Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2008-03-21 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Cyber attacks against Tibetan communities

Published: 2008-03-21
Last Updated: 2008-03-24 13:25:22 UTC
by Maarten Van Horenbeeck (Version: 4)
0 comment(s)

There is lots of media coverage on the protests in Tibet. Something that lies under the surface, and rarely gets a blip in the press, are the various targeted cyber attacks that have been taking place against these various communities recently.

UPDATE: We published an extended diary with additional tech info here.

These attacks are not limited to various Tibetan NGOs and support groups. They have been reported dating back to 2002, and even somewhat before that, and have affected several other communities, including Falun Gong and the Uyghurs.

The attacks generally start with a very trustworthy looking e-mail, being spoofed as originating from a known contact, to someone within a community. Some impressive social engineering tricks are used:

  • Messages make a strong statement on a well known individual or group, but do not mention its name. The attachment is then named after that individual. A state of 'cognitive dissonance' is invoked between the reader's pre-existent beliefs and the statement. There's a natural urge to click on the attachment to confirm that belief;
  • The writing style of the purported sender is usually well researched to have the message look as believable as possible;
  • The content of the document actually matches closely what was discussed in the e-mail message;
  • Having legitimate, trusted, users actually forward along a message back into the community.

The messages contain an attachment which exploits a client side vulnerability. Generally these are:

  • CHM Help files with embedded objects;
  • Acrobat Reader PDF exploits;
  • Microsoft Office exploits;
  • LHA files exploiting vulnerabilities in WinRAR;
  • Exploitation of an ActiveX component through an attached HTML file.

Here's a sample attachment and its AV coverage at the time it was distributed:

reports_of_violence_in_tibet.ppt
MD5 977a4ac91acf5d88044a68f828154155

AhnLab-V3 2008.3.20.2 2008.03.20 -
AntiVir 7.6.0.75 2008.03.20 EXP/Office.Dropper.Gen
Authentium 4.93.8 2008.03.20 -
Avast 4.7.1098.0 2008.03.20 MPPT97:CVE-2006-3590
AVG 7.5.0.516 2008.03.20 -
BitDefender 7.2 2008.03.20 Exploit.PPT.Gen
CAT-QuickHeal 9.50 2008.03.20 -
ClamAV 0.92.1 2008.03.20 -
DrWeb 4.44.0.09170 2008.03.20 -
eSafe 7.0.15.0 2008.03.18 -
eTrust-Vet 31.3.5629 2008.03.20 -
Ewido 4.0 2008.03.20 -
F-Prot 4.4.2.54 2008.03.19 File is damaged
F-Secure 6.70.13260.0 2008.03.20 -
FileAdvisor 1 2008.03.20 -
Fortinet 3.14.0.0 2008.03.20 -
Ikarus T3.1.1.20 2008.03.20 -
Kaspersky 7.0.0.125 2008.03.20 -
McAfee 5256 2008.03.20 -
Microsoft 1.3301 2008.03.20 -
NOD32v2 2964 2008.03.20 PP97M/TrojanDropper.Agent.NAI
Norman 5.80.02 2008.03.20 -
Panda 9.0.0.4 2008.03.20 -
Prevx1 V2 2008.03.20 -
Rising 20.36.32.00 2008.03.20 -
Sophos 4.27.0 2008.03.20 -
Sunbelt 3.0.978.0 2008.03.18 -
Symantec 10 2008.03.20 -
TheHacker 6.2.92.250 2008.03.19 -
VBA32 3.12.6.3 2008.03.17 -
VirusBuster 4.3.26:9 2008.03.20 -
Webwasher-Gateway 6.6.2 2008.03.20 Exploit.Office.Dropper.Gen

As you can see, Anti virus is generally not proving effective against the samples distributed in this ongoing attack. We often see similar samples returning, only to have been edited slightly to prevent them from being picked up.

Most of the time, the samples then drop very raw trojans not restricted much in ability. This means that only investigating the trojan does not always reveal the data targeted. To investigate, it's necessary to find out which commands were submitted So far, we have uncovered attacks that specifically searched the file system for Word documents, e-mail contents and, most interestingly PGP keyrings.

