Category Archives: Emerging Threats

Yay! A Winning Anti-Virus Check! Or Not…

Posted on by
Reply

So today on my RSS feeds, I saw that a new version of the Sub7 trojan has been released. This new version, called “legends” has some new features and such for exploitation and maintaining control over infected systems.

Being curious, I uploaded the installer to VirusTotal to see what kind of hit ratio I would get. To my surprise, ~96% of the AV software there detected Sub7!

There are two ways to look at this, I suppose. It sure seems like a victory when you get such a high hit rate, but on the other hand there are likely some elements of this extremely well known code that haven’t changed since it first emerged on the scene in the 90’s. So, I would hope that we could detect it with a high accuracy rate. In fact, I had really hoped we could detect it at 100%, but it seems that some AV vendors still miss it. Still 96% is far better than the ~15% detection rate I got on another test like this, just a little bit ago.

The second way to look at it is that we still have long known malware that is not detected by some AV products. Now, given, that is a small percentage, but after all of this time, they can not detect Sub7? That would be pretty horrible if you happen to be a customer of theirs and your data is at risk. Compound this with the data from the breach reports that show increases in custom malware being used in attacks and you can see the problem from a new perspective. If we can’t detect malware from the 90’s across the board, then how can AV hope to continue to be seen as the magic bullet defense against increasingly complex and dynamic attack code in the future? Of course, the answer is, it can not. It NEVER HAS BEEN THE MAGIC BULLET THAT MANY IT FOLKS AND MANAGEMENT FOLKS BELIEVE IT IS.

Where does that leave us? Somewhere between victory and defeat? Right where we have always been, but maybe, just maybe, with a little more argument and knowledge for those “magic bullet” folks!

PS – Here is my VirusTotal submission if you want to check it out.

Remote Access Challenges in Pandemic Planning

Posted on by
Reply

One of the tools that organizations are leaning on for pandemic responses is remote access to computing systems. Technologies such as VPNs, Citrix servers, terminal servers and other forms of remote access are widely appearing in the plans we are reviewing and are among the most discussed items in the planning sessions we have been holding with clients.

However, there are some issues that are emerging around many of these tools. To start, they can introduce a great deal of risk to the IT infrastructure and security posture if they are not deployed and managed properly. For example, blindly exposing terminal services, SSH and other remote access technologies to the Internet is a common path to compromise. Attackers are very good at finding these services and exploiting them, either with technical exploits or through credential discovery via social engineering, browser attacks and/or brute force. These exposures are often present in the major data breaches and serve as a danger point for organizations.

Blindly exposing remote access mechanisms such as these is usually a pretty bad approach. A better approach is to leverage a stronger access method such as VPN. VPN technologies are typically built around stronger security platforms and with greater security in place to protect the users and the organizations they serve. They will require a bit more “care and feeding” than blind port forwarding deployments, but they are a much safer solution for remote access to your environment.

VPN technologies also do not need to be expensive. Projects like OpenVPN and other open source approaches have reduced the costs to deploy VPN access to the lowest of levels. Basically, the cost of hardware and the human resources to install and support the system are the only costs involved. Many tools exist in this family and more are emerging every day.

Another significant issue to consider when looking at the remote access capability of your pandemic plan is capacity. More than likely, your solutions were implemented, as are most, with the idea that a somewhat limited subset of your entire employees would be using the access tools at any given time. That may not be the case in the event of a pandemic. The number of employees accessing the system may exceed your current designs and testing, so be sure you think through how you can expand that capacity, rotate shifts or use other techniques to plan for the impact from the surge in demand.

Lastly, be sure and test these mechanisms before you need them. Things in life often don’t work as planned the first time around, so practice for pandemics before one arrives. Have dedicated work from home days, plan for teams or lines of business to practice their plans and create lessons learned feedback loops to capture issues and work on minimizing them.

Preparation will likely pay off, both in the continued operation and bottom line of your business and in the reduction of panic should a pandemic every rear its ugly head. Thanks for reading, and let us know if we can assist you in planning or testing with pandemics in mind. Please, stay tuned to the blog for more information on the possible H1N1 pandemic, pandemic planning and other security issues that might emerge. At MSI, we are dedicated to helping you establish the means and mechanisms to keep your business, your business…

Your Next Security Threat May Not Involve Attackers

Posted on by
Reply

I was astounded when I read this article that includes a 2 BILLION estimate on the number of H1N1 cases that the WHO is expecting. Even worse, at 30% of human population on the planet, many are calling that number conservative. Some members of the medical community say that 45-50% may be likely!

In either case, the good news is that SOME vaccine is likely to be available to those in the Northern Hemisphere before Autumn arrives. The bad news is that there will likely not be an abundance of it, and that means some will not have access.

This is where the DR/BC planning comes in. By now, you probably have heard a little bit about pandemic planning and hopefully have created processes for remote working, containing illness and ensuring that you can operate with reduced staff. If you haven’t done this yet, NOW IS THE TIME to get this started.

If you do already have a plan, now might be a good time to do some rudimentary testing. Maybe declare a couple of reduced staff days, test the load on the VPN and remote access servers and such. This testing effort will likely reveal a few holes in these plans, but it is much better to learn about them and mitigate them now than when the real thing is going on.

