Tag Archive for hack

Worm Uses Social Engineering

A new worm has hit the Internet and its taking its toll on computers worldwide. It has been reported that over 9 million computers have already been infected.

The worm called “Downandup”, “Conficker” or “Kido” by different anti-virus vendors uses the Microsoft vulnerability which I blogged about here (Worm Takes Advantage Of Microsoft Flaw) and here (Microsoft Releases Emergency Patch).

The worm mostly spreads across networks, turning off the system restore and deleting the restore points, blocks access to security website, download additional malware from the author, attempts to infect other computers by scanning network shares and scheduled a task to re-infect the computer if removed.

What is interesting is that it can also spread by USB memory keys or devices making use of social engineering which makes it more dangerous to the untrained eye. When a USB drive is inserted it shows a modified AutoPlay screen seen below which will install the worm when the users inadvertently clicks on it.

According to SANS Internet Storm Center, one of the reasons the worm is infecting so many machines is that “Conficker” uses multiple infection vectors:

  1. It exploits the MS08-067 vulnerability,
  2. It brute forces Administrator passwords on local networks and spreads through ADMIN$ shares and finally
  3. It infects removable devices and network shares by creating a special autorun.inf file and dropping its own DLL on the device.

Characteristics –

When executed, the worm copies itself using a random name to the %Sysdir% folder.

(Where %Sysdir% is the Windows system folder; e.g. C:\Windows\System32)

It modifies the following registry key to create a randomly-named service on the affected syetem:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\Parameters\”ServiceDll” = “Path to worm”
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\”ImagePath” = %SystemRoot%\system32\svchost.exe -k netsvcs

Attempts connections to one or more of the following websites to obtain the public ip address of the affected computer.

  • hxxp://www.getmyip.org
  • hxxp://getmyip.co.uk
  • hxxp://checkip.dyndns.org
  • hxxp://whatsmyipaddress.com

Attempts to download a malware file from the remote website: (Rogue Russian site is up but not serving file anymore)

  • hxxp://trafficconverter.biz/[Removed]antispyware/[Removed].exe

Starts a HTTP server on a random port on the infected machine to host a copy of the worm.

Continuously scans the subnet of the infected host for vulnerable machines and executes the exploit. If the exploit is successful, the remote computer will then connect back to the http server and download a copy of the worm.

Later variants of w32/Conficker.worm are using scheduled tasks and Autorun.inf file to replicate on to non vulnerable systems or to reinfect previously infected systems after they have been cleaned.

Suggestions –

  1. Disable AutoPlay in your environment.
  2. Run a good security suite.
  3. Keep your computer updated with the latest patches.
  4. Be PROACTIVE and look for the worm in your environment.




    Locking Down The Blackberry Network

    Early last year India threatened to discontinue Blackberry service if Research In Motion (RIM), the company behind the Blackberry did not allow the Indian Government to monitor the Blackberry network traffic raising serious security concerns. Here are a few articles from PCWorld, InfoWorld, and CNet.

    Now president-elect Barack Obama vows to keep his Blackberry despite hacking fears and concerns by the Secret Service.

    This will not only be a headache for the Secret Service but its pretty likely that hacking attempts towards the RIM network will increase exponentially.

    Generally people just don’t think about the risk that a smart-phone poses, specially if its connected to a Blackberry Enterprise Server. How could my phone be a risk to anyone? Well a smartphone is not just a phone, but rather a miniature computer that is not just capable of making calls but it also an un-metered gateway into the corporate network.

    In order to understand what actions to take to protect a smart-phone, in particular the Blackberry you have to understand how it works and how it interacts with the Blackberry Enterprise Server.


    • Lack of authentication
    • Lack of encryption
    • Lack of mobile code execution controls
    • Difficult to enforce controls
    • Peripheral devices introduce additional vulnerabilities
    • Infrastructure vulnerabilities service specific operating systems, platforms, applications, etc.
    • Small size is prone to theft and loss
    • All devices may not be corporate owned
    • Multiple configurations of the Blackberry Enterprise Server (BES) architecture
    • Limited centralized update mechanisms
    • Limited IT/CIO Control

    Sources of Recommended Controls and Security Guidelines:

    • The Vendor (Microsoft, Treo, RIM, etc.)
    • SANS (www.sans.org)
    • NIST has a great publication
    • Other existing guidelines
    • 3rd Party Solutions often fill the gaps

    Once the vulnerabilities have been identified we proceed to implement controls and audits.


