Category Archives: Emerging Threats

New HoneyPoint Add On Helps Organizations Fight Sniffer Attacks

Posted on by
Reply

MSI is proud to announce a new add-on tool for HoneyPoint Security Server that is designed to help organizations fight the threat of sniffers that might be in use on their networks. Dubbed HoneyBees, these special pieces of code are configured to work with deployed HoneyPoints and send simulated sessions to the HoneyPoints at intervals. These pseudo-sessions contain false credentials that appear to be real to sniffing software, especially attack tools and malware that may have infiltrated network defenses. When attackers try to use these captured credentials to authenticate to the HoneyPoint, they are immediately identified and the security administrator is notified.

“Given the recent events with data compromises stemming from sniffer-based attacks, we thought it was time to give organizations a new tool to help fight this threat. Detecting sniffers can be pretty tough in a complex network environment with traditional methods, but our approach is an easy, low resource, effective way to help level the playing field.” said Brent Huston, CEO of MicroSolved, Inc. “By adding HoneyBees to the power of HoneyPoint Security Server, we continue to erode the ability for attackers to believe what they see. Our aim has been, since the introduction of HoneyPoint, to introduce additional risk into the attacker’s perspective. We want to make each and every step that they take to steal data more dangerous for them in terms of getting caught.”, he explained.

HoneyBees will be available beginning in April and will be licensed separately. Existing HoneyPoint Security Server users (prior to the end of April) will receive three free HoneyBees to compliment their existing deployments.

“This is just one more way that MSI is working with our clients to help them find creative solutions to their security problems.”, Huston added.

For more information about HoneyBees or any of the HoneyPoint line of products, please give us a call at (614) 351-1237. We look forward to answering any questions you may have.

FREE HoneyPoint to Capture Conflicker Infections

Posted on by
7

MSI is proud to announce the instant availability of a LINUX ONLY HoneyPoint GUI tool to capture Conflicker scans and probes.

Conflicker is a significant threat and is expected to wreak havok on April 1, 2009. You can find a ton of information about Conflicker here from various vendors via SANS.

The HoneyPoint Special Edition: Conflicker runs in Linux and is easy to use with just about any LiveCD distro (including Puppy/DSL/gOS, etc.) and should make it easy for organizations to monitor their network spaces with a scattersensing approach. We chose not to release an OS X version to avoid issues with root authentication and Windows was not possible, since the detection requires binding to port 445/TCP which Windows uses for CIFS.

This application is our attempt to help organizations around the world defend themselves and their assets against this bleeding edge threat using rational, safe and effective detection mechanisms at the network level.

You can download the zip file from here.

Please let us know your thoughts.

Toata Update: Smaller Target List for Now

Posted on by
Reply

We caught some changed patterns from the Toata bot-net last night in the HITME. It appears that they have dropped RoundCube from their target probes and are now focusing on Mantis.

The scanning targets list is much smaller this time around, which should increase their speed and efficiency.

Current Toata scanning pattern 03/19/09:

GET HTTP/1.1 HTTP/1.1

GET /mantis/login_page.php HTTP/1.1

GET /misc/mantis/login_page.php HTTP/1.1

GET /php/mantis/login_page.php HTTP/1.1

GET /tracker/login_page.php HTTP/1.1

GET /bug/login_page.php HTTP/1.1

GET /bugs/login_page.php HTTP/1.1

Of course, the scans also contain the string:

“Toata dragostea mea pentru diavola”

You should check your own sites for these issues and investigate any findings as if they were potentially compromised hosts. This is a widely appearing set of probes.

Finding Conficker with HoneyPoint

Posted on by
Reply

With so much press attention to the conficker worm, it is very likely that you have heard of it. What you may not know is that it is a very very advanced piece of code. It is quite capable, able to optimize itself to concentrate its attacks and is being updated fairly routinely by its programmers/owners. Hundreds of thousands of compromised systems are thought to still be online, making for a very risky situation when/if the handlers of the worm decide to put those infected systems to use. Even while we wait for the “other shoe to drop”, these infected systems are likely to continue propagating the worm and present a clear and present danger to other systems that are not under the attacker’s control.

The worm is capable of propagating via several methods, but the most common one is via exploitation of a vulnerability over port 445/TCP. HoneyPoint (Security Server and/or Personal Edition) users can establish HoneyPoints on this port to detect scanning/probing hosts using non-Windows systems. Linux and OS X systems can dilate this port (which can’t be done effectively on Windows without major work and impact on the system) to detect the source IP addresses of infected hosts on the network. Using approaches such as “scattersensing” has proven to be highly effective in identifying compromised hosts around the globe. These infected hosts should be removed from use immediately and should be treated as compromised using your existing incident response/security processes.

As we have said before, scattersensing is an easy, effective and cheap mechanism to gain security insight using older systems, laptops or desktops, a LiveCD (such as PuppyLinux or gOS) and HoneyPoints. You can quickly build a scatter sensor or several and move them around your environment trivially. This makes for a powerful solution to detect malware and insider threats of a myriad of natures.

