Thursday, August 27, 2009

How To Spot a Phony (anti-malware vendor)

What's this world coming to?

There are so many sites that pop up every day peddling what appears to be AM (anti-malware) software for your PC that it's hard to keep them straight. The sad fact is that the vast majority of them are actually malware themselves. How do you know which ones are safe, and which ones are just going to infect your computer with nastiness?

I found one such site today which, after lots of investigation I concluded is a "scare-ware" site... Scare-ware is useless software that effectively lies to you and tries to scare you into buying it to remove some monumental threats which most often aren't real. It's a fascinating business model that generates real money in the tens of thousands to hundreds of thousands (or possibly even millions) of dollars.

That being said, these people want to lure you in, and get you to give them money - so I'm going to walk you through some steps to determine if a site you've stumbled across, or been directed to, is real... or phony.

I'm working with a real scare-ware site called "AntiSpyware.com". You can either follow along or insert a site that you want to investigate yourself...

First off, you're going to want to investigate who owns the domain. While AntiSpyware.com looks very official, let's see who owns this domain. Network Solutions (www.networksolutions.com) has a landing page wherein you can type in a domain and it will retrieve the "whois" information.

Straight off I would focus your attention on the redirection to who.godaddy.com, which means that you'll have to go elsewhere for the "real" answer.

Pasting that into a browser, it becomes even more clear that this site is dodgy. Most sites that are legitimate will easily identify the owning company, contacts and such. Look up any legitimate company, or your own employer, and you'll see what I mean.


Now, let's look at the GoDaddy.com record for AntiSpyware.com. Do any alarms go off in your head?
You'll notice someone went to some pretty great lengths to mask the ownership of the domain. In fact, the site DomainsByProxy.com has an entire business model centered around this type of priavcy, allowing you to register domains through them, without having to provide your personal details on the registrant's site. That's brilliant... brilliantly evil that is.

A quick scan of the DomainsByProxy landing page immediately reveals that they have a legitimate purpose - that is to protect people's personal information from being put up on the Whois registry - which is being abused here to mask and hide obvious criminal activity.

So far we know that the site doesn't appear to be owned by any "honest" company - as far as I know when I check out TrendMicro, Kaspersky, or even Symantec their Whois records are all public - go look for yourself or follow the links.


Now, so far we've been able to determine the site is shady simply by investigating its reputation based on Whois record. This by no means should be your only step to determine the legitimacy of a site or its content... but it's a great start.

Armed with this information let's look at site linking, meaning, how well-linked is this site and where do links to this site come from? Often who links to a site is a wonderful indicator to what the site contains.

I've been using WhoLinksToMe.com for a while to determine site legitimacy, because they have a wonderful output even for the anonymous user. Check out the results for AntiSpyware.com...

What immediately attracted my attention is that the site has a very poor PageRank for a "legitimate business"... I mean, this blog you're reading on some days has a higher PR than that! A PR of 4 means that the site isn't very well linked from other legitimate sites, and that the content has not been well-received by the Googleplex :)

Look at the keywords too... the number one search term is "all in one keylogger key" ... how interesting. You'll also find that the key search terms for this site (after some digging) are ones like "antispyware, free, windows spyware remover..." Bells should be going off right about now. Now look at the BackLinks... that's where links to this site are posted on...

I recommend going to Google and simply typing "link: InsertYourDomain.tld"... here are some examples for AntiSpyware.com:
  • DNForum.com where someone claims that AntiSpyware.com was sold for 550,000EUR (link)
  • StatBrain.com link which gives you some idea of how much traffic is generated here, and why someone might pay 550,000EUR for the domain (link)
  • A link to an interesting "review" of the site/product (link)
By now you're getting the picture... Next on the list is to throw the site against "McAfee SiteAdvisor" which, as you will see, does NOT like AntiSpyware.com :) By the way, I think this is the one and only time I've ever, or will ever, plug a McAfee tool...

When all else has been checked, and you're still not sure... look at the site. Does it look "too good to be true"? If so it probably is! Additionally, look at the link structure for the site... does it try and suck you in? Are all the links pointing to "BUY THIS NOW"?

If you're still thinking that the site has a legitimate (free) product... then download it and bounce it off of a site like VirusTotal.com --> setup.exe analysis

This one, boys and girls... is obviously evil! I hope you've learned something, and can take this back and apply it the next time you see a sketchy site trying to sell you a fix for a malware problem you may not have.

Be safe!

