Defeating Virtual Keyboards

To deal with the threat of keyloggers -- or to win time during te process of implementing two factor authentication and one-time-passwords-in-everything -- E-banking providers started introducing virtual keyboards as a pragmatic solution to the threat. Malicious attackers are anything but old-fashioned and this is a great example that insecurities are only a matter of perspective. To the E-banking providers who were aware that a static virtual keyboard would be much more easier to defeat, a randomized characters appearance came into play and so attackers adapted by first taking video sessions of the login process, and now turning each mouse click into a screenshot to come up with the accounting data in a PoC on Defeating Citibank Virtual Keyboard:

"Citibank Virtual Keyboard is a security enhancement for protecting from the key loggers. Using this virtual keyboard user can enter Card no and IPIN using mouse. This keyboard will display a keys in random position in a virtual keyboard on the screen where it makes little difficult for password capture. This only gives confidence for end user from key loggers not from other methods. Local attacker can use Win32 API’s to capture using screen shot method and obtain sensitive information including Credit Card/Debit Card (Suvidha Account), IPIN and misuse it."

From a malicious economies of scale perspective, these rather amateur techniques mean lack of efficiency compared to advanced tools suh as the Nuclear Grabber which I intend to cover in-depth in a future post from the Malicious Wild West series. Continue reading →

International Cryptography Regulations Map

Regulations on importing, exporting and using encryption greatly vary across the world. Bert-Jaap Koops came up with some informative maps highlighting the big picture :

"This is a graphic summary of the pertaining cryptography laws and regulations worldwide as outlined in the most recent version of my Crypto Law Survey. It shows the import controls, export controls, and domestic controls, according to the information available to me. Consult the corresponding entry in the Crypto Law Survey for the contents of the pertaining regulation in a particular country."

And here's a related post on a bureaucratic utopia, another one on bureaucracy vs reality when it comes to security, as well as famous cases related to criminals using encryption. Continue reading →

Disintermediating the Major Defense Contractors

Innovative and cost-effective altogether? Think SpaceShipOne, a commercial space ship that didn't come from a major defense contractor, not even NASA but from a competition won by a privately run company. How to disintermediate yet innovate? Become a venture capitalist, or an angel investor and optimistically hope the academic-to-commercialization process would happen with one of your investments. The DeVenCI project aims to connect sellers with buyers and seems like a sound short-term objectives oriented idea compared with In-Q-Tel the CIA's VC fund emphasizing on long-term R&D :

"Some companies have already profited from the program. In 2003, when DeVenCI was in its experimental phase, the Defense Information Systems Agency was looking for ways to protect computer networks. After speaking to several companies through DeVenCI and evaluating their technology, the agency wound up working with ArcSight, a software company based in Cupertino, Calif., which won $3.6 million in related contracts over the next few years, DeVenCI officials said. Mr. Novak of Novak Biddle said he brought with him to the March DeVenCI meeting two executives from a small start-up developing biometric technology that could be used for things like advanced fingerprinting or eye scans. Mr. Novak said the chief executive and chief technology officer from the Virginia company, which he declined to name for competitive reasons, gave a presentation to the roughly 50 assembled procurement agents."

Here's In-Q-Tel's investment portfolio so far -- Google used to be among them.

Related posts:
Insider Competition in the Defense Industry
Aha, a Backdoor!
Overachieving Technology Companies
Continue reading →

DDoS on Demand VS DDoS Extortion

There were recent speculations on the decline of DDoS attacks, in respect to the lack of companies actually paying to extortion attacks and that it's supposedly not a cost effective approach for malicious attackers to use their botnets. Think again, as it's always a matter of a vendor's sensor network diversity, one that's also excluding targeting mom-and-pop web properties. Just because DDoS extortion may not be working, and I say may not be working because only a few companies would admit they have paid money given the simple math of losing revenues on an hourly basis and spending more on bandwidth and security consultancy than the money requested, DDoS on demand still remains a well developed underground business model. DDoS attacks may not be profitable for the attacker directly performing them, but remain profitable if he's getting paid to provide the service only. Here's an excerpt from my Future Trends of Malware (January, 2006) publication related to DDoS extortion :

"Now you should ask yourself, would total cost of ownership of the business, the costs of the bandwidth, the DDoS attack protection solution, or the botmaster’s deal with the devil style proposition can solve the situation. If you’re thinking big, each and every time an organization pays, it not only risks a repeated demand, but is also fueling the growth of the practice in itself – so don’t do it!"

I'm aware of an ironic situation where a small-biz client's web server started getting DDoS without any reason whatsoever. The first thing that came to my mind was that it's either a DDoS extortion, or a possible rival, so I asked whether or not they've received any extortion emails. They declined, and here comes the interesting part, two days later, the attacks stopped, and a letter arrived in the form of the following email - "We saw you ignored our first email so we had to demonstrate you the power of our attack, this is your second chance to bla bla bla". What happened, and why did they say no extortion emails were sent? Here comes the irony, in the spam folder of the publicly obtainable email account for the domain was the original extortion email, that got detected as a spam. Time for some cyber intelligence to assess their capacity.. Never comply with such letters, or they'll come back for more. By the way, ever thought of the DDoS extortion bluff?

