning: addictive)

New detected malwares are Chymine, Vobfus, Sality, Zeus, and most recently, Downloader-CJX

Technet article on Vobfus

The Register on LNK exploit activity

F-Secure blog entry

New rogue AV targets Firefox users as bogus Flash update

Kyle — Thu, 29 Jul 2010 04:31:36 +0000

It seems the makers of the all-too-familiar-now rogue AV are now targeting the more web-saavy of users; those who use Mozilla Firefox.

Recent versions of Firefox have been taking a more proactive approach to keeping Adobe Flash secure by checking the version of Flash installed and informing users that they need to upgrade Flash to a newer version if it is outdated. Simple enough. Perhaps too simple.

Now the makers of the familiar fake Windows Security Alert con and the bogus Anti-Virus malware have begun to craft webpages that look identical to the page that appears after users have started a freshly-upgraded version of Firefox, except they now have to upgrade Adobe Flash. It doesn’t require the user to click on a download link; it tries to start a download immediately upon page load.

Naturally users will download the legitimate looking executable and run it upon completion. In all, it is a very convincing tactic with a pretty flawlessly executed plan besides the URL being not that of a Mozilla Firefox owned domain. Of course, it isn’t a newer version of Flash. It’s the good ‘ol rogue AV that has been creeping into every corner of the web by any means possible, doing all the nasty things it always does. Security vendors are already aware of the threat and rolling out definition updates to detect and thwart this attack.

More on it over at F-Secure with screenshots

LNK Zero-Day Exploit: Siemens WinCC SCADA systems targeted

Kyle — Mon, 26 Jul 2010 05:20:59 +0000

It turns out that the original targets for the highly-dangerous Windows Shell LNK Zero-Day Exploit were Siemens WinCC SCADA systems with hard-coded credentials used in large infrastructure systems like factories and power grids. Once the attacker had successfully executed the LNK exploit, they accessed the Siemens WinCC program and extracted sensitive data from the database the software uses. It is highly suspected that the exploit was explicitly used for espionage toward Iran and Indonesia at the very least, but by whom or what exact purpose is not clear. What is clear is that the Siemens WinCC software was targeted. The Siemens WinCC software has what is considered one of the top vulnerabilities in software according to CWE/SANS, which is the use of fixed-credentials. This type of vulnerability has been publicly disclosed for over two years and the password to this specific software (2WSXcder) has been publicly known since at least 2008. Siemens was made aware of the issue on July 14 and shortly started to asses the problem and notify customers.

In the meantime, a security researcher known as Ivanlef0u has posted a proof-of-concept of the exploit (site is in French), while Win32/TrojanDownloader.Chymine.A and Win32/Autorun.VB.RP are in the wild already actively actively using this exploit according to ESET. Expect to see this exploit to be a bit prolific due to its new and unique nature combined with the relative ineffectiveness of detection/removal systems thus far.

Wired Article on password’s public exposure

ESET Blog on new Zero-day exploit in the wild

Highly-Dangerous Zero-Day Windows Shell LNK Exploit Discovered

Kyle — Sat, 17 Jul 2010 19:38:22 +0000

This one isn’t good. In fact, it’s downright scary. This exploits a vulnerability in Windows’ handling of LNK files. It affects ALL versions of Windows; at least all currently supported versions. No mention all unsupported versions, but assume they are affected as well. It is already being exploited by the Stuxnet rootkit and most likely many more nasty things very, very soon. Microsoft’s solution in Security Advisory 2286198 is to disable AutoRun completely, disable displaying of icons for programs, and disabling the WebClient service. That means disabling WebDAV and pretty much disabling icons for program links. It currently has an extremely high level of impact due to the simple nature of exploit. It is advised that antivirus is updated immediately (as in yesterday) as well as firewall inspection signatures are kept up-to-date to mitigate this.

US-CERT Vulnerability Note VU#940193

F-Secure Notice & Info

Discovered by VirusBlockAda on June 17

CVE-ID CVE-2010-2568

NVD-ID CVE-2010-2568

Article in The Register

CYBERCOM’s Secret Code Demystified

Kyle — Sat, 10 Jul 2010 01:27:36 +0000

As I posted earlier this week, a hexadecimal code was discovered on the gold ring encircling US Cyber Command’s newly released logo. That code was 9ec4c12949a4f31474f299058ce2b22a and it sent the NetSec community on a challenge. To the untrained eye, it looks like just a bunch of numbers and letters. To those in the InfoSec/NetSec field, it looks like a 128-bit MD5-hash. MD5 hashes are derived from an algorithm that “digests” the data into a hexadecimal result like the one here. They are often used in file integrity checks to ensure the data is exactly what it should be without any corruption or tampering.

Around 2004, the MD5 algorithm had started to show vulnerabilities and signs of age. It is now fairly easy to reverse these hashes to reveal the original data. Obviously this is a big security problem. The NIST and DHS has a policy that requires all government agencies to use more complex hashing functions after 2010. Considering US CYBERCOM is one of the most secretive and secured entities of the publicly known US Government and intimately tied to the NSA, I would imagine there may be more than meets the eye to the new logo and we’ll come across more interesting things the geeks over there threw in to challenge us.

CYBERCOM’s Secret Code Demystified.

9ec4c12949a4f31474f299058ce2b22a

Kyle — Wed, 07 Jul 2010 23:51:22 +0000

http://www.niconnect.com/9EC4C12949A4F31474F299058CE2B22A.jpg

Poder Cibernetico = Cyber Power

39 6 31.38,-76 46 12.66 Put that into Google Maps. Haha.

Reverse MD5 comes out as this:

USCYBERCOM plans, coordinates, integrates, synchronizes and conducts activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries.