Information Security Threats archives - Security Bytes


Jan 27 2009   5:51PM GMT

Microsoft Conficker/Downadup infections still not a major threat



Posted by: Robert Westervelt
Information Security Threats

I had an excellent briefing with the folks at TippingPoint about Conficker and they gave me access to their ThreatLinQ, a service that helps TippingPoint IPS customers proactively configure their systems. I’ll be writing about Conficker in a news story tomorrow. ThreatLinQ is essentially a portal that shows global threat data caught in TippingPoint’s DVLabs’ IPS filters. It can rank threats on a global scale and threats by country. It also shows how other TippingPoint customers are using their IPS and what is being blocked by default.

Security researcher Derek Brown of TippingPoint’s DVLabs explained to me that while Conficker/Downadup has spread to an estimated 10 million machines, it reached its peak on Jan. 10. It’s an interesting worm because it can propagate either by exploiting the Microsoft RPC flaw, patched in October with MS08-067, or by spreading via USB sticks and other removable storage devices.

Ten million infections is a lot of computers, but I repeat what I said in an earlier post: most infections have taken place in countries where it took longer to deploy MS08-067, places where pirated software is rampant and machines are more likely to go unpatched. TippingPoint’s ThreatLinQ data supports this.

Attempts to attack the Microsoft RPC vulnerability rank No. 5 of all threats globally, according to the TippingPoint data. That is well behind the MS-SQL Slammer/Sapphire worm, which was picked up globally more than 32 million times in TippingPoint’s honeypots and ranks No. 1. Conficker was detected about half a million times, according to the real-time data.

In China, where Symantec ranked Conficker infections the highest, Microsoft RPC attacks ranked ninth, according to the TippingPoint data. In the United States, attacks attempting to exploit the Microsoft flaw didn’t even rank in the top 10.

Conficker is also relatively easy to disinfect using any number of tools including Microsoft’s Malicious Software Removal Tool.

Conficker still fascinates security researchers. It has a built-in password cracker. Once it infects a machine, it seeks out other IP addresses to continue spreading. It can spread over shared drives. It also relays location information to the author.

Let me be clear: Derek Brown of TippingPoint’s DV Labs did not downplay the worm. The damage the fledgling botnet inflicts is still unknown. Once the attacker delivers the payload to the infected machines we’ll begin to measure the extent of Conficker’s destruction.

Jan 21 2009   5:47PM GMT

Conficker, Downadup worm hype? Get the facts



Posted by: Robert Westervelt
Microsoft Security, Network Security, Information Security Threats, Platform Security


Update 1/23: Microsoft has released a blog post explaining everything you need to know about Conficker/Downadup. The bottom line: Ensure that MS08-067 is installed on all machines in the environment, use up-to-date antivirus, ensure you have strong passwords for user accounts, consider disabling AutoPlay.

——————————————————————-
Security vendors from across the spectrum have warned that a stingy worm has been successfully exploiting a hole in the Microsoft Windows Server service. Known as Conficker or Downadup, the worm spreads by exploiting a remote procedure call (RPC) vulnerability.

The flaw was patched by Microsoft in October. The MS08-067 update was meant to stop the worm in its tracks. Many patching vendors say organizations apparently have been slow to deploy the update.

But that may not be the case. Symantec released data explaining which countries have had the highest worm infection rates. North America does not even rank in the top 10 countries infected by the worm. It has spread in countries where software pirating is rampant. Bootlegged versions of Microsoft Windows won’t receive the latest security updates. Is it a coincidence that the highest infection rates are in China, Russia, Argentina, Taiwan and Brazil (in that order)? China and Russia have been at the top of the list of software-pirating countries for years.

So first, don’t panic. If you’re running antivirus and it’s up to date, you’re probably fine. Second, ensure that the MS08-067 update has been deployed. If it hasn’t, deploy it and then do a thorough review of your patch management processes. This patch should have been deployed months ago.

In its latest round of updates, Microsoft security experts addressed the spread of the worm and how people can check to see if their machines are infected. Microsoft advises customers to scan the machine with up-to-date antivirus. The worm also blocks access to a large number of security websites listed by Microsoft.

Also, Microsoft said its Malicious Software Removal Tool completely cleans the registry elements related to the worm.

What’s all the fascination among security researchers about Conficker/Downadup? It’s not necessarily who’s infected, but how they are being infected. As Derek Brown of TippingPoint’s DVLabs points out, the worm is an example of advanced malicious software coding. Conficker/Downadup can self-propagate by guessing a person’s weak password, or it can spread by simply being passed along on someone’s portable storage device. It disables several system services and security products and then signals to its host that it is ready to download additional instructions.


Jan 13 2009   11:51AM GMT

Phishing attack uses pop-up message on bank sites



Posted by: Robert Westervelt
Information Security Threats, Data Breaches and Identity Theft, Identity and access management

Researchers at security vendor Trusteer have discovered a new phishing method that forces pop-up login messages to appear on legitimate banking websites.

The messages trick users into giving up passwords, account numbers and other sensitive information. Sometimes the messages appear after they have logged into an online banking or other financial website, Trusteer said.

Trusteer issued an advisory on its findings. The technique is called Session Phishing, and is used after attackers inject malicious code into major browsers.

Trusteer CTO Amit Klein said the method makes phishing attacks more likely to be successful because they try to trick people after they have logged into a legitimate website. Klein said the major browser makers have been notified.

I can see how the phishing attack can easily trick people. Trusteer said the pop-up window sometimes requests the user to retype their username and password because the session has expired. How many times have you had that happen? It sometimes also asks users to complete a customer satisfaction survey or participate in a promotion. I typically stay away from those and so should you.

Two researchers recently wrote a report outlining how phishers are failing to make a ton of money. The report, which we wrote about last week, said there were too many phishers driving down the price cybercriminals pay for stolen information. There are varying opinions on this report, and some are immediately doubting it because it came from Microsoft Research. More on that in another post.


Jan 2 2009   12:17PM GMT

Fear and loathing in the Intertubes



Posted by: Dennis Fisher
Information Security Threats

One of the peculiar properties of the security research community is the reflexive reactions of some of its members to new work by other researchers. In most cases, researchers tend to compliment one another when they’ve produced something new. But there always seems to be a small subset of researchers who race to be the first one to point out that, regardless of the scope or originality of the work, it is: A. nothing new, B. not as severe as it looks, C. easily defended against, or D. all of the above.

The news this week about the MD5 SSL attack from Alex Sotirov, Jake Appelbaum and friends brought out the knives in a sadly predictable way. The team was very careful to point out at every opportunity that its work was based heavily on the previous work done on MD5 collisions by a group of Chinese researchers in 2004, and the further work done by several European researchers in 2007. (In fact, the team that produced the 2007 work, which showed the much stronger likelihood of MD5 collisions, also worked with Sotirov and Appelbaum.) The latest research simply extended the earlier work and took advantage of some advances in computing power and technology to take it a couple of steps farther than the previous research could go. But for whatever reason, that wasn’t good enough for some people.

I’ve never really understood this impulse to knock down other people’s work in order to try and look smarter yourself. How does that follow? In other news, there are a number of really well-done and readable analyses of the MD5 attack out there, starting with Eric Rescorla’s. He lays out the attack in layman’s terms and describes exactly what new contributions Sotirov and his team made. Nate Lawson also wrote a very useful description of the attack:

The attack is interesting since they take advantage of more than one flaw in a CA. First, they find a CA that still uses MD5 for signing certs. MD5 has been broken for years, and no CA should have been doing this. Next, they prepared an innocent-looking cert request containing the “magic values” necessary to cause an MD5 collision. They were able to do this because of a second flaw. The CA in question used an incrementing serial number instead of a random one. Since the serial is part of the signed data, it is a cheap way to get some randomness. This would have thwarted this particular attack until a pre-image vulnerability was found in MD5. Don’t count on this for security! MD4 fell to a second pre-image attack a few years after the first collision attacks, and attacks only get better over time.

Helpful, cogent analysis of the problem and its mitigating factors without bravado and sniping. What a concept.
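Lawson’s two points above, a CA still signing with MD5 and a CA using an incrementing serial, are both things a CA operator can check from its own issuance log. The following is an added example, not code from the post or from any of the researchers mentioned: it audits a constructed list of issuance records for a collision-broken signature hash and for serials that advance by a small step, and shows a serial generator that draws the "cheap randomness" from the OS. The 64-bit threshold and the 90% "sequential" cut-off are thresholds chosen for this example, and the two sample CAs are constructed data.

```python
import hashlib
import os
from dataclasses import dataclass

WEAK_HASHES = {"md4", "md5"}   # collision-broken, as the analysis above notes
MIN_SERIAL_BITS = 64           # floor chosen for this example
SEQUENTIAL_CUTOFF = 0.9        # share of small-step advances that counts as "a counter"


@dataclass(frozen=True)
class Issuance:
    serial: int     # X.509 serial number as an integer, in issuance order
    sig_hash: str   # hash used in the certificate signature, e.g. "md5", "sha256"


def sequential_run(serials, max_step=16):
    """Fraction of consecutive issuances whose serial advanced by a small positive step.
    A counter-based CA scores ~1.0; a CA using random serials scores ~0.0."""
    if len(serials) < 2:
        return 0.0
    small = sum(1 for a, b in zip(serials, serials[1:]) if 0 < b - a <= max_step)
    return small / (len(serials) - 1)


def audit(issuances):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []
    hashes = {i.sig_hash.lower() for i in issuances}
    for h in sorted(hashes & WEAK_HASHES):
        findings.append(f"signs with {h}: collision-broken hash")
    serials = [i.serial for i in issuances]
    if not serials:
        return findings
    if sequential_run(serials) >= SEQUENTIAL_CUTOFF:
        findings.append("serial numbers are predictable (incrementing counter)")
    if max(s.bit_length() for s in serials) < MIN_SERIAL_BITS:
        findings.append(f"serial numbers carry fewer than {MIN_SERIAL_BITS} bits")
    return findings


def random_serial(nbytes=20):
    """Unpredictable, positive serial: 20 bytes from the OS CSPRNG, top bit cleared so the
    DER INTEGER encoding stays positive. This is the cheap randomness Lawson describes."""
    return int.from_bytes(os.urandom(nbytes), "big") >> 1


# Constructed sample CAs. LEGACY_CA mirrors the flawed CA in the write-up: MD5 plus a
# counter. MODERN_CA uses SHA-256 and large, unpredictable serials (derived from a hash
# here only so the sample is deterministic; a real CA would call random_serial()).
LEGACY_CA = [Issuance(643000 + k, "md5") for k in range(12)]
MODERN_CA = [
    Issuance(int.from_bytes(hashlib.sha256(b"demo%d" % k).digest(), "big") >> 1, "sha256")
    for k in range(12)
]

if __name__ == "__main__":
    for name, ca in (("legacy", LEGACY_CA), ("modern", MODERN_CA)):
        print(name, audit(ca) or ["no findings"])
    print("fresh serial bits:", random_serial().bit_length())
```

Run against a real issuance log, the records would come from the CA database rather than the constructed lists; the checks themselves do not change.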


Dec 30 2008   1:05PM GMT

Behind the MD5 attack



Posted by: Dennis Fisher
Microsoft Security, Information Security Threats

When the researchers who produced the elegant MD5 attack I wrote about this morning realized the severity of what they had found, they took two highly unusual steps. First, they consulted with lawyers from the Electronic Frontier Foundation, describing their findings and voicing their concerns about the potential legal ramifications. The researchers were afraid that if the certificate authorities found out about their work and its implications for the security of their digital certificates, the CAs would move to stop their talk at the 25C3 conference today in Berlin, at the very least, and perhaps sue them for good measure.

Second, the group approached Microsoft and Mozilla, the two dominant browser vendors, and explained that they had a serious browser security issue they’d like to share. But first, they needed some assurances from the two vendors that they wouldn’t share what they heard with the CAs before the researchers were ready to announce their findings. So they asked Microsoft and Mozilla officials to sign non-disclosure agreements. It was a 180-degree reversal from the way that these things normally work.

In most cases, researchers who approach a vendor with a security problem are asked by the vendor to keep quiet about the vulnerability until a patch is ready. But in this instance, the researchers held the upper hand and chose not to even tell the vendors what the issue was until they had the signed NDAs in hand. Alex Sotirov, one of the researchers involved in the project, said that it took some negotiations to get Microsoft officials to agree to the NDA, but they eventually signed on. As did Mozilla.

During their presentation on Tuesday, the researchers said they were hopeful that other researchers would follow their lead. And Dino Dai Zovi, a researcher who was not part of the project but who was briefed on the team’s work, agreed. “A letter from a lawyer is usually enough to stop any researcher,” he said. “But showing up with your own lawyer changes the balance of power.”


Nov 3 2008   11:41AM GMT

How the Morris worm foretold the future of computer security



Posted by: Dennis Fisher
Information Security Threats

It’s been 20 years since the first major security-related disruption of the Internet, the Morris worm, hit the worldwide network. The natural reaction to anniversaries like this is to look back and say: Look how much has changed since then. But in this case, the more appropriate response would be: Why haven’t things changed?

In what was the first comprehensive analysis of the Morris worm, Gene Spafford of Purdue University, writing just four weeks after the worm’s release, outlines the framework of what has evolved into the longest-running debate in the security community: the disclosure debate.

On November 8, the National Computer Security Center held a hastily-convened workshop in Baltimore. The topic of discussion was the program and what it meant to the Internet community. Who was at that meeting and why they were invited, and the topics discussed have not yet been made public. However, one thing we know that was decided by those present at the meeting was that those present would not distribute copies of their reverse-engineered code to the general public. It was felt that the program exploited too many little-known techniques and that making it generally available would only provide other attackers a framework to build another such program. Although such a stance is well-intended, it can serve only as a delaying tactic. As of December 8, I am aware of at least eleven versions of the decompiled code, and because of the widespread distribution of the binary, I am sure there are at least ten times that many versions already completed or in progress — the required skills and tools are too readily available within the community to believe that only a few groups have the capability to reconstruct the source code.

Many system administrators, programmers, and managers are interested in how the program managed to establish itself on their systems and spread so quickly. These individuals have a valid interest in seeing the code, especially if they are software vendors. Their interest is not to duplicate the program, but to be sure that all the holes used by the program are properly plugged. Furthermore, examining the code may help administrators and vendors develop defenses against future attacks, despite the claims to the contrary by some of the individuals with copies of the reverse-engineered code.

Looking at Spafford’s arguments now, you can see tenets that proponents of full disclosure still use to argue their position. I doubt this was his intention at the time, and I’m not sure where Spafford even stands on the disclosure issue these days, but the fact that this argument still hasn’t been settled to anyone’s satisfaction is sad and endlessly frustrating. Security researchers are so sick of the topic that a lot of them won’t even discuss it anymore, and even a lot of guys in the vendor community have just accepted the fact that there’s little they can do to influence the ways in which vulnerabilities and exploit code are disclosed. I’m interviewing Spafford on Thursday during our Information Security Decisions conference in Chicago and I’m going to have to bring this up, much to his dismay, I’m sure.

There are several other sections of Spafford’s paper that are eerily prescient, as well, including a footnote describing a tactic that would come to be standard operating procedure for attackers:

A devious attack would have loosed one version on the net at large, and then one or more special versions on a select set of target machines. No one has coordinated any effort to compare the versions of the worm from different sites, so such a stratagem would have gone unnoticed. The code and the circumstances make this highly unlikely, but the possibility should be noted if future attacks occur.

Sound familiar? By the way, if you’re wondering what ever happened to Robert Morris himself, he’s teaching computer science at MIT. How’s that for coming full circle?


Oct 27 2008   10:45AM GMT

Security flaw exposes Google G1 phone to attacks



Posted by: Dennis Fisher
Information Security Threats, Platform Security

If you’re planning to bring a new smartphone to market anytime soon, you might want to check with the guys at Independent Security Evaluators first. For the second time in about 15 months, ISE researchers have discovered a security flaw in the operating system of a high-profile smartphone, this time a vulnerability in the G1, also known as the Google phone. Charlie Miller, a well-known security researcher, hacker and principal security analyst at ISE, discovered that in putting together the operating system for the G1, known as Android, Google used some older open-source software that had known flaws, resulting in a vulnerability in Android itself. From Miller’s description of the problem:

A user of an Android phone who uses the Web browser to surf the internet may be exploited if they visit a malicious page. Upon visiting the malicious site, the attacker can run any code they wish with the privileges of the Web browser application. We have a very reliable exploit for this issue for demonstration purposes. This exploit will not be released until a fix is available.

The Android security architecture is very well constructed and the impact of this attack is somewhat limited by it. A successful attacker will have access to any information the browser may use, such as cookies used for accessing sites, information put into Web application form fields, saved passwords, etc. They may also change the way the browser works, tricking the user into entering sensitive information. However, they can not control other, unrelated aspects of the phone, such as dialing the phone directly. This is in contrast, for example, with Apple’s iPhone which does not have this application sandboxing feature and allows access to all features available to the user when compromised.

Miller and other ISE researchers last year found one of the first security problems with the iPhone, a flaw that enabled attackers to compromise the phones using a malicious Web page. The attack allowed an attacker to read the victim’s SMS messages, address book, call log and other stored data.

Google is aware of the problem with the G1 and is working on a fix.


Oct 24 2008   9:39AM GMT

Trojan exploiting MS08-067 RPC vulnerability



Posted by: Dennis Fisher
Microsoft Security, Information Security Threats

There are reports emerging Friday morning of a new Trojan exploiting the MS08-067 RPC vulnerability in Windows that Microsoft patched with an emergency fix yesterday. Known as Gimmiv.A, the Trojan propagates automatically through networks, and also installs a number of small programs on compromised machines. But its most worrisome capability is a feature that enables Gimmiv.A to find cached passwords in a number of locations and then send them off to a remote server. Before sending the data, the Trojan encrypts the passwords with AES.

From the ThreatExpert description of Gimmiv.A:

It starts from probing other IPs from the same network by sending them a sequence of bytes “abcde” or “12345”. The worm then attempts to exploit other machines by sending them a malformed RPC request and relying on a vulnerable Server service. As known, Server service uses a named pipe SRVSVC as its RPC interface, which is registered with UUID equal to 4b324fc8-1670-01d3-1278-5a47bf6ee188.

Next, Gimmiv.A submits a maliciously crafted RPC request that instructs SRVSVC to canonicalize a path “\c\..\..\AAAAAAAAAAAAAAAAAAAAAAAAAAAAA” by calling the vulnerable RPC request NetPathCanonicalize.

Microsoft had some information about Gimmiv.A in its description of the new vulnerability yesterday, saying the company had added signatures for the Trojan to the Microsoft Malware Protection Center and had shared the information with its AV partners as well.

The analysts at F-Secure have a good description of the Trojan’s behavior, too:

On execution, the malware drops a DLL component (which is also detected as Trojan-Spy:W32/Gimmiv.A) as

  • [System Folder]\wbem\sysmgr.dll

and injects it to svchost.exe. The main executable file will then delete itself.

As part of its routine for connecting to a remote server, the Trojan will take into account both the operating system version and the presence of any security applications in the system. The Trojan checks for the following antivirus programs:

  • BitDefender
  • avp.exe
  • Jiangmin
  • KasperskyLab
  • Kingsoft
  • Symantec
  • OneCare Protection
  • Rising
  • TrendMicro
  • dwm.exe

The trojan then connects to:

  • http://59.106.145.58/[...].php?abc=1?def=2

The two parameters ‘abc=’ and ‘def=’ are determined by the antivirus program and the operating system version, respectively. For example, if avp.exe is installed on an infected machine that runs Windows XP, then abc=1 and def=2.

The trojan then harvests the following information from the infected machine:

  • MSN Credentials
  • Outlook Express Credentials
  • Protected Storage Information
  • Username
  • ComputerName
  • Patches Installed
  • Browser Information
  • Username (web browsing)
  • Password
  • URL

Microsoft said in its advisory Thursday that the MS08-067 vulnerability could be a target for a worm, and other security experts warned of that possibility as well. Gimmiv.A does not seem to be a major threat right now, but these things have a way of gathering steam quickly once they get going.
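The ThreatExpert and F-Secure descriptions quoted above give a defender three observable stages to look for: the "abcde"/"12345" probe sweep across neighbouring hosts, the malformed NetPathCanonicalize call on the SRVSVC interface, and the HTTP callback with its "?abc=N?def=M" query. The following is an added example, not code from the post or from either vendor: three small detection functions run over constructed sample data (parsed DCERPC records, TCP flow summaries and proxy log lines in a made-up "timestamp src method url" format). The callback host 59.106.145.58 and the interface UUID come from the quoted write-ups; everything else, including the regular expressions and the sweep threshold, is this example's own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Indicators taken from the ThreatExpert / F-Secure descriptions quoted above.
SRVSVC_UUID = "4b324fc8-1670-01d3-1278-5a47bf6ee188"   # Server service RPC interface
GIMMIV_C2_HOST = "59.106.145.58"                        # callback host in the F-Secure write-up
PROBE_PAYLOADS = (b"abcde", b"12345")                   # pre-exploitation probe bytes
# Malformed canonicalize argument: repeated "\.." components followed by a long run of 'A'.
TRAVERSAL_RE = re.compile(r"(\\\.\.){2,}\\A{10,}")
# Query-string shape "...php?abc=<n>?def=<m>" (note the doubled '?', exactly as quoted).
C2_QUERY_RE = re.compile(r"\.php\?abc=\d+\?def=\d+")


@dataclass(frozen=True)
class Alert:
    rule: str
    src: str
    detail: str


def scan_rpc_events(events):
    """Flag NetPathCanonicalize calls on SRVSVC whose path argument looks malformed.
    `events` are parsed DCERPC records (constructed here; an IDS would supply real ones)."""
    alerts = []
    for ev in events:
        if ev.get("interface_uuid", "").lower() != SRVSVC_UUID:
            continue
        path = ev.get("path", "")
        if ev.get("operation") == "NetPathCanonicalize" and TRAVERSAL_RE.search(path):
            alerts.append(Alert("srvsvc-malformed-canonicalize", ev["src"], path))
    return alerts


def scan_probes(flows, min_targets=3):
    """Flag a host that sends the probe bytes to several neighbours: the sweep
    ThreatExpert describes as the step before the RPC request."""
    targets = defaultdict(set)
    for f in flows:
        if f["payload"] in PROBE_PAYLOADS:
            targets[f["src"]].add(f["dst"])
    return [Alert("lateral-probe-sweep", src, f"{len(dsts)} hosts probed")
            for src, dsts in sorted(targets.items()) if len(dsts) >= min_targets]


def scan_proxy_log(lines):
    """Flag requests to the published callback host, or with its query-string shape
    (the same malware family may move to another host; the shape is the sturdier signal)."""
    alerts = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        _ts, src, _method, url = parts[:4]
        if GIMMIV_C2_HOST in url:
            alerts.append(Alert("gimmiv-c2-host", src, url))
        elif C2_QUERY_RE.search(url):
            alerts.append(Alert("gimmiv-c2-query-shape", src, url))
    return alerts


# Constructed sample data: 10.0.0.12 behaves like an infected host, 10.0.0.20 is benign.
SAMPLE_FLOWS = [
    {"src": "10.0.0.12", "dst": "10.0.0.13", "payload": b"abcde"},
    {"src": "10.0.0.12", "dst": "10.0.0.14", "payload": b"12345"},
    {"src": "10.0.0.12", "dst": "10.0.0.15", "payload": b"abcde"},
    {"src": "10.0.0.20", "dst": "10.0.0.13", "payload": b"GET / HTTP/1.0\r\n"},
]
SAMPLE_RPC = [
    {"src": "10.0.0.12", "interface_uuid": SRVSVC_UUID, "operation": "NetPathCanonicalize",
     "path": "\\c\\..\\..\\" + "A" * 29},
    {"src": "10.0.0.20", "interface_uuid": SRVSVC_UUID, "operation": "NetPathCanonicalize",
     "path": "\\\\fileserver\\share\\docs"},   # ordinary, well-formed request
]
SAMPLE_PROXY = [   # "/placeholder.php" stands in for the elided path in the write-up
    "2008-10-24T09:41:12Z 10.0.0.12 GET http://59.106.145.58/placeholder.php?abc=1?def=2",
    "2008-10-24T09:41:13Z 10.0.0.12 GET http://203.0.113.9/stat.php?abc=3?def=1",
    "2008-10-24T09:42:00Z 10.0.0.20 GET http://example.com/index.html",
]


def run_all():
    """Run the three detectors over the constructed samples, in stage order."""
    return scan_probes(SAMPLE_FLOWS) + scan_rpc_events(SAMPLE_RPC) + scan_proxy_log(SAMPLE_PROXY)


if __name__ == "__main__":
    for a in run_all():
        print(f"{a.rule:32} {a.src:12} {a.detail}")
```

The probe sweep fires only after a threshold of distinct targets, so a single stray connection does not page anyone, and the proxy rule matches on the query shape as well as the host, since a host-only indicator goes stale the moment the operator moves.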


Oct 23 2008   3:25PM GMT

Microsoft RPC flaw could be worm bait



Posted by: Dennis Fisher
Microsoft Security, Information Security Threats

The vulnerability that Microsoft patched today with an out-of-band patch is about as serious as they come, allowing remote code execution on every supported version of Windows. The rare emergency patch–which is the first Microsoft has issued since early 2007–was prompted by the fact that the company has been seeing targeted attacks against the vulnerability on fully patched machines. The flaw, which is in the Server service, can be exploited through the use of specially crafted RPC requests, and the attacker does not need to be authenticated to exploit the weakness on Windows Server 2000, XP or Server 2003. But Microsoft officials said there are some mitigating factors in place on several versions of Windows. Specifically, Vista’s use of DEP and ASLR make it difficult for an attacker to exploit the flaw, and an attacker must be authenticated on both Vista and Server 2008 in order to reach the RPC service.

An unauthenticated attacker can trigger this vulnerability remotely for code execution on Windows Server 2000, Windows XP and Windows 2003. By default, Windows Vista and Windows Server 2008 require authentication. However, the attacker must be able to reach the RPC interface to exploit the vulnerability. In the default out-of-the-box scenario, the interface is not reachable due to the firewall enabled by default on Windows XP SP2, Windows Vista, and Windows Server 2008. Unfortunately, either one of the following two conditions exposes the RPC endpoint:

1) Firewall is disabled
2) Firewall is enabled but file/printer sharing is also enabled.

The new RPC flaw is causing flashbacks for many in the security community who remember the RPC DCOM vulnerability that the Blaster worm exploited in 2003. That worm hammered networks across the Internet and was one in a years-long line of worms such as Slammer, Code Red and Nimda. Those kinds of worms are largely a thing of the past now, but this latest vulnerability has all the makings of a worm hole.
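The bulletin text quoted above gives two exposure conditions for the RPC endpoint (firewall off, or firewall on with file/printer sharing on) and splits the affected platforms into those exploitable without authentication (2000, XP, 2003) and those that require it by default (Vista, Server 2008); the Jan. 21 Conficker post adds the obvious first check, whether MS08-067 is deployed at all. The following is an added example, not Microsoft's or the post's own code: it reads a constructed inventory in a made-up CSV layout and ranks hosts by how urgently they need the patch. KB958644 is the knowledge base id of the MS08-067 update (stated here from memory, not from the page), and the dummy "KB000001"-style ids in the sample are placeholders.

```python
import csv
import io
from dataclasses import dataclass

MS08_067_KB = "KB958644"   # KB id of the MS08-067 update (assumption: not stated on the page)
# Platform split per the bulletin text quoted above.
UNAUTH_EXPLOITABLE = {"Windows 2000", "Windows XP", "Windows Server 2003"}
AUTH_REQUIRED = {"Windows Vista", "Windows Server 2008"}


@dataclass(frozen=True)
class Host:
    name: str
    os: str
    firewall_enabled: bool
    file_sharing_enabled: bool
    hotfixes: frozenset


def parse_inventory(text):
    """Parse the constructed CSV layout: host,os,firewall,sharing,hotfixes (';'-separated)."""
    hosts = []
    for row in csv.DictReader(io.StringIO(text)):
        hotfixes = frozenset(h.strip() for h in row["hotfixes"].split(";") if h.strip())
        hosts.append(Host(row["host"], row["os"], row["firewall"] == "on",
                          row["sharing"] == "on", hotfixes))
    return hosts


def rpc_endpoint_exposed(h):
    """Microsoft's two conditions: firewall disabled, or enabled with file/printer sharing on."""
    return (not h.firewall_enabled) or h.file_sharing_enabled


def triage(h, kb=MS08_067_KB):
    """Return (priority, reason); lower priority number means fix first."""
    if kb in h.hotfixes:
        return 3, "patched"
    if not rpc_endpoint_exposed(h):
        return 2, "unpatched, RPC endpoint not reachable with current firewall state; patch anyway"
    if h.os in UNAUTH_EXPLOITABLE:
        return 0, "unpatched, RPC reachable, unauthenticated remote code execution possible"
    if h.os in AUTH_REQUIRED:
        return 1, "unpatched, RPC reachable, authentication required by default"
    return 1, "unpatched, RPC reachable, OS not recognised; treat as exposed"


def prioritise(hosts):
    """Hosts ordered by triage priority, then name, so the worst cases come first."""
    return sorted(hosts, key=lambda h: (triage(h)[0], h.name))


# Constructed sample inventory (KB000001/KB000002 are dummy ids, not real updates).
INVENTORY = """host,os,firewall,sharing,hotfixes
fs01,Windows Server 2003,on,on,KB000001;KB000002
ws17,Windows XP,on,off,KB958644
ws22,Windows XP,off,off,
dc02,Windows Server 2008,on,on,
lt05,Windows Vista,on,off,KB958644;KB000001
"""


def ranked_names(text=INVENTORY):
    return [h.name for h in prioritise(parse_inventory(text))]


if __name__ == "__main__":
    for h in prioritise(parse_inventory(INVENTORY)):
        prio, why = triage(h)
        print(f"P{prio} {h.name:6} {h.os:20} {why}")
```

The "not reachable" bucket is deliberately not marked safe: firewall state and sharing settings change, and the bulletin's own wording is that either condition exposes the endpoint, so the patch is the only durable fix.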


Oct 23 2008   10:04AM GMT

Critical out-of-band Microsoft patch coming today



Posted by: Dennis Fisher
Microsoft Security, Information Security Threats

Microsoft on Thursday will issue a rare out-of-band patch for a critical flaw that affects all versions of Windows from 2000 forward, including Vista and Server 2008. It’s not known exactly what vulnerability the fix is for, but Microsoft said the flaw allows remote code execution. The company usually issues patches outside of its normal scheduled monthly cycle when there is a vulnerability that is being actively exploited. The patch, which will be available on Microsoft’s security bulletin site later today, is rated critical. The company also will have a special webcast at 4 p.m. EDT today to explain the vulnerability and the patch.