Security Advisory July 15, 2012

by | Jul 15, 2012 | Security

  • MS12-044 – Critical : Cumulative Security Update for Internet Explorer (2719177) – Version: 1.0

    Severity Rating: Critical
    Revision Note: V1.0 (July 10, 2012): Bulletin published.
    Summary: This security update resolves two privately reported vulnerabilities in Internet Explorer. The vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

  • MS12-050 – Important : Vulnerabilities in SharePoint Could Allow Elevation of Privilege (2695502) – Version: 1.1

    Severity Rating: Important
    Revision Note: V1.1 (July 10, 2012): Downgraded the severity rating for the SharePoint Search Scope Vulnerability, CVE-2012-1860, from Important to Moderate for all affected software. This is an informational change only.
    Summary: This security update resolves one publicly disclosed and five privately reported vulnerabilities in Microsoft SharePoint and Windows SharePoint Services. The most severe vulnerabilities could allow elevation of privilege if a user clicks a specially crafted URL that takes the user to a targeted SharePoint site.

  • MS12-016 – Critical : Vulnerabilities in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution (2651026) – Version: 1.3

    Severity Rating: Critical
    Revision Note: V1.3 (July 10, 2012): Microsoft revised this bulletin to communicate a minor detection change for KB2633880 for Microsoft .NET Framework 2.0 Service Pack 2 to correct an offering issue. There were no changes to the security update files. Customers who have already successfully updated their systems do not need to take any action.
    Summary: This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft .NET Framework and Microsoft Silverlight. The vulnerabilities could allow remote code execution on a client system if a user views a specially crafted web page using a web browser that can run XAML Browser Applications (XBAPs) or Silverlight applications. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

  • MS12-049 – Important : Vulnerability in TLS Could Allow Information Disclosure (2655992) – Version: 1.0

    Severity Rating: Important
    Revision Note: V1.0 (July 10, 2012): Bulletin published.
    Summary: This security update resolves a publicly disclosed vulnerability in TLS. The vulnerability could allow information disclosure if an attacker intercepts encrypted web traffic served from an affected system. All cipher suites that do not use CBC mode are not affected.

  • MS12-036 – Critical : Vulnerability in Remote Desktop Could Allow Remote Code Execution (2685939) – Version: 1.2

    Severity Rating: Critical
    Revision Note: V1.2 (July 10, 2012): Removed MS11-065 as a bulletin replaced by the KB2685939 update for Windows XP Service Pack 3, Windows XP Professional x64 Edition Service Pack 2, Windows Server 2003 Service Pack 2, Windows Server 2003 x64 Edition Service Pack 2, and Windows Server 2003 with SP2 for Itanium-based Systems. This is an informational change only. There were no changes to the detection logic or the update files.
    Summary: This security update resolves a privately reported vulnerability in the Remote Desktop Protocol. The vulnerability could allow remote code execution if an attacker sends a sequence of specially crafted RDP packets to an affected system. By default, the Remote Desktop Protocol (RDP) is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk.

  • MS12-048 – Important : Vulnerability in Windows Shell Could Allow Remote Code Execution (2691442) – Version: 1.0

    Severity Rating: Important
    Revision Note: V1.0 (July 10, 2012): Bulletin published.
    Summary: This security update resolves one privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a file or directory with a specially crafted name. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

  • MS12-045 – Critical : Vulnerability in Microsoft Data Access Components Could Allow Remote Code Execution (2698365) – Version: 1.0

    Severity Rating: Critical
    Revision Note: V1.0 (July 10, 2012): Bulletin published.
    Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user views a specially crafted webpage. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

  • MS12-047 – Important : Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2718523) – Version: 1.0

    Severity Rating: Important
    Revision Note: V1.0 (July 10, 2012): Bulletin published.
    Summary: This security update resolves one publicly disclosed and one privately reported vulnerability in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

  • MS12-043 – Critical : Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2722479) – Version: 1.0

    Severity Rating: Critical
    Revision Note: V1.0 (July 10, 2012): Bulletin published.
    Summary: This security update resolves a publicly disclosed vulnerability in Microsoft XML Core Services. The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker’s website.

