Evilgrade: Exploit toolkit pwns insecure online updates

Malcode distribution framework releasedA security research outfit in Argentina has released a malcode distribution toolkit capable of launching man-in-the-middle attacks against popular products that use insecure update mechanisms.

The toolkit, called Evilgrade, works in conjunction with man-in-the-middle techniques (DNS, ARP and DHCP spoofing) to exploit a wide range of applications, according to a post on the Metasploit blog.

The first version of the toolkit ships with exploit modules for several widely deployed software, including Apple’s Mac OS X and iTunes, WinZip, Winamp, OpenOffice and Sun Java.

A demo video provides a scary look at how a sophisticated blended attack can be used to target millions of Windows users.

In the video, Evilgrade uses HD Moore’s recent DNS exploit in tandem with Sun’s Java update mechanims to execute code and hijack a fully patched Windows machine:

Exploit toolkit pwns insecure online updates

Exploits are also available for the Linkedin Toolbar, DAP, Notepad++, and Speedbit.

From the Evilgrade README document:

ISR-evilgrade: is a modular framework that allow us to take advantage of poor upgrade implementations by injecting fake updates. It works with modules, each module implements the structure needed to emulate a false update of specific applications/systems. Evilgrade needs the manipulation of the victim dns traffic.

See more in this slide deck (pdf).

[Source: zdnet]

Safari browser flaw: Session fixation attacks possible

Another day, another unpatched Safari browser vulnerability.

According to this flaw warning found on the NVD (National Vulnerability Database), Apple’s flagship browser is vulnerable to session fixation attacks because of the way it handles cookies in country-specific top-level domains.

[ SEE: Microsoft issues Safari-to-IE blended threat warning ]

Heise Security breaks down the attack vector:

Apple’s Safari web browser, when handling cookies in multipart top level domains (TLDs), contains a vulnerability that potentially allows attackers to access the web services used by the victim. Safari handles multipart TLDs like .co.uk or .com.au differently from normal TLDs like .de or .com. According to a report, this allows attackers to inject the browser with a cookie which Safari will subsequently use for log-in authentication at other servers in the same TLD.

Alex “Kuza55,” a hacker who appeared at Microsoft’s Blue Hat summit, is credited with discovering this Safari vulnerability. It carries a CVSS Base Score of 6.8.

[Source: zdnet]

Oracle ships emergency workaround for zero-day exploit

Oracle ships emergency workaround for zero-day exploitFor the first time since the introduction of its quarterly Critical Patch Update process, Oracle has released an emergency alert to offer mitigation for a zero-day exploit that’s been posted on the Internet.

The emergency workaround, available here, addresses an unpatched vulnerability that’s remotely exploitable without authentication ( it may be exploited over the network without the need for a username and password) and can result in compromising the confidentiality, integrity, and availability of the targeted system.

[ SEE: Hacker finds 492,000 unprotected Oracle, SQL database servers ]

Oracle’s Eric Maurice says the vulnerability carries a CVSS Base Score of 10.0, the maximum severity rating:

When Oracle became aware of this issue, our security and development teams worked diligently to develop an effective workaround to prevent a successful exploitation of the vulnerability. Detailed instructions for this workaround have been posted on the eSupport site, and Oracle has already issued a Security Alert to all WebLogic customers to let them know about this workaround. In addition, Oracle will also issue an out-of-cycle security patch for this vulnerability as soon as the fix has been produced for all supported version-platform combinations. We expect this fix to be ready very soon, and we will issue an updated Security Alert to let customers know about its availability. In the meanwhile, we recommend that all customers implement the recommended workaround.

Unfortunately, the person(s) who published this vulnerability and associated exploit codes did not contact Oracle before publicly disclosing this issue. This means that the vulnerability was made public before providing Oracle an opportunity to develop an appropriate fix for this issue and notify its customers. In addition, the vulnerability was made public shortly after the publication of the July 15th Critical Patch Update, therefore prompting Oracle to issue an out of cycle security update.

This IBM ISS alert provides some technical details:

Oracle WebLogic Server (formerly known as BEA WebLogic Server) is vulnerable to a buffer overflow, caused by improper bounds checking by the Apache Connector. By sending a specially-crafted HTTP POST request, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the server to crash.

The emergency alert comes less than two weeks after the database server giant shipped patches for a total of 45 security vulnerabilities, bringing the vulnerability count for 2008 to a whopping 112.

* Photo credit: eMaringolo’s Flickr photostream (Creative Commons 2.0)

[Source: zdnet]

Exploit published for buffer overflow in BEA WebLogic

A hacker known as KingCope has discovered a potential buffer overflow in BEA WebLogic which can at least trigger system crashes, but may also be exploited to remotely inject and execute arbitrary code. The flaw is caused by Apache Connector which appears not to check certain POST requests sufficiently.

According to comments the published exploit is "broken" and doesn't function properly. Nevertheless, security providers FrSIRT and Secunia have rated the vulnerability as critical and highly critical respectively. According to Secunia, versions 5 to 10 are affected. No patch has so far become available. The only protection currently available is to filter the server's network traffic in order to minimise the risk of an attack.

See also:

[Source: heise-online]

Speculation over possible Skype backdoor

Speculation erupts over Skype backdoor There’s growing speculation coming out of Europe that there’s a backdoor in Skype that allows remote eavesdropping of telephone conversations.

A report in the reputable Heise Online says the issue was discussed at a meeting with ISPs last month where high-ranking officials at the Austrian interior ministry claims “it is not a problem for them to listen in on Skype conversations.”

The report said a number of others at the meeting confirmed that claim.

Heise Online said Skype officials declined to give a detailed response to specific queries as to whether the popular Internet telephone service contains a backdoor and whether specific clients allowing access to a system or a specific key for decrypting data streams exist.

The response from the eBay subsidiary’s press spokesman was brief, “Skype does not comment on media speculation. Skype offers no further comment at present.” There have been rumors of the existence of a special listening device which Skype is reported to offer for sale to interested states.

Because the vendor has not revealed details of its proprietary Skype protocol or of how the client works, questions as to what else Skype is capable of and what risks are involved in deploying it in an enterprise environment remain open, the report said.

It also cited public broadcast reports that Austrian police are able to listen in on Skype connections.

* Photo credit: re-ality’s Flickr photostream (Creative Commons 2.0)

[Source: zdnet]

Apple looking to hire iPhone hacker

Apple looking to hire iPhone hacker Apple is in the market for someone capable of hacking into the iPhone.

According to this job listing, the company is looking for an iPhone Security Engineer capable of, among other things, developing “proof of concept” attacks on the device’s current security mechanisms.

The successful candidate will be tasked primarily with validating the security architecture for the iPhone.

Some responsibilities:

  • Review and provide feedback on security mechanisms implemented in OS X
  • Provide risk analysis of potential security threats to our embedded products
  • Develop “proof of concept” attacks on the current security mechanisms
  • Come up with new and innovative ways of increasing security while preserving ease-of-use and increasing the quality of the end-user experience.
  • Work cooperatively with other parts of CoreOS on cross-functional technologies and initiatives to enhance security and security policies

[ SEE: Apple caught neglecting iPhone security ]

This moves comes amidst news that the latest versions of iPhone are vulnerable to vulnerabilities that could aid phishing and spamming attacks.

Apple has also been criticized in the past for inordinate delays in shipping iPhone patches, a problem caused mostly because Apple’s agreement with carriers require every minor release is reviewed and approved, a mind-numbingly slow/exhaustive process.