Here's another excerpt on DDoS on demand :

"There’s a lot of demand for paying to teens to shut down your competitors and hoping they would go under the radar, and while ethics are excluded, given these get busted, they’ll be the first to forward the responsibility to the buyer of the service. There’s also a clear indication of market for such services, and sooner or later these individuals will improve their communication skills, thereby increasing the impact of these attacks. For instance, Jay Echouafni, CEO of TV retailer Orbit Communications, paid a group of botmasters to DDoS his competitors, where the outage costs were estimated at $2 million. Another case of DDoS on demand occurred in March, 2005, when the FBI arrested a 17 year old and a Michigan man for orchestrating a DdoS attack, again causing direct monetary loses. DDoS attacks, and the ease of gaining capability in this field are clearly increasing."

Unethical competitions would favor a service where a third party maintains the infrastructure, launches the attack, and for the safety of both parties, remain as anonymous as possible. Here' a related article at BBC News:

"We are seeing a lot of anti-competitive behaviour," he said. Mr Sop added that many more Asian targets were being hit by DDoS attacks - a region in which Symantec did not historically have a big presence. In Asia, he said, DDoS attacks were proving very popular with unscrupulous firms keen to get ahead of their rivals. "The really frightening thing is you can buy access to a botnet for a small amount of money and you can have you competitor down for a long time," he said."

I never actually enjoyed articles emphasizing on how Russian script kiddies are taking over the world given the idea of "outsourcing malicious services". So next time you see a DDoS attack coming from the Russian IP space against U.S companies, it could still be U.S based rivals that requested the attack on their U.S based competitors -- stereotypes keep you in the twilight zone.

Meanwhile, here's a proof hacktivism is still alive and fully operational as the Estonian Internet infrastructure's been recently under permanent DDoS attacks due to real-life tensions of removing a statue from the Soviet era. It wasn't Chinese Mao-ists that did it for sure, but the recent case is another proof that it's always about the money, as everyone not aware of different malicious attackers' motives is preaching. DDoS extortion isn't dead, it's just happening beneath the radar, as targets are picked up more appropriately balanced with less greed regarding this underground business model only.

UPDATE : More developments on the DDoS attacks in Estonia now combined with defacements, which I think was only a matter of time.

Related posts:
The Underground Economy's Supply of Goods
The War against botnets and DDoS attacks
Emerging DDoS Attack Trends
Korean Zombies Behind the Root Servers Attack
Hacktivism Tensions - Israel vs Palestine Cyberwars Continue reading →

A Chronology of a Bomb Plot

A very detailed overview of a bomb plot, especially the lines related to anything digital such as :

- "An e-mail sent from Mr. Khawaja to Mr. Khyam on Nov. 30, 2003, read: "It's not as easy as we thought it would be. We have to design the whole thing ourselves. "There are two parts to it, one transmitter and another receiver that will be at a distance of about 1 or 2km that will be attached to the wires and send out 5 volts down the line and then we get fireworks."

No details on whether or not the communication was encrypted, how it was decrypted -- indirectly through client side attacks for sure -- and was their communication on purposely intercepted or filtered though the noise with keywords such as transmitter, wires and fireworks.

- "Mr. Mahmood was working for the British gas company, Transco, and had stolen sensitive CD-ROMs from National Grid, a British utility, that detailed the layout of hundreds of kilometres of high-pressure gas pipelines in southeast England."

And the insider threat was just an overhyped threat with lack of statistical evidence of it happenning. Think twice. Don't dedicate efforts in ensuring such information never makes it out of the organization due to terrorist fears only, but consider the consequences of it getting into the wrong hands at the first place.

- "A notebook in the living room included references for books including The Virtue of Jihad, and Declaration of War."

Propaganda writings are easily obtainable online, which reminds me that monitoring them to the very last mile is worth the risk in order to further expand their network, of both, sites they visit and people they communicate with.

- "Downloaded on to his laptop was a computer file, The Mujahideen Explosive Handbook. It contained the exact recipe to build an ammonium nitrate bomb."

On purposely placed online DIY manuals can act as honeypots themselves. As we've already seen, counter-terrorism forces across the world are establishing such fake cyber jihad communities in order to lure and monitor wannabe jihadists. But monitoring who's obtaining the already hosted in the wild manuals, is far more beneficial than hoping someone will eventually fall a victim into your cyber trap.

In another related research by the RAND Corporation entitled "Exploring Terrorist Targeting Preferences" the authors try to come up with various scenarios on the process of prioritizing possible targets such as :

"the coercion hypothesis; the damage hypothesis; the rally hypothesis; and the franchise hypothesis. If Al-Qaeda directs the next attack the coercion and damage hypothesis, and, quite possibly both, are the most likely to influence the nature of the target.