  • MS12-046 – Important : Vulnerability in Visual Basic for Applications Could Allow Remote Code Execution (2707960) – Version: 1.0

    Severity Rating: Important
    Revision Note: V1.0 (July 10, 2012): Bulletin published.
    Summary: This security update resolves one publicly disclosed vulnerability in Microsoft Visual Basic for Applications. The vulnerability could allow remote code execution if a user opens a legitimate Microsoft Office file (such as a .docx file) that is located in the same directory as a specially crafted dynamic link library (DLL) file. An attacker could then install programs; view, change, or delete data; or create new accounts that have full user rights. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

  • Threat Outbreak Alert: Misleading Proof of Deposit E-Mail Messages on July 11, 2012

  • Threat Outbreak Alert: Fake Portuguese Contract Confirmation E-mail Messages on July 12, 2012

  • Threat Outbreak Alert: Fake Personal Photo Attachment E-mail Messages on July 12, 2012

  • Threat Outbreak Alert: Fake Import Assistant E-mail Messages on July 13, 2012

  • Threat Outbreak Alert: Fake Western Union Money Transfer Transaction E-mail Messages on July 12, 2012

  • Threat Outbreak Alert: Fake Hotel Reservation Confirmation Details E-mail Messages on July 12, 2012

  • Threat Outbreak Alert: Fake USPS Parcel Delivery Failure Notification E-mail Messages on July 13, 2012

  • Threat Outbreak Alert: Fake German Account Statement Notification E-mail Messages on July 21, 2012

  • Threat Outbreak Alert: Fake Purchase Order Notification E-mail Messages on July 11, 2012

  • Threat Outbreak Alert: Fake Order Reminder Notification E-mail Messages on July 11, 2012

  • TA12-192A: Microsoft Updates for Multiple Vulnerabilities

    Original release date: July 10, 2012 | Last revised: —

    Systems Affected

    • Microsoft Windows
    • Microsoft Internet Explorer
    • Microsoft Office
    • Microsoft Developer Tools
    • Microsoft Server Software

    Overview

    Select Microsoft software products contain multiple vulnerabilities.  Microsoft has released updates to address these vulnerabilities.

    Description

    The Microsoft Security Bulletin Summary for July 2012 describes multiple vulnerabilities in Microsoft software. Microsoft has released updates to address the vulnerabilities.

    Impact

    A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.

    Solution

    Apply updates

    Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for July 2012, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates.

    References

    Revision History

    • July 10, 2012: Initial release

    This product is provided subject to this Notification and this Privacy & Use policy.

  • TA12-174A: Microsoft XML Core Services Attack Activity

    Original release date: June 22, 2012 | Last revised: —

    Systems Affected

    Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 are affected. Microsoft Internet Explorer, Microsoft Office 2003, and Microsoft Office 2007 are affected due to their use of XML Core Services.

    Overview

    Microsoft Security Advisory (2719615) warns of active attacks using a vulnerability in Microsoft XML Core Services. Microsoft Internet Explorer and Microsoft Office can be used as attack vectors.

    Description

    Microsoft Security Advisory (2719615), a Google Online Security blog post, Sophos, and other sources report active attacks exploiting a vulnerability in Microsoft XML Core Services (CVE-2012-1889). Attack scenarios involve exploits served by compromised web sites and delivered in Office documents. Reliable public exploit code is available, and attacks may become more widespread.

    Impact

    By convincing a victim to view a specially crafted web page or Office document, an attacker could execute arbitrary code and take any action as the victim.

    Solution

    As of June 22, 2012, a comprehensive update is not available. Consider the following workarounds.

    Apply Fix it

    Apply the Fix it solution described in Microsoft Knowledge Base Article 2719615. This solution uses the Application Compatibility Database feature to make runtime modifications to XML Core Services to patch the vulnerability.

    Disable scripting

    Configure Internet Explorer to disable Active Scripting in the Internet  and Local intranet zones as described in Microsoft Security Advisory (2719615). See also Securing Your Web Browser.

    Use the Enhanced Mitigation Experience Toolkit (EMET)

    EMET is a utility to configure Windows runtime mitigation features such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Structured Exception Handler Overwrite Protection (SEHOP). These features, particularly the combination of system-wide DEP and ASLR, make it more difficult for an attacker to successfully exploit a vulnerability. Configure EMET for Internet Explorer as described in Microsoft Security Advisory (2719615).

