We've been using it to track worms. If a worm contacts our monitoring system, its IP address is logged and is then converted to latitude and longitude. It alls goes into an XML feed that we use with Google Earth's network links.
It looks something like this:
Click the image for a 1400x1050 view.
And while that's pretty neat, worms aren't really today's threat. So we're working on some new data feeds.
Lets take spam. This is what the source of spam from a single personal account looks like:
There are reports of a critical vulnerability affecting current versions of Adobe Flash and evidence of it being exploited in the wild. Versions including and previous to 220.127.116.11 are reported to be at risk. However — chatter on the security lists we frequent suggest version 18.104.22.168 is not vulnerable and that the attacks are only reliably effective against version 22.214.171.124 and earlier (using CVE-2007-0071).
In any case — we are seeing Flash exploits being used in combination with SQL injection attacks. See Patrik's May 13th post for more information on the SQL attacks. Many/most people probably don't update Flash every time there's an update. This in combination with the SQL injection attacks against tens of thousands of hacked sites is cause for concern. Many, many users could be at risk and should update their Flash software. Shadowserver has a good post highlighting some domains pushing Flash exploits.
In the meantime, there may be some mitigating strategies you'd like to employ.
First of all you can uninstall Flash. But that can be somewhat aggravating as you'll then be prompted frequently to install Flash from numerous websites. So another option is to update and then disable your current installation.
If you have Flash installed on your Windows computer, Add/Remove Programs includes a "Click here for support information" link.
For Internet Explorer, you can use the Manage Add-ons option to disable Flash:
But then you'll get this annoying prompt on Flash enabled sites:
An alternative is to use registry (.reg) files. This file disables Flash and this file enables Flash in IE. Right-click, save, and place the files in a convenient location and you can toggle Flash on/off as needed.
NoScript is an excellent plugin and will block Flash from any untrusted sites. But be careful whom you trust. Remember, even trusted sites can be hacked. Still, it's a must have plugin for security conscious individuals. You can install it from noscript.net.
Flashblock prevents all Flash content from loading. It inserts a placeholder that then allows the user to toggle only the desired Flash. You can install it from flashblock.mozdev.org.
Adobe Flash version 126.96.36.199 is NOT vulnerable to the exploits that we're seeing in the wild. But there are a large number of sites hosting exploits for earlier Flash versions, so there is risk. We strongly advise updating your Flash installation as a minimum measure.
Home users can use our free Health Check service to assist in scanning and updating their systems.
The vulnerability allows remote attackers to execute arbitrary code on vulnerable Motorola Razr firmware based cell phones.
A corrupt JPEG received via MMS can cause a memory corruption which can be leveraged to execute arbitrary code on the affected device.
So some user interaction is required — accepting the MMS. However, people by and large generally trust image files so that isn't a difficult social engineering challenge.
On a positive note, the Razr uses a proprietary OS and the "knowledge base" is limited to enthusiasts and modders. But there are modders are out there. Popular hardware always generates a crowd of recreational hackers, e.g. iPhone.
Perhaps we'll see this JPEG exploit used to simplify unlocking older Razrs. Jailbreaking the iPhone was simplified by a TIFF handling exploit after all.
We probably won't see any malware as a result of this vulnerability. Still, one interesting thing to consider is that if a Razr were to be exploited by this, the user wouldn't be able to undo the damage without a reinstall of the firmware. Being a closed OS, there is no hard reset available as there are with many smartphones.
It doesn't always have to be the latest and greatest zero-day exploit that causes you to lose control of your computer or server to external attackers. Today's example comes in the relatively ancient form of brute force SSH.
We recently received a sample containing several different files:
A psyBNC installation; legitimate software used by many for normal purposes, but it's also a common tool in an attacker's toolkit.
And a collection of scripts, binaries, and password files that were used to scan for machines that have their SSH port open.
The binaries that were used maliciously in this case were connecting to a large public IRC network. We see quite many such as these, all headed for the same network even though it does have a working abuse address and the network's administrators actually do something to the botnet channels that get reported. In our experience, the botnets are most often run by various small gangs coming largely from eastern Europe; notably from Romania.
Once one of the botnet channels has been suppressed, it takes only a few hours for a new one to pop up in the same IRC network but under a different channel name.
