[Shields Up] Computer Security Thread

TetraNitroCubane

Assuming that the infection is not active in the environment you're using to copy the files, you should be A-OK. Transferring the files to an external drive isn't really the risk, so much as the external drive getting infected itself is. By that I mean if the rootkit plays some nasty autorun games with your external drive, or leverages the .LNK vulnerability that Stuxnet was infamous for. Even if there are infected files on the external drive, if they aren't explicitly executed by you (or one of the aforementioned vulnerabilities), then the clean machine you're transferring to should be fine. Seeing as you're operating out of a LiveCD environment, though, the rootkit shouldn't have a chance to run, and it shouldn't even get the opportunity to infect your external drive in these specific ways. You might copy over a few compromised files, but without your launching them yourself, you should be safe. Still, sometimes extra precautions are better. An ounce of prevention, a pound of cure, and all that.

My advice would be that, after you transfer your files to your external, wipe the computer as you're planning. Then, after a clean install, make sure you patch the system completely up to date. Afterward, install security software (just about everything will block Stuxnet type infections), and disable autorun/autoplay (Windows 7 does this by default). Then, and only then, mount the external drive and scan it with MBAM and your A/V of choice. Alternatively, you can boot to a Live or RescueCD and scan the external HDD from there before connecting it to the freshly installed system.

TetraNitroCubane

So I completely missed this story while I was out of town last week, but apparently Dutch Certificate issuer Diginotar was compromised recently. The hacker/attacker in question issued a variety of different certificates, but the most alarming is that a cert for Google domains was pinched and released into the wild.

Somehow, somebody managed to get a rogue SSL certificate from them on July 10th, 2011. This certificate was issued for domain name .google.com.

What can you do with such a certificate? Well, you can impersonate Google — assuming you can first reroute Internet traffic for google.com to you. This is something that can be done by a government or by a rogue ISP. Such a reroute would only affect users within that country or under that ISP.

But why would anybody want to intercept Google? Well, this is not really about the search engine at www.google.com. This is about the Gmail servers at mail.google.com and Google Docs at docs.google.com and maybe Google+ at plus.google.com.

It's been a hot topic while I wasn't watching, but recently it's come to light that Diginotar may have been compromised for up to two years prior to the attacks. Techdirt has the story as well as F-Scure.

So how was this done? The folks at F-Secure have found some evidence suggesting the company was hacked by Iranian hackers (probably working for the government). But what's really scary, is that the evidence F-Secure found suggests that DigiNotar was hacked at least two years ago. F-Secure also takes issue with DigiNotar's explanation concerning how this one fraudulent Google certificate got out:

"While Diginotar revoked the other rogue certificates, they missed the one issued to Google. Didn't Diginotar think it's a tad weird that Google would suddenly renew their SSL certificate, and decide to do it with a mid-sized Dutch CA, of all places? And when Diginotar was auditing their systems after the breach, how on earth did they miss the Iranian defacement discussed above?"

Just another incident that seems to indicate that digital certificates are a weak link in our security chain these days. Revocation should be handled by windows update soon. I'll dig around and see if I can't find more solid mitigating information.

There's a list of domains that fraudulent certs were issued to under the spoiler, via F-Secure:

Spoiler:

*.*.com
*.*.org
*.10million.org
*.android.com
*.aol.com
*.azadegi.com
*.balatarin.com
*.comodo.com
*.digicert.com
*.globalsign.com
*.google.com
*.JanamFadayeRahbar.com
*.logmein.com
*.microsoft.com
*.mossad.gov.il
*.mozilla.org
*.RamzShekaneBozorg.com
*.SahebeDonyayeDigital.com
*.skype.com
*.startssl.com
*.thawte.com
*.torproject.org
*.walla.co.il
*.windowsupdate.com
*.wordpress.com
addons.mozilla.org
azadegi.com
friends.walla.co.il
login.live.com
login.yahoo.com
my.screenname.aol.com
secure.logmein.com
twitter.com
wordpress.com
www.10million.org
www.balatarin.com
www.cia.gov
www.cybertrust.com
www.Equifax.com
www.facebook.com
www.globalsign.com
www.google.com
www.hamdami.com
www.mossad.gov.il
www.sis.gov.uk
www.update.microsoft.com

Mr_Rose

*.*.com?
Who the fuck issues a cert as trusted for every single .com address possible?