Great psychological imagination applied in the paper, worth the read. From a statistical point of view, the probability of death due to a car accident is higher than that of a terrorist attack, so consider escaping the FUD related to terrorism that's streaming from your favorite TV channels in order to remain objective. The ugliest part of them all is that everyone's discussing the post-event actions taken, and no one is paying any attenting to the pre-event activities that made it possible, and with training camps under heavy fire, the digitalization of terrorist training is taking place.

And here's another great analysis, this time covering the process of how terrorists send money by combining anonymous Internet services in between mobile banking :

"Advanced mobile technology, cooperation between international mobile communications providers and international financial institutions and the lack of regulations make for a swift, cheap, mostly untraceable money transfer -- known as "m-payments" -- anywhere, anytime, by anyone with a mobile telephone."

Dare we say adaptive? Continue reading →

Winamp PoC Backdoor and a Zero Day

Listen to your infection? Not necessarily as this backdoor binds cmd.exe on port 24501, but needs to be socially engineered in the form of a plugin for Winamp. Code originally released in December, 2006, see attached screenshot. Not much of a fun here either, but as the folks at SANS point out Winamp doesn't play .MP4 files automatically from a web page, so no chance to have it embedded within popular sites and cause mass outbreaks as we saw it happen with the with ANI exploit code and the WMF one.

gen_wbkdr.dll
File size: 45056 bytes
MD5: 74d149f4a1f210ea41956af6ecedb96b
SHA1: 5a2e8d5727250a647ce44d00cf7446775e6cd7d5 Continue reading →

Anti-Censorship Lifestyle

Following a previous post on security lifestyle(s), and in between the ongoing efforts to censor a 16 digit number I feel it's about time you dress yourself properly in case you haven't done so already. Censorship in a Web 2.0 world is futile, the way security through obscurity is. Seems as everyone's talking about the number today, there's even a domain name registered with it. Continue reading →

The Brandjacking Index

Picture a situation where a customer gets tricked into authenticating at the wrong site of company XXX. Would they do business with company XXX after they get scammed, trojan-ized, and spammed to (virtual) death? I doubt so, and as we can also see in the results of a recently released survey on whether or not customers would do business with retailers who exposed personal data - they'd rather dump them right away.

MarkMonitor just released their first quarterly Brandjacking Index :

"The Brandjacking Index investigates trends, including drilled-down analysis of how the most popular brands are abused online and the industries in which abuse is causing the most damage. The report examines the ever-adaptive tactics of brandjackers such as cybersquatting, false association, pay-per-click (PPC) fraud, domain kiting, objectionable content, unauthorized sales channels and phishing. The Brandjacking Index tracks the top 25 brands from the 2006 Top 100 Interbrand study plus additional Interbrand ranked companies for business segment analysis."

The old marketing rule that a dissatisfied customer will share the bad experience with at least five more fully applies here, and given he or she's an opinion leader in their circle - you've got a problem as it's your brand in the domain name. Therefore, despite the companies developing a market segment for timely and reliably shutting down phishing sites, the most obvious "cybersquatted" domains shouldn't even be allowed to get registered at the first place. But given the flexibility of registering a domain these days, from a company's perspective, cybersquatting's an uncontrollable external factor, and in order to protect their future flow of "soft dollars" efforts to monitor the domain space are highly advisable.

There're several key techniques you should keep in mind. Cybersquatting, vulnerabilities within the browser to spoof the status bar and make it look like the legitimate page, or a malware infected PC that's basically redirecting all the known E-banking sites to fake ones. No anti virus, no Ebanking is highly advisable, yet not a solution to the problem, and E-banking site's compatibility with the most popular -- and targeted -- Internet Explorer browser ONLY, turn many precautions into a futile attempt to deal with the problem -- heading in the opposite direction. The question is, which technique is more effective at the end user's perspective, and how should the targeted organizations deal with this indirect form of attack on their brands, reputation and the rest of the "soft dollars" goodies such as favorable PR and stakeholder's comfortability? From another perspective, who's more irresponsible, the unaware end user, or banks whose web application security ignorance make it easier for phishers to establish trust?

One solution to the problem is shortening the lifetime of such a domain to the minimum by tracking and shutting them down by using a commercial service like this online trademark monitor, a screenshot of which you can see at the top of the post. Perhaps rather resources-consuming, but educating your customers for their own safety in times when anyone can register a pay-pal-login.tld domain like through third-party registers, is another way to go. Did I mention that anti-phishing toolbars are a free alternative in case common sense fails -- like it does? Continue reading →

Cryptome Under Fire

John Young at Cryptome.org is reporting that its hosting provider decided to terminate their relationship on the basis of violating their Acceptable Use Policy :

"This notice of termination is surprising for Verio has been consistently supportive of freedom of information against those who wish to suppress it. Since 1999 Cryptome has received a number of e-mailed notices from Verio's legal department in response to complaints from a variety of parties, ranging from British intelligence to alleged copyright holders to persons angry that their vices have been exposed (see below). In every case Verio has heretofore accepted Cryptome's explanation for publishing material, and in some cases removal of the material, and service has continued. In this latest instance there was no notice received from Verio describing the violation of acceptable use to justify termination of service prior to receipt of the certified letter, thus no opportunity to understand or respond to the basis for termination."

