A Multi Feature Malware Crypter

July 18, 2007
Compared to the malware crypters I covered in previous posts -- part of the Malicious Wild West series -- this one goes way beyond the usual file obfuscation. Although it's offered for sale and not yet in the wild, it includes anti-sandboxing and anti-virtual machine capabilities, as malware authors have started feeling the pressure these two detection concepts put on their releases.

Features include:
- Add File to load on Memory
- Add File to load on Browser
- Add File to drop on Temp
- Add File to drop on System
- Add File to drop on Windows
- Process injection
- Different crypting routines on a per buyer basis
- Mega icons pack with the purchase

So let's sum up: the end user isn't bothering to update her anti virus signatures, and even if she did, and regardless of a vendor's response time, the concept of zero day malware and rebooting the lifecycle of a malware release by crypting it is sort of ruining the signature-based scanning approach. Still living in the suspicious file attachments world, the end user easily falls victim to web site embedded malware taking advantage of months old client side vulnerabilities in her web browser, media player and everything in between. Botnet communication platforms are maturing, not with the idea to innovate, but to diversify the communication channels, and so are malware embedding and statistics kits. OSINT through botnets, given the number of infected PCs, is a fully sound practice, and so is corporate espionage through botnets.

Moreover, what used to be a situation where malware authors were doing their best to keep their releases as invisible as possible has become one where malware directly exploits vulnerabilities within anti virus software to evade detection or get rid of the anti virus software itself. In fact, malware authors have become so efficient that vendors are coming up with very interesting stats on the greediest, smallest, largest and most malicious malware on a monthly basis.

As always, the "best" is yet to come.

Bluetooth Movement Tracking

July 18, 2007
Passing by the local Hugo Boss store, all of a sudden you receive an SMS message - "It's obvious you like our new suits collection since that's the 5th time you've passed by our store, spending on average 15 seconds staring at them. So, why don't you come inside and take a closer look for yourself?". Spooky? For sure, but with bluetooth movement tracking to facilitate purchases slowly emerging in the practices of evil marketers, basically generating even more touch points with the assets in their brands' portfolios, it's something to keep an eye on:

"When the project was deployed at the ZeroOne Festival in San Jose, California, the system sent attendees messages about where they had been and asked about their intentions for being there. For example, one such message read, “You were in a flower shop and spent 30 minutes in the park; are you in love?” Those contacted were eventually led to the Loca kiosk where they could obtain a log of all their activities, which sometimes reached over 100m long. It should be noted that movement was only tracked on phones with discovery mode turned on."

Marketing research and facilitating purchases aren't the only incentives for marketers, and of course for malicious attackers looking for innovative ways to socially engineer you into accepting a bluetooth connection, even an attachment. Measuring the ROI of advertising and sales practices that used to lack reliable metrics is becoming rather common, like for instance these Big Brother style billboards that measure how many people actually looked at them:

"If you’ve ever seen a poster in the mall that you’ve liked and stared at it for some time, chances are, that poster will be staring right back. This is, however, not so much of a "Big Brother" gimmick as much as it is a marketing tool. From xuuk, a Canadian-based company specializing in cutting-edge technology, comes the eyebox2. This contraption is essentially a tiny video camera surrounded by infrared light-emitting diodes. It can record eye contact with 15-degree accuracy at a distance of up to 33 feet, so even a simple glance from someone in passing will be tallied into the score."

I can certainly speculate that this technology will evolve in a way that it will be able to tell whether it was a male, or a female that looked at it, and if data from local stores gets syndicated to tell the system the prospective customer took notice of the store itself, it would provide the marketers with enough confidence to SMS you a discount offer valid in the next couple of hours only while you're still somewhere around a local store.

The convergence of surveillance technologies is a fact, and what's measuring the ROI of a marketing campaign to some is an aggressive privacy violation to others. But as we've already seen with the pattern of such technologies around the world, first they get legally abused, then customers suddenly turn into vivid privacy activists, and later on they get the option to opt in and opt out so that everyone's happy.


Targeted Extortion Attacks at Celebrities

July 17, 2007
Who else wants to hack celebrities besides wannabe uber leet h4x0rs looking for fame while brute forcing the username "Philton" with a dictionary of common pet names? Digitally naughty paparazzi wanting to have celebrities do their work for them? Not necessarily, as third parties are looking for direct revenue streams out of obtaining personal, and often devastating to a celebrity's PR, photos through targeted hacking attacks combined with extortion attempts:

"According to the police and S.M. Entertainment Friday, a 23-year-old college student was arrested for hacking a blog of singer BoA and blackmailing her, threatening to spread her private photos. The student, identified as Seo, sneaked onto BoA's Cyworld blog in April 2006 and obtained photos that she took with a male singer. He sent e-mails to her manager to threaten that he would release the photos if they did not provide money. He took 35 million won. S.M. Entertainment said in a press release that the victim was BoA and the male singer was Ahn Danny, former member of pop group g.o.d., and the two have been close friends."

This type of extortion attack is fundamentally flawed, based as it is on the attacker's perspective that the stolen personal data is most valuable to the person facing the privacy exposure, totally excluding the possibility of forwarding it to third parties such as the "yellow press". Timing, as in cryptoviral extortion, is everything: for instance, a couple of million dollars' worth of PR campaign positioning the singer as a vivid anti drugs and anti alcohol activist could turn into a fiasco if pictures of her stoned and dead drunk leak at that very particular moment. Celebrity endorsement is always tricky, and in the very same way your brand can harness the popularity of a celebrity, your entire business model could become dependent on someone's ability to manage stress without getting involved in synthetic sins.

Here's yet another related story, this time targeting Linkin Park:

"In a plea agreement, she said she was able to see the family's photographs and travel plans, as well as information about a home they had purchased. She also read messages sent between Linkin Park's record company and lawyer, including a copy of the band's recording contract."

Meanwhile, more targeted attacks make their invisible rounds across the world:

"On June 26, MessageLabs intercepted more than 500 individual email attacks targeted toward individuals in senior management positions within organizations around the world. The attack was so precisely addressed that the name and job title of the victim was included within the subject line of the email. An analysis of the positions targeted reveals that Chief Investment Officers accounted for 30 percent of the attacks, 11 percent were CEOs, CIOs accounted for almost seven percent and six percent were CFOs."

For quite some time spammers have been segmenting and sort of data mining their harvested email databases, not only to get rid of fake emails and ones purposely distributed by security companies, but also to start offering lists on a per country, per city, even per company basis. In a Web 2.0 world, top management is actively networking in ways never imagined before, and although privacy through obscurity may seem a sound approach, someone out there will sooner or later get malware infected and have their HDD harvested for emails, thus exposing what's thought to be a private email address of a top executive. I often come across such segmented propositions for specific emails of specific companies, and even more interesting, people are starting to request emails for certain companies only, so that they can directly target the company in question with typical zero day malware packed and crypted to the bottom of its binary brain.

Despite all these emerging trends, we should never exclude the possibility of a guerrilla marketing campaign based on a celebrity's leak of personal, often nude, data, a technique in the arsenal of the truly desperate.

Insecure Bureaucracy in Germany

July 11, 2007
First, it was data mining 22 million credit cards to see who purchased access to a set of child porn sites, only to figure out the obvious - that the accounts were purchased with stolen credit cards - and now, declaring that hacking tools are illegal is nothing more than creating a bureaucratic safe haven on the local scene. And while pen-testers in Germany will do password cracking with paper and pen to verify that their password best practices are indeed enforced and taken seriously, script kiddies that just compiled yet another 5GB rainbow table will have a competitive advantage by default:

"The distinctions between, for example, a password cracker and a password recovery tool, or a utility designed to run denial of service attacks and one designed to stress-test a network, are not properly covered in the legislation, critics argue. Taken as read, the law might even make use of data recovery software to bypass file access permissions and gain access to deleted data potentially illegal."

The idea greatly relies on the hope that Germany's Internet is an isolated Intranet where, if no one can have access to hacking tools, then no one will be able to find vulnerable hosts and actually exploit them. But the reality is that it's all a matter of perspective. By not wanting to conduct a security audit of your assets, and with the lack of any (detected) breaches, you're enjoying a nice false sense of security. This story is a great example of bureaucrats evangelizing security through obscurity on a wide scale, where every single script kiddie on the other side of the world will have access to a commodity set of pen-testing tools to showcase age-old vulnerabilities in Germany's infrastructure. Of course, you're secure in your own twisted reality, but limiting access to pen-testing tools for a security consultant, and to evil hacking programs for others, in order to improve security is not just unpragmatic, but naive as well. Here's an interview with Marco Gercke, a local expert on the topic.

This is not just a separate case in Germany, but looks like a growing trend, with a previous discussion on whether or not German law enforcement should code and use malware on a suspect's PC, something the FBI is by the way already doing in the form of keyloggers to obtain passphrases that are impossible to crack, at least with respect to brute-forcing PGP and Hushmail accounts. So what could be next? A law that would open up cooperation with anti virus vendors doing business in the country, in the form of either not detecting or delaying signatures for law enforcement coded malware? Or law enforcement starting to bid for zero day vulnerabilities right next to an intelligence agency, without either of them knowing who the competing bidder is?

Another bureaucratic development from the past is related to the U.K.'s perspective on how to obtain access to encrypted material without coding malware and keyloggers - by requesting that everyone provide their private encryption keys. It gets even more interesting with Australia joining the trend by using spyware on suspects.

Never let a bureaucrat do an ethical pen-tester's job.


E-commerce and Privacy

July 11, 2007
Privacy should be a main concern for everyone, not because you have something to hide, but because you deserve it, it's your right; on the other hand, the thin line between a sales department preserving your purchasing history to later on contact you, or vice versa, to serve you better, is where the dilemma starts. Should you always have an opt-out capability, thus ruining someone's marketing data aggregation model, or should you be willing to share it in order to receive a better customer experience?

In a recently conducted study, researchers at Carnegie Mellon University came to the conclusion that people are in fact willing to pay more when their privacy is ensured, but mind you - ensured in a merchant's privacy policy only. Is this a feasible protective measure or just compliance-centered and automatically generated text you come across on every merchant's web site? Or how harsh is reality in fact in this case?

"The study, led by Lorrie Cranor, director of the Carnegie Mellon Usable Privacy and Security (CUPS) Lab, found that people were more likely to buy from online merchants with good privacy policies, as identified by Privacy Finder and were also willing to pay about 60 cents extra on a $15 purchase when buying from a site with a privacy policy they liked."

One of the most famous breaches of personal data aggregators, one that really made it all over the world, was ChoicePoint, a U.S.-based personal data aggregator. Famous mainly because of the huge number of affected individuals, which doesn't mean a bigger breach hasn't already happened somewhere around the world; the thing is, across the world it is still not very common to report a security breach, even where required by law -- and perhaps even if you were willing, you wouldn't be able to report something you're not aware of in the first place, would you? Looking at a merchant's/data aggregator's privacy policy, given you have enough experience to tell the authentic policy from the automatically generated one, you often see something like this line from ChoicePoint's privacy policy, for instance:

"Once we receive personally-identifiable information, we take steps to protect its security on our systems. In the event we request or transmit sensitive information, such as credit card information or Social Security Numbers, we use industry standard, secure socket layer ("SSL") encryption. We limit access to personally-identifiable information to those employees who need access in order to carry out their job responsibilities."

The same is the case with Amazon, eBay and the rest of the E-commerce icons. In 2007, even phishers use SSL certificates to make their spoofs look more legitimate, and again in 2007 the majority of reported data breaches are due to laptop losses rather than network or even insider related vulnerabilities. Therefore, even though the law requires a privacy policy, having one doesn't mean that purchasing history and personal data won't get exposed.

Common privacy assurance criteria on major merchants' sites remain:

- TRUSTe certificate
- Hackersafe check
- Compliance with industry standard security best practices

Best practices are a necessary evil, evil because what they're missing is exactly what attackers are exploiting - the pragmatic vulnerabilities used to obtain the data in question, as opposed to entering the target through the main door. Back in the times of the dotcom boom, when Web 2.0's mature business models were a VC's dream come true, the overall perspective on Internet crime had to do with the concept of directly transferring funds from a bank hacked through network vulnerabilities, while in reality, from an attacker's point of view, it's far more effective to target its customers directly. Which is exactly the case with E-commerce and privacy: either the merchant will store your business relationship with them and expose it, or you will somehow leak it out yourself.

Whatever the case, a privacy policy is words, and common sense obviously remains a special mode of thinking for the majority of web shoppers.


The Extremist Threat from Metallica

July 09, 2007
No, this is serious - James Hetfield from Metallica was questioned by airport security personnel before the Live Earth concert in London because of his "taliban-like beard":

"According to British newspaper The Times, the rocker jetted into Luton airport ahead of Saturday's Live Earth concert at Wembley Stadium - where his legendary rock band was due to perform - but was halted by officials before he could leave the terminal. The legendary frontman was then subjected to a brief line of questioning, after which security-conscious officials were left red-faced when Hetfield explained he was a member of a world-famous rock band."

In 2007, if you're named Muhammad you'll be living the life of someone else's stereotype that you're a terrorist, and with a beard it's even more suspicious, which is perhaps why Muslims in the U.K. started an anti-terror campaign, "Not in Your Name", trying to distinguish themselves from such simple and totally wrong stereotypes.

Terrorist Groups' Brand Identities

July 09, 2007
The author of this compilation of terrorist groups' logos makes good use of the business logo and brand identity analogy to discuss whether or not the logos of terrorist groups successfully communicate their message or vision:

"I did some research and rounded up as many logos as I could find from terrorist groups past and present. While I hate to give terrorists any more attention, I still think it’s interesting to see the various approaches they took in their logos, and wonder what considerations went into designing them. Does the logo successfully convey the organization’s message? Is it confusingly similar to another group’s logo? Does it exhibit excessive drop shadows, gradients, or use of whatever font is the Arabic equivalent of Papyrus?"

And while it reminds me of another business analogy, namely A Cost-Benefit Analysis of Cyber Terrorism, such analogies clearly indicate two things - first, branding is something they are aware of, and second, they understand that evil advertising can easily turn into propaganda and a brainwashing tool given the numerous PR channels they already actively use -- pretty much every Web 2.0 company that is out there. The screenshot above represents an advertisement for the Mujahideen Secrets Encryption Tool, more screenshots of which you can find in a previous post. Although the tool is freely available for wannabe jihadists to use, and no one is ever going to receive a physical box copy of it, GIMF took the time and effort to come up with a box-style software product ad, realizing the basics of branding, namely that each and every contact with the brand -- GIMF in this case -- can either weaken or strengthen the brand's image in the perception of the prospective user/customer.

Zero Day Vulnerabilities Auction

July 06, 2007
Theory and speculation both finally materialize - a 0bay auction for security vulnerabilities was recently launched, aiming to reboot the full disclosure model, currently not so financially favorable for researchers, and hopefully create a win-win-win solution for Wabisabilabi, the vendors and the researchers themselves:

"We decided to set up this portal for selling security research because although there are many researchers out there who discover vulnerabilities very few of them are able or willing to report it to the right people due to the fear of being exploited. Recently it was reported that although researchers had analyzed a little more than 7,000 publicly disclosed vulnerabilities last year, the number of new vulnerabilities found in code could be as high as 139,362 per year. Our intention is that the marketplace facility on WSLabi will enable security researchers to get a fair price for their findings and ensure that they will no longer be forced to give them away for free or sell them to cyber-criminals."

As I've been covering the topic of commercializing vulnerability research since I started blogging, and my second post was related to 0bay, or "How Realistic is the Market for Security Vulnerabilities?", I'll briefly summarize the key points and let you deepen your knowledge of the topic by going through the previous posts related to buying and selling vulnerabilities, even requesting them on demand -- which is perhaps the most sound market model in my opinion, at least with respect to relevance.

Back in December 2005, the infamous WMF vulnerability got sold for $4000, to be later injected into popular sites and embedded wherever possible. The idea behind this attack? Take advantage of the window of opportunity until a patch by Microsoft is released, but instead of enjoying the typical advantage coming from full disclosure exploit and vulnerability sites, the attackers went a little further: they also wanted to make sure that the vulnerability wouldn't even appear there in the first place. And while it later became a commodity, WMF DIY generators got released for the script kiddies to generate more noise, and for the puppet masters to remain safe behind a curtain of the click'n'infect kiddie crowd.

Several months later, a person who is the perfect representation of the phrase "Those who talk know nothing, those who don't talk know" tipped me off about a zero day shop site -- The International Exploits Shop -- that was using a push model, that is, a basic listing of the vulnerabilities offered and the associated prices, even taking advantage of marketing surveys to figure out the median price customers would be willing to pay for a zero day vulnerability.

Commercializing vulnerability research the way the company is doing it will inevitably demonstrate the lack of a communication and incentives model between all the parties in question. Moreover, if you think that a push model from the researcher is better than a pull one, even an on-demand one, think twice - it isn't. If I'm a vendor, I'd request that a high profile vulnerability be found in my Internet browser in the next two months and offer a certain financial incentive for doing so, rather than browsing through listings of vulnerabilities in products whose market share is near 1%. For the computer underground, or an information broker, there's no such thing as a zero day vulnerability, because they understand that in times when everyone's fuzzing more effectively than the vendors themselves, and transparency and social networking have never been better, a zero day to some is last month's zero day to others.

Questions remain:

- how do you verify a vulnerability is really a zero day, when infomediaries such as iDefense, Zero Day Initiative or Digital Armaments delay "yesterday's" security vulnerability or keep you in a "stay tuned" mode? How can you be sure you as an infomediary are not part of a scheme that's supplying zero days to both the underground and you?

- why put an emphasis on something that's a commodity, forgetting that the temporarily opened window of opportunity posed by today's zero day loses its value in less than a minute once an IDS signature takes care of it while a patch is released? In exactly the same fashion as malicious economies of scale, stolen personal and financial information loses value, so the attackers try to get rid of it as soon as possible, before its value decreases to practically zero. Stay tuned for a zero day vulnerabilities cash bubble.

- how do you put a value on a vulnerability, and what are your criteria? Of course, monocultural OSs get a higher priority, but does this mean that a zero day in a Mac would get more bids because of the overall perception that it's invincible, and that verification of such a vulnerability would generate an endless media echo effect, while someone's checking your current zero day propositions to see if the one he came across is still not listed there? For instance, Wabisabilabi posted a Call for iPhone vulnerabilities in the first days of their launch.

Theoretically, if everyone starts selling the zero day vulnerabilities they find, there will be people who will artificially increase a zero day's value by holding it back and keeping quiet for as long as nobody else finds it. Here's an interview I did with David Endler at the Zero Day Initiative that you may find informative, and more opinions on the topic - Computerworld; Dark Reading; Slashdot; The Register; TechTarget; Heise Security; Techcrunch, and an interesting quote from a BBC article saying that the initiative is aiming to limit the flow of vulnerabilities to the underground:

"By rewarding researchers, the auction house aims to prevent flaws getting in to the hands of hi-tech criminals."

It would have absolutely zero effect on the flow of vulnerabilities in computer underground circles, mostly because while someone may like the idea of getting a one time payment for their discovery, others would get a revenue stream for months to come by integrating it into the underground ecosystem. Even the average MPack attack kit, compared to others I've seen, showcases the reality - a huge number of people are infected and no zero day vulnerabilities are used, only ones for which patches have been available for months. Moreover, they don't just buy stockpiles of zero day vulnerabilities, but are actively discovering new ones as well and holding them back for as long as possible, as I've already mentioned.

And another one from CNET:

"WSLabi is backed by about 5 million euros ($6.8 million) from individual investors, and hopes to float on a stock exchange (probably London's AIM or a similar exchange in Oslo) in around 18 months."

If this is for real, it makes it yet another investment in the information security market to keep an eye on, in the very same fashion I've been following and speculating on SiteAdvisor's eventual, now real, acquisition. But WSLabi's road to an IPO would be a very, very bumpy one. Everyone's excluding the obvious, namely that the biggest and most targeted vendors could ruin WSLabi's entire business model by starting to offer financial incentives, let's call them that, for zero day vulnerabilities, or perhaps keep it pragmatic, namely ignore the fact that someone's trading zero days in their products, mainly because the vendors cannot be held liable for not providing patches in a timely manner or not reacting to the threat.

Two projects worth considering are ElseNot, listing exploits for every Microsoft vulnerability ever, and eEye's Zero Day Tracker, keeping track of unpatched vulnerabilities. Be careful what you wish for, so it doesn't actually happen.

Hacking the iPhone

July 05, 2007
Faster than you can say hacked! In the first days of what can be described as yet another case study on marketing buzz generation done by evil brand managers, DVD Jon is coming up with a universal unlocking app for the iPhone, and the folks at Errata Security join the party by announcing several vulnerabilities within the device as well:

"So far, Errata has found three main flaws in the long-awaited and much-hyped mobile phone/music/video player/mobile Web/email client device: a heap overflow bug in its Safari browser; a potential denial-of-service bug in its Bluetooth feature; and a data "seepage" bug that could cause seemingly innocuous data to be exposed by chatty client applications over a WiFi connection."

And here's someone pen-testing the entire device to figure out that data is leaking out. On the compatibility front, this is already proving quite handy, and judging by this step-by-step disassembly of the iPhone, a factory manager in China is definitely in a good mood today.

Cartoon courtesy of Caglecartoons.

Mujahideen Harvest Magazine - Issue 41

July 04, 2007
Compared to the quarterly released Technical Mujahid E-zine, the yearly updated Jihadist Security Encyclopedia, or the regularly updated terrorism glorifying blogs, the Mujahideen Harvest magazine is released monthly and represents a complete account of mujahideen activities in Iraq, featuring successful attacks and coming up with top 20 lists of the best explosions. Its latest issue, 41, is 45 pages long and details the strategies and events related to each attack in daily journal-like entries. This magazine (Mujahideen Harvest) is 100% related to conventional warfare achievements, and from an OPSEC perspective, is an indispensable account of each and every attack that occurred between the release of the previous and the current issue, from the perspective of the mujahideen militants. Some more info on the "publishing house" that's been releasing it:

"The Mujahideen Shura Council is an umbrella organization of a number of different Islamic terrorist groups active in Iraq, attacking U.S. and coalition forces. For some time, they have been issuing monthly printed reports in Arabic about their “successes” against U.S. forces. Almost without exception, these reports are pure Islamic propaganda and issued to rally the terrorists fighting in the Iraqi theater. The statistics they provide are usually inflated and frequently used by other terrorist groups and once translated, are often cited by anti-war, anti-U.S. groups to sway public opinion. For their October report, they made it easier to attract Western sympathizers."

Exploits Serving Domains - Part Two

June 29, 2007
The saying goes that there's no such thing as a free lunch, so let me expand it - there's no such thing as free pr0n, unless you don't count a malware infection as the price. What follows is a demonstration of the Zlob trojan in action, which occurs through the usual redirectors, and here's a related article emphasizing the IFRAME embedded pr0n sites directing traffic to the redirectors:

"Right now, we are not sure whether the porn sites are compromised to host the IFRAMES, are created to do so or are being paid to host the IFRAMES," acknowledged Trend Micro. The attack probably began June 17, the company said. Other researchers have continued to dig into the Mpack-based attacks and have shared some of their findings. Symantec Corp., for instance, asked how hackers were able to infect so many sites in such a short time and how they could inject the necessary IFRAMES code -- the malicious code they added to the legitimate sites' HTML that redirected visitors to the Mpack server -- so quickly."

Psst - they are hosting the IFRAMES; whether they were compromised or are sharing the revenue equally among the parties is a question for another discussion. The attack is quite widespread at the time of blogging; check for yourself to get a full listing of all the IFRAME-ed pr0n sites in question. Let's dissect the central hosting locations that all the other sites ultimately lead to.

At miss-krista.info - 66.230.171.36 - we have an IFRAME pointing us to todaysfreevideo.com/ad/6811214.html - 81.0.250.239 - where we are offered two pr0n videos to download, todaysfreevideo.com/teens/mr-tp01-2g2s1/1/movie1.php and todaysfreevideo.com/teens/mr-tp01-2g2s1/1/movie2.php, but the actual malware is hosted on an internal page at downloadvax.com - 85.255.118.180 -- and while as usual we get a 403 Forbidden at the main index, within the domain the pr0n surfer gets infected with the Zlob Trojan.

File size: 70853 bytes
MD5: 009ca25402ee7994977f706b96383af0
SHA1: ab60ecefcf27420a57febd5c8decc5c9f34f0e74
packers: BINARYRES

Obviously, unsafe pr0n surfing leads to malware transmitted diseases, but why call them exploit serving domains when no vulnerabilities get exploited at these URLs? Mainly because miss-krista.info is part of the exploits hosting domain farm I discussed in part one.
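A defender's check for the injection pattern the Trend Micro quote above describes: scan a page's HTML for IFRAMEs that pull content from another host and note whether they are hidden. This is an added example, not code from the original post; the HTML is constructed (with host names quoted in the post) and the helper names are hypothetical.

```python
"""Flag IFRAMEs that pull content from another host, the injection pattern
the Trend Micro quote above describes. Added example, not from the original
post; the HTML is constructed and the helper names are hypothetical.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: a page with one normal frame and one hidden off-site one.
SAMPLE_HTML = """<html><body>
<h1>Free videos</h1>
<iframe src="/player/embed.html" width="400" height="300"></iframe>
<iframe src="http://todaysfreevideo.com/ad/6811214.html" width="0" height="0"
        style="display:none"></iframe>
</body></html>"""

class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.frames.append({k: (v or "") for k, v in attrs})

def looks_hidden(attrs):
    """Zero/one-pixel size or display:none: a frame nobody was meant to see."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return (attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
            or "display:none" in style or "visibility:hidden" in style)

def offsite_iframes(html, page_host):
    """Return (src, hidden) for every IFRAME whose src is on another host;
    relative srcs stay on page_host and are not reported."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.frames:
        host = urlsplit(attrs.get("src", "")).hostname
        if host and host.lower() != page_host.lower():
            hits.append((attrs["src"], looks_hidden(attrs)))
    return hits
```

Running offsite_iframes(SAMPLE_HTML, "miss-krista.info") reports only the zero-sized todaysfreevideo.com frame, flagged as hidden.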


Post a Crime Online

June 28, 2007
In exactly the same fashion as Chicago's Crime Database, a community powered site integrating crime reports on Google Maps, Postacrime.com aims to empower police officers with citizen-submitted crimes in progress :

"POSTACRIME.COM is a free service for anyone to upload photo or video content of burglary, theft, vandalism, or other criminal acts that have been caught on camera for the purpose of identification by the public. Often times Law Enforcement is unable to apprehend criminals, even if with the best video evidence, because no one is able to identify the criminal caught on camera. POSTACRIME.COM hopes to change that."

If the site reaches YouTube's popularity by disintermediating police forces' ongoing investigative efforts, it could also act as an early warning system for the criminals themselves, especially as a cue to change areas of operation. The site is pitching itself as the World's Largest Crime Prevention Network, a bold vision, even though I find it an infomediary categorizing user submitted crimes and hoping the publicity will help identify the criminal and hopefully restore the stolen goods -- you wish. You cannot prevent crime Web 2.0 style, at least not in this way; you can aggregate publicly available crime data and present a (heat) map of a certain location based on a specific time for trends analysis.

Exploits Serving Domains

June 27, 2007
More cyber leads from the previous analysis of the Mpack-embedded dekalab.info, this time with a particular emphasis on a malicious domains farm. Multiple redirectors, blackhat SEO, XOR-ifying javascript obfuscation and a piece of rootkit installed; pretty much everything's in place as usual. The majority of redirectors are part of an exploit serving domains farm. The whole process starts from trancer.biz :

trancer.biz/sys/index.php
81.95.149.176
HTTP/1.1 302 Found
Server: nginx/0.5.17
Date: Tue, 26 Jun 2007 11:51:30 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Location: cawajanga.biz/ts/in.cgi?oscorp

HTTP/1.1 302 Found
Server: nginx/0.5.17
Date: Tue, 26 Jun 2007 11:51:31 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Location: blooded.biz/2103/index.php

Then we get redirected to blooded.biz's obfuscated payload at 81.95.149.176, in between loading cawajanga.biz/ts/in.cgi?oscorp and mobi-info.ru, where the deobfuscated XOR-ifying javascript leads us to the exact payload location; its output takes the form of Rootkit.Win32.Agent.fb

File size: 7503 bytes
MD5: 09994afd14b189697a039937f05f440f
SHA1: b9832689aa1272f39959087df41cea13fc283910
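The redirect chain captured above is the kind of thing worth walking automatically when mapping a redirector farm. Below is an added example, not code from the original post: it parses captured 302 responses (the sample is constructed from the headers quoted above) into an ordered hop list and flags every hop that leaves the current domain; the helper names are hypothetical.

```python
"""Walk a captured HTTP 302 redirect chain and summarise its hops.
Added example, not code from the original post: the responses below are
constructed from the headers quoted in the post; the helper logic is
hypothetical.
"""
from urllib.parse import urlsplit

# Constructed sample: the two 302 responses as a proxy log would show them.
CAPTURED = """\
HTTP/1.1 302 Found
Server: nginx/0.5.17
Date: Tue, 26 Jun 2007 11:51:30 GMT
Content-Type: text/html
Location: cawajanga.biz/ts/in.cgi?oscorp

HTTP/1.1 302 Found
Server: nginx/0.5.17
Date: Tue, 26 Jun 2007 11:51:31 GMT
Content-Type: text/html
Location: blooded.biz/2103/index.php
"""

def parse_responses(raw):
    """Split a captured dump into (status_code, lowercased headers) pairs."""
    out = []
    for block in raw.strip().split("\n\n"):
        lines = block.strip().splitlines()
        status = int(lines[0].split()[1])          # "HTTP/1.1 302 Found" -> 302
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")   # Date values contain colons
            headers[name.strip().lower()] = value.strip()
        out.append((status, headers))
    return out

def host_of(url):
    """Hostname of a URL; the post quotes Locations without a scheme."""
    return urlsplit(url if "://" in url else "http://" + url).hostname

def redirect_chain(start_url, raw):
    """Ordered hop list from start_url, stopping at the first non-redirect."""
    hops = [start_url]
    for status, headers in parse_responses(raw):
        if status not in (301, 302, 303, 307, 308) or "location" not in headers:
            break
        hops.append(headers["location"])
    return hops

def cross_domain_hops(hops):
    """(from_host, to_host) for each hop that leaves the domain: the
    signature of a redirector farm rather than an in-site bounce."""
    return [(host_of(a), host_of(b)) for a, b in zip(hops, hops[1:])
            if host_of(a) != host_of(b)]
```

Calling redirect_chain("trancer.biz/sys/index.php", CAPTURED) yields the three-hop chain described above, and cross_domain_hops shows that both hops change domain.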

Early Warning Security Event Systems

June 26, 2007
Years ago, early warning systems for security events used to be a proprietary service available to a vendor's customers only, or even worse, to the vendors themselves. But with more vendors realizing the marketing potential behind viral marketing, and the need for more transparency on the state of Internet attacks, nowadays such EWSs are either publicly available at a vendor's site, or accessible due to the emerging CERT-ization and aggregation of honeypot data on a country level, courtesy of the local CERTs themselves. And such is the case with ARAKIS :

"an early warning system operated by CERT Polska. ARAKIS aggregates and correlates data from various sources, including honeypots, darknets, firewalls and antivirus systems in order to detect new threats. The dashboard provides a snapshot of activity on the Internet based on data gathered from a selected group of sensors."

PING sweeps dominate the local threatscape? As always, nobody likes shooting into the dark unless of course they really have to. Several more publicly available early warning systems for security events worth considering are :

ATLAS: Active Threat Level Analysis System
CipherTrust's Real-Time PC Zombie Statistics
WatchGuard's Real-Time Spam Outbreak Monitor
ProjectHoneypot's Spam Harvesting Statistics

as well as several malware outbreak related early warning systems:

Trend Micro's Virus Map
F-Secure's World Map
PandaSoftware's Virus Map
McAfee's Virus Map

As far as any other non IT security incident on a worldwide scale is concerned, the Global Map of Security and Terrorist Events maps the "big picture".

The syndication of such publicly available data into a central dashboard is nothing new, but with so many CERTs in Europe the next big milestone to be achieved should be to first integrate the data between themselves, share it with vendors and vice versa, and then communicate the big picture for industry insiders and outsiders to see. It is an effort which could really undermine the commercial EW systems, whose business model is getting more outdated every day.

The FBI's recent "Operation Bot Roast" not only reminds me of the Wardriving Police who will wardrive and leave you flyers saying that you're vulnerable, but also that when proactive measures cannot take place, post-event ones dominate - "Dude, you're malware-infected and sending spam and phishing emails to yourself!" - not exactly what pragmatic is all about :

"OPERATION BOT ROAST is a national initiative and ongoing investigations have identified over 1 million victim computer IP addresses. The FBI is working with our industry partners, including the CERT Coordination Center at Carnegie Mellon University, to notify the victim owners of the computers."

One thing I've learnt about end users: either educate them and evaluate the results, or directly enforce practices leaving them with no other option but to stay secure by default. Most importantly, the major U.S. based ISPs sending out spam, and thus having the largest proportion of infected customers, are publicly known. So instead of giving out anti virus tips, cooperate with ISPs on the concept of filtering outgoing spam messages and DDoS attacks.

With malicious economies of scale, that is botnet masters automating the entire process of exploiting unpatched PCs, using old-school social engineering attacks taking advantage of opened up "event windows", packing and crypting their malware to exploit the flaws in the current signatures-based detection hype - is such an initiative really worth it? Time will show, but what could follow are fake FBI emails telling everyone that they're infected, a little something about the operation itself, and how visiting a certain malware embedded web site will disinfect your PC, the way we've seen it happen before.

Security Comic Strips

June 25, 2007
If everything but attitude is a commodity, let me introduce you to the first two additions from my new Unstripped Security comic strips series, to be expanded on a weekly basis. Strip One - The Blackberry Espionage Saga presents the irony in the International Intelligence Community, and Strip Two - It's All a Matter of Perspective discusses the different perspectives of commonly stereotyped participants during a malicious Internet attack. Feel free to email and embed them within your thoughts, blogs and sites, include a backlink to Unstripped Security, and subscribe to the RSS feed to get notified on the latest strips. Enjoy!

Cell Phone Stalking

June 25, 2007
Six-year-olds install hardware keyloggers at the U.K.'s Parliament, and now, as you can hear from the sweet sixteen's voice in this video, they also know how to take advantage of commercially available cell phone snooping services such as Flexispy, for instance :

"Just ask Tim Kuykendall, whose cell phone provided a portal through which a hacker gained access to the most intimate details of his life, recording family members' conversations and snapping pictures of what they were wearing. “We’ve had [times] where I’m having a conversation in my home and I get a voice mail and the conversation’s replayed; received a phone call or even checked my voice mail from a message and while I push 'OK' to listen to [it] I’m hearing a conversation going on in the living room between my daughter and my wife,” he told FOX News."

The successful surveillance, however, doesn't make him a hacker, rather a customer of a product, but what's worth considering is how he managed to infect their cell phones in the first place, namely by socially engineering them remotely, or by physically infecting the mobile device. Meanwhile, Flexispy is continuing its compatibility efforts among popular Symbian, Symbian 9, Windows Mobile, and BlackBerry devices, aiming to strengthen its position as a mobile device activity monitoring solution for some, and a cell phone stalking service for others -- two-sided copywriting messages aim to convince those who might eventually be opposed to the idea.


The MPack Kit Attack on Video

June 22, 2007
A video demonstration of MPack, courtesy of Symantec, goes through various infected sites and showcases the consequences of visiting them : "This video demonstrates how a system is compromised by a malicious IFRAME and how the MPack gang has accomplished this on literally thousands of websites (mostly Italian) through usage of an IFRAME manager tool."

Meanwhile, dekalab.info is yet another malicious URL exploiting MDAC ActiveX code execution (CVE-2006-0003) for you to analyze, among the many already patched vulnerabilities used in the latest version of Mpack. The question remains - how many zero days are currently exploited in the wild through the MPack kit? The "best" is yet to come; paying attention to the periodic new supply of loaders -- 58.65.239.180 was last updated Date: Thu, 21 Jun 2007 22:02:08 GMT -- indicates commitment.

Input URL: dekalab.info
Responding IP: 203.121.78.127
203.121.64.0 - 203.121.127.255
TIME Telecommunications Sdn Bhd

Interestingly enough, the original source of the IFRAME attack, 58.65.239.180, remains active, still acting as a redirector to 64.62.137.149/~edit/ which is again an exploit embedded page generated with the MPack kit :

- 58.65.239.180
58.65.232.0 - 58.65.239.255
HostFresh

- alpha.nyy-web.com (64.62.137.149)
64.62.128.0 - 64.62.255.255
Hurricane Electric

Evasive malware embedded attacks aim to improve their chances of not getting detected. If your browser cannot be exploited, all you will see at these IPs/URLs is a :[ sign; the rest is the obfuscated javascript attack you can see in the screenshot. Here's the deobfuscated reality as well. Periodically monitoring these IPs will result in a great deal of undetected malware variants. AVs detecting the current payload:

eTrust-Vet - Win32/Chepvil!generic

File size: 7283 bytes
MD5: ae4e60d99ec198c805abdf29e735f1a7
SHA1: b0d1b68460683d98302636ab16a0eaa4b579397d

Aruba.it has commented on the case as well. Now, let's move on, shall we?

A Blacklist of Chinese Spammers

June 22, 2007
With China no longer feeling proud of its position in the top 3 main sources of spam on a worldwide basis, the country is going a step beyond the bureaucratic measure to fight spam by licensing email servers, undertaken back in April, 2006, and has recently launched a blacklist of Chinese spammers :

"The comprehensive anti-spam processing platform (http://www.iscbl.anti-spam.cn/) will post a regularly updated blacklist of spam servers, allowing telecom operators and mail service providers to access the information. Over 100,000 IP addresses have been blacklisted thanks to public reports, said Zhao Zhiguo, vice-director of the telecommunications department of the Ministry of Information Industry. A "white list" of mail service providers will also be posted on the website, boosting the development of lawful mail service providers, such as the country's big players Sina, 163 and Sohu. ISC Secretary-General Huang Chengqing said the website will gradually open to the public and businesses to accelerate anti-spam efforts domestically and internationally."

And even though major blacklist providers have been providing such lists for years, China's inside-towards-outside approach is a great example of the most effective, yet not so popular, approach of dedicating more effort to filtering outgoing spam, compared to the current approach of filtering incoming spam. Only when responsibility is shifted to the ISPs doing nothing to filter outgoing spam -- who will later on offer you free spam protection to differentiate their USP -- can we start seeing results. 7h3 r3$t i$ a cat and mouse game, and an overall decline in the confidence and reliability of email communications.

World spamming map courtesy of Postini.

A List of Terrorists' Blogs

June 21, 2007
Following previous posts "Full List of Hezbollah's Internet Sites", and "Hezbollah's DNS Service Providers from 1998 to 2006", here's a list of terrorist/jihadist-related blogs hosted at Wordpress.com, spreading propaganda, violent videos, and yes, glorifying terrorism. The raw content is fascinating, and the main idea behind these multilingual propaganda translations is to wage a "battle of ideas".

The list and associated analyses :

Keywords density: you 531, allah 493, their 381, they 312, them 306, which 278, we 269, his 266, not 253, have 251

Keywords density: die 389, der 374, von 215, ist 187, sie 175, den 163, zu 161, das 143, dass 136, es 129

Keywords density: he 33, his 25, we 25, they 23, allah 23, news 23, shaykh 17, people 16, wa 16, fighting 14

Keywords density: he 186, his 147, not 124, allah 122, him 106, they 104, them 82, one 73, you 69, their 66

The following are no longer updated :

Here are some more worth going through or crawling :

As always, these are just the tip of the iceberg, yet another clear indication of the digitalization of jihad.

MANPADS and Terrorism

June 21, 2007
Can terrorist entities easily obtain shoulder-launched surface-to-air missiles, and how are they achieving it? How is sensitive military technology leaking into the hands of those supposedly not in a position to take down modern aircraft? Has the overall shift of discussion, aiming to shed more light on the guerrilla type of asymmetric dominance terrorists have, excluded the real discussion of how MANPADS and night vision equipped fighters take lives on a daily basis in the very sense of conventional warfare?

FAS analyst Matt Schroeder tries to answer these questions in a recently released publication entitled "Global efforts to control MANPADS" :

"Preventing the acquisition and use of man-portable air defence systems (MANPADS) by terrorists and rebel groups has been a matter of concern since the early 1970s. However, despite the persistence of the threat MANPADS pose to aviation, it was the 2002 al-Qaeda attack on an Israeli civilian aircraft flying out of Mombassa, Kenya, that focused world attention on the issue. This introductory section continues by providing some basic information on the development and main types of MANPADS and their capabilities. Section II of this appendix gives an overview of the main threats posed by the weapon. Section III reviews efforts to control the weapon prior to the Mombassa attack, and section IV examines contemporary counter-MANPADS efforts. Section V presents some concluding observations and recommendations for further action."

Export controls, stockpile destruction, physical security and stockpile management practices, buy-back programmes, and active defence measures: airports and airliners are among the key topics discussed. Here's a related post on the topic "Video Shows Somali Insurgent with Sophisticated SA-18 Missile" as well.

Images courtesy of a MANPADS related article in the second issue of the Technical Mujahid E-zine.