Actually that's a very interesting list of sites, especially if you're a government agent who wants to intercept folks messages about starting revolutions and such, or put out a bunch of propaganda. Or, indeed, walk into users' machines when they legitimately remote in through logmein. Damn.

Fuu

So, I tried to get it to run DBAN last night, and it told me "No, you cannot run DBAN. Your HDD probably has bad sectors". Well, I'm starting to wonder if this is a symptom of the hidden partition, or if the HDD is actually going bad. I hate taking my work home with me, cause then after a full day of work... I just stare at it and wonder what is wrong with it. I'll try and fix it with seatools #hatebeingTGWIGWC

khalathas

Fuu, sadly as far as I've been able to discover, no program can yet remove Zaccess. There's a targetted utility that is SUPPOSED to be able to, but sadly, it detects and then fails to remove it. As Tetra said...back up the system via live environment, nuke it from orbit, then be *EXTRAORDINARILY* paranoid when you restore your data. Remember, in addition to doing the nuke, you have to cleansweep the entire drive, make sure all hidden partitions are blasted, etc...

TetraNitroCubane

From what Fuu's saying, he tried to nuke the drive already. DBAN (Darik's Boot and Nuke) is a bootable disk that's supposed to securely wipe any harddrive after you boot from it.

Fuu, it's been a while since I've used DBAN, but the official forums seem to indicate that if DBAN does find anything it considers a bad sector, it won't do its thing. The issue seems to predate Zaccess, so it's possible the issue is unrelated. I'm not sure if Zaccess can hide itself as 'bad sectors' or not, as I just don't know enough about the behavior of the rootkit. According to this thread on the official forums, downloading a previous version of DBAN might help you out, Fuu.

Beltaine

Is there a simple way to determine if you're infected by zaccess?

Sentret

Might be time to yank out the hard drives and fedex them to vatican city for cleansing (with fire).

grouch993

I would probably boot up a linux live cd, and then run shred, bonnie, or cpio to wipe the drive out.

Fire would be an option if I had to justify buying a new one.

Trentus

grouch993 wrote:

I would probably boot up a linux live cd, and then run shred, bonnie, or cpio to wipe the drive out.

I'm not overly familiar with bonnie or cpio, but how would you use them to wipe a disk? I thought bonnie was a filesystem benchmark utility and cpio was a file archiver.

I'm more of a dd kind of guy myself. It has the benefit of being damn near everywhere.

khalathas

http://forums.majorgeeks.com/showthread.php?t=243503

This guy claims he successfully cleaned Zaccess...not sure exactly how successful he was, knowing what we know about it, it might just be dormant and hidden in his system...but its worth considering.

Edit: for detection, don't underestimate the awesome power of GMER rootkit detector. It won't clean anything, but it'll give you all sorts of info that can be useful in detecting a possible infection that no cleaner will detect.

Edit 2: also potentially useful information http://www.malware-analysis.net/?p=236 Towards the bottom, where it suggests running a sigcheck on your driver files in offline mode...

grouch993

Trentus wrote:

grouch993 wrote:

I would probably boot up a linux live cd, and then run shred, bonnie, or cpio to wipe the drive out.

I'm not overly familiar with bonnie or cpio, but how would you use them to wipe a disk? I thought bonnie was a filesystem benchmark utility and cpio was a file archiver.

I'm more of a dd kind of guy myself. It has the benefit of being damn near everywhere.

Sorry, operating on low caffeine. Yes, dd is great. bonnie in destructive write testing will randomly alter data. cpio would need an input stream that would most likely come from dd.

bonnie++, this should run over entire drive reading and writing test data.
bonnie++ -d /drive/to/write -s 1024 -x 1000 -b

I remember a solaris admin accidentally nuking a bunch of his drives with this. We were testing drive performance with just the read testing.

Dark Shroud

http://arstechnica.com/tech-policy/news/2011/09/how-an-omniscient-internet-sextortionist-ruined-lives.ars

TetraNitroCubane

Dark Shroud wrote:

http://arstechnica.com/tech-policy/news/2011/09/how-an-omniscient-internet-sextortionist-ruined-lives.ars

Damn, that's disturbing. If anything like that happened to me, I'd be curled up in a shivering ball on the floor for weeks. Particularly the point about the 'inside knowledge' the guy seemed to have.

