Here’s a weird spam I got last night:

Hello

The route taken through Customs is mainly determined by your point of departure and whether you are bringing into the country more duty payable goods than your free allowance. For those passengers who have flown in from outside the European Community (EC), their baggage will have a white tag and they must pass through either the Red or Green channel according to the amount of duty free goods they have. Those passengers arriving from countries within the EC should use the Blue channel, and their baggage will have green-edged tag.

As part of our routine check and based on the above, we have a consignment in your name; you are advised to come to the office address below

Customs office
Terminal 3
Heathrow Airport

You are required to come with the following:
1. Your ID
2. Diplomatic Tag either white or green-edge tag.
3. Non Inspection document

Your appointment time is 10am GMT, failure to comply; we will have over the matter to Metropolitan and the FBI. I am the officer in charge of your matter.

Thomas Smith
UK Customs
Heathrow Airport

It’s weird, because it contains no advertisement, and no links. There’s nothing “encoded” in it -  it seems to be an old version of this notice.

So why would a spammer waste valuable botnet cycles on sending me the email? The only explanation I could come up with is “a boy who cried wolf” attack. You send this email a few times, and the Baysian filtering systems train themselves that this is a good email (i.e. “ham”). Most Baysian spam filtering systems have a loopback mechanism where spam email is used to train the system further, and ham email is used to teach the system what “good” email is. If this email is seen a few times and considered ham, spam filters will accept something similar to it that contains a link. That link, can be the spam or phishing attack.

Another guess is that it’s simply used to verify email addresses - you read that a scary Customs agent from Heathrow wants you in his office first thing tomorrow morning, and you quickly reply to ask what it’s about; the spammer (whose reply-to address is different than the “From”) gets a confirmation that your email address is valid, maybe with some more details like your phone number. This is a plausible explanation but it seems like too much hard work just to get some valid email addresses.
Any other guesses?

Those in the Australian state of Queensland are having a cull of cane toads, a pest.  I don’t know whether it would work, but the mass reduction of a pest population is, generally speaking, a good thing.  It may not eliminate the problem once and for all, but a sharp decrease in population is usually better than a constant pressure on a species.

So, is there any way we can get some support going for a mass cull of computer viruses?  Most currently “successful” viruses are related to botnets, and botnets are often used to seed out new viruses.  Viruses are used to distribute other forms of malware.  Doing a number on viruses would really help the information security situation all around.  (I have, for some years, been promoting the idea that corporations, by sponsoring security awareness for the general public, would, in fact, be doing a lot to reduce the level of risk in the computing and networking environment, and therefore improving their own security posture.)

Online payment system infected with malware? not good.

You are receiving this message because you are a subscriber to online bill payment services through CheckFree or through a provider who contracts with CheckFree for these services. This message is sent on behalf of CheckFree by Silverpop Systems.

December 11, 2008
AVIRAM JENIK

[address omitted]

Dear AVIRAM JENIK,
We take great care to keep your personal information secure. As part of these ongoing efforts, we are notifying you that the computer you use for online bill payment may have been exposed to software that puts the security of your computer’s contents at risk. This letter will help you determine if your computer is actually infected and advise you how to fix the problem and protect yourself against future risk.

The malicious software affects some but not all customers who accessed online bill payment on Tuesday, December 2, 2008. For a limited period of time, some customers were redirected from the authentic bill payment service to another site that may have installed malicious software. Your computer may be infected if all of the following are true:

• You attempted to access online bill payment between 12:30 a.m. and 10:10 a.m. Eastern time (GMT -5) on Tuesday, December 2, 2008, and
• You were using a computer with the Windows operating system, and
• You reached a blank screen rather than the usual bill payment screen when you attempted to navigate to online bill payment, and
• After reaching the blank screen, your computer’s virus protection program did not tell you via pop-up or other messaging that malicious software was detected and quarantined.

If all four of the conditions above are true, your computer may be infected. [marketing blurb about an AV vendor that was quick enough to cash in]

CheckFree will never ask for your password via email or via phone.  If you ever receive an email requesting your password, do not respond and delete the email immediately.

