Friday, March 13, 2009

Friday 03/13/09

Conficker/Downadup Evolves To Defend Itself
Mar 12,2009
Worm develops ability to disable antimalware tools, switch domains more frequently

----------

Major Cybercrime Busts Take Place In Romania

----------

Government Needs To Get Its Cybersecurity In Gear, Experts Tell Congress
Mar 10,2009
Security industry leaders agree that White House should lead revamped cybersecurity effort

----------

When web application security, Microsoft and the AV vendors all fail
I just spent some time analyzing yet another incident and I was actually shocked about how the combination of relatively weak defenses led to a system being completely compromised. The three main actors in this movie were a web application with a security vulnerability, Microsoft’s server class operating systems with an unpatched local privilege escalation vulnerability and the last line of everyone’s defense, the AV vendors.

The story started more or less like hundreds of recently seen incidents. A web application had a vulnerability that allowed a remote attacker to upload files to the server. As the files were not validated, the attacker was able to upload a .NET Webshell. This webshell is known as ASPXSpy, it’s an ASPX program that allows easy control over the compromised server. The attacker can now upload files through the browser and execute them.

However, the attacker still does not have total control over the server as the IIS service runs under an unprivileged account. This is where the local privilege escalation vulnerability comes into play. The attackers uploaded a local exploit called Churrasco2. This is a PoC created by the well-known researcher Cesar Cerrudo and published back in October 2008. What makes it even worse is that it works on both Windows Server 2008 and Server 2003. The exploit creates a backdoor shell after it steals the SYSTEM token. The program’s usage description says it all:

/Churrasco/-->Usage: Churrasco2.exe ipaddress port

After this, it was game over. The attacker had a backdoor to the server running as SYSTEM. The next steps were very obvious and included installation of another Trojan as well as a keylogger.

Finally, the last line of defense, the anti-virus program, failed as well. Although the AV vendors typically include detection for exploits, it’s clear that they missed this one. I ran it past VirusTotal and the results were … well … horrible is an understatement – 0 AV programs detected this: http://www.virustotal.com/analisis/4f48b73697428888f338bf66fa1eb92a

So, what can we learn from this example? The attacks I described are in the wild and are abused. The first line of defense, in this case the web application’s security, must be made as secure as possible – secure coding standards, penetration tests and whatever else you can do are justified. As we saw from this example, other defenses failed. And the security of your web application depends only on you.

This doesn’t mean that the other two actors should just sit and do nothing. Microsoft should really fix this vulnerability and pay more attention to local privilege escalation vulnerabilities. While MS released an advisory with suggested workarounds (available at http://www.microsoft.com/technet/security/advisory/951306.mspx), I don’t think enough people know about this.

Finally, the AV vendors should be more proactive (instead of reactive) and follow exploit research developments so they can add detection for similar exploits early and protect their customers.
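The chain described above leaves a trace in the web server logs even when the AV misses the exploit: a POST to the upload handler, followed by requests for a server-side script (the webshell) sitting in a directory that should only ever hold static uploads. The script below is an added example, not code from the diary or from any of the products named; it parses IIS W3C log lines (constructed here for illustration) and flags that pattern. The upload handler path (/upload.aspx), the upload directory (/uploads/) and the correlation window are assumptions about the application's layout and must be adjusted to the site being checked.

```python
"""Flag server-side scripts requested from an upload directory in IIS W3C logs.

Added example for illustration. SAMPLE_LOG is constructed, and UPLOAD_DIR and
UPLOAD_ENDPOINT are assumptions about the application's layout.
"""
from datetime import datetime, timedelta

# Extensions IIS hands to a script engine or treats as configuration. Any file
# with one of these names inside a directory meant for user uploads is a
# webshell (or a handler remap via web.config) until proven otherwise.
SUSPECT_EXTS = (".aspx", ".asp", ".ashx", ".asmx", ".asax", ".config")

UPLOAD_DIR = "/uploads/"          # assumed: where the application stores uploaded files
UPLOAD_ENDPOINT = "/upload.aspx"  # assumed: the handler that accepts file uploads
WINDOW = timedelta(minutes=10)    # how far back to look for the upload that placed the file

# Constructed IIS 6 W3C log excerpt. In real logs spaces inside a field are
# encoded as '+', so whitespace splitting is safe.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-03-10 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-03-10 01:12:03 10.0.0.5 GET /index.aspx - 80 - 192.0.2.10 Mozilla/4.0 200 0 0
2009-03-10 01:12:45 10.0.0.5 POST /upload.aspx - 80 - 192.0.2.10 Mozilla/4.0 200 0 0
2009-03-10 01:13:02 10.0.0.5 GET /uploads/photo1.jpg - 80 - 192.0.2.10 Mozilla/4.0 200 0 0
2009-03-10 02:30:11 10.0.0.5 POST /upload.aspx - 80 - 198.51.100.7 Mozilla/4.0 200 0 0
2009-03-10 02:30:40 10.0.0.5 GET /uploads/img.aspx - 80 - 198.51.100.7 Mozilla/4.0 200 0 0
2009-03-10 02:31:05 10.0.0.5 POST /uploads/img.aspx - 80 - 198.51.100.7 Mozilla/4.0 200 0 0
2009-03-10 02:35:22 10.0.0.5 POST /uploads/img.aspx - 80 - 198.51.100.7 Mozilla/4.0 200 0 0
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # cannot map this line onto a header; skip it
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        yield rec


def is_script(stem):
    """True if IIS would run or interpret this path rather than serve it as static content.

    IIS 6 ignores everything after ';' in a file name, so /x.asp;.jpg is still
    handled as ASP; strip that suffix before looking at the extension.
    """
    base = stem.lower().split(";", 1)[0]
    return base.endswith(SUSPECT_EXTS)


def find_webshells(text, upload_dir=UPLOAD_DIR, upload_endpoint=UPLOAD_ENDPOINT, window=WINDOW):
    """Return one finding per (client, script path) for script requests under upload_dir.

    Each finding counts how often the script was hit and records the most recent
    POST to the upload endpoint from the same client within `window`, i.e. the
    request that most likely placed the file.
    """
    last_upload = {}   # c-ip -> timestamp of that client's latest POST to the upload endpoint
    findings = {}      # (c-ip, stem) -> finding
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"].lower()
        client = rec["c-ip"]
        if rec["cs-method"] == "POST" and stem == upload_endpoint.lower():
            last_upload[client] = rec["ts"]
            continue
        if not (stem.startswith(upload_dir.lower()) and is_script(stem)):
            continue
        key = (client, stem)
        if key not in findings:
            placed_by = last_upload.get(client)
            if placed_by is not None and rec["ts"] - placed_by > window:
                placed_by = None  # too old to tie to this file with any confidence
            findings[key] = {"client": client, "stem": stem, "first_seen": rec["ts"],
                             "hits": 0, "preceding_upload": placed_by}
        findings[key]["hits"] += 1
    return list(findings.values())


if __name__ == "__main__":
    for f in find_webshells(SAMPLE_LOG):
        print(f"{f['client']} hit {f['stem']} {f['hits']}x from {f['first_seen']}; "
              f"uploaded via POST at {f['preceding_upload']}")
```

Two caveats for anyone running this against real logs: it only catches a shell that is executed from the upload directory, so a shell written elsewhere (via a traversal in the file name, for instance) needs a separate check on the file system, and the upload-correlation is only as good as the window and the assumption that the same client both uploads and uses the shell. The structural fix the diary argues for is upstream of all this: store uploads outside the web root, or at least in a directory where script execution is disabled.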

----------

Massive ARP spoofing attacks on web sites

----------

Russian youth organization cops to 2007 Estonian cyberattacks
Nearly two years after Estonian government sites were brought to their knees by a DDoS attack, a high-ranking official in the Russian youth group Nashi has admitted that his organization was behind the attacks. Nashi maintains that it acted without authorization from the government, but will the Russians move to punish those responsible in a tense political situation?

----------

The March 2009 release contains 3 new bulletins, 1 of which has a maximum severity of "Critical".

MS09-006 - Vulnerabilities in Windows Kernel Could Allow Remote Code Execution (958690)
MS09-007 - Vulnerability in SChannel Could Allow Spoofing (960225)
MS09-008 - Vulnerabilities in DNS and WINS Server Could Allow Spoofing (962238)

We also revised bulletin MS08-052 Vulnerabilities in GDI+ Could Allow Remote Code Execution (954593), to note a revision to some of the packages associated with this bulletin (specifically 938464).

----------

Hacking iTunes Gift Cards, and an iTunes Update

Recently, several media outlets have been running a fascinating story about hackers making oodles of money selling iTunes gift card activation codes at online auctions, supposedly after cracking the secret algorithm Apple uses to generate voucher codes for iTunes gift cards.

But a blog post published today by one of the security industry's most prominent researchers suggests that the real hack here is far simpler: The crooks are merely using stolen credit cards to purchase and resell the iTunes gift cards.


----------

The Doghouse: Sentex Keypads
It has a master key:
Here's a fun little tip: You can open most Sentex key pad-access doors by typing in the following code:

***00000099#*

The first *** are to enter into the admin mode, 000000 (six zeroes) is the factory-default password, 99# opens the door, and * exits the admin mode (make sure you press this or the access box will be left in admin mode!)

----------

Former FBI Director calls for decentralisation of cybersecurity responsibilities
Former FBI director Louis Freeh warns that security problems on networks are too complex for the National Security Agency (NSA) alone to resolve.

----------

"The French national police force, the Gendarmerie Nationale, has spoken about their migration away from the Windows platform to Linux. Estimated to have already saved the force 50 Million Euros, the migration is due to be completed on all 90,000 workstations by 2015. Of the move, Lt. Col. Guimard had this comment: 'Moving from Microsoft XP to Vista would not have brought us many advantages and Microsoft said it would require training of users. Moving from XP to Ubuntu, however, proved very easy. The two biggest differences are the icons and the games. Games are not our priority.'"


----------

BBC buys a botnet, DDoSes security firm
Dancho Danchev: A team at the BBC's Click purchases a botnet of 22,000 malware-infected PCs, self-spams themselves on a Gmail account, then DDoS-es security company Prevx. Is this any way to fight cybercrime?

----------

Be Careful What You Search For
March 11, 2009
Several Search Engine Optimization schemes are being used to attract search engine users to fake anti-virus web sites.

----------

CLIENT ALERT:
Musicians Lobbying For Approval Of Ticketmaster-Live Nation Merger Forget To Mention Massive Conflict Of Interest

----------

Visa: Heartland, RBS WorldPay no longer PCI compliant
Dan Kaplan March 13, 2009
Visa has removed Heartland Payment Systems and RBS WorldPay -- two payment processors that have announced massive data breaches in recent months -- from its list of service providers compliant with payment industry guidelines.

----------

Web malware, more advanced and targeted than ever
Dan Kaplan March 12, 2009
The prevalence of web-based malware massively rose last year -- and the state of the economy is likely a big reason, according to an annual threat report from ScanSafe.

----------

Spot the Tiny Phishing Trick
Phishers are abusing the useful TinyURL service to hide phishing links. Here's how to spot the ruse.

----------

Apple Security Update Fixes ITunes Vulnerabilities
Update fixes a pair of security concerns, and adds support for its new line of iPod shuffles.

----------

D.C.'s top IT security official charged with bribery
Federal law enforcement officials filed bribery charges today against the District of Columbia's acting chief security officer, along with a one-time D.C. government employee who owns an IT outsourcing company that runs offshore operations in India. Both were later arraigned in federal court.

----------

The three astronauts on board the International Space Station today were forced to seek shelter in a "lifeboat" when space debris came hurtling dangerously close to the orbiting outpost.

Two American astronauts and a Russian cosmonaut took refuge in the Soyuz TMA-13 Capsule, which is what they would use if they needed to return to Earth, according to Josh Byerly, a NASA spokesman. They were in the capsule from 12:34 a.m. to 12:45 a.m. Eastern time today when they received an all-clear from Mission Control.
