Maarten at the Internet Storm Center shows us another targeted attack. As usual, a social engineering component is involved, and this time the lure is the protests in Tibet. He shows us the result of his ppt sample (reports_of_violence_in_tibet.ppt, MD5 977a4ac91acf5d88044a68f828154155) submitted to VirusTotal and, as we have seen before, it's not that good: only five scanners out of 32 detect it. F-Secure and McAfee did a similar analysis in the same context, but with .chm files.
One possible new reason why detection is deteriorating is the rise in the use of custom packers. Sophos has an interesting article on it: Packer r(evolution).
Eddy from Wavci gives us some other details from this targeted attack (UPDATED):
The exploit silently runs a keylogger that collects and sends everything typed on the affected machine to a server running at xsz.8800.org. And 8800.org is a Chinese DNS-bouncer system that, while not rogue by itself, has been used in various targeted attacks. The vast majority of control servers were identified on Chinese netblocks. However, servers have been identified in the USA, South Korea and Taiwan. The host names pointing to these servers are often configured on dynamic DNS services such as 3322.org. While these services in themselves are not malicious, they are heavily used in these specific attacks.
According to Maarten, you should keep an eye out for the following files:
- CHM Help files with embedded objects;
- Acrobat Reader PDF exploits;
- Microsoft Office exploits;
- LHA files exploiting vulnerabilities in WinRAR;
- Exploitation of an ActiveX component through an attached HTML file.
According to a January article in Air Force Online, a series of e-mail attacks originating in China targeted 28 defense contractor locations in the United States late last year. The story named specific Beijing-based Internet addresses that the FBI later determined were the origin of the attacks.
Van Horenbeeck, who provides security and technical advice to several Tibetan groups, said he has uncovered evidence that those same numeric Internet addresses were used in targeted attacks against Students For a Free Tibet, another New York-based human rights group.
The attacks on pro-Tibet organizations are not the first to be tied to computers in China. The Washington Post reported March 21 that the FBI is investigating whether hackers in China targeted a group working for human rights in Darfur, the war-torn province of Sudan. China has economic and strategic interests in the African nation's oil fields.
Van Horenbeeck said the danger with the e-mail viruses involved in the attacks is that they are so hand-crafted and new that they usually go undetected by dozens of commercial anti-virus scanners on the market today.
"Last week, I had two of these samples that were detected by two out of 32 different anti-virus scanners, and another that was completely undetected," he said.
The specificity of information sought in the targeted attacks also suggests the attackers are searching for intelligence that might be useful or valuable to a group that wants to keep tabs on human rights groups, said Nathan Dorjee, a graduate student who provides technology support to Students for a Free Tibet. (Full article here.)
Especially this part was very interesting:
Dorjee said the attacks have been unsettling but ineffective, as the Students for a Free Tibet network mostly operates on more secure platforms, such as Apple computers and machines powered by open source operating systems.
"The fact that we're being attacked with the same resources thrown at multi-billion defense contractors is flattering," said Lhadon Tethong, executive director of Students for a Free Tibet. "It shows that we really are an effective thorn in the side of a repressive regime."
I wouldn't be overconfident about running on alternative OSes. As Dinis Cruz told me once, you can get equally owned on a Mac, but at least you get owned in style. ;-)
See: Apple Patches 93 Security Holes and Anti-virus on a Mac? (Washington Post).
Now there seems to be yet another 0-day vulnerability in Word. Or should I say through Word. From McAfee Avertlabs:
In several recent, yet limited, attacks, exploits were crafted to attack an MS Jet Database vulnerability through Word. The Word docs are coded to reference Access database files regardless of extension (which allows attackers to circumvent content filters looking for specific email attachment extensions).
Full article.
An attack scenario looks like this:
- A user receives an email message with 2 attachments (one of which is a Word document)
- The email client saves the attachments to the same directory
- The user opens the Word document, which in turn opens the Access database containing the exploit code
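A defender's counterpart to the "regardless of extension" trick described above: an attachment filter that recognises a Jet database by its file signature rather than by its name, and flags a message that pairs such a file with a Word document. This is an added example, not code from the original post or from McAfee; it relies on the documented Jet/ACE marker at offset 4 of .mdb/.accdb files and the OLE2 compound-file header of legacy .doc files, and the mail payloads are constructed.

```python
"""Signature-based attachment filter for the Word + Jet database pair.

Extension-based filters miss a renamed .mdb; checking the leading bytes
does not. Added example; sample attachments below are constructed."""

# OLE2 compound-file header (legacy Word .doc) and the Jet/ACE database
# marker that sits at offset 4 of .mdb/.accdb files (both 15 bytes long).
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
JET_MARKERS = (b"Standard Jet DB", b"Standard ACE DB")
DB_EXTENSIONS = (".mdb", ".accdb", ".mde", ".accde")


def classify(data: bytes) -> str:
    """Return 'jet', 'ole2' or 'other' based on the leading bytes only."""
    if data[4:4 + len(JET_MARKERS[0])] in JET_MARKERS:
        return "jet"
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    return "other"


def suspicious_pair(attachments: dict) -> list:
    """Flag Jet databases travelling alongside a Word document.

    `attachments` maps filename -> raw bytes. Returns one finding per Jet
    database, noting when its extension does not match its real type."""
    kinds = {name: classify(blob) for name, blob in attachments.items()}
    has_doc = any(k == "ole2" and n.lower().endswith(".doc")
                  for n, k in kinds.items())
    if not has_doc:
        return []
    findings = []
    for name, kind in kinds.items():
        if kind != "jet":
            continue
        disguised = not name.lower().endswith(DB_EXTENSIONS)
        findings.append((name, "jet database with mismatched extension"
                         if disguised else "jet database"))
    return findings


# Constructed sample: a Word document plus a Jet database renamed to look
# like an image so that an extension-based filter ignores it.
SAMPLE_MAIL = {
    "report.doc": OLE2_MAGIC + b"\x00" * 64,
    "photo.jpg": b"\x00\x01\x00\x00" + JET_MARKERS[0] + b"\x00" * 64,
}

if __name__ == "__main__":
    for finding in suspicious_pair(SAMPLE_MAIL):
        print(finding)  # ('photo.jpg', 'jet database with mismatched extension')
```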
You can also find more information in the Microsoft Security Advisory (950627). Apparently, the guys at Microsoft are working during Easter weekend because of this.
Customers running Windows Server 2003 Service Pack 2, Windows Vista, and Windows Vista Service Pack 1 are not vulnerable to the buffer overrun being attacked, as they include a version of the Microsoft Jet Database Engine that is not vulnerable to this issue.
Customers using Microsoft Word 2000 Service Pack 3, Microsoft Word 2002 Service Pack 3, Microsoft Word 2003 Service Pack 2, Microsoft Word 2003 Service Pack 3, Microsoft Word 2007, and Microsoft Word 2007 Service Pack 1 on Microsoft Windows 2000, Windows XP, or Windows Server 2003 Service Pack 1 are vulnerable to these attacks.
In recent weeks, Zone-H released their statistics on web defacements and observed a large decrease for the first time in years. Now, this is not a good thing.
At that time and before, website defacement was mainly a Brazilian business where hundreds of Brazilian crackers groups were causing havoc to the web. They were all coordinating between each other using the most famous Brazilian IRC network, called Brasnet. One day in year 2005, the Brazilian police seized the logs of the conversations between the Brazilian defacers and started to distribute punishments to some of them. The reaction was quite immediate: most of the crews quit their own IRC Brasnet channels, some of them decided to quit defacing and some of them moved to different servers, trying to look for "secrecy" on private IRC servers.
Regardless, the path was already traced: defacing was maybe something funny to do for Brazilians, but more interesting activities were looming on the horizon, such as scamming, phishing, carding and banking. From hacking for fun, soon the Brazilian efforts were targeted at hacking for money. So much so that today, there is no more activity with regard to defacements coming from Brazil. Sure, the Turks inherited the defacing business from the Brazilians; nowadays most of the website defacements are coming from the land of Atatürk.
As I said in my last presentation, hacking for fun is fading out. It's all for the money now. So be safe and know your risks.