[SecurityRatty] tag: minor

Run Through PCI DSS 1.2 Changes

Tue, 26 Aug 2008 07:38:00 +0000

Finally, I found time to read PCI DSS 1.2. change doc. So:

Good news: router is now officially a firewall (it has been for a while, but many people are still stuck in "security device" vs "network device" cloud) - see Req 1
From the "WTH dept": anti-virus is a MUST on ALL platforms - Req 5. Please ship me some of the stuff they are smoking; I want it! BTW, I am going to Amsterdam soon :-)
WAF or code review for web application security is still a stupid "OR" - Req 6.6. OMG, please, software security folks, teach them the truth.
Can we kill "plain text passwords" once and for all? Req 8 tries to achieve that noble goal (good thing!)
Visit your offsite data storage - good (if costly) idea - added to Req 9. Requirements to secure electronic AND paper media are solid too.
Love it, love it! Req 10 explains that logs needs to be actually available: 'three months of audit trail history must be “immediately available for analysis” or quickly accessible' (bye-bye, silly log dumps...)
Some vulnerability stuff clarified in Req 11, mostly about ASVs and pentesting.
Scope of security policy is expanded to "employee-facing technologies" (what a term!) - Req 12
All over: more references to wireless (WEP, access points, hidden SSIDs, etc) - indeed, recent data losses are often due to insecure wireless.

Overall, a minor change that, sadly, doesn't touch a few KEY areas, such as virtualization, for one.

PCI Compliance: Reaction to the Summary of Changes

Mon, 18 Aug 2008 20:00:00 +0000

On August 18 the PCI Security Standards Council formally announced (http://www.pcisecuritystandards.org/pdfs/08-18-08_2.pdf) forthcoming changes to the Payment Card Industry's Data Security Standard (PCI DSS) as it moves from version 1.1 to version 1.2 in October 2008. The release represents the first major update since September 2006.

What's my take on the summary of changes? Most merchants will be pleased to see that these are relatively minor changes...

Summarizing July's Threatscape

Fri, 01 Aug 2008 12:08:24 +0000

July's threatscape -- consider going through June's summary as well -- once again demonstrated that nothing is impossible, the impossible just takes a little longer where the incentive would be the ultimate monetization of the process.

Russian hacktivists attacking Lithuania and Georgia, several Storm Worm campaigns, a couple of new malware tools, Neosploit team abandoning support for their web malware exploitation kit, CAPTCHA for several of the most popular free email providers getting efficiently attacked in order to resell the bogus accounts registered in the process, several copycat SQL injects next to the evasion techniques applied by the copycats, botnets continuing to commit click fraud and generate revenue for those who own or have rented them, an infamous money mule recruitment service taking advantage of the fast-fluxed network provided by the ASProx botnet - pretty interesting month indeed.

01. Decrypting and Restoring GPcode Encrypted Files -
The GPcode authors read the news too, and are catching up with the major weaknesses pointed out in their previous release in order to come with a virtually unbreakable algorithm. And since more evidence of who's behind the GPcode ransomware was gathered, vendors and independent researchers realized that the latest release is also susceptible to a plain simple flaw, namely the encrypted files were basically getting deleting and not securely erased making them fairly easy to recover.

02. Chinese Bloggers Bypassing Censorship by Blogging Backward -
When you know how it works, you can either improve, abuse or destroy it in that very particular order. Chinese bloggers are always very adaptive in respect to spreading their message by obfuscating their messages in a way that common keywords filtering software wouldn't be able to pick them.

03. Gmail, Yahoo and Hotmail’s CAPTCHA Broken -
This has been an urban legend for a while, but with more services starting to offer hundreds of thousands of pre-registered accounts at these providers, it's surprising that spam and phishing emails coming from legitimate email providers is increasing. The "vendors" behind these propositions are naturally starting to "vertically integrate" by offering value-added services for extra payments, namely, scripts to automatically abuse the pre-registered accounts for automatic registration of splogs and anything else malicious or blackhat SEO related.

04. The Antivirus Industry in 2008 -
If it were anyone else but a security vendor to come up with such a realistic cartoon aiming to stimulate innovation by emphasizing on how prolific and sophisticated malware groups have become, it would have been a biased cartoon. However, this one is courtesy of a security vendor, and it's pretty objective.