The botnet in this case was made up of about forty infected Linux machines, and judging by their DNS Resource Records, most of them are either webservers or mail servers, which usually have a bit fatter Internet connection than you average Joe Consumer.
The moral? Even unsophisticated attackers don't need the latest and greatest techniques if the target's passwords are weak.
Living in Finland can sometimes be a challenge (winter). But then some people make opportunities from those challenges.
Here's the winter commute:
Finland also has its rewards (summer). The weather is excellent right now and the days are getting ever longer.
Here's the office's summer parking lot:
Working for F-Secure provides many interesting challenges and also has its rewards. We're hiring and there are two positions in the Helsinki Research and Response Labs.
The Security Research Program needs a capable antivirus engine developer to produce code that is efficient, high performing, innovative, and robust. You don't necessarily need to know that much about malware to start, but you should be ready for the challenge and eager to learn (and have some fun).
Our Lab Development is seeking a software developer. LabDev builds and designs all of our Response systems that we require to contain, analyze, and fight malware. The team is very active as there's no shortage of ideas for new systems in the lab.
Let's say that you want to phish for PayPal accounts. One might attempt to register something such as paypol-sevice.com. But that's too obvious and is likely to be discovered and abused before the phishing even begins.
See this example, created one day and abused on the next:
Clearly that technique is now well guarded against. So instead of a clever misspelling, more obscure URLs such as paypalcom.cq.bz are required.
However, even obscure URLs can be taken offline quickly as they have no legitimate functions. Sending a message to the host providers with a request that the entire bogus site be taken offline does the trick.
So what next?
Instead of setting up their own sites, we're seeing more and more evidence of phishing from hacked sites; legitimate sites that are unknowingly hosting phishing. And then the site cannot simply be pulled offline without collateral damage to the legitimate business. So the website's administrator must be contacted to repair the damage.
Sites such as bbcsales.com, a 15 year old business with a long-standing Web presence.
Debian's OpenSSL packages versions 0.9.8c-1 up to 0.9.8g-9 are affected by a highly critical vulnerability which may lead to weak cryptographic keys and potentially compromise the system.
The vulnerability is due to the random number generator in Debian's OpenSSL package being more predictable which might lead an attacker to conduct brute force guessing attacks and decipher cryptographic keys used in SSH, OpenVPN, DNSSEC, X.509 certificates, and session keys used in SSL/TLS connections.
Also, an unspecified weakness in the Datagram Transport Layer Security implementation can be exploited by remote attackers to cause a denial of service condition and potentially compromise the vulnerable system.
Update the OpenSSL package from Debian and recreate all cryptographic keys to mitigate.
It's time once again for monthly updates from Microsoft.
Microsoft Office Word and Publisher reportedly have Remote Code Execution vulnerabilities which could be exploited by remote attackers. Various Office versions are affected.
The three vulnerabilities are highly critical and we recommend users to apply the latest updates.
Microsoft Malware Protection Engine, a component of their antivirus products, reportedly has two denial of service vulnerabilities. The vulnerabilities can be exploited remotely and can cause the malware engine to stop responding or to restart while scanning a specially-crafted file. It may also exhaust available disk space.
The issue of specially-crafted files affected all antivirus vendors. We fixed it a few months ago with automatic hotfixes. You can read the Security Bulletins here and here.
The mass SQL injection attacks we've mentioned here and here are increasing in number and we're seeing more domains being injected and used to host the attack files. We believe that there is now more than one group using a set of different automated tools to inject the code.
Previously, these attacks have primarily pointed to IP addresses in China and we've seen the following domains being used in addition to the ones we've mentioned previously:
We've now seen other domains being used as well such as direct84.com which is inserted by an SQL injection tool (detected as HackTool:W32/Agent.B) distributed to the Asprox botnet. SecureWorks has a nice write-up available. The direct84.com domain fast-fluxes to several different IPs in Europe, Israel and North America.
The injected link eventually leads to a backdoor detected as Backdoor:W32/Agent.DAS.
This is a good time to again mention that it's not a vulnerability in Microsoft IIS or Microsoft SQL that is used to make this happen. If you are an administrator of a website that is using ASP/ASP.NET, you should make sure that you sanitize all inputs before you allow it to access the database.