* Photo credit: quinn.anya’s Flickr photostream (Creative Commons 2.0)

[Source: zdnet]

|)ruid and HD Moore release part 2 of DNS exploit

[Updated 07/24/2008: Gallery images of diffs of code revisions has been included and will be updated as things change, see here.]

Earlier today, noted researchers |)ruid and HD Moore released exploit code for the Metasploit tool for attacking the DNS flaw that was originally reported by Dan Kaminsky. The release was only part of the bigger picture of the exploit; however, and the second piece of exploit code has been released on the Computer Academic Underground blog and on Full-Disclosure. There is a subtle but important difference in the two pieces of exploit code, which is only readily apparent from reading the comments in the source code. Part 1 of the exploit, released earlier today, is commented as below:

This exploit attacks a fairly ubiquitous flaw in DNS implementations which Dan Kaminsky found and disclosed ~Jul 2008. This exploit caches a single malicious host entry into the target nameserver by sending random sub-domain queries to the target DNS server coupled with spoofed replies to those queries from the authoritative nameservers for the domain which contain a malicious host entry for the hostname to be poisoned in the authority and additional records sections. Eventually, a guessed ID will match and the spoofed packet will get accepted, and due to the additional hostname entry being within bailiwick constraints of the original request the malicious host entry will get cached.

Part 2 of the exploit, released just moments ago, is commented as follows:

This exploit attacks a fairly ubiquitous flaw in DNS implementations which Dan Kaminsky found and disclosed ~Jul 2008. This exploit replaces the target domains nameserver entries in a vulnerable DNS cache server. This attack works by sending random hostname queries to the target DNS server coupled with spoofed replies to those queries from the authoritative nameservers for that domain. Eventually, a guessed ID will match, the spoofed packet will get accepted, and the nameserver entries for the target domain will be replaced by the server specified in the NEWDNS option of this exploit.

So let’s analyze this a bit, see if we can figure out what’s different. Good friend and noted researcher, Billy Rios, assisted me with some code review, and we tried to find as much as we could about this new twist on events. We found several things of note. The most obvious, the exploit just got worse. Now the code will use spoofed replies to hijack the name server entries for a target domain, allowing control over an entire domain, whereas the original hijacked an individual host. For example, before, we could hijack www.myaddress.com, now we can hijack all of myaddress.com.

Further, within the credits portion of the code, |)ruid adds credit to a new researcher for “helping with the NS injection” confirming the idea that this is now about attacking nameserver entries, and not just address records. The credits are listed below:

Dan Kaminsky is credited with originally discovering this vulnerability. Cedric Blancher figured out the NS injection method and was cool enough to email us and share!

Rios and I suspect that Cedric probably made use of the following from RFC 1035:

NS authoritative name server, code 2. Specifies a host name (which must have an A record associated with it), where DNS information can be found about the domain name to which the NS record is attached. NS records are the basic infrastructure on which DNS is built; they stitch together distributed zone files into a directed graph that can be efficiently searched.

Next, Rios clued me into a very interesting observation… as he said, “it went from rev 5585 5591 that’s 6 different changes in a few hours… it’s still being tuned.” Which means it’s going to get faster. Dan originally stated he could pull this off in a matter of seconds. With able programmers refining the existing code, it’s only a matter of time before this exploit becomes lightning quick.

Work to make the exploit quicker may be confirmed by noting that there has been changes to the rand code for the xidbase.

So things are getting worse. If you have not patched by now… well, you’re on your way to being pwned, so I’d get to it ASAP.

[Source: zdnet]

Attack code published for DNS flaw

Exploit posted for DNS cache poisoning vulnerability The urgency to patch Dan Kaminsky’s DNS cache poisoning vulnerability just went up a few notches.

Exploit code for the flaw, which allows the insertion of malicious DNS records into the cache of the target nameserver, has been added to Metasploit, a freely distributed attack/pen-testing tool.

According to Metasploit creator HD Moore (left), who teamed up with researcher |)ruid to create the exploit, a DNS service has also been created to assist with the exploit.

[ SEE: Vulnerability disclosure gone awry: Understanding the DNS debacle ]

The code, available here, takes aim at known deficiencies in the DNS protocol and common DNS implementations that aid in serious cache poisoning attacks.

This exploit caches a single malicious host entry into the target nameserver. By causing the target nameserver to query for random hostnames at the target domain, the attacker can spoof a response to the target server including an answer for the query, an authority server record, and an additional record for that server, causing target nameserver to insert the additional record into the cache.

In an IM exchange, Moore told me his exploit takes about a minute or two to poison a DNS cache but said he is working to improve it in version 2.0.

Kaminsky in on record as saying it is possible to launch a successful attack in a matter of seconds.

Patch now! Please.

[Source: zdnet]

iPhone vulnerable to phishing, spamming flaws

Security researcher Aviv Raff (left) has discovered a pair of basic design flaws that could turn your iPhone into easy bait for malicious phishing and spamming attacks.

According to an advisory from Raff, the iPhone’s Mail and Safari applications are susceptible to a URL Spoofing vulnerability which allow attackers to conduct phishing attacks.

By creating a specially crafted URL, and sending it via an email, an attacker can convince the user that the spoofed URL, showed in the mail application, is from a trusted domain (e.g. Bank, PayPal, Social Networks, etc.).

When clicking on the URL, the Safari browser will be opened. The spoofed URL, showed in the address bar of the Safari browser, will still be viewed by the victim as if it is of a trusted domain.

[ SEE: Apple hasn’t learned from past security mistakes ]

iPhone Mail and Safari on firmware 1.1.4 and 2.0 are affected by this vulnerability. Apple’s security team has confirmed the vulnerability. Raff says he is withholding details until after a patch is released. In the meantime, iPhone users should avoid clicking on links in the Mail app that refers to trusted sites.

A second vulnerability in the iPhone Mail application that could help spammers was also reported and acknowledged as a security issue by Apple. Raff describes this as “a basic security design flaw which might already be exploited in-the-wild.”

I have seen proof-of-concept code for both vulnerabilities and can confirm that the iPhone is potentially a phisher’s/spammer’s best friend.

ALSO SEE: Apple caught neglecting iPhone security

[Source: zdnet]

Researchers borrow from Google PageRank for network defense service

Researchers borrow from Google PageRank for network defense serviceUsing a link analysis algorithm similar to Google PageRank, researchers at the SANS Institute and SRI International have created a new Internet network defense service that completely revamps the way network blacklists are formulated and distributed.

The service, called Highly Predictive Blacklisting (.pdf), will be unveiled next week at the Usenix 17th Usenix Security Symposium. An experimental version is currently available for free to all DShield contributors.

The skinny:

Highly Predictive Blacklists (HPBs) represent a radically different approach to blacklist formulation. HPBs are derived uniquely per DShield contributor, and rank each attacker in the blacklist based on an estimation of the probability that the attacker will visit the contributor’s network in the future. The HPB algorithm exploits a correlation relationship observed when compiling firewall logs from thousands of Internet contributors.

The idea is to exploit the relationships between networks that have been attacked by similar Internet sources as a means for predicting which attack sources are likely to attack which networks in the future.