    Controls will include policies, standards, practices, procedures, guidelines, awareness, authentication, encryption, and asset management.


    Once the scope has been defined, allow to review the implementation of policies between the BES, servers, Blackberry devices, and Blackberry desktop agents. Audits also allow the review of configuration and options to ensure that security is not just available but implemented. Additionally configurations pushed down to end devices need to be audited as well.

    The infrastructure design and configuration of network components (firewalls, routers, switches, VLANs, etc.) will need to be audited as they play an intricate part of the overall security of the system.

    Risk Assessment:

    Although this requires additional resources and expertise, its a must in certain environments like corporate or government. A risk assessment will identity security vulnerabilities and provide a 2nd chance to identify all “assets”.

    Once this has been completed, validating the risk by performing an “ethical hack” will remove any uncertainty by proving the vulnerabilities identified actually exist.


    Providing documentation on the findings is vital. The documentation required will contain an executive summary, action items and details for system administrators, and a clear and concise report with both the good and the bad findings.

    A couple of things that should not fall through the cracks are ensuring that the corrective actions are implementable within the organization and the next audit scheduled.

    Sample Policy:

    Sample Blackberry Enterprise Server Policy


    Its the FMI’s Turn at Being Hacked

    Within weeks of the World Bank’s story breaking about its computer systems being breached by hackers, Fox News has reported here that Cyber-Hackers have broken into the IMF computer system.

    The International Monetary Fund (IMF) is an international organization that oversees the global financial system by following the macroeconomic policies of its member countries, in particular those with an impact on exchange rates and the balance of payments. It also offers financial and technical assistance to its members, making it an international lender of last resort. Its headquarters are located in Washington, D.C., USA.

    The IMF of course absolutely denies that the event took place. The spyware discoveries came at a particularly sensitive time for the international bailout institution, which along with the World Bank is expected to play a central role in trying to combat global financial turmoil.

    This is too much of a coincidence in my opinion. Any information taken by the attackers will likely be used as leverage to blackmail the institutions rather than being made public to embarass them.

    In fact, the computer assaults on the World Bank and the IMF are only part of a rash of sensitive cyber-burglaries that even reached into the U.S. presidential campaign. Both London’s Financial Times and Newsweek recently reported that the computer network of the White House, and the Obama and McCain campaigns, were seriously breached.

    The Pentagon claims the Chinese army has established units to develop viruses to attack enemy computer systems. Chinese hackers penetrated the Pentagon last year, in an attack that obtained e-mails from the system serving Defense Secretary Robert Gates.

    Despite vigorous Chinese denials, “everyone in the intelligence community knows that China is the biggest player in cyber espionage,” says John Tkacik, a former head of China intelligence for the U.S. State Department. Tkacik told FOX News that later this month, President-elect Obama will be presented with a new top-secret National Intelligence Estimate (NIE) report that “will cause the scales to drop from his eyes” regarding Chinese cyber-espionage.

    “What the Chinese are particularly interested in at the IMF is what loans the IMF is likely to give to other countries,” says Nick Day, a former British intelligence officer who runs Diligence, a private investigative firm that does extensive work for many international corporations and institutions.

    “The geopolitics of this is that essentially you’ve got a few countries in the world that are stacked on huge foreign capital reserves — Russia, China, Japan, the Middle East — and the rest of us are pretty much borrowers to those lenders.


    World Bank Hacked

    Earlier this year, the World Bank suffered a server security breach in which hackers were able to compromise critical servers.

    In what Fox News characterized as an “Unprecedented Crisis“, were one of the largest repositories of sensitive data about the economies of every nation, had been raided repeatedly for more than a year.

