MSN Spamming Bot

An image is sometimes worth a thousand words. This is a screenshot of infected bots spreading spam messages at MSN via typical !spam IRC based command and control. And here's a related article about malware on IM networks as well:

"It is not clear exactly why the number of IM attacks is increasing, but security researchers have their theories. Don Montgomery, vice president of marketing at Akonix, speculated the increase in the number of attacks reflects the increase in the use of instant messaging, particularly on corporate networks. "IM is becoming favored over e-mail as a distribution vector for malware as a result of e-mail security now being employed by 75 percent or more of companies, while IM security is only employed by 15 to 20 percent of companies," Montgomery said. "The hackers are simply turning to the open door."

Two options remain highly lucrative. Either someone’s spamming p3n1$ enlargement propositions and directing to a spam site, or the social engineering efforts aim at visiting an exploit hosting site. No more direct .pif; .scr; or .exe propositions in plain simple text, what’s exploited is mostly client side vulnerabilities and redirectors to break the ice. IM threats stats courtesy of Symantec's IMlogic and here’s a related post regarding the acquisition of the company with Symantec anticipating the emergence of this market segment and investing in it. IM propagation has it cyclical patterns which like pretty much all other propagation vectors reaching a mature level starts getting at least partly replaced by other ways of propagation.

The WebAttacker in Action

Interesting to see that the WebAttacker kit can still be seen in the wild. Here are the redirectors in action :

Input URL: _http://rulife.info/traffic/go.php?sid=1
Effective URL: _http://greencunt.org/crap/index.php
Responding IP: 203.223.159.110
Name Lookup Time: 1.290261
Total Retrieval Time: 5.987628

=> _http://rulife.info/traffic/go.php?sid=1
=> _http://xorry.org/backup/atds/out.php?s_id=1
=> _http://greencunt.org/crap/index.php

What follows is the (sandboxed) infection : file: Write C:\Program Files\Internet Explorer\IEXPLORE.EXE -> C:\sysykiz.exe

Several more URLs are to be found at the "green" domain as well :
_http://greencunt.org/anna/fout.php
_http://greencunt.org/spl1/index.php

Despite that the tool is outdated compared to mature malware platforms and exploitation kits which I'll be covering in upcoming posts, the leak of its source code made it easy for someone to tweak it for their personal needs and simply feed with undetectable binaries, new vulnerabilities, and newly registered domains -- even hijacked ones through web application vulnerabilities for instance.

In case you're interested in a proof that attackers are still successfully infecting victims by using vulnerabilities for which patches have been released months ago, here's another URL that's exploiting two vulnerabilities at once namely :

MDAC ActiveX code execution (CVE-2006-0003)
IE COM CreateObject Code Execution (MS06-042)

The domain in question is - _http://www.avvcc.com and _http://www.avvcc.com/lineage/djyx.htm

Related posts:
RootLauncher Kit
Nuclear Grabber Kit
Shots from the Malicious Wild West - Sample Seven
Shots from the Malicious Wild West - Sample Six
Shots from the Malicious Wild West - Sample Five
Shots from the Malicious Wild West - Sample Four
Shots from the Malicious Wild West - Sample Three
Shots from the Malicious Wild West - Sample Two
Shots from the Malicious Wild West - Sample One

The Revenge of the Waitress

Think your scrooge tips will achieve their effect? Think twice but don't put the emphasis on underpaid waitresses, rather on the overall availability of credit card data reading devices as well as their vulnerability to such readers. Here's a video of another waitress clonning credit cards on the fly :

"A telltale clue that helped the restaurant and investigators zero in on the waitress: She would make quick visits to the restroom after picking up customers' charge cards, apparently to swipe them through a palm-sized device that recorded the confidential numbers."

Reverse Engineering the ANI Vulnerability

Informative video analyzing the ANI cursor vulnerability, part of the Google TechTalks series.

"Alex Sotirov is a vulnerability engineer at determina. He will discuss some latest techniques in reverse engineering software to find vulnerabilities. Particularly, he'll discuss his technique that lead him to find the ANI bug (a critical new bug in WinXP and Vista)."

Phrack Magazine's Latest Issue

Phrack is back believe it or not with its latest Issue 64 released two days ago. The style is still so old-school, so authentic it makes you remember extraordinary Web 1.0 experiences. Articles of notice I went through so far : "A brief history of the Underground scene" ; "Blind TCP/IP hijacking is still alive" ; and "The art of Exploitation: come back on an exploit". Dazzling already :

"In the last decade, Phrack took a very annoying industry-oriented editorial policy and the original spirit was in our opinion not respected. The good old school spirit as we like had somehow disappeared from the process of creating the magazine. That is why the underground got split with a major dispute, as some part of the scene was unhappy with this new way of publishing. We clearly needed to bring together again all the relevant parties around the spirit of hacking and the values that make the Underground. The Underground is neither about making the industry richer by publishing exploits or 0day information, nor distributing hacklogs of whitehats on the Internet, but to go further the limits of technology ever and ever, in a big wave of learning and sharing with the people ready to embrace it. This is not our war to fight peoples doing this for money but we have to clearly show our difference."

