Intelligent Malware | TechSNAP 108

A new Apache backdoor hides in shared memory, making it hard to detect. We’ll tell you all about this new type of intelligent malware.

Plus: Why all passwords are crackable no matter what anyone says, a great batch of your questions, and much more!



Show Notes:

  • New Apache exploit hides in shared memory

    • The backdoor, called Linux/Cdorked.A, is unusually sophisticated and stealthy
    • It is unclear whether Cdorked is related to the earlier ‘Darkleech’ campaign; Darkleech was an Apache module and worked quite differently, but it shared the same goals of infecting visitors with the Blackhole exploit kit and hiding from administrators
    • Unlike similar backdoors, Cdorked does not store or modify any files on the file system other than the replaced httpd binary itself
    • State information and configuration are kept in a small region of shared memory that is shared between all of the httpd processes
    • Interestingly, the permissions on that shared memory region are set wide open, so the information can be read or modified by other applications (and other local users) as well
    • All of the backdoor’s code and data inside the infected httpd binary are obfuscated with a static XOR key
    • The infected machines receive their instructions from the command and control server as specially crafted HTTP requests, which the backdoor prevents from ever being written to the server logs
    • The backdoor also includes a reverse shell: when a special HTTP GET request is received, httpd connects out to the host and port specified in the request, giving the attacker a shell on the infected host even when it sits behind a strict inbound firewall
    • The reverse shell connection is also XOR encrypted, with a key derived from the parameters sent when the connection is initialized, most likely to hide the shell session from an IDS (Intrusion Detection System)
    • The goal of the backdoor is the same as the earlier campaign: redirect visitors from legitimate sites to the Blackhole exploit kit
    • This improved version does an even better job of hiding itself, and also gives the perpetrators additional analytics
    • When a victim is redirected to the exploit kit, the URL includes a long base64 encoded string containing, among other things, the domain and URL of the file the user was requesting (so the attackers can see which sites are sending them the most victims, or when a site stops sending victims) and whether the client was requesting a JavaScript file, so the correct exploit can be served
    • Once a victim has been redirected, a cookie is set on their system which prevents the redirect from appearing again, making the infection harder to detect or reproduce
    • The backdoor purposely avoids infecting administrators, to avoid detection: the redirect is not served to visitors of any URL containing ‘adm’, ‘webmaster’, ‘submit’, ‘stat’, ‘mrtg’, ‘webmin’, ‘cpanel’, ‘memb’, ‘bucks’, ‘bill’, ‘host’, ‘secur’ or ‘support’
    • ESET has published detection instructions
    • It is not clear how servers are being infected initially; some suggest it is simply SSH brute force attacks gaining administrative access, while a researcher from Cisco believes it may be an exploit against unpatched installations of Plesk, a web hosting control panel
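A triage check that follows from the notes above, as an added example (this is not ESET’s detection script and not code from the show): Cdorked keeps its state in a System V shared memory segment whose permissions are wide open and which is shared by the httpd processes. On Linux every such segment is listed in /proc/sysvipc/shm (the same data ipcs -m prints, with the mode in octal), so a first pass is to list segments that grant any access to ‘other’ and note which process created them. The script below parses that table and flags those segments; the sample table, pids and process names in it are constructed, and the creator_names list is an assumption about how the web server process is named on the host.

```python
"""Flag System V shared memory segments that any local user can read or write.

Added example for these show notes, not ESET's detection tool. It reads the
/proc/sysvipc/shm table (one row per segment, 'perms' in octal) and reports
segments whose mode grants access to 'other', marking the ones created by a
web server process, which is the pattern the Cdorked notes describe.
"""
import sys

# Columns as printed by the kernel in /proc/sysvipc/shm (header line first).
FIELDS = ("key", "shmid", "perms", "size", "cpid", "lpid", "nattch",
          "uid", "gid", "cuid", "cgid", "atime", "dtime", "ctime", "rss", "swap")


def parse_shm_table(text):
    """Parse the /proc/sysvipc/shm table into a list of dicts (perms as an int mode)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "key" or len(parts) < len(FIELDS):
            continue  # blank line, header, or truncated row
        vals = dict(zip(FIELDS, parts))
        row = {k: int(v) for k, v in vals.items() if k != "perms"}
        row["perms"] = int(vals["perms"], 8)
        rows.append(row)
    return rows


def process_name(pid):
    """Best-effort process name from /proc/<pid>/comm; None if the pid is gone."""
    try:
        with open(f"/proc/{pid}/comm") as f:
            return f.read().strip()
    except OSError:
        return None


def find_open_segments(rows, names_by_pid, creator_names=("httpd", "apache2")):
    """Return segments readable or writable by 'other'.

    names_by_pid maps a creator pid to its process name; it is passed in so
    the function also runs against a captured table. 'suspicious' is set when
    the creating process is a web server (creator_names is an assumption).
    """
    findings = []
    for r in rows:
        other = r["perms"] & 0o007
        if not other:
            continue
        creator = names_by_pid.get(r["cpid"])
        findings.append({
            "shmid": r["shmid"],
            "size": r["size"],
            "mode": oct(r["perms"]),
            "world_writable": bool(other & 0o002),
            "creator": creator,
            "cpid": r["cpid"],
            "nattch": r["nattch"],
            "suspicious": creator in creator_names,
        })
    return findings


# Constructed sample table (not a real capture): a 666 segment created by
# httpd, a 600 segment from the same server, and a 644 one from postgres.
SAMPLE_SHM = """\
       key      shmid perms       size  cpid  lpid nattch   uid   gid  cuid  cgid      atime      dtime      ctime        rss       swap
         0      32768   666     6144000  2101  2103      5    48    48    48    48 1367240000 1367240000 1367240000    6144000        0
         0      65537   600       65536  2101  2102      3    48    48    48    48 1367240000 1367240000 1367240000      65536        0
  19214419      98306   644     1048576  1502  1502      1    26    26    26    26 1367240000 1367240000 1367240000    1048576        0
"""
SAMPLE_NAMES = {2101: "httpd", 1502: "postgres"}  # constructed pid -> comm map


def main():
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        with open("/proc/sysvipc/shm") as f:
            rows = parse_shm_table(f.read())
        names = {r["cpid"]: process_name(r["cpid"]) for r in rows}
    else:
        rows, names = parse_shm_table(SAMPLE_SHM), SAMPLE_NAMES
    for f in find_open_segments(rows, names):
        flag = "SUSPICIOUS" if f["suspicious"] else "open"
        print(f"{flag:10} shmid={f['shmid']} mode={f['mode']} size={f['size']} "
              f"creator={f['creator']}({f['cpid']}) nattch={f['nattch']}")


if __name__ == "__main__":
    main()
```

Run it with --live on a suspect host (as root, so /proc/<pid>/comm is readable for every creator). A hit is a lead, not a verdict: plenty of legitimate software creates world-readable segments, so a flagged segment attached to httpd is the point at which to follow ESET’s published detection instructions and to compare the httpd binary against the package manager’s copy.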

    Salted hashes are not uncrackable, no matter what anyone says

    • As details emerge about the recent compromise of LivingSocial that exposed their password database, it is worth clarifying some points about password hashes
    • LivingSocial was using SHA1 hashes with “40 byte salts”. It is unclear, but it seems they ‘rolled their own’ hashing scheme because they knew SHA1 was not good enough by itself
    • There are a number of problems with their approach:
      • SHA1 is designed for speed; in a password hashing system you want the function to be slow and expensive to compute
      • There are purpose-built constructions on top of the SHA algorithms for this, like sha512crypt: rather than a single SHA-512 hash of the input, it runs a configurable number of rounds (5000 by default) with alternating inputs, so each guess costs thousands of hash computations. More on how sha512crypt works
      • Salting does not make the hash itself any stronger, because the salt is stored alongside the hash and is known to the attacker (you need the salt to verify a legitimate login attempt). The purpose of a salt is to force the attacker to hash each candidate password separately for every account: with a list of 50 million hashes, ‘password’ has to be tried against all 50 million of them, because each has a unique salt, instead of being hashed once and looked up
      • Poul-Henning Kamp, author of the original md5-crypt, in the post officially deprecating md5-crypt recommended that large sites consider using a blend of the existing algorithms, to take advantage of properties like bcrypt’s resistance to GPU cracking
    • Password hashing has never been, and will never be, uncrackable
    • As with all security measures, it is a trade off. The goal is to make generating a single hash (which the server must do once per login attempt to compare against the stored hash) as slow as possible without delaying logins or over burdening the server; a good benchmark is 50–100ms, so that a login takes an imperceptible amount of time while brute forcing the whole database takes an impractical amount of time (many years)
    • Password hashing is designed to buy time: when the password database leaks, you have time to reset your password to something new before the attacker can brute force the old one and compromise your account
    • Reminder: Use a unique password for each site/service
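The three points above (a salt only prevents shared work, a fast hash is still fast per guess, and stretching is what buys the time) as an added worked example. This is not LivingSocial’s code and not sha512crypt, which is not in Python’s standard library; PBKDF2-HMAC-SHA-512 from hashlib stands in as the stretched, salted construction. The accounts, passwords and wordlist are constructed, and the default round count is an assumption meant to be replaced by the calibration routine on the real server.

```python
"""Why a salted fast hash is still crackable, and what stretching buys.

Added example for these show notes, not LivingSocial's scheme. It contrasts
unsalted SHA-1 (one table serves every user), salted SHA-1 (per-user work,
but one fast digest per guess) and a salted, stretched KDF (PBKDF2-HMAC-SHA-512,
standing in for sha512crypt) where each guess costs thousands of HMACs.
"""
import hashlib
import hmac
import os
import time

ROUNDS = 200_000  # assumed default; use calibrate_rounds() on the real server


def sha1_salted(password, salt):
    """Fast salted hash (the LivingSocial-style construction): one SHA-1 per guess."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def slow_hash(password, salt, rounds=ROUNDS):
    """Stretched hash: PBKDF2-HMAC-SHA-512, standing in for sha512crypt here."""
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, rounds).hex()


def make_record(password, rounds=ROUNDS):
    """Store salt, round count and hash together. The salt is per user and
    not secret: verify() needs it, so whoever steals the table has it too."""
    salt = os.urandom(16)
    return {"salt": salt, "rounds": rounds, "hash": slow_hash(password, salt, rounds)}


def verify(record, attempt):
    """Recompute with the stored salt/rounds and compare in constant time."""
    cand = slow_hash(attempt, record["salt"], record["rounds"])
    return hmac.compare_digest(cand, record["hash"])


def crack_unsalted(hashes, wordlist):
    """No salt: hash the wordlist once and look every user up in that table.
    Returns (hits, number of hash computations spent)."""
    table = {hashlib.sha1(g.encode()).hexdigest(): g for g in wordlist}
    hits = {user: table[h] for user, h in hashes.items() if h in table}
    return hits, len(wordlist)


def crack_salted(records, wordlist, hash_fn):
    """Salted: the table trick fails, so every guess is hashed once per user.
    hash_fn(guess, record) must reproduce the stored construction."""
    hits, work = {}, 0
    for user, rec in records.items():
        for guess in wordlist:
            work += 1
            if hash_fn(guess, rec) == rec["hash"]:
                hits[user] = guess
                break
    return hits, work


def calibrate_rounds(target_ms=75, probe_rounds=20_000):
    """Choose a round count so one verify() costs about target_ms on this machine
    (the 50-100 ms budget from the notes)."""
    t0 = time.perf_counter()
    slow_hash("benchmark", b"\x00" * 16, probe_rounds)
    per_round = (time.perf_counter() - t0) / probe_rounds
    return max(1_000, int(target_ms / 1000 / per_round))


def main():
    # Constructed sample: three accounts, two of them sharing a weak password.
    passwords = {"alice": "password", "bob": "password", "carol": "Tr0ub4dor&3"}
    wordlist = ["123456", "password", "letmein", "qwerty"]

    # 1. Unsalted SHA-1: four hashes crack every account that uses a listed word.
    plain = {u: hashlib.sha1(p.encode()).hexdigest() for u, p in passwords.items()}
    print("unsalted :", crack_unsalted(plain, wordlist))

    # 2. Salted SHA-1: work is per user now, but each guess is one fast digest.
    salted = {}
    for u, p in passwords.items():
        s = os.urandom(16)
        salted[u] = {"salt": s, "hash": sha1_salted(p, s)}
    t0 = time.perf_counter()
    res = crack_salted(salted, wordlist, lambda g, r: sha1_salted(g, r["salt"]))
    print("salted   :", res, f"{time.perf_counter() - t0:.4f}s")

    # 3. Salted and stretched: same hits, but each guess now costs `rounds` HMACs.
    rounds = calibrate_rounds()
    stretched = {u: make_record(p, rounds) for u, p in passwords.items()}
    t0 = time.perf_counter()
    res = crack_salted(stretched, wordlist,
                       lambda g, r: slow_hash(g, r["salt"], r["rounds"]))
    print("stretched:", res, f"{time.perf_counter() - t0:.2f}s at {rounds} rounds")
    print("login ok :", verify(stretched["carol"], "Tr0ub4dor&3"))


if __name__ == "__main__":
    main()
```

The hit rate is identical in all three runs: the weak passwords fall every time, which is the “never uncrackable” point. What changes is the cost per guess, and the stretched run is slower by roughly the round count, so an attacker who could try billions of salted SHA-1 guesses per second is held to a few thousand. Store the round count with each record, as make_record does, so it can be raised later without invalidating existing hashes until the user next logs in.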


