The Mystery of Duqu: Part Six (The Command and Control servers)

The Mystery of Duqu: Part Six (The Command and Control servers) – Securelist.

For our particular server, several spikes immediately raise suspicions: 15 February and 19 July, when new versions of OpenSSH were installed; 20 October, when the server cleanup took place. Additionally, we found spikes on 10 February and 3 April, when certain events took place. We were able to identify “dovecot” crashes on these dates, although we can’t be sure whether they were caused by the attackers (“dovecot” remote exploit?) or were simply instabilities.

Of course, for server ‘A’, three big questions remain:

  • How did the attackers get access to this computer in the first place?
  • What exactly was its purpose and how was it (ab-)used?
  • Why did the attackers replace the stock OpenSSH 4.3 with version 5.8?

Interesting read. Apparently there might have been a zero-day exploit in OpenSSH.

From: http://en.wikipedia.org/wiki/Duqu

Duqu is a computer worm discovered on 1 September 2011, thought to be related to the Stuxnet worm. The Laboratory of Cryptography and System Security (CrySyS)[1] of the Budapest University of Technology and Economics in Hungary, which discovered the threat, analyzed the malware and wrote a 60-page report[2], naming the threat Duqu.[3] Duqu got its name from the prefix “~DQ” it gives to the names of files it creates.

Here’s an interesting comment on Slashdot.

The only things you should need open to the internet are SSH (“the attackers may have used a zero-day in OpenSSH 4.3 to compromise the C&C servers initially”) and/or IPSec/L2TP. Anything else should redirect to a DMZ that does NOT route to the same subnet as SSH/IPSec/L2TP. The DMZ should not have port access to the regular network (everything should be pushed). The firewall should be set to not allow active connections out from the DMZ to anywhere, and any activity should not just be logged, but flagged and sent to the administrator. All devices in the DMZ should log to a remote (to them) syslog that is polled from outside the DMZ.

There… that’s the ideal world. In reality, this doesn’t account for people who don’t have that much hardware/expertise with VMs, for people who don’t keep up with their patches, for those who want to do an end-run around this policy to set up torrents, etc. directly from their working computer, etc.

It also doesn’t help that most gateway routers these days have some full-fledged OS inside and as a result often have exploits that can be leveraged directly against them due to inappropriate default configurations.

Schneier on Security: My Open Wireless Network

Whenever I talk or write about my own security setup, the one thing that surprises people — and attracts the most criticism — is the fact that I run an open wireless network at home. There’s no password. There’s no encryption. Anyone with wireless capability who can see my network can use it to access the internet.

via Schneier on Security: My Open Wireless Network.

Enterprise Storage Encryption: An Administrator’s …

Storage encryption has historically proven unpopular because of the issues of managing the keys used in various encryption methods, and the system performance burden that encryption/decryption placed on systems hardware. These issues have been iteratively surmounted in a number of advances. Faster CPUs, disk controllers and host bus adapters (HBAs) and tough-to-break encryption now reduce the burden once placed on subsystem, disk, and device encryption.

via Enterprise Storage Encryption: An Administrator’s … – Input Output.

This is a pretty good article. Here’s one more blurb.

Subsystems are encrypted at the hardware level or at the device group level. Subsystems can also be encrypted by the use of third-party software packages designed specifically for this purpose. Subsystem encryption usually means that a single encryption key is used for the group, and that the private encryption key is stored in hardware or in system firmware. This type of protection means that a drive “stolen” or otherwise removed from the group of storage media can’t be decrypted, even by examining the disk using an identical system, as the identical system would be missing the key that unlocks the data by decrypting it.

This seems like a rather high level of security.


Configure the GRUB boot loader

Adding a single user mode option to the GRUB menu

# Global section: the md5-crypt hash (produced by grub-md5-crypt) that must be
# entered with 'p' before a locked entry can be booted or any entry edited.
password --md5 $1$U$JK7xFegdxWH6VuppCUSIb.
default 0

title Red Hat Linux (2.4.9-21)
root (hd0,0)
kernel /vmlinuz-2.4.9-21 ro root=/dev/hda6
initrd /initrd-2.4.9-21.img

# 'lock' refuses to boot this entry until the password above has been given;
# without it, anyone at the console gets a root shell via single-user mode.
title Red Hat Linux (2.4.9-21) single user mode
lock
root (hd0,0)
kernel /vmlinuz-2.4.9-21 ro root=/dev/hda6 s
initrd /initrd-2.4.9-21.img

via Configure the GRUB boot loader.
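The password line in that menu stores an md5-crypt ($1$) hash, the same scheme grub-md5-crypt emits. As an added example (not code from the linked article or from GRUB itself), the Python below re-implements md5-crypt from the FreeBSD algorithm, builds a `password --md5` line from a passphrase, and checks a candidate passphrase against such a line with a constant-time compare. The salt `U` mirrors the page, but the passphrases are constructed for illustration; the hash printed on the page is not reproduced because its passphrase is unknown.

```python
"""Added example: md5-crypt as used by GRUB legacy's 'password --md5' line."""
import hashlib
import hmac
import secrets
from typing import Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = "$1$"


def _to64(value: int, count: int) -> str:
    """Encode `count` 6-bit groups of `value`, least significant group first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password: str, salt: str) -> str:
    """FreeBSD/Linux md5-crypt: returns '$1$<salt>$<22 chars>'."""
    pw = password.encode()
    # The salt stops at the first '$' and is at most 8 characters.
    salt_b = salt.split("$", 1)[0][:8].encode()

    ctx = hashlib.md5(pw + MAGIC.encode() + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    remaining = len(pw)
    while remaining > 0:  # mix in as many bytes of alt as the password is long
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    bits = len(pw)
    while bits:  # one byte per bit of the length: NUL for 1, first pw byte for 0
        ctx.update(b"\x00" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    for i in range(1000):  # fixed stretching loop, the scheme's only slowdown
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(salt_b)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups
    )
    encoded += _to64(final[11], 2)
    return f"{MAGIC}{salt_b.decode()}${encoded}"


def generate_grub_password_line(password: str, salt: Optional[str] = None) -> str:
    """Build the global 'password --md5 ...' line for grub.conf."""
    if salt is None:  # a fresh 8-char salt, like grub-md5-crypt would pick
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"password --md5 {md5_crypt(password, salt)}"


def check_grub_password(candidate: str, password_line: str) -> bool:
    """Verify a candidate passphrase against a 'password --md5 $1$salt$hash' line."""
    parts = password_line.split()
    if len(parts) != 3 or parts[:2] != ["password", "--md5"] or not parts[2].startswith(MAGIC):
        raise ValueError("not a 'password --md5' line")
    stored = parts[2]
    salt = stored[len(MAGIC):].split("$", 1)[0]
    return hmac.compare_digest(md5_crypt(candidate, salt), stored)


if __name__ == "__main__":
    # Constructed passphrase; salt 'U' mirrors the single-character salt on the page.
    line = generate_grub_password_line("correct horse", salt="U")
    print(line)
    print(check_grub_password("correct horse", line))
    print(check_grub_password("wrong", line))
```

The 1,000-round loop is the only work factor the scheme has, so a `password --md5` line protects the console against a casual passer-by, not against offline cracking by someone who has already read grub.conf; keep the file readable by root only.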

How is SSL hopelessly broken? Let us count the ways

SSL made its debut in 1994 as a way to cryptographically secure e-commerce and other sensitive internet communications. A private key at the heart of the system allows website operators to prove that they are the rightful owners of the domains visitors are accessing, rather than impostors who have hacked the users’ connections. Countless websites also use SSL to encrypt passwords, emails and other data to thwart anyone who may be monitoring the traffic passing between the two parties.

It’s hard to overstate the reliance that websites operated by Google, PayPal, Microsoft, Bank of America and millions of other companies place in SSL. And yet, the repeated failures suggest that the system in its current state is hopelessly broken.

via How is SSL hopelessly broken? Let us count the ways • The Register.

ISC Diary | What’s In A Name?

This nightmare scenario is, unfortunately, reality for at least 50 organizations – ones that I’ve been able to uncover – and I’m certain that there are many, many more. Each of these organizations has been a victim of a malicious alteration of their domain information – an alteration that added new machine names to their existing information, and allowed bottom-feeding scam artists to abuse their good reputation to boost the search-engine profile of their drug, app, “personal ad,” or porn sites.

via ISC Diary | What’s In A Name?.
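The alteration described above leaves a signature: records that exist in the live zone but not in the organisation's own authoritative copy. As an added example (not code from the ISC Diary post), the Python below diffs a current zone-file snapshot against a known-good baseline and flags every added record, with extra reasons for new hostnames, wildcards, and addresses outside the organisation's own prefixes. The two zone texts and the prefix `192.0.2.0/24` are constructed for illustration; the parser handles only the simple `owner IN TYPE rdata` form shown and skips the SOA, whose serial changes on every legitimate edit.

```python
"""Added example: detect hostnames added to a DNS zone by diffing against a baseline."""
import ipaddress

# Assumed: the organisation's own address space; anything else is suspect for A/AAAA.
OWN_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample data: the known-good zone ...
BASELINE = """\
$ORIGIN example.net.
@       IN  SOA  ns1 hostmaster 2011101901 3600 900 1209600 300
@       IN  NS   ns1
@       IN  A    192.0.2.10
www     IN  A    192.0.2.10
mail    IN  MX   10 mail
mail    IN  A    192.0.2.20
"""

# ... and the live zone after the kind of tampering the post describes.
CURRENT = """\
$ORIGIN example.net.
@       IN  SOA  ns1 hostmaster 2011102004 3600 900 1209600 300
@       IN  NS   ns1
@       IN  A    192.0.2.10
www     IN  A    192.0.2.10
mail    IN  MX   10 mail
mail    IN  A    192.0.2.20
cheap-pills   IN  A  198.51.100.77
best-apps     IN  A  198.51.100.77
*             IN  A  198.51.100.77
"""


def parse_zone(text):
    """Parse '$ORIGIN' plus 'owner IN TYPE rdata' lines into a set of
    (fqdn, rtype, rdata) tuples. Comments after ';' are dropped, SOA is skipped."""
    origin = "."
    records = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        fields = line.split()
        if len(fields) < 4 or fields[1] != "IN":
            raise ValueError(f"unsupported zone line: {raw!r}")
        owner, rtype, rdata = fields[0], fields[2], " ".join(fields[3:])
        if rtype == "SOA":
            continue
        fqdn = origin if owner == "@" else f"{owner}.{origin}"
        records.add((fqdn, rtype, rdata))
    return records


def outside_own_space(rtype, rdata):
    """True for an A/AAAA record whose address is not in OWN_PREFIXES."""
    if rtype not in ("A", "AAAA"):
        return False
    addr = ipaddress.ip_address(rdata)
    return not any(addr in net for net in OWN_PREFIXES)


def audit_zone(baseline_text, current_text):
    """Return findings for records added since the baseline (and any removed).
    Each finding: {"name", "type", "rdata", "reasons", "severity"}."""
    baseline = parse_zone(baseline_text)
    current = parse_zone(current_text)
    known_names = {fqdn for fqdn, _, _ in baseline}
    findings = []
    for fqdn, rtype, rdata in sorted(current - baseline):
        reasons = []
        if fqdn not in known_names:
            reasons.append("new hostname")
        if fqdn.startswith("*."):
            reasons.append("wildcard")
        if outside_own_space(rtype, rdata):
            reasons.append("points outside own address space")
        findings.append({"name": fqdn, "type": rtype, "rdata": rdata,
                         "reasons": reasons, "severity": "high" if reasons else "review"})
    for fqdn, rtype, rdata in sorted(baseline - current):
        findings.append({"name": fqdn, "type": rtype, "rdata": rdata,
                         "reasons": ["record removed"], "severity": "review"})
    return findings


if __name__ == "__main__":
    for f in audit_zone(BASELINE, CURRENT):
        print(f["severity"], f["name"], f["type"], f["rdata"], ", ".join(f["reasons"]))
```

In practice the "current" text would come from an AXFR of the public zone (or the registrar's control panel) on a schedule, and the baseline from version control; a change to the SOA serial with no matching commit is itself worth an alert.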

This is how Windows get infected with malware

CSIS has over a period of almost three months actively collected real time data from various so-called exploit kits. An exploit kit is a commercial hacker toolbox that is actively exploited by computer criminals who take advantage of vulnerabilities in popular software. Up to 85 % of all virus infections occur as a result of drive-by attacks automated via commercial exploit kits.

The purpose of this study is to reveal precisely how Microsoft Windows machines are infected with malware and which browsers, versions of Windows and third-party software are at risk.

via This is how Windows get infected with malware.

I have never been a big fan of constantly chasing patches, but this conclusion has me rethinking my thoughts on this…

The reason why patching is essential

The conclusion of this study is that as much as 99.8 % of all virus/malware infections caused by commercial exploit kits are a direct result of the lack of updating five specific software packages.

I think the main problem here is that all these PCs were directly connected to the Internet. The simplest solution of using a hardware router and NAT should stop these kinds of attacks from ever hitting the PC. I’m still leery about constantly applying patches because sometimes the patches themselves are buggy and may introduce new vectors into your OS. Software upgrades need to be planned as a general policy for the entire PC or sets of PCs and not dictated by a mere application or OS vendor.

Protecting a Laptop from Simple and Sophisticated Attacks

Some people might say that many of these precautions are over the top and paranoid. I don’t consider myself an “elite hacker”, but I know that I could pull off most of the attacks that I’ve discussed above without much trouble. Cold boot and Evil maid are practical, easy-to-pull-off attacks. Why wouldn’t I defend against them?

via Protecting a Laptop from Simple and Sophisticated Attacks | Mike Cardwell, Online.