Google Hacking for Vulnerabilities

Tools like these are a clear indication in the interest of gathering targets through google hacking techniques and SQL injecting them using a single tool. What’s important to note is that, instead of scanning the target's web server in an automated fashion thus, increasing the potential of detecting your malicious requests in this case the attack vectors are already known even cached on a search engines' servers. Perhaps a good time to set up a google hacking or PHP deception honeypot, make sure google crawls it and either gather first hand statistics, or deceive at your best. A paper released under the Know Your Enemy series comments on the concept of search engines' reconnaissance :

"Below we give the exploits we have seen against our honeypots and where possible an estimate of the number of users for each piece of software. The estimates are obtained by checking the number of Google search results returned for a given page in a website, for example searching for '"powered by PHPBB" inurl:viewtopic.php' suggests there are around 1.5 million installations of PHPBB indexed by Google."

Malware using search engines to build its hit lists is nothing new and it's the Santy worm and perhaps even the JS/Yamanner worm I have in mind. Worms like these are just the tip of the iceberg when it comes to malware because their successful intrusions act as a propagation vector for malware exes, exploits embedded pages, and hosting of phishing sites. In case you remember, over an year ago New Zealand started a nation wide google hacking security audit aiming to not just build awareness on the potential security issues, but to also, measure the country's susceptibility to google hacking which they claim is the highest in the world. If you don’t take care of your web application vulnerabilities someone else will, and your organization wouldn’t even have "the privilege" of getting exploited by an advanced attacker, but by a script kiddie making your server open a reverse shell back to them in between everything else.

Microsoft's Forefront Ad Campaign

The introduction of Microsoft's Forefront security solutions is already backed up by a huge ad campaign that can be seen on the majority of tech-news portals. The campaign is however lacking a consistent vision to communicate the benefits and main differentiation points -- if any -- of the product, and is barely informing that it exists in a not so creative way :

There's nothing in Forefront that really makes it notably better or worse than any other solutions that are already in the marketplace. However, the Microsoft name may be sufficient for it to steal market share, and a better integration with other Microsoft solutions…is likely to be a bit of a differentiator,” said Quin. Faced with increasing competition from Microsoft, Symantec Corp. questioned Microsoft's ability to effectively protect enterprise customers.

Trying to be witty too much while fighting ninjas and aliens often results in your ad campaign "clowning" in the eyes of a prospective customer. Security is indeed a cosmic phenomenon for Microsoft, an unexplained pseudo-randomly generated event that's continuing to be researched and analyzed for generations to come. Can they achieve desirable results? Will penetration pricing help? And will the ad agency that got commisioned with the ad campaign come up with a bit of a more creative psychological imagination the next time?

A pure example of an acquisition-to-solution strategy compared to AOLs licensing of a reputable AV vendor's technology, in order for them to enter the market segment as well.

Jihadists' Anonymous Internet Surfing Preferences

Jihadists are logically not just interested in encryption and steganography but also, in ways to anonymize their web surfing activities as much as possible. A wannabe jihadist whose tips and recommendations have gained him a lot of reputation around the forums I follow, recently came up with an in-depth article on recommended and reviewed IP cloaking services with direct download links in between. It makes stats like these questionable to a certain extend as I've already pointed out. Among the IP cloaking tools reviewed are :
- Steganos Internet Anonym Pro
- Hide IP Platinum 3.1
- Proxy Switcher Pro
- Invisible Browsing v5.0.52

TOR is, of course, mentioned as well but at the bottom of the article citing performance issues compared to commercial solutions. IP decloaking is not even considered as a concept.

Counter Espionage Tips from the Cold War

There's nothing old-fashioned in short films like these representing possible techniques used by intelligence services while recruiting - "Cold War counter-spy instructional film created to convince government officials traveling with top secret info to watch their backs. Watch hapless G-men get seduced and setup for blackmail by treacherous Soviet she-spies"



And despite that today's perception of sexy she-spies has evolved proportionally with the technological advances in espionage, some of the tips are still emphasizing on the basics.

A Client Application for "Secure" E-banking?

