Posts Tagged ‘attackers’
Tuesday, May 14, 2013 @ 05:05 PM gHale
It’s no secret when it comes to attack platforms, Java is tops among the bad guys.
Besides enjoying installation pretty much across the board, it also has what attackers drool over, a ton of vulnerabilities.
RELATED STORIES
IBM Java Sandbox Bypass
Java Patched; New Holes Found
Malware Attacks Hit Constantly
Trojan Hides in File, Evades Sandbox
While Oracle does a fine job fixing holes, bugs, and vulnerabilities, at the end of the day, do users actually patch all the issues? Attackers know the answer to that one: No.
Attackers will wait for new patches to come out and then reverse engineer the fixes in order to find the specifics of the vulnerabilities, researchers said. It’s a concern, especially for companies like Microsoft, Adobe and Oracle, whose software runs on hundreds of millions of machines and that have regular, predictable patch cycles attackers can depend on. This gives them a monthly or quarterly batch of fixes to reverse engineer. Again, that works because users do not always patch.
Microsoft is very good at getting users to use automatic updates, especially in the enterprise. But there still are plenty of users, particularly consumers, who don’t take advantage of automatic updates, leaving them open to attacks. When it comes to Java, anecdotal evidence has supported the idea that even though there has been a steady stream of new vulnerabilities over the last few years, attackers focus most of their attention on older flaws for which there are already patches.
Research from Microsoft shows there has been a spike in malware targeting Java vulnerabilities since the third quarter of 2011, and much of the activity centered on patched vulnerabilities in Java. Part of the reason for this may be attackers like vulnerabilities that are in multiple versions of Java, rather than just one specific version.
“In Q3 and Q4 of 2012 two new vulnerabilities, CVE-2012-4681 and CVE-2012-5076, were found. But we didn’t observe any prevalence of Java malware abusing these newer vulnerabilities above malware abusing the older Java vulnerabilities, CVE-2012-0507 and CVE-2012-1723,” said Microsoft’s Jeong Wook Oh. “The reason behind this might be that only Java 7 installations were vulnerable to CVE-2012-4681 and CVE-2012-5076, whereas CVE-2012-0507 and CVE-2012-1723 also target Java 6. As there are still many users that use Java 6, the malware writers might have tried to target Java 6 installations by including older vulnerabilities in the exploit package. We can assume that, for this reason, they didn’t do away with the older vulnerabilities.”
“So there were two kinds of Java vulnerabilities that appeared in 2012 overall: One is the category that applies to multiple versions of Java, including Java 6 and 7, and the other are the vulnerabilities that only apply to Java 7,” the Microsoft researcher said. “So when new vulnerabilities that are only applicable to Java 7 are discovered, the attacker’s strategy was usually to combine it with older vulnerabilities that cover more versions of Java. In that way, they could achieve more coverage than just using a single exploit in one package.”
Oh looked specifically at four Java vulnerabilities from 2012 that malware targeted, only one of which was a Zero Day. The other three flaws already had patches available when the malware targeting them appeared. This is the same kind of pattern followed by malware that targets vulnerabilities in Microsoft products and Adobe applications.
Wednesday, May 1, 2013 @ 02:05 PM gHale
Whether users install a patch or not, attackers like to jump on Adobe Reader vulnerabilities to drop malware onto their targets’ computers.
Quite a few advanced persistent threat (APT) campaigns are now relying on those very security holes.
RELATED STORIES
Reader PDF Tracking Bug
Adobe Patches Platforms
Adobe Fixes 4 Flash Flaws
Flash, Reader, Java Fall in Contest
At least three APTs rely on the CVE-2013-0640 vulnerability to distribute malware, said researchers at Trend Micro. This exploit remains well known because it saw use in the MiniDuke campaign.
One of the campaigns that use the PDF exploit is Zegost. Experts identified PDF documents, written in Vietnamese, that are very similar to the files used in the MiniDuke attacks.
The dropped files and data are similar, their number is similar, and their purposes are also very much the same. However, the payload dropped in the Zegost attacks isn’t connected in any way with the MiniDuke malware payload.
Another series of malicious PDFs were in the PlugX campaigns. Cyber criminals, possibly not related to each other, have attempted to drop various versions of PlugX on the computers of users from Japan, India and South Korea.
While there have been some similarities between the Zegost and the MiniDuke operations, the researchers said these PlugX attacks are different.
“Our research indicates that attackers engaged in APT campaigns may have adapted the exploit made infamous by the MiniDuke campaign and have incorporated it into their arsenal,” said Nart Villeneuve, senior threat researcher at Trend Micro.
“At the same time, we have found that other APT campaigns seem to have developed their own methods to exploit the same vulnerability. The increase in malicious PDFs exploiting CVE-2013-0640 may indicate the start of a shift in APT attacker behavior away from using malicious Word documents that exploit the now quite old CVE-2012-0158.”
Friday, April 5, 2013 @ 05:04 PM gHale
Bitcoin’s digital currency has not escaped the notice of attackers, many of whom are turning their attention to finding ways to use the system for their own gains like introducing new pieces of malware.
There is now a piece of malware in circulation that is using Skype as a spreading mechanism and then using infected machines’ processing power to mine Bitcoins.
RELATED STORIES
Live Kelihos Botnet Takedown
Stronger, Smarter Botnet Appears
Nap Trojan Copies Times Attack
New Exploit Kit: Whitehole
The new malware is sending links to Skype users with a message encouraging them to click to see a photo of themselves online. The campaign began yesterday and is still ongoing, with thousands of victims clicking on the malicious link every hour, according to an analysis by Dmitry Bestuzhev of Kaspersky Lab.
“The initial dropper is downloaded from a server located in India. The detection rate on VirusTotal is low. Once the machine is infected it drops to the system many other pieces of malware. Downloads come from the Hotfile.com service. At the same time the malware connects to its C2 server located in Germany,” Bestuzhev said.
Once the malware is on the victim’s machine, it goes about the business of usurping the PC’s processing power to mine for Bitcoins. The Bitcoin network relies on a complex system to create each Bitcoin and verify the currency is valid and being spent by the owner of those Bitcoins. Part of that process requires quite a bit of processing power, and that’s what the attackers behind this malware campaign are after.
Here’s how the Bitcoin Project explains the mining process:
“Bitcoin mining is the process of making computer hardware do mathematical calculations for the Bitcoin network to confirm transactions and increase security. As a reward for their services, Bitcoin miners can collect transaction fees for the transactions they confirm along with newly created bitcoins. Mining is a specialized and competitive market where the rewards are divided up according to how much calculation is done,” the Project said.
The malware, identified as Trojan.Win32.Jorik.IRCbot.xkt, causes a massive spike in the CPU usage on an infected machine, Bestuzhev said.
Wednesday, February 20, 2013 @ 03:02 PM gHale
Adobe released a security bulletin today that fixes a vulnerability in its Reader and Acrobat products found just one week ago.
The vulnerability, which attackers are already jumping on and taking advantage of, could crash either application and potentially allow a bad guy to take control of the affected system.
RELATED STORIES
Security Fixes; PDF Viewer in Firefox 19
Developer Site Zero Day Attack Source
Hiding Code into JavaScript
Adobe Mitigation Plan for Zero Day
For PC users, there is a sense of urgency to update as Adobe confirmed attackers are leveraging two of the vulnerabilities (CVE-2013-0640 and CVE-2013-0641) in targeted attacks designed to trick Windows users into opening a malicious PDF file attached in an email.
Mac and Linux users are not immune to this flaw; they are simply not under the attackers’ microscope at this juncture.
The security patches are available for software on Windows, Mac, and Linux. The following is a list of upgrades:
• Users of Adobe Reader XI (11.0.01 and earlier) for Windows and Macintosh should update to Adobe Reader XI (11.0.02).
• For users of Adobe Reader X (10.1.5 and earlier) for Windows and Macintosh, who cannot update to Adobe Reader XI (11.0.02), Adobe has made available the update Adobe Reader X (10.1.6).
• For users of Adobe Reader 9.5.3 and earlier 9.x versions for Windows and Macintosh, who cannot update to Adobe Reader XI (11.0.02), Adobe has made available the update Adobe Reader 9.5.4.
• Users of Adobe Reader 9.5.3 and earlier 9.x versions for Linux should update to Adobe Reader 9.5.4.
• Users of Adobe Acrobat XI (11.0.01 and earlier) for Windows and Macintosh should update to Adobe Acrobat XI (11.0.02).
• Users of Adobe Acrobat X (10.1.5 and earlier) for Windows and Macintosh should update to Adobe Acrobat X (10.1.6).
• Users of Adobe Acrobat 9.5.3 and earlier 9.x versions for Windows and Macintosh should update to Adobe Acrobat 9.5.4.
Windows and OS X users can use the product’s update feature (Help => Check for Updates).
Monday, February 11, 2013 @ 10:02 AM gHale
Attackers can take advantage of a security hole that affects certain D-Link DIR-300 and DIR-600 routers to execute arbitrary code at the root level.
The issue is caused by missing access restrictions and missing input validation in the cmd parameter, said Michael Messner, the security researcher who found the vulnerability.
RELATED STORIES
Junos OS Open to Attacks
Flaws in Universal Plug and Play
Firewall Passes Tough Testing
SIF Interoperability Test Kit Updated
In addition, Messner found that administrator passwords end up stored in plain text.
Cybercriminals can also easily modify passwords since the current password is not required during the process. The only requirement is for the attacker to have access to an authenticated browser.
Experts from heise Security have also analyzed Messner’s findings. They say D-Link routers can also suffer compromise via the Internet.
Cybercriminals could use this to redirect all the Internet traffic to an arbitrary server.
D-Link knows about the problem, but the company doesn’t plan on doing anything about it, saying “this is a security problem from the user and/or browser.”
Thursday, February 7, 2013 @ 12:02 PM gHale
Microsoft and Symantec teamed to shut down Bamital, a massive click fraud botnet that has been around for four years amassing big profits for the attackers.
The botnet thrived on hijacking clicks on targeted search engine results pages, Symantec said. Clicks on ads and malicious links ended up redirected to the attacker’s server, which correlates the search phrase and where the click came from to redirect the victim.
RELATED STORIES
Spam Botnet also Ships Worm
Successful Botnet Details Emerge
Virut Botnet Goes Down
Malware Spreads through Skype
“As an example, if the end user searched for antivirus and the search engine intended to send the user to a page owned by Symantec, the attacker-controlled server would use this information in its decision logic to redirect the user’s compromised computer to a third-party website that uses the Symantec brand name and peddles fake antivirus programs,” said Symantec’s Piotr Krysiuk and Vikram Thakur in a white paper. “By doing so, Bamital’s operators assume the role of ad-networks and get paid by the advertisers.”
The botnet also generates clicks by pretending to be a search engine; users’ browser sessions end up hijacked and redirected to a set of attacker-owned results. The malware will then click on the search results in a self-initiated browser session.
“While the Bamital botnet defrauded the entire online advertising platform, which is what allows the Internet and many online services to be free, what’s most concerning is that these cybercriminals made people go to sites that they never intended to go and took control of the computer away from its owner,” said Microsoft Digital Crimes Unit assistant general counsel Richard Boscovich. “Much like being coerced through a dark alleyway, this redirection would leave the person whose computer was already infected with Bamital more vulnerable to becoming targeted for other crimes, such as identity theft and additional malware infections.”
Microsoft said this is the sixth botnet takedown it has been involved in during the past three years, and the second with Symantec. Boscovich said Microsoft filed a lawsuit on Jan. 31 against the botnet operators that would allow it to cut off communication between the botnet and compromised computers. On Feb. 6, following a court order, Microsoft and the U.S. Marshals Service seized data and evidence from Web hosts in Virginia and New Jersey.
Microsoft said that search functionality on infected computers will end up broken. The two companies said they have begun informing victims: search queries will go to an official Microsoft and Symantec webpage explaining the situation and how to remove the malware, in conjunction with ISPs and CERT teams.
Symantec said Bamital activity peaked in late 2011 and 2012. Users suffered infection either via drive-by download attacks, or malicious applications downloaded from peer to peer networks.
Symantec said there are three modules present in Bamital infections. One is the framework for the two other components and also receives updates from command and control servers to locate updated versions of the remaining modules. Another module monitors and hijacks search results on Google, Yahoo and Bing. Clicks on results end up hijacked by this module and redirected to an attack site, which then serves a page of the attacker’s choosing, Symantec said.
Monday, January 28, 2013 @ 12:01 PM gHale
Attackers are hitting Web servers with infected Apache modules that also backdoor Secure Shell (SSH) services in order to steal login credentials from administrators and users.
These attackers are replacing all of the SSH binary files on the compromised servers with backdoored versions designed to send the hostname, username and password for incoming and outgoing SSH connections to attacker-controlled servers, researchers from Web security firm Sucuri said.
RELATED STORIES
Apache CouchDB Fixes Holes
Sybase Fixes Database Holes
Linksys Router Zero Day
FBI: Backdoor Free for Hackers
The attack modifies the SSH daemon and every SSH binary, with the main goal of stealing passwords, said Daniel Cid, Sucuri’s chief technology officer.
By doing this, it allows the attackers to regain control of a compromised server if the passwords get changed or to compromise additional servers if users access them from the compromised server via SSH.
In cases investigated by Sucuri, the server administrator removed the rogue Apache module and changed his password, but the infection re-appeared a few days later, Cid said.
Denis Sinegubko, the creator of the Unmask Parasites website security scanner, said there was a wave of incidents during August and September 2012 that involved attackers obtaining administrator (root) access to Web servers and installing rogue Apache modules. The purpose of the modules was to inject rogue iframes into legitimate websites hosted on those servers.
This website infection method continued to see use during the following months, and the attacks were linked to a cybercriminal toolkit called DarkLeech sold on hacker forums.
It’s not clear whether the SSH backdoor is actually a new feature of DarkLeech. The backdoor was not part of an early version of the toolkit analyzed by Sucuri researchers, but it keeps changing so it’s hard to know for sure, Cid said.
It’s hard to say with certainty how the servers with the SSH backdoor suffered compromise in the first place, because in most cases the server logs were gone by the time Sucuri had the chance to analyze them, Cid said. However, the infection ended up on servers that had weak root passwords or were running outdated versions of Plesk — a Web-hosting control panel.
On servers that use the RPM Package Manager administrators should run the “rpm -Va” command in order to check the integrity of their software packages, Cid said. “If you see any change to the SSH binaries, it is a red flag,” he said.
Simply checking when the files were last modified using the “ls -la” command won’t reveal anything suspicious because the attackers change the mtime (last modification time) timestamps of the backdoor files to match those of the original files, Cid said.
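The two checks above can be combined into a small triage script. This is an added example, not code from Sucuri or the article: it parses the output `rpm -Va` prints, skips config files (local edits there are expected) and reports SSH binaries whose size or digest no longer matches the package database while deliberately ignoring the mtime column, since the backdoor copies the original timestamps. The sample output below is constructed.

```python
"""Triage `rpm -Va` output for tampered SSH binaries (added example)."""
import os
import re

# Each `rpm -Va` line is an attribute field, an optional file-type letter,
# and the path. A '.' means that attribute verified OK, '?' means it could
# not be tested. Column letters:
#   S size   M mode   5 digest   D device   L symlink   U user   G group
#   T mtime  P capabilities (older rpm prints 8 columns, without P)
VERIFY_LINE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S+)$"
)

# Binaries shipped by the openssh packages on RPM-based systems.
SSH_BINARIES = {
    "ssh", "sshd", "scp", "sftp", "sftp-server", "ssh-add", "ssh-agent",
    "ssh-keygen", "ssh-keyscan", "ssh-keysign",
}


def parse_rpm_verify(output):
    """Return a list of (path, flags, ftype) for each file rpm reported."""
    entries = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("missing"):
            continue  # 'missing' lines carry no attribute field
        m = VERIFY_LINE.match(line)
        if m:
            entries.append((m.group("path"), m.group("flags"), m.group("ftype")))
    return entries


def tampered_ssh_binaries(output):
    """Map path -> flags for SSH binaries whose content changed.

    Config files (type 'c', e.g. sshd_config) are skipped. For binaries a
    changed digest ('5') or size ('S') is the red flag; 'T' is ignored
    because a forged mtime makes that column look clean.
    Caveat: on a compromised host rpm itself and its database may also have
    been replaced, so confirm from trusted boot media, e.g. with `rpm -Vp`
    against a known-good package file.
    """
    hits = {}
    for path, flags, ftype in parse_rpm_verify(output):
        if ftype == "c" or os.path.basename(path) not in SSH_BINARIES:
            continue
        if "5" in flags or "S" in flags:
            hits[path] = flags
    return hits


# Constructed sample of what a backdoored host might print: ssh and sshd
# show a changed size and digest but an unchanged mtime column.
SAMPLE_OUTPUT = """\
S.5......    /usr/bin/ssh
S.5......    /usr/sbin/sshd
S.5....T.  c /etc/ssh/sshd_config
.M.......    /usr/bin/ssh-keygen
missing     /usr/share/doc/openssh/README
..5....T.    /usr/bin/python
"""

if __name__ == "__main__":
    for path, flags in sorted(tampered_ssh_binaries(SAMPLE_OUTPUT).items()):
        print(f"{flags}  {path}  <- rebuild the host from scratch")
```

Feed it real output with `rpm -Va | python3 triage.py` by replacing SAMPLE_OUTPUT with `sys.stdin.read()`.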
If this SSH backdoor is found on a server, it’s better to completely reinstall it from scratch because you never know what else might be there, Cid said.
Monday, January 7, 2013 @ 04:01 PM gHale
There are serious vulnerabilities in Cisco VoIP (voice over Internet protocol) telephones as attackers could easily insert malicious code into a phone and start eavesdropping on private conversations from anywhere in the world.
“It’s not just Cisco phones that are at risk. All VoIP phones are particularly problematic since they are everywhere and reveal our private communications,” said Columbia University Computer Science Professor Salvatore Stolfo. “It’s relatively easy to penetrate any corporate phone system, any government phone system, any home with Cisco VoIP phones—they are not secure.” Stolfo researched the issue with Columbia Engineering’s Computer Science PhD candidate Ang Cui.
RELATED STORIES
Secure Communication Technology
Converting Natural Gas to Chemicals
Peel-and-Stick Solar Panels
Smartphone Sensors Monitor Pollution
Cui and Stolfo analyzed the phones’ firmware (the software running on the computer inside the phone) and were able to identify vulnerabilities. Their broader concern is with embedded systems that are widely used and networked on the Internet, including VoIP phones, routers and printers, and they have focused their research on developing new security technology to protect these systems.
“Binary firmware analysis is commonly used to identify faulty software by the ‘white hat’ hackers and security scientists and researchers like our team,” Stolfo said. “We performed this analysis to demonstrate a new defense technology, called Software Symbiotes, (can) protects them from exploitation.”
Software Symbiotes safeguards embedded systems from malicious code injection attacks into these systems, including routers and printers.
“This is a host-based defense mechanism that’s a code structure inspired by a natural phenomenon known as symbiotic defensive mutualism,” Cui said. “The Symbiote is especially suitable for retrofitting legacy embedded systems with sophisticated host-based defenses.”
The researchers see these Symbiotes as a kind of digital life form that tightly co-exists with arbitrary executables in a mutually defensive arrangement.
“They extract computational resources (CPU cycles) from the host while simultaneously protecting the host from attack and exploitation,” Cui said. “And, because they are by their nature so diverse, they can provide self-protection against direct attack by adversaries that directly target host defenses.”
“We envision a general-purpose computing architecture consisting of two mutual defensive systems whereby a self-contained, distinct, and unique Symbiote machine is embedded in each instance of a host program,” Stolfo said. “The Symbiote can reside within any arbitrary body of software, regardless of its place within the system stack. It can be injected into an arbitrary host in many different ways, while its code can be ‘randomized’ by a number of well-known methods.”
The Symbiote, which at runtime must successfully execute in order for the host to operate, then monitors its host’s behavior to ensure it continues to operate correctly, and, if not, it stops the host from doing harm. Removal, or attempted removal, of the Symbiote renders the host inoperable.
“The beauty of the Symbiote,” Cui said, “is that it can be used to protect all kinds of embedded systems, from phones and printers to ATM machines and even cars — systems that we all use every day.”
Cisco released a patch to repair these vulnerabilities but it is ineffective, the researchers said.
“It doesn’t solve the fundamental problems we‘ve pointed out to Cisco,” Cui said. “We don’t know of any solution to solve the systemic problem with Cisco’s IP Phone firmware except for the Symbiote technology or rewriting the firmware.”
Wednesday, January 2, 2013 @ 05:01 PM gHale
A piece of backdoor malware can infect Java-based HTTP servers and allow attackers to execute malicious commands on the underlying systems.
The threat, known as BKDR_JAVAWAR.JG, comes in the form of a JavaServer Page (JSP), a type of Web page that can only be deployed and served from a specialized Web server with a Java servlet container, such as Apache Tomcat, said researchers at antivirus vendor Trend Micro.
RELATED STORIES
Adobe Shockwave Vulnerabilities
Java, Flash Updates Slow
Old VMware Source Code Leaked
New Java Malware Forming
Once this page is deployed, the attacker can access it remotely and use its functions to browse, upload, edit, delete, download or copy files on the infected system through a Web console interface. This is similar to the functionality provided by PHP-based backdoors, commonly known as PHP Web shells.
“Aside from gaining access to sensitive information, an attacker gains control of the infected system through the backdoor and can carry out more malicious commands onto the vulnerable server,” Trend Micro researchers said in a blog post.
This JSP backdoor can be installed by other malware already running on the system that hosts the Java-based HTTP server and Java servlet container, or it can be downloaded when browsing to malicious websites from such a system.
According to Trend Micro’s technical notes, the malware targets systems running Windows 2000, Windows Server 2003, Windows XP, Windows Vista and Windows 7.
“Another possible attack scenario is when an attacker checks for websites powered by Apache Tomcat then attempts to access the Tomcat Web Application Manager,” the Trend Micro researchers said. “Using a password cracking tool, cybercriminals are able to login and gain manager/administrative rights allowing the deployment of Web application archive (WAR) files packaged with the backdoor to the server.”
In order to protect their servers from such threats, administrators should use strong passwords that are not easy to crack by using brute force tools, should deploy all security updates available for their systems and software and should avoid visiting unknown and untrusted websites, the Trend Micro researchers said.