New Web Scanner Patterns

The HITME has begun to pick up a new web scanning pattern from sources located primarily in Europe. As is usual with these simple PHP and web application scans, it is spreading slowly but steadily.

Here is the list of targets that the scanner is checking for:

//phpMyAdmin/main.php

//phpmyadmin/main.php

//pma/main.php

//admin/main.php

//dbadmin/main.php

//mysql/main.php

//php-my-admin/main.php

//myadmin/main.php

//PHPMYADMIN/main.php

Note that this scanner carries neither of the two scanning signatures we are used to seeing from Toata and Morfeus: no scanner name or identifier is sent during the probes, so the request paths themselves are the only thing to match on.

Web admins should check their server logs for these signatures. You can do so using our BrainWebScan tool (FREE) if you would like. I will publish a brain file for this as soon as possible, or you can cut and paste the signatures from this page. Note that every path in the list begins with a doubled slash; most web servers log the request line exactly as received, so the double slash is part of the signature and worth including in your search.

Lessons From a Reputational Risk Audit

Here is a recent lesson from one of our new Reputational Risk Audits that we have begun performing. The client, a financial services company, hired us to check out how their brand was being used online. They were very interested in possible risks that extend from the use of their brand and their online reputation.

We offer this service in three levels of research focus:

1. Basic web research and profiling only.

2. Inclusion of blogs and social networks.

3. Inclusion of peer to peer networks for leaking documents, pirated code, etc.

Our services look at many facets of online reputation and many mechanisms that DLP tools and the like might miss.

In this particular case, the client wanted us to focus in on the 1st and 2nd levels of our service. After a couple of weeks, we met to present our findings. There were several. I am at liberty to share one, in particular, with the public.

The client had a customer service person, whom we will call Sheila. Sheila had been with their organization for a little over 5 years and was considered to be a senior level customer service representative. She was very helpful and had great rapport with their customers. Unfortunately, Sheila had also recently discovered social networks and took it upon herself to create a customer support profile on a well-known social media network. Her profile was linked to the brand and site of our client, the financial services company. Sheila did what she thought was an admirable thing and established the profile as an interface (albeit an unsanctioned one) for working with her customers.

Sheila was trying to do the right thing. She really wanted to use social media to talk to her customers, help them resolve their problems and truly help progress the image of the company she worked for. There were just a few issues with this approach:

1. She was asking customers confidential questions and receiving their answers on a public service. This exposed the personal information of those customers to search engines, attackers and other online criminals.

2. She had not obtained permission to use the brand of the organization she worked for, and in doing so caused harm to her customers AND to the very company she was trying to help.

There are other issues as well, but these are the primary ones. Needless to say, our client was not thrilled when we detailed this for them. Talks with Sheila ensued, and much discussion with attorneys, HR, regulators and eventually the customers themselves was required. In the end, Sheila kept her position, and while her management applauded her initiative and attention to the customers, she was sharply rebuked for causing the disclosures. Many customers were also furious when they were notified of the issue.

The moral of the story is that reputational risk is real. How your brand, online presence and service organization presents itself online has a huge impact on your customers, reputation and bottom line. Have you checked out your security policies around blogs, social media and/or online brand use? Have you sifted through the Internet to see what your organization looks like to the public, your customers and your employees? If you want to discuss reputational risk and how to help manage it, give us a call. We would be happy to talk you through some of the ways that you can tackle this growing issue. In the meantime, have a talk with your employees, especially customer service folks. Help them to understand that while they may want to “go the extra mile” to help their customers, they have to remain well within the boundaries of security and safe interaction. Sheila was trying to do the right thing, just like the folks on your team!

Microsoft IIS 6.0 WebDav Vulnerability – Urgent

We recently received a report of a vulnerability we thought everyone should be aware of. The vulnerability is in the Microsoft IIS 6.0 implementation of the WebDAV protocol. According to Wikipedia, “Web-based Distributed Authoring and Versioning, or WebDAV, is a set of extensions to the Hypertext Transfer Protocol (HTTP) that allows users to edit and manage files collaboratively on remote World Wide Web servers.” A common WebDAV client is Microsoft’s FrontPage.

The report describes a way for an attacker to retrieve password-protected files without any authentication. From a technical standpoint, all an attacker needs to do is insert a certain Unicode character into the URI of the request, which makes this vulnerability trivial to exploit. It allows attackers to list all of the files in a protected WebDAV folder and then retrieve them individually.

At the time of writing there is no patch, and the only known mitigation is to disable WebDAV until one is released.

Businesses running an IIS 6.0 web server with WebDAV authoring enabled should carefully analyze their need for the service and disable it if possible until a fix is released. On IIS 6.0, WebDAV is controlled from the Web Service Extensions node in IIS Manager, where it can be set to Prohibited; before you do so, review your logs for WebDAV methods such as PROPFIND so you know which clients, if any, actually depend on it.
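As an added example (not part of the original advisory, and not a signature for the specific bug, since the post does not name the Unicode character involved), here is a Python screen over IIS 6.0 W3C extended logs. It assumes the cs-uri-stem field is logged as received, percent-encoding intact, and flags any request whose URI carries a raw non-ASCII character or a percent-encoded byte of 0x80 or above, tagging WebDAV methods separately. It also tallies which clients actually use WebDAV methods, which is the input to the "do we need this service" decision above. The log lines, the IP addresses and the non-ASCII sequence in them are constructed for the demonstration.

```python
"""Screen IIS 6.0 W3C extended logs for WebDAV activity and for request URIs
carrying non-ASCII or percent-encoded high bytes.

Added example for this post, not a vendor signature: the post does not name
the Unicode character used, so this flags any high-byte URI for human review.
Assumes cs-uri-stem is logged as received (percent-encoding intact).
"""
import re
from collections import Counter

WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}
# %80 .. %FF: a percent-encoded byte that is not ASCII.
HIGH_PCT = re.compile(r"%[89A-Fa-f][0-9A-Fa-f]")

# Constructed sample log; 203.0.113.9 is the only client sending a URI with
# a non-ASCII sequence (an arbitrary placeholder, not the real trigger).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-05-18 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-05-18 08:01:02 10.0.0.5 GET /index.htm - 80 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2009-05-18 08:01:09 10.0.0.5 PROPFIND /protected/ - 80 jdoe 198.51.100.4 Microsoft-WebDAV-MiniRedir/5.1.2600 207 0 0
2009-05-18 08:02:15 10.0.0.5 PROPFIND /%c3%bf/protected/ - 80 - 203.0.113.9 - 207 0 0
2009-05-18 08:02:16 10.0.0.5 GET /protected/report.xls - 80 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0) 401 2 5
"""


def parse_w3c(lines):
    """Yield one dict per record, keyed by the most recent #Fields header."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")  # IIS replaces spaces inside values with '+'
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def suspicious_uri(uri):
    """True if the URI holds a raw non-ASCII character or a %80-%FF escape."""
    return any(ord(c) > 0x7F for c in uri) or HIGH_PCT.search(uri) is not None


def review(lines):
    """Return (c-ip, method, uri, status, tags) for every record whose URI
    looks suspicious; 'webdav-method' is added as a tag when it applies."""
    flagged = []
    for rec in parse_w3c(lines):
        uri = rec.get("cs-uri-stem", "")
        method = rec.get("cs-method", "")
        if not suspicious_uri(uri):
            continue
        tags = ["non-ascii-uri"]
        if method in WEBDAV_METHODS:
            tags.append("webdav-method")
        flagged.append((rec.get("c-ip"), method, uri, rec.get("sc-status"), "+".join(tags)))
    return flagged


def webdav_clients(lines):
    """Count WebDAV requests per (client IP, method): who actually uses the
    service, which is the question to answer before you prohibit it."""
    return Counter((rec.get("c-ip"), rec["cs-method"])
                   for rec in parse_w3c(lines)
                   if rec.get("cs-method") in WEBDAV_METHODS)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            lines = f.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    for hit in review(lines):
        print("FLAG", *hit)
    for (ip, method), n in webdav_clients(lines).most_common():
        print(f"webdav {method:9s} {ip:16s} {n}")
```

Run it as `python3 webdav_review.py ex090518.log` against a copy of the log; with no argument it runs over the built-in sample. Anything it flags with a 2xx status (207 is a successful WebDAV multi-status response) against a path you expect to require authentication deserves the same handling as a suspected compromise.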

New HoneyPoint Add On Helps Organizations Fight Sniffer Attacks

MSI is proud to announce a new add-on tool for HoneyPoint Security Server that is designed to help organizations fight the threat of sniffers that might be in use on their networks. Dubbed HoneyBees, these special pieces of code are configured to work with deployed HoneyPoints and send simulated sessions to the HoneyPoints at intervals. These pseudo-sessions contain false credentials that appear to be real to sniffing software, especially attack tools and malware that may have infiltrated network defenses. When attackers try to use these captured credentials to authenticate to the HoneyPoint, they are immediately identified and the security administrator is notified.

“Given the recent events with data compromises stemming from sniffer-based attacks, we thought it was time to give organizations a new tool to help fight this threat. Detecting sniffers can be pretty tough in a complex network environment with traditional methods, but our approach is an easy, low resource, effective way to help level the playing field,” said Brent Huston, CEO of MicroSolved, Inc. “By adding HoneyBees to the power of HoneyPoint Security Server, we continue to erode the ability for attackers to believe what they see. Our aim has been, since the introduction of HoneyPoint, to introduce additional risk into the attacker’s perspective. We want to make each and every step that they take to steal data more dangerous for them in terms of getting caught,” he explained.

HoneyBees will be available beginning in April and will be licensed separately. Existing HoneyPoint Security Server users (those licensed prior to the end of April) will receive three free HoneyBees to complement their existing deployments.

“This is just one more way that MSI is working with our clients to help them find creative solutions to their security problems,” Huston added.

For more information about HoneyBees or any of the HoneyPoint line of products, please give us a call at (614) 351-1237. We look forward to answering any questions you may have.

FREE HoneyPoint to Capture Conficker Infections

MSI is proud to announce the immediate availability of a LINUX ONLY HoneyPoint GUI tool to capture Conficker scans and probes.

Conficker is a significant threat and is expected to wreak havoc on April 1, 2009. You can find a ton of information about Conficker here from various vendors via SANS.

The HoneyPoint Special Edition: Conficker runs on Linux, is easy to use with just about any LiveCD distro (Puppy, DSL, gOS, etc.), and should make it easy for organizations to monitor their network spaces with a scattersensing approach. We chose not to release an OS X version to avoid issues with root authentication, and a Windows version was not possible, since detection requires binding to port 445/TCP, which Windows itself holds open for CIFS.

This application is our attempt to help organizations around the world defend themselves and their assets against this bleeding edge threat using rational, safe and effective detection mechanisms at the network level.

You can download the zip file from here.

Please let us know your thoughts.

Toata Update: Smaller Target List for Now

We caught some changed patterns from the Toata bot-net last night in the HITME. It appears that they have dropped RoundCube from their target probes and are now focusing on Mantis.

The scanning targets list is much smaller this time around, which should increase their speed and efficiency.

Current Toata scanning pattern 03/19/09:

GET HTTP/1.1 HTTP/1.1

GET /mantis/login_page.php HTTP/1.1

GET /misc/mantis/login_page.php HTTP/1.1

GET /php/mantis/login_page.php HTTP/1.1

GET /tracker/login_page.php HTTP/1.1

GET /bug/login_page.php HTTP/1.1

GET /bugs/login_page.php HTTP/1.1

Of course, the scans also contain the string:

“Toata dragostea mea pentru diavola”

You should check your own sites and logs for these probes and investigate any findings, particularly any probe that received a successful response, as if the host were potentially compromised. This is a widely appearing set of probes.
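Both scanner patterns on this page come down to a short list of request paths, plus, for Toata, a fixed string. As an added example (this is not BrainWebScan or a brain file, just the signatures from the two posts applied to a log), here is a Python script that reads Apache/nginx combined-format access logs, attributes each matching request to the anonymous phpMyAdmin scanner or to Toata, groups hits by source IP, and separates out probes the server answered with a 2xx, which are the ones that mean the probed application is actually present. The log lines and addresses are constructed for the demonstration.

```python
"""Flag probes matching the two HITME scanner patterns described above in
Apache/nginx combined-format access logs.

Added example; this is not BrainWebScan or a brain file, just the
signatures from the two posts applied to a log. Sample lines are constructed.
"""
import re
from collections import defaultdict

# Paths from the anonymous phpMyAdmin scanner. Every one starts with a
# doubled slash; Apache logs the request line as received, so keep it.
PMA_PATHS = {
    "//phpMyAdmin/main.php", "//phpmyadmin/main.php", "//pma/main.php",
    "//admin/main.php", "//dbadmin/main.php", "//mysql/main.php",
    "//php-my-admin/main.php", "//myadmin/main.php", "//PHPMYADMIN/main.php",
}
# Toata pattern of 03/19/09 plus the string it carries. The bare
# "GET HTTP/1.1 HTTP/1.1" line is not matched on its own: without the
# string or a Mantis path it is indistinguishable from any broken client.
TOATA_PATHS = {
    "/mantis/login_page.php", "/misc/mantis/login_page.php",
    "/php/mantis/login_page.php", "/tracker/login_page.php",
    "/bug/login_page.php", "/bugs/login_page.php",
}
TOATA_STRING = "Toata dragostea mea pentru diavola"

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample: one phpMyAdmin scanner, one Toata host that got a 200
# on a Mantis login page, and one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Mar/2009:03:12:01 -0400] "GET //phpMyAdmin/main.php HTTP/1.1" 404 209 "-" "-"
203.0.113.7 - - [19/Mar/2009:03:12:02 -0400] "GET //pma/main.php HTTP/1.1" 404 209 "-" "-"
198.51.100.9 - - [19/Mar/2009:04:40:10 -0400] "GET /mantis/login_page.php HTTP/1.1" 404 209 "-" "Toata dragostea mea pentru diavola"
198.51.100.9 - - [19/Mar/2009:04:40:11 -0400] "GET /bugs/login_page.php HTTP/1.1" 200 3120 "-" "Toata dragostea mea pentru diavola"
192.0.2.44 - - [19/Mar/2009:05:00:00 -0400] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
"""


def classify(line):
    """Return (source_ip, scanner, request_line, status) or None."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    req = m.group("req")
    parts = req.split(" ")
    path = parts[1] if len(parts) >= 2 else ""
    if TOATA_STRING in line or path in TOATA_PATHS:
        scanner = "toata"
    elif path in PMA_PATHS:
        scanner = "anon-phpmyadmin"
    else:
        return None
    return m.group("ip"), scanner, req, m.group("status")


def scan_log(lines):
    """Group hits by source IP -> scanner -> list of (request, status)."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in lines:
        hit = classify(line)
        if hit:
            ip, scanner, req, status = hit
            hits[ip][scanner].append((req, status))
    return {ip: dict(by_scanner) for ip, by_scanner in hits.items()}


def successful_probes(lines):
    """Probes the server answered 2xx: the probed app exists, investigate first."""
    return [hit for hit in map(classify, lines) if hit and hit[3].startswith("2")]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as f:
            lines = f.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    for ip, by_scanner in scan_log(lines).items():
        for scanner, reqs in by_scanner.items():
            print(f"{ip:16s} {scanner:16s} {len(reqs)} probe(s)")
    for ip, scanner, req, status in successful_probes(lines):
        print("INVESTIGATE", ip, scanner, req, status)
```

A 404 against every path on the list is the normal, harmless outcome and is mostly useful for blocking the source; a 200 means the probed application really is installed at that path and the host should be reviewed as a possible compromise, as the post advises.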

Finding Conficker with HoneyPoint

With so much press attention to the Conficker worm, it is very likely that you have heard of it. What you may not know is that it is a very advanced piece of code. It is quite capable, able to optimize itself to concentrate its attacks, and is being updated fairly routinely by its programmers/owners. Hundreds of thousands of compromised systems are thought to still be online, making for a very risky situation when/if the handlers of the worm decide to put those infected systems to use. Even while we wait for the “other shoe to drop”, these infected systems are likely to continue propagating the worm and present a clear and present danger to other systems that are not yet under the attacker’s control.

The worm is capable of propagating via several methods, but the most common one is exploitation of a vulnerability over port 445/TCP. HoneyPoint (Security Server and/or Personal Edition) users can establish HoneyPoints on this port on non-Windows systems to detect scanning/probing hosts. Linux and OS X systems can open this port (which cannot be done effectively on Windows without major work and impact on the system, since Windows itself uses it for CIFS) to record the source IP addresses of infected hosts on the network. A sensor offers no real service on 445, so any host that connects to it unprompted is worth a look; your own vulnerability scanners and asset-discovery tools will show up too and should be whitelisted. Using approaches such as “scattersensing” has proven to be highly effective in identifying compromised hosts around the globe. These infected hosts should be removed from use immediately and treated as compromised using your existing incident response/security processes.

As we have said before, scattersensing is an easy, effective and cheap way to gain security insight using older systems, laptops or desktops, a LiveCD (such as PuppyLinux or gOS) and HoneyPoints. You can quickly build one scatter sensor or several and move them around your environment trivially. This makes for a powerful solution to detect malware and insider threats of many kinds.
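To make the mechanism behind both the port 445 sensing described here and the HoneyBees add-on announced above concrete, here is an added example in Python (not HoneyPoint or HoneyBee code): a minimal HoneyPoint-style TCP sensor that binds a port nothing legitimate listens on at this host, records the source IP and time of every connection, and escalates when a planted decoy credential is replayed against the fake service, which is the HoneyBee signal that someone is sniffing the wire. The decoy credentials, the one-line "USER <u> PASS <p>" login protocol and the self-test client are constructed for the demonstration; a real Conficker probe sends SMB and is simply recorded as a contact.

```python
"""A minimal HoneyPoint-style TCP sensor: open a port that nothing legitimate
listens on here (the post uses 445/TCP on Linux or OS X to catch Conficker
probes), log the source of every connection, and escalate when a planted
decoy credential is replayed at the fake service (the HoneyBee idea).

Added example, not HoneyPoint or HoneyBee code. The decoy credentials and
the toy 'USER <u> PASS <p>' login protocol are constructed for the demo.
"""
import socket
import socketserver
import threading
import time
from collections import Counter

# Decoy credentials that only the sensor's own simulated sessions ever carry
# on the wire. Anyone presenting them has been sniffing the network.
DECOY_CREDENTIALS = {("svc_backup", "Backup2009!"), ("dbadmin", "Spring-Pass-09")}


def uses_decoy_credential(data):
    """Parse the toy 'USER <u> PASS <p>' line and check it against the decoys."""
    tokens = data.decode("utf-8", "replace").split()
    if len(tokens) >= 4 and tokens[0].upper() == "USER" and tokens[2].upper() == "PASS":
        return (tokens[1], tokens[3]) in DECOY_CREDENTIALS
    return False


class ProbeLog:
    """Thread-safe record of every contact with the sensor."""

    def __init__(self):
        self._lock = threading.Lock()
        self.events = []  # (unix_time, src_ip, src_port, first_bytes, severity)

    def record(self, src_ip, src_port, data):
        # Any unsolicited connection is a WARN: the sensor offers no real
        # service. A replayed decoy credential is CRITICAL.
        severity = "CRITICAL" if uses_decoy_credential(data) else "WARN"
        with self._lock:
            self.events.append((time.time(), src_ip, src_port, data, severity))
        return severity

    def sources(self):
        """Contacts per source IP: the list of hosts to pull for IR."""
        with self._lock:
            return Counter(ev[1] for ev in self.events)

    def decoy_hits(self):
        with self._lock:
            return [ev for ev in self.events if ev[4] == "CRITICAL"]

    def wait_for(self, count, timeout=5.0):
        """Block until at least `count` events exist (used by the self-test)."""
        deadline = time.time() + timeout
        while time.time() < deadline:
            with self._lock:
                if len(self.events) >= count:
                    return True
            time.sleep(0.05)
        return False


class HoneyHandler(socketserver.BaseRequestHandler):
    def handle(self):
        # Grab whatever the client sends first (nothing, for a bare connect
        # scan), then record it against the source address.
        self.request.settimeout(2.0)
        try:
            data = self.request.recv(4096)
        except (socket.timeout, ConnectionError):
            data = b""
        src_ip, src_port = self.client_address[:2]
        self.server.log.record(src_ip, src_port, data)


class HoneySensor(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address, log):
        super().__init__(address, HoneyHandler)
        self.log = log


def start_sensor(host="0.0.0.0", port=445, log=None):
    """Bind the fake service and serve it from a background thread.
    Port 445 needs root on Linux/OS X and cannot be taken on Windows,
    which holds it for CIFS; port 0 picks a free port for testing."""
    log = log if log is not None else ProbeLog()
    server = HoneySensor((host, port), log)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, log


def probe(host, port, payload=b""):
    """Client helper: connect, optionally send one line, close."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        if payload:
            s.sendall(payload)


if __name__ == "__main__":
    server, log = start_sensor()
    print("sensor listening on 445/TCP; Ctrl-C to stop")
    try:
        while True:
            time.sleep(30)
            for ip, n in log.sources().most_common():
                print(f"{ip}: {n} contact(s)")
    except KeyboardInterrupt:
        server.shutdown()
```

Run it as root on a Linux LiveCD box with `sudo python3 sensor.py`; every source IP it prints is a host that reached out to a port with nothing behind it. To use the HoneyBee side, a second script periodically connects to the sensor and sends one of the decoy lines from an ordinary workstation address, so the credentials cross the wire where a sniffer would see them; the sensor ignores its own scheduled sessions by source and time and treats any other presentation of those credentials as CRITICAL.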

Please feel free to give us a call to discuss this solution and enterprise HoneyPoint deployments further should you have any questions. Happy hunting!

DShield Launches Web Honeypot to Gather Attack Pattern Data

SANS and DShield today announced the public availability of a new honeypot project for gathering web application attack patterns and trends. The tool is available at no charge and will feed into the ongoing DShield project data stream.

This is a great project and I am very happy to hear that more public attention will be on the use of honeypots to gather real metrics for attacks. This is something I have long stressed as a strength of our HoneyPoint products. I love the fact that they are doing it on a widely distributed basis. I know what kind of data we get from our HITME and I really hope they have much success in gathering that level of insight from a global view. I think the community as a whole will benefit.

Have we entered the age of the honeypot? Are we finally ready to accept the idea that “fake stuff can make us more secure”? I am not sure the public is there yet, but I think this is another step closer. What do you think?

Twitter Smurfing or Amplified Twitter Spamming

Last night, @mubix pointed out a certain phrase that would result in a re-tweet of the attached content on Twitter. The interesting thing that got me going on this was that the folks in question had established an application to watch the Twitter stream and forward any content that mentioned the phrase to their followers.

Tweet-bots are not new, and I have written about code that could be adapted for this purpose in the past. Bots exist on Twitter for a variety of actions, but thus far, seem to have been relegated to auto-following folks or sending simple data streams to the service.

However, this new type of bot (there may be others, some even older, of which I was unaware) opens Twitter and its users to a new type of spam. The obvious issue is that you could bait spam content with bot-friendly phrases and get your message sent to a MUCH BROADER set of followers than your own. Malicious and rowdy behavior could follow, and a lot of harassment and criminal activity could be shared by all. Sure, as @mubix said, “this is the open relay of Web 2.0”. I agree; it is just a matter of moments before this is a widely used abuse pattern, made all the more powerful by the underlying architecture of trust that is Twitter.

But, while new forms of spam are mildly interesting to me, what was really interesting was that as I toyed with the bot, I would get MULTIPLE COPIES OF MY MESSAGE RETWEETED. That’s right, sometimes it would take my single message and retweet it multiple times. I could not determine whether this was a bug in their implementation or desired behavior, but it happened. That led me to the idea that you could use these bots as amplifiers. You could, essentially, identify a list of retweeting bots and cascade them to create the modern-day version of the smurf attack!

Scanning the Twitter stream for these bots could be pretty easy. You could quickly script an API-enabled tool to tweet dictionary terms or brute-force character groups until you had a catalog of retweet terms, then cascade them to cause a “retweet storm” of some sort. Some controls over the process are implicit due to the 140-character maximum for tweets, but it is likely an interesting experiment. Properly tuned, it might also be a denial of service style attack or a way to spread very small spam messages far and wide.

It should be noted that much of this is theoretical. I did not, nor do I intend to, engage in this type of behavior. But, to me, it certainly seems possible. I can see it being used as a platform for spam and social engineering. I also don’t see a lot of controls that could be put in place to stop it.

Let me know your thoughts on this possibility and feel free to leave a comment and disagree or explain why I am wrong. I think there will be some interesting and dangerous times ahead for all social networks and I don’t think Twitter will be an exception.

Thanks to @mubix of Hak5 for the pointer and discussion!

The New Version of HPPE OR Whoop, Here It Is!

MSI is very proud to announce the release of HoneyPoint Personal Edition 2.00!

This update to the favorite product of many users comes with all kinds of new power and flexibility, plus a greatly simplified and user-friendly interface. It also now supports Linux and Mac OS X in addition to Windows.

If you are new to the functions and capabilities of HoneyPoint Personal Edition, it basically serves up “fake” services on systems. These services then lie in wait for attackers and malware to probe them. When someone, or something, does interact with the service, all transactions are recorded, including their source IP address and timeline. Users are then alerted to the activity and can take defensive actions as needed. For more insight into how HPPE works, download the PDF we have designed for the product from here.

The new version includes many new features, including:

HornetPoints to leverage “defensive fuzzing” as an automated form of defense against hacker tools and malware

Plugins (just like HoneyPoint Security Server) to automate responses and allow user-designed/custom alerts, etc.

You can download the product from the link above for FREE and give it a try, then purchase a license when you are ready from the online store. Per seat licenses start at only $29.95!

Users with valid licenses of HPPE 1.XX can upgrade to the newest version and receive a new license key for the special upgrade price of $9.95 per seat by using the checkout coupon code “upgrade351” in the Digital River software store on the bottom of the page linked above.

Check out HoneyPoint Personal Edition for insight into just how fake applications can increase your security and help your users make better security decisions. If you would like a more enterprise-centric version or capability, we offer that and much more through HoneyPoint Security Server. Give us a call or drop us a line to learn more about it anytime.