Much like Google PageRank, which is used to increase the relevance of search results, researchers say the new HPB service will employ a link analysis algorithm to cross-compare firewall logs of DShield contributors with one another in search of overlaps among the attackers they report. The attacker addresses included within an HPB are selected by favoring the inclusion of those attackers who have been encountered by other contributors who share degrees of overlap with the HPB owner.

DShield is the data collection engine behind the SANS Internet Storm Center (ISC).

* Image source: Wikimedia Commons (Creative Commons 2.5)

[Source: zdnet]

Heap-based buffer overflow reported in RealNetworks RealPlayer

Update 07/25/2008: Aaron Portnoy of TippingPoint’s security research group was kind enough to point out that I’m actually not affected by this, since I’ve installed the newest version of RealPlayer. From Aaron’s email:

Notice the Secunia advisory states it affects RealPlayer 10.5… the latest is 11.x, which now uses the adobe module located in your system32 directory. If you don’t have the adobe flash player installed, it should prompt you to install it. Real no longer ships their really-really-really buggy swf parser.

So, it’s likely that bug doesn’t affect the RealPlayer you installed assuming you installed the latest.

My bad for not checking the version on my system, but, that said, many of you still may be vulnerable as people tend to patch things like video players pretty infrequently… which tends to be a bad idea considering how buggy they are (see QuickTime). Thanks Aaron!

RealPlayer Secunia Research is reporting a heap-based buffer overflow vulnerability in the widely used RealPlayer video player. I can only say this would’ve been nice to have had patch before I installed RealPlayer to listen to the Black Hat webcast, but I’m scrambling to uninstall now, so hopefully all is well.

FYI a patch does not currently exist, so you may consider at least a temporary uninstall.

Click read more for the details.

The details are provided from Secunia below:

Affected Software
RealNetworks RealPlayer Version 10.5 Build
NOTE: Other versions may also be affected.

Rating: Highly critical
Impact: System access
Where: From remote

Description of Vulnerability
Secunia Research has discovered a vulnerability in RealPlayer, which can potentially be exploited by malicious people to compromise a user’s system.

The vulnerability is caused due to a design error within the handling of frames in Shockwave Flash (SWF) files and can be exploited to cause a heap-based buffer overflow.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is fixed in an upcoming release.

Time Table
16/11/2007 - Vendor notified.
22/11/2007 - Vendor notified again.
26/11/2007 - Vendor response and request PoC.
29/11/2007 - Sent PoC to vendor.
03/01/2008 - Confirmation that vendor able to reproduce vulnerability.
27/05/2008 - Requested update from vendor.
07/07/2008 - Vendor confirms update is pending.
23/07/2008 - Vendor confirms disclosure date.
25/07/2008 - Public disclosure.

[Source: zdnet]

IDA Disassembler on the iPhone? Yep.

Ilfak Guilfanov has reported that IDA has been ported to the iPhone. Unbelievable? Yes. Is it useful? Who cares! IDA on the iPhone is hot!

Don’t act like you don’t want IDA for your iPhone, you know you do.

From the “Hex Blog”:

Good news for real iPhone fans: we ported IDA to iPhone! It can handle any application and provides the same analysis as on other platforms. It is funny to see IDA on a such small device:

Ilfak says only the heartiest of researchers and iPhone fans will use it as the interface is clumsy and done through terminal emulation. Here’s a shot from Ilfak’s blog on the tool actually running on the phone:

All I can ask is that this soon be sent to the Apple App Store or linked to in some other way, it will be the first thing I put on my new iPhone.

To Ilfak, well done, you’ve made my Friday!

[All images courtesy of Ilfak’s blog]

[Source: zdnet]

How OpenDNS, PowerDNS and MaraDNS remained unaffected by the DNS cache poisoning vulnerability

The short answer is being paranoid about tackling a known vulnerability. It’s 2001, and Daniel J. Bernstein (DJB),Daniel J. Bernstein (DJB) author of the then popular djbdns security-aware DNS implementation, is applying basic math principles to raise awareness on what’s to turn into the “sky is falling” critical Internet vulnerability in 2008, in an email on the unix.bind-users newsgroup :

“I said “cryptographic randomization.” The output of random() is not cryptographically secure. In fact, it is quite easily predictable. This is a standard exercise in first-semester cryptography courses. Randomizing the port number makes a huge difference in the cost of a forgery for blind attackers—i.e., most attackers on the Internet. It’s funny that the BIND company has gone to so much effort to move from the first line to the second, but now pooh-poohs the third line. Do you think that “RSA” is a magic word that makes security problems disappear? Without a central key distribution system—a system that doesn’t exist now and won’t exist for the foreseeable future—DNSSEC doesn’t stop forgeries.”

The skeleton from the closet makes another appearance in January 2005, according to Marcus H. Sachs, Director, SANS Internet Storm Center, in the face of Ian Green’s GIAC Security Essentials Certification (GSEC) submitted paper detailing the same vulnerability :

“Three years ago Ian Green, then studying for his GIAC Security Essentials Certification (GSEC), submitted a paper that details the same DNS spoofing vulnerability, the SANS Institute’s Internet Storm Centre notes.In order to spoof a DNS request it’s necessary to “guess” both the Query ID and the source port. The query ID is 16 bits long, and the UDP source port also has over 60,000 potential option. But as Green noted back in January 2005, DNS transactions are incremented by one for each subsequent query while the UDP source port remains the same during a session.”

Apparently, OpenDNS, PowerDNS and MaraDNS were all aware of the possibility for abuse here, and took action long before the recent vulnerability disclosure and coordinated multi-vendor patching initiated by Dan Kaminsky took place. How did they do it, and what’s the current state of the coordinated patching campaign across the Internet?

On July 8th, David Ulevitch at OpenDNS posted a statement that OpenDNS isn’t vulnerable :

“I’m very proud to announce that we are one of the only DNS vendor / service providers that was not vulnerable when this issue was first discovered by Dan. During Dan’s testing he confirmed (and we later confirmed) that our DNS implementation is not susceptible to the attack that was discovered. In other words, if you used OpenDNS then you were already protected long before this attack was even discovered.

In fact, for those of you who were listening in on the Microsoft press call this morning, you’ll note that OpenDNS was suggested as the easy and simple solution for anyone who can’t upgrade their DNS infrastructure today. Pointing your DNS servers to forward requests to OpenDNS and firewalling all other DNS traffic off at your server will help mitigate this risk.” Bert Hubert, author of PowerDNS, alerted me to the fact that PowerDNS was also not vulnerable when this issue was discovered. That’s not surprising considering Bert is one of the authors of the wonderful DNS forgery resilience Internet Draft that has recently been published. :-) I updated the statement in bold appropriately.”

On July 9th, Sam Trenholme at MaraDNS pointed out that the service is too, immune to the new cache poisoning attack :

“MaraDNS is immune to the new cache poisoning attack. MaraDNS has always been immune to this attack. Ditto with Deadwood (indeed, people can use MaraDNS or Deadwood on the loopback interface to protect their machines from this attack). OK, basically, this is an old problem DJB wrote about well over seven years ago. The solution is to randomize both the query ID and the source port; MaraDNS/Deadwood do this (and have been doing this since around the time of their first public releases that could resolve DNS queries) using a cryptographically strong random number generator (MaraDNS uses an AES variant; Deadwood uses the 32-bit version of Radio Gatun).”

