gilbc DNS Bug Reveals Deep Flaws in Domain Name Lookups

gilbc DNS Bug Reveals Deep Flaws in Domain Name Lookups

Google has recently unveiled the “glibc DNS bug” (CVE-2015-7547), or a buffer overflow in the Gnu C library’s DNS client. glibc is an ancient bug with traces known as early as 2008 that is widespread in its points of contact with software. This affects a universally used library (glibc) at a universally used protocol (DNS). It can be potentially triggered by tricking a remote computer into looking up a domain name, which have the bug potentially have full control over another computer.

A function known as getaddrinfo() that performs domain-name lookups contains a buffer overflow bug that allows attackers to remotely execute malicious code. The vulnerability relies on an oversized (2048+ bytes) UDP or TCP response, which is followed by another response that will overwrite the stack  It can be exploited when vulnerable devices or apps make queries to attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack where the attacker has the ability to secretly monitor and manipulate data passing between a vulnerable device and the open Internet.

All versions of glibc after 2.9 are vulnerable. The open source library maintaining glibc released an update that patches the vulnerability, and Google reported that up to three separate groups have been working on fixing the vulnerability upon its discovery. However, the gilbc DNS bug implies potential magnitude of damage, seeing how glibc maintainers allowed the bug in their code, it took seven years for the bug to be discovered, and unfixed for seven months following its report.

Average Cost of Cybercrime Up 200% in Just Five Years

A report by Hamilton Place Strategies claims that cybercrime is costing the global economy up to $450 billion annually. The document finds that the median cost of cybercrime has actually increased by approximately 200% in the last five years alone, and that trend is very much likely to continue growing. The argument is that since 2005, 828 million online records have been stolen or the equivalent of every U.S. person having 3 records stolen along with the added cost comes from companies such as Target’s 2013 data breach has caused reputational damage. Thereafter, because of a “ricochet” effect of companies becoming targets of mass data breaches, sharing an industry with a victim of cybercrime can have a detrimental effect on a business.

The report also reveals that if cybercrime is acknowledged as a legitimate “enterprise” industry, it would be the second only behind Apple and ahead of Exxon Mobil and Microsoft. And if cybercrime were considered an economy, it would rank the 23rd largest ahead of countries such as Austria.

AirDroid Patches Vulnerability Exposing Android

A critical vulnerability impacting 50 million Android users running the popular AirDroid application has been patched on January 29th. AirDroid is a free app that allows you link an Android device to a computer and send SMS messages, run apps, manage files, contacts, photos, videos. WhatsApp/Line/WeChat messages, etc. via a Wi-Fi connected web browser. Checkpoint researchers revealed that the vulnerability from the app enables the attackers to execute code on the device in order to steal data and send it back to their servers.

The vulnerability (CVE-2015-8112) that allows attackers to execute malicious code during an AirDroid session. The attacker only requires the phone number associated with the targeted account. Once the phone number is obtained, the attacker shares a contact card (vCard) with the target user from any messaging service service. Once the user receives a text message from that new contact, the malicious code (located at is loaded and executed inside the AirDroid web page, allowing the attacker to steal all of the user’s data and take complete control over a user’s Android device by achieving a valid session token to use the AirDroid API.

Locky Ransomware Attacks Like Dridex

A brand new malware dubbed .locky has borrowed the technique from the successful Dridex banking malware to emerge as one of the highly successful malware families, targeting victims through encryption-based extortion. Locky ransomware can infect Windows machines and also spread to other platforms like Linux and OS X via network connections.

Locky focuses primarily emailing massive phishing campaigns with Microsoft Word document attachments (Troj/DocDl-BCF) and the message “Please see the attached invoice (Microsoft Word Document) and remit payment according to the terms listed at the bottom of the invoice.” Once the victim opens the Word .doc, the document advises the user to enable macros if the text is unreadable. Afterwards, the saved file (Troj/Ransom-CGX) serves as a downloader, and the embedded code will execute the Locky malware payload from the attackers.

Once Locky is in the victim’s system, it scrambles any files that match a long list of extensions from any directory that it can access, including removable drives that are plugged in at the time, or network shares that are accessible, including servers and other people’s computers. The obtained files are encrypted with with RSA-2048 and AES-128 ciphers and renames them as [hash].locky with the attacker holding the decryption key. Victims are then instructed to a Locky payment portal in the dark web via Tor network and must pay the ransom fee of BTC 0.5 to BTC 1.00 (or $218 – $427 USD) in order to retrieve their files.

Android GM Bot Source Code Linked

IBM X-Force threat intelligence researchers have discovered that the source code belonging to the popular GM Bot malware for Android devices has been leaked online in an underground forum December 2015. The source code not only means attackers have access to this code without paying any types of purchase or subscription fees, but the code also came with a tutorial and server-side instruction manual.

The post author behind the malware has the archive file containing the source code and its control panel password protected and only offers the password to forum members who have previous experience with banking Trojans or Trojan-facilitated online banking fraud. GM Bot will be freely available for potential attackers to create new variants and use the leaked sources to build, sell, or deploy for fraud scenarios.

GM Bot is a type of Android trojan that has emerged in late 2014 in the underground Russian market. A recent version, also called MazarBOT, has the capability to display phishing pages as fake overlay screens on the top of mobile banking applications in an effort to trick Android users into handing over their credit card information. Also, the trojan is also capable of forwarding phone calls and intercepting SMS messages to help attackers forgo an additional layer of bank security mechanisms, and locking a device’s screen.

Scroll to Top