
A malicious Apache module that uses some clever tricks so that you’ll never find it, a WordPress flaw that exposes your LAN, and the big Samsung exploit you might not have heard about!
Plus a big batch of your questions, and so much more on this week’s TechSNAP!
Show Notes:
- The module, known as Linux/Chapro.A and alternately as Darkleech, is loaded into an Apache server and injects iframes into the pages that are served
- The iframes load content from malicious sites, usually with the intent of infecting the visitor with the Zeus trojan (Win32/Zbot) or other malware such as the new Sweet Orange exploit kit
- What makes this module exceedingly clever is that it uses a number of techniques to prevent itself from being discovered and to mask the source of the infection
- For starters, the module checks all open SSH sessions on the host server and will not serve the malware to any website visitors from those IP addresses
- The malware also looks at the user agent string, and purposely does not serve the malware to bots, crawlers (Attempting to avoid detection by the likes of Google’s Safe Browsing system) or machines that are not likely to be vulnerable (it purposely does not inject the iframe for browsers on OS X, Linux or BSD or mobile devices)
- The malware also does not attempt to infect the same user twice: via communications with a C&C server, the module decides whether or not to attempt to infect a user. This means that if you return to the site and are already infected, your IP address has been seen before, or you are marked by a cookie, you will not be served the malware
- This remote C&C server also determines the content that is injected, allowing the controllers to change the iframe to point to a different exploit without having to change the Apache module
- These factors make it much harder for server administrators to determine that it is in fact their server that is injecting the iframe, not something on the users’ side, but also make it harder for users and researchers to determine which site infected them, as they may not see the malicious content on a return visit
- As we know, the Zeus trojan targets users of European and Russian banks and attempts to steal their credentials
- Some banks have started adding warnings to their login screen, notifying users that the bank will never ask them for specific pieces of information, like their card PIN or CVC/CVV value; however, machines infected with the trojan do not see the warning, as it is removed by the malware
- The Apache module has also been seen to deliver the Sweet Orange exploit kit
- The developers of the new Sweet Orange exploit kit claim an infection rate of 10–25%
- The developers have 45 dedicated IP addresses and 267 unique domains to allow them to avoid blacklists
- Researchers also found an alarmingly low detection rate when some of the domains and IPs were run through scanners
- It has yet to be seen if this newcomer can compete with the industry-dominating Blackhole Exploit Kit
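An added defender-side check, not code from the show or from the researchers it cites: because the module hides from SSH-connected admin IPs, from bots and from non-Windows browsers, fetch the page from an outside host with a Windows browser user agent and no cookies, then flag off-site iframes that are tiny or hidden. The sample HTML and the site hostname www.example.com are constructed.

```python
"""Flag injected iframes in a page fetched from an external vantage point."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Headers for the external fetch: a Windows browser UA (the module skips
# OS X/Linux/BSD/mobile and crawler UAs) and no cookies (it marks victims).
PROBE_HEADERS = {
    "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0",
}

# Constructed sample: one legitimate embed and one hidden 1x1 off-site iframe.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.com/embed/video" width="640" height="360"></iframe>
<iframe src="http://evil.example.net/in.php" width="1" height="1"
        style="visibility:hidden"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def suspicious_iframes(html, site_host):
    """Return the src of each iframe that is off-site AND (tiny or hidden)."""
    parser = IframeCollector()
    parser.feed(html)
    flagged = []
    for f in parser.iframes:
        src = f.get("src", "")
        host = urlparse(src).hostname or site_host  # relative src = same site
        offsite = host != site_host and not host.endswith("." + site_host)
        tiny = f.get("width", "").strip() in ("0", "1") or f.get("height", "").strip() in ("0", "1")
        style = f.get("style", "").lower().replace(" ", "")
        hidden = "hidden" in style or "display:none" in style
        if offsite and (tiny or hidden):
            flagged.append(src)
    return flagged


if __name__ == "__main__":
    print(suspicious_iframes(SAMPLE_HTML, "www.example.com"))
```

Compare the result with the same page fetched from the server's own shell; a difference between the two copies is the signature of this module, not of a problem on the visitor's side.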
- WordPress and many other blogging platforms use a feature called ‘pingback’ to alert other blogs when they are being mentioned
- In WordPress this causes the blog being mentioned to add a link to the new blog post as a comment, making the connection bidirectional
- The way this works is that, upon receiving a pingback request, the WordPress site contacts the URL included in the pingback and attempts to find links to itself; if found, it adds the requested comment
- The issue here is that the pingback request may not actually originate from the site mentioned in the pingback
- In a WordPress bug opened in 2007, the reporter describes a scenario where many WordPress sites could be asked to pull large files from a victim site, causing a bandwidth amplification attack on both the requesters and the responder. Additionally, an extremely large number of WordPress sites could be used for a regular distributed denial of service attack against a target site
- The severity of this flaw was considered low and, while some patches to prevent large files from being returned were written for older versions of WordPress, the feared attacks never surfaced and nothing was ever done about it
- However, new research by Bogdan Calin (the researcher that developed the ‘hijack your router via an email message to your iOS device’ attack) has found a more novel use for this flaw
- In addition to causing WordPress to execute his existing attacks against routers on the local networks of the WordPress sites he is attacking, he has also managed to map the various error messages WordPress returns and use them to explore and map the local network
- WordPress returns different error messages based on whether the host of the requested pingback URL resolves or not, and whether the port connected to is open or not (connection refused, timeout, or connected)
- This allows anyone with access to xmlrpc.php (which is typically publicly exposed) to determine whether specific hostnames (especially unqualified ones) such as svn, subversion, dev, fileserver, exchange, bugzilla, etc. exist or not, as well as to do port scans (request a pingback to https://192.168.0.100:22/ and see which error message you get)
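An added example of the server-side validation a pingback handler would want (not WordPress code): refuse targets that are unqualified names, non-web ports, or hosts that resolve into private, loopback or link-local ranges, so xmlrpc.php cannot be used as a proxy into the LAN. The resolver is injected so the check runs offline; the FAKE_DNS table and its hostnames are constructed.

```python
"""Validate a pingback target URL before the server fetches it."""
import ipaddress
from urllib.parse import urlparse

# Explicit list of ranges a blog should never be asked to contact on a
# visitor's behalf (RFC 1918, loopback, link-local, multicast, IPv6 ULA).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

# Constructed stand-in for DNS: a public-looking name that points inside.
FAKE_DNS = {
    "blog.example.org": ["203.0.113.10"],
    "intranet.example.org": ["10.0.0.5"],
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


def is_internal(ip):
    """True if the address falls in any internal range (IPv4-mapped v6 included)."""
    a = ipaddress.ip_address(ip)
    if a.version == 6 and a.ipv4_mapped is not None:
        a = a.ipv4_mapped
    return any(a in n for n in INTERNAL_NETS)


def safe_pingback_target(url, resolve):
    """Return (ok, reason). `resolve(host)` must return a list of IP strings."""
    p = urlparse(url)
    if p.scheme not in ("http", "https"):
        return False, "scheme not http(s)"
    host = p.hostname
    if not host:
        return False, "no host"
    if "." not in host:
        return False, "unqualified hostname"    # svn, exchange, fileserver ...
    try:
        port = p.port
    except ValueError:
        return False, "invalid port"
    if port not in (None, 80, 443):
        return False, "non-web port"             # blocks :22-style probing
    try:
        ipaddress.ip_address(host)
        ips = [host]                             # literal address, no DNS
    except ValueError:
        ips = resolve(host)
    if not ips:
        return False, "does not resolve"
    for ip in ips:
        if is_internal(ip):
            return False, f"resolves to internal address {ip}"
    return True, "ok"
```

Resolving once at validation time and again at fetch time leaves a DNS rebinding window; the fetch should connect to the address that passed the check.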
- /dev/exynos-mem has world read/write permissions and seems to be very similar to /dev/mem
- The device seems to be used by the Camera and HDMI interfaces on the devices
- The exploit allows for dumping all device ram, kernel code injection, and possibly malicious app installation
- Additional Coverage
- A new app called ExynosAbuse APK chmod’s the device at boot to prevent world read/write access, however this may disable your camera and HDMI interfaces
- Samsung Exynos kernel exploit offers easy root and malware possibilities | Android Community
- Vulnerable devices include:
- Samsung Galaxy S II, S III and S III LTE
- Samsung Galaxy Camera
- Samsung Galaxy Note, Note II, and Note II LTE
- Samsung Galaxy Note 10.1
- Samsung Galaxy Tab 7.0 Plus
- Samsung Galaxy Tab 7.7
- Hardkernel ODROID-A and Hardkernel ODROID-X
- Lenovo K860
- Meizu MX 2-Core, Meizu MX 4-Core and Meizu MX2
- Newman N2
- ORIGEN 4 Dual and ORIGEN 4 Quad
- Hardware Monitoring under FreeBSD?
- Best FS for RAID?
- 3 Points of Note
- A better way to manage configuration for openvpn
- Domain Spotting
- It’s the 90s again: Excel macro viruses make a comeback disguised as Sudoku puzzles
- Java 7u10 (JDK 1.7.0_10-b18) includes new Java control panel option to disable running plugins in your browser
- Researchers find hash collision Denial of Service attack against Btrfs
- Wikipedia moving from MySQL to MariaDB
- Cox Comm. Injects Code Into Web Traffic To Announce Email Outage
- More attacks on SCADA systems, including the HVAC in your office building
- ISP Data caps generate record revenues while doing little to combat congestion
- SSD prices continue to drop while HDD prices remain inflated
- Online game HON (Heroes of Newerth) has its password database leaked, live streaming players targeted. Some Twitter accounts compromised (DON’T REUSE PASSWORDS!)
- Design flaw in Adobe Shockwave could allow attackers to purposefully cause Shockwave to install/use an older vulnerable version to view their content, allowing them to exploit already patched flaws
- Oracle posts policies for their cloud offerings, many concerning aspects for potential enterprise customers
- Large donations from Mark Cuban and Markus ‘Notch’ Persson create ‘Mark Cuban Chair to Eliminate Stupid Patents’ at the EFF
Updated version of rogue Apache module injects iframes, but hides from administrators
Researcher exploits old design flaw in WordPress to turn it into an Island Hopping Machine
Some Samsung devices include full read/write access to all memory, allowing easy rooting and exploitation of the devices
Feedback:
HALL OF SHAME: