[SecurityRatty] tag: pages

A Costly Crush

Tue, 02 Sep 2008 11:24:54 +0000

I've seen a few blog posts over the last couple of days, with people complaining about an application on Facebook charging them crazy amounts of money. Certainly, there's a lot of angry Facebook users out there:

Click to Enlarge

Some more complaints? Sure, I can do that:

There are many, many more like the above comments out there. One slight problem with all of this is that the complaints are scattered across a whole range of different Crush application forums - in short, they're all being blamed, but they can't all be doing this, can they? What's the alternative, though?

A short while ago, I wrote about deceptive advert placements with regards another facebook application. It seems we have a similar situation here, where an "enterprising" Ad network is placing Facebook-style buttons onto installer pages and hoping people will be fooled. As it turns out, it seems to be working. While attempting to install one randomly selected Crush application, I noticed the following advert at the top of the installer splash (highlighted in red):

Click to Enlarge

It's easy to imagine a regular Facebook user thinking this is part of the application install and clicking "Ok". Do that, and you're taken to a site called Amazingchat(dot)net that throws up a fake message regarding you having "7 New Crush Messages" (and uses geolocational technology to point a targeted message your way). If you look like you're in the UK, you'll see this:

Click to Enlarge

Wow, FOUR of my (fake and non-existent) messages are from Sheffield! How about if I look like I'm in the States? You've guessed it....

Windy City, here I come!

Not. It's looking promising so far, though. If we can just go to the next screen and see something utterly useless advertised in exchange for lots of money....

Click to Enlarge

Horoscopes for only ?9 / $15 a week? WOW!

Also, there go your savings.

Could this be the site at the heart of so many complaints? Well, let's quickly check who runs it...

"Sms-helpdesk", eh? I do believe I've seen a long thread concerning people having issues with large bills for phone messages. Indeed, a rep from sms-helpdesk actually appears to be posting there:

Shame it seems some people can't even get through to the supposed helpline. Perhaps "Denise" would be better off tackling the deceptive placement of adverts made to look like installer buttons, not to mention non-existent crush messages based around geolocational targeting?

Just a thought...

Amazon's Mechanical Turk Used for Fraudulent Activities

Sat, 30 Aug 2008 11:50:18 +0000

Although these HITs may stop short of being "fraud" in the legal sense of the word, they are certainly dishonest and unsavory. In addition to these spam bookmarking requests, we're also seeing HITs for Diggs, Stumbles, Slashdots, etc. of spammers' web pages and web sites.

Fake Security Software Domains Serving Exploits

Thu, 28 Aug 2008 02:41:10 +0000

Psychological imagination, "think cybercriminals" mentality or scenario building intelligence, seem to always produce the results they are supposed to. On Monday, I pointed out that :

"Ironically, the participant in the affiliate program whose original objective was to drive traffic to the fake security software's site, may in fact start receiving so much traffic due to the combination of traffic acquisition tactics, that introducing client-side exploits courtesy of a third-party affiliate network, may in fact prove more profitable then the revenue sharing partnership with the rogue security software's vendor at the first place."

The next day, client-side exploits start getting introduced "in between" the fake security software sites :

"I've blogged before about the problem of Google Adwords pushing Antivirus XP Antivirus 2008. The situation is still ongoing. However, it's taken a turn for the worse, as these XP Antivirus pages are pushing exploits to install malware on the users system. This will also affect the many syndicators of Google Adwords."

The domain in question bestantivirus2009.com - (68.180.151.21) is hosting the binary at bestantivirus2009 .com/setup_1096_MTYwM3wzNXww_.exe and has an IFRAME pointing to huytegygle .com/index.php (200.46.83.246).

Here's another example antivirus0003.net with an IFRAME pointing to a different location - 124.217.250.85 /~ave/etc/count.php?o=16.

Despite that these domains are part of the "International Virus Research Lab" fake domains portfolio, it remains to be seen whether others will start multitasking as well.