We value your business and your trust, and we apologize for any inconvenience this incident has caused.
Thank you,

Art D’Angelo
Vice President, CheckFree Customer Operations

I guess we’ll call this the CheckFree botnet?

I guess one of the signs that your web service is taking off is that spammers are targeting you. In the last few days more and more fictitious followers have surfaced, obviously for the purpose of sending twitter spam once you follow the person who is following you (as most people do almost without thinking).

The twitter team seem to be doing a good job on suspending those accounts immediately (perhaps automatically?) now they just need to figure out how to prevent them from signing up in the first place.

Update: Definitely not automatically. The last batch of spam followers are still active accounts. Or maybe they figured twitter’s threshold and they are avoiding the automatic suspension.

Xyberpix posted his challenge without giving us any advance notice, but being the ego-driven macho man that I am, even with mediocre writing skills, I can’t not accept it.

So here’s a random thought for the day. AppleTV is a useless brick unless hacked to run something like boxee or another front-end player for custom movie files. It’s safe to say most AppleTV users use it to play content outside iTunes.

The latest AppleTV update (version 2.3) has two interesting qualities.

One, it fixes several vulnerabilities involving playing malformed movie files (kuddos for ZDI for the finds). It shouldn’t be difficult to compare 2.3 to 2.2 and find where the problems are exactly. Some reverse-assembly requires, but definitely doable.

Two, it breaks many of the hacks like mounting external USB drives, and creates problems for applications like boxee.

From problem #2, I’m willing to guess many (most?) of the ATV users that hacked the machine haven’t upgraded. From problem #1 I know that those who haven’t upgraded are vulnerable. They will remain vulnerable for some time, until the hacks improve and find a way around this infamous update.

So will we see an attack targeting AppleTV any time soon? It’s a cute little linux-based device that sits in the network with a connection to the local home LAN. All it takes is the right AVI on the piratebay (or youtube?) to create a little AppleTV zombie net.

Summary:
This is Frequently Asked Questions document about new, recently patched RPC vulnerability in Microsoft Windows. The document describes related Trojan and worm malware as well.
It is worth of noticing that code execution type vulnerabilities in Office programs are widely used to industrial espionage since 2006. This time the exploitation represents the use of non-Office vulnerabilities and e-mail attack vector is not used.

Update: After the weekend the malware analyses shows that the Trojan has designed to steal credential information and to collect a botnet-like network.

Q: What is the recent Microsoft Window RPC vulnerability disclosed in October?
A: This vulnerability is caused by an error when processing malformed RPC (Remote Procedure Call) requests. The issue was disclosed by the vendor after active exploitation of the vulnerability.
Q: How does the vulnerability mentioned works?
A: The vulnerability is code execution type vulnerability. Attacker successfully exploiting this vulnerability can run code of his or hers choice in the affected machine.
This vulnerability is caused due to overflow when handling malformed RPC requests. This enables executing arbitrary code of the attacker. Technically the vulnerability exists in the Server service.

Q: When this vulnerability was found?
A: The exact information is not available. Information about upcoming security update was announced on 22nd October, but this vulnerability has been used in targeted attacks at least two weeks already. The exploitation disclosed the existence of vulnerability.

Q: What is the mechanism in exploitation?
A: Information was not disclosed, but during the exploitation malicious executables are being downloaded and executed from the remote Web site.

Q: Is the exploit code of this vulnerability publicly released?
A: Yes. On Friday 24th October the proof of concept code was released on a blog of security researcher and on public, moderated security mailing list. The PoC has been released at several well-known exploit and security community Web sites too. Metasploit module has been released too (link). PoC’s work against Windows XP SP2, Windows XP SP3 and Windows 2003 Server SP2 machines.

Q: Which Windows versions are affected?
A: Microsoft Windows 2000, Windows XP, Windows Vista, Windows 2003 Server and Windows Server 2008 systems are affected.

Q: I am using the 7 Pre-Beta version of Windows, is my operating system affected?
A: According to the Microsoft it is affected too. An update is available (see MS08-067).

Q: I am a home user, is it possible to update my system in a normal way via Microsoft Update?
A: Yes, visiting the Microsoft Update Web site at http://update.microsoft.com/ will update the system against the exploitation of the vulnerability. If the Automatic Updates is enabled the system will be updated automatically without user’s actions.

