Compromised Site: Peugeot

Websense Security Labs ThreatSeeker Network has discovered that the official Web site of Peugeot in Romania has been compromised and is infecting the machines of site visitors with malicious code. Malicious code has been inserted onto the reported page of the site via iframes. These iframes redirect to the pages of a different host that contains malicious obfuscated JavaScript code. This code takes advantage of the MS Snapshot Viewer exploit (CVE-2008-2463), and the Adobe Reader PDF exploit (CVE-2007-5659).

Peugeot is a major French car brand. Its parent company PSA Peugeot Citroën is the second largest carmaker in Europe, behind Volkswagen. Peugeot’s roots go back to pepper, salt, and coffee mill manufacturing in 1842 and later bicycle manufacturing at the end of the 19th century. Its world headquarters are in Paris, Avenue de la Grande Armée, close to Porte Maillot and the Concorde Lafayette Hotel but the Peugeot company and family is originally from Sochaux, France.

Source:
http://securitylabs.websense.com/content/Alerts/3327.aspx

Posted in Coding, Internet, Security | No Comments

Stealthy router-based botnet worm squirming

Researchers at DroneBL have spotted signs of a stealthy router-based botnet worm targeting routers and DSL modems.

The worm, called “psyb0t,” has been circulating since at least January this year, infecting vulnerable embedded Linux devices such as the Netcomm NB5 ADSL modem (above) and launching denial-of-service attacks on some Web sites.

Some characteristics:

• It’s the first botnet worm to specifically target routers and DSL modems
• Contains shellcode for many mipsel devices
• It’s not targeting PCs or servers
• Uses multiple strategies for exploitation, including brute-force username and password combinations
• Harvests user names and passwords through deep packet inspection
• can scan for exploitable phpMyAdmin and MySQL servers

According to this DroneBL blog post, the worm can infect any Linux mipsel routing device that has the router administration interface or sshd or telnetd in a DMZ, which has weak username/passwords (including openwrt/dd-wrt devices).

Source:
http://blogs.zdnet.com/security/?p=2972

Posted in Hardware, Internet, Networking, Privacy, Security | No Comments

Researchers unveil persistent BIOS attack methods

Apply all of the browser, application and OS patches you want, your machine still can be completely and silently compromised at the lowest level–without the use of any vulnerability.

That was the rather sobering message delivered by a pair of security researchers from Core Security Technologies in a talk at the CanSecWest conference on methods for infecting the BIOS with persistent code that will survive reboots and reflashing attempts. Anibal Sacco and Alfredo Ortega (above) demonstrated a method for patching the BIOS with a small bit of code that gave them conplete control of the machine. And the best part is, the method worked on a Windows machine, a PC running OpenBSD and another running VMware Player.

“It was very easy. We can put the code wherever we want,” said Ortega. “We’re not using a vulnerability in any way. I’m not sure if you understand the impact of this. We can reinfect the BIOS every time it reboots.”

Sacco and Ortega stressed that in order to execute the attacks, you need either root privileges or physical access to the machine in question, which limits the scope. But the methods are deadly effective and the pair are currently working on a BIOS rootkit to implement the attack.

“We can patch a driver to drop a fully working rootkit. We even have a little code that can remove or disable antivirus,” Ortega said.

Source:
http://threatpost.com/blogs/researchers-unveil-persistent-bios-attack-methods

Posted in Hardware, Privacy, Security | No Comments

Attacking SMM Memory via Intel CPU Cache Poisoning

As promised, the paper and the proof of concept code has just been posted on the ITL website here.

A quote from the paper:

In this paper we have described practical exploitation of the CPU cache poisoning in order to read or write into (otherwise protected) SMRAM memory. We have implemented two working exploits: one for dumping the content of SMRAM and the other one for arbitrary code execution in SMRAM. This is the third attack on SMM memory our team has found within the last 10 months, affecting Intel-based systems. It seems that current state of firmware security, even in case of such reputable vendors as Intel, is quite unsatisfying.

The potential consequence of attacks on SMM might include SMM rootkits [9], hypervisor compromises [8], or OS kernel protection bypassing [2].

Don’t worry, the shellcode we use in the exploit is totally harmless (have really no idea how some people concluded we were going to release an SMM rootkit today?) — it only increases an internal counter on every SMI and jumps back to the original handler. If you want something more fancy, AKA SMM rootkits, you might want to re-read Sherri’s and Shawn’s last year’s Black Hat paper and try writing something they describe there.

The attack presented in the paper has been fixed on some systems according to Intel. We have however found out that even the relatively new boards, like e.g. Intel DQ35 are still vulnerable (the very recent Intel DQ45 doesn’t seem to be vulnerable though). The exploit attached is for DQ35 board — the offsets would have to be changed to work on other boards (please do not ask how to do this).

Source:
http://theinvisiblethings.blogspot.com/2009/03/attacking-smm-memory-via-intel-cpu.html

Posted in Coding, Hardware, Linux, Security, Windows | No Comments

Researchers Make Wormy Twitter Attack

Computer security researchers have devised a new Twitter attack that they say could spread virally, much like a worm on the microblogging service.

The attack, posted online Thursday by researchers at Secure Science is an innocuous proof of concept that forces users to send out a predetermined twitter message, but it could be repurposed into a very nasty worm, said Lance James, chief scientist with Secure Science.

“You can couple an attack with our code and it would just tear the crap out of Twitter,” he said.

The hack is similar to a clickjacking attack that was making the rounds on Twitter last month. There, hackers used a sneaky technique to trick users into clicking on a link without realizing it. That link would post the Twitter message saying “don’t click” along with a URL.

This time around, Secure Science’s researchers found a way to take advantage of a Web programming error on Twitter’s support site to post the unwanted message. After a warning message, Secure Science’s test code posts the message: “@XSSExploits I just got owned!” to the victim’s profile.

A malicious user could do much worse with this bug, however, James said. The attack could be modified so that there was no warning screen, and it could be beefed up with a sensational message that users would be more likely to click. If it were combined with malicious browser attack code, it could be used to take control of victims’ machines, James said.

Source:
http://www.pcworld.com/businesscenter/article/161631/researchers_make_wormy_twitter_attack.html

Posted in Internet, Security | 1 Comment