November 6th, 2008 . by DarkFiber Consulting
DarkFiber Consulting is aware of public reports of a high volume of financial accounts compromised by the Torpig (also known as Sinowal or Anserin) Trojan horse. This Trojan horse uses HTML injection to add fields to web pages in order to convince users to provide additional user credentials or financial account information. Systems compromised by this Trojan horse are being used by attackers to obtain FTP credentials, email addresses, and digital certificates of the current user.
This Trojan horse uses an MBR rootkit known as Mebroot. This rootkit contains configuration information for the Trojan horse as well as techniques used to keep the Trojan horse undetectable.
DarkFiber Consulting encourages users to do the following preventative measures to mitigate the security risks:
- Install antivirus software, and keep the virus signatures up to date.
- Investigate anomalous or slow-running machines, looking for unknown processes or unexpected Internet connections as this may be a sign of malicious programs operating in the background.
- Examine firewall logs of systems for connections to or from anomalous IP addresses.
- Consider traffic analysis to identify compromised systems that are exfiltrating data.
August 26th, 2008 . by DarkFiber Consulting
DarkFiber Consulting is aware of active attacks against linux-based computing infrastructures using compromised SSH keys. The attack appears to initially use stolen SSH keys to gain access to a system, and then uses local kernel exploits to gain root access. Once root access has been obtained, a rootkit known as “phalanx2″ is installed.
Phalanx2 appears to be a derivative of an older rootkit named “phalanx”. Phalanx2 and the support scripts within the rootkit, are configured to systematically steal SSH keys from the compromised system. These SSH keys are sent to the attackers, who then use them to try to compromise other sites and other systems of interest at the attacked site.
Detection of phalanx2 as used in this attack may be performed as follows:
- “ls” does not show a directory “/etc/khubd.p2/”, but it can be entered with “cd /etc/khubd.p2″.
- “/dev/shm/” may contain files from the attack.
- Any directory named “khubd.p2″ is hidden from “ls”, but may be entered by using “cd”.
- Changes in the configuration of the rootkit might change the attack indicators listed above. Other detection methods may include searching for hidden processes and checking the reference count in “/etc” against the number of directories shown by “ls”.
DarkFiber Consulting encourages administrators to perform the following actions to help mitigate the risks:
- Proactively identify and examine systems where SSH keys are used as part of automated processes. These keys will typically not have passphrases or passwords.
- Encourage users to use the keys with passphrase or passwords to reduce the risk if a key is compromised.
- Review access paths to internet facing systems and ensure that systems are fully patched.
If a compromise is confirmed, DarkFiber Consulting recommends the following actions:
- Disable key-based SSH authentication on the affected systems, where possible.
- Perform an audit of all SSH keys on the affected systems.
- Notify all key owners of the potential compromise of their keys.
DarkFiber Consulting will provide additional information as it becomes available.
July 23rd, 2008 . by DarkFiber Consulting
DarkFiber Consulting released a Current Activity entry and a Vulnerability Note on July 8, 2008 regarding deficiencies in DNS implementations. These deficiencies could leave an affected system vulnerable to cache poisoning. Technical details regarding this vulnerability have been posted to public websites. Attackers could use these details to construct exploit code. Users are encouraged to patch systems or apply workarounds immediately.
A number of patches implement source port randomization in the name server as a way to reduce the practicality of cache poisoning attacks. Administrators should be aware that in infrastructures where nameservers exist behind Network Address Translation (NAT) and Port Address Translation (PAT) devices, port randomization in the nameserver may be overwritten by the NAT/PAT device and a sequential port address could be allocated. This may weaken the protection offered by source port randomization in the nameserver.
DarkFiber Consulting encourages users to consider one of the following workarounds:
- Place the nameserver outside of the NAT/PAT device in the network infrastructure.
- Configure the NAT/PAT device to perform source port randomization.
- Configure the NAT/PAT device to preserve the source port assigned by the nameserver.
Additional information can be found in DarkFiber Consulting Vulnerability Note VU#800113.
More information will be provided as it becomes available.