Q: Where are the official Microsoft documents related to this case located?
A: The official Security Bulletin MS08-067, entitled Vulnerability in Server Service Could Allow Remote Code Execution (958644) has been released at Microsoft TechNet Security section:
www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
Updated information released by the vendor has been covered at MSRC Blog (The Microsoft Security Response Center Blog). The address of the blog is blogs.technet.com/msrc/.
File information of the MS08-067 security update has been released at separate Knowledge Base document #958644: support.microsoft.com/kb/958644.
Microsoft Security Advisory #958963 released to notify the availability of the security update is located at
www.microsoft.com/technet/security/advisory/958963.mspx

Q: What the term ‘out-of-band’ means?
A: Normally Microsoft releases security updates once a month, at the second Tuesday of the every month. Very rarely, during the Windows ANI vulnerability etc. the security update will come out outside of this regular update cycle. Out-of-band and out-of-cycle describe the situation when waiting the regular update Tuesday, so-called Patch Tuesday is not enough to protect Windows systems against exploitation.
The next security updates will be released on Tuesday 11th November.

Update:
Q: Is this a new Slammer worm?
A: No, due to new security features included to SP2 etc. However, on 3rd Nov it was reported about the worm exploiting this vulnerability.

Q: Are there any workarounds available? Our organization is making tests with the patch still.
A: The security bulletin lists the following workarounds:
-Disable the Server and Computer Browser services
-Block TCP ports 139 and 445 at the firewall

Q: Is there Snort rules for this vulnerability available?
A: Yes. Additional details can be obtained at
www.snort.org/vrt/advisories/vrt-rules-2008-10-23.html
known as a ruleset against Microsoft DCE/RPC remote code execution attempts.
The download address is www.snort.org/pub-bin/downloads.cgi
(to paying Sourcefire customers)
Emerging Threats project has released new signatures too, details at
http://www.emergingthreats.net/index.php/component/content/article/17-sigs/125-weekly-new-signatures-october-25-2008.html

Q: What is the situation of Nessus plugins related to this vulnerability?
A: Nessus Plugin ID #34476 has been released. More information is available at
www.nessus.org/plugins/index.php?view=single&id=34476

Q: What are the target organizations etc. of this vulnerability?
A: This information is not available and probably it will never go public. Microsoft has confirmed that fever than 100 organizations are targeted in targeted attacks.

Q: Is there information about file sizes used during the attacks?
A: Yes. The size is 397,312 bytes.
Update: The size can be anything between 49,152 and 417,792 bytes.

Q: How the user can notify the infection?
A: It is reported that the command prompt will appear.

Q: What are the names of malwares exploiting this vulnerability?
A: There are reports about a data collecting Trojan (Gimmiv.A) and a Trojan searching for non-patched machines on LAN (Arpoc.A).

