April Security “Incidents” Worth Noting

1. Although not an incident the DNS redirect identified by Kaminsky (here) is the perfect storm of stupidity and greed on the part of ISPs resulting in bad mojo for the rest of us.

At issue is a growing trend in which ISPs subvert the Domain Name System, or DNS, which translates website names into numeric addresses.

When users visit a website like Wired.com, the DNS system maps the domain name into an IP address such as But if a particular site does not exist, the DNS server tells the browser that there’s no such listing and a simple error message should be displayed…

The rub comes when a user is asking for a nonexistent subdomain of a real website, such as http://webmale.google.com, where the subdomain webmale doesn’t exist (unlike, say, mail in mail.google.com). In this case, the Earthlink/Barefruit ads appear in the browser, while the title bar suggests that it’s the official Google site…

The hacker could, for example, send spam e-mails to Earthlink subscribers with a link to a webpage on money.paypal.com. Visiting that link would take the victim to the hacker’s site, and it would look as though they were on a real PayPal page.

2. Mass SQL injections identified by F-Secure (here)

F-Secure estimates 510,000 affected pages, you may be thinking “so why is this news worthy” mass events are worthy for 2 reasons 1. They do not receive much press lately and that has a negative impact on the understanding of threat by executives – they have a security incident memory half-life of 6 months before they decide to stop funding security projects and 2. This exploit coupled with another could result in mass damage.

As more and more websites are using database back-ends to make them faster and more dynamic, it also means that it’s crucial to verify what information gets stored in or requested from those databases — especially if you allow users to upload content themselves which happens all the time in discussion forums, blogs, feedback forms, et cetera.

Unless that data is sanitized before it gets saved you can’t control what the website will show to the users. This is what SQL injection is all about, exploiting weaknesses in these controls. In this case the injection code starts off like this (note, this is not the complete code):

DECLARE @T varchar(255)’@C varchar(255) DECLARE Table_Cursor
CURSOR FOR select a.name’b.name from sysobjects a’syscolumns b
where a.id=b.id and a.xtype=’u’ and (b.xtype=99 or b.xtype=35
or b…

What happens as a result? It finds all text fields in the database and adds a link to malicious javascript to each and every one of them which will make your website display them automatically. So essentially what happened was that the attackers looked for ASP or ASPX pages containing any type of querystring (a dynamic value such as an article ID, product ID, et cetera) parameter and tried to use that to upload their SQL injection code.

So far three different domains have been used to host the malicious content — nmidahena.com, aspder.com and nihaorr1.com. There’s a set of files that gets loaded from these sites that attempts to use different exploits to install an online gaming trojan. Right now the initial exploit page on all domains are unaccessible but that could change. So if you’re a firewall administrator we recommend you to block access to them

3. Targeted malware laden subpoena (here)

This is newsworthy because it was highly targeted at a user population that traditionally subverts security controls based on their role in the organization – the CEO – because it was so legitimate looking (no spelling errors, good logo’s) and because it spoke to a basic human desire to not get sued. It is also an example of yet another piece of malware that most of the AV companies didn’t have signatures to detect and clean until after the infections began.

We’ve gotten a few reports that some CEOs have received what purports to be a federal subpoena via e-mail ordering their testimony in a case. It then asks them to click a link and download the case history and associated information. One problem, it’s total bogus. It’s a “click-the-link-for-malware” typical spammer stunt. So, first and foremost, don’t click on such links. An interesting component of this scam was that it did properly identify the CEO and send it to his e-mail directly. It’s very highly targeted that way.

TECHNICAL DETAILS: The malicious code that gets downloaded is a CAB with acrobat.exe inside. There is good AV coverage of this right now it looks like. The malware then creates a Browser Helper Object (BHO) at %WINDIR%\system32\acrobat.dll and opens a hidden IE window to communciate to the command and control server. The BHO will also steal any installed certificates installed on the system. The C&C server is hard-coded to an ISP in Singapore at this time. (Thanks to Matt Richard of Verisign for the info).

There were other incidents, as there are every week, but these are worth understanding better as part of an organizations overall security initiatives. Of course as bad as it is in cyberspace we can take comfort in the fact that it will never get this bad…

Lynchings in Congo as penis theft panic hits capital (here)

KINSHASA (Reuters) – Police in Congo have arrested 13 suspected sorcerers accused of using black magic to steal or shrink men’s penises after a wave of panic and attempted lynchings triggered by the alleged witchcraft.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s