    References

    Revision History

    • June 22, 2012: Initial release

    This product is provided subject to this Notification and this Privacy & Use policy.

  • TA12-164A: Microsoft Updates for Multiple Vulnerabilities

    Original release date: June 12, 2012 | Last revised: —

    Systems Affected

    • Microsoft Windows
    • Microsoft Internet Explorer
    • Microsoft .NET Framework
    • Microsoft Office
    • Microsoft Visual Basic for Applications
    • Microsoft Dynamics AX

    Overview

    Select Microsoft software products contain multiple vulnerabilities.  Microsoft has released updates to address these vulnerabilities.

    Description

    The Microsoft Security Bulletin Summary for June 2012 describes multiple vulnerabilities in Microsoft software. Microsoft has released updates to address the vulnerabilities.  Additional details for MS12-042 can be found in US-CERT vulnerability note VU#649219.

    Impact

    A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.

    Solution

    Apply updates

    Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for June 2012, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates.

    References

    Revision History

    • June 12, 2012: Initial release
  • TA12-156A: Microsoft Windows Unauthorized Digital Certificates

    Original release date: June 04, 2012 | Last revised: —

    Systems Affected

    All supported versions of Microsoft Windows, including:

    • Windows XP and Server 2003
    • Windows Vista and Server 2008
    • Windows 7 and Server 2008 R2
    • Windows 8 Consumer Preview
    • Windows Mobile and Phone

    Overview

    X.509 digital certificates published by the Microsoft Terminal Services licensing certificate authority (CA) can be illegitimately used to sign code. This problem was discovered in the Flame malware. Microsoft has released updates to revoke trust in the affected certificates.

    Description

    Microsoft Security Advisory (2718704) warns of active attacks using illegitimate certificates published by the the Microsoft Terminal Services licensing certificate authority (CA). There appear to be problems with some combination of weak cryptography and certificate usage configuration. From an MSRC blog post:

    We identified that an older cryptography algorithm could be exploited and then be used to sign code as if it originated from Microsoft. Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft.

    From another MSRC blog post:

    What we found is that certificates published by our Terminal Services licensing certification authority, which are intended to only be used for license server verification, could also be used to sign code as Microsoft. Specifically, when an enterprise customer requests a Terminal Services activation license, the certificate published by Microsoft in response to the request allows code signing without accessing Microsoft’s internal PKI infrastructure.

    The following details about the affected certificates were provided in Microsoft Security Advisory (2718704):

    Certificate: Microsoft Enforced Licensing Intermediate PCA
    Issued by: Microsoft Root Authority
    Thumbprint: 2a 83 e9 02 05 91 a5 5f c6 dd ad 3f b1 02 79 4c 52 b2 4e 70

    Certificate: Microsoft Enforced Licensing Intermediate PCA
    Issued by: Microsoft Root Authority
    Thumbprint: 3a 85 00 44 d8 a1 95 cd 40 1a 68 0c 01 2c b0 a3 b5 f8 dc 08

    Certificate: Microsoft Enforced Licensing Registration Authority CA (SHA1)
    Issued by: Microsoft Root Certificate Authority
    Thumbprint: fa 66 60 a9 4a b4 5f 6a 88 c0 d7 87 4d 89 a8 63 d7 4d ee 97

    Impact

    An attacker could obtain a certificate that could be used to illegitimately sign code as Microsoft. The signed code could then be used in a variety of attacks in which the code would appear to be trusted by Windows.

    An attacker could offer software that appeared to be signed by a valid and trusted Microsoft certificate chain. As noted in an MSRC blog post, “…some components of the [Flame] malware have been signed by certificates that allow software to appear as if it was produced by Microsoft.”

    Solution

    It is important to act quickly to revoke trust in the affected certificates. Any certificates published by the Microsoft Terminal Services licensing certificate authority (CA) could be used for illegitimate purposes and should not be trusted.

    Apply updates

    Apply the appropriate versions of KB2718704 to add the affected certificates to the Untrusted Certificate Store. Updates will reach most users via automatic updates and Windows Server Update Services (WSUS).

    Revoke trust in affected certificates

    Manually add the affected certificates to the Untrusted Certificate Store. The Certifcates MMC snap-in and Certutil command can be used on Windows systems.