Useful Links:

Wednesday, August 26, 2009

1984: Tech Has Turned Against Us

Wow, it's getting to where you can't even sext (WikiPedia says...) and cheat on your partner via text messages anymore.

The fact that the French Courts are now starting to allow SMS evidence of infidelity is one thing all in itself - but the fact that this information is available is an entirely different privacy issue.

It's long been known that nothing is ever permanently erased, even on your cell phone or mobile device -and digital forensics have come a long way... but things are starting to go all 1984 on us. Remember that some mobile carriers actually store text messages for an indeterminate amount of time... and even if the device itself is "unrecoverable" the carrier is likely still going to have copies of every text you've sent and received.

Let's think about this... what situations would potentially turn bad?
  • You're texting someone about a new job on the company cell phone
  • You've planning a crime over text message to be "secretive"
  • You're cheating on your significant other
  • You're participating in a plethora of other illicit (illegal) activity

Couple all this with the fact that the government (at least here in the US) can get this information sometimes without a warrant while claiming national security risk... and it starts to get pretty ugly. Throw-away, paid-in-cash, pre-pay cell phones are starting to look better and better... except that those are probably just as bugged.

In a digital age where everything travels over circuits and gets recorded and transcribed many times before it reaches the destination is it reasonable to expect privacy? Is it reasonable for me to expect my mobile carrier to not save my text messages? Does anyone have access to their carriers legal statements on this, I'd love to hear the legal-speak on the matter.

Am I paranoid or has technology turned against us? Let's see... time to find that tin-foil hat and destroy all technology before it takes over.

Saturday, August 22, 2009

EXACTLY Why Data Breaches Happen...

I'm blogging on a Saturday afternoon, because as I caught up on my Breach-a-Palooza reading this morning I came across this little gem (again)... and it got me ... upset.

This is exactly what's wrong with corporations, and why we will continue to see data breaches. People like Heartland Payment Systems CEO Robert Carr obviously ...
  • don't understand their responsibility to their customer
  • don't understand security
  • don't understand the role of compliance in overall security
  • can't accept personal blame
I know it's customary in corporate space to just deflect blame - but this type of crap is ridiculous:
..."Carr opens up about his company's data security breach. He explains how, in his opinion, PCI compliance auditors failed the company,.." (Network World, 8/12/09)
That's right folks... PCI Compliance Auditors, not Heartland's pathetic security, failed.

So the next time you smash your car into someone else while drunk as hell... the car company failed you... because it's naturally not your fault, and you should not take any responsibility. This is what we're teaching people.

Another brilliant quote...
"What have you learned in recent months regarding how exactly the burglars were able to get in? What have investigators flagged in terms of the big security holes that were exploited?
Carr: "The audits done by our QSAs (Qualified Security Assessors) were of no value whatsoever. To the extent that they were telling us we were secure beforehand, that we were PCI compliant, was a major problem. The QSAs in our shop didn't even know this was a common attack vector being used against other companies. We learned that 300 other companies had been attacked by the same malware. I thought, 'You've got to be kidding me.' That people would know the exact attack vector and not tell major players in the industry is unthinkable to me. I still can't reconcile that."
"
I think I'm going to be sick. Robert Carr, how do you sleep at night?

Wednesday, August 19, 2009

Worthwhile reads - and commentary

Over the past few weeks I've had very little time to actually sit down and research the topics I want to write about, but I've been trying to keep up on my reading of blogs, news and such. I know that as Q4 approaches and we all start to wind down for the year (unless you work with sales teams like I have the pleasure of doing) the gotta get this in projects are now in full swing and you've got very little time to sit and read. That being said, I've compiled a few articles below that I read and think you should too. Of course, where would a post from me be without my unique take on the subject via commentary!

  • "Hackers break into police computer as sting backfires"
    In short - wow. Conducting a raid and missing your target it one thing. Knowing the bad guy got away because he had previously hacked your idiotically poor security and gotten wind of your raid - yea, that's criminal.
  • "Gonzalez: The Al Capone of Cyber Thieves?"
    Leave it to a retail industry online trade-mag to add some drama to an already unbelievable story. Albert Gonzalez, whom you already should be familiar with, will now go down into the record books as almost getting away with the largest series of hacks ever. Almost. Note to Al... hey dumbass, if you're already negotiating a plea with federal agents... STOP HACKING... Oh, kudos on the "Soup Nazi" handle. More here from the AP.
  • "Radisson Hotels: Data breach affected 'limited' number of sites, guests"
    Yes, yet another hotel has been breached. Radisson's website says "At this time we do not know how many properties and/or consumers/guests were affected".... but they're quick to point out it was a limited group. Sure, limited to your customers, maybe. More on Radisson's issues here, here, and here.
  • "University College Berkeley hit by second data breach in six months..."
    How bad is the security over that at UC Berkeley? Seriously. 2 major reportable breaches in 6 months... you know it would have cost them LESS to do a line-by-line code review of all their critical sites than to keep shelling out cash for disclosure-related costs! Can I get a trifecta?

