Thanks to the revelations around the recent Ruby float conversion denial of service, aka CVE-2013-4164 discovered and reported by Charlie Somerville, this week's release is pretty slim in terms of content; on Friday (the day of the first disclosure), we pretty much dropped everything and got to work on testing and packaging up new Metasploit installers that ship with Ruby 1.9.3-p484, which fixes the bug.
As far as we are able to tell, it's merely a denial of service, so the worst that happens is that your given Ruby application can crash out with a segfault. Like most other Ruby bugs that lead to segfaults, we haven't been able to tease any code exec out, but it's not completely impossible.
So, in case it's not absolutely clear, Metasploit Community, Express, and Pro are all vulnerable as of Metasploit 4.8.0 and prior; again, we don't have a remote code exec path, but getting your assessment knocked out from under you can be more than a little unpleasant. Update to Metasploit 4.8.1 before you start your next engagement, and you'll be golden. We've also updated the Metasploit Framework repo to suggest ruby-1.9.3-p484, so take a moment to install that as well on your development environment if you're that sort.
We're not the only ones who were exposed to this, of course. If you have control over your Ruby installations, you'll want to update if you haven't already. If you rely on a cloud provider or some other kind of provisioning service, you should get with them; to take just one example, Sebastian Saunier has a procedure to update all your Heroku apps, all nicely scripted out in this gist.
PS: ruby-lang.org, it's a little unneighborly to disclose on a Friday; I'm sure the world's Ruby administrators could have used an extra weekday or two. No time is a good time for new vulns, but when Rapid7 discloses, we make every effort to make sure we coordinate around Wednesdays.
Alas, we just have the one new exploit that managed to get landed before the Ruby code review and update freak out. I Promise we'll have more next week, including the Metasploit module that exercises the aforementioned bug (it's landed on our development repo, but that won't be released until next week).
- DesktopCentral AgentLogUpload Arbitrary File Upload by Thomas Hibbert
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.
For many, the holiday season is a season for shopping and spending. But cybercriminals see it in a different light—they see it as a prime opportunity to steal.
Take, for example, online shopping. Malicious websites to try and trick online shoppers into giving them their money instead of the legitimate shopping websites. These sites are often made to look exactly like the website they’re mimicking, and feature a login screen that asks the user to enter their personal information. They are interested in any and all kinds of login information – for example, we recently saw phishing sites that stole the Apple IDs of users.
We have kept track of the number phishing sites created since 2008. We pay particular attention to those that target Christmas shoppers and/or have holiday themes. There are plenty of these, and they persist all year. Unsurprisingly, they rise towards the end of the year, as seen in the graph below:
Figure 1. Christmas-related / Holiday-themed Phishing Sites
These sites also peak during big shopping dates, such as Black Friday and Cyber Monday. Online shoppers tend to search for huge discounts on these dates.
Cybercriminals target specific items that users might be looking for in particular when shopping online, such as gadgets (tablets, smartphones and DSLR cameras) toys, video games/consoles, software, and so on. We examined the most popular items sold and wished for on online shopping sites and compared them with the phishing sites we saw. We found that these were the most targeted items:
Figure 2. Top 10 Most Targeted Shopping Items
Spam campaigns also take advantage of the season. We recently found a spam campaign which targeted British users. This campaign promoted cheap flights to destinations in the Canary Islands—popular tourist destinations for Britons. The name of a well-known provider of travel packages was also used.
Figure 3. Sample Holiday Spam
The email contains a .ZIP file that claims to contain more available holiday destinations. Opening the archive yields a .PDF file that is actually a malicious executable file. (We detect this file as TROJ_DLOAD.NOM.) Its final payload is a ZBOT variant, which can steal critical personal information of users from their systems.
Figure 4. Malicious File In Archive
Users can avoid these threats by following these tips:
- Don’t use search engines to find good deals. Web threats lurk in search engine results, and they’re often pushed up to the top of the first page because of Blackhat SEO. Instead, bookmark popular and well-established shopping websites and do your searching from there.
- If it’s a deal too good to be true, it probably is. Half-off promos and amazing discounts certainly exist (moreso during the holidays) but if it’s from an unfamiliar website or simply just beyond any reasonable sense of scale, then chances are it’ll lead to a web threat.
- Use online shopping apps instead of using your mobile browser. If you’re a huge online shopper and you use your mobile device to do all your buying, check if your favorite site has an app and use that instead. This allows for a more secure transaction between you, the customer, and the website itself—removing the chance for web threats.
- Install a security solution. A security solution can easily remove the risk of you accidentally stumbling onto opportunistic web threats when you’re shopping online by blocking malicious websites before you can even get to them. It also detects and removes any suspicious files or malware that may end up in your devices.
For more information on the threats that plague online shopping as well as how to shop in a safe manner, check out our latest e-guide, How to Safely Shop Online, as well as our latest image gallery, 5 Most Popular Online Shopping Items for Cybercriminals.
Update as of 10:15 PM PST, November 26.
As expected, cybercrmininals have started to leverage Black Friday, which usually marks the start holiday shopping season. Similar to the Halloween threats we noted previously, we uncovered several Black Friday-themed spam that lead to survey scam sites. These scams steal information from users by posing as survey questionnaires, asking personally identifiable information (PII) such as email addresses, contact information etc.
Figures 4-5. Black Friday-related spam
Several months ago, we found that several Ice IX servers were hosted in the .co.za (South Africa) top-level domain. Our research revealed that these servers were all tied to a group of individuals located in Nigeria.
To recap, Ice IX is a popular banking Trojan that was heavily used by these criminals, together with the better-known ZeuS malware. These types of threats are known for stealing the login credentials of users to banks, email addresses, and social networks.
On some of the servers, there was an infected machine located in Nigeria that the cybercriminals seemed to be using as a proxy to connect to their Ice IX and ZeuS control panels:
Figure 1. Infected machine used as proxy
These cybercriminals are also engaged in other online crimes, such as setting up phishing websites for banks and social media, as well as operating classic Nigerian 419 scams. In order to send the spam messages necessary to carry out these attacks, they also hacked into legitimate servers and installed a PHP mailer.
We identified three individuals as part of the group responsible for these crimes, and they are all located in Lagos, the commercial capital of Nigeria. We believe that they are all part of a larger organization that goes beyond Nigeria. This highlights how African cybercrime is growing and how the region may become a major player in a near future.
More details about this syndicate may be found in our paper “Ice 419″.