Wednesday, August 31, 2011

Morto worm sets a (DNS) record (Symantec)

There has been a lot of coverage of the recent RDP capable W32.Morto worm, but one of the more interesting aspects of the worm’s behavior appears to have been overlooked. Most malware that we have seen recently has some means of communication with a remote Command and Control (C&C) server. The actual vector of communication tends to vary between threats. For example, W32.IRCBot uses Internet Relay Chat channels whereas the recent high profile threat, Trojan.Downbot, is capable of reading commands embedded in HTML pages and image files. W32.Morto has added another C&C communication vector by supplying remote commands through Domain Name System (DNS) records.
DNS is primarily used to translate human readable URLs, such as “”, into numerical network identifiers. Every URL on the Internet is eventually resolved to an associated IP address using this system, typically using a DNS A record for IPv4. The A record is what we usually think of when we discuss DNS. These records map domain names to their associated IP addresses, with a PTR record used for the inverse operation of IP to host. But DNS is not limited to these record types; a number of record types have been defined in various RFCs over the years to address the changing needs of the system. The record type that W32.Morto uses for its communication protocol is the TXT record.
The DNS TXT record type was originally used to allow human readable text to be stored with a DNS record and later evolved to store machine-usable data. To experiment with this, you can use the Microsoft nslookup.exe tool. By querying the TXT record type for “” you can retrieve the SPF information associated with the domain.
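A defender's counterpart to the nslookup experiment above: a small detection over DNS resolver query logs that flags a host repeatedly polling the same name for TXT records, the C&C pattern attributed to W32.Morto, while leaving ordinary one-off TXT lookups (SPF checks) alone. This is an added example, not Symantec's code; the log lines are constructed BIND-style entries and the host names are placeholders.

```python
import re
from collections import Counter, defaultdict

# Constructed BIND-style query log lines for this example; hosts and names are placeholders.
# The single TXT lookup by 10.0.0.5 is the kind an MTA makes for SPF and should not be flagged.
SAMPLE_LOG = """\
client 10.0.0.5#51234: query: www.example.test IN A + (10.0.0.1)
client 10.0.0.5#51235: query: example.test IN TXT + (10.0.0.1)
client 10.0.0.7#40001: query: cmd.placeholder-c2.test IN TXT + (10.0.0.1)
client 10.0.0.7#40002: query: cmd.placeholder-c2.test IN TXT + (10.0.0.1)
client 10.0.0.7#40003: query: cmd.placeholder-c2.test IN TXT + (10.0.0.1)
client 10.0.0.7#40004: query: cmd.placeholder-c2.test IN TXT + (10.0.0.1)
client 10.0.0.7#40005: query: www.example.test IN A + (10.0.0.1)
"""

LINE_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>[A-Z]+)")

def parse_queries(log_text):
    """Yield (client_ip, lowercase query name, query type) for each line the regex understands."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("client"), m.group("name").lower(), m.group("qtype")

def repeated_txt_lookups(log_text, min_repeats=3):
    """Return sorted (client, name, txt_count, txt_share) tuples for every client that asked
    for the same TXT record at least min_repeats times. txt_share is the fraction of that
    client's queries that were TXT lookups, reported for context. Legitimate TXT use is
    usually one lookup per name per client; a host polling one name for TXT looks like the
    W32.Morto command channel described above and deserves a closer look."""
    totals = Counter()
    txt_by_client = defaultdict(Counter)
    for client, name, qtype in parse_queries(log_text):
        totals[client] += 1
        if qtype == "TXT":
            txt_by_client[client][name] += 1
    findings = []
    for client, names in txt_by_client.items():
        txt_share = sum(names.values()) / totals[client]
        for name, count in names.items():
            if count >= min_repeats:
                findings.append((client, name, count, round(txt_share, 2)))
    return sorted(findings)

if __name__ == "__main__":
    for client, name, count, share in repeated_txt_lookups(SAMPLE_LOG):
        print(f"{client} asked for TXT {name} {count} times ({share:.0%} of its queries were TXT)")
```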

Tuesday, August 30, 2011

DigiNotar reports security incident

The DigiNotar rogue SSL certificate incident has been widely discussed in web posts, on Twitter and through other channels. DigiNotar has now officially released a public announcement to clarify the incident.


VASCO Data Security International, Inc. (Nasdaq: VDSI; today comments on DigiNotar’s reported security incident. DigiNotar is a wholly owned subsidiary of VASCO.

On July 19th 2011, DigiNotar detected an intrusion into its Certificate Authority (CA) infrastructure, which resulted in the fraudulent issuance of public key certificate requests for a number of domains, including
Once it detected the intrusion, DigiNotar has acted in accordance with all relevant rules and procedures.
At that time, an external security audit concluded that all fraudulently issued certificates were revoked. Recently, it was discovered that at least one fraudulent certificate had not been revoked at the time.  After being notified by Dutch government organization Govcert, DigiNotar took immediate action and revoked the fraudulent certificate.

The attack was targeted solely at DigiNotar's Certificate Authority infrastructure for issuing SSL and EVSSL certificates. No other certificate types were issued or compromised. DigiNotar stresses the fact that the vast majority of its business, including its Dutch government business (PKIOverheid), was completely unaffected by the attack.

The company will take every possible precaution to secure its SSL and EVSSL certificate offering, including temporarily suspending the sale of its SSL and EVSSL certificate offerings. The company will only restart its SSL and EVSSL certificate activities after thorough additional security audits by third party organizations.

DigiNotar actively looks for quick and effective solutions for its existing (EV)SSL customers. The company expects to have a solution for its entire customer base before the end of this business week. DigiNotar expects that the cost of this action will be minimal.

The incident at DigiNotar has no consequences whatsoever for VASCO's core authentication technology. The technological infrastructures of VASCO and DigiNotar are completely separated, meaning that there is no risk for infection of VASCO’s strong authentication business.

VASCO expects the impact of the breach of DigiNotar’s SSL and EVSSL business to be minimal. Through the first six months of 2011, revenue from the SSL and EVSSL business was less than Euro 100,000.
VASCO does not expect that the DigiNotar security incident will have a significant impact on the company’s future revenue or business plans.


Friday, August 26, 2011

Apple iCloud phishing attacks

It is no surprise that Apple iCloud has become a phishing target. Below is the Sophos post describing the Apple iCloud phishing attacks in detail.

When a Naked Security reader forwarded us a suspicious email he received today, it served as a healthy reminder for all computer users to be on their guard against phishing attacks.
The email claims to come from Apple, and appears to have targeted our correspondent because he is a user of Apple's MobileMe service.
Apple is planning to shut down its MobileMe service in mid-2012, as it is readying its new iCloud service (which will store music, photos, calendars, documents etc in 'the cloud' and wirelessly push them to all of your devices).
Understandably, a lot of MobileMe users are interested in how they will migrate to iCloud and this is the issue that the phishing email uses as bait.
iCloud phishing email

Welcome to iCLOUD
Message body:
Important information for MobileMe members.
Dear MobileMe member,
Please sign up for iCloud and click the submit botton, you'll be able to keep your old
email address and move your mail, contacts, calendars, and bookmarks to the new service.
Your subscription will be automatically extended through July 31, 2012, at no additional charge.
After that date, MobileMe will no longer be available.
Click here to update iCLOUD
The Apple store Team


Apache Web Server Vulnerable CVE-2011-3192

The Apache Software Foundation has announced that the Apache Web Server (httpd) is vulnerable to attack (CVE-2011-3192). According to the advisory, the attack can be carried out remotely, and a modest number of requests can cause very significant memory and CPU usage on the server. A patch for the vulnerability is expected to be released within another 46 hours.

Luckily, mitigation steps are available to counter the attack while waiting for the patch to the vulnerable httpd.

Mitigation Steps:

1) Use SetEnvIf or mod_rewrite to detect a large number of ranges and then
   either ignore the Range: header or reject the request.

   Option 1: (Apache 2.0 and 2.2)

          # Drop the Range header when more than 5 ranges.
          # CVE-2011-3192
          SetEnvIf Range (,.*?){5,} bad-range=1
          RequestHeader unset Range env=bad-range

          # optional logging.
          CustomLog logs/range-CVE-2011-3192.log common env=bad-range

   Option 2: (Also for Apache 1.3)

          # Reject request when more than 5 ranges in the Range: header.
          # CVE-2011-3192
          RewriteEngine on
          RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
          RewriteRule .* - [F]

   The number 5 is arbitrary. Several 10's should not be an issue and may be
   required for sites which for example serve PDFs to very high end eReaders
   or use things such as complex http based video streaming.

2) Limit the size of the request field to a few hundred bytes. Note that while
   this keeps the offending Range header short - it may break other headers;
   such as sizeable cookies or security fields.

          LimitRequestFieldSize 200

   Note that as the attack evolves in the field you are likely to have
   to further limit this and/or impose other LimitRequestFields limits.


3) Use mod_headers to completely dis-allow the use of Range headers:

          RequestHeader unset Range

   Note that this may break certain clients - such as those used for
   e-Readers and progressive/http-streaming video.

4) Deploy a Range header count module as a temporary stopgap measure:

   Precompiled binaries for some platforms are available at:

5) Apply any of the current patches under discussion - such as:
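
To see what the two Range-counting rules in step 1 actually accept, the following added example (not part of the Apache advisory) reproduces the SetEnvIf and RewriteCond patterns verbatim in Python and compares their decisions for headers carrying 0 to 8 ranges. The Range values are constructed sequential byte ranges used only as test input.

```python
import re

# Patterns copied from the two mitigation options in step 1 above.
# Option 1 (SetEnvIf): fires when the Range value contains at least 5 commas, i.e. 6 or more ranges.
SETENVIF_BAD_RANGE = re.compile(r"(,.*?){5,}")
# Option 2 (RewriteCond): the value is acceptable when it is empty or is a "bytes=" spec with at
# most 5 comma-separated ranges; the "!" in the RewriteCond inverts this, so anything else is refused.
REWRITECOND_OK_RANGE = re.compile(r"^bytes=[^,]+(,[^,]+){0,4}$|^$")

def option1_drops_range(range_value):
    """True when the SetEnvIf rule would set bad-range=1 and the Range header would be unset."""
    return SETENVIF_BAD_RANGE.search(range_value) is not None

def option2_rejects_request(range_value):
    """True when the RewriteCond/RewriteRule pair would answer 403 Forbidden."""
    return REWRITECOND_OK_RANGE.search(range_value) is None

def sample_range(n_ranges):
    """Constructed test value: n sequential 100-byte ranges, e.g. 'bytes=0-99,100-199'."""
    return "bytes=" + ",".join(f"{i * 100}-{i * 100 + 99}" for i in range(n_ranges))

def compare_options(max_ranges=8):
    """Return {n: (option1_drops, option2_rejects)} for headers with 0..max_ranges ranges.
    n == 0 models an absent header, which Apache exposes as an empty %{HTTP:range}."""
    results = {}
    for n in range(max_ranges + 1):
        value = sample_range(n) if n else ""
        results[n] = (option1_drops_range(value), option2_rejects_request(value))
    return results

if __name__ == "__main__":
    for n, (drops, rejects) in compare_options().items():
        print(f"{n} ranges: option1 drops header={drops}, option2 rejects request={rejects}")
    # Option 2 is stricter: it also refuses range units other than "bytes=" and an empty spec.
    print("items=0-5:", option1_drops_range("items=0-5"), option2_rejects_request("items=0-5"))
```

Both rules agree on the 5-range threshold; the RewriteCond form additionally rejects malformed or non-byte range units, which the SetEnvIf form lets through untouched.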

Netcraft's latest Web Server Survey indicates that the Apache web server still dominates compared with other web servers (such as nginx, Microsoft and Google). That potentially leaves up to 65.86% of web servers, those running Apache, vulnerable to the CVE-2011-3192 DoS attack.

Facebook Makes a Move Toward Security

Facebook recently published a guide for its users on how to secure their online accounts from anything that threatens one's Facebook security. Among the topics covered are Wall, Chat and Comment spam, weak passwords, fake applications and account hacking. Personally, I'm quite happy that Facebook is actually doing something about user security, despite it being rather late, come to think of it. Still, better to have something than nothing.

The guide contains practical tips and cases to illustrate the severity of the attacks if ignored. It also makes some good, agreeable points that make it a reference anyone can recommend to their friends and family who are on Facebook. Feel free to download here and distribute.


Follow Me Not - Microblog SEO Study (Websense)

With the release of Social Web Control, Websense Security Labs looks at the growing trend of how you can optimize your popularity ranking on social Web sites such as Twitter and Sina's Weibo.

Marketers are heavily tuning social Web sites for Search Engine Optimization (SEO) in a similar way to standard Web sites, where SEO is still the primary source of information traffic. In parallel, cyber-criminals also use BlackHat SEO to spread malware. A high social Web ranking is becoming an important tool to receive constant exposure and get messages out to the desired target audiences, hence the race among both personal and business microblog users to boost their recognition. To attract attention or to be featured on microblog platforms, you need a very large follower base in a very short time.

Weibo, being one of the largest microblog platforms in China with over 200 million users, attracted a different kind of user. Seeing potentially unlimited business opportunities, many users were spoofing famous companies and celebrities to publish false messages to the public. Weibo recently enforced true identity verification as identity theft became an increasing problem. To counter this, ranking "smoke-screen" services are popping up, leading to the idea of "Shua Fen": purchasing followers. The screenshot below shows 2 Weibo accounts with avatars advertising services for "Microblog, get thousands of followers" and "Paid Followers and get verified".