[SecurityRatty] tag: mil

In the great NAC debate, Snyder KOs Stiennon in the first round!

Wed, 23 Jul 2008 20:13:54 +0000

Just got done reading the transcript of yesterdays great NAC debate between Joel Snyder and Richard Stiennon. As I predicted Snyder scored a knockout early on and it was mostly over from that point on. The knockout came earlier than I expected though, right off the first question. Each combatant was asked to define NAC and that was when it happened. Richard brought an EPAC (end point access control) to a NAC fight. That was akin to him bringing a rubber knife to a gun fight. A quick bullet between the eyes by Snyder and it was almost painlessly over for Richard.

I have been preaching for some time about what I call complete NAC. That is a complete network access control solution, not just network admission control and certainly not end point access control. It is not an evil plot to extend Cisco/Microsoft dominance and most importantly Richard, no one and let me say this again, no one has ever said that NAC negates the need for a layered security model. NAC is just another layer in that model. Richard’s comments deriding the .edu and .mil markets were also laughable. Richard, have you ever heard the term military grade? Are you seriously trying to say that enterprises take security more seriously than the military does? Come on now Richard.

The bottom line is Joel Snyder is not only a sharp dude technically, but is street savvy enough to run circles around my friend Richard. He made Richard stay focused on the question at hand, did not let him wander and so Richard had to face reality a bit. I am sure Richard will still say NAC is useless and will admonish people about hanging out with the likes of the StillSecure crowd, but I guess some things will just never change. Except, I don’t think Richard will be in anymore of these bouts. Maybe he can start selling a grill that takes the fat out of meat or perhaps a reality TV show like the other washed up palookas ?

Fed Watch

Sat, 24 May 2008 19:00:51 +0000

I was curious to see what government agencies might me using my site for training. I also wanted to learn PHP + MySQL a little better, so I wrote this project. It takes my logs and shows all of the hosts names ending in .mil or .gov, and what pages they visited. I obfuscated the first part of the host names, and the last two octets of the IPs so as to not "drop their docs" so to speak.

Fed Watch

Sat, 24 May 2008 19:00:51 +0000

Fed Watch

Sat, 24 May 2008 19:00:51 +0000

$160 Billion Robotic Army Network Passes First Big Test. Kinda.

Wed, 30 Apr 2008 00:00:00 +0000

A van full of insurgents speeds through the desert. They do not notice a series of networked ground sensors that have begun tracking their every move.

Hovering somewhere overhead, a tiny robot points its camera at the van and takes note of its color scheme and markings. An even bigger drone, thousands of feet above its hovering kin, maintains a God’s-eye vigil on the whole hunt.

Everything these robots see is radioed to monitors thousands of miles away -- and into the targeting systems of a B-52 bomber winging, silent and nearly invisible, several miles overhead.

This scenario, played out at a remote Nevada facility last week, was the first major test of the Army’s $160-billion, 20-year plan to build a high-tech family of networked robots and hybrid-electric armored vehicles. The “Future Combat Systems” program, co-managed by Boeing and consultants SAIC, aims to equip roughly a third of the Army with 14 new vehicle types that are connected constantly to a vast communications net.

The theory behind the FCS is that dispersed, intelligent robotic systems plugged into a universal communications network can help small numbers of U.S. troops riding in new vehicles to control huge swaths of terrain. Any ship, airplane or tank fitted with the FCS network devices will be able to see everything the others see.

The SkyNet-like network and dynamic coordination “is the most important thing,” Brigadier General James Terry says.

This is “a big deal for joint fires,” Army spokesman Paul Mehney told Wired.com.

“Joint fires” is mil-speak for getting all the military services to share info and coordinate their attacks. That kind of teamwork is a big factor in the U.S. military’s combat prowess. And if FCS works out as planned, the five U.S. military branches will team up better than ever.

Did the test work? Kinda.

The robots spotted the van; their targeting data bounced to a nearby unit of specially-equipped Humvees, then across the network to an Air Force intelligence cell in Langley, Virginia, then back to the B-52 -- all in just seconds. The bomber simulated dropping a guided bomb to “destroy” the van.

