Last Updated: 2009-07-11 02:48:03 UTC
by John Bambenek (Version: 2)
A quick update on the DDoS of various governmental/commercial sites in the US and South Korea. At this point, the security researcher community is still working on the particular malware involved, the sites involved and how to remediate the ongoing threat. However, what is clear is that more or less well-known techniques are being used to debilitate the online presence of the aforementioned governmental/commercial entities.
First, the government is still operational. This attack, while problematic, doesn't stop the country from working. If ftc.gov is offline, the economy doesn't crash. Based on that alone, this attack cannot be labelled as cyberwarfare. That isn't to say it isn't significant or a problem. However, the key takeaway is that the governments of the US and S. Korea are still working and still operational. They do not rely on their public facing websites to work.
While more technically specific writeups are being conducted (and conference calls and the like are being held around the clock on this one), some quick points. It does not seem that any novel techniques are being used. A new DDoS toolkit, perhaps, but well-known attacks: simply flood the target with more requests than it can handle.
This leads to a lose-lose proposition. Do nothing, and anyone who accumulates a botnet of unremarkable size is able to debilitate an entity's ability to operate online. The other option is spending enough resources to be able to handle the traffic, which imposes costs on the victim and is still a "success" for the bad guys. On the one hand, no service; on the other hand, a very excessive cost to provide service. No matter which path we choose, we lose. It's just a question of how much.
The core problem is that bandwidth is limited but the ability to control a vast army of machines (i.e. botnets) is trivial. The solution to this problem isn't remediating DDoS per se, it's remediating the triviality of getting lots of end-users to get themselves infected with malware. This latest denial of service is just another indicator of the core problem.
The problem is that end-users cannot (nor should they be expected to) secure their home hardware. They simply lack the skills (and we shouldn't lament this; these skills being a scarce commodity allows us to demand high salaries, after all). The responsibility must be shifted to the party closest to the user with the resources and skills to remediate this problem, namely, the ISPs. Until we get to that point, these problems will keep recurring.
Until then, researchers continue to work around the clock playing whack-a-mole with the latest attempts. Thankfully, they are few and far between, but in an increasingly "cyberwarfare" oriented world, that won't be for long.
UPDATE 07.10.09 @ 0100 GMT - Shadowserver has a nice writeup of the attack and a good analysis. Key takeaway, there is NO EVIDENCE that N. Korea has launched a cyberwar against the United States. Ignore the media and the "Fire up the B-52s" crowd.
bambenek /at/ gmail /dot/ com
Last Updated: 2009-07-09 08:40:37 UTC
by Bojan Zdrnja (Version: 1)
For the last couple of days we've all witnessed skyrocketing FUD surrounding a supposed 0-day exploit for OpenSSH.
At this moment, it definitely looks like we're dealing with a hoax – what's more, it's not the first time someone has claimed to have a 0-day exploit for SSH. So, let's see some facts about this.
It appears that the whole story started after a post to the Full-Disclosure mailing list on the 4th of July (http://seclists.org/fulldisclosure/2009/Jul/0028.html). The post supposedly shows a hacker group using a 0-day exploit for SSH to compromise a server. After doing some research here, it appears that this is a long-standing argument between two guys (or groups). One of our readers submitted the following URL (http://flx.me/astahack2.txt), which shows another hack.
The "exploit" used in that file is a brute force attack for sure, as can be seen below:
anti-sec:~/pwn/xpl# ./openPWN -h 220.127.116.11 -p 2222 -l=users.txt
See the "-l" option? That supplies the list of users it will try to brute force.
Additionally, a bit below it even prints which user was hacked:
uname: Linux srv01.webhostline.com
18.104.22.168-hostnoc-3.1.7-libata-grsec-32 #1 SMP Mon Feb 11 06:36:58 EST 2008 i686 i686 i386 GNU/Linux
Now, what has been posted on the Full-Disclosure list (the supposed exploit) looked like this:
anti-sec:~/pwn/xpl# ./0pen0wn -h xx.yy.143.133 -p 22
Same group, same server, same directory – different file name. Why didn't they use the mighty 0-day the first time? They brute forced their way into the server and then had to jail break.
This looks very much like a hoax to me – and this is the only evidence we have about a 0-day? A post from an anonymous e-mail address (hushmail) to the Full-Disclosure mailing list (which, we all have to admit, isn't the best source of verified information)? And this was even enough for some web hosting companies to *shut down* their SSH service? I find this unbelievable.
Finally, OpenSSH developers would probably agree with me – one of the developers sent an e-mail to the Openssh-unix-dev mailing list (http://lwn.net/Articles/340483/) also stating the obvious.
So, I'd like to ask everyone not to spread the FUD any more. Every piece of evidence we have received so far points only to brute force attacks on SSH servers (which have been around for years!). Do keep an eye on your server and install all patches. We will post more information if we receive it, but until then I think there has been enough of this FUD.
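The signature of the "-l users.txt" style attack described above is easy to spot on the defending side: one source address producing a burst of failed logins spread across many different usernames, sometimes followed by a success once a weak account is found. The following is an added example, not part of the diary and not code from the group or tools it discusses; it parses the standard OpenSSH "Failed password" / "Accepted" syslog lines and flags sources that show that pattern. The log lines, addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample sshd syslog lines (not taken from the page): one source
# walking a user list and then succeeding, plus a normal login from elsewhere.
SAMPLE_LOG = """\
Jul  9 08:01:01 srv01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Jul  9 08:01:03 srv01 sshd[2103]: Failed password for invalid user oracle from 203.0.113.7 port 40125 ssh2
Jul  9 08:01:05 srv01 sshd[2105]: Failed password for invalid user test from 203.0.113.7 port 40130 ssh2
Jul  9 08:01:07 srv01 sshd[2107]: Failed password for root from 203.0.113.7 port 40133 ssh2
Jul  9 08:01:09 srv01 sshd[2109]: Failed password for invalid user guest from 203.0.113.7 port 40138 ssh2
Jul  9 08:01:11 srv01 sshd[2111]: Accepted password for www from 203.0.113.7 port 40142 ssh2
Jul  9 08:02:00 srv01 sshd[2200]: Accepted publickey for alice from 198.51.100.4 port 51000 ssh2
Jul  9 08:02:30 srv01 sshd[2210]: Failed password for alice from 198.51.100.4 port 51010 ssh2
"""

# OpenSSH logs "invalid user" for names that do not exist on the host; both
# forms carry the username and the source address.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port \d+")


def analyse(log_text, min_failures=5, min_users=3):
    """Return {source_ip: summary} for every source whose failed logins are
    numerous (>= min_failures) and spread over many distinct usernames
    (>= min_users), i.e. a user-list brute force rather than a mistyped
    password.  A successful login from such a source that arrives after its
    failures is recorded as well, since that is the case worth paging on."""
    failures = defaultdict(list)       # ip -> usernames tried
    success_after = defaultdict(list)  # ip -> (auth method, user) accepted after failures
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)].append(m.group(1))
            continue
        m = ACCEPTED_RE.search(line)
        if m and m.group(3) in failures:   # lines are processed in order
            success_after[m.group(3)].append((m.group(1), m.group(2)))

    findings = {}
    for ip, users in failures.items():
        distinct = set(users)
        if len(users) >= min_failures and len(distinct) >= min_users:
            findings[ip] = {
                "failures": len(users),
                "distinct_users": sorted(distinct),
                "success_after_failures": success_after.get(ip, []),
            }
    return findings


if __name__ == "__main__":
    for ip, info in analyse(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures over users {info['distinct_users']}")
        for method, user in info["success_after_failures"]:
            print(f"  ALERT: later accepted {method} login as '{user}' from the same source")
```

The thresholds are deliberately low so the constructed sample triggers; on a real host tune them to the noise level of your own logs, and treat the "success after failures" case as an incident rather than a statistic. The same two regular expressions work on journald output from sshd once the timestamp prefix is stripped.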