Tuesday, August 18, 2009

Twitter as a Covert Channel?

Your tweeple [your Twitter followers, for the not-in-the-Twitter-lingo-know] may be out to get you. Seriously!

Unless you've been completely living with your head in the sand (or too busy to read, like I've been) lately, you've undoubtedly seen this article in Wired Magazine titled "Hackers Use Twitter to Control Botnet". This type of communication is hardly a covert channel, as it's sitting out in the open and can be detected rather easily if one looks hard enough - the problem then becomes one of Twitter's servers reading your tweets to determine if you're a "bot" or "bot-master" or not... that poses some interesting privacy issues but in a social media platform where you're publishing your thoughts to the world... wouldn't it be OK to have some tool that reads all your tweets? ... well... actually... what about those people who protect their tweets? Personally I think it's sort of like standing on a street corner but only telling certain people to listen - isn't it going completely against the whole point of the social media micro-blogging thing? ... but I digress.

So anyway, I had this conversation with a Twitter colleague a while back much to this effect, and now of course I'm sitting here thinking... look, someone made it work! On that note - I think it's important to recognize that DigiNinja (twitter.com/digininja) has a brilliant Twitter bot (and oh, so much more) called Kreios C2, already in it's second release and is quite brilliant, you should really give it a read. So we know that a Twitter-bot is not only possible but it is actively out there... but there's more to this than meets the eye.

You ever wonder why some accounts just randomly follow you? I've dug into this, and have noticed something that may or may not be of consequence... but it's interesting nonetheless. Some of these obviously spam-laden or bot-laden accounts follow people randomly just to get follows... which will attempt to legitimize their existence, but others simply like to look for people to @ message. Think about this attack vector for a second, and think how you'd stop it.

Say you get infested with a drive-by trojan which happens to drop a bot on your machine, and communicates its presence back to the master... The Twitter control-channel is so much more practical than the old IRC channel approach simply because damn near everyone is on Twitter these days... right? I can notice something amiss in 3 seconds flat if machines inside of some corporate network begin to make connections to Efnet servers... but if 1,000 computers fire up a Twitter client... that's pretty much a Monday morning at the office. Even worse, I think DigiNinja's approach may even be sharpened by taking the spammer approach to getting your message across. Once you know which targets have been infected, and you want to send them individual messages simply send them an @message! Even if my Twitter client isn't following "@BigBotMaster" all that account has to do is simply @RafalLos or what-ever DigiNinja and the Hak5 crew end up cooking up... and you're seriously in hot water. You can't simply look at who you're following to see if you're infected (because you aren't following them!), and since Twitter's clients will alert you (i.e. show it in your feed) when someone @ messages you... this is an indefensible position if you're compromised and you have a legitimate Twitter client. This type of "reflective" C2 (Command/Control) infrastructure could be incredibly sneaky at controlling millions of Twitter hosts, or just one.

Imagine a control-structure like this:
  • RT (fake re-tweet) of any message you've actually previously sent with a "control" bit inserted in the tweet; for example "RT @RafalLos #InfoSecBlogs :|: "New Blog Post on Twitter Bots" :|: http://no.url/aidli3 AQ3
  • Suggested-reading/following: "@RafalLos - I think you would also enjoy http://no.url/EVIL_URL" with the EVIL_URL being a page where the bot would go to for instructions, updates... whatever
  • Fake Replies: "@RafalLos You should get some sleep, ping me at 1.2.3.4 later!"
The beauty of this is that only the BotMaster needs to know the accounts of compromised machines! The client doesn't have to follow anyone! Yes... there are thousands of possible approaches besides the 3 super-simple examples above... but this approach basically ensures that even if the master account is suspended another is spooled up in seconds and since it knows all the accounts it's responsible for - it simply announces itself to them! Ok, now even I'm worried.

By the way, Paul Makowski has a brilliant write-up on his research into one of these botnets - and it's worth the time it'll take you to read it, I can promise you that. Check it out on his (hopefully patched?) WordPress page... just kidding Paul. Go read: "A Closer Look at the Twitter-Controlled Botnet (Part 1)". Quality stuff, kudos for the work.

