The MSN “Not A Phishing Worm”

This is a funny one actually :)
I was just working as usual when I got the following message on my MSN Messenger:

This is how real girls party. Great high quality pictures on

http://jusmineza.PartyPicturez.info

Now of course I understood that it's a worm, but still, let's see where it leads.
So I went into the site and it looked like this:

With what I have seen until now, this is a classic phishing site; I saw dozens
like it for Yahoo! in the past. But wait! Let's look at that GREY text below:

Terms of Use / Privacy Policy:

By filling out this form, you authorize T P Ltd to spread the word about this new 100% real and upcoming Messenger Community Site. You will receive your share of the credit in helping us spread the word. This is a harmless Community site which is offering users a platform to meet each other for free.

We do not share your private information with any third parties. By using our service/website you hereby fully authorize T P Ltd to send messages of a commercial nature via Instant Messages and E-Mails on behalf of third parties via the information you provide us. This is not a “phishing” site that attempts to “trick” you into revealing personal information. Everything we do with your information is disclosed here. If you are under eighteen (18), you MUST obtain permission from a parent or guardian before using our website/service.

This page is not affiliated with or operated by Microsoft(tm) or MSN Network(tm).

ANY LIABILITY, INCLUDING WITHOUT LIMITATION ANY LIABILITY FOR DAMAGES CAUSED OR ALLEGEDLY CAUSED BY ANY FAILURE OF PERFORMANCE, ERROR, OMISSION, INTERRUPTION, DEFECT, DELAY IN OPERATION OR TRANSMISSION, COMMUNICATIONS LINE FAILURE, SHALL BE STRICTLY LIMITED TO THE AMOUNT PAID BY OR ON BEHALF OF THE SUBSCRIBER TO THIS SERVICE.

We may temporarily access your MSN account to do a combination of the following: 1. Send Instant Messages to your friends promoting this site. 2. Introduce new entertaining sites to your friends via Instant Messages.

This is a free service. You will not be asked to pay at any time. You will not be subscribed to anything asking for payment. This service is made possible by many hours of human effort.

T P Ltd reserves the right to change the terms of use / privacy policy at any time without notice. To view the latest version of this privacy policy, simply bookmark this page for future reference.

You understand that this agreement shall prevail if there is any conflict between this agreement and the terms of use you accepted when you signed up with MSN. You also understand that by temporarily accessing your msn account, T P Ltd is NOT agreeing to MSN’s terms of use and therefore not bound by them.

This agreement shall be construed and governed by the law of the republic of Panama. You expressly consent to the exclusive venue and personal jurisdiction of the courts located in the Republic of panama for any actions arising from or relating to this agreement.

If any provision of this agreement is held to be invalid, illegal or unenforceable for any reason, such invalidity, illegality or unenforceability shall not effect any other provisions of this agreement, and this agreement shall be construed as if such invalid, illegal or unenforceable provision had not been contained herein.

Copyright 2008 T P Ltd

OK, they said in the text:

This is not a “phishing” site that attempts to “trick” you into revealing personal information.

So they don't want our usernames and passwords (which for most people are also their EMAIL credentials). Yeah, I believe them, sure.

They just want to:

1. Send Instant Messages to your friends promoting this site.
2. Introduce new entertaining sites to your friends via Instant Messages.

Which is completely different from what a worm does. A worm just spreads and "introduces" "entertaining" sites full of porn and exploits.

By using our service/website you hereby fully authorize T P Ltd to send messages of a commercial nature via Instant Messages and E-Mails on behalf of third parties via the information you provide us.
…..
ANY LIABILITY, INCLUDING WITHOUT LIMITATION ANY LIABILITY FOR DAMAGES CAUSED

Yeah, why not: take my account and send spam "on behalf of third parties", and if they get hacked or something, they are not responsible, you agreed to this.

I believe this should be called “Legal Phishing User Agreement” or “Worm As A Service”.
It is also a little weird that a "legal" domain called "partypicturez.info" is dealing with MSN accounts and not PICTURES FROM PARTIES, and has unlimited (*.) subdomains and only 1 page, don't you think?!
Of course they used domain privacy protection:

Registrant Email:9648af2d68114548bfc703cca6806a46.protect@whoisguard.com
Admin Name:WhoisGuard Protected
Admin Organization:WhoisGuard

Well, don't fill in any form you see without reading the small (and in this case GREY) print :)

Update:
The same worm also sends this message:

“[msn_dst_user], claim your Prize!
http://
[msn_src_user].win-win-it.com/winner.php”

Any file or subdomain in win-win-it.com redirects to http://www.desktopsmiley.com/go.do?a=814

Which is also registered via WhoisGuard.
Both these websites were built to make people download this:

http://www.desktopsmiley.com/toolbar/desktopsmiley/download/stb_installer.exe

Which they claim is:

“Download DesktopSmiley to get 1000′s of FREE Smileys!
It’s totally FREE! No Registration. No Spyware.”

Yes, a toolbar advertised by a WORM is not spyware, sure…
The example above was version 2.0c. It seems these guys used different methods, different domains and different company names in the older versions (which is typical of viruses and spyware but not of legitimate software).
The following example belongs to an older version, 1.1c, with this MSN message:

foto http://hi5.eu.com/id.php?=[dst_user_email]

Which prompts a download of "IMG455.jpg-www.photo.com", an EXE file with a .com extension; when it is run, the Windows loader performs "true type detection" on it and executes it as the regular EXE file it is.
Those people don't care a bit: they left "Directory Browsing" open in the subdomain's root, check it out at: http://hi5.eu.com/
They even forgot to remove their private packer from the site: http://hi5.eu.com/pa-packer.rar
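As an added illustration (not code from the post), here is a small Python check of the kind a mail gateway or download scanner would run: it classifies a file by its MZ/PE header the way the Windows loader does, and flags names like the one above, where a ".jpg" decoy sits in front of the real ".com" extension. The sample bytes are constructed, not the actual file.

```python
import struct
from typing import List

# Extensions that normally carry a PE (EXE-format) image on Windows.
PE_EXTENSIONS = {".exe", ".dll", ".scr", ".sys", ".cpl", ".ocx"}
# Harmless-looking extensions that malware likes to plant in a file name.
DECOY_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".pdf", ".doc"}


def sniff_type(data: bytes) -> str:
    """Classify a file by its magic bytes, not its name.

    This mirrors what the Windows loader does: it trusts the MZ/PE headers
    and ignores whatever extension the file happens to have.
    """
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of PE header
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "pe"
        return "mz"  # DOS-only executable
    return "unknown"


def analyse_attachment(name: str, data: bytes) -> List[str]:
    """Return a list of findings for a downloaded file (empty means nothing odd)."""
    findings = []
    lower = name.lower()
    ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
    kind = sniff_type(data)

    # 1. Content is a PE image but the name does not say so.
    if kind == "pe" and ext not in PE_EXTENSIONS:
        findings.append(f"PE executable disguised with extension {ext!r}")

    # 2. A decoy extension (".jpg") sits before the real one ("...-www.photo.com").
    tokens = lower.replace("-", ".").split(".")
    decoys = sorted({"." + t for t in tokens[:-1] if "." + t in DECOY_EXTENSIONS})
    if decoys and (kind in ("pe", "mz") or ext in PE_EXTENSIONS | {".com"}):
        findings.append(f"decoy extension(s) {decoys} before real extension {ext!r}")
    return findings


def build_fake_pe() -> bytes:
    """Constructed sample: the smallest byte string the sniffer accepts as PE."""
    header = bytearray(b"MZ" + b"\0" * 0x3E)        # 0x40-byte DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)      # e_lfanew -> PE header at 0x40
    return bytes(header) + b"PE\0\0" + b"\0" * 20   # PE signature + padding


FAKE_PE = build_fake_pe()
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\0" * 60        # constructed JPEG-like bytes

if __name__ == "__main__":
    for fname, blob in [("IMG455.jpg-www.photo.com", FAKE_PE),
                        ("party.jpg", FAKE_JPEG),
                        ("setup.exe", FAKE_PE)]:
        print(fname, "->", analyse_attachment(fname, blob) or "clean")
```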

They also have a version at: http://new.upicx.com/ (which I think just went down…)
It loads "http://new.upicx.com/indexx.php" and "http://new.upicx.com/pop.php" and VERIFIES that the request's REFERER is "http://new.upicx.com/", so a direct reference to these files returns "404 Not Found".


Not Microsoft’s Online Lottery


This was just too funny not to share. Read carefully and draw your own conclusions, haha.

from    MIKE ROBINSON
reply-to    mike_robinson79@yahoo.com
to
date    Wed, Dec 17, 2008 at 10:23 AM
subject    WINING NOTIFICATION



1 MICROSOFT WAY
Redmond, WA 98052.
BL4 4PZ,lONDON.
Ref: BTD/968/08
Batch: 409978E
WINNING NOTIFICATION

This is to inform you that your email has won a consolation prize
of the Microsoft Corporation 2008 EMAIL DRAW.Your email has won
(£500,000.00)&(Great British Pounds)of the microsoft onlinelottery
promotion Your email address as indicated was drawn and attached to
ticket number 008795727498 with serial numbers BTD/9080648302/08 and
drew the lucky numbers 14-21-25-39-40-47(20)To file for your claims,you
are to contact your designated claims agent
Mr.mike robinson of this
email: mike_robinson79@yahoo.com

PAYMENT RELEASE ORDER FORM
Full Names——————-
Gender———————–
Age————————–
Contact Address————–
Occupation——————-
Country———————-
Telephone numbers————
Batch————————
Reference——————–
Microsoft Fiduciary Agent
MR Harry peterson


Phone fraud

A not-uncommon phone fraud story from the CBC.  However, I keep telling people:

a) We don't know enough about phone systems, and, unlike most of the breaches we deal with, phone fraud costs you real money, right now.

b) When you get hit and take the story to the telcos, the telcos, very profoundly, don’t care.


Fuzzing’s Impact on Vulnerability Discovery


I just saw the new advisory for Opera, headlining a 'memory corruption' vulnerability that sounds like it's triggered by specially crafted HTML constructs; that much is gathered from this almost incoherent 'detailed' description of the bug:

“Certain HTML constructs affecting an internal heap structure. As a result of a pointer calculation, memory may be corrupted in such a way that an attacker could execute arbitrary code.”

I often wonder when I see advisories like this if the vulnerabilities have been found by fuzzing.

Another bug in Adobe Flash Player, found by iSEC (and which I also discuss here), also looks to have been found by fuzzing, but this time it is (nearly directly) implied in the advisory:

"iSEC applied targeted fuzzing to the ActionScript 2 virtual machine used by the Adobe Flash player, and identified several issues which could lead to denial of service, information disclosure or code execution when parsing a malicious SWF file. The majority of testing occurred during 120 hours of automated SWF-specific fault injection testing in which several hundred unique control paths were identified that trigger bugs and/or potential vulnerabilities in the Adobe Flash Player. Paths leading to duplicate issues were condensed down to a number of unique problems in the Adobe Flash Player. The primary cause for these vulnerabilities appears to be simple failures in verifying the bounds of compartmentalized structures."

Now, both of these examples could have been found by means other than fuzzing, but I know that every time I see scrupulous advisories like those it just makes me wonder. By the way, IMHO Fuzzing: Brute Force Vulnerability Discovery is a great book and a great read. Kudos to the swift, engineering authors as well.

You can browse a list of fuzzers hosted by PacketStorm to exercise your mind even more.

So what do you think? Have fuzzers, being at most 'trivial' to write in ideal conditions (well documented protocol, continued aggressive latency, etc.), taken a strong hold in many security researchers' work?


Useless SPAM


This junk keeps slipping through Gmail's spam filters, and the best I can say about it is 'useless'.

Anybody else been getting this kind of crap lately?

from    Christoph_Schell@computacenter.com
to    [0][x][j][b][r][o][w][n][4][1]@gmail.com
date    Mon, Dec 15, 2008 at 4:02 PM
subject    Christoph Schell/Kerpen/GECITS-EU is out of the office.
mailed-by    computacenter.com

I will be out of the office starting  11.12.2008 and will not return until
18.12.2008.

I will respond to your message when I return or contact Michael Menen
(Michael.Menen@computacenter.com).

**********************************************************************
COMPUTACENTER PLC is registered in England and Wales with the registered number 03110569.  Its registered office is at Hatfield Business Park, Hatfield Avenue, Hatfield, Hertfordshire AL10 9TW
COMPUTACENTER (UK) Limited is registered in England and Wales with the registered number 01584718.  Its registered office is at Hatfield Business Park, Hatfield Avenue, Hatfield, Hertfordshire AL10 9TW

The contents of this email are intended for the named addressee only.
It contains information which may be confidential and which may also be privileged.
Unless you are the named addressee (or authorised to receive mail for the addressee) you may not copy or use it, or disclose it to anyone else.

If you receive it in error please notify us immediately and then destroy it.

Computacenter information is available from:

http://www.computacenter.com

**********************************************************************

I usually get 5-10 of these about once a month, all in the same hour or two. The most 'useless' part about it is that it doesn't affect me, at all, in any way, neither personally nor work related.


Convenience charge?

I’m sure all of you have Ticketmaster horror stories.  (Anyone who has ever bought a ticket through Ticketmaster, that is.)  I needed to get a ticket to an event last night.  As usual, the only way to get it was through Ticketmaster, and, as usual, the entire process was annoying from beginning to end.

As I was paying, I was noting the various extraneous charges that increased the price from the face value (which includes the tax, of course) to roughly 25% more than that.  The one that struck me was the “convenience” charge.

Convenience?  Convenience?  Who decided this system was convenient?  I’m old enough to remember the days when you called, on the phone, and got an actual person, who was associated with the group, or at least the theatre itself, and could tell you what tickets and places were available on what days.

OK, I’m old.  But leaving aside issues of efficiency and greater profit margins, what was the person smoking when they decided that this system was convenient?  In order to find decent tickets, at decent prices, I had to look up, individually, every single performance, and then search for tickets, separately, in each price range.

And, of course, every time I searched for tickets (I wasn’t told what tickets were available, mind you, no, the system decides what tickets it’s going to offer me), I had to go through the ReCAPTCHA process (which we were just discussing here).  And, as my wife, looking over my shoulder as I went through this delay every single time asked, why?  It certainly doesn’t provide any security at all.  Yes, I know that you are only supposed to get one of the words right, but I’m fairly certain that, in all the queries I did on the system, there were a few where I got neither of the words right.  (Several of them were just blobs.)  So why is it there?  I suppose it is partly security theatre, and partly it is so that Ticketmaster can get a little goodwill for supporting the book transcription project.  (Of course, Ticketmaster isn’t supporting the project, you are, whether you want to or not.)

Spare me from convenience …


Everything new is old again – baked in security

Now, believe me, I have only the greatest of sympathy with the intent of this phrase.  Yes, I agree that we’ve been hamstrung and hampered by insecurities due to sloppy programming, and we desperately need to have more secure software development practices.

It's just nothing new, that's all.

I mean, we’ve been preaching this for years.  Decades, really.  Ask any old programmer what he, she, or it was taught way back in the old days.

Structured programming.  Top-down programming.  The waterfall method.

And documentation.  I especially like internal documentation.  If you don’t like documentation you can have a moment of pity for my (occasional) programming students.  When they hand in a project it has to have internal documentation in the source code, and it has to be clear and make sense.  (They lose marks if they don’t and it doesn’t.)  As far as I’m concerned, if you can’t say what you are doing, you don’t know what you are doing.

And if you know what you are doing, you do it right.


DNSSolutions


The flaw discovered by Dan Kaminsky put a forthright scare into the entire internet community — and it should have. This attack, which is trivial in nature, could make the difference between sending all your private data to the secure server across the ocean, or to a happy hacker filling his/her eyeballs with goodies.

But now, since everyone has been woken up, there are two mainstream proposed solutions in hopes of ending the insecurity in DNS: DNSSEC and DNSCurve. Which one should you bet your network's integrity on? Better hope you're patched or you might get bailiwicked. Let the enlightenment begin.

DNSSEC, or Domain Name System Security Extensions, is a suite of IETF specifications for securing certain kinds of information in DNS. Recently, lots of companies have been gearing up to implement DNSSEC as a means of securing DNS on the Internet. One man who opposes DNSSEC has written his own code to provide a nicer, more secure solution, far better than DNSSEC. He calls it DNSCurve.

DNSCurve uses high-speed, high-security elliptic-curve cryptography to improve and secure DNS. Daniel J. Bernstein, the creator of DNSCurve and of many other high-security servers such as qmail and djbdns, doesn't want DNSSEC implemented, but DNSCurve instead. And there is no question which one is the better choice after looking at the comparisons Bernstein makes between the two now-rivals.

Some huge advantages of DNSCurve over DNSSEC are encrypting DNS requests and responses, not publishing lists of DNS records, much stronger cryptography for detecting forgeries, (some) protection against denial of service attacks, and other improvements.

There is one quick, unrelated issue that I disagree with Mr. Bernstein about. After offering $500 “to the first person to publish a verifiable security hole in the latest version of qmail”, he states: “My offer still stands. Nobody has found any security holes in qmail”. But in 2005, Georgi Guninski found one and has confirmed exploitability on 64 bit platforms with a lot of memory.

Bernstein denied his claim and then stated: "In May 2005, Georgi Guninski claimed that some potential 64-bit portability problems allowed a "remote exploit in qmail-smtpd." This claim is denied. Nobody gives gigabytes of memory to each qmail-smtpd process, so there is no problem with qmail's assumption that allocated array lengths fit comfortably into 32 bits." Now, to me, and I am sure to many other people as well, an exploitable bug is an exploitable bug. Conditions sometimes have to be met and "can be carried too far", one might put it, but in this case it is clear that Guninski found at least one exploitable bug in qmail. Game over. No disrespect to Mr. Bernstein or his code; he does have both great code and concepts. On with my main literature.

So, if I were a betting man (and I am), I would gamble on Bernstein's all-around great approach to making DNS safer, more resilient against attacks, and definitely more secure. Hopefully, people will realize money can't solve all our problems, but the guys that know what they are doing can, and might just make some things happen pretty soon.


Top Exploits of the Week #1


I thought I'd try something different (excuse me if it's been done before, oh well). Every week I will be making a list of the top 5 exploits of the week, with details about them, etc.

So let's get the ball rolling:

#1 Internet Explorer 7 XML Buffer Overflow Exploit (Vista Target) — This remote beauty executes remote code on a vulnerable (probably still unpatched) Internet Explorer 7 machine running Windows Vista. Coded by muts.

#2 Internet Explorer 7 XML Buffer Overflow Exploit (XP SP3 Target) — Exploits the same bug as above but executes code on a Windows XP SP3 target. Coded by Guido Landi.

#3 XOOPS 2.3.1 Multiple LFI Exploits — XOOPS suffers from a few local file inclusion bugs, and DSecRG has some code for you.

#4 Linux Kernel ATMSVC DoS Exploit — Send a kernel into an infinite loop by locally running this exploit on a vulnerable machine. Code by Jon Oberheide.

#5 phpMyAdmin 3.1.0 XSRF Exploit — Cross site scripting attacks are more dangerous than most developers think. Here is exploit code, just don’t have phpMyAdmin open in another tab! Provided by Michael Brooks.

See you all next week with more. Bug on :)


Why blindly blocking everything is bad for you

Many administrators blindly block anything that isn't running on port 80 (HTTP), 443 (HTTPS) or 22 (SSH). Their claim is that nothing good can run on any other port. This causes their users to get frustrated when they want to use anything else that runs on any other port.
I am not talking about P2P or other 'evil' programs, which are pretty good at bypassing your restrictions on their own (Skype is one such example); I am talking about, for example, one of your engineers wanting to get tech support but having his corporate VPN access blocked, as most VPNs require at least one port other than 80, 443 or 22 to be open.

In such cases (as with VPN), the tech support guy will find a way around your restriction, perhaps using port 443 to tunnel the traffic through, even though it's not really SSL going inside there :) . The smart administrator will use a proxy or a content filtering agent to prevent such things, so a smart tech support guy will tunnel everything via SSH, or even use HTTPS to tunnel the data (there are several solutions that do that).

My point is that blind blocking will give you the benefit of stopping the common user, but will frustrate a tech support guy to the point that he will find a way to bypass it. I suggest that you 'give' the tech support guy a hand: understand what he needs, and give him that. It's better than him bypassing your restriction.

I am sure the readers have additional examples that can strengthen this point.


SSH Gets Attacked


Yeah, brute force attacks on SSH are old news. But now there is something new and interesting about them! Attackers (how did they get so smart!?) are now using 'advanced' techniques to make these attacks even more effective:

“Instead of using the same compromised machine to try multiple password combination, the newer attack relies on coordination among multiple botnet clients. Also, instead of throwing this resource at random Secure Shell (SSH) remote admin servers, the assault is targeted at specific servers.”

OH NO! We all must go and protect our servers now!

Or do any or all of these good practices that decent administrators have known about for years…

1) USE STRONG PASSWORDS! (You can bet attackers will have 'johndoe' in their wordlist, but not '00J0hNND0eEe00$')
2) Firewall all SSH logins except from authorized IP addresses
3) Run the SSH server on a port other than 22

Some helpful tips for the helpless. Ho, ho, ho unwise system admins.
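As an added example (not from the original post), the following Python script shows how a defender would tell the two attack styles apart in auth.log: the classic single noisy source versus the coordinated low-and-slow pattern quoted above, where each bot stays under the usual per-IP threshold. The log lines, host name and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# OpenSSH "Failed password" lines as written to auth.log (syslog format, no year).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

Event = Tuple[datetime, str, str]  # (timestamp, username, source ip)


def parse_failures(lines: List[str], year: int = 2008) -> List[Event]:
    """Extract failed-login events; syslog omits the year, so it is supplied."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line.rstrip("\n"))
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return events


def detect(events: List[Event], window_s: int = 600,
           per_ip_max: int = 3, min_sources: int = 5) -> List[Dict]:
    """Flag both attack styles in each time window.

    single-source: one IP exceeds per_ip_max failures (the classic attack).
    distributed:   every IP stays within per_ip_max, but at least min_sources
                   different IPs try the *same* username, which is the
                   coordinated botnet behaviour the quoted article describes.
    """
    if not events:
        return []
    events = sorted(events)
    t0 = events[0][0]
    buckets: Dict[int, List[Event]] = defaultdict(list)
    for ev in events:
        buckets[int((ev[0] - t0).total_seconds() // window_s)].append(ev)

    alerts = []
    for idx in sorted(buckets):
        by_ip: Dict[str, List[str]] = defaultdict(list)
        for _, user, ip in buckets[idx]:
            by_ip[ip].append(user)
        for ip, users in by_ip.items():
            if len(users) > per_ip_max:
                alerts.append({"type": "single-source", "ip": ip, "attempts": len(users)})
        # Low-and-slow sources only: which usernames do many of them share?
        user_sources: Dict[str, set] = defaultdict(set)
        for ip, users in by_ip.items():
            if len(users) <= per_ip_max:
                for user in users:
                    user_sources[user].add(ip)
        coordinated = {u: ips for u, ips in user_sources.items() if len(ips) >= min_sources}
        if coordinated:
            alerts.append({"type": "distributed",
                           "users": sorted(coordinated),
                           "sources": len(set().union(*coordinated.values()))})
    return alerts


# Constructed auth.log excerpt: one noisy host plus six quiet, coordinated ones.
SAMPLE_LOG = [
    "Dec 18 03:10:01 bastion sshd[4101]: Accepted publickey for deploy from 192.0.2.9 port 51000 ssh2",
] + [
    f"Dec 18 03:10:{2 + i:02d} bastion sshd[41{i:02d}]: Failed password for {u} "
    f"from 10.0.0.5 port 50122 ssh2"
    for i, u in enumerate(["root", "admin", "oracle", "test", "guest", "root"])
] + [
    f"Dec 18 03:1{1 + i}:{j * 7:02d} bastion sshd[42{i}{j}]: Failed password for {u} "
    f"from 198.51.100.{11 + i} port 4444 ssh2"
    for i in range(6) for j, u in enumerate(["root", "invalid user admin"])
]

if __name__ == "__main__":
    for alert in detect(parse_failures(SAMPLE_LOG)):
        print(alert)
```

A per-IP threshold alone (the usual fail2ban-style rule) never fires on the six quiet hosts; only the shared-username view across sources does.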


Gotcha CAPTCHA!


Well, your favorite website's favorite way to see if you're human or not has a problem — their 'protection' has been 'broken'. Who knew that asking a user to read and type the contents of a distorted image of text would be so easy for a computer/code to do as well? CAPTCHAs have never even looked secure to anyone with an open security mind, and for those swimming in the unconscious thought that some day this 'protection' would see its core cracked… well, today is your lucky day.

But never fear! There is hope (really..?)! The Carnegie Mellon University team behind CAPTCHA's big brother, reCAPTCHA, is for some reason continuing research towards the "effort to mix basic security and useful work". While the reCAPTCHA service seems like a step in the right direction, I have my doubts. Actually, I think it won't be too long until the next article at YOURFAVORITETECHNEWSSITE is about this new 'improvement' being 'broken'. Oh internet, have mercy on the little people, and send your spam bots to wreak havoc on another interNET.


Breaking Google Gears’ Cross-Origin Communication Model

I came across this interesting article at Watchfire. The team there were able to exploit the Google Gears infrastructure in order to perform malicious activities.

Gears is a browser extension that allows developers to create richer and more responsive web-applications. One of its key features is the ability to create web-applications that can run both online and offline transparently.
Some of the capabilities Gears introduces are:

  • A local server, to cache and serve application resources (HTML, JavaScript, images, etc.) without needing to contact a server
  • A database, to store and access data from within the browser
  • A worker thread pool, to make web applications more responsive by performing expensive operations in the background
  • The HttpRequest API, which implements a subset of the W3C XmlHttpRequest specification
  • A Geolocation API that enables a web application to obtain a user’s geographical position

In brief, the attacker creates a text file that contains (malicious) Google Gears worker commands. He can then get that text content onto the target domain by, say, uploading it there as an image file. The attacker then needs a web page, either one that has been approved for using Google Gears or one that hosts user-created content, containing some Google Gears code that loads and executes the malicious file as a worker. The code now runs in the context of the victim and hence has permission to access Google Gears client-side objects such as the DB, the local server data or web resources. This information can then be leaked back to the attacker's web page using Google Gears' standard messaging mechanism.

The Google team has patched this issue. The fix is based on a special Google Gears Content-Type header value (application/x-gears-worker) that must be sent by the web server when it serves Google Gears worker code files; without that value, the loading of such worker files is denied.
A full explanation of Google Gears can be found here.
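As an added illustration (not Google's or Watchfire's code), here is a Python model of the loader decision before and after that fix. The same-origin check is the example's own simplification of the loader, the host names are hypothetical, and the point is that an uploaded "image" containing worker code is refused once the server's Content-Type is consulted, even though the bytes sit on the right origin.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Media type the patched Gears requires on any response it will run as a worker.
GEARS_WORKER_TYPE = "application/x-gears-worker"


def media_type(content_type: str) -> str:
    """Strip parameters ('; charset=utf-8') and normalise case."""
    return content_type.split(";", 1)[0].strip().lower()


def origin(url: str) -> Tuple[str, str, int]:
    """(scheme, host, port) with default ports filled in, for same-origin checks."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme.lower(), 0)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), port)


def header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def may_load_worker(page_url: str, worker_url: str, response_headers: Dict[str, str],
                    enforce_type: bool = True) -> Tuple[bool, str]:
    """Decide whether a page may run the fetched resource as a Gears worker.

    enforce_type=False models the pre-fix loader: anything on the origin runs.
    enforce_type=True models the fix: the server must also label the response
    application/x-gears-worker, so bytes that merely *exist* on the origin
    (an uploaded "image") are no longer enough; the attacker would have to
    control the server's Content-Type as well.
    """
    if origin(page_url) != origin(worker_url):
        return False, "worker URL is cross-origin"  # simplification, see lead-in
    if enforce_type:
        ctype = header(response_headers, "Content-Type")
        if ctype is None or media_type(ctype) != GEARS_WORKER_TYPE:
            return False, f"content-type {ctype!r} is not {GEARS_WORKER_TYPE}"
    return True, "ok"


# Constructed scenario (hypothetical host names and paths):
PAGE_URL = "http://app.example/profile"
# 1. attacker-controlled bytes that reached the origin through an image upload
UPLOAD_URL = "http://app.example/uploads/avatar.png"
UPLOAD_HEADERS = {"Content-Type": "image/png", "Content-Length": "812"}
# 2. a genuine worker file, served the way the patched Gears expects
WORKER_URL = "http://app.example:80/js/sync-worker.js"
WORKER_HEADERS = {"content-type": "Application/X-Gears-Worker; charset=utf-8"}

if __name__ == "__main__":
    print("before fix, upload:", may_load_worker(PAGE_URL, UPLOAD_URL, UPLOAD_HEADERS, enforce_type=False))
    print("after fix, upload: ", may_load_worker(PAGE_URL, UPLOAD_URL, UPLOAD_HEADERS))
    print("after fix, worker: ", may_load_worker(PAGE_URL, WORKER_URL, WORKER_HEADERS))
```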


Igniting Linux Desktop Security


Long ago, my all-time favorite desktop firewall was none other than Sygate Pro (which the Symantec junkies sought-and-destroyed a while back). I loved all of its seemingly superior and cool features, which really just made me feel great about using it on some servers and workstations. But like most other desktop firewalls, Sygate is/was Windows only. But this article isn't about just any desktop firewall; it is about Firestarter, the Linux GUI firewall solution.

Firestarter is a nice, sleek, Desktop-safe, open source and server or workstation setting network security solution. Say that 128 times fast! Haha. If you are an administrator or just a savvy Linux Desktop user who wants to feel a little more secure on your network, you’ll probably love Firestarter.

Some of the great features of Firestarter include a graphical user interface for configuring firewall rules and settings, a nice wizard to walk you through it, a real-time event monitor to check on intrusion attempts or the like, inbound and outbound network access policy control, port forwarding, the ability to whitelist and blacklist traffic, viewing network connections, advanced kernel tuning to provide some protection against flooding, broadcasting, spoofing and typical DoS attacks, and much more!

Firestarter sits atop iptables and works quite nicely to control traffic in and out of your workstation or server. I'll even give you a couple of quick and simple examples. Say you have XYZ Linux running the ZYX desktop and you want to be able to transfer files (or data) via XZY, but only from a certain IP address. Simply add a rule in Firestarter and watch it work. What if you want to completely (within the boundaries of this tool) block access from xx.xxx.xx.xxx? Add a rule to blacklist it on outbound traffic. Voilà! Simple firewalling made super easy. I use Firestarter and I absolutely love it. So if you haven't already tried Firestarter, I recommend you give it a shot! I can't imagine you being disappointed.



Everything new is old again – convergence

Or, converged communications, if you prefer.

I mean, c’mon.  We’ve had VoIP for a while.  (Before that we had H.323.  Even before that we had Internet telephony, although it didn’t work all that terribly well.)

Of course, from our perspective in security, convergence is a great thing–for job security.  Just think, we can take all the problems we have in networking, and all the problems we have in telephony, and roll them up into one big insecurity.

(Surprise, surprise: bad guys are breaking into home and small office VoIP PBXs and using them to make telemarketing calls.)  (Although don’t get me wrong: I’ve nothing against Asterisk per se, and I’m sure it’s a great system–if well managed.)


Tears to my eyes

Yes, this should have brought tears to your eyes too: "Spam Volumes Drop by Two-Thirds After Firm Goes Offline". But luckily I cried too soon; I have seen spam amounts on the increase in the past 2 weeks. And unlike previous spam, which my bogofilter and SpamAssassin were able to handle, this new spam is something they can't – or at least can't yet.

I wonder what happened to make spam more 'intelligent'; one thought that comes to my mind is that since the massive botnet that was used to send spam is now owned by someone else, the spam now looks different – something else generates it, while the same network sends it out.

I hope they catch the guy who's keeping this network alive and take it down once more; we deserve the relief from spam for a few days at least :)

On a side note, I have seen an increase in foreign spam, natively written Russian, Chinese and Japanese spam – this is even more silly than regular English-written spam, as I can't even begin to wonder what they are trying to sell me :)
