Oracle issues rare out-of-band update for Apache DDoS vulnerability

Oracle, the giant enterprise database company – and, of course, owner of the erstwhile Sun Microsystems – has just published an out-of-band security update.

This is only the fifth time Oracle has issued an alert outside its routine quarterly patch cycle since introducing its own version of Patch Tuesday at the start of 2005.

The update introduces an updated version of the Apache web server, httpd, to Oracle’s Fusion Middleware and Application Server products. The former product includes Apache httpd 2.2; the latter includes Apache httpd 2.0.

Apache httpd was recently discovered to be vulnerable to an easily-exploited denial of service attack. The vulnerability, CVE-2011-3192, allowed even a single web client to trigger a huge number of simultaneous requests for large amounts of data. The flaw was exploited by sending a request for multiple parts of the same file at the same time.

(The Range feature of the HTTP protocol was intended to make it easy for web clients to restart interrupted downloads where they left off, or to permit large files to be fetched piecemeal and stitched together later. Apache httpd made it easy to misuse this feature by tolerating redundant Range requests which asked for many large and overlapping parts of a single file.)

Oracle doesn’t say on its public-facing web pages exactly how it patched the flawed Apache versions in its products.

The Apache Software Foundation has actually issued two official patches for httpd 2.2 relevant to the so-called byte-range flaw. Version 2.2.20 came out at the end of August, but that patch was recently superseded by 2.2.21, which is in effect a patch for the 2.2.20 patch. Apache describes 2.2.21 as “[including] fixes to the patch introduced in release 2.2.20 for protocol compliance, as well as the MaxRanges directive.”
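A defender-side way to check a Range header for the pattern the paragraphs above describe (far too many byte ranges in one request, or ranges that overlap), as an added Python example that is not Apache's code: the parse_ranges, count_overlaps and assess_range_header names and the 200-range limit are assumptions of this illustration.

```python
"""Defender-side check for the byte-range pattern behind CVE-2011-3192: one request
whose Range header lists many, often overlapping, byte ranges. Added illustration,
not Apache code; the count limit plays the role of httpd's MaxRanges directive."""
import re
from typing import List, Optional, Tuple

_BYTES_RE = re.compile(r"^\s*bytes\s*=\s*(.*)$", re.IGNORECASE)
ByteRange = Tuple[Optional[int], Optional[int]]  # (first, last); suffix form is (None, n)

def parse_ranges(header: str) -> List[ByteRange]:
    """Parse 'bytes=0-99,200-,-500' into (first, last) tuples per RFC 2616 14.35."""
    m = _BYTES_RE.match(header)
    if not m:
        raise ValueError("not a bytes= Range header")
    out: List[ByteRange] = []
    for spec in m.group(1).split(","):
        spec = spec.strip()
        if not spec:
            continue
        first, sep, last = spec.partition("-")
        if not sep:
            raise ValueError(f"malformed range spec {spec!r}")
        if first == "":                        # suffix range: the last n bytes
            out.append((None, int(last)))
        else:                                  # open-ended 'n-' means to end of entity
            out.append((int(first), int(last) if last else None))
    return out

def count_overlaps(ranges: List[ByteRange], size: int) -> int:
    """Resolve ranges against the entity size, sort them, and count ranges that
    overlap the one sorted before them; a well-behaved resume client yields 0."""
    resolved = []
    for first, last in ranges:
        if first is None:
            resolved.append((max(0, size - last), size - 1))
        else:
            resolved.append((first, size - 1 if last is None else min(last, size - 1)))
    resolved.sort()
    return sum(1 for i in range(1, len(resolved)) if resolved[i][0] <= resolved[i - 1][1])

def assess_range_header(header: str, size: int, max_ranges: int = 200) -> dict:
    """Flag a request that exceeds max_ranges or asks for overlapping pieces.
    The 200 default is an assumption here, taken from Apache's MaxRanges docs."""
    ranges = parse_ranges(header)
    overlaps = count_overlaps(ranges, size)
    return {"ranges": len(ranges), "overlaps": overlaps,
            "flagged": len(ranges) > max_ranges or overlaps > 0}
```

A single resume request such as `bytes=500-` passes; a request listing hundreds of ranges, or ranges that cover each other, is what a limit like MaxRanges is meant to refuse.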

It’s not clear whether Oracle’s out-of-band fix includes the patch-to-the-patch, which appeared only three days ago.

And the previous official Apache httpd version, 2.0, hasn’t been patched since May, when 2.0.64 came out. Oracle, one assumes, has done its own back-port of the fix it applied to 2.2.

The fact that a patch-to-the-patch was necessary will no doubt cause more conservative IT administrators to say, “See. I told you that patches should never be rushed.”

In this case, however, I consider the glass half-full, not half-empty. I’d argue that the first patch greatly improved the situation, despite being imperfect. The second patch simply improved the improvement further.

However conservative you might be, if you’re an Oracle user, this patch is definitely recommended in a hurry. The general unwillingness of Oracle to deviate from its once-every-three-months patch cycle spells one word, “Importance.”

As Oracle itself points out, in bold characters:

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Security Alert fixes as soon as possible.

Sysadmins, there you have it. A little something for the weekend!

Pay-per-Install Malware Tries New Business Model

In an age in which money is king, I was surprised to discover this week a new forum that offers a lot of malware for free. I found a post, below, as well as various announcements on the Net that call this site a botnet paradise.

Curious, I attempted to register. After a one-day wait, I was able to reach the packages. This forum was just created and was open to registration for seven days (from September 9 to 15). After this date it will become private, according to a decision taken by a majority of its subscribers.

For now, most of the posts are from the site administrator and a few global moderators. Initial topics unconcerned with sales are just copied from other blogs (recent or old) without any credit for the authors. In the sellers’ areas, the most interesting offers appear in the next image.

People searching for pay-per-install offers are directed to statsbusiness.net and Best AV. Statsbusiness seems to be the new label for InstallConverter, an old affiliate platform analyzed in depth by Kevin Stevens at BlackHat 2010. Statsbusiness requires an invitation code to join. This code is freely given in a post.

It shouldn’t be necessary to introduce Best AV. In July, international law enforcement struck hard at the underground scareware (fake AV) market. Best AV disconnected its site from the web after explaining it was “impossible to pay advertisers on time and in full.” Now we find Best AV appearing at a new URL, showing the business is continuing.

The pay-per-install forum sponsors services that will install malware for a price. Many countries are available, though not Russia and some others in Eastern Europe. The four offers I quoted (in the image) refer to installation services whose websites were recently unavailable. I suspect all these services reach a unique group that is engaged in designing a new business model they hope will be more discreet.

Pay-per-install businesses can be temporarily compromised by welcome law enforcement action, but the crooks will always find a way to return.

SpyEye targeting Android users – just a copy of Zeus’s strategy?

In the world of Windows malware, SpyEye is a widespread malicious toolkit for creating and managing botnets. It is designed primarily for stealing banking credentials and other confidential information from infected systems.

SpyEye is a major competitor of the infamous Zeus toolkit.

Zeus (also known as ZBot) generated a lot of interest in the mobile security community a couple of months ago when an Android version was discovered.

Of course, we did not have to wait long before a version of SpyEye targeting Android was also developed, and sure enough a malicious SpyEye Android app was discovered a few days ago.

The functionality of Zeus and SpyEye on Windows is quite similar, so I was curious as to how similar their respective Android versions would be.

Zeus for Android purports to be a version of Trusteer Rapport security software. This social engineering trick is used in an attempt to convince the user that the application they are installing is legitimate.

SpyEye for Android, now detected by Sophos products as Andr/Spitmo-A, uses a slightly different but similar social engineering technique.

When the user of a PC infected by the Windows version of SpyEye visits a targeted banking website, and when the site is using mobile transaction authorization numbers, the SpyEye Trojan may inject HTML content which will instruct the user to download and install the Android program to be used for transaction authorisation.

The SpyEye application package does not show up as an icon in the “All apps” menu, so the user will only be able to find the package when “Manage Applications” is launched from the mobile device’s settings.

The application uses the display name “System” so that it seems like a standard Android system application.

SpyEye for Android installed

When installed, Zeus for Android displayed a fake activation screen, and Spitmo is again very similar.

However, Spitmo uses different tactics to convince the user that it is a legitimate application.

It applies for the following Android permissions:

android.provider.Telephony.SMS_RECEIVED
android.intent.action.NEW_OUTGOING_CALL

This allows the malware to intercept outgoing phone calls.

When a number is dialed, the call is intercepted before the connection is made and the dialed phone number is matched to a special number specified by the attacker in the alleged helper application installation instructions.

If the number matches, Spitmo displays a fake activation number, which is always 251340.

SpyEye for Android - fake activation

Once installed, the functionality of Zeus and SpyEye is pretty much the same.

A broadcast receiver intercepts all received SMS text messages and sends them to a command and control server using an HTTP POST request. The submitted information includes the sender’s number and the full content of the message.
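The traits described above (receivers registered for the two actions, no icon under “All apps”, the display name “System”) can be checked in a decoded AndroidManifest.xml. This is an added Python example, not Sophos’s detection logic; the triage_manifest function, the GENERIC_LABELS list and the sample manifest are constructed for illustration and not taken from the Spitmo sample.

```python
"""Triage a decoded AndroidManifest.xml for the traits described above: receivers
registered for SMS_RECEIVED and NEW_OUTGOING_CALL, no launcher activity (hence no
icon under 'All apps') and a generic label such as 'System'. Added illustration,
not Sophos detection logic; the manifest below is constructed, not the Spitmo sample."""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
WATCHED_ACTIONS = {
    "android.provider.Telephony.SMS_RECEIVED",
    "android.intent.action.NEW_OUTGOING_CALL",
}
GENERIC_LABELS = {"system", "android", "settings"}  # assumed list of innocuous-looking names

def triage_manifest(xml_text: str) -> dict:
    """Return the indicators found and a verdict: suspicious when both watched
    actions are registered by receivers and the app has no launcher entry."""
    app = ET.fromstring(xml_text).find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    receiver_actions = {a.get(ANDROID + "name") for r in app.iter("receiver") for a in r.iter("action")}
    has_launcher = False
    for act in app.iter("activity"):
        for f in act.iter("intent-filter"):
            actions = {a.get(ANDROID + "name") for a in f.iter("action")}
            cats = {c.get(ANDROID + "name") for c in f.iter("category")}
            if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
                has_launcher = True
    label = app.get(ANDROID + "label", "")
    hits = sorted(receiver_actions & WATCHED_ACTIONS)
    return {
        "watched_actions": hits,
        "has_launcher_icon": has_launcher,
        "generic_label": label.strip().lower() in GENERIC_LABELS,
        "suspicious": len(hits) == len(WATCHED_ACTIONS) and not has_launcher,
    }

# Constructed sample manifest mirroring the traits in the write-up (not a real APK).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <application android:label="System">
    <receiver android:name=".SmsReceiver">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
    <receiver android:name=".CallReceiver">
      <intent-filter><action android:name="android.intent.action.NEW_OUTGOING_CALL"/></intent-filter>
    </receiver>
  </application>
</manifest>
"""
```

Run against a manifest pulled from a decoded APK, the same checks apply unchanged; the verdict is a triage hint, not a detection signature.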

So far, it does not seem that this attack is widespread, but it shows that the developers of major malicious toolkits are closely watching their competition and matching the latest features.

It also seems that support for Android is increasingly becoming an important part of their product strategy.


Fake FBI Anonymous psychological profile: a lesson to all internet users

The faceless power of Anonymous rages on.

Like headless horsemen, they gallop across the internet, intent on causing massive headaches and embarrassment for some, while keeping their fans and the media informed via social media.

Sounds even too good for a Hollywood movie plot. You couldn’t make it up.

But it turns out that someone did make up the recently disclosed FBI document ‘Psychological Profile of the Anonymous Key Personalities’ [PDF].

And the story was covered by several reputable media outlets, though admittedly some voiced skepticism.

On September 8, Anonymous used Twitter and Tumblr to distribute the fake document.

The question is why did anyone ever think it was real?

  • Why would Anonymous leak a document that would put their esteemed leaders at risk?
  • Why would the FBI actually use Wikipedia as their sole information source for Anonymous’s background?
  • The codename for the field informant is Marotte (which means prop stick, dummy head or fad).
  • Looking at the copious typos and grammar glitches in the document, would the FBI have a profiler without a basic grasp of written communication?

Fake FBI profile of Anonymous

So all this made us at Naked Security a bit suspicious at the time. So it’s no surprise that this so-called FBI document turns out to be a fake.

The thing is though, it does make for interesting lunchtime reading. I absolutely love some of the profiles in this faux document.

It defines “Kayla” as a violent, amoral bisexual with an inferiority complex, and “Topiary” as a youthful, obsessive idealist, possibly afflicted with Asperger’s.

Forgive the quasi-psychology here – couldn’t a fake document, if indeed it is written by the Anonymous leaders, be used to help the FBI and other authorities better understand the collective? What seems like nonsense to its authors could accidentally reveal some interesting insights for those that analyse and pigeon-hole personalities.

That said, some of you might remember that great article by Malcolm Gladwell where he concludes that criminal profiling isn’t all that helpful to the capture of wanted criminals.

So what is the upshot? Whoever wrote this didn’t waste the FBI’s time with the forgery, because the Bureau must have known from the get-go that it did not originate from its own team.

Those responsible for the document did however manage to get the internet, media and bloggers yakking about it. Yes, even me. Anonymous has notoriety because many people have written about it. And if Anonymous did indeed pull this together, they have just lied to their online followers. Tsk tsk.

Please, can we all make sure we take this collective’s word with a grain of salt next time?