X-Force Threat Insight Monthly
The IBM Internet Security Systems™ X-Force® Threat Insight Monthly is designed
to highlight some of the most significant threats and challenges facing security
professionals today. This report is a product of IBM Managed Security Services
and IBM Internet Security Systems (ISS) X-Force research and development
team. Each issue focuses on specific challenges and provides a recap of the most
significant recent online threats.
IBM Managed Security Services are designed to help an organization improve its
information security, either by outsourcing security operations or by supplementing
its existing security teams. The IBM ISS protection on-demand platform delivers
Managed Security Services together with the expertise, knowledge and infrastructure an
organization needs to secure its information assets from Internet attacks.
Over the past several years, the security industry has seen a dramatic rise in
cyber-crime for profit. Gone are the days when people sought out vulnerabilities
for intellectual curiosity and bragging rights. Cyber-crime has become a business,
and those that take part in it are driven by the amount of money that can be made.
As a result, cyber-criminals do not always use the latest and most innovative
techniques; they use what is most effective. Recent worms still attempt to exploit
vulnerabilities that have been patched for months or even years, and they succeed
because a significant portion of users do not patch routinely or apply adequate
protection. As long as these older vectors remain profitable, cyber-criminals have
no motivation to spend time and energy keeping up with the latest innovations; from
a business standpoint, the return on that investment is not there.
In recent months, a very old technique has once again reared its head and has
begun to circulate in new malware that has been detected. A new rootkit is hiding
itself in the Master Boot Record (MBR) of the systems that it infects – a technique
that is over a decade old, but has not been put to any widespread practical use for
almost as long.
An MBR rootkit works by overwriting the first sector (the boot sector) of a storage
device such as a hard disk, USB drive, or floppy disk. On a partitioned disk this
sector is the Master Boot Record (MBR): a partition table plus a small bootstrap
program that locates the active partition and loads the operating system's own boot
code from it. The code in this sector is the first thing executed after the system
is powered on and the BIOS completes its startup routines. Because it runs before
any operating system code has been loaded, it has the opportunity to modify the
operating system as it is loaded, and no protection inside that operating system
has yet had a chance to run.
How it works
Upon initial infection, Troj/Mbroot-A will copy malicious kernel driver code into
unused sectors of the disk. It will also overwrite the MBR sector (sector 0) as well
as sectors 60, 61, and 62. The MBR sector gets overwritten with loader code and is
the first part of the Trojan that gets executed upon a reboot. Additional loader
code is copied into sectors 60 and 61 and is eventually executed to load the
malicious kernel driver code. Sector 62 contains a copy of the original MBR
which is used to hide the fact that a system has been compromised.
Now, whenever the system is rebooted, the code in the malicious MBR runs instead
of the original MBR. The malicious MBR code alters the boot process by hooking
int 13h (the BIOS interrupt used for low-level disk access), which lets it patch
the operating system loader and kernel as they are read from disk. During this
process, Troj/Mbroot-A also hooks the disk driver's dispatch routines for
IRP_MJ_READ and IRP_MJ_WRITE requests, which keeps the infection hidden and
prevents it from being overwritten. If a read request targets the infected MBR
sector (sector 0), the hooked IRP_MJ_READ routine instead returns the contents of
sector 62, the copy of the original uninfected MBR. Likewise, any attempt to
overwrite the infected sectors is blocked by the hooked IRP_MJ_WRITE routine, so
an anti-virus product or repair tool running on the infected system sees a clean
MBR and cannot write a new one.
To view the actual malicious MBR, the infected disk can be attached to, or its
image mounted on, an external operating system: the sectors are then read without
booting the infected system, so the rootkit's read hook is not in the path. The
infected sectors can then be compared with a known-clean baseline taken before
infection. To demonstrate, infected sectors 0 and 62 are copied to files and
compared, with the diff utility, against the baseline copies of the same sectors.
diff compares two files and prints nothing when they match. As expected, the
infected copies of sectors 0 and 62 both differ from their originals. Additionally,
the infected copy of sector 62 matches the original (clean) copy of sector 0,
which confirms that the original MBR was copied into sector 62. Viewing the
infected MBR (sector 0) shows clearly that it has been altered from the reference.
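The comparison above, carried out in code rather than with dd and diff, as an added example that is not from the original report: it builds a constructed 64-sector disk image laid out the way Troj/Mbroot-A is described (loader in sector 0, more loader code in sectors 60 and 61, the original MBR parked in sector 62), parses the MBR's partition table and signature, and runs the sector-0/sector-62 comparison twice: once reading the image directly, as an external operating system would, and once through a model of the rootkit's IRP_MJ_READ hook, which is what any tool running on the infected system gets. The boot code, loader bytes and partition entry are made up; nothing here is real malware.

```python
"""Offline check of a disk image for a Mebroot-style MBR rootkit.

Added example, not code from the X-Force report. The disk image, boot code
and "loader" bytes below are constructed for illustration.
"""
import struct

SECTOR = 512
BOOTSTRAP_LEN = 446            # bytes of boot code before the partition table
PART_TABLE_OFF = 446           # 4 entries x 16 bytes follow the boot code
MBR_SIGNATURE = b"\x55\xaa"    # last two bytes of a valid MBR
BACKUP_SECTOR = 62             # where Troj/Mbroot-A keeps the original MBR


def read_sector(image: bytes, n: int) -> bytes:
    """Raw read of sector n from a disk image (what an external OS sees)."""
    return image[n * SECTOR:(n + 1) * SECTOR]


def parse_mbr(sector0: bytes) -> dict:
    """Split an MBR into boot code, partition entries and signature."""
    if len(sector0) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    parts = []
    for i in range(4):
        entry = sector0[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, count
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {"bootcode": sector0[:BOOTSTRAP_LEN], "partitions": parts,
            "signature_ok": sector0[-2:] == MBR_SIGNATURE}


def compare_with_baseline(image: bytes, clean_mbr: bytes, read=read_sector) -> dict:
    """The report's test: sector 0 and sector 62 versus the clean baseline MBR.

    `read` fetches sectors; passing a hooked reader reproduces what an on-box
    tool sees through the rootkit's IRP_MJ_READ hook.
    """
    s0, s62 = read(image, 0), read(image, BACKUP_SECTOR)
    return {
        "sector0_modified": s0 != clean_mbr,
        "sector62_is_original_mbr": s62 == clean_mbr,
        "partition_table_preserved": s0[PART_TABLE_OFF:] == clean_mbr[PART_TABLE_OFF:],
    }


def hooked_read(image: bytes, n: int) -> bytes:
    """Model of the rootkit's read hook: a read of sector 0 is answered with
    the backup copy in sector 62, so the infected MBR is never seen."""
    if n == 0:
        return read_sector(image, BACKUP_SECTOR)
    return read_sector(image, n)


# --- constructed sample data (not real boot code or malware) -----------------
def _partition_table() -> bytes:
    # one bootable type-0x07 partition starting at LBA 63, three empty entries
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 2_000_000)
    return entry + bytes(16 * 3)


CLEAN_MBR = (b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c".ljust(BOOTSTRAP_LEN, b"\x00")
             + _partition_table() + MBR_SIGNATURE)

# infected image: loader code in sector 0 (partition table kept so the system
# still boots), second-stage loader in 60-61, original MBR parked in 62
_infected_mbr = (b"LOADER".ljust(BOOTSTRAP_LEN, b"\x90")
                 + _partition_table() + MBR_SIGNATURE)
INFECTED_IMAGE = bytearray(SECTOR * 64)
INFECTED_IMAGE[0:SECTOR] = _infected_mbr
INFECTED_IMAGE[60 * SECTOR:62 * SECTOR] = b"STAGE2".ljust(2 * SECTOR, b"\x90")
INFECTED_IMAGE[62 * SECTOR:63 * SECTOR] = CLEAN_MBR
INFECTED_IMAGE = bytes(INFECTED_IMAGE)


def offline_result() -> dict:
    """Comparison done from outside the infected system."""
    return compare_with_baseline(INFECTED_IMAGE, CLEAN_MBR)


def on_box_result() -> dict:
    """The same comparison as seen through the rootkit's read hook."""
    return compare_with_baseline(INFECTED_IMAGE, CLEAN_MBR, read=hooked_read)


if __name__ == "__main__":
    print("offline (disk read from a clean OS):", offline_result())
    print("on the infected box (through the hook):", on_box_result())
    print("partition table:", parse_mbr(CLEAN_MBR)["partitions"])
```

Run it and the offline comparison reports sector 0 modified and sector 62 equal to the baseline, while the hooked read reports sector 0 unmodified: that is precisely why the disk has to be examined from outside. The partition table is intact in the infected sector so the machine still boots, which is why a system that boots normally is no evidence of a clean MBR.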
Although rootkits are a serious problem for those infected by them, they still
depend on the same attack vectors as other malware and intruders: the rootkit
must first get onto the system by exploiting a vulnerability or by socially
engineering a victim into running a Trojan horse. The best defense against a
rootkit is therefore to prevent the infection in the first place. Anti-virus
software can detect and block this type of malware before it installs, and keeping
software up to date and applying security patches removes the vulnerabilities it
relies on to get in.
To “fix” the flaw, the Debian package maintainer applied a patch that removed the
code which mixed additional entropy into OpenSSL’s random number pool, leaving the
process ID as the only variable input to the generator. The patch therefore caused a
critical reduction in the number of possible cryptographic keys: only 32,768 possible
keys for a given key type, size and platform, affecting SSH keys, OpenVPN keys,
DNSSEC keys, key material for X.509 certificates, and the session keys used in
SSL/TLS connections.
While the initial flaw and its “fix” were discussed in the open development
forum dedicated to the OpenSSL package, the fault with the fix was not
identified during discussions. This flawed fix was never submitted to the
upstream maintainers as a formal patch to be incorporated into the upstream
development. Subsequently, Debian never followed up on the patch or its
incorporation into the upstream package.
The vulnerability
A predictable pseudo-random number generator (PRNG) is at the core of the Debian
OpenSSL issue. Because of this weakness, a small set of keys is vastly more common
than it should be: an attacker who generates all 32,768 candidates for a key type
and size holds a copy of the private key of every affected system. A remote
unauthenticated attacker could therefore try each candidate key against an SSH
server and, if one of them is listed in the server's authorized_keys file, log in as
that user. Where a weak key protects a server certificate or VPN endpoint, the
attacker can also impersonate it or perform man-in-the-middle attacks on its
connections.
Debian Etch (stable) was released in April 2007, but the vulnerable code had been
uploaded to Debian unstable in September 2006 and had reached the testing
distribution (Lenny) before Etch was released. Distributions derived from Debian
that shipped the affected package after that time, such as Ubuntu™ Linux® and
Knoppix®, are affected, and other Debian-based systems may also be vulnerable. In
addition, embedded systems, live CDs and BBCs (Bootable Business Cards) based on
Debian Etch may be affected. The previous stable distribution (sarge) is not
affected.
Although this is a Debian-specific vulnerability, and operating systems not based
on Debian never shipped the flawed code, other systems can be indirectly affected:
keys generated on a vulnerable system may have been copied to other systems and
embedded devices, for example as SSH authorized keys, VPN credentials or server
certificates.
As if the disclosure were not damaging enough, complete sets of the weak keys were
made publicly available soon afterwards, together with a Perl™ script that uses
them to brute force SSH logins. Our analysts have deployed honeypots to watch for
this type of activity. They have not yet observed brute force attempts against
authentication keys, but they believe this could change now that the weak keys and
the Perl exploit are publicly available.
Coincidentally, over the last several months SSH has been one of the most
scanned-for services. Any given address or server on the Internet can expect to be
hit with an SSH probe at least 5 to 15 times in a single week. If the probe finds
an SSH service, a brute force attack follows, attempting to guess root,
service-account and common user passwords. In these cases the attackers ultimately
break in through SSH, but not through any vulnerability in SSH itself: the attack
succeeds because of weak passwords.
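An added example (not from the report) of spotting this probe-then-brute-force pattern in sshd logs, run over constructed syslog-style lines rather than captured traffic: it aggregates authentication failures per source address, separates password guessing (a run of "invalid user" failures is the classic username sweep) from repeated public-key failures of the kind the honeypots mentioned above are watching for, and flags the case the report describes, where the guessing ends in an accepted login. It assumes sshd is logging at LogLevel VERBOSE, since failed public-key offers are not logged at the default level; the thresholds are illustrative.

```python
"""Detecting SSH probe-then-brute-force activity in sshd logs.

Added example, not part of the X-Force report. SAMPLE_LOG is constructed,
not real traffic. Failed public-key offers only appear in the log at sshd
LogLevel VERBOSE, which is assumed here.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

PASSWORD_FAILS = 5   # failed passwords from one source before calling it brute force
PUBKEY_FAILS = 5     # failed key offers from one source before calling it key guessing
INVALID_USERS = 3    # distinct non-existent accounts tried: a username sweep


def parse_line(line: str):
    """Return the fields of one sshd auth line, or None for unrelated lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["invalid"] = d["invalid"] is not None
    return d


def summarize(lines):
    """Aggregate authentication outcomes per source address."""
    per_ip = defaultdict(lambda: {"failed_password": 0, "failed_publickey": 0,
                                  "invalid_users": set(), "users": set(),
                                  "accepted": []})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        s = per_ip[ev["ip"]]
        s["users"].add(ev["user"])
        if ev["result"] == "Accepted":
            s["accepted"].append((ev["method"], ev["user"]))
        elif ev["method"] == "password":
            s["failed_password"] += 1
            if ev["invalid"]:
                s["invalid_users"].add(ev["user"])
        else:
            s["failed_publickey"] += 1
    return per_ip


def classify(per_ip) -> dict:
    """Map each suspicious source to a verdict; quiet sources are omitted."""
    findings = {}
    for ip, s in per_ip.items():
        if (s["failed_password"] >= PASSWORD_FAILS
                or len(s["invalid_users"]) >= INVALID_USERS):
            verdict = "password brute force"
        elif s["failed_publickey"] >= PUBKEY_FAILS:
            verdict = "key guessing (possible weak-key attack)"
        else:
            continue
        # the case the report describes: the guessing eventually works
        for method, user in s["accepted"]:
            verdict += f"; SUCCEEDED via {method} as {user}"
        findings[ip] = verdict
    return findings


# --- constructed sample log (not real traffic) -------------------------------
def _line(ts, pid, text):
    return f"Jun 12 {ts} bastion sshd[{pid}]: {text}"


SAMPLE_LOG = [_line("03:14:01", 2201, "Connection from 198.51.100.7 port 41010")]
for i, user in enumerate(["admin", "oracle", "test", "guest", "root", "root", "root"]):
    prefix = "invalid user " if user != "root" else ""
    SAMPLE_LOG.append(_line(f"03:14:{2 + i:02d}", 2202 + i,
                            f"Failed password for {prefix}{user} from 198.51.100.7 "
                            f"port {41020 + i} ssh2"))
SAMPLE_LOG.append(_line("03:15:10", 2250,
                        "Accepted password for root from 198.51.100.7 port 41100 ssh2"))
for i in range(6):   # a source cycling through candidate keys for root
    SAMPLE_LOG.append(_line(f"03:20:{i:02d}", 2301 + i,
                            f"Failed publickey for root from 203.0.113.9 port {5100 + i} ssh2"))
SAMPLE_LOG += [      # an ordinary user who mistyped once, then used her key
    _line("08:00:00", 2400, "Failed password for alice from 192.0.2.5 port 5000 ssh2"),
    _line("08:00:30", 2401, "Accepted publickey for alice from 192.0.2.5 port 5001 ssh2"),
]


def findings_for_sample() -> dict:
    return classify(summarize(SAMPLE_LOG))


if __name__ == "__main__":
    for ip, verdict in sorted(findings_for_sample().items()):
        print(f"{ip:16} {verdict}")
```

The success check matters more than the threshold: a source that fails twenty times and then logs in as root is the incident, not the noise, and that is the line to alert on rather than the failures alone.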
Recommendations
This is a painful issue for administrators because every key generated by the
flawed code must be regenerated. Updating the OpenSSL package and/or changing
passwords is not sufficient: setting or changing a password has no effect on a
compromised key. Any key that is compromised must be regenerated and replaced. All
keys generated on the affected distributions, including SSH, OpenVPN and DNSSEC
keys and the key material used in X.509 certificates, must be removed from every
configuration file and regenerated from scratch.10
Regenerated X.509 certificates will need to be re-issued by the corresponding
certificate authorities; several have stated publicly that they will do this for
their customers at no additional charge.
If SSH public keys and authorized_keys files are centrally managed, it becomes
much easier to search for, track down and remove faulty or compromised keys.
Regenerating keys is only half the job: as long as a weak public key remains in an
authorized_keys file on any system, anyone holding the corresponding private key,
which is one of only 32,768 candidates, can log in to that system.
Those running Debian or Ubuntu systems and using keys for SSH authentication
that were generated between September 2006 and May 13, 2008 are vulnerable.
All Digital Signature Algorithm (DSA) keys that have been used on an affected
system must also be considered compromised, even if they were generated elsewhere,
because DSA signature generation relies on a secret random value for each signature
and a predictable value allows the private key to be recovered from a signature.
GPG and GnuTLS keys are not affected because those applications use their own
random number generators rather than the one from the vulnerable version of
OpenSSL.
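An added example of the clean-up the two passages above call for: scanning authorized_keys files for blacklisted keys. It is not the report's or Debian's own tooling (Debian shipped ssh-vulnkey and the openssh-blacklist package for this job). It parses each line, including an options prefix, recovers the key type and size from the key blob, computes the classic MD5 fingerprint and looks the key up in a blacklist. The blacklist format is an assumption modelled on openssh-blacklist: entries keyed by type and size, holding the last 20 hex digits of the MD5 fingerprint. The sample keys and blacklist entries are constructed, not real Debian-generated key material. A blacklist only catches keys generated by the flawed code; a DSA key that was merely used for signing on an affected host is compromised too, and only an inventory of where each key was used will find those.

```python
"""Scan authorized_keys files for blacklisted (Debian-weak) public keys.

Added example, not the report's or Debian's tooling. The blacklist layout
(type, bits, last 20 hex digits of the MD5 fingerprint) is an assumption
modelled on openssh-blacklist; the keys below are constructed, not real.
"""
import base64
import hashlib
import shlex
import struct

KEY_TYPES = {"ssh-rsa": "RSA", "ssh-dss": "DSA"}


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _iter_strings(blob: bytes):
    """Yield the wire-format strings that make up a public-key blob."""
    off = 0
    while off < len(blob):
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        yield blob[off:off + n]
        off += n


def key_info(blob: bytes) -> tuple:
    """Return (type, bits) for an ssh-rsa or ssh-dss public-key blob."""
    fields = list(_iter_strings(blob))
    ktype = fields[0].decode()
    # RSA: "ssh-rsa", e, n  -> size is the bit length of n
    # DSA: "ssh-dss", p, q, g, y -> size is the bit length of p
    modulus = fields[2] if ktype == "ssh-rsa" else fields[1]
    bits = int.from_bytes(modulus, "big").bit_length()
    return KEY_TYPES.get(ktype, ktype), bits


def md5_fingerprint(blob: bytes) -> str:
    """Classic OpenSSH fingerprint: MD5 over the raw key blob, 32 hex digits."""
    return hashlib.md5(blob).hexdigest()


def parse_authorized_keys_line(line: str):
    """Split one authorized_keys line into options, key blob and comment."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    try:
        tokens = shlex.split(line)     # respects quotes in command="..." options
    except ValueError:                 # unbalanced quotes: not a usable entry
        return None
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            return {"options": tokens[:i], "blob": base64.b64decode(tokens[i + 1]),
                    "comment": " ".join(tokens[i + 2:])}
    return None


def scan_authorized_keys(text: str, blacklist: set) -> list:
    """Report entries whose (type, bits, truncated fingerprint) is blacklisted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_authorized_keys_line(line)
        if entry is None:
            continue
        ktype, bits = key_info(entry["blob"])
        fp = md5_fingerprint(entry["blob"])
        if (ktype, bits, fp[-20:]) in blacklist:
            findings.append({"line": lineno, "type": ktype, "bits": bits,
                             "fingerprint": fp, "comment": entry["comment"]})
    return findings


# --- constructed sample keys and blacklist (not real key material) -----------
def _fake_rsa(seed: bytes, nbytes: int) -> bytes:
    n = (seed * nbytes)[:nbytes]
    n = bytes([n[0] | 0x80]) + n[1:]          # top bit set: exact bit length
    return (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
            + _ssh_string(b"\x00" + n))       # mpint needs a leading 0x00 here


def _fake_dsa(seed: bytes) -> bytes:
    p = bytes([seed[0] | 0x80]) + (seed * 128)[1:128]
    params = [b"\x00" + p, seed * 20, seed * 20, seed * 128]
    return _ssh_string(b"ssh-dss") + b"".join(_ssh_string(x) for x in params)


WEAK_RSA = _fake_rsa(b"\xde\xad\xbe\xef", 256)   # stands in for an Etch-generated key
GOOD_RSA = _fake_rsa(b"\x13\x37", 256)
WEAK_DSA = _fake_dsa(b"\x42")

AUTHORIZED_KEYS = "\n".join([
    "# deploy key, generated on an Etch build box",
    'command="/usr/bin/rsync --server" ssh-rsa '
    + base64.b64encode(WEAK_RSA).decode() + " deploy@build",
    "ssh-rsa " + base64.b64encode(GOOD_RSA).decode() + " alice@laptop",
    "ssh-dss " + base64.b64encode(WEAK_DSA).decode() + " legacy@ops",
])

BLACKLIST = {("RSA", 2048, md5_fingerprint(WEAK_RSA)[-20:]),
             ("DSA", 1024, md5_fingerprint(WEAK_DSA)[-20:])}


def findings_for_sample() -> list:
    return scan_authorized_keys(AUTHORIZED_KEYS, BLACKLIST)


if __name__ == "__main__":
    for f in findings_for_sample():
        print(f"line {f['line']}: {f['type']}-{f['bits']} {f['fingerprint']} ({f['comment']})")
```

The options prefix is the part people get wrong when grepping by hand: a line that starts with command="..." or from="..." still carries a key, and an entry with a space inside a quoted option cannot be split on whitespace, which is why the example tokenizes with shlex before looking for the key type.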
Lessons learned
Even though public key cryptography is far superior to reusable passwords, flaws
can still creep in. A misunderstanding of the code, coupled with a questionable
local patching policy, resulted in a pervasive problem that is going to be difficult
to clean up. While this incident does not imply a general weakness in SSH keys, it
does highlight the occasional need to replace keys in response to an actual or
suspected compromise, and the difficulty of managing them well enough to do so. At
the time of this writing no attacks have been detected using the publicly available
keys, though this may be just a matter of time. The incident should not detract
from the fact that SSH authentication keys are vastly more secure than reusable
passwords, and it should not deter organizations from deploying them.
Significant disclosures
In June, X-Force team analysts researched and assessed 640 security-related
threats. A significant percentage of the vulnerabilities recorded in the X-Force
database became the focus of malicious code writers, whose output includes malware
and targeted exploits.
Consequences of the vulnerabilities assessed in June 2008 (percentages represent a
unique vulnerability count):
Bypass Security – 5%
An attacker can bypass security restrictions such as a firewall or proxy, an IDS system
or a virus scanner.
File Manipulation – 0.5%
An attacker can create, delete, read, modify or overwrite files.
Gain Access – 50%
An attacker can obtain local and remote access. This also includes vulnerabilities in
which an attacker can execute code or execute commands with the goal of gaining
access to the system.
Gain Privilege – 4%
An attacker can gain privileges on the local system only.
Data Manipulation – 26%
An attacker is able to manipulate data stored or used by the host associated with the
service or application.
Denial of Service – 8%
An attacker can crash or hang a service or system, or take down a network.
Obtain Information – 5%
An attacker can obtain information such as file and path names, source code,
passwords or server configuration details.
Other – 1%
An attacker can perform other, less common attacks, such as price changing. Used when
the other consequences do not apply.
On June 10, 2008, IBM ISS disclosed a serious vulnerability, discovered by an X-Force
analyst, in Microsoft Windows® DirectX®. This remote code execution issue is caused
by multiple stack-based buffer overflows in the Microsoft MJPEG codec, a component
of Windows Media® Player found in all modern Microsoft operating systems, including
Microsoft Windows Vista®.
On the same day the protection advisory was published, the X-Force team also
produced a protection alert for another remote code execution vulnerability in
Microsoft Windows DirectX. That issue is caused by improper validation of
Synchronized Accessible Media Interchange (SAMI) file parameters. By persuading a
victim to open a specially crafted SAMI file, a remote attacker could exploit this
vulnerability to execute arbitrary code on the system with the privileges of the
victim.
• A protection alert provided by IBM ISS: Microsoft Windows DirectX SAMI Code Execution14
• IBM ISS Protection Signature:
– SAMI_WMP_Overflow
• Microsoft Security Bulletin MS08-033 – Critical: Vulnerabilities in DirectX Could
Allow Remote Code Execution (951698)15
• CVE-2008-1444 16
We encourage our clients to review the June 2008 edition of the X-Force Threat
Insight Monthly for ways to mitigate this threat. Additionally, the X-Force
protection alert “Automated SQL Injection Attacks” highlights the associated
IBM ISS product coverage.19
• Citibank – A server that processes ATM withdrawals at retail stores was breached.
The incident resulted in hundreds of fraudulent withdrawals from New York City ATMs.20
• Cotton Traders – An attack against the company’s Web site compromised the credit
card details of as many as 38,000 customers.21
• Scottish Ambulance Service – A disc containing the records of close to 900,000
emergency calls, including the names and addresses of patients, has gone missing.22
• Stanford University – A laptop containing sensitive information, including faculty
members’, staffers’ and students’ names, addresses, Social Security numbers, birth
dates, university ID and employee numbers, was stolen, potentially compromising
72,000 records.23
• University of Florida – Sensitive information, including the Social Security numbers,
names and addresses of 11,000 current and former students, was posted online.24
• University of Utah Hospital – 2.2 million billing records containing the personal
information of patients from the past 16 years were stolen.25
Malcode corner
As part of the IBM ISS X-Force Virus Prevention System (VPS) team’s continued
effort to strengthen IBM ISS antivirus, anti-spyware and anti-malware protection,
the VPS team investigated and added another 12,866 new samples to the malcode zoo
in June 2008.
• Virus – Propagates by infecting a host file and possibly doing some form of damage
to the host file.
• Worm – Self-propagates via e-mail, network shares, removable drives, file sharing
applications or instant messaging applications.
Breakdown of the June 2008 samples by category:
Worm – 25.4%
Trojan – 20.8%
Backdoor – 13.1%
Miscellaneous – 9.0%
Password Stealer – 8.7%
Downloader – 7.6%
Virus – 6.9%
Spy – 6.0%
Adware – 2.0%
Dialer – 0.4%
Rootkit – 0.2%
References
http://www.darkreading.com/document.asp?doc_id=130587
3 Stoned
http://vil.nai.com/vil/content/v_1169.htm
4 Michelangelo Madness
http://www.research.ibm.com/antivirus/SciPapers/White/VB95/vb95.distrib-node7.html
5 Troj/Mbroot-A
http://www.sophos.com/security/analyses/viruses-and-spyware/trojmbroota.html
6 Trojan.Mebroot
http://www.symantec.com/security_response/writeup.jsp?docid=2008-010718-3448-99
7 StealthMBR
http://vil.nai.com/vil/content/v_143908.htm
8 BootRoot
http://research.eeye.com/html/tools/RT20060801-7.html
http://www.pcworld.com/businesscenter/article/145703/hackers_find_a_new_place_to_hide_rootkits.html
11 A protection advisory provided by IBM ISS: Microsoft Windows MJPEG Codec Multiple Overflows
http://iss.net/threats/294.html
12 Microsoft Security Bulletin MS08-033 – Critical: Vulnerabilities in DirectX Could Allow Remote Code Execution (951698)
http://www.microsoft.com/technet/security/bulletin/ms08-033.mspx
13 CVE-2008-0011
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0011
14 A protection alert provided by IBM ISS: Microsoft Windows DirectX SAMI Code Execution
http://iss.net/threats/295.html
15 Microsoft Security Bulletin MS08-033 – Critical: Vulnerabilities in DirectX Could Allow Remote Code Execution (951698)
http://www.microsoft.com/technet/security/bulletin/ms08-033.mspx
16 CVE-2008-1444
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1444
17 Microsoft Security Advisory (954462)
http://www.microsoft.com/technet/security/advisory/954462.mspx
18 Game, set and match
http://www.sophos.com/security/blog/2008/06/1514.html
19 Automated SQL Injection Attacks
http://iss.net/threats/293.html
20 Citibank Hack Blamed for Alleged ATM Crime Spree
http://blog.wired.com/27bstroke6/2008/06/citibank-atm-se.html
21 Card details stolen in web hack
http://news.bbc.co.uk/2/hi/technology/7446871.stm
22 Scottish Ambulance Service loses nearly 900,000 records
http://www.computing.co.uk/computing/news/2219911/scottish-ambulance-service
23 Stolen laptop teaches Stanford a lesson on need for encryption
http://computerworld.com/action/article.do?command=viewArticleBasic&articleId=9094958
24 11,000 University of Florida Student Social Security Numbers Posted Online
http://www.foxnews.com/story/0,2933,365462,00.html
25 U of U medical records stolen, 2.2 million patients’ data at risk
http://www.sltrib.com/ci_9540210
All performance data contained in this publication was obtained in the specific
operating environment and under the conditions described above and is presented
as an illustration. Performance obtained in other operating environments may
vary and customers should conduct their own testing.
© Copyright IBM Corporation 2008.
07-08