Atrivo/Intercage’s disconnection briefly disrupts spam levels

After years of operation, California-based ISP Atrivo/Intercage, a well-known Russian Business Network darling, faced the music and was disconnected from the Internet by its upstream provider at the end of September. What happened, according to MessageLabs’s latest intelligence report, was a brief decline in spam, because the malware-infected hosts could no longer reach the ISP’s netblock. Logically, within the next couple of days Intercage’s customers switched the hosting locations of their botnets’ command and control servers, and cybercrime activity quickly got back to normal :

“Charged with providing a safe-haven for online scammers, cyber crooks and malware distributors, California-based ISP Intercage (aka Atrivo) was disconnected from the internet on September 20. Pacific Internet Exchange, Intercage’s upstream provider, terminated the service and after a few days, UnitedLayer, another service provider, agreed to host Intercage. But on September 25, after deciding Intercage still had too many on-going problems, UnitedLayer also terminated service.

It can be seen from the chart above that the botnet controllers are quick to respond to any degradation of their service, and can re-point their bots at a new command and control channel in a matter of days. Therefore MessageLabs expects this decline in spam to be short-lived, especially in anticipation of Halloween in October and Thanksgiving in the US in November, both of which are traditionally seasonal favorites for spammers.”

What’s particularly disturbing in Intercage’s case is not just that it’s a U.S.-based ISP, which undermines the “lack of international cybercrime cooperation” excuse for not shutting it down earlier, but also that ATRIVO/Intercage’s uptime is a great example of how marginal thinking and the relatively long average time it takes to shut such providers down still keep their business in the game. How come? Over the past year, ATRIVO/Intercage has had 10 different Internet service providers, so contrary to the common wisdom that being on the run makes your job harder, it doesn’t really matter, as the average time ATRIVO remains online seems to be above the averages of its own customers :

“The following graph shows that Atrivo has had 10 different Internet providers over the past year. The number of Renesys peers selecting each provider is shown over time. Most providers didn’t stick around for long, but a few like WV Fiber (AS 19151) did hang in there for much of the year. For a couple of days recently, Atrivo had zero providers and were hence effectively out of business, but then United Layer (AS 23342) became their latest — and currently only — provider. We’ll see how long this lasts and if others step up to provide Atrivo with some redundancy. Of course, those who are convinced Atrivo is up to no good can simply block access to their IP addresses (prefixes) as they have a relatively modest allocation.”

Do bullet-proof, cybercrime-friendly providers have a future? Naturally, since simple market forces are going to keep both fronts busy for years to come. With ATRIVO/Intercage now shut down, what’s next? Lessons learnt for the bad guys, who are realizing that it’s about time they started taking advantage of basic OPSEC (operational security) processes like decentralizing their networks and extending the lifecycle of their customers’ cybercrime activities through fast-flux hosting. The bottom line: even though Intercage remains offline, the concepts of cybercrime content hosting, and the Russian Business Network as a franchise, are always going to be there.

[Source: zdnet]

Webcam hijack demo highlights clickjacking threat

[ UPDATE: The details are out. Lots of unresolved clickjacking issues ]

A security researcher in Israel has released a demo of a “clickjacking” attack, using a JavaScript game to turn every browser into a surveillance zombie.

The release of the demo follows last month’s partial disclosure of the cross-platform attack/threat, which affects all the major desktop platforms — Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash.

[ SEE: Clickjacking: Scary new cross-browser exploit]

In Guy Aharonovsky’s demo game, a Web page is set up to seamlessly hide another page in the background that’s actually managing the target’s Adobe Flash Player privacy settings manager.

Using a series of clicks bouncing around the rigged page, Aharonovsky is able to silently hijack the user’s clicks to modify the Flash privacy settings and take complete control of the installed webcam.

The wet dream of every private eye and peeping tom. Imagine this scenario: you play a short game on the web and by doing that you unknowingly grant someone full access to your webcam and microphone.

If you don’t want to try it or don’t have a webcam connected, you can see the attack in action in this YouTube video.

[ SEE: Firefox + NoScript vs Clickjacking ]

Aharonovsky’s harmless demo game is a perfect example of how clicks on one Web page can actually apply to clicks on a page that’s invisible to the end user. The webcam hijack could have been used, for example, with live streaming sites like UStream or JustinTV to create a malicious surveillance platform, he explained.

The demo was done in the form of a JavaScript game but Aharonovsky warns that a Flash, Java, SilverLight, DHTML game or application can be used to achieve the same thing.

Some of the clicks are real game clicks, others are jacked clicks. Every time a click needs to be jacked, the content simply moves behind the iframe using z-index.

I had doubts about publishing this, but if I could understand it, so can the bad guys, so it’s better to know about it.

Aviv Raff, a security researcher with expertise in browser hacking, has also built a proof-of-concept exploit using a hidden iFrame to hijack clicks to snag Twitter followers.

Raff’s demo invisibly overlays a blank page over the Twitter site and sets the “Click Me!” button on the spot where Twitter’s “Follow” icon is displayed. If the target is logged into Twitter, the click on Raff’s demo is actually executed on Twitter’s site.

The ramifications of this are truly scary and, as Google browser security guru Michal Zalewski explains, difficult to fix.

If you expand the idea behind these clickjacking demos, you can see how it could be exploited to make drive-by malware downloads easier to launch using social engineering techniques.

Until the affected vendors can come up with adequate patches/mitigations, Web surfers might want to follow Jeremiah Grossman’s advice and move to Firefox + NoScript to get some level of security.
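Both demos above work only because the target page (the Flash settings manager, Twitter) can be loaded in an iframe on a page the attacker controls. The site-side mitigation that browsers later standardized is to refuse framing via the CSP frame-ancestors directive or the X-Frame-Options header. The following audit function is an added example, not code from the article or from either researcher; it assumes a plain object of lower-cased response header names and evaluates whether a given framing origin would be allowed.

```javascript
// Added example, not code from the article: audit the anti-framing headers
// of an HTTP response, the standard mitigation for clickjacking. The attack
// works only because the target page can be loaded in an iframe on a page the
// attacker controls; CSP frame-ancestors and X-Frame-Options let the target
// site refuse such framing. Header names are assumed lower-cased by the caller.

function frameAncestors(csp) {
  // Returns the frame-ancestors source list (quotes stripped, lower-cased),
  // or null when the policy has no such directive.
  if (!csp) return null;
  for (const directive of csp.split(";")) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === "frame-ancestors") {
      return tokens.slice(1).map((t) => t.replace(/^'|'$/g, "").toLowerCase());
    }
  }
  return null;
}

function canBeFramedBy(headers, framerOrigin, pageOrigin) {
  // True when a page at pageOrigin served with these headers may be embedded
  // in an iframe hosted at framerOrigin. Browsers give CSP frame-ancestors
  // precedence over X-Frame-Options, so this check does the same.
  const [fScheme, fHost] = framerOrigin.split("//");
  const sources = frameAncestors(headers["content-security-policy"]);
  if (sources !== null) {
    for (const src of sources) {
      if (src === "*") return true;
      if (src === "self" && framerOrigin === pageOrigin) return true;
      if (src === framerOrigin || src === fHost) return true;
      // scheme-only source such as "https:" matches any origin on that scheme
      if (/^[a-z][a-z0-9+.-]*:$/.test(src) && fScheme === src) return true;
      // wildcard host such as "https://*.partner.test" matches subdomains only
      const m = src.match(/^(?:([a-z]+:)\/\/)?\*(\..+)$/);
      if (m && (!m[1] || m[1] === fScheme) && fHost.endsWith(m[2])) return true;
    }
    return false; // 'none', or no source matched the framer
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return framerOrigin === pageOrigin;
  // No header (or the obsolete ALLOW-FROM, which modern browsers ignore):
  // any page on the web may frame it, which is exactly what the demos rely on.
  return true;
}

function clickjackingProtected(headers, pageOrigin) {
  // A page is protected when an arbitrary third-party origin cannot frame it.
  return !canBeFramedBy(headers, "https://third-party.example", pageOrigin);
}
```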

[Source: zdnet]

Talkback Tuesday: Mobile Malware

Last week I wrote two posts about why I was not concerned about mobile malware right now, but expected it to become a problem in the near future. There were several responses to the two posts, including the following:

Phatkat writes:

Most crackers (hackers gone bad) are doing this for monetary gain, so like most people they want to put in the minimal amount of effort to get the maximum gain. Mobile devices are such a nice diverse group of devices that crackers haven’t found the “maximum economic benefit” in cracking at one type of mobile device.

I 100% agree with this statement, particularly when we define mobile malware as being an endemic security threat. There will always be proof-of-concept attacks against one platform or another, but the point in time where you have to worry is when real money and real time is being lost.

More importantly, there are plenty of security threats associated with mobile devices that have nothing to do with malware. Any CSO worth his salt should prioritize real, quantifiable threats over imaginary ones. Of the real threats, data leakage prevention is probably the biggest sector that comes to mind. Dealing with lost sensitive corporate data is a real security problem that requires real technology to handle. The present problems may not be as sexy as computer viruses, but they are problems that do need to be solved.

[Source: zdnet]

Dropping the iPhone NDA is good for security

Last week Apple lifted their NDA on iPhone developers, freeing them to discuss amongst themselves how to properly build applications. This decision is a “good thing” for not just applications but also application security on the iPhone.

The iPhone NDA was antithetical to how developers work. Developers learn from code snippets and design patterns. They rarely invent functions from scratch, and will look at how previous applications were built to decide how to build their current projects. This isn’t because developers are unimaginative, but because they recognize there are a million ways of doing something but only a handful are efficient, effective, and ultimately won’t cause a security event that will bite you in the rear somewhere down the road.

Over the past decade, developers and security consultants have worked to fix millions of lines of code that were created without an understanding of their possible security implications. Software vulnerabilities with names like “buffer overflow” and “double free” are the result of improper coding practices. The software development community started to produce programming guides that contained code describing the right and wrong way of handling C strings, SQL queries, and cryptography. Without this open discussion, we would still be fighting basic programming flaws in widespread binaries, a fight that largely wound down several years ago.

I don’t know if there are any programming flaw syndromes that are already present in iPhone applications. I would be surprised if there were any, given the programming language used for iPhone apps as well as their use profile. If flaws were to come up, though, having an NDA on programming techniques would make the flaws far more difficult to repair.

[Source: zdnet]

Cybercriminals syndicating Google Trends keywords to serve malware

In an underground ecosystem that is anything but old-fashioned when it comes to abusing legitimate web services, cybercriminals have started exploiting traffic momentum: by monitoring the peak traffic for popular search queries using Google Trends, they are syndicating the keywords in order to acquire that traffic and direct it to malware-serving blogs, primarily hosted on Windows Live Spaces.

According to a recent advisory issued by Webroot :

“For the first time, hackers are capitalizing on the top news stories from Google Trends Labs, which lists the day’s most frequently searched topics, which can include news of the Wall St. bail out or the presidential campaign,” said Paul Piccard, director of Threat Research, Webroot. “These highly relevant news stories and videos are being posted to the hackers’ fake blogs to increase the site’s Google search rankings.

These fraudulent blogs contain several video links about the news story for which the users were originally searching. Once a user clicks on one of the video links, they are prompted to download a video codec that downloads a rogue antispyware program designed to goad the user into purchasing an illegitimate program that may put their personal information and data at even greater risk.”

Let’s take a sample, and confirm the ongoing syndication of popular keywords in order to attract traffic to the several hundred malware serving blogs.

A random keyword “on fire” like gwen ifill wheelchair indicates that 55 minutes ago a malware-serving blog was successfully crawled and is now appearing within the first 10 results thanks to the high PageRank of Windows Live Spaces. Upon clicking the link, the user is exposed to the typical ActiveX Object Error message that attempts to trick them into installing TrojanDownloader:Win32/Zlob.AMV, which 10 out of 36 AV scanners currently detect (27.78%).

Moreover, in order to ensure that their fake blogs get crawled in the shortest time frame possible, so that they can better abuse the momentum peak of the search query, they are naturally taking advantage of pre-registered blogs on popular blogging platforms that Google crawls literally in real time. Syndicating this particular keyword in order to serve malware is not an isolated event, with several hundred currently active blogs doing exactly the same as soon as Google Trends refreshes its hourly feed.

Malware campaigns have been taking advantage of pure SEO (search engine optimization), mostly blackhat SEO techniques, throughout 2008. The difference between the ongoing campaign and previous ones is that the current approach has a higher probability of attracting generic search traffic, since it relies on the world’s most popular search engine to tip them off about what the world has been searching for during the past hour.

[Source: zdnet]

Well, I do actually worry (about mobile viruses)

In response to Kaspersky’s statement that they were concerned about mobile malware, I provided a flurry of reasons why mobile malware epidemics don’t occur today. This may not be the case in the near future, however, as changes in the handset space are making the creation of malware far more attractive.

Consumers lusting over the iPhone are driving changes in the handset space that will make the platforms far more attractive for malware authors. Over the next few years, we will see nearly every phone with high quality displays and effective browsers, running operating systems that can support third party applications. Customers will want to use these features; financial institutions, such as Bank of America, are responding by adding mobile features to their websites. Handsets that support these features are more expensive, and will end up being in use far longer, accumulating bugs along the way. And finally, the malware landscape is becoming increasingly competitive on the PC side, which will force malware authors to find fertile ground. The only piece missing is an effective monetization strategy for mobile malware (say that three times fast) that would make the labor profitable.

My thoughts about mobile malware are very similar to those about Mac malware. It isn’t a problem now, but if current trends continue it will be a problem in the future. It is not a question of if, but when, and those of us who are responsible for keeping our systems and handsets clean have to be prepared.

[Source: zdnet]

Spammers attacking Microsoft’s CAPTCHA — again

Never let a human do a malware-infected host’s CAPTCHA recognition job. On their way to abusing DomainKeys-verified server reputation in order to increase the probability of their spam emails reaching the recipients, spammers and malware authors are once again attempting to break Microsoft’s “revisited” CAPTCHA, and are able to sign up for Live Hotmail accounts with a success rate of 10% to 15%, according to an assessment published by Websense today :

“Spammers are once again targeting Microsoft’s Hotmail (Live Hotmail) services. We have discovered that spammers, in a recent aggressive move, have managed to create automated bots that can sign up for and create random Hotmail accounts, defeating Microsoft’s latest, revised CAPTCHA system. The accounts are then used to send mass-mailings.

Early this year (2008), as reported by Websense Security Labs, spammers on a worldwide basis demonstrated their adaptability by defeating a range of anti-spam services offered by security vendors, carrying out streamlined anti-CAPTCHA operations on Microsoft’s Live Mail, Google’s Gmail, Microsoft’s Live Hotmail, Google’s Blogger, and Yahoo Mail.”

A 10% to 15% recognition rate, or “one in every 8 to 10 attempts to sign up for a Live Hotmail account is successful” as stated by Websense, is a bit of a modest success rate given that the academic community has managed to achieve a 92% recognition rate in the past. But with hundreds of thousands of malware-infected hosts, it appears they are willing to allocate resources despite the modest success rate, and are actively spamming through the newly registered bogus email accounts.

Is machine-learning CAPTCHA breaking the tactic of choice, or is the recently uncovered CAPTCHA-solving economy, with its outsourcing model, cost-effective enough to undermine the machine-learning approach? With low-waged humans achieving a 100% recognition rate and processing “bogus account registration” orders, it may in fact be more cost-effective for a cybercriminal to outsource the process than to allocate their own resources and achieve a lower success rate. One thing’s for sure: CAPTCHA-based authentication has been persistently under attack from all fronts throughout 2008.

[Source: zdnet]