05. Lithuania Attacked by Russian Hacktivists, 300 Sites Defaced -
This attack is a good example of a decent PSYOPS operation. Of course they have already build the capabilities to deface and even execute DDoS attacks against Lithuania, so why not put them in a "stay tuned" mode, by speculating on the upcoming attack and then executing it making it look like they delived what they've promised? This a lone gunman mass defacement given that the sites were all hosted on a single ISP, with no indication of any kind of coordination whatsoever. The same for the Georgia President’s web site which was under DDoS attack from Russian hackers later this month. Despite that the hacktivists behind it dedicated a separate C&C for the attack, one that hasn't been used in any type of previous attacks so far, they did a minor mistake by using a secondary command and control location that's known to have been connected with a particular "botnet on demand" service in the past. The second attack once again proves that you don't need to build capacity when you can basically outsource the process to someone else.

06. The ICANN Responds to the DNS Hijacking, Its Blog Under Attack -
The ICANN finally issued a statement concerning the DNS hijacking of some of their domains, which is in fact what Comcast.net and Photobucket.com should have done as well, next to stating it was a "glitch". The ICANN also took advantage of the moment and also pointed out that their blog has also been under attack during the month. There's no better example of how the combination of tactics can result in the hijacking of the domains of the organizations implementing procedures aiming to protect against these very same attacks. And while Photobucket.com remained silent during the entire incident, the hosting provider that was used by the Netdevilz team in the two attacks, since they were also responsible for the ICANN and IANA DNS hijackings, technological and social engineeringissued a statement.

07. The Risks of Outdated Situational Awareness -
Security vendors are often in a "catch-up mode" and if I were an average Internet user not knowing that real-time situational awareness speaks for the degree to which my vendor knows what going on online, I'd be pretty excited. However, I'm not. Prevx were catching up with a service which I covered approximately two months ago, I even had the chance to constructively confront with one of the affected sites on how despite their security measures in place, this attack was still possible. Recently Prevx have once again demonstrated an outdated situational awareness by coming across a banking malware in July 2008, whereas the malware has been around since July 2007, and earlier depending on which version you're referring to.

08. Fake Porn Sites Serving Malware - Part Two -
Yet another domain portfolio of fake porn sites serving rogue codecs and live exploit URLs, just the tip of the iceberg as usual, however their centralization is greatly assisting in tracking them down.

09. Storm Worm's U.S Invasion of Iran Campaign -
Stormy Wormy is once again making the headlines with their ability to actually make up the headlines on their own.

10. Mobile Malware Scam iSexPlayer Wants Your Money -
The best scams are the ones to which you've personally agreed to be scammed with without even knowing it. Like this one, which was tracked down and analyzed a couple of hours once a uset tipped on it.

11. The Template-ization of Malware Serving Sites -
The increase of fake porn and celebrity sites is due to the overall template-ization of these, with the people behind them basically implementing several malicious doorways to ensure that the domains get rotated on the fly. Despite that they all look the same, they all sever different type of malware, and zero porn of celebrity content at all except the thumbnails.

12. Violating OPSEC for Increasing the Probability of Malware Infection -
No better way to expose your affiliations and several unknown bad netblocks so far, by adding the netblocks and the malicious domains as trusted sites upon infecting a PC with the malware. Of course, the usual suspects lead the "trusted netblocks".

13. Monetizing Compromised Web Sites -
Several years ago, a script kiddie would install Apache on a mail server, they claim that they defaced it. Today, these amusing situations are replaced by monetization of the compromised sites, by reselling the access to them to blackhat SEO-ers, malware authors, phishers, or personally starting to manage a scammy infrastructure on them, by earning money on an affiliate based model, like this particular attack.

14. Malware and Office Documents Joining Forces -
A recent DIY malware kit, sold as a proprietary tool basically crunching out malware infected office documents, whose built-in obfuscation makes them harder to detect. It will sooner or later leak out, turning into a commodity tool, a process that's been pretty evident for web malware exploitation kits as well.

15. Are Stolen Credit Card Details Getting Cheaper? -
Depends on who you're buying them from, and whether or not they offer discounts on a volume basis, namely the more you buy the cheaper the price of a card is supposed to get. With the current oversupply of stolen credit card details, what used to be an exclusive good once where they could enjoy a higher profit-margin, is today's commodity good.

