OpenSSL Still Wide Open to BOF
Plus: Check Point BOF; zombies and botnets; and rootkits
OpenSSL was patched in September 2006 for a buffer overflow vulnerability
in the SSL_get_shared_ciphers() function. That patch, however, did not
completely resolve the issue and an announcement recently went out that
stated that it's still possible to overflow a buffer in that function.
have been released
It took almost a year to get the majority of products that use the OpenSSL
library to issue patches for the 2006 problem, so expect it to take a
similar amount of time for this one.
Check Point Lets 'Em Through
A proof of concept exploit has been released which is alleged to run at
the local console of a Check Point Firewall-1 R60 system. A
SecurityFocus article points to researchers who have published a paper
discussing their findings, which they claim includes many buffer overflow
vulnerabilities exploitable at the local console. There has yet to be
any respond from Check Point.
At this point, to be exploitable, a criminal must be able to run code
on the Check Point system. Such access should be restricted to trusted
users only, individuals who would likely have permission to execute code
of their choice on the platform anyway.
Throw the Book at Bot Herders
The Central Valley Business Times of Sacramento reports
on a 21-year-old California man who was indicted on four counts of electronic
transmission of codes to cause damage to protected computers. He's alleged
to have controlled some 7,000 bots in a botnet and used them to conduct
Denial of Service attacks against two businesses.
Lets hope we see more and more of these indictments. There has
been a severe lack of prosecutions against bot herders.
Meanwhile, F-Secures Mika Stahlberg believes that bot herders are
breaking their big botnets down into smaller chunks in order to help avoid
detection and shutdown, says this
article at News.com. Stahlberg also believes that virus-writing criminals
have stopped trying to make technically sophisticated malware, and instead
are simply pushing out myriad variants in an attempt to thwart anti-virus
As far as variants go, theres little doubt that 10,000 unique pieces
of malware a day will do some damage to AV companies' attempts to thwart
As far as botnets go, certainly smaller botnets means the criminal is
likely to keep some of them longer, just the way numerous variants of
malware work. As for why -- beyond the obvious, that they dont want
to lose their money-making machines -- speculation of other motives run
the gambit. At some point, however, this strategy is likely to fail for
the criminals. They are either going to need too many people to control
the botnets to keep them quiet, or theyre going to have to automate
control of them, leading once again to some single point of command and
control that could be detected.
This column was originally
published in our weekly Security Watch newsletter. To
subscribe, click here.
Rootkits on the Virtual Frontier?
According to researchers from Carnegie Mellon University, Standford University,
VMware and UBC/XenSource, building a transparent VMM is fundamentally
infeasible, and, we believe the potential for preventing VMM
detection under close scrutiny is illusory -- and fundamentally in conflict
with the technical limitations of virtualized platforms. They have
published a joint paper, Compatibility is Not Transparency: VMM
Detection Myths and Realities (.PDF
here), that provides reasons why and some insights into how to detect
stealthy virtual machine monitors or hypervisors.
The authors reasonably point out that eventually malware criminals are
going to either pass up a large percentage of potential victims by preventing
themselves from running on VM platforms, or, run regardless. Ergo, while
it will likely remain a constant topic of conversation, the creation of
a VMM that can completely hide itself is neither useful nor practical.
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.