AusCERT Week in Review for 5th April 2013
Date: 05 April 2013
Original URL: http://www.auscert.org.au/render.html?cid=7066&it=17317

Greetings,

The "Darkleech" malware has compromised approximately 20,000 websites running the Apache web server over at least the past nine months. Research performed by Cisco has shown that once a host is compromised using an SSH backdoor, the malware dynamically injects invisible iFrames which link to malicious web pages. Because the iFrames are constructed on the fly rather than stored in the site's files, discovery and remediation are difficult: there is no viable way to find them with a search tool. Researchers at Sucuri have noted that the attackers modify the SSH binaries, supplying a modified version which then allows full access back to the server. Furthermore, consideration seems to have been given to evading detection: the malware blacklists IP addresses belonging to security researchers, to the owners of data centres where compromises have occurred, and to search engine crawlers. Cisco further noted that the initial infection vector is unclear, although the usual culprits, such as out-of-date administration software or stolen passwords, are likely to blame.

This brings me to another important point: web sites operated by small businesses. Whilst many of you belong to large organisations with rigid service management processes such as ITIL and risk-based security management practices such as the ISO 27000 series, there are many who don't benefit from the excitement of a weekly change control board or audit review meeting! Spare a thought for these people. In the course of AusCERT's regular travels, we often speak with small business owners who honestly didn't realise their responsibilities as a web site operator. Whilst they understand they must pay a web developer and hoster to maintain the content on their site, small business operators don't always realise that system administration functions are essential.
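Returning to the Darkleech item above: because the injected iFrames are built to be invisible to the visitor, a site operator can check what a page actually serves for frames that are hidden by CSS, sized to a pixel or two, or positioned off-screen. The following is an added example, not code from the AusCERT bulletin, Cisco or Sucuri; the sample HTML, the `.invalid` hostnames and the TINY_PX threshold are constructed for illustration.

```python
import re
from html.parser import HTMLParser

TINY_PX = 2  # an iframe rendered at or below this many pixels is effectively invisible

class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def hidden_reasons(attrs):
    """Return the reasons an iframe looks deliberately hidden (empty list if none)."""
    reasons = []
    style = attrs.get("style", "").lower().replace(" ", "")
    for marker in ("display:none", "visibility:hidden"):
        if marker in style:
            reasons.append(marker)
    for dim in ("width", "height"):
        # An inline CSS size wins over the HTML attribute when both are present.
        m = (re.search(rf"(?<![a-z-]){dim}:(-?\d+)px", style)
             or re.fullmatch(r"\s*(-?\d+)(?:px)?\s*", attrs.get(dim, "x")))
        if m and int(m.group(1)) <= TINY_PX:
            reasons.append(f"{dim}={m.group(1)}px")
    for side in ("left", "top"):
        m = re.search(rf"(?<![a-z-]){side}:(-\d+)px", style)
        if m and int(m.group(1)) <= -500:
            reasons.append(f"off-screen {side}={m.group(1)}px")
    return reasons

def find_hidden_iframes(html):
    """Return [(src, reasons)] for every iframe in `html` that looks hidden."""
    p = IframeCollector()
    p.feed(html)
    return [(a.get("src", ""), r) for a in p.iframes if (r := hidden_reasons(a))]

# Constructed sample page: one visible embed and two injected invisible frames.
SAMPLE_HTML = """<html><body>
<iframe src="https://video.example/embed/1" width="560" height="315"></iframe>
<iframe src="http://injected.invalid/x.php" width="10" height="10"
        style="visibility:hidden;position:absolute;left:-1000px;top:-1000px"></iframe>
<iframe src="http://injected2.invalid/y.php" width="1" height="1" style="display: none"></iframe>
</body></html>"""
```

Because the injection happens at serving time and the malware blacklists researcher and crawler addresses, run this against the HTML as actually delivered to an ordinary visitor rather than against the files on disk, and treat a clean result as one signal only; the modified SSH binaries mentioned above still need to be checked separately against the distribution's package integrity data.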
Unless the developer/hoster is also skilled in system administration, the consequence can be the eventual compromise of the web site, usually via out-of-date content management software. How many of you have family or friends who operate web sites to support their small business? Have they contracted the right support for their needs? Remember that a compromised web site means downtime, which means revenue loss. Incidentally, Google has a fairly plain-English video which assists web site owners who have been compromised and have ended up "blacklisted" by search engines and/or web browsers.

Finally, there were a number of bulletins you may be interested in from this week:

1. ASB-2013.0050 - ALERT [Appliance] Sophos Web Appliance: Multiple vulnerabilities
   A number of vulnerabilities have been identified in Sophos Web Appliance prior to version 3.7.8.2.

2. ASB-2013.0048 - [Win][UNIX/Linux][Android] Mozilla Firefox, Thunderbird and SeaMonkey: Multiple vulnerabilities
   This week's mandatory browser bulletin, definitely worth your attention.

3. ESB-2013.0451 - [Win][UNIX/Linux] DHCP: Denial of service - Remote/unauthenticated
   A denial of service vulnerability has been discovered in libdns.

That's all for this week, so go forth and help a neighbour understand his or her small business web site responsibilities, and enjoy your weekend!

Regards,
Mike.