[SecurityRatty] tag: screenshot

The DDoS Attack Against Bobbear.co.uk

Wed, 19 Nov 2008 05:35:01 +0000

When you get the "privilage" of getting DDoS-ed by a high profile DDoS for hire service used primarily by cybercriminals attacking other cybercriminals, you're officially doing hell of a good job exposing money laundering scams.

The attached screenshot demonstrates how even the relatively more sophisticated countersurveillance approaches taken by a high profile DDoS for hire service can be, and were in fact bypassed, ending up in a real-time peek at how they've dedicated 4 out of their 10 BlackEnergy botnets to Bobbear exclusively.

Perhaps for the first time ever, I come across a related DoS service offered by the very same vendor - insider sabotage on demand given they have their own people in a particular company/ISP in question. Makes you think twice before considering a minor network glitch what could easily turn into a coordinated insider attack requested by a third-party. Moreover, now that I've also established the connection between this DDoS for hire service and one of the command and control locations (all active and online) of one of the botnets used in the Russia vs Georgia cyberattack, the concept of engineering cyber warfare tensions once again proves to be a fully realistic one.

Related posts:
A U.S military botnet in the works
DDoS Attack Graphs from Russia vs Georgia's Cyberattacks
Botnet on Demand Service
OSINT Through Botnets
Corporate Espionage Through Botnets
The DDoS Attack Against CNN.com
A New DDoS Malware Kit in the Wild
Electronic Jihad v3.0 - What Cyber Jihad Isn't

Dont Confuse Windows Defender and WinDefender

Thu, 06 Nov 2008 08:56:31 +0000

WinDefender is a malware program, now it’s promising an update “Get rid of mailware now!” It’s been out a while but now there’s the “Update” going around.

Be wary and warn the folks you know — this isn’t Windows Defender, an anti malware program.

F-secure has a screenshot so you know what to look for…and of course the requisite joke, hoping that future versions might promise an end to “maleware.”

Good luck with that, guys.

Inside a Managed Spam Service

Fri, 03 Oct 2008 07:20:32 +0000

A managed spam vendor always has to raise the stakes during its introduction period on the market. But what happens when a market follower starts using the market leader's proprietary managed spamming system, and is able to provide better spamming rates at a cheaper prices? Market forces and unethical competition at its best.

So, what is this market challenger using the monopolist's -- in respect to managed spamming services not spam in general -- proprietary system (Spamming vendor launches managed spamming service) up to anyway? Promising and delivering, 1, 400,000 emails daily, 60,000 mails per hour, and 100 emails per minute. What we've got here are the spam metrics out of 5 already finished spam campaigns that has managed to sent out a million spam emails using only 2000 malware infected hosts. Also, CC-ing and BCC-ing made it possible to multiple the effect of the campaign and increase the total number of emails spammed. Talking about benchmarks, 789 emails per minute at a rate of 12/13 emails per second is a pretty good one, considering it's only 2k bots that they were using. What they also promise is automatic rotation of IPs upon automatically checking them against public blacklists, and a mix rotation of IPs from their own netblocks located in Russia and Germany with the fresh IPs coming from the newly infected hosts.

Earlier this month, I discussed the market leader's managed spamming system, access to which they also offer for rent :

"An inside look of the system obtained on 2008-08-12 indicates that they are indeed capable of delivering what they promise - speed, simplicity and 5000 malware infected hosts. Moreover, the attached screenshot demonstrates that 20 different email databases can be simultaneously used resulting in 16,523,247 emails about to get spammed using 52 different macroses. Furthermore, what they refer to as a dynamic set of regional servers aiming to ensure that the central server never gets exposed, is in fact fast-flux which depending on how many bots they are willing to put into “rtsegional server mode” shapes the size of the fast-flux network at a later stage."

With cutting edge managed spam services like the ones currently in circulation, it remains to be seen whether or not spammers would migrate to this outsourcing model, or continue coming up with adaptive ways to send out their scams and malware on their own.

A New Security Breach in Google Docs Revealed

Mon, 15 Sep 2008 07:59:03 +0000

I am a big fan of Google and, over time, I have started to enjoy the freedom from my desktop with Google Docs. For example, when I keep track of business expenses I have found it easier to update a Google Spreadsheet versus depending on Microsoft Excel on my laptop because I can update from anywhere in the world and share with my bookkeeper too. So, I’ve been using Google Docs more lately.

Today, however, I discovered a huge security breach in Google Docs. While I was in my account working on a spreadsheet I suddenly found my Google Doc account listing many documents that did not belong to me. I clicked on one of the documents and the results are in the image below, where my Google Doc session appears to have “crossed over” with another users.

I decided to do a bit more exploring and take a few more screenshots, because I don’t yet know how to reproduct this security breach. The image below show a Google document (fifth from the top) which is not owned by me, “owned by me”. However, when I click on this mysterious “owned by me” document, it is owned by another user. Here is another screenshot below; you can click on the image for the full-screen version.

Again, here is another example of the same security violation with two documents. As above, you can click on the image for a full-screen version.

