Archive for April, 2012

The recently reported flaw that lets an attacker drastically reduce the number of guesses needed to recover a wireless router's WPS PIN is not even needed against some Arcadyan-based routers: they accept a fixed default PIN.

Last year it was shown that the WiFi Protected Setup (WPS) PIN is susceptible to a brute force attack. A design flaw in the WPS PIN authentication exchange cuts the time needed to brute force the PIN dramatically: the access point's response reveals whether the first half of the 8-digit PIN is correct before the second half is ever checked, and the eighth digit is a checksum of the other seven, so an attacker needs at most 10^4 + 10^3 = 11,000 guesses instead of 10^7.

The lack of a proper lock out policy after a certain number of failed attempts to guess the PIN on many wireless routers makes this brute force attack that much more feasible.

Some 100,000 routers of type Speedport W921V, W504V and W723V are affected in Germany alone. What makes things worse is the fact that in order to exploit the backdoor, no button has to be pushed on the device itself and on some of the affected routers, the backdoor PIN (“12345670”) is still working even after WPS has been disabled by the user. The only currently known remedy for those models is to disable Wi-Fi altogether. Since all Arcadyan routers share the same software platform, more models might be affected.

Last year, Tactical Network Solutions developed and released Reaver, a WPA attack tool that exploits this protocol design flaw in WiFi Protected Setup (WPS). Reaver was designed as a robust and practical attack against WPS and has been tested against a wide variety of access points and WPS implementations. On average, Reaver recovers the target AP's plaintext WPA/WPA2 passphrase in 4-10 hours, depending on the AP.
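The exchange described above, as an added simulation that is not part of the original post and is not Reaver's code. The access point is a constructed stand-in that answers the way the WPS registrar protocol does: a NACK after message M4 means the first half of the PIN is wrong, a NACK after M6 means the second half is wrong, and it optionally locks out after a number of failures. The checksum routine is the one the WPS specification defines for the eighth digit. The sample PIN 12345670 is the default PIN reported above for the affected Speedport models; the class and function names are this example's own.

```python
"""Simulated WPS PIN recovery showing why the split-PIN check is a design flaw."""
from typing import Optional, Sequence


def wps_checksum(first7: int) -> int:
    """Return the checksum (8th) digit for the first 7 digits of a WPS PIN."""
    accum = 0
    while first7:
        accum += 3 * (first7 % 10)
        first7 //= 10
        accum += first7 % 10
        first7 //= 10
    return (10 - accum % 10) % 10


class SimulatedAP:
    """Constructed registrar model; lockout_after=None mimics an AP with no lockout."""

    def __init__(self, pin: str, lockout_after: Optional[int] = None) -> None:
        self.pin = pin
        self.attempts = 0
        self.failures = 0
        self.lockout_after = lockout_after

    def try_pin(self, guess: str) -> str:
        self.attempts += 1
        if self.lockout_after is not None and self.failures >= self.lockout_after:
            return "LOCKED"          # AP refuses further WPS transactions
        if guess[:4] != self.pin[:4]:
            self.failures += 1
            return "NACK_M4"         # leaks that digits 1-4 are wrong
        if guess[4:] != self.pin[4:]:
            self.failures += 1
            return "NACK_M6"         # leaks that digits 1-4 are right, 5-8 wrong
        return "OK"


def brute_force_pin(ap: SimulatedAP) -> Optional[str]:
    """Recover the PIN in at most 10^4 + 10^3 attempts instead of 10^7."""
    first = None
    for candidate in range(10_000):
        # Digits 5-8 do not matter yet: the AP answers M4 before it looks at them.
        reply = ap.try_pin(f"{candidate:04d}0000")
        if reply == "LOCKED":
            return None
        if reply != "NACK_M4":
            first = candidate
            break
    if first is None:
        return None
    for second in range(1_000):
        # Only digits 5-7 are free; digit 8 is fixed by the checksum.
        first7 = first * 1000 + second
        guess = f"{first7:07d}{wps_checksum(first7)}"
        reply = ap.try_pin(guess)
        if reply == "LOCKED":
            return None
        if reply == "OK":
            return guess
    return None


def recover_pin(ap: SimulatedAP, known_pins: Sequence[str] = ()) -> Optional[str]:
    """Try known default PINs first (the Arcadyan case), then the split brute force."""
    for pin in known_pins:
        if ap.try_pin(pin) == "OK":
            return pin
    return brute_force_pin(ap)


if __name__ == "__main__":
    ap = SimulatedAP("12345670")
    print(recover_pin(ap), "recovered after", ap.attempts, "attempts")
```

Against the sample PIN the split search needs 1,235 + 568 = 1,803 attempts; a worst-case PIN needs 11,000. With a lockout of even a hundred failures the search never completes, which is the missing control the paragraph above points at, and when the AP accepts a fixed default PIN the search is not needed at all.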



VMWare Source Code Leak

Posted: April 26, 2012 in Analysis

Source code belonging to VMWare has leaked to the internet after apparently being stolen by a hacker who claims to have obtained it from a Chinese firm’s network.

The source code belongs to VMWare's ESX virtual machine software product, a popular tool for creating and operating virtual computing environments. The code was posted to the Pastebin website, a repository for coders that has become a favorite place for hackers to publish purloined wares.

VMWare acknowledged the leak in a note posted to the company’s website.

On Monday, VMWare "became aware of the public posting of a single file from the VMware ESX source code and the possibility that more files may be posted in the future," wrote Iain Mulholland, director of the company's Security Response Center, in the note.

Mulholland said the code dates from the 2003-2004 timeframe and noted that the company regularly shares its source code with other industries, suggesting that the software might indeed have been stolen from a third-party network, rather than VMWare’s own network.

But Mulholland, naturally, downplayed the seriousness of the leak.

“The fact that the source code may have been publicly shared does not necessarily mean that there is any increased risk to VMware customers,” he wrote.

Others disagree with this assessment.

“The real pain for the industry in this case is … the intimate knowledge attackers may now possess of possible vulnerabilities in a critical virtualization tool that is the foundation for many enterprise data centers, clouds, and applications,” said Mark Bower, a vice president at Voltage Security, in a statement.

A hacker who goes by the name “Hardcore Charlie” claimed responsibility for the leak and asserted that he possessed about 300 Megabytes of VMWare source code, more of which would be released. He said the data was part of a cache taken from a previously reported breach of a network belonging to the Beijing-based China Electronics Import & Export Corporation, which works with the Chinese military.

The hacker told Reuters earlier this month that he had targeted CEIEC in an effort to uncover documents about the U.S. government’s involvement in Afghanistan. He said he worked with another hacker who goes by the name YamaTough.

Hardcore Charlie told security firm Kaspersky that they got into CEIEC and other firms after first targeting an e-mail hosting firm. After stealing the credentials of hundreds of thousands of accounts, the hacker said, they cracked the cryptographic hashes on credentials for interesting accounts, such as ones belonging to workers connected to CEIEC and other firms, and then purloined more than a terabyte of data from those company networks.

Earlier this month, he posted documents from those breaches, some of which purport to be U.S. military reports and shipping documents related to Afghanistan.

Although VMWare has confirmed the authenticity of its leaked source code, neither the authenticity of the U.S. military documents published by the hackers nor the story of how the breaches were accomplished has been verified.

The VMWare leak matches some details of a similar source code leak earlier this year involving Symantec products. Hardcore Charlie's alleged partner in crime, YamaTough, claimed responsibility for that leak.

In February, YamaTough posted files belonging to six-year-old versions of Symantec’s source code, including its 2006 Endpoint Protection 11.0 and its discontinued Symantec Antivirus 10.2. The hacker posted the code after an alleged attempt to extort $50,000 from Symantec.

YamaTough apparently obtained the code from a hacker group calling itself the Lords of Dharmaraja. That group claimed it uncovered the source code on servers belonging to India’s military intelligence agency. But a document the group initially published with their claim, purporting to show cooperation between Symantec and the spy agency, proved to be false.


Another Mac OS Backdoor

Posted: April 17, 2012 in Vulnerabilities

Sabpab – Another Mac OS X Backdoor Trojan Discovered

Security firm Sophos has discovered another piece of malware for the Mac OS X platform, called Sabpab. It uses the same Java vulnerability as Flashback to install itself as a "drive-by download," so users of older Java versions now have still more malware to worry about.
Like Flashback, it requires no user interaction to infect a system: all that needs to happen is for you to visit an infected web page. According to Sophos, Sabpab installs a backdoor that lets the attackers capture screen snapshots, upload or download files and execute commands on infected Macs remotely.
The Trojan creates the files
  • /Users//Library/Preferences/
  • /Users//Library/LaunchAgents/

Encrypted logs are sent back to the control server, so the hackers can monitor activity. Although one variant of Flashback installed a file in the LaunchAgents folder, not all tools for detecting Flashback do anything with that folder.

Symantec identifies the trojan as OSX.Sabpab, which exploits the Oracle Java SE Remote Java Runtime Environment Denial Of Service Vulnerability (BID 52161) in order to install itself on the compromised computer.

FlashBack Checker

Posted: April 10, 2012 in Vulnerabilities

Flashback Checker is a 38KB tool created by Juan Leon, a software engineer at Garmin International, the Kansas-based company best known for its GPS devices.

When Flashback Checker is run, it displays “No signs of infection were found” or provides additional information if it does detect changes the malware has made to the Mac.
According to Dr. Web, the Russian security company that was the first firm to quantify Flashback infections, nearly 2% of all Macs have been hit by the malware.

Dr. Web used a different technique to detect Flashback than Leon. Rather than examine the Mac itself, Dr. Web’s tool compares the UUID (universally unique identifiers) of a machine to the list of UUIDs of infected Macs it compiled after commandeering a hacker command-and-control (C&C) server.
To help tackle the recent Flashback malware threat, Apple released a couple of updates for the Java runtime in OS X to bring it up to the latest Java release (version 1.6.0_31), which patches the vulnerability being exploited.
The download is posted to GitHub and runs on Mac OS X 10.5 and above. Leon also posted the source code for those interested in checking it out.

Android/InitrUp Trojan

Posted: April 9, 2012 in Vulnerabilities

The Android/InitrUp Trojan masquerades as a popular Chinese-language Android game. Upon infection, the malware attempts to extract sensitive information from the device, as well as to generate charges for various premium carrier services (e.g. SMS messaging). Installation of the Trojan does not require any specific user authorization or permission interaction, which sets it apart from the majority of threats for the Android platform.

A security researcher has discovered a serious flaw in the Facebook and Dropbox apps for both Android and iOS: they store the credentials for your account in plain text on the device.

Anyone with access to your device can use a free piece of software that’s easily available on the internet to retrieve an unencrypted, plain text file from your device that provides access to your entire account — without requiring a jailbreak.

Gareth Wright detailed the issue in a post on his blog on April 3. It was initially focused on the Facebook app, but The Next Web reports that the flaw is also present in the Dropbox app.

Facebook has since issued a statement to deny there’s any issue on stock devices:

Facebook’s iOS and Android applications are only intended for use with the manufacturer provided operating system, and access tokens are only vulnerable if they have modified their mobile OS (i.e. jailbroken iOS or modded Android) or have granted a malicious actor access to the physical device.

We develop and test our application on an unmodified version of mobile operating systems and rely on the native protections as a foundation for development, deployment and security, all of which is compromised on a jailbroken device.

But Facebook is wrong. With a free application called iExplorer, users can access all sorts of files on their device without jailbreaking it first. This allows the .plist containing your credentials to be extracted. It's in plain text and is not encrypted or secured in any way, so anyone can open it.

Facebook is correct, however, when it says that a “malicious actor” must obtain physical access to your device first. So there’s no need to worry about your data being stolen while you have possession of your handset. But if it’s lost or stolen, then there’s cause for concern.

The issue is not with Android or iOS themselves; it’s with these apps that choose not to encrypt your data. So it’s up to Facebook and Dropbox to fix the issue. There could be others out there, too, but these are the only two so far that have been found to feature this vulnerability.

Keep your eyes peeled for those updates.
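One way to check an extracted app container for the problem described above, as an added example that is not from Gareth Wright's post and not from either app. It parses an app preference plist and reports long string values stored under credential-looking keys. The plist and its key names are constructed for this example; they are not the real apps' keys, and the token value is a placeholder.

```python
"""Scan an app preference plist for credentials stored in plain text."""
import plistlib
import re
from typing import Any, Iterator, List, Tuple

# Constructed sample of the kind of file the post describes; not a real app's plist.
SAMPLE_APP_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>LastSync</key><date>2012-04-01T12:00:00Z</date>
  <key>Session</key>
  <dict>
    <key>access_token</key><string>AAAB0000EXAMPLE0000TOKEN0000aaaa</string>
    <key>expires_in</key><integer>5184000</integer>
    <key>user_id</key><string>1000000001</string>
  </dict>
  <key>Theme</key><string>light</string>
</dict>
</plist>"""

# Same layout with the session cache removed (the state a fixed app would leave).
CLEAN_APP_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>LastSync</key><date>2012-04-01T12:00:00Z</date>
  <key>Theme</key><string>light</string>
</dict>
</plist>"""

# Key names that usually carry something an attacker can replay.
SENSITIVE_KEY = re.compile(r"token|secret|password|passwd|session|cookie|auth", re.I)


def _walk(node: Any, path: Tuple[str, ...] = ()) -> Iterator[Tuple[Tuple[str, ...], Any]]:
    """Yield (key path, leaf value) for every leaf in a nested plist structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, path + (str(key),))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, path + (f"[{index}]",))
    else:
        yield path, node


def find_plaintext_secrets(plist_bytes: bytes, min_len: int = 16) -> List[str]:
    """Return key paths whose name looks credential-like and whose value is a long string.

    plistlib accepts both XML and binary plists, so this works on files pulled
    straight out of an app container.
    """
    data = plistlib.loads(plist_bytes)
    hits = []
    for path, value in _walk(data):
        if not isinstance(value, str) or len(value) < min_len:
            continue
        if any(SENSITIVE_KEY.search(part) for part in path):
            hits.append("/".join(path))
    return hits


if __name__ == "__main__":
    for hit in find_plaintext_secrets(SAMPLE_APP_PLIST):
        print("plaintext credential at", hit)
```

The scanner only finds the symptom. The fix belongs in the app: a session token should live in the platform keychain, not in a preference file that sits unencrypted in the app's container.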


The computer security industry is buzzing with warnings that more than half a million Macintosh computers may have been infected with a trojan targeting Apple machines.

Dr. Web originally reported Wednesday that 550,000 Macintosh computers were infected by the growing Mac botnet. But later in the day, Dr. Web malware analyst Sorokin Ivan announced on Twitter that the number of Macs infected with Flashback had increased to 600,000, with 274 of those based in Cupertino, Calif.
Dr. Web explained that a system gets infected with the Mac Flashback trojan “after a user is redirected to a bogus site from a compromised resource or via a traffic distribution system.” A specific JavaScript code on the site that contains the virus is then used to load a Java applet, which is how the malware makes its way onto a user’s computer.
This Trojan spreads via infected web pages and exploits Java vulnerabilities that have been known for some time, yet Apple didn’t see fit to release a patch until this week (Java for Mac OS X 10.6 Update 7 and Java for OS X Lion 2012-001).
Macs have historically been an unappealing hacking target because of their low market share. Instead, criminals have attacked personal computers running Microsoft Corp.’s Windows software, seeking the biggest number of victims for illicit moneymaking schemes. Windows runs on more than 90 percent of the world’s desktop computers, according to market researcher Net Applications.

"All the stuff the bad guys have learnt for doing attacks in the PC world is now starting to transition to the Mac world," said McAfee Labs director of threat intelligence Dave Marcus.
Once installed, Flashback injects code into web browsers and other applications such as Skype to harvest passwords and other information from those programs' users. Security company F-Secure has published instructions on how to determine whether a Mac is infected with Flashback.
"There has been a significant increase in Mac malware in the last several quarters, so what we've seen with the Flashback Trojan isn't particularly surprising," Marcus said. "Cybercriminals will attack any operating system with valuable information, and as the popularity of Macs increases, so will attacks on the Mac platform."
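A small persistence audit covering both the Flashback indicators above and the LaunchAgents folder that the Sabpab post says not every Flashback checker inspects. This is an added example; it is not Juan Leon's Flashback Checker and not Sophos or F-Secure tooling. It checks two things: a browser Info.plist whose LSEnvironment forces a library into the process via DYLD_INSERT_LIBRARIES (the indicator F-Secure's published Flashback instructions read out of Safari's Info.plist and ~/.MacOSX/environment.plist), and ~/Library/LaunchAgents entries whose program lives in a user-writable place such as ~/Library/Preferences, where the Sabpab write-up says its files land. The plists and the paths inside them are constructed for the example; the trusted-prefix list is this example's own heuristic.

```python
"""Audit Mac persistence points used by Flashback- and Sabpab-style droppers."""
import glob
import os
import plistlib
from typing import List, Optional

# Constructed samples; the library and agent paths are invented for this example.
INFECTED_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.apple.Safari</string>
  <key>LSEnvironment</key><dict>
    <key>DYLD_INSERT_LIBRARIES</key><string>/Users/alice/.example.so</string>
  </dict>
</dict></plist>"""

CLEAN_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.apple.Safari</string>
</dict></plist>"""

SUSPECT_AGENT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.agent</string>
  <key>ProgramArguments</key><array>
    <string>/Users/alice/Library/Preferences/.example</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

BENIGN_AGENT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Example.app/Contents/MacOS/helper</string>
  </array>
</dict></plist>"""

# Heuristic: agents that run something outside these roots deserve a look.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/")


def injected_libraries(plist_bytes: bytes, nested_under: Optional[str] = "LSEnvironment") -> List[str]:
    """Libraries forced into a process by DYLD_INSERT_LIBRARIES.

    For an app's Info.plist the variable sits under LSEnvironment; for
    ~/.MacOSX/environment.plist it sits at the top level (nested_under=None).
    """
    data = plistlib.loads(plist_bytes)
    env = data.get(nested_under, {}) if nested_under else data
    return [p for p in str(env.get("DYLD_INSERT_LIBRARIES", "")).split(":") if p]


def launch_agent_program(agent_plist: bytes) -> str:
    """The binary a launchd agent will run: Program, or ProgramArguments[0]."""
    data = plistlib.loads(agent_plist)
    args = data.get("ProgramArguments") or []
    return args[0] if args else data.get("Program", "")


def is_suspect_launch_agent(agent_plist: bytes) -> bool:
    """True when the agent's program is outside the trusted prefixes (or missing)."""
    return not launch_agent_program(agent_plist).startswith(TRUSTED_PREFIXES)


def scan_home(home: str = os.path.expanduser("~")) -> List[str]:
    """Run both checks on a real machine; returns human-readable findings."""
    findings = []
    for info in ("/Applications/Safari.app/Contents/Info.plist",
                 "/Applications/Firefox.app/Contents/Info.plist"):
        if os.path.exists(info):
            with open(info, "rb") as f:
                for lib in injected_libraries(f.read()):
                    findings.append(f"{info}: DYLD_INSERT_LIBRARIES -> {lib}")
    env_plist = os.path.join(home, ".MacOSX", "environment.plist")
    if os.path.exists(env_plist):
        with open(env_plist, "rb") as f:
            for lib in injected_libraries(f.read(), nested_under=None):
                findings.append(f"{env_plist}: DYLD_INSERT_LIBRARIES -> {lib}")
    for agent in glob.glob(os.path.join(home, "Library", "LaunchAgents", "*.plist")):
        with open(agent, "rb") as f:
            data = f.read()
        if is_suspect_launch_agent(data):
            findings.append(f"{agent}: runs {launch_agent_program(data)}")
    return findings


if __name__ == "__main__":
    for line in scan_home() or ["no findings"]:
        print(line)
```

plistlib reads binary plists as well as XML, so the same functions work on the real Info.plist files, which Apple ships in binary form. The launch agent heuristic will flag legitimate agents installed under a user's home directory; treat its output as a list to review, not a verdict.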