April 2007 Archives

No, not Mussorgsky - InfoSec Europe 2007.

http://blog.spywareguide.com/upload/2007/04/mikkoandpg-thumb.jpg

This is Mikko Hypponen of F-Secure fame and my good self.

http://blog.spywareguide.com/upload/2007/04/gamble-thumb.jpg

This is a poker game at the Webroot stand. I can play 52 card pickup but that's about it.

http://blog.spywareguide.com/upload/2007/04/corridor-thumb.jpg

This is a really boring picture of a bunch of stands. I had lots of these and this was the most exciting one. Whoops.

http://blog.spywareguide.com/upload/2007/04/hackistan2-thumb.jpg

This is me hanging out with a really tall guy from Hackistan. Um...

http://blog.spywareguide.com/upload/2007/04/work1-thumb.jpg

Slightly blurry, but a nice snap of the chaos the night before as painters, plasterers and guys with gigantic wheelie bins ran riot.

http://blog.spywareguide.com/upload/2007/04/box-thumb.jpg

More blurriness, but hey - it's someone popping out of a cardboard box for no good reason whatsoever. That alone is worth saving the image for posterity. I think.

http://blog.spywareguide.com/upload/2007/04/balloon-thumb.jpg

This poor guy struggled with these huge, uncontrollable balloon things for an age. He's probably still battling with them.

http://blog.spywareguide.com/upload/2007/04/jenga-thumb.jpg

I'm not sure if this was a really expensive art piece or Giant Jenga. Maybe it was both.

I'd like to say there were more pictures - and there are. Sadly, like so many pictures taken at these sort of events, most of them are blurry disasters. That just about wraps up this post - thanks to all that came over and said hello, I had a great (if vaguely tiring) time!

Microformat Communications

In case you aren't up on all that is Web 2.0 let me explain "Twitter".

Twitter is a social networking service that allows users to send "updates" (text-based posts, called "tweets", up to 140 characters long) via SMS, instant messaging, e-mail, the Twitter website or any application built using their services.

These updates are displayed on the user's profile page and also instantly delivered to other users who have signed up to receive them. The sender can restrict delivery to members of a circle of friends, or allow delivery to everybody, which is the standard default setting.

Users can receive updates via the Twitter website, instant messaging, SMS, RSS, or through an application. For SMS, currently two gateway numbers are available: one for the USA and a UK number for international use. While the Twitter service itself is free, posting and receiving updates via SMS typically incurs a charge from the wireless carrier - watch your SMS plan carefully! Some people have run up large bills before they realized how much message volume can pass, so if you do use Twitter, or a similar service like Jaiku, you should probably be on an "all you can eat" SMS plan.

According to many, and I agree, Twitter is one of the first iterations of the "microblogging" or "nanoblogging" formats - a form of "micro-chunking". This is because the characters are capped at a fixed number and the messages are very small. Twitter has caught on like wildfire because it is a very useful service for influence shaping, information gathering and simple communications. Services like this will change the face of the web, since they lower the bar to communicate and to express or influence opinion.

Twitter- The Cool Aspects

1) It doesn't interrupt you like Instant Messaging or VoIP- you can communicate when and where you want.

2) You can communicate from a cell phone, PDA or application; even games or "metaverses" like Second Life have Twitter Heads Up Displays.

3) Simple to use and simple to get rid of those you don't want updates from. You can keep your Twitter stream private too...meaning only "friends" can see them.

The Not So Cool Aspects of Twitter

With the good news comes some bad news. That is simply how greynets roll. I am not touching on privacy concerns, simply security concerns. They are related but different.

1) No "bullet-proof" authentication - at this time it is pretty easy to impersonate someone because of the lack of authentication. There are a number of "popular people" who are not who they say they are. I have been following a bogus "Steve Jobs" for some time now - at least I think it is a bogus Steve Jobs...I don't really know, and I have no way to make sure. Of course, this can happen with IM too, e.g. someone's account is compromised and the attacker spoofs the trusted user. This has been going on for a decade, and the usual cause is a weak password susceptible to brute force attacks.

2) Long web addresses, URLs, are wrapped in redirect or compression services like tinyURL - this by itself is not bad and is a perfectly legitimate use; remember "Tweets", as the Twitter messages are known, are capped at 140 characters, so a compression service makes sense. However, since it is a blind redirect, you don't know where you might end up. An attacker could encode a malicious site on the next hop, inject obfuscated JavaScript into the header (as we saw with the World Cup case), or someone might link to a site without knowing it has been compromised, or the site might later become compromised. It is not too hard to predict that we might see "Twishing", or phishing via Twitter.
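The "blind redirect" problem above has a simple defensive counterpart: expand the shortened link hop by hop and look at where it ends up before anyone clicks it. The script below is an added example, not code from the original post or from any shortener service. It walks a redirect chain, caps the number of hops, detects loops, and checks the final hostname against a block list. To keep it runnable offline, the network layer is a constructed lookup table of hypothetical Location headers (all hostnames are made up); in real use you would replace `SAMPLE_REDIRECTS.get` with a function that issues a HEAD request and returns the Location header without following it.

```python
"""Preview where a shortened link really goes (added example)."""
from urllib.parse import urlparse

# Constructed stand-in for HTTP Location headers: source URL -> next hop.
# None / missing key means the URL does not redirect (a final page).
SAMPLE_REDIRECTS = {
    "http://tinyurl.example/abc": "http://redirect.example/go?x=1",
    "http://redirect.example/go?x=1": "http://news.example/story.html",
    "http://tinyurl.example/loop1": "http://tinyurl.example/loop2",
    "http://tinyurl.example/loop2": "http://tinyurl.example/loop1",
    "http://tinyurl.example/bad": "http://blocked-host.example/login.html",
}

MAX_HOPS = 5  # a legitimate shortener rarely needs more than one or two


def expand(url, lookup, max_hops=MAX_HOPS):
    """Follow redirects starting at `url`.

    `lookup(url)` returns the next hop or None. Returns (hops, status)
    where status is "final", "loop" or "too_many_hops". The hop list
    always starts with the original URL and ends with the last URL seen.
    """
    hops = [url]
    seen = {url}
    for _ in range(max_hops):
        nxt = lookup(hops[-1])
        if nxt is None:
            return hops, "final"
        hops.append(nxt)
        if nxt in seen:            # we have been here before: redirect loop
            return hops, "loop"
        seen.add(nxt)
    return hops, "too_many_hops"   # gave up before reaching a final page


def assess(url, lookup, blocklist=frozenset(), max_hops=MAX_HOPS):
    """Expand `url` and return a verdict a user could act on."""
    hops, status = expand(url, lookup, max_hops)
    final_host = urlparse(hops[-1]).hostname or ""
    if status != "final":
        verdict = "suspicious"     # loops / endless chains are not normal
    elif final_host in blocklist:
        verdict = "blocked"
    else:
        verdict = "ok"
    return {"hops": hops, "status": status,
            "final_host": final_host, "verdict": verdict}


if __name__ == "__main__":
    blocked = frozenset({"blocked-host.example"})
    for link in ("http://tinyurl.example/abc",
                 "http://tinyurl.example/loop1",
                 "http://tinyurl.example/bad"):
        result = assess(link, SAMPLE_REDIRECTS.get, blocked)
        print(link, "->", " -> ".join(result["hops"]),
              "[%s / %s]" % (result["status"], result["verdict"]))
```

The important design point is that the expander never follows the redirect inside a browser: it only reads the next hop, so the user sees the full chain and the final hostname before deciding to visit it.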

3) As the service gains critical mass it will attract those who seek to exploit the service for gain, mischief or intrusion. This is unfortunate, but history teaches us this almost always happens - where there are people, there will be a few bad apples.

Thanks to the TipsDr, who tipped us off to the latest, and a much more sophisticated, attack using caller ID number spoofing. This is rather alarming, since I had expected the first real attacks to be simple malicious URLs.

For all you people who are just crazy about Twitter, a vulnerability has been posted that will allow you to post to someone else's twitter account. Since twitter uses caller id to authenticate users, it is very easy to post to someone else's account since it is so easy to spoof the caller id number. Fakemytext.com is just one example of a site that will help you do just that.

Read more about the spoof here. I do agree. SMS was never designed to be used for authentication, just as the From: address in email was never designed to be something you authenticate against.
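To make the point above concrete, here is an added example (not code from the original post, and not Twitter's actual gateway) that models an SMS posting gateway in two forms. The first trusts the sender number alone, which is the behaviour the post describes; the second uses the sender number only to pick a candidate account and then requires a per-user posting PIN in the message body, which someone forging the caller ID does not have. The user table, phone numbers, PINs and messages are all constructed sample data.

```python
"""Caller ID as an authentication factor: weak form beside a hardened form.

Added example; user table and messages are constructed sample data.
"""
import hmac

# Constructed user table: the phone number on file and a per-user posting PIN.
USERS = {
    "alice": {"phone": "+15555550100", "pin": "4271"},
    "bob":   {"phone": "+15555550101", "pin": "9083"},
}


def lookup_by_phone(sender, users=USERS):
    """Return the account registered to a phone number, or None."""
    for name, rec in users.items():
        if rec["phone"] == sender:
            return name
    return None


def post_trusting_caller_id(sender, body, users=USERS):
    """Weak gateway: the sender number alone decides whose account is updated.

    A spoofed sender field looks exactly like the genuine one here, so the
    gateway cannot tell them apart.
    """
    account = lookup_by_phone(sender, users)
    if account is None:
        return None
    return {"account": account, "text": body}


def post_requiring_pin(sender, body, users=USERS):
    """Hardened gateway: the message must begin with the account's PIN.

    Caller ID only selects the candidate account; knowledge of the PIN is
    what proves the message came from the account holder.
    """
    account = lookup_by_phone(sender, users)
    if account is None:
        return None
    pin, sep, text = body.partition(" ")
    if not sep:                      # no PIN prefix at all
        return None
    # constant-time comparison so response timing does not leak the PIN
    if not hmac.compare_digest(pin, users[account]["pin"]):
        return None
    return {"account": account, "text": text}


def simulate():
    """Run a genuine and a forged message through both gateways."""
    genuine = ("+15555550100", "4271 lunch at noon")       # Alice, with her PIN
    forged = ("+15555550100", "spam link goes here")       # sender field forged as Alice
    return {
        "weak_genuine": post_trusting_caller_id(*genuine),
        "weak_forged":  post_trusting_caller_id(*forged),
        "hard_genuine": post_requiring_pin(*genuine),
        "hard_forged":  post_requiring_pin(*forged),
    }


if __name__ == "__main__":
    for case, outcome in simulate().items():
        print(case, "->", outcome)
```

In the simulation the weak gateway happily posts the forged message to Alice's account, while the hardened gateway rejects it and accepts only the message carrying her PIN. The PIN still travels in clear text over SMS, so this only demonstrates the narrower point the post makes: a field the sender controls can select an account, but it cannot on its own prove who sent the message.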

In short, proceed with caution - just as you would with any web surfing - and never assume communications are 100% safe. Don't click on links, and until phone spoofing is resolved (if it can be), I would keep your numbers close.

Enterprises will probably want to block this emerging type of greynet for intra-company use, and remain guarded if they use it as a marketing, promotional or communications hub. This is a shame, since it is a very handy service that has the ability to transform how a company can communicate, but until there are better locks - or an enterprise intranet version - this is just the type of greynet that highly sophisticated users will bring in the door, because it is very useful, used by influential people and highly communicative, and our research shows web traffic moving from simple HTTP to highly communicative traffic.

I imagine as the technology matures and becomes more secure we will see the enterprise adopt similar mechanisms - perhaps replacing the "dark blog". No doubt customers will force the Enterprise to adopt these emerging microformats to some degree. Until then... have fun communicating, but proceed with very real caution. Ensure your I.T. policies are up to date with the high velocity field of "social media" - or simply socializing around media. It is moving at an incredible velocity and shows no signs of letting up.

This was sadly inevitable, but you can see what to avoid here, courtesy of Sophos. The file itself seems to be a commonplace Banking Trojan popular in Brazil - a variant of which was used in the Orkut Worm attack last year. I expect we'll see many more variations on this in the weeks to come - indeed, there are already fake "donation websites" popping up online so be careful what you click on...

Here's a nice find - a file that searches for a Virtual PC by means of a Registry check. If the Virtual Machine is detected, the install comes to a halt. If you're on a real computer, however, you'll find numerous files downloaded and installed onto your PC. Along with the usual Trojans, there's something called CPush:

vmdetect4.jpg

This is a Browser Helper Object related to Sogou, also from China:

http://blog.spywareguide.com/upload/2007/04/vmdetect7-thumb.jpg

There are numerous other websites mentioned in files, install logs and executables - as usual, they vary from blank pages to game websites:

http://blog.spywareguide.com/upload/2007/04/vmdetect8-thumb.jpg

Finally, some of the files make reference to a well known IRC Server used for Botnet activity - though we didn't see any live Botnet action while testing the files, there's nothing to say they couldn't install additional Bot components sometime after the initial hijack. We did find a Login page on one of the related sites, but that proves nothing - it could just as easily be an Admin Panel as a Command and Control Center:

http://blog.spywareguide.com/upload/2007/04/vmdetect6-thumb.jpg

What's interesting here is that it seems to share some similarities with this Worm. They both seem to have emerged at the same time - I'd love to know which one came first, though I'd prefer it if they hadn't emerged at all...

Research and Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: FSL Threat Research Team, WV

Wayne_Porter-Chris_Boyd_RSA2007.bmp

If you were unable to attend RSA 2007, an audio version with the slideshow is now available for a limited time. This recording covers the economic structures behind botnets and delves deeply into the "Carder Botnet" as well as the "Q8 Army Botnet", with an emphasis on the players, environment and the ever-changing "botnet" landscape.

Today, we'll see that even the simplest of hijacks can result in one seriously broken PC, and install what are apparently files related to a "non-profit" group taking orders from the Chinese Government's "Ministry of Information Industry" in the process. After observing a file in the database flagged by one of our researchers, I decided to take it for a test drive and see what happened. In theory, it should have been a straightforward search hijack. In practice, if this had been my "real" PC instead of a test box, I'd now be calling in the world's biggest platoon of priests and holy water.

Let's begin, shall we?

The product we'll be looking at is this thing. Starting off the action with the oldest file in the Database:

ssearch1.jpg

....it didn't take long before my PC started acting strangely. And by "strangely", I do of course mean, hijacked with a whole bunch of random bits and pieces of awfulness:

ssearch2.jpg

The above is what had been dumped into my System32 Folder. Not a lot to go on at this point, and things are about to get worse. Before my computer-based Apocalypse takes place though, let's have a look inside one of the files and see what's lurking:

ssearch3.jpg

...hmm. Randomly named file handed the task of calling down lots of executables? Usually not a good sign - especially as some of the files mentioned weren't actually showing up on the PC at this point. Hidden downloaders? Looks that way, doesn't it. However, before we can pursue this line of enquiry, all the tech forensics go out of the window when....

http://blog.spywareguide.com/upload/2007/04/ssearch5-thumb.jpg

...Internet Explorer pops open, complete with new Toolbar related addition! Is this a good time to see if anything has been deposited into the Program Files directory? You bet:

ssearch6.jpg

....hooray! Randomly named folders and files mixed in with the Toolbar folder and something called CNNIC. Remember this, because we'll be coming back to it. For now, we'll quickly examine the Add-ons in Internet Explorer and see how many new additions there have been. The short answer is "lots":

http://blog.spywareguide.com/upload/2007/04/ssearch7-thumb.jpg

As I'm sure you'll agree, there's a fair number of Browser Helper Objects in there! At this point, I decided to give the Toolbar a go and see if it worked or not. After entering a search for "Paperghost", this is what I got:

http://blog.spywareguide.com/upload/2007/04/ssearch9-thumb.jpg

The results returned are given via the Baidu Search Engine. However, check out the bottom right hand corner - when the Toolbar was activated, a "fake warning" appeared telling me my PC had been infected and I needed to run a scan. Coincidence? Possibly. Either way, before I could click the warning and see which wonderful rogue product was about to greet me, the whole system collapsed and died in a horrible, horrible mess.

From this point onwards, the test PC would not function unless run in Safe Mode, and even then, only for a limited amount of time before rebooting itself. After a couple of attempts, I finally managed to get into the desktop and saw some new icons had appeared in Internet Explorer:

ssearch10.jpg

The yellow money-bag thing is for the Sofa Toolbar - however, the toolbar would no longer work, and it was impossible to reinstall it. Remember CNNIC? Well, clicking the blue icon on the left takes you to....

http://blog.spywareguide.com/upload/2007/04/ssearch11-thumb.jpg

...the China Internet Network Information Center!

From Wikipedia:

China Internet Network Information Center: founded as a non-profit organization on June 3, 1997, is the administrative agency responsible for Internet affairs under the Ministry of Information Industry of the People's Republic of China.

.....uh, okay, Government related webpages appearing in a hijack....new one on me. But wait, there's more:

Software produced by CNNIC

* Official version of Chinese url software, which is Malware. It installs in the user's system secretly and compulsorily, and will be automatically re-installed after you uninstall or delete it.

I had to do a little more digging than usual to find out more information on this one, because I couldn't actually get the thing to work, but one Antispyware team alleges the CNNIC software is used to hijack search results, and "also hijacks 404 pages to a controlling web server in China". In addition, you can see complaints regarding CNNIC software here and here.

Closing down Internet Explorer, I jumped over to the System32 Folder to see if anything new had been added. The answer was a resounding "yes":

http://blog.spywareguide.com/upload/2007/04/ssearch12-thumb.jpg

No wonder the PC kept keeling over, because the System32 Folder had been completely overrun by a huge amount of files (the full list of things dumped into that folder would probably have required 3 or 4 full screenshots stitched together to give you an accurate idea of what was going on in there). A few more reboots, and eventually the fake popup from earlier on returned:

ssearch13.jpg

I was able to grab one final screenshot before the PC went into a sort of Permadeath, and we were finally able to see what rogue application had been installed:

http://blog.spywareguide.com/upload/2007/04/ssearch15-thumb.jpg

....BraveSentry! After that, the test box was officially DOA. The total time taken to install all of these components was roughly ten minutes - from a seemingly harmless executable that promised maybe a Toolbar or something at best, and a few runs of your favourite Antispyware scanner at worst. If you value your PC, your sanity and your rapidly dwindling supplies of Internet Holy Water, steer well clear of this one...

Research and Summary Write-Up: Chris Boyd, Director of Malware Research
File Discovery, Research: Chris Mannon, FSL Senior Threat Researcher

About this Archive

This page is an archive of entries from April 2007 listed from newest to oldest.