I contacted the owner of the Google Docs account which I had suddenly and mysteriously “crossed sessions” with today. I asked him if he was in Thailand (since a few of the documents were in Thai) and he said yes, however he say he did not have any Thai language documents in his account. However, as you can see from the screenshot, the Google Docs menu shows this person as “the owner” of a Thai language document. He also mentioned that, today, he saw “wierd documents” in his account that did not belong to him (or “normally” shared with him).

Unfortunately, I was having problems with the Internet connection in my hotel room so I could not continue to investigate the breach. When I logged back in a few hours later, everything was back to normal. So far, all is “normal” and I have not been able to repeat this breach.

I suspect the Google Docs flaw comes from a JavaScript error in how Google manages user sessions. The bottom line is that the security breach is real and dangerous. Your Google Docs, and I suspect other Google applications that use the same session management code, are vulnerable. There may be an underlying XSS vulnerability as well.

Note: Reposted from my original post on the ISC2 blog.

More MMORPG Fakeouts

Thu, 04 Sep 2008 12:16:43 +0000

Here's a few more sites presumably created by the maker of the fake Batman Online game.

Step up, Dragonball Z:

Click to Enlarge

To "download" this Dragonball Z MMORPG, you have to fill out a survey:

Click to Enlarge

Once done, you'll be amazed(!) to find you're taken to....shockingly....the official Dragonball Z MMORPG game.

The only problem? The website is in Japanese and the game hasn't been released yet.

Click to Enlarge

Forgive me for thinking this isn't the greatest deal I've ever been sold.

Now it's Harry Potters turn:

Click to Enlarge

Like the Batman site, you need to install Zango. Do so, and.....you're taken to the popular Hogwarts Live, which you could have easily found and played yourself without installing Adware. As you probably guessed, the screenshot from the title graphic on the site is not part of the game you'll eventually play.

The sites involved are

onlinedbzgame.info

and

harrypottergame.info

in case you want to add them to your blocklists.

XSS fortune cookie

Tue, 02 Sep 2008 12:10:00 +0000

Forgive me in advance for an extremely bad joke, if you can even call it that, but I just can't help it.
Here's how to get an XSS fortune cookie:

1) Ask the mighty Google oracle who might be able to tell you your fortune.
http://www.google.com/search?hl=en&q=tell+my+fortune&btnG=Search&lr=lang_en

2) Select one of the sponsored links; in this case I chose SpritualExperts.com.

3) Pick a variable. I settled for banid.

4) Ask it if it has a cookie for you.
http://www.spiritualexperts.com/psychic_reading/psychic_reading.asp?banid=%22%3E%3CSCRIPT%3Ealert%28document%2Ecookie%29%3C%2FSCRIPT%3E

Voila...an XSS fortune cookie. Sorry. Really, I am.

The webmaster has been advised...play nice.

Screenshot for after they fix the issue.

del.icio.us | digg

Leave Your Webcam On 24/7? Might Want To Reconsider...

Mon, 01 Sep 2008 11:46:09 +0000

It's nothing new that many hackers use programs that allow them to "spy" on their victims once they've compromised the PC (as long as they have a webcam switched on, of course). Similarly, hacking culture has always had a fascination for memes, incorporating them into part of the design of their latest DDoS tools.

However, the strange obsession with shock memes has now spilled into a "fun" game currently doing the rounds on various hacking sites and forums.

What this involves is hackers compromising a PC, ensuring the victim has a webcam switched on then opening up shock meme websites at the most inopportune moment, recording the moment of impact with the webcam feed. Or, as one guy put it:

If you don't know what Meatspin is, you can probably count yourself lucky. If you still want to know, click here (for an explanation. Not Meatspin itself, though the explanation might be classed NSFW anyway).

Here's a real life example of one such incident, taken from a message board:

Click to Enlarge

Typically, the shock meme website is opened up at full blast, which startles the victim (most sites of this nature loop a piece of music in the background while the, er, action takes place on screen). The bigger the shock, the better. Here's one guy who sounds like he shot about six feet in the air when the meme site fired up in his browser:

Click to Enlarge

This might all sound like fun and games - sort of - but note that the above individual did try to grab the victims credit card details.

Generally, the attacker doesn't interact with the victim (because they want friends, relatives or others to think the victim actually brought the site up themselves) but here's a little trash talk anyway:

At this point, the attacker may or may not grab a screenshot for posterity. I've seen quite a few galleries on sites comprised of people looking shocked at Tubgirl, or being spun round baby right round by Meatspin, and there's no doubt countless others out there floating around. Of course, not everybody is shocked (or indeed impressed) by a shockmeme site popping up on their computer. As an example of that, take this guy:

Full credit to anyone that counters a shockmeme site appearing on their desktop by picking their nose for five minutes. At any rate, the golden rule with this is that the hackers only bother doing this when a webcam is present and left switched on. If there's no webcam, there's no point trying to elicit a response (because for all they know they're popping open 2 Girls and 1 Cup to an empty server room).

Webcams can be a fun tool, but remember to switch them off every now and again or they could come back to haunt you. Of course, depending on the shock meme site deployed (and who happens to be in the room with you at the time), that could be the least of your worries...

