WarPigW2

Systems Affected

• Microsoft Windows systems running Adobe Reader, Acrobat, or Oracle Java

Overview

On May 16, 2013, US-CERT was notified that both www.federalnewsradio[.]com and www.wtop[.]com had been compromised to redirect Internet Explorer users to an exploit kit. As of May 17, 2013, US-CERT analysis confirms that no malicious code remains on either site.

Description

The compromised websites were modified to contain a hidden iframe referencing a JavaScript file on a dynamic-DNS host. The file returned from this site was identified as the Fiesta exploit kit. The kit uses one of several known vulnerabilities to attempt to download an executable:

• CVE-2009-0927: Stack-based buffer overflow in Adobe Reader and Adobe Acrobat

• CVE-2010-0188: Unspecified vulnerability in Adobe Reader and Acrobat

• CVE-2013-0422: Multiple vulnerabilities in Oracle Java 7 before Update 11

Any systems visiting running vulnerable versions of Adobe Reader or Acrobat or Oracle Java may have been compromised.

Impact

The exploit kit, once successful, delivers and executes a known variant of the ZeroAccess Trojan. Additionally, according to open source reporting, the malware also downloads and installs a variant of FakeAV/Kazy malware.

The ZeroAccess Trojan attempts to beacon to one of two hardcoded command-and-control addresses, 194[.]165[.]17[.]3 and 209[.]68[.]32[.]176. The beaconing occurs using an HTTP GET using the Opera/10 user-agent string.

After beaconing, the malware then downloads a custom Microsoft Cabinet file and the malware uses port 16464/udp to connect to the peer-to-peer network. This cabinet file contains several lists of IP addresses, as well as a fake flash installer.

Solution

Apply Updates

Updated software that addresses the vulnerabilities referenced in this incident has been available for years. It is imperative to apply current security updates to software that is commonly targeted by attackers.

• Adobe provided updates for the Adobe Reader and Acrobat vulnerabilities (CVE-2009-0927 and CVE-2010-0188) in Adobe Security Bulletins APSB09-04 and APSB10-07 respectively.
• Oracle released Oracle Security Alert for CVE-2013-0422 to address the Java vulnerability.

In order to defend against additional vulnerabilities, install the most recent versions of Adobe Reader, Acrobat, and Oracle Java. At the time of publication, Adobe Security Bulletin APSB13-15 documents current security updates for Adobe Reader and Acrobat, and Oracle Java SE Critical Patch Update Advisory - April 2013 documents vulnerabilities addressed by Java 7 Update 21.

Identify Compromised Systems

Monitor activity to the following IP addresses as a potential indicator of compromise where permitted and practical:

• 209[.]68[.]32[.]176
• 194[.]165[.]17[.]3

References

• WTOP and Federal News Radio Websites Back After Cyber Attack
• K.I.A. – WTOP.com, FedNewsRadio and Tech Blogger John Dvorak Blog Site Hijacked – Exploits Java and Adobe to Distribute Fake A/V
• Stack-based buffer overflow in Adobe Reader and Adobe Acrobat
• Unspecified vulnerability in Adobe Reader and Acrobat
• Adobe Security Bulletin APSB09-04
• Adobe Security Bulletin APSB10-07
• Adobe Security Bulletin APSB13-15
• Multiple vulnerabilities in Oracle Java 7 before Update 11
• Oracle Security Alert for CVE-2013-0422
• Oracle Java SE Critical Patch Update Advisory - April 2013

Revision History

• Initial release
• Updated Solution section

This product is provided subject to this Notification and this Privacy & Use policy.

Systems Affected

• JDK and JRE 7 Update 17 and earlier
• JDK and JRE 6 Update 43 and earlier
• JDK and JRE 5.0 Update 41 and earlier
• JavaFX 2.2.7 and earlier

Overview

Oracle has released a Critical Patch Update (CPU) for Java SE. Oracle strongly recommends that customers apply CPU fixes as soon as possible.

Description

Oracle Java SE Critical Patch Update Advisory - April 2013 describes the update:

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. The Critical Patch Update for Java SE also includes non-security fixes. Critical Patch Updates are cumulative and each advisory describes only the security fixes added since the previous Critical Patch Update and Security Alert. Thus, prior Critical Patch Update and Security Alert advisories should be reviewed for information regarding earlier accumulated security fixes.

