<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: pleasant]]></title>
    <link>http://securityratty.com/tag/pleasant</link>
    <description></description>
    <pubDate>Wed, 26 Dec 2007 20:43:00 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Keeping America Safe from Terrorism by Monitoring Distillery Webcams]]></title>
      <link>http://securityratty.com/article/97364c3b71b32b3988fc75fe4bcaf94a</link>
      <guid>http://securityratty.com/article/97364c3b71b32b3988fc75fe4bcaf94a</guid>
      <description><![CDATA[Really : We had an email recently from an observer &quot;curious as to why the webcam that was inside the shop/bar is no longer there, or at least, functional&quot;. The email was from the Defense Threat...]]></description>
      <content:encoded><![CDATA[<p><a href="http://www.bruichladdich.com/wmd_story.htm">Really</a>:</p>

<blockquote>We had an email recently from an observer "curious as to why the webcam that was inside the shop/bar is no longer there, or at least, functional". The email was from the Defense Threat Reduction Agency in the United States.

<p>When we replied that it was simply a short term technical problem, we asked why on earth they could be interested in the comings and goings of a small Distillery off the West Coast of Scotland. Were there secret manoeuvres taking place in Loch Indaal, or even a threat of terrorists infiltrating the mainland via Islay?</p>

<p>The answer we received was even more surreal. Evidently the mission of the DTRA is to safeguard the US and its allies from weapons of mass destruction: chemical, biological, radiological, nuclear and high explosives. The department which contacted the Distillery deals with the implementation of the Chemical Weapons Convention, going to sites to verify treaty compliance. Funnily enough, chemical weapon processes look very similar to the distilling process and as part of training there is a visit to a brewery for familiarization with reactors, batch processors and evaporators. As they said, it just goes to show how "tweaks" to the process flow or equipment can create something very pleasant (whisky) or deadly (chemical weapons).</p>

<p>As they say: "In the post-Cold War environment, a unified, consistent approach to deterring, reducing and countering weapons of mass destruction is essential to maintaining our national security. Under DTRA, Department of Defense resources, expertise and capabilities are combined to ensure the United States remains ready and able to address the present and future WMD threat. We perform four essential functions to accomplish our mission: combat support, technology development, threat control and threat reduction. These functions form the basis for how we are organized and our daily activities. Together, they enable us to reduce the physical and psychological terror of weapons of mass destruction, thereby enhancing the security of the world's citizens. At the dawn of the 21st century, no other task is as challenging or demanding".</p></blockquote>]]></content:encoded>
      <pubDate>Fri, 31 Oct 2008 08:15:49 +0000</pubDate>
      <category domain="http://securityratty.com/tag/chemical weapons convention">chemical weapons convention</category>
      <category domain="http://securityratty.com/tag/chemical weapons">chemical weapons</category>
      <category domain="http://securityratty.com/tag/weapons">weapons</category>
      <category domain="http://securityratty.com/tag/threat">threat</category>
      <category domain="http://securityratty.com/tag/future wmd threat">future wmd threat</category>
      <category domain="http://securityratty.com/tag/mass destruction -chemical">mass destruction -chemical</category>
      <category domain="http://securityratty.com/tag/mass destruction">mass destruction</category>
      <category domain="http://securityratty.com/tag/distillery">distillery</category>
      <category domain="http://securityratty.com/tag/threat control">threat control</category>
      <source url="http://www.schneier.com/blog/archives/2008/10/keeping_america.html">Keeping America Safe from Terrorism by Monitoring Distillery Webcams</source>
    </item>
    <item>
      <title><![CDATA[Coding Spyware and Malware for Hire]]></title>
      <link>http://securityratty.com/article/1dbd4bddd9e4248009d0273ad7cae5dd</link>
      <guid>http://securityratty.com/article/1dbd4bddd9e4248009d0273ad7cae5dd</guid>
      <description><![CDATA[What type of antivirus evasion do you want today? For the past several years, we have been witnessing the emerging customerization applied in malware and spyware for hire services. What used to be a...]]></description>
      <content:encoded><![CDATA[<div class="separator" style="text-align: left; clear: both;"><a href="http://bp2.blogger.com/_wICHhTiQmrA/SIWJkocpGwI/AAAAAAAAB8U/_v3hJOM2k_s/s1600-h/preview_random.jpg" imageanchor="1" style="border: 0pt none ; background-color: transparent; clear: left; margin-bottom: 1em; float: left; margin-right: 1em;"><img src="http://bp2.blogger.com/_wICHhTiQmrA/SIWJkocpGwI/AAAAAAAAB8U/15Yc8N_lG74/s200-R/preview_random.jpg" style="border: 0pt none ;" /></a></div>What type of antivirus evasion do you want today? For the past several years, we have been witnessing the emerging customerization applied in malware and spyware for hire services. What used to be a situation where the malware authors would code and then start promoting a piece of malware including features that he thinks his potential customers would want by generalizing a cybercriminal's needs, is today's "listening to the customer" win-win situation that they've reached already. <br />
<br />
The maturation from product concept to customerization is in fact so prevalent these days that malware authors wanting to preserve their intellectual property forbid their customers from reverse engineering the malware modules, presumably fearing that remotely exploitable flaws, <a href="http://ddanchev.blogspot.com/2008/06/zeus-crimeware-kit-vulnerable-to.html">like this one in Zeus, one of the most popular e-banking malware families of the last two years</a>, could be discovered as a result of the author's insecure coding practices. Moreover, passing a single license on to others results in the malware author refusing any future business with the party that ruined the exclusiveness of the malware by leaking it to the public, something that has been happening and will continue to happen with web malware exploitation kits.<br />
<br />
What would be the price of a custom malware module coded on demand? How much does it cost to have a built in email harvester that would sniff all the incoming and outgoing email addresses from the infected host to later on include them in upcoming spam and malware campaigns? Would the malware author also provide a managed hosting service for the command and control and the actual binaries on a revenue sharing <br />
<br />
Here's an automatically translated, and fairly easy to understand, random proposition for coding spyware and malware for hire. It answers many of these questions and clearly demonstrates that today's malware is coded exactly the way the customer wants it: <br />
<br />
"<i>As you can see from its development history, it has turned into a real combine, while hardly growing in size: the full-size pack is a whole 18 kb and the minimum 5 kb. For everyone, I'll remind you again: everything described below can be done as a separate bot, or in any cross-combination except for a few restrictions. This product is aimed at the mass user and will not be sold to just anyone. So, you can choose from:</i><br />
<br />
<i>The loader itself: able to load a file from the admin panel by country and other characteristics, such as the number of animals on board a specific bot, a country or group of countries, the presence of certain AVs or a firewall, average time online, etc. etc. You can adjust the delivery speed and limits for each file, and load one file as well as several files simultaneously<br />
300 €</i><br />
<br />
<i><b>FTP (and not only) grabber</b><br />
Analyzes user traffic and collects FTP accounts from it, that is, you get the FTP accounts regardless of which FTP client the user uses; this way you can get the most valuable FTP accounts (even those whose password is not saved); in the same way you can also grab not only accounts but other tasty things too)<br />
150 €<b>&nbsp;</b></i><br />
<br />
<i><b>Spam base assembler</b><br />
Analyzes user traffic and collects all emails from it, sniffing the HTTP, POP3 and SMTP protocols; keeps uniqueness records locally on each bot to reduce the load on the server, as well as globally on the server; has 2 modes of operation, i.e. passive, which only collects from the user, and active, which goes off to download the whole internet) in search of emails<br />
220 €<br />
<br />
<b>Socks 4/5</b><br />
A normal socks proxy with competently implemented multithreading; activated only if the user has a real IP, otherwise not. Also optional, depending on connection type and internet speed.<br />
70 €<br />
<br />
<b>Indicates</b><br />
A primitive method: infecting flash drives via autorun gives a 2-3% increase in the first week and up to 7% in the following ones, a pleasant trifle)<br />
35 €<br />
<br />
<b>Scripts</b><br />
The loader supports an internal scripting language, jscript, for carrying out arbitrary actions on the victim machine, whether writing data to the registry, setting the home page, opening a URL in the browser (done so that it gets through to the user with a 90% hit rate)), uploading arbitrary files to a server, even theoretically possible to form and grab injects in IE); you just have to write the script, you'll get sick of it, in general any actions your soul wishes)<br />
70 € basic functionality<br />
<br />
<b>Password assembler</b><br />
Collects data such as passwords from IE Protected Storage, MSN, etc.; other password sources will be added on request<br />
70 €<br />
<br />
<b>Mini-AV</b><br />
When the loader is installed on the machine, removes BHO-type trojans, Zeus-type ones, most of the crap from all the autoruns, and kills most keyloggers, etc.) send proposals for improvement<br />
70 €<br />
<br />
<b>Default file</b><br />
A URL (set in the admin panel) is programmed into the loader exe pointing to a file which is loaded once and run at the loader's first start on the machine; this helps, for example, to load a trojan across the entire botnet without bothering with tasks in the admin panel. The module runs 20 seconds after the Mini-AV, which rules out the removal of your trojan by the bot; after loading this exe the bot continues its normal activity.<br />
35 €<br />
<br />
<b>Form grabber</b><br />
Still in beta, grabs IE. Sends logs to the admin panel, sorted by country. Logs are like agent logs. It consists of:<br />
<br />
<b>Certificate grabber</b><br />
In principle it is part of the form grabber but could also work on its own; actually there is nothing to describe)<br />
<br />
<b>Injections</b><br />
The injects are competently done: they start working not after the full page load (as in most trojans) but immediately, and injection of javascript code is supported, which allows auto-transfers and DC injects for data collection. For example, so that the account is not used at all until the necessary number of Britain has been entered, after which the inject stops working. In general, anything can be done, in any form) rather than a meager PIN request field) There is also a subspecies of injects: substitution of search engine results.<br />
<br />
<b>Balance grabber</b><br />
Grabs the account balances when the user logs into the account; the details are added to the logs.<br />
<br />
<b>Screen</b><br />
A universal method to grab information from absolutely any kind and variety of on-screen keyboards, in particular html, flash, in one picture, with drop-down fields that get encrypted after your choice, as well as information such as "enter the 3rd letter of the secret word" etc., as well as any information which is visible to the user but not seen in the logs. Screen settings are in the admin panel: set the URL where to take the screenshot, as well as the type of screenshot: for a virtual keyboard (takes several small images of the areas around the click) or for "enter the 3rd letter of the secret word" (takes 1 full shot). When the screenshot is taken, an entry is recorded in the log with the name of the screenshot file at that position.<br />
<br />
<b>Anti-abuse for the botnet</b><br />
A feature of the admin panel; lets you keep the botnet on fast, normal, glitch-free, NON-abuse-resistant hosting, with features such that you forget what abuse complaints are, the week-long silence of "abuse-resistant" hosting support, the host's inaccessibility from half the internet, etc., etc.; also with the help of this add-on you will be able to keep huge botnets (over SL) on 1 dedicated server with 512 of RAM) and make a nice saving on the hosting price, not $500 a month but 150. This feature can be used with third-party developments, trojans, bots, etc.; actually it is a separate product. And by the way, if you don't understand the theory, no need to ask "and how does it work?"; imagine that it works, full stop, and is in principle unkillable.<br />
600 € +<br />
&nbsp;</i><br />
<i>All prices are in euros; the conversion is made at the Central Bank rate on the day of purchase. ps I will not disappear like most authors after months of sales. I DON'T know how many FTP accounts you'll get per user, I DON'T know how many emails the email grabber collects, I DON'T know what the loader's check-in rate is, I DON'T know how many socks there will be from 1k downloads, nor how best to load a file so it doesn't die quickly; if my ignorance confuses you, then my loader isn't for you, so don't bother)<br />
<br />
Rules / Licence<br />
-- The customer has no right to transfer any part of the trojan to third parties, except as agreed with me<br />
-- The customer does not have the right to decompile, research or maliciously modify any part of the trojan<br />
-- The customer has no right to distribute information about the trojan anywhere or discuss it publicly, with the exception of trojan entries.<br />
-- For violating the rules: license denial, without any moneyback, and no further conversations</i>" <br />
<br />
This malware coder seems to be participating in an affiliate program with a malicious ISP that offers hosting for the entire campaign, not just the malware binaries, so you have a rather good example of how incentives and revenue-sharing models result in value-added services: an all-in-one shop for the customer, who needn't bother approaching a third party.<br />
<br />
Cybercrime is getting even easier to outsource these days, and with the malicious parties improving their communication and incentive models, the resulting transparency in the underground market<br />
<br />
<b>Related posts:</b><br />
<a href="http://ddanchev.blogspot.com/2007/03/underground-economys-supply-of-goods.html">The Underground Economy's Supply of Goods and Services</a><br />
<a href="http://ddanchev.blogspot.com/2007/10/dynamics-of-malware-industry.html">The Dynamics of the Malware Industry - Proprietary Malware Tools</a><br />
<a href="http://ddanchev.blogspot.com/2008/06/using-market-forces-to-disrupt-botnets.html">Using Market Forces to Disrupt Botnets</a><br />
<a href="http://ddanchev.blogspot.com/2007/10/multiple-firewalls-bypassing.html">Multiple Firewalls Bypassing Verification on Demand</a><br />
<a href="http://ddanchev.blogspot.com/2007/10/managed-spamming-appliances-future-of.html">Managed Spamming Appliances - The Future of Spam</a><br />
<a href="http://ddanchev.blogspot.com/2008/02/localizing-cybercrime-cultural.html">Localizing Cybercrime - Cultural Diversity on Demand</a><br />
<a href="http://ddanchev.blogspot.com/2008/01/e-crime-and-socioeconomic-factors.html">E-crime and Socioeconomic Factors</a><br />
<a href="http://ddanchev.blogspot.com/2007/12/russias-fsb-vs-cybercrime.html">Russia's FSB vs Cybercrime</a><br />
<a href="http://ddanchev.blogspot.com/2007/08/malware-as-web-service.html">Malware as a Web Service</a><br />
<a href="http://ddanchev.blogspot.com/2007/09/localizing-open-source-malware.html">Localizing Open Source Malware</a><br />
<a href="http://ddanchev.blogspot.com/2008/04/quality-and-assurance-in-malware.html">Quality and Assurance in Malware Attacks</a><br />
<a href="http://ddanchev.blogspot.com/2006/09/benchmarking-and-optimising-malware.html">Benchmarking and Optimising Malware</a>]]></content:encoded>
      <pubDate>Mon, 21 Jul 2008 23:52:14 +0000</pubDate>
      <category domain="http://securityratty.com/tag/malware">malware</category>
      <category domain="http://securityratty.com/tag/malware author">malware author</category>
      <category domain="http://securityratty.com/tag/malware authors">malware authors</category>
      <category domain="http://securityratty.com/tag/malware binaries">malware binaries</category>
      <category domain="http://securityratty.com/tag/malware attacks">malware attacks</category>
      <category domain="http://securityratty.com/tag/ftp">ftp</category>
      <category domain="http://securityratty.com/tag/ftp user">ftp user</category>
      <category domain="http://securityratty.com/tag/collects">collects</category>
      <category domain="http://securityratty.com/tag/malware industry">malware industry</category>
      <source url="http://feeds.feedburner.com/~r/DanchoDanchevOnSecurityAndNewMedia/~3/342366718/coding-spyware-and-malware-for-hire.html">Coding Spyware and Malware for Hire</source>
    </item>
    <item>
      <title><![CDATA[A Culture of Compliance]]></title>
      <link>http://securityratty.com/article/6117c5f2f3744f6336d6a64b32ac58f3</link>
      <guid>http://securityratty.com/article/6117c5f2f3744f6336d6a64b32ac58f3</guid>
      <description><![CDATA[For those of you that arent familiar with it, Ethisphere is generally a great source for interesting news about corporate ethics violations, insider trading, bribery, fraud, and other embarrassing...]]></description>
      <content:encoded><![CDATA[<p>For those of you that aren’t familiar with it, <a href="http://ethisphere.com/">Ethisphere </a>is generally a great source for interesting news about corporate ethics violations, insider trading, bribery, fraud, and other embarrassing news stories. <a href="http://ethisphere.com/man-earns-nearly-47-million-for-not-firing-employees/">This recent article</a> has a much more pleasant ending than most, with a former general manager of a waste collection company earning nearly $47 million for obeying the law. After repeatedly refusing to fire three of his employees over the age of 60 despite ongoing pressure from his superiors, he was wrongfully terminated, according to the jury. Partly responsible for the large settlement were actions taken by his employers after he was terminated, including tampering with memos related to his performance review. The good-guy-comes-out-on-top stories are always nice to see. But <a href="http://www.irs.gov/compliance/article/0,,id=180171,00.html">while it may work for the IRS </a>(which reminds me, I have this colleague...) and the occasional waste collection company, most organizations can’t rely on the promise of riches to entice staff to behave appropriately and report wrongdoing. This quarter I will be writing a report on how compliance professionals work to create a culture of compliance and responsibility in their organizations. I have seen very interesting videos, training programs, and other awareness campaigns to drive the message home, and there are certainly examples of reward and punishment, but I’d like to hear from you as well... any good examples of how your company distributes or enforces policies, or maybe stories of a colleague who was singled out and embarrassed for not following the rules?</p>]]></content:encoded>
      <pubDate>Fri, 18 Jul 2008 10:12:01 +0000</pubDate>
      <category domain="http://securityratty.com/tag/compliance">compliance</category>
      <category domain="http://securityratty.com/tag/news stories">news stories</category>
      <category domain="http://securityratty.com/tag/news">news</category>
      <category domain="http://securityratty.com/tag/stories">stories</category>
      <category domain="http://securityratty.com/tag/compliance professionals">compliance professionals</category>
      <category domain="http://securityratty.com/tag/waste collection company">waste collection company</category>
      <category domain="http://securityratty.com/tag/recent article">recent article</category>
      <category domain="http://securityratty.com/tag/message home">message home</category>
      <category domain="http://securityratty.com/tag/examples">examples</category>
      <source url="http://blogs.forrester.com/srm/2008/07/a-culture-of-co.html">A Culture of Compliance</source>
    </item>
    <item>
      <title><![CDATA[Massive Blackhat SEO Targeting Blogspot]]></title>
      <link>http://securityratty.com/article/b67feb41b6dee87ceb22c52aa277b424</link>
      <guid>http://securityratty.com/article/b67feb41b6dee87ceb22c52aa277b424</guid>
      <description><![CDATA[With Blogspot's fancy pagerank and with Google's recent introduction of real-time content indexing of blogs using the service, the interest of blackhat SEO-ers into the efficient registration and...]]></description>
      <content:encoded><![CDATA[<a href="http://bp0.blogger.com/_wICHhTiQmrA/R7j426d7lkI/AAAAAAAABXw/2S_i98bpTNM/s1600-h/firesearch_sc_viz_SEO.bmp"><img id="BLOGGER_PHOTO_ID_5168154194699064898" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; CURSOR: hand" alt="" src="http://bp0.blogger.com/_wICHhTiQmrA/R7j426d7lkI/AAAAAAAABXw/2S_i98bpTNM/s200/firesearch_sc_viz_SEO.bmp" border="0" /></a>With Blogspot's fancy pagerank and with Google's recent introduction of real-time content indexing of blogs using the service, the interest of blackhat SEO-ers into the efficient registration and posting of junk content with the idea to monetize the traffic that will come from the process, seems to continue evolving as a process. In this specific case, we have <strong>firesearch.sc</strong> (64.111.196.120; 64.111.197.88) a blackhat SEO links farm that's visualized in the attached screenshot, and several thousands of automatically registered blogspot accounts directly feeding the searching queries that led to visiting them into <strong>firesearch.sc</strong>. 
What's also worth mentioning about this campaign is that the <strong>firesearch.sc's</strong> javascript search field appears at the top of every blog, whereas the blog's content itself consists of outgoing links to nearly fifty other such automatically registered blogs, again redirecting the search queries to <strong>firesearch.sc, </strong>whereas advertisements get served from <strong>64.111.196.117/c.php</strong><br /><br />Sample blogs :<br /><br /><strong>tilas--paralyze--video.blogspot.com</strong><br /><strong>parentdirectoryofnokia19942.blogspot.com</strong><br /><strong>imelodyalesana.blogspot.com</strong><br /><strong>iberryblack8320.blogspot.com</strong><br /><strong>ku990downloadwallpaper.blogspot.com</strong><br /><strong>blackberrypearl8100fre62265.blogspot.com</strong><br /><strong>motorolarazrv3amdriver90079.blogspot.com</strong><br /><strong>downloadcredmakerforf64090.blogspot.com</strong><br /><strong>smsmarathi.blogspot.com</strong><br /><strong>pradaphonethemes.blogspot.com</strong><br /><br />With a basic sample of ten such blogs, the entire operation could be tracked down and removed from Google's index. 
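<br /><br />To show how a handful of seed blogs lets you map the whole operation, here is an added example (not code from the original post): a small crawler that starts from one seed blog, follows outgoing blogspot links, and keeps only the blogs that embed the firesearch.sc search widget or pull ads from 64.111.196.117. The pages are constructed stand-ins with assumed markup; the hostnames and indicators are the ones named above. In a real run, fetch() would download each page instead of reading the dict.<br /><br />

```python
"""
Added example (not from the original post): map a Blogspot link farm from a
few seed blogs. Pages below are constructed stand-ins with assumed markup,
not captured content; the indicators are the ones named in the post.
"""
import re
from collections import deque
from html.parser import HTMLParser

FARM_HOST = "firesearch.sc"      # host of the search widget injected into every blog
AD_SERVER = "64.111.196.117"     # host serving the advertisements (c.php)

# Constructed sample pages keyed by hostname; hostnames are from the post's sample list.
SAMPLE_PAGES = {
    "tilas--paralyze--video.blogspot.com": """
        <html><head><script src="http://firesearch.sc/search.js"></script></head><body>
        <form action="http://firesearch.sc/search"><input name="q"></form>
        <a href="http://imelodyalesana.blogspot.com/">melody</a>
        <a href="http://smsmarathi.blogspot.com/">sms</a>
        <img src="http://64.111.196.117/c.php?z=1"></body></html>""",
    "imelodyalesana.blogspot.com": """
        <html><body><script src="http://firesearch.sc/search.js"></script>
        <a href="http://tilas--paralyze--video.blogspot.com/">video</a>
        <a href="http://pradaphonethemes.blogspot.com/">prada</a></body></html>""",
    "smsmarathi.blogspot.com": """
        <html><body><script src="http://firesearch.sc/search.js"></script>
        <a href="http://pradaphonethemes.blogspot.com/">prada</a></body></html>""",
    # An ordinary blog that a farm member happens to link to: no widget, no farm ads.
    "pradaphonethemes.blogspot.com": """
        <html><body><p>Phone themes</p>
        <a href="http://example-legit.blogspot.com/">a friend</a></body></html>""",
    "example-legit.blogspot.com": "<html><body><p>No widget here.</p></body></html>",
}


class _RefCollector(HTMLParser):
    """Gathers every URL a page references: links, scripts, images and form targets."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.refs.append(value)


_HOST_RE = re.compile(r"^(?:https?://)?([^/:?#]+)")


def host_of(url):
    """Hostname part of a URL, lower-cased ('' if none)."""
    m = _HOST_RE.match(url.strip())
    return m.group(1).lower() if m else ""


def referenced_hosts(html):
    p = _RefCollector()
    p.feed(html)
    return {host_of(r) for r in p.refs}


def is_farm_member(html):
    """A blog belongs to the farm if it embeds the farm's search widget or its ad server."""
    hosts = referenced_hosts(html)
    return FARM_HOST in hosts or AD_SERVER in hosts


def crawl_farm(seeds, fetch):
    """Breadth-first walk over blogspot outlinks, expanding only confirmed farm members.

    fetch(host) returns the page HTML or None. Returns {member_host: sorted outlinks}.
    An ordinary blog that a member links to is checked but never expanded, so the
    crawl stays inside the farm instead of wandering off into legitimate blogs.
    """
    queue, seen, members = deque(seeds), set(seeds), {}
    while queue:
        host = queue.popleft()
        html = fetch(host)
        if html is None:
            continue
        outlinks = {h for h in referenced_hosts(html)
                    if h.endswith(".blogspot.com") and h != host}
        if is_farm_member(html):
            members[host] = sorted(outlinks)
            for h in outlinks:
                if h not in seen:
                    seen.add(h)
                    queue.append(h)
    return members


if __name__ == "__main__":
    farm = crawl_farm(["tilas--paralyze--video.blogspot.com"], SAMPLE_PAGES.get)
    for blog in sorted(farm):  # the takedown list: every blog found carrying the widget
        print(blog, "->", ", ".join(farm[blog]))
```

Starting from a single seed, the walk reaches the two other widget-bearing blogs and stops at pradaphonethemes.blogspot.com, which links onward but carries neither indicator; that is the list you would hand to Google for removal.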
And while firesearch.sc pitches itself as a "<em>search engine that you can trust</em>", it looks like it is not only generating revenue for the people behind the operation but also acting as a keyword-popularity black hole.<br /><br /><strong>Related posts:</strong><br /><a href="http://ddanchev.blogspot.com/2008/01/invisible-blackhat-seo-campaign.html">The Invisible Blackhat SEO Campaign</a><br /><a href="http://ddanchev.blogspot.com/2007/01/attack-of-seo-bots-on-edu-domain.html">Attack of the SEO Bots on the .EDU Domain</a><br /><a href="http://ddanchev.blogspot.com/2007/04/malicious-keywords-advertising.html">Malicious Keywords Advertising</a><br /><a href="http://ddanchev.blogspot.com/2008/02/visualizing-seo-links-farm.html">Visualizing a SEO Links Farm</a><br /><a href="http://ddanchev.blogspot.com/2007/09/spammers-and-phishers-breaking-captchas.html">Spammers and Phishers Breaking CAPTCHAs</a><br /><a href="http://ddanchev.blogspot.com/2006/08/but-of-course-its-pleasant-transaction.html">But of Course It's a Pleasant Transaction</a><br /><a href="http://ddanchev.blogspot.com/2007/03/vladuzs-ebay-captcha-populator.html">Vladuz's EBay CAPTCHA Populator</a><br /><a href="http://ddanchev.blogspot.com/2006/11/blogosphere-and-splogs.html">The Blogosphere and Splogs</a><br /><a href="http://ddanchev.blogspot.com/2007/11/p0rngov-ongoing-blackhat-seo-operation.html">p0rn.gov - The Ongoing Blackhat SEO Operation</a>]]></content:encoded>
      <pubDate>Sun, 17 Feb 2008 19:53:13 +0000</pubDate>
      <category domain="http://securityratty.com/tag/blogspot">blogspot</category>
      <category domain="http://securityratty.com/tag/blogspot accounts directly">blogspot accounts directly</category>
      <category domain="http://securityratty.com/tag/entire operation">entire operation</category>
      <category domain="http://securityratty.com/tag/operation">operation</category>
      <category domain="http://securityratty.com/tag/content">content</category>
      <category domain="http://securityratty.com/tag/blogs">blogs</category>
      <category domain="http://securityratty.com/tag/sample blogs">sample blogs</category>
      <category domain="http://securityratty.com/tag/firesearch">firesearch</category>
      <category domain="http://securityratty.com/tag/real-time content">real-time content</category>
      <source url="http://feeds.feedburner.com/~r/DanchoDanchevOnSecurityAndNewMedia/~3/236804783/massive-blackhat-seo-targeting-blogspot.html">Massive Blackhat SEO Targeting Blogspot</source>
    </item>
    <item>
      <title><![CDATA[Evil Silos]]></title>
      <link>http://securityratty.com/article/9aaf7611c83c71eee9ec558f1b76b641</link>
      <guid>http://securityratty.com/article/9aaf7611c83c71eee9ec558f1b76b641</guid>
      <description><![CDATA[Today I will speak about evil. Yes, evil! There is plenty of evil in the world of logs (e.g. ugly logs ), but this is a &quot;bigger, better&quot; evil :-): siloed approach to logs
There is little that I hate...]]></description>
      <content:encoded><![CDATA[<p>Today I will speak about evil. Yes, evil! There is plenty of evil in the world of logs (e.g. <a href="http://www.loganalysis.org/pipermail/loganalysis/2008-January/000536.html">ugly logs</a>), but this is a "bigger, better" evil :-): <strong>siloed approach to logs!</strong></p> <p>There is little that I hate more than&nbsp; siloed approach to logs. A situation when you have your security team "owning" network IDS logs, network team having firewall and router logs (as well as all SNMP traps) and, say, a sysadmins possessing&nbsp; (or, rather, ignoring!) the logs from servers and desktop is not only sad, counterproductive, inefficient and wasteful, but also dangerous.</p> <p>Where does such approach to logs (where they are divided by both technical and political chasms) breaks down most painfully? In case of<strong> an incident response</strong>, of course. This is where instead of one query across all logs and all log sources (or whatever needed subset of logs or log sources), you'd end up with having run around, beg, connect, wait, swear, wait, download logs, dig in many places at once, wait, <em>grep</em>, suffer with many UIs, swear more - and have a time of your life in general! :-) All of the above instead of connecting to your shiny new <a href="http://www.loglogic.com/">log management system</a> and running a few reports, drilldowns and searches across the relevant logs.</p> <p>Ideally, you'd fight the evil and break down the silo walls by deploying <a href="http://www.loglogic.com/">a log management platform</a> across the entire organization and then letting every team that needs logs to get them from the system in a controlled fashion, via the interface or a web API (BTW, <a href="www.loglogic.com/">LogLogic</a> has <a href="http://www.loglogic.com/news/news-releases/2006/12/loglogic_open_log_services_power_first_servicesoriented_architecture_soa/">a web API</a> to get logs!). Apart from being a trend (e.g. 
see <a href="http://www.pr-inside.com/new-esg-research-finds-large-organizations-r262532.htm">recent ESG report</a> on that), it will make your IT and security operations that much more efficient - and pleasant!</p> <p>On the other hand, what is bizarre is that some newer vendors who claim to do log management actually work to propagate, not combat, the siloed approach. For example, selling the tool for $5000 to each of the many separate teams within the organization IMHO must be made illegal :-) as it builds walls, not bridges; digs holes and overall "silo-izes" your operation...</p> <div class="wlWriterSmartContent" id="scid:0767317B-992E-4b12-91E0-4F059A8CECA8:45efbdcf-f268-4735-85db-eac69fcaaff7" style="padding-right: 0px; display: inline; padding-left: 0px; padding-bottom: 0px; margin: 0px; padding-top: 0px">Technorati tags: <a href="http://technorati.com/tags/logging" rel="tag">logging</a>, <a href="http://technorati.com/tags/log%20management" rel="tag">log management</a></div>  <div class="blogger-post-footer">About me: http://www.chuvakin.org</div>]]></content:encoded>
      <pubDate>Thu, 24 Jan 2008 12:42:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/network ids logs">network ids logs</category>
      <category domain="http://securityratty.com/tag/logs">logs</category>
      <category domain="http://securityratty.com/tag/relevant logs">relevant logs</category>
      <category domain="http://securityratty.com/tag/download logs">download logs</category>
      <category domain="http://securityratty.com/tag/ugly logs">ugly logs</category>
      <category domain="http://securityratty.com/tag/router logs">router logs</category>
      <category domain="http://securityratty.com/tag/log management platform">log management platform</category>
      <category domain="http://securityratty.com/tag/log management">log management</category>
      <category domain="http://securityratty.com/tag/evil">evil</category>
      <source url="http://feeds.feedburner.com/~r/AntonChuvakinPersonalBlog/~3/222574533/evil-silos.html">Evil Silos</source>
    </item>
    <item>
      <title><![CDATA[How to fraudulently elect a president ]]></title>
      <link>http://securityratty.com/article/f7e5a2954136d255f22e70446d2ef649</link>
      <guid>http://securityratty.com/article/f7e5a2954136d255f22e70446d2ef649</guid>
      <description><![CDATA[As most know, the United States is in the midst of primary elections for presidential candidates. I live in New Hampshire, so woke at around 5:00am a couple of Tuesdays ago eager to participate in the...]]></description>
      <content:encoded><![CDATA[As most know, the United States is in the midst of primary elections for presidential candidates.  I live in New Hampshire, so I woke at around 5:00am a couple of Tuesdays ago eager to participate in the democratic process (I went early because I had a flight the same day to Germany...more on that later).  After getting to the front of the line, the pleasant elderly volunteer proceeded to authenticate me so that I could vote.   The authentication method she used was name and address.  She had a three-ring binder with everyone's name printed in an easily readable large font size.  The only problem was that she exposed the credential type, the name and the address for me to misuse as I pleased!  Now I know that I am not the first to bring this up or write about it. Even so, it boggles my mind that <strong>after having to go to the Supreme Court the last time we went through this exercise to select our president, we would not take more care with the voting process...  </strong>]]></content:encoded>
      <pubDate>Tue, 22 Jan 2008 21:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/tuesdays ago eager">tuesdays ago eager</category>
      <category domain="http://securityratty.com/tag/pleasant elderly volunteer">pleasant elderly volunteer</category>
      <category domain="http://securityratty.com/tag/process">process</category>
      <category domain="http://securityratty.com/tag/democratic process">democratic process</category>
      <category domain="http://securityratty.com/tag/easily readable">easily readable</category>
      <category domain="http://securityratty.com/tag/credential type">credential type</category>
      <category domain="http://securityratty.com/tag/authentication method">authentication method</category>
      <category domain="http://securityratty.com/tag/primary elections">primary elections</category>
      <category domain="http://securityratty.com/tag/address">address</category>
      <source url="http://www.rsa.com/blog/blog_entry.aspx?id=1256">How to fraudulently elect a president </source>
    </item>
    <item>
      <title><![CDATA[Holiday Storm Part 3]]></title>
      <link>http://securityratty.com/article/e6a27c1d60751f69f7d261f1397817fd</link>
      <guid>http://securityratty.com/article/e6a27c1d60751f69f7d261f1397817fd</guid>
      <description><![CDATA[I know, I know...enough already. But our Storm friends have changed the game a bit for the third round, as discussed on the ISC Diary , in particular Update 3. The changed domain and binary name led...]]></description>
      <content:encoded><![CDATA[I know, I know...enough already. But our Storm friends have changed the game a bit for the third round, as discussed on the <a href="http://isc.sans.org/diary.html?storyid=3784">ISC Diary</a>, in particular Update 3. The changed domain and binary name led me to ponder what else has changed. So...<br />1) New hash: BE22F894AC662C905C37CEFDE66DE065<br />2) Better hiding skills, no visible running processes, nastiness all hidden from the API (can you say rootkit?). No more hanging out in the open, easily seen.<br />The <a href="http://helios.miel-labs.com/">Helios Rootkit Detector</a>, now included in <a href="http://code.google.com/p/rapier/">RAPIER</a>, discovered darker voodoo than the last two versions:<br /><span style="font-style:italic;"><br />Scanning File System For Hidden Files<br />[*] Scanning Drive C<br />1 C:\WINDOWS\system32\cleanmgr.exe Hidden From API<br />2 C:\WINDOWS\system32\clean.config Hidden From API<br />3 C:\WINDOWS\system32\clean6c9-3320.sys Hidden From API<br />4 C:\WINDOWS\system32\dllcache\cleanmgr.exe Hidden From API<br /></span><br />SysAnalyzer says:<br /><span style="font-style:italic;"><br />Loaded Drivers:<br />Driver File Company Name Description <br />C:\WINDOWS\System32\clean6c9-3320.sys<br /><br />Kernel31 Api Log<br />***** Installing Hooks *****<br />4012c1     CreateFileA(C:\WINDOWS\System32\clean.config) <br />40117f     CreateFileA(C:\WINDOWS\System32\clean6c9-3320.sys)<br /><br />DirwatchData<br />WatchDir Initilized OK <br />Watching C:\WINDOWS <br />Created: C:\WINDOWS\system32\clean.config <br />Modifed: C:\WINDOWS\system32\clean.config <br />Modifed: C:\WINDOWS\system32\config\system.LOG <br />Modifed: C:\WINDOWS\system32 <br />Created: C:\WINDOWS\system32\clean6c9-3320.sys <br />Modifed: C:\WINDOWS\system32\clean6c9-3320.sys<br /></span><br />3) AV coverage is further improved for this version:<br /><span style="font-style:italic;"><br />AntiVir 7.6.0.46 - TR/Rootkit.Gen<br />Authentium 
- W32/StormWorm.R<br />Avast - Win32:Zhelatin-ASX<br />AVG - Dropper.Generic.TLF<br />BitDefender - DeepScan:Generic.Malware.FMH@mmign.55A134E9<br />ClamAV - Trojan.Zhelatin<br />DrWeb - Trojan.Spambot.2387<br />Fortinet - W32/Tibs.G@mm<br />F-Prot - W32/StormWorm.R<br />F-Secure - Email-Worm.Win32.Zhelatin.pl<br />Ikarus - Virus.Win32.Zhelatin.ASX<br />Kaspersky - Email-Worm.Win32.Zhelatin.pl<br />Microsoft - Backdoor:WinNT/Nuwar.B!sys<br />NOD32v2 - Win32/Fuclip.AW<br />Panda - Suspicious file<br />Prevx1 - Stormy:Worm-All Variants<br />Sophos - Mal/Dorf-H<br />Webwasher-Gateway - Trojan.Rootkit.Gen<br /></span><br />How perfectly unpleasant, making things more difficult to spot. Here's my New Year's wish for the Storm lamers. Bugger off (kept pleasant for the kids).]]></content:encoded>
      <pubDate>Wed, 26 Dec 2007 20:43:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/kernel31 api log">kernel31 api log</category>
      <category domain="http://securityratty.com/tag/log">log</category>
      <category domain="http://securityratty.com/tag/api">api</category>
      <category domain="http://securityratty.com/tag/zhelatin-asx">zhelatin-asx</category>
      <category domain="http://securityratty.com/tag/sys">sys</category>
      <category domain="http://securityratty.com/tag/asx">asx</category>
      <category domain="http://securityratty.com/tag/rootkit">rootkit</category>
      <category domain="http://securityratty.com/tag/helios rootkit detector">helios rootkit detector</category>
      <category domain="http://securityratty.com/tag/zhelatin">zhelatin</category>
      <source url="http://holisticinfosec.blogspot.com/2007/12/holiday-storm-part-3.html">Holiday Storm Part 3</source>
    </item>
  </channel>
</rss>