Clearly, from the evidence presented by the WHO, this is something we should be paying attention to. Those who lack the focus or resources to take it seriously may well find themselves in troubling times when the weather turns colder and folks in the office begin to sneeze….

Get Ready, Here Comes the MS Web Office Bot-Nets!

Posted on by
Reply

Just as we expected, the exploit for the Web Office 0-day has been integrated into existing bot-net spread attacks. SANS and other folks began reporting that SQL injection compromises have now been tuned to include defacements with the embedded Web Office exploit.

These SQL injection attacks that lead to defacement, along with the recent spate of Cold Fusion defacements have been leveraged to spread malware for some time. However, this new “upgrade” to the malicious javascript the defacements leverage to infect browsers is likely to be much more effective with the Web Office exploit in place, given that no real patch is available and that the exploit code is so easy to use, stable and effective.

If you have not yet deployed the kill bit solution referenced in this article: https://stateofsecurity.com/?p=709, you should do so immediately. Mass, wide-scale, exploitation of this issue is likely beginning and will continue for some time.

It would also be very wise to educate your staff about this issue since they will need to activate the kill bits on home systems as well until a patch becomes available.

Please note that you must reboot systems before they become immune to the exploit once the kill bits are installed in the registry.

Let us know if you have any questions or desire any assistance with the kill bit solution.

Risk Assessment and Mitigation for the MS Web Office Issue

Posted on by
Reply

Here is a PDF of the risk assessment and review of this emerging vulnerability. Please check it out if you are working on mitigating this issue.

While the corporate risk is identified as an overall medium, there is a high risk of workstation infection from this problem.

Check out the document here.

Vuln RA 071409 – MS Web Office 0-day

If you would like to follow the emerging threat, the SANS Internet Storm Center is the best place to get current news about the outbreaks and exploitation. You can also follow me (@lbhuston) on Twitter for more information as it comes in.

UPDATES:

7/14 – 2:17pm Eastern –

SANS has gone back to green status and is posting that they hope awareness has been raised.

Nick Brown wrote in to tell us that the exploit in MetaSploit is easy to use and very effective against most XP workstations. He also warns home users to be on the lookout as this is very likely to turn into a worm or automated bot-net attack very soon. He agreed that the MetaSploit exploit is unlikely to affect servers as we expressed in our assessment. Lastly, he wanted us to remind everyone that using the kill bits, REQUIRES A REBOOT OF THE SYSTEM BEFORE IT IS IMMUNE.

Adam Hostetler also found this site, which has some interesting ways of identifying vulnerable hosts: http://blogs.technet.com/srd/archive/2009/07/13/more-information-about-the-office-web-components-activex-vulnerability.aspx

We have scheduled a FLASH Campfire chat for a threat update and discussion at 4pm Eastern today. The URL for that chat is: https://microsolved.campfirenow.com/ccf03

Thanks for reading and for all of the excellent feedback!

Update2: Here is the transcript from the public chat. Thanks to all who attended. Hopefully, it will be helpful for folks who are working on the issue.

Transcript

New Web Scanner Patterns

Posted on by
Reply

The HITME has begun to pick up a new web scanning pattern from sources primarily in Europe. The pattern is assuming the spread and slow increase as usual with these simple PHP or web application scans.

Here is the list of targets that the scanner is checking for:

//phpMyAdmin/main.php

//phpmyadmin/main.php

//pma/main.php

//admin/main.php

//dbadmin/main.php

//mysql/main.php

//php-my-admin/main.php

//myadmin/main.php

//PHPMYADMIN/main.php

Note that this scanner does not have the big two scanning signatures that we are used to seeing from Toata and Morfeus. No scanner name or identifier is sent during the probes.

Web Admins should check their servers for these signatures. You can do so using our BrainWebScan tool if you would like. (FREE) I will publish a brain file for this as soon as possible, or you can cut and paste the signatures from this page.

Lessons From a Reputational Risk Audit

Posted on by
Reply

Here is a recent lesson from one of our new Reputational Risk Audits that we have begun performing. The client, a financial services company, hired us to check out how their brand was being used online. They were very interested in possible risks that extend from the use of their brand and their online reputation.

We offer this service in three levels of research focus:

1. Basic web research and profiling only.

2. Inclusion of blogs and social networks.

3. Inclusion of peer to peer networks for leaking documents, pirated code, etc.

Our services look at many facets of online reputation and many mechanisms that DLP tools and the like might miss.

In this particular case, the client wanted us to focus in on the 1st and 2nd levels of our service. After a couple of weeks, we met to present our findings. There were several. I am at liberty to share one, in particular, with the public.

The client had a customer service person, we will call Sheila. Sheila had been with their organization for a little over 5 years and was considered to be a senior level customer service representative. She was very helpful and had great rapport with their customers. Unfortunately, Sheila had also recently discovered social networks and took it upon herself to create a customer support profile on a well known social media network. Her profile was linked to the brand and site of our client financial services company. Sheila did what she thought was an admirable thing and established the profile as an interface (albeit unsanctioned) for working with her customers.