Guess who'll be the first echo-cursing in an unnamed CavePlex? That'll be Osama Bin Laden feeling sorry for not making copies of key documents on how the U.S Coast Guard is vulnerable to TEMPEST attacks. Cutting out the sarcasm, Cryptome is an OSINT heaven, no doubt about it, but it's also an initiative debunking the entire concept that secrecy actually results in improved and sustained security on an international level.

The data collected at Cryptome would never be destroyed, mainly because it's all digital, it's all distributable, and it simply wants to be free. Thought of the day - The man who brought fire to the world got burned at the stake. Continue reading →

Video Demonstration of Vbootkit

Orignally introduced at this year's Blackhat con in Amsterdam, the Vbootkit is a kit showcasing the execution of unsigned code on Windows Vista. Recently, the researchers released two videos demonstrating the attack worth watching. Here's the authors' research itself. Answering the mythical question on which is the most secure OS, direct the reply in a "which is the most securely configured one" manner, and you'll break through the technology solution myopia and hopefully enter the security risk management stage. A secure OS from what? Nothing's unhackable, the unhackable just takes a little while -- where the invisible incentivising in the desired direction is the shortcut. Continue reading →

Malicious Keywords Advertising

Blackhat SEO's been actively abused by spammers, phishers and malware authors, each of them contributing to the efficiency of the underground ecosystem. Comments spam, splogs, coming up with ways to get a backlink from a .EDU domain, the arsenal of tools to abuse traffic acquisition techniques has a new addition - paid keyword advertising directly leading to sites hosting exploit code :

"Those keywords put the criminals' sponsored links at the top of the page when searches were run for brand name sites like the Better Business Bureau or Cars.com, using phrases such as "betterbusinessbureau" or "modern cars airbags required." But when users clicked on the ad link, they were momentarily diverted to smarttrack.org, a malicious site that used an exploit against the Microsoft Data Access Components (MDAC) function in Windows to plant a back door and a "post-logger" on the PC."

Here's another interesting subdomain that was using JPG images to "break the .exe extension ice" and redirect to anything malicious - pagead2.googlesyndication.com.mmhk.cn

What's the most cost-effective approach, yet the most effective one as well when it comes to that sort of scheme? On a quarterly basis, a "for-the-masses" zero day vulnerability becomes reality. The fastest exploitation of the "window of opportunity" until a patch is released and applied, is abused by embedding the exploit into high traffic web sites, or even more interesting, exploiting a vulnerability in a major Web 2.0 portal to further spread the first zero day. Therefore, access to top web properties is a neccessity, and much more cost effective compared to using AdSense. I wouldn't get surprised to find out that hiring a SEO expert to reposition the malicious sites is also happening at the time of blogging. Some details at McAfee's blog.

Despite the amateurs using purchased keywords as an infection vector, at another malicious url _s.gcuj.com we have a decent example of a timely exploitaition with _s.gcuj.com/t.js and _s.gcuj.com/1.htm using Microsoft's ANI cursor vulnerability to install online games related trojans - _t.gcuj.com/0.exe_ The series of malicious URLs are mostly advertised or directly injected into Chinese web forums, guestbooks etc. Here are some that are still active, the majority of AVs thankfully detect them already :

_cool.47555.com/xxxx.exe_
_d.77276.com/0.exe_
_www.puma163.com/pu/pu.exe_
_rzguanhai.com/server.exe_

The key point when it comes to such attackers shouldn't be the focus on current, but rather on emerging trends, and they have to do with anything, but malicious parties continuing to use AdSense to direct traffic to their sites in the long term. Watch a video related to the attacks, courtesy of Exploit Prevention Labs.

Continue reading →

Conventional Weaponry VS Cyber Terrorism

Insightful comment on how assymetric warfare and abusing the most versatile communication medium is something conventional weaponry cannot and should not aim to fight :

"Terrorists use a flat, open network of communications and pass their information mainly through the Internet, Lute said as he briefed the group at the Pentagon. These are aspects that defy U.S. military capability. “We buy airplanes, ships and tanks and recruit and train soldiers to deal with the geographics of a tangible target,” he said. “We can bomb training camps, and we can hunt down the enemy, but we can’t bomb the Internet.” By using a nodal network to spread their extremist ideologies, Lute said, terrorists are able to easily recruit members, acquire weapons, build leaders and receive financial backing."

A short excerpt from a previous post :

"A terrorists' training camp is considered a military target since it provides them the playground to develop their abilities. Sooner or later, it will feel the heat and dissapear from the face of the Earth, they know it, but don't care mainly because they've already produced and are distributing Spetsnaz type of video training sessions. So abusing information or the information medium itself is much more powerful from their perspective then destroying their means for communication, spread propaganda, and obviously recruit."

