[SecurityRatty] tag: convergence

PCI DSS Blogs

Mon, 24 Nov 2008 12:20:00 +0000

I polled a few lists to create a longer lost of PCI DSS related blogs (looking especially for blogs by QSAs), so IN NO PARTICULAR ORDER:

If I missed anybody, sorry, please add below and I will update my list!

Just FYI.

Zeus Crimeware Kit Gets a Carding Layout

Mon, 10 Nov 2008 02:53:52 +0000

With cybercriminals clearly expressing their nostalgia for several notorious and already shut down credit card fraud communities, they seem to have found a way to once again give their self-esteem a boost. Following the ongoing modification of open source crimeware kits and the inevitable innovation introduced by third parties, last week a new layout was introduced for Zeus, once again courtesy of a group that's piggybacking on Zeus popularity.

It's particularly interesting to see how a one-man operation evolves into a group of third-party developers starting to claim ownership rights over the modified versions despite that they're basically brandjacking the Zeus brand and building business models on the top of it.

Open source crimeware and web malware exploitation kits on the other hand undermine the business model of a great number of "malware/spyware for hire" vendors, which surprisingly doesn't stop them from continuing offering their services and products which are often using the de facto crimeware kits as the foundations for their propositions. Are the buyers even aware of this fact? From a buyer's perspective in times when most of the output is sold in bulk form, or access to the botnet rented for a specific period of time, the buyer doesn't care about the cybercrime platform of use, but is looking for transparent ways to justify the investment he's made into renting the service.

Now that Zeus administrators and their cybercrime clerks in the face of those managing the campaigns knowingly or unknowingly knowing the type of campaigns and the data that they manage, can listen to their favorite music within Zeus and choose different layouts for the command and control interfaces while commiting cybercrime, what's next?

Convergence and improved monetization.

Modified Zeus Crimeware Kit Gets a Performance Boost

Mon, 03 Nov 2008 11:12:30 +0000

Oops, they did it again - modifying an open source crimeware kit like Zeus in order to improve its performance, fix previously known bugs, and release the improved administration script for free at the end of October.

It's important to point out that both of these modifications haven't been released by the original author of Zeus, but by third parties filling in the gaps he has left open. The very nature of open source web based malware exploitation kits is one of the key factors for the ongoing convergence of traffic management, exploits serving, ddos, and cybercrime as a service features into a simplified cybercrime platform available on demand.

Following the discovery of a remotely exploitable flaw within Zeus in June -- a flaw affecting Pinch leaked out two months later -- allowing cyberciminals to inject their own credentials and hijack the botnet of other cybercriminals, this modified version claims to have fixed three vulnerabilities within the original Zeus release, namely, a remote file inclusion flaw and two SQL injections within the administration panel. Here's the new CHANGELOG :

"- code improvements and optimizations
- internal data checkings added
- exit() function instead of die()
- echo() function instead of print()
- mysql_affected_rows () changed to mysql_num_rows () everywhere
- all queries are fixed in system or mod .php files
- no text password in the database and clear text password in $_SESSION, cookies authentication is gone and md5 hashes are everywhere
- Geo IP support has been added
- umask () bug fixed, the file has been created (chmoded) with different permissions
- language improvements and pre-installation checks
- checking for php version/safe_mod/open_basedir as you're required to run php 5.1.0 or higher to run it successfully
- fixed sql injection in credentials checking
- GetUserData () function has been rewritten - possible sql injection fixed
- possible remote file inclusion fixed
- socket error definition changed
- gcnt () function has been rewritten so you can use geolication - GeoIP which is free and GeoIPCity which is paid
- ip address checking improved through validIP() function improvement
- all queries are now fixed, input data has been sanitized
- fs () function has been fixed in order to improve the quality of the log names
- formatFilePath () function has been added for file upload purposes
- arbitrary file upload bug has been fixed so that you can now upload only images with original names
- the Log2SQL () function has been changed and stricter data checking/sanitizing is added
- internal file sorting mechanism is improved so that files/dirs are sorted by file modification time"

As it's becoming increasingly clear that what once used to be a proprietary crimeware kits whose business model got undermined by their open source nature and the fact that they've started leaking for average cybercriminals and script kiddies to take advantage of, are today's "open source projects" - and therefore maintaining static lists of exploits and features included within a particular kit is getting even more irrelevant these days. In the long term, the quality assurance processes applied within crimeware kits courtesy of third party cybercriminals, is prone to shift from performance to improving the infection rates.