Don't Panic

Fri, 29 Aug 2008 13:03:16 +0000

Sometimes it's easy to believe that every last thing online is going to eat into your PC, burn your house down, kill your cat and so on. The last few days I'd been hearing rumblings about some "Youtube rap video" and a file that would start hijacking your PC - well, thanks to a tipoff from a forum-goer at Spywarewarrior, I can hopefully put this one to rest.

In short, a video promoting a rap mix-tape supposedly took you to a file that "hijacked your PC with Spywarestop". In actual fact, there's no file to hijack you. Let's take a look - here's the Youtube page in question:

Click to Enlarge

As you can see, there's the mix-tape being advertised and a link to Mediafire, where the mix-tape is hosted. Click the Mediafire link, and all that happens is you'll see an advert for various antispyware tools - some of them on the Rogue Antispyware list, some of them not on the list but known to be of little worth to the end-user.

Click to Enlarge

In this particular case, it's an advert for Adware Alert. It's not hijacking you, or breaking things or making your browser fly around the screen, nor is it a "virus". It's just an (admittedly loud) advert. If you're running a browser compatible with Adblock Plus, all you'll see beneath the Mediafire logo is a blank space. Even if you're vaguely alarmed by the advert, all you have to do is click the "Continue to Mediafire.com" message at the top right of the screen (missing from the above screenshot as I cropped the image too small - whoops) and you'll be taken to the file you requested.

Like the title says - don't panic. This really isn't something to worry about too much. Even the most obnoxious rogue antispyware advert (the ones that do resize your browser, throw up endless popups and make annoying "Woop woop" noises) can usually be escaped by simply hitting CTRL+ALT+DEL and using Task Manage to close your browser session.

Banker Malware Targeting Brazilian Banks in the Wild

Mon, 18 Aug 2008 03:01:03 +0000

Despite the ongoing customerization of malware, and the malware coding for hire customer tailored services, certain malware authors still believe in the product concept, namely, they build it and wait for someone to come. In this underground proposition for a proprietary banker malware targeting primarily Brazillian bank, the author is relying on the localized value added to his malware forgetting a simply fact - that the most popular banker malware is generalizing E-banking transactions in such a way that it's successfully able to hijack the sessions of banks it hasn't originally be coded to target in general.

Banks targetted in this banker malware :
Bank Equifax
Bank Itau
Bank Check
Bank Vivo
Bank Banrisul
Tim Bank Brazil
Bank Nossa Caixa
Bank Santander Banespa
Bank Infoseg
Bank Paypal
Bank Caixa Economica Federal
Bank Bradesco
Bank Northeast
Royal Bank
Bank Itau Personnalite
Bank PagSeguro
Australia Bank
Credicard Citi Bank
Credicard Bank Itau
Rural Bank

Taking into consideration the fact that not everyone would be willing to pay a couple of thousand dollars for a banker malware kit targeting banks the customer isn't interested in at the first place, malware authors have long been tailoring their propositions on the basis of modules. Adding an additional module for stealtness increases the prices, as well as an additional module forwarding the process of updating the malware binary to the "customer support desk". Moreover, stripping the banker kit from modules in which the customer doesn't have interest, like for instance exclude all Asian banks the kit has already built-in capabilities to hijack and log transactions from, decreases its price.

In a truly globalized IT underground, Brazillian cybercriminals tend to prefer using the market leading tools courtesy of Russian malware authors, so this localized banker malware with its basic session screenshot taking capabilities and accounting data logging has a very long way to go before it starts getting embraced by the local underground.

Related posts:
The Twitter Malware Campaign Wants to Bank With You
Targeted Spamming of Bankers Malware
A Localized Bankers Malware Campaign
76Service - Cybercrime as a Service Going Mainstream
The Underground Economy's Supply of Goods and Services
The Dynamics of the Malware Industry - Proprietary Malware Tools
Using Market Forces to Disrupt Botnets
Multiple Firewalls Bypassing Verification on Demand
Managed Spamming Appliances - The Future of Spam
Localizing Cybercrime - Cultural Diversity on Demand
E-crime and Socioeconomic Factors
Malware as a Web Service
Coding Spyware and Malware for Hire
Are Stolen Credit Card Details Getting Cheaper?
Neosploit Team Leaving the IT Underground
The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw
Pinch Vulnerable to Remotely Exploitable Flaw
Dissecting a Managed Spamming Service
Managed "Spamming Appliances" - The Future of Spam

Is Your Firewall a High Risk Entity

Fri, 15 Aug 2008 11:15:57 +0000

Not trying to be overly snarky here, but I was reviewing some GRC product literature recently. And there was a screenshot of an application window showing how the software helps identify “high risk entities”. And in the screenshot, there were 5 of these entities listed, each with corresponding risk ratings (High/Medium/Low) and scores (really just non-measurement ordinal numbers). The screenshot showed that the riskiest entity of the five shown was a Checkpoint Firewall-an assertion backed up by the non-measurement “Risk Score”. The lowest risk scores were shared by a nameless Web Application and an entity called “Oracle App”.

My friend, I’m going to give you a hint. If your firewall is “high risk” and your actual business applications are “low risk” - you might be doing it wrong.