    References

    Revision History

    • June 04, 2012: Initial release
  • TA12-129A: Microsoft Updates for Multiple Vulnerabilities

    Original release date: May 08, 2012 | Last revised: —

    Systems Affected

    • Microsoft Windows
    • Microsoft .NET Framework
    • Microsoft Office
    • Microsoft Silverlight

    Overview

    Select Microsoft software products contain multiple vulnerabilities.  Microsoft has released updates to address these vulnerabilities.

    Description

    The Microsoft Security Bulletin Summary for May 2012 describes multiple vulnerabilities in Microsoft software. Microsoft has released updates to address the vulnerabilities.

    Impact

    A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.

    Solution

    Apply updates

    Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for May 2012, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates.

    References

    Revision History

    • May 08, 2012: Initial release
  • TA12-101B: Adobe Reader and Acrobat Security Updates and Architectural Improvements

    Original release date: April 10, 2012 | Last revised: —

    Systems Affected

    • Adobe Reader X (10.1.2) and earlier 10.x versions for Windows and Macintosh
    • Adobe Reader 9.5 and earlier 9.x versions for Windows, Macintosh, and UNIX
    • Adobe Acrobat X (10.1.2) and earlier 10.x versions for Windows and Macintosh
    • Adobe Acrobat 9.5 and earlier 9.x versions for Windows and Macintosh

    Overview

    Adobe has released Security Bulletin APSB12-08, which describes multiple vulnerabilities affecting Adobe Reader and Acrobat. As part of this update, Adobe Reader and Acrobat 9.x will use the system-wide Flash Player browser plug-in instead of the Authplay component. In addition, Reader and Acrobat now disable the rendering of 3D content by default.

    Description

    Adobe Security Bulletin APSB12-08 describes a number of vulnerabilities affecting Adobe Reader and Acrobat. These vulnerabilities affect Adobe Reader and Acrobat versions 9.x through 9.5, and Reader X and Acrobat X versions prior to 10.1.3.

    The Adobe ASSET blog provides additional details on new security architecture changes to Adobe Reader and Acrobat. Adobe Reader and Acrobat 9.5.1 will use the Adobe Flash Player plug-in version installed on the user’s system rather than the Authplay component that ships with Adobe Reader and Acrobat. This change helps limit the number of out-of-date, vulnerable Flash runtimes available to an attacker. Adobe Reader and Acrobat 9.5.1 also now disable rendering of 3D content by default because the 3D rendering components have a history of vulnerabilities.

    US-CERT recommends that Flash users upgrade to the latest version of Adobe Flash Player and turn on automatic updates.

    An attacker could exploit these vulnerabilities by convincing a user to open a specially crafted PDF file. This can happen automatically as the result of viewing a webpage.

    Impact

    These vulnerabilities could allow a remote attacker to execute arbitrary code, write arbitrary files or folders to the file system, escalate local privileges, or cause a denial of service on an affected system as the result of a user opening a malicious PDF file.

    Solution

    Update Reader

    Adobe has released updates to address this issue. Users are encouraged to read Adobe Security Bulletin APSB12-08 and update vulnerable versions of Adobe Reader and Acrobat.

    In addition to updating, please consider the following mitigations.

    Disable JavaScript in Adobe Reader and Acrobat

    Disabling JavaScript may prevent some exploits from resulting in code execution. You can disable Acrobat JavaScript using the Preferences menu (Edit -> Preferences -> JavaScript; uncheck Enable Acrobat JavaScript).

    Adobe provides a framework to blacklist specific JavaScipt APIs. If JavaScript must be enabled, this framework may be useful when specific APIs are known to be vulnerable or used in attacks.

    Prevent Internet Explorer from automatically opening PDF files

    The installer for Adobe Reader and Acrobat configures Internet Explorer to automatically open PDF files without any user interaction. This behavior can be reverted to a safer option that prompts the user by importing the following as a .REG file:

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOTAcroExch.Document.7]
    “EditFlags”=hex:00,00,00,00

    Disable the display of PDF files in the web browser

    Preventing PDF files from opening inside a web browser will partially mitigate this vulnerability. Applying this workaround may also mitigate future vulnerabilities.

