[SecurityRatty] tag: decode

Copycat Web Malware Exploitation Kit Comes with Disclaimer

Wed, 01 Oct 2008 22:58:01 +0000

Such disclaimers make you wonder what's the point of including a notice forwarding the responsibility for the upcoming cybercrime activities to the buyer, when the seller himself is offering daily updates with undetected bots, and is promising to include new exploits within the kit.

For the time being, this recently released copycat web exploitation malware kit, includes two PDF exploits, IE snapshot, and naturally MDAC, with a DIY builder for the binary. Here's the disclaimer, greatly reminding us of Zeus's copyright notice :

"Purchasing this product, you hold the full responsibility for its usage and for consequences which may have been caused by incorrect usage or the usage with some evil intent or violation of the usage rules. The author excludes the placement of the scripts somewhere on the Internet, you can only place them on localhost, virtual machine or on a test botnet (minibotnet). WARNING! The usage of this product with evil intent leads to the criminal responsibility!"

What happens when the buyer tries to resell the kit? - "If you try to resell, decode, remove the boundaries, you will lose all the support, updates and guarantees." which is surreal considering that the kit is open source one, and just like we've seen with a recent modification of Zeus if it were to include unique features -- which it doesn't -- others would build upon its foundations.

Going through the exploitation statistics of a sample campaign, you can clearly see that out of the 859 unique visits 250 got exploited with outdated and already patched vulnerabilities. Therefore, diversifying the exploits set would have increased the number of exploited hosts.

With IE6 visitors exploited at 46% as a whole, it would be hard not to notice that just like Stormy Wormy's historical persistence of using outdated vulnerabilities, a great majority of today's botnets have been aggregated using old exploits.

Trying to enforce the intellectual property of a malware kit means you're claiming ownership, and therefore the disclaimer becomes irrelevant.

Exposing Indias CAPTCHA Solving Economy

Fri, 29 Aug 2008 13:03:37 +0000

"Are you a Human?" - once asked the CAPTCHA, and the question got answered by, well, a human, thousands of them to be precise. Speculations around one of the main weaknesses of CAPTCHA based authentication in the face of human CAPTCHA solvers, seems to have evolved into a booming economy in India during the past 12 months, with thousands of people involved.

The following article - "Inside India’s CAPTCHA solving economy" aims to expose legitimate data entry workers, whose business models and techniques are in fact used by Russian cybercriminals not only for personal phishing, spamming and malware spreading purposes, but also, to resell the bogus accounts and earn a premium in the process :

"No CAPTCHA can survive a human that’s receiving financial incentives for solving it, and with an army of low-wagedIndia CAPTCHA breakers human CAPTCHA solvers officially in the business of “data processing” while earning a mere $2 for solving a thousand CAPTCHA’s, I’m already starting to see evidence of consolidation between India’s major CAPTCHA solving companies. The consolidation logically leading to increased bargaining power, is resulting in an international franchising model recruiting data processing workers empowered with do-it-yourself CAPTCHA syndication web based kits, API keys, and thousands of proxies to make their work easier, and the process more efficient."

Cybercrime is just as outsourceable as CAPTCHA breaking is these days.

Related posts:
The Unbreakable CAPTCHA
Spam coming from free email providers increasing
Gmail, Yahoo and Hotmail’s CAPTCHA broken by spammers
Microsoft’s CAPTCHA successfully broken
Vladuz's Ebay CAPTCHA Populator
Spammers and Phishers Breaking CAPTCHAs
DIY CAPTCHA Breaking Service
Which CAPTCHA Do You Want to Decode Today?

The Unbreakable CAPTCHA

Thu, 17 Jul 2008 13:05:54 +0000

In response to the continuing evidence of how spammers are efficiently breaking the CAPTCHAs of popular free email service providers in order to abuse their clean IP reputation, and already validated authenticity through the use of DomainKeys and SenderID frameworks, someone has finally came up with an unbreakable CAPTCHA.

If it only weren't a hoax, it would have even solved the human CAPTCHA solvers problem, whose sessions would have probably expired due to their inability to solve it.

Related posts:
Vladuz's Ebay CAPTCHA Populator
Spammers and Phishers Breaking CAPTCHAs
DIY CAPTCHA Breaking Service
Which CAPTCHA Do You Want to Decode Today?

