<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: placement]]></title>
    <link>http://securityratty.com/tag/placement</link>
    <description></description>
    <pubDate>Thu, 27 Dec 2007 21:18:42 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Copycat Web Malware Exploitation Kit Comes with Disclaimer]]></title>
      <link>http://securityratty.com/article/f53d9a8c84706cb980c1a5fe00e3e2f8</link>
      <guid>http://securityratty.com/article/f53d9a8c84706cb980c1a5fe00e3e2f8</guid>
      <description><![CDATA[Such disclaimers make you wonder what's the point of including a notice forwarding the responsibility for the upcoming cybercrime activities to the buyer, when the seller himself is offering daily...]]></description>
      <content:encoded><![CDATA[<a href="http://1.bp.blogspot.com/_wICHhTiQmrA/SOPmoVr-3KI/AAAAAAAACNQ/L7Fxlk4j_Gg/s1600-h/1.JPG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/_wICHhTiQmrA/SOPmoVr-3KI/AAAAAAAACNQ/IZ-phgyZJpY/s200-R/1.JPG" /></a>Such disclaimers make you wonder what the point is of including a notice that shifts responsibility for the coming cybercrime onto the buyer, when the seller himself offers daily updates with undetected bots and promises to add new exploits to the kit.<br />
<br />
For now, this recently released copycat web malware exploitation kit ships with two PDF exploits, IE snapshot and, naturally, MDAC, plus a DIY builder for the binary. Here's the disclaimer, strongly reminiscent of <a href="http://www.theregister.co.uk/2008/04/28/malware_copyright_notice/">Zeus's copyright notice</a>:<br />
<br />
<a href="http://1.bp.blogspot.com/_wICHhTiQmrA/SOQEl4WjyJI/AAAAAAAACNw/bup8hAFSOIA/s1600-h/3.JPG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/_wICHhTiQmrA/SOQEl4WjyJI/AAAAAAAACNw/J0Uxe3C2IPI/s200-R/3.JPG" /></a>"<i>Purchasing this product, you hold the full responsibility for its usage and for consequences which may have been caused by incorrect usage or the usage with some evil intent or violation of the usage rules. The author excludes the placement of the scripts somewhere on the Internet, you can only place them on localhost, virtual machine or on a test botnet (minibotnet). WARNING! The usage of this product with evil intent leads to criminal responsibility!</i>"<br />
<br />
<a href="http://3.bp.blogspot.com/_wICHhTiQmrA/SOQE_GioZeI/AAAAAAAACN4/-TgImabe7zw/s1600-h/5.JPG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/_wICHhTiQmrA/SOQE_GioZeI/AAAAAAAACN4/TC5-5hqbJ0I/s200-R/5.JPG" /></a>What happens if the buyer tries to resell the kit? "<i>If you try to resell, decode, remove the boundaries, you will lose all the support, updates and guarantees.</i>" That is surreal considering the kit is an open-source one: if it included any unique features (it doesn't), others would build upon its foundations, just as we've seen with a recent modification of Zeus.<br />
<br />
<a href="http://2.bp.blogspot.com/_wICHhTiQmrA/SOQFHcVCuhI/AAAAAAAACOA/gyW259ojaII/s1600-h/7.JPG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/_wICHhTiQmrA/SOQFHcVCuhI/AAAAAAAACOA/XvJB5TF7UCE/s200-R/7.JPG" /></a><br />
Going through the exploitation statistics of a sample campaign, you can clearly see that 250 of the 859 unique visits (roughly 29%) were exploited, using outdated and already patched vulnerabilities. Diversifying the exploit set would therefore have increased the number of exploited hosts.<br />
<br />
<a href="http://1.bp.blogspot.com/_wICHhTiQmrA/SOQFq13TnPI/AAAAAAAACOI/Ubkw74c4Wn0/s1600-h/9.JPG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/_wICHhTiQmrA/SOQFq13TnPI/AAAAAAAACOI/nvO4FBQ3s3k/s200-R/9.JPG" /></a>With 46% of IE6 visitors exploited overall, it's hard not to notice that, just like Storm Worm's historical persistence in using outdated vulnerabilities, the great majority of today's botnets have been aggregated using old exploits.<br />
<br />
Trying to enforce intellectual property rights over a malware kit means claiming ownership of it, which makes the disclaimer irrelevant.]]></content:encoded>
      <pubDate>Wed, 01 Oct 2008 22:58:01 +0000</pubDate>
      <category domain="http://securityratty.com/tag/kit">kit</category>
      <category domain="http://securityratty.com/tag/usage rules">usage rules</category>
      <category domain="http://securityratty.com/tag/usage">usage</category>
      <category domain="http://securityratty.com/tag/exploits">exploits</category>
      <category domain="http://securityratty.com/tag/pdf exploits">pdf exploits</category>
      <category domain="http://securityratty.com/tag/incorrect usage">incorrect usage</category>
      <category domain="http://securityratty.com/tag/evil intent">evil intent</category>
      <category domain="http://securityratty.com/tag/evil intent leads">evil intent leads</category>
      <category domain="http://securityratty.com/tag/malware kit">malware kit</category>
      <source url="http://feeds.feedburner.com/~r/DanchoDanchevOnSecurityAndNewMedia/~3/409055131/copycat-web-malware-exploitation-kit.html">Copycat Web Malware Exploitation Kit Comes with Disclaimer</source>
    </item>
    <item>
      <title><![CDATA[A Costly Crush]]></title>
      <link>http://securityratty.com/article/cafa2263c602a0dce807786d68e28098</link>
      <guid>http://securityratty.com/article/cafa2263c602a0dce807786d68e28098</guid>
      <description><![CDATA[I've seen a few blog posts over the last couple of days, with people complaining about an application on Facebook charging them crazy amounts of money. Certainly, there's a lot of angry Facebook users...]]></description>
      <content:encoded><![CDATA[
        I've seen a few <a href="http://www.sokhodom.com/2008-09-02-bad-facebook-application-lead-to-heavy-phone-bill/">blog posts</a> over the last couple of days from people complaining about an application on Facebook charging them crazy amounts of money. Certainly, there are a lot of angry Facebook users out there:<br /><br /><br /><div align="center"><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://blog.spywareguide.com/images/crushtracker01.html"><img src="http://blog.spywareguide.com/images/crushtracker0-thumb-287x332.gif" alt="crushtracker0.gif" class="mt-image-none" style="" height="332" width="287" /></a></span>
<br />Click to Enlarge<br /></div><br />Some more complaints? Sure, I can do that:<br /><br /><div align="center"><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="hugecrush1.gif" src="http://blog.spywareguide.com/images/hugecrush1.gif" class="mt-image-none" style="" height="347" width="309" /></span></div><br /><br /><div align="left">There are many, many more like the above comments out there. One slight problem with all of this is that the complaints are scattered across a whole range of different Crush application forums - in short, they're <i>all</i> being blamed, but they can't <i>all</i> be doing this, can they? What's the alternative, though?<br /><br />A short while ago, I wrote about <a href="http://blog.spywareguide.com/2008/07/interesting-advert-placements.html">deceptive advert placements</a> with regard to another Facebook application. It seems we have a similar situation here, where an "enterprising" ad network is placing Facebook-style buttons on installer pages and hoping people will be fooled. As it turns out, it seems to be working. While attempting to install one randomly selected Crush application, I noticed the following advert at the top of the installer splash (highlighted in red):<br /><br /><div align="center"><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://blog.spywareguide.com/images/hugecrush3.html"><img src="http://blog.spywareguide.com/images/hugecrush3-thumb-360x174.gif" alt="hugecrush3.gif" class="mt-image-none" style="" height="174" width="360" /></a></span><br />Click to Enlarge<br /></div><br />It's easy to imagine a regular Facebook user thinking this is part of the application install and clicking "Ok".