    To prevent PDF files from automatically being opened in a web browser, do the following:

    1. Open Adobe Acrobat Reader.
    2. Open the Edit menu.
    3. Choose the Preferences option.
    4. Choose the Internet section.
    5. Uncheck the “Display PDF in browser” checkbox.

    Do not access PDF files from untrusted sources

    Do not open unfamiliar or unexpected PDF files, particularly those hosted on websites or delivered as email attachments. Please see Cyber Security Tip ST04-010.

    References

    Revision History

    • April 10, 2012: Initial release
  • TA12-101A: Microsoft Updates for Multiple Vulnerabilities

    Original release date: April 10, 2012 | Last revised: —

    Systems Affected

    • Microsoft Windows
    • Microsoft Internet Explorer
    • Microsoft .NET Framework
    • Microsoft Office
    • Microsoft Server Software
    • Microsoft SQL Server
    • Microsoft Developer Tools
    • Microsoft Forefront United Access Gateway

    Overview

    There are multiple vulnerabilities in Microsoft Windows, Internet Explorer, Microsoft .NET Framework, Microsoft Office, Microsoft Server Software, Microsoft SQL Server, Microsoft Developer Tools, and Microsoft Forefront United Access Gateway.  Microsoft has released updates to address these vulnerabilities.

    Description

    The Microsoft Security Bulletin Summary for April 2012 describes multiple vulnerabilities in Microsoft software. Microsoft has released updates to address the vulnerabilities.

    Impact

    A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.

    Solution

    Apply updates

    Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for April 2012, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates.

    References

    Revision History

    • April 10, 2012: Initial release
  • TA12-073A: Microsoft Updates for Multiple Vulnerabilities

    Original release date: March 13, 2012
    Last revised: —
    Source: US-CERT

    Systems Affected

    • Microsoft Windows
    • Microsoft Visual Studio
    • Microsoft
      Expression Design

    Overview

    There are multiple vulnerabilities in Microsoft Windows, Microsoft Visual
    Studio, and Microsoft Expression Design. Microsoft has released updates to
    address these vulnerabilities.

    I. Description

    The Microsoft
    Security Bulletin Summary for March 2012     describes multiple vulnerabilities
    in Microsoft Windows, Microsoft Visual Studio, and Microsoft Expression Design.
    Microsoft has released updates to address the vulnerabilities.

    II. Impact

    A remote, unauthenticated attacker could execute arbitrary code, cause a
    denial of service, or gain unauthorized access to your files or system.

    III. Solution

    Apply updates

    Microsoft has provided updates for
    these vulnerabilities in the Microsoft
    Security Bulletin Summary for March 2012    , which describes any known issues
    related to the updates. Administrators are encouraged to note these issues and
    test for any potentially adverse effects. In addition, administrators should
    consider using an automated update distribution system such as Windows Server
    Update Services     (WSUS). Home users are encouraged to enable automatic
    updates    .

    IV. References

     

    Feedback can be directed to US-CERT.

    Produced 2012 by US-CERT, a government organization. Terms of use

    Revision History

    March 13, 2012: Initial release

  • TA12-045A: Microsoft Updates for Multiple Vulnerabilities

    Original release date: February 14, 2012
    Last revised: —
    Source: US-CERT

    Systems Affected

    • Microsoft Windows
    • Microsoft Internet Explorer
    • Microsoft
      .NET Framework
    • Microsoft Silverlight
    • Microsoft
      Office
    • Microsoft Server Software

    Overview

    There are multiple vulnerabilities in Microsoft Windows, Internet Explorer,
    Microsoft .NET Framework, Silverlight, Office, and Microsoft Server Software.
    Microsoft has released updates to address these vulnerabilities.

    I. Description

    The Microsoft
    Security Bulletin Summary for February 2012     describes multiple
    vulnerabilities in Microsoft Windows. Microsoft has released updates to address
    the vulnerabilities.

    II. Impact

    A remote, unauthenticated attacker could execute arbitrary code, cause a
    denial of service, or gain unauthorized access to your files or system.

    III. Solution

    Apply updates

    Microsoft has provided updates for
    these vulnerabilities in the Microsoft
    Security Bulletin Summary for February 2012    , which describes any known
    issues related to the updates. Administrators are encouraged to note these
    issues and test for any potentially adverse effects. In addition, administrators
    should consider using an automated update distribution system such as Windows Server
    Update Services     (WSUS). Home users are encouraged to enable automatic
    updates    .