SDL and the XSS Filter

Wed, 27 Aug 2008 11:35:00 +0000

Steve Lipner here. When the Internet Explorer team posted the announcement about the XSS Filter feature in IE8 I asked some other members of the SDL blog team “why aren’t we talking about the new XSS Filter feature on the SDL blog?” Bryan and Jeremy said something like “that’s a mitigation that only applies to specific clients and a subset of attacks”. So we didn’t cross-reference IE’s XSS Filter post on the SDL blog at the time. Instead, I agreed to write a subsequent post about the relationship of XSS Filter to the SDL and to the ways that our SDL and security science teams think about improving product security.

For those of you who aren’t familiar with XSS Filter, a brief summary is that it is a client-side defense against reflected cross-site scripting (XSS) attacks. It works by recognizing that reflected XSS attacks inject script into the string that the browser sends to the targeted web server. If the server doesn’t neuter or strip out the injected script, it gets sent back to the browser and executed in the context of the target web page. Bad things then happen. At a high level, XSS Filter remembers the string that the browser sent to the server, and looks at the server’s response to see if any of the script was actually in that string. If it was, then XSS Filter decides that it got there because it was injected by an XSS attack and blocks the script from executing. The rest of the web page renders as usual. This is a vastly oversimplified sketch of XSS Filter – for details, see the post by David Ross, inventor of XSS Filter on the Security Vulnerability Research and Defense blog.

So what does XSS Filter have to do with the SDL? Well, for almost nine years, since XSS was first discovered at Microsoft, we’ve been trying to figure out effective ways to reduce vulnerability to XSS attacks. Our focus has been on improving the ways that web page developers code their pages, and we’ve developed a lot of tools and techniques for making web content safer from XSS attacks and for detecting XSS vulnerabilities in live pages. The SDL requires the use of many of these tools and techniques, and we’re sure we’ve prevented a lot of XSS vulnerabilities from being introduced into Microsoft web pages as a result.

But while we identify (and the SDL requires) measures that allow developers to avoid classes of vulnerabilities, we also look to identify more sweeping solutions that can either 1) eliminate classes of vulnerabilities, 2) reduce their severity, or 3) reduce the likelihood of attacks being successful. The process usually starts from deep understanding of a class of vulnerabilities and attacks, and then we broaden defenses from there. In the case of XSS Filter, David’s years of work researching XSS led him to come up with an approach that blocks many of the most common vulnerabilities to reflected attacks found on the web today. The solution is compatible with existing web pages (doesn’t “break the web”) and thus we were able to enable it by default for users of Internet Explorer 8. Because it’s a client-side mitigation, it will help protect users from attacks even though the sites they visit may be vulnerable to XSS.

Our work on buffer overrun defenses follows a somewhat similar pattern – we started by prescribing coding techniques, banning the use of some APIs, and building tools that detect coding constructs that look like buffer overruns. As we gained a deeper understanding of how buffer overruns can be exploited, we enhanced the /GS compiler flag and added ASLR in a quest to cause classes of exploits to fail even if a buffer overrun remains. We’re not yet close to eliminating the SDL requirements for use of tools and coding techniques, but the SDL also requires the use of the mitigations to reduce the severity of vulnerabilities that slip past. Will we ever get to the point where the mitigating technologies are so strong that we can relax the coding requirements? Maybe not, but we will continue to introduce technologies that reduce the chances of a successful attack.

Similarly, in the case of XSS, even after IE8 ships, the SDL will continue to require the use of safe web site coding practices and tools such as the Anti-XSS library both to protect users of browsers other than IE8 and to provide protection in recognition of the fact that XSS Filter is a mitigation or defense in depth rather than a complete solution. But we’ll also be keeping our eyes open (and doing active research) in the quest for an even more effective defense – whether client or server side – that eliminates XSS for good.

This post is a little far afield from the normal content of the SDL blog, but I thought it was important to provide a picture of the role of security science and security research in defining SDL requirements and in making major improvements in software security. You can read more about our work in security science in the Security Vulnerability Research and Defense blog.

Spammers Take A Cheap Shot...

Tue, 19 Aug 2008 10:24:05 +0000

I'm on holiday this week, but thought I'd better give this a mention anyway (plus, when did being on holiday ever stop me from posting stuff on blogs, right?)

I was surprised to see this posted to the comments section of the Sunbelt Blog:

I was about as surprised as The Dean was!

