Malicious libraries and plugins

How closely do you inspect what 3rd party plugins and libraries you use with software and development? We kind of tend to take for granted that once we vet a library or plugin and add that into our usage, then it’s likely to never be a threat in the future. However, over the last few years attackers have started increasing abuse of this trust. A type of watering hole attack that reaches a larger amount of people than a typical focused attack.

There’s 3 main ways this has happened:

  • Attackers buy the plugin/library from the original author or assume control of one that is abondened
  • Development system or other system in chain is compromised by attacker
  • Attackers create releases that mimic popular and established libraries/plugins in name and function

This has affected a wide range of software, from web applications to web browsers to text editors/IDE’s. Let’s take a brief look at a few instances.

WordPress Display-Widgets plugin. This plugin was sold by the original developer, and at that time had several hundred thousand active installations. The new developers then added code to it that downloaded and installed a plugin that added spam the site.

The Node.js package repository was found to have malicious packages that looked like real packages, differing slightly in the name in an attempt to fool anyone trying to find specific packages. The malicious packages generally tried to send sensitive environment data back to a server.

Python also experienced something very similar. Package uploaded in an attempt to fool anyone not paying close enough attention. Not relying on just misspelling the name, but with names that look legitimate, such as “bzip” for the real package “bzip2file”.

Those are just a few examples, Chrome and Firefox have both had similar issues multiple times as well. So how do we protect against this? Partly some of this has to be on the software that allows the plugins to run. There are some bad policies and practices here, such as WordPress letting anyone claim “abandoned” plugins.

Some things you can do yourself are to install any libraries/plugins (for python, ruby etc) with your systems package manager. If you use pip, gem or the like, make sure you are using the correct plugins, avoid misspellings or “close enough” names. Check the reputations of plugins via Twitter or search for reviews and info on plugins, by name, in your search engine. If you find any  anomalies report them on social media and forums associated with your language. Try not to use plugins that have been abandoned and recovered by another developer with no reputation.

HoneyPoint Security Server Console 4.1 Released

MSI is proud to announce the immediate availability of the HoneyPoint Console version 4.1!

The new version of the Console for HPSS is now available for Windows, Linux and Mac OS X.

The new Console includes the ability to bypass local event logging and instead send the events directly to syslog or to be processed by the plugins. This allows the Console to work with a SIEM, other monitoring tools, or any centralized log management system without worrying about managing the local event database. Several improvements in the GUI console have been made, the ability to test email servers has been added, and multiple bugs have been addressed.

To obtain the new Console files or installer, refer to your QuickStart Guide on how to access the HoneyPoint Security Server distribution site. No changes to the database or license key are required, however, you must have a current license to qualify for the upgrade. An in place upgrade can be performed or the installer can handle the upgrade on Windows. As always, we recommend backing up the database and any plugins and logs before upgrading.

Thanks, as always, for choosing HoneyPoint Security Server and MSI. We value your partnership and trust.

HPSS and Splunk

We’ve had a few users ask how to feed alerts from the HPSS Console into a SIEM. In these cases it was Splunk, so I will show how to quickly get a feed going into Splunk and some basic visualizations. I chose Splunk since that’s what I helped the users with, but any SIEM that will take syslog will work.

The first step is to get the HPSS Console set up to externally log events. This can be enabled by checking the “Enable System Logging” in the preferences window. What happens with the output depends on your OS. On Windows the events are written to Event Log, and on Linux/MacOS they are handled by the syslog daemon. Alternatively you can use the Console plugins system if syslog/eventlog is not flexible enough.

HPSS Preferences Window

Before we go further, we’ll need to configure Splunk to read in the data, or even set up Splunk if you don’t have an existing system. For this blog post, I used the Splunk Docker image to get it up and running a couple minutes in a container.

In Splunk we’ll need to create a “source type”, an “index” and a “data input” to move the data into the index. To create the source type, I put the following definitions in the local props.conf file located in $SPLUNK_HOME/etc/system/local (you may need to create the props.conf file)

[hpss]
EXTRACT-HPSSAgent = Agent: (?P<Honeypoint_Agent>[^ ]+)
EXTRACT-Attacker_IP = from: (?P<Attacker_IP>[^ ]+)
EXTRACT-Port = on port (?P<Port>[^ ]+)
EXTRACT-Alert_Data = Alert Data: (?P<Alert_Data>.+)
TIME_PREFIX = at\s
MAX_TIMESTAMP_LOOKAHEAD = 200
TIME_FORMAT = %Y-%m-%d %H:%M:%S

This tells Splunk how to extract the data from the event. You can also define this in the Splunk web interface by going to Settings -> Source Types and creating a new source type.

