VoIP Phishing and eBay (joke)

as you may remember, ebay bought skype.

i don’t want to get into actual details, but after this has been discussed last week on funsec , it now hit slashdot .

just to remind everybody of funsec’s take on this issue by dr. neal krawetz:

combination #2: phone phishing
ring ring
(thick russian accent) “wello, wis is ebay. we need to werify account.”

gadi evron,


LinkedIn Spam

today i received via email a request to join as my contact on linkedin. i did not know the guy by name so i emailed him.

in response the guy offered me a job.

a few minutes later i saw bounces on my server with the same request to email addresses that must have been harvested online.

a few questions arise:
1. how did the guy manage to send so many linkedin requests? did he really?
2. according to some friends, they have been getting similar spam for months now, to the point that they just started ignoring linkedin requests. can this constitute a joe job?

what do you think?

gadi evron,


Call to Arms: Rita Scams

good evening.

this is a notice from mwp, the malicious websites and phishing research & operational mailing list.

over the next few days some of us are going to process information about sites that will probably be used for rita scams.

through mwp resources and isp connections we are going to make sure these sites are taken off-line as soon as we detect them.

also, via reg-ops, an operational list for registrars, we are going to see if we can get the domains terminated at the registrar level.

to accomplish this we don’t want to rely only on our sources, but rather issue a call to arms to the public.

to report a rita phishing scam to the mwp call to arms rita task force, please contact:

us-cert at soc@us-cert.gov
sans isc at handlers@sans.org

we hope to get the cooperation of several incident response mechanisms both in the us and abroad. we will update you as we proceed and when we are done.

if you run an incident response team that can handle internet abuse and would like to take part, please contact us as well.

thank you for your help.

gadi evron,


Operation CYBERx

I just spotted this on an anti spam list I’m on:


“…the DEA, along with their law enforcement counterparts today
arrested 18 people for allegedly selling pharmaceutical drugs
illegally over the Internet. Those arrested include the ringleaders
of more than 4,600 rogue Internet pharmacy websites.”


Learning security from an age-old fortress

i ran across this link a while back, and just again yesterday:


the story details how an age-old fortress planned and implemented security over thousands of years and analyzes the lessons that can be learned from it today in the information security age.

i often find that comparisons with real-world security from the realms of physical security, biology and even architecture can teach us quite a bit, as security is not a 20-year-old field, as most of us treat it, but rather a very old and learned field dating back to the bible.

while we are at it, bill cheswick has interesting presentations on his web page, analyzing security gates all around the world, the great wall of china, the body’s immune system, etc. you can find his presentations at:


gadi evron,


Virtual Sex with Commwarrior

Now that I have your attention :) well, Commwarrior is a worm that is spreading to Bluetooth-based cellular phones. More precisely, it spreads to Symbian Series 60 devices using MMS and Bluetooth communication.

MMS, for those that don’t know, stands for “Multimedia Messaging System”, a younger brother of SMS, that allows 3G cellular phones to send short sounds, movie clips and other multimedia as a message that looks like SMS, using the Internet Message Format (RFC 2822). MMS is starting to become highly popular, like many other gimmicks of the 3rd generation and the world of cellular phones.

Anyway, as far as I could find, there are two versions of Commwarrior, both of them spread by “Virtual Sex”. The worm looks for Bluetooth phones nearby and sends them an infected SIS file. The SIS files that Commwarrior sends have random file names, so you can’t just ignore a certain file name and be safe.

Regardless of Bluetooth, the worm also tries to send MMS with itself to all of the phones listed on the contact/address books.

Here are some details from F-Secure about the worm:

The Comwarrior contains the following texts:

CommWarrior v1.0 (c) 2005 by e10d0r

The text “OTMOP03KAM HET!” is Russian and means roughly “No to braindeads”.

Replication over bluetooth

Comwarrior replicates over bluetooth in SIS files that have random name, the SIS file contains the worm main executable commwarrior.exe and boot component commrec.mdl.

The SIS file contains autostart settings that will automatically execute commwarrior.exe after the SIS file is being installed.

When Comwarrior worm is activated it will start looking for other bluetooth devices, and send a copy of itself to each of these phones one after another. If target phone goes out of range or rejects file transfer, the commwarrior will search for another phone.

The replication mechanism of Comwarrior is different than in Cabir. The Cabir worm locks into one phone as long as it is in range, and depending on the variant will either look for another variant after losing contact or stay locked.

The Comwarrior worm will look for new targets after sending itself to the first target, thus it is able to contact all phones in range, and possibly spread faster than Cabir.

Commwarrior replicates over Bluetooth only from 08:00 to 23:59, based on the phone’s own clock.

Replication over MMS

Comwarrior replicates over MMS by sending MMS messages that contain infected SIS file to other users. The MMS messages contain variable text message and Comwarrior SIS file with filename commw.sis.

Unlike in bluetooth spreading the SIS file name is constant, otherwise the SIS file is identical to the one sent in bluetooth spreading.

The numbers where Commwarrior sends the MMS messages are read from the phone address book.

The comwarrior uses following texts in MMS spreading:

Matrix has you. Remove matrix!

3DGame from me. It is FREE !

MS-DOS emulator for SymbvianOS. Nokia series 60 only. Try it!

PocketPC *REAL* emulator for Symbvian OS! Nokia only.

Nokia ringtoner
Nokia RingtoneManager for all models.

Security update #12
Significant security update. See www.symbian.com

Display driver
Real True Color mobile display driver!

Audio driver
Live3D driver with polyphonic virtual speakers!

Symbian security update
See security news at www.symbian.com

SymbianOS update
OS service pack #1 from Symbian inc.

Happy Birthday!
Happy Birthday! It is present for you!

Free SEX!
Free *SEX* software for you!

Virtual SEX
Virtual SEX mobile engine from Russian hackers!

Porno images
Porno images collection with nice viewer!

Internet Accelerator
Internet accelerator, SSL security update #7.

WWW Cracker
Helps to *CRACK* WWW sites like hotmail.com

Internet Cracker
It is *EASY* to *CRACK* provider accounts!

PowerSave Inspector
Save you battery and *MONEY*!

3DNow!(tm) mobile emulator for *GAMES*.

Desktop manager
Official Symbian desctop manager.

*FREE* CheckDisk for SymbianOS released!

MobiComm
Norton AntiVirus
Released now for mobile, install it!

New Dr.Web antivirus for Symbian OS. Try it!


When the Comwarrior SIS file is installed the installer will copy the worm executables into following locations:


When the comwarrior.exe is executed it copies the following files:


And rebuilds its SIS file to:


After recreating the SIS file the worm starts spreading over MMS.

Commwarrior replicates over MMS only from 00:00 to 06:59, based on the phone’s own clock.

For reference please look at:
F-Secure Commwarrior.A
F-Secure Commwarrior.B
Some Bluetooth stuff
Bluetooth specs
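The F-Secure text above gives three indicators a carrier or mail gateway operator could actually match on: the constant MMS attachment name commw.sis, the list of lure subjects, and the fact that MMS spreading only happens between 00:00 and 06:59 by the handset clock. The following is an added example, not code from the post or from F-Secure, that runs those indicators over a constructed MMS gateway log; the log format, the phone numbers and the burst threshold of three night-time SIS sends per sender are assumptions for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Indicators taken from the F-Secure write-up quoted above
WORM_ATTACHMENT = "commw.sis"          # constant file name used in MMS spreading
MMS_WINDOW_HOURS = range(0, 7)         # worm sends MMS only 00:00-06:59 handset time
LURE_TEXTS = {                         # excerpt of the lure subjects/texts listed above
    "Matrix has you. Remove matrix!",
    "3DGame from me. It is FREE !",
    "Security update #12",
    "Symbian security update",
    "Happy Birthday!",
    "Virtual SEX",
    "Norton AntiVirus",
}
BURST_THRESHOLD = 3   # assumed: this many night-time SIS sends from one number is a burst

# Constructed gateway log format (an assumption, not a real vendor format):
# <ISO timestamp> <sender> <recipient> subject="<text>" attach=<filename or ->
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) subject="([^"]*)" attach=(\S+)$')


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, sender, rcpt, subject, attach = m.groups()
    return {"ts": datetime.fromisoformat(ts), "sender": sender,
            "rcpt": rcpt, "subject": subject, "attach": attach}


def night_sis(rec):
    """True if the message carries a SIS package during the worm's MMS window."""
    return rec["attach"].lower().endswith(".sis") and rec["ts"].hour in MMS_WINDOW_HOURS


def classify(rec):
    """Return the list of reasons a single message matches the worm's behaviour."""
    reasons = []
    if rec["attach"].lower() == WORM_ATTACHMENT:
        reasons.append("attachment commw.sis")
    if rec["subject"] in LURE_TEXTS:
        reasons.append("known lure text")
    if night_sis(rec):
        reasons.append("SIS sent in 00:00-06:59 window")
    return reasons


def scan(lines):
    """Return (per-message alerts, senders with a night-time SIS burst)."""
    alerts, counts = [], defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                   # skip malformed lines rather than crash
        reasons = classify(rec)
        if reasons:
            alerts.append((rec["sender"], rec["rcpt"], reasons))
        if night_sis(rec):
            counts[rec["sender"]] += 1
    bursts = sorted(s for s, n in counts.items() if n >= BURST_THRESHOLD)
    return alerts, bursts


# Constructed sample log: one infected handset fanning out to its address book
# at 02:14, one unrelated night-time SIS send, normal daytime traffic, one bad line
SAMPLE_LOG = [
    '2005-03-10T02:14:05 +15550001 +15550002 subject="Security update #12" attach=commw.sis',
    '2005-03-10T02:14:09 +15550001 +15550003 subject="Happy Birthday!" attach=commw.sis',
    '2005-03-10T02:14:12 +15550001 +15550004 subject="Virtual SEX" attach=commw.sis',
    '2005-03-10T03:00:00 +15550011 +15550012 subject="new game" attach=game.sis',
    '2005-03-10T09:30:00 +15550007 +15550008 subject="lunch?" attach=-',
    '2005-03-10T12:00:00 +15550009 +15550010 subject="photo" attach=IMG001.jpg',
    'this line is not in the expected format',
]

if __name__ == "__main__":
    found, burst_senders = scan(SAMPLE_LOG)
    for sender, rcpt, reasons in found:
        print(f"{sender} -> {rcpt}: {', '.join(reasons)}")
    print("burst senders:", burst_senders)
```

The per-message checks catch the constant file name and the lure texts, which a new variant could change; the time-window and fan-out rule is the more durable signal, since a handset sending several SIS packages to different numbers in the small hours is odd regardless of the file name, and it also catches the unrelated night-time SIS send without calling it a burst.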


Lexar’s LockTight CompactFlash Supports SHA-1

Good news from Lexar – one of the world’s bigger CompactFlash manufacturers – as they start shipping their security-oriented Lexar LockTight CompactFlash. Lexar’s LockTight CompactFlash supports encryption and the ability to establish security settings on the memory card and digital camera to prevent unauthorized use – read and write – of the CompactFlash.

The encryption algorithm is said to utilize 160-bit encryption technology, using SHA-1 (Secure Hash Algorithm), a standard approved by NIST (the National Institute of Standards and Technology).


Move Aside iPODCast it is Tempest for Eliza’s Turn

The idea behind Tempest is not new, however, the website I found is – at least to me.

The website proposes the idea of playing an MP3 music file on your screen and listening to it through your radio, where the only “connection” between the two is the emissions transmitted by your CRT screen and the radio picking them up.


Infected Files Found in Korean Version of Mozilla

The Korean version of the Mozilla browser (mozilla-installer-bin from mozilla-1.7.6.ko-KR.linux-i686.installer.tar.gz) and Mozilla Thunderbird (mozilla-xremote-client from thunderbird-1.0.2.tar.gz) were infected by Virus.Linux.RST.b.

“This virus searches for executable ELF files in the current and /bin directories and infects them. When infecting files, it writes itself to the middle of the file, at the end of a section of code, which pushes the other sections lower down. It also contains a backdoor, which downloads scripts from another site, and executes them, using a standard shell” – taken from www.viruslist.com.

Those who are afraid they might have been infected by the program should run an antivirus program, open source or commercial. For open source I suggest using ClamAV, as it has the ability to detect the virus, which it names Linux.Rst.A (Clam).


Now that’s what I’m talking about

With all the stupid inventions around, finally an idea that’s actually helpful:


A bioterror attack in World of Warcraft

thanks to roland dobbins for pointing this story out on the funsec list.


this article describes how a new “monster” in the online game which infects players who meet it with a disease, caused a full epidemic in the game’s world.

a must read indeed.

moving beyond this story being cool, i’d like to actually discuss what we can learn from it.

i don’t think establishing such games to learn how diseases spread can really teach us much beyond being a sweet treat to someone working on their ph.d. there are a lot of metrics that can be collected here, and therefore this can be interesting for many different research purposes, from the spread of diseases to comparisons between the biological and computer worlds.

i believe that looking at the ways the online game tries and will try to *cope* with the problem is by far more interesting.

so far we have seen “local authorities” try to quarantine users, as well as some other such measures. but what can really be done?

i suppose it all depends on the game and the capabilities of the software manufacturer and server managers to modify it “unfairly”, which is basically what most game manufacturers try and prevent.

if they could wipe the disease out they would have by now (i hope), so, what could they potentially do?

they could use the band-aid approach and send the game a new item, much like they send a new monster. widely distributing healing potions and/or something that will heal this particular epidemic.

they could do (potentially), a global “blessing” of sort to heal everybody.

whatever it is they try, their solutions will fall under one of the following four categories:

1. band-aids, trying to help as many as they can where they can. they could potentially heal most people, or have them take the medicine continuously over-time, as they will keep getting re-infected.

2. do something global – “heal everybody”. problem is there are players who won’t be there when everybody is healed and will just re-introduce the disease when they come back. i suppose constant global healing is not a bad idea, but it is once again a limited solution.

3. game manipulation: just edit this out from the game and/or all characters, whether at the db level or “on-login”.

4. scorched earth. kill everything. maybe try to restore data from before the “attack” and/or from after with the disease data removed.

it is very interesting to see a feature that does what is intended and yet “runs” out of control. following this story will be extremely interesting.

outbreaks can be eliminated for a time and controlled by massive vaccinations. viruses cannot be released and remain predictable.

unrelated, two things this reminds me of:
1. the world of the sci-fi tv series, harsh realm, where real soldiers were sent to live in a completely virtual world that was as real as any.

2. the spin on one of arthur c. clarke’s laws, made by rich kulawiec over 20 years ago:
“any sufficiently advanced bug is indistinguishable from a feature.”


gadi evron,


Router worms and International Infrastructure

hello all, this is my first blog posting. i am making it to highlight some concerns i have regarding the security of the internet.

i recently raised this subject on nanog, bugtraq and our own fun list – funsec.

a while back i emailed the following text to a closed mailing list. i figure now that quite a few cats are out of the bag it is time to get more public attention to these issues, as the bad guys will very soon start doing just that.

ciscogate by itself alone, and now even just a story about worms for routers, is enough for us to be clear that worms will start coming out. we do learn from history.

so.. as much as people don’t like to talk much on the issues involving the so-called “cooler” stuff that can be done with routers, now is the time to start.

here is one possible and simple vector of attack that i see happening in the future. it goes down-hill from there.

i wrote this after the release of “the three vulnerabilities”, a few months back. now we know one wasn’t even just a ddos, and that changes the picture a bit.

begin quoted text —–>>>

more on router worms – let’s take down the internet with three public pocs and some open spybot source code.

people, i have given this some more thought.

let’s forget for a second the fact that these vulnerabilities are dangerous on their own (although it’s a dos), and consider what a worm could cause.

if the worm used the vulnerability, it would shoot itself in the leg, as when the network is down it can’t spread.

now, imagine if a vx-er will use an ancient trick and release the worm, waiting for it to propagate for 2 or 3 days. then, after that seeding time, when the say.. not very successful worm infected only about 30k machines around the world, each infected host will send out 3 “one packet killers”, as i like to call them, to the world.

even if the packet won’t pass one router, that one router, along with thousands of others, will die.

further, the latest vulnerabilities are not just for cisco; there is a “one packet killer” for juniper as well.

so, say this isn’t a 0-day. tier-1 and tier-2 isp’s are patched (great mechanism to pass through, as these won’t filter the packet out if it is headed somewhere else), how many of the rest will be up to date?

let’s give the internet a lot of credit and say.. 60% (yeah right).

that leaves us with 30% of the internet dead, and that’s really a bad scenario, as someone i know would say.

make each infected system send the one packet spoofed (potentially, not necessarily these vulnerabilities) and it’s hell. make them send it every day, once! and the net will keep dying every day for a while.

as a friend suggested, maybe even fragment the packet, and have it re-assembled at the destination, far-away routers (not sure if that will

these are all basic, actually very basic, techniques, and with the source to exploits and worms freely available….
we keep seeing network equipment vulnerabilities coming out, and it is a lot “cooler” to bring down an isp with one packet rather than with

i am sure the guys at cisco gave this some thought, but i don’t believe this is getting enough attention generally, and especially not with av-ers. it should.

this may seem like i am hyping the situation, which is well-known. still, well-known or not, secret or not, it’s time we prepared better on a broader scale.


—–>>> end quoted text.

i would really like to hear some thoughts from the community on threats such as the one described above. let us not get into an argument about 0-days, and consider how many routers are actually patched the first… day.. week, month? after a vulnerability is released.

also, let us consider the ever decreasing vulnerability-2-exploit development time.

i don’t want the above to sound like fud. my point is not to yell “death of the internet” but rather to get some people moving on what i believe to be a threat; considering it on a broader scale is long over-due.

the cat is out of the bag, and as much as i avoided using “potentially” and “possibly” above to pass my point.. this is just one possible scenario, and i believe we need to start getting prepared to better defend the internet as an international infrastructure rather than on the isp level, locally.

gadi evron,


Band Assists Fans in Ripping Their CD

The music band Switchfoot has posted in their forum a guide to ripping their newly released music CD.

The most interesting aspect of their guide is this sentence:
my heart is heavy with this whole copy-protection thing. Many PC users have posted problems that they have had importing the new songs (regular disc only, not the dual disc) into programs such as Itunes. Let me first say that as a musician AND as a music fan, I agree with the frustration that has been expressed.

Moreover they state that:
We were horrified when we first heard about the new copy-protection policy that is being implemented by most major labels, including Sony (ours), and immediately looked into all of our options for removing this from our new album.

Which is very interesting when it comes from a band whose – ideally – sole purpose is to sell CDs.

Highlights from the guide:
1) MacOS users have no problem “Ripping” the CD i.e. importing it to iTunes

2) Windows users that “accidentally” haven’t installed the copy protection program can use a program called CDEX to rip the CD’s tracks

3) Windows users that “accidentally” have installed the copy protection program will first need to save the songs into Microsoft’s WMV copyrighted/protected format, then burn the WMV files to an Audio CD. Once this has been completed they can then rip back to unprotected WAV files


TorrentBits Problem Allows Cheating

A problem with TorrentBits’ way of handling data, i.e. not confirming its origin, allows users to cheat – increase their reported upload size. As most sites that utilize TorrentBits enforce ratios, the problem allows bypassing of the ratio system.

Additional details can be found here: How-To: Increase your upload/download/ratio in torrent trackers.
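The root cause described above is that the tracker credits whatever `uploaded` total the client announces. The following is an added example, not code from the post or from TorrentBits, of the tracker-side plausibility checks a ratio-enforcing site can apply to those self-reported counters: reject a delta that is non-monotonic or exceeds a bandwidth cap for the elapsed time, and then audit the swarm for peers whose credited upload is not matched by download reported by anybody else. The bandwidth cap, the tolerance factor, the peer names and the transfer figures are assumptions for the demonstration.

```python
from collections import defaultdict

MAX_RATE_BPS = 12_500_000   # assumed cap: 100 Mbit/s, generous for a single peer
SWARM_TOLERANCE = 1.5       # assumed: credited upload may exceed others' download by 50%
SLACK_BYTES = 1_000_000     # assumed: 1 MB slack for announce timing skew


class AnnounceValidator:
    """Tracks client-reported totals per (torrent, peer) and sanity-checks each delta."""

    def __init__(self, max_rate=MAX_RATE_BPS):
        self.max_rate = max_rate
        self.last = {}                                            # (info_hash, peer) -> (ts, up, down)
        self.credited = defaultdict(lambda: defaultdict(int))     # info_hash -> peer -> credited upload
        self.downloaded = defaultdict(lambda: defaultdict(int))   # info_hash -> peer -> download
        self.flags = []                                           # (peer, reasons) for rejected announces

    def announce(self, info_hash, peer_id, ts, uploaded, downloaded):
        """Process one announce; return (credited upload delta, rejection reasons)."""
        key = (info_hash, peer_id)
        prev = self.last.get(key)
        self.last[key] = (ts, uploaded, downloaded)
        if prev is None:
            return 0, []                  # first announce of the session establishes the baseline
        pts, pup, pdown = prev
        elapsed = ts - pts
        up_delta, down_delta = uploaded - pup, downloaded - pdown
        reasons = []
        if elapsed <= 0 or up_delta < 0 or down_delta < 0:
            reasons.append("non-monotonic counters or timestamp")
        elif up_delta > elapsed * self.max_rate:
            reasons.append("upload delta exceeds bandwidth cap")
        if reasons:
            self.flags.append((peer_id, reasons))
            return 0, reasons             # nothing is credited for a rejected announce
        self.credited[info_hash][peer_id] += up_delta
        self.downloaded[info_hash][peer_id] += down_delta
        return up_delta, []

    def swarm_audit(self, info_hash):
        """Peers whose credited upload exceeds what everyone else in the swarm downloaded."""
        downs = self.downloaded[info_hash]
        total_down = sum(downs.values())
        suspects = []
        for peer, up in self.credited[info_hash].items():
            others = total_down - downs.get(peer, 0)   # bytes someone other than this peer received
            if up > others * SWARM_TOLERANCE + SLACK_BYTES:
                suspects.append(peer)
        return sorted(suspects)


def demo():
    """Constructed swarm: one seed, two leechers, and two peers inflating their upload."""
    v = AnnounceValidator()
    t0 = 1_000_000
    for peer in ("seed", "leechA", "leechB", "cheatC", "cheatD"):
        v.announce("h1", peer, t0, 0, 0)
    t1 = t0 + 1800                          # second announce 30 minutes later
    v.announce("h1", "seed", t1, 50_000_000, 0)
    v.announce("h1", "leechA", t1, 0, 25_000_000)
    v.announce("h1", "leechB", t1, 0, 25_000_000)
    _, c_reasons = v.announce("h1", "cheatC", t1, 10_000_000_000, 0)    # under the cap, fails audit
    _, d_reasons = v.announce("h1", "cheatD", t1, 100_000_000_000, 0)   # 100 GB in 30 min: over cap
    return c_reasons, d_reasons, v.swarm_audit("h1")


if __name__ == "__main__":
    print(demo())
```

The rate cap alone is easy to stay under, which is why the swarm audit matters: a peer can only have uploaded bytes that some other peer downloaded, so a claim with no matching download anywhere in the swarm is the signature of a forged counter rather than a fast connection.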


No more **** passwords?

A nice solution built by MERL to prevent shoulder surfing is to display a flickering picture and provide glasses that would be able to filter out these flickers resulting in a dual image:

This means that the display can only be viewed with magic glasses.

Although the solution is simple, you can use this to “encrypt/hide” data quite well – i.e. show someone one picture while the person with the special glasses sees another one.

The only drawback is that the glasses need to be wired to the screen, making the solution not very portable.

This would also give a whole new meaning to “I can’t work today as forgot my glasses at home” :-)


People Watch Porn / Take Risks At Work Not At Home – A Study Finds

A study by Trend Micro reveals that end-users behave online in a more risky fashion at work than they would at home.

The study was conducted during July 2005 and featured more than 1,200 corporate end users in the United States, Germany and Japan.

The study found out that people would take greater risks at the office as 39% believed that their IT department would be able to stop them from falling victim to an attack – Spyware, Trojan and Phishing.

63% believed that clicking on suspicious links – visiting problematic sites – was more secure to be done at work, as the IT department has installed security countermeasures and defenses.

40% believed that they can take additional risks as the IT department was there to provide support in case they do fall victim to a Spyware, Trojan or Phishing attack.

More interestingly, 40% would not contact their IT department for assistance whenever they believed they had fallen victim to such an attack, and would rather hide the fact than admit it.

My feeling on this survey is that, simply enough, people tend not to care much about the stability of their network, computer or even organization when they are at work, unlike at home, where the instability of their computer could result in being out of contact with their friends, family etc. In most cases I have seen, people at work feel they have a “parachute”: if their computer stops working or behaves strangely they pick up the phone and call support, caring very little whether their endeavour might have created risks for their organization.