[SecurityRatty] tag: releases

The Good Get Conned-When Trust is Biological

Mon, 01 Dec 2008 11:00:35 +0000

Bruce Schnier linked to an interesting article a while back, discussing how brain chemistry causes you to trust people when demonstrate that they trust you, especially when they’re relying on you and may be vulnerable…interesting stuff:

THOMAS is a powerful brain circuit that releases the neurochemical oxytocin when we are trusted and induces a desire to reciprocate the trust we have been shown–even with strangers. The key to a con is not that you trust the conman, but that he shows he trusts you. Conmen ply their trade by appearing fragile or needing help, by seeming vulnerable. Because of THOMAS, the human brain makes us feel good when we help others–this is the basis for attachment to family and friends and cooperation with strangers

So my question: if real-life cons can easily scam people by appearing to depend on them, how does this affect the scams we see on the Net? Clearly some online cons rely on this method — the Nigerian bank scam being a prime example. It seems like social engineering scams particularly rely on this method — but not all scams. And of course many other vulnerabilities just seem to rely on people’s habits to just click links willy-nilly online, which is an impersonal event. If the net were a more personal place, we might see many more of those kinds of scams.

Links for 2008-11-19 [del.icio.us]

Wed, 19 Nov 2008 21:00:00 +0000

QualysGuard PCI Pass/Fail Status Criteria - Qualys
Press Releases - November 11, 2008 - Q1 Labs
free, downloadable, log management and compliance product that provides organizations with visibility across their networks, data centers, and infrastructures
Healthy Paranoia: Top 50 Internet Security Blogs by The Daily Netizen
GOVCERT.NL Symposium 2008
Looking for Trouble - WSJ.com
ClearNet Security : It’s hard to build a smart SIEM
If you find yourself evaluating SIEM products, dig in and investigate how each works - you don’t want yesterday’s product.
PCI Perspectives by Dave Taylor
Lehman Bros 'killed by complexity' (physicsworld.com Blog) - physicsworld.com

Will Code Malware for Financial Incentives

Tue, 18 Nov 2008 10:57:55 +0000

A couple of hundred dollars can indeed get you state of the art undetectable piece of malware with post-purchase service in the form of automatic lower detection rate for sure, but what happens when the vendors of such releases start vertically integrating just like everyone else, and start offering OS-independent spamming, flooding, modifications and tweaking of popular crimeware kits in the very same fashion? The quality assurance process gets centralized into the hands of experienced programmers that have been developing cybercrime facilitating tools for years.

It's interesting to monitor the pricing schemes that they implement. For instance, the modularity of a particular malware, that is the additional functions that a buyer may want or not want, increase or decrease the price respectively. Others, tend to leave the price open topic by only mentioning the starting price for their services and they increasing it again in open topic fashion.

Let's take look at some recently advertised (translated) "malware coding for hire" propositions, highlighting some of the latest developments in their pricing strategies :

Proposition 1 :
"Programs and scripts under the following categories are accepted :
grabbers; spamming tools for forums, spamming tools for social networking sites, modifications of admin panels for (popular crimeware kits), phishing pages

Platform: software running on MAC OS to Windows
Multitasking: have the capacity to work on multiple projects
Speed and responsibility: at the highest level
Pre-payment for new customers: 50% of the whole price, 30% pre-pay of the whole price for repreated customers
Support: Paid
Rates: starting from 100 euros

If, after speaking ultimate price, you decide to add to your order something else - the price change. Prepare the job immediately, which will understand what to do and how much it will cost you, if you have any suggestions for a price, then lays them immediately and not after the work is completed. If you order something that requires parsing your logs, and their continued use, you agree to provide "a significant portion of the logs, so that after putting the project did not raise misunderstandings due to the fact that some logs are no longer "fresh", because of their "uniqueness". In this case, for the finalization of the project will be charged an additional fee."

This is an example of an "open topic pricing scheme" with the vendor offering the possibility to code the malware or the tool for any price above 100 euro based on what he perceives as features included within worth the price.

Proposition 2:
"Starting price for my malware is 250 EUR. Additional modules like P2P features, source code for a particular module go for an additional 50 EUR. If you're paying in another currency the price is 200 GBP or 395 dollars. I sell only ten copies of the builder so hurry up. The trading process is simple - a password protected file with the malware is sent to you so you can see the files inside. You then sent the money and I mail you back the password. If you don't like this way you lose.

I can also offer you another deal, I will share the complete source code in exchange to access to a botnet with at least 4000 infected hosts because I don't have time to play around with me bot right now.

This proposition is particularly interesting because the seller is introducing basic understanding of exchange rates, but most of all because he's in fact offering a direct bargain in the form of access to a botnet in exchange for a complete source code of his malware bot. Both propositions are also great examples that vendors engage by keeping their current and potential customers up-to-date with TODO lists of features to come next to the usual CHANGELOGS, and, of course, establish trust by allowing potential customers to take a peek at the source code of the malware they're about to purchase.