The following names are being used (listed in alphabetical order):
AhnLab - Dropper/Gimmiv.397312 since 2008.10.24.04
Authentium - W32/Gimmiv.A since 23rd Oct
Avira - TR/Dldr.Agent.gcx since 24th Oct, iVDF 7.00.07.81
Bitdefender - Win32.Worm.Gimmiv.A since since 23rd Oct
- dropper detected as Win32.Worm.Gimmiv.B
CA - Win32/Gimmiv.A since eTrust 31.6.6167
ClamAV - Trojan.Gimmiv since 8524
- Trojan.Gimmiv-1…Trojan.Gimmiv-7 since 8526
Dr.Web - DLOADER.PWS.Trojan since 23rd Oct
Eset - Win32/Gimmiv.A since 24th Oct, v.3551
- Win32/Spy.Gimmiv, Win32/Spy.Gimmiv.A since v.3553
- Win32/Spy.Gimmiv.B since v.3555
Fortinet - W32/Gimmiv.A!tr.spy
- name change: W32/Gimmiv.A!worm since 9.676
F-Secure - Trojan-Spy:W32/Gimmiv.A since 2008-10-24_01
- Trojan-Spy:W32/Gimmiv.B since 2008-10-24_05
- Trojan-Spy:W32/Gimmiv.C, D, E, F variants since 2008-10-24_08
- Net-Worm.Win32.Gimmiv.a since 25th Oct 2008-10-25_01
McAfee - PWS.y!C91DA1B9 since DAT5413
- Spy-Agent.da since 23rd Oct, DAT5414, its DLL component detected as Spy-Agent.da.dll
Microsoft - TrojanSpy:Win32/Gimmiv.A[.dll] since 23rd Oct
- since 24th Oct update 1.4005 included signatures
- exploit: Exploit:Win32/MS08067.gen!A
Kaspersky - Trojan-Downloader.Win32.Agent.alce since 24th Oct, 7.0.0.125
Panda Security – detected as ‘Suspicious file’ since 23rd Oct, 9.0.0.4
- Gimmiv.A since 24th Oct
PCTools - Trojan-Spy.Gimmiv.A
Prevx - detected as ‘Cloaked Malware‘
Rising - Trojan.Spy.Win32.Undef.z since 23rd Oct, 21.00.32.00
Sophos - Sus/Dropper-A since 21st Aug (based to heuristic techniques)
- additionally Troj/Gimmiv-A, IDEs since 4.34.0,
- Troj/Gimmiv-Gen since 4th Nov
Symantec - Infostealer since 23rd Oct
- name change: Trojan.Gimmiv.A since 24th Oct, rev. 024
- malicious files detected as Bloodhound.Exploit.212
Trend Micro - WORM_GIMMIV.A since 5.617.00
- TSPY_GIMMIV.A since 5.617.00

where ’2008.10.24.04’ states that these virus signatures or newer include a protection for the malware.

Alias names CVE-2008-4250, W32.Slugin.A and W32/NetAPI32.RPC!exploit.M20084250 are in use too.

Update: Added Arpoc section:
BitDefender - Win32.Worm.Gimmiv.B
CA - Win32/Gimmiv.B since 31.6.6172
Dr.Web - Win32.HLLW.Jimmy.3 since unknown signatures
McAfee - Spy-Agent.da since DAT5414, its DLL component detected as Spy-Agent.da.dll

Update: Added RPC worm section:
AntiVir - TR/Expl.MS08-067.G
BitDefender - Trojan.Downloader.Shelcod.A
ClamAV - Exploit.MS08-067 since 8566
Eset - Win32/Exploit.MS08-067.B, C and D since 3576
F-Secure - worm component as Exploit.Win32.MS08-067.g
- kernel component as Rootkit.Win32.KernelBot.dg
Ikarus - Virus.Exploit.Win32.MS08.067.g
Kaspersky - Exploit.Win32.MS08-067.g since 31th Oct
McAfee - kernel component as KerBot!37E73FFB since DAT5422
Microsoft - Exploit:Win32/MS08067.gen!A
- Trojan:Win32/Wecorl.A
- Trojan:Win32/Wecorl.B
Norman - kernel component as w32/agent.jbvo
Prevx - Worm.KernelBot
Sophos - Mal/Generic-A
- Exp/MS08067-A since 4th Nov
Symantec - W32.Wecorl since 3rd Nov (latest daily certified version) rev. 052
- W32.Kernelbot.A since 3rd Nov (latest daily certified version) rev. 041
Trend Micro - WORM_KERBOT.A since 5.637.00
- WORM_WECORL.A since 5.640.05

Q: What kind of payload this Trojan horse has?
A: This is what the Trojan gathers (according to Microsoft’s document):
*User Name
*Computer Name
*Network Adapters / IP Addresses
*Installed com objects
*Installed programs and installed patches
*Recently opened documents
*Outlook Express and MSN Messenger credentials
*Protected Storage credentials

Q: What kind of Trojan has attacked to the targeted organizations?
A: It is a very sophisticated and dangerous Trojan. It encrypts the data with AES and deletes itself after its operations. Before sending the gathered data to the attacker it reports the AV software of the installation (from HKEY_LOCAL_MACHINE\SOFTWARE\) as a parameter (BitDefender, Jiangmin, Kingsoft, Kaspersky, Microsoft OneCare, Rising and Trend Micro).

