Security
By Jake Edge
June 3, 2015
The Linux/Moose worm is not particularly innovative, nor does it exploit new holes, but it does highlight a problem that is likely to only increase over time. In fact, the hubbub around the Internet of Things (IoT) reminds us that plans are afoot to put more and more devices—undoubtedly some with default or easily guessed passwords—onto the net. Taking over a device with a default administrative password is not particularly difficult, but the consequences for the device owner can be rather severe, though they generally aren't for Moose.
The Moose worm was described in great detail in a 54-page PDF by Olivier Bilodeau and Thomas Dupuy of the security software firm ESET. The report is replete with various moose jokes along with an extremely detailed look at how the worm operates. The name stems from the name of the malware binary that gets installed on infected systems: elan2. Élan is French for moose.
At its heart, Moose is a form of malware that targets home routers, including those that Internet Service Providers (ISPs) make available to their customers. It spreads via telnet using access credentials from a list of common or default usernames and passwords stored in the binary. Once it has broken in, it starts scanning for new victims—on the internet at large, in the ISP's range of IP addresses, and on the local net behind the firewall maintained by the router. It can also cause several other kinds of mayhem, including rerouting DNS traffic, performing social network fraud using hijacked accounts, and eavesdropping on other devices that are using the router. Beyond that, there is a set of "command and control" (C&C) servers that Moose communicates with to get its marching orders, report "interesting" traffic to, or proxy requests to hosts both inside and outside the firewall, which allows bypassing network address translation (NAT).
Once Moose gains access to another device by having its credentials accepted, it contacts its "report C&C" server to give it information it has gathered about the device (IP address, which credentials were used, CPU type, etc.). That server will send back obfuscated commands to be run on the victim. Those commands will typically result in the malware binary being executed on the victim, causing it to join the Moose "network".
Once a system has been infected, it talks to a configuration C&C server chosen at random from a list in the binary. That server will provide the newly infected device with the IP addresses for the other two C&C servers it should use, one for reporting and one to relay traffic from. For relaying, Moose listens on port 10073 but will only connect with IP addresses from a hard-coded whitelist in the binary. For any successful connection, Moose will set up a SOCKS or HTTP proxy based on the value of the first byte sent. Those proxies can then be used to bypass NAT or to send web requests to arbitrary hosts—generally social networking sites.
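One way a network defender could look for the two behaviors described above (a home router telnet-scanning many hosts, and clients contacting the tcp/10073 relay port) in exported flow records. This is an added example written for this page, not code from the ESET report; the CSV layout, the thresholds, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (ts,src,dst,dport), as a monitor might export them
SAMPLE_FLOWS = """\
2015-06-02T10:00:01,192.168.1.1,203.0.113.10,23
2015-06-02T10:00:02,192.168.1.1,203.0.113.11,23
2015-06-02T10:00:04,192.168.1.1,203.0.113.12,23
2015-06-02T10:00:05,192.168.1.1,192.168.1.30,23
2015-06-02T10:00:07,192.168.1.1,192.168.1.31,23
2015-06-02T10:00:09,192.168.1.1,203.0.113.13,23
2015-06-02T10:01:00,192.168.1.20,192.168.1.1,23
2015-06-02T10:01:30,192.168.1.20,192.168.1.1,23
2015-06-02T10:02:00,198.51.100.7,192.168.1.1,10073
2015-06-02T10:02:05,192.168.1.20,93.184.216.34,443
"""

TELNET_PORT = 23
MOOSE_RELAY_PORT = 10073  # relay listener port from the ESET report quoted above

def parse_flows(text):
    """Parse the CSV records into (datetime, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split(",")
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows

def telnet_scanners(flows, window=timedelta(minutes=5), min_targets=5):
    """Map src -> largest number of distinct tcp/23 targets seen inside window.
    A home router initiating telnet to many hosts is the Moose propagation pattern."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == TELNET_PORT:
            by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                hits[src] = max(hits.get(src, 0), len(targets))
    return hits

def relay_port_contacts(flows):
    """(src, dst) pairs talking to tcp/10073, where an infected router accepts relay clients."""
    return sorted({(src, dst) for _, src, dst, dport in flows if dport == MOOSE_RELAY_PORT})
```

Only the router 192.168.1.1 trips the scan heuristic in the sample; the single host that telnets to the router twice does not, and the tcp/10073 contact is listed separately for follow-up.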
Moose also sniffs the traffic that is traversing the router, looking for "interesting" strings that the configuration C&C server supplied. Those strings turn out to be the HTTP cookies for sites like Twitter, Facebook, Instagram, Google, YouTube, and so on. The values get reported back to the C&C servers, which can then use them to perpetrate fraud on those social networks—adding "likes", followers, and such for anyone willing to pay for that kind of "service".
There is more to Moose, of course, which is described in the report. The researchers tried to estimate how many Moose-infected routers there are, but found it difficult to do so because of the way the malware operates. It seems clear that Moose has been operating for roughly a year; ESET has been looking at it since July 2014.
One "feature" that Moose is missing is persistence. A reboot of an affected device will remove the malware, though it may just get installed again if the password is not changed. Even for its seeming mission, though, Moose is relatively ineffective. Most of the social networks (with Instagram evidently being one exception) have moved to HTTPS-only access, which means that Moose can't passively sniff the cookies. It also relies on telnet to propagate, which is becoming less and less popular—at least hopefully.
The basic infrastructure that Moose sets up could be used for other nefarious activities, however. Distributed denial of service, spamming, more active HTTPS interception (since most users will simply click through any browser warnings), or other schemes are all possible. In addition, the report notes that IoT or other non-router devices connected to the internet could be affected in a kind of collateral damage. It is possible that Moose's activity on, say, an internet-attached medical device could interfere with its normal operation—yet another good reason not to make such connections.
As it stands, Moose doesn't pose that much of a threat. It is a clever use of well-known techniques and flaws; it could presumably be "upgraded" into something far more dangerous. Adding SSH, for example, would result in more opportunities to propagate, especially in the future, and wouldn't reduce the effectiveness of the weak-password attack. But it is good to learn as much as we can from Moose, to help recognize and repel its descendants (and siblings) down the road.
The vast array of poorly configured home routers seems like a ticking time bomb of sorts. Even those that were configured with good passwords and sensible access policies may never have been updated since they were installed. Thus they are susceptible to vulnerabilities found in the meantime. Moose is simply another reminder of that threat.
Brief items
It's been fourteen hours since a few provisions of the Patriot Act have expired, and the world hasn't come to an end -- at least so far.
— Bruce Schneier
At $8 billion per year, the TSA is the most expensive theatrical production in history.
— David Burge
Frustrated NSA Now Forced To Rely On Mass Surveillance Programs That Haven’t Come To Light Yet
— A headline from The Onion
Here's an article on the Red Hat security blog on the use of Systemtap to apply emergency security fixes. "With the vulnerability-band-aid approach chosen, we need to express our intent in the systemtap scripting language. The model is simple: for each place where the state change is to be done we place a probe. In each probe handler, we detect whether the context indicates an exploit is in progress and, if so, make changes to the context. We might also need additional probes to detect and capture state from before the vulnerable section of code, for diagnostic purposes."
New vulnerabilities
apache2: multiple vulnerabilities
| Package(s): | apache2 |
| CVE #(s): | |
| Created: | June 2, 2015 |
| Updated: | June 3, 2015 |
| Description: | From the Ubuntu advisory: |
As a security improvement, this update makes the following changes to the Apache package in Ubuntu 12.04 LTS:
Added support for ECC keys and ECDH ciphers.
The SSLProtocol configuration directive now allows specifying the TLSv1.1 and TLSv1.2 protocols.
Ephemeral key handling has been improved, including allowing DH parameters to be loaded from the SSL certificate file specified in SSLCertificateFile.
The export cipher suites are now disabled by default.
| Alerts: | |
fusionforge: code execution
| Package(s): | fusionforge |
| CVE #(s): | CVE-2015-0850 |
| Created: | June 1, 2015 |
| Updated: | June 11, 2015 |
| Description: | From the Debian advisory: |
Ansgar Burchardt discovered that the Git plugin for FusionForge, a web-based project-management and collaboration software, does not sufficiently validate user provided input as parameter to the method to create secondary Git repositories. A remote attacker can use this flaw to execute arbitrary code as root via a specially crafted URL.
| Alerts: | |
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | |
| Created: | June 2, 2015 |
| Updated: | June 3, 2015 |
| Description: | From the Fedora advisory: |
The 4.0.4-303 update contains a fix for a namespace crash issue.
[1] Bug #1220519 - kernel/sched/core.c:7291 __might_sleep+0x87/0x90()
[2] Bug #1200353 - regression in ktime.h breaks infrared IR blaster/transmitter after upgrade to Fedora 21
[3] Bug #1214474 - Mouse capture issues when running in vmware
| Alerts: | |
kernel: privilege escalation
| Package(s): | kernel |
| CVE #(s): | CVE-2015-1805 |
| Created: | June 3, 2015 |
| Updated: | July 7, 2015 |
| Description: | From the Red Hat advisory: |
It was found that the Linux kernel's implementation of vectored pipe read and write functionality did not take into account the I/O vectors that were already processed when retrying after a failed atomic access operation, potentially resulting in memory corruption due to an I/O vector array overrun. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system.
| Alerts: | |
libinfinity: incorrect validation of certificates
mysql-connector-java: information disclosure
| Package(s): | mysql-connector-java |
| CVE #(s): | CVE-2015-2575 |
| Created: | June 1, 2015 |
| Updated: | July 6, 2015 |
| Description: | From the openSUSE advisory: |
Difficult to exploit vulnerability allows successful authenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some MySQL Connectors accessible data as well as read access to a subset of MySQL Connectors accessible data.
| Alerts: | |
netty: HttpOnly cookie bypass
| Package(s): | netty |
| CVE #(s): | CVE-2015-2156 |
| Created: | June 1, 2015 |
| Updated: | June 5, 2015 |
| Description: | From the Red Hat bugzilla: |
A flaw was found in the way Netty's CookieDecoder method validated cookie name and value characters. An attacker could use this flaw to bypass the httpOnly flag on sensitive cookies.
| Alerts: | |
nss: cipher-downgrade attacks
| Package(s): | nss |
| CVE #(s): | CVE-2015-4000 |
| Created: | June 2, 2015 |
| Updated: | July 24, 2015 |
| Description: | From the CVE entry: |
The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue.
| Alerts: | |
python-django: incorrect session flushing
| Package(s): | python-django |
| CVE #(s): | CVE-2015-3982 |
| Created: | June 1, 2015 |
| Updated: | June 3, 2015 |
| Description: | From the Red Hat bugzilla: |
The following flaw was found in Django 1.8:
A change to session.flush() in the cached_db session backend in Django 1.8 mistakenly sets the session key to an empty string rather than None. An empty string is treated as a valid session key and the session cookie is set accordingly. Any users with an empty string in their session cookie will use the same session store. session.flush() is called by django.contrib.auth.logout() and, more seriously, by django.contrib.auth.login() when a user switches accounts. If a user is logged in and logs in again to a different account (without logging out) the session is flushed to avoid reuse. After the session is flushed (and its session key becomes '') the account details are set on the session and the session is saved. Any users with an empty string in their session cookie will now be logged into that account.
| Alerts: | |
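A toy session store, written for this page rather than taken from Django, that walks through the account-switch scenario in the bugzilla text above with the 1.8 flush() behavior beside a fixed one. The fixed mode assumes the rule Django adopted in 1.8.2 (a session key must be a string of at least eight characters); the class and function names are this example's own.

```python
import secrets

class SessionStore:
    """Toy stand-in for Django's cached_db session backend (constructed for this
    example). fixed=False reproduces the Django 1.8 flush() bug; fixed=True applies
    the assumed 1.8.2 rules: flush() resets the key to None, and a key must be a
    string of at least 8 characters."""
    def __init__(self, backend, session_key=None, fixed=False):
        self.backend = backend  # shared dict standing in for the cache/db
        self.fixed = fixed
        key = session_key if self._validate_session_key(session_key) else None
        self._session_key = key
        self._data = dict(backend.get(key, {})) if key is not None else {}

    def _validate_session_key(self, key):
        if self.fixed:
            return isinstance(key, str) and len(key) >= 8
        return key is not None  # 1.8.0/1.8.1: '' slips through as "valid"

    def flush(self):
        """Called by logout() and by login() when switching accounts."""
        if self._session_key is not None:
            self.backend.pop(self._session_key, None)
        self._data = {}
        self._session_key = None if self.fixed else ""  # the 1.8 bug

    def save(self):
        """Persist the session; returns the key that goes into the cookie."""
        if self._session_key is None:
            self._session_key = secrets.token_hex(16)  # fresh 32-char key
        self.backend[self._session_key] = dict(self._data)
        return self._session_key

    def login(self, user):
        self.flush()  # django.contrib.auth.login() flushes on account switch
        self._data["user"] = user
        return self.save()

    def get_user(self):
        return self._data.get("user")

def account_switch_scenario(fixed):
    """Alice logs in twice without logging out; another client then presents a
    sessionid cookie equal to ''. Returns (Alice's cookie, who that client is)."""
    store = {}
    alice = SessionStore(store, fixed=fixed)
    alice.login("alice")
    cookie = alice.login("alice-work")
    other = SessionStore(store, session_key="", fixed=fixed)
    return cookie, other.get_user()
```

With fixed=False the second login is saved under the key '' and the other client reads it back as alice-work; with fixed=True the empty cookie is rejected and the other client gets an empty session.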
symfony: restriction bypass
| Package(s): | symfony |
| CVE #(s): | CVE-2015-4050 |
| Created: | June 1, 2015 |
| Updated: | June 8, 2015 |
| Description: | From the Debian advisory: |
Jakub Zalas discovered that Symfony, a framework to create websites and web applications, was vulnerable to restriction bypass. It was affecting applications with ESI or SSI support enabled, that use the FragmentListener. A malicious user could call any controller via the /_fragment path by providing an invalid hash in the URL (or removing it), bypassing URL signing and security rules.
| Alerts: | |
tomcat6: Security Manager bypass
| Package(s): | tomcat6 |
| CVE #(s): | CVE-2014-7810 |
| Created: | May 29, 2015 |
| Updated: | June 3, 2015 |
| Description: | From the Apache advisory: |
Malicious web applications could use expression language to bypass the protections of a Security Manager as expressions were evaluated within a privileged code section.
This issue only affects installations that run web applications from untrusted sources.
| Alerts: | |
virtio-win: denial of service
| Package(s): | virtio-win |
| CVE #(s): | CVE-2015-3215 |
| Created: | June 3, 2015 |
| Updated: | June 3, 2015 |
| Description: | From the Red Hat advisory: |
It was found that the Windows Virtio NIC driver did not sufficiently sanitize the length of the incoming IP packets, as demonstrated by a packet with IP options present but the overall packet length not being adjusted to reflect the length of those options. A remote attacker able to send a specially crafted IP packet to the guest could use this flaw to crash that guest.
| Alerts: | |
Page editor: Jake Edge