Volunteer Project Takes Down 100,000 Malware Distribution Sites

A community of volunteer researchers has managed to take down around 100,000 malware distribution websites over the past 10 months as part of a new URL blacklisting project.

The initiative, called URLhaus, was launched last March by abuse.ch, a non-profit organization based in Switzerland that has made a name for itself in the security industry and law enforcement for helping track down command-and-control servers for botnets, ransomware and other malware threats.

Since it was launched, 265 security researchers from around the world have identified and submitted 300 malware sites to URLhaus per day, on average. The project provides an API through which companies or anyone interested can access the dataset and use it to protect their networks.

“Together with the community, URLhaus also managed to get the attention of many hosting providers, helping them to identify and re-mediate (sic) compromised websites hosted in their network,” the project maintainer and abuse.ch creator said in a blog post. “This is not an easy task, especially for large hosting providers that have tens of thousands of customers and hence a significant amount hijacked websites in their network that are getting abused by cybercriminals to distribute malware.”

URLhaus tracks between 4,000 and 5,000 active malware distribution sites on a daily basis and, despite the takedown efforts, they remain active for more than eight days on average. That’s more than enough time for attackers to infect thousands of victims.

Abuse response times vary widely between hosting service providers, from less than a day for some to more than a month for others, including the top three networks hosting malware sites in China.

The trojan program Emotet, also known as Heodo, which is distributed through spam emails that direct users to malicious office documents hosted on compromised sites, has been the threat most frequently observed by URLhaus. It accounts for more than 15,000 of the 380,000 malware samples collected by the project from malicious URLs over the past 10 months.

“There is still a long way to go with regards to response time of abuse desks,” the URLhaus creator said. “An average reaction time of more than a week is just too much and proves bad internet hygiene. I do also hope that the Chinese hosting providers wake up and start taking care about the abuse problems in their networks in time. Having malware distribution sites staying active for over a month is just not acceptable.”

APT Package Manager Flaw Exposes Linux Systems to Attacks

A vulnerability in the widely used APT package manager exposes Linux systems to rogue package installations and complete compromise.

APT is the default package manager in Ubuntu and Debian, as well as many other Linux distributions based on them. It is used to install applications and package updates served from the official repositories, including for the operating system itself.

APT commands are executed with full administrative privileges, and the package installers are also executed as root, the administrator account on Linux systems.

The new vulnerability, tracked as CVE-2019-3462, was discovered by researcher Max Justicz and is located in the APT code that handles HTTP redirects. It allows an attacker who can intercept a connection to a package repository to inject malicious content in APT’s HTTP connection. That content can be crafted in a way that will cause APT to treat it as a package installer and execute it.

This vulnerability can lead to remote code execution as root, and since it’s located in one of the core packages of the operating system, the Ubuntu maintainers have flagged it as critical.

One mitigating factor is that, to exploit it, attackers need a man-in-the-middle position on the network, for example by controlling a router or a Wi-Fi access point through which a Linux machine accesses the internet. The attack can also be executed from a malicious or compromised repository, if the attacker convinces the victim to add that repository on their machine.

The vulnerability affects all APT versions starting with 0.8.15 and was fixed in version 1.4.9 for the Debian Stable (Stretch) release. Since the flaw is in the software updater itself and fixing it requires updating the software, the Debian maintainers recommend that users manually perform the APT upgrade after disabling HTTP redirects with these commands:

apt -o Acquire::http::AllowRedirect=false update
apt -o Acquire::http::AllowRedirect=false upgrade

This should only be done once, to upgrade APT, because the HTTP redirect feature is important and shouldn’t be disabled.

Package repositories for Debian and most Linux distributions are mirrored on servers around the world that are hosted by various sponsors, including universities and other organizations. Users get the option to choose a mirror that is closer to them, but these servers are sometimes replaced, and the HTTP redirect feature allows a retired server to redirect querying users to a newer mirror.

If the APT update and upgrade commands fail with HTTP redirects disabled, the Debian maintainers advise users to add this repository line to their APT configuration:

deb http://cdn-fastly.deb.debian.org/debian-security stable/updates main
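As an added example (not from the article or from Debian), the following script checks whether the installed APT version falls in the range the article gives (0.8.15 up to, but not including, the 1.4.9 fix for Debian Stretch) and, only when invoked with --apply, runs the one-time update and upgrade with HTTP redirects disabled for that run alone. The FIXED_VERSION cut-off is the Stretch value stated above; other distributions ship different fixed versions, and the fallback numeric comparison is an assumption used only where dpkg is unavailable.

```shell
#!/bin/sh
# Added example, not the article's or Debian's own tooling.
FIRST_AFFECTED="0.8.15"   # first affected version per the article
FIXED_VERSION="1.4.9"     # fixed version for Debian Stretch per the article

# Compare two versions and print -1, 0 or 1. Uses dpkg's exact Debian
# ordering when present; otherwise a numeric dotted comparison (assumption)
# that ignores any suffix from the first non-digit, non-dot character on.
vercmp() {
    if command -v dpkg >/dev/null 2>&1; then
        if dpkg --compare-versions "$1" lt "$2"; then printf '%s\n' -1
        elif dpkg --compare-versions "$1" gt "$2"; then printf '%s\n' 1
        else printf '%s\n' 0; fi
        return
    fi
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*$//')
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ "$a" = "$ai" ] && a= || a=${a#*.}
        [ "$b" = "$bi" ] && b= || b=${b#*.}
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# True (exit 0) when the given version is >= FIRST_AFFECTED and < FIXED_VERSION.
apt_is_affected() {
    [ "$(vercmp "$1" "$FIRST_AFFECTED")" -ge 0 ] &&
    [ "$(vercmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# The one-time upgrade recommended by the Debian maintainers: redirects are
# disabled on the command line for these two runs only, never in apt.conf.
apply_fix() {
    apt -o Acquire::http::AllowRedirect=false update &&
    apt -o Acquire::http::AllowRedirect=false upgrade
}

# Only touch the system when explicitly asked; the functions above are safe
# to source and call on their own.
if [ "${1:-}" = "--apply" ]; then
    installed=$(dpkg-query -W -f='${Version}' apt)
    if apt_is_affected "$installed"; then apply_fix
    else echo "apt $installed is outside the affected range; nothing to do"; fi
fi
```

If the update step fails with redirects disabled, add the fallback repository line from the article before re-running, rather than re-enabling redirects with the vulnerable APT still installed.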

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
