The story behind the Microsoft Nitol Botnet takedown

Earlier today Microsoft announced the takedown of the Nitol botnet and takeover of the 3322.org domain. However, if you are using the Damballa flow-based Detection Control, this was a non-event. Full disclosure – Cymbel partners with Damballa.

Gunter Ollman, Damballa’s CTO, today commented on Nitol and 3322.org, and the ramifications of the Microsoft takedown, which I will summarize.

First, Damballa has been tracking Nitol and the other 70 or so botnets leveraging 3322.org for quite some time. Therefore, as a Damballa user, any device on your network infected with Nitol, or the other 70 botnets leveraging 3322.org, would be identified by Damballa. Furthermore, if you were using Damballa’s blocking capabilities, those devices would be prevented from communicating with their malware’s Command & Control (C&C) servers.

Second, most of these 70+ botnets make use of “multiple C&C domain names distributed over multiple DNS providers. Botnet operators are only too aware of domain takedown orders from law enforcement, so they add a few layers of resilience to their C&C infrastructure to protect against that kind of disruption.” Therefore this takedown did not kill these botnets.

In closing, while botnet and DNS provider takedowns are interesting, they simply do not reduce an organization’s risk of data breaches. Damballa does!!

 

 

Jeremiah Grossman: Internet Explorer 9 ad blocking via “Tracing Protection” — no means yes.

Jeremiah Grossman: Internet Explorer 9 ad blocking via “Tracing Protection” — no means yes..

Last week, the FTC issued a report recommending Congress implement Do-Not-Track legislation to help protect consumer privacy. This week, Microsoft detailed Do-Not-Track” options in the upcoming Internet Explorer 9. Coincidence? Doubtful.

No way Microsoft slammed out the code from scratch in a few short days because the FTC made some recommendation. The IE team clearly saw ad blocking as a good idea despite what they told us before and had ad blocking, errr I mean Tracking Protection, ready to go. Only they might not have had the juice to include it because of the aforementioned road blocks.

Will Mozilla make AdBlock Plus a standard feature of Firefox? AdBlock Plus is the top download in the Privacy & Security category with overd over 100 million downloads. It has over 8 million daily active users and a 5 star rating with over 2,000 reviews.

Will Mozilla try to match or exceed Microsoft? How will Google react?

Are we going to see a major shift in Internet advertising so it’s more akin to email marketing?

I think we’re witnessing the beginning of a whole new chapter in the ongoing browser war. Now we must ask, when and if Mozilla is going to add the functionality of their #1 extension natively into their browser? How can they now not do so? Can Firefox’s market-share position afford Internet Explorer to be more advanced in privacy protection features? We’ll have to wait and see what they say or do. I’m hopeful they’ll come around as Microsoft did. Even more interesting will be how Google reacts. AdBlock is their most popular add-on as well. The bottom line is these are very good signs for everyone on the Web.

Researchers Bypass Internet Explorer Protected Mode | threatpost

Researchers Bypass Internet Explorer Protected Mode | threatpost.

A new paper from researchers at Verizon Business identifies a method through which an attacker can bypass Internet Explorer Protected Mode and gain elevated privileges once he’s successfully exploited a bug on the system. Protected Mode in Internet Explorer is one of a handful of key security mechanisms that Microsoft has added to Windows in the last few years. It is often described as a sandbox, in that it is designed to prevent exploitation of a vulnerability in the browser from leading to more persistent compromise of the underlying system. Protected Mode was introduced in Windows Vista and Internet Explorer 7, and other software vendors have followed Microsoft’s lead, introducing sandboxes in applications such as Adobe Reader X and Google Chrome.

The key points and recommended actions are well summarized in Verizon’s own blog post, Evaluating Protected Mode in Internet Explorer:

Since it is not an official security boundary, Microsoft does not guarantee that it will issue patches for bypasses within the monthly patch-cycle.

It can be recommended that domain administrators consider following the steps below to improve the security of Protected Mode Internet Explorer in the enterprise:

  • Ensure that User Access Control (UAC) is enabled, as disabling it will also disable Protected Mode.
  • Ensure that workstation users cannot run as administrators.
  • Enable Protected Mode for all zones where possible.
  • Disable the Local Intranet Zone, or limit the members of the zone as far as possible.
  • Ensure that third-party software vendors create software which does not incorrectly configure Internet Explorer’s elevation policy and introduce privilege escalation bugs that allow malicious code to escape from Protected Mode.

The Scourge of IE6 Continues, for Some Surprising Reasons

The Scourge of IE6 Continues, for Some Surprising Reasons.

