[This file is made available through the declassification and research efforts of The Black Vault, a Freedom of Information Act government record clearinghouse.]

Office of the Under Secretary
National Protection and Programs Directorate
U.S. Department of Homeland Security
Washington, DC 20528

John Greenewald, Jr.

Dear Mr. Greenewald:

Re: NPPD09F3722

This is the electronic final response to your Freedom of Information Act (FOIA) request to the Department of Homeland Security (DHS), dated July 10, 2009 and received by this office on July 16, 2009. You are seeking any and all DHS cyber security records (final copy memorandum, emails) from Directors to the Secretary and Deputy Secretary indicating what took place and the steps taken to secure our nation's network infrastructure concerning the July 2009 cyber attack on the United States causing disruption to major network systems.

A search of the Office of Cybersecurity and Communications for documents responsive to your request produced a total of 22 pages. Of those pages, I have determined that 14 pages of the records are releasable in their entirety and 8 pages are partially releasable pursuant to Title 5 U.S.C. § 552(b)(2) (high) (FOIA Exemption 2 (high)). Enclosed are 22 pages with certain information withheld as described below.

FOIA Exemption 2 (high) protects information applicable to internal administrative and personnel matters, such as operating rules, guidelines, and manuals of procedures of examiners or adjudicators, to the extent that disclosure would risk circumvention of an agency regulation or statute, impede the effectiveness of an agency's activities, or reveal sensitive information that may put the security and safety of an agency activity or employee at risk. Whether there is any public interest in disclosure is legally irrelevant. Rather, the
concern under "high 2" is that a FOIA disclosure should not benefit those attempting to violate the law and avoid detection.

You have a right to appeal the above withholding determination. Should you wish to do so, you must send your appeal and a copy of this letter within 60 days of the date of this letter to: Associate General Counsel (General Law), U.S. Department of Homeland Security, Washington, D.C. 20528, following the procedures outlined in the DHS regulations at 6 C.F.R. § 5.9. Your envelope and letter should be marked "FOIA Appeal." Copies of the FOIA and DHS regulations are available at www.dhs.gov/foia.

Provisions of the FOIA allow us to recover part of the cost of complying with your request. In this instance, because the cost is below the $14 minimum, there is no charge. 6 CFR § 5.11(d)(4).

If you need to contact our office again about this matter, please refer to NPPD09F3722. This office can be reached at 703-235-2211.

Sincerely,

FOIA Office
National Protection and Programs Directorate

Enclosure(s): Responsive Documents, 22 pages

----------

July 4, 2009
Point of contact: US-CERT, 703-235-5111
Unclassified / For Official Use Only

NPPD Information Bulletin: FCKeditor Vulnerability

US-CERT is aware of reports of a remote file upload vulnerability in FCKeditor version 2.6.4 that is being actively exploited in the wild. Currently there are no reported exploits in the Federal government. According to open source reports, a new version of FCKeditor that corrects this vulnerability will be made available on Monday, July 6, 2009. FCKeditor may be used in any of the following server applications: ASP.Net, ASP, ColdFusion, PHP, Java, Active-FoxPro, Lasso, Perl, Python.

Impact
Currently there are no known compromises of any government servers. US-CERT will continue to monitor this activity and update the impact assessment as necessary.

Current Actions
US-CERT
• Released an alert to the GFIRST community via the US-CERT portal on July 3, 2009 providing details of the vulnerability as well as recommendations to
mitigate the risk until a patch is released.
• Continuing to monitor for further developments.
• More information on this vulnerability can be found at http://isc.sans.org/diary.html?storyid=6715

----------

July 4, 2009
Point of contact: US-CERT, 703-235-5111
Unclassified / For Official Use Only

NPPD Information Bulletin: Potential SQL Injection Vulnerabilities on Government Servers

Summary
On July 3, 2009, US-CERT received notification from a third-party that several government web servers may be vulnerable to a SQL injection attack. US-CERT analysts have reviewed the websites and, while the sites are susceptible, there is no evidence of compromise at this time. The websites reported are listed below. Please note these URLs are obfuscated with "hxxp" and "dot" to prevent accidental execution.

hxxp://www dot okcommerce dot gov/index.php?option=com_content&task=view&id=12&Itemid=36'
hxxp://www dot senate dot michigan dot gov/dem/blog.php?id=121'
hxxp://www dot openworld dot gov/news/frontimages.php?lang=1'

Impact
Currently there are no known compromises of these sites; therefore the impact to the Federal government is low. If a SQL injection attack were to be leveraged against these servers, there is potential for a root level compromise, which could change the impact assessment at that time.

Current Actions
US-CERT
• Coordinating with the third-party reporter to obtain more details of the potential vulnerability on their website.
• Notified [(b)(2) High].
• Coordinate with [(b)(2) High] to notify affected parties of potentially vulnerable sites.
• Continue to coordinate with [(b)(2) High] to mitigate potential vulnerabilities.
• Continue to work with
MS-ISAC to mitigate potential vulnerabilities in state agency webservers.

MS-ISAC
• Notified affected state agencies of potentially vulnerable web sites.
• Continue to coordinate with agencies and US-CERT to mitigate potential vulnerabilities.

----------

July 6, 2009
Point of contact: US-CERT, 703-235-5111
Unclassified / For Official Use Only

NPPD Information Bulletin: Active Exploitation of Unpatched Vulnerability in Microsoft Video ActiveX Control

Summary
Microsoft has released Security Advisory 972890 to address reports of an unpatched vulnerability in Microsoft Video ActiveX Control. According to the advisory, an attacker who successfully exploits this vulnerability may be able to gain the same user rights as the local user. Additionally, when using Internet Explorer, remote code execution is possible and may not require any user intervention. Microsoft is aware of attempts to exploit this vulnerability. This vulnerability affects Windows XP and Windows Server 2003.

The Microsoft Video Control Object is an ActiveX control that connects Microsoft DirectShow filters for use in capturing, recording, and playing video. It is the main component that Microsoft Windows Media Center uses to build filter graphs for recording and playing television video. According to the advisory, when the ActiveX Control Object MPEG2TuneRequest is used in Internet Explorer, the control may corrupt the system state, which could allow an attacker to run arbitrary code. Microsoft states that Internet Explorer has no by-design uses for this ActiveX Control, including all of the Class Identifiers within msvidctl.dll that hosts the control, and therefore recommends removing support for all associated Class Identifiers.

This vulnerability may be exploited via a
web-based attack scenario. An attacker could host a web site that contains a specially crafted web page to exploit this vulnerability. In order for a user to become a victim, an attacker would have to lure the user to the compromised website, typically by convincing them to click on a link in an email or Instant Messenger message.

Impact
Currently there are no known compromises of any Federal government systems.

Current Actions
US-CERT
• Coordinated with Microsoft to review the advisory prior to its public release.
• Released multiple products to ensure broadest situational awareness of this vulnerability and to provide recommendations to mitigate the risk until a patch is available:
  o Current Activity Entry (public website)
  o Vulnerability Note VU#180513 (public website)
  o Technical Security Alert TA09-187A (public website)
  o Cyber Security Alert (non-technical) SA09-187A (public website)
  o Situational Awareness Report (SAR) to the GFIRST community via the US-CERT portal
  o Critical Infrastructure Information Notice (CIIN) to ISACs and Critical Infrastructure partners via the US-CERT portal and vetted external distribution lists
• Conducting a CIO/CISO Unclassified Conference Call on July 7, 2009 at 11 AM EST to discuss this vulnerability and web security in general.
• More information about this vulnerability is available in the MS Advisory: http://www.microsoft.com/technet/security/advisory/972890.mspx

Microsoft
• Provided the Microsoft Advisory to US-CERT prior to its release.
• Developing a security update to address this vulnerability.

----------

July 8, 2009
Point of contact: US-CERT, 703-235-5111
Unclassified / For Official Use Only

NPPD Information Bulletin: Incident
Involving DHS SOC Analyst Account

Summary
On June 17, 2009, US-CERT observed an alert generated from a DNS query and response on an Einstein 2 sensor [(b)(2) High]. This alert was reported to the DHS SOC shortly thereafter. On June 20, 2009, DHS SOC notified US-CERT that a DHS SOC analyst's Einstein user account may have been compromised. Later, DHS SOC and US-CERT found no indication that the Einstein account was compromised. US-CERT had the account disabled immediately to protect the integrity of Einstein. After Einstein administrators reviewed account logs, they confirmed the analyst's Einstein account was never logged into.

According to DHS SOC, the analyst was investigating why a PDF file sent to a [(b)(2) High] user was not loading properly. During this investigation, the analyst opened the [(b)(2) High] attachment and subsequently infected his system. Further investigation revealed that two [(b)(2) High] users' systems, along with the analyst's system, were infected with a key logger. These systems queried a suspicious domain but did not make any connections to the domain itself. The key logger files were sent to US-CERT for analysis, which revealed that the DHS analyst was setting up his Secure Shell (SSH) client in order to log into his Einstein user account. There were no indications that the user logged into the account while the key logger was present on his system. Analysis of the DNS system logs by the DHS SOC and US-CERT showed DHS requests to the suspicious domain but no evidence of sessions that would indicate data exfiltration had taken place.

Impact
Due to the analyst's Einstein account being disabled quickly and the confirmation that the account had not been logged
into, the impact to DHS and the Federal government is minimal at this time. Although three systems were infected with the malware, there were no indications of agency data being exfiltrated from the network.

Current Actions
US-CERT
• Notified DHS SOC of the Einstein 2 alert generated from the DNS query and response.
• Analyzed Einstein data to ensure no further compromises were observed.
• Notified the appropriate system administrator to have the user account disabled.
• Analyzed the key logger files provided by DHS SOC to determine if any connections to the suspicious domain were made.
• Coordinated with DHS SOC to investigate the details of the incident.
• Obtained a copy of the malware for analysis.
• Continue to monitor this activity and provide assistance to the agency as needed.

DHS SOC / DHS [(b)(2) High]
• Coordinated with US-CERT to provide details of the incident, the related key logger files, and associated malware.
• Removed the infected [(b)(2) High] systems from the network.

----------

July 10, 2009
Point of contact: US-CERT, 703-235-5111
Unclassified / For Official Use Only

NPPD Information Bulletin (UPDATE): DDoS Attacks Against Agency Websites

Summary
On July 4, 2009, US-CERT received a report from the [(b)(2) High] of a possible Distributed Denial of Service (DDoS) attack against their web servers and those of several components. The DDoS severely degraded the availability of their websites. Following the initial report from [(b)(2) High], US-CERT proceeded to test the availability of other major public websites operated by executive branch agencies. From July 4-6, 2009, the following agencies either reported experiencing similar attacks or were notified by US-CERT of degraded performance of their websites: [(b)(2) High].

On July 6, 2009, US-CERT received an anonymous tip that [(b)(2) High] was also affected by this DDoS attack. US-CERT contacted [(b)(2) High] and confirmed that they were experiencing an ongoing DDoS attack, but that their websites were not affected due to carrier level black-holing and broad blocks on PAC-ASIA IP
addresses. At this time, reporting from all impacted parties suggests that the majority of the botnet clients involved in these attacks are located in the Asia Pacific region, although the specific botnet(s) involved are not known. US-CERT has contacted all affected agencies to determine if they are back online and, if not, the steps they are taking to do so. [(b)(2) High] is working with Sprint to initiate a carrier level block, while [(b)(2) High] is back online after Verizon initiated a carrier level block. US-CERT is still awaiting responses from the other affected agencies.

Current Actions
US-CERT
• Continues to monitor and analyze Einstein data for signs of additional agencies being attacked.
• Reached out to the National Communications Center (NCC) Watch and NCI-JTF to provide situational awareness and issue a request for information for any additional details from other partners in the community.
• Reached out to the impacted agencies for additional information, including log files and other technical data which could be used to diagnose and counter this type of attack.
• Contacting Akamai to obtain more information regarding these attacks.
• Organizing an engineer-to-engineer call with [(b)(2) High] to better understand the defensive measures they implemented.
• Conducting a CIO/CISO conference call on Tuesday, July 7, 2009 to review defensive steps agencies can take during a DDoS, web security best practices, and the recent Microsoft Video ActiveX Control vulnerability. Requested [(b)(2) High] contact CIO/CISOs prior to the conference call to provide them updated information and also to ask for updated status information.

UPDATE 7/7/2009 (am)
• US-CERT/NCC conducted a conference call with the ISPs, including Verizon, Sprint, AT&T, and Qwest. US-CERT agreed to the following actions on the call and has
completed all of these:
• Sent each individual carrier a list of their customers affected.
• Sent a technical description of the issue to each carrier.
• Compiled and sent sanitized flow data to each carrier for review.
• Sent each carrier a technical contact for engineer-to-engineer collaboration.
• Spoke with Akamai regarding information sharing concerning this incident. Akamai stated they could not share information with US-CERT because US-CERT is not their customer.
• Identified [(b)(2) High] web site as a victim web site via their Einstein 1 sensor.
• Requested DHS SOC reach out through [(b)(2) High] as the customer and request further information concerning this incident.
• Conducted an engineer-to-engineer call with [(b)(2) High] to discuss their defensive mitigation strategy.
• Working with NCSD's National Security Deployment branch to develop a script to determine if a department/agency web site is up and returning pages.

UPDATE 7/7/2009 (pm)
• Contacted the six affected agencies to determine if their websites and the websites of their components were back up and functioning properly. All affected agencies reported they are back online.
• Conducted a Federal Department and Agency (D/A) CIO/CISO Call.
• Encouraged all Departments and Agencies to know their carrier, web provider, or caching provider (i.e., Sprint, AT&T, Verizon, Qwest, etc.), including contact information for use in time of emergency.
• Reviewed the Tactics, Techniques, and Procedures of this DDoS.
• Warned the D/As about the dangers of Structured Query Language (SQL) injection attacks, as three D/As were shown to be vulnerable to these types of attacks. SQL injection is an attack technique that attempts to subvert the relationship between a webpage and its supporting database, typically in order to trick the database into executing malicious code (see http://www.us-cert.gov/reading_room/sql200901.pdf).
• Recommended all D/As test their websites for these vulnerabilities and warned that SQL injection is a favored exploit for the highest
threat actors. Additionally, US-CERT reminded the participants that web attacks often lead to data exfiltration attacks, not necessarily just web site defacement.
• Reviewed the Microsoft ActiveX vulnerability (http://www.microsoft.com/technet/security/advisory/972890.mspx) and associated mitigation strategies.
• Released a Federal Information Notice (FIN) to the GFIRST community via the US-CERT portal to provide departments and agencies details about these attacks as well as recommendations for detecting and mitigating them.
• Released a Critical Infrastructure Information Notice (CIIN) to the ISACs, Critical Infrastructure partners, and U5 communities via the US-CERT portal to provide organizations details about these attacks as well as recommendations for detecting and mitigating them.
• Participated in a telecommunication engineer working group.
• Received malware binary [(b)(2) High].
• Reverse engineering and analyzing binary code. Malware Analysis produced a file with a target domain list.
• Contacted additional possible victim sites:
  o .mil sites: JTF-GNO contacted.
  o nyse.com, usbank.com: [(b)(2) High].
  o finance.yahoo.com, usauctionslive.com, washingtonpost.com: contacted these organizations directly.
• [(b)(2) High]
• Developing a script to test website health.

UPDATE 7/8/2009 (pm)
• Shared the NPPD Information Bulletin with the DHS NOC for distribution to the White House Situation Room, the Office of Legislative Affairs (OLA) for distribution to the Capitol Hill staff, and [(b)(2) High].
• Participated in a conference call with Senate Majority and Minority Staffers from the Senate Homeland Security and Government Affairs Committee regarding the DDoS event.
• Participated in a conference call with Congressman Langevin and
staff regarding the DDoS event.
• [(b)(2) High] Preliminary reports indicate the malware is known.
• Coordinated with DHS Public Affairs to develop Public Affairs Guidance (PAG) regarding the DDoS attacks and mitigation strategies.
• Contacted the six affected agencies to determine if their websites and the websites of their components were functioning properly and if they had any new information to share with US-CERT. All affected agencies reported their sites are functioning properly and they had no new information to share.
• JTF-GNO reported the effects of the DDoS have been minimized on .mil. JTF-GNO also conducted malware analysis that indicated this malware is known.
• Coordinated information sharing with the New York Stock Exchange (NYSE) regarding the attacking IP addresses and mitigation strategies.
• Shared the malware binary with Antivirus Vendors (Symantec, McAfee, TrendMicro, and Microsoft) and Security Information and Event Management (SIEM) tool vendors (ArcSight, EMC/RSA, Symantec, Netwitness, [(b)(2) High]). All indicated this is known malware. Antivirus vendors have current signatures already available and recommend updating antivirus software and scanning systems.
• Conducted conference calls with the various Information Sharing and Analysis Centers (ISACs) and Antivirus Vendors to discuss the status of the DDoS attacks, the latest details surrounding the attacks, indicators, and mitigation strategies.
• Assisting States.
• Shared three command and control IP addresses with the Communications ISAC (COMMS-ISAC) that were found in the malware code. COMMS-ISAC is sharing this information with their constituents and requesting the ISPs initiate blocks for those IP addresses.
• Notified the [(b)(2) High] of a formal request from the Korean Embassy made to the National Cyber Security Division (NCSD) to seize the Command and Control machine determined to have been located in the United States.
• Shared information with the Internet Corporation for Assigned Names and
Numbers (ICANN) and will continue to work with them regarding this issue.
• Briefed CIO/CISOs with an update on the DDoS activity at the Information Security and Identity Management Council (ISIMC).
• [(b)(2) High] in developing a brief for the President of the United States.
• Supported the Deputy Undersecretary in connection with Press interviews and inquiries related to the DDoS attacks.
• Developing a technical information product detailing the characteristics of these DDoS attacks as well as detection and mitigation strategies that can be distributed outside the Federal government. This product is being developed due to an overwhelming number of requests for technical information.
• Conducting a conference call with international partners (Usual 5) on Thursday, July 9, 2009 at 7 AM EST.
• Current indicators show that the DDoS attacks within the United States have stabilized while activity in Korea continues at a high rate. US-CERT believes the stabilization within the United States is due to broad carrier level blocks.

UPDATE 7/9/2009
• Conducted a conference call with International Partners (U5) to discuss the status of the DDoS attacks, the latest details surrounding the attacks, indicators, and mitigation strategies.
• Participated in a conference call with Opsec-Trust (aka Ops-Trust) to discuss details of the DDoS attacks and share information across the community. Ops-Trust is a highly vetted community of security professionals focusing on the operational robustness, integrity, and security of the Internet.
• Contacted the Department of State to inquire about open source reporting that stated the American Embassy in Korea was affected by these DDoS attacks. The Department of State reported no observed or reported issues with the American Embassy in Korea.
• Contacted JTF-GNO to confirm open source reporting that usfk.mil was under renewed DDoS attack. JTF-GNO reported no issues.
• [(b)(2) High] had to fail over to an alternate content site due to concentrated DDoS activity against one of their web servers. The site was offline for six minutes but has since resumed normal functionality.
• Received detailed malware analysis report from JTF-GNO. US-CERT is reviewing this report.
• Shared details and mitigation strategies for the DDoS attacks with the International Watch and Warning Network.
• Received additional information regarding new command and control IP addresses. US-CERT is currently vetting and confirming this information.
• Conducting a conference call with IT-ISAC on Friday, July 10, 2009 at 2:00 EDT to discuss the details and mitigation strategies of the DDoS attacks.
• Developing a detailed timeline of events surrounding these DDoS attacks.

UPDATE 7/10/2009
• Director of US-CERT briefed Secretary Napolitano on the DDoS incident.
• Director of US-CERT briefed Deputy Secretary Lute on the DDoS incident.
• Director of US-CERT briefed HPSCI staff on the DDoS incident.
• Conducted conference calls with MS-ISAC and IT-ISAC to discuss the DDoS attacks.
• Released an updated Federal Information Notice (FIN) to the GFIRST community and an updated Critical Infrastructure Information Notice (CIIN) to the ISACs, Critical Infrastructure partners, and US communities.
• Released a Malware Initial Findings Report (MIFR) to the GFIRST community, ISACs, Critical Infrastructure partners, and International community (U5) via the US-CERT secure portal. This report details initial analysis of the malware related to the DDoS attacks.
  o US-CERT malware analysis has determined that several compromised sites related to this DDoS incident were hosting flash.gif files containing an embedded executable program. This executable program will scan the infected system for specific file extensions. When a match occurs, the malicious executable program will compress the contents of the hard drive into a password protected zip file, which will
render the system unbootable.

NCC
• NCC/US-CERT conducted a conference call with ISPs, to include AT&T, Sprint, Verizon, and Qwest.

----------

July 16, 2009
Point of contact: US-CERT, 703-235-5111
Unclassified / For Official Use Only

NPPD Information Bulletin: New Variant of Clampi Trojan

Summary
On [date illegible] 2009, the [(b)(2) High] reported that an unknown Trojan had infected up to 155 systems. US-CERT analysis conducted on July 13 did not reveal any significant anomalous activity emitting from the [(b)(2) High] network. On July 15, the [(b)(2) High] CSIRC was able to identify the Trojan as a variant of Clampi. The Clampi Trojan has been circulating since early 2008. Clampi has the ability to propagate itself across a Windows domain via psexec, which is a legitimate remote process execution tool provided by Microsoft. [(b)(2) High] attempted to implement a Group Policy Object (GPO) on July 15 to eliminate all copies of psexec and thus prevent Clampi from spreading. It was then discovered that this variant of Clampi makes duplicates of psexec, changing the filename as it does, which prevents the GPO from stopping the spread of the Trojan. At approximately 2200 on July 15, the [(b)(2) High] CSIRC contacted US-CERT to update that the Clampi Trojan had spread widely across [(b)(2) High] networks and was resisting attempts at containment and cleanup. Via interaction with Symantec, the [(b)(2) High] CSIRC had learned that the variant of Clampi infesting their systems is a new variant. Symantec Security Response has stated that an increased number of Clampi infections have been observed since July 1, 2009.

Impact
The impact of this incident to the [(b)(2) High] is considered to be moderate. Although the degree of infection across the network and difficulty of remediation are high, the [(b)(2) High] has not yet reported a significant impact to mission-critical operations.

Summary of Malware
Associated Active Domains/IPs:
78 dot 47 dot 61 dot 229 (try dot mojitoboom dot in)
64 dot 22 dot 130 dot 201 (direct dot matchbox dot vc)
64 dot 22 dot 131 dot 2 (pop3 dot re-factoring dot cn)
96 dot 6 dot 147 dot 49 (secure dot loderunner dot in)

If a user with a privileged account (system administrator) logs onto a compromised system, the malware propagates using a legitimate service (psexec) under that account. If this method of propagation is not available, the malware attempts to connect to three accounts (administrator, guest, noguest) using a blank password. Please note the malware does not attempt brute force access into the accounts. The initial infection vector is still being researched at this time, but does include possible delivery via dropper malware. Initial analysis indicates a low antivirus detection rate for the malware binary.

Current Actions
US-CERT
• Published a GFIRST Alert to warn the community of the threat.
• Contacted partner organizations, to include CMU/SEI, JTF-GNO, and NTOC, to request more information and analysis of this Trojan.
• Will continue to provide assistance to the [(b)(2) High] as needed.

Updates from this morning:
• Reviewed Einstein for traffic to the resolving IPs of the domains described in the GFIRST Alert and found no reason to believe any other agencies are experiencing significant outbreaks of this malware at this time.
• Completed an Initial Findings Report analysis of malware samples received from [(b)(2) High].
• Contacted [(b)(2) High] CSIRC at 14:00 to obtain most recent update.

[(b)(2) High]
• Applying updated AV signatures as they become available, accompanied by more intensive AV scanning and cleaning policies network-wide.

----------

US-CERT
UNITED STATES COMPUTER EMERGENCY READINESS TEAM

Critical Infrastructure Information Notice CIIN-09-188-01A (UPDATE)
July 10, 2009
Distributed Denial of Service Attacks Against US Web Sites
Overview US-CERT has confirmed that multiple organizations have been impacted by massive Distributed Denial of Service DDoS attacks against their public-facing web sites These attacks began on July 4 2009 US-CERT is issuing this notice to warn organizations of this activity and to help mitigate against continued attacks of a similar nature Details A DDoS attack is an attempt to significantly degrade the availability of a system by overloading it with network traffic and or service requests until it can no longer function as intended The DDoS attacks addressed by this document appear to utilize at least four different attack vectors • • • Flooding the target IP address with UDP traffic on port 80 Since this vector utilizes connectionless UDP instead ofTCP it is possible that the source IP address may be spoofed UDP port 80 traffic is not normally used for legitimate communications and thus is relatively trivial to detect and block Flooding the target IP address with TCP traffic on port 80 generally using SYN packets but in some cases sending other flags or combinations of flags such as ACK RST SYN-RST or RSTACK SYN flooding using TCP is difficult to detect and block without affecting legitimate users As with the UDP floods described above these attacks may use spoofed addresses as the source IP if the goal of the attack does not require a full-connect handshake to succeed Full-connect HTTP GET requests also using TCP port 80 containing valid URLs It is not known at this time if these requests can be identified as malicious due to any anomalous attributes T documenl is UNCLASSIFJEDI FOR OFFICIAL USE ONLY U FOUO It contains infn - ction that may be exempt from public release unaer fhe F · ed JrrtO l11formation Act 5 U S C 552 Tt s C l controlled stored handled transmitted distributed and disposed of in accordance with the n' pcrt ru vf HO ' Iand Security policy relating to FOUO information and is not to be released to the p c i vr 01her personnel who do not have a 
valid need to know without prior approval of the US-CERT Operations Center at 1-888-282-0870. No portion of this report shall be furnished to the media, either in written or verbal form.

otherwise such service requests will appear completely legitimate except for the abnormally high volume at which they are sent to the target.
• Higher than usual volumes of ICMP Echo Request traffic (PING floods). This activity is not as consistent and does not carry as significant an impact as the preceding attack vectors. This vector may also utilize spoofed source addresses.

Note that while three of the four attack vectors described above may use spoofed IP addresses, there have been no indications that significant amounts of spoofed source addresses are being used in these attacks at this time. US-CERT does want to caution organizations to practice due diligence in protecting their systems and be aware that source IP addresses related to this attack can and have changed.

UPDATE: Additional Analysis
Malware analysis has revealed the following list of IPs have been identified as command and control (C2) servers associated with this activity. Each of these servers is hosting a "flash.gif" file which is retrieved by the infected hosts.

US-CERT Critical Infrastructure Information Notice - CIIN-09-188-01A - July 10, 2009 - Page 2 of 5

UPDATED Recommendations
US-CERT recommends that organizations implement the following to help detect and mitigate the effects of similar DDoS attacks:
• Implement bogon[1] blacklists at the network boundary to ensure that attacks using spoofed source IP addresses are automatically blocked if the spoofed IP belongs to an invalid address range. More information regarding bogon address space is available at http://www.team-cymru.org/Services/Bogons/.
• Enable SYN Cookie functionality on public-facing servers. This may result in an impact to
operations when not under attack.
• Ensure that all contact information for web hosting and internet service providers is up-to-date and that all operations personnel are aware of how to escalate critical information to the appropriate service representatives if a DDoS is detected.
• Monitor network traffic for any increase in UDP port 80, TCP ACK packets with no preceding SYN, or any other anomalous increase in traffic volume targeting a web server. If such increases can be tracked to certain IP addresses with a high degree of confidence, then the IP address in question is participating in a DDoS attack. Consider blocking those IP addresses or address ranges with an Access Control List at the perimeter.
• Employ service screening on edge routers wherever possible in order to decrease the load on stateful security devices such as firewalls in case an attack occurs.
  o A strong candidate for blocking by default on edge routers is UDP port 80.
• Monitor network egress points to ensure your network is not participating in these attacks. If you have internal systems communicating on UDP port 80 or attempting to reach any of the command and control IPs, then your network may be participating in the attacks.
• Establish accurate resource utilization baselines and ensure that all critical systems have some degree of excess capacity for dealing with exigent circumstances.
• Review US-CERT Cyber Security Tip ST04-015, "Understanding Denial-of-Service Attacks".

[1] Bogon is an informal name for an IP packet on the public Internet that claims to be from an area of the IP address space reserved but not yet allocated or delegated by the Internet Assigned Numbers Authority (IANA) or a delegated Regional Internet Registry (RIR). http://en.wikipedia.org/wiki/Bogon_filtering

Organizations should follow their established internal procedures if any suspected malicious activity is observed and report their findings to US-CERT for correlation against other incidents. US-CERT reminds organizations that proper impact analysis and risk assessment should be performed prior to taking defensive measures.

Contact US-CERT
For any questions related to this report, please contact US-CERT at:
Email: soc@us-cert.gov
Voice: 1-888-282-0870
Incident Reporting Form: https://forms.us-cert.gov/report

Document FAQ
What is a CIIN?
A Critical Infrastructure Information Notice (CIIN) is intended to provide warning to US critical infrastructure owners and operators when a particular cyber event or activity has the potential to impact critical infrastructure computing networks.

I see that this document is labeled as UNCLASSIFIED//FOR OFFICIAL USE ONLY (U//FOUO). Can I distribute this to other people?
Per the U//FOUO warning, this document is to be distributed only to those parties who have a valid need to know. It may be shared within a company, industry association, sector coordinating council, or ISAC/ISO if the receiving person or group has a direct role in securing networks or systems that enable or support US critical infrastructures. If necessary, please contact US-CERT for clarification or specific distribution inquiries.

Can I edit this document to include additional information?
This document is not to be edited, changed, or modified in any way by recipients. All comments or questions related to this document should be directed to the US-CERT Security Operations Center at 1-888-282-0870 or soc@us-cert.gov.

Federal Information Notice - FIN-09-188-01A - UPDATE - July 10, 2009
Distributed Denial of Service Attacks Against US Web Sites

Overview
US-CERT has confirmed that multiple federal agencies have been impacted by massive Distributed Denial of Service (DDoS) attacks against their public-facing web sites. These attacks began on July 4, 2009. US-CERT is
issuing this notice to warn agencies and organizations of this activity and to help mitigate against continued attacks of a similar nature.

Details
A DDoS attack is an attempt to significantly degrade the availability of a system by overloading it with network traffic and/or service requests until it can no longer function as intended. The DDoS attacks addressed by this document appear to utilize at least four different attack vectors:
• Flooding the target IP address with UDP traffic on port 80. Since this vector utilizes connectionless UDP instead of TCP, it is possible that the source IP address may be spoofed. UDP port 80 traffic is not normally used for legitimate communications and thus is relatively trivial to detect and block.
• Flooding the target IP address with TCP traffic on port 80, generally using SYN packets but in some cases sending other flags or combinations of flags such as ACK, RST, SYN-RST, or RST-ACK. SYN flooding using TCP is difficult to detect and block without affecting legitimate users. As with the UDP floods described above, these attacks may use spoofed addresses as the source IP if the goal of the attack does not require a full-connect handshake to succeed.
• Full-connect HTTP GET requests, also using TCP port 80, containing valid URLs. It is not known at this time if these requests can be identified as malicious due to any anomalous attributes; otherwise such service requests will appear completely legitimate except for the abnormally high volume at which they are sent to the target.
• Higher than usual volumes of ICMP Echo Request traffic (PING floods). This activity is not as consistent and does not carry as significant an impact as the preceding attack vectors. This vector may also utilize spoofed source addresses.

Note that while three of the four attack vectors described above may use spoofed IP addresses, there have been no indications that significant amounts of spoofed source addresses are being used in these attacks at this time. US-CERT does want to caution federal departments and agencies to practice due diligence in protecting their systems and be aware that source IP addresses related to this attack can and have changed.

This document is UNCLASSIFIED//FOR OFFICIAL USE ONLY (U//FOUO). It contains information that may be exempt from public release under the Freedom of Information Act (5 U.S.C. 552). It is to be controlled, stored, handled, transmitted, distributed, and disposed of in accordance with Department of Homeland Security policy relating to FOUO information and is not to be released to the public or other personnel who do not have a valid need to know without prior approval of the US-CERT Operations Center at 1-888-282-0870. No portion of this report shall be furnished to the media, either in written or verbal form.

UPDATE: Additional Analysis
Malware analysis has revealed the following list of IPs have been identified as command and control (C2) servers associated with this activity. Each of these servers is hosting a "flash.gif" file which is retrieved by the infected hosts.

UPDATED Recommendations
US-CERT recommends that agencies implement the following to help detect and mitigate the effects of similar DDoS attacks:
• Implement bogon[1] blocklists at the network boundary to ensure that attacks using spoofed source IP addresses are automatically blocked if the spoofed IP belongs to an invalid address range. More information regarding bogon address space is available at http://www.team-cymru.org/Services/Bogons/.
• Enable SYN Cookie functionality on public-facing servers. This may result in an impact to operations when not under attack.
• Ensure that all contact information for
web hosting and internet service providers is up-to-date and that all operations personnel are aware of how to escalate critical information to the appropriate service representatives if a DDoS is detected.
• Monitor network traffic for any increase in UDP port 80, TCP ACK packets with no preceding SYN, or any other anomalous increase in traffic volume targeting a web server. If such increases can be tracked to certain IP addresses with a high degree of confidence, then the IP address in question is participating in a DDoS attack. Consider blocking those IP addresses or address ranges with an Access Control List at the perimeter.
• Employ service screening on edge routers wherever possible in order to decrease the load on stateful security devices such as firewalls in case an attack occurs.
  o A strong candidate for blocking by default on edge routers is UDP port 80.
• Monitor network egress points to ensure your network is not participating in these attacks. If you have internal systems communicating on UDP port 80 or attempting to reach any of the command and control IPs, then your network may be participating in the attacks.
• Establish accurate resource utilization baselines and ensure that all critical systems have some degree of excess capacity for dealing with exigent circumstances.
• Review US-CERT Cyber Security Tip ST04-015, "Understanding Denial-of-Service Attacks".

[1] Bogon is an informal name for an IP packet on the public Internet that claims to be from an area of the IP address space reserved but not yet allocated or delegated by the Internet Assigned Numbers Authority (IANA) or a delegated Regional Internet Registry (RIR). http://en.wikipedia.org/wiki/Bogon_filtering

Agencies should follow their established internal procedures if any suspected malicious activity is observed and report their findings to US-CERT for correlation against other incidents. US-CERT reminds agencies that proper impact analysis and risk assessment should be performed prior to taking defensive measures.

Contact US-CERT
For any questions related to this report, please contact US-CERT at:
Email: soc@us-cert.gov
Voice: 1-888-282-0870
Incident Reporting Form: https://forms.us-cert.gov/report

Document FAQ
What is a FIN?
Generally labeled UNCLASSIFIED//FOR OFFICIAL USE ONLY (FOUO), a Federal Information Notice (FIN) is intended to provide warning to federal agencies when a particular cyber event/activity has affected three or more federal agencies. A FIN provides information about the cyber incident and makes recommendations for preventing or mitigating risks.

I see that this document is labeled as UNCLASSIFIED//FOR OFFICIAL USE ONLY (U//FOUO). Can I distribute this to other people?
Per the U//FOUO warning, this document may be shared with personnel who have a valid need to know within your federal agency. In the case of a FIN, this is defined as a person or group that has a direct role in securing federal networks. If necessary, please contact US-CERT for clarification or specific distribution inquiries.

Can I edit this document to include additional information?
This document is not to be edited, changed, or modified in any way by recipients. All comments or questions related to this document should be directed to the US-CERT Security Operations Center at 1-888-282-0870 or soc@us-cert.gov.
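The traffic-monitoring recommendation from both notices (watch for UDP port 80 traffic, TCP ACK packets with no preceding SYN, and anomalous per-source volume toward a web server, then treat the resulting sources as candidates for a perimeter ACL only after impact analysis) written out as detection logic over flow records. This is an added example and not code from the US-CERT notices; the flow records, the web server address and the per-source baseline threshold are constructed.

```python
from collections import defaultdict

# Constructed flow records (src, dst, proto, dport, tcp_flags); not traffic
# from the notices. Flag letters follow tcpdump: S=SYN, A=ACK, R=RST.
WEB_SERVER = "203.0.113.10"   # constructed target address
SAMPLE_FLOWS = (
    [("198.51.100.7", WEB_SERVER, "udp", 80, "")] * 3          # UDP/80 flood
    + [("198.51.100.8", WEB_SERVER, "tcp", 80, "S"),            # normal client:
       ("198.51.100.8", WEB_SERVER, "tcp", 80, "A")]            # SYN then ACK
    + [("198.51.100.9", WEB_SERVER, "tcp", 80, "A"),            # ACK, no SYN
       ("198.51.100.9", WEB_SERVER, "tcp", 80, "RA")]
    + [("198.51.100.20", WEB_SERVER, "tcp", 80, "S")] * 500     # SYN flood
    + [("198.51.100.8", WEB_SERVER, "tcp", 443, "S")]           # not port 80
)


def analyze(flows, target, baseline_per_source=100):
    """Return the indicator sets from the notices' monitoring bullet.

    baseline_per_source stands in for the measured normal volume the
    notices ask operators to establish; more than that is anomalous.
    """
    udp80, ack_without_syn, syn_seen = set(), set(), set()
    volume = defaultdict(int)
    for src, dst, proto, dport, flags in flows:
        if dst != target or dport != 80:
            continue                       # only port 80 toward the server
        volume[src] += 1
        if proto == "udp":
            udp80.add(src)                 # UDP/80 is never legitimate here
        elif proto == "tcp":
            if "S" in flags:
                syn_seen.add(src)          # handshake started normally
            elif "A" in flags and src not in syn_seen:
                ack_without_syn.add(src)   # ACK with no preceding SYN
    high_volume = {s for s, n in volume.items() if n > baseline_per_source}
    return {"udp80": udp80, "ack_without_syn": ack_without_syn,
            "high_volume": high_volume}


def acl_candidates(findings):
    """Sources matching any indicator. The notices say to block only after
    impact analysis, and that attacking source addresses change."""
    return sorted(set().union(*findings.values()))


if __name__ == "__main__":
    result = analyze(SAMPLE_FLOWS, WEB_SERVER)
    for name, sources in result.items():
        print(f"{name}: {sorted(sources)}")
    print("review for perimeter ACL:", acl_candidates(result))
```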