Q: Are there any changes to Windows registry or the file system made by this malware?
A: The following registry key is being modified:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysmgr
The display name of the service being generated is System Maintenance Service.
The malicious files are being copied to System32\wbem folder including basesvc.dll, syicon.dll, winbase.dll and winbaseInst.exe. NOTE: After being executed the Trojan deletes these files and itself.
Update: According to Arbor Networks the file C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\macnabi.log is being dropped too.

Q: Now I know that my anti-virus software can report computers in my organizations as clean because the Trojan has deleted itself from the system. What are the malicious executables that I can search them and examine logs etc.?
A: There are several names and all of the files has same size mentioned earlier, i.e. 397,312 bytes.
Update: According to McAfee the size varies from 49,152 to 417,792 bytes.

The most common file name is N2.exe. However, file names Nx.exe are widely spreading as well; [x] represents a number from 1 through 9.
The MD5 hash of the one specific N2.exe file in the wild on 23rd Oct is f173007fbd8e2190af3be7837acd70a4.
Update: To list one more the MD5 hash of n5.exe is 24cd978da62cff8370b83c26e134ff4c.

Prevx database knows the following file names too:
15197927.EXE, 00003106.EXE, NVIR/N2.EXE, 18912604.EXE, 54800477.DAT
The format of the file can be NVIR/N3.EXE etc. too.

Q: What type of network connections these malware make?
A: Gimmiv.A sends an ICMP Echo Request packet to multiple IP addresses including the string ”abcde12345fghij6789”.

Q: How can I recognize malicious files spreading RPC worm (Exploit.Win32.MS08-067.g)?
A: The files names reported in the wild are 6767.exe and KernekDbg.exe.

Q: What is the size of these files?
A: The size are various, but many of them are 16,384 bytes long.

Q: What kind of network connections the worm makes and are there any modifications made to Windows registry?
A: It connects to robot.10wrj.com, ls.cc86.info, ls.lenovowireless.net and ls.playswomen.com. Yes, the worm will add the new value to HKLM\SOFTWARE\Licenses and HKLM\SOFTWARE\Google.

Q: Are there any changes to Windows HOSTS file?
A: Yes, the lines
127.0.0.1 dnl-cn1.kaspersky-labs.com
127.0.0.1 alert.rising.com.cn
127.0.0.1 www.mcafee.com
will be added yo the HOSTS file.

Q: Is there CVE name available to this issue?
A: Yes. The Common Vulnerabilities and Exposures project (cve.mitre.org) has released the following CVE candidate CVE-2008-4250:
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250

Q: What is the CVSS severity of this vulnerability?
A: The CVSS (Common Vulnerability Scoring System) score is 10.0 (High).

Q: Is there a CWE class assigned?
A: The CWE (Common Weakness Enumeration) ID of the vulnerability, in turn, is #119, i.e. Failure to Constrain Operations within the Bounds of an Allocated Memory Buffer class:
cwe.mitre.org/data/definitions/119.html

Q: Is there a CME name available?
A: No. The Common Malware Enumeration (CME) project has not assigned an identifier for these malware.

Q: When exploiting this RPC vulnerability is the authentication needed?
A: On Windows 2000, XP, and Windows Server 2003 systems arbitrary code can be run without authentication. On Vista systems the authentication is needed.

Q: What is the vulnerable component?
A: It is netapi32.dll (Net Win32 API DLL). On Windows 2000 SP4 the non-affected version is 5.0.2195.7203, on Windows XP SP3 5.1.2600.5694 and on Vista SP1 there are several 6.0.6000.xxxx versions, see KB958644 for details. The vulnerable Windows API call is NetPathCanonicalize(), in turn.
Secunia has renamed its vulnerability advisory to Windows Path canonicalisation vulnerability. It states that processing directory traversal character sequences in path names enables to send drafted RPC requests to the Server Service.

(c) Juha-Matti Laurio, Finland (UTC +2hrs)
The author has released several Microsoft Office 0-day vulnerability FAQ documents, e.g.
blogs.securiteam.com/index.php/archives/759
and Windows Vector Markup Language vulnerability FAQ’s
blogs.securiteam.com/index.php/archives/640
since 2006.

