web.luchs.at News Service

Instant Messaging Malware

Mon, 08 Mar 2010 22:54:19 CET

Instant Messaging (IM) has become a major communication method for teams inside, outside and across companies. It is used to exchange information quickly and to publish the availability of team members. Malware authors have taken advantage of IM networks and their clients. They use it to coordinate actions of their software. The Internet Relay Chat (IRC) was the first protocol to be used. Now it's time for an upgrade. The Austrian CERT.at has analysed an IM robot used with the Skype telephony network.

The following report analyzes the Skype Instant Messenger Bot (“Skype IMBot”, a variation of the W32.Nytemare trojan) and reports our reverse engineering efforts. One peculiar aspect of Skype IMBot was the way it controlled Skype (and other Instant Messengers) – simulating user input and user keystrokes. … This trojan is in some aspects very simple and not surprising, In other aspects it is quite aggressive in defending itself. The report closes by offering an outlook on further IMBots and gives some advice for mitigation.

If you are using IM for your business or even privately, then you might want to take a look at this publication. The paper contains advice for mitigation. It also serves as an eye opener for the dangers of modern communication technology. If you are designing corporate security policies you have to take IM protocols into account. They are more than just a simple telephone line.

Squid proxy using Ext4 for cache storage

Tue, 15 Dec 2009 11:07:31 CET

We already wrote about the Linux Ext4 filesystem. Storage using Ext4 has grown. We have storage device of varying sizes using Ext4, ranging from a few Gigabyte up to 8 Terabyte. The performance is good for different workloads (database server, virtualisation hosts, workstations, web server, file server). What about HTTP caches such as the Squid proxy software? Cache use a lot of inodes because they store a lot of small files and have a multi-layered directory structure. What happens to an Ext4 filesystem with a Squid on top that is used every day for millions of requests per month?

A small maintenance window give a short answer. Bear in mind that this is neither a test nor a benchmark. It is just the output of a filesystem check of the partition holding the Squid cache directories. The proxy was in continous use for over 9 months. The configuration sets the maximum cache size to 300 GiB. The partition has space for 412 GiB. mkfs was used with no special inode tuning. The fsck output is here:

proxy:~# time fsck.ext4 -C 0 -D -v /dev/mapper/spool-srv
e2fsck 1.41.3 (12-Oct-2008)
/srv has gone 283 days without being checked, check forced.
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure                                           
Pass 3: Checking directory connectivity                                        
Pass 3A: Optimizing directories                                                
Pass 4: Checking reference counts                                              
Pass 5: Checking group summary information                                     
                                                                               
/srv: ***** FILE SYSTEM WAS MODIFIED *****

 1592563 inodes used (5.81%)
   16770 non-contiguous inodes (1.1%)
         # of inodes with ind/dind/tind blocks: 0/0/0
         Extent depth histogram: 1592189/364
40351177 blocks used (36.81%)
       0 bad blocks
       1 large file

 1526728 regular files
   65826 directories
       0 character device files
       0 block device files
       0 fifos
       0 links
       0 symbolic links (0 fast symbolic links)
       0 sockets
--------
 1592554 files

real    3m11.178s
user    0m30.042s
sys     0m2.592s
proxy:~#

That's about three minutes for a Ext4 with over a million inodes having lots of small files in the cache structure of the proxy. The device /dev/mapper/spool-srv is based on four disks storing the data on two RAID1 partition, both combined by LVM. The server ran Linux kernel 2.6.30 and was upgraded to 2.6.32 in order to use the recent patches for Ext4.

Who needs SPDY if you can have a Squid sitting on Ext4? Speeding up web content delivery is a question of infrastructure.

New dependency for HSO module in Linux kernel

Tue, 08 Dec 2009 22:38:15 CET

In case you use the USB version of the Globetrotter HSDPA Modem (bus ID 0af0:6971) and you compile your own Linux kernels, make sure that the RF kill option is set in your configuration. Newer kernels after 2.6.31 do not show the HSO module if you have disabled the RF kill option.

We noticed this change when the automatic builds of our kernel test system suddenly left out the HSO module. Of course you only hit this "bug" if you use the HSDPA modem. ☺ A simple quick check is to look out for the devices /dev/ttyHS0, /dev/ttyHS1 and /dev/ttyHS2 after activating the device (i.e. after inserting the USB modem). If these devices are not present, then the hso is missing. The actual number of device entry depends on the device you are using, but /dev/ttyHS1 should at least be present. It is the control device and reacts to AT commands. You also might want to check out the Ozerocdoff utility if the modem has a "built-in CD-ROM".

