Tuesday, March 31, 2009

The imminent demise of the Internet ...

is being greatly exaggerated, in case you haven't figured it out by yourself.

What's happening is that people are worried because the Conficker worm is due to do "something" on Apr 1st, and no one knows exactly what. Human nature being what it is, some folks are fixating on the worst possible outcome. It'd be pretty bad if you got hit by a meteor too, but no one is building meteor shelters.

There are two main issues to consider here. The first is that Conficker is a pretty well-thought out attack, and it's pretty unlikely that they want to do anything but make money for their efforts. It's not in their, or anyone's interests to try to kill the Internet. They can't make money if they do that. They don't want to chop down the apple tree... they just want to shake it and pick up the apples that fall off.

The second is that this is a government/ corporate/ education problem... not a consumer. The two main vectors for spreading are a vulnerability in a service called RPC, which was patched in October 2008, and poorly protected network shares. The only people that have networks and who also don't patch are government, corporates and education users. Fortunately, they're also the folk that have staff with expertise that they can call on to fight back. The worm probably grabbed millions of users right out of the box in December 2008, but any gov/ corp/ edu user who is still infected after five months, deserves it. On the other hand, JoeThe Plumber almost certainly allows automatic patching each month, and probably doesn't have much of a network, and presents a much smaller target.

Yes, some of Joe's friends will have been nailed by now, by infected USB keys or something, but it's not going to be a massive number of users. The conficker botherders will simply have achieved their goal of building a fairly bullet-proof botherd, and will now "farm" that botnet, while they prepare their next attack. (We will see things like this again, so now would be a good time to upgrade to AVG identity protection ... it'll provide a good safety net for the next attack)

By the way, I think this is a fairly predictable consequence of playing whackamole with botherds. All you do is cull the weak ones from the herd, and encourage the smarter ones to build a stronger botnet.

All in all, I think the date of April 1st is entirely (if accidentally) appropriate.

Keep safe, folks.

Roger

Saturday, March 28, 2009

KoobFace, Facebook and Classmates... oh my.

Hi folks,


So, the March pitch from KoobFace seems to be bigger in scope...well, that's if you can derive stats from a sample-base of one, because I've personally received three pitches this time... One for FaceBook, and two for Classmates.com... but the basic pitch is the same.

It comes as an email along these lines ... : "Girls in beautiful black underwear dancing in the pub, showing off perfect bodies. Unbelievable Final!".

If you go to the webpage in the email, it looks pretty much like the site is Facebook or Classmates, because the fake site draws a bunch of content directly from the real site, like this ...





and, of course, the aim is to get you to download a fake Adobe update, which is really the worm.

Of course, if you look at the url in the browser bar, it is obviously not really FaceBook, but that's not the point. They don't expect to fool everybody .... they just want to fool enough bodies.

And, of course, it goes without saying that LinkScanner detects and blocks the fakes just fine.

Oh, and I am kidding about deriving stats from a sample-size of one. :-)

Keep safe folks,

Roger

Monday, March 16, 2009

One website cleaned ... many more to go

Hi folks,

Just a quick note to share that the hacked page at phoenix.spelthorne.gov.uk has been cleaned, and no longer displays "Fatal Error ownz you" and is no longer redirecting to sites in Turkey.

We have, however, found lots of other .gov.uk websites with hacked and (sometimes) infective pages, which we'll blog about shortly.

Cheers

Roger

To be notified of updates to this blog, please follow me on Twitter

Thursday, March 12, 2009

Oh goody! City of Streator has a Yahoo counter!

The page looks quite normal, except that LinkScanner knows better and has told us that it contains a fake Yahoo! counter, and if you look at the source, sure enough you see this block of code ...



As readers of this blog will know, one of the more commonly-encountered web tricks is a Yahoo-counter-that-is-not-a-counter. Instead of counting visitors, it reaches out to an exploit site and ... counts victims.


This gang's specialty is to hack into an innocent website, and turn it into a unwitting lure... all the website's visitors are probed by the villains, and if they're vulnerable... wham! the visitor is a victim of a drive-by download.

Here's a sample from today's hack list. (*** AGAIN.... DON"T GO TO THE PAGE ... IT MIGHT BE STILL INFECTIVE ***)

This page, hxxp://www.ci.streator.il.us/cms/index.php?page=fire-department-faq-s, looks like this ...





