For the Fallen Laurence Binyon (1869-1943)

12:34:56 07/08/09

1 2 3 4 5 6 7 8 9

This will never happen our lives again!

During a break after I presented a talk on Cyber warfare last night, I had a number of questions relating to the proported meltdown today -

• “Should we keep our machines off?”
• “How do we stop this?”
• “How do I stop getting infected?”
• “What antivirus must we buy?”

Here in deepest darkest africa, we have two unintended benefits that come form the general means of network engineering done here. Both stem in reality from the paucity of real bandwidth currently (and historically available).  The first is that most organisations block direct port 80/tcp (http) and related port access to the Internet, forcing the requirements to use proxy servers. This cuts off confickers ability to update. In the resedential SOHO market, theoreticlaly direct end to end port 80 access is possible , but more often than not there is a transparent proxy in the way. I doubt ISPs are doing any domain filtering on these however. What works as a means of self limitation is that fact that should any massive wave of attacks spring forth from the SOHO /Residential type users, it will be cut short as they rappidly burn though their “bandwidth cap” – in most cases 1-3 Gig.

What is interesting is what the actual next move will be.  I think its highly unlikley that this will be used for an all-out offensive and then disposed of. The authors have carefully engineered through four releases of the Hybridised Malware, and in essence have made a fairly substantial investment.   The most likely scenario is that tis is yet another botnet for sale – albeit a potentially massive one.

Botnets themselves are nothign new, we have seen what Storm has done ( and is still doing).

For  now we bunker down and wait…..

Zone-H defaced

No Details on this as yet. Hackers blog has more on the Kaspersky hack which seems to be good old SQL injection.

I’ve been patiently waiting for three years to catch a new worm on my telescopes, so I I’m ready and waiting.

Windows 2000, XP and Server 2003 are all listed as critical targets, with Vista and Server 2008 being vulnerable as well, but potentially able to limit the damage due to their newer some what more modular and layered security design.  For Operating systems other than the latter two, this release also effectively updates MS06-040

Christopher Budd from the Microsoft Security Response Center has a nice little writeup about it, with further details on the Official release notes for MS08-67. Also from a Microsoft Perspective, Michael from the Security Develoment Lifcycle has a nice piece titled MS08-067 and the SDL in which he actually explains the bug itself.

Microsoft have also gone as far as to provide a webcast on the subject.

Update: Infosec blogspace is all a twitter with this.  I’ll add relecant content as I find it.

1. Admit that you are powerless over bots.
2. Believe that a power greater than yourself exists and is necessary to identify and eliminate malware, botnets, and the Windows hosts that contain them.
3. Make a decision to turn your will and your life over to ShadowServer, Malfease or another similar volunteer effort.
4. Make a searching and fearless inventory of your Windows machines.
5. Admit to another security expert that you [have/do] run Windows.
6. Demonstrate readiness to remove Windows from your PC.
7. Humbly ask other experts to remove Windows from your machine.
8. Make a list of all other machines you’ve infected.
9. Make amends to those infected, i.e. with Mac OS, Ubuntu, FreeBSD or similar.
10. Continue to inventory remaining Windows hosts, and when infected, format & re-install.
11. Seek through prayer, meditation and continuing malware research to improve your understanding of the growing malware threat as we know it.
12. Having had a spiritual awakening, carry this message to other Windows users.

What I found interesting despite the obvious humour, is that it left me wondering as to just now many of the 19 million connects form the last 3 years I was processing earlier are actually from enslaved bots or zombies…

http://www.ctan.org/tex-archive/biblio/bibtex/utils/misc/rfc2bib.awk

Or other CTAN mirrors closer to you.

DARB: so…wordpress hey?
BVI: I got over writing my own code
BVI: now I’m waiting for my blog to be 0wn3d
DARB: you know wordpress is the equivalent of an 8ft tall ogre that stands outside looking pretty, smashes tables when he tries to sit down, and needs 20kg of food every day…and offers little or no protection on the side entrance to your establishment?
BVI: exactly!
DARB: lolz
BVI: mine has a spiked collar and a beware of the ogre sign :-)
DARB: that only scares away legitimate users…bandits read that sign as “come on in, we left the side door open”
BVI: yeah
DARB: I love wordpress docs and plugins
DARB: “just chown your /tmp file, and then chmod 777 everything”