16. The Neosploit Malware Kit Updated with Snapshot ActiveX Exploit -
Since alll the web malware exploitation kits are open source, and leaked in the wild at large, their modularity allows everyone to easily embed any type of exploit that they want to, resulting in Neosploit's single most beneficial feature, the fact that certain versions include all the publicly available exploits targeting Internet Explorer, Firefox and Opera. Moreover, the open source nature of the kit is resulting in a countless number of modified versions yet to be detected and analyzed, therefore keeping track of the exploits included in a malware kit can only be realistic if you take into considered the exploits that come with the default installation.

17. Obfuscating Fast-fluxed SQL Injected Domains -
Now that's a very good example of different tactics combined to attack, ensure survivability, and apply a certain degree of evasion in between.

18. The Unbreakable CAPTCHA -
There's never been a shortage of ideas, there's always been an issue of usability.

19. The Ayyildiz Turkish Hacking Group VS Everyone -
That's a pretty inspiring mission if you are to ensure your future in the next couple of years, by targeting everyone, everywhere that has ever publicly stated their disagreement with the Turkish foreign policy.

20. Money Mule Recruiters use ASProx's Fast Fluxing Services -
A true multitasking in action with a botnet that's been crunching out phishing emails, SQL injecting and now hosting a well known money mule recruitment service.

21. SQL Injecting Malicious Doorways to Serve Malware -
Constantly switching tactics and combining different ones to achive an objective that used to be accomplished by plain simple techniques, is only starting to take place. In this case, instead of a hard coded SQL injected domain, we have the typical malicious doorways the result of the converging traffic management tools with web malware exploitation kits.

22. Impersonating StopBadware.org to Serve Fake Security Warnings -
Typosquatting popular security vendors and services is nothing new, by having HostFresh providing the hosting for the parked domains promoting the rogue security software, is a privilege and flattery for the success of the Stopbadware initiative.

23. Coding Spyware and Malware for Hire -
Customerization -- not customization -- has been taking place for a while, that's the process of tailoring your upcoming products to the needs of your future customers, compared to the product concept myopia where the malware coder would code something that he believes would be valuable to the potential customers. End user agreements, issuing licenses for the malware tool, as well as forbidding the reverse engineering of the malware so that no remotely exploitable flaws could be, are among the requirements the coder assists on.

24. Lazy Summer Days at UkrTeleGroup Ltd -
Taking a random snapshot of the current malicious activity at a well known provider of hosting services for rogue security applications, live exploit URLs and botnet command&control locations, always provides an insight into what are their customers up to. In this case, centralization of their scammy ecosystem, and parking a countless number of rogue domains on the same server.

25. Email Hacking Going Commercial -
Cybercrime is in fact getting easier to outsource, and while the number of scammers trying to offer non-existent services, or at least services where they cannot deliver the goods, the business model of this service that is that you only pay once they show you a proof that they've managed to hack the email address you game them. How are they doing it? Social engineering and enticing the user to click on live exploit URL from where they'll infect the PC and obtain the email password, of course, next to definitely abusing it for many other purposes in the process.

26. Vulnerabilities in Antivirus Software - Conflict of Interest -
You can easily twist the number of vulnerabilities found in your antivirus solution, but not recognizing them as vulnerabilities at the first place. It's all a matter of what you define as a vulnerability, or perhaps what you admit as a serious vulnerability - remote code execution through a security software, or a flaw that's allowing malware to bypass the security solution itself.

27. Counting the Bullets on the (Malware) Front -
Emphasizing on the number of malware/threats/viruses/worms/slugs your solution detects may be marketable in the short-term, but is damaging the end user's understanding of the threatscape in the long-term. So, by the time he catches up with what exactly is going on, he'll recall the moment in time where he was using the number of threats his solution was detecting as the main benchmark for its usefulness. In reality through, the number is irrelevant from a pro-active point of view, with zero day malware like the one coded for hire undermining the signatures based scanning model.

28. Smells Like a Copycat SQL Injection In the Wild -
It was pretty obvious that copycats seeing the success of SQL injections the the huge number of sites susceptible to exploitation, would also starting taking advantage of the practice. Some are, however, targeting local communities and trying to avoid detection by using targeted SQL injections.

29. Click Fraud, Botnets and Parked Domains - All Inclusive -
The scheme is nothing new, what's new is that the botnet masters are trying to limit the revenues that used to go out to affiliate networks they were participating in, and are trying to own or rent the entire infrastructure on their own.