Interesting to note how he got initial access, though:

Mijangos admitted that he did sometimes hack into other people's computers. A favorite trick was seeding peer-to-peer networks with popular-sounding song titles that were actually malware; when someone downloaded and executed the file, their machine was infected and would open itself to Mijangos's control.

I'm guessing that this probably has to do with the recent development that's arisen in obfuscating filenames. There's some unicode trick that's been used recently to make a completely fake hosts file and present it as the real one on a system, as well as make an .exe file look like a legitimate .jpg. The details are here, on TechNet.

Beltaine

Don't have nude/lewd photos taken of yourself, and absolutely don't put them on your computer, send them to your boy/girlfriend, or post them on the Internet.

Seriously, both the examples in the article would have been non-issues had they just done that one simple thing.

TetraNitroCubane

That's always an extremely sound (and obvious) policy to have, I'd say. Though to be fair, in this case the article made it sound like the malware delivered was used to surreptitiously activate microphones and webcams in order to record the victims while they were unaware. It's obviously hard to know without details, but it seemed it was implied that this guy was snapping photos of the victims as they left the shower/got dressed. Which makes him a special kind of scum.

Mr_Rose

...this is why I don't even have a webcam. Activate that remotely, bitches.

Orca

Webcams have an off switch, or, in the case of laptops, a cover.

Use it.

External mics usually have an off switch as well.

Internal ones I usually shut off at the mixer, simply so I don't have to worry about feedback...but I can understand not messing with that all the time.

Mr_Rose

Really though, I have no need of a webcam so I don't have one. I know they can be disconnected easily enough when not in use but I also remember from my days as a sysadmin that there are still people that believe you can remotely hack into a machine that is not actually connected to a network.

TetraNitroCubane

Personally I have no use for a webcam, either. And I agree - disconnecting all peripherals you're not using seems like a good idea to me, including webcams.

Of course, sometimes it's not possible to disconnect your webcam. For example, the iSight built into most MacBooks, both camera and mic. I think there are software methods for disabling them, but there's no reasonable way to disconnect them from the machine.

And before someone says that MacBooks aren't a good example, because it's unlikely that anyone could ever plant backdoor software on them and use that software to covertly steal photos and videos of the user... Well, the students of Lower Merion School district would probably disagree with you.

Granted, in this case the laptops were issued to the students pre-rooted (so to speak), so I know it's not directly related to the conversation at hand. It's just a bit of a chilling example.

Orca

In college the workaround I've seen (which of course does nothing for the speaker) is folks putting a fragment of a post-it note over a macbook's webcam.

$2000+ piece of hardware with a damn sticky note on it...but it works.

Muse Among Men

Glad I was able to find this thread (somehow my eyes glossed over it numerous times despite looking for it) because I have a new laptop. That is just for myself and not going to be ruined by being shared by 'the family'. I'm not even that computer savvy but I've been chasing around after their various security transgressions as long as I can remember. It hasn't gotten better, especially since my sister uses the internet more now that she has gotten older.and has no sense of safety. If it turns out some shady Romanian dude already has my info I get to blame her. I sure hope that isn't the case.

But yes, this thread is very helpful and I am glad it is here.

Muse Among Men

holy triple post

Muse Among Men

and now posts delete themselves too?

So it seems like I should be mostly OK if I connect to the internet with only the default firewall (win7) so long as I am not putzing around? I want to get MSE first and foremost and don't want to have tor transfer any files from my old comp onto my new laptop without some measure of security on it.

TetraNitroCubane

Running with the Windows 7 firewall set to public, and having MSE installed are excellent starts for protecting a system. Remember, whether or not you're 'putzing' around doesn't matter a lick these days. The biggest website that nasty people use to distribute nasty malware is Google - Particularly Google Image Search. The most common tactic these days is injecting malicious software into normal webpages, so there's no such thing as 'safe surfing'.

Because of that, I'd highly recommend that for whatever browser you use, you also install an Ad-blocker, a Javascript Blocker, and a Flash Blocker. Only let Javascript and Flash run when you're sure you want them to run. That should increase your security nicely. Oh, and be sure that you don't have files set to auto-open on download. Particularly PDFs. Disable any plugin that will open PDFs in your browser, in particular.

