Two weeks ago, we talked about how many sites in the top 1 million domains (as judged by Alexa) were vulnerable to the Heartbleed SSL vulnerability. How do things stand today?

Figure 1. Sites vulnerable to Heartbleed as of April 22

Globally, the percentage of sites that is vulnerable to Heartbleed has fallen by two-thirds, to just under 10 percent. Only three TLDs we looked at have percentages above the global number: Brazil (.BR), China (.CN), and Russia (.RU).

The only TLD with a 100% cleanup record was the .gov domain, reserved for the use of US government sites.The Australian (.AU), British (.UK), German (.DE), and Indian (.IN) TLDs also had rates that were significantly lower than the global average.

Overall, the numbers leave room for optimism when it comes to addressing Heartbleed. Most system administrators have paid attention to the warnings and patched their servers accordingly. The question is now whether the remaining 10% of vulnerable domains will be patched sooner rather than later, or if we will be stuck with a non-trivial portion of the Internet that will be left at risk.

For users who want to test if the sites they use are at risk, a Trend Micro heartbleed detector app may be found in the Google Play store, the Google Chrome store, and the web.

 For other posts discussing the Heartbleed bug, check our previous entries:

• Bundled OpenSSL Library Also Makes Apps and Android 4.1.1 Vulnerable to Heartbleed
• Heartbleed Bug—Mobile Apps are Affected Too
• Heartbleed Vulnerability Affects 5% of Select Top Level Domains from Top 1M
• Skipping a Heartbeat: The Analysis of the Heartbleed OpenSSL Vulnerability

In trying to gauge the impact of the Heartbleed vulnerability, we proceeded to scanning the Top Level Domain (TLD) names of certain countries extracted from the top 1,000,000 domains by Alexa. We then proceeded to separate the sites which use SSL and further categorized those under “vulnerable” or “safe.” The data we were able to gather revealed some interesting findings.

As of the moment, we see an overall percentage of around 5% in terms of sites affected by CVE-2014-0160. The TLDs with the largest percentage of vulnerable sites are .KR and .JP. It’s interesting to note that sites from the .GOV TLD rank fifth on the list.

Figure 1. A breakdown of vulnerable sites per country
(Click image above to enlarge)

On the other hand, we have significantly low number of vulnerable sites under .FR and .IN TLDs. We just think of a few theories why this is so. Maybe they haven’t updated to the version of OpenSSL which was vulnerable. They could also have immediately patched vulnerable sites. Another possible reason is in these countries, relatively few servers use the most recent versions of Linux (and so use older versions of OpenSSL without this vulnerability).

We are going to rescan selected TLDs in a few days to monitor possible changes. In the meantime, we advise website administrators to update OpenSSL to protect their users.

Update as of April 10, 2014, 10:18 A.M. PDT: The title has been edited for clarity. 

For other posts discussing the Heartbleed bug, check these other posts:

• Trend Micro Heartbleed Detector Now Available
• Bundled OpenSSL Library Also Makes Apps and Android 4.1.1 Vulnerable to Heartbleed
• Heartbleed Bug—Mobile Apps are Affected Too
• Skipping a Heartbeat: The Analysis of the Heartbleed OpenSSL Vulnerability

Recently, I had pleasure to attend the ZeroNights 2012 security conference. ZeroNights 2012 is an international conference that covers the technical side of information security. The main scope of the conference is to distribute information about new attack methods, threats and defense tools.

This year’s conference took place last November 19-20 in Moscow, right in the middle of the city with both the Kremlin and the Moscow River nearby. I had some problems finding the venue as it was a bit hidden and it was rush hour, but I was (almost) on time and only missed the welcome coffee and the keynote.

The conference itself had four tracks, and I have to admit that I was lost at times due to the choices available and had to cast lots to decide which track to go for. I would like to highlight the three presentations that impressed me the most.

“No locked doors, no windows barred: hacking OpenAM infrastructure” by Andrey Petukhov, and Georgy Noseyevich

One of the main functional components of enterprise applications and Internet portals is an authentication and access control system (AuthC/Z). This presentation described a popular access control system called ForgeRock OpenAM.

During the presentation Andrey and his assistant Georg showed how it is possible to exploit Server Side Request Forgery and Local File Include vulnerabilities on the said access control system. Combining the two above vulnerabilities and an XML external entity vulnerability, they were able to read files and folders on the server side. Combining the 3 techniques, they wrote a simple fuse module to read files remotely. The fuse module cached files, and then with bash commands is easy to “ls” or “cat” or even “find” everything you need on the server side.

Read the rest of this entry »

Earlier today, we released the paper Russian Underground 101 which provides readers an overview of the Russian underground economy. The Russian underground is a key source for all sorts of illegal products and services used by criminals, which is ultimately aimed at users all over the world.

By exploring underground resources, (visiting various underground forums) we were able to determine the products and services that are most commonly traded for, as well as the prices of these goods. This provides us with a good insight into the Russian underground ecosystem, information which can be used to provide enhanced protection for Trend Micro customers.

A wide variety of goods and services are sold in the Russian underground economy. These include exploit kits (which can cost several thousand dollars for well-known, effective kits), “bullet-proof” web hosting, VPN services, and custom-created malware. Business aspects of the underground (such as the pay-per-install service model), are also included.

For full details, you can follow the following link to download the paper in full: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-russian-underground-101.pdf

On December 6 2011, a number of pro-Kremlin activists launched an attack on Twitter using bots which posted messages with a hashtag #триумфальная (Triumfalnaya). These bots posted a range of national slogans and crude language. With a rate of up to 10 messages per second, these bots succeeded in blocking the actual message feed with that hashtag.

The reason to boycott the conversations surrounding the pre-arranged #триумфалtная (Triumfalnaya) hashtag was that it had been announced as a channel for exchanging information by anti-government opposition protesters, and was also been used as a live text translation on protestor actions against the recent election results in Russia – which are taking place at Triumfalnaya Square in Moscow.

Read the rest of this entry »