Gmail, Yahoo and Hotmails CAPTCHA Broken

Thu, 03 Jul 2008 04:36:21 +0000

It's one thing to start efficiently registering thousands of email accounts at reputable email providers by automatically breaking their CAPTCHA authentication, and entirely another to build a business model on the top of it next to the opportunity to abuse if for your own malicious purposes. Which is exactly what we have here, an underground service that's selling registered accounts at Gmail, Yahoo, Hotmail and the most popular Russian email providers in the thousands. Once the inventory of registered accounts drops due to someone's purchase, it continues registering one to two email accounts per second.

Gmail, Yahoo and Hotmail’s CAPTCHA broken by spammers :

"Breaking Gmail, Yahoo and Hotmail’s CAPTCHAs, has been an urban legend for over two years now, with do-it-yourself CAPTCHA breaking services, and proprietary underground tools assisting spammers, phishers and malware authors into registering hundreds of thousands of bogus accounts for spamming and fraudulent purposes. This post intends to make this official, by covering an underground service offering thousands of already registered Gmail, Yahoo and Hotmail accounts for sale, with new ones registered every second clearly indicating the success rate of their CAPTCHA breaking capabilities at these services."

Text based CAPTCHA is so broken, that if major web sites whose services are getting abused don't at least try to slow down the efficient approach of breaking it, we are going to see an entire spamming infrastructure build on the foundation of legitimate email service providers.

Related posts:
Vladuz's Ebay CAPTCHA Populator
Spammers and Phishers Breaking CAPTCHAs
DIY CAPTCHA Breaking Service
Which CAPTCHA Do You Want to Decode Today?

Chinese Bloggers Bypassing Censorship by Blogging Backward

Wed, 02 Jul 2008 12:25:19 +0000

With China trying to silence over 30,000 rioters during the weekend, by deleting forum postings and deactivating accounts mentioning the riot, Chinese bloggers have started using a widget they originally came up in order to bypass the "Great Firewall of China" by blogging backward, vertically and horizontally :

"So bloggers on forums such as Tianya.cn have taken to posting in formats that China's Internet censors, often employees of commercial Internet service providers, have a hard time automatically detecting. One recent strategy involves online software that flips sentences to read right to left instead of left to right, and vertically instead of horizontally. China's sophisticated censorship regime -- known as the Great Firewall -- can automatically track objectionable phrases. But "the country also has the most experienced and talented group of netizens who always know ways around it," said an editor at Tianya, owned by Hainan Tianya Online Networking Technology Co., who has been responsible for deleting posts about the riot"

An old-school content obfuscation service that they could take advantage of, offers the opportunity to turn a short message into spam or a fake PGP encrypted file, where both parties can easily decode them to the original.

Spammmic is what I have in mind.

Eavesdropping on Encrypted Compressed Voice

Thu, 19 Jun 2008 02:27:13 +0000

Traffic analysis works even through the encryption:

The new compression technique, called variable bitrate compression produces different size packets of data for different sounds.
That happens because the sampling rate is kept high for long complex sounds like "ow", but cut down for simple consonants like "c". This variable method saves on bandwidth, while maintaining sound quality.

VoIP streams are encrypted to prevent eavesdropping. However, a team from John Hopkins University in Baltimore, Maryland, US, has shown that simply measuring the size of packets without decoding them can identify whole words and phrases with a high rate of accuracy.

The technique isn't good enough to decode entire conversations, but it's pretty impressive.

University of Miami reports stolen tapes affecting patients

Fri, 25 Apr 2008 11:34:41 +0000

Technorati Tag: Security Breach

Date Reported:
4/17/08

Organization:
University of Miami

Contractor/Consultant/Branch:
Archive America Ltd.

Victims:
Medical patients that visited university medical facilities since January 1st, 1999.

Number Affected:
"more than 2 million" (2,000,000+)*

*According to the ComputerWorld report. The University of Miami will be notifying 47,000 people whose data may have included credit card or other financial information regarding bill payment

Types of Data:
Names, addresses, Social Security numbers, health information, and credit card or other financial information

Breach Description:
"A private off-site storage company used by the University of Miami has notified the University that a container carrying computer back-up tapes of patient information was stolen. The tapes were in a transport case that was stolen from a vehicle contracted by the storage company on March 17 in downtown Coral Gables, the company reported."