    IV. References

     

    Feedback can be directed to US-CERT.

    Produced 2012 by US-CERT, a government organization. Terms of use

    Revision History

    February 14, 2012: Initial release

  • TA12-024A: “Anonymous” DDoS Activity

    Original release date: January 24, 2012
    Last revised: —
    Source: US-CERT

    Overview

    US-CERT has received information from multiple sources about coordinated
    distributed denial-of-service (DDoS) attacks with targets that included
    U.S. government agency and entertainment industry websites. The loosely
    affiliated collective “Anonymous” allegedly promoted the attacks in
    response to the shutdown of the file hosting site MegaUpload and in protest of
    proposed U.S. legislation concerning online trafficking in rightsed
    intellectual property and counterfeit goods (Stop Online Piracy Act, or SOPA,
    and Preventing Real Online Threats to Economic Creativity and Theft of
    Intellectual Property Act, or PIPA).

    I. Description

    US-CERT has evidence of two types of DDoS attacks: One using HTTP GET
    requests and another using a simple UDP flood.

    The Low Orbit Ion Cannon
    (LOIC) is a denial-of-service attack tool associated with previous Anonymous
    activity. US-CERT has reviewed at least two implementations of LOIC. One variant
    is written in JavaScript and is designed to be used from a web browser. An
    attacker can access this variant of LOIC on a website and select targets,
    specify an optional message, throttle attack traffic, and monitor attack
    progress. A binary variant of LOIC includes the ability to join a botnet to
    allow nodes to be controlled via IRC or RSS command channels (the
    “HiveMind” feature).

    The following is a sample of LOIC traffic
    recorded in a web server log:

    “GET
    /?id=1327014400570&msg=We%20Are%20Legion! HTTP/1.1″ 200 99406
    “hxxp://pastehtml.com/view/blafp1ly1.html” “Mozilla/5.0 (Windows
    NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1″

    The
    following sites have been identified in HTTP referrer headers of suspected LOIC
    traffic. This list may not be complete. Please do not visit any of the links as
    they may still host functioning LOIC or other malicious code.

    "hxxp://3g.bamatea.com/loic.html"
    "hxxp://anonymouse.org/cgi-bin/anon-www.cgi/"
    "hxxp://chatimpacto.org/Loic/"
    "hxxp://cybercrime.hostzi.com/Ym90bmV0/loic/"
    "hxxp://event.seeho.co.kr/loic.html"
    "hxxp://pastehtml.com/view/bl3weewxq.html"
    "hxxp://pastehtml.com/view/bl7qhhp5c.html"
    "hxxp://pastehtml.com/view/blafp1ly1.html"
    "hxxp://pastehtml.com/view/blakyjwbi.html"
    "hxxp://pastehtml.com/view/blal5t64j.html"
    "hxxp://pastehtml.com/view/blaoyp0qs.html"
    "hxxp://www.lcnongjipeijian.com/loic.html"
    "hxxp://www.rotterproxy.info/browse.php/704521df/ccc21Oi8/vY3liZXJ/jcmltZS5/ob3N0emk/uY29tL1l/tOTBibVY/wL2xvaWM/v/b5/fnorefer"
    "hxxp://www.tandycollection.co.kr/loic.html"
    "hxxp://www.zgon.cn/loic.html"
    "hxxp://zgon.cn/loic.html"
    "hxxp://www.turbytoy.com.ar/admin/archivos/hive.html"

    The
    following are the A records for the referrer sites as of January, 20,
    2012:

    3g[.]bamatea[.]com               
    A    218[.]5[.]113[.]218
    cybercrime[.]hostzi[.]com        
    A    31[.]170[.]161[.]36
    event[.]seeho[.]co[.]kr          
    A    210[.]207[.]87[.]195
    chatimpacto[.]org                
    A    66[.]96[.]160[.]151  
    anonymouse[.]org                 
    A    193[.]200[.]150[.]125
    pastehtml[.]com                  
    A    88[.]90[.]29[.]58
    lcnongjipeijian[.]com            
    A    49[.]247[.]252[.]105
    www[.]rotterproxy[.]info         
    A    208[.]94[.]245[.]131
    www[.]tandycollection[.]co[.]kr   A   
    121[.]254[.]168[.]87
    www[.]zgon[.]cn                  
    A    59[.]54[.]54[.]204
    www[.]turbytoy[.]com[.]ar        
    A    190[.]228[.]29[.]84

