Author (#12)June 2006 Archives

Security is always full of twists and surprises. To borrow from the spirit of Forrest Gump: "Security is like a box of hand grenades - you never know when you're gonna get a live one."

Much to the chagrin of some Yahoo Mail users, the JS/Yamanner worm played havoc through a vulnerability in the Yahoo Mail service. Now for that bizarro twist: the alleged worm writer was simply looking for a job. He concocted the worm to show off his "elite skills".


From Silicon Valley Sleuth Blog.


Subject: I have written JS/Yamanner@MM Worm

Hello
I have written JS/Yamanner@MM Worm that has been discovered 12 June 2006. I found that in Yahoo! mail and use it to execute scripts ( collecting yahoo addresses from someone mail, sending this email using Ajax technology to them and then redirecting them into a sample site).

Finally I should mention that I don't like to disturb no one. Since I live in Iran and taking a job in good computer companies is very hard (because getting a Visa is very hard from US) I just want to prove that I have some abilities in web programming. And I like to work with professional team like you if there is any way to do that.

Perhaps they should have named the worm JS/BadManners?

Bottom line: security companies don't hire digital criminals. The actions don't say much for this misguided individual. As Silicon Valley Sleuth notes, he simply could have written a proof of concept instead of steamrolling innocents via e-mail. Security ethics are cemented around integrity. Some of the finest malware fighters I know are truly great people who care not only about our technological ecosphere but simply want to make it safer.

On that note, stay tuned to this bat channel: PaperGhost has been leading a mad hunt, guns blazing, with the team into the murky depths of, let's say, the "Lords of The Underworld". That's your hint. The days get stranger...

I also promise you won't want to hire this guy either...not even to stock your grocery shelves or to mow your lawn.

Question from a Reader: "Can people hide messages in pictures? Is this for real?"

Yes, this is for real! It is not limited to pictures, although that is one of the common uses; messages can be embedded in any number of digital media types, even sound files.

This practice is called steganography, or stego for short. Steganography is the science of writing hidden messages in such a way that no one except the intended recipient knows the message exists.

Usually a steganographic message will appear to be something else: a picture, an article, a shopping list, or some other message. This is referred to as the covertext, or in the case of a digital file, the carrier.

Steganography is different from cryptography. With cryptography, encryption is the process of obscuring information to make it unreadable without special knowledge. In that case the message is not concealed, just scrambled or obscured; the fact that a message exists remains visible.

The obvious advantage of steganography over cryptography is that messages do not attract any attention. A coded message that is not hidden, no matter how strong the encryption, will arouse suspicion and may in itself be problematic. For example, in some countries encryption is illegal.

A common form of steganography is the use of JPEG files (computer images) to hide the message. Research is already underway to create systems that can detect secret files or messages hiding within digital images.


Electronic images, such as jpeg files, provide the perfect "cover" because they're very common - a single computer can contain thousands of jpeg images and they can be posted on Web sites or e-mailed anywhere. Steganographic, or stego, techniques allow users to embed a secret file, or payload, by shifting the color values just slightly to account for the "bits" of data being hidden. The payload files can be almost anything from illegal financial transactions and the proverbial off-shore account information to sleeper cell communications or child pornography.

"We're taking very simple stego techniques and trying to find statistical measures that we can use to distinguish an innocent image from one that has hidden data," said Clifford Bergman, ISU math professor and researcher on the project. "One of the reasons we're focusing on images is there's lots of 'room' within a digital image to hide data. You can fiddle with them quite a bit and visually a person can't see the difference."

"At the simplest level, consider a black and white photo - each pixel has a grayscale value between zero (black) and 255 (white)," said Jennifer Davidson, ISU math professor and the other investigator on the project. "So the data file for that photo is one long string of those grayscale numbers that represent each pixel."

You can read more on the Ames Laboratory research here.
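To make the "shift the values just slightly" idea and the "statistical measures" idea concrete, here is an added example (not code from the original post or from the ISU project). It embeds a payload in the least significant bit of each grayscale pixel of a constructed 32x32 image, extracts it again, and then scores both the clean and the stego image with a simple pairs-of-values chi-square statistic of the kind stego detectors use: in a natural image the histogram counts of neighbouring values 2k and 2k+1 differ, but LSB embedding pushes each such pair toward equal counts, so a low score is a warning sign. The cover image, payload, size and function names are all assumptions of this example.

```python
"""LSB steganography on a grayscale pixel array plus a pairs-of-values
chi-square detector. Added example; the image, payload and names are
constructed for illustration, not taken from the original post."""
from typing import Dict, List

WIDTH, HEIGHT = 32, 32  # constructed toy image size (1024 pixels)

# Constructed payload: 128 bytes, exactly one bit per pixel of the toy image.
PAYLOAD = (b"constructed test payload for the LSB demo " * 4)[:128]


def make_cover() -> List[int]:
    """Constructed 'photo': a smooth diagonal gradient quantised to multiples
    of 4, so its LSB plane is structured (never 1), as in a heavily
    processed image. Each entry is a grayscale value 0..255."""
    return [((x * 5 + y * 3) % 256) & ~0x03
            for y in range(HEIGHT) for x in range(WIDTH)]


def embed(cover: List[int], payload: bytes) -> List[int]:
    """Return a copy of cover whose i-th pixel carries payload bit i in its LSB.
    Each pixel changes by at most 1, invisible to the eye."""
    bits = [(b >> (7 - i)) & 1 for b in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("payload does not fit in the carrier")
    stego = list(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return stego


def extract(stego: List[int], n_bytes: int) -> bytes:
    """Recover n_bytes from the LSBs of the first n_bytes*8 pixels."""
    out = bytearray()
    for k in range(n_bytes):
        byte = 0
        for i in range(8):
            byte = (byte << 1) | (stego[k * 8 + i] & 1)
        out.append(byte)
    return bytes(out)


def pov_chi_square(pixels: List[int]) -> float:
    """Pairs-of-values chi-square statistic. For every pair (2k, 2k+1) the
    expected count under 'LSBs are random' is the pair average; a clean
    image deviates strongly from that, a fully LSB-embedded one barely."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    chi = 0.0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        total = even + odd
        if total == 0:
            continue  # pair absent from the image, contributes nothing
        expected = total / 2
        chi += (even - expected) ** 2 / expected
    return chi


def run_demo() -> Dict[str, object]:
    """Round-trip the payload and score cover vs. stego image."""
    cover = make_cover()
    stego = embed(cover, PAYLOAD)
    return {
        "roundtrip_ok": extract(stego, len(PAYLOAD)) == PAYLOAD,
        "cover_score": pov_chi_square(cover),
        "stego_score": pov_chi_square(stego),
    }


if __name__ == "__main__":
    result = run_demo()
    print("payload recovered:", result["roundtrip_ok"])
    print("chi-square, clean image:", result["cover_score"])
    print("chi-square, stego image:", result["stego_score"])
```

On the constructed cover every value is a multiple of 4, so each (2k, 2k+1) pair is entirely lopsided and the clean score comes out at exactly half the pixel count; after embedding, the stego score drops by an order of magnitude. Real detectors apply the same statistic to sliding windows of a photo and to JPEG coefficients rather than raw pixels, and attackers can reduce the signal by embedding sparsely, which is why the ISU work looks for better measures than this one.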

Curious users can also try stego software, but use it at your own risk. You should be sure it is legal to use in your country; in some countries this type of software is illegal and carries stiff penalties for use.

Dound's Steganography Freeware. This software allows users to encode and decode messages of their choice with a keyword. The message is coded into a picture, which can be sent via e-mail, uploaded, and so on, and then decoded by the recipient with the keyword that it was encoded with. It's easy to use and you can't tell the difference between the original and the encoded pictures. It comes with a test picture, too.

Steganography Trialware. This application enables you to use digital data hiding techniques to hide as well as encrypt files within other files such as picture or sound files. This allows you to encrypt sensitive information, while at the same time hiding it in a file that will not look suspicious, so nobody even knows that there is encrypted information.

Steganos Security Suite: Trialware, $69 to buy. Offers a complete encryption software package, which provides protection for users of PCs and laptops. The software features 256-bit AES encryption of an unlimited amount of data; e-mail encryption; the ability to use USB sticks as rewriteable mobile safes; the potential to track down a lost or stolen laptop; track shredding; a password manager; password quality control; a file shredder; and steganographic capabilities.

Internet security... sometimes it isn't all dry analysis and wading through rogue code and links. Sometimes the stories get strange.

First we thought the YapBrowser was dead and buried. After it was exposed for serving up UA porn by a number of security experts, 180Solutions (now Zango after the Hotbar merger) stopped sponsoring the product. A product, I might add, that should never have gotten through any good quality assurance department in the first place.

Then I conducted an e-mail interview with "John Sandy" to try to get to the bottom of the fiasco. The answers were evasive and to date no one seems willing to take responsibility for the situation; it has all been pass the buck. Then, mysteriously and quietly, the YapBrowser came back online promising an adult browser that, in their own words: "There is a 100% guarantee no system infection will occur when using our software. YapBrowser is the only browser which gives you safe search and browsing capabilities." We find that promise hard to believe.

We thought that might be the end of it, but now a mini-soap opera is playing out as the people behind the project have launched a discussion forum. What is intriguing about this forum is that a number of the user names are the same as, or similar to, those of well known security professionals and analysts and of people in stories we have covered before. They have registered as users and are actively carrying on conversations. Some examples include:

Chris Boyd, our own PaperGhost, a well known and accomplished malware researcher who went back and forth with the YapBrowser crew across a number of blogs, including his own at VitalSecurity.org. It is notable that the real Chris Boyd did not sign up at the forum. (He has now, as Paper-Ghost, to monitor the events.)

Susie, who we assume could be an impersonation of Suzi Turner, the well known anti-malware activist who runs SpywareWarrior.com and blogs at ZDNet's Spyware Confidential, who covered the story and had harsh words for the Yap people. In the forum she states her favorite blogs are "Sunbelt Software", run by Alex Eckelberry, who was also instrumental in the crackdown on YapBrowser, our own Greynets Blog, and a large business blog I contribute to at Revenews (neutral ground where the first interview took place). Susie goes on to make some jabs at VitalSecurity and the Washington Post's Security Fix blog, written by Brian Krebs. It is notable that the real Suzi does consult for Sunbelt Software, and she doesn't speak Russian either. Then again, maybe it isn't *that* Suzi, just a vague "coincidence".

RinCe, an individual who assisted our team with a tip-off while we were investigating a rogue botnet involved in a massive credit card theft scheme, whose owners later wound up in serious legal hot water after the story broke. RinCe doesn't speak Russian to our knowledge. (More on that story later.)

Ozzy, who we assume could be the top gun hacker buster of BlueMicro. We really don't know if it is actually Ozzy having a go at them or an Ozzy impersonator, but given the circumstances we simply have to wonder. You see how confusing it all gets.

To top it off, they link to my interview with the alleged "John Sandy" as if the interview vindicates their activities. Folks, it doesn't. My role was merely to facilitate the conversation and work with the translators to try to get some answers as to how a situation could go so horribly wrong.

So why this apparently complex game of charades? We really don't know. That is what we mean by the story getting stranger and stranger. We will continue to monitor, but that won't distract us from the really interesting stories on the horizon. Stay tuned for more mayhem from the digital trenches.

ADDENDUM: Within a few minutes of posting this entry, the Chris Boyd page at Wikipedia was defaced. Fortunately, Wikipedia records the IP address of anonymous editors who deface the popular wiki.

Yesterday we reported on speculation of a marriage between Hotbar and 180Solutions. Today it was announced that 180Solutions has merged with Hotbar. The new name for the company will be Zango, and it would probably be correct to assume they are now the largest adware maker on the Internet.

According to the Seattle Times:


Bellevue-based 180solutions, which makes software commonly known as adware, has acquired Hotbar of New York for an undisclosed amount of money. As part of the announcement, 180solutions will be renamed after its consumer brand: Zango.

Adware is an application that users download to their computer to get free content. The application monitors what they are doing online to deliver relevant advertising. In the past, Zango and other companies have been lumped together with spyware, which works similarly, but is typically installed on a computer without permission.

For several weeks speculation has been moving fast and furious inside security research circles that "adware" maker 180Solutions Inc. has been courting Hotbar, another company that traffics in adware. Naturally this deal would catch the eyes and probing minds of security researchers, given 180Solutions' checkered past and Hotbar's own fair share of controversy, most notably when Symantec sued Hotbar for the right to classify Hotbar's products as adware. (The suit was settled out of court.)

Now there are articles hitting the mainstream press covering the proposed deal, and we can point readers to a rough translation of an article that Google News snagged out of Israel: "Hotbar in talks for sale to 180Solutions" at Globes.co.il.

The article says:


Israeli dot.com company Hotbar Inc. is negotiating its sale at a company value of $52 million. The probable buyer is Internet company 180Solutions Inc. Sources inform ''Globes'' that Hotbar is also negotiating with other companies, including ICQ. Hotbar develops software that sits on the browser, enabling users to change their toolbar to include links to services the company offers. Founded in 1999 by CEO Oren Dobronsky and president Gabriella Karni, the company has raised $15 million to date. Its last financing round was held in 2001. Investors include Eurofund, Tamar Technology Ventures, Technorov Holdings, CE Unterberg Towbin, and Deutsche Bank subsidiary ABS Ventures. According to IVC Online, the company had $35 million in sales in 2004.

180Solutions develops software solutions for on-line advertising. The company develops adware, otherwise known as spyware, activities hated by surfers and users of computers. Coincidentally or not, this activity is connected to a lawsuit anti-virus developer Symantec Corp. (Nasdaq:SYMC) filed a year ago against Hotbar, in which Symantec demanded that some of Hotbar's activities be classified as adware. The case was settled out of court a few months ago.

Some of this article seems completely off base, and some of the connections are a pretty far stretch. For example, it is hard to discern how the Symantec suit had anything to do with a deal like this being brokered, although the article does reference it as a possible "coincidence".

Furthermore, it would be surprising if ICQ were a buyer; ICQ is merely an instant messaging service. Mirabilis was the name of the Israeli company that produced ICQ. Mirabilis was formed in 1996 by four Israelis, Arik Vardi, Yair Goldfinger, Sefi Vigiser and Amnon Amir, and was purchased by AOL in 1998 for over 200 million U.S. dollars. (Note our recent walk down IM memory lane with ICQ.)

In 2001, a new company called AOL Time Warner was created when AOL purchased Time Warner, forming the world's largest media company. The deal, announced in 2000, employed an atypical merger structure in which each original company merged into a newly created entity. We have documented Time Warner engaging in distribution deals with 180Solutions for some of their online soap operas. That distribution deal was ill-timed given the highly problematic YapBrowser fiasco, in which the browser product, sponsored by Zango (the same adware product sponsoring Time Warner's content), displayed UA pornography after making it through 180Solutions' "stringent" approval process. [Reference background on YapBrowser and links to our interview.] 180Solutions did end the relationship after the activities came to public light.

At this stage it all remains speculative; however, information from many credible sources has been flowing into researchers for weeks now, and coupled with coverage in Israel, Hotbar's hometown, this researcher is inclined to believe the deal is more than likely going down.

The looming question is whether 180Solutions will continue with what many call irresponsible and poorly controlled distribution practices. A good researcher relies on intuition and on what he or she sees in the field. At the same time, a good researcher doesn't ignore history and its lessons either.

Skype continues to bring new firsts to everyone's Internet social and work experience, myself included. First there was a strange SPIM ambush [define SPIM], and now something more interesting.

Before I get into the experience, and in order to fully understand and appreciate why I find it so progressive, I need to back up a decade to the launch of a company called Mirabilis. Mirabilis made the ICQ product. ICQ, short for "I Seek You", was launched over a decade ago by three enterprising Israeli entrepreneurs. ICQ drove online communications out of message boards and forums and into real-time text chat. Back in 1997 ICQ really changed how I and many others operated online. Instead of waiting for e-mails to bounce back and forth, you could message in real time. Before that, the closest I had come to chat was on dial-up Bulletin Board Systems that had multi-node chat and three inbound phone lines. With IM, development, feedback and collaboration suddenly became easier and faster; it cut down geographical barriers and fused the world at incredible speed. It was life- and business-changing for many people and a very exciting time to experience.

Naturally it was first adopted by technical users who immediately grasped the concept. It also became essential for online team gaming like Quake, where you had to organize players before a match of TCP/IP-based gunslinging action. Families and friends began to use it to communicate, form relationships and stay up to date, and it also gave small businesses and virtual workers a whole new way to interact. Because of the social nature of Instant Messaging it propagated like wildfire, passing by word of mouth, e-mail and community.

While I still retain my original ICQ number (the digits are so low I simply can't let it go), I have forsaken ICQ and even AOL IM for the most part. I have moved on to Skype. Skype offers voice chat, web cam ability, conference ability and file transfers, among other options.

Skype is free, easy to use and of fairly good quality for voice calls; plus you can dial land lines or get a SkypeIn number for free. I keep it open most of my work day, unless I don't want an interruption. With Skype on the desktop I am able to work and communicate with people around the world at the click of a button; it is absolutely critical for global research work. If you stop and think about it, that is extremely powerful. This is the next wave for the Enterprise too, as customers will demand to interact with businesses in the format they choose.

One look at Google Trends for Google Chat and AIM versus Skype shows just how monumentally and quickly Skype use has ignited. So on with my experience...

Recently Chris Boyd and I had a conversation with a reporter from a very high profile magazine. That isn't news, of course; we do that all the time. What was novel is that we did it via Skype. That may not seem like a big deal, but this reporter didn't flinch when it was suggested we utilize Skype to connect everyone. No problem at all!

I simply cannot imagine that happening two years ago. Having a Skype call with a technically savvy reporter is progressive and underscores how businesses are adopting this communication tool for their work. Skype is becoming as ubiquitous as Google if you think about terms like "Skype Me" or "Google It".

Naturally, all of this free communication without barriers doesn't come without some risk. IM networks can be attack vectors for worms, as we detailed in a recent threat write-up, and as with any virtual communication you don't know for sure that the person you are talking with is really who they claim to be. In many cases contact from unknown people with unknown agendas can be risky too.

Instant Messaging is a rich petri dish for social engineering, and it is also laced with fast-circulating rumors. Going back to ICQ again, one of the old and long-standing ICQ rumors was that Mirabilis was going to charge for the service. It never happened, and AOL bought ICQ a few years ago, but that didn't stop the rumors from flying all across the Web, fueled by the IM medium. Many people believed the rumors, if the outcry on the Web was any indication.

In terms of businesses, many are starting to embrace IM and VoIP, partly powered by the incredibly lush features and partly because employees themselves are introducing the tools into the Enterprise on their own. Soon businesses will not be able to afford not to embrace it, because their customers will be demanding it in tandem. Enterprise IM applications are great if you want to communicate inside the Enterprise only, but all businesses have customers, and those customers will set the tone for how they want to communicate with the business.

Will Skype supplant land lines? Probably not anytime soon, but home users and business users are embracing it at an astounding rate. Voice 2.0 is upon us, and it is an exciting time to be on the Internet.