Reminds me of a great cartoon where soldiers are in the middle of a network centric warfare situation, all the equiptment on the field is in smoke or doesn't work, and soldiers beg the generals for more "shock and awe" action and less ELINT attacks. Which, of course, doesn't mean known adversary locations shouldn't get erased from the face of the Earth. Post strike imagery courtesy of FAS, here's the rest of the collection. Continue reading →

Malware Infected Removable Media

In a previous post I discussed various thought to be outdated physical security threats such as leaving behind CDs and DVDs malware ready and taking advantage of the auto loading feature most people conveniently have turned on by default. Seems like on purposely leaving behind pre-infected removable media with the hope that someone will pick them up and act as a trojan horse themselves, still remains rather common. Unless your organization has taken the necessary removable media precautions, a story on USB sticks with malware should raise your awareness on an attacker's dedication to succeed :

"Malware purveyors deliberately left USB sticks loaded with a Trojan in a London car park in a bid to trick users into getting infected. The attack was designed to propagate Trojan banking software that swiped users' login credentials from compromised machines. Check Point regional director Nick Lowe mentioned the ruse during a presentation at the Infosec trade show on Tuesday, but declined to go into further details, citing the need for confidentiality to protect an investigation he's involved in."

From an attacker's perspective that's an investment given USB sticks are left in parking lots around major banks, and finding a 1GB USB stick laying around would make someone's day for sure. Despite that in this case it's a banking trojan we're talking about, on a more advanced level, corporate espionage could be the main aim though the exploitation of various techniques. Continue reading →

Outsourcing The Spying on Your Wife

Targeted attacks and zero day malware have always been rubbing shoulders, and it's not just a fad despite that everyone's remembering the wide-scale malware outbreaks attacking everything and everyone from the last couple of years. But the days of segmenting targeted attacks per country, city, WiFi/Bluetooth spot coverage are only emerging.

The idea of profitably serving a demand for a service however, is promting detective agencies to adapt to today's standards for surveillance and snooping in the form of using malware to obtain the necessary information. And despite that commercially obtainable surveillance tools are cheaply available to everyone interested and taking the risk of using them, customers obviously prefer to leave it to the "pros". Here's a story of an "adaptive" detective agency using targeted emails with malware to spy :

"The jury of five woman and seven men heard how the agency used "Trojan" computer viruses, which were hidden inside emails and attacked computers when opened, allegedly created by American-based IT specialist Marc Caron. Hi-tech devices used to bug phones were installed by interception specialist Michael Hall, the court was told. Prosecutors said a number of them were fitted to BT's telegraph polls and inside junction boxes, but BT eventually hid a camera in one of the boxes and caught him at work."

Here're more details on the targeted attack :

"Mrs Mellon opened it because it "purported to show what her husband was up to", said Ms Moore. It is alleged the agency hacked into emails to snoop on Tamara Mellon. The Trojan then recorded "every keystroke that was made", she said, including such things as bank account numbers and passwords. "They didn't take any money. They didn't steal anything, but from time to time they had a little snoop on behalf of their clients," Ms Moore said."

I imagine a questionnaire from such a detective agency in the form of the following :

- The victim's IT literacy from 0 to 5?
- Are they aware of the concept of anti virus and a firewall?
- List us all their contact points in the form of IM and email accounts
- Are they mobile workers taking advantage of near-office WiFi spots?

You get the point. Hopefully, such services wouldn't turn into a commodity, or even if they do, I'm sure they'll somehow figure out a way to legally forward the responsibility to the party that initiated the request.

Related posts:
HP Spying on Board of Directors' Phone Records
HP's Surveillance Methods
Mark Hurd on HP's Surveillance and Disinformation
Continue reading →

Shots from the Malicious Wild West - Sample Seven

The Webmoner is a malware family that's been targeting the WebMoney service for the last couple of years, a service which is mostly used in Russia from both legitimate and malicious parties -- three out of five transfers by malicious parties use WebMoney and the other two use Yandex. What's interesting about this trojan, or we can perhaps even define it as a module given its 2kb packed size and compatibility with popular malware C&C platforms in respect to stats, is that it doesn't log the accounting details of Web Money customers, instead, the attacker is feeding the trojan with up to four of his Web Purses, so that at a later stage when the infected party is initiating transfer, the malware will hijack the process and intercept the payments and direct them to the attacker's web money accounts. See how various AVs are performing when detecting a sample of it.

The disturbing part is a recently made public builder, the type of DIY a.k.a the revenge of the script kiddies with a push of a button malware generation with a built in fsg packing to further obfuscate it and have it reach the 1.5kb size. See attached screenshot. This attack puts the service in a awkward situation, as the transfers are actually hijacked on the fly, and the responsibility is forwarded to the infected party, compared to a situation where the details have been keylogged and transfers made with stolen IDs. How have things evolved from 2001 until 2007? Keylogging may seem logical but is the worst enemy of efficiency compared to techniques that automatically, collect, hijack and intercept the desired accounting data. The screen capturing banking trojan Hispasec came across to is a good example presenting the trade off here. The irony? The author of the builder is anticipating malware on demand requests and charging 10 WMZ in virtual money for undetected pieces of the malware.