This is perhaps the second product concept myopia right after the lie detection software for text comminations I come across to recently. Remember a previous post heading in the opposite direction, where a bank was trying to rebuild confidence in the most abused phishing medium - the email - to keep in touch with its customers? Here's another company that's betting on a third-party client application to solve the problem of secure E-banking totally falling victim in the secure channel communication myopia one that I think has nothing to do with reality when it comes to the success of phishing :

"Here’s how Armored Online works: A company, such as a financial institution or online retailer, offers a downloadable client to customers through its website. That client then gives the customer’s computer a secure channel with which to communicate and transact with the company. Its Java-based browser is locked down, meaning it won’t accept any plug-ins, like cookies used by criminals. What’s more, the client can only “talk” to the server at the bank or online store. “It’s like iTunes for banks,” Mr. Sowerby said."

The attack of the disabled cookies? Not really, so be realistic. Coming up with a third-party application as the cornerstone of E-banking security directly conflicts with E-banking's biggest benefit - flexibility due to the compatibility with the most popular browsers. So you'd rather focus on the current situation - Brandjacking instead of re-inventing the SSL wheel -- as a matter of fact the Gozi trojan and the Nuclear Grabber are quite comfortable with SSL as they bypass it entirely. Even worse, a trojanized copy of the program will emerge given it receives any acceptance at all. And if banks start embracing it -- don't -- we can easily start talking about DRM enabled E-banking where, both, banks and customers will turn into virtual hostages to a third-party application trying to reboot the market for anti-phishing services, totally forgetting the problem is not in the lack of unencrypted transactions as no one is sniffing the credentials, but pushing fake sites instead of letting customers pull the sites for themselves.

Don't disrupt in irrelevance.

A Malware Loader For Sale

Continuing the Shots from the Malicious Wild West series and the yet another malware tool in the wild posts, here’s a recently advertised malware loader. Polymorphism, built in packing functions and the ability to set an interval for loading yet another executable at a URL or a URL redirector, DIY firewalls unloading techniques, pretty much anything ugly is in place -- as usual. The loader's source code is currently available for $150, undetected bots go for $15 per piece. Malware on demand in principle, or malicious economies of scale?

MySpace's Sex Offenders Problem

MySpace, being one of the most popular social networking sites is always under fire on its efforts to combat known child offenders registering and using its database to find what they're looking for. The problem isn’t MySpace as a faciliator for such type of communications but the vast amounts of personal information -- future contact points -- kids publish about themselves online, not knowing that on the Internet anyone can be a dog and most importantly, parents loosing the emotional connection with their kids and making it easier for someone to break the ice and establish trust.

Several months ago, funded by nothing more but his common sense Kevin Poulsen gathered name data from the U.S public child offenders registry and found positive results with people -- thankfully -- stupid enough to use their real names. And while they wouldn't do it again the next time instead of making it easier to aggregate the data, a CAPTCHA to limit such automatic activities was implemented. Don't blame MySpace blame bureaucracy. Meanwhile, here's an article on U.S authorities demanding that MySpace provide data on identified and removed known child offenders -- they agreed :

"MySpace agreed Monday to provide the information to all states after some members of the group filed subpoenas or took other legal actions to demand it. The company said last week such efforts were required under the federal Electronic Communications Privacy Act before it could legally release the data."Different states are going about it different ways," said Noelle Talley, spokeswoman for Cooper, who filed a "civil investigative demand" for the information. Connecticut Attorney General Richard Blumenthal used a subpoena that "compels this information right away - within hours, not weeks, without delay - because it is vital to protecting children," he said."

If protecting children is vital, remove the CAPTCHA so everyone knowing how to aggregate and tweak the data will come up with far more sophisticated stats than the ones currently available. Actual results too. Next time it would become harder to track them, so don’t count on measures like these instead, ensure naughty conversations aren’t taking place at all. Makes me wonder one thing - should you be filtering known child offenders on the Internet perhaps a futile attempt given the pseudo-personalities they could establish, or at the ISP level and put them under surveillance right from the very beginning? Of course child offenders should not have unmonitored access to the Internet so rethink the basics.

Related posts:
Registered Sex Offenders on MySpace
IMSafer Now MySpace Compatible

Tricking a Laptop's Fingerprint Authentication

The joys of fingerprint biometrics with a duplicate fingerprint of the original.

Commercializing Mobile Malware

Visionary enough, I predicted this over an year ago, and despite that for the time being there are only two publicly known pieces of mobile malware sending sms messages from the infected devices to premium numbers, it's an emerging trend for customers and mobile operators to keep an eye on :

"After installation, the Viver trojans immediately start sending SMS messages to premium-rate numbers. The messages are sent with proper international area codes, so they are able to reach the correct destination even when activated outside Russia. We've already seen for-profit malware in mobile devices: Wesber.A and Redbrowser are Java Midlet trojans that try to send messages to Russian premium-rate numbers. But these trojans require user acceptance per each message and are able to send messages correctly only inside Russia."