To quote a further post from The Dean:

"Well, that's weird. Isn't spywareguide Paperghost's blog? I know he wouldn't spam here. And, the link on the first comment goes to a 404 page."

So, we have someone spamming with broken English, dropping links to 404 pages on Spywareguide. Curious.

Now, I did have some suspicions on this - for starters, the recent blogs regarding the pirate movie websites that pop Zango installers just hit a few news websites. As this article mentions, a lot of the sites involved in this are from Asian regions - China, Indonesia etc. I couldn't help but notice the name of the poster was "Tam" - a common name in certain parts of Asia.

Coincidence? Or a possible affiliate not too happy about this being highlighted? Well, a quick email later and the results for the spammer are in:

A potentially forged Reverse DNS aside, it's a strange thing indeed that they just happen to resolve to Vietnam given that a good portion of these sites are in Asia, isn't it?

I think I'll see if any are owned by someone called "Tam".

When I return from my holiday, of course....

A Few More Words on DLP and Compliance

Fri, 15 Aug 2008 10:51:00 +0000

Today I was thinking about DLP again :-) (yes, I know that "content monitoring and protection" - CMF - is a better description) Specifically, I was thinking about DLP and compliance. At first, it was truly amazing to me that DLP vendors "under-utilize" compliance in their messaging. In other words, they don't push the "C-word" as strongly as many other security companies. Compliance dog doesn't snarl at you from their front pages and it doesn't bite you in you ass when you read the whitepapers, etc. Sure, it is mentioned there, but, seemingly, as an after-thought.

For example, Reconnex that was recently absorbed by McAfee, touts "information protection" before compliance. Similarly, my friends from nexTier only mention "compliance" on a few pages. Even newly unveiled DLP resource (DLP In-Depth portal) only contains a little bit of information on how DLP solutions help with various compliance projects. People tout "data protection", " data security", "data governance" (aka "we know big words - bigger than you") or even "data risk management" (aka "we are confused about what we sell")

I decide to explore this curious phenomenon.

Initially, I thought that it was reverse compliance at work? People not wanting to know what content packs up and leaves their network. Then I thought that maybe DLP vendors just aren't "the bandwagon jumping kind" (yeah, right!) Then I thought that they are "beyond compliance" already :-)

But you know what? I actually think that it is something different, much more sinister. It is the ominous checklist mentality (here too)! You know, DLP is newer than most regulations (PCI DSS, HIPAA, FISMA, etc) and - what a shock! - the documentation for these mandates just doesn't mention DLP (or CMF) by name. Sure, they talk about data protection (e.g. PCI DSS Requirements 3 and 4), but mostly in terms of encryption, access control, logging (of course!).

Also, PCI DSS directly and explicitly says "get a firewall", "deploy log management", "get scanned", "install and update AV" - but where is DLP? Ain't there...

Yes, Virginia, folks who "go by the book" and just "do the minimum" are missing out on the chance to procure DLP while their compliance budgets are still flowing. To me that means that many still don't get the "compliance+" model - buy for compliance -> use for security, operations, having fun, etc. Think what a good DLP solution will do for you in discovering regulated data across the entire organization, blocking those pesky email with SSNs, PHI (hi, HIPAA) and CCs (hi, PCI) as well as solving plenty of other problems ...

A Change of Plan For Your Spam

Wed, 13 Aug 2008 11:42:23 +0000

Someone really has to reign me in with these titles. Anyway, you may or may not have heard that the CNN spam mails have now morphed into mails that appear to come from Msnbc.com instead. The titles of the emails are still as insane as ever:

......uh, wow. The email will take you to a fake Flash download, just like the previous efforts:

Click to Enlarge

Obviously, they haven't gotten around to making fake Msnbc pages so for now we're still stuck with the fake CNN pages.

An odd side-effect of these emails is that they're likely lowering subscriber numbers for CNN and Msnbc, because the emails contain genuine unsubscribe links at the bottom:

I doubt the creators of these scam mails intended that - they're just wanting to make the mails look realistic - but I could imagine disgruntled subscribers wondering why CNN and Msnbc keep sending them these things then reaching for the "no more, please!" link...

Google 'Gadgets' Called Gateways For Hackers

Sat, 09 Aug 2008 19:40:10 +0000

Hackers turned computer security specialists accuse Google of setting users up for online disasters by letting them personalize home pages with applications that could be tainted.

