CyberInsecure.com

Archive for June, 2009

Websense Security Labs has discovered that the Web site of Fort William Mountain Bike World Cup 2009 (fortwilliamworldcup.co.uk) has been hijacked by attackers, and redirects users to rogue AV sites if they visit the site through well-known search engines such as Google, Yahoo, and MSN.

This site has been injected by the Nine-Ball malicious code twice this month. Now, the injected code has been cleaned but system control has been lost without the administrator’s knowledge. Once the attackers gained system control, they likely made small changes to the configuration of the Web server to redirect any visitors to rogue AV Web sites if arriving at the site via search engines. We would like to remind Web masters that a full examination of the whole system is necessary after removing code injections.

Credit: Websense Security Labs

Adobe’s Shockwave Player contains a critical vulnerability that could be exploited by remote hackers to take complete control of Windows computers, according to a warning from the software maker. According to Adobe, 450 million Internet-enabled desktops have installed Adobe Shockwave Player.

This issue is remotely exploitable and affects Adobe Shockwave Player 11.5.0.596 and earlier versions. According to Adobe’s advisory, this vulnerability could allow an attacker who successfully exploits this vulnerability to take control of the affected system. Adobe has provided a solution for the reported vulnerability (CVE-2009-1860). This issue was previously resolved in Shockwave Player 11.0.0.465; the Shockwave Player 11.5.0.600 update resolves a backwards compatibility mode variation of the issue with Shockwave Player 10 content.

To resolve this issue, Shockwave Player users on Windows should uninstall Shockwave version 11.5.0.596 and earlier on their systems, restart, and install Shockwave version 11.5.0.600, available at http://get.adobe.com/shockwave/.

Credit: ZDNet.com Security BLogs

The recently exposed as vulnerable to trivial remotely exploitable flaws Chinese censorware Green Dam, has silently patched the security flaws. However, not only is the latest Green Dam v3.17 version still vulnerable to remotely exploitable flaws, but also, for over a week now a working zero day exploit (Exploit.GreenDam!IK; W32/GreenDam.A) has been circulating in the wild.

Green Dam intercepts Internet traffic using a library called SurfGd.dll. Even after the security patch, SurfGd.dll uses a fixed-length buffer to process web site requests, and malicious web sites can still overrun this buffer to take control of execution. The program now checks the lengths of the URL and the individual HTTP request headers, but the sum of the lengths is erroneously allowed to be greater than the size of the buffer. An attacker can compromise the new version by using both a very long URL and a very long “Host” HTTP header. The pre-update version 3.17, which we examined in our original report, is also susceptible to this attack.

According to Green Dam’s official web site, the latest 3.17 version which still remains exploitable, has already been downloaded 426,138 times, combined with raw data on over 7,172,500 downloads of the previously vulnerable version, the current situation could easily turn the “Great Botnet of China” from theory into practice if the exploits ends up embedded within a web malware exploitation kit.

Credit: ZDNet.com Security Blogs

Researchers from Computer Associates and Sophos are reporting on three currently active malware campaigns using fake Microsoft patch themes as a social engineering tactic to spread over email.

The first one is spreading as an “Important Windows XP/Vista Security Update” and is offering a bogus Conficker removal tool, the second is using an “Outlook re-configuration” — also spammed earlier this month — and the third one is using an out-of-the-band “Update for Microsoft Outlook / Outlook Express (KB910721)” theme, which in reality is nothing else but a trojan.

The fake Conficker removal tool campaign has been active for over a week now, with Symantec pointing that not only are the authors unable to make the difference between Troj/Brisv.A and Conficker, but also, they misspelled Conficker as ConFlicker in between attaching their malware to Symantec’s original removal tool in an attempt to build more legitimacy into the campaign.

A similar fake “Conficker Infection Alert” spam campaign redirecting to scareware took place in April, however, despite the fact that cybercriminals continue sticking to the cyclical pattern of the “Microsoft security update/patch” social engineering theme, compared to previous campaigns where the timing was perfect, in this latest one it thankfully isn’t.

The second, Outlook re-configuration campaign is serving Outlook_update.exe through several legitimate and logically compromised web sites, next to the purely malicious ones. Interestingly, the third campaign promoting the fake Outlook critical update has directly attached the executable officexp-KB910721-FullFile-ENU.exe to the email, indicating their lack of experience in such campaigns.

