Internet Threats, IM, Malware, P2P, Spyware - Software in a World of Grey.
- Security Attacks On The Rise in IM and P2P Channels
Based on recent research, Facetime has found that security incidents targeting public IM and P2P channels increased by 5 percent in Q2 2007 compared with Q1 2007. In contrast, last year we saw a 35 percent decline over the same period, from Q1 to Q2 2006. We didn't cover this report on the blog when it came out, as the GTA story was rolling out full steam, but it is worth the time to read the analysis.
A total of 317 incidents were reported during Q2 2007, bringing the total since Jan. 1, 2007, to 618 incidents. Ongoing research reaffirms a cyclical nature to malware threats with peaks in each year, typically in the spring and fall, followed by lulls in the summer and winter. In 2007, security incidents declined somewhat during the first quarter from a high in January. In the second quarter, security threats climbed again, but appear to have peaked in June. If previous patterns hold, we can expect a decline in the summer, followed by an upswing in the early fall.
From Q1 to Q2 2007, attacks spread via the mainstream networks (Yahoo, MSN and AOL) dropped from 74 total incidents in the first period to 64 in the second quarter. Attacks spread via AOL dropped by more than half (from 28 incidents to 13). Overall, the MSN network accounted for 50 percent of the attacks on the major networks, followed by Yahoo at 30 percent and AOL with 20 percent.
Some Key Findings
-- Increase in IRC attacks
As we predicted earlier this year, attacks spread via Internet Relay Chat (IRC) continue to account for a growing percentage of all attacks. In fact, the percentage of attacks that are IRC-based has risen in each of the last six quarters, rising from a 59 percent share in Q1 2006 to 72 percent in the current quarter.
-- Single channel attacks vs. multichannel
Similarly, single channel attacks—security incidents that propagate via only one vector, such as AOL, Yahoo or IRC—now account for almost three-fourths of all attacks. The percentage of attacks that are single-channel has also risen in each of the last six quarters, growing from a 46 percent share in the first quarter of 2006 to 71 percent in Q2 of 2007.
View the full report here along with past reports. It is important to note that, with the rise of unified communications and Web 2.0, we can expect attacks along social vectors to become more subtle, creative and far more sophisticated.
While single channel attacks continue to dominate, in May we covered this example of an attack through Skype (the ultimate payload being the Stration Worm) with the built-in intelligence to go after other IM services. I feel this is a good example of what we can expect long-term.
Research and Summary Write-Up: Wayne Porter, Senior Director of Special Research
- First ID Number Spoofing Attacks Against Popular Twitter
In case you aren't up on all that is Web 2.0 let me explain "Twitter".
Twitter is a social networking service that allows users to send "updates" (text-based posts, called "tweets", up to 140 characters long) via SMS, instant messaging, e-mail, the Twitter website or any application built using their services.
These updates are displayed on the user's profile page and also instantly delivered to other users who have signed up to receive them. The sender can restrict delivery to members of a circle of friends, or allow delivery to everybody, which is the standard default setting.
Users can receive updates via the Twitter website, instant messaging, SMS, RSS, or through an application. For SMS, currently two gateway numbers are available: one for the USA and a UK number for international use. While the Twitter service itself is free, posting and receiving updates via SMS typically incurs a charge from the wireless carrier- watch your SMS plan carefully! Some people have gotten large bills before they realized how much volume can pass, so if you do use Twitter, or a similar service like Jaiku, you should probably use an "all you can eat" SMS plan.
According to many, and I agree, Twitter is one of the first iterations of the "microblogging" or "nanoblogging" formats- a form of "micro-chunking". This is because the characters are capped to a certain number and the messages are very small. Twitter has caught on like wildfire because it is a very useful service for influence shaping, information gathering and simple communications. Services like this will change the face of the web, since they lower the bar to communicate and to express or influence opinion.
Twitter- The Cool Aspects
1) It doesn't interrupt you like Instant Messaging or VoIP- you can communicate when and where you want.
2) You can communicate from cell phone, PDA, applications, even games or "metaverses" like Second Life have Twitter Heads Up Displays.
3) Simple to use and simple to get rid of those you don't want updates from. You can keep your Twitter stream private too...meaning only "friends" can see them.
The Not So Cool Aspects of Twitter
With the good news comes some bad news. That is simply how greynets roll. I am not touching on privacy concerns, simply security concerns. They are related but different.
1) No "bullet-proof" authentication- at this time it is pretty easy to impersonate someone because of the lack of authentication. There are a number of "popular people" who are not who they say they are. I have been following a bogus "Steve Jobs" for some time now- at least I think it is a bogus Steve Jobs...I don't really know, and I have no way to make sure. Of course, this can happen with IM too, e.g. someone's account is compromised and the attacker spoofs the trusted user. This has been going on for a decade and the usual cause is a weak password susceptible to brute force attacks.
2) As the service gains critical mass it will attract those who seek to exploit the service for gain, mischief or intrusion. This is unfortunate, but history teaches us this almost always happens- where there are people- there will be a few bad apples.
Thanks to the TipsDr who tipped us off to the latest, and a much more sophisticated attack using caller id number spoofing. This is rather alarming since I was looking for the first real attacks to be simple malicious URLs.
For all you people who are just crazy about Twitter, a vulnerability has been posted that will allow you to post to someone else’s twitter account. Since twitter uses caller id to authenticate users, it is very easy to post to someone else’s account since it is so easy to spoof the caller id number. Fakemytext.com is just one example of a site that will help you do just that.
Read more about the spoof here. I do agree: SMS was never designed to be used for authentication, just as the From: address in email was never designed to be an element to authenticate against.
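To make the point concrete, here is an added example (not Twitter's or TipsDr's code) that simulates an inbound-SMS post handler: the weak version trusts the carrier-reported sender number as the whole credential, which is the flaw described above, while the hardened version (an assumed mitigation, not something the post describes) requires a per-account PIN at the start of the message. The phone numbers, handle and PIN are constructed sample values.

```python
"""Simulated inbound-SMS post handler for a microblogging service.

Added example. Contrasts caller-ID-as-credential (the weakness described
in the post) with an assumed mitigation: a per-account PIN that must
prefix the message body. All account data below is constructed.
"""
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_TWEET = 140  # character cap for a post, as stated on the page


@dataclass
class InboundSms:
    sender: str  # number as reported by the SMS gateway (caller ID)
    body: str


@dataclass
class Account:
    handle: str
    phone: str
    pin: str  # hypothetical secret the user sets on the website, not over SMS
    posts: List[str] = field(default_factory=list)


def sample_accounts() -> Dict[str, Account]:
    """Constructed account directory keyed by registered phone number."""
    return {"+15550100001": Account("alice", "+15550100001", "4821")}


def post_weak(msg: InboundSms, accounts: Dict[str, Account]) -> Optional[str]:
    """Weak: whoever the gateway says sent the SMS owns the account.
    Returns the handle posted to, or None if no account matches."""
    acct = accounts.get(msg.sender)
    if acct is None:
        return None
    acct.posts.append(msg.body[:MAX_TWEET])
    return acct.handle


def post_hardened(msg: InboundSms, accounts: Dict[str, Account]) -> Optional[str]:
    """Hardened: the sender number only selects the account; a PIN at the
    start of the body ('4821 hello world') is the actual credential.
    The PIN still travels in clear text over SMS, so this narrows the bug
    rather than turning SMS into an authenticator."""
    acct = accounts.get(msg.sender)
    if acct is None:
        return None
    pin, sep, text = msg.body.partition(" ")
    # Constant-time compare avoids leaking PIN length or prefix via timing.
    if not sep or not hmac.compare_digest(pin.encode(), acct.pin.encode()):
        return None
    acct.posts.append(text[:MAX_TWEET])
    return acct.handle


if __name__ == "__main__":
    accts = sample_accounts()
    # The gateway cannot distinguish a genuine message from one whose sender
    # field was forged to alice's number; both arrive looking like this:
    forged = InboundSms("+15550100001", "buy my stock now")
    print("weak:", post_weak(forged, accts))                  # alice
    print("hardened, no PIN:", post_hardened(forged, accts))  # None
    genuine = InboundSms("+15550100001", "4821 lunch was great")
    print("hardened, PIN:", post_hardened(genuine, accts))    # alice
```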
In short, proceed with caution- just as you would with any web surfing- and never assume communications are 100% safe. Don't click on links, and until phone spoofing is resolved, if it can be, I would keep your numbers close.
Enterprises will probably want to block this emerging type of greynet for intra-company use, and remain guarded if they use it as a marketing, promotional or communications hub. This is a shame, since it is a very handy service that has the ability to transform how a company communicates. But until there are better locks- or an enterprise intranet version- this is just the type of greynet that highly sophisticated users will bring in the door, because it is very useful, used by influentials and highly communicative, and our research shows web traffic moving from simple HTTP to highly communicative traffic.
I imagine that as the technology matures and becomes more secure we will see the enterprise adopt similar mechanisms- perhaps replacing the "dark blog". No doubt customers will force the Enterprise to adopt these emerging microformats to some degree. Until then... have fun communicating, but proceed with very real caution. Ensure your I.T. policies are up to date with the high velocity field of "social media"- or simply socializing around media. It is moving at an incredible velocity and shows no signs of letting up.
- Google, Guns, Searches and Alleged Murder
This coverage from colleague Anne P. Mitchell, Esq., President of the Institute for Spam and Internet Public Policy (ISIPP), on the Melanie McGuire and Google search case caught my eye. It was a matter of time before search histories came back to haunt someone...and this leaves me further worried about the insecure state of PCs and malware's ability to upload "at will" into infected PCs. Think "extortionware"- we covered the concept at RSA Conference 2007.
Melanie McGuire is currently on trial for the murder of her husband, William McGuire. And while many people now know that your Google and other search engine searches can be discovered, apparently back in 2004, Melanie McGuire did not. For among the searches that the prosecution has found on her computers - searches which she conducted on the days leading up to the murder - were searches for "instant poisons", "undetectable poisons", and "fatal digoxin doses." And while those alone don't necessarily prove intent, another search, "how to commit murder" is pretty unambiguous.
But the crown search in the state’s case against Melanie McGuire may be that Melanie also performed searches about gun laws in New Jersey and Pennsylvania. William McGuire was indeed murdered with a gun which, the state claims, Melanie purchased in Pennsylvania.
O.K., so far it doesn't look good for Melanie McGuire. We talk about "greynets" and how different tools, even a simple web browser, carry different degrees of risk based on their use, the user's purpose and intent, the environment in which the software is deployed, and even the security of the hardware and facility. Here, Google search queries are being used to help build the case.
It gets more interesting...
Also relevant is the fact that the day before the murder, the state says, Melanie’s computer shows that she searched for a Walgreens pharmacy near to her. A pharmacist at that Walgreens has testified that on the day before the murder she filled a prescription for an as yet unidentified woman with a prescription written for “Tiffany Bain”, for a rarely ordered but known narcotic. The prescription, for chloral hydrate, was written by Doctor Bradley Miller - a doctor at the office where Melanie McGuire worked at the time. Dr. Bradley Miller was the doctor with whom Melanie was having an affair at the time that William McGuire was murdered.
That is true, chloral hydrate (a Class IV hypnotic) is rarely used these days, but still not unheard of during my days in medicine a few years ago. At any rate the circumstantial evidence is starting to pile up. You can read more at The Internet Patrol... but of particular interest was a comment by a reader- Jack Stock who pens:
As a writer, I can see myself asking these same questions of Google–how to commit a murder, the most efficient poisons, etc. And that doesn’t mean that I was planning a murder–except in a fictional story. Murder, he wrote.
There are a number of factors to consider here- let's start with just four questions:
- Who physically had access to the computer?
- What other data was found on the PC?
- Was the PC compromised in any way?
- Is there any other evidence beyond stored search queries?
No matter how obvious or open-and-shut a case seems, faulty computer forensic assumptions are dangerous. We certainly don't want to see something like the Julie Amero case happen again. You can read a summary and full transcripts here and decide for yourself.
We are in a new era, where your digital footprints, whether you made them out of innocent research, or even if someone else made them for you- can and probably will be used against you.
- Kailash Ambwani Talks on Greynets and Perils of Web 2.0
Our CEO, Kailash Ambwani, talks on the greynets concept and how the majority of internet traffic has evolved from HTTP to communicative application traffic. Ambwani discussed how enterprises are adopting greynets, how this increases security liabilities, and how FaceTime security products enable and secure greynets. Remember, Facetime is about enablement and controlling these innovations inside of the Enterprise. Why? Because customers are demanding to communicate this way, and often an organization's most sophisticated users- the forward thinkers and innovators- will bring them into the network because they realize their value, but sometimes forget about the security and regulatory risks involved.
Here is part one; I would note to pay particular attention to how anonymizers, like Rodi and/or Tor, can be used to bypass typical forms of defense. Naturally, and Kailash acknowledges this, products like Tor (designed by the EFF) can be used as anti-censorship tools, especially in countries where this is a problem.
However, they can be a disaster, a potential legal nightmare, for large enterprises and I.T. administrators to manage. Kailash goes on to note how malware is now profit driven...in his limited time he didn't get to explore the use of widgets (often thin Ajax clients) or the stripping of content using browser-powered tools, allowing the propagation of content like video across the Enterprise. This can also be problematic given attacks like Windows Meta Frame exploits or exposure to inappropriate content.
In part two Kailash goes on to discuss how Facetime addresses the issues. Once again the focus is on enablement and control. The Internet is changing and we all must change with it.
podtech_news, facetime.com, facetime communications, skype, greynets, VoIP, IM security, instant_messenger_security, enteprise_security, perimeter_security, security_solutions, Enterprise_IM, control_applications, IT_managers_risks, ediscovery, tech_execs, web2.0, web_2.0, web2.0_security_risks, anonymizers, RTG, Real_Time_Guardian
- Facetime Communications Greynet Study Highlights
FaceTime just released a study on the state of Greynets. Here are some highlights; in future entries we will talk about the implications of this study as it relates to the Enterprise.
2006 Greynets Survey Key Findings
The survey confirms that greynets continue to be dangerous if left unmanaged, introducing significant risks to the business. End users continue, at an increasing rate, to take business communications into their own hands, downloading and using whatever resource they choose to get their jobs done, wherever and whenever.
How are Instant Messaging and other greynets used at work?
IM usage—and by extension, other similar greynet apps—is driven foremost by its convenience: three in four employees use IM because they need "immediate answers …from co-workers" (76%).
Endusers also see IM as a productivity tool—two-thirds use it "to multi-task" (62%) while another third use it because "email is too slow" (33%). (The take-away: users, often the most advanced, are the ones introducing greynets into the Enterprise because they want to be more productive!)
- IM usage is increasingly complex: 60 percent of IM users have accessed advanced features (55%), such as file transfer (29%), web conferencing (24%), VOIP (15%) or video (12%).
- Not surprisingly, two in three endusers have sent IMs while multi-tasking (88%). Around half have IM'ed colleagues on the same conference call (57%). Even colleagues in the next cube are not safe—44% of IM users have sent a message to a physically adjacent co-worker or while having a face-to-face conversation with someone else (40%).
- Six in ten IM users have sent attachments, application files or links to external websites as part of an IM (57%). About one in five endusers (17%) have sent company plans (15%), information about company finances (5%) and even passwords or login information (4%).
What are end user attitudes toward greynets?
- Four in ten endusers (41%) have downloaded or installed applications that are not approved by their company’s IT department.
- Among the most popular applications deployed by endusers are streaming audio or video services (77%), web-based email (70%), web conferencing (57%) and public instant messaging (48%). Almost half of all endusers have deployed browser plug-ins (46%). [NOTE: these apps are particularly well-suited to evasive techniques that bypass network security requirements.]
- Seven in ten IM users have sent personal or non-work related IMs while at work, over company networks (70%).
- Unfortunately for IT managers responsible for network security, one-fourth of IM users deploy IM in order to have "private, unmonitored communications" (26%).
- Not surprisingly, if endusers knew their IM communications were monitored, they would change their usage patterns: almost half would "pay more attention to company guidelines" (45%), while one-third would simply "use IM less often" (31%), be more cautious about clicking on links (31%) or simply pick their words more carefully (21%).
So what’s the problem?
- In a broad market research survey of US-based IT managers, 81 percent report that a security incident has resulted in the last six months from employee use of "greynet" applications.
- Spyware and adware are the most commonly reported incidents (75%), followed by viruses (57%), malware such as keyloggers (28%) and rootkits (22%).
- Seven in ten IT managers indicated that spyware and adware attacks are occurring at the same rate (36%) or more frequently (33%), compared to the prior six-month period.
- Greynets app usage may also result in business-related incidents. In the past six months, half of all IT managers report business incidents resulting from Greynet application usage (52%). Among these managers, the most commonly reported issues are: downloading of adult materials (50%), copyright violations (39%) and violations of corporate communications policies (33%).
- Seventy percent of IT managers report a wide range of network and computer issues that result from greynet application usage. Three-fourths of these managers report enduser system slowdowns or crashes (76%), followed by slowdowns in network traffic (68%), corrupted files (39%) and corrupted applications (30%).
Existing security infrastructure is not effective in combating greynet threats
- Survey respondents were asked to assess their own company networks in terms of their capacity to intercept the kinds of IMs allegedly sent by former Congressman Mark Foley. Only 11 percent of IT managers indicated that their networks would have been "very effective" at intercepting such communications. In fact, 31 percent of IT managers rate their networks as "not at all effective" at preventing these kinds of messages from being delivered.
What is the cost to businesses?
Not surprisingly, these incidents may require remediation or repair of affected PCs or servers. Three-fourths of IT managers report having to make repairs or changes to computers as a result of greynet-related security incidents (72%).
- On average, IT managers report 14 incidents per month. Each incident requires 11 hours of work, on average. Based on an estimated average salary of $70 per hour, salary-related costs average almost $150,000 per year—just for greynet related repairs to enduser computers.
- IT managers who are involved in other security-related tasks may spend as much as 71 hours per month, on average, engaged in activities such as maintenance of network or enduser hardware, archiving and logging, researching new technologies and so on....
more to come...
- John Battelle on Google and DHS and Google Trends Can See
Noted blogger John Battelle reports in his blog based on a couple of pieces...about who Google (NASDAQ:GOOG) is working with these days.
One example from HomeLandStupidity.us he references:
IT contractors and intelligence officials familiar with the arrangement confirmed to HSToday.us that Google had been providing assistance to the intelligence community, but would not say under what authority that assistance had been requested or provided.
The intelligence community appears to be interested in data mining Google's vast store of information on each user who uses Google's services. Google collects data on each user's search queries, which web sites users visited after making a query, and through its Google Analytics service, can also track users on cooperating web sites. It's not clear what level of access to or how much of this information has been made available to intelligence agencies.
John goes on to note:
This might be filed in the Tin Foil Hat category, or it might be something we look back on and wonder how we ever missed it. I don't have any idea which. That alone sort of scares me.
The story says that Google is working with the Govt. in the war on terror. It depends a lot on ex CIA agent Robert Steele, who may or may not be a trustworthy source.
I've seen this story all over the place this weekend, and it strikes me as possibly accurate on at least one level: If the CIA/Dept. of Homeland Security was NOT trying to secretly work with Google, it's even lamer than we might imagine. After all, the company has just about the best infrastructure in the world to help them do their job. Is it legal? Moral? Right? Another question entirely....
This is ironic for two reasons:
1) Chris Boyd (Microsoft Security MVP and head of our Malware Research Labs, currently on hiatus preparing for our talk at the RSA show and something he wants to talk about called The Fourth Wall) and yours truly- Wayne Porter, also Microsoft Security MVP and Director of Special Research, currently working on e-commerce analysis- were recently, along with the Facetime Communications team and our Security Labs team, noted publicly on Google's security thank-you page:
Google Thanks You
People and organizations with an interest in security issues have made a tremendous contribution to the quality of the online experience. We are grateful for the responsible disclosure of security vulnerabilities in our software. On behalf of our millions of users, we would like to thank the following individuals and organizations for going out of their way to improve the Google experience for everyone:
* Alex Shipp, Messagelabs
* Bryan Jeffries
* H D Moore
* Jeremiah Grossman
* Johannes Fahrenkrug
* Martin Straka
* Team Cymru
* Yahoo! Paranoids
* Wayne Porter & Chris Boyd, FaceTime Communications
* Alex Eckelberry, Sunbelt Software
* Richard Forand
I add as an odd aside that after commenting on an article at ThoughtShapers on Google's move into podcasting/AdSense and how they are tearing up top-down media, all kinds of people pinged me on whether I was one of the "trusted sources" who leaked this to Jeff Molander. The answer is no. I made that clear in my personal blog, notably here (The Google Rumor Mill Redux- Getting Details Straight) and in an aside here, Leaked Papers and Google Adsense.
Going back to John's observations, though, I have no idea whether, or in what capacity, Google is working with Homeland Security- I am just a cog. Given their processing and information gathering power, I would be hard pressed to argue that it wouldn't make sense for DHS and/or the CIA to want to do so.
Remember that GUID I talked about at Revenews? (Note: GUID is a Globally Unique Identifier. A GUID is often a pseudo-random number used in software applications. Each generated GUID is "statistically guaranteed" to be unique.)
For example, the concept of a GUID means that the longer someone uses a service (even anonymously and in aggregate), the easier it becomes to determine who they are. Granted, Google may not have any nefarious purposes for this, but what happens when other agencies do? You might be “anonymous” to Google, but when another agency plays connect the dots after obtaining access to your machine and subpoenas activity around a GUID- you aren’t so anonymous anymore. In reality, you become an online novel- I can perhaps establish your character by your queries. Of course, this risk exists with any tracking mechanism, but a service as ubiquitous as Google, especially one that looks at queries, is all the more potent.
2) I do know that Homeland Security does pay attention to cyberthreats- as they should. I was surprised to find some of our research in their daily briefing reports, specifically around some notable worms. These reports, a.k.a. The DHS Daily Open Source Infrastructure Report (Daily Report), are a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. They divide it up by the critical infrastructure sectors and key assets defined in the National Strategy for the Physical Protection of Critical Infrastructures and Key Assets.
An Example- this was over the KMeth Worm, which I find interesting.
Kmeth Worm noted by DHS [PDF Document]
Most of these Daily Briefings- which are free and unclassified appear on the DHS.gov site, although to search them you need to use the FEMA.gov site...
Tin Foil Hats? I don't know. Safety, privacy and security are all different but related, and require a delicate balance. Then you have to think back to the NSA wiretapping scandal. Did people really notice? Did they really care?
Take a look at Google Trends (given the questions above, is this a good place to validate them?). Google Trends is a fairly good indicator of search activity. It is an indirect reflection of what is going on online.
Here we see the terms: wiretapping, NSA scandal, wiretapping scandal, wire tapping
Click to See Chart
Interesting...there is some movement there.
Now: NSA scandal, wiretapping scandal, ATT scandal, NSA wiretapping, phone tapping
Click to See Chart
Nada, zilch. Not even if you analyze U.S. queries only- despite major press coverage. Try your own strings and see what turns up.
Of course per Google: "Google Trends aims to provide insights into broad search patterns. As a Google Labs product, it is still in the early stages of development. Also, it is based upon just a portion of our searches, and several approximations are used when computing your results. Please keep this in mind when using it."
- CDT Releases Following The Money Trail Part Two
The Center for Democracy and Technology has released their latest report on advertising intermediaries, which include ad networks, affiliate networks, and CPA networks. The document might be confusing if you are not practiced in the world of online advertising, but the CDT does a pretty good job of making a complex economy simple.
The takeaway is that advertisers and advertising intermediaries need to practice more due diligence in their business practices.
Find below the download links for the Following the Money Trail Series Part I and the latest Part II. If you want to understand how malware and money are the new fuel for Internet mayhem this is a good place to start.
To give you an idea how complex some of the relationships become while we track the money trail on cases take a look at this sample screenshot from the report. Rest assured we have seen cases far more tangled than this cloud.
"Companies need to take responsibility when their advertising dollars go to support companies that prey on unsuspecting consumers," said CDT Policy Analyst Alissa Cooper, who co-authored the report. "Whether placed directly or through intermediaries, these ads diminish the Internet experience for millions of people. Advertisers that work with these distributors are running out of excuses, and must either start policing their advertising spending, or answering to their customers who have been harmed by adware."
Indeed! We could not agree more.
Take the time to get educated with these great reports from the CDT and pass them along to your friends. Have an advertising question? Drop us a comment and I will be happy to answer it for you or find someone who can.
Part 1 of the CDT Report [PDF]
Part 2 of the CDT Report [PDF]
Report Write-Up: Wayne Porter, Sr. Dir. Greynets Research
- The World Cup- The Internet "Red Card"
The issue of Blogspot URLs being redirected and used for exploits has been noted before. In this particular case we follow the evolution of sophisticated mass spamming of Google's Blogspot service URLs, coupled with other search engine spam techniques and trace the cascade of events that follow.
Overview: The "Simple Scenario"
1) Party unknown figures out how to optimize Blogspot pages to achieve high rankings in the MSN portal's Search Engine Results Pages (SERPS) for popular terms known as keywords, in particular keywords around World Cup coverage.
2) Party unknown implements a complex server-side auto-rotation system on a domain hosted elsewhere.
3) Party unknown accomplishes "cloaking" of the Blogspot URLs, hiding the auto-rotation system. The pages rank high in many MSN search results for targeted keywords.
4) Users conducting queries on MSN, or users who arrive on the tainted Blogspot URLs, are redirected to various pages. In this particular example some sites display explicit pornographic content in addition to offering software downloads with a documented history of security risk.
The World Cup
This investigation over distribution and deception was kicked off by one of the world's biggest sporting events- the World Cup. We all have our favorite teams, and at FaceTime we want people to be able to follow their favorite teams and sports safely! The goal of our research was to investigate a popular sporting event and probe the Internet for attacks, social engineering, or any other malicious or deceptive activity centered around this event.
Flow Chart Sample of Events
To better understand the event flow, click the thumbnail image below to enlarge. This will open to a new window.
Deceptive Mass Spamming Distribution
Basic search engine analysis shows the "party unknown" appears to be using automated techniques to spam guest books and other web pages in order to create links to the domain. Because of the auto-rotation system the domain's homepage changes frequently and apparently randomly. For example, it often defaults to Google's own portal for India.
Search System Pollution
WARNING TO USERS: DO NOT go searching for these sites unless you are a trained security researcher. There is a dynamic component to this operation which could lead to a hostile environment or unwanted content. In short: what you see is not what you may get.
Research: How Did This Happen?
While searching for the keyword “World Cup 2006” in the MSN search engine, our researcher clicked the first natural result, the result below the sponsored ads. This result appeared to be an innocent-looking Blogspot URL, as the screenshot demonstrates.
Note on Search Engine Results:
Search engines use their own systems to determine the relevancy of a page for a keyword entered in the Search Box. Based on the search engine's algorithms the pages will be ranked and appear in the results. These results are often called SERPS or Search Engine Result Pages.
In crude theory the first result should be the most relevant to the keyword, the second result a somewhat less relevant page, and so on. Numerous factors affect relevancy beyond the scope of this write-up. It is reasonable to expect people to believe they will find the most relevant pages on the first pages of the results. For this reason, in this study, we have placed emphasis on studying the first results returned in the SERPS.
Click To Enlarge Screenshot
How Did this Page Get to the Top?
Redirection and Misdirection Over Time
Upon some of the first checks of these URLs our researcher noted redirects to the following Russian web-site. By.ru is a common hosting company, and the "tkgroup" appears to be a student class blog.
At first glance it might seem this could be a student prank merely playing search engine tricks. However, after several days the same result redirected our researcher to a different website, now the “Adult DVD Download Network” IcooNet. The context and tone have now changed considerably: the intent is now commercial, but also pornographic. Users would have no way of knowing the site they were trying to reach would serve pornographic content if they relied on the title, text description and link displayed in the SERP.
In this example our search term was for FIFA, so it would seem unreasonable to be offered an adult downloader. This is deceptive, and many users may find it offensive, especially since it is reasonable to expect that young football fans would be searching for similar terms and would be guided by the domain name, title and description.
From a legal context this is significant: US CODE: Title 18,2252B. Misleading domain names on the Internet, from law.cornell.edu.
In a final example, the redirection goes to a website which features pornographic galleries offering a program that is cited as a variant of Zlob.Media-Codec. It may go under different names. A EULA is presented if the user wants to access the deceptively advertised pornography. We have not placed a screenshot here because the images are simply too offensive for our blog standards, but we have retained screen capture documentation and video of the site.
The different variants of these programs have to be downloaded in order to play any of the movies on the web-site.
Note this particular search query was conducted from one of our labs in India, so other users and countries will likely get different results. In addition search results change frequently. For purposes of documentation, we have included packet logs from query to destination as well as install of software.
Query Sample 1: Term FIFA+World+Cup+2006 .txt file
Query Sample 2: Term FIFA+World+Cup+2006 .txt file
We Just Wanted the World Cup
In the sample query illustrated by the packet logs above our researcher, searching for “FIFA World Cup 2006”, finds a tainted Blogspot site and clicks-thru. The log documents the various redirects which end with the researcher arriving on a pornographic website where he was offered, and accepted, programs with well documented problematic behavior.
In a system such as this any number of attacks could be launched, and depending on the degree of sophistication of the attack or skill in social engineering- the results could be quite harmful. The screenshot below shows the tainted Blogspot URLs at MSN in the top ten results.
Past History of Problems
It should be noted that, while we were unable to document any exploit behavior from the software offered on the pornographic page, that software has a well documented history of problematic behavior from numerous third party sources and is usually classified as a "trojan". Reference: Sunbelt on Zlob.Media-Codec, and Super AdBlocker on xpassman-v3, for example.
EULA Red Flags
In this particular case EULAs were presented with the software product(s) needed to access the content deceptively advertised by the unknown party. EULA analysis shows that additional security software will be added, updates can be made, and the home page will be changed, among other items.
See one EULA Analysis Sample
By accepting it the user grants the software rights to install additional components on the machine. These components or updates may not have cleared appropriate security hygiene processes. In addition no warranty on performance of the software is given.
Also notable: our automated readability analysis of the EULAs displayed shows that reading skills beyond a 12th-grade level are needed to understand the document, according to several readability batteries:
Flesch Grade: Beyond Twelfth Grade reading level
Automated Readability Index: Beyond Twelfth Grade reading level
Coleman-Liau Index: Beyond Twelfth Grade reading level
Gunning-Fog Index: Beyond Twelfth Grade reading level
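As an added worked example (not part of the original write-up, and not the analysis tool the authors used), the four readability batteries listed above can be computed from nothing more than word, sentence, letter and syllable counts. The one-sentence EULA clause and the short control text below are constructed for illustration, and the syllable counter is a simple heuristic rather than a dictionary lookup:

```python
import re

# Constructed sample: a single EULA-style sentence of the kind the write-up
# describes (not text from any real EULA), plus a plain control text.
LEGALESE_EULA = (
    "By accepting this agreement the licensee irrevocably authorizes the licensor "
    "and its affiliated distribution partners to install, update, modify or remove "
    "additional software components on the computer of the licensee without further "
    "notification, and acknowledges that the licensor provides no warranty whatsoever "
    "regarding the performance, compatibility or security of such components."
)
SIMPLE_TEXT = "The cat sat on the mat. It was a big cat. The dog ran away."


def count_syllables(word):
    """Heuristic English syllable count: vowel groups, minus a trailing silent 'e'."""
    w = word.lower()
    groups = len(re.findall(r"[aeiouy]+", w))
    if w.endswith("e") and not w.endswith(("le", "ee", "ye")) and groups > 1:
        groups -= 1
    return max(groups, 1)


def text_stats(text):
    """Raw counts every readability formula is built from."""
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    words = re.findall(r"[A-Za-z]+", text)
    return {
        "sentences": len(sentences),
        "words": len(words),
        "letters": sum(len(w) for w in words),
        "syllables": sum(count_syllables(w) for w in words),
        # Gunning Fog's "complex" words: three or more syllables
        "complex": sum(1 for w in words if count_syllables(w) >= 3),
    }


def readability_grades(text):
    """Return the four grade-level scores named in the EULA analysis."""
    s = text_stats(text)
    S, W = s["sentences"], s["words"]
    words_per_sentence = W / S
    syllables_per_word = s["syllables"] / W
    letters_per_word = s["letters"] / W
    return {
        "flesch_kincaid": 0.39 * words_per_sentence + 11.8 * syllables_per_word - 15.59,
        "ari": 4.71 * letters_per_word + 0.5 * words_per_sentence - 21.43,
        # Coleman-Liau uses letters and sentences per 100 words
        "coleman_liau": 0.0588 * (letters_per_word * 100) - 0.296 * (S / W * 100) - 15.8,
        "gunning_fog": 0.4 * (words_per_sentence + 100 * s["complex"] / W),
    }


def beyond_twelfth_grade(text):
    """Which batteries rate the text beyond a 12th-grade reading level."""
    return {name: grade > 12 for name, grade in readability_grades(text).items()}


if __name__ == "__main__":
    for label, sample in (("EULA clause", LEGALESE_EULA), ("control text", SIMPLE_TEXT)):
        print(label, {k: round(v, 1) for k, v in readability_grades(sample).items()})
```

The sentence length term dominates all four formulas, which is why a single 50-word clause of legal boilerplate lands well past grade 12 on every battery while the control text stays in the primary-school range.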
Technical Background: How Did Blogspot Do This?
Now let us examine the screenshot of the "decoded" code:
Explanation of Code:
The code says if the blog is referred by any of the following major search engines:
Then it will open the URL http://www.toptravel10.com/search.php?aid=<*****>&q=World+Cup, which triggers the redirection system. The writer of this code is therefore deliberately intercepting search traffic and sending it somewhere else.
However, if the Blogspot address is simply pasted or typed into the address bar of the IE browser, it redirects to the MSN search results for the keyword "World Cup 2006". As we know from the search result screen capture above, 3 out of the first 10 MSN natural search results could most likely be the same kind of tainted Blogspot entries, and clicking any of them redirects into the same system again. This puts the user into a dangerous cycle. We qualify "most likely" because the top ten entries can and do change dynamically, beyond the control of users.
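To illustrate the referrer-conditional pattern described above from the detection side, here is an added example (not code from the original investigation): a small scanner that flags page scripts which read document.referrer, compare it against search-engine hostnames, and then assign window.location. The two embedded HTML samples are constructed stand-ins; their domains and the aid value are placeholders, not the ones observed in this case.

```python
import re

# Constructed sample modelled on the behaviour the write-up describes:
# a search-engine referrer sends the visitor to a "mediator" URL, anything
# else goes back to a search results page.  Domains and aid are placeholders.
SAMPLE_TAINTED_HTML = """
<html><body><script>
var r = document.referrer.toLowerCase();
if (r.indexOf("google.") != -1 || r.indexOf("search.msn.") != -1 ||
    r.indexOf("yahoo.") != -1) {
  window.location.href = "http://mediator.example.invalid/search.php?aid=PLACEHOLDER&q=World+Cup";
} else {
  window.location.href = "http://search.msn.example.invalid/results.aspx?q=World+Cup+2006";
}
</script></body></html>
"""

# Constructed benign sample: reads the referrer but never redirects on it.
SAMPLE_CLEAN_HTML = """
<html><body><script>
var ref = document.referrer;
document.getElementById("from").innerText = ref;
</script><p>Match report</p></body></html>
"""

SEARCH_ENGINE_HINTS = ("google", "msn", "yahoo", "ask.", "live.com", "aol")
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)
REFERRER_RE = re.compile(r"document\.referrer", re.I)
# Assignments to (window.)location(.href) and location.replace(...) calls
REDIRECT_RE = re.compile(
    r"(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]"
    r"|location\.replace\(\s*['\"]([^'\"]+)['\"]",
    re.I,
)


def find_referrer_cloaking(html):
    """Flag scripts that branch on the referrer and redirect.

    Heuristic: a <script> that reads document.referrer, mentions search-engine
    hostnames, and assigns window.location is the classic search-cloaking
    pattern.  Returns {'suspicious': bool, 'targets': [...], 'engines': [...]}.
    """
    result = {"suspicious": False, "targets": [], "engines": []}
    for script in SCRIPT_RE.findall(html):
        if not REFERRER_RE.search(script):
            continue
        targets = [a or b for a, b in REDIRECT_RE.findall(script)]
        engines = [h for h in SEARCH_ENGINE_HINTS if h in script.lower()]
        if targets and engines:
            result["suspicious"] = True
            result["targets"].extend(targets)
            result["engines"].extend(engines)
    return result


if __name__ == "__main__":
    print("tainted:", find_referrer_cloaking(SAMPLE_TAINTED_HTML))
    print("clean:  ", find_referrer_cloaking(SAMPLE_CLEAN_HTML))
```

A crawler would normally pair this static check with a dynamic one: fetch the same URL once with a search-engine Referer header and once without, and compare where each request ends up. The static pattern alone is enough to triage pages for that second, slower check.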
Controlling the Deceit
In this case there is no need to change the source code of the page, because the operator of the toptravel10 domain has set up a complex server-side auto-rotation system of unknown make-up. The tainted Blogspot URLs use the URL http://www.toptravel10.com/search.php?aid=56340&q=World+Cup as a mediator: the Blogspot URLs open this page when called, and at that point the toptravel10 domain's system decides where the user is redirected. The mediator remains constant but links to different URLs over a given period of time. In this entry the researcher was referred first to a Russian web-site, then to ICOONet (Adult DVD Downloader), and now the mediator links to VideoGalleries, which in turn offers adult-oriented software.
It is also notable the ownership information for the toptravel10.com domain is cloaked through a proxy registration service.
Why Use Blogspot?
Blogspot has been the target for similar attacks in the past. Researcher Ben Edelman’s concern about blogspot will help us understand why this case is important. From his article:
Why MSN Search?
As researchers, we might ask: "Why would someone target the MSN search system?"
The logical reasons are probably that most Windows-based operating systems default to MSN search, and/or that the orchestrator had some mastery at gaming the Microsoft ranking algorithm.
Examples of tainted URLs are:
(Note: After contacting Google last week- these are now offline!)
Are There More?
Yes. One such instance was found for the keyword "AIRLINE TICKETS".
These blog URLs may also be redirected to the same pornographic galleries, again depending on the system of rotation.
List of the following blog URLs for the keyword "AIRLINE TICKETS".
Conclusion and Final Notes:
A solution was already offered by Ben Edelman:
In terms of football (soccer) this is the equivalent of a "Yellow Card".
We must add the following caution and warning on the tactical approach.
In this particular case the unknown party used some technological sophistication coupled with knowledge of world events, search engine algorithms and planning. However, the party used poor targeting.
Let us explore a "what if" scenario...
What if the same system, using football (soccer) keywords, were used to trick a user into opening a page that asked them to view 'World Cup Bloopers' or 'World Cup Highlights', or lured users with a fake video of a 'disputed call' or 'insider interview' cobbled together from pirated video footage? The user, now contextually targeted, would probably click, and any number of hostile scenarios could be played out. The attack would be limited only by the creativity and motivation of the operator.
To use our football analogy again- this is a "Red Card".
The problem has been pointed out before- history should be the teacher.
Blog Summary Write-Up: Wayne Porter, Sr. Dir. Greynets Research
Technical Research: Peter Jayaraj, FSL Threat Researcher
- Data-Theft Worm Targets Google's Orkut
IMPORTANT UPDATE: Google has reacted very quickly to our concerns, and we have been in discussions with their top engineers. As netizens we are encouraged by their quick reaction to our concerns, and willingness to listen thoughtfully to our feedback. Successful companies like Google understand that one must be a part of the conversation, not stand outside the conversation or try to obscure it. Our hats are off!
Stay tuned for more news...(See Addendum At Bottom)
Sr. Dir. Greynets Research, FaceTime Communications
Back to the entry and analysis from Paperghost....
The idea of problems behind "gated" communities is a pretty interesting one, even more so when the idea regularly rolls around that segregating various parts of the Internet to "keep the bad guys out" would be a great idea. But what happens when those bad-guys are already inside the gates?
(Orkut is) run by Google and named after its creator, Google employee Orkut Buyukkokten. It claims to be designed to help users meet new friends and maintain existing relationships. Similar to Friendster and MySpace, orkut goes a step further by permitting "communities" of users. It is also invitation-only: users must be invited to join the community by someone already there.
So, an interesting concept. But as we saw with Myspace not so long ago, people can (and will) game the system. In this case, the targets are (primarily) Brazilian users of Orkut - because for some reason, something like 70% of all users are from Brazil, and Portuguese is the language of choice right now. Of course, Orkut are not to blame here - nor are social networking sites in general. The sad fact is, large concentrations of end-users in a confined space are like the world's biggest honeypot to a social engineer.
It figures, then, that this particular infection - a variant of an older password stealer, which we dubbed Orc.Malware - should contain a message in Portuguese. Following up a hot tip from this guy (FallenHawk, an extremely resourceful Security Researcher), I was able to get a look at something rather nasty. Something that has apparently been nailing Orkut users for at least a month or so, but (until now) has been ultra-elusive with regard to trying to pin it down. The early variants (one or two of which I've since obtained) didn't do very much, and there was no direct tie to Orkut, other than this was where the bad-guys were pushing it. Now, however, the infection will pop up a message telling you your data is being mailed off someplace, before sending you to the Orkut site (as you'll see from the video later on. Bring some popcorn).
The source of the problem is these two nasties (disguised as images), created in the System32 folder by a rogue executable file:
Let's have a look at how these things get on board in the first place. We'll start off with the method of delivery...the infection message. The most common one we've seen so far is this:
"Oi... tudo bom? Como o orkut limita a quantidade de fotos que podem ser publicadas na minha conta, eu criei um slide com algumas fotos minhas, pra ver e so clicar clicar no link!!! [link removed] - Sei que vai gostar"
A (very rough!) translation: "As Orkut limits the amount of photos that can be published in my account, I created a slideshow with some photos of mine, please click to see!"
This message is deposited in an Orkut user's "Scrapbook" (similar to a guestbook), and as the Scrapbooks are public, anyone visiting can see the link and click it. As you probably guessed, that's a real bad idea in this case.
The end-user is presented with what looks like an image file - open it up, and covert ops of the nastiest kind are instigated against the PC. Two more files are installed.
They don't look like much, but they're busy trying to drain your pockets of cash and anything else they can get their hands on. One of the files contains references to a pile of specific login pages for Brazilian banks, as well as a whole section devoted to Orkut and its Friends and Scrapbook pages. On the Orkut help site, they mention how automated Scrap sending isn't allowed:
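As an added example (not a tool used in this investigation), one defensive check for the "disguised as images" trick is to compare each file's extension with its content: a file named .jpg or .gif whose first bytes are the MZ header is a Windows executable, whatever its name says. The sample folder is constructed in a temporary directory to stand in for System32, and the file names are made up:

```python
import os
import tempfile

# Magic numbers: what a file's first bytes say it really is.
MAGIC = {
    b"MZ": "pe-executable",            # DOS/PE header of a Windows executable
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"BM": "bmp",
}
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}


def sniff_type(path):
    """Classify a file by its leading bytes, ignoring its extension."""
    with open(path, "rb") as f:
        head = f.read(16)
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def classify_directory(directory):
    """Map every regular file in the directory to its sniffed content type."""
    return {
        name: sniff_type(os.path.join(directory, name))
        for name in sorted(os.listdir(directory))
        if os.path.isfile(os.path.join(directory, name))
    }


def find_masquerading_files(directory):
    """Names of files whose extension claims an image but whose content is a PE executable."""
    return [
        name
        for name, kind in classify_directory(directory).items()
        if os.path.splitext(name)[1].lower() in IMAGE_EXTENSIONS and kind == "pe-executable"
    ]


def build_sample_dir():
    """Constructed stand-in for a System32 folder (file names and contents are made up)."""
    d = tempfile.mkdtemp(prefix="sys32-sample-")
    samples = {
        "foto1.jpg": b"MZ\x90\x00" + b"\x00" * 60,       # PE header under an image name
        "slide.gif": b"MZ\x90\x00" + b"\x00" * 60,       # same trick, different extension
        "real.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,  # a genuine PNG header
        "notes.txt": b"plain text",
    }
    for name, content in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(content)
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    print("content types:", classify_directory(sample))
    print("masquerading :", find_masquerading_files(sample))
```

Run against a real system folder the same check is cheap enough to schedule, and any hit is worth a second look: legitimate installers do not drop executables under image names in System32.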
"If you use other sites to log into orkut or send your friends scraps, you will likely be blocked from performing any actions on orkut.com for about 15 minutes and you'll see the message "We're sorry...but your query looks similar to automated requests."
However, there are many examples of people abusing the system - Orkut has had lots of problems previously with people creating Spam scripts. And this particular infection does seem to have at least a (very) basic automated functionality. I first tested this on the Eighth of June, and was more interested in the data-theft aspect at that point. I didn't see anything particularly unusual going on (beyond the keylogging, of course!) and yet when I logged in a few days later, I saw this:
During testing, I had two contacts in my "Friends" network. To my surprise, both of those users now had the infection message sitting in their scrapbooks. As you can see, the time / date of both messages is identical: 09:54 AM, 08/06/2006.
Now that's pretty freaky.
Worse still, this infection seems to be amazingly random. During one round of testing, it even deposited me into an XDCC Botnet:
Yay, I'm file-sharing pirated content!
As for how the data is actually sent back to the hacker guy, you'll probably want to check this short movie clip out:
Click here to download movie (2.90 MB)
00:00 to 00:09 seconds: End-user is going about their daily business, logging into Orkut. Note that you could be performing any web-based activity here; it's just a little thing I like to call context. Plus, I don't actually have any Brazilian bank accounts so you'll just have to make do with Orkut.
00:10 to 00:14 seconds: The end-user clicks into "My Computer". Oh dear - an "error message", warning that you have insufficient virtual memory and the application will now close (or words to that effect. I never was very good with Babelfish).
00:17 to 00:27: At this point, the end-user is probably wondering what on Earth is going on, as they see a message telling them their "form has been submitted", and that they will be redirected somewhere in 5 seconds. Can you guess where?
00:28 to 00:34: That's right, Orkut! I mean, he stole all your bank details and website logins, but at least he gives you a chance to get back into Orkut and change your password before he steals that too!
Make no mistake about it - this infection is a real nasty one. And worse still, it looks like the tip of a very ugly iceberg. I'd insert a really rubbish comment at this point about "how I hope we're not too late to avoid a Spyware-Titanic", but you'd probably hate me for it. Even if it was a nice tie in to the whole iceberg thing. So I'll just leave you with the advice that randomly clicking links to check out pictures, especially when those pictures are from some magical party you've never heard of, is probably not a very good idea.
Many thanks to Peter in our Bangalore office for his incredible sleuth work and the entire team for assisting in pulling this complex case to pieces. Special thanks to Wayne Porter for all night monitoring and revisions.
ADDENDUM: A startling event was discovered during extended testing on an infected machine, which was infected in a lab setting on the 13th of June. The link to the dangerous payload was propagated on the 16th... however the infection message is timestamped as having been sent on the 14th of June:
ADDENDUM Saturday, 17 2006 Happy Endings for Orkut
Google confirmed the worm. "We are aware of this issue and will have a temporary fix in place within the hour," a company representative said in an e-mailed statement. "We are working on a more permanent solution for users to guard against these malicious efforts."
For their protection, Orkut users, just as users of all online services and applications, should always be careful when opening or clicking on anything suspicious, the Google representative said.
Sr. Dir. Greynets Research, FaceTime Communications
- Welcome to The New Spyware Guide.com Site & Greynets Blog
Let's Dive Right Into It...
Recently, like my colleague Chris Boyd, I received the Microsoft MVP Award. I thought I might get a raise; instead I received the honor of leading the Greynets Blog! What a task it has been. Imagine having a team of extremely smart and busy analysts, researchers, and engineers from all around the world, many from different cultures, and getting them to settle down to write about their experiences and document some of their findings? Piece of cake, right?
Who is This Blog For...
Good question, and I have a good answer. The Greynets Blog carries a wide range of information to fit every type of person: the casual PC user, the new PC user, the hard-core technical user, the Enterprise manager, and intermediate users too. We even use it ourselves!
Rather than try to create a blog that is nothing but complete technical jargon, or a blog that caters only to beginners, we try to produce a good mix of novice and intermediate material. However, we know there are some hard core programmers, spyware warriors and analysts out there who enjoy a thrill ride all the way into the Matrix and back. Don't worry- we won't leave you out, because we like to visit the Matrix too. And if you are a beginner or an intermediate user you can always shoot us a question and we can try to answer it here. That is one of our aims- to educate and help people from all backgrounds understand the impact of the technology and software they use.
Think of the Greynets Blog as a salad bar...you can pick and choose exactly what you want and we never charge for seconds, as a matter of fact we encourage them and you can leave out the bean sprouts if you don't like them.
Haven't I Seen Some of You Guys Before?
Maybe... Perhaps in the press, or some of you may know me from my Revenews Blog where I bust up the financials on seedy outfits. You may know the infamous Chris Boyd, a.k.a. Paperghost from VitalSecurity.org, where he kicks up the action on malware and spyware writers "kung-fu" style; he is a recognized CNET Top 100 Blogger as well as a MSFT Security MVP x2! You will soon meet a new legion of bloggers from various disciplines and cultures- Manoj, Deepak, Peter, Charles, Chris, Tyler, Jan (who we call Obijan- which is another story from another galaxy) from across our company.
I promise more individuals will follow as we cover topics from P2P file sharing to securing IM networks and, of course, the ever present threat of spyware, malware and adware and what it means to you. Our goal is to share our experiences deep in the cyber-trenches, to educate both Enterprise users and the home PC user, and to do this through opinions backed up by facts and evidence- and hopefully entertain you occasionally. We also intend to drag in some other notables in the security industry, many of them our colleagues, and get their take on things- and who knows, maybe we can drag in an executive or two to get the 10,000 mile (or meter, if you're not from the U.S.; assume nothing) view on the future of security.
So What Is It?
Like many blogs, also known as weblogs, it contains documented experiences from the trenches- often where the real battles happen and we show it to you one bullet at a time, slow motion style, so like Neo, you can avoid the bullets but watch the ripples as they tear up the air.
Some of the experiences are quite comical, some quite sad, but they all carry the message that Internet Security is no longer simply black and white- it comes in various shades of grey. Ultimately it is up to you- the Systems Administrator or the Home PC User- to make decisions on what you want or do not want on your machine or network. After all, you have that right- it's your property!
- Deception, Deceit and Dollars- Spotting Red Flags
While Googling to download HijackThis, I spotted a link from Google's AdSense program. Check out the following screenshot:
Click Image to enlarge
(Note the Red X is part of the SiteAdvisor program, which can help users spot sites that use deceptive practices; it is only displayed if you are using the program.)
In the above screenshot, clicking the link “HijackThis Free download” opens the site http://hijack-this.net/. Naturally curiosity compelled me to dig deeper into this site, and I also wanted to know what Merijn, the original creator of HJT, had to say about this site. It appears it struck his radar a long time ago, and he was not pleased that the name of his product was being used to push other commercial products.
He states from http://www.merijn.org/
" April 22, 2005:
Just a short note on the domain HIJACK-THIS.NET: this is not mine! It has been registered by an affiliate of XoftSpy (who are also on the Rogue Antispyware List on SpywareWarrior.com) and they are luring people into downloading their software believing it is HijackThis. Also, they have registered a few AdWords at Google leading to the same result. We'll see where this goes. In the meantime, if you want to download any of my programs, the official domain is and always will be www.merijn.org."
UPDATE: April 29, 2005:
I just received word from Paretologic (the owners of XoftSpy) that the affiliate responsible for the page has been terminated and the site will be taken down. That's one down, one to go. :) "
Let's dig into this mystery...
- Dell Decrappifier- From Cluttered to Pristine
It appears this fellow isn't the only one tired of getting lots of "useful addons" on his new PC from Dell. Rather than ship a virgin system, Dell has money making deals to include certain forms of adware or sponsored search engines and they pocket the change.
This, in theory, is ok, depending on what the Dell EULA states, but what about users who do not want all of the extraneous stuff, trial installations and other unwanted programs? This person took matters into his own hands by creating and running a very simple file.
Enter the Dell Decrappifier, a script that hopefully returns your PC to its pristine state before all the marketing deals take over your coveted resources.
From their website:
It's a sad state of affairs when you buy a new computer these days and it comes pre-loaded with a ton of garbage software that brings your new machine to a crawl. If anyone's bought a Dell PC in the last few years, you probably know what I'm talking about. Just recently, I was helping a friend set up his brand new Inspiron 1300 and it took FOREVER for it to boot up. It's a very dissatisfying experience to pull a brand new computer out of the box and be spammed with a bunch of trial software. After removing all of the crap (which took a significant amount of time) it booted much faster and performed like it should. I kept thinking it would be nice to have an automated way to remove all this stuff. Thus was born the Dell De-Crapifier script.
Now, to be fair, I know most all of the major PC manufacturers have similar practices of installing trialware. I would suspect they don't make any profit on the hardware (or even a loss) and they make their money on the kickbacks from the software companies. I don't know.
Anyway, I wrote the Dell De-Crapifier using a great little scripting tool called AutoIT. You can use it to automate pretty much anything in Windows. There is also a cool editor called SciTE that gives you all the tools you need to put together a script. The best thing about this whole system is that you can generate stand alone executables that don't require a runtime.
Visit the Dell Decrappifier to see it in action. Read *carefully* before you download the file and use!
- EULA Madness Tinko Pal Revisited With Commentary
I am really ready to start tackling EULAs, so to kick things off I am revisiting a piece I did on the TinkoPal EULA months ago. Take a close look as I highlight some of the language and conditions you would accept in this EULA. For added value my comments will be in bold text surrounded by parentheses and are not a part of the EULA.
TinkoPal EULA Page: http://www.tinkopal.com/terms.html
Note: The original EULA is no longer valid at this URL.
- More On The Botnet Bust...
Check out my interview with Internetnews.com. From the article:
"We had a tip-off from an individual known as RinCe," Chris Boyd, security research manager at FaceTime, told internetnews.com. "With his assistance, we were able to map the activities of these groups in great detail. From there, it was a case of analyzing all the files, making the right connections, finding compromised servers and gathering more data."
...and how sweet it is.
When you're done there, we have more coverage on Techweb :
"They're using the kitchen sink approach times one hundred," said Boyd.
As far as notable quotables go, that's a cliche-laden screamer, wouldn't you say? On the other hand, it's a more than accurate description of the scam at hand. Stay frosty...
- IM E-commerce Database Theft
Not good, is it? Bad guys using custom built scripts to steal card data from payment databases. Botnets. Adware installs. The whole nine yards. For a quick summary of what we found, read this, and this. When you're done with those, you might want to check out our interview with the guy who provided the initial tip-off, RinCe.
My humble opinion? One of the nastiest scams I've come across, and proof (if it were needed..which it isn't) that kids are happily swapping your card details like Pokemon cards and they really couldn't care less. Bottom line - start thinking protection, or else it'll soon be a case of damage limitation.
- Google API: Geocoding Spyware Pushers and Adware Vendors
Click here: List of Software Vendors to see it in action. (Please no yelling if it doesn't work. It's not even beta.)
Some observations already ([Insert disclaimer about small dataset here]):
- These companies seem to cluster together. You can notice some definite grouping. Coincidence?
- Some of them have really neat offices. Select one, zoom in to max level and switch to "satellite mode" to see them.
- Look at some of the exotic locations! Here is one in Hawaii!