Security Researcher Uncovers Massive eCrime Attack

October 13th, 2008

Neosploit, a crimeware kit thought by some security experts to have been retired, has reared its ugly head again, and may have been used in one of the biggest organized crimeware attacks in history. Ian Amit, a security researcher investigating the possible resurrection of the notorious kit, discovered a server hosting the login credentials of more than 200,000 servers in more than 86 countries around the world. According to Amit, he has uncovered evidence suggesting that 80,000 legitimate web sites from dozens of countries have been infected with the malware, which in turn infects visitors to these sites with various Trojans and other malware.

Last April, the Neosploit development team announced that it was discontinuing support and development of the kit, despite the success of the "product," citing concerns with the ongoing viability of the business. Now it appears that this statement was a ruse designed to buy the gang some time to perfect the next release of the kit. The latest discoveries by Amit and his crew indicate that a new version was used to compromise the data of millions of users across hundreds of thousands of systems. These include major overseas weapons manufacturers, the U.S. Postal Service, Fortune 500 companies, universities, and government departments.

Amit is working with US-CERT (a department of Homeland Security) as well as other local and international law enforcement agencies to investigate and shut down the servers operated by these criminals, and to notify and work with infected enterprises to clean up their systems.


Author: Christopher


Your DNS is Vulnerable!

July 9th, 2008

There are currently known vulnerabilities in DNS servers across all implementations. These vulnerabilities are not vendor-specific; in fact, all DNS distributions are vulnerable. I recommend all organizations develop an action plan immediately to identify and patch all DNS servers, applications, and clients on all networks in your control.

These vulnerabilities expose unpatched DNS servers to DNS cache poisoning, which can affect proper email delivery and which website you actually reach when entering a URL into a browser.

DNS specifically calls for a 16-bit transaction ID field, which would require 32,768 "guesses" to predict the ID. Many implementations use a smaller number of bits, and thus would require considerably fewer guesses.

US-CERT has an excellent write up on this vulnerability here.

You can find patch specifics for Microsoft here.

If you are running BIND 8, there is currently no solution and no plan to fix this problem for that platform; it is highly recommended that you immediately look at upgrading to BIND 9.

If you only apply one patch in 2008, this should be it!

If you are using DNS from your ISP, you may still be vulnerable!

To assist organizations in containing this issue, I put together a few action steps to get everyone on track.

  1. Identify all DNS servers on your network and on any networks you are responsible for. To be sure, you may want to run a port scan for anything listening on UDP port 53.
  2. Identify the vendor responsible for each and every DNS server found in step 1.
  3. Refer to US-CERT for links to each vendor's patch documentation.
  4. Patch all servers.
  5. Repeat for all DNS clients, although these patches are more focused on DNS servers.

It is highly recommended all servers be patched before the Black Hat convention on August 6th when more information will be disclosed.

UPDATE:

You can check your upstream DNS Servers here:
http://www.doxpara.com/
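The doxpara page tests your upstream resolver from the outside. The following added example (not from the original post or from doxpara) applies the same two checks offline to constructed samples of a resolver's outgoing queries: whether the 16-bit transaction ID is predictable, and whether the source port is fixed rather than randomized (source port randomization is what the July 2008 patches added to widen the guess space). The packet builder, the sample ports and IDs, and the `assess_resolver` heuristic are all assumptions for illustration.

```python
import struct

def build_query(txid, qname):
    """Construct a minimal DNS query: 12-byte header plus one A/IN question."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.split("."))
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set, QDCOUNT=1
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)

def parse_txid(payload):
    """The transaction ID is the first 16-bit big-endian field of the DNS header."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack(">H", payload[:2])[0]

def assess_resolver(queries):
    """queries: list of (source_port, dns_payload) observed leaving the resolver.
    Flags a fixed source port and a transaction ID that advances by a constant
    step, the two properties that make the 16-bit ID cheap to guess."""
    if len(queries) < 3:
        raise ValueError("need several queries to judge randomness")
    ports = [p for p, _ in queries]
    txids = [parse_txid(d) for _, d in queries]
    deltas = {(b - a) & 0xFFFF for a, b in zip(txids, txids[1:])}
    fixed_port = len(set(ports)) == 1
    sequential_txid = len(deltas) == 1  # same increment (e.g. +1) on every query
    return {
        "fixed_source_port": fixed_port,
        "sequential_txid": sequential_txid,
        "needs_patch": fixed_port or sequential_txid,
    }

# Constructed samples (hypothetical): an unpatched resolver that always sends
# from port 53 with incrementing IDs, and a patched one with both randomized.
WEAK = [(53, build_query(0x1000 + i, f"host{i}.example.com")) for i in range(6)]
PATCHED_PORTS = [49231, 61077, 33910, 55502, 40118, 58765]
PATCHED_TXIDS = [0x3F2A, 0x91C4, 0x0B77, 0xE013, 0x5A8E, 0xC6D1]
PATCHED = [(p, build_query(t, "host.example.com"))
           for p, t in zip(PATCHED_PORTS, PATCHED_TXIDS)]

if __name__ == "__main__":
    print("unpatched resolver:", assess_resolver(WEAK))
    print("patched resolver:  ", assess_resolver(PATCHED))
```

To use this against a real resolver, capture its outbound UDP/53 queries (for example with a packet capture on the resolver host) and feed the (source port, payload) pairs to `assess_resolver`.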


Author: Christopher
