June 2013 – SWITCH Security-Blog

Neues aus dem IPv6-Universum

Was tut sich in Sachen IPv6?

Dieser Juni war der Monat der IPv6-Konferenzen. Am 6. und 7.6. fand in Frankfurt/Main der fünfte Heise IPv6-Kongress statt. Eine Woche später gab es die vom Swiss IPv6 Council organisierte eintägige IPv6 Business Conference in Zürich.

Beiden Veranstaltungen gemein waren eine hohe Dichte an hochkarätigen Speakern, die nicht – wie vielleicht befürchtet – die letztjährigen Talks wiederaufbereiteten, sondern viel Neues zu berichten hatten. Beiden Veranstaltungen gemein war auch, dass sie in Kinosälen stattfanden. Mit riesigen Leinwänden für die Präsentationen und gemütlichen Sesseln anstelle von Tageslicht und der üblichen Konferenzmöbel.

Beide Konferenzen boten sowohl reichlich technisch versierte Vorträge, als auch genügend Stoff zum Nachdenken fürs IT-Management. Verschiedene parallele Tracks sorgten dabei für eine breite Auswahl.

Continue reading “Neues aus dem IPv6-Universum”

IT-Security-Links #26

Android Trojans are getting more sophisticated. Roman Unuchek, a Kaspersky Lab Expert, gives insights into Backdoor.AndroidOS.Obad.a.
Google Glass: What are the Privacy Implications of the tracking eye movement system and the head-worn camera?
Darkleech: It looks like Plesk is often one of the entry points. If you are still running old Plesk Panels we recommend that you update Plesk immediately. (Here you find details from the manufacturer ‘Parallels’.)
PRISM: The NY-Mag interviewed 9 Former NSA Employees. And Pierluigi Paganini thought about “Who helped NSA to build PRISM?”
DDoS: You need to be prepared – 7 essentials for defending against DDoS attacks.
Hard-coded passwords are apparently state of the art for medical devices.

German:

Banking-Trojaner: Zeus-Aufwärtstrend durch Facebook-Phishing und sinnvolle Gegenmassnahmen

New wave of attack on Swiss Webservers

Author: Serge Droz

Since a few weeks SWITCH-CERT has observed a dramatic increase in sophisticated attacks on Swiss web servers. The compromised servers will then be used to distribute malware through drive-by attacks. We currently observe two different, although related, linux based attacks. Both deploy the black hole exploit kit as the actual drive-by infrastructure.

Both attacks are extremely difficult to detect for website owners, because:

The attacker code is in the server config, through modules, not in the content part
The black hole exploit kit returns malicious content only once per day and IP

The two attack waves have been dubbed darkleech and Cdorked respectively. Most attacks go after cPanel managed systems and target Apache. But this is not always the case: There are reports, that versions exist that target Lighttpd and nginx. Many of the compromised systems seem to also have a modified sshd, containing a backdoor installed. So if a compromise is detected, sshd must be cleaned, too. Sometimes it’s possible to spot tampered binaries through an integrity check, that various package managers offer. This obviously only works if a packet has been installed through a package manager. On cPanel based systems the webserver is not installed by this mechanism.

Continue reading “New wave of attack on Swiss Webservers”