
Have I understood this hack, where are the vulnerabilities and how to detect ?


#1 palerider2

Posted 05 September 2014 - 01:57 AM

Here is the latest hack that was performed on my PC that holds nothing of any value and I don't have any online banking. Oh, and I'm not a celebrity :)

My Win7 Starter PC always runs the browser in a sandbox. My PC has no update programs making connections from outside of the sandbox and it doesn't run SandboxieBITS.exe or SandboxieCrypto.exe.

I also restrict my connections to HTTPS by blocking HTTP traffic in the software firewall. This week I experimented a little and allowed svchost to use HTTP and I also opened up a small number of CAs on port 80.

But before I relaxed HTTP I witnessed a hack being done which I didn't think was possible. The site that I connected to using HTTPS had been hacked already by the hacker and he was pretty certain that I would connect to it. This is because it's one of the few proxy servers that I connect to.

When I connect to, for example BC, I use that server. And there are a few other sites that I use which only accept HTTP.

So when I connected to the proxy server, the hacker took control of the connection and used that to communicate with the browser (which was running in the sandbox). This has almost the same effect as performing MiTM on an SSL/TLS connection but it's easier to do if you can hack the victim's preferred web sites beforehand.

What appeared to happen next was that the hacker managed to execute code on my PC. No alarms were raised. On one occasion the hacker managed to break out of the sandbox and disable the anti-virus, whilst I was watching. In fact he did that twice - the first time wasn't quite as neat and an error message was raised by the application.

This raises many questions:
i) Am I right to think that the browser has a 0-day vulnerability ?
For info: I upgraded to a beta version of Chrome and one of these hacks happened after that. My MS updates are a little behind, currently sitting at end of May 2014, but that will change soon and I'll be almost bang up to date.
ii) How did the hacker break out of the sandbox ? Ans. It was not up to date, but it is now. It might be secure now but I'm not certain yet.
iii) Why didn't sandboxie notice new files appearing inside the sandbox and offer to recover them ?
iv) If something was executed, why didn't Comodo Defence+ pick that up ? Or was it being executed under the auspices of chrome ?
v) what can I do to detect any of this ?
vi) What evidence can I gather that would help google understand what this vulnerability is (assuming it's not because the MS patches are behind times at the moment) ?

I'm wondering if Sysmon is something that will help with the detection.

The proxy server isn't the only web site that's been attacked. The CDN servers of one of my ISPs were hacked earlier this week and used to launch an attack on my PC over HTTPS.

It's strange witnessing all this, given my total unimportance.

Edit: it's plausible that the MS updates being behind allowed the hacker to elevate his privilege when the A/V was disabled. So getting up to date would help with that. I now do MS updates offline so that there's no HTTP outside the sandbox.

Edit2: I also noticed chrome connecting to my NAT router on port 53. That must have been part of the hacking. I now use the software firewall to keep the router out-of-bounds for chrome.

Edited by palerider2, 05 September 2014 - 02:07 AM.
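The "HTTPS only, with a few CAs allowed on port 80" setup the post describes, written out as an added example against the built-in Windows 7 firewall (netsh advfirewall) rather than the poster's Comodo configuration; this is not the poster's own rule set. The CA addresses are placeholders from the documentation range and the svchost/dnscache rule is an assumption about which process the poster meant by "svchost".

```cmd
:: Added example, not the poster's configuration. Run from an elevated cmd prompt.
:: Assumes the built-in Windows 7 firewall; CA addresses below are placeholders.

:: 1. Default-deny outbound. On Windows Firewall a block rule always beats an
::    allow rule, so "block port 80, then allow a few hosts" does NOT work;
::    the allow list only works when the default outbound action is block.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

:: 2. HTTPS is allowed everywhere (the poster's normal browsing path).
netsh advfirewall firewall add rule name="Allow HTTPS out" dir=out action=allow protocol=TCP remoteport=443 enable=yes

:: 3. DNS only from the DNS Client service hosted in svchost, not from the browser
::    (this is the "keep the router out-of-bounds for chrome" rule from Edit2).
netsh advfirewall firewall add rule name="Allow DNS out (dnscache)" dir=out action=allow protocol=UDP remoteport=53 program="C:\Windows\System32\svchost.exe" service=dnscache enable=yes

:: 4. Plain HTTP only to the CA hosts needed for OCSP/CRL fetches.
::    198.51.100.10/11 are placeholders; substitute the CA's published responder addresses.
netsh advfirewall firewall add rule name="Allow OCSP/CRL to CA" dir=out action=allow protocol=TCP remoteport=80 remoteip=198.51.100.10,198.51.100.11 enable=yes

:: 5. Review what is now in force.
netsh advfirewall firewall show rule name=all dir=out
```

Two caveats a practitioner would want: default-deny outbound also stops DHCP renewals, NTP and Windows Update unless each is allowed explicitly (the poster's "I now do MS updates offline" is that trade-off made by hand), and OCSP/CRL responders usually sit behind CDNs whose addresses change, so an IP-based allow list like rule 4 goes stale and then silently breaks revocation checking.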



#2 palerider2

Posted 06 September 2014 - 04:35 AM

OK, let's try this ...

Has anyone else had cause to report a security breach to Google (or similar) and what kind of supporting information are they looking for ?

What support can people seek for a case of hacking such as the one described ? In this case I don't have an IP address to report. I already use TCPview and it's excellent at what it does.

I look for more ideas from the knowledgeable ....

Edited by palerider2, 06 September 2014 - 04:35 AM.
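Post #1 asks what could detect any of this and whether Sysmon would help, and post #2 mentions TCPview. TCPview shows live connections only; Sysmon records process creation (Event ID 1, with Image/ParentImage/CommandLine) and network connections (Event ID 3, with Image/DestinationIp/DestinationPort) persistently, which is what you need to answer "did the browser spawn something, and did it talk to the router on port 53?" after the fact. The triage below is an added example, not code from the thread; it assumes the Sysmon events have already been flattened to JSON lines (e.g. exported from the Microsoft-Windows-Sysmon/Operational channel), the sample events are constructed, and 192.168.1.1 is an assumed router address.

```python
"""Triage Sysmon-style events for the symptoms described in the thread.

Added example, not from the original post. Input is assumed to be Sysmon
events flattened to JSON lines; SAMPLE_EVENTS is constructed, not a capture.
Field names follow Sysmon's schema for Event ID 1 (ProcessCreate) and
Event ID 3 (NetworkConnect).
"""
import json
import ntpath
import re
from typing import Dict, List, Tuple

BROWSER = "chrome.exe"
ROUTER_IP = "192.168.1.1"  # assumption: the NAT router's LAN address

# Command lines that stop or kill something, or reconfigure the firewall:
# the kind of thing an attacker runs to switch off AV after a sandbox escape.
TAMPER = re.compile(r"\b(?:sc|net)\s+stop\b|\btaskkill\b|\bnetsh\s+advfirewall\b", re.I)

# Constructed sample (JSON lines). Backslashes are doubled for JSON.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "CommandLine": "chrome.exe --type=renderer"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "CommandLine": "cmd.exe /c sc stop avsvc"}
{"EventID": 3, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationIp": "192.168.1.1", "DestinationPort": 53}
{"EventID": 3, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationIp": "93.184.216.34", "DestinationPort": 443}
{"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe", "DestinationIp": "192.168.1.1", "DestinationPort": 53}
"""

Finding = Tuple[str, str, str]  # (rule, image basename, detail)


def parse_events(text: str) -> List[Dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path: str) -> str:
    """Windows-style basename, lower-cased, regardless of host OS."""
    return ntpath.basename(path).lower()


def triage(events: List[Dict]) -> List[Finding]:
    """Apply three rules and return every hit, in event order."""
    findings: List[Finding] = []
    for ev in events:
        eid = ev.get("EventID")
        image = basename(ev.get("Image", ""))
        if eid == 1:
            parent = basename(ev.get("ParentImage", ""))
            cmd = ev.get("CommandLine", "")
            # Rule 1: the browser spawned something that is not one of its own
            # renderer/GPU/utility children (those are chrome.exe as well).
            if parent == BROWSER and image != BROWSER:
                findings.append(("browser_child", image, cmd))
            # Rule 2: service-stop / process-kill / firewall-change commands.
            if TAMPER.search(cmd):
                findings.append(("service_tamper", image, cmd))
        elif eid == 3:
            dst = ev.get("DestinationIp", "")
            port = int(ev.get("DestinationPort", 0))
            # Rule 3: the browser itself talking DNS (port 53), which the poster
            # saw going to the router. svchost doing the same is normal.
            if image == BROWSER and port == 53:
                findings.append(("browser_dns", image, f"{dst}:{port}"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count hits per rule, for a quick read of a large export."""
    counts: Dict[str, int] = {}
    for rule, _, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(parse_events(SAMPLE_EVENTS))
    for rule, image, detail in hits:
        print(f"{rule:15} {image:12} {detail}")
    print(summarize(hits))
```

On the sample this flags cmd.exe under chrome.exe (twice: as a browser child and for the `sc stop`), and chrome.exe's port 53 connection to the router, while ignoring the renderer child and svchost's own DNS. Treat rule 3 as an indicator rather than proof: Chrome ships its own asynchronous DNS client, so a browser sending port 53 traffic can be benign; rule 1 is the strong signal, because a renderer that has escaped its sandbox and wants to act on the machine has to start something.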


#3 palerider2


Posted 07 September 2014 - 06:05 PM

One element of the attack that I described might seem unlikely - the use of third-parties to assist in the attack on one target PC. However, not so.

"Compromised sites are the threat that people are most likely to encounter, Wang said"

"Infected websites have been the single biggest threat over the past six months, and the threat vectors that have seen the most growth are Web 2.0 and social networking technologies, according to the report, which was released Wednesday by security firm Sophos."
(noting that this was written 5 years ago!)

"Approximately 23,500 infected webpages are discovered every day; that's a new one every 3.6 seconds, according to Sophos'"

It's all over the place.

And since I've gone to some lengths to eliminate both common and uncommon forms of attack (e.g. MiTM via HTTP) it's not really a surprise that a determined hacker would resort to the most recently observed tactics.

But the questions raised in the first post remain. What do people think ?

Incidentally, this is the source of the quotes:
http://www.scmagazine.com/every-36-seconds-a-website-is-infected/article/140414/
Thanks quietman for that :)

Edited by palerider2, 07 September 2014 - 06:06 PM.


#4 palerider2


Posted 11 September 2014 - 02:10 PM

I updated my internet-facing PC with the missing updates and took the opportunity to examine each one, just to see if the vulnerabilities that I'm looking for were there.

I examined 15 updates, from memory, but here are two which could be relevant:

https://technet.microsoft.com/en-us/library/security/ms14-036.aspx
"This security update resolves two privately reported vulnerabilities in Microsoft Windows, Microsoft Office, and Microsoft Lync. The vulnerabilities could allow remote code execution if a user opens a specially crafted file or webpage. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This security update is rated Critical for all supported editions of Windows..."

https://technet.microsoft.com/en-us/library/security/ms14-041.aspx
"This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker first exploits another vulnerability in a low integrity process and then uses this vulnerability to execute specially crafted code in the context of the logged on user. ... This security update is rated Important for all supported editions of Windows..."

Regarding 036, that looks like a smokin' gun to me. I *was* being attacked through hacked web sites.

What do you guys think though ?

Edited by palerider2, 11 September 2014 - 02:32 PM.
