[SecurityRatty] tag: web

Web Based Malware Emphasizes on Anti-Debugging Features

Mon, 06 Oct 2008 22:42:00 +0000

Following the ongoing development of a particular web based malware, always comes handy in terms of assessing the commoditization of anti-debugging features within modern malware. With plain simple, "managed binary crypting and firewall bypassing verification" on demand in February, to August's overall anti antivirus software mentality as a key differentiation factor of the malware.

So what are they working on? Anti tracing and emulation protection, PeiD and PESniffer protection, as well as anti heuristic scanning with a simple junk data adding feature in order to maintain a smaller binary size.

Here's a translated description :

"- The binary works under admin and under normal user
- The binary is always run as the "current user"
- An unlimited number of bots can be loaded and integrated within the command and control, and with the geolocation feature, filters can be applied for a particular country
-After successful infection, the binary which is tested against popular firewall and proactive protection security ensures that the actions it takes and their order do not trigger protactive protection mechanisms in place
- binary file size is 25k, the size can be reduced once it's crypted

- Doesn't take advantage of BITS protocol
- Doesn't allow an infected host to be infected twice
- Bypassing NAT and supporting "always-on" connections
- A simple, easy to configure web based admin panel"

What if the buyer doesn't care about the quality assurance practices applied? Managed lower AV detection and firewall bypassing service comes into play.

Fake Windows XP Activation Trojan Wants Your CVV2 Code

Mon, 06 Oct 2008 15:01:01 +0000

In a self-contradicting social engineering attempt, a malware author is offering to sale a (updated version of Kardphisher) DIY fake Windows XP activation builder, which despite the fact that it claims "We will ask for your billing details, but your credit card will NOT be charged", is requesting and remotely uploading all the credit card details required for a successfully credit card theft.

Perhaps among the main reasons why such simplistic social engineering attempts never scaled in a "malicious economies of scale" approach, is because sophisticated crimeware kits capable of obtaining the very same data automatically, started leaking for everyone to start taking advantage of - including yesterday's cybercriminals using such DIY fake message builders.

Moreover, according to recently reseased survey results, end users cannot distinguish between fake popups and real ones, and on their way to continue doing what they were doing, click OK on that pesky warning message telling them that they're about to get infected with malware. Taking into consideration the fact that the popup windows the researchers used look like cheap creative compared to the average fake security software's layout high quality GUIs, it is perhaps worth restating your research questions with something in the lines of - What motivates end users to install an antivirus application going under the name of Super Antivirus 2009 or Mega Virus Cleaner 2008? The fact that the fake status bar is telling them that they're infected with 47 spyware cookies, or the fact that they ended up at the fake site while browsing their trusted web services?

The increase of rogue security software domains is happening due to the high payout affiliation based model, the standardized creative allowing the participants to come up with their own fake names if they want to, and due to the fact that the fake security threats scareware approach seems to be perfectly taking advantage of the overall suspicion on the effectiveness of their legitimate security software.

Is Google Using Chrome to Index Password Protected Web?

Mon, 06 Oct 2008 07:20:02 +0000

An interesting theory we heard recently is that Google will use Chrome to index the password protected Web. Right now the Chrome Terms of Service prevents Google from indexing private data. But when you consider that Chrome was initially presented as a browser for applications, instead of just web pages, this theory begins to make more sense.

Imperva tailors Web app firewall for midsize businesses

Sun, 05 Oct 2008 20:00:00 +0000

Imperva is introducing a scaled-down version of its Web application firewall designed for quick installation in midsize businesses.

Proxy Caches are a Challenging Threat to Internet Security

Sun, 05 Oct 2008 06:41:52 +0000

Proxy caches, combined with poorly written session management code, can easily leads to serious security flaws similar to what we highlighted in A New Security Breach in Google Docs Revealed.

Web developers have no control over proxy caches in the Internet. However, developers do have control of the code they write and their admin teams have configuration control of their web servers. Developers must assume the worst case Internet scenario with aggressive Internet cache management policies that serve cached data for economic and performance reasons.

