Thursday, September 29, 2011

CVE-2011-3192 - Apache Killer DoS Vulnerability and Patch

The byterange filter in Apache HTTP Server versions prior to 2.2.20 allows remote attackers to cause a denial of service (DoS) through excessive memory and CPU consumption; the flaw was exploited in the wild in August 2011.

A patch for this vulnerability was released by Apache last week. Before the official patch, several workarounds were suggested and discussed to mitigate the problem.

The official mitigation advice from Apache is reproduced below (https://httpd.apache.org/security/CVE-2011-3192.txt). Web administrators running Apache HTTP Server are advised to apply the patch as soon as possible.


Mitigation:
===========

There are several immediate options to mitigate this issue until a full fix
is available. Below examples handle both the 'Range' and the legacy
'Request-Range' with various levels of care.

Note that 'Request-Range' is a legacy name dating back to Netscape Navigator
2-3 and MSIE 3. Depending on your user community - it is likely that you
can use option '3' safely for this older 'Request-Range'.

0) Consult http://httpd.apache.org/security/CVE-2011-3192.txt for the most
   recent information (as this is the final advisory).

1) Use SetEnvIf or mod_rewrite to detect a large number of ranges and then
   either ignore the Range: header or reject the request.

   Option 1: (Apache 2.2, requires mod_setenvif and mod_headers)

          # Drop the Range header when more than 5 ranges.
          # CVE-2011-3192
          SetEnvIf Range (?:,.*?){5,5} bad-range=1
          RequestHeader unset Range env=bad-range

          # We always drop Request-Range; as this is a legacy
          # dating back to MSIE3 and Netscape 2 and 3.
          #
          RequestHeader unset Request-Range

          # optional logging.
          CustomLog logs/range-CVE-2011-3192.log common env=bad-range

   Above may not work for all configurations. In particular situations
   mod_cache and (language) modules may act before the 'unset'
   is executed upon during the 'fixup' phase.

   Option 2: (Pre 2.2, requires mod_rewrite and mod_headers)

          # Reject request when more than 5 ranges in the Range: header.
          # CVE-2011-3192
          #
          RewriteEngine on
          RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$) [NC]
          RewriteRule .* - [F]

          # We always drop Request-Range; as this is a legacy
          # dating back to MSIE3 and Netscape 2 and 3.
          #
          RequestHeader unset Request-Range

   The number 5 is arbitrary. Several 10's should not be an issue and may be
   required for sites which for example serve PDFs to very high end eReaders
   or use things such complex http based video streaming.

   WARNING These directives need to be specified in every configured
   vhost, or inherited from server context as described in:
   http://httpd.apache.org/docs/current/mod/mod_rewrite.html#vhosts

2) Use mod_headers to completely dis-allow the use of Range headers:

          RequestHeader unset Range

   Note that this may break certain clients - such as those used for
   e-Readers and progressive/http-streaming video.

   Furthermore to ignore the Netscape Navigator 2-3 and MSIE 3 specific
   legacy header - add:

          RequestHeader unset Request-Range

   Unlike the commonly used 'Range' header - dropping the 'Request-Range'
   is not likely to affect many clients.

4) Deploy a Range header count module as a temporary stopgap measure.

   A stop-gap module which is runtime-configurable can be found at:

     http://people.apache.org/~fuankg/httpd/mod_rangecnt-improved/
   A simpler stop-gap module which requires compile-time configuration 
   is also available:

     http://people.apache.org/~dirkx/mod_rangecnt.c
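The two regular expressions in options 1 and 2 above are easy to misread (Option 1 is an unanchored search that fires on five commas, Option 2 is a negated "allowed shape"), so here is an added Python example, not Apache's code, that mirrors both checks and also parses the header properly to count ranges under a configurable threshold. All header strings used with it are constructed test inputs.

```python
import re

# Added example (not Apache's own code): the two checks from the advisory quoted
# above, re-implemented so their behaviour on a given Range header can be seen.
# Option 1: SetEnvIf does an unanchored search, so this fires on 5 commas (6+ ranges).
SETENVIF_BAD_RANGE = re.compile(r"(?:,.*?){5,5}")
# Option 2: the RewriteCond is negated ('!'), so a request is refused whenever the
# header does NOT have this allowed shape: 1 to 5 comma-separated ranges, or empty.
REWRITE_ALLOWED = re.compile(r"(^bytes=[^,]+(,[^,]+){0,4}$|^$)", re.IGNORECASE)  # [NC]


def option1_drops_range(range_header: str) -> bool:
    """True when Option 1 sets bad-range=1, i.e. the Range header gets unset."""
    return SETENVIF_BAD_RANGE.search(range_header) is not None


def option2_rejects(range_header: str) -> bool:
    """True when Option 2's RewriteRule answers 403 Forbidden for this header."""
    return REWRITE_ALLOWED.search(range_header) is None


def parse_byte_ranges(range_header: str):
    """Parse 'bytes=a-b,c-,-d' into (start, end) pairs, None marking an open side.
    Returns None when the header is not a syntactically valid bytes range."""
    unit, sep, spec = range_header.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return None
    ranges = []
    for part in spec.split(","):
        start, dash, end = part.strip().partition("-")
        if not dash or not (start or end):
            return None
        try:
            ranges.append((int(start) if start else None, int(end) if end else None))
        except ValueError:
            return None
    return ranges


def range_count(range_header: str) -> int:
    """Number of byte ranges requested; 0 for an absent or unparsable header."""
    ranges = parse_byte_ranges(range_header)
    return len(ranges) if ranges else 0


def classify(range_header: str, max_ranges: int = 5) -> str:
    """Verdict under a tunable threshold (the advisory notes that 5 is arbitrary)."""
    if not range_header:
        return "no-range"
    ranges = parse_byte_ranges(range_header)
    if ranges is None:
        return "malformed"
    return "excessive" if len(ranges) > max_ranges else "ok"
```

Note that both advisory regexes treat a request with exactly five ranges as acceptable; the parser-based classify() lets you raise max_ranges for sites that legitimately serve many ranges per request.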



Exploit:
For study and research purposes, the source code for this vulnerability can be obtained from "CVE-2011-3192 ("Apache Killer") Exploit in Ruby", "Apache HTTP Server Byte Range DoS Manual Check", and the PoC for this exploit on Exploit-db.com.




Tuesday, September 27, 2011

Mozilla Firefox 7 Released!


Mozilla, a global, non-profit organization dedicated to making the Web better, today released an update to Firefox for Windows, Mac and Linux. Mozilla Firefox provides a speedy Web browsing experience for users and new tools to help developers create faster websites and Web apps.

Firefox manages memory more efficiently to deliver a nimble Web browsing experience. Users will notice Firefox is faster at opening new tabs, clicking on menu items and buttons on websites. Heavy Internet users will enjoy enhanced performance when lots of tabs are open and during long Web browsing sessions that last hours or even days.

New tools in Firefox make it easier for developers to build snappy Web experiences for users. A new version of hardware-accelerated Canvas speeds up HTML5 animations and games in Firefox. This allows developers to build more compelling and interactive Web experiences like Angry Birds or Runfield.

Firefox now supports the W3C navigation timing spec API so developers can measure page load time and website navigation against bandwidth speed, website traffic and other factors. This API allows developers to test user experiences remotely and easily and quickly optimize websites and Web apps for different types of users.

To help improve future versions of Firefox, users can opt in to Telemetry. Telemetry is a tool built on Mozilla Privacy Principles that allows users to provide anonymous browser performance data in a private and secure way that they control.


New users can head to the Firefox 7 download page (http://www.firefox.com/).

Reference: Mozilla Website

Phishing Email Scams Target Blizzard WoW


Battle.net, the largest net gaming service, was launched by Blizzard in 1997. For years it has hosted online play for games like Diablo, Warcraft and Starcraft.

Victims of the scam are sent an email purporting to be from Battle.net, requesting a confirmation of the user’s login information. Users are directed to a fake website designed to look like Battle.net, where they are asked to log in. From there, their information is presumably stolen.

World of Warcraft’s popularity makes it a popular target for phishing scams. Blizzard recently announced that the game had 12 million players worldwide. Blizzard’s policy states that its employees will never request a player’s password.



Email Spam URL:

[Screenshots: Email phishing format 1, 2, 3 and 4; fake Battle.net site]

IP neighbor for newsletteraccount.net (173.234.243.61):


IP neighbor for us.battle.net.en.eg-wlk.in (173.208.131.218):


IP neighbor for usadminaccount.in (173.234.243.61):


IP neighbor for us.battle.net.wow-admin.net (173.208.131.221):


IP neighbor for usadminaccount.in (173.208.131.220):

Updated: 2-Oct-11
hxxxp://us.battle.net.worldofwarcraft.com.admin-war.net/  - IP Address: 173.234.243.61
hxxxp://us.battie.net.en.funshud.co.cc/ - IP Address: 173.234.243.61


TLS 1.2 in Windows 7


There has been some discussion recently about a vulnerability in TLS (Transport Layer Security) 1.0: security concerns were raised over TLS 1.0 when two researchers demonstrated their "BEAST" method for breaking encrypted PayPal cookies at the Ekoparty conference. The topic was also covered by THE REGISTER - "Hackers break SSL encryption used by millions of sites - Beware of BEAST decrypting secret PayPal cookies".

This attack only works against communication encrypted with TLS 1.0 or earlier. Currently only two client browsers, Opera and IE9, support TLS 1.2.

By default, Windows 7 supports the TLS 1.1 and TLS 1.2 protocols, but they are not negotiated by default. To enable them, change the DWORD value data of the DisabledByDefault value to 0x0 in each of the following registry keys under the Protocols key:

    SCHANNEL\Protocols\TLS 1.1\Client
    SCHANNEL\Protocols\TLS 1.1\Server
    SCHANNEL\Protocols\TLS 1.2\Client
    SCHANNEL\Protocols\TLS 1.2\Server

These subkeys are located under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL".

Details about how to restrict the use of certain cryptographic algorithms can be found in Microsoft Support article http://support.microsoft.com/kb/245030.

To verify the changes, you can test against one of the TLS interop test servers on the internet.
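As an added example (not from the original post or from Microsoft), the following Python builds a .reg script that sets DisabledByDefault to 0 in the four SCHANNEL subkeys listed above, and parses it back so the intended change can be checked before importing it with regedit (which requires administrator rights). The protocol and side names are taken from the list above; no other values are assumed.

```python
# Added example: generate and check a .reg script for the SCHANNEL Protocols
# subkeys named above. Importing it into the registry is left to regedit.
SCHANNEL = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"
PROTOCOLS = ("TLS 1.1", "TLS 1.2")
SIDES = ("Client", "Server")


def schannel_subkeys(protocols=PROTOCOLS, sides=SIDES):
    """Full registry paths of the Protocols subkeys to change, in the order listed above."""
    return [rf"{SCHANNEL}\Protocols\{proto}\{side}" for proto in protocols for side in sides]


def enable_by_default_reg(protocols=PROTOCOLS, sides=SIDES):
    """Return the text of a .reg file setting DisabledByDefault to 0x0 in each subkey."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in schannel_subkeys(protocols, sides):
        lines += [f"[{key}]", '"DisabledByDefault"=dword:00000000', ""]
    return "\r\n".join(lines)


def parse_reg_dwords(text):
    """Parse a .reg script into {key: {value_name: int}} so the change can be reviewed."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result[current] = {}
        elif current and "=dword:" in line:
            name, _, hexval = line.partition("=dword:")
            result[current][name.strip('"')] = int(hexval, 16)
    return result
```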


Updated 13-Oct-2011:

  • Apple iOS 5 added support for TLS 1.2

Monday, September 26, 2011

mysql.com javascript compromised with malicious code

Researchers from the Armorize Malware Blog found that mysql.com had been compromised and was hosting malicious code. The malicious code was injected into a .js file, which can be obtained from here.

Basically, the decoded script points to "hxxxp://falosfax.in", which redirects (HTTP 302) to the final exploit site "hxxxp://truruhfhqnviaosdpruejeslsuy.cx.cc/main.php". The truruhfhqnviaosdpruejeslsuy.cx.cc site exploits client browser plugins such as Adobe PDF, Flash and Java, and delivers an executable malware file.

mysql.com malicious code_remote.js

At the time of writing, "s_code_remote.js" is clean, the injected code having been removed.

mysql.com clean code_remote.js

READ FULL HERE

Friday, September 16, 2011

Mebromi rootkit - BIOS Threat in wild

Researchers from Webroot and Symantec posted about their Mebromi rootkit findings. This is the first ever BIOS rootkit, Mebromi, seen spreading in the wild. I am not sure how many PCs were infected before the finding; I had better switch to a better OS. :)

                                                  **********************************


There are more and more known viruses that infect the MBR (Master Boot Record). Symantec Security Response published a blog last month demonstrating this trend. However, we seldom confront one that infects the BIOS. One of them is the notorious CIH, which appeared in 1999, infected the computer BIOS and thus harmed a huge number of computers at that time. Recently, we met a new threat named Trojan.Mebromi that can add malicious components into Award BIOS, which allows the threat to take control of the system even before the MBR.
The threat will drop a driver to %system%\drivers\bios.sys, then stop the beep service and replace %system%\beep.sys with the dropped one. After that it restarts the beep service to load the dropped driver.
bios.sys is used to interact with the BIOS, such as getting BIOS info, flashing and backing up the BIOS.

By using bios.sys, the threat will check whether the compromised computer is using Award BIOS. If so, it will save existing BIOS to c:\bios.bin and check whether it is already infected:



READ FULL HERE

                                                         *******************************


In the past few weeks a Chinese security company called Qihoo 360 blogged about a new BIOS rootkit hitting Chinese computers. This turned out to be a very interesting discovery as it appears to be the first real malware targeting the system BIOS since a well-known proof of concept called IceLord in 2007. The malware is called Mebromi and contains a bit of everything: a BIOS rootkit specifically targeting Award BIOS, an MBR rootkit, a kernel mode rootkit, a PE file infector and a Trojan downloader. At this time, Mebromi is not designed to infect 64-bit operating systems and it is not able to infect the system if run with limited privileges.
The infection starts with a small encrypted dropper that contains five crypted resource files: hook.rom, flash.dll, cbrom.exe, my.sys, bios.sys. The goal of these files will be presented later in this analysis.
The infection is clearly focused on Chinese users, because the dropper is carefully checking if the system it's going to infect is protected by the Chinese security software Rising Antivirus and Jiangmin KV Antivirus. To gain access to the BIOS, the infection first needs to get loaded in kernel mode so that it can work with physical memory instead of virtual memory.
Many of you may recall the old CIH/Chernobyl infection, the infamous virus discovered in 1998 that was able to flash the motherboard BIOS, erasing it. Even CIH needed to gain kernel mode access to reach the BIOS, though at the time the virus was exploiting a privilege escalation bug in the Windows 9x operating system which allowed it to overwrite the Interrupt Descriptor Table with its own payload from user mode, then trigger the overwritten interrupt handler so that its malicious code is executed in kernel mode. Mebromi does not use such a privilege escalation trick anymore; it just needs to load its own kernel mode driver which will handle the BIOS infection. To do so, it uses two methods: it can either extract and load the flash.dll library which will load the bios.sys driver, or it stops the beep.sys service key, overwrites the beep.sys driver with its own bios.sys code, restarts the service key and restores the original beep.sys code.
The bios.sys driver is the code which handles the BIOS infection. To read the BIOS code, it needs to map the physical memory located at physical memory address 0xF0000; this is where the BIOS ROM usually resides. Once read, the driver verifies if the BIOS ROM is Award BIOS by checking for the presence of the string $@AWDFLA. If found, the driver tries to locate the SMI port that will be used by the rootkit to flash the BIOS ROM.

READ FULL HERE




Friday, September 9, 2011

Suspicious link 9-Sep-2011




Tuesday, September 6, 2011

TDL-4

Joseph Mlodzianowski from sub0day has written a great article analysing a new TDL-4 variant. It is worth reading if you follow TDL trends.

                                         ******************************************

Attention…  You no longer have to put up with google browser search hijacks, popups or annoying spam email.  The latest and greatest in trojan technology can use your computer to browse silently, visiting hundreds of websites per day earning the attacker thousands of dollars per day* (botnet).  Additionally, it is capable of stealing your email, bank account and other passwords on your system as well using your computer as a proxy, and all with no intrusive popups.
This article will focus on the dissection and analysis of a new TDL-4 "Variant" I believe I discovered. While performing the analysis, some interesting trends, data and methods the "underground" is using to evade detection and make money were uncovered.
If you’re new to TDL (TDSS variants) malware, or crimeware in general, I suggest several articles written by Sergey Golovanov from Kaspersky Lab that can be found here: http://www.securelist.com/en/userinfo/72


This stealth trojan malware (TDL4.2) uses the victim's computer to browse websites without any signs. It doesn't display the common browser redirects or annoying popups, which normally alert users to the fact that they are infected. TDL-4 is detectable and can be removed by Kaspersky's TDSS Killer; however, this variant will download and update itself, becoming undetectable. [At least for a while]
The malware is very sophisticated in that it utilizes custom encryption and has various methods by which it is capable of avoiding detection. It contains a rootkit that infects the boot sector, allowing it to load prior to other drivers, etc.
Proxy Service – In addition, this variant downloads and uses Socks.dll, which allows the victim's system to be used as a proxy server (AWM Proxy Client); the fine people at awmproxy-dot-com created a convenient plug-in for Firefox. It appears you can purchase their service and use the plug-in to browse anonymously using TDL-infected systems.


READ FULL HERE