Collected in the Wild

Nothing special, looks like a downloader, tries to connect to *****.cc/getcommand.php?addtodb=1&uid=rtrtrele.CurrentU. to get the payload that's packed and repacked quite often. File length: 2829 bytes. MD5 hash: 2147eb874fefe4e6a90b6ea56e4d629a.

The next one is rather more interesting as it's a registry backdoor, creating a new service and opening up a listening port 5555. File length: 21504 bytes. MD5 hash: 406e3fc8a2f298a151890b3bee9d7b18.

Creates service "msntupd (msntupd)" as "C:\WINDOWS\SYSTEM32\regbd.sys".

Inside an Email Harvester's Configuration File

In previous posts on web application email harvesting, and the distributed email harvesting honeypot, I commented on a relatively less popular threat - the foundation for sending spam and phishing emails, namely collecting publicly available email addresses. The other day I came across an email harvester and decided to comment on its configuration file.

Type of file extensions to look in :
TargetFile=abc;abd;abx;adb;ade;adp;adr;bak;bas;cfg;cgi;cls;
cms;csv;ctl;dbx;dhtm;dsp;
dsw;eml;fdb;frm;hlp;imb;imh;imh;imm;inbox;ldb;ldif;mbx;
mda;mdb;mde;mdw;
mdx;mht;mmf;msg;nab;nch;nfo;nsf;nws;ods;oft;pmr;pp;ppt;
pst;rtf;slk;sln;sql;stm;tbb;tbi;txt;uin;vap;vcf;myd;html;htm;htt;js;
asm;asp;c;cpp;h;doc;ini;jsp;log;mes;php;phtm;pl;
shtml;vbs;xhtml;xls;xml;xml;wsh;

Domains to look in :
TargetDomain=ru;com;net;cz;in;info;uk;fr;by;edu;it;de;ua;pl;nz;am;tv;

As you can see, this one is Europe centric.

Blacklisted usernames and domains :
BlackList=root;info;samples;postmaster;webmaster;noone;nobody;
nothing;anyone;someone;your;you;me;bugs;
rating;site;contact;soft;somebody;privacy;service;help;submit;feste;
gold-certs;the.bat;page;admin;support;ntivi;unix;bsd;linux;listserv;certific;
google;accoun;spm;spam;www;secur;abuse;
.mil;.ftn;@hotmail;@msn;@microsoft;rating@;f-secur;news;update;.gov;@fido;anyone@;bugs@;contract@;feste;gold-certs@;help@;info@;nobody@;noone@;kasp;sopho;@foo;
@iana;free-av;@messagelab;winzip;winrar;samples;abuse;panda;cafee;
spam;pgp;@avp.;noreply;local;root@;postmaster@;
.fidonet;subscribe;faq;@mtu;.mtu;.mgn;.plesk;.sbor;.port;.hoster;
@novgorod;@quarta;.nsk;.talk;.tomsknet;
@suct;.lan;.uni-bielefeld;@ruddy;.msk;@individual;.interdon;
@php;@zend; feedback;.lg;.lnx;@hostel;@relay;
.neolocation; @example;.kirov;.z2;.fido;.tula;
@intercom;@olli;@ozon; @bk;@lipetsk;@ygh;
.eltex;.invention;.intech;@cityline;.kiev;@4ax;
.senergy;@mail.gmail;@butovo;

F-Secure, Kaspersky, MessageLabs, Panda Software and McAfee are taken into consideration, but the best part is that the vendors themselves are visionary enought not to be using domains or email addresses associated with them, for spam and malware traps.

Thankfully, there're many spam poison projects where these crawlers get directed to a huge number of randomly generated email addresses. And while the results are evident, namely they're picking them up and poisoning their databases with non-existent emails it is questionable if that's the best way to fight spam, since the spammers are going to send their message to anyone, even to the non-existent email addresses causing network load. Something else worth mentioning, these email harvesters are starting to pick up [at] and [dot] type of obfuscation too.