Some comments I made back then :

"The number and penetration of mobile devices greatly outpaces that of the PCs. Malware authors are actively experimenting and of course, progressing with their research on mobile malware. The growing monetization of mobile devices, that is generating revenues out of users and their veto power on certain occasions, would result in more development in this area by malicious authors. SPIM would also emerge with authors adapting their malware for gathering numbers. Mobile malware is also starting to carry malicious payload. Building awareness on the the issue, given the research already done by several vendors, would be a wise idea."

Something else to think about is related to Europe’s most recent mega-music event Eurovision and the sms voting power that, given enough infected mobile devices are in place the results could change pretty fast if you’re following my thoughts. Thankfully, compared to zombie networks making it possible to do intelligence and espionage tweaks given the large infected population, we still cannot talk about mobile botnets. The most juicy target for the time being however, remains the rise mobile banking.

Another comment I made a while ago :

"Malware authors indeed have financial incentives to futher continue recompling publicly available PoC mobile malware source code, and it's the purchasing/identification features phones, opening a car with an SMS, opening a door with an SMS, purchasing over an SMS or direct barcode scanning, mobile impersonation scams, harvesting phone numbers of infected victims, as well as unknowingly interacting with premium numbers are the things about to get directly abused -- efficiently and automatically."

Related posts:
Proof of Concept Symbian Malware Courtesy of the Academic World
Mobile Devices Hacking Through a Suitcase

Yet Another Malware Cryptor In the Wild

Just stumbled upon a newly released cryptor in the wild, and as I pointed out in a previous post related to yet another cryptor, they're signature-based malware scanning's worst enemy. By the time AV vendors obtain a sample and analyze the routines they use, unless an IPS solution is in place, and end user friendly perimeter defense detecting the bot-ization of the host are in place - an infection occurs.

What's the big picture? It's launching a denial of service attack on anti virus vendors' labs in the form of distributing couple of hundred malware samples - future family members of a malware group. Polymorphism encrypting routines are nothing new, but with DIY cryptors in the wild the result can be quite successful even for copy cats:

"Another example is the Stration family of malware, responsible for worms and other forms of malware in late 2006. “Stration was changing so quickly—the encryption packaging, the compiler, everything. We saw up to 300 variants in a single day,” says Ron O’Brien, senior security analyst at anti-malware vendor Sophos."

File size: 4608 bytes
MD5: 406e3a1443ec617f2c968a957a460f10
SHA1: 187abe8cec588b53126afbe8e600379a3bac2321

Corporate Espionage Through Botnets

Following my previous post on OSINT Through Botnets, here's a company that's categorizing Fortune 500 companies whose networks are heavily polluted with malware infected hosts :

"Support Intelligence (SI), a network security company in San Francisco, has been running what it called "30 Days of Bots," featuring corporate networks infected with spam-churning bots. It began analyzing data in February, monitoring 10,000 domains that plow data into a trap much like a fishnet, except the intelligence in the data is designed to determine what information to keep by looking for spam. In total, SI analyzed traffic from more than 100 sources, including the aforementioned spam traps."

Considering the possibility for gathering open source intelligence through military and government infected PCs only, it is logical to conclude that a specific company can be targeted on the basis of the already infected hosts on its network as well. Think about it. For the time being, a botnet's master doesn't really care if it's a military or Fortune 500 company that's infected as long as spam, phishing and malware goes out of these hosts. But passive corporate espionage in the form of intercepting the traffic going out of a specific company's network shouldn't be excluded as an opportunity.

Visual Script Obfuscation

We often talk and deobfuscate scripts aiming to hide their real and often malicious intentions. But what if malicious attackers have become so efficient in their obfuscation, that they decide to show some JAPH style in order to make them harder to analyze by visually obfuscating the scripts as you can see here?

The Jihadist Security Encyclopedia

A month ago, the Media Jihad Battalion started distributing a 118 pages long encyclopedia on anything starting from secure communications to keywords not to search for as they'll raise an early warning system alarm. The front cover is so Blade's style, but the PSYOPS motive is highly influential. Here's a translated table of contents and the original version attached.

Sampling Jihadists' IPs

Great idea as a matter of fact :

"The following is based on an analysis of 4,593 IP addresses (1,452 unique IP addresses). The IPs were acquired from 19 of the more prominent of the Salafist/Jihadist forums, including both Arabic and non-Arabic forums, from 01 January through 30 April of this year."

