<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss'><id>tag:blogger.com,1999:blog-7389874623959970000</id><updated>2009-11-22T01:18:29.367Z</updated><title type='text'>Robert McArdle - Info Security / AV / Inane Ramblings</title><subtitle type='html'>Contains approximately 10% of your RDA of Information Security!</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://robertmcardle.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default'/><link rel='alternate' type='text/html' href='http://robertmcardle.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default?start-index=26&amp;max-results=25'/><author><name>Robert McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>57</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-7389874623959970000.post-9126889461772443738</id><published>2009-11-11T10:51:00.004Z</published><updated>2009-11-13T09:33:53.427Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Social Engineering'/><title type='text'>Social Engineering is Easy</title><content type='html'>I had to cancel an account with a certain Internet Provider today for my parents and was stunned at how easy this was to do, even with minimal details about them.&lt;br /&gt;&lt;br /&gt;On the first call I explained that I 
was not the bill holder but wanted to cancel on their behalf - no dice.&lt;br /&gt;&lt;br /&gt;So I gave it 5 minutes, disabled Caller ID and rang back. This time I gave the name of my parent who was the bill holder. The friendly person on the other end of the line then asked me their standard security questions, which were:&lt;br /&gt;&lt;br /&gt;1. What is the address on the account?&lt;br /&gt;2. What is the mobile number on the account?&lt;br /&gt;3. What payment method is being used?&lt;br /&gt;&lt;br /&gt;That's pretty scary. Getting someone's name, mobile number and address is fairly trivial. For option 3 it is pretty much always going to be Direct Debit for a monthly bill.&lt;br /&gt;&lt;br /&gt;After some standard questions about why I was cancelling the account, am I sure I did want to avail of their "awesome deal of awesomeness", etc. - account closed.&lt;br /&gt;&lt;br /&gt;And people think that Identity Theft is hard :(&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7389874623959970000-9126889461772443738?l=robertmcardle.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://robertmcardle.blogspot.com/feeds/9126889461772443738/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=9126889461772443738' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/9126889461772443738'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/9126889461772443738'/><link rel='alternate' type='text/html' href='http://robertmcardle.blogspot.com/2009/11/social-engineering-is-easy.html' title='Social Engineering is Easy'/><author><name>Robert 
McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='11653923853923680588'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7389874623959970000.post-5923757143735223520</id><published>2009-10-23T15:42:00.001+01:00</published><updated>2009-10-23T16:26:25.742+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Hacking'/><title type='text'>More compromised Irish Sites</title><content type='html'>Quick one before I head out of the office.&lt;br /&gt;&lt;br /&gt;An Irish domain, Ivote.ie, is currently being used by criminal gangs as part of an &lt;a href="http://en.wikipedia.org/wiki/Search_engine_optimization"&gt;SEO poisoning&lt;/a&gt; attack.&lt;br /&gt;&lt;br /&gt;Take the following two examples of popular search terms (I got these from Google Trends). Standard warning applies about visiting these sites (Here be Dragons):&lt;br /&gt;&lt;br /&gt;SEARCH: steve phillips girlfriend picture&lt;br /&gt;&lt;br /&gt;RESULT:&lt;br /&gt;&lt;br /&gt;http://www.gsarchives.net/index2.php?t=steve-phillips-girlfriend-picture&lt;br /&gt;&lt;br /&gt;-&gt; http://guardsyszone.com/?p=WKmimHVlcW6HjsbIo22EeXZe0KCfZ1bVoKDb2YmHWJjOxaCbkX1%2Ba16orKWeYpWcZWliaGaalGCIo6THodjXoGJdpqmikpVuaGdpZmxmbF%2FEkKE%3D&lt;br /&gt;&lt;br /&gt;-&gt;-&gt; http://www.ivote.ie/jjjr/Steve-Phillips-Girlfriend-Picture.htm&lt;br /&gt;&lt;br /&gt;-&gt;-&gt;-&gt; http://cakuqe.cn/22/?uid=13700 (which infects the user's machine with malware)&lt;br /&gt;&lt;br /&gt;SEARCH: explosion in puerto rico&lt;br /&gt;&lt;br /&gt;RESULT:&lt;br /&gt;&lt;br /&gt;http://www.gsarchives.net/index2.php?t=explosion-in-puerto-rico&lt;br /&gt;&lt;br /&gt;-&gt; http://guardzone-sys.com/?p=WKmimHVlcW6HjsbIo22EeXZe0KCfZlbVoKDb2YmHWJjOxaCbkX1%2Ba16orKWeYpWcZWliaGaalGCIo6THodjXoFerpXOWk5hvZWRsZnFqXpzEag%3D%3D&lt;br /&gt;&lt;br /&gt;-&gt;-&gt; http://www.ivote.ie/jjjr/Explosion-In-Puerto-Rico.htm&lt;br /&gt;&lt;br /&gt;-&gt;-&gt;-&gt; http://cakuqe.cn/22/?uid=13700 (which infects the user's machine with malware)&lt;br /&gt;&lt;br /&gt;Same result with “steve phillips wife photos” and many other search terms which are popular in Google today.&lt;br /&gt;&lt;br /&gt;It appears that the IVOTE.IE domain has been compromised (similar to the Zdesign.com domain in the last post). Normal deal - most likely one of IVOTE’s employees' machines became infected, that person had access to their webserver (probably FTP access), and the malware simply stole the credentials. These credentials would then have been sold in bulk (normally 10,000 at a time) to a separate criminal gang, who in turn sell compromised sites to a third gang which uploads the malware onto the site.&lt;br /&gt;&lt;br /&gt;I've contacted the host providers of IVote to have the page cleaned up.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7389874623959970000-5923757143735223520?l=robertmcardle.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://robertmcardle.blogspot.com/feeds/5923757143735223520/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=5923757143735223520' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/5923757143735223520'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/5923757143735223520'/><link rel='alternate' type='text/html' href='http://robertmcardle.blogspot.com/2009/10/more-compromised-irish-sites.html' title='More compromised Irish Sites'/><author><name>Robert 
McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='11653923853923680588'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7389874623959970000.post-1233682697567192300</id><published>2009-10-23T09:03:00.004+01:00</published><updated>2009-10-23T10:44:04.931+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Phishing'/><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Hacked Sites'/><title type='text'>More AIB Scams</title><content type='html'>&lt;span style="font-weight: bold;"&gt;WARNING: This blog contains some links to phishing sites.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;I'm sure I was not the only person to wake up this morning to find this in my mailbox - a delightful little email informing me that my AIB account had been "temporarily limited".&lt;br /&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/_Gaxw_CA12Wo/SuF6aXcha3I/AAAAAAAAAow/mAqsyPEnskI/s1600-h/mail.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 196px;" src="http://2.bp.blogspot.com/_Gaxw_CA12Wo/SuF6aXcha3I/AAAAAAAAAow/mAqsyPEnskI/s320/mail.jpg" alt="" id="BLOGGER_PHOTO_ID_5395728421955398514" border="0" /&gt;&lt;/a&gt;As a concerned AIB customer I obviously have when my account gets "temporarily limited" (whatever the hell that means). Needless to say the email address accounts@aib.ie looks legitimate, but changing any field in an email (especially the From field) is child's play. 
Also they specifically ask the victim not to reply to the mail (no need to let AIB know there is a new scam doing the rounds, after all).&lt;br /&gt;&lt;br /&gt;So let's take a look at the actual link I would need to click on to "resolve the problem":&lt;br /&gt;&lt;blockquote&gt;&lt;a href="http://zdesign.com/aibinternetbanking.aib.ie/login.htm"&gt;http://zdesign.com/aibinternetbanking.aib.ie/login.htm&lt;/a&gt;&lt;/blockquote&gt;See what they did there? Clever eh... no, not particularly.&lt;br /&gt;&lt;br /&gt;Before we go look at the dodgy domain let's have a look at what the phishing site actually looks like - see if you can figure out which is the real page:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/_Gaxw_CA12Wo/SuFy4Wk1wfI/AAAAAAAAAog/0SO-0DzFbPk/s1600-h/1.JPG"&gt;&lt;img style="cursor: pointer; width: 320px; height: 181px;" src="http://2.bp.blogspot.com/_Gaxw_CA12Wo/SuFy4Wk1wfI/AAAAAAAAAog/0SO-0DzFbPk/s320/1.JPG" alt="" id="BLOGGER_PHOTO_ID_5395720141024903666" border="0" /&gt;&lt;/a&gt;&lt;a href="http://1.bp.blogspot.com/_Gaxw_CA12Wo/SuFzCugTpkI/AAAAAAAAAoo/cUUQVxq63vA/s1600-h/2.JPG"&gt;&lt;img style="cursor: pointer; width: 320px; height: 189px;" src="http://1.bp.blogspot.com/_Gaxw_CA12Wo/SuFzCugTpkI/AAAAAAAAAoo/cUUQVxq63vA/s320/2.JPG" alt="" id="BLOGGER_PHOTO_ID_5395720319247033922" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Pretty well done, isn't it - needless to say it is the one on the left (the one which does not warn you not to click on fraudulent emails). All of the images are loaded directly from AIB, and all of the links, with the exception of the Next button, also point to legitimate AIB pages. 
I'm not sure if AIB monitors for external sites linking to their internet banking images, but it would certainly be a useful tool for identifying these types of phishing sites.&lt;br /&gt;&lt;br /&gt;After a user enters their registration number, they are prompted for 3 digits of their PIN, as is normal procedure for AIB logins. However, instead of being logged into their account, they are then brought to a very non-AIB looking page which asks for all sorts of information including credit card details and the person's full PIN:&lt;br /&gt;&lt;blockquote&gt;&lt;a href="http://zdesign.com/aibinternetbanking.aib.ie/data.htm"&gt;http://zdesign.com/aibinternetbanking.aib.ie/data.htm&lt;/a&gt;&lt;/blockquote&gt;Once you kindly provide the scammer with this information you are informed that someone may ring you shortly to confirm your details and to have your code card ready, before being redirected to the real AIB site. As I did not bother entering any real data (and I assume the scammer would check if my PIN worked before ringing me to grab all my code card details), I'm unsure if the attacker would actually follow up with a call.&lt;br /&gt;&lt;br /&gt;So there you have it - a pretty standard phishing scam. Let's look at some of the details about the actual site used, however.&lt;br /&gt;&lt;br /&gt;First of all &lt;a href="http://zdesign.com/"&gt;http://zdesign.com/&lt;/a&gt; seems to be a legitimate design company; the &lt;a href="http://web.archive.org/web/19980702022634/http://www.zdesign.com/"&gt;wayback engine&lt;/a&gt; shows their site's existence since 1998. As such it looks like their site was compromised and the phishing scam was uploaded to their webserver. 
The webserver is not exclusive to ZDesign; there are plenty of other companies running websites on it, so it is obviously a shared hosting server.&lt;br /&gt;&lt;br /&gt;I had a look at some of the other companies to see if they had been compromised in a similar way, but none that I checked appeared to have been. What most likely happened in this case was that one of ZDesign's employees' machines became infected, that person had access to their webserver (probably FTP access), and the malware simply stole the credentials. These credentials would then have been sold in bulk (normally 10,000 at a time) to a separate criminal gang, who in turn sell compromised sites to a third phishing gang. Ah, the joys of modern day criminal malware writers.&lt;br /&gt;&lt;br /&gt;Anyhow - if you see one of these emails, ignore it or better yet delete it. In the meantime I've contacted AIB, ZDesign and IRISS (Irish CERT). I've also blocked the URL for any Trend Micro customers.&lt;br /&gt;&lt;br /&gt;Happy long weekend everyone :)&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7389874623959970000-1233682697567192300?l=robertmcardle.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://robertmcardle.blogspot.com/feeds/1233682697567192300/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=1233682697567192300' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/1233682697567192300'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/1233682697567192300'/><link rel='alternate' type='text/html' 
href='http://robertmcardle.blogspot.com/2009/10/more-aib-scams.html' title='More AIB Scams'/><author><name>Robert McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='11653923853923680588'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_Gaxw_CA12Wo/SuF6aXcha3I/AAAAAAAAAow/mAqsyPEnskI/s72-c/mail.jpg' height='72' width='72'/><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7389874623959970000.post-8397860846954027922</id><published>2009-10-15T12:38:00.002+01:00</published><updated>2009-10-15T12:44:22.178+01:00</updated><title type='text'>Also available on Twitter</title><content type='html'>Hi everyone,&lt;br /&gt;&lt;br /&gt;Just a quick message to let everyone know that I am now also using Twitter. Feel free to follow me on &lt;a href="http://www.twitter.com/bobmcardle"&gt;http://www.twitter.com/bobmcardle&lt;/a&gt;. 
I will continue to use this blog (as well as the &lt;a href="http://blog.trendmicro.com"&gt;official Trend Micro blog&lt;/a&gt;) for articles that take longer than 140 characters to get the message across :)&lt;br /&gt;&lt;br /&gt;I have not updated too much here in a while as I am currently doing some Web Application Security research, but once I have the results of that it will be going up here.&lt;br /&gt;&lt;br /&gt;For anyone who is attending the &lt;a href="http://www.iriss.ie/iriss/iriss_conference_2009.htm"&gt;IRISS conference&lt;/a&gt; in Dublin on the 19th of November, I hope to see you all there.&lt;br /&gt;&lt;br /&gt;Bob&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7389874623959970000-8397860846954027922?l=robertmcardle.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://robertmcardle.blogspot.com/feeds/8397860846954027922/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=8397860846954027922' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/8397860846954027922'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/8397860846954027922'/><link rel='alternate' type='text/html' href='http://robertmcardle.blogspot.com/2009/10/also-available-on-twitter.html' title='Also available on Twitter'/><author><name>Robert McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='11653923853923680588'/></author><thr:total 
xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7389874623959970000.post-3956385333620303738</id><published>2009-09-30T09:48:00.002+01:00</published><updated>2009-09-30T09:52:23.772+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><title type='text'>Succeeding in IT Security</title><content type='html'>I was interviewed recently for a jobs site (Odinjobs) asking what it takes to succeed in IT Security - the interview, along with those from other people, is up at the following URL:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.odinjobs.com/blogs/careers/entry/it_security_what_it_takes"&gt;http://www.odinjobs.com/blogs/careers/entry/it_security_what_it_takes&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7389874623959970000-3956385333620303738?l=robertmcardle.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://robertmcardle.blogspot.com/feeds/3956385333620303738/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=3956385333620303738' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/3956385333620303738'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/3956385333620303738'/><link rel='alternate' type='text/html' href='http://robertmcardle.blogspot.com/2009/09/succeeding-in-it-security.html' title='Succeeding in IT Security'/><author><name>Robert McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='11653923853923680588'/></author><thr:total 
xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7389874623959970000.post-5983268622265240406</id><published>2009-07-14T09:23:00.002+01:00</published><updated>2009-07-14T10:13:37.025+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Scams'/><title type='text'>Attacker Mindset</title><content type='html'>An unfortunate necessity of working in the security industry, and particularly in analysing malware / hacking attacks every day, is that you quite often need to put yourself in the mind of a criminal in order to properly understand the motives behind an attack. The downside is that it can be hard to turn this off. It's often been said that the only difference between a hacker and a penetration tester is "permission", as in permission to access the target you are testing. Well, the only difference between a security professional and a hacker is "ethics". Both have very similar skillsets, and both are very good at spotting scams and flaws in systems - the difference is that hackers act on this information for financial gain, whereas security professionals generally try to fix the problem, or at the very least do not act on it (we'd all be making MUCH more money if we did :P )&lt;br /&gt;&lt;br /&gt;So it was in this frame of mind that I visited one of Ireland's biggest hardware stores at the weekend to drop back a couple of items that we did not need. While waiting for about 15 minutes at the customer service desk an idea hit me. I'd love to hear others' feedback on this situation:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;A scammer can walk into a store (in this case a hardware store but other stores would work). He goes around the shop and spends a couple of hundred (not too much or this would probably not work) on a variety of items.&lt;/li&gt;&lt;li&gt;Scammer comes back the following day, walks around the store and takes several of the same items off the shelves. 
They bring these items to customer service, along with their receipt, to "drop them back".&lt;/li&gt;&lt;li&gt;End result: scammer spends a couple of hundred, gets the majority of it back, and keeps all the goods (which can then be sold on for a tidy profit).&lt;/li&gt;&lt;/ul&gt;There are a couple of conditions for this attack to work:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Needs to be a big busy store, otherwise it is easier to see the attacker is simply dropping back goods from the shelves.&lt;/li&gt;&lt;li&gt;Items must not have an electronic tag which indicates that they have been sold already (for example the tags you see in a lot of clothes stores).&lt;/li&gt;&lt;li&gt;Barcodes must not be individual. In other words all copies of product X should have the exact same barcode (otherwise customer service can uniquely identify each item). TV shops tend to have individualised codes.&lt;/li&gt;&lt;/ul&gt;Having said that there are a lot of stores that fall into this category (particularly hardware stores, where individual items can be quite expensive). 
I very much doubt that this is an old scam, but would love to hear people's thoughts on it (or if you have worked in / run a store, how did they address this issue)?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7389874623959970000-5983268622265240406?l=robertmcardle.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://robertmcardle.blogspot.com/feeds/5983268622265240406/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=5983268622265240406' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/5983268622265240406'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/5983268622265240406'/><link rel='alternate' type='text/html' href='http://robertmcardle.blogspot.com/2009/07/attacker-mindset.html' title='Attacker Mindset'/><author><name>Robert McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='11653923853923680588'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7389874623959970000.post-6060755709042525173</id><published>2009-06-23T14:37:00.000+01:00</published><updated>2009-06-23T14:38:22.792+01:00</updated><title type='text'>All feedback is good feedback</title><content type='html'>&lt;p&gt;In our recently published &lt;a 
href="http://us.trendmicro.com/imperia/md/content/us/pdf/threats/securitylibrary/study_of_pushdo.pdf"&gt;white paper on Pushdo&lt;/a&gt; we noted that the malware used a certain string as part of its encryption routine.&lt;/p&gt; &lt;blockquote&gt; &lt;p style="text-align: center;"&gt;&lt;strong&gt;Poshel-ka ti na hui drug aver&lt;/strong&gt;&lt;/p&gt; &lt;/blockquote&gt; &lt;p style="text-align: left;"&gt;This string roughly translates to “Screw you my friend Aver” (well, it's actually a lot less polite than that, but you get the idea). We theorized that the word Aver could refer to a certain computer hardware reseller based in Moscow, but one of our peers at Kaspersky pointed out that this word could mean “AVer” (a slang term used mainly on English virus writing forums meaning AV researcher).&lt;/p&gt; &lt;p style="text-align: left;"&gt;Doh!&lt;/p&gt; &lt;p&gt;This is not the first time that malware writers have left hidden messages that are only revealed during reverse engineering. My personal favorite was from a sample of the WORM_RINBOT family which included a message for a fellow AV researcher, after he assigned the name RINBOT to the malware family instead of the criminal gang's preferred name:&lt;/p&gt; &lt;blockquote&gt;&lt;p&gt;Dear Symantec:&lt;br /&gt;For years I have longed for just one thing,&lt;br /&gt;to make malware with just the right sting,&lt;br /&gt;you detected my creation and got my domains killed,&lt;br /&gt;but I will not stop,&lt;br /&gt;I can rebuild.&lt;/p&gt;&lt;/blockquote&gt; &lt;blockquote&gt;&lt;p&gt;P.S. F*** you a**holes, especially Stephen Doherty who is the biggest f****t I know of.&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;The Rinbot authors were particularly well known for getting frustrated at AV companies for detecting their creations (ironically made easier by all of those nice messages they included for us to use in malware signatures). 
They were fairly generous in distributing their pent-up annoyance, with everyone from SANS to CNN included. In particular they really disliked people refusing to name their malware as they had intended.&lt;/p&gt; &lt;p&gt;Rinbot is not the only malware to include such strings; recently the TSPY_ZBOT family also started including messages giving out about blog articles by Avira and Microsoft. In fact these messages have been going on for years; another one from a WORM_MYDOOM variant back in 2004 read:&lt;/p&gt; &lt;blockquote&gt;&lt;p&gt;&lt;em&gt;we will attack f-secure,symantec,trendmicro,mcafee , etc. &lt;/em&gt;&lt;br /&gt;&lt;em&gt; The 11th of march is the skynet day lol . &lt;/em&gt;&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;It's always nice to get feedback on your work, even more so when it's the bad guys complaining that we are doing too good of a job.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7389874623959970000-6060755709042525173?l=robertmcardle.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://robertmcardle.blogspot.com/feeds/6060755709042525173/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=6060755709042525173' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/6060755709042525173'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/6060755709042525173'/><link rel='alternate' type='text/html' href='http://robertmcardle.blogspot.com/2009/06/all-feedback-is-good-feedback.html' title='All feedback is good feedback'/><author><name>Robert 
McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='11653923853923680588'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7389874623959970000.post-7851869778838751928</id><published>2009-06-12T13:25:00.003+01:00</published><updated>2009-06-12T14:02:43.628+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Tools'/><title type='text'>5 Must Have Tools (from ISSA Talk)</title><content type='html'>On Tuesday I attended the &lt;a href="http://www.issaireland.org/june09"&gt;very interesting talk&lt;/a&gt; held by the ISSA in Dublin, where several Microsoft employees spoke about Windows 7, their own internal IT security setup, and a good overview of the Conficker Worm by Elda Dimakiling and Francis Ten Seng. This was followed by 2 short presentations - Paul Collins, head of IT with Hypo Real Estate Group showed the capabilities of the very useful MSAT tool, and I demoed some useful malware analysis tools. Overall really enjoyed the event, and will continue to attend the ISSA events in the future.&lt;br /&gt;&lt;br /&gt;I thought that I may as well stick up the tools in question on this blog post so that they are all linked in one location. I often get asked to fix friends computers, and always carry around a copy of these tools on a USB key - if you know what you are doing you can clean about 90% of all Windows malware with them. I'd advise any security professional to download all 5 and play around with them for 30 minutes, you'll be happy you did.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://pjf.blogcn.com/index.shtml"&gt;Ice Sword&lt;/a&gt; (&lt;a href="http://www.antirootkit.com/software/IceSword.htm"&gt;Mirrored Download - Use This&lt;/a&gt;)&lt;br /&gt;Ice Sword is a fantastic tool for Rootkit detection. 
It will allow you to see hidden processes, registry keys, services etc. on the infected machine. In addition to this it will actually let you directly read and write areas of process memory, and includes a basic disassembler. It also has a host of other features such as inspecting the system's SSDT and looking at Layered Service Providers. In any malware analysis Icesword is my first port of call: remove any rootkits from the system so that you can continue your analysis.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.gmer.net/"&gt;GMER&lt;/a&gt;&lt;br /&gt;Gmer is another Rootkit removal tool, again with many other features built in. Personally I prefer Ice Sword, but you really should have both at hand - sometimes malware will successfully hide from, or kill, one or the other.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx"&gt;Autoruns&lt;/a&gt;&lt;br /&gt;Now that you have removed the rootkits from the PC, Autoruns is Step 2. It is a fantastic tool which shows every single system load point (i.e. all of the executables which will be started during Windows startup). As it returns quite a large amount of information, here are some tips on where to start looking (as you get more used to the tool, this will become 2nd nature):&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Check the following Tabs first - Logon, Internet Explorer, Scheduled Tasks, Services, Image Hijacks, Winlogon.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Pay particular attention to any entries that do not have an associated Publisher or Description, especially anything in the System32 or Windows folders. There is a very nice Right-Click-&gt;Verify function that will test the digital signature of the executable.&lt;/li&gt;&lt;li&gt;For executables you are unfamiliar with try the Right-Click-&gt;Search Online feature. 
Interestingly this uses Yahoo search - but I would not be surprised to see a Bing version in future.&lt;/li&gt;&lt;li&gt;Delete any suspicious load points and then refresh. If the value is being recreated that's normally a sure sign that it's bad.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;a href="http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx"&gt;Process Explorer&lt;/a&gt;&lt;br /&gt;Think Task Manager on steroids. Some tips:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Pay particular attention to Packed Images (highlighted in Purple)&lt;/li&gt;&lt;li&gt;As well as killing processes, you can also suspend them. This can sometimes be better as some malware will have a 2nd process or DLL watching the first, and if it is removed from memory will automatically restart it - suspending the process means that it is still in memory, but not doing anything.&lt;/li&gt;&lt;li&gt;Most of the really cool stuff is in the Right-Click-&gt;Properties menu. The Threads tab is very powerful - allowing you to kill/suspend individual threads within a process. Malware likes to create remote threads in processes so if you are having difficulties removing it pay close attention to any threads injected into Winlogon, Explorer or IExplore.&lt;/li&gt;&lt;li&gt;The TCP/IP tab will show you any network activity of the process.&lt;/li&gt;&lt;li&gt;Strings is another excellent tab - showing human readable strings in a file. Note that you can look for strings in the Image (the file) or in Memory. Memory is normally more useful, especially if the file is packed.&lt;/li&gt;&lt;/ul&gt;&lt;a href="http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx"&gt;Process Monitor&lt;/a&gt;&lt;br /&gt;A very simple, yet incredibly powerful tool. Every single File, Registry, Process and Network access performed on the system is intercepted and logged. You can use Filters to only see the details you are interested in. 
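&lt;br /&gt;&lt;br /&gt;The Autoruns checks above (no Publisher on an entry, a failed Right-Click-&gt;Verify, anything unsigned under the Windows folder) can be scripted as a first pass over a machine. The script below is an added example, not from the post and not part of Autoruns or the Sysinternals suite; it assumes PowerShell 2.0 or later, covers the Run/RunOnce keys, Winlogon Shell/Userinit and service ImagePath values, and deletes nothing.

```powershell
# Added example, not from the post: a first pass over common Windows load points in the
# spirit of the Autoruns tips above. It only reads; nothing is deleted or changed.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$winlogonKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$servicesKey = 'HKLM:\System\CurrentControlSet\Services'

# Pull the executable out of a command line such as
#   "C:\Program Files\Foo\foo.exe" -tray     or     %SystemRoot%\system32\bar.exe /x
function Get-ExecutablePath([string]$CommandLine) {
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '^(.+?\.(exe|dll|sys|cmd|bat))', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $cmd.Split(' ')[0]
}

# One record per load point: where it lives, what it starts, and whether the binary
# carries a valid Authenticode signature (what Autoruns' Right-Click, Verify checks).
function Get-LoadPoint([string]$Source, [string]$Name, [string]$CommandLine) {
    $path = Get-ExecutablePath $CommandLine
    $status = 'FileMissing'
    $signer = ''
    if ($path -and (Test-Path -LiteralPath $path)) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        $status = $sig.Status.ToString()          # Valid, NotSigned, HashMismatch, ...
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }
    $underWindows = $path -like ('{0}\*' -f $env:SystemRoot)
    New-Object PSObject -Property @{
        Source     = $Source
        Name       = $Name
        Path       = $path
        Signature  = $status
        Signer     = $signer
        # The tip above: no verifiable publisher AND living under \Windows earns a closer look.
        Suspicious = ($status -ne 'Valid') -and $underWindows
    }
}

$results = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }     # skip the provider's own PSPath etc.
        $results += Get-LoadPoint $key $p.Name ([string]$p.Value)
    }
}

# Winlogon Shell and Userinit are classic hijack points; both accept a comma-separated list.
$wl = Get-ItemProperty -Path $winlogonKey
foreach ($v in 'Shell', 'Userinit') {
    foreach ($entry in ([string]$wl.$v).Split(',')) {
        if ($entry.Trim()) { $results += Get-LoadPoint 'Winlogon' $v $entry }
    }
}

# Services and drivers via ImagePath, normalising the kernel-style prefixes drivers use.
foreach ($svc in (Get-ChildItem $servicesKey -ErrorAction SilentlyContinue)) {
    $img = (Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
    if ($img) {
        $img = $img -replace '^\\\?\?\\', ''                       # \??\C:\... becomes C:\...
        $img = $img -replace '^\\SystemRoot', $env:SystemRoot      # \SystemRoot\system32\...
        if ($img -notmatch '^(["%]|[A-Za-z]:)') { $img = Join-Path $env:SystemRoot $img }
        $results += Get-LoadPoint 'Services' $svc.PSChildName ([string]$img)
    }
}

# Unsigned binaries under the Windows folder float to the top for review.
$results | Sort-Object @{Expression='Suspicious'; Descending=$true}, Source |
    Format-Table Suspicious, Source, Name, Signature, Path -AutoSize
```

Most Windows OS binaries are signed through a catalog rather than an embedded signature, and older PowerShell versions report those as NotSigned, so treat the Suspicious column as a review queue and confirm with Autoruns' Verify before deleting anything.&lt;br /&gt;&lt;br /&gt;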
Process Monitor is particularly useful if you are noticing certain registry keys, files or processes being recreated by a threat - as it will show you the process responsible for recreating them (quite often Explorer or Winlogon, which indicates an injected malicious thread).&lt;br /&gt;&lt;br /&gt;Oh and if you have spent the suggested 30 minutes mucking about with these and want to know where next to go on your quest to become a security tool guru - all of the Microsoft Sysinternals tools are now available in a single download - &lt;a href="http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx"&gt;http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;I know that I've lost all my street cred by actually praising a Microsoft product (none of the cool kids are returning my calls), but sometimes they really do get it 100% right.</content><link rel='replies' type='application/atom+xml' href='http://robertmcardle.blogspot.com/feeds/7851869778838751928/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=7851869778838751928' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/7851869778838751928'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/7851869778838751928'/><link rel='alternate' type='text/html' href='http://robertmcardle.blogspot.com/2009/06/5-must-have-tools-from-issa-talk.html' title='5 Must Have Tools (from ISSA Talk)'/><author><name>Robert 
McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='11653923853923680588'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7389874623959970000.post-4395822919372297066</id><published>2009-05-22T10:43:00.002+01:00</published><updated>2009-05-22T10:49:30.456+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Publications'/><category scheme='http://www.blogger.com/atom/ns#' term='Malware'/><category scheme='http://www.blogger.com/atom/ns#' term='TM'/><title type='text'>Pushdo Pushdo we all push for Pushdo</title><content type='html'>Parts 2 to 5 of the Pushdo articles are now on the web.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://blog.trendmicro.com/pushdocutwail-%e2%80%93-from-russia-with-love-part-2-of-5/"&gt;&lt;em&gt;Pushdo/Cutwail – From Russia with Love (Part 2 of 5)&lt;/em&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://blog.trendmicro.com/pushdocutwail-%e2%80%93-can%e2%80%99t-touch-this-part-3-of-5/"&gt;&lt;em&gt;Pushdo/Cutwail – Can’t Touch This (Part 3 of 5)&lt;/em&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://blog.trendmicro.com/pushdocutwail-%e2%80%93-sniffing-for-the-win-part-4-of-5/"&gt;&lt;em&gt;Pushdo/Cutwail – Sniffing for the Win (Part 4 of 5)&lt;/em&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://blog.trendmicro.com/pushdocutwail-%e2%80%93-traditional-av-is-useless-part-5-of-5/"&gt;&lt;em&gt;Pushdo/Cutwail – Traditional AV is Useless (Part 5 of 5)&lt;/em&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;More importantly, our paper is now online. I know no one actually reads this blog (*Tumbleweed drifts by*), but if anyone has any comments (both good and bad) I'd love to hear them.&lt;br /&gt;&lt;br /&gt;&lt;a 
title="A Study of Pushdo / Cutwail" href="http://us.trendmicro.com/imperia/md/content/us/pdf/threats/securitylibrary/study_of_pushdo.pdf"&gt;Paper: A Study of Pushdo / Cutwail&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;img src="http://www.trendmicro.com/vinfo/images/blog/fig_pushdo.jpg" /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://robertmcardle.blogspot.com/feeds/4395822919372297066/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=4395822919372297066' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/4395822919372297066'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/4395822919372297066'/><link rel='alternate' type='text/html' href='http://robertmcardle.blogspot.com/2009/05/pushdo-pushdo-we-all-push-for-pushdo.html' title='Pushdo Pushdo we all push for Pushdo'/><author><name>Robert McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='11653923853923680588'/></author><thr:total 
xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7389874623959970000.post-3895552815909422944</id><published>2009-05-12T12:42:00.004+01:00</published><updated>2009-05-12T18:58:59.862+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Malware'/><category scheme='http://www.blogger.com/atom/ns#' term='TM'/><category scheme='http://www.blogger.com/atom/ns#' term='Conference'/><title type='text'>Pushdo Blog Series</title><content type='html'>WAY too long since I've updated this :(&lt;br /&gt;&lt;br /&gt;My teammate David Sancho and I have created a series of 5 blog articles on the Pushdo malware family, which we've been researching for the last 2 months. They will be released today, Wednesday, Friday and the following Monday and Wednesday - culminating in the release of an in-depth white paper. If you are interested in reading part 1, you can read it &lt;a href="http://blog.trendmicro.com/pushdocutwail-%E2%80%93-the-art-of-spamming/"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;I've also been informed that I got name-dropped in one of PDP's &lt;a href="http://www.gnucitizen.org/blog/exploit-sweatshop/"&gt;latest blogs&lt;/a&gt; over on Gnucitizen, from a talk I did at Risk 2008 in Oslo (shockingly expensive city). It's a really good article talking about the underground exploit selling economy.&lt;br /&gt;&lt;br /&gt;And lastly I was at ISSA's &lt;a href="http://www.issaireland.org/may09"&gt;security event&lt;/a&gt; last week in Dublin. I was very impressed by the speakers and interesting attendees, plus it was good to put some faces to names. 
They have a nice lightning presentation session to wrap things up (5-10 minute presentations), that I'd be interested in giving a go next time - need to think of something interesting and snappy :) Was also great to see all the Symantec crowd.&lt;br /&gt;&lt;br /&gt;Anyhow - hope people find the Pushdo series interesting - and feel free to post any questions here as it is not possible to comment on the Trend Micro blog itself.</content><link rel='replies' type='application/atom+xml' href='http://robertmcardle.blogspot.com/feeds/3895552815909422944/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=3895552815909422944' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/3895552815909422944'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/3895552815909422944'/><link rel='alternate' type='text/html' href='http://robertmcardle.blogspot.com/2009/05/pushdo-blog-series.html' title='Pushdo Blog Series'/><author><name>Robert McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='11653923853923680588'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7389874623959970000.post-5094400536644445744</id><published>2009-02-04T12:41:00.003Z</published><updated>2009-02-06T09:24:46.108Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Policy'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Hacked Sites'/><title type='text'>Largest Bulletin Board providers compromised</title><content type='html'>I regularly contribute to and help run a couple of Internet Bulletin Boards in my spare time, and it was while running one of these this morning that something quite interesting popped up. On this particular site I had installed PHPBB (which holds the largest market share for internet boards), and my version was a bit out of date so I thought it was time to wander over to &lt;a href="http://www.phpbb.com/"&gt;http://www.phpbb.com&lt;/a&gt; and grab the latest update. To my surprise I came across: &lt;p&gt;&lt;a href="http://www.robertmcardle.com/siteImages/blog/Jan08/phpbb.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 660px; height: 395px;" src="http://www.robertmcardle.com/siteImages/blog/Jan08/phpbb.JPG" alt="" border="0" /&gt;&lt;/a&gt;&lt;/p&gt; &lt;p&gt;Hmm - that can't be good, was my knee-jerk reaction, and judging from the waves of comments on other sites, everyone else's as well. Cries of "Oh Noes! De Interwebz is broken" or their equivalent were fairly widespread. Unfortunately a large chunk of today's Internet users spend a very short amount of time reading a page before deciding to move on or read the rest. In the case of phpbb.com it looks like this attention span lasted about 2 lines, as line number 3 clearly reads (in bold):&lt;/p&gt; &lt;blockquote&gt;&lt;p&gt;&lt;b&gt;No vulnerabilities have been found in the phpBB software itself&lt;/b&gt;.&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;Excellent! 
It appears the internet has not come to a grinding halt after all (unlike last &lt;a title="Google Identifies Entire Internet as Malicious" href="http://googleblog.blogspot.com/2009/01/this-site-may-harm-your-computer-on.html"&gt;Sunday&lt;/a&gt;). Some further reading on the PHPBB support forums shows that the vulnerability is in an entirely different piece of software running on the site, PHPList - a newsletter manager which allows you to add and manage users along with creating and emailing newsletters. According to the Support Forums:&lt;/p&gt; &lt;blockquote&gt;&lt;p&gt;The attacker gained entry through the PHPList application and was able to dump a complete backup of the emails on file. He then used the same exploit to access the phpBB.com database. Both the email list from PHPlist and a copy of the phpBB.com users table were then posted publicly.&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;This database is from PHPBB3, which uses a much stronger password hashing scheme than PHPBB2 (MD5). Unfortunately any users who signed up to the support site back when it was still running PHPBB2, and have not signed in since the upgrade, will still have their passwords stored in the older format - which is trivial to crack with freely available &lt;a title="MD5 Rainbow Tables" href="http://www.freerainbowtables.com/en/tables/md5/"&gt;Rainbow Tables&lt;/a&gt;. 
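&lt;/p&gt;&lt;p&gt;The accounts at risk are the ones whose stored hash is still in the phpBB2 format, and a users-table export makes them easy to find. The script below is an added example, not from the post and not phpBB's own code; it assumes a CSV export with user_id, username, user_password and user_lastvisit columns, that phpBB3 writes its phpass hashes with a $H$ prefix while un-migrated phpBB2 rows keep a bare 32-character hex MD5, and that the sample rows are constructed.&lt;/p&gt;

```powershell
# Added example, not from the post or from phpBB: find accounts in a phpBB users-table
# export whose stored password is still a phpBB2 MD5 rather than a phpBB3 phpass hash.
# The export below is constructed; user_lastvisit is a Unix timestamp as phpBB stores it.
$export = @'
user_id,username,user_password,user_lastvisit
1,alice,$H$9gBqj1H6fTTyk2ZDIRbYrX5P4Ry0yV.,1233100000
2,bob,e10adc3949ba59abbe56e057f20f883e,1180000000
3,carol,$H$9iF2GsE8LQZrJZPsjI9zQ3eNKkPSRH0,1233300000
4,dave,5f4dcc3b5aa765d61d8327deb882cf99,1199000000
'@

# Classify by format. The scheme is what matters: a bare MD5 can be matched against a
# precomputed table, a salted and iterated phpass hash cannot.
function Get-HashScheme([string]$Hash) {
    if ($Hash -match '^\$H\$')         { return 'phpass' }   # phpBB3 (assumed $H$ prefix)
    if ($Hash -match '^[0-9a-f]{32}$') { return 'md5' }      # phpBB2 (unsalted MD5)
    return 'unknown'
}

# MD5 of a string; used only to show that the unsalted hash of a common password is
# recognisable on sight, which is exactly the weakness the post describes.
function Get-Md5Hex([string]$Text) {
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $bytes = $md5.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text))
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLower()
}

# A four-entry stand-in for a rainbow table: hashes of passwords every wordlist contains.
$commonMd5 = @{}
foreach ($pw in 'password', '123456', 'qwerty', 'letmein') { $commonMd5[(Get-Md5Hex $pw)] = $pw }

$epoch = ([DateTime]'1970-01-01T00:00:00Z').ToUniversalTime()
$rows = ($export -split '\r?\n') | ConvertFrom-Csv
$report = foreach ($r in $rows) {
    $scheme = Get-HashScheme $r.user_password
    New-Object PSObject -Property @{
        User       = $r.username
        Scheme     = $scheme
        LastVisit  = $epoch.AddSeconds([double]$r.user_lastvisit).ToString('yyyy-MM-dd')
        # A legacy hash means the password was never re-hashed after the phpBB3 upgrade:
        # the account needs a forced reset, whatever the password is.
        ForceReset = ($scheme -ne 'phpass')
        # Only the unsalted format can be looked up directly; expect bob and dave to match.
        CommonPw   = $(if ($scheme -eq 'md5' -and $commonMd5.ContainsKey($r.user_password)) { 'yes' } else { '' })
    }
}
$report | Format-Table User, Scheme, LastVisit, ForceReset, CommonPw -AutoSize
```

&lt;p&gt;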
Users have been advised to reset their passwords on all other sites that they also use it for.&lt;/p&gt; &lt;p&gt;&lt;b&gt;Password Policy&lt;/b&gt;&lt;/p&gt; &lt;p&gt;I've already referred to Password Policy in a &lt;a title="Security For Dummies" href="http://blog.trendmicro.com/security-policy-for-dummies-how-to-avoid-worm_downad-infection/"&gt;previous post&lt;/a&gt;, but here's another little tip - pick and remember 3 different passwords (more on choosing strong passwords in the previous blog post).&lt;/p&gt; &lt;p&gt;1) Use the 1st one for all public sites that you sign up to - bulletin boards, social networks, and the vast array of other web sites that seem to need you to give them password details&lt;/p&gt; &lt;p&gt;2) Have another, different password for your laptop/desktop itself, to protect against physical access to your system&lt;/p&gt; &lt;p&gt;3) Lastly pick a separate password for your email account - the holy grail for password thieves. Have a search through your emails for the words "Password" or "New Account" - it's scary the amount that will turn up. Compromise someone's email and you compromise their entire online web activity.&lt;/p&gt; &lt;p&gt;Lastly - change these passwords every 6 months. If you do this you will have gone a LONG way to keeping your information secure online. Having separate levels of passwords is key - the number of people who blindly sign up for sites and provide both their email, and the password which is also used for their email account, as login details is scary. If you are not used to remembering separate passwords, try and pick some that have something in common. 
I'll end this with a simple, easy-to-remember example (Note: Don't bother trying to access my email account with these :) )&lt;/p&gt; &lt;p&gt;Level-1 Password: aFiFuOf$$$&lt;br /&gt;Level-2 Password: 4aF$$$Mo&lt;br /&gt;Level-3 Password: ThGoThBa&amp;amp;ThUg&lt;/p&gt; &lt;p&gt;&lt;b&gt;&lt;i&gt;Clue: Spaghetti Westerns&lt;/i&gt;&lt;/b&gt;&lt;/p&gt;&lt;p&gt;&lt;b&gt;&lt;i&gt;NOTE: The Hacker who carried out the attack has posted a very interesting step-by-step here - &lt;a href="http://hackedphpbb.blogspot.com/2009/01/place-holder.html"&gt;http://hackedphpbb.blogspot.com/2009/01/place-holder.html&lt;/a&gt;&lt;br /&gt;&lt;/i&gt;&lt;/b&gt;&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://robertmcardle.blogspot.com/feeds/5094400536644445744/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=5094400536644445744' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/5094400536644445744'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/5094400536644445744'/><link rel='alternate' type='text/html' href='http://robertmcardle.blogspot.com/2009/02/largest-bulletin-board-providers.html' title='Largest Bulletin Board providers compromised'/><author><name>Robert McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='11653923853923680588'/></author><thr:total 
xmlns:thr='http://purl.org/syndication/thread/1.0'>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7389874623959970000.post-6880401813266434516</id><published>2009-01-16T14:24:00.002Z</published><updated>2009-01-16T15:30:20.576Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Malware'/><title type='text'>Security Policy 101</title><content type='html'>Quite a few Security Websites and Media outlets have reported on the current wave of &lt;a href="http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DOWNAD.AD"&gt;WORM_DOWNAD.AD&lt;/a&gt; detections over the last few weeks. What's noteworthy about this particular beastie is not only the scale of the infections (some estimates put it at over 8 million infected machines), but also the propagation techniques - a 3-pronged attack designed to exploit weak company Security Policies.&lt;br /&gt;&lt;br /&gt;Firstly &lt;a href="http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DOWNAD.AD"&gt;DOWNAD.AD&lt;/a&gt; sends exploit packets for the recent Microsoft &lt;a href="http://www.trendmicro.com/vinfo/secadvisories/default6.asp?VName=MS08-067_Server_Service_Remote_Execution_Exploit"&gt;Server Service Vulnerability&lt;/a&gt; to every machine on the network, and to several randomly selected targets over the Internet. This vulnerability allows remote code execution for an attacker, and affects just about every version of Windows since Windows 2000.&lt;br /&gt;&lt;br /&gt;For its next trick &lt;a href="http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DOWNAD.AD"&gt;DOWNAD.AD&lt;/a&gt; drops a copy of itself in the Recycler folder (Recycle Bin) of all available removable and network drives. 
Next it creates an obfuscated Autorun.inf file on these drives, so that the Worm is executed simply by browsing to the network folder or removable drive (the user does not need to actually click on the file).&lt;br /&gt;&lt;br /&gt;And then comes the icing on the cake - it first enumerates the available servers on the Network and then, using this information, it gathers a list of user accounts on these machines. Finally it runs a dictionary attack against these accounts using a predefined password list (more details &lt;a href="http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DOWNAD.AD&amp;amp;VSect=T"&gt;here&lt;/a&gt;). If successful (and a scary amount of the time people's passwords are that bad), it drops a copy of itself on their system and uses a scheduled task, also known as an AT job, to execute the worm.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;So why is this Worm so successful? Simple - poor security policies.&lt;br /&gt;&lt;br /&gt;The first propagation technique is really exploiting poor Patch Management. A patch for this vulnerability has been available since late last year, but still some companies have not properly rolled this out to all machines on their network. Remember even one unpatched machine is enough to have this Worm spread through the entire network. Patch Management is a critical component of any IT department's job today, and it is vitally important that it is applied in a timely fashion across ALL of the company's machines, including laptops and other mobile devices. Companies also need to have very clear policies on patch levels of external parties who access their network (e.g. Partner Companies, Contractors, etc). Like so many aspects of Security, it only takes one hole to bring down an entire network.&lt;br /&gt;&lt;br /&gt;Autorun malware has been a big problem over the last 6 months, and to be honest, it really should be a non-issue. Quick, grab a piece of paper and a pencil. Got them? 
Great, ok - now in 30 seconds try to write down a single reason why your company NEEDS to have the ability for all Removable Drives and Network Shares to automatically execute code just by viewing them. It's ok, I'll wait till you are done... didn't come up with one, did you? Let me save you the pain of figuring out the next step - &lt;a href="http://msdn.microsoft.com/en-us/library/cc144204.aspx"&gt;How to disable Autorun&lt;/a&gt; (more details &lt;a href="http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/93502.mspx?mfr=true"&gt;here&lt;/a&gt;).&lt;br /&gt;&lt;br /&gt;Lastly we have the old classic - using weak passwords. You could write a book on how to ensure users use strong passwords (in fact people already &lt;a href="http://www.amazon.com/Perfect-Passwords-Selection-Protection-Authentication/dp/1597490415/ref=sr_1_1?ie=UTF8&amp;amp;s=books&amp;amp;qid=1232119298&amp;amp;sr=1-1"&gt;have&lt;/a&gt;), but to help save your hard-earned money during this economic downturn, we've kindly made one available as part of our &lt;a href="http://us.trendmicro.com/us/threats/home-user/preventing-intrusions/safe-computing-guide/"&gt;Safe Computing Guide&lt;/a&gt;. Go have a read. 
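&lt;br /&gt;&lt;br /&gt;Those three policy points are also three things to check on a host, and the worm's spreading leaves traces on exactly the drives and in the scheduled-task folder described above. The script below is an added example, not from the post or from Trend Micro; it assumes PowerShell 2.0 or later, that the MS08-067 fix appears in the installed hotfix list as KB958644, and that the Autorun policy is the NoDriveTypeAutoRun value under the Explorer policy keys, and it only reads.

```powershell
# Added example, not from the post or from Trend Micro: audit one Windows host for the
# three DOWNAD.AD propagation vectors described above. Read-only; it fixes nothing.

# 1. Patch management: is the MS08-067 fix installed? (KB958644 is assumed to be its ID.)
function Test-Ms08067Patched {
    $fix = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
    return [bool]$fix
}

# 2. Autorun policy. NoDriveTypeAutoRun is a bit mask of drive types with Autorun OFF:
#    0x04 = removable, 0x10 = network, 0xFF = every type. A missing value means the
#    Windows default rather than the 0xFF that disables it everywhere.
function Get-AutorunPolicy {
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($k in $keys) {
        $v = $null
        if (Test-Path $k) { $v = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).NoDriveTypeAutoRun }
        New-Object PSObject -Property @{
            Key                = $k
            NoDriveTypeAutoRun = $(if ($v -ne $null) { '0x{0:X2}' -f [int]$v } else { '(not set)' })
            RemovableOff       = ($v -ne $null) -and (([int]$v -band 0x04) -ne 0)
            NetworkOff         = ($v -ne $null) -and (([int]$v -band 0x10) -ne 0)
        }
    }
}

# 3. Traces of the worm's own spreading: an autorun.inf and files under RECYCLER at the
#    root of removable (type 2) and network (type 4) drives, plus AT jobs in the Tasks folder.
function Get-DownadTraces {
    $drives = Get-WmiObject Win32_LogicalDisk | Where-Object { $_.DriveType -eq 2 -or $_.DriveType -eq 4 }
    foreach ($d in $drives) {
        $root = $d.DeviceID + '\'
        $inf = $root + 'autorun.inf'
        if (Test-Path -LiteralPath $inf) {
            # A legitimate autorun.inf is a few lines of plain text; the worm's is obfuscated,
            # so size and the count of non-printable bytes are a quick tell for the analyst.
            $bytes = [IO.File]::ReadAllBytes($inf)
            $junk = @($bytes | Where-Object { $_ -lt 9 -or ($_ -gt 13 -and $_ -lt 32) }).Count
            New-Object PSObject -Property @{ Drive = $d.DeviceID; Finding = 'autorun.inf'
                Detail = ('{0} bytes, {1} non-printable' -f $bytes.Length, $junk) }
        }
        $rec = $root + 'RECYCLER'
        if (Test-Path -LiteralPath $rec) {
            foreach ($f in (Get-ChildItem -LiteralPath $rec -Recurse -Force -ErrorAction SilentlyContinue | Where-Object { -not $_.PSIsContainer })) {
                New-Object PSObject -Property @{ Drive = $d.DeviceID; Finding = 'file under RECYCLER'; Detail = $f.FullName }
            }
        }
    }
    foreach ($job in (Get-ChildItem (Join-Path $env:SystemRoot 'Tasks') -Filter 'At*.job' -Force -ErrorAction SilentlyContinue)) {
        New-Object PSObject -Property @{ Drive = ''; Finding = 'AT job'; Detail = ('{0} (modified {1})' -f $job.Name, $job.LastWriteTime) }
    }
}

'MS08-067 patched: {0}' -f (Test-Ms08067Patched)
Get-AutorunPolicy | Format-Table Key, NoDriveTypeAutoRun, RemovableOff, NetworkOff -AutoSize
Get-DownadTraces  | Format-Table Drive, Finding, Detail -AutoSize
```

Weak passwords cannot be audited this way without the account data, so the third vector only shows up here through its side effect, the AT job.&lt;br /&gt;&lt;br /&gt;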
After all, it would be nice not to have to explain to your boss that every machine in the company is infected because you had picked "123456" as the default password on all of your machines and shared drives.&lt;br /&gt;&lt;br /&gt;To quote my favourite sportsperson Roy Keane - "Failure to Prepare, Prepare to Fail"</content><link rel='replies' type='application/atom+xml' href='http://robertmcardle.blogspot.com/feeds/6880401813266434516/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=6880401813266434516' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/6880401813266434516'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/6880401813266434516'/><link rel='alternate' type='text/html' href='http://robertmcardle.blogspot.com/2009/01/security-policy-101.html' title='Security Policy 101'/><author><name>Robert McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='11653923853923680588'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7389874623959970000.post-3020151559057856487</id><published>2008-12-08T12:13:00.005Z</published><updated>2008-12-08T12:54:30.378Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Doom and Gloom'/><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><title type='text'>Security in a Recession</title><content type='html'>With 
the National Bureau of Economic Research in the United States announcing last week that the US has officially been in recession since Dec 2007, IT budgets are highly likely to be strictly controlled both in the US and in other parts of the world. I had a conversation with a friend over the weekend and he asked me did I expect there to be redundancies in the IT Security industry, as companies could no longer afford to have dedicated Security personnel on their books.&lt;br /&gt;&lt;br /&gt;To be honest, yes I think there will. However, I also think that the overall IT Security industry will continue to grow in 2009 - the bad guys are not going away anytime soon, and a lot of their existing scams work really well in this economic climate. The companies which take this course of action may well end up regretting it in the long term, and here are my thoughts on why.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_Gaxw_CA12Wo/ST0Y6VsLVhI/AAAAAAAAAe0/5nTT6nmnoZY/s1600-h/recession.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 247px; height: 247px;" src="http://4.bp.blogspot.com/_Gaxw_CA12Wo/ST0Y6VsLVhI/AAAAAAAAAe0/5nTT6nmnoZY/s320/recession.jpg" alt="" id="BLOGGER_PHOTO_ID_5277401728882005522" border="0" /&gt;&lt;/a&gt;All Security at the end of the day boils down to risk management, and the 3 core values every organisation needs to protect are often shown in the acronym CIA (Confidentiality, Integrity, Availability). Different organisations prioritise different areas, e.g. the military values Confidentiality highest, for banks it is Integrity, etc. I think when it comes to an economic downturn Confidentiality and Availability are the most obviously affected.&lt;br /&gt;&lt;br /&gt;In terms of Confidentiality we are talking about an organisation's private data being protected. 
I'm based in Ireland where we had 17000 people made redundant in November, but this is a drop in the ocean compared to other countries (particularly the half a million in the US). Insider threats have long been one of the largest risks facing organisations, especially in the case of the so-called "Disgruntled Employee". With large numbers of employees being made redundant, having their salaries cut, etc. there is a lot of incentive for these same employees to engage in Data Theft. When people feel hard done by by their employers, they are more likely to relax their morals, and in a lot of cases would not consider taking confidential company information outside of the company stealing - they feel an entitlement to this information, after all they put X years of work into helping the company grow. The very fact that there are so many Data Leak/Loss Prevention (DLP) solutions on the market should give you an idea of just how big this problem is - and I think the risk of Data Theft/Loss is going to increase in the current climate.&lt;br /&gt;&lt;br /&gt;Which brings us to the other big one - Availability. Almost every company is currently engaged in examining their costs and reducing them wherever possible. Whether it is in terms of head count or even simply lowering all of the thermostats in their buildings by 5 degrees (my hands are going blue typing this), a lot of companies are walking a very fine line trying to keep afloat for the next 2 to 3 years - even the smallest misfortune could tip the ship.&lt;br /&gt;&lt;br /&gt;This is where malware comes in. The recent &lt;a href="http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DOWNAD.A&amp;amp;VSect=T"&gt;WORM_DOWNAD.A&lt;/a&gt; attack was quite successful in infecting unpatched Windows machines, with quite a few companies having thousands of machines infected by the threat. Cleaning a threat like this costs a lot of money. 
In a lot of cases a company may need to pay their IT staff overtime to fix the problem, or bring in external contractors. That's not where the real loss is however. Picture a company of 4000 employees. Now picture all of those employees being unable to use their machines for 3 hours while the systems are being cleaned, repatched and tested. That is 12000 man-hours of work which that company is paying for, and getting nothing in return. To put it another way that's about 6.5 people's salaries for the year, so around 200-250K. There are very few companies that have that kind of money to burn at the moment.&lt;br /&gt;&lt;br /&gt;So to any organisations thinking of cutting their security budgets, think long and hard about weighing the short-term savings against the potential losses. I wish I could say that there won't be companies that go under because of a malware attack in the next couple of months - but optimism is not exactly in large supply at the moment.</content><link rel='replies' type='application/atom+xml' href='http://robertmcardle.blogspot.com/feeds/3020151559057856487/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=3020151559057856487' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/3020151559057856487'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/3020151559057856487'/><link rel='alternate' type='text/html' href='http://robertmcardle.blogspot.com/2008/12/security-in-recession.html' title='Security in a Recession'/><author><name>Robert 
McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='11653923853923680588'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_Gaxw_CA12Wo/ST0Y6VsLVhI/AAAAAAAAAe0/5nTT6nmnoZY/s72-c/recession.jpg' height='72' width='72'/><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7389874623959970000.post-3038790716004003086</id><published>2008-12-03T09:38:00.006Z</published><updated>2008-12-03T22:30:30.339Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Technical'/><category scheme='http://www.blogger.com/atom/ns#' term='Hacking'/><title type='text'>Breaking the Internet 101</title><content type='html'>I have not posted on here in FAR too long, apologies to my hordes of loyal readers (hi mom!)&lt;br /&gt;&lt;br /&gt;I just wanted to bring 2 excellently written articles to people's attention on the DNS vulnerability discovered by Dan Kaminsky earlier this year. Unless you were hiding under a rock, if you are in any way involved in the security industry this is an attack you should know inside out (as well as DNS Cache Poisoning and RR attacks). This stuff comes up all the time when I am teaching SANS courses (GSEC and GCIH), and the students are always amazed at the simplicity of the attacks. 
If the students do not walk out of the classroom at the end of the day terrified that the entire Internet is based on such a horribly insecure protocol, I have not done my job properly :)&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://poly.chromatic.net/blog/wp-content/uploads/2008/08/the-internet-is-broken-folded-marge-black-folded.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 229px; height: 300px;" src="http://poly.chromatic.net/blog/wp-content/uploads/2008/08/the-internet-is-broken-folded-marge-black-folded.png" alt="" border="0" /&gt;&lt;/a&gt;&lt;a href="http://boingboing.hexten.net/2008/11/30/how-dan-kaminsky-bro.html"&gt;Boing Boing&lt;/a&gt; has an excellently written article on Dan's discovery of the attack and the subsequent media storm that followed. It reads akin to the plot for a Hollywood blockbuster (much better than &lt;a href="http://www.rottentomatoes.com/m/swordfish/"&gt;Swordfish&lt;/a&gt;) and I found it hugely entertaining.&lt;br /&gt;&lt;br /&gt;It is a bit light on the exact details of the attack, which are just as interesting - and can be found &lt;a href="http://www.jbip.net/content/text-mantasanos-article-detais-kaminskys-dns-attack"&gt;here&lt;/a&gt;. 
Incidentally, an exploit is available as part of the Metasploit toolkit over &lt;a href="http://www.caughq.org/exploits/CAU-EX-2008-0002.txt"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;As I said before - a must-read for anyone involved in security - but Boing Boing have done a fine job of making the attack understandable for everyone.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7389874623959970000-3038790716004003086?l=robertmcardle.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://robertmcardle.blogspot.com/feeds/3038790716004003086/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=3038790716004003086' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/3038790716004003086'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/3038790716004003086'/><link rel='alternate' type='text/html' href='http://robertmcardle.blogspot.com/2008/12/beaking-internet-101.html' title='Breaking the Internet 101'/><author><name>Robert McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='11653923853923680588'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7389874623959970000.post-4524832599716690934</id><published>2008-07-28T10:50:00.001+01:00</published><updated>2008-07-28T10:52:01.194+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Technical'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Malware'/><category scheme='http://www.blogger.com/atom/ns#' term='TM'/><category scheme='http://www.blogger.com/atom/ns#' term='Web Threats'/><title type='text'>YAMSIA (Yet Another Massive SQL Injection Attack)</title><content type='html'>&lt;span style="font-style: italic;"&gt;Forgot to crosspost from &lt;a href="http://blog.trendmicro.com/yamsia-yet-another-massive-sql-injection-attack/"&gt;TM &lt;/a&gt;Site&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Clever mnemonics aside, last week we saw another large-scale SQL injection attack (or YAMSIA, if you prefer), this time being orchestrated by a botnet that has become known as Asprox—but first, a history lesson.&lt;/p&gt; &lt;p&gt;The code behind the &lt;a href="http://www.trendmicro.com/vinfo/virusencyclo/default2.asp?m=q&amp;amp;virus=ASPROX&amp;amp;alt=1"&gt;Asprox botnet&lt;/a&gt; seems to have been around for quite some time now, but it was only in the last year that it was upgraded to a botnet whose main focus is to send phishing emails. This changed in late May / early June of this year when the bots were issued a new set of commands–namely to start searching the Web for certain .ASP pages - and then launching an SQL injection attack against these pages (hmm … I wonder where they got that idea from).&lt;/p&gt; &lt;center&gt;&lt;img src="http://www.trendmicro.com/vinfo/images/blog/ASP_scripts.gif" /&gt;&lt;br /&gt;&lt;b&gt;&lt;i&gt;Figure 1.&lt;/i&gt;&lt;/b&gt; The modus operandi that has become more and more common.&lt;/center&gt; &lt;p&gt;Compromised sites have a piece of JavaScript (JS) embedded in them, which in turn points to another JS file on a separate domain (the first technique was covered in &lt;i&gt;Bouncing Malware 101&lt;/i&gt;). These domains are part of a fast-flux network hosted on the botnet itself (a technique widely used by another well-known botnet, Storm). 
The JS file name was originally &lt;i&gt;b.js&lt;/i&gt;, but this has since changed and, in the latest wave, it is the highly imaginative &lt;i&gt;ngg.js&lt;/i&gt;.&lt;/p&gt; &lt;center&gt;&lt;img src="http://www.trendmicro.com/vinfo/images/blog/yamsia.jpg" /&gt;&lt;br /&gt;&lt;b&gt;&lt;i&gt;Figure 2.&lt;/i&gt;&lt;/b&gt; Sample of malicious script (with some parts removed)&lt;/center&gt; &lt;p&gt;As you can see, this script creates a cookie that expires after 9 days. This serves as an infection marker on the page, as it then “bounces” the threat once more to the page pointed to by the &lt;i&gt;iFrame&lt;/i&gt;.&lt;/p&gt; &lt;p&gt;Depending on what country you are browsing from, the Asprox botnet may decide not to let you access this page, in which case you will be redirected to the legitimate &lt;i&gt;www.msn.com&lt;/i&gt;. If you are “lucky” enough to be allowed access to the page, however, your browser will be promptly slapped in the face with a barrage of exploits for browser vulnerabilities–all with the goal of having your computer join in all of the fun by hooking your PC up to the botnet.&lt;/p&gt; &lt;p&gt;SQL injection attacks can be very effective as they are normally completely hidden from the Internet user—everything is quietly downloaded in the background without their knowledge. We were sure this was a criminal act, and as such have added a detection for the threat, as well as for the bouncing JavaScript (JS_IFRAME.ADN) itself.&lt;/p&gt; &lt;p&gt;Unfortunately, security is still a major issue with the majority of Web sites, and until it becomes one of the core design goals from the start of a Web site project, expect to see more YAMSIA (Can you tell I’m trying to get this mnemonic to stick?) 
blogs in the future.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7389874623959970000-4524832599716690934?l=robertmcardle.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://robertmcardle.blogspot.com/feeds/4524832599716690934/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=4524832599716690934' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/4524832599716690934'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/4524832599716690934'/><link rel='alternate' type='text/html' href='http://robertmcardle.blogspot.com/2008/07/yamsia-yet-another-massive-sql.html' title='YAMSIA (Yet Another Massive SQL Injection Attack)'/><author><name>Robert McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='11653923853923680588'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7389874623959970000.post-2922565768781509943</id><published>2008-07-28T10:48:00.000+01:00</published><updated>2008-07-28T10:50:39.588+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Technical'/><category scheme='http://www.blogger.com/atom/ns#' term='Malware'/><category scheme='http://www.blogger.com/atom/ns#' term='SPAM'/><category scheme='http://www.blogger.com/atom/ns#' term='TM'/><category scheme='http://www.blogger.com/atom/ns#' term='NUWAR'/><title type='text'>Breaking News! Iran Invaded! 
Well…maybe</title><content type='html'>&lt;span style="font-style: italic;"&gt;Forgot to repost from &lt;a href="http://blog.trendmicro.com/breaking-news-iran-invaded-well%E2%80%A6maybe/"&gt;TM &lt;/a&gt;Site&lt;/span&gt;&lt;br /&gt;&lt;div align="left"&gt;&lt;p&gt;Picture the scene: You wake up in the morning and make your way on autopilot to work at your job in Tehran, then switch on your work PC to check your email. One in particular stands out as being a bit different from the others. You read it once, and then just to be sure read it a second time, then run to look out the window. Seeing no tanks in the streets and a significant lack of mushroom clouds, you return to your desk and take another look…&lt;/p&gt; &lt;p&gt;&lt;img src="http://blog.trendmicro.com/wp-content/uploads/2008/07/iran.jpg" alt="Iran" align="center" /&gt;&lt;/p&gt; &lt;p&gt;Anxious to find out what’s going on, you download the video and run it to find out more information. &lt;/p&gt; &lt;p&gt;Wrong move.&lt;/p&gt; &lt;p&gt;Now, longtime readers of this blog (well, most people to be honest) should look at that email and be immediately skeptical. They might even go check out legitimate news sites like CNN or BBC. However, enough people will open their email inboxes this morning, download the video (hint: it’s not really a video, it’s just another Storm/Nuwar/Zhelatin/Peacomm variant detected by Trend Micro as &lt;a href="http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_NUWAR.AB"&gt;TROJ_NUWAR.AB&lt;/a&gt;) and proceed to help the Storm gang’s authors make even more money. 
The Storm network may have decreased since its heyday — but its size still makes the approximately 20,000 soldiers seem small in comparison.&lt;/p&gt; &lt;p&gt;It’s a sad world we live in where we have to educate people to be careful of what they get in their email, to be suspicious of every site they visit, and to be constantly on the lookout for scams.&lt;/p&gt; &lt;p&gt;Needless to say, Trend Micro customers are protected from this threat, both with our latest pattern file, and in the cloud with our Smart Protection Network. For everyone else, &lt;i&gt;&lt;b&gt;think before you click&lt;/b&gt;&lt;/i&gt;.&lt;/p&gt; &lt;p&gt;&lt;i&gt;Additional information — here are samples of spam pertaining to this attack:&lt;/i&gt;&lt;/p&gt; &lt;center&gt;&lt;img src="http://www.trendmicro.com/vinfo/images/blog/stormmil3.jpg" /&gt; &lt;p&gt;&lt;img src="http://www.trendmicro.com/vinfo/images/blog/stormmil4.jpg" /&gt;&lt;br /&gt;&lt;/p&gt;&lt;/center&gt; 
&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7389874623959970000-2922565768781509943?l=robertmcardle.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://robertmcardle.blogspot.com/feeds/2922565768781509943/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=2922565768781509943' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/2922565768781509943'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/2922565768781509943'/><link rel='alternate' type='text/html' href='http://robertmcardle.blogspot.com/2008/07/breaking-news-iran-invaded-wellmaybe.html' title='Breaking News! Iran Invaded! Well…maybe'/><author><name>Robert McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='11653923853923680588'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7389874623959970000.post-9018425179012745927</id><published>2008-06-30T09:20:00.007+01:00</published><updated>2008-06-30T10:27:18.145+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Musings'/><category scheme='http://www.blogger.com/atom/ns#' term='Travel'/><title type='text'>Ultimate Travel Bag</title><content type='html'>Not a security related post - but here's one that is close to my heart. 
Decided to put this question out there for anyone who can help.&lt;br /&gt;&lt;br /&gt;I travel quite a lot for short trips (2-3 days) where I need to have my laptop case. Personally, airports annoy the hell out of me, especially going through security. The last time I was in the airport, standing behind a queue of people who took ages finding all of the metal objects in their pockets, forgetting to remove laptops from bags etc. - an idea struck me.&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;There must be an easier way than this&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: left;"&gt;And so I have started my search for the ultimate short trip laptop bag. The type of bag that has enough space for your laptop, and all of your clothes etc. I decided to start with a short list of the features this type of bag would need to have.&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Needs to fit in an overhead compartment of an aircraft - by &lt;a href="http://www.aerlingus.com/cgi-bin/obel01im1/Services/cabin_bag.jsp?BV_SessionID=@@@@1450736664.1214814449@@@@&amp;amp;BV_EngineID=cccgadeehldeeklcefecfigdffgdfkl.0&amp;amp;P_OID=-536879754&amp;amp;Category=3#all"&gt;Aer Lingus&lt;/a&gt;'s standards that's 56 cm x 45 cm x 25 cm or 22in x 18in x 10in&lt;/li&gt;&lt;li&gt;The laptop must be easy to remove for airport scanners, not stuck somewhere in the depths of the bag.&lt;/li&gt;&lt;li&gt;Pouches at the front for passport/tickets&lt;/li&gt;&lt;li&gt;Compartment for metal coins and keys. Basically a small compartment that you can toss all of your metal items into. It would be even better if this was detachable&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Enough room and compartments for all of your laptop stuff - chargers, DVDs etc.&lt;/li&gt;&lt;li&gt;Enough room for 2 days' worth of clothes, including shoes - and the option to be able to pack a suit.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Rollers and a long handle. 
I'm over 6 foot, so stooping while dragging a bag is a pain.&lt;/li&gt;&lt;/ul&gt;All of that should not be rocket science. I would be interested in hearing what other people would have in their "ultimate" laptop travel bag, and of course any suggestions on existing bags I could get.&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7389874623959970000-9018425179012745927?l=robertmcardle.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://robertmcardle.blogspot.com/feeds/9018425179012745927/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=9018425179012745927' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/9018425179012745927'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/9018425179012745927'/><link rel='alternate' type='text/html' href='http://robertmcardle.blogspot.com/2008/06/ultimate-travel-bag.html' title='Ultimate Travel Bag'/><author><name>Robert McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='11653923853923680588'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7389874623959970000.post-2798353163492049347</id><published>2008-05-22T09:25:00.002+01:00</published><updated>2008-05-22T10:41:49.075+01:00</updated><title type='text'>All your info are belong to us</title><content type='html'>&lt;span class="a"&gt;&lt;a href="http://www.google.com/health"&gt;Google Health&lt;/a&gt; has opened its doors today, and the 
ramifications are quite frankly worrying. Don't get me wrong, I am a big fan of Gmail and the Google Search Engine (best &lt;a href="http://johnny.ihackstuff.com/"&gt;hacking tool&lt;/a&gt; on the planet), but this is a worrying development. Google Health aims to be a portal to organise and maintain all of your health records... let's think about this all for a second.&lt;br /&gt;&lt;br /&gt;On the face of things Google is a company that aims to be number one in the field of online advertising, and they clearly are, through the use of highly targeted adverts. What they are really all about is data aggregation. To quote Sir Francis Bacon - "Knowledge is Power", and that is what Google are all about - sorting and categorising every single piece of information about every person on the planet.&lt;br /&gt;&lt;/span&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_Gaxw_CA12Wo/SDU_stIzD8I/AAAAAAAAATY/fPdoKGo_V-U/s1600-h/google-as-a-giant-robot.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp0.blogger.com/_Gaxw_CA12Wo/SDU_stIzD8I/AAAAAAAAATY/fPdoKGo_V-U/s320/google-as-a-giant-robot.jpg" alt="" id="BLOGGER_PHOTO_ID_5203134981759766466" border="0" /&gt;&lt;/a&gt;&lt;span class="a"&gt;Now that's not necessarily a bad thing. Just because they have access to all of that information does not necessarily mean they will abuse it - but the fact remains that they can, or indeed they can be forced by another group (e.g. a government) to hand over certain information. Having all of your information in one place like that is just asking for trouble.&lt;br /&gt;&lt;br /&gt;Do I sound overly paranoid (my tinfoil hat is the height of fashion)? Well, let me ask you this question. I have a mate called Dave (Dave may or may not be hypothetical). 
Dave runs a small data storage company and for a low, low price (free), has kindly offered to store every email you receive; catalogue every site you visit (yes, even the dodgy ones you swear you never go to); store all of your personal documents (both the ones on the web, and those on your PC); keep your personal calendar for you (not that you care that he knows where you will be every minute of the day); mind all of your private photos (which you have kindly categorised and labelled for him); and of course keep track of everybody you are acquainted with.&lt;br /&gt;&lt;br /&gt;But wait - there's more! He will now keep all of your medical history safe for you as well! Remember that nasty rash "down there"; or the incident with the gerbil, the bungee rope and the rocket launcher - all neatly documented in case you ever need to access it.&lt;br /&gt;&lt;br /&gt;But there is no need to be paranoid, because Dave would never do anything dodgy with your information. After all, his company's motto is "&lt;a href="http://en.wikipedia.org/wiki/Don%27t_be_evil"&gt;Don't be Evil&lt;/a&gt;"...&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7389874623959970000-2798353163492049347?l=robertmcardle.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://robertmcardle.blogspot.com/feeds/2798353163492049347/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=2798353163492049347' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/2798353163492049347'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/2798353163492049347'/><link rel='alternate' type='text/html' 
href='http://robertmcardle.blogspot.com/2008/05/all-your-info-are-belong-to-us.html' title='All your info are belong to us'/><author><name>Robert McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='11653923853923680588'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp0.blogger.com/_Gaxw_CA12Wo/SDU_stIzD8I/AAAAAAAAATY/fPdoKGo_V-U/s72-c/google-as-a-giant-robot.jpg' height='72' width='72'/><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7389874623959970000.post-1481208545499862757</id><published>2008-05-01T12:34:00.003+01:00</published><updated>2008-05-01T12:58:00.310+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Technical'/><category scheme='http://www.blogger.com/atom/ns#' term='Conference'/><title type='text'>Wheres the Risk? Oslo apparently.</title><content type='html'>Just back (well a few days ago) from the &lt;a href="http://www.mnemonic.no/features/risk-2008-2/view?set_language=en"&gt;RISK 2008&lt;/a&gt; conference in Oslo, Norway. 
Overall I really liked this conference, although I did not get to attend all of the talks due to my average (read: non-existent) command of the Norwegian language, so as such I limited myself to the talks of an English-speaking variety.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.mnemonic.no/images/risk-2008/image_preview"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px;" src="http://www.mnemonic.no/images/risk-2008/image_preview" alt="" border="0" /&gt;&lt;/a&gt;The conference was held in the Norwegian national football stadium (real football, not the version with body armour and 40 ad breaks), so the hosts, Mnemonic, had gone for a football theme. All of the organisers were dressed in referees' jerseys; going over time by 5 minutes saw you receiving a yellow card, and in extreme cases a red would see an early end to your conference.&lt;br /&gt;&lt;br /&gt;The first speaker up was Marcus Ranum, who delivered an excellent and very entertaining talk about how we are stuck dealing with all of the mistakes of the past, and how we must be much more careful going forward. He also has an interesting read on his website about the "&lt;a href="http://www.ranum.com/security/computer_security/editorials/dumb/"&gt;6 Dumbest Ideas in Computer Security&lt;/a&gt;". The only other English presentations for the day were by Peter Finnegan on Oracle security (or the lack thereof), and by Sebastien Deleersnyder explaining what OWASP was all about.&lt;br /&gt;&lt;br /&gt;That evening Mnemonic put on an excellent drinks reception, and a really nice dinner. There was also a very good comedian (at least all of the locals were laughing), and he did a sketch about going through airport customs that was mostly in English and was great. 
The night was good craic overall, and hats off to Mnemonic for organising it.&lt;br /&gt;&lt;br /&gt;The 2nd day of the conference started with Joanna Rutkowska's talk on Virtual Machine malware. This was a talk that I was really looking forward to - unfortunately my own presentation was up next, so I spent most of the time down the back going over that. The bits I caught were as interesting as ever. My own presentation on "Fighting web-based, profit-driven threats" sparked quite a few questions from the audience (joys of being the only AV speaker), especially from the aforementioned Joanna. Eventually the organisers called time on the questions, but the spirited debate continued during the break, attracting a bit of a crowd.&lt;br /&gt;&lt;br /&gt;Essentially a lot of people were saying that a) pattern matching is dead, b) counting unique MD5s as a measure of the rise in malware is pointless, and c) we should fix the OS, not build on it.&lt;br /&gt;&lt;br /&gt;On a) I mostly agree - pattern matching on its own is not capable of dealing with the current threat landscape, but when complemented with other technologies like behaviour-based detection, Web Threat Protection and Data Leak Protection, suddenly we have a decent defense-in-depth model.&lt;br /&gt;&lt;br /&gt;On b), regardless of the fact that the number of unique samples has gone through the roof, the fact is the number of individual variants is also on the rise. Everyone knows that it is trivial to generate 10,000 copies of the same malware - but you still need to deal with each of them, and that's why the malware industry does it. Even if you have only one brand of bullet, firing 10K at the target instead of 1 makes it a lot more likely you are going to do some damage.&lt;br /&gt;&lt;br /&gt;On c), in an ideal world fixing the OS is a big step. 
Proper process isolation, data permissions, etc. go a long way towards helping secure a system, but the majority of malware attacks are still aimed at the most vulnerable part of the system - the part between the keyboard and the chair.&lt;br /&gt;&lt;br /&gt;Anyhow - the other English presentation of the day was a really interesting talk by PDP of &lt;a href="http://www.gnucitizen.com/"&gt;Gnucitizen.com&lt;/a&gt; (if you don't already regularly read it, you should). He gave a very nice rundown of attacks against Web 2.0 that was both entertaining and informative, and as far as I was concerned was tied with Marcus's presentation for the best at the conference.&lt;br /&gt;&lt;br /&gt;Anyhow, back now to a place where beer does not cost €10, but that may all change as I head to &lt;a href="http://www.datasecurity-event.com/"&gt;CARO&lt;/a&gt; in Amsterdam later this week.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://risk.mnemonic.no/RISK_2008_program_uk.pdf"&gt;Full Program of the Event&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.robertmcardle.com/presentation/24_04_2008-RISK_2008.ppt"&gt;Copy of the Slides from my presentation&lt;br /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7389874623959970000-1481208545499862757?l=robertmcardle.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://robertmcardle.blogspot.com/feeds/1481208545499862757/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=1481208545499862757' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/1481208545499862757'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/1481208545499862757'/><link rel='alternate' type='text/html' 
href='http://robertmcardle.blogspot.com/2008/05/wheres-risk-oslo-apparently.html' title='Wheres the Risk? Oslo apparently.'/><author><name>Robert McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='11653923853923680588'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7389874623959970000.post-2703911697680471010</id><published>2008-03-31T19:36:00.006+01:00</published><updated>2008-04-01T08:29:20.925+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Technical'/><category scheme='http://www.blogger.com/atom/ns#' term='Malware'/><category scheme='http://www.blogger.com/atom/ns#' term='NUWAR'/><title type='text'>Jokes on you</title><content type='html'>There is a new variant of a well-known threat that has been spotted cashing in on April Fool's Day in the last few hours. Anyone want to hazard a guess as to which one it is?&lt;br /&gt;&lt;br /&gt;Wasn't that hard a question, I guess - the Storm Gang are at it again.&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_Gaxw_CA12Wo/R_E0Cw2r8AI/AAAAAAAAASY/IrRbYtdxDDA/s1600-h/storm.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp1.blogger.com/_Gaxw_CA12Wo/R_E0Cw2r8AI/AAAAAAAAASY/IrRbYtdxDDA/s320/storm.JPG" alt="" id="BLOGGER_PHOTO_ID_5183981868158808066" border="0" /&gt;&lt;/a&gt;Too lazy to actually create their own image to represent the holiday, the group simply googled "April Fools" and used the first image that showed up. 
So far emails are being spammed out with the subject line "April Fool's Day", and the executables on the site are called "foolsday.exe" or "funny.exe". However, if the gang's past behaviour is as predictable as normal, these will change several times over the next 48 hours to similarly themed names. (EDIT: In fact they have added "Kickme.exe" in the time it took me to type this)&lt;br /&gt;&lt;br /&gt;Needless to say, Trend Micro customers are already being protected using our Web Threat Protection technology - blocking access to the sites themselves, preventing the user from any exposure to the threat. We are also adding detection proactively for the binary files themselves.&lt;br /&gt;&lt;br /&gt;Overall I doubt that this incident will be remembered in the same way as other classics such as the value of &lt;a href="http://www.snopes.com/religion/pi.asp"&gt;pi being changed to 3.0&lt;/a&gt; and the &lt;a href="http://en.wikipedia.org/wiki/Hotheaded_Naked_Ice_Borer"&gt;hotheaded naked ice borer&lt;/a&gt;, but this is definitely one prank you do not want to fall for.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://blog.trendmicro.com/jokes-on-you/"&gt;&lt;span style="font-style: italic;"&gt;Also posted to Trend Micro Blog&lt;/span&gt;&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://robertmcardle.blogspot.com/feeds/2703911697680471010/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=2703911697680471010' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/2703911697680471010'/><link rel='self' type='application/atom+xml'
href='http://www.blogger.com/feeds/7389874623959970000/posts/default/2703911697680471010'/><link rel='alternate' type='text/html' href='http://robertmcardle.blogspot.com/2008/03/jokes-on-you.html' title='Jokes on you'/><author><name>Robert McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='11653923853923680588'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp1.blogger.com/_Gaxw_CA12Wo/R_E0Cw2r8AI/AAAAAAAAASY/IrRbYtdxDDA/s72-c/storm.JPG' height='72' width='72'/><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7389874623959970000.post-9057737336435433897</id><published>2008-03-27T08:51:00.003Z</published><updated>2008-03-27T10:18:04.663Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Publications'/><category scheme='http://www.blogger.com/atom/ns#' term='Technical'/><category scheme='http://www.blogger.com/atom/ns#' term='Malware'/><title type='text'>Fluxed up beyond all recognition</title><content type='html'>The Guardian newspaper has published a piece on "&lt;a href="http://en.wikipedia.org/wiki/Fast_flux"&gt;Fast-Flux&lt;/a&gt;" networking, a system used by many of today's cyber criminals in order to make it more difficult to track them down and shut down their sites.
The article is up &lt;a href="http://www.guardian.co.uk/technology/2008/mar/27/security.hacking"&gt;here&lt;/a&gt; and features 2 quotes from yours truly (well one from me, and one from my evil twin Robert Mc&lt;span style="font-weight: bold;"&gt;C&lt;/span&gt;ardle - you can tell us apart as he has a goatee).&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.stolliclothing.co.uk/listproducts.php?pg=5&amp;amp;cid=335"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp2.blogger.com/_Gaxw_CA12Wo/R-thfg2r79I/AAAAAAAAASA/8HHPIGbcSVU/s320/Flux_Capacitor_Jr-T.jpg" alt="" id="BLOGGER_PHOTO_ID_5182342990243033042" border="0" /&gt;&lt;/a&gt;The idea of Fast-flux has actually been around for a while, but it was not until the Storm botnet started using it that it began to gain widespread use. The key to really making it work, however, is the DNS servers, which are normally hosted on "Bulletproof" networks that allow these criminals to run their attacks without fear of an ISP coming along and shutting them down, although the gang behind Storm did actually have to move hosting companies in December due to the amount of attention they had drawn on themselves.&lt;br /&gt;&lt;br /&gt;Speaking of Fast-Flux, if you want to take a short break from the web with friends - I fully recommend &lt;a href="http://wunderland.com/LooneyLabs/Fluxx/Default.html"&gt;Fluxx&lt;/a&gt;, a neat little card game that is almost completely random.&lt;br /&gt;&lt;br /&gt;EDIT: Scan of newspaper article attached (Click for full size):&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_Gaxw_CA12Wo/R-t0Pw2r7-I/AAAAAAAAASI/FWMMyp0ot3E/s1600-h/guardian.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;"
src="http://bp3.blogger.com/_Gaxw_CA12Wo/R-t0Pw2r7-I/AAAAAAAAASI/FWMMyp0ot3E/s200/guardian.JPG" alt="" id="BLOGGER_PHOTO_ID_5182363610381021154" border="0" /&gt;&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://robertmcardle.blogspot.com/feeds/9057737336435433897/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=9057737336435433897' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/9057737336435433897'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/9057737336435433897'/><link rel='alternate' type='text/html' href='http://robertmcardle.blogspot.com/2008/03/fluxed-up-beyond-all-recognition.html' title='Fluxed up beyond all recognition'/><author><name>Robert McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='11653923853923680588'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp2.blogger.com/_Gaxw_CA12Wo/R-thfg2r79I/AAAAAAAAASA/8HHPIGbcSVU/s72-c/Flux_Capacitor_Jr-T.jpg' height='72' width='72'/><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7389874623959970000.post-6976382293109874112</id><published>2008-03-09T15:39:00.003Z</published><updated>2008-03-09T16:19:25.269Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Malware'/><category scheme='http://www.blogger.com/atom/ns#' term='NUWAR'/><title
type='text'>Cyber Criminals sink to new low</title><content type='html'>It's been all over several &lt;a href="http://www.f-secure.com/weblog/archives/00001392.html"&gt;Security&lt;/a&gt; &lt;a href="http://www.f-secure.com/weblog/archives/00001392.html"&gt;sites&lt;/a&gt; last week that the Storm worm has changed once more, in the first wave since the one coinciding with Valentine's Day. Now there was nothing particularly new or interesting about this latest wave (poses as an ecard, site has exploits etc.), except for the time the new wave started.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_Gaxw_CA12Wo/R9QMO-ppwDI/AAAAAAAAARE/fHH1sdy2xwo/s1600-h/nuwar0803-2.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp2.blogger.com/_Gaxw_CA12Wo/R9QMO-ppwDI/AAAAAAAAARE/fHH1sdy2xwo/s320/nuwar0803-2.jpg" alt="" id="BLOGGER_PHOTO_ID_5175775323230945330" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;The latest wave commenced at 02:11 am on the 3rd of March. I know this exact time because that was the time in the morning that an automated SMS message from our Storm monitoring system woke me up to tell me of the switch.&lt;br /&gt;&lt;br /&gt;Would it be so difficult for malware writers to release their new threats at a decent hour of the day (GMT)?
Grumble grumble grumble...</content><link rel='replies' type='application/atom+xml' href='http://robertmcardle.blogspot.com/feeds/6976382293109874112/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=6976382293109874112' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/6976382293109874112'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/6976382293109874112'/><link rel='alternate' type='text/html' href='http://robertmcardle.blogspot.com/2008/03/cyber-criminals-sink-to-new-low.html' title='Cyber Criminals sink to new low'/><author><name>Robert McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='11653923853923680588'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp2.blogger.com/_Gaxw_CA12Wo/R9QMO-ppwDI/AAAAAAAAARE/fHH1sdy2xwo/s72-c/nuwar0803-2.jpg' height='72' width='72'/><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7389874623959970000.post-6226075522165782113</id><published>2008-02-28T15:54:00.006Z</published><updated>2008-02-29T09:19:34.872Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Publications'/><category scheme='http://www.blogger.com/atom/ns#' term='NUWAR'/><title type='text'>Interview with the Irish Independent</title><content type='html'>An
Interview I did last week with Gordon Smith of &lt;a href="http://www.siliconrepublic.com/"&gt;SiliconRepublic&lt;/a&gt; has been published in the Digital Ireland supplement of today's &lt;a href="http://www.independent.ie/"&gt;Irish Independent&lt;/a&gt;. I've got 2 scans as PDFs below for anyone who is interested. Overall I'm happy enough with this interview: no real misquotes, and Gordon was great to work with and knew his stuff on the topic, which helped a lot.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_Gaxw_CA12Wo/R8bbpuWNjII/AAAAAAAAAQ0/0u6nPCcISm8/s1600-h/logo-independentdublin.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp3.blogger.com/_Gaxw_CA12Wo/R8bbpuWNjII/AAAAAAAAAQ0/0u6nPCcISm8/s400/logo-independentdublin.png" alt="" id="BLOGGER_PHOTO_ID_5172062731943906434" border="0" /&gt;&lt;/a&gt;&lt;a href="http://www.robertmcardle.com/blog/independant/Storm.pdf"&gt;Scan 1 (Some words cut off)&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.robertmcardle.com/blog/independant/storm2.pdf"&gt;Scan 2 (Picture at top cut off)&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Also the picture they used was smaller than the one in the &lt;a href="http://robertmcardle.blogspot.com/2007/09/robert-mcardle-in-full-frontal-shocker.html"&gt;Interview&lt;/a&gt; with the Irish Examiner, which is much appreciated :P&lt;br /&gt;&lt;br /&gt;UPDATE: The story has also been published on &lt;a href="http://www.siliconrepublic.com/news/news.nv?storyid=single10398"&gt;SiliconRepublic&lt;/a&gt; this morning.</content><link rel='replies' type='application/atom+xml' href='http://robertmcardle.blogspot.com/feeds/6226075522165782113/comments/default' title='Post
Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=6226075522165782113' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/6226075522165782113'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/6226075522165782113'/><link rel='alternate' type='text/html' href='http://robertmcardle.blogspot.com/2008/02/interview-with-irish-independant.html' title='Interview with the Irish Independent'/><author><name>Robert McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='11653923853923680588'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp3.blogger.com/_Gaxw_CA12Wo/R8bbpuWNjII/AAAAAAAAAQ0/0u6nPCcISm8/s72-c/logo-independentdublin.png' height='72' width='72'/><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7389874623959970000.post-1147594235057578187</id><published>2008-02-27T12:00:00.007Z</published><updated>2008-02-28T16:10:53.657Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='TM'/><category scheme='http://www.blogger.com/atom/ns#' term='Scams'/><title type='text'>What's the worst that could happen?</title><content type='html'>Identity Theft - the crime that happens to other people.&lt;br /&gt;&lt;br /&gt;Most people I have talked to about identity theft have been mildly concerned, but normally think that it is not something they themselves should worry about.
After all, they say, I only use the Internet to check my email and occasionally buy things - what's the worst that can happen?&lt;br /&gt;&lt;br /&gt;I would imagine that is exactly what a fellow Irishman who uses the &lt;a href="http://www.ebay.com/"&gt;eBay&lt;/a&gt; handle jopsoup was thinking as he strolled into a local internet cafe to check his email, only to find that he owed $3,002,150. I would also imagine that he had quite different opinions of identity theft when he got up to leave.&lt;br /&gt;&lt;br /&gt;It appears that this man's eBay account details had previously been stolen (most likely by a trojan monitoring for passwords, which could have been installed in the same internet cafe he always frequented), and had been used in the winning bid on a &lt;a href="http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&amp;amp;item=140206309501"&gt;massive collection of music&lt;/a&gt; being sold on the well-known auction site.&lt;span class="ebay"&gt; The collection on its own is quite impressive with over 300,000 CDs (that's 75 16GB iPhones for all you youngsters out there).&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_Gaxw_CA12Wo/R8VVyeWNjHI/AAAAAAAAAQs/K5p5YoytI9c/s1600-h/20080220sm_record1_500.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp1.blogger.com/_Gaxw_CA12Wo/R8VVyeWNjHI/AAAAAAAAAQs/K5p5YoytI9c/s320/20080220sm_record1_500.jpg" alt="" id="BLOGGER_PHOTO_ID_5171634072732929138" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;The UK Home Office estimates that Identity Theft cost the British economy £1.7 billion over the last 3 years, figures that have been echoed by other governments around the world. The fact is your data, no matter how trivial, can be very valuable if it falls into the wrong hands.
Be careful out there, people - the Web can be a dangerous place, and just as you would when exploring a new city or town, it pays to be prepared and protected before venturing into it.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://blog.trendmicro.com/whats-the-worst-that-can-happen/"&gt;&lt;span style="font-style: italic;"&gt;Also posted on Trend Micro Blog&lt;/span&gt;&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://robertmcardle.blogspot.com/feeds/1147594235057578187/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=1147594235057578187' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/1147594235057578187'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/1147594235057578187'/><link rel='alternate' type='text/html' href='http://robertmcardle.blogspot.com/2008/02/whats-worst-that-could-happen.html' title='Whats the worst that could happen?'/><author><name>Robert McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='11653923853923680588'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp1.blogger.com/_Gaxw_CA12Wo/R8VVyeWNjHI/AAAAAAAAAQs/K5p5YoytI9c/s72-c/20080220sm_record1_500.jpg' height='72' width='72'/><thr:total
xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7389874623959970000.post-8384770651819659524</id><published>2008-02-06T14:01:00.001Z</published><updated>2008-02-15T09:23:03.459Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Phishing'/><category scheme='http://www.blogger.com/atom/ns#' term='Malware'/><category scheme='http://www.blogger.com/atom/ns#' term='TM'/><category scheme='http://www.blogger.com/atom/ns#' term='Web Threats'/><category scheme='http://www.blogger.com/atom/ns#' term='NUWAR'/><title type='text'>Spot The Difference</title><content type='html'>&lt;span style="font-style: italic;"&gt;Now also on &lt;/span&gt;&lt;a style="font-style: italic;" href="http://blog.trendmicro.com/spot-the-difference/"&gt;Trend Micro Blog&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;For generations kids all over the world have enjoyed "&lt;a href="http://en.wikipedia.org/wiki/Spot_the_difference"&gt;Spot The Difference&lt;/a&gt;" puzzles, but who says we adults can't join in the fun? See if you can spot the difference between the real banking login page and the phishing attack below:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_Gaxw_CA12Wo/R6m-89m4ibI/AAAAAAAAAPM/a3Jv3ifx-Go/s1600-h/pic1.JPG"&gt;&lt;img style="cursor: pointer;" src="http://bp2.blogger.com/_Gaxw_CA12Wo/R6m-89m4ibI/AAAAAAAAAPM/a3Jv3ifx-Go/s320/pic1.JPG" alt="" id="BLOGGER_PHOTO_ID_5163868402296064434" border="0" /&gt;&lt;/a&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_Gaxw_CA12Wo/R6m_CNm4icI/AAAAAAAAAPU/7xapdnjLwnU/s1600-h/pic2.JPG"&gt;&lt;img style="cursor: pointer;" src="http://bp3.blogger.com/_Gaxw_CA12Wo/R6m_CNm4icI/AAAAAAAAAPU/7xapdnjLwnU/s320/pic2.JPG" alt="" id="BLOGGER_PHOTO_ID_5163868492490377666" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Not very easy, is it?
Well, let's look at the source code and see what differences appear there. To be honest there are very few differences, and most are simply a case of correcting the paths of images/links from the real site so that they still work correctly on the phishing site. For example, in the picture below the red highlighted site is the real one, and the yellow the phishing site:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_Gaxw_CA12Wo/R6nBS9m4ieI/AAAAAAAAAPk/40KzJ8r1q5k/s1600-h/pic3.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp2.blogger.com/_Gaxw_CA12Wo/R6nBS9m4ieI/AAAAAAAAAPk/40KzJ8r1q5k/s400/pic3.JPG" alt="" id="BLOGGER_PHOTO_ID_5163870979276442082" border="0" /&gt;&lt;/a&gt;The truth is the source code is almost identical: the form on the page is submitted to the page itself. In the case of the real bank this will authenticate and log in the user; in the case of the phishing one - well, let's just say they are most likely not going to use your details to send you free money.&lt;br /&gt;&lt;br /&gt;About the only real difference noticeable to the user is in the URL, and even this is very difficult to spot unless you are really looking for it.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_Gaxw_CA12Wo/R6nCstm4igI/AAAAAAAAAP0/ASJhupIHsd0/s1600-h/pic4.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp1.blogger.com/_Gaxw_CA12Wo/R6nCstm4igI/AAAAAAAAAP0/ASJhupIHsd0/s400/pic4.JPG" alt="" id="BLOGGER_PHOTO_ID_5163872521169701378" border="0" /&gt;&lt;/a&gt;Where does this threat come from? Well, it is currently being spammed around by a certain well-known botnet (starts with "S", ends with "torm") specifically targeting Australian email accounts.
It looks like this page was actually put together by someone outside of the normal Storm group, but they are most likely renting a section of the network. Luckily Trend Micro automatically protects our customers by blocking the URL with our Web Reputation.&lt;br /&gt;&lt;br /&gt;One last thing: remember when I said there were virtually no differences between the 2 page sources? Well, I lied a little bit - check this out (again Red=Real, Yellow=Fake)&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_Gaxw_CA12Wo/R6nEKNm4ihI/AAAAAAAAAP8/YqsyYjgF8dY/s1600-h/pic5.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp3.blogger.com/_Gaxw_CA12Wo/R6nEKNm4ihI/AAAAAAAAAP8/YqsyYjgF8dY/s400/pic5.JPG" alt="" id="BLOGGER_PHOTO_ID_5163874127487470098" border="0" /&gt;&lt;/a&gt;When you access the real banking page a piece of PHP script takes your IP address and stores it as a hidden variable on the page, so the bank can track what IPs people are logging in from. The top IP address is my own from when I accessed the site. The bottom one, however, is the attacker's, from when they downloaded the real page to create their phishing site. They obviously never bothered removing this incriminating evidence (or just did not notice) before putting up the page.
However, the IP traces back to a standard ISP in Argentina, and users most likely receive a new IP every time they connect to the network - so the chances of finding the culprits are unfortunately slim.</content><link rel='replies' type='application/atom+xml' href='http://robertmcardle.blogspot.com/feeds/8384770651819659524/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7389874623959970000&amp;postID=8384770651819659524' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/8384770651819659524'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7389874623959970000/posts/default/8384770651819659524'/><link rel='alternate' type='text/html' href='http://robertmcardle.blogspot.com/2008/02/spot-difference.html' title='Spot The Difference'/><author><name>Robert McArdle</name><uri>http://www.blogger.com/profile/15357460584188706613</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='11653923853923680588'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp2.blogger.com/_Gaxw_CA12Wo/R6m-89m4ibI/AAAAAAAAAPM/a3Jv3ifx-Go/s72-c/pic1.JPG' height='72' width='72'/><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry></feed>