U.S. Department of Homeland Security US-CERT

National Cyber Awareness System:

TA15-337A: Dorkbot
12/03/2015 06:40 PM EST


Original release date: December 03, 2015

Systems Affected
Microsoft Windows

Overview
Dorkbot is a botnet used to steal online payment, participate in distributed denial-of-service (DDoS) attacks, and deliver other types of malware to victimsÆ computers. According to Microsoft, the family of malware used in this botnet ôhas infected more than one million personal computers in over 190 countries over the course of the past year.ö The United States Department of Homeland Security (DHS), in collaboration with the Federal Bureau of Investigation (FBI) and Microsoft, is releasing this Technical Alert to provide
further information about Dorkbot.

Description
Dorkbot-infected systems are used by cyber criminals to steal sensitive information (such as user account credentials), launch denial-of-service (DoS) attacks, disable security protection, and distribute several malware variants to victimsÆ computers. Dorkbot is commonly spread via malicious links sent through social networks instant message programs or through infected USB devices.

In addition, DorkbotÆs backdoor functionality allows a remote attacker to exploit infected system. According to MicrosoftÆs analysis, a remote attacker may be able to:

Download and run a file from a specified URL;
Collect logon information and passwords through form grabbing, FTP, POP3, or Internet Explorer and Firefox cached login details; or
Block or redirect certain domains and websites (e.g., security sites).
Impact
A system infected with Dorkbot may be used to send spam, participate in DDoS attacks, or harvest users' credentials for online services, including banking services.

Solution
Users are advised to take the following actions to remediate Dorkbot infections:

Use and maintain anti-virus software û Anti-virus software recognizes and protects your computer against most known viruses. Even though Dorkbot is designed to evade detection, security companies are continuously updating their
software to counter these advanced threats. Therefore, it is important to keep your anti-virus software up-to-date. If you suspect you may be a victim of Dorkbot, update your anti-virus software definitions and run a full-system scan. (See Understanding Anti-Virus Software for more information.)
Change your passwords û Your original passwords may have been compromised during the infection, so you should change them. (See Choosing and Protecting Passwords for more information.)
Keep your operating system and application software up-to-date û Install software patches so that attackers cannot take advantage of known problems or vulnerabilities. You should enable automatic updates of the operating system if
this option is available. (See Understanding Patches for more information.)
Use anti-malware tools û Using a legitimate program that identifies and removes
malware can help eliminate an infection. Users can consider employing a remediation tool (see example below) to help remove Dorkbot from their systems.

Disable Autorun¡ û Dorkbot tries to use the Windows Autorun function to propagate via removable drives (e.g., USB flash drive). You can disable Autorun
to stop the threat from spreading.
Microsoft
http://www.microsoft.com/security/scanner/en-us/default.aspx

The above example does not constitute an exhaustive list. The U.S. Government does not endorse or support any particular product or vendor.

References
Microsoft Malware Protection Center û Worm: Win32/Dorkbot
Microsoft Malware Protection Center û Microsoft assists law enforcement to help
disrupt Dorkbot botnets
Revision History
December 3, 2015: Initial Publication

-------------------------------------------------------------------------------
-

This product is provided subject to this Notification and this Privacy & Use policy.


-------------------------------------------------------------------------------
-
A copy of this publication is available at www.us-cert.gov. If you need help or
have questions, please send an email to info@us-cert.gov. Do not reply to this message since this email was sent from a notification-only address that is not monitored. To ensure you receive future US-CERT products, please add US-CERT@ncas.us-cert.gov to your address book.
OTHER RESOURCES:
Contact Us | Security Publications | Alerts and Tips | Related Resources
STAY CONNECTED:
Sign up for email updates

SUBSCRIBER SERVICES:
Manage Preferences | Unsubscribe | Help


-------------------------------------------------------------------------------
-
This email was sent to Fido4cmech@lusfiber.net using GovDelivery, on behalf of:
United States Computer Emergency Readiness Team (US-CERT) ╖ 245 Murray Lane SW Bldg 410 ╖ Washington, DC 20598 ╖ (888) 282-0870 Powered by GovDelivery

=== Cut ===


--
Guardien Fide :^)

Ben aka cMech Web: http://cmech.dynip.com
Email: fido4cmech(at)lusfiber.net
Home page: http://cmech.dynip.com/homepage/
WildCat! Board 24/7 +1-337-984-4794 any BAUD 8,N,1

--- GoldED+/W32-MSVC
* Origin: FIDONet - The Positronium Repository (1:393/68)

On 12/03/15, Ben Ritchey pondered and said...

