Tag Archives: Denial of Service

Skype vulnerability makes hijack child’s play.

A serious vulnerability in Skype has come to light. This vulnerability allowed you to take over the Skype account of any other user, armed only with knowledge of their e-mail address.

A proof of concept for the issue was posted on a Russian forum about three months ago, and just yesterday the original poster wrote on a different site that the vulnerability was still not fixed. The author also notes that abuse of the vulnerability has been widespread, affecting many users from his own contact list.

Skype worm spreading fast

Ransom by redtype

It’s Monday morning and the bleary-eyed start of a new week. Criminals are taking advantage of our post-weekend lassitude by starting a Skype based campaign aimed at spreading malicious software.
 
Many users have reported receiving messages from friends in their Skype contact lists. So far, the socially-engineered messages have been seen in both English and German (northern German, as the greeting “Moin” gives away; an earlier version of this post called it Bavarian, thanks to those who corrected it), saying either:
 

“lol is this your new profile pic? h__p://goo.gl/{BLOCKED}5q1sx?img=username”

or

“moin, kaum zu glauben was für schöne fotos von dir auf deinem profil h__p://goo.gl/{BLOCKED}5q1sx?img=username”

(the German reads, roughly, “hi, hard to believe what nice photos of you are on your profile”, followed by the same link)

 

Regardless of the language used, the link is the same, although of course it can easily be changed. The shortened URL eventually redirects to a download on hotfile.com, which pulls down an archive named “Skype_todaysdate.zip” (with the current date in place of todaysdate) containing a single executable file of the same name. We detect this initial downloader as TROJ_DLOADER.IF.
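As an added illustration (this is not Trend Micro's code, nor a detection Trend Micro published), the following Python flags chat messages that match the lure above and download filenames that match the archive naming. The sample messages, the extra URL-shortener hosts beyond goo.gl and the accepted date layouts in the archive name are assumptions made for the example:

```python
import re
from dataclasses import dataclass

# goo.gl is the shortener seen in the campaign; the others are assumed additions
# so the rule survives a trivial host swap by the botmaster.
SHORTENER_HOSTS = ("goo.gl", "bit.ly", "tinyurl.com", "t.co", "is.gd")

# Matches a live (http://) or defanged (h__p://) link to a shortener host whose
# query string carries the tell-tale img=<name> parameter seen in both lures.
LURE_URL_RE = re.compile(
    r"h[t_][t_]ps?://(?P<host>" + "|".join(re.escape(h) for h in SHORTENER_HOSTS) + r")"
    r"/(?P<path>[^\s?]+)\?img=(?P<img>[^\s\"'”]+)",
    re.IGNORECASE,
)

# Wording from the English and German variants of the lure.
LURE_PHRASES = ("profile pic", "fotos von dir", "deinem profil")

# "Skype_todaysdate.zip": the exact date layout is not given, so any 6-10 run of
# digits and separators is accepted (assumption); the inner .exe shares the name.
ARCHIVE_RE = re.compile(r"^Skype_(?=[\d._-]*\d)[\d._-]{6,10}\.(?:zip|exe)$", re.IGNORECASE)


@dataclass
class Verdict:
    suspicious: bool
    reasons: list


def score_message(text: str) -> Verdict:
    """Flag a chat message that carries the shortener-plus-img= lure link.

    Lure wording on its own is only recorded as supporting evidence, since
    legitimate users do talk about profile pictures."""
    reasons = []
    link = LURE_URL_RE.search(text)
    if link:
        reasons.append(
            f"shortener link with img= parameter (host={link.group('host')}, img={link.group('img')})"
        )
    lowered = text.lower()
    hits = [p for p in LURE_PHRASES if p in lowered]
    if hits:
        reasons.append("lure wording: " + ", ".join(hits))
    return Verdict(suspicious=link is not None, reasons=reasons)


def is_campaign_archive(filename: str) -> bool:
    """True for names like Skype_05102012.zip or Skype_2012-10-05.exe."""
    return ARCHIVE_RE.match(filename.strip()) is not None


def scan(messages):
    """Return [(sender, reasons)] for every suspicious (sender, text) pair."""
    flagged = []
    for sender, text in messages:
        verdict = score_message(text)
        if verdict.suspicious:
            flagged.append((sender, verdict.reasons))
    return flagged


# Constructed sample traffic for the example: two copies of the lure, one
# innocent mention of a profile picture, one ordinary link.
SAMPLE_MESSAGES = [
    ("alice", "lol is this your new profile pic? h__p://goo.gl/{BLOCKED}5q1sx?img=alice"),
    ("bob", "moin, kaum zu glauben was für schöne fotos von dir auf deinem profil "
            "h__p://goo.gl/{BLOCKED}5q1sx?img=bob"),
    ("carol", "is this your new profile pic? looks great"),
    ("dave", "meeting moved to 3pm, agenda at https://example.com/calendar"),
]

if __name__ == "__main__":
    for sender, reasons in scan(SAMPLE_MESSAGES):
        print(f"{sender}: {'; '.join(reasons)}")
    for name in ("Skype_05102012.zip", "Skype_Setup.exe"):
        print(f"{name}: {'campaign naming' if is_campaign_archive(name) else 'ok'}")
```

The link pattern, not the wording, decides the verdict: the lure text is trivial for the botmaster to vary, whereas the shortener-plus-img=username construction is what makes each message look personalised and is the stable part of the campaign. Carol's message shows why wording alone is kept as supporting evidence only.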
 
The executable installs a variant of the Dorkbot worm, detected as WORM_DORKBOT.IF or WORM_DORKBOT.DN. On installation, the worm may begin large-scale click-fraud activity on each compromised machine, recruiting it into a botnet.
 
These Dorkbot variants also steal user names and passwords for a vast array of websites, including Facebook, Twitter, Google, PayPal, Netflix and many others. They can interfere with DNS resolution, insert iframes into web pages, perform three different kinds of DDoS attack, act as a proxy server, and download and install further malware at the botmaster's command. These are only some of the capabilities of this pernicious worm; in the 24 hours since discovery, Trend Micro has blocked more than 2800 associated files.
 
Some infections will subsequently install a ransomware variant locking the user out of their machine, informing them that their files have been encrypted and that they will be subsequently deleted unless the unfortunate victim surrenders a $200 fine within 48 hours.

 

This malware is still under investigation and TrendLabs have posted initial findings here. In the meantime, please remember not to click on unexpected links, no matter how bleary-eyed you may be.

 

Make vendors liable for vulnerabilities?

Where does the buck stop?

Should software vendors be liable for vulnerabilities in the products they sell? Are they already liable to some degree, or would new legislation be required in order to make it so? These are interesting questions, sure to provoke strong opinions on both sides of the fence.
 
In almost every case, when you buy a software product, a close inspection of the End User License Agreement (EULA) will reveal a host of exculpatory clauses, exonerating the vendor of responsibility for any kind of direct, indirect, consequential (and just about every other applicable adjective) damages “whatsoever” that may arise from the installation or use of (or inability to use) the software product. But is this reasonable or indeed fair?
 
Software products are not tangible assets and as such escape much of the legislation that applies to the sale of goods and their fitness for purpose. Yet the majority of successful compromises of systems and enterprises arise from the exploitation of a vulnerability or flaw in an application or operating system, and they often result in direct financial loss.
 
At first glance the case for enforcing some kind of liability on vendors seems obvious. Make the vendor legally responsible for the quality of their product and thereby increase their focus on writing secure code; lower the number of vulnerabilities in shipped products and create an ecosystem in which vendors routinely produce more robust software. Indeed the idea is not a new one. The House of Lords Science and Technology Committee report on Personal Internet Security from the 2006-07 session reached the following conclusion (paragraph 8.15):
 
“We therefore recommend that the Government explore, at European level, the introduction of the principle of vendor liability within the IT industry. In the short term we recommend that such liability should be imposed on vendors (that is, software and hardware manufacturers), notwithstanding end user licensing agreements, in circumstances where negligence can be demonstrated. In the longer term, as the industry matures, a comprehensive framework of vendor liability and consumer protection should be introduced.”
 
Similar calls have been echoed by such luminaries as Bruce Schneier and Viviane Reding, but what might be some of the consequences and does adequate cover exist already?
 
The first and most obvious is that it may well increase the cost of developing software. Since invulnerable code cannot be written, vendors would be obliged to take out unlimited liability insurance against the inevitable stream of lawsuits, and that cost would be passed on to the consumer. The temptation would also exist for companies to skimp on even the most basic security practices of their own and pass the buck to the software vendor when a breach occurs. For free software, which has no revenue to absorb such costs, this could effectively be a death-knell.
 
A second unintended consequence could be equally costly for the consumer. What happens when the vendor releases an updated product addressing identified flaws with an earlier version? Would cover cease for the now legacy versions, obliging consumers to commit to expensive and perhaps unnecessary upgrades to continue to benefit from their newfound legal protection?
 
Where do we truly stand right now, are those EULAs worth the bits they’re written on? Is new legislation required or even worthwhile? In the traditional last refuge of the scoundrel, I Am Not A Lawyer, so I’ll defer to the opinion of a colleague who is:
 
If a software vendor negligently exposes its software to vulnerabilities, in particular because of defects in the software or non-compliance with best practices, under current law it can be held liable for all consequences arising therefrom. Exculpatory clauses in EULAs can limit liability but the validity of such clauses has to be examined on a case-by-case basis.
 
Bear this in mind, though: the vast majority of breaches result from the exploitation of vulnerabilities for which the vendor has already released a patch. Even with a physical good such as a car, the vendor is not required to come and fix the (potentially life-endangering) fault, only to issue a recall and make the necessary changes. Is software really so different, and if you don't respond to the recall notice, or install the patch, where do you think the liability is going to lie in those cases?