The explosion of social media formats such as the micro-blogging Twitter platform are going to continue to pose a serious threat to Information Security measures by making botnet controls so much more sneaky ... I don't envy our position as the good guys.

Monday, August 17, 2009

Red Pill... or Blue Pill... Pick One


Well, thank $deity August is coming to a close... hopefully the number of hacking incidents finally goes down now that school is kicking back into session.

Seriously though, this has been a tough couple of months hasn't it? I've lost track of the number of times a bank, retail store, or school has been victimized by some hacker for personal information - and don't even get me started on the whole Twitter/Facebook angle!

I bet by now you're curious why there is a potato chips bag scanned and pasted here for your viewing pleasure... well I'll tell you. This bag caught my attention when I was sitting eating lunch a little while ago - and I've kept it here on my desk to remind me how much of a failure most every "security campaign" is. Look at the chip bag... what's the first thing that catches your eye? The big "LIGHT" logo in the middle right? It's no wonder this particular type of chip was the one that was almost empty on the rack at the local sandwich shop... it practically screams I'm more healthy, eat me!

How the hell does this relate to info security? How does it not?! Think about it. ... time's up. The reason many of our security campaigns to save people from themselves (i.e. stop clicking on stupid links) fail is because people just don't pay attention. People don't pay attention because we don't get our message across like the Lays advertising people! We don't grab the user's attention and make them compulsively do what we want them to. Personally, I think the Lays advertising people are brilliant... maybe someone should hire them to do an InfoSecurity campaign?

Hear me out- I've been saying for years now that security isn't at a state yet where it's sufficiently user-friendly. It's just not "usable" by the general link-clicking masses. In addition to that we market it quite poorly. The best advances in Information Security are often marketed to those that already understand - but we can't seem to get the message out to the general masses and grab their attention. NoScript is brilliant, right? Sure, NoScript is still not Joe-user-friendly but it's as close as we have to something usable - and I haven't seen any mass-marketing campaign to the millions of Internet browser fans worldwide. In fact... I haven't seen any mass-marketing campaigns of late that even hinted at security. Everything is "new functionality" and "cool" and "new widget" - not even a hint of more secure.

I can't just poke you in the eye and not offer up a solution to the issue - so here goes. As I see it, we have 2 choices. We can (a) make security transparent to the user or (b) make it sexy. I just don't see an option (c) anywhere. I think it's clear that making security a bolt-on has miserably failed, and will continue to fail well into the next decade if we don't shift the paradigm of security from forced adoption to something else (either a or b) then the overall state of the user won't be any better.

The Red Pill - "Make it transparent"
To make this work, step 1 is to give up on the bolt-on approach. Next it's time to start up a grass-roots effort to push better security into our respective industries. Browsers, Operating Systems, cell phones, ATMs, parking meters... whatever - we need to make sure better security is carefully cloaked behind a veil of cool the user won't recognize. This will require a concentrated effort and an entire abandonment of the patching principle we've all clung onto so tightly. Once we re-focus our efforts it will need to become apparent that applying fix after temporary fix is not the answer and that a permanent solution is needed. I can't see many people jumping on this bus readily because it involves a very heavy effort. It also involves a forceful shift of how Information Security has fundamentally behaved. We've always been the patch it after it's been released people; and with that the users of the world have come to accept that it's OK to release crap because Info Security will figure out a way to make it acceptable later. No more.

Better security simply has to become ingrained into the fabric of everything. Security needs to be an after-thought for every one of the millions of system users. Security shouldn't even be brought up anymore by the average user... it should just be an automatic, a can't-live-without-it safeguard that lives deep in the background. No user effort must be required; in fact, no user knowledge must be required to raise the bar on security. Make users safer from themselves without letting them know... therein lies your challenge.

Choose the Red Pill and choose sneaking better security into everyone's daily life - without their knowledge.

The Blue Pill - "Make it sexy"
Your other option is to make security the bag of chips here. Make it pop, make it sexy, make it cool. Make security the thing that everyone wants to work towards. Scare them into it, hypnotize them, or just educate them better in large quantities - but do it with pizazz. I can envision it now... a SuperBowl commercial advertising the next cool gadget ... to keep you more secure. Hire the marketing geniuses behind the iPhone... and have them market security. What would that look like?

Could the InfoSec community get a supermodel to advertise NoScript? (let's assume it was more usable for the average Joe). What about Tom Brady in a commercial where he foils a would-be attacker by creating a complex password strategy for his many online IDs?

