[SecurityRatty] tag: forums

Hunt The Dark Knight

Thu, 04 Sep 2008 02:24:38 +0000

After writing about this website yesterday (and alerting those I know involved in comics, comic forums and news portals), I woke up to see this...

Click to Enlarge

Of course, it's too early to tell if the site has been pulled permanently - but it looks like someone realised there's no point trying to scam a community when they're already waiting for it with a baseball bat.

Thanks to all who put the word around - your honorary vigilante badges are in the post...

A Costly Crush

Tue, 02 Sep 2008 11:24:54 +0000

I've seen a few blog posts over the last couple of days, with people complaining about an application on Facebook charging them crazy amounts of money. Certainly, there's a lot of angry Facebook users out there:

Click to Enlarge

Some more complaints? Sure, I can do that:

There are many, many more like the above comments out there. One slight problem with all of this is that the complaints are scattered across a whole range of different Crush application forums - in short, they're all being blamed, but they can't all be doing this, can they? What's the alternative, though?

A short while ago, I wrote about deceptive advert placements with regards another facebook application. It seems we have a similar situation here, where an "enterprising" Ad network is placing Facebook-style buttons onto installer pages and hoping people will be fooled. As it turns out, it seems to be working. While attempting to install one randomly selected Crush application, I noticed the following advert at the top of the installer splash (highlighted in red):

Click to Enlarge

It's easy to imagine a regular Facebook user thinking this is part of the application install and clicking "Ok". Do that, and you're taken to a site called Amazingchat(dot)net that throws up a fake message regarding you having "7 New Crush Messages" (and uses geolocational technology to point a targeted message your way). If you look like you're in the UK, you'll see this:

Click to Enlarge

Wow, FOUR of my (fake and non-existent) messages are from Sheffield! How about if I look like I'm in the States? You've guessed it....

Windy City, here I come!

Not. It's looking promising so far, though. If we can just go to the next screen and see something utterly useless advertised in exchange for lots of money....

Click to Enlarge

Horoscopes for only ?9 / $15 a week? WOW!

Also, there go your savings.

Could this be the site at the heart of so many complaints? Well, let's quickly check who runs it...

"Sms-helpdesk", eh? I do believe I've seen a long thread concerning people having issues with large bills for phone messages. Indeed, a rep from sms-helpdesk actually appears to be posting there:

Shame it seems some people can't even get through to the supposed helpline. Perhaps "Denise" would be better off tackling the deceptive placement of adverts made to look like installer buttons, not to mention non-existent crush messages based around geolocational targeting?

Just a thought...

Epic Cash Vs Zango - Legal Action Incoming?

Mon, 01 Sep 2008 14:58:06 +0000

Over the last few days I've seen a scan doing the rounds on a couple of adult webmaster sites & forums, like here (Warning: there may be NSFW content on that forum). There's another link here regarding some follow up information which seems to be safe for work, but the forum it links to most definitely isn't. Just a heads up.

Anyway, the source of all the commotion is this scan, the contents of which read:

Epic Cash Files Lawsuit Against Zango and Adult Friend Finder

On August 26, 2008, Epic Cash LLC filed suit against Zango, Inc. and the owners of AdultFriendFinder.com for Unfair Business Practices, Unfair Competition, Tortious Interference with Prospective Economic Advantage, Unjist Enrichment, and Conversion.

Check the scan for full details - the root of the problem seems to be Epic Cash claiming Zango Adware diverted traffic away from Epic Cash websites and "converted Epic Cash's business to their benefit". This could prove to be interesting...

Leave Your Webcam On 24/7? Might Want To Reconsider...

Mon, 01 Sep 2008 11:46:09 +0000

It's nothing new that many hackers use programs that allow them to "spy" on their victims once they've compromised the PC (as long as they have a webcam switched on, of course). Similarly, hacking culture has always had a fascination for memes, incorporating them into part of the design of their latest DDoS tools.

However, the strange obsession with shock memes has now spilled into a "fun" game currently doing the rounds on various hacking sites and forums.

What this involves is hackers compromising a PC, ensuring the victim has a webcam switched on then opening up shock meme websites at the most inopportune moment, recording the moment of impact with the webcam feed. Or, as one guy put it:

If you don't know what Meatspin is, you can probably count yourself lucky. If you still want to know, click here (for an explanation. Not Meatspin itself, though the explanation might be classed NSFW anyway).