There's an ongoing debate on the usefulness and lack of such of popular anti virus software. In January 2007, the Yankee Group released a 4 pages report starting at $599 -- try a 26 pages free alternative released in January 2006 debunking lots of myths -- entitled "Anti-Virus is Dead: Long Live Anti-Malware" in an effort to not only generate lazy revenues on their insights, but to emphasize on the false feeling of security many AVs provide you with. As a consultant you often get the plain simple question on which is the best anti virus out there, to which you either reply based on lead generation relationship with vendors, or do them a favour and answer the question with a question - the best anti virus in respect to what? Detecting rootkits? Removing detected malware and restoring the infected files to their previous condition? Log event management compatibility with existing security events management software? Fastest response times to major outbreaks? -- psst zero day malware ruins the effect here. Or which anti virus solution has the largest dataset for detecting known malware? Anti virus is just a part of your overal security strategy, and given the anti virus market is perhaps the one with the highest liquidity, thus most $ still go to perimeter defense solutions, too much expectations and lack of understanding of the threatscape mean customer dissatisfaction which shouldn't always be the case. If anti virus software the way we use it today is dead, then John Doe from the U.S or Ivan Ivanov from Russia woud still be 31337-ing the world, the Sub7 world I mean.

Some AVs however perform better than others on given tasks. The recently released AV comparatives speak for themselves. If you're going to use an anti virus software, use one from a company who's core competency relies in anti virus software, and not from a company that entered the space through acquisition during the last couple of years, or from one where anti virus is just part of huge solutions portfolio. Boutique anti virus vendors logically outperform the market leaders -- exactly the type of advice I've been giving out for quite a while.

Related posts :
Security Threats to Consider when Doing E-banking
No Anti-Virus, No E-banking for You
The Underground Economy's Supply of Goods

Previous "virtual shots" :
Shots from the Malicious Wild West - Sample Six
Shots from the Malicious Wild West - Sample Five
Shots from the Malicious Wild West - Sample Four
Shots from the Malicious Wild West - Sample Three
Shots from the Malicious Wild West - Sample Two
Shots from the Malicious Wild West - Sample One
Continue reading →

OSINT Through Botnets

Open source intelligence gathering techniques from a government sponsored cyber espionage perspective have been an active doctrine for years, and that's thankfully to niching approaches given the huge botnet infected network -- government and military ones on an international scale as well. And yes, targeted attacks as well. It's a public secret that botnet masters are able to geolocate IPs through commercially obtainable databases reaching levels of superior quality. Have you ever thought what would happen if access to botnet on demand request is initiated, but only to a botnet that includes military and government infected PCs only? Here's a related story :

"The misuse of US military networks by spammers and other pond life is infrequently reported, but goes back some years. In August 2004, we reported how blog comment spams promoting illegal porn sites were sent through compromised machines associated with unclassified US military networks. Spam advertising "incest, rape and animal sex" pornography was posted on a web log which was set up to discuss the ID Cards Bill via an open proxy at the gateway of an unclassified military network."

From an OSINT perspective, part by part a bigger picture emerges from the tiny pieces of the puzzle, and despite that these would definitely be unclassified, a clerk's email today may turn into a major violation of OPSEC tomorrow. Moreover, the security through obscurity approach of different military networks might get a little bit shaken up due to the exposure of the infrastructure in a passive mode from the attacker's perspective.

In the wake of yet another targeted attack on U.S government networks in the form of zero-day vulnerabilities in Word documents neatly emailed to the associated parties, it's worth discussing the commitment shown in the form of the Word zero day, and the attach congressional speech to Asian diplomacy sent to Asian departments :

"The mysterious State Department e-mail appeared to be legitimate and included a Microsoft Word document with material from a congressional speech related to Asian diplomacy, Reid said. By opening the document, the employee activated hidden software commands establishing what Reid described as backdoor communications with the hackers. The technique exploited a previously unknown design flaw in Microsoft's Office software, Reid said. State Department officials worked with the Homeland Security Department and even the FBI to urge Microsoft to develop quickly a protective software patch, but the company did not offer the patch until Aug. 8 — roughly eight weeks after the break-in."

The life of this zero day vulnerability started much earlier than anyone had predicted, and obviously specific emails of various departments are known, are harvested or obtained through the already infected with malware PCs - pretty much everything for a successful targeted attacks seems to be in place right? But what makes me wonder is where are the attacking emails originating from, an infected ADSL user somewhere around the world whose spoofed .gov or .mil email somehow made it not though and got undetected as spam, or from an already infected .gov or .mil host where the attackers took advantage of its IP reputation?

