Tuesday, July 31, 2007

Average Online Time for Phishing Sites

Some vendors specialize in clustering phishing attacks to better understand the phishing ecosystem and reveal all of its nodes. Others, armed with opportunistic business development strategies, are developing a market segment that provides their customers with services for timely shutting down a phishing or malicious web site. Symantec recently released informative averages on the time a phishing site remains online, confirming the need for such a market segment and prompting the discussion on alternative solutions :

"Our analysis shows how ISPs in some countries are relatively slower than others to shut down attacks. For example, Taiwan’s average shutdown time has been only 19 hours on 92 attacks, while in Australia the average for 98 attacks has been almost one week for a single shutdown. Other countries slow to respond include the USA and India. Countries identified as responding quickly include Germany, Netherlands, Japan, Estonia, Poland and Russia."

Moreover, May's report from the Anti-Phishing Working Group has an even better sample, consisting of 37438 unique phishing sites, where the average time online for a phishing site was 3.8 days and the longest time online was 30 days. Why are certain ISPs slower in shutting down phishing sites than others? What motivates the best performing ones to react immediately? It's all a matter of perspective. Let's consider the facts :

- DIY phishing kits such as Rock Phish significantly increased the number of phishing sites, but traded quality for efficiency. Rock Phish's major strength is also its major weakness, namely centralization, so the phisher ends up with a single IP hosting phishing sites for numerous banks. In fact, according to IBM's X-Force, single domains were carrying an average of 1000 phishing sites

- Phishing sites hosted on home users' PCs are harder to shut down than those hosted on a web server

- Russia is responding faster than the U.S. because, according to the APWG's stats on countries hosting phishing sites, Russia's share is 7.41% compared to the U.S.'s 32.41%. We have the same situation with countries hosting trojans and downloaders, where Russia accounts for 6% compared to China with 22%. This does not mean Russia is out of the game, not at all, but just as you may have a Russian phishing/malware campaign hosted in the U.S., you may also have a U.S. phishing/malware campaign hosted in Russia

- The lack of incentives for ISPs to be in a hurry, and the lack of accountability for them if they are not. Perhaps if the vendors developing the market segment for shutting down phishing sites started sharing revenues in a win-win-win fashion, it would make a difference where no legislation is in place

- XSS vulnerabilities within E-banking sites often act as redirectors, so while you're shutting down yet another .info domain, the XSS is still there waiting to get abused

- In fast-flux-powered attacks that achieve malicious economies of scale, any stats should be considered at least partly "scratching the surface" only, due to the fact that, while the redirector may be in the U.S., the second node with the phishing site may be in Russia, and the third one hosting the malware in Taiwan. And so, while you've shut down the most obvious nodes, the campaign remains intact and gets automatically re-mixed to achieve malicious diversity using the same domain names, but under different and dynamic IPs next time

What would be the most effective approach for the most targeted financial services to protect their customers from phishing attacks? Hire brandjacking monitoring services to efficiently and persistently shut down the phishing sites generated with DIY phishing kits, educate E-banking customers, or do both? Assess their unique situation and balance, while considering that some folks still don't know what phishing really is. Now, try explaining to them what form input grabbing malware tools such as the Nuclear Grabber are.

Related posts:
A Client Application for Secure E-banking?
The Rock Phish Kit in action
The Brandjacking Index
Security threats to consider when doing E-banking
Banking Trojan Defeating Virtual Keyboards
Defeating Virtual Keyboards

Feeding Packed Malware Binaries

Remember the avvcc.com domain which I mentioned in a previous example of a fast-flux network using the WebAttacker kit two months ago? It's still up and running, this time hosting an online gaming account password stealer, and the binary is packed using five different packers in exactly the same fashion as the binary obtained two weeks ago. The domain itself is a great example of a fast-flux network, a term coined by the Honeynet Project to showcase the growing complexity and evasive techniques introduced by the malicious ecosystem on its road to invisibly control, evaluate and manage its malicious campaigns online.

Packed binary obtained two weeks ago :

File size: 205917 bytes
MD5: ef11bed4a5f4d61ad771204d1ec6ac25
SHA1: 6c35869de5ef20b949b3d9f53e111f26f4631569
packers: PECompact, NsPack
packers: ZIP, PecBundle, PECompact

Packed binary as of today :

File size: 76800 bytes
MD5: 17d12aecb7aba82ecc38dd6d2dd3e3b3
SHA1: 439947056d1005ec8738ed19e84bbba043556a2f
packers: PecBundle, PECompact

Both binaries have a relatively high detection rate, but that's not the point. The point is the ongoing trend of malware embedded web sites, which in combination with a fast-flux network prompts the need to re-evaluate your security policies and preemptive security strategy.

Fast-flux networks graph courtesy of the Honeynet Project & Research Alliance.
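As an added illustration of the fast-flux behaviour described above (example code written for this page, not from the Honeynet Project or this blog), the following Python script profiles a series of DNS answers per name and scores the classic indicators: short TTLs, many unique addresses, addresses spread over several network prefixes, and churn between successive answers. The DNS observations are constructed; the avvcc.com answers are invented to show the pattern, the example.net answers show a conventionally hosted name for contrast, and the /16 prefix is used as an offline stand-in for an ASN lookup.

```python
from collections import defaultdict
from datetime import datetime

# Constructed DNS observations: (timestamp, name, A records, TTL in seconds).
# The avvcc.com answers are invented to show flux behaviour; example.net shows
# a conventionally hosted name for contrast. Addresses come from documentation ranges.
OBSERVATIONS = [
    ("2007-07-31T10:00:00", "avvcc.com", ["203.0.113.10", "198.51.100.7", "192.0.2.44"], 300),
    ("2007-07-31T10:05:00", "avvcc.com", ["203.0.113.10", "192.0.2.91", "198.51.100.200"], 300),
    ("2007-07-31T10:10:00", "avvcc.com", ["192.0.2.17", "203.0.113.250", "198.51.100.33"], 180),
    ("2007-07-31T10:15:00", "avvcc.com", ["192.0.2.91", "203.0.113.99", "198.51.100.7"], 300),
    ("2007-07-31T10:00:00", "example.net", ["192.0.2.1"], 86400),
    ("2007-07-31T10:05:00", "example.net", ["192.0.2.1"], 86400),
    ("2007-07-31T10:10:00", "example.net", ["192.0.2.1"], 86400),
]


def prefix16(ip):
    # Offline stand-in for an ASN lookup: group addresses by their /16.
    return ".".join(ip.split(".")[:2])


def analyse(observations, short_ttl=900, min_ips=5, min_prefixes=3, churn_floor=0.5):
    """Profile each name and count how many flux indicators it trips (0..4)."""
    by_name = defaultdict(list)
    for ts, name, ips, ttl in observations:
        by_name[name].append((datetime.fromisoformat(ts), set(ips), ttl))

    report = {}
    for name, answers in by_name.items():
        answers.sort(key=lambda a: a[0])
        all_ips = set().union(*(ips for _, ips, _ in answers))
        prefixes = {prefix16(ip) for ip in all_ips}
        avg_ttl = sum(ttl for _, _, ttl in answers) / len(answers)
        # churn: share of each answer's addresses that were absent from the previous answer
        churn = [len(cur - prev) / len(cur)
                 for (_, prev, _), (_, cur, _) in zip(answers, answers[1:])]
        avg_churn = sum(churn) / len(churn) if churn else 0.0
        indicators = {
            "short_ttl": avg_ttl <= short_ttl,
            "many_ips": len(all_ips) >= min_ips,
            "many_prefixes": len(prefixes) >= min_prefixes,
            "high_churn": avg_churn >= churn_floor,
        }
        report[name] = {
            "unique_ips": len(all_ips),
            "prefixes": len(prefixes),
            "avg_ttl": avg_ttl,
            "avg_churn": round(avg_churn, 2),
            "indicators": indicators,
            "flux_score": sum(indicators.values()),
        }
    return report


if __name__ == "__main__":
    for name, r in analyse(OBSERVATIONS).items():
        flagged = [k for k, v in r["indicators"].items() if v]
        print(f"{name}: score {r['flux_score']}/4, {r['unique_ips']} IPs in {r['prefixes']} /16s, "
              f"avg TTL {r['avg_ttl']:.0f}s, churn {r['avg_churn']}; indicators: {flagged}")
```

The thresholds are deliberately loose starting points; a CDN-hosted name also rotates addresses, so in practice the prefix and churn indicators are what separate flux from legitimate load balancing, and the /16 proxy should be replaced by real ASN data before acting on a score.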

GIMF Switching Blogs

The Global Islamic Media Front, like pretty much all other cyber jihadist supporters and jihadist media agencies, seems to have fallen in love with Wordpress. Exactly one month after I posted a list of terrorism supporting or glorifying blogs, both GIMF's English and German version blogs were shut down. Strike one for the good guys. But did they really disappear from the cyber jihadist blogosphere? Not at all. The Global Islamic Media Front simply switched its propaganda to this blog. Among GIMF's most notable IT releases are the Mujahideen Secrets Encryption Tool and the quarterly released Technical Mujahid E-zine.

Monday, July 30, 2007

World of Warcraft Domain Scam

World of Warcraft playing species, beware! Can you find the differences? Depending on the font type, font size and email client, a euphoric gamer can easily fall victim to this, and she will, since the domain is currently redirecting to Blizzard's real WoW site in Europe. As you can see in the attached screenshot, this domain, registered a week ago, aims to trick you, and your email client's font preferences, into thinking VV equals W, and that vvovv-europe.com is indeed wow-europe.com.

Creation Date........ 2007-07-25
Expiry Date.......... 2008-07-25

Some developments on the cybersquatting front :

"The Coalition Against Domain Name Abuse (CADNA) is announcing the launch of its national campaign against Internet fraud. A non-profit organization based in Washington D.C., CADNA is leading the way in confronting cybersquatting – the fraudulent abuse of domain name registration that threatens the future viability of Internet commerce. Although the Anti-Cybersquatting Consumer Protection Act (ACPA) was introduced in 1999, cybersquatting remains an underestimated threat. The number of .com domain names alone has doubled since 2003, and the number of cybersquatting disputes being filed with the World Intellectual Property Organization (WIPO) is on the rise – up 25% in 2006 from 2005. According to a recent independent report, cybersquatting increased by 248% in the past year."

So far, this remains the most creative typosquatting "scam to come" I've seen in a while.
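To make the VV-for-W trick concrete from the defender's side, here is an added Python example (mine, not Blizzard's or this blog's code) that collapses such confusable sequences to a "skeleton" and compares hostnames found in a message against a watch list of brand domains. The CONFUSABLES table, the sample email text and the watch list are constructed for the example, and the edit-distance check for plain one-character typos goes a step beyond what the post discusses.

```python
import re

# Sequences that render alike in common proportional fonts. Constructed short list;
# production tooling would draw on the Unicode confusables data instead.
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"), ("|", "l")]

# Constructed lure text modelled on the post: the first link uses the VV-for-W domain.
SAMPLE_EMAIL = """Your World of Warcraft account needs verification.
Log in at http://www.vvovv-europe.com/account/ within 24 hours.
Support: http://www.wow-europe.com/support/"""

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def skeleton(label):
    """Collapse confusable sequences so look-alikes compare equal."""
    s = label.lower()
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s


def edit_distance(a, b):
    """Plain Levenshtein distance, enough to catch one-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host, watchlist):
    """Return (verdict, brand): 'legitimate', 'homoglyph', 'typo', or (None, None)."""
    h = host.lower().rstrip(".")
    for brand in watchlist:
        b = brand.lower()
        tail = ".".join(h.split(".")[-len(b.split(".")):])  # compare the brand-sized suffix
        if tail == b:
            return ("legitimate", b)
        if skeleton(tail) == skeleton(b):
            return ("homoglyph", b)
        if edit_distance(tail, b) == 1:
            return ("typo", b)
    return (None, None)


def suspicious_hosts(text, watchlist):
    """Hostnames in text that look like, but are not, a watch-listed brand domain."""
    found = []
    for host in HOST_RE.findall(text):
        verdict, brand = classify(host, watchlist)
        entry = (host.lower(), verdict, brand)
        if verdict in ("homoglyph", "typo") and entry not in found:
            found.append(entry)
    return found


if __name__ == "__main__":
    for host, verdict, brand in suspicious_hosts(SAMPLE_EMAIL, ["wow-europe.com"]):
        print(f"{host}: {verdict} of {brand}")
```

The skeleton comparison is what catches vvovv-europe.com; a pure edit-distance rule would miss it, since replacing two w's with four v's is four edits away. Run the same check over newly registered domain feeds, as the post's whois record suggests, to catch such registrations before the mail goes out.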

The IcePack Malware Kit in Action

The IcePack is a rather average web based malware C&C kit compared to, for instance, the Black Sun, the Cyber Bot, Mpack, and especially Zunker. Average in terms of the lack of unique features offered, which makes me think that it's a hybrid of publicly obtainable stats and exploit rotation modules.

After providing you with in-depth overviews of the large scale attacks using the WebAttacker and the Mpack kits in previous posts, in this post I'll showcase the IcePack kit in action. As I've already pointed out in a previous post related to the increasing number of malware embedded sites, malware authors are diversifying their traffic aggregation approaches, and are either exploiting the sites themselves or their ISP's CPanel, or using push, pull and passive embedding techniques to achieve their goal.

Listening to your infection? Indeed. In the middle of the month, Brazilian fan sites of popular music bands such as t.A.T.u and Linkin Park got IFRAME-ed, and had their visitors infected with an IcePack loader. Let's assess the URL within the IFRAME appropriately.

URL : hllp://my-loads.info
IP :
Response : HTTP/1.1 200 OK
Date: Mon, 30 Jul 2007 01:02:43 GMT
Server: Apache/1.3.37 (Unix) mod_ssl/2.8.28 OpenSSL/0.9.8a PHP/5.2.3 mod_perl/1.29
X-Powered-By: PHP/5.2.3
Transfer-Encoding: chunked
Content-Type: text/html

Then we are taken to a not so sophisticated obfuscation, pointing us to the vulnerabilities exploited and the actual binary. Detection rates for the loader so far :

AntiVir 2007.07.28 TR/Crypt.U.Gen
AVG 2007.07.28 Obfustat.AGS
eSafe 2007.07.29 suspicious Trojan/Worm
Ikarus 2007.07.29 Trojan-Downloader.IcePack
McAfee 2007.07.27 New Win32
Panda 2007.07.29 Generic Malware
Sophos 2007.07.26 Mal/HckPk-A
Sunbelt 2007.07.28 Trojan-Downloader.IcePack
Symantec 2007.07.29 Downloader
Webwasher-Gateway 2007.07.29 Trojan.Crypt.U.Gen

File size: 6792 bytes
MD5: ce3291be2ded8b82fc973e5f5473b1fe
SHA1: fcf4cab3ade392c611c95e16c913fbc967577222

More screenshots of the IFRAME at Finjan's blog, and a comment on evasive attacks : "The toolkit also uses evasive attack. By blocking specified countries and multiple instances from the same IP address, it minimizes exposure to security vendors." Very true. Re-visiting it, I no longer get exploited.

Ice Pack kit screenshots courtesy of an IDT Group member pitching the kit.
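Since the infection vector here was an injected IFRAME on otherwise legitimate fan sites, an added Python example (not this blog's or Finjan's code) shows the checks a site owner can run over their own pages to spot such injections: near-zero dimensions, CSS hiding, off-screen positioning and a source on a third-party host. The sample HTML is constructed; it reuses the my-loads.info host from the post as the injected frame's destination, and the fan-site hostname fans.example is a placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page for a fictional fan site (fans.example): one ordinary same-site
# frame, and one injected frame of the kind the post describes.
SAMPLE_HTML = """<html><body>
<h1>Tour dates</h1>
<iframe src="http://fans.example/widgets/calendar.html" width="400" height="300"></iframe>
<p>See you at the show!</p>
<iframe src="http://my-loads.info/" width="1" height="1" style="visibility: hidden"></iframe>
</body></html>"""


def near_zero(value):
    """True for attribute values like '0', '1', '1px' or '1%' that make a frame invisible."""
    if value is None:
        return False
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= 1


class IframeAuditor(HTMLParser):
    """Collects <iframe> tags and records every hiding trick each one uses."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":          # HTMLParser already lowercases tag and attribute names
            return
        a = {name: (value or "") for name, value in attrs}
        reasons = []
        if near_zero(a.get("width")) or near_zero(a.get("height")):
            reasons.append("near-zero size")
        style = a.get("style", "").replace(" ", "").lower()
        if "visibility:hidden" in style or "display:none" in style:
            reasons.append("hidden by CSS")
        if "left:-" in style or "top:-" in style:
            reasons.append("positioned off-screen")
        src = a.get("src", "")
        host = urlparse(src).hostname
        if host and host.lower() != self.page_host:
            reasons.append("third-party source " + host.lower())
        if reasons:
            self.findings.append({"src": src, "reasons": reasons})


def audit_page(html, page_host):
    """Return the list of suspicious iframes found in html served from page_host."""
    auditor = IframeAuditor(page_host)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for f in audit_page(SAMPLE_HTML, "fans.example"):
        print(f["src"], "->", "; ".join(f["reasons"]))
```

A third-party source on its own is only a triage signal, since video embeds and ad frames trip it too; pair it with an allow list of known embed hosts, and treat the combination of a foreign host with any of the hiding tricks as the finding worth paging someone for. Because the kit blocks repeat visits from the same IP, the page you fetch for review should come from the web server's own files rather than from a browser.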

Saturday, July 28, 2007

Shark2 - RAT or Malware?

The latest release (26 July 2007) of the Shark2 RAT (Remote Administration Tool) once again demonstrates how thin the line between RATs and malware in fact is. Moreover, it shows the reality of how malware is often pitched as a RAT "for educational purposes only", whereas it includes typical malware-like features such as virtual machine detection and anti virus detection, ones not so common for RATs such as PC Anywhere, for instance. So, it's not a RAT but malware. More on Shark2 :

"sharK is an advanced remote administration tool written in VB6. With sharK you will be able to administrate every PC in the world (using Windows OS) remotely. Here are some facts:
* sharK uses RC4 to encrypt the traffic with a random cipher generated every new startup.
* sharK is able to resume downloads and uploads when the server disconnects on the next connect
* sharK is completely Plugin based! So you have a very small server and never need to update it (except on core changes)
* Compressed Transfers
* Thumbnail Previews of Pictures
* Screen Capture with VNC-Technology (Only the parts of the pic that are changed since the last shot will be transferred)
* Keylogger works with Keyboard hooking
* You have a real DOS-Shell instead of dos-output like in the most Remote Administration Tools
* Interactive Process Blacklist
* Virtual-Machine detection"

Vendors are detecting the latest builder already, despite the logical crypter obfuscations to come :

AntiVir 2007.07.28 TR/Sniffer.VB.C.2
CAT-QuickHeal 9.00 2007.07.28 Backdoor.VB.bax
Fortinet 2007.07.28 W32/VB.BAX!tr.bdr
Ikarus T3.1.1.8 2007.07.28 Backdoor.Win32.VB.bax
Kaspersky 2007.07.28 Backdoor.Win32.VB.bax

MD5: d5eca6c6a1956cb2f4261da1b8f25ee2
SHA1: b603d0d6e3dff0f5f01e86eb82eb80a0e0455445

Delicious Information Warfare, Saturday, 28th

Here are some of the most interesting security papers, tools and services I stumbled upon during the week. Enjoy, and stay informed!

Papers and Publications :

- Exploiting the iPhone - Paper + Video
"Shortly after the iPhone was released, a group of security researchers at Independent Security Evaluators decided to investigate how hard it would be for a remote adversary to compromise the private information stored on the device. Within two weeks of part time work, we had successfully discovered a vulnerability, developed a toolchain for working with the iPhone's architecture (which also includes some tools from the #iphone-dev community), and created a proof-of-concept exploit capable of delivering files from the user's iPhone to a remote attacker. We have notified Apple of the vulnerability and proposed a patch. Apple is currently looking into it."

- The Evolution of GPCode/Glamour RansomWare
"This report contains a description of the more obscure, previously undocumented traits belonging to the GPCode/Glamour trojan. The code is a modified version of the Prg/Ntos family which was detailed in depth during our Encrypted Malware Analysis in November 2006. While a majority of the functionality has not changed since then, this recent variant is distinctive enough to warrant additional research. In particular, the trojan is now equipped with the ability to encrypt a victim’s files on disk. The motive for adding this feature is clearly monetary, as the victim is advised that the files will remain encrypted unless $300 is turned over to the authors, in exchange for a decryption utility."

- A Guide to Security Metrics
"In the face of regular, high-profile news reports of serious security breaches, security managers are more than ever before being held accountable for demonstrating effectiveness of their security programs. What means should managers be using to meet this challenge? Some experts believe that key among these should be security metrics. This guide provides a definition of security metrics, explains their value, discusses the difficulties in generating them, and suggests a methodology for building a security metrics program."

- Secure File Deletion - Fact or Fiction?
"This paper will deal with how and where some of these files are created and how to securely remove them from a system. Microsoft Windows operating systems and associated applications will be the main focus. This paper is divided into two main sections, the first section is designed to be a primer on the types of information that can be found on a hard drive. It is not designed to be a fully detailed data recovery/computer forensics tutorial, but is designed to show security professionals how much information can be found on a hard drive. The second section deals with the concepts behind securely deleting files and associated data from a hard drive."

- Group Policy Extensions in Windows Vista and Windows Server 2008 - Part 1
"Some of the more useful new group policy settings included in Windows Server 2008 and Windows Vista."

- Hooking CPUID - A Virtual Machine Monitor Rootkit Framework
"One of the fascinating debates taking place around the web is whether or not an OS can detect if it is running inside a VM. Surely a VMM will never be able to fool an external clock but discounting that, who knows? In any regard, I have written a small VMM that attempts to place the host OS into a VM and then handles the basic subset of unconditional VM-exits. Great. Now what?"

- BIND 9 DNS Cache Poisoning
"This weakness can be turned into a mass attack in the following way: (1) the attacker lures a single user that uses the target DNS server to click on a link. No further action other than clicking the link is required (2) by clicking the link the user starts a chain reaction that eventually poisons the DNS server's cache (subject to some standard conditions) and associates fraudulent IP addresses with real website domains. (3) All users that use this DNS server will now reach the fraudulent website each time they try to reach the real website."

- Secure Programming Best Practices for Windows Vista Sidebar Gadgets
"Today, the Windows Vista Sidebar hosts Gadgets built from HTML, JavaScript, and potentially ActiveX controls, and because Gadgets are HTML, they are subject to Cross-site Scripting style bugs. These bugs are extremely serious because script in the Sidebar is capable of running arbitrary code in the context of the locally logged-on user. This document outlines some of the secure programming best practices that should be considered when building Windows Vista Sidebar Gadgets."

- Wardriving Bots
"wardriving-bot's are autonomous systems that are installed in a train, car, bus, taxi or truck and collect wardriving data's, like SSID, GPS-data, MAC address and all other stuff, that kismet can handle. after collecting this data, encrypting, the bot try to send this information back to the Bot-Handler with using a "open" access point or a HotSpot."

- KYE: Fast-Flux Service Networks
"This whitepaper details a growing technique within the criminal community called fast-flux networks. This is an architecture that builds more robust networks for malicious activity while making them more difficult to track and shutdown. This is the first KYE paper we are releasing in both .pdf and .html format."

Security Tools :

- Atsiv v1.01 - load, list and unload signed or unsigned drivers on 32 and 64 bit versions of Windows XP, 2K3 and Vista
"Atsiv is a command line tool that allows the user to load and unload signed or unsigned drivers on 32 and 64 bit versions of Windows XP, Windows 2K3 and Windows Vista. Atsiv is designed to provide compatibility for legacy drivers and to allow the hobbyist community to run unsigned drivers without rebooting with special boot options or denial of service under Vista."

- Secunia Personal Software Inspector - Checks Over 4,200 Applications for Latest Patches
"The Secunia PSI detects installed software and categorises your software as either Insecure, End-of-Life, or Up-To-Date. Effectively enabling you to focus your attention on software installations where more secure versions are available from the vendors."

- HIHAT - High Interaction Honeypot Analysis Toolkit
"The High Interaction Honeypot Analysis Toolkit (HIHAT) allows to transform arbitrary PHP applications into web-based high-interaction Honeypots. Furthermore a graphical user interface is provided which supports the process of monitoring the honeypot and analysing the acquired data."

- GPCode Ransom Trojan Decoder
"Recent reports of GPCode, a Ransom Trojan that encrypts files and asks for $300.00 to unlock the victim files have been hitting headlines in the news. Secure Science has offered a freely available decoder for freeing up the files without any problems. This program was written as open source software in the interest of support for other researchers. If you have become a victim of the GPCode Ransom trojan, please download a copy and run it on your systems and it will decrypt the files back to the state they were in before the trojan infected the computer."

- Rootkit Detective v1.0
"McAfee Rootkit Detective is a program designed and developed by McAfee Avert Labs to proactively detect and clean rootkits that are running on the system."

- CSRF Redirector
"Inspired by the XSS POST Forwarder, I just created the CSRF Redirector. It's a simple tool that makes it easy to test CSRF using POST, hopefully demonstrating how prevalent CSRF vulnerabilities are as well as reducing the misconception that forging a POST request is complicated."

- WordPress Security Scanner
"The WordPress version survey was largely successful; it was released on both Slashdot and SecurityFocus which I am quite pleased about, but now onto something even more interesting - that was just the appetizer. I received a lot of questions regarding how my survey was conducted. I was going to write an aftermath post (which I still may do), but decided to release my tool, "wp-scanner" instead."

- WAZ v 1.0 - Windows Anti DDoS Tool
"Through my study and research I found lots of networks that are under the hood of Ddos attacks.WAZ is a solution to this. The tool is fully functional and effective in stopping the Ddos agents. You can find lots of Ddos agents like Trinoo, WinTrinoo, Shaft, Mstream, Stacheldhart Ver 1 & 2, Trinity, Entitee etc. They are considered to be the best agents to launch distributed denial of service attacks."

- The Ultimate Distributed Cracker
"The main purpose of UDC is the recovery of the passwords by the given hash-values (NTLM, MD5, SQL, SHA1 and 40+ other). The typical user can recover own forgotten passwords, for example, Windows NT/XP/2003 authorization passwords. Multithreaded and distributed recovery modes are supported. The new method for precalculating Hybrid Attack using Rainbow Tables is introduced. Now there's nothing unbreakable"

- MITRE Honeyclient Project
"Honeyclients can proactively detect exploits against client applications without known signatures. This framework uses a client-server model with SOAP messaging as the primary communication method, and uses the free version of VMware Server as a means of virtualizing the client environment."

- PSA3 - PHP Source Auditor III
"PHP Source Auditor III (or PSA3) was created in order to quickly find vulnerabilities in PHP source code. Written in Perl."

- Javascript LAN scanner
"Any information obtained using the scanner will not be logged in any way. All new router form submissions are anonymous"

Services & Misc :

- 10 Free Services to Send Self-Destructing/Auto-Expiring Emails
"Self Destructing emails delete the original message once it has been read by the recipient. While they are not completely fool proof, for example, someone can take a photo of the message with the camera, the record on the Internet does not remain. Here are a few self destructing email providers that you might find useful for sending emails. Some even provide free plug-ins for sending emails through a desktop based email client such as Outlook or Thunderbird."

- Video - Using Darik's Boot and Nuke (DBAN) to Totally Wipe a Drive
"Another continuation of my file carving video and selective file shredding (DOD 5220.22-M) to thwart forensics tools video, this video shows how to use Darik's Boot and Nuke (DBAN) to totally wipe a drive. DBAN is a great tool to add to your anti-forensics tool box."

- Videos from the ToorCon Information Security Conference

- CISSP Certification Verification Site
"Check (ISC)² credential status for an individual or find credential holders within a company or geographic area."

Thursday, July 26, 2007

More Malware Crypters for Sale

There's an ongoing trend among malware authors to either code malware crypters and packers from scratch and sell them at a later stage, or, even more interesting, obtain publicly available crypter source code, modify it, add extra features and new encryption routines, and make it available for sale. The rise of DIY malware crypters enables literally everyone to fully obfuscate an already detected piece of malware, so that if no extra security measures beyond virus signature scanning are in place, an infection takes place.

The first crypter has the following options :

- Memory execution/injection within its own process, execution in the default browser's memory, or no in-memory execution at all, just dropping
- Custom encryption with min and max encryption layers, RC4, and NTDLL Compression API

The second crypter, a previous version of the first one, has the following options :

- custom resource names
- scramble
- custom encryption layer

Moreover, given the ongoing competition among coders and modifiers of malware crypters, services such as bundles of dozens of already packed bots are often thrown in as a bargain to secure a purchase, on far more flexible terms. The third crypter is a perfect example of a source code modification, since it lacks any significant or unique features.

The most dangerous threat, however, remains your lack of decent situational awareness.
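Both the packed binaries from the avvcc.com post above and the crypters discussed here leave the same trace on disk: a body whose bytes are near-random, which is exactly what a signature scanner cannot match. As an added example (mine, not code from any of the kits or from this blog), the Python below computes per-chunk Shannon entropy and flags a buffer as likely packed or crypted when most chunks sit near the 8-bit ceiling. The sample buffers are constructed with a seeded generator so the run is repeatable, and the 7.0-bit threshold, chunk size and majority rule are assumptions to tune against real samples.

```python
import math
import random

# Constructed sample buffers. PLAIN imitates uncompressed code/data with a small
# alphabet; PACKED imitates a crypter's output using a seeded generator so the
# run is repeatable; STUB_PLUS_PACKED imitates a small clear-text unpacking stub
# followed by an encrypted body, the layout most packers produce.
CHUNK = 4096
PLAIN = (b"The quick brown fox jumps over the lazy dog. " * 200)[: 2 * CHUNK]
_rng = random.Random(2007)
PACKED = bytes(_rng.getrandbits(8) for _ in range(2 * CHUNK))
STUB_PLUS_PACKED = PLAIN[:CHUNK] + bytes(_rng.getrandbits(8) for _ in range(3 * CHUNK))


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, up to 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def chunk_entropies(data, size=CHUNK):
    """Entropy of each consecutive size-byte window, so a clear-text stub is not averaged away."""
    return [shannon_entropy(data[i:i + size]) for i in range(0, len(data), size)]


def looks_packed(data, threshold=7.0, min_fraction=0.5):
    """Flag a buffer when at least min_fraction of its chunks sit above threshold bits/byte.
    Threshold and fraction are assumptions to tune against real samples; compressed
    resources (images, archives) inside a clean binary also score high."""
    ents = chunk_entropies(data)
    if not ents:
        return {"chunks": 0, "high_entropy_chunks": 0, "max_entropy": 0.0, "verdict": False}
    high = sum(1 for e in ents if e >= threshold)
    return {
        "chunks": len(ents),
        "high_entropy_chunks": high,
        "max_entropy": round(max(ents), 2),
        "verdict": high / len(ents) >= min_fraction,
    }


if __name__ == "__main__":
    for label, buf in [("plain", PLAIN), ("packed", PACKED), ("stub+packed", STUB_PLUS_PACKED)]:
        r = looks_packed(buf)
        print(f"{label}: {r['high_entropy_chunks']}/{r['chunks']} chunks high, "
              f"max {r['max_entropy']} bits/byte -> packed={r['verdict']}")
```

On a real executable you would run this per PE section rather than over the whole file, and read a high-entropy .text or an oversized last section as the packer's footprint; the point for a defender is that entropy is a property the crypter cannot remove without giving up its purpose, which makes it a cheap first-pass signal to complement signatures.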

Cyber Jihadists and TOR

You've always known it, I've always speculated on it, and now I can finally provide a decent screenshot of a cyber jihadist howto recommending TOR and taking the average reader step by step through the process of obtaining and using it -- "rocket science" by itself. Following previous comments regarding Jihadists' Anonymous Internet Surfing Preferences, I also pointed out the obsolescence of sampling jihadist IPs at various forums and sites, as it's both obvious and logical to consider that surfing, reconnaissance and communication are happening in a tunneled fashion.

Related posts:
Cyber Traps for Wannabe Jihadists
Mujahideen Secrets Encryption Tool
The Current State of Internet Jihad
Characteristics of Islamist Web Sites
A List of Terrorists' Blogs
An Analysis of the Technical Mujahid Issue One
An Analysis of the Technical Mujahid Issue Two
Terrorist Groups' Brand Identities

Confirm Your Gullibility

The Rock Phish kit in action. Registered yesterday, a .info domain is faking a Royal Bank of Scotland Customer Confirmation Form, and is a great indication of the convergence of spam and phishing, part of the phishing ecosystem in terms of cooperation.

Message source spoofed from : corporateclients.refj2225451hh.ib @ rbs.co.uk

Message content : Dear Royal Bank of Scotland customer,
The Royal Bank of Scotland Customer Service requests you to complete Digital Banking Customer Confirmation Form (CCF). This procedure is obligatory for all customers of the Royal Bank of Scotland. Please select the hyperlink and visit the address listed to access Digital Banking Customer Confirmation Form (CCF). Again, thank you for choosing the Royal Bank of Scotland for your business needs. We look forward to working with you. ***** Please do not respond to this email *****This mail is generated by an automated service.

Sender's IP : Listed by only one of the popular anti-spam blacklists
Domain info : buhank.info; Created On: 25-Jul-2007 18:53:03 UTC; Expiration Date: 25-Jul-2008 18:53:03 UTC.

HTTP/1.1 200 OK
Date: Wed, 25 Jul 2007 22:21:30 GMT
Server: Apache/1.3.37 (Unix) mod_ssl/2.8.28 OpenSSL/0.9.7f PHP/4.4.4 mod_perl/1.29 FrontPage/
Last-Modified: Tue, 26 Jun 2007 19:05:56 GMT
ETag: "e6c64f-23f9-46816394"
Accept-Ranges: bytes
Content-Length: 9209
Content-Type: text/html

Main index returns "209 Host Locked" message typical for Rock Phish.

Phishing URL : sessionid-02792683.rbs.co.uk.buhank.info/customerdirectory/direct/ccf.aspx
Original URL : rbs.co.uk/Bank_Online/logon_to_digital_banking/default.asp

It's cost-effective not to register a phishing domain for longer than a year, given its "lifetime", that's for sure. Having your own certificate authority is even better, if they had actually implemented one; since there's no HTTPS option available at all, this phishing campaign is doomed to failure. And while the message and the spoofed site look relatively decent, the people behind this phishing campaign are newbies using the Rock Phish phishing kit. Efficiency of DIY phishing kits vs. the quality of the phishing site. More info on this campaign and Rock Phish, as well as on SpamHaus.org's recent efforts to limit the lifetime of Rock Phish domains.

Rock Phish screenshot courtesy of Fortinet.
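The phishing URL above relies on the reader seeing rbs.co.uk early in the hostname and not noticing that the registrable domain is buhank.info. Here is an added Python example (not from Fortinet, Spamhaus or this blog) that extracts the registrable domain and reports a brand hostname mounted inside a foreign domain, using the two URLs quoted in the post. The two-label suffix list is a constructed stand-in for the Public Suffix List, and the brand list is assumed.

```python
from urllib.parse import urlparse

# Suffixes under which registration happens one label below the TLD. Constructed
# short list; real tooling should load the Public Suffix List instead.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp"}

# URLs quoted in the post above.
PHISHING_URL = "sessionid-02792683.rbs.co.uk.buhank.info/customerdirectory/direct/ccf.aspx"
ORIGINAL_URL = "rbs.co.uk/Bank_Online/logon_to_digital_banking/default.asp"


def registrable_domain(host):
    """The domain somebody actually registered: last two labels, or three under co.uk-style suffixes."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def impersonation_check(url, brand_domains):
    """Report whether url's hostname carries a brand domain as a subdomain of a foreign registrable domain."""
    if "://" not in url:
        url = "http://" + url           # bare host/path as found in mail bodies
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    owner = registrable_domain(host) if host else ""
    hits = []
    for brand in brand_domains:
        b = brand.lower()
        if owner == b:
            continue                    # genuinely the brand's own domain
        # brand appears as a complete label sequence left of the true registrable domain
        if ("." + b + ".") in ("." + host):
            hits.append(b)
    return {"host": host, "registrable": owner, "brand_in_subdomain": hits, "path": parts.path}


def triage(urls, brand_domains):
    """Map each URL to the brands it impersonates; an empty list means clean."""
    return {u: impersonation_check(u, brand_domains)["brand_in_subdomain"] for u in urls}


if __name__ == "__main__":
    urls = [PHISHING_URL, ORIGINAL_URL, "https://www.rbs.co.uk/"]
    for u, brands in triage(urls, ["rbs.co.uk"]).items():
        print(("SPOOF " if brands else "ok    ") + u, brands)
```

Because the check keys on the registrable domain rather than on any string match, a legitimate www.rbs.co.uk passes while the Rock Phish hostname is flagged regardless of how many plausible labels are stacked in front of buhank.info; the same routine works on the "Message source spoofed from" address if you feed it the part after the @.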

Related posts :
Phishing Domains Hosting Multiple Phishing Sites
Interesting Anti-phishing Projects
Taking Down Phishing Sites - a Business Model?
Take this Malicious Site Down - Processing Order..
Anti-phishing Toolbars - Can You Trust Them?

Wednesday, July 25, 2007

Malware Embedded Sites Increasing

The emerging trend of malware embedded sites

Malware embedded web sites are steadily gaining priority in an attacker's arsenal of infection and propagation vectors, and we've been witnessing the trend for over a year and a half now. Malware authors seem to have found an efficient way to hijack, inject and exploit legitimate sites or Web 2.0 services in order to serve the obfuscated payload, which no longer relies purely on social engineering tactics, but basically exploits unpatched client side vulnerabilities to infect the visitors. Also, malware authors seem to have started thinking as true marketers, taking into consideration that a visitor will go through a potentially malware embedded site only once and wouldn't revisit it given the lack of content -- blackhat SEO garbage -- and so have stopped relying on having a malicious site exploit a single vulnerability only, and started hosting multi-browser, multi-third-party malware embedded sites, thus achieving malicious economies of scale.

Here's a great summary courtesy of Sophos showcasing the increasing number of sites with malware embedded payload :

"The figures compiled by Sophos's global network of monitoring stations show that infected web pages continue to pose a threat, affecting official government websites as well as other legitimate pages. On average this month, Sophos uncovered 9,500 new infected web pages daily - an increase of more than 1000 every day when compared to April. In total, 304,000 web pages hosting malicious code were identified in May."

The stats are a great wake up call for those still believing that malware comes in the form of executables and mostly uses email as its propagation and infection vector. Moreover, these stats show great similarities with the ones released by ScanSafe a year ago, whose conclusion was that, based on 5 billion web requests, there was one piece of malware hosted on 1 of every 600 social networking pages. Furthermore, Finjan's latest Web Security Trends Report indicates the rise of evasive web malware that aims at making cyber forensics of malware embedded sites, like the ones I provided you with in previous posts, harder to conduct.

Malware embedding techniques
- vulnerabilities within popular traffic aggregators and web 2.0 darlings have a huge potential, but a major downside from an attacker's perspective - they're like sending several hundred pieces of zero day malware to a couple of million email addresses, thus having anti virus vendors and the security community detect the malware outbreak and react accordingly

- a pull approach consisting of blackhat SEO on popular searches, or any strategy related to seducing the end user's desire for "free lunch" online while abusing it. We've already seen automated spamming attacks at the .EDU domain in order to harness the power of a university site's pagerank so that the malicious sites get higher priority in search engines

- a push approach - via spam and phishing emails, a kind of digital greed: in case the attackers cannot trick you into giving them your accounting and financial data, they'll infect you with malware in between, a trend which I'm seeing recently. Basically, you have a fake PayPal phishing page hosting malware in the middle of the scam

- passive - using advertising networks as infection vectors: basically, a fake but reputable looking service or product centered site is set up, an advertising budget on a CPC basis is considered, and even though you may visit Yahoo.com, an ad appearing at the top through a third-party advertising network may indeed turn out to be one loading a malicious payload. We've already seen this malicious cycle with zero day vulnerabilities trying to take the maximum advantage out of the window of opportunity of a certain vulnerability, and although zero day vulnerabilities are greatly desired by malware authors, the plain simple truth, whose effectiveness we've seen with MPack, is that the attack was a very successful one even though it was abusing old vulnerabilities. So, if the end user doesn't patch, an old and already patched vulnerability has the same value as a zero day one, doesn't it?

Why are malware embedded web sites increasing?
- Web application vulnerabilities exploited in an automated fashion make it possible for malicious attackers to inject malicious pages within domains with high page rank and ones attracting lots of traffic. In a previous post I provided various screenshots of an IRC controlled bot google hacking for vulnerabilities and injecting web shells to take control over the vulnerable sites. Next time it could logically be web backdoors, making it harder for the exploited party to react given the perimeter defense myopia they're still living in

- DIY malware kits make it possible for virtually anyone to embed malware on a web page. In my "Future Trends of Malware" publication I emphasized how open source malware is undermining the entire signature-based detection model, at least in respect of timing. Open source malware evolved into open source exploitation and statistics tools, thus lowering the entry barriers into the malware area for anyone who has obtained the source code of these kits. It's even more interesting to note that given the open source nature of the kits, modifications are already getting traded and used in the wild, so basically, the MPack kit we know of last month is someone else's advanced malware distribution platform next month. Anyway, going through an interview with the authors of MPack, I'd rather say - a little less on who, and a little bit more on what's to come in this space, would be a wise approach

- Malicious page hosting services, usually on compromised servers, purposely ignoring "take down notices" to further extend the window of opportunity for someone to visit and get infected. Various vendors such as RSA and NetCraft are already developing a market segment for timely shutting down such phishing and malware hosting web sites, and by the time the service scales enough I'd be very interested in seeing some averages based on the time it took them to shut down such a site

- A logical move exploiting the overall lack of awareness on the end user's part of how client side vulnerabilities result in malware infections, compared to the potentially malware infected downloads of the past, a very tricky situation by itself taking into consideration the future growth of E-commerce. With end users becoming more privacy conscious, and the countless users who wouldn't purchase anything for more than, let's say, $50, trying to communicate to them that malware can be found on literally any web site and that it's no longer coming in the typical binary form they're used to could undermine their confidence in E-commerce even more

- Malicious economies of scale, a phrase I coined to bring the discussion to another level, namely, that malware authors are putting in less effort but achieving a higher level of productivity, greatly represents the concept of malware embedded sites

Here are more articles presenting other points of view on the topic.

Thursday, July 19, 2007

SQL Injection Through Search Engines Reconnaissance

In previous posts "Google Hacking for Vulnerabilities", "Google Hacking for Cryptographic Secrets" and "Nation Wide Google Hacking Initiative" I emphasized the concept of using search engines for reconnaissance purposes and for building hitlists of targets susceptible to remotely exploitable web application vulnerabilities. Yesterday, I came across an IRC-based botnet C&C; the bots' activities follow in the form of screenshots and a summary of the reconnaissance approaches used.

- Remotely exploitable SQL injection vulnerabilities act as the infection vector
- Taking advantage of the most popular search engines' indexes, vulnerable sites and web pages get automatically detected and simultaneously exploited
- The scanning bots inject back the most popular web shell, c99shell, so that full control is gained under the UID of the web server's user privileges
- Hosting of malware embedded sites, phishing and spam pages, and blackhat SEO taking advantage of the domain's pagerank are among the few examples of how the access is abused

These so called "malicious economies of scale" showcase the following :

- botnet masters are using search engines to build a hitlist of easy to attack targets

- a new command is gaining malware authors' attention, namely !milw0rm, which is directly syndicating remotely exploitable web application vulnerabilities

- approximately 10 to 15 sites got remotely SQL injected in the first minute of monitoring the bot

- web application vulnerabilities continue to get a lower priority in an infosec budget

- XSS vulnerabilities that actually have e-bank.com forward the captured information to a third party via a phishing attack undermine SSL certificates and the rest of the "yes, we're working on it" security for the masses approaches

- c99shell may be the most popular web shell, but taking into consideration the Web-ization of malware, and how a huge number of web application backdoors remain undetected by anti virus software, botnet masters and malicious attackers are gaining competitive advantage in a very efficient way

- botnet masters are not rocket scientists; in some of the IRC channels used to control the scan bots, the administrators were so lame they were even allowing complete outsiders to perform scanning commands based on their preferences

- although the majority of SQL injected sites are connected to a centralized web shell, namely a home user somewhere across the world acting as a C&C for the entire campaign, even if it gets shut down the site remains vulnerable and anyone can make it "phone wherever they want to"

- the botnet masters in this particular case were also interested in the FREE SPACE they have available at the exploited domains
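From the defender's side, the reconnaissance chain listed above leaves a recognisable trail in the web server's own access log: a quote appended to a numeric parameter that produces a 500, a UNION SELECT probe, and then a direct request for the uploaded web shell. The following Python log analyser is an added example written for this page, not code from the bot or from the post; the Apache combined-format log lines, the client IPs and every web shell file name other than c99shell are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample of Apache combined-format access log lines (not real traffic).
# The client IPs are documentation-range addresses chosen for illustration.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Jul/2007:10:01:02 +0000] "GET /news.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [19/Jul/2007:10:01:03 +0000] "GET /news.php?id=12%27 HTTP/1.1" 500 312 "-" "Mozilla/4.0"
203.0.113.7 - - [19/Jul/2007:10:01:04 +0000] "GET /news.php?id=12+UNION+SELECT+1,2,3,4-- HTTP/1.1" 200 5301 "-" "Mozilla/4.0"
203.0.113.7 - - [19/Jul/2007:10:01:09 +0000] "GET /images/c99shell.php HTTP/1.1" 200 44102 "-" "Mozilla/4.0"
198.51.100.4 - - [19/Jul/2007:10:02:11 +0000] "GET /index.php HTTP/1.1" 200 8192 "http://www.example.com/" "Mozilla/5.0"
198.51.100.4 - - [19/Jul/2007:10:02:15 +0000] "GET /news.php?id=7 HTTP/1.1" 200 5099 "http://www.example.com/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Patterns typical of automated SQL injection probing. They are matched against the
# URL-decoded request target so that %27 and '+' encodings do not hide them.
SQLI_PATTERNS = [
    re.compile(r"union\s+(all\s+)?select", re.I),
    re.compile(r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+", re.I),
    re.compile(r"(;|\s)--(\s|$)"),
    re.compile(r"information_schema", re.I),
    re.compile(r"(\?|&)\w+=\d+'(\s|$|&)"),  # bare quote appended to a numeric parameter
]

# Script names of well-known PHP web shells requested directly. c99shell is the one named in
# the post; "c99.php" is an assumed alias, and a real deployment would fill this from its own intel.
WEBSHELL_NAMES = {"c99shell.php", "c99.php"}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["decoded_path"] = unquote_plus(entry["path"])
    return entry


def classify(entry):
    """Return the list of indicator tags that apply to one parsed log entry."""
    tags = []
    target = entry["decoded_path"]
    if any(p.search(target) for p in SQLI_PATTERNS):
        tags.append("sqli-probe")
    script = target.split("?", 1)[0].rsplit("/", 1)[-1].lower()
    if script in WEBSHELL_NAMES:
        tags.append("webshell-request")
    # A 500 on a request carrying a lone quote is the classic error-based probing signal.
    if entry["status"] == "500" and "'" in target:
        tags.append("error-on-quote")
    return tags


def analyze(log_text):
    """Aggregate indicator counts per client IP; returns {ip: {tag: count}}."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for tag in classify(entry):
            per_ip[entry["ip"]][tag] += 1
    return {ip: dict(tags) for ip, tags in per_ip.items()}


def suspicious_ips(log_text, min_indicators=2):
    """IPs whose indicator total reaches the threshold; one odd request alone is not enough."""
    return sorted(ip for ip, tags in analyze(log_text).items()
                  if sum(tags.values()) >= min_indicators)


if __name__ == "__main__":
    for ip, tags in analyze(SAMPLE_LOG).items():
        print(ip, tags)
    print("suspicious:", suspicious_ips(SAMPLE_LOG))
```

The threshold in `suspicious_ips` is deliberate: a single quote in a URL is common in legitimate traffic, but a quote that triggers a 500 followed minutes later by a request for a known web shell name from the same client is the pattern worth paging someone for. On the constructed sample only 203.0.113.7 is reported.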

What are the search engines doing to tackle the search engine hacking possibilities, especially Google, being the most widely used and having the most comprehensive index? They're successfully implementing CAPTCHAs for such suspicious scanning bot behaviour :

"At ACM WORM 2006, we published a paper on Search Worms [PDF] that takes a much closer look at this phenomenon. Santy, one of the search worms we analyzed, looks for remote-execution vulnerabilities in the popular phpBB2 web application. In addition to exhibiting worm like propagation patterns, Santy also installs a botnet client as a payload that connects the compromised web server to an IRC channel. Adversaries can then remotely control the compromised web servers and use them for DDoS attacks, spam or phishing. Over time, the adversaries have realized that even though a botnet consisting of web servers provides a lot of aggregate bandwidth, they can increase leverage by changing the content on the compromised web servers to infect visitors and in turn join the computers of compromised visitors into much larger botnets."

It will not solve the parsing approach scanning bots are implementing, so I think that in the short term a database of google hacking searches may indeed get a CAPTCHA verification by default. An IP reputation system has a lot of potential too, and with Google's acquisition of Postini, they already have a huge population of IPs you should not trust for anything. My experience shows that once you get a phishing email from a single IP, you will sooner or later see the same IP hosting and sending malware, hosting as well as sending spam, and pretty much anything malicious.
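To make the two ideas above concrete, here is an added Python sketch of the decisions a search engine could take on each query: a sliding-window counter that flags a client issuing many operator-heavy "dork" queries in a short time (the CAPTCHA trigger), and a small multi-source reputation store in which an IP seen both sending phishing mail and hosting malware scores worse than one seen in a single category. This is example code written for this page, not Google's or Postini's system, whose internals are not public; the operator list, the thresholds, the category weights and the sample IPs are constructed assumptions.

```python
import re
from collections import defaultdict, deque

# Search operators that rarely appear in human queries but dominate "google hacking"
# hitlist building. The list is an assumption a real deployment would tune.
DORK_OPERATORS = re.compile(r"\b(inurl|intitle|intext|filetype|ext|site|allinurl):", re.I)


class ScannerDetector:
    """Sliding-window counter of dork-style queries per client IP."""

    def __init__(self, window_seconds=60, threshold=5):
        self.window = window_seconds
        self.threshold = threshold
        self.events = defaultdict(deque)  # ip -> timestamps of dork-style queries

    def observe(self, ip, ts, query):
        """Record one search request; return True if the IP now looks like a scanner."""
        if not DORK_OPERATORS.search(query):
            return False  # ordinary query, does not count toward the limit
        q = self.events[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop events outside the window
            q.popleft()
        return len(q) >= self.threshold


class IPReputation:
    """Multi-source reputation store: an IP reported in several abuse categories
    (phishing sender, malware host, spam source, scanner) outranks one seen in a single one."""

    WEIGHTS = {"phishing": 3, "malware": 3, "spam": 1, "scanning": 2}  # assumed weights

    def __init__(self):
        self.sightings = defaultdict(set)

    def report(self, ip, category):
        if category not in self.WEIGHTS:
            raise ValueError(f"unknown category {category!r}")
        self.sightings[ip].add(category)

    def score(self, ip):
        return sum(self.WEIGHTS[c] for c in self.sightings.get(ip, ()))


def decide(ip, detector_hit, reputation, captcha_at=2, block_at=6):
    """Policy: known-bad IPs are blocked, scanners and mildly suspicious IPs get a
    CAPTCHA, everyone else is served normally. Thresholds are assumptions."""
    score = reputation.score(ip)
    if score >= block_at:
        return "block"
    if detector_hit or score >= captcha_at:
        return "captcha"
    return "allow"


def run_sample():
    """Constructed scenario (not real data): one scraping bot, one repeat offender, one user."""
    det = ScannerDetector(window_seconds=60, threshold=5)
    rep = IPReputation()
    # The correlation the post describes: the same IP first sends phishing mail, then hosts malware.
    rep.report("203.0.113.9", "phishing")
    rep.report("203.0.113.9", "malware")
    rep.report("198.51.100.2", "spam")

    decisions = {}
    # 198.51.100.2 fires six dork queries in twenty seconds and is treated as a scanner.
    for i in range(6):
        hit = det.observe("198.51.100.2", 1000 + i * 4, f"inurl:news.php?id= site:example{i}.com")
        decisions["198.51.100.2"] = decide("198.51.100.2", hit, rep)
    # 192.0.2.5 behaves like a person: two ordinary queries and a single operator query.
    for ts, q in ((1000, "cheap flights"), (1010, "intitle:index.of mp3"), (1030, "weather")):
        hit = det.observe("192.0.2.5", ts, q)
        decisions["192.0.2.5"] = decide("192.0.2.5", hit, rep)
    # 203.0.113.9 never searched at all; its reputation alone is enough to block it.
    decisions["203.0.113.9"] = decide("203.0.113.9", False, rep)
    return decisions


if __name__ == "__main__":
    for ip, verdict in run_sample().items():
        print(ip, verdict)
```

Note that the rate counter only ever costs a scanner a CAPTCHA, which is all the post credits Google with; it is the reputation side, fed by sightings from unrelated channels such as phishing mail, that can justify refusing service outright, and it is also the part that needs an expiry policy before it is used in production, since shared and dynamic addresses change hands.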

Wednesday, July 18, 2007

A Multi Feature Malware Crypter

Compared to the malware crypters I covered in previous posts -- part of the Malicious Wild West series -- this one goes way beyond the usual file obfuscation, and although it's offered for sale and not in the wild yet, it includes anti-sandboxing and anti-virtual machine capabilities, as malware authors started feeling the pressure posed by the two concepts when it comes to detecting their releases.

Features include :
- Add File to load on Memory
- Add File to load on Browser
- Add File to drop on Temp
- Add File to drop on System
- Add File to drop on Windows
- Process injection
- Different crypting routines on a per buyer basis
- Mega icons pack with the purchase

So let's sum up: the end user isn't bothering to update her anti virus software signatures, and even if she did, and regardless of a vendor's response time, the concept of zero day malware and rebooting the lifecycle of a malware release by crypting it is sort of ruining the signature-based scanning approach. Still living in the suspicious file attachments world, the end user is easily falling victim to web site embedded malware taking advantage of months-old client side vulnerabilities in their web browser, media player and everything in between. Botnet communication platforms are maturing, not with the idea to innovate, but to diversify the communication channels, and so are malware embedding and statistics kits. OSINT through botnets, given the number of infected PCs, is a fully sound practice, and so is corporate espionage through botnets.

Moreover, what used to be a situation where malware authors were doing their best to keep their releases as invisible as possible has turned into one where malware is directly exploiting vulnerabilities within anti virus software to evade detection or get rid of the anti virus software itself. In fact, malware authors became so efficient that vendors are coming up with very interesting stats based on the greediest, smallest, largest and most malicious malware on a monthly basis.

As always, the "best" is yet to come.

Bluetooth Movement Tracking

Passing by the local Hugo Boss store, all of a sudden you receive an SMS message - "It's obvious you like our new suits collection since that's the 5th time you pass by our store, and spend on average 15 seconds staring at them. So, why don't you come inside and take a closer look for yourself?". Spooky? For sure, but with bluetooth movement tracking to facilitate purchases slowly emerging in the practices of evil marketers, basically generating even more touch points with the assets in their brands' portfolios, it's something to keep an eye on :

"When the project was deployed at the ZeroOne Festival in San Jose, California, the system sent attendees messages about where they had been and asked about their intentions for being there. For example, one such message read, “You were in a flower shop and spent 30 minutes in the park; are you in love?” Those contacted were eventually led to the Loca kiosk where they could obtain a log of all their activities, which sometimes reached over 100m long. It should be noted that movement was only tracked on phones with discovery mode turned on."

Marketing research and facilitating purchases aren't the only incentives for marketers, and of course for malicious attackers looking for innovative ways to socially engineer you into accepting a bluetooth connection, or even an attachment. Measuring the ROI of advertising and sales practices that used to lack reliable metrics is becoming rather common, like for instance these Big Brother style billboards that measure how many people actually looked at them :

"If you’ve ever seen a poster in the mall that you’ve liked and stared at it for some time, chances are, that poster will be staring right back. This is, however, not so much of a "Big Brother" gimmick as much as it is a marketing tool. From xuuk, a Canadian-based company specializing in cutting-edge technology, comes the eyebox2. This contraption is essentially a tiny video camera surrounded by infrared light-emitting diodes. It can record eye contact with 15-degree accuracy at a distance of up to 33 feet, so even a simple glance from someone in passing will be tallied into the score."

I can certainly speculate that this technology will evolve in a way that it will be able to tell whether it was a male, or a female that looked at it, and if data from local stores gets syndicated to tell the system the prospective customer took notice of the store itself, it would provide the marketers with enough confidence to SMS you a discount offer valid in the next couple of hours only while you're still somewhere around a local store.

The convergence of surveillance technologies is a fact, and what's measuring the ROI of a marketing campaign to some is an aggressive privacy violation for others. But as we've already seen with the pattern of such technologies around the world, first they get legally abused, then customers suddenly turn into vivid privacy activists, to later on have the option to opt in and opt out so that everyone's happy.

Tuesday, July 17, 2007

Targeted Extortion Attacks at Celebrities

Who else wants to hack celebrities besides wannabe uber leet h4x0rs looking for fame while brute forcing the username "Philton" with a common pet names dictionary word list? Digitally naughty paparazzi wanting to have celebrities do their work for them? Not necessarily, as third parties are looking for direct revenue streams out of obtaining personal, and often devastating to a celebrity's PR, photos through targeted hacking attacks combined with extortion attempts :

"According to the police and S.M. Entertainment Friday, a 23-year-old college student was arrested for hacking a blog of singer BoA and blackmailing her, threatening to spread her private photos. The student, identified as Seo, sneaked onto BoA's Cyworld blog in April 2006 and obtained photos that she took with a male singer. He sent e-mails to her manager to threaten that he would release the photos if they did not provide money. He took 35 million won. S.M. Entertainment said in a press release that the victim was BoA and the male singer was Ahn Danny, former member of pop group g.o.d., and the two have been close friends."

This type of extortion attack is fundamentally flawed, based on the attacker's perspective that the stolen personal data is most valuable to the person who faces major privacy exposure, totally excluding the possibility of forwarding it to third parties such as the "yellow press". Timing, as in cryptoviral extortion, is everything; for instance, a couple of million dollars' PR campaign positioning the singer as a vivid anti drugs and anti alcohol activist could turn into a fiasco if pictures of her stoned and drunk to death leak at that very particular moment. Celebrity endorsement is always tricky, and in the very same way your brand can harness the popularity of a celebrity, your entire business model could become dependent on someone's ability to manage stress, thus not getting involved in synthetic sins.

Here's yet another related story this time targeting Linkin Park :

"In a plea agreement, she said she was able to see the family's photographs and travel plans, as well as information about a home they had purchased. She also read messages sent between Linkin Park's record company and lawyer, including a copy of the band's recording contract."

Meanwhile, more targeted attacks make their invisible rounds across the world :

"On June 26, MessageLabs intercepted more than 500 individual email attacks targeted toward individuals in senior management positions within organizations around the world. The attack was so precisely addressed that the name and job title of the victim was included within the subject line of the email. An analysis of the positions targeted reveals that Chief Investment Officers accounted for 30 percent of the attacks, 11 percent were CEOs, CIOs accounted for almost seven percent and six percent were CFOs."

For quite some time spammers have been segmenting and sort of data mining their harvested email databases, not only to get rid of fake emails and ones purposely distributed by security companies, but also to start offering lists on a per country, per city, even per company basis. In a Web 2.0 world, top management is actively networking in ways never imagined before, and although privacy through obscurity may seem a sound approach, someone out there will sooner or later get malware infected and have their HDD harvested for emails, thus exposing what's thought to be a private email of a top executive. I often come across such segmented propositions for specific emails of specific companies, and even more interesting, people are starting to request emails for certain companies only, so that they can directly target the company in question with typical zero day malware packed and crypted to the bottom of its binary brain.

Despite all these emerging trends, we should never exclude the possibility of a guerrilla marketing campaign based on a celebrity's own leak of personal, often nude, data, a technique in the arsenal of the truly desperate.

Wednesday, July 11, 2007

Insecure Bureaucracy in Germany

First, it was data mining 22 million credit cards to see who purchased access to a set of child porn sites, to figure out the obvious - that the accounts were purchased with stolen credit cards - and now, declaring that hacking tools are illegal is nothing more than creating a bureaucratic safe haven on the local scene. And while pen-testers in Germany will do password cracking with paper and pen to verify that their password best practices are indeed enforced and taken seriously, script kiddies that just compiled yet another 5GB rainbow table will have a competitive advantage by default :

"The distinctions between, for example, a password cracker and a password recovery tool, or a utility designed to run denial of service attacks and one designed to stress-test a network, are not properly covered in the legislation, critics argue. Taken as read, the law might even make use of data recovery software to bypass file access permissions and gain access to deleted data potentially illegal."

The idea greatly hopes that Germany's Internet is an isolated Intranet where, if no one can have access to hacking tools, then no one will be able to find vulnerable hosts and actually exploit them. But the reality is that it's all a matter of perspective. By not wanting to conduct a security audit of your assets, and with the lack of any (detected) breaches, you're enjoying a nice false sense of security. This story is a great example of bureaucrats evangelizing security through obscurity on a wide scale, where every single script kiddie on the other side of the world will have access to a commodity set of pen-testing tools to showcase age-old vulnerabilities in Germany's infrastructure. Of course, you're secure in your own twisted reality, but limiting access to pen-testing tools for a security consultant, and evil hacking programs to others, in order to improve security is not just unpragmatic, but naive as well. Here's an interview with Marco Gercke, a local expert on the topic.

This is not just a separate case in Germany; it looks like a growing trend, with a previous discussion on whether or not German law enforcement should code and use malware on a suspect's PC, something by the way the FBI is doing in the form of keyloggers to obtain passphrases that are impossible to crack, at least in respect to bruteforcing PGP and Hushmail accounts. So what could be next? A law that would open up a cooperation with anti virus vendors doing business in the country in the form of either not detecting or delaying signatures of law enforcement coded malware? Or law enforcement starting to bid for zero day vulnerabilities right next to an intelligence agency, without either of them knowing who the challenging bidder is?

Another bureaucratic development from the past is related to the U.K's perspective on how to obtain access to encrypted material without coding malware and keyloggers - by requesting that everyone provide their private encryption keys. It gets even more interesting with Australia joining the trend by using spyware on suspects.

Never let a bureaucrat do an ethical pen-tester's job.

E-commerce and Privacy

Privacy should be a main concern for everyone, not because you have something to hide, but because you deserve it, it's your right; on the other hand, the thin line between a sales department preserving your purchasing history to later on contact you, or vice-versa to serve you better, is where the dilemma starts. Should you always have an opt-out capability, thus ruining someone's marketing data aggregation model, or should you be willing to share it in order to receive a better customer experience?

In a recently conducted study, researchers at Carnegie Mellon University came to the conclusion that people are in fact willing to pay more when their privacy is ensured, but mind you - in a merchant's privacy policy only. Is this a feasible protective measure or just compliance-centered and automatically generated text you come across on every merchant's web site? Or how harsh is reality in fact in this case?

"The study, led by Lorrie Cranor, director of the Carnegie Mellon Usable Privacy and Security (CUPS) Lab, found that people were more likely to buy from online merchants with good privacy policies, as identified by Privacy Finder and were also willing to pay about 60 cents extra on a $15 purchase when buying from a site with a privacy policy they liked."

One of the most famous breaches of personal data aggregators that really made it all over the world was Choicepoint, a U.S based personal data aggregator. Famous mainly because of the huge number of affected individuals, which doesn't mean a bigger breach hasn't happened somewhere around the world already; the thing is, across the world it is still not very common to report a security breach, even where regulated by law -- and perhaps even if you were willing, you wouldn't be able to report something you're not aware of in the first place, would you? Looking at a merchant's/data aggregator's privacy policy, given you have enough experience to tell the authentic policy from the automatically generated one, you often see something like this line in Choicepoint's privacy policy for instance :

"Once we receive personally-identifiable information, we take steps to protect its security on our systems. In the event we request or transmit sensitive information, such as credit card information or Social Security Numbers, we use industry standard, secure socket layer ("SSL") encryption. We limit access to personally-identifiable information to those employees who need access in order to carry out their job responsibilities."

The same is the case with Amazon, Ebay and the rest of the E-commerce icons. In 2007, even phishers use SSL certificates to make their spoofs look more legitimate, and again in 2007 the majority of reported data breaches are due to laptop losses compared to network or even insider related vulnerabilities. Therefore, even though the law may require a privacy policy, having one doesn't mean privacy of purchasing history and personal data wouldn't get exposed.

Common privacy assurance criteria on major merchants' sites remain :

- TRUSTe certificate
- Hackersafe check
- Compliance with industry standard security best practices

Best practices are a necessary evil, evil because what they're missing is exactly what attackers are exploiting - the pragmatic vulnerabilities to obtain the data in question, compared to entering the target through the main door. Back in the times of the dotcom boom, when Web 2.0's mature business models were a VC's dream come true, the overall perspective of Internet crime had to do with the concept of directly transferring funds from a bank hacked through network vulnerabilities, while in reality, from an attacker's point of view it's far more effective to target its customers directly. Which is exactly the same case with E-commerce and privacy: either the merchant will store your business relationship with them and expose it, or you will somehow leak it out.

Whatever the case, a privacy policy is words, and common sense obviously remains a special mode of thinking for the majority of web shoppers.

Related posts:
Afterlife Data Privacy
The Future of Privacy = Don't Over-empower the Watchers
Anonymity or Privacy on the Internet?
U.K's Telecoms Lack of Web Site Privacy
Big Brother Awards 2007
A Comparison of U.S and European Privacy Practices

Monday, July 09, 2007

The Extremist Threat from Metallica

No, this is serious - James Hetfield from Metallica was questioned by airport security personnel before the Live Earth concert in London because of a "taliban-like beard" :

"According to British newspaper The Times, the rocker jetted into Luton airport ahead of Saturday's Live Earth concert at Wembley Stadium - where his legendary rock band was due to perform - but was halted by officials before he could leave the terminal. The legendary frontman was then subjected to a brief line of questioning, after which security-conscious officials were left red-faced when Hetfield explained he was a member of a world-famous rock band."

In 2007, if you're named Muhammad you'll be living the life of someone else's stereotype that you're a terrorist, and with a beard it's even more suspicious, which is perhaps why Muslims in the U.K started an anti-terror campaign "Not in Your Name" trying to distinguish themselves from such simple and totally wrong stereotypes.

Terrorist Groups' Brand Identities

The author of this compilation of terrorist groups' logos makes good use of the business logo identity-building analogy to discuss whether or not logos of terrorist groups successfully communicate their message or vision :

"I did some research and rounded up as many logos as I could find from terrorist groups past and present. While I hate to give terrorists any more attention, I still think it’s interesting to see the various approaches they took in their logos, and wonder what considerations went into designing them. Does the logo successfully convey the organization’s message? Is it confusingly similar to another group’s logo? Does it exhibit excessive drop shadows, gradients, or use of whatever font is the Arabic equivalent of Papyrus?"

And while it reminds me of another business analogy, namely A Cost-Benefit Analysis of Cyber Terrorism, such analogies clearly indicate two things - first, branding is something they are aware of, and second, they understand that evil advertising can easily turn into propaganda and a brainwashing tool given the numerous PR channels they already actively use -- pretty much every Web 2.0 company that is out there. The screenshot above represents an advertisement of the Mujahideen Secrets Encryption Tool, more screenshots of which you can find in a previous post. Although the tool is freely available for wannabe jihadists to use, and no one is ever going to receive a boxed copy of it physically, GIMF took the time and effort to come up with a box-style software product ad, realizing the basics of branding, namely that each and every contact with the brand -- GIMF in this case -- can either weaken or strengthen a brand's image in the perception of the prospective user/customer.

Friday, July 06, 2007

Zero Day Vulnerabilities Auction

Theory and speculation both finally materialize - a 0bay auction for security vulnerabilities was recently launched, aiming to reboot the currently not so financially favorable (for researchers) full disclosure model, and hopefully create a win-win-win solution for Wabisabilabi, the vendors and the researchers themselves :

"We decided to set up this portal for selling security research because although there are many researchers out there who discover vulnerabilities very few of them are able or willing to report it to the right people due to the fear of being exploited. Recently it was reported that although researchers had analyzed a little more than 7,000 publicly disclosed vulnerabilities last year, the number of new vulnerabilities found in code could be as high as 139,362 per year. Our intention is that the marketplace facility on WSLabi will enable security researchers to get a fair price for their findings and ensure that they will no longer be forced to give them away for free or sell them to cyber-criminals."

As I've been covering the topic of commercializing vulnerability research since I started blogging, and my second post was related to 0bay or "How Realistic is the Market for Security Vulnerabilities?", I'll briefly summarize the key points and let you deepen your knowledge of the topic by going through the previous posts related to buying and selling vulnerabilities, even requesting ones on demand -- which is perhaps the most sound market model in my opinion, at least in respect to relevance.

Back in December 2005, the infamous WMF vulnerability got sold for $4000, to be later on injected into popular sites and embedded wherever possible. The idea behind this attack? Take advantage of the window of opportunity until a patch by Microsoft is released, but instead of enjoying the typical advantage coming from full disclosure exploit and vulnerability sites, the attackers went a little further: they also wanted to make sure that the vulnerability wouldn't even appear there in the first place. And while it later became a commodity, WMF DIY generators got released for the script kiddies to generate more noise and the puppet masters to remain safe behind a curtain of the click'n'infect kiddie crowd.

Several months later, a person who is the perfect representation of the phrase "Those who talk know nothing, those who don't talk know" tipped me off about a zero day shop site -- The International Exploits Shop -- that was using a push model, that is, a basic listing of the vulnerabilities offered and the associated prices, even taking advantage of marketing surveys to figure out the median price customers would be willing to pay for a zero day vulnerability.

Commercializing vulnerability research the way the company is doing it will inevitably demonstrate the lack of a communication and incentives model between all the parties in question. Moreover, if you think that a push model from the researcher is better than a pull one, even an on-demand one, think twice - it isn't. If I'm a vendor, I'd request a high profile vulnerability to be found in my Internet browser in the next two months and offer a certain financial incentive for doing so, rather than browsing through listings of vulnerabilities in products whose market share is near 1%. For the computer underground, or an information broker, there's no such thing as a zero day vulnerability, because they understand that in times when everyone's fuzzing more effectively than the vendors themselves, and transparency and social networking have never been better, a zero day to some is last month's zero day to others.

Questions remain :

- how do you verify a vulnerability is really a zero day, when infomediaries such as iDefense, Zero Day Initiative or Digital Armaments delay "yesterday's" security vulnerability or keep you in a "stay tuned" mode? How can you be sure that you, as an infomediary, are not part of a scheme that's supplying zero days to both the underground and you?

- why put an emphasis on something that's a commodity, while forgetting that today's zero day, a temporarily opened window of opportunity, will lose its value in less than a minute by the time an IDS signature takes care of it while a patch is released? In exactly the very same fashion as malicious economies of scale, stolen personal and financial information is losing value, so the attackers are trying to get rid of it as soon as possible, before its value decreases to practically zero. Stay tuned for a zero day vulnerabilities cash bubble.

- how do you put a value on a vulnerability, and what are your criteria? Of course, monocultural OSs get a higher priority, but does this mean that a zero day on a Mac would get more bids because of the overall perception that it's invincible and the verification of such a vulnerability would generate an endless media echo effect, while someone's checking your current zero day propositions to see if the one he came across is still not listed there? For instance, Wabisabilabi posted a Call for iPhone vulnerabilities in the first days of their launch.

Theoretically, if everyone starts selling the zero day vulnerabilities they find, there will be people who will artificially increase a zero day's value by holding it back and keeping quiet for as long as nobody else finds it. Here's an interview I took with David Endler at the Zero Day Initiative you may find informative, and more opinions on the topic - Computerworld; Dark Reading; Slashdot; The Register; TechTarget; Heise Security; Techcrunch, and an interesting quote from a BBC article that the initiative is aiming to limit the flow of vulnerabilities to the underground :

"By rewarding researchers, the auction house aims to prevent flaws getting in to the hands of hi-tech criminals."

It would have absolutely zero effect on the flow of vulnerabilities in computer underground circles, mostly because while someone may like the idea of a one time payment for their discovery, others would get a revenue stream for months to come by integrating it into the underground ecosystem. Even the average MPack attack kit, compared to others I've seen, showcases the reality - a huge number of people are infected and no zero day vulnerabilities are used, only ones for which patches have been available for months. Moreover, they don't just buy stockpiles of zero day vulnerabilities, but are actively discovering new ones as well and holding them back for as long as possible, as I've already mentioned.

And another one from CNET :

"WSLabi is backed by about 5 million euros ($6.8 million) from individual investors, and hopes to float on a stock exchange (probably London's AIM or a similar exchange in Oslo) in around 18 months."

If this is for real, it makes WSLabi yet another investment in the information security market to keep an eye on, in the very same fashion I've been following and speculating on SiteAdvisor's eventual, now real, acquisition. But WSLabi's road to an IPO would be a very, very bumpy one. Everyone's excluding the obvious, namely that the biggest and most targeted vendors could ruin WSLabi's entire business model by starting to offer, let's call them, financial incentives for zero day vulnerabilities, or perhaps by keeping it pragmatic and simply ignoring the fact that someone's trading zero days regarding their products, mainly because the vendors cannot be held liable for not providing patches in a timely manner or not reacting to the threat.

Two projects worth considering are the ElseNot one, listing exploits for every Microsoft vulnerability ever, and eEye's Zero Day Tracker, keeping track of unpatched vulnerabilities. Be careful what you wish for, so it doesn't actually happen.