You get the idea, making security sexy is not going to be simple; but it's going to take a two-step process capped off with a marketing frenzy. "Now 50% more secure!" needs to be the label on Windows 7, or some other operating system. Can you picture it?

Choose the Blue Pill and choose to make security cool... good luck!


---
Now I know that life isn't quite as black and white as this - but the reality is these are our realistic options. You know that patch-and-pray approach hasn't worked... so why keep it up? I honestly think we have just those 2 options before us; and if we don't pick one of them to try and shift security's approach to the world of risk - we're up for another decade of pain and failure.

Tuesday, August 11, 2009

WordPress Bugs... A Disturbing Vulnerability

Understanding bugs as they hit the wire has always been somewhat of a fascination with me... so I couldn't help but dig into the new WordPress vulnerability that hit Full-Disclosure earlier today. As I started working through the new WordPress 2..8.x admin-password-reset bug... I started giving myself a headache. Given PHP's bad name for having security issues it's not really hard to pin the "It's PHP's fault" tag on a vulnerability and move on. Not this time... err... not exactly anyway.

If you don't know what I'm going on about yet, go check it out here. Discovery credit goes to Laurent Gaffie, who posted it to Full-Disclosure... WordPress worked quickly to issue a fix here... (more on this below).

It would appear as though you can cause the administrator of any WordPress 2.8.x blog serious discomfort by repeatedly resetting the password to the system-generated random string. While this may not be anything to ring the alarms for - it does get quite annoying if you would like to administer your WordPress blog remotely (which is everybody, right?).

From the disclosure, submitting a query into the server like so
http://domain_name.tld/wp-login.php?action=rp&key[]=
causes it to simply skip verification and just re-set the password... how interesting!

Under ordinary circumstances, a user clicks on "forgot my password" then the server sends a one-time URL complete with random "key" to re-set the password. The thing to remember here is that the field in the user's record remains empty (null) until a password reset is requested! The user then gets an email with a URL that looks something like this:
http://domain_name.tld/wordpress/wp-login.php?action=rp&key=RANDOM0987654321
which he or she will click on. The server will then parse the request and compare the key parameter against the key stored in that user's database record. Easy so far.

Guessing the key is probably not realistic and not worth the attack bandwidth... but if you could just reset passwords without knowing the key then that would be insanely annoying, wouldn't it? The $64k question is... why does submitting a key[] (an empty array) work?

Looking at this issue it's clear there are several things possibly at play, including a little bug that may plague more PHP apps than we give it credit for - casting. Looking at the very first relevant line:
$key = preg_replace('/[^a-z0-9]/i', '', $key);
it appears as though this looks and works just fine... as long as the input in the $key variable is a string the line goes about making sure you only have alpha-numeric values in the $key parameter... golden so far. If you happen to try and stuff an array in there (or worse, an empty array), as evidenced by the key[]= above, this all goes sideways. As you'll now end up with an array in the $key variable... which the rest of the code is clearly not expecting.

Moving on... let's look at the SQL query string that gets built...
$user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key));
Aha! If you've got an array in the $key variable, and you try to run this select statement then you end up with a very ugly array being flattened and stuffed into the %s (string)... What happens here is that WordPress will flatten the array - take the first value of the key[] which will be null and shove it into %s... and then go off and perform its database query. It ends up ooking something like this:

SELECT * FROM $wpdb->users WHERE user_activation_key = null

Since the administrator has not requested a password change, the value of $key, in the admin record will be null... thus you have a match and a password reset takes place. Makes perfect sense... Whoops.

Now presumably this hits admin every time since this is the first user typically created in the database, but I'm just speculating now since I haven't had a chance to thoroughly test this yet.

Even more interesting is the fix from the WordPress folks...
if ( empty( $key ) || is_array( $key ) )
The "patch" simply replaces the broken if empty statement and adds an is_array, which will check to see if we've accidentally left key blank or passed in an array and bomb if we have. Of course, this patches this bug but ...

Mike Bailey (@mckt_ on Twitter) and I were poking at this and wondered... why wouldn't you use "is_string" instead? Hasty coding? Why take the blacklist vs. whitelist approach?

Obviously, you have to wonder now... how many other bugs are there of this type in other PHP apps? What about other parts of WordPress? Hey... isn't there a rumor going around that Kaminsky and Matasano got taken by an undisclosed WordPress bug? Hrmm... While I agree with Mike's assessment that these types of bugs are rare, PHP certainly makes them more possible, especially when it doesn't have the opportunity to throw errors in a situation like this.

