CyberInsecure.com

Daily cyber threats and internet security news alerts

Archive for the ‘Targeted Attacks’ Category

Terrorist And Leftist Websites Defaced By Israeli Hackers

Thursday, June 26th, 2008

An Israeli hacking group broke into the sites of Izz al-Din al-Qassam, the military wing of Hamas, and of some leftist movements. The hacked websites were defaced and their previous content replaced with the words of the Israeli national anthem. Currently the website of Izz al-Din al-Qassam displays a white screen and words in Arabic announcing technical difficulties.

The hacker group, which calls itself Fanat al-Radical (the fanatical radicals), also said that it broke into additional terror organizations’ sites and those of various leftist movements. According to an unnamed representative of the group, they searched for relevant sites, whether leftist or anti-Zionist, and looked for loopholes. The group consists of young adults from 16 to 18 years of age.

In addition to the Hamas military wing’s site, they also broke into the Balad political party site (http://arabs48.com/balad), that of the Hagada Hasmalit (the left bank, http://www.hagada.org.il), the Kibush (occupation, kibush.co.il) site and more. The Left Bank site, considered by the group as another site identifying with the left, was defaced “due to its blatant anti-Zionist contents”. The hacked sites are now equipped with an Israeli flag, the words of the Israeli national anthem “Hatikva” with vowels and pictures of Palestinian babies and children dressed as suicide bombers. A short explanation of why this specific site was broken into to begin with is also included.

Fanat al-Radical is a new group of hackers whose members previously belonged to another group called Kamikaz Team. According to them, since they didn’t want to include politics in Kamikaz, a parallel group that supports the destruction of Arab sites was created. The group feels that its first hacking campaign was successful, but they do not intend to stop here. They said that they plan an additional attack in the future.

Trojan In The Wild Exploits Recently Discovered Bug In Mac OS X Remote Management

Sunday, June 22nd, 2008

Security researchers from SecureMac have discovered multiple variants of a new Trojan horse in the wild that affects Mac OS X 10.4 and 10.5. The Trojan horse is currently being distributed from a hacker website, where discussion has taken place on distributing the Trojan horse through iChat, Apple’s instant messaging and video chat software, and Limewire.

Researchers at SecureMac, a Mac-specific anti-virus vendor, discovered the Trojan on June 19. The Trojan, AppleScript.THT, was classified as a “critical” threat. SecureMac’s warning came one day after an anonymous reader disclosed a few details of the ARDAgent vulnerability on Slashdot.org, and on the same day that rival security vendor Intego provided more information about the bug.

The malware exploits a recently publicized vulnerability in the Apple Remote Desktop Agent (ARDAgent), part of Tiger’s and Leopard’s Remote Management component. Written as a compiled AppleScript or, in another variant, as a script bundled into an application, the Trojan leverages the ARDAgent bug to gain full control of the victimized Mac.

The Trojan horse runs hidden on the system, and allows a malicious user complete remote access to the system, can transmit system and user passwords, and can avoid detection by opening ports in the firewall and turning off system logging. Additionally, the AppleScript.THT Trojan horse can log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing.

The Trojan is distributed as either a compiled AppleScript, called ASthtv05 (60 KB in size), or as an application bundle called AStht_v06 (3.1 MB in size). The user must download and open the Trojan horse in order to become infected. Once the Trojan horse is running, it will move itself into the /Library/Caches/ folder, and add itself to the System Login Items.

Like any Trojan horse, AppleScript.THT does not spread on its own but relies on user interaction, such as downloading and launching, to infect a machine. Trojans can also be silently introduced on a computer if they are injected after a successful attack using another vulnerability, such as a browser bug.

Users can protect themselves by removing ARDAgent from its normal location, which is System/Library/CoreServices/RemoteManagement, and archiving the application. MacScan 2.5.2 (software from SecureMac) can also protect your system against this threat if you have the latest Spyware Definitions update (2008011), dated June 19th. SecureMac recommends that users download files only from trusted sources and sites.

Hackers Exposed Private Details Of 2000 Belgacom ISP Users

Wednesday, June 11th, 2008

Belgium’s largest ISP, Belgacom, announced today that 2,000 of its ADSL accounts were compromised earlier this year by hackers. Belgacom discovered details of its subscribers posted on a web page by hackers who are against download limits on Belgacom broadband internet connections.

In Belgium, about 90% of residential ISP customers are connected either via Belgacom or Telenet. Although the connections are fast, both ISPs last year had a maximum download limit of 12 GB/month. Whoever exceeds this limit has their speed dropped to 3 KB/s for the rest of the month, which is not enough for today’s average online usage.

In December frustrated Belgian internet users signed a petition demanding more reasonable download limits, and on 30 December tried to download as much as possible to show that Internet traffic wasn’t significantly higher than on other days. Apparently a group of disgruntled users decided that wasn’t enough, and exposed the details of 2,000 Belgacom accounts on the web.

Belgacom did not inform the public about this security breach, to avoid panic. A Belgacom spokesperson said that postal letters have been sent to small groups of users since April asking them to change their passwords as a precaution. The site exposing clients’ details was closed down immediately and there have been no abuse reports since then. According to Belgacom it is a minor issue, since it has 1 million ADSL users and the stolen details of only 2,000 of them do not pose a threat.

Internet Movie Database And Amazon Hit By A DDOS Attack

Saturday, June 7th, 2008

On Friday, Internet movie database IMDB suffered a sustained distributed denial-of-service (DDoS) attack that coincided with Amazon.com being offline.

A senior member of Narus, a network protection and management company, said in a blog that he found evidence that at least one of the IP addresses used by IMDB fell under a sustained DDoS attack between 10:30 a.m. and 1:30 p.m. PDT Friday.

According to Narus, attempts to load the IMDB page via a direct connection to the Web server under attack (http://72.21.206.70/) did not load any images at all. It seems that IMDB is hosted using Amazon Web Service (AWS) since this IP-address is registered as belonging to Amazon. The duration of the attack on IMDB coincided with the amount of time that Amazon was offline on Friday.

The attacker seemed to open multiple connections with IMDB’s Web server on port 80 while incrementing his source port for every new connection. The attack’s average rate was 3 Mbits/sec, certainly not large enough to cause a complete overload but probably enough to delay legitimate users. However, there might have been other attacks launched at the same time on IMDB which weren’t in the path of Narus probes.
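The source-port pattern Narus describes is a usable detection signal: a normal TCP stack picks ephemeral ports unpredictably, so one address opening many connections to port 80 with source ports that climb by exactly one each time is the fingerprint of a scripted flood rather than a busy user behind a NAT. The script below is an added example, not Narus’s tooling or anything from the original post; it runs over a constructed set of connection records (the address 72.21.206.70 is the one named above, the source addresses are documentation ranges) and reports per-source connection counts, the share of consecutive source ports, and the average rate.

```python
from collections import defaultdict

# Constructed sample connection records, not real Narus probe data.
# Each record: (timestamp_seconds, src_ip, src_port, dst_ip, dst_port, bytes_sent)
TARGET = "72.21.206.70"  # the IMDB-facing address named in the article
SAMPLE_FLOWS = []
for i in range(20):
    # one source opens 20 connections to port 80 in ten seconds, source port climbing by one each time
    SAMPLE_FLOWS.append((1000.0 + 0.5 * i, "198.51.100.7", 40000 + i, TARGET, 80, 1500))
for i, sport in enumerate([51234, 49877, 52001, 50466, 53190, 49555]):
    # an ordinary browser: a handful of connections with ephemeral ports chosen unpredictably
    SAMPLE_FLOWS.append((1001.0 + 1.3 * i, "203.0.113.5", sport, TARGET, 80, 1500))


def detect_sequential_port_floods(flows, dst_port=80, min_conns=5, min_sequential_ratio=0.9):
    """Flag (src, dst) pairs that open many connections to dst_port with source
    ports that increase by exactly one from one connection to the next.

    Returns one finding per flagged pair with the connection count, the share of
    consecutive port steps, the port range seen and the average bit rate."""
    by_pair = defaultdict(list)
    for ts, src, sport, dst, dport, nbytes in flows:
        if dport == dst_port:
            by_pair[(src, dst)].append((ts, sport, nbytes))

    findings = []
    for (src, dst), recs in by_pair.items():
        if len(recs) < min_conns:
            continue
        recs.sort()  # chronological order
        ports = [sport for _, sport, _ in recs]
        consecutive = sum(1 for a, b in zip(ports, ports[1:]) if b - a == 1)
        ratio = consecutive / (len(ports) - 1)
        if ratio < min_sequential_ratio:
            continue
        duration = max(recs[-1][0] - recs[0][0], 1e-3)  # avoid division by zero for a burst in one instant
        total_bits = 8 * sum(nbytes for _, _, nbytes in recs)
        findings.append({
            "src": src,
            "dst": dst,
            "connections": len(recs),
            "sequential_ratio": ratio,
            "first_port": ports[0],
            "last_port": ports[-1],
            "mbit_per_s": total_bits / duration / 1e6,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_sequential_port_floods(SAMPLE_FLOWS):
        print(finding)
```

The thresholds are deliberately conservative: a ratio near 1.0 over at least five connections rules out the occasional coincidence of two adjacent ports from a real client, and the rate field is there so an analyst can tell, as Narus did, whether a flagged source is large enough to overload the server or only enough to slow it down.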

Update (June 10): A new attack hit Amazon’s US and UK sites Monday morning California time and lasted for about an hour, according to Keynote Systems, which monitors website performance. Visitors of the website received the message: “Http/1.1 Service Unavailable.”

In addition to the possibility of a targeted attack, there is speculation that the outage was inadvertently caused by bots programmed to scoop up the Metal Gear Solid 4 bundle, an 80-GB pack for the PlayStation 3, which went on sale on Amazon on Friday.

Amazon declined to discuss the cause of the outages.

Hacked Comcast.net Leaves Users Without Email Access

Thursday, May 29th, 2008

Comcast.net, the portal of US communications provider Comcast, was hacked on Wednesday night. As a result of the attack Comcast subscribers were unable to access their email or other services through the portal for more than two hours. Comcast is the second biggest ISP in the US and a major provider of cable TV services.

The comcast.net front page was replaced by a greeting from hackers on May 28. The defacement was removed after more than two hours. Users were then confronted by a “page under construction” message before the site was restored in the early hours of Thursday morning. The site remained intermittently unavailable even after this time. The exact mechanism of the attack is still unclear, though an injected iFrame that served up content from sites under the control of hackers is suspected. Some form of DNS redirection attack may also have been involved.

Normally defacement attacks simply involve some text message or an image on a website. However, in the case of the Comcast attack it seems some attempt may have been made to snoop on its users’ login credentials.

There is still a lot of speculation about the details of this attack and why it happened. The defacement was claimed by two hackers who left the following message on a blank white page at Comcast.net: “KRYOGENIKS Defiant and EBK RoXed COMCAST sHouTz To VIRUS Warlock elul21 coll1er seven”.

Update: Not only did the hackers hijack Comcast’s domain name for three hours overnight, they also sent subscribers who tried to access webmail and other services to a rogue site that bragged of the exploit.

Comcast lost control of the comcast.net address after the attackers changed registration information stored by its domain registrar, Network Solutions. The unauthorized change redirected people attempting to visit the site to a page that read: “KRYOGENIKS Defiant and EBK RoXed COMCAST. sHouTz To VIRUS Warlock elul21 coll1er seven.” The page was displayed after the attackers altered the site’s IP resolution information, replacing Comcast’s IP address with the rogue address 209.62.20.186. In addition to their cryptic defacement, they altered the address for Comcast’s administrative contact to “69 dick tard lane, dildo room.”

Comcast said there was no immediate evidence that the attackers’ page tried to install malware or steal user credentials. But some reports claimed that email clients were redirected to the impostor address, requesting their login name and password.

It’s still unclear how the attackers accessed the registration settings stored with Network Solutions. A Network Solutions spokeswoman said the company is working with Comcast to figure out how the hackers obtained the login credentials to the account. Comcast is also working with unnamed law enforcement agencies to track down the attackers.

Remote Attack Could Damage Systems Hardware Beyond Repair

Wednesday, May 21st, 2008

An attack, demonstrated by Rich Smith from HP Systems Security Lab at the EUSecWest security conference in London, showed that embedded systems hardware can be damaged beyond repair. The attack could be carried out remotely over the internet.

The attack was demonstrated for the first time in London on Wednesday and was called “permanent denial of service” by Smith. It trashes systems by abusing firmware update mechanisms; if successful, the so-called “phlashing” attack would force victims to replace systems and cause financial damage.

Theoretically the attack could be cheaper and more effective (as the damage caused would be harder to recover from) than conventional denial of service attacks, which typically rely on hackers paying to rent control of a network of compromised PCs.

The new approach relies on exploiting frequently unpatched vulnerabilities in embedded systems, such as flaws in remote management interfaces, to get access to a system. That alone wouldn’t be enough, but because firmware updates are seldom secured, the possibility exists of making an update that effectively trashes a system.

Smith is calling on vendors to authenticate the firmware update mechanism as one way of defending against such attacks. At EUSecWest he is demonstrating a tool to search for vulnerabilities in firmware, as well as an attack mechanism to corrupt vulnerable firmware.
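What “authenticate the update mechanism” means in practice is that the device refuses to write any image whose integrity and origin it cannot check, and rejects authentic but older images too, since those may carry a known bug. The following is an added example that is not Smith’s code or any vendor’s update format: it defines a constructed image layout (magic, version, length, payload, authentication tag), builds an image, and verifies it with every check completed before a single byte would be flashed. It uses an HMAC with a shared key from the standard library so it runs anywhere; a shipping device would normally verify an asymmetric signature instead, so that the key stored on the device is a public key and extracting it gains an attacker nothing.

```python
import hashlib
import hmac
import struct

# Constructed image layout (not any vendor's real format):
#   magic (4 bytes) | version (u32) | payload length (u32) | payload | tag (32 bytes)
MAGIC = b"FWIM"
HEADER = struct.Struct(">4sII")
TAG_LEN = hashlib.sha256().digest_size


def build_image(key, version, payload):
    """Build an authenticated image. The tag covers the header as well as the
    payload, so the version and length fields cannot be edited without
    invalidating it."""
    header = HEADER.pack(MAGIC, version, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify_image(key, image, installed_version):
    """Return (ok, reason, version). Every check completes before anything would
    be written to flash; the payload stays untrusted until the tag matches."""
    if len(image) < HEADER.size + TAG_LEN:
        return False, "truncated image", None
    header = image[:HEADER.size]
    magic, version, length = HEADER.unpack(header)
    if magic != MAGIC:
        return False, "bad magic", None
    body_end = HEADER.size + length
    if body_end + TAG_LEN != len(image):
        return False, "length field does not match image size", None
    payload = image[HEADER.size:body_end]
    tag = image[body_end:]
    expected = hmac.new(key, header + payload, hashlib.sha256).digest()
    # constant-time comparison so the check cannot be probed byte by byte
    if not hmac.compare_digest(tag, expected):
        return False, "authentication failed", None
    # anti-rollback: an old, authentic image may reintroduce a patched flaw
    if version <= installed_version:
        return False, "version rollback refused", version
    return True, "ok", version


def demo():
    """Exercise the verifier on a good image, a bit-flipped one, a rollback and a truncated file."""
    key = b"constructed-demo-key"  # placeholder; a real device holds a key provisioned at manufacture
    good = build_image(key, 3, b"constructed firmware payload")
    tampered = bytearray(good)
    tampered[HEADER.size] ^= 0x01  # flip one bit of the payload
    return (
        verify_image(key, good, 2),
        verify_image(key, bytes(tampered), 2),
        verify_image(key, good, 3),
        verify_image(key, good[:HEADER.size + 5], 2),
    )


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The order of the checks matters: the length field is validated against the actual image size before it is used to slice the payload, and the version comparison happens only after the tag has been verified, so an attacker cannot use a forged header to trigger either a parsing fault or a rollback.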

Another presentation at EUSecWest will demonstrate a proof of concept rootkit capable of covertly monitoring and controlling Cisco routers. The Cisco IOS rootkit software, developed by Sebastian Muniz of Core Security, was reported recently.

Researchers Discovered A New Technique For Stealthier Rootkits

Monday, May 12th, 2008

Security researchers have discovered a new technique for developing rootkits, malicious packages used to hide the presence of malware on compromised systems.

Instead of hiding a rootkit in the virtualisation layer, the rootkit can be smuggled into System Management Mode (SMM), an isolated memory and execution environment supported in Intel chips that’s designed to handle problems such as memory errors.

By running rootkits in SMM, miscreants could make hidden malware harder to detect, since they’re hiding code in an area anti-virus scanners don’t check. A proof of concept is to be demonstrated at the Black Hat conference in Las Vegas in August.

SMM code is invisible to the operating system yet retains full access to host physical memory and complete control over peripheral hardware. A proof of concept SMM rootkit can already function as a chipset-level keylogger. The rootkit hides its memory footprint, makes no changes to the host operating system, and is capable of covertly sending sensitive data across the network while evading essentially all host-based intrusion detection systems and firewalls.

While keeping the rootkit well away from the operating system makes the malicious code more stealthy, it also introduces problems. Hackers would need to develop device specific driver code, a factor that makes attacks far more difficult.

Radio Free Europe Have Been Under Heavy DDOS

Tuesday, April 29th, 2008

Websites run by Radio Free Europe have been under a fierce cyber attack that coincided with coverage over the weekend of a rally organized by the Belarusian opposition.

The distributed denial of service (DDoS) attack initially targeted only RFE’s Belarus service, which, starting on Saturday, was inundated with as many as 50,000 fake pings every second. On Monday it continued to be affected. At least seven other RFE sites, for Kosovo, Azerbaijan, Tatar-Bashkir, Farda, South Slavic, Russia and Tajikistan, were also attacked but have mostly been brought back online.

The primary target was the Belarus service, which on Saturday - the 22nd anniversary of the Chernobyl nuclear disaster - offered live coverage of a rally in which thousands of people protested the plight of uncompensated victims and a government decision to build a new nuclear plant. Other Belarusian websites were also hit, including the Minsk-based nongovernmental organization Charter 97. There is no solid evidence, but the Belarusian government might be behind the attacks.

While a state-sponsored attack isn’t outside the realm of possibility, there was no mention that it might be the grassroots work of Belarusian nationalists. Recent attacks against CNN.com were the work of Chinese hacktivists who downloaded and installed DDoS applications as a way of registering their displeasure with the news site’s coverage of demonstrations against the Olympic torch relay.

Attacks such as these were also waged last year against Estonia and are sometimes referred to as “asymmetric” because a relatively small group of individuals with modest means is able to hobble a much bigger target. It’s not hard to imagine that something similar is afoot in Belarus.

Regardless of who is behind the attacks, the result is the same: the protest coverage is being disrupted.

Fake Japanese Government Agency Email Targets Japanese Companies

Monday, April 14th, 2008

A possible spam attack is targeting several Japanese companies, according to Symantec. The spam email associated with this attack is disguised as an email from a Japanese government agency and entices the user to open the attached .zip file to check organizational changes made recently. The attached .zip file contains two files: 0414.xls and 0414.exe. 0414.xls is a legitimate file containing a list of names, addresses and personnel positions, which may or may not really exist. There is no evidence to suggest that any exploit attempts are made through this file.

The other file, 0414.exe, is a variant of Backdoor.Darkmoon, which has keylogging capabilities. Several variants of Backdoor.Darkmoon associated with this spam attack have been noticed. One variant saves stolen information under the filename msvidctl, sends it to the remote attacker, and awaits further commands from cyhk.3322.org. Another variant sends information under the filename taskame to hi222.3322.org and opens a back door to the same site.
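The attachment described above has a shape a mail gateway can catch before anyone opens it: an archive that carries an executable at all, and in particular an executable sharing its name with a decoy document. The script below is an added example and not Symantec’s detection or any part of the original post. It builds a constructed stand-in for the attachment (the member names 0414.xls and 0414.exe come from the article, their bytes are placeholders), then inspects it for executable extensions, for the ‘MZ’ header of a Windows executable hiding behind a harmless extension, and for the decoy-plus-executable pairing.

```python
import io
import os
import zipfile

# Extensions Windows will run directly when a user double-clicks them.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jse", ".wsf"}
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate anything larger (zip-bomb guard)


def build_constructed_sample():
    """Constructed stand-in for the attachment in the article: a decoy spreadsheet
    and an executable sharing the stem 0414. The member bytes are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("0414.xls", b"constructed placeholder for a real spreadsheet")
        z.writestr("0414.exe", b"MZ" + b"\x00" * 62)  # begins with the DOS/PE 'MZ' magic
    return buf.getvalue()


def build_clean_sample():
    """Constructed benign attachment with a single document, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("report.xls", b"constructed placeholder spreadsheet")
    return buf.getvalue()


def inspect_zip_attachment(data):
    """Return {"verdict": "allow" | "quarantine", "findings": [...]} for a zip attachment."""
    findings = []
    exts_by_stem = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            name = info.filename
            stem, ext = os.path.splitext(os.path.basename(name).lower())
            exts_by_stem.setdefault(stem, set()).add(ext)

            if ext in EXECUTABLE_EXTS:
                findings.append(f"executable inside archive: {name}")
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append(f"member too large to inspect safely: {name}")
                continue
            # Read only the first two bytes: a Windows executable starts with 'MZ'
            # whatever extension it was given, and two bytes cannot blow up memory.
            with z.open(info) as member:
                head = member.read(2)
            if head == b"MZ" and ext not in EXECUTABLE_EXTS:
                findings.append(f"PE header hidden behind extension {ext or '(none)'}: {name}")

    # The lure pattern from the article: a document and an executable with the same stem.
    for stem, exts in exts_by_stem.items():
        if len(exts) > 1 and exts & EXECUTABLE_EXTS:
            findings.append(f"decoy document paired with executable: {stem}{sorted(exts)}")

    return {"verdict": "quarantine" if findings else "allow", "findings": findings}


if __name__ == "__main__":
    print(inspect_zip_attachment(build_constructed_sample()))
    print(inspect_zip_attachment(build_clean_sample()))
```

Checking the member header as well as the extension matters because the extension is under the sender’s control; the size guard keeps the inspection itself from becoming a denial-of-service vector when the archive is hostile.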

In the past, similar types of attack have occurred many times. Take extra caution and do not open attachments unless they are expected and come from a known and trusted source.

Exploit Targeting Corporate Computer Associates Users

Tuesday, April 1st, 2008

An exploit specifically targeting corporate Computer Associates users has been created some three weeks after a critical vulnerability was identified.

The attack uses an ActiveX control buffer overflow vulnerability present in 21 CA products, including BrightStor ARCServe Backup for Laptops and Desktops, Unicenter Remote Control, Software Delivery, Asset Management, Desktop Management Bundle and Desktop Management Suite. The buffer overflow occurs in the ListCtrl.ocx ActiveX control when it handles overly long arguments passed to the “AddColumn()” method. This can be exploited by remote attackers to execute arbitrary code by tricking users into visiting a malicious webpage.

The exploit was rated as critical by the French Security Incident Response Team (FSIRT), which discovered the vulnerability, and allows hackers to launch local and remote attacks such as a denial-of-service (DoS) or a hijack of the affected system.

Attacks will probably become widespread because of the popularity of the exploit’s NeoSploit toolkit delivery system. The NeoSploit toolkit is an advanced exploit framework which is used as a Common Gateway Interface (CGI) script to deliver randomized executables through malicious Web sites. Exploit code is often obfuscated using custom JavaScript, and the function names and local variables are randomized to avoid detection by intrusion detection systems. The vulnerability found in CA products is also likely to be quite widespread because of CA’s size and spread within the corporate market.

At the moment CA has not commented on this issue, but there will probably be an update or a patch in the near future.

Football Might Get You Infected

Thursday, March 27th, 2008

Recently SophosLabs identified a malicious script on the website of a European ticket re-sale company, currently building up to selling tickets for the forthcoming Euro 2008 championships. The site in question (http://en.euro2008.uefa.com/index.html) has a high search engine ranking and a presence among sponsored links, indicating that the hackers may have a huge pool of potential victims.

The site has been compromised in an attempt to create a classic drive-by download attack. Attempting to purchase tickets through the site will expose the user to a malicious script embedded in the pages (detected by Sophos as Mal/ObfJS-R). The script is intended to load further malicious content from a remote site. However, initial analysis suggests the script is somewhat buggy; it may have broken during obfuscation.

Users may not become infected when browsing the site, in some browsers at least. The site is likely to attract high numbers of visitors as the championships get closer, but contact via email and telephone has thus far been fruitless. Using search engines to find a suitable ticket vendor shows the site has quite a high ranking, including a presence amongst the sponsored links.

It is not the first time we have seen a sporting event involved in an attack - shortly before the 2007 Super Bowl the web site of the Miami Dolphins was compromised in order to infect victims logging on in the days leading up to the event. The Super Bowl attack was almost certainly targeted, timed just before the event. In contrast the Euro 2008 ticket site has most probably not been specifically targeted, but caught up in a larger, widespread attack.

The huge number of legitimate sites being compromised presents a risk to all of us, even those that are careful. Sophos urged all computer users to ensure that their security settings are up to date and able to defend against such threats.

Credit: SophosLabs UK

D-Link Routers Vulnerability Mass Scans

Wednesday, March 26th, 2008

Suspicious port scanning that’s been tracked back to D-Link Inc. routers may mean a worm or bot is on the loose and infiltrating the popular brand’s devices using a three-year-old vulnerability, security researchers at Symantec Corp. said today.

The security company issued a warning Monday night to customers of its DeepSight threat notification service saying that there were “reliable reports” of an in-the-wild worm or bot that was attacking, then installing itself, on D-Link routers. By Tuesday, however, Symantec had taken a step back.

“After looking into it, we decided that that was a little misleading,” said Oliver Friedrichs, a director of Symantec’s security response team. “It’s unconfirmed at this point. But we have definitely seen an increase in attack activity, and that activity appears to be coming from other D-Link devices.” In other words, although Symantec’s researchers haven’t gotten their hands on a worm or bot sample, all the evidence points in that direction. “We suspect that it’s a bot,” he said.

The attacks against the D-Link routers begin with hackers scanning TCP port 23 for an active SNMP (Simple Network Management Protocol) service, a flaw that first showed up in D-Link router firmware in 2005. It looks like they’re exploiting the SNMP vulnerability to reset and reconfigure the administrative password on the routers, perhaps to conduct “drive-by pharming” attacks that change a router’s settings so its users are unknowingly directed to bogus or malicious Web sites instead of the real URLs.

Router vulnerabilities are up and attacks against routers are on the upswing, especially attacks that target devices used by consumers and small businesses to create wireless networks. Attackers are increasingly looking “beyond the desktop” for new places to install (and hide) their malware.

Friedrichs described the port scanning activity Symantec is seeing as “moderate” and said the researchers will continue to investigate. He and his team, however, had not been able to verify whether the vulnerability had been patched and, if so, when, or which specific models of D-Link’s routers might be at risk.

D-Link officials did not respond to a call for comment.

D-Link router owners: make sure that your SNMP service is not exposed to the Internet.
