
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2007-03-23



Gozi Trojan Steals SSL Encrypted Data for Fun and Profit

Published: 2007-03-23
Last Updated: 2007-03-24 01:16:18 UTC
by John Bambenek (Version: 1)
A few days ago Secureworks had a good write-up on the Gozi trojan (thanks to ISC readers Bob and BB for pointing it out). This Russian malware beauty was doing the rounds and went undetected for some time. One estimate puts the black market value of the stolen data at $2 Million. It spread through IE web browser exploits and was able to steal SSL encrypted traffic using Winsock2. The days of the keylogger look to be over; the game has gotten more interesting.

Basically, what this malware did was insert itself between Internet Explorer and the socket used to send data. It then stole the data prior to encryption and sent it to your happy local Russian hacker. While (I believe) this is the first real slick attempt to steal SSL data by inserting a listener to take the data pre-encryption, the technique is not new. In fact, I wrote about this same tactic almost two and a half years ago.

Encryption is meaningless if one of the endpoints of the communication is compromised. If you tunnel your transaction over SSL to a vendor who happily takes your data and sells it, the SSL won't help you. The same holds true for home PCs, which by any definition of security are completely untrustworthy. There are plenty of techniques to grab data before it is encrypted. The Neanderthal way is to use a keylogger. Now there are other techniques in use.

Until we find a way to get consumer PCs secure, or better yet, find a way for private financial data to be transmitted through a PC without the untrusted PC being able to compromise it, no electronic financial transaction will be secure. If the home PC isn't secure, all the encryption in the world won't help.
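As an added example (not part of the diary or of the Secureworks write-up), here is a defender's check for the Winsock2 insertion described above: it parses the Winsock provider catalog and reports any provider DLL that lives outside the Windows directory or lacks a valid Authenticode signature. It assumes the "Winsock Catalog Provider Entry" / "Provider Path:" label format that netsh winsock show catalog prints, and a clean result is evidence, not proof, that nothing has been layered in.

```powershell
# Added example, not the diary's code. Audits the Winsock2 catalog for
# providers that a trojan could have layered in between the browser and the
# socket. Assumes the label format of 'netsh winsock show catalog' output.

function Get-WinsockCatalogEntries {
    # Parse netsh output into one object per catalog entry (label -> value).
    param([string[]]$Lines = (& netsh winsock show catalog))
    $entries = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^Winsock Catalog Provider Entry') {   # assumed header text
            if ($current) { $entries += [pscustomobject]$current }
            $current = [ordered]@{}
            continue
        }
        if ($current -and $line -match '^\s*([^:]+):\s+(.*)$') {
            $current[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    if ($current) { $entries += [pscustomobject]$current }
    return $entries
}

function Find-SuspiciousWinsockProviders {
    # Flag providers loaded from outside %SystemRoot% or without a valid signature.
    param([object[]]$Entries = (Get-WinsockCatalogEntries))
    $winDir = [Environment]::ExpandEnvironmentVariables('%SystemRoot%')
    foreach ($e in $Entries) {
        $path = $e.'Provider Path'
        if (-not $path) { continue }
        $expanded  = [Environment]::ExpandEnvironmentVariables($path)
        $inWindows = $expanded.StartsWith($winDir, [StringComparison]::OrdinalIgnoreCase)
        $sig = Get-AuthenticodeSignature -FilePath $expanded -ErrorAction SilentlyContinue
        if (-not $inWindows -or $sig.Status -ne 'Valid') {
            [pscustomobject]@{
                EntryType   = $e.'Entry Type'
                Description = $e.'Description'
                Path        = $expanded
                Signature   = if ($sig) { $sig.Status } else { 'FileNotFound' }
            }
        }
    }
}

# Run from an elevated prompt; an empty table means no provider tripped either check.
Find-SuspiciousWinsockProviders | Format-Table -AutoSize
```

Compare the flagged paths against a known-good machine before acting on them, since some legitimate security products also register Winsock providers.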

UPDATE: ISC Reader Nick suggests "Man at the Endpoint" as a name for this kind of attack.

--
John Bambenek / bambenek (at) gmail.com
University of Illinois at Urbana-Champaign

The rise of the botnets

Published: 2007-03-23
Last Updated: 2007-03-23 21:28:02 UTC
by John Bambenek (Version: 1)
According to data from Shadowserver, the number of botnet-controlled machines has tripled in the last month. Specifically, the jump seems to have started around March 8th and has kept going ever since. For the most part, they haven't tracked a significant increase in the number of botnets (only about a 20% jump), just in the number of machines. The biggest C&C nets are near New York, Southern California, and Germany. The biggest concentrations of botnet-infected machines are in China, Brazil, and Argentina.

So it appears botnet controllers are getting better at increasing the size of their herds.

--
John Bambenek / bambenek /at/ gmail.com
University of Illinois at Urbana-Champaign

New SCADA Vulnerabilities in OPC Servers

Published: 2007-03-23
Last Updated: 2007-03-23 19:12:34 UTC
by John Bambenek (Version: 1)
Last night, 6 e-mails hit the Bugtraq list detailing vulnerabilities in OPC (OLE for Process Control) servers made by Takebishi Electric (vuln 1, vuln 2, vuln 3, vuln 4, vuln 5) and NETxAUTOMATION (vuln 1). The CVE entries are CVE-2007-1319 (for Takebishi) and CVE-2007-1313 (for NETxAUTOMATION).

OPC servers are used in SCADA systems (power grids, water systems, etc.) to consolidate network device information. These vulnerabilities allow remote access to memory and could be used for remote code execution. Authentication would be bypassed and an attacker could potentially take complete control of the OPC server. Because of the kinds of applications OPC servers are used in, this vulnerability is important to remediate.

In all 6 cases, the vendor has updates available for users to upgrade to. The vulnerabilities were found during an OPC server assessment by Neutralbit for one of their customers. At present, there is no known exploit code in the field.

If you are running either vendor's OPC server in your environment, you should upgrade immediately.
--
John Bambenek / bambenek /at/ gmail.com
University of Illinois at Urbana-Champaign