Pushdo Update

Published: 2010-02-02
Last Updated: 2010-02-14 06:13:05 UTC
by Johannes Ullrich (Version: 2)
1 comment(s)

As mentioned in an older diary [1], "www.sans.org" is one of the targets singled out by the Pushdo bots. At this point, it is not clear what the intention is of the this botnet. If its intention is a denial of service attack, then it failed. It does not appear that any of the sites listed experiences significant Pushdo related outages. We reported earlier about a Bank of America outage, but in hindsight, this outage appears to be unrelated to Pushdo and has been resolved.

We took the opportunity presented by pushdo attacking "www.sans.org", and collected some traffic for further analysis. www.sans.org receives a good amount of legitimate https traffic as well, which made isolating the Pushdo traffic a bit challenging. We focused on a slice of about 10 minutes worth of traffic to ease analysis.

I used the following two snort rules to isolate the traffic:

alert tcp $HOME_NET 443 -> $EXTERNAL_NET any (flow:from_server,established; content: "|15 03 00|"; depth: 3; msg: "SSL 3 Illegal Parameter"; sid: 1000001)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 ( msg:"Pushdo DoS Request - July 17, 1970 timestamp"; flow:to_server,established; content:"|16|";
     depth:1; content:"|01|"; within:6; content:"|01 01 01 01|"; within:16; sid:10000002;)


One pattern Pushdo exhibits is the use of malformed SSL Helo requests after the TCP connection is established. The server will respond to these requests with an SSL error. The first rule tries to match the SSL error, while the second rule looks for the Pushdo request.

The most aggressive pushdo infected hosts appear to establish a connection about once a minute. We identified about 10k host attacking www.sans.org. According to some reports, Pushdo will also just establish a TCP connection, and then just sit without actually sending the SSL Helo message. 

All this is consistent with Pushdo being a simple DDoS bot. The impact is limited at this point, in part due to the firepower of the botnet being spread across a large number of targets. For more details on Pushdo, see Shadowserver's blog posting [2].

[1] http://isc.sans.org/diary.html?storyid=8125
[2] http://www.shadowserver.org

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: bot ddos pushdo
1 comment(s)

Cisco Secure Desktop Remote XSS Vulnerability

Published: 2010-02-02
Last Updated: 2010-02-02 23:58:13 UTC
by Guy Bruneau (Version: 1)
0 comment(s)

This vulnerability (CVE-2010-0440) could allow an unauthenticated, remote attacker to conduct cross-site scripting attacks. Cisco has released patches to address the vulnerability as well as workaround to mitigate this risk. The Cisco alert is available here.

The following versions are vulnerable:

- Cisco Secure Desktop versions prior to 3.5
- Cisco ASA appliances are vulnerable only if the Cisco Secure Desktop feature has been enabled
- Cisco ASA appliance versions prior to 8.2(1), 8.1(2.7), and 8.0(5) are vulnerable


-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

0 comment(s)

Twitter Mass Password Reset due to Phishing

Published: 2010-02-02
Last Updated: 2010-02-02 21:47:04 UTC
by Johannes Ullrich (Version: 1)
8 comment(s)

Twitter is sending out a large number of e-mails, asking users to reset their passwords. It appears a large number of passwords got compromised in a recent phishing incident (mine included).

When I received the message at first, I considered the e-mail a phishing attempt in itself. But all the links appeared to be "good". If you receive an e-mail like this, I recommend the following procedure:

  1. delete the e-mail
  2. go to twitter by entering the link in your browser. Best: use https://www.twitter.com (httpS not http) (hey. I got a link for you to make it easier ;-) https://www.twitter.com
  3. change your password.
  4. do not reuse the password, do not use a simple password scheme (like "twitterpassword" and "facebookpassword")

I know it is hard. A lot of people will advice against writing the password down, or using a "password safe" application. But considering the risks, I am tend to advice people to rather write down the passwords or use a password safe application compared to using bad / repeating passwords.

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

8 comment(s)
New IPv6 Screencast Videos: http://isc.sans.org/ipv6videos (Today: blocking and detecting IPv6 in Linux)

Adobe ColdFusion Information Disclosure

Published: 2010-02-02
Last Updated: 2010-02-02 01:22:06 UTC
by Guy Bruneau (Version: 1)
0 comment(s)

Adobe has released information on an important vulnerability (CVE-2010-0185) identified in ColdFusion 9.0. This could allow access to collections created by the Solr Service to be accessed from any external machine using a specific URL.

Adobe recommends that users update their product installations using the instructions provided here.

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

Le cours SANS SEC 503 sera offert en français en mai 2010 à Nice, France. Pour plus d'information, suis ce lien.

Keywords: Adobe Coldfusion
0 comment(s)

Comments

What's this all about ..?
password reveal .
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
https://thehomestore.com.pk/
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
https://defineprogramming.com/
https://defineprogramming.com/
Enter comment here... a fake TeamViewer page, and that page led to a different type of malware. This week's infection involved a downloaded JavaScript (.js) file that led to Microsoft Installer packages (.msi files) containing other script that used free or open source programs.
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
https://clickercounter.org/
Enter corthrthmment here...

Diary Archives