There are many articles on how to do this such as this one. You could also have a look at URLScan which provides an easy way to filter this particular attack based on the length of the QueryString.
It's a provocative essay… that fails to convince us of the need for an AF.MIL botnet.
Quoting the colonel:
"The U.S. would not, and need not, infect unwitting computers as zombies. We can build enough power over time from our own resources."
In that case the AF.MIL botnet might be missing a key element of success. Criminal botmasters don't use their own resources. Criminals steal resources from geographically diverse locations. Their crimes are international and they can be exceedingly difficult to trace back to their origins. They often avoid resources in their own countries so as to avoid local law enforcement action.
"The truly difficult problems come in defending against attack from devices adversaries have captured from U.S. or allies' civilians."
This isn't just difficult — this is likely to be the main problem that any credible cyber-threat would present. Using the criminal's model of success, an enemy nation-state will just infect resources belonging to others. And in that case an AF.MIL solution would be fuel for the fire by cannibalizing its own and/or other nation's networks without counterattacking the true source of the threat.
In his essay, Col. Williamson uses a fortress analogy. He suggests that the military age of the fortress is over because air power can travel over fortress walls. Military forces respond to such threats by attacking the enemy's airfields from which the attacks are launched. So to extrapolate, AF.MIL botnet would attack the locations from which DDoS attacks are being launched.
However, Col. Williamson seems to have overlooked something from his own essay:
"Homer's epic poems describe how fortified Troy held out against the united Greek armies for 10 years until Troy finally fell when it foolishly brought the threat inside its own walls by falling for the enemy's masquerade in the form of a giant wooden horse."
Trojans are precisely the point. Social engineering, exploits, and trojans are used to create the enemy within. The enemy's launch point will be from within the fortress walls.
It's quite possible that any threat big enough to warrant the use of an AF.MIL botnet would largely come from within the borders of the United States.
Let's take AKILL for example. Owen Thor Walker, an 18 year old bot herder from New Zealand was arrested as a result of last year's Bot Roast II. He controlled a network of one million computers. A failed botnet update resulted in a DDoS on the University of Pennsylvania. The failure led to the arrest of a partner and then Walker himself.
Now let's suppose that instead of Walker being some Kiwi kid interested in making lots of money, that he was an enemy of the state bent on attacking the USA. Do you think his arsenal was located in New Zealand? It wasn't. So what's the military target? UPenn?
"[A smart enemy] could even craft his packets to make it appear the attack was coming from inside U.S. military networks so that if we merely captured the apparent source IP address and used that to aim the attack we would fire our botnet at our own computers."
A smart enemy might not need to spoof US military networks. A herder known as SoBe, whose real name is unknown since he is a juvenile, pleaded guilty in February for helping to herd more than 400 thousand computers along with Resjames. He also admitted to damaging US military computers.
If SoBe can infect the military, a "smart enemy" will do so as well in an attempt to win the cyber-battle before it's even fought.
"The best defense is a good offense" may not apply very well to cyber-threats if you're really planning to play by the rule of law.
First discovered on March 26th, Mozilla Thunderbird reported cross-site scripting and security bypass vulnerabilities which can be exploited by remote attackers. Mozilla recently (May 1st) released version 188.8.131.52 to mitigate these vulnerabilities.
We're seeing some new BBB trojan attacks going around.
This attack method is well-known and has been occurring for months: A high-level executive inside an organization receives an e-mail that mentions a complaint supposedly made to the Better Business Bureau (USA). The e-mail appears to be credible and links to a site in order to download the complaint. The download claims to require IE and ActiveX in order to succeed. Once ActiveX is enabled, the sites drops a backdoor on the system.
The message looks like this:
This would be fairly convincing to most recipients, especially since the real company and individual names are used.
The message links to a page under us-bbb.com (the real BBB site is at us.bbb.org).
The site was running over the weekend, was down today on Monday and then just reappeared — with a modified version of the malware.
If the recipient enables ActiveX, the site sends the system a CAB file which gets automatically installed as Acrobat.exe — and displays this:
In reality, it's just installed a backdoor (which we detect as an Agent variant).