The Nevada test proved it was possible, according to Mehney.

But one critic says the test essentially was rigged -- that the conditions were too easy.

“There is ‘works’ and then there is ‘works,’” John Pike, an analyst with Globalsecurity,org, told Wired.com.

“A considerable fraction of the FCS network hardware does not currently exist,” Pike said. And the integration of that hardware that does exist has been touch-and-go.

In February, when testers “flipped the switch” for the first time on the network radios, there was a collective sigh of relief that the radios even worked -- this according to one FCS insider who spoke on background.

Last week’s desert test comes at a critical time for Future Combat Systems. Mounting criticism from the GAO plus the growing cost of fixing and upgrading the Army’s current war-weary vehicle fleet -- $120 billion over 10 years, according to the GAO -– has put the squeeze on the futuristic program. “It is not yet clear if or when the Army and [its contractors] can develop, build, and demonstrate the … network,” the Government Accountability Office reported in March.

One powerful congressman, nominally a supporter of FCS, has proposed injecting extra money into the program in order to rescue some of its technologies before canceling the rest.

Rep. John Murtha (D-PA), chair of the defense appropriations subcommittee, promised an extra $20 billion this year for FCS, provided the Army could use the money to wrap up the program quickly. “We need to accelerate FCS if we ever want to see anything accomplished,” Matt Mazonkey, a Murtha staffer, told Wired.com.

The Army is still preparing its response to Murtha’s query, Mehney said. Regardless, the service’s position on FCS has never wavered. The Army says that FCS is on-budget, on-schedule, and with continued funding will deliver on its promises to connect the ground service to itself and to all the other military branches.

And to ensure smooth progress despite a combined $900 million budget cut last year, the Army this month asked Congress to “re-appropriate” $250 million of other Army funds into FCS coffers.

More High Profile Sites IFRAME Injected

Wed, 12 Mar 2008 06:49:36 +0000

The ongoing monitoring of this campaign reveals that the group is continuing to expand the campaign, introducing over a hundred new bogus .info domains acting as traffic redirection points to the campaigns hardcoded within the secondary redirection point, in this case radt.info where a new malware variant of Zlob is attempting to install though an ActiveX object. These are the high profile sites targeted by the same group within the past 48 hours, with number of locally cached and IFRAME injected pages within their search engines :

NCSU Libraries - lib.ncsu.edu - 372,000 pages
FullDownloads.us - fulldownloads.us - 13,000 pages
Central Statistics Office Ireland - cso.ie - 10,300 pages
DBLife Frontpage - dblife.cs.wisc.edu - 1,130 pages
School of Mathematics and Statistics - www-history.mcs.st-andrews.ac.uk - 1040 pages
eHawaii Portal - ehawaii.gov - 992 pages
The World Clock - timeanddate.com - 944 pages
Boise State University - boisestate.edu - 471 pages
The U.S. Administration on Aging (AoA) - aoa.gov - 425 pages
Gustavus Adolphus College - gustavus.edu - 312 pages
Internet Archive - archive.org - 261 pages
Stanford Business School Alumni Association - gsbapps.stanford.edu - 157 pages
BushTorrent - bushtorrent.com - 147 pages
ChildCareExchange - ccie.com - 131 pages
The University of Vermont - uvm.edu - 120 pages
Hippodrome State Theatre - Gainesville, FL - thehipp.org - 112 pages
Minnesota State University Mankato - mnsu.edu - 94 pages
The California Majority Report - camajorityreport.com - 16 pages
Medicare.gov - medicare.gov - 12 pages
USAMRIID - usamriid.army.mil - 3 pages

