Tuesday, October 28, 2014

(CVE-2014-2718) ASUS wireless router updates vulnerable to a Man in the Middle attack

Over the past few months I have come across a couple of significant issues with ASUS wireless routers (which to their credit the company has been quick to resolve).  

In mid February, I wrote that a substantial portion of ASUS wireless routers would fail to update their firmware. In fact, the "check for update" function would inform the administrator that the router was fully up-to-date, even though it was not. The timing could not have been worse, coming right on the heels of an exploit for a bug in which USB hard drives connected to the router could be accessed from the public Internet, with no login required.

In April I wrote that the same line of routers exposed the administrator username and password in clear text. Anyone that could access a PC that had logged into the router could retrieve the admin credentials. Since the admin session would never time out, this could be exploited even without the administrator having a window open on the router.

Today I am disclosing one additional vulnerability, submitted as CVE-2014-2718. The ASUS RT- series of routers rely on an easily manipulated process to determine whether an update is needed and to retrieve the necessary update file. In short, the router downloads, in clear text, a file from http://dlcdnet.asus.com, parses it to determine the latest firmware version, then downloads (again in the clear) a binary file matching that version number from the same web site. 
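As an added illustration (not code from this post or from ASUS), the Python sketch below contrasts the update flow described above, which trusts a cleartext version file and a cleartext download, with a client that verifies a signed manifest and the image hash before installing. HMAC-SHA256 stands in for the vendor's public-key signature so it runs on the standard library alone; the key, version string and firmware images are all constructed.

```python
import hashlib
import hmac
import json

# Constructed sample data. HMAC-SHA256 stands in for the vendor's public-key
# signature so that this runs with the standard library only; a real client
# would verify an asymmetric signature against a key baked into the firmware.
VENDOR_KEY = b"constructed-vendor-signing-key"
GENUINE_FW = b"\x7fELF constructed genuine firmware image"
TAMPERED_FW = b"\x7fELF constructed image swapped in by a man in the middle"


def sign_manifest(version: str, firmware: bytes, key: bytes = VENDOR_KEY) -> dict:
    """Vendor side: publish the version and the firmware hash, then sign them."""
    body = json.dumps({"version": version,
                       "sha256": hashlib.sha256(firmware).hexdigest()}, sort_keys=True)
    return {"body": body, "sig": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}


def naive_update(version_text: str, fetch) -> tuple:
    """The flow the post describes: trust the cleartext version file and
    install whatever the cleartext download for that version returns."""
    version = version_text.strip()
    return version, fetch(version)


def verified_update(manifest: dict, fetch, key: bytes = VENDOR_KEY) -> tuple:
    """Hardened flow: reject the manifest unless its signature checks out, then
    reject the image unless its hash matches the signed manifest."""
    expected = hmac.new(key, manifest["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["sig"]):
        raise ValueError("manifest signature invalid")
    info = json.loads(manifest["body"])
    firmware = fetch(info["version"])
    if not hmac.compare_digest(hashlib.sha256(firmware).hexdigest(), info["sha256"]):
        raise ValueError("firmware hash does not match signed manifest")
    return info["version"], firmware


def simulate(mitm: bool) -> dict:
    """Run both clients against a download path that a MitM may have altered."""
    manifest = sign_manifest("1.0.2", GENUINE_FW)

    def fetch(version: str) -> bytes:  # stands in for the cleartext HTTP download
        return TAMPERED_FW if mitm else GENUINE_FW

    label = {GENUINE_FW: "genuine", TAMPERED_FW: "tampered"}
    result = {"naive": label[naive_update("1.0.2\n", fetch)[1]]}
    try:
        result["verified"] = label[verified_update(manifest, fetch)[1]]
    except ValueError as exc:
        result["verified"] = "rejected: " + str(exc)
    return result
```

With no interference both clients install the genuine image; with a tampered download the naive client installs whatever it was handed, while the verifying client refuses because the hash no longer matches the signed manifest.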

Monday, October 27, 2014

Tell someone you love them today

October 27. For many it's just another day on the calendar, a time when the weather has turned cooler, the nights longer, and perhaps Halloween plans are on the mind. For me it holds a special meaning: on this date nine years ago I learned just how precious life is.

October 27, 2005. My wife was driving our oldest two, then 5 years old, to kindergarten, as she had done every day that school year. As she was turning out of our neighborhood and onto the main highway, she was hit broadside by a teenage driver that ran a red light. To this day she does not remember the impact. She remembers turning, then the strange sensation that the van was falling over, but doesn't remember the impact itself.

I'll likely never know what exactly distracted the other driver, but he not only missed the red light, he didn't even see the other cars that had stopped at the light. At the last second he pulled onto the shoulder and shot through the intersection at about 70 mph, hitting my wife with enough force to roll a 5,000 pound van.

The entire side of the van caved in. To see the wreckage, no one should have survived, least of all anyone sitting in the rear seats. Miraculously my wife suffered only a few bruises and scratches, but both boys were critically injured. The airbag kept either from hitting the window, but it did not prevent them from hitting each other. Both boys suffered severe concussions, and Austin suffered a fractured skull and cheekbone. He spent the next 12 hours in and out of consciousness. I spent much of that day in the pediatric ICU praying they would make it.

October 27. I thank God for his provision that day. Any other day, my wife would have had all 5 children in the van. That day, I was working from home and had the youngest three with me. The middle row - the center of the impact - was empty.

This morning I had breakfast with my boys, now 14 years old. I am thankful for the strong, intelligent, and Godly young men they are becoming. I am forever aware of how fleeting life is, of how close they came to not growing up. 

In a cruel twist of irony, today I mourn the loss of a friend, killed in a car accident Saturday morning. He and I had worked together off and on for about 15 years, and he was one of those colleagues I genuinely liked, instead of just got along with. Life is fragile, life is uncertain.

Take a minute today to tell someone you love them. Give a friend a hug. Spend a few extra minutes with a child at the dinner table. Make time for coffee with a friend. You never know when it may be your last chance to do so.

Friday, October 24, 2014

Would you know if your email server were attacked?

This is a continuation of a series investigating a piece of malware.
  • Part 1 looks at how the malware is delivered. It and part 2 were originally a single post, later separated since they look at distinct phases in the attack.
  • Part 2 analyzes the bot - the agent which turns your computer into a remotely-controlled robot doing the attacker's bidding.
  • Part 3 dives into the first payload: code to test 30,000 addresses at 5,000 domains, to see if they could be used to send additional spam.
I had thought part 3 was the end of the story, but there is now more to tell. Last week I received a relatively typical spam message containing a link to view an "invoice" for something I had supposedly purchased. The link instead downloaded a botnet agent - software that would turn my PC into a bot that an attacker could remotely control to do his bidding. Nothing unusual about that approach. The attacker then gave my bot instructions to probe 5,000 domains, looking for mail servers that could be used to relay yet more spam.

Discovering and writing about criminal mischief is great, but if that's where I stopped, I'm just one more source of noise on the Internet. I research with two purposes: to teach, and to fix. Writing this blog series was the teaching part; as for the fixing part, that is where today's story picks up.

Thursday, October 23, 2014

Where does all the spam come from?

This is part 3 in a series investigating a particular piece of malware.
  • Part 1 looks at how the malware is delivered. It and part 2 were originally a single post, later separated since they look at distinct phases in the attack.
  • Part 2 analyzes the bot - the agent which turns your computer into a remotely-controlled robot doing the attacker's bidding.
  • Part 3 dives into the first payload: code to test 30,000 addresses at 5,000 domains, to see if they could be used to send additional spam.
Ever wondered how spam ends up in your inbox, or how spammers come up with the email addresses from which to send spam? The spammer needs a few things in order to send messages: obviously he needs a list of target email addresses to send messages to; those can be bought on the dark market at very little cost. Unless he wants to send email from his own server, though, he also needs an abusable email relay server and a spoofed source address. Why? Two reasons – not every Internet provider would turn a blind eye to a spammer sending millions of malicious emails, and he can gain far more capacity by sending mail through thousands of open relays.

From click to pwned

This is part 1 in a series investigating a particular piece of malware.
  • Part 1 looks at how the malware is delivered. It and part 2 were originally a single post, later separated since they look at distinct phases in the attack.
  • Part 2 analyzes the bot - the agent which turns your computer into a remotely-controlled robot doing the attacker's bidding.
  • Part 3 dives into the first payload: code to test 30,000 addresses at 5,000 domains, to see if they could be used to send additional spam.

Malware writers and scammers have a number of tricks up their sleeves, all with the goal of making your computer become their computer. Some tactics involve technology, some involve sleight-of-hand (sleight-of-mouse?), some involve social engineering, and some involve a combination of factors. I received an email scam that slipped past my spam filters and that exhibited a combination of old and new tactics, so I took some time to break it apart.

If you don't want to read through the technical details, here's the short version: don't click links or open attachments in unexpected email, don't trust email from an unknown or uncertain source, and be aware that there are lots of ways to make a malicious link look legitimate. In short, don't click the link.

Wednesday, October 22, 2014

An introduction to malware forensics

This is part 2 in a series investigating a particular piece of malware.
  • Part 1 looks at how the malware is delivered. It and part 2 were originally a single post, later separated since they look at distinct phases in the attack.
  • Part 2 analyzes the bot - the agent which turns your computer into a remotely-controlled robot doing the attacker's bidding.
  • Part 3 dives into the first payload: code to test 30,000 addresses at 5,000 domains, to see if they could be used to send additional spam.

In my last post, we looked at a fairly typical spam message used to deliver malware to unsuspecting users. This message played on psychology (aka social engineering) to trick the reader - a confirmation message for an expensive purchase (in this case, about $1,600), with a link to retrieve the "invoice" (actually the malware). It used Google redirectors to avoid a suspicious-looking link to DropBox or some random web site.

Once the reader clicks the link and allows it to download and run, their computer becomes infected with a botnet agent. In this post, I downloaded the malware into a virtual environment to do some analysis.

Tuesday, October 14, 2014

Snapchat: What every parent needs to know (and teach)

Some topics are less pleasant to write about than others, though at times far more important. It is with this in mind that I write today on a topic every parent needs to know about. Late last week, rumors started to surface regarding a database breach that revealed thousands of supposedly private messages and photographs sent via the social sharing app Snapchat. Over the weekend that has proved true.

Snapchat is heavily used by younger people - in fact, roughly half of all Snapchat accounts belong to children under 17 years old. The selling point behind Snapchat is that messages and photos can be seen by the intended recipient only, for a brief time only, and then disappear forever - much like old Mission: Impossible assignments ("this message will self-destruct in 10 seconds..."). As such, it has been used by many teenagers for "sexting" - sharing indecent photos of themselves, never suspecting that the photos might not actually disappear.

Whois David?

I have spent the better part of two decades in information technology and security, with roots in appdev support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. When not at work, I spend my time raising five rambunctious kids - twins age 14, a 13-year-old, and twins age 11. Amongst that, I am the Commander for a Wednesday night Awana club at my church, teaching some 60+ preschool through 6th grade kids. Follow @DSTX_Awana or Like FBC Dripping Springs Kids to see what is going on in our club.