Taking into consideration the per-country stats, do not exclude the logical possibility of IP cloaking while browsing these and also, the tiny number of intelligence and lone gunman info warriors gathering OSINT data. In another much more in-depth analysis on mapping the online jihad, the authors point out the emerging internationalization of jihad as well :

"The near exclusive use of the Arabic language in these significant jihadi websites likely accounts for the concentration of activity in the Middle East and North Africa. But with a reach to more than 40 countries, the virtual community within these ten influential sites assumes a global significance. The international jihadi movement's use of the internet to fuel the exchange of ideological expansion and its corresponding influx of support will increase the vulnerability of many countries to the appeal of extremism."

At least these organizations don't rely on setting up fake jihadist communities to come up with the sample data, but know exactly where to look for.

Mind Mapping Web 2.0 Threats

An informative, and for sure to be expanded mind map presenting various Web 2.0 threats courtesy of Mike Daw who by the way neatly integrated the anti virus detection results to his web backdoors compilation, I commented on in a previous post. Here are two more mind maps of Firefox security related tools, and the threats faced by mobile devices. A related post on the "wormability" of web application insecurities for everyone thinking flash worms.

XSS The Planet

Yet another initiative proving that major sites indeed suffer from XSS vulnerabilities in exactly the same fashion E-banking sites do. Perhaps the most interesting point regarding the list is that it's from 2005 and some of the sites still remain vulnerable but why is that? Lack of internal incentive programs to deal with the problem? Not getting the necessary attention given the rise of the lost laptop with unencrypted data issue? A lack of common sense is the best alternative for me. Consider the perspective - its like utilizing quantum encryption for the sake of protecting the confidentiality of your data but remaining vulnerable to wardriving attacks capable of obtaining the data in a pre-encryption stage, even on the fly. The encrypted data myopia is on the rise and it's the result of a yet another "stolen laptop news article" emphasizing on current and ignoring the emerging trends, namely, that a mobile workforce's improved productivity is proportional with the insecurities coming from storing sensitive data in a less controlled external environment. There's no point in implementing state-of-the-art technology when you haven't taken care of the basics, such as the ones that are so easy to exploit even a script kiddie can become the next pentagon hacker bruteforcing passwords on an unclassified system. And yes - trivial XSS ones too.

Currently active URLs on the list are the following:
Nortel.com
Federal Deposit Insurance Corporation
JC Penney
SonyStyle.com
D-Link.com
Poetry.com

Big Brother Awards 2007

I always liked the idea of emphasizing on the big picture when it comes to the worst privacy invadors on a worldwide basis compared to that of a particular country only. They are all interconnected to a certain extend, united under the umbrella of the common good which as a matter of fact won a golden boot in this year's Big Brother International Awards :

"PI's 'Big Brother Awards' have been running for nearly ten years, with events run in eighteen countries around the world. Government institutions and companies have been named and shamed as privacy invaders in a variety of countries and contexts. This year was the first time that Privacy International ran an international event to identify the greatest invaders around the world. The event was hosted by 'the pope', as presented by Simon Davies in full regalia. Previous hosts include 'Dr. Evil' and 'The Queen of England'."

Here are the winners in their categories :

Most invasive company - Choicepoint
Data aggregators and centralizing too much personal data in a single place makes it vulnerable even to pringles hacking attacks. Next year I'm sure Google's purchase of Doubleclick would get more attention

Worst Public Official - Stewart Baker
The way Microsoft and open source look awkward in a sentence in this very same way democracy looks awkward next to Russia

Most Heinous Government - The United Kingdom
Fully agree here. Twisting the common good is very marketable

Most Appalling Project or Technology - The International Civil Aviation Organization

I think the CCTV industry should have won here the rest are bureaucrats whose closed doors propositions later on face the public outbreak of how not to implement them. Anyway supply meets the demand for surveillance.

Lifetime Menace Award - The 'Common Good'
The main reason for the existence of today's intrusive surveillance technologies is the idea of the common good. We spy on you to protect you, we take away your civil liberties to protect you, and CCTV after CCTV you end up in a situation which can be best seen in the U.K

Related posts:
The Future of Privacy = don't over-empower the watchers!
Security vs Privacy or what's left from it
The Cell-phone Industry and Privacy Advocates VS Cell Phone Tracking
Afterlife Data Privacy

Defeating Virtual Keyboards

To deal with the threat of keyloggers -- or to win time during te process of implementing two factor authentication and one-time-passwords-in-everything -- E-banking providers started introducing virtual keyboards as a pragmatic solution to the threat. Malicious attackers are anything but old-fashioned and this is a great example that insecurities are only a matter of perspective. To the E-banking providers who were aware that a static virtual keyboard would be much more easier to defeat, a randomized characters appearance came into play and so attackers adapted by first taking video sessions of the login process, and now turning each mouse click into a screenshot to come up with the accounting data in a PoC on Defeating Citibank Virtual Keyboard:

"Citibank Virtual Keyboard is a security enhancement for protecting from the key loggers. Using this virtual keyboard user can enter Card no and IPIN using mouse. This keyboard will display a keys in random position in a virtual keyboard on the screen where it makes little difficult for password capture. This only gives confidence for end user from key loggers not from other methods. Local attacker can use Win32 API’s to capture using screen shot method and obtain sensitive information including Credit Card/Debit Card (Suvidha Account), IPIN and misuse it."