Systems administrators are advised to pay additional attention to Oracle advisories due to the increasing volume of vulnerabilities being patched with each release.

Impact

A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.

Solution

Apply Updates

Oracle Java SE Critical Patch Update Advisory - April 2013 includes the following information:

Developers can download the latest release from http://www.oracle.com/technetwork/java/javase/downloads/index.html.

Users running Java SE with a browser can download the latest release from http://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.

The latest JavaFX release is included with the latest update of JDK and JRE 7. For JDK and JRE 6 users, the latest Java FX release is available from http://www.oracle.com/technetwork/java/javafx/

References

• Oracle Java SE Critical Patch Update Advisory - April 2013

Revision History

• April 17, 2013: Initial release
• April 18, 2013: Minor update to description

This product is provided subject to this Notification and this Privacy & Use policy.

Systems Affected

• Domain Name System (DNS) servers

Overview

A Domain Name Server (DNS) Amplification attack is a popular form of Distributed Denial of Service (DDoS) that relies on the use of publically accessible open recursive DNS servers to overwhelm a victim system with DNS response traffic.

Description

A Domain Name Server (DNS) Amplification attack is a popular form of Distributed Denial of Service (DDoS) that relies on the use of publically accessible open recursive DNS servers to overwhelm a victim system with DNS response traffic. The basic attack technique consists of an attacker sending a DNS name lookup request to an open recursive DNS server with the source address spoofed to be the victim’s address. When the DNS server sends the DNS record response, it is sent instead to the victim. Attackers will typically submit a request for as much zone information as possible to maximize the amplification effect. Because the size of the response is typically considerably larger than the request, the attacker is able to amplify the volume of traffic directed at the victim. By leveraging a botnet to perform additional spoofed DNS queries, an attacker can produce an overwhelming amount of traffic with little effort. Additionally, because the responses are legitimate data coming from valid servers, it is especially difficult to block these types of attacks.

While the attacks are difficult to prevent, network operators can implement several possible mitigation strategies. The primary element in the attack that is the focus of an effective long-term solution is the detection and elimination of open recursive DNS resolvers. These systems are typically legitimate DNS servers that have been improperly configured to respond to recursive queries on behalf of any system, rather than restricting recursive responses only to requests from local or authorized clients. By identifying these systems, an organization or network operator can reduce the number of potential resources that the attacker can employ in an attack.

Impact

A misconfigured Domain Name System (DNS) server can be exploited to participate in a Distributed Denial of Service (DDoS) attack.

Solution

DETECTION

Several organizations offer free, web-based scanning tools that will search a network for vulnerable open DNS resolvers.  These tools will scan entire network ranges and list the address of any identified open resolvers.

Open DNS Resolver Project
http://openresolverproject.org
The Open DNS Resolver Project has compiled a list of DNS servers that are known to serve as globally accessible open resolvers.  The query interface allows network administrators to enter IP ranges in CIDR format [1].

The Measurement Factory
http://dns.measurement-factory.com
Like the Open DNS Resolver Project, the Measurement Factory maintains a list of Internet accessible DNS servers and allows administrators to search for open recursive resolvers [2].  In addition, the Measurement Factory offers a free tool to directly test an individual DNS resolver to determine if it allows open recursion.  This will allow an administrator to determine if configuration changes are necessary and verify that configuration changes have been effective [3].  Finally, the site offers statistics showing the number of open resolvers detected on the various Autonomous System (AS) networks, sorted by the highest number found [4].

DNSInspect
http://www.dnsinspect.com
Another freely available, web-based tool for testing DNS resolvers is DNSInspect.  This site is similar to The Measurement Factory’s ability to test a specific resolver for vulnerability, but offers the ability to test an entire DNS Zone for several other potential configuration and security issues [5].

Indicators

In a typical recursive DNS query, a client sends a query request to a local DNS server requesting the resolution of a name or the reverse resolution of an IP address.  The DNS server performs the necessary queries on behalf of the client and returns a response packet with the requested information or an error [6, page 21].  The specification does not allow for unsolicited responses.  In a DNS amplification attack, the key indicator is a query response without a matching request.  