In the majority of news articles or comments I come across to, reporters often make the rather simplistic connection with China's emerging cyber warfare capabilities -- a little bit of Sun Tzu as a school of thought and mostly rephrasing U.S studies -- whenever an attacking email, or attack is originating from China's netblocks. Perhaps part two of my previous post "from the unpragmatic department" sparkled debate on physically bombing the sources of the attacks, just to make sure I guess. Engineering cyber warfare tensions nowadays, providing that China's competing with the U.S for the winning place on botnet and spam statistics for the last several years speaks for itself -- the U.S will find itself bombing U.S ISPs and China will find itself bombing Chinese ISPs. So the question is - why establish an offensive cyber warfare doctrine when you can simple install a type of Lycos Spam Fighting screensaver on every military and government computer and have it periodically update its hitlists?

Black humour is crucial if you don't want to lose your real sense of humour, and thankfully, for the time being an offensive cyber warfare provocation -- or the boring idleness of botnet masters -- isn't considered as a statement on war yet. The Sum of All Fears's an amazing representation of engineering tensions in real-life, so consider keeping your Cyber Defcon lower.

Open source visualization courtesy of NYTimes.com, MakeLoveNotSpam's effect courtesy of Netcraft.

UPDATE: Apparently, seven years ago North Korea's hyped cyber warfare unit was aware of the concept of targeted attacks so that :

"Kim Jong Il visited software labs and high-tech hubs during his rare trips to China and Russia in 2000 and 2001. When then-U.S. Secretary of State Madeleine Albright visited Pyongyang in 2000, he asked for her e-mail address."

On a future visit, in a future tense, perhaps IM accounts would be requested to rotate the infection vectors. Meanwhile, read a great article on North Korea's IT Revolution, or let's say a case study on failed TECHINT due to a self-serving denial of the word globalization. Continue reading →

Google in the Future

Great fake as a matter of fact. Don't blame the crawler while crawling the public Web, but the retention of clickstreams for indefinite periods of time and the intermediaries selling them to keyword marketers. And of course the emerging centralization of too much power online with its privacy implications -- power and responsibility must intersect. Two more fakes for you to enjoy. Continue reading →

Shots from the Malicious Wild West - Sample Six

Continuing the "Malicious Wild West" series, the Blacksun RAT integration on the web is so modules-friendly it makes you wonder why it's not another case study on malware on demand, but a publicly obtainable open source malware like it is. Process injections in explorer.exe by default, and with a default port 2121, this HTTP bot is still in BETA. And BETA actually means more people will play around with the code, and add extended functionalities into it. There's a common myth that the majority of botnets are still operated through IRC based communications, and despite that there're still large botnets receiving commands through IRC, there's an ongoing shift towards diversification and HTTP in all of its tunneling and covert beauty seems to be a logical evolution.

Here are some commands included in default admin.php that speak for themselves :

OPTION value=cmd
OPTION value=cmd
OPTION value=bindshell
OPTION value=download
OPTION value=ftp_upload
OPTION value=msgbox
OPTION value=power
OPTION value=monitor
OPTION value=cdrom
OPTION value=keyboard
OPTION value=mouse
OPTION value=crazymouse
OPTION value=funwindows
OPTION value=version
OPTION value=exitprocess
OPTION value=killmyself

Killmyself is quite handy in case you get control of the botnet in one way or another and desinfect the entire population with only one command. Stay tuned for various other "releases" in the upcoming virtual shots during the next couple of days. Continue reading →

Shots from the Malicious Wild West - Sample Five

Open source malware with a MSQL based web command and control? It's not just Sdbot and Agobot being the most popular malware groups that have such features by default, but pretty much every new bot famility. The Cyber Bot, a malware on demand is one of these. Among the typical DDoS capabilities such as SYN,ACK, ICMP, UDP, DNS and HTTP post and get floods, it offers various rootkit capabilities in between the ability to bypass popular AV and firewall software. I recently located various screenshots from the web command and control which I'm sure you'll find enlightening. A picture is worth a thousand fears as usual. Rather interesting, the bot is able to figure out whether the infected user is on a LAN, dialup, or behind a proxy connection, the rest of the statistics such as IP geolocation and infected users per OS are turning into a modular commodity. It's also worth noting that the web interface has the capability to offer access to the control panel to more than one registered user, which logically means that it's build with the idea to provide rental services.

Here's a related post with more web command and control screenshots, and another one taking into consideration various underground economics. Continue reading →

A Compilation of Web Backdoors

The other day I came across to a nice compilation of web backdoors only, and decided to verify how well are various AVs performing when detecting them :

"I have collected some WEB backdoors in the past to exploit vulnerable file upload facilities and others. I think a library like this may be useful in a variety of situations. Understanding how these backdoors work can help security administrators implement firewalling and security policies to mitigate obvious attacks."

