A new tool developed by Francisco Amato of Infobyte Security Research takes advantage of automatic updates to spread just about any type of malware an attacker would want. The tool is designed to be used by penetration testers to exploit common auto-update features found in software such as OS X, Sun Microsystems' Java, and iTunes. Dubbed "Evilgrade", the tool is one of the first to take advantage of the recently exposed DNS vulnerability, thanks to well-engineered exploit code released for Metasploit.
Kaminsky DNS flaw used as an example in testing of Evilgrade. (IMG:J.Anderson)
It is fast-becoming a long week for IT administrators and security engineers. By now, there have been meetings and memos, e-mails and phone calls, all related to the vulnerability. Most of the upper management who have seen the news of the recent DNS issues are all likely asking, “...are we safe?”
The truth is, if you have applied the patch, then yes, the simple answer is that you are safe. However, real security experts know that while the patches helped, they did not remove the problem altogether: against a patched DNS server the exploit has roughly a one-in-a-million chance of working, but the chance is there, and given enough time it is possible to make it work.
Researcher Francisco Amato says that his Evilgrade tool takes advantage of poor upgrade implementations by injecting fake updates. Evilgrade itself is platform independent; it needs only a payload suited to the target platform, for example an OS X payload delivered through an OS X update, or a Windows payload delivered through a Winamp upgrade. The attack vector for the tool is a simple man-in-the-middle attack using any of the usual avenues, such as ARP spoofing, DNS cache poisoning, DHCP spoofing, or access to an internal DNS server.
Evilgrade is modular as well. Each module emulates the update structure expected by the application it targets. The list of modules so far includes Sun Microsystems Java, WinZip, Winamp, Apple's OS X, OpenOffice, iTunes, LinkedIn Toolbar, DAP, Notepad++, and speedbit.
The demonstration video for Evilgrade uses Sun's Java auto-update process. Using the DNS flaw discovered by Dan Kaminsky, the video shows Metasploit being used to poison the DNS cache entry for java.sun.com, after which the victim is prompted with an update alert from Java's auto-update feature. The only problem is that the update was triggered and sent by the attacker. The attacker can set the severity level of the update, such as critical, and even name the update to gain attention ("Hello Dan Kaminsky" was the update name used in the example).
The problem is that the update alert, and the method Java used to initiate and deliver the update, all worked exactly as Sun intended. Only, in this case, the attacker caused the victim to install a reverse shell, allowing remote access to the machine.
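As an added example (not the article's or Evilgrade's code), this hypothetical Go update client shows the weak check described above next to a hardened one: the client pins the vendor's Ed25519 public key, verifies the signature over the update manifest, and checks the payload's SHA-256 against the signed digest before offering the update. The Manifest fields, the key pair and the sample payloads are constructed for the demonstration.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor fetched from the vendor host; SHA256 is the payload's hex digest.
type Manifest struct {
	Severity, Title, SHA256 string
	Version                 int
}
func digest(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }
// naiveAccept is the weak design: whoever answers for the update host is trusted, so any "newer" manifest is offered.
func naiveAccept(installed int, raw []byte) (m Manifest, err error) {
	if err = json.Unmarshal(raw, &m); err == nil && m.Version <= installed {
		err = errors.New("not newer than installed version")
	}
	return m, err
}

// verifiedAccept is the hardened form: manifest verified under a pinned Ed25519 key, payload checked against its digest.
func verifiedAccept(pub ed25519.PublicKey, installed int, raw, sig, payload []byte) (Manifest, error) {
	if !ed25519.Verify(pub, raw, sig) {
		return Manifest{}, errors.New("manifest signature invalid")
	}
	m, err := naiveAccept(installed, raw)
	if err == nil && digest(payload) != m.SHA256 {
		err = errors.New("payload digest mismatch")
	}
	return m, err
}

func main() { // constructed demo: vendor key pair, one genuine and one injected manifest
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	payload := []byte("genuine update bytes")
	raw, _ := json.Marshal(Manifest{"moderate", "Update 7", digest(payload), 7})
	forged, _ := json.Marshal(Manifest{"critical", "Hello Dan Kaminsky", "", 99})
	_, err := verifiedAccept(pub, 6, raw, ed25519.Sign(priv, raw), payload)
	fmt.Println("genuine:", err) // <nil>
	_, err = verifiedAccept(pub, 6, forged, make([]byte, 64), []byte("not the vendor's bytes"))
	fmt.Println("forged:", err) // manifest signature invalid
	_, err = naiveAccept(6, forged)
	fmt.Println("naive client accepts forged:", err == nil) // true
}
```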
Mitigation for this level of attack is difficult. Once a resolver's cache has been poisoned, there is little a victim can do to prevent exploitation. The fact that the recent DNS vulnerability was used in the example only serves to point out why it is silly to have so many unpatched servers online.
Several ISPs, including Comcast, Sprint, Level3, Adelphia, Bell South, and AT&T, all show 'POOR' or 'FAIR' on the DNS tests. The rating of 'GOOD' is what you need, anything less is risky. Another interesting, if not odd, missing patch is Apple’s implementation of BIND; ISC released a patched version of BIND to address Kaminsky’s discovery, yet Apple has not pushed it to the OS X Server.
The appearance of Evilgrade will only complicate things once non-professionals -- read script kiddies -- get their hands on it. The best defense is a good offence, but since this tool takes advantage of the update systems already in place, it is hard to recommend mitigation until the companies, most notably Sun, address how their update platforms work.
As for the DNS issues, if you have not patched, or if you use one of the ISPs mentioned for business needs, then you need to make the proper upgrades in-house, and call your ISP and ride it until it patches its own systems.
Laura, Aug 7th, 2008 - 19:03:24
I am sorry this is REALLY happening, but I have been suspicious of the DNS servers for over a year.
Starting 7-06, it looked like a BIOS or VM rootkit. If I read 'boot files' correctly, something on the boot was very wrong (4+ PCs/macosx). I saw the use of HFS, an old Mac file system, QNX, Mac/older Unix programs. Wiped or new hard drives did no good, and it jumped on Linux faster. Finally, one day, someone dropped info (I could never find) on a PC that a DNS proxy, mail proxy was used. Maybe that was an 'ethical hacker', because the malware just seemed to go away.
Still have problems which cause me to suspect DNS as possible, but nothing as bad as what ended in the beginning of 2008. I do see attempts on SQL attacks on some sites, but they are not as sophisticated as what hit before.
The security experts have publicized/are researching most of my 2007 q's,so I trust that they will win 'the war'!!