Source Type definition

Next create the Index under Settings -> Indexes. Just giving the index a name and leaving everything default will work fine to get started. 

To create a Data Input, go to Settings -> Data Inputs.  I’m going to set it up to directly ingest the data through a TCP socket, but if you already have a setup to read files from a centralized logging system, then feel free to use that instead.

 Set the port and protocol to whatever you would like.

For the source type, manually typing in “hpss” (or whatever you named it) should bring up the already defined source type. Select that, and everything else can remain as is. Then go to review and finish. It’s now ready for you to ship the events to it.

Lastly, we need to get the logs from the Console system to Splunk. Again, this will differ depending on your OS. I will show one way to do this on Windows and one for Linux. However, there are numerous ways to do it. In both cases, replace the IP and Port of your Splunk instance.

On Windows you can use NXLog or another type of eventlog to syslog shipper. After installing NXLog, edit the following into the configuration file.

define ROOT C:\Program Files\nxlog
#define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Input in>
Module im_msvistalog
Query <QueryList>\
<Query Id="0">\
<Select Path="HPConsole">*</Select>\
</Query>\
</QueryList>
SavePos TRUE

</Input>

<Output out>
Module om_udp
Host 192.168.232.6
Port 1514
</Output>

<Route 1>
Path in => out
</Route>

On Linux with rsyslog, create a conf file with the following

:msg,contains,"HPSS Agent" @@192.168.232.6:1514

Now Splunk should be receiving any HPSS events sent to it and storing them in the defined index, and extracting the fields during search queries.

In the future we can look at creating some graphs and analyze the events received. If there is any interest, I can look at creating a Splunk app to configure all of this for you.

Splunk 4 Review

For this weeks tool review, we’re looking at Splunk. Splunk is a log collection engine at heart, but it’s really more than that. Think of it as search engine for your IT infrastructure. Splunk will actually collect and index anything you can throw at it, and this is what made me want to explore it.

Setting up your Splunk server is easy, there’s installers for every major OS. Run the installer and visit the web front end, and you are in business. Set up any collection sources you need, I started off with syslog. I started a listener in Splunk, and then forwarded my sources to Splunk (I used syslog-ng for this). Splunk will also easily do WMI polling, monitoring local files, change monitoring, or run scripts to generate any data you want. Some data sources require running Splunk as an agent, but it goes easy on system resources as the GUI is turned off. Installing agents is exactly the same process — you just disable the GUI when you’re finished setting up; however you can still control Splunk through the command line.

Splunk can also run addons, in the form of apps. These are plugins that are designed to take and display certain information. There are quite a few, provided both by the Splunk team and also some created by third parties. I found the system monitoring tools to be very helpful. There are scripts for both Windows and Unix. In this instance, it does require running clients on the system. There are also apps designed for Blue Coat, Cisco Security and more.

In my time using Splunk, I’ve found it to be a great tool for watching logs for security issues (brute forcing ssh accounts for example), it was also useful in fine tuning my egress filtering, as I could instantly see what was being blocked by the firewall, and of course the system monitoring aspects are useful. It could find a home in any organization, and it plays nice with other tools or could happily be your main log aggregation system.

Splunk comes in two flavors, free and professional. There’s not a great difference between them. The biggest difference is that with the free version Splunk is limited to 500MB of indexing per day, which proves to be more than enough for most small businesses, and testing for larger environments. Stepping up to the professional version is a lot easier on the pockets than might be expected, only about $3,000.

What We Love About Netsparker

Netsparker Professional Edition, by Mavituna Security, is a web application scanner focused on finding unknown flaws in your applications. It can find a wide range of vulnerabilities including SQL injection, cross-site scripting, local and remote file inclusion, command injection and more.

Installation of the software was easy, and as Mavituna Security touts, the license is non-obtrusive. Starting the application you are presented with a nice well designed gui, that shows quite a lot of information. To start a scan, it can be as simple as just putting in a URL. It is very easy for non-security professionals to setup and use. There are also profiles you can configure and save. It’s possible to configure a form login through a very well designed wizard.

The main draw of Netsparker is the confirmation engine, which is how Netsparker claims to be false positive free. The confirmation engine takes the vulnerability and actually confirms that it’s exploitable. If it’s exploitable, it’s definitely not a false positive. A neat feature of identified SQL injection vulnerabilities is the ability for Netsparker to allow you to exploit them right through the scanner. You can run SQL queries, or even open a shell (depending on DB and configuration of it). Directory traversal vulnerabilities can be exploited to download the whole source of the application since Netsparker already knows all the files, and other system files can also be retrieved and saved through the interface.