U.S. Department of Homeland Security US-CERT

Thanks for sharing this.

Best, Paul

--- Mystic BBS v1.11 (Windows)
* Origin: Agency BBS | telnet://agency.bbs.geek.nz (3:770/100)

TA14-017A:UDP-Based Amplification Attacks

Original release date: January 17, 2014 | Last revised: April 13, 2016
Systems Affected
Certain application-layer protocols that rely on User Datagram Protocol (UDP) have been identified as potential attack vectors:

DNS
NTP
SNMPv2
NetBIOS
SSDP
CharGEN
QOTD
BitTorrent
Kad
Quake Network Protocol
Steam Protocol
RIPv1
Multicast DNS (mDNS)
Portmap/RPC
Overview
A Distributed Reflective Denial of Service (DRDoS) attack is a form of Distributed Denial of Service (DDoS) that relies on the use of publicly accessible UDP servers, as well as bandwidth amplification factors, to overwhelm a victim system with UDP traffic.

Description
UDP, by design, is a connection-less protocol that does not validate source IP addresses. Unless the application-layer protocol uses countermeasures such as session initiation in VOIP (voice over IP), it is very easy to forge the IP packet datagram to include an arbitrary source IP address [1]. When many UDP packets have their source IP address forged to the victim IP address, the destination server (or amplifier) responds to the victim (instead of the attacker), creating a reflected Denial of Service (DoS) Attack.

Recently, certain UDP protocols have been found to have particular responses to
certain commands that are much larger than the initial request. Previously, attackers were limited linearly by the number of packets directly sent to the target to conduct a DoS attack; now a single packet can generate tens or hundreds of times the bandwidth in its response. This is called an amplification attack, and when combined with a reflective DoS attack on a large
scale using multiple amplifiers and targeting a single victim, DDoS attacks can
be conducted with relative ease.

To measure the potential effect of an amplification attack, a metric called the
bandwidth amplification factor (BAF) is used. BAF can be calculated as the number of UDP payload bytes that an amplifier sends to answer a request, compared to the number of UDP payload bytes of the request [2] [3].

The list of known protocolsùand their associated bandwidth amplification factorsùare listed below. US-CERT offers thanks to Christian Rossow for providing this information. For more information on bandwidth amplification factors, please see Christian's blog and associated research paper.

Protocol Bandwidth Amplification Factor Vulnerable Command
DNS 28 to 54 see: TA13-088A [4]
NTP 556.9 see: TA14-013A [5]
SNMPv2 6.3 GetBulk request
NetBIOS 3.8 Name resolution
SSDP 30.8 SEARCH request
CharGEN 358.8 Character generation request
QOTD 140.3 Quote request
BitTorrent 3.8 File search
Kad 16.3 Peer list exchange
Quake Network Protocol 63.9 Server info exchange
Steam Protocol 5.5 Server info exchange
Multicast DNS (mDNS) 2 to 10 Unicast query
RIPv1 131.24 Malformed request
Portmap (RPCbind) 7 to 28 Malformed request

In March 2015, Software Engineering Institute CERT issued Vulnerability Note (VU#550620) describing the use of mDNS in DRDoS attacks. Attackers can leverage
mDNS by sending more information than can be handled by the device, thereby causing a DoS. [6]

In July 2015, Akamai Technologies' Prolexic Security Engineering and Research Team (PLXsert) issued a threat advisory describing a surge in DRDoS attacks using the Routing Information Protocol version one (RIPv1). Malicious actors are leveraging the behavior of RIPv1 for DDoS reflection through specially crafted request queries [7].