And while these DNS services and secure DNS implementations like MaraDNS in this case, weren’t susceptible to the DNSDNS Fix Causes Huge Surge in DNS traffic in the Internet cache poisoning, during that time, across the Internet a synchronized patching was causing a lot of DNS anomalies, the direct effect of the ongoing patching in progress. According to Narus’s Supranamaya Ranjan, they saw a 1000x increase in aggregate volume of anomalous DNS traffic between Julu 7th and 11th :

“Look at the figure below, which shows the aggregate volume (in Mbits/hour) over time for the DNS anomalies seen between July 7th and 11th. Clearly, before the CERT announcement and release of the patches, there were no anomalies. But after the announcement on July 8th, NSS saw a 1000x increase in aggregate volume of anomalous DNS traffic. NSS defines a traffic event as an anomaly if the amount or behavior of traffic heading to an ip-address exhibits sudden changes. A further analysis of the sources of these queries shows that they were being originated from open DNS proxies on the Internet and from DNS clients from well-reputed institutions from around the world. The reputation of the anomaly sources leads to the conclusion that these anomalies were not really attacks, but a side-effect of the synchronized patching.”

The most recent study on the state of patching vulnerable DNS servers, was released today courtesy of Austria’s CERT, stating that :

“The conclusions are rather grim so far – more than two thirds of the Austrian Internet’s recursive DNS servers are unpatched while at the same time the upgrade adoption rate seems rather slow. Our findings are matched by the observations of Alexander Klink of Cynops GmbH who analyzed the results of the online vulnerability test on Dan Kaminsky’s doxpara site.”

The big picture? It seems that it’s not just At&T’s DNS servers which are susceptible to DNS cache poisoning, but many other like the following according to a request for self-auditing initiated by the Register :

“Skybroadband, Carphone Warehouse Broadband, Opal Telecom, T-Mobile, Videotron Telecom, Roadrunner, Orange, Enventis Telecom, Earthlink, Griffin Internet and Jazztel.”

Publicly available exploits for remote DNS cache poisoning

With three publicly available exploits for remote DNS cache poisoning released during the last three days “in the wild”, it remains yet to be seen whether or not malicious attackers would take advantage of the window of opportunity, or continue using the “cybercrime as usual” attack tactics.

[Source: zdnet]

GMail adds “https:”-only connections but still not by default

Google has added a new “Browser Connection” feature to GMail to allow users to force e-mail sessions to always use the more secure “https:” protocol but, strangely, this is not turned on by default.

In the Settings tab, at the very bottom, GMail users can now select an “Always use https” option for stronger security, especially when connecting via Wi-Fi.

-only connections

This should help reduce exposure to things like sidejacking and cookie theft attacks.

Google explains:

If you sign in to GMail via a non-secure Internet connection, like a public wireless or non-encrypted network, your Google account may be more vulnerable to hijacking. Non-secure networks make it easier for someone to impersonate you and gain full access to your Google account, including any sensitive data it may contain like bank statements or online log-in credentials. We recommend selecting the ‘Always use https’ option in Gmail any time your network may be non-secure. HTTPS, or Hypertext Transfer Protocol Secure, is a secure protocol that provides authenticated and encrypted communication.

But, beware, there may be errors if you enable this setting in the GMail for Mobile application.

Excellent move by Google but I wish they would go the extra step turn it on by default for all GMail connections.

* Hat tip: Mike Gunderloy at WebWorkerDaily.

[Source: zdnet]

Microsoft joins ‘patch DNS now’ chant; Apple patch missing

On the heels of the release of weaponized exploit code for the DNS cache poisoning vulnerability, Microsoft has joined the chorus of security pros pleading with DNS server providers to immediately apply patches to protect users from malicious attacks.

Microsoft joins ‘patch DNS now’ chant; Apple patch missing

The Redmond, Wash. security giant issued a formal security advisory advisory today with a terse warning that “attacks are likely imminent” because of the availability of exploit code:

Since the coordinated release of these updates, the threat to DNS systems has increased due to a greater public understanding of the attacks, as well as detailed exploit code being published on the Internet.

Microsoft is not currently aware of active attacks utilizing this exploit code or of customer impact at this time. However, attacks are likely imminent due to the publicly posted proof of concept and Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary.

[ SEE: Attack code published for DNS flaw ]

The company said its investigation of the exploit code, which was included in Metasploit, has verified that it does not affect Microsoft customers who have installed the updates detailed in Microsoft Security Bulletin MS08-037.

However, as Dan Goodin reports, some of the world’s biggest ISPs are still very slow to ship fixes to protect customers. Goodin found that the tardy ISPs included AT&T, Time Warner and Bell Canada.

My own testing of AT&T’s network on the iPhone returned conflicting results. Dan Kaminsky’s Doxpara DNS checker said AT&T was vulnerable but the same test at the DNS-OARC’s DNS checker and got this: (schinetdns.mycingular.net) appears to have GREAT source port randomness and GREAT transcation ID randomness.

[ Vulnerability disclosure gone awry: Lessons from the DNS debacle ]

According to Rich Mogull, Apple is also among the tardy vendors:

Apple has yet to patch the vulnerability which affects both Mac OS X and Mac OS X Server. While individual computers that look up DNS are vulnerable, servers are far more at risk due to the nature and scope of the attack.

Apple uses the popular Internet Systems Consortium BIND DNS server which was one of the first tools patched, but Apple has yet to include the fixed version in Mac OS X Server, despite being notified of vulnerability details early in the process and being informed of the coordinated patch release date.

All users of Mac OS X Server who use it for recursive DNS must immediately switch to an alternative or risk being compromised and traffic being redirected. Installing the above-mentioned BIND should be relatively trivial for anyone who can compile software at the command line. The Mac community could take this up if someone created a compiled version of BIND 9.0.5-P1 and distributed it for simpler installation.

With active exploit code available in a common attack tool, it is imperative that Apple fix this vulnerability. Due to their involvement in the process and the ability of other vendors to fix their products in a timely fashion, it’s hard to imagine any possible justification for Apple’s tardy behavior.

I have confirmed at least three publicly available exploits for this vulnerability and there are reliable behind-the-scenes mumbling that others are on the way.

Dan Kaminsky gets the last word: “Less drama, more patching.”

[Source: zdnet]

Gaping holes in RealPlayer patched

RealPlayer patches 4 serious flawsDigital media delivery firm RealNetworks has shipped a high-prority patch to cover four gaping holes in its flagship RealPlayer software, warning that the vulnerabilities could put users at risk of code execution attacks.

The patch comes a few hours after Secunia released an advisory warning for one of the vulnerabilities, a heap-based buffer overflow caused by a design error within RealPlayer’s handling of frames in Shockwave Flash (SWF) files.

According to RealNetworks, at least one of the four bugs affects all platforms — Windows, Mac OS X and Linux.

[ SEE: IE users beware: RealPlayer zero-day flaw under attack ]

Details are only available for these two vulnerabilities:

  • CVE-2008-1309: The RealAudioObjects.RealAudio ActiveX control in rmoc3260.dll in RealNetworks RealPlayer 11.0.1 build does not properly manage memory for the Console property, which allows remote attackers to execute arbitrary code or cause a denial of service (browser crash) via a series of assignments of long string values, which triggers an overwrite of freed heap memory. CVSS Base Score 9.3.
  • CVE-2007-5400: The vulnerability is caused due to a design error within the handling of frames in Shockwave Flash (SWF) files and can be exploited to cause a heap-based buffer overflow. Successful exploitation may allow execution of arbitrary code.

