Cryptome Under Fire

John Young at Cryptome.org is reporting that its hosting provider decided to terminate their relationship on the basis of violating their Acceptable Use Policy :

"This notice of termination is surprising for Verio has been consistently supportive of freedom of information against those who wish to suppress it. Since 1999 Cryptome has received a number of e-mailed notices from Verio's legal department in response to complaints from a variety of parties, ranging from British intelligence to alleged copyright holders to persons angry that their vices have been exposed (see below). In every case Verio has heretofore accepted Cryptome's explanation for publishing material, and in some cases removal of the material, and service has continued. In this latest instance there was no notice received from Verio describing the violation of acceptable use to justify termination of service prior to receipt of the certified letter, thus no opportunity to understand or respond to the basis for termination."

Guess who'll be the first echo-cursing in an unnamed CavePlex? That'll be Osama Bin Laden feeling sorry for not making copies of key documents on how the U.S Coast Guard is vulnerable to TEMPEST attacks. Cutting out the sarcasm, Cryptome is an OSINT heaven, no doubt about it, but it's also an initiative debunking the entire concept that secrecy actually results in improved and sustained security on an international level.

The data collected at Cryptome would never be destroyed, mainly because it's all digital, it's all distributable, and it simply wants to be free. Thought of the day - The man who brought fire to the world got burned at the stake.

Video Demonstration of Vbootkit

Orignally introduced at this year's Blackhat con in Amsterdam, the Vbootkit is a kit showcasing the execution of unsigned code on Windows Vista. Recently, the researchers released two videos demonstrating the attack worth watching. Here's the authors' research itself. Answering the mythical question on which is the most secure OS, direct the reply in a "which is the most securely configured one" manner, and you'll break through the technology solution myopia and hopefully enter the security risk management stage. A secure OS from what? Nothing's unhackable, the unhackable just takes a little while -- where the invisible incentivising in the desired direction is the shortcut.

Malicious Keywords Advertising

Blackhat SEO's been actively abused by spammers, phishers and malware authors, each of them contributing to the efficiency of the underground ecosystem. Comments spam, splogs, coming up with ways to get a backlink from a .EDU domain, the arsenal of tools to abuse traffic acquisition techniques has a new addition - paid keyword advertising directly leading to sites hosting exploit code :

"Those keywords put the criminals' sponsored links at the top of the page when searches were run for brand name sites like the Better Business Bureau or Cars.com, using phrases such as "betterbusinessbureau" or "modern cars airbags required." But when users clicked on the ad link, they were momentarily diverted to smarttrack.org, a malicious site that used an exploit against the Microsoft Data Access Components (MDAC) function in Windows to plant a back door and a "post-logger" on the PC."

Here's another interesting subdomain that was using JPG images to "break the .exe extension ice" and redirect to anything malicious - pagead2.googlesyndication.com.mmhk.cn

What's the most cost-effective approach, yet the most effective one as well when it comes to that sort of scheme? On a quarterly basis, a "for-the-masses" zero day vulnerability becomes reality. The fastest exploitation of the "window of opportunity" until a patch is released and applied, is abused by embedding the exploit into high traffic web sites, or even more interesting, exploiting a vulnerability in a major Web 2.0 portal to further spread the first zero day. Therefore, access to top web properties is a neccessity, and much more cost effective compared to using AdSense. I wouldn't get surprised to find out that hiring a SEO expert to reposition the malicious sites is also happening at the time of blogging. Some details at McAfee's blog.

Despite the amateurs using purchased keywords as an infection vector, at another malicious url _s.gcuj.com we have a decent example of a timely exploitaition with _s.gcuj.com/t.js and _s.gcuj.com/1.htm using Microsoft's ANI cursor vulnerability to install online games related trojans - _t.gcuj.com/0.exe_ The series of malicious URLs are mostly advertised or directly injected into Chinese web forums, guestbooks etc. Here are some that are still active, the majority of AVs thankfully detect them already :

_cool.47555.com/xxxx.exe_
_d.77276.com/0.exe_
_www.puma163.com/pu/pu.exe_
_rzguanhai.com/server.exe_

The key point when it comes to such attackers shouldn't be the focus on current, but rather on emerging trends, and they have to do with anything, but malicious parties continuing to use AdSense to direct traffic to their sites in the long term. Watch a video related to the attacks, courtesy of Exploit Prevention Labs.