John Young at Cryptome.org is reporting that its hosting provider decided to terminate their relationship on the basis of violating their Acceptable Use Policy :
"This notice of termination is surprising for Verio has been consistently supportive of freedom of information against those who wish to suppress it. Since 1999 Cryptome has received a number of e-mailed notices from Verio's legal department in response to complaints from a variety of parties, ranging from British intelligence to alleged copyright holders to persons angry that their vices have been exposed (see below). In every case Verio has heretofore accepted Cryptome's explanation for publishing material, and in some cases removal of the material, and service has continued. In this latest instance there was no notice received from Verio describing the violation of acceptable use to justify termination of service prior to receipt of the certified letter, thus no opportunity to understand or respond to the basis for termination."
Guess who'll be the first echo-cursing in an unnamed CavePlex? That'll be Osama Bin Laden feeling sorry for not making copies of key documents on how the U.S Coast Guard is vulnerable to TEMPEST attacks. Cutting out the sarcasm, Cryptome is an OSINT heaven, no doubt about it, but it's also an initiative debunking the entire concept that secrecy actually results in improved and sustained security on an international level.
The data collected at Cryptome would never be destroyed, mainly because it's all digital, it's all distributable, and it simply wants to be free. Thought of the day - The man who brought fire to the world got burned at the stake.
Monday, April 30, 2007
Originally introduced at this year's Blackhat con in Amsterdam, the Vbootkit is a kit showcasing the execution of unsigned code on Windows Vista. Recently, the researchers released two videos demonstrating the attack that are worth watching. Here's the authors' research itself. Answering the mythical question on which is the most secure OS, direct the reply in a "which is the most securely configured one" manner, and you'll break through the technology solution myopia and hopefully enter the security risk management stage. A secure OS from what? Nothing's unhackable, the unhackable just takes a little while -- where the invisible incentivising in the desired direction is the shortcut.
Blackhat SEO's been actively abused by spammers, phishers and malware authors, each of them contributing to the efficiency of the underground ecosystem. Comments spam, splogs, coming up with ways to get a backlink from a .EDU domain, the arsenal of tools to abuse traffic acquisition techniques has a new addition - paid keyword advertising directly leading to sites hosting exploit code :
"Those keywords put the criminals' sponsored links at the top of the page when searches were run for brand name sites like the Better Business Bureau or Cars.com, using phrases such as "betterbusinessbureau" or "modern cars airbags required." But when users clicked on the ad link, they were momentarily diverted to smarttrack.org, a malicious site that used an exploit against the Microsoft Data Access Components (MDAC) function in Windows to plant a back door and a "post-logger" on the PC."
Here's another interesting subdomain that was using JPG images to "break the .exe extension ice" and redirect to anything malicious - pagead2.googlesyndication.com.mmhk.cn
What's the most cost-effective approach, yet the most effective one as well when it comes to that sort of scheme? On a quarterly basis, a "for-the-masses" zero day vulnerability becomes reality. The fastest exploitation of the "window of opportunity" until a patch is released and applied, is abused by embedding the exploit into high traffic web sites, or even more interesting, exploiting a vulnerability in a major Web 2.0 portal to further spread the first zero day. Therefore, access to top web properties is a necessity, and much more cost effective compared to using AdSense. I wouldn't be surprised to find out that hiring a SEO expert to reposition the malicious sites is also happening at the time of blogging. Some details at McAfee's blog.
Despite the amateurs using purchased keywords as an infection vector, at another malicious URL _s.gcuj.com we have a decent example of a timely exploitation with _s.gcuj.com/t.js and _s.gcuj.com/1.htm using Microsoft's ANI cursor vulnerability to install online games related trojans - _t.gcuj.com/0.exe_. The series of malicious URLs are mostly advertised or directly injected into Chinese web forums, guestbooks etc. Here are some that are still active, the majority of AVs thankfully detect them already :
The key point when it comes to such attackers is that the focus shouldn't be on current trends, but rather on emerging ones, and those have to do with anything but malicious parties continuing to use AdSense to direct traffic to their sites in the long term. Watch a video related to the attacks, courtesy of Exploit Prevention Labs.
Thursday, April 26, 2007
Insightful comment on how asymmetric warfare and abusing the most versatile communication medium is something conventional weaponry cannot and should not aim to fight :
"Terrorists use a flat, open network of communications and pass their information mainly through the Internet, Lute said as he briefed the group at the Pentagon. These are aspects that defy U.S. military capability. “We buy airplanes, ships and tanks and recruit and train soldiers to deal with the geographics of a tangible target,” he said. “We can bomb training camps, and we can hunt down the enemy, but we can’t bomb the Internet.” By using a nodal network to spread their extremist ideologies, Lute said, terrorists are able to easily recruit members, acquire weapons, build leaders and receive financial backing."
A short excerpt from a previous post :
"A terrorists' training camp is considered a military target since it provides them the playground to develop their abilities. Sooner or later, it will feel the heat and disappear from the face of the Earth, they know it, but don't care mainly because they've already produced and are distributing Spetsnaz type of video training sessions. So abusing information or the information medium itself is much more powerful from their perspective than destroying their means for communication, spread propaganda, and obviously recruit."
Reminds me of a great cartoon where soldiers are in the middle of a network centric warfare situation, all the equipment on the field is in smoke or doesn't work, and soldiers beg the generals for more "shock and awe" action and less ELINT attacks. Which, of course, doesn't mean known adversary locations shouldn't get erased from the face of the Earth. Post strike imagery courtesy of FAS, here's the rest of the collection.
In a previous post I discussed various physical security threats thought to be outdated, such as leaving behind malware-ready CDs and DVDs and taking advantage of the auto loading feature most people conveniently have turned on by default. It seems that purposely leaving behind pre-infected removable media, in the hope that someone will pick it up and act as a trojan horse themselves, still remains rather common. Unless your organization has taken the necessary removable media precautions, a story on USB sticks with malware should raise your awareness on an attacker's dedication to succeed :
"Malware purveyors deliberately left USB sticks loaded with a Trojan in a London car park in a bid to trick users into getting infected. The attack was designed to propagate Trojan banking software that swiped users' login credentials from compromised machines. Check Point regional director Nick Lowe mentioned the ruse during a presentation at the Infosec trade show on Tuesday, but declined to go into further details, citing the need for confidentiality to protect an investigation he's involved in."
From an attacker's perspective that's an investment given USB sticks are left in parking lots around major banks, and finding a 1GB USB stick lying around would make someone's day for sure. Despite that in this case it's a banking trojan we're talking about, on a more advanced level, corporate espionage could be the main aim through the exploitation of various techniques.
Targeted attacks and zero day malware have always been rubbing shoulders, and it's not just a fad despite that everyone's remembering the wide-scale malware outbreaks attacking everything and everyone from the last couple of years. But the days of segmenting targeted attacks per country, city, WiFi/Bluetooth spot coverage are only emerging.
The idea of profitably serving a demand for a service however, is prompting detective agencies to adapt to today's standards for surveillance and snooping in the form of using malware to obtain the necessary information. And despite that commercially obtainable surveillance tools are cheaply available to everyone interested and taking the risk of using them, customers obviously prefer to leave it to the "pros". Here's a story of an "adaptive" detective agency using targeted emails with malware to spy :
"The jury of five women and seven men heard how the agency used "Trojan" computer viruses, which were hidden inside emails and attacked computers when opened, allegedly created by American-based IT specialist Marc Caron. Hi-tech devices used to bug phones were installed by interception specialist Michael Hall, the court was told. Prosecutors said a number of them were fitted to BT's telegraph poles and inside junction boxes, but BT eventually hid a camera in one of the boxes and caught him at work."
Here're more details on the targeted attack :
"Mrs Mellon opened it because it "purported to show what her husband was up to", said Ms Moore. It is alleged the agency hacked into emails to snoop on Tamara Mellon. The Trojan then recorded "every keystroke that was made", she said, including such things as bank account numbers and passwords. "They didn't take any money. They didn't steal anything, but from time to time they had a little snoop on behalf of their clients," Ms Moore said."
I imagine a questionnaire from such a detective agency in the form of the following :
- The victim's IT literacy from 0 to 5?
- Are they aware of the concept of anti virus and a firewall?
- List us all their contact points in the form of IM and email accounts
- Are they mobile workers taking advantage of near-office WiFi spots?
You get the point. Hopefully, such services wouldn't turn into a commodity, or even if they do, I'm sure they'll somehow figure out a way to legally forward the responsibility to the party that initiated the request.
HP Spying on Board of Directors' Phone Records
HP's Surveillance Methods
Mark Hurd on HP's Surveillance and Disinformation
Wednesday, April 25, 2007
The Webmoner is a malware family that's been targeting the WebMoney service for the last couple of years, a service which is mostly used in Russia by both legitimate and malicious parties -- three out of five transfers by malicious parties use WebMoney and the other two use Yandex. What's interesting about this trojan, or we can perhaps even define it as a module given its 2kb packed size and compatibility with popular malware C&C platforms in respect to stats, is that it doesn't log the accounting details of Web Money customers. Instead, the attacker is feeding the trojan with up to four of his Web Purses, so that at a later stage when the infected party is initiating a transfer, the malware will hijack the process, intercept the payments and direct them to the attacker's web money accounts. See how various AVs are performing when detecting a sample of it.
The disturbing part is a recently made public builder, the type of DIY a.k.a the revenge of the script kiddies with a push of a button malware generation with a built in fsg packing to further obfuscate it and have it reach the 1.5kb size. See attached screenshot. This attack puts the service in an awkward situation, as the transfers are actually hijacked on the fly, and the responsibility is forwarded to the infected party, compared to a situation where the details have been keylogged and transfers made with stolen IDs. How have things evolved from 2001 until 2007? Keylogging may seem logical but is the worst enemy of efficiency compared to techniques that automatically collect, hijack and intercept the desired accounting data. The screen capturing banking trojan Hispasec came across is a good example presenting the trade off here. The irony? The author of the builder is anticipating malware on demand requests and charging 10 WMZ in virtual money for undetected pieces of the malware.
There's an ongoing debate on the usefulness and lack of such of popular anti virus software. In January 2007, the Yankee Group released a 4-page report starting at $599 -- try a 26-page free alternative released in January 2006 debunking lots of myths -- entitled "Anti-Virus is Dead: Long Live Anti-Malware" in an effort to not only generate lazy revenues on their insights, but to emphasize the false feeling of security many AVs provide you with. As a consultant you often get the plain simple question on which is the best anti virus out there, to which you either reply based on lead generation relationship with vendors, or do them a favour and answer the question with a question - the best anti virus in respect to what? Detecting rootkits? Removing detected malware and restoring the infected files to their previous condition? Log event management compatibility with existing security events management software? Fastest response times to major outbreaks? -- psst zero day malware ruins the effect here. Or which anti virus solution has the largest dataset for detecting known malware? Anti virus is just a part of your overall security strategy, and given the anti virus market is perhaps the one with the highest liquidity, thus most $ still go to perimeter defense solutions, too many expectations and lack of understanding of the threatscape mean customer dissatisfaction which shouldn't always be the case. If anti virus software the way we use it today is dead, then John Doe from the U.S or Ivan Ivanov from Russia would still be 31337-ing the world, the Sub7 world I mean.
Some AVs however perform better than others on given tasks. The recently released AV comparatives speak for themselves. If you're going to use an anti virus software, use one from a company whose core competency lies in anti virus software, and not from a company that entered the space through acquisition during the last couple of years, or from one where anti virus is just part of huge solutions portfolio. Boutique anti virus vendors logically outperform the market leaders -- exactly the type of advice I've been giving out for quite a while.
Related posts :
Security Threats to Consider when Doing E-banking
No Anti-Virus, No E-banking for You
The Underground Economy's Supply of Goods
Previous "virtual shots" :
Shots from the Malicious Wild West - Sample Six
Shots from the Malicious Wild West - Sample Five
Shots from the Malicious Wild West - Sample Four
Shots from the Malicious Wild West - Sample Three
Shots from the Malicious Wild West - Sample Two
Shots from the Malicious Wild West - Sample One
Posted by Dancho Danchev at Wednesday, April 25, 2007
Monday, April 23, 2007
Open source intelligence gathering techniques from a government sponsored cyber espionage perspective have been an active doctrine for years, and that's thanks to niching approaches given the huge botnet infected network -- government and military ones on an international scale as well. And yes, targeted attacks as well. It's a public secret that botnet masters are able to geolocate IPs through commercially obtainable databases reaching levels of superior quality. Have you ever thought what would happen if access to botnet on demand request is initiated, but only to a botnet that includes military and government infected PCs only? Here's a related story :
"The misuse of US military networks by spammers and other pond life is infrequently reported, but goes back some years. In August 2004, we reported how blog comment spams promoting illegal porn sites were sent through compromised machines associated with unclassified US military networks. Spam advertising "incest, rape and animal sex" pornography was posted on a web log which was set up to discuss the ID Cards Bill via an open proxy at the gateway of an unclassified military network."
From an OSINT perspective, part by part a bigger picture emerges from the tiny pieces of the puzzle, and despite that these would definitely be unclassified, a clerk's email today may turn into a major violation of OPSEC tomorrow. Moreover, the security through obscurity approach of different military networks might get a little bit shaken up due to the exposure of the infrastructure in a passive mode from the attacker's perspective.
In the wake of yet another targeted attack on U.S government networks in the form of zero-day vulnerabilities in Word documents neatly emailed to the associated parties, it's worth discussing the commitment shown in the form of the Word zero day, and the attached congressional speech related to Asian diplomacy sent to Asian departments :
"The mysterious State Department e-mail appeared to be legitimate and included a Microsoft Word document with material from a congressional speech related to Asian diplomacy, Reid said. By opening the document, the employee activated hidden software commands establishing what Reid described as backdoor communications with the hackers. The technique exploited a previously unknown design flaw in Microsoft's Office software, Reid said. State Department officials worked with the Homeland Security Department and even the FBI to urge Microsoft to develop quickly a protective software patch, but the company did not offer the patch until Aug. 8 — roughly eight weeks after the break-in."
The life of this zero day vulnerability started much earlier than anyone had predicted, and obviously specific emails of various departments are known, are harvested or obtained through the already infected with malware PCs - pretty much everything for a successful targeted attack seems to be in place right? But what makes me wonder is where are the attacking emails originating from, an infected ADSL user somewhere around the world whose spoofed .gov or .mil email somehow made it through and didn't get detected as spam, or from an already infected .gov or .mil host where the attackers took advantage of its IP reputation?
In the majority of news articles or comments I come across, reporters often make the rather simplistic connection with China's emerging cyber warfare capabilities -- a little bit of Sun Tzu as a school of thought and mostly rephrasing U.S studies -- whenever an attacking email, or attack is originating from China's netblocks. Perhaps part two of my previous post "from the unpragmatic department" sparked debate on physically bombing the sources of the attacks, just to make sure I guess. Engineering cyber warfare tensions nowadays, providing that China's competing with the U.S for the winning place on botnet and spam statistics for the last several years speaks for itself -- the U.S will find itself bombing U.S ISPs and China will find itself bombing Chinese ISPs. So the question is - why establish an offensive cyber warfare doctrine when you can simply install a type of Lycos Spam Fighting screensaver on every military and government computer and have it periodically update its hitlists?
Black humour is crucial if you don't want to lose your real sense of humour, and thankfully, for the time being an offensive cyber warfare provocation -- or the boring idleness of botnet masters -- isn't considered as a statement on war yet. The Sum of All Fears's an amazing representation of engineering tensions in real-life, so consider keeping your Cyber Defcon lower.
Open source visualization courtesy of NYTimes.com, MakeLoveNotSpam's effect courtesy of Netcraft.
UPDATE: Apparently, seven years ago North Korea's hyped cyber warfare unit was aware of the concept of targeted attacks so that :
"Kim Jong Il visited software labs and high-tech hubs during his rare trips to China and Russia in 2000 and 2001. When then-U.S. Secretary of State Madeleine Albright visited Pyongyang in 2000, he asked for her e-mail address."
On a future visit, in a future tense, perhaps IM accounts would be requested to rotate the infection vectors. Meanwhile, read a great article on North Korea's IT Revolution, or let's say a case study on failed TECHINT due to a self-serving denial of the word globalization.
Posted by Dancho Danchev at Monday, April 23, 2007
Friday, April 20, 2007
Great fake as a matter of fact. Don't blame the crawler while crawling the public Web, but the retention of clickstreams for indefinite periods of time and the intermediaries selling them to keyword marketers. And of course the emerging centralization of too much power online with its privacy implications -- power and responsibility must intersect. Two more fakes for you to enjoy.
Continuing the "Malicious Wild West" series, the Blacksun RAT integration on the web is so modules-friendly it makes you wonder why it's not another case study on malware on demand, but a publicly obtainable open source malware like it is. Process injections in explorer.exe by default, and with a default port 2121, this HTTP bot is still in BETA. And BETA actually means more people will play around with the code, and add extended functionalities into it. There's a common myth that the majority of botnets are still operated through IRC based communications, and despite that there're still large botnets receiving commands through IRC, there's an ongoing shift towards diversification and HTTP in all of its tunneling and covert beauty seems to be a logical evolution.
Here are some commands included in default admin.php that speak for themselves :
Killmyself is quite handy in case you get control of the botnet in one way or another and disinfect the entire population with only one command. Stay tuned for various other "releases" in the upcoming virtual shots during the next couple of days.
Open source malware with a MSQL based web command and control? It's not just Sdbot and Agobot being the most popular malware groups that have such features by default, but pretty much every new bot family. The Cyber Bot, a malware on demand is one of these. Among the typical DDoS capabilities such as SYN, ACK, ICMP, UDP, DNS and HTTP post and get floods, it offers various rootkit capabilities in between the ability to bypass popular AV and firewall software. I recently located various screenshots from the web command and control which I'm sure you'll find enlightening. A picture is worth a thousand fears as usual. Interestingly, the bot is able to figure out whether the infected user is on a LAN, dialup, or behind a proxy connection, the rest of the statistics such as IP geolocation and infected users per OS are turning into a modular commodity. It's also worth noting that the web interface has the capability to offer access to the control panel to more than one registered user, which logically means that it's built with the idea to provide rental services.
Here's a related post with more web command and control screenshots, and another one taking into consideration various underground economics.
The other day I came across a nice compilation of web backdoors only, and decided to verify how well various AVs perform when detecting them :
"I have collected some WEB backdoors in the past to exploit vulnerable file upload facilities and others. I think a library like this may be useful in a variety of situations. Understanding how these backdoors work can help security administrators implement firewalling and security policies to mitigate obvious attacks."
Here are some results listing the AVs that detected them -- as they should :
* name: cfexec.cfm
* size: 1328
* md5.: cce2f90563cb33ce32b6439e57839492
* sha1: 01c50c39e41c6e95262a1141dbfcbf9e8f14fc19
No AV detects this one
* name : cmdasp.asp
* size: 1581 bytes
* md5: d0ef359225f9416dcf29bb274ab76c4b
* sha1: 9df3e72df372c41fe0a4d4f1e940f98829b752e1
Authentium 4.93.8 04.14.2007 ASP/Ace.G@bd
Avast 4.7.981.0 04.16.2007 VBS:Malware
BitDefender 7.2 04.16.2007 Backdoor.ASP.Ace.C
ClamAV devel-20070312 04.16.2007 ASP.Ace.C
DrWeb 4.33 04.16.2007 BackDoor.AspShell
Ewido 4.0 04.16.2007 Backdoor.Rootkit.10.a
F-Prot 188.8.131.52 04.13.2007 ASP/Ace.G@bd
F-Secure 6.70.13030.0 04.16.2007 ASP/Ace.G@bd
Kaspersky 184.108.40.206 04.16.2007 Backdoor.ASP.Ace.q
Microsoft 1.2405 04.16.2007 Backdoor:VBS/Ace.C
Symantec 10 04.16.2007 Backdoor.Trojan
VBA32 3.11.3 04.14.2007 Backdoor.ASP.Rootkit.10.a#1
Webwasher-Gateway 6.0.1 04.16.2007 VBScript.Unwanted.gen!FR:M-FW:H-RR:M-RW:M-N:H-CL:H (suspicious)
* name: cmdasp.aspx
* size: 1442
* md5.: 27072d0700c9f1db93eb9566738787bd
* sha1: 2c43d5f92ad855c25400ee27067fd15d92d1f6de
No AV detects this one
* name: simple-backdoor.php
* size: 345
* md5.: fcd01740ca9d0303094378248fdeaea9
* sha1: 186c9394e22e91ff68502d7c1a71e67c5ded67cc
No AV detects this one
* name: php-backdoor.php
* size: 2871
* md5.: 9ca0489e5d8a820ef84c4af8938005d5
* sha1: 89db6dc499130458597fe15f8592f332fb61607e
AhnLab-V3 2007.4.19.1/20070419 found [BAT/Zonie]
AntiVir 220.127.116.11/20070419 found [PHP/Zonie]
Authentium 4.93.8/20070418 found [PHP/Zackdoor.A]
AVG 18.104.22.1684/20070419 found [PHP/Zonie.A]
BitDefender 7.2/20070419 found [Backdoor.Php.Zonie.B]
F-Prot 22.214.171.124/20070418 found [PHP/Zackdoor.A]
F-Secure 6.70.13030.0/20070419 found [PHP/Zackdoor.A]
Ikarus T126.96.36.199/20070419 found [Backdoor.PHP.Zonie]
Kaspersky 188.8.131.52/20070420 found [Backdoor.PHP.Zonie]
McAfee 5013/20070419 found [PWS-Zombie]
Microsoft 1.2405/20070419 found [Backdoor:PHP/Zonie.A]
NOD32v2 2205/20070419 found [PHP/Zonie]
Norman 5.80.02/20070419 found [PHP/Zonie.A]
VBA32 3.11.3/20070419 found [Backdoor.PHP.Zonie#1]
Webwasher-Gateway 6.0.1/20070419 found [Script.Zonie]
* name: jsp-reverse.jsp
* size: 2542
* md5.: ebf87108c908eddaef6f30f6785d6118
* sha1: 24621d45f7164aad34f79298bcae8f7825f25f30
No AV detects this one
* name: perlcmd.cgi
* size: 619
* md5.: c7ac0d320464a9dee560e87d2fdbdb0c
* sha1: 6cd84b993dcc29dfd845bd688320b12bfd219922
No AV detects this one
* name: cmdjsp.jsp
* size: 757
* md5.: 3405a7f7fc9fa8090223a7669a26f25a
* sha1: 1d4d1cc154f792dea194695f47e17f5f0ca90696
No AV detects this one
* name: cmd-asp-5.1.asp
* size: 1241
* md5.: eba86b79c73195630fb1d8b58da13d53
* sha1: 22d67b7f5f92198d9c083e140ba64ad9d04d4ebc
Webwasher-Gateway 6.0.1/20070419 found [VBScript.Unwanted.gen!FR:M-FW:M-RR:M-RW:M-N:H-CL:H (suspicious)]
Interestingly, there have been recent targeted attacks aiming at gullible admins who'd put such web shells on their servers, thus opening a reverse shell to the attackers. As always, this compilation is just the tip of the iceberg. As Jose Nazario points out, having variables means a different checksum, and considering the countless number of ASP, PHP and PERL based reverse backdoors, the threat is here to remain as silent and effective as possible. Grep this viruslist, especially the ASP, PHP and PERL backdoor families to come up with more variants in case you want to know what's already spotted in the wild. Here's a very well written paper by Gadi Evron on Web Server Botnets and Server Farms as Attack Platforms discussing the economies of scale of these attacks.
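The checksum point above, as an added example that is not part of the original post or the compilation it tests: a hash blocklist misses a script whose variable names changed, while a check for request data reaching a command-execution call still flags it. The sample scripts, the blocklist and the PHP-only source and sink rules are constructed assumptions.

```python
import hashlib
import re

# Constructed samples, not files from the compilation discussed above.
SAMPLES = {
    "variant_a.php": b"<?php $c = $_GET['cmd']; system($c); ?>",
    # Same logic, only the variable and parameter names differ.
    "variant_b.php": b"<?php $x9 = $_GET['q']; system($x9); ?>",
    # Request data passes through a second variable before the sink.
    "variant_c.php": b"<?php $a = $_REQUEST['z']; $b = trim($a); passthru($b); ?>",
    # Benign: fixed command, no request data involved.
    "uptime.php": b"<?php exec('/usr/bin/uptime', $out); echo $out[0]; ?>",
    # Benign: request data, but no command execution.
    "contact.php": b"<?php echo htmlspecialchars($_POST['name']); ?>",
}

# Assumed rule set: request superglobals are sources, process/eval calls are sinks.
PHP_SOURCE = re.compile(rb"\$_(?:GET|POST|REQUEST|COOKIE)\b")
PHP_ASSIGN = re.compile(rb"(\$\w+)\s*=(?![=>])\s*([^;]*);")
PHP_SINK = re.compile(
    rb"\b(?:system|exec|passthru|shell_exec|popen|proc_open|eval)\s*\(([^;]*)\)\s*;"
)
PHP_VAR = re.compile(rb"\$\w+")


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def tainted_vars(code):
    """Variables assigned from request data, directly or via another tainted variable."""
    tainted = set()
    changed = True
    while changed:  # repeat until no new variable becomes tainted
        changed = False
        for name, rhs in PHP_ASSIGN.findall(code):
            if name in tainted:
                continue
            if PHP_SOURCE.search(rhs) or tainted & set(PHP_VAR.findall(rhs)):
                tainted.add(name)
                changed = True
    return tainted


def request_reaches_exec(code):
    """Return the sink calls whose arguments contain request data."""
    tainted = tainted_vars(code)
    hits = []
    for match in PHP_SINK.finditer(code):
        args = match.group(1)
        if PHP_SOURCE.search(args) or tainted & set(PHP_VAR.findall(args)):
            hits.append(match.group(0).decode("latin-1"))
    return hits


def scan(samples, known_md5):
    """Compare checksum matching with the content heuristic for every sample."""
    return {
        name: {
            "hash_match": md5_hex(code) in known_md5,
            "exec_hits": request_reaches_exec(code),
        }
        for name, code in samples.items()
    }


if __name__ == "__main__":
    # The blocklist only knows the first variant, as a signature set built
    # from one collected sample would.
    blocklist = {md5_hex(SAMPLES["variant_a.php"])}
    for name, result in scan(SAMPLES, blocklist).items():
        print(name, result)
```

The heuristic is regex-based and will miss obfuscated or dynamically built calls, so it complements rather than replaces AV signatures and file integrity monitoring of the web root.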
Thursday, April 12, 2007
Remember Mujahideen Secrets, the jihadist themed encryption tool released by the Global Islamic Media Front (GIMF) to aid cyber jihadists about to convert to cyber terrorists in encrypting their communications? See the attached screenshot -- if only jihadists could see through the eyes of the multilingual crawler or knew I violate their OPSEC on a daily basis. The interesting part from a PSYOPS perspective is how they've realized that using PGP no longer means improved and sustained self-esteem for the average jihadists, so coming up with their very own encryption tool and file shredder is a logical step. Encryption, even steganography has been used by terrorists for years, and despite that no one is feeling comfortable with the idea, it's an unspoken fact. There's also something else to keep in mind, terrorists are putting more efforts into recruiting knowledgeable individuals than trying to educate them from day one. And while coding the mujahideen secrets software requires nothing more than a simple GUI and publicly obtained encryption libraries, I wonder whether the people behind it actually knew who they were compiling the tool for, or was it a part time project on a "need to know basis"?
Encryption algorithms' sophistication in respect to the key's size shouldn't really be of any concern in this case, but how come? Simple, the lack of quality passphrases, even implementation of the algorithms into the software, combined with client side attacks seeking to obtain the passphrase compared to perhaps futile bruteforcing, speak for themselves. One thing remains for sure - they're encrypting and generating more noise than originally thought. Go through an analysis of the Technical Mujahid Issue One as well.
Posted by Dancho Danchev at Thursday, April 12, 2007
Tuesday, April 10, 2007
My previous "shots" related to various pieces of malware, packers, or on the fly malicious URL analysis will continue to expand with the idea to provide you with screenshots of things you only read about, but never get the chance to actually see. In the first shot I discussed ms-counter.com, in the second the Pohernah crypter, and in the third The Rat! Keylogger. You may also find a recent post related to the dynamics of the underground's economy, as well as the related screenshots very informative.
In this virtual shot I'll discuss the High Speed Verifier, a commercial application spammers use to filter out the fake and non-existent emails in their spam databases in order to not only achieve a faster speed while sending their message out, but also improve the quality of their databases which I love poisoning so much. What is the High Speed Verifier all about? As its authors state :
"HSV detects about 20-30% of invalid addresses in a mailing list, though theoretically it is possible to detect up to 60-70% using a software product. This figure seems relatively small, but actually it might make 10% of a list. Besides, HSV provides for optimal checking mode in terms of time and data traffic. More thorough checking (with which the rest 40% of invalid addresses could be detected) takes 10 times longer and requires 5 times greater traffic for each address, hence it's not that advisable with huge lists."
So once emails are harvested, they have to be verified and then abused for anything starting from phishing attacks to good old fashioned social engineering tricks deceiving users into executing malware or visiting a site for them to do so. Don't get too excited, the advanced version has even more interesting features :
"The program works on the same algorithm as ISP mail systems do. Mail servers addresses for specified address are extracted from DNS. The program tries to connect with found SMTP-servers and simulates the sending of message. It does not come to the message sending — AMV disconnect as soon as mail server informs does this address exist or not."
The old dilemma is still in place - direct online marketing VS spam or what's the difference these days if any? Marketed as tools to assist online marketers these programs are logically abused by spammers, phishers and everyone in between.
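Seen from the receiving mail server, the verification technique quoted above leaves a recognizable trace: sessions that reach RCPT TO and then end without DATA. The following detection sketch is an added example, not part of the original post or of the verifier's own code; the event format, the addresses and the threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed SMTP session events in a made-up format (not any real MTA's log):
#   <session-id> <client-ip> <command> [argument] <reply-code>
SAMPLE_LOG = """\
s1 192.0.2.10 MAIL <news@example.org> 250
s1 192.0.2.10 RCPT <alice@example.com> 250
s1 192.0.2.10 DATA 354
s1 192.0.2.10 QUIT 221
s2 198.51.100.7 MAIL <x@example.net> 250
s2 198.51.100.7 RCPT <alice@example.com> 250
s2 198.51.100.7 QUIT 221
s3 198.51.100.7 MAIL <x@example.net> 250
s3 198.51.100.7 RCPT <aaron@example.com> 550
s3 198.51.100.7 QUIT 221
s4 198.51.100.7 MAIL <x@example.net> 250
s4 198.51.100.7 RCPT <bob@example.com> 250
s5 198.51.100.7 MAIL <x@example.net> 250
s5 198.51.100.7 RCPT <zed@example.com> 550
s5 198.51.100.7 QUIT 221
s6 203.0.113.5 MAIL <carol@example.org> 250
s6 203.0.113.5 RCPT <alcie@example.com> 550
s6 203.0.113.5 QUIT 221
"""


def parse_sessions(log):
    """Fold event lines into one record per SMTP session."""
    sessions = {}
    for line in log.strip().splitlines():
        parts = line.split()
        sid, client, verb, code = parts[0], parts[1], parts[2].upper(), int(parts[-1])
        rec = sessions.setdefault(
            sid, {"client": client, "rcpt": 0, "rejected": 0, "data": False}
        )
        if verb == "RCPT":
            rec["rcpt"] += 1
            if code // 100 == 5:  # permanent failure: recipient does not exist
                rec["rejected"] += 1
        elif verb == "DATA" and code == 354:
            rec["data"] = True  # the client really started sending a message
    return sessions


def probing_clients(sessions, min_probes=3):
    """Clients whose sessions test recipients but never send a message.

    min_probes is an assumed threshold: one aborted delivery is normal,
    repeated RCPT-only sessions from one client are not.
    """
    per_client = defaultdict(lambda: {"probe_sessions": 0, "rcpt": 0, "rejected": 0})
    for rec in sessions.values():
        if rec["rcpt"] and not rec["data"]:
            stats = per_client[rec["client"]]
            stats["probe_sessions"] += 1
            stats["rcpt"] += rec["rcpt"]
            stats["rejected"] += rec["rejected"]
    return {
        client: stats
        for client, stats in per_client.items()
        if stats["rcpt"] >= min_probes
    }


if __name__ == "__main__":
    for client, stats in probing_clients(parse_sessions(SAMPLE_LOG)).items():
        print(client, stats)
```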
Posted by Dancho Danchev at Tuesday, April 10, 2007
This will prove to be interesting as it's directly related to a previous discussion on hijacking or shutting down someone else's botnet through exploiting vulnerabilities in their code :
"During each day of the Month of Bug Bugs McAfee Avert Labs will provide analysis of flawed malicious code (aka bugs). These are viruses that don’t spread, password stealing Trojans that can’t leave the stable, drive-by attacks that crash and burn, phishing attacks that phlop, denial of service attacks that are denied, etc. Our analysis will highlight the errors made by authors, and show how these threats can be fixed and in most cases optimized for maximum potency."
Have you ever imagined that as a pen tester or security consultant you'll have to exploit XSS vulnerabilities in a botnet's web C&C in order to take a peek inside? Botnet polymorphism, which limits the possibility of establishing a communication pattern -- an easily detectable one -- is just as important as the constant diversification towards different communication platforms. Although malware authors are consistently creative, and efficiently excelling at being a step ahead of the security measures in place, they're anything but outstanding programmers, or at least don't put as much effort into QA as they could. Aren't malware coders logically interested in benchmarking and optimizing their "releases"? Do they have the test bed in terms of a virtual playground to evaluate the effectiveness of their code, or are they actually enjoying a "release it and improve it on the fly" mentality? It's all a question of who the coders are, and how serious their intentions are.
In a very well structured paper courtesy of Symantec, the author John Canavan looks at various bugs in popular malware such as the Morris worm, Sobig, Nyxem, OSx.Leap, as well as Code Red Worm, W32.Lovgate.A@mm, W32.Logitall.A@mm, VBS.SST@mm, VBS.Pet_Tick.N, W32.Beagle.BH@mm, W32.Mytob.MK@mm. A rather interesting fact about the much hyped Nyxem :
"However something that was overlooked in a lot of reports at the time was this bug in the code, which meant that the worm would not overwrite files on the first available drive found. For example if the first available drive is the C drive, the worm will overwrite files in available drives from D to Z."
Looking forward to seeing the bugs due to be highlighted in the MoBB.
Posted by Dancho Danchev at Tuesday, April 10, 2007
Monday, April 09, 2007
The art of money wasting when there's a surplus of research grants and no one to pick them, or a product concept myopia? $680,000 has been awarded by the U.S. National Science Foundation to software developers to come up with lie-detecting software for email, IM and SMS messages :
"There's still an open question of whether that is actually possible or not," said Jeff Hancock, a communications professor and information science faculty member at Cornell. "Our research suggests that it is." Passive voice, verb tense changes, and even noun or verb selection can suggest a person is lying, he said. Hancock said another indicator of written deception is the decreased use of the word "I," which is most likely an attempt to create distance. "One of the reasons we think that works as an indicator is that pronoun use is subconscious," he said. In interactive speech, like instant messaging and some dialogues, liars go into a "persuasive mode" and increase the length of their message by 30% to describe and explain situations, he said. Other factors -- such as individual beliefs about behavior, whether someone is accused of something or interacting with an accuser -- can complicate the process."
Lies are creative even in a written form compared to the favorable body gestures that speak for themselves. And I don't really think an alert such as "the suspect's talking too much on a one sentence question" would do any good. It's all about doing your homework, having experience, not being naive and the power to remain silent when someone's lying to you -- lying pattern intelligence gathering. On the other hand, the product concept myopia is a situation where a company falls in love with its product or service and establishes the "build it and they'll come" mentality without even bothering to assess whether or not the market's environment is willing to embrace it, can afford it, or actually needs it. The less market transparency, the better for the company; the better the market transparency, the better the purchasing decision of the customer, who'll realize that the solution doesn't have to be in the form of the offered product. My point is that, despite the need for the detection of lies in text communications, the solution may not come in the form of talk pattern detection. For instance, your overhyped lover tells you he's in Paris, but geolocating your communication with him you see he's in Frankfurt, and what a coincidence that is since his ex also lives there.
Using Enron, the infamous case study that'll be discussed in business schools for years to come, is a good analogy. But just because you think you've established a pattern of communication -- lies -- in conversations that are fake by default, doesn't mean you'll be able to build the dynamics of lying into a detectable pattern. Detecting lies on the fly remains futile for the time being, and you really don't need a program to tell you if someone's lying to you, especially in a written form. Outsmart them, act like you don't know to get intelligence on their lying pattern, remain silent for a short timeframe, they'll lie again, be prepared and hopefully you'll recognize a new pattern. Enron's past communication shouldn't be the benchmark in this case, try some April Fools' Day press releases like this PirateBay announcement for finding a permanent hosting solution - in North Korea! Average people's patterns are the same, therefore pretend to be a moron when you're most knowledgeable, and pretend to be weak when you're most strong and I guarantee you a quick reboot of your relationships.
The lines between sarcasm and a lie are getting even more blurred these days.
Posted by Dancho Danchev at Monday, April 09, 2007
Wednesday, April 04, 2007
Have no fear, the toxoplasma gondii parasite is here. Just like a decent piece of malware exploiting a zero day vulnerability in an anti virus software, shutting it down or making sure it cannot obtain the latest signatures while totally ignoring the host's firewall, this parasite controls the fate of rats and mice in a targeted manner :
"by hijacking the part of the brain that makes the rodents naturally fear cats, a new study shows. The exquisite precision leaves intact all other neurological mechanisms for learning to avoid danger, so the rodents learn to survive all hazards except being eaten by cats – the only form of death beneficial to the parasite."
Very interesting example of targeted attacks on a rat's brain courtesy of mother Nature's ghost-hacking capabilities. Just a whisper in my ghost - hope the parasite doesn't become cats-compatible and have them fear the mice.
Unbelievable, and you wonder why spam is on the verge of destroying email as the once so powerful communication medium. What I don't like about surveys like these is that they barely report their findings without providing further clues on the big picture and actually assessing the findings in the way they should. The ultimate question therefore always is - So What?! Interacting with spam in any way, be it clicking on a link inside the email, loading emails bugged with remote images, or the most moronic of them all - unsubscribing via the spammer's URL - will only result in verifying that your email is active. What follows is a syndication of this email by different spammers and a flood of advertisements in languages you'll probably never speak :
"Bombarded by spam, e-mail users are eager for tools like a "report fraud" button that would help weed out unwanted messages that litter inboxes, according to a survey by the Email Sender and Provider Coalition released on Tuesday. More than 80 percent of e-mailers already use tools such as "report spam" and the "unsubscribe" button to manage their in-boxes, the survey found. The survey, which was also conducted by marketing research firm Ipsos, polled 2,252 Internet users who access e-mail through service providers such as AOL, MSN/Hotmail, Yahoo! and Gmail."
Having a report spam button means the technological measures in place to prevent the spam from reaching a mailbox have failed, a very bad sign by itself. Before asking for a report spam button, understand how spammers obtain your email in the first place and try to prevent it. Standardizing the "report spam" button on a multi-vendor level would never happen. That's mainly because vendors actually compete on spam detection results, just like they should, with the idea that competition not only keeps them in good business shape, but has the potential to best serve the customer.
There's also the mean wisdom of crowds to keep in mind. Remember when Hotmail was blocking Gmail invites? Was it an undercover corporate policy, or were Hotmail fans clicking the report spam button on received Gmail invites to make sure Hotmail subscribers never get the chance to receive them? Empowering the masses in a Web 2.0 wisdom of crowds style is tricky: the same way competitors click on each other's AdSense ads during lunch breaks, they'd subscribe to a competitor's email notifications and have them reported as spam. Contribute to Project Honeypot if your infrastructure allows you to and see them crawling. Cartoon courtesy of Bill Holbrook.
Processing orders for taking down malicious or fraudulent web sites is gaining ground, with not just RSA providing the service, but also Netcraft joining the process :
"Netcraft will identify, contact and liaise with the company responsible for hosting the fraudulent content. Netcraft enjoys excellent relations with the hosting community, and many of the world’s largest hosting companies are Netcraft customers. Netcraft can exercise its existing relationships with these companies to provide a swift and smooth response to the detection of the site. If the hosting company is reputable, this may be sufficient to ensure a prompt end to the fraudulent activity. However, some hosting companies offer fraud hosting as a service whereby they are incentivized to keep the site up as long as possible, and this necessitates more extensive action."
How does Netcraft differentiate its value proposition compared to RSA's? Netcraft's core competency is monitoring of web sites and providing historical performance reports regarding various server variables, and they've been doing it for quite some time. Moreover, the company directly relies on the success of its anti-phishing toolbar in respect to gathering raw data on new phishing sites, thus, a future customer in the face of a company whose brand is attacked. While the business models seem sound to some, it's worth discussing their pros and cons. Will ISPs implement an in-house phishing sites monitor to compete with the services offered by third-party vendors -- they could definitely delay their actions given the huge infrastructures they monitor and the lack of financial incentives for the timely shut down -- or will ISPs and vendors figure out a way to build an ecosystem between themselves? The pioneer advantage is important, despite the common wisdom that even if you have an innovative idea, with a market that's not ready to embrace it, it wouldn't get commercialized.
In the past, there were futile attempts by banks to utilize the most commonly abused phishing medium - the email - to build awareness among their customers on the threats of phishing, which isn't the way to solve the problem. You've got many options in respect to your customers - either educate them, enforce E-banking best practices or deny them the service if they don't comply, be a paper tiger and forward the responsibility for fraudulent transactions to their gullibility, or improve the entire authentication process. As we have seen, two-factor authentication may improve consumers' confidence, but we're also seeing malware authors getting pragmatic and adapting to the process as well. Flexibility also stands for better transparency of the process - respect to the banks providing me with the opportunity to receive an SMS each and every time money comes into and goes out of the account.
OPIE and multiple factor authentication are inevitable, but a customer's awareness of the threat is worth more than another keychain of OPIE generators. The rest are unmaterialized E-commerce revenues due to customers still fearing the risks are not worth the benefits.
Sunday, April 01, 2007
Yeah sure, on the 1st of April only! Enjoy this marvelous cyberpunk compilation with Juno Reactor as a background music. A group whose works such as Pistolero and Rotor Blade continue reminding me of the good old school psychedelic vortexes we used to spin in -- that's of course in a previous life.
Posted by Dancho Danchev at Sunday, April 01, 2007