    The HTTP requests
    contained an “id” value based on UNIX time and user-defined
    “msg” value, for example:

    GET
    /?id=1327014189930&msg=%C2%A1%C2%A1NO%20NOS%20GUSTA%20LA%20

    Other
    “msg” examples:

    msg=%C2%A1%C2%A1NO%20NOS%20GUSTA%20LA%20
    msg=:)
    msg=:D
    msg=Somos%20Legion!!!
    msg=Somos%20legi%C3%B3n!
    msg=Stop%20S.O.P.A%20:)%20%E2%99%AB%E2%99%AB HTTP/1.1" 200 99406
    "http://pastehtml.com/view/bl7qhhp5c.html"
    msg=We%20Are%20Legion!
    msg=gh
    msg=open%20megaupload
    msg=que%20sepan%20los%20nacidos%20y%20los%20que%20van%20a%20nacer%20que%20nacimos%20para%20vencer%20y%20no%20para%20ser%20vencidos
    msg=stop%20SOPA!!
    msg=We%20are%20Anonymous.%20We%20are%20Legion.%20We%20do%20not%20forgive.%20We%20do%20not%20forget.%20Expect%20us!

    The
    “msg” field can be arbitrarily set by the attacker.

    As of
    January 20, 20012, US-CERT has observed another attack that consists of UDP
    packets on ports 25 and 80. The packets contained a message followed by variable
    amounts of padding, for example:

    66:6c:6f:6f:64:00:00:00:00:00:00:00:00:00 |
    flood.........

    Target selection, timing, and other attack activity
    is often coordinated through social media sites or online forums.

    US-CERT
    is continuing research efforts and will provide additional data as it becomes
    available.

    III. Solution

    There are a number of mitigation strategies available for dealing with DDoS
    attacks, depending on the type of attack as well as the target network
    infrastructure. In general, the best practice defense for mitigating DDoS
    attacks involves advanced preparation.

    • Develop a checklist or
      Standard Operating Procedure (SOP) to follow in the event of a DDoS attack. One
      critical point in a checklist or SOP is to have contact information for your ISP
      and hosting providers. Identify who should be contacted during a DDoS, what
      processes should be followed, what information is needed, and what actions will
      be taken during the attack with each entity.
    • The ISP or hosting provider
      may provide DDoS mitigation services. Ensure your staff is aware of the
      provisions of your service level agreement (SLA).
    • Maintain contact
      information for firewall teams, IDS teams, network teams and ensure that it is
      current and readily available.
    • Identify critical services that must be
      maintained during an attack as well as their priority. Services should be
      prioritized beforehand to identify what resources can be turned off or blocked
      as needed to limit the effects of the attack. Also, ensure that critical systems
      have sufficient capacity to withstand a DDoS attack.
    • Have current
      network diagrams, IT infrastructure details, and asset inventories. This will
      assist in determining actions and priorities as the attack
      progresses.
    • Understand your current environment and have a baseline of
      daily network traffic volume, type, and performance. This will allow staff to
      better identify the type of attack, the point of attack, and the attack vector
      used. Also, identify any existing bottlenecks and remediation actions if
      required.
    • Harden the configuration settings of your network, operating
      systems, and applications by disabling services and applications not required
      for a system to perform its intended function. 
    • Implement a bogon block list at the
      network boundary.
    • Employ service screening on edge routers wherever
      possible in order to decrease the load on stateful security devices such as
      firewalls.
    • Separate or compartmentalize critical
      services:
      • Separate public and private services
      • Separate intranet,
        extranet, and internet services
      • Create single purpose servers for each
        service such as HTTP, FTP, and DNS
    • Review the US-CERT Cyber
      Security Tip Understanding
      Denial-of-Service Attacks      .

    IV. References

     

    Feedback can be directed to US-CERT.

    Produced 2012 by US-CERT, a government organization. Terms of use

    Revision History

    January 24, 2012: Initial release