Do that, and you're taken to a site called Amazingchat(dot)net that throws up a fake message about you having "7 New Crush Messages" (and uses geolocation to point a targeted message your way). If you look like you're in the UK, you'll see this:<br /><br /><div align="center"><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://blog.spywareguide.com/images/hugecrush41.html"><img src="http://blog.spywareguide.com/images/hugecrush4-thumb-362x220.gif" alt="hugecrush4.gif" class="mt-image-none" style="" height="220" width="362" /></a></span><br />Click to Enlarge<br /></div><br />Wow, FOUR of my (fake and non-existent) messages are from Sheffield! How about if I look like I'm in the States? You've guessed it....<br /><br /><div align="center"><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="hugecrush5.gif" src="http://blog.spywareguide.com/images/hugecrush5.gif" class="mt-image-none" style="" height="42" width="318" /></span></div>
<br /><br />Windy City, here I come!<br /><br />Not. It's looking promising so far, though. If we can just go to the next screen and see something utterly useless advertised in exchange for lots of money....<br /><br /><div align="center"><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://blog.spywareguide.com/images/hugecrush666.html"><img src="http://blog.spywareguide.com/images/hugecrush666-thumb-352x236.gif" alt="hugecrush666.gif" class="mt-image-none" style="" height="236" width="352" /></a></span><br />Click to Enlarge<br /></div><br />Horoscopes for only £9 / $15 a week? WOW!<br /><br />Also, there go your savings.<br /><br />Could this be the site at the heart of so many complaints? Well, let's quickly check who runs it...<br /><br /><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="hugecrush7.gif" src="http://blog.spywareguide.com/images/hugecrush7.gif" class="mt-image-none" style="" height="140" width="587" /></span><br /><br />"Sms-helpdesk", eh? I do believe I've seen a <a href="http://www.facebook.com/topic.php?uid=4874299673&amp;topic=3908">long thread</a> about people having issues with large bills for phone messages. Indeed, a rep from sms-helpdesk actually appears to be posting there:<br /><br /><div align="center"><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="hugecrush8.gif" src="http://blog.spywareguide.com/images/hugecrush8.gif" class="mt-image-none" style="" height="479" width="370" /></span></div><br /><br />Shame it seems some people can't even get through to the supposed helpline.
Perhaps "Denise" would be better off tackling the deceptive placement of adverts made to look like installer buttons, not to mention the non-existent crush messages based on geolocation targeting?<br /><br />Just a thought...<br /></div>
        
    ]]></content:encoded>
      <pubDate>Tue, 02 Sep 2008 11:24:54 +0000</pubDate>
      <category domain="http://securityratty.com/tag/application">application</category>
      <category domain="http://securityratty.com/tag/facebook application">facebook application</category>
      <category domain="http://securityratty.com/tag/crush application">crush application</category>
      <category domain="http://securityratty.com/tag/facebook">facebook</category>
      <category domain="http://securityratty.com/tag/application install">application install</category>
      <category domain="http://securityratty.com/tag/regular facebook user">regular facebook user</category>
      <category domain="http://securityratty.com/tag/crush application forums">crush application forums</category>
      <category domain="http://securityratty.com/tag/angry facebook users">angry facebook users</category>
      <category domain="http://securityratty.com/tag/crush messages">crush messages</category>
      <source url="http://blog.spywareguide.com/2008/09/a-costly-crush.html">A Costly Crush</source>
    </item>
    <item>
      <title><![CDATA[Strange Digg.com Spamming]]></title>
      <link>http://securityratty.com/article/7756a909ad9e37edfadb259e480b7179</link>
      <guid>http://securityratty.com/article/7756a909ad9e37edfadb259e480b7179</guid>
      <description><![CDATA[I saw this in the security section earlier today. Each one links to a page on a website called Tubeteases(dot)com, and each page streams a Youtube video - usually females...]]></description>
      <content:encoded><![CDATA[
        I saw this in the security section earlier today:<br /><br /><div align="center"><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://blog.spywareguide.com/images/diggspam1.html"><img src="http://blog.spywareguide.com/images/diggspam1-thumb-399x330.jpg" alt="diggspam1.jpg" class="mt-image-none" style="" height="330" width="399" /></a></span><br /> </div><div><div align="center"><br />Click to Enlarge<br /></div><br />Each one links to a page on a website called Tubeteases(dot)com, and each page streams a Youtube video - usually females bouncing around in various states of undress.<br /><br /><div align="center"><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://blog.spywareguide.com/images/diggspam2.html"><img src="http://blog.spywareguide.com/images/diggspam2-thumb-315x269.jpg" alt="diggspam2.jpg" class="mt-image-none" style="" height="269" width="315" /></a></span><br /></div></div><div><div align="center"><br />Click to Enlarge<br /></div><br />Usually with spam like this, there's a financial incentive - however, I'm having a hard time working out what the motive is here.