Apart from this little oversight (by us, of course) we can readily recommend running 2.6.32!

SSL/TLS Design Flaw Used to Attack Web Sites

Mon, 16 Nov 2009 17:25:19 CET

The design weakness of the SSL/TLS protocol is currently being analysed by security experts. The initial assessment limited the attacks to web content being protected by access to client certificates only mixed with anonymously accessible content. In this case a TLS renegotiation takes place and can be exploited. A Turkish researcher now found a way to use the design weakness against the Twitter API.

It works by injecting HTTP GET or POST requests into the data stream. The Twitter API uses REST, so there is no bidirectional communication taking place. This means that simple injections can be done, contrary to Cross Site Requests Forgery (CSRF) where a security token can be deployed as a defence.

The SSL/TLS weakness should not be taken lightly. There's currently only the fix of the OpenSSL team that disables TLS renegotiation completely. If you're in a position to filter or check the HTTP headers, then the risk can be lowered. APIs using one-way traffic and simple commands can be attacked more easily.

Cell phone as bugging device

Fri, 23 Oct 2009 09:14:49 CET

Most people think of cell phones as secure. GSM communication features encryption, and cell phones are quite sophisticated. In terms of security this doesn't mean anything, it only gives you a false sense of security. A proof of concept attack in order to raise awareness was recently published by a Indonesian security researcher.

Sheran Gunasekera wrote a software called PhoneSnoop for RIM Blackberry devices. The code turns the favourite toy of managers into a remote bugging device. If a preconfigured phone number calls the phone, the tool silently turns on the speakerphone. An attacker can then monitor all conversations within earshot of the device. To quote from The Register® article:
"What I wanted to do was bring some awareness to this problem, so I'm releasing it pretty much for free and trying to show them that this can be done," said Gunasekera, who is director of security for Hermis Consulting in Jakarta, Indonesia. "It's not well known that these threats exist."

Awareness is an important step. If you want to learn more about attacks on mobile devices, cell phones and more, then we recommend to take a look at the schedule of the DeepSec In-Depth Security Conference. The DeepSec takes place in Vienna from 17 to 20 November. The schedule is packed with high-quality information presented by experts.

Netgear releases pseudo "Open Source" router with severe security bugs

Thu, 08 Oct 2009 22:27:33 CET

Netgear just released their new WNR3500L router and invites hackers to join the flock and take advantage of its Open Source. Unfortunately the product contains proprietary code that covers one of its key components (the wireless and ethernet hardware). This has severe security implications, because upgrading the Linux® kernel depends on the support of Broadcom's binary drivers. If this support stops, you are stuck and plainly out of options regarding security upgrades. This is the kind of vendor lock-in Free Software protects you against. Sadly the WNR3500L router ignores these advantages.

The worst problem is the list of missing feature you are told about when downloading the OpenWRT Firmware for NETGEAR WNR3500L (BETA) packages. The first missing feature is listed as shortcoming: WPA and WPA2 are not working. This means that the router is basically totally worthless. WPA and WPA2 encryption are basic feature of wireless hardware. Any vendor rolling out a product without this is playing cruel jokes on its customer base. Of course, you can amend this shortcoming by using additional encryption, but that's not the point. Wireless hardware is expected to master WPA and WPA2. Most of the Linux® kernel's wireless drivers (and hardware vendors) learned this the hard way. You don't sell hardware to customers and lock the hardware's features with proprietary code.

Don't forget: Anyone can label software as Open Source, but only Free Software gives you complete control over the features, ranging up to the security of the product. Free Software is not only for hobbyists, it performs many highly security-critical tasks in big enterprises. Apparently Netgear has no interest in deploying high quality network solutions.

Linux® Foundation aquires patents from Microsoft®

Wed, 16 Sep 2009 23:07:43 CET

Microsoft® likes to stir fears and doubt when it comes to GNU/Linux® systems and reliability, especially in the light of legal threats. Steve Ballmer claims that the Linux® kernel violates more than 200 patents. Of course he doesn't explain his statement any further. This sounds a lot like the SCO story that fortunately ended a while ago. GNU/Linux® is legally sound. This is no accident, this is a major effort. The Linux Foundation is hard at work to fullfill its mission goal: The Linux Foundation also manages the Linux trademark, offers developers legal intellectual property protection and a legal defense fund and coordinates industry and community legal collaboration and education.

