US-CERT has received information from multiple sources about coordinated distributed denial-of-service (DDoS) attacks with targets that included U.S. government agency and entertainment industry websites. The loosely affiliated collective "Anonymous" allegedly promoted the attacks in response to the shutdown of the file hosting site MegaUpload and in protest of proposed U.S. legislation concerning online trafficking in copyrighted intellectual property and counterfeit goods (Stop Online Piracy Act, or SOPA, and Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act, or PIPA).
US-CERT has evidence of two types of DDoS attacks: One using HTTP GET requests and another using a simple UDP flood.
The Low Orbit Ion Cannon (LOIC) is a denial-of-service attack tool associated with previous Anonymous activity. US-CERT has reviewed at least two implementations of LOIC. One variant is written in JavaScript and is designed to be used from a web browser. An attacker can access this variant of LOIC on a website and select targets, specify an optional message, throttle attack traffic, and monitor attack progress. A binary variant of LOIC includes the ability to join a botnet to allow nodes to be controlled via IRC or RSS command channels (the "HiveMind" feature).
The following is a sample of LOIC traffic recorded in a web server log:
"GET /?id=1327014400570&msg=We%20Are%20Legion! HTTP/1.1" 200 99406 "hxxp://pastehtml.com/view/blafp1ly1.html" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
The following sites have been identified in HTTP referrer headers of suspected LOIC traffic. This list may not be complete. Please do not visit any of the links as they may still host functioning LOIC or other malicious code.
"hxxp://3g.bamatea.com/loic.html"
"hxxp://anonymouse.org/cgi-bin/anon-www.cgi/""hxxp://chatimpacto.org/Loic/"
"hxxp://cybercrime.hostzi.com/Ym90bmV0/loic/"
"hxxp://event.seeho.co.kr/loic.html"
"hxxp://pastehtml.com/view/bl3weewxq.html"
"hxxp://pastehtml.com/view/bl7qhhp5c.html"
"hxxp://pastehtml.com/view/blafp1ly1.html"
"hxxp://pastehtml.com/view/blakyjwbi.html"
"hxxp://pastehtml.com/view/blal5t64j.html"
"hxxp://pastehtml.com/view/blaoyp0qs.html"
"hxxp://www.lcnongjipeijian.com/loic.html"
"hxxp://www.rotterproxy.info/browse.php/704521df/ccc21Oi8/vY3liZXJ/jcmltZS5/ob3N0emk/uY29tL1l/tOTBibVY/wL2xvaWM/v/b5/fnorefer"
"hxxp://www.tandycollection.co.kr/loic.html"
"hxxp://www.zgon.cn/loic.html"
"hxxp://zgon.cn/loic.html"
"hxxp://www.turbytoy.com.ar/admin/archivos/hive.html"
The following are the A records for the referrer sites as of January, 20, 2012:
3g[.]bamatea[.]com
A 218[.]5[.]113[.]218
cybercrime[.]hostzi[.]com
A 31[.]170[.]161[.]36
event[.]seeho[.]co[.]kr
A 210[.]207[.]87[.]195
chatimpacto[.]org
A 66[.]96[.]160[.]151
anonymouse[.]org
A 193[.]200[.]150[.]125
pastehtml[.]com
A 88[.]90[.]29[.]58
lcnongjipeijian[.]com
A 49[.]247[.]252[.]105
www[.]rotterproxy[.]info
A 208[.]94[.]245[.]131
www[.]tandycollection[.]co[.]kr A
121[.]254[.]168[.]87
www[.]zgon[.]cn
A 59[.]54[.]54[.]204
www[.]turbytoy[.]com[.]ar
A 190[.]228[.]29[.]84
The HTTP requests contained an "id" value based on UNIX time and user-defined "msg" value, for example:
GET
/?id=1327014189930&msg=%C2%A1%C2%A1NO%20NOS%20GUSTA%20LA%20
Other "msg" examples:
msg=%C2%A1%C2%A1NO%20NOS%20GUSTA%20LA%20
msg=:)
msg=:D
msg=Somos%20Legion!!!
msg=Somos%20legi%C3%B3n!
msg=Stop%20S.O.P.A%20:)%20%E2%99%AB%E2%99%AB HTTP/1.1" 200 99406
"http://pastehtml.com/view/bl7qhhp5c.html"
msg=We%20Are%20Legion!
msg=gh
msg=open%20megaupload
msg=que%20sepan%20los%20nacidos%20y%20los%20que%20van%20a%20nacer%20que%20nacimos%20para%20vencer%20y%20no%20para%20ser%20vencidos
msg=stop%20SOPA!!
msg=We%20are%20Anonymous.%20We%20are%20Legion.%20We%20do%20not%20forgive.%20We%20do%20not%20forget.%20Expect%20us!
The "msg" field can be arbitrarily set by the attacker.
As of January 20, 20012, US-CERT has observed another attack that consists of UDP packets on ports 25 and 80. The packets contained a message followed by variable amounts of padding, for example:
66:6c:6f:6f:64:00:00:00:00:00:00:00:00:00 |
flood.........
Target selection, timing, and other attack activity is often coordinated through social media sites or online forums.
US-CERT is continuing research efforts and will provide additional data as it becomes available.
There are a number of mitigation strategies available for dealing with DDoS attacks, depending on the type of attack as well as the target network infrastructure. In general, the best practice defense for mitigating DDoS attacks involves advanced preparation.
Feedback can be directed to US-CERT.
Produced 2012 by US-CERT, a government organization. Terms of use
January 24, 2012: Initial release
There are multiple vulnerabilities in Microsoft Windows and Microsoft Developer Tools and Software. Microsoft has released updates to address these vulnerabilities.
The Microsoft Security Bulletin Summary for January 2012 describes multiple vulnerabilities in Microsoft Windows. Microsoft has released updates to address the vulnerabilities.
A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.
Apply updates
Microsoft has provided updates for
these vulnerabilities in the Microsoft
Security Bulletin Summary for January 2012. That bulletin describes any
known issues related to the updates. Administrators are encouraged to note these
issues and test for any potentially adverse effects. In addition, administrators
should consider using an automated update distribution system such as Windows Server
Update Services (WSUS).
Feedback can be directed to US-CERT.
Produced 2012 by US-CERT, a government organization. Terms of use
January 10, 2012: Initial release
Most Wi-Fi access points that support Wi-Fi Protected Setup (WPS) are affected.
Wi-Fi Protected Setup (WPS) provides simplified mechanisms to configure secure wireless networks. The external registrar PIN exchange mechanism is susceptible to brute force attacks that could allow an attacker to gain access to an encrypted Wi-Fi network.
WPS uses a PIN as a shared secret to authenticate an access point and a client and provide connection information such as WEP and WPA passwords and keys. In the external registrar exchange method, a client needs to provide the correct PIN to the access point.
An attacking client can try to guess the correct PIN. A design vulnerability reduces the effective PIN space sufficiently to allow practical brute force attacks. Freely available attack tools can recover a WPS PIN in 4-10 hours.
For further details, please see Vulnerability Note VU#723755 and further documentation by Stefan Viehbock and Tactical Network Solutions.
An attacker within radio range can brute-force the WPS PIN for a vulnerable access point. The attacker can then obtain WEP or WPA passwords and likely gain access to the Wi-Fi network. Once on the network, the attacker can monitor traffic and mount further attacks.
Update Firmware
Check your access point vendor's support website for updated firmware that addresses this vulnerability. Further information may be available in the Vendor Information section of VU#723755 and in a Google spreadsheet called WPS Vulnerability Testing.
Disable WPS
Depending on the access point, it may be possible to disable WPS. Note that some access points may not actually disable WPS when the web management interface indicates that WPS is disabled.
Feedback can be directed to US-CERT.
Produced 2012 by US-CERT, a government organization. Terms of use
January 06, 2012: Initial release
Adobe has released Security Bulletin APSB11-30, which describes multiple vulnerabilities affecting Adobe Reader and Acrobat.
Adobe Security Bulletin APSB11-30 and Adobe Security Advisory APSA11-04 describe a number of vulnerabilities affecting Adobe Reader and Acrobat. These vulnerabilities affect Reader and Acrobat 9.4.6 and earlier 9.x versions. These vulnerabilities also affect Reader X and Acrobat X 10.1.1 and earlier 10.x versions.
An attacker could exploit these vulnerabilities by convincing a user to open a specially crafted PDF file. The Adobe Reader browser plug-in, which can automatically open PDF documents hosted on a website, is available for multiple web browsers and operating systems.
Adobe Reader X and Adobe Acrobat X will be patched in the next quarterly update scheduled for January 10, 2012.
Additional details for the U3D memory corruption vulnerability can be found in US-CERT Vulnerability Note VU#759307.
These vulnerabilities could allow a remote attacker to execute arbitrary code, write arbitrary files or folders to the file system, escalate local privileges, or cause a denial of service on an affected system as the result of a user opening a malicious PDF file.
Update Reader
Adobe has released updates to address this issue. Users are encouraged to read Adobe Security Bulletin APSB11-30 and update vulnerable versions of Adobe Reader and Acrobat.
In addition to updating, please consider the following mitigations.
Disable Flash in Adobe Reader and Acrobat
Disabling Flash in Adobe Reader will mitigate attacks that rely on Flash content embedded in a PDF file. Disabling 3D & Multimedia support does not directly address the vulnerability, but it does provide additional mitigation and results in a more user-friendly error message instead of a crash. To disable Flash and 3D & Multimedia support in Adobe Reader 9, delete, rename, or remove access to these files:
Microsoft Windows"%ProgramFiles%\Adobe\Reader
9.0\Reader\authplay.dll"
"%ProgramFiles%\Adobe\Reader
9.0\Reader\rt3d.dll"
Apple Mac OS
X"/Applications/Adobe Reader 9/Adobe
Reader.app/Contents/Frameworks/AuthPlayLib.bundle"
"/Applications/Adobe Reader 9/Adobe
Reader.app/Contents/Frameworks/Adobe3D.framework"
GNU/Linux (locations may vary among distributions)"/opt/Adobe/Reader9/Reader/intellinux/lib/libauthplay.so"
"/opt/Adobe/Reader9/Reader/intellinux/lib/librt3d.so"
File locations may be different for Adobe Acrobat or other Adobe products that include Flash and 3D & Multimedia support. Disabling these plugins will reduce functionality and will not protect against Flash content that is hosted on websites. Depending on the update schedule for products other than Flash Player, consider leaving Flash and 3D & Multimedia support disabled unless they are absolutely required.
Disable JavaScript in Adobe Reader and Acrobat
Disabling JavaScript may prevent some exploits from resulting in code execution. Acrobat JavaScript can be disabled using the Preferences menu (Edit -> Preferences -> JavaScript; uncheck Enable Acrobat JavaScript).
Adobe provides a framework to blacklist specific
JavaScipt APIs. If JavaScript must be enabled, this framework may be useful
when specific APIs are known to be vulnerable or used in attacks.
Prevent Internet Explorer from automatically opening PDF files
The installer for Adobe Reader and Acrobat configures Internet Explorer to
automatically open PDF files without any user interaction. This behavior can be
reverted to a safer option that prompts the user by importing the following as a
.REG file:
Windows Registry Editor Version
5.00
[HKEY_CLASSES_ROOT\AcroExch.Document.7]
"EditFlags"=hex:00,00,00,00
Disable the display of PDF
files in the web browser
Preventing PDF files from opening inside
a web browser will partially mitigate this vulnerability. If this workaround is
applied, it may also mitigate future vulnerabilities.
To prevent PDF
files from automatically being opened in a web browser, do the following:
1. Open Adobe Acrobat Reader.
2. Open the Edit menu.
3. Choose the Preferences option.
4. Choose the
Internet section.
5. Uncheck the "Display PDF in
browser" checkbox.
Remove or restrict access to 3difr.x3d
By removing or restricting access to the 3difr.x3d file, Adobe Reader and Acrobat will fail to render U3D content, which helps to mitigate this vulnerability. PDF documents that use the PRC format for 3D content will continue to function on Windows and Linux platforms.
To disable U3D support in Adobe Reader 9 on Microsoft Windows, delete or rename this file:
"%ProgramFiles%\Adobe\Reader
9.0\Reader\plug_ins3d\3difr.x3d"
For Apple Mac OS X, delete or rename this directory:
"/Applications/Adobe
Reader 9/Adobe
Reader.app/Contents/Frameworks/Adobe3D.framework"
For GNU/Linux, delete or rename this file (locations may vary among distributions):
"/opt/Adobe/Reader9/Reader/intellinux/plug_ins3d/3difr.x3d"
File locations may be different for Adobe Acrobat or other Adobe products or versions.
Do not access PDF files from untrusted sources
Do not open unfamiliar or unexpected PDF files, particularly those hosted on
websites or delivered as email attachments. Please see Cyber Security Tip ST04-010.
Feedback can be directed to US-CERT.
Produced 2011 by US-CERT, a government organization. Terms of use
December 16, 2011: Initial release
There are multiple vulnerabilities in Microsoft Windows, Office, and Internet Explorer. Microsoft has released updates to address these vulnerabilities.
The Microsoft Security Bulletin Summary for December 2011 describes multiple vulnerabilities in Microsoft Windows. Microsoft has released updates to address the vulnerabilities. Additional details for MS11-091 can be found in US-CERT vulnerability note VU#361441.
A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.
Apply updates
Microsoft has provided updates for
these vulnerabilities in the Microsoft
Security Bulletin Summary for December 2011. That bulletin describes any
known issues related to the updates. Administrators are encouraged to note these
issues and test for any potentially adverse effects. In addition, administrators
should consider using an automated update distribution system such as Windows Server
Update Services (WSUS).
Feedback can be directed to US-CERT.
Produced 2011 by US-CERT, a government organization. Terms of use
December 13, 2011: Initial release
There are multiple vulnerabilities in Microsoft Windows. Microsoft has released updates to address these vulnerabilities.