There are no clickable ads to make money from on the site - it's just page after page of miniaturised Youtube clips.<br /><br /><div align="center"><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://blog.spywareguide.com/images/diggspam3.html"><img src="http://blog.spywareguide.com/images/diggspam3-thumb-371x293.jpg" alt="diggspam3.jpg" class="mt-image-none" style="" height="293" width="371" /></a></span><br /></div></div><div><div align="center"><br />Click to Enlarge<br /></div><br />No popups, no flashing banners, no mousetraps.....nothing.<br /><br />I thought I'd worked it out when I scrolled down the page and saw a large advert for a webcam site. Aha! Obviously the gimmick is luring you to the above video site and then getting you to pay up for webcam access, right?<br /><br />Well, not exactly...<br /><br /><div align="center"><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://blog.spywareguide.com/images/diggspam4.html"><img src="http://blog.spywareguide.com/images/diggspam4-thumb-315x216.jpg" alt="diggspam4.jpg" class="mt-image-none" style="" height="216" width="315" /></a></span><br /></div></div><div><div align="center"><br />Click to Enlarge<br /></div><br />...."Free"? Oh dear, this isn't going well.
They don't even have the advert for the webcam site at the top of the page; it's stuffed down at the bottom somewhere, so I can't even claim "in-your-face" advertising.<br /><br />At the very bottom, I saw a set of weblinks to other sites - surely this is the gimmick then? Entice potential webmasters to pay up for links placed on-site? Well, as it turns out, no. Clicking the "free slots available" link simply takes you to a page offering a free link placement script.<br /><br />Normally spam = profit. Here though, I can't see that this follows the usual pattern. Perhaps someone woke up feeling philanthropic and randomly decided the best course of action for Digg.com users was watching hundreds of postage-stamp sized clips of semi-naked females.<br /><br />We can tell them off for spamming Digg though, so we've got them there...<br /></div>
        
    ]]></content:encoded>
      <pubDate>Wed, 06 Aug 2008 03:51:10 +0000</pubDate>
      <category domain="http://securityratty.com/tag/page">page</category>
      <category domain="http://securityratty.com/tag/page streams">page streams</category>
      <category domain="http://securityratty.com/tag/video site">video site</category>
      <category domain="http://securityratty.com/tag/site">site</category>
      <category domain="http://securityratty.com/tag/on-site">on-site</category>
      <category domain="http://securityratty.com/tag/webcam site">webcam site</category>
      <category domain="http://securityratty.com/tag/digg">digg</category>
      <category domain="http://securityratty.com/tag/enlarge">enlarge</category>
      <category domain="http://securityratty.com/tag/click">click</category>
      <source url="http://blog.spywareguide.com/2008/08/strange-diggcom-spamming.html">Strange Digg.com Spamming</source>
    </item>
    <item>
      <title><![CDATA[Long Island Proposal Snags Again, on Poles]]></title>
      <link>http://securityratty.com/article/479733758aebc5a0eefa89ed8a473de2</link>
      <guid>http://securityratty.com/article/479733758aebc5a0eefa89ed8a473de2</guid>
      <description><![CDATA[Long Island proposal still mired: The plan to put Wi-Fi up across two Long Island counties has seemed doomed to me from the start. The company that won the bid was untested, and its other...]]></description>
      <content:encoded><![CDATA[<p><img src="http://wifinetnews.com/images/muni_icon.jpg" align="right" border="0" hspace="5" /><a href="http://www.newsday.com/news/local/ny-liwifi0728,0,7393890.story?track=rss"><strong>Long Island proposal still mired:</strong></a> The plan to put Wi-Fi up across two Long Island counties has seemed doomed to me from the start. The company that won the bid was untested, and its other in-deployment or in-proposal networks are off the table. Expertise aside, it needs tens of millions to build such a network, and financing for company-funded metro-scale projects is not available. The counties involved have pledged no purchases of services. And, perhaps the final stroke, the local utility says that E-Path doesn't meet the test of being a telecom, which would entitle it to pay less than $10 per pole per year for placement; instead it must pay the all-comer rate of $50 per pole per year.</p>

<p>This is a critical distinction. Telecoms are covered by the Telecom Act of 1996, which requires non-discriminatory access to utility poles so that incumbent local exchange carriers (ILECs) and utilities cannot act as gatekeepers preventing competitive service from emerging. There are a series of tests in the law, and local qualifications too, that allow a firm to be a registered telecom. An FCC decision last year ruled that companies that mix telecom and unregulated information services on the same wires aren't disqualified from getting the Telecom Act deal, however. </p>

<p>But E-Path seems to meet none of the criteria except its desire to pay $10 instead of $50 per year per pole. Utility poles have held up many other municipal networks. We're not hearing more about them these days because such networks are now being built on a smaller scale for different purposes, where the number of nodes and their placement is rather different from networks built with the intent of providing indoor coverage.</p>

<p>Cablevision, by the way, qualifies as a telecom, this article states, which helps them in placing nodes for their planned $300m network across their coverage territory. They can also mount nodes in-line with their cable lines, using power from their cable plant on the lines already.</p>

<p>E-Path appears to have a variety of communication problems as well. The article notes, "Tortoretti said his Washington, D.C., attorneys disagree with LIPA's interpretation. But the attorney Tortoretti said represents E-Path, Charles Rohe, said he couldn't speak about the company or the dispute."</p>

<p>Later, E-Path's "chief executive said he hopes the county will help with his LIPA dispute." But an aide to the Suffolk County executive said, "That's not really our issue. That's out of our control."</p>

<p>Correspondent Craig Plunkett, quoted near the end, points out that if the counties were to change their minds and want to buy services on the network, the proposal would have to be rebid (appears as the sound-alike "rebuild" by accident in the online article at this moment).</p>]]></content:encoded>
      <pubDate>Mon, 28 Jul 2008 07:07:26 +0000</pubDate>
      <category domain="http://securityratty.com/tag/telecom act">telecom act</category>
      <category domain="http://securityratty.com/tag/telecom act deal">telecom act deal</category>
      <category domain="http://securityratty.com/tag/telecom">telecom</category>
      <category domain="http://securityratty.com/tag/proposal">proposal</category>
      <category domain="http://securityratty.com/tag/island proposal">island proposal</category>
      <category domain="http://securityratty.com/tag/e-path">e-path</category>
      <category domain="http://securityratty.com/tag/networks">networks</category>
      <category domain="http://securityratty.com/tag/represents e-path">represents e-path</category>