MITIGATION

Unfortunately, due to the overwhelming traffic volume that can be produced by one of these attacks, there is often little that the victim can do to counter a large-scale DNS amplification-based distributed denial-of-service attack.  While the only effective means of eliminating this type of attack is to eliminate open recursive resolvers, this requires a large-scale effort by numerous parties.  According to the Open DNS Resolver Project, of the 27 million known DNS resolvers on the Internet, approximately “25 million pose a significant threat” of being used in an attack [1].  However, several possible techniques are available to reduce the overall effectiveness of such attacks to the Internet community as a whole.  Where possible, configuration links have been provided to assist administrators with making the recommended changes.  The configuration information has been limited to BIND9 and Microsoft’s DNS Server, which are two widely deployed DNS servers.  If you are running a different DNS server, please see your vendor’s documentation for configuration details.

Source IP Verification

Because the DNS queries being sent by the attacker-controlled clients must have a source address spoofed to appear as the victim’s system, the first step to reducing the effectiveness of DNS amplification is for Internet Service Providers to deny any DNS traffic with spoofed addresses.  The Network Working Group of the Internet Engineering Task Force released a Best Current Practice document in May 2000 that describes how an Internet Service Provider can filter network traffic on their network to drop packets with source addresses not reachable via the actual packet’s path [7]. The changes recommended in this document would cause a routing device to test whether it is possible to reach the source address of the packet via the interface that transmitted the packet. If it is not possible, then the packet obviously has a spoofed source address. This configuration change would considerably reduce the potential for most current types of DDoS attacks.

Disabling Recursion on Authoritative Name Servers

Many of the DNS servers currently deployed on the Internet are exclusively intended to provide name resolution for a single domain.  These systems do not need to support resolution of other domains on behalf of a client, and therefore should be configured with recursion disabled.

Bind9

Add the following to the global options [8]:
options {
     allow-query-cache { none; };
     recursion no;
};

Microsoft DNS Server

In the Microsoft DNS console tool [9]:

1. Right-click the DNS server and click Properties.
2. Click the Advanced tab.
3. In Server options, select the “Disable recursion” check box, and then click OK.

Limiting Recursion to Authorized Clients

For DNS servers that are deployed within an organization or ISP to support name queries on behalf of a client, the resolver should be configured to only allow queries on behalf of authorized clients.  These requests should typically only come from clients within the organization’s network address range.

BIND9

In the global options, add the following [10]:
acl corpnets { 192.168.1.0/24; 192.168.2.0/24; };
options {
  allow-query { corpnets; };
  allow-recursion { corpnets; };
};

Microsoft DNS Server

It is not currently possible to restrict recursive DNS requests to a specific client address range in Microsoft DNS Server.  The most effective means of approximating this functionality is to configure the internal DNS server to forward queries to an external DNS server and restrict DNS traffic in the firewall to restrict port 53 UDP traffic to the internal server and the external forwarder [11].

Rate Limiting Response of Recursive Name Servers

There is currently an experimental feature available as a set of patches for BIND9 that allows an administrator to restrict the number of responses per second being sent from the name server [12].  This is intended to reduce the effectiveness of DNS amplification attacks by reducing the volume of traffic coming from any single resolver.

BIND9

There are currently patches available for 9.8.latest and 9.9.latest to support RRL on UNIX systems. Red Hat has made updated packages available for Red Hat Enterprise Linux 6 to provide the necessary changes in advisory RHSA-2013:0550-1. On BIND9 implementation running the RRL patches, add the following lines to the options block of the authoritative views [13]:
rate-limit {
    responses-per-second 5;
    window 5;
};

Microsoft DNS Server

This option is currently not available for Microsoft DNS Server.

References

• [1] Open DNS Resolver Project
• [2] The Measurement Factory, "List Open Resolvers on Your Network"
• [3] The Measurement Factory, "Open Resolver Test"
• [4] The Measurement Factory, "Open Resolvers for Each Autonomous System"
• [5] "DNSInspect," DNSInspect.com
• [6] RFC 1034: DOMAIN NAMES - CONCEPTS AND FACILITIES
• [7] BCP 38: Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing
• [8] Chapter 3. Name Server Configuration
• [9] Disable recursion on the DNS server
• [10] Chapter 7. BIND 9 Security Considerations
• [11] Configure a DNS Server to Use Forwarders
• [12] DNS Response Rate Limiting (DNS RRL)
• [13] Response Rate Limiting in the Domain Name System (DNS RRL)

Revision History

• March 29, 2013: Initial release
• April 18th, 2013: Minor updates to Description and Solution sections(Source IP Verification and BIND9)

This product is provided subject to this Notification and this Privacy & Use policy.