Related posts:
Coding Spyware and Malware for Hire
The Underground Economy's Supply of Goods and Services
The Dynamics of the Malware Industry - Proprietary Malware Tools
Using Market Forces to Disrupt Botnets
Multiple Firewalls Bypassing Verification on Demand
Managed Spamming Appliances - The Future of Spam
Localizing Cybercrime - Cultural Diversity on Demand
E-crime and Socioeconomic Factors
Russia's FSB vs Cybercrime
Malware as a Web Service
Localizing Open Source Malware
Quality and Assurance in Malware Attacks
Benchmarking and Optimising Malware

NetWitness releases free version of security software

Sun, 16 Nov 2008 21:00:00 +0000

NetWitness, a vendor of networking threat-analysis software, is offering a free version of its NetWitness Investigator package by download, the company said Monday.

A Diverse Portfolio of Fake Security Software - Part Thirteen

Wed, 12 Nov 2008 13:57:26 +0000

What is the difference between a reactive and proactive threat intell? A reactive threat intell is assessing a campaign, individual, a group of individuals, how are they related to one another, and what have they been doing in the past, based exclusively on a lead that's been found within the past couple of hours.

Try the very latest rogue security domains courtesy of three domainers (Fedor Ibragimov cndomainz@yahoo.com, Anton Golovayk gpdomains@yahoo.com and Ivan Durov idomains.admin@gmail.com ) whose portfolios can always keep you updated about the latest releases of such popular software as The Best Antivirus Cleaner 2008.

powerfullantivirusscan .com (78.159.118.217; 89.149.253.215; 208.72.168.185)
protection-update .com
updatepcprotection .com
updateyourprotection .com
mac-imunizator .net (67.205.75.10)
avproinstall .com (78.157.141.26)
winavpro .com (92.241.163.30)

As far as proactive threat intell is concerned, try the following "upcoming fake security software domains" :

spywaredefender2009 .com
spywaredestroyer2009 .com
spywareeliminator2009 .com
spywareprotector2009 .com

It would be interesting to monitor whether or not the well known non-existent security software brands we've monitoring throughout 2008, will be basically typosquatted in a 2009 like fashion, or would they simply introduce new brands. With their business model under pressure, I'm starting to see evidence of schemes involving the illegal advertisement of affiliate links to legitimate security software, where the cybercriminals are actual resellers of it. There's also no shortage of surreal situations, where a fake security software is taking advantage of blackhat SEO practices promising the removal of competing fake security software brands.

Last week, the noadware .net (69.20.71.82; 69.20.104.139) software was persistently advertised in such a way, mostly by generating Wordpress accounts promising to remove competing software :

antiviruspro2009.wordpress .com
ultraantivirus2009.wordpress .com
smartantivirus.wordpress .com
antiviruslab2009.wordpress .com
antivirusvip.wordpress .com
personaldefender2009.wordpress .com
malwareremoval.wordpress .com

Naturally, it didn't take long before blackhat SEO farms were created for the purpose, like these very latest ones :

removal-tool.blogspot .com
cgidoctor .com
spywareremoval .net
spyware-adware-remover .com
spywarestop .com
zero-adware .net
adware-remove .com
antispywaresecrets .com
protectyourcomputerfromspyware .info
cleanpcfree .net
spyware-bot .com
spywarezapper.co .uk
thepcsecurity .com
noadware-official-site .com
spywaredoctorfavor .cn
removespywareedge .cn
thespywareremover .com
virusremovalguru .com
virusremovalguide .org

The day when fake security software sites start attracting traffic by promising to remove other fake security software, is the day when we have clear evidence that an ecosystem has emerged.

Related posts:
A Diverse Portfolio of Fake Security Software - Part Twelve
A Diverse Portfolio of Fake Security Software - Part Eleven
A Diverse Portfolio of Fake Security Software - Part Ten
A Diverse Portfolio of Fake Security Software - Part Nine
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software

Summarizing Zero Day's Posts for October

Tue, 04 Nov 2008 05:28:07 +0000

Here's a brief summary of all of my posts at Zero Day for October. You can also go through previous summaries for September, August and July, as well as subscribe to my personal RSS feed or Zero Day's main feed.

Notable articles for October - Scammers introduce ATM skimmers with built-in SMS notification; Inside an affiliate spam program for pharmaceuticals; CardCops: Stolen credit card details getting cheaper.

01. Cybercriminals syndicating Google Trends keywords to serve malware
02. Scammers introduce ATM skimmers with built-in SMS notification
03. Atrivo/Intercage's disconnection briefly disrupts spam levels
04. Adobe posts workaround for clickjacking flaw, NoScript releases ClearClick
05. Asus ships Eee Box PCs with malware
06. Fake Microsoft Patch Tuesday malware campaign spreading
07. Secunia: popular security suites failing to block exploits
08. Survey: 88% of Mumbai's wireless networks easy to compromise
09. Adobe's Serious Magic site SQL Injected by Asprox botnet
10. Inside an affiliate spam program for pharmaceuticals
11. Google to introduce warnings for potentially hackable sites
12. Lack of phishing attacks data sharing puts $300M at stake annually
13. CardCops: Stolen credit card details getting cheaper
14. Cybercrime friendly EstDomains loses ICANN registrar accreditation
15. Phishers apply quality assurance, start validating credit card numbers
16. Spammers targeting Bebo, generate thousands of bogus accounts

Microsoft Releases Emergency Patch For Critical Windows Vulnerability

Thu, 23 Oct 2008 21:01:14 +0000

Microsoft has released an out-of-band patch to fix an extremely critical vulnerability that exposes Windows users to remote code execution attacks. The emergency update comes just one week after the regularly scheduled Patch Tuesday and follows the discovery of a targeted zero-day attack, Microsoft said in an advisory. The vulnerability is rated critical on Windows 2000, [...]

Microsoft releases emergency Windows patch to head off worm attack

Thu, 23 Oct 2008 00:00:00 +0000

Microsoft warned that attackers are exploiting a critical flaw in the Windows operating system that could be used in a worm attack and rushed out an emergency patch on Thursday.

Blue Box #84: New Cisco, Avaya, Nortel VoIP security vulnerabilities from VoIPShield, Skype in China, UCSniff and other new tools, news and more

Mon, 20 Oct 2008 04:32:28 +0000

Synopsis: Blue Box #84: New Cisco, Avaya, Nortel VoIP security vulnerabilities from VoIPShield, Skype in China, UCSniff and other new tools, news and more

Welcome to Blue Box: The VoIP Security Podcast #84, a 30-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, MB) or subscribe to the RSS feed to download the show automatically.

You may also listen to this podcast right now:

Show Content:

00:20 - Intro to the show, contact information and how to provide comments. Welcome to all the new listeners - and to all those listeners who have been here for so long!
Programming notes:
- Three-year anniversary of Blue Box coming up on October 24th - any thoughts you'd like to share with us? (Please send them to us by October 23rd.)
VoIPShield announces new vulnerabilities and http://www.voipshield.com/research.php
http://www.theregister.co.uk/2008/09/30/voip_eavesdropping_tool/
"Sipera Develops VoIP Spy Program - to Prove a Point" - http://www.voipplanet.com/trends/article.php/3776136
SecureLogix Announces Free Availability of VoIP Security Tools
NY Times: Surveillance of Skype Messages Found in China - http://www.nytimes.com/2008/10/02/technology/internet/02skype.html?_r=2&partner=rssnyt&pagewanted=print
http://securitywatch.eweek.com/privacy/skypechina_breach_is_anyone_really_surprised.html
http://www.informationweek.com/news/telecom/voip/showArticle.jhtml?articleID=210605439
Skype CEO's blog post about the issue: http://share.skype.com/sites/en/2008/10/answers_to_some_commonly_asked.html
http://www.itbusinessedge.com/blogs/top/?p=398
http://www.voip-news.com/feature/google-phone-europe-growth-092408/
http://www.itnewsafrica.com/?p=1269
http://news.cnet.com/8301-1009_3-10052393-83.html
http://www.broadbandreports.com/shownews/VoIP-Vulnerabilities-Being-Exposed-Today-98039
http://www.itbusinessedge.com/blogs/top/?p=402
http://voipsa.org/blog/2008/10/07/5th-emergency-services-workshop-to-be-held-oct-21-23-in-vienna/
http://eon.businesswire.com/news/eon/20080924005342/en
http://www.crn.com/security/210602442
http://it.tmcnet.com/topics/it/articles/41236-infoblox-unveils-dns-firewall-address-dns-vulnerability-concerns.htm
http://www.newswire.ca/en/releases/archive/September2008/29/c9005.html
No comments this week.
Review of the last week's traffic on the VOIPSEC public mailing list
Wrap-up of the show
30:26 - End of show

NOTE: Long-time listeners will note that the show notes above are in a less descriptive form than usual. After almost three years of using one wiki for preparing for our shows, Jonathan and I switched to using a new system and are still working out some of the details that will speed the input into show notes.

Comments, suggestions and feedback are welcome either as replies to this post or via e-mail to blueboxpodcast@gmail.com. Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows. You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

Patch releases push down Microsoft's stock, researcher says

Tue, 14 Oct 2008 00:00:00 +0000

Microsoft's stock price regularly takes a hit on the days the company issues security patches, but it typically rebounds the next day, according to research by McAfee.