Tuesday, June 16, 2009

Chance of virus attack and solutions.

Name: Flame.so / Flame.php
Appeared: Summer & Fall 2005
Uses: PHP's dynamic loader function, dl()

Description: Attackers exploit insecure PHP scripts to load flame.php and flame.so onto the server. The attacker then accesses flame.php, which loads flame.so as a PHP module. The active PHP module injects malicious code into each PHP page.

Systems Affected: Any system with the dl() function enabled

Disable dl() in php.ini
– enable_dl = Off
The specific flame.so exploit has been patched in PHP 4.4+, but variations of it can still be seen because of the nature of the dynamic loader function.



============================================

Name: Apache DSO
Appeared: Summer & Fall 2007
Uses: Apache's Dynamic Module Support

Description: Attackers exploit an insecure script to place a custom Apache module on the server. The attackers then use a specially crafted URL to load the module using Apache's dynamic module support. This allows malicious code to be served into each request.

Systems Affected: Any system running Apache 1.3.34 and lower

Uses a technique introduced in Phrack to ensure the code modification persists to new Apache children:
http://www.phrack.org/issues.html?issue=59&id=8&mode=txt


============================================

Name: Random JavaScript Toolkit
Appeared: Fall & Winter 2007 and Early 2008
Uses: Root SSH Access

Description: Attackers obtain root login information using viruses placed on a user's PC. The virus sends all login information used on that PC to a master server, where it is logged and used to install a rootkit that serves malicious content into random web requests.

Systems Affected: RedHat 4/5, CentOS 4/5
Modifies 7 system binaries:
– /sbin/ifconfig
– /sbin/fsck
– /sbin/route
– /bin/basename
– /bin/cat
– /bin/mount
– /bin/touch
Technically not a loadable kernel module (LKM); modifies the kernel directly through /dev/mem

Injects IFrame text into pages, after the body tag
Sometimes random, sometimes consistent


– Need to have root to modify the binaries
– The infected binaries ensure the rootkit persists after a reboot
– Someone logs in as root without brute force
– Found simple port 22 passwords, and also convoluted passwords on random ports
– Attacker installs a rootkit based on Boxer
– Serves malicious code to random web requests without any direct HTML modification
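As an added defender-side example (not from the original post), two checks against the behaviour described in this entry: a hash baseline over the seven binaries the rootkit modifies, and a diff that isolates whatever a served page carries right after the body tag that the file on disk does not. The sample HTML and the host iframe-placeholder.invalid are constructed for the example.

```python
"""Two checks for the rootkit behaviour described above (added example).
1. Hash baseline over the seven system binaries it modifies.
2. Isolate content a served page carries right after <body> that the
   file on disk does not, since the code is served without touching the HTML."""
import hashlib
import re

# The seven binaries named in the post.
WATCHED_BINARIES = ["/sbin/ifconfig", "/sbin/fsck", "/sbin/route",
                    "/bin/basename", "/bin/cat", "/bin/mount", "/bin/touch"]

def sha256_file(path):
    """SHA-256 of a file read in chunks; None if it cannot be read."""
    h = hashlib.sha256()
    try:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    except OSError:
        return None
    return h.hexdigest()

def build_baseline(paths=WATCHED_BINARIES):
    """Hash the watched binaries on a known-clean host; keep the result off-box,
    because the infected binaries themselves (cat, mount, ...) cannot be trusted."""
    return {p: sha256_file(p) for p in paths}

def compare_baseline(current, baseline):
    """Paths whose hash changed or that vanished since the baseline, sorted."""
    return sorted(p for p, digest in baseline.items() if current.get(p) != digest)

BODY_TAG = re.compile(r"<body\b[^>]*>", re.IGNORECASE)

def injected_after_body(served, on_disk):
    """Text the served page has right after <body> that the on-disk file lacks;
    '' when both agree there. Pages without <body> are compared from the start."""
    def tail(html):
        m = BODY_TAG.search(html)
        return html[m.end():] if m else html
    s, d = tail(served), tail(on_disk)
    n = 0  # length of the longest common suffix of the two tails
    while n < min(len(s), len(d)) and s[-1 - n] == d[-1 - n]:
        n += 1
    return s[:len(s) - n]

# Constructed sample: the page on disk, and the same page as served by an infected host.
SAMPLE_ON_DISK = "<html><head><title>t</title></head><body>\n<h1>Hi</h1>\n</body></html>"
SAMPLE_IFRAME = '<iframe src="http://iframe-placeholder.invalid/" width="0" height="0"></iframe>'
SAMPLE_SERVED = SAMPLE_ON_DISK.replace("<body>", "<body>" + SAMPLE_IFRAME, 1)

if __name__ == "__main__":
    print("injected:", injected_after_body(SAMPLE_SERVED, SAMPLE_ON_DISK))
```

Because the injection is random across requests, fetch the same page several times and run the comparison on each response rather than on a single capture.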


=============================================

Name: Gozi
Appeared: Spring 2007
Uses: Login credentials
Internet Explorer lets Winsock handle SSL; Gozi hooks this
Also takes all client certificates from the Windows certificate store

Requests are encrypted and repeated to a data-collecting machine via HTTP in real time
Protocols like FTP, SMTP, IMAP, POP and HTTP all use plain text
In order to obtain passwords, just watch the Ethernet traffic
It's easy to download WinPcap and windump
Tools have existed for years on Linux that use libpcap and grab all login information from plaintext protocols
