Author Archive for alfredo reino



30 Apr

HotBot’s papers about botnet research available

Hotbots 2007

Ok, maybe this is some days old. The papers for HotBots ‘07 (the First Workshop on Hot Topics in Understanding Botnets) have been made available on their website.

Here you can find download links for several of the most interesting-looking papers:

Some other blogs commented about it first: TaoSecurity, Noticias de Seguridad

21 Apr

Devil’s Security Dictionary

Funny :-)

Change control (n.) A carefully defined and measured process of self-delusion.
Compliance solution (n.) Surveillance and behavior control software.
Delete (v.) To remove from view (and archive).

The Devil’s Security Dictionary 2.0

17 Apr

Nirbot actively exploiting the DNS RPC vulnerability

Did you apply the workaround suggested by Microsoft for the DNS RPC vulnerability? Do you think you’re safe because you don’t allow RPC ports at the perimeter firewall?

Do you meet these two conditions?

  • I have Active Directory with the usual Windows-based DNS servers
  • I have users

If so, you are in deep trouble. Exploit code for the DNS RPC vulnerability has been incorporated into the Nirbot malware, which is self-updating. So, if you were already infected, now your zombie machines can own your Domain Controllers.

Game over.

According to Arbor Networks:

The latest turn in the Nirbot saga is that they’ve gone and incorporated the MS Windows DNS RPC interface exploit into their bot. We started seeing this in ATLAS starting Sunday evening GMT and it appears that this flood of MS DNS RPC exploits was seeded into an existing botnet. It appears that one of the public exploits was rolled into the bot over the weekend.

The malware connects to x.rofflewaffles.us at port tcp/8080. Block that. Also from Arbor: “Signs of infections include connections to hosts with that hostname on that port, scans on TCP port 1025 (and other exploits in the bot include SYMC06-010, MS06-040, and weak passwords)”.
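To turn the two infection signs quoted from Arbor into something you can run over your own firewall or proxy logs, here is an added example (my code, not from the post or from Arbor). The hostname and ports are the ones named above; the key=value log format, the sample lines and the scan threshold (five distinct hosts hit on TCP/1025 from one source) are my own assumptions and would need adjusting to your log source.

```python
"""Flag the two Nirbot infection signs quoted from Arbor in firewall-style logs:
1. connections to the C2 hostname x.rofflewaffles.us on tcp/8080
2. a single source hitting many distinct hosts on tcp/1025 (scanning)
"""
from collections import defaultdict

C2_HOST = "x.rofflewaffles.us"   # from the post
C2_PORT = 8080                   # from the post
SCAN_PORT = 1025                 # from the Arbor quote
SCAN_THRESHOLD = 5               # assumption: distinct targets on 1025 before we call it a scan

# Constructed sample log lines in a made-up "timestamp key=value ..." format.
SAMPLE_LOG = """\
2007-04-17T01:12:03 action=allow proto=tcp src=10.1.4.22 dst=203.0.113.9 dport=8080 host=x.rofflewaffles.us
2007-04-17T01:12:09 action=deny proto=tcp src=10.1.4.22 dst=10.1.5.1 dport=1025
2007-04-17T01:12:09 action=deny proto=tcp src=10.1.4.22 dst=10.1.5.2 dport=1025
2007-04-17T01:12:10 action=deny proto=tcp src=10.1.4.22 dst=10.1.5.3 dport=1025
2007-04-17T01:12:10 action=allow proto=tcp src=10.1.4.22 dst=10.1.5.4 dport=1025
2007-04-17T01:12:11 action=deny proto=tcp src=10.1.4.22 dst=10.1.5.5 dport=1025
2007-04-17T01:13:40 action=allow proto=tcp src=10.1.4.30 dst=198.51.100.7 dport=8080 host=intranet.example.test
2007-04-17T01:14:02 action=allow proto=tcp src=10.1.4.31 dst=10.1.5.1 dport=1025
2007-04-17T01:14:02 action=allow proto=tcp src=10.1.4.31 dst=10.1.5.1 dport=1025
2007-04-17T01:15:11 action=allow proto=udp src=10.1.4.31 dst=10.1.5.9 dport=1025
2007-04-17T01:16:00 action=allow proto=tcp src=10.1.4.40 dst=203.0.113.9 dport=8080 host=X.ROFFLEWAFFLES.US
this line is garbage and must simply be skipped
"""


def parse_line(line):
    """Split one log line into a dict; tokens without '=' are ignored."""
    tokens = line.split()
    if len(tokens) < 2:
        return None
    fields = {"ts": tokens[0]}
    for tok in tokens[1:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    return fields


def analyze(log_text):
    """Return sources beaconing to the C2 and sources scanning tcp/1025."""
    c2_sources = set()
    scan_targets = defaultdict(set)   # src -> set of distinct dst hit on 1025

    for line in log_text.splitlines():
        f = parse_line(line)
        # Only TCP lines with a parseable destination port are interesting.
        if not f or f.get("proto") != "tcp" or "src" not in f:
            continue
        try:
            dport = int(f.get("dport", ""))
        except ValueError:
            continue

        if dport == C2_PORT and f.get("host", "").lower() == C2_HOST:
            c2_sources.add(f["src"])          # sign 1: C2 connection
        elif dport == SCAN_PORT and "dst" in f:
            scan_targets[f["src"]].add(f["dst"])   # candidate for sign 2

    # Blocked attempts count too: a scan is a scan whether or not it got through.
    scanners = {src for src, dsts in scan_targets.items() if len(dsts) >= SCAN_THRESHOLD}
    return {
        "c2_beacons": sorted(c2_sources),
        "port1025_scanners": sorted(scanners),
    }


if __name__ == "__main__":
    for label, hosts in analyze(SAMPLE_LOG).items():
        print(f"{label}: {', '.join(hosts) or '-'}")
```

Hosts that show up under `c2_beacons` are the ones to pull off the network first; `port1025_scanners` catches infected machines even if they have not yet reached the C2, which matters once you have blocked the hostname at the perimeter and the beacon lines stop appearing.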

14 Apr

Home network security

For those who want to take home or small-office network security seriously, there is a good article by Tim Fehlman at “Daily Cup of Tech”. It covers WiFi security, network firewalls, software firewalls, content-filtering web proxy, anti-spam, password management, backups, etc.

10 Ways to protect your home network

What’s missing, in my opinion, is:

  • guidance on “safe browsing” practices
  • basic security patch management
  • basic network-based Intrusion Detection

But in general it’s a good place to start if you want to lock down your domestic infrastructure…

14 Apr

Temporary workaround for Microsoft DNS issue

One of the mitigation actions for the Microsoft DNS vulnerability is the disablement of the RPC Management functionality. Jesper Johansson explains how to do it in a large number of Domain Controllers and DNS servers (thanks Daniel!)

In short, the method consists of generating a text list with all the DNS servers, and then using a short script to remotely connect to each one (using Enterprise Admin credentials), change the registry parameter and restart the DNS service.

It is recommended to do this until you can patch.

Note about this workaround:

Setting the registry value to 4 will disable remote management and configuration of DNS server functionality using RPC or WMI. DNS management tools will fail to work remotely. Local management and remote management through terminal services can still be used to manage your DNS Server configuration.

You will still be able to use the DNS management MMC Snap-in, DNSCMD.exe, and the DNS WMI provider.
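The procedure above (a text list of servers, a remote registry change, a DNS service restart) is short enough to show end to end. What follows is an added example of my own, not Jesper Johansson's script and not Microsoft's tooling. The registry location and the RpcProtocol value name are taken from Microsoft's advisory for this issue rather than from the post, which only says "the registry parameter"; the server list is constructed. It shells out to reg.exe and sc.exe, so it is meant to run on a Windows admin workstation with Enterprise Admin credentials; the default is a dry run that only builds the commands.

```python
"""Apply Microsoft's interim DNS RPC workaround to every server in a text list:
set RpcProtocol = 4 (disable RPC/WMI remote management) and restart the DNS service.
Registry key and value name are from Microsoft's advisory, not from the post."""
import subprocess
import time

REG_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters"
REG_VALUE = "RpcProtocol"
REG_DATA = "4"   # the value the post's quoted note refers to

# Constructed server list, as it would come from the text file in step one.
SAMPLE_SERVER_LIST = """\
# DNS servers / domain controllers to apply the workaround to
dc1.corp.example.test
dc2.corp.example.test   # branch office

dns-ext.corp.example.test
"""


def read_server_list(text):
    """One hostname per line; blank lines and '#' comments are ignored."""
    servers = []
    for line in text.splitlines():
        name = line.split("#", 1)[0].strip()
        if name:
            servers.append(name)
    return servers


def unc(server, path):
    r"""Build \\server\path for reg.exe / sc.exe remote operation."""
    return "\\\\" + server + "\\" + path


def workaround_commands(server):
    """The commands needed per server, in order, as argument lists."""
    return [
        ["reg", "add", unc(server, REG_KEY), "/v", REG_VALUE,
         "/t", "REG_DWORD", "/d", REG_DATA, "/f"],
        ["sc", "\\\\" + server, "stop", "dns"],
        ["sc", "\\\\" + server, "start", "dns"],
    ]


def wait_for_state(server, state, run, timeout_s=60):
    """sc stop/start return immediately, so poll 'sc query' until the service
    reports the wanted state (e.g. STOPPED before we issue start)."""
    deadline = time.time() + timeout_s
    while time.time() < deadline:
        out = run(["sc", "\\\\" + server, "query", "dns"], capture_output=True, text=True)
        if state in out.stdout:
            return True
        time.sleep(2)
    return False


def apply_workaround(server_list_text, dry_run=True, run=subprocess.run):
    """Return {server: status}. With dry_run the commands are only listed."""
    results = {}
    for server in read_server_list(server_list_text):
        reg_cmd, stop_cmd, start_cmd = workaround_commands(server)
        if dry_run:
            results[server] = "dry-run: " + "; ".join(
                " ".join(c) for c in (reg_cmd, stop_cmd, start_cmd))
            continue
        # One failing server must not abort the run over the rest of the list.
        rc = run(reg_cmd, capture_output=True, text=True)
        if rc.returncode != 0:
            results[server] = "registry change failed: " + rc.stderr.strip()
            continue
        run(stop_cmd, capture_output=True, text=True)
        if not wait_for_state(server, "STOPPED", run):
            results[server] = "registry changed but DNS service did not stop in time"
            continue
        run(start_cmd, capture_output=True, text=True)
        if not wait_for_state(server, "RUNNING", run):
            results[server] = "registry changed but DNS service did not come back"
            continue
        results[server] = "ok"
    return results


if __name__ == "__main__":
    for server, status in apply_workaround(SAMPLE_SERVER_LIST).items():
        print(f"{server}: {status}")
```

Run it once in dry-run mode to review the command lines, then with `dry_run=False`. The per-server status dictionary is what you keep as evidence of where the workaround is in place, and the same list is the one you walk again when the patch is available and the value can be removed.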

11 Apr

Critical wireless driver bug in Linux

According to Dark Reading, there is a remotely exploitable bug in the madwifi drivers for Linux, discovered by a France Telecom researcher:

A researcher from France Telecom has discovered the first remotely exploitable 802.11 WiFi bug on a Linux machine. The kernel stack-overflow bug, which is in the open-source MadWiFi Linux kernel device driver, lets an attacker run their malicious code remotely on an infected machine — and the infected machine doesn’t even have to be on a WiFi network to get “owned.”

Laurent Butti, senior security expert for France Telecom’s Orange R&D, says all it takes is the client machine’s NIC to be activated and perform its automated scanning feature for WiFi access points in range, and the vulnerability is triggered. The attacker initially must be in wireless range of the victim for the code to execute the exploit, he says.

Read the rest of the article at Dark Reading.

05 Apr

Cracking WEP in under 60 seconds

A new excellent article by the (also excellent) Raul Siles at the RaDaJo blog describes a practical demonstration of the new kind of WEP cracking presented in the paper “Breaking 104 bit WEP in less than 60 seconds” by Erik Tews, Ralf-Philipp Weinmann, and Andrei Pyshkin. Raul uses this information together with the aircrack-ptw tool and the latest release of Backtrack 2 to check the validity of the method.

And guess what? It works beautifully :)

In Raul’s own words: “Awesome results and advancements for auditing the security of WEP-based wireless networks!”

Stop using WEP now. Switch to WPA/WPA2 as soon as possible.

You can read Raul’s post here.

Here is the complete kit:

Download the “Breaking 104 bit WEP in less than 60 seconds” paper.

Download the aircrack-ptw tool.

Download Backtrack 2 Stable.

03 Apr

Malware outbreak in the real world

Dilbert - Disaster Recovery

Let’s assume you have the usual “defense-in-depth” security architecture in place. Anti-virus software, perimeter firewalls, machines properly hardened, non-admin users, etc.

Let’s also say you have a serious malware outbreak today. Wait, make that tonight. Your sysadmins call you at night and tell you several thousand clients and servers are infected with something that sneaked past the AV software. What do you do? Do you have a procedure?

These things happen. You might have the best security architecture, follow best practices, have top consultants evaluate your risk periodically, the whole thing. But when push comes to shove, does everyone know what to do? Do they have the tools to do it?

This is a simple checklist. It probably isn’t very complete. But it’s wise to at least think about these questions before lightning strikes. In no particular order:

    - Do you have alternative malware cleaning tools?
    - Do you have malware-cleaning tools that can run from a bootable CD?
    - Do you have admin-level access to all involved machines?
    - Can you reach machines in remote locations?
    - Do you know the current admin passwords?
    - Are there people available with physical access to the machines in remote locations?
    - If you have to re-install / re-image some boxes, do you have the relevant installation media?
    - Do you have the phone numbers of the important vendors’ support services? Are they 24x7x365?
    - Do your operators know how to react? (yes, I know you have an Incident Response document somewhere, but have people actually read it?)
    - Do you have access to someone that can take drastic decisions if needed?

Or would all this make life too easy for us? ;)

28 Mar

Metasploit Framework 3.0 released

You probably already heard, but Metasploit Framework 3.0 is out!

Metasploit Framework 3.0 Console

An article in Dark Reading comments on the new functionality:

Among the new features for Metasploit 3.0 that weren’t originally shown in the beta are three exploit modules that target WiFi driver vulnerabilities in the Windows kernel. The framework comes with APIs, 177 exploits, as well as modules that handle host discovery, protocol fuzzing, and denial-of-service testing. It’s aimed at researchers, network security pros for penetration testing, system administrators for verifying patch installations, and at vendors testing the security of their products. Metasploit runs across all the main operating systems and works with Unix mainframes and Nokia n800 handheld devices as well.

One feature in the new version lets you manipulate the memory of a process that’s running in an exploited system, and another lets you relay attacks through the compromised machine, notes Moore. “From a penetration testing perspective, the most useful features are the combination of the new Meterpreter payload and the ability to relay connections through compromised systems.”

Download Metasploit Framework 3.0 from here.

26 Mar

Underground economy and prices

We have already commented on how pump-and-dump stock scams work, and how much money they provide the scammer when they work.

Symantec, in its latest Internet Security Threat Report talks about underground economy servers which are “used by criminals and criminal organizations to sell stolen information, typically for subsequent use in identity theft.” In the second half of 2006, about half of these servers were located in the USA.

According to the report, these are the current advertised prices for stuff such as credit card information, lists of emails, banking accounts, compromised computers, etc.

ISTR - Underground economy

You can download the full Internet Security Threat Report (PDF) from Symantec.