Information Security News
A criminal gang recently found an effective way to spread malware that drains online bank accounts. According to a blog post published Monday, they bundled the malicious executable inside a file that installed a legitimate administrative tool available for download.
The legitimate tool is known as Ammyy Admin and is used to provide remote access to a computer so someone can work on it even when they don't have physical access to it. According to Monday's blog post, members of a criminal enterprise known as Lurk somehow managed to tamper with the Ammyy installer so that it surreptitiously installed a malicious spyware program in addition to the legitimate admin tool people expected. To increase their chances of success, the criminals modified the PHP script running on the Ammyy Web server, suggesting they had control over the website.
What resulted was a highly effective means for distributing the banking trojan. That's because the legitimate tool Ammyy provided was in many ways similar to the banking trojan in that they both provided remote access to the computer they ran on. As researchers from antivirus provider Kaspersky Lab explained:
A former executive for the St. Louis Cardinals baseball team, Christopher Correa, was sentenced Monday to 46 months in prison. In 2013, he successfully guessed a password to access an online database for confidential data held by another baseball team, the Houston Astros.
Correa pleaded guilty earlier this year to five counts under the Computer Fraud and Abuse Act, a notorious 1980s-era hacking statute.
“You have made it harder for them to live their lives,” US District Judge Lynn N. Hughes said during the court hearing, referring to the necessity of tighter security around all of Major League Baseball.
HTTPoxy refers to an older vulnerability in how web applications handle the HTTP Proxy header. The vulnerability was first described in 2001 in libwww-perl, but has survived unnoticed in other languages and plugins until now. It can be found in some popular implementations, but does not affect the vast majority of web applications.
According to RFC 3875, which describes CGI (Common Gateway Interface), the content of the Proxy header is assigned to the HTTP_PROXY environment variable. Like all user-supplied data, this value needs to be validated, but sadly, some web applications fail to do so.
The effect is that outbound web requests from the application may use a proxy provided by the user.
You are vulnerable if you are not validating the Proxy header, AND if you are using specific frameworks for outbound web requests that use the HTTP_PROXY environment variable.
For a full list of affected applications, and more details, see https://httpoxy.org. The site also suggests specific mitigation techniques, like removing the Proxy header from all inbound requests, which is probably a sound technique to minimize the impact of this issue.
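To make the mechanism concrete, here is an added illustration in Python, not code from this article or from httpoxy.org: it models the RFC 3875 header-to-environment mapping that turns a client's Proxy header into HTTP_PROXY, a proxy-aware client that reads that variable, and the header-stripping mitigation. The request headers and the `proxy.invalid` host are constructed sample values.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed sample of the headers an inbound request might carry; the Proxy
# value is a made-up example (.invalid TLD), not a real host.
SAMPLE_HEADERS = {
    "Host": "app.example",
    "User-Agent": "curl/7.0",
    "Proxy": "proxy.invalid:8080",
}


def cgi_meta_variables(headers: Dict[str, str]) -> Dict[str, str]:
    """Build the HTTP_* meta-variables a CGI gateway derives from request
    headers (RFC 3875 section 4.1.18): upper-case the field name, turn '-'
    into '_' and prefix 'HTTP_'. A 'Proxy' header therefore lands in
    HTTP_PROXY, the same name that proxy-aware HTTP clients honour."""
    env = {"REQUEST_METHOD": "GET", "GATEWAY_INTERFACE": "CGI/1.1"}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def outbound_proxy_for(url: str, env: Dict[str, str]) -> Optional[str]:
    """Simplified model of an HTTP client that takes its proxy from the
    environment: an http:// request is routed through HTTP_PROXY if set."""
    if urlsplit(url).scheme == "http":
        return env.get("HTTP_PROXY") or env.get("http_proxy")
    return None


def strip_proxy_header(headers: Dict[str, str]) -> Dict[str, str]:
    """Mitigation suggested by httpoxy.org: drop the Proxy header (any
    letter case) from inbound requests before the environment is built."""
    return {k: v for k, v in headers.items() if k.lower() != "proxy"}


def httpoxy_indicators(env: Dict[str, str]) -> bool:
    """Detection helper for a CGI process: HTTP_PROXY present alongside
    REQUEST_METHOD is exactly the condition httpoxy describes, so it should
    be treated as client-supplied until the deployment proves otherwise."""
    return "REQUEST_METHOD" in env and "HTTP_PROXY" in env


if __name__ == "__main__":
    tainted = cgi_meta_variables(SAMPLE_HEADERS)
    clean = cgi_meta_variables(strip_proxy_header(SAMPLE_HEADERS))
    print("unsanitized proxy:", outbound_proxy_for("http://api.internal/", tainted))
    print("sanitized proxy:  ", outbound_proxy_for("http://api.internal/", clean))
```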