We set Netsparker to scan our Web application lab which contains known vulnerabilities that cover the OWASP Top Ten Project. We noticed that Netsparker did a very good job at spidering and finding a high number of attack surfaces. On vulnerabilities, Netsparker did a great job of finding SQL injections, cross site scripting, and directory traversals. On one vulnerability, I thought I may have made Netsparker report a confirmed false positive, but it turns out I was wrong after I used the built in query maker and ran one and got data back.

Overall I think Netsparker is an excellent tool, especially effective at finding SQL injections and cross-site issues. Of course, I wouldn’t say it was the only scanner you should have, but definitely consider adding it to your repertoire.

McAfee Update Causing System Problems

McAfee’s Anti-Virus update for today (5958 DAT April 21, 2010) is causing systems to be stuck in an infinite reboot cycle. If your systems have not updated yet, it is highly recommended to prevent them from doing so, disable automatic updates and any pending update tasks.

The issue comes from the update detecting a false positive on systems. It appears that only Windows XP SP3 systems are effected. McAfee detects this false positive in the file C:/WINDOWS/system32/svchost.exe and thinks it contains the W32/Wecorl.a Virus. The machine then enters a reboot cycle.

McAfee has released a temporary fix to suppress the false positive. To use the fix with VirusScan Enterprise Console 8.5i or higher, Access Protection must be first disabled by following this knowledge base article here. (Alternate Google cache page, site is very busy here.)

To correct a machine with this issue, follow these steps:

1. Download the EXTRA.DAT file here. (Or from the KB article)
2. Start the effected machine in Safe Mode
3. Copy the EXTRA.DAT file to the following location:
\Program Files\Common Files\McAfee\Engine
4. Remove svchost.exe from the quarantine.

If You’re Still Using IE6, Read This!

We still see an alarming number of users visiting our sites using Internet Explorer 6 (IE6). Although for the first time, IE8 and IE7 both had a slightly higher share than IE6.

We urge users who continue to use IE6 to update to IE7 or IE8, or switch to an alternative as soon as possible. There are numerous reasons for this. IE6 has been shown many times to be insecure, lacking privacy options, has no protection from XSS or phishing attacks, and it’s not compliant with common web standards. It’s also much slower than modern browsers, particuarly with javascript.

Upgrading your browser can have many benefits. The most important being enhanced security and privacy. Other benefits include a better browsing experience through better compliance and faster rendering. So please, upgrade your browsers!

Malware Attacks Through Ads On The Rise

Traditionally, we thought malware spreading ads were relegated to the sketchy dark corners of the Internet. Lately though, malware spreading ads have increasingly popped up on sites such as eweek.com, bostonherald.com, and foxnews.com.  How is this happening?

In this case, it’s not a vulnerability on the sites in question. The attackers have turned their attention to the ad networks themselves. In some cases, attackers are submitting ads to the ad networks and having them served.  In some other cases, it seems that the ad networks are suffering from vulnerabilties that are being exploited, allowing the attackers to insert malicous code into otherwise legitmate ads.

The malicious ads are doing a variety of different things to attack the end user. The most recent one makes a popup that looks very much like the real Windows Security Center, detailing that your system is infected with some large number of trojans and viruses. The ad claims that it can ‘fix’ your system by installing a tool. Ads have also been seen that were sending a PDF that contains exploits for the recent Adobe Acrobat vulnerabilties.

The best defenses against these attacks are following the tried and true measures. Make sure your OS, browser, and all software is as up to date as possible. Using anti-virus software, as well as regular anti-malware/spyware scans will also help. Consider using a tool such as Secunia PSI, to help make sure 3rd party aps are up to date. Always use safe browsing sensibility, don’t click on anything suspicious, even if it’s from a website you would normally trust. Remember, there are no safe websites.

Holiday Reminder

Just a little Holiday reminder. As we get nearer to popular Holiday’s we normally see an increase in malware attacks. Remember not to open any “e-cards” or other assorted potentially malicious email from random addresses, and closely examine any that appear to come from a trusted source, such as a co-worker.

Spam Bots

We are continuing to see more and more spam bots. Spammers are not letting up and are still actively researching and breaking “captchas”. We have seen several of them broken within the past few weeks. It seems it’s about time to adopt a new system of anti-bot measures for registration forms, or increase the complexity of the captcha (while also increasing user frustration).

That reminds me of a study I was reading about spam though. The researchers in this study found that only about 1 in 12.5 million spams result in a sale of whatever was being spammed about. However, even with this atrocious rate, the spammers are estimated to be generating around $7,000 a day!