Reference URL:
University of Miami announcement
The Associated Press via The Florida Times-Union
ComputerWorld

Report Credit:
The University of Miami

Response:
From the online sources cited above:

University of Miami officials last week acknowledged that six backup tapes from its medical school that contained more than 2 million medical records was stolen in March from a van that was transporting the data to an off-site facility.
[Evan] I'm not sure where ComputerWorld came up with the 2,000,000 number. I could only find references to the number 47,000. I went with the 2,000,000 in this report because 47,000 doesn't seem large enough for "Anyone who has been a patient of a University of Miami physician or visited a UM facility at any time since January 1, 1999"

Jacqueline Menendez, vice president of communications at the university, said a vehicle used by Archive America Ltd. to transport the patient data was broken into in downtown Coral Gables, Fla., on March 17.

Thieves removed a transport case carrying the school's computer backup tapes

Archive America waited 48 hours before finally notifying the university on Mar. 19 about the break-in and theft.

The university posted an alert about the incident on April 17, a full month after the backup tapes were stolen.

In a statement, Doctor Pascal J. Goldschmidt, senior vice president for medical affairs and dean of the University of Miami Miller School of Medicine, said, "Even though I am confident that our patients' data is safe, we felt that in the best interest of the physician-patient relationship we should be transparent in this matter."
[Evan] Absolutely a good decision! More organizations should be more transparent in their responses to incidents involving personal information. After all, personal information belongs to the person, not the organization.

Since the incident, Mendendez said that the university temporarily stopped transporting backup data off-site

"At this point, we're not transporting anything until we conduct our own internal evaluation of the incident and see if there's anything that could have been done differently or better,"
[Evan] I like this response.

Coral Gables law enforcement officials, who are investigating the incident, have informed the school that it was likely a "random theft,"

Law enforcement is investigating the incident as one of a series of petty thefts in the area.
[Evan] Interesting that they chose the word "petty".

The stolen backup tapes hold names, addresses, Social Security numbers and health information all patients at university medical facilities since Jan. 1, 1999.

Financial data from approximately 47,000 people may be on the missing tapes

UM says it will notify 47,000 patients by mail whose records may have included credit card or other financial information

After learning about the data breach, the university contacted local computer forensics companies to see if data on a similar set of backup tapes could be accessed.

security experts at Terremark Worldwide Inc. "tried for days" to decode the data but could not because of proprietary compression and encoding tools used to write data to the storage tapes.

“For more than a week my team devised a number of methods to extract readable data from the tapes,’’ said Christopher Day, senior vice president of the Secure Information Services group at Terremark. “Because of the highly proprietary compression and encoding used in writing the tapes, we were unable to extract any usable data.’’

Alan Brill, senior managing director at Kroll Ontrack, who was asked by the University to review the testing that had been done, said: “While the report shows it is not impossible to access the data, in this case there are many barriers that stand between a thief and being able to actually get usable data from the tapes. If the thief cannot cross all of those barriers simultaneously, they can’t access the data.’’ Based on this information, the University believes misuse of the information on the tapes is unlikely.
[Evan] I very much respect Ontrack's views on data recovery. These guys are the experts in data recovery.

"The university feels confident that the person who took [the tapes] doesn't know what they have. Even if they do know what's contained inside, it's very difficult to extract that information,"

The school regularly sends its data off-site as a precaution against hurricanes and other natural disasters.

the University has also established a call center at 1-866-628-4492

Commentary:
Minus the amount of time it took for the school to get the word out (for which there might be good reason), I am impressed with the school's response to this incident. The fact that they chose to consult with two independent "experts" about the risk of disclosure and convincing them to comment publicly was an excellent move. The school's transparency about this incident instills a sense of trust and honesty that could have easily turned the other way. Other organizations could stand to learn a thing or two here. Kudos to the school's management team.

Past Breaches:
Unknown

Irongeek's Infosec Wargame Servers Explained

Sun, 06 Apr 2008 09:50:29 +0000

I updated my post to explain that it was an April 1st joke, and link off to real ways to test your computer security skills. By the way, did anyone decode the QR Code I posted?

Irongeek's Infosec Wargame Servers Explained

Sun, 06 Apr 2008 09:50:29 +0000

I updated my post to explain that it was an April 1st joke, and link off to real ways to test your computer security skills. By the way, did anyone decode the QR Code I posted?