      <category domain="http://securityratty.com/tag/municipal networks">municipal networks</category>
      <source url="http://wifinetnews.com/archives/008403.html">Long Island Proposal Snags Again, on Poles</source>
    </item>
    <item>
      <title><![CDATA["Interesting" Advert Placements On Facebook]]></title>
      <link>http://securityratty.com/article/4f9bc22c08b786a8bf666570e4748df3</link>
      <guid>http://securityratty.com/article/4f9bc22c08b786a8bf666570e4748df3</guid>
      <description><![CDATA[I've had a few people mention "odd things" happening when trying to install an application on Facebook called "Gridview". Well, I decided to try it out. On the install screen, you see this. Makes...]]></description>
      <content:encoded><![CDATA[
        I've had a few people mention "odd things" happening when trying to install an application on Facebook called "Gridview". Well, I decided to try it out. On the install screen, you see this:<br /><br /><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="gview7.jpg" src="http://blog.spywareguide.com/images/gview7.jpg" class="mt-image-none" style="" height="103" width="461" /></span><br /> <div><br />Makes sense so far. Here's the install screen where you agree to let the application loose on your profile:<br /><br /><div align="center"><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://blog.spywareguide.com/images/gview8.html"><img src="http://blog.spywareguide.com/images/gview8-thumb-300x310.jpg" alt="gview8.jpg" class="mt-image-none" style="" height="310" width="300" /></a></span><br /><br />Click to Enlarge<br /></div><br />Once done, you see the following screen, and this is where it all starts to go a bit wrong:<br /><br /><div align="center"><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://blog.spywareguide.com/images/gview6.html"><img src="http://blog.spywareguide.com/images/gview6-thumb-306x196.gif" alt="gview6.gif" class="mt-image-none" style="" height="196" width="306" /></a></span><br /><br />Click to Enlarge<br /></div><br />Note that the application is ALREADY installed by this point, because the Gridview icon is on your list of current applications (highlighted by the red box on the left).<br /><br />However, top right
(also highlighted) is a box made to look like a standard Facebook "continue" button. When installing the application for the first time, this caught me out too - I didn't notice the app was already installed and (naturally enough) clicked the "continue" button, thinking there was something else I needed to do to complete the installation.<br /><br />Imagine my confusion, then, when I was suddenly presented with this:<br /><br /><div align="center"><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://blog.spywareguide.com/images/gview2.html"><img src="http://blog.spywareguide.com/images/gview2-thumb-331x208.jpg" alt="gview2.jpg" class="mt-image-none" style="" height="208" width="331" /></a></span><br /></div></div><div><div align="center"><br />Click to Enlarge<br /></div><br />A page asking me to download "Mothers Day E-cards", via IAC (creators of Smiley Central, amongst other things). By this point, you've left the Facebook network completely and are sitting on a page served up by an advertising network - go back to the Facebook screenshot above and check out the URL at the bottom of the browser. That's the actual destination of the "Continue" button.<br /><br />That's a pretty sneaky tactic, if you ask me.<br /><br />What needs to be established is who is responsible for the placement of the fake "Continue" button. Is it the creator of the application, or is it legitimate advertising space on Facebook being subverted in a rather creative fashion by an advertising agency promoting IAC products?<br /><br />I've tried reinstalling the application a few times, and the graphic displayed sometimes changes to more overt "this is an advert" style banners leading to other sites offering similar downloads / offers.
Other applications I've installed don't seem to display sneaky adverts in the same location, but every application install is somewhat different, so that's not really a conclusive answer.<br /><br />At any rate, be wary of what you click on when installing Facebook applications...<br /></div>
        
    ]]></content:encoded>
      <pubDate>Thu, 03 Jul 2008 14:45:10 +0000</pubDate>
      <category domain="http://securityratty.com/tag/facebook">facebook</category>
      <category domain="http://securityratty.com/tag/application install">application install</category>
      <category domain="http://securityratty.com/tag/application">application</category>
      <category domain="http://securityratty.com/tag/standard facebook">standard facebook</category>
      <category domain="http://securityratty.com/tag/network">network</category>
      <category domain="http://securityratty.com/tag/facebook network completely">facebook network completely</category>
      <category domain="http://securityratty.com/tag/applications">applications</category>
      <category domain="http://securityratty.com/tag/facebook applications">facebook applications</category>
      <category domain="http://securityratty.com/tag/application loose">application loose</category>
      <source url="http://blog.spywareguide.com/2008/07/interesting-advert-placements.html">"Interesting" Advert Placements On Facebook</source>
    </item>
    <item>
      <title><![CDATA[Communicating about risk - part 2]]></title>
      <link>http://securityratty.com/article/2085e5b786e567ff679b1ab4b7ea429f</link>
      <guid>http://securityratty.com/article/2085e5b786e567ff679b1ab4b7ea429f</guid>
      <description><![CDATA[The trouble with likelihood
It's common to see charts similar to the one below used to communicate risk. On one axis we have Impact, and on the other we have Likelihood. We'll save a discussion...]]></description>
      <content:encoded><![CDATA[<p><span><strong>The trouble with likelihood</strong></span></p>
<p><span>It’s common to see charts similar to the one below used to communicate risk.  On one axis we have Impact, and on the other we have Likelihood.  We’ll save a discussion regarding Impact for another post, but in this post I’d like to point out a couple of subtle but important limitations with the term “likelihood”.</span></p>
<p><img src="http://riskmanagementinsight.com/riskanalysis/wp-content/uploads/2008/05/likelihood-chart.tiff" alt="" /></p>
<p><span>Likelihood connotes the probability of an event occurring.  In fact, you may see explicit probability ranges assigned to each qualitative label (e.g., “<em>Very High = 90% to 100% probable</em>”).   And, while this seems to be on the right track, there are two problems with it:</span></p>
<ul>
<li>It often doesn’t include a timeframe reference.  In other words, does the likelihood statement refer to the probability of the event occurring this week, this year, in this lifetime?  </li>
<li>It doesn’t provide the means to differentiate between something that may happen once vs. something that may happen multiple times.  For example, the statement “<em>The likelihood of a virus infection is Very High</em>” doesn’t differentiate whether the event is likely to happen once or many times.</li>
</ul>
<p><span>These two limitations become critical when we’re trying to quantify and/or compare risk issues.  </span></p>
