[SecurityRatty] tag: domain

Anti-theft Protocols

Wed, 03 Sep 2008 12:18:14 +0000

At last Friday’s Security Group meeting, we talked about security protocols that are intended to deter or reduce the consquences of theft, and how they go wrong.

Examples include:

GSM mobile phones have an identifier for the phone (separate from the identifier for the user) that can be blacklisted when the phone is stolen.
Some car radios will stop working when the battery is disconnected, and only start working again when a numeric code is entered. This is intended to deter theft of the radio.
In Windows Vista, Bitlocker can be used to encrypt files. One of the intended applications for this is that if someone steals your laptop, it will be difficult for them to gain access to your encrypted files.

Ross told a story of what happened when he needed to disconnect the battery on his car: the radio stopped working, and the code he had been given to reactivate it didn’t work - it was the wrong code.
Ross argues that these reactivation codes are unecessary, because other measures taken by the car manufacturers - such as making radios non-standard sizes, and hence not refittable in other car models - have made them redundant.

I described how the motherboard on a laptop had needed to be replaced recently. The motherboard contains the TPM chip, which contains the encryption keys needed to decrypt files protected with Bitlocker. If you replace the motherboard, the files on your hard disk will become unreadable, even if the disk is physically OK. Domain-joined Vista machines can be configured so that a sysadmin somewhere within your organization is able to recover the keys when this happens.

Both of these situations suffer from classic usability problems: the recovery procedures are invoked rarely (so users may not know what they’re supposed to do), and, if your system is configured incorrectly, you only find out when it is too late: you key in the code to your radio and it remains a doorstop; the admin you hoped was escrowing your keys turns out not to have the private key corresponding to the public key you were encrypting under (or, more subtly: the person with the authority to ask for your laptop’s key to be recovered is not you, because the appropriate admin has the wrong name for the laptop’s owner in their database).

I also described what happens when an XBox 360 is stolen. When you buy XBox downloadable content, you buy two licenses: one that’s valid on any XBox, as long as you’re logged in to XBox live; and one that’s valid on just your XBox, regardless of who’s logged in. If a burglar steals your Xbox, and you buy a new one, you need to get another license of the second type (for all the other people in your household who make use of it). The software makes this awkward, because it knows that you already have a license of the first type, and assumes that you couldn’t possibly want to buy it again. The work-around is to get a new email address, a new Microsoft Live Account, and a new Gamer Tag, and use these to repurchase the license. You can’t just change the gamertag, because XBox live doesn’t let the same Microsoft Live account have two gamertags. And yes, I know, your buddies in the MMORPG you were playing know you by your gamertag, so you don’t want to change it.

My First Rogue Cleaner Popup Of The Month

Mon, 01 Sep 2008 04:24:51 +0000

Click to Enlarge

...courtesy of Secureonlinetags(dot)com, seemingly associated with popups from rogue antispyware hijacks. The feedback isn't particularly positive on Siteadvisor either, so you might want to block this domain.

Fake Security Software Domains Serving Exploits

Thu, 28 Aug 2008 02:41:10 +0000

Psychological imagination, "think cybercriminals" mentality or scenario building intelligence, seem to always produce the results they are supposed to. On Monday, I pointed out that :

"Ironically, the participant in the affiliate program whose original objective was to drive traffic to the fake security software's site, may in fact start receiving so much traffic due to the combination of traffic acquisition tactics, that introducing client-side exploits courtesy of a third-party affiliate network, may in fact prove more profitable then the revenue sharing partnership with the rogue security software's vendor at the first place."

The next day, client-side exploits start getting introduced "in between" the fake security software sites :

"I've blogged before about the problem of Google Adwords pushing Antivirus XP Antivirus 2008. The situation is still ongoing. However, it's taken a turn for the worse, as these XP Antivirus pages are pushing exploits to install malware on the users system. This will also affect the many syndicators of Google Adwords."

The domain in question bestantivirus2009.com - (68.180.151.21) is hosting the binary at bestantivirus2009 .com/setup_1096_MTYwM3wzNXww_.exe and has an IFRAME pointing to huytegygle .com/index.php (200.46.83.246).

Here's another example antivirus0003.net with an IFRAME pointing to a different location - 124.217.250.85 /~ave/etc/count.php?o=16.

Despite that these domains are part of the "International Virus Research Lab" fake domains portfolio, it remains to be seen whether others will start multitasking as well.

Magic Quadrant for IT Event Correlation and Analysis, 2007

Tue, 26 Aug 2008 11:04:05 +0000

I often get asked that if the current self-decribed CEP vendors are not doing “real CEP,” in my opinon, who are the vendors in the CEP space?

At the moment, event correlation and event analysis is Gartner’s closest magic quadrant (MQ) that relates directly to complex event processing (and event processing in general).