Revision History:
1.0 25-10-2008 Initial release
1.1 26-10-2008 Updated document and some minor fixes
1.2 26-10-2008 Major updates to Trojan section, added credits, information of non-affected dll versions and Snort rule reference
1.3 27-10-2008 Added information about the various file names and sizes, a separate Arpoc section and Nessus plugin reference and [UPDATED] to the title
1.4 27-10-2008 Several virus description release dates and ID’s added, updated the summary to clarify the characteristics of the exploitation
1.5 28-10-2008 Added Microsoft Security Advisory #958963 link
1.6 29-10-2008 Added names to Arpoc Trojan section
1.7 03-11-2008 Updated the exploit/PoC section and added information about the worm exploiting the vulnerability
1.8 04-11-2008 Added names to RPC worm section, updated the summary
1.9 05-11-2008 Added information about Windows HOSTS file modification and new worm names

Credits: Microsoft, AV vendors, Prevx Malware Center

“How did you two meet? Did you mark her, or was it the other way around?”

- Robert Redford to Brad Pit, Spy Game

Con man 101: The best way to gain someone’s confidence is to make them think they contacted you. Scammers just love having potential victims contacting them.

Now, it seems they figured an interesting way to draw potential victims to their web site, in a way that is much easier than sending billions of spam email messages.
The idea is simple: take the person’s name (real people’s names are available for harvesting in places like linkedin, facebook, and other social networks) and put it in a web page. Doesn’t really matter where, as long as google indexes it.

Wait a while, and have that person google himself. Many people (myself included) have a ‘google alert’ on their name which sends them updated list of links to new pages where their name is mentioned.

Everyone likes to see where they are mentioned, so they will click on the link. And voila! They arrive to the spammer’s page. In some cases I’ve seen, the name was already gone from the page (but was still in the google cache). But all this doesn’t matter: as soon as the person reached the page, the web spammer’s job is done – he got his message in front of you, and maybe you’ll even dig deeper into his web site trying to figure out what the connection is to you.

There are many advantages to this method. First, you are not restricted by the message: the web page can openly have the words Viagra, Credit card debt and mortgage assistance without the fear of triggering anti-spam software. Also, people will pay more attention to the page since they think it has to do with them.

I don’t get the spammers’ marketing statistics, but I’m sure that the infamous spam text “it came to our attention that you’re in dire need of financial help” which sounds very much like a sincere, personal message, is a huge success. But this message has to get through the spam filters and include a real email address and a correct first/last name. The spam web page doesn’t need to bypass spam filters, and already has the correct name. In addition, you gain interesting information about the visitor: browser version, IP location and of course, the name he was searching for (that would be in the ‘referrer’ that is sent automatically by the browser to the web site). Oh, and of course – it’s cheap. You only need to put together a nice looking web page, and wait for google to do the rest. No buying of email lists and no cost of sending spam (which is nowadays the cost of hiring a zombie botnet for a couple of days).

For those aspiring scammers who are reading this, you should understand that it’s not a foolproof method. Obviously, it requires people to do a vanity search to reach you in the first place (though it also works on people who google their dates, their parents or their teachers). It also requires time – days, weeks or months (which may be difficult if your web site is on a zombie computer that might disappear by the time google indexes and the user comes to the site). But due to the fact the costs are very small, and there are no effective countermeasures at the moment, I think we will see more and more such attacks in the near future.

So-called Koobface case was covered in the IT news quite widely, but security mailing lists received the information on Thursday 7th August.

Kaspersky Lab reported about the existence of the worm on 31th July. Hey, it’s more than a week ago, but it took several days until the anti-virus protection was notable.

Remarkable anti-virus vendors have the following detection now:
(listed in alphabetical order)

McAfee – W32/Koobface.worm
BitDefender – Win32.Worm.KoobFace.A
Kaspersky Lab – Net-Worm.Win32.Koobface.b
Panda Security – Boface.A [Technical name: W32/Boface.A.worm]
Sunbelt Software – Net-Worm.Win32.Koobface.b
Sophos – detected proactively as Mal/Heuri-D, Mal/Heuri-E, Mal/Emogen-N and Mal/Packer
Symantec – W32.Koobface.A

There is no write-up available from F-Secure, Norman, TrendMicro etc. yet.

The AV industry knows the alias KoobFace too.

