
A researcher stumbles into the middle of a botnet war, and documents what he finds. Plus a Facebook mistake took down countless sites around the web.
Then it’s a huge batch of your questions, our answers, and much, much more!
Thanks to:
Use our code tech295 to get a .COM for $2.95.
Something else in mind? Use go28off2 to save 28% on your entire order!
Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap11: $1.99 hosting for the first 3 months
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
techsnapx: 20% off .xxx domains
Show Notes:
- CVE-2013-0633 – A buffer overflow allowing remote code execution – reported by Kaspersky Labs – CVSS 9.3
- CVE-2013-0634 – Remote code execution and memory corruption – reported by the Shadowserver Foundation and the Lockheed Martin Computer Incident Response Team – CVSS 9.3
- Both vulnerabilities were being exploited in the wild during February 2013
- Both CVE numbers were allocated December 18th, 2012. “The entry creation date may reflect when the CVE-ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE”
- Both vulnerabilities were used in malicious SWF code embedded in Microsoft Word documents that users were tricked into opening
- CVE-2013-0634 was also used in direct attacks via SWFs hosted on websites
- Reaction to seeing Lockheed Martin in a vulnerability announcement
- While analyzing the commands received by bots that were part of a botnet (the ShadowServer Foundation runs a large honeypot where it monitors the activities of the bots), the researchers noticed a disturbing pattern
- The bot commands included JavaScript code to inject an iframe, causing the browser to load a malicious site that attempted Java and ActiveX exploits against the visitor
- Once the exploit is successful, it drops a password stealer, which attempts to steal saved credentials from apps such as CuteFTP, FlashFXP, FileZilla, SmartFTP, TurboFTP, Firefox and more
- It then encrypts that information and sends it to a different C&C server
- Researchers at the ShadowServer Foundation originally thought it was a clever attack against researchers, attempting to exploit their scanning and reporting interfaces, which are usually custom built and lack some input sanitization
- It also appeared that the malware that was dropped by the exploit had already been submitted to malware analysis sites such as VirusTotal and Malwr.com
- Searching further, he found that an earlier version of the malware, with a much better detection ratio (the number of virus scanners that detect the malware), had been uploaded by the same person a few days earlier
- This led to speculation that the author may have been uploading various revisions of his malware and working to make it less detectable
- An update posted later suggests that it was one botmaster attempting to exploit another botmaster and take over his botnet
- It still illustrates an interesting concept: the botmaster being observed reverses the roles and begins observing the activities of the watcher
- An error or mistake in the code for Facebook Connect caused users visiting any site that used Facebook Connect to be redirected to a Facebook error page containing nothing but the generic message “An error occurred. Please try again later.”
- The issue only seemed to affect those who were logged in to Facebook
- Logging out of Facebook appears to have prevented the redirect
- The outage caused huge dips in traffic to major sites including:
- ABC, BuzzFeed, Capital.fm, CNN, DailyMail, ESPN, Etsy, Fox News, Gawker, Geico, HBO, Hollywood.com, The Huffington Post, Hulu, InfoWorld, MSNBC.com, NBC News, News.com.au, NFL, OKCupid, People, Pinterest, Reddit, Slate, Smallworlds, SwagBucks, The Sydney-Melbourne Herald, TED, The Los Angeles Times, The New Zealand Herald, The Washington Post, Vulture, Weather.com, WikiAnswers, WordPress, XOJane, Yahoo, and YugaTech
- Additional Coverage
- It just goes to show the risk involved in relying on third-party services for basic mechanisms like authentication, and the risk of embedding third-party code that can change without notice
- libcURL is a library for fetching HTTP URLs and speaking many other network protocols
- It is very commonly found on web servers and in PHP scripts, where it is used to access remote sites via protocols such as HTTP(S), FTP(S), SSH, SCP/SFTP, POP3/SMTP, IMAP, RTSP and RTMP
- The problem stems from the way cURL handles certain headers in the POP3 protocol while negotiating SASL DIGEST-MD5 authentication
- cURL reads the response into a fixed-length buffer, assuming the response will be no longer than 128 bytes; a malicious server can return a longer response, overwriting memory outside the buffer and possibly leading to remote code execution
- The most common vector for the attack is that by default cURL follows HTTP redirects, so when cURL loads a URL (possibly supplied by the user/attacker), it can receive an HTTP redirect to pop3://username:password@evil.pop3-server.com/ and is then exploited by that server
- If you don’t expect ever to receive a redirect, you can tell cURL or libcURL not to follow redirects, or you can restrict redirects to a list of allowed protocols via CURLOPT_REDIR_PROTOCOLS
- An updated version of cURL/libcURL has been released to resolve this vulnerability
- Vulnerability Announcement
- Affected versions: < 7.26.0 and >= 7.29.0
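As an added example (not code from the show notes or the curl project), a PHP fetch helper that applies the mitigation above: CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS restrict both the initial request and any redirect target to HTTP(S), so a Location header pointing at pop3:// is refused instead of followed. The FETCH_URL value and the function name are assumptions.

```php
<?php
// Added example, not from the show notes or the curl project.
// Fetch a URL while refusing any redirect that leaves HTTP(S): the
// mitigation for the POP3 DIGEST-MD5 overflow described above.
// FETCH_URL is an assumed value; substitute the URL your script needs.
const FETCH_URL = 'https://example.com/';

function fetch_http_only(string $url): ?string
{
    $ch = curl_init($url);
    if ($ch === false) {
        return null;
    }
    curl_setopt_array($ch, [
        // Protocols allowed for the initial request ...
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        // ... and for redirect targets. Without this, the affected
        // libcurl versions followed a Location: pop3://... redirect and
        // spoke POP3 to whatever server the attacker named.
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => true,  // use false if redirects are never expected
        CURLOPT_MAXREDIRS       => 3,
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => 15,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        // A redirect to a forbidden scheme is reported as an unsupported-protocol
        // error (CURLE_UNSUPPORTED_PROTOCOL); log it, since it signals that the
        // remote site is hostile or has been compromised.
        error_log(sprintf('fetch of %s failed (%d): %s',
            $url, curl_errno($ch), curl_error($ch)));
        curl_close($ch);
        return null;
    }
    curl_close($ch);
    return $body;
}

$body = fetch_http_only(FETCH_URL);
echo $body === null ? "fetch refused or failed\n" : strlen($body) . " bytes fetched\n";
```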
- How Red Hat hires people
- Red Hat is looking to hire almost 1000 more software engineers, technical support engineers, and salespeople this year
- SSL @ home
- OpenSSL comes with a Perl script for managing your own CA
- NoPriv.py – Easy IMAP email backup to HTML archive – Raymii.org
TechSNAP 100 Limited Edition Shirt:
Limited time left on our limited run TechSNAP 100 T-shirt!