IT Security Blog

28 August 2009

Apache Site Hacked Through SSH Key Compromise


According to this ThreatPost article, the main web site for apache.org was hacked earlier today through an SSH key compromise in which the intruder was able to gain root access to Apache's server.  The apache.org site has been redirected to one of its European mirrors while the affected server has been taken offline.

While on the machine, the attacker replaced the ssh (Secure Shell) client and server binaries with versions that would log the usernames and passwords of anyone who subsequently accessed that machine.  Any credential typed into that box after the swap has to be treated as stolen and rotated.

Although the Apache folks believe that they identified and remediated the vulnerability quickly, and that no software available on the site was compromised, if you have recently downloaded software from the Apache web site you might want to take a cynical approach: remove it, reinstall from the uncompromised site that Apache has up now, and verify the download's checksum and PGP signature against the project's published values before you trust it.

Information is still slowly coming out about this story, and we will likely know more in the coming days.  It is important to note that although Apache believes it identified and fixed the problem quickly, until we hear otherwise the possibility remains that this server was compromised for some time, and that many downloads were potentially affected if any publicly available software was modified.

My advice: Be over-protective.  Keep a close eye on the traffic coming in and going out of your network and look for anything suspicious.  With over 50% of the web server installations worldwide, Apache is a high-value target for criminals, since a single trojaned download could mean a backdoor on every system that installs it.
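The trojaned ssh binaries described above are exactly what a file-integrity check against a known-good hash manifest is meant to catch.  The following is an added example, not code from the Apache incident or from the original post; it stands in for what a package manager's verify mode (rpm -V, debsums) does, using a small constructed directory instead of /usr/bin so it runs anywhere.  The caveat the story itself raises still applies: a manifest taken after the intruder was already on the box will happily bless the trojaned files, so the baseline has to predate the compromise and live somewhere the host's root cannot rewrite.

```python
"""Spot swapped-out binaries by checking them against a known-good hash manifest.

Added example; not code from the Apache incident or the original post. It stands in
for what a package manager's verify mode (rpm -V, debsums) does, using a small
constructed directory instead of /usr/bin so it runs anywhere.
"""
import hashlib
import os
import tempfile
from typing import Dict, Iterable


def sha256_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries don't need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(paths: Iterable[str]) -> Dict[str, str]:
    """Record the trusted hash of each binary. Take this BEFORE any suspected compromise
    and keep it somewhere the host's root cannot rewrite (offline media, another host)."""
    return {path: sha256_file(path) for path in paths}


def verify_manifest(manifest: Dict[str, str]) -> Dict[str, str]:
    """Compare current files against the manifest: 'ok', 'MODIFIED' or 'MISSING'."""
    results: Dict[str, str] = {}
    for path, expected in manifest.items():
        if not os.path.exists(path):
            results[path] = "MISSING"
        elif sha256_file(path) != expected:
            results[path] = "MODIFIED"
        else:
            results[path] = "ok"
    return results


def demo() -> Dict[str, str]:
    """Constructed scenario: baseline two stand-in binaries, then tamper with one.
    Returns statuses keyed by file name, e.g. {'ssh': 'ok', 'sshd': 'MODIFIED'}."""
    with tempfile.TemporaryDirectory() as tmp:
        ssh = os.path.join(tmp, "ssh")
        sshd = os.path.join(tmp, "sshd")
        for path in (ssh, sshd):
            with open(path, "wb") as fh:
                fh.write(b"\x7fELF placeholder for " + os.path.basename(path).encode())
        manifest = build_manifest([ssh, sshd])

        # Simulate the intruder dropping a credential-logging build of the daemon.
        with open(sshd, "ab") as fh:
            fh.write(b"\n# trojan: log username/password to /tmp/.x")

        return {os.path.basename(p): status
                for p, status in verify_manifest(manifest).items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Run it as-is to see the tampered daemon flagged; in practice you would generate the manifest from the real paths at install time and run verify_manifest from a clean boot medium, not from the suspect system's own shell.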
Posted by smasiello at 3:42 PM | Link | 0 comments
24 July 2009

How Many Malicious Web Sites are Created Daily?


Do we really know?  Recent research would say that we don't.

In late April two conflicting articles were published: one posted at IT Brief, which appears to have been supported by AVG, states that 250,000 malicious web sites are created every day, and another, published by Security Pro News, says MessageLabs claims 3,500 new malicious sites daily. 

So, which is it?  The truth in my opinion is that we don't really know.  Also, what neither of these articles discusses is the increase in compromises of legitimate sites by trojans like Gumblar.  The number of compromised legitimate sites is even harder to quantify, because there are likely far more of them out there than are currently known. 
One thing appears to be for certain and that is that we have reached the tipping point with the web being used as the primary threat vector for the distribution of malware ahead of email.
Posted by smasiello at 10:57 AM | Link | 0 comments
11 June 2009

Outlook Malware from Last Week Comes Back for a Visit


My apologies for being a bit light on posting this week.  I have been in Amsterdam for the 16th MAAWG Conference.  It's been a great conference with some outstanding presentations, but I am looking forward to being home tomorrow!

It looks like the Outlook Reconfiguration Malware from last week has returned for another round, this time claiming that other user mail clients are in need of reconfiguration.

This one is fairly interesting because it seems to be rather confused as to which mail client is supposed to be reconfigured.  Many of the samples that I have reviewed use different mail client names between the message subject and the body.  A couple of examples:

Message Subject: Microsoft Outlook Setup Notification
Message Body:

You have (6) message from Outlook Express.

Please re-configure your Microsoft Outlook again.

Download attached setup file and install.

Message Subject: TheBat Setup Notification
Message Body:

You have (9) message from Microsoft Outlook.

Please re-configure your TheBat again.

Download attached setup file and install.


Notice that between the message subject and the first and second sentences of the body, a single message might tell you that you are receiving a setup notification for TheBat (a legitimate mail client frequently spoofed in spam), that you have X messages from Microsoft Outlook, and that you need to reconfigure TheBat again.  I am not sure whether this is intentional (sloppy work on the part of the spammer if it is) or whether it is just a piece of broken spamware.

These messages carry an attachment named client_update.zip with an md5 checksum of a50838afddd97a744804bdb6b153b101. 

Virustotal reports (as of the time of this writing) that only about 60% of the antivirus engines detect this malware, which is actually better than we typically see in the early stages of a new attack.  That supports the theory that this sample is close enough to the one seen last week that the old signatures are still catching it.

Either way, be on the lookout for this respin of last week's news. 
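The mismatched client names are a usable signal in their own right, alongside the attachment name and hash given above.  The following is an added example, not code from the original post: it parses a message, compares the mail client named in the subject with the client(s) named in the body, and checks any attachment against the indicators quoted above.  The sample messages are constructed copies of the lure; the zip attachment is dummy bytes, so its MD5 will not match the real sample's hash, which is exactly the case where the name-mismatch heuristic still fires.

```python
"""Triage 'mail client reconfiguration' lures like the ones quoted above.

Added example, not code from the original post. It flags a message when the mail client
named in the subject disagrees with the client(s) named in the body, and checks any
attachment's name and MD5 against the indicators given in the post. The sample
messages below are constructed; the zip attachment is dummy bytes, so its MD5 will
not match the real sample's hash.
"""
import email
import hashlib
import re
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from typing import Dict, List, Optional, Tuple

# Indicators from the post.
IOC_ATTACHMENT_NAME = "client_update.zip"
IOC_MD5 = "a50838afddd97a744804bdb6b153b101"

SUBJECT_RE = re.compile(r"^(?P<client>.+?) Setup Notification\s*$", re.I)
FROM_RE = re.compile(r"You have \(\d+\) messages? from (?P<client>[^.\r\n]+)", re.I)
RECONFIG_RE = re.compile(r"re-?configure your (?P<client>.+?) again", re.I)


def _client(match: Optional[re.Match]) -> Optional[str]:
    return match.group("client").strip() if match else None


def analyze(raw: str) -> Dict[str, object]:
    """Return the client names found, whether they disagree, and IOC hits."""
    msg = email.message_from_string(raw)
    subject_client = _client(SUBJECT_RE.search(msg.get("Subject", "")))

    body = ""
    attachments: List[Tuple[str, str]] = []  # (filename, md5)
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        payload = part.get_payload(decode=True) or b""
        if filename:
            attachments.append((filename, hashlib.md5(payload).hexdigest()))
        elif part.get_content_type() == "text/plain":
            body += payload.decode(part.get_content_charset() or "utf-8", "replace")

    from_client = _client(FROM_RE.search(body))
    reconfig_client = _client(RECONFIG_RE.search(body))
    names = {c.lower() for c in (subject_client, from_client, reconfig_client) if c}

    name_hit = any(f.lower() == IOC_ATTACHMENT_NAME for f, _ in attachments)
    md5_hit = any(h == IOC_MD5 for _, h in attachments)
    return {
        "subject_client": subject_client,
        "from_client": from_client,
        "reconfig_client": reconfig_client,
        "client_mismatch": len(names) > 1,
        "ioc_name_match": name_hit,
        "ioc_md5_match": md5_hit,
        "suspicious": len(names) > 1 or name_hit or md5_hit,
    }


def build_lure() -> str:
    """Constructed copy of the second sample in the post, with a dummy zip attached."""
    msg = MIMEMultipart()
    msg["Subject"] = "TheBat Setup Notification"
    msg["From"] = "support@example.invalid"  # constructed sender
    msg["To"] = "victim@example.invalid"
    msg.attach(MIMEText(
        "You have (9) message from Microsoft Outlook.\n\n"
        "Please re-configure your TheBat again.\n\n"
        "Download attached setup file and install.\n"))
    zip_part = MIMEApplication(b"PK\x03\x04 dummy zip bytes", Name=IOC_ATTACHMENT_NAME)
    zip_part["Content-Disposition"] = f'attachment; filename="{IOC_ATTACHMENT_NAME}"'
    msg.attach(zip_part)
    return msg.as_string()


def build_benign() -> str:
    """A plain notice that names one client consistently and carries no attachment."""
    msg = MIMEText("You have (2) message from Microsoft Outlook.\n")
    msg["Subject"] = "Microsoft Outlook Setup Notification"
    return msg.as_string()


if __name__ == "__main__":
    print(analyze(build_lure()))
    print(analyze(build_benign()))
```

Feed analyze() the raw text of a quarantined message; the returned dictionary tells you which of the three signals fired, so a hash miss on a repacked variant does not blind you to the lure itself.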

 
Posted by smasiello at 3:48 PM | Link | 0 comments
15 April 2009

What Can We Learn from Twitter's Security Woes?


Just about anyone and everyone who is active on the internet is either using, has used, or at least has heard of Twitter, the micro-blogging service that grew in usage by 752% in 2008 and is poised to grow even more in 2009. 

As we know, where there are users, there are hackers.  Any technology that has grown in popularity at the speed Twitter has is certain to become a target for information- and money-stealing cyber criminals.  As such, Twitter has been the target of several application exploits over the last few months, including a Samy-like exploit which would force users to follow you, multiple clickjacking exploits, and two worms dubbed Mikeyy and StalkDaily just this past weekend.
Funnily enough, a drop in brand trust and user confidence is usually part of the fallout from a string of security exploits.  So far, that fallout does not appear to have taken place with Twitter.  At least based on the reported numbers, Twitter's growth does not seem to have been hampered at all despite the numerous security flaws that have been patched over the past 8 months.  Perhaps this is because there hasn't been a serious incident of data theft or widespread malware infection as a result of one of these exploits.  Rest assured, those are coming!

So, what can we learn as a result of Twitter's recent security woes? 

I believe that one of the most important lessons to be learned from Twitter is the need to ensure security is built into your product from the concept and design phases, not after the code has been released to the public.  This is true for online applications like Twitter as well as for boxed software that you buy in stores.  Don't let your customers be your test bed for identifying security risks, because you can bet that criminals will find and exploit the flaws before your customers do, and at that point you have put your customers at risk as well.  It is far cheaper, and far less damaging to your corporate brand and reputation, to identify security risks up front, before any code is launched, than to try to retrofit security into a live product.

Up to this point the vulnerabilities exposed on Twitter have largely been considered annoyances.  I was unable to find any reports of identity or financial theft as a result of a Twitter exploit, and again perhaps that is why they haven't been placed under the same microscope that Microsoft and Google have been.  Don't take these proof-of-concept quality threats lightly though as they could easily have been much more nefarious than they were.

Let's take the Mikeyy worm as a primary example.  One of the ways that Mikeyy spread was by sending Tweets out under the accounts of infected users, trying to lure their followers to visit the profile of another Twitter user, which exploited a site flaw.  Once that page was visited the visitor's account was hijacked and Tweets were sent out as them to their followers, trying to trick them into clicking as well.  Rinse and repeat.  In this instance the worm was merely spreading across Twitter to anyone who was fooled into clicking the link in the Tweet.  What if that link had forwarded unsuspecting users to a drive-by malware site that installed malware like Storm or Conficker?  In a previous post we discussed how URL shortening services can hide an underlying threat by redirecting users to drive-by malware or phishing sites.  Granted, that example isn't a specific Twitter flaw, but it is just one more thing that users of the popular service need to be on the lookout for.

In its short existence Twitter has almost single handedly revolutionized how we communicate (in 140 characters or less :) ) online.  Whether you are using Twitter to communicate with friends from school, family, or professionally to keep up on market trends or as another method to increase your brand awareness (a recent report by comScore said that more than 50% of Twitter users are between 25-54 with most users being on the upper end of that scale), Twitter has stormed onto the social media scene and has already become an important part of how people communicate online.  I use it myself.  As such, it creates another avenue by which we need to make sure we educate ourselves and our users about the potential for online threats.
Posted by smasiello at 2:29 PM | Link | 1 comment
11 February 2009

Microsoft Targets Srizbi with MSRT


Microsoft has announced that it has added detection of the Srizbi botnet code to its Malicious Software Removal Tool (MSRT) in the latest update.  As mentioned in the article, Microsoft claimed victory over the Storm botnet after cleaning up over 91,000 Storm-infected PCs within 24 hours of releasing its initial Storm heuristics back in September 2007.

As was the case with the original Storm botnet by the time it was mostly eradicated, Srizbi isn't a major player in the spam wars these days.  The Srizbi botnet never quite recovered its standing as one of the most prevalent spam botnets after McColo was shut down back in November.  The Cutwail and Mega-D botnets, which were also hit hard by the McColo shutdown, are doing quite well for themselves, however.

As Joe Stewart said in the article, Microsoft would have served itself better by going after one of the newer botnets on the scene, like Xarvester or Donbot, or even Cutwail or Mega-D.  With all of the news surrounding Conficker, and how that botnet still lies in wait to come alive, that would be another prime candidate to target.  I agree with Joe that it will be nice to get these machines cleaned up, but it isn't going to have an effect on spam volumes.
Posted by smasiello at 2:04 PM | Link | 1 comment
24 October 2008

Out of Band Critical MS Patch Released


In case you were not aware, a new critical update (rated Important on Vista and Server 2008, but Critical for Windows XP, 2000, and Server 2003) has been released by Microsoft as an out-of-band patch. 

It is of the utmost importance that this vulnerability be patched as soon as you are able.  The primary reason this patch was released outside of the typical Patch Tuesday schedule is that exploits are already available in the wild, and the potential for damage from infection is high. 

The vulnerability being patched is exploitable over the network with no user interaction.  This means that once one machine within the network is infected, the malware can immediately start scanning for other vulnerable machines to exploit.  As a result, this vulnerability could have SQL Slammer-like implications.  The primary difference is that SQL Slammer exploited a single application, Microsoft SQL Server (and its MSDE desktop engine), whereas this vulnerability is in the operating system itself, present on every Windows machine regardless of what applications are installed, so the potential attack surface is much larger.

In the past 24 hours our Threat Operations Center has seen over 100,000 emails with attached exploits that appear to be taking advantage of this vulnerability.  All instances that we have seen thus far have been in German so their viability in the United States is limited.  We are on the lookout for additional variants, and will report them as they are seen.

*** UPDATED 10/24/2008 1:06pm MDT *** Upon further review, it appears that the German emails are not related to the Microsoft exploit; they are a different piece of malicious code.  We are currently researching whether an email delivery vector is being used to deliver exploit code for this vulnerability.  More information here.  This update also corrects the brief mention made in this morning's edition of the Security Buzz podcast that there might be an email attack vector sending out exploits.  That does not CURRENTLY appear to be the case.

*** UPDATED 10/24/2008 2:20pm MDT *** Exploit code for yesterday's patched vulnerability is freely available via popular security sites like SecurityFocus.  Blocking the RPC and SMB ports (135-139 and 445) at your perimeter firewall will not, on its own, mitigate this attack: now that exploit code is so easily available, it is not out of the realm of possibility that attacks will come from many different angles, email included, and anything that lands inside your network can reach those ports directly.  It is definitely advised that you test and deploy this patch ASAP. 

Posted by smasiello at 10:40 AM | Link | 0 comments
27 August 2008

Keylogger Infects Laptops Used on Space Station


According to this story posted on Wired yesterday, a keylogger has been found on laptops being used in the space station.  The reported malware, W32.Gammima.AG (see here for description on Symantec's web site), has been around since August 2007 and steals passwords from a few (rather obscure here in the United States) online games.

You are thinking "So what?  What risk does an online game keylogger pose to a laptop on the space station?  Why should I care?"

As you know, we like to think bigger picture here.

Let's start with the obvious question: why didn't the anti-virus software running on the laptop immediately identify and stop a one-year-old virus?  I don't know about you, but that sends up lots of red flags for me!  It begs the follow-on questions of how long this keylogger was actually resident on the laptop, and whether there are other, as yet undetected, rootkits and keyloggers on those machines.  What other computers were exposed to these infected machines that this virus could have propagated to?  What information has been exposed to theft or compromise, either from the laptops or from other exposed machines on the NASA network?  And what was done with these laptops once the virus was detected?  Were they merely cleaned to the virus scanner's standards (which clearly aren't that high!), or were they taken out of commission so they could be wiped to Department of Defense specifications and re-imaged before being redeployed? 
Obviously there are a lot of unanswered questions in relation to this story, and of course NASA will never make the answers public, but this certainly calls into question the effectiveness of the security measures employed by one of the most important programs of the 20th and 21st centuries.  Where else within the federal government does the potential for similar breaches exist?  Are potential data leaks like this something the Department of Homeland Security is focused on preventing?  If not, they should be!  Let's be sure we aren't aiding and abetting the bad guys by handing them the exact information we are trying to protect!

Posted by smasiello at 2:22 PM | Link | 1 comment
03 April 2008

It's Google Spam! It's Video Spam! It's Malware!


Yet another new twist in the never ending array of Google Spam that we have been seeing over the past 2 months.  The sample that just hit our spamtraps within the last hour has a bit of a new twist to it.

When I first opened this message I thought "Neat!  Google video spam!"  It wasn't until I looked at the source code of the message that I realized that this was just another link to malware redirecting through Google with a fake video as the lure.

Here is a screenshot of the spam:

[screenshot of the spam message]

Clicking any of the links downloads a file named video_codec-v2.12.384.exe.
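The lure works because the visible links point at Google, and only the message source reveals the redirect target.  The following is an added example, not code from the original post: it pulls the hrefs out of a message body and unwraps google.com/url redirects locally, without fetching anything, so the real destination can be inspected before anyone clicks.  The redirect parameter names (q and url) and the sample HTML, including the made-up host dl.example.invalid, are assumptions; the executable file name is the one observed in the spam above.

```python
"""Unwrap redirector links in a spam message to see where they really go.

Added example, not code from the original post. The Google redirector parameter
names (q and url) and the sample HTML below are assumptions/constructed; the
executable file name is the one observed in the post. Nothing here touches the
network: the destination is read out of the redirect URL itself.
"""
import urllib.parse
from html.parser import HTMLParser
from typing import Dict, List

REDIRECTOR_HOSTS = {"google.com", "www.google.com"}
REDIRECT_PARAMS = ("q", "url")  # assumption: parameter carrying the real target
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
MAX_HOPS = 5


class _LinkCollector(HTMLParser):
    """Collect href values of <a> tags, in document order."""
    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value)


def unwrap_once(url: str) -> str:
    """If url is a google.com/url redirect, return the embedded target; else url unchanged."""
    parts = urllib.parse.urlsplit(url)
    if parts.netloc.lower() in REDIRECTOR_HOSTS and parts.path == "/url":
        query = urllib.parse.parse_qs(parts.query)
        for key in REDIRECT_PARAMS:
            if key in query and query[key]:
                return query[key][0]
    return url


def resolve(url: str) -> str:
    """Peel nested redirects, bounded so a redirect loop can't hang the analysis."""
    for _ in range(MAX_HOPS):
        nxt = unwrap_once(url)
        if nxt == url:
            break
        url = nxt
    return url


def analyze_links(html: str) -> List[Dict[str, object]]:
    """For every link: the real destination, whether a redirector hid it, and
    whether it points straight at a Windows executable."""
    collector = _LinkCollector()
    collector.feed(html)
    results = []
    for href in collector.hrefs:
        dest = resolve(href)
        path = urllib.parse.urlsplit(dest).path.lower()
        results.append({
            "href": href,
            "destination": dest,
            "via_redirector": dest != href,
            "executable": path.endswith(EXECUTABLE_EXTS),
        })
    return results


# Constructed stand-in for the spam body: the "video" links bounce through Google
# to an .exe on a host we made up (dl.example.invalid), alongside one genuine link.
SAMPLE_HTML = """
<html><body>
<a href="http://www.google.com/url?q=http%3A%2F%2Fdl.example.invalid%2Fvideo_codec-v2.12.384.exe">
  <img src="cid:fakeplayer"></a>
<a href="http://www.google.com/url?q=http%3A%2F%2Fdl.example.invalid%2Fvideo_codec-v2.12.384.exe">Play video</a>
<a href="http://video.google.com/">Google Video</a>
</body></html>
"""

if __name__ == "__main__":
    for r in analyze_links(SAMPLE_HTML):
        flag = "!!" if r["executable"] else "  "
        print(f"{flag} {r['href']} -> {r['destination']}")
```

Because the target is parsed out of the query string rather than followed, this is safe to run over a quarantined message; the bounded loop in resolve() also handles a redirector nested inside another redirector.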

So far AV pickup is pretty spotty: 14 of the 31 engines on Virustotal flag the file (stats courtesy of Virustotal; "-" means no detection):

Antivirus            Result
AhnLab-V3            -
AntiVir              TR/Dropper.Gen
Authentium           -
Avast                Win32:Agent-GPS
AVG                  -
BitDefender          DeepScan:Generic.Malware.FBldld.D22058AD
CAT-QuickHeal        -
ClamAV               -
DrWeb                -
eSafe                suspicious Trojan/Worm
eTrust-Vet           -
Ewido                -
FileAdvisor          -
Fortinet             -
F-Prot               W32/Agent.Q.gen!Eldorado
F-Secure             Suspicious:W32/Malware!Gemini
Ikarus               Virus.Win32.Agent.GPS
Kaspersky            -
McAfee               Proxy-Agent.af.dr
Microsoft            Trojan:Win32/Danmec.gen!A
NOD32v2              a variant of Win32/Agent.NEQ
Norman               -
Panda                -
Prevx1               Heuristic: Suspicious File With Bad Child Associations
Rising               -
Sophos               Troj/Bdoor-AJR
Symantec             -
TheHacker            -
VBA32                suspected of Trojan-PSW.Pinch.12 (paranoid heuristics)
VirusBuster          -
Webwasher-Gateway    Trojan.Dropper.Gen

Posted by smasiello at 12:25 PM | Link | 4 comments
19 March 2008

Does it Cost Extra for the iPod Without Malware?


Whether it is iPods being shipped with malware, digital picture frames, navigation systems, or hard drives, the number of incidents of electronic equipment being shipped from the manufacturer with malware is disturbing!

How does this happen?  It is typically a by-product of PCs being used for things outside their intended business purpose.  If a computer's job is to load software onto a digital picture frame, or to test that a PC can connect to and transfer files to the frame, then that should be the only thing the machine is used for.  It should not have external USB drives plugged into it, should not be used to download videos and music off the internet, and should not be used to surf porn sites; ideally it should have no route to the internet at all.  Every one of these activities is an unnecessary risk that can infect the PC with malware, which is then passed on to every device that machine touches.

As the line between what we call a PC and what actually runs the same kind of software as a PC continues to blur, you can expect to see more incidents like these.  That is unfortunate, because even as we have become more dependent on technology in our everyday lives and the devices we use have become more advanced, our confidence that those devices will function in a safe, secure, stable manner has declined significantly.  Compromises like these represent one of the biggest new threats to corporate networks, and as malware continues to evolve, they will be one of the avenues cyber criminals use more and more to steal sensitive, confidential, and personal information.

Posted by smasiello at 2:48 PM | Link | 1 comment
02 January 2008

New Ransomware Trojan Makes the Rounds

It's been a while since we have seen a good Ransomware trojan. It is too bad for the criminals who wrote this new trojan that they can't spell.

Back in March 2006 a trojan named Cryzip was discovered. If your PC got infected, it would look for files with certain extensions (.doc, .xls, and .zip, to name a few) on your C drive, encrypt them, and leave a text file behind describing how you could get your files back if you paid a $300 "ransom" into an e-gold (anonymous online money transfer service) account.

This new trojan works a bit differently. Rather than encrypting files, it effectively locks up your PC and demands that you send $35 (apparently ransoms don't fetch what they used to) to get control back. The cyber criminals probably figured that $35 was low enough that people would feel it was easier to pay than to fight it.

The infected machine also displays an error message window with the title "ERROR: Browser Security and Antiadware [sic] Software component license exprited [sic]". Funny...I didn't know my browser security could exprite! The window also tells you that surfing porn and adult sites without security software is "dangerows". Oh no! I don't know what "dangerows" is, but I am pretty certain I don't want any of it!

If you click to activate a new license in the error window you are presented with this window which displays a 1-900 number and a PIN to enter when you call (the cost of the call is $35).

Cryzip's biggest weakness was that it used a single, low-grade encryption key, which security researchers recovered and posted online, rendering the trojan and its extortion scheme useless. Maybe someone will pay the $35 to unlock a PC infected with this new trojan and post the cleaning instructions online? :)

Posted by smasiello at 6:09 PM | Link | 0 comments