In August 2015, Level 3 Threat Research Labs reported a new form of DRDoS attack that uses portmap. Attackers leverage the behavior of the portmap service through spoofed requests and flood a victimÆs network with UDP traffic.
[8]

Impact
Attackers can utilize the bandwidth and relative trust of large servers that provide the above UDP protocols to flood victims with unwanted traffic, a DDoS attack.

Solution
DETECTION
Detection of DRDoS attacks is not easy because of their use of large, trusted servers that provide UDP services. Network operators of these exploitable services may apply traditional DoS mitigation techniques. To detect a DRDOS attack, watch out for abnormally large responses to a particular IP address, which may indicate that an attacker is using the service.

If you are a victim of DRDoS attack, there are a few things you can do to detect such activity and respond:

Detect and alert large UDP packets to higher order ports.
Detect and alert on any non-stateful UDP packets. (A simple snort example is below. You will need to customize this approach to your environment with whitelist and known services.) Simple Snort rule example for stateless UDP check
var HOME_NET [10.10.10.20]
preprocessor stream5_global: track_ip yes, track_tcp yes,track_udp yes,track_icmp no,max_tcp 262144, max_udp 131072
preprocessor stream5_ip: timeout 180
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
preprocessor stream5_udp: timeout 180, ignore_any_rules
alert udp HOME_NET 1024: -> any any (msg:"UDP Session start"; flowbits:set,logged_in; flowbits:noalert; sid: 1001;)
alert udp any any -> HOME_NET 1024: (msg:"UDP Stateless"; flowbits:isnotset,logged_in; sid: 1002)

If you are an upstream provider maintain updated contacts and methods with downstream customers to send alerts by network.
In general, network and server administrators for Internet service providers (ISPs) should use the following best practices to avoid becoming amplifier nodes:

Detect spoofed packets using network flow. (In order to validate before blocking it, read more in the Mitigation section on blocking spoofed traffic.) Monitor for an unusual number of requests to UDP services at risk using network
flow or other summarized network data.
Use network flow to detect service anomalies (bytes-per-packet, packets-per-second anomalies).
MITIGATION
If you are a victim of DRDoS attack there are a few things you can do to mitigate this attack:

Use stateful UDP inspection to reduce impact on critical services on your border firewall or border router (like reflexive ACL [9])
Using Border Gateway Protocol (BGP), create a Remotely Triggered Blackhole, preferably in coordination with your upstream provider or ISP. [10]
Maintain a list of primary upstream provider emergency contacts to coordinate response to the attack. If you are an upstream provider, conduct mitigation in coordination with your downstream customers.
In general, network and server administrators for Internet service providers (ISPs) should use the following as best practices to avoid becoming amplifier nodes:

Keep your software and configuration up to date to deny or limit abuse (e.g., DNS response rate limit [11] [12] [13])
Disable and remove unwanted services or deny access to local services over the Internet.
Enable network-based rate-limiting to legitimate services you provide over the Internet using UDP-based protocols (e.g., quality of service (QoS) on switching
and routing devices)
Work with Customer Provider Edge manufactures for secure configuration and software [14]
As a service provider, to avoid any misuse of Internet resources