This sample of the newly introduced .info domains reside on the same netblock as the previous ones - 75.125.181.0/255 a KISS strategy making it easier to respond to this incident. Best of all, they further expand the campaign since they're injected in plain text, next to javascript obfuscated, this time embedded malware :

hickey.info

kbst.info

sezejc.info

mloqrd.info

mqghrd.info

ymrxwd.info

fsqpsm.info

haxkwd.info

aagpcw.info

zdksgj.info

cgjttz.info

hkedny.info

kbsxet.info

wapdjw.info

kbsxet.info

tdwham.info

mqghrd.info

dhqjdz.info

bhrsaa.info

jramae.info

wmtwes.info

tacpmh.info

qwhhxq.info

gmjett.info

hkedny.info

rerkqz.info
bhrsaa.info

txmwxb.info

psyckr.info

jramae.info

nhwdrh.info

cqqxkh.info

stysqf.info

tgzyqz.info

kbsxet.info

cgjttz.info

tazbhk.info

kbsxet.info

Each of the these is loading a secondary domain, which is then taking us to two more before finally reaching the Zlob variant. In this case it's radt.info (75.125.208.243) with several campaigns currently up and running, pointing to the same fake codec. And the samples redirects upon visiting these as follows :

seivomerutam.info/Free-Paris-Hilton-Nude-Pics/
seivomerutam.info/spam/

all of which ultimately redirect to :

porn-popular.com (64.28.185.78) where the Zlob variant in the face of a fake codec, is downloaded from democodec.com/download/ democodec1292.exe (64.28.184.168) via an Active X object.

Scanner results : 22% Scanner(8/36) found malware!

File Name : democodec1292.exe

File Size : 74823 byte

MD5 : 30965fdbd893990dd24abda2285d9edc

SHA1 : 53eacbb9cdf42394bd455d9bd2275f05730332f7

Downloader.Zlob.ZV; Trojan-Downloader.Win32.Zlob.eie; TrojanDownloader.Zlob.epx

It gets even more interesting as according to Computer Associates :

"This fake codec is actually a hijacker that will change your DNS settings whether you are aquire your IP settings through DHCP or set your IP information manually. This hijacker will attempt to re-route all your DNS queries through 85.255.x.29 or 85.255.x.121. If you use a static IP address, CA AntiSpyware will set your DNS server to 198.6.1.1 to prevent your DNS queries from continuing to go through the rogue DNS servers. Please change your DNS server to the DNS server provided by your IP or Network Administrator."

What this means is that known Russian Business Network netblocks are receiving all the re-routed DNS queries from infected hosts, thereby setting up the foundations for a large scale pharming attack by infecting the weakest link, the end user from the perspective of using rogue DNS servers, a much more effective but noisy approach.

To sum up - it's a mess that I'll continue trying to structure, and it's a single group exploiting input validation capability within the sites' search engines we're talking about. With this segmented targeting of sites with high page ranks, and their persistance, is already positioning hundreds of thousands of keywords within the top search results, with the targeted sites are acting as the redirectors to the malware locations.

Wired.com and History.com Getting RBN-ed

Mon, 10 Mar 2008 11:20:33 +0000

Monitoring last week's IFRAME injection attack at high page rank-ed sites, reveals a simple truth, that persistent simplicity seems to work. The attack is still ongoing, this time successfully injecting a multitude of new domains into Wired Magazine, and History.com's search engines, which are again caching anything submitted, particularly not validated input to have the malicious parties in the face of the RBN introducing a new malware, in between the pharmaceutical scams that they serve on the basis of an affiliation model. So, after "CNET stops IFRAME site attacks - who's next?" in terms of high-profile sites, that is Wired.com and History.com

Key summary points :

- the same malicious parties behind the CNET and TorrentReactor's IFRAME injection are also the ones behind Wired.com and History.com's abuse of input validation

- the IFRAME injection entirely relies on the lack of input validation within their search engines, making executable code possible to submit and therefore automatically execute upon accessing the cached page with a popular search query

- many other domains have been introduced within the IFRAMEs, a complete list of which you can find in this post, several directly hosted within RBN's network

- the main domain serving the heavily obfuscated VBS malware is located within the Russian Business Network's known netblocks

- given the high page ranks of the current and the previous targets, it is evident that the malicious parties are prioritizing based on the possibility to abuse input validation on high page rank-ed sites, presumably in an automated fashion

