Archive for December, 2008
Wednesday, December 31st, 2008
Yesterday’s presentation at the Chaos Communication Congress by a handful of researchers brought to light that the use of MD5 for secure computing (digital certificates, SSL, etc.) truly is gasping its last breath. A fine summary of the MD5 algorithm and its use by the Certificate Authorities is written up by Scott Merrill here. Unfortunately, Mr. Merrill makes the same lame excuse for the CAs that most of the software world has made for decades regarding change: “MD5 has been known for some time to be weak against collision attacks, but running a CA is a pretty complex operation, so the entities behind them are slow to change.” Pretty complex? When something is broken, profitable security enterprises have the resources to change it (the researchers themselves state that the “affected CAs are switching to SHA-1”). That excuse simply is not valid.
Is this security vulnerability something that we didn’t already know about? Heck, a free MD5 crack demo is posted here and a fantastic study with MD5 collision attack source is served here. The new work is a blow to the internet infrastructure that we depend on for secure communications. For CAs, trust is their business, and some have not been very good at deserving it. The group’s work matters because it brings this specific application of MD5 collisions to public light. It takes a determined and seriously talented group like this to implement optimized algorithms for this specific application and handle it properly. Let’s hope that their work “stimulates better Internet security with adequate protocols”.
Finally, Thomas Ptacek at Matasano made several excellent points about the work. The sky is not falling. Continue about your business on the internet with the same caution. “If you take everything in the paper at face value, a couple things mitigate this attack:
* The research team had access not only to a cluster of PS3s but to a specially optimized MD5 collision-finding implementation, which they had because Lenstra’s team has been playing with a PS3 cluster for awhile.
* The research team had access to a currently-unpublished optimization to (presumably the birthday-bits search part of) the collision-finding algorithm,
* The attack could be made impractical by randomizing the serial numbers for all future certs issued by RapidSSL (and, presumably, by banning MD5).”
Update: Chris Eng similarly laments that the problem never should have happened as a guest opinion posted on the 0day blog.
For those of you interested in the characters/researchers behind the work, Alexander Sotirov recently shared conceptual details and motivations behind it: “Most of the theory behind our attack was published in the ‘Target Collisions for MD5 and Colliding X.509 Certificates for Different Identities’ paper in 2007 by Marc Stevens, Benne de Weger and Arjen Lenstra” and that “David Molnar and Jake Appelbaum noticed that RapidSSL was still using MD5 in 2008”.
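The check a trust-store or CA audit wants after this news is simply “which hash signed this certificate?”. The following is added example code (not the researchers’ tooling nor any CA’s): it walks the DER structure of a certificate just far enough to read the outer signatureAlgorithm OID and flags md5WithRSAEncryption. The two sample certificates are constructed stubs whose tbsCertificate is reduced to a lone serial number, not real certificates.

```python
"""Flag DER-encoded X.509 certificates whose outer signature uses MD5."""

# PKCS #1 signature-algorithm OIDs relevant to a CA or trust-store audit.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK_SIG_ALGS = {"1.2.840.113549.1.1.4"}  # MD5 signatures are collision-prone

def read_tlv(buf, pos):
    """Decode one DER tag/length header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(raw):
    """Convert OID content octets to dotted form (first octet packs arcs 1 and 2)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm(cert_der):
    """Return (dotted OID, name) from the certificate's outer signatureAlgorithm."""
    tag, pos, _ = read_tlv(cert_der, 0)  # Certificate ::= SEQUENCE { tbs, alg, sig }
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = read_tlv(cert_der, pos)  # skip tbsCertificate as one TLV
    _, alg_pos, _ = read_tlv(cert_der, tbs_end)  # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = read_tlv(cert_der, alg_pos)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    oid = decode_oid(cert_der[oid_start:oid_end])
    return oid, SIG_ALG_NAMES.get(oid, "unknown")

def is_md5_signed(cert_der):
    return signature_algorithm(cert_der)[0] in WEAK_SIG_ALGS

# Constructed samples, not real certificates: tbsCertificate reduced to a lone
# serial-number INTEGER, then the AlgorithmIdentifier, then a dummy BIT STRING.
_TBS, _SIG = "3003020101", "030200ff"
SAMPLE_MD5_CERT = bytes.fromhex("3018" + _TBS + "300d06092a864886f70d0101040500" + _SIG)
SAMPLE_SHA256_CERT = bytes.fromhex("3018" + _TBS + "300d06092a864886f70d01010b0500" + _SIG)
```

On a real certificate the same walk applies unchanged, because only the outer AlgorithmIdentifier is read and the whole tbsCertificate is skipped as one element.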
Posted in Vulnerability | 1 Comment »
Tuesday, December 30th, 2008
In a throwback to the Storm campaigns that we heavily reported on in 2007, another group has been spamming out links to malicious Season’s Greetings sites (a list of domains previously serving up “ecard.exe” variants can be found here), attempting to fool users into running “postcard.exe”. Here is a screenshot of one server currently up this afternoon on an infected host on the Comcast network at 71.233.193.xx:

A visit to this page results in multiple client-side exploits, delivered by multiple redirected web pages, which ThreatFire prevents. ThreatFire also stops the attacking executable file as Trojan.Waledac.
The attackers make it obvious what web site they are attempting to mimic in their social engineering scheme. The entire HTML header for the attacking web page on the malicious site was ripped directly from 123greetings.com, a popular ecard site. Here is some of the header from the malicious web page:
Title: New Year Cards, Free New Year eCards, Greeting Cards
meta name="keywords" content="new year cards,free new year ecards,greeting cards,greetings,wishes for the new year,free e cards for new year,christmas and new year wishes,free new year greetings,free ecards for new year"
meta name="description" content="2009 is here! Fill your heart with new hopes, reach out for new opportunities and celebrate the New Year! Reach out to your friends, family,…"
Keep in mind that the legitimate www.123greetings.com site appears to send out ecards as Flash videos, and not as “postcard.exe” files.
Update (1/5/2008): Waledac variant card.exe continues to be distributed — we’re seeing hxxp://direct christmas gift.com as an offending server up and running with the same card store front.
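The combination described in this post (brand header text lifted from 123greetings.com, a link to “postcard.exe”, and a bare residential IP as the host) is exactly what a URL-triage heuristic can key on. The code below is an added example for that triage, not ThreatFire’s detection logic; the lure HTML and the 192.0.2.10 address are constructed stand-ins, and the bare-IP test is deliberately IPv4-only.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class PageFacts(HTMLParser):
    """Collect the <title>, meta description and hyperlink targets of a page."""
    def __init__(self):
        super().__init__()
        self.title, self.description, self.links, self._in_title = "", "", [], False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and (attrs.get("name") or "").lower() == "description":
            self.description = attrs.get("content") or ""
        elif tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def assess_ecard_page(html, page_url, brand_host="123greetings.com"):
    """Return the reasons a page looks like a cloned ecard lure (empty list if none)."""
    facts = PageFacts()
    facts.feed(html)
    host = (urlparse(page_url).hostname or "").lower()
    on_brand = host == brand_host or host.endswith("." + brand_host)
    text = (facts.title + " " + facts.description).lower()
    reasons = []
    if ("ecard" in text or "greeting" in text) and not on_brand:
        reasons.append("ecard branding served from non-brand host " + host)
    if host.replace(".", "").isdigit():  # dotted-quad IPv4 with no hostname, typical of a compromised home PC
        reasons.append("served from a bare IP address")
    exe_links = [l for l in facts.links if l.lower().split("?")[0].endswith((".exe", ".scr", ".pif", ".com"))]
    if exe_links:
        reasons.append("links to executable download(s): " + ", ".join(exe_links))
    return reasons

# Constructed lure: header text copied from the brand site, an executable link, served from a bare IP.
SAMPLE_LURE_HTML = """<html><head><title>New Year Cards, Free New Year eCards, Greeting Cards</title>
<meta name="description" content="2009 is here! Fill your heart with new hopes..."></head>
<body><a href="postcard.exe">View your card</a></body></html>"""
SAMPLE_LURE_URL = "http://192.0.2.10/"  # RFC 5737 documentation address standing in for the real host
```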
Posted in Exploit, Social Engineering, Spyware, Storm, Trojan, Vulnerability, cybercrime | No Comments »
Thursday, December 18th, 2008
Zbot is the kind of malware you really don’t want to see on anyone’s computer, stealing banking passwords and financial information.
We’ve been seeing more reports and ThreatFire preventions of the malware delivered along with a somewhat common email-based social engineering scheme. The Zbot variant is attached to an official-sounding warning from the worldwide delivery group UPS. The file currently in circulation has a name somewhat like “Exl6512721.ZIP”, and the contents of the email look something like this text:
“Sorry, we were not able to deliver postal package you sent on November the 25th in time because the recipient’s address is not correct. Please print out the invoice copy attached and collect the package at our office. If you do not receive package in ten days you will have to pay 36$ per day.
Your UPS Support Team “
The Zbot variant attempts to steal banking information and passwords from unsuspecting users, and this one sends the information off to a waiting server in Russia. Fortunately, at this time, the servers are down. You can see here that ThreatExpert now decodes the config files delivered with this nastiness. The post includes a list of financial institutions commonly being targeted.
As always, exercise caution when opening unusual emails and especially when opening attachments.
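A mail gateway does not need to know the Zbot sample to stop this lure: the “invoice copy” in the ZIP is an executable, which is reason enough to block it. The code below is an added example of that attachment check, not ThreatFire’s logic; the ZIP it inspects is built in memory from placeholder bytes and is not real malware.

```python
import io
import zipfile

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
DECOY_SUFFIXES = (".pdf", ".doc", ".txt", ".jpg")  # "document" names that hide an executable


def suspicious_members(zip_bytes):
    """Return (member name, reason) pairs for entries a mail gateway should block."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            name = info.filename.lower()
            if not name.endswith(EXECUTABLE_SUFFIXES):
                continue
            stem = name.rsplit(".", 1)[0]
            if stem.endswith(DECOY_SUFFIXES):
                findings.append((info.filename, "executable hidden behind a document-like double extension"))
            else:
                findings.append((info.filename, "executable inside attachment"))
    return findings


def build_sample_attachment():
    """Construct an in-memory ZIP shaped like the lure above (placeholder bytes, not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("UPS_invoice_copy.pdf.exe", b"constructed placeholder, not a real program")
        archive.writestr("readme.txt", b"Please print out the invoice copy attached.")
    return buf.getvalue()
```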
Posted in Password stealing, Social Engineering, Spyware, ZBot, cybercrime | 3 Comments »