Web


Following the Trail of Web-based Malware

Recently a client of mine alerted me to an email that was received by one of their HR staff members.  The body of the email is shown below:

Despite having received security awareness training, the staff member clicked on the link thinking this was a document that needed to be reviewed.  In actuality, it was a link to a malicious site. Fortunately, there were technical controls in place that prevented the user’s machine from being compromised, but I thought it would be illuminating to follow the trail of this attack.

Step 1

The email bypassed the client’s anti-spam and anti-malware defenses most likely because the link in the email was actually to a legitimate website rather than a known malicious site, the email came from a well known email provider, and there was little else in the message.  Below is the actual html contained in the email.  Notice the part in bold as this is the hyperlink used in the email.

After our legal department studied this contract carefully, they’ve noticed the following mismatches with our previous arrangements. We’ve composed a preliminary variant of the new contract, please study it and make sure that all the issues are matching your interests
neymix.cuna.org/blog/wordpress/wsdno.htm?M0DJ854=318L77Y4SFO&3L6=G2DGZ8C9F2O9DV2LFX&99G2R=I996N6O9B3WJQ8DVL&FV882F6=5CFM197E9&”>Contract.doc 72kb

With Best Wishes
Elvina Riggs

Secure Checksum: 9d08e1116b5<br>

Step 2

Once the user clicked on the link, they were taken to the site hxxp://moneymix.cuna.org.  This is a legitimate site operated by the Credit Union National Association, a credit union trade association.  Moneymix is a service offered by the association to other credit unions to provide social media content to the websites of credit unions that sign up for the service.  Hackers had injected a malicious iframe on this website that would then redirect the user to hxxp://ciredret.ru/main.php.

Step 3

The main.php script contained javascript that attempted to exploit several potential vulnerabilities on the user’s machine.  I was able to download the script and analyze it.  By inserting an “alert” statement into the script just prior to the actual execution of the code, we can get a good idea of what the script does. Below is a sample of the output:


This exploit checks the installed versions of a number of applications including browsers, java, flash and Adobe reader.  If it finds a vulnerable version, it attempts to exploit the vulnerability and compromise the machine.  This code appears to be very widely used as I found numerous copies of it on sites such as Pastebin.  A more readable version of the above code can be found .  Given that this script is being used on so many sites, it seems likely that it is part of one of the many commercial exploit packs that are available on the web.

Conclusion

Based on this research we can draw some conclusions about appropriate countermeasures to address this type of threat.  First, user awareness is key. Users must be educated about these types of threats so that they can identify and avoid them. Second, defense in depth is a must.  In this case the client had anti-spam and anti-malware technology on their mail gateway, but this threat still made it through. Additional countermeasures such as a web security gateway or proxy server are also recommended.  The last line of defense would be on the endpoint itself. Third, it is important to understand that even legitimate websites can be victimized and used to spread malware. Don’t assume that because a site is well known or in a particular industry that it is safe. Lastly, keep your systems patched, including third party applications. Ninety-five percent of known exploits are useless against a fully patched system.

Note: I contacted the administrators of the Credit Union National Association website to advise them of the fact that their site was compromised. To their credit they removed the offending file very quickly.

Affiliate marketing is a very popular way for people to make money from their websites.  Most websites that charge membership fees have affiliate marketing programs whereby they pay others for driving traffic to their sites. Usually the affiliate will receive  a certain percentage of the money spent by each person that signs up for a service or buys a product that was referred by the affiliate site.  For example, Amazon has a huge affiliate program where it will share revenue with affiliates that drive traffic to Amazon that results in a sale.

Affiliate marketing is very widespread in the online adult entertainment industry. Just about every adult website has an affiliate program, and it is not uncommon for scammers to look for ways to take advantage of these programs in an effort to make quick money, even if it means committing fraud to do it.  I was recently informed by a large payment gateway operator of an affiliate scam that is currently in operation in the adult arena.  Here is how it works:

First, the scammers establish affiliate relationships with legitimate websites that have generous affiliate payouts.  Then the scammers create a website of their own with teaser content that is likely to generate interest.  The site requires a fee of X dollars for full access to the site, which in actuality has little or no content.  Of course viewers won’t discover this until after they have signed up for the site and provided the scammers with their credit card information.  The scammers then take that credit card information and use it to sign up with one of the websites with which they have an affiliate relationship. The scammers will then collect the affiliate payout from their affiliate partner sites.

Based on the information I have received, the elements listed below have been associated with this latest scam:

  • Billing Phone:
  • Billing Email: 
  • Email: 
  • Email: 
  • Email: 
  • Company Name: Anton Dzarty

Additionally, it seems that a payment gateway operating out of Germany called is associated with this scam and is injecting the harvested details directly into payment pages of merchants.  I would advise all merchants with affiliate programs to search their databases for any of the above information and to scrutinize traffic coming from the gateway.  Currently this scam is focusing on those merchants in the adult space, but it is likely that this will spread to other markets with big affiliate programs as well.

A new Apache DoS vulnerability was reported recently by security researcher Kingcope on the mailing list that affects most default installations of Apache 1.3/2.x.  This report also included a working exploit called that has been shown to reliably exhaust the memory of the web server and cause it to crash.  RedHat has released an  related to this vulnerability.  Currently there is no patch available for this issue.

This exploit generates a very large range header value such as shown below:

Range: bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10,5-11,5-12,5-13,5-14,5-15,5-16,5-17,5-18,5-19,5-20,5-21,5-22,5-23,5-24,5-25,5-26,5-27,5-28,5-29,5-30,5-31,5-32,5-33,5-34,5-35,5-36,5-37,5-38,5-39,5-40,5-41,5-42,5-43,5-44,5-45,5-46,5-47,5-48,5-49,5-50,5-51,5-52,5-53,5-54,5-55,5-56,5-57,5-58,5-59,5-60,5-61,5-62,5-63,5-64,5-65,5-66,5-67,5-68,5-69,5-70,5-71,5-72,5-73,5-74,5-75,5-76,5-77,5-78,5-79,5-80,5-81,5-82,5-83,5-84,5-85,5-86,5-87,5-88,5-89,5-90,5-91,5-92,5-93,5-94,5-95,5-96,5-97,5-98,5-99,5-100,5-101,5-102,5-103,5-104,5-105,5-106,5-107,5-108,5-109,5-110,5-111,5-112,5-113,5-114,5-115,5-116,5-117,5-118,5-119,5-120,5-121,5-122,5-123,5-124,5-125,5-126,5-127,5-128,5-129,5-130,5-131,5-132,5-133,5-134,5-135,5-136,5-137,5-138,5-139,5-140,5-141,5-142,5-143,

–CUT–

1268,5-1269,5-1270,5-1271,5-1272,5-1273,5-1274,5-1275,5-1276,5-1277,5-1278,5-1279,5-1280,5-1281,5-1282,5-1283,5-1284,5-1285,5-1286,5-1287,5-1288,5-1289,5-1290,5-1291,5-1292,5-1293,5-1294,5-1295,5-1296,5-1297,5-1298,5-1299

Accept-Encoding: gzip

This in turn causes Apache to make separate copies of the requested resource on the server which consumes memory resources, eventually causing the server to start swapping and ultimately to crash.  There is a web site that discusses the issue in great depth.

Fortunately, there are some Apache configuration settings that can be adjusted to mitigate this vulnerability:

  • Use mod_headers to completely disallow the use of Range headers.  For example, in your httpd.conf file add the lines:

RequestHeader unset Range 

RequestHeader unset Request-Range

Note that this may impact certain clients, particularly if a web server is used for serving content to e-Readers or providing streaming video. However, this should be safe for most websites that are not serving this type of content.

  • Limit the size of the request field to only a few hundred bytes.  For example, in your httpd.conf file add the line:

LimitRequestFieldSize 200

While this will keep the offending Range header short, it may break other headers, such as a large cookie or security-related header settings.  Also, as the attack evolves you may have to lower this limit further or impose other LimitRequestFields settings.

  • Configure Apache to detect a large number of ranges in the request header and then either ignore the header or reject the request. For example, add the following lines to your httpd.conf file:

SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range

The value 5 is arbitrary and may need to be made larger depending on the type of content your site serves. For example, the value may need to be increased to 10 for sites that serve PDFs to eReaders or that serve other types of large files such as video.

  • Finally, if you are using mod_security you can use the below rule to detect and block the attack.  Thanks to for this bit of code.

SecRule REQUEST_HEADERS:Range "^bytes=(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\," \
"phase:2,capture,rev:'2.2.1',t:none,block,msg:'Range: Too many fields',logdata:'%{matched_var}',severity:'5',id:'958231',tag:'RULE_MATURITY/5',tag:'RULE_ACCURACY/7',tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}',tag:'PROTOCOL_VIOLATION/INVALID_HREQ',tag:'http://www.bad-behavior.ioerror.us/documentation/how-it-works/',setvar:'tx.msg=%{rule.msg}',setvar:tx.id=%{rule.id},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"

I believe that most sites could easily implement the first option (denying Range headers altogether) without any negative impact to site viewers.   I have tried all of these mitigation strategies on my web server and have not seen any adverse results.  Of course, you should always test these changes in a non-production environment prior to implementing on your production servers.
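To make the Range-counting logic behind the SetEnvIf and mod_security mitigations concrete, here is an added Python example (written for this page, not part of the original post or of Apache) that parses a Range header value, counts the range specs, counts how many of them overlap earlier ones (the attack header repeats the same start byte over and over), and applies the same `(,.*?){5,}` expression the SetEnvIf directive uses. The threshold of five and the sample header values are assumptions constructed for the example; the attack-shaped sample is deliberately truncated to a handful of ranges.

```python
import re

# Threshold borrowed from the SetEnvIf mitigation above: five or more
# comma-separated ranges is treated as abusive. Assumed value; tune per site.
MAX_RANGES = 5

# The same expression the SetEnvIf directive uses: matches when the header
# value contains at least five commas (i.e. six or more range specs).
SETENVIF_PATTERN = re.compile(r"(,.*?){5,}")


def parse_byte_ranges(header_value):
    """Parse a Range value such as "bytes=0-,5-0,5-1" into (start, end) tuples.

    start is None for suffix ranges ("-500"), end is None for open-ended
    ranges ("0-"). Malformed specs are skipped rather than raising.
    """
    value = header_value.strip()
    if not value.lower().startswith("bytes="):
        return []
    ranges = []
    for spec in value[len("bytes="):].split(","):
        start, sep, end = spec.strip().partition("-")
        if not sep or not (start.isdigit() or end.isdigit()):
            continue
        ranges.append((int(start) if start else None, int(end) if end else None))
    return ranges


def count_overlaps(ranges):
    """Count ranges that overlap an earlier one. Legitimate clients rarely ask
    for the same bytes twice, whereas the attack header repeats start=5."""
    absolute = sorted(
        (s, float("inf") if e is None else e) for s, e in ranges if s is not None
    )
    overlaps, max_end = 0, -1
    for start, end in absolute:
        if start <= max_end:
            overlaps += 1
        max_end = max(max_end, end)
    return overlaps


def assess_range_header(header_value, max_ranges=MAX_RANGES):
    """Return a dict describing the header and whether it should be rejected."""
    ranges = parse_byte_ranges(header_value)
    result = {
        "ranges": len(ranges),
        "overlapping": count_overlaps(ranges),
        "setenvif_match": bool(SETENVIF_PATTERN.search(header_value)),
    }
    result["verdict"] = "reject" if result["ranges"] >= max_ranges else "allow"
    return result


# Constructed sample values (not captured traffic): the first mimics the shape
# of the header shown in the post, cut down to 20 ranges; the others are benign.
SAMPLE_ATTACK = "bytes=0-," + ",".join("5-%d" % i for i in range(20))
SAMPLE_BENIGN = "bytes=0-499,1000-1499"
SAMPLE_SINGLE = "bytes=0-"

if __name__ == "__main__":
    for label, value in (("attack", SAMPLE_ATTACK),
                         ("benign", SAMPLE_BENIGN),
                         ("single", SAMPLE_SINGLE)):
        print(label, assess_range_header(value))
```

The overlap count is the more useful signal when you need a threshold higher than five: a PDF reader may legitimately request ten disjoint ranges, but a header whose ranges all cover the same bytes has no legitimate purpose.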

While there is nothing surprising these days about finding a website that contains malicious code, it is educational to investigate them in order to determine how the bad guys are using the web to scam people and make money.  A recent documents the increased use of javascript by attackers in their attempts to install malware on victim machines.  Recently I came across a site with some malicious javascript that caught my attention. In this article I will detail how the javascript works in its attempt to download and install malware on unsuspecting visitors’ machines.

The site in question is hxxp://www.dompimps.com. Do not attempt to access this site unless you know how to protect your machine or else you may find yourself dealing with a nasty infection (and this one won’t be treatable with antibiotics). I attempted to notify the owners of the site to alert them to the malicious javascript, but I have not received any response. It is impossible to know if this malicious code was installed by the site owners themselves or if it was injected by a hacker who took advantage of a vulnerability in the site. In either case, the result is the same for visitors to this site.

The screen shot below shows the malicious javascript that exists on this site.

Interestingly, no attempt is made to obfuscate this code which frequently is the case with malicious javascript in order to make detection more difficult.  The result when someone visits hxxp://www.dompimps.com is that the javascript will be executed by the browser which will then load hxxp://onlineisdudescars.com/js.php.   This site has an IP address of and appears to be registered in Latvia.  And this is where things get interesting.  I submitted this URL to Anubis for analysis and used the provided network trace to determine exactly what this PHP script does.  The below screen shot shows the pertinent part of this PHP script and how it attempts to install its malware.

As can be seen, the js.php script makes a call to hxxp://www3.netsurfingprotectionuc.rr.nu/?9247dcba5c=m%2Bzgl2uglqasm%2BLPzaualubj4KKbpZ%2Bk0KWbYKWklJI%3D which has an IP address of and appears to be registered in Virginia.  This site actually serves up the scareware that attempts to install rogue anti-virus software and infect your machine.  It is particularly persistent and requires you to kill your browser via task manager in order to get away from the site.

Since I started working on this article last week, the js.php script on hxxp://onlineisdudescars.com has been updated and now refers to hxxp://www4.lawcps-safe.rr.nu/?944184a698=m%2BzgmGuekqmcluOW156Zi6Lm3mvUpnJpaGFvZpFrmlw%3D rather than hxxp://www3.netsurfingprotectionuc.rr.nu/?9247dcba5c=m%2Bzgl2uglqasm%2BLPzaualubj4KKbpZ%2Bk0KWbYKWklJI%3D.  Hackers frequently change the source of their malware distribution points to make detection more difficult and help prevent their sites from being exposed and possibly taken offline.

The process described in this article is very typical of how hackers use javascript to install malware on unsuspecting users browsing the web.  There are often two or three hosts involved with the first one being used to distribute the javascript that has either been placed on a web server without the knowledge of the owners (e.g. via SQL injection) or on purpose by the site owners.  The javascript will redirect to another site that either actually attempts to install the malware or possibly uses redirection to yet another site that will actually host the malware.  By using this series of redirections and changing the intermediate hosts/URLs occasionally, it is much more difficult to track down the people behind the scam.  Understanding how the bad guys use web technology to conduct their attacks can help all of us defend our networks from them.

It is interesting how a minor home improvement project can result in the discovery of a hack on a major retail website.  It all started with a simple Google search for “home depot stair spindles”.

The first unpaid result in the search is hxxp://www6.homedepot.com/stairparts/gallery.html as shown above.

As it turns out, there is an invisible iframe in this page that links to the external site vwui.in on port 8080 as shown below.

As can be seen in the screenshot, the below code has been injected into the page:

The site vwui.com is listed as a malicious site by both Google and StopBadWare with one listing going back to July of 2009.
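Both this Home Depot page and the cuna.org site in the first article above were compromised with an injected iframe that the visitor never sees. The following Python example is added here for illustration and is not code from the original post or from either site. It collects every iframe in a page with the standard-library HTML parser and reports the traits that typify an injected frame: hidden via CSS, zero-size, pointing at a host other than the page's own, or using a non-standard port such as 8080. The sample page and the host names in it are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# CSS fragments that make a frame invisible; spaces are stripped before matching.
HIDDEN_STYLE_MARKERS = ("display:none", "visibility:hidden")


def _is_zero_dimension(value):
    """True for width/height attributes such as "0" or "0px"."""
    digits = str(value).strip().lower().rstrip("px").strip()
    return digits.isdigit() and int(digits) == 0


class IframeCollector(HTMLParser):
    """Collect the attribute dictionary of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({name.lower(): (value or "") for name, value in attrs})


def classify_iframe(attrs, page_host):
    """Return the reasons an iframe looks injected; an empty list means it looks normal."""
    reasons = []
    style = attrs.get("style", "").replace(" ", "").lower()
    if any(marker in style for marker in HIDDEN_STYLE_MARKERS):
        reasons.append("hidden via CSS")
    if _is_zero_dimension(attrs.get("width", "1")) or _is_zero_dimension(attrs.get("height", "1")):
        reasons.append("zero-size frame")
    target = urlsplit(attrs.get("src", ""))
    # Any host other than the page's own is treated as external. A production
    # scanner would compare registrable domains so that the site's own
    # sub-domains pass; kept simple here.
    if target.hostname and target.hostname != page_host:
        reasons.append("external source host %s" % target.hostname)
    if target.port not in (None, 80, 443):
        reasons.append("non-standard port %d" % target.port)
    return reasons


def find_suspicious_iframes(html, page_host):
    """Return [(src, reasons)] for every iframe that trips at least one check."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        reasons = classify_iframe(attrs, page_host)
        if reasons:
            findings.append((attrs.get("src", ""), reasons))
    return findings


# Constructed sample page (not the Home Depot or cuna.org markup): one normal
# same-site frame and one hidden, zero-size frame pointing at a host on port 8080.
SAMPLE_PAGE = """<html><body><h1>Stair parts gallery</h1>
<iframe src="/gallery/embed.html" width="300" height="100"></iframe>
<p>...</p>
<iframe src="http://injected-host.invalid:8080/index.php" width="0" height="0"
        style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_PAGE, "www.example.com"):
        print(src, "->", "; ".join(reasons))
```

Running this over a saved copy of a page (or over a crawl of your own site) is a cheap integrity check that would have surfaced both compromises described on this page long before a visitor complained.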

After I discovered this hack I decided to investigate the vwui.in site to try and determine what type of malware it was hosting.  As it turns out, this domain no longer resolves.

[prompt ~]$ host vwui.in
Host vwui.in not found: 3(NXDOMAIN)

StopBadWare lists the IP associated with this domain as which according to the whois database belongs to ThePlanet.com Internet Services.

[prompt ~]$ whois
[Querying whois.arin.net]
[whois.arin.net]
Optical Jungle EVRY-753 (NET-209-85-51-0-1) 209.85.51.0 –
ThePlanet.com Internet Services, Inc. NETBLK-THEPLANET-BLK-EV1-15 (NET-209-85-0-0-1) 209.85.0.0 –

Furthermore, when accessing this IP in a browser it redirects to hxxp://searchmanified.com which also appears to be serving up some type of malware.

So how did this page on Home Depot’s website get compromised?  While it’s not possible for me to know for certain without doing a complete investigation, I can make an educated guess.  Typically, these types of attacks use one of several attack vectors:

  • Compromised FTP credentials due to a weak password
  • Brute force compromise of server credentials
  • SQL injection

Back in 2009 tens of thousands of web sites were injected with hidden iframes that attempted to download malware when a visitor accessed one of the compromised sites.  In many cases these attacks took advantage of SQL injection vulnerabilities to insert the hidden iframe.  They also tended to host their malware on port 8080 rather than the standard port 80.  Given the fact that the server vwui.in was first listed as a malicious site back in 2009, that the malicious site uses port 8080, and the fact that it no longer has any associated DNS records, it is quite possible that the Home Depot page was originally compromised as part of this massive attack in 2009 and only now has been discovered.  While the iframe in the Home Depot website is not currently a threat, the vulnerability that allowed it to be inserted into the page may still be present which could lead to a future compromise of this site.  I attempted to contact Home Depot to inform them of this issue, but as of this writing I have not received a response.

If you have used the web for any length of time at all, it is quite likely that you have seen a pop-up box similar to the one above on your computer when visiting a web site.  In the security industry this type of malware is frequently referred to as scareware or rogue anti-virus.  When confronted with this message, many people will unsuspectingly click the “OK” button which will usually install some type of malware that claims your machine is infected with a virus.  It then offers to remove the virus if you purchase a product.  The problem is, not only is this not going to protect your machine, but will likely lead to further system compromise and possibly the loss of personally identifiable information or credit card data.

A client of mine recently called to inform me that his system had been infected with malware after clicking the “OK” button on the above pop-up box.  After removing the malware from his machine, I decided to dig further into this scareware campaign.  The client reported that he performed a search for “tatiana banx” and one of the top 10 results took him to this site.

I started my analysis by performing the same search as my client.  The results of my search are shown below.  Notice the 10th result which I have highlighted with a red arrow.

The URL is hxxp://collin-county-real-estate.rmdfw.com/gsfyn/yuxfm.php?gu=500242.  Also notice all the keywords listed for “tatiana”.  This one caught my attention and sure enough, clicking on this link will take you to a rogue AV site.  Moreover, your browser will become unusable except to click the “OK” button.  In fact, if you click on any part of the pop-up box the malware will be installed, indicating that is part of this attack as well.  The only way to prevent infection after clicking on the link in the search result is to kill the browser process.

So, the first part of this scareware campaign is the use of SEO poisoning to generate high search results for the term “tatiana banx” among others.  This is a common technique used by scammers to increase traffic to their sites and to increase infection rates.  But how did they do this?  I began by investigating the collin-county-real-estate.rmdfw.com site.  This site is the Dallas-Fort Worth Re/Max Realtor web site.  The A record for this server is 216.177.141.4 with a PTR of web17.websitesource.net.  Thus, it appears that this site is hosted at WebSiteSource with a location somewhere in Kansas if the geoIP information is accurate.   Next I examined the web server itself and found that directory listing was enabled which led to a treasure trove of interesting information.

This is only a partial list of over 330 files on this server that appear to be part of an SEO poisoning campaign.  Examination of these files indicates that this server is being used to manipulate search results for many, many different search terms.  For example, the search I performed for “tatiana banx” brought the result hxxp://collin-county-real-estate.rmdfw.com/gsfyn/yuxfm.php?gu=500242.  A partial listing of the contents of the file 500242 is listed below:

collin-county-real-estate.rmdfw.com

tatiana milovani
shte eet glawa ivanova tatiana che
eest ivanova tatiana dean electrical
tatiana narvaez
life info on tatiana golovin
tatiana isotov
mary tatiana krot
tatiana fistrovic and us visa
tatiana gregorieva
tatiana keeshan
tatiana petit
tatiana scam
tatiana startseva parkville
chris tatiana
tatiana free pics
tatiana nikolaevna tumanova
tatiana ali in king mag
tatiana jones
tatiana petersen
find tatiana schwappach
tatiana alverez

Other files on this server show similar content for different search terms.  It appears that this server is being used as part of an SEO poisoning campaign, likely without the knowledge of the web site’s owner.  Furthermore, assuming that the owners of the rmdfw.com domain are not purposely redirecting traffic to malware distribution sites, it is likely that this server has been compromised.

The next step in my analysis involves an examination of the method that the site uses for redirecting traffic from hxxp://collin-county-real-estate.rmdfw.com to another site that attempts to install malware on the visitor’s machine.  This turns out to be the most interesting part.  There is a PHP script (yuxfm.php) that redirects to various other sites that host the scareware campaign.  You will only be redirected if you click on the URL from a search result, indicating that the referer is being used to determine how traffic will be handled.  Using a proxy to capture all of the communication between my system and the servers involved, I was able to reconstruct the sequence of events.  After performing a search and clicking on the URL hxxp://collin-county-real-estate.rmdfw.com/gsfyn/yuxfm.php?gu=500242 which was the 10th result presented, the server responds with a 302 redirect to one of several different URLs.  Below is the original request:

GET http://collin-county-real-estate.rmdfw.com/gsyfn/yuxfm.php?gu=500242 HTTP/1.1
Host: collin-county-real-estate.rmdfw.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 GTB7.1 (.NET CLR 3.5.30729) Paros/3.2.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=&q=tatiana+banx&sourceid=navclient-ff&rlz=1B3GGGL_enUS340US341&ie=UTF-8
Cookie: Hello-friend=4

And the response:

HTTP/1.1 302 Found
Date: Tue, 27 Jul 2010 02:37:50 GMT
Server: Apache
Set-Cookie: Hello-friend=5
Location: hxxp://zeoro1.strangled.net/3/?c=947
Content-Type: text/html

In this case I was redirected to hxxp://zeoro1.strangled.net/3/?c=947.  This server then presents the scareware that attempts to trick the visitor into installing malware.  Notice the javascript that gets executed on the client.  No doubt this is the source of the malware.  The site also includes images that resemble actual Windows warning messages in order to increase the likelihood that the visitor will be fooled into accepting the malware:
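The request/response pair above is the key evidence: a search-engine Referer going in, and a 302 to an unrelated host coming out. The same referer-gated hop to a second host is what the js.php chain in the earlier article relies on. The Python example below is added for this page (it is not code from the post) and shows how a proxy capture like the one above can be checked automatically: it parses a raw request and response, and flags the pair when the Referer is a search engine and the response redirects off-site. The search-engine list and the sample exchange (modelled on the one in the post, with constructed host names) are assumptions; since the parser only looks at the host part of URLs, it also works on logs where the scheme has been defanged to hxxp.

```python
from urllib.parse import urlsplit

# Referers that mark a visit as arriving from a search result. Assumed list;
# extend it with whatever engines your users actually arrive from.
SEARCH_ENGINE_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}


def parse_http_message(raw):
    """Split a raw HTTP request or response into (start line, headers, body).

    Header names are lower-cased. Works for both directions of the exchange.
    """
    head, _, body = raw.replace("\r\n", "\n").strip("\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def assess_exchange(raw_request, raw_response):
    """Flag a request/response pair that looks like a search-driven redirect
    to a third-party host, the pattern reconstructed in the post."""
    request_line, req_headers, _ = parse_http_message(raw_request)
    status_line, resp_headers, _ = parse_http_message(raw_response)
    _, target, _ = request_line.split(" ", 2)
    request_host = req_headers.get("host") or urlsplit(target).hostname
    status = int(status_line.split(" ", 2)[1])
    referer_host = urlsplit(req_headers.get("referer", "")).hostname
    location_host = urlsplit(resp_headers.get("location", "")).hostname

    signals = []
    if referer_host in SEARCH_ENGINE_HOSTS:
        signals.append("search-engine referer")
    if 300 <= status < 400 and location_host and location_host != request_host:
        signals.append("off-site redirect to %s" % location_host)
    return {
        "request_host": request_host,
        "status": status,
        "next_hop": location_host,
        "signals": signals,
        # Both signals together are the SEO-poisoning signature; either alone is common.
        "verdict": "suspicious" if len(signals) == 2 else "ok",
    }


# Constructed sample exchange, shaped like the capture in the post but with
# made-up host names. Not real traffic.
SAMPLE_REQUEST = """GET http://compromised-site.example/gsfyn/yuxfm.php?gu=500242 HTTP/1.1
Host: compromised-site.example
User-Agent: Mozilla/5.0 (constructed)
Referer: http://www.google.com/search?q=example+query
Cookie: Hello-friend=4

"""

SAMPLE_RESPONSE = """HTTP/1.1 302 Found
Server: Apache
Set-Cookie: Hello-friend=5
Location: http://scareware-host.example/3/?c=947
Content-Type: text/html

"""

if __name__ == "__main__":
    print(assess_exchange(SAMPLE_REQUEST, SAMPLE_RESPONSE))
```

Because the redirect only fires when the Referer points at a search engine, replaying the request from a proxy without that header will look clean; when reproducing a capture, keep the original Referer in the replay or you will conclude the page is harmless.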

[Screenshot: the scareware page, showing a dialog titled “Online Protection” and the status message “Initializing Virus Protection System…”]

The redirected URL changes frequently in an attempt to make detection and investigation more difficult.  In fact, since I started my analysis a week ago, the  collin-county-real-estate.rmdfw.com URL no longer shows up when searching for “tatiana banx” and no longer appears to be used in this malware campaign.  However, other top 10 search results for “tatiana banx” result in the same scareware tactics.  For example, today hxxp://tmsoftwaresolutions.co.uk/linmx/plol.php?gi=438195 shows up as the number 6 result.  It is also important to keep in mind that this type of attack is not confined to only searches for “tatiana banx”.  It is clear that whoever is behind this attack is targeting many different search terms and thus all search results should be viewed with care.  Also, it appears that there are many compromised servers that are part of this campaign leading to the conclusion that this is not an isolated case.

To summarize, this scareware campaign makes use of a variety of techniques in order to spread its malware.  First, it uses compromised hosts to manipulate search results and drive traffic to its servers, a technique called SEO poisoning.  When a visitor clicks on one of these bogus search results, they are then redirected to the malware delivery host, which serves up content designed to make the visitor think their machine is infected with a virus.  If the visitor clicks on the pop-up box to try and “remove” the virus, they will actually be installing malware on their machine.  This malware pretends to be an anti-virus program, but in fact is malicious software.  In the near future I will be conducting further analysis on the hosts involved, how they may have been compromised and used as part of this malware distribution campaign, and the nature of the malware itself.



In the Fox Sports web site was found to have been compromised with an iframe that redirected visitors to a site hosting malicious content.  The affected URL was hxxp://msn.foxsports.com/fantasy/baseball/hotstreak/external and an example of the injected code is below:

Anyone who accessed this site while the malicious code was active could potentially have had their computer infected with malware.  Fox Sports administrators eventually removed the iframe, but today the same page was infected again.  This time the below two script tags were injected:

and



These same two scripts were also used in the October Fox Sports web site compromise incident.  The akcworld.com  and nt002.cn domains are widely known to host malicious content and are frequently used as part of the campaign.  At approximately 9:50pm I checked the Fox Sports web site to verify if the page was still infected.  It was not.  I then checked the page information and saw that it had been modified at 9:39pm EST, just 10 minutes before I checked the site.


The Fox Sports administrators moved very quickly this time to rectify the site compared to the October incident, which took nearly two weeks to address.  However, this situation obviously begs the question of how the Fox Sports web site keeps being compromised.  I can think of several possibilities that would explain how this could occur:

  1. The hackers installed a backdoor that they continue to use for access
  2. The hackers continue to use compromised credentials to the web site
  3. A vulnerability exists in the web site that has not been remediated
  4. Fox Sports administrators restored an older version of the page that included the malicious code from the October hack

We won’t likely learn the root cause of this compromise any time soon, but it is certain that unless Fox Sports takes preventative action, it will probably occur again.

Introduction

Late last week it was disclosed by security researchers Marsh Ray and Steve Dispensa that a design flaw in TLS (the IETF implementation of SSL) could allow an attacker to successfully inject data in an encrypted session using a man-in-the-middle (MITM) attack.   The primary problem occurs during the renegotiation of the TLS channel when client certificates are employed.  Their documents the vulnerabilities in the TLS protocol as well as how the vulnerabilities could be exploited to violate the integrity of the data stream between a web client and server.  Even though the encrypted data cannot be read by the attacker, it is possible to inject arbitrary data into an authenticated session and it will be treated by the server as if it came from the client.  I will discuss the risks associated with this important discovery and outline some potential attack scenarios.

Putting the Risk Into Perspective

  • As mentioned previously, this vulnerability primarily affects sessions in which client certs are in use.  The vast majority of secured TLS sessions today do not involve client certs which limits the impact of this vulnerability.  For example, if you are shopping online or connecting to your bank over the Internet, it is almost certainly the case that a client cert is not in use.  Where client certs are sometimes used is in enterprise applications such as external access to corporate email.  Some companies require the use of client certs in this scenario.  Also, TLS sessions between systems used as part of a web application (e.g. SOAP calls) sometimes utilize client certs for greater security.  However, for most users client side certs are a non-issue which limits the scope of this vulnerability.
  • Another limiting factor of this vulnerability is the fact that it can only be exploited via a MITM attack.  MITM attacks are fairly difficult to execute successfully, as they require the interception of the network traffic between the client and the server.  While this is not impossible, it certainly would require some additional work.  In many cases, the hacking that would be necessary just to pull off the MITM attack would lead to greater potential rewards than the hacking of the TLS connection.  Some examples of MITM techniques include:
  1. Compromising the network of either the client or the server (e.g. ARP poisoning)
  2. Manipulating the DNS server of the client
  3. Taking advantage of an unsecured WIFI network connected to either the client or the server
  4. Using social engineering to compromise either the client or the server
  5. Compromising a proxy server used by either the client or the server
  • The results of an attack against this vulnerability do not allow the attacker to see any encrypted data sent by the client or the server.  It could allow an attacker to inject commands into the session which the server would believe came from the client and would execute.  However, the attacker would not be able to see the results which limits the impact of this vulnerability.  This situation clearly violates the integrity of the session, but the amount of damage that can be done is limited.
  • This vulnerability does affect more than just HTTP.  This is the most common protocol to use TLS, but others do as well (e.g. IMAP).  The sheer scope of applications and protocols that rely on it warrants a fix to ensure that developers and end users can be confident in the behavior and security of their applications.

Summary

The vulnerability in the TLS protocol disclosed on November 4, 2009 is not likely to lead to a great deal of exploitation.  The primary reasons are the difficulty required to successfully launch an attack and the limited nature of the vulnerability and how it can be exploited.  Most attacks today are financially motivated and are conducted by groups that understand how to perform a cost-benefit analysis.  I suspect that they will look at this vulnerability and decide that there are easier ways to exploit systems for monetary gain and it will not be worth their time to devote resources to develop exploits for this one.  The payoff is simply not high enough.  In sum, I believe the risk to most individuals and organizations is fairly low.  Fixes are already being rolled out, but given the extent to which TLS is used today, it will likely be many years before all applications and devices have been remediated.  Even still, I will be surprised if we read about any significant compromises in the future that are attributable to this vulnerability.

Sources for Additional Reading


During a recent security audit of the DreamPoll 3.1 software by , I discovered a number of XSS and SQL Injection vulnerabilities in the application.  These vulnerabilities could be exploited to make unauthorized changes to a web site or compromise a client accessing a site that utilizes the application.  Details of the vulnerabilities are as follows:

XSS
————————-
File: index.php
Variable: recordsPerPage
Example: GET /index.php?action=login&sortField=poll_default&sortDesc=1&recordsPerPage=1>">

Blind SQL/XPath Injection
————————-
File: index.php
Variable: sortField
Example: GET /index.php?action=login&sortField=poll_default+and+31337-31337=0&sortDesc=1&recordsPerPage=20

Blind SQL Injection (Timing)
————————-
File: index.php
Variables: sortField, sortDesc, pageNumber
Example: GET /index.php?action=login&sortField=poll_default+and+sleep(3)%23&sortDesc=1&recordsPerPage=20

While not specifically tested, it is likely these vulnerabilities exist in earlier versions of this application as well.  The vendor was notified on 09/28/2009 and a fix was released the same day.  If you are a current user of this software, contact the vendor for the available fix.
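As an added example (not part of the advisory or of the DreamPoll software), the following Python flags request shapes like the three listed above in web server access logs; the log format, the sample log lines and the allow-list of sortField values are constructed for illustration.

```python
"""Flag DreamPoll-style injection probes in web access logs.
Added example, not part of the original advisory or the DreamPoll software.
The log format, the log lines and the sortField allow-list are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" style access log line (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Values index.php should accept for sortField (hypothetical allow-list;
# poll_default comes from the advisory, the other two are made up).
SORT_FIELDS = {"poll_default", "poll_name", "poll_date"}
NUMERIC_PARAMS = {"sortDesc", "recordsPerPage", "pageNumber"}

# Signatures derived from the advisory's example requests: timing functions,
# boolean tautologies, comment terminators and attribute/tag breakouts.
SIGNATURES = [
    ("sqli-timing", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("sqli-boolean", re.compile(r"\b(and|or)\s+[\w'\"-]+\s*=\s*[\w'\"-]+", re.I)),
    ("sqli-comment", re.compile(r"#|--\s|/\*")),
    ("xss-tag-breakout", re.compile(r"""["']\s*>|</?\s*[a-z]""", re.I)),
]


def classify_query(url):
    """Return sorted (parameter, finding) pairs for one request URL."""
    hits = set()
    # parse_qs already decodes %XX escapes and turns '+' into spaces.
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for name, values in params.items():
        for value in values:
            for label, rx in SIGNATURES:
                if rx.search(value):
                    hits.add((name, label))
            # Structural checks catch probes that match no signature.
            if name == "sortField" and value not in SORT_FIELDS:
                hits.add((name, "not-allowlisted"))
            if name in NUMERIC_PARAMS and not value.isdigit():
                hits.add((name, "non-numeric"))
    return sorted(hits)


def scan_log(lines):
    """Return (ip, url, findings) for every index.php request with a finding."""
    results = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["url"].startswith("/index.php"):
            continue
        findings = classify_query(m["url"])
        if findings:
            results.append((m["ip"], m["url"], findings))
    return results


# Constructed sample: one benign request followed by the advisory's three probes.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Sep/2009:10:15:31 +0000] "GET /index.php?action=login'
    '&sortField=poll_default&sortDesc=1&recordsPerPage=20 HTTP/1.1" 200 4120',
    '203.0.113.9 - - [28/Sep/2009:10:16:02 +0000] "GET /index.php?action=login'
    '&sortField=poll_default&sortDesc=1&recordsPerPage=1%22%3E HTTP/1.1" 200 4133',
    '203.0.113.9 - - [28/Sep/2009:10:16:40 +0000] "GET /index.php?action=login'
    '&sortField=poll_default+and+31337-31337=0&sortDesc=1&recordsPerPage=20 HTTP/1.1" 200 4120',
    '203.0.113.9 - - [28/Sep/2009:10:17:15 +0000] "GET /index.php?action=login'
    '&sortField=poll_default+and+sleep(3)%23&sortDesc=1&recordsPerPage=20 HTTP/1.1" 200 4120',
]

if __name__ == "__main__":
    for ip, url, findings in scan_log(SAMPLE_LOG):
        print(ip, findings, url)
```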

Websense recently released their report on the for the first half of 2009.  They have some very interesting findings which I have summarized below.

  • In the first half of 2009, 77 percent of Web sites with malicious code were legitimate sites that have been compromised. This high percentage was maintained over the past six months in part due to widespread attacks including Gumblar, Beladen and Nine Ball which aimed at compromising trusted Web properties with massive injection campaigns.
  • Web 2.0 sites allowing user-generated content are a top target for cybercriminals and spammers. Websense Security Labs found that 95 percent of comments to blogs, chat rooms and message boards are spam or malicious.
  • The “Dirty” Web is getting dirtier: 69 percent of all Web pages with content classified as objectionable (e.g. Sex, Adult Content, Gambling, Drugs) also had at least one malicious link. This is becoming even more pervasive, as 78 percent of new Web pages discovered in the first half of 2009 with objectionable content had at least one malicious link.
  • Websense Security Labs found that 37 percent of malicious Web attacks included data-stealing code, demonstrating that attackers are after essential information and data.
  • The Web continues to be the most popular vector for data-stealing attacks. In the second half of 2008 the Websense Security Labs found that 57 percent of data-stealing attacks are conducted over the Web.
  • The convergence of blended Web and email threats continues to increase. Websense Security Labs reports that 85.6 percent of all unwanted emails in circulation during the first half of 2009 contained links to spam sites or malicious Web sites.
  • In June alone, the total number of emails detected as containing viruses increased 600 percent over the previous month.

This information confirms that the Web is a dangerous place and becoming more so.  The reason is simple… money.  Criminals have figured out that the benefit from online crime is high and the cost is low.  Moreover, the chances of getting caught are slim.  Compare the crime of identity theft or credit card fraud committed via the Internet with a physical crime such as a bank robbery.  The cost of committing a crime on the Internet is low.  One can obtain ready-made software on the Internet that will help you obtain credit card and other personal information with which it is possible to commit fraud.  The risk associated with this crime is very low compared to the expected payoff.  However, robbing a bank has very high costs and risks.  One could get shot or get caught and sent to prison.  And the likely payoff isn’t that great either.  The average amount of money stolen during a bank robbery is less than $5000.  This isn’t much compared with the risks.

Internet crime is a huge business.  To protect yourself, follow for using the Web safely.  Even legitimate and well known web sites can get compromised and be used to commit fraud against you.  And don’t think because you use a Mac that you are immune to these attacks.  You aren’t.  More on that in a future article.

Even Security Pros Get Owned

On Thursday we awoke to a good old-fashioned web site defacement and the of emails and other personal information of some of the most prominent names in the information security field.  A group hacked into the servers of Dan Kaminsky, Julien Tinnes, and Kevin Mitnick to name just a few.  The information they obtained and disclosed includes email correspondence, phone numbers, userids and passwords of many of the world’s most notable whitehat security researchers.  Some of this information is very personal and quite embarrassing to have publicly disclosed to the entire Internet.  Moreover, it is likely that this disclosure will lead to a great deal of spam and nuisance phone calls for the people whose information was disclosed, as well as possible attacks on other systems.

These days it is unusual for hackers to deface web sites and publicly embarrass others.  Most are more concerned with making money and thus try to work silently without being noticed.  The defacement of Kaminsky’s web site is reminiscent of the old school gamesmanship in which hackers would try to publicly humiliate others by defacing their web sites.  This attack has prompted Kaminsky to take his site () offline, although you can still see the defaced version in Google’s cache.  I have also included it below.


It is not known how the hackers were able to crack the servers, but it goes to show that a determined attacker can probably find an exploitable vulnerability in any system if given enough time and resources.  There is no such thing as a completely secure system, except one that is turned off.  It is the job of the security professional to reduce risk to an acceptable level given the value of the asset that is being protected.  While none of the information disclosed could be considered valuable in a monetary sense, having it disclosed so publicly is certainly embarrassing and could damage their reputations and their businesses.  No system is safe and we should all take heed of the threats that are out there.

Hoaxes as Threats


A few days ago I went to see the latest installment of the Harry Potter movies.  So it is timely that a new Internet hoax emerged today playing on the popularity of the film and its actors.  A hoax spread rapidly today via email and social networking sites such as Facebook and Twitter about the death of Emma Watson who plays Hermione Granger in the popular films.  The hoax claimed that the actress had died in a car accident.  Below is one example of the bogus news report:

On July 24, 2009, Watson was en route to her mansion in Oxfordshire, England. Police footage captured her driving with speeds up to 80 miles per hour on very narrow roads. Oxfordshire paramedics received a 999 call at 12:22 p.m. (GMT), about a sports car having crashed into a wall at a petrol station. At this point it was still unknown that the victim was indeed Emma Watson. Three minutes after the call got through, paramedics arrived at Watson's location. She was reportedly not breathing and the car was a total loss. After 5 minutes the Oxfordshire Fire Department managed to get Watson out of her car. Resuscitation efforts continued en route to the Oxfordshire's Medical Center, and for an hour after arriving there at 1:45 p.m. (GMT). She was pronounced dead at 2:10 p.m. (GMT).

Unfortunately, by forwarding this information, people are unwittingly helping scammers install rogue anti-virus software on unsuspecting users’ computers.  Criminals have used blackhat SEO poisoning to get searches related to Emma Watson’s death ranked very high in search results.  For example, I did a Google search on “emma watson die” and the 6th and 8th results were redirects to malicious sites that attempted to install rogue anti-virus software:


Fortunately, Google warns that this is a malicious web site due to its listing at .   However, there are many others besides this one in the top 20 search results so do yourself a favor and stay away from them.  And most importantly, don’t forward any news articles or emails related to this hoax.  In general, this is good advice for email chain letters, get rich quick spam, jokes, and any other nuisance email that finds its way into your inbox.

SEO Poisoning Techniques


Search engine optimization (SEO) has traditionally been the domain of web masters and Internet marketing specialists who understand the importance of high search engine ranking and how to influence sites’ ranking based on various search criteria.  It didn’t take long after the popularity of sites such as Yahoo and Google grew, for people to look for ways to manipulate site rankings in order to drive more traffic to their preferred destinations.  Lately, hackers have begun using SEO poisoning techniques in an effort to spread malware and make money.

In order to understand how they do this, it is necessary to understand how search engines rank sites.  This is primarily done on the basis of site popularity.  If a web site is linked to by many other sites, it is assumed that this is a reputable site and it will generate a higher ranking by search engines.  Similarly, if a popular site links to other web sites, those sites will be given a more favorable ranking in search results.  The goal of hackers is to poison search results such that their (typically malicious) web sites will rank high in search results and drive more traffic to them, resulting in increased opportunities for compromising systems.

So how do hackers take advantage of search engines for their own purposes?  Below are several techniques used for SEO poisoning:

1)  Site compromise

Approximately 1 year ago, tens of thousands of web sites, including some very prominent ones, were compromised through the use of XSS to inject iframes into search queries on the sites.  The iframes then were indexed by Google and others such that they ranked very high in certain poisoned search results.  This type of SEO poisoning was possible due to improper input validation on the web sites’ search tool resulting in a stored XSS vulnerability.  Some of the sites affected included Wal-mart, Target and USA Today.

Another way hackers can take advantage of vulnerabilities in a web site to poison search results is through SQL injection attacks.  If a hacker can find vulnerable web sites (easily achieved through advanced Google searching) and inject links into the targeted sites that point to a malicious web site, then the ranking of the malicious web sites will be increased in search engine results.  A recent SEO poisoning attack involving NCAA March Madness search terms was discovered that employed such a technique.  Those who clicked on the malicious links were redirected to malicious web sites that attempt to install rogue AV malware.

2)  Spam domains

Another way for hackers to increase their ranking in particular search results is by registering many domains specifically for the purpose of linking to their desired site.  By creating a large number of sites linking to the target web site, they can increase its rank in search results and thus traffic to that site.  Hackers will often register hundreds of these spam domains purely for the purpose of SEO poisoning.

3)  Comment spamming blogs

As any blogger can attest, many of the comments placed on blogs are nothing more than spam with links to spam or malicious web sites in an effort to increase their search result rankings.  Even my blog, which gets little traffic (unfortunately), gets a tremendous amount of spam comments.  In fact, I have stopped allowing comments because I have grown weary of deleting them.  I know there are tools to detect and block spam comments, but when 95% of the comments are spam designed for SEO poisoning, it doesn’t seem worth it.  Usually these comments are generated by automated spambots, so at the very least bloggers should be sure to hold all comments for moderation.
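Site owners can look for the injected iframes and links described under site compromise above (and the hidden spam links that comment spam leaves behind) with a simple page check.  The following Python is an added example, not code from the original post; the site domain, the trusted third-party hosts and the HTML sample are constructed.

```python
"""Spot iframes and links injected into a site's pages for SEO poisoning or
drive-by redirection.  Added example, not from the original post; the site
domain, trusted hosts and HTML sample are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class InjectedContentFinder(HTMLParser):
    """Record iframes, external scripts and anchors that are either styled to
    be invisible (the usual shape of injected content) or point to a host
    outside the site and its trusted third parties."""

    def __init__(self, site_domain, trusted=()):
        super().__init__()
        self.site = site_domain.lower()
        self.trusted = {d.lower() for d in trusted}
        self.findings = []

    def _offsite(self, url):
        host = (urlsplit(url).hostname or "").lower()
        if not host:
            return False  # relative URL, stays on the site
        if host == self.site or host.endswith("." + self.site):
            return False
        return host not in self.trusted

    @staticmethod
    def _hidden(attrs):
        style = (attrs.get("style") or "").replace(" ", "").lower()
        return (attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
                or "display:none" in style or "visibility:hidden" in style
                or "font-size:0" in style)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            src = a.get("src") or ""
            if self._hidden(a):
                self.findings.append(("iframe", src, "hidden"))
            elif self._offsite(src):
                self.findings.append(("iframe", src, "offsite"))
        elif tag == "script":
            src = a.get("src") or ""
            if src and self._offsite(src):
                self.findings.append(("script", src, "offsite"))
        elif tag == "a":
            # Off-site anchors are normal on many pages; list the hosts a site
            # legitimately links to in `trusted` to keep this check quiet.
            href = a.get("href") or ""
            if self._hidden(a):
                self.findings.append(("a", href, "hidden"))
            elif self._offsite(href):
                self.findings.append(("a", href, "offsite"))


def find_injected_content(html, site_domain, trusted=()):
    """Parse one page and return (tag, url, reason) tuples in document order."""
    parser = InjectedContentFinder(site_domain, trusted)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed page for a hypothetical site: legitimate navigation plus a
# zero-size redirect iframe and a hidden spam link of the kind injected via
# stored XSS or SQL injection.
SAMPLE_HTML = """
<html><body>
<a href="/polls/">Polls</a>
<a href="https://www.example-credit-union.org/about">About</a>
<script src="https://cdn.example-credit-union.org/app.js"></script>
<iframe src="http://redirector.invalid/main.php" width="0" height="0"
        style="display: none"></iframe>
<p>Read our latest article.</p>
<a href="http://pharma-spam.invalid/buy" style="display:none">cheap pills</a>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_injected_content(SAMPLE_HTML, "example-credit-union.org"):
        print(*finding)
```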

Scam Soup


Lately I have been reading about a veritable alphabet soup of Internet scams.  Some are run-of-the-mill phishing or email scams, but some are rather innovative and utilize new attack vectors that I have not seen before.  In this post I will review some of these scams, including one that targeted me.

Economic Stimulus Scam

Cyber criminals frequently use events that are in the news as an opportunity to trick people into visiting malicious web sites where they can infect their systems with malware.  Recently, criminals have been using the economic stimulus bill being proposed by President Obama as a method to attract unsuspecting users.  One email asks the recipient to provide bank account information in order to receive a government deposit.  Another, which appears to come from a government agency, asks the recipient to verify that they qualify for a payment by visiting a web site and inputting personal information.  Of course in both cases the criminals use the information to commit fraud and/or identity theft.  The FTC has about these scams.

Parking Ticket Scam

This is truly an original scam that I thought was rather clever.  In Grand Forks, North Dakota criminals placed on parked cars.  The ticket instructed drivers to visit a website where they could “view pictures with information about your parking preferences”.  When the user visits the web site it attempts to install malware on their computer.  This is believed to be the first scam of its type; however, it is likely that it won’t be the last.  I can imagine leaflets distributed on cars in mall parking lots advertising some bogus product with a URL to a malicious web site.  Expect to see more of this type of scam.

My Personal Vishing Experience

I recently received an SMS message that appeared to be from my bank.  I have pasted the message below (with bank information changed to protect my personal information):

FRM:
MSG:State Bank CU urgent notification:unusual activity,please verify your online information at 877-555-8787.

I was immediately suspicious as I was not aware that my bank had my cell phone number and did not think they would contact me in this manner even if they did.  For fun I called the number in the text message and was directed to a full voice mailbox.  No doubt had the mailbox not been full I would have heard a message asking me to leave my bank account information.  This is an example of a vishing attack which I have written about in a previous post.  Don’t be fooled by such attacks.  No banks request your account information by SMS or email.

Scammers are always looking for new ways to get your personal information.  And as I have shown, criminals will find new and innovative ways to obtain it.

Malicious Websites Target Internet Explorer

I have always been a fan of Mozilla’s Firefox browser. To tell the truth, I have been using it since its original incarnation when it was known as Netscape Navigator (and Mosaic before that). I always thought it was more intuitive, faster, and had more and better features than Microsoft’s Internet Explorer. Of course, given that IE is included with the Windows operating system, and that Windows commands more than 90% of the desktop computer market, it is no surprise that IE remains the most popular browser in use today with 67% penetration.

However, there is another, even more important reason why Firefox is my preferred browser. Security. IBM’s ISS X-Force recently released its on Internet security which analyzed trends in threats and vulnerabilities for 2008. This is an excellent report that all information security practitioners should read carefully in order to understand the types of threats that we all face. But it was the information on page 56 of this report that really caught my attention.

For many years I have argued that Firefox provides a more secure browsing experience than IE. And now, I have proof to support this opinion. According to the ISS report, nearly 68% of all exploits hosted on malicious websites target ActiveX and IE. Conversely, less than half of one percent of exploits target Firefox. Admittedly, this is likely as much a result of IE’s popularity as a browser as it is Firefox’s superior security. However, Firefox is the second most widely used browser with 21.5% penetration. All things being equal, one would expect more than .3% of the exploits to be targeted at a browser with this much penetration. Clearly there are other forces at work.


So why are criminals giving Firefox a pass?  In order for a vulnerability to be exploited, it must be worth the time and effort that will be required to create the exploit.  That means there must be a high probability that the exploit will be successful and generate revenue for the criminal organization.  The fact that Firefox does such a great job of automating software updates makes it much more difficult to exploit vulnerabilities in the browser.  A found that over 83% of Firefox users were running the most up-to-date and secure version of the browser.  Conversely, only 47% of IE users were using the most up-to-date and secure version of the browser.  This translates into hundreds of millions of people who are using vulnerable versions of IE, ripe for exploitation by criminal elements.  When viewed from this perspective, it is easy to understand why Firefox is a more secure browser than Internet Explorer.

It’s Not OK to Click “OK”

If you are a user of Microsoft’s Windows operating system, you no doubt are very familiar with the popup dialogue boxes that are so frequently displayed on your screen.  These popup windows were designed to inform you when an event occurs that requires your attention or input.  These popup windows occur even more frequently with Windows Vista which by default asks for your permission before running applications that require administrative privileges.  This is a good thing from a security perspective, but a bad thing from an annoyance perspective.

As a result, computer users have become accustomed to simply clicking “OK” to every popup window they are presented with.  A recent conducted by researchers at North Carolina State University found that two-thirds of the participants in the study would click “OK” to any popup window presented to them, even ones that were fake.  Furthermore, the study found that most Internet users have a difficult time distinguishing between real and fake popup windows.

This fact is not lost on Internet scammers.  If you have surfed the web for any length of time at all you have likely encountered a fake popup dialogue box such as the one below:

These fake popup windows are generally designed to install malware on your system.  There are several things you can do to protect yourself.  First, always run up-to-date antivirus and antispyware software.  Second, enable the popup blocker option in your browser.  This is available in both Firefox and Internet Explorer.  Third, take the time to read the message.  Familiarize yourself with real popup dialogue boxes so that you can tell the difference between these and fake ones.  If you are presented with a popup window while actively surfing the web it is most likely a fake intended to do your system harm.  Do not click the “OK” button unless you are sure of its authenticity and understand what you are agreeing to. If not, close the window by clicking the “X” in the top right hand corner of the dialogue box or by using the Windows task bar.  And if it happens to be one of those persistent popups that just doesn’t want to go away, you should close and restart your browser.

Internet Explorer 8 Security Features Lacking

I became excited when I read the press release for Microsoft’s Internet Explorer 8 Beta 2 browser software.  IE has traditionally lagged behind Firefox when it comes to security so I thought I would investigate.  According to Microsoft, IE8 incorporates many new and in some cases interesting security features.  I installed it on my laptop and have been using it for several days.  Below are my impressions.

The InPrivate Browsing feature allows you to browse the web without the browser keeping any record of the sites you have visited.  No cookies, no history, no form data, etc.  Microsoft claims this is useful in situations where a computer is shared by different people and you don’t want others to know what sites you have been visiting.  Such as when a husband is searching for a birthday gift for his wife and he wants to keep it a secret.  Right!  More likely this feature will be used to keep others from seeing the adult sites that are being visited.  In my testing this feature did work as advertised and could be useful when using a public computer.

SmartScreen Filter is a feature that is supposed to alert you when you attempt to access a suspicious or known malicious web site.  For example, it should block access to sites that are known to host malware as well as phishing sites.  I tested this feature by attempting to visit a few known malicious web sites including some phishing web sites (don’t try this at home!).  In each case IE8 failed to detect and block access to the site even though SmartScreen Filter was enabled.  On the other hand, Firefox 3.0.1 blocked each of the same sites, appropriately alerting me to the danger of the requested site.

Finally, Content Advisor, which has been around since IE6, is a feature that allows you to restrict access to web sites based on content categories such as gambling, nudity, etc.  It also allows you to specifically deny access to user defined URLs.  This is a great feature especially for parents of young children who want to prevent them from accessing inappropriate sites.  Content Advisor has been maligned for years and it has not improved any with IE8.  It relies on a rating system in which web developers rate their own content.  Many sites have no rating and others have incorrect ratings leading to a content filtering system that is virtually useless.  If you are looking for parental control software and don’t have much money to spend, try product which is FREE for home use.

In sum, IE8’s security features were a little disappointing.  To be fair it is a beta release.  Perhaps these issues will be addressed by the general release product.  I will revisit it in the future to see if they listened to my criticisms.  For now I am sticking with Firefox.

The (In)security of Social Networking Sites

With the advent of Web 2.0, social networking sites with all their wonderful interactive capabilities have become extremely popular.  MySpace, Facebook, LinkedIn and others have enjoyed great popularity as they offer unique opportunities for collaboration and information sharing.  However, with this new technology comes fresh security concerns.  Below I will outline some of the more common security issues associated with social networking sites.

Social Engineering

By their very nature social networking sites encourage their users to post personal information about themselves such as home town, place of employment, birth date and more.  However, this information can be used by criminals to commit fraud or identity theft.  For example, it is not difficult to search a variety of social networks to obtain enough personal information on individuals to open a financial account in their name.  Gunter Ollman wrote an excellent outlining how to perform this type of social network hack.  The lesson here is to limit the amount of information you share about yourself and who you network with.

Malicious Content

Many social networking sites, MySpace in particular, allow users control over the content they provide on their pages.  This includes the ability to add banners, links, and other web content.  This provides the ability for the creators of those pages to embed malicious software or links to malicious sites on their pages.  A recent study by found that the number one host for malware on the Internet is the highly popular blogging site Blogspot.  This is indicative of the opportunities created for hackers by web sites that allow their users the ability to post their own content.

Worms

Recently, Facebook has been battling a new worm that infects users of the popular web site.  The worm, called , spreads when a user logs into his or her Facebook account and sends messages to their Facebook friends with links to malicious web sites.  When the friend clicks on the link they are asked to install an application to view a supposed video.  Of course this application is a trojan which allows the worm to continue to spread.  A similar worm is also affecting MySpace users.  These are not the first worms to target social networking sites as this has been an ongoing problem for several years.  In all likelihood worms will become a bigger problem as these sites grow in popularity.

Social networking sites can be useful tools for collaboration, keeping in touch, making new friends and growing your network of business associates.  However, these sites are not without risks and should be used carefully to avoid becoming a victim of fraud and/or an attack on your computer.

The Dark Side of Web Surfing

Not long ago, if you kept your web surfing to “reputable” sites (i.e. non-pornographic and non-gambling), you could be fairly certain that your machine would not be the victim of an attack from the site you visited.  But times have changed.  Just prior to the 2007 Super Bowl, the official web site of the Miami Dolphins (where the event was being hosted) was hacked.  Attackers placed malicious software on the web server that in turn attempted to compromise any client that accessed the web site.  The malicious software took advantage of several vulnerabilities in Microsoft Windows and installed a trojan downloader on vulnerable computers without the user even being aware that anything had occurred.  The trojan would then steal passwords and allow the attackers to install additional programs that could be used for a variety of nefarious purposes.

Since that time the flood gates have been opened.  This type of attack, called drive-by downloading, has become the favorite method for attacking computers and spreading malware.  In fact, these attacks have even surpassed email as the primary vector for the spread of viruses and trojans.  What makes this trend even more troubling is the number of legitimate web sites that have been compromised and used to attack the computers of people who visit these sites.  The list of organizations that have had their web sites compromised numbers in the tens of thousands and includes such names as the University of California, MySpace, the United Nations, Sony, Cambridge University Press, and even US governmental agencies.  Frequently these web site hacks coincide with major sporting events such as the Euro 2008 soccer event and the Wimbledon tennis tournament.  In both cases web sites related to these events were compromised putting visitors to those sites at risk of infection.

:

“In 2007, SophosLabs discovered one new infected webpage every 14 seconds. In the first six months of 2008 that figure rose to one every five seconds, or an average of 16,173 malicious webpages every day – and 90 percent of these webpages are on legitimate sites which have been hacked.”

Clearly you cannot assume any web site is safe to surf no matter whose name is on it.  So how do you protect yourself? First and foremost ensure that the latest browser patches are installed.  This applies whether you use Internet Explorer, Firefox, Safari or something else.  Most of these hacks take advantage of vulnerabilities in browsers.  And while you are at it make sure you have all recommended Microsoft security patches installed as well as patches for third party applications that tie into the browser such as Java, Adobe Flash and Adobe Acrobat Reader.  And just because you use a Mac doesn’t mean you are immune.  The same advice applies.  Enterprises can and should take advantage of web content filtering tools that can detect and block access to infected web sites.  Finally, awareness may be the best defense as we surf the increasingly murky waters of the World Wide Web.

Copyright © 2011 InfoSecStuff.com — All Rights Reserved