InfoSec News

Apple's workaround for an iOS 4 Exchange synchronization issue could improve performance for some users, but a more complete fix is necessary to solve the problem, an expert said Thursday. Such a fix could be on the way.
 
Dell's pending acquisition of Scalent will bring it data center virtualization management software.
 
Google has reached an agreement to buy ITA Software, a maker of air travel flight-information software whose customers include major airlines and online travel agencies.
 
EMC today announced it is shuttering its Atmos Online storage service and it will not offer any guarantees that anyone who has already stored data through the hosted service will be able to retrieve it in the future.
 
We are bombarded daily with ads about products, white papers, publications, seminars, workshops, market projections and more focused on cloud computing. But if you analyze these messages you reach the conclusion there are many ambiguities and only a few emerging concrete terms.
 
Author Ben Mezrich talked about social networking and his book about Facebook before a keynote audience at the Cisco Live! user conference Thursday.
 
Google has agreed to buy ITA Software, a maker of air travel flight-information software whose customers include major airlines and online travel agencies.
 
Yesterday's post about the Boxee bookmarklet got me thinking about other bookmarklets I love. The first one that popped into my head: GrooveSelect.
 
IBM strikes a deal with Roche to commercialize technology to read genomes.
 
Chalk up a huge win for Firefox in the war against Microsoft’s Internet Explorer – IBM is telling all of its 400,000 employees to make Firefox their default Web browser.
 
The federal government's increasing use of cloud computing services could lead to new data security risks, with agencies compelled to put their trust in vendors' security efforts, several lawmakers and a government IT expert said.
 
The uproar over the new iPhone's reception problems is much ado about nothing, an antenna expert said today.
 
Hewlett-Packard finalized its acquisition of Palm and confirmed it will use the company's WebOS in future tablets and netbooks.
 
A U.S. congressman is set to propose a federal law that would put warning labels on cell phones, just as San Francisco nears enacting an ordinance that would require retailers to post information about cell phone radiation.
 
Gartner has dropped its 2010 IT spending forecast, citing currency fluctuations caused by the European debt crisis.
 
Microsoft's Internet Explorer Web browser turned things around last month, boosting its usage share by a record amount, according to Web analytics firm Net Applications.
 
-- Bojan INFIGO IS (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
BigFix provides IBM with software that can identify devices that fail to meet corporate IT policies.


 
As PC makers expand their lines to include 3D laptops, analysts say these offerings are likely to interest mostly gamers, with broad adoption stymied by a dearth of content, hardware limitations and hefty prices.
 
A survey of 1,165 IT decision makers showed that while storage utilization rates remain low, the amount of data storage capacity is expected to almost double over the next five years.
 
The wrong program opens when Marvin double-clicks a .docx file. He asked the Answer Line forum how to fix this.
 
Cisco System's Cius business tablet has raised questions over how it will be used, especially when compared with the larger-screen Apple iPad.
 
These five tools are a good start if you're seeking work-friendly apps for your Android smartphone.
 
IBM announced plans to buy systems management software vendor BigFix for an undisclosed sum.
 
Key questions answered about the U.S. Consumer Product Safety Commission's recall of Sony Vaio laptops.
 

Two infosec blunders that betrayed the Russian spy ring
Register
Here we present their two most glaring infosec failings. Anna Chapman and her UN-based Russian government handler allegedly held ten meetings around ...

 
 
Mobile phone technology vendor Qualcomm plans to offer an augmented reality platform and software development kit, the company said at its Uplinq conference.
 
Google rolled out changes to its News page that give users more ways to customize the kinds of headlines they see and easier ways to share stories on social networks.
 
Just six days after the iPhone 4's launch, a pair of Maryland residents sued Apple and AT&T, alleging that the smartphone's defective antenna design drops calls and can't hold a strong signal.
 
Who's on your summer reading list -- Randy Pausch? Malcolm Gladwell? Take a cue from IT types this summer and crack open a good book -- or fire up an e-reader.
 
The status of Google's China-based website, Google.cn, remains in limbo as the search engine giant waits to see if China will renew the company's operating license.
 
President Obama's approach to IT spending showed its teeth this week in a decision to end new spending on about 30 financial systems that cost about $3 billion in annual development.
 
A team of MIT researchers has developed technology that they say not only will make the Internet 100 to 1,000 times faster, but could also make high-speed data access a lot cheaper.
 
InfoSec News: A secure fort?: http://metrospirit.com/index.php?cat=1211101074307265&ShowArticle_ID=11012906100513920
By Corey Pein Metro Spirit Issue #21.49 06/30/2010 - 07/06/2010
Following this month's arrest of a Keysville man carrying two "flash-bang" grenades and other devices onto Fort Gordon, the Metro [...]
 
InfoSec News: Medical diagnoses for 130,000 people vanish into thin air: http://www.theregister.co.uk/2010/06/30/patient_data_exposed/
By Dan Goodin in San Francisco The Register 30th June 2010
New York-based Lincoln Medical and Mental Health Center has become one of the latest medical providers to expose highly sensitive patient data [...]
 
InfoSec News: Microsoft: 10,000 PCs hit with new Windows XP zero-day attack: http://www.computerworld.com/s/article/9178768/Microsoft_10_000_PCs_hit_with_new_Windows_XP_zero_day_attack
By Robert McMillan IDG News Service June 30, 2010
Nearly a month after a Google engineer released details of a new Windows XP flaw, criminals have dramatically ramped up online attacks that leverage the bug.
Microsoft reported Wednesday that it has now logged more than 10,000 attacks. "At first, we only saw legitimate researchers testing innocuous proof-of-concepts. Then, early on June 15th, the first real public exploits emerged," Microsoft said in a blog posting.
"Those initial exploits were targeted and fairly limited. In the past week, however, attacks have picked up."
The attacks, which are being launched from malicious Web pages, are concentrated in the U.S., Russia, Portugal, Germany and Brazil, Microsoft said.
PCs based in Russia and Portugal, in particular, are seeing a very high concentration of these attacks, Microsoft said.
[...]
 
InfoSec News: Big security lapses make Mideast firms easy prey: http://gulfnews.com/business/technology/big-security-lapses-make-mideast-firms-easy-prey-1.648615
By Arno Maierbrugger Deputy Business Editor Gulf News July 1, 2010
Dubai: It takes nothing more than a simple Google search and the use of an appropriate keyword string to get access to the web server of some of the largest companies in the Middle East, a recent trial of German web hacking experts has shown.
They said they were able to access web servers of the world's largest oil exploration company, Saudi Aramco, of the Pearl Qatar development and several other regional company networks.
According to a member of the German hacker community, who informed Gulf News but understandably does not want to have his name published, Aramco's "poorly secured" web server is "like an open book" for those who conduct a specially crafted search query to reach file directories. The web specialists were able to access and download confidential documents such as technical drawings, detailed information on oil rigs and even blueprints of the infrastructure, fire protection system and communication network of the world's largest oil field, Al Ghawar. Some of the downloaded documents can be viewed on the hackers' website.
[...]
 
InfoSec News: Russian spy ring needed some serious IT help: http://www.networkworld.com/news/2010/063010-russian-spy-ring.html
By Tim Greene Network World June 30, 2010
The Russian ring charged this week with spying on the United States faced some of the common security problems that plague many companies -- [...]
 
InfoSec News: Lack of Security Focus Puts SMBs In Harm's Way: http://www.darkreading.com/smb-security/security/management/showArticle.jhtml?articleID=225701975
By Robert Lemos Contributing Writer DarkReading June 30, 2010
Demolition firm Ferma nearly failed because its employees lacked a proper security policy. [...]
 
InfoSec News: Laptop with personal data of 24,000 people is stolen: http://news.bbc.co.uk/2/hi/england/humberside/10453067.stm
BBC News 29 June 2010
More than 24,000 people in Hull and Leicester have had information about them stolen, it has been revealed.
Training company A4e said the data was held on a personal computer of an [...]
 
InfoSec News: China nears 800 million mobile phone subscribers: http://www.mis-asia.com/news/articles/china-nears-800-million-mobile-phone-subscribers
By Dan Nystedt MIS ASIA 30 June 2010
TAIPEI - The number of mobile phone subscribers in China reached 796 million as of the end of May, while 3G subscriber numbers have almost [...]
 
In this diary I will continue with the analysis of the PHP script that the RogueAV guys use on their frontend web servers. You can read the first diary at http://isc.sans.edu/diary.html?storyid=9085.
Now that we understand how the poisoning of search engines works, we can look at some specifics of the PHP script that the attackers use. As I said in the first diary, the script was obfuscated, but it was still possible to understand what they are doing. The code snippets I show in this and the next diaries were beautified and made easier to read by me.
Infecting the whole site


Once the site has been compromised, the attackers install their script in any directory, preferably in a directory that is not accessible directly from the web since they will not need to access it directly.

The attackers' next step is to infect all (and I mean all!) PHP files on the compromised web site. If it is a shared web site and the permissions are not set up correctly, they will actually infect every web site hosted on that machine.
The infection consists of inserting one line at the beginning of every PHP file, as seen below:

This line (which I deliberately shortened) contains a small PHP script that is simply Base64 encoded. So, whenever any web page on the compromised web site is accessed, the attackers' PHP script gets executed first! Below is the decoded script:

The decoded part shows what the attackers do:

If the global msfn variable is not set and the ob_start function exists (it is a standard PHP function), the following code gets executed.
The global variable is set to point to the master PHP script (the one we are discussing, called style.css.php in this example). Notice that it can be anywhere on the disk as long as the Apache process has access to it.
If the file exists, it is included. This causes the master PHP script to execute and do the main processing. I'll cover this execution process in subsequent diaries.
If the master PHP script ran correctly, it will have defined the functions gml and dgobh so the last line can execute. This is the part that actually displays the original web site and, if needed, appends the links for search engines that I covered in the previous diary.

This way the attackers made sure that their script will execute whenever any other PHP script on the compromised web site is accessed. This gives them unlimited freedom in using different URLs, both for poisoning search engines and for redirecting users to the sites serving RogueAV (or any other malware). Cleaning a web site after such an infection is not too difficult: all you have to do is remove the first line. But as with any infection or compromise, I would recommend that you restore the files from backups (you do make them, right?).
If you wonder how the attackers insert this line into every single PHP file, the answer is simple: a special function in the master PHP script takes care of this. It recursively traverses all directories, finds any PHP files and, if it can modify them, inserts the line at the beginning. Once the attacker installs the master PHP script (style.css.php), all they have to do is call the script with the proper parameter, as you can see in the screenshot below:

This interface is password protected, so you cannot access it directly without authenticating first. For those curious, there is also a function that cleans the whole site (parameter dgr=1, probably short for "remove"), but access to it is likewise password protected.
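A defender's first question after reading the above is how to find the injected line across a web root. The scanner below is an added example written for this diary, not the diary's or ISC's own code: it reads only the first line of every .php file, looks for a Base64 literal handed to base64_decode(), decodes it, and reports which of the tokens the diary mentions (msfn, ob_start, include, style.css.php) appear in the decoded text. The regular expression, the indicator list and the inert sample stub are all assumptions made for illustration; the sample web root is constructed in a temporary directory so the script runs offline.

```python
"""Detect (and optionally strip) a Base64-wrapped stub injected as the
first line of PHP files, the infection pattern the diary describes.
Added example, not the diary's or ISC's code. The regex, the indicator
list and the sample payload are assumptions made for illustration."""
import base64
import os
import re
import tempfile

# A Base64 literal passed to base64_decode() somewhere on the first line.
B64_CALL = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]{20,})['\"]\s*\)")

# Tokens the diary says the decoded stub uses; assumed, not page signatures.
INDICATORS = ("msfn", "ob_start", "include", "style.css.php")

# Constructed, inert stand-in for the decoded stub: it only sets the global
# the diary mentions and never includes or evaluates anything.
SAMPLE_STUB = ("if(!isset($GLOBALS['msfn'])&&function_exists('ob_start'))"
               "{$GLOBALS['msfn']='/var/tmp/style.css.php';}")
ORIGINAL = "<?php\necho 'hello';\n"  # constructed legitimate file body


def decode_first_line(first_line):
    """Return the decoded payload if the line wraps a Base64 literal, else None."""
    m = B64_CALL.search(first_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def inspect_file(path):
    """Return a finding for an infected file, or None for a clean one."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        decoded = decode_first_line(fh.readline())
    if decoded is None:
        return None
    return {"path": path, "decoded": decoded,
            "indicators": [tok for tok in INDICATORS if tok in decoded]}


def scan_tree(root):
    """Walk a web root and collect findings for every .php file."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            if name.lower().endswith(".php"):
                finding = inspect_file(os.path.join(dirpath, name))
                if finding:
                    findings.append(finding)
    return findings


def remove_injected_line(path, apply=False):
    """Strip the injected first line. Dry run unless apply=True; the diary's
    advice to restore from a known-good backup still applies."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        lines = fh.readlines()
    if not lines or decode_first_line(lines[0]) is None:
        return False
    if apply:
        with open(path, "w", encoding="utf-8") as fh:
            fh.writelines(lines[1:])
    return True


def build_sample_site():
    """Create a temp web root with one infected and one clean PHP file (constructed)."""
    root = tempfile.mkdtemp(prefix="phpscan_")
    b64 = base64.b64encode(SAMPLE_STUB.encode()).decode()
    injected = f"<?php eval(base64_decode('{b64}')); ?>\n"
    os.makedirs(os.path.join(root, "inc"))
    infected = os.path.join(root, "index.php")
    clean = os.path.join(root, "inc", "clean.php")
    with open(infected, "w", encoding="utf-8") as fh:
        fh.write(injected + ORIGINAL)
    with open(clean, "w", encoding="utf-8") as fh:
        fh.write(ORIGINAL)
    return root, infected, clean


def read_text(path):
    """Helper so callers can compare a cleaned file with its original body."""
    with open(path, encoding="utf-8") as fh:
        return fh.read()


if __name__ == "__main__":
    site_root, _, _ = build_sample_site()
    for f in scan_tree(site_root):
        print(f["path"], "indicators:", f["indicators"])
        print("  decoded:", f["decoded"][:80])
```

Run it against a real document root by replacing build_sample_site() with the path to scan; keep remove_injected_line() in dry-run mode until the findings have been reviewed, and treat any hit as a reason to restore from backup rather than as the end of the clean-up, since the master script itself lives elsewhere on the disk.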
Scared of other attackers?


The master PHP script consists of dozens of functions that take care of various tasks. Today I will cover the first couple of lines that get executed as they are relatively interesting. You can see the PHP code below:

This code does something interesting. It takes the contents of the $_GET, $_POST and $_COOKIE superglobals, which hold the request parameters and (of course) the contents of the cookie. Then the code shuffles the content a bit, converts it all to lower case and performs urldecode on it. This normalizes the content (for example, %61 is converted to a lower case a).
Finally, the code compares this content against the strings in line 12: 'base64','user_pass','substring(','or id=','eval(','nutch','_users','union all','mid('. If any of these matches, the script exits immediately!
This is interesting, as it appears that the author of the script tried to implement a very simple intrusion detection system: notice how the list contains SQL injection strings and fragments of PHP code. This does not make a lot of sense (especially the SQL injection matching), since the master PHP script, for example, does not use a database at all, so I wonder if this was part of another program that the author simply reused.
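To see what that filter actually catches, here is a Python re-creation of the logic as the diary describes it (merge the parameters and cookie values, lowercase, urldecode once, exit on a blocklisted fragment). This is an added example, not the script's own code: the nine fragments are the ones the diary quotes, the request values are constructed, and the "canonical" variant is an assumed hardened alternative that decodes until the text stops changing before case-folding, which is the order a real input filter should use.

```python
"""Python re-creation of the input filter the diary describes: merge the
request parameters and cookies, lowercase, urldecode once, and abort if any
blocklisted fragment appears. Added example, not the script's own code.
The fragment list is the one quoted in the diary; request values are
constructed; normalize_canonical is an assumed hardened alternative."""
from urllib.parse import unquote

# The nine fragments the diary quotes from line 12 of the script.
BLOCKLIST = ("base64", "user_pass", "substring(", "or id=", "eval(",
             "nutch", "_users", "union all", "mid(")


def flatten(get, post, cookie):
    """Join every key and value from the three sources into one text blob."""
    parts = []
    for source in (get, post, cookie):
        for key, value in source.items():
            parts.append(str(key))
            parts.append(str(value))
    return "\n".join(parts)


def normalize_as_described(text):
    """The diary's order: lowercase first, then a single urldecode."""
    return unquote(text.lower())


def normalize_canonical(text, max_rounds=5):
    """Hardened variant: decode until the text stops changing, then case-fold,
    so nested encodings compare in one canonical form."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text.lower()


def matched_fragment(get, post, cookie, normalize=normalize_as_described):
    """Return the first blocklisted fragment found, or None if the request passes."""
    text = normalize(flatten(get, post, cookie))
    for fragment in BLOCKLIST:
        if fragment in text:
            return fragment
    return None


if __name__ == "__main__":
    # Constructed requests: a benign one and one carrying a URL-encoded fragment.
    print(matched_fragment({"q": "storm center"}, {}, {}))
    print(matched_fragment({"q": "%65val(1)"}, {}, {}))
```

The single urldecode the diary describes handles the %61 case it mentions, but a value that is percent-encoded twice still compares as encoded text after one pass; the canonical variant settles that by decoding to a fixed point before matching, and the test cases below show the two versions disagreeing on exactly that input.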
And with this we come to the end of the second diary. In the next diary I'll go through some advanced functions of the PHP script, such as auto-update, as well as the administrator's interface. Of course, you are always welcome to contact us if you have any questions.


--

Bojan

INFIGO IS

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Amazon.com is keeping up the pressure on competitors in the electronic book market and will launch on July 7 a new version of its Kindle DX that features a better screen and costs US$110 less than the current model.
 

Posted by InfoSec News on Jun 30

http://metrospirit.com/index.php?cat=1211101074307265&ShowArticle_ID=11012906100513920

By Corey Pein
Metro Spirit
Issue #21.49
06/30/2010 - 07/06/2010

Following this month's arrest of a Keysville man carrying two
"flash-bang" grenades and other devices onto Fort Gordon, the Metro
Spirit decided to revisit a story it ran in 2007 discussing some of the
security issues on base.

-=-

AUGUSTA, GA -- A broken window, a stolen...
 

Posted by InfoSec News on Jun 30

http://www.theregister.co.uk/2010/06/30/patient_data_exposed/

By Dan Goodin in San Francisco
The Register
30th June 2010

New York-based Lincoln Medical and Mental Health Center has become one
of the latest medical providers to expose highly sensitive patient data
after CDs containing unencrypted data sent by FedEx never made it to
their destination.

The breach exposed medical and psychological diagnoses and procedures
for 130,495 patients,...
 

Posted by InfoSec News on Jun 30

http://www.computerworld.com/s/article/9178768/Microsoft_10_000_PCs_hit_with_new_Windows_XP_zero_day_attack

By Robert McMillan
IDG News Service
June 30, 2010

Nearly a month after a Google engineer released details of a new Windows
XP flaw, criminals have dramatically ramped up online attacks that
leverage the bug.

Microsoft reported Wednesday that it has now logged more than 10,000
attacks. "At first, we only saw legitimate researchers...
 

Posted by InfoSec News on Jun 30

http://gulfnews.com/business/technology/big-security-lapses-make-mideast-firms-easy-prey-1.648615

By Arno Maierbrugger
Deputy Business Editor
Gulf News
July 1, 2010

Dubai: It takes nothing more than a simple Google search and the use of
an appropriate keyword string to get access to the web server of some of
the largest companies in the Middle East, a recent trial of German web
hacking experts has shown.

They said they were able to access...
 

Posted by InfoSec News on Jun 30

http://www.networkworld.com/news/2010/063010-russian-spy-ring.html

By Tim Greene
Network World
June 30, 2010

The Russian ring charged this week with spying on the United States
faced some of the common security problems that plague many companies --
misconfigured wireless networks, users writing passwords on slips of
paper and laptop help desk issues that take months to resolve.

In addition, the alleged conspirators used a range of...
 

Posted by InfoSec News on Jun 30

http://www.darkreading.com/smb-security/security/management/showArticle.jhtml?articleID=225701975

By Robert Lemos
Contributing Writer
DarkReading
June 30, 2010

Demolition firm Ferma nearly failed because its employees lacked a
proper security policy.

In mid-2009, an employee at the California firm clicked on a link in an
e-mail message and ended up at a malicious website. The site, run by
online thieves, used a vulnerability in Internet...
 

Posted by InfoSec News on Jun 30

http://news.bbc.co.uk/2/hi/england/humberside/10453067.stm

BBC News
29 June 2010

More than 24,000 people in Hull and Leicester have had information about
them stolen, it has been revealed.

Training company A4e said the data was held on a personal computer of an
employee which was stolen in "an opportunistic domestic burglary".

A4e said the laptop, that was taken on 19 June in London, did not
contain banking or credit information....
 

Posted by InfoSec News on Jun 30

http://www.mis-asia.com/news/articles/china-nears-800-million-mobile-phone-subscribers

By Dan Nystedt
MIS ASIA
30 June 2010

TAIPEI - The number of mobile phone subscribers in China reached 796
million as of the end of May, while 3G subscriber numbers have almost
doubled, the government said Tuesday.

Over 9.4 million new Chinese subscribers signed up for mobile phone
service in May, for an official total of 48.5 million new users so far...
 