As a consequence, this fact-of-life on the Internet sometimes results in multiple web clients being sent the same Set-Cookie HTTP headers, for example. Caching proxy servers should obtain a fresh cookie for the each new client request. Ideally, proxy caches should not cache session management cookies and distribute cached cookies to multiple clients. However, application developers cannot assume that proxy caches are well behaved, especially for applications where security and privacy are required.

Web developers cannot know whether their content is consumed directly or via a proxy cache. Developers also cannot assume that the HTTP responses will be delivered to the intended browser. Moreover, developers cannot be sure that the intended browser even receives the intended content. For example, a session ID issued to a client gets used while it is valid or until abandoned and expired. If it is served and delivered in response to an unencrypted HTTP GET request, there’s no guarantee it will be consumed by the intended web browser.

Ideally, SSL should be used on all web transactions that require confidentiality and privacy, including our recent Google Docs breach. On the other hand, even SSL is not foolproof. For example, many web developers do not correctly set the “Encrypted Sessions Only” cookie property. These incorrectly configured “secure” servers will send HTTPS cookies in the open, unencrypted.

There be dragons …

Note: Reposted from the (ISC)2 blog.

Hacking Your VoIP Box From The Net

Sat, 04 Oct 2008 13:06:04 +0000

Do you do penetration testing of your own network? Is it comprehensive enough? Read this recent blog from McAfee's Avert Labs and you may wonder. An Avert analyst, reading about vulnerabilities in the Cisco IP phone model 7960 then used Google to try to find publicly-accessible 7960 phones. He found "almost 10" (does that mean 9? awkward turn of phrase). 1 of them had the vulnerable firmware version And the vulnerability was that the phone's web interface reveals a lot of sensitive network information, so the company that holds that phone has a vulnerable network. What was revealed by the phone? "...the IP addresses of the TFTP server/router/DNS server/DHCP server/Cisco Call Manager, as well as some application links, internal device configuration, and debugging information. If there are any exploitable vulnerabilities in one of these linked servers, attackers could use this information to stage further attacks." There's always more to test for, and mistakes you in device configuration can have dire consequences.

AntiVirus XP ads on Google?

Fri, 03 Oct 2008 11:12:03 +0000

So, If I had clicked on this ad, and dnloaded this awful program and my puter was infected,,,,
Would Google be responsible?

clipped from www.2-spyware.com

Time for vengeance: AntiVirus XP distributors sued

Malware vendors hide well, however they do make mistakes. Distributors of Antivirus XP were bold enough and dumb enough to buy advertisements on Google Adwords! You get it right: someone looking for anti-virus software on Google search engine was offered Antivirus XP by official adds from Google. The scam was noticed pretty soon. Security experts all over the web guess that this mistake was the one that revealed names of AntivirusXP vendors. Victims of Antivirus XP can start celebrating as the distributors won’t get away easily.

OWASP AppSec Asia 2008: Proxy Caches and Web Application Security

Fri, 03 Oct 2008 07:05:04 +0000

Back to travelling a bit, I have accepted an invitation from Wayne Huang, Chapter Leader, OWASP Taiwan, to give the following presentation at OWASP AppSec Asia 2008, October 27 - 28, 2008, in Taipei:

Proxy Caches and Web Application Security

Abstract: Proxy caches, combined with poorly written session management code, can easily lead to serious Internet security breaches. Web application developers cannot know whether their content is consumed directly or via a proxy cache. Developers cannot assume that the HTTP responses will be delivered to the intended browser. Moreover, developers cannot be sure that the intended browser even receives the intented content. Consequently, proxy caches are a serious theat to web application security. In the presentation, we will discuss the recent security breach Tim found in Google Docs and review web application security and session management topics related to proxy caching.

Grand jury indicts two Europeans over denial-of-service attacks in 2003

Fri, 03 Oct 2008 00:00:00 +0000

A federal grand jury has indicted two European men for allegedly orchestrating denial-of-service attacks against a pair of U.S.-based Web sites in 2003.

Two Europeans charged in U.S. over DDoS attacks

Thu, 02 Oct 2008 20:00:00 +0000

Two European men have been indicted for allegedly orchestrating cyberattacks against two Web sites, a continuation of the first successful U.S. investigation ever into distributed denial-of-service attacks, according to the U.S. Department of Justice.