SANS


SANS Consolidated Security News

  1. Vuln: Trend Micro Internet Security Pro ActiveX Control Remote Code Execution Vulnerability (SecurityFocus Vulnerabilities)
  2. CVE-2010-3212 (Natl. Vulnerability Database)
  3. Privacy in iTunes Ping (NetworkWorld Security)
  4. Apple's Ping a Scammer's Haven? Security Experts Say Watch Out (PC World) (Yahoo Security)
  5. TDS Offers Free Webinar to Help Businesses Defend Networks and Outpace Hackers (Yahoo News)
  6. Microsoft hardening tool with graphical user interface (Heise Security News)
  7. Phone bugging scandal reignited as NotW suspends reporter (The Register)
  8. UAE Man-in-the-Middle Attack Against SSL (Schneier blog)
  9. Germany to launch antibotnet program for consumers (NetworkWorld Virus/Worms)


SANS Handler’s Diary

  1. US Department of Defense and National Policy, (Sun, Sep 5th) - A recent article released by the US Department of Defense (DoD) spoke of the worst compromise in DoD history, facilitated by what was said to be the unauthorized use of a USB drive. As a result of this incident, the US government has seen fit to step up the DoD involvement, working with the US Department of Homeland Security (DHS), in an effort to protect critical national infrastructure. The full article (requires registration) by William J. Lynn, Undersecretary of Defense, speaks of the DoD and its experiences, which make it uniquely qualified for cyberdefense. "Cyberattacks offer a means for potential adversaries to overcome overwhelming U.S. advantages in conventional military power and to do so in ways that are instantaneous and exceedingly hard to trace. Such attacks may not cause the mass casualties of a nuclear strike, but they could paralyze U.S. society all the same," he wrote. "In the long run, hackers' systematic penetration of U.S. universities and businesses could rob the United States of its intellectual property and competitive edge in the global economy."
    The announcement by the DoD that within the last 24 months it had suffered its worst compromise in history would seem embarrassing, but then to announce in the same week that they will become more involved in the protection of national critical infrastructure is disconcerting. The DoD is the US arm for defense of national interests; however, I do not believe that makes the DoD the best agency for this role.
    I welcome your comment,

    tony . carothers at gmail dot com (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
  2. What's not to Like about "Like?", (Sat, Sep 4th) -

    Get off of my lawn!

    I admit that I have a suspicious, curmudgeonly streak. I view every new feature update from Facebook like it's a vulnerability announcement from Microsoft. I'm concerned not only with what the people behind Facebook may be planning with a feature, but more so with how other groups might repurpose that feature. The recent expansion of the Facebook API is one of those things that gives me concern.


    What happens when you click Like?

    When you click the Like there's an announcement of this activity on your wall, and it's added to your Likes section. People who have common likes can see each other, but only as much as they would share with anyone else who had their Facebook username. That doesn't sound so bad.


    What are people Liking?

    Normally, a Facebook user could create a group or page to support a product, business or idea such as: Rock Music, Gibson Guitars, or Billy-Bear's Bean Shop. With the update of the Facebook Platform (http://blog.facebook.com/blog.php?post=383404517130) now third party websites can place a Like button on their website. Is this a problem? If I like Nike shoes, why not like nike.com itself?

    What has been triggering my spidey sense is that over the past couple of weeks, my Facebook event log has been filling up with people liking third-party pages that are simple messages like "like if you want a long lasting relationship:)!" or other simple platitudes. The first thing that attracted my notice was that they were often mean-spirited, hateful, or had some sort of -ism in them. These were surprising messages to read on a friend or family member's page, so I suspected some sort of hijack or other foul play. Unfortunately I haven't turned up anything to support that theory; my friends and family are just mean people, I guess.

    There are a handful of sites that have been recently set up to take advantage of this new feature in the Facebook Platform. Some that I have seen used recently are:

    golikeus.org, registered 19-JUN-2010, privately registered
    likealike.co.uk, registered 23-AUG-2010, privately registered
    phrasely.net, registered 26-AUG-2010, privately registered


    Each supports a user-created message feature where Facebook users can set up their own message and try to get as many folks to join as possible.

    Recently they've updated their posts so that when the Like message appears on the users' wall the source is obfuscated behind a heart or musical symbol. I saw one that was even hiding behind a bit.ly link.

    So other than the domains being recently registered with no contact information and the simple obfuscation, what evidence do I have that there's evil afoot? None, other than it fires a lot of my rules of thumb I've acquired over the years.


    One last example.

    This week, one of my family members had this message pop up on my wall:

    WOW, This GUY Went A Little To FarWITH His REVENGE On His EX GIRLFRIEND! (shocking)

    I was certain that they'd been compromised this time. I set up a system and followed the links, capturing pcaps, just waiting for the prompt to download the fake video codec or whatever booby trap they had waiting for me. The domain, shocking-revenge.info, was barely a day old, and the links went off to pull down content from other free-hosting providers. It had all the hallmarks of a psychological exploit. So I kept clicking like a sucker waiting for the big reward.

    It never came.

    Just more advertisements, and whoever's behind it has a nice bit of demographics for marketing purposes and a channel to distribute more lures and ads.


    The Impact

    So the short story is that there's nothing overtly evil about like links. I also don't see shadows of some large privacy violation or exposure when you click the like button on Facebook-hosted pages or sites that you trust.

    However I do see some risk to clicking on un-trusted third-party likes not because I have any hard data from any cases, but because I've seen this movie before, and I will see it again.

    I'm just disappointed that I have friends/family with *isms. I was really hoping it was malware.
    (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
  3. Investigating Malicious Website Reports, (Sat, Sep 4th) -

    This morning we received a report from Holger about a website that was triggering alerts in Google and his anti-virus applications. I wanted to share my response process.



    My first step is selecting the right responder music. You can't have a good incident response montage without your jams.



    Next, it's a bit of domain analysis. There are a number of helpful sites that host whois and DNS details about a suspected site. I use domaintools.com; others swear by robtex.com. In this particular case, the domain was registered in 2004. As a generalization, long-lived domains like that do not raise red flags, but the domain expired 30-AUG-2010 (just a few days ago), which could indicate a window of opportunity for a criminal to acquire a nice bit of respectable internet real estate.



    If you want to interact with the suspected website, you should use something safe. It's a little harder to determine which tool-set is safest when dealing with malicious websites, since you don't reliably know what they're targeting most of the time. I went with an OSX image that was pretending to be a Windows box.



    Malware authors are catching on to the old wget-with-a-spoofed-user-agent trick. I've taken to synthesizing victim behavior by first starting with some Google searches so that I can build a convincing referer URL. Googling for the domain turned up mainly the main website and a lot of traffic analysis of the domain from places like Alexa and trafficestimate. I added the inurl: Google syntax in the hopes of finding examples where an attacker may have been spamming out links to forums and such to drive traffic to the exploit site. The search didn't turn up many results (something that also didn't raise any red flags), but when I tried to have Google translate the site for me (a risky move, but I can easily restart the image) I received the Google warning that Holger reported. At this point I have what I need to grab a copy of the potential exploit. I still use wget, spoof the user-agent to look like an IE request, and use the referer link from the Google search.



    The request worked, but the URL that allegedly pointed to a .JPG returned HTML. That's a bit unexpected. Glancing through the HTML results, the obfuscated JavaScript jumps out. A handful of Math.* calls and document.write statements are a pretty solid flag that something odd is going on. In this case its intent was to create a pop-up to an ad server.



    The owners of the website claim that the Google and AV alerts about the site are false. I will grant that the intent behind the obfuscated script wasn't overtly criminal in this case, but I wouldn't call it a false-positive result. I would urge the advertising network to be up-front about what they're advertising and where they're advertising it from. There's no reason to use document.write games to set up your javascript calls to your ads.
    (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
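    The two checks the diary above relies on, "a .JPG URL that returns HTML" and "Math.* calls plus document.write statements in the returned page", can be scripted so the triage is repeatable. The following is an added example written for this newsletter, not code from the ISC handler; the URL, the HTML body and the "suspicious" threshold are constructed for illustration, and the indicator list is a heuristic, not a definitive malware signature.

```python
import re

# Constructed sample (hypothetical): what a URL that ends in .jpg but actually
# serves an obfuscated ad-popup page might return. Not the diary's real page.
SAMPLE_URL = "http://example.invalid/images/banner.jpg"
SAMPLE_BODY = b"""<html><body>
<script>
var a=Math.floor(Math.random()*10);var b=Math.round(a/2);
document.write(unescape('%3Cscript%20src%3D%22http%3A//ads.example.invalid/pop.js%22%3E%3C/script%3E'));
document.write(String.fromCharCode(60,115,99,114,105,112,116,62));
</script>
</body></html>"""

JPEG_MAGIC = b"\xff\xd8\xff"  # every JPEG file starts with these three bytes

# Indicators the diary calls out (Math.*, document.write) plus the usual decoding
# helpers that accompany them in obfuscated loaders.
INDICATORS = {
    "math_calls": re.compile(r"\bMath\.\w+\s*\("),
    "document_write": re.compile(r"\bdocument\.write\s*\("),
    "eval": re.compile(r"\beval\s*\("),
    "unescape": re.compile(r"\bunescape\s*\("),
    "fromcharcode": re.compile(r"String\.fromCharCode\s*\("),
}


def content_matches_extension(url, body):
    """True when a URL ending in .jpg/.jpeg really serves JPEG bytes.
    URLs that make no claim about the type always pass this check."""
    path = url.split("?", 1)[0].lower()
    if path.endswith((".jpg", ".jpeg")):
        return body.startswith(JPEG_MAGIC)
    return True


def looks_like_html(body):
    """Cheap sniff of the first KB for HTML/script markup."""
    head = body[:1024].lstrip().lower()
    return head.startswith(b"<!doctype html") or b"<html" in head or b"<script" in head


def obfuscation_indicators(body):
    """Count each indicator in the body; latin-1 decoding never fails on raw bytes."""
    text = body.decode("latin-1")
    return {name: len(rx.findall(text)) for name, rx in INDICATORS.items()}


def triage(url, body):
    """Combine the extension/content check with the script-indicator counts."""
    counts = obfuscation_indicators(body)
    findings = []
    if not content_matches_extension(url, body):
        findings.append("URL claims an image but the bytes are not JPEG")
    helpers = ("math_calls", "unescape", "fromcharcode", "eval")
    if looks_like_html(body) and counts["document_write"] and any(counts[k] for k in helpers):
        findings.append("document.write driven by arithmetic/decoding helpers (obfuscated script)")
    return {"suspicious": bool(findings), "findings": findings, "counts": counts}


if __name__ == "__main__":
    for line in triage(SAMPLE_URL, SAMPLE_BODY)["findings"]:
        print("-", line)
```

    Run over a response captured with wget (or any fetch), the function returns the findings as data rather than printing them, so the same check can sit inside a larger response script; a genuine JPEG produces no findings at all, which is the control case to keep alongside the suspicious one.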
  4. Apple Releases Two Security Updates (One for OSX, One for iTunes) : http://support.apple.com/kb/HT4312 and http://support.apple.com/kb/HT4328, (Fri, Sep 3rd) - -- John Bambenek bambenek at gmail /dot/ com (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
  5. Microsoft EMETv2 released, (Thu, Sep 2nd) - Today, Microsoft released a new version of their Enhanced Mitigation Experience Toolkit. A rather unwieldy name, but quite interesting technology - with EMET, legacy applications on OS versions as far back as Windows XP can now also be protected with Data Execution Prevention (DEP), Structured Exception Handler Overwrite Protection (SEHOP) and more, and the application doesn't even have to be DEP-aware. If you have vulnerable legacy apps on Windows that you need to keep alive for a little while longer, I suggest taking a look at EMETv2. (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
  6. SDF, please!, (Thu, Sep 2nd) - "We're under a targeted malware attack!", a friend of mine yelled into the phone. "We are getting lots of oddly named PDFs, attached to personalized emails, sent only to certain employees in our firm!" From some past experience with chewing through our nasty malware repository here at SANS ISC, I had learned a thing or two about malicious PDFs, so I agreed to take a look.
    One hour later, it was clear that the PDFs in this case were free of any exploit, completely harmless, and contained only the average "I AM A COUSIN OF THE LATE ZESKEKE NGAGWENE" type of Nigerian 419 (advance-fee) fraud spam.
    But the whole episode gave me pause. It really looks like the past two years of never ending new waves of PDF exploits have degraded PDF in the mind of every security analyst to a level somewhere at par with ANI and SCR files: No matter what it claims to be, it ain't nothing good.
    I very much agree with Stephen Northcutt's comment in SANS Newsbites two months ago. He asked: "Is there an alternative to a .pdf? It was supposed to be a printable image of what you saw on the screen. At least that was the idea 15 years ago. It should not need launch functions to do that. Do you remember five or six years ago, you weren't supposed to send an excel spreadsheet or a word document because they might contain malware, you were supposed to send a .pdf. Guess that has changed!"
    Time for SDF - the Safe Document Format. You know, one that just supports pixels in various shades of gray, and does not need to include the ability to play a movie in 3D accompanied by surround sound. Just a nice plain document that can be opened, read and printed, without any of the nagging feeling of dread that nowadays accompanies clicking on a PDF.
    Anyone?
    (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
  7. Month of Undisclosed 0-day Bugs, (Wed, Sep 1st) - As a heads up, the Exploit Database (exploit-db.com) is publishing a month of undisclosed 0day bugs from Abyssec Research. Today there are two bugs published: one for cPanel (though it seems more of a bug in Fantastico) and one on Adobe Reader and Flash. Expect that the good ones will be weaponized quickly, as the disclosures are quite technically detailed and don't take too much thought to put into place. You may wish to keep up with what they publish as awareness for your own networks.
    --

    John Bambenek

    bambenek at gmail /dot/ com (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
  8. Microsoft issues updates to sysinternals ProcDump and Process Monitor: http://blogs.technet.com/b/sysinternals/archive/2010/08/30/updates-procdump-process-monitor-and-a-new-mark-s-blog-post.aspx, (Wed, Sep 1st) - -- John Bambenek bambenek at gmail /dot/ com (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
  9. VMWARE releases 2 security advisories for ESX Service Console: http://lists.vmware.com/pipermail/security-announce/2010/000103.html and http://lists.vmware.com/pipermail/security-announce/2010/000104.html, (Wed, Sep 1st) - -- John Bambenek bambenek at gmail /dot/ com (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
  10. Interesting PHP injection, (Tue, Aug 31st) - PHP injection attacks have become increasingly popular lately. If you look at your web server logs I'm pretty sure that you will find dozens of requests for PHP injection, usually by bots that are simply trying some well known (and less known) vulnerabilities.
    One of our readers, Blake, managed to capture some interesting attempts to exploit various PHP injection vulnerabilities on his web site, thanks to the installation of mod_security. Contrary to popular PHP injection attempts, where the attacker tries to exploit a variable to get the PHP interpreter to retrieve a remote PHP script, Blake noticed that the attacker tried to exploit a vulnerability in a PHP script through a POST request. The attacker submitted a malicious PHP script (with other data) hoping that the PHP interpreter would execute it; this vulnerability also exists, although it is not that common. Here is what the attack looked like in the log files:
    POST http://www.hostname.somewhere en-US) AppleWebKit/133.7 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4

    Host: www.hostname.somewhere boundary=---------------------------phpsploit

    Content-Length: 46266


    The POST request contained, besides data needed by the main script, an (of course) obfuscated PHP script that the attacker tried to execute. The deobfuscation part is shown in the picture below where I beautified it a bit and cut the long eval string.

    Now, the interesting part is that the script uses the User-Agent field as the deobfuscation key. If you carefully check the User-Agent shown above you will see that, while it looks legitimate, it in fact isn't: the combination of versions is not legitimate.
    But that's not all: the injected PHP script contains multiple eval() calls, of which every one uses a different deobfuscation key. This allows the attacker to test only parts of the script and never reveal its true side unless the attack works. The part that I was able to deobfuscate is shown below, and it just tries to connect to a well known (public and legitimate) IRC server. Very clever, especially if we know that PHP will nicely eat any garbage that it can't parse, so the attacker doesn't have to worry about only one eval() call working.

    This attack demonstrated how important it is to use all available protection layers: not only were Blake's scripts not vulnerable, but he also ran mod_security, which successfully blocked this attack, and he was checking his logs, something that a lot of administrators underestimate.
    What do your logs look like? If you find similar attacks or something else that looks interesting, let us know through our contact form available here.



    --

    Bojan

    INFIGO IS (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
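    The diary above makes two observations that are worth turning into log checks: the User-Agent only looks legitimate (a genuine WebKit browser never reports AppleWebKit/133.7 next to Safari/533.4, because both tokens carry the same build number), and the POST carried a multipart boundary and a PHP script that no browser form would produce. The following is an added example for this newsletter, not code from the ISC or from Blake's mod_security setup. The User-Agent and boundary values are the ones shown in the diary's log excerpt; the rest of the sample request, the benign control request and the "browser-shaped boundary" rule (Chrome emits ----WebKitFormBoundary plus 16 alphanumerics, Firefox emits 27 dashes plus digits) are constructed heuristics and should be tuned against your own traffic.

```python
import re

# Constructed sample modelled on the diary's excerpt. The User-Agent tail and the
# boundary are the values the diary shows; the UA prefix, host and body are made up.
SAMPLE_ATTACK = {
    "method": "POST",
    "headers": {
        "Host": "www.hostname.somewhere",
        "User-Agent": "Mozilla/5.0 (Windows NT 5.1; en-US) AppleWebKit/133.7 "
                      "(KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4",
        "Content-Type": "multipart/form-data; boundary=---------------------------phpsploit",
    },
    "body": ("-----------------------------phpsploit\r\n"
             "Content-Disposition: form-data; name=\"data\"\r\n\r\n"
             "<?php eval(base64_decode('Li4u')); ?>\r\n"
             "-----------------------------phpsploit--\r\n"),
}

# Constructed control: a plausible Chrome 5 form post with matching builds and a
# browser-shaped boundary.
SAMPLE_BENIGN = {
    "method": "POST",
    "headers": {
        "Host": "www.hostname.somewhere",
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/533.4 "
                      "(KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4",
        "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryAbCdEfGhIjKlMnOp",
    },
    "body": ("------WebKitFormBoundaryAbCdEfGhIjKlMnOp\r\n"
             "Content-Disposition: form-data; name=\"comment\"\r\n\r\nhello\r\n"
             "------WebKitFormBoundaryAbCdEfGhIjKlMnOp--\r\n"),
}

WEBKIT_RX = re.compile(r"AppleWebKit/([\d.]+)")
SAFARI_RX = re.compile(r"Safari/([\d.]+)")
CHROME_RX = re.compile(r"Chrome/([\d.]+)")
BOUNDARY_RX = re.compile(r'boundary=("?)([^";\s]+)\1', re.I)
PHP_PAYLOAD_RX = re.compile(r"<\?php|\beval\s*\(|\bbase64_decode\s*\(", re.I)


def webkit_versions_consistent(user_agent):
    """Genuine WebKit UAs repeat the same build in AppleWebKit/ and Safari/.
    Non-WebKit UAs are not judged by this rule."""
    wk = WEBKIT_RX.search(user_agent)
    sf = SAFARI_RX.search(user_agent)
    if not (wk and sf):
        return True
    return wk.group(1) == sf.group(1)


def boundary_matches_claimed_browser(user_agent, content_type):
    """Heuristic (assumption, tune locally): the multipart boundary should have
    the shape the claimed browser generates. Requests without a boundary pass."""
    m = BOUNDARY_RX.search(content_type or "")
    if not m:
        return True
    boundary = m.group(2)
    if CHROME_RX.search(user_agent):
        return re.fullmatch(r"----WebKitFormBoundary[A-Za-z0-9]{16}", boundary) is not None
    if "Firefox/" in user_agent:
        return re.fullmatch(r"-{27}\d+", boundary) is not None
    return True


def body_carries_php(body):
    """Form data from a real browser should never contain PHP open tags or eval()."""
    return PHP_PAYLOAD_RX.search(body or "") is not None


def triage_request(req):
    """Return the list of inconsistencies found; an empty list means nothing flagged."""
    ua = req["headers"].get("User-Agent", "")
    ct = req["headers"].get("Content-Type", "")
    findings = []
    if not webkit_versions_consistent(ua):
        findings.append("User-Agent WebKit/Safari build mismatch")
    if not boundary_matches_claimed_browser(ua, ct):
        findings.append("multipart boundary does not match claimed browser")
    if req["method"] == "POST" and body_carries_php(req.get("body", "")):
        findings.append("PHP code in POST body")
    return findings


if __name__ == "__main__":
    for name, req in (("attack", SAMPLE_ATTACK), ("benign", SAMPLE_BENIGN)):
        print(name, "->", triage_request(req) or "nothing flagged")
```

    None of these checks depends on a signature for a specific exploit, which is the point: the request gave itself away through internal inconsistencies, and each of the three functions can be run on its own over an access log or a mod_security audit log to surface similar hand-built requests.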