[SecurityRatty] tag: simpsons

Homer's Odyssey

Fri, 18 Jul 2008 12:52:08 +0000

Well, it's been a pretty busy week here as Homer Simpson + Malware = quite the commotion.

It started off with USA Today, VNUNet and CNET, then appeared on Slashdot over the weekend. After that, the sheer joy at being able to use Homer Simpson pictures in tech-related writeups was evident. Who would have thought it would finish off with Matt Selman himself (the Simpsons scriptwriter responsible for the whole "Chunkylover53" phenomenon) writing about the situation.

Pretty nuts. Heck, I even got to do a four minute Podcast that (from what I've been told) goes out to around 100 radio stations in the States. I think the closest I got to crossing security with popular culture previously was ye olde net-war (that revolved around a "stolen" picture of Lindsay Lohan - long story), but this one has Homer Simpson in it so clearly it wins by default.

However, what a lot of people might have missed - in fact, I nearly missed it myself - was something that appeared shortly before the plug appeared to be pulled on poor old Homer. Here's a screenshot of his previous message history - you can see how many times it was constantly changing:

Click to Enlarge

Here's the final message I saw before the lights seemingly went out on Homer:

Click to Enlarge

That message is particularly interesting, because it refers to a group of individuals who were involved in this Comcast hack not so long ago. Were they involved here? Or are the real culprits simply blaming someone else?

Homer Simpson and the Kimya Botnet

Fri, 11 Jul 2008 13:46:17 +0000

Television often relies on fake codes, phone-numbers and addresses to make up part of their fictional worlds. Sometimes, it can go slightly wrong - how many people tried to call Doctor Who last week?

D'oh.

Actually, "D'oh" is rather appropriate here. In an old episode of The Simpsons, it was revealed that Chunkylover53@aol.com was Homers Email address. Of course, every Simpsons fan with net access immediately added Chunkylover53 to their AIM contact list. As this article points out....

Homer's e-mail address chunkylover53@aol.com, as seen on EABF03, was registered by writer-producer Matt Selman, who also replied to e-mails from fans testing it. "He logged in the night that the episode aired and it was immediately filled with the maximum number of responses. He's tried to answer every one of them and then as soon as he answers a hundred, a hundred more pop in," Al Jean told the New York Post in January 2003.

The "Chunkylover53" AIM screen-name hasn't logged in for quite some time, apparently. Imagine the puzzled expressions worn by Simpsons fans when, all of a sudden, the account came back to life in the last few days with this in their "Away" message....

...yes, "Homer" has seemingly returned, and he comes bearing infection files!

Of course, the "exclusive Simpsons episode" is nothing of the kind - what you actually download is a file about 150kb in size, and it looks like this:

Run the file, and you won't see a new Simpsons episode - you're actually more likely to see this:

....a strange error message that mentions "photos" (probably fake), followed by lots of real error messages as most of your desktop fails, leaving you with an entirely blank screen:

Click to Enlarge (if you really must!)

From this point onwards, the PC will likely need a reboot and will be sluggish until cleaned up, constantly throwing out error messages, crashing when attempting to open Windows Explorer etc.

Now, given that the infection links are being passed around via IM Away messages, there was always going to be the possibility of an Instant Messaging worm attack. However, a lot of testing has taken place and so far, we haven't seen any malicious messages or URLs sent via AIM or MSN Messenger.

That's no reason to get complacent though, because what we have seen taking place is possibly quite a bit worse. First of all, a number of hidden files are dropped onto the PC, including Rootkit technology (which the bad guys have helpfully pointed out in the code):

Worse, your PC is deposited into a Botnet of Turkish origin - here's the giveaway traffic stream via an Ethereal log:

....awaiting further instructions from the Botnet C&C center. This particular Botnet has been around since March of this year. The Turkish connection is interesting, because I haven't seen too many Turkish Botnets - and there's been quite a surge in hacking activity from Turkey recently (most notably the DNS attacks on Photobucket and ICAAN by NeTDevilz).

Finally, the infection drops a number of other files onto the PC besides the Rootkit, which are seemingly related to a new variant of this Chinese infection.

It's worth noting that there may only be Instant Messaging infection links sent out if the person running the Botnet Command Center decides to issue all the drones with such a command - so while we haven't seen any IM infection activity, it would be wise not to rule it out completely. We recommend infected users keep an eye on all Instant Messaging activity until they can clean the infection from their computer, just in case.