- Keep it Simple Stupid works, as since they cannot find a way to embedd the IFRAME at these hosts, a clear indicating of the fact that they've breached them, they figured out a way to inject the IFRAMEs and again take advantage of the high page ranks to attract traffic by gaining on popular key words, or any kind of key words that they want to

Sites currently affected next to Wired.com and History.com :
fhp.osd.mil

hcc.cc.gatech.edu
buffalo.edu
uninews.unimelb.edu.au
uvm.edu
jurist.law.pitt.edu
bushtorrent.com
torrentportal.com

Newly introduced domains within the IFRAMEs :

f3w.info (74.54.95.242)

chdjzn.info (75.125.181.78)

gmjett.info (75.125.181.89)

yscmps.info (75.125.181.124)

egkjnx.info (75.125.208.242)

qkecep.info (75.125.181.99)

qxdprq.info (75.125.181.113)

yscmps.info (75.125.181.124)

mqghrd.info (75.125.181.82)

yydcaj.info (75.125.181.122)

ecwrhk.info (75.125.181.86)

zdksgj.info (75.125.181.112)

stysqf.info (75.125.181.67)

egyffr.info (75.125.181.112)

prnprn.info (75.125.181.106)

fast-look.com (195.225.176.25)

fami4ka.net (217.20.127.217)

looseais.info (70.47.105.5)

my-ringtones.org (78.108.182.164)

eyzempills.com (81.222.139.184)

leohin.com (58.65.239.10)

is-t-h-e.com (69.50.167.165)

89.149.220.85

Where are the IFRAMEs relocating the visitor to?

search-vip.org/pharmacy/search.php?q= (195.225.178.19)

pharma-cist.com/item.php?id=156 (81.222.139.93)

vip-pharmacy.org (195.225.178.19)

adultfriendfinder.com/go/g665961
gift-vip.net/images/index1.php

Where's the malware?

The malware is loading from gift-vip.net/images/index1.php (195.225.178.19) where upon loading another IFRAME pointing to e.pepato.org/e/ads.php?b=3029 (58.65.238.59) which is using HostFresh proving hosting, dns services courtesy of INTERCAGE-NETWORK-GROUP, or the The Russian Business Network in all of its netblock diversity. It seems that pepato.org, currently hosted on one of RBN's netblocks, also made an appearance at malware embedded attack at a .gov site recently.

Scanner results : 3% Scanner(1/36) found malware!

File Size : 16643 byte

MD5 : 99eae1a189443c1a87681579cb4b5dbd

SHA1 : 89a04c4d06f51aa6d6cb54925a2c84d2bbdba06b

Arcavir - Trojan.HTML.JScript.Freebs.gen.9 under the JS:Feebs family; W32/Feebs-Fam ;JS.Feebs.Gen

Several more currently active internal pages serving variants :

e.pepato.org/e/ads.php?b=3029

e.pepato.org/e/ads_nl.php?b=1006

e.pepato.org/e/ads.php?b=1004

e.pepato.org/e/adsr.php?t=0

e.pepato.org/e/mdqt.php

e.pepato.org/e/e1004.html

Monitoring these connected incidents will continue, particularly the RBN connection, and other high profile sites' susceptibility to their attack methods.

Related embedded malware research :
Embedding Malicious IFRAMEs Through Stolen FTP Accounts
Yet Another Massive Embedded Malware Attack
MDAC ActiveX Code Execution Exploit Still in the Wild
Malware Serving Exploits Embedded Sites as Usual
Massive RealPlayer Exploit Embedded Attack
Syrian Embassy in London Serving Malware
Bank of India Serving Malware
U.S Consulate St. Petersburg Serving Malware
The Dutch Embassy in Moscow Serving Malware
U.K's FETA Serving Malware
Anti-Malware Vendor's Site Serving Malware
The New Media Malware Gang - Part Three
The New Media Malware Gang - Part Two
The New Media Malware Gang
A Portfolio of Malware Embedded Magazines
Another Massive Embedded Malware Attack
I See Alive IFRAMEs Everywhere
I See Alive IFRAMEs Everywhere - Part Two

