Threatpost for B2B

The First Stop For Security News

Samsung’s Secure Version of Android Gets DoD Blessing

Mon, 05/06/2013 - 16:29

Android has long been the outcast of mobile device security, largely because attackers have been adept at getting malware onto the platform through third-party application marketplaces and lax submission policies on Google Play. The security of the operating system itself, however, has not been challenged any more seriously than that of Apple’s iOS or even BlackBerry OS, long a staple inside the enterprise.

The U.S. Department of Defense’s announcement last week that the Pentagon has approved Android for in-house use in the form of Samsung’s KNOX platform, currently supported on the Galaxy S4, is a big leap forward for Android. DoD employees will now have a wider range of mobile platforms to choose from; Apple is expected to get similar approval soon. The Pentagon also gave its blessing to BlackBerry’s new Z10 smartphone and to PlayBook tablets running the BlackBerry 10 operating system.

KNOX is a locked-down version of Android that lets personal and work data coexist on the same device in separate partitions. Known as containers, these partitions have their own encrypted file systems, isolated from any application running outside the container. KNOX also includes an on-demand, per-application VPN client: Samsung said the VPN can be configured and provisioned on a per-app basis and supports Suite B cryptography, which should be attractive to federal agencies.

The long-standing criticism of Android security stems from the overwhelming number of malicious applications written for the platform. Android malware surged in 2012; Kaspersky Lab researchers detected nearly 45,000 samples last year, up from well under 10,000 in 2011. Because Android has the largest market share and allows applications to be installed from sources other than Google Play, users download apps from numerous third-party marketplaces, many of which lack the security standards that Google Play, for example, has in place. Even Google Play has had its shortcomings, most notably in its vetting of application developers.

Before recent policy changes, a developer license cost $25 and a credit card was the only identification required of someone submitting an app to Google Play. Malware writers also exploited the ability to change an app’s behavior at runtime: they could submit a benign app to the marketplace and then add a malicious payload once the app was installed on the phone.

This is very much in contrast to Apple, which requires valid identification, either a driver’s license or, for a business developer’s license, articles of incorporation. Apple also requires all code to be signed with a certificate tied to that verified developer identity; Android apps must be signed too, but with self-signed certificates that Google did not tie to a vetted identity.

Google, however, recently enacted some forceful policy changes that prohibit developers from sending users who download apps from Google Play off the marketplace for updates. The revised policy states that an app downloaded from Google Play may not modify, replace or update its own Android application package (APK) binary code using any update mechanism other than Google Play’s.

Java Bugs, New and Old, Affecting IBM SDK

Mon, 05/06/2013 - 14:43

Security researcher Adam Gowdiak and his team at Security Explorations have found another batch of flaws stemming from the way Java is implemented in a particular vendor’s software, in this case IBM’s SDK.

Gowdiak wrote Monday on the Full Disclosure mailing list about seven issues affecting IBM’s Java Technology Edition. All of the vulnerabilities, numbered issues 62-68 by Security Explorations, allow a Java VM sandbox bypass, and all were verified against IBM SDK, Version 7.0 SR4 FP1 for Linux (32-bit x86), build pxi3270sr4fp1-20130325_01 (SR4 FP1).

As with many flaws previously discovered by Security Explorations, the bulk of them rely on an insecure implementation of the Java Reflection API.

Gowdiak, who is also CEO of the Polish company, said IBM was sent information on all of the vulnerabilities on Monday morning, including proof-of-concept source code and binaries for both the sandbox bypasses and the broken fixes.

In addition to the new vulnerabilities, four of the outstanding issues originally sent to IBM in September 2012 (from the batch numbered 33-49) remain unfixed, according to Gowdiak.

“Upon simple exploit codes modifications they can be still used to achieve a complete compromise of a target IBM Java environment,” he wrote Monday, insisting that the company appears to only fix one specific exploit vector and “miss many other scenarios.”

According to Security Explorations’ vendor status page, IBM said it had reproduced the vulnerabilities in September 2012, developed fixes for them, and released those fixes for download in October and November.

IBM did not immediately respond Monday to an email requesting comment on the status of both the new and the old vulnerabilities.

Gowdiak has proved quite adept at digging up Java bugs. Less than two weeks ago he and his team reported a similar flaw, also involving the Java Reflection API, to Oracle. That report, which Oracle says it will patch later this week on May 10, came on the heels of a massive update in which the company patched 42 bugs.

Security Explorations has spent the bulk of this year going back and forth with Oracle about vulnerabilities, patches and Java’s checkered security record of late.

IE 8 Zero Day Found as DoL Watering Hole Attack Spreads to Nine Other Sites

Mon, 05/06/2013 - 11:14

The scope of a watering hole attack targeting the U.S. Department of Labor website widened significantly over the weekend. Researchers report that as many as nine other websites, including that of a European aerospace, defense and security manufacturer and those of several non-profit organizations, have also been compromised and are redirecting visitors to a site hosting malware.

Microsoft, meanwhile, released an advisory warning that the attackers are exploiting a previously unknown vulnerability in Internet Explorer 8, not CVE-2012-4792 as originally reported. A Metasploit module for the new vulnerability was released yesterday morning, raising the likelihood of additional attacks or of its inclusion in a commercial or private exploit kit.

Microsoft urges IE 8 users to upgrade to a newer version of the browser (IE 6, 7, 9 and 10 are not vulnerable) and says it will either release an out-of-band patch or address the flaw in an upcoming Patch Tuesday release; the next scheduled Microsoft security updates are due next week.

The original outbreak was made public May 1, when it was reported that the DoL’s Site Exposure Matrices website had been compromised and that attackers had injected JavaScript via an iframe that redirected visitors to a site hosting the Poison Ivy remote access Trojan.

The exploit was originally thought to target a use-after-free memory corruption vulnerability that Microsoft had patched earlier this year. The DoL’s SEM site is a repository of data on toxic substances present at facilities run by the Department of Energy, and researchers at Invincea speculated that the attackers’ targets were downstream Department of Energy employees who work on nuclear weapons programs.

Invincea CTO and founder Anup Ghosh confirmed that a previously unreported use-after-free vulnerability was being exploited in this attack and that only IE 8 is affected. Ghosh said his researchers were still able to reproduce an infection on a Windows XP machine running IE 8 that had been patched with MS13-008, the update that addressed CVE-2012-4792.

Microsoft confirmed in its advisory that this is a remote code execution vulnerability: IE does not properly handle objects in memory that have been deleted or not properly allocated. Microsoft advises users to be cautious with links sent via email or instant messaging. In the meantime, it suggests setting the Internet and local intranet security zones to “High” to block ActiveX controls and Active Scripting, or configuring IE to prompt before running Active Scripting.

The malware drops an executable named conime[.]exe onto the infected computer and opens outbound connections on ports 443 and 53, Invincea said, adding that there were two redirects on the DoL page sending visitors to dol[.]ns01[.]us. Once the user is redirected, a file is executed, ports are opened and registry changes are made to maintain persistence on the machine. Ghosh said one of the command-and-control servers had already been blacklisted by Google.

AlienVault Labs manager Jaime Blasco said researchers had also detected redirects to another server at sellagreement[.]com, which was serving some of the same malicious payloads found on dol[.]ns01[.]us. Blasco recommends checking logs for connections to either domain.

Initial analysis of the JavaScript on the DoL site shows that it collects system information, checking for a number of antimalware products as well as third-party software such as Flash and Java, likely in preparation for further exploits. Blasco added that the command-and-control protocol used in the attack matches that of a Chinese espionage group known as DeepPanda, and that other characteristics match those of an attack on the website of a Thai human rights non-governmental organization.

Poison Ivy, meanwhile, is a backdoor that lets an attacker remotely access compromised machines to add or delete files, edit the Registry, view or kill running processes, network connections and services, and add or remove applications. It is well suited to espionage: some variants can start remote command shells, take screenshots, start audio or video recordings and drop keylogging software.

Alleged SpyEye Developer Extradited to U.S.

Mon, 05/06/2013 - 09:06

Four months after his arrest in Thailand, a man suspected of helping run the SpyEye botnet appeared in court in Atlanta late last week to answer charges that he was part of a crew using the malware to steal millions of dollars from victims worldwide. Hamza Bendelladj was indicted in late 2011, and U.S. authorities had been seeking his extradition from Thailand ever since; he faces more than 30 counts related to the botnet and bank fraud.

SpyEye is one of the more notorious pieces of financial malware of the last few years. It lets attackers steal online banking credentials from infected PCs, and some versions can bypass two-factor authentication. SpyEye is closely related to the Zeus malware, and the two code bases were merged a couple of years ago, though separate versions of each Trojan still circulate and many variants of both are sold in the underground. Security researchers and law enforcement have focused much of their attention on Zeus for several years, leaving SpyEye somewhat less conspicuous. No longer.

Law enforcement officials say that Bendelladj’s arrest is part of a larger focus on cybercrime.

“Bendelladj’s alleged criminal reach extended across international borders, directly into victims’ homes.  In a cyber-netherworld, he allegedly commercialized the wholesale theft of financial and personal information through this virus which he sold to other cybercriminals.  Cybercriminals take note; we will find you.  This arrest and extradition demonstrates our determination to bring you to justice,” United States Attorney Sally Quillian Yates said.

The indictment alleges that Bendelladj was part of a group that developed and sold the SpyEye Trojan and helped other attackers find command-and-control servers for their botnets. Bendelladj, who researchers say used the alias Bx1 online, is accused of advertising SpyEye for sale; he is appearing in a Georgia court because one of the C2 servers he allegedly operated was located in that state.

“The indictment charges Bendelladj and his co-conspirators with operating servers designed to control the personal computers of unsuspecting individuals and aggressively marketing their virus to other international cybercriminals intent on stealing sensitive information.  The extradition of Bendelladj to face charges in the United States demonstrates our steadfast determination to bring cybercriminals to justice, no matter where they operate,” said Acting Assistant Attorney General Mythili Raman.

Bendelladj, who is Algerian, was arrested in Bangkok in January and has been in jail there since. He is facing as many as 30 years in prison if convicted on all charges.

ICS-CERT Revises Recommendations to Avoid Shamoon Infections

Fri, 05/03/2013 - 15:58

Most publicly known malware attacks are disruptive rather than destructive: they interrupt online banking services, say, or take websites temporarily offline. Few render computers unusable by destroying the data on their disks.

The Shamoon malware is a notable exception. Widely considered a state-sponsored attack, Shamoon infected the Saudi oil company Saudi Aramco last August and damaged upwards of 30,000 computers, overwriting the Master Boot Record on tens of thousands of machines and rendering them unbootable.

While oil production was not affected, the attack caused about a week of downtime and cost the company significantly.

This week ICS-CERT revised a bulletin originally issued in September, updating its recommendations for industrial control system operators on avoiding Shamoon infections. Besides the MBR, Shamoon overwrites partition tables and files with random data, leaving them unrecoverable. The malware also spreads over network shares, trying to reach other computers on the same network.
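
As an added illustration, not drawn from ICS-CERT’s bulletin or from any Shamoon analysis, the Python below shows the kind of integrity check a defender can run on a saved copy of a disk’s first sector: it parses the MBR layout (446 bytes of bootstrap code, four 16-byte partition entries, the 0x55AA boot signature), reports the structural damage a wiper leaves behind (missing signature, nonsense status bytes, zero-length or overlapping partitions), and compares the sector against a known-good hash recorded at baseline time. The two sample sectors are constructed here; reading the real one (for example from \\.\PhysicalDrive0 or /dev/sda) needs administrative rights and is left to the caller.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446          # four 16-byte partition entries follow the bootstrap code
ENTRY_FMT = "<B3xB3xII"          # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"     # last two bytes of a valid MBR


def parse_mbr(sector):
    """Split a 512-byte sector into bootstrap code, the four partition entries and the signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(ENTRY_FMT, sector, PART_TABLE_OFFSET + 16 * i)
        entries.append({"status": status, "type": ptype, "lba_start": lba_start, "sectors": count})
    return {"bootstrap": sector[:PART_TABLE_OFFSET], "partitions": entries, "signature": sector[510:]}


def mbr_problems(sector):
    """Return a list of structural defects; an empty list means the MBR looks sane."""
    mbr = parse_mbr(sector)
    problems = []
    if mbr["signature"] != BOOT_SIGNATURE:
        problems.append("boot signature 0x55AA missing")
    used = []
    for n, p in enumerate(mbr["partitions"]):
        if p["type"] == 0:            # empty slot
            continue
        if p["status"] not in (0x00, 0x80):
            problems.append(f"partition {n}: invalid status byte 0x{p['status']:02x}")
        if p["lba_start"] == 0 or p["sectors"] == 0:
            problems.append(f"partition {n}: zero start or length")
        used.append((p["lba_start"], p["lba_start"] + p["sectors"], n))
    used.sort()
    for (s1, e1, n1), (s2, e2, n2) in zip(used, used[1:]):
        if s2 < e1:
            problems.append(f"partitions {n1} and {n2} overlap")
    return problems


def mbr_changed(sector, baseline_sha256):
    """True when the sector no longer matches the hash recorded at baseline time."""
    return hashlib.sha256(sector).hexdigest() != baseline_sha256


def build_mbr(partitions, bootstrap=b""):
    """Assemble a sector from (status, type, lba_start, sectors) tuples; used here to construct samples."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(bootstrap)] = bootstrap
    for i, entry in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFFSET + 16 * i, *entry)
    sector[510:] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed samples: a healthy single-NTFS-partition MBR and a sector overwritten with junk bytes.
GOOD_MBR = build_mbr([(0x80, 0x07, 2048, 1_000_000)], bootstrap=b"\xeb\x63\x90")
BASELINE = hashlib.sha256(GOOD_MBR).hexdigest()
WIPED_MBR = bytes((i * 73 + 11) % 256 for i in range(SECTOR_SIZE))

if __name__ == "__main__":
    for name, sector in (("good", GOOD_MBR), ("wiped", WIPED_MBR)):
        state = "changed" if mbr_changed(sector, BASELINE) else "unchanged"
        print(name, state, mbr_problems(sector))
```

The hash comparison is the cheap check and catches any change at all; the structural checks matter when no baseline exists, since a wiper’s random data almost never produces a valid signature and four coherent partition entries at once.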

“Because of the highly destructive functionality of the Shamoon ‘Wiper’ module, an organization infected with the malware could experience operational impacts including loss of intellectual property (IP) and disruption of critical systems,” ICS-CERT warned. “Actual impact to organizations vary, depending on the type and number of systems impacted.”

Most of the recommendations are common-sense measures any enterprise should already have in place: restricting account privileges, enforcing password policies, taking regular backups, monitoring and analyzing logs, managing patches, and isolating critical networks from business networks. ICS-CERT also recommends that enterprise servers and workstations not be directly connected to the Internet, and that any proxy servers be guarded by content filtering and firewalls.

With phishing the usual point of entry for targeted attacks, attackers mine social networks for any data that can help them identify viable targets or craft convincing messages from supposedly trusted sources. The updated bulletin urges organizations to implement and enforce policies limiting the use of social networks such as Facebook and Twitter, as well as personal email and instant messaging.

“If a valid business case exists for use, implement a guidance/policy that reduces the risk of data loss and malware threats,” the ICS-CERT alert said.

Shamoon was not the last instance of wiper malware. In March, attacks on media outlets and several financial institutions in South Korea were attributed to wiper malware; more than 32,000 computers were overwritten with garbage data, rendering them unusable.

Two-Factor Authentication No Cure-All for Twitter Security Woes

Fri, 05/03/2013 - 12:02

The hijacking of high-profile Twitter accounts belonging to the Associated Press and the Guardian brings several security shortcomings to light: users’ continued susceptibility to phishing, their propensity for weak passwords, and the inability to detect anomalous behavior on social networks until it is too late.

Hijacking a big-name Twitter account, it turns out, is no longer just a stunt: last week’s hoax tweet declaring that President Obama had been injured in an explosion near the White House triggered a brief plunge in U.S. stock markets. Although the markets recovered almost as quickly once the hoax was exposed, that attack and a similar one this week against the Guardian, both allegedly by pro-Syrian hacktivists, showed how a handful of glaring weaknesses can lead to unexpected consequences.

The knee-jerk reaction has been to ask why Twitter has not implemented two-factor authentication, something it is reportedly working on, if only to put another roadblock in front of hijackers. Some experts back the idea, but many believe it would not work in practice: the number and scale of Twitter users rule out rolling out hardware tokens or smart card readers, and SMS-based one-time passwords would be cumbersome for organizations, large and small, that share accounts for marketing or customer service purposes.

In the case of the Associated Press, as in many targeted attacks, the root cause was a phishing email. PhishMe CTO and co-founder Aaron Higbee said his company has seen the message, which was crafted to look as though it came from an AP colleague and contained a link purporting to lead to a Washington Post article. Instead, the victim was taken to a phishing site and asked to authenticate with a Twitter account to proceed.

Higbee said two-factor authentication could become unwieldy for users and, in the case of the AP attack, likely would not have helped. If an authentication token is sent to the victim via SMS, for example, the victim will most likely enter it on the phishing site; the attacker, now holding the token, could automate and replicate its use for as long as it remains valid, likely for 24 hours.

“Twitter was not meant for group use,” said Higbee, pointing out that many other online services allow users to authenticate to them via social network passwords. “A lot of companies that need to interact with Twitter share passwords. That’s what most SMBs are doing, or are paying for a management suite, and a lot of companies don’t need those features so they fall back to sharing.”

The Syrian Electronic Army has claimed responsibility for the latest spate of attacks, primarily on media companies including the AP, the Guardian, National Public Radio, the BBC and Al Jazeera. The pro-Syrian group is not the first hacktivist organization to take aim at high-profile targets. Since last fall a group calling itself the al-Qassam Cyber Fighters has been running denial-of-service attacks against major U.S. banks, ostensibly in protest of the film “Innocence of Muslims,” though some analysts believe the group is too well funded to be socially motivated and is a cover for Iranian state-sponsored hackers. Chinese attackers, meanwhile, have also targeted the media, notably the New York Times and the Washington Post, with espionage malware, allegedly in an effort to identify the sources the newspapers used in exposés of high-ranking Chinese government officials.

Researchers Gianluca Stringhini, Christopher Kruegel and Giovanni Vigna of the University of California, Santa Barbara, and Manuel Egele of Carnegie Mellon University may have an answer to the detection problem. At a conference in February the team presented a paper describing COMPA, a tool they developed to detect compromised social network accounts.

Stringhini told Threatpost that he ran COMPA against the tweet sent out by the hacked AP account.

“The tweet was considered as very anomalous by our system,” he said. “First of all, the message was written using the Twitter website, while the AP operators usually use SocialFlow, which is a commercial social network client. Second, the tweet did not include a URL, which is very anomalous for news-related Twitter accounts: typically, the tweets posted by such accounts include the title of a news article, and a URL to the full article.”

COMPA builds a baseline behavioral profile for each account from a number of message features: the time of day messages are normally sent; the source of the message (an app or the website); language; topic; whether the message contains links; whether direct messages are sent; and proximity. Once it has a consistent profile, the model scores each new message against it and flags anomalies.

“The application that the messages are sent from is a very strong indicator. If a user always posts from Twitter for iPhone, it is very anomalous if suddenly a message comes from a different client,” Stringhini said. “The people that a user mentions in her tweets are also very important, as well as the domain of the URLs that are included in the messages; a link pointing to an obscure domain is very anomalous, and might be a sign of an attempted attack.”

Perhaps the biggest challenge for COMPA, as for any anomaly detection tool, is accounting for legitimate but temporary changes in behavior.

“We found out that many users show an anomalous behavior all the time, but for legitimate reasons. For example, a user subscribing to a third-party application, such as Foursquare, might raise an anomaly, because the application would start sending tweets on behalf of the user,” Stringhini said. “For these reasons, COMPA works well in detecting anomalies for high-profile accounts (such the AP one), because they have a consistent behavior, but generates many false alarms if ran on regular users. To mitigate this problem, we aggregate similar messages sent by Twitter users, and we flag the accounts as compromised only if a large fraction of the tweets in the group are anomalous, given the behavioral profile of the users that generated them.”
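
To make the scoring concrete, here is an added, simplified model written in Python for this page; it is not COMPA’s code. It builds a per-account profile from the categorical features the researchers describe (client source, time-of-day bucket, language, presence of a link and its domain), scores a new message by how rarely each of its feature values appears in that account’s history, and applies the group aggregation Stringhini describes, flagging only when a large fraction of a group of similar messages is anomalous for their respective senders. The feature set, the thresholds, the two sample accounts (“newswire”, “casual”) and their histories are all assumptions constructed for the example.

```python
from collections import Counter

# Feature set assumed for this example; COMPA's real model uses more (topic, direct messages, proximity).
FEATURES = ("source", "hour_bucket", "language", "has_url", "url_domain")


def extract(msg):
    """Map a raw message to categorical feature values."""
    return {
        "source": msg["source"],
        "hour_bucket": msg["hour"] // 4,          # six 4-hour buckets over the day
        "language": msg["lang"],
        "has_url": msg.get("url_domain") is not None,
        "url_domain": msg.get("url_domain") or "-",
    }


def build_profile(history):
    """Count how often each feature value occurs in an account's past messages."""
    counts = {f: Counter() for f in FEATURES}
    for msg in history:
        feats = extract(msg)
        for f in FEATURES:
            counts[f][feats[f]] += 1
    return {"n": len(history), "counts": counts}


def anomaly_score(profile, msg):
    """Mean over features of (1 - relative frequency of the observed value); an unseen value scores 1.0."""
    feats = extract(msg)
    n = profile["n"]
    return sum(1.0 - profile["counts"][f][feats[f]] / n for f in FEATURES) / len(FEATURES)


def is_anomalous(profile, msg, threshold=0.5):
    return anomaly_score(profile, msg) >= threshold


def group_compromised(profiles, group, threshold=0.5, min_fraction=0.6):
    """Flag a group of similar messages only if most of them are anomalous for their own senders."""
    flags = [is_anomalous(profiles[user], msg, threshold) for user, msg in group]
    return sum(flags) / len(flags) >= min_fraction


# Constructed histories (assumptions, not real accounts): a newswire that always posts links from one
# client during the working day, and a casual user whose behaviour is naturally noisy.
NEWSWIRE_HISTORY = [
    {"source": "SocialFlow", "hour": 9 + i % 8, "url_domain": "news.example", "lang": "en"}
    for i in range(24)
]
CASUAL_HISTORY = [
    {"source": ("Twitter for iPhone", "web")[i % 2], "hour": (2 * i) % 24,
     "url_domain": "pics.example" if i % 3 == 0 else None, "lang": "en"}
    for i in range(12)
]
PROFILES = {"newswire": build_profile(NEWSWIRE_HISTORY), "casual": build_profile(CASUAL_HISTORY)}

# The hoax pattern Stringhini describes: posted from the website, no link.
HOAX = {"source": "web", "hour": 13, "url_domain": None, "lang": "en"}
NORMAL_NEWS = {"source": "SocialFlow", "hour": 14, "url_domain": "news.example", "lang": "en"}
# A legitimate change of habit that looks anomalous for the casual user when judged alone.
FOURSQUARE = {"source": "Foursquare", "hour": 19, "url_domain": "foursquare.example", "lang": "en"}
NORMAL_CASUAL = {"source": "Twitter for iPhone", "hour": 10, "url_domain": None, "lang": "en"}

if __name__ == "__main__":
    print("hoax on newswire:", round(anomaly_score(PROFILES["newswire"], HOAX), 2))
    print("foursquare on casual:", round(anomaly_score(PROFILES["casual"], FOURSQUARE), 2))
    print("coordinated group:", group_compromised(
        PROFILES, [("newswire", HOAX), ("newswire", HOAX), ("casual", HOAX)]))
    print("benign group:", group_compromised(
        PROFILES, [("casual", FOURSQUARE), ("casual", NORMAL_CASUAL), ("newswire", NORMAL_NEWS)]))
```

Judged on its own, the Foursquare message scores as high as the hoax does for the newswire, which is exactly the false-alarm problem the quote describes; the group step suppresses it because the other messages in its group are ordinary for their senders.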

Adobe to Patch Reader Information Leak Bug

Fri, 05/03/2013 - 10:37

Adobe plans to patch a fairly low-severity vulnerability in all current versions of Reader and Acrobat that lets the sender of a PDF track which users have opened the document. The flaw cannot be used for code execution, but researchers say it could serve as one stage of a larger attack.

The vulnerability was discovered and disclosed in late April by researchers at McAfee, who had been examining some unusual PDF samples in recent weeks. All of the samples shared a peculiar characteristic, which led the researchers to investigate and identify the flaw.

“Recently, we detected some unusual PDF samples. After some investigation, we successfully identified that the samples are exploiting an unpatched security issue in every version of Adobe Reader including the latest ‘sandboxed’ Reader XI (11.0.2). Although the issue is not a serious problem (such as allowing code execution), it does let people track the usage of a PDF. Specifically, it allows the sender to see when and where the PDF is opened,” Haifei Li of McAfee wrote.

“When a specific PDF JavaScript API is called with the first parameter having a UNC-located resource, Adobe Reader will access that UNC resource. However, this action is normally blocked and creates a warning dialog asking for permission…The danger is that if the second parameter is provided with a special value, it changes the API’s behavior. In this situation, if the UNC resource exists, we see the warning dialog. However, if the UNC resource does not exist, the warning dialog will not appear even though the TCP traffic has already gone.”

On Thursday Adobe acknowledged the issue and said it would fix it in its next scheduled Reader update on May 14. Although neither McAfee nor Adobe consider the vulnerability serious, Li said it could be used as one piece of a larger attack, as a way of gathering intelligence on a target.

“Malicious senders could exploit this vulnerability to collect sensitive information such as IP address, Internet service provider, or even the victim’s computing routine. In addition, our analysis suggests that more information could be collected by calling various PDF JavaScript APIs. For example, the document’s location on the system could be obtained by calling the JavaScript “this.path” value,” Li wrote.
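
McAfee did not name the API, so the following added Python scanner (written for this page; not McAfee’s or Adobe’s code) looks for the observable artefact instead: JavaScript embedded in a PDF that references a UNC path such as \\host\share, which a tracking document needs regardless of which API call it uses. It decodes both literal and hex-encoded /JS strings (the latter a common obfuscation) and undoes the extra layer of backslash escaping that JavaScript source adds. It only sees inline, uncompressed objects; JavaScript held in an indirect object or a compressed stream needs a real PDF parser. The sample PDF, its scripts and the tracker.example hostname are constructed.

```python
import re

# /JS or /JavaScript followed by a literal string (...) or a hex string <...>, inline in the object.
JS_STRING_RE = re.compile(rb"/(?:JS|JavaScript)\s*(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>)", re.DOTALL)
# A UNC path (\\host\share\...) or its file:// spelling inside the decoded script.
UNC_RE = re.compile(r"\\\\[\w.-]+(?:\\[\w$.-]+)+|file://[\w.-]+/[\w$./-]+")

PDF_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"(": b"(", b")": b")", b"\\": b"\\"}


def decode_pdf_string(token):
    """Turn a PDF literal '(...)' or hex '<...>' string token into text (latin-1 is enough for scripts)."""
    if token.startswith(b"<"):
        digits = re.sub(rb"\s", b"", token[1:-1])
        if len(digits) % 2:
            digits += b"0"                      # PDF pads an odd final hex digit with 0
        return bytes.fromhex(digits.decode("ascii")).decode("latin-1")
    body, out, i = token[1:-1], [], 0
    while i < len(body):
        ch = body[i:i + 1]
        if ch == b"\\" and i + 1 < len(body):
            nxt = body[i + 1:i + 2]
            out.append(PDF_ESCAPES.get(nxt, nxt))
            i += 2
        else:
            out.append(ch)
            i += 1
    return b"".join(out).decode("latin-1")


def scan_pdf(pdf):
    """Return every UNC / file:// reference found in inline JavaScript strings."""
    findings = []
    for m in JS_STRING_RE.finditer(pdf):
        script = decode_pdf_string(m.group(1))
        # JavaScript source escapes backslashes once more: "\\\\host" in source is \\host at runtime.
        findings.extend(UNC_RE.findall(script.replace("\\\\", "\\")))
    return findings


def pdf_literal(text):
    """Encode text as a PDF literal string; used here to construct the sample document."""
    return b"(" + text.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)").encode("latin-1") + b")"


def pdf_hexstring(text):
    """Encode text as a PDF hex string, the way an obfuscated sample might carry its script."""
    return b"<" + text.encode("latin-1").hex().encode("ascii") + b">"


# Constructed scripts and a minimal hand-written PDF; tracker.example is a placeholder host.
JS_TRACKER = r'var target = "\\\\tracker.example\\share\\beacon";'
JS_TRACKER_HEX = r'var pixel = "\\\\tracker.example\\c$\\pixel.png";'
JS_BENIGN = r'app.alert("no network access here");'
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /S /JavaScript /JS " + pdf_literal(JS_TRACKER) + b" >> endobj\n"
    b"5 0 obj << /S /JavaScript /JS " + pdf_hexstring(JS_TRACKER_HEX) + b" >> endobj\n"
    b"6 0 obj << /S /JavaScript /JS " + pdf_literal(JS_BENIGN) + b" >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for ref in scan_pdf(SAMPLE_PDF):
        print("remote resource referenced from PDF JavaScript:", ref)
```

A hit is a reason to detonate the file in a sandbox and watch for SMB traffic, not proof of tracking on its own; the check is deliberately independent of the specific API so that it still fires after Adobe’s fix changes that call’s behaviour.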


Reputation.com Notifies Customers of Network Attack

Thu, 05/02/2013 - 21:51

A company known for burying unflattering information to improve its customers’ online image told everyone this week that its own network had been hacked. Reputation.com sent emails to thousands of customers in more than 100 countries notifying them of the attack.

In a message sent earlier this week, the company said its security team discovered the breach while it was under way and cut it short before more damaging data could be taken. What was stolen were names, email and postal addresses and, in some cases, telephone numbers, dates of birth and occupational information.

A “small minority” of customers also had salted and hashed passwords taken. As a precaution the company reset everyone’s password, a sensible step since salting and hashing slow down offline guessing but do not make weak passwords safe.

No financial information such as credit card data was taken, because that data is stored on a separate system. The company added that it does not require users to submit Social Security numbers or driver’s license numbers.

Given the nature of the company’s business, the email assured clients that account details, such as the reason for retaining Reputation.com’s services and messages exchanged with its representatives, were never accessed. Individuals and companies alike hire Reputation.com to manage their online reputations, using tools that push negative content down in Web search results so that more positive items appear first.

As of Thursday the company had not posted any information about the breach on its website, but customers and security outlets had posted the notification on blogs. The company emphasized in its message that the mass-mailed alert went beyond legal notification requirements.

“At Reputation.com, transparency and openness are part of our culture,” according to the message. “That’s why, although the extent of the breach and the limited kind of information accessed during this attack did not legally obligate us to provide notice to our users, we nevertheless felt it was important to let you know that this event occurred.

“It appears that of all the locations in the world where our affected users reside, only the jurisdiction of North Dakota requires us to disclose information about this incident to its residents. However, out of an abundance of caution and due to our strong interest in transparency, we are notifying affected users, regardless of location.”

In addition to the notification and password resets, the company is offering a year of free credit monitoring to affected customers who request the service within 30 days.

Nearly Nine in Ten Websites Contain One Serious Vulnerability

Thu, 05/02/2013 - 08:00

For at least the third year in a row, the number of serious vulnerabilities per website has fallen. That sounds like good news until you see that the average website still carried 56 vulnerabilities in 2012, according to statistics compiled by WhiteHat Security researchers Jeremiah Grossman, Matt Johansen and Gabriel Gumbs from data gathered on tens of thousands of websites.

Sure, 56 is better than the 79 flaws per site reported in 2011, and an enormous improvement on the 230 per site reported in 2010, but if WhiteHat Security’s sample is representative of the Internet as a whole, we are still dealing with a Web on which 86 percent of websites contain at least one serious vulnerability.

Serious vulnerabilities are defined by WhiteHat as “those in which an attacker could take control over all, or some part, of the website, compromise user accounts on the system, access sensitive data, violate compliance requirements, and possibly make headline news.”

Some 61 percent of the vulnerabilities WhiteHat found were eventually resolved, but the average time from detection to resolution was 193 days. Only 18 percent of the sites examined were vulnerable for fewer than 30 days of the year; the remaining 82 percent were exposed to at least one serious flaw for somewhere between 31 and 365 days of 2012, and 33 percent of all sites in the report were vulnerable every single day of the year.

For what it’s worth, entertainment and media sites had “the highest remediation rate,” meaning they were best at resolving vulnerabilities in a timely fashion, with government and gaming sites close behind. Education, healthcare and insurance sites were slowest to close their holes. Gaming, telecommunications and energy sector sites fixed the highest percentage of their vulnerabilities, while non-profits, social networks, gaming, and food and beverage companies fixed the lowest.

Information technology and energy sector sites stood out as the two industries that actually had more vulnerabilities per site in 2012 than in 2011. IT topped the list with an average of 114 vulnerabilities per site, narrowly ahead of retail sites at 110. Despite persistent accusations of inefficiency, government sites had the fewest vulnerabilities, eight per site, followed closely by banking sites with 12. Banks, traditionally the best sector at vulnerability remediation, did poorly this year, fixing only slightly more than half of the bugs found.

Among the sites analyzed by WhiteHat, every manufacturing, education, energy, government, and food and beverage website had at least one serious vulnerability.

WhiteHat also surveyed some 75 organizations. Of those, 57 percent had some form of “instructor-led” software security training; their sites had 40 percent fewer vulnerabilities, which they resolved 59 percent faster, but their remediation rate was 12 percent lower than average. While that suggests that following best practices improves an organization’s overall security posture, other findings pointed the other way: organizations that performed static code analysis or deployed Web application firewalls had more vulnerabilities on their sites and lower remediation rates. The survey shows correlation, not cause; organizations that already know they have a problem may simply be the ones that buy such tools.

The ten most common vulnerability classes WhiteHat found in 2012 were information leakage (55 percent of sites), cross-site scripting (53 percent), content spoofing (33 percent), cross-site request forgery (26 percent), brute force (26 percent), fingerprinting (23 percent), insufficient transport layer protection (22 percent), session fixation (14 percent), URL redirector abuse (13 percent) and insufficient authorization (11 percent). SQL injection no longer appears among the ten most common classes.

Watering Hole Attack Claims US Department of Labor Website

Wed, 05/01/2013 - 16:30

The United States Department of Labor website is the latest high-profile government site to fall victim to a watering hole attack. Researchers at several security companies reported today that the site was hosting malicious code and redirecting visitors to a site serving the Poison Ivy remote access Trojan.

The malware has since been removed and law enforcement is investigating.

The attackers inserted JavaScript into the DoL’s Site Exposure Matrices (SEM) website that sent visitors to another site hosting an exploit for CVE-2012-4792, targeting Windows XP users running Internet Explorer versions 6 through 8. The vulnerability, a use-after-free bug in the browser, lets attackers run code remotely on a compromised machine. It has been exploited in the wild since December and was patched by Microsoft earlier this year. (Microsoft later determined that the exploit targeted a previously unknown flaw affecting only IE 8, not CVE-2012-4792; see the May 6 update above.)

“This profile fits the enterprise user machine profile typical of large enterprise and government agencies,” said Invincea founder and CEO Anup Ghosh.

The DoL’s SEM site is a repository of data on toxic substances present at facilities run by the Department of Energy.

The malware drops an executable called conime[.]exe onto the infected computer and opens remote connections on ports 443 and 53, Invincea said, adding there were two redirects present on the DoL page sending visitors to dol[.]ns01[.]us. Once the user is redirected, a file is executed, ports are opened and registry changes are made to maintain persistence on the machine. Ghosh said that one of the command and control servers had already been blacklisted by Google.

AlienVault Labs manager Jaime Blasco said the attacker also collects a bit of system information, including whether a number of antivirus programs, Flash, Java, and Microsoft Office are running, and sends that data to the remote server. Blasco added that the command and control protocol used in the attack matches that of a Chinese espionage gang known as DeepPanda; other characteristics of this attack match those used against a Thai human rights nongovernmental organization’s website.

Watering hole attacks have been used primarily by state-sponsored attackers to spy on rival governments, dissident citizen groups and manufacturing organizations. Rather than rely on spear phishing, attackers infect websites of common interest to their targets, generally with JavaScript or an iframe that redirects the victim to a site hosting espionage malware. Some high-profile watering hole attacks have been carried out this year against the Council on Foreign Relations website and a popular iOS mobile developer forum that snared a number of victims at Facebook, Apple and Twitter.

In this case, it’s likely the targets were Department of Labor employees and other federal employees tied to the DoL and Department of Energy.

“It is important to note that most websites are vulnerable to exploit. As a result, exploiting legitimate websites has become a common vector for penetrating enterprise networks and individual machines,” Ghosh said. “The Department of Labor is no exception.”
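One defensive check the injected-iframe pattern described above suggests, as an added example that is not part of the original report or any vendor’s tooling: a small Python scanner that parses a page’s HTML and flags iframes that are hidden or point off-site, and scripts loaded from hosts outside an allow-list. The sample page, host names and function names are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IncludeFinder(HTMLParser):
    """Collect every <iframe> and every <script src=...> on the page."""

    def __init__(self):
        super().__init__()
        self.frames = []
        self.script_srcs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            self.frames.append(a)
        elif tag == "script" and a.get("src"):
            self.script_srcs.append(a["src"])


def _is_hidden(attrs):
    """True for iframes styled invisible or sized 0/1 px, the classic injected-redirect shape."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True

    def tiny(value):
        try:
            return int(str(value).rstrip("px")) <= 1
        except ValueError:
            return False

    return tiny(attrs.get("width", "")) and tiny(attrs.get("height", ""))


def _offsite(url, allowed_hosts):
    """True when the URL's host is neither an allowed host nor a subdomain of one."""
    host = urlparse(url).hostname
    if host is None:          # relative URL: same origin as the page
        return False
    return not any(host == d or host.endswith("." + d) for d in allowed_hosts)


def find_suspicious_includes(html, allowed_hosts):
    """Return (kind, url, hidden, offsite) tuples for includes worth a second look."""
    parser = _IncludeFinder()
    parser.feed(html)
    findings = []
    for frame in parser.frames:
        src = frame.get("src") or ""
        hidden, off = _is_hidden(frame), _offsite(src, allowed_hosts)
        if hidden or off:
            findings.append(("iframe", src, hidden, off))
    for src in parser.script_srcs:
        if _offsite(src, allowed_hosts):
            findings.append(("script", src, False, True))
    return findings


# Constructed sample page: one legitimate embed, one CDN script, one hidden off-site iframe
# and one off-site script. Host names are placeholders, not real indicators.
SAMPLE_PAGE = """<html><body>
<h1>Site Exposure Matrices</h1>
<script src="/js/app.js"></script>
<script src="https://cdn.example.org/lib.js"></script>
<script src="https://stats.example.net/t.js"></script>
<iframe src="https://redirect.example.invalid/x.html" width="0" height="0" style="display: none"></iframe>
<iframe src="https://video.example.org/embed" width="640" height="360"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in find_suspicious_includes(SAMPLE_PAGE, ["example.org"]):
        print(finding)
```

Run it against a saved copy of a page you own (or a proxy capture) with your own domains in the allow-list; anything hidden or off-site is worth comparing against the last known-good copy of the page.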

Internet Companies Get Passing Grades on Privacy Advocacy and Transparency

Wed, 05/01/2013 - 12:32

Internet companies are making it a standard practice to publish transparency reports and advocate for users’ privacy concerns with law enforcement and legislators. And while some do it well, there’s plenty of room for improvement among ISPs such as AT&T and Verizon, and large companies such as Apple, Amazon and Yahoo, according to an Electronic Frontier Foundation report published yesterday.

The EFF’s third annual “Who Has Your Back?” report evaluates service providers’ transparency and privacy with regard to government requests for access to user data. This year, 18 companies were evaluated in six categories, and only Twitter and Sonic.net met all six criteria sufficiently to merit recognition.

Others such as Dropbox, Google, and LinkedIn also rated highly. Google, which has been a forerunner in the past about its openness around government requests for data, took a couple of steps backward, in particular in the area of informing users of law enforcement demands. The EFF notes a change in its policy that introduced a level of ambiguity not present before. The policy change reads: “We notify users about legal demands when appropriate, unless prohibited by law or court order.”

“The nebulous language of ‘when appropriate’ is not the firm commitment that should be the gold standard for transparency around handing data to the government,” the EFF report said. “While we’re disappointed by Google’s decision to make its policy language so open-ended, we hope the strong commitments made by other major Internet companies will inspire Google to adopt a clearer public stance in the years to come.”

Twitter and LinkedIn, for example, state in their policies they notify users of requests unless prohibited by law enforcement or a court order.

Google, on the other hand, got high marks for its stance on providing data around National Security Letters. In early March, Google revealed that it received fewer than 1,000 requests from federal authorities for financial and communications data on 2,000 people; national security letters, also sometimes called warrantless requests, circumvent judges or grand juries by citing possible national security threats. They are also accompanied by gag orders. Google’s revelation was a first for a major Internet company.

“Google deserves special recognition this year for challenging a National Security Letter,” the EFF report said. “Not every company has had the opportunity to defend user privacy in the courts, and sometimes companies will fight for users in court but be prevented from publicly disclosing this fact. However, we award a star in this category when a company goes above and beyond for its users, as Google did this year.”

The EFF evaluated the 18 companies in six categories: require a warrant for content of communications; tell users about government data requests; publish transparency reports; publish law enforcement guidelines; fight for users’ privacy rights in court; and fight for users’ privacy rights in Congress. The EFF said its evaluation was conducted by looking over each company’s terms of service, privacy policies, transparency reports and guidelines for law enforcement requests. They also took into consideration the companies’ public record in court and whether they are members of the Digital Due Process coalition which lobbies Congress on the need to improve communications law.

Since the EFF’s first report in 2011, it has noted a few trends, including the fact that more companies are giving users notice of law enforcement requests and that transparency reports are becoming standard practice; Microsoft and Twitter published their first reports this year. Seven of the 18 also published law enforcement guidelines that explain how they respond to demands for data.

This is also the first report where companies were evaluated as to whether they require a warrant supported by probable cause for content. Facebook is singled out as a leader in this category, which the EFF said was inspired by the 2010 U.S. v. Warshak decision that upheld that the Fourth Amendment protects email stored with email service providers and a warrant is required before seizure of any messages. The EFF said 11 of the 18 companies follow the Warshak rule: Dropbox, Facebook, Foursquare, Google, LinkedIn, Microsoft, Sonic.net, SpiderOak, Tumblr, Twitter and WordPress.

While there are a number of privacy success stories, the EFF expressed concern over the poor showing by large ISPs, namely Verizon and AT&T. Verizon did not merit a rating in any of the six evaluation criteria, while AT&T was recognized only for fighting for its users in Congress. Others with similar showings included Yahoo, Apple and Amazon.

“While there remains room for improvement in areas such as the policies of location service providers and cellphone providers like AT&T and Verizon,” the report says, “certain practices — like publishing law enforcement guidelines and regular transparency reports — are becoming standard industry practice for Internet companies.”

Mozilla Fights Back After FinSpy Found Masquerading as Firefox

Wed, 05/01/2013 - 09:50

Oppressive governments have not been shy about using surveillance software to monitor dissidents’ activity. Like cybercriminals, these governments have been accused of using any means at their disposal to implant the spyware on computers.

One tactic, uncovered by Citizen Lab at the University of Toronto’s Munk School of Global Affairs and used in attacks alleged to have been carried out by the Malaysian and Bahraini governments, involves embedding the notorious FinSpy program in a document masquerading as a copy of the Firefox Web browser. In a paper published yesterday documenting abuses of lawful intercept products that essentially behave as malware, researchers Morgan Marquis-Boire, Bill Marczak, Claudio Guarnieri and John Scott-Railton expose the commercialization of these products, citizens’ lack of awareness of their use and abuse, and how to challenge it.

“Once a boutique capability possessed by few nation states, commercial intrusion and monitoring tools are now being sold globally for dictator pocket change,” wrote Marquis-Boire, noting how tools such as FinSpy, which is part of the FinFisher kit, are targeting not only oppressed people, but activists, journalists and human rights workers. “While this technology is frequently marketed as lawful intercept capability, in countries where criminal activity is broadly defined, or dissent is criminalized, these tools are used as a mechanism for repression. The concept of ‘lawful interception’ does not apply in countries where the rule of law is absent.”

Mozilla immediately took action, and has sent a cease-and-desist letter to Gamma International, the UK and German makers of FinFisher. Alex Fowler, Mozilla chief privacy officer, said Mozilla will not tolerate abuses of its brand for illegal practices.

“We cannot abide a software company using our name to disguise online surveillance tools that can be – and in several cases actually have been – used by Gamma’s customers to violate citizens’ human rights and online privacy,” Fowler said.

Fowler said the spyware not only tricks users into downloading the program, but also presents itself as related to Mozilla and Firefox, giving it an air of trustworthiness. Mozilla alleges that Gamma International misrepresents FinSpy as Firefox.exe within the program’s properties and includes a Firefox version number and copyright and trademark claims from Mozilla developers.

“For an expert user who examines the underlying code of the installed spyware, Gamma includes verbatim the assembly manifest from the Firefox software,” Fowler said.

In addition to the attacks allegedly carried out in Bahrain and Malaysia, a promotional demonstration developed by Gamma International also demonstrates how abuse of Mozilla’s brand is a design feature of the spyware, Fowler said.

“Each sample demonstrates the exact same pattern of falsely designating the installed spyware as originating from Mozilla,” Fowler said. “Gamma’s own brochures and promotional videos tout one of the essential features of its surveillance software is that it can be covertly deployed on the person’s system and remain undetected.”

A Citizen Lab report released in March said that a FinSpy command and control server was found on a Malaysian IP address, kicking off a firestorm of media coverage that the government was using spyware to monitor its citizens, a practice that was immediately denied by the Malaysian Communications and Multimedia Commission. The Citizen Lab report said that shortly thereafter, FinSpy was discovered in a document posing as a candidate list for upcoming elections in the country. Once the document, which was similar to documents used in the Bahraini attacks, was opened, FinSpy was installed in the background. According to the report, eight security products on VirusTotal detected the document as a dropper program, but none identified it as FinSpy.

The sample document in the Citizen Lab report was last modified in November, and embeds a copy of the spyware posing as a legitimate Firefox installation. Further investigation discovered that once FinSpy was running, it communicated with command and control servers in Canada, Singapore and the U.S.

“While we cannot make definitive statements about the actors behind the booby-trapped candidate list, the contents of the document suggest that the campaign targets Malay speakers who are interested in Malaysia’s hotly contested 5 May 2013 General Elections,” the report said. “This strongly suggests that the targets are Malaysians either within Malaysia or abroad. We trust that both domestic and international elections monitoring officials and watchdog groups will investigate to determine whether the integrity of the campaign and electoral process may have been compromised.”

FinFisher command and control servers have since been found in 36 countries, many of which, the report says, are hijacked servers while others are in countries with spotty human rights records.

“We hope that civil society groups, as well as the competent regional and domestic authorities, will investigate the deployments we have described in order to determine whether any laws have been broken,” the report said.

More Malware Showing Up on Fake SourceForge Web Sites

Tue, 04/30/2013 - 20:02

Malware developers continue to clone SourceForge Web sites that appear to offer the source code for popular gaming software but are actually peddling malicious code tied to the ZeroAccess Trojan.

Julien Sobrier, a security researcher for San Jose-based cloud security provider Zscaler, on Tuesday outlined several more malicious clones of the popular code-hosting site, some of which appeared to offer modification code for Minecraft (http://sourceforgeestonia.net/minecraft_xray_texture_pack.exe) and source code for Airport Firefighter Simulator (http://sourceforgeecuador.net/airport_firefighter_simulator.exe) before they were taken offline.

Sobrier earlier this month discovered similar malware on a fake version of sourceforgechile.net. This past week, in addition to the bogus sites appearing to come from Estonia and Ecuador, fake Web sites were registered in the United States for sourceforgegrenada.net, sourceforgepalau.net, sourceforgeindiana.net, sourceforgemorocco.net, sourceforgemyanmar.net and sourceforgeyemen.net.

The tainted files register as a Windows service and drop malicious binaries in the victim’s Recycle Bin, where they hide under innocuous-sounding file names such as Desktop.ini. The malware has the ability to inject code into other threads and DLLs and can connect to some 20 IP addresses on port 16471.

“This malware is related to the ZeroAccess trojan. The malware makes money by clicking on ads (click fraud) and using the infected PC as part of a wider botnet (zombie PC),” Sobrier said in an earlier blog post.

In Tuesday’s blog post, Sobrier warned that more malicious sites may be coming online soon. Because the bogus files mimic the URLs of legitimate ones bearing the same names, users should take precautionary steps to ensure they download files from reputable sites and scan those downloads for malware before an installation.

Ramnit Variant Targets UK Banks with OTP Attack

Tue, 04/30/2013 - 14:01

Nowhere is the cat-and-mouse game between attackers and the security of users more evident than with social engineering schemes. Users’ awareness of phishing campaigns, for example, may be improving, but that’s just forcing attackers bent on identity theft and stealing payment card information to up their games.

Researchers at security company Trusteer today reported the latest salvo in this back-and-forth, this time with a variant of the Ramnit malware family. Ramnit’s authors have been prolific in moving the malware in many new directions. Variants have been tuned to steal social media credentials and banking credentials, and to avoid detection by security companies with rootkit functionality.

The latest variant to be discovered is targeting a number of UK banks with a one-time password SMS attack, Trusteer fraud prevention solutions manager Etay Maor said. Once the malware infects a victim’s computer, it waits for the user to log in to their online bank account to conduct a man-in-the-browser attack, injecting convincing screens into the victim’s browser asking them to configure a new one-time password service.

The service is a legitimate one already in place at the banks in question to initiate transactions. This one differs, however, in that it’s purporting to the user that the bank now requires a one-time password for all operations related to their online accounts. The attackers even went so far as to soothe the potential concerns of any security conscious users by altering the banking site’s FAQ page to reflect the changes implemented by the malware.

“The fact that they’ve changed the FAQ section to support this fake new process is astonishing to me in terms of details,” Maor said. “The attackers are exploiting the trust relationship the user has with the bank. They have no idea the malware is in the middle and injecting new screens. It’s amazing how much effort they put into making sure someone falls victim; it’s a new level of social engineering.”

Once the user logs into their bank account, the malware kicks in and injects a screen with instructions on how to configure a new one-time password service. The user is told that a new single-use destination number will be generated and that they are to enter their one-time password into the input field.

In the background, the Ramnit variant is connecting to the attacker’s server which is sending back details of a money mule account, Maor said. Once that’s complete, a wire transfer is initiated to the mule, but in order to complete the robbery, the user must be tricked into entering the one-time password and sending it to the temporary receiver number, which is the mule’s account number.

“By entering the OTP, the user unknowingly enables the malware to complete the fraudulent transaction and finalize the payment to the mule account,” Maor wrote in a blogpost. “This is yet another example of how well designed social engineering techniques help streamline the fraud process.”

Maor said that in past attacks he’s studied, attackers have built in pre-defined mule accounts, but that tactic isn’t feasible because those are easier to block and trace than the dynamic list that seems to be integrated into this particular attack.

“Mules are an important part of the process; you cannot cash out without one,” Maor said. “Usually criminals won’t re-use the mule in other attacks; they won’t last too often. Now it’s more dynamic.”

Google Glass Cracked

Tue, 04/30/2013 - 13:51

On Friday, Jay Freeman announced on Twitter that he exploited a known vulnerability and subsequently achieved root access to his developer model of Google Glass – Google’s highly anticipated, wearable, head-mounted computer. Around the same time, another notable hacker, Liam McLoughlin, tweeted that he exploited the same bug to achieve shell and later root access.

Freeman, a mobile researcher and self-proclaimed technology consultant, is also known by the handle ‘Saurik.’ He is perhaps best known as a jailbreak proponent, having developed Cydia, a popular application that enables the installation of other applications on rooted iOS devices. Jailbreaking is a process through which users exploit hardware or software vulnerabilities to unlock mobile and other computer devices, freeing them from the limitations of built-in, proprietary software.

On Twitter, Freeman wrote that Google Glass runs on Android 4.0.4; a version of the Jelly Bean mobile operating system that apparently contains a restore vulnerability in the Android debug bridge that, if exploited, leads to a race condition.

In an interview with Forbes’s Andy Greenberg, Freeman explained that he achieved his jailbreak by backing the device up, then modifying the backup file before restoring it to the device. During the restore process, Freeman says he redirected certain restore data in order to overwrite a critical configuration file. This process tricked Google Glass into thinking it was running as the fully controllable Android emulator that developers use to freely test mobile applications on traditional laptop or desktop environments.

McLoughlin, who is also known by the palindromic handle Hexxeh, tweeted similarly that, “There’s a “debug mode” option on Glass that appears to enable ADB access. I got a shell on my Glass.” He noted that he had not yet achieved root-level access. Shortly thereafter, McLoughlin tweeted that root access was easy as well, claiming that “reboot-bootloader gives you a fastboot original equipment manufacturer (OEM) unlock.”

It should be noted that Freeman and McLoughlin performed their jailbreaks on a pre-release, developer model of Google Glass. The consumer variety of Google Glass will likely differ from the dev-model and it’s hard to say whether these exploits will work on the publicly available model.

In response to the McLoughlin hack, Tim Bray of Google tweeted, “Yes, Glass is hackable. Duh.”

Another Google employee, Dan Morrill, was quick to clarify on his Google Plus page that, technically speaking, Freeman’s hack did not achieve root access, but was rather a “fastboot OEM unlock.”

20 Years On, the Open Web Faces Challenges

Tue, 04/30/2013 - 11:57

For people of a certain age in the technology industry, one of the ways of establishing a connection with someone is by asking some version of the following question: How long have you been online? Depending upon how you define “online”, the answer can vary from 15 to 25 or even 30 years. But simply replace the word “online” with the phrase “on the Web” and there is an upper bound on the possible answer.

The Web as we know it came stumbling and blinking out into the light 20 years ago today, and it was designed and defined at the time as an open network of free resources. What it’s become in the last two decades, however, is less a global collection of shared knowledge and conduit for the free flow of information and more a fragile tangle of smaller networks that at times is barely usable.

When CERN published the original “Statement Concerning CERN W3 Software Into Public Domain” on April 30, 1993, the Internet was still a small enough thing that it could be defined and understood in normal terms. There were a few hundred Web servers online at the time, and most of the traffic on the Internet comprised email and remote-access services. Though people now use the terms Internet and Web interchangeably, they are two separate and distinct things. The Internet is the global network of computers and was in existence long before the Web emerged. The Web is built upon the Internet’s infrastructure and couldn’t exist without it. In the 1980s and early 1990s, while the U.S. government and universities still viewed the Internet as primarily a research tool, the folks at CERN in Switzerland were building the software that would eventually make the network usable for billions of people.

The researchers at CERN had developed client and server software for the Web designed to make the publication and retrieval of documents and information on any Web-connected computer easy and fast. There were other similar programs in use, but when CERN released its software into the public domain it marked the beginning of what can be seen now as the existence of the modern Web. One interesting thing in the CERN release document–apart from the awesomely anachronistic use of the term W3 to describe the Web–is the note of optimism in the writing, along with the prescient contemplation of potential problems arising from the release of the software.

“CERN’s intention in this is to further compatibility, common practices and standards in networking and computer supported collaboration,” the note says.

“CERN provides absolutely NO WARRANTY OF ANY KIND with respect to this software. The entire risk as to the quality and performance of this software is with the user. IN NO EVENT WILL CERN BE LIABLE TO ANYONE FOR ANY DAMAGES ARISING OUT OF THE USE OF THE SOFTWARE INCLUDING, WITHOUT LIMITATION, DAMAGES RESULTING FROM LOST DATA OR LOST PROFITS, OR FOR ANY SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES.”

In language clearly written by a lawyer, CERN was telling future Web users that there were risks associated with the use of the Web, and the lab wanted people to know that up front. The risks that the CERN attorneys had in mind likely had more to do with potential damage to PCs and servers running the lab’s software than with damage to the companies and people who used the Web. But while the former has indeed been a large problem, it’s the latter that emerged as perhaps the biggest detriment to Web usage.

The security and reliability of the Web is a major issue and one that’s getting worse by the day. The open nature of the network, which makes it an invaluable resource for users, businesses, governments and everyone else, also makes it a playground for attackers, criminals and anyone else looking for a broad audience for their scams. If cybercrime were a legitimate industry, it would be one of the larger–and perhaps the most profitable–industries on earth. Untold billions of dollars disappear into the ether every year, winding their way through the wires before ending up as stacks of cash paying for criminals’ bottle service and Caribbean vacations.

But let’s be clear: Crime is a constant; it’s only the means and methods that vary.

The architects of the Internet and World Wide Web said from the beginning that the network was meant to be and should always remain open. You can interpret the word “open” in many different ways, but let’s think of it as meaning accessible and usable for anyone who wants to use it. Certainly the Web is accessible, now more than ever, with smartphones, tablets, TVs and even watches with Web access. There still are many communities around the world with limited or no access to the Web, but they are fewer in number each day.

The second part of the equation–usability–is where things get sticky. The Web is a fragile thing. Servers fall over, the DNS infrastructure comes under fire, DDoS attacks sink online banking systems and utilities fall at the hands of attackers using freely available toolkits. As easy as it is for a user to get online and buy a car on eBay and have it shipped to her house, it’s just as simple for a criminal to hijack that user’s account, ship the car to himself and drive off. And that’s the least of it. Remote attackers can infect and shut down nuclear power plants, financial trading platforms and whatever else they set their sights on. Fast, clean and little chance of detection. The open nature of the Web makes all of this possible.

And yet the openness and interoperability and accessibility that Tim Berners-Lee and Vint Cerf and the other architects of the Web and the Internet envisioned is alive and well. It’s also perhaps more important now than ever before. The Web has become a platform for social activism and change around the world and has given a voice to millions of people who may otherwise never have been heard. The security and crime problems on the Web are real and they’re not going away, but the benefits and value of the Web’s open nature are real as well. It’s those elements that users everywhere should keep in mind and for which they should thank CERN and its researchers.

LivingSocial Ups Its Password Encryption Following Massive Breach

Mon, 04/29/2013 - 20:36

The popular daily deal site LivingSocial announced Monday it has abandoned SHA-1 password hashing in favor of bcrypt, which is derived from the Blowfish cipher, following a massive data breach that impacted 50 million customers.

The company confirmed last weekend that its computer systems were attacked and thieves gained access to names, e-mail addresses, dates of birth (for some users) and hashed passwords. The passwords had been hashed and salted, but as a precaution, customers today began receiving e-mail notices to change their passwords in case the hashes are cracked.

A security notice on the LivingSocial Web site stressed that customer credit card data was not illegally accessed.

However, anyone that uses the same login information for other sites should be prepared to change the passcodes on those sites as well.

“We do not believe that any customer accounts have been compromised due to this incident,” an FAQ states. “It is difficult to decode a password that has gone through the hashing and salting process, and we have not received any abnormal reports of accounts with unauthorized charges or activity. We are enhancing our monitoring of accounts for any unusual activity on an ongoing basis. Out of an abundance of caution, we request that customers create new passwords.”

While explaining how difficult it would be for thieves to recover the passwords, the company also said it was strengthening its password protection by moving to the computationally more expensive bcrypt algorithm, which is based on the Blowfish cipher.
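Why the switch matters, as an added example that is not LivingSocial’s code: a fast salted SHA-1 check beside a deliberately slow iterated hash, plus the upgrade-on-login step a site performs when migrating schemes (the legacy hash is verified, then the password is rehashed under the new scheme while the plaintext is still in hand). bcrypt is not in Python’s standard library, so PBKDF2-HMAC-SHA256 stands in here for the work-factor idea; that substitution, the record layout and the function names are all assumptions of this example.

```python
import hashlib
import hmac
import os

# Scheme the site had in place: one fast SHA-1 pass over salt || password.
def sha1_hash(password: str, salt: bytes) -> bytes:
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


# Slow, tunable scheme. bcrypt is not in the standard library, so PBKDF2-HMAC-SHA256
# stands in here (assumption) to show the adjustable work factor that bcrypt provides.
def slow_hash(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str, scheme: str = "pbkdf2", iterations: int = 100_000) -> dict:
    """Create a stored credential record with a fresh 16-byte random salt."""
    salt = os.urandom(16)
    if scheme == "sha1":
        digest = sha1_hash(password, salt)
    else:
        digest = slow_hash(password, salt, iterations)
    return {"scheme": scheme, "salt": salt, "iterations": iterations, "digest": digest}


def verify(password: str, record: dict) -> bool:
    """Recompute under the record's own scheme and compare in constant time."""
    if record["scheme"] == "sha1":
        candidate = sha1_hash(password, record["salt"])
    else:
        candidate = slow_hash(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


def verify_and_upgrade(password: str, record: dict) -> tuple:
    """Login path during a migration: a legacy SHA-1 record that verifies is rehashed
    under the slow scheme on the spot. Returns (ok, record_to_store)."""
    if not verify(password, record):
        return False, record
    if record["scheme"] == "sha1":
        return True, make_record(password)
    return True, record


def offline_guess_cost(record: dict, wordlist: list) -> tuple:
    """Estimate what a leaked record costs to guess: each candidate costs one full hash,
    so the slow scheme multiplies the attacker's work by its iteration count.
    Returns (recovered password or None, guesses spent)."""
    for count, guess in enumerate(wordlist, 1):
        if verify(guess, record):
            return guess, count
    return None, len(wordlist)


if __name__ == "__main__":
    # Constructed demonstration values.
    legacy = make_record("password123", scheme="sha1")
    ok, upgraded = verify_and_upgrade("password123", legacy)
    print("login ok:", ok, "now stored as:", upgraded["scheme"])
    print("guesses needed:", offline_guess_cost(upgraded, ["letmein", "qwerty", "password123"]))
```

The salt defeats precomputed tables for either scheme, but only the iteration count (bcrypt’s cost parameter plays the same role) changes the per-guess cost, which is the property the breach notice is relying on when it says the hashes are “difficult to decode.”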

Bloomberg reported an email from LivingSocial CEO Tim O’Shaughnessy had been sent to all customers except those using subsidiaries in South Korea, Thailand, Indonesia and the Philippines, which were not impacted by the data breach. Those who need to change their passwords include customers in North America, Australia, New Zealand, the United Kingdom and Malaysia. It also impacts LetsBonus users in Southern Europe and parts of Latin America.

Washington, D.C.-based LivingSocial is a rival of Groupon that offers daily coupons on a wide variety of services and was most recently valued at $1.5 billion.

Google Mandates App Updates Come From Google Play

Mon, 04/29/2013 - 14:11

The Google Play store has been an Eden for hackers wanting to get malicious code onto Android devices. A number of things made the marketplace too tempting for attackers to resist, including the open source nature of the operating system, lax vetting of developers, and the ability to modify code at runtime by pushing app updates from outside the store.

Recently, Google took steps to remedy that situation with important policy changes that prohibit developers from sending users who download apps from Google Play to another site outside of the marketplace for updates. The policy change with the most security implications reads: “An app downloaded from Google Play may not modify, replace or update its own APK binary code using any method other than Google Play’s update mechanism.”

APK files are the Android application package format that Google Play uses to install or update applications. Hackers have successfully abused them in a number of arenas, including targeted attacks against Tibetans, who exchange app updates as APK email attachments because of limited access to the Internet.

“The changes are long overdue,” said Jon Oberheide, cofounder and CTO of Duo Security, a hosted two-factor authentication service for mobile devices. “We first pointed out the security risk of applications downloading new executable code at runtime back in 2009 with a proof of concept app that masqueraded as a Twilight Eclipse app and silently polled at a remote server for exploit payloads to pull down to root the device at an attacker’s whim.”

For the time being, these are paper changes on the part of Google, setting the stage for an automated mechanism down the line. That along with mandatory code-signing, which also makes traditional memory-corruption exploits difficult, would someday bring Google in line with Apple’s submission process.

Apple is much more of a walled garden when it comes to application development and code submission for the App Store. Users must present valid identification, be it a driver’s license or articles of incorporation for a business developers’ license. In Google Play, only a credit card is required to obtain a license. While both Apple and Google do some type of static code review, Apple requires all code be signed, unlike Google. All of these factors have surely cut into the effectiveness of Bouncer, Google’s application malware scanner.

“Eliminating the ability for an app to change its behavior based on external input or runtime environments (the more general problem beyond pulling down new executable code), is much more difficult,” Oberheide said. “Removing the ability to pull down executable code definitely raises the bar and is an additional step toward implementing mandatory code signing, similar to iOS. Even with mandatory code signing, as Apple openly admits, preventing an app from changing its behavior at runtime is near impossible from a theoretical point of view.

“Performing any sort of effective static or dynamic analysis along the lines of Bouncer is intractable if the application you’re analyzing will pull down its real code and exhibit malicious behaviors at some arbitrary point in the future beyond what Bouncer will catch.”
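The following Python is an added example, not Google’s Bouncer or any code from the article, showing the kind of static check a store-side scanner can make for the behaviour the policy change targets: an app whose shipped code references Android’s dynamic class-loading APIs. An APK is a ZIP archive, so the check opens it, finds the DEX files, and looks for the class descriptors of those APIs in the DEX bytes. The APK built inside the block is constructed for the example; its classes.dex is a stand-in that carries a valid DEX magic and descriptor strings but is not a loadable DEX file, and the labels assigned to each descriptor are ours.

```python
import io
import zipfile

# The first bytes of a DEX file: "dex\n" followed by a three-digit version and NUL.
DEX_MAGIC_PREFIX = b"dex\n"

# Class descriptors, as they appear in a DEX string table, of the Android APIs
# an app uses to load code it did not ship with. The labels are ours.
DYNAMIC_LOADING_DESCRIPTORS = {
    b"Ldalvik/system/DexClassLoader;": "DexClassLoader",
    b"Ldalvik/system/PathClassLoader;": "PathClassLoader",
    b"Ldalvik/system/DexFile;": "DexFile",
}


def dex_entries(zf):
    """classes.dex plus any multidex siblings (classes2.dex, ...)."""
    return sorted(n for n in zf.namelist()
                  if n.startswith("classes") and n.endswith(".dex"))


def scan_apk(apk_bytes):
    """Return {label: [dex entries referencing it]} for every dynamic-loading
    descriptor found in the package's DEX files."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = dex_entries(zf)
        if not names:
            raise ValueError("no classes.dex in archive")
        for name in names:
            data = zf.read(name)
            if not data.startswith(DEX_MAGIC_PREFIX):
                raise ValueError(f"{name} is not a DEX file")
            for descriptor, label in DYNAMIC_LOADING_DESCRIPTORS.items():
                if descriptor in data:
                    hits.setdefault(label, []).append(name)
    return hits


def build_constructed_apk(with_loader):
    """Constructed sample: a ZIP with a placeholder manifest and a classes.dex
    stand-in that carries a valid DEX magic and the descriptor strings a real
    compiler would emit. It is not a loadable DEX file."""
    descriptors = [b"Lcom/example/app/MainActivity;", b"Landroid/app/Activity;"]
    if with_loader:
        descriptors.append(b"Ldalvik/system/DexClassLoader;")
    dex = b"dex\n035\x00" + b"\x00" * 8 + b"\x00".join(descriptors)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml",
                    b"<placeholder: real manifests are binary XML>")
        zf.writestr("classes.dex", dex)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        result = scan_apk(build_constructed_apk(flag))
        print("with loader" if flag else "without loader", "->",
              result or "no dynamic-loading APIs referenced")
```

A hit means the shipped code is able to load code from elsewhere, not that it will, and when; an app that reaches the same API through reflection or an obfuscated class name leaves no literal descriptor to match. That is the gap Oberheide describes: the behaviour that matters only appears when the payload is fetched at runtime, after the scanner has finished.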

How I Got Here: Jack Daniel

Mon, 04/29/2013 - 10:23

Dennis Fisher talks with Jack Daniel of Tenable about his early days as a car guy, his accidental introduction into security and his second life as an amateur blacksmith.

Download: 06_jack_daniel.mp3

Image via AJolly‘s Flickr photostream, Creative Commons.

Attack Using Backdoored Apache Binaries to Lead to Blackhole Kit

Mon, 04/29/2013 - 10:19

There is a newly identified ongoing attack campaign in which attackers are using compromised Apache HTTP binaries to redirect users to malicious sites serving various flavors of malware, including the Blackhole exploit kit. Rather than going the traditional route of simply injecting malicious code onto target Web sites, this attack crew is replacing the existing Apache binary with a compromised one that contains what security researchers say is a highly sophisticated backdoor.

The backdoor, which researchers are calling Linux/Cdorked, has a number of interesting attributes, but perhaps the most unusual bit is the fact that the backdoor doesn’t write any files to disk and instead uses shared memory as a means of maintaining its presence on the machine. The lack of information left on infected machines makes life difficult for researchers trying to analyze the attack, but what experts have come up with so far shows that there could be as many as several hundred infected servers at this point.

“The backdoor leaves no traces of compromised hosts on the hard drive other than its modified httpd binary, thereby complicating forensics analysis. All of the information related to the backdoor is stored in shared memory. The configuration is pushed by the attacker through obfuscated HTTP requests that aren’t logged in normal Apache logs. This means that no command and control information is stored anywhere on the system,” Pierre-Marc Bureau of ESET, which has done analysis of the attack, said in a blog post.

“The HTTP server is equipped with a reverse connect backdoor that can be triggered via a special HTTP GET request. It is invoked when a request to a special path is performed with a query string in a particular format, containing the hostname and port to connect. The client IP of the HTTP dialog is used as a key to decrypt the query string as a 4 byte XOR key.”
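Two of the properties described above, a modified httpd binary and state kept only in shared memory, are also what a defender can look for. The Python below is an added example, not ESET’s or Sucuri’s tooling: it compares the on-disk binary’s SHA-256 with a known-good hash taken from the vendor package, and it parses `ipcs -m` output to flag unusually large shared-memory segments owned by the web-server account. The `ipcs -m` text, the stand-in binary bytes, the account names and the size threshold are all constructed assumptions for the example.

```python
import hashlib
import re
import tempfile
from dataclasses import dataclass

# Accounts the web server normally runs as; adjust to the host being triaged.
WEB_SERVER_USERS = {"apache", "www-data", "httpd"}
# Segments at least this large and owned by the web-server account get flagged.
# The threshold is an assumption for this example, not a figure from the report.
LARGE_SEGMENT_BYTES = 1 << 20


@dataclass
class ShmSegment:
    key: str
    shmid: int
    owner: str
    perms: str
    nbytes: int
    nattch: int


# Data rows of `ipcs -m`: key shmid owner perms bytes nattch [status]
_IPCS_ROW = re.compile(
    r"^(?P<key>0x[0-9a-fA-F]+)\s+(?P<shmid>\d+)\s+(?P<owner>\S+)\s+"
    r"(?P<perms>\d+)\s+(?P<nbytes>\d+)\s+(?P<nattch>\d+)"
)


def parse_ipcs_m(text):
    """Parse `ipcs -m` output; banner and header lines do not match and are skipped."""
    segments = []
    for line in text.splitlines():
        m = _IPCS_ROW.match(line.strip())
        if m:
            segments.append(ShmSegment(m["key"], int(m["shmid"]), m["owner"],
                                       m["perms"], int(m["nbytes"]), int(m["nattch"])))
    return segments


def suspicious_segments(segments):
    """Segments owned by the web-server account that are far larger than a
    scoreboard or mutex region. Apache itself uses small shared segments, so
    this is a triage signal to review, not proof of compromise."""
    return [s for s in segments
            if s.owner in WEB_SERVER_USERS and s.nbytes >= LARGE_SEGMENT_BYTES]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def binary_is_known_good(path, known_good_sha256):
    """Compare the on-disk binary with a hash taken from the vendor package,
    never from the (possibly compromised) host itself."""
    return sha256_file(path) == known_good_sha256.lower()


def triage(ipcs_text, httpd_path, known_good_sha256):
    findings = []
    if not binary_is_known_good(httpd_path, known_good_sha256):
        findings.append(f"{httpd_path}: SHA-256 does not match the known-good hash")
    for s in suspicious_segments(parse_ipcs_m(ipcs_text)):
        findings.append(f"shmid {s.shmid}: {s.nbytes} bytes owned by {s.owner}, "
                        f"{s.nattch} process(es) attached")
    return findings


# Constructed `ipcs -m` output: one oversized anonymous (key 0x00000000)
# segment owned by apache next to ordinary postgres and apache segments.
SAMPLE_IPCS = """\
------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00000000 32768      apache     600        6291456    1
0x0052e2c1 65537      postgres   600        56         8
0x00000000 98306      apache     600        12288      5
"""


def demo():
    """Run the triage against constructed inputs: a stand-in httpd file whose
    bytes differ from the ones the known-good hash was computed over."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"ELF-placeholder-httpd-MODIFIED")
    known_good = hashlib.sha256(b"ELF-placeholder-httpd").hexdigest()
    return triage(SAMPLE_IPCS, tmp.name, known_good)


if __name__ == "__main__":
    for finding in demo():
        print("FINDING:", finding)
```

On a packaged system the same binary check is available from the package manager (`rpm -V httpd` or `dpkg --verify`), but its database lives on the same host and should be cross-checked against an offline copy of the package. Because the backdoor’s configuration never touches disk, a memory image or the shared segment itself is the artifact to preserve before the server is rebooted or the httpd process is restarted.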

The Linux/Cdorked backdoor is interesting on several levels aside from its ability to leave little to no trace on compromised machines. One other odd aspect is the attackers’ decision to completely replace the Apache HTTP binary as part of the attack. This is a more complicated and risky attack scenario than what’s normally seen in code-injection/redirection attacks. Typically, attackers looking to push large numbers of victims to a site they control–such as a porn or gambling site or a malware depot–will look for sites vulnerable to a particular exploit, load their code onto those sites and then have it redirect victims to the target site. A halfway enterprising attacker would have no trouble finding dozens or hundreds of sites on which to bury his malicious redirect code.

But the attackers in this case took the more difficult route, opting to compromise the Web server itself and then fully replace the Apache binary. How they’re compromising the servers to begin with is also still a question. Researchers at Sucuri, who also analyzed the attacks, speculated that the attackers may be using brute-force attempts on SSH servers as an initial entry point. Once the attackers have the malicious binary on a target server, they appear to use it selectively. The malicious redirects are only served to each IP address once a day, and the sites from which the binary loads the malicious code appear to be random URLs.

“Once the malware is loaded it will redirect the site to spammy sites (most often porn pages). At the sites we analyzed, they were being pushed to httx://amazingtubesites.org (seems offline now). In some cases we also saw the redirection going to the Blackhole Exploit kit,” Daniel Cid, CTO of Sucuri, wrote.

The backdoor has a list of almost two dozen commands that the attacker can use, and these are sent to the compromised server via an HTTP POST request, ESET’s Bureau said.

“The request must also contain a cookie header starting with “SECID=”. The query string value must hold 2 hex encoded bytes that are encrypted with the client IP, using the same technique as the shell. The SECID cookie data will be used as arguments to some of the commands. We believe that the URLs to redirect clients are sent to the backdoor using this method. The redirection information will be stored encrypted in the allocated shared memory region. We also believe that the conditions for redirection are set this way, for example, a white list of user agents to redirect can be preconfigured and a black list of IPs to avoid redirection,” he wrote.