Whoever is responsible for these messages has changed them a couple of times already - last night, the download link had been updated to look like this:

...and it currently advertises a link for a dating website:

We've reported all links related to this attack, and at least two of the files claiming to be "exclusive Simpsons episodes" are currently offline, though there's bound to be more out there. For now, this is a good reminder to be cautious when randomly adding cool things seen on TV and film to your online applications - you can't always assume the person at the other end is entirely in control.

We detect this as Kimya.

Additional Research: Chris Mannon, FSL Senior Threat Researcher
Deepak Setty, FSL Senior Threat Research Engineer

Myrcurial gets placed in the Leaders Quadrant - Gartner Days 1&2

Tue, 03 Jun 2008 10:23:04 +0000

Gartner IT Security Summit - June 1-3, 2008 - Washington, DC.

Alright - call this an omnibus posting.

I had planned to do a better job of intra-day postings, but the schedule here is hectic and as anyone who knows me can attest, I really do work to get maximum value out of any conference that I go to.

Highlights here - much more detail available if anyone comments/emails me to ask.

Day 1
Opening Keynote - The next 10 years in IT Security - Rated: Good.
Keynote - Google’s Security - Rated: Excellent.
Keynote - SciFi Authors’ Future View of IT Security - Rated: Excellent.

“F” Track - Gartner Analysts/Researchers speak on the topic of “The CISO” - Rated: Mediocre to Good.
Exhibition Floor - Rated: Good.
Food - Rated: Hotel Std. Bring Pepto
Product Highlight - Alcatel-Lucent OmniAccess 3500 Nonstop Laptop Guardian It’s a way to lojack your laptops - a device that stores your crypto keys, 2nd factor auth token, acts as your 3G WWAN, GPS enabled, has an on-board Linux which acts as the “IT department’ controlled/controllable machine. Main feature - remote kill the laptop you lost.

Day 2
Keynote - Security Architecture for the Next 10 years - Rated: Excellent
“F” Track - Gartner Analysts/Researchers speak on the topic of “The CISO” - Rated: Good to Better
Exhibition Floor - Rated: I don’t want to try to get that much shwag through airport security. SRSLY.
Food - Rated: I cannot wait for my kitchen. I cannot eat this much commercial grade food and stay healthy/alive. Amazing how even the fresh fruit is labelled “Hotel Froot”. It’s like an episode of the Simpsons.

Overall Review: I’ll probably come back - the issue of credibility in ensuring that I can quote someone that the business / IT folks respect rather than just my own opinion is a good thing, however, as a prominent (ha - take that Mike) security blogger, I’m a 4-5 on the CISO-CMM — and I’m surrounded by a whole lot of zeros and ones. Gartner is a good host, they take feedback seriously and are very interested in delivering some real value to people like me.

What needs to be fixed:

You may have noted that I’m not really chuffed by the food, and you’d be damn right. What is it with the “Conference Hotel/Venue” market that gives them such perfect 2 dimensional homogeneity of image and food? Fix the food.
Reorganize the environment such that I spend less time walking back and forth down this hallway.

Wifi… oh terrifying wifi. If there was a Wall of Sheep here, you couldn’t read it - it’d be scrolling too fast. Don’t you idiots have a freakin’ VPN?
BoF Sessions would be good — there’s not a whole lot of time in the schedule just to stir around and talk to people. There should be a number of areas that allow for free form communication amongst attendees. Have Gartner Analysts in and around those areas to spur conversations.
And lastly - Washington? WTF? Flying in to the DC area is practically a strip search. Conferencing is getting harder as the airline industry squeezes - and if I’ve got to fly, I want as little friction as possible.

It’s been a blast, but I need to pay attention and watch the countdown to my airport transfer at 1600.

Tags: Gartner, Gartner IT Security Summit, Alcatel-Lucent, OmniAccess 3500, Security Conferences

Get your paws off me, you dirty ape. Of course I can talk, Im a contractor.

Sat, 22 Mar 2008 01:20:51 +0000

I felt a bit like one of the humans in Planet of the Apes (or the Simpsons’ version - Stop the Planet of the Apes, I Want to Get Off … click HERE) today when I saw the news about the breach of privacy by US State Department and/or passport office employees. They have apparently [...]