Examples and descriptions of various common vulnerabilities
Microsoft Windows, the operating system most commonly used on systems connected to the Internet, contains multiple, severe vulnerabilities. The most commonly exploited are in IIS, MS-SQL, Internet Explorer, and the file serving and message processing services of the operating system itself.
A vulnerability in IIS, detailed in Microsoft Security Bulletin MS01-033, is one of the most exploited Windows vulnerabilities ever. A large number of network worms have been written over the years to exploit this vulnerability, including ‘CodeRed’. CodeRed was first detected on July 17th 2001, and is believed to have infected over 300,000 targets. It disrupted a large number of businesses, and caused huge financial losses around the world. Although Microsoft issued a patch for the vulnerability along with the MS01-033 security bulletin, some versions of the CodeRed worm are still spreading throughout the Internet.
The Spida network worm, detected almost a year after CodeRed appeared, relied on an exposure in the MS-SQL Server software package to spread. Some default installations of MS-SQL Server did not set a password on the ‘SA’ system account. This allowed anyone with network access to the system to run arbitrary commands. Using this exposure, the worm configures the ‘Guest’ account to allow file sharing and uploads itself to the target. It then uses the same password-less ‘SA’ account access to MS-SQL to launch a remote copy of itself, thus spreading the infection.
The Slammer network worm, detected in late January 2003, used an even more direct method to infect Windows systems running MS-SQL Server: a buffer overflow vulnerability in one of the UDP packet handling subroutines. As it was relatively small – 376 bytes – and used UDP, a communication protocol designed for the quick transmission of data, Slammer spread at an almost incredible rate. Some estimates put the time taken for Slammer to spread across the world at as little as 15 minutes, infecting around 75,000 hosts.
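As an added example (not code from the original article), the following shows how a network defender could recognise Slammer-style activity in flow records. It combines a signature built from the facts given above (single UDP datagrams of 376 bytes) with a behavioural check for a host spraying such datagrams at many distinct destinations in a short window, which is what a fast-spreading worm looks like from the network. It assumes UDP port 1434 as the destination (the SQL Server Resolution Service port Slammer targeted, a known fact not stated in this text), and the flow lines are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

SQL_BROWSER_UDP_PORT = 1434   # SQL Server Resolution Service (assumed; not stated in the article)
SLAMMER_PAYLOAD_LEN = 376     # datagram size given in the article

# Constructed sample flow records (not real captures): "timestamp src dst proto dport bytes".
# 10.0.0.5 behaves like an infected host; 10.0.0.12 sends one small, legitimate-looking
# browser query; the other lines are unrelated DNS and TCP traffic.
SAMPLE_FLOWS = """\
1043600000 10.0.0.7  10.0.0.20      udp 53   71
1043600001 10.0.0.5  198.51.100.14  udp 1434 376
1043600001 10.0.0.5  203.0.113.9    udp 1434 376
1043600001 10.0.0.5  192.0.2.77     udp 1434 376
1043600002 10.0.0.5  198.51.100.201 udp 1434 376
1043600002 10.0.0.5  203.0.113.130  udp 1434 376
1043600002 10.0.0.9  10.0.0.20      tcp 1433 1260
1043600003 10.0.0.12 10.0.0.21      udp 1434 38
"""


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int


def parse_flows(text: str) -> List[Flow]:
    """Parse whitespace-separated flow lines; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ts, src, dst, proto, dport, nbytes = line.split()
        flows.append(Flow(int(ts), src, dst, proto.lower(), int(dport), int(nbytes)))
    return flows


def signature_hits(flows: List[Flow]) -> List[Flow]:
    """Signature rule: a UDP datagram to the SQL browser port whose size matches Slammer's."""
    return [
        f for f in flows
        if f.proto == "udp" and f.dport == SQL_BROWSER_UDP_PORT and f.nbytes == SLAMMER_PAYLOAD_LEN
    ]


def scanning_sources(flows: List[Flow], window_s: int = 5, min_targets: int = 3) -> Dict[str, int]:
    """Behavioural rule: sources that hit at least `min_targets` distinct destinations on
    UDP/1434 within any `window_s`-second window. Returns {src: max distinct targets}."""
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        if f.proto == "udp" and f.dport == SQL_BROWSER_UDP_PORT:
            by_src[f.src].append(f)

    flagged: Dict[str, int] = {}
    for src, src_flows in by_src.items():
        src_flows.sort(key=lambda f: f.ts)
        best = 0
        for i, cur in enumerate(src_flows):
            # Distinct destinations seen in the window ending at this datagram.
            targets = {g.dst for g in src_flows[: i + 1] if cur.ts - g.ts <= window_s}
            best = max(best, len(targets))
        if best >= min_targets:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for hit in signature_hits(flows):
        print(f"signature: {hit.src} -> {hit.dst} udp/{hit.dport} {hit.nbytes} bytes")
    for src, n in scanning_sources(flows).items():
        print(f"scanning: {src} reached {n} distinct hosts on udp/{SQL_BROWSER_UDP_PORT}")
```

The signature on its own would also fire on a single infected host talking to one server, while the distinct-destination count catches the scanning behaviour even if a variant changed the datagram size; running both gives a defender a low-noise starting point for isolating the source host.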
These three notorious worms relied on vulnerabilities and exposures in software running on various versions of Microsoft Windows. However, the Lovesan worm, detected on 11th August 2003, used a much more severe buffer overflow in a core component of Windows itself to spread. This vulnerability is detailed in Microsoft Security Bulletin MS03-026.
Sasser, which first appeared at the beginning of May 2003, exploited another core component vulnerability, this time in the Local Security Authority Subsystem Service (LSASS). Information about the vulnerability was published in Microsoft Security Bulletin MS04-011. Sasser spread rapidly and infected millions of computers worldwide, at an enormous cost to business. Many organizations and institutions were forced to suspend operations due to the network disruption caused by the worm.
Inevitably, all operating systems contain vulnerabilities and exposures which can be targeted by hackers and virus writers. Although Windows vulnerabilities receive the most publicity due to the number of machines running Windows, Unix has its own weak spots.
For years, one of the most popular exposures in the Unix world has been the ‘finger’ service. This service allows someone outside a network to see which users are logged on to a certain machine and from which location they are accessing it. The ‘finger’ service is useful, but it also exposes a great deal of information that can be used by hackers.
Here’s what a sample of a remote ‘finger’ report looks like:
Login    Name        Tty    Idle   Login Time    Office  Office Phone
xenon                pts/7  22:34  May 12 16:00  (chrome.chiba)
polly                pts/3  4d     May  8 14:21
cracker  DarkHacker  pts/6  2d     May 10 11:58
This shows that we can learn some interesting things about the remote machine from the finger server: three users are logged in, two of them have been idle for more than two days, and the third has been away from the computer for 22 minutes. Login names shown by the finger service can be used to try login/password combinations, which can quickly result in a system compromise, especially if users have based their passwords on their username, a relatively common practice.
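To make concrete exactly what a remote finger query hands out, here is an added example (not part of the original article) that parses the short-format report quoted above and summarises the exposure: the valid usernames, any real names, sessions left idle for days, and the hosts users connect from. The sample input is the report from the text, embedded so the script runs offline. It assumes the finger(1) convention for the Idle column (a bare number is minutes, H:MM is hours and minutes, Nd is days) and that the Name column may be empty or contain spaces; both are assumptions about the format, not statements from the article.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the remote finger report quoted in the text above.
SAMPLE_FINGER_OUTPUT = """\
Login    Name        Tty    Idle   Login Time    Office  Office Phone
xenon                pts/7  22:34  May 12 16:00  (chrome.chiba)
polly                pts/3  4d     May  8 14:21
cracker  DarkHacker  pts/6  2d     May 10 11:58
"""

# One session line of finger's short format. The Name column is often empty, so it is
# optional; the Idle field is absent for an active user; the origin host in parentheses
# appears only for remote logins. (Format assumptions, see lead-in.)
_SESSION_LINE = re.compile(
    r"^(?P<login>\S+)\s+"
    r"(?:(?P<name>\S.*?)\s+)?"
    r"(?P<tty>(?:pts/\d+|tty\S*))\s+"
    r"(?:(?P<idle>\d+d|\d+:\d{2}|\d+)\s+)?"
    r"(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{1,2}:\d{2})"
    r"(?:\s+\((?P<origin>[^)]*)\))?\s*$"
)


@dataclass
class Session:
    login: str
    name: Optional[str]
    tty: str
    idle_min: int
    login_time: str
    origin: Optional[str]   # remote host the user logged in from, if finger shows one


def idle_minutes(idle: Optional[str]) -> int:
    """Convert finger's Idle field to minutes (assumed finger(1) convention)."""
    if not idle:
        return 0                                # no idle field: user is active
    if idle.endswith("d"):
        return int(idle[:-1]) * 24 * 60         # "4d"  -> days
    if ":" in idle:
        hours, mins = idle.split(":")
        return int(hours) * 60 + int(mins)      # "22:34" -> hours:minutes
    return int(idle)                            # "15" -> minutes


def parse_finger(text: str) -> List[Session]:
    """Parse a short-format finger report into Session records; the header line is skipped."""
    sessions = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Login"):
            continue
        m = _SESSION_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised finger line: {line!r}")
        sessions.append(Session(
            login=m["login"],
            name=m["name"],
            tty=m["tty"],
            idle_min=idle_minutes(m["idle"]),
            login_time=f"{m['month']} {m['day']} {m['time']}",
            origin=m["origin"],
        ))
    return sessions


def exposure_summary(sessions: List[Session], stale_days: int = 2) -> dict:
    """What a single remote query reveals: usernames (fodder for password guessing),
    real names, sessions idle for `stale_days` or more, and the hosts users come from."""
    return {
        "logins": [s.login for s in sessions],
        "real_names": [s.name for s in sessions if s.name],
        "stale_sessions": [s.login for s in sessions if s.idle_min >= stale_days * 24 * 60],
        "remote_origins": sorted({s.origin for s in sessions if s.origin}),
    }


if __name__ == "__main__":
    report = exposure_summary(parse_finger(SAMPLE_FINGER_OUTPUT))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running the same parser against your own hosts' finger output is a quick way to see whether the service is still reachable and what it is leaking; the usual fix, as the next paragraph notes, is simply to leave it disabled.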
The finger service not only exposes important information about the server it is hosted on; it has also been the target of many exploits, including the famous network worm written by Robert Morris Jr, which was released on November 2nd 1988. Most modern Unix distributions therefore ship with this service disabled.
The ‘sendmail’ program, originally written by Eric Allman, is another popular target for hackers. ‘Sendmail’ was developed to handle the transfer of email messages across the Internet. Because it had to support a large number of operating systems and hardware configurations, ‘Sendmail’ grew into an extremely complex program, and it has a long and notorious history of severe vulnerabilities. The Morris worm used a ‘sendmail’ exploit as well as the ‘finger’ vulnerability to spread.
There are many other popular exploits in the Unix world that target software packages such as SSH, Apache, WU-FTPD, BIND, IMAP/POP3 servers, various parts of the kernel, etc.
The exploits, vulnerabilities, and incidents listed above highlight an important fact. While the number of systems running IIS, MS-SQL or other specific software packages can be counted in the hundreds of thousands, the total number of systems running Windows is probably close to several hundred million. If all these machines were targeted by a worm or a hacker using an automated hacking tool, this would pose an extremely severe threat to the internal structure and stability of the Internet.