Here are some results listing the AVs that detected them -- as they should :

* name: cfexec.cfm
* size: 1328
* md5.: cce2f90563cb33ce32b6439e57839492
* sha1: 01c50c39e41c6e95262a1141dbfcbf9e8f14fc19

_No AV detects this one

* name : cmdasp.asp
* size: 1581 bytes
* md5: d0ef359225f9416dcf29bb274ab76c4b
* sha1: 9df3e72df372c41fe0a4d4f1e940f98829b752e1

Authentium 4.93.8 04.14.2007 ASP/Ace.G@bd
Avast 4.7.981.0 04.16.2007 VBS:Malware
BitDefender 7.2 04.16.2007 Backdoor.ASP.Ace.C
ClamAV devel-20070312 04.16.2007 ASP.Ace.C
DrWeb 4.33 04.16.2007 BackDoor.AspShell
Ewido 4.0 04.16.2007 Backdoor.Rootkit.10.a
F-Prot 4.3.2.48 04.13.2007 ASP/Ace.G@bd
F-Secure 6.70.13030.0 04.16.2007 ASP/Ace.G@bd
Kaspersky 4.0.2.24 04.16.2007 Backdoor.ASP.Ace.q
Microsoft 1.2405 04.16.2007 Backdoor:VBS/Ace.C
Symantec 10 04.16.2007 Backdoor.Trojan
VBA32 3.11.3 04.14.2007 Backdoor.ASP.Rootkit.10.a#1
Webwasher-Gateway 6.0.1 04.16.2007 VBScript.Unwanted.gen!FR:M-FW:H-RR:M-RW:M-N:H-CL:H (suspicious)

* name: cmdasp.aspx
* size: 1442
* md5.: 27072d0700c9f1db93eb9566738787bd
* sha1: 2c43d5f92ad855c25400ee27067fd15d92d1f6de

_No AV detects this one

* name: simple-backdoor.php
* size: 345
* md5.: fcd01740ca9d0303094378248fdeaea9
* sha1: 186c9394e22e91ff68502d7c1a71e67c5ded67cc

_No AV detects this one

* name: php-backdoor.php
* size: 2871
* md5.: 9ca0489e5d8a820ef84c4af8938005d5
* sha1: 89db6dc499130458597fe15f8592f332fb61607e

AhnLab-V3 2007.4.19.1/20070419 found [BAT/Zonie]
AntiVir 7.3.1.53/20070419 found [PHP/Zonie]
Authentium 4.93.8/20070418 found [PHP/Zackdoor.A]
AVG 7.5.0.464/20070419 found [PHP/Zonie.A]
BitDefender 7.2/20070419 found [Backdoor.Php.Zonie.B]
F-Prot 4.3.2.48/20070418 found [PHP/Zackdoor.A]
F-Secure 6.70.13030.0/20070419 found [PHP/Zackdoor.A]
Ikarus T3.1.1.5/20070419 found [Backdoor.PHP.Zonie]
Kaspersky 4.0.2.24/20070420 found [Backdoor.PHP.Zonie]
McAfee 5013/20070419 found [PWS-Zombie]
Microsoft 1.2405/20070419 found [Backdoor:PHP/Zonie.A]
NOD32v2 2205/20070419 found [PHP/Zonie]
Norman 5.80.02/20070419 found [PHP/Zonie.A]
VBA32 3.11.3/20070419 found [Backdoor.PHP.Zonie#1]
Webwasher-Gateway 6.0.1/20070419 found [Script.Zonie]

* name: jsp-reverse.jsp
* size: 2542
* md5.: ebf87108c908eddaef6f30f6785d6118
* sha1: 24621d45f7164aad34f79298bcae8f7825f25f30

_No AV detects this one

* name: perlcmd.cgi
* size: 619
* md5.: c7ac0d320464a9dee560e87d2fdbdb0c
* sha1: 6cd84b993dcc29dfd845bd688320b12bfd219922

_No AV detects this one

* name: cmdjsp.jsp
* size: 757
* md5.: 3405a7f7fc9fa8090223a7669a26f25a
* sha1: 1d4d1cc154f792dea194695f47e17f5f0ca90696

_No AV detects this one

* name: cmd-asp-5.1.asp
* size: 1241
* md5.: eba86b79c73195630fb1d8b58da13d53
* sha1: 22d67b7f5f92198d9c083e140ba64ad9d04d4ebc

Webwasher-Gateway 6.0.1/20070419 found [VBScript.Unwanted.gen!FR:M-FW:M-RR:M-RW:M-N:H-CL:H (suspicious)]

Rather interesting, there have been recent targeted attacks aiming at gullible admins who'd put such web shells at their servers, thus opening a reverse shell to the attackers. As always, this compilation is just the tip of the iceberg, as Jose Nazario points out having variables means a different checksum, and considering the countless number of ASP, PHP and PERL based reverse backdoors, the threat is here to remain as silent and effective as possible. Grep this viruslist, especially the ASP, PHP and PERL backdoor families to come up with more variants in case you want to know what's already spotted in the wild. Here's a very well written paper by Gadi Evron on Web Server Botnets and Server Farms as Attack Platforms discussing the economies of scale of these attacks. Continue reading →