July 2008


Evilgrade Attacks Automatic Updates

Last week I wrote about the DNS cache poisoning vulnerability that affects nearly all vendors’ DNS implementations.  If you haven’t patched your servers yet, now would be a good time to do so.  On Monday a security research group in Argentina called Infobyte released a toolkit that uses DNS cache poisoning to fool automatic update utilities into connecting to fake servers where malicious code is installed instead.  The aptly named exploit tool contains modules to mimic the structure of automatic update utilities of such popular applications as iTunes, Java, MacOS, Winzip and many others.  Oh, and if that isn’t enough, it can also use other attack vectors such as ARP and DHCP spoofing.

When using DNS cache poisoning as an attack vector, Evilgrade starts by injecting bogus DNS information into the cache of a vulnerable name server, causing the victim’s machine to connect to a server of the hacker’s choosing.  Next, when an application like iTunes attempts to update, either automatically or manually, instead of connecting to the Apple update server it connects to a server maintained by the hacker, where malicious software is installed rather than a software update from the vendor.  Nice.  Not only doesn’t the machine get the update it expects, but it gets compromised to boot.

Given that two-thirds of the vulnerable DNS servers on the Internet have yet to be patched, this tool provides the bad guys with an easy method to infect computers.  And given that most of us rely on DNS servers managed by our ISP, there is little we can do to protect ourselves if their name servers are vulnerable.  Let’s all hope this lights a fire under the collective bottoms of DNS server administrators to get this problem resolved.

The Dark Side of Web Surfing

Not long ago, if you kept your web surfing to “reputable” sites (i.e. not pornography or gambling sites), you could be fairly certain that your machine would not be the victim of an attack from the site you visited.  But times have changed.  Just prior to the 2007 Super Bowl, the official web site of the Miami Dolphins (where the event was being hosted) was hacked.  Attackers placed malicious software on the web server that in turn attempted to compromise any client that accessed the web site.  The malicious software took advantage of several vulnerabilities in Microsoft Windows and installed a trojan downloader on vulnerable computers without the user even being aware that anything had occurred.  The trojan would then steal passwords and allow the attackers to install additional programs that could be used for a variety of nefarious purposes.

Since that time the flood gates have been opened.  This type of attack, called drive-by downloading, has become the favorite method for attacking computers and spreading malware.  In fact, these attacks have even surpassed email as the primary vector for the spread of viruses and trojans.  What makes this trend even more troubling is the number of legitimate web sites that have been compromised and used to attack the computers of people who visit these sites.  The list of organizations that have had their web sites compromised numbers in the tens of thousands and includes such names as the University of California, MySpace, the United Nations, Sony, Cambridge University Press, and even US governmental agencies.  Frequently these web site hacks coincide with major sporting events such as the Euro 2008 soccer event and the Wimbledon tennis tournament.  In both cases web sites related to these events were compromised, putting visitors to those sites at risk of infection.

According to SophosLabs:

“In 2007, SophosLabs discovered one new infected webpage
every 14 seconds. In the first six months of 2008 that figure
rose to one every five seconds, or an average of 16,173
malicious webpages every day – and 90 percent of these
webpages are on legitimate sites which have been hacked.”

Clearly you cannot assume any web site is safe to surf no matter whose name is on it.  So how do you protect yourself? First and foremost ensure that the latest browser patches are installed.  This applies whether you use Internet Explorer, Firefox, Safari or something else.  Most of these hacks take advantage of vulnerabilities in browsers.  And while you are at it make sure you have all recommended Microsoft security patches installed as well as patches for third party applications that tie into the browser such as Java, Adobe Flash and Adobe Acrobat Reader.  And just because you use a Mac doesn’t mean you are immune.  The same advice applies.  Enterprises can and should take advantage of web content filtering tools that can detect and block access to infected web sites.  Finally, awareness may be the best defense as we surf the increasingly murky waters of the World Wide Web.

The DNS Mess

This week the details of a major vulnerability in the software that runs the Domain Name System (DNS) were released to the public.  This occurred only a couple of weeks after software vendors released patches to fix the vulnerability.  This bug affects virtually every vendor’s DNS implementation, including Microsoft, Cisco and ISC just to name a few.  The details of the bug have been discussed in many places, but the long and short of it is that any DNS server that allows recursive queries (which most of them do) is subject to a cache poisoning attack.

Whenever a DNS server receives a request to resolve a host name for a client and does not have the answer cached, it will contact a root name server to find out which DNS server is authoritative for the domain being requested.  Once the DNS server has this information it will then query the authoritative name server for that domain to obtain the address of the server being requested (e.g. infosecstuff.com).  Finally, it will remember (cache) this information for a period of time in case it is requested again in the future.

The DNS vulnerability allows an attacker to make many requests to a recursive name server and spoof responses to that server so that they appear to come from a root name server, thus fooling the server into adding bogus information to its cache.  The attacker can inject his own DNS server as authoritative for any domain he chooses.  The attacked DNS server will then unwittingly provide this bogus information to clients when they request the address of hosts in the targeted domain(s).
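To make the two preceding paragraphs concrete, here is an added example (not code from the original post) that models the part of a caching resolver the attack has to get past: the resolver remembers each query it has in flight, accepts a reply only if the reply’s transaction ID, destination port, name and claimed source address all match an outstanding query, and then caches the answer until its TTL expires. The names, addresses (RFC 5737 documentation ranges) and TTLs are constructed; a real resolver performs further checks (question section, bailiwick) that this model leaves out. The `guess_space` helper shows why the fix vendors shipped, randomizing the UDP source port in addition to the 16-bit transaction ID, matters: it multiplies the number of combinations an unsolicited reply must match by tens of thousands.

```python
import random
from dataclasses import dataclass

# Constructed, simplified model of a caching resolver's reply validation.
# Names and addresses are made up; a real resolver does more than this.

@dataclass(frozen=True)
class Query:
    name: str
    txid: int        # 16-bit transaction ID chosen by the resolver
    src_port: int    # UDP source port the query left from
    server_ip: str   # upstream server the query was sent to


@dataclass(frozen=True)
class Response:
    name: str
    txid: int
    dst_port: int    # port the reply is addressed to
    src_ip: str      # address the reply claims to come from
    answer: str
    ttl: int


class Resolver:
    def __init__(self, randomize_ports, seed=1):
        self.randomize_ports = randomize_ports
        self.rng = random.Random(seed)
        self.pending = {}   # (txid, port) -> Query still waiting for a reply
        self.cache = {}     # name -> (answer, expiry time)

    def lookup(self, name, server_ip, now=0):
        """Return a cached answer, or None after sending an upstream query."""
        if name in self.cache:
            answer, expires = self.cache[name]
            if now < expires:
                return answer
            del self.cache[name]          # TTL has elapsed, ask again
        txid = self.rng.randrange(1 << 16)
        port = self.rng.randrange(1024, 1 << 16) if self.randomize_ports else 53
        self.pending[(txid, port)] = Query(name, txid, port, server_ip)
        return None

    def deliver(self, resp, now=0):
        """Accept a reply only if it matches an outstanding query exactly."""
        q = self.pending.get((resp.txid, resp.dst_port))
        if q is None or q.name != resp.name or q.server_ip != resp.src_ip:
            return False                  # unsolicited or mismatched: drop it
        del self.pending[(resp.txid, resp.dst_port)]
        self.cache[resp.name] = (resp.answer, now + resp.ttl)
        return True

    def outstanding(self):
        return list(self.pending.values())


def guess_space(randomize_ports):
    """Number of (txid, port) combinations an off-path forgery must match."""
    ports = (1 << 16) - 1024 if randomize_ports else 1
    return (1 << 16) * ports


if __name__ == "__main__":
    r = Resolver(randomize_ports=False)
    r.lookup("www.bigbank.com", "192.0.2.53")          # constructed names
    q = r.outstanding()[0]
    print("fixed port:", q.src_port, "guess space:", guess_space(False))
    print("randomized guess space:", guess_space(True))
```

With a fixed source port the only unpredictable field is the transaction ID, so a reply need only match one of 65,536 values; with port randomization the space is roughly 4.2 billion, which is what turns a practical attack into an impractical one. Cache expiry is modelled too: once the TTL passes, `lookup` returns `None` and re-queries, which is the moment a resolver is exposed again.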

What is the practical effect of this vulnerability?  An attacker could convince an ISP’s name server, for example, that the authoritative DNS server for bigbank.com is the attacker’s machine rather than the actual DNS server for bigbank.com.  Then when you attempt to access your bank account at www.bigbank.com, you will actually be sent to the hacker’s fake bank site (that looks like www.bigbank.com), where you will happily hand over your account credentials to the hacker.  You can guess what happens next.

There is not much that home users can do to protect themselves.  This is a problem for system and network administrators.  Fortunately, patches are available.  If you are responsible for a DNS server, install the patch immediately.  If you manage the IT staff at a company, make sure they have a plan to install the patch.  This is one you don’t want to put on the back burner.

Losing the Patching Game

In my last article I wrote about the need to keep systems up-to-date with the latest security patches from software vendors. This includes not only operating system patches, but patches for third party applications as well.  I have only three computers at my home and at times I find it daunting to keep up with all the patches that need to be applied on a regular basis.  And I’m a security professional with many years of system administration experience.  I imagine that the average computer user has neither the time nor the patience for such matters.  He just wants to use his computer and not worry about such mundane tasks as patch management.  Nor should he have to.

Even if we all acted responsibly and diligently scoured all the security web sites for vulnerability information and proactively installed security patches in a timely manner, we still would have systems getting compromised.  This is because the process of patching flawed software is a little like playing a game of whack-a-mole: by the time one patch is released and installed to fix a vulnerability, another vulnerability has been discovered.  And the time between vulnerability notification and exploit release has decreased dramatically over the last few years.  Estimates vary, but it is safe to say that exploits are typically available within days of the announcement of a vulnerability while it often takes weeks for patches to become available.  And this does not even take into account zero-day exploits for which no patch is available.   The end result is a never ending cycle of software updates that most home users can’t possibly manage.  For that matter, most enterprises don’t do a very good job of patch management either.

So what is the solution?  The long term answer is that software vendors need to enforce secure coding practices in their SDLC (software development life cycle).  Right now there is very little financial incentive for them to do so because we have no legal recourse to damages that occur due to vulnerable software.  If this were to change and vendors could be held legally liable for damages resulting from software vulnerabilities, manufacturers would go to much greater lengths to ensure their software was developed with proper controls in place to minimize security vulnerabilities.

In the meantime, keep applying those patches.  Install host-based firewalls and host intrusion prevention software if possible.  And vote with your pocketbook by patronizing companies with good track records of writing secure code while rejecting those that do not.

The Patching Game

A new study released last week by the SANS Institute’s Internet Storm Center found that an unpatched computer running Windows XP will be compromised in under 5 minutes if directly connected to the Internet. German PhD candidate and co-founder of the German Honeynet Project, Thorsten Holz, found during his tests that it takes closer to 16 hours for an unpatched PC running Windows to be compromised. In either case, this is bad news.

One could argue with their methodologies, and in fact the conclusions aren’t all that surprising given the configuration of the PCs. First, the PCs were installed with Windows XP without any service packs or security updates. That basically makes the system equivalent to a system installed in 2001, since that is when Windows XP was first released. During the past 7 years numerous worms have been written that take advantage of the vulnerabilities in Windows XP, including Sasser, Bagle and Blaster just to name a few. There is little doubt that it is one of these worms that is compromising unpatched systems.

The second issue contributing to the quick compromise of the systems in this study is the fact that they are directly connected to the Internet. This means there is no firewall in front of them to protect them from the worm attacks. This certainly is rare in corporate environments and even in many homes. Nearly all companies use firewalls today as do many home users. Doing so provides a level of protection from infected hosts attempting to worm their way into other vulnerable systems.

It seems clear that patching is an absolute necessity in today’s world. If managing an enterprise network, use patch management tools to keep the systems patched. Home users should take advantage of Windows Automatic Update. Enabling this feature will ensure the PC downloads the latest operating system security patches when they are released and will help keep it safe from many of the threats on the Internet today. But don’t stop there: every application installed on the computer must also be kept up-to-date on patches, because vulnerabilities in third party applications can also lead to system compromise. This includes applications such as Adobe Acrobat Reader, Microsoft Office, Java, IM clients, Skype, and any other software installed on the machine. Attackers are increasingly targeting these applications as vulnerabilities in Windows are getting harder to find and even harder to exploit.

Sounds like a lot of work, doesn’t it?  Well, it is. And in my next article I will discuss why this model of patch and pray is flawed.

Phishing for Fun and Profit

In my last article I discussed the malicious nature of spam email and how it is frequently used to install malware on unsuspecting email users. Today I will discuss a specific type of email threat that is related to spam, but more insidious. Phishing is a technique used by spammers whereby they send an email that appears to be from a particular business, usually a financial institution. The email will often instruct the recipient to login to their financial institution’s web site and provide account information such as username, password, PIN numbers and other sensitive information. Of course, once this information is disclosed it will be used by criminals to obtain funds from the victim’s account.

Phishing emails are effective because they often include graphics that mimic the logos and graphics used by the actual financial institution. They also frequently include links with deceptive URLs that take you to the scam web site. The URL may appear to be legitimate, but is actually masking the true address of the web site which belongs to criminals. Below is an example of a phishing email that demonstrates these techniques:

A more recent scam that takes phishing to the next level is called spear phishing. These emails use the same techniques as phishing, but they target a much narrower audience. Instead of sending the email to millions of people and hoping that some small percentage of people fall into the trap, spear phishers gather the email addresses of specific people and send very customized emails to them. These emails may include personal information, giving them additional legitimacy. One recent spear phishing attack targeted executive management at a number of large companies and appeared to be from the Better Business Bureau. It advised them that they had been reported to the BBB and should click on a link in the email to address the issue. Of course the link took them to a scam web site that attempted to infect their systems with malware.

There are steps you can take to protect yourself from phishing attacks:

1) Many anti-virus and anti-spyware programs can protect you from phishing attacks. Always run these types of security software and ensure they stay up-to-date.
2) Most businesses (especially banks) will never send you an email asking for personal information such as account numbers, SSNs, etc. If you receive such an email, contact your financial institution to verify the email and/or report the incident. They have staff trained to handle such incidents.
3) Be suspicious of any email claiming that your account will be closed if you do not respond within a certain period of time (e.g. 48 hours). This is a very common technique used by phishers and should alert you to the fraudulent nature of the email.
4) Frequently phishing emails will use vague terms when addressing you such as “valued customer” rather than your actual name due to the bulk nature of the email.
5) Verify that any link contained in the email is not actually masking a hidden IP address or web site. This can be done by mousing over the link (do not click on the link) and verifying that the destination is the same as it appears in the email. Also ensure that the domain name is correct and has not been altered (e.g. payepal.com instead of paypal.com).
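The mouse-over check in step 5 can be automated for a whole message. The following is an added example, not code from the original post or from any mail product: it extracts every link from an HTML email body, then flags links whose target is a raw IP address, whose visible text names a different domain than the one the link actually goes to, or whose domain is not the institution’s expected domain (catching look-alikes such as payepal.com). The sample email body and the expected domain `paypal.com` are constructed for the demonstration; the registrable-domain helper is a deliberate “last two labels” approximation, which is wrong for suffixes such as co.uk and would be replaced by a public-suffix list in production.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


# A domain-looking token inside the link text, e.g. "www.paypal.com" in
# "log in to www.paypal.com" (optional scheme, then dotted labels).
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.I)


def registrable(host):
    """Crude approximation of the registrable domain: the last two labels."""
    return ".".join(host.lower().split(".")[-2:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_links(html, expected_domain):
    """Return [(href, text, [reasons])] for every link that fails a check."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not href.lower().startswith(("http://", "https://")):
            continue                      # mailto:, anchors, etc. are out of scope
        host = (urlparse(href).hostname or "").lower()
        if not host:
            continue
        reasons = []
        if is_ip_literal(host):
            reasons.append("link points at a raw IP address")
        elif registrable(host) != expected_domain.lower():
            reasons.append(f"domain {registrable(host)} is not {expected_domain}")
        shown = DOMAIN_IN_TEXT.search(text)
        if shown and registrable(shown.group(1)) != registrable(host):
            reasons.append(f"visible text says {shown.group(1).lower()} but link goes to {host}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample body showing the tell-tale signs listed above.
SAMPLE_EMAIL = """
<p>Dear valued customer,</p>
<p>Your account will be closed in 48 hours unless you
<a href="http://www.payepal.com/login">https://www.paypal.com/login</a>.</p>
<p>Or use <a href="http://203.0.113.10/update">our secure site</a>.</p>
<p>Help: <a href="https://www.paypal.com/help">www.paypal.com/help</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in check_links(SAMPLE_EMAIL, "paypal.com"):
        print(href, "->", "; ".join(reasons))
```

Run against the sample, the first two links are reported (look-alike domain with mismatched visible text, and a raw IP address) while the genuine help link passes. The same three checks are what a person does by eye when hovering over a link; encoding them is useful for mail-gateway triage or for training material where you want a consistent, explainable verdict.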

Copyright © 2011 InfoSecStuff.com — All Rights Reserved