A number of our friends and colleagues would like to position CEP as BRE, BRMS, BPM, SOA, algo trading and just about every other technology under the sun, except event correlation!

In a nutshell, the state-of-the-state of CEP/EP is that a number of firms in the software industry have found some “uncharted magic quadrant waters” and are positioning themselves to be “chart worthy”. Instead of competing head on with the experienced players (event correlation and analysis) that have been in the event processing field for many years.

As I have mentioned a few times here on The CEP Blog, if the current generation self-described CEP engines were leading the industry in event correlation and analysis (CEP’s core technology domain) they would be either be on Gartner’s Magic Quadrant for IT Event Correlation and Analysis, or possibly acquired by a one of these large giants in event processing to solve complex event processing and event correlation problems that remain, for the most part, still unsolved!

Fake Porn Sites Serving Malware - Part Three

Tue, 26 Aug 2008 05:02:26 +0000

Continue the Fake Porn Sites Serving Malware and Fake Porn Sites Serving Malware - Part Two series, in part three we'll take a peek at the emerging trend of parking a single domain at up to three different hosting locations, re-establishing connections between malicious ISPs for yet another time in between exposing the domains and the download locations sharing the same IPs.

downlfreesexgirlbeach .com first redirects to infodist1 .com/in.cgi?2 then to watchnenjoy.com/index.php?id=1314&style=black, and finally to the front end to the codec's download location handmadeclips .com, where the codec is downloaded from fwlprocedure .com. Behind these domains, we can easily expose many other fake porn sites and pharmaceutical scams, next to a small portfolio of domains specifically used for hosting the binaries. Due to the obvious rotation I've encountered several times so far, a fake porn site today, is tomorrow's blackhat SEO content farm :

downlfreesexgirlbeach .com - (88.214.198.25)
vids365 .com
downlfreesexgirlbeach .com
top.only-bi .com
wikiei .com
paysuperporn .com
aboutsexporn .com
freactor .com
cheapofficialpills .com
finance-leaders.comnudenakedboys .com
photosgayboys .com
uniqueincest.com
shyincest .com
banrnd.central-xxx .com
tvisklick .info
thebg .net
termion .net
xoxvids .net
bestpricepills .net
bcodecnow .net

infodist1 .com - (88.214.204.40)
farmasearch2008 .com
flaxxvid .com
xanax777pills .com
18virgingirls .com
girlnudegallaryvideox .com
allxxxpornogerlsx .com
jproshin .info
familytaboo .info
fullsitehost .info
20searchonlinesite .net
add-your-video .net
blogs4y .net

adult-shemale .com - (88.214.198.25)
adult-tranny .com
all-shemale .com
bcodecnow .net
best-tranny .com
bestguyportal .com
bestmoviez .com
central-xxx .com
downlfreesexgirlbeach .com
gallery-boy .com
hiosexywomensxxxgirlsx .com
lady-dick .com
bcodecnow .net
mytoppharmacy .com
nakednudeboys .com
nakednudemen .com
nudenakedboys .com
only-bi .com
only-shemale .com
page-reviews .com
paulaslosingit .com
photosgayboys .com
stud-boys .com
the0download .com
wikiei .com
moviez .com
hiosexywomensxxxgirlsx .com
sexygirlsisuniformh0t .com
the0download .com

flwprocedure .com - (77.91.231.201)
movupdate .com
flwupdate .com
formatmpeg .com
movieexternal .com
flwtool .com
aviexecution .com
releasedvideo .com
wmvcompressor .com
movieopens .com
mpegapparatus .com
flwassistant .com
flwinstrument .com
piterserv .com
wovview .com

Some info on a sample codec :
Scanners Result: 11/36 (30.56%)
Trojan-Downloader.Win32.Zlob.cos
Trojan.Popuper.7315
File size: 10240 bytes
MD5...: 467e4e78974dc8b2ee5d7da024daf31a
SHA1..: 311e0c710bb15761ef3dace54b55489830cf5803

Phones back to 69.50.164.50/this/is/stereo/music.php?param=0;1314;1550; 69.50.164.50/this/is/stereo/jazz.php?param=49325611;2:191:5|7:271:0|6:130:0|9:0:5|34:65536:0 and to 85.255.119.244/this/is/stereo/music.php?param=0;4135;1548.

When Emil Kaperski's owned InterCage, Inc. (69.50.164.50) meets UkrTeleGroup Ltd. (85.255.119.244) previously known as Andrei Kislizin's owned InHoster, you know you're on the right track.

A Diverse Portfolio of Fake Security Software - Part Four

Mon, 25 Aug 2008 01:58:02 +0000

Thanks to the affiliate based business model that's driving the increase of fake security software and rogue codecs serving domains, the very same templates, but with different domain names, continue appearing in blackhat SEO, spam, and malicious doorways redirection campaigns.