In its advisory, RealNetworks also lists CVE-2008-1309, a RealPlayer ActiveX controls property heap memory corruption; and CVE-2008-3064, a local resource reference vulnerability.

[Source: zdnet]

TV News Presenter Accused of Hacking an E-mail Account

Larry Mendte, who used to work as a news presenter for a Philadelphia TV station, somehow managed to gain access to the e-mail of his co-presenter, Alycia Lane. The information he had access to for a period in excess of two years was later on leaked to abloids and resulted in
Lane's downfall. Since the start of this year and until the month of May, Mendte fraudulently accessed the e-mail account 537 times. The former newscaster is now under federal investigation and risks spending up to six months in jail if he is found guilty in a court of law.

Here is what U.S. attorney Laurie Magid comments on the case, "The mere accessing and reading of privileged information is criminal. This case, however, went well beyond just reading someone's e-mail. It's no different than someone stealing your locked briefcase, containing information from your lawyer, prying it open and helping themselves to the contents".

At the TV station in question, which is called KYW-TV and is an affiliate of CBS, Larry Mendte and Alycia Lane worked together over a period of four years, until this January. Mendte, aged 51, stopped working at the end of June, the current year, after the fact that the FBI was investigating him come to light. His last time on air was on the 29th of May.

Why would the aging newscaster resort to such actions? The reason seems to be envy. Mendte could not handle the fact that he was earning about $680,000 per year, about $100,000 less than his beautiful co-presenter. According to Paul Rosen, Lane's attorney, the fact that her career was going the right way determined Mendte to undermine her. Perhaps he would not have been able to hack her account if she had followed our advice on how to come up with a super strong password.

Michael Schwartz, legal council for Mendte, explains, "As we continually have said from day one, Larry has been cooperating fully with the investigators. He continues to cooperate and will accept full responsibility for his actions". Taking such a responsibility may very well get him a six-month incarceration sentence, according to the federal law.

KYW-TV had nothing to comment on the recent incident involving its former employee, but we can expect Lane to sue the TV station for "wrongful termination".

[Source: softpedia]

Sabre Security CEO Figures Out DNS Vulnerability

Recently, the DNS flaw discovered by Dan Kaminsky made all the headlines, first of all because of its gravity, and secondly because the Director of Penetration Testing for IOActive would not release specific, technical details about the flaw. Kaminsky stated on numerous occasions that he would disclose all the information on the 6th of August, at the BlackHat Security Conference in Las Vegas. But it seems that Thomas Dullien, CEO and head of research with Sabre Security has figured it all out, even though he admits he is not an expert in DNS.
Halvar Flake may have discovered how the DNS flaw works
This is the message posted on the Matasano Security blog in regard to Dullien's discovery: "The cat is out of the bag. Yes, Halvar Flake figured out the flaw Dan Kaminsky will announce at Black Hat". Halvar Flake is the hacker alias used by Thomas Dullien. It must be noted that the blog post presented above was posted for about five minutes and then it was taken down.

Thomas Ptacek from Matasano Security has posted another statement on the site, saying that they "dropped the ball" and it was all a regrettable error. "Earlier today, a security researcher posted their hypothesis regarding Dan Kaminsky’s DNS finding. Shortly afterwards, when the story began getting traction, a post appeared on our blog about that hypothesis. It was posted in error. We regret that it ran. We removed it from the blog as soon as we saw it. Unfortunately, it takes only seconds for Internet publications to spread," says Ptacek.

According to Halvar Flake, there is no good reason behind Kaminsky's request not to publicly speculate on the DNS vulnerability. He agrees that Kaminsky did the right thing by not disclosing the vulnerability and getting the industry heavyweights to come up with a fix, but by not speculating you are not buying the user any time. "In a strange way, if nobody speculates publicly, we are pulling wool over the eyes of the general public, and ourselves," says Halvar Flake.

Dan Kaminsky did not confirm or deny the fact that Hlavar Flake had indeed discovered the DNS vulnerability that he came upon earlier this year, and he is urging all users to update, if they haven't done so already. On the 24th Kaminsky will do a webcast for BlackHat, but he says this opportunity will not be used to disclose details on the DNS vulnerability. All those interested in the issue will have to wait until the 6th of August.

[Source: softpedia]

No URLs in Recent Phishing Attempts

According to research conducted by Internet security company TrendMicro, phishers are resorting to new ways of fooling users. The ever present URL to the phishing site has no longer been seen in numerous messages analyzed by TrendMicro. It would seem that instead the user is provided with a legitimate e-mail address.

A run of the mill phishing attempt involves the user receiving a spam message that directs that user to a phishing site. You will receive a message that goes something like "you need to update your bank account info, please click on the following link", but by doing so you will be directed to a web page that looks very similar to the one of your bank. And by filling in the requested information you are only playing into the hands of the phisher.

"But now, there’s no URL seen in new phishing email samples we’ve discovered. They display instead a legitimate email address. This is to trick users that the recipient of the user name and password they will send is a legitimate user, but looking at the source code of the mail, it would go to an individual email address, the phisher’s," says Aivee Cortez from TrendMicro.

One such spam message circulating on the Internet lately was informing users that they needed to upgrade their EarthLink account. As you might have already figured it out, the user is not asked to click on a link and visit a phishing site, but instead is asked to forward the username and password of the account to what seems to be the customer support e-mail address. Just to make sure the phishing attempt is successful, the message informs you that your account will be deleted unless you send out that information.

It even goes as far as to say "this is an Administrative Message from EarthLink. It is not spam. From time to time EarthLink will send you such messages in order to communicate information about your subscription." By simply claiming not to be spam and to originate from the actual site, the message seems authentic. But as a rule of thumb you should never send out security credentials such as username and password, no matter who asks for it. It is one of the basic rules of keeping your data nice and safe.

[Source: softpedia]

New Trojan Guaranteed to Bypass Detection

The Trojan in question has been named Limbo 2, and according to the people who came up with it, the best 10 security software solutions on the market today are not capable of detecting it. Acquiring this malware will set you back about $1,300, but for that amount of money you will get a software product that is unique, customized to your personal requirements, and guaranteed to run under the radar of most security solutions.

"Each variant sold is built anew and has to be customized to incorporate the domain of where all the information is to be sent back to. These are then sold on to websites or botnets to infect individuals," says Prevx, the security company that discovered the threat.

What does the Trojan do? Once it manages to infect a system, it goes to work whenever it detects that the user has accessed an online banking service. Not only does it record the regular login info, it also adds spoofed information boxes which ask you to provide additional information in regard to your bank account. All the gathered security credentials are then sent to the person that bought Limbo 2, so that it can be used for whatever malicious purpose that person has in mind.

"This is one of the most dangerous Trojans out there at the moment. The strength of this piece of malware lies in its versatility, even if it is recognized up by an anti-virus company it can be changed so as to be invisible again within hours. There are likely to be so many variants out there that they will never all be detected, which is a scary thought as it is designed to steal bank details," says Jacques Erasmus, Director of Malware Research with Prevx.

According to Erasmus, this is a very lucrative piece of software, earning the designer of Limbo 2 a few thousand pounds every day. Since it has not yet been detected how the malware propagates, it is safe to assume that the source of infection is a malware spreading site.

[Source: softpedia]

Several SQL Injection Vulnerabilities Discovered in Zoph -

According to an advisory recently released by Secunia, an attacker can manipulate data from a remote location thanks to multiple SQL injection vulnerabilities found in Zoph (Zoph Organizes Photos). The vulnerability has been deemed "moderately critical" by Secunia, but a new version of Zoph, which addresses the security issue, has been made available.

