Ecards and email filtering

in the past two weeks, ecards became a major threat.

ecards (or electronic greeting cards) were always a perfect social engineering scheme, open for abuse. with the storm worm and massive exploitation, i believe it has become prudent to filter out all ecard messages in your email systems.

further, some training or awareness information on this subject distributed to your organizations could be very useful.
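As an added example that is not part of the original post: one way to put the "filter out all ecard messages" advice into practice is a classifier a mail gateway can run on each message, flagging anything that talks about a greeting card and asks the reader to follow a link. The two messages, the `.example` addresses and the phrase list are all constructed assumptions, not data from the post.

```python
"""Flag e-card style messages so a mail gateway can quarantine them.

Added example, not code from the original post. The two messages below are
constructed; the phrase list is an assumption about what such lures look like.
"""
import email
import re
from email import policy

# Phrases that commonly appear in greeting-card lures (assumed list; extend it from your own mail logs).
ECARD_PHRASES = ("greeting card", "e-card", "ecard", "sent you a card", "postcard")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def message_text(msg):
    """Concatenate the subject and every text/* part so the checks see the whole lure."""
    chunks = [msg["Subject"] or ""]
    for part in msg.walk():
        if part.get_content_type().startswith("text/"):
            chunks.append(part.get_content())
    return "\n".join(chunks).lower()


def is_ecard_message(raw):
    """True when the message talks about a card and carries a link to follow."""
    msg = email.message_from_string(raw, policy=policy.default)
    text = message_text(msg)
    mentions_card = any(phrase in text for phrase in ECARD_PHRASES)
    return mentions_card and URL_RE.search(text) is not None


def filter_action(raw):
    """Decision a gateway could apply: quarantine e-cards, deliver everything else."""
    return "quarantine" if is_ecard_message(raw) else "deliver"


# Constructed sample messages (placeholder domains, not real mail).
ECARD_MSG = """\
From: "Greeting Cards" <cards@ecard.example>
To: user@corp.example
Subject: You have received a greeting card!
Content-Type: text/plain; charset=us-ascii

A friend sent you an e-card. To view it, open:
http://ecard.example/view.php?id=3b9f1
"""

NORMAL_MSG = """\
From: alice@corp.example
To: user@corp.example
Subject: Meeting notes
Content-Type: text/plain; charset=us-ascii

Attached are the notes from today. Minutes at http://wiki.corp.example/notes
"""

if __name__ == "__main__":
    for label, raw in (("ecard", ECARD_MSG), ("normal", NORMAL_MSG)):
        print(label, "->", filter_action(raw))
```

The check is deliberately blunt, matching the post's "filter out all ecard messages" stance: it does not try to tell a legitimate card service from a lure, because the point of the advice is that the category as a whole is not worth the risk.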

gadi evron,


Alternative Botnet C&Cs – free chapter from Botnets: The Killer Web App

syngress was kind enough to allow me to post the chapter i wrote for botnets: the killer web application here as a free sample.

it is the third chapter in the book, and requires some prior knowledge of what a botnet c&c (command and control) is. it is basic, short, and to my belief covers quite a bit. it had to be short, as i had just 5 days to write it while doing other things, and not planning on any writing, but it is pretty good in my completely unbiased opinion. ;)

you can download it from this link:

for the full book, you would need to spend the cash.


gadi evron,


Botnets != Terrorism, or is it? :)

just last week we were throwing jokes on funsec@, of calling botnets terrorism to get some action going. of course, we decided that’s an extremely bad idea as people are already starting to discount issues when “terrorism” or “2.0” are attached.

no, i am not going to say it, you are going to put these two together on your own! :)

today, fergie (paul ferguson) sent this to funsec:

brian krebs writes in the washington post:


the global jihad landed in linda spence’s e-mail inbox during the summer of 2003, in the form of a message urging her to verify her ebay account information. the 35-year-old new jersey resident clicked on the link included in the message, which took her to a counterfeit ebay site where she unwittingly entered in personal financial information.

ultimately, spence’s information wound up in the hands of a young man in the united kingdom who investigators said was the brains behind a terrorist cell that sought to facilitate deadly bombing attacks against targets in the united states, europe and the middle east.

investigators say spence’s stolen data made its way via the internet black market for stolen identities to 21-year-old biochemistry student tariq al-daour, one of three u.k. residents who pleaded guilty

enjoy. funny, i just had fun with online forums and terrorism with this a few days ago.

buzzwords for fud are generally a bad idea. botnets are not terrorism. :p but of course, like most malicious activity, they are used.



Phishing just got a little less tedious

I know I shouldn’t be merely referencing others’ blog posts, but this is just too good. Kuza55 has written up how a phisher can very easily get around the phishing-filter implemented in IE7, Firefox and Opera.


CFP: ISOI III (a DA workshop)



cfp information and current speakers below.

isoi 3 (internet security operations and intelligence) will be held in washington dc this august the 27th, 28th.

this time around the folks at us-cert (department of homeland security - dhs) are hosting. sunbelt software is running the after-party dinner.

we only have a partial agenda at this time (see below), but to remind you of what you will see, here are the previous ones:

if you haven’t rsvp’d yet, please do so soon. although we have 240 seats, we are running out of space.

a web page for isoi 3 can be found at:

27th, 28th august, 2007
washington dc -
aed conference center:

registration via is mandatory, no cost attached to attending. check if you apply for a seat in our web page.


this is the official cfp for isoi 3. main subjects include: fastflux, fraud, ddos, botnets. other subjects relating to internet security operations are also welcome.

some of our current speakers as you can see below lecture on anything from estonia’s “war” to current web 2.0 threats in-the-wild.

please email as soon as possible to submit a proposal. i will gather them and give them to our committee (jeff moss) for review.

current speakers (before committee decision)

roger thompson (exp labs)
- google adwords... the dangers of dealing with the russian mafia

barry raveendran greene (cisco)
- what you should be asking me as a routing vendor

john lacour (mark monitor)
- vulnerabilities used to hack sites for phishing
- using xss to track phishers

dan hubbard (websense)
- mpack and honeyjax (web 2.0 honeypots)

april lorenzen
- fastflux: operational update

william salusky (aol)
- the spammer evolves – migration to webmail

hillar aarelaid (estonian cert)
- incident response during the recent attack

Sun Shine (beyond security)
- strategic lessons from the estonian “first internet war”

jose nazario (arbor)
- botnet statistics from the estonian attack

andrew fried (treasury department)
- phishing and the irs – new methods

danny mcpherson (arbor)
- tba


Targeted or not targeted?

many of us have been having discussions and arguments over if the recent bbb phishing attacks are targeted or not.

thinking about this, i believe the better analogy, which may settle our terminology disagreement over whether these bbb phishing emails were targeted, is “targeted spam”, an established concept. we can assume, although in some cases incorrectly, that spam is bulk.

usually, spam goes to “lists” of addresses, harvested. sometimes it is targeted to a certain audience. but there are other types of lists, not just of addresses and interests.

it is possible to buy lists of addresses of people who attended rsa and visited booths, for example. or any other number of trade-shows. it is possible to harvest linkedin, etc.

my take is that this attack is targeted in the sense that it goes to certain types of individuals only, but is otherwise quite mundane and bulk.

we need terms for individual/close-to attacks and attacks by targeting an audience, still in bulk.

gadi evron,


A call from the boiler room

Being knee deep in online mischief all day I sometimes forget that most online attacks are simply extensions of offline ones. The Nigerian scam has been performed via fax and (snail) mail for decades now – I even got a 419 scam by postcard a year back that made me feel very special that someone would waste a stamp on me.

Spam is obviously just an online extension of junk mail, only in a different order of magnitude, and same goes for phishing compared to identity theft. But there is one fraud scheme I’m especially fond of – ‘pump-n-dump’, where you get a spam email about a stock that’s about to go up (“skyrocket”), hoping enough people will buy it and make it go up so that the person who initiated the attack can sell quantities of this penny stock and leave the victims with a worthless piece of paper.

The ‘pump-n-dump’ is an extension of phone-based fraud that was featured in the Sopranos (with Chris’s crew running the scam) and outlined nicely in “Boiler Room”. Wikipedia has a nice description on the scheme and origin of the term.

The reason I’m reminded of this is because I actually got a call from a boiler room, sorry, from a law office with offices in Park Avenue and London. The call could have been a scripted audition to “Boiler Room 2” to play the part of the junior associate creating warm leads to Ben Affleck’s gang. It included everything to the immortal “I will only call you if we have something really good” and “we might have something for you in 2 weeks”. Amazingly enough they did have something really good for me and exactly two weeks later I got a call from the Vin-Diesel wannabe following up on the warm lead created by the associate. Unfortunately this time I didn’t have the time to play along so I don’t know if he would have told me there’s a maximum for new clients and 5,000 shares is as much as he can sell me…

My only complaint now is that my spam filter, which is doing such a good job filtering pump-n-dumps, is unable to handle human conversations and filter boiler room calls. Actually, there’s one more complaint – why is it I always get stuck in the Boiler Room-like movies instead of getting a visit from Halle Berry a-la Swordfish?…


A Botted Fortune 500 a Day

support intelligence releases daily reports on different fortune 500 companies which are heavily affected by the botnet problem, with many compromised machines on their networks.

you can find more information on their blog:

they are good people, and they know botnets.

gadi evron,


On-going Internet Emergency and Domain Names

there is a current on-going internet emergency: a critical 0day vulnerability currently exploited in the wild threatens numerous desktop systems which are being compromised and turned into bots, and the domain names hosting it are a significant part of the reason why this attack has not yet been mitigated.

this incident is currently being handled by several operational groups.

this past february, i sent an email to the reg-ops (registrar operations) mailing list. the email, which is quoted below, states how dns abuse (not the dns infrastructure) is the biggest unmitigated current vulnerability in day-to-day internet security operations, not to mention abuse.

while we argue about this or that tld, there are operational issues of the highest importance that are not being addressed.

the following is my original email message, elaborating on these above statements. please note this was indeed just an email message, sent among friends.

date: fri, 16 feb 2007 02:32:46 -0600 (cst)
from: gadi evron
to: reg-ops@…
subject: [reg-ops] internet security and domain names

hi all, this is a tiny bit long. please have patience, this is important.

on this list (which we maintain as low-traffic) you guys (the registrars) have shown a lot of care and have become, on our sister mitigation and research lists (those of you who are subscribed), an integral part of our community we now call “the internet security operations community”.

we face problems today though, that you can not help us solve under the current setting. but only you can help us coming up with new ideas.

day-to-day, we are able to report hundreds and thousands of completely bogus phishing and other bad domains, but both policy-wise and resources-wise, registrars can’t handle this. i don’t blame you.

in emergencies, we can only mitigate threats if one of you or yours are in control.. just a week ago we faced the problem of the dolphins stadium being hacked and malicious code being put on it:

1. we tracked down all the ip addresses involved and mitigated them (by we i mean also people other than me. many were involved).
2. we helped the dolphins stadium it staff take care of the malicious code on their web page (specifically gary warner).
3. we coordinated with law enforcement.
4. we coordinated that no one does a press release which will hurt law enforcement.
5. we did a lot more. including actually convincing a chinese registrar to pull one of the domains in question. a miracle. there was another domain to be mitigated, unsuccessfully.

one thing though – at a second’s notice, this could all be for nothing as the dns records could be updated with new ip addresses. there were hundreds of other sites also infected.

even if we could find the name server admin, some of these domains have as many as 40 nss. that doesn’t make life easy. then, these could change, too.

this is the weakest link online today in internet security, which we in most cases can’t mitigate, and the only mitigation route is the domain name.

every day we see two types of fast-flux attacks:
1. those that keep changing a records by using a very low ttl.
2. those that keep changing ns records, pretty much the same.

now, if we have a domain which can be mitigated to solve such emergencies and one of you happen to run it, that’s great… however, if we end up with a domain not under the care of you and yours.. we are simply.. fucked. sorry for the language.

icann has a lot of policy issues as well, and the good guys there can’t help. icann has enough trouble taking care of all those who want money for .com, .net or .xxx.

all that being said, the current situation can not go on. we can no longer ignore it nor are current measures sufficient. it is imperative that we find some solutions, as limited as they may be.

we need to be able to get rid of domain names, at the very least during real emergencies. i am aware how it isn’t always easy to distinguish what is good and what is bad. still, we need to find a way.

members of reg-ops:
what do you think can be conceivably done? how can we make a difference which is really needed on today’s internet?

please participate and let me know what you think, we simply can no longer wait for some magical change to happen.


thousands of malicious domain names and several weeks later, we face the current crisis. the 0day vulnerability is exploited in the wild, and mitigating the ip addresses is not enough. we need to be able to “get rid” of malicious domain names. we need to be able to mitigate attacks on the weakest link – dns, which are not necessarily solved by dns-sec or anycast.

on reg-ops and other operational groups, we came up with some imperfect ideas on what we can make happen on our own in short term which will help us reach better mitigation, as security does not seem to be on the agenda of those running dns:

1. a system by which registrars can acknowledge confirmed bad domains (under strict guidelines) and respond to the reports according to their aup and icann policy, thus “getting rid” of them in a much quicker fashion, is being set up at the isotf.
a black list for registrars, if you will. this is far from perfect and currently slow-going. naturally, this can not be forced on all registrars, nor do the black hat ones, care.

2. a black list for resolvers (hopefully large service providers) is also being created at the isotf, so that the risk of visibility of bad domains, as will be defined, can be minimized. naturally, no provider can be forced to use this list and there are millions of unaffiliated resolvers, etc.

other options that have been raised as technically possible, but considered unlikely and indeed, bad:

3. setting up a black list of domain names for tld servers, for them not to respond on.

4. creating an alternate root which we could trust.

another suggestion which was raised:

5. apply to change the icann policy.

we need a solution. this operational issue needs to be added as a main agenda item today so that tomorrow we will be ready to mitigate it. i blame myself to some degree for not raising this with higher echelons 2 and 3 years ago, out of respect for those who have been working on dns for many years, but what’s done is done.

the operational communities do not always know how to voice their needs or the difficulties they face. nor will everyone agree on what the issues are. it is my strong belief (which is obviously my personal opinion), based on facts we see in daily security operations on the internet that this issue is paramount, and i am sending here a call for help to the dns experts of the world: what is our next step to be?

what do we currently intend to do (not my personal opinion):
we are formalizing a letter to icann’s ssac, as they are the top experts on dns infrastructure security issues, coming from operational folks at the isotf dealing with daily usage of the dns for abuse purposes (and specifically fastflux).

further, the isotf is moving forward with items #1 and #2 as mentioned above. #3 will have to remain as a contingency, #4 we have no influence to affect. #5 is currently being explored.

are we missing a possible solution? what does the larger community suggest?

gadi evron,


Fake “Australian PM heart attack”

there has been a trojan horse making the rounds, sending email informing people that the australian prime minister suffered from a heart attack (which of course isn’t true).

websense released a nice advisory on it:

gadi evron,


Wireless “Drive-by Pharming Threat”


read this before reading this blog entry.

this was posted to bugtraq today. let’s see what this is about…

date: thu, 15 feb 2007 13:02:46 -0800
from: zulfikar ramzan
subject: drive-by pharming threat

we discovered a new potential threat that we term “drive-by pharming”. an attacker can create a web page containing a simple piece of malicious javascript code. when the page is viewed, the code makes a login attempt into the user’s home broadband router and attempts to change its dns server settings (e.g., to point the user to an attacker-controlled dns server).
once the user’s machine receives the updated dns settings from the router (e.g., after the machine is rebooted) future dns request are made to and resolved by the attacker’s dns server.

the main condition for the attack to be successful is that the attacker can guess the router password (which can be very easy to do since these home routers come with a default password that is uniform, well known, and often never changed). note that the attack does not require the user to download any malicious software – simply viewing a web page with the malicious javascript code is enough.

we’ve written proof of concept code that can successfully carry out the steps of the attack on linksys, d-link, and netgear home routers. if users change their home broadband router passwords to something difficult for an attacker to guess, they are safe from this threat.

additional details on the attack can be found at:
drive-by pharming

zulfikar ramzan


zulfikar ramzan
sr. principal security researcher
advanced threat research
symantec corporation


in discussions of this issue, fergie (paul ferguson) said, and i replied:

on fri, 16 feb 2007, fergie wrote:
> i don’t know — i found this whole “report” somewhat dubious, if
> not downright opportunist: hasn’t this “vulnerability” basically
> existed since, like, forever?
> i write it off as marketing opportunism… among other things. :-)

well duh. think rsa and a brand new idea they did a pr about – phishing mitm kit (think phishing: user >> fake site >> bank).

nothing is really new in security, we have seen malware/etc. change the hosts file for years now, not to mention domain hijacking.

we have also seen wireless brute-forcing/etc./what-not.

the one thing about the folks at symc who did this release is that they actually know their ****. meaning, someone took these two technology ideas and made something new from them, which is:
break into wireless routers and put your dns server in them for hijacking purposes. symantec just reported it to us.

it’s cool, it’s “new” and it won’t be a huge problem quite yet.

i remember a thread from nanog a couple of years back when i mentioned google and all these other national/international wireless providers better be ready with physical operational folks that will track down rogue aps, etc. cop cars with triangulation devices? :)

it was a vulnerability waiting to happen which wasn’t exploited, meaning it didn’t get much attention. this is much like the days when bots were trojan horses as botnets didn’t yet exist.

wireless used to be used for hacking into a network-connected machine, now it is suddenly used for the sake of it being wireless. still network-connected as a goal, but it is no longer just tcp/ip which plays the game.

good news: these are dns servers we can take-down. fun, yet another escalation war.


this is very interesting, although not too exciting. nice work by the guys at symantec.

gadi evron,


Web Server Botnets and Server Farms as Attack Platforms

are file inclusion vulnerabilities equivalent to remote code execution? are servers (both linux and windows) now the lower hanging fruit rather than desktop systems?

in the february edition of the virus bulletin magazine, we (kfir damari, noam rathaus and gadi evron (me) of beyond security) wrote an article on cross platform web server malware and their massive use as botnets, spam bots and generally as attack platforms.

web security papers deal mostly with secure coding and application security. in this paper we describe how these are taken to the next level with live attacks and operational problems service providers deal with daily.

we discuss how these attacks work using (mainly) file inclusion vulnerabilities (rfi) and (mainly) php shells. further, we discuss how isps and hosting farms suffer tremendously from this, and what can be done to combat the threat.


What’s the deal?

in the past week or two, the anti phishing community has been buzzing with this. now it is public and i can finally shout my frustration:
so, we have phishing sites which are doing man-in-the-middle in real time, between the phished site and the phished user.
how is that news?

regular phishing works like so:
victim >> fake site >> real site

middle, see?

now, in most cases in the past, this process was not automatic, and in most cases – it won’t be. distribution across ip addresses, choosing what accounts are worth it to steal from, choosing money mules, etc. is far easier to do off-line.
that said, this isn’t new, it’s just… yet another kit. am i excited about a new kit? kinda. is this big news? no.

why, you ask? because this real-time phishing using mitm attacks has been happening for years now using phishing or banking trojan horses. the best description of what happened is that the technique has now been incorporated into older email-based phishing as well.

new? okay, maybe if we push it. exciting? so-so.

gadi evron,


The Bank of America: Please lower your defenses, we’re coming through

I wrote about how Bank of America is conditioning its customers to be more susceptible to phishing.

It seems they are actually trying to break a record here (or else their security guy quit and was replaced by a marketing person). I just got an email that said:

This email was sent to you by Bank of America. To ensure delivery to your inbox, please add to your address book or safe sender list.

My first assumption was that it was a phishing email – why on earth would the BoA legitimately try to convince me to open myself up for phishing? (after adding this email to my “safe sender list” every phisher in the world would set this as their “from” address). In fact, a friend made fun of me for thinking this was a legitimate email – clearly only phishers can think I’m that stupid. Unfortunately, it’s real – it was sent to an email used only by the BoA and unknown to anyone else.

Sad indeed.


Drop zones and an intelligence war

in this post ( ), fx describes a drop zone for a phishing/banking trojan horse, and how he got to it.

go fx. i will refrain from commenting on the report he describes from secure science, which i guess is a comment on its own.

we had the same thing happen twice before in 2006 (that is worth mentioning or can be, in public).

once with a very large “security intelligence” company giving drop zone data in a marketing attempt to get more bank clients (“hey buddy, why are 400 banks surfing to our drop zone?!?!”)

twice with a guy at defcon showing a live drop zone, and the data analysis for it, asking for it to be taken down (it wasn’t until a week later during the same lecture at the first isoi workshop hosted by cisco). in this guy’s defense though, he was sharing information. at a time when nearly no one was aware of drop zones even though they had been happening for years, he shared data which was valuable commercially, openly, and allowed others to clue up on the threats.

did anyone ever consider this is an intelligence source, and take down not being exactly the smartest move?

it’s enough that the good guys all fight over the same information, and even the most experienced security professionals make mistakes that cost in millions of usd daily, but publishing drop zone ips publicly? that can only result in a lost intelligence source and the next one being, say, not so available.

i believe in public information and the harm of over-secrecy, i am however a very strong believer that some things are secrets for a reason. what can we expect though, when the security industry is 3 years behind and we in the industry are all a bunch of self-taught amateurs having fun with our latest discoveries.

at least we have responsible folks like fx around to take care of things when others screw up.

i got tired of being the bad guy calling “the king is naked”, at least in this case we can blame fx. :)

it’s an intelligence war people, and it is high time we got our act together.

i will raise this subject at the next isoi workshop hosted by microsoft ( ) and see what bright ideas we come up with.

gadi evron,


Botnets: a retrospective to 2006, and where we are headed in 2007

a few months back i released a post on where i think anti-botnets technology is heading. now it’s time for what happened in 2006, and what we can expect from here on.

i am not a believer in such retrospective looks, as often, they are completely biased and based on what we have seen and what we want to see. this is why i will try and limit myself to what we know happens and is likely to get attention, as well as what we have seen tried by bad guys, which is working for them enough to take to the next level.

what changed with botnets in 2006:

1. botnets reached a level where it is unclear today what parts of the internet are not compromised to an extent. count by clean rather than infected.
2. botnets have become the most significant platform from which virtually any type of online attack and crime are launched. botnets equal an online infrastructure for abusive or criminal activity online.
3. in the past year, botnets have become mainstream. from a non-existent field even in the professional realm up to a few years ago, while attacks were happening constantly regardless, it has turned into the main buzzword and occupation of the security industry today, directly and indirectly.
4. websites have returned to being one of the most significant forms of infection for building botnets, which hadn’t been the case since the late 90s.
5. botnets have become the moving force behind organized crime online, with a low-risk high-profit calculation.
6. new technologies are finally being introduced, moving the botnet controllers from using just (or mainly) irc to more advanced c&c (command and control) channels such as p2p, or multi-layered, such as dns and irc on the osi model.
7. botnets used to be a game of quantity. today, when quantity is assured, quality is becoming a high concern for botnet controllers, both in type of bot as well as in abilities.

what’s going to happen with botnets in 2007:

botnets won’t change. all will remain the same as it has been for years. awareness however, will increase, making the problem appear larger and larger, perhaps approaching its real scale. the bad guys will utilize their infrastructure to get more out of the bots (quality once quantity is here) and be able to do more than just steal cash, maximizing their revenue.

further, more and more attackers unrelated to the botnet controllers will make use of already compromised systems and existing botnets to gain access to networks, to facilitate anything from corporate espionage and intelligence gathering, to shameless and open shows of strength to those who oppose them (think blue security), in the real world as well as the cyber one (which to the mob is one and the same, it’s the income that speaks).

meaning, the existing botnets infrastructure will be utilized both in an open fashion, due to the fact online miscreants (real-world mob) face virtually no risk, as well as quiet and secretive uses for third-party intelligence operations.

gadi evron,