Worst Server Practices | TechSNAP 154

25k UNIX systems spread infections to over half a million Windows boxes, and the method of attack, simply put, is brilliant. We’ll share the details!

Google DNS gets hijacked; we’ll explain how. Then a great big batch of your questions, a rocking round up, and much, much more!

On this week’s TechSNAP!

Thanks to: GoDaddy, Ting, iXsystems


— Show Notes: —

Allan’s Trip

Operation Windigo

  • The attack leverages previously compromised servers (how they were initially compromised is unknown), using them to scan for other hosts to compromise, serve malware, infect sites hosted on the compromised servers with malware, and send spam

  • Victims have included cPanel and Kernel.org (the official Linux kernel archive)

  • “The Ebury backdoor deployed by the Windigo cybercrime operation does not exploit a vulnerability in Linux or OpenSSH.”

  • During an analysis of stolen credentials, the researchers found:

    • 66% of the stolen passwords contained only alphanumeric characters

    • 41% of the stolen credentials were for the root user

  • Remote login as root should never be allowed. Disable root login over SSH, log in as a regular user, and then use su or sudo. If you use sudo you should read Sudo Mastery, and probably SSH Mastery too.

  • The researchers also found 23 victims running Windows 98, and 1 running Windows 95

  • “We found an official mirror of CentOS packages infected with Linux/Ebury. Fortunately, no package files were seemingly altered by the malicious operators. However, knowing that Linux RPM packages are cryptographically signed, such tampering is probably infeasible.”

  • However, amateur administrators have been conditioned to accept unknown GPG keys for CentOS repositories, which weakens the protection that package signing is supposed to provide.

  • When users visit an infected site, Windows users are served malware, Mac users are served ads for dating sites, and iPhone users are served ads for “strong pornography”, likely because each of these is the most profitable way to monetize that class of user

  • The operators maintain control of the infected servers by installing a backdoor in the OpenSSH instance. The backdoor provides them with a remote root shell even if local credentials are changed on the infected host

  • The attackers used a number of techniques to remain stealthy:

    • Use Unix pipes as much as possible when deploying their backdoor to avoid landing files on the filesystem

    • Leave no trace in log files when using the backdoor

    • Change original signatures in the package manager for the modified file

    • Avoid exfiltrating information when a network interface is in promiscuous mode

    • Use POSIX shared memory segments with random system user owners to store stolen credentials

    • Inject code at runtime into three OpenSSH binaries instead of modifying the original OpenSSH files on disk

    • Change OpenSSH daemon configuration in memory instead of on disk

    • Centralize their backdoor in a library instead of an executable (libkeyutils.so)

  • Researcher PDF


Google Public DNS (8.8.8.8) suffers brief BGP hijack redirecting it to Venezuela

  • At approximately 17:23 UTC on March 15th, a router on the British Telecom Latin America network (BT LATAM, AS 7908) in Venezuela began announcing 8.8.8.8/32

  • A /32 prefix is unusual: most BGP routers will not propagate such highly specific prefixes, only passing routes for blocks of /24 or larger. This kept the bad route from spreading as far as it otherwise might have; however, because routers always prefer the ‘most specific’ matching route, wherever the /32 was accepted it captured more of the traffic than a competing announcement of the normal block would have

  • This caused most traffic from Venezuela and Brazil, among other networks (including a university network in Florida), to be misdirected to a server in Venezuela

  • The false BGP (Border Gateway Protocol) announcement was retracted 23 minutes later

  • It is possible that this was an effort by the Venezuelan government to intercept traffic bound for the Google Public DNS service, and that it was accidentally leaked upstream, disrupting the internet outside of Venezuela

  • Similar cases have happened in Pakistan and other countries attempting to block YouTube and other services

  • The network that sent the request, Madory said, “leaked other internal routes earlier in the day. So I suppose someone was tinkering with the network over the weekend. We see routing goof-ups like this almost every day.”

  • Additional Coverage

  • There are BCPs and RFCs that cover ways to prevent this kind of hijacking, by only allowing ASes to announce prefixes they control; however, this carries a lot of administrative overhead, especially when an ISP announces routes on behalf of its customers

  • There is another system, RPKI, that allows a network to specify which AS numbers are allowed to announce an IP block, as well as the maximum prefix length, to prevent someone from announcing a more specific prefix (as in this case)

  • However, RPKI has not yet received wide adoption

  • Providers ignore routing and DNS security
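To make the two points above concrete, here is an added Python example (not from the show or the researchers it cites) that simulates longest-prefix route selection, the common /24 inbound filter, and RPKI origin validation with a maximum prefix length. The 8.8.8.8/32 announcement and AS 7908 are from the notes; AS 64500 (a documentation-reserved ASN) is an assumed stand-in for the legitimate origin, and the ROA is constructed.

```python
import ipaddress

# Constructed routing table. 8.8.8.8/32 from AS 7908 is the hijack described in
# the show notes; AS 64500 is an assumed stand-in for the legitimate origin.
ROUTES = [
    {"prefix": "8.8.8.0/24", "origin_as": 64500},   # legitimate announcement
    {"prefix": "8.8.8.8/32", "origin_as": 7908},    # the hijack
]

# Constructed Route Origin Authorization: only AS 64500 may originate
# 8.8.8.0/24, and nothing more specific than /24 is authorised.
ROAS = [
    {"prefix": "8.8.8.0/24", "origin_as": 64500, "max_length": 24},
]


def select_route(dest_ip, routes):
    """Longest-prefix match: the most specific covering route wins, which is
    why an accepted /32 steals traffic from the /24 that normally carries it."""
    ip = ipaddress.ip_address(dest_ip)
    best, best_len = None, -1
    for route in routes:
        net = ipaddress.ip_network(route["prefix"])
        if ip in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def filter_max_prefixlen(routes, max_len=24):
    """The usual inbound filter from the notes: drop anything longer than /24."""
    return [r for r in routes if ipaddress.ip_network(r["prefix"]).prefixlen <= max_len]


def rpki_validate(route, roas):
    """Route Origin Validation: 'valid' if a covering ROA names the route's
    origin AS and the prefix is no longer than max_length; 'invalid' if ROAs
    cover the prefix but none match; 'not-found' if no ROA covers it."""
    net = ipaddress.ip_network(route["prefix"])
    covering = [r for r in roas if net.subnet_of(ipaddress.ip_network(r["prefix"]))]
    if not covering:
        return "not-found"
    for roa in covering:
        if roa["origin_as"] == route["origin_as"] and net.prefixlen <= roa["max_length"]:
            return "valid"
    return "invalid"


if __name__ == "__main__":
    print("no filter  :", select_route("8.8.8.8", ROUTES))
    print("/24 filter :", select_route("8.8.8.8", filter_max_prefixlen(ROUTES)))
    for r in ROUTES:
        print("RPKI", r["prefix"], "AS", r["origin_as"], "->", rpki_validate(r, ROAS))
```

Note that the ROA's max_length makes even a /32 originated by the legitimate AS invalid, which is what stops a more-specific announcement from winning the longest-prefix match in the first place.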


Feedback:


Round Up: