Paid Advertising
web application security lab

Archive for the 'Anti-Virus' Category

Effectiveness of User Training… and Security Products in General

Wednesday, March 17th, 2010

It’s not every day I come across real wisdom in research but I saw a link yesterday to So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users which is a research paper written by one of the guys at Microsoft. There are some amazingly choice quotes in there, like:

as far as we can determine, there is no evidence of a single user being saved from harm by a certificate error, anywhere, ever. Thus, to a good approximation, 100% of certificate errors are false positives.

Priceless… Mozilla - take a word of advice from the MS guys and make your invalid SSL cert flow 1000% less annoying please. Anyway, another one of the quotes I thought was even more interesting:

If phishing victimizes 0.37% of users per year and each victim wastes 10 hours sorting it out, to be beneficial the daily effort of following the advice should be less than 0:0037 x 0:5 x 10=365 hours or 0.18 seconds per day.

So… if .18 seconds per day is too much, let’s take a look at what our anti-phishing technologies are doing. Let’s say they take up 2 whole seconds a day to download their lists, and verify that the sites you browse aren’t on that list, while you are surfing and trying to boot up and shut down browser processes, etc…. We are talking about more than 10x delta between what it should actually take. Further, let’s do the math on what would happen if anti-phishing went away. How many times worse would the phishing black market be if anti-phishing filters went away entirely and phishing was instead dealt with the registrars, ISPs and the brand owners themselves? Three times? Five times? Would it go to ten times? Would it go to more than ten times to make it actually worthwhile from an economic perspective?

How about UAC in Windows? How many seconds has that added to everyone’s day to stop the threat of malware? Does it add up and does it actually stop malware infections for the additional time it incurs? What about Anti-virus? Are we operating in a deficit or do those security products actually prove themselves to be worthwhile for the entire public? I know this is really tricky math based on an insane amount of variables, and it very might well prove out that some products are a no-brainer because they don’t add time or latency. But I do suspect there are a lot of things that we tend to think of as good ideas that actually end up being worse for the end user if you do the math. I know the article was really talking about user education being a bad idea economically (and I couldn’t agree more based on every study I’ve seen or been a part of). But it’s still interesting to think about how a similar formula could be applied elsewhere. Thought provoking research anyway.

Conversations With a Blackhat

Sunday, March 14th, 2010

I’ve been spending more and more time talking to blackhats lately. Frankly, I think they’re fascinating people, and have a lot to teach the rest of us. With the solemn promise that I won’t try to put them in jail, we can have free flowing conversations which aid us all in thinking about the problem space. I’ve certainly learned a lot. Anyway, I got into a conversation with one of them about how he believes that a lot of the security put in place is actually doing a pretty good job.

The basic premise of the problem, from his perspective, is that hacking directly just isn’t as easy as it used to be, if you are like him. He’s not the type to hack randomly, he’s only interested in targeted attacks with big payouts. Sure, if you really work at it for days or weeks you’ll get in, almost always, but it’s not like it used to be where you’d just run a handful of basic tests and you were guaranteed to break in. The risk is that now when he sends his mules to go cash out, there’s a chance they’ll get nailed. Well, the more I thought about it the more I thought that this is a very solvable problem for bad guys. There are already other types of bad guys who do things like spam, steal credentials and DDoS. For that to work they need a botnet with thousands or millions of machines. The chances of a million machine botnet having compromised at least one machine within a target of interest is relatively high.

So let’s say I’m badguy1 who wants to break into one or more companies of interest. Sure, I could work for days or weeks and maybe get into one or both of them, but at the risk of tipping my hand to the companies and there’s always a chance I’ll fail entirely. Or I could work with badguy2 who has a botnet. I could simply give a list of IPs, domains or email addresses of known targets to the bot herder and say that instead of paying a few cents to rent some arbitrary machine for a day, I’ll pay thousands of dollars to get a bot within the company I’m actually interested in.

This tactic reminds me a little of the movie Wall Street. You have a failing company (in this case a botnet that will probably only last a year or two). If the company continues on it’s course it’ll make a pretty good amount of money, but nowhere near as much as if the owners break up the company into pieces and sell them off one by one to the interested parties. Kind of an interesting/scary thought, but it could easily be used to avoid the cost and danger of individual exploitation against a company for a hacker interested in target attacks. Rather, a brokerage for commodities (bots that come from interesting IPs/domains) could be created and used to sell off the individual nodes. Using the existing backdoor into the company greatly reduces the risks involved for badguy1, because it’s guaranteed to be successful, without all the noise of a targeted attack.

If you were a blackhat, how much would you pay to have access to a machine inside of an organization that will lead to the big payout?

Banks, Businesses, Viruses and the UCC

Wednesday, February 24th, 2010

There’s an interesting post over at Krebs On Security talking about some poor company that is going bankrupt because TD Bank allegedly will not give them their money back after it was stolen out of their account. Now, I wish I could say this concept is totally foreign to me, but unfortunately this isn’t the first time I’ve heard this story. I’m under NDAs not to describe the people involved, or the bank involved, but the important details are nearly identical to this story. Why is this happening?

There is a little known code call the UCC (Uniform Commercial Code) that essentially says that if you are a business and you want to do wire transfers you are essentially to be treated as a bank. You are probably wincing right now, because it’s just as stupid as it sounds. Note that this is not true for consumers - but even if your business consists of even one person, you still are treated as a bank. As such, if your company has money wired out of it’s account, the bank isn’t to be held liable - or at least that’s been their argument. This is happening all the time, so why aren’t we hearing about it all the time? Well that leads me to the worst part of this story.

The banks have essentially two options if a company takes them to court. They can win the case, or they can lose the case. If they win, that leaves the company in question free to say and do whatever they want (as is the case with TD Bank above). If they lose the case, it essentially creates precedence and can open the bank to class action lawsuits to overturn the UCC. Either way, it’s a bad day for the bank. So they opt for the third choice which is to delay the inevitable. They make these poor businesses wait for sometimes years before they will begrudgingly settle for somewhere shy of the full amount. Sometimes companies just give up, and sometimes they take the money and sign the NDAs. Either way, that’s a much better outcome than letting something get litigated. So yes, those poor companies are getting the run around, and we don’t get to hear about it because at the end of the day they are all signing NDAs.

So, if you run a company, be prepared for the worst when it comes to how the bank is going to treat you if someone steals your money. There don’t appear to be any safeguards other than individual contracts you might be able to get your bank to sign and agree to. However, if anyone happens to work for a bank, and can guarantee that money held there will be treated just like physical cash (and reimbursed just like if it is stolen out of the vault), I’m sure companies would flock to you - I know a lot of small businesses that would like to know that their money is safe, and right now, it just isn’t with TD Bank and their ilk. In the meantime, I sort of hope some lawyer is salivating at the prospect of a class action suit.

Quicky Firefox Bookmarklet Backdoor

Tuesday, January 26th, 2010

Every once in a while I see someone who really should know better leaving their desktop unattended. Sometimes you can change their homepage to porn sites, or send emails to their bosses telling them that they don’t need that pay raise after all and other such fun. Well, if you know the user isn’t utilizing Noscript you can modify their homepage to something a little more dangerous - a JavaScript bookmarklet.

You can see a demo here. Of course this relies on you having a web server set up with a malicious piece of JavaScript that you can include ahead of time. But I think this teaches two valuable lessons if done properly. 1) Use Noscript, even on your homepage and 2) Don’t leave your desktop unattended. Please don’t use it for evil!

Yahoo Mail Gives Users Trojan Horses

Tuesday, March 18th, 2008

I got this picture from a reader of the site. Apparently the reader was simply viewing Yahoo mail and poof, RogueIframe trojan. We are starting to see a lot more of this kind of stuff, but it’s really disappointing that third party ads are being displayed on otherwise sensitive apps (or at least I think most people feel they are sensitive). Here’s the picture:

Click to enlarge

We’ve seen this exact hack hit before, against Facebook. But I think this kind of thing may be the beginning of a epidemic. As long as you can end up with your advertisements on any site that is even vaguely sensitive, you can start either taking over the site, or delivering malware. Whatever best suits the attacker’s needs. I think this all goes back Tom Stripling’s speech at OWASP where he in painstaking detail explained why you cannot trust third party JavaScript on your site, and yes, that definitely includes advertisements. Anyway, I hope this gets cleaned up quickly.

Google Text Ad Subversion

Thursday, December 20th, 2007

There’s an interesting article over at ZDNet that explained that Google’s text ads are getting subverted by trojans on people’s machines to get them to click on other people’s ads. It wasn’t clear what those ads were, exactly, but there you have it. I see this kind of thing as a clear path for future monetization - similar to how bad guys are adding extra form fields into forms via malware to gain more information about your identity. Very clever, and easy to do.

This is different from when Google’s ads were spreading malware but has the same basic purpose. Ultimately getting code on people’s machines is the best way to get control of the machine and ultimately make money off of it via spam, clicks, or whatever else they come up with.

Malware Uses Browser Plugin Sniffing

Tuesday, June 5th, 2007

Similar to Mr T, Łukasz Pilorz sent me a link to some malware that is actually doing browser sniffing. This was something we had thought was probably going on, but it was more of a theoretical attack. Now it’s clear it is actually being used in the wild. The interesting part of the code reads as follows:

if (win && ie) {
xd = _hwaPlugIE("SWCtl.SWCtl.1") ? "1" : "0";
sf = _hwaPlugIE("ShockwaveFlash.ShockwaveFlash.1") ? "1" : "0";

if (_hwaPlugIE("PDF.PdfCtrl.1")) pdf = "1";
if (_hwaPlugIE('PDF.PdfCtrl.5')) pdf = "1";
if (_hwaPlugIE('PDF.PdfCtrl.6')) pdf = "1";

qt = _hwaPlugIE("QuickTimeCheckObject.QuickTimeCheck.1") ? "1" : "0";
rp = _hwaPlugIE("rmocx.RealPlayer G2 Control.1") ? "1" : "0";
wm = _hwaPlugIE("MediaPlayer.MediaPlayer.1") ? "1" : "0";
} else if (!win || moz) {
for (var i=0; i < n.mimeTypes.length; i++)
_hmime += n.mimeTypes[i].type.toLowerCase();

xd = _hwaPlugMoz("application/x-director") ? "1" : "0";
sf = _hwaPlugMoz("application/x-shockwave-flash") ? "1" : "0";
pdf = _hwaPlugMoz("application/pdf") ? "1" : "0";
qt = _hwaPlugMoz("video/quicktime") ? "1" : "0";
rp = _hwaPlugMoz("audio/x-pn-realaudio-plugin") ? "1" : "0";
wm = _hwaPlugMoz("application/x-mplayer2") ? "1" : "0";

You can download the entire source here. It’s pretty interesting code, if you haven’t seen it before. Clearly it’s malicious so be careful about executing it, since it does use full paths. Interesting though. Thanks to Łukasz!

Malware Stats or Ghost in the Browser

Tuesday, May 15th, 2007

I found an interesting link after visiting Zeno’s post on a Malware paper produced by Google to document malware on the internet. Firstly, let me start by saying, this is a really good paper, as it discusses the ways in which malware propagates. Not that it’ll be news to anyone who reads this site religiously, but it’s still interesting to see all our theories validated.

Secondly, be wary of the statistic 1 out of 10 websites have malware. Google hand selected 17 million and only did a deep dive into 4.5 million sites out of their own repository. It’s well known that Google does not spider the entire internet (it’s a very small portion in reality) and also, they picked those URLs because they were likely conduits. They weren’t arbitrary. So let’s just take that statistic off the table. Yes, the Internet is a scary place, but not 1 out of 10 sites actively trying to screw you scary.

But back to the interesting stuff for a minute. They point to a large number of the exploits found having to do with website vulnerabilities, including those found within ASP and PHP and additionally a big chunk was delivered through holes in the site that allowed XSS. That XSS may have been intentional in the case of widgets or advertising or not, but in the end, it’s bad.

I should also point out that this doesn’t say anything about sites that attempt to do things like CSRF, or servers that have been compromised in other ways that allow the attacker to quietly steal user data. For instance, SQL injection or server vulnerabilities that just allow a back door into the system to pull confidential info out of the database.

One point that I’d like to make on top of this, is that the two things that were able to cause most of these problems were remote JavaScript and iframes. I just don’t see many applications for those technologies that, as a user, I care about (ads and widgets are pretty low on the list of what I care about seeing on my browser as a consumer). I am an edge case as a user, I’ll admit. But as nice as Web2.0 is, not getting malware is even nicer.

WAFs - A Change of Heart

Monday, April 30th, 2007

I’ve been auditing a website over the last few days that has been seriously compromised. The good news is that they are prepared and determined to fix the problem, the bad news is that they have so many potential holes it would take a small army to fix them all in a reasonable amount of time. I found myself saying something I really thought I’d never say - “What about a WAF?” There are two special circumstances that struck me about this situation that made me have a bit of a change of heart.

First of all, anyone who has read this site long enough knows that I’m pretty critical of WAFs in general, so I’m not here selling them or anything. They can represent a single point of failure in many applications, add additional complexity, have false positives and false negatives and require administrative overhead - not to mention the cost. But here is where I changed my mind. In this case the client had between 1,000-5,000 customer facing attack points to secure. There is no possible way they could fix that by hand in any reasonable timeframe.

Secondly, the attacker left malware on the system that was intended to infect the users of it (a la the superbowl hack). Like firewalls, WAFs could theoretically be used for egress filtering. Even during a complete compromise the system could prevent consumers from getting infected with any future malware that the system leaves for them. This assumes that it is not re-assembled via JavaScript (or other client side code), but in most cases it would at least slow down the rate of infection. So yah, I had a moment of weakness and let the three letters out of my mouth, but in this case, I think it’s justified.

Google Ads Spread Malware

Friday, April 27th, 2007

This is actually a really serious issue that was sent to me. The funny part is that I’ve known this was possible for years now and even already put it into a presentation I’m doing in a few weeks, but anyway Google’s ads have been spreading malware. A few people with Google accounts have been buying sponsored ads (no doubt with stolen credit cards/identities). It’s sure easier than getting to the top of the search results page!

Although I don’t think this signals the end of text ads, I think it’s a wise choice to consider any paid links to be just as untrustworthy as anything on the SERPs. Google, nor any search engine have been particularly good about vetting how good or bad a domain is before linking to it. Hey, money is money right? Although, I believe they will probably do a cursory scan of the domain to make sure it isn’t spreading malware in the future given the bad PR, it’s pretty easy to fool spiders into not seeing malware. So I’m not sure what actual protection this will provide.

My next thought was CSRF - if you buy a search term and include a few images to remote domains you can pretty easily get them to do things on your behalf, and it’s extremely targeted at the same time. Yah, that’s bad. Don’t trust those paid ads - it doesn’t matter if they are “sponsored” or not. As a side note, I was a little annoyed to read that Matt Cutts wants people to snitch out paid links. I think Google should look at it’s own problems before trying to hurt people’s revenue streams. At least with my paid links, I wouldn’t be risking people’s identity to click on them!