CERT-In Monthly Security Bulletin
August 2009

Cyber Intrusion Trends
In this month, 1352 security incidents were reported to CERT-In from various national/international agencies. As shown in the figure, 89% of the incidents reported in this month related to the spreading of malware through website compromise. Incidents related to spamming (03%), phishing (02%), virus/worm under the Malicious Code category (02%), unauthorized scanning (03%) and technical help under the Others category (01%) were also reported in this month. During this month CERT-In tracked 188295 bot-infected computers in India. The concerned ISPs were intimated to disinfect the bot-infected systems and C&C servers in order to mitigate the botnets.

Figure: Cyber Intrusion during August 2009
Indian Websites Defacement

Open proxy servers
Any proxy server that does not restrict its client base to its own set of clients and allows any other client to connect to it is known as an open proxy server. An open proxy server will accept client connections from any IP address and make connections to any Internet resource. CERT-In tracked 213 open proxy servers functioning in India during August 2009. All the concerned ISPs were alerted immediately to shut down the open proxy servers. A bar chart of the open proxy servers tracked during this year is shown in the figure.

Figure: Statistics of Open Proxy Servers tracked during August 2009
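As an added illustration of the distinction drawn above (example code, not part of the bulletin), the following Python sketch shows the client-side access decision a proxy makes for each request: a policy whose client list covers every address is what the text calls an open proxy, while a restricted policy serves only the operator's own networks. The policies, address ranges, request lines and function names are assumptions constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed policies (assumption, not from the bulletin). A proxy that
# serves 0.0.0.0/0 and ::/0 accepts clients from any address: an open proxy.
# The restricted policy serves only the operator's own client networks
# (documentation and private ranges used as placeholders).
OPEN_POLICY = {"clients": ["0.0.0.0/0", "::/0"]}
RESTRICTED_POLICY = {"clients": ["192.0.2.0/24", "10.0.0.0/8"]}


def target_host(request_line):
    """Return the destination host named in a proxy-style request line.

    Proxy clients send either 'CONNECT host:port HTTP/1.1' or a request
    with an absolute URI such as 'GET http://example.org/ HTTP/1.1'.
    """
    method, target, _version = request_line.split(" ", 2)
    if method.upper() == "CONNECT":
        return target.rsplit(":", 1)[0]
    return urlsplit(target).hostname


def is_open_proxy(policy):
    """A client ACL containing a zero-length prefix matches every address."""
    return any(ipaddress.ip_network(n).prefixlen == 0 for n in policy["clients"])


def decide(policy, client_ip, request_line):
    """Return (allowed, reason) for one client request under the policy."""
    addr = ipaddress.ip_address(client_ip)
    nets = [ipaddress.ip_network(n) for n in policy["clients"]]
    # Membership across address families is simply False, so a v4 client is
    # never matched by a v6 prefix and vice versa.
    if not any(addr in net for net in nets):
        return False, f"client {client_ip} is outside the served networks"
    host = target_host(request_line)
    if host is None:
        return False, "request names no destination host"
    return True, f"client {client_ip} may reach {host}"


if __name__ == "__main__":
    for name, policy in (("open", OPEN_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, "proxy, open =", is_open_proxy(policy))
        print("  ", decide(policy, "203.0.113.9", "GET http://example.org/ HTTP/1.1"))
        print("  ", decide(policy, "192.0.2.7", "CONNECT example.org:443 HTTP/1.1"))
```

Under the restricted policy the request from 203.0.113.9 is refused before any outbound connection is attempted; under the open policy the same request is relayed, which is exactly the behaviour the ISPs in the section above were asked to shut down.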

Attack Trend
Series of Mass iframe Injection on Websites Serving Blended Malware
Koobface is a worm propagating through social networking sites such as Facebook, MySpace, hi5, Bebo, Friendster and Twitter.

Case Study: CERT-In Case Study CICS-2009-01
Series of Mass iframe Injection on Websites Serving Blended Malware

During the last week of August 2009 it was observed that thousands of websites had been compromised and infected with iframe script tags linking users to a malicious JavaScript file hosted on the domain "a0v [d0t] org". Most of the infected websites were found to be running on the ASP engine. Details of the multiple redirections and the infection are illustrated in the CERT-In Case Study.
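An added detection example (not from the bulletin or the case study): a small Python scanner that parses a page, or page content pulled from a database column, and reports iframe and script elements whose src points to a host outside an assumed allowlist, marking those sized or styled to be invisible, which is how injected frames are usually hidden. The sample page, the allowlist and the placeholder domain malicious.example are constructed for the example; the real domain named in the case study is not used.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page (assumption): a legitimate page body followed by the
# kind of injected tags described in the case study. The domain is a
# placeholder, not the one from the bulletin.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<script src="/js/site.js"></script>
<iframe src="http://malicious.example/x.js" width="0" height="0" style="visibility:hidden"></iframe>
<script src="http://malicious.example/inject.js"></script>
</body></html>"""

# Hosts the site legitimately loads scripts and frames from (assumed allowlist).
TRUSTED_HOSTS = {"www.example.com", "cdn.example.com"}


def looks_hidden(attrs):
    """Injected iframes are commonly sized to zero or styled invisible."""
    zero = attrs.get("width") == "0" or attrs.get("height") == "0"
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return zero or "display:none" in style or "visibility:hidden" in style


class ExternalRefFinder(HTMLParser):
    """Collect iframe/script elements whose src points to a non-allowlisted host."""

    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted = trusted_hosts
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        attrs = dict(attrs)
        src = attrs.get("src")
        if not src:
            return  # inline script or frame without a source
        host = urlsplit(src).hostname
        if host is None or host in self.trusted:
            return  # relative path or an allowlisted host
        self.findings.append({"tag": tag, "host": host, "hidden": looks_hidden(attrs)})


def scan_page(html, trusted_hosts=TRUSTED_HOSTS):
    """Return one finding per off-site iframe/script reference, in document order."""
    parser = ExternalRefFinder(trusted_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE):
        print(finding)
```

Running it over content served by the site (or over the rows of the content table) gives the operator a list of off-site hosts to verify, and a hidden iframe pointing at an unknown host is the strongest signal in that list. Any such hit should be followed by checking how the tag got there, since in the mass compromises described on this page the injection point was the application, not the page file alone.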

Training
Workshop on "Computer Forensics" on August 27-28, 2009

A two-day workshop on "Computer Forensics" was conducted on August 27-28, 2009. The objective of the workshop was to create awareness of the computer forensic investigation process and to train officials from law enforcement agencies to act as first responders as well as to investigate and handle cyber crime cases in a forensically sound manner, collecting and analyzing electronic evidence through hands-on practicals. Delegates were from Forensic Science Laboratories, cyber crime investigation cells and state police departments.

Workshop on "Threat Infiltration and Mitigation" on August 3, 2009

A one-day workshop on "Threat Infiltration and Mitigation" was conducted on 3rd August 2009. The objective of the workshop was to create awareness of the latest security threats and challenges and of mitigation techniques. Delegates were from Government, corporate and critical sector organizations.

Security Alerts

The critical and medium vulnerabilities in various operating systems, application software and network devices discovered during August 2009, their countermeasures, and widely spreading malicious code such as viruses, worms and Trojans are given below:

High Vulnerabilities

Microsoft

| Vendor/Product | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information |
| --- | --- | --- | --- |
| Microsoft | Multiple Vulnerabilities in Microsoft ATL | 13-Aug-09 | |
| Microsoft | Multiple Vulnerabilities in Microsoft Windows Media File Processing | 13-Aug-09 | |
| Microsoft | Remote Code Execution Vulnerability in Windows Internet Name Service (WINS) | 13-Aug-09 | |
| Microsoft | Microsoft Windows Message Queuing Service Vulnerability | 13-Aug-09 | |
| Microsoft | Microsoft Telnet NTLM Credential Reflection Vulnerability | 13-Aug-09 | |
| Microsoft | Remote Code Execution Vulnerabilities in Microsoft Office Web Components | 13-Aug-09 | |
| Microsoft | Microsoft Windows Remote Desktop Connection Remote Code Execution Vulnerabilities | 13-Aug-09 | |

CISCO

| Vendor/Product | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information |
| --- | --- | --- | --- |
| Cisco | Cisco IOS XR Software Border Gateway Protocol Vulnerabilities | 31-Aug-09 | |
| Cisco | Cisco Firewall Services Module Remote DoS Vulnerability | 28-Aug-09 | |
| Cisco | Cisco WLAN Controller Web Management Interface Remote DoS Vulnerability | 07-Aug-09 | |
| Cisco | Cisco WLAN Controller SSH and Web Interface Remote DoS Vulnerabilities | 06-Aug-09 | |

Miscellaneous

| Vendor/Product | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information |
| --- | --- | --- | --- |
| Adobe | Adobe Acrobat, Reader, and Flash Player Remote Code Execution Vulnerability | 10-Aug-09 | |
| Mozilla | Mozilla Firefox HTML Element Processing Arbitrary Code Execution Vulnerability | 05-Aug-09 | |

Medium Vulnerabilities

| Vendor/Product | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information |
| --- | --- | --- | --- |
| Microsoft | Microsoft Windows Workstation Service Privilege Escalation Vulnerability | 13-Aug-09 | |
| Microsoft | Microsoft ASP.NET Request Scheduling DoS Vulnerability | 13-Aug-09 | |
| Linux | Multiple Vulnerabilities in Linux Kernel | 05-Aug-09 | |

Malicious Code Threats

| Title of Malicious Code | Type | Overview | Aliases | Discovery Date | References |
| --- | --- | --- | --- | --- | --- |
| KOOBFACE WORM | Worm | Koobface is a worm propagating through social networking sites such as Facebook, MySpace, hi5, Bebo, Friendster and Twitter. The worm spreads by sending spam to contacts containing a catchy message with a link to a "video". | W32/Koobfa-Gen (Sophos), W32/Koobface.worm (McAfee), WORM_KOOBFACE.DC (Trend Micro) | August 07, 2009 | |
| Virus Induc | Virus | It has been observed that a virus named Induc is spreading. It infects software built with the Delphi programming language at compilation time. | No aliases found | August 31, 2009 | |
| Stealsmth | Virus | It has been observed that a file infector virus named Stealsmth is spreading. After successful execution the virus attempts to connect to a remote website to download its latest available updates. It further steals confidential information such as the user's credentials as soon as the user visits certain websites, and sends this information to a remote website under the control of the attacker. | No aliases found | August 31, 2009 | http://www.symantec.com/business/security_response/ |

Security News

Auto SQL injection co-opts thousands of sites

An automated attack using SQL injection has compromised tens of thousands of Web pages with code that tries to upload a data-stealing Trojan horse program to visitors' computers, security firm ScanSafe said last week. The attack, which had inserted iframe scripts into as many as 130,000 Web pages as of Tuesday, uses the compromised pages to attempt to infect visitors with a backdoor Trojan horse that includes keylogging and download functionality, Mary Landesman, senior security researcher for ScanSafe, said in an e-mail interview on Tuesday. The initial Web site compromises appear to have been accomplished through an automated database injection attack, which matches a trend seen by Landesman and others. "SQL injection attacks are the most commonly observed compromise vector," Landesman stated. "Web attacks have been growing at the rate of 1 percent per day over the past year, with over half of all observed attacks the result of SQL injection."

WPA TKIP encryption cracked in a minute

Robert McMillan from IDG News Service reports that two Japanese scientists from Hiroshima and Kobe Universities found a way to crack the WPA encryption system in wireless routers, and it takes them just about a minute to do it.

IIS bug gives attackers complete server control

A hacker has uncovered a previously unknown bug in Microsoft's Internet Information Services webserver that in some cases gives attackers complete control of vulnerable machines. Proof-of-concept code has been confirmed to give remote root access to servers running version 5 of IIS on Windows 2000 with Service Pack 4. And according to Nikolaos Rangos, the hacker who released the exploit, IIS6 is also vulnerable, even when a memory stack mechanism known as cookie protection is enabled. The vulnerability appears to be triggered only in limited circumstances, specifically when IIS is set to enable the file transfer protocol and there is a writable folder. While that suggests the majority of IIS installations aren't vulnerable, the universe of affected systems is still big enough to give the security conscious pause.
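Since the SQL injection item above names the compromise vector without showing the defect, here is an added example (not from the bulletin or from ScanSafe) of the bug and its fix in Python against an in-memory SQLite table: a content lookup that concatenates the caller-supplied title into the statement, beside the parameterised form. The table, its rows, the probe string and the function names are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed sample data (assumption): a small content table of the kind
    that mass-injection attacks modified to carry iframe tags."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO pages (title, body) VALUES (?, ?)",
        [("home", "<p>welcome</p>"), ("about", "<p>about us</p>")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, title):
    """Builds the statement by string concatenation, so the caller-supplied
    title is parsed as SQL. A title of  x' OR '1'='1  turns the WHERE clause
    into a tautology and every row comes back."""
    sql = "SELECT body FROM pages WHERE title = '" + title + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, title):
    """Passes the title as a bound parameter; the driver sends it as data,
    so the same input is just a title that matches no row."""
    sql = "SELECT body FROM pages WHERE title = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (title,))]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, probe))
    print("safe:      ", lookup_safe(db, probe))
```

The parameterised form is the whole fix for this class of bug: the value never reaches the SQL parser as syntax, so no escaping is needed, and the statement can only ever do what the developer wrote. The same rule applies to the INSERT and UPDATE statements that the attacks in this item abused to write iframe tags into stored content.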
Research: 80% of Web users running unpatched versions of Flash/Acrobat

The company has also criticized Adobe by insisting that their update mechanism "does not meet the requirements of a system that is used by 99% of users on the Internet and is highly targeted by criminals", but praises the update mechanism of Google's Chrome and Firefox, whose silent updates close the window of opportunity that malicious attackers could take advantage of.

Apache investigates Web server attack

The attack, which started late Thursday night, apparently came from an account used to back up the group's servers automatically to an external hosting service. Using the proper SSH key authentication for the host, the attackers accessed people.apache.org, which acts as a "seed host" for Apache.org's Web sites. The attackers placed script files on the host, which were then synchronized to the Web server, Apache's infrastructure team stated.

Cisco Wireless LANs at risk from 'skyjacking' flaw

Security researchers have discovered a potential denial of service or information stealing flaw affecting Cisco's wireless networking kit. The snappily-monikered skyjacking flaw affects lightweight Cisco wireless access points or networks running Over-the-Air-Provisioning (OTAP). With OTAP enabled, newly connected Cisco access points listen in to an unencrypted multicast data stream to find the address of the nearest controller, which is used to manage access points. Much the same process happens if the established controller temporarily drops offline.

Hackers mailing malware-infested CDs to banks

Reminiscent of the days when viruses were distributed on floppy disks, cybercriminals are currently mailing infected CDs to credit unions and smaller banks as part of a clever offline scheme to load malicious software onto computers with valuable data. According to an alert issued by the National Credit Union Association, a credit union reported receiving a bogus fraud advisory accompanied by two compact discs. The letter advises credit unions to review training material (contained on the CDs). DOING SO COULD RESULT IN A POSSIBLE SECURITY BREACH TO YOUR COMPUTER SYSTEM, OR HAVE OTHER ADVERSE CONSEQUENCES. The letter contains several spelling and grammatical errors but, as Dennis Fisher points out here, this low-tech attack method can be highly effective because smaller businesses are not properly equipped and educated to deal with these types of threats:

Fake Flash updater monitors Web searches

According to Mischel Internet Security, there's a new Trojan going around. Detected as TrojanClicker.VB.395 by TrojanHunter, it pretends to be an update for Adobe Flash: it even looks like it's doing the updating, then tells you to shut Firefox down during the installation process (so it can install a plugin). And it shows it to you, too: it looks like the real deal and it proclaims to give you "unprecedented creative control with new expressive features and visual performance improvements in Adobe Flash Player".

IBM report reveals unprecedented state of Web insecurity

IBM today released results from its X-Force 2009 Mid-Year Trend and Risk Report. The report's findings show an unprecedented state of Web insecurity as Web client, server, and content threats converge to create an untenable risk landscape. According to the report, there has been a 508 percent increase in the number of new malicious Web links discovered in the first half of 2009. This problem is no longer limited to malicious domains or untrusted Web sites. The X-Force report notes an increase in the presence of malicious content on trusted sites, including popular search engines, blogs, bulletin boards, personal Web sites, online magazines and mainstream news sites. The ability to gain access and manipulate data remains the primary consequence of vulnerability exploitations.

Georgian cyber attackers only civilians, report says

The attacks against the nation of Georgia, which took place a year ago, were conducted entirely by civilians, although the attackers had close contact with the Russian military, concluded a report published by the U.S. Cyber Consequences Unit. Evidence collected by the group, which uses open-source intelligence techniques to analyze cyber events and advise the U.S. government, suggests that civilians were recruited through Russian social networks and that the attackers were aided by Russian organized crime. The military's involvement was likely limited to selecting the targets, the US-CCU stated in the report. "When the cyber attacks began, they did not involve any reconnaissance or mapping stage, but jumped directly to the sort of packets that were best suited to jamming the Web sites under attack," the report stated. "This indicates that the necessary reconnaissance and the writing of attacks scripts had to have been done in advance." The report arrives as the United States and other nations attempt to figure out their policy regarding cyber conflict and what constitutes cyber warfare. In 2007, cyber attacks against Estonia wreaked havoc on that nation's network. A year later, attackers disrupted Georgian networks just as Russia conducted military operations against the former Soviet state.

Security firms discover botnet on Twitter

Downloader.Sninfs, also known as Infostealer.Bancos, is a Trojan that uses the guise of a Brazilian banking site to collect passwords and related personal information from infected computers. Security on Twitter is front and center right now, as the microblogging site was completely downed by a distributed denial-of-service attack last week that was targeting a Georgian political blogger. While other services like Facebook and the Google-owned Blogger were also hit by the attack, Twitter was the only one to suffer a full-out, hours-long outage, and it called into question just how secure the service really is.

Signature-Based Scanners Miss 88% of Gumblar Attacks

In its quarterly Global Threat Report, ScanSafe, the pioneer and leading provider of SaaS Web Security, reported that at its highest peak in the second quarter of 2009, 88% of ScanSafe malware blocks were zero day threats, meaning that the vast majority of the attacks were not detected by signature based scanners. The single largest contributor to the high rate of signature misses was the second stage Gumblar attacks. The overall rate of zero day Web malware in 2Q09 was 32%, nearly one in three Web malware encounters, which were blocked via ScanSafe Outbreak Intelligence(TM) zero day threat protection. Companies relying on signature based scanners alone would have been extremely vulnerable, given that signatures for Gumblar-compromised sites were not generally available until three weeks after the largest peak of Gumblar website compromises. ScanSafe noted that the rate of Web-delivered malware increased sharply in the second quarter of 2009, a staggering 36% from 1Q09. This was also due in large part to Gumblar, the most sophisticated mass compromise seen this year. 2008 was the largest year on record for Web-delivered malware, with a massive 300% increase from 2007. By all accounts, 2009 is on track to double that number.

jCryption: Javascript HTML form encryption plugin

Normally if you submit a form and you don't use SSL, your data will be sent in plain text. However, SSL is neither supported by every webhost nor is it always easy to install or apply. With this plug-in you are able to encrypt your data fast and simply. jCryption uses the RSA public-key algorithm for the encryption.

Fake 'Blue Screen of Death' pushing scareware

According to a discovery by Sunbelt Software, Windows users are being shown the recognizable blue screen that signifies an operating system crash with a bright red "Security Alert" notice. The rogue security software used in this scam is called System Security. It infects Windows machines via fake codec and fake Flash Player update packages planted on malicious Web sites.