IT-ISAC Weekly Assessment Report
Threats Assessed: January 19, 2008 through January 25, 2009
Inauguration Day Issues
Leading up to Inauguration Day 2009, the malware crowd had been busy
working overtime pushing schemes. We reported sites, serving up the
Waledac malware, claiming President-Elect Barack Obama would refuse
to take the oath of office on Inauguration Day. This Trojan is believed to
have been created by the same authors responsible for the notorious Storm
Worm. These attacks were being pushed with e-mail spam that contained
a provocative subject and a link to the malicious web pages. In the run-up
to this historic occasion, users were warned to be especially wary of
salacious or enticing e-mail and advised not to follow links to untrusted sites.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9126318&source=rss_topic85
http://blogs.pcmag.com/securitywatch/2009/01/beware_of_fake_obamathemed_sit.php
http://www.f-secure.com/weblog/archives/00001585.html
On Inauguration Day, we reported that large crowds (estimates varied
from 1 to 4 million people) were expected to attend the inauguration and
that this might have an impact on wireless services such as cell phone
networks in the Washington DC area. For example, VeriSign expected
more than 1 billion mobile text messages on Inauguration Day which
would shatter the previous record of 803 million set on US Election Day
(November 4) in 2008. The event was to be highly publicized through
Internet services (video and text), and this had the potential to cause
quality of service issues in the United States and internationally. One
news article described the planned coverage as unprecedented and more
challenging to the Internet than the Beijing Olympics coverage. The major
strain was expected to occur during live coverage of the event, but
Internet traffic was also expected to remain high throughout the day.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9126208&intsrc=hm_list
http://www.eweek.com/c/a/Mobile-and-Wireless/Wireless-Inauguration-Advice-Text-Dont-Talk/
http://www.eweek.com/c/a/Mobile-and-Wireless/Mobile-Messaging-to-Hit-Record-on-Inauguration-Day/
Arbor Networks, which has been monitoring Internet traffic for 5 years,
reported that Inauguration Day produced one of the largest single-day
spikes in Internet traffic since it began monitoring. Arbor reports that
Inauguration Day traffic beat the previous Internet traffic record, which was set
during the US Open in 2008. A graph in the Arbor report clearly shows the
traffic peak. Arbor notes that, while most US infrastructure appeared to
cope, some issues were observed.
http://asert.arbornetworks.com/2009/01/the-great-obama-traffic-flood/
United States National Counterintelligence Executive on Cyber Attacks
We drew our readers' attention to comments made by Dr. Joel Brenner,
United States National Counterintelligence Executive, during a TV
interview which highlight the importance of cyber security at national and
international levels. The interviewer referenced a scenario of a cyber
attack launched from overseas to disrupt critical computer systems. When
asked why it is important that the incoming (Obama) administration is up to
speed on cyber security, Dr Brenner's response was: "Because we're
electronically undressed. Everything we do is done on electronic network.
All the information that we create is created electronically".
The interviewer then showed scenes from the TV show "24", which in the
current season has terrorists breaching a firewall and being able to control
critical systems, to which Dr Brenner offered this comment: "If instead of
attacking the Twin Towers al Qaeda had taken down a major bank, the
economic consequences would have been an order of magnitude ten
times greater than the economic consequences of 9/11. I don't say the
personal physical damage. People were killed in 9/11. But the economic
damage of taking down a piece of our banking system would be enormous
and it would reverberate through the world financial system".
We noted these comments to underscore to our readers the absolute
importance of security consciousness, even at the most basic levels such
as keeping systems patched and up to date. Breaches of systems, even of
non-critical infrastructure, can have serious impacts and consequences.
http://www.dni.gov/interviews/20090118_interview.pdf
http://www.nation.com.pk/pakistan-news-newspaper-daily-english-online/International/19-Jan-2009/Cyber-attack-on-US-banking-system-more-dangerous-than-911-US-intelligence-official
IBM ISS X-Force Alert - Conficker Worm
IBM X-Force released a Protection Alert to address the threat posed by
the Conficker worm, which is building a bot framework that might be used
for spam or for stealing confidential information from endpoints. This network
worm spreads by one or more of the following mechanisms: exploiting the
Windows Server Service vulnerability (MS08-067), dropping a copy of
itself onto network and removable drives, and dropping a copy of itself
into network shares protected by weak passwords. We recommend reviewing the
alert for additional details, and we continue to encourage members to apply
the MS08-067 patch.
https://www.it-isac.org/postings/cyber/alertdetail.php?id=4537
Disabling AutoRun - Mitigating Conficker
On January 20, 2009, US-CERT issued Technical Cyber Security Alert
TA09-020A regarding Microsoft's guidelines for disabling the Windows
AutoRun feature, which US-CERT claimed are not fully effective. According
to US-CERT, even if the Microsoft guidelines are adhered to, there are still
situations in which an autorun.inf file could be used to execute code on a
system, such as when a user clicks on the icon for a device in Windows
Explorer. This is particularly topical at this time, with the
Downadup/Conficker worm using an autorun.inf file on removable media
as one of its infection vectors.
In an update posted to its Alert on January 21, 2009, US-CERT points to
Microsoft support document KB953252 (September 11, 2008), which
advises that the guidance offered in Technet article 91525 did not correctly
disable AutoRun features. Microsoft Article KB953252 provides additional
information and an update for Windows 2000, XP, and Server 2003 which
users need to install manually. Vista users received this update in MS08-038.
https://www.it-isac.org/postings/cyber/alertdetail.php?id=4536
http://support.microsoft.com/kb/953252
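As an added example (not from US-CERT, Microsoft or IT-ISAC), the following PowerShell audit reports whether the two AutoRun mitigations discussed above are in place on a host: the NoDriveTypeAutoRun policy bitmask that the KB953252 update makes effective, and the TA09-020A workaround of mapping Autorun.inf to a non-existent registry location so Explorer never parses the file, which also covers the click-on-the-device-icon case. The registry paths and bit meanings are assumed from the public Microsoft/US-CERT documentation rather than quoted from this report; run it from an elevated prompt.

```powershell
# Added audit script (assumed registry locations, not quoted on this page).
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$iniMap = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'

# NoDriveTypeAutoRun is a bitmask of drive types with AutoRun disabled;
# 0xFF disables it for every type. Only the bits that matter here are decoded.
$driveBits = [ordered]@{
    0x04 = 'removable'
    0x08 = 'fixed'
    0x10 = 'network'
    0x20 = 'CD/DVD'
    0x40 = 'RAM disk'
}

$value = (Get-ItemProperty -Path $policy -Name NoDriveTypeAutoRun `
          -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($null -eq $value) {
    Write-Output 'NoDriveTypeAutoRun not set: AutoRun policy is at the OS default'
} else {
    Write-Output ('NoDriveTypeAutoRun = 0x{0:X2}' -f $value)
    foreach ($bit in $driveBits.Keys) {
        # A set bit means AutoRun is disabled for that drive type.
        $state = if ($value -band $bit) { 'disabled' } else { 'ENABLED' }
        Write-Output ('  AutoRun on {0,-9} drives: {1}' -f $driveBits[$bit], $state)
    }
    if (($value -band 0x04) -eq 0) {
        Write-Output '  Removable media (the Conficker vector) still has AutoRun enabled'
    }
}

# TA09-020A workaround: the default value of the Autorun.inf mapping key points
# at a key that does not exist, so the file's contents are never read.
$mapped = (Get-ItemProperty -Path $iniMap -ErrorAction SilentlyContinue).'(default)'
if ($mapped -eq '@SYS:DoesNotExist') {
    Write-Output 'IniFileMapping workaround present: autorun.inf is ignored'
} else {
    Write-Output 'IniFileMapping workaround NOT present: autorun.inf is still parsed'
}
```

The policy check only reflects the intended state; without the KB953252 update installed on Windows 2000/XP/Server 2003, the report notes that the value may not be honoured.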
Another Nail in the Coffin of MD5
In a posting to his blog, Didier Stevens demonstrated how to transfer a
Microsoft Authenticode MD5 digital signature from one PE executable file
to another while retaining the validity of the signature. This is possible
because MD5 collisions can be generated, but the technique appears to
depend on fairly specific circumstances. It should also be noted that Microsoft's code signing by
default uses SHA1 rather than MD5, and it is not currently thought
possible to forge SHA1 signatures in such a manner. Readers may also
recall the recent presentation at the Chaos Communication Congress
which demonstrated how to create a rogue CA certificate, again by
utilizing an MD5 collision.
http://blog.didierstevens.com/2009/01/17/playing-with-authenticode-and-md5-collisions/
http://www.phreedom.org/research/rogue-ca/
HP OpenView Vulnerability
HP released a patch (HPSBMA02400 SSRT080144 rev.1) for OpenView
Network Node Manager which addresses a vulnerability that could allow
the remote execution of arbitrary code. The issue is caused by
boundary overflows in various executable files which could be exploited
via HTTP requests. HP lists the impacted versions as OpenView Network
Node Manager (OV NNM) v7.01, v7.51 and v7.53 running on HP-UX, Linux,
Solaris, and Windows.
Patches are available from HP.
http://support.openview.hp.com/selfsolve/patches
http://secunia.com/advisories/28074
http://www.securityfocus.com/archive/1/500203/30/0/threaded
Apple patches 8 QuickTime vulnerabilities
Apple released QuickTime 7.6 for OS X and Windows which addresses
multiple vulnerabilities in QuickTime. The most serious vulnerability
addressed by the update could allow a remote attacker to execute
arbitrary code on a victim's system. Successfully exploiting these
vulnerabilities would require a victim to open a specially crafted movie file
or RTSP URL. The associated CVE numbers for the vulnerabilities are
CVE-2009-0001, CVE-2009-0002, CVE-2009-0003, CVE-2009-0004,
CVE-2009-0005, CVE-2009-0006 and CVE-2009-0007.
Apple also published a separate update for the QuickTime MPEG-2
Playback Component on Windows. This update addresses an input
validation issue which could lead to the unexpected termination of the
application or the execution of arbitrary code if a user opens a specially
crafted movie file. Apple notes that this component is not installed by
default with QuickTime for Windows. The associated CVE number for this
issue is CVE-2009-0008. We urge users to apply the applicable updates
at their earliest convenience.
http://support.apple.com/kb/HT3403
http://support.apple.com/kb/HT3404
Cisco vulnerabilities patched
Cisco released two security advisories which outline vulnerabilities in the
Cisco Security Manager and the Cisco Unified Communications Manager.
The first vulnerability is in the Unified Communications Manager and is
due to the failure of the Certificate Authority Proxy Function (CAPF)
service to properly handle malformed input. A remote attacker may be
able to exploit this vulnerability to interrupt voice services, resulting in a denial
of service condition. Cisco notes that it is not aware of any public
announcements or malicious use of this vulnerability.
The second issue is in the Cisco Security Manager and is caused by
the Cisco IEV (installed by default) failing to close TCP ports on the server
which are opened during sessions with the Security Manager. These open
ports "could allow remote, unauthenticated root access to the IEV
database and server". Cisco notes that if the IEV has never been used on
the system it would not be vulnerable, and that this issue was discovered
by Cisco during internal testing. As with the first vulnerability, Cisco states
that it is not aware of any public announcements or malicious use of this
vulnerability.
http://www.cisco.com/warp/public/707/cisco-sa-20090121-cucmcapf.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20090121-csm.shtml
Heartland Payment Systems breach
We drew our readers' attention to an IBM ISS X-Force blog article on the
network breach of Heartland Payment Systems. This company delivers
credit/debit/prepaid card processing, payroll, check management and
payments solutions to more than 250,000 business locations across the
United States. This is possibly the largest breach ever reported.
http://blogs.iss.net/archive/HeartlandDataBreach.html
Debian - Vulnerability could be Exploited in SQL Injection Attacks
Information has been disclosed on a vulnerability in the Debian
"libapache2-mod-auth-mysql" module which is due to insufficient escaping
of input in multibyte character encodings. The vulnerability could
allow a remote attacker, using a web browser, to access or modify data in
the underlying database. This vulnerability may also be exploited in SQL
injection attacks. Currently, it appears the issue is Debian specific, and a
link to a patch is included in the published information.
http://permalink.gmane.org/gmane.comp.security.oss.general/1411
http://www.securityfocus.com/bid/33392/discuss
iServices.A - Apple iWork Trojan at work
A trojan, iServices.A, has been discovered in pirated copies of Apple's
iWork 09 which are being distributed through various torrent trackers and
other sites that provide links to pirated software. The trojan is installed
as a startup item with read, write and execute permissions for root; it attempts
to connect to a remote server and gives attackers the ability to
perform various operations. It may also download additional components.
http://www.intego.com/news/ism0901.asp
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9126609&intsrc=hm_list
http://voices.washingtonpost.com/securityfix/?hpid=news-col-blog
http://ithreats.wordpress.com/2009/01/22/latest-os-x-threat-iworkservices/