Information at your fingertips

In a world ruled by 0s and 1s, information sharing is the most important aspect and has become an inseparable part of our daily life. For the past few months we have been working on this concept and, to begin with, we decided to arrange all the information which passes through us into a more concise and readable format.

Whether it is our online presence, information for the technical support engineers who put in a great deal of effort to ensure prompt service for our clients, or the admins who manage our products, everyone needs relevant information.

Those who actively follow this blog may be wondering about the long delays between posts; the answer lies partly in this entry.

I am pleased to announce that we have made available a new section holding the FAQs for our products. It was a daunting task, but everyone pitched in, and it will be an ever-growing knowledge base.

http://faqs.escanav.com

The FAQ section is already reaping benefits, with our end-users actively submitting their queries and helping us make it a success. I thank you all.

Coupled with this, I have been working on collecting the information available over the net via Twitter and then segregating it into quickly readable formats.

You may follow me on

Twitter handle (@escan_sachin)

Scoop.it

Tweeted-Times

Paper.Li

For automation, http://www.ifttt.com and http://www.ping.fm are great tools: you can use RSS feeds and Google custom searches to tweet only the relevant topics or to update Facebook status messages.

The content at the above links is curated daily to provide you with the latest happenings in the world of IT security.

Posted in eScan 11

DNSChange Botnet

Very recently there was a huge uproar about the DNS Change Botnet, which functioned in the same manner as explained in my previous blog post about the DNS MITM attack, but instead of targeting only the CPE it also targeted the DNS entries within the infected PC. The payload in this case was once again ad-click fraud.

Click fraud is a type of Internet crime that occurs in pay per click online advertising when a person, automated script or computer program imitates a legitimate user of a web browser clicking on an ad, for the purpose of generating a charge per click without having actual interest in the target of the ad’s link. Click fraud is the subject of some controversy and increasing litigation due to the advertising networks being a key beneficiary of the fraud.

The FBI initiated Operation Ghost Click, took over the DNS infrastructure of the botnet and replaced it with legitimate servers. This was done to ensure that users and businesses affected by the bot get ample time to clean up their systems before the complete infrastructure is taken down. But this act by the FBI was legally bound to a specific time frame, which was set to expire on 8th March 2012. The FBI has now sought an extension to keep this surrogate infrastructure alive for a few more months. For more information on detection you may download the article published by the FBI.

Had they not sought an extension, the infrastructure would have been pulled down, which in turn would have cut off thousands of infected PCs worldwide.

Whether the CPE's DNS or the PC's DNS is changed, the end-user is affected. We just cannot rely on court orders to ensure the smooth functioning of the Internet for its users.

There have been instances wherein an entire ISP was affected by DNS cache poisoning attacks. These attacks target vulnerable DNS servers, and the cache of these servers is poisoned with malicious records pointing to malicious web servers.

Three different methods (the router's DNS, the PC's DNS and the resolver's cache), but the end result is the same.

To address these attack scenarios, we have added logic to our MWAV toolkit that checks for DNS poisoning and corrects it. The toolkit can be downloaded from here.

Posted in AntiVirus, Miscellaneous, botnet, eScan 11

Exceptional – Botnets and Exploit Kits

Exploit kits and botnets go hand in hand: one is responsible for infecting, the other is used for generating revenue, and neither can exist without the other.

For the past few weeks we have been observing a new wave of infection: Win32.XPAJ. This is a polymorphic file-infecting virus which, after a successful infection, turns the host into a botnet client.

Many of the things we have observed are new to this virus.

As with every piece of technology, evolution is a must, and Win32.XPAJ is not far behind. The infection method is highly complex, and every bit of care has been taken to protect it from detection by anti-virus products.

Most anti-virus products detect malware using MD5 signatures or by inspecting the internals of the file. Secondly, the threat level of a particular trojan/malware is decided based on the number of computer systems/networks, or the geographical area, it has infected.

Domains such as .gov and .mil belong to governments and the military, which are already paranoid about such threats; if they are infected, the threat level posed by the trojan/malware is raised exponentially.

Organizations such as Google and some AV product developers, which are known to aggressively deny access to websites hosting these exploit kits or to incorporate detection algorithms, are the number two enemy of such exploit kits and botnet clients.

The success of exploit kits is based on:

A: Evasion – How can this piece of code evade the existing technologies during all the stages of infection?
B: Stealth – How can it avoid raising suspicion after delivery, and for how long?
C: Penetration – How many computer systems/networks can it exploit?

Win32.XPAJ has done it all.

Before infecting any system/network, Win32.XPAJ verifies the domain and exits if it finds .mil or .gov. It just refuses to infect these domains.

It also verifies the country in which the computer is located by way of IP address geo-location and doesn’t infect certain European Countries and a few others. In other words, it chooses who should be infected and who shouldn’t be.

The entry point is changed and the payload resides in different parts of the infected executable/DLL, ensuring that detection by an anti-virus is difficult if not impossible.

It's very rare to find a trojan/virus/phishing site that is selective in nature (country-specific, domain-specific).

A few hours ago, Cryptome.org was hacked and infected with the Blackhole Exploit Kit.

According to Wikipedia:

Cryptome is a website hosted in the United States since 1996 by independent scholars and architects John Young and Deborah Natsios that functions as a repository for information about freedom of speech, cryptography, spying, and surveillance.

Targeting this website ensures that a select group of individuals and organizations is infected, and there is a similarity between Win32.XPAJ and the BlackHole exploit kit residing on Cryptome's servers.

No need to guess: it's “Exception”. The infection on Cryptome avoids attacking Google IP addresses, while Win32.XPAJ goes one step further by not attacking .mil, .gov and certain countries.

Since a security-related website was targeted, the whole community reacted promptly.

The future of “Threat Escalation” is going to change as we come across more and more exploit kits and trojans/viruses that are selective about their targets. We will have to change our perspective and segregate threats into global and geographically specific attacks.

We have seen a lot of phishing sites employing such “Exception”-based techniques, and Win32.XPAJ will not be the last.

Upon infection, Win32.XPAJ converts the host into a botnet client, and the payload this time is ad-click fraud.

For the year 2012 we had said that India would be the largest hub of botnets, and with Win32.XPAJ this will soon become a reality, as most of the infected computers are based in India. My previous blog post on DNS MITM is a bleak reminder.

Posted in Miscellaneous, Phishing, Security, botnet, eScan 11

Disclosure: Router-based DNS MITM Attack

—[ Attacked Hardware ]

CPE Router, which provides Internet Access over ADSL.

—[ Severity level ]

Severity level : Critical
Impact         : DNS Injection MITM
Access Vector  : Network exploitable

—[ Hardware Description ]

CPE routers provide Internet access and are directly connected to the ISP. They are used by millions of home users and organizations worldwide to connect to the ISP. These devices also act as NAT devices, provide a rudimentary DMZ, and are shipped by every CPE manufacturer with a DHCP server embedded in the router OS.

—[ Attack Description ]

We have observed an attack vector, targeting CPE Routers used for facilitating ADSL connectivity.

The victim, when browsing or accessing the Internet, is directed to a server which does not belong to the requested domain.

The victim has DHCP enabled on the client machine, so the DNS server IP address and the machine's IP address are provided by the DHCP server embedded in the affected hardware.

Normally, the DNS server IP address is configured at the time of installation, and once the initial configuration is complete nobody bothers to change it again, including the configuration access password.

The attacker gained access to the router, changed the DNS server to 109.74.196.50 and also changed the router's password, effectively taking control of the victim's DNS queries via a rogue DNS server and a rogue web server IP that accepts the redirected connections.

109.74.196.50 has “A records” for in.yahoo.com, indiatimes.com and rediff.com pointing to 212.113.36.83.

In the past we have observed DNS cache poisoning attacks and modification of the “hosts” file, but modifying the DNS server IP of a router and also deploying a rogue DNS server is a first for me. This type of attack opens the flood-gates for a lot of different attack vectors.

The web server IP address in question is associated with the advertising links below.

Link 1:

hxxp://www.googleadservices.com/pagead/aclk?sa=L&ai=BQpZjMbYOT_X7KoeGiAfcmLQSweK0kQOps6idQ8CNtwHwkwkQARgBIO3RuBo4AFCDsfy1-_____8BYOXS5oO8DqABh_vn2gOyAQ0yMTIuMTEzLjM2LjgzugEKMzAweDI1MF9hc8gBAtoBFWh0dHA6Ly8yMTIuMTEzLjM2LjgzL4ACAagDAcgDFegDNegDBegDDfUDAAAAwPUDAABAEIgGAaAGAg&num=1&cid=5GgGexj0cW8pXlxeTn4aLTAP&sig=AOD64_2XdwXuNKwt_zLnH8ll-xvW1vQTlg&client=ca-pub-3451543299263350&adurl=http://www.softlayer.com/lp/singapore-hosting&nm=2

Link 2:

hxxp://www.googleadservices.com/pagead/aclk?sa=L&ai=BVmcsMLYOT8CPLeOBiAe5ldX5D_mWm68CiYLLmSSRh5GDY-D2xQIQARgBIO3RuBo4AFDL6Y3g-P____8BYOXS5oO8DqABn6uj5wOyAQ0yMTIuMTEzLjM2LjgzugEKMzAweDI1MF9hc8gBAtoBFWh0dHA6Ly8yMTIuMTEzLjM2LjgzL-ABAoACAakClWJAw222VD7AAgaoAwHIAxXoAzXoAwXoAw31AwAAAMT1AwAAQBCIBgGgBgI&num=1&cid=5GiWmEtBLveZ3g0hCcQDaPyc&sig=AOD64_08TL32M9LfVt6X-FYMbanPfO4ysg&client=ca-pub-3451543299263350&adurl=http://www.bigrock.in/discounted-dot-com-domains.html%3Fa_aid%3D4d2c643cb0d0a%26location%3DIN%26chan%3Dga_sit_tar%26ad%3Dga_sit_tar&nm=9

The targeted domains are:
1: in.yahoo.com
2: indiatimes.com
3: rediff.com

As of this moment this seems to be an India-centric operation with very few domains, but the list may grow over time. The scope of the method used by this attack vector, however, is global.
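The MWAV poisoning check mentioned in the DNSChange post and the rogue records above come down to the same test: ask the router-supplied resolver and a trusted one for the same name and compare the answers. The following is an added example of my own, not eScan's or MWAV's code; it builds a minimal DNS A query, parses the reply (including compressed names), and flags a resolver whose answers share no address with the trusted resolver's. The rogue reply is constructed inline from the records described in this post.

```python
import socket
import struct

def build_a_query(name, txid=0x1234):
    # 12-byte header: id, flags (RD set), qdcount=1; then QNAME + QTYPE=A + QCLASS=IN
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", 1, 1)

def _read_name(pkt, off):
    # Decode a label sequence, following RFC 1035 compression pointers; returns (name, next offset)
    labels, end = [], None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:
            end = end if end is not None else off + 2
            off = struct.unpack(">H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode())
        off += length
    return ".".join(labels), (end if end is not None else off)

def parse_a_records(pkt):
    # Skip the question section, then collect the IPv4 address of every type-A answer
    _, _, qd, an, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    off, ips = 12, []
    for _ in range(qd):
        _, off = _read_name(pkt, off)
        off += 4
    for _ in range(an):
        _, off = _read_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return ips

def detect_hijack(trusted_ips, suspect_ips):
    # A resolver whose answers share no address with the trusted resolver is treated as hijacked
    return not (set(trusted_ips) & set(suspect_ips))

def constructed_rogue_response():
    # Constructed sample: the rogue resolver answering in.yahoo.com with 212.113.36.83 (from the post)
    q = build_a_query("in.yahoo.com")
    hdr = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton("212.113.36.83")
    return hdr + q[12:] + rr
```

To run it live, send `build_a_query(name)` over UDP port 53 to both the router's DNS address and a trusted resolver such as 8.8.8.8 and feed each reply to `parse_a_records`.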

—[ Available Information ]

Google AdSense ID : ca-pub-3451543299263350

IP Address 1 : 109.74.196.50 (DNS server)
The DNS server is deployed on a cloud service provided by linode.com. This is a paid service.

IP Address 2 : 212.113.36.83 (web server)
This server is located in the JSC Ukrtelecom data center (Ukraine), as per the robtex records.

—[ Mitigating the Attack ]

In my previous blog posts I mentioned that CPE routers are the least protected IP devices, with the fewest security features, yet an attack vector of this type changes the security perception of the entire community. One fact which is never taken into consideration is that firewalls, IPS and IDS all reside behind the router.

So, how do we protect a router?

Recently a telnet bug surfaced, so how secure these embedded devices are is a question everyone should ask. I am yet to ascertain whether this bug existed in the CPE.

Secondly, if these embedded devices are affected by the bug, then changing the password as a way to mitigate the attack doesn't make any sense.

To mitigate this type of attack:

1: Manually assign the DNS server IP address. In my case, I used 8.8.8.8.

2: Use the DeSOPA Firefox extension. It was initially written to circumvent SOPA-related DNS blocks, but we have used it to circumvent the DNS MITM attack.

3: Change the router access password and ensure that the telnet port is not reachable from the Internet.

—[ The Future ]

As of this moment, it is an Advertising Revenue Generation Site but future possible scenarios are as follows:

1: Phishing site (cloned website) – This would be very difficult to detect, as the URL in the browser will be valid but the IP will be wrong.

2: Drive-By Download with Cloned Site

3: Transparent Proxy with http interception capabilities.

4: Tunnels? I haven't yet come across any low-end router with tunneling capabilities, but mid-range to high-end routers with the telnet bug or weak passwords do have this capability. Would anyone ever attempt redirecting the traffic?

A Network Diagram will be uploaded.

—[ The Proof ]

Screenshot from the affected system: Victim's Machine

Screenshot from a non-affected system

Screenshot: Rogue DNS Server

[UPDATE]

This IP has been tagged with numerous complaints: http://www.ipillion.com/ip/212.113.36.83

[UPDATE]

This is the final post on the DNS MITM topic: http://blog.escanav.com/?p=946

Posted in Miscellaneous, Security, eScan 11