From a malicious economies of scale perspective, these rather amateur techniques mean lack of efficiency compared to advanced tools suh as the Nuclear Grabber which I intend to cover in-depth in a future post from the Malicious Wild West series.

International Cryptography Regulations Map

Regulations on importing, exporting and using encryption greatly vary across the world. Bert-Jaap Koops came up with some informative maps highlighting the big picture :

"This is a graphic summary of the pertaining cryptography laws and regulations worldwide as outlined in the most recent version of my Crypto Law Survey. It shows the import controls, export controls, and domestic controls, according to the information available to me. Consult the corresponding entry in the Crypto Law Survey for the contents of the pertaining regulation in a particular country."

And here's a related post on a bureaucratic utopia, another one on bureaucracy vs reality when it comes to security, as well as famous cases related to criminals using encryption.

Disintermediating the Major Defense Contractors

Innovative and cost-effective altogether? Think SpaceShipOne, a commercial space ship that didn't come from a major defense contractor, not even NASA but from a competition won by a privately run company. How to disintermediate yet innovate? Become a venture capitalist, or an angel investor and optimistically hope the academic-to-commercialization process would happen with one of your investments. The DeVenCI project aims to connect sellers with buyers and seems like a sound short-term objectives oriented idea compared with In-Q-Tel the CIA's VC fund emphasizing on long-term R&D :

"Some companies have already profited from the program. In 2003, when DeVenCI was in its experimental phase, the Defense Information Systems Agency was looking for ways to protect computer networks. After speaking to several companies through DeVenCI and evaluating their technology, the agency wound up working with ArcSight, a software company based in Cupertino, Calif., which won $3.6 million in related contracts over the next few years, DeVenCI officials said. Mr. Novak of Novak Biddle said he brought with him to the March DeVenCI meeting two executives from a small start-up developing biometric technology that could be used for things like advanced fingerprinting or eye scans. Mr. Novak said the chief executive and chief technology officer from the Virginia company, which he declined to name for competitive reasons, gave a presentation to the roughly 50 assembled procurement agents."

Here's In-Q-Tel's investment portfolio so far -- Google used to be among them.

Related posts:
Insider Competition in the Defense Industry
Aha, a Backdoor!
Overachieving Technology Companies

DDoS on Demand VS DDoS Extortion

There were recent speculations on the decline of DDoS attacks, in respect to the lack of companies actually paying to extortion attacks and that it's supposedly not a cost effective approach for malicious attackers to use their botnets. Think again, as it's always a matter of a vendor's sensor network diversity, one that's also excluding targeting mom-and-pop web properties. Just because DDoS extortion may not be working, and I say may not be working because only a few companies would admit they have paid money given the simple math of losing revenues on an hourly basis and spending more on bandwidth and security consultancy than the money requested, DDoS on demand still remains a well developed underground business model. DDoS attacks may not be profitable for the attacker directly performing them, but remain profitable if he's getting paid to provide the service only. Here's an excerpt from my Future Trends of Malware (January, 2006) publication related to DDoS extortion :

"Now you should ask yourself, would total cost of ownership of the business, the costs of the bandwidth, the DDoS attack protection solution, or the botmaster’s deal with the devil style proposition can solve the situation. If you’re thinking big, each and every time an organization pays, it not only risks a repeated demand, but is also fueling the growth of the practice in itself – so don’t do it!"

I'm aware of an ironic situation where a small-biz client's web server started getting DDoS without any reason whatsoever. The first thing that came to my mind was that it's either a DDoS extortion, or a possible rival, so I asked whether or not they've received any extortion emails. They declined, and here comes the interesting part, two days later, the attacks stopped, and a letter arrived in the form of the following email - "We saw you ignored our first email so we had to demonstrate you the power of our attack, this is your second chance to bla bla bla". What happened, and why did they say no extortion emails were sent? Here comes the irony, in the spam folder of the publicly obtainable email account for the domain was the original extortion email, that got detected as a spam. Time for some cyber intelligence to assess their capacity.. Never comply with such letters, or they'll come back for more. By the way, ever thought of the DDoS extortion bluff?