Here's a real life example of one such incident, taken from a message board:

Click to Enlarge

Typically, the shock meme website is opened up at full blast, which startles the victim (most sites of this nature loop a piece of music in the background while the, er, action takes place on screen). The bigger the shock, the better. Here's one guy who sounds like he shot about six feet in the air when the meme site fired up in his browser:

Click to Enlarge

This might all sound like fun and games - sort of - but note that the above individual did try to grab the victims credit card details.

Generally, the attacker doesn't interact with the victim (because they want friends, relatives or others to think the victim actually brought the site up themselves) but here's a little trash talk anyway:

At this point, the attacker may or may not grab a screenshot for posterity. I've seen quite a few galleries on sites comprised of people looking shocked at Tubgirl, or being spun round baby right round by Meatspin, and there's no doubt countless others out there floating around. Of course, not everybody is shocked (or indeed impressed) by a shockmeme site popping up on their computer. As an example of that, take this guy:

Full credit to anyone that counters a shockmeme site appearing on their desktop by picking their nose for five minutes. At any rate, the golden rule with this is that the hackers only bother doing this when a webcam is present and left switched on. If there's no webcam, there's no point trying to elicit a response (because for all they know they're popping open 2 Girls and 1 Cup to an empty server room).

Webcams can be a fun tool, but remember to switch them off every now and again or they could come back to haunt you. Of course, depending on the shock meme site deployed (and who happens to be in the room with you at the time), that could be the least of your worries...

The Bot Hunter: An Event Processing Challenge

Fri, 15 Aug 2008 05:35:00 +0000

Recently we penned The Attack of the Spiders from the Clouds where we mentioned how cloud computing infrastructures can be used to stage malicous or accidential network attacks.

Today I challenge our CEP/ESP/EP vendors (or SIs) to create the following solution to detect and block rogue bots on Apache web sites. I will install and test each submitted solution on The UNIX Forums and post the results here.

Here are some basic requirements:

Your solution must run on Linux and be installable and configurable remotely with SSH or HTTP. There will be no physical access to the server. No exceptions.
Preferrably, the configuration can be done with a Web-Based Interface (WBI) - a browser.
Your solution will listen to continuous updates to the Apache2 access log, exact location configurable in your solution, and identify robots ( bots), also known as spiders, from the log.
Your solution will provide a confidence metric, key indicator (KI), for each bot detected, from 0 to 10, where 10 indicates “absolutely a bot,” 0 is “absolutely not a bot.”
Your solution will update the IP address of each bot and KI you identify in a file/table called, for example, ./bot_scorecard.txt where each line is an IP address of a bot, followed by a semicolon (or other delimiter of your choice) and the confidence factor, for example, 10.0.0.1;10 means that 10.0.0.1 is a bot, 100% sure.
Your solution must compare bots detected to a file/table called, for example, ./bots_allowed.txt and ./bots_denied.txt that are in the format IP address/mask, for example 10.0.0.1/24, or 10.0.0.1/32.
If the KI “confidence factor” of the IP address of your detected bot is higher than the tunable “is a bot” KI, then your solution should update the tables/files and then call iptables and block the bot.
It should send an email to one or more email addresses with a message, for example: “New Bot Detected - Confidence 8″ with IP address, etc. in the message. Another example would be an email, “Bot Blocked” - with details, etc.
You cannot automatically block any traffic that is not a bot. Blocking one “non-bot” results in failure, no exceptions.
The Prize: The winner will get their logo (w/link) on this site in a block called “Bot Hunter Winner” (or something like that.)

These are some basic requirements; I don’t want to restrict your thinking or solution, so be creative! Feel free to ask any questions in the comment section of this thread.

Remember, sometimes you may have to manage the state of IP addresses for days, or hours, before you can accurately deterimine if it is a bot based on behavior alone. So, you will need to work with both long and short time windows. Latency is not important. Detection accurate is importance.

Anyone care to submit a solution for testing?

The Russia vs Georgia Cyber Attack

Mon, 11 Aug 2008 15:35:55 +0000

Last month's lone gunman DDoS attack against Georgia President's web site seemed like a signal shot for the cyber siege to come a week later. Here's the complete coverage of the coordination phrase, the execution and the actual impact of the cyber attack so far - "Coordinated Russia vs Georgia cyber attack in progress" :

"Who’s behind it? The infamous Russian Business Network, or literally every Russian supporting Russia’s actions? How coordinated and planned the cyber attack is, and do we actually have a relatively decent example of cyber warfare combining PSYOPs (psychological operations), and self-mobilization of the local Internet users by spreading “For our motherland, brothers!” or “Your country is calling you!” hacktivist messages across web forums. Let’s find out, in-depth. With the attacks originally starting to take place several weeks before the actual “intervention” with Georgia President’s web site coming under DDoS attack from Russian hackers in July, followed by active discussions across the Russian web on whether or not DDoS attacks and web site defacements should in fact be taking place, which would inevitably come as a handy tool to be used against Russian from Western or Pro-Western journalists, the peak of DDoS attack and the actual defacements started taking place as of Friday."

