WELCOME TO MY SITE!

From now on, this blog will be serving you with delightful treats for your weekend. Happy reading! :D

Apache Denial-of-Service (DOS) vulnerability

Apache is by far today's most widely used web server, and hence the one that most often catches the eye of attackers.

A bug in the way Apache handles certain HTTP "Range" header requests (those that ask for many byte ranges of one file at once) can enable a remote attacker to cause a denial-of-service condition on a vulnerable server. The flaw, which reportedly affects all versions of Apache 1.3 and Apache 2, is already being exploited in the wild, and Apache Software Foundation officials are working on a fix for the bug, which is expected to be released within a few days.

The vulnerability in Apache has actually been a known issue for more than four years, since researcher Michal Zalewski pointed it out in a Bugtraq post. In that post, Zalewski said that the attack was fairly simple and not especially innovative.

"Combined with the functionality of window scaling (as per RFC 1323), it is my impression that a lone, short request can be used to trick the server into firing gigabytes of bogus data into the void, regardless of the server file size, connection count, or keep-alive request number limits implemented by the administrator. Whoops?" he wrote.

But the bug apparently was never fixed by Apache, and it resurfaced late last week when another researcher, known as Kingcope, posted a message to Full Disclosure about it. He also released a Perl script that executes the attack, exhausting the memory of the remote Apache server. That message sparked a long discussion on the mailing list about the severity and nature of the vulnerability, and a separate discussion on the Apache list about ways to mitigate the problem.

"At least apache 2.2.17 has a remotely exploitable dos vulnerability which allows to consume all memory on a target system. A request for triggering the memory consumption includes a large "Range" header which requests as many different bytes as possible from a file served by httpd. Combining this with a gzip "Accept-Encoding" header the httpd is assumed to compress each of the bytes requested in the Range header separately consuming large memory regions. The behaviour when compressing the streams is devastating and can end up in rendering the underlying operating system unusable when the requests are sent in parallel. Symptoms are swapping to disk and killing of processes including but not solely httpd processes," Kingcope wrote in an Apache Bugzilla bug report.

Apache is now developing a patch for the bug, but it apparently won't be ready for a few more days. Apache is by far the most widely deployed web server, with hundreds of millions of installations around the world; Apache servers accounted for more than 65 percent of all web servers in July, according to statistics gathered by Netcraft.
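To make the mechanism in the quotes above concrete, here is an added Python example (written for this page, not taken from the original post, from Kingcope's script or from httpd) that parses a Range header the way RFC 2616 section 14.35 describes, builds a header of the shape the bug report describes (many overlapping ranges in one request), and scores a header the way a front-end filter for this bug might. The file size, the sample headers, the five-range cap and the function names are constructed assumptions for the demo.

```python
import re
from typing import Dict, List, Tuple

# Constructed inputs for this demo; they are not taken from the original post
# or from Kingcope's script.
FILE_SIZE = 2000                         # size of the hypothetical static file, in bytes
BENIGN_RANGE = "bytes=0-499,1000-1499"   # a normal resumable-download style request
MAX_RANGES = 5                           # cap assumed here; the advisory workaround also used 5


def build_abusive_range(n: int) -> str:
    """Return a Range value with n overlapping ranges that each run to end-of-file.

    This mirrors the shape the bug report describes (one header requesting as many
    distinct byte ranges as possible): the server must materialise nearly n copies
    of the file and, with Accept-Encoding: gzip, compress each of them separately.
    """
    return "bytes=" + ",".join(f"{i}-" for i in range(n))


def parse_byte_ranges(value: str, file_size: int) -> List[Tuple[int, int]]:
    """Parse 'bytes=a-b,c-,-d' into absolute inclusive (start, end) pairs.

    Follows the RFC 2616 section 14.35 rules: a suffix range '-d' means the last
    d bytes, an open range 'c-' runs to end-of-file, and a spec whose last-byte-pos
    is below first-byte-pos or whose start is past the end is ignored. A range
    unit other than 'bytes' yields no ranges at all.
    """
    m = re.match(r"^\s*bytes\s*=\s*(.+)$", value, re.IGNORECASE)
    if not m:
        return []
    ranges: List[Tuple[int, int]] = []
    for spec in m.group(1).split(","):
        spec = spec.strip()
        sm = re.fullmatch(r"(\d*)-(\d*)", spec)
        if not sm or spec == "-":
            continue
        first, last = sm.groups()
        if first == "":
            suffix_len = int(last)
            if suffix_len == 0:
                continue
            start, end = max(file_size - suffix_len, 0), file_size - 1
        else:
            start = int(first)
            end = file_size - 1 if last == "" else min(int(last), file_size - 1)
        if start > end or start >= file_size:
            continue
        ranges.append((start, end))
    return ranges


def analyze_range_header(value: str, file_size: int, accept_encoding: str = "",
                         max_ranges: int = MAX_RANGES) -> Dict[str, object]:
    """Score a Range header: how many satisfiable ranges it carries, how many
    bytes they add up to, how many adjacent ranges (after sorting) overlap, the
    amplification relative to the file size, whether gzip would be applied per
    range, and a verdict (too many ranges or any overlap is treated as abuse)."""
    ranges = sorted(parse_byte_ranges(value, file_size))
    requested = sum(end - start + 1 for start, end in ranges)
    overlapping = sum(1 for (_, e1), (s2, _) in zip(ranges, ranges[1:]) if s2 <= e1)
    amplification = requested / file_size if file_size else 0.0
    compressed = "gzip" in accept_encoding.lower()
    return {
        "count": len(ranges),
        "requested_bytes": requested,
        "overlapping": overlapping,
        "amplification": amplification,
        "gzip_per_range": compressed and len(ranges) > 1,
        "suspicious": len(ranges) > max_ranges or overlapping > 0,
    }


if __name__ == "__main__":
    print(analyze_range_header(BENIGN_RANGE, FILE_SIZE, "gzip, deflate"))
    print(analyze_range_header(build_abusive_range(1300), FILE_SIZE, "gzip"))
```

With the constructed 2000-byte file, the benign header asks for half the file and is left alone, while 1300 overlapping ranges add up to more than 870 times the file size, every adjacent pair overlaps, and gzip would be run once per range. The Apache advisory's interim workaround took the same counting approach from inside httpd: a SetEnvIf rule that matches a Range header containing more than five comma-separated ranges, followed by a RequestHeader unset that drops the header for such requests so the file is simply served whole.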

I will be waiting for the Apache Foundation to release the bug fix for this vulnerability, as it has been taking them so long to resolve this major issue. You can visit this site as well. Found a bug in the Apache server? File a bug report.


SpyEye Trojan Source code released to the public

"Now that SpyEye has been outed, it is only a matter of time before this becomes a much larger malware threat than any we have seen to date. So for the next few months, please hold onto your seats people… this ride is about to get very interesting," wrote security vendor Damballa's Sean Bodmer after the source code of the SpyEye trojan was released into the wild.

I was actually surprised by the release of this trojan program because of its reputation as one of the best out there. And thinking that it is the best, I had always thought that it was nearly impossible to crack this program open. I find this very interesting, which is why I decided to share it with my readers.

The SpyEye code, previously available only to malicious attackers on the black market for a hefty price of around $10,000, was leaked by a French researcher who goes by the handle Xyliton and is a member of the Reverse Engineers Dream (RED) outfit.

Now that the source code of the trojan, known to be one of the best out there, is available to anyone who wants it, more malware built on it is expected to appear on the security scene.

"SpyEye has been on everyone’s priority list of threat discussions for quite some time, and is now going to become an even more pervasive threat. The same thing happened when the Zeus kit source code was released in March 2011," said Sean Bodmer of Damballa, a security firm.

Security researchers last spring noted the release of source code for the infamous Zeus trojan when files containing the code began to appear in underground discussion forums most often used by criminal hackers.

In an article on the McAfee Labs blog last fall, Senior Threat Researcher Francois Paget warned of the pending merger of the Zeus and SpyEye tools, and the first toolkit combining the two arrived on the black market early this year. If we remember right, Zeus was released only recently, and a lot of criminal hackers benefited from it.

The source code leaker was able to locate a copy of SpyEye builder 1.3.45 and created a tutorial that enables the reader [once in possession of the SpyEye builder] to crack the hardware identification [HWID] check, which had been secured using VMProtect, a licensing tool that locks an installation of software to a particular physical device.

The SpyEye malware kit has been widely used in cyberspace for some time now, but it generally was sold at a price of around $10,000 -- not a price paid by the average script kiddie, Bodmer observes. Now, with the crack, the kit is being sold inexpensively on hacker forums.

"What this means is that anybody can use it," Bodmer says.

Perhaps just as important, the "crack" enables malware developers to avoid the attribution that was previously associated with the high-priced toolkit, Bodmer states. Where previous exploits using the kit could often be traced back to the original buyer of the toolkit, there have already been some SpyEye exploits spotted that have no attribution, he says.

"This will make it more difficult to track SpyEye botnets back to the source," Bodmer says.

SpyEye was improved after the Zeus source code went public. "Both Zeus and SpyEye were prevalent and dangerous malware separately; the combination of their functionality takes this threat to a new level," Paget wrote.

Now that I have plenty of personal time, my current goal is to search for this trojan's source code myself and try to study it for educational purposes.

(For ethical reasons, here is my source.)