Here's another excerpt on DDoS on demand :

"There’s a lot of demand for paying to teens to shut down your competitors and hoping they would go under the radar, and while ethics are excluded, given these get busted, they’ll be the first to forward the responsibility to the buyer of the service. There’s also a clear indication of market for such services, and sooner or later these individuals will improve their communication skills, thereby increasing the impact of these attacks. For instance, Jay Echouafni, CEO of TV retailer Orbit Communications, paid a group of botmasters to DDoS his competitors, where the outage costs were estimated at $2 million. Another case of DDoS on demand occurred in March, 2005, when the FBI arrested a 17 year old and a Michigan man for orchestrating a DdoS attack, again causing direct monetary loses. DDoS attacks, and the ease of gaining capability in this field are clearly increasing."

Unethical competitions would favor a service where a third party maintains the infrastructure, launches the attack, and for the safety of both parties, remain as anonymous as possible. Here' a related article at BBC News:

"We are seeing a lot of anti-competitive behaviour," he said. Mr Sop added that many more Asian targets were being hit by DDoS attacks - a region in which Symantec did not historically have a big presence. In Asia, he said, DDoS attacks were proving very popular with unscrupulous firms keen to get ahead of their rivals. "The really frightening thing is you can buy access to a botnet for a small amount of money and you can have you competitor down for a long time," he said."

I never actually enjoyed articles emphasizing on how Russian script kiddies are taking over the world given the idea of "outsourcing malicious services". So next time you see a DDoS attack coming from the Russian IP space against U.S companies, it could still be U.S based rivals that requested the attack on their U.S based competitors -- stereotypes keep you in the twilight zone.

Meanwhile, here's a proof hacktivism is still alive and fully operational as the Estonian Internet infrastructure's been recently under permanent DDoS attacks due to real-life tensions of removing a statue from the Soviet era. It wasn't Chinese Mao-ists that did it for sure, but the recent case is another proof that it's always about the money, as everyone not aware of different malicious attackers' motives is preaching. DDoS extortion isn't dead, it's just happening beneath the radar, as targets are picked up more appropriately balanced with less greed regarding this underground business model only.

UPDATE : More developments on the DDoS attacks in Estonia now combined with defacements, which I think was only a matter of time.

Related posts:
The Underground Economy's Supply of Goods
The War against botnets and DDoS attacks
Emerging DDoS Attack Trends
Korean Zombies Behind the Root Servers Attack
Hacktivism Tensions - Israel vs Palestine Cyberwars

A Chronology of a Bomb Plot

A very detailed overview of a bomb plot, especially the lines related to anything digital such as :

- "An e-mail sent from Mr. Khawaja to Mr. Khyam on Nov. 30, 2003, read: "It's not as easy as we thought it would be. We have to design the whole thing ourselves. "There are two parts to it, one transmitter and another receiver that will be at a distance of about 1 or 2km that will be attached to the wires and send out 5 volts down the line and then we get fireworks."

No details on whether or not the communication was encrypted, how it was decrypted -- indirectly through client side attacks for sure -- and was their communication on purposely intercepted or filtered though the noise with keywords such as transmitter, wires and fireworks.

- "Mr. Mahmood was working for the British gas company, Transco, and had stolen sensitive CD-ROMs from National Grid, a British utility, that detailed the layout of hundreds of kilometres of high-pressure gas pipelines in southeast England."

And the insider threat was just an overhyped threat with lack of statistical evidence of it happenning. Think twice. Don't dedicate efforts in ensuring such information never makes it out of the organization due to terrorist fears only, but consider the consequences of it getting into the wrong hands at the first place.

- "A notebook in the living room included references for books including The Virtue of Jihad, and Declaration of War."

Propaganda writings are easily obtainable online, which reminds me that monitoring them to the very last mile is worth the risk in order to further expand their network, of both, sites they visit and people they communicate with.

- "Downloaded on to his laptop was a computer file, The Mujahideen Explosive Handbook. It contained the exact recipe to build an ammonium nitrate bomb."

On purposely placed online DIY manuals can act as honeypots themselves. As we've already seen, counter-terrorism forces across the world are establishing such fake cyber jihad communities in order to lure and monitor wannabe jihadists. But monitoring who's obtaining the already hosted in the wild manuals, is far more beneficial than hoping someone will eventually fall a victim into your cyber trap.

In another related research by the RAND Corporation entitled "Exploring Terrorist Targeting Preferences" the authors try to come up with various scenarios on the process of prioritizing possible targets such as :

"the coercion hypothesis; the damage hypothesis; the rally hypothesis; and the franchise hypothesis. If Al-Qaeda directs the next attack the coercion and damage hypothesis, and, quite possibly both, are the most likely to influence the nature of the target.