If you look closely at the code you see not one, but _two_ yahoo counters! How exciting! This means they've been whacked not once, but twice. :-)

And sure, enough, if we look at the critical files list, we see the start of an infection cycle...



I find that outing a site on this blog is actually the best way to get it cleaned up. It's much more effective than me trying to explain to confused support staff, so c'mon City of Streator guys.... please clean your site, and fix the hole that allowed the Bad Guys in in the first place. You're probably running a vulnerable php tool or version.

Readers, please remember that City of Streator is an innocent victim too... they didn't mean for this to happen, but they do need to fix it.

Look both ways when crossing the web, folks.... it's dangerous out there.

Roger

Ps to be notified of updates to this blog, please follow me on Twitter

Monday, March 9, 2009

There's a bit of bad luck!

*** WARNING - This website is probably still hacked and infective, so please don't go there unless you really know what you're doing***

A couple of days ago, LinkScanner started detecting (and blocking) a page of a UK gov website, so we thought we'd take a look. This is the screen we were presented with ...




The "Fatal Error ownz you" is a fair clue that something is not quite right here. ;-)

While reading that, you are quickly and automatically redirected to this website ...




I'm reasonably confident that a Brit government website shouldn't be transferring you to (what I think is ) a Turkish one, so this is a fair second clue that something is wrong.

Once we establish that a site is hacked, we like to see how long it has been hacked, because mostly it's quite a quick thing ... most sites get hacked and cleaned up in under a couple of days... The best way to find out is to look at the search engine cached pages, so we had a look at the google cache, and to our surprise, we saw this page.... (again, don't even go to the cached pages, unless you know what you're doing, because if the page was infective when the search bots indexed it, it'll still be infective in the cache) ....




On January 24th, when the google bots crawled by, it was hacked again, by a different crew! That's what's known in the biz as a Bit Of Bad Luck (tm) !

So, just to be sure that they are not serially and constantly hacked, we consulted two more caches... The msn Live cache snapshot was taken on March 4th, and shows it clean...




and the ask.com cache snapshot was taken on January 7th, and it was clean then too.




The webmasters are obviously cleaning things up as quickly as they realize they have a problem, but seemingly have yet to plug the hole that the Bad Guys are using to get in. It just shows how tricky it is to keep your websites clean, and it shows how pointless it is to blacklist websites via a central database... it's always too slow to realize something is hacked, and too slow to realize it's cleaned up.

Stay safe folks,

Roger

To be notified of blog updates, please follow me on Twitter

Friday, March 6, 2009

KoobFace

Hi folks,

I've just realized that I didn't make it clear that this post is actually about KoobFace.

Cheers

Roger

Wednesday, March 4, 2009

UsAid site hacked and infective

Hi folks,


The usaid.gov site for Azerbaijan is hacked and infective. _DO NOT GO TO THEIR SITE_. We made a vid to show what happens, because that's much safer than visiting, and it is viewable here...

Screen shots are a little bit blurry this time ... sorry about that... we've changed our screen resolution for captures and it didn't quite work out, but you can still get the idea.

Cheers

Roger

Monday, March 2, 2009

Watch out for fake FaceBook emails

Today, one of our old friends, Mark Coker got three different emails purporting to be about Facebook. He twittered about it here and asked me what it was about.

He actually got three emails, all in short order, with this subject (remember, future attempts will have different subjects) ...

Review - My family invite you out for lunch, don't hesitate!

And if you click the embedded link, you're taken to a fairly convincing looking facebook page...




Notwithstanding the funny looking url that I've circled in red, the rest of the page looks convincing. If you are alert enough to look at the url, then you know you're not at a real FB page, but as I've often said, they don't want to catch everyone.. .they don't want to cut down the apple tree... they just want to shake it and pick up the apples that fall off.

If you click anywhere on the image, you get the "pitch" screen, that looks like this...




and then you get a convincing looking adobe download dialog. Given the number of recent Adobe updates, this will catch a bunch of folk, and they will indeed run the installer. This approach, by the way, works no matter how well you are patched, and probably even works if you are running full-blown UAC in Vista....



If you run it, of course, you no longer own your machine. It belongs to them, because it installs a rootkit....



This one is worse than most, because once it runs, it's subtle... it doesn't pop up messages asking you to install some antispy ... it's just _got_ you.

Remember, as the economy worsens around the world, the Bad Guys are more motivated than ever to get into your pc.

Keep safe folks,

Roger