From the monthly archives:
December 2009
There will also be heroic responses to that craziness. More effective aid will help hundreds of millions to help themselves. This may be the decade where we get a handle on malaria and hunger. Genetically modified food will improve nutrition for many of those on the edge. The best education in the world will be a free click away and watched on a cell phone. The Persians and Chinese may well end the decade with more freedoms.
There are also going to be vaccines created within months of a new disease discovery, a global network that lets you talk to anyone, anytime, robots on Mars, computers in our pockets. I'm also given to understand that we'll be able to watch movies with plots in vivid 3D, and print 3D objects at home.
And there are going to be things we can't predict, which will emerge out of nowhere and blow all our minds. Maybe this will even be the decade that brings us flying cars and peace on Earth.
Whatever it brings, I'm looking forward to it.
Happy new year, and a happy new decade!
Keeping up in Information Security is a Red Queen's race. Personally, I follow hundreds of blogs through RSS, and hundreds of "securitytwits" on Twitter, just to keep up.
There were many interesting articles in 2009. I have gone through the ones that I've shared on Google Reader (an interesting walk down memory lane) and created a list of my ten favorite must-read InfoSec articles from 2009. These are articles that either changed or solidified my thinking on a particular area of InfoSec. They are listed below in no particular order:
Google likes to have fun with the holidays, and it appears that New Year’s Eve will be no exception. People who have been hitting the “I’m Feeling Lucky” button lately with a blank search have been presented with a timer counting down the seconds to New Year’s Eve. The timer is based on the PC clock.
To see what Google is planning when the clock strikes zero (as I'll be drinking champagne at midnight, not watching google.com), make a quick change to your PC time by double-clicking the clock on your PC and modifying the time to 11:59pm:
Once the timer hits zero on Google, text based fireworks and a ‘Happy New Year’ message are revealed:
Happy New Year from all of us at Praetorian Security Group, LLC.
According to predictions in this report from McAfee Avert Labs, the new threats we will face in 2010 will exploit social networking sites, drive-by downloads, Web 2.0, browser vulnerabilities (especially Adobe Flash) and mobile phone vulnerabilities; and, last but not least, we will continue (as we have since 2005) to be vulnerable to man-in-the-browser/man-in-the-middle attacks, botnets and banking trojans.
For security practitioners who still think the old security school (secure the perimeter by deploying firewalls and IDS, which I pioneered developing at ISS, and mitigate threats to the PC/desktop using AV and AS) is enough, this is the main lesson from the trenches: as threats evolve, rather quickly and with increased sophistication, the security industry also needs defenses that quickly adapt to these new threats, and it needs to build new countermeasures. Above all, the new defenses need to look at the security of data transactions and of the applications end to end (from the user to the web application). We also need to look at security from a risk mitigation perspective: keep what works (that is, what mitigates risk to an acceptable residual risk) and discard what does not. One example of a very destructive change would be to retire all the MFA (multi-factor) solutions that we (I mean mostly banks) adopted in 2006, mostly to earn a checkmark from the FFIEC, and that now just add to the TCO (Total Cost of Ownership). As Einstein said, "let's not pretend that things will change if we keep doing the same things". In essence, the cyber crisis we are moving towards as a post-information-age society is a tipping point where organizations and governments will pay a huge price for fraud and data losses.
So my wish for 2010 is that, looking back, we will see that we already reached that tipping point in 2009, and that 2010 will be the year security changes course: organizations and governments focusing on application security, building new countermeasures, using threat modeling approaches (the subject of the book I will publish in 2010) to re-engineer applications with new security controls, and choosing security solutions that adapt quickly to respond to the fast-paced, growing cyber threats of the next decade...
I'm on vacation today, so I was actually alerted to the story by a friend twittering this SC Magazine story. Vacation or not, that was worth checking into. I took a dip into the UAB Spam Data Mine looking for domain names associated with this version of the malware.
We've seen more than sixty different Subject lines used by the spam:
2010 New Year Wishes!
A Great 2010!
A Happy New Year!
A New Year e-card is waiting for you
A special card just for you
Greeting Card from Santa
Greeting for you!
Greeting you with heartiest New Year wishes.
Greetings from Santa
Happy 2010 To U!
Happy 2010!
Happy New Year 2010!
Happy New Year greetings e-card is waiting for you
Happy New Year greetings for you
Happy New Year greetings from your friend
Happy New Year To U!
Happy New Year Wish!
Happy New Year wishes just for you
Happy New Year Wishes!
Happy New Year!
Happy, Happy New Year!
Have a funfilled and blasting NewYear!
Have a Great New Year!
Have a happy and colorful New Year!
Have a Happy New Year!
Have a very Happy New Year!
I made an Ecard for U!
I sent you the ecard
l want to share Greeting with you
New Year 2010 Ecard Special Delivery
New Year 2010 greetings for you
New Year 2010!
New Year Cheers!
New Year E-card for you
New Year Ecard Notification
New Year Wishes!
Regards from Santa
Santa has sent you a digital postcard!
Santa has sent you a greeting card!
Santa has sent you a Happy New Year E-Card!
Santa has sent you a New Year E-Card!
Santa has sent you a New Year greeting card!
Santa has sent you an E-Card!
Santa has sent you an ecard!
Santa has something to show you!
Santa sent you New Year Greetings
Santa sent you a Greeting!
Santa sent you New Year Wishes!
Santa wishes you a Happy New Year
Sparkling wishes on the New Year!
Special New Year Wish for you.
Warmest Wishes For New Year!
Welcome 2010!
Wishing you a Happy New Year!
Wishing you the Best New Year!
You have a greeting card
You have a New Year Greeting!
You Have An E-card Waiting For You!
You have received a greetings card
You Received an Ecard.
You've got a Happy New Year Greeting Card!
You've got a New Year card!
You've got an E-card
Each domain can be used with any subject, and with any of the following paths:
/2010.html
/card.html
/ecard.html
/postcard.html
Domain names are prepended with random host names.
These domains are of course registered at China Springboard Inc. Each domain name links to the Waledac Tracker report by our friend Jeremy at SudoSecure in Huntsville; some of these domain names have as many as 12,000 entries in his Waledac Tracker! All of them were registered between August and November 2009, they share the same nameservers, and only three registrant e-mail addresses appear across the whole set.
Some of these domains are already published in MalwareDomainList.com, such as:
noloid.com/wcap.exe - this one is a Fake AV dropper. Here's the VirusTotal report showing 19 of 40 detects:
File size: 230994 bytes
MD5 : ab585c87652c933f82bbaddfd52ea15d
SHA1 : a142cb266ad6cd764501981f6bb194025b7c8cc8
gumentha.com/ecard.html
gumentha.com/counter.php
- this actually causes a download from biozcgicfziy.com/nte/TREST1.php
gumentha.com/in2.php
- this one causes a download from domoktov.com/bu1/
- (you'll be shocked to learn that domain is registered to someone in St. Petersburg, Russia... one Denis Sergunkin, already known to be hosting Fragus exploit kits on other domains of his, such as 1tomohappy.com and funky-soft2.com)
purgand.com/in5.php
- this one also hits domoktov.com/bu1/
aweleon.com/ghost.php
- that one ALSO hits domoktov.com. So, Denis, are you paying the Waledac gang, or ARE you the Waledac gang?
This time around the Waledac domains are hosted using Fast Flux, and they are also using Fast Flux for the Nameservers. As we've discussed before, this means that the addresses of the compromised computers are entered into the nameserver records as the host addresses for the malware domains. In other words, getting infected makes your computer spread the infection. So far we've seen more than 1500 computers being used by the malware in this way.
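The double-flux setup described above (the malware domain and its nameservers both resolving to a rotating set of infected hosts) can be spotted from resolver logs alone. The following is an added example, not code from the UAB post: it runs a simple fast-flux heuristic over a constructed resolver log, and the thresholds (distinct addresses, distinct /16 networks, maximum TTL) are tuning assumptions rather than anything Waledac-specific.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Observation:
    """One resolver answer: the name queried, the TTL returned and the A records in it."""
    name: str
    ttl: int
    addresses: tuple


def summarize(observations):
    """Aggregate repeated answers per name: distinct IPs, distinct /16s, highest TTL seen."""
    per_name = defaultdict(lambda: {"ips": set(), "prefixes": set(), "max_ttl": 0, "lookups": 0})
    for obs in observations:
        stats = per_name[obs.name]
        stats["lookups"] += 1
        stats["max_ttl"] = max(stats["max_ttl"], obs.ttl)
        for ip in obs.addresses:
            stats["ips"].add(ip)
            # /16 is a coarse stand-in for "different networks" when no ASN data is at hand.
            stats["prefixes"].add(str(ip_network(ip + "/16", strict=False)))
    return per_name


def is_fluxing(stats, min_ips=5, min_prefixes=3, max_ttl=300):
    """Fast-flux signature: many distinct addresses, spread over networks, all with short TTLs."""
    return (len(stats["ips"]) >= min_ips
            and len(stats["prefixes"]) >= min_prefixes
            and stats["max_ttl"] <= max_ttl)


def classify(domain, nameservers, observations):
    """'double-flux' if the domain and its nameservers both flux, 'single-flux' if only the domain."""
    stats = summarize(observations)
    domain_flux = domain in stats and is_fluxing(stats[domain])
    ns_flux = any(ns in stats and is_fluxing(stats[ns]) for ns in nameservers)
    if domain_flux and ns_flux:
        return "double-flux"
    if domain_flux:
        return "single-flux"
    return "stable"


# Constructed resolver log (not real data): the e-card domain and its nameserver hand out
# a different handful of RFC 1918 addresses every minute with a 60-second TTL, the way
# infected hosts rotate through the records; a normal domain answers the same way each time.
FLUX_DOMAIN = "ecard-example.test"
FLUX_NS = ("ns1.fluxns-example.test",)
SAMPLE_LOG = []
for minute in range(6):
    SAMPLE_LOG.append(Observation(FLUX_DOMAIN, 60,
                                  tuple("10.%d.%d.%d" % (minute * 3 + k, k, minute + 1) for k in range(3))))
    SAMPLE_LOG.append(Observation(FLUX_NS[0], 60,
                                  tuple("10.%d.%d.%d" % (100 + minute, k, k) for k in range(2))))
SAMPLE_LOG += [Observation("corp-example.test", 3600, ("192.0.2.10",))] * 4

if __name__ == "__main__":
    for name, ns in ((FLUX_DOMAIN, FLUX_NS), ("corp-example.test", ("ns1.corp-example.test",))):
        print(name, "->", classify(name, ns, SAMPLE_LOG))
```

On real data, feed it the A answers for both the malware domain and the hostnames in its NS records over a few hours; a single nameserver that flips addresses as fast as the domain does is the double-flux tell.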
I'll load up a Virtual Machine in a bit to evaluate the actual malware.
Facebook Zbot Still Spreading
We're also seeing an on-going fake Facebook update, which is the Zeus bot. Here are the 45 domains we've seen in the UAB Spam Data Mine so far this morning. Every one of them puts www.facebook.com in front of an unrelated registered domain, several of them under .com.pl.
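Hostnames like these are built to fool a glance: the brand is in the subdomain, and the registered domain is something else, sometimes under a two-label suffix such as .com.pl. The following added example (not code from the UAB post) extracts the registered domain with a small stand-in for the Public Suffix List, flags a protected brand that appears only in the subdomain prefix, and collects the registered domains a defender would block; the suffix table, the watchlist and the benign sample hostnames are assumptions, and two of the sample hostnames are ones the post reports.

```python
# Tiny stand-in for the Public Suffix List (assumption: just enough for this sample; use
# the real list in production). Two-label suffixes are needed so that "x.com.pl" is one
# registration rather than a subdomain of "com.pl".
PUBLIC_SUFFIXES = {"com", "net", "org", "pl", "uk", "test", "com.pl", "co.uk"}

# Brands that should only ever appear as their own registered domain (constructed watchlist).
PROTECTED_BRANDS = ("facebook.com",)


def registered_domain(hostname):
    """Return the registrable part (eTLD+1) of a hostname, or None if it cannot be determined."""
    labels = hostname.lower().rstrip(".").split(".")
    for n in (2, 1):  # longest matching suffix wins: com.pl before pl
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return None


def _has_label_run(labels, needle):
    """True if the label sequence `needle` occurs contiguously inside `labels`."""
    n = len(needle)
    return any(labels[i:i + n] == needle for i in range(len(labels) - n + 1))


def brand_in_prefix(hostname):
    """Return the protected brand hiding in the subdomain part of `hostname`, if any.

    'www.facebook.com.hyjjjh1a.com' -> 'facebook.com' (registered domain is hyjjjh1a.com)
    'www.facebook.com'              -> None          (the brand IS the registered domain)
    """
    reg = registered_domain(hostname)
    if reg is None or reg in PROTECTED_BRANDS:
        return None
    labels = hostname.lower().rstrip(".").split(".")
    prefix = labels[: len(labels) - len(reg.split("."))]
    for brand in PROTECTED_BRANDS:
        if _has_label_run(prefix, brand.split(".")):
            return brand
    return None


def suspicious_registrations(hostnames):
    """Registered domains worth blocking outright: every one carrying a brand in its prefix."""
    return sorted({registered_domain(h) for h in hostnames if brand_in_prefix(h)})


# Constructed sample: two hostnames from the post's list, plus legitimate-looking traffic.
SAMPLE_HOSTS = [
    "www.facebook.com.hyjjjh1a.com",
    "www.facebook.com.ter3awqlaq.com.pl",
    "www.facebook.com",
    "static.facebook.com",
    "mail.corp-example.com",
    "facebook.com.login-example.test",
]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print("%-40s %s" % (host, brand_in_prefix(host) or "ok"))
    print("block:", suspicious_registrations(SAMPLE_HOSTS))
```

Blocking at the registered-domain level is what makes this useful: the spammers rotate the leading label freely, but every variant shares the registration.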
Upon reading the advisory, it was no surprise that disabling JavaScript was the mitigation. Many users in my environment do not use this functionality, and it can easily be turned off via the Windows registry. The problem is that it does not remain off: when opening a JavaScript-enabled .pdf in Adobe Reader, the user is presented with a prompt to re-enable JavaScript. To date, Adobe does not provide any way to permanently disable JavaScript via the Adobe Reader preferences menu or the registry. We all know how useful warnings are for end users, right? <insert self-signed ssl certificate here> But I'll save the use of a warning as a form of mitigation for badly thought-out functionality for a later blog post.
<my rant>
So Adobe products are increasingly being targeted, and although Adobe seems to have picked up the pace with their security stance, I have often questioned whether they have enough internal resources to do anything but be reactive. Once again, a zero-day leveraging JavaScript in an Adobe product is flying around, and the patch for this vulnerability will not be available until January 12, 2010. In my opinion, this is unacceptable. Adobe seems to be struggling to put out the fires and is not being preventative by fixing their code or providing systems administrators with the tools or patches they need to properly mitigate. I can personally tell you my corporate IDS and antivirus have been lighting up like a Christmas tree ('tis the season) with attacks using this exploit.
Soon after the advisory dropped, I listened to Dennis Fisher and Ryan Naraine interview Brad Arkin on the Digital Underground podcast. Brad Arkin is currently Director of Product Security and Privacy at Adobe and has held previous positions at Symantec and @stake. Now Brad seems like an intelligent guy and I applaud him for taking on such a challenge. I became annoyed while listening to the interview, however. Ryan Naraine repeatedly queried Brad during the podcast on what I have suspected for quite some time: does Adobe have enough resources in place for dealing with the current trend of attacks targeting their products? Brad seemed to repeatedly sidestep the question. He attempted to explain the complexity of dealing with such vulnerabilities with such a large and diverse install base.
<disclaimer> While I may have no experience dealing with what Brad has stepped up to do, I do have a lot of experience mitigating vulnerabilities in the corporate environment and my opinions here are based on that experience. </disclaimer>
Now while I have no doubt that this is a challenge indeed, maybe Adobe needs to stop, glance around, and take a cue from the company that has the largest and most diverse install base I know of. That company would be Microsoft. While far from perfect, Microsoft seems to have made some significant advances with their security program over the last 5-6 years. When MS08-067 dropped in October 2008 (for those not familiar, that's the vulnerability used by the Conficker variants), Microsoft did what any responsible software vendor should do. They released an out-of-band patch! So what gives, Adobe?
I almost jumped out of my skin when Brad stated Adobe often needs to shift resources off of other security projects and research to handle an exploit such as this. So to answer Ryan’s question, I guess you do not have enough resources then? My point is if you have to shift all your resources to handle each and every fire and it still takes you a month to put out the fire, then you will never be preventative. Maybe I am being naive here but I don't believe so.
</my rant>
Ok, so with my ranting out of the way, I did state that I thought Adobe was making improvements. One such improvement is their implementation of the JavaScript Blacklist Framework mentioned during the podcast. It is still reactive, but it is at least something. Thank you to Dennis, Ryan, and Brad for bringing this to my attention. To quote Adobe's tech note located here:
“The Adobe Reader and Acrobat JavaScript Blacklist Framework introduced in versions 9.2 and 8.1.7 provides granular control over the execution of specific JavaScript APIs. This mechanism allows selective blocking of vulnerable APIs so that you do not have to resort to disabling JavaScript altogether.”
Brad admitted during the interview that this is only effective for specific vulnerabilities and it may break legitimate uses of functionality in Adobe Acrobat and Reader. He further stated Adobe has many more improvements coming during 2010. I can only hope this includes some preventative improvements to their code base and internal resources dedicated to the current target on their back.
More can be found on using the blacklist framework to mitigate the vulnerability in APSA09-07 here.
For an entertaining and informative Adobe rant (that puts mine to shame) checkout the latest post on the Sourcefire VRT Team blog, entitled Matt's Guide to Vendor Response
Happy New Years to Everyone!
Update:
More reports of sophisticated Adobe exploits have been appearing this week. Some have little to no coverage by the AntiVirus vendors. I noted the following article describing Adobe's plans to begin testing a silent Adobe updater. Someone needs to tell Adobe an updater only works if you actually provide the update and explain to them the basics of enterprise change control.
Details of the attacks can be found here and here.
Another Update:
Adobe has released patches for the Acrobat/Reader vulnerability as well as another vulnerability in Illustrator. The advisories can be found here:
http://www.adobe.com/support/security/bulletins/apsb10-02.html
http://www.adobe.com/support/security/bulletins/apsb10-01.html
I also found a great ADM template for tuning Adobe Acrobat and Reader JavaScript settings on the Praetorian Prefect Blog. Again, just note that the user will be prompted with a warning when opening a .pdf containing JavaScript.
OK, Last Update
The Sourcefire VRT team posted an excellent article this week on using the Acrobat JavaScript Blacklist Framework against commonly exploited functions within Adobe Acrobat and Reader. An example taken from their post for Adobe Acrobat 9 would be as follows:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Acrobat\9.0\FeatureLockDown\cJavaScriptPerms]
"tBlackList"="Collab.getIcon|DocMedia.newPlayer|Util.printf|Spell.customDictionaryOpen|Doc.syncAnnotScan|Doc.getAnnots"
Additionally, they provide benign Adobe Acrobat files using each of these functions to test with.
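The tBlackList value is a single pipe-separated string, so pasting the VRT entries in by hand can clobber whatever an administrator already blocked. The following is an added example, not code from Sourcefire or Adobe: it reads the current value out of a .reg export, reports which of the six APIs are still unblocked, merges them without duplicates and renders a .reg file for the policy key. The Acrobat key path and the API names are from the post; the Reader product name in the key path is an assumption, as is the constructed export it operates on.

```python
import re

# The six APIs the Sourcefire VRT post blacklists for Acrobat 9 (names taken from the post).
VRT_BLACKLIST = ["Collab.getIcon", "DocMedia.newPlayer", "Util.printf",
                 "Spell.customDictionaryOpen", "Doc.syncAnnotScan", "Doc.getAnnots"]

# The Acrobat product name is the one in the post's key; the Reader one is an assumption
# (its policy key is taken to mirror Acrobat's with the product name swapped).
PRODUCTS = {"acrobat": "Adobe Acrobat", "reader": "Acrobat Reader"}

_TBLACKLIST = re.compile(r'"tBlackList"\s*=\s*"([^"]*)"')


def key_path(product, version="9.0"):
    """Policy key that holds the JavaScript blacklist for one product/version."""
    return (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\%s\%s\FeatureLockDown\cJavaScriptPerms"
            % (PRODUCTS[product], version))


def parse_blacklist(value):
    """'a|b||c ' -> ['a', 'b', 'c']: split on the pipe, drop blanks and stray spaces."""
    return [api.strip() for api in value.split("|") if api.strip()]


def read_tblacklist(reg_text):
    """Pull the current tBlackList string out of a .reg export ('' if the value is absent)."""
    match = _TBLACKLIST.search(reg_text)
    return match.group(1) if match else ""


def missing_entries(existing, required=VRT_BLACKLIST):
    """Audit: which of the required APIs are not blocked yet (API names are case-sensitive)."""
    present = set(parse_blacklist(existing))
    return [api for api in required if api not in present]


def merge_blacklist(existing, additions):
    """Keep what the administrator already set, in order, and append only the new names."""
    merged = parse_blacklist(existing)
    for api in additions:
        if api not in merged:
            merged.append(api)
    return "|".join(merged)


def reg_export(product, value, version="9.0"):
    """Render a .reg file that sets tBlackList; regedit accepts this ANSI/CRLF form."""
    return ('Windows Registry Editor Version 5.00\r\n\r\n[%s]\r\n"tBlackList"="%s"\r\n'
            % (key_path(product, version), value))


# Constructed export of a machine where an administrator had already blocked two APIs.
EXISTING_EXPORT = (
    'Windows Registry Editor Version 5.00\r\n\r\n'
    '[' + key_path("acrobat") + ']\r\n'
    '"tBlackList"="Util.printf|Collab.getIcon"\r\n'
)

if __name__ == "__main__":
    current = read_tblacklist(EXISTING_EXPORT)
    print("not yet blocked:", missing_entries(current))
    print(reg_export("acrobat", merge_blacklist(current, VRT_BLACKLIST)))
```

Run the audit against an export from each product and version you deploy, since the value lives under a separate key per product/version and a Reader-only machine is not covered by the Acrobat key.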
Didier Stevens also pointed out during a recent interview on PaulDotCom Security Weekly that the new version of Adobe Reader and Acrobat has changed the way it warns users that JavaScript is disabled. While not quite the administrative control I had hoped for, it is a slight improvement as it renders the .pdf regardless of the action taken by the user.
January: If someone told you people will pay good money to have a third party create a botnet designed to DDoS gamers out of Xbox console sessions, you might have wondered what exactly they were talking about. However, this technique (which has remained off radar for quite some time) finally went mainstream, with every second script kiddy trying to work out how to do it via endless YouTube tutorials and "What am I doing wrong" posts on hacking forums.
Attacks on games and gamers have been a constant thread in research this year, as scammers realise there's a fair amount of money invested in gaming profiles - and those profiles can be bought and sold, just like any other stolen account. Attacks on consoles provide a bit of a headache for office network admins, who may well be jumping on the "put a net connected console in the office rec room and leave it to its own devices" bandwagon. Not a good idea...
February: Taking the idea of valued gaming accounts one step further, Erik Larkin of PC World explored the attacks on Steam account holders via phishing techniques. Steam accounts can have hundreds (or in some cases thousands) of dollars invested in them, and regular seasonal sales tend to send profits through the roof. Indeed, there's a heavy collection of "ten free games in exchange for your login" phish pages in circulation at the moment. Don't be fooled!
April: You can never be too careful with downloads, as this story readily illustrated. An instant messaging password stealer (that could disguise itself as Yahoo Messenger, Live Messenger or Skype) turned up on Download.com, a trusted source of legit downloads. Rogue elements will sadly always slip through somewhere, but full credit to CNET for removing the offending program quickly.
June: A program surfaced claiming to be a mail bombing extravaganza that would smite all of your enemies. The catch? You had to give them your own email address to use it.
We've seen many, many programs that attempt to punk out people in the hacking / cracking communities and while the majority of those files tend to stay on hacking forums some do occasionally creep outside into the daylight.
July: Oh dear. Targeting twelve-year-old kids? There's lame, and then there's this. Popular social networking / gaming site Neopets came under attack from individuals who decided to offer kids "magical paintbrushes" for their Neopet in return for running an executable file. Of course, those files would be Trojans, password stealers and various other nasties in disguise. Taking advantage of a young child's desire to obtain rare in-game items, then breaking their computer, is one of the lowest attempts at being "a hacker" we can think of.
There was also a look at Xbox Gamerscore hacking - a technique used by people who want to artificially inflate statistics related to a gaming account then sell it on.
Did we mention the Megan Fox fake sex tape yet? No? Well, here it is (an article about it, anyway). Celebrities will always be used as low hanging fruit as a means for people to infect themselves or fill in surveys and Megan is no exception where that is concerned.
August: Here we arrived at what seems to have been a phishing page linked to from a legit Facebook application URL. There was also this infection, designed to overwrite all the images on your PC with the word "Hacked". The Facebook attack was fairly inventive, though we haven't seen a repeat performance so that's good news.
September: Twilight fever. This was always going to be sucked into various scams, and sure enough, just before New Moon came out in cinemas, sites such as YouTube had videos on them promoting "online versions" of the film. Sure enough, all you got for your trouble was Zango installers and empty pages.
Can't have an end of year summary without a mention of Zango!
October: This particular file hit the streets a little while after Google Wave invites were no longer the hot topic of debate which probably helped to lessen the impact. A fake Google Wave invite generator most certainly did not generate passwords of any kind, but did seem to be a likely candidate for harvesting email passwords. Clever.
We also talked about Gamers Under Fire at SecTor 2009, a security conference held in Canada. You can take in all the conference presentations here - they're well worth checking out.
November: Ah, Facebook applications. Sometimes you get rogue ones - other times, you get scams like this where no applications exist. Someone had the idea of putting together a fake program that claimed to exploit a genuine application by revealing who-said-what about you. Of course, this was all nonsense and the program infected your PC with a horrible file of the attacker's choosing. A simple but effective attack technique.
December: We'd been writing about various fake "work from home with Google" scams all year long, and it was nice to see some of them finally being tickled with the legal stick. Long may it continue.
We wound up the year with ZBot, in the form of a fake "Your VISA account has been compromised, download this file to see what's been going on" alert.
A wide-ranging set of attacks then, and a good indication (as if any were needed) that social networks, popular culture, videogames and the lives of celebrities will be targets for Botnets, exploits, scams, get rich quick schemes and every fake program you can think of well into 2010. It will be interesting to see how many 2.0 sites maintain a robust privacy policy (if such a thing is even possible) in the face of potential earnings from ad revenue, and how easy (or difficult) those policies will make it for those who want to use that data for nefarious purposes.
So, we're back from a bit of an unscheduled break for my web server. The hosting company had a bit of a problem with disks, so my VM has been out of action for a week or so.
Luckily, my backups worked pretty well, so minimal content was lost. I'm using the rather unorthodox approach of backing up over SMTP, which seems to work pretty well for smaller files. I knocked up a Ruby class called Rbackup and just have a script running in cron nightly...
I actually had a trio of hardware failures over the festive period (2 hard disks and a graphics card), which just goes to show that checking backups (and restores!) is very important and not to be put off...