Block spoofed packets by using ingress filtering (the Spoofer Project [15] and IETF BCP 28 and BCP 39 guidelines [16])
Use traffic shaping on UDP service requests to ensure repeated access to over-the-internet resources is not abusive.[17] [18]
References
[1] SIP: Session Initiation Protocol
[2] Amplification Hell: Abusing Network Protocols for DDoS
[3] Ampli?cation Hell: Revisiting Network Protocols for DDoS Abuse
[4] DNS Amplification Attacks
[5] NTP Amplification Attacks Using CVE-2013-5211
[6] VU#550620: Multicast DNS (mDNS) implementations may respond to unicast queries originating outside the local link
[7] RIPv1 Reflection DDoS [Medium Risk]
[8] A New DDoS Reflection Attack: Portmapper; An Early Warning to the Industry [9] Configuring IP Session Filtering (Reflexive Access Lists)
[10] Remotely-Triggered Black Hole (RTBH) Routing
[11] A Quick Introduction to Response Rate Limiting
[12] Network Ingress Filtering: Defeating Denial of Service Attacks Which Employ IP Source Address Spoofing
[13] Ingress Filtering for Multihomed Networks
[14] Abuse of Customer Premise Equipment and Recommended Actions
[15] The Spoofer Project
[16] Abuse of Customer Premise Equipment and Recommended Actions
[17] An Architecture for Differentiated Services
[18] New Terminology and Clarifications for Diffserv
Revisions
February 9, 2014 û Initial Release
March 7, 2014 û Updated page to include research links
July 13, 2015 û Added RIPv1 as an attack vector
August 19, 2015 û Added Multicast DNS (mDNS) and Portmap (RPCbind) as attack vectors
April 13, 2016 û Updated detection and mitigation information

-------------------------------------------------------------------------------
-
OTHER RESOURCES:
Contact Us | Security Publications | Alerts and Tips | Related Resources
STAY CONNECTED:
Sign up for email updates

SUBSCRIBER SERVICES:
Manage Preferences | Unsubscribe | Help


-------------------------------------------------------------------------------
-
This email was sent to Fido4cmech@lusfiber.net using GovDelivery, on behalf of:
United States Computer Emergency Readiness Team (US-CERT) ╖ 245 Murray Lane SW Bldg 410 ╖ Washington, DC 20598 ╖ (888) 282-0870 Powered by GovDelivery
=== Cut ===

--
Keep the faith :^)

Ben aka cMech Web: http|ftp|telnet://cmech.dynip.com
Email: fido4cmech(at)lusfiber.net
Home page: http://cmech.dynip.com/homepage/
WildCat! Board 24/7 +1-337-984-4794 any BAUD 8,N,1

--- GoldED+/W32-MSVC
* Origin: FIDONet - The Positronium Repository (1:393/68)

U.S. Department of Homeland Security US-CERT

National Cyber Awareness System:



TA16-144A: WPAD Name Collision Vulnerability
05/23/2016 07:38 AM EDT


Original release date: May 23, 2016

Systems Affected
Windows, OS X, Linux systems, and web browsers with WPAD enabled

Overview
Web Proxy Auto-Discovery (WPAD) Domain Name System (DNS) queries that are intended for resolution on private or enterprise DNS servers have been observed
reaching public DNS servers [1]. In combination with the New generic Top Level Domain (gTLD) programÆs incorporation of previously undelegated gTLDs for public registration, leaked WPAD queries could result in domain name collisions
with internal network naming schemes [2] [3]. Collisions could be abused by opportunistic domain registrants to configure an external proxy for network traffic, allowing the potential for man-in-the-middle (MitM) attacks across the
Internet.

Description
WPAD is a protocol used to ensure all systems in an organization utilize the same web proxy configuration. Instead of individually modifying configurations on each device connected to a network, WPAD locates a proxy configuration file and applies the configuration automatically.

The use of WPAD is enabled by default on all Microsoft Windows operating systems and Internet Explorer browsers. WPAD is supported but not enabled by default on Mac and Linux-based operating systems, as well as, Safari, Chrome, and Firefox browsers.

With the New gTLD program, previously undelegated gTLD strings are now being delegated for public domain name registration [3]. These strings may be used by
private or enterprise networks, and in certain circumstances, such as when a work computer is connected from a home or external network, WPAD DNS queries may be made in error to public DNS servers. Attackers may exploit such leaked WPAD queries by registering the leaked domain and setting up MitM proxy configuration files on the Internet.


Impact
Leaked WPAD queries could result in domain name collisions with internal network naming schemes. If an attacker registers a domain to answer leaked WPAD
queries and configures a valid proxy, there is potential to conduct man-in-the-middle (MitM) attacks across the Internet.