Please feel free to give us a call to discuss this solution and enterprise HoneyPoint deployments further should you have any questions. Happy hunting!

DShield Launches Web Honeypot to Gather Attack Pattern Data

Posted on by
Reply

SANS and Dshield today announced the public availability of a new honeypot project for gathering web application attack patterns and trends. The tool is available at no charge and will feed into the ongoing DShield project data stream.

This is a great project and I am very happy to hear that more public attention will be on the use of honeypots to gather real metrics for attacks. This is something I have long stressed as a strength of our HoneyPoint products. I love the fact that they are doing it on a widely distributed basis. I know what kind of data we get from our HITME and I really hope they have much success in gathering that level of insight from a global view. I think the community as a whole will benefit.

Have we entered the age of the honeypot? Are we finally ready to accept the idea that “fake stuff can make us more secure”? I am not sure the public is there yet, but I think this another step closer. What do you think?

Twitter Smurfing or Amplified Twitter Spamming

Posted on by
2

Last night, @mubix pointed out a certain phrase that would result in a re-tweet of the attached content on Twitter. The interesting thing that got me going on this was that the folks in question had established an application to watch the Twitter stream and forward any content that mentioned the phrase to their followers.

Tweet-bots are not new, and I have written about code that could be adapted for this purpose in the past. Bots exist on Twitter for a variety of actions, but thus far, seem to have been relegated to auto-following folks or sending simple data streams to the service.

However, this new type of bot (which there may be others, some even older, of which I was unaware) opens Twitter and its users to a new type of spam. The obvious issue is that you could bait spam content with bot-friendly phrases and get your message sent to a MUCH BROADER coverage of followers than your own. Malicious and rowdy behavior could follow and lot of harassment and criminal activity could be shared by all. Sure, as @mubix said, “this is the open relay of Web 2.0”. I agree, it is just a matter of moments before this is a widely used abuse pattern made all the more powerful by the underlying architecture of trust that is Twitter.

But, while new forms of spam mildly interesting to me, what was interesting was that as I toyed with the bot, I would get MULTIPLE COPIES OF MY MESSAGE RETWEETED. That’s right, sometimes it would take my single message and retweet it multiple times. I could not determine if this was a bug in their implementation or a desired behavior, but it happened. That led me to the idea that you could use these bots as amplifiers. You could, essentially, identify a list of retweeting bots and cascade them to create the modern day version of the smurf attack!

Scanning the Twitter stream for these bots could be pretty easy. You could quickly script and API-enabled tool to tweet dictionary terms or brute force character groups into you found a catalog of retweet terms, then cascade them to cause a “retweet storm” of some sort. Some controls over the process are implicit due to the 140 character max for tweets, but it is likely an interesting experiment. Properly tuned, it might also be a denial of service style attack or a way to spread very small spam messages far and wide.

It should be noted that much of this is theoretical. I did not, nor do I intend, to engage in this type behavior. But, to me, it certainly seems possible. I can see it being used as a platform for spam and social engineering. I also don’t see a lot of controls that could be put in place to stop it.

Let me know your thoughts on this possibility and feel free to leave a comment and disagree or explain why I am wrong. I think there will be some interesting and dangerous times ahead for all social networks and I don’t think Twitter will be an exception.

Thanks to @mubix of Hak5 for the pointer and discussion!

The New Version of HPPE OR Whoop, Here It Is!

Posted on by
Reply

MSI is very proud to announce the release of HoneyPoint Personal Edition 2.00!

This update to the favorite product of many users, comes with all kinds of new power and flexibility, plus a greatly simplified and user friendly interface. Plus, it now supports Linux and Mac OS X in addition to Windows.

If you are new to the functions and capabilities of HoneyPoint Personal Edition, it basically serves up “fake” services on systems. These services then lie in wait for attackers and malware to probe them. When someone, or something, does interact with the service, all transactions are recorded, including their source IP address and timeline. Users are then alerted to the activity and can take defensive actions as needed. For more insight into how HPPE works, download the PDF we have designed for the product from here.

The new version includes many new features, including:

HornetPoints to leverage “defensive fuzzing” as an automated form of defense against hacker tools and malware

Plugins (just like HoneyPoint Security Server) to automate responses and allow user-designed/custom alerts, etc.

You can download the product from the link above for FREE and give it a try, then purchase a license when you are ready from the online store. Per seat licenses start at only $29.95!

Users with valid licenses of HPPE 1.XX can upgrade to the newest version and receive a new license key for the special upgrade price of $9.95 per seat by using the checkout coupon code “upgrade351” in the Digital River software store on the bottom of the page linked above.

Check out HoneyPoint Personal Edition for insight into just how fake applications can increase your security and help your users make better security decisions. If you would like a more enterprise-centric version or capability, we offer that and much more through HoneyPoint Security Server. Give us a call or drop us a line to learn more about it anytime.