Orca

The other thing is to (if you can) ditch Adobe Acrobat Reader; there's been a fair few exploits out for it, and its support for scripting makes it an obvious target. The other options aren't quite drop-in replacements, but Evince is a free option that does the job decently.

khalathas

Great news guys! It APPEARS we may be in luck with ZAccess. I know some of you have already nuked systems...and that was fine at the time, we had no solution then. It does appear, though, that the very latest version of combofix http://www.bleepingcomputer.com/download/anti-virus/combofix IS capable of punching ZAccess straight in the nuts.

I just happened to get my hands on a zaccess infection (client's machine) today and gave it a test run. Not only did it detect and remove the relevant files we'd expect...it was able to get rid of the corrupt KB folder that contained the ADS's and pointers to the hidden partition that supposedly exists. I'm doing a followup diagnosis to make sure its clean..but it looks like that's our solution now.

TetraNitroCubane

I'm glad to hear Combofix can take a bite out of ZAccess now, but I'll be honest: If something like that ever touched my system I'd be reformatting (re-zeroing) my hard drive no matter what.

Although in certain cases, it seems like even that may not be enough. A new nasty named Mebromi is making the rounds, a rootkit that flashes the BIOS of machines which rely upon Award BIOS. This means the infection is active before the MBR is even invoked, allowing the nasty piece of kit to play some seldom-seen games:

The next time Windows launches, the malicious code downloads a rootkit to prevent the drive's MBR from being cleaned by a virus scanner. But even if the drive is cleaned, the whole infection routine is repeated the next time the BIOS module is booted. Mebromi can also survive a change of hard drive. If the computer doesn't use an Award BIOS, the contaminant simply infects the MBR.

Symantec has a more in-depth view over on their blog. Additionally, Webroot weighs in on the infection, pointing out the difficulty of cleaning such a piece of malware.

Storing the malicious code inside the BIOS ROM could actually become more than just a problem for security software, giving the fact that even if an antivirus detect and clean the MBR infection, it will be restored at the next system startup when the malicious BIOS payload would overwrite the MBR code again. Developing an antivirus utility able to clean the BIOS code is a challenge, because it needs to be totally error-proof, to avoid rendering the system unbootable at all. The job of handling with such specific system codes should be left to the developers of the specific motherboard model, who release BIOS updates along with specific tool to update the BIOS code.

khalathas

Saw articles on that one...there's really almost no space on the bios chip to store MUCH of a payload...they're almost at capacity as is. It's more of a proof of concept than a real threat currently. The thing I worry more about is it giving developers ideas, and then less-capable developers write shoddy hackjobs of attempts that end up hosing the bios entirely and "bricking" motherboards. At that point there's real collateral damage being done.

Orca

Don't most motherboards have a backup BIOS that you can load in by shorting a jumper, after the CIH debacle?

Bendery It Like Beckham

Some do, but most pre-built machines don't. If you're buying a high end mobo or even mid end you're fine; but if you are the majority of consumers who bought that $600 hp you saw on sale you're boned. I mentioned the idea of memory and bios resident viruses to some co-workers the other day, they scoffed. Bringing a copy of this article in tomorrow.

khalathas

My Asus Rampage III Formula is nice...not only does it have 2 bios chips (specifically if you screw one up with a firmware update), but it has onboard buttons and LEDs for diagnostics, and 10 "profile" save slots for bios configurations. I actually can swap active bios by pressing a button on the mobo, booting (there's a start and reset button right on the mobo as well), and there's an LED beside each physical bios chip to let me know which one is active. Look it up, its pretty much amazing.

TetraNitroCubane

An interesting bit of news hit the Register recently. It's been causing a buzz, but I'm still not entirely sure how to interpret it. I'll say that the attack in question is certainly getting trumped up in its reporting, though.

Basically, two security researchers have found a way to defeat TLS 1.0 encryption by using malicious javascript via a MITM attack.

At the Ekoparty security conference in Buenos Aires later this week, researchers Thai Duong and Juliano Rizzo plan to demonstrate proof-of-concept code called BEAST, which is short for Browser Exploit Against SSL/TLS. The stealthy piece of JavaScript works with a network sniffer to decrypt encrypted cookies a targeted website uses to grant access to restricted user accounts. The exploit works even against sites that use HSTS, or HTTP Strict Transport Security, which prevents certain pages from loading unless they're protected by SSL.