Recently the Linux Foundation aquired patents from Microsoft® that could have been used to harm the deployment of GNU/Linux® systems (at least in the USA). Apparently these patents were for sale and were saved from falling into the hands of "law terrorists". A blog has the details:
The details are that Microsoft assembled a package of patents “relating to open source” and put them up for sale to patent trolls. Microsoft thought they were selling them to AST, a group that buys patents, offers licenses to its members, and then resells the patents. AST calls this their “catch and release” policy. Microsoft would certainly have known that the likely buyer when AST resold their patents in a few months would be a patent troll that would use the patents to attack non-member Linux companies. Thus, by selling patents that target Linux, Microsoft could help generate fear, uncertainty, and doubt about Linux, without needing to attack the Linux community directly in their own name.

It seems that Microsoft® is very concerned about the high-quality of GNU/Linux-based systems and cannot compete technically with them. This move is a strong indication for this theory. In contrast the Linux Foundation shows that there is a real effort going on to support Linux® and enable it to act as a solid foundation for mission critical data and applications.

DeepSec 2009 - Schedule with Talks published

Tue, 11 Aug 2009 14:35:27 CET

The DeepSec In-Depth Security Conference has published its schedule of talks for the upcoming conference. DeepSec 2009 will take place from 17 to 20 November.

The presentations and workshops cover a wide variety of threats for networks, server infrastructure and users alike. The spectrum ranges from #Twitter, GSM networks, printer firmware, social engineering, physical security, exploitation of databases, cloud computing, rootkits inside Virtual Machines and eVoting to protocol analysis of TCP/IP and deployment of secure protocols. A denial of service attack against GSM networks will be demonstrated. A corresponding workshop offers a deeper insight into the world of mobile communication. Some presentations also address developers. The talk Top 10 Security Issues Developers Don’t Know About puts their knowledge to the test. Another presentation explores the perils of Unicode transformations.

Security threats are more important than before. The financial crisis delivers new motivation for relying on espionage and networked attacks on crumbling companies. Make sure you get in contact with the experts that can help you first!

How to set up a local TOR node

Sat, 04 Jul 2009 13:22:03 CET

The threats to privacy when using the Internet grow day by day. We are used to the fact that many Arab states, China and North Korea maintain a tight control over communications networks. The monitoring doesn't stop there. Recently the German parliament has decided to implement Internet censorship by the German Federal Police. Australia maintains a censorship list, too. The European Union dictates the implementation of interfaces for Lawful Interception of data and voice transmissions in cellular network equipment.

We focus on setting up a TOR node that can be used by local web clients. If you use an operating system based on Debian, the software is already packaged. You will need tor for running a TOR node, and you will need privoxy in order to connect your web browser to the TOR network.

The tor package will keep all its configuration in the directory /etc/tor/. The most important file is called torrc. You don't need to change all parameters. You only need to define which networks should be allowed to use your TOR node (contrain it to 127.0.0.0/8 if you use it locally). We have prepared a template configuration and marked everything that needs attention with the word NOTICE.

The proxy software privoxy needs only one configuration parameter. Edit the file /etc/privoxy/config and insert the line forward-socks4a / 127.0.0.1:9050 .. The IP address must point to your TOR node (we use 127.0.0.1 here). That's it.

All you need to do now is to use TOR. Configure a proxy server in your web browser. privoxy listens on port 8118/TCP. All TCP connections will be transmitted through the TOR network. If you want to use DNS over TOR as well you need to configure the TOR button or Vidalia in your web browser.

Important notice for Machine Check Exception on x86_64 servers

Wed, 01 Jul 2009 15:06:45 CET

Most modern CPUs support Machine Check Exceptions (MCEs) in order to signal unrecoverable hardware problems. This is very useful to detect failures and get more hints for troubles during normal server operation. In case you run your GNU/Linux system on x86_64 servers you might be interested in installing the mcelog utility written by Andi Kleen. To quote from the Debian description of the package:

Starting with version 2.6.4, the Linux kernel for x86-64 no longer decodes and logs recoverable Machine Check Exception events to the kernel log on its own. Instead, the MCE data is kept in a buffer which can be read from userspace via the /dev/mcelog device node. You need this tool to collect and decode those events; it will log the decoded MCE events into /var/log/mcelog. Currently, mcelog can decode MCE from AMD K8 and Intel P4 (including Xeon) processors.

This is very important. Hopefully you will never get MCE messages, but in case you do the tool suddenly becomes very critical. And while you are busy installing the software, make sure that your kernel has proper support for EDAC (Error Detection and Correction). It can be crucial, too.

