Attack Tool Exploits SSL Vulnerability to Create DoS Attack
Security Week, 2011-10-27

A German hacker group has released a new proof-of-concept tool for denial of service (DoS) attacks that exploits a weakness in SSL.

According to the group, known as The Hackers Choice (THC), the SSL vulnerability can be used to kick a server off the Internet.

“We decided to make the official release after realizing that this tool leaked to the public a couple of months ago,” an unidentified member of THC said in a blog post.

DDoS has become a favorite tool of hacktivists, and gained significant media attention during the WikiLeaks-related protests last year, when Websites belonging to WikiLeaks critics were hit with attacks.

In a description of the tool published by the group, THC contends that establishing a secure SSL connection requires 15x more processing power on the server than on the client. The tool exploits this by overloading the server and knocking it off the Internet, the group explained, adding that vendors have been aware of this problem since 2003 and that the topic “has been widely discussed.”

“This attack further exploits the SSL secure Renegotiation feature to trigger thousands of renegotiations via single TCP connection,” the group said.

The tool works best if the server supports SSL renegotiation. If SSL renegotiation is not supported, some modifications and more bots are required before an effect can be seen, the group said.

“Renegotiating Key material is a stupid idea from a cryptography standpoint. If you are not happy with the key material negotiated at the start of the session then the session should be re-established and not re-negotiated,” according to the group.

The tool is currently available for Windows and Unix. For those concerned with mitigation, THC said disabling SSL renegotiation and utilizing SSL accelerator hardware can serve as a stop-gap solution. Both countermeasures, however, can be circumvented by modifying the tool, the group said.
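As an added, defender-side illustration that is not part of the article: a per-connection renegotiation rate limiter in Python, the kind of stop-gap the mitigation above implies. It is run over a constructed stream of handshake events; the connection ids, timestamps and thresholds are all assumptions, not values from the article.

```python
from collections import defaultdict, deque

# Policy (assumed values): more than MAX_RENEG renegotiations within WINDOW
# seconds on a single TCP connection is treated as a renegotiation flood and
# the connection is dropped. max_reneg=0 models "renegotiation disabled".
MAX_RENEG = 5
WINDOW = 10.0


class RenegotiationGuard:
    def __init__(self, max_reneg=MAX_RENEG, window=WINDOW):
        self.max_reneg = max_reneg
        self.window = window
        self._events = defaultdict(deque)  # conn_id -> timestamps in window
        self.dropped = set()

    def observe(self, conn_id, ts):
        """Record one renegotiation on conn_id at time ts.
        Returns True when the connection should be torn down."""
        if conn_id in self.dropped:
            return True
        q = self._events[conn_id]
        q.append(ts)
        while q and ts - q[0] > self.window:  # slide the window forward
            q.popleft()
        if len(q) > self.max_reneg:
            self.dropped.add(conn_id)
            del self._events[conn_id]
            return True
        return False


# Constructed sample event stream: (timestamp, connection id, event).
# c1 renegotiates six times in half a second (flood), c2 three times over
# 40 s (benign), c3 six times but spaced 12 s apart (benign at WINDOW=10).
SAMPLE_EVENTS = [
    (0.0, "c1", "handshake"), (0.0, "c2", "handshake"), (0.0, "c3", "handshake"),
    (0.5, "c3", "reneg"), (1.0, "c1", "reneg"), (1.1, "c1", "reneg"),
    (1.2, "c1", "reneg"), (1.3, "c1", "reneg"), (1.4, "c1", "reneg"),
    (1.5, "c1", "reneg"), (2.0, "c2", "reneg"), (12.0, "c3", "reneg"),
    (15.0, "c2", "reneg"), (24.0, "c3", "reneg"), (36.0, "c3", "reneg"),
    (40.0, "c2", "reneg"), (48.0, "c3", "reneg"), (60.0, "c3", "reneg"),
]


def run(events, max_reneg=MAX_RENEG, window=WINDOW):
    """Replay time-ordered events; return connection ids dropped, in order."""
    guard = RenegotiationGuard(max_reneg, window)
    dropped = []
    for ts, conn, ev in events:
        if ev == "reneg" and guard.observe(conn, ts) and conn not in dropped:
            dropped.append(conn)
    return dropped
```

Widening the window catches slow floods at the cost of false positives on long-lived connections; setting `max_reneg=0` is the "disable renegotiation" setting the article recommends.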

Avira anti-virus detects itself
The H Security, 2011-10-27

A recent signature update to Avira's anti-virus solution caused the software to detect itself as a trojan or spyware. Due to a bad update, Avira detected its own AESCRIPT.DLL file as "TR/Spy.463227".

A company spokesperson confirmed the problem in the Avira Support Forum, noting that the affected AntiVir Virus Definition (VDF) file has already been pulled from circulation. All users are advised to update their definitions to the current version, 7.11.16.146, which addresses the issue.

New Mac OS X backdoor trojan "Tsunami" discovered
SC Magazine, 2011-10-27

A trojan that has been targeting Linux users for several years is now setting its sights on the Mac OS X, security researchers warned.

The so-called “Tsunami” backdoor trojan, detected as OSX/Tsunami.A., is derived from an older Linux malware family that has been around since at least 2002, Robert Lipovsky, researcher at anti-virus company ESET, said in a blog post Wednesday. It enables infected machines to participate in distributed denial-of-service (DDoS) attacks intended to flood websites with traffic.

Once it has made its way onto a system, the malware attempts to connect to an IRC channel, where it can receive further commands. Besides enabling DDoS attacks, it can be used to download additional malware and take control of an affected machine.

Graham Cluley, senior technology consultant at security firm Sophos, told SCMagazineUS.com in an email Wednesday that none of his company's customers have reported their computers being infected by Tsunami.

"The sky is not falling," he said.

Even so, Mac malware is a real problem, though much less prevalent than Windows threats, Cluley said in a blog post Tuesday. Last week, for example, researchers discovered a separate Mac trojan, which was crafted to disable the anti-malware protection Apple has built into its OS X platform.

Money Mule Leader Pleads Guilty for Part in Global Fraud Scheme Powered by Zeus
SecurityWeek, 2011-09-26

On Friday, the last of 27 defendants arrested in connection with a global cybercrime operation that compromised dozens of accounts and used false identities to open hundreds of bank accounts, pled guilty and now faces up to 45 years in prison.
Nikolay Garifulin, 22, of Volgograd, Russia, pled guilty last Friday in Manhattan federal court to conspiracy to commit bank fraud and possess false identification documents for his role in the scheme that made use of the popular Zeus malware and a network of “money mules” to steal over $3 million from dozens of U.S. accounts that were compromised by malware attacks.
According to the U.S. Attorney’s Office, the cyber-attacks originated in Eastern Europe and utilized the Zeus Trojan to record victims’ keystrokes, arming the cyber-thieves with the information needed to take over the victims' bank accounts and make unauthorized transfers to accounts controlled by the co-conspirators.
These receiving accounts were set up by a network of money mules responsible for retrieving the stolen funds and transferring the money overseas. To carry out the scheme, the money mule organization recruited individuals who had entered the United States on student visas, providing them with fake foreign passports, and instructing them to open false-name accounts at U.S. banks.
Acting as a leader in the money mule network, Garifulin collected funds that had been withdrawn by money mules from the fraudulent accounts in the United States and transferred the funds to Eastern Europe as requested by the organization’s leader. Garifulin also arranged for fake passports to be transferred to mules in the United States from Eastern Europe.
Idan Aharoni, Head of Cyber Intelligence for the FraudAction Intelligence team at RSA, and a SecurityWeek contributor, says it’s impossible to talk about the world of fraud without mentioning mules. “When it comes to infrastructure, mules are just as important - if not more important - than having a botnet or a phishing attack set up,” Aharoni writes. “Being such a pivotal part of the fraud process, it’s no surprise that fraudsters go to great lengths to recruit and control mules. If in the past mule recruitment was done mostly in the real world - where potential mule candidates were preyed on due to poverty in most cases - today, fraudsters employ much more sophisticated methods for mule recruitment. Not only do these methods void the need for the fraudster to be physically present in the country, but they also increase the bandwidth of the mule recruitment. In cases where these methods were problematic to implement, the recruiters improved the existing methods and added a new layer of sophistication."
In connection with the global cybercrime ring, charges were filed against 37 defendants back in September 2010. Including Garifulin, 27 defendants pled guilty, and two defendants have entered into deferred prosecution agreements. Eight defendants are fugitives and are wanted in the United States and abroad.
Two other leaders of the mule organization also pled guilty and have been sentenced, including Kasum Adigyuzelov and Dorin Codreanu. Adigyuzelov was sentenced in May 2011 to 48 months in prison and Codreanu was sentenced in July 2011 to 20 months in prison.
Garifulin will be sentenced on January 13, 2012.

VPN provider helped track down alleged LulzSec member
The H Security, 2011-09-26

UK VPN and web proxy service provider Hide My Ass! (HMA) says that it helped identify the alleged member of the LulzSec hacker group who was arrested by the FBI last week. The company explained that it had complied with a court order to disclose the IP address that the suspect used to log into HMA.
HMA says that the issue first came to its attention through a LulzSec IRC chat log that was released on the web; in this chat log, users discussed various VPN services, including HMA, in early June. Among the chat members was a user who went by the online nickname of Topiary and who was arrested by the UK police at the end of July, as well as a person called "Recursion"; allegedly, the user behind this nickname is a 23-year-old man who has now been arrested by the FBI. HMA said that the chat conversation itself wasn't illegal and didn't warrant a response by the company, but that a court order to disclose the data was received later.
HMA has justified the disclosure by pointing out that, according to its terms of service and privacy policy, the service is not to be used for illegal activity. The company said that if anyone uses the VPN service for criminal activities, HMA will cooperate with the authorities. LulzSec has allegedly been responsible for a number of illegal activities including a Distributed Denial-of-Service (DDoS) attack on the UK Serious Organised Crime Agency (SOCA), the defacement of the web sites of The Sun and The Times newspapers, and an attack on Sony's PlayStation Network.
HMA logs a user's IP address at the beginning and at the end of a VPN session. The company said that the main reason for doing this is so that users who misuse the VPN service can be identified. HMA assured its users that it only complies with UK law and will only respond to court orders issued by a UK court. "If a request for information is sent to us from overseas, we will not accept this request unless it is sent through the appropriate UK channels", it added. HMA said that UK law doesn't prohibit foreign nationals from using VPN or web proxy services to bypass censorship in their home countries.

Mac trojan spreads under guise of PDF document
SC Magazine, 2011-09-23

A Mac OS X trojan, disguised as a PDF file, is duping users into loading a backdoor onto their machines, according to researchers at F-Secure.
The trojan is emulating a tactic used for years in delivering malware to Windows systems, by which a PDF file containing a seemingly legitimate extension and icon is employed.
But, this targeting of the Mac OS is rather unusual, Chet Wisniewski, senior security adviser at Sophos, told SCMagazineUS.com on Friday. Up to this point, most Mac malware has tried to push fake anti-virus products on users, but this is one of the first strains that is using this type of social engineering.
"The PDF lure is a good trick to get people to install the trojan," he said. "You think you're opening a document, when you're installing malware."
Mikko Hypponen, chief research officer at F-Secure, told SCMagazineUS.com on Monday that attacks on the Mac OS are still a rare occurrence. However, he said it is getting more common, though attacks on OS X are still nowhere near the amount of activity on Windows XP. "In fact, we see more new Android malware than Mac OS X malware," he said.
Once a user is tricked into loading the malware by clicking on the PDF, which contains Chinese language, a trojan dropper installs a backdoor program. From that point, the attacker can gain full control of the user's system.
Usually, backdoors are employed to communicate with a remote command-and-control (C&C) server, which is capable of instructing the payload to siphon off data from the infected computer back to the attackers. However, F-Secure found that the C&C server is a bare Apache installation, not yet capable of communicating with the backdoor.
McAfee, in its own blog post on Sunday, rated the threat as "low risk" because it is not taking advantage of any vulnerability. The PDF file does not actually contain a trojan, and merely acts as a decoy so additional "rogue" services can be installed without the user's knowledge.
The good news, McAfee said, is that a properly configured Mac will mitigate the malicious installer.
No matter the level of risk, the threat to the Mac OS may be an indication of things to come, Wisniewski said.
"This exploit could be a one-off, but our suspicion is that the model has been established, and we will see more criminal gang activity," he said.
Clearly, though, the sky is not falling. Windows remains the preferred target of cybercriminals, who create tens of thousands of new malware threats each day for the platform.

VPN Service Snitched on Alleged LulzSec Member
SecurityWeek, 2011-09-23

Yesterday, Cody Kretsinger, a 23-year-old from Phoenix, Arizona, was arrested and charged with conspiracy and the unauthorized impairment of a protected computer, according to a federal indictment.
How did the Feds track down the alleged LulzSec member? It turns out that a VPN service reportedly used to mask his online identity and location was the one that handed over data to the FBI.
According to the federal indictment (embedded below), Kretsinger registered for a VPN account at HideMyAss.Com under the user name “recursion”. Following that, the indictment said that Kretsinger and other unknown conspirators conducted SQL injection attacks against Sony Pictures in an attempt to extract confidential data.
According to a blog post from HideMyAss, they realized that LulzSec members had been utilizing its service after seeing leaked IRC chat logs. The company said it took no action after discovering the hackers had been using its services to hide, saying there was no evidence to suggest wrongdoing and nothing to identify which accounts they were using.
“At a later date it came as no surprise to have received a court order asking for information relating to an account associated with some or all of the above cases,” they wrote in the post this morning. “As stated in our terms of service and privacy policy our service is not to be used for illegal activity, and as a legitimate company we will cooperate with law enforcement if we receive a court order (equivalent of a subpoena in the US).”
The blog post, titled “Lulzsec fiasco” also added the following: “Our VPN service and VPN services in general are not designed to be used to commit illegal activity. It is very naive to think that by paying a subscription fee to a VPN service you are free to break the law without any consequences. This includes certain hardcore privacy services which claim you will never be identified, these types of services that do not cooperate are more likely to have their entire VPN network monitored and tapped by law enforcement, thus affecting all legitimate customers.”
You can be sure that HideMyAss is not the only provider to be hit with subpoenas and essentially being forced to hand over user data. It’s likely the FBI and other officials are digging deep and requesting similar information from other VPN providers and online services such as Pastebin, Twitter, and other tools and web services commonly used by hackers.
