PostgreSQL database fixes “persistent denial-of-service” bug

Maintainers of the PostgreSQL open-source database have patched a vulnerability that allowed attackers to corrupt files and in some cases, execute malicious code on underlying servers.

The bug, categorized as CVE-2013-1899, opened users to "persistent denial-of-service" attacks, in which unauthenticated hackers could corrupt files in a way that caused the database server to crash and refuse to reboot. Affected servers could only be restarted by removing garbage text from the files or by restoring them from a backup. Versions 9.0, 9.1, and 9.2 are all vulnerable.

The bug also allowed limited users of a PostgreSQL database to escalate their privileges when it was configured in a way that assigned the same name to the user and the database. When those conditions are met "then this vulnerability may be used to temporarily set one configuration variable with the privileges of the superuser," PostgreSQL maintainers wrote. Such users who also had the ability to save files to the system could also execute malicious code, except in cases where the database is running on the SELinux operating system.

Read 1 remaining paragraphs | Comments

Malware spread on Skype taps victim PCs to mint bitcoins

Bitcoin mining takes a lot of computing power—so naturally someone created a piece of malware to mine on other people's computers.
Kaspersky Lab

As the value of bitcoins skyrockets, security researchers have discovered yet another piece of malware that harnesses the processing power of compromised PCs to mint the digital currency.

BTCs, as individual bitcoin units are known, have recently traded as high as $130, about four times their value from February. In Bitcoin vernacular, BTCs are "mined" by computers that solve cryptographic proof-of-work problems. For each correct block of data submitted, contributors are collectively rewarded with 50 25 bitcoins. Legitimate participants, who typically receive a percentage of the reward based on the number of blocks processed, often use powerful systems with multiple graphics processors to streamline the process.

But scammers spreading malware on Skype are taking a decidedly more nefarious approach. Their malicious code hijacks a computer's resources to mine BTC, according to a blog post published Thursday by a researcher from Kaspersky Lab. While the bitcoin-miner.exe malware harnesses only the CPU resources, which are much slower than GPUs in BTC mining, the attackers have the benefit of infecting many computers and then chaining them together to mint the digital currency. Unlike legitimate miners, the criminals don't have to pay the purchase price of the hardware or pay for the electricity to run them.

Read 4 remaining paragraphs | Comments

Bitcoin wallet service Coinbase faces phishing attacks after data leak

Bitcoin wallet service Coinbase has publicly, and presumably accidentally, exposed information about its merchants' names, e-mail addresses, and product details on the Coinbase website. The exposed e-mail addresses have become the target of phishing attacks. Update: Coinbase says only certain Coinbase merchants had their email addresses exposed. No transaction receipts were leaked, as this story originally stated. See below for details.

Coinbase, a Y Combinator-backed startup, is a popular service for holding users' bitcoins. At the time of this writing, the leaked information was still showing up in Google searches of the Coinbase site:

The URLs of the pages label them "checkouts," and they appear to be transaction receipts. One was a 0.05 BTC ($6.85) transaction labeled as a donation. Another was a $980 transaction for "8 managed VPS hosts" from a company called cachedd. A third was a 229.99 BTC ($31,508) transaction for "AVALANCHE SPA POWDER."

Read 6 remaining paragraphs | Comments

Shylock Beefing Up and Looking for New Business Opportunities

Shylock (a.k.a. The Merchant of Malice) is one of the most sophisticated banking Trojan horse programs presently occupying the financial fraud threat landscape. From its humble beginnings in 2011, it has seen increased infections in the United Kingdom, Italy, and the United States. This is consistent with the increased number of targeted financial institutions over that time period. Shylock is currently targeting over 60 financial institutions with the majority of them operating in the United Kingdom.

The main purpose of Shylock is to perform a man-in-the-browser (MITB) attack against a configured list of target organization websites. The attack is used to steal user credentials and apply social engineering tactics in order to convince the user to perform fraudulent transactions at the target institution.

 

Additional modules
Recently, Shylock has begun downloading and executing complementary modules in order to beef up its functionality. The following modules have been developed and are being downloaded by the threat.

  • Archiver (compresses recorded video files before uploading them to remote servers)
  • BackSocks (enables the compromised computer to act as a proxy server)
  • DiskSpread (enables Shylock to spread over attached, non-fixed, drives)
  • Ftpgrabber (enables the collection of saved passwords from a variety of applications)
  • MsgSpread (enables Shylock to spread through Skype instant messages)
  • VNC (provides the attacker with a remote desktop connection to the compromised computer)

 

Infrastructure
The Trojan employs a robust infrastructure that allows for redundancy and load-balancing during periods of high traffic, whereby servers will redirect compromised computers to another server depending on the number of incoming connections.

The first level of servers belonging to this threat has been identified and can be categorized into the following three groups:

  1. Central command-and-control (C&C) servers (responsible for botnet control and maintenance)
  2. VNC and Backsocks servers (enable remote control during transactions)
  3. JavaScript servers (allow remote Webinjects during MITB attacks)

Server_image.png

Figure 1. Groups of servers utilized in Shylock’s infrastructure

These are proxy servers that are used to control the main component. The main purpose of these servers is to maintain the Shylock infection base by providing the following updated configuration files and modules to compromised computers:

  • Binary files
  • A hijackcfg module
  • A httpinject module

When a compromised computer performs one of the new, additional modules, it sends a report log to the C&C server. These logs are then redirected to the appropriate server using encrypted communication—the servers act as a secure socket layer (SSL) to each other. The servers use the following protocols when communicating with each other:

  • SSH is fingerprinted as ''Debian 6'' (''OpenSSH 5.5p1 Debian 6+squeeze1 (protocol 2.0)'')
  • HTTPS response includes ''CentOS'' (''Server: Apache/2.2.15 (CentOS)'')

Five central C&C servers are currently controlling the Shylock botnet. These servers are situated in Germany and the United States at various hosting providers.

 

Evidence of a strain migration
At first, Shylock was specifically targeting computers located in the United Kingdom but it is now spreading to other countries. Also, as some financial institutions become less desirable as targets, either due to increased security measures or a lack of high-value business accounts, Shylock is refocusing its attacks on those offering potentially larger returns.

first_graph.png

Figure 2. Computers infected with Shylock between 2011 and 2013

second_graph.png

Figure 3. Targeted sectors

We expect to see new iterations of this threat in the wild and are continuing to monitor the threat landscape.

Symantec Protection

As always, we recommend that you follow best security practices and ensure that you have the most up-to-date software patches in place, and that you use the latest Symantec technologies and virus definitions to ensure that you have the best protection against threats.