The size of the worm is 16 384-16 652 bytes. It is written in Visual C++ 6.0 and packed with UPX and Upack.
The second malware, attacking Facebok users since 7th Aug, is a Trojan horse (Sophos uses name Troj/Dloadr-BPL), spreading as Google video links posted to Wall and is a separate issue.

It’s time to remember that if you don’t see a detailed write-up from your own AV vendor later today - it’s a DEFCON weekend and Facebook has started blocking these from its side already.

But the protection - that’s we need with a delay less than 4 or 5 days.

Joe has a nice write up on the inner working of the Pushdo Trojan.

Pushdo is interesting since it was written for “future use” - i.e. it updates itself to obey his master’s latest needs and requests. It also has intelligence-collecting routines and in general shows how sophisticated the bad guys are getting.

URLs in this post should be considered as unsafe.

Fake sites and SE poisoning are nothing new. The use of blogs for this is far from new, either. Thousands of new fake blogs pop up every day on blogspot, livejournal, etc.

Web spam is a subject I have written about in the past, and some of you may be familiar with it regardless of me (no kidding), especially if you run a blog yourself.

A new fake blog which looks like blogspot, but has its own “domain”, recently popped up in a Google alert on my name.

I get hits on these fake pages all the time as my name is a key word used by some of these spammers to grab attention to their pages.
This time around they really over-did it.

The page has a blogspot layout, and continues with ads to pornographic sites or malware (is there any difference anymore?)

Then the site shows the YouTube video which can be found under my name.
Following that is a post I made to a mailing list recently (poorly formatted).
Then we have a few pictures of girls, linking once more either to pornographic sites or malware drive-by sites (if there is a difference, again).

They finish the page off by adding comments, which are actually some old securiteam posts by me.

Heck, it looks fake, but it is obvious the bad guys are investing more in their fake web pages. Their auto-creation tools seem to be getting more impressive, and I believe we will see much improved believable sites, soon.

Google Blog Search displays this site as (nasty words replaced with beep):

Gadi Evron
2 Sep 2007
Gangbeep facial asian amateurs, bang bus jessica hardcore pictures bang your head, asian virgins.asts. Teen Cherry Action - Nice brunette teen beeped hard on the bed and getting a beepy beepshot. Beep beeping boy beep teen legs, …
Untitled - h ttp://n ewadult.celeberia.com/

URL:
h ttp://n ewadult.celeberia.com/Gadi-Evron

Again, I am unsure if these URLs are safe.

For those of you wondering if these web pages mean anything to the bad guys, the answer is absolutely yes. Search engine ranking, indexing, etc. helps them advance their own sites (or their clients’). Then of course, there is advertising and Google ads.
It works. And the advertising space on unrelated key words is a plus.

The concept is very similar to comment spam. Comment spam may not contribute to SE ranking anymore due to the nofollow tag attached to links in comments, but these get indexed and that’s all the bad guys care about. Nofollow is crap, and what shows up when you search is what matters.

As an example of how these things work, in a recent blog post of mine a buddy left a comment (see here http://gevron.livejournal.com/8859.html for the example).

He left a URL for his legitimate Python/math/music/origami blog in his comment, and now when you search for his blog you find my post placed in the 4th place with the title ‘A Jew in a German Camp’ (about the CCC Camp in Germany). He is not pleased, but it is obvious how the bad guys abuse this, and infect millions of computers just because their owners surf the net.

Gadi Evron,
ge@linuxbox.org.

Following up on that strange title, ISOI 3 (Internet Security Operations and Intelligence), a workshop for do-ers who work on the security of the Internet and its users, is happening Monday and Tuesday in Washington, DC.

This time around we have even more government participation (we’re in DC, duh), but a bit less from academia (who can try and look at long term solutions), rather than just us security researchers, and operators (who respond, contain and mitigate incidents).

I am very pleased with our progress on encouraging global cooperation, and getting more industry information sharing going. I am also happy we are moving from “just” good-will based relationships to the physical world with our efforts, being able to take things to the next level with world-wide operational task forces and, indeed, affecting change.

If you are interested in this realm of Internet security operations, take a look at ISOI 3’s schedule, and perhaps submit something for the next workshop.

