Security Watch

OpenSSL Still Wide Open to BOF

Plus: Check Point BOF; zombies and botnets; and rootkits

OpenSSL was patched in September 2006 for a buffer overflow vulnerability in the SSL_get_shared_ciphers() function. That patch, however, did not completely resolve the issue: a recent announcement states that it is still possible to overflow a buffer in that function. Patches have been released.

It took almost a year to get the majority of products that use the OpenSSL library to issue patches for the 2006 problem, so expect it to take a similar amount of time for this one.

Check Point Lets 'Em Through
A proof-of-concept exploit has been released which is alleged to run at the local console of a Check Point Firewall-1 R60 system. A SecurityFocus article points to researchers who have published a paper discussing their findings, which they claim include many buffer overflow vulnerabilities exploitable at the local console. There has yet to be any response from Check Point.

At this point, exploitation requires that the attacker already be able to run code on the Check Point system. Such access should be restricted to trusted users only, individuals who would likely have permission to execute code of their choice on the platform anyway.

Throw the Book at Bot Herders
The Central Valley Business Times of Sacramento reports on a 21-year-old California man who was indicted on four counts of electronic transmission of codes to cause damage to protected computers. He's alleged to have controlled some 7,000 bots in a botnet and used them to conduct Denial of Service attacks against two businesses.

Let’s hope we see more and more of these indictments. There has been a severe lack of prosecutions against bot herders.

Meanwhile, F-Secure's Mika Stahlberg believes that bot herders are breaking their big botnets down into smaller chunks in order to help avoid detection and shutdown, according to this article. Stahlberg also believes that virus-writing criminals have stopped trying to make technically sophisticated malware, and instead are simply pushing out myriad variants in an attempt to thwart anti-virus technology.

As far as variants go, there's little doubt that 10,000 unique pieces of malware a day will do some damage to AV companies' attempts to keep up with malware.

As far as botnets go, smaller botnets certainly mean the criminal is likely to keep some of them longer, just the way numerous variants of malware work. As for why -- beyond the obvious, that they don't want to lose their money-making machines -- speculation about other motives runs the gamut. At some point, however, this strategy is likely to fail for the criminals. They are either going to need too many people to control the botnets to keep them quiet, or they're going to have to automate control of them, leading once again to some single point of command and control that could be detected.

This column was originally published in our weekly Security Watch newsletter.

Rootkits on the Virtual Frontier?
According to researchers from Carnegie Mellon University, Stanford University, VMware and UBC/XenSource, "building a transparent VMM is fundamentally infeasible", and, "we believe the potential for preventing VMM detection under close scrutiny is illusory -- and fundamentally in conflict with the technical limitations of virtualized platforms." They have published a joint paper, "Compatibility is Not Transparency: VMM Detection Myths and Realities" (PDF), that explains why and offers some insights into how to detect stealthy virtual machine monitors or hypervisors.

The authors reasonably point out that eventually malware criminals are going to either pass up a large percentage of potential victims by refusing to run on VM platforms, or run regardless. Ergo, while it will likely remain a constant topic of conversation, the creation of a VMM that can completely hide itself is neither useful nor practical.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