<p><span>Using frequency, we can account for events that occur many times within the defined timeframe as well as those that occur less than once in the timeframe (e.g., .01 times per year, or once in one hundred years).  Of course, this raises the question of how we determine frequency, particularly for infrequent events.  In the interest of keeping this post to a reasonable length, I’ll cover that another time (soon).</span></p>
<p><span><strong>Drawing lines</strong></span></p>
<p><span>You may have seen charts like the ones below, with lines drawn to differentiate High from Medium, etc.  </span></p>
<p><img src="http://riskmanagementinsight.com/riskanalysis/wp-content/uploads/2008/05/lines-charts-1.tiff" alt="" /></p>
<p><span><em>(NOTE:  Magnitude scales will vary based on the risk capacity/tolerance of the organization)</em></span></p>
<p>These can be useful, but a few challenges I’ve encountered with this approach include:</p>
<ul>
<li>If the risk point falls barely on one side of the line or the other, do the lines really serve a useful purpose, at least from the perspective of being able to assign a qualitative value?</li>
<li>Who drew the lines?  At one place I’ve worked, I couldn’t get management to provide guidance on where to draw the lines so I took a stab at drawing them based on what I thought management’s risk tolerance was given their earlier decisions.  This seemed to work okay, as I didn’t experience much push-back from management, but you need to constantly look for evidence that the lines need to be changed.</li>
<li>Particularly in larger companies with multiple affiliates or subsidiaries, line placement will vary because each part of the enterprise will have its own risk tolerance.  A “critical” loss at the subsidiary level might not equate to a rounding error at the enterprise level.  I’ve dealt with this by plotting results on two charts; one scaled to the enterprise risk tolerance, and another drawn to the subsidiary’s tolerance.</li>
</ul>
<p><span>Of course, the fact that the point isn’t really a point at all, but the intersection of two ranges or distributions, further affects the utility of lines.  </span></p>
<p><span>I’ve found two ways of charting risk that seem to be well received by management (below).  </span></p>
<p><img src="http://riskmanagementinsight.com/riskanalysis/wp-content/uploads/2008/05/risk-charts.tiff" alt="" /></p>
<p><em>(NOTE: These charts were created using Monte Carlo analyses within FAIR-based applications)</em></p>
<p><span>My preference is the scatter plot, which does a nice job of visualizing the uncertainty that is a part of any risk analysis.  A couple of things to note:</span></p>
<ul>
<li>No lines have been drawn to label the result “High”, “Medium”, etc.  </li>
<li>I haven’t used a green-to-red background on the charts.</li>
</ul>
<p>I will use those illustrative tools if requested by management, but I tend not to use them otherwise.  Besides the challenges I noted above regarding lines, my rationale is that lines and colors tend to bias interpretation of the results.  In other words, if someone sees a risk point plotted on a red background or in the “High” section of the chart, they equate those results with “unacceptable”.  The fact is, the acceptability of a risk condition is often dependent on the value proposition of the situation, the cost to mitigate risk, etc.  I’ve found management is intelligent enough to know that the upper-right part of the chart means more risk than the lower-left.</p>
]]></content:encoded>
      <pubDate>Tue, 20 May 2008 12:22:24 +0000</pubDate>
      <category domain="http://securityratty.com/tag/risk">risk</category>
      <category domain="http://securityratty.com/tag/managements risk tolerance">managements risk tolerance</category>
      <category domain="http://securityratty.com/tag/enterprise risk tolerance">enterprise risk tolerance</category>
      <category domain="http://securityratty.com/tag/risk tolerance">risk tolerance</category>
      <category domain="http://securityratty.com/tag/likelihood">likelihood</category>
      <category domain="http://securityratty.com/tag/risk analysis">risk analysis</category>
      <category domain="http://securityratty.com/tag/likelihood connotes">likelihood connotes</category>
      <category domain="http://securityratty.com/tag/lines">lines</category>
      <category domain="http://securityratty.com/tag/likelihood statement refer">likelihood statement refer</category>
      <source url="http://riskmanagementinsight.com/riskanalysis/?p=354">Communicating about risk - part 2</source>
    </item>
    <item>
      <title><![CDATA[OnStar Offers a Model for IT Security]]></title>
      <link>http://securityratty.com/article/c41d8b202e7ddfec3a4ae2d7f3f68cac</link>
      <guid>http://securityratty.com/article/c41d8b202e7ddfec3a4ae2d7f3f68cac</guid>
      <description><![CDATA[At the recent Gartner Mobile and Wireless Conference, Sanjay Khunger, the chief technologist of GM's OnStar unit, gave a presentation on the history of OnStar's satellite-based remote safety, security...]]></description>
      <content:encoded><![CDATA[At the recent Gartner Mobile and Wireless Conference, Sanjay Khunger, the chief technologist of GM's OnStar unit, gave a presentation on the history of OnStar's satellite-based remote safety, security and diagnostic service. GM looks at auto safety as being in three distinct phases: before the crash, during the crash and after the crash. Another way to look at this is preventing/avoiding the crash, surviving the crash and recovering after the crash. GM designs features into cars in each of those phases (anti-lock brakes to avoid crashes, chassis design and airbags that reduce injury during the crash, and so on). I always thought of OnStar as a "push the button to call for help" service, but Khunger explained how it was an integrated part of GM's overall safety strategy. <br />
<br />
Beyond the obvious capabilities to call for help after a crash, OnStar has features that also apply to the first two phases. Hands- and eyes-free navigation and cell phone capabilities minimize driver distraction and reduce accidents. Remote proactive diagnostics and remote door unlock services reduce the time a driver spends standing next to a dead car on the side of the road. Multiple sensors in the vehicle provide information on the type of crash and the number of occupants so that emergency personnel have more information to ensure that EMTs have the right equipment to best save lives at the crash scene.<br />
<br />
This isn't meant to be a commercial for OnStar - if you watch sports on TV, you've already seen plenty of those. However, GM's placement of a security-related service in the larger context of customer safety really hits home on a larger point: Security and, just as importantly, safety need to be worked into all the critical business and IT processes at your business. The biggest bang for the buck comes from avoiding incidents - minimizing vulnerabilities in applications, not just by having secure development life cycles but by thinking about user safety. What are the abuse cases where a user or customer might accidentally put themselves in danger? What features are built into your business applications to avoid those situations? <br />
<br />
