New Worm Attack on Facebook and MySpace Users


Kaspersky Lab released a warning for MySpace and Facebook users regarding two new variants of a worm, Net-Worm.Win32.Koobface.a and Net-Worm.Win32.Koobface.b respectively, that put the security of those who have accounts on the two web services at risk.

The MySpace worm creates some catchy phrases that are sent to friends' accounts. Appealing taglines, such as "You must see it!!! LOL. My friend catched you on hidden cam" or "Paris Hilton Tosses Dwarf On The Street", are used to create spam messages that, click by click, are spread all over the network.

The spam messages Kaspersky specialists discovered include links to http://youtube.[skip].pl, and those who choose to click on these links are redirected to another address, http://youtube.[skip].ru. If users want to see the video they were interested in, they are told to run an executable file that will supposedly provide them with the latest Flash Player version, which is presented as required in order to watch the media file. The file, codesetup.exe, is installed on the computer and acts as a link between Facebook and MySpace accounts: users who received the spam message on one of the two networks would actually download the worm for the other network onto their computers.

Social networks have plenty of users, and most of them are not very careful when they click on some links apparently sent by their friends. If the link they are invited to visit actually contains some hidden malware, the damage extends not only to their social network accounts, but to a wider range of Internet applications.

"Unfortunately, users are very trusting of messages left by 'friends' on social networking sites. So the likelihood of a user clicking on a link like this is very high," says Alexander Gostev, Senior Virus Analyst at Kaspersky Lab. "At the beginning of 2008 we predicted that we'd see an increase in cybercriminals exploiting MySpace, Facebook and similar sites, and we're now seeing evidence of this. I'm sure that this is simply the first step, and that virus writers will continue to target these resources with increased intensity," he further noted.

[Source: softpedia]

Text-Based Spam Revival

Spammers radically changed their methods from what they used last year. If, at the end of June 2007, 60% of spammers used images in order to make people swallow the bait, the percentage dropped to 3% at the end of June 2008. On the other hand, after conducting a global study, BitDefender researchers noticed the revival of text spam – 70% of the spamming attacks are now text-based, compared with the 20% that was recorded last year.

"Plain-text continues to be the most prolific medium for e-mail spam distribution, especially due to its simplicity, reduced size and extreme versatility," said Vlad Valceanu, head of BitDefender AntiSpam Research Lab.

The methods used to spread malware in the first six months of 2008 were reported as being, in order, downloaders, malicious advertising, bundled applications, social engineering and information websites, autorun and file infectors, email spam and peer-to-peer networks.

As expected, considering the immense number of emails with a medical subject that are received by almost anyone, the team that works in the anti-virus field said that content related to drugs is the most used, worldwide, to spread malicious software. Replica watches placed second in the top of most popular subjects to be delivered by spammers via email.

Phishing tools were also popular in the first half of 2008. Those who were especially targeted were native English speakers from the US, UK or Canada, who were tempted with counterfeit offers, mainly purporting to come from US banks and other financial institutions. Most of the messages were alarming, in order to make people react impulsively: they warned of blocked or expiring accounts, while asking for private information that was supposedly needed to enhance security.

"Spammers and phishers continued to improve their skills in replicating and forging legitimate message characteristics. However, the simple text e-mails proved their efficiency as well, rounding up the total figure of ID theft victims to 50,000 each month," added Vlad Valceanu.

[Source: softpedia]

Gary McKinnon – ‘world’s most dangerous hacker’ – to be extradited

The Guardian, out of the United Kingdom, is reporting that Gary McKinnon, the "world's most dangerous hacker", will be extradited to the United States to face criminal hacking charges. McKinnon, a 42-year-old unemployed systems administrator from north London, allegedly hacked into systems belonging to the US army, navy, air force, and Nasa in 2001. From the article:

He said he was merely searching for evidence of extraterrestrial life, but American officials labeled him the world’s most dangerous hacker and accused him of deleting important files and causing hundreds of thousands of dollars’ worth of damage.

According to prosecutors, McKinnon scanned more than 73,000 US government computers and hacked into 97 machines belonging to the US army, navy, air force and Nasa.

Not to stick up for this guy, but I am not sure that scanning 73,000 machines and hacking into 97 of them qualifies someone as the "world's most dangerous hacker". Certainly he is not harmless, but I have to believe there are a lot of hackers out there with a bigger trophy case than McKinnon's. This is not to trivialize what he has done; I just worry that the US may be over-sensationalizing this to play into their case.

The Guardian article claimed:

His lawyers have fought vigorously against the extradition, arguing that McKinnon could face up to 60 years in prison as a result of his actions, and could even be classed as an “enemy combatant” and interned at Guantánamo Bay. Instead they argued that he should face prosecution under Britain’s more lenient computer crime laws because he carried out the hacking from his bedroom in London.

McKinnon is certain to get harsh treatment here, but has he caused enough damage to warrant 60 years in prison and a trip to Gitmo? The article talked about what comes next for McKinnon and his legal team:

In a statement, McKinnon’s legal team said it would be taking the appeal to the European Court of Human Rights.

“Gary McKinnon is neither a terrorist nor a terrorist sympathizer,” the statement said. “His case could have been properly dealt with by our own prosecuting authorities. Instead, we believe that the British government declined to prosecute him to enable the US government to make an example of him.

“American officials involved in this case have stated that they want to see him ‘fry’. The consequences he faces if extradited are both disproportionate and intolerable and we will be making an immediate application to the European Court to prevent his removal.”

[Source: zdnet]

The Neosploit cybercrime group abandons its web malware exploitation kit

The end of the Neosploit web malware exploitation kit? RSA's FraudAction Research Labs' recent monitoring of ongoing communications between Neosploit team members and their potential customers indicates so. The Neosploit malware kit has been around since the middle of 2007, with prices varying between $1000 and $3000. Its main differentiation factors next to popular alternatives such as MPack and IcePack were its customer support and constant updates, including new JavaScript obfuscation routines and exploits as they were made available, its multi-user command and control interface, and its improved metrics and filtering of infected hosts.

Is this really the end of Neosploit? Could be, but it's definitely not the end of web malware exploitation kits in general:

“In mid-July, however, evidence showed that Neosploit’s successful business was running into problems. It is likely that Neosploit was finding it difficult to sustain its new customer acquisition rate, and that its existing customers were not generating enough revenue to sustain the prior rate of development. These problems appear to have been too much of a burden, and we now believe that the Neosploit development team has been forced to abandon its product. Like any responsible business, the Neosploit team is trying to be remembered as a good business that might one day return. Our sources reported that they took the time and effort to part properly with an “out of business” announcement. Or as the translation goes:

“Unfortunately, supporting our product is no longer possible. We apologize for any inconvenience, but business is business since the amount of time spent on this project does not justify itself. We tried hard to satisfy our clients’ needs during the last few months, but the support had to end at some point. We were 1.5 years with you and hope that this was a good time for your business.”

Let's discuss their business model, how other cybercriminals disintermediated it and thereby ruined it, and most importantly, how it is possible that such a popular web malware exploitation kit cannot seem to achieve a positive return on investment (ROI).

The short answer is piracy in the IT underground, together with the team's over-optimistic assumption that high profit margins can compensate for the lack of a long-term growth strategy, which for web malware exploitation kits has to do with the benefits of converging with traffic management tools. Let's discuss some key points.

You cannot pitch an open source malware kit as a proprietary one

Neosploit, just like the majority of other web malware kits, is open source, which means the customer can add new functions and exploits, taking advantage of the kit's modularity. The Neosploit Team's business model relied on the wrong assumption that charging thousands of dollars for a proprietary malware kit, positioned as an exclusive one, could result in a high-growth business. Moreover, their statement that the amount of time spent on the "product" isn't justifying itself wrongly implies that it takes a great deal of time to embed publicly available exploit code for a recent vulnerability into the kit, while in reality it doesn't.

Furthermore, the coders of crimeware kits like Zeus have tried to enforce "licensing agreements", and ironically, by doing so, they claim ownership over the crimeware kit in general. In fact, coders of malware for hire rely on the same kind of end user agreements, forbidding the customer from reverse engineering the malware they've just coded or sharing it with others. And so the Neosploit kit leaked into the wild, for script kiddies and sophisticated attackers to take advantage of; from then on no one bothered to purchase a copy of the malware kit, and users started personally embedding new exploits within it.

Localization to foreign languages is done on behalf of the customers, not the malware kit’s coders

One would logically assume that if a Russian malware coder wanted to target potential customers from China, he'd bother translating the entire command and control interface, along with the documentation of the malware kit, into the local language. In reality, though, this localization has been done mainly by users who obtained leaked copies of the malware kits and localized them into their native languages, thereby allowing easier entry into cybercrime in general. For instance, the originally Russian MPack and IcePack malware kits were localized to Chinese by Chinese hackers last year, the same localization of the FirePack malware kit to Chinese took place this May, and surprisingly, IcePack got localized to French the same month.

Web malware exploitation kits are a commodity

Namely, they are easy to obtain, and even easier to use, even by those who're not familiar with Russian. This commoditization directly ruined the business model, and among the main reasons why the Neosploit Team is stopping support for their malware kit is that they're no longer comfortable being used as the foundation for someone else's successful malware attack. However, the open source nature of the malware kits is directly resulting in an unknown number of modified malware kits using the publicly available ones as a foundation to build on and add new features to. This fact makes it somewhat irrelevant to count and keep track of which and how many exploits are included within a particular kit, since the number will only be valid for that particular copy of the kit.

Then again, when you have 637 million Google users surfing with insecure browsers and getting exploited with "last quarter's critical browser vulnerability", why bother introducing zero day vulnerabilities within your kit when outdated and already patched ones seem to achieve such a high infection success rate anyway?

Today's international script kiddies are empowered with localized versions of sophisticated web malware exploitation kits courtesy of Russian hackers, which looks like globalization in action. The Neosploit Team may be abandoning support for their malware kit, but they're certainly not abandoning the current malware campaigns they manage using it.

[Source: zdnet]

Neosploit exploit kit shutters operations?

The distributors of Neosploit, one of the more dangerous drive-by download exploit kits on the Internet, have shut down operations because of financial problems, according to malware researchers at RSA FraudAction Research Labs.

In a blog entry, the company said it found evidence that Neosploit will no longer be supported (yes, the do-it-yourself malware installation kit comes with terms of service and customer support!) and will not feature any new exploits.

Here’s a rough translation of the shutdown announcement, which was posted on a Russian Web site:

“Unfortunately, supporting our product is no longer possible. We apologize for any inconvenience, but business is business since the amount of time spent on this project does not justify itself.

We tried hard to satisfy our clients’ needs during the last few months, but the support had to end at some point. We were 1.5 years with you and hope that this was a good time for your business.

Now we will not be with you, but nevertheless we wish that your businesses will prosper for a long time! Good luck all, The Neosploit Team!”

Neosploit was notorious for being very aggressive about adding new exploits for vulnerabilities and was considered the most advanced infection kit used by online criminals. From a bad guy's perspective, it was considered reliable, scalable and efficient, even offering GUI-based features for tracking malware infections by OS, browser version or country.

According to the RSA research team, the Neosploit creators ran a successful business selling the kit to malware purveyors but things have apparently gone downhill:

In mid-July, however, evidence showed that Neosploit’s successful business was running into problems. It is likely that Neosploit was finding it difficult to sustain its new customer acquisition rate, and that its existing customers were not generating enough revenue to sustain the prior rate of development. These problems appear to have been too much of a burden, and we now believe that the Neosploit development team has been forced to abandon its product.

If this shutdown is for real, it is good news for computer security, but Neosploit is certainly not the only malware installation kit available for sale online. It competed with others like IcePack, Black Sun, Cyber Bot, MPack and Zunker.

[Source: zdnet]

Measuring malware infections in the Chinese Internet

Guest editorial by Oliver Day

In June 2008, StopBadware published a report with statistics (.pdf) based on our sample of infected website data from Google. In those statistics we noted that over half of the infections came from addresses originating in China. We've received some attention for these statistics and I'd like to delve a little further into this. This blog post should provide some insight into those numbers, provide some clarifications on common misconceptions and possibly open up new questions.

The percentage of infections claiming to be from China is not an absolute measure, and it is safe to assume that there are not only registrations originating from China claiming to be from other countries but also registrations from outside the country claiming to be Chinese. One of the general assumptions I've operated under is that the majority of the infections we see are not operated by those who profit from the infections. Those who do play in the underground economy of identity theft, botnets, etc. are the ones who will generally spend the time to fake registration data. Another assumption is that those false registrations are relatively few compared to the bulk of accurate registrations.

In the paper, the authors suggest that many of the infections are from illicit material or from webmasters who cash out their existing web traffic by inserting the iframes themselves. In either case the number of infections is measurably high, and finding out why is complicated by several factors. A staggering growth in online population, a low per capita number of IPv4 addresses, high relative IPv4 growth and a majority of users without sufficient education all add unaccounted-for variables. With this background in place we can look at some measures of the Internet in China to try and inform our discussion.

The majority of my sources are from the Chinese Internet Network Information Center (CNNIC). They have published remarkably detailed statistics and histories of the Internet in China. One factor that seems relevant is the search market in China. According to a 2007 report issued by CNNIC, a majority of Chinese users search with Baidu instead of Google.


While these two engines matched evenly in the competition for the “high end market,” their 2007 report shows a very small amount of this classification of user on the Internet. 71.5% of Chinese internet users fall outside of this range. One of the points we made in a paper I published at WEIS was that the availability of malicious links in trusted gatekeepers, such as Baidu, increases the number of infections globally. Search engines have become manipulated to a degree and links from a credible gatekeeper are leading to Drive By Downloads. The Safe Browsing program virtually quarantines sites from users of Google’s search services. While Google isn’t able to prevent anyone from literally connecting to a website by typing the URL into their location bar the warnings contained in their interstitial seem to deter a majority of users. Anecdotally we at StopBadware have heard numbers as high as 80% reductions in traffic due to the interstitial program but are still creating a system to measure the true effectiveness on web traffic.

Another factor that complicates our understanding is the way China has set up their Autonomous System (AS) names. In the US, AS names generally lead to either a hosting provider or a colocation service. In China, however, the top infected AS names are huge backbone providers. When we group our data and find that 60,000 infections are coming from a backbone provider, that doesn't give us much to go on. In some US cases involving colocation services, we were able to use rwhois services to get a better idea of who to contact; however, in China there seem to be relatively few rwhois servers on the reported networks. Part of this could be due to the ownership of backbones in China or perhaps due to explosive growth. As shown below by statistics gathered by bgpexpert, the growth of IPv4 addresses in China in the last year exceeds 60%.

[Figure: IPv4 address growth in China, statistics gathered by bgpexpert]

This post just scratches the surface for those who are interested in the Internet in China. There are still so many different questions left unanswered when it comes to infections in China and I am still learning how to derive answers. Currently I have been studying some published network maps to get an idea of the ISP landscape in China. I hope to combine this with maps I create using tools like scapy to produce some more answers to the questions I have raised.

* Oliver Day is a security researcher at StopBadware.org, a project of the Berkman Center for Internet and Society at Harvard University. He has over ten years experience in web and network security, working for companies including @stake, eEye, and Rapid7. He has presented on network security to dozens of Fortune 500 companies and educational institutions and is a staunch advocate of the disclosure process and providing shielding for security researchers. Oliver can be contacted at oday [-at-] cyber.law.harvard.edu.

[Source: zdnet]

DNS cache poisoning attacks exploited in the wild

UPDATE: Arbor Networks have provided more details in their "30 Days of DNS Attack Activity" analysis, and SANS confirmed HD Moore's statement on cache-poisoned AT&T DNS servers. Numerous independent sources are starting to see evidence of DNS cache poisoning attempts on their local networks, in what appears to be an attempt to take advantage of the "recent" DNS cache poisoning vulnerability:

"client 143.215.143.11 query (cache) 'www.ebay.com/ANY/IN' denied: 31 Time(s)
client 143.215.143.11 query (cache) 'www.facebook.com/ANY/IN' denied: 30 Time(s)
client 143.215.143.11 query (cache) 'www.gmail.com/ANY/IN' denied: 30 Time(s)
client 143.215.143.11 query (cache) 'www.google.com/ANY/IN' denied: 30 Time(s)
client 143.215.143.11 query (cache) 'www.live.com/ANY/IN' denied: 30 Time(s)
client 143.215.143.11 query (cache) 'www.microsoft.com/ANY/IN' denied: 30 Time(s)
client 143.215.143.11 query (cache) 'www.msn.com/ANY/IN' denied: 30 Time(s)
client 143.215.143.11 query (cache) 'www.myspace.com/ANY/IN' denied: 30 Time(s)"

Surprised? I'm not, since this was pretty logical given that the three publicly available exploits have been downloaded over 15,000 times in the last couple of days. What I'm actually surprised by is that it took so long to produce a working exploit, and that despite the media outbreak raising awareness of the potential for abuse, major international and local ISPs remain vulnerable. Ironically, they remain vulnerable just as they always have, even though patches for a particular vulnerability were available. Insecure and misconfigured DNS servers were, and continue to be, a realistic threat even in a Web 2.0 world.
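The log excerpt above is the kind of evidence an operator can triage mechanically: one outside client repeatedly asking the cache for popular names, every query of type ANY, every one refused. The following is an added example, not code from the original post or from any of the sources it cites. It parses summary lines in the format shown (the eight quoted lines plus one constructed benign line for 192.0.2.77, a documentation address), aggregates denied cache queries per client, and flags clients whose pattern looks like a resolver probe; the thresholds in flag_probing_clients are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict

# Matches the logwatch-style BIND summary lines quoted above, e.g.
#   client 143.215.143.11 query (cache) 'www.ebay.com/ANY/IN' denied: 31 Time(s)
# Straight and curly quotes are both accepted, since pasted logs often carry the latter.
LINE_RE = re.compile(
    r"client\s+(?P<client>[0-9a-fA-F.:]+)\s+query\s+\(cache\)\s+"
    r"['\u2018](?P<name>[^/'\u2019]+)/(?P<rtype>[A-Z0-9]+)/(?P<rclass>[A-Z]+)['\u2019]"
    r"\s+denied:\s+(?P<count>\d+)\s+Time\(s\)"
)

# Sample input: the eight lines quoted in the post, plus one constructed benign line.
SAMPLE_LOG = """\
client 143.215.143.11 query (cache) 'www.ebay.com/ANY/IN' denied: 31 Time(s)
client 143.215.143.11 query (cache) 'www.facebook.com/ANY/IN' denied: 30 Time(s)
client 143.215.143.11 query (cache) 'www.gmail.com/ANY/IN' denied: 30 Time(s)
client 143.215.143.11 query (cache) 'www.google.com/ANY/IN' denied: 30 Time(s)
client 143.215.143.11 query (cache) 'www.live.com/ANY/IN' denied: 30 Time(s)
client 143.215.143.11 query (cache) 'www.microsoft.com/ANY/IN' denied: 30 Time(s)
client 143.215.143.11 query (cache) 'www.msn.com/ANY/IN' denied: 30 Time(s)
client 143.215.143.11 query (cache) 'www.myspace.com/ANY/IN' denied: 30 Time(s)
client 192.0.2.77 query (cache) 'www.example.net/A/IN' denied: 1 Time(s)
"""


def parse_denied_queries(text):
    """Parse summary lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue
        rec = m.groupdict()
        rec["count"] = int(rec["count"])
        records.append(rec)
    return records


def summarize_by_client(records):
    """Aggregate denied cache queries per source address."""
    summary = defaultdict(lambda: {"denied": 0, "names": set(), "any_queries": 0})
    for rec in records:
        entry = summary[rec["client"]]
        entry["denied"] += rec["count"]
        entry["names"].add(rec["name"])
        if rec["rtype"] == "ANY":
            entry["any_queries"] += rec["count"]
    return dict(summary)


def flag_probing_clients(summary, min_names=5, min_denied=50):
    """Return clients that were refused many lookups across many distinct names.

    A single misconfigured host typically trips over one or two names; a client
    cycling through a list of high-value domains is worth a closer look.
    Thresholds are assumptions, not values from the post.
    """
    return sorted(
        client for client, e in summary.items()
        if len(e["names"]) >= min_names and e["denied"] >= min_denied
    )


if __name__ == "__main__":
    summary = summarize_by_client(parse_denied_queries(SAMPLE_LOG))
    for client in flag_probing_clients(summary):
        e = summary[client]
        print(f"{client}: {e['denied']} denied lookups across {len(e['names'])} names "
              f"({e['any_queries']} of them ANY queries)")
```

Note that these lines are the good outcome: the server refused the cache queries because the client was outside its allowed recursion clients. The same probe against a resolver that answers recursive queries for anyone would produce no denial at all, which is why the absence of such lines says nothing by itself; the later survey figures on open recursion are the other half of the picture.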

Take for instance a survey of DNS security conducted back in 2004, showing that:

“We next examine which names depend on nameservers with known security flaws. Of the 166771 nameservers, 27141 have known vulnerabilities. These vulnerabilities affect 185802 names. A naive expectation might be that, with ~17% vulnerable nameservers, only 17% of the names would be affected. This is patently not the case; transitive trust relationships “poison” every path that passes through an insecure nameserver. Hence 34% of DNS names can be compromised by launching well-known, scripted attacks.
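The survey's point is that a name is only as safe as every nameserver on the path to it, including the servers that serve the nameservers' own hostnames, so the share of compromisable names exceeds the share of flawed servers. The following is an added illustration of that transitive-trust calculation, not code from the survey or the post: it walks a small constructed dependency graph (hostnames and the single vulnerable server are invented for the example) and reports both fractions.

```python
# Constructed toy dependency graph: each name maps to the nameservers that serve it.
# A nameserver's own hostname must itself be resolved, so it also appears as a key;
# servers listed as serving themselves stand in for in-bailiwick glue.
DEPENDS_ON = {
    "shop.example": ["ns1.hostco.net", "ns2.hostco.net"],
    "blog.example": ["ns1.hostco.net", "dns.cheapdns.org"],
    "bank.example": ["ns.bank.example"],
    "mail.example": ["dns.cheapdns.org"],
    "ns1.hostco.net": ["a.hostco.net"],
    "ns2.hostco.net": ["a.hostco.net"],
    "a.hostco.net": ["a.hostco.net"],
    "ns.bank.example": ["ns.bank.example"],
    "dns.cheapdns.org": ["dns.cheapdns.org"],
}
TARGET_NAMES = ["shop.example", "blog.example", "bank.example", "mail.example"]
VULNERABLE = {"a.hostco.net"}  # constructed: the one server assumed to have a known flaw


def transitive_nameservers(name, depends_on):
    """Return every nameserver that resolving `name` relies on, directly or transitively."""
    result = set()
    stack = list(depends_on.get(name, []))
    while stack:
        ns = stack.pop()
        if ns in result:
            continue  # already visited; also breaks self-serving glue cycles
        result.add(ns)
        # the nameserver's hostname has to be resolved too, so follow its own servers
        stack.extend(depends_on.get(ns, []))
    return result


def all_nameservers(depends_on):
    """Every nameserver hostname that appears anywhere in the graph."""
    return {ns for servers in depends_on.values() for ns in servers}


def compromisable_names(names, depends_on, vulnerable):
    """Names whose resolution path passes through at least one vulnerable nameserver."""
    return {n for n in names if transitive_nameservers(n, depends_on) & vulnerable}


def fractions(names, depends_on, vulnerable):
    """(share of nameservers that are vulnerable, share of names that are compromisable)."""
    servers = all_nameservers(depends_on)
    bad_servers = servers & vulnerable
    bad_names = compromisable_names(names, depends_on, vulnerable)
    return len(bad_servers) / len(servers), len(bad_names) / len(names)


if __name__ == "__main__":
    server_share, name_share = fractions(TARGET_NAMES, DEPENDS_ON, VULNERABLE)
    print(f"vulnerable nameservers: {server_share:.0%}")
    print(f"compromisable names:    {name_share:.0%}")
    for n in TARGET_NAMES:
        print(n, "->", sorted(transitive_nameservers(n, DEPENDS_ON)))
```

In the toy graph one server in five is flawed, yet half of the names depend on it, because the hosting company's two public nameservers are themselves served by that one machine. The same mechanism is what turns the survey's ~17% of vulnerable servers into 34% of affected names.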

Another DNS measurement study, conducted back in 2005, showed that 84% of Internet name servers could be vulnerable to pharming attacks. Even if you're more conservative than you should be, you can easily consider that at least 50% of Internet name servers remain vulnerable three years later. Well, that seems to be the case according to last year's survey of DNS security, again conducted by Infoblox:

Still more than 50% of Internet name servers allow recursive queries, which is consistent with 2006 results. Accepting recursive queries from arbitrary addresses allows servers to be used in DNS amplification attacks that can bring down major networks, and also leaves them vulnerable to cache poisoning attacks. The percentage of name servers that allowed us to transfer zones actually increased slightly, from 29% to 31%. While this change is probably within the survey’s margin of error, it does show that this aspect of security isn’t improving. A change in the default behavior of the BIND 9 name server (like the change to the default recursion setting introduced in BIND 9.4) might help here.”

Moreover, MIT's Spoofer project, running since 2005, continues to automatically generate graphs representing the state of DNS server security across the globe, particularly their susceptibility to IP spoofing, the ABC of DNS security. Despite the hype over the recent vulnerability, DNS cache poisoning has been around for years, and it's not going away anytime soon.

Most importantly, malicious attackers don't need to take advantage of this flaw to successfully commit cybercrime, as they do on a daily basis. What hasn't been taken care of for years won't be solved in a matter of days, that's for sure. Until then, take control of the situation: check whether or not your ISP is running DNS servers susceptible to cache poisoning, approach them while also sharing your evidence online, and consider going through the possible abuse scenarios malicious attackers can take advantage of using DNS cache poisoning.

[Source: zdnet]