SQL injection attacks have been on the increase lately, and numerous sites have consequently become infected. In the case of Zoph, "certain unspecified input is not properly sanitized before being used in SQL queries" and thus an attacker can inject arbitrary SQL code to manipulate SQL queries. This vulnerability has been detected in all Zoph versions prior to

As of yesterday, the 20th of July, Zoph has released version and users are well advised to update as quickly as possible. "During development of Zoph, I found a couple of possible SQL injections. Although most are not exploitable or only exploitable by an admin user, I have created an updated release for Zoph: v0.7.0.5. I recommend everyone upgrading to this version. The release also includes a number of extra 'safety nets' that will make exploiting any future SQL injections a lot harder. It also fixes a number of bugs in the 0.7 release," says Jeroen Roos from Zoph.

Those of you who are unfamiliar with Zoph must know that it is a web based application that one can use to manage all their digital images, or in layman's terms, an open source photo album. You can use Zoph to organize your increasing photo database, generate thumbnail galleries, record additional info in regard to your pictures, and even control access to said pictures.

The security industry started to detect a large number of SQL injection attacks back in March, the current year. The following month, in April, these attacks started to target trusted, well known sites that attracted a large number of visitors. By June, the number of infected sites had risen to a staggering 76%, according to reports from security company ScanSafe.

[Source: softpedia]

President of Georgia Web Page Down after Hacker Attack -

Over the weekend, the web page of Mikhail Saakashvili, the president of Georgia, has been under an intense DDOS (denial-of-service) attack, which caused it to temporarily shut down. According to the Shadowserver Foundation, the attack began on Saturday morning and rendered the web page unavailable for a period of about 24 hours. Here is an example of the commands the foundation has detected so far: "flood http www.president.gov.ge/".

The server that hosts the Presidential web page also harbors the Social Assistance and Employment State Agency website, as well as other sites that have become unavailable due to the attack.

Steven Adair from the Shadowserver Foundation comments: "Who else have these guys been attacking with this MachBot C&C server? The answer is no one. This server recently came online in the past few weeks and has not issued any other attacks that we have observed until recently. All attacks we have observed have been directed right at www.president.gov.ge."

What is the reason for this multi-pronged distributed denial of service attack? Since the Shadowserver Foundation has yet to provide a precise answer, we can only speculate. What we do know is that political relations between Georgia and Russia have been quite tense recently. There are reasons to believe the attack originates from Russia and, as the attack on Lithuania has proven, this is the usual manner in which Russian hackers respond to political tensions.

"We do not have any solid proof that the people behind this C&C server are Russian. However, the HTTP-based botnet C&C server is a MachBot controller, which is a tool that is frequently used by Russian bot herders. On top of that the domain involved with this C&C server has seemingly bogus registration information but does tie back to Russia," says Steven Adair.

The Shadowserver Foundation is made up of several security pros that voluntarily monitor online traffic in an effort to detect malware, botnet activity, and electronic fraud. People must be made aware of the threats they may encounter while surfing the web, threats that range from malware spreading sites to compromised servers.

[Source: softpedia]

New Storm Spam Campaign Exploits NACU Rumors -

TrendMicro, company that specializes in Internet content security, reports that the Storm botnet is once again attempting to propagate its malicious software. The means to do so is by sending out spam messages which inform about a financial crisis that will engulf the world's economy. A link is of course provided and you are invited to click on it, but by doing so you may become infected with the Storm worm, and your computer will end up as just another zombie in the Storm botnet.

TrendMicro detects new Storm spam campaign

According to the spam message, the NACU (North American Currency Union) is secretly planning to bring the currencies of North America, Canada and Mexico together, and come up with a new currency called "amero".

Here is an excerpt from the spam message itself: "You can forget about dollars. The U.S. Government began to realize the plan to replace the Dollar with the "Amero", the new currency of the North American Currency Union. Canada, the United States of America and Mexico have resolved to unit in order to resist the Worldwide Financial Crysis. You can become acquainted with the plan of the implementation of Amero, just click on the icon underneath this text."

Users should be warned that there is no such organization, and there never was. It is all noting but a clever scheme that the spammer has come up with in order to make the message seem believable.

"Neither amero nor the North American Currency Union exists of course, as these remain ideas only, at least for today. Conspiracy theories abound, however; there are rumors about secret pacts between the United States, Canada, and Mexico, but these remain unsubstantiated. Last year, there were reports of the United States Treasury issuing amero coins, but this was later proven to be untrue," says Jake Soriano from TrendMicro.

As a rule of thumb you should not open unsolicited mail, but if you can’t resist the temptation, you should at least not click on any links provided in said mail. Keep in mind that believable, accurate news come from trusted sites and news portals, not from spam messages. Not only will you be misinformed, you will become infected and aid in the expansion of the Storm botnet.

[Source: softpedia]

Malaysian ISP Records Torrent Tracker Traffic

Shinjiru is an Internet service provider (ISP) from Malaysia that succumbed to pressure from the Government last month and consequently shut down the web pages of several BitTorrent trackers. Although most of these sites are now up and running as if nothing ever happened, TorrentFreak has discovered that Shinjiru is secretly monitoring the activity of several torrent sites.

A sysop from tbkresources.org became suspicious when he discovered that "an external disk was suddenly mounted on our box." Curious to find out the purpose of the disk, the sysop contacted Shinjiru's customer support, but they could not provide an explanation. It was later revealed that the Shinjiru legal team had installed the previously mentioned disk, but nobody seems to know the exact reason for that.

It would seem that Shinjiru believes these torrent trackers are in breach of current legislation, copyright infringement to be more precise, has launched an investigation, and copying data from the servers is part of said investigation. The curious thing is that the ISP is doing all of this in secrecy, trying not to draw any attention to its actions.

"This is important to get out as they are most probably doing this to every site they know about, and users are being recorded. We have destroyed the data on their USB connected disk, destroyed our site backups on it and truncated and deleted all tables, to ensure the protection of our users. As I have stated it was done with out warning nor consent," says the sysop as cited by TorrentFreak.

Because the Malaysian Government was to blame for the recent tracker shut down, it is believed that it is behind the current situation as well. But since the ISP is copying data from its own clients, it should have first issued a warning, or at least an informative note about its plans. An official reply from the Malaysian ISP has yet to be released to the public.

[Source: softpedia]

Iranian Hackers Try to Silence Malcolm Hoenlein

According to Ohad Rosen, the web page that he administrates has recently come under constant hacker attack, presumably of Iranian origin. The cause of the attack is a message posted on the site, from Malcolm Hoenlein, executive vice chairman of the Conference of Presidents of Major American Jewish Organizations, addressed to the Iranian people. In the message, which is subtitled in both Arabic and Persian, Hoenlein states that the Iranian Government does not have the best interests of the people at heart.

Here is an excerpt from the message, which is two and a half minutes long and was posted on the Israeli site on the 18th of June: "We want to work with you. It is regrettable that you have a leadership that does not care about your welfare, and the conditions under which you live, but rather exploits it in search of extremist goals," says Malcolm Hoenlein.

The web page in question is called Jersulameonline.com and Rosen says that in the short amount of time the message has been posted, a "dozen" hacker attacks have been recorded. Although these attacks have not been successful and the content on the web page has not been significantly altered, Google has labeled the site as "dangerous". The hackers did not manage to take down the message, but instead deleted pictures on the site and tampered with some links.