    It is still not known how much information was stolen. But sources inside the bank confirm that servers in the institution’s highly-restricted treasury unit were deeply penetrated with spy software last April. Invaders also had full access to the rest of the bank’s network for nearly a month in June and July.

    In total, at least six major intrusions — two of them using the same group of IP addresses originating from China — have been detected at the World Bank since the summer of 2007, with the most recent breach occurring just last month.

    In a frantic midnight e-mail to colleagues, the bank’s senior technology manager referred to the situation as an “unprecedented crisis.” In fact, it may be the worst security breach ever at a global financial institution. And it has left bank officials scrambling to try to understand the nature of the year-long cyber-assault, while also trying to keep the news from leaking to the public.

    • Click here to see the e-mail.

    The crisis comes at an awkward moment for World Bank president Robert Zoellick, who runs the world’s largest and most influential anti-poverty agency, which doles out $25 billion a year, and whose board represents 185 member nations. This weekend, the bank holds its annual series of meetings in Washington — and just in advance of those sessions, Zoellick called for a radical revamping of multilateral organizations in light of the global economic meltdown.

    The bank’s chief information officer, Guy De Poerck, has engaged Price Waterhouse Coopers to do a confidential million-dollar assessment that is expected to tell him what’s going on in his own department.

    What is very peculiar about this story is that no other news agency has reported the event and that Fox News was able to acquire internal e-mails and memos regarding the attack.
    Jack Conde, Senior Enterprise Risk Management Officer at World Bank shared with executives on July,10, the extent of the breach here. According to the memo at least 17 servers were breached and were slowly being taken offline to perform forensics.

    The memo goes on to say what steps they will take in the future to prevent information leaving the network, like implementing an outgoing firewall rule preventing communications being initiated from within the network.

    A major effort is underway to implement a firewall rule that will bar all outbound traffic from server networks to the internet with exceptions made for servers with a legitimate reason to make such connections. To this end, ISG staff is creating a daily report of traffic which will be vetted by ISG service managers and OIS to insure that all exceptions are explained and justified. The rule will be implemented on Friday. This effort will curtail any data lost from production servers in the future.

    This a normal reaction to a breach, were measures that should have been in place were not, but any such action should always be considered carefully to determine if it will actually prevent data loss or provide a false sense of security.

    In the age of spyware, malware, keyloggers and hamachi, the biggest threat to corporate data comes from within.

    What would be achieved by a firewall rule restricting Internet access? Well, absolutely nothing when the servers have access to every PC on the internal network and subsequently these PC’s have inherent access to the Internet.

    In this particular situation were the attacker was able to compromise in excess of 17 servers and go undetected for so long, can only lead to 2 conclusions. Either the security guys are clueless or the attacker or attackers knew what they were doing.

    In plainspeak: “They had access to everything,” says the source. “They had the keys to every room at the bank. And we can’t say whether they still do or don’t until we fully and openly address what’s happening here.”

    Now this is not a small business, a law firm, or a retail chain. This is the World Bank, so I am inclined to believe that the keepers of the data are professionals and subsequently it would be wise to think that the attacker is not stupid.

    Having access to the servers that were compromised and knowing that sooner or later someone was going to discover the breach, it wouldn’t be far fetched that the attacker would create false accounts and personnel records to back them up in the SAP (ERP), HR and Secure ID systems of the 10,000 plus employee organization.

    This would give an attacker the capability to restore access once the breach was discovered triggering the containment plan. Additionally the attacker had gained system administrator access providing access throughout the corporation, providing the potential of creating backdoor’s into virtually any desktop computer in the network.

    After FOX News published its story, a World Bank spokesman issued the following statement:

    “The Fox News story is wrong and is riddled with falsehoods and errors. The story cites misinformation from unattributed sources and leaked emails that are taken out of context.

    “Like other public and private institutions, the World Bank has repeatedly experienced hacking attacks on its computer systems and is constantly updating its security to defeat these. But at no point has a hacking attack accessed sensitive information in the World Bank’s Treasury, procurement, anti-corruption or human resources departments.”

    In the security field, you have to be paranoid and levelheaded, specially if you are working in an outfit like this.

    Hey World Bank…. if you need a hand… drop be a line.