Red October Hunts You | TechSNAP 93
Posted on: January 17, 2013

If you thought Stuxnet was a big deal, wait till you meet Red October. The incredible story of some of the most sophisticated malware yet surfaces, and we’ve got the details.
Plus: A Nasty 0-Day exploit for Linksys routers, a HUGE batch of your questions, and much much more – On this week’s episode of TechSNAP!
Show Notes:
- Researchers at DefenseCode have discovered a remote root access exploit for default installations on Linksys routers
- When the researchers contacted Cisco and shared the vulnerability as well as Proof of Concept code, Cisco originally claimed that the vulnerability had already been fixed in the latest firmware release; however, this turned out to be incorrect
- The current Linksys firmware (4.30.14) and all previous versions are vulnerable to this remote root exploit
- DefenseCode published a YouTube video showing them using the exploit against a Linksys WRT54GL router and getting a BusyBox shell
- It is not clear whether other models of Linksys routers are also vulnerable
- Sales figures say Linksys has shipped over 70 million routers
- Cisco expects to have a firmware update available before the full research is published in less than two weeks
- Researchers at Immunity Products looked at the Java 7u11 patch and found that it only fixed one of two vulnerabilities
- They say that this means that the next 0-day exploit could cause all the same problems over again
- Security Explorations, the firm with a reputation for discovering Java vulnerabilities reports that Oracle has still not addressed issues they reported in April and September of 2012
- The September vulnerability, like the one fixed in Java 7u11, allows an attacker to bypass the Java security sandbox and remotely execute code
- Metasploit’s HD Moore says Java could take years to fix
- The next scheduled Java security release is Feb. 19
- In October 2012 Kaspersky Labs was contacted by a partner (who wishes to remain anonymous, likely a government or defense contractor) and was asked to investigate some malware samples
- This week, they started publishing the results of the attack they found, called Rocra (short for ‘Red October’)
- Researchers did not find any evidence of links between Rocra and other major malware platforms such as Stuxnet, Duqu, Flame, Tilded and Gauss
- The exploits appear to have been created by Chinese hackers
- Some of the Rocra malware modules appear to have been created by Russian-speaking operatives
- In addition to exploits for MS Excel and MS Word, the Red October attacks also used exploits for Java 6 and 7 as part of the attack
- The malware would check for an internet connection by attempting to connect to legitimate Microsoft addresses (Windows Update, support.microsoft.com), likely to avoid detection of unusual network traffic. If a connection was not found, some information would still be collected and stored locally, possibly to be copied via file sharing to a machine that did have internet access
- The attack was used to gain access to secured systems and lift files, especially files with these extensions:
- txt, csv, eml, doc, vsd, sxw, odt, docx, rtf, pdf, mdb, xls, wab, rst, xps, iau, cif, key, crt, cer, hse, pgp, gpg, xia, xiu, xis, xio, xig, acidcsa, acidsca, aciddsk, acidpvr, acidppr, acidssa
- Of particular interest are the files with the acid extensions, likely created by “Acid Cryptofiler”, which is known to be used by NATO and others in the European Union
- The attack was also an ‘advanced persistent threat’, doing things such as:
- Extract saved passwords for Web sites, FTP servers, mail and IM accounts from various applications
- Send Windows account password hashes to the C&C server for offline cracking
- Copy configurations from exposed network devices (Switches and routers with default passwords)
- Enumerate visible windows shares and report to the C&C server (probably for future document exfiltration)
- Scan connected USB drives for interesting files; the attack even included its own file system parser to copy deleted files
- Copy data from connected Nokia phones and Apple iPhones: address books, call history, calendar, SMS messages, and browsing history
- Infect Windows Mobile phones with a special mobile version of the Rocra virus
- Watch for specially crafted Microsoft Office or PDF documents and execute their malicious payload without user interaction, allowing the attackers to exploit future vulnerabilities to keep control over exploited machines even as old exploits were patched
- Standard keylogging and screenshots, sent back to C&C servers
- Execute additional encrypted payload modules according to a pre-defined schedule
- Copy all e-mail messages and attachments from Microsoft Outlook and from any mail servers found on the network that were accessible with the previously obtained credentials
- Targets Infographic
- Detailed Analysis:
- Red October – Introduction Blog Post
- Red October – Diplomatic Cyber Espionage Investigation
- Red October – Stage One – Exploits and Components
- Red October – Stage Two – Modules and Recon
- Red October – Stage Two – Passwords, Email and Physical
- Red October – Stage Two – Persistence and Spreading
- Red October – Stage Two – Mobile and Exfiltration
- Digital Undergrounds podcast – Interview with Red October researchers
- Reminder: The deadline to submit proposals for talks at BSDCan 2013 is Friday January 18th
- What do you think is the best way to configure an array of let’s say 14 drives?
- ZFS De-Dupe Inside a VMDK?
- Is my ZIL Helping? And force FreeBSD to scan the SATA Bus?
- Rotate System Account Passwords?
- XP on my ATM? WTF!
- Picking the right switch for iSCSI
- Control Panel for Nginx on Kickstarter
- MoinMoin’s strange name
- I conceal my identity the same way Aaron was indicted for
- Microsoft ‘fix-it’ solution for IE 6–8 users bypassed. Full patch finally released
- Bitcoin exchange hacked via Ruby On Rails exploit, funds stolen
- HRSDC loses data on student loans from 2000 through 2006 when unencrypted external drive goes missing
- Internet 2012 in numbers
- ICS-CERT responds to Power plants where both common and sophisticated malware were found in Industrial Control Systems
- Security audit finds dev OUTSOURCED his JOB to China to goof off at work
- While SSDs got 35–45% cheaper across 2012, Q4 actually saw prices go up, as OCZ backed off its strategy of using lower prices to win market share, reducing price pressure on all manufacturers
- DHS tries to force medical device manufacturers to improve security after FDA fails to do so
- Intel to introduce silicon photonics (thin fibre optics) to motherboards, possibly to the rack level (100G InfiniBand)