Debian's OpenSSL packages versions 0.9.8c-1 up to 0.9.8g-9 are affected by a highly critical vulnerability which may lead to weak cryptographic keys and potentially compromise the system.
The vulnerability is due to the random number generator in Debian's OpenSSL package being far more predictable than intended, which allows an attacker to brute-force the generated keys and decipher cryptographic keys used in SSH, OpenVPN, DNSSEC, X.509 certificates, and session keys used in SSL/TLS connections.
Also, an unspecified weakness in the Datagram Transport Layer Security implementation can be exploited by remote attackers to cause a denial of service condition and potentially compromise the vulnerable system.
Update the OpenSSL package from Debian and recreate all cryptographic keys to mitigate.
It's time once again for monthly updates from Microsoft.
Microsoft Office Word and Publisher reportedly have Remote Code Execution vulnerabilities which could be exploited by remote attackers. Various Office versions are affected.
The three vulnerabilities are highly critical and we recommend users to apply the latest updates.
Microsoft Malware Protection Engine, a component of their antivirus products, reportedly has two denial of service vulnerabilities. The vulnerabilities can be exploited remotely and can cause the malware engine to stop responding or to restart while scanning a specially-crafted file. It may also exhaust available disk space.
The issue of specially-crafted files affected all antivirus vendors. We fixed it a few months ago with automatic hotfixes. You can read the Security Bulletins here and here.
The mass SQL injection attacks we've mentioned here and here are increasing in number and we're seeing more domains being injected and used to host the attack files. We believe that there is now more than one group using a set of different automated tools to inject the code.
Previously, these attacks have primarily pointed to IP addresses in China and we've seen the following domains being used in addition to the ones we've mentioned previously:
We've now seen other domains being used as well such as direct84.com which is inserted by an SQL injection tool (detected as HackTool:W32/Agent.B) distributed to the Asprox botnet. SecureWorks has a nice write-up available. The direct84.com domain fast-fluxes to several different IPs in Europe, Israel and North America.
The injected link eventually leads to a backdoor detected as Backdoor:W32/Agent.DAS.
This is a good time to again mention that it's not a vulnerability in Microsoft IIS or Microsoft SQL that is used to make this happen. If you are an administrator of a website that is using ASP/ASP.NET, you should make sure that you sanitize all inputs before they are allowed to reach the database.
There are many articles on how to do this such as this one. You could also have a look at URLScan which provides an easy way to filter this particular attack based on the length of the QueryString.
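A defender-side check in the spirit of the length-based URLScan filter mentioned above, as an added example that is not part of the original post: it scans IIS W3C log lines for over-long query strings and for the stacked, hex-encoded T-SQL pattern these mass injections rely on. The log lines, the 128-character limit and the regular expressions are constructed assumptions for illustration, not values from the post.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C log lines (not from the original post). Fields:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2008-05-05 10:01:02 192.0.2.10 GET /products.asp id=42 200
2008-05-05 10:01:09 192.0.2.11 GET /news.asp id=7%20OR%201=1 200
2008-05-05 10:01:15 198.51.100.7 GET /products.asp id=42;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029%20AS%20VARCHAR(4000));EXEC(@S);-- 200
"""

# Hypothetical limit, in the spirit of URLScan's query-string length filter.
MAX_QUERY_STRING = 128

# Patterns typical of the stacked T-SQL used by the mass injections: declare a
# variable, fill it from a hex literal via CAST, then EXEC it.
SQLI_PATTERNS = [
    re.compile(r"\bDECLARE\s+@\w+", re.I),
    re.compile(r"\bCAST\s*\(\s*0x[0-9a-f]+", re.I),
    re.compile(r"\bEXEC\s*\(", re.I),
    re.compile(r"\bOR\b\s+\d+\s*=\s*\d+", re.I),  # classic tautology probe
]

def inspect_query(raw_query):
    """Return the reasons a query string looks like an injection attempt (empty if clean)."""
    reasons = []
    if len(raw_query) > MAX_QUERY_STRING:
        reasons.append(f"query string length {len(raw_query)} exceeds {MAX_QUERY_STRING}")
    decoded = unquote(raw_query)  # payloads arrive URL-encoded; match on the decoded form
    for pat in SQLI_PATTERNS:
        if pat.search(decoded):
            reasons.append(f"matched {pat.pattern}")
    return reasons

def scan_log(text):
    """Return a list of (client_ip, uri_stem, reasons) for suspicious requests in a W3C log."""
    hits = []
    for line in text.splitlines():
        if line.startswith("#"):
            continue  # W3C directive lines carry no request
        parts = line.split()
        if len(parts) < 7:
            continue
        client_ip, uri_stem, query = parts[2], parts[4], parts[5]
        reasons = inspect_query(query)
        if reasons:
            hits.append((client_ip, uri_stem, reasons))
    return hits
```

Matching on the decoded query string matters because the real payloads hide the SQL keywords behind percent-encoding and a hex literal; a length cap alone catches the bulk payload, while the patterns catch shorter probes.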
It's a provocative essay… that fails to convince us of the need for an AF.MIL botnet.
Quoting the colonel:
"The U.S. would not, and need not, infect unwitting computers as zombies. We can build enough power over time from our own resources."
In that case the AF.MIL botnet might be missing a key element of success. Criminal botmasters don't use their own resources. Criminals steal resources from geographically diverse locations. Their crimes are international and they can be exceedingly difficult to trace back to their origins. They often avoid resources in their own countries so as to avoid local law enforcement action.
"The truly difficult problems come in defending against attack from devices adversaries have captured from U.S. or allies' civilians."
This isn't just difficult — this is likely to be the main problem that any credible cyber-threat would present. Using the criminal's model of success, an enemy nation-state will just infect resources belonging to others. In that case an AF.MIL solution would be fuel for the fire, cannibalizing its own and/or other nations' networks without counterattacking the true source of the threat.
In his essay, Col. Williamson uses a fortress analogy. He suggests that the military age of the fortress is over because air power can travel over fortress walls. Military forces respond to such threats by attacking the enemy's airfields from which the attacks are launched. So to extrapolate, AF.MIL botnet would attack the locations from which DDoS attacks are being launched.
However, Col. Williamson seems to have overlooked something from his own essay:
"Homer's epic poems describe how fortified Troy held out against the united Greek armies for 10 years until Troy finally fell when it foolishly brought the threat inside its own walls by falling for the enemy's masquerade in the form of a giant wooden horse."
Trojans are precisely the point. Social engineering, exploits, and trojans are used to create the enemy within. The enemy's launch point will be from within the fortress walls.
It's quite possible that any threat big enough to warrant the use of an AF.MIL botnet would largely come from within the borders of the United States.
Let's take AKILL for example. Owen Thor Walker, an 18-year-old bot herder from New Zealand, was arrested as a result of last year's Bot Roast II. He controlled a network of one million computers. A failed botnet update resulted in a DDoS on the University of Pennsylvania. The failure led to the arrest of a partner and then Walker himself.
Now let's suppose that instead of Walker being some Kiwi kid interested in making lots of money, that he was an enemy of the state bent on attacking the USA. Do you think his arsenal was located in New Zealand? It wasn't. So what's the military target? UPenn?
"[A smart enemy] could even craft his packets to make it appear the attack was coming from inside U.S. military networks so that if we merely captured the apparent source IP address and used that to aim the attack we would fire our botnet at our own computers."
A smart enemy might not need to spoof US military networks. A herder known as SoBe, whose real name is unknown since he is a juvenile, pleaded guilty in February for helping to herd more than 400 thousand computers along with Resjames. He also admitted to damaging US military computers.
If SoBe can infect the military, a "smart enemy" will do so as well in an attempt to win the cyber-battle before it's even fought.
"The best defense is a good offense" may not apply very well to cyber-threats if you're really planning to play by the rule of law.
Cross-site scripting and security bypass vulnerabilities in Mozilla Thunderbird, first reported on March 26th, can be exploited by remote attackers. Mozilla recently (May 1st) released version 2.0.0.14 to mitigate these vulnerabilities.
A couple of weeks ago we blogged about mass SQL injections. After that it went quiet but the attacks have now started again, this time pointing to several different domains.
During the last few days we've seen the same type of encoded SQL script as in the previous case being inserted into ASP/ASP.NET pages. The scripts point to the following domains:
We're seeing some new BBB trojan attacks going around.
This attack method is well-known and has been occurring for months: a high-level executive inside an organization receives an e-mail that mentions a complaint supposedly made to the Better Business Bureau (USA). The e-mail appears to be credible and links to a site in order to download the complaint. The download claims to require IE and ActiveX in order to succeed. Once ActiveX is enabled, the site drops a backdoor on the system.
The message looks like this:
This would be fairly convincing to most recipients, especially since the real company and individual names are used.
The message links to a page under us-bbb.com (the real BBB site is at us.bbb.org).
The site was running over the weekend, was down today on Monday and then just reappeared — with a modified version of the malware.
If the recipient enables ActiveX, the site sends the system a CAB file which gets automatically installed as Acrobat.exe — and displays this:
In reality, it's just installed a backdoor (which we detect as an Agent variant).
Internet Security 2009 Beta was released on April 28th.
IS 2009 contains many new features including DeepGuard 2.0 and new engine technologies.
There's been a great deal of work put into our back-end systems that will directly impact the effectiveness of IS 2009. We're looking forward to its potential here in the lab.
The readership of this blog has been a very useful resource to the Internet Security project team in the past. They welcome you to try out 2009 and to provide feedback. Those who provide excellent feedback will be entered into a drawing. The team is still determining the prizes (it's budgeting time) but will probably come up with a couple of cool iPods and some free twelve-month licenses.
You can read the current release notes and sign up for the download from our Technology Preview pages.
And while on the topic of new technologies… if you don't have a machine to test our new beta, you can still try some of the technologies that will be included in Internet Security 2009.
Our Online Scanner 3.3.0 was released with a new mix of technologies.
It's *free* to use (requires Internet Explorer). Custom Scan options are possible. You can scan your entire system or a single folder.
Try Online Scanner from our support pages. If you're curious about some of the changes made, check out the details in the scan report.