Well not 20 minutes later I noticed a number of Remote file inclusion attacks coming in. Nothing like the ogre having sent out an invite to all and sundry. Attacks were coming looking as follows:

• /blog/wp-content/plugins/wordtube/wordtube-button.php?wpPATH=foo
• /blog/archives/5/wp-content/plugins/wordtube/wordtube-button.php?wpPATH=foo
• /wp-content/plugins/wordtube/wordtube-button.php?wpPATH=foo
• /blog/archives/wp-content/plugins/wordtube/wordtube-button.php?wpPATH=foo
• /blog/?flav=rss/wp-content/plugins/myflash/myflash-button.php?wpPATH=foo
• /wp-content/plugins/myflash/myflash-button.php?wpPATH=foo
• /blog/wp-content/plugins/myflash/myflash-button.php?wpPATH=foo
• /blog/archives/14/wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=foo
• /blog/archives/wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=foo
• /blog/archives/wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=foo

In the above the actual path for the exploit codes been replaced with foo, but is of the form of http://site/somepath/tx.txt????, or similar.

Ive now seen this form over eighty different systems. The include file seems to vary ( see below) but the same plugins are being targeted. No real surprise as they have been known exploitable for a while.

• myflash < v1.1 01 May 2007 ISS-XForce
• wordtube < 1.43 01 May 2007 ISS X-Force
• mygallery ≤ v 1.2.1 29 April 2007 ISS-X-force FRsirt

All the requests were may using libwww-perl/5.810, so most likely come from compromised unix systems. the payload file being referred to has been removed, but I found some others, which are no doubt similar. The algorithm being used for the brute forcing is rather dumb. of the entries listed above, only two relate to viable targets for my given install. I found the request for “blog/?flav=rss/….” rather amusing. Another interesting observation is the number of requests centered around http://lair.moria.org/blog/archives/14 my post relating to Windows XP failing to hibernate. I have yet to see hits on any other particular posts.

Looking at the payload code form some of the other similar attacks, I found the following one interesting, as a more human driven recon script providing information for making a value judgment on the target site rather than an automated assault. (When will these people learn that StudlyCaps isn’t really that cool )

echo "BraT<br>";
$alb = @php_uname();
$alb2 = system(uptime);
$alb3 = system(id);
$alb4 = @getcwd();
$alb5 = getenv("SERVER_SOFTWARE");
$alb6 = phpversion();
$alb7 = $_SERVER['SERVER_NAME'];
$alb8 = gethostbyname($SERVER_ADDR);
$alb9 = get_current_user();
$os = @PHP_OS;
echo "os: $os<br>";
echo "uname -a: $alb<br>";
echo "uptime: $alb2<br>";
echo "id: $alb3<br>";
echo "pwd: $alb4<br>";
echo "user: $alb9<br>";
echo "phpv: $alb6<br>";
echo "SoftWare: $alb5<br>";
echo "ServerName: $alb7<br>";
echo "ServerAddr: $alb8<br>";
echo "NigeriaN HackerS TeaM<br>";

Others are not quite so benign, providing command shells, and in some cases drive by exploits using a number of different tools to try download further payloads onto the system or upload password files, webserver configurations and other sensitive information. c99madscript.php really seems to be the flavour of the month with these, although it has been around a while.

What all these attempts that Ive seen do have in common are the trailing “???” or “?????” irrespective of the payload contents of filename. The purpose of these to me is unclear, surely its a pain to type. Is it a bug ina script, or are people trying to do something else.

• 69.90.132.19
• 69.90.132.22
• 66.152.91.84
• 208.122.204.181
• 69.90.132.22
• 69.90.132.31
• 216.131.106.249
• 216.131.84.26
• 67.55.105.252
• 208.64.44.102

Standard sort using sort –n only sorts on the first octet, and although it’s a improvement on alphabetic sorting its not ideal. The solution comes in specifying a pile of switches to sort:

sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4

This gets it sorted in Numerical order, by octet, using a period (dot) as a separator between octets. Combining this with a –u flag gives one a nicely sorted, unique list of IP addresses. This could probably be extended to IPv6 without too much hastle.

Quite a bit of content has been preserved, and will be being loaded over the next few weeks, as and when the need for WAB, occurs while I’m writing.