Hacking


Following the Trail of Web-based Malware

Recently a client of mine alerted me to an email that was received by one of their HR staff members.  The body of the email is shown below:

Despite having received security awareness training, the staff member clicked on the link thinking this was a document that needed to be reviewed.  In actuality, it was a link to a malicious site. Fortunately, there were technical controls in place that prevented the user’s machine from being compromised, but I thought it would be illuminating to follow the trail of this attack.

Step 1

The email bypassed the client’s anti-spam and anti-malware defenses, most likely because the link in the email pointed to a legitimate website rather than a known malicious site, the email came from a well-known email provider, and there was little else in the message.  Below is the body of the email as it was delivered (quoted-printable decoded).  Notice the hyperlink: its visible text is “Contract.doc 72kb”, but it points to a page under cuna.org.

After our legal department studied this contract carefully, they’ve noticed the following mismatches with our previous arrangements. We’ve composed a preliminary variant of the new contract, please study it and make sure that all the issues are matching your interests
neymix.cuna.org/blog/wordpress/wsdno.htm?M0DJ854=318L77Y4SFO&3L6=G2DGZ8C9F2O9DV2LFX&99G2R=I996N6O9B3WJQ8DVL&FV882F6=5CFM197E9&">Contract.doc 72kb

With Best Wishes
Elvina Riggs

Secure Checksum: 9d08e1116b5<br>

Step 2

Once the user clicked on the link, they were taken to the site hxxp://moneymix.cuna.org.  This is a legitimate site operated by the Credit Union National Association, a credit union trade association.  Moneymix is a service offered by the association to other credit unions to provide social media content to the websites of credit unions that sign up for the service.  Hackers had injected a malicious iframe on this website that would then redirect the user to hxxp://ciredret.ru/main.php.

Step 3

The main.php script contained javascript that attempted to exploit several potential vulnerabilities on the user’s machine.  I was able to download the script and analyze it.  By inserting an “alert” statement into the script just prior to the actual execution of the code, we can get a good idea of what the script does. Below is a sample of the output:

 

This script fingerprints the installed versions of a number of applications, including the browser, Java, Flash and Adobe Reader.  If it finds a vulnerable version, it attempts to exploit the vulnerability and compromise the machine.  This code appears to be very widely used, as I found numerous copies of it on sites such as Pastebin.  Given that this script is being used on so many sites, it seems likely that it is part of one of the many commercial exploit packs that are available on the web.

Conclusion

Based on this research we can draw some conclusions about appropriate countermeasures for this type of threat.  First, user awareness is key: users must be educated about these types of threats so that they can identify and avoid them.  Second, defense in depth is a must.  In this case the client had anti-spam and anti-malware technology on their mail gateway, but this threat still made it through; additional countermeasures such as a web security gateway or proxy server are also recommended, and the last line of defense is the endpoint itself.  Third, it is important to understand that even legitimate websites can be victimized and used to spread malware.  Don’t assume that a site is safe because it is well known or in a particular industry.  Lastly, keep your systems patched, including third-party applications.  Exploit packs like this one target vulnerabilities for which patches already exist, so a fully patched system defeats the large majority of them.

Note: I contacted the administrators of the Credit Union National Association website to advise them of the fact that their site was compromised. To their credit they removed the offending file very quickly.

While there is nothing surprising these days about finding a website that contains malicious code, it is educational to investigate them in order to determine how the bad guys are using the web to scam people and make money.  A recent report documents the increased use of javascript by attackers in their attempts to install malware on victim machines.  Recently I came across a site with some malicious javascript that caught my attention.  In this article I will detail how the javascript works in its attempt to download and install malware on unsuspecting visitors’ machines.

The site in question is hxxp://www.dompimps.com. Do not attempt to access this site unless you know how to protect your machine or else you may find yourself dealing with a nasty infection (and this one won’t be treatable with antibiotics). I attempted to notify the owners of the site to alert them to the malicious javascript, but I have not received any response. It is impossible to know if this malicious code was installed by the site owners themselves or if it was injected by a hacker who took advantage of a vulnerability in the site. In either case, the result is the same for visitors to this site.

The screen shot below shows the malicious javascript that exists on this site.

Interestingly, no attempt is made to obfuscate this code, which is frequently done with malicious javascript in order to make detection more difficult.  The result when someone visits hxxp://www.dompimps.com is that the javascript is executed by the browser, which then loads hxxp://onlineisdudescars.com/js.php.  This site resolves to an IP address that appears to be registered in Latvia.  And this is where things get interesting.  I submitted this URL to Anubis for analysis and used the provided network trace to determine exactly what this PHP script does.  The screen shot below shows the pertinent part of this PHP script and how it attempts to install its malware.

As can be seen, the js.php script makes a call to hxxp://www3.netsurfingprotectionuc.rr.nu/?9247dcba5c=m%2Bzgl2uglqasm%2BLPzaualubj4KKbpZ%2Bk0KWbYKWklJI%3D, which resolves to an IP address that appears to be registered in Virginia.  This site actually serves up the scareware that attempts to install rogue anti-virus software and infect your machine.  It is particularly persistent and requires you to kill your browser via Task Manager in order to get away from the site.

Since I started working on this article last week, the js.php script on hxxp://onlineisdudescars.com has been updated and now refers to hxxp://www4.lawcps-safe.rr.nu/?944184a698=m%2BzgmGuekqmcluOW156Zi6Lm3mvUpnJpaGFvZpFrmlw%3D rather than hxxp://www3.netsurfingprotectionuc.rr.nu/?9247dcba5c=m%2Bzgl2uglqasm%2BLPzaualubj4KKbpZ%2Bk0KWbYKWklJI%3D.  Hackers frequently change the source of their malware distribution points to make detection more difficult and help prevent their sites from being exposed and possibly taken offline.

The process described in this article is very typical of how hackers use javascript to install malware on unsuspecting users browsing the web.  There are often two or three hosts involved with the first one being used to distribute the javascript that has either been placed on a web server without the knowledge of the owners (e.g. via SQL injection) or on purpose by the site owners.  The javascript will redirect to another site that either actually attempts to install the malware or possibly uses redirection to yet another site that will actually host the malware.  By using this series of redirections and changing the intermediate hosts/URLs occasionally, it is much more difficult to track down the people behind the scam.  Understanding how the bad guys use web technology to conduct their attacks can help all of us defend our networks from them.

It is interesting how a minor home improvement project can result in the discovery of a hack on a major retail website.  It all started with a simple Google search for “home depot stair spindles”.

The first unpaid result in the search is hxxp://www6.homedepot.com/stairparts/gallery.html as shown above.

As it turns out, there is an invisible iframe in this page that links to the external site vwui.in on port 8080 as shown below.

As can be seen in the screenshot, the below code has been injected into the page:

The site vwui.in is listed as a malicious site by both Google and StopBadware, with one listing going back to July of 2009.

After I discovered this hack I decided to investigate the vwui.in site to try and determine what type of malware it was hosting.  As it turns out, this domain no longer resolves.

[prompt ~]$ host vwui.in
Host vwui.in not found: 3(NXDOMAIN)

StopBadware lists an IP address for this domain which, according to the whois database, belongs to ThePlanet.com Internet Services.

[prompt ~]$ whois
[Querying whois.arin.net]
[whois.arin.net]
Optical Jungle EVRY-753 (NET-209-85-51-0-1) 209.85.51.0 –
ThePlanet.com Internet Services, Inc. NETBLK-THEPLANET-BLK-EV1-15 (NET-209-85-0-0-1) 209.85.0.0 –

Furthermore, when accessing this IP in a browser it redirects to hxxp://searchmanified.com which also appears to be serving up some type of malware.

So how did this page on Home Depot’s website get compromised?  While it’s not possible for me to know for certain without doing a complete investigation, I can make an educated guess.  Typically, these types of attacks use one of several attack vectors:

  • Compromised FTP credentials due to a weak password
  • Brute force compromise of server credentials
  • SQL injection

Back in 2009 tens of thousands of web sites were injected with hidden iframes that attempted to download malware when a visitor accessed one of the compromised sites.  In many cases these attacks took advantage of SQL injection vulnerabilities to insert the hidden iframe.  They also tended to host their malware on port 8080 rather than the standard port 80.  Given the fact that the server vwui.in was first listed as a malicious site back in 2009, that the malicious site uses port 8080, and the fact that it no longer has any associated DNS records, it is quite possible that the Home Depot page was originally compromised as part of this massive attack in 2009 and only now has been discovered.  While the iframe in the Home Depot website is not currently a threat, the vulnerability that allowed it to be inserted into the page may still be present which could lead to a future compromise of this site.  I attempted to contact Home Depot to inform them of this issue, but as of this writing I have not received a response.
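A static check for this pattern, as an added example that is not from the original post: it scans a page for iframes and scores each one on the signals noted above (external host, non-default port such as 8080, 1x1 size, hidden style).  The HTML is constructed to mimic the description; only the www6.homedepot.com host and vwui.in:8080 come from the post, the other two frames are benign filler.  Node.js.

```javascript
'use strict';

// Constructed page, not the real Home Depot HTML: one same-origin frame, one
// ordinary third-party embed, and one frame of the kind the post describes
// (external host, port 8080, 1x1, hidden).
const PAGE_HOST = 'www6.homedepot.com';
const SAMPLE_PAGE = `
<html><body>
<h1>Stair Parts Gallery</h1>
<iframe src="/stairparts/promo.html" width="600" height="300"></iframe>
<iframe src="https://www.youtube.com/embed/VIDEO_ID" width="560" height="315"></iframe>
<div><iframe src="http://vwui.in:8080/" width="1" height="1" style="visibility: hidden"></iframe></div>
</body></html>`;

// Pull attr="v" / attr='v' / attr=v / bare attr pairs out of one tag's attribute text.
function parseAttrs(text) {
  const attrs = {};
  const re = /([a-zA-Z][\w:-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(text)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Score every <iframe> in `html` against the signals that marked the injected frame.
// One signal alone is common on clean pages (a video embed is external); two or
// more together is the injection pattern, so that is the reporting threshold.
function findSuspiciousFrames(html, pageHost) {
  const findings = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const a = parseAttrs(m[1]);
    const src = a.src || '';
    const reasons = [];
    let url = null;
    try {
      url = new URL(src, `http://${pageHost}/`);   // resolves relative src too
    } catch (e) {
      reasons.push('unparseable src');
    }
    if (url) {
      const host = url.hostname;
      if (host !== pageHost && !host.endsWith('.' + pageHost)) reasons.push(`external host ${host}`);
      if (url.port) reasons.push(`non-default port ${url.port}`);  // URL drops 80/443, so anything left is unusual
    }
    const w = parseInt(a.width, 10);
    const h = parseInt(a.height, 10);
    if ((w >= 0 && w <= 2) || (h >= 0 && h <= 2)) reasons.push(`tiny frame ${a.width}x${a.height}`);
    const style = (a.style || '').toLowerCase().replace(/\s+/g, '');
    if (style.includes('display:none') || style.includes('visibility:hidden') || 'hidden' in a) {
      reasons.push('hidden');
    }
    if (reasons.length >= 2) findings.push({ src, reasons });
  }
  return findings;
}

console.log(JSON.stringify(findSuspiciousFrames(SAMPLE_PAGE, PAGE_HOST), null, 2));
```

Run it over a saved copy of a page (or the output of a crawler) to get a list of frames worth a look; a frame flagged on the external-host and hidden signals together is almost never something the site’s own developers put there.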

If you have used the web for any length of time at all, it is quite likely that you have seen a pop-up box similar to the one above on your computer when visiting a web site.  In the security industry this type of malware is frequently referred to as scareware or rogue anti-virus.  When confronted with this message, many people will unsuspectingly click the “OK” button which will usually install some type of malware that claims your machine is infected with a virus.  It then offers to remove the virus if you purchase a product.  The problem is, not only is this not going to protect your machine, but will likely lead to further system compromise and possibly the loss of personally identifiable information or credit card data.

A client of mine recently called to inform me that his system had been infected with malware after clicking the “OK” button on the above pop-up box.  After removing the malware from his machine, I decided to dig further into this scareware campaign.  The client reported that he performed a search for “tatiana banx” and one of the top 10 results took him to this site.

I started my analysis by performing the same search as my client.  The results of my search are shown below.  Notice the 10th result which I have highlighted with a red arrow.

The URL is hxxp://collin-county-real-estate.rmdfw.com/gsfyn/yuxfm.php?gu=500242.  Also notice all the keywords listed for “tatiana”.  This one caught my attention and sure enough, clicking on this link will take you to a rogue AV site.  Moreover, your browser will become unusable except to click the “OK” button.  In fact, clicking on any part of the pop-up box results in infection, indicating that the pop-up itself is part of the attack.  The only way to prevent infection after clicking on the link in the search result is to kill the browser process.

So, the first part of this scareware campaign is the use of SEO poisoning to generate high search results for the term “tatiana banx” among others.  This is a common technique used by scammers to increase traffic to their sites and to increase infection rates.  But how did they do this?  I began by investigating the collin-county-real-estate.rmdfw.com site.  This site is the Dallas-Fort Worth Re/Max Realtor web site.  The A record for this server is 216.177.141.4 with a PTR of web17.websitesource.net.  Thus, it appears that this site is hosted at WebSiteSource with a location somewhere in Kansas if the geoIP information is accurate.   Next I examined the web server itself and found that directory listing was enabled which led to a treasure trove of interesting information.

This is only a partial list of over 330 files on this server that appear to be part of an SEO poisoning campaign.  Examination of these files indicates that this server is being used to manipulate search results for many, many different search terms.  For example, the search I performed for “tatiana banx” brought the result hxxp://collin-county-real-estate.rmdfw.com/gsfyn/yuxfm.php?gu=500242.  A partial listing of the contents of the file 500242 is listed below:

collin-county-real-estate.rmdfw.com
tatiana milovani
shte eet glawa ivanova tatiana che
eest ivanova tatiana dean electrical
tatiana narvaez
life info on tatiana golovin
tatiana isotov
mary tatiana krot
tatiana fistrovic and us visa
tatiana gregorieva
tatiana keeshan
tatiana petit
tatiana scam
tatiana startseva parkville
chris tatiana
tatiana free pics
tatiana nikolaevna tumanova
tatiana ali in king mag
tatiana jones
tatiana petersen
find tatiana schwappach
tatiana alverez

Other files on this server show similar content for different search terms.  It appears that this server is being used as part of an SEO poisoning campaign, likely without the knowledge of the web site’s owner.  Furthermore, assuming that the owners of the rmdfw.com domain are not purposely redirecting traffic to malware distribution sites, it is likely that this server has been compromised.

The next step in my analysis involves an examination of the method that the site uses for redirecting traffic from hxxp://collin-county-real-estate.rmdfw.com to another site that attempts to install malware on the visitor’s machine.  This turns out to be the most interesting part.  There is a PHP script (yuxfm.php) that redirects to various other sites that host the scareware campaign.  You will only be redirected if you click on the URL from a search result, indicating that the referer is being used to determine how traffic will be handled.  Using a proxy to capture all of the communication between my system and the servers involved, I was able to reconstruct the sequence of events.  After performing a search and clicking on the URL hxxp://collin-county-real-estate.rmdfw.com/gsfyn/yuxfm.php?gu=500242 which was the 10th result presented, the server responds with a 302 redirect to one of several different URLs.  Below is the original request:

GET http://collin-county-real-estate.rmdfw.com/gsyfn/yuxfm.php?gu=500242 HTTP/1.1
Host: collin-county-real-estate.rmdfw.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 GTB7.1 (.NET CLR 3.5.30729) Paros/3.2.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=&q=tatiana+banx&sourceid=navclient-ff&rlz=1B3GGGL_enUS340US341&ie=UTF-8
Cookie: Hello-friend=4

And the response:

HTTP/1.1 302 Found
Date: Tue, 27 Jul 2010 02:37:50 GMT
Server: Apache
Set-Cookie: Hello-friend=5
Location: hxxp://zeoro1.strangled.net/3/?c=947
Content-Type: text/html

In this case I was redirected to hxxp://zeoro1.strangled.net/3/?c=947.  This server then presents the scareware that attempts to trick the visitor into installing malware.  Notice the javascript that gets executed on the client.  No doubt this is the source of the malware.  The site also includes images that resemble actual Windows warning messages in order to increase the likelihood that the visitor will be fooled into accepting the malware:

(Screenshot of the scareware page: “Online Protection” / “Initializing Virus Protection System…”)
The redirect target changes frequently in an attempt to make detection and investigation more difficult.  In fact, since I started my analysis a week ago, the collin-county-real-estate.rmdfw.com URL no longer shows up when searching for “tatiana banx” and no longer appears to be used in this malware campaign.  However, other top 10 search results for “tatiana banx” lead to the same scareware tactics.  For example, today hxxp://tmsoftwaresolutions.co.uk/linmx/plol.php?gi=438195 shows up as the number 6 result.  It is also important to keep in mind that this type of attack is not confined to searches for “tatiana banx”.  It is clear that whoever is behind this attack is targeting many different search terms, and thus all search results should be viewed with care.  Also, it appears that there are many compromised servers that are part of this campaign, leading to the conclusion that this is not an isolated case.

To summarize, this scareware campaign makes use of a variety of techniques in order to spread its malware.  First, it uses compromised hosts to manipulate search results and drive traffic to its servers, a technique called SEO poisoning.  When a visitor clicks on one of these bogus search results, they are redirected to the malware delivery host, which serves up content designed to make the visitor think their machine is infected with a virus.  If the visitor clicks on the pop-up box to try and “remove” the virus, they will actually be installing malware on their machine.  This malware pretends to be an anti-virus program, but in fact is malicious software.  In the near future I will be conducting further analysis on the hosts involved, how they may have been compromised and used as part of this malware distribution campaign, and the nature of the malware itself.
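To make the cloaking mechanism concrete, here is an added example (not the campaign’s code, which was never recovered) modelling the gateway logic described above together with the probe an analyst uses to expose it.  What comes from the capture: the search-engine Referer requirement, the Hello-friend cookie going from 4 to 5, and the 302 to hxxp://zeoro1.strangled.net/3/?c=947.  What is assumed: that the cookie counter selects the next landing host, the two *.example hosts padding the rotation, and the keyword-stuffed page served to everyone who does not arrive from a search.  Node.js.

```javascript
'use strict';

// Observed on the page: a search-engine Referer is required, the Hello-friend
// cookie went 4 -> 5, and the 302 pointed at zeoro1.strangled.net. The rest is
// an assumption made to fill the model out: that the counter chooses the next
// landing host, the two *.example hosts, and the keyword page for non-referred hits.
const COOKIE_NAME = 'Hello-friend';
const LANDING_PAGES = [
  'hxxp://zeoro1.strangled.net/3/?c=947',   // from the capture above
  'hxxp://landing-b.example/3/?c=947',      // hypothetical
  'hxxp://landing-c.example/3/?c=947',      // hypothetical
];
// A few of the terms from the 500242 keyword file; the crawler-facing page is stuffed with them.
const KEYWORDS = ['tatiana milovani', 'tatiana narvaez', 'tatiana petit', 'tatiana jones'];
const SEARCH_REFERER = /^https?:\/\/([a-z0-9-]+\.)*(google|bing|yahoo)\.[a-z.]{2,6}\/search/i;

function parseCookies(header) {
  const jar = {};
  for (const part of header.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) jar[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return jar;
}

// The gateway. req = { path, headers } with lower-case header names.
function cloakedGateway(req) {
  const referer = req.headers.referer || '';
  const visits = parseInt(parseCookies(req.headers.cookie || '')[COOKIE_NAME], 10) || 0;
  if (!SEARCH_REFERER.test(referer)) {
    // Crawlers and direct visitors (including analysts) see only the page that earns the ranking.
    const body = `<html><body>${KEYWORDS.map(k => `<p>${k}</p>`).join('')}</body></html>`;
    return { status: 200, headers: { 'content-type': 'text/html' }, body };
  }
  // A human arriving from a search result is bounced to the scareware host;
  // the counter advances so repeat clicks spread across the rotation.
  const target = LANDING_PAGES[visits % LANDING_PAGES.length];
  return {
    status: 302,
    headers: { location: target, 'set-cookie': `${COOKIE_NAME}=${visits + 1}` },
    body: '',
  };
}

// Analyst side: replay one URL under several header sets and compare. Fetching
// the page "normally" shows nothing; the search referer is what flips the response.
function probe(gateway, path) {
  const referer = 'http://www.google.com/search?q=tatiana+banx';
  const variants = {
    direct: {},
    fromSearch: { referer },
    fromSearchWithCookie: { referer, cookie: `${COOKIE_NAME}=4` },
  };
  const report = {};
  for (const [name, headers] of Object.entries(variants)) {
    const res = gateway({ path, headers });
    report[name] = {
      status: res.status,
      location: res.headers.location || null,
      setCookie: res.headers['set-cookie'] || null,
    };
  }
  return report;
}

console.log(JSON.stringify(probe(cloakedGateway, '/gsfyn/yuxfm.php?gu=500242'), null, 2));
```

The practical lesson is in probe(): a site owner who loads the URL from the address bar, or a scanner that fetches it without a Referer, gets the harmless keyword page and concludes the server is clean.  Replaying the request with a search-engine Referer (and, to walk the rotation, with different cookie values) is what reveals the redirect.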



Recently I decided that I would no longer maintain my subscription to the local newspaper, the News and Observer.  Like many people I find that I get most of my news online these days and didn’t want to continue paying for something I didn’t use.  I decided to look at their web site to see if I could cancel my subscription online.  This is where I discovered that newsandobserver.com uses a terrible authentication mechanism that can lead to the disclosure of personal information and unauthorized changes to paper delivery and other subscription options.

The crux of the problem is that the web site relies on publicly available information to authenticate subscribers.  Below is a screenshot of the subscriber login screen.

As you can see, all that is required to log in to a subscriber account is a phone number and house number.  Both of these pieces of information are easily obtained online for most people.  After authentication, you have access to the subscriber’s account, where you can gain additional information about them.  The most important information that you can get access to is the subscriber’s email address.  This would be useful to scammers who could set up a fake site that resembles the real newsandobserver.com, send the subscriber an email telling them that they need to update their account information, and then obtain their credit card or other financial account data.  Below is a screenshot of my account home page.

Another thing that you can do within the subscriber section is manipulate delivery options.  For example, you can put stops on delivery or extend your subscription.  This would allow an unauthorized person to put a hold on someone else’s paper delivery or even change the length of their subscription, both of which could have a financial impact on the subscriber.  Below is a screenshot showing the ability to change these options.

Lastly, subscribers are able to change their personal information such as email address and phone number.  There is also a check-box to disable email notification of account changes.  A scammer could use this option to prevent notifications from being sent to the subscriber after he made changes to the account.  By updating the email address and phone number to one of his choosing, he may even be able to use social engineering to obtain credit card information from an N&O customer service representative.  Below is a screenshot of the page that allows a subscriber to change personal information.

Such a weak authentication mechanism is inexcusable for the second largest newspaper in the state of North Carolina.  With over 750,000 print and online readers, there are many opportunities for scammers to use this weakness to obtain subscribers’ personally identifiable information and potentially additional financial information.  It would not be difficult to automate a process for gathering phone numbers and house numbers for prominent people in North Carolina, many of whom are likely to subscribe to the News and Observer, attempt to login as these individuals, and obtain their email addresses.  With such a list in hand, it would be possible to send them fake emails appearing to be from the N&O that could trick them into divulging their credit card numbers.

I have contacted NewsandObserver.com to report this vulnerability.  Remediation is not difficult: there are many types of authentication mechanisms that work well, and OWASP publishes guidance dedicated to this topic.  I hope that they take advantage of it to correct this issue.

In October the Fox Sports web site was found to have been compromised with an iframe that redirected visitors to a site hosting malicious content.  The affected URL was hxxp://msn.foxsports.com/fantasy/baseball/hotstreak/external and an example of the injected code is below:

Anyone who accessed this site while the malicious code was active could potentially have had their computer infected with malware.  Fox Sports administrators eventually removed the iframe, but today the same page was infected again.  This time two script tags were injected, shown below:

These same two scripts were also used in the October Fox Sports web site compromise incident.  The akcworld.com and nt002.cn domains are widely known to host malicious content and are frequently used as part of the same campaign.  At approximately 9:50pm I checked the Fox Sports web site to verify whether the page was still infected.  It was not.  I then checked the page information and saw that it had been modified at 9:39pm EST, just 10 minutes before I checked the site.

The Fox Sports administrators moved very quickly this time to rectify the site compared to the October incident, which took nearly two weeks to address.  However, this situation raises the obvious question of how the Fox Sports web site keeps being compromised.  I can think of several possibilities that would explain it: 1) the hackers installed a backdoor that they continue to use for access; 2) the hackers continue to use compromised credentials for the web site; 3) a vulnerability exists in the web site that has not been remediated; 4) Fox Sports administrators restored an older version of the page that included the malicious code from the October hack.  We are not likely to learn the root cause of this compromise any time soon, but it is certain that unless Fox Sports takes preventative action, it will probably occur again.

Even Security Pros Get Owned

On Thursday we awoke to a good old-fashioned web site defacement and the disclosure of emails and other personal information of some of the most prominent names in the information security field.  A group hacked into the servers of Dan Kaminsky, Julien Tinnes, and Kevin Mitnick, to name just a few.  The information they obtained and disclosed includes email correspondence, phone numbers, userids and passwords of many of the world’s most notable whitehat security researchers.  Some of this information is very personal and quite embarrassing to have publicly disclosed to the entire Internet.  Moreover, it is likely that this disclosure will lead to a great deal of spam and nuisance phone calls for the people whose information was disclosed, as well as possible attacks on other systems.

These days it is unusual for hackers to deface web sites and publicly embarrass others.  Most are more concerned with making money and thus try to work silently without being noticed.  The defacement of Kaminsky’s web site is reminiscent of the old-school gamesmanship in which hackers would try to publicly humiliate others by defacing their web sites.  This attack has prompted Kaminsky to take his site offline, although you can still see the defaced version in Google’s cache.  I have also included it below.

It is not known how the hackers were able to crack the servers, but it goes to show that a determined attacker can probably find an exploitable vulnerability in any system if given enough time and resources.  There is no such thing as a completely secure system, except one that is turned off.  It is the job of the security professional to reduce risk to an acceptable level given the value of the asset that is being protected.  While none of the information disclosed could be considered valuable in a monetary sense, having it disclosed so publicly is certainly embarrassing and could damage their reputations and their businesses.  No system is safe and we should all take heed of the threats that are out there.

Hoaxes as Threats


A few days ago I went to see the latest installment of the Harry Potter movies.  So it is timely that a new Internet hoax emerged today playing on the popularity of the film and its actors.  A hoax spread rapidly today via email and social networking sites such as Facebook and Twitter about the death of Emma Watson who plays Hermione Granger in the popular films.  The hoax claimed that the actress had died in a car accident.  Below is one example of the bogus news report:

On July 24, 2009, Watson was en route to her mansion in Oxfordshire, England. Police footage captured her driving with speeds up to 80 miles per hour on very narrow roads. Oxfordshire paramedics received a 999 call at 12:22 p.m. (GMT), about an sportcar having crashed into a wall at a petrol station. At this point it was still unknown that the victim was indeed Emma Watson. Three minutes after the call got through, paramedics arrived at Watson's location. She was reportedly not breathing and the car was total loss. After 5 minutes the Oxfordshire Fire Department managed to get Watson out of her car. Resuscitation efforts continued en route to the Oxfordshire's Medical Center, and for an hour after arriving there at 1:45 p.m. (GMT). She was pronounced dead at 2:10 p.m. (GMT).

Unfortunately, by forwarding this information, people are unwittingly helping scammers install rogue anti-virus software on unsuspecting users’ computers.  Criminals have used blackhat SEO poisoning to get searches related to Emma Watson’s death ranked very high in search results.  For example, I did a Google search on “emma watson die” and the 6th and 8th results were redirects to malicious sites that attempted to install rogue anti-virus software:


Fortunately, Google warns that this is a malicious web site.  However, there are many others besides this one in the top 20 search results, so do yourself a favor and stay away from them.  And most importantly, don’t forward any news articles or emails related to this hoax.  In general, this is good advice for email chain letters, get-rich-quick spam, jokes, and any other nuisance email that finds its way into your inbox.

Mitigating SSH Brute Force Attacks


If you manage a system connected to the Internet that allows inbound SSH traffic, and you check your system logs periodically, no doubt you have noticed the failed login attempts from rogue systems trying to brute force your machine.  These brute force attempts are typically generated by systems that have been compromised themselves (bots) and are attempting to infect more systems to add to the botnet.  They generally are not very subtle, generating lots of log entries and setting off any IDS that may be monitoring the network.  Below is an example of the logs generated by such brute force attempts on a Red Hat-compatible system:

Dec 8 13:28:51 websrv1 sshd[14407]: Failed password for invalid user test from port 55732 ssh2
Dec 8 13:28:54 websrv1 sshd[14409]: Failed password for invalid user anda from port 56250 ssh2
Dec 8 13:28:58 websrv1 sshd[14411]: Failed password for invalid user jb from 201.47.187.138 port 56723 ssh2
Dec 8 13:29:02 websrv1 sshd[14413]: Failed password for invalid user cvsuser from port 57255 ssh2
Dec 8 13:29:05 websrv1 sshd[14415]: Failed password for invalid user cvsuser1 from port 57761 ssh2
Dec 8 13:29:09 websrv1 sshd[14417]: Failed password for invalid user mana from port 58263 ssh2
Dec 8 13:29:13 websrv1 sshd[14420]: Failed password for invalid user mysql from port 58810 ssh2
Dec 8 13:29:17 websrv1 sshd[14422]: Failed password for invalid user mysql from port 59342 ssh2

Here you can see that the attacking host tried to log in as the users mysql, mana, cvsuser1, cvsuser, jb, anda, and test, all in the space of about 26 seconds.  And this was just one snippet of logs from Dec 8.  This happens every day, many times per day, and from many different attacking systems.  Large networks frequently have intrusion detection/prevention systems to help block these types of attacks.  But what should administrators of small networks with few resources do to combat these brute force attempts?

First, you have to check your logs.  Manual scanning of logs is fine, but there are tools that can make this task much easier; one example is the log summarizer that ships with many Linux distributions, which analyzes your logs and sends you reports of system activity that help you spot these types of events.  Second, keep the number of accounts that are allowed to log in to the system via SSH to a minimum: always use the “AllowUsers” option to specify which accounts are allowed remote access, and absolutely do not allow root to log in via SSH, as this is the first account bruters attempt to crack.  Finally, take advantage of iptables to block access from those systems that are attempting to break into yours.  You can either do this manually or write a script to block them automatically based on log entries.  There are also a number of block lists available on the Internet that provide a good starting point of hosts/networks to block even if they have not tried to brute force your machine (yet).

attempt to be more subtle in the hopes that the attackers will not be noticed by IDPS systems. However, they are still easy to spot with human analysis and the techniques mentioned above. Stay alert and keep your systems secure. We are all in this together.
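The log-driven blocking suggested above, as an added example that is not from the original post: it parses sshd failure lines, applies a failures-per-window threshold per source address (a sliding window, so a slow bruter is judged fairly), skips an allowlist, and emits the iptables rules to run.  The sample lines are constructed, with RFC 5737 test addresses standing in for real attackers, and the threshold values are arbitrary.  Node.js.

```javascript
'use strict';

// Constructed sample (RFC 5737 test addresses, not real attackers): one noisy
// bruter, one slow one that stays under the default threshold, and a legitimate login.
const SAMPLE_LOG = `
Dec 8 13:28:51 websrv1 sshd[14407]: Failed password for invalid user test from 203.0.113.7 port 55732 ssh2
Dec 8 13:28:54 websrv1 sshd[14409]: Failed password for invalid user anda from 203.0.113.7 port 56250 ssh2
Dec 8 13:28:58 websrv1 sshd[14411]: Failed password for invalid user jb from 203.0.113.7 port 56723 ssh2
Dec 8 13:29:02 websrv1 sshd[14413]: Failed password for invalid user cvsuser from 203.0.113.7 port 57255 ssh2
Dec 8 13:29:05 websrv1 sshd[14415]: Failed password for invalid user cvsuser1 from 203.0.113.7 port 57761 ssh2
Dec 8 13:29:09 websrv1 sshd[14417]: Failed password for invalid user mana from 203.0.113.7 port 58263 ssh2
Dec 8 13:29:13 websrv1 sshd[14420]: Failed password for invalid user mysql from 203.0.113.7 port 58810 ssh2
Dec 8 13:30:40 websrv1 sshd[14501]: Failed password for root from 198.51.100.9 port 40110 ssh2
Dec 8 13:31:02 websrv1 sshd[14502]: Failed password for root from 198.51.100.9 port 40111 ssh2
Dec 8 13:31:30 websrv1 sshd[14510]: Accepted publickey for deploy from 192.0.2.5 port 50022 ssh2
Dec 8 14:10:00 websrv1 sshd[14600]: Failed password for invalid user admin from 198.51.100.9 port 40200 ssh2
Dec 8 14:10:03 websrv1 sshd[14601]: Failed password for invalid user admin from 198.51.100.9 port 40201 ssh2
Dec 8 14:10:07 websrv1 sshd[14602]: Failed password for invalid user admin from 198.51.100.9 port 40202 ssh2
`.trim();

const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5, Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };
// Matches the sshd failure lines shown above; "invalid user" is optional because
// failures for accounts that exist (root!) omit it.
const FAIL_RE = /^([A-Z][a-z]{2}) +(\d+) (\d\d):(\d\d):(\d\d) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+/;

// syslog lines carry no year; the caller supplies the one the log was written in.
function parseFailures(logText, year) {
  const events = [];
  for (const line of logText.split('\n')) {
    const m = FAIL_RE.exec(line);
    if (!m) continue;                          // accepted logins, other daemons
    const [, mon, day, hh, mm, ss, user, ip] = m;
    const ts = Date.UTC(year, MONTHS[mon], Number(day), Number(hh), Number(mm), Number(ss)) / 1000;
    events.push({ ts, user, ip });
  }
  return events;
}

// Block a source once it reaches `threshold` failures inside any `windowSec`
// span (sliding window), unless it sits in one of the allowlisted prefixes
// (written with a trailing dot, e.g. "192.0.2.", so "10.1." cannot match 10.10.x).
function planBlocks(events, { threshold = 5, windowSec = 60, allow = [] } = {}) {
  const byIp = new Map();
  for (const e of events) {
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(e.ts);
  }
  const blocked = [];
  for (const [ip, times] of byIp) {
    if (allow.some(prefix => ip.startsWith(prefix))) continue;
    times.sort((a, b) => a - b);
    let lo = 0;
    for (let hi = 0; hi < times.length; hi++) {
      while (times[hi] - times[lo] > windowSec) lo++;
      if (hi - lo + 1 >= threshold) { blocked.push(ip); break; }
    }
  }
  // Insert at the head of INPUT so the drop wins over any earlier accept rule.
  const commands = blocked.map(ip => `iptables -I INPUT -s ${ip} -p tcp --dport 22 -j DROP`);
  return { blocked, commands };
}

console.log(planBlocks(parseFailures(SAMPLE_LOG, 2008), { allow: ['192.0.2.'] }).commands.join('\n'));
```

The allowlist matters more than it looks: a script like this run from cron will happily lock out the administrator’s own network after a few typos, so the management subnet should be excluded before the first rule is ever inserted.  Rules added this way are also lost on reboot unless they are saved, and a block list that only grows needs an expiry, which is exactly the bookkeeping that tools such as fail2ban and DenyHosts do for you.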

A New Kind of Honey Stick

When I visit the local farmers market with my family, my children are always excited to buy a couple of honey sticks from the local bee keepers.  These are essentially plastic tubes about the size of a straw filled with honey.  Unlike these delicious treats, there is another type of honey stick that isn’t so tasty and could be very harmful to your computer.  The honey stick project, which was started earlier this year, is a research effort designed to determine how many people will plug a USB thumb drive that they find in a random place into their computer.  These USB drives have a program on them to “phone home” so that the researcher can determine what percentage of thumb drives distributed to random locations will be accessed.  The results so far?  Out of 33 deployed honey sticks, 42% of them have been accessed.

You may be wondering what the problem is with plugging a found thumb drive into your computer.  I mean hey, who wouldn’t want a free thumb drive, right?  Unfortunately, by plugging a thumb drive from an unknown source into your computer you are putting your system at risk of infection by a virus or trojan.  The autorun feature of many operating systems can automatically execute a malicious program on the drive, which could lead to the compromise of the machine, and from there to the theft of your bank account information, personal information, usernames, passwords and more.  So if you ever find a USB drive or any other type of media (CD-ROM, DVD, etc.), don’t put it in your machine unless you are feeling very lucky that day.

A well known technique for testing the security of a company’s network is to scatter a few thumb drives in the target company’s parking lot.  These drives carry software that installs automatically when the drive is plugged into a computer, compromising that system and potentially other systems on the corporate network.  Many unsuspecting people will spot a thumb drive while walking through the parking lot, pick it up and plug it in to their computer.  Our curiosity often gets the best of us, leading to unintended consequences (like a visit from the corporate security administrator).

Recently a virus was detected on laptops used in the .  It is suspected that it was transmitted via shared USB drives.  There was nothing sweet in those sticks!

Red Hat Servers Hacked

On Friday, August 22, Red Hat on its web site that one or more of the servers used as part of the Fedora project had been compromised by hackers.  Even more troubling, the compromised servers included one used to sign Fedora packages.  Company officials said they were confident that the passphrase protecting the private key used to sign the packages was not obtained.  Nevertheless, as a precaution the company reinstalled the affected systems and issued new keys for signing packages, which meant downtime for the affected servers.

But the hack did not stop there.  Red Hat also that a breach occurred on some of its production systems which allowed the intruder to create and sign some OpenSSH packages for Red Hat Enterprise Linux 4 and 5!  According to Red Hat:

In connection with the incident, the intruder was able to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only). As a precautionary measure, we are releasing an updated version of these packages, and have published a list of the tampered packages and how to detect them at .

At this point Red Hat does not believe that its Red Hat Network (RHN) service, through which customers download packages from Red Hat, was compromised.  As a result, they do not think the tampered packages have been widely distributed.  Let’s hope they are right.
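Detecting this kind of tampering does not come from signature verification, because the intruder used the real key; it comes from the vendor’s published list of affected packages and from knowing which key should have signed what. As an added example (not the post’s code and not Red Hat’s advisory tooling), the POSIX shell script below checks a constructed package inventory against a constructed tampered-package list and separately flags packages signed by a key that is not on the trusted list. Every package name, version string and key ID is a placeholder; the only real-world piece is the rpm query shown in the comment that produces the inventory format.

```shell
#!/bin/sh
# Added example, not from the original post or from Red Hat's advisory: check
# which installed RPMs appear on a published list of tampered packages, and
# which ones carry a signature from a key you do not expect. Every package
# name, version string and key ID below is a constructed placeholder; the
# real tampered-package list is not reproduced here.

# Constructed advisory list, one package NEVRA per line, '#' comments allowed.
TAMPERED_LIST=$(cat <<'EOF'
# constructed example list (fictitious versions), not the real advisory
openssh-4.3p2-0.example.x86_64
openssh-server-4.3p2-0.example.x86_64
EOF
)

# Key IDs whose signatures this host trusts (constructed placeholder).
TRUSTED_KEYS="00000000aaaaaaaa"

# Constructed inventory in the shape produced on a real host by:
#   rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}|%{SIGPGP:pgpsig}\n'
# (DSA-signed packages expose the same text under %{SIGGPG:pgpsig}; unsigned
# packages print "(none)").
INSTALLED=$(cat <<'EOF'
bash-3.2-0.example.x86_64|DSA/SHA1, Mon Aug 18 2008, Key ID 00000000aaaaaaaa
openssh-4.3p2-0.example.x86_64|DSA/SHA1, Wed Aug 20 2008, Key ID 00000000bbbbbbbb
openssh-clients-4.3p2-0.example.x86_64|DSA/SHA1, Mon Aug 18 2008, Key ID 00000000aaaaaaaa
localtool-1.0-1.x86_64|(none)
EOF
)

# tampered_installed LIST INVENTORY: print installed NEVRAs that are on the list.
# Comments and blank lines in LIST are ignored; matching is exact on the NEVRA.
tampered_installed() {
    printf '%s\n' "$2" | awk -F'|' -v bad="$1" '
        BEGIN {
            n = split(bad, lines, "\n")
            for (i = 1; i <= n; i++) {
                l = lines[i]; sub(/#.*/, "", l); gsub(/^[ \t]+|[ \t]+$/, "", l)
                if (l != "") tampered[l] = 1
            }
        }
        $1 in tampered { print $1 }'
}

# unexpected_signers TRUSTEDKEYS INVENTORY: print "NEVRA keyid" for every
# package whose signing key is not in the space-separated TRUSTEDKEYS,
# including unsigned packages ("(none)"). If an intruder signs with the
# vendor's real key, as described above, the signature verifies and only the
# advisory list catches it; this check covers the other case, packages signed
# by a key you never chose to trust.
unexpected_signers() {
    printf '%s\n' "$2" | awk -F'|' -v trusted="$1" '
        BEGIN { n = split(trusted, k, " "); for (i = 1; i <= n; i++) ok[tolower(k[i])] = 1 }
        {
            key = "(none)"
            if (match($2, /Key ID [0-9A-Fa-f]+/)) key = tolower(substr($2, RSTART + 7, RLENGTH - 7))
            if (!(key in ok)) print $1, key
        }'
}

# Demo run on the constructed data.
echo '# installed packages on the tampered list:'; tampered_installed "$TAMPERED_LIST" "$INSTALLED"
echo '# packages not signed by a trusted key:';   unexpected_signers "$TRUSTED_KEYS" "$INSTALLED"
```

On a real host, generate INSTALLED with the rpm query in the comment and paste the vendor’s list into TAMPERED_LIST; anything reported by the first function should be reinstalled from the updated packages the advisory points to, and anything reported by the second deserves an explanation before the host is trusted.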

The problem with this type of situation is that it is very difficult to tell the extent of the damage.  Red Hat believes it caught the intrusion quickly and rectified the situation.  But what if this had been going on for months?  It seems at least possible that other packages could have been tampered with, signed and distributed without their knowledge.  This demonstrates one of the major security problems for software vendors: how to write, maintain and distribute software securely.  By all accounts Red Hat was following good practices.  They signed all their packages with their private key so that those who downloaded them could verify their authenticity and integrity.  But when your signing server is compromised, all bets are off: a signature proves only that the holder of the key signed the package, not that the package is what the vendor intended.

Red Hat is not the first company to face such issues.  In 2004 hackers were able to steal 800 MB of source code from Cisco, leading to wide speculation about the security of its products.  A similar theft of source code occurred at Microsoft that same year.  Software vendors must be extremely vigilant in protecting their products.  One tampered package that goes unnoticed could lead to backdoors in thousands of systems.  Let’s hope that this did not occur with Red Hat.

Copyright © 2011 InfoSecStuff.com — All Rights Reserved