...

"BEAST is different than most published attacks against HTTPS," Duong wrote in an email. "While other attacks focus on the authenticity property of SSL, BEAST attacks the confidentiality of the protocol. As far as we know, BEAST implements the first attack that actually decrypts HTTPS requests."

The proof of concept they plan to demo is to intercept and decrypt a PayPal session cookie, so as to impersonate a user and claim the account. Of course, media outlets are reporting this as "ATTACK ON PAYPAL!!" despite the numerous issues wrong with that headline.

As for mitigation, NoScript author Giorgio Maone has stated that javascript must be allowed on the attacker's site for this exploit to be possible.

JavaScript and plugins need to be allowed on the site of the attacker for the attack to succeed.

Of course if the victim site uses a mixed SSL policy (i.e. it's NOT forced to HTTPS neither by HSTS, nor by NoScript's explicit HTTPS enforcement, something which shouldn't be condoned to any financial institution) the attacker might be able to inject its code directly inside the unencrypted victim pages, but in order to do that he must already control your DNS and/or your network (i.e. he's your internet provider or you're behind a hostile proxy).

In such extreme (and rather uncommon) situations you should raise your NoScript Option|Advanced|Forbid active web content unless it comes from a secure (HTTPS) connection setting to the appropriate level, even though this means browsing non-HTTPS website may become quite painful.

Personally I can't weigh in one way or the other on the actual severity of this particular exploit/threat. I simply know too little about cryptography, and the chatter I've seen has been coming from both sides of the issue. I will say that the reporting feels a bit sensationalist, though.

TetraNitroCubane

Pay no attention to this double post. Fnord.

Orca

My (nonexpert!) reading of it is that it is a threat that is not (as far as we know) yet out in the wild, but must be treated as if it were, because it renders TLS 1.0 vulnerable. And basically all sites use it. One possible solution is for everybody to move to requiring TLS 1.1 server-side (all modern browsers implement it, though I think 1.2 isn't fully implemented yet). Of course, who knows how much pain that would cause...

But it's important because it's not an attack that opens up paypal; it's an attack that potentially opens up essentially everybody.

Some discussion here: http://www.reddit.com/r/netsec/comments/kl1lr/hackers_break_ssl_encryption/

TetraNitroCubane

Oh yeah, absolutely it's a bigger problem than just PayPal. That's why I take exception to the way PayPal is getting trumped up in the headlines. If something were to truly break SSL (and I'm not convinced this is it), just about every website out there would be hosed, security wise.

Also, I'm not sure what the difficulty of migrating to TLS 1.1 or 1.2 would be on the server-side end of things, but given the way that some websites refuse to update security measures, I'm going to guess this might be a lingering problem for some folks.

Orca

Here's a plain-English explanation of how the attack works (not why it's important) within the context of TOR: https://blog.torproject.org/blog/tor-and-beast-ssl-attack

Mr_Rose

Quick question; from a security POV would you recommend GPT partitioning over MBR for a secondary, non-booting storage drive in Windows?

TetraNitroCubane

Mr_Rose wrote:

Quick question; from a security POV would you recommend GPT partitioning over MBR for a secondary, non-booting storage drive in Windows?

My quick and uneducated assumption on the matter is that, if the drive isn't something you'll be booting from, that there's no risk of an MBR infection or any other threats to the MBR. Then again, it never hurts to be cautious.

In other, delayed news, NPR ran a story today about how Stuxnet might be a creation of the United States. German security engineer Ralph Langner seems to think so, at least.

The sophistication of the worm, plus the fact that the designer had inside intelligence on the Iranian facility, led Langner to conclude that the United States had developed Stuxnet, possibly with the help of Israeli intelligence.

Langner isn't shy about naming the U.S. as the Stuxnet culprit, as he stated in a recent speech at the Brookings Institution. In that speech, he also made the bigger point that having developed Stuxnet as a computer weapon, the United States has in effect introduced it into the world's cyber-arsenal.

It's been a theory for a while, but I don't know of any security researchers who have put their name behind it quite as much as Langer is, here.

Mr_Rose

I was just thinking, with the increasing sophistication of these things, having one less place for the fuckers to hide shit would be an good idea. Defence in diversity and all that.

And apparently GPT includes a sort of fake MBR anyway. Hmm.

Eh, it's done now.