Get Ready, Here Comes the MS Web Office Bot-Nets!

Just as we expected, the exploit for the Web Office 0-day has been integrated into existing bot-net spread attacks. SANS and other folks began reporting that SQL injection compromises have now been tuned to include defacements with the embedded Web Office exploit.

These SQL injection attacks that lead to defacement, along with the recent spate of ColdFusion defacements, have been leveraged to spread malware for some time. However, this new “upgrade” to the malicious JavaScript the defacements use to infect browsers is likely to be much more effective with the Web Office exploit in place, given that no real patch is available and that the exploit code is so easy to use, stable and effective.

If you have not yet deployed the kill bit solution referenced in this article: https://stateofsecurity.com/?p=709, you should do so immediately. Mass, wide-scale exploitation of this issue is likely beginning and will continue for some time.

It would also be very wise to educate your staff about this issue since they will need to activate the kill bits on home systems as well until a patch becomes available.

Please note that once the kill bits are installed in the registry, systems must be rebooted before they become immune to the exploit.

Let us know if you have any questions or desire any assistance with the kill bit solution.

Risk Assessment and Mitigation for the MS Web Office Issue

Here is a PDF of the risk assessment and review of this emerging vulnerability. Please check it out if you are working on mitigating this issue.

While the corporate risk is identified as an overall medium, there is a high risk of workstation infection from this problem.

Check out the document here: Vuln RA 071409 – MS Web Office 0-day

If you would like to follow the emerging threat, the SANS Internet Storm Center is the best place to get current news about the outbreaks and exploitation. You can also follow me (@lbhuston) on Twitter for more information as it comes in.

UPDATES:

7/14 – 2:17pm Eastern –

SANS has gone back to green status and is posting that they hope awareness has been raised.

Nick Brown wrote in to tell us that the exploit in Metasploit is easy to use and very effective against most XP workstations. He also warns home users to be on the lookout, as this is very likely to turn into a worm or automated bot-net attack very soon. He agreed that the Metasploit exploit is unlikely to affect servers, as we expressed in our assessment. Lastly, he wanted us to remind everyone that using the kill bits REQUIRES A REBOOT OF THE SYSTEM BEFORE IT IS IMMUNE.

Adam Hostetler also found this site, which has some interesting ways of identifying vulnerable hosts: http://blogs.technet.com/srd/archive/2009/07/13/more-information-about-the-office-web-components-activex-vulnerability.aspx

We have scheduled a FLASH Campfire chat for a threat update and discussion at 4pm Eastern today. The URL for that chat is: https://microsolved.campfirenow.com/ccf03

Thanks for reading and for all of the excellent feedback!

Update2: Here is the transcript from the public chat. Thanks to all who attended. Hopefully, it will be helpful for folks who are working on the issue.

Transcript

New Web Scanner Patterns

The HITME has begun to pick up a new web scanning pattern from sources primarily in Europe. The pattern is following the usual course of spread and slow increase that we see with these simple PHP or web application scans.

Here is the list of targets that the scanner is checking for:

//phpMyAdmin/main.php
//phpmyadmin/main.php
//pma/main.php
//admin/main.php
//dbadmin/main.php
//mysql/main.php
//php-my-admin/main.php
//myadmin/main.php
//PHPMYADMIN/main.php

Note that this scanner does not have the big two scanning signatures that we are used to seeing from Toata and Morfeus. No scanner name or identifier is sent during the probes.

Web admins should check their servers for these signatures. You can do so using our free BrainWebScan tool if you would like. I will publish a brain file for this as soon as possible, or you can cut and paste the signatures from this page.

Lessons From a Reputational Risk Audit

Here is a recent lesson from one of our new Reputational Risk Audits that we have begun performing. The client, a financial services company, hired us to check out how their brand was being used online. They were very interested in possible risks that extend from the use of their brand and their online reputation.

We offer this service in three levels of research focus:

1. Basic web research and profiling only.

2. Inclusion of blogs and social networks.

3. Inclusion of peer-to-peer networks for leaking documents, pirated code, etc.

Our services look at many facets of online reputation and many mechanisms that DLP tools and the like might miss.

In this particular case, the client wanted us to focus in on the 1st and 2nd levels of our service. After a couple of weeks, we met to present our findings. There were several. I am at liberty to share one, in particular, with the public.

The client had a customer service person whom we will call Sheila. Sheila had been with their organization for a little over 5 years and was considered to be a senior level customer service representative. She was very helpful and had great rapport with their customers. Unfortunately, Sheila had also recently discovered social networks and took it upon herself to create a customer support profile on a well known social media network. Her profile was linked to the brand and site of our client, the financial services company. Sheila did what she thought was an admirable thing and established the profile as an interface (albeit unsanctioned) for working with her customers.

Sheila was trying to do the right thing. She really wanted to use social media to talk to her customers, help them resolve their problems and truly help progress the image of the company she worked for. There were just a few issues with this approach:

1. She was asking customers confidential questions and receiving their information on a public service. This exposed the personal information of the customers to search engines, attackers and other online criminals.

2. She failed to obtain permission to use the brand of the organization she worked for and in doing so, caused harm to her customers AND the very company she was trying to help.

There are other issues as well, but these are the primary ones. Needless to say, our client was not thrilled when we detailed this for them. Talks with Sheila ensued, and much discussion with attorneys, HR, regulators and eventually the customers was required. In the end, Sheila kept her position and, while her management applauded her initiative and attention to the customers, she was sharply rebuked for causing the disclosures. Many customers were also furious when they were notified of the issue.

The moral of the story is that reputational risk is real. How your brand, online presence and service organization presents itself online has a huge impact on your customers, reputation and bottom line. Have you checked out your security policies around blogs, social media and/or online brand use? Have you sifted through the Internet to see what your organization looks like to the public, your customers and your employees? If you want to discuss reputational risk and how to help manage it, give us a call. We would be happy to talk you through some of the ways that you can tackle this growing issue. In the meantime, have a talk with your employees, especially customer service folks. Help them to understand that while they may want to “go the extra mile” to help their customers, they have to remain well within the boundaries of security and safe interaction. Sheila was trying to do the right thing, just like the folks on your team!

New HoneyPoint Add On Helps Organizations Fight Sniffer Attacks

MSI is proud to announce a new add-on tool for HoneyPoint Security Server that is designed to help organizations fight the threat of sniffers that might be in use on their networks. Dubbed HoneyBees, these special pieces of code are configured to work with deployed HoneyPoints and send simulated sessions to the HoneyPoints at intervals. These pseudo-sessions contain false credentials that appear to be real to sniffing software, especially attack tools and malware that may have infiltrated network defenses. When attackers try to use these captured credentials to authenticate to the HoneyPoint, they are immediately identified and the security administrator is notified.

“Given the recent events with data compromises stemming from sniffer-based attacks, we thought it was time to give organizations a new tool to help fight this threat. Detecting sniffers can be pretty tough in a complex network environment with traditional methods, but our approach is an easy, low resource, effective way to help level the playing field,” said Brent Huston, CEO of MicroSolved, Inc. “By adding HoneyBees to the power of HoneyPoint Security Server, we continue to erode the ability for attackers to believe what they see. Our aim has been, since the introduction of HoneyPoint, to introduce additional risk into the attacker’s perspective. We want to make each and every step that they take to steal data more dangerous for them in terms of getting caught,” he explained.

HoneyBees will be available beginning in April and will be licensed separately. Existing HoneyPoint Security Server users (prior to the end of April) will receive three free HoneyBees to complement their existing deployments.

“This is just one more way that MSI is working with our clients to help them find creative solutions to their security problems,” Huston added.

For more information about HoneyBees or any of the HoneyPoint line of products, please give us a call at (614) 351-1237. We look forward to answering any questions you may have.

FREE HoneyPoint to Capture Conficker Infections

MSI is proud to announce the instant availability of a LINUX ONLY HoneyPoint GUI tool to capture Conficker scans and probes.

Conficker is a significant threat and is expected to wreak havoc on April 1, 2009. You can find a ton of information about Conficker here from various vendors via SANS.

The HoneyPoint Special Edition: Conficker runs in Linux and is easy to use with just about any LiveCD distro (including Puppy/DSL/gOS, etc.) and should make it easy for organizations to monitor their network spaces with a scattersensing approach. We chose not to release an OS X version to avoid issues with root authentication, and Windows was not possible, since the detection requires binding to port 445/TCP, which Windows uses for CIFS.

This application is our attempt to help organizations around the world defend themselves and their assets against this bleeding edge threat using rational, safe and effective detection mechanisms at the network level.

You can download the zip file from here.

Please let us know your thoughts.

Toata Update: Smaller Target List for Now

We caught some changed patterns from the Toata bot-net last night in the HITME. It appears that they have dropped RoundCube from their target probes and are now focusing on Mantis.

The scanning targets list is much smaller this time around, which should increase their speed and efficiency.

Current Toata scanning pattern 03/19/09:

GET HTTP/1.1 HTTP/1.1
GET /mantis/login_page.php HTTP/1.1
GET /misc/mantis/login_page.php HTTP/1.1
GET /php/mantis/login_page.php HTTP/1.1
GET /tracker/login_page.php HTTP/1.1
GET /bug/login_page.php HTTP/1.1
GET /bugs/login_page.php HTTP/1.1

Of course, the scans also contain the string:

“Toata dragostea mea pentru diavola”

You should check your own sites for these issues and investigate any findings as if they were potentially compromised hosts. This is a widely appearing set of probes.
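An added example (not code from MSI or the page) of the check suggested in this post and in the earlier "New Web Scanner Patterns" post: it walks web server access logs in combined log format, flags the phpMyAdmin probe paths, the Mantis probe paths and the Toata signature string, and counts hits per source host. The log lines are constructed for illustration and use documentation IP ranges.

```python
import re
from collections import defaultdict

# Signature sets copied from the two posts above.
PMA_PROBE_PATHS = {
    "//phpMyAdmin/main.php", "//phpmyadmin/main.php", "//pma/main.php",
    "//admin/main.php", "//dbadmin/main.php", "//mysql/main.php",
    "//php-my-admin/main.php", "//myadmin/main.php", "//PHPMYADMIN/main.php",
}
MANTIS_PROBE_PATHS = {
    "/mantis/login_page.php", "/misc/mantis/login_page.php",
    "/php/mantis/login_page.php", "/tracker/login_page.php",
    "/bug/login_page.php", "/bugs/login_page.php",
}
TOATA_MARKER = "Toata dragostea mea pentru diavola"

# Apache/nginx "combined" format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

def classify(line):
    """Return (scanner_name, src_ip) for a probe line, or None for benign traffic."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.group("req")
    parts = req.split(" ")
    path = parts[1] if len(parts) >= 2 else ""
    if path in PMA_PROBE_PATHS:
        return ("phpmyadmin-scanner", m.group("ip"))
    if path in MANTIS_PROBE_PATHS or TOATA_MARKER in line:
        return ("toata", m.group("ip"))
    if req == "GET HTTP/1.1 HTTP/1.1":  # malformed opening request from the Toata pattern
        return ("toata", m.group("ip"))
    return None

def summarize(lines):
    """Count probes per (scanner, source IP) so each probing host can be triaged."""
    hits = defaultdict(int)
    for line in lines:
        c = classify(line)
        if c:
            hits[c] += 1
    return dict(hits)

# Constructed sample log: two Toata probes, one phpMyAdmin probe, one normal request.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Mar/2009:02:11:05 -0400] "GET /mantis/login_page.php HTTP/1.1" 404 209 "-" "Toata dragostea mea pentru diavola"',
    '203.0.113.7 - - [19/Mar/2009:02:11:06 -0400] "GET /bugs/login_page.php HTTP/1.1" 404 209 "-" "Toata dragostea mea pentru diavola"',
    '198.51.100.23 - - [19/Mar/2009:03:40:12 -0400] "GET //pma/main.php HTTP/1.1" 404 209 "-" "-"',
    '192.0.2.44 - - [19/Mar/2009:03:41:00 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
]
```

Feed it real access logs with `summarize(open("access.log"))`; any host that appears in the result should be investigated as the post describes.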

Finding Conficker with HoneyPoint

With so much press attention on the Conficker worm, it is very likely that you have heard of it. What you may not know is that it is a very advanced piece of code. It is quite capable, able to optimize itself to concentrate its attacks, and is being updated fairly routinely by its programmers/owners. Hundreds of thousands of compromised systems are thought to still be online, making for a very risky situation when/if the handlers of the worm decide to put those infected systems to use. Even while we wait for the “other shoe to drop”, these infected systems are likely to continue propagating the worm and present a clear and present danger to other systems that are not under the attacker’s control.

The worm is capable of propagating via several methods, but the most common one is via exploitation of a vulnerability over port 445/TCP. HoneyPoint (Security Server and/or Personal Edition) users can establish HoneyPoints on this port to detect scanning/probing hosts using non-Windows systems. Linux and OS X systems can dilate this port (which can’t be done effectively on Windows without major work and impact on the system) to detect the source IP addresses of infected hosts on the network. Using approaches such as “scattersensing” has proven to be highly effective in identifying compromised hosts around the globe. These infected hosts should be removed from use immediately and should be treated as compromised using your existing incident response/security processes.

As we have said before, scattersensing is an easy, effective and cheap mechanism to gain security insight using older systems, laptops or desktops, a LiveCD (such as PuppyLinux or gOS) and HoneyPoints. You can quickly build a scatter sensor, or several, and move them around your environment trivially. This makes for a powerful solution to detect malware and insider threats of many kinds.
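An added illustration (not HoneyPoint code) of the port 445 scattersensing idea from this post and the "FREE HoneyPoint to Capture Conficker Infections" post above: a non-Windows host binds 445/TCP, speaks no SMB, and simply records the source address of everything that connects, since a box with no CIFS service should never be contacted there. The `demo` helper is assumed for self-testing on loopback with an ephemeral port; a real sensor would run `Port445Sensor().serve()` as root on a Linux/OS X LiveCD box.

```python
import socket
import threading
import time
from collections import defaultdict

class Port445Sensor:
    """Minimal scattersensor: listen on a TCP port (445 in practice, which needs
    root on Linux/OS X) and record who connects. Every peer is a lead, and
    repeated hits from one source are what an infected host looks like."""

    def __init__(self, port=445, bind_addr="0.0.0.0"):
        self.port = port
        self.bind_addr = bind_addr
        self.seen = defaultdict(list)   # src_ip -> list of probe timestamps
        self.ready = threading.Event()  # set once the socket is listening

    def record(self, src_ip, ts):
        """Bookkeeping only, kept separate so it can be exercised without a socket."""
        self.seen[src_ip].append(ts)
        return len(self.seen[src_ip])

    def suspects(self, min_hits=1):
        """Source IPs with at least min_hits probes, most active first."""
        return sorted(
            (ip for ip, hits in self.seen.items() if len(hits) >= min_hits),
            key=lambda ip: -len(self.seen[ip]),
        )

    def serve(self, max_connections=None):
        """Accept, note the peer, close. No SMB is spoken, so the host stays inert."""
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((self.bind_addr, self.port))
        srv.listen(64)
        self.port = srv.getsockname()[1]  # port 0 resolves to the chosen ephemeral port
        self.ready.set()
        handled = 0
        while max_connections is None or handled < max_connections:
            conn, (peer_ip, _) = srv.accept()
            conn.close()
            self.record(peer_ip, time.time())
            handled += 1
        srv.close()

def demo(n_probes=3):
    """Assumed self-test helper: this process plays both sensor and a noisy 'infected' host."""
    sensor = Port445Sensor(port=0, bind_addr="127.0.0.1")
    t = threading.Thread(target=sensor.serve, kwargs={"max_connections": n_probes}, daemon=True)
    t.start()
    sensor.ready.wait(5)
    for _ in range(n_probes):
        with socket.create_connection(("127.0.0.1", sensor.port), timeout=5):
            pass
    t.join(5)
    return sensor
```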

Please feel free to give us a call to discuss this solution and enterprise HoneyPoint deployments further should you have any questions. Happy hunting!

DShield Launches Web Honeypot to Gather Attack Pattern Data

SANS and DShield today announced the public availability of a new honeypot project for gathering web application attack patterns and trends. The tool is available at no charge and will feed into the ongoing DShield project data stream.

This is a great project and I am very happy to hear that more public attention will be on the use of honeypots to gather real metrics for attacks. This is something I have long stressed as a strength of our HoneyPoint products. I love the fact that they are doing it on a widely distributed basis. I know what kind of data we get from our HITME and I really hope they have much success in gathering that level of insight from a global view. I think the community as a whole will benefit.

Have we entered the age of the honeypot? Are we finally ready to accept the idea that “fake stuff can make us more secure”? I am not sure the public is there yet, but I think this is another step closer. What do you think?

Twitter Smurfing or Amplified Twitter Spamming

Last night, @mubix pointed out a certain phrase that would result in a re-tweet of the attached content on Twitter. The interesting thing that got me going on this was that the folks in question had established an application to watch the Twitter stream and forward any content that mentioned the phrase to their followers.

Tweet-bots are not new, and I have written about code that could be adapted for this purpose in the past. Bots exist on Twitter for a variety of actions, but thus far, seem to have been relegated to auto-following folks or sending simple data streams to the service.

However, this new type of bot (there may be others, some even older, of which I was unaware) opens Twitter and its users to a new type of spam. The obvious issue is that you could bait spam content with bot-friendly phrases and get your message sent to a MUCH BROADER coverage of followers than your own. Malicious and rowdy behavior could follow, and a lot of harassment and criminal activity could be shared by all. Sure, as @mubix said, “this is the open relay of Web 2.0”. I agree; it is just a matter of moments before this is a widely used abuse pattern, made all the more powerful by the underlying architecture of trust that is Twitter.

But, while new forms of spam are only mildly interesting to me, what was interesting was that as I toyed with the bot, I would get MULTIPLE COPIES OF MY MESSAGE RETWEETED. That’s right, sometimes it would take my single message and retweet it multiple times. I could not determine if this was a bug in their implementation or a desired behavior, but it happened. That led me to the idea that you could use these bots as amplifiers. You could, essentially, identify a list of retweeting bots and cascade them to create the modern day version of the smurf attack!

Scanning the Twitter stream for these bots could be pretty easy. You could quickly script an API-enabled tool to tweet dictionary terms or brute force character groups until you found a catalog of retweet terms, then cascade them to cause a “retweet storm” of some sort. Some controls over the process are implicit due to the 140 character max for tweets, but it is likely an interesting experiment. Properly tuned, it might also be a denial of service style attack or a way to spread very small spam messages far and wide.

It should be noted that much of this is theoretical. I did not, nor do I intend to, engage in this type of behavior. But, to me, it certainly seems possible. I can see it being used as a platform for spam and social engineering. I also don’t see a lot of controls that could be put in place to stop it.

Let me know your thoughts on this possibility and feel free to leave a comment and disagree or explain why I am wrong. I think there will be some interesting and dangerous times ahead for all social networks and I don’t think Twitter will be an exception.

Thanks to @mubix of Hak5 for the pointer and discussion!