I think Mike's comment sums it up nicely though...
"It's [the source] full of WTF moments... I'm amazed anybody uses WordPress"
Indeed.

Big thanks to Mike Bailey for working through this with me... apparently caring for sleep as much (little) as I do!

Monday, August 10, 2009

Monday - TSA on My Mind

Happy Monday everyone, as I travel this week I can't help but notice some of the silly things still going on at the airports. Of course, my love for the TSA always shows through so here are some interesting things I've encountered or read involving the TSA today.

At Chicago's ORD today was the typical circus of mad people, crying babies, and TSA agents standing around signing off on your boarding pass. Nothing exciting or monumental to report here.

Now, I can't believe I of all people am writing about this... but since it's actually a bright spot in the TSA record, I thought I'd share. If you, much like me, thinks the TSA is 90% theater and 10% security then hopefully we've found the 10% ... check out this story on the TSA's success in foiling a drug dealer. Keep in mind while this actually has nothing to do with security, it does mean that someone in there paid attention during all that security training those TSA folks get...
http://www.tsa.gov/press/happenings/ice_tea_proves_acidic.shtm

Oh, and since I'm writing about interesting developments at the TSA... have you been through one of these whole-body scanners yet? I'm going to echo what Connie Schultz wrote... ew, ew, ew. I've thought about some of the non-security aspects (ie, privacy) of this type of technology and while the TSA agent guidelines around the screening process seem sound... the devil is in the enforcement, right? Man, that is a job I would not want.


Friday, August 7, 2009

Raking in the Cash - A Look at BlackHat SEO

Over the last several days I've been digging into the Black Hat SEO world... and some of the techniques that the dark side likes to employ to draw clicks and eyeballs to their sites. Whether they're serving up an online pharmacy selling Tramadol or Viagra, or performing drive-by malware installations or even pushing fake video codec malware through porn downloads... this is a big business that makes many times the money many of us make in our day-jobs.

In the final analysis... all of these techniques depend on poorly written code on the site that's being abused. Site that use injectable CMSes (via content injection such as SQLi or other techniques) are the biggest target since you can rather easily fingerprint the CMS and then google its fingerprint ... then write a quick automated script that'll crank out injections all day long. Here's one perfect example on Weblocal.ca, which appears to be using Movable Type CMS (follow this link [http:||www.weblocal.ca/user/224gxft] at your own risk, NoScript recommended).
What's interesting is that this is a user-content driven site, which has a pretty good page-rank [Ranked PR6] according to PRChecker.info. What this means is that Google's magic search engine formula is more likely to index this page and thereby bring users to a page like this... with the redirect. As you can see, the redirect goes to a Russian site (shocking that the Russians would be involved in organized exploitation like this... no, really); which if you do a little simple digging - has a huge presence in the Interwebs. Check this out, a Google of the link (http:||upop.ru_/in.cgi?7&parameter=Tramadol) brings up a mountain of sites that have been "injected" with this link. While many of these are comment-spam inserts (think X-Rumer ... from my previous post), there are plenty of instances where the injection just flat-out fails to launch... but the point remains clear -there are automated scripts out there that are hitting sites with this link.

One such injections, on UrbanMoms.ca [which has a PageRank of 4], is obviously a broken attempt to create a profile which is injected with the page-link... http:||www.urbanmoms.ca/mt/mt-cp.cgi?__mode=view&id=19962&blog_id=52)


At any rate... the problem is obvious. Poorly coded sites that allow HTML links, and other gaping holes in them are fodder for these types of injections. You have to try and rationalize the reason for this type of attack. Are people actually making money off of injecting links into random sites?

The answer is yes... on a mass scale. Per unique visitor on the Tramadol keyword, a spammer is likely to pick up over $1USD. That's per click... the PPC (pay-per-click) for this specific keyword is about $6USD/click. Of course, the source also reveals that this is one of the most difficult keywords to rank (be high up in the Google search results) for... meaning, attract people to. Think about it... a successful injection of a well-ranked, well-trusted site with a high volume of daily traffic can possibly net you well over $1MM USD/month.

The problem doesn't end there. Keep in mind that links like this sometimes also deliver payloads... trojans which drop malware in droves. The economy for this is booming.

With vulnerabilities on the web sites multiplying like bunnies in May, gullible users clicking on fake video codecs, and 0days for a fully-patched Vista/IE8 a-plenty... how does one not make buckets of cash?

Mitigating this "problem"? Let's start with writing more sensible web sites, and maybe getting Google's engine a little more intelligent - but beyond that there isn't much you can do... and that's a sad, sad statement.

