Weekly Summary of the "DHS Daily Open Source Infrastructure Report"

Old 08-31-2009

The DHS Daily Open Source Infrastructure Report covers the publicly reported material for the preceding day(s) not previously covered. This weekly summary provides a selection of those items of greatest significance to the InfoSec professional.

 

Week Ending:  Friday, August 28, 2009


A look into the future.

36. August 19, DarkReading - (International) Rare malware a hint of threats to come. While pervasive, widespread malware attacks like Conficker get all the attention, there is another generation of obscure and dangerous malware that so far is too rare to be considered a threat - but could provide a hint of things to come. Security researchers are seeing some intriguing malware in small pockets. One piece of malware found on a desktop machine during a forensics investigation was actually pre-coded to steal specific information from the victim's organization, says the CEO and founder of HBGary, whose company sees about 5,000 new pieces of malware a day. “It knew what it was looking for,” he says. And the malware was disposable so that it could disappear without a trace after doing its dirty work. A common thread among most of these unusual or odd malware samples that typically fly under the radar is that they are all about going after specific information or data, rather than more general attacks that cast a wide net and make the headlines. And the writers of these lesser-known and uncommon malware packages are using new methods to keep the attacks alive longer - even if it means brazenly attacking researchers who try to study them. Even so, most attacks over the next five years will still come from the morphing malware variants that are common today, but in higher and higher volumes, experts say. “We're going to have to deal with more volume and attacks. And at the same time, there will be instances of really high quality attacks, where the attackers have thought things through - and not for a quick buck, but for something sustainable,” says the chief security advisor for F-Secure. “We'll see more malware families that are technically advanced and stay around for longer periods of time,” he says. “Instead of recompiling variants of existing [malware], they will be refined slowly but surely, in a controlled manner” with new features, as Conficker and Torpig were, he says.
Source: http://www.darkreading.com/security/...leID=219400756


How many wireless routers do you have installed? Are they vulnerable?

34. August 21, The Register - (International) Open-source firmware vuln exposes wireless routers. A hacker has discovered a critical vulnerability in open-source firmware available for wireless routers made by Linksys and other manufacturers that allows attackers to remotely penetrate the device and take full control of it. The remote root vulnerability affects the most recent version of DD-WRT, a piece of firmware many router users install to give their device capabilities not available by default. The bug allows unauthenticated users to remotely gain root access simply by luring someone on the local network to a malicious website. Messages sent through the DD-WRT website to the software designers were not returned by time of publication, but comments posted to this user forum thread said the vulnerability affected the most recent builds, prompting a user by the name of autobot to declare the vulnerability a “mini code red.”
Source: http://www.theregister.co.uk/2009/07...t_router_vuln/


Hmmm. Could this be a problem for you?

32. August 24, Register - (International) Mass infection turns websites into exploit launch pads. Malicious hackers have managed to infect about 57,000 web pages with a potent exploit cocktail that targets a variety of vulnerable applications to surreptitiously install malware on visitor machines. The exploits install an assortment of nasty software, including Gologger, a keystroke logging trojan, and a backdoor that attempts to connect to a website hosted in China, according to a researcher at ScanSafe, a company that protects end users from malicious websites. The attackers were able to plant a malicious iframe in the pages by exploiting SQL injection vulnerabilities. Once in place, the script silently pulls down javascript from a0v.org that silently runs while people are visiting one of the infected websites. Affected sites included health care organizations such as the New York Methodist Hospital, charitable and nursing facilities such as howellcarecenter.com, sweetgrassvillagealf.com, foodsresourcebank.org, and morningsideassistedliving.com, and others, according to web searches. The vast majority of search results returned by Google and Yahoo failed to detect the threat despite the use of technology on both sites that's supposed to prevent users from clicking on malicious links.
Source: http://www.theregister.co.uk/2009/08...web_infection/


Two issues follow that warrant your attention! Even more are contained in the original report. Check it out at: http://dhs-daily-report.blogspot.com...7_archive.html

40. August 25, Softpedia - (International) Over 62,000 new URLs serving exploit cocktail. Security researchers advise that a new mass compromise attack is underway and has affected over 62,000 URLs to date. A rogue IFrame injected into the compromised Web pages loads a cocktail of exploits and malware from other domains. Web security company ScanSafe has been monitoring this new threat and advises that the infection pattern is a hidden IFrame loading JavaScript content from a domain called a0v.org. A Google search for “script src= reveals 62,100 results. A senior security researcher at ScanSafe has told The Register that the infections are the result of SQL injection attacks. The x.js called from a0v.org has the role of loading exploits from seven other domain names. At the moment of writing this article, Google's Safe Browsing was tagging a0v.org as malicious. “The malware hosting domains were registered on or after August 3, 2009 and include: ahthja.info, gaehh.info, htsrh.info, car741.info, game163.info, car963.info, and game158.info. The most prolific observed by ScanSafe thus far has been ahthja.info,” the researcher writes on the company's blog. If exploitation is successful, several malware installers are dropped and executed onto the victim's computer as drive-by downloads. The security researcher warns that “post infection, additional malware may also be downloaded” from a different host. The exploits target vulnerabilities in popular software, including Internet Explorer, Mozilla Firefox, Adobe Flash Player, Adobe Reader and Acrobat or avast! Antivirus. AV detection rates for the malicious executables downloaded during the attack range from poor to moderate on Virustotal.
Source: http://news.softpedia.com/news/Over-...l-120006.shtml


41. August 25, Softpedia - (International) New Chinese social networking worm discovered. Security researchers warn that a new worm has been spotted on Chinese social networking website Renren.com. The worm masquerades as a flash music video of Pink Floyd's Wish You Were Here and spreads by exploiting a cross-site scripting hole. The message has the title “Pink Floyd - Wish You Were Here” and it contains a maliciously crafted Flash component loaded with the AllowScriptAccess=“always” parameter. According to Adobe, “When AllowScriptAccess is ‘always', the SWF file can communicate with the HTML page in which it is embedded even when the SWF file is from a different domain than the HTML page.” The flash file is used to execute the JavaScript code present in the message body and load a script called evil.js from an external domain. As researchers indicate, the JavaScript code is used to exploit a cross-site scripting (XSS) flaw present in the website and spread the worm through its API. Social networking worms have been increasing in number for the past few years, suggesting that these new platforms are good hunting grounds for cybercrooks. Boris Lau, a virus researcher at antivirus vendor Sophos, which detects this new threat as W32/Pinkren-A, points out that “this is the same technique used back in 2007 by the Okurt worm.” Renren is a Facebook-like website very successful in China. Such local threats are important to Westerners as well, because Chinese computers compromised by worms like these will join to form large botnets. These armies of zombie computers will then be used to send spam and perform distributed denial of service attacks globally.
Source: http://news.softpedia.com/news/New-C...d-120021.shtml


Are you sure that you can defeat Conficker?

44. August 26, New York Times - (International) Defying experts, rogue computer code still lurks. The rogue software program known as Conficker that glided onto the Internet last November has confounded the efforts of top security experts to eradicate the program and trace its origins and purpose, exposing serious weaknesses in the world's digital infrastructure. Conficker uses flaws in Windows software to co-opt machines and link them into a virtual computer that can be commanded remotely by its authors. With more than five million of these zombies now under its control - government, business and home computers in more than 200 countries - this shadowy computer has power that dwarfs that of the world's largest data centers. Computer security experts decoded the program and developed antivirus software that erased it from millions of the computers. Researchers speculate that the computer could be employed to generate vast amounts of spam; it could steal information like passwords and logins by capturing keystrokes on infected computers; it could deliver fake antivirus warnings to trick naive users into believing their computers are infected and persuading them to pay by credit card to have the infection removed. There is also a different possibility that concerns the researchers: that the program was not designed by a criminal gang, but instead by an intelligence agency or the military of some country to monitor or disable an enemy's computers. The experts have only tiny clues about the location of the program's authors. The first version included software that stopped the program if it infected a machine with a Ukrainian language keyboard. There may have been two initial infections - in Buenos Aires and in Kiev. The program is protected by internal defense mechanisms that make it hard to erase, and even kills or hides from programs designed to look for botnets.
A member of the security team said that the FBI had suspects, but was moving slowly because it needed to build a relationship with “noncorrupt” law enforcement agencies in the countries
Source: http://www.nytimes.com/2009/08/27/te...27compute.html

Note: The DHS only maintains the last ten days of their reports online. To obtain copies of earlier reports or complete summaries, go to:


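A defender-side check for the two page-injection patterns reported in items 40 and 41 above: a hidden IFrame that pulls content from an off-site domain, and a Flash object set to AllowScriptAccess=always while hosted on a different domain than the page embedding it. This is an added example, not code from the DHS report or the cited articles; the scanner, the sample page and every host and file name other than a0v.org are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class InjectionScanner(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []            # list of (finding, url) pairs
        self._object_data = ""        # data= of the <object> currently open

    def _external(self, url):
        host = (urlparse(url).hostname or "").lower()
        return bool(host) and host != self.page_host

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases names
        src = a.get("src", "")
        if tag == "iframe":
            # Item 40's pattern: a hidden IFrame pulling content from off-site.
            style = a.get("style", "").replace(" ", "").lower()
            hidden = ("display:none" in style or "visibility:hidden" in style
                      or a.get("width") in ("0", "1") or a.get("height") in ("0", "1"))
            if hidden and self._external(src):
                self.findings.append(("hidden-external-iframe", src))
        elif tag == "object":
            self._object_data = a.get("data", "")
        # Item 41's pattern: AllowScriptAccess=always on a SWF hosted off-site.
        elif tag == "embed" and a.get("allowscriptaccess", "").lower() == "always":
            if self._external(src):
                self.findings.append(("cross-domain-swf-scriptaccess", src))
        elif (tag == "param" and a.get("name", "").lower() == "allowscriptaccess"
              and a.get("value", "").lower() == "always"
              and self._external(self._object_data)):
            self.findings.append(("cross-domain-swf-scriptaccess", self._object_data))

    def handle_endtag(self, tag):
        if tag == "object":
            self._object_data = ""

def scan_html(html, page_host):
    p = InjectionScanner(page_host)
    p.feed(html)
    return p.findings

# Constructed sample page; a0v.org is the host named in item 40, the rest is made up.
SAMPLE = """<html><body><p>Welcome</p>
<iframe src="http://a0v.org/x.js" width="0" height="0"></iframe>
<embed src="http://swf.example/wish_you_were_here.swf" allowScriptAccess="always">
<object data="/local/player.swf"><param name="allowScriptAccess" value="always"></object>
</body></html>"""
```

Same-origin SWFs with AllowScriptAccess=always are deliberately left unflagged, matching the Adobe statement quoted in item 41; the local player in the sample therefore produces no finding.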