The Anonymous ‘Movement’?

I’ve been reading way too much of this garbage on the Internet lately, and it is starting to stick in my craw.  Crap like this.  It seems that everyone has accepted that the hacking group Anonymous is above the law, and has some special insight that makes them a voice of reason.  21st century Robin Hoods.  I hope that this is just the result of sensational journalism, and not what people are really believing.

“The beginning years have intensified their activities demonstrating great technical skills.”

No, what it has demonstrated is a disregard for your privacy, a lack of moral fiber, a little too much technical knowledge, and the patience that is common in a good criminal.

“As always, the movement gives voice to social dissent and protest against amendments and decisions of governments guilty of not listening to the masses.”

The Movement?  What bloody movement?  This is a bunch of self-entitled, self-indulgent, egotistical miscreants that are incapable of operating within the confines of the law or the rules of society.  These are people that have an abundance of tools, have found cracks in programs and protocols, and are taking advantage of those flaws.  They are no more a movement than the clowns that walk into a bank with a note in one hand and a formidable-looking pocket in the other.

New Exploits Released For SCADA Systems

Wired reports that a group of researchers have discovered serious security holes in 6 of the top industrial control systems used in critical infrastructure and manufacturing facilities.  They have also made it easier for hackers to attack systems before they can be patched or otherwise remediated.  They’ve packaged up the exploits in nice little modules for the Metasploit tool so that any script-kiddie or organized crime team can just point and click.

The vulnerabilities exist in programmable logic controllers made by GE, Rockwell, Schneider Modicon, Koyo Electronics and Schweitzer Engineering Laboratories.  Apparently, the SCADA vendors were not quick enough for the researchers’ liking to acknowledge the vulnerabilities or release patches.  PLCs are used in industrial control systems to control functions in critical infrastructure such as water, power and chemical plants, gas pipelines, nuclear, and manufacturing facilities.

The various vulnerabilities provide backdoors, as well as authentication and encryption by-passes that could allow attackers to gain access to systems, and the ability to send malicious commands in order to crash, halt, and interfere with specific critical processes, such as the opening and closing of valves.

Nice…  Time to examine your SCADA environments and mitigate these vulnerabilities ASAP, and start elevated monitoring.  I don’t believe that this is the way to move vendors forward, but that is just me I suppose.  What do I know?  I wonder if there are any good litigation lawyers out there that might want to monitor the exploitation of some critical infrastructure and take action against those who provide such tools to the masses when harm is done to the public?

Quick Follow-up – Symantec Source Code

Just a quick note to share the updated intel from a previous post: it would appear that Symantec has come clean, and the hacker that claimed to have Symantec’s Norton Anti-Virus source code, and threatened to release it, did indeed have it.  However, it is old code, not the source code from the current version.  The source code that was exposed was for Symantec Endpoint Protection 11.0, used to prevent outgoing data from being leaked.  It was four years old and had been updated regularly.  The source code for Symantec Antivirus 10.2 is five years old, and has been discontinued and no longer on sale for some time, although it is still being serviced and used.

It does make the current product somewhat suspect in my opinion, until Symantec has had a chance to rewrite and release a completely new version.  Having the source code for an application makes it simple to write exploit code to take advantage of the app, to silently turn it off, or to make it do some unexpected things.  The limit is your imagination, really, since A/V software runs so close to the kernel, and has so many privileged hooks.

I can’t say that I’m too happy about this.  I am very surprised that the source code was allowed to languish on a 3rd party server belonging to Indian Military Intelligence.  If you are using either of Symantec’s products, I would suggest you upgrade to the latest version, and pressure the vendor to release a new version that they guarantee is not based on this compromised code-base.

http://news.cnet.com/8301-1009_3-57353814-83/that-stolen-symantec-source-code-its-for-older-enterprise-products/

Amnesty International Serving Malware

Amnesty International’s homepage in the United Kingdom is currently serving malware that exploits a recently-patched vulnerability in Java. The attack appears to be part of a malicious scheme to target human rights workers.  Krebs’ blog reports that the site’s home page has been booby-trapped with code that pulls a malicious script from what appears to be a hacked automobile site in Brazil.

The auto site serves up a malicious Java applet that uses a public exploit to attack a fairly new Java flaw. The applet in turn retrieves an executable file detected by Sophos antivirus as Trojan Spy-XR, a malware variant first spotted in June 2011.  This Trojan provides remote access connectivity handling, Denial of Service (DoS) or Distributed DoS (DDoS) capabilities, keyboard input capture, file or object deletion, and process termination to get rid of those pesky endpoint security controls.

Adobe 0-Day Patches Released

There have been reports of two critical vulnerabilities being actively exploited in targeted attacks against Adobe Reader 9.x on Windows.  These vulnerabilities could cause a crash and may allow an attacker to take control of the affected system.

Today’s updates address these vulnerabilities in Adobe Reader and Acrobat 9.x for Windows.  Version X has protected mode available that prevents this type of attack.  Adobe recommends users of Adobe Reader 9.4.6 and earlier 9.x versions for Windows update to Adobe Reader 9.4.7. Adobe recommends users of Adobe Acrobat 9.4.6 and earlier 9.x versions for Windows update to Adobe Acrobat 9.4.7.

http://www.adobe.com/support/security/bulletins/apsb11-30.html

Adobe “PIDIEF” 0-Day

On December 6, Adobe announced that a zero-day vulnerability in all supported versions of Adobe Acrobat and Reader is being exploited in the wild.  No patch is currently available.  Apparently, Lockheed Martin reported the issue, indicating this may have been used in an attack on the defense technology company.  Targeted attacks were reported in the first week of November, so this one has been active a while.

The vulnerability is being exploited in the wild through PDF attachments to e-mails containing what Symantec is calling “Pidief“, listed as a family of Trojans that drop or download additional malware on to a compromised computer.  The malware agent is reportedly dropping “Sykipot” once initially compromised, providing a backdoor into the system for remote control.

Adobe expects to have a patch released for Reader and Acrobat 9 by the week of December 12, and will update Reader/Acrobat X as part of its regular quarterly patch cycle on January 10th, 2012.  Adobe recommends that, in the meantime, users rely on Reader and Acrobat X’s protected mode or sand-box capabilities for protection.

  • Exercise extreme caution when handling PDF files.  Any PDF email attachments should be treated suspiciously. Email attachments are a common vector for targeted attacks with this kind of vulnerability.
  • Instruct users to use extreme caution when opening PDF files from unknown or untrusted sources, especially email attachments.
  • Upgrade to Adobe Reader X and Adobe Acrobat X, which provide a built-in sand-box enabled by default.
  • Apply the patch from Adobe as soon as it becomes available.

Carrier-IQ SmartPhone Monitoring Analysis

I am sure that everyone who reads this has already heard that there is a big kerfuffle raging over the potential monitoring and eavesdropping of smartphone-based phone calls and text messages, and even claims of keystroke logging.

According to Dan Rosenberg’s blog, he has done some detailed analysis on the software, and has found the following to be true on his Samsung handset:

  • CarrierIQ (on his particular phone) can record which dialer buttons are pressed, in order to determine the destination of a phone call.
  • CarrierIQ cannot record any other keystrokes besides those that occur using the dialer.
  • CarrierIQ cannot record SMS text bodies, the contents of web pages, or email contents, even if carriers and handset manufacturers wished to.  There is simply no “metric” designed to carry this information.
  • CarrierIQ (on this particular phone) can report GPS location data in some situations.
  • CarrierIQ can record the URLs that are being visited (including for HTTPS resources), but not the contents of those pages or other HTTP data.

Duqu Using Zero-Day To Spread

Symantec reports that the group that originally uncovered the Duqu malware binaries has located an installer for the threat.  No one had been able to recover the installer as it would delete itself after attempting infection, so it was unclear how Duqu was infecting systems.

The installer file is apparently a legitimate Microsoft Word document (.doc) that exploits a previously unknown kernel vulnerability in Windows, allowing code execution.  The Word document is targeted towards the intended receiving organization, and the shell-code only installs during a specific time window.

Microsoft is currently working on a patch and advisory for release ASAP.  When the Word file is opened, the exploit executes and installs the main Duqu binaries.  The chart below from Symantec’s website explains how the exploit in the Word document file eventually leads to the installation of Duqu.

MySQL Site Serves Malware

InfoWorld is reporting that hackers have compromised the website hosting Oracle’s open-source MySQL database management system.  It was serving up malware today, silently infecting vulnerable browsers and plug-ins.  MySQL.com was infected with “mwjs159”, a type of drive-by malware.  People visiting the site were being redirected to a site that installs malware using code from the “Blackhole exploit kit”.

Compromised visitors don’t need to click or agree to anything, simply visiting mysql.com with a vulnerable browsing platform will result in an infection.

Shady RAT Follow-up

McAfee’s Dmitri Alperovitch has said that he “divides the entire set of Fortune Global 2000 firms into two categories: those that know they’ve been compromised and those that don’t yet know,” regarding the Operation Shady RAT compromises.  The recent report named only a few of the 72 organizations known to have been targeted by the attackers.  McAfee has notified all 72 organizations of the intrusions, but has also said that the analyzed logs date back only to 2006, allowing the possibility that there were previous compromises with evidence unavailable to them.  There has also been evidence of intrusions into many other networks found in the logs, but in insufficient quantity to accurately identify the targets.

So, what can you do to determine if your company has been one of the mystery targets?  Security vendor Seculert has provided a simple, web-based tool to check if your computer has been in contact with the Shady Rat Command & Control server.  You can only check one IP at a time, and a negative result means only that that one particular computer hasn’t been in contact.  If it’s positive, the tool will tell you how many times it communicated with the C&C server, and when it did so for the first time.  That is sufficient information to begin a forensic audit and incident response cycle.
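The same check can be run offline against your own firewall or proxy logs, covering every host at once rather than one IP at a time. The script below is an added example, not the Seculert tool or code from the original post; the C&C address and the log lines in it are constructed placeholders, and the log format is an assumed simple one.

```python
"""Offline check of outbound connection logs against a C&C indicator list.

Added example, not the Seculert tool or any code from the original post.
The C&C address and the log lines below are constructed placeholders.
"""
from collections import defaultdict
from datetime import datetime

# Placeholder indicator; substitute the real C&C address from your threat intel.
CNC_INDICATORS = {"203.0.113.45"}

# Constructed sample of firewall/proxy log lines: "<timestamp> <src_ip> -> <dst_ip>:<port>"
SAMPLE_LOG = """\
2011-07-01T09:15:02 10.1.4.22 -> 93.184.216.34:443
2011-07-01T09:16:40 10.1.4.22 -> 203.0.113.45:80
2011-07-02T11:02:13 10.1.7.9 -> 203.0.113.45:443
2011-07-03T08:00:59 10.1.4.22 -> 203.0.113.45:80
2011-07-03T08:01:10 10.1.9.3 -> 198.51.100.7:80
"""

def parse_line(line):
    """Return (timestamp, src_ip, dst_ip) or None for a malformed line."""
    try:
        ts_str, src, _, dst_port = line.split()
        return datetime.fromisoformat(ts_str), src, dst_port.rsplit(":", 1)[0]
    except ValueError:
        return None

def find_cnc_contacts(log_text, indicators=CNC_INDICATORS):
    """Per source host: number of contacts with a C&C indicator and first-seen time.

    Mirrors what the web tool reports (contact count and first contact), but
    for every host in the log in one pass."""
    contacts = defaultdict(lambda: {"count": 0, "first_seen": None})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst = parsed
        if dst not in indicators:
            continue
        entry = contacts[src]
        entry["count"] += 1
        if entry["first_seen"] is None or ts < entry["first_seen"]:
            entry["first_seen"] = ts
    # A host absent from the result only means this log shows no contact,
    # not that the host is clean (same caveat as a negative result from the tool).
    return dict(contacts)

if __name__ == "__main__":
    for host, info in find_cnc_contacts(SAMPLE_LOG).items():
        print(f"{host}: {info['count']} contact(s), first seen {info['first_seen'].isoformat()}")
```

Hosts that show up here are the starting point for the forensic audit; the first-seen time bounds how far back the investigation needs to look.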

According to Computerworld, the C&C server involved in these attacks is still online, and the logs remain accessible.  It is located in the US, and since the authorities have been notified and will be taking an interest in this case, it is impossible to tell for how long it will remain available.