“There is no delight in owning anything unshared.”

Latest

Cyberattacks November 2012 Part II – Spoofed DNS Service Attack

Spoofed DNS traffic is an observation traffic from Black Lotus Communications’s IP with source port 53.This traffic indicates backscatter from an attack on Black Lotus’s customers.In other words, some of the IP addresses are being spoofed by the attacker for DNS reflection attack on TCP port 53 (DNS)

Black Lotus

Backscatter is a side-effect of a spoofed denial of service (DoS) attack where the attacker spoofs the source address in IP packets sent to the victim in order for the victim to responds to the spoofed packets where these response packets are known as backscatter. The backscatter response packets from the victim will be sent back to the spoofed destination.

Spoofed DNS
A DDoS mitigation services provider will need to validate the real source of the DNS reflection attack by responding to the spoofed packets.This explained the appearance of IP(s) from Black Lotus Communications with source port 53.

Block Black Lotus Communications IP(s):

  • 199.59.160.0 – 199.59.167.255
  • 208.64.120.0 – 208.64.127.255

Advisories
Configuring Unicast Reverse Path Forwarding (URPF) on network routers to prevent IP address spoofing.

Advertisements

Cyberattacks November 2012 Part I – #opleak Targets Financial Institutions in Asia

#opleak is an operation originating from the hacker group – xl3gi0n, which had hacked, defaced and leaked databases information of four financial institutions in Asia.

xlegion

The Hacker Group are targeting

  • The Victims: The Asian Banker, Kumari Bank, Midwest Bank and Procredit
  • The Targets: Web servers running on Apache with PHP installed with MySQL
  • The Method : SQL Injection
  • The Tool: Havij – automated SQL injection tool

A good Defenses references from OWASP:

Primary Defenses:

  • Option #1: Use of Prepared Statements (Parameterized Queries)
  • Option #2: Use of Stored Procedures
  • Option #3: Escaping all User Supplied Input

Additional Defenses:

  • Also Enforce: Least Privilege
  • Also Perform: White List Input Validation

Advisories:

  • Ensure web portals sanitize user inputs to ensure data input are as they should be. Limit the use of SQL queries from applications through the use of stored procedures.
  • Webmaster can configure their web server to block access traffic from client where the HTTP User Agent header contains ‘Havij’, although this may be changed.
  • Ensure the systems are using an up to date version of the software and have had all vendor supplied patches applied, especially for the systems which are running Apache, PHP and MySQL.

 

More details from  OWASP SQL Injection Cheat Sheat

opleak

Cyberattacks October 2012 Part (II) – A very Social Malware (Facebook??)

Despite Facebook being not a new attack vector, there is a new kind of malware spreading through Facebook. This malware is protected against both debugging and network traffic analysis. In order to protect binary code from reverse engineering, it was obfuscated using a special Protector. Network traffic is encrypted (even the DNS queries!) and produced in excess. VirusTotal results for this malware sample:

It spreads through Facebook, by writing a chat short chat message and posting following message on a wall:

http://xxxxxxxx.com/xxxxxxxx.php?ref=facebook&w=%5Brandom characters]&resource=youtube&w=[name] :* favourite [random characters] 😀

Then, it sends a following Skype message:

youtube favourite [random characters]! http://xxxxxxxx.com/xxxxxxxx.php?ref=facebook&w=%5Brandom characters]&resource=youtube&w=[name]

Finally, it sends an MSN message

:* http://xxxxxxxx.net/xxxxxxxx.php?ref=facebook&w=%5Brandom characters]&resource=youtube&w=[name] youtube hit [random characters] 😀

If user clicks on the link, malware is downloaded to the victim’s computer.

Kindly refer to the following link for details analysis and further explanation: (Analysis of a very social malware):

https://www.cert.pl/news/5587/langswitch_lang/en

Cyberattacks October 2012 Part (I) – Skype Viruses

You may be surprised that Skype could compromise your computer security. The more you know about these threats, the better prepared you will be.They are malware, so you should avoid them with just as much caution.

As soon as the worm has infected a system it tries to automatically spread itself by sending out a message to all the Skype contacts of the affected user. The message currently says:
“hey is this your skype profile pic?”
Then a link to the picture in question follows and at the end of each link the Skype nickname of the targeted user is included:
http://xxxxxxxxxx.xxx/xxxxxx?image=%5BSkype nickname of target]” (Link removed)
Please be very careful when opening links that were sent to you by your friends and acquaintances.

If this warning didn’t reach you in time and your system has already been infected, you can join the discussions in the following thread in order to figure out how to get rid of the worm in its current version:

http://www.pokerstrategy.com/forum/thread.php?threadid=210062

Since a couple of days, CERT Polska has also been taking an active role in disabling the Dorknet worm. A Polish security portal Niebezpiecznik.pl (article in Polish) mentioned that it also targets Polish users. We acquired a sample of this malware (called “Dorkbot”). This dropper was detected by 28 out of 44 antivirus used by the VirusTotal service:

Darkbot has a very wide range of spreading capabilities and has several different malicious behaviors. As is stated in other news reports, it is most widely present on Skype.

How can you protect yourself?

Firstly, please do not click on any links that seem suspicious to you. Remember that even your friends can be infected and become a part of a botnet. You also should have an updated antivirus software and operating system.

Samples malicious was named

  • skype_08102012_image.exe.
  • unpacked Dorkbot (unpacked.exe)
  • (downloaded.exe) downloaded by Dorkbot.