Financially, OnStar makes more money by helping its customers avoid accidents. But stuff happens, and building in instrumentation, response and recovery features to minimize damage during an incident and to ensure swift resumption of business afterward is important as well. This applies as much to car crashes as it does to identity theft incidents, insider attacks and every other IT security "crash." Build security into your critical business processes, and keep your customers safe. ]]></content:encoded>
      <pubDate>Fri, 07 Mar 2008 08:08:35 +0000</pubDate>
      <category domain="http://securityratty.com/tag/processes">processes</category>
      <category domain="http://securityratty.com/tag/critical business processes">critical business processes</category>
      <category domain="http://securityratty.com/tag/onstar">onstar</category>
      <category domain="http://securityratty.com/tag/critical business">critical business</category>
      <category domain="http://securityratty.com/tag/crash">crash</category>
      <category domain="http://securityratty.com/tag/remote safety">remote safety</category>
      <category domain="http://securityratty.com/tag/crash scene">crash scene</category>
      <category domain="http://securityratty.com/tag/safety">safety</category>
      <category domain="http://securityratty.com/tag/auto safety">auto safety</category>
      <source url="http://blog.gartner.com/blog/security.php?x=0&amp;itemid=3186">OnStar Offers a Model for IT Security</source>
    </item>
    <item>
      <title><![CDATA[ZDNet Asia and TorrentReactor IFRAME-ed]]></title>
      <link>http://securityratty.com/article/df74c86ba5fb18bfbd0b35c3905e5f21</link>
      <guid>http://securityratty.com/article/df74c86ba5fb18bfbd0b35c3905e5f21</guid>
      <description><![CDATA[This currently ongoing malware embedded attack aimed at ZDNet Asia and TorrentReactor is very creative at the strategic level, whereas the IFRAME-ing tactic remains the same. The sites' search engines...]]></description>
      <content:encoded><![CDATA[<a href="http://bp3.blogger.com/_wICHhTiQmrA/R81SAwsZynI/AAAAAAAABao/PzDWIlVlYaI/s1600-h/zdnet_asia_iframe.jpg"><img id="BLOGGER_PHOTO_ID_5173881719943187058" style="margin: 0px 10px 10px 0px; float: left;" alt="" src="http://bp3.blogger.com/_wICHhTiQmrA/R81SAwsZynI/AAAAAAAABao/PzDWIlVlYaI/s200/zdnet_asia_iframe.jpg" border="0" /></a><div>This currently ongoing malware embedded attack aimed at ZDNet Asia and TorrentReactor is very creative at the strategic level, whereas the IFRAME-ing tactic remains the same. The sites' search engines seem to have been exploited to have the IFRAME injected, not embedded, within the last 24 hours, redirecting to known Russian Business Network IPs and ex-customers pushing rogue anti-virus and anti-spyware applications. For the time being, <strong>zdnetasia.com has 11,200 cached pages loading the IFRAME</strong>, and <strong>torrentreactor.net - 29,300 cached pages loading the IFRAME</strong>. Even worse, the IFRAME-embedded search results hosted on their sites are appearing between the first ten to twenty search results, thanks to the sites' high page ranks. Sample search queries :<br /><br /><em>jamie presley</em><br /><div><em>mari misato</em></div><em>risa coda</em><br /><div><em>kasumi tokumoto</em></div><div><em>jill criscuolo</em></div><br /><div><a href="http://bp0.blogger.com/_wICHhTiQmrA/R81SoAsZyoI/AAAAAAAABaw/38ezpy_-PGQ/s1600-h/zdnet_asia_obfuscation.jpg"><img id="BLOGGER_PHOTO_ID_5173882394253052546" style="margin: 0px 10px 10px 0px; float: left;" alt="" src="http://bp0.blogger.com/_wICHhTiQmrA/R81SoAsZyoI/AAAAAAAABaw/38ezpy_-PGQ/s200/zdnet_asia_obfuscation.jpg" border="0" /></a>The IFRAME loads <strong>72.232.39.252/a</strong>, which also responds to <strong>themaleks.net</strong>. 
The link itself loads an obfuscated JavaScript which, once deobfuscated, attempts to load <strong>a-n-d-the.com/wtr/router.php</strong> (216.255.185.82 - INTERCAGE-NETWORK-GROUP2), also responding to <strong>ppcan.info</strong>, with two more domains sharing nameservers, <strong>findhowto.net</strong> and <strong>searchhowto.net</strong>. Ppcan.net has already been assessed by <a href="http://research.microsoft.com/users/shuochen/HM.doc">Microsoft's Security Team</a> :</div><div><br /></div>"<em>The advantage gained by faking the Referer field is nullified when pages use client-side cloaking to distinguish between fake and real Referer field data by running a script in the client’s browser to check the document.referrer variable. Example 1 shows a script used by the spam URL naha.org/old/tmp/evans-sara-real-fine-place/index.html. The script checks whether the document.referrer string contains the name of any major search engines. If successful the browser redirects to ppcan.info/mp3re.php and eventually to spam; otherwise, the browser stays at the current doorway page. To defeat the simple client-side cloaking, issuing a query of the form “url:link1” is sufficient. This allows us to fake a click through from a real search engine page.</em>"</div><div> </div><br /><div>So the malicious parties are implementing simple referrer checks to verify that the end users coming to their IP are the ones they expect to arrive from the campaign, and not client-side honeypots or even security researchers. And if you're not coming from where you're supposed to come from, you get a 404 error message, deceptive to the very end. 
Sample redirects upon visiting the IFRAME-ed pages at ZDNet Asia with the right referrer :</div><br /><div> </div><strong>xpantivirus2008.com </strong>(69.50.173.10)<br /><div><strong>scanner.spyshredderscanner.com </strong>(77.91.229.106)</div><strong>hot-pornotube-2008.com </strong>(206.51.229.67)<br /><div><strong>porn-tubecodec20.com </strong>(195.93.218.43)</div><br /><div> </div>Once the junkware inventory is empty, all pages redirect to <strong>requestedlinks.com</strong> (216.255.185.82). Let's take a peek at the codec :<br /><div> </div><br /><div><strong>Scanner results</strong> : 11% Scanner (4/36) found malware!</div><strong>File Size</strong> : 85008 byte<br /><div><strong>MD5</strong> : 6b325c53987c488c89636670a25d5664</div><strong>SHA1</strong> : c6aeeafffe10e70973a45e5b6af97304ca20b3bd<br /><div><strong>Fortinet</strong> - Suspicious</div><strong>Norman</strong> - Tibs.gen200<br /><div><strong>Prevx</strong> - TROJAN.DOWNLOADER.GEN</div><strong>Quick Heal</strong> - Suspicious - DNAScan<br /><div> </div><br /><div>Even more interesting is the fact that literally minutes before posting this, another such campaign got launched at ZDNet Asia, this time having just 24 pages locally cached, and loading another IFRAME to <strong>89.149.243.201/a</strong> redirecting to <strong>cialis2men.com/product/61 </strong>(92.241.162.154).<br /><div><br /></div><div><a href="http://bp0.blogger.com/_wICHhTiQmrA/R81UBAsZypI/AAAAAAAABa4/vm4-rYcZreI/s1600-h/torrentreactor_IFRAME.jpg"><img id="BLOGGER_PHOTO_ID_5173883923261409938" style="margin: 0px 10px 10px 0px; float: left;" alt="" src="http://bp0.blogger.com/_wICHhTiQmrA/R81UBAsZypI/AAAAAAAABa4/vm4-rYcZreI/s200/torrentreactor_IFRAME.jpg" border="0" /></a>What is going on: have the sites been compromised, or are the attackers in fact smarter than those who would even bother to scan for remotely exploitable web application vulnerabilities, alongside remote file inclusion? 