Web server log analysis

Sat, 11 Apr 2009 10:52:45 CET

Monitoring a web server for intrusions and abuse can be a lot of work. Of course there are countless of tools and frameworks available for this job. The problem is that no two web applications are the same. Code and layout is frequently modified. The server configuration differs. Maybe even the log formats differ. All these things need to be taken care of. Have we mentioned signatures of possible attacks yet?

Whenever intrusion detection or prevention is an issue we recommend not to be driven into despair by the many details of the implementation. More often than not a simple analysis can be the first stage. You don't want to be overwhelmed by dozens of pages from a reporting tool. The first stage gives you an impression and lets you decide what to do next. All further steps can produce in-depth analysis and deeper insights into your server exposure. By using an implementation in steps you can fit the analysis according to your individual setup.

Make sure you have the right log infrastructure and configure your logging to contain sufficient information. Bad logging can ruin the whole analysis.

DeepSec 2009 - Call for Papers

Tue, 31 Mar 2009 20:32:59 CET

The DeepSec In-Depth Security Conference has announced the Call for Papers for 2009:

The focus of DeepSec will be on subtle dangers, stealthy exploits and things you don't see. If you got something to talk about that doesn't look like a security problem at the first glance, tell us about it. We'd like to hear about underestimated security issues that may be turned into major headaches for computer systems, networks and users alike. Send us stories about single bits that can change our destiny. Failing that we welcome less sneaky approaches, too.

The call for papers is open until 15 July.

Security Bug in Adobe® Reader and Acrobat

Tue, 24 Feb 2009 10:41:58 CET

Version 9 of Adobe's Reader and Acrobat software are prone to a security bug. The software crashes when encountering a malicious PDF document. Attackers may be able to inject code and actively exploit this bug. The Adobe® advisory states:

A critical vulnerability has been identified in Adobe Reader 9 and Acrobat 9 and earlier versions. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system. There are reports that this issue is being exploited.

Adobe is planning to release updates to Adobe Reader and Acrobat to resolve the relevant security issue. Adobe expects to make available an update for Adobe Reader 9 and Acrobat 9 by March 11th, 2009. Updates for Adobe Reader 8 and Acrobat 8 will follow soon after, with Adobe Reader 7 and Acrobat 7 updates to follow. In the meantime, Adobe is in contact with anti-virus vendors, including McAfee and Symantec, on this issue in order to ensure the security of our mutual customers. A security bulletin will be published on http://www.adobe.com/support/security as soon as product updates are available.

While Adobe® is preparing a patch you might want to try Lurene Grenier's own patch until the official fix is ready.

Debian Lenny and Ext4 Conversion

Sat, 31 Jan 2009 01:05:16 CET

Debian 5.0 is getting stable. Today we upgraded one of our core servers to Debian Lenny. It worked like a charm. We then used a GRML live-CD in order to convert three heavy-duty partitions from XFS to Ext3 and finally to Ext4 with a shiny 2.6.28.2 kernel on top. The system runs and did not complain once during the procedure.

In order not to spread rumours, XFS does a fine job and we use it, too. It's just that we are testing Ext4 for almost a year now, and we'd like to report that the new file system handles a lot of different work loads, disk sizes and tests very well. It seems to be a perfect successor for the reliable Ext3 file system. You can even convert Ext3 partitions to Ext4 very easy. The recommendation is to populate the Ext4 file system from scratch since formatting enables some features that are not available when doing a conversion.

So if you want to convert file systems or do the next big upgrade as soon as Debian 5.0 is out, let us know. We can help.

Collecting user agent strings

Tue, 30 Dec 2008 20:42:31 CET

Almost every client surfing the World Wide Web sends its name in the form of the user agent string to every web server when requesting content. A lot of web developers use this identification to determine the operating system, client capabilities and other things. In turn administrators monitoring their logs keep a wary eye on the user agent strings seen "in the wild". They like to identify fake user agent strings and track all requests using them. But how do we know how many unique user agents are out there? Well, we collect their identification strings.

The idea is not new. In fact there are two fairly complete listings of user agents. Andreas Staeding maintains a description of spiders, robots, link checkers and other agents on his web site. If you run or use web spidering software, you can drop him an email describing what your tool does. This is very helpful for web site and security administrators.
Then there is the UA Tracker. This site collects unique user agent strings and offers a text version for download. It also keeps track of the sightings by means of timestamps which is quite interesting. The UA tracker does not store any personal data, just the user agent string.

Now we have a third tool - our very own user agent string collector. We do basically the same as the UA tracker does. The only difference is that we keep a separate database and update user agent sightings once per day. We also offer a text version of the collected strings for download. So if you are surfing the WWW with a particular rare or unusual software, make sure to give us the user agent string!