Waiting for the Other Conflicker Shoe to Drop

Posted on by
Reply

OK, so by now you have probably read a 100 articles on Conflicker and the spread of the worm. I warned of impending trouble from the worm, which, thankfully did not emerge over the weekend. I really thought the traffic levels would be of importance, but indeed, there was little impact on global traffic levels. This is one of those cases where I am really glad I was wrong!

Now that the majority of the scanning and traffic spikes are over, we are waiting for the other shoe to drop on this attack. The initial worm spread and compromise was likely only the first phase of the attacker’s plans. They now have an immense network of bot-infected hosts at their command. What they will do with them and how they will focus these systems on compromise remains to be seen. Given the sophistication of Conflicker and the “intelligence” of its design and scanning code, the forthcoming use could be a pretty creative and powerful threat vector. We may well see some new form of attack or probe that we have not encountered before.

It is, of course, critical that organizations and individuals move to identify and mitigate any infected hosts. The less bot-infected hosts for the attackers to command, the better. The problem is that many of the compromised systems are in locales with limited IT knowledge resource levels. In many of the countries where infected systems are concentrated, IT admins and tech savvy users are difficult to locate and even harder to afford. This means that while some of the systems may get cleaned up, there is still likely to be a significant army of infected zombies for the bot-herder(s) to wield.

In general, in this case, other than mitigating compromised hosts, there is little you can do beyond standard security practices. You can deploy detective capabilities around logging and vision-enhancement tools like HoneyPoint, but other than the usual, there is little focused risk minimization you can do for this one.

My best advice is to remain vigilant, keep up to date and keep working to better the security across your organization. Eventually, the other shoe will drop, and when it does, we will have to do our best to turn aside whatever happens.

Danger: Conflicker Growing at Massive Rate **ALERT**

Posted on by
1

Just a quick word of caution, the MSI::HITME (HoneyPoint Internet Threat Monitoring Environment) is getting nailed by Conflicker worm scans. New hosts (not seen in the last 24 hours) are probing the HITME every 5 mins or so! Scanning for port 445/TCP is growing HUGELY, if not EXPONENTIALLY!

This is important to you for the following reasons if you are an IT person or Infosec person:

  • The rate of spread is quite high. Likely, we will see Internet wide traffic impacts over the weekend or by early Monday if it continues at present growth rate.
  • Even when it plateaus and tapers, this will mean a HUGE INCREASE in infected bot-net machines, the likes of which will likely compare to Kraken or Storm
  • On Monday, you should be prepared for worm war. People who took their machines home and got infected over the weekend will be returning it to your office on Monday or when they come back to work. Look for scanning on a large scale in many organizations.
  • You are likely to get “those calls” from a competitor or other company about “why is your network scanning mine” — always fun!

What can you do?

  • HoneyPoint users (Personal Edition and Security Server) should deploy Linux or virtual decoy hosts (no SAMBA/CIFS) with a HoneyPoint listening on 445/tcp. (Note that you can’t bind to 445 on Windows systems as Windows is using it to host the possibly vulnerable service) Investigate any host that probes that open port.
  • Make sure all servers and as many workstations as possible are patched! (do this NOW!!!!!)(Servers first!!!!)
  • Make sure all AV is up to date. Most AV will catch the overt worm, though evolution and mutation seem likely.
  • Prepare yourself and your team for the battle ahead.
  • If you are a NAC person, pray to the various “NAC Daemons” that your solution actually works and is configured to actually protect you in this event.
  • Obviously, make sure all of your Windows hosts are protected by a real firewall and that port 445 is NOT Internet exposed. (Goes without saying, but obviously not…)

Please, pay attention to this one. It looks “slammer/code red” nasty…..

** 1/25 11:00 AM Eastern Update: After talking with many other folks on twitter and with some wonderful visualization help from @pophop, it appears that the growth is linear, AND NOT EXPONENTIAL. Much of the growth is coming from consumer broadband, especially Asia and Europe. Given the oddity of the source host increases and data from other scans, I am wondering if the infection scans for a while and then goes into a sleep mode to await further instructions. More analysis and such on Monday. Thanks to all for the help, especially @pophop and SANS **

3 Links for Securing USB Drives

Posted on by
Reply

This project caught my eye. It is includes crypto and ease of use. It is called geek.menu and is based from the portableapps project. Installed and configured right, it makes an encrypted file system to protect your data if you lose the drive. It also allows you to easily configure some pretty powerful options around the apps you install. Check it out if you are a big thumb drive user.

This article is a great overview of risks from thumb drives. It should be a basic requirement for any user in the organization that gets provisioned one.

Lastly, for those of you want to make the most of security through obscurity to protect your precious USB thumb drive from discovery, check this article out about hiding your drive in the wall.

If you are both a thumb drive (USB drive) and a Windows user, you should probably read about the Conflicker malware. It is currently spreading wildly and can transit itself on USB drives. (Oooops, that was 4….)