Why is Microsoft Internet Explorer 6 still the third most popular browser? The biggest reason organizations do not upgrade, according to this article, is that they are running third party applications that do not work properly with IE8. In fact, Gartner estimates that 40% of in-house applications do not work properly with IE8.

Another reason, since most social media sites do not work well with IE6, companies stay with IE6 as a form of URL filtering!! Of course, the security risks associated with this strategy far outweigh the benefits.

Microsoft responds to Firesheep cookie-jacking tool – The H Security: News and Features

Microsoft responds to Firesheep cookie-jacking tool – The H Security: News and Features.

It’s hard to believe that Firesheep is only two weeks old. In response to Firesheep,  Microsoft said it will convert its Hotmail / Windows Live email service to SSL. Google did this for Gmail some time ago, well before Firesheep.

Facebook says it will also address the issue in the coming months.

So there is no doubt that more and more web traffic will be SSL encrypted and hidden from corporate control. I wrote about this last week, Easy fix for Firesheep creates a problem for enterprises.

Microsoft: ‘Unprecedented Wave of Java Exploitation’ — Krebs on Security

Microsoft: ‘Unprecedented Wave of Java Exploitation’ — Krebs on Security.

Microsoft is confirming a huge increase in attacks against Java vulnerabilities. Why is this important? Java is installed on the majority of the world’s desktop computers.  In fact, the attack volume on Java dwarfs that of Adobe, which is saying something. Java may not be quite as ubiquitous as Adobe, but it’s close. For example, Java is required for Webex and GoToMeeting, the two most popular web meeting applications. To get an idea of the Java to Adobe proportion, see the graph below, courtesy of Microsoft via Krebs on Security.

According to Microsoft, the spike in the third quarter of 2010 is primarily driven by attacks on three Java vulnerabilities that have already been patched for some time now. Even so, attacks against these flaws have “gone from hundreds of thousands per quarter to millions.

Krebs claims the reason for this spike is the inclusion of Java exploits in the commercial crimeware kits sold in the hacker underground.

Java surely falls into that set of PC applications which must be kept up-to-date.

How risky is the ‘Padding Oracle’ Crypto Attack?

ThreatPost reported that a pair of security researchers announced have implemented an attack that exploits the way that ASP.NET Web applications handle encrypted session cookies. ‘Padding Oracle’ Crypto Attack Affects Millions of ASP.NET Apps | threatpost.

Microsoft admitted the vulnerability in Microsoft Security Advisory 2416728.

The question is, how likely is this vulnerability going to be exploited in the millions of ASP.NET web sites? According to a post on Slashdot.org:

…this attack requires fairly verbose error messages be sent back to the user of a web application. While I’m sure there do exist some ASP sites where this is the case, I don’t think it has been in any of the non-intranet sites I’ve seen in my career.

It just is not standard in any exposed web site, especially the kind of web site where you would care about customer information getting out, to allow useful error messages reach the end user. It is by far the standard to catch the exceptions, log them on the server, and show the end user a generic error message which would not be helpful in the case of this exploit.

So it appears that the risk of exploitation of this vulnerability depends on the coding practices of the web site developers. Good coding practices, not so risky.

Microsoft addresses one of the Stuxnet related zero-day vulnerabilities

Today’s round of Microsoft patches addresses a variety of issues including one of the Stuxnet-related zero-day vulnerabilities. Stuxnet actually leverages four different zero-day vulnerabilities! For more details go here, here and here. Computerworld has a more detailed article about Stuxnet: Siemans: Stuxnet worm hit industrial systems.

Windows DLL exploits boom – how to thwart them

On August 23, 2010 Microsoft issued Security Advisory 2269637, warning about a new method of attack based on the standard way Windows finds a DLL called by a program when the program does not specifically define the location. InfoWorld’s Woody Leonhard, among others had an article about this on August 24 – Heads Up: A whole new class of zero-day Windows vulnerabilities looms.

In a matter of days, hackers were publishing attacks against many Windows apps including FireFox, Chrome, Word, and Photoshop. See Windows DLL exploits boom (August 26).

This is just one example of the speed with which zero-day attacks can proliferate. This is a particularly bad situation because just one Windows vulnerability is being used to create a large number of zero-day attacks across a wide range of applications. We recommend organizations deploy FireEye to counter these zero-day attacks.

From an end user perspective, on August 27, Woody Leonhard published a helpful article, How to thwart the new DLL attacks. To summarize, Woody has two excellent recommendations for users:

First, never double-click on a file that’s in a potentially compromised location. Drag it to your desktop, then open it.

Second, make Windows show you filename extensions and hidden files.

Enhanced by Zemanta