One of the main reasons the hackers have not been able to accomplish their goal, is the fact that Itai Green has set up tighter security measures. Itai is the site's director and according to him the security measures have been upgraded in order to prevent future hacker attacks to considerably damage the site. One thing is for sure, Itai is determined not to take down the message, no matter how many attacks are recorded.

The political relationships between Israel and Iran are quite tense, and have been like that for quite some time now. On numerous occasions Mahmoud Ahmadinejad, the President of Iran, has said "it should be wiped off the face of the earth" when talking about Israel.

It must be noted that no site is hack proof, as the recent attack on Kaspersky Malaysia has proven.

[Source: softpedia]

Simpson's Chapter Suspected of Containing Malware

We have already observed that malware creators use any event, “true or fake” news as a social engineering technique to deceive users and install malware in their systems. One of the latest tricks we have seen is the use of one detail mentioned in one of the Simpsons episode, more specifically in Season 14 / 14-8 / EABF03 / The Dad Who Knew Too Little.

In this episode, Homer Simpson reveals that his email address is "chunkylover53@aol.com", and just as matter of interest, this address was actually registered by one of its producers, answering users as if he were Homer himself. For this reason, it is no wonder that many fans have added this address as a contact in their email service.

However, it seems that there are certain AOL accounts that are passing themselves off as the identity of Chunkylover53, in order to deceive users and make them follow a link to infect their computers with a malicious code which is being distributed with the following message via the instant messaging program AIM:

The malware has been detected as Bck/Turkojan.I, as it is a variant created with the Constructor/Turkojan mentioned previously in this blog.

[Source: pandasecurity]

Fake UPS Invoice Email

These last days we have observed several false email messages in circulation which seemed to come from the UPS company. However, they are not related to with this company at all.

The aim of these emails is not to inform us of the impossibility to deliver a postal package, but to entice us to open the attached file to infect our computers (detected as Trj/Agent.JEN).

This malware is copied in the system, replacing the Windows Userinit.exe (this file is the one which runs explorer.exe, the interface of the system and other important processes), copying the legitimate file as userini.exe, so that the computer can work properly.

Additionally, it establishes a connection with a Russian domain, which has been used on some occassions by banker Trojans. From this domain it will redirect the request to a German domain in order to download a rootkit and a rogue antivirus, detected as Rootkit/Agent.JEP and Adware/AntivirusXP2008 respectively.

The following graph represents the evolution of this malware with regard to the samples received in our laboratory during the last days. Before being included in our signature file, it was already detected by our TruPrevent Technologies as a suspicious file.

MD5: 6B4EF50E3E21205685CEA919EBF93476

MD5: C65EBF59203CE3F05861398CC41A976A

MD5: EF6FFCC71B81B53328B63985B20C3871

[Source: pandasecurity]

Fake Fernando Alonso car accident used to distribute a new banking Trojan

We have just discovered another spam message used to fool users into installing a new banking Trojan (Trj/Banker.LGC). This time it passes itself off as if it were a real piece of news from El Pais, one of the major newspapers in Spain. It is about a car accident that would have taken place today in Bilbao and where Fernando Alonso, the two-time Formula 1 world champion has been supossedly seriously injured.

As I'm writing this post from Bilbao, I can guarantee that there has not been any car accident in which Fernando Alonso is involved... ;-)

The link to download the video points to the Trojan. This is a screenshot of the fake piece of news:

Fake new

The banking Trojan targets one of the biggest Spanish banks, which in the past was one of the Fernando Alonso's team sponsors.

This is not the first time we have seen this piece of news used to spread malware though, as a few weeks ago we saw a very similar one, the major difference was that it was trying to install a Gaobot worm instead.

[Source: pandasecurity]

Spam coming from free email providers increasing

After analyzing three weeks of spam data between June 13 to July 3, 2008, Roaring Penguin Software Inc. foundSpam coming from free email providers increasing evidence that spam originating from the top three free email providers (Gmail, Yahoo Mail and Hotmail) is increasing, with spammers in favor of abusing Gmail’s privacy preserving feature of not including the sender’s original IP in outgoing emails :

“Spammers are increasingly using free e-mail providers to avoid IP address-based reputation systems. These systems track mail sent by various IP addresses and assign each IP address a rating. Some anti-spam software operates largely or exclusively on the basis of the IP address rating.

Roaring Penguin’s data shows that over the three weeks from June 13 to July 3, 2008, the percentage of US-originated spam originating from the top 3 free e-mail providers (Yahoo, Google and Hotmail) rose from about 2% to almost 4%. Roaring Penguin believes that spammers are using Google’s service in particular to send spam, relying on the fact that blacklisting Google’s servers is impractical for most organizations. According to their data, the probability that an e-mail originating from a Google server is spam rose from 6.8% on June 13 to a whopping 27% on July 3.”

Spammers and phishers are not just interested in the clean IP reputation of free email providers, they are also interested in taking advantage of the trust they have established among themselves through the use of DomainKeys and Sender ID Frameworks, and by abusing this through the bogus accounts that they’ve automatically registered by breaking the CAPTCHA based authentication, reach the widest possible audience and ensure the successful receipt of their spam/scam.

How are they managing to efficiently abuse these services, and is CAPTCHA breaking for the purpose of automatically registered bogus accounts to blame? The broken CAPTCHAs are only part of the problem. It all starts from the basics, in this case, the companies themselves admitting there’s a problem and how committed they are in not just fighting incoming spam, but also, outgoing spam.

The whole quality and assurance process applied by spammers is nothing new, in fact phishers and malware authors have been putting more efforts into coming up with easier ways to measure the return on investment (ROI) for themselves, and to present clear performance data to those taking advantage of their services. Just because someone has successfully sent several million spam emails, doesn’t mean that the messages didn’t got filtered, and when they did, what number exactly. Coming up with in-depth spam campaign metrics, and processes for verification of delivery, are becoming a top priority for everyone involved in this underground ecosystem.

The problem of spam and phishing coming from free email providers, has had its peaks in the past two years, prompting popular spam blacklists such as SORBS and Spamcop to blacklist entire Gmail servers due to their inability to obtain the real sender’s IP. It’s a signal from the anti spam community, and since Gmail will continue not revealing the real sender’s IP, something they’ve received a lot of criticism from anti spam vendor, but a lot of applause from privacy fighters, the best they can do is balance their incoming VS outgoing spam fighting strategy. Here’s a comment from an anti-spam vendor commenting on the problem back in 2006 :

“Gmail has taken an extreme position on privacy that inhibits the antispam community from doing their job, and it’s ticking people off,” says Tom Gilles, co-founder of IronPort. Some 10% to 15% of the spam IronPort sees comes from free Web-mail accounts, too big a slice to turn a blind eye to. “From time to time, Gmail mail is getting blocked because spam is leaking out of their service,” Gilles says. “Sometimes the babies get thrown out with the bath water, and that is the rub.

It’s difficult to gauge how widespread the problem of missing Gmail is, since no blocking records are available, though experts worry it’s growing along with the Gmail service. Gmail had 6.7 million visitors in February, up 4.1 million from a year ago, according to measurement firm comScore Networks, a jump that suggests lost email has yet to hurt the service’s growth. Yahoo Mail is still nearly 10 times bigger, hosting 64.6 million visitors last month, and AOL and Hotmail are also orders of magnitude larger. The situation reveals again how the studiously iconoclastic search engine is wrangling with where to draw the line on Internet privacy. As in other recent cases, Google is taking a harder line than its peers.”

