Recently in Greynets Research Category

Based on its most recent research, FaceTime found that security incidents targeting public IM and P2P channels increased by 5 percent in Q2 2007 compared with Q1 2007. By contrast, the same period last year (Q1 to Q2 2006) showed a 35 percent decline. We didn't cover this report on the blog when it came out, as the GTA story was rolling out at full steam, but the analysis is worth the time to read.

Some Highlights

A total of 317 incidents were reported during Q2 2007, bringing the total since Jan. 1, 2007, to 618 incidents. Ongoing research reaffirms a cyclical nature to malware threats with peaks in each year, typically in the spring and fall, followed by lulls in the summer and winter. In 2007, security incidents declined somewhat during the first quarter from a high in January. In the second quarter, security threats climbed again, but appear to have peaked in June. If previous patterns hold, we can expect a decline in the summer, followed by an upswing in the early fall.

From Q1 to Q2 2007, attacks spread via the mainstream networks (Yahoo, MSN and AOL) dropped from 74 total incidents in the first period to 64 in the second quarter. Attacks spread via AOL dropped by more than half (from 28 incidents to 13). Overall, the MSN network accounted for 50 percent of the attacks on the major networks, followed by Yahoo at 30 percent and AOL with 20 percent.

Some Key Findings


-- Increase in IRC attacks

As we predicted earlier this year, attacks spread via Internet Relay Chat (IRC) continue to account for a growing percentage of all attacks. In fact, the percentage of attacks that are IRC-based has risen in each of the last six quarters, rising from a 59 percent share in Q1 2006 to 72 percent in the current quarter.

-- Single channel attacks vs. multichannel

Similarly, single-channel attacks, security incidents that propagate via only one vector, such as AOL, Yahoo or IRC, now account for almost three-fourths of all attacks. The percentage of attacks that are single-channel has also risen in each of the last six quarters, growing from a 46 percent share in the first quarter of 2006 to 71 percent in Q2 of 2007.

View the full report here along with past reports. It is important to note that, with the rise of unified communications and Web 2.0, we can expect attacks along social vectors to become more subtle, more creative and far more sophisticated.

While single channel attacks continue to dominate, in May we covered this example of an attack through Skype (the ultimate payload being the Stration Worm) with the built-in intelligence to go after other IM services. I feel this is a good example of what we can expect long-term.


Research and Summary Write-Up: Wayne Porter, Senior Director of Special Research

Microformat Communications

In case you aren't up on all that is Web 2.0 let me explain "Twitter".

Twitter is a social networking service that allows users to send "updates" (text-based posts, called "tweets", up to 140 characters long) via SMS, instant messaging, e-mail, the Twitter website or any application built using their services.

These updates are displayed on the user's profile page and also instantly delivered to other users who have signed up to receive them. The sender can restrict delivery to members of a circle of friends, or allow delivery to everybody, which is the standard default setting.

Users can receive updates via the Twitter website, instant messaging, SMS, RSS, or through an application. For SMS, two gateway numbers are currently available: one for the USA and a UK number for international use. While the Twitter service itself is free, posting and receiving updates via SMS typically incurs a charge from the wireless carrier, so watch your SMS plan carefully. Some people have run up large bills before they realized how much volume can pass, so if you use Twitter, or a similar service like Jaiku, you should probably be on an "all you can eat" SMS plan.

According to many, and I agree, Twitter is one of the first iterations of the "microblogging" or "nanoblogging" formats- a form of "micro-chunking". This is because the characters are capped to a certain number and the messages are very small. Twitter has caught on like wildfire because it is a very useful service for influence shaping, information gathering and simple communications. Services like this will change the face of the web, since it lowers the bar to communicate and express or influence opinion.

Twitter- The Cool Aspects

1) It doesn't interrupt you like Instant Messaging or VoIP- you can communicate when and where you want.

2) You can communicate from a cell phone, a PDA or a desktop application; even games and "metaverses" like Second Life have Twitter heads-up displays.

3) Simple to use and simple to get rid of those you don't want updates from. You can keep your Twitter stream private too...meaning only "friends" can see them.

The Not So Cool Aspects of Twitter

With the good news comes some bad news. That is simply how greynets roll. I am not touching on privacy concerns, simply security concerns. They are related but different.

1) No "bullet-proof" authentication. At this time it is pretty easy to impersonate someone because there is no verification of who is actually behind an account. There are a number of "popular people" who are not who they say they are. I have been following a bogus "Steve Jobs" for some time now- at least I think it is a bogus Steve Jobs...I don't really know, and I have no way to make sure. Of course this can happen with IM too, e.g. someone's account is compromised and the attacker poses as the trusted user. This has been going on for a decade, and the usual cause is a weak password susceptible to brute-force attacks.

2) Long web addresses (URLs) are wrapped in redirect or compression services like TinyURL. This by itself is not bad and is a perfectly legitimate use: remember that "Tweets", as Twitter messages are known, are capped at 140 characters, so a shortening service makes sense. However, since it is a blind redirect, you don't know where you might end up. An attacker could point the next hop at a malicious site or at a page with obfuscated JavaScript injected into its header (as we saw with the World Cup case), someone might link to a site without knowing it has been compromised, or the site might later become compromised. It is not too hard to predict that we might see "Twishing", or phishing via Twitter.

3) As the service gains critical mass it will attract those who seek to exploit the service for gain, mischief or intrusion. This is unfortunate, but history teaches us this almost always happens- where there are people- there will be a few bad apples.
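As an added example (not code from the original post): a small Python utility that unwraps a shortened URL hop by hop before anyone visits it. It follows 3xx Location headers one at a time, never fetching page bodies, and reports the full chain plus the things a practitioner wants flagged: an open-redirect hop (the next URL was carried in the previous URL's query string), a redirect loop, and a landing URL that hides a lookalike name behind userinfo or a bare IP address. Every host, path and response below is constructed for the example, and the HTTP layer is injected as a callable so the same logic runs offline against that constructed table; in real use you would pass the `http_head` fetcher instead.

```python
"""Unwrap a shortened or redirecting URL before visiting it.

Added example, not code from the original post. Every host, path and
response below is constructed for illustration.
"""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urljoin, urlparse

MAX_HOPS = 10

# A fetcher takes a URL and returns (HTTP status, Location header or None).
Fetch = Callable[[str], Tuple[int, Optional[str]]]


def http_head(url: str) -> Tuple[int, Optional[str]]:
    """Real fetcher: one HEAD request, with urllib told NOT to auto-follow 3xx."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # returning None makes urllib raise HTTPError for the 3xx

    opener = urllib.request.build_opener(NoRedirect)
    request = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(request, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def unwrap(url: str, fetch: Fetch = http_head, max_hops: int = MAX_HOPS) -> Dict[str, object]:
    """Follow Location hops from `url`; return the chain, the landing URL and warnings."""
    chain: List[str] = [url]
    warnings: List[str] = []
    seen = {url}
    current = url
    for _ in range(max_hops):
        status, location = fetch(current)
        if not (300 <= status < 400) or not location:
            break  # landed: a non-redirect response, or a 3xx without Location
        nxt = urljoin(current, location)  # Location may be relative
        # Open-redirect heuristic: the hop's target was supplied by the previous
        # URL's own query string, so anyone can steer this redirector anywhere.
        query_values = {v for vals in parse_qs(urlparse(current).query).values() for v in vals}
        if nxt in query_values:
            warnings.append(f"open redirect via {urlparse(current).netloc}")
        if nxt in seen:
            warnings.append("redirect loop")
            break
        seen.add(nxt)
        chain.append(nxt)
        current = nxt
    else:
        warnings.append(f"gave up after {max_hops} hops")

    landing = urlparse(chain[-1])
    if "@" in landing.netloc:
        warnings.append("userinfo in landing URL (trusted-looking name before '@')")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", landing.hostname or ""):
        warnings.append("landing host is a bare IP address")
    return {"chain": chain, "final": chain[-1], "warnings": warnings}


# Constructed, offline stand-in for HEAD responses; none of these hosts are real.
FAKE_RESPONSES: Dict[str, Tuple[int, Optional[str]]] = {
    "http://tinyurl.example/abc12": (301, "http://news.example/out?u=http://login-secure.example/acct"),
    "http://news.example/out?u=http://login-secure.example/acct": (302, "http://login-secure.example/acct"),
    "http://login-secure.example/acct": (200, None),
    "http://tinyurl.example/loop": (301, "/loop"),
    "http://tinyurl.example/ip": (301, "http://paypal.example@203.0.113.7/login"),
}


def fake_head(url: str) -> Tuple[int, Optional[str]]:
    """Offline fetcher backed by the constructed table above."""
    return FAKE_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    for short in ("http://tinyurl.example/abc12", "http://tinyurl.example/loop", "http://tinyurl.example/ip"):
        report = unwrap(short, fake_head)
        print(short, "->", report["final"])
        for w in report["warnings"]:
            print("   !", w)
```

The open-redirect check is deliberately a heuristic: it only catches a redirector whose target appears verbatim in its own query string, which is the common `out?u=...` shape, not encoded or signed variants.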

Thanks to the TipsDr who tipped us off to the latest, and a much more sophisticated, attack using caller ID number spoofing. This is rather alarming, since I was looking for the first real attacks to be simple malicious URLs.


For all you people who are just crazy about Twitter, a vulnerability has been posted that will allow you to post to someone else's Twitter account. Since Twitter uses caller ID to authenticate users, it is very easy to post to someone else's account since it is so easy to spoof the caller ID number. Fakemytext.com is just one example of a site that will help you do just that.

Read more about the spoof here. I do agree. SMS was never designed to be used for authentication: the originating number is a field in the message that the sending side controls, just as the From: address in email was never designed to be an element to authenticate against.
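To make the point concrete, here is an added example in Python (not Twitter's code; the gateway and method names InsecureGateway, PinGateway, enroll and receive are invented for it). The first gateway does what the post above describes: it treats the SMS originating number as the login, so a message whose caller ID has been forged to the victim's number posts as the victim. The second keeps the same flow but also requires a PIN in the message body that only the account holder knows, stores it as a salted PBKDF2 hash, compares in constant time and locks the account after repeated failures, because a four-digit PIN is small enough to guess. A PIN in the body is the minimal fix for caller-ID spoofing; it does nothing against someone who can read the victim's SMS traffic.

```python
"""Caller ID as an authenticator, next to a minimal fix.

Added example; this is not Twitter's code and the class and method names
(InsecureGateway, PinGateway, enroll, receive) are invented for it.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_FAILURES = 5          # lockout threshold for the PIN check
PBKDF2_ROUNDS = 50_000    # slows offline guessing of a short PIN


@dataclass
class Account:
    handle: str
    pin_salt: bytes = b""
    pin_hash: bytes = b""
    failures: int = 0
    posts: List[str] = field(default_factory=list)


def _pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


class InsecureGateway:
    """The weakness described above: the SMS originating number IS the login."""

    def __init__(self) -> None:
        self.by_number: Dict[str, Account] = {}

    def enroll(self, number: str, handle: str) -> None:
        self.by_number[number] = Account(handle)

    def receive(self, sender_number: str, body: str) -> Optional[str]:
        # The originating number is a caller-supplied field, like an email
        # From: header, so a spoofed number posts as the victim.
        acct = self.by_number.get(sender_number)
        if acct is None:
            return None
        acct.posts.append(body)
        return acct.handle


class PinGateway:
    """Same flow, but the body must carry a secret only the account holder knows."""

    def __init__(self) -> None:
        self.by_number: Dict[str, Account] = {}

    def enroll(self, number: str, handle: str, pin: str) -> None:
        salt = os.urandom(16)
        self.by_number[number] = Account(handle, salt, _pin_hash(pin, salt))

    def receive(self, sender_number: str, body: str) -> Optional[str]:
        acct = self.by_number.get(sender_number)
        if acct is None or acct.failures >= MAX_FAILURES:
            return None  # unknown number, or locked after too many bad PINs
        pin, sep, text = body.partition(" ")
        # Constant-time compare against the salted hash; a 4-digit PIN is
        # small, so the failure counter is what actually stops brute force.
        if not sep or not hmac.compare_digest(_pin_hash(pin, acct.pin_salt), acct.pin_hash):
            acct.failures += 1
            return None
        acct.failures = 0
        acct.posts.append(text)
        return acct.handle


def demo() -> Dict[str, Optional[str]]:
    """Send messages with the victim's number against both gateways; return who each landed as."""
    victim = "+15555550100"
    attacker_spoofs = victim  # caller ID forged to match the victim's phone
    weak = InsecureGateway()
    weak.enroll(victim, "victim")
    strong = PinGateway()
    strong.enroll(victim, "victim", "4821")
    return {
        "insecure": weak.receive(attacker_spoofs, "I am giving away my password"),
        "pin_missing": strong.receive(attacker_spoofs, "I am giving away my password"),
        "pin_wrong": strong.receive(attacker_spoofs, "0000 I am giving away my password"),
        "pin_right": strong.receive(victim, "4821 lunch at noon"),
    }


if __name__ == "__main__":
    for case, handle in demo().items():
        print(f"{case:12s} -> {'posted as ' + handle if handle else 'rejected'}")
```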

In short, proceed with caution, just as you would with any web surfing: never assume communications are 100% safe. Don't click on links you can't verify, and until phone number spoofing is resolved (if it can be) I would keep your numbers close.

Enterprises will probably want to block this emerging type of greynet for intra-company use, and remain guarded if they use it as a marketing, promotional or communications hub. This is a shame, since it is a very handy service with the ability to transform how a company communicates, but until there are better locks- or an enterprise intranet version- this is just the type of greynet that highly sophisticated users will bring in the door, because it is very useful, used by influentials and highly communicative, and our research shows web traffic moving from simple HTTP to highly communicative traffic.

I imagine that as the technology matures and becomes more secure we will see the enterprise adopt similar mechanisms, perhaps replacing the "dark blog". No doubt customers will force the enterprise to adopt these emerging microformats to some degree. Until then... have fun communicating, but proceed with very real caution. Ensure your I.T. policies are up to date with the high-velocity field of "social media"- or simply socializing around media. It is moving at an incredible velocity and shows no signs of letting up.

This coverage from colleague Anne P. Mitchell, Esq., President of the Institute for Spam and Internet Public Policy (ISIPP), on the Melanie McGuire Google search case caught my eye. It was only a matter of time before search histories came back to haunt someone, and this leaves me further worried about the insecure state of PCs and malware's ability to upload files "at will" onto infected PCs. Think "extortionware"- we covered the concept at RSA Conference 2007.

Anne writes...


Melanie McGuire is currently on trial for the murder of her husband, William McGuire. And while many people now know that your Google and other search engine searches can be discovered, apparently back in 2004, Melanie McGuire did not. For among the searches that the prosecution has found on her computers - searches which she conducted on the days leading up to the murder - were searches for "instant poisons", "undetectable poisons", and "fatal digoxin doses." And while those alone don't necessarily prove intent, another search, "how to commit murder" is pretty unambiguous.

But the crown search in the state's case against Melanie McGuire may be that Melanie also performed searches about gun laws in New Jersey and Pennsylvania. William McGuire was indeed murdered with a gun which, the state claims, Melanie purchased in Pennsylvania.

O.K. so far it doesn't look good for Melanie McGuire. We talk about "greynets" and how different tools, even a simple web browser, carry different degrees of risk based on their use, the user's purpose and intent, and the environment in which the software is deployed and even the security of the hardware and facility too. This case involves Google search queries to help build a case.

It gets more interesting...


Also relevant is the fact that the day before the murder, the state says, Melanie's computer shows that she searched for a Walgreens pharmacy near to her. A pharmacist at that Walgreens has testified that on the day before the murder she filled a prescription for an as yet unidentified woman with a prescription written for "Tiffany Bain", for a rarely ordered but known narcotic. The prescription, for chloral hydrate, was written by Doctor Bradley Miller - a doctor at the office where Melanie McGuire worked at the time. Dr. Bradley Miller, the doctor with whom Melanie was having an affair at the time that William McGuire was murdered.

That is true, chloral hydrate (a Schedule IV sedative-hypnotic) is rarely used these days, but it was still not unheard of during my days in medicine a few years ago. At any rate, the circumstantial evidence is starting to pile up. You can read more at The Internet Patrol... but of particular interest was a comment by a reader, Jack Stock, who pens:

As a writer, I can see myself asking these same questions of Google: how to commit a murder, the most efficient poisons, etc. And that doesn't mean that I was planning a murder, except in a fictional story. Murder, he wrote.

There are a number of factors to consider here; let's start with just four questions:

- Who physically had access to the computer?

- What other data was found on the PC?

- Was the PC compromised in any way?

- Is there any other evidence beyond stored search queries?

No matter how obvious or open-and-shut a case seems, faulty computer forensic assumptions are dangerous. We certainly don't want to see something like the Julie Amero case happen again. You can read a summary and full transcripts here and decide for yourself.

We are in a new era, where your digital footprints, whether you made them out of innocent research, or even if someone else made them for you- can and probably will be used against you.

Our CEO, Kailash Ambwani, talks on the greynets concept and how the majority of Internet traffic has evolved from HTTP to communicative application traffic. Ambwani discusses how enterprises are adopting greynets, how this increases security liabilities, and how FaceTime security products enable and secure greynets. Remember, FaceTime is about enablement and control of these innovations inside the enterprise. Why? Because customers are demanding to communicate this way, and often an organization's most sophisticated users- the forward thinkers and innovators- will bring them into the network because they realize their value, but sometimes forget about the security and regulatory risks involved.

Here is part one; I would note to pay particular attention to how anonymizers like Rodi and/or Tor can be used to bypass typical forms of defense. Naturally, and Kailash acknowledges this, products like Tor (at the time sponsored by the EFF) can be used as anti-censorship tools, especially in countries where this is a problem.

However, they can be a disaster, a potential legal nightmare, for large enterprises and I.T. administrators to manage. Kailash goes on to note how malware is now profit driven...in his limited time he didn't get to explore the use of widgets (often thin Ajax clients) or the stripping of content using browser-powered tools, allowing the propagation of content like video across the enterprise. This can also be problematic given attacks like the Windows Metafile (WMF) exploits or exposure to inappropriate content.

In part two Kailash goes on to discuss how Facetime addresses the issues. Once again the focus is on enablement and control. The Internet is changing and we all must change with it.


FaceTime just released a study on the state of greynets. Here are some highlights; in future entries we will talk about the implications of this study as it relates to the enterprise.

FaceTime Communications
2006 Greynets Survey Key Findings

The survey confirms that greynets continue to be dangerous if left unmanaged, introducing significant risks to the business. End users continue, at an increasing rate, to take business communications into their own hands, downloading and using whatever resource they choose to get their jobs done, wherever and whenever.


How are instant messaging and other greynets used at work?

IM usage, and by extension other similar greynet apps, is driven foremost by its convenience: three in four employees use IM because they need "immediate answers from co-workers" (76%).

End users also see IM as a productivity tool: two-thirds use it "to multi-task" (62%) while another third use it because "email is too slow" (33%). (The take-away: users, often the most advanced, are the ones introducing greynets into the enterprise because they want to be more productive!)

- IM usage is increasingly complex: a majority of IM users have accessed advanced features (55%), such as file transfer (29%), web conferencing (24%), VoIP (15%) or video (12%).

- Not surprisingly, most end users have sent IMs while multi-tasking (88%). Over half have IM'ed colleagues on the same conference call (57%). Even colleagues in the next cube are not safe: 44% of IM users have sent a message to a physically adjacent co-worker, or while having a face-to-face conversation with someone else (40%).

- Six in ten IM users have sent attachments, application files or links to external websites as part of an IM (57%). About one in five end users (17%) have sent company plans (15%), information about company finances (5%) and even passwords or login information (4%).


What are end user attitudes toward greynets?

- Four in ten end users (41%) have downloaded or installed applications that are not approved by their company's IT department.

- Among the most popular applications deployed by end users are streaming audio or video services (77%), web-based email (70%), web conferencing (57%) and public instant messaging (48%). Almost half of all end users have deployed browser plug-ins (46%). [NOTE: these apps are particularly well suited to evasive techniques that bypass network security controls.]

- Seven in ten IM users have sent personal or non-work related IMs while at work, over company networks (70%)

- Unfortunately for IT managers responsible for network security, one-fourth of IM users deploy IM in order to have "private, unmonitored communications" (26%).

- Not surprisingly, if end users knew their IM communications were monitored, they would change their usage patterns: almost half would "pay more attention to company guidelines" (45%), while one-third would simply "use IM less often" (31%), be more cautious about clicking on links (31%) or simply pick their words more carefully (21%).


So what's the problem?

- In a broad market research survey of US-based IT managers, 81 percent report that a security incident has resulted in the last six months from employee use of "greynet" applications.

- Spyware and adware are the most commonly reported incidents (75%), followed by viruses (57%), malware such as keyloggers (28%) and rootkits (22%).

- Seven in ten IT managers indicated that spyware and adware attacks are occurring at the same rate (36%) or more frequently (33%), compared to the prior six-month period.

- Greynets app usage may also result in business-related incidents. In the past six months, half of all IT managers report business incidents resulting from Greynet application usage (52%). Among these managers, the most commonly reported issues are: downloading of adult materials (50%), copyright violations (39%) and violations of corporate communications policies (33%).

- Seventy percent of IT managers report a wide range of network and computer issues that result from greynet application usage. Three-fourths of these managers report enduser system slowdowns or crashes (76%), followed by slowdowns in network traffic (68%), corrupted files (39%) and corrupted applications (30%).

Existing security infrastructure is not effective in combating greynet threats

-Survey respondents were asked to assess their own company networks in terms of their capacity to intercept the kinds of IMs allegedly sent by former Congressman Mark Foley. Only 11 percent of IT managers indicated that their networks would have been "very effective" at intercepting such communications. In fact, 31 percent of IT managers rate their networks as "not at all effective" at preventing these kinds of messages from being delivered.

What is the cost to businesses?-

Not surprisingly, these incidents may require remediation or repair of affected PCs or servers. Three-fourths of IT managers report having to make repairs or changes to computers as a result of greynet-related security incidents (72%).

- On average, IT managers report 14 incidents per month. Each incident requires 11 hours of work, on average. Based on an estimated average salary of $70 per hour, salary-related costs average almost $150,000 per year, just for greynet-related repairs to end-user computers.

- IT managers who are involved in other security-related tasks may spend as much as 71 hours per month, on average, engaged in activities such as maintenance of network or end-user hardware, archiving and logging, researching new technologies and so on....

more to come...

Noted blogger John Battelle reports in his blog based on a couple of pieces...about who Google (NASDAQ:GOOG) is working with these days.

One example from HomeLandStupidity.us he references:

IT contractors and intelligence officials familiar with the arrangement confirmed to HSToday.us that Google had been providing assistance to the intelligence community, but would not say under what authority that assistance had been requested or provided.

The intelligence community appears to be interested in data mining Google's vast store of information on each user who uses Google's services. Google collects data on each user's search queries, which web sites users visited after making a query, and through its Google Analytics service, can also track users on cooperating web sites. It's not clear what level of access to or how much of this information has been made available to intelligence agencies.

John goes on to note:

This might be filed in the Tin Foil Hat category, or it might be something we look back on and wonder how we ever missed it. I don't have any idea which. That alone sort of scares me.

The story says that Google is working with the Govt. in the war on terror. It depends a lot on ex CIA agent Robert Steele, who may or may not be a trustworthy source.

I've seen this story all over the place this weekend, and it strikes me as possibly accurate on at least one level: If the CIA/Dept. of Homeland Security was NOT trying to secretly work with Google, it's even lamer than we might imagine. After all, the company has just about the best infrastructure in the world to help them do their job. Is it legal? Moral? Right? Another question entirely....

This is ironic for two reasons:

1) Chris Boyd (Microsoft Security MVP and head of our Malware Research Labs, currently on hiatus preparing for our talk at the RSA show and something he wants to talk about called The Fourth Wall) and yours truly, Wayne Porter, also a Microsoft Security MVP, Director of Special Research, currently working on e-commerce analysis...were recently, along with the FaceTime Communications team and our Security Labs team, noted publicly on Google's security thank-you page:

Google Thanks You. People and organizations with an interest in security issues have made a tremendous contribution to the quality of the online experience. We are grateful for the responsible disclosure of security vulnerabilities in our software. On behalf of our millions of users, we would like to thank the following individuals and organizations for going out of their way to improve the Google experience for everyone:

* Alex Shipp, Messagelabs
* Bryan Jeffries
* Castlecops
* H D Moore
* Jeremiah Grossman
* Johannes Fahrenkrug
* Martin Straka
* Team Cymru
* Yahoo! Paranoids
* Wayne Porter & Chris Boyd, FaceTime Communications
* Alex Eckelberry, Sunbelt Software
* Richard Forand

I add as an odd aside that after commenting on an article at ThoughtShapers on Google's move into podcasting/AdSense and how they are tearing up top-down media, all kinds of people pinged me on whether I was one of the "trusted sources" who leaked this to Jeff Molander. The answer is no. I made that clear in my personal blog, notably here (The Google Rumor Mill Redux- Getting Details Straight) and in an aside here, Leaked Papers and Google Adsense.

Going back to John's observations, though, I have no idea how or in what capacity Google is working with Homeland Security; I am just a cog. With their processing and information-gathering power, I would be hard pressed to say it wouldn't make sense for DHS and/or the CIA to want to do so.

Remember that GUID I talked about at Revenews? (Note: GUID is a Globally Unique Identifier. A GUID is often a pseudo-random number used in software applications. Each generated GUID is "statistically guaranteed" to be unique.)

For example, a GUID, or simply the length of time someone uses a service (even anonymously and in aggregate), makes it easier to determine who they are. Granted, Google may not have any nefarious purposes for this, but what happens when other agencies do? You might be "anonymous" to Google, but when another agency plays connect-the-dots after obtaining access to your machine and subpoenas the activity around a GUID, you aren't so anonymous anymore. In reality you become an online novel: I can perhaps establish your character by your queries. Of course, this risk exists with any tracking mechanism, but a service as ubiquitous as Google, especially one that looks at queries, is all the more potent.

2) I do know that Homeland Security does pay attention to cyberthreats, as they should. I was surprised to find some of our research in their daily briefing reports, specifically around some notable worms. This report, a.k.a. The DHS Daily Open Source Infrastructure Report (Daily Report), is a daily (Monday through Friday) summary of open-source published information concerning significant critical infrastructure issues. They divide it up by the critical infrastructure sectors and key assets defined in the National Strategy for the Physical Protection of Critical Infrastructures and Key Assets.

An example: this was over the KMeth worm, which I find interesting.

  • Kmeth Worm noted by DHS [PDF Document]
  • Most of these daily briefings, which are free and unclassified, appear on the DHS.gov site, although to search them you need to use the FEMA.gov site...

Tin foil hats? I don't know. Safety, privacy and security are all different but related, and they require a delicate balance. Then you have to think back to the NSA wiretapping scandal. Did people really notice? Did they really care?

Take a look at Google Trends (given the question, is this a good place to validate it?). Google Trends is a fairly good indicator of search activity, an indirect reflection of what is going on online.

Here we see the terms: wiretapping, NSA scandal, wiretapping scandal, wire tapping

[Chart: Google Trends for these terms]

Interesting...there is some movement there.

Now: NSA scandal, wiretapping scandal, ATT scandal, NSA wiretapping, phone tapping

[Chart: Google Trends for these terms]

Nada, zilch. Not even if you analyze U.S. queries only- despite major press coverage. Try your own strings and see what turns up.

Of course, per Google: "Google Trends aims to provide insights into broad search patterns. As a Google Labs product, it is still in the early stages of development. Also, it is based upon just a portion of our searches, and several approximations are used when computing your results. Please keep this in mind when using it."

The Center for Democracy and Technology has released their latest report on advertising intermediaries, which include ad networks, affiliate networks and CPA networks. The document might be confusing if you are not practiced in the world of online advertising, but the CDT does a pretty good job of making a complex economy simple.

The takeaway is that advertisers and advertising intermediaries need to practice more due diligence in their business practices.

Find below the download links for Part I of the Following the Money Trail series and the latest, Part II. If you want to understand how malware and money are the new fuel for Internet mayhem, this is a good place to start.

To give you an idea how complex some of the relationships become while we track the money trail on cases, take a look at this sample screenshot from the report. Rest assured we have seen cases far more tangled than this cloud.

[Screenshot from the report: adware-advertising-small.gif]

"Companies need to take responsibility when their advertising dollars go to support companies that prey on unsuspecting consumers," said CDT Policy Analyst Alissa Cooper, who co-authored the report. "Whether placed directly or through intermediaries, these ads diminish the Internet experience for millions of people. Advertisers that work with these distributors are running out of excuses, and must either start policing their advertising spending, or answering to their customers who have been harmed by adware."

Indeed! We could not agree more.

Take the time to get educated with these great reports from the CDT and pass them along to your friends. Have an advertising question? Drop us a comment and I will be happy to answer it for you or find someone who can.

Part 1 of the CDT Report [PDF]

Part 2 of the CDT Report [PDF]

Report Write-Up: Wayne Porter, Sr. Dir. Greynets Research

The issue of Blogspot URLs being redirected and used for exploits has been noted before. In this particular case we follow the evolution of sophisticated mass spamming of Google's Blogspot service URLs, coupled with other search engine spam techniques, and trace the cascade of events that follows.

Overview: The "Simple Scenario"

1) Party unknown figures out how to optimize Blogspot pages to achieve high rankings in the MSN portal's Search Engine Results Pages (SERPs) for popular terms, known as keywords, in particular keywords around World Cup coverage.

2) This person uses Google's Blogspot hosting. It has been noted before that Blogspot hosting allows users to insert JavaScript into the head of the HTML page, creating a vulnerable environment.

3) Party unknown implements a complex server-side auto-rotation system on a domain hosted elsewhere.

4) Party unknown "cloaks" the Blogspot URLs, hiding the auto-rotation system. The pages rank high in many MSN search results for targeted keywords.

5) Users conducting queries on MSN, or users who otherwise arrive on the tainted Blogspot URLs, are redirected to various pages. In this particular example some sites display explicit pornographic content in addition to offering software downloads with a documented history of security risk.

The World Cup

This investigation into distribution and deception was kicked off by one of the world's biggest sporting events- the World Cup. We all have our favorite teams, and at FaceTime we want people to be able to follow their favorite teams and sports safely! The goal of our research was to investigate a popular sporting event and probe the Internet for attacks, social engineering, or any other malicious or deceptive activity centered around this event.

Flow Chart Sample of Events

To better understand the event flow, see the flow chart (the original opens in a new window):

[Flow chart: http://blog.spywareguide.com/upload/2006/07/flowchart-thumb.JPG]

Deceptive Mass Spamming Distribution

Basic search engine analysis shows the "party unknown" appears to be using automated techniques to spam guest books and other web pages in order to create links to the domain. Because of the auto-rotation system the domain's homepage changes frequently and apparently randomly. For example, it often defaults to Google's own portal for India.

Search System Pollution

As we will show, the techniques used to taint MSN search rankings are based on an understanding of the MSN search algorithm. However, the primary deceptive tactics are carried out through obfuscated JavaScript injected into Google's Blogspot page headers. This is significant because this particular problem has been publicly noted before by researcher Ben Edelman.


    WARNING TO USERS: DO NOT go searching for these sites unless you are a trained security researcher. There is a dynamic component to this operation which could lead to a hostile environment or unwanted content. In short- What you see is not what you may get..

    Research: How Did This Happen?

    While searching for the keyword ?World Cup 2006? in the MSN search Engine, our researcher clicked the first natural result, the result below the sponsored ads. This result appeared to be an innocent looking Blogspot URL as screenshot will demonstrate.


    Note on Search Engine Results:

    Search engines use their own systems to determine the relevancy of a page for a keyword entered in the Search Box. Based on the search engine's algorithms the pages will be ranked and appear in the results. These results are often called SERPS or Search Engine Result Pages.

    In crude theory the first result should be the most relevant to the keyword, the second result a somewhat less relevant page, and so on. Numerous factors affect relevancy beyond the scope of this write-up. It is reasonable to expect people to believe they will find the most relevant pages on the first pages of the results. For this reason, in this study, we have placed emphasis on studying the first results returned in the SERPS.

    http://blog.spywareguide.com/upload/2006/06/Blogspot_Hijack/FIFAWorldCupSearchResult-thumb.JPG


    How Did this Page Get to the Top?

    In simple terms, by using "spam techniques." With the browser's JavaScript turned off, the user would see a page like this:

    Click To View Page with JavaScript Off


    Redirection and Misdirection Over Time

    Upon some of the first checks of these URLs our researcher noted redirects to the following Russian web-site. By.ru is a common hosting company, and the "tkgroup" appears to be a student class blog.

    http://blog.spywareguide.com/upload/2006/06/Blogspot_Hijack/FIFARussianWebSite-thumb.JPG

    At first glance it might seem this could be a student prank merely playing search engine tricks. However, after several days the same result redirected our researcher to a different website, which is now the "Adult DVD Download Network" IcooNet. The context and tone have now changed considerably: the tone is now commercial in intent but also pornographic. Users would have no way of knowing the site they were trying to reach would serve pornographic content if they relied on the title, text description and link displayed in the SERP.

    http://blog.spywareguide.com/upload/2006/06/Blogspot_Hijack/FIFAIcoonet-thumb.JPG

    In this example our search term was FIFA-related, so it would seem unreasonable to be offered an adult downloader. This is deceptive, and many users may find it offensive, especially since it is reasonable to expect young football fans would be searching for similar terms and would be guided by the domain name, title and description.

    In a legal context this is significant; see US Code Title 18, Section 2252B, "Misleading domain names on the Internet", at law.cornell.edu.

    In a final example, the redirection goes to a website which features pornographic galleries offering a program that is cited as a variant of Zlob.Media-Codec. It may go under different names. A EULA is presented if the user wants to access the deceptively advertised pornography. We have not placed a screenshot here because the images are simply too offensive for our blog standards, but we have retained screen capture documentation and video of the site.

    The different variants of these programs have to be downloaded in order to play any of the movies on the web-site.

    Note this particular search query was conducted from one of our labs in India, so other users and countries will likely get different results. In addition search results change frequently. For purposes of documentation, we have included packet logs from query to destination as well as install of software.

    Query Sample 1: Term FIFA+World+Cup+2006 .txt file

    Query Sample 2: Term FIFA+World+Cup+2006 .txt file


    We Just Wanted the World Cup

    In the sample query illustrated by the packet logs above our researcher, searching for "FIFA World Cup 2006", finds a tainted Blogspot site and clicks through. The log documents the various redirects, which end with the researcher arriving on a pornographic website where he was offered, and accepted, programs with well documented problematic behavior.

    The initial MSN results showed 3 out of 10 results from Blogspot which display the obfuscated JavaScript and redirection system. Users rely on search engines to deliver them high quality and relevant results. Since the domain names, titles and descriptions contain football (soccer to U.S. readers) related terms, it is reasonable that the user will feel confident enough to click through.

    In a system such as this any number of attacks could be launched, and depending on the degree of sophistication of the attack or skill in social engineering, the results could be quite harmful. The screenshot below shows the tainted Blogspot URLs at MSN in the top ten results.

    http://blog.spywareguide.com/upload/2006/07/3of10BlogSpotURLsinFirstpageoftheMSNResult-thumb.JPG


    Past History of Problems

    It should be noted that while we were unable to document any exploit behavior in the software offered on the pornographic page, the software has a well documented history of problematic behavior from numerous third party sources. It is usually classified as a "trojan". Reference: Sunbelt on Zlob.Media-Codec and Super AdBlocker on xpassman-v3, for example.

    EULA Red Flags

    In this particular case EULAs were presented with the software product(s) needed to access the content deceptively advertised by the unknown party. EULA analysis shows additional security software will be added, updates can be made, and the home page will be changed, among other items.

    See one EULA Analysis Sample

    By accepting it the user grants the software rights to install additional components on the machine. These components or updates may not have cleared appropriate security hygiene processes. In addition no warranty on performance of the software is given.

    Also notable: our automated readability analysis of the EULAs displayed shows that reading skills above twelfth-grade level are needed to understand the document, based on several readability batteries.

    Flesch Grade: Beyond Twelfth Grade reading level
    Automated Readability Index: Beyond Twelfth Grade reading level
    Coleman-Liau Index: Beyond Twelfth Grade reading level
    Gunning-Fog Index: Beyond Twelfth Grade reading level

    Technical Background: How Did Blogspot Do This?

    The attack is quite subtle. Put simply it uses obfuscated or "garbled" JavaScript.

    Inspecting the source code of the blog entry, we noted JavaScript calling a function named decode(). At first glance there was no simple redirection code in the page source; we noted only what looked like random numbers stored as a string. The function name itself, decode, was the hint to decode the whole function. Let us take a look at the original source code:

    http://blog.spywareguide.com/upload/2006/06/Blogspot_Hijack/FIFAJavaScript-thumb.JPG


    Now let us examine the screenshot of the "decoded" code:



    http://blog.spywareguide.com/upload/2006/06/Blogspot_Hijack/FIFAJavaScriptDecoded-thumb.JPG


    Explanation of Code:
    The code says if the blog is referred by any of the following major search engines:

    Google
    MSN
    Yahoo
    AOL
    Ask
    Altavista

    Then it will open the URL http://www.toptravel10.com/search.php?aid=<*****>&q=World+Cup, which calls the redirection system into action. Therefore, the writer of this code is actively intercepting search traffic and moving it elsewhere, and is doing so with obvious intent.

    However, if the Blogspot address is only pasted or typed into the address bar of the IE browser, it redirects to the MSN search results for the keyword "World Cup 2006". As we know from the search result screen capture above, 3 out of the first 10 MSN natural search results could most likely be the same kind of tainted Blogspot entries. Clicking any of those entries will again redirect to the same system. This puts the user into a dangerous cycle. We qualify "most likely" because the top ten entries can and do change dynamically, beyond the control of users.
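The referrer check and redirect explained above can be spotted from the defender's side with a small checker. The following is an added example, not code from the original post or from the tainted blogs; it assumes an obfuscation scheme of decimal character codes handed to decode(), since the page does not reproduce the real one, and the aid value and MSN search URL in the constructed sample are placeholders.

```javascript
// Added example, not code from the original post or from the tainted blogs:
// a heuristic checker for the referrer-conditional redirect ("cloaking")
// pattern explained above. The obfuscation is an ASSUMED scheme (a string of
// decimal character codes handed to decode()); the page does not reproduce
// the real one, so decodeNumericString() is illustrative only.

const SEARCH_ENGINES = ['google', 'msn', 'yahoo', 'aol', 'ask', 'altavista'];

// Assumed scheme: "104,116,116,112" -> "http".
function decodeNumericString(encoded) {
  return encoded
    .split(',')
    .filter(s => s.trim() !== '')
    .map(s => String.fromCharCode(parseInt(s, 10)))
    .join('');
}

// Inverse of the above; used only to build the constructed sample below.
function encodeNumericString(text) {
  return Array.from(text, ch => ch.charCodeAt(0)).join(',');
}

// Pull every decode("...") argument out of raw page script text.
function extractEncodedPayloads(scriptText) {
  const re = /decode\(\s*["']([\d,\s]+)["']\s*\)/g;
  const payloads = [];
  let m;
  while ((m = re.exec(scriptText)) !== null) payloads.push(m[1]);
  return payloads;
}

// String literals assigned to location or handed to location.replace / window.open.
function extractRedirectTargets(code) {
  const re = /(?:location(?:\.href)?\s*=|location\.replace\(|window\.open\()\s*["']([^"']+)["']/g;
  const targets = [];
  let m;
  while ((m = re.exec(code)) !== null) targets.push(m[1]);
  return targets;
}

// Verdict: "cloaking" when the script reads document.referrer, names search
// engines and redirects; "redirect" when it only redirects; otherwise "clean".
function analyzeScript(scriptText) {
  const decoded = extractEncodedPayloads(scriptText).map(decodeNumericString);
  const effective = [scriptText, ...decoded].join('\n');
  const lower = effective.toLowerCase();
  const readsReferrer = /document\.referrer/.test(effective);
  const engines = SEARCH_ENGINES.filter(e => new RegExp('\\b' + e + '\\b').test(lower));
  const targets = extractRedirectTargets(effective);
  let verdict = 'clean';
  if (targets.length > 0) verdict = 'redirect';
  if (readsReferrer && engines.length > 0 && targets.length > 0) verdict = 'cloaking';
  return { readsReferrer, engines, targets, hiddenPayloads: decoded.length, verdict };
}

// Constructed sample modelled on the decoded header described above; the
// aid value and the MSN search URL are placeholders, not values from the page.
const HIDDEN_LOGIC = [
  'if(/google|msn|yahoo|aol|ask|altavista/i.test(document.referrer)){',
  '  location.href="http://www.toptravel10.com/search.php?aid=PLACEHOLDER&q=World+Cup";',
  '}else{',
  '  location.href="http://search.msn.example/?q=World+Cup+2006";',
  '}',
].join('\n');
const TAINTED_HEADER =
  '<script>function decode(s){eval(String.fromCharCode.apply(null,s.split(",")))}' +
  'decode("' + encodeNumericString(HIDDEN_LOGIC) + '")</script>';
const BENIGN_HEADER = '<script>document.write("Last updated 20 June 2006")</script>';

console.log(analyzeScript(TAINTED_HEADER)); // verdict "cloaking", 6 engines, 2 targets
console.log(analyzeScript(BENIGN_HEADER));  // verdict "clean"
```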

    Controlling the Deceit

    In this case there is no need to change the source code of the page, because the operator of the toptravel10 domain has set up a complex server-side auto-rotation system of unknown make-up. The tainted Blogspot URLs use the URL http://www.toptravel10.com/search.php?aid=56340&q=World+Cup as a mediator: the Blogspot pages open this URL when called, and at that point the toptravel10 system decides where the user is redirected. The mediator remains constant but links to different URLs over a given period of time. In this entry the researcher was referred first to a Russian web-site, second to ICOONet (Adult DVD Downloader), and now the mediator links to VideoGalleries, which in turn offers adult oriented software.

    It is also notable the ownership information for the toptravel10.com domain is cloaked through a proxy registration service.


    Why Use Blogspot?

    Blogspot has been the target for similar attacks in the past. Researcher Ben Edelman's concern about Blogspot will help us understand why this case is important. From his article:

    "...Numerous blogs hosted at Google's Blogspot service contain JavaScript that tries to trick users into installing unneeded software..."

    In this instance the obfuscated JavaScript not only impacts the quality of search engine results it also acts as a more complex line of redirects to distance the designer from the scene.


    Why MSN Search?

    As researchers, we might ask: "Why would someone target the MSN search system?"

    The logical reasons would probably be that most Windows-based operating systems default to MSN search, and/or that the orchestrator had some mastery at gaming the Microsoft ranking algorithm.

    Examples of tainted URLs are:

    http://worldcup2006z.blogspot.com
    http://footballwordcup2006.blogspot.com
    http://fifaworldcup2006-.blogspot.com
    http://-fifaworldcup2006.blogspot.com

    (Note: after contacting Google last week, these are now offline!)

    Are There More?

    Yes. One such instance was found for the keyword "AIRLINE TICKETS".

    These blog URLs may also be redirected to the same pornographic galleries, again depending on the system of rotation.

    Blog URLs found for the keyword "AIRLINE TICKETS":

    http://airlineticketsz.blogspot.com
    http://cheapairlineticketsz.blogspot.com

    Conclusion and Final Notes:

    A solution was already offered by Ben Edelman:

    "...What should Google do? Google already disallows JavaScript within Blogspot.com posts. Apparently Google considers embedded JavaScript too risky -- too likely to trick, deceive, or otherwise take advantage of users. But Google oddly allows JavaScript to be added to Blogspot headers and navigation bars. This decision should be reversed..."

    In terms of football (soccer) this is the equivalent of a "Yellow Card".

    We must add the following caution and warning on the tactical approach.

    In this particular case the unknown party used some technological sophistication coupled with knowledge of world events, search engine algorithms and planning. However, the party used poor targeting.

    Let us explore a "what if" scenario...

    What if the same system, using football (soccer) keywords, were used to trick a user into opening a page that asked them to view 'World Cup Bloopers' or 'World Cup Highlights', or lured users with a fake video of a 'disputed call' or 'insider interview' cobbled together from pirated video footage? The user, now contextually targeted, would probably click, and any number of hostile scenarios could be played out. The attack would be limited only by the creativity and motivation of the operator.

    To use our football analogy again, this is a "Red Card".

    LATE ADDITION: We have contacted Google about our concerns pointing out the problem around the World Cup spam and they reacted rapidly. Initial research seems to show they scoured Blogspot and removed the tainted URLs so World Cup fans wouldn't fall into this trap during the championship weekend. However, the root of the problem still remains. What to do about the JavaScript? Ultimately that is a problem Google will have to solve.

    The problem has been pointed out before- history should be the teacher.


    Blog Summary Write-Up: Wayne Porter, Sr. Dir. Greynets Research
    Technical Research: Peter Jayaraj, FSL Threat Researcher

    IMPORTANT UPDATE: Google has reacted very quickly to our concerns, and we have been in discussions with their top engineers. As netizens we are encouraged by their quick reaction to our concerns, and willingness to listen thoughtfully to our feedback. Successful companies like Google understand that one must be a part of the conversation, not stand outside the conversation or try to obscure it. Our hats are off!
    Stay tuned for more news...(See Addendum At Bottom)

    -Wayne Porter
    Sr. Dir. Greynets Research, FaceTime Communications

    Back to the entry and analysis from Paperghost....

    The idea of problems behind "gated" communities is a pretty interesting one, even more so when the idea regularly rolls around that segregating various parts of the Internet to "keep the bad guys out" would be a great idea. But what happens when those bad-guys are already inside the gates?

    From Wikipedia:

    (Orkut is) run by Google and named after its creator, Google employee Orkut Buyukkokten. It claims to be designed to help users meet new friends and maintain existing relationships. Similar to Friendster and MySpace, orkut goes a step further by permitting "communities" of users. It is also invitation-only: users must be invited to join the community by someone already there.

    So, an interesting concept. But as we saw with Myspace not so long ago, people can (and will) game the system. In this case, the targets are (primarily) Brazilian users of Orkut - because for some reason, something like 70% of all users are from Brazil, and Portuguese is the language of choice right now. Of course, Orkut are not to blame here - nor are social networking sites in general. The sad fact is, large concentrations of end-users in a confined space are like the world's biggest honeypot to a social engineer.

    It figures, then, that this particular infection - a variant of an older password stealer, which we dubbed Orc.Malware - should contain a message in Portuguese. Following up a hot tip from this guy (FallenHawk, an extremely resourceful Security Researcher), I was able to get a look at something rather nasty. Something that has apparently been nailing Orkut users for at least a month or so, but (until now) has been ultra-elusive with regards to trying to pin it down. The early variants (one or two of which I've since obtained) didn't do very much, and there was no direct tie to Orkut, other than this was where the bad-guys were pushing it. Now, however, the infection will pop up a message telling you your data is being mailed off someplace, before sending you to the Orkut site (as you'll see from the video later on. Bring some popcorn).

    The source of the problem is these two nasties (disguised as images), created in the System32 folder by a rogue executable file:

    orkfiles1.jpg

    Let's have a look at how these things get on board in the first place. We'll start off with the method of delivery...the infection message. The most common one we've seen so far is this:

    "Oi... tudo bom? Como o orkut limita a quantidade de fotos que podem ser publicadas na minha conta, eu criei um slide com algumas fotos minhas, pra ver e so clicar clicar no link!!! [link removed] - Sei que vai gostar"

    A (very rough!) translation: "As Orkut limits the amount of photos that can be published in my account, I created a slideshow with some photos of mine, please click to see!"

    This message is deposited in an Orkut user's "Scrapbook" (similar to a guestbook), and as the Scrapbooks are public, anyone visiting can see the link and click it. As you probably guessed, that's a real bad idea in this case.

    The end-user is presented with what looks like an image file - open it up, and covert ops of the nastiest kind are instigated against the PC. Two more files are installed.

    They don't look like much, but they're busy trying to drain your pockets of cash and anything else they can get their hands on. One of the files contains references to a pile of specific login pages for Brazilian banks, as well as a whole section devoted to Orkut and its Friends and Scrapbook pages. On the Orkut help site, they mention how automated Scrap sending isn't allowed:

    "If you use other sites to log into orkut or send your friends scraps, you will likely be blocked from performing any actions on orkut.com for about 15 minutes and you'll see the message "We're sorry...but your query looks similar to automated requests.""

    However, there are many examples of people abusing the system - Orkut has had lots of problems previously with people creating Spam scripts. And this particular infection does seem to have at least a (very) basic automated functionality. I first tested this on the Eighth of June, and was more interested in the data-theft aspect at that point. I didn't see anything particularly unusual going on (beyond the keylogging, of course!) and yet when I logged in a few days later, I saw this:

    http://blog.spywareguide.com/upload/2006/06/orkfiles2-thumb.jpg

    ...and this:

    http://blog.spywareguide.com/upload/2006/06/orkfiles3-thumb.jpg

    During testing, I had two contacts in my "Friends" network. To my surprise, both of those users now had the infection message sitting in their scrapbooks. As you can see, the time / date of both messages is identical: 09:54 AM, 08/06/2006.

    Now that's pretty freaky.

    Worse still, this infection seems to be amazingly random. During one round of testing, it even deposited me into an XDCC Botnet:

    http://blog.spywareguide.com/upload/2006/06/orkfiles4-thumb.jpg

    Yay, I'm file-sharing pirated content!

    As for how the data is actually sent back to the hacker guy, you'll probably want to check this short movie clip out:

    flmtckr1.jpg Click here to download movie (2.90 MB)

    00:00 to 00:09 seconds: End-user is going about their daily business, logging into Orkut. Note that you could be performing any web-based activity here; it's just a little thing I like to call context. Plus, I don't actually have any Brazilian bank accounts so you'll just have to make do with Orkut.

    00:10 to 00:14 seconds: The end-user clicks into "My Computer". Oh dear - an "error message", warning that you have insufficient virtual memory and the application will now close (or words to that effect. I never was very good with Babelfish).

    00:17 to 00:27: At this point, the end-user is probably wondering what on Earth is going on, as they see a message telling them their "form has been submitted", and that they will be redirected somewhere in 5 seconds. Can you guess where?

    00:28 to 00:34: That's right, Orkut! I mean, he stole all your bank details and website logins, but at least he gives you a chance to get back into Orkut and change your password before he steals that too!

    http://blog.spywareguide.com/upload/2006/06/orkfiles5-thumb.jpg

    Make no mistake about it - this infection is a real nasty one. And worse still, it looks like the tip of a very ugly iceberg. I'd insert a really rubbish comment at this point about "how I hope we're not too late to avoid a Spyware-Titanic", but you'd probably hate me for it. Even if it was a nice tie in to the whole iceberg thing. So I'll just leave you with the advice that randomly clicking links to check out pictures, especially when those pictures are from some magical party you've never heard of, is probably not a very good idea.

    Many thanks to Peter in our Bangalore office for his incredible sleuth work and the entire team for assisting in pulling this complex case to pieces. Special thanks to Wayne Porter for all night monitoring and revisions.

    ADDENDUM: A startling event was discovered during extended testing on an infected machine, which was infected in a lab setting on the 13th of June. The link to the dangerous payload was propagated on the 16th; however, the infection message is timestamped as having been sent on the 14th of June:

    http://blog.spywareguide.com/upload/2006/06/orkfiles6-thumb.jpg


    http://blog.spywareguide.com/upload/2006/06/orkfiles7-thumb.jpg


    ADDENDUM Saturday, 17 2006 Happy Endings for Orkut

    From CNET:


    Google confirmed the worm. "We are aware of this issue and will have a temporary fix in place within the hour," a company representative said in an e-mailed statement. "We are working on a more permanent solution for users to guard against these malicious efforts."

    For their protection, Orkut users, just as users of all online services and applications, should always be careful when opening or clicking on anything suspicious, the Google representative said.

    -Wayne Porter
    Sr. Dir. Greynets Research, FaceTime Communications

    Let's Dive Right Into It...

    Recently, like my colleague Chris Boyd, I received the Microsoft MVP Award. I thought I might get a raise; instead I received the honor of leading the Greynets Blog! What a task it has been. Imagine having a team of extremely smart and busy analysts, researchers, and engineers from all around the world, many from different cultures, and getting them to settle down to write about their experiences and document some of their findings. Piece of cake, right?

    Who is This Blog For...

    Good question, and I have a good answer. The Greynets Blog carries a wide range of information to fit every type of person: the casual PC user, the new PC user, the hard-core technical user, the Enterprise manager, and intermediate users too. We even use it ourselves!

    Rather than try to create a blog that is nothing but complete technical jargon, or a blog that caters only to beginners, we try to produce a good mix of novice and intermediate material. However, we know there are some hard core programmers, spyware warriors and analysts out there who enjoy a thrill ride all the way into the Matrix and back. Don't worry, we won't leave you out, because we like to visit the Matrix too. And if you are a beginner or an intermediate user you can always shoot us a question and we can try to answer it here. That is one of our aims: to educate and help people from all backgrounds understand the impact of the technology and software they use.

    Think of the Greynets Blog as a salad bar...you can pick and choose exactly what you want and we never charge for seconds, as a matter of fact we encourage them and you can leave out the bean sprouts if you don't like them.

    Haven't I Seen Some of You Guys Before?

    Maybe. Perhaps in the press, or some of you may know me from my Revenews Blog where I bust up the financials on seedy outfits. You may know the infamous Chris Boyd, a.k.a. Paperghost, from VitalSecurity.org where he kicks up the action on malware and spyware writers "kung-fu" style, and who is a recognized CNET Top 100 Blogger as well as an MSFT Security MVP x2! You will soon meet a new legion of bloggers from various disciplines and cultures from across our company: Manoj, Deepak, Peter, Charles, Chris, Tyler, and Jan (who we call Obijan, which is another story from another galaxy).

    I promise more individuals will follow as we cover topics from P2P file sharing to securing IM networks and, of course, the ever present threat of spyware, malware and adware and what it means to you. Our goal is to share our experiences deep in the cyber-trenches, to educate both Enterprise users and the home PC user, and to do this through opinions backed up by facts and evidence, and hopefully to entertain you occasionally. We also intend to drag in some other notables in the security industry, many of them our colleagues, and get their take on things; and who knows, maybe we can drag in an executive or two to get the 10,000 mile (or meter, if you're not from the U.S.; assume nothing) view on the future of security.

    So What Is It?

    Like many blogs, also known as weblogs, it contains documented experiences from the trenches- often where the real battles happen and we show it to you one bullet at a time, slow motion style, so like Neo, you can avoid the bullets but watch the ripples as they tear up the air.

    Some of the experiences are quite comical, some quite sad, but they all carry the message that Internet Security is no longer simply black and white; it comes in various shades of grey. Ultimately it is up to you, the Systems Administrator or the Home PC User, to make decisions on what you want or do not want on your machine or network. After all, you have that right: it's your property!

    About this Archive

    This page is an archive of recent entries in the Greynets Research category.