30. Over 80 percent of Storm Worm Spam Sent by Pharmaceutical Spam Kings -
With access to Storm Worm sold and resold, and new malware introduced on Storm Worm infected hosts used as foundation for the propagation of the new malware in this case, it's questionable whether or not the Storm Worm-ers themselves are sending out the junk emails, or are they people who've rented access to the botnet doing it.

31. Neosploit Team Leaving the IT Underground -
Pretty surprising at the first place, but in reality it clearly demonstrates that when you cannot enforce the end user agreement on your crimeware kit, but continue seeing it used in a very profitable malware operations, you basically shut down the support for the public version. The team is not going to stop innovating for their own purposes, and in the long-term they may in fact re-appear with an updated malware kit that's converging different services next to the product itself.

32. Dissecting a Managed Spamming Service -
Managed spamming services using botnets as the foundation for the campaigns are starting to introduce improved metrics for the delivery, as well as experienced customer support ensuring the spam messages make it through spam filters, or at least increase the probability of making the happen. This is an example of a random service emphasizing on the improved metrics they're capable of delivering.

33. Storm Worm's Lazy Summer Campaigns -
Looks like a "cybercrime intern" launched this campaign, lacking any of the usual Storm Worm evasive practices, no exploitation of client side vulnerabilities, as well as no survivability offered by their usual fast-flux nodes.

Here come the Yankees!

Sun, 27 Jul 2008 05:52:02 +0000

Image by goddam via Flickr

Ah, its almost August. Football training camps are open and the Yankees and Red Sox are battling. Does it get any better? For most of this year I thought the Yankees were going to be out of it this year and content to have a rebuilding year. We have several veteran players who past their prime and whose contracts are up after this year. We have a some great young talent that need to grow into their potential. It looked like the Bosox and Tampa Rays were going to run away with the division and wild card this year.

But like inevitable turning of the seasons, sometime after July 4th and then the All Star break, the Yankees beginninng their drive. Those old bones warm up in the heat of the summer and the bats come alive. This year the pitching is carrying them too. Old pros Andy Pettite and Mike Mussina are joined by Jobba Chamberlin. Mariano Rivera is still the best closer in baseball. Just like old times the Yanks went out and fleeced some 2nd division team for a bunch of minor leaguers and added a quality hitter and pitcher right before the trade deadline. Look around and we are one game behind the Red Sox for the wild card slot and only three games behind the Rays for first place!

I still think Tampa is going to stumble and it will come down to the Sox and the Yanks. Just the way it is supposed to be. I am heading up to NY next Friday, taking my sons to the shrine that is Yankee Stadium to see it in person in its last year. The rest of the baseball season is going to be very exciting. Again, just the way it is supposed to be!

Here come the Yankees!

Sun, 27 Jul 2008 04:54:09 +0000

Image by goddam via Flickr

Are you using the latest web browser?

Wed, 16 Jul 2008 09:24:00 +0000

Written by Thomas Duebendorfer

In view of mass defacements of hundreds of thousand of web pages - with the intent to misuse them to launch drive-by download attacks - security researchers from ETH Zurich, Google, and IBM Internet Security Systems were interested in looking at the other side of the attack: the web browser. By analyzing the web browser versions seen in visits to Google websites, they have shown that more than 600 million Internet users don't use the latest version of their browser.

Slow migration to latest browser version
The researchers' paper, entitled "Understanding the Web Browser Threat", shows that as of June 2008, only 59.1% percent of Internet users worldwide use the latest major version of their preferred web browser. Firefox users are the most attentive: 92.2% of them surfed with Firefox 2, the latest major version before the recently released 3.0. Only 52.5% of Microsoft Internet Explorer users have updated to version 7, which is the most secure according to multiple publicly-cited Microsoft experts (among them Sandi Hardmeier). The study revealed that 637 million Internet users worldwide who use web browsers are either not running the latest version of their preferred browser or have not installed the latest patches. These users are vulnerable to exploitation due to their web browser's "built-in" vulnerabilities and the lack of more recent security mechanisms such as improved phishing protection.

Neglected security patches
Over the past 18 months, the study also shows, a maximum of 83.3% of Firefox users were using the latest major version of the web browser and also had all current patches installed (i.e. latest minor version). Only 56.1% and 47.6% of Opera and Internet Explorer users, respectively, were similarly utilizing fully-patched web browsers. Apple users are no better: since the public release of Safari 3, only 65.3% of users operate the latest Safari version.