The Microsoft Security Bulletin Summary for November 2011 describes multiple vulnerabilities in Microsoft Windows. Microsoft has released updates to address the vulnerabilities. Additional details for MS11-084 can be found in US-CERT vulnerability note VU#675073.
A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.
Apply updates
Microsoft has provided updates for
these vulnerabilities in the Microsoft
Security Bulletin Summary for November 2011. That bulletin describes any
known issues related to the updates. Administrators are encouraged to note these
issues and test for any potentially adverse effects. In addition, administrators
should consider using an automated update distribution system such as Windows Server
Update Services (WSUS).
Feedback can be directed to US-CERT.
Produced 2011 by US-CERT, a government organization. Terms of use
November 08, 2011: Initial release
There are multiple vulnerabilities in Mac OS X 10.6.8, 10.7, and 10.7.1 and Mac OS X Server 10.6.8, 10.7, and 10.7.1. Apple has released updates to address these vulnerabilities.
The Apple Security Advisory for OS X Lion v10.7.2 and Security Update 2011-006 describes multiple vulnerabilities in Mac OS X and Mac OS X Server. Apple has released updates to address these vulnerabilities.
A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.
Apple has provided updates for these vulnerabilities in the Apple Security Advisory for OS X Lion v10.7.2 and Security Update 2011-006. This advisory describes any known issues related to the updates and the specific impacts for each vulnerability. Administrators are encouraged to note these issues and impacts and test for any potentially adverse effects before wide-scale deployment.
Feedback can be directed to US-CERT.
Produced 2011 by US-CERT, a government organization. Terms of use
October 13, 2011: Initial release
There are multiple vulnerabilities in Microsoft Windows, .NET Framework, Silverlight, Internet Explorer, Forefront Unified Access Gateway, and Host Integration Server. Microsoft has released updates to address these vulnerabilities.
The Microsoft Security Bulletin Summary for October 2011 describes multiple vulnerabilities in Microsoft Windows, .NET Framework, Silverlight, Internet Explorer, Forefront Unified Access Gateway, and Host Integration Server. Microsoft has released updates to address the vulnerabilities.
A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.
Apply updates
Microsoft has provided updates for
these vulnerabilities in the Microsoft
Security Bulletin Summary for October 2011. That bulletin describes any
known issues related to the updates. Administrators are encouraged to note these
issues and test for any potentially adverse effects. In addition, administrators
should consider using an automated update distribution system such as Windows Server
Update Services (WSUS).
Feedback can be directed to US-CERT.
Produced 2011 by US-CERT, a government organization. Terms of use
October 11, 2011: Initial release
There are multiple vulnerabilities in Microsoft Windows, Microsoft Server Software, and Microsoft Office. Microsoft has released updates to address these vulnerabilities.
The Microsoft Security Bulletin Summary for September 2011 describes multiple vulnerabilities in Microsoft Windows, Microsoft Server Software, and Microsoft Office. Microsoft has released updates to address the vulnerabilities.
A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.
Apply updates
Microsoft has provided updates for
these vulnerabilities in the Microsoft
Security Bulletin Summary for September 2011. That bulletin describes any
known issues related to the updates. Administrators are encouraged to note these
issues and test for any potentially adverse effects. In addition, administrators
should consider using an automated update distribution system such as Windows Server
Update Services (WSUS).
Feedback can be directed to US-CERT.
Produced 2011 by US-CERT, a government organization. Terms of use
September 13, 2011: Initial release
There are multiple vulnerabilities in Adobe Shockwave Player, Flash Media Server, Flash Player, Photoshop CS5, and RoboHelp. Adobe has released updates to address these vulnerabilities.
Adobe security bulletins APSB11-19, APSB11-20, APSB11-21, APSB11-22, and APSB11-23 describe multiple vulnerabilities in Adobe Shockwave Player, Flash Media Server, Flash Player, Photoshop CS5, and RoboHelp. An attacker may use these vulnerabilities to run malicious code or cause a denial of service on an affected system. Adobe has released updates to address these vulnerabilities.
These vulnerabilities could allow an attacker to run malicious code on the affected system or cause a denial of service.
Users of these Adobe products should review the relevant Adobe security bulletins and follow the recommendations in the "Solution" section.
APSB11-19: Security update available for Adobe Shockwave Player
APSB11-20: Security update available for Adobe Flash Media Server
APSB11-21: Security update available for Adobe Flash Player
APSB11-22: Security update available for Adobe Photoshop CS5
APSB11-23: Security updates available for RoboHelp
Feedback can be directed to US-CERT.
Produced 2011 by US-CERT, a government organization. Terms of use
August 10, 2011: Initial release