If you’re interested in this, you may like to read Crouching Powerpoint, Hidden Trojan, a presentation I gave earlier in the year on similar attacks against Falun Gong. Brian Krebs at the Washington Post has also written on the unfolding events.  Mikko at F-Secure, Sophos and McAfee AVERT also have very interesting blog postings up on the topic.

We've been working with several groups on these attacks since early 2007. If you or your organization has also been targeted, now or in the past, please get in touch. We will not publish any data on your specific attacks without your permission.

--
Maarten Van Horenbeeck

Keywords: tibet
0 comment(s)

Several new Asterisk vulnerabilities were recently announced.

Published: 2008-03-21
Last Updated: 2008-03-21 18:23:17 UTC
by donald smith (Version: 1)
0 comment(s)

The Astrerisk.org team has released new versions of code to address the following four vulnerabilities.
From: http://www.asterisk.org/node/48466 
“AST-2008-002 details two buffer overflows that were discovered in RTP codec payload type handling.
http://downloads.digium.com/pub/security/AST-2008-002.pdf
All users of SIP in Asterisk 1.4 and 1.6 are affected.
AST-2008-003 details a vulnerability which allows an attacker to bypass SIP authentication and to make a call into the context specified in the general section of sip.conf.
http://downloads.digium.com/pub/security/AST-2008-003.pdf
All users of SIP in Asterisk 1.0, 1.2, 1.4, or 1.6 are affected.
AST-2008-004 details some format string vulnerabilities that were found in the code handling the Asterisk logger and the Asterisk manager interface.
http://downloads.digium.com/pub/security/AST-2008-004.pdf
All users of Asterisk 1.6 are affected. “

Exploitation of these types of vulnerabilities has been used in the past to gain access to asterisk servers to set up automated systems for vishing attacks.

Vishing is a term used for voice based phishing.  http://en.wikipedia.org/wiki/Vishing

If you get a message, email or phone call that asks you to call a number you do not recognize check the bill for that service or the back of your credit card and call THAT number not the number that was included in the message.

Never give out personal information unless you have verified the data receiver.

Keywords:
0 comment(s)

D-Link router based worm?

Published: 2008-03-21
Last Updated: 2008-03-21 16:44:10 UTC
by donald smith (Version: 1)
1 comment(s)

Yesterday we were notified by one of our contributors Fausto Zuin of unusual activity.
He was seeing lots of full TCP connect scans to destination port 23.
I examined data based on some of his attacking sources and noticed there was also
udp 161 packets coming from the same sources towards the same victims.
The pattern looks like this:
A couple of telnet attempts and a couple of SNMP attempts.
The telnet packets tend to be small in the 50-100 byte range.
The SNMP packets are slightly larger in the 120 byte to 140 byte range.
12 attacking IP addresses were fingerprinted and 10 appear to be D-Link routers.

I suspect someone is using snmp to reconfigure the router to its default
password or to read it's admin password and then accessing the D-Link via telnet
to modify the routers configuration or firmware.

The D-Link DWL-1000AP had an snmp based password confidentiality vulnerablity
reported back in 2001. There were a default SNMP communities that could
be used to read or reset the admin password.

http://www.derkeiler.com/Mailing-Lists/Securiteam/2001-12/0111.html

"A MIB walk using the read-only SNMP community of 'public' (default
read-only community for most devices) can allow an attacker access to
the "admin password" to the access point listed in clear text in OID
1.3.6.1.4.1.937.2.1.2.2.0 as a string value."

This particular model also had a single Ethernet based LAN interface.
So most consumers using this as an AP would have had to point the Ethernet
connection towards the Internet.  In most cases the LAN interface is a
trusted management interface so I believe that would leave it wide open
to snmp and telnet attacks from the internet.

I doubt this attack includes changing the firmware of the router itself
to become router based self propagating worm while possible it is more
difficult then compromising one of the home systems. Given control of a device
like this in the network it would be relatively simple to redirect consumer's
traffic to a site with client side exploits that would compromise any computer
that was not fully patched.

If you believe your dlink router has been compromised and have any additional details
please contact us via the contacts link at http://isc.sans.org/contact.html.

Keywords: dlink router
1 comment(s)
Diary Archives