Modified Zeus Crimeware Kit Comes With Built-in MP3 Player

Mon, 29 Sep 2008 13:55:03 +0000

Modified versions of popular open source crimeware kits rarely make the headlines due to the fact that anyone can hijack a crimeware kit's brand, build and innovate using its foundations, and claim it's a new version released by the original authors. That's of course in between the tiny time frame until he's exposed as the fake author of Zeus that may have in fact came up with a unique feature that the original authors didn't include.

This modified version of Zeus is yet another example of how cybercriminals are actively modifying crimeware kits, literally making such practices as keeping version numbers irrelevant. While the administrator is managing his botnet, he can load local, or tunein the built-in online radio stations the author of this modification included, next to changing Zeus entire graphical layout.

Let's take into consideration another example, the infamous Pinch DIY malware builder, that's been around for over 4 years. With the populist arrest of its authors in 2007, cybercriminals are still innovating on the foundations offered by Pinch, and thanks to its publicly obtainable source code. It's also worth pointing out that these two Zeus and Pinch modifications are courtesy of a single individual, that in between modifications of popular crimeware kits, seems to be busy porting different modules on different malware kits and web based malware, knowingly or unknowingly contributing to the convergence of spamming, DDoS, web based malware, and botnet management kits.

From a sarcastic perspective - what's next? Perhaps a built-in slideshow of random screenshots taken from malware infected desktops in the botnet, or even a pink layout modification for female botnet masters. Customerization, and customer tailored services can make anything happen, and naturally enjoy the higher profit margins.

Two Copycat Web Malware Exploitation Kits in the Wild

Wed, 24 Sep 2008 10:28:37 +0000

We're slowly entering into "can you find the ten similarities" stage in respect to web malware exploitation kits, and their coders continuous supply of copycat malware kits under different names, taking advantage of different exploits combination. Copycat web malware exploitation kits are faddish, however, from a strategic perspective, releasing exploits kits like this one covered by Trustedsource, consisting entirely of PDF exploits, can greatly increase the exploitability level of Adobe vulnerabilities in general.

A similar web malware exploitation kit, once again using only Adobe related exploits is Zopa. Have you seen this layout before? That's the very same layout MPack and IcePack were using, were in the sense of cybercriminals preferring to use much mode modular alternatives these days. Ironically, Zopa is more expensive than MPack and IcePack, with the coder trying to cash-in on its biased exclusiveness and introduction stage buzz generated around it.

The second web malware exploitation kit is relying on a mix of exploits targeting patched vulnerabilities affecting IE, Firefox and Opera, with its authors asking for $50 for monthly updates, updates of what yet remains unknown. Both of these kits once again demonstrate the current mentality of the kit's coders having to do with -- thankfully -- zero innovation, fast cash and no long-term value.

However, modularity, convergence with traffic management kits, vertical integration with cybercrime services and bullet proof hosting providers, advanced metrics, evasive practices, improved OPSEC (operational security), and dedicated cybercrime campaign optimizing staff, are all in the works.

Related posts:
Web Based Botnet Command and Control Kit 2.0
DIY Botnet Kit Promising Eternal Updates
Pinch Vulnerable to Remotely Exploitable Flaw
The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw
The Small Pack Web Malware Exploitation Kit
Crimeware in the Middle - Zeus
The Nuclear Grabber Kit
The Apophis Kit
The FirePack Exploitation Kit Localized to Chinese
MPack and IcePack Localized to Chinese
The Icepack Exploitation Kit Localized to French
The FirePack Exploitation Kit - Part Two
The FirePack Web Malware Exploitation Kit
The WebAttacker in Action
Nuclear Malware Kit
The Random JS Malware Exploitation Kit
Metaphisher Malware Kit Spotted in the Wild
The Black Sun Bot
The Cyber Bot
Google Hacking for MPacks, Zunkers and WebAttackers
The IcePack Malware Kit in Action

Interview with Lenny Heymann, Interop General Manager

Tue, 23 Sep 2008 16:47:39 +0000

Interop General Manager Lenny Heymann, took some time out of his very busy show schedule to talk with us at Interop New York this year.