SQL Attacks Still Inject Websites Including Government Sites In US, UK

Fri, 08 Aug 2008 06:43:32 +0000

A new round of SQL injection attacks (most likely by Asprox) has infected millions of web pages belonging to businesses and government agencies, including those that belong to the National Institutes of Health and Education Department in the US and the UK Trade & Investment. It seems that a lot of domains involved are still [...]

Automated Spim on Microblogging Site Via MSN Messenger

Thu, 07 Aug 2008 17:12:09 +0000

There's been a fair amount of Twitter coverage recently, but it's worth noting that other countries have their own versions of Twittering and some of them have seem to be a little easier to use in conjunction with Instant Messaging, whereas Twitter still seems to have a need for third party services, add-ins and other tools to get the job done if the service used is something other than Google Talk, Livejournal Chat or Jabber (if it's now more straightforward for other clients too, please let me know!)

Either way, the below illustrates why adding Instant Messaging features to services such as Twitter can cause problems in the long run and needs to be considered carefully.

We were alerted to the fact that a large amount of Spam seemed to be coming out of China in the last day or two (indeed, one contact mentioned to me that this particular message had been sent to their Honeypot around 29,000+ times, which is a lot of spamming for one URL however you look at it). The spam in question seemed to have been sent via a Spambot, and the only mentions of this URL so far in search engines seems to be related to China - shall we take a look?

The URL in question (with part of it redacted) is

http: //5834******/ ;)

You'll notice the spam is short, snappy and also includes a little smiley-face thing at the end. In fact, it looks a little bit like the kind of link people send to their contacts on Twitter, doesn't it?

Well, let's see - a quick search and we find this:

Click to Enlarge

A page from Fanfou.com, which I believe is a Chinese site "inspired" by Twitter with much of the same features and functionality. In fact, it has one feature working straight off the bat that Twitter users previously had to rely on plugins for - the ability to send messages to their page via MSN Messenger updates.

http: //5834****** doesn't actually resolve anywhere - however, a quick Ping to that address and we have an IP:

Click to Enlarge

Type the IP address into the browser, and via some geolocational technology, you'll see a region specific version of the following dating website:

Click to Enlarge

Go back to the page on Fanfou.com, scroll down and select any of the clickable links and surprise - the same page appears. This particular account on Fanfou has something like 30+ pages devoted to endless Spim links via MSN. They link to placeholder pages, sites that look as though they've been suspended and / or deleted with no way to determine what content was there previously - all interspersed with "Twitter" style messages throughout such as this:

Again, note everything is coming via MSN. By this point, you're probably wondering exactly how they allow you to send messages to their Twitter-style pages. Well, the solution is quite clever - check out the IM page. You enter your MSN address, and when you login to your MSN account, you'll suddenly find you have a new IM buddy who wants to be a contact:

Add it, and whenever you want to put a message on your page, send it an instant message and, lo and behold, your Tweet-style message has appeared on your page:

Click to Enlarge

In conclusion, the steps here appear to be

1) Create a Spambot that infects users via MSN Messenger
2) Tailor the messages it sends to be short and sweet, just like a Twitter-style message
3) Set up an account on a service such as Fanfou.com that makes it easy to send messages to your page via MSN Messenger (or other IM services affected by your bot)
4) Infect the PC running your MSN Messenger account then watch as it spams the userpage with whatever messages you want it to send.

Of course, the links can be anything from dating sites and ringtone adverts to infection files and exploits - all made so much more easier (and far less time consuming than manually typing in URLs to your userpage) by the functionality built into the site you happen to be using. It's also worth noting that the accounts sending the Spim don't have to be set up by the spammer - they could be compromised accounts that had been hijacked when clicking a rogue IM link, which is a great way of filling out the spamming ranks very quickly.

This is definitely something Twitter - and any other site out there involved in microblogging - need to keep an eye out for, and consider carefully when thinking of adding integration with popular Instant Messaging clients.

We detect the file sending the weblinks via MSN as Foubot.

Research and Writeup: Christopher Boyd, Director of Malware Research
Additional Research: Chris Mannon, Senior Threat Researcher