A Review of SiteAdvisor Pro

During 2006, the company popped out like a mushroom in front of my desktop as you can read in a previous post, and on its acquisition two months later. In the typical detailed and extensive CNET Reviews style, here's what they have to say about SiteAdvisor Plus :

"SiteAdvisor Plus includes the ability to report suspicious links within IM and e-mail and can automatically block access to flagged sites. However, SiteAdvisor Plus lacks additional configuration options and doesn't work with Firefox or Opera, or with branded browsers from AOL and other services. In addition, the paid version on Internet Explorer appears to conflict with the free version installed on Firefox. Overall, we experienced greater flexibility and fewer hassles when using the free Netcraft toolbar, and we also liked the proactive nature of Linkscanner Pro better."

The niche filling competition is also reviewed, namely LinkScanner Pro. Niche filling in respect to the real-time sandboxing of results, a concept I'm sure is on its way at SiteAdvisor, or else the community has a lot to contribute as always. SiteAdvisor are however truly embracing a Web 2.0 business model on all fronts, and it's perhaps my favorite case study on commercializing an academic idea during the last year.

Characteristics of Islamist Websites

Excellent and recent analysis of the most common characteristics of islamist websites published by the Middle East Media Research Institute :

"The media platform favored by the Islamist organizations is the Internet, which they prefer for several reasons: firstly, for the anonymity it allows - anyone can enter and post to a site without divulging personal information; secondly, due to the medium's availability and low cost - all that is required is a PC and an Internet connection; and thirdly, due to the ability to distribute material to a great number of people over a wide geographic area in a matter of seconds.

The organizations use the Internet mainly for propaganda and indoctrination, but also for operational military needs.

This paper will discuss the distinguishing characteristics of the websites of Islamist organizations and their supporters; the various online activities through which terrorist organizations assist the mujahideen on the ground, both militarily and, especially, with propaganda; and the Internet polemics that these organizations conduct vis-à-vis their enemies."

The majority of articles you've probably read are doing nothing more than scratching the surface of the topic. Fundraising, propaganda, communications within steganographic images and the use of plain simple encryption, or the thriller type of scenarious where entire food supply chains get remotely controlled or where your next dose of Prozac may be a little bit more dangerous than it actually is, of course because terrorists may have the capacity to do so. In the post 9/11 world terrorist experts started emerging from all over the globe, universities realizied the potential and opened up educational courses, even degrees, security companies started pitching their offers with cyberterrorism in mind, and last but not least the mainstream media doesn't seem to stop piggybacking on historical events while actually doing terrorists the biggest marketing favour of them all - the media echo effect. Someone blows him or herself up in the Western world, and everyone forgets about all those little things people die from if you are to go through you local statistical institute and see the death rates, but starts requesting more information on what is your government doing to prevent this from happening. But compared to the same situation in the Middle East - it's part of the daily life, nothing ground-breaking besides a bunch of low lifes radicalizing online, looking for masters of brainwashing mentors, and most importantly looking for a mighty excuse for their pathetic existence. A terrorist organization uploads a video of shooting a soldier or anything that will shock someone's who's still getting shocked by the The Texas Chainsaw Massacre -- boring try the Evil Dead series -- and people become so outraged and get this feeling of being helpness in the situation that fear compared to reality drives the entire model of terrorism.

Terrorism is successful as both, a government's doctrine for re-election, and as a term mainly because it's a very open topic term these days. In some countries glorifying terrorism is illegal, but if you let you government convince you that it's not terrorizing you to protect you from an event that from a statistical point of view doesn't happen that very often, I think I will lose you as a reader of this blog. The world is losing the war on terrorism because it's rational, and terrorists aren't rational. In the very same fashion that companies don't compete with companies but with networks, a network that's anything but irrational isn't going to be beated by a network that's too bureaucratic and still waging departamental wars.

Go through many of my previous posts on cyberterrorism, a relevant collection of cases, and through the research which as a matter of fact is full with practical examples of various sites.

The RootLauncher Kit

After providing more insights on the WebAttacker Toolkit and the Nuclear Grabber, in this post I'll discuss the RootLauncher, a release courtesy of the same group behind WebAttacker. Something else worth mentioning is that a large percentage of the sites I'm monitoring are starting to use authentication, and on a trust-basis login access, perhaps it's due to the enormous coverage recent "underground" releases, namely phishing kits etc. got in the mainstream media. Therefore I'm doing my best to get as much information -- and screenshots -- before it dissapears and will blog on these releases as soon as my schedule allows me to. For instance, several months ago you could easily see over 50 publicly available control panels for the WebAttacker toolkit, now there're only several available through Google. The same goes for RootLauncher.

The RootLauncher kit is advertised -- Rusian to English automatic translation -- as follows :

"Just, we can offer you 3-version - D o w n l o a d e r-designed RootLauncher for the hidden load arbitrary WIN32 Exe-faila from a remote resource, followed by the launch of the file on the local hard disk. Obhodit all protection is not determined by any AV-Do not see fairvollah - Flexible settings - Periodic updates and supplements may download up to five exe files. Our team is not at the same point and develops all bolshe-bolshe for you dear friends services available to them closer you will be able to on our official website. We are also looking for people interested in partnership with us."

And while it's supposed to be nothing more then an average downloader, these "average downloaders" are actually starting to standardize features in respect to statistics and compatibility with other toolkits and malicious software.

In a previous post at WebSense's blog, they came across a web panel showing that the "total number of unique launchers is 155" now count these as infected PCs, but as you can see in the image attached, the sample could be much larger. This one I obtained from the following URL : http://www.inthost7.com/cgi-bin/rleadmin.cgi which is of course down, but was listing 1013 launchers already, here's an analysis of this very same URL.

IP cloaking when browing such sites and forums is important in order for you to remain as anonymous as possible. If you're on a Russian site make sure you're a Russian domain, if you're on a Chinese site make sure you're a Chinese domain, and most importantly don't directly translate through Google or Altavista, but copy and paste what's interesting to you so that you wouldn't let someone wonder why would a Russian domain translates a Russian text to English. Imagine the situation where security vendors browse them through their securityvendor.com subdomains, the results will follow shortly -- everything dissapears.

In respect to the WebAttacker, the kit is still widely used but the people using and updating it are starting to prevent Google from crawling and caching the control panels, which makes it harder to keep track of the sites in an OSINT manner -- my modest honeyfarm keeps me informed on URLs of notice though. Here's one of the very few instances of a Web-Attacker Control Panel still available at Google. Here's an analysis of the source code of the Web-Attacker kit as well -- and I thought I'm going full disclosure. More details on various newly released packers, multi-exploit infection toolkits, and standardized statistics with all the screenshots I've managed to obtain will follow next week.

Taking into consideration the big picture -- like you should -- the release and automation of phishing/exploit kits and lowering the entry barriers for script kiddies to generate enough noise to keep the real puppet masters safe, or at lease secretly pull the strings. I'd rather we operate in the time when launching a phishing attack required much more resources than it requires today.