Archive for February, 2010

Feb 22 2010

Patch Production & Responsible Disclosure – Follow On to WSJ Post

Published by mparcell under Strategy, Vulnerabilities

A recent article published on the Wall Street Journal online declares a “Broad New Hacking Attack” involving the ‘new’ malware threat, Zeus or zbot. This threat is far from new, however: neither the malware nor the phenomenon is. In April of 2008, RSA issued an advisory about the threat. It is simply another dashboard exploiting a different set of vulnerabilities.

The reality of the situation is that the current security controls in place for many companies are not going to adequately protect against this kind of threat. At a macro level, until industry standards demand rapid patch releases from vendors and corporate policies enforce more timely updates for their users, these botnet armies will continue to grow virtually unchecked. 

Even with corporate patch management programs that enforce strong update policies, it is fundamentally a losing battle to try and stay ahead of the people crafting this malware by patching once a month. Whether it’s Microsoft’s ‘patch Tuesday’ or Firefox’s semi-monthly security updates, the window of time in between patches leaves attackers too much room to craft new exploits and update the malware with them. Companies are limited by the patches released by vendors, and the vendors in turn are limited by the vulnerabilities they are aware of.

In order to further facilitate the production of these patches, stronger incentives should exist for responsible vulnerability disclosure. Rather than simply relying on community reports or vulnerability leaks, vulnerability disclosure should be rewarded monetarily. If Microsoft is willing to offer a quarter-of-a-million-dollar reward for the arrest of the people that made Conficker, isn’t it reasonable to offer rewards for the responsible disclosure of these vulnerabilities before they reach the massively exploited botnet-army stage? These patches are only useful, however, if corporate policies enforce regular updates. It’s the circle of life.

There are, obviously, steps that can be taken to mitigate the risk presented by these threats but those are covered in Jim’s post.

Matthew Parcell

Senior Security Consultant – Accuvant LABS


Feb 19 2010

Mitigate Risk, Prevent Attacks – Response to WSJ Article from 2/18

Published by jbroome under Strategy

Yesterday, the Wall Street Journal published an article by Siobhan Gorman about hackers in Europe and China who successfully broke into computers at 2,500 companies and agencies over the last 18 months. The hackers used various techniques to infiltrate the corporate networks, including malware, phishing, email attachments, false virus patches and botnets.

A client of ours asked us: “what do you propose we do as an organization?” The answer to this question really depends on what point of the infestation/attack they are at.

Not Infested/Attacked Yet – Answer:

Training, Training, Training! The best non-technical way to prevent getting infected is user awareness training and testing/retesting. The majority of the attacks faced by Twitter and Google, and this round of attacks as well, directly target the employees and users of your network. If you haven’t taught your users the basics of what to avoid, you can pretty much assume you are going to get infected by the next big infestation/attack that comes around. Providing ongoing user awareness training and seminars that include real world examples and scenarios is the best way to educate your users on their responsibilities in helping you keep your environment as secure as possible.

Additionally, if you’re one of the organizations with dynamic content filtering, proxies, IPS, DLP, HIDS, and an enterprise patch management solution, some luck may be on your side. A lot of the malware can be delivered by email, through web applications and, most popularly, through PDF, so more than one area of your strategy may need attention if you don’t have the above.

Darn It, We Got It! – Now What? Answer:

So, you’ve gotten infected and need some help cleaning up or figuring out what’s going on. Here’s where Accuvant can help and the types of services we offer:

1 – Emergency Response Level Services:

Time is of the essence. Emergency response services can assist customers with responding to, containing and isolating infected systems to start fixing the issue. These services are designed to get in there fast and start helping the client monitor for points of infestation and possibly stop spreading attacks.

2 – Malware Analysis:

The LABS team has performed these for clients that want detailed analysis of a unique infestation or of deliberate events. In these cases, we take a forensic image of the system and review the binary to try and determine its origin and function. We have performed these services for financial companies, and for those that need to know if they are being targeted by industrial espionage or organized crime.

3 – Solutions Optimization:

After an event, several clients have asked us to come in and evaluate their current solutions to determine if they have configuration issues or coverage gaps in current technologies. Essentially, we do a security gap analysis to see what solutions/technologies they are missing, as well as how we can optimize their existing installed solutions. Once the gaps are identified, we can start helping the client find solutions to fill the voids.

After The Dust Settles:

By now, we should have things at least contained and most of the issues resolved. At this point, Accuvant highly recommends going back to step one, user security awareness training: updating your existing program to include these latest examples and refreshing your users on their responsibilities in helping you keep your environment secure.

Unfortunately, the events that were discussed in the WSJ are ongoing. There is no silver bullet to stop stuff like this from happening, so the best solution is mitigation, prevention and awareness training. Companies need to understand their risk landscape and take steps to appropriately address those risks before they get compromised.

Jim Broome
Director – Accuvant LABS


Feb 10 2010

Simplifying Hacks with the Oracle Data Pump Package

Published by srichards under Database

The latest Oracle vulnerability announcement, made at the Black Hat DC 2010 conference by security researcher David Litchfield of NGS Software, could prove troublesome for Oracle 11g users.

The potential impact of this set of vulnerabilities could be devastating to an enterprise that keeps sensitive data in databases and allows low-privileged users access through a local or networked database session. To effectively exploit the vulnerabilities, attackers will require some degree of SQL knowledge, but this knowledge should be relatively trivial to gain considering the Black Hat presentation is now publicly available.

The crux of the issues stems from the fact that Oracle seems to be in the business of enabling hackers instead of enabling business. Oracle provides the locked and loaded gun to would-be attackers in the form of the Oracle Data Pump maintenance tool and the Java virtual machine environment called Aurora.

To help their users with upgrades, Oracle provides a suite of tools called the Oracle Data Pump, which is installed by default. Contained within this tool is a package called DBMS_JVM_EXP_PERMS, which enables administrators to export Java permissions and to import them using a procedure in that package called IMPORT_JVM_PERMS. IMPORT_JVM_PERMS takes a list of permissions supplied by the caller and updates the Java policy table, where the security permissions for certain Java actions are stored.

In order for Java code to read, write or execute files on the underlying server operating system, this Java policy table must contain a corresponding entry.

Experienced security practitioners can already see the writing forming on the wall.

Oracle, as it should, does not give local users privileges to read, write or execute files on the OS. However (there is always a “however” in security), Oracle does by default allow users holding the ‘public’ role to execute the DBMS_JVM_EXP_PERMS package.

What does this mean? This tool, provided by Oracle and installed by default with execute privileges for local users, gives potentially malicious users the ability to call the IMPORT_JVM_PERMS procedure with permissions of their own choosing and thereby update the Java policy table.

Mr. Litchfield went on to demonstrate how, by exploiting another Oracle-provided Java class contained within Aurora, an attacker could eventually own the underlying OS, to the extent of creating his own user and granting it Administrator status on the server, using the Oracle tool DBMS_JAVA.SET_OUTPUT_TO_JAVA.

DBMS_JAVA.SET_OUTPUT_TO_JAVA redirects Java output to another Java session. Per its specification, SET_OUTPUT_TO_JAVA is allowed to execute SQL when it receives that output. But Oracle, by default, has DBMS_JAVA.SET_OUTPUT_TO_JAVA execute with SYS user privileges, because the SYS user owns this package.

From this point it is just a matter of crafting a SQL query that gives the package something to execute when the output is directed to another Java session. The attacker then creates a query that causes Java output, which in turn executes the SQL that escalates the user to any role they wish, such as the ‘dba’ role.

It is recommended that all enterprises using Oracle 11g immediately remove the Data Pump packages mentioned, or change the permissions on those packages.
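As an added example (not from the original post or from Oracle), the following SQL shows how a DBA could verify the default grant the post describes, apply the recommended permission change, and leave an audit trail for future calls. It assumes a SYSDBA session on Oracle 11g with standard auditing enabled; DBA_TAB_PRIVS and DBA_JAVA_POLICY are the standard data-dictionary views for object privileges and the Java policy table, and the package names are those named in the post.

```sql
-- Added example, not part of the original post. Assumes a SYSDBA session
-- on Oracle 11g. Package names come from the post; the dictionary views
-- used here are standard Oracle views.

-- 1. Who holds EXECUTE on the packages discussed in the post?
--    The post states that PUBLIC holds EXECUTE on DBMS_JVM_EXP_PERMS by
--    default, so PUBLIC appearing as a grantee here is the finding.
SELECT grantee, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name IN ('DBMS_JVM_EXP_PERMS', 'DBMS_JAVA')
   AND privilege = 'EXECUTE'
 ORDER BY table_name, grantee;

-- 2. Inspect the Java policy table for file-system permissions granted to
--    any schema other than SYS. An unexpected java.io.FilePermission grant
--    to a low-privileged schema is the condition the post warns about
--    (a policy entry is required before Java can touch the OS file system).
SELECT grantee, type_name, name, action, enabled
  FROM dba_java_policy
 WHERE type_name LIKE '%FilePermission%'
   AND grantee <> 'SYS'
 ORDER BY grantee, name;

-- 3. Mitigation recommended in the post: take the default grant away from
--    PUBLIC. Grant EXECUTE back to the specific DBA accounts that perform
--    Data Pump permission exports, if any, rather than to everyone.
REVOKE EXECUTE ON sys.dbms_jvm_exp_perms FROM PUBLIC;

-- 4. Record every future execution of the package by any account, so that
--    calls can be reviewed. Requires the AUDIT_TRAIL parameter to be set.
AUDIT EXECUTE ON sys.dbms_jvm_exp_perms BY ACCESS;

-- 5. Re-run step 1 to confirm PUBLIC no longer appears for
--    DBMS_JVM_EXP_PERMS.
```

DBMS_JAVA is included in the audit query in step 1 but not revoked, because legitimate Java stored procedures commonly depend on it; revoking it from PUBLIC is a change to test in a non-production database first. Step 4 writes to the database's own audit trail, which, as the post notes, cannot be trusted once an attacker holds the ‘dba’ role, so it complements rather than replaces out-of-band monitoring.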

Additionally, this continues to underscore that an enterprise should consider an out-of-band database monitoring solution: once an attacker gains access to a database with the ‘dba’ role, you can no longer trust any logs output or stored by the database server. Proper oversight requires an out-of-band solution with complete visibility into all database user network sessions.

– Steve Richards, Accuvant