Moreover, with the "time-to-market" of a fake security software decreasing due to the efficiency approach introduced in the form of tips for abuse-free hosting services provided by the "known suspects", and the freely available templates, we're slowly starting to see the upcoming peak of this approach.

In a true proactive spirit, the domains parked at 216.195.56.88 are all upcoming fake security software, to be introduced anytime soon.

fast-pc-scanner-online .com - (92.62.101.41; 91.203.92.48; 91.203.92.106; 58.65.238.171)
top-pc-scanner .com
buy-secure-protection .com
security-scan-pc .com
pc-scanner-online .com
viruses-scanonline .com
virus-scanonline .com
antivirus-scanonline .com
topvirusscan .com
virusbestscan .com
best-security-protection .com
infectionscanner .com
virusbestscanner .com
full-protection-now .com

Pwrantivirus .com - 91.208.0.246
vav-x-scanner .com
vav-scanner .com
scanner.vavscan .com
malware-scan .com
Scanner-Pwrantivirus .com
Xpertantivirus .com
Scanner-xpertantivirus .com

spyware-quickscan-2008 .com - (216.195.56.88)
virus-quickscan-2008 .com
spyware-quickscan-2009 .com
virus-quickscan-2009 .com
winmalwarecontrol .com
antispyware-quick-scan .com
virus-quick-scan .com
antivirus-quick-scan .com
winprivacytool .com

topantispyware2008 .com - (216.195.56.86)
cleanermaster .com - (216.195.56.85)
antivirus777 .com - (67.228.120.3)
pcsecuritynotice .com - (67.228.120.3)

Whereas the average Internet users are falling victims into this type of fraud, what I'm more concerned about is the large traffic the malicious domains receive in general due to all the different traffic acquisition tactics the people behind them apply. This anticipated traffic can then be greatly used as valuable metrics for the many other malicious ways in which it can be monetized.

Ironically, the participant in the affiliate program whose original objective was to drive traffic to the fake security software's site, may in fact start receiving so much traffic due to the combination of traffic acquisition tactics, that introducing client-side exploits courtesy of a third-party affiliate network, may in fact prove more profitable then the revenue sharing partnership with the rogue security software's vendor at the first place.

Related posts:
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Localized Fake Security Software
Diverse Portfolio of Fake Security Software
Got Your XPShield Up and Running?
Fake PestPatrol Security Software
RBN's Fake Security Software
Lazy Summer Days at UkrTeleGroup Ltd
Geolocating Malicious ISPs
The Malicious ISPs You Rarely See in Any Report

Fake Celebrity Video Sites Serving Malware - Part Two

Wed, 20 Aug 2008 21:52:00 +0000

Malicious parties remain busy crunching out domain portfolios of legitimately looking celebrity video sites. The very same templates used on the majority of fake celebrity video sites which I exposed in a previous post, remain in circulation with anecdotal situations where they aren't even bothering to match the site's logo with the domain name -- it would ruin the malicious economies of scale approach. And since centralization to some, an laziness to others, remains in tact, the fake security software and fake codecs served remain once parked at the same IP as the fake celebrity sites which I'll expose in this post.

starfeed1 .com - (85.255.117.218)
codecservice1 .com
siteresults1 .com
codecservice6 .com
celebs69 .com
topdirectdownload .com
sexlookupworld .com
favoredtube .com
yourfavoritetube .com
wwvyoutube .com
celebsnofake .com
celebsvidsonline .com
celebstape .com
freevidshardcore .com
topsoftupdate .com
porndebug .com
newfunnyvideo .com
bestfunnyvids .com
pornmoviestube .net

worldstars2008 .com - (79.135.167.54)

antivirus2008-pro .name
antivirus-2008pro .name
antivirus2008pro .name
antivirus2008pro-download .org
antivirus-2008-pro .org
antivirus2008-pro .org
antivirus-2008pro .org
antivirus2008pro .org
thesoft-portal-08 .com
stars-08 .com
thestars-08 .com
thebigstars-08 .com
funny-08 .com
realonlinevideo-2008 .com
2008-adult-2008 .com
adult18tube2008 .com
adultstreamportal2008 .com
2008-adult-s2008 .com
new-content-s2008 .com
newcontent-s2008 .com
worldstars2008 .com
thestars2008 .com
thebigstars2008 .com
newcontents2008 .com
18x-adult2008 .com
2008adult2008 .com
adult-x2008 .com
hotadulttube08 .com
adultxx-18 .com
newcontent-s2008a .com
antivirus2008pro-download .com
onlinestreamvide .com
onlinestreamvide .com
ns2.onlinestreamvide .com
xxxstreamonline .com4
supersoft21freeware .com
kvm-secure .com
kvmsecure .com
themusic-08portal .com
adultstreamportal .com
streamxxxvideo .com
antivirus-2008-pro .com
antivirus2008-pro .com
antivirus-2008pro .com
thefunny-08 .com
thestars-08 .com
thestars08 .com
celebsnofake .com
adult-s-portal .com
adultsoftcodec .com
adultstreamportal .com
adultxx-18 .com

And while none of these seem to be taking advantage of client-side exploits, a Russian celebrity site that seems to by syndicating the malicious redirectors from a legitimate advertising network, is an exception worth point out due to the Adobe Flash player exploit it's attempting to take advantage of.

