Saturday, May 28, 2016

Cookie hijacking|Session hijacking|Cookie theft


Cookie hijacking is an attack in which the attacker gains unauthorized access to confidential information in a way that was neither intended by the user nor protected by a secure session.
Specifically, cookie hijacking means stealing the cookies that contain the confidential information needed to authenticate or connect a user to a remote web server.
Cookie hijacking can be performed by placing a computer between the user's node and the server, or by obtaining access to the cookies stored on the user's computer.
An attacker can also use source-routed IP packets to gain unauthorized access between two communicating nodes.
The attacker then routes the packets containing the cookies through his own computer before they reach their destination.
Cookie hijacking is sometimes also used to perform denial-of-service (DoS) attacks.

What is a cookie?
Cookies are usually small text files, given ID tags, that are stored in your browser's directory or program data subfolders. Cookies are created when you use your browser to visit a website that uses cookies to keep track of your movements within the site, help you resume where you left off, remember your registered login, theme selection, preferences, and other customization functions. The website stores a corresponding file (with the same ID tag) to the one it set in your browser, and in this file it can track and keep information on your movements within the site and any information you may have voluntarily given while visiting the website, such as an email address.
Cookies are often indispensable for websites that have huge databases, need logins, have customizable themes, or offer other advanced features.
Cookies usually don't contain much information except for the URL of the website that created the cookie, the duration of the cookie's abilities and effects, and a random number. Because of the small amount of information a cookie contains, it usually cannot be used to reveal your identity or personally identifying information. However, marketing is becoming increasingly sophisticated, and cookies can in some cases be aggressively used to create a profile of your surfing habits.
There are two types of cookies: session cookies and persistent cookies. Session cookies are created temporarily in your browser's subfolder while you are visiting a website. Once you leave the site, the session cookie is deleted. Persistent cookie files, on the other hand, remain in your browser's subfolder and are activated again once you visit the website that created that particular cookie. A persistent cookie remains in the browser's subfolder for the duration set within the cookie's file.

More on Cookies
A cookie is a small file of letters and numbers downloaded on to your computer when you access certain websites. Like virtual door keys, cookies unlock a computer's memory and allow a website to recognise users when they return to a site by opening doors to different content or services. Like a key, a cookie itself does not contain information, but when it is read by a browser it can help a website improve the service delivered.
Cookie files are automatically lodged into the cookie file - the memory of your browser - and each one typically contains:
·         The name of the server the cookie was sent from
·         The lifetime of the cookie
·         A value - usually a randomly generated unique number
The website server which sent the cookie uses this number to recognise you when you return to a site or browse from page to page. Only the server that sent a cookie can read, and therefore use, that cookie.
A cookie is a text-only string of information that a website transfers to the cookie file of the browser on the hard disk of computers so that the website can remember who you are.
A cookie will typically contain the name of the domain from which the cookie has come, the "lifetime" of the cookie, and a value, usually a randomly generated unique number. Two common types of cookies are used on most websites: session cookies, which are temporary cookies that remain in the cookie file of your browser until you leave the site, and persistent cookies, which remain in the cookie file of your browser for much longer (how long depends on the lifetime of the specific cookie).

Session cookie
A session cookie, also known as an in-memory cookie or transient cookie, exists only in temporary memory while the user navigates the website.[14] Web browsers normally delete session cookies when the user closes the browser.[15] Unlike other cookies, session cookies do not have an expiration date assigned to them, which is how the browser knows to treat them as session cookies.

Persistent cookie
Instead of expiring when the web browser is closed as session cookies do, persistent cookies expire at a specific date or after a specific length of time. This means that, for the cookie's entire lifespan (which can be as long or as short as its creators want), its information will be transmitted to the server every time the user visits the website that it belongs to, or every time the user views a resource belonging to that website from another website (such as an advertisement).
For this reason, persistent cookies are sometimes referred to as tracking cookies because they can be used by advertisers to record information about a user's web browsing habits over an extended period of time. However, they are also used for "legitimate" reasons as well (such as keeping users logged into their accounts on websites, to avoid re-entering login credentials at every visit).

Secure cookie
A secure cookie can only be transmitted over an encrypted connection (i.e. HTTPS). This makes the cookie less likely to be exposed to cookie theft via eavesdropping.

HttpOnly cookie
HttpOnly cookies can only be used when transmitted via HTTP (or HTTPS). They are not accessible through non-HTTP APIs such as JavaScript. This restriction eliminates the threat of cookie theft via cross-site scripting (XSS), while leaving the threats of cross-site tracing (XST) and cross-site request forgery (CSRF) intact.

Third-party cookie
Normally, a cookie's domain attribute will match the domain that is shown in the web browser's address bar. This is called a first-party cookie. Third-party cookies, however, belong to domains different from the one shown in the address bar. These sorts of cookies typically appear when web pages feature content, such as banner advertisements, from external websites. This opens up the potential for tracking the user's browsing history, and is often used by advertisers in an effort to serve relevant advertisements to each user.

As an example, suppose a user visits www.example.org. This web site contains an advertisement from ad.foxytracking.com, which, when downloaded, sets a cookie belonging to the advertisement's domain (ad.foxytracking.com). Then, the user visits another website, www.foo.com, which also contains an advertisement from ad.foxytracking.com/, and which also sets a cookie belonging to that domain (ad.foxytracking.com). Eventually, both of these cookies will be sent to the advertiser when loading their advertisements or visiting their website. The advertiser can then use these cookies to build up a browsing history of the user across all the websites that have ads from this advertiser.

As of 2014, some websites were setting cookies readable for over 100 third-party domains.[16] On average, a single website was setting 10 cookies, with a maximum number of cookies (first- and third-party) reaching over 800.[17]

Most modern web browsers contain privacy settings that can block third-party cookies.

Supercookie
A "supercookie" is a cookie with an origin of a Top-Level Domain (such as .com) or a Public Suffix (such as .co.uk). Ordinary cookies, by contrast, have an origin of a specific domain name, such as example.com.

Supercookies can be a potential security concern and are therefore often blocked by web browsers. If unblocked by the client computer, an attacker in control of a malicious website could set a supercookie and potentially disrupt or impersonate legitimate user requests to another website that shares the same Top-Level Domain or Public Suffix as the malicious website. For example, a supercookie with an origin of .com, could maliciously affect a request made to example.com, even if the cookie did not originate from example.com. This can be used to fake logins or change user information.
The Public Suffix List helps to mitigate the risk that supercookies pose. The Public Suffix List is a cross-vendor initiative that aims to provide an accurate and up-to-date list of domain name suffixes. Older versions of browsers may not have an up-to-date list, and will therefore be vulnerable to supercookies from certain domains.
The term "supercookie" is sometimes used for tracking technologies that do not rely on HTTP cookies. Two such "supercookie" mechanisms were found on Microsoft websites in August 2011: cookie syncing that respawned MUID (Machine Unique IDentifier) cookies, and ETag cookies.[18] Due to media attention, Microsoft later disabled this code.

Zombie cookie
Zombie cookies are cookies that are automatically recreated after being deleted. This is accomplished with the help of a client-side script. The script starts by storing the cookie's content in multiple locations, such as Flash local storage, HTML5 storage, and other client-side storage locations. When the script detects the cookie's absence, it recreates the cookie using the data stored in these locations.

Structure
A cookie consists of the following components:

Name
Value
Zero or more attributes
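As an added example (not code from the original post), the Python below parses a Set-Cookie header into the name, value and attributes just listed and reports the weaknesses discussed above: a cookie without Expires/Max-Age is a session cookie, a missing Secure or HttpOnly flag exposes it to eavesdropping or XSS theft, a Domain that does not match the address-bar host makes it third-party, and a Domain that is a public suffix makes it a supercookie. The public-suffix set is a constructed stand-in for the real Public Suffix List, and the sample cookies are constructed.

```python
# Constructed, deliberately tiny stand-in for the Public Suffix List (assumption:
# the real list is far larger and must be kept current, as the text notes).
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def parse_set_cookie(header):
    """Split a Set-Cookie header into name, value and a dict of lowercase attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_cookie(header, page_host):
    """Classify a cookie and list the weaknesses discussed above.

    page_host is the host shown in the address bar when the cookie was set.
    """
    name, value, attrs = parse_set_cookie(header)
    findings = []

    # Session vs persistent: a cookie with no Expires/Max-Age lives only in memory.
    persistent = "expires" in attrs or "max-age" in attrs
    kind = "persistent" if persistent else "session"

    if "secure" not in attrs:
        findings.append("no Secure flag: may be sent over plain HTTP (eavesdropping)")
    if "httponly" not in attrs:
        findings.append("no HttpOnly flag: readable by script (XSS cookie theft)")

    domain = attrs.get("domain", "").lstrip(".").lower()
    host = page_host.lower()
    if domain:
        if domain in PUBLIC_SUFFIXES:
            findings.append(f"supercookie: Domain={domain} is a public suffix")
        elif not (host == domain or host.endswith("." + domain)):
            findings.append(f"third-party cookie: Domain={domain} vs page {host}")

    return {"name": name, "kind": kind, "findings": findings}
```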


Tuesday, May 24, 2016

Cyber attack landscape

Cyber attack

Today's organizations continue to fall victim to sophisticated cyber attacks, including zero-day exploits and Advanced Persistent Threats (APTs). The following is the lifecycle of the cyber attacks that pose an imminent threat to organizations in both the public and private sectors.

Anything that has the potential to cause harm to the system is termed a threat. A threat gives rise to an attack, and an attack exploits a vulnerability to create an impact. The severity of the impact can be minimized by applying corrective controls. A corrective control is a control put in place to mitigate damage once a risk has materialized; for example, computer images are created so that if software gets corrupted, a clean image can be loaded.

The main function of all security controls is to reduce or minimize the damage once a risk has materialized. A deterrent control, which is intended to discourage a potential attacker, reduces the likelihood of an attack. A firewall is considered a preventive control, but if an attacker knows that it is in place, it also acts as a deterrent control.
Detective controls such as auditing of logs and endpoint security monitoring should be implemented together with preventive controls such as firewalls. Together these controls minimize the attack surface by closing loopholes.


A compensating control is an alternate control that provides protection similar to the original control but is used instead because it is more affordable or allows specifically required business functionality. This kind of control reduces the likelihood of an attack.

Sunday, May 22, 2016

Tiny banker aka Zusy| Banking Malware



Tinba

Tinba, short for Tiny Banker, is a banking Trojan built to steal banking details such as personal information and login credentials, or to trick victims into performing funds transfers.
When Tinba infects a computer and the user tries to log in to one of the targeted banks, Tinba's webinjects are launched. Depending on the targeted bank, victims are presented with fake web forms asking for personal information or login credentials, or with requests to perform a funds transfer. The notice may even try to convince the victim that a certain amount was deposited accidentally and must be refunded immediately.
This Trojan targets a large number of banks, including Bank of America, ING Direct and HSBC. The fake web form may look something like this.


Representation image
Mechanism
  • The victim visits a website infected with the exploit kit used to deliver Tinba, the Rig Exploit Kit (Flash or Silverlight exploits). If the victim's system is vulnerable, the exploit executes malicious code that downloads and runs the malware payload, the Tinba Trojan.
  • When the Trojan is executed, it copies itself to the following location:
%SystemDrive%\Documents and Settings\All Users\Application Data\default\bin.exe
  • The Trojan then modifies the following file to disable Mozilla Firefox warnings when visiting insecure sites:
%SystemDrive%\Documents and Settings\All Users\Application Data\Mozilla\Firefox\Profiles\[USER PROFILE NAME]\user.js
  • Next, the Trojan creates the following registry entry so that it executes whenever Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"default" = "%SystemDrive%\Documents and Settings\All Users\Application Data\default\bin.exe"
  • It then modifies the following registry entry to alter Internet Explorer settings:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\"1609" = "0"
  • Next, the Trojan injects itself into the following processes:
svchost.exe
explorer.exe
  • It then injects code into the following browsers:
chrome.exe
iexplore.exe
firefox.exe
  • The Trojan then ends the following processes:
svchost.exe
explorer.exe
  • Next, the Trojan monitors network traffic and records the captured information in the following file:
%SystemDrive%\Documents and Settings\All Users\Application Data\default\web.dat

  • The stolen information is then sent to one of the following command-and-control (C&C) servers:

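The following Python is an added example, not code from the original post or from any vendor. It parses a regedit-style export (a constructed sample is embedded) and flags the two registry indicators from the mechanism above: the Run value that points at default\bin.exe, and the Internet-zone value 1609 forced to 0.

```python
import re

# Constructed regedit-style export (assumption: not taken from a real host).
SAMPLE_REG_EXPORT = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\me\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"default"="C:\\Documents and Settings\\All Users\\Application Data\\default\\bin.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1609"=dword:00000000
"""

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
ZONE3_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
# Image path the post documents for the Trojan's copy of itself.
TINBA_BIN = re.compile(r"Application Data\\+default\\+bin\.exe$", re.I)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from regedit export text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip().strip('"')
    return keys


def find_tinba_indicators(text):
    """List the two registry indicators from the mechanism section, if present."""
    keys = parse_reg_export(text)
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        if TINBA_BIN.search(data):
            findings.append(f"Run persistence: \"{name}\" = {data}")
    val = keys.get(ZONE3_KEY, {}).get("1609")
    # 1609 is the Internet-zone "Display mixed content" action; 0 means enabled,
    # so the injected form can load without the mixed-content prompt.
    if val is not None and val.lower() in ("dword:00000000", "0"):
        findings.append("IE Internet zone: 1609 (display mixed content) forced to 0")
    return findings
```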


Recommendations

  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Use a firewall to block all incoming connections from the Internet. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Always use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off and remove unnecessary services.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up to date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • Configure your email server to block or remove email that contains file attachments commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.



Friday, May 20, 2016

GHOST| CVE-2015-0235

GHOST: glibc vulnerability (CVE-2015-0235)




GHOST is a heap-based buffer overflow vulnerability that can be triggered both locally and remotely via the gethostbyname*() functions in the GNU C Library (glibc). All versions of glibc shipped with all variants of Red Hat Enterprise Linux are affected.


Background Information

GHOST is a heap-based buffer overflow bug affecting the gethostbyname() and gethostbyname2() function calls in the glibc library. These functions are used for DNS resolution by many applications, so in theory any application that uses them (practically any application that goes online) is at risk of being exploited. To exploit this vulnerability, an attacker must trigger the buffer overflow by supplying an invalid hostname argument to an application that performs a DNS resolution.


Determining Vulnerability

You can use the C code below to test whether a system is affected by the GHOST vulnerability.


/* ghostvtest.c:  GHOST vulnerability tester */
/* Credit: http://securityfunda.blogspot.com */
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define CANARY "in_the_coal_mine"

/* The canary sits directly after the buffer handed to gethostbyname_r();
   a vulnerable glibc overruns the buffer and overwrites it. */
struct {
  char buffer[1024];
  char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

int main(void) {
  struct hostent resbuf;
  struct hostent *result;
  int herrno;
  int retval;

  /* Hostname length that fills the buffer exactly:
     strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1 */
  size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
  char name[sizeof(temp.buffer)];
  memset(name, '0', len);   /* all digits, so glibc treats the name as a numeric address */
  name[len] = '\0';

  retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);

  if (strcmp(temp.canary, CANARY) != 0) {
    puts("vulnerable");        /* the canary was overwritten */
    exit(EXIT_SUCCESS);
  }
  if (retval == ERANGE) {
    puts("not vulnerable");    /* a patched glibc reports the buffer as too small */
    exit(EXIT_SUCCESS);
  }
  puts("should not happen");
  exit(EXIT_FAILURE);
}
Compile and run it as

$ gcc ghostvtest.c -o ghostvtest
$ ./ghostvtest


How to list packages/applications that depend upon the vulnerable glibc?

Use the following lsof pipeline; it prints the names of running processes that have libc mapped:

lsof | grep libc | awk '{print $1}' | sort | uniq



Affected Version:

Glibc version 2.18 & before (released August ) is vulnerable. You can check the glibc version on RHEL with the ldd command (ldd --version).


Resolution

To eliminate the possibility of an exploit:
1.    Update the glibc and nscd packages on your system using the packages released 
2.    Reboot the system to let the changes come into effect.

Thursday, May 19, 2016

Stuxnet|Malware|Rootkit



Stuxnet- CVE-2010-2568


Stuxnet is a highly sophisticated piece of malware designed to sabotage the normal functioning of critical systems. In contrast to the somewhat indiscreet approach used to gain access to these sensitive systems, the sabotage itself is intended to be very discreet. To reach its target, Stuxnet exploits at least four zero-day vulnerabilities (all since corrected by Microsoft) in different versions of Windows, as well as the well-known MS08-067 vulnerability that was corrected several years ago.
To reach its target quickly, the malware also uses a default password defined within certain SCADA (Supervisory Control And Data Acquisition) systems based on the Siemens SIMATIC WinCC software.

How Stuxnet Works

This worm was created mainly to sabotage the Iranian nuclear program. Once installed on a PC, Stuxnet uses Siemens' default passwords to gain access to the systems running the WinCC and PCS 7 software, which control and modify the code of the PLCs (programmable logic controllers) that drive the machines themselves.

Source: http://spectrum.ieee.org


Stuxnet operates in two stages after infection, according to Symantec Security Response Supervisor Liam O'Murchu. First it uploads configuration information about the Siemens system to a command-and-control server. Then the attackers are able to pick a target and actually reprogram the way it works. "They decide how they want the PLCs to work for them, and then they send code to the infected machines that will change how the PLCs work," O'Murchu said.

Spreading Mechanism:
·        USB Drive Infection
Stuxnet creates a new hidden window named "ABCDhJk" and is notified of any new USB flash memory inserted into the computer by waiting for the "WM_DEVICECHANGE" Windows message.
After being notified that a new drive (USB flash memory) has been added, Stuxnet writes 6 files to the flash drive: 4 shortcut files,
Copy of Shortcut to.lnk
Copy of Copy of Shortcut to.lnk
Copy of Copy of Copy of Shortcut to.lnk
Copy of Copy of Copy of Copy of Shortcut to.lnk
and 2 executable files (DLL files):
~WTR4141.tmp
~WTR4132.tmp
These malformed shortcut files exploit a vulnerability in the Windows Shell, CVE-2010-2568 (MS10-046), the Windows Shell LNK vulnerability. It is not a buffer overflow; it stems from the unsafe way Windows loads icons for LNK files.

·       Spreading via Network

Stuxnet spreads via the network using one of two vulnerabilities:
CVE-2008-4250 (MS08-067): Windows Server Service NetPathCanonicalize() vulnerability
CVE-2010-2729 (MS10-061): Windows Print Spooler Service vulnerability
The first vulnerability is not a zero-day; it was already known and had been used before by Conficker. Using it, Stuxnet looks for C$ and Admin$ shares on remote systems, then copies itself as a file named "DEFRAGxxxxx.TMP" into the first writable directory found on the share.
It then tries to execute the command:
 rundll32.exe "DEFRAGxxxxx.TMP",DllGetClassObjectEx

The second vulnerability was a zero-day. It was first described by Carsten Kohler in Hakin9 security magazine 04-2009 in an article named "Print Your Shell", and it was not used in the wild until Stuxnet. It allows a guest user account that can talk to a machine with a shared printer to write a file into that machine's system directory.
The Windows printing APIs let the caller choose the directory the file is copied to; with the API "GetSpoolFileHandle" the file handle of the newly created file on the target machine is obtained, after which the ReadFile and WriteFile APIs can copy the file onto the target machine.
Stuxnet copies 2 files onto the target machine:
Windows\System32\winsta.exe
Windows\System32\wbem\mof\sysnullevnt.mof
The first file is the Stuxnet dropper and the second is a Managed Object Format file which (under some conditions) executes winsta.exe, the Stuxnet dropper.
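Added example (not from the original post): a Python check that scans a removable drive's file listing for the USB drop set described above, the nested "Copy of ... Shortcut to.lnk" files and the two ~WTRnnnn.tmp DLLs. The listing is constructed; on a real system the names would come from a directory listing of the drive's root.

```python
import re

# Constructed listing of a removable drive's root (file names only; assumption:
# not a real sample, just the names the post documents plus harmless files).
SAMPLE_LISTING = [
    "holiday.jpg",
    "Copy of Shortcut to.lnk",
    "Copy of Copy of Shortcut to.lnk",
    "Copy of Copy of Copy of Shortcut to.lnk",
    "Copy of Copy of Copy of Copy of Shortcut to.lnk",
    "~WTR4141.tmp",
    "~WTR4132.tmp",
    "report.docx",
]

# Nested "Copy of ... Shortcut to.lnk" names, one or more "Copy of " prefixes.
LNK_RE = re.compile(r"^(?:Copy of )+Shortcut to\.lnk$", re.I)
# The two DLL droppers carried a ~WTRnnnn.tmp name.
TMP_RE = re.compile(r"^~WTR\d{4}\.tmp$", re.I)


def scan_removable_listing(names):
    """Return the matching names and a verdict for a drive's file listing."""
    lnks = sorted(n for n in names if LNK_RE.match(n))
    tmps = sorted(n for n in names if TMP_RE.match(n))
    if len(lnks) >= 4 and len(tmps) >= 2:
        verdict = "matches the documented Stuxnet USB drop set"
    elif lnks or tmps:
        # Even one crafted LNK is worth a look: the icon loads as soon as
        # Explorer displays the folder, so do not browse the drive first.
        verdict = "partial match: inspect offline before opening in Explorer"
    else:
        verdict = "clean"
    return {"lnk": lnks, "tmp": tmps, "verdict": verdict}
```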

Recommendations
Some suggestions that can be considered to prevent a Stuxnet infection:

  • Restrict file sharing through USB drives via Active Directory or endpoint security solutions (for enterprises).

  • Disable autorun features in Windows so that removable devices do not execute when they are inserted into a computer.

  • Patch the operating system and software. Installing the following patches will reduce the risk to your computer:

      ->   Microsoft Security Bulletin MS10-046
      ->   Microsoft Security Bulletin MS08-067
      ->   Microsoft Security Bulletin MS10-061

  • Address blocking: block access to the following addresses using a firewall or router, or add entries to the local hosts file that redirect them to 127.0.0.1:

      ->   www.mypremierfutbol.com
      ->   www.todaysfutbol.com

  • If the registry entries below are found, take immediate action: isolate the system, perform a full malware analysis and delete the entries.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls\"ImagePath" = "%System%\drivers\mrxcls.sys"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet\"ImagePath" = "%System%\drivers\mrxnet.sys"

  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.



