Trojans steal FTP Login passwords for websites


Jacques Erasmus, CTO at Prevx, an internet security vendor headquartered in the U.K., discovered a site to which a trojan is uploading FTP login credentials for more than 74,000 websites. The affected FTP login data includes major organisations such as Bank of America, the BBC, Amazon, Symantec and McAfee. The trojan, a variant of Zbot, exists mainly to harvest stored FTP login credentials and send them to servers located in China. According to Erasmus, the end goal of the attack is to gain access to the websites' source code and inject malicious iframes that spread the malware further. The Zbot trojan has been used for some time to carry out various illegal and lucrative activities, mainly installing spyware and adware and sending phishing emails.

An overview of Web Applications and Web Servers security

Did you know that the vast majority of internet attacks nowadays target web applications and web servers? Almost every business has an online presence: a website, an e-commerce application, a web front end with a database behind it, and so on.

Hackers have found ways to infiltrate internal networks through those web applications, which are often insecurely coded and full of vulnerabilities. Attacks and exploits range from code injection and SQL injection to cross-site scripting (XSS). Through such exploits, attackers can steal sensitive information from the databases behind the web applications, or even gain shell access on the database or web server itself. Shell access gives the attacker a “pivot point” from which to launch further attacks deeper into the network.

The following are some important suggestions to follow for hardening your web applications:

  1. First and most important is to adopt secure coding. Your software developers, the vendor from whom you purchased the web application, or whoever designed and coded your website must have built security into the code itself. Examples include validating input from web forms and using parameterized queries (against SQL injection) and output encoding (against XSS), avoiding buffer overflows, and avoiding remote and local file inclusion.
  2. Don’t let the web server connect to the database as an administrative user (such as sa on SQL Server); give it a dedicated account with only the rights it needs.
  3. Don’t run the web server or the database server with administrator privileges.
  4. Configure egress firewall filtering so the database server cannot initiate connections to the outside world.
  5. Remove command execution capability on the database (e.g. disable xp_cmdshell on SQL Server).
  6. And of course keep all software and applications hardened with the latest patches.
  7. Implement host intrusion detection and log monitoring.

Those are some of the most important steps you can take to enhance the security of your web applications and backend databases.
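As an added example (not code from the original page), the Python below contrasts the two ways of building a login query from item 1 against a constructed in-memory SQLite database, and shows output encoding against XSS. The table, the user, the password and the injection payload are all made up for the demonstration.

```python
import html
import sqlite3

INJECTION_PAYLOAD = "x' OR '1'='1' --"   # constructed attacker input


def build_db():
    """Constructed stand-in for the web app's backend: one table, one user.
    A real application stores a salted password hash, never the password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """Insecure: untrusted input is pasted into the SQL text, so the
    attacker's quote and comment characters become part of the query."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone()[0] > 0


def safe_login(conn, username, password):
    """Parameterized query: the driver binds the values separately from the
    SQL text, so input is compared as data and never parsed as SQL."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def render_greeting(username):
    """Output encoding: HTML metacharacters in user data are escaped before
    being placed in a page, which defeats reflected XSS."""
    return "<p>Welcome, %s</p>" % html.escape(username, quote=True)


def demo():
    """Run both login variants against the same injection payload."""
    conn = build_db()
    return {
        "vulnerable_bypassed": vulnerable_login(conn, INJECTION_PAYLOAD, "anything"),
        "safe_bypassed": safe_login(conn, INJECTION_PAYLOAD, "anything"),
        "safe_valid": safe_login(conn, "alice", "correct horse battery staple"),
        "greeting": render_greeting("<script>alert(1)</script>"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The payload turns the vulnerable query into `... WHERE username = 'x' OR '1'='1' --' AND ...`, so the comment swallows the password check and the login succeeds without a password; the parameterized version compares the whole payload as a username string and fails. Items 2 and 5 are configuration rather than code: on SQL Server give the web application its own restricted login instead of sa, and turn off command execution with `EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;`.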

Protect your children on the Internet

Many parents ask how they can protect their children while they surf the Internet. Recently a mother was worried that her children spent too much time on sites like Orkut, MySpace and Facebook. Her concern was not the time lost to such activities but mainly that she didn’t know with whom the children were communicating in these social networks and whether they were giving personal information to unknown people. After several press reports about the hazards hidden in Internet social networks, the mother decided to block some sites on the children’s computer.

The only problem was that the mother was not aware of parental control software such as Net Nanny or Norton Internet Security, which also costs money. Before you decide to block some addresses (something the children will oppose), try a few other things:

First of all, educate your children and tell them about the dangers of sharing information with strangers. Family members should discuss the security and confidentiality of data on the web. You can place the computer in an area where you can easily see the screen, to get an idea of what your children do and which sites they visit frequently. Furthermore, Orkut is a social network, which means you can easily see who your children’s friends are and what data is exchanged.

Finally, to block specific sites on your child’s Windows computer without paying any money, follow the procedure below.

* Start – Run
* Enter notepad c:\windows\system32\drivers\etc\hosts
* Go to the last line and add:

* Save the file and quit Notepad

You can block any site you want with this technique. If you later want to unblock a certain site, simply remove the corresponding line using the same procedure. Be aware, however, that children are usually very smart and will find out about this technique sooner or later, so parental control software may be more appropriate.
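The same block and unblock edits as a script, added here as an illustration rather than part of the original text. A hosts line has the form `IP hostname`; pointing a hostname at 127.0.0.1 makes the browser connect to the local machine, where nothing answers. The sample hosts content and the `# blocked-by-parent` marker are my own assumptions, and writing the real file needs an administrator prompt.

```python
HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"  # file the Notepad step opens
TAG = "# blocked-by-parent"   # assumed marker so the script can find its own lines later

# Constructed stand-in for a fresh Windows hosts file.
SAMPLE_HOSTS = "# Windows hosts file\n127.0.0.1       localhost\n"


def _names(site):
    """Block both the bare domain and its www. form; they resolve independently."""
    site = site.strip().lower()
    bare = site[4:] if site.startswith("www.") else site
    return [bare, "www." + bare]


def _tagged_host(line):
    """Return the hostname if this line was added by this script, else None."""
    fields = line.split()
    if line.rstrip().endswith(TAG) and len(fields) >= 2:
        return fields[1]
    return None


def blocked_sites(text):
    """All hostnames currently blocked by lines carrying TAG."""
    return sorted({h for h in map(_tagged_host, text.splitlines()) if h})


def block_site(text, site):
    """Append 127.0.0.1 entries for the site; running it twice adds nothing."""
    present = set(blocked_sites(text))
    if text and not text.endswith("\n"):
        text += "\n"
    for name in _names(site):
        if name not in present:
            # 127.0.0.1 is the machine itself, where no web server answers.
            text += "127.0.0.1 %s %s\n" % (name, TAG)
    return text


def unblock_site(text, site):
    """Remove the lines this script added for the site, leaving others intact."""
    drop = set(_names(site))
    kept = [line for line in text.splitlines() if _tagged_host(line) not in drop]
    return "\n".join(kept) + "\n"


def update_hosts_file(edit, site, path=HOSTS_PATH):
    """Apply block_site or unblock_site to the real file (needs an admin prompt)."""
    with open(path, "r", encoding="utf-8") as fh:
        text = fh.read()
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(edit(text, site))


if __name__ == "__main__":
    updated = block_site(SAMPLE_HOSTS, "www.example.com")
    print(updated)
    print("blocked:", blocked_sites(updated))
    print("after unblock:", repr(unblock_site(updated, "example.com")))
```

Only lines carrying the marker are ever removed, so the stock `localhost` entry and anything else in the file survive an unblock. The technique blocks by hostname only: a different hostname for the same site, or a direct IP address, is not covered.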

Adobe Reader and Acrobat JBIG2 Processing Multiple Vulnerabilities

Adobe Acrobat is a program designed to create, manage and view Portable Document Format (PDF) files, and Adobe Reader is designed only to view and print PDFs. Both Adobe Acrobat and Reader have buffer overflow vulnerabilities in the handling of JBIG2 streams inside a PDF file. JBIG2 is an image coding standard for bi-level (black-and-white) images. One of the flaws stems from a four-byte value that represents the number of entries in a table and is used to allocate a buffer. This value is taken from the file without adequate checking, so a specially crafted PDF file can overflow the buffer. The other flaw is triggered by a malformed JBIG2 symbol dictionary segment in a malicious PDF file. There are also other unspecified errors in the processing of these JBIG2 streams. Potential attack vectors are sending the malicious PDF document as an email attachment, enticing the victim to visit a website hosting the document (for example via iframes), or placing the document on a file share. In each case the attacker has to convince the victim to open the file. Successful exploitation can lead to code execution. Some technical details are publicly available.

Affected: Adobe Acrobat Standard 8.1.3 and prior
Adobe Acrobat Standard 7.0.8 and prior
Adobe Acrobat Standard 9
Adobe Acrobat Standard 8.1 and prior
Adobe Acrobat Standard 7.1
Adobe Acrobat Reader (UNIX) 7.0.1 and prior
Adobe Acrobat Reader 8.1.3 and prior
Adobe Acrobat Reader 7.0.9 and prior
Adobe Acrobat Reader 9
Adobe Acrobat Reader 8.1 and prior
Adobe Acrobat Reader 7.1
Adobe Acrobat Professional 8.1.3 and prior
Adobe Acrobat Professional 7.0.9 and prior
Adobe Acrobat Professional 9
Adobe Acrobat Professional 8.1 and prior
Adobe Acrobat Professional 7.1
Adobe Acrobat 7.0.3 and prior

Microsoft Buffer Overflow Vulnerability on Graphical Device Interface GDIPlus EMF

There is a critical Microsoft vulnerability, disclosed recently, affecting almost all Windows versions:

Graphics Device Interface (GDI) is an application programming interface of Microsoft Windows. It is a core operating system component responsible for representing graphical objects. Microsoft Windows GDI has an integer overflow vulnerability in gdiplus.dll while processing Enhanced Metafile (EMF) files. Possible vectors to exploit the flaw are: (a) creating a web page containing a malicious WMF or EMF image file and enticing a user to visit it; (b) sending an email with a specially crafted EMF image file attached and convincing the user to view it; or (c) embedding the malicious image file in an Office document and convincing the user to open it. Successful exploitation may lead to code execution or denial of service. Technical details about the vulnerability are publicly available.

Affected versions:

Microsoft Windows XP Professional SP2
Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows XP Media Center Edition SP2
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows XP Media Center Edition
Microsoft Windows XP Home SP2
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows XP Gold 0
Microsoft Windows XP 0
Microsoft Office XP SP2 and prior
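Both advisories above describe the same bug class: a size or count read from the file is used to allocate a buffer without being checked, either because it is trusted outright (the JBIG2 table count) or because multiplying it by an element size wraps around in 32-bit arithmetic (the GDI+ EMF integer overflow). The Python below is an added example, not code from either vendor, using a simplified count-prefixed record of my own rather than the real JBIG2 or EMF layout; `ENTRY_SIZE` and `MAX_ENTRIES` are assumed values. It shows the wrapped allocation size a 32-bit parser would compute, and the two checks a hardened parser applies before it sizes anything from the count.

```python
import struct

ENTRY_SIZE = 4          # assumed size of one table entry in bytes
MAX_ENTRIES = 1 << 20   # assumed sanity bound a hardened parser enforces
UINT32_MAX = 0xFFFFFFFF


class MalformedRecord(ValueError):
    """Raised when a count-prefixed record fails validation."""


def wrapped_alloc_size(count, entry_size=ENTRY_SIZE):
    """What a 32-bit C parser gets for count * entry_size when the product
    wraps: a huge declared count turns into a tiny allocation, after which
    a copy loop driven by the unwrapped count runs off the end of it."""
    return (count * entry_size) & UINT32_MAX


def make_record(entries):
    """Constructed record layout: 4-byte big-endian count, then the entries."""
    return struct.pack(">I", len(entries)) + b"".join(struct.pack(">I", e) for e in entries)


def make_malicious_record(count, payload=b"A" * 64):
    """Constructed attacker input: declares `count` entries but carries 64 bytes."""
    return struct.pack(">I", count) + payload


def parse_table_checked(data):
    """Parse a record, validating the count before anything is sized by it."""
    if len(data) < 4:
        raise MalformedRecord("truncated header")
    (count,) = struct.unpack_from(">I", data, 0)
    if count > MAX_ENTRIES:
        # First check: an absolute cap keeps count * ENTRY_SIZE far from 2**32.
        raise MalformedRecord("declared %d entries, above the cap of %d" % (count, MAX_ENTRIES))
    needed = count * ENTRY_SIZE
    available = len(data) - 4
    if needed > available:
        # Second check: the declared size must fit in the bytes actually present.
        raise MalformedRecord("record needs %d bytes but only %d follow" % (needed, available))
    return [struct.unpack_from(">I", data, 4 + i * ENTRY_SIZE)[0] for i in range(count)]


def rejects(data):
    """True if the checked parser refuses the record."""
    try:
        parse_table_checked(data)
    except MalformedRecord:
        return True
    return False


if __name__ == "__main__":
    print(parse_table_checked(make_record([1, 2, 3])))
    evil = 0x40000001
    print("wrapped allocation for count %#x: %d bytes" % (evil, wrapped_alloc_size(evil)))
    print("checked parser rejects it:", rejects(make_malicious_record(evil)))
```

With a count of 0x40000001 the 32-bit product is 0x100000004, which wraps to a 4-byte allocation; the checked parser never reaches the multiplication because the cap rejects the count first, and a plausible count whose data is missing is caught by the second check.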

Data security on the internet – DES and RSA Encryption

Have you ever wondered what happens when you send personal data over the Internet (e.g. by e-mail)? When you send a message it passes through multiple computers, and a third party could intercept and read it. Imagine what would happen if government or military messages could be read by hackers. There must therefore be some kind of protection for sending and receiving messages, and of course there is. There are two types of encryption, symmetric and asymmetric cryptography. Both use keys to encrypt and decrypt messages; they differ in whether the same key does both jobs.

In symmetric cryptography the same key is used to encrypt and decrypt a message, so the key must be known to both the sender and the recipient. This requires a secure way of sharing it: classically the sender and recipient meet in private and agree on the key; in practice today the key is distributed with a key agreement protocol or with asymmetric cryptography, described next. If no secure way to share the key exists, symmetric cryptography alone cannot be used. A well known symmetric algorithm is the Data Encryption Standard (DES), developed by IBM and adopted in 1977 by the U.S. Government as its standard for encrypting sensitive information. Its 56-bit key is now far too short to resist brute force, and its successor Triple DES (3DES) has in turn largely been replaced by AES.

In asymmetric cryptography, on the other hand, two keys are used, one for encryption and another for decryption. Let us look at this case with an example using the RSA asymmetric cryptosystem. Assume one party wants to receive a message from another. The receiver generates two keys, a public key and a private key, which are uniquely tied to each other (for each private key there is only one public key). The receiver gives the sender the public key, which anyone may see. The sender encrypts the message with this key and sends it to the recipient. In transit the message can be seen by anyone but cannot be decrypted (at least with the RSA algorithm discussed below). When the receiver gets the encrypted message, he decrypts it with his private key.

You may be asking how this works: how can a message encrypted with the public key not be decrypted with the same key that produced it? This is the «magic» of mathematics: some operations are easy to perform but have no practical reverse, unless you hold a secret piece of information. As we said, the public and private keys are correlated; if you could work out the private key from the public one, you could break the encryption.

The RSA method was proposed in 1977 by the mathematicians Rivest, Shamir and Adleman, from whom it takes its name. Its philosophy is what was described above, and its security rests on the difficulty of factoring large numbers. We will not describe exactly how it operates, but we will give a very simple example to show why it is such a safe encryption method.

Assume you are given the number 133. Can you find two numbers (other than 1 and 133 itself) which, when multiplied together, give 133? No analytical formula is known, i.e. there is no formula that takes 133 as input and outputs its factors. The only way to find them is trial division: start with 2, 3, 4 ... and test until something divides 133 exactly (to be precise we need only test the primes 2, 3, 5, 7, 11, 13 ..., and only up to the square root of 133, roughly 11.5). After testing you find that 7 divides 133 exactly: 133 / 7 = 19, so the solution is the pair (7, 19).

Now imagine the number is not 3 digits long, like 133, but 1000 digits! The time needed to find two numbers that multiply to a 1000-digit number increases dramatically. (A typical RSA modulus today is 2048 bits, about 617 decimal digits.) The RSA method relies on there being no known algorithm that can factor such large numbers in a reasonable time.

As you will understand, the larger the number, the more time you need to split it into its two (prime) factors. If someone could do so in a short time (rather than many years), they could derive the private key from the public key and decrypt the encrypted messages.
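The following Python is an added example, not part of the original article, that carries the RSA exchange and the factoring argument above through in working code. It builds a key pair from the text's factors 7 and 19 (n = 133), encrypts and decrypts a small message, and then recovers the private key from the public key by trial division, which is exactly the step that becomes infeasible for a modulus hundreds of digits long. The choice of e = 5 for the small key and the 1009 × 1013 second key are my own; textbook RSA without padding, as here, is not safe to use as-is.

```python
from math import gcd, isqrt


def rsa_keygen(p, q, e=65537):
    """Build an RSA key pair from two primes. Returns (public, private) as (n, e), (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)            # Euler's totient of n; needs the factors to compute
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)                # the private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)


def rsa_encrypt(public, m):
    """Textbook RSA: c = m^e mod n. Real systems apply padding (OAEP) first."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def rsa_decrypt(private, c):
    """m = c^d mod n; only the holder of d can undo the encryption."""
    n, d = private
    return pow(c, d, n)


def trial_division_factor(n):
    """The search the text describes: test 2, then odd numbers up to sqrt(n).
    Any composite n has a factor no larger than its square root."""
    if n % 2 == 0:
        return 2
    f = 3
    limit = isqrt(n)
    while f <= limit:
        if n % f == 0:
            return f
        f += 2
    raise ValueError("%d has no non-trivial factor" % n)


def recover_private_key(public):
    """The attack: factor n, rebuild phi, and derive d from the public e.
    Instant for 133; hopeless for a 617-digit modulus."""
    n, e = public
    p = trial_division_factor(n)
    q = n // p
    phi = (p - 1) * (q - 1)
    return n, pow(e, -1, phi)


if __name__ == "__main__":
    # The text's example: n = 7 * 19 = 133; e = 5 is coprime to phi = 108.
    public, private = rsa_keygen(7, 19, e=5)
    c = rsa_encrypt(public, 42)
    print("public", public, "private", private, "ciphertext", c,
          "decrypted", rsa_decrypt(private, c))
    print("recovered from the public key alone:", recover_private_key(public))
```

For n = 133 the private exponent is 65 (5 × 65 = 325 = 3 × 108 + 1), the message 42 encrypts to 112, and `recover_private_key` gets the same 65 back from (133, 5) alone because 7 falls out of trial division immediately. The search grows with the square root of n, so every extra pair of digits in the modulus multiplies the attacker's work by ten.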