Maximum measured share of users surfing the web with the most secure versions of Firefox, Safari, Opera and Internet Explorer in June 2008 as seen on Google websites.

Obsolete browser warning
The study's most important finding is that technical measures now in place do not sufficiently guarantee browser security, and that users' security awareness must be further developed. The problem is that most users are unaware that they are not using their browser's latest version. It must be made clear to web browser users that outdated software is associated with significantly higher risk. The researchers therefore suggest that, as a critical component of web software, a visible warning be instituted that warns the user of missing security patches in a way analogous to the 'best before' date in the perishable food industry. Software updates must also be made easier to find. The resulting transparency would go far in contributing to end user awareness of software weaknesses, and allow users to better evaluate risks.

Example "best before" implementation on a Web browser

As a side effect, having users migrate faster to the latest browser version would not only increase security but also make the lives of webmasters easier, as they would need to test and optimize websites for fewer older versions of web browsers.

Simple oversight at TNS Infratest exposes participant information

Wed, 09 Jul 2008 19:37:10 +0000

Technorati Tag: Security Breach

Date Reported:
7/4/08

Organization:
Taylor Nelson Sofres plc (TNS)

Contractor/Consultant/Branch:
TNS Infratest

Victims:
Survey participants

Number Affected:
41,000

Types of Data:
"Name and address, date of birth, email address and phone numbers", "Some of the data included monthly income, education, bank account information, health insurance data, and which credit cards are used"

Breach Description:
"The scientific journal of the Chaos Computer Club (CCC), Die Datenschleuder, reports that market research firm TNS Infratest/Emnid has lost 41,000 private data records of their survey participants."

Reference URL:
Chaos Computer Club e.V.
The Inquirer

Report Credit:
Chaos Computer Club e.V.

Response:
From the online sources cited above:

TOP MARKET RESEARCH firm TNS Infratest/Emnid has 'lost' 41,000 private data records of its survey participants, the Chaos Computer Club (CCC) has revealed in its official organ Die Datenschleuder.

As the magazine reports [1], it was possible for participants to read master data records and consumer profiles without bypassing even basic security measures.

Access to the comprehensive survey results could be gained by simply changing the customer ID number in the browser's address bar.
[Evan] This type of development mistake too common. The vulnerability is very easy to find by good pen testers and the bad guys. Actually, I am surprised that we don't hear about more of these types of breaches.

Besides name and address, the data records included date of birth, email address and phone number.

Many records also included very sensitive information: monthly income, education, bank account information, health insurance data, if and which credit cards are used, which electronic devices are used in the household, children's ages and yet more private data.
[Evan] Clearly this is some very sensitive information, all provided by people completing surveys.

"TNS Infratest made a beginner's mistake in their software development. This is unprofessional, grossly negligent and above all deeply worrying," commented CCC spokesman Dirk Engling regarding the incident.
[Evan] Mr. Engling is dead on. I couldn't have said it better myself.

"As this information is very sensitive, where abuse such as identity theft or its use in connection with burglary cannot be excluded, THS Infratest needs to inform the victims immediately," he continued

This case continues a disastrous, never-ending series of information leaks of data held by public and private sector organisations.

The need for more strict control of sensitive data collections is evidenced by the recent snooping affairs by German Telecom as well as the data leaks from the "Meldeämtern" (registration of address offices).

It is obvious here that data security only plays a minor role in companies.
[Evan] Very sad, but very true. Too many organizations still take the wrong view of information security as a "cost center" instead of a business driver. Well designed and managed information security programs, the ones that are aligned with the business and not IT, can actually provide value to the business.

"Especially for companies surveying the most confidential data, the highest security standards have to apply," said Engling.

The press team of the Chaos Computer Club is available for questions at the following addresses:

presse@ccc.de (preferred)
0700-CHAOSFON (0700 - 24267366)

Commentary:
TNS is a large company, a large company with resources to hire good management, programmers, and information security personnel. What is the excuse for making such a significant, yet simple oversight? There are a number of controls that could have reduced the risk of this occurring.

One a secondary note, but no less important in my opinion. It seems that people (in general) provide too much information willingly, without understanding what the risks could be. Personally, I rarely complete surveys that ask me for personally identifiable information (name, address, etc.). I suggest that you give some serious thought to providing any of your personal information. Ask yourself if you trust the organization collecting your information. If so, question what your trust is based on. Do NOT hesitate to ask questions and err on the side of caution.

