-----BEGIN PGP SIGNED MESSAGE-----

             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
             __________________________________________________________

                             INFORMATION BULLETIN

                                Targeted Attacks

July 18, 2005 23:00 GMT                                           Number P-256
______________________________________________________________________________
PROBLEM:        We are seeing more targeted attacks both within and outside
                of the DOE. These attacks use e-mails and malicious code that
                are specifically targeted to a group or company. The
                malicious code is crafted to not be detected by current
                antivirus programs. As it is targeted to a small group of
                people, it is not likely to get into the antivirus vendors'
                detection signatures quickly.

PLATFORM:       Primarily Windows systems, but could target any system via
                e-mail, websites, instant messaging, and file sharing.

DAMAGE:         The attacks result in information gathering on compromised
                systems, installation of spyware, and installation of
                remote control software.

SOLUTION:       Be wary of unexpected e-mails, even those from people in
                your own organization. Start using cryptographic signing of
                messages to authenticate the sender.
______________________________________________________________________________
VULNERABILITY   The risk is HIGH. A successful compromise could result in
ASSESSMENT:     remotely rooted systems and disclosure of sensitive
                information.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:  http://www.ciac.org/ciac/bulletins/p-256.shtml
 PATCHES:        US-CERT bulletin Technical Cyber Security Alert TA05-189A,
                 Targeted Trojan Email Attacks
                 http://www.us-cert.gov/cas/techalerts/TA05-189A.html
 CVE/CAN:        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
______________________________________________________________________________

Introduction
============

In recent months we have seen more examples of targeted attacks using e-mail and malicious code. Unlike viruses and worms, which use a shotgun approach to spreading, these attacks take the opposite approach and attack a small group of IP addresses or e-mail accounts. We believe the reasons for this are twofold. First, malicious code that uses the shotgun approach is quickly picked up by the antivirus vendors, who add detection signatures to their products within a day of the code's release. Malicious code that targets a small number of systems is unlikely to be spotted and reported to the antivirus vendors, and so will not be detected by antivirus scanners. Second, the creators of the malicious code want something specific from the site being attacked. Reasons could be espionage, industrial espionage, payback by a disgruntled employee, etc.

Attack Description
==================

The attacks we are seeing are primarily spread by e-mail, though they could easily spread by file sharing, instant messaging, malicious websites, or open shares. For example, the following e-mail message was used to carry a malicious PDF file to a small group of people.

    Subject: XXXXXX Meeting
    To: xxx

    Dear Colleagues,

    In regards to today's XXXXX meeting at 3pm, I have attached a preliminary file for your reading. As you know, Xxxxx will continue to allow the large experiments that currently have dedicated resources to have first priority usage of certain resources that are purchased on their behalf.
    The attached PDF will bring you up to date before the meeting to ensure a smooth transition.

    Xxx Xxxxxx
    CD-Computing Division Office
    Lab Extension: 12345
    Mail Station 123

As you can see, the message is well written, contains enough local references to make it appear legitimate, and appears to have come from a real person. If this came from one of your managers, you would likely open the attached PDF file without checking to see whether it really came from your manager.

Here is another:

    Subject: Mandatory Security Reading

    All,

    Please review the Security Update attachment. This reading is mandatory for all NNSA employees. Once you have read the document, follow the link at the end of the Security Update to verify you have completed this required reading. Remember this is mandatory and must be completed ASAP.

    security@nnsa.doe.gov
    123-456-1234

Again, we have all received legitimate e-mails like this requiring us to read and verify some new security update.

And another:

    Subject: Article Input Request
    To: xxx

    Dear Readers,

    The Lab News has decided to implement a new article every week. These articles will be focused on various individuals throughout the lab. We have selected a few Senior Members to fill out a questionnaire about their work. Please take a couple of minutes to fill out the attached questionnaire.

    Thank you for your time,
    Lab News Team
    Communications Department
    MS 123, 1 Some Road, Somewhere, Somestate 12345
    (123) 123-1234  Fax: (123) 123-1234

An article about you in the local paper is a definite career builder, so you would likely open the attached questionnaire to see what kinds of things they want to know about you.

In all these cases, if you had opened the attachment you would have installed malicious code on your system: code that collects information about you, sends it off to a remote site, and then installs more code of the intruder's choice on your system.
Potential Damage
================

Having remote control access to a manager's system would be an ideal situation for an intruder planning to collect information or do damage to a company. He could read any file on the system, including all of the manager's e-mail. From that e-mail, he could determine the names of the system administrators of the various company systems and send mail to those people containing the malicious code, requesting an account for the intruder, or asking for anything else that the manager would be expected to request of a system administrator.

Detecting Fraudulent Messages
=============================

There are several things you can do to detect fraudulent messages:

  • Reading Message Headers
  • Requesting Verification
  • Message Signing

Reading Message Headers
=======================

One thing you can do right away if you have any question about the authenticity of a message is to view the message headers to see where the message really came from. Unfortunately, most mail readers hide the message headers, so you will first have to determine how to make the headers visible.

Eudora
------

If you use Eudora as your mail reader it is relatively simple to make the headers visible. Open a message; along the top of the open window is a button marked "Blah Blah Blah". Click that button and the message headers become visible.

Outlook and Outlook Express
---------------------------

If you use Microsoft's mail readers, open a message and choose the File, Properties command. Choose the Details tab and the message headers are in the open window.

Other Mail Readers
------------------

For other mail readers, you will need to check the documentation to see how to make the headers visible.

Reading the Headers
===================

E-mail message headers are everything at the top of the e-mail message. They are separated from the body of the e-mail message by one blank line. Headers include the To:, From:, and Subject: fields that are visible in most mail readers.
Unfortunately, it is possible to fake those fields. The header fields you are interested in are the Received: from headers at the top of the message. For example, below is a Nigerian 419 scam e-mail with its headers.

    Return-Path:
    Received: from smtp-2.llnl.gov ([128.115.250.82] verified)
      by mailbe-2.llnl.gov (CommuniGate Pro SMTP 4.1.8) with ESMTP id 25791052
      for orvis1@mail.llnl.gov; Fri, 15 Jul 2005 08:50:30 -0700
    Received: from ciac.org (ciac.org [198.128.39.4])
      by smtp-2.llnl.gov (8.12.3p2-20030917/8.12.3/LLNL evision: 1.15 $) with ESMTP id j6FFoMU7014881
      for ; Fri, 15 Jul 2005 08:50:23 -0700 (PDT)
    Received: from hotmail.com (bay15-f23.bay15.hotmail.com [65.54.185.23])
      by ciac.org (8.11.7p1+Sun/8.11.6/LLNL-6.2) with ESMTP id j6FFmor27196
      for ; Fri, 15 Jul 2005 08:48:50 -0700 (PDT)
    Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
      Fri, 15 Jul 2005 08:49:22 -0700
    Message-ID:
    Received: from 196.3.60.17 by by15fd.bay15.hotmail.msn.com with HTTP;
      Fri, 15 Jul 2005 15:49:22 GMT
    X-Originating-IP: [196.3.60.17]
    X-Originating-Email: [musasike4@devbankofsouthafrica.com]
    X-Sender: musasike4@devbankofsouthafrica.com
    Reply-To: lmusasike10@excite.com
    From: "lewis musasike"
    To: musasike4@devbankofsouthafrica.com
    Subject: HELLO
    Date: Fri, 15 Jul 2005 15:49:22 +0000
    Mime-Version: 1.0
    Content-Type: text/plain; format=flowed
    X-OriginalArrivalTime: 15 Jul 2005 15:49:23.0012 (UTC) FILETIME=[C5499840:01C58954]
    X-Scanned-By: MIMEDefang 2.39

    Hello,

    I am Mr Lewis Musasike, General Manager(Treasury) of Development Bank of Southern Africa.This is an urgent and very confidential business proposition.

Note that everything below the line marked X-Originating-IP: can be faked. An intruder could also fake some of the Received: from headers, but then they would not match. The Received: from headers start just above the line marked X-Originating-IP:.
As an e-mail message passes from mailer to mailer on its way from the sender to the receiver, each mailer adds a Received: from header to the top of the message. Thus, the Received: from headers build up from the top of the message as the mail moves from mailer to mailer. Look at the first Received: from header, just above the line marked X-Originating-IP:

    Received: from 196.3.60.17 by by15fd.bay15.hotmail.msn.com with HTTP;
      Fri, 15 Jul 2005 15:49:22 GMT

This being the first Received: from header, the address received from is the original sender of the message. Here, that is 196.3.60.17. As this IP address is not one of our local IP addresses, I can be sure that this message was not sent by my manager or anyone from my company.

Looking at another header,

    Received: from hotmail.com (bay15-f23.bay15.hotmail.com [65.54.185.23])
      by ciac.org (8.11.7p1+Sun/8.11.6/LLNL-6.2) with ESMTP id j6FFmor27196
      for ; Fri, 15 Jul 2005 08:48:50 -0700 (PDT)

this one has a slightly different format. Here the name hotmail.com is what the previous mailer told the mailer that is adding the header its name was. Many worms and viruses fake this value. However, the next part, (bay15-f23.bay15.hotmail.com [65.54.185.23]), is created by the mailer adding the header and cannot be faked, so always use the values in parentheses to tell you who the message was really received from.

Note that while it is possible to stick fake Received: from headers on the top of a message before sending it, the fake headers will likely result in a discontinuity in the path the message takes or in the dates and times at which the message is passed along.

Requesting Verification
=======================

Another option is to reply to the message without reading the attachment, asking the sender if he or she really sent it. This is relatively easy to do but requires you to wait for the sender's reply before opening the attachment. When sending the reply, make sure the message is going to the correct person.
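The header walk from "Reading the Headers" above, as an added example that is not part of the CIAC bulletin: it reads the Received: chain from the bottom up, reports the originating address, and flags the three things the bulletin says to look for (an origin outside the local networks, a hop whose timestamp runs backwards beyond ordinary clock skew, and a claimed hostname that does not match what the receiving mailer recorded in parentheses). LOCAL_NETS, the five-minute skew tolerance and the trimmed SAMPLE are assumptions.

```python
"""Walk a Received: chain as the bulletin describes: the bottom header is the origin, each
mailer stamps a new one on top, and the bracketed host/IP is written by the receiving mailer.
Added example, not from the CIAC bulletin; LOCAL_NETS, the skew tolerance and SAMPLE are assumed."""
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("128.115.0.0/16", "198.128.39.0/24")]
SKEW_TOLERANCE_S = 300  # cooperating mailers' clocks are rarely exact
HOP_RE = re.compile(r"from\s+(?P<claimed>\S+)(?:\s*\((?P<verified>[^)]*)\))?"
                    r".*?\bby\s+(?P<by>\S+)")
IP_RE = re.compile(r"(?:\[|^)(\d{1,3}(?:\.\d{1,3}){3})(?:\]|$)")

def parse_hops(raw):
    """Hops oldest-first: name the sender claimed, what the receiver recorded, IP, by, time."""
    hops = []
    for hdr in reversed(message_from_string(raw).get_all("Received", [])):
        hdr = " ".join(hdr.split())  # unfold continuation lines
        if not (m := HOP_RE.search(hdr)):
            continue
        verified = m.group("verified") or ""
        ip = IP_RE.search(verified) or IP_RE.search(m.group("claimed"))
        hops.append({"claimed": m.group("claimed"), "verified": verified, "by": m.group("by"),
                     "ip": ip.group(1) if ip else None,
                     "time": parsedate_to_datetime(hdr.rsplit(";", 1)[1].strip())})
    return hops

def analyze(raw):
    """Return (origin IP, findings): non-local origin, time running backwards, name mismatch."""
    hops, findings = parse_hops(raw), []
    origin = hops[0]["ip"] if hops else None
    if origin and not any(ipaddress.ip_address(origin) in net for net in LOCAL_NETS):
        findings.append(f"origin {origin} is not a local address")
    for prev, cur in zip(hops, hops[1:]):
        lag = (cur["time"] - prev["time"]).total_seconds()
        if lag < -SKEW_TOLERANCE_S:  # a stamped-in header breaks the time sequence
            findings.append(f"{cur['by']} stamped {-lag:.0f}s before {prev['by']}")
        seen = cur["verified"].split(" ")[0]  # host as recorded by the receiving mailer
        if seen and not seen.startswith("[") and seen.split(".")[-2:] != cur["claimed"].split(".")[-2:]:
            findings.append(f"sender claimed {cur['claimed']} but receiver saw {seen}")
    return origin, findings
# The 419 message quoted in the bulletin, re-folded and trimmed to four of its Received: lines.
SAMPLE = """\
Received: from smtp-2.llnl.gov ([128.115.250.82] verified) by mailbe-2.llnl.gov
  (CommuniGate Pro SMTP 4.1.8) with ESMTP id 25791052; Fri, 15 Jul 2005 08:50:30 -0700
Received: from ciac.org (ciac.org [198.128.39.4]) by smtp-2.llnl.gov
  with ESMTP id j6FFoMU7014881; Fri, 15 Jul 2005 08:50:23 -0700 (PDT)
Received: from hotmail.com (bay15-f23.bay15.hotmail.com [65.54.185.23]) by ciac.org
  with ESMTP id j6FFmor27196; Fri, 15 Jul 2005 08:48:50 -0700 (PDT)
Received: from 196.3.60.17 by by15fd.bay15.hotmail.msn.com with HTTP; Fri, 15 Jul 2005 15:49:22 GMT
"""
```

The 32-second backward step between hotmail.com and ciac.org in the sample is ordinary clock skew and stays under the tolerance; only a hop stamped minutes earlier than its predecessor is reported.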
Message Signing
===============

The best way to verify a message is with cryptographic message signing, but doing so requires a company-wide infrastructure to be in place before it can work. Programs such as PGP and Entrust provide a message signing capability.

The way message signing works is that a cryptographic checksum of the message is calculated using the sender's secret key. The receiver decrypts that checksum using the sender's public key. If the secret and public keys are not a legitimate key pair, or if the message has been changed in any way, the cryptographic checksum fails and you cannot trust the sender or the content of the message. The cryptographic checksum is sufficiently difficult to calculate without knowing the private key that it is nearly impossible to change a signed message and have the signature still be valid.

To make this work, the sender must have created a public and private key pair and have previously sent the public key to the receiver in a manner such that the receiver is sure that the public key really does belong to the sender. How you do that depends on which program you use to manage your keys. Entrust has a site-wide infrastructure that securely communicates the keys from person to person in the background. With PGP you must manually send the key to the receiver or make it available on a trustworthy key server.

Conclusions
===========

Targeted attacks against our systems are increasing and are difficult to detect because they do not trigger antivirus or spyware detectors. This does not mean that you should not keep your antivirus and spyware detectors up to date, as they are still effective against a large class of malicious code. Currently, the way to detect attack messages is to authenticate the sender of the message to make sure he really sent the message and attachment. You can do so by checking the e-mail headers, validating the message with the sender, or by using cryptographic signatures.
Using cryptographic signatures is the easiest and most accurate solution for the general user once the public key infrastructure is in place.

______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights.
Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

P-246: Microsoft Word Font Parsing Vulnerability
P-247: Microsoft Vulnerability in JView Profiler
P-248: Microsoft Color Management Module Vulnerability
P-249: krb5 Security Update
P-250: Critical Patch Update - July 2005
P-251: Mozilla Security Updates
P-252: Firefox Security Updates
P-253: Solaris Runtime Linker Vulnerability
P-254: 'tiff' Buffer Overflow Vulnerability
P-255: Heimdal