Great psychological imagination applied in the paper, worth the read. From a statistical point of view, the probability of death due to a car accident is higher than that of a terrorist attack, so consider escaping the FUD related to terrorism that's streaming from your favorite TV channels in order to remain objective. The ugliest part of them all is that everyone's discussing the post-event actions taken, and no one is paying any attenting to the pre-event activities that made it possible, and with training camps under heavy fire, the digitalization of terrorist training is taking place.

And here's another great analysis, this time covering the process of how terrorists send money by combining anonymous Internet services in between mobile banking :

"Advanced mobile technology, cooperation between international mobile communications providers and international financial institutions and the lack of regulations make for a swift, cheap, mostly untraceable money transfer -- known as "m-payments" -- anywhere, anytime, by anyone with a mobile telephone."

Dare we say adaptive?

Winamp PoC Backdoor and a Zero Day

Listen to your infection? Not necessarily as this backdoor binds cmd.exe on port 24501, but needs to be socially engineered in the form of a plugin for Winamp. Code originally released in December, 2006, see attached screenshot. Not much of a fun here either, but as the folks at SANS point out Winamp doesn't play .MP4 files automatically from a web page, so no chance to have it embedded within popular sites and cause mass outbreaks as we saw it happen with the with ANI exploit code and the WMF one.

gen_wbkdr.dll
File size: 45056 bytes
MD5: 74d149f4a1f210ea41956af6ecedb96b
SHA1: 5a2e8d5727250a647ce44d00cf7446775e6cd7d5

Anti-Censorship Lifestyle

Following a previous post on security lifestyle(s), and in between the ongoing efforts to censor a 16 digit number I feel it's about time you dress yourself properly in case you haven't done so already. Censorship in a Web 2.0 world is futile, the way security through obscurity is. Seems as everyone's talking about the number today, there's even a domain name registered with it.

The Brandjacking Index

Picture a situation where a customer gets tricked into authenticating at the wrong site of company XXX. Would they do business with company XXX after they get scammed, trojan-ized, and spammed to (virtual) death? I doubt so, and as we can also see in the results of a recently released survey on whether or not customers would do business with retailers who exposed personal data - they'd rather dump them right away.

MarkMonitor just released their first quarterly Brandjacking Index :

"The Brandjacking Index investigates trends, including drilled-down analysis of how the most popular brands are abused online and the industries in which abuse is causing the most damage. The report examines the ever-adaptive tactics of brandjackers such as cybersquatting, false association, pay-per-click (PPC) fraud, domain kiting, objectionable content, unauthorized sales channels and phishing. The Brandjacking Index tracks the top 25 brands from the 2006 Top 100 Interbrand study plus additional Interbrand ranked companies for business segment analysis."

The old marketing rule that a dissatisfied customer will share the bad experience with at least five more fully applies here, and given he or she's an opinion leader in their circle - you've got a problem as it's your brand in the domain name. Therefore, despite the companies developing a market segment for timely and reliably shutting down phishing sites, the most obvious "cybersquatted" domains shouldn't even be allowed to get registered at the first place. But given the flexibility of registering a domain these days, from a company's perspective, cybersquatting's an uncontrollable external factor, and in order to protect their future flow of "soft dollars" efforts to monitor the domain space are highly advisable.

There're several key techniques you should keep in mind. Cybersquatting, vulnerabilities within the browser to spoof the status bar and make it look like the legitimate page, or a malware infected PC that's basically redirecting all the known E-banking sites to fake ones. No anti virus, no Ebanking is highly advisable, yet not a solution to the problem, and E-banking site's compatibility with the most popular -- and targeted -- Internet Explorer browser ONLY, turn many precautions into a futile attempt to deal with the problem -- heading in the opposite direction. The question is, which technique is more effective at the end user's perspective, and how should the targeted organizations deal with this indirect form of attack on their brands, reputation and the rest of the "soft dollars" goodies such as favorable PR and stakeholder's comfortability? From another perspective, who's more irresponsible, the unaware end user, or banks whose web application security ignorance make it easier for phishers to establish trust?

One solution to the problem is shortening the lifetime of such a domain to the minimum by tracking and shutting them down by using a commercial service like this online trademark monitor, a screenshot of which you can see at the top of the post. Perhaps rather resources-consuming, but educating your customers for their own safety in times when anyone can register a pay-pal-login.tld domain like through third-party registers, is another way to go. Did I mention that anti-phishing toolbars are a free alternative in case common sense fails -- like it does?