Credit: ZDNet.com Security Blogs

The Iranian opposition coordinated a cyber attack yesterday that has successfully managed to disrupt access to major pro-Ahmadinejad Iranian web sites, including the President’s homepage which continues returning a “The maximum number of user reached, Server is too busy, please try again later…” message.

Through a combination of DIY (do it yourself) denial of service attack tools (DDoS), multiple iFrame loading scripts, public web page “refresher” tool, and a much more effective PHP script, the participants have already prompted some of the major Iranian outlets to switch to “lite” versions of their sites in an attempt to mitigate the attack.

The campaign appears to have been organized through Twitter, which despite public reports that the site has been banned in Iran, appears to be still accessible through a a persistent supply of proxy servers on behalf of the opposition.

Moreover, the ongoing distributed denial of service attacks, are using techniques which greatly resemble those used in last year’s Russia vs Georgia cyber attack, and the ones Chinese hacktivists used back in 2008 in order to temporarily shut down CNN, with a single exception - there’s no indication of a botnet involvement in the present attack.

Instead, the attack relies on the so called people’s information warfare concept, which is the self-mobilization of individuals, or their recruitment based on political/nationalistic sentiments by a third-party, for conducting various hacktivism activities such as web site defacements, or launching distributed denial of service attacks.

The following are some of the sites that are currently under attack, remain totally unresponsive, or return “server is too busy” error messages:

Ahmadinejad.ir - Mahmoud Ahmadinejad’s Official Blog - under attack
Leader.ir - Office of the Supreme Leader, Sayyid Ali Khamenei - under attack
President.ir - Presidency of The Islamic Republic - under attack
Farsnnews.com - Fars News Agency - under attack
Irib.ir - Islamic Republic of Iran Broadcasting - under attack
Kayhannews.ir - News Portal - “Service Unavailable”
Irna.ir - Islamic Republic News Agency - “service unavailable”
Mfa.gov.ir - Ministry of foreign affairs , Islamic Republic of Iran - under attack
Moi.ir - Ministry of Interior - under attack
Police.ir - National Police - under attack
Justice.ir - Ministry of Justice - under attack
Presstv.ir - Iranian Press TV - “server is too busy”

Among the first web-based denial of service attack used, is a tool called “Page Rebooter” which is basically allowing everyone to set an interval for refreshing a particular page, in this case it’s 1 second. Pre-defined links to the targeted sites were then distributed across Twitter and the Web, through messages link the following :

“Please spread word about a cyber effort to exert pressure on the paramilitary in Iran. They have launched denial of service attacks on US websites that are run by live bloggers feeding us up to the minute information about what is going on in Iran on the ground. To fight back, open these two URLs in as many tabs/windows as possible and simply leave your computer running overnight! We must show solidarity with them in their quest for freedom! The 2nd link targets PressTV, the mouthpiece of Ahmadinejad and Khamenei.”

The second stage of the campaign consisted in the distribution of a multiple iFrame loading script which was automatically refreshing farsnews.com, irna.ir and rajanews.com. The script has since changed its location and is advertised under a new domain.

The third stage included a combined attack, this time including DIY (do-it-yourself) denial of service tools (DDoS), which despite their primitive nature are indeed causing server overload for their targets. Each of the tools is distributed with a simple manual, including links to large images at the targeted web sites, one which the software using proxies will attempt to obtain automatically.

The tools themselves, BWRaeper.exe (detected as Worm.AutoIt.AA); PingFlooder.exe (flagged as banker malware); Server_Attack_By-_C-4.exe (Riskware.ServerAttack.F) and SupportIran.php, have already been picked up by antivirus vendors. The last tool is a basic PHP script targeting those running a server that supports PHP in order to use it.

SupportIran.php has also been released as an improved version to the multiple iFrame loader, and is currently used in the attack as well, having the following sites pre-defined to attack simultaneously - khamenei.ir; presstv.ir; irna.ir; president.ir; mfa.gov.ir; moi.ir; police.ir; justice.ir; live.irib.ir.

There have already been speculations that the magnitude of these local attacks — Iranian users targeting Iranian web sites – is contributing to the “strange changes in Iranian traffic transit” reported during the last couple of days. The attacks are still ongoing.

Credit: ZDNet.com Security Blogs

Mozilla has released a new version of its Firefox browser that plugs nine security holes, four of which are rated “critical,” the foundation’s highest vulnerability level.

