Month: April 2013

“Given that these are dynamically generated, there would be no viable means to do a search to ferret them out on Google, etc.,” Mary Landesman a senior security researcher for Cisco Systems’ TRAC team, told Ars.

Referring to the rogue Apache modules that are injected into infected sites, he added, “Since late 2012 people have sent me new versions of the malicious modules, so this malware is in active development, which means that it pays off well and the number of infected servers can be high (especially given the selectivity of the malware that prefers to stay under the radar rather than infecting every single visitor).”

According to recent blog posts published here and here by researchers from security firm Securi, Darkleech uses rogue Apache modules to inject malicious payloads into the webpages of the sites it infects and to maintain control of compromised systems. They note the third-party attack sites host malicious code from the Blackhole exploit kit, a suite of tools that targets vulnerabilities in Oracle’s Java, Adobe’s Flash and Reader, and a variety of other popular client software. “It looks like the attackers were beforehand well-prepared with some penetration method to gain web exploitation which were used to gain shell access and did the privilege escalation unto root,” the writer of the latter blog post wrote last week, adding that he wasn’t at liberty to discuss the precise method.

The Apache server compromise in many ways resembles a mass infection from 2008 that also used tens of thousands of sites to silently expose visitors to malware attacks. … Because the server malware is designed to conceal itself and because so many individual systems are affected, it can be next to impossible for any one person to gain a true appreciation for the scope of attack.

Link: http://arstechnica.com/security/2013/04/exclusive-ongoing-malware-attack-targeting-apache-hijacks-20000-sites/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+arstechnica%2Findex+%28Ars+Technica+-+All+content%29

“In the last few years we have shown enough data that proves that the number and complexity of these attacks have been increasing steeply,” said Jamie Blasco, manager of the Vulnerability Research Team at open source security firm AlienVault.

“Legal firms may be the biggest target of nation states because they have so much proprietary information in their systems,” noted Tim Keanini, chief research officer at enterprise security firm nCircle.

However, last month President Obama signed an executive order giving the Secretary of Homeland Security until mid-July to extend the definition of critical infrastructure to include organizations “where a cybersecurity incident could reasonably result in catastrophic regional or national effects.” “That’s not the same as destruction, but it can have a huge impact on companies that live and breath on just-in-time inventories and the ability to connect with their customers immediately.”

Sophisticated, highly-modular malware like Flame isn’t produced by a lone hacker pulling in a few all-nighters, but almost certainly represents skills and sustained efforts of well-compensated professional programmers – or at least a big bankroll and a willingness to ply the black market for exploits. Exploits and techniques developed by state-sponsored efforts can be leaked or reverse-engineered just like any other malware, making their way into the hands of traditional cybercriminals and widely-available exploit collections like Blackhole, Phoenix, and RedKit.

Engaging hacker groups or online criminals to assist with cyber attacks could give nations a way to deny responsibility; however, it could also mean hackers and cybercriminals may have access to the state’s technical and fiscal resources.

Link: http://www.digitaltrends.com/computing/will-the-next-9-11-be-digital/