<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Information Security Blog &#124; Perimeter E-Security &#187; Vulnerability Assessment Tools</title>
	<atom:link href="http://perimeterusa.com/blog/tag/vulnerability-assessment-tools/feed/" rel="self" type="application/rss+xml" />
	<link>http://perimeterusa.com/blog</link>
	<description>News, Notes, and Opinions from the World of Information, Network, and Data Security</description>
	<lastBuildDate>Tue, 28 Jun 2011 13:44:08 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.4</generator>
		<item>
		<title>FBI Takes Down Coreflood Botnet, But Many Companies Remain Vulnerable</title>
		<link>http://perimeterusa.com/blog/fbi-takes-down-coreflood-botnet-but-many-companies-remain-vulnerable/</link>
		<comments>http://perimeterusa.com/blog/fbi-takes-down-coreflood-botnet-but-many-companies-remain-vulnerable/#comments</comments>
		<pubDate>Fri, 15 Apr 2011 21:27:05 +0000</pubDate>
		<dc:creator>ajaquith</dc:creator>
				<category><![CDATA[Blog Post]]></category>
		<category><![CDATA[application penetration testing]]></category>
		<category><![CDATA[Application Vulnerability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Hackers]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[security monitoring]]></category>
		<category><![CDATA[security penetration testing]]></category>
		<category><![CDATA[Vulnerability Assessment Tools]]></category>
		<category><![CDATA[Web Content Filtering]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=1218</guid>
		<description><![CDATA[By Harald Wilke, Security Analyst, Perimeter E-Security with Richard S. Westmoreland, Lead Security Analyst and Andrew Jaquith, Chief Technology Officer On Wednesday April 6th the Federal Bureau of Investigation (FBI) seized control of 5 servers used to control as many as 2 million computers infected with Coreflood malware. This malware, also known as AFCore, quietly steals [...]]]></description>
			<content:encoded><![CDATA[<p><em>By Harald Wilke, Security Analyst, Perimeter E-Security<br />
with Richard S. Westmoreland, Lead Security Analyst and Andrew Jaquith, Chief Technology Officer</em></p>
<p>On Wednesday April 6th the Federal Bureau of Investigation (FBI) seized control of five servers used to control as many as two million computers infected with the Coreflood malware. Coreflood, also known as AFCore, quietly steals personal and financial information from the infected computer and forwards it to the criminals running the botnet, who use the stolen data to conduct fraudulent wire transfers that empty the victims&#8217; bank accounts. The botnet is believed to have existed since at least 2002 and has evolved over the years from IRC-based command and control (C&amp;C) and selling DDoS/anonymity services to HTTP-based C&amp;C and financial fraud.</p>
<p>Using an approach similar to the one used to take down the Bredolab botnet, US federal investigators were granted special authorization by the Department of Justice to substitute their own command and control server for the hosts operated by the criminal organization. When a bot on an infected machine checks in to the new C&amp;C server, it is simply given a command to shut down. The DNS records used by the bots have also been pointed at Shadowserver&#8217;s sinkholes.</p>
<p>Law enforcement&#8217;s control of the C&amp;C servers now prevents the criminals from accessing any information already harvested from the infected computers. It also keeps them from covering their tracks by deleting files and terminating processes. However, the millions of Coreflood infections remain in place and still require removal by a trained security analyst or by an antivirus product with signatures that detect it. Investigators are also alerting the Internet Service Providers of the compromised machines and asking them to inform their customers.</p>
<p>More information about the takedown can be found here:</p>
<ul>
<li><a href="http://www.fbi.gov/news/stories/2011/april/botnet_041411/botnet_041411">Botnet Operation Disabled: FBI Seizes Servers to Stop Cyber Fraud</a></li>
<li><a href="http://garwarner.blogspot.com/2011/04/bold-fbi-move-shutters-coreflood-bot.html">Bold FBI Move Shutters COREFLOOD Bot</a></li>
</ul>
<p>Perimeter&#8217;s Security Operations Center is actively monitoring for outbound activity known to be associated with the Coreflood botnet. In one instance, minutes after adding inspection for the redirected C&amp;C check-in, alerts showed 17 actively compromised hosts on a single customer network. Here&#8217;s a sample screenshot from our SOC&#8217;s Security Information and Event Management (SIEM) system:</p>
<div id="attachment_1219" class="wp-caption alignnone" style="width: 643px"><a href="http://perimeterusa.com/blog/wp-content/uploads/2011/04/image001.png"><img class="size-full wp-image-1219" src="http://perimeterusa.com/blog/wp-content/uploads/2011/04/image001.png" alt="" width="633" height="446" /></a><p class="wp-caption-text">Coreflood Botnet Traffic, from Perimeter SOC</p></div>
<p>Looking at the raw event logs, we can see the compromised host attempting direct HTTP connections to a sinkhole IP address. The request URI confirms that the activity is a bot C&amp;C check-in:</p>
<p><a href="http://perimeterusa.com/blog/wp-content/uploads/2011/04/image002.png"><img class="alignnone size-full wp-image-1220" src="http://perimeterusa.com/blog/wp-content/uploads/2011/04/image002.png" alt="" width="650" height="103" /></a></p>
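<p>As an added example (not from the original post and not Perimeter&#8217;s SOC code), the check-in detection described above can be reproduced over ordinary proxy or firewall logs: each line is parsed, the destination is matched against a sinkhole list, and the request URI is matched against a check-in pattern so that incidental contact with a sinkhole address (a stray favicon request, for instance) is reported separately from a genuine bot check-in. The sinkhole addresses, the URI shape and the log lines below are constructed for the example and are not real Coreflood indicators; substitute the ones published for the takedown and the format your SIEM actually stores.</p>

```python
"""
Added example: flag internal hosts whose outbound HTTP traffic looks like a
botnet check-in that now lands on a law-enforcement sinkhole.

Everything below is constructed for illustration: the sinkhole addresses,
the URI pattern and the log lines are hypothetical, not real Coreflood
indicators.
"""
import re
from collections import defaultdict

# Hypothetical sinkhole addresses (assumption; substitute the published ones).
SINKHOLE_IPS = {"192.0.2.10", "192.0.2.11"}

# Hypothetical check-in URI shape: an 8-character bot id followed by a counter.
# This is an assumption for the example, not the real Coreflood URI.
CHECKIN_URI = re.compile(r"^/cgi-bin/(?P<botid>[a-z0-9]{8})/(?P<seq>\d+)$")

# Constructed log format: "<ts> src=<ip> dst=<ip> method=<m> uri=<path> status=<code>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"method=(?P<method>\S+) uri=(?P<uri>\S+) status=(?P<status>\d+)$"
)

# Constructed sample: three infected hosts, one clean host, one stray request
# to a sinkhole that is not a check-in, and one unparseable line.
SAMPLE_LOGS = """\
2011-04-14T09:01:02Z src=10.1.1.23 dst=192.0.2.10 method=GET uri=/cgi-bin/a1b2c3d4/17 status=200
2011-04-14T09:01:05Z src=10.1.1.23 dst=192.0.2.10 method=GET uri=/cgi-bin/a1b2c3d4/18 status=200
2011-04-14T09:01:09Z src=10.1.1.57 dst=192.0.2.11 method=GET uri=/cgi-bin/ffee0011/3 status=200
2011-04-14T09:02:11Z src=10.1.1.90 dst=198.51.100.5 method=GET uri=/index.html status=200
2011-04-14T09:02:40Z src=10.1.1.57 dst=192.0.2.10 method=GET uri=/favicon.ico status=404
2011-04-14T09:03:00Z src=10.1.2.8 dst=192.0.2.11 method=POST uri=/cgi-bin/0badf00d/1 status=200
this line is not parseable and must be skipped
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def classify(event):
    """
    Classify one parsed event:
      'checkin'  - destination is a sinkhole AND the URI looks like a bot check-in
      'sinkhole' - destination is a sinkhole but the URI does not match (investigate)
      None       - ordinary traffic
    The URI match is what separates a bot check-in from incidental contact.
    """
    if event["dst"] not in SINKHOLE_IPS:
        return None
    if CHECKIN_URI.match(event["uri"]):
        return "checkin"
    return "sinkhole"


def find_compromised_hosts(log_text):
    """
    Return ({src_ip: {"checkins": n, "bot_ids": set}}, [unmatched sinkhole contacts]).
    The number of keys in the first value is the count of actively
    compromised hosts; the second value lists traffic that needs a human look.
    """
    hosts = defaultdict(lambda: {"checkins": 0, "bot_ids": set()})
    unmatched = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue                      # skip lines the parser cannot read
        kind = classify(ev)
        if kind == "checkin":
            hosts[ev["src"]]["checkins"] += 1
            hosts[ev["src"]]["bot_ids"].add(CHECKIN_URI.match(ev["uri"])["botid"])
        elif kind == "sinkhole":
            unmatched.append((ev["src"], ev["dst"], ev["uri"]))
    return dict(hosts), unmatched


if __name__ == "__main__":
    compromised, other = find_compromised_hosts(SAMPLE_LOGS)
    print(f"{len(compromised)} actively compromised host(s):")
    for src, info in sorted(compromised.items()):
        print(f"  {src}: {info['checkins']} check-in(s), bot id(s) {sorted(info['bot_ids'])}")
    for src, dst, uri in other:
        print(f"  {src} -> {dst} {uri}: sinkhole contact without check-in pattern")
```

<p>Counting distinct source addresses rather than raw alerts is what turns a stream of events into the &#8220;17 hosts&#8221; figure above, and keeping the non-matching sinkhole contacts in a separate list avoids both false positives and silently dropping traffic that deserves a look.</p>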
<p><strong>Recommendations for Perimeter customers</strong></p>
<p>Although the FBI has taken ownership of the command and control infrastructure and is issuing shutdown commands to active bots, the malware is still installed on the compromised machines and is reactivated at boot. Analysis of this Coreflood variant indicates that its C&amp;C domains change monthly and have been pre-registered in countries outside United States jurisdiction, so there remains a possibility of the criminal ring regaining control of the botnet. Perimeter strongly recommends that customers take the following actions to stay protected:</p>
<ul>
<li>Use Web Content Filtering (WCF) to lock down Internet usage by enforcing user authentication and blocking categories not critical to the business</li>
<li>In particular, block access to uncategorized (unclassified) sites, which commonly harbor malware and C&amp;C servers</li>
<li>Use standard best practices such as network IPS and network/desktop antivirus to help prevent infections</li>
<li>Where infections do occur, a strong WCF policy will help prevent theft of data and will provide additional logging that Perimeter&#8217;s Security Operations Center uses for detection</li>
</ul>
<p>Thanks for your time and attention, and stay safe.</p>
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/fbi-takes-down-coreflood-botnet-but-many-companies-remain-vulnerable/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What Are the Three Pillars for Creating Value in Security  &#8211; Interview with Andrew Jaquith, Chief Technology Officer of Perimeter E-Security</title>
		<link>http://perimeterusa.com/blog/what-are-the-three-pillars-for-creating-value-in-security-interview-with-andrew-jaquith-chief-technology-officer-of-perimeter-e-security/</link>
		<comments>http://perimeterusa.com/blog/what-are-the-three-pillars-for-creating-value-in-security-interview-with-andrew-jaquith-chief-technology-officer-of-perimeter-e-security/#comments</comments>
		<pubDate>Fri, 04 Mar 2011 15:32:28 +0000</pubDate>
		<dc:creator>Perimeter</dc:creator>
				<category><![CDATA[Blog Post]]></category>
		<category><![CDATA[cloud computing]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[managed messaging services]]></category>
		<category><![CDATA[managed services providers]]></category>
		<category><![CDATA[mobile security]]></category>
		<category><![CDATA[secure messaging]]></category>
		<category><![CDATA[Vulnerability Assessment Tools]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=1148</guid>
<description><![CDATA[The three pillars for how organizations can be secure today and participate better in the changing economy: Reduce Risk, Cut Cost, Enable New Business Opportunities (e.g. Cloud Computing and Mobility).]]></description>
			<content:encoded><![CDATA[<p>RSA Conference | February 16 &#8211; 18, 2011</p>
<p>By Tom Field, Editorial Director, Information Security Media Group</p>
<p>The three pillars for how organizations can be secure today and participate better in the changing economy:</p>
<ul>
<li>Reduce Risk</li>
<li>Cut Cost</li>
<li>Enable New Business Opportunities (e.g. Cloud Computing and Mobility)</li>
</ul>
<p>Video: <a href="http://www.perimeterusa.com/blog/Andy-Interview.swf">Interview with Andrew Jaquith (Flash video, 640x360)</a></p>
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/what-are-the-three-pillars-for-creating-value-in-security-interview-with-andrew-jaquith-chief-technology-officer-of-perimeter-e-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>National Cyber Warfare and Vulnerabilities</title>
		<link>http://perimeterusa.com/blog/national-cyber-warfare-and-vulnerabilities/</link>
		<comments>http://perimeterusa.com/blog/national-cyber-warfare-and-vulnerabilities/#comments</comments>
		<pubDate>Thu, 22 Jul 2010 14:52:56 +0000</pubDate>
		<dc:creator>Perimeter</dc:creator>
				<category><![CDATA[Blog Post]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[managed services providers]]></category>
		<category><![CDATA[security penetration testing]]></category>
		<category><![CDATA[Vulnerability Assessment Tools]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=919</guid>
		<description><![CDATA[Those interested in learning a bit more about national cyber warfare and vulnerabilities that the US has in this regard should watch the CBS program, 60 Minutes.]]></description>
<content:encoded><![CDATA[<p>Those interested in learning a bit more about national cyber warfare and the vulnerabilities the US has in this regard should watch the CBS program <a href="http://www.cbsnews.com/video/watch/?id=6578069n" target="_blank">60 Minutes</a>, where this was discussed.  Most of their sources are very credible, and I heard very little that wasn’t a current reality.</p>
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/national-cyber-warfare-and-vulnerabilities/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>North Korea is probably not to blame for the DDOS attacks in 2009</title>
		<link>http://perimeterusa.com/blog/north-korea-is-probably-not-to-blame-for-the-ddos-attacks-in-2009/</link>
		<comments>http://perimeterusa.com/blog/north-korea-is-probably-not-to-blame-for-the-ddos-attacks-in-2009/#comments</comments>
		<pubDate>Tue, 13 Jul 2010 16:19:26 +0000</pubDate>
		<dc:creator>Perimeter</dc:creator>
				<category><![CDATA[Blog Post]]></category>
		<category><![CDATA[Intrusion Detection System]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[security penetration testing]]></category>
		<category><![CDATA[Vulnerability Assessment Tools]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=915</guid>
		<description><![CDATA[Many of you might remember the distributed denial of service (DDOS) attacks that hampered several US websites about a year ago.  The source of the attacks appeared to come from North Korea.  Now, the US says that there is no conclusive evidence that the attacks came from North Korea at all. ]]></description>
<content:encoded><![CDATA[<p>Many of you may remember the distributed denial of service (DDoS) attacks that hampered several US websites about a year ago.  The attacks appeared to come from North Korea.  Now, <a href="http://www.google.com/hostednews/ap/article/ALeqM5j5BPCmNgjLgWUCjVvE7kavTFIssQD9GNISE80" target="_blank">the US says that there is no conclusive evidence</a> that the attacks came from North Korea at all.  This is very common.  A skilled attacker will launch an attack from a system in a non-friendly nation state: if you want to attack the U.S., use a computer in North Korea to do it, because there is little if any cooperation in identifying the culprit.  Of course, the computer in North Korea would itself be controlled from one in the U.K., which would be controlled from one in Iran, and so on.  These are the standard tactics experienced attackers use to avoid getting caught.  In this particular DDoS case, officials say it is very unlikely that the culprit will ever be found.</p>
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/north-korea-is-probably-not-to-blame-for-the-ddos-attacks-in-2009/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Apple isn’t more or less secure than other operating systems</title>
		<link>http://perimeterusa.com/blog/apple-isnt-more-or-less-secure-than-other-operating-systems/</link>
		<comments>http://perimeterusa.com/blog/apple-isnt-more-or-less-secure-than-other-operating-systems/#comments</comments>
		<pubDate>Fri, 09 Jul 2010 15:42:08 +0000</pubDate>
		<dc:creator>Perimeter</dc:creator>
				<category><![CDATA[Blog Post]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[managed services providers]]></category>
		<category><![CDATA[security penetration testing]]></category>
		<category><![CDATA[Vulnerability Assessment Tools]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=911</guid>
<description><![CDATA[I am not saying that Apple is more or less secure than any other operating system.  But I do run across people who feel Apple can do no wrong and that the Apple operating system and other software Apple creates are nearly bug free and vulnerability free. ]]></description>
<content:encoded><![CDATA[<p>I am not saying that Apple is more or less secure than any other operating system.  But I do run across people who feel Apple can do no wrong and that the Apple operating system and other software Apple creates are nearly bug free and vulnerability free.  All software has bugs and vulnerabilities, and Apple is no different.  For example, a couple of weeks ago <a title="Safari Update" href="http://support.apple.com/kb/HT4196" target="_blank">Apple issued an updated version of its Safari web browser</a> that fixes at least 48 security flaws.  All software has vulnerabilities and all software needs to be patched.  Don’t get into the mindset that what you are using is exempt.</p>
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/apple-isnt-more-or-less-secure-than-other-operating-systems/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Malicious websites continue to be hackers&#8217; weapon of choice</title>
		<link>http://perimeterusa.com/blog/malicious-websites-continue-to-be-hackers-weapon-of-choice/</link>
		<comments>http://perimeterusa.com/blog/malicious-websites-continue-to-be-hackers-weapon-of-choice/#comments</comments>
		<pubDate>Wed, 07 Jul 2010 17:10:32 +0000</pubDate>
		<dc:creator>Perimeter</dc:creator>
				<category><![CDATA[Blog Post]]></category>
		<category><![CDATA[application penetration testing]]></category>
		<category><![CDATA[Intrusion Detection System]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[managed services providers]]></category>
		<category><![CDATA[security penetration testing]]></category>
		<category><![CDATA[Vulnerability Assessment Tools]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=906</guid>
<description><![CDATA[For a couple of years now I have been explaining that the weapon of choice for hackers is the malicious website.  It is far easier for them to exploit systems this way, and these methods completely bypass traditional network firewalls and intrusion detection and prevention systems. ]]></description>
<content:encoded><![CDATA[<p>For a couple of years now I have been explaining that the weapon of choice for hackers is the malicious website.  It is far easier for them to exploit systems this way, and these methods completely bypass traditional network firewalls and intrusion detection and prevention systems.  Take, for example, the series of attacks that were <a href="http://www.computerworld.com/s/article/9177904/Mass_Web_attack_hits_Wall_Street_Journal_Jerusalem_Post?taxonomyId=17" target="_blank">reported June 9, 2010</a>.  Tens of thousands of web pages were found to be infected with malware.  The attackers found a weakness in websites running Microsoft IIS that they could exploit in an automated way, then modified each site to redirect visitors to malicious servers where malware was installed on the user’s desktop.  A redirection is very easy to do and takes only a single line of code.  More than 100,000 web pages were compromised in this attack alone.  These aren’t just obscure sites, either; they include <a href="http://www.computerworld.com/s/article/9177904/Mass_Web_attack_hits_Wall_Street_Journal_Jerusalem_Post?taxonomyId=17" target="_blank">The Wall Street Journal and many other sites</a> that your users access every day.  Organizations need to think beyond the network-based intrusion detection system if they really want to protect their networks.</p>
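<p>The single-line redirect mentioned above, and how to spot it, as an added example that is not part of the original post: the Python script below walks a page’s HTML with the standard library’s html.parser and reports every script include, iframe, meta refresh or location assignment that points to a host outside an allowlist of the site’s own domains. A network IDS never sees this injection as an attack because the page is served over ordinary HTTP by a trusted site, so the check has to run on the content itself. The sample page and all hostnames in it are constructed (example.com, example.net and example.org are reserved documentation names).</p>

```python
"""
Added example: scan a page's HTML for the kind of one-line injection that
redirects visitors to a malware server, and report every script, iframe,
meta refresh or location assignment that points off-site.

The sample HTML and hostnames below are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Script-based redirects, e.g.  document.location = "http://..."  or  window.location.href = '...'
REDIRECT_JS = re.compile(
    r"""(?:window\.|document\.)?location(?:\.href)?\s*=\s*['"]?(?P<url>https?://[^'"\s;]+)""",
    re.IGNORECASE,
)
# The URL part of a <meta http-equiv="refresh" content="0; url=..."> tag.
META_REFRESH_URL = re.compile(r"""url\s*=\s*['"]?(?P<url>\S+?)['"]?\s*$""", re.IGNORECASE)


class InjectionScanner(HTMLParser):
    """Collect every external reference that can move the visitor to another site."""

    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted = {h.lower() for h in trusted_hosts}
        self.findings = []          # list of (kind, url, hidden)
        self._in_script = False

    def _off_site(self, url):
        # Relative URLs have no hostname and are never off-site.
        host = urlparse(url).hostname
        return host is not None and host.lower() not in self.trusted

    def _record(self, kind, url, hidden=False):
        if self._off_site(url):
            self.findings.append((kind, url, hidden))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)             # html.parser lowercases tag and attribute names
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self._record("script-src", a["src"])
        elif tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = ("display:none" in style or "visibility:hidden" in style
                      or a.get("width") == "0" or a.get("height") == "0")
            if a.get("src"):
                self._record("iframe", a["src"], hidden)
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = META_REFRESH_URL.search(a.get("content") or "")
            if m:
                self._record("meta-refresh", m["url"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser hands inline <script> bodies to handle_data unparsed.
        if self._in_script:
            for m in REDIRECT_JS.finditer(data):
                self._record("js-redirect", m["url"])


def scan_html(html, trusted_hosts):
    """Return the list of (kind, url, hidden) findings for off-site redirects/includes."""
    p = InjectionScanner(trusted_hosts)
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample page: legitimate content plus four injected lines.
SAMPLE_PAGE = """<html><head>
<title>Quarterly report</title>
<script src="/js/site.js"></script>
<script src="http://cdn.example.com/lib.js"></script>
<script src="http://bad.example.net/u.js"></script>
<meta http-equiv="refresh" content="0; url=http://bad.example.net/r">
</head><body>
<h1>Report</h1>
<iframe src="http://bad.example.net/in.php" width="0" height="0" style="display:none"></iframe>
<script>document.location = "http://bad.example.net/go";</script>
<a href="http://partner.example.org/">partner</a>
</body></html>"""

# Hosts this site legitimately loads resources from (assumption for the example).
TRUSTED = ["www.example.com", "cdn.example.com"]

if __name__ == "__main__":
    for kind, url, hidden in scan_html(SAMPLE_PAGE, TRUSTED):
        print(f"{kind:12s} {url}{'  (hidden)' if hidden else ''}")
```

<p>Run it on a fetched copy of each public page on a schedule, seeded with the hosts you legitimately load resources from: a new off-site script or a zero-size iframe on a page that did not have one yesterday is the signature of this class of attack, and an ordinary hyperlink (the partner link above) is deliberately not reported.</p>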
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/malicious-websites-continue-to-be-hackers-weapon-of-choice/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Identifying security vulnerabilities is only the first step</title>
		<link>http://perimeterusa.com/blog/identifying-security-vulnerabilities-is-only-the-first-step/</link>
		<comments>http://perimeterusa.com/blog/identifying-security-vulnerabilities-is-only-the-first-step/#comments</comments>
		<pubDate>Tue, 29 Jun 2010 17:26:51 +0000</pubDate>
		<dc:creator>Perimeter</dc:creator>
				<category><![CDATA[Blog Post]]></category>
		<category><![CDATA[application penetration testing]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Payment Card Industry compliance]]></category>
		<category><![CDATA[PCI DSS compliance]]></category>
		<category><![CDATA[security penetration testing]]></category>
		<category><![CDATA[Vulnerability Assessment Tools]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=896</guid>
		<description><![CDATA[Most information security experts talk about vulnerability management quite a bit.  This includes using external vulnerability assessments and penetration testing to determine your level of exposure to outside hackers and the like.]]></description>
<content:encoded><![CDATA[<p>Most information security experts talk about vulnerability management quite a bit.  This includes using external vulnerability assessments and penetration testing to determine your level of exposure to outside attackers.  Unfortunately, that is where vulnerability management ends for many organizations, and by itself it offers little threat mitigation.  Identifying the vulnerabilities is step one, but several more steps are needed if the information is to improve your security posture: validating that each identified vulnerability is real and relevant to your organization, prioritizing patching and other mitigation strategies, and finally implementing the fixes where needed.  Most organizations skip these additional steps, which at a minimum means the assessment does nothing to improve their security, and could in fact increase their liability if a data breach occurs (knowing the vulnerability existed and doing nothing about it).  The issue gets more complicated for organizations that must comply with various regulations or requirements.  For example, those that must adhere to the PCI DSS are required to run quarterly vulnerability scans.  All too often the emphasis is placed on doing whatever it takes to pass an audit rather than on what it takes to be most secure.  I thought <a title="Prioritizing And Fixing Security Vulnerabilities: A Reader's Guide" href="http://www.darkreading.com/vulnerability_management/security/management/showArticle.jhtml?articleID=225701544&amp;cid=nl_DR_DAILY_2010-06-28_h" target="_blank">this article from Dark Reading</a> was good at highlighting the issues.</p>
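<p>As an added example (not from this post or the Dark Reading article), the steps after the scan can be made concrete as a small triage pipeline in Python: each scanner finding is checked against a reviewed false-positive list, scored by severity combined with Internet exposure and public exploit availability, mapped to a remediation deadline (tighter for hosts in PCI scope), and emitted as an ordered work list. The findings, the scoring weights and the SLA windows are constructed assumptions for the example; tune them to your own risk appetite and compliance obligations.</p>

```python
"""
Added example: carry scanner output through validate -> prioritise -> schedule
instead of stopping at the report.

Findings, weights and SLA days are constructed assumptions for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Finding:
    host: str
    plugin: str               # scanner check name
    cvss: float               # base score reported by the scanner
    exposed: bool             # reachable from the Internet?
    exploit_public: bool      # working exploit publicly available?
    in_scope_pci: bool        # host stores or processes cardholder data?
    validated: Optional[bool] = None   # None = not yet reviewed by a human
    note: str = ""


# Assumed remediation windows in days; PCI-scope hosts get the stricter set.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
PCI_SLA_DAYS = {"critical": 3, "high": 14, "medium": 30, "low": 90}


def validate(f, known_false_positives):
    """Step 2: mark a finding as real or as a reviewed false positive."""
    f.validated = (f.host, f.plugin) not in known_false_positives
    if not f.validated:
        f.note = "false positive (reviewed)"
    return f


def priority(f):
    """Step 3: risk score = severity amplified by exposure and exploitability.
    The multipliers and the PCI bonus are assumptions for the example."""
    score = f.cvss
    if f.exposed:
        score *= 1.5
    if f.exploit_public:
        score *= 1.5
    if f.in_scope_pci:
        score += 2.0
    return round(min(score, 25.0), 2)


def band(score):
    """Map a score to a remediation band (thresholds are assumptions)."""
    if score >= 15:
        return "critical"
    if score >= 9:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def plan(findings, known_false_positives, today):
    """Run validate -> prioritise -> schedule; return the ordered remediation list."""
    work = []
    for f in findings:
        validate(f, known_false_positives)
        if not f.validated:
            continue                                  # step 2 filtered it out
        s = priority(f)
        b = band(s)
        sla = (PCI_SLA_DAYS if f.in_scope_pci else SLA_DAYS)[b]
        work.append({"host": f.host, "plugin": f.plugin, "score": s,
                     "band": b, "due": today + timedelta(days=sla)})
    work.sort(key=lambda w: (-w["score"], w["due"]))  # highest risk first
    return work


# Constructed findings and a constructed, already-reviewed false-positive list.
SAMPLE = [
    Finding("web1", "OpenSSL outdated", 7.5, True, True, True),
    Finding("web1", "SSL weak cipher", 4.3, True, False, True),
    Finding("db1", "MS SQL default account", 9.0, False, True, True),
    Finding("intranet", "Apache version banner", 2.6, False, False, False),
    Finding("kiosk", "Telnet open", 5.0, False, False, False),
]
KNOWN_FP = {("intranet", "Apache version banner")}
TODAY = date(2010, 6, 29)


def example_plan():
    """The worked run over the constructed findings."""
    return plan(SAMPLE, KNOWN_FP, TODAY)


if __name__ == "__main__":
    for w in example_plan():
        print(f"{w['score']:5.2f} {w['band']:8s} due {w['due']} {w['host']}: {w['plugin']}")
```

<p>Two things the scan report alone does not give you fall out of this: the internal database host with a public exploit outranks the lower-CVSS items even though it is not Internet-facing, and the banner finding a human already dismissed never reaches the work list, so it cannot be counted as a known-and-ignored vulnerability later.</p>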
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/identifying-security-vulnerabilities-is-only-the-first-step/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Cyber Security Risks for SEC Filings</title>
		<link>http://perimeterusa.com/blog/cyber-security-risks-for-sec-filings/</link>
		<comments>http://perimeterusa.com/blog/cyber-security-risks-for-sec-filings/#comments</comments>
		<pubDate>Fri, 25 Jun 2010 15:42:57 +0000</pubDate>
		<dc:creator>Perimeter</dc:creator>
				<category><![CDATA[Blog Post]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Security Breach]]></category>
		<category><![CDATA[Vulnerability Assessment Tools]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=878</guid>
		<description><![CDATA[Many public companies have now started including cyber security risks as part of those SEC filings. ]]></description>
<content:encoded><![CDATA[<p><a href="http://perimeterusa.com/blog/wp-content/uploads/2010/06/stock.jpg"><img class="size-full wp-image-880 alignleft" style="margin: 5px 8px; border: 0px;" title="Stock Exchange" src="http://perimeterusa.com/blog/wp-content/uploads/2010/06/stock.jpg" alt="" width="98" height="65" /></a>If you work for a public company, you are familiar with the SEC filing requirements that oblige you to disclose risks to the stock price and the bottom line.  Many public companies have now started including cyber security risks in those SEC filings.  <a href="http://www.businessweek.com/idg/2010-06-08/after-google-hack-warnings-pop-up-in-sec-filings.html" target="_blank">This includes Google, after attackers compromised its internal systems. </a>Google&#8217;s SEC filing states &#8220;because the techniques used [by hackers]&#8230;change frequently and often are not recognized until launched against a target, we may be unable to anticipate these techniques or to implement adequate preventative measures.&#8221;  If you are part of a public company, you may want to consider doing something similar.</p>
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/cyber-security-risks-for-sec-filings/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Subscribers information wasn&#8217;t the only thing captured in the Apple data breach</title>
		<link>http://perimeterusa.com/blog/could-the-icc-ids-that-goatse-captured-in-the-apple-data-breach-be-a-national-security-problem/</link>
		<comments>http://perimeterusa.com/blog/could-the-icc-ids-that-goatse-captured-in-the-apple-data-breach-be-a-national-security-problem/#comments</comments>
		<pubDate>Tue, 22 Jun 2010 19:13:11 +0000</pubDate>
		<dc:creator>Perimeter</dc:creator>
				<category><![CDATA[Blog Post]]></category>
		<category><![CDATA[AT&T Breach]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Security Breach]]></category>
		<category><![CDATA[Vulnerability Assessment Tools]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=871</guid>
<description><![CDATA[Goatse Security, the group that discovered the vulnerability on AT&#038;T’s website that exposed the information of 114,000 iPad subscribers, including name, account number and email address, does not like how AT&#038;T has portrayed them.]]></description>
<content:encoded><![CDATA[<p><a href="http://perimeterusa.com/blog/wp-content/uploads/2010/06/compcrime.png"><img class="alignright size-full wp-image-873" style="border: 0pt none; margin: 5px;" title="Computer Crimes" src="http://perimeterusa.com/blog/wp-content/uploads/2010/06/compcrime.png" alt="" width="180" height="207" /></a>Goatse Security, the group that discovered the vulnerability on AT&amp;T’s website that exposed the information of 114,000 iPad subscribers, including name, account number and email address, does not like how <a href="http://www.dmwmedia.com/news/2010/06/14/atampt-apologizes-ipad-email-breach-blames-quothackersquot" target="_blank">AT&amp;T has portrayed them</a>.  They wrote an explicit response to that <a href="http://security.goatse.fr/a-response-to-atts-letter" target="_blank">letter here</a>.  I still think Goatse could have done things a bit differently.  According to them, they notified a third party, who Goatse claims was a journalist, and then promptly destroyed the data.  In other reports that I read, several third parties were notified; I have no idea whether they were all journalists.  The proper way to handle a situation like this (if you aren’t trying to get free publicity and truly just want to do the right thing) is to contact AT&amp;T directly and work with them until the vulnerability is fixed.  Then you can disclose what happened.  This is of course much easier said than done, but I still don’t think that Goatse followed the right steps.  That doesn’t put them entirely in the wrong, either: they could have done much worse with the vulnerability they discovered and the information they gathered.</p>
<p>All that being said, I found something very interesting in the Goatse response that I hadn’t thought of before.  One of the pieces of information they captured (or rather systematically guessed and then verified through data extraction) is the ICC-ID.  This is the unique identifier of the SIM card in the iPad, and it is tied to the subscriber’s mobile account.  Using ICC-IDs, someone could potentially identify the location of any particular iPad owner and track everywhere the user goes.  This could have very serious security ramifications, especially when you consider who was among that list of 114,000.  If this were really possible (which no one has yet shown), it is certainly a privacy issue but would border on a national security problem.  Imagine if a foreign government knew exactly where all the top military leaders and the Secretary of State were at all times.  There are a lot of scary scenarios we could talk about if this were really possible.  I didn’t think of the risk the ICC-IDs could pose when <a href="http://perimeterusa.com/blog/ipad-owners-exposed-att-and-apple-security-breach/" target="_blank">I wrote my initial blog post</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/could-the-icc-ids-that-goatse-captured-in-the-apple-data-breach-be-a-national-security-problem/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Patch for zero-day Adobe flaws will be available on June 29</title>
		<link>http://perimeterusa.com/blog/patch-for-zero-day-adobe-reader-flaw-will-be-available-on-june-29/</link>
		<comments>http://perimeterusa.com/blog/patch-for-zero-day-adobe-reader-flaw-will-be-available-on-june-29/#comments</comments>
		<pubDate>Fri, 18 Jun 2010 18:57:20 +0000</pubDate>
		<dc:creator>Perimeter</dc:creator>
				<category><![CDATA[Blog Post]]></category>
		<category><![CDATA[0 Day Exploit]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[managed services providers]]></category>
		<category><![CDATA[Vulnerability Assessment Tools]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=865</guid>
		<description><![CDATA[Specially crafted PDF documents can trigger malware being installed on your system just by visiting a website.  ]]></description>
<content:encoded><![CDATA[<p>There are still many people who do not believe that malware can be installed on their computer unless they perform some action that enables it.  For example, they think they have to click on a link or open a file attachment before they are infected.  This simply isn’t the case anymore.  Take, for example, the recent Adobe Flash vulnerability.  A specially crafted PDF document can trigger malware being installed on your system just by visiting a website that serves it.  This vulnerability is so critical that Adobe had to accelerate its scheduled quarterly update to reduce the risk, since the exploit is being actively used in the wild.  The fix for Flash Player was available June 10, and the <a href="http://www.computerworld.com/s/article/9177811/Adobe_delays_Reader_patch_as_attacks_spread_exploit_code_goes_public?source=CTWNLE_nlt_pm_2010-06-08" target="_blank">fixes for Reader and Acrobat will be available on June 29.</a></p>
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/patch-for-zero-day-adobe-reader-flaw-will-be-available-on-june-29/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security Alert for Windows XP and Server 2003 Users</title>
		<link>http://perimeterusa.com/blog/security-alert-for-windows-xp-and-server-2003-users/</link>
		<comments>http://perimeterusa.com/blog/security-alert-for-windows-xp-and-server-2003-users/#comments</comments>
		<pubDate>Tue, 15 Jun 2010 18:51:36 +0000</pubDate>
		<dc:creator>Perimeter</dc:creator>
				<category><![CDATA[Blog Post]]></category>
		<category><![CDATA[0 Day Exploit]]></category>
		<category><![CDATA[application penetration testing]]></category>
		<category><![CDATA[Intrusion Detection System]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[managed services providers]]></category>
		<category><![CDATA[security penetration testing]]></category>
		<category><![CDATA[Vulnerability Assessment Tools]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=839</guid>
		<description><![CDATA[Everyone should be aware of a Microsoft Windows XP and Server 2003 exploit.  Exploit code has been posted online that shows attackers exactly how to compromise Windows XP and Server 2003 operating systems remotely.  ]]></description>
			<content:encoded><![CDATA[<p>Perimeter E-Security customers should be aware of a Microsoft Windows XP and Server 2003 exploit.  Exploit code has been posted online that shows attackers exactly how to compromise Windows XP and Server 2003 systems remotely.  It takes advantage of a newly discovered flaw in the way Windows Help and Support Center processes links.  Help and Support Center is supposed to accept only URLs on a fixed “whitelist” (a list of approved, trusted help pages), but a security researcher at Google has shown how that whitelist check can be bypassed.  As a result, an attacker who tricks a user into following a crafted link can download and run any file the attacker chooses.  Whatever is downloaded runs with the permissions of the current user, and many systems are still configured by default with that user holding administrative privileges.</p>
<p><strong>Microsoft said “Given the public disclosure of the details of the vulnerability, and how to exploit it, customers should be aware that broad attacks are likely.”</strong>  That includes worms and a host of other malware that can exploit this flaw automatically, delivered through a variety of methods.</p>
<p>This is worse than most vulnerabilities we see.  Most vulnerabilities allow a system to be compromised in one specific way that gives the hacker limited access or flexibility.  This one makes it very easy for a cyber criminal to install any software they want, and when the victim is running as an administrator, to do so with full system privileges.</p>
<p><strong>The solution?</strong></p>
<ul>
<li>There is no patch from Microsoft at this time.  However, there is a manual “workaround.”</li>
</ul>
<p>The manual “workaround” involves editing the Registry: it unregisters the hcp: protocol handler so that hcp:// links are no longer handed to Help and Support Center.  Note &#8211; only experienced system administrators should edit the registry by hand; one wrong move can cause major stability and boot problems.  The details of the registry edit can be found in the <a href="http://www.microsoft.com/technet/security/advisory/2219475.mspx" target="_blank">Microsoft Security Advisory (2219475)</a>.<br />
Beware that Microsoft says this may break links that you are trying to use in the Help and Support Center.  Microsoft has also posted a knowledge base article with a “Fix it” <a href="http://support.microsoft.com/kb/2219475" target="_blank">here</a>.</p>
<ul>
<li>Stay tuned for more details from Microsoft.</li>
</ul>
<p>Microsoft is working on a patch.  The Google researcher who discovered the flaw has released a fix of his own; however, Microsoft says that fix is easily bypassed and that users should not rely on it to resolve the problem.</p>
<p>While Microsoft is working on a patch, Perimeter E-Security continues to encourage users (especially those using XP) to create a limited user account for everyday computing.  Read more on this <a href="http://blog.washingtonpost.com/securityfix/2006/05/the_importance_of_the_limited.html" target="_blank">here</a>. This will go a long way to protect systems from this exploit as well as many others we have seen in the past and will likely see in the future.</p>
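<p>The workaround above, scripted, as an added example that is not from the original post and not from Microsoft: it checks whether the hcp: protocol handler (the HKEY_CLASSES_ROOT\HCP key that Advisory 2219475 tells you to delete) is still registered, exports it before removing it, and restores it from that export once the real patch is installed.  It also checks whether the account running it is an administrator, which is the same test an everyday account should fail.  It assumes Windows XP or Server 2003 with PowerShell 2.0 and an administrator prompt; the backup file location is an assumption.</p>

```powershell
# Added example, not from the original post or from Microsoft: apply, verify and
# reverse the registry workaround from Microsoft Security Advisory 2219475,
# which unregisters the hcp: protocol handler (the HKEY_CLASSES_ROOT\HCP key).
# Assumes Windows XP / Server 2003 with PowerShell 2.0, run from an
# administrator prompt. The backup file location is an assumption.

$HcpKey     = 'Registry::HKEY_CLASSES_ROOT\HCP'
$BackupFile = Join-Path $env:SystemDrive 'hcp-handler-backup.reg'   # assumed path

function Test-IsAdministrator {
    # Registry edits under HKCR need administrative rights. This is also the
    # check behind the advice above: your everyday account should NOT pass it.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-HcpHandlerRegistered {
    # True while the hcp: handler exists, i.e. while crafted hcp:// links
    # are still routed to Help and Support Center.
    return (Test-Path -Path $HcpKey)
}

function Backup-HcpHandler {
    # Export the key first so the workaround can be undone once the patch ships.
    if (-not (Test-HcpHandlerRegistered)) {
        Write-Warning 'HKCR\HCP is not present; nothing to back up.'
        return $false
    }
    if (Test-Path -Path $BackupFile) { Remove-Item -Path $BackupFile -Force }
    & reg.exe export 'HKCR\HCP' $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed (exit code $LASTEXITCODE)" }
    Write-Host "Exported HKCR\HCP to $BackupFile"
    return $true
}

function Disable-HcpHandler {
    # Apply the workaround. Side effect noted in the advisory: hcp:// links
    # inside Help and Support Center stop working until the key is restored.
    if (-not (Test-IsAdministrator)) { throw 'Run this from an administrator prompt.' }
    if (-not (Backup-HcpHandler)) { return }
    Remove-Item -Path $HcpKey -Recurse -Force
    if (Test-HcpHandlerRegistered) { throw 'HKCR\HCP still present after removal; check permissions.' }
    Write-Host 'hcp: protocol handler unregistered.'
}

function Restore-HcpHandler {
    # Reverse the workaround after the real patch is installed.
    if (-not (Test-IsAdministrator)) { throw 'Run this from an administrator prompt.' }
    if (-not (Test-Path -Path $BackupFile)) { throw "No backup found at $BackupFile" }
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe import failed (exit code $LASTEXITCODE)" }
    Write-Host 'hcp: protocol handler restored.'
}

# Report the current state. Uncomment the last line to apply the workaround.
if (Test-HcpHandlerRegistered) {
    Write-Host 'hcp: handler is registered; this system is exposed until it is patched or the workaround is applied.'
} else {
    Write-Host 'hcp: handler is not registered; the workaround is in place.'
}
if (Test-IsAdministrator) {
    Write-Warning 'You are running as an administrator; use a limited account for everyday work.'
}
# Disable-HcpHandler
```

<p>Run it as-is to see where a machine stands; uncomment the final line (or call <code>Disable-HcpHandler</code> from the prompt) to apply the workaround, and call <code>Restore-HcpHandler</code> after the patch is installed.  Keep the exported .reg file: deleting the key without it leaves no clean way back.</p>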
<p>Contact us today at 800.234.2175 to talk with a security expert if you have further questions.</p>
<p>Tags: Windows XP exploit, Server 2003 exploit, vulnerability assessment tools, IT security, application penetration testing, managed service providers, intrusion detection system, security penetration testing</p>
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/security-alert-for-windows-xp-and-server-2003-users/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Critical Zero-Day Vulnerability in Adobe Reader and Flash Player</title>
		<link>http://perimeterusa.com/blog/critical-zero-day-vulnerability-in-adobe-reader-and-flash-player/</link>
		<comments>http://perimeterusa.com/blog/critical-zero-day-vulnerability-in-adobe-reader-and-flash-player/#comments</comments>
		<pubDate>Tue, 15 Jun 2010 18:05:46 +0000</pubDate>
		<dc:creator>Perimeter</dc:creator>
				<category><![CDATA[Blog Post]]></category>
		<category><![CDATA[0 Day Exploit]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[security penetration testing]]></category>
		<category><![CDATA[Vulnerability Assessment Tools]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=833</guid>
		<description><![CDATA[There is a critical zero-day flaw in Adobe Reader and Adobe Flash Player that can allow attackers to take full control of vulnerable computers.]]></description>
			<content:encoded><![CDATA[<p>There is a <a title="Critical Flaw in Adobe Reader and Adobe Flash" href="http://www.computerworld.com/s/article/9177705/Update_Attackers_exploit_critical_bug_in_Adobe_s_Flash_Reader?taxonomyId=85" target="_blank">critical zero-day flaw in Adobe Reader and Adobe Flash Player</a> that can allow attackers to take full control of vulnerable computers.  Because nearly everyone has Adobe Reader and Flash Player installed, and because this is a <a href="http://news.bbc.co.uk/2/hi/technology/10257411.stm" target="_blank">0-day exploit</a> with no patch available yet, nearly everyone is exposed.  Strictly speaking only particular versions are affected, but that still covers a lot of people.  There are reports that the vulnerability is being exploited “in the wild”.  The unsettling thing about application vulnerabilities is that they are often not confined to a single operating system.  This one is a good example: the same flaw exists in the Windows, Mac, Linux and Solaris builds of these products.</p>
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/critical-zero-day-vulnerability-in-adobe-reader-and-flash-player/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>iPad Owners Exposed &#8211; AT&amp;T and Apple Security Breach</title>
		<link>http://perimeterusa.com/blog/ipad-owners-exposed-att-and-apple-security-breach/</link>
		<comments>http://perimeterusa.com/blog/ipad-owners-exposed-att-and-apple-security-breach/#comments</comments>
		<pubDate>Fri, 11 Jun 2010 13:43:59 +0000</pubDate>
		<dc:creator>Perimeter</dc:creator>
				<category><![CDATA[Blog Post]]></category>
		<category><![CDATA[AT&T Breach]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Security Breach]]></category>
		<category><![CDATA[Vulnerability Assessment Tools]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=817</guid>
		<description><![CDATA[Poor website security practices by AT&#038;T lead to the breach, but like many breaches, AT&#038;T is just the third party.  So when everyone references this breach in the future it will be Apple’s name, not AT&#038;T. ]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft" title="Security  Breach" src="http://www.perimeterusa.com/images/comp.png" alt="" width="204" height="158" /><a title="iPad Owners Exposed" href="http://gawker.com/5559346/apples-worst-security-breach-114000-ipad-owners-exposed" target="_blank">Read about it here</a>.  Here is what I think about it.</p>
<p>Poor website security practices by AT&amp;T led to the breach, but, as in many breaches, AT&amp;T is only the third party, so when people refer to this breach in the future it will be by Apple’s name, not AT&amp;T’s.  That said, this one is largely symbolic, because e-mail addresses by themselves usually don’t constitute a data breach, and it is unclear what other information, if any, was also captured.  What makes the case interesting is that at any other time nobody would care about exposed e-mail addresses.  This isn’t about a data breach; it is about a group being able to capture an exclusive list of America’s most influential people and their private e-mail addresses, a list that simply doesn’t exist anywhere else.  Goatse Security (the group that found the flaw) wrote a script that systematically harvested those addresses from the AT&amp;T website: it fed the site iPad SIM identifiers (ICC-IDs), and for every iPad owner who had signed up for 3G service the site answered with the matching e-mail address, with no authentication required.  They say 114,000 addresses were compromised; it is likely that many more were.  Personally, this is where I think Goatse stepped over the line.  They found and exploited the vulnerability.  They told AT&amp;T about it.  They wanted press, and they have it.  But they also said they gave the exploit script to others.  Who are these others?  What did they do with it?  It is always a slippery slope when a rogue security firm does this sort of thing in the first place, but if you are going to operate in a “grey area”, you really shouldn’t hand the script to others to use.  That is what turns grey into black very quickly.  Let’s all remember that it is just e-mail addresses (as far as we know).  It isn’t as if someone hacked into the government, took over the president’s “red phone” and called in a nuclear strike.  But given the high profile of those affected (you can’t get much higher), AT&amp;T and Apple will take a lot of heat for this.</p>
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/ipad-owners-exposed-att-and-apple-security-breach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Network-Based IDS/IPS and Their Value and Challenges in the Current Market</title>
		<link>http://perimeterusa.com/blog/network-based-idsips-and-their-value-and-challenges-in-the-current-market/</link>
		<comments>http://perimeterusa.com/blog/network-based-idsips-and-their-value-and-challenges-in-the-current-market/#comments</comments>
		<pubDate>Thu, 03 Jun 2010 12:54:24 +0000</pubDate>
		<dc:creator>Perimeter</dc:creator>
				<category><![CDATA[Blog Post]]></category>
		<category><![CDATA[Banking Information Security]]></category>
		<category><![CDATA[Hackers]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Vulnerability Assessment Tools]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=810</guid>
		<description><![CDATA[I was recently asked to answer some questions for a magazine article about network-based IDS/IPS and their value and challenges in the current market and environment. ]]></description>
			<content:encoded><![CDATA[<p>I was recently asked to answer some questions for a magazine article about network-based IDS/IPS and their value and challenges in the current market and environment.  These were some of my responses:</p>
<p><strong>What are the greatest challenges now?</strong></p>
<ul>
<li>Attacks are becoming so sophisticated that hackers have developed methods to bypass or subvert traditional IDS/IPS systems.</li>
<li>Additionally, more and more hackers are using malware to do their dirty work rather than the traditional inbound attacks where IDS/IPS systems are most effective.  Once the hacker gets malware onto an internal system, the IDS/IPS is largely out of the picture.  This is why methods to install and spread malware have absolutely exploded, malicious websites especially (although that is only one of several methods).  Once malware is installed on a local system, the bad guys open encrypted tunnels back to their command-and-control networks.  An IDS/IPS cannot read encrypted packets, so essentially all of this happens “under the radar” of traditional security solutions.</li>
</ul>
<p><strong>Which industries are most/least vulnerable?</strong></p>
<ul>
<li>Any industry that houses valuable data is always a greater target.  These include anything that can assist in identity theft or fraud for the hackers.  Usually this means companies that house financial data or personally-identifying data.  So, banks and healthcare providers are at the top of the list.</li>
</ul>
<p><strong>What are myths and realities about some of the current strategies and solutions?</strong></p>
<ul>
<li>Unfortunately, people still think that edge-based security solutions are enough to keep the bad guys out.  A firewall, network-based IDS/IPS and other technologies that are in the network or “cloud” are still necessary but are far from enough to keep the hackers at bay.</li>
</ul>
<p><strong>What are the key points you want to make in this interview?</strong></p>
<ul>
<li>See the answer above on myths and realities again…then…the only effective way to secure sensitive data and mission-critical systems is a next-generation HOST-BASED intrusion prevention system.  Rather than a network-based system that can be bypassed or subverted, HIPS is installed directly on the system you are trying to protect and can protect it at a much deeper level than traditional network-based solutions.  It combines signature matching with behavioral techniques.  Combined with 24&#215;7 management and monitoring, it offers the greatest protection for these targeted industries.  And don’t feel you have to install HIPS everywhere…you only need it on those “mission-critical” systems whose compromise or unavailability for a period of time would be a real problem for your organization.</li>
</ul>
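<p>One thing a network sensor still sees when the payload is encrypted is the metadata: who talked to whom, how often, and how regularly.  The following is an added example, not part of the original interview, that hunts for the periodic “beaconing” a command-and-control tunnel tends to produce by measuring how evenly spaced a host’s connections to one destination are.  The flow records are constructed for the example (documentation IP ranges), and the field names, the six-connection minimum and the 15 percent jitter threshold are assumptions; real flow exports from a firewall or NetFlow collector would replace the inline lines.</p>

```powershell
# Added example, not part of the original interview: hunt for periodic
# "beaconing" in connection metadata. A network sensor cannot read the
# encrypted payload of a C2 tunnel, but it can still see who talked to whom,
# how often and how regularly. The flow records below are constructed for
# the example; the field names and the thresholds are assumptions.

$FlowLines = @(
    'time,src,dst,dport,bytes',
    # infected host: one connection to the same server every 60 s, +/- a few s
    '2010-06-03T09:00:00,10.0.0.5,203.0.113.10,443,612',
    '2010-06-03T09:01:01,10.0.0.5,203.0.113.10,443,598',
    '2010-06-03T09:01:59,10.0.0.5,203.0.113.10,443,604',
    '2010-06-03T09:03:00,10.0.0.5,203.0.113.10,443,611',
    '2010-06-03T09:04:02,10.0.0.5,203.0.113.10,443,590',
    '2010-06-03T09:04:58,10.0.0.5,203.0.113.10,443,607',
    '2010-06-03T09:06:00,10.0.0.5,203.0.113.10,443,599',
    # same host, ordinary browsing: irregular gaps to a different server
    '2010-06-03T09:00:12,10.0.0.5,198.51.100.7,443,14233',
    '2010-06-03T09:00:31,10.0.0.5,198.51.100.7,443,8871',
    '2010-06-03T09:02:47,10.0.0.5,198.51.100.7,443,20211',
    '2010-06-03T09:03:05,10.0.0.5,198.51.100.7,443,3320',
    '2010-06-03T09:05:10,10.0.0.5,198.51.100.7,443,9901',
    '2010-06-03T09:05:14,10.0.0.5,198.51.100.7,443,1200',
    '2010-06-03T09:05:59,10.0.0.5,198.51.100.7,443,4410'
)

function ConvertFrom-FlowLines {
    param([string[]]$Lines)
    # ConvertFrom-Csv turns the header line into property names.
    foreach ($row in ($Lines | ConvertFrom-Csv)) {
        New-Object PSObject -Property @{
            Time  = [datetime]$row.time
            Src   = $row.src
            Dst   = $row.dst
            DPort = [int]$row.dport
            Bytes = [int]$row.bytes
        }
    }
}

function Find-BeaconCandidates {
    param(
        [object[]]$Flows,
        [int]$MinConnections = 6,       # fewer than this and timing says little
        [double]$MaxJitterRatio = 0.15  # std.dev / mean of the gaps between connections
    )
    $groups = $Flows | Group-Object -Property Src, Dst, DPort |
              Where-Object { $_.Count -ge $MinConnections }
    foreach ($g in $groups) {
        $times = @($g.Group | Sort-Object -Property Time | ForEach-Object { $_.Time })
        $gaps  = @()
        for ($i = 1; $i -lt $times.Count; $i++) {
            $gaps += ($times[$i] - $times[$i - 1]).TotalSeconds
        }
        $mean  = ($gaps | Measure-Object -Average).Average
        $sumSq = 0.0
        foreach ($gap in $gaps) { $sumSq += ($gap - $mean) * ($gap - $mean) }
        $stdDev = [math]::Sqrt($sumSq / $gaps.Count)
        # Low ratio = evenly spaced connections = something on a timer.
        $ratio  = if ($mean -gt 0) { $stdDev / $mean } else { 1.0 }
        if ($ratio -le $MaxJitterRatio) {
            New-Object PSObject -Property @{
                Src             = $g.Group[0].Src
                Dst             = $g.Group[0].Dst
                DPort           = $g.Group[0].DPort
                Connections     = $g.Count
                MeanIntervalSec = [math]::Round($mean, 1)
                JitterRatio     = [math]::Round($ratio, 3)
            }
        }
    }
}

$flows = ConvertFrom-FlowLines -Lines $FlowLines
# Only the 203.0.113.10:443 series (about 60 s apart) should be reported;
# the browsing to 198.51.100.7 has gaps of 4 to 136 s and is filtered out.
Find-BeaconCandidates -Flows $flows |
    Format-Table Src, Dst, DPort, Connections, MeanIntervalSec, JitterRatio -AutoSize
```

<p>Timing alone produces false positives (software update checks, monitoring agents), so in practice the candidate list is a starting point for triage, not an alert by itself; combining it with destination reputation, near-constant byte counts and the lack of any prior history for the destination tightens it considerably.  The point stands that encryption hides what is said, not that a conversation is happening.</p>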
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/network-based-idsips-and-their-value-and-challenges-in-the-current-market/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Network Barometer Report 2010</title>
		<link>http://perimeterusa.com/blog/network-barometer-report-2010/</link>
		<comments>http://perimeterusa.com/blog/network-barometer-report-2010/#comments</comments>
		<pubDate>Thu, 06 May 2010 20:46:18 +0000</pubDate>
		<dc:creator>Perimeter</dc:creator>
				<category><![CDATA[Blog Post]]></category>
		<category><![CDATA[Vulnerability Assessment Tools]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=782</guid>
		<description><![CDATA[IT solutions and services provider performs assessments for organizations and released some of the findings over the previous year]]></description>
			<content:encoded><![CDATA[<p>There was an interesting study published recently.  It is called the <a title="Network Barometer Report 2010" href="http://www.dimensiondata.com/Microsites/NetworkBarometer/Pages/Home.aspx" target="_blank">Network Barometer Report 2010 and is done by Dimension Data</a>, a global IT solutions and services provider.  They perform assessments for organizations and released some of the findings from the previous year.  They looked at 235 assessments during 2009 and found that over 38 percent of network devices, including routers, switches, and gateways, had security vulnerabilities exposing them to external and internal attacks.  They found an average of 40.7 configuration best-practice errors per device, 17 of which (on average) were security related.  One of the more interesting aspects of the study was that 35 percent of network devices were found to be past “end of sale”, meaning the vendor no longer sells that device and software maintenance and patches will not be available much longer.  Of that 35 percent, more than half were already beyond the end-of-software-maintenance date.  Devices that no longer receive patches are obvious targets for hackers.</p>
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/network-barometer-report-2010/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New zero day vulnerability: Java Deployment Toolkit could be exploited to execute malicious code</title>
		<link>http://perimeterusa.com/blog/new-zero-day-vulnerability-java-deployment-toolkit-could-be-exploited-to-execute-malicious-code/</link>
		<comments>http://perimeterusa.com/blog/new-zero-day-vulnerability-java-deployment-toolkit-could-be-exploited-to-execute-malicious-code/#comments</comments>
		<pubDate>Wed, 14 Apr 2010 14:11:13 +0000</pubDate>
		<dc:creator>Perimeter</dc:creator>
				<category><![CDATA[Blog Post]]></category>
		<category><![CDATA[0 Day Exploit]]></category>
		<category><![CDATA[Vulnerability Assessment Tools]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=744</guid>
		<description><![CDATA[A vulnerability in a NPAPI plug-in and ActiveX control called Java Deployment Toolkit could be exploited to execute malicious code affecting all recent versions of Windows.]]></description>
			<content:encoded><![CDATA[<p>“A vulnerability in a NPAPI plug-in and ActiveX control called Java Deployment Toolkit could be exploited to execute malicious code. The flaw affects all recent versions of Windows and may affect versions of Linux as well.  Attackers can exploit the flaw through maliciously crafted websites that pass commands to Java components that start certain applications, including Internet Explorer and Firefox.</p>
<p>Disabling the Java plug-in does not protect users from attacks.”</p>
<p><a title="From CNET" href="http://news.cnet.com/8301-27080_3-20002199-245.html?tag=mncol;title" target="_blank">Java flaw exposes Windows users to attacks &gt;&gt;</a></p>
<p><a title="From Information Week" href="http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=224202510" target="_blank">Java Zero-Day Vulnerability Revealed &gt;&gt;</a></p>
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/new-zero-day-vulnerability-java-deployment-toolkit-could-be-exploited-to-execute-malicious-code/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Browser Vulnerability May Expose Your Hard Drive to Hackers</title>
		<link>http://perimeterusa.com/blog/browser-vulnerability-may-expose-your-hard-drive-to-hackers/</link>
		<comments>http://perimeterusa.com/blog/browser-vulnerability-may-expose-your-hard-drive-to-hackers/#comments</comments>
		<pubDate>Fri, 05 Feb 2010 17:55:53 +0000</pubDate>
		<dc:creator>Perimeter</dc:creator>
				<category><![CDATA[Blog Post]]></category>
		<category><![CDATA[Hackers]]></category>
		<category><![CDATA[Vulnerability Assessment Tools]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=334</guid>
		<description><![CDATA[There may be a browser vulnerability that can expose your hard drive to hackers, with no patch available from Microsoft.]]></description>
			<content:encoded><![CDATA[<div class="mceTemp">
<dl id="attachment_335" class="wp-caption alignleft" style="width: 160px;">
<dt class="wp-caption-dt"><img class="size-thumbnail wp-image-335" title="Hacker_BW" src="http://perimeterusa.com/blog/wp-content/uploads/2010/02/Hacker_BW-150x150.jpg" alt="g" width="150" height="150" /></dt>
<dd class="wp-caption-dd"></dd>
</dl>
</div>
<p>There may be a <a href="http://www.darkreading.com/vulnerability_management/security/client/showArticle.jhtml?articleID=222500167&amp;subSection=End+user/client+security" target="_blank">browser vulnerability that can expose your entire hard drive to hackers</a>.  While most people worry about remote code execution or hijacked systems, this one would simply let an attacker read and download the entire contents of your hard drive when you visit a malicious or compromised website.</p>
<p>I find this an interesting story because the vulnerability is not a traditional one.  Usually there is a bug in a program that gets exploited.  Here there is no real bug in any single component; it is the combination of two separate mechanisms (Internet Explorer’s URL Security Zones and its handling of file-sharing links) that becomes a serious problem.  As of today there is no patch available from Microsoft.</p>
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/browser-vulnerability-may-expose-your-hard-drive-to-hackers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mobile Devices Threaten Corporate Security</title>
		<link>http://perimeterusa.com/blog/mobile-devices-threaten-corporate-security/</link>
		<comments>http://perimeterusa.com/blog/mobile-devices-threaten-corporate-security/#comments</comments>
		<pubDate>Tue, 20 Oct 2009 15:26:17 +0000</pubDate>
		<dc:creator>Perimeter</dc:creator>
				<category><![CDATA[Blog Post]]></category>
		<category><![CDATA[Vulnerability Assessment Tools]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=95</guid>
		<description><![CDATA[Mobile devices are becoming a bigger and bigger issue as it pertains to vulnerabilities that can lead to exploit. Keeping servers and desktops patched is simply not enough. In our world today, people use their iPhones to access, edit, send and store sensitive data (whether the company knows it or not). In September, Apple released [...]]]></description>
			<content:encoded><![CDATA[<p>Mobile devices are becoming a bigger and bigger issue where exploitable vulnerabilities are concerned.  Keeping servers and desktops patched is simply not enough.  People today use their iPhones to access, edit, send and store sensitive data (whether the company knows it or not).  In September, <a href="http://www.computerworld.com/s/article/9137832/Apple_patches_10_iPhone_bugs_4_QuickTime_flaws?source=rss_security" target="_new">Apple released 10 fixes</a> for vulnerabilities in the iPhone.  Some of <a href="http://support.apple.com/kb/HT3860" target="_new">these vulnerabilities</a> could be exploited to access sensitive data stored on the iPhone.  Organizations need policies, procedures, and solutions in place that address portable devices and media if they want to reduce their exposure to a data security breach.</p>
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/mobile-devices-threaten-corporate-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Microsoft Security Bulletins Raise Questions About Vulnerability Management</title>
		<link>http://perimeterusa.com/blog/microsoft-security-bulletins-raise-questions-about-vulnerability-management/</link>
		<comments>http://perimeterusa.com/blog/microsoft-security-bulletins-raise-questions-about-vulnerability-management/#comments</comments>
		<pubDate>Mon, 19 Oct 2009 15:27:07 +0000</pubDate>
		<dc:creator>Perimeter</dc:creator>
				<category><![CDATA[Blog Post]]></category>
		<category><![CDATA[Vulnerability Assessment Tools]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=97</guid>
		<description><![CDATA[More and more vulnerabilities all of the time. Microsoft announced 5 security bulletins that address 8 vulnerabilities. Each of the 5 bulletins had a maximum severity rating of &#8220;Critical&#8221;. People hear me talk all the time about how on average there are 20 new vulnerabilities found on a daily basis. Now, not all of those [...]]]></description>
			<content:encoded><![CDATA[<p>More and more vulnerabilities all the time.  <a href="http://www.microsoft.com/technet/security/bulletin/ms09-sep.mspx" target="_blank">Microsoft announced 5 security bulletins that address 8 vulnerabilities</a>.  Each of the 5 bulletins carries a maximum severity rating of &#8220;Critical&#8221;.  People hear me talk all the time about how, on average, 20 new vulnerabilities are found every day.  Not all 20 affect each and every system, and not all of them are considered critical; but <a href="http://www.microsoft.com/technet/security/bulletin/ms09-sep.mspx" target="_new">for Microsoft to announce 5 bulletins</a>, all of which are rated <a href="http://www.microsoft.com/technet/security/bulletin/rating.mspx" target="_new">critical</a>, makes you wonder whether we are moving in the right direction when it comes to vulnerability identification and management.  All of these flaws could be exploited to gain access to the vulnerable system WITHOUT ANY USER INTERACTION.  These are very serious vulnerabilities.  Be sure your systems are up to date with the latest patches.</p>
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/microsoft-security-bulletins-raise-questions-about-vulnerability-management/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Preventing Zero Day Attacks with Behavioral Based System Security</title>
		<link>http://perimeterusa.com/blog/preventing-zero-day-attacks-with-behavioral-based-system-security/</link>
		<comments>http://perimeterusa.com/blog/preventing-zero-day-attacks-with-behavioral-based-system-security/#comments</comments>
		<pubDate>Fri, 09 Oct 2009 15:41:30 +0000</pubDate>
		<dc:creator>Perimeter</dc:creator>
				<category><![CDATA[Blog Post]]></category>
		<category><![CDATA[0 Day Exploit]]></category>
		<category><![CDATA[Vulnerability Assessment Tools]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=118</guid>
		<description><![CDATA[Zero Day vulnerabilities are more prevalent than ever. The very definition of a zero day vulnerability is that there is no patch or fix for available. As a result, we are seeing a greater and greater need for organizations to use different methods to protect their systems and networks. The methods that work best against [...]]]></description>
			<content:encoded><![CDATA[<p>Zero-day vulnerabilities are more prevalent than ever.  By definition, a zero-day vulnerability is one for which no patch or fix is yet available.  As a result, organizations increasingly need other methods to protect their systems and networks.  The methods that work best against this type of threat are behavioral in nature and reside on the system itself.  <a href="http://www.perimeterusa.com/system-defense/host-intrusion-prevention.html" target="_new">Host-based intrusion detection and prevention</a> is one such technology: it watches the system&#8217;s behavior and can say &#8220;something doesn&#8217;t look right&#8221; or &#8220;why would that process be doing that?&#8221;.  Because the software is configured specifically for that system, it can spot behavioral exceptions and take action.  Behavioral system security software with 24&#215;7 management and monitoring is going to become more and more necessary to detect and stop these attacks.</p>
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/preventing-zero-day-attacks-with-behavioral-based-system-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