Related RBN research :
RBN's Phishing Activities
RBN's Puppets Need Their Master
RBN's Fake Account Suspended Notices
A Diverse Portfolio of Fake Security Software
Go to Sleep, Go to Sleep my Little RBN
Exposing the Russian Business Network
Detecting the Blocking the Russian Business Network
Over 100 Malwares Hosted on a Single RBN IP
RBN's Fake Security Software
The Russian Business Network

Phishers, Spammers, and Malware Authors Clearly Consolidating

Sun, 09 Dec 2007 18:14:53 +0000

In a recent article entitled "Popular Spammers Strategies and Tactics" I emphasized on the consolidation that's been going on between phishers, spammers and malware authors for a while :

"The allure of being self-sufficient doesn’t seem to be a relevant one when it comes to a spammer’s results oriented attitude. Spammers excel at harvesting and purchasing email addresses, sending, and successfully delivering the messages, phishers are masters of social engineering, while on the other hand malware authors or botnet masters in this case, provide the infrastructure for both the fast-fluxing spam and scams in the form of infected hosts. We’ve been witnessing this consolidation for quite some time now, and some of the recent events greatly illustrate this development of an underground ecosystem. Take for instance the cases when spam comes with embedded keyloggers, when phishing emails contain malware, and a rather ironical situation where malware infected hosts inside Pfizer are spamming viagra emails."

The recently uncovered breach at the U.S Oak Ridge National Laboratory is a perfect example of some of the key concepts I covered in the article, namely, harvesting of the emails courtesy of the spammers, segmenting the emails database for targeted mailings on a per company, institution basis, and malware authors eventually purchasing the now segmented databases for such targeted attacks with the spammers earning a higher profit margin for providing the service of segmentation :

"The unknown attackers managed to access a non-classified computer maintained by the Oak Ridge National Laboratory by sending employees hoax emails that contained malicious attachments. That allowed them to access a database containing the personal information of people who visited the lab over a 14-year period starting in 1990. The institution, which has a staff of about 3,800, conducts top-secret research that is used for homeland security and military purposes."

And, of course, there's a Chinese connection, but thankfully there're articles emphasizing on the concept of stepping-stones before reaching the final destination, with China's highly malware infected Internet population acting as the stepping-stone, not the original source of the attack :

"Security researchers said the memorandum, which was obtained by The New York Times from an executive at a private company, included a list of Web and Internet addresses that were linked to locations in China. However, they noted that such links did not prove that the Chinese government or Chinese citizens were involved in the attacks. In the past, intruders have compromised computers in China and then used them to disguise their true location."

Publicly obtainable research, and common sense state that malware coming through email attachments is slowing down, and is actually supposed to be filtered on the gateway perimeter by default, especially executables. Even the first round of Storm Worm malware in January, 2007, concluded that email attachments are not longer as effective as they used to be, and therefore migrated to spamming malware embedded links exploiting outdated vulnerabilities.

How such type of targeted malware attack could have been prevented?

- ensure that the emails are harvested much harder than they are for the time being, in this particular case, a huge percentage of the emails account, thus the future contact points for the malicious parties to take advantage of ornl.gov can be harvested without even bothering to crawl the domain itself through web scrapping ornl.gov

- a freely avaivable, but highly effective tool to evaluate whether or not your mail server filtering capabilities for such type of content work, is PIRANA - Email Content Filters Exploitation Framework :

"PIRANA is an exploitation framework that tests the security of a email content filter. By means of a vulnerability database, the content filter to be tested will be bombarded by various emails containing a malicious payload intended to compromise the computing platform. PIRANA's goal is to test whether or not any vulnerability exists on the content filtering platform. This tool uses the excellent shellcode generator from the Metasploit framework!"

Taking the second possible scenario, namely that it wasn't a targeted attack, but malware attachments "as usual", mostly because the fact that modern malware automatically excludes mailings to .gov's .mil's and the majority of known to them anti-virus vendor's related email addresses, hoping to infect as much people as possible before a reactive response is in place.

If it were a spammed malware embedded link, the chances are the receipts followed it, but a spammed malware as an attachment is too Web 1.0 for someone to fall victim into, and it's rocket scientists we're talking about anyway.