Vanity Search Attacks

“How did you two meet? Did you mark her, or was it the other way around?”

- Robert Redford to Brad Pitt, Spy Game

Con man 101: The best way to gain someone’s confidence is to make them think they contacted you. Scammers just love having potential victims contacting them.

Now, it seems they figured an interesting way to draw potential victims to their web site, in a way that is much easier than sending billions of spam email messages.
The idea is simple: take the person’s name (real people’s names are available for harvesting in places like LinkedIn, Facebook and other social networks) and put it in a web page. It doesn’t really matter where, as long as Google indexes it.

Wait a while, and have that person google himself. Many people (myself included) have a ‘Google Alert’ on their name, which sends them an updated list of links to new pages where their name is mentioned.

Everyone likes to see where they are mentioned, so they will click on the link. And voila! They arrive at the spammer’s page. In some cases I’ve seen, the name was already gone from the page (but was still in the Google cache). But none of this matters: as soon as the person reached the page, the web spammer’s job is done – he got his message in front of you, and maybe you’ll even dig deeper into his web site trying to figure out what the connection is to you.

There are many advantages to this method. First, you are not restricted in the message: the web page can openly contain the words Viagra, credit card debt and mortgage assistance without fear of triggering anti-spam software. Also, people will pay more attention to the page since they think it has something to do with them.

I don’t get the spammers’ marketing statistics, but I’m sure that the infamous spam text “it came to our attention that you’re in dire need of financial help” which sounds very much like a sincere, personal message, is a huge success. But this message has to get through the spam filters and include a real email address and a correct first/last name. The spam web page doesn’t need to bypass spam filters, and already has the correct name. In addition, you gain interesting information about the visitor: browser version, IP location and of course, the name he was searching for (that would be in the ‘referrer’ that is sent automatically by the browser to the web site). Oh, and of course – it’s cheap. You only need to put together a nice looking web page, and wait for google to do the rest. No buying of email lists and no cost of sending spam (which is nowadays the cost of hiring a zombie botnet for a couple of days).

For those aspiring scammers who are reading this, you should understand that it’s not a foolproof method. Obviously, it requires people to do a vanity search to reach you in the first place (though it also works on people who google their dates, their parents or their teachers). It also requires time – days, weeks or months (which may be difficult if your web site is on a zombie computer that might disappear by the time Google indexes it and the user comes to the site). But because the costs are very small, and there are no effective countermeasures at the moment, I think we will see more and more such attacks in the near future.


Facebook worm - and how long we have to wait for AV protection

The so-called Koobface case was covered quite widely in the IT news, but security mailing lists received the information on Thursday, 7th August.

Kaspersky Lab reported the existence of the worm on 31st July. Hey, that’s more than a week ago, but it took several days until anti-virus protection became available.

Major anti-virus vendors currently have the following detections (listed in alphabetical order):

BitDefender – Win32.Worm.KoobFace.A
Kaspersky Lab – Net-Worm.Win32.Koobface.b
McAfee – W32/Koobface.worm
Panda Security – Boface.A [Technical name: W32/Boface.A.worm]
Sophos – detected proactively as Mal/Heuri-D, Mal/Heuri-E, Mal/Emogen-N and Mal/Packer
Sunbelt Software – Net-Worm.Win32.Koobface.b
Symantec – W32.Koobface.A

There is no write-up available from F-Secure, Norman, Trend Micro etc. yet.

The AV industry also knows the alias KoobFace.

The size of the worm is 16,384–16,652 bytes. It is written in Visual C++ 6.0 and packed with UPX and Upack.
The second piece of malware, attacking Facebook users since 7th August, is a Trojan horse (Sophos uses the name Troj/Dloadr-BPL) spreading as Google Video links posted to the Wall, and is a separate issue.

If you don’t see a detailed write-up from your own AV vendor later today, remember that it’s a DEFCON weekend, and that Facebook has already started blocking these from its side.

But the protection - that’s what we need, with a delay of less than 4 or 5 days.


Pushdo analysis

Joe has a nice write-up on the inner workings of the Pushdo Trojan.

Pushdo is interesting since it was written for “future use” - i.e. it updates itself to obey its master’s latest needs and requests. It also has intelligence-collecting routines and in general shows how sophisticated the bad guys are getting.


Fake blogs and search engines

URLs in this post should be considered unsafe.

Fake sites and SE poisoning are nothing new. The use of blogs for this is far from new, either. Thousands of new fake blogs pop up every day on blogspot, livejournal, etc.

Web spam is a subject I have written about in the past, and some of you may be familiar with it regardless of me (no kidding), especially if you run a blog yourself.

A new fake blog which looks like blogspot, but has its own “domain”, recently popped up in a Google alert on my name.

I get hits on these fake pages all the time, as my name is a keyword used by some of these spammers to grab attention for their pages.
This time around they really overdid it.

The page has a blogspot layout, and continues with ads for pornographic sites or malware (is there any difference anymore?).

Then the site shows the YouTube video which can be found under my name.
Following that is a post I recently made to a mailing list (poorly formatted).
Then we have a few pictures of girls, linking once more to either pornographic sites or malware drive-by sites (if there is a difference, again).

They finish the page off by adding comments, which are actually some old SecuriTeam posts by me.

Heck, it looks fake, but it is obvious the bad guys are investing more in their fake web pages. Their auto-creation tools seem to be getting more impressive, and I believe we will soon see much more believable sites.

Google Blog Search displays this site as (nasty words replaced with beep):

Gadi Evron
2 Sep 2007
Gangbeep facial asian amateurs, bang bus jessica hardcore pictures bang your head, asian virgins.asts. Teen Cherry Action - Nice brunette teen beeped hard on the bed and getting a beepy beepshot. Beep beeping boy beep teen legs, …
Untitled - h ttp://n ewadult.celeberia.com/

URL:
h ttp://n ewadult.celeberia.com/Gadi-Evron

Again, I am unsure if these URLs are safe.

For those of you wondering whether these web pages mean anything to the bad guys, the answer is absolutely yes. Search engine ranking, indexing, etc. help them advance their own sites (or their clients’). Then, of course, there is advertising and Google ads.
It works. And the advertising space on unrelated keywords is a plus.

The concept is very similar to comment spam. Comment spam may no longer contribute to SE ranking because of the nofollow tag attached to links in comments, but these pages get indexed, and that’s all the bad guys care about. Nofollow is crap, and what shows up when you search is what matters.

As an example of how these things work: in a recent blog post of mine, a buddy left a comment (see http://gevron.livejournal.com/8859.html for the example).

He left a URL for his legitimate Python/math/music/origami blog in his comment, and now when you search for his blog you find my post in 4th place with the title ‘A Jew in a German Camp’ (about the CCC Camp in Germany). He is not pleased, but it is obvious how the bad guys abuse this, infecting millions of computers just because their owners surf the net.

Gadi Evron,
ge@linuxbox.org.


ISOI 3 is on, and Washington DC is hot

Following up on that strange title: ISOI 3 (Internet Security Operations and Intelligence), a workshop for doers who work on the security of the Internet and its users, is happening Monday and Tuesday in Washington, DC.

This time around we have even more government participation (we’re in DC, duh) but a bit less from academia (who can try to look at long-term solutions), rather than just us security researchers and operators (who respond to, contain and mitigate incidents).

I am very pleased with our progress in encouraging global cooperation and getting more industry information sharing going. I am also happy we are moving from “just” good-will based relationships to the physical world with our efforts, being able to take things to the next level with world-wide operational task forces and, indeed, effecting change.

If you are interested in this realm of Internet security operations, take a look at ISOI 3’s schedule, and perhaps submit something for the next workshop.

Some reporters are somewhat annoyed that entrance is barred to them, but I hope they understand that although we make things public whenever we can, as full disclosure is a strong weapon in the fight against cyber crime, folks cannot share as openly when they have to be on their toes all the time.

The third ISOI is here because, after DHS ended up unable to host it, sponsors emerged who were happy to assist:

Afilias Ltd.: http://www.afilias.info/
ICANN: http://www.icann.org/
The Internet Society: http://www.isoc.org/
Shinkuro, Inc.: http://www.shinkuro.com/

It’s going to be an interesting week here at the swamp. Attendees had better show up with their two forms of ID. :)

Gadi Evron,
ge@linuxbox.org.


eWeek: Estonian Cyber-War Highlights Civilian Vulnerabilities

I posted a column on eWeek on what critical infrastructure means, looking back at the Estonia incident.

They edited out some of what I had to say on home computers and their impact as critical infrastructure, but hey, word limitations.

http://www.eweek.com/article2/0,1895,2166125,00.asp

Gadi Evron,
ge@linuxbox.org.


Using honeypots to fight comment spam

The guys at rustylime describe how they are using honeypot form fields to detect spam bots.

This method is interesting since the false positive rate will be close to zero: any decent browser will not show the ‘honeypot’ fields, and a human won’t be able to enter information there accidentally. The false negative rate will be low, since most spam bots will enter information in those fields. The problem, of course, is that the spam bots can be adjusted specifically for rustylime (now that they have outlined their comment spam fighting technique), either by looking for these specific field names or by calibrating the spam bots to render the page and filter out invisible parts (this would be a serious technical challenge for the spammers).

Of course, a post on SecuriTeam blogs, a web site that is probably frequently read by spammers, is not going to help them keep a low profile against spammers - so my apologies to the rustylime people. Let’s hope their comment spam queue remains clean, and maybe someone can pick this up and find a more generic way to fight comment spam using browser-invisible fields.
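A worked version of the browser-invisible-field idea, added here as an example and not rustylime’s own code: the trap field’s name is derived from a per-form token rather than fixed, which is one way towards the more generic defence hoped for above, since a bot cannot learn a single field name to skip. The server secret, the field names, the form markup and the classification strings are all assumptions of this example.

```python
import hashlib
import hmac
import secrets
from html import escape

# Constructed secret for this example only; a real deployment loads it from
# configuration and never hard-codes it.
SERVER_SECRET = b"example-only-secret-do-not-reuse"


def new_form_token() -> str:
    """Random token issued with each rendered form."""
    return secrets.token_hex(16)


def honeypot_field_name(form_token: str) -> str:
    """Derive the trap field's name from the form token (assumed scheme).

    Because the name is an HMAC of a token the server issued, a bot that
    learned one name from a published post cannot simply leave that one
    field out; it has to fetch this form and reason about which field to skip.
    """
    digest = hmac.new(SERVER_SECRET, form_token.encode(), hashlib.sha256).hexdigest()
    return "fld_" + digest[:12]


def render_comment_form(form_token: str) -> str:
    """Comment form with a trap field a browser never shows.

    The trap is a normal text input moved off-screen with CSS (not
    type="hidden"), so a bot that fills every text input populates it.
    autocomplete="off" and tabindex="-1" keep browser autofill and keyboard
    focus away from it, which is the false-positive case to guard against.
    """
    trap = honeypot_field_name(form_token)
    return (
        '<form method="post" action="/comment">\n'
        f'  <input type="hidden" name="form_token" value="{escape(form_token)}">\n'
        '  <label>Name <input type="text" name="author"></label>\n'
        '  <label>Comment <textarea name="body"></textarea></label>\n'
        '  <div style="position:absolute;left:-10000px" aria-hidden="true">\n'
        f'    <input type="text" name="{trap}" autocomplete="off" tabindex="-1">\n'
        '  </div>\n'
        '  <button type="submit">Post</button>\n'
        '</form>'
    )


def classify_submission(fields: dict) -> str:
    """Return "ok" or a spam reason for a posted name->value map.

    Token expiry and binding to a session are left out here; they would stop
    a bot from replaying one fetched form indefinitely.
    """
    token = fields.get("form_token", "")
    if not token:
        return "spam: missing form token"
    trap = honeypot_field_name(token)
    if trap not in fields:
        # A real browser submits every input, empty or not. A bot that only
        # posts the fields it knows about never sends the trap field at all.
        return "spam: honeypot field absent"
    if fields[trap].strip():
        return "spam: honeypot field filled"
    return "ok"
```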


Ecards and email filtering

In the past two weeks, ecards have become a major threat.

Ecards (or electronic greeting cards) have always been a perfect social engineering scheme, open to abuse. With the Storm worm and massive exploitation, I believe it has become prudent to filter out all ecard messages in your email systems.

Further, some training or awareness information on this subject, distributed to your organization, could be very useful.

Gadi Evron,
ge@linuxbox.org


Alternative Botnet C&Cs - free chapter from Botnets: The Killer Web App

Syngress was kind enough to allow me to post the chapter I wrote for Botnets: The Killer Web Application here as a free sample.

It is the third chapter in the book and requires some prior knowledge of what a botnet C&C (command and control) is. It is basic, short, and to my belief covers quite a bit. It had to be short, as I had just 5 days to write it while doing other things and without having planned on any writing, but it is pretty good in my completely unbiased opinion. ;)

You can download it from this link:
http://www.beyondsecurity.com/whitepapers/005_427_Botnet_03.pdf

For the full book, you would need to spend the cash.

Enjoy!

Gadi Evron,
ge@linuxbox.org.


Botnets != Terrorism, or is it? :)

Just last week we were throwing jokes around on funsec@ about calling botnets terrorism to get some action going. Of course, we decided that’s an extremely bad idea, as people are already starting to discount issues when “terrorism” or “2.0” are attached.

No, I am not going to say it, you are going to put these two together on your own! :)

Today, Fergie (Paul Ferguson) sent this to funsec:

Brian Krebs writes in The Washington Post:

[snip]

The global jihad landed in Linda Spence’s e-mail inbox during the summer of 2003, in the form of a message urging her to verify her eBay account information. The 35-year-old New Jersey resident clicked on the link included in the message, which took her to a counterfeit eBay site where she unwittingly entered in personal financial information.

Ultimately, Spence’s information wound up in the hands of a young man in the United Kingdom who investigators said was the brains behind a terrorist cell that sought to facilitate deadly bombing attacks against targets in the United States, Europe and the Middle East.

Investigators say Spence’s stolen data made its way via the Internet black market for stolen identities to 21-year-old biochemistry student Tariq al-Daour, one of three U.K. residents who pleaded guilty

http://www.washingtonpost.com/wp-dyn/content/article/2007/07/05/AR2007070501153.html

Enjoy. Funny, I just had fun with online forums and terrorism with this a few days ago.

Buzzwords for FUD are generally a bad idea. Botnets are not terrorism. :P But of course, like most malicious activity, they are used.

Gadi.


IPv6, C&C (not botnets, coffee and cats)

So, someone sent this to NANOG:
An IPv6 address for new cars in 3 years?

From: Rich Emmings
Date: Thu Jun 28 17:47:46 2007

Mark IV systems has a spec for OTTO. Mark IV makes automatic
toll collection and related systems (not to mention other
automotive products).

The system specs show support for IPv6 and SNMPv3. Notably
absent was IPv4 as far as I could tell. No notes on if the IPv6
would be used for Firmware updates or live data collection.
802.1p radio is the spec’d LLP. O/S is VxWorks.

The expectation is for 100% of new cars to have OTTO around
2010.

http://www.ivhs.com/pdf/FactSheet_OTTO_FactSheet1_101105.pdf

Topicality: Looks like someone, somewhere intends to be live
with IPv6 in 3-5 years.
Off Topic: The privacy and security ramifications boggle the
mind….

Which I didn’t read.

Then, this thread happened:

> - — “Suresh Ramasubramanian” wrote:
>
> >On 6/29/07, Rich Emmings wrote:
> >>
> >> Topicality: Looks like someone, somewhere intends to be live with
> >> IPv6
> >> in 3-5 years. Off Topic: The privacy and security ramifications
> >> boggle
> >> the mind….
> >>
> >
> >Fully mobile, high speed botnets?
>
> *bing*

That last bing was from Paul Ferguson, our Fergie.
If I had been drinking coffee, I’d have dropped it!

Other follow-ups included Chris Morrow’s:
> I can’t help it:
>
> “If a bot-car is headed north on I-75 at 73 miles per hour for 3 hours
> and a bot-truck is headed west on I-90 at 67 miles per hour, how long
> until they are 129 miles apart?”

And Steve Bellovin’s:
> Hmm — I was going to say 127.1 miles apart, but that’s not a v6
> address… 1918 miles apart?


CFP: ISOI III (a DA workshop)


Introduction
————

CFP information and current speakers below.

ISOI 3 (Internet Security Operations and Intelligence) will be held in
Washington DC this August the 27th, 28th.

This time around the folks at US-CERT (Department of Homeland Security -
DHS) are hosting. Sunbelt Software is running the after-party dinner.

We only have a partial agenda at this time (see below), but to remind you of what you will see, here are the previous ones:
http://isotf.org/isoi2.html
http://isotf.org/isoi.html

If you haven’t RSVP’d yet, please do so soon. Although we have 240 seats, we are running out of space.

A web page for ISOI 3 can be found at: http://isotf.org/isoi3.html

Details
——-
27th, 28th August, 2007
Washington DC -
AED conference center:
http://www.aedconferencecenter.org/main/html/main.html

Registration via contact@isotf.org is mandatory; there is no cost attached to attending. Check on our web page whether you qualify for a seat.

CFP
———

This is the official CFP for ISOI 3. Main subjects include: fastflux, fraud, DDoS, botnets. Other subjects relating to Internet security operations are also welcome.

Some of our current speakers, as you can see below, lecture on anything from Estonia’s “war” to current Web 2.0 threats in the wild.

Please email contact@isotf.org as soon as possible to submit a proposal. I will gather the proposals and give them to our committee (Jeff Moss) for review.

Current speakers (before committee decision)
——————————————–

Roger Thompson (Exp Labs)
- Google AdWords... the dangers of dealing with the Russian mafia

Barry Raveendran Greene (Cisco)
- What you should be asking me as a routing vendor

John LaCour (Mark Monitor)
- Vulnerabilities used to hack sites for phishing
- Using XSS to track phishers

Dan Hubbard (Websense)
- Mpack and Honeyjax (Web 2.0 honeypots)

April Lorenzen
- Fastflux: Operational Update

William Salusky (AOL)
- The Spammer Evolves - Migration to WebMail

Hillar Aarelaid (Estonian CERT)
- Incident Response during the Recent Attack

Gadi Evron (Beyond Security)
- Strategic Lessons from the Estonian “First Internet War”

Jose Nazario (Arbor)
- Botnet statistics from the Estonian attack

Andrew Fried (Treasury Department)
- Phishing and the IRS - New Methods

Danny McPherson (Arbor)
- TBA


The attacks on Estonia by Russians (or Russia?)

People have been wondering why I’ve been keeping quiet on this issue, especially since I was right there helping out.

A lot of people had information to share and emotions to get out of the way. Also, it was really not my place to reply on this - with all the work done by the Estonians, my contributions were secondary. Mr. Alexander Harrowell discussed this with me off mailing lists, and our discussions are public on his blog. Information from Bill Woodcock on NANOG was also sound.

As to what actually happened over there, more information should become available soon and I will post it here. I keep getting stuck when trying to write the post-mortem and attack/defense analysis, as I keep hitting a stone wall I did not expect: strategy. Suggestions for the future are also a part of that document, so I will speed it up with a more down-to-earth technical analysis (which is what I promised CERT-EE).

In the past I’ve been able to consider information warfare as part of a larger strategy, utilizing it as a weapon. I was able to think of impact and tools, not to mention (mostly) disconnected attacks and defenses.

I keep seeing strategy for use IN information warfare battles as I write this document on what happened in Estonia, and I believe I need more time to explore this against my previous take on the issue, as well as take a look at some classics such as Clausewitz, as posh as it may sound.

Thanks,

Gadi Evron,
ge@linuxbox.org.


War Fears Turn Digital After Data Siege in Estonia

The New York Times carries a good popular-level account of what happened in the recent Estonian information warfare incident. Suggested reading.

http://www.nytimes.com/2007/05/29/technology/29estonia.html (subscription required)
Syndicated: Times Daily


Botnets are old-fashioned - P2P networks are behind massive DDoS attacks

The new trend in organizing Distributed Denial of Service attacks is P2P networks.

This is how Netcraft describes the situation:

large numbers of client computers running P2P software are tricked into requesting a file from the intended target of the DDoS, allowing the attacker to use the P2P network to overwhelm the target site with traffic.

The Netcraft entry also points to an alert from Florida-based Prolexic Technologies, which shares more technical details and information about the number of clients and the traffic being generated.
A very nice catch, Rich Miller of Netcraft!


DDoS against Finnish broadcasting company took 3 days