We chatted about the growth of the show and how much that growth reflects the industry itself. Since the bust earlier in the decade both Interop Las Vegas and New York shows have grown year over year – not just in attendees and exhibitors but in topics covered in the conference tracks. As any of us who are in the space know, it’s a rapidly changing market and Interop strives not just to cover the latest trends but also to get ahead of them while still making sure that they are relevant.

The show’s mission overall has expanded beyond “just” networking to cover performance and new trends like virtualization, cloud computing and SAAS that all affect network performance. It is a mirror for the demands on the network (and network admins) and the convergence we see going on that make managing the network so complex today.

Responding to criticisms about the lack of interoperability at the show, Lenny says, “Our special sauce is interoperability.” And in fact the expanded mission of the show ensures that there are more interoperability issues to deal with and he invites the community to comment and share feedback on this core mission.

Last, we talked about InteropNet. We’ve loved our participation in it this year for a variety of reasons – from the opportunity to work with other cool vendors in an intensive and real-life/real-time environment to the true sense of camaraderie and “getting it done” that everyone shares on the InteropNet team to the wonderful atmosphere of hard work AND hard play that you have to experience to believe.

We talked with Lenny about how he measures InteropNet “success” and the answer was illuminating. They’ve got high expectations at Interop; they expect the network to just work, so the focus is actually not on uptime and SLAs – that’s a given. “Nothing less than perfection works here.” (Let me tell you, after my horrible experience with the super slow and inaccessible network at the VMworld conference, that is definitely not always the case. Maybe InteropNet should sell its services…hmmmm…) Rather, it’s about being able to showcase technologies and strategies for networking and interoperability – or as we’re interpreting that, basically “walking the walk – which in the end is what InteropNet is all about.

See the full video here.

From the Executive Women's Forum on Information Security

Thu, 18 Sep 2008 15:29:34 +0000

The theme of the 2008 Executive Women's Forum on Information Security, Risk Management & Privacy is "risk convergence is inevitable." The risks associated with information security, privacy, physical security and so forth are converging such that an integrated management approach is required from within the firm.

Interestingly enough, business continuity management was not a key risk area mentioned by all panelists of the session titled "Convergence: The Good, The Bad & The Ugly." There were two pieces of strategic program management advice from the panelists. The first point is that you have to partner with all of your lines of business and corporate support areas. Since risk is related to the delivery of the business, no one department can address all of the issues. And, you might find that there are good practices already in place within your firm, so that you are not reinventing the wheel - leverage the good stuff throughout the firm. The second point is to focus on the budget issue - how many risk-related activities are already in place in your organization that could be combined, and possibly duplicated, so that more work gets done with less money spent? Pooling of already limited budgets can go a long way toward developing a program that is more mature, delivers more benefit to the organization and eliminates a lot of duplicative work.

But all of this convergence comes at a price - mainly in fear, uncertainty and doubt of the workforce. Some feel that they will lose authority (especially in siloed risk approaches); others might lose their jobs as a result of the convergence. This human aspect was mentioned as the key challenge of an integrated approach. Therefore, communicating not only up within the firm but down to the workforce is critical to achieving a well-run and integrated program.

And finally, for those areas that just don't want to "play the game," use your internal audit department as the "stick" that can get them to act. When I was an IT risk manager, I always said that I was management's best friend - let me tell you the gaps in your risk program rather than having them come from the audit department, which then become part of the records of the firm.

Network skill level gap is growing, but growth opportunities abound!

Mon, 25 Aug 2008 17:06:07 +0000

A recent IDC report sponsored by the Cisco Learning Institute reveals a huge networking skills gap is emerging in North America, which spells trouble for enterprises. Listen to this: “600,000 IT workers were needed to install, configure, manage and secure networks in North America in 2007, 14% of the total IT workforce.” However, IDC reports that another 180,000 engineers with wireless as well as traditional network engineering experience will need to be added by 2011 to keep pace with advances in technology that is transforming the role of the network.

The convergence of voice and video traffic are quickly transforming the growing complexity of networks at a torrid pace. IDC estimates that the skills gap in VOIP should grow to 19% by 2011.