Here are some more comments on the Spamonomics I recently made. Spammer's attitude has to do with "Busyness vs Business" factor of productivity mostly, their business model is broken, but they just keep on sending them without knowing it.

The Life of a Security Threat

Eye-catching streaming video courtesy of iDefense. In the past, iDefense got a lot of publicity due to their outstanding cyber intelligence capabilities, and quality reports among which my favorite is the one providing a complete coverage of the China vs U.S cyberwar due to the captured AWACS in case you remember. VeriSign, perhaps the last vendor you would think of, purchased the company with the idea to diversify its portfolio of services and further expand their market propositions, if critical infrastructure is what they manage, an IDS signature when there's no patch available and wouldn't be not even next Patch Tuesday, is invaluable and proactive approach for protecting a company's assets. Recently, iDefense offered another bounty on zero day vulnerabilities in Vista and IE7, but considering that Windows Vista is still not adopted on a large corporate and end user scale the way XP is, therefore a zero day exploit for Windows XP must have a higher valuation then a Windows Vista one. Proving Vista is insecure and iDefense taking the credit for it though, is a strategic business move rather then a move aiming to improve the overal security of their customers -- if only could iDefense purchase all the exploits from Month of the X Bugs initiatives. Moreover, a Vista zero day exploit was available for sale. Feel the hypo-meter about to explode. Think malicious attackers. Would someone pay $50,000 for an exploit of an OS whose adoption by corporate and home users is continuing to sparkle debates, while an IE6 zero days are offered in between $1000-2000?

In the time of blogging, there're numerous zero day vulnerabilities for sale out there, the way this commercialization of vulnerability research directly created the -- thankfully -- stil not centralized underground market for vulnerabilities by adding more value to what's a commodity from my point of view. Here's a complete coverage on how the WMF vulnerability got purchased for $4000 in case you want to deepen your knowledge into the topic.

Security Lifestyle(S)

If Security is a state of mind, then so is brand loyalty.

Head Mounted Surveillance System

It's so cheap and affordable even you can add it to your wish list :

"The new DV ProFusion is a cost effective alternative to the DV Pro. It is a lightweight, mobile, body worn video and audio solution. DV ProFusion has a built in screen allowing for live viewing and instant playback. DV ProFusion is available in either 30GB hard drive capacity, which provides up to 100 hours of video or 100GB offering 450 hours of video, depending on sampling bit rate. DV ProFusion enables the user to keep both hands free whilst recording exactly what they see and hear themselves. DV ProFusion is specifically designed to work with a number of optional accessories, including an extendable pole and additional lens options."

While it's very innovative idea, in five years the current models would look like the brick-size like Motorola cell phones you all know. I like the idea of storing the footage in the device compared to relying via air which makes me think of several scenarios for possible abuse or DoS attacks. In case you haven't heard public CCTV cameras are getting a boost with built-in speakers, so perhaps at a later stage it would come to someone's mind to include a speaker on the other side of the head too. Two clips to see it in action.

Transferring Sensitive Military Technology

Busted :

"China on Tuesday condemned US sanctions imposed last week on three Chinese companies for allegedly selling banned weapons to Iran and Syria, calling the accusations "totally groundless". "We strongly oppose this and demand the US side correct this erroneous action," foreign ministry spokesman Liu Jianchao said at a regular press conference. The Chinese firms are among 24 foreign entities from several countries hit with the sanctions, invoked under the 2005 Iran and Syria Nonproliferation Act."

Follow the connection, the U.S is doing business with the Chinese companies, who leak it to Iran and Syria, who leak it Hezbollah or pretty much everyone at the bottom of the food chain.

More comments - "Foreign Intelligence Services and U.S Technology Espionage" and "Hezbollah's use of Unmanned Aerial Vehicles - UAVs".

Artillery Rockets image courtesy of Globalsecurity.org