Past Breaches:
Unknown

The Malicious ISPs You Rarely See in Any Report

Mon, 30 Jun 2008 05:31:08 +0000

The recently released badware report entitled “May 2008 Badware Websites Report" lists several Chinese netblocks tolerating malicious sites on their networks. As always, these are just the tip of the iceberg out of a relatively good sample that the folks at Stopbadware.org used for the purposes of their report. In the long term however, with the increasing prelevance of fast-fluxing, a country's malicious rating could become a variable based on the degree of dynamic fast-fluxing abusing its infrastructure in a particular moment in time. Moreover, forwarding the risk and the malicious infrastructure to malware infected hosts, and exploited web servers, creates a "twisted reality" where the countries with the most disperse infrastructure act as a front end to the countries abusing it, ones that make it in any report, since they are the abusers.

The report lists the following malicious netblocks, a great update to a previous post on "Geolocating Malicious ISPs" :

- CHINANET-BACKBONE No.31,Jin-rong Street
- CHINA169-BACKBONE CNCGROUP China169
- CHINANET-SH-AP China Telecom (Group)
- CNCNET-CN China Netcom Corp.
- GOOGLE - Google Inc.
- DXTNET Beijing Dian-Xin-Tong Network Technologies Co., Ltd.
- SOFTLAYER - SoftLayer Technologies Inc.
- THEPLANET-AS - ThePlanet.com Internet Services, Inc.
- INETWORK-AS IEUROP AS
- CHINANET-IDC-BJ-AP IDC, China

With some minor exceptions though, in the face of the following ISPs you rarely see in any report - InterCage, Inc., Softlayer Technologies, Layered Technologies, Inc., Ukrtelegroup Ltd, Turkey Abdallah Internet Hizmetleri, and Hostfresh. Ignoring for a second the fact that the "the whole is greater than the sum of it's parts", in this case, the parts represent RBN's split network. Since it's becoming increasingly common for any of these ISPs to provide standard abuse replies and make it look like there's a shutdown in process, the average time it takes to shut down a malware command and control, or a malicious domain used in a high-profile web malware attack is enough for the campaign to achieve its objective. The evasive tactics applied by the malicious parties in order to make it harder to assess and prove there's anything malicious going on, unless of course you have access to multiple sources of information in cases when OSINT isn't enough, are getting even more sophisticated these days. For instance, the Russian Business Network has always been taking advantage of "fake account suspended notices" on the front indexes of its domains, whereas the live exploit URLs and the malware command and controls remained active.

And while misconfigured web malware exploitation kits and malicious doorways continue supplying good samples of malicious activity, we will inevitable start witnessing more evasive practices applied in the very short term.

Related posts:
The New Media Malware Gang - Part Three
The New Media Malware Gang - Part Two
The New Media Malware Gang
HACKED BY THE RBN!
Rogue RBN Software Pushed Through Blackhat SEO
RBN's Phishing Activities
RBN's Puppets Need Their Master
RBN's Fake Account Suspended Notices
A Diverse Portfolio of Fake Security Software
Go to Sleep, Go to Sleep my Little RBN
Exposing the Russian Business Network
Detecting the Blocking the Russian Business Network
Over 100 Malwares Hosted on a Single RBN IP
RBN's Fake Security Software
The Russian Business Network

Malicious Doorways Redirecting to Malware

Sun, 15 Jun 2008 23:51:11 +0000

Blacklisting malicious sites in times when legitimate ones are starting to compete with bogus .info and .biz ones for the leading position of hosting and serving malicious content, is a bit of an outdated and reactive approach for protecting against unknown threats. However, a single malicious domain whose live exploits can be easily detected and consequently blocked, is often just a front end to a large domains portfolio whose malicious content may easily pass through web filtering and on-the-fly malware attempts. Even worse, a malicious domain often exists in multiple "alternate realities" since a single IP is hosting many other unique and related malware domains.

In this post, I'll assess a misconfigured malicious doorway, that is redirecting to ten different malware sites serving Zlob variants by delivering fake codecs that all the bogus adult sites require. The doorway is misconfigured in the sense of not recording the IP and checking the cookie set, in comparrision to every average web malware exploitation kit out there, which will not serve anything malicious when accessed for a second time since it's hashing the IPs that accessed it already. This is just the tip of the iceberg when it comes to the emerging evasive approaches applied to make the analysis of such doorways a bit more time and resources consuming. In a single sentence - there's evidence blackhat SEO-ers are starting to exchange crawling manipulation know-how with malware authors.