Embedding Malicious IFRAMEs Through Stolen FTP Accounts

Mon, 03 Mar 2008 07:14:01 +0000

Keywords for gaining attention from a marketing perspective for last week - embedded malware, IFRAMEs, stolen FTP accounts, Fortune 500 companies, Russia. Nothing's wrong with that unless of course you're interested in the whole story and the big picture, which wouldn't be excluding the possibility for having a Fortune 500 company's servers acting as C&Cs for a large botnet. Why are Fortune 500 servers excluded as impossible to get hacked at the first place, making it look like that the amount of money spent on security is proportional with the level of security reached? The more you spend does not mean the more secure it gets if you're not allocating the money where they have to be allocated at, in a particular moment of time, given the dynamic threatscape these days.

What's most important to point out about the recent incident of Fortune 500 companies stolen FTP accounts, is that it's "stolen accounting data for sale" as usual, as usual in the sense of the hundreds of other such propositions currently active online. And if we're to use an analogy on its importance as a event, it's like your smell receptors, namely the more you use a particular fragnance, the less you're capable of sensing it since you're getting used to the smell. In this line of thoughts, what's "stolen accounting data for sale as usual" for some, is exclusive event for others. Even worse, it's "slicing the threat on pieces" compared to discussing the "pie" itself. Moreover, the shift from products to services in the underground marketplace is something that's been happening for the past three years, and therefore making it sound like it's been happening as of yesterday, brings the discussion to the lowest possible level - right from the very beginning. Try the following malicious services on demand for instance, demostranting key business concepts such as consolidation, vertical integration, benchmarking -Q&A, and standartization :

Wild Wild Underground

DDoS on Demand VS DDoS Extortion

Malware as a Web Service

Multiple Firewalls Bypassing Verification on Demand

Managed Spamming Appliances - The Future of Spam

Botnet on Demand Service

DIY CAPTCHA Breaking Service

Managed Fast-Flux Provider

Which CAPTCHA Do You Want to Decode Today?

Localizing Cybercrime - Cultural Diversity on Demand

On the other side of the universe :

"The concept of Software-as-a-Service (SaaS) is nothing new, but this is the first time anyone has organized the purchase of FTP login credentials, with additional tools available to help a buyer confirm he's making a smart purchase."

on the other side of the universe on Neosploit's "purpose in life" :

"The information was available for blackmarket trade, along with the NeoSploit version 2 crimeware toolkit, a malicious application specifically designed to abuse and trade stolen FTP account credentials from numerous legitimate companies."

Robert Lemos is however, reasonably pointing out that :

"The tool, which is at least a year old, was described by antivirus firm Panda Software in June 2007."

Key summary points :

- the tool's been around since February, 2007, making it exactly one year old

- it has built-in accounting data validation, pagerank measurement of the sites whose FTP accounting data has been stolen as you can see in the third screenshot attached

- IP Geolocation for the now pagerank-ed sites is also included

- the tool's functions are relatively primitive compared to three other alternative ones that I'm aware of taking advantage of anything by stolen FTP accounts, a logical fad by itself

- the script is officially sold for $25, but as we've seen it in the past with MPack and IcePack, buyers unaware of other outlets for the tool would pay the high-profit margins offered by the seller

- FTP accounting data can be imported, and once verified, a statistical output for the automated process of logging in and embedding the IFRAME is provided

- IFRAMEs are automatically embedded within .php; .html; .asp; .htm extensions

- embedding iframes through stolen FTP accounts is a fad, purchasing and selling shells/web backdoors and huge domain portfolios controlled via Cpanels is a trend, as automatic injection of malicious IFRAMEs through remote file inclusion and remotely exploitable SQL injection vulnerabilities is

Your situational awareness about the emerging threatspace is as always up to the information sources that you use, or still haven't started using. My point is that exposing Pinch in the summer of 2007 despite that the tool's been around since 2004/2005, and exposing this malicious FTP account checker and IFRAMEs embedder in February, 2008, when it hasn't been updated since February, 2007, greatly contributes to the development of a twisted situational awareness. Realizing it or not, with the time, security researchers or intelligence analysts establish a very good sense of intuition about what's happening at a particular moment in time, or what will be happening anytime now. And using stolen FTP accounts for embedding IFRAMEs never picked up as a tactic, compared to using the stolen FTP accounts for hosting blackhat SEO content. Scenario building intelligence, or playing the devil's advocate, it's a mindset only a small crowd possess.