Thursday, August 6, 2009

Repeat Offender: Time to Boot Adobe?

It's no doubt that over the last year or so everyone has been ripping up the Adobe folks for releasing version after version of the bloated PDF reader with more and more seemingly stupid security bugs. Now we've got yet another ridiculous vulnerability in the PDF family of products - this time dealing with Flash.

From the Sans Newswire...
Adobe Issues Critical Updates for Reader and Acrobat (August 3, 2009) Adobe has released updates for Reader and Acrobat on Windows, Mac, and Unix to address critical flaws related to Flash content. The vulnerabilities are being actively exploited. Users are encouraged to update to Adobe Reader 9.1.3 as soon as possible. Those already running Reader version 9.x can update to 9.1.3 with the automatic update function. Users who download Reader for Windows from the Adobe site should be aware that the version they receive is 9.1. If they download that version, they will still need to update to version 9.1.3. Windows and Mac users will need to download completely new versions of Adobe Acrobat.
Wait, there's a PDF Reader/Acrobat vulnerability that deals with the Flash engine? I had a hard enough time trying to force myself to understand why the JavaScript engine is so integrated into the PDF Reader/Acrobat - there is absolutely no way in hell you're going to convince me that Flash content inside a PDF doc is necessary... period.

At some point - people are just going to stop using the PDF format... I know it's convenient, functional but at some point... everyone's just going to get sick of patching and re-patching for stupid functions that shouldn't be there in the first place... am I alone? I don't think so... One of the editors, Stephen Northcutt, had this to say:
"I think organizations should avoid Adobe if possible. Adobe security appears to be out of control, and using their products seems to put your organization at risk. Try to minimize your attack surface. Limit the use of Adobe products whenever you can." --Northcutt

Whoops. I don't know about you guys and girls out there... but I'm with him. In fact, a great alternative is Foxit PDF Reader, available here - that's what I use when I had to open PDFs.

UPDATE
As Stephan Chenette so astutely pointed out to me via email (thanks by the way)... Adobe isn't the only group that can be AWI (Architecting While Intoxicated)... apparently somehow it's also now a critical feature that Microsoft's Excel be able to embed Flash! content in it... and is thus vulnerable. Whiskey. Tango. Foxtrot. Seriously... See here: http://www.sophos.com/blogs/sophoslabs//?p=5798 (head in hands)...

Tuesday, August 4, 2009

300th Post - 31337 Spotlight: "Anonymous"

At last... this blog has reached post #300.

While I've covered some truly epic topics over the past 300 posts there are always a few that stand out in my mind, and in the minds of you readers. There are those topics which get covered which, well, really make you think twice... and since I've gotten more requests for this than I can possibly respond to directly - here it is. I've managed to convince "Anonymous", the person responding to many of the recent posts on here, to respond to a few questions in the form of the 31337 spotlight. I hope you enjoy the insight... and hopefully you have plenty of questions to ask yourself - which I recommend leaving in the comments section of this post as I'm sure he/she will respond (if possible)...

In case you're wondering why I've chosen to interview a self-professed BlackHat for the milestone #300... the reasoning is simple - awareness. I think too many of us whitehats walk around thinking we've got this security problem pretty well figured out; thinking we're even remotely successful at creating a real concrete state of security. Maybe we're complacent enough to think that the hardened, patched, anti-malware-protected and firewalled systems and users we are employed to protect are actually, well, safe... we're wrong. The "Dark Side" of the force is much more cunning, and has a much larger opportunity than we give it credit for... so we need to make sure we're never complacent in our understanding of [in]security - so without further ado... let's get to it.