The WPAD vulnerability is significant to corporate assets such as laptops. In some cases these assets are vulnerable even while at work but observations indicate that most assets become vulnerable when used outside an internal network (e.g. home networks, public Wi-Fi networks).

Solution
US-CERT encourages users and network administrators to implement the following recommendations to provide a more secure and efficient network infrastructure:

Consider disabling automatic proxy discovery/configuration in browsers and operating systems during device setup if it will not be used for internal networks.
Consider using a fully qualified domain name (FQDN) from global DNS as the root
for enterprise and other internal namespace.
Configure internal DNS servers to respond authoritatively to internal TLD queries.
Configure firewalls and proxies to log and block outbound requests for wpad.dat
files.
Identify expected WPAD network traffic and monitor the public namespace or consider registering domains defensively to avoid future name collisions.
File a report with ICANN if your system is suffering demonstrably severe harm as a consequence of name collision by visiting https://forms.icann.org/en/help/name-collision/report-problems.
References
[1] Verisign û MitM Attack by Name Collision: Cause Analysis and Vulnerability Assessment in the New gTLD Era
[2] ICANN û Name Collision Resources & Information
[3] ICANN û New gTLDs
[4] US-CERT û Controlling Outbound DNS Access
Revision History
May 23, 2016: Initial Release

-------------------------------------------------------------------------------
-

This product is provided subject to this Notification and this Privacy & Use policy.


-------------------------------------------------------------------------------
-
A copy of this publication is available at www.us-cert.gov. If you need help or
have questions, please send an email to info@us-cert.gov. Do not reply to this message since this email was sent from a notification-only address that is not monitored. To ensure you receive future US-CERT products, please add US-CERT@ncas.us-cert.gov to your address book.
OTHER RESOURCES:
Contact Us | Security Publications | Alerts and Tips | Related Resources
STAY CONNECTED:
Sign up for email updates

SUBSCRIBER SERVICES:
Manage Preferences | Unsubscribe | Help


-------------------------------------------------------------------------------
-
This email was sent to Fido4cmech@lusfiber.net using GovDelivery, on behalf of:
United States Computer Emergency Readiness Team (US-CERT) ╖ 245 Murray Lane SW Bldg 410 ╖ Washington, DC 20598 ╖ (888) 282-0870 Powered by GovDelivery

=== Cut ===


--
Keep the faith :^)

Ben aka cMech Web: http|ftp|telnet://cmech.dynip.com
Email: fido4cmech(at)lusfiber.net
Home page: http://cmech.dynip.com/homepage/
WildCat! Board 24/7 +1-337-984-4794 any BAUD 8,N,1

--- GoldED+/W32-MSVC
* Origin: FIDONet - The Positronium Repository (1:393/68)

U.S. Department of Homeland Security US-CERT

National Cyber Awareness System:



TA16-144A: WPAD Name Collision Vulnerability
05/23/2016 07:38 AM EDT


Original release date: May 23, 2016 | Last revised: June 01, 2016

Systems Affected
Windows, OS X, Linux systems, and web browsers with WPAD enabled
Networks using unregistered or unreserved TLDs
Overview
Web Proxy Auto-Discovery (WPAD) Domain Name System (DNS) queries that are intended for resolution on private or enterprise DNS servers have been observed
reaching public DNS servers [1]. In combination with the new generic top level domain (gTLD) programÆs incorporation of previously undelegated gTLDs for public registration, leaked WPAD queries could result in domain name collisions
with internal network naming schemes [2] [3]. Opportunistic domain registrants could abuse these collisions by configuring external proxies for network traffic and enabling man-in-the-middle (MitM) attacks across the Internet.

Description
WPAD is a protocol used to ensure all systems in an organization use the same web proxy configuration. Instead of individually modifying configurations on each device connected to a network, WPAD locates a proxy configuration file and
applies the configuration automatically.

The use of WPAD is enabled by default on all Microsoft Windows operating systems and Internet Explorer browsers. WPAD is supported but not enabled by default on Mac OS X and Linux-based operating systems, as well as Safari, Chrome, and Firefox browsers.