Some of the tactics used :
distributing a static list of targets, eliminate centralized coordination of the attack, engaging the average internet users, empower them with DoS tools; distributing lists of remotely SQL injectable Georgian sites; abusing public lists of email addresses of Georgian politicians for spamming and targeted attacks; destroy the adversary’s ability to communicate using the usual channels -- Georgia's most popular hacking portal is under DDoS attack from Russian hackers.

Some of the parked domains acting as command and control servers for one of the botnets at 79.135.167.22 :
emultrix .org
yandexshit .com
ad.yandexshit .com
a-nahui-vse-zaebalo-v-pizdu .com
killgay .com
ns1.guagaga .net
ns2.guagaga .net
ohueli .net
pizdos .net
googlecomaolcomyahoocomaboutcom.net

Actual command and control locations :
a-nahui-vse-zaebalo-v-pizdu .com/a/nahui/vse/zaebalo/v/pizdu/
prosto.pizdos .net/_lol/

Consider going through the complete coverage of what's been happening during the weeked. Considering the combination of tactics used, unless the conflict gets solved, more attacks will definitely take place during the week.

Pinch Vulnerable to Remotely Exploitable Flaw

Thu, 07 Aug 2008 06:22:01 +0000

In the very same way a cybercrime analyst is reverse engineering and sandboxing a particular piece of malware in order to get a better understanding of who's being it, and how successful the campaign is once access to the command and control interface is obtained, cybercriminals themselves are actively reverse engineering the most popular crimeware kits, looking, and actually finding remotely exploitable vulnerabilities allowing them to competely hijack someone's command and control, and consequently, their botnet. The Zeus crimeware kit, which I've been discussing and analyzing for a while, is the perfect example of how once a popular underground kit start acting as the default crimeware kit, cybercriminals themselves start looking for vulnerabilities that they could take advantage of. And those who look, usually end up finding.

A remotely exploitable flaw allowing cybercriminals to remotely inject a web shell within another cybercriminal's web command and control interface of the popular Pinch crimeware that's been around VIP underground forums since June, 2007, is starting to receive the necessary attention from script kiddies catching up with the possibility of hijacking someone's malware campaign due to misconfigured command and control servers.

With the exploit now in the wild, retro cybercriminals still taking advantege of the ubiqutous command and control interface that could be easily used by other malware rathar than Pinch, "cybercriminals are advised" to randomize the default file name of the gate, and apply the appropriate directory permissions.

Monocultural insecurities are ironically started to emerge in the IT underground with the increasing commoditization of what used to be a proprietary web exploitation malware kit or a banker malware kit, allowing easy entry into the malware industry through the unregulated use of what some would refer to as an "advanced technology" that only a few cybercriminals used to have access to an year ago. Just like legitimate software vendors, authors of crimeware kits are also trying to enforce their software licenses and forbidding any reverse engineering of their kits in order to enjoy the false feeling of security provided by the security through obscurity. The result? Cybercrime groups filing for bankruptcy unable to achieve a positive return on investment due to their intellectual property getting pirated and their inability to enforce the licenses that they issue to their customers.

We're definitely going to see more trivial, but then again, remotely exploitable vulnerabilities within popular crimeware kits, which can assist both the cybercrime analysts and naturally the cybercriminals themselves. For the time being, even the most sophisticated malware campaigns aren't fully taking advantage of the evasive and stealth tactics that the kits, or their common sense allows them to - let's see for how long.

Related posts:
Russia's FSB vs Cybercrime
Crimeware in the Middle - Zeus
The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw
Coding Spyware and Malware for Hire

419 Mail Targets Musicians

Wed, 06 Aug 2008 03:13:03 +0000

One of my musician colleagues received the following email:

------Original Message------
From: smith douglas
Subject: lovely song
Sent: Aug 5, 2008 5:50 PM

Hello Lovely vocalist

I am Olatunji Hassan a music lover and I must say I listened to
your song via the internet and was moved.I lived in the United
States all my life and now I am back in my father land(AFRICA)
I must also lay my emphasis on the fact that I still travel to
us when the country is pretty hot.
I am the C.E.O of Douglas compensations
The compensation company is a company which has gotten the
approval of the Government to dispatch lost funds and recovered
theft funds to individuals who seems to need the funds.
I am using the power bestowed on me by my Government to approve
the sum of 100,000 United states Dollars for you.
your urgent reply is needed in regards to this development.
Olantunji Hassan.

