Posts Tagged ‘Internet Security’

Gawker Compromise, Password Lessons

Tuesday, December 14th, 2010

by Daniel Peck, Research Scientist

Today any news/blog site that is remotely technical most likely has a blurb about the recent Gawker Media compromise.  Most people are making a big deal out of the release of the password files, but honestly, there’s not a lot to that part.  These were clearly very low priority passwords for almost everyone using them. While there was probably some amount of password reuse between Gawker sites and the users’ email addresses, the overlap is still relatively small.

But everyone loves a few stats, so here we go… Out of 188,281 passwords (this is from the parsed_db.txt file in the torrent floating around) the top passwords used are:

3057 – 123456
1955 – password
1119 – 12345678
661 – lifehack
418 – qwerty
333 – abc123
311 – 111111
300 – monkey
273 – consumer
253 – 12345
247 – letmein
241 – trustno1
233 – dragon
213 – baseball
208 – superman
202 – iloveyou
202 – 1234567

Additionally,

~50k of the accounts had a Gmail address, ~45k had a Yahoo address, and ~29k had a Hotmail account.

855 of the passwords contained one of George Carlin’s 7 Dirty Words.

930 contained Love.

And honestly, I’m a bit surprised that that many people who comment on blog sites are into baseball enough to have it as a password.

The bigger story should be about how complete the compromise appears to be.  All of the source code Gawker owns appears to have been released, and that is a very large piece of intellectual property out there for anyone to take apart.  Not only does it allow others to find problems in the source code, but it also allows them to see what Gawker is planning for in the future, what capabilities they have but haven’t unlocked, and of course allows any hacker worth his salt to find vulnerabilities in the code for future attacks.  All around, this is not a good situation for any company to be in and will likely lead to a major code rewrite/audit in order to deal with this effectively.

So in light of recent events, now is as good of a time as any to share some good password advice:

1. Developers – Hash your passwords with a salt.  It seems (though I haven’t verified this yet) that this database was simply DES-encrypting the passwords without any salt derived from the username or the like.  This is bad because it means a simple precomputed rainbow table can be looked up directly, and because every user with the same password ends up with the same stored value, so collisions are much easier to come by.

2.  Users – Don’t use easy-to-guess passwords (if your password is in the Gawker list, that’s bad.)   An easy way to make a strong password is to start with an easy-to-remember phrase, like “The quick brown Fox jumped over the lazy Dog.”  Then take the first letter from each word, like so – “TqbFjotlD”.   Add in a number such as your age and you have a fairly strong password that’s still easy for you to recall.

3.  Users – Don’t share passwords between sites.  Instead, use the technique in item 2 to create a strong password “root” which you can reuse on sites by appending a special character such as @ and a two or three letter mnemonic for the site.  For example, the above password root could be “TqbFjotlD32@GM”  for Gmail,  “TqbFjotlD32@HM” for a home computer, and even “TqbFjotlD32@GK” for Gawker media.
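To make item 1 concrete, here is an added example (my own, not from the post or from Gawker’s code) contrasting an unsalted password store with a salted one. It uses SHA-256 and PBKDF2-HMAC-SHA256 as stand-ins for the DES the post suspects, since the lesson is about the salt rather than the cipher, and a constructed user list whose passwords are drawn from the top-password table above.

```python
"""Added example, not code from the original post: why an unsalted password
store fails against a precomputed table and why per-user salts defeat it.
SHA-256 / PBKDF2 stand in for the DES the post suspects was used."""
import hashlib
import os
from collections import Counter

# Constructed user list; the passwords come from the post's top-password table.
USERS = [
    ("alice", "123456"), ("bob", "password"), ("carol", "123456"),
    ("dave", "qwerty"), ("erin", "monkey"), ("frank", "correct-horse-battery"),
]
# A tiny precomputed-table seed: the most common passwords from the leak.
COMMON = ["123456", "password", "12345678", "lifehack", "qwerty", "abc123", "monkey"]
ITERATIONS = 20_000  # kept low so the demo runs quickly; use far more in production


def hash_unsalted(password):
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password, salt, iterations=ITERATIONS):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def store_unsalted(users):
    return {name: hash_unsalted(pw) for name, pw in users}


def store_salted(users):
    out = {}
    for name, pw in users:
        salt = os.urandom(16)  # fresh random salt per user, stored beside the hash
        out[name] = (salt, hash_salted(pw, salt))
    return out


def shared_password_hashes(unsalted_db):
    """Identical hashes reveal which users share a password before any cracking."""
    counts = Counter(unsalted_db.values())
    return [h for h, n in counts.items() if n > 1]


def lookup_unsalted(unsalted_db, wordlist):
    """One precomputed table, built once, recovers every matching user at once."""
    table = {hash_unsalted(w): w for w in wordlist}
    return {name: table[h] for name, h in unsalted_db.items() if h in table}


def lookup_salted(salted_db, wordlist):
    """The same table is useless against salted hashes: nothing matches."""
    table = {hash_unsalted(w): w for w in wordlist}
    return {name: table[h] for name, (_salt, h) in salted_db.items() if h in table}


def guess_salted(salted_db, wordlist):
    """With salts every guess must be recomputed per user; returns (found, guesses)."""
    found, guesses = {}, 0
    for name, (salt, h) in salted_db.items():
        for w in wordlist:
            guesses += 1
            if hash_salted(w, salt) == h:
                found[name] = w
                break
    return found, guesses


if __name__ == "__main__":
    plain, salted = store_unsalted(USERS), store_salted(USERS)
    print("hashes shared by more than one user:", len(shared_password_hashes(plain)))
    print("table lookup, unsalted:", lookup_unsalted(plain, COMMON))
    print("table lookup, salted:  ", lookup_salted(salted, COMMON))
    print("per-user guessing, salted (found, guesses):", guess_salted(salted, COMMON))
```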

I’m sure we will be hearing more about the Gawker compromise over the next few days, and will keep you updated if anything interesting pops up.


Wikileaks Saga

Friday, December 10th, 2010

By Nidhi Shah, Research Scientist

Wikileaks, an information disclosure site, continues to top the headlines with the disclosure of some ~250,000 confidential U.S. government embassy cables. Since then, the site has been struggling to stay alive. While not getting into the politics of it, it’s truly fascinating to see an attack/counter attack game of keeping a site up against all adversaries.

Let’s take a look at the timeline* of events that have been kicked off since Wikileaks first announced the disclosure.

Nov 28, 2010

- Wikileaks started releasing ~250,000 U.S. embassy cables

Dec 1, 2010

- Amazon removed Wikileaks contents from its EC2 cloud

- Data visualization service Tableau Software (company that provided visualization for navigation into leaked cables) withdraws its support for Wikileaks

Dec 3, 2010

- EveryDNS.com experiences DoS attempts and withdraws its support for Wikileaks

- Wikileaks shifts to backup domain hosted in Switzerland (Wikileaks.ch)

Dec 4, 2010

- Paypal stops processing donations for Wikileaks

Dec 5, 2010

- French company OVH (hosted contents for Wikileaks) goes offline

- Pirate Party of Sweden takes over

Dec 6, 2010

- Mastercard stops processing payments for Wikileaks

- Wikileaks’ server in Sweden gets DDoSed.

- Postfinance closes Wikileaks founder Julian Assange’s account

Dec 7, 2010

- Visa stops processing payments for Wikileaks

- Wikileaks mirrors start to show up

Dec 8, 2010

- DDoS against Mastercard services takes it down briefly

Dec 9, 2010

- Amazon survives DDoS attacks

Tech View:

Wikileaks.org is down after its hosting providers kicked it out. However, in order to take it down, authorities had to go beyond the normal fare of DDoS attacks and such. Instead, they had to use a power play to ensure that servers are not hosting it. The reason authorities had to resort to this power play is that cloud hosting services typically have better resilience against such DoS attempts.

Regardless of how Wikileaks.org went down, the digital nature of the contents is still keeping it alive. Wikileaks.ch is now hosting the contents. Plus, there are some ~1100 mirrors of Wikileaks.org already available (and counting).

Warning for Users:

1. While Paypal and Mastercard have withdrawn their support for Wikileaks donations, other relatively unknown agencies have popped up to show their support. It is conceivable that attackers would try to take advantage of this situation to phish out those donations, so be on the lookout for these sites.

2. There are many anonymous retaliation groups setting up botnets to facilitate DDoS attacks against organizations that withdrew their support for Wikileaks. They recruit into their bot army by asking people to download an executable that turns their machine into part of the botnet. However, getting involved in any such activity would a) be illegal and b) potentially compromise the machine with a virus, spyware or other malicious program, opening the user’s system to further malicious use. In short, don’t download these executables.

3. While most mirrors are claiming to host the original contents, there is no assurance that the material is legitimate. Further, mirrors are not vetted and it is very much possible that malicious groups can later use them to achieve their malicious intentions. Contents distributed as torrents are signed with a public key; however, Web sites are not. That said, be on the watch for these.

*NOTE: Most of the time line data is from

http://www.guardian.co.uk/media/2010/dec/07/wikileaks-under-attack-definitive-timeline.


Malicious Microsoft Imposter Locks Your Desktop

Tuesday, October 19th, 2010

By Dave Michmerhuizen, Security Researcher

Barracuda Labs researchers have recently seen a particularly nasty variant of Trojan.FakeAV  spreading in the wild.  We have seen this fake antivirus malware delivered both by way of  drive-by exploits and by way of direct links embedded in enticing spam emails.  The first sign of infection is the display of a very convincing copy of a Microsoft Security Essentials alert.   The malware then prevents the victim from running most programs on their desktop.

When the real Microsoft Security Essentials antivirus program  encounters malware on a computer it displays an alert such as this one:

Valid Microsoft Security Essentials alert

A computer that has been attacked by this strain of Trojan.FakeAV immediately displays the following very similar alert:

Fake alert

The difference is that the second alert will continue to reappear even if the user closes it.   Any attempt to run Outlook or Internet Explorer, open a command window or even run the Task Manager will be intercepted and the alert will re-display. The inability to run most common programs on the computer leaves the uninformed user with no alternative but to explore the alert.   Choosing “Clean Computer” or “Apply Actions” brings up an interesting scan dialog:

"Online Scan" results

A large list of  antivirus product trademarks is displayed.  Unfortunately, none of the well-known products seem to be able to find any problems. Cleverly interspersed with the reputable programs are images for five bogus antivirus ‘products’ including:

AntiSpy Safeguard
Major Defense Kit
Peak Protection
Pest Detector
Red Cross

Of course, no scanning ever happened, and the programs listed above are all built directly into the malware. They all appear identical except for a name change.   If the user installs the first one, this is displayed:

Fake AV "Install" dialog

We were particularly amused by the wholesale theft of the GNU “free software” license agreement.  Behind the scenes, the installation of any of these bogus ‘products’ sends messages across the Internet to IPs  85.234.191.174 and 85.234.191.180, both of which are located in Latvia.  The first is the home of a malicious fake porn site and the second hosts a site whose main page simply reads “There is nothing here”.

Once ‘installed’ the program goes right to work fixing ‘problems’.   Unfortunately some of those problems require a missing “heuristic module”.

Fake AV "scan"

Ignoring this requirement results in an error message. Outlook, Internet Explorer, Task Manager – the most basic Windows programs still will not run. Eventually the user might be tempted to click the purchase button for that module:

FakeAV "money screen"



Fixing the Problem

While it is not possible to open many programs, it is possible to open the file explorer.  The malware file is found in the user’s Application Data folder, which is hidden by default.  Once the file is renamed it will no longer be loaded on reboot, and the machine can be cleaned using a reputable antivirus program.

Barracuda Web Filters and the Barracuda Web Filtering Service stop the download of this threat.


HTML is Not Harmless – Email Security Update

Thursday, September 23rd, 2010

By Dave Michmerhuizen, Security Researcher

Barracuda Labs has seen an enormous increase – in fact, well over one million instances a day – of spam containing malicious HTML attachments. The attackers are trying every trick in the book, from using trending news topics to sending deliberately vague messages, with the hope that users will be curious enough to open the HTML. After all, what harm can an HTML file do?

The answer is: plenty.

For years computer professionals have been telling email users to be particularly careful with emails from sources they do not recognize, and to even be careful with unusual looking email from sources that they do trust.  Users have been warned of the potential dangers associated with clicking on a file or link that arrives in an email. But many people assume that an HTML file is just a webpage and that webpages are safe. This assumption is misleading, and the examples below show why HTML attachments are just as serious of a threat as other attachment types.

On September 16, this particular campaign started with spams tied to current Google trending topics:

Attracting attention by latching on to the latest breaking news is a technique that attackers have been using for quite some time. In fact, several examples of SEO poisoning and search malware are explored throughout barracudalabs.com and this blog. Google hot topic search results frequently are littered with links to hacked sites that serve up malicious JavaScript.  Now, the attackers are taking that a step further and not requiring the user to come to their hacked sites but rather simply emailing the same malicious JavaScript sites straight to an inbox.

These campaigns evolved slightly over the following days, with the subject lines changing from trend topics to more nonspecific email subjects that one might receive from a business associate:

With messages to match:

These emails are presented as something just innocent enough that a user might allow curiosity to overrule caution and click “open”.  However, once that happens, the HTMLs suddenly don’t seem so harmless.

The attachments include 100% obfuscated JavaScript – JavaScript deliberately made confusing to read or scan in order to make it harder for anti-virus products to identify it.

When opened in a browser window, this JavaScript sends the browser to a variety of destinations depending on the spam flavor of the moment. In some instances, that is fake pharmacy sites which are harmless:

In others, it may be fake codec sites which are harmless as long as the fake codec is not downloaded (note: a codec should never be downloaded in this manner):


And finally, some instances lead to fake anti-virus sites which can carry a variety of problems:

Consider the HTML behind the fake anti-virus site redirect:

The HTML that serves this redirect also contains an IFRAME element that attacks the browser and installs a backdoor, as seen below:

What makes this a real problem is that although the fake anti-virus site can be defeated by simply terminating the browser, the backdoor has already quietly been installed.

After several days, the spammers then shifted gears and started embedding the malicious JavaScript directly in otherwise innocent looking HTML files:

This is what the email attachment looks like when viewed with JavaScript disabled.   This inclusion strategy helps disguise the JavaScript from email scanners and reassure users whose email clients preview HTML content without evaluating JavaScript.

But there is malicious JavaScript inside, just waiting for the attachment to be opened in a browser:

In a browser, this displays the seemingly legitimate attachment very briefly and then blanks out the screen.  Once the screen is blank, the malicious code is busy exploiting the browser and downloading malware culminating in the installation of a Trojan from the Zeus family.

The absence of any significant visual feedback means the user typically has no idea what has just happened or that they have contracted one of the most dangerous pieces of malware on the Internet.  Zeus Trojans are a stealthy family of malware that steal online credentials, particularly those used for online banking.

So yes, a seemingly innocent HTML email attachment can do plenty of damage, and while it is quite stealthy, it is definitely not harmless.

Barracuda Spam & Virus Firewalls block these emails, and Barracuda Web Filters and the Barracuda Web Filtering Service stop the malicious traffic.



@zzap is my hero

Tuesday, September 21st, 2010

By Daniel Peck, Research Scientist

Earlier today Twitter was the target/medium of a large scale cross site scripting (XSS) spam/attack demonstration.

In the wee hours of the morning, Pearce Delphin, @zzap, discovered that when embedding a URL in a tweet, script code following an ‘@’ character in the link was executed in the context of the page hosting the link, in this case twitter.com.  Before long, Twitter was ablaze and as of this writing “onmouseover” is still a trending topic.  Throughout the day, people were using the XSS for pranks (rickrolling) to demonstrate cookie theft, to redirect to porn sites, to push quite a bit of spam, and to deliver a few instances of sites hosting exploits.

Several high profile Twitter accounts were hit by the exploit (and in turn began exploiting people themselves) including Sarah Brown, wife of ex prime minister of the UK Gordon Brown, and the official account of the White House (@presssec).

Twitter has fixed the vulnerability, though we’re seeing reports that the patch wasn’t complete and only blocked that particular exploit instead of the vulnerability itself (an all too common problem).  It is unfortunate that just a couple weeks after launching new features on the site that gave users more reasons to use twitter.com, this most recent example of XSS gives users a reason to second guess that and stick with clients for now.
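As an added example (not Twitter’s code), here is a server-side tweet linkifier written in the vulnerable style the post describes, beside a hardened version that escapes for the attribute context and rejects non-http(s) schemes. The tweet text carrying the onmouseover payload is constructed for the demonstration.

```python
"""Added example, not Twitter's code: a tweet linkifier in the vulnerable style
the post describes, beside a hardened version. The payload tweet is constructed."""
import html
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://\S+")
# Mirrors the HTML tokenizer's tolerance: an attribute may start right after a closing quote.
LIVE_HANDLER_RE = re.compile(r"""(?<=["'\s])on[a-z]+\s*=\s*["']""", re.I)

# Constructed tweet: everything after the @ in the link is meant to become live HTML.
TWEET = 'http://t.co/@"onmouseover="alert(1)"/ see this'


def render_vulnerable(text):
    """Pastes the raw URL into both the href attribute and the anchor body."""
    return URL_RE.sub(lambda m: '<a href="%s">%s</a>' % (m.group(0), m.group(0)), text)


def safe_href(url):
    """Allow only http(s) links with a host; anything else becomes an inert '#'."""
    parts = urlsplit(url)
    return url if parts.scheme in ("http", "https") and parts.netloc else "#"


def render_hardened(text):
    """Escape each untrusted fragment for the context it lands in (attribute or text)."""
    out, pos = [], 0
    for m in URL_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()], quote=True))
        url = m.group(0)
        out.append('<a href="%s">%s</a>' % (html.escape(safe_href(url), quote=True),
                                            html.escape(url, quote=True)))
        pos = m.end()
    out.append(html.escape(text[pos:], quote=True))
    return "".join(out)


def has_live_event_handler(rendered_html):
    """True if the markup contains an on* attribute a browser would honour."""
    return LIVE_HANDLER_RE.search(rendered_html) is not None


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        out = render(TWEET)
        print("%-10s live handler: %-5s %s" % (name, has_live_event_handler(out), out))
```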


Phishing Spam Targets Netflix Users

Tuesday, September 14th, 2010

By Dave Michmerhuizen, Security Researcher

Just yesterday, Barracuda Labs intercepted thousands of copies of a spammed phishing attack aimed at customers of the popular online video rental service Netflix. While phishing attacks are nothing new, especially against financial institutions, this attack is particularly well done.

Below we present the details of the attack, showing how the unsuspecting Netflix member might fall victim, as well as what to look for to avoid it.

The email is simple enough and looks convincing:

Taking a deeper look, the recipient will notice that the email was not sent to anyone by name.  Also, mousing over the link shows that it does not go to Netflix.com. Instead, it goes to a deceptively similar domain, netflixus.com. This could be easily confused by the recipient since it is so similar, and also could be perceived as a geographical notation (US).

Netflixus.com was registered on the same day that the phishing attack began, September 13:



Clicking on the “update” link sends the user to a login page that looks like what one would expect from Netflix:

One exception is the domain in the address bar: still netflixus.com.  Additionally, the protocol used is not HTTPS, which reputable sites always use when asking for login names and passwords or for credit card information. All of the other links on this page and on the following pages point to netflix.com, so if the user mouses over this form it is extremely deceptive. The ‘Continue’ button takes the user to another part of the phishing site.

As part of this experiment, we signed in with a fake username and password:



Once signed in, there is a landslide of warnings. The first is that the user is immediately asked for credit card information:

This page is very well designed, right down to an image of the back of a credit card to help identify the security code.    Netflixus.com still displays in the address bar, and although credit card information is being requested, the HTTPS protocol is not being used.

We responded with a dummy credit card number as indicated below:

Once that happens the site obligingly sends the user’s browser to the real netflix.com home page:

This final step is one last step to make the user feel comfortable with the just completed transaction.

This attack serves as a great reminder to always pay attention online. Regardless of how “real” an email or site looks, users should be especially wary of those requesting the user to click on links to enter credit card information, passwords and so forth. There are several tell-tale signs to check legitimacy, many of which we have outlined above.
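The signs called out above (a lookalike domain carrying the brand name, a plain-http link, and link text that names one domain while the href goes to another) can be checked mechanically over the links in a message. This is an added example, not Barracuda’s tooling; the email HTML is constructed, and the “registrable domain” is approximated as the last two labels, which is wrong for suffixes such as co.uk.

```python
"""Added example, not Barracuda's tooling: flag the phishing indicators the post
describes in an email's links. The email HTML is constructed; registrable_domain()
is a deliberate approximation (last two labels) that mishandles suffixes like co.uk."""
import re
from urllib.parse import urlsplit

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}", re.I)

# Constructed message in the style of the phish above (netflixus.com is the domain from the post).
EMAIL_HTML = """<p>Your billing details need attention.
Please <a href="http://netflixus.com/account/update">update</a> your account.</p>
<p>Questions? See <a href="https://www.netflix.com/help">www.netflix.com</a>
or <a href="https://support.evil.invalid/login">www.netflix.com</a>.</p>"""


def registrable_domain(host):
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def audit_links(email_html, brand_domains):
    """Return [(href, [reasons])] for every link that trips one of the checks."""
    brand_domains = {b.lower() for b in brand_domains}
    brand_words = {b.split(".")[0] for b in brand_domains}  # e.g. 'netflix'
    findings = []
    for href, text in ANCHOR_RE.findall(email_html):
        parts = urlsplit(href)
        host = parts.hostname or ""
        reg = registrable_domain(host)
        reasons = []
        # Brand name present in the host, but the registrable domain is not the brand's.
        if reg not in brand_domains and any(w in host for w in brand_words):
            reasons.append("lookalike domain %s (not %s)" % (reg, "/".join(sorted(brand_domains))))
        # Credentials or card data over plain HTTP is never legitimate.
        if parts.scheme == "http":
            reasons.append("plain http link")
        # Visible text claims one domain while the href goes somewhere else.
        shown = DOMAIN_IN_TEXT_RE.search(re.sub(r"<[^>]+>", "", text))
        if shown and registrable_domain(shown.group(0)) != reg:
            reasons.append("link text shows %s but goes to %s" % (shown.group(0), host))
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in audit_links(EMAIL_HTML, ["netflix.com"]):
        print(href)
        for r in reasons:
            print("   -", r)
```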

Customers using the Barracuda Spam & Virus Firewall, Barracuda Web Filter, and/or the Barracuda Web Filtering Service are protected from this attack.


“Here You Have” Spam Teaches an Old Worm a New Trick

Thursday, September 9th, 2010

On September 9, Barracuda Labs witnessed an outbreak of a spammed Trojan dubbed “Here You Have” after the subject line of the emails it sends. According to Luis Chapetti, lead security analyst at Barracuda Networks, the spam first appeared at 8:44AM PDT and over 200,000 were seen by our email monitoring systems over the following six-hour period. Volume dropped off rapidly once the account hosting the malware was shut down. This volume does not include spams sent within enterprises, which could be a substantial number.

Email worms are nothing new, but in the past they sent their executable program as an attachment to the outgoing email. Computer users have mostly absorbed the lesson that you should be very careful with any file that comes to you via email, especially any .exe and .zip files.

This “Here You Have” email worm was just different enough to persuade many users to download and run the payload. The emails offered up a type of file that people trust – an Adobe PDF – and then delivered a file type that most people are unfamiliar with – a .scr file. The .scr file type is commonly used for Windows screen savers, which are executable programs themselves. What’s more, the payload file was not directly attached to the email. A small HTML file containing a link to the payload is included instead, making it more difficult to see what was actually being offered, and more enticing to click.

The campaign included several different messages, with the most common one titled “Here You Have” that presented a vague “document I told you about” theme.

Careful examination of the email shows that what is being offered is not what is being delivered. Saving the file offers further evidence.

What the malware authors are hoping will happen is that the user will simply click on the link.  Doing so does display a Windows Security Warning dialog, and this dialog does indicate that the file is not a PDF – it is a Screen Saver.

The mere presence of this dialog is a dead giveaway that something is wrong. The action for a PDF file is ‘Open’ and not ‘Run’.

If ‘Run’ is clicked, the malware – named VBMania – proceeds to spam itself to everyone in that user’s address book. This can be a particular problem in large enterprises because as a rule, emails passing between users in the same organization are trusted. One infected user spams everyone in the corporate address book, and once only a few more coworkers click on those emails the spam attack snowballs exponentially.

So while email worms are nothing new and most users understand not to click on an attachment that is an .exe or .zip, the payload here arrives by way of an .html file, leaving unsuspecting users vulnerable.
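The HTML attachment tricks described in this post and in the earlier “HTML is Not Harmless” post (obfuscated inline script, a hidden IFRAME, and a link that advertises a PDF but fetches a .scr) can be triaged with a short parser before a user ever opens the file. This is an added example, not Barracuda’s scanner; all sample attachments and hostnames in it are constructed.

```python
"""Added example, not Barracuda's scanner: triage HTML email attachments for the
three patterns the posts describe. All sample attachments below are constructed."""
from html.parser import HTMLParser
import re

EXEC_EXT = (".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")
OBFUSCATION_MARKERS = ("eval(", "unescape(", "fromCharCode", "document.write(")
LONG_LITERAL = re.compile(r"""["'][^"']{200,}["']""")  # one huge opaque string


class AttachmentParser(HTMLParser):
    """Collects script bodies, iframe attributes and (href, text) of anchors."""

    def __init__(self):
        super().__init__()
        self.scripts, self.iframes, self.anchors = [], [], []
        self._in_script, self._anchor = False, None

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
            self.scripts.append("")
        elif tag == "iframe":
            self.iframes.append(attrs)
        elif tag == "a":
            self._anchor = [attrs.get("href", ""), ""]

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
        elif tag == "a" and self._anchor is not None:
            self.anchors.append(tuple(self._anchor))
            self._anchor = None

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data
        elif self._anchor is not None:
            self._anchor[1] += data


def _is_hidden(attrs):
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = all(attrs.get(k, "").strip() in ("0", "1", "0px", "1px") for k in ("width", "height"))
    return tiny or "display:none" in style or "visibility:hidden" in style


def triage(html_text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    p = AttachmentParser()
    p.feed(html_text)
    p.close()
    findings = []
    for script in p.scripts:
        hits = [m for m in OBFUSCATION_MARKERS if m in script]
        if hits or LONG_LITERAL.search(script):
            findings.append("obfuscated script: " + ", ".join(hits or ["long opaque literal"]))
    for frame in p.iframes:
        if _is_hidden(frame):
            findings.append("hidden iframe to " + frame.get("src", "?"))
    for href, text in p.anchors:
        path = href.lower().split("?", 1)[0]
        if "pdf" in text.lower() and path.endswith(EXEC_EXT):
            findings.append("link says PDF but fetches " + href)
    return findings


# Constructed samples for the self-check (the unescape() string decodes to 'window.location').
OBFUSCATED_ATTACHMENT = ('<html><body><p>Breaking news</p><script>'
                         'eval(unescape("%77%69%6e%64%6f%77%2e%6c%6f%63%61%74%69%6f%6e"))'
                         '</script></body></html>')
IFRAME_ATTACHMENT = ('<html><body><h1>Monthly statement</h1>'
                     '<iframe src="http://malicious.invalid/landing" width="0" height="0">'
                     '</iframe></body></html>')
HERE_YOU_HAVE_ATTACHMENT = ('<html><body>Hello, this is the document I told you about: '
                            '<a href="http://files.invalid/pdf/document.scr">document.pdf</a>'
                            '</body></html>')
CLEAN_ATTACHMENT = ('<html><body><p>Invoice attached.</p>'
                    '<a href="https://files.invalid/invoice.pdf">invoice.pdf</a></body></html>')

if __name__ == "__main__":
    for name, sample in [("obfuscated", OBFUSCATED_ATTACHMENT), ("iframe", IFRAME_ATTACHMENT),
                         ("here-you-have", HERE_YOU_HAVE_ATTACHMENT), ("clean", CLEAN_ATTACHMENT)]:
        print(name, "->", triage(sample) or "no findings")
```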

“This outbreak was actually kind of simple,” says Chapetti. “All it did was spam itself out. They could have just as easily added a password stealer to the download list, and with more sophisticated code, dynamically changed the download site and keep the worm alive for a long time.”

Bottom line? The attack itself is simple and could have been much more severe than it was. It is yet another example of spam containing potentially malicious content and a significant reminder to all users to not run anything received via email if the source is not trusted and the content known.

Barracuda Spam & Virus Firewalls blocked these messages throughout the attack.

By Dave Michmerhuizen, Research Scientist


Wedding Bells Ringing in Malware

Wednesday, August 18th, 2010

by Barracuda Labs

Weddings are joyous affairs, happy occasions for celebration. When friends find a soulmate and announce their intentions to the world, it’s exciting. We’re thrilled for them and we want the details right away.

Well, not so fast.

Barracuda Labs spam honeypots have recently detected spammers sending multiple wedding-themed emails, hoping to catch people with their guards down.  The messages can be quite convincing, but there is no “happily ever after” in the malware that is attached to them.

Consider this wedding invitation:

"Wedding Invitation" email

If the attached “Wedding Card” is opened, it launches a fake antivirus – SecurityTool:

Wedding Card results
Result of opening the “Wedding Card”

In addition to dropping SecurityTool on the system, the Wedding Card also downloads Trojan.Fitmu.A:

Download of password stealer

This program quietly runs in the background looking for usernames and passwords to steal.  In particular it steals FTP passwords, and stolen FTP passwords are the most common way that sites are hacked.


The spammers are casting a broad net, even targeting users who might be planning their own wedding. Say you are busy trying to arrange a venue, finalize a contract for catering, find music and a photographer, and then receive an email such as this:

"Wedding Contract" email

Upon first glance and a quick scan, it could appear as your legitimate contract (of course, hopefully the users will notice if the venue is not one they have been reviewing!). If the attachment is opened, it does not appear to do anything at all.  Nothing displays.  However, more is going on behind the scenes.

The attachment is actually a Zeus Trojan, a password stealer that specializes in online banking passwords.  The traffic here shows the Trojan retrieving its configuration and checking in with its command and control server.

The bottom line? Stay alert, scrutinize emails carefully and spread the word to your friends and co-workers. Being aware of these spam attacks helps prevent their success.

Barracuda Spam & Virus Firewall, Barracuda Web Filter and Barracuda Web Filtering Service customers are protected from this attack.


Barracuda Labs 2010 Midyear Security Report

Wednesday, July 28th, 2010

 Today Barracuda Labs released our 2010 Midyear Security Report, revealing data from two key areas: search engine malware  and Twitter use and crime rate.

Our study shows that attackers have serious efforts devoted towards getting in front of the billions of eyeballs that are using search engines every day and the millions of users that are connecting on social networks like Twitter. These research efforts allow us to continue to analyze their approaches and build new techniques to find them and protect users. Highlights of the study are below, and you can download the full report off the BarracudaLabs.com homepage.

Searching for Malware

We conducted a study across Bing, Google, Twitter and Yahoo! over a roughly two-month period. The analysis reviews more than 25,000 trending topics and nearly 5.5 million search results. The purpose of the study was to analyze trending topics on popular search engines to understand the scope of the problem and to identify the types of topics used by malware distributors.  Key highlights:

  • Overall, Google takes the crown for malware distribution – turning up more than twice the amount of malware as Bing, Twitter and Yahoo! combined when searches on popular trending topics were performed. Google presents at 69 percent; Yahoo! at 18 percent; Bing at 12 percent; and Twitter at one percent.
  • The average amount of time for a trending topic to appear on one of the major search engines after appearing on Twitter varies tremendously: 1.2 days for Google, 4.3 days for Bing, and 4.8 days for Yahoo!
  • Over half of the discovered malware had originated between the hours of 4:00 a.m. and 10:00 a.m. GMT.
  • The top 10 terms used by malware distributors include the name of an NFL player, three actresses, a Playboy Playmate and a college student who faked his way into Harvard.

The Dark Side of Twitter

As part of an ongoing study building on data we released in June 2009 and subsequently in March 2010, we analyzed more than 25 million Twitter accounts, both legitimate and malicious. The purpose of this part of the study was to measure and analyze account behavior on Twitter in order to model normal user behavior and identify features that are strong indicators of illegitimate account use. The study reviews several key areas including True Twitter Users [1], Twitter Crime Rate [2], and Tweet Number [3].  Key highlights:

  • In general, activity is increasing on Twitter: more users are coming online; True Twitter Users are tweeting more often, and even casual users are becoming more active. As users become more active, the malicious activity also increases.
  • Only 28.87 percent of Twitter users are actual True Twitter Users.
  • Half of Twitter users tweet less than once a day, yet one in 10 users tweet five or more times a day and 30 percent of Twitter accounts have never tweeted.
  • One in every eight Twitter users has at least 10 times more followers than they are following.
  • Only one in 10 users is following more than 100 users, and almost half are following less than five.
  • The Twitter Crime Rate for the first half of 2010 was 1.67 percent.


We are presenting the findings of both studies, as well as other Barracuda Labs work, at Security BSides Las Vegas and DefCON 18 this week in Las Vegas. Come see us!

Security BSides Las Vegas:

Wednesday July 28 at 3pm PT – The Darkside of Twitter (Dr. Paul Judge, Dave Maynor)

Thursday July 29 at 3pm PT – A Mechanic’s View of SQL Injection (Ray Kelly)

DefCON 18:

Saturday July 31 at 11am PT – Searching for Malware (Dr. Paul Judge, Dave Maynor)

Footnotes:

1 – ‘True Twitter User’ is defined as a user that has at least (≥) 10 followers, follows at least (≥) 10 people, and has tweeted at least (≥) 10 times.

2 – ‘Twitter Crime Rate’ is defined as the percentage of accounts created per month that were eventually suspended for malicious or suspicious activity, or otherwise misused.

3 – ‘Tweet Number’ is defined as a user’s average number of tweets per day.


The Wireless Router Insecurity You Might be Overlooking

Tuesday, June 15th, 2010

By Barracuda Labs

Many savvy computer users have experience setting up a wireless access point in their home or office. It’s not that hard, really. Change the SSID, change the password, and perhaps change the channel. Set the IP and you’re good to go.

But if that’s all you’ve done, you could be leaving open an attack vector that malware authors have been targeting for years. They’re still targeting it today.

Many routers, including those that are part of wireless access points, implement the Universal Plug and Play (UPnP) interface. This interface allows programs running on computers connected to the router to control the router.  No authentication is necessary. The bad news is that this makes it easy for malware to change router settings.

While scanning for malware, we found this bogus forum post pretending to be a video recipe for Yankee Pot Roast. However, when looking a bit closer, it revealed itself as TROJ_TDSS.AKA, a downloader that initially downloads a fake antivirus but, as demonstrated, also tries to open a port in the gateway, leaving your computer and personal information exposed.

Malware automatically opening a port in the gateway is significant because most router users, particularly most home wireless access point users, assume a few simple security steps are all they need – enable WEP or WPA, set a strong password and you’re good (enough) to go. The UPnP vulnerability doesn’t have very high non-geek visibility, even though it’s still being exploited – and by Conficker no less.  And despite it having been around for quite a while now (referenced in this ZDNet article at http://www.zdnet.com/blog/soho-networking/wi-fi-routers-vulnerable-to-upnp-attack-from-hackers/120), it’s still alive and incredibly widespread. In fact, Google gives approximately 1,870,000 results for sites linking to the primary attack site, hxxp://vixensandschoolgirls.com.

Users should check whether their routers allow a more secure configuration. For example, it is recommended to disable UPnP and to use static IP assignments, so that a DHCP server is not left open to hand an address to any system that breaches your WiFi security and launches an unannounced attack.

Further, this once again reiterates the importance of knowing the source of information online, and to not click on links from unknown sources.

Screenshots of the attack follow for reference.

1)  Clicking on this ‘video’ brings up another window displaying a video prompt.

2) At this point, the astute user might wonder why the Yankee Pot Roast recipe is being offered up by hxxp://vixensandschoolgirls.com, but then the standard Windows warning message appears.

3) Running the offered program doesn’t seem to do anything at first. After a long delay, a fake anti-malware program named Defense Center is downloaded and executed.

4) Meanwhile, behind the scenes, multiple attempts are made against the router, followed by this UPnP payload. The payload changes the firewall settings of the router to open a port for additional malicious traffic. Conficker uses this same internal UPnP attack against routers to open up ports for its peer-to-peer control mechanism. UPnP is sometimes used for file or printer sharing, but in most cases it can be disabled with no ill effects.

5) The setting used on the Linksys router used in testing.
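As an added example (not vendor code and not the Trojan’s payload), the following audit uses the same UPnP IGD interface to ask the gateway which port mappings currently exist, which is how a defender would spot an opening like the one made in step 4 and then remove it from the router’s admin page. The SSDP and SOAP message formats are the standard IGD ones; a gateway on the LAN is assumed for the live run, while the parsers work offline.

```python
"""Added example, not the Trojan's payload and not vendor code: list the port
mappings a UPnP gateway currently holds, so an unexpected one can be spotted."""
import socket
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

SSDP_ADDR = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WAN_SERVICES = ("urn:schemas-upnp-org:service:WANIPConnection:1",
                "urn:schemas-upnp-org:service:WANPPPConnection:1")
FIELDS = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewEnabled", "NewPortMappingDescription", "NewLeaseDuration")

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the XML namespace prefix

def build_msearch(st=IGD_ST, mx=2):
    """SSDP discovery request for an Internet Gateway Device."""
    return ("M-SEARCH * HTTP/1.1\r\nHOST: %s:%d\r\nMAN: \"ssdp:discover\"\r\n"
            "MX: %d\r\nST: %s\r\n\r\n" % (SSDP_ADDR[0], SSDP_ADDR[1], mx, st)).encode()

def parse_ssdp_response(raw):
    """Return the LOCATION header (URL of the device description) or None."""
    for line in raw.decode(errors="replace").split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return value.strip()
    return None

def find_control_url(description_xml, base_url):
    """Return (serviceType, absolute controlURL) of the WAN connection service."""
    for svc in ET.fromstring(description_xml).iter():
        if _local(svc.tag) != "service":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in svc}
        if fields.get("serviceType") in WAN_SERVICES:
            return fields["serviceType"], urljoin(base_url, fields.get("controlURL", ""))
    return None

def build_soap(service_type, index):
    """SOAP request for the index-th entry of the gateway's port-mapping table."""
    body = ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            '<u:GetGenericPortMappingEntry xmlns:u="%s"><NewPortMappingIndex>%d'
            '</NewPortMappingIndex></u:GetGenericPortMappingEntry></s:Body></s:Envelope>'
            % (service_type, index))
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": '"%s#GetGenericPortMappingEntry"' % service_type}
    return body.encode(), headers

def parse_mapping(response_xml):
    """One mapping as a dict, or None on a SOAP fault (index past the end, error 713)."""
    try:
        root = ET.fromstring(response_xml)
    except ET.ParseError:
        return None
    values = {_local(el.tag): (el.text or "").strip() for el in root.iter()}
    if "Fault" in values:
        return None
    return {f: values.get(f, "") for f in FIELDS}

def list_mappings(control_url, service_type, limit=200):
    """Walk the mapping table until the gateway reports an invalid index."""
    mappings = []
    for i in range(limit):
        body, headers = build_soap(service_type, i)
        req = urllib.request.Request(control_url, data=body, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                entry = parse_mapping(resp.read())
        except urllib.error.HTTPError as err:  # SOAP faults arrive as HTTP 500
            entry = parse_mapping(err.read())
        if entry is None:
            break
        mappings.append(entry)
    return mappings

def discover(timeout=3):
    """Multicast an M-SEARCH and return the first answering gateway's description URL."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_msearch(), SSDP_ADDR)
        return parse_ssdp_response(sock.recvfrom(4096)[0])
    except OSError:  # includes the receive timeout
        return None
    finally:
        sock.close()

if __name__ == "__main__":
    location = discover()
    service = location and find_control_url(urllib.request.urlopen(location, timeout=5).read(), location)
    if not service:
        raise SystemExit("no UPnP gateway with a WAN connection service answered")
    for m in list_mappings(service[1], service[0]):  # anything you did not create deserves a look
        print(m["NewProtocol"], m["NewExternalPort"], "->", m["NewInternalClient"] + ":" +
              m["NewInternalPort"], m["NewPortMappingDescription"] or "(no description)")
```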