Sheila was trying to do the right thing. She really wanted to use social media to talk to her customers, help them resolve their problems and truly help progress the image of the company she worked for. There were just a few issues with this approach:

1. She was asking customers confidential questions and receiving their information on a public service. This exposed the personal information of the customers to search engines, attackers and other online crimes.

2. She failed to obtain permission to use the brand of the organization she worked for and in doing so, caused harm to her customers AND the very company she was trying to help.

There are other issues as well, but these are the primary ones. Needless to say, our client was not thrilled when we detailed this for them. Talks with Sheila ensued and much discussion with attorneys, HR, regulators and eventually the customers were required. In the end, Sheila kept her position and while her management applauded her initiative and attention to the customers, she was sharply rebuked for causing the disclosures. Many customers were also furious as they were notified of the issue.

The moral of the story is that reputational risk is real. How your brand, online presence and service organization presents itself online has a huge impact on your customers, reputation and bottom line. Have you checked out your security policies around blogs, social media and/or online brand use? Have you sifted through the Internet to see what your organization looks like to the public, your customers and your employees? If you want to discuss reputational risk and how to help manage it, give us a call. We would be happy to talk you through some of the ways that you can tackle this growing issue. In the meantime, have a talk with your employees, especially customer service folks. Help them to understand that while they may want to “go the extra mile” to help their customers, they have to remain well within the boundaries of security and safe interaction. Sheila was trying to do the right thing, just like the folks on your team!

Microsoft IIS 6.0 WebDav Vulnerability – Urgent

Posted on by
Reply

We recently received a report of a vulnerability we thought everyone should be aware of. The vulnerability is in the Microsoft IIS 6.0 implementation of the WebDAV protocol. According to Wikipedia, “Web-based Distributed Authoring and Versioning, or WebDAV, is a set of extensions to the Hypertext Transfer Protocol (HTTP) that allows users to edit and manage files collaboratively on remote World Wide Web servers.” A common tool used as a WebDAV client, is Microsoft’s FrontPage.

The vulnerability describes a way for an attacker to retrieve protected files without any authentication. From a technical standpoint, all an attacker needs to do is insert a certain unicode character in the URI request. This make this vulnerability trivial to exploit. The vulnerability allows attackers to list all of the files in the WebDAV folder, and then access them individually.

As of this morning, there is no known mitigation for this vulnerability save disabling WebDAV for the time being.

Businesses employing an IIS 6.0 Web Server with WebDAV authoring method should carefully analyze their need for such service, and disable it if possible until a fix is released.

New HoneyPoint Add On Helps Organizations Fight Sniffer Attacks

Posted on by
Reply

MSI is proud to announce a new add-on tool for HoneyPoint Security Server that is designed to help organizations fight the threat of sniffers that might be in use on their networks. Dubbed HoneyBees, these special pieces of code are configured to work with deployed HoneyPoints and send simulated sessions to the HoneyPoints at intervals. These pseudo-sessions contain false credentials that appear to be real to sniffing software, especially attack tools and malware that may have infiltrated network defenses. When attackers try to use these captured credentials to authenticate to the HoneyPoint, they are immediately identified and the security administrator is notified.

“Given the recent events with data compromises stemming from sniffer-based attacks, we thought it was time to give organizations a new tool to help fight this threat. Detecting sniffers can be pretty tough in a complex network environment with traditional methods, but our approach is an easy, low resource, effective way to help level the playing field.” said Brent Huston, CEO of MicroSolved, Inc. “By adding HoneyBees to the power of HoneyPoint Security Server, we continue to erode the ability for attackers to believe what they see. Our aim has been, since the introduction of HoneyPoint, to introduce additional risk into the attacker’s perspective. We want to make each and every step that they take to steal data more dangerous for them in terms of getting caught.”, he explained.

HoneyBees will be available beginning in April and will be licensed separately. Existing HoneyPoint Security Server users (prior to the end of April) will receive three free HoneyBees to compliment their existing deployments.

“This is just one more way that MSI is working with our clients to help them find creative solutions to their security problems.”, Huston added.

For more information about HoneyBees or any of the HoneyPoint line of products, please give us a call at (614) 351-1237. We look forward to answering any questions you may have.

FREE HoneyPoint to Capture Conflicker Infections

Posted on by
7

MSI is proud to announce the instant availability of a LINUX ONLY HoneyPoint GUI tool to capture Conflicker scans and probes.

Conflicker is a significant threat and is expected to wreak havok on April 1, 2009. You can find a ton of information about Conflicker here from various vendors via SANS.

The HoneyPoint Special Edition: Conflicker runs in Linux and is easy to use with just about any LiveCD distro (including Puppy/DSL/gOS, etc.) and should make it easy for organizations to monitor their network spaces with a scattersensing approach. We chose not to release an OS X version to avoid issues with root authentication and Windows was not possible, since the detection requires binding to port 445/TCP which Windows uses for CIFS.

This application is our attempt to help organizations around the world defend themselves and their assets against this bleeding edge threat using rational, safe and effective detection mechanisms at the network level.

You can download the zip file from here.

Please let us know your thoughts.