There’s already a frenzy of speculation, analysis and, probably, development of malware surrounding the announcement of SockStress–the proof-of-concept program developed by two Dutch researchers to exploit an apparently heretofore unknown vulnerability in the TCP/IP stack. It started when they let the cat out of the bag in an interview that got the attention of Slashdot. I’m not going to dive in and add my opinion to the frenzy; however, this incident reinforces the idea that data and network security require constant vigilance and attention to protecting the data first (See The #1 Security Priority: Protect The Information).
Steve Gibson of Gibson Research Corporation presents a good sampling of the news surrounding this issue. There’s a lot that is (and isn’t) being said. The bottom line is that it’s a nasty vulnerability. It’ll be interesting to see how this develops.
Criminals are targeting Google AdWords customers with phony emails requesting the victim download a 128-bit SSL certificate. A client received this version (there are quite a few variations):
From: Google Adwords account [mailto:firstname.lastname@example.org]
Sent: Monday, September 29, 2008 8:52 PM
To: <potential victim>
Subject: Google Adwords Alert
Attention GOOGLE ADWORDS Customers!
For certain services, such as our advertising programs, we request 128-bit SSL security information which we maintain in encrypted form on secure servers.
We take appropriate security measures to protect against unauthorized access to our unauthorized alteration, disclosure or destruction of data.
Please download latest SSL protection certificate
Unprotected browsers will not be able to Log in after September 30, 2008
Sincerely, Genaro Escobar.
2008 Google Adwords, Developing new services.
Unsuspecting victims who click on the “Read more” link are taken to a malicious website where their machine is infected with a keylogger rootkit. The URL of the site varies, but is similar to this one:
Of course, the actual domain the person arrives at isn’t google.com, but, in this case, mekefri.com.
A good rundown on this attack can be found at: Digital Certificate Spammer Goes for Google Adwords
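The tell in this phish is the one the post points out: the mail talks about Google, but the link behind “Read more” lands on mekefri.com. The following added example (not from the original post, and not Google's or anyone's production filter) shows the check a mail gateway or a user-side script can apply to a message body: extract every anchor, compare the host the link actually goes to with the host the visible text claims, and flag links that leave the brand's domain. The sample HTML is constructed; the mekefri.com URL path is a placeholder, since the post does not reproduce the real one.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brand the message claims to come from (assumption: taken from the sender and
# subject of the phish quoted above; extend for other brands as needed).
CLAIMED_DOMAINS = ("google.com",)

# Constructed sample body: the phish's "Read more" link, a legitimate link, and a
# look-alike host that merely starts with google.com. Paths are placeholders.
SAMPLE_HTML = """
<p>Please download latest SSL protection certificate</p>
<a href="http://mekefri.com/PLACEHOLDER-path">Read more</a>
<a href="https://adwords.google.com/select/">https://adwords.google.com/select/</a>
<a href="http://google.com.mekefri.com/PLACEHOLDER-path">https://www.google.com/adwords</a>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL, or '' when it has none (mailto:, #anchor)."""
    return (urlparse(url).hostname or "").lower()


def belongs_to(host, domain):
    """True when host is domain itself or a subdomain of it.

    A label-aware suffix test, not a substring test, so that
    'google.com.mekefri.com' does NOT count as belonging to google.com.
    """
    return host == domain or host.endswith("." + domain)


def suspicious_links(html):
    """Return (href, reason) for links that do not go where the message implies."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        if not target:
            continue
        # Case 1: the visible text is itself a URL, but on a different host.
        shown = host_of(text) if "://" in text else ""
        if shown and not belongs_to(target, shown):
            findings.append((href, f"text shows {shown}, link goes to {target}"))
            continue
        # Case 2: the message claims a brand, but the link leaves that brand's domain.
        if not any(belongs_to(target, d) for d in CLAIMED_DOMAINS):
            findings.append((href, f"{target} is not under {', '.join(CLAIMED_DOMAINS)}"))
    return findings


if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_HTML):
        print(f"SUSPICIOUS {href}: {reason}")
```

Run against the sample, the legitimate adwords.google.com link passes and the two mekefri.com links are flagged, one because the target host is outside google.com and one because the displayed URL and the real target disagree.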
According to US-CERT’s latest alert, “Multiple Web Browsers Affected by Clickjacking,” there’s a new cross-browser exploit technique called “Clickjacking.” One report suggests that, “With Clickjacking attackers can do quite a lot. Some things that could be pretty spooky.” According to the CERT article:
Clickjacking gives an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable. Therefore, if a user clicks on a web page, they may actually be clicking on content from another page. A separate report indicates that this flaw affects most web browsers and that no fix is available, but that disabling browser scripting and plug-ins may help mitigate some of the risks.
A ZDNet blog posting, Firefox + NoScript vs Clickjacking, reports that the Firefox plugin NoScript, written by Giorgio Maone, is effective against the most dangerous aspects of the exploit. In an email to ZDNet blogger Ryan Naraine, Maone said this about the exploit:
1. It’s really scary
2. NoScript in its default configuration can defeat most of the possible attack scenarios (i.e. the most practical, effective and dangerous) — see this comment by Jeremiah Grossman himself.
3. For 100% protection by NoScript, you need to check the “Plugins|Forbid iframe”[options]
Understandably, there’s not much specific information available about the exploit, but most experts agree that there’s no simple fix for it. In his blog post, Naraine said “I also received private confirmation from a high-level source at an affected vendor about the true severity of this issue. In a nutshell, I was told that it’s indeed ‘very, freaking scary’ and ‘near impossible’ to fix properly.”
For now, everyone should immediately disable scripting and iframes in whatever browser they’re using. Firefox users should install NoScript and set the “Plugins | Forbid iframe” option as noted above. I also recommend that everyone review US-CERT’s article “Securing Your Web Browser” to ensure maximum protection against this and other security risks.
I’ll keep you posted on further developments and suggestions for additional protection as the story unfolds.
I stumbled across this nifty free tool when running an online scan at Trend Micro’s HouseCall site. Botnets are a big problem, accounting for most of the spam on the Internet, not to mention their use in stealing financial information and launching denial-of-service (DoS) attacks. RUBotted (Beta) “…monitors your computer for suspicious activities and regularly checks with an online service to identify behavior associated with Bots. Upon discovering a potential infection, RUBotted prompts you to scan and clean your computer.” Note that this tool doesn’t clean anything–you still have to use antivirus software. Alternatively, you can take advantage of one of the many online malware scanners.
The tool runs on Windows 2000, Windows XP Home and Professional, Windows 2003 Server, and Windows Vista (32-bit only), providing the latest service packs are installed. There’s one caveat, however: Trend says, “RUBotted cannot protect computers running Panda Internet Security 2008.”
I hope that this effort by Trend starts a trend (pun intended) of vendors providing similar secure computing software, perhaps incorporating bot removal tools to boot. We’ll see.
A variant of Win32/Zlob is being spread by cybercriminals via the fake video codec trick. Through misdirection or outright deception (including social engineering), users are sent to a site that has what appears to be embedded video. When they arrive at the page, there’s a message in the viewer similar to the one shown at “The ZLOB Show: Trojan Poses as Fake Video Codec, Loads More Threats.” If the user falls for the trick, Zlob trojan is downloaded and installed.
The variant, posing as “MediaTubeCodec.1.220.2.exe”–a name that should arouse suspicion in savvy users, but probably looks “official” to the unenlightened–was recently analyzed by Microsoft (see “Another Reason to Avoid Piracy” in their Microsoft Malware Protection Center blog). Microsoft updated its detection signatures to detect this variant as TrojanDownloader:Win32/Zlob.gen!CD. If diagnostics on a user’s PC (netstat, for example) reveal connections to any of the following, assume infection and take appropriate action:
According to the blog, “Only the first two are responding at the time of writing—both appear to be running nginx [pronounced "engine X"] (a lightweight web/mail server), one server is hosted in the USA and the other in China. So please folks—avoid piracy, and be wary when a website insists that you download a new codec in order to watch a video or listen to a song.”
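The post's advice is a host-based check: look at what the machine is talking to and compare it against the known Zlob hosts. This added example (not from the original post or from Microsoft) parses `netstat -an` output in the Windows format and reports any peer that matches an indicator list. Because the post does not reproduce the host list, the indicator set below uses constructed documentation-range addresses (RFC 5737) as placeholders, and the netstat text is likewise constructed; substitute the real hosts from the Microsoft blog entry before using it.

```python
# Placeholder indicators: constructed RFC 5737 documentation addresses, NOT the real
# Zlob hosts, which this page does not reproduce. Replace with the published list.
ZLOB_IOCS = {"192.0.2.10", "198.51.100.7"}

# Constructed sample of `netstat -an` output on Windows XP, including an IPv6 listener
# and a UDP wildcard line, so the parser is exercised on the awkward cases too.
SAMPLE_NETSTAT = """\

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1045       192.0.2.10:80          ESTABLISHED
  TCP    192.168.1.5:1046       198.51.100.7:80        SYN_SENT
  TCP    192.168.1.5:1047       203.0.113.9:443        ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    0.0.0.0:500            *:*
"""


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); handles '[v6addr]:port' and '*:*'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def parse_netstat(text):
    """Yield (proto, local_host, remote_host, state) for each TCP/UDP line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # blank line, the header, or something we do not understand
        local_host, _ = split_endpoint(fields[1])
        remote_host, _ = split_endpoint(fields[2])
        state = fields[3] if len(fields) > 3 else ""  # UDP lines carry no state
        yield fields[0], local_host, remote_host, state


def find_ioc_connections(text, iocs=ZLOB_IOCS):
    """Return (proto, remote_host, state) for every socket whose peer is an indicator.

    LISTENING sockets have no peer and are skipped. Every other state counts:
    a SYN_SENT towards a download host is as telling as an ESTABLISHED session,
    and the post's servers were only intermittently responding.
    """
    hits = []
    for proto, _local, remote, state in parse_netstat(text):
        if state == "LISTENING":
            continue
        if remote in iocs:
            hits.append((proto, remote, state))
    return hits


if __name__ == "__main__":
    for proto, remote, state in find_ioc_connections(SAMPLE_NETSTAT):
        print(f"{proto} to known Zlob host {remote} ({state}): assume infection")
```

On the sample this reports the two placeholder hosts and ignores the unrelated 203.0.113.9 session and the listeners. A match is grounds to treat the machine as infected, as the post says; the absence of a match proves nothing, since the downloader only needs to connect briefly.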
Security’s a serious subject, sometimes causing us to get a bit too deep in concern over the potential and real threats we face. So, today I’m going to lighten it up with a bit of humor. In the sixties and seventies, it was common to see this sign posted in mainframe computer rooms:
Alle touristen und non-technischen lookenpeepers! Das machine is nicht fur fingerpoken und mittengrabben. Is easy schnappen der springenwerk, blowenfusen und poppencorken mit spitzen sparken. Das machine is diggen by experten only. Is nicht fur gerwerken by das dummkopfen. Das rubbernecken sightseeren keepen das cottenpicken hands in das pockets. Relaxen und watchen das blinkenlights.
I was amused to find that there’s now an Internet version:
Das Internet is nicht fuer gefingerclickend und giffengrabben. Ist easy droppenpacket der Routers und overloaden der Backbone mit der spammen und der me-tooen. Ist nicht fuer gewerken bei die Dummkopfen. Die mausklicken Sightseeren keepen das Bandwidth-spewen Hands in die Pockets muss; relaxen und watchen das cursorblinken.
When I get a round tuit, I’m going to do a security version.
According to US-CERT, the cybercriminals who are foisting fake antivirus programs, such as Antivirus XP 2008 and 2009, off on innocent users are now doing more than just ripping people off for the purchase price of their worthless programs–they’re going after personal and financial information. “If the user purchases the bogus software, the attacker may be able to obtain personal and credit card information for use in additional scams and fraudulent activity,” US-CERT reports. Their site has some recommendations on preventive measures to take.
US-CERT encourages users to perform the following preventative measures to help mitigate the risks:
- Install legitimate antivirus software from a trusted vendor, and keep its virus signature files up-to-date.
- Do not follow unsolicited web links found in email messages or instant messages.
- Use caution when visiting untrusted websites.
- Do not install untrusted software.
My bootable Linux thumb drive virus scanner will remove this infection, but the best thing is not to get infected in the first place.
Be careful out there.
When I discuss security with people who aren’t security-focused, they often ask where I get my information. I usually generalize, telling them I subscribe to several security newsletters and check the web frequently. I do that to avoid a long-winded discussion of the whys and wherefores of my sources, not to hide them. This post will serve as a good reference for those who are truly interested in learning more about security in general and security issues in particular. So, I present my top five security information resources:
- Security Now! podcast produced by Leo Laporte of Twit.tv with Steve Gibson of GRC.com. The longest running security podcast on the ‘Net, with Episode 161 just released. Thousands of individuals, sys admins, and other security-minded professionals–many of whom have been listening to the podcast since Episode 1–rely on Steve’s unique insight into security issues.
- SANS Institute. As their site asserts, and I concur, “SANS is the most trusted and by far the largest source for information security training and certification in the world. It also develops, maintains, and makes available at no cost, the largest collection of research documents about various aspects of information security, and it operates the Internet’s early warning system – Internet Storm Center.”
- Dark Reading.com. In-depth security news, analysis, opinion, and product reviews.
- The Register–Security. Lots of IT news with an edge. Check it out and you’ll see.
- Secunia.com. If not the leading vulnerability intelligence provider and distributor in the world, they’re very close. Their advisories are top notch; their software advisor is a must-use tool.
What sources do you rely on? Comments welcome.
It’s funny how sometimes we take for granted things like Microsoft’s Malicious Software Removal Tool (MSRT). That’s probably because it doesn’t do much to make its presence known. Every month, Microsoft offers MSRT (890830) through automatic updates and on the Windows Update site. Once installed, the tool runs in the background and quietly does its job. Many people don’t even know that MSRT can be run from the Microsoft.com website or downloaded and run at will.
System administrators and security researchers benefit from the reporting component that MSRT uses to send malware data to Microsoft. The Microsoft Malware Protection Center Threat Research & Response Blog regularly provides reports on the state of security and is an excellent resource for Internet security issues. “Cleaning Over 10 Million IRC Bots,” posted on September 8, 2008, for example, has a graph that clearly shows a general downward trend in IRC bots activity.
No doubt about it: MSRT and the related websites are powerful additions to anyone’s secure computing toolkit.
Forgive me if I brag a bit in this post, but I think I earned the right. You be the judge.
Last weekend, I noticed strange behavior on my home system. ESET Smart Security kept reporting that it had “found and quarantined m.exe, probably a variant of Win.Qhost trojan.” Every time I plugged in a USB thumb drive, ESET would pop up with the message. I couldn’t run HijackThis. If I tried to go to certain antivirus websites–Avira in particular–my browser closed. Sysinternals Process Explorer wouldn’t run. My thumb drive showed two hidden files: Autorun.inf and m.exe. Hmmm. Running ipconfig /displaydns revealed multiple connections to porn and malware sites. Searching Google led me to some tools that eventually fixed my problem at home. Turns out I had a bigger problem.
Apparently, I had picked up the infection from a client’s Exchange server and during my weekly tour there, I found that the tools I used on my XP machine wouldn’t run on Windows Server 2003. I tried everything in my arsenal; no tool found anything wrong. This thing was very stealthy; even Safe Mode didn’t disable it. I was about to give up. Then I remembered that I’d recently finished making up a bootable Linux thumb drive virus scanner using the AntiVir rescue CD, a tool that allows offline scanning (thank you, Avira, you made it a little easier for me). I booted the server to the thumb drive, ran the scan, rebooted the server, and voila! The infection was gone.
There’s a whole backstory to this incident that I won’t bore you with. Suffice it to say that I’m glad I put in the hours of hacking and research to come up with a really useful tool that I was able to use to help a client. Veni! Vidi! Vici!
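The first visible symptom in the story above was a thumb drive carrying two hidden files, Autorun.inf and m.exe, which is the standard way USB-spreading trojans get themselves launched on each machine the drive is plugged into. The following added example (my own illustration, not the post author's tool) inspects the root of a removable drive: it parses autorun.inf, lists every executable the file would launch (`open`, `shellexecute` and any `shell\...\command` entry), and reports whether that executable is present and hidden. The autorun.inf content is constructed in the style of such droppers, using the file names from the post; `demo()` builds a throwaway directory standing in for the drive.

```python
import configparser
import os
import tempfile

FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows st_file_attributes bit; absent on other platforms

# Constructed autorun.inf in the style of USB-spreading trojans: every launch key points
# at the dropped executable, and a friendly "action" text masks the entry in AutoPlay.
SAMPLE_AUTORUN = """\
[autorun]
open=m.exe
shellexecute=m.exe
shell\\open\\command=m.exe
icon=m.exe
action=Open folder to view files
"""


def autorun_launch_targets(inf_text):
    """Return the executables an autorun.inf would run, in order, without duplicates."""
    cp = configparser.ConfigParser(
        strict=False,          # real-world files repeat keys
        interpolation=None,    # '%' in paths must not be expanded
        allow_no_value=True,   # tolerate junk lines that have no '='
        delimiters=("=",),     # ':' is a path character here, not a delimiter
    )
    cp.read_string(inf_text)
    if not cp.has_section("autorun"):
        return []
    targets = []
    for key, value in cp.items("autorun"):  # ConfigParser lower-cases the keys
        if not value:
            continue
        launches = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if launches:
            exe = value.split()[0].strip('"')  # drop arguments and surrounding quotes
            if exe not in targets:
                targets.append(exe)
    return targets


def _find_case_insensitive(root, name):
    """Locate a file directly under root regardless of case (FAT/NTFS ignore case)."""
    for entry in os.listdir(root):
        if entry.lower() == name.lower():
            return os.path.join(root, entry)
    return None


def is_hidden(path):
    """True when the Windows hidden attribute is set; always False elsewhere."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN)


def inspect_drive(root):
    """Report each launch target of root/autorun.inf and whether it is present/hidden."""
    inf = _find_case_insensitive(root, "autorun.inf")
    if inf is None:
        return []
    with open(inf, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    findings = []
    for target in autorun_launch_targets(text):
        path = _find_case_insensitive(root, target)  # root-level targets only
        findings.append({
            "target": target,
            "present": path is not None,
            "hidden": path is not None and is_hidden(path),
        })
    return findings


def demo():
    """Build a throwaway 'thumb drive' with the constructed files and inspect it."""
    with tempfile.TemporaryDirectory() as drive:
        with open(os.path.join(drive, "Autorun.inf"), "w") as fh:
            fh.write(SAMPLE_AUTORUN)
        with open(os.path.join(drive, "m.exe"), "wb") as fh:
            fh.write(b"MZ")  # stub bytes; no real executable is needed for the check
        return inspect_drive(drive)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

An autorun.inf whose launch target is an executable sitting on the drive itself, hidden or not, is the signature the post describes and is enough to keep the drive out of any machine until it has been scanned offline. The parser tolerates repeated keys and junk lines, but a deliberately mangled file may still defeat it; the presence of any autorun.inf plus an unexplained executable in the root is reason enough to be suspicious.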