Tag Archive for Security

Worm Takes Advantage Of Microsoft Flaw

Just as I had predicted would happen, there are already reports that a worm exploiting the hole in the “Server Service” has been seen in the wild. Microsoft released a critical “out-of-band” patch (MS08-067) yesterday, having known about the issue for a while.

Milw0rm, an exploit-tracking Internet site, has posted the exploit code required to overflow the stack. The code can be downloaded here.

Symantec is tracking an exploit, “Bloodhound.Exploit.212” (Bugtraq ID 31874), that uses this vulnerability, but reports it is still not widespread. Other reports point to a certain file, “n2.exe”, being downloaded to compromise computers, as McAfee has been tracking here.

The worm has already received several names, including Gimmiv and Dropper. The guys over at Threat Expert Blog have a pretty detailed explanation of how the code works and what it does.

Both Symantec and McAfee said Friday that they had seen only a very small number of attacks based on this exploit, but Symantec says that, starting Thursday evening, they found a 25 percent jump in network scans looking for potentially vulnerable machines. That could be a sign that more attacks are coming.

It is not likely that large networks will have ports 139 and/or 445 open to the Internet, and even most DSL/cable modem routers will not allow this kind of inbound traffic either, but I have no doubt this will cause a false sense of security among pseudo-system admins, and as this worm evolves and becomes more sophisticated, it will traverse corporate perimeter firewalls through malware and spyware and then spread within the network, wreaking havoc.
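As an added example (not part of the original post), here is a small Python detector for the kind of scan spike Symantec mentions above: it reads firewall log lines and flags any source that probes several distinct hosts on ports 139 or 445, which is what a worm hunting for vulnerable Server Service instances looks like from the perimeter. The log line format, the addresses and the threshold are constructed assumptions for the illustration, not a real firewall's output.

```python
"""Flag sources sweeping ports 139/445 in firewall log lines.

Added example, not from the original post. The "SRC=... DST=... DPT=..."
line format, the addresses and the threshold are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample log lines in the assumed format.
SAMPLE_LOG = """\
Oct 24 18:02:11 fw kernel: DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=445
Oct 24 18:02:11 fw kernel: DROP SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP DPT=445
Oct 24 18:02:12 fw kernel: DROP SRC=203.0.113.7 DST=192.0.2.12 PROTO=TCP DPT=139
Oct 24 18:02:12 fw kernel: DROP SRC=203.0.113.7 DST=192.0.2.13 PROTO=TCP DPT=445
Oct 24 18:02:13 fw kernel: DROP SRC=203.0.113.7 DST=192.0.2.14 PROTO=TCP DPT=445
Oct 24 18:02:14 fw kernel: DROP SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP DPT=80
Oct 24 18:02:15 fw kernel: DROP SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP DPT=445
Oct 24 18:02:16 fw kernel: ACCEPT SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP DPT=445
"""

LINE_RE = re.compile(
    r"(?P<action>DROP|ACCEPT) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP DPT=(?P<dport>\d+)"
)
SMB_PORTS = {139, 445}  # NetBIOS session and direct-hosted SMB


def parse_lines(text):
    """Yield (src, dst, dport) for every TCP line matching the assumed format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), int(m.group("dport"))


def smb_sweepers(text, min_targets=3):
    """Return {src: sorted distinct targets} for sources that touched at least
    min_targets distinct hosts on 139/445. One host on one port is ordinary
    traffic; many hosts on the same service port is the sweep pattern."""
    targets = defaultdict(set)
    for src, dst, dport in parse_lines(text):
        if dport in SMB_PORTS:
            targets[src].add(dst)
    return {src: sorted(hosts) for src, hosts in targets.items()
            if len(hosts) >= min_targets}


if __name__ == "__main__":
    for src, hosts in smb_sweepers(SAMPLE_LOG).items():
        print(f"{src} probed {len(hosts)} hosts on 139/445: {', '.join(hosts)}")
```

Run against a real log export, the threshold and the matching regex are the two things to adapt; comparing the size of the returned dictionary day over day gives the kind of "jump in scans" figure quoted from Symantec.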


Microsoft Releases Emergency Patch

The same principles behind gaining a root shell on a Unix system apply to Windows systems, allowing the attacker to execute remote code.

Today Microsoft released an emergency patch with a maximum severity rating of “Critical” for Windows 2000 SP4, Windows XP SP1, SP2 and SP3, and Windows 2003, and with a severity rating of “Important” for Windows Vista and Windows 2008 servers.

In this particular instance the attacker would craft an RPC connection to TCP port 139 and/or 445 on a target system, looking to overflow the buffer and thus gain the ability to execute remote code. This would give the attacker full access to the system, with the ability to install programs; view, change and/or delete data; or create accounts.

The Microsoft Security Bulletin MS08-067 provides details on the issue as well as the download links to the patches for the affected platforms.

This particular vulnerability stems from a previously unchecked buffer in the “Server Service”, which provides RPC, file and print, and named pipe sharing support over the network.

Microsoft has acknowledged that over the last three weeks criminals have been targeting systems using this vulnerability, and decided to rush out the patch after handling close to 100 incidents related to this flaw and seeing that number rise significantly.

As I wrote in my past blog on Root Shell – The Holy Grail, it is very likely that a worm will surface on the Internet taking advantage of the gap between the patch release date and when this patch is actually applied by IT departments worldwide.

Install the patch immediately if you are running any of the affected systems, and if you are running anything older, then upgrade.


UPDATE: 9:21pm – Definitely did not expect it to happen this soon, but the New York Times is reporting that attack code to exploit the vulnerability has surfaced just hours after the patch was announced. This vulnerability is so serious that a worm with viral characteristics could be Blaster all over again.

Employees Cause Most Corporate Data Loss

According to a new study (PDF, info required) from Compuware, IT departments should take a bow—only 1 percent of corporate data losses this past year were due to hackers. Unfortunately, the good news mostly ends there. Negligent employees are far and away the largest cause of data breaches, but IT managers also listed outsourcing and malicious employees (possibly ex-employees as well, one assumes) as two significant reasons why data breaches often occur.

Security threats have been and continue to be ignored by corporations and institutions, despite a laundry list of laws that mandate data be kept safe and private. This is most prevalent in smaller private companies and institutions, where, unfortunately, management just doesn’t care.

I have been in many potential “whistle blower” situations and gone to great lengths to explain imminent dangers, their fixes and the law. Unfortunately, since my interpretation of the law goes against management’s self-indulgent wishes, the risks persisted.

It is a well known fact that even though a good perimeter firewall/IDS combination will deter most attacks, the probability of attacks originating from within, and thus bypassing the firewall, is more than double that of threats from outside the network.

Whether it’s an infected laptop from a visitor, a key-logger on an administrative system or a disgruntled employee engaging in a deliberate attack, a security breach from inside the network is much more likely.

Several steps must be taken in order to protect the data, and all revolve around taking information security seriously.

  • Training, Training, Training
    In my experience one of the biggest security risks anywhere is the lack of understanding regarding computer systems and the technical aspects of data security. Users are told how important “safeguarding” data is, but not the technical reasons why data should be stored in a specific place.
  • Network Access Control
    Not knowing who is on your network is like not knowing who is in your building. Let’s ponder this statement a little more. How valuable is client information, customer credit cards or social security numbers? Is it as valuable as money? Would you leave money lying around? Would the money be in a safe or vault?
    Wouldn’t it be important for you to know who is near or in the safe?
    I would be willing to bet on what I would hear from a network admin if I asked who/what is on your network: an empty stare with “Sounds of Silence”.
  • Policies and Procedures
    Here’s a novel idea. Let’s put all the money in the bank vault and not leave it in drawers or on desks!

    The best chances of protecting something are achieved if it’s all in one place. Remember, security is only as strong as the weakest link. In order to accomplish this outcome, confidential data should not be stored on individual computer systems, and as computer equipment leaves the company any remaining data must be erased.
    A popular application to deal with this is Identity Finder, which scans your PC for confidential information, including credit card and Social Security numbers, giving you the capability to permanently delete it from the hard drive.
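As an added example (not Identity Finder’s code and not part of the original post), the Python snippet below shows the core of such a scan: it finds candidate card numbers and U.S. Social Security numbers in text, throws out false positives with the Luhn checksum and the SSA’s never-issued ranges, and can walk a directory tree of plain-text files. The sample document, the file suffixes and the regex layouts are constructed assumptions for the illustration.

```python
"""Locate credit card and U.S. SSN values in text and in a directory tree.

Added example, not Identity Finder's code. The sample document and the
suffix list are constructed for the illustration.
"""
import os
import re

# 13-19 digits, optionally separated by spaces or dashes (typical card layout).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# AAA-GG-SSSS layout of a U.S. Social Security number.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

# Constructed sample: two real hits, two look-alikes that must be rejected.
SAMPLE_DOC = """\
Customer: J. Doe  SSN 123-45-6789
Card on file: 4111 1111 1111 1111 exp 12/09
Typo'd card: 4111-1111-1111-1112
Old case number 000-12-3456 (not an SSN)
Phone: 555-0100-7777
"""


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right (minus 9 if > 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area, group, serial):
    """Reject ranges the SSA never issues: area 000, 666, 900-999; group 00; serial 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def find_pii(text):
    """Return [(line_no, kind, value)] for validated hits, in document order."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                hits.append((n, "CARD", digits))
        for m in SSN_RE.finditer(line):
            if ssn_plausible(*m.groups()):
                hits.append((n, "SSN", m.group()))
    return hits


def scan_tree(root, suffixes=(".txt", ".csv", ".log")):
    """Walk root and map each text file with hits to its hit list.
    Files that are not valid UTF-8 (binaries) or cannot be read are skipped."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8") as fh:
                    hits = find_pii(fh.read())
            except (UnicodeDecodeError, OSError):
                continue
            if hits:
                report[path] = hits
    return report


if __name__ == "__main__":
    for line_no, kind, value in find_pii(SAMPLE_DOC):
        print(f"line {line_no}: {kind} {value}")
```

The two validation steps are what keep a scan like this usable: without the Luhn check every phone number and invoice id that happens to be 13 to 19 digits long becomes a finding, and without the SSA range rules any three-two-four digit pattern does. Anything the scan reports is a candidate for moving into the central store and wiping from the workstation, which is the policy point above.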

Identity theft statistics point to over 226 million data records of U.S. residents having been exposed due to security breaches since February 2005, which is extremely alarming.

The most common forms of identity theft:

  • Credit card fraud (25%)
  • Phone or utilities fraud (16%)
  • Bank fraud (16%)
  • Employment fraud (14%)
  • Government documents/benefits fraud (10%)
  • Loan fraud (5%)


Root Shell – The Holy Grail

The “Holy Grail” of any attack is the creation of a root shell. On UNIX/Linux, the “root” user is a superuser account that has the capability of running any process on the machine. An exploit will attempt to gain root access to a system by obtaining a root shell prompt from which any command can be executed.

The hacker attacks a system by running an exploit script that breaks into it, followed by establishing a root shell bound to a TCP connection, which then allows the attacker to remotely enter commands into the system.

There are basically three ways that these shells can be bound to a TCP connection:

  1. Conversion – The TCP connection used to exploit the server (such as SMTP, DNS, FTP) is converted to a shell prompt.
  2. Listen – The most popular method is to register a shell (/bin/sh, /bin/ksh, etc.) within a service bound to a particular port.
  3. Connect – This exploit will create an outbound connection back to the attacker.
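As an added example from the defender’s side (not part of the original post), the Python snippet below maps socket records to the three binding methods above: a shell process that owns a listening socket (Listen), a shell holding an established connection on a service port it inherited from the exploited daemon (Conversion), or a shell with an outbound connection from an ephemeral port to a remote host (Connect). A shell holding a network socket at all is the thing to look for; the method just tells you which exploit style produced it. The record format, process names and addresses are constructed assumptions rather than any real tool’s output.

```python
"""Classify network sockets owned by shell processes into the three binding
methods (Listen, Conversion, Connect).

Added example, not from the post. Records are constructed in an assumed
(pid, process, state, local, remote) form, not a real netstat/ss layout.
"""

SHELLS = {"sh", "bash", "ksh", "csh", "zsh", "dash"}
# Well-known ports an exploited daemon would have been serving on.
SERVICE_PORTS = {21, 22, 25, 53, 80, 110, 143, 443}

# Constructed sample records; "*:*" marks an unconnected listening socket.
SAMPLE_SOCKETS = [
    (4120, "sshd", "LISTEN", "0.0.0.0:22", "*:*"),
    (5133, "sh", "ESTABLISHED", "192.0.2.10:25", "203.0.113.7:51021"),
    (5201, "ksh", "LISTEN", "0.0.0.0:2222", "*:*"),
    (5340, "bash", "ESTABLISHED", "192.0.2.10:49512", "203.0.113.7:8443"),
    (2210, "httpd", "ESTABLISHED", "192.0.2.10:80", "198.51.100.9:60001"),
    (5412, "bash", "ESTABLISHED", "127.0.0.1:49600", "127.0.0.1:5432"),
]


def port_of(addr):
    """Port number from a 'host:port' string."""
    return int(addr.rsplit(":", 1)[1])


def classify(record):
    """Return 'Listen', 'Conversion', 'Connect', or None when the record is
    not a shell with a socket worth reporting."""
    _pid, comm, state, local, remote = record
    if comm not in SHELLS:
        return None  # ordinary daemons own sockets; shells normally do not
    if state == "LISTEN":
        return "Listen"  # shell registered on a port, waiting for a client
    if state == "ESTABLISHED":
        if port_of(local) in SERVICE_PORTS:
            return "Conversion"  # shell inherited the exploited service's connection
        if not remote.startswith("127."):
            return "Connect"  # outbound from an ephemeral port to a remote peer
    return None  # loopback or other states: treated as local, not reported


def suspicious_shells(records):
    """List (pid, comm, method, local, remote) for every record that classifies."""
    out = []
    for rec in records:
        method = classify(rec)
        if method:
            out.append((rec[0], rec[1], method, rec[3], rec[4]))
    return out


if __name__ == "__main__":
    for pid, comm, method, local, remote in suspicious_shells(SAMPLE_SOCKETS):
        print(f"pid {pid} ({comm}): {method} {local} -> {remote}")
```

In practice the records would come from the host's socket table, and the interesting output is not the label but the fact that a shell binary owns the socket at all; the Conversion case is the easiest to miss, because the connection looks like one the legitimate service accepted.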

In the early days, these exploits were developed by the “Leet” hackers using reverse engineering and/or a trial-and-error approach to see how applications/systems behaved when unexpected packets were sent their way.

Later, tools started to appear in the wild on the Internet, which prompted the term “Script Kiddie”, allowing people without the ability to write hacking programs on their own to target machines on the Internet.

On the security consultant side, vendors in the late 80s and early 90s provided extremely expensive equipment/software such as NetTest, NetScout Systems and Sniffer Technologies as well as automated scanning tools such as ISS’ Internet Scanner.

Online vulnerability repositories like http://rootshell.org were used to target specific applications to determine actual levels of threat probabilities.

With the open source initiative, many of these high-end tools have become widely available and have even matched, and in some cases surpassed, their proprietary counterparts. Examples are Ethereal (which became Wireshark), Nmap and Nessus.

Rootshell.org has since disappeared and been replaced by Milw0rm.com, an online exploit database. Hacking tools have become much more sophisticated in method and automation; the “Metasploit Project”, for instance, provides information about security vulnerabilities and aids penetration testing, with the capability of querying exploit databases in real time to scan for and attack with the most recent exploits.

This without a doubt raises serious questions about the approach security professionals and system administrators need to take to protect and guard their systems.

We are well past the point when hacking was for the elite; now ill-intentioned people can monitor the release of security patches by vendors and use the window of time between the patch release date and when patches are actually applied to make mischief.