With the New gTLD program, previously undelegated gTLD strings are now being delegated for public domain name registration [3]. These strings may be used by
private or enterprise networks, and in certain circumstances, such as when a work computer is connected from a home or external network, WPAD DNS queries may be made in error to public DNS servers. Attackers may exploit such leaked WPAD queries by registering the leaked domain and setting up MitM proxy configuration files on the Internet.

Other services (e.g., mail and internal web sites) may also perform DNS queries
and attempt to automatically connect to supposedly internal DNS names [4].

Impact
Leaked WPAD queries could result in domain name collisions with internal network naming schemes. If an attacker registers a domain to answer leaked WPAD
queries and configures a valid proxy, there is potential to conduct man-in-the-middle (MitM) attacks across the Internet.

The WPAD vulnerability is significant to corporate assets such as laptops. In some cases, these assets are vulnerable even while at work, but observations indicate that most assets become vulnerable when used outside an internal network (e.g., home networks, public Wi-Fi networks).

The impact of other types of leaked DNS queries and connection attempts varies depending on the type of service and its configuration.

Solution
US-CERT encourages users and network administrators to implement the following recommendations to provide a more secure and efficient network infrastructure:

Consider disabling automatic proxy discovery/configuration in browsers and operating systems unless those systems will only be used on internal networks. Consider using a registered and fully qualified domain name (FQDN) from global DNS as the root for enterprise and other internal namespace.
Consider using an internal TLD that is under your control and restricted from registration with the new gTLD program. Note that there is no assurance that the current list of ôReserved Namesö from the new gTLD Applicant Guidebook (AGB) will remain reserved with subsequent rounds of new gTLDs [5].
Configure internal DNS servers to respond authoritatively to internal TLD queries.
Configure firewalls and proxies to log and block outbound requests for wpad.dat
files.
Identify expected WPAD network traffic and monitor the public namespace or consider registering domains defensively to avoid future name collisions.
File a report with ICANN if your system is suffering demonstrable severe harm due to name collision by visiting https://forms.icann.org/en/help/name-collision/report-problems.
References
[1] Verisign û MitM Attack by Name Collision: Cause Analysis and Vulnerability Assessment in the New gTLD Era
[2] ICANN û Name Collision Resources & Information
[3] ICANN û New gTLDs
[4] US-CERT û Controlling Outbound DNS Access
[5] ICANN û gTLD Applicant Guidebook
Revision History
May 23, 2016: Initial Release
June 1, 2016: Added information on using TLDs restricted from registration with
the gTLD program

-------------------------------------------------------------------------------
-

This product is provided subject to this Notification and this Privacy & Use policy.


-------------------------------------------------------------------------------
-
A copy of this publication is available at www.us-cert.gov. If you need help or
have questions, please send an email to info@us-cert.gov. Do not reply to this message since this email was sent from a notification-only address that is not monitored. To ensure you receive future US-CERT products, please add US-CERT@ncas.us-cert.gov to your address book.
OTHER RESOURCES:
Contact Us | Security Publications | Alerts and Tips | Related Resources
STAY CONNECTED:
Sign up for email updates

SUBSCRIBER SERVICES:
Manage Preferences | Unsubscribe | Help


-------------------------------------------------------------------------------
-
This email was sent to Fido4cmech@lusfiber.net using GovDelivery, on behalf of:
United States Computer Emergency Readiness Team (US-CERT) ╖ 245 Murray Lane SW Bldg 410 ╖ Washington, DC 20598 ╖ (888) 282-0870 Powered by GovDelivery

=== Cut ===


--
Keep the faith :^)

Ben aka cMech Web: http|ftp|telnet://cmech.dynip.com
Email: fido4cmech(at)lusfiber.net
Home page: http://cmech.dynip.com/homepage/
WildCat! Board 24/7 +1-337-984-4794 any BAUD 8,N,1

--- GoldED+/W32-MSVC
* Origin: FIDONet - The Positronium Repository (1:393/68)