In this example we have bestxvids.info (87.118.116.11) which is reditecting to all-index.com/in.cgi?5 (87.118.116.11) a URL that's been actively spammed across forums and guestbooks vulnerable to automatic posting vulnerabilities (weak CAPTCHAs and web application vulnerabilities) which is then redirecting to the following fake codec domains on the fly, and since the redirection script isn't hashing my IP like the majority of well configured ones requiring the use of multiple IPs if we're to expose all the campaigns, it makes the investigation easier :

tubeuniverses.com/teen/index.php?id=1883 - (78.108.177.99)
new-content-s2008.com/freemovie/938/0/ - (72.21.53.218)
teens.0bucksforpornmovie.com/?id=4199 - (64.28.181.28)
getadultaccess.com/movie/?aff=5310 - (200.63.46.84)
hqtube.com/?7014000000 - (88.85.66.116)
supersharebox.com/softw/?aff=5310&saff=0 - (200.63.46.84)
scanner.shredderscan.com/5/?advid=4329 - (92.241.182.13)
myflydirect.com/1/5310/ - (200.63.46.84)
getadultaccess.com/movie/?aff=5310 - (200.63.46.84)
hotvidstube.com/teen/index.php?id=1883 - (78.108.177.99)
2008-adult-2008.com/freemovie/938/0/ - (72.21.53.218)
s-soft08freeware.com/download/502/938/0 - (91.203.70.18)

Where's the "alternate reality"? All of the following fake codec and adult sites serving Zlob variants, with minor exceptions of course, are also responding to the main IP of the redirector - 87.118.116.11 :

carsfoto.ru
cheapest-pharmacy.com
coolsexmovies.net
free-movie-xxx.net
gold-collection.biz
p-o-r-n-0.com
p-o-r-n-0.info
sexakaporn.com
stred.biz
stred.in
tosserhost.com
west-video-xxx.info
wowtofree.info

Shall we also expose the entire scammy ecosystem of Zlob variants, as always, sharing the same netblocks in order to keep it simple? But of course :

porn-youtube08.net
sextubecodec55.com
2008adult2008.com
adultstreamportal2008.com
newcontent-s2008.com
adultxx-18.com
newcontents2008.com
onlinestreamvide.com
2008adultstreamportal2008.com
newcontents2008.com
hot-pornotube2008.com
adult-youtube-8.com
2008adult-s2008.com
2008adultstreamportal2008.com
adult-freetube-8.com
adult18tube2008.com
adultstreamportal2008.com
free-porntube-8.com
gt-funny.com
gt-movies.com
gt-stars.com
hot-sextube.com
new-content-s2008.com
newcontent-s2008.com
newcontents2008.com
onlinestreamvide.com
porno-tube20008.com
pornotube-20008.com
pornotube20008.com
sex-18tube-2008.com
sex-tube-20008.com
sex-tube20008.com
sex18tube2008.com
sexi18tube2008.com
sextube18adult.com
sextube20008.com
streamadultvideo.com
xxxstreamonline.com

The bottom line - malicious doorways are slowly starting to emerge thanks to the convergence of traffic redirection and management tools with web malware exploitation kits, and just like we've been seeing the adaptation of spamming tools and approaches for phishing purposes, next we're going to see the development of infrastructure management kits, a feature that DIY phishing kits are starting to take into consideration as well.

E-crime Unit On Track, Says Police Chief

Fri, 13 Jun 2008 10:51:22 +0000

The Policing Central e-Crime Unit (PCEU) is apparently full steam ahead but, the author of this next article points out one minor detail.

Where’s the funding?

From Silicon dot com:

Funding for PCEU has been slow to arrive, with the government still not committing to its £1.3m start-up costs, despite expectation that the money would be in place months ago.

It comes after Home Office minister Vernon Coaker told a House of Lords science and technology committee that the National Fraud Reporting Centre (NFRC) could take the lead on co-ordinating e-crime investigations nationwide.

But McMurdie said the government’s vision for the NFRC does not undermine the need for the PCEU.

She said: “It is moving towards addressing the problem. The more intelligence we have on cyber crime and the more opportunities there are to report it, the better we will be able to put resources in the most appropriate place.

Read on.

Article Link