Version 3.0.11 squashes a javascript chrome privilege escalation bug, which Mozilla said allows attackers to execute malware on the computers of end users. Exploits would work by manipulating chrome privileged objects, such as a browser sidebar.

Other critical vulnerabilities include stability bugs in the browser engine, crashes that caused memory corruption and a race condition while accessing the private data of a NPObject JS wrapper class object. A complete list of fixes is available here.

Mozilla said some of same bugs have been fixed in version 2.0.0.22 of Thunderbird, but at time of writing, the most current version of the email application was 2.0.0.21. We wouldn’t be surprised if an update was released soon.

As usual, the update will be pushed directly to Firefox users and requires only a simple restart of the browser to be installed.

Credit: The Register

Mac fans are targeted via a pair of new malware-themed attacks, one of which is on offer through what purports to be a portal for adult videos.

The Jahlav-C Mac-specific Trojan poses as an ActiveX update needed to watch grumble flicks. The same booby-trapped website, which runs code to detect whether surfers are using Mac or Windows PCs, is a equal opportunity infector that also deploys code designs to infect Windows PCs using similar social-engineering trickery.

In addition to the Trojan, Sophos discovered a new strain of the Mac OS X-specific Tored worm on Thursday.

Mac-specific malware remains a rarity compared to the hundreds of thousands of Windows-specific virus strains, of course. However, it would be a mistake for Mac fans to think they are immune from malware when downloading warez or hunting for porn. “It is becoming more and more common for hackers to use social engineering tricks - like telling surfers that they need to download a plugin on their Mac to watch a video - to weasel their way onto computers,” said Graham Cluley, senior technology consultant for Sophos.

“Once the malware is running on your computer, it can download further code from the internet - opening the door for your computer to be infected by scareware, send out spam, or become part of a zombie botnet. Windows users are used to fighting malware, but many Mac users are oblivious of the battle taking place for control of the public’s computers.”

Credit: The Register

A large internet service provider said data for as many as 100,000 websites was destroyed by attackers who targeted a zero-day vulnerability in a widely-used virtualization application.

Technicians at UK-based Vaserv.com were still scrambling to recover data on Monday evening UK time, more than 24 hours after unknown hackers were able to gain root access to the company’s system. The attackers were able to penetrate his servers by exploiting a critical vulnerability in HyperVM, a virtualization application made by a company called LXLabs. Vaserv.com got hit by a zero-day exploit in version 2.0.7992 of the HyperVM application.

No one could receive a response to inquiries sent to LXLabs company, which according to its website is located in Bangalore.

Data for about half of the websites hosted on Vaserv was destroyed all at once sometime Sunday evening, shortly after administrators noticed “strangeness” on the system. The attackers had the ability to execute sensitive Unix commands on the system, including “rm -rf,” which forces a recursive delete of all files.

Some 50 percent of Vaserv’s customers signed up for unmanaged service, which doesn’t include data backup. It remains unclear of those website owners will ever be able to retrieve their lost data. As a result, at least half the websites that were hosted on the site remain offline.

“Since last night, I’ve had probably 40 phone calls from clients saying ‘Why is my website down,’” said Daniel Voyce, a web developer for Nu Order Webs who uses Vaserv to host customer sites. “It’s making me look bad.”

Voyce said the hackers, given the high level of server access they gained, were likely able to intercept a wealth of sensitive data stored on Vaserv’s servers. Voyce said his customers are safe because all sensitive information was encrypted.

Little is known about the people who attacked the site. So far, there are no known reports of individuals taking credit for the hack. The breach was likely the result of a SQL injection attack that penetrated Vaserv’s central management software and removed vital binaries and data for about half of all user data stored by the service.

Vaserv specializes in low-cost web hosting using VPS, or virtualized private servers. Virtualization features in LXLabs’ HyperVM helped Vaserv provide the service, which costs a fraction of the price of dedicated server hosting.

It remains unclear how other webhosts using the HyperVM have been affected.

Update: On Monday, the boss of LxLabs was found dead in a suspected suicide. Reports of the death of K T Ligesh, 32, come in the wake of the exploitation of a critical vulnerability in HyperVM. The effect of his death on the development of updated software by LxLabs is unknown at time of writing.

Ligesh was found hanged in his Bangalore house on Monday morning, after a late night drinking session. The Times of India reports that he was upset with the loss of a recent contract. Ligesh was also still coming to terms with the suicides by hanging of his sister and mother five years ago.