This changing profile in the role of the network plays a key role in the skills shortage. Network enabled collaboration tools such as social networking apps and the Webex conferencing/collaboration solutions we use in our business each and every day are demanding a new set of IT skills to deliver business value.

My perspective is two-fold on this issue; the first is what I have seen in the resources we have attempted to hire! We give a very straightforward quick written/oral test to all new technical hires. This requires basic networking knowledge and some Unix commands. On average, (after filters from reputable recruiting firms, some with 5-10 years experience) less than 10% pass muster for the first filter we use in our hiring process. This is a troubling fact, which has cost us considerable time and effort to secure the right resources with competent skills. So I can say from our market assessment in a very strong technological job skills market, core Unix and networking foundation skills are slipping.

The second is that we as an IT Operations Management (ITOM) industry need to keep pushing hard to build better proactive and intuitive solutions to aggregate instrumentation from all Data Center tools, including more work around VOIP, video streaming, and collaboration so that we can ease this transition. If ITOM solutions become more proactive across the typical Cisco infrastructure that is commonly installed in the Data Center, we can free up some additional time for advanced “emerging technologies” training where existing IT workers can enhance their core skills and re-invigorate their careers. We have to do a much better job of getting our existing IT professionals trained on emerging technologies!

While there’s less that ScienceLogic can do around training, we certainly strive to do our part to enhance a day in the life of the networking engineers who use our solutions to simplify monitoring of increasingly complex networking, Wireless, VOIP, and collaboration needs.

Underground Multitasking in Action

Mon, 23 Jun 2008 05:20:41 +0000

How many ways in which a malicious party can abuse its unauthorized access to a host, can you think of? In this example of remotely file included web backdoor (web shell), we have a malicious party that's hosting a web spammer, planning to launch a phishing attack impersonating Halifax, locally hosting blackhat SEO junk pages redirecting to rogue security software, redirecting to multiple live exploit URLs through javascript obfuscations, as well as to fake casinos and fake celebrity video sites - all from a single location.

This risk-forwarding process for all the malicious and criminal activities to the owner of the compromised web server is something usual, what's more interesting in this case is the number and diversity of the affiliations this guy has set up in order to monetize the unauthorized access by using all the possible sources of revenues like the ones I pointed on in a previous post regarding increasing monetization of web site defacements.

In fact, he seems to have built enough confidence in the new "hosting provider", that he's even hosting his blackhat SEO advetising services there. The multiple javascript obfuscations hosted locally, point to the following malicious domains which expose all the revenue generating affiliations, and even more malicious doorways :

analytics-google .info/q/urchin.js
209.205.196.16/freehost22/paula2/index.php?id=0271
209.205.196.16/freehost22/paula2/exxe.php?id=0271
crklab .us/index.php
my-page-de .info/in.cgi?2&1400397
tapki .cn/1.html?92465
dificalgot .net/s/in.cgi?2?1121268b0d022308
my-page-de .info?default.cgi
magichotgaming .net
allextra .com/best/go.php?sid=2&tds-parametr1=Taryn+Manning
newextra .com/in.cgi?19&group=allextra
drivemedirect .com/soft.php?aid=0358&d=3&product=XPA securityscannersite .com/2008/3/freescan.php?aid=880358

Sampe detection rate for the casino adware, a reminder on why you shouldn't play poker on an infected table :

Scanners result : 7/33 (21.22%)
Trojan.Casino.466752; W32/Casino.A.gen!Eldorado; Adware.Casino-18
File size: 466752 bytes
MD5...: b0f70441dde5c2b82ba5388f3d566576
SHA1..: 5603b1b972e2cff99d6339fbd8970278f5ff371d

To sum up - with the overall availability of templates for phishing sites, fake video sites, fake security software, as well as the ongoing traffic management tool's convergence with web malware exploitation kits, the opportunity for a malicious party to participate in different affiliate based scams on revenue sharing basis, increases. Therefore, what looked like an isolated attack, is slowly becoming an "attack in between" the rest of the malicious activities lunched by the same party.