Bestcelebs .ru javascript redirectors through several different doorways :

crklab .us/index.php => firstblu .cn/3.php?19383577 => xanjan .cn/in.cgi?mytraf => atomakayan .biz/afterftpcheck/2603/index.php =>
toksikoza .net/fi/index.php?mytraf => toksikoza .net/fi/1.swf

What you see is so not what you get.

Experts: Bush Administration is Not Fixing DNS Security Hole

Thu, 14 Aug 2008 16:10:08 +0000

Despite a recent high profile vulnerability that showed the net could be hacked in minutes, the domain name system -- a key internet infrastructure -- continues to suffer from a serious security weakness, thanks to bureaucratic inertia at the U.S. government agency in charge, security experts say.

EPTS: An Event Processing Marketing Society (EPMS)

Wed, 13 Aug 2008 04:02:57 +0000

A number of months ago we posted Some Comments on the EPTS Member Agreement where we concluded, in summary:

“I have quite a few other concerns the with EPTS Member Agreement. Basically, the agreement needs to be written with an eye toward a more flexible, open and inclusive process that puts the future of the EPTS square into the hands of the event processing community, not a small group of well intended folks who represent a small part of the overall event processing community and worldview.”

Opher’s reply was to just dismiss these comments, a bit surprising since I served the CEP/EP community on the EPTS steering committee; worked quite hard as a matter of fact, for a number of years. Opher’s appreciation for the years of work is to just off-handly dismiss my comments.

Then in On faithfull representation and other comments and On Top Down and Bottom Up Opher does the same thing, he simply dismisses my comments, defensively, adding humor, sarcasm and fallacy.

I am sorry Opher is so defensive of his narrow society; however I will not yield, because I do not need to resort to sarcasm, fallacy and ad hominums; the facts obviously support my view. For proof that Opher has a narrow view of event processing, go no further than look at the companies he hand-picked for his EPTS Steering Committee; most startups (or with startup products) in the event processing space, working on common messages to distinguish themselves in a market with much more mature players excluded - classic “not invented here,” isn’t it?

Opher’s claims the EPTS view on event processing is quite general, but the majority of vendors on the EPTS Steering Committee members are selling similar platforms, a very narrow segment of the CEP/EP space. Opher claims that he agrees that other domains (like sensor fusion) are significant to CEP/EP, but he simply dismisses my advice to create a true, general EPTS, inclusive of the prior-art and science of CEP/EP (before the marketing folks took over). He insists on having the EPTS “reinvent the wheel” and develop their own vocabulary, as if event processing did not exist prior to one book on CEP.

Opher’s fun-to-read blog counterpoints to my concerns are evolving to a mixture of ad hominums and sarcasm, sometime wrapped in a defensive tone. I think we can do better and we must be more inclusive of the other prior-art. I say we, because I am also a founding member of the EPTS, althought I suspect Opher will banish my name from the membership for trying to diminish the “not invented here” attitude that seems to dominate the EPTS since inception.

The truth of the matter is that the EPTS has a relatively narrow view of event processing, evident by the makeup of the steering committee and the focus of their discussions. It is not a technical society about event processing, per se; it is a marketing society with a narrowly focused membership that discounts most of the prior-art in the event processing space, it is really, an Event Processing Marketing Society (EPMS) for a narrow group of niche players.

The event processing domain is much, much larger. The art-and-science of event processing is deep and mature, much more mature (and inclusive) than what we see in the EPTS.

I think Opher (and the EPTS committee) should take these comments seriously and not discount them with sarcasm and subtle ad hominum replies.

ICANN/IANA Offer DNS Domain Test

Thu, 07 Aug 2008 07:21:10 +0000

ICANN has announced a test page, on the IANA site, to test if a domain is vulnerable to the Kaminsky DNS source port vulnerability. Click here to go to the test page. IANA also is providing a FAQ on the bug that has a lot of useful information without digressing into attack details, as so many other writeups do. This FAQ is focused on explanation and practical advice for IT. There is good advice in it, such as pointing out that authoritative name servers should never be configured also to provide recursive name service. This bug is a perfect example of why.