July 12, 2009

I think I know what the DDoS was about

If you've watched any news broadcasts since the 4th of July, you'll be aware that certain US and South Korean government and commercial websites have been under Distributed Denial Of Service (DDoS) attack. Early on, someone pondered for a minute or two about who might be a common enemy to both the US and SK, and the obvious answer was .... gasp... North Korea!!! And if NK is the perp, then clearly this is ... cyberwar!!! Holy Moley Batman!!!! Quick ... run to the bunkers!


It's obviously a great headline, but most actual security folk took the view that it's just a DDoS, for goodness sake. If we can't get to Whitehouse.gov for a few days, the world is not going to end. The tourists will still take their photos from the street, and the rest of us will just get another cup of coffee while we wait for it to end. DDoS attacks are really easy to do, and impossible to prevent up front. It's just that they're not profitable, so no one bothers in this day of "Show me the money for my malcode". And it was silly to blame North Korea, because the whole point of a DDoS from a remote-controlled botnet is that no one really knows who's driving it.

Now, having had a look at the disparate list of victim websites, my initial thought was that it was a disgruntled businessman targeting the Federal Trade Commission, and shooting at everyone else to conceal their real target, but then we realized that the malcode was programmed to self-destruct, starting July 10th, by erasing the first megabyte of the victim's hard drive!

At least this would effectively clean up these computers. 

After we got over laughing about botmasters destroying their own botnet, and making jokes like "Don't these guys understand how retaliation works?", etc, the light slowly dawned on us that maybe they did understand exactly what they were doing.

It's not cyber-war ... it's someone who's worried about the growing plethora of botnets on the Internet, and who's trying to make people care enough to do something about it! A vigilante!

Think about it.

Why bother nuking 60k computers after doing all the work of assembling them? Nuking them only helps the Good Guys, because the victims are forced to re-build, and therefore clean, their computers.

Why bother with a DDoS of a bunch of disparate government and commercial websites? Nobody was really impacted ... border routers were reprogrammed to deflect the DDoS off any important sites... the only thing it really did was cause a bunch of lawmakers to point the finger at North Korea.

And the only other thing it really did was make lawmakers think "If North Korea could do this with a mere 60k machines, what could Al Qaeda do with a big botnet of 300k machines?" 

Big botnets are really common, by the way.

The only reasonable explanation for the whole thing is that it was someone who is worried about the botnet problem, and who wanted to make lawmakers think about it, and do something about it.

A high-tech vigilante.

By the way, the vigilante has a point. Botnets are a real problem, and we need to mitigate them a bit. Most ISPs could do something, except that their give-a-darn bone is broken.

Incidentally, the erase-one-MB thing reminds several of us of the CIH virus. The underground scuttlebutt about the CIH author was that he was hired by Taiwanese military intelligence. It's an easy mind-wander to wonder if there's a connection there. Surely not. :-)

Keep safe folks.

Ps ... please follow me on twitter
and for support, please go here

July 06, 2009

Heads up - new 0-day

Hi folks,


A nifty new 0-day has appeared on multiple (mostly) Chinese sites overnight. It involves an ActiveX control called the Microsoft Streaming Video control. At this point, it seems to work _really_ well, so it's likely to become a staple of would-be exploitive websites for years to come. LinkScanner detects it just fine, and we may make extra releases to deal with variants over the next few days, so make sure you stay up to date.

We'll add more information here as we find more out.

Cheers

Roger


Update #1

Hi folks,

Just a quick note to tell you that the exploit is indeed spreading. It doesn't seem to have made its way into the overtly criminal activity yet, or into the exploit packs, but it's a given that it will. Still no patch from Microsoft. If you are not running the professional version of AVG, the one with Identity Protection, it'd be a good idea to upgrade at this point.

Cheers

Roger

June 05, 2009

Unfortunate brand squatting

Hi folks,


A common practice among enterprising webmeisters is what's known as brand-squatting. That's where you find a domain whose owner has neglected, or not bothered, to renew it, and it's up for grabs. If you get something modestly popular, then you get the benefit of whatever residual traffic they've generated as a starting point. Makes sense for most domains.

This time, however, someone re-registered and re-vitalized one of the most notorious brands in malcode history .... coolwebsearch ! :-) :-) :-) 

Not only that, but while it was a search-enginey kind of page, it was also hosting an exploit!!! Whether that was deliberate or accidental is not clear, but it doesn't matter much as it's down now.

coolwebsearch.us was registered on about the 18th of April 2009, and our first detection was 24th April. Our last was yesterday, but as this graph shows, activity has been tapering off anyway.

Here's a graph of the detection events our users told us about.

[Graph: Activity]

As you can see, we had about 11,000 hits spread over 40 days, across 106 countries.

It's a dangerous internet folks, but at least it's sometimes funny.

Keep safe,

Roger


May 10, 2009

Here's a whoopsie to start the week.

*** don't go to any of these websites... they seem safe today, but you can't be certain, and it's better to avoid them ***

It's just a simple (and common) script injection, but the victim is kind of interesting. Seems like none other than the City of London website has poor security. :-) 


As usual, the page itself renders just fine, and looks like this ...

[Image: Main page]


but if you have a look at the source, you see something like this ...

[Image: Injections]

If you look closely, you see references to URLs like 4log-in.ru, and in fact there are eight different ones...

www.ojns.ru/js.js
www.ujnc.ru/js.js
www.64do.com/script.js
www.mnicbre.ru/script.js
www.4log-in.ru/script.js
www.berjke.ru/script.js
www.wmpd.ru/style.js
www.lijg.ru/script.js

(again, don't go to these places unless you know what you're doing, because you might get nailed)

What this means is that the City of London website has been nailed, not once, but _eight_ times.

Fortunately, the site is seemingly not infective, so the injections have only partly worked, but then again, it might depend on what you click on the page, and there might well be other hacked pages that we've not discovered yet.

What needs to happen is that the injections need to be removed, and the City of London webmeisters need to find the form that is allowing the injections, and fix it.
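Here is an added example of the kind of check that turns up injections like these; it's my code, not code from the original post or from LinkScanner. It parses a page's source and lists every remote script include whose host is not the site's own, which is exactly how the eight injected hosts above stand out. The sample HTML is constructed (a plausible council page with the eight includes appended before </body>), and the site's own hostname, council.example, is an assumption.

```python
"""List remote <script src=...> includes whose host is not the site's own.

Added example for this page, not code from the original post or from
LinkScanner. The sample HTML is constructed: a plausible council page with
the eight injected includes listed in the post appended before </body>.
The site's own hostname, council.example, is an assumption.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not the real City of London source).
SAMPLE_HTML = """<html><head><title>Council</title>
<script src="/js/menu.js"></script>
<script src="http://www.council.example/js/site.js"></script>
</head><body><p>Welcome</p>
<script src="http://www.ojns.ru/js.js"></script>
<script src="http://www.ujnc.ru/js.js"></script>
<script src="http://www.64do.com/script.js"></script>
<script src="http://www.mnicbre.ru/script.js"></script>
<script src="http://www.4log-in.ru/script.js"></script>
<script src="http://www.berjke.ru/script.js"></script>
<script src="http://www.wmpd.ru/style.js"></script>
<script src="http://www.lijg.ru/script.js"></script>
</body></html>"""


class ScriptSrcCollector(HTMLParser):
    """Record the src attribute of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":          # HTMLParser lower-cases tag and attribute names
            return
        for name, value in attrs:
            if name == "src" and value:
                self.srcs.append(value.strip())


def external_script_hosts(html, site_host, allowed=frozenset()):
    """Return [(src, host)] for script includes served from a host that is
    neither site_host, a subdomain of it, nor in the allowed set.

    Relative URLs (no host) are same-origin and skipped; protocol-relative
    //host/file URLs are handled by urlparse like absolute ones.
    """
    collector = ScriptSrcCollector()
    collector.feed(html)
    site_host = site_host.lower()
    flagged = []
    for src in collector.srcs:
        host = urlparse(src).hostname
        if host is None:
            continue
        host = host.lower()
        if host == site_host or host.endswith("." + site_host) or host in allowed:
            continue
        flagged.append((src, host))
    return flagged


def distinct_hosts(html, site_host, allowed=frozenset()):
    """Sorted set of off-site script hosts; the count tells you how many
    separate injections a page carries (eight in the sample)."""
    return sorted({host for _, host in external_script_hosts(html, site_host, allowed)})


if __name__ == "__main__":
    for src, host in external_script_hosts(SAMPLE_HTML, "council.example"):
        print(f"off-site script: {host:24s} {src}")
    print(len(distinct_hosts(SAMPLE_HTML, "council.example")), "distinct injected hosts")
```

In practice you feed it the fetched source of each page on the site and pass any legitimate third-party hosts (analytics, CDNs) in the allowed set, so that whatever remains in the output is an injection to remove, and a pointer to the input that let it in.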

It's a dangerous Internet, folks. Keep safe.

Cheers

Roger


April 09, 2009

Conficker updating?

Hi folks,


It seems like Conficker might be updating itself. Quietly... surreptitiously... but updating nonetheless. If we are correct that the aim of the authors was to build a fairly bullet-proof botnet, this is to be expected, and again, we now expect them to farm it. They'll install a keylogger and watch for bank-account logins, and credit card numbers, and try to make money.

We'll keep watching and analyzing it, and will let you know.

We can also expect copycats to try to follow this path and use the same infection techniques (we already saw one with the Neeris worm), so if you haven't already updated to AVG 8.5, which adds full LinkScanner real-time surf monitoring, and the Identity Protection (real-time behavior monitoring), now would be a Good Time (tm) to do so.

Keep safe folks,

Roger
 

April 05, 2009

The gift that keeps on giving

So... years ago, I wrote a program called WormRadar. It was designed to detect and measure the malware of the day, worms. More recently, the web became the main attack vector, and we started building programs to detect and measure that activity (which is where LinkScanner came from), and WormRadar gradually fell into disuse. Really recently (as opposed to more recently, and yes, my old English teacher wants to rap my knuckles for that), we cranked up a WormRadar node again, just to see what new things were circulating, and the number one thing we're detecting is .... Slammer!!!!!!


Now, many readers will already see the funny side of that, but many will also not, so for the "nots" ... SQL Slammer was a worm that appeared in January 2003, and really hit the Internet hard. That was pretty amazing at the time, because it exploited a vulnerability that had been patched as MS02-039... _six_ months earlier. In other words, although a patch had been released for six months, so many people had not patched, that the worm was able to be a major spreader six months later.

Then, in 2004, Microsoft released XP Service Pack 2, in which the firewall was on by default for the first time, and this was really an Extinction Level Event for most worms, because even little old Windows firewall is enough to stop all worms. There have not been any worms since then that can force their way through the firewall from outside. Conficker, for example, relies on getting inside the firewall by some other method... USB drive... social engineering ... whatever... and then runs rampant inside a network, but it can't _force_ its way in.

This then, is the amusing and amazing thing about Slammer... it's still alive and well six _years_ after its first appearance, which is six _years and six months_ after the patch was released!

In other words, there are computers which are just never patched!!!! 

There is a name for this type of user .... Victims!
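As an added example of what a WormRadar-style node does with the traffic it sees (my code, not WormRadar's and not from the original post), here is a classifier for UDP datagrams to port 1434, the SQL Server Resolution Service port Slammer abused. It relies on the publicly documented shape of the worm packet: a 376-byte payload that starts with 0x04 (the service's instance-request type) followed by a long run of 0x01 bytes that overflows the instance-name buffer. The run-length threshold, the addresses and the sample frames are constructed assumptions, and the exploit body in the sample is filler, not the worm's code.

```python
"""Heuristic classifier for SQL Slammer propagation datagrams.

Added example, not WormRadar code and not from the original post. Uses the
documented packet shape: UDP to port 1434, 376-byte payload, first byte 0x04
followed by a long run of 0x01. Sample frames below are constructed.
"""
import struct

SQL_BROWSER_PORT = 1434
SLAMMER_PAYLOAD_LEN = 376      # documented size of the worm's UDP payload
MIN_ONE_RUN = 64               # assumption: far longer than any real instance name


def parse_ipv4_udp(frame):
    """Parse an IPv4+UDP datagram; return (src, dst, sport, dport, payload) or None."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 17 or len(frame) < ihl + 8:      # 17 = UDP
        return None
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    sport, dport, ulen, _csum = struct.unpack("!HHHH", frame[ihl:ihl + 8])
    payload = frame[ihl + 8:ihl + max(ulen, 8)]     # ulen counts the 8-byte UDP header
    return src, dst, sport, dport, payload


def leading_run(payload, start, byte):
    """Length of the run of `byte` beginning at `start`."""
    n = 0
    while start + n < len(payload) and payload[start + n] == byte:
        n += 1
    return n


def classify_ssrs(payload):
    """'slammer', 'suspicious' (overflow-shaped but not the worm's exact size),
    'ssrs-request' (ordinary 0x04 instance lookup) or 'other'."""
    if not payload or payload[0] != 0x04:
        return "other"
    run = leading_run(payload, 1, 0x01)
    if run >= MIN_ONE_RUN and len(payload) == SLAMMER_PAYLOAD_LEN:
        return "slammer"
    if run >= MIN_ONE_RUN:
        return "suspicious"
    return "ssrs-request"


def inspect(frame):
    """Verdict for one frame, or None if it is not UDP to port 1434."""
    parsed = parse_ipv4_udp(frame)
    if parsed is None:
        return None
    src, dst, _sport, dport, payload = parsed
    if dport != SQL_BROWSER_PORT:
        return None
    return {"src": src, "dst": dst, "verdict": classify_ssrs(payload)}


def scan(frames):
    """Tally verdicts over a batch of frames (the WormRadar-style count)."""
    counts = {}
    for frame in frames:
        result = inspect(frame)
        if result is not None:
            counts[result["verdict"]] = counts.get(result["verdict"], 0) + 1
    return counts


def build_udp(src, dst, sport, dport, payload):
    """Build a constructed IPv4+UDP frame (checksums zeroed; fine for offline parsing)."""
    ip_src = bytes(int(x) for x in src.split("."))
    ip_dst = bytes(int(x) for x in dst.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                         ip_src, ip_dst)
    udp_hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return ip_hdr + udp_hdr + payload


# Constructed samples: a worm-shaped datagram (NOP filler stands in for the exploit
# body) and a normal instance lookup.
SLAMMER_LIKE = build_udp("10.0.0.5", "10.0.0.9", 1040, SQL_BROWSER_PORT,
                         b"\x04" + b"\x01" * 96 + b"\x90" * (SLAMMER_PAYLOAD_LEN - 97))
NORMAL_REQUEST = build_udp("10.0.0.7", "10.0.0.9", 1040, SQL_BROWSER_PORT,
                           b"\x04SQLEXPRESS\x00")

if __name__ == "__main__":
    for frame in (SLAMMER_LIKE, NORMAL_REQUEST):
        print(inspect(frame))
    print(scan([SLAMMER_LIKE, NORMAL_REQUEST, SLAMMER_LIKE]))
```

A node like this, fed a pcap of unsolicited traffic to a listening address, gives you the "still alive six years later" count directly: each 'slammer' verdict is a source that never took MS02-039.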

Keep safe folks! (Oh, and keep patched! ;-)) 

Roger

April 01, 2009

The imminent demise of the Internet...

is being greatly exaggerated, in case you haven't figured it out by yourself.


What's happening is that people are worried because the Conficker worm is due to do "something" on Apr 1st, and no one knows exactly what. Human nature being what it is, some folks are fixating on the worst possible outcome. It'd be pretty bad if you got hit by a meteor too, but no one is building meteor shelters.

There are two main issues to consider here. The first is that Conficker is a pretty well-thought-out attack, and it's pretty unlikely that they want to do anything but make money for their efforts. It's not in their, or anyone's interests to try to kill the Internet. They can't make money if they do that. They don't want to chop down the apple tree... they just want to shake it and pick up the apples that fall off.

The second is that this is a government/ corporate/ education problem... not a consumer problem. The two main vectors for spreading are a vulnerability in a service called RPC, which was patched in October 2008, and poorly protected network shares. The only people that have networks and who also don't patch are government, corporates and education users. Fortunately, they're also the folk that have staff with expertise that they can call on to fight back. The worm probably grabbed millions of users right out of the box in December 2008, but any gov/ corp/ edu user who is still infected after five months, deserves it. On the other hand, Joe the Plumber almost certainly allows automatic patching each month, and probably doesn't have much of a network, and presents a much smaller target.

Yes, some of Joe's friends will have been nailed by now, by infected USB keys or something, but it's not going to be a massive number of users. The conficker botherders will simply have achieved their goal of building a fairly bullet-proof botherd, and will now "farm" that botnet, while they prepare their next attack. (We will see things like this again, so now would be a good time to upgrade to AVG identity protection ... it'll provide a good safety net for the next attack)

By the way, I think this is a fairly predictable consequence of playing whack-a-mole with botherds. All you do is cull the weak ones from the herd, and encourage the smarter ones to build a stronger botnet.

All in all, I think the date of April 1st is entirely (if accidentally) appropriate.

Keep safe, folks.

Roger

March 28, 2009

KoobFace, FaceBook, and Classmates.... again

Hi folks, 


So, the March pitch from KoobFace seems to be bigger in scope...well, that's if you can derive stats from a sample-base of one, because I've personally received three pitches this time... One for FaceBook, and two for Classmates.com... but the basic pitch is the same.

It comes as an email along these lines ... : "Girls in beautiful black underwear dancing in the pub, showing off perfect bodies. Unbelievable Final!". 

If you go to the webpage in the email, it looks pretty much like the site is Facebook or Classmates, because the fake site draws a bunch of content directly from the real site, like this ...

[Image: Pitchmod]



and, of course, the aim is to get you to download a fake Adobe update, which is really the worm.

Of course, if you look at the url in the browser bar, it is obviously not really FaceBook, but that's not the point. They don't expect to fool everybody .... they just want to fool enough bodies.

And, of course, it goes without saying that LinkScanner detects and blocks the fakes just fine.

Oh, and I am kidding about deriving stats from a sample-size of one. :-)

Keep safe folks,

Roger

March 16, 2009

One website cleaned... many more to go.

Hi folks,


Just a quick note to share that the hacked page at phoenix.spelthorne.gov.uk has been cleaned, and no longer displays "Fatal Error ownz you" and is no longer redirecting to sites in Turkey.

We have, however, found lots of other .gov.uk websites with hacked and (sometimes) infective pages, which we'll blog about shortly.

Cheers

Roger


March 13, 2009

Oh goody! City of Streator has a Yahoo counter!

As readers of this blog will know, one of the more commonly-encountered web tricks is a Yahoo-counter-that-is-not-a-counter. Instead of counting visitors, it reaches out to an exploit site and ... counts victims.


This gang's specialty is to hack into an innocent website, and turn it into an unwitting lure... all the website's visitors are probed by the villains, and if they're vulnerable... wham! the visitor is a victim of a drive-by download.

Here's a sample from today's hack list. (*** AGAIN.... DON'T GO TO THE PAGE ... IT MIGHT BE STILL INFECTIVE ***)

This page, hxxp://www.ci.streator.il.us/cms/index.php?page=fire-department-faq-s, looks like this ... 

[Image: Home page]


The page looks quite normal, except that LinkScanner knows better and has told us that it contains a fake Yahoo! counter, and if you look at the source, sure enough you see this block of code ...


[Image: Source]


If you look closely at the code you see not one, but _two_ yahoo counters! How exciting! This means they've been whacked not once, but twice. :-)

And sure enough, if we look at the critical files list, we see the start of an infection cycle...

[Image: Critical files]

I find that outing a site on this blog is actually the best way to get it cleaned up. It's much more effective than me trying to explain to confused support staff, so c'mon City of Streator guys.... please clean your site, and fix the hole that allowed the Bad Guys in in the first place. You're probably running a vulnerable php tool or version.

Readers, please remember that City of Streator is an innocent victim too... they didn't mean for this to happen, but they do need to fix it.

Look both ways when crossing the web, folks.... it's dangerous out there.

Roger



AVG's Homepage | About Us | Privacy Policy | © 2008 AVG Technologies