Malicious Doorways Redirecting to Malware

Sun, 15 Jun 2008 23:51:11 +0000

Blacklisting malicious sites in times when legitimate ones are starting to compete with bogus .info and .biz ones for the leading position of hosting and serving malicious content, is a bit of an outdated and reactive approach for protecting against unknown threats. However, a single malicious domain whose live exploits can be easily detected and consequently blocked, is often just a front end to a large domains portfolio whose malicious content may easily pass through web filtering and on-the-fly malware attempts. Even worse, a malicious domain often exists in multiple "alternate realities" since a single IP is hosting many other unique and related malware domains.

In this post, I'll assess a misconfigured malicious doorway, that is redirecting to ten different malware sites serving Zlob variants by delivering fake codecs that all the bogus adult sites require. The doorway is misconfigured in the sense of not recording the IP and checking the cookie set, in comparrision to every average web malware exploitation kit out there, which will not serve anything malicious when accessed for a second time since it's hashing the IPs that accessed it already. This is just the tip of the iceberg when it comes to the emerging evasive approaches applied to make the analysis of such doorways a bit more time and resources consuming. In a single sentence - there's evidence blackhat SEO-ers are starting to exchange crawling manipulation know-how with malware authors.

In this example we have bestxvids.info (87.118.116.11) which is reditecting to all-index.com/in.cgi?5 (87.118.116.11) a URL that's been actively spammed across forums and guestbooks vulnerable to automatic posting vulnerabilities (weak CAPTCHAs and web application vulnerabilities) which is then redirecting to the following fake codec domains on the fly, and since the redirection script isn't hashing my IP like the majority of well configured ones requiring the use of multiple IPs if we're to expose all the campaigns, it makes the investigation easier :

tubeuniverses.com/teen/index.php?id=1883 - (78.108.177.99)
new-content-s2008.com/freemovie/938/0/ - (72.21.53.218)
teens.0bucksforpornmovie.com/?id=4199 - (64.28.181.28)
getadultaccess.com/movie/?aff=5310 - (200.63.46.84)
hqtube.com/?7014000000 - (88.85.66.116)
supersharebox.com/softw/?aff=5310&saff=0 - (200.63.46.84)
scanner.shredderscan.com/5/?advid=4329 - (92.241.182.13)
myflydirect.com/1/5310/ - (200.63.46.84)
getadultaccess.com/movie/?aff=5310 - (200.63.46.84)
hotvidstube.com/teen/index.php?id=1883 - (78.108.177.99)
2008-adult-2008.com/freemovie/938/0/ - (72.21.53.218)
s-soft08freeware.com/download/502/938/0 - (91.203.70.18)

Where's the "alternate reality"? All of the following fake codec and adult sites serving Zlob variants, with minor exceptions of course, are also responding to the main IP of the redirector - 87.118.116.11 :

carsfoto.ru
cheapest-pharmacy.com
coolsexmovies.net
free-movie-xxx.net
gold-collection.biz
p-o-r-n-0.com
p-o-r-n-0.info
sexakaporn.com
stred.biz
stred.in
tosserhost.com
west-video-xxx.info
wowtofree.info

Shall we also expose the entire scammy ecosystem of Zlob variants, as always, sharing the same netblocks in order to keep it simple? But of course :

porn-youtube08.net
sextubecodec55.com
2008adult2008.com
adultstreamportal2008.com
newcontent-s2008.com
adultxx-18.com
newcontents2008.com
onlinestreamvide.com
2008adultstreamportal2008.com
newcontents2008.com
hot-pornotube2008.com
adult-youtube-8.com
2008adult-s2008.com
2008adultstreamportal2008.com
adult-freetube-8.com
adult18tube2008.com
adultstreamportal2008.com
free-porntube-8.com
gt-funny.com
gt-movies.com
gt-stars.com
hot-sextube.com
new-content-s2008.com
newcontent-s2008.com
newcontents2008.com
onlinestreamvide.com
porno-tube20008.com
pornotube-20008.com
pornotube20008.com
sex-18tube-2008.com
sex-tube-20008.com
sex-tube20008.com
sex18tube2008.com
sexi18tube2008.com
sextube18adult.com
sextube20008.com
streamadultvideo.com
xxxstreamonline.com

The bottom line - malicious doorways are slowly starting to emerge thanks to the convergence of traffic redirection and management tools with web malware exploitation kits, and just like we've been seeing the adaptation of spamming tools and approaches for phishing purposes, next we're going to see the development of infrastructure management kits, a feature that DIY phishing kits are starting to take into consideration as well.