ZDNet Asia and TorrentReactor themselves aren't compromised; their SEO practice of locally caching any submitted search query is being abused. Basically, whenever the malicious attacker feeds the search engine with popular queries, the sites cache the search results, so when the malicious party also searches for the IFRAME in a "loadable state" next to the keyword, it loads. Therefore, thanks to the high page ranks of both sites, the cached pages with the popular keywords, now "creatively" combined with the embedded IFRAME, become easy to find on the major search engines, as even a modest sample (mostly names) shows.</div><br /><div><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_wICHhTiQmrA/R81mmAsZyqI/AAAAAAAABbA/dW0kdjnXWHs/s1600-h/zdnet_asia_fake_codec.jpg"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp0.blogger.com/_wICHhTiQmrA/R81mmAsZyqI/AAAAAAAABbA/dW0kdjnXWHs/s200/zdnet_asia_fake_codec.jpg" alt="" id="BLOGGER_PHOTO_ID_5173904350125869730" border="0" /></a>The bottom line is that ZDNet Asia and TorrentReactor's SEO practices of caching the search queries. And given that the malicious parties can now easily tweak popular keywords to appear on ZDNet Asia and TorrentReactor's sites, thereby getting a front placement on search engines, they can pretty much shift the SEO campaign to a malware campaign by taking advantage of "event-based social engineering".</div></div><div class="feedflare">
</div>]]></content:encoded>
      <pubDate>Tue, 04 Mar 2008 06:15:20 +0000</pubDate>
      <category domain="http://securityratty.com/tag/iframe">iframe</category>
      <category domain="http://securityratty.com/tag/zdnet asia">zdnet asia</category>
      <category domain="http://securityratty.com/tag/pages">pages</category>
      <category domain="http://securityratty.com/tag/pages redirect">pages redirect</category>
      <category domain="http://securityratty.com/tag/iframe-ed pages">iframe-ed pages</category>
      <category domain="http://securityratty.com/tag/torrentreactor">torrentreactor</category>
      <category domain="http://securityratty.com/tag/iframe-ing tactic remains">iframe-ing tactic remains</category>
      <category domain="http://securityratty.com/tag/seo practices">seo practices</category>
      <category domain="http://securityratty.com/tag/torrentreactor seo practices">torrentreactor seo practices</category>
      <source url="http://feeds.feedburner.com/~r/DanchoDanchevOnSecurityAndNewMedia/~3/245530489/zdnet-asia-and-torrentreactor-iframe-ed.html">ZDNet Asia and TorrentReactor IFRAME-ed</source>
    </item>
    <item>
      <title><![CDATA[Central Bank of the UAE reports ATM fraud to lenders]]></title>
      <link>http://securityratty.com/article/769f868188d32458387e4934be5665b5</link>
      <guid>http://securityratty.com/article/769f868188d32458387e4934be5665b5</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
2/27/08

Organization
Central Bank of the UAE

Contractor/Consultant/Branch
Unknown lender

Victims
ATM customers

Number Affected
Unknown

Types of...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/cbou.jpg" align="right" height="40" width="198"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>2/27/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.centralbank.ae/index.php">Central Bank of the UAE</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br>Unknown lender<br><br><span style="font-weight: bold;">Victims:</span><br>ATM customers<br><br><span style="font-weight: bold;">Number Affected:</span><br>Unknown<br><br><span style="font-weight: bold;">Types of Data:</span><br>Bank card and account details, PIN numbers, and possible other related information.<br><br><span style="font-weight: bold;">Breach Description:</span><br>The Central Bank of the UAE has issued a statement claiming that criminals installed a card skimming device and video camera on at least one ATM in the UAE.&nbsp; Bank card details and PIN numbers were exposed in the attack that lasted from February 19th - 25th, 2008.&nbsp; Every customer that used the compromised ATM(s) during the time in question has been affected.<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.arabianbusiness.com/512710-thousands-hit-by-card-fraud?ln=en">ArabianBusiness.com news story</a> <br><a href="http://www.centralbank.ae//pdf/notices/1302-2008.pdf">The Central Bank of the UAE press release</a> <br><a href="http://www.itp.net/news/512718-uae-bank-card-details-stolen-from-hacked-atm">ITP News online story</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>The Central Bank of the UAE<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>The card details of potentially thousands of UAE residents have been stolen by a gang of fraudsters who hacked into a bank's ATM machine<br><br>We have been informed by one of the banks operating in the UAE that a gang of computer 
professionals has managed to insert an electronic reader into the card reader of one of its ATMs, which enabled them to copy the data of all the cards used in the said ATM during the period 19-25 February 2008.<br><span style="font-style: italic;">[Evan] Obviously I don't use ATM machines in UAE much, but aren't there controls in place to prevent most tampering?&nbsp; The ATMs around here in Minnesota (US) would be very difficult (not impossible) to mess with.</span><br><br>They have also managed to compromise the PIN through a small video camera placed above the ATM.<br><br>We attach herewith the list of ATM cards belonging to your customers who have used the ATM Machines belonging to the bank which has advised us of the ATM fraud.<br><span style="font-style: italic;">[Evan] Judging from this statement, this appears to be a copy of the letter sent to the banks affected.&nbsp; I think it would be wise for the Central Bank to disclose the banks to the public so that affected customers can be better prepared.</span><br><br>We, therefore, advise you to:<br>1-&nbsp; Block the usage of the attached ATM cards;<br>and<br>2-&nbsp; Either to replace the cards or change the PIN numbers as deemed appropriate.<br>3-&nbsp; Fully check all your ATMs to make sure there are no traces of ATM skimming devices or tampering on the ATM.<br><br>It is not known whether the gang has been caught, how much money had been stolen or the exact number of people affected.<br><br>Please report to the Central Bank - UAESWITCH any losses on the attached card numbers and the transactions originating country immediately.<br><br>For any clarifications, banks should contact the UAESWITCH immediately on Tel. No.: (02)6915395, Fax No.:&nbsp; (02)6674521 or email xxxxx@ebuae.go.ae attention Mr. 