Of course, it's a scam. There are plenty of musicians promoting their music on their websites, blogs, fan sites and forums - which presents scammers with a huge selection of targets to choose from. Be on your guard...

The Attack of the Spiders from the Clouds

Thu, 31 Jul 2008 11:09:19 +0000

We have seen a lot of discussions of cloud computing in the news recently, as a technology to permit “users to access technology-enabled serviceswithout knowledge of, expertise with, nor control over the technology infrastructure that supports them.” This sound great doesn’t it?! Users with little to no IT expertise can log into the cloud and launch 8 instances of a server with the equivalence of 16 high performance CPU cores. However, as we all know, all things, including cool technologies have the potential for both good and evil, opportunity or threat; and cloud computing is no different.

It just so happens that I have been experimenting with Amazon Elastic Computing Services (EC2), documented in Computing in the Clouds with AWS over at The CEP Blog. The server over at The UNIX and Linux Forums has been experiencing some very hardware-limited, high load averages recently. We thought we should take a look at moving the forum server up to the clouds.

Then, a fellow system admin over at the forums suggested that maybe some rogue bots were causing high server loads; so I wrote a one-line command to do a bit of real-time spider hunting in the Apache2 logfiles. Surprise! I found there were a number of rogue, hungry spiders that would not follow our robots.txt directive not to crawl the site. One of the bots was from Russia, one was from China, and another one was from Korea. There were spiders from places I never heard of, all consuming precious resources and denying our users!

So, I did what any Linux admin would do. I used iptables to block the networks of these rogue, hungry, spiders (sorry I was not very kind to these cyber creatures). It probally comes to no surprise at this point in the story that four of the spiders were from the Amazon EC2 cloud. Here is a sample of the output from iptables -L:

root@www:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all — ec2-67-202-45-0.compute-1.amazonaws.com/24
DROP all — ec2-75-101-243-0.compute-1.amazonaws.com/24
DROP all — ec2-75-101-197-0.compute-1.amazonaws.com/24
DROP all — ec2-75-101-213-0.compute-1.amazonaws.com/24

Well, imagine a not-so-distant future dystopian world where criminals or terrorists want to launch a massive denial-of-service attack against some critical infrastructure, like the root DNS servers, or an attack against major financial institutions, military or e-commerce sites.

First, the bad guys create an instance of powerful operating system with a malicious network application, they test it, and they place it the cloud (without invoking the instance, paying a very small storage fee, no computing time fee) and they wait. Then, at the precise moment of their planned attack, they launch 128 instances each with the equivalence of whatever is the mega-platform at the time, and just blast away at their attack target(s). Even more damaging, they do this from many cloud computing infrastructures. (Note: The cost of the attack is minimal because the criminals are only charged a few pennies an hour for each running instance and the attack runs an hour or two.)

My experience with cloud computing, which is still maturing, is that cloud computing has great promise for both good and evil. The very real example of the “spiders from the clouds” is a harmless enough story of folks using a cloud computing infrastructure for web crawling, perhaps hoping to be the next Google billionaires.

One the other hand, cloud computing brings with it an emerging and growing danger for the misuse of the power of cloud computing infrastructures. The misuse could be malicious, or accidental, but never-the-less, the danger is real.

What an interesting world we have created! Would would have ever dreamed 10 years ago that we could be attacked by ……

#include

…. Spiders from the Clouds.

Reprinted by permission from The Attack of the Spiders from the Clouds by Tim Bass, CISSP

Computing in the Clouds with AWS

Fri, 25 Jul 2008 05:34:14 +0000

The admin team at The UNIX Forums have been considering moving the UNIX and Linux Forums to the clouds - the Amazon Web Services (AWS) cloud. Amazon EC2 is one option to scale the forums, which is a LAMP application.

Amazon EC2 allows us to rent dedicated servers (instances) on-demand to run applications, such as the forums. Then we can run and host on EC2 any Linux application; but unlike classic hosting where folks install your application and set up your server for you, Amazon Web Services provide only the infrastructure.

Here are some links about AWS:

Maybe you will elevate your event processing application to the clouds?