Moreover, the abuse of the authentication at these free email providers, by either breaking the CAPTCHA images automatically, or outsourcing the process to human CAPTCHA breakers who earn cents to authenticate the registration process for the spammers to abuse, is clearly making an impact. For instance, underground services offering hundreds of thousands of pre-registered bogus accounts are popping up like mushrooms these days, and their maturity into a customer-tailored proposition offering everyone the possibility to pre-register bogus accounts at services and web sites that they are not currently targeting, speaks for the confidence they’ve built into their ability to deliver the goods. The most recent one which I covered in a previous post is continuing to automatically pre-register accounts with its inventory emptying and filling itself automatically in between the customer’s feedback indicating the quality of the service. Here’s a sample of their inventory as of the last five minutes :

  • Yahoo.com - 270,565 pre-registered accounts
  • Hotmail.com - 167,013 pre-registered accounts
  • Gmail.com - 159,892 pre-registered accounts

These is just the tip of the iceberg, with many other such services offering different inventories and using different tactics in the registration process. And while the companies themselves are keeping track of the latest developments in this ongoing abuse of their services, it’s all a matter of drawing the line at a particular moment of time. For instance, a known to be malware infected IP that has repeatedly attempted to send hundreds of thousands of phishing and spam emails on behalf ot the botnet its participates in, shouldn’t be trusted in any authentication or registration attempts if you’re to take the radical approach, or have the end user warned about what’s going on and why is she not allowed to use the site’s services unless action is taken. The point is that, preventing automatic authentication abuse as a process is very similar to preventing click fraud, and fighting spam in general with the only different in the shift of perimeters from applying the techniques on incoming emails, to the authentication process in general.

Most of the human CAPTCHA breakers, and the automated programs will either abuse malware infected hosts as open proxies, or use open proxy lists in order to change their IP on every several registrations. Considering that the majority of malicious activity comes from well known bad parties are often blocked by default at the email gateway without even bothering to inspect the content in email messages coming from their networks/IPs, the same approach, activity from malware infected hosts should be challenged more aggressively than it is for the time being.

The increasing spam and phishing emails originating from legitimate email service providers is prone to increase, and fighting incoming spam should be balanced with fighting outgoing spam. Moreover, email spam is so Web 1.0, that the possibilities for abusing the joys offered by Web 2.0 services are slowly starting to materialize, with spammers being a step ahead of the filtering solutions.

[Source: zdnet]

Has Halvar figured out super-secret DNS vulnerability?

Thomas Dullien Halvar Flake[ UPDATE: Kaminsky has all but confirmed that, yes, the cat is out of the bag ]

It looks very much like the nitty gritty of Dan Kaminsky’s super-secret — and heavily hyped — DNS cache poisoning vulnerability has been figured out by reverse engineering guru Halvar Flake.

Clearly irked by a demand request from Kaminsky and others to avoid speculating on the details of the flaw until the patch is fully deployed, Flake (left) published a reliable method to forge and poison DNS lookups.

Flake, CEO and head of research at Sabre Security, said his speculation was driven by the need to discuss the vulnerability in public instead of a one-month embargo that culminates with Kaminsky’s presentation at the upcoming Black Hat conference.

[ SEE: Dan Kaminsky breaks DNS, massive multi-vendor patch coming ]

“In a strange way, if nobody speculates publicly, we are pulling wool over the eyes of the general public, and ourselves,” Flake argued, before posting the following hypothesis:

Mallory wants to poison DNS lookups on server ns.polya.com for the domain www.gmx.net. The nameserver for gmx.net is ns.gmx.net. Mallory’s IP is

Mallory begins to send bogus requests for www.ulam00001.com, www.ulam00002.com … to ns.polya.com.

ns.polya.com doesn’t have these requests cached, so it asks a root server “where can I find the .com NS?” It then receives a referral to the .com NS. It asks the nameserver for .com where to find the nameserver for ulam00001.com, ulam00002.com etc.

Mallory spoofs referrals claiming to come from the .com nameserver to ns.polya.com. In these referrals, it says that the nameserver responsible for ulamYYYYY.com is a server called ns.gmx.net and that this server is located at Also, the time to live of this referral is … long …

Now eventually, Mallory will get one such referral spoofed right, e.g. the TXID etc. will be guessed properly.

ns.polya.com will then cache that ns.gmx.net can be found at … Yay.

After the publication of Flake’s summation, Kaminsky gave a no-comment to The Register’s Dan Goodin.

Nate Lawson, head of Root Labs, had this to say: “It’s very plausible; I think he’s nailed it.”

[ SEE: Kaminsky and Ptacek comment on DNS flaw ]

Goodin, one of the more thorough security writers around, made a great point that if Flake’s speculation is unrelated to Kaminsky’s earlier discovery, then there are now two separate issues at play. Only one of the two has been patched!

Perhaps it’s time for Kaminsky to throw his self-imposed embargo out the window and help all of us understand the true severity of this vulnerability.

[Source: zdnet]

Kaspersky’s Malaysian site hacked by Turkish hacker

According to Zone-h.org, Kaspersky’s Malaysian site has been defaced by a Turkish hacker during the weekend, through a SQL injection, leaving the following message - “hacked by m0sted And Amen Kaspersky Shop Hax0red No War Turkish Hacker Thanx to Terrorist Crew all team members“.

The image “http://blogs.zdnet.com/security/images/kaspersky_malyasia_hacked1.JPG” cannot be displayed, because it contains errors.

“The official Malaysian Kaspersky Antivirus’s website has been hacked yesterday by a Turkish cracker going by the handle of “m0sted”. Along with it, the same cracker hacked also the official Kaspersky S.E.S. online shop and its several other subdomains. The attacker reported “patriotism” as the reason behind the attack and “SQL Injection” as the technical way the intrusion was performed.

Both websites has been home page defaced as well as several other secondary pages. The incident, though appearing a simple website defacement, might carry along big risks for end-users because from both the websites, evaluation copies of the Kaspersky Antivirus are distributed to the public. In theory, the attacker could have uploaded trojanized versions of the antivirus, infecting in this way the unaware users attempting a download from a trusted Kaspersky’s file repository (remember the trojan in the Debian file repository?).”

Are users at risk due to the compromise? Not in this case, however, the attack is a wake up call which if not taken seriously enough could result in an ironic situation where a security vendor’s site is infecting its visitors with malware. It has happened before, and it will definitely happen again.

This is not an isolated incident. According to Zone-h’s archive, since 2000 there have been 36 web site defacements of international Kaspersky sites, with Kaspersky’s French site getting hacked and re-hacked on an yearly basis. And while in none of the incidents there was any malicious software served, or a live exploit URL that could have been embedded into the legitimate site, there’s an ongoing trend related to web site defacements in regard to their interest in monetizing the access they have to the vulnerable sites, by injecting malware URLs, hosting phishing pages, and also, locally hosting blackhat SEO junk pages where they would eventually earn money through affiliate based networks.

In the time of blogging there’s no indication of a malware attack at the site, and kaspersky.com.my remains offline, presumably in an attempt to audit the site for web application vulnerabilities before putting it back online.

Related posts :

[Source: zdnet]