Aden Omar, for action.<br><br><span style="font-weight: bold;">Interesting Comments on the ArabianBusiness.com Story:</span><br></font><span class="medium"></span><font size="2"><a class="blue-d small" href="http://www.arabianbusiness.com/512710#comment-10573">Posted by KANDARP BAXI, DUBAI, UAE  on 3 March 2008 at 16:50 UAE time</a><br></font><font size="2">"<span class="medium">
Also it is high time one gets to know which bank / where etc rather
than wait to go to the ATM and find out your account has been 'swiped'
out.<br><br>All the more reasons for this information to be given ASAP, considering the pathetic customer service in most banks."<br><br></span><a class="blue-d small" href="http://www.arabianbusiness.com/512710#comment-10572">Posted by Avikul Hemmad, Dubai, UAE  on 3 March 2008 at 16:38 UAE time</a><br>"<span class="medium">
The idea of publishing such news should be to inform the public about the modus operandi and ways to detect and avoid problems.<br>
<br>
How would the layman identify "skimming machines" or whatever they are
called, if they don't know what to look for? Why don't you give more
details so bank customers and the general public can be wary???<br>
<br>
Incomplete reporting only adds to the confusion."</span><br></font><span class="medium"><font size="2"><br><i>[Evan] I agree with these two commenters.&nbsp; I don't understand why the Central Bank of the UAE even decided to make anything public if there is nothing actionable for the people affected.&nbsp; There is not enough information to help anyone.&nbsp; <br><br>It is often very (and I mean VERY) difficult to notice good card skimmers and cameras.&nbsp; Here is an example borrowed from the University of Texas.</i></font><br><br><br><img src="http://images.quickblogcast.com/95781-88451/atm1.jpg" border="0" width="451"><br><br></span><font size="1"><span class="medium">Card skimmer being installed</span></font><br><span class="medium"><br><img src="http://images.quickblogcast.com/95781-88451/atm2.jpg" border="0" width="449"><br><br><font size="1">Card skimmer after installation</font><br><br><img src="http://images.quickblogcast.com/95781-88451/atm3.jpg" border="0" width="448"><br><br><font size="1">Camera to capture PIN numbers hidden in an innocent looking brochure box</font><br><br><img src="http://images.quickblogcast.com/95781-88451/atm4.jpg" border="0" width="443"><br><br><font size="1">Camera is now installed.</font><br><br>This is only an example.&nbsp; There are more sophisticated skimmers and cameras out there.&nbsp; Diebold has a pretty good whitepaper <a href="http://www.diebold.com/rd/whitepapers/atmfraud&amp;security.pdf"> ATM Fraud and Security</a>.<br><br></span><font size="2"><span style="font-weight: bold;">Commentary:</span><br>Good commentary from ArabianBusiness.com:<br>"Skimming attacks normally involve the placement of a fake card reader over the regular card reader in an ATM, which reads and records the data from the card's magnetic strip, while either a hidden camera or a nearby observer, known as a ‘shoulder surfer', steals the PIN."<br><br>"The stolen details can then be used to create fake cards or make purchases online, or the data 
may be sold on to other gangs of fraudsters. <br><br>Skimming fraud has been seen in most regions of the world, and banks usually take measures to protect machines, such as installing plastic guards to prevent the installation of illicit card readers, camera monitoring of ATMs and regular inspections of machines."<br><br>"Most skimming attempts now either target high usage ATMs for a very short period of time to steal the maximum number of card details in a short amount of time, or machines in out-of-the-way locations where the reader will not be detected as quickly."<br><br><span style="font-style: italic;">[Evan] It is unusual that a skimming device and video camera were installed for such a long period of time.&nbsp; It is important as bank customers to be cognizant of anything that seems a little out of place when using ATMs.&nbsp; If something is noticed, report it to the bank as soon as possible.&nbsp; Personally, I prefer to use ATMs at bank branches and ones located in buildings or rooms that require card access. </span><br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown</font><br><br>
]]></content:encoded>
      <pubDate>Mon, 03 Mar 2008 08:41:37 +0000</pubDate>
      <category domain="http://securityratty.com/tag/bank card details">bank card details</category>
      <category domain="http://securityratty.com/tag/card details">card details</category>
      <category domain="http://securityratty.com/tag/bank">bank</category>
      <category domain="http://securityratty.com/tag/bank card">bank card</category>
      <category domain="http://securityratty.com/tag/atm">atm</category>
      <category domain="http://securityratty.com/tag/regular card reader">regular card reader</category>
      <category domain="http://securityratty.com/tag/reader">reader</category>
      <category domain="http://securityratty.com/tag/customers">customers</category>
      <category domain="http://securityratty.com/tag/bank customers">bank customers</category>
      <source url="http://breachblog.com/2008/03/03/cbou.aspx">Central Bank of the UAE reports ATM fraud to lenders</source>
    </item>
    <item>
      <title><![CDATA[Off the wire: Online advertising vs. personal privacy]]></title>
      <link>http://securityratty.com/article/aa4d564b8c818eec659c339def220756</link>
      <guid>http://securityratty.com/article/aa4d564b8c818eec659c339def220756</guid>
      <description><![CDATA[Google cleared an important regulatory hurdle when the Federal Trade Commission last week approved its $3.1 billion merger with ad placement giant DoubleClick, but congressional hearings on privacy...]]></description>
      <content:encoded><![CDATA[Google cleared an important regulatory hurdle when the Federal Trade Commission last week approved its $3.1 billion merger with ad placement giant DoubleClick, but congressional hearings on privacy ar...]]></content:encoded>
      <pubDate>Thu, 27 Dec 2007 21:18:42 +0000</pubDate>
      <category domain="http://securityratty.com/tag/placement giant doubleclick">placement giant doubleclick</category>
      <category domain="http://securityratty.com/tag/federal trade commission">federal trade commission</category>
      <category domain="http://securityratty.com/tag/congressional hearings">congressional hearings</category>
      <category domain="http://securityratty.com/tag/billion merger">billion merger</category>
      <category domain="http://securityratty.com/tag/regulatory hurdle">regulatory hurdle</category>
      <category domain="http://securityratty.com/tag/privacy">privacy</category>
      <category domain="http://securityratty.com/tag/google">google</category>
      <category domain="http://securityratty.com/tag/week">week</category>
      <source url="http://feeds.feedburner.com/~r/HelpNetSecurity/~3/207249150/news.php">Off the wire: Online advertising vs. personal privacy</source>
    </item>
  </channel>
</rss>