Cyberattacks September 2012 – IE Zero-Day Exploited in the Wild

A new zero-day vulnerability affecting Internet Explorer is being exploited in the wild affecting IE 9 and earlier. The vulnerability, if exploited, would allow full remote code execution and enable an attacker to take over an affected system. Security researcher Eric Romang discovered the vulnerability and exploit over the weekend while monitoring some infected servers said to be used by the alleged Nitro gang. To run the attack, a file named ‘exploit.html’ is the entry point of the attack … According to analysis by VUPEN, the exploit takes advantage of a ‘use-after-free vulnerability’ that affects the mshtml.dll component of Internet Explorer. Rapid7 on Monday released an exploit module for Metaspolit which will let security teams and attackers alike test systems.

This new vulnerability exploitation consists of a few malicious files which include exploit[dot]html, Moh2010[dot]swf, Protect[dot]html and 111[dot]exe.

Each of the files plays its own role:

  • exploit[dot]html – Loads the flash file Moh2010[dot]swf as an initial vector for exploitation.
  • Moh2010[dot]swf – Facilitates arbitrary code execution (heap spray), loads Protect[dot]html, encrypted using DoSWF
  • Protect[dot]html – Checks for IE version and Windows OS and execute the malicious payload – 111[dot]exe if the criteria are matched.

The payload executed is poison Ivy RAT. It is a dropper similar to the one found in the Java Zero-Day exploit .

Eric Romang, co-founder of ZATAZ.com had tested the exploits and it seems to work on an up-to-date Microsoft Windows XP Pro SP3 with an up-to-date Adobe Flash (11,4,402,265). Alien Vault Labs further verified this via its blog where it mentioned that this zero-day appears to affect Internet Explorer 7 and 8 and seems to be exploitable at least on Windows XP. Furthermore, Metasploit had integrated this exploit into its framework, and it had demonstrated a successful attack against a Windows 7 machine with Internet Explorer 9 installed.

So far, the C&C servers involved are ie[dot]aq1[dot]co[dot]uk and hello[dot]icon[dot]pk which are resolving to a same IP address 12.163.32.15 located in USA.

Advisories:
Stop using Internet Explorer 7, 8 and 9 until Microsoft releases a new patch
Block 12.163.32.15 – ie[dot]aq1[dot]co[dot]uk and hello[dot]icon[dot]pk.

Cyberattacks August 2012 – Java Zero-Day Exploited in the Wild

This new vulnerability exploitation consists of two phases. The first phase will download a malicious Java applet from ok[.]aa24[.]net with IP address 59.120.154.62, which currently resolving to an IP address in Taiwan. Once the first exploitation is successful, it will download and execute a dropper on the infected host. The dropper appears to be poison Ivy RAT variant, which likely to be detected by many antivirus vendors. The dropper will then call to a C&C server, with domain hello[.]icon[.]pk. Currently, this domain is resolving to an IP address 223.25.233.244 located in Singapore.

Sources from Internet indicated that the exploitation seems to work on Internet Explorer, Firefox and Google Chrome, and it affects Java 7 (1.7) Update 0 to 6. Metasploit later integrated this exploit into its framework, and it was told that the attack is successful against a fully patched Windows 7 SP1 with Java 7 Update 6. Another additional landing page “62[.]152[.]104[.]149/public/meeting/applet[.]jar” which is serving Java Zero-Day Exploit (CVE-2012-4681).

The landing page ok[.]aa24[.]net looks like a blank page. Sometimes we may see the word “Loading”.

Advisories:
Disable Java plugin from your browser or uninstall it from your computer completely.
*[http://krebsonsecurity[.]com/how-to-unplug-java-from-the-browser/]
Block 59.120.154.62 – ok[.]aa24[.]net and 223.25.233.244 – hello[.]icon[.]pk.
*However attackers are not limited to the current domains and IP addresses.

Cyberattacks July 2012 – DNSChanger Malware(Countdown to July 9th)

DNSChanger is malicious software (malware) that changes the infected computer’s Domain Name System (DNS) server settings to replace the Internet Service Provider’s (ISP) good DNS servers with bad DNS servers operated by the criminal.

Back in November 2011, the FBI had uncovered a network of rogue DNS servers under Operation Ghost Click. Six Estonian nationals have been arrested and charged. The FBI’s investigation showed that the DNSChanger botnets are operated under the company name “Rove Digital” which was based in Estonia. According to a press release by the FBI, DNSChanger will cause the following:

Click Hijacking
When the user of an infected computer clicked on a search result link displayed through a search engine query, the malware cause the computer to be re-routed to a different website. Instead of being brought to the website to which the user asked to go, the user was brought to a website designated by the defendants. For instance, when the user of an infected computer clicked on the domain name link for the official website of Apple-iTunes, the user was instead taken to a website for a business unaffiliated with Apple Inc. that purported to sell Apple software.

Advertising Replacement Fraud
By using the DNS Changer malware and rogue DNS servers, the cyber syndicate replaced legitimate advertisements on websites with substituted advertisements that triggered payments to them. For example, when the user of an infected computer visited the Amazon.com website, a prominent advertisement for Windows Internet Explorer 8 had been fraudulently replaced with an ad for an email marketing business.

Besides, there is a high possibility where an infected computer may also be infected with other malware. This is because in some case, the DNSChanger Malware had the additional effect of preventing users’ anti-virus software and operating systems from updating

How Do I Know if My Computer Is Infected?

You can check to see whether your computer is infected on http://dcwg.org/ by DCWG.

If the page is green, you’re in the clear. If it’s red, your computer is infected.