Security researchers at Milw0rm warn that the Kloxo (formerly Lxadmin) web hosting platform from LxLabs contains 24 security vulnerabilities and exploits. The flaws include SQL injection vulnerabilities and flaws that create a way for hackers to gain file access to files hosted on a vulnerable system.

The vulnerabilities are confirmed to affect Klaxo version 5.75, though other versions may also be affected. Milw0rm went public with an alert on the vulnerability last Thursday after failing to hear back from LxLabs in what it considered to be a timely manner.

LxLabs recently said that more than 30,000 virtualized private servers (vpses) were managed by HyperVM, and more than 8,000 servers running Kloxo. The largest single installation of hyperVM centrally manages more than 4000 VPSes.

Virtualization features of HyperVM allow hosting firms such as VAserv to provide low-cost web hosting at a fraction of the price of dedicated server hosting.

Credit: The Register

New types of denial of service attacks threatened the security of mobile data networks, a senior telecoms security researcher warned last week.

Krishan Sabnani, vice president of networking research at Bell Labs, said inherent weaknesses in the mobile IP protocol allow the launch of attacks that are relatively straightforward to mount but hard to detect and thwart.

The attacks would take the form of repeatedly setting up and releasing connections, for example, a form of attack analogous with the SYN Flood assaults that have long being a problem on the fixed-line (wired) internet. Other attacks might rely on preventing mobile devices from going into a dormant mode, thereby draining battery life.

“We need to especially monitor the mobile networks – with limited bandwidth and terminal battery — for DOS attacks,” Sabnani said during a session at the Cyber Infrastructure Protection Conference at City College of New York last Thursday, Network World reports.

Worse still the resources needed to launch an attack might be out of all proportion to the damage that could be inflicted, Sabnani suggested.

“One cable modem user with 500Kbps upload capacity can attack over one million mobile users simultaneously,” he said.

Sabnani outlined various types of attack against mobile IP networks: re-establishing connections after they have been released to create congestion at radio network controllers, thereby causing problems for legitimate subscribers; sending packets to prevent a mobile device from going into sleep mode; placing rogue devices on a network that generate spurious traffic that can be hard to pin down; and excessive port scanning as a result of connected devices that are infected with computer malware.

Bell Labs’ is using Sabnani’s research into DOS threats to develop security appliances designed especially for mobile network architecture and protocols, marketed by Alcatel-Lucent as the 9900 Wireless Network Guardian.

“We have developed algorithms based on traffic profiling and statistical models that can detect low-volume wireless DOS attacks,” Sabnani explained. “The system detects and mitigates traffic that will cause RNC signaling overload, unnecessary airlink usage, paging overload, and unnecessary subscriber battery drain.”

Credit: The Register

A recent McAfee service pack led to systems being rendered unbootable, according to posts on the security giant’s support forums.

The mandatory service pack for McAfee’s corporate Virus scanning product, VSE 8.7, was designed to address minor security bugs but instead tagged windows system files as malware. The software update was issued on 27 May and pulled on 2 June, after problems occurred. Users were advised to keep the patch if they’d already installed it in a low-key announcement on McAfee’s knowledge base.

Posts on McAfee’s support forum paint a different picture of PCs and server left unbootable after the update had automatically deleted Windows systems files wrongly identified as potentially malign. Users described the incident as a “massive fail” by McAfee and reports that sysadmins are angry that a long awaited patch turned out to do more harm than good.

In a statement, McAfee acknowledged potential problems but said that these were rare. It said it planned to reissue the service pack once glitches with the software were ironed out.

McAfee removed Patch 1 for McAfee VirusScan Enterprise 8.7i from its download servers out of precaution after a potential issue with the update was discovered. A very small number of customers reported trouble with the patch on a limited number of computers.

Once the cause of the problem has been identified and the issue has been resolved, we will repost Patch 1. Customers should contact McAfee support if they have any questions regarding this issue, and check the McAfee ServicePortal for further updates.

Problems with anti-virus scanner definition updates that result in false alarms against harmless files are a well known Achilles’ heel of security software. The issue causes more trouble in cases where system files are flagged as potentially malign. The problems with McAfee’s enterprise security software are arguably even worse than that because they involve a service pack and not just regular definition updates.

McAfee users have every right to ask tough questions about the security giant’s quality assurance and testing regime even if, as McAfee states, only a small percentage of users ran into problems.

Credit: The Register