Some reporters are somewhat annoyed that entrance is barred to them, but I hope they’d understand that although we make things public whenever we can as full disclosure is a strong weapon in the fight against cyber crime, folks can not share as openly when they have to be on their toes all the time.

The third ISOI is here because after DHS ended up unable to host it, sponsors emerged who were happy to assist:

Afilias Ltd.: http://www.afilias.info/
ICANN: http://www.icann.org/
The Internet Society: http://www.isoc.org/
Shinkuro, Inc.: http://www.shinkuro.com/

It’s going to be an interesting next week here at the swamp. Atendees better show up with their two forms of ID.

Gadi Evron,
ge@linuxbox.org.

I posted a column on eWeek on what critical infrastructure means, looking back at the Estonia incident.

They edited out some of what I had to say on home computers and their impact as a critical infrasrtcuture, but hey, word limitations.

http://www.eweek.com/article2/0,1895,2166125,00.asp

Gadi Evron,
ge@linuxbox.org.

The guys at rustylime describe how they are using a honey pot form fields to detect spam bots.

This method is interesting, since the false positive rate will be close to zero - any decent browser will not show the ‘honey pot’ fields and a human won’t be able to enter information there accidentally. The false negative will be low, since most spam bots will enter information on those fields. The problem, of course, is that the spam bots can be adjusted specifically for rustylime (now that they outlined their spam comment fighting technique), either by looking for these specific field names or by calibrating their spam bots to render the page and filter out invisible parts (this would be a serious technical challenge for the spammers).

Of course, a post on SecuriTeam blogs, a web site that is probably frequently read by spammers, is not going to help them keep a low profile against spammers - so my apologies to the rustylime people. Lets hope their comment spam queue remains clean, and maybe someone can pick this up and find a more generic way to fight comment spam using browser-invisible fields.

In the past two weeks, ecards became a major threat.

Ecards (or electronic greeting cards) were always a perfect social engineering scheme, open for abuse. With the Storm worm and massive exploitation, I believe it has become prudent to filter out all ecard messages in your email systems.

Further, some training or awareness information on this subject distributed to your organizations could be very useful.

Gadi Evron,
ge@linuxbox.org

Syngress was kind enough to allow me to post the chapter I wrote for Botnets: The Killer Web Application here as a free sample.

It is the third chapter in the book, and requires some prior knowledge of what a botnet C&C (command and control) is. It is basic, short, and to my belief covers quite a bit. It had to be short, as I had just 5 days to write it while doing other things, and not planning on any writing, but it is pretty good in my completely unbiased opinion.

You can download it from this link:
http://www.beyondsecurity.com/whitepapers/005_427_Botnet_03.pdf

For the full book, you would need to spend the cash.

Enjoy!

Gadi Evron,
ge@linuxbox.org.

Just last week we were throwing jokes on funsec@, of calling botnets terrorism to get some action going. Of course, we decided that’s an extremely bad idea as people are already starting to discount issues when “terrorism” or “2.0″ are attached.

No, I am not going to say it, you are going to put these two together on your own!

Today, Fergie (Paul Ferguson) sent this to funsec:

Brian Krebs writes in The Washington Post:

[snip]

The global jihad landed in Linda Spence’s e-mail inbox during the summer of 2003, in the form of a message urging her to verify her eBay account information. The 35-year-old New Jersey resident clicked on the link included in the message, which took her to a counterfeit eBay site where she unwittingly entered in personal financial information.

Ultimately, Spence’s information wound up in the hands of a young man in the United Kingdom who investigators said was the brains behind a terrorist cell that sought to facilitate deadly bombing attacks against targets in the United States, Europe and the Middle East.

Investigators say Spence’s stolen data made its way via the Internet black market for stolen identities to 21-year-old biochemistry student Tariq al-Daour, one of three U.K. residents who pleaded guilty

http://www.washingtonpost.com/wp-dyn/content/article/2007/07/05/AR2007070501153.html

Enjoy. Funny, I just had fun with online forums and terrorism with this a few days ago.

Buzzwords for FUD are generally a bad idea. Botnets are not terrorism. But of course, like most malicious activity, they are used.

Gadi.