  • "Anonymous" - tell us something about yourself (but not too much)
I'm an IT jack of all trades, started in a family business, had my own computer when I was 18months old and progressed from there. In primary school I was building computers faster than the techs dad had hired to build them for him and was doing just as good of a job. I can remember the days of MFM and RLL hard drives and I can remember the days of HDD's having 3:1 and 2:1 interleaving. Somewhere around 2000 I started to get into programming, mainly web based and then got hooked and started getting deeper and deeper into programming. My main language is PHP but I know enough c++ to get me by when I need to use it and well as much as I hate to admit it vb6 as well.
  • What types of technologies do you focus your 'hacking' on (and why)?
I'm not so much a hacker these days as someone who will use BlackHat techniques to bend and break rules of various applications/sites/search engines and the like for monetary gain. I wont deny I had my spree of hacking in the old days but these days hacking isn't worth the effort, malware dropped on PCs is far simpler than hacking them and far easier to get a lot of victims. As you may have guessed, malware is one section of the web that has my interests at this point in time, there is a lot of money to be made from 'junk' traffic as people class it, I have a broad range of interests though as far as monetization methods go and slowly but surely I'm testing them all, malware isn't where I want to be forever -but damn there's some good money in it.
  • What your most famous/proud accomplishment over the course of your career?
...that is something that will stay under wraps for the sake of not giving out any personal information, sorry. This years target however is to take and hold rank #1 for buy viagra/buy viagra online for at least a week just for shits and giggles, come on Ruskies, I'm gonna give you a run for your money here!
  • What got you started in Information Security...
...boredom really. When I learned web programming I made all the n00b mistakes when I started out just like everyone does. Then as I progressed I realized all the potential holes in my code and started to work towards understanding how to make my own work better and in the process just kinda stumbled into finding exploits in other peoples work and having some fun messing around with a few sites. These days I keep up-to-date on it purely for the laughs I get out of the exploits that are still out there in big expensive products (the count on remote IE 0day exploits is climbing at a fun rate) and to keep my own code safe and for new security ideas for myself. I should also mention I handle system/code-base security and DDoS protection for various clients so things I find here help with that as well, the more I understand about what goes on in the security world with exploits the easier it is to knock them out of my way when people try to target me (and I will admit I manage some somewhat more targeted sites and higher traffic sites than the average admin out there)
  • Tell us something that people rarely know about you?
Don't you wish I filled this question in with juicy personal details?
  • BONUS: What was your first computer system?

I can remember the old IBM 5150 quite well, I can also remember over-clocking it past the good 'ol 4.77mhz (replacing a crystal oscillator if I remember rightly) and getting it up to a bit over 5mhz, wow the performance difference... LOL
I've also had a Toshiba T1100 laptop and an old luggable as well (errr, don't remember the brand or model of it, sorry)
FWIW, these days I run a core2quad q9650, 8gig of ram, 12 500gig HDDs with an Areca arc1230 12port raid card in hardware raid6, a lot of my work currently is based around statistical analysis and split testing datasets to work out ways to bring in more traffic with methods I'm doing, currently I'm looking into upgrading again to a dual Xeon 5500 series with at least 36gig of ram and replacing the 500gig HDDs with 2tb disks (yes I'm running out of space fast). I was hoping there would be word about the new hex core Xeon's before I did the next upgrade though but it seems as though I might just have to put up with the current 5500 series.

FOOTNOTE
I'm a BlackHat, I'm the first to admit it. I do a lot of things that break too many rules and I don't like some things that I do on a day to day basis, that doesn't mean I'll stop doing them anytime soon though. I am interested in migrating away from some of the darker areas or putting less focus on them but it takes time, data and capital to be able to progress enough away from them to either drop them completely or wind them down to a point where they no longer are a big part of the daily income stream. Do I intend to ever go back to WhiteHat? Unlikely but stepping away from malware is something that I wouldn't mind to do in time, to some extent at least. I'm looking into more methods related to PPC and CPA for monetization and automatic split testing and so on that will work just as well as malware in the future but I don't have the datasets quite yet to migrate into harder niches to push into- hence why so much of my time is now on statistical analysis. A lot of what I do these days is purely gaming the search engines, its highly profitable and a lot easier than people think. Google is still quite a bit dumber than people imagine, just watch "buy tamiflu/viagra" pages for a few weeks and you will understand the fluxing that happens and how much garbage that can get through
. Yes I'm a BlackHat and I'm proud to be one, I know many WhiteHats out there who have, after seeing how fast I can game Google and garner traffic out of it, have just drooled and wanted my secrets. But the thing is, a lot of what I do is no secret, there is no real secret sauce for everything, its just testing and trial and error and working out new ways around new restrictions that get stuck in your face. Whitehats, I'm sorry, but your methods are too limiting for my tastes, if someone hires me to do work for them and wants me to play Mr. WhiteHat I can do it and I bet I can out WhiteHat you knowing just how far I can bend the rules before it causes things to snap in the area you're working in. Plain and simple, BlackHat is testing, analyzing, automating and scaling more than anything else for me and this is what puts me ahead of the game. I am a programmer, I know statistical analysis. I do have some serious hardware and bandwidth both here at home and out there on the interwebz. This lets me scale and analyze easier; it may just be that the way my mind works. I'm more suited to go down the BlackHat path but either way thats the path I have chosen for now and intend to take until I find something otherwise more interesting to me, what that is only time will tell.

Google+