<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-6932569542163769993</id><updated>2012-02-16T00:42:53.250-08:00</updated><category term='hardening iOS'/><category term='hacked uk gov'/><category term='419 scam'/><category term='stories of human kindness'/><category term='iPhone trick'/><category term='nytimes malicious ad'/><category term='mule'/><category term='hacked uk website cleaned'/><category term='waldec storm botnet valentines'/><category term='exploits targeted by user agent'/><category term='fox news hacked'/><category term='weird blogs'/><category term='DSD'/><category term='ddos'/><category term='hacked gov site city streator'/><category term='NBC Twitter account hack'/><category term='fake facebook emails'/><category term='FaceBook contact list'/><category term='fake yahoo counter'/><category term='phone numbers'/><category term='el fiesta firefox behavior'/><category term='conficker identity theft'/><category term='city of london hacked'/><category term='thedeadpit'/><category term='march koobface facebook classmates'/><category term='hacked gov website'/><category term='slammer'/><category term='passwords phishing'/><category term='diginitar hack'/><category term='md5 failure rogue cas'/><category term='coolwebsearch'/><category term='amy winehouse scam'/><category term='A trap for young players'/><category term='winbudget yay'/><title type='text'>Thompson Cyber Security Labs</title><subtitle type='html'></subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://tcsltesting.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/6932569542163769993/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://tcsltesting.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Roger Thompson</name><uri>http://www.blogger.com/profile/16820150960002669874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/-izIORnhF9sE/ThJUleD6j7I/AAAAAAAAALw/ZTBZa5rbfSI/s1600/rjt.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>36</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-6932569542163769993.post-4077405238219911164</id><published>2011-09-09T16:04:00.001-07:00</published><updated>2011-09-09T16:28:20.314-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='NBC Twitter account hack'/><title type='text'>NBC Twitter account</title><content type='html'>Hi folks,&lt;br /&gt;&lt;br /&gt;So, today, in an (impressively successful) attempt to prove how irresponsible some people can be, some morons calling themselves ScriptKiddies managed to sneak into NBC's Twitter account, and posted fake alerts about a hijacked plane crashing into the World Trade Center site.&lt;br /&gt;&lt;br /&gt;It's not clear how they got in yet, but I have a feeling it was password re-use. Yes, I know the password might have just been phished, and I know it might have been a weak password which was guessed, but I doubt that it was brute-forced, as Twitter learned that lesson years ago. 
&lt;br /&gt;&lt;br /&gt;Entirely too many people use just one, or a few, passwords for all their web access, and there are simply too many places we log in now, and if one falls, they all fall.&lt;br /&gt;&lt;br /&gt;There are three lessons from this:&lt;br /&gt;&lt;br /&gt;(1) Don't take Tweets too seriously. People do get their accounts nailed from time to time.&lt;br /&gt;(2) Subscribe to multiple sources. If something important does happen, multiple sites will report it.&lt;br /&gt;(3) Most importantly, please use one password, or passphrase per site, and either write them down and keep them in your wallet, or use some password keeping software, but don't re-use passwords.&lt;br /&gt;&lt;br /&gt;Password re-use is your enemy.&lt;br /&gt;&lt;br /&gt;Roger&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6932569542163769993-4077405238219911164?l=tcsltesting.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tcsltesting.blogspot.com/feeds/4077405238219911164/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6932569542163769993&amp;postID=4077405238219911164' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/4077405238219911164'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/4077405238219911164'/><link rel='alternate' type='text/html' href='http://tcsltesting.blogspot.com/2011/09/nbc-twitter-account.html' title='NBC Twitter account'/><author><name>Roger Thompson</name><uri>http://www.blogger.com/profile/16820150960002669874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' 
src='http://4.bp.blogspot.com/-izIORnhF9sE/ThJUleD6j7I/AAAAAAAAALw/ZTBZa5rbfSI/s1600/rjt.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6932569542163769993.post-7791436582849239112</id><published>2011-09-05T18:47:00.000-07:00</published><updated>2011-09-05T19:22:10.230-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='diginitar hack'/><title type='text'>Diginotar notes</title><content type='html'>So, over the weekend, we became aware that a Dutch certificate authority had been hacked, and a whole truckload of fake certificates issued for people like google, cia.gov, and mossad, to mention just a few of the more embarrassing ones. In the fullness of time, it's become clear that the initial result of this is that for at least a day, Iranian Internet users were subject to mass Man In The Middle attacks. &lt;br /&gt;&lt;br /&gt;The certificates have now been revoked, but there is a certain amount of damage already done.&lt;br /&gt;&lt;br /&gt;What this means to those who have been attacked, is that authorities probably read a whole lot of their supposedly private emails, and may have stolen their login credentials for future use. If you happen to be an Iranian dissident, that's probably not good news for you.&lt;br /&gt;&lt;br /&gt;There are a couple of shoes left to drop, however. The first is that some of these certificates could probably be used to sign executable code, which in turn will make it easier to slip targeted malcode into a victim's system. Stuxnet, you might recall, was code signed with stolen certificates, so as to avoid Windows warnings. &lt;br /&gt;&lt;br /&gt;I don't like this idea at all, as I'm fond of having electricity, and would prefer if it stayed on. 
Just sayin'&lt;br /&gt;&lt;br /&gt;The second, and bigger shoe, is the simple idea that a medium-sized Certificate Signing Authority can (a) have so much power, and (b) be so poorly defended.&lt;br /&gt;&lt;br /&gt;How many more such authorities are there? It's worth pointing out that this is probably the second hack of a CA by the same guy, and we may be confident that he'll find more.&lt;br /&gt;&lt;br /&gt;The really sad thing is that there is no easy solution for this. No single bit of software, like anti virus, will protect us.&lt;br /&gt;&lt;br /&gt;The best we can do is to start layering in defenses. &lt;br /&gt;&lt;br /&gt;For starters, make CAs show some level of security sense.&lt;br /&gt;&lt;br /&gt;From an end user point of view, use only one password for each site.&lt;br /&gt;&lt;br /&gt;Create a user-grade account for your PC, and use it on a daily basis, instead of admin level.&lt;br /&gt;&lt;br /&gt;If your computer warns you about a dodgy certificate for a website, or for an executable... listen to it.&lt;br /&gt;&lt;br /&gt;Keep patched (obviously) and find an av program that doesn't rely on signatures.&lt;br /&gt;&lt;br /&gt;Most importantly, more needs to be done by ISPs, and backbone providers. Botnets have to be reduced. &lt;br /&gt;&lt;br /&gt;We have probably reached a point where machines cannot be allowed on the Internet if they are showing they are infected. 
As it is, no one cares, as there is no revenue in it.&lt;br /&gt;&lt;br /&gt;This has to change.&lt;br /&gt;&lt;br /&gt;Roger&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6932569542163769993-7791436582849239112?l=tcsltesting.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tcsltesting.blogspot.com/feeds/7791436582849239112/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6932569542163769993&amp;postID=7791436582849239112' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/7791436582849239112'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/7791436582849239112'/><link rel='alternate' type='text/html' href='http://tcsltesting.blogspot.com/2011/09/diginotar-notes.html' title='Diginotar notes'/><author><name>Roger Thompson</name><uri>http://www.blogger.com/profile/16820150960002669874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/-izIORnhF9sE/ThJUleD6j7I/AAAAAAAAALw/ZTBZa5rbfSI/s1600/rjt.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6932569542163769993.post-332424956459381459</id><published>2011-08-10T19:35:00.000-07:00</published><updated>2011-08-10T20:03:31.649-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='phone numbers'/><category scheme='http://www.blogger.com/atom/ns#' term='FaceBook contact list'/><title type='text'>FaceBook _didn't_ screw up</title><content type='html'>Hi folks,&lt;br /&gt;&lt;br /&gt;This morning, following a friend's status update, I looked at my contacts list on FaceBook, and was horrified to see a huge list of friends and 
their _phone numbers_! (If you want to see it yourself, you go to Accounts, Edit Friends, and Contacts)&lt;br /&gt;&lt;br /&gt;On the page, FaceBook says "Facebook Phonebook displays contacts you have imported from your phone, as well as your Facebook friends. If you would like to remove your mobile contacts from Facebook, you need to disable the feature on your mobile phone and visit this page."&lt;br /&gt;&lt;br /&gt;My initial reaction, looking at great swaths of phone numbers that I'd never seen before was "Oh no! FaceBook's done something bad again with privacy" (or words to that effect), followed by "And _I_ never gave permission for my contacts to be imported from my phone!", but after I looked at it for a while, I realized that the list did not have my phone's contact numbers at all. And not only that, but the list did not have all my friends on it.&lt;br /&gt;&lt;br /&gt;What I was actually looking at was a list of my friends that had ponied up their own numbers. Perhaps they'd come from some of their phones, but a bunch that I checked were simply what people had put on their own profile, including one memorable one of +10000000000 (R.A....You know who you are).&lt;br /&gt;&lt;br /&gt;FaceBook didn't do anything bad, they simply assembled available information, from your friends, in a neat list. &lt;br /&gt;&lt;br /&gt;It was just a shock to see it all at once.&lt;br /&gt;&lt;br /&gt;Really, the only downside is if your privacy settings are open to the world, and in that situation, it is not yet clear if that might leak your friends' private information. &lt;br /&gt;&lt;br /&gt;Perhaps that's a topic for another day.&lt;br /&gt;&lt;br /&gt;Keep safe folks.&lt;br /&gt;&lt;br /&gt;Roger (Btw, I am currently an independent security guy, _not_ something to do with AVG. 
Even though they're still my friends, I no longer work there)&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6932569542163769993-332424956459381459?l=tcsltesting.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tcsltesting.blogspot.com/feeds/332424956459381459/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6932569542163769993&amp;postID=332424956459381459' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/332424956459381459'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/332424956459381459'/><link rel='alternate' type='text/html' href='http://tcsltesting.blogspot.com/2011/08/facebook-didnt-screw-up.html' title='FaceBook _didn&apos;t_ screw up'/><author><name>Roger Thompson</name><uri>http://www.blogger.com/profile/16820150960002669874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/-izIORnhF9sE/ThJUleD6j7I/AAAAAAAAALw/ZTBZa5rbfSI/s1600/rjt.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6932569542163769993.post-5245953062575384575</id><published>2011-07-23T18:52:00.000-07:00</published><updated>2011-07-24T05:22:11.761-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='amy winehouse scam'/><title type='text'>YAFC-Y (Yet Another Facebook Clipjack - Yawn)</title><content type='html'>Hi folks,&lt;br /&gt;&lt;br /&gt;Today, with Amy Winehouse's passing, another young star burned out entirely too soon. Whether we were fans or not is irrelevant. 
The salient point is that there is a group of greedy, covetous, rapacious, insatiable, avaricious, penurious, gluttonous vultures who eagerly await some misfortune, such as Amy, or yesterday, the cruel events in Norway.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/-jpLqHFlu2D4/TiuE6spfZ5I/AAAAAAAAAM4/sRzSXSDgTP4/s1600/amy%2Bwinehouse.png"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 400px; height: 111px;" src="http://3.bp.blogspot.com/-jpLqHFlu2D4/TiuE6spfZ5I/AAAAAAAAAM4/sRzSXSDgTP4/s400/amy%2Bwinehouse.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5632741902909400978" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Within hours of these events, they flood Facebook with promises of prurient or sensational videos, but the real goal is to trick kids or teens into agreeing to a $10 a month charge to the cell phone bill. They assume they won't read the fine print.&lt;br /&gt;&lt;br /&gt;So, as the title says, on one hand it's YAFC-Y ... Yet Another Facebook Clipjack - Yawn..., but by golly, they're not much more than sociopathic animals. 
I wonder how they can sleep at night.&lt;br /&gt;&lt;br /&gt;Truly, these people (and I use the word loosely) are the lowest of the low, and I can only hope that someone like FTC has them squarely in their crosshairs.&lt;br /&gt;&lt;br /&gt;Grrrr.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6932569542163769993-5245953062575384575?l=tcsltesting.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tcsltesting.blogspot.com/feeds/5245953062575384575/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6932569542163769993&amp;postID=5245953062575384575' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/5245953062575384575'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/5245953062575384575'/><link rel='alternate' type='text/html' href='http://tcsltesting.blogspot.com/2011/07/yafc-y-yet-another-facebook-clipjack.html' title='YAFC-Y (Yet Another Facebook Clipjack - Yawn)'/><author><name>Roger Thompson</name><uri>http://www.blogger.com/profile/16820150960002669874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/-izIORnhF9sE/ThJUleD6j7I/AAAAAAAAALw/ZTBZa5rbfSI/s1600/rjt.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-jpLqHFlu2D4/TiuE6spfZ5I/AAAAAAAAAM4/sRzSXSDgTP4/s72-c/amy%2Bwinehouse.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6932569542163769993.post-7717783895286260840</id><published>2011-07-06T13:48:00.000-07:00</published><updated>2011-07-06T14:27:09.307-07:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='hardening iOS'/><category scheme='http://www.blogger.com/atom/ns#' term='DSD'/><title type='text'>Hardening iOS</title><content type='html'>Hi folks,&lt;br /&gt;&lt;br /&gt;iOS is the operating system that powers iPhones, iPods and iPads. These things, along with Android powered devices, are clearly a critical part of the future of computing, and how we go about securing them is an emerging issue. We may be confident that the Bad Guys (tm), whether they be criminals or State-level cyber-warriors are looking hard at how to attack them. With that in mind, I was pleased to see &lt;a href="http://www.dsd.gov.au/publications/iOS_Hardening_Guide.pdf"&gt;this document&lt;/a&gt;, prepared by DSD, the Australian Defense Department Intelligence group, about how to harden these devices against attacks and probes.&lt;br /&gt;&lt;br /&gt;It's 36 pages of very interesting reading (if you're a security geek), and definitely worth studying (if you're said security geek). If, however, you're either a simple consumer, or ADD, or both, the critical points seem to me to be these...&lt;br /&gt;&lt;br /&gt;(1) When you travel overseas, you need to keep in mind that foreign ISPs and carriers may not provide the same levels of user rights that we often take for granted. Being blunt, foreign governments may well sniff your traffic, so be .... thoughtful... about what you say / type / tweet. (On the other hand, if you are of a mischievous bent, and your friend happens to be traveling in one of these countries, it could well provide much entertainment if you sprinkle seditious words like "revolution" and "protest" in your emails/ IM chats with him... 
but I digress)&lt;br /&gt;&lt;br /&gt;(2) Keep in mind that "Smart Phones" tend to synch (in other words, mirror) lots of data that you might otherwise think was just on your desktop, and if you lose your phone, or it's stolen, you might well be off-network, and thus unable to send a remote-wipe command to it. What this means is that it's a pretty good idea to set a PIN on the phone, and set it to automatically wipe itself after 10 failed attempts to guess the PIN. A few hundred dollars gets you a new phone, but a lost bank account UID/PW might cost you much more.&lt;br /&gt;&lt;br /&gt;(3) Be cautious about what apps you allow on your devices. How do we know what data these apps are transmitting, and how do we know who they are transmitting to? The answer is that we don't. A good rule of thumb is to consider how the app developers are getting a return on their development investment. It costs money, time and resources to build an app, and oddly, not many folks do it for free. If you can't see how they're getting a return, it might be a good idea to pass it by. If I can mix metaphors for a moment, there aren't a whole lot of free lunches on the Internet.&lt;br /&gt;&lt;br /&gt;When I first started in anti-virus in 1987, there were only a few viruses... Brain, Lehigh, Jerusalem. By the end of the first year, there were only about twelve in total, and we would wonder each month if there would be any more. Today, every anti virus lab in the world gets about 300k samples every day, 25-30k of which are new and unique. Every day!&lt;br /&gt;&lt;br /&gt;For a long while, we only had to worry about DOS, and then Windows viruses, but now we have ubiquitous Windows, plus Apple OS X malware, and a fast-growing Android malware problem. 
iOS is still fairly safe, but history shows that any platform that has the characteristics of being both widely adopted, and cheap and easy to develop on, becomes a target.&lt;br /&gt;&lt;br /&gt;Apple does their best to keep it all safe, but it's in our interests to employ whatever hardening steps we can now. Special thanks and shout-outs to Australia DSD for a fine document.&lt;br /&gt;&lt;br /&gt;Keep safe folks.&lt;br /&gt;Roger&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6932569542163769993-7717783895286260840?l=tcsltesting.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tcsltesting.blogspot.com/feeds/7717783895286260840/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6932569542163769993&amp;postID=7717783895286260840' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/7717783895286260840'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/7717783895286260840'/><link rel='alternate' type='text/html' href='http://tcsltesting.blogspot.com/2011/07/hardening-ios.html' title='Hardening iOS'/><author><name>Roger Thompson</name><uri>http://www.blogger.com/profile/16820150960002669874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/-izIORnhF9sE/ThJUleD6j7I/AAAAAAAAALw/ZTBZa5rbfSI/s1600/rjt.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6932569542163769993.post-3454759584381396329</id><published>2011-07-05T13:32:00.000-07:00</published><updated>2011-07-05T17:12:24.409-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='iPhone trick'/><category 
scheme='http://www.blogger.com/atom/ns#' term='A trap for young players'/><title type='text'>A trap for young players</title><content type='html'>Hi folks,&lt;br /&gt;&lt;br /&gt;Today, on my iPhone (note: not my laptop), I got this message from the friendly folk at Facebook Support...&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/-gXPAnxYF6w8/ThOj35gUuZI/AAAAAAAAAMQ/CRFraCagVWY/s1600/photo.PNG"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 267px; height: 400px;" src="http://1.bp.blogspot.com/-gXPAnxYF6w8/ThOj35gUuZI/AAAAAAAAAMQ/CRFraCagVWY/s400/photo.PNG" border="0" alt="" id="BLOGGER_PHOTO_ID_5626020540240411026" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I've been doing a bunch of things on FB recently, so I thought "I wonder what they want? Did I do something wrong?", and clicked it.&lt;br /&gt;&lt;br /&gt;To my shock and chagrin, I was taken, not to FB, but to a Pharma page!&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/-nzCvH2Q-xb4/ThOlIGWnYtI/AAAAAAAAAMY/bq3pHWhZ4q8/s1600/photo1.PNG"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 267px; height: 400px;" src="http://1.bp.blogspot.com/-nzCvH2Q-xb4/ThOlIGWnYtI/AAAAAAAAAMY/bq3pHWhZ4q8/s400/photo1.PNG" border="0" alt="" id="BLOGGER_PHOTO_ID_5626021918078886610" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Wait ... I'm much too cunning to be caught by that! What happened?&lt;br /&gt;&lt;br /&gt;The issue, friends, is that I was reading FB on my smart phone, and not my laptop. If it had been the laptop, I would, as a matter of course, simply have hovered the mouse over the link, and after a small pause, my mail client would have shown me the true URL behind the link. (In non-geeky talk, what that means is that whenever you get a suspicious email, you point the mouse at the link in the email, but _don't_ click it. 
Just wait a couple of seconds, and it will pop up a message showing the _real_ URL behind the link. If it's not Facebook, or eBay, or whatever you thought it should be, just delete the email)&lt;br /&gt;&lt;br /&gt;Because, however, I was on my smart phone (dumb phone might be more correct, perhaps?), there is _no_ way to do a mouse hover, and therefore no way to see what's really behind the link.&lt;br /&gt;&lt;br /&gt;Because so many people are moving to either Android or iPhone, this is an emerging problem. In this case, all I had to do to fix it was to close the browser, but if there had been an exploit, or even convincing social engineering behind it, they might have caught me. And I'm a little bit more cunning than lots of users.&lt;br /&gt;&lt;br /&gt;What is needed is some way to view the source of the message. If no one builds such an app, maybe I will.&lt;br /&gt;&lt;br /&gt;Keep safe folks, and be cautious. When Obi-Wan Kenobi said "There has never been a more wretched hive of scum and villainy", I'm pretty sure he was talking about the Internet.&lt;br /&gt;&lt;br /&gt;Roger&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6932569542163769993-3454759584381396329?l=tcsltesting.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tcsltesting.blogspot.com/feeds/3454759584381396329/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6932569542163769993&amp;postID=3454759584381396329' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/3454759584381396329'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/3454759584381396329'/><link rel='alternate' type='text/html' 
href='http://tcsltesting.blogspot.com/2011/07/trap-for-young-players.html' title='A trap for young players'/><author><name>Roger Thompson</name><uri>http://www.blogger.com/profile/16820150960002669874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/-izIORnhF9sE/ThJUleD6j7I/AAAAAAAAALw/ZTBZa5rbfSI/s1600/rjt.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-gXPAnxYF6w8/ThOj35gUuZI/AAAAAAAAAMQ/CRFraCagVWY/s72-c/photo.PNG' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6932569542163769993.post-5927159919239415506</id><published>2011-07-05T02:55:00.000-07:00</published><updated>2011-07-05T03:29:35.250-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='fox news hacked'/><title type='text'>You just can't believe everything you read</title><content type='html'>Hi folks,&lt;br /&gt;&lt;br /&gt;Over the weekend, our friends over at Sophos noticed that Fox News got one of their Twitter accounts "hacked". The "hacker" posted four or five bogus tweets about the President being assassinated, over a ten hour period, before the Fox guys noticed. I guess we could say that it took them ten hours to tweak that their tweets were being twampled. (Sorry)&lt;br /&gt;&lt;br /&gt;Once they realized what had happened, they (presumably) changed their password, and deleted the dud tweets. &lt;br /&gt;&lt;br /&gt;Their public response was that they had been "hacked", and they were demanding a full explanation from Twitter about what happened.&lt;br /&gt;&lt;br /&gt;Well, I can tell you what happened. You weren't "hacked". Your person, or people, running that Twitter account got his or her password phished.&lt;br /&gt;&lt;br /&gt;It hurts a bit, but it wasn't Twitter's fault, so there's no point in blaming them. 
&lt;br /&gt;&lt;br /&gt;What it really underscores is the danger of password re-use. It's dangerous, and you simply must adopt the idea that you'll have one password per website that you want to use. If that's 50 websites, then you need fifty passwords. It sucks a bit, but the alternative is that if you only have a few passwords, and one website fails, then all the other websites that password accesses are compromised.&lt;br /&gt;&lt;br /&gt;Use a password manager, or even write them down and keep them in your wallet, but the rule has to be ... &lt;br /&gt;&lt;br /&gt;No password re-use! Ever.&lt;br /&gt;&lt;br /&gt;Keep safe folks,&lt;br /&gt;&lt;br /&gt;Roger&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6932569542163769993-5927159919239415506?l=tcsltesting.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tcsltesting.blogspot.com/feeds/5927159919239415506/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6932569542163769993&amp;postID=5927159919239415506' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/5927159919239415506'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/5927159919239415506'/><link rel='alternate' type='text/html' href='http://tcsltesting.blogspot.com/2011/07/you-just-cant-believe-everything-you.html' title='You just can&apos;t believe everything you read'/><author><name>Roger Thompson</name><uri>http://www.blogger.com/profile/16820150960002669874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' 
src='http://4.bp.blogspot.com/-izIORnhF9sE/ThJUleD6j7I/AAAAAAAAALw/ZTBZa5rbfSI/s1600/rjt.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6932569542163769993.post-8940648400444841153</id><published>2009-09-15T21:01:00.000-07:00</published><updated>2009-09-15T21:02:04.507-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='nytimes malicious ad'/><title type='text'>Ok, now that was interesting!</title><content type='html'>Over the weekend, several people noticed attacks originating from a malicious ad placed at nytimes.com. Viewers were redirected to what we call a fake, or rogue antispy page, where the webpage _pretends_ to scan your computer, and then tries to convince you to install some nifty antivirus program to clean it up-oh-but-you-have-to-register-first-put-your-credit-card-here-mr-victim. Nothing new there... it's the most common thing we see _every_ day.&lt;br /&gt;&lt;br /&gt;We've been watching this particular style of rogue attack since about March, and just happened to have them under the microscope over the weekend, and here's the interesting thing... normally, we see 10-15,000 such detections each day, but from about last Thursday through Sunday, it spiked to 160-170,000 per day. It dropped off today to about 20,000.&lt;br /&gt;&lt;br /&gt;The attacks seemed to come from two main types of lures, with the first being advertisements, including the fake one on nytimes, and lots of Flash banner ads, and the second being searches for "newsie" events like Kanye and Taylor, and Patrick Swayze, and Serena Williams. &lt;br /&gt;&lt;br /&gt;It's ever so impressive how quickly they not only react, but also point the news search results at their hijacked lure machines. In other words, not only are they quick to react to something newsworthy, but they are somehow able to get their hijacked machines right up to the top of the google and bing searches. 
These guys are flat-out clever.&lt;br /&gt;&lt;br /&gt;In summary, not only was there a huge spike in activity by this particular group (or groups), but they quickly were able to manipulate the search engines.&lt;br /&gt;&lt;br /&gt;It goes without saying that LinkScanner is able to detect and block these attacks, but it's a dangerous Web folks.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Keep safe,&lt;br /&gt;&lt;br /&gt;Roger&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6932569542163769993-8940648400444841153?l=tcsltesting.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tcsltesting.blogspot.com/feeds/8940648400444841153/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6932569542163769993&amp;postID=8940648400444841153' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/8940648400444841153'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/8940648400444841153'/><link rel='alternate' type='text/html' href='http://tcsltesting.blogspot.com/2009/09/ok-now-that-was-interesting.html' title='Ok, now that was interesting!'/><author><name>Roger Thompson</name><uri>http://www.blogger.com/profile/16820150960002669874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/-izIORnhF9sE/ThJUleD6j7I/AAAAAAAAALw/ZTBZa5rbfSI/s1600/rjt.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6932569542163769993.post-5753432310078959293</id><published>2009-07-11T19:45:00.001-07:00</published><updated>2009-07-11T19:45:37.790-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='ddos'/><title 
type='text'>I think I know what the ddos is about</title><content type='html'>If you've watched any news broadcasts since the 4th of July, you'll be aware that certain US and South Korean government and commercial websites have been under Distributed Denial Of Service (ddos) attack. Early on, someone pondered for a minute or two about who might be a common enemy to both the US and SK, and the obvious answer was .... gasp... North Korea!!! And if NK is the perp, then clearly this is ... cyberwar!!! Holy Moley Batman!!!! Quick ... run to the bunkers!&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;It's obviously a great headline, but most actual security folk took the view that it's just a ddos, for goodness' sake. If we can't get to Whitehouse.gov for a few days, the world is not going to end. The tourists will still take their photos from the street, and the rest of us will just get another cup of coffee while we wait for it to end. Ddos's are really easy to do, and impossible to prevent up front. It's just that they're not profitable, so no one bothers in this day of "Show me the money for my malcode". And it was silly to blame North Korea, because the whole point of a ddos from a remote controlled botnet is that no one really knows who's driving it.&lt;br /&gt;&lt;br /&gt;Now, having had a look at the disparate list of victim websites, my initial thought was that it was a disgruntled businessman targeting the Federal Trade Commission, and shooting at everyone else to conceal their real target, but then we realized that the malcode was programmed to self-destruct, starting July 10th, by erasing the first megabyte of the victim's hard drive!&lt;br /&gt;&lt;br /&gt;At least this would effectively clean up these computers. 
&lt;br /&gt;&lt;br /&gt;After we got over laughing about botmasters destroying their own botnet, and making jokes like "Don't these guys understand how retaliation works?", etc, the light slowly dawned on us that maybe they did understand exactly what they were doing.&lt;br /&gt;&lt;br /&gt;It's not cyber-war ... it's someone who's worried about the growing plethora of botnets on the Internet, and who's trying to make people care enough to do something about it! A vigilante!&lt;br /&gt;&lt;br /&gt;Think about it.&lt;br /&gt;&lt;br /&gt;Why bother nuking 60k computers after doing all the work of assembling them? Nuking them only helps the Good Guys, because the victims are forced to re-build, and therefore clean, their computers.&lt;br /&gt;&lt;br /&gt;Why bother with a ddos of a bunch of disparate government and commercial websites? Nobody was really impacted ... border routers were reprogrammed to deflect the ddos off any important sites... the only thing it really did was cause a bunch of lawmakers to point the finger at North Korea.&lt;br /&gt;&lt;br /&gt;And the only other thing it really did was make lawmakers think "If North Korea could do this with a mere 60k machines, what could Al Qaeda do with a big botnet of 300k machines?" &lt;br /&gt;&lt;br /&gt;Big botnets are really common, by the way.&lt;br /&gt;&lt;br /&gt;The only reasonable explanation for the whole thing is that it was someone who is worried about the botnet problem, and who wanted to make lawmakers think about it, and do something about it.&lt;br /&gt;&lt;br /&gt;A high-tech vigilante.&lt;br /&gt;&lt;br /&gt;By the way, the vigilante has a point. Botnets are a real problem, and we need to mitigate them a bit. Most ISPs could do something, except that their give-a-darn bone is broken.&lt;br /&gt;&lt;br /&gt;Incidentally, the erase-one-mb thing reminds several of us of the CIH virus. The underground scuttlebutt about the CIH author was that he was hired by Taiwanese military intelligence. 
It's an easy mind-wander to wonder if there's a connection there. Surely not. :-)&lt;br /&gt;&lt;br /&gt;Keep safe folks.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6932569542163769993-5753432310078959293?l=tcsltesting.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tcsltesting.blogspot.com/feeds/5753432310078959293/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6932569542163769993&amp;postID=5753432310078959293' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/5753432310078959293'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/5753432310078959293'/><link rel='alternate' type='text/html' href='http://tcsltesting.blogspot.com/2009/07/i-think-i-know-what-ddos-is-about.html' title='I think I know what the ddos is about'/><author><name>Roger Thompson</name><uri>http://www.blogger.com/profile/16820150960002669874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/-izIORnhF9sE/ThJUleD6j7I/AAAAAAAAALw/ZTBZa5rbfSI/s1600/rjt.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6932569542163769993.post-2263502546491691181</id><published>2009-06-04T18:45:00.000-07:00</published><updated>2009-06-04T18:47:03.960-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='coolwebsearch'/><title type='text'>Unfortunate brand squatting</title><content type='html'>Hi folks,&lt;br /&gt;&lt;br /&gt;A common practise among enterprising webmeisters is what's known as brand-squatting. 
That's where you find a domain whose owner has neglected, or not bothered, to renew it, and it's up for grabs. If you get something modestly popular, then you get the benefit of whatever residual traffic they've generated as a starting point. Makes sense for most domains.&lt;br /&gt;&lt;br /&gt;This time, however, someone re-registered and re-vitalized one of the most notorious brands in malcode history .... coolwebsearch ! :-) :-) :-) &lt;br /&gt;&lt;br /&gt;Not only that, but while it was a search-enginey kind of page, it was also hosting an exploit!!! Whether that was deliberate or accidental is not clear, but it doesn't matter much as it's down now.&lt;br /&gt;&lt;br /&gt;coolwebsearch.us was registered on about the 18th of April 2009, and our first detection was 24th April. Our last was yesterday, but as this graph shows, activity has been tapering off anyway.&lt;br /&gt;&lt;br /&gt;Here's a graph of the detection events our users told us about.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_loJ1Rw68BvQ/Sih46dm79xI/AAAAAAAAALU/cKs2OZUb42g/s1600-h/activity.png"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 400px; height: 230px;" src="http://3.bp.blogspot.com/_loJ1Rw68BvQ/Sih46dm79xI/AAAAAAAAALU/cKs2OZUb42g/s400/activity.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5343653903650780946" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;As you can see, we had about 11,000 hits spread over 40 days, across 106 countries.&lt;br /&gt;&lt;br /&gt;It's a dangerous internet folks, but at least it's sometimes funny.&lt;br /&gt;&lt;br /&gt;Keep safe,&lt;br /&gt;&lt;br /&gt;Roger&lt;br /&gt;&lt;br /&gt;Please follow me on Twitter&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6932569542163769993-2263502546491691181?l=tcsltesting.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' 
href='http://tcsltesting.blogspot.com/feeds/2263502546491691181/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6932569542163769993&amp;postID=2263502546491691181' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/2263502546491691181'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/2263502546491691181'/><link rel='alternate' type='text/html' href='http://tcsltesting.blogspot.com/2009/06/unfortunate-brand-squatting.html' title='Unfortunate brand squatting'/><author><name>Roger Thompson</name><uri>http://www.blogger.com/profile/16820150960002669874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/-izIORnhF9sE/ThJUleD6j7I/AAAAAAAAALw/ZTBZa5rbfSI/s1600/rjt.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_loJ1Rw68BvQ/Sih46dm79xI/AAAAAAAAALU/cKs2OZUb42g/s72-c/activity.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6932569542163769993.post-3066800960946904647</id><published>2009-05-11T06:41:00.000-07:00</published><updated>2009-05-11T06:44:05.937-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='city of london hacked'/><title type='text'>Here's a whoopsie to start the week.</title><content type='html'>*** don't go to any of these websites... they seem safe today, but you can't be certain, and it's better to avoid them ***&lt;br /&gt;&lt;br /&gt;It's just a simple (and common) script injection, but the victim is kind of interesting. Seems like none other than the City of London website has poor security. 
:-) &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;As usual, the page itself renders just fine, and looks like this ...&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_loJ1Rw68BvQ/SggrWb6jm8I/AAAAAAAAAKk/_gLcowZzhO0/s1600-h/main+page.png"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 400px; height: 290px;" src="http://3.bp.blogspot.com/_loJ1Rw68BvQ/SggrWb6jm8I/AAAAAAAAAKk/_gLcowZzhO0/s400/main+page.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5334561423070829506" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;but if you have a look at the source, you see something like this ...&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_loJ1Rw68BvQ/SggrdxExq9I/AAAAAAAAAKs/OKbgkjqacOQ/s1600-h/injections.png"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 400px; height: 290px;" src="http://3.bp.blogspot.com/_loJ1Rw68BvQ/SggrdxExq9I/AAAAAAAAAKs/OKbgkjqacOQ/s400/injections.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5334561549009923026" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;If you look closely, you see references to URLs like 4log-in.ru, and in fact there are eight different ones...&lt;br /&gt;&lt;br /&gt;www.ojns.ru/js.js&lt;br /&gt;www.ujnc.ru/js.js&lt;br /&gt;www.64do.com/script.js&lt;br /&gt;www.mnicbre.ru/script.js&lt;br /&gt;www.4log-in.ru/script.js&lt;br /&gt;www.berjke.ru/script.js&lt;br /&gt;www.wmpd.ru/style.js&lt;br /&gt;www.lijg.ru/script.js&lt;br /&gt;&lt;br /&gt;(again, don't go to these places unless you know what you're doing, because you might get nailed)&lt;br /&gt;&lt;br /&gt;What this means is that the City of London website has been nailed, not once, but _eight_ times.&lt;br /&gt;&lt;br /&gt;Fortunately, the site is seemingly not infective, so the injections have only partly worked, but then again, it might depend on what you click on the page, and there might well be other 
hacked pages that we've not discovered yet.&lt;br /&gt;&lt;br /&gt;What needs to happen is that the injections need to be removed, and the City of London webmeisters need to find the form that is allowing the injections, and fix it.&lt;br /&gt;&lt;br /&gt;It's a dangerous Internet, folks. Keep safe.&lt;br /&gt;&lt;br /&gt;Cheers&lt;br /&gt;&lt;br /&gt;Roger&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6932569542163769993-3066800960946904647?l=tcsltesting.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tcsltesting.blogspot.com/feeds/3066800960946904647/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6932569542163769993&amp;postID=3066800960946904647' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/3066800960946904647'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/3066800960946904647'/><link rel='alternate' type='text/html' href='http://tcsltesting.blogspot.com/2009/05/heres-whoopsie-to-start-week.html' title='Here&apos;s a whoopsie to start the week.'/><author><name>Roger Thompson</name><uri>http://www.blogger.com/profile/16820150960002669874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/-izIORnhF9sE/ThJUleD6j7I/AAAAAAAAALw/ZTBZa5rbfSI/s1600/rjt.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_loJ1Rw68BvQ/SggrWb6jm8I/AAAAAAAAAKk/_gLcowZzhO0/s72-c/main+page.png' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6932569542163769993.post-6291696218667952553</id><published>2009-04-04T16:28:00.001-07:00</published><updated>2009-04-04T16:28:42.027-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='slammer'/><title type='text'>The gift that keeps on giving</title><content type='html'>So... years ago, I wrote a program called WormRadar. It was designed to detect and measure the malware of the day, worms. More recently, the web became the main attack vector, and we started building programs to detect and measure that activity (which is where LinkScanner came from), and WormRadar gradually fell into disuse. Really recently (as opposed to more recently, and yes, my old English teacher wants to rap my knuckles for that), we cranked up a WormRadar node again, just to see what new things were circulating, and the number one thing we're detecting is .... Slammer!!!!!!&lt;br /&gt;&lt;br /&gt;Now, many readers will already see the funny side of that, but many will also not, so for the "nots" ... SqlSlammer was a worm that appeared in January 2003, and really hit the Internet hard. That was pretty amazing at the time, because it exploited a vulnerability that had been patched as MS02-039... _six_ months earlier. In other words, although a patch had been available for six months, so many people had not patched that the worm was able to be a major spreader six months later.&lt;br /&gt;&lt;br /&gt;Then, in 2004, Microsoft released XP Service Pack 2, in which the firewall was on by default for the first time, and this was really an Extinction Level Event for most worms, because even little old Windows firewall is enough to stop all worms. There have not been any worms since then that can force their way thru the firewall from outside. Conficker, for example, relies on getting inside the firewall by some other method... USB drive... social engineering ... whatever... 
and then runs rampant inside a network, but it can't _force_ its way in.&lt;br /&gt;&lt;br /&gt;This then, is the amusing and amazing thing about Slammer... it's still alive and well six _years_ after its first appearance, which is six _years and six months_ after the patch was released!&lt;br /&gt;&lt;br /&gt;In other words, there are computers which are just never patched!!!! &lt;br /&gt;&lt;br /&gt;There is a name for this type of user .... Victims!&lt;br /&gt;&lt;br /&gt;Keep safe folks! (Oh, and keep patched! ;-)) &lt;br /&gt;&lt;br /&gt;Roger&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6932569542163769993-6291696218667952553?l=tcsltesting.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tcsltesting.blogspot.com/feeds/6291696218667952553/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6932569542163769993&amp;postID=6291696218667952553' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/6291696218667952553'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/6291696218667952553'/><link rel='alternate' type='text/html' href='http://tcsltesting.blogspot.com/2009/04/gift-that-keeps-on-giving.html' title='The gift that keeps on giving'/><author><name>Roger Thompson</name><uri>http://www.blogger.com/profile/16820150960002669874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' 
src='http://4.bp.blogspot.com/-izIORnhF9sE/ThJUleD6j7I/AAAAAAAAALw/ZTBZa5rbfSI/s1600/rjt.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6932569542163769993.post-4704852390094443481</id><published>2009-03-31T17:42:00.000-07:00</published><updated>2009-03-31T17:43:46.954-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='conficker identity theft'/><title type='text'>The imminent demise of the Internet ...</title><content type='html'>is being greatly exaggerated, in case you haven't figured it out by yourself.&lt;br /&gt;&lt;br /&gt;What's happening is that people are worried because the Conficker worm is due to do "something" on Apr 1st, and no one knows exactly what. Human nature being what it is, some folks are fixating on the worst possible outcome. It'd be pretty bad if you got hit by a meteor too, but no one is building meteor shelters.&lt;br /&gt;&lt;br /&gt;There are two main issues to consider here. The first is that Conficker is a pretty well-thought-out attack, and it's pretty unlikely that they want to do anything but make money for their efforts. It's not in their, or anyone's, interests to try to kill the Internet. They can't make money if they do that. They don't want to chop down the apple tree... they just want to shake it and pick up the apples that fall off.&lt;br /&gt;&lt;br /&gt;The second is that this is a government/ corporate/ education problem... not a consumer one. The two main vectors for spreading are a vulnerability in a service called RPC, which was patched in October 2008, and poorly protected network shares. The only people that have networks and who also don't patch are government, corporates and education users. Fortunately, they're also the folk that have staff with expertise that they can call on to fight back. The worm probably grabbed millions of users right out of the box in December 2008, but any gov/ corp/ edu user who is still infected after five months deserves it. 
On the other hand, Joe the Plumber almost certainly allows automatic patching each month, and probably doesn't have much of a network, and presents a much smaller target. &lt;br /&gt;&lt;br /&gt;Yes, some of Joe's friends will have been nailed by now, by infected USB keys or something, but it's not going to be a massive number of users. The Conficker botherders will simply have achieved their goal of building a fairly bullet-proof botherd, and will now "farm" that botnet, while they prepare their next attack. (We will see things like this again, so now would be a good time to upgrade to AVG identity protection ... it'll provide a good safety net for the next attack)&lt;br /&gt;&lt;br /&gt;By the way, I think this is a fairly predictable consequence of playing whack-a-mole with botherds. All you do is cull the weak ones from the herd, and encourage the smarter ones to build a stronger botnet. &lt;br /&gt;&lt;br /&gt;All in all, I think the date of April 1st is entirely (if accidentally) appropriate.&lt;br /&gt;&lt;br /&gt;Keep safe, folks.&lt;br /&gt;&lt;br /&gt;Roger&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6932569542163769993-4704852390094443481?l=tcsltesting.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tcsltesting.blogspot.com/feeds/4704852390094443481/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6932569542163769993&amp;postID=4704852390094443481' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/4704852390094443481'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/4704852390094443481'/><link rel='alternate' type='text/html' href='http://tcsltesting.blogspot.com/2009/03/imminent-demise-of-internet.html' 
title='The imminent demise of the Internet ...'/><author><name>Roger Thompson</name><uri>http://www.blogger.com/profile/16820150960002669874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/-izIORnhF9sE/ThJUleD6j7I/AAAAAAAAALw/ZTBZa5rbfSI/s1600/rjt.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6932569542163769993.post-2403397207143492022</id><published>2009-03-28T16:11:00.000-07:00</published><updated>2009-03-28T16:18:48.511-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='march koobface facebook classmates'/><title type='text'>KoobFace, Facebook and Classmates... oh my.</title><content type='html'>Hi folks, &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;So, the March pitch from KoobFace seems to be bigger in scope...well, that's if you can derive stats from a sample-base of one, because I've personally received three pitches this time... One for FaceBook, and two for Classmates.com... but the basic pitch is the same.&lt;br /&gt;&lt;br /&gt;It comes as an email along these lines ... : "Girls in beautiful black underwear dancing in the pub, showing off perfect bodies. Unbelievable Final!". 
&lt;br /&gt;&lt;br /&gt;If you go to the webpage in the email, it looks pretty much like the site is Facebook or Classmates, because the fake site draws a bunch of content directly from the real site, like this ...&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_loJ1Rw68BvQ/Sc6u3aJkcDI/AAAAAAAAAKc/JCh0riFPlrA/s1600-h/pitchmod.jpg"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 400px; height: 290px;" src="http://2.bp.blogspot.com/_loJ1Rw68BvQ/Sc6u3aJkcDI/AAAAAAAAAKc/JCh0riFPlrA/s400/pitchmod.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5318380476906631218" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;and, of course, the aim is to get you to download a fake Adobe update, which is really the worm.&lt;br /&gt;&lt;br /&gt;Of course, if you look at the url in the browser bar, it is obviously not really FaceBook, but that's not the point. They don't expect to fool everybody .... they just want to fool enough bodies.&lt;br /&gt;&lt;br /&gt;And, of course, it goes without saying that LinkScanner detects and blocks the fakes just fine.&lt;br /&gt;&lt;br /&gt;Oh, and I am kidding about deriving stats from a sample-size of one. 
:-)&lt;br /&gt;&lt;br /&gt;Keep safe folks,&lt;br /&gt;&lt;br /&gt;Roger&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6932569542163769993-2403397207143492022?l=tcsltesting.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tcsltesting.blogspot.com/feeds/2403397207143492022/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6932569542163769993&amp;postID=2403397207143492022' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/2403397207143492022'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/2403397207143492022'/><link rel='alternate' type='text/html' href='http://tcsltesting.blogspot.com/2009/03/koobface-facebook-and-classmates-oh-my.html' title='KoobFace, Facebook and Classmates... oh my.'/><author><name>Roger Thompson</name><uri>http://www.blogger.com/profile/16820150960002669874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/-izIORnhF9sE/ThJUleD6j7I/AAAAAAAAALw/ZTBZa5rbfSI/s1600/rjt.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_loJ1Rw68BvQ/Sc6u3aJkcDI/AAAAAAAAAKc/JCh0riFPlrA/s72-c/pitchmod.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6932569542163769993.post-3126851933920267552</id><published>2009-03-16T06:42:00.000-07:00</published><updated>2009-03-16T06:44:09.628-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='hacked uk website cleaned'/><title type='text'>One website cleaned ... 
many more to go</title><content type='html'>Hi folks,&lt;br /&gt;&lt;br /&gt;Just a quick note to share that the hacked page at phoenix.spelthorne.gov.uk has been cleaned, and no longer displays "Fatal Error ownz you" and is no longer redirecting to sites in Turkey.&lt;br /&gt;&lt;br /&gt;We have, however, found lots of other .gov.uk websites with hacked and (sometimes) infective pages, which we'll blog about shortly.&lt;br /&gt;&lt;br /&gt;Cheers&lt;br /&gt;&lt;br /&gt;Roger&lt;br /&gt;&lt;br /&gt;To be notified of updates to this blog, please follow me on &lt;a href="http://twitter.com/tcsl"&gt;Twitter&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6932569542163769993-3126851933920267552?l=tcsltesting.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tcsltesting.blogspot.com/feeds/3126851933920267552/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6932569542163769993&amp;postID=3126851933920267552' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/3126851933920267552'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/3126851933920267552'/><link rel='alternate' type='text/html' href='http://tcsltesting.blogspot.com/2009/03/one-website-cleaned-many-more-to-go.html' title='One website cleaned ... 
many more to go'/><author><name>Roger Thompson</name><uri>http://www.blogger.com/profile/16820150960002669874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/-izIORnhF9sE/ThJUleD6j7I/AAAAAAAAALw/ZTBZa5rbfSI/s1600/rjt.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6932569542163769993.post-6864414185302656411</id><published>2009-03-12T17:32:00.001-07:00</published><updated>2009-03-12T17:38:48.417-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='hacked gov site city streator'/><title type='text'>Oh goody! City of Streator has a Yahoo counter!</title><content type='html'>The page looks quite normal, except that LinkScanner knows better and has told us that it contains a fake Yahoo! counter, and if you look at the source, sure enough you see this block of code ...&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_loJ1Rw68BvQ/SbmqK3o73EI/AAAAAAAAAKM/CmgAl2rMsJM/s1600-h/source.jpg"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 400px; height: 290px;" src="http://2.bp.blogspot.com/_loJ1Rw68BvQ/SbmqK3o73EI/AAAAAAAAAKM/CmgAl2rMsJM/s400/source.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5312464339171269698" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;As readers of this blog will know, one of the more commonly-encountered web tricks is a Yahoo-counter-that-is-not-a-counter. Instead of counting visitors, it reaches out to an exploit site and ... counts victims.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;This gang's specialty is to hack into an innocent website, and turn it into an unwitting lure... all the website's visitors are probed by the villains, and if they're vulnerable... wham! the visitor is a victim of a drive-by download.&lt;br /&gt;&lt;br /&gt;Here's a sample from today's hack list. (*** AGAIN.... DON'T GO TO THE PAGE ... 
IT MIGHT BE STILL INFECTIVE ***)&lt;br /&gt;&lt;br /&gt;This page, hxxp://www.ci.streator.il.us/cms/index.php?page=fire-department-faq-s, looks like this ... &lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_loJ1Rw68BvQ/Sbmpz9xri0I/AAAAAAAAAKE/-xEegY3fEIY/s1600-h/home+page.jpg"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 400px; height: 290px;" src="http://2.bp.blogspot.com/_loJ1Rw68BvQ/Sbmpz9xri0I/AAAAAAAAAKE/-xEegY3fEIY/s400/home+page.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5312463945681570626" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;If you look closely at the code you see not one, but _two_ Yahoo counters! How exciting! This means they've been whacked not once, but twice. :-)&lt;br /&gt;&lt;br /&gt;And sure enough, if we look at the critical files list, we see the start of an infection cycle...&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_loJ1Rw68BvQ/SbmqW6L0kaI/AAAAAAAAAKU/0MiCW3zH6QM/s1600-h/crtical+files.jpg"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 400px; height: 290px;" src="http://3.bp.blogspot.com/_loJ1Rw68BvQ/SbmqW6L0kaI/AAAAAAAAAKU/0MiCW3zH6QM/s400/crtical+files.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5312464546012893602" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I find that outing a site on this blog is actually the best way to get it cleaned up. It's much more effective than me trying to explain to confused support staff, so c'mon City of Streator guys.... please clean your site, and fix the hole that allowed the Bad Guys in in the first place. You're probably running a vulnerable PHP tool or version.&lt;br /&gt;&lt;br /&gt;Readers, please remember that City of Streator is an innocent victim too... they didn't mean for this to happen, but they do need to fix it.&lt;br /&gt;&lt;br /&gt;Look both ways when crossing the web, folks.... 
it's dangerous out there.&lt;br /&gt;&lt;br /&gt;Roger&lt;br /&gt;&lt;br /&gt;Ps to be notified of updates to this blog, please follow me on &lt;a href="http://twitter.com/tcsl"&gt;Twitter&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6932569542163769993-6864414185302656411?l=tcsltesting.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tcsltesting.blogspot.com/feeds/6864414185302656411/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6932569542163769993&amp;postID=6864414185302656411' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/6864414185302656411'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/6864414185302656411'/><link rel='alternate' type='text/html' href='http://tcsltesting.blogspot.com/2009/03/oh-goody-city-of-streator-has-yahoo.html' title='Oh goody! 
City of Streator has a Yahoo counter!'/><author><name>Roger Thompson</name><uri>http://www.blogger.com/profile/16820150960002669874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/-izIORnhF9sE/ThJUleD6j7I/AAAAAAAAALw/ZTBZa5rbfSI/s1600/rjt.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_loJ1Rw68BvQ/SbmqK3o73EI/AAAAAAAAAKM/CmgAl2rMsJM/s72-c/source.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6932569542163769993.post-8145617780414317037</id><published>2009-03-09T18:57:00.001-07:00</published><updated>2009-03-09T19:00:57.392-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='hacked uk gov'/><title type='text'>There's a bit of bad luck!</title><content type='html'>*** WARNING - This website is probably still hacked and infective, so please don't go there unless you really know what you're doing***&lt;br /&gt;&lt;br /&gt; A couple of days ago, LinkScanner started detecting (and blocking) a page of a UK gov website, so we thought we'd take a look. This is the screen we were presented with ...&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_loJ1Rw68BvQ/SbXJD3e5uOI/AAAAAAAAAJc/iA_vs-Fp3s8/s1600-h/first+clue.jpg"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 400px; height: 290px;" src="http://4.bp.blogspot.com/_loJ1Rw68BvQ/SbXJD3e5uOI/AAAAAAAAAJc/iA_vs-Fp3s8/s400/first+clue.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5311372403823720674" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;The "Fatal Error ownz you" is a fair clue that something is not quite right here. 
;-)&lt;br /&gt;&lt;br /&gt;While reading that, you are quickly and automatically redirected to this website ...&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_loJ1Rw68BvQ/SbXJL1JMNCI/AAAAAAAAAJk/BFQk7RXYHlQ/s1600-h/second+clue.jpg"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 400px; height: 290px;" src="http://3.bp.blogspot.com/_loJ1Rw68BvQ/SbXJL1JMNCI/AAAAAAAAAJk/BFQk7RXYHlQ/s400/second+clue.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5311372540634739746" /&gt;&lt;/a&gt;&lt;br /&gt; &lt;br /&gt;&lt;br /&gt;I'm reasonably confident that a Brit government website shouldn't be transferring you to (what I think is) a Turkish one, so this is a fair second clue that something is wrong.&lt;br /&gt;&lt;br /&gt;Once we establish that a site is hacked, we like to see how long it has been hacked, because mostly it's quite a quick thing ... most sites get hacked and cleaned up in under a couple of days... The best way to find out is to look at the search engine cached pages, so we had a look at the google cache, and to our surprise, we saw this page....  (again, don't even go to the cached pages, unless you know what you're doing, because if the page was infective when the search bots indexed it, it'll still be infective in the cache) .... &lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_loJ1Rw68BvQ/SbXJabQnyuI/AAAAAAAAAJs/7XdcJNb-qDo/s1600-h/google+cache.jpg"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 400px; height: 290px;" src="http://4.bp.blogspot.com/_loJ1Rw68BvQ/SbXJabQnyuI/AAAAAAAAAJs/7XdcJNb-qDo/s400/google+cache.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5311372791384623842" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;On January 24th, when the google bots crawled by, it was hacked again, by a different crew! 
That's what's known in the biz as a Bit Of Bad Luck (tm) !&lt;br /&gt;&lt;br /&gt;So, just to be sure that they are not serially and constantly hacked, we consulted two more caches... The msn Live cache snapshot was taken on March 4th, and shows it clean...&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_loJ1Rw68BvQ/SbXJlsKzS2I/AAAAAAAAAJ0/TXAtkhwU6_U/s1600-h/live.cache.jpg"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 400px; height: 290px;" src="http://1.bp.blogspot.com/_loJ1Rw68BvQ/SbXJlsKzS2I/AAAAAAAAAJ0/TXAtkhwU6_U/s400/live.cache.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5311372984902175586" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;and the ask.com cache snapshot was taken on January 7th, and it was clean then too.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_loJ1Rw68BvQ/SbXJtnJ7ANI/AAAAAAAAAJ8/aOBs0EZIND4/s1600-h/askcache.jpg"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 400px; height: 290px;" src="http://1.bp.blogspot.com/_loJ1Rw68BvQ/SbXJtnJ7ANI/AAAAAAAAAJ8/aOBs0EZIND4/s400/askcache.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5311373120995262674" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;The webmasters are obviously cleaning things up as quickly as they realize they have a problem, but seemingly have yet to plug the hole that the Bad Guys are using to get in. It just shows how tricky it is to keep your websites clean, and it shows how pointless it is to blacklist websites via a central database... 
it's always too slow to realize something is hacked, and too slow to realize it's cleaned up.&lt;br /&gt;&lt;br /&gt;Stay safe folks,&lt;br /&gt;&lt;br /&gt;Roger&lt;br /&gt;&lt;br /&gt;To be notified of blog updates, please follow me on Twitter&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6932569542163769993-8145617780414317037?l=tcsltesting.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tcsltesting.blogspot.com/feeds/8145617780414317037/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6932569542163769993&amp;postID=8145617780414317037' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/8145617780414317037'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/8145617780414317037'/><link rel='alternate' type='text/html' href='http://tcsltesting.blogspot.com/2009/03/theres-bit-of-bad-luck.html' title='There&apos;s a bit of bad luck!'/><author><name>Roger Thompson</name><uri>http://www.blogger.com/profile/16820150960002669874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/-izIORnhF9sE/ThJUleD6j7I/AAAAAAAAALw/ZTBZa5rbfSI/s1600/rjt.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_loJ1Rw68BvQ/SbXJD3e5uOI/AAAAAAAAAJc/iA_vs-Fp3s8/s72-c/first+clue.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6932569542163769993.post-4342434421320044239</id><published>2009-03-06T06:03:00.000-08:00</published><updated>2009-03-06T06:05:15.657-08:00</updated><title type='text'>KoobFace</title><content type='html'>Hi folks,&lt;br 
/&gt;&lt;br /&gt;I've just realized that I didn't make it clear that &lt;a href="http://tcsltesting.blogspot.com/2009/03/watch-out-for-fake-facebook-emails.html"&gt;this post&lt;/a&gt; is actually about KoobFace.&lt;br /&gt;&lt;br /&gt;Cheers&lt;br /&gt;&lt;br /&gt;Roger&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6932569542163769993-4342434421320044239?l=tcsltesting.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tcsltesting.blogspot.com/feeds/4342434421320044239/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6932569542163769993&amp;postID=4342434421320044239' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/4342434421320044239'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/4342434421320044239'/><link rel='alternate' type='text/html' href='http://tcsltesting.blogspot.com/2009/03/koobface.html' title='KoobFace'/><author><name>Roger Thompson</name><uri>http://www.blogger.com/profile/16820150960002669874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/-izIORnhF9sE/ThJUleD6j7I/AAAAAAAAALw/ZTBZa5rbfSI/s1600/rjt.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6932569542163769993.post-2182303488781914222</id><published>2009-03-04T16:35:00.000-08:00</published><updated>2009-03-04T16:44:43.213-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='hacked gov website'/><title type='text'>UsAid site hacked and infective</title><content type='html'>Hi folks,&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;The usaid.gov site for Azerbaijan is hacked and infective. 
_DO NOT GO TO THEIR SITE_. We made a vid to show what happens, because that's much safer than visiting, and it is viewable &lt;a href="http://www.youtube.com/watch?v=nzEDfLvxF1c"&gt;here...&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Screen shots are a little bit blurry this time ... sorry about that... we've changed our screen resolution for captures and it didn't quite work out, but you can still get the idea.&lt;br /&gt;&lt;br /&gt;Cheers&lt;br /&gt;&lt;br /&gt;Roger&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6932569542163769993-2182303488781914222?l=tcsltesting.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tcsltesting.blogspot.com/feeds/2182303488781914222/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6932569542163769993&amp;postID=2182303488781914222' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/2182303488781914222'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/2182303488781914222'/><link rel='alternate' type='text/html' href='http://tcsltesting.blogspot.com/2009/03/usaid-site-hacked-and-infective.html' title='UsAid site hacked and infective'/><author><name>Roger Thompson</name><uri>http://www.blogger.com/profile/16820150960002669874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/-izIORnhF9sE/ThJUleD6j7I/AAAAAAAAALw/ZTBZa5rbfSI/s1600/rjt.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6932569542163769993.post-8308374315812966313</id><published>2009-03-02T19:50:00.000-08:00</published><updated>2009-03-02T19:59:56.512-08:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='fake facebook emails'/><title type='text'>Watch out for fake FaceBook emails</title><content type='html'>Today, one of our old friends, Mark Coker got three different emails purporting to be about Facebook. He twittered about it &lt;a href="http://twitter.com/markcoker/status/1269686134"&gt;here&lt;/a&gt; and asked me what it was about. &lt;br /&gt;&lt;br /&gt;He actually got three emails, all in short order, with this subject (remember, future attempts will have different subjects) ...&lt;br /&gt;&lt;br /&gt;Review - My family invite you out for lunch, don't hesitate!&lt;br /&gt;&lt;br /&gt;And if you click the embedded link, you're taken to a fairly convincing looking facebook page...&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_loJ1Rw68BvQ/SayqLeGAcGI/AAAAAAAAAI0/nksaUNAcBsU/s1600-h/facebook.jpg"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 400px; height: 290px;" src="http://4.bp.blogspot.com/_loJ1Rw68BvQ/SayqLeGAcGI/AAAAAAAAAI0/nksaUNAcBsU/s400/facebook.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5308805174796513378" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Notwithstanding the funny looking url that I've circled in red, the rest of the page looks convincing. If you are alert enough to look at the url, then you know you're not at a real FB page, but as I've often said, they don't want to catch everyone.. .they don't want to cut down the apple tree... 
they just want to shake it and pick up the apples that fall off.&lt;br /&gt;&lt;br /&gt;If you click anywhere on the image, you get the "pitch" screen, that looks like this...&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_loJ1Rw68BvQ/SayqZbqc6RI/AAAAAAAAAI8/aP86cuTxeQI/s1600-h/pitch.jpg"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 400px; height: 290px;" src="http://4.bp.blogspot.com/_loJ1Rw68BvQ/SayqZbqc6RI/AAAAAAAAAI8/aP86cuTxeQI/s400/pitch.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5308805414662236434" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;and then you get a convincing looking adobe download dialog. Given the number of recent Adobe updates, this will catch a bunch of folk, and they will indeed run the installer. This approach, by the way, works no matter how well you are patched, and probably even works if you are running full-blown UAC in Vista....&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_loJ1Rw68BvQ/SayqjkZhmnI/AAAAAAAAAJE/YFoBBlVU9LM/s1600-h/fake+adobe+download.jpg"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 400px; height: 290px;" src="http://2.bp.blogspot.com/_loJ1Rw68BvQ/SayqjkZhmnI/AAAAAAAAAJE/YFoBBlVU9LM/s400/fake+adobe+download.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5308805588805851762" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;If you run it, of course, you no longer own your machine. 
It belongs to them, because it installs a rootkit....&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_loJ1Rw68BvQ/SayqtQjyS5I/AAAAAAAAAJM/mke8QIcCQjY/s1600-h/rootkit.jpg"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 400px; height: 290px;" src="http://2.bp.blogspot.com/_loJ1Rw68BvQ/SayqtQjyS5I/AAAAAAAAAJM/mke8QIcCQjY/s400/rootkit.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5308805755278871442" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;This one is worse than most, because once it runs, it's subtle... it doesn't pop up messages asking you to install some antispy ... it's just _got_ you.&lt;br /&gt;&lt;br /&gt;Remember, as the economy worsens around the world, the Bad Guys are more motivated than ever to get into your pc.&lt;br /&gt;&lt;br /&gt;Keep safe folks,&lt;br /&gt;&lt;br /&gt;Roger&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6932569542163769993-8308374315812966313?l=tcsltesting.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tcsltesting.blogspot.com/feeds/8308374315812966313/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6932569542163769993&amp;postID=8308374315812966313' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/8308374315812966313'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/8308374315812966313'/><link rel='alternate' type='text/html' href='http://tcsltesting.blogspot.com/2009/03/watch-out-for-fake-facebook-emails.html' title='Watch out for fake FaceBook emails'/><author><name>Roger Thompson</name><uri>http://www.blogger.com/profile/16820150960002669874</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/-izIORnhF9sE/ThJUleD6j7I/AAAAAAAAALw/ZTBZa5rbfSI/s1600/rjt.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_loJ1Rw68BvQ/SayqLeGAcGI/AAAAAAAAAI0/nksaUNAcBsU/s72-c/facebook.jpg' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6932569542163769993.post-7046923427638262878</id><published>2009-02-25T20:14:00.000-08:00</published><updated>2009-02-25T20:17:11.941-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='fake yahoo counter'/><title type='text'>It's _not_ a Yahoo counter!</title><content type='html'>One of the most common complaints we get is when a webmeister or user thinks we're unjustly accusing a website of being evil, and, without sounding immodest about it, we're usually right. The way LinkScanner works is that it makes its evaluations in real time ... it looks at the code as it comes off the webpage, and decides if things are dangerous or not. That's as opposed to those systems that rely on a central database, which is usually too slow to realize that something is dirty, and then too slow to realize it's been cleaned up.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;A typical example is the fake Yahoo counter that looks like this ...&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_loJ1Rw68BvQ/SaYXZcNPPuI/AAAAAAAAAIs/52TYREg975M/s1600-h/Clipboard01.jpg"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 400px; height: 300px;" src="http://1.bp.blogspot.com/_loJ1Rw68BvQ/SaYXZcNPPuI/AAAAAAAAAIs/52TYREg975M/s400/Clipboard01.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5306954936738594530" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;That's the source of a typically hacked page. You see the bit about "Yahoo counter starts" ? Guess what... it's _lying_! 
It actually decrypts to an iframe link to an exploit site, but you wouldn't believe the number of conversations I've had that go like this...&lt;br /&gt;&lt;br /&gt;Ring, ring... me, "Hello, could I speak to your webmeister please?"&lt;br /&gt;Shuffle, shuffle, switching thru ... webmeister, "Hello?"&lt;br /&gt;me, "Hi, I'm sorry to have to tell you this, but I'm a security researcher, and I have to tell you that your website has been hacked."&lt;br /&gt;webmeister, "Sorry... what ... who is this?"&lt;br /&gt;&lt;br /&gt;and then we have many chats about who I am, and how I know, and eventually it gets to the point where they say "Show me", so I show them the code on their page, and they say "But it's a Yahoo counter!"&lt;br /&gt;and I say "Did you put it in?", and they say, "Well, no, but one of the other guys must have"&lt;br /&gt;&lt;br /&gt;:-)&lt;br /&gt;&lt;br /&gt;Sometimes they believe me, but mostly they don't. &lt;br /&gt;&lt;br /&gt;Here's the bottom line folks. I have yet to see a genuine Yahoo counter. They may exist, but they sure don't look like that, so if you're a webmeister with code like that in your pages, please delete it. 
Unless you put it there, it's fake.&lt;br /&gt;&lt;br /&gt;Keep safe&lt;br /&gt;&lt;br /&gt;Roger&lt;br /&gt;&lt;br /&gt;Btw, to be notified of blog updates, plus little extra bits that don't make it to the blog, please follow me on &lt;a href="http://twitter.com/tcsl"&gt;twitter&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6932569542163769993-7046923427638262878?l=tcsltesting.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tcsltesting.blogspot.com/feeds/7046923427638262878/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6932569542163769993&amp;postID=7046923427638262878' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/7046923427638262878'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/7046923427638262878'/><link rel='alternate' type='text/html' href='http://tcsltesting.blogspot.com/2009/02/its-not-yahoo-counter.html' title='It&apos;s _not_ a Yahoo counter!'/><author><name>Roger Thompson</name><uri>http://www.blogger.com/profile/16820150960002669874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/-izIORnhF9sE/ThJUleD6j7I/AAAAAAAAALw/ZTBZa5rbfSI/s1600/rjt.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_loJ1Rw68BvQ/SaYXZcNPPuI/AAAAAAAAAIs/52TYREg975M/s72-c/Clipboard01.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6932569542163769993.post-5380050321941879910</id><published>2009-02-22T19:33:00.000-08:00</published><updated>2009-02-22T19:34:02.537-08:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='stories of human kindness'/><title type='text'>Off-topic (but I think it's a neat story)</title><content type='html'>Hi folks, this is completely off-topic, but I've been chewing on this for a few days, and feel I should share it...&lt;br /&gt;&lt;br /&gt;A few days ago, I took three of my little girls to ballet, and in the middle of the class, the tornado sirens went off. The teachers got all the kids into the safest place in the building which was a hallway, and got them to sit down... all by the book. &lt;br /&gt;&lt;br /&gt;Then the neat part happened...&lt;br /&gt;&lt;br /&gt;One end of the hall was sort of open, and faced the windows .... obviously the most dangerous thing if a tornado did hit. Without anyone saying anything, the moms who were waiting for the kids sat between the kids and the windows, and the two dads, (me and another guy) interposed ourselves between the moms and the windows, thus taking the most dangerous spot. No one said anything, or talked about it ... it just all happened naturally. &lt;br /&gt;&lt;br /&gt;The parents stayed calm, and the kids stayed calm, and the tornados went south of us, so they went back to ballet, and the parents went back to chatting aimlessly.&lt;br /&gt;&lt;br /&gt;About an hour later, I thought about what had happened, and realized that something nice had occurred. A bunch of strangers had naturally come together, without anyone saying anything, with the adults protecting the kids, and the men protecting the women. 
&lt;br /&gt;&lt;br /&gt;In these days of terrible economic uncertainty, I found it heart warming to find that the natural inclination of a group of strangers was to protect the weaker ones.&lt;br /&gt;&lt;br /&gt;We can, and will pull thru this, folks,&lt;br /&gt;&lt;br /&gt;Cheers&lt;br /&gt;&lt;br /&gt;Roger&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6932569542163769993-5380050321941879910?l=tcsltesting.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tcsltesting.blogspot.com/feeds/5380050321941879910/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6932569542163769993&amp;postID=5380050321941879910' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/5380050321941879910'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/5380050321941879910'/><link rel='alternate' type='text/html' href='http://tcsltesting.blogspot.com/2009/02/off-topic-but-i-think-its-neat-story.html' title='Off-topic (but I think it&apos;s a neat story)'/><author><name>Roger Thompson</name><uri>http://www.blogger.com/profile/16820150960002669874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/-izIORnhF9sE/ThJUleD6j7I/AAAAAAAAALw/ZTBZa5rbfSI/s1600/rjt.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6932569542163769993.post-3191748675626142521</id><published>2009-02-19T13:30:00.000-08:00</published><updated>2009-02-19T13:35:41.730-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='weird blogs'/><title type='text'>I didn't say that, I _promise_</title><content type='html'>Ok, I'll admit it 
... I google-alert my name. It's not as bad as it sounds, because I google alert lots of things. It's surprising to see how many people are named Roger Thompson, and it's even mildly amusing to see some of their professions, but that's a story for another day. Today, however, I got this alert...&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;"Even in spite of this it was a relatively benign episode as worms bearing of walking, Grey Goo is cost note, as it may be only the best ancient of this brand of malware for the future, warn Roger Thompson, CTO of anti-exploit software ..." &lt;br /&gt;&lt;br /&gt;Now, I do like the occasional glass of shiraz, but I'm fairly confident that, even after a whole bottle of shiraz, I never said that. Heck, I can't even parse it.&lt;br /&gt; &lt;br /&gt;It was in a blog whose identity shall remain private to protect the innocent (which may be all of us in this case), and a quick bit of searching found a second blog that opens with this amazing statement...&lt;br /&gt;&lt;br /&gt;"A exotic resistant decisive against protecting computer user and business antagonistic zero-day attack aware to that occurrence exploit belt users' frozen drive launch a interview variation of its opening goods on Monday.", in an interview also attributed to me.&lt;br /&gt;&lt;br /&gt;Although it was posted today, it was under a heading of "Antispyware pros launch SocketShield beta", which gives a bit of a clue, because that happened in early 2006, but I'm pretty sure I never said that either.&lt;br /&gt;&lt;br /&gt;In fact, both blogs were full of incomprehensible and un-parsable English just like that. It looks like someone is picking up old articles, and translating them to non-English, and then back again... twice or more.&lt;br /&gt;&lt;br /&gt;But the question is ... why bother? And my answer is ... I have no clue! What's the point? 
The blogs don't appear to be malicious as far as I and my software can determine, but who knows what might happen in the future?&lt;br /&gt;&lt;br /&gt;As funny as the entries are, I think the best idea is simply to regard them as potentially dangerous, and stay away. In other words, if you are googling for _anything_ and the summary that comes up on the search page doesn't make sense.... treat it like a crazy looking stray dog that might bite, and go to a different site.&lt;br /&gt;&lt;br /&gt;Stay safe folks!&lt;br /&gt;&lt;br /&gt;Roger&lt;br /&gt;&lt;br /&gt;PS Please follow me on &lt;a href="http://twitter.com/tcsl"&gt;twitter&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6932569542163769993-3191748675626142521?l=tcsltesting.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tcsltesting.blogspot.com/feeds/3191748675626142521/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6932569542163769993&amp;postID=3191748675626142521' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/3191748675626142521'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/3191748675626142521'/><link rel='alternate' type='text/html' href='http://tcsltesting.blogspot.com/2009/02/i-didnt-say-that-i-promise.html' title='I didn&apos;t say that, I _promise_'/><author><name>Roger Thompson</name><uri>http://www.blogger.com/profile/16820150960002669874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' 
src='http://4.bp.blogspot.com/-izIORnhF9sE/ThJUleD6j7I/AAAAAAAAALw/ZTBZa5rbfSI/s1600/rjt.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6932569542163769993.post-6730824039626437680</id><published>2009-02-10T19:05:00.000-08:00</published><updated>2009-02-10T19:13:02.342-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='waldec storm botnet valentines'/><title type='text'>Storm is dead ... long live storm</title><content type='html'>Today I looked at a Valentine's Day eCard scam, and it was like unexpectedly bumping into an old friend...&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;I got this URL, yourgreatlove.com (**** DON'T GO THERE!!!!! IT MIGHT BE STILL LIVE AND DANGEROUS**** ) from the malwarebytes forum (malwarebytes.org/forums/index.php?showtopic=11109) , and given that it was Valentine's Day malware, I thought I'd take a closer look, and I saw this screen...&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_loJ1Rw68BvQ/SZJA79SEmTI/AAAAAAAAAIY/ReXb8qJZ7OQ/s1600-h/yourgreatlove.com.jpg"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 400px; height: 301px;" src="http://4.bp.blogspot.com/_loJ1Rw68BvQ/SZJA79SEmTI/AAAAAAAAAIY/ReXb8qJZ7OQ/s400/yourgreatlove.com.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5301371110175316274" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;I thought "That's Storm!... Haven't seen that for ages". 
Now, it might well have been around and I just haven't been paying attention, and I'm pretty sure it's what most people call the Waldec botnet, but it was fun to think "Oh, I know what you are!"&lt;br /&gt;&lt;br /&gt;They've updated their crypto and their exploit set, but they still try to trick you into downloading something if the exploits don't get you first, and here's the current exploit list that they throw, hoping something will stick ...&lt;br /&gt;&lt;br /&gt;Outlook Application&lt;br /&gt;Vis Studio&lt;br /&gt;MS Dbg Clr&lt;br /&gt;Vis Stuidio DTE&lt;br /&gt;D.Explore&lt;br /&gt;Vis Studio&lt;br /&gt;Microsoft Update Web Control&lt;br /&gt;Outlook Data Object&lt;br /&gt;Business Object Factory&lt;br /&gt;MDAC&lt;br /&gt;NCT Audio File&lt;br /&gt;Yahoo webcam/Messenger - June 2007&lt;br /&gt;Real Player - March 2008&lt;br /&gt;Creative Labs - May 2008&lt;br /&gt;CA List Ctrl&lt;br /&gt;Yahoo webcam - June 2007&lt;br /&gt;Kingsoft update ocx - Apr 2008 &lt;br /&gt;MySpace uploader ocx - Feb 2008&lt;br /&gt;WebEx mtg manager - Aug 2008&lt;br /&gt;&lt;br /&gt;Of course, if they nail you, you become part of the botnet, as well as giving up your identity and bank account.&lt;br /&gt;&lt;br /&gt;Anyway, it was a deja vu moment. These guys show a pretty fair understanding of current events, and US holidays, so the next thing we'll probably see is an Easter version, unless something newsworthy happens... disaster photos of Australian bushfires maybe?&lt;br /&gt;&lt;br /&gt;Keep safe folks,&lt;br /&gt;&lt;br /&gt;Roger&lt;br /&gt;&lt;br /&gt;OFFTOPIC - REQUEST FOR HELP&lt;br /&gt;Folks,&lt;br /&gt;My wife and son have managed to get a song in the final 15 for the annual NSAI Country Music Television awards. This is out of several thousand entries. They have two chances to win. The first is the judged portion, which is conducted by CMT.com themselves, but the second is a public vote. It's a big opportunity for them. 
&lt;br /&gt;&lt;br /&gt;Their song is "I found everything" by Kate and Ben Thompson, and you can vote for them (as often as you'd like) at http://nsai.cmt.com . I've resisted the temptation to enlist a botnet :-) but would like to help them win. &lt;br /&gt;&lt;br /&gt;Please consider voting for them, and please ask five of your friends to.&lt;br /&gt;&lt;br /&gt;:-)&lt;br /&gt;&lt;br /&gt;Thanks in advance&lt;br /&gt;&lt;br /&gt;Roger&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6932569542163769993-6730824039626437680?l=tcsltesting.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tcsltesting.blogspot.com/feeds/6730824039626437680/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6932569542163769993&amp;postID=6730824039626437680' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/6730824039626437680'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/6730824039626437680'/><link rel='alternate' type='text/html' href='http://tcsltesting.blogspot.com/2009/02/storm-is-dead-long-live-storm.html' title='Storm is dead ... 
long live storm'/><author><name>Roger Thompson</name><uri>http://www.blogger.com/profile/16820150960002669874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/-izIORnhF9sE/ThJUleD6j7I/AAAAAAAAALw/ZTBZa5rbfSI/s1600/rjt.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_loJ1Rw68BvQ/SZJA79SEmTI/AAAAAAAAAIY/ReXb8qJZ7OQ/s72-c/yourgreatlove.com.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6932569542163769993.post-6306403053290956361</id><published>2009-02-05T12:05:00.000-08:00</published><updated>2009-02-05T12:10:43.602-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='thedeadpit'/><title type='text'>Guess what should be blocked next? :-)</title><content type='html'>*** Warning! DON'T go to any of these sites***&lt;br /&gt;&lt;br /&gt;One of the longer-lived attack sites is thedeadpit. This first graphic shows the attack profile, with a peak of about 1500 hits per day. (You can click any of the images for a larger view.)&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_loJ1Rw68BvQ/SYtGvYDsTWI/AAAAAAAAAH4/RlFwkDRdpoQ/s1600-h/thedeadpitMod.jpg"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 400px; height: 241px;" src="http://3.bp.blogspot.com/_loJ1Rw68BvQ/SYtGvYDsTWI/AAAAAAAAAH4/RlFwkDRdpoQ/s400/thedeadpitMod.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5299407166257253730" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;And then, after a while, we started seeing the same stuff come from internetcountercheck. The attack profile shows a recent peak of about 4000 hits in one day. 
This is kind of interesting, and probably reflects a marketing push on their part.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_loJ1Rw68BvQ/SYtG6LagcjI/AAAAAAAAAIA/6kTdyXD2yT4/s1600-h/internetcountMod.jpg"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 400px; height: 241px;" src="http://2.bp.blogspot.com/_loJ1Rw68BvQ/SYtG6LagcjI/AAAAAAAAAIA/6kTdyXD2yT4/s400/internetcountMod.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5299407351841845810" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;It turns out that there are five domains on their domain name server, and look ... today the third one is starting too :-) ...&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_loJ1Rw68BvQ/SYtHEh3NeDI/AAAAAAAAAII/u8kInxgFETE/s1600-h/googMod.jpg"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 400px; height: 241px;" src="http://1.bp.blogspot.com/_loJ1Rw68BvQ/SYtHEh3NeDI/AAAAAAAAAII/u8kInxgFETE/s400/googMod.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5299407529666508850" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;and here are the rest of the domains on the domain server...&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_loJ1Rw68BvQ/SYtHNFkheuI/AAAAAAAAAIQ/gX2nCAX3FW0/s1600-h/domainsMod.jpg"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 400px; height: 241px;" src="http://3.bp.blogspot.com/_loJ1Rw68BvQ/SYtHNFkheuI/AAAAAAAAAIQ/gX2nCAX3FW0/s400/domainsMod.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5299407676690758370" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;So, as you can see, it's a case of three down, two to go. 
If anyone likes to block URLs, these would be a couple of good ones to add.&lt;br /&gt;&lt;br /&gt;Cheers&lt;br /&gt;&lt;br /&gt;Roger&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6932569542163769993-6306403053290956361?l=tcsltesting.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tcsltesting.blogspot.com/feeds/6306403053290956361/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6932569542163769993&amp;postID=6306403053290956361' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/6306403053290956361'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/6306403053290956361'/><link rel='alternate' type='text/html' href='http://tcsltesting.blogspot.com/2009/02/guess-what-should-be-blocked-next.html' title='Guess what should be blocked next? :-)'/><author><name>Roger Thompson</name><uri>http://www.blogger.com/profile/16820150960002669874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/-izIORnhF9sE/ThJUleD6j7I/AAAAAAAAALw/ZTBZa5rbfSI/s1600/rjt.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_loJ1Rw68BvQ/SYtGvYDsTWI/AAAAAAAAAH4/RlFwkDRdpoQ/s72-c/thedeadpitMod.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6932569542163769993.post-4732312529130280853</id><published>2009-02-02T18:12:00.000-08:00</published><updated>2009-02-02T18:17:38.262-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='el fiesta firefox behavior'/><title type='text'>Firefox /El Fiesta mystery solved... 
well, sort of</title><content type='html'>One of the most common attack kits (that we see and block every day) is El Fiesta. It is frequently updated, and according to reports, pretty cheap.... generally a fair formula for success in any part of the software biz. It has a neat statistics page that keeps nice stats like which countries it has seen, and how many successes (or loads) it has managed in each country. &lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_loJ1Rw68BvQ/SYeoYWGZ_PI/AAAAAAAAAHY/xQev1K3DkWE/s1600-h/admin1.jpg"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 400px; height: 290px;" src="http://4.bp.blogspot.com/_loJ1Rw68BvQ/SYeoYWGZ_PI/AAAAAAAAAHY/xQev1K3DkWE/s400/admin1.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5298388622827453682" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;It also tracks the browsers it has seen, and tracks its successes against each browser. At the bottom of the statistics page, it shows how well it has done with each exploit.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_loJ1Rw68BvQ/SYeoizTrzTI/AAAAAAAAAHg/mhOmXw1Me3M/s1600-h/admin2.jpg"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 400px; height: 290px;" src="http://4.bp.blogspot.com/_loJ1Rw68BvQ/SYeoizTrzTI/AAAAAAAAAHg/mhOmXw1Me3M/s400/admin2.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5298388802466467122" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The first interesting point here is that it shows 67 loads against Firefox 3.5, which is impressive, and even more interesting is that the summary shows two FF exploits ... 
a FF NS Local, and a FF Behavior.&lt;br /&gt;&lt;br /&gt;This led us to wonder what they might be, and in particular, just what was the FF Behavior trick?&lt;br /&gt;&lt;br /&gt;At first, all we could get it to do was to throw fairly common PDF exploits at Firefox, which all failed, but then, after certain components were updated just right, we suddenly got this screen that wants to update the page....&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_loJ1Rw68BvQ/SYeoxJ1cPXI/AAAAAAAAAHo/i8UfoF8nQOg/s1600-h/ff.jpg"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 400px; height: 290px;" src="http://2.bp.blogspot.com/_loJ1Rw68BvQ/SYeoxJ1cPXI/AAAAAAAAAHo/i8UfoF8nQOg/s400/ff.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5298389049031802226" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Now, if you click OK for the update, and then run the update, you get this old friend ...&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_loJ1Rw68BvQ/SYeo9rgmgOI/AAAAAAAAAHw/kJqvKIn3C5Y/s1600-h/load.jpg"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 400px; height: 290px;" src="http://2.bp.blogspot.com/_loJ1Rw68BvQ/SYeo9rgmgOI/AAAAAAAAAHw/kJqvKIn3C5Y/s400/load.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5298389264229630178" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Gosh, you've got spyware.... whoda thunk it? Now, I'm not saying it's a great trick or anything, but as the stats page shows, it works. Remember, these guys don't want to cut down the apple tree... 
they just want to shake it, and pick up the apples that fall off.&lt;br /&gt;&lt;br /&gt;We'll keep trying to figure out exactly how they're doing it, just for grins, but there are two other mysteries that we stumbled across while trying to solve this one, so we'll see what happens.&lt;br /&gt;&lt;br /&gt;Cheers&lt;br /&gt;&lt;br /&gt;Roger&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6932569542163769993-4732312529130280853?l=tcsltesting.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tcsltesting.blogspot.com/feeds/4732312529130280853/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6932569542163769993&amp;postID=4732312529130280853' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/4732312529130280853'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/4732312529130280853'/><link rel='alternate' type='text/html' href='http://tcsltesting.blogspot.com/2009/02/firefox-el-fiesta-mystery-solved-well.html' title='Firefox /El Fiesta mystery solved... 
well, sort of'/><author><name>Roger Thompson</name><uri>http://www.blogger.com/profile/16820150960002669874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/-izIORnhF9sE/ThJUleD6j7I/AAAAAAAAALw/ZTBZa5rbfSI/s1600/rjt.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_loJ1Rw68BvQ/SYeoYWGZ_PI/AAAAAAAAAHY/xQev1K3DkWE/s72-c/admin1.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6932569542163769993.post-5826653252921698225</id><published>2009-01-29T09:46:00.001-08:00</published><updated>2009-01-29T09:48:05.309-08:00</updated><title type='text'>A view of the recent google video attack</title><content type='html'>Hi folks,&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Dancho Danchev blogged here about an inventive new way Bad Guys were luring people to innocent videos but then redirecting them to an attack site, which would then try to trick them into installing something bad. Dancho says they'd managed to hijack 400,000 search terms, so it's quite a big attack. We detect and block the way they attempt the trickery, so we were blocking it preemptively, but it's interesting to look at our graph of the attack...&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_loJ1Rw68BvQ/SYHrvlolqbI/AAAAAAAAAHQ/gzaC-JeaiWk/s1600-h/PrevCar.jpg"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 400px; height: 219px;" src="http://3.bp.blogspot.com/_loJ1Rw68BvQ/SYHrvlolqbI/AAAAAAAAAHQ/gzaC-JeaiWk/s400/PrevCar.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5296773839553145266" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Our first detection was on January 19th, and it jumped to between 200 and 250 a day up until January 27th, when it took a sharp drop and just about disappeared on the 28th. 
So here's the interesting bit ... a whois lookup of the attack domain shows that it was registered on January 19th, which means we started detecting it the same day they brought it online... and then Dancho published his blog on January 27th, and the attacks diminished dramatically on the same day (probably because he also told the security team at Google on the same day, and they started cleaning out the search pages).&lt;br /&gt;&lt;br /&gt;Now, you might be tempted to think that a couple of hundred attacks a day for not much more than a week was not much of a payoff for hijacking 400,000 search terms, but it's important to understand that this is just measuring the attacks from a single domain. They probably had lots more than that. These guys are pretty smart, without a doubt.&lt;br /&gt;&lt;br /&gt;I don't know about you, but I think it's pretty cool when you can see data like this, and even cooler when you can explain why it's happened. &lt;br /&gt;&lt;br /&gt;:-)&lt;br /&gt;&lt;br /&gt;Cheers&lt;br /&gt;&lt;br /&gt;Roger&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6932569542163769993-5826653252921698225?l=tcsltesting.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tcsltesting.blogspot.com/feeds/5826653252921698225/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6932569542163769993&amp;postID=5826653252921698225' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/5826653252921698225'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/5826653252921698225'/><link rel='alternate' type='text/html' href='http://tcsltesting.blogspot.com/2009/01/view-of-recent-google-video-attack.html' title='A view of the recent 
google video attack'/><author><name>Roger Thompson</name><uri>http://www.blogger.com/profile/16820150960002669874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/-izIORnhF9sE/ThJUleD6j7I/AAAAAAAAALw/ZTBZa5rbfSI/s1600/rjt.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_loJ1Rw68BvQ/SYHrvlolqbI/AAAAAAAAAHQ/gzaC-JeaiWk/s72-c/PrevCar.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6932569542163769993.post-1706900911522388033</id><published>2009-01-27T12:19:00.002-08:00</published><updated>2009-01-27T12:20:55.006-08:00</updated><title type='text'>Obama worm? ... nah, surely not</title><content type='html'>I don't often get to work at the coal face much anymore (which is a shame, because I'm a coal-face kind of guy), but today I had that privilege. One of our resellers, Walling Data, called me and asked if I knew of any malcode that displayed a picture of President Obama. 
While I could see the funny side of that, no matter what your political persuasion might be, I had to admit that I had not, but here's a screenshot to show you what these folks were seeing....&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_loJ1Rw68BvQ/SX9sgQyReEI/AAAAAAAAAHI/LAfsjWD57HI/s1600-h/obama.jpg"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 400px; height: 274px;" src="http://4.bp.blogspot.com/_loJ1Rw68BvQ/SX9sgQyReEI/AAAAAAAAAHI/LAfsjWD57HI/s400/obama.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5296070988328433730" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;I'd be happy to think it was just someone's prank, except for these facts...&lt;br /&gt;(1) The victim is a school, with about 100 PCs&lt;br /&gt;(2) It appeared on all PCs at about the same time&lt;br /&gt;(3) The PCs have filesharing enabled&lt;br /&gt;(4) It's not clear if all PCs are patched.&lt;br /&gt;&lt;br /&gt;We're still investigating it, but Occam would suggest that it is what it seems ... a worm. Probably not a Conficker variant, because as far as we can tell, the source code is not available for Conficker, but probably something exploiting MS08-067. &lt;br /&gt;&lt;br /&gt;Anyway, we'll keep investigating, and will let you know what we find.&lt;br /&gt;&lt;br /&gt;Cheers&lt;br /&gt;&lt;br /&gt;Roger&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;PS: Note to school admins: Given that Conficker source is probably not available, and if no one else ends up reporting this, there's some chance one of your students wrote it. Find your smartest, geekiest, dweebiest kid, and look hard at him. Remember, the geek shall inherit the earth.&lt;br /&gt;&lt;br /&gt;PPS: Despite all the press, and the large number of victims that Conficker has recently gained, it's worth noting that this is probably a corporate and edu problem rather than a consumer problem. 
The only people this should really have caught are those that (1) haven't patched a two-month-old vulnerability and (2) allow filesharing. These are corporates and edus. Consumers, for the most part, allow automatic patching each month, and any consumer naive enough to allow filesharing got nailed a long time ago. This assertion is supported by the fact that, within our client base (mostly consumer and SMB), we've had very little detection of it. It's also worth noting that if the perps really did nail 9 million victims, they defeated their own purpose anyway, because they DDoSed themselves instantly. Have you got any idea how long it would take to enumerate 9 million PCs over the Internet? They're still on the first pass, for sure.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6932569542163769993-1706900911522388033?l=tcsltesting.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tcsltesting.blogspot.com/feeds/1706900911522388033/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6932569542163769993&amp;postID=1706900911522388033' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/1706900911522388033'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/1706900911522388033'/><link rel='alternate' type='text/html' href='http://tcsltesting.blogspot.com/2009/01/obama-worm-nah-surely-not.html' title='Obama worm? ... 
nah, surely not'/><author><name>Roger Thompson</name><uri>http://www.blogger.com/profile/16820150960002669874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/-izIORnhF9sE/ThJUleD6j7I/AAAAAAAAALw/ZTBZa5rbfSI/s1600/rjt.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_loJ1Rw68BvQ/SX9sgQyReEI/AAAAAAAAAHI/LAfsjWD57HI/s72-c/obama.jpg' height='72' width='72'/><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6932569542163769993.post-1322162726856911429</id><published>2009-01-24T18:06:00.000-08:00</published><updated>2009-01-24T18:23:12.968-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='exploits targeted by user agent'/><title type='text'>Something interesting tonight (and, boy, we have a great community)</title><content type='html'>Hi folks,&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;One of our friends, a security guy at the IRS, noticed a new fast-flux botnet today serving up exploits, and Nick FitzGerald, a well-known anti-malware guy, investigated a bit further and found that the exploits were being fired based on which browser the visitor is using.&lt;br /&gt;&lt;br /&gt;If you're using Internet Explorer, for example, it shoots a bunch of common IE exploits. 
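&lt;br /&gt;&lt;br /&gt;A quick way to see this kind of browser-keyed serving for yourself is to request the same landing page with several User-Agent strings and compare what comes back. The Python below is an added example, not code from this post or from the kit. browser_family() classifies UA strings the way a kit has to (Chrome advertises itself as Safari, and Opera of that era could masquerade as MSIE, so token order matters), probe() hashes each response and groups the agents by it, and fake_kit_server() is a constructed stand-in for the kit's unknown server logic that branches the way this post describes: an IE bundle for IE, one exploit for Firefox or Opera, PDF exploits for Chrome and Safari, and a bland decoy for anything else.&lt;br /&gt;&lt;br /&gt;

```python
"""Probe one URL with several browser User-Agent strings and report whether
the server answers differently per browser family, which is the behaviour the
post describes.  Added example, not the kit's code: the kit's server-side
logic is unknown, so fake_kit_server() is a constructed stand-in for it."""
import hashlib
import urllib.request
from collections import defaultdict

# Genuine User-Agent strings of the 2009 browser generation named in the post.
PROBE_AGENTS = {
    "ie7": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)",
    "firefox3": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) "
                "Gecko/2008120122 Firefox/3.0.5",
    "opera9": "Opera/9.63 (Windows NT 5.1; U; en) Presto/2.1.1",
    "opera_as_ie": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.50",
    "chrome1": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 "
               "(KHTML, like Gecko) Chrome/1.0.154.36 Safari/525.19",
    "safari3": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.28 "
               "(KHTML, like Gecko) Version/3.2.1 Safari/525.28.1",
    "wget": "Wget/1.11.4",
}


def browser_family(ua):
    """Classify a UA string.  Order matters: Chrome advertises 'Safari', and
    Opera of that era could masquerade as MSIE, so the specific tokens win."""
    if "Opera" in ua:
        return "opera"
    if "MSIE" in ua:
        return "ie"
    if "Firefox/" in ua:
        return "firefox"
    if "Chrome/" in ua:
        return "chrome"
    if "Safari/" in ua:
        return "safari"
    return "other"


def fake_kit_server(ua):
    """Constructed stand-in for the kit's landing page, branching the way the
    post describes: IE gets the IE bundle, Firefox and Opera get a single
    browser-specific exploit, Chrome and Safari get generic PDF exploits, and
    anything unrecognised (scanners, wget) gets a bland decoy page."""
    pages = {
        "ie": "landing page: bundle of IE exploits",
        "firefox": "landing page: one Firefox exploit",
        "opera": "landing page: one Opera exploit",
        "chrome": "landing page: generic PDF exploits",
        "safari": "landing page: generic PDF exploits",
    }
    return pages.get(browser_family(ua), "landing page: nothing to see here")


def http_fetch(url, timeout=10):
    """Build a real fetcher for a live URL (network; run it from an isolated analysis box)."""
    def fetch(ua):
        req = urllib.request.Request(url, headers={"User-Agent": ua})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    return fetch


def probe(fetch, agents=PROBE_AGENTS):
    """Fetch once per UA and group the agent names by response hash.
    More than one group means the server is keying content on the browser."""
    groups = defaultdict(list)
    for name, ua in agents.items():
        digest = hashlib.sha256(fetch(ua).encode()).hexdigest()[:12]
        groups[digest].append(name)
    return dict(groups)


def is_cloaking(groups):
    return len(groups) > 1


if __name__ == "__main__":
    for digest, names in probe(fake_kit_server).items():
        print(digest, names)
```

&lt;br /&gt;&lt;br /&gt;Against the constructed server, probe() comes back with five groups: IE, Firefox, the two Opera strings together, Chrome and Safari together (same PDF payload), and wget on the decoy page. To run it against a live landing page, pass http_fetch(url) instead of fake_kit_server, from an isolated analysis box. One caveat from practice: kits of this era often also key on the client IP and hand a given address the payload only once, so a second probe from the same address may already get the decoy, and you want to capture the very first response per address.&lt;br /&gt;&lt;br /&gt;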
Nothing too new here, so if you're patched, you're fine, but one interesting bit is that it looks to me like it's been lifted from a decrypted Neosploit, and tweaked a bit.&lt;br /&gt;&lt;br /&gt;If you're using Firefox or Opera, it shoots a specific exploit for FF or Opera, and if you're using Chrome or Safari, it fires some generic PDF exploits at you.&lt;br /&gt;&lt;br /&gt;The encryption technique is new, and a bit cute in the way that it is hooked into the HTML, presumably to try to avoid decryption emulators.&lt;br /&gt;&lt;br /&gt;Oh, and if it succeeds, it installs a fairly new rootkit, which AVG detects as an Agent variant. Oh, and from Russia, too.&lt;br /&gt;&lt;br /&gt;So the first interesting thing is that it shows that the Bad Guys are constantly thinking and innovating and probing, but the second, and more important, thing is that it highlights how well the anti-malware community cooperates, mostly unnoticed and unappreciated, behind the scenes.&lt;br /&gt;&lt;br /&gt;Shout-outs to our friend at the IRS and Nick.&lt;br /&gt;&lt;br /&gt;Cheers&lt;br /&gt;&lt;br /&gt;Roger&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6932569542163769993-1322162726856911429?l=tcsltesting.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tcsltesting.blogspot.com/feeds/1322162726856911429/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6932569542163769993&amp;postID=1322162726856911429' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/1322162726856911429'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/1322162726856911429'/><link rel='alternate' type='text/html' 
href='http://tcsltesting.blogspot.com/2009/01/something-interesting-tonight-and-boy.html' title='Something interesting tonight (and, boy, we have a great community)'/><author><name>Roger Thompson</name><uri>http://www.blogger.com/profile/16820150960002669874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/-izIORnhF9sE/ThJUleD6j7I/AAAAAAAAALw/ZTBZa5rbfSI/s1600/rjt.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6932569542163769993.post-4182198893538070976</id><published>2009-01-19T17:15:00.000-08:00</published><updated>2009-01-19T17:16:33.357-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='passwords phishing'/><title type='text'>Write your passwords down</title><content type='html'>Hi folks,&lt;br /&gt;&lt;br /&gt;For most of the last 20 years or so that I've been paying attention to computer security, the mantra has been "Don't write your passwords down .... someone might steal your postit note... make a password you can remember."&lt;br /&gt;&lt;br /&gt;Now, this is a Good Idea, _except_ that it encourages most people to have just one password... Or maybe two, if you have a really strong memory. And, unlike twenty years ago, where you maybe only had an email password, and a network login password at the office, there are now a zillion places to log into. As well as your email and the office, there's all the web 2.0 (or as I like to put it, the web 2.uh-oh) stuff ... your bank, youtube, myspace, facebook, amazon, ebay and twitter to mention but a few. Guess what ... if they're all using the same password, and _one_ of them gets hacked or phished, you lose your password everywhere. 
If that includes your bank or paypal password, that's about the key to the kingdom, and you might not even know until real money starts disappearing.&lt;br /&gt;&lt;br /&gt;Instead of using just one or two passwords, have many, and _write them down_.... either in your wallet or in a database. If you lose your wallet, at least you'll know to reset your passwords, as well as cancel your credit cards.&lt;br /&gt;&lt;br /&gt;Remember, there's now a whole industry comprised of people whose job it is to compromise your security. They go hungry if they don't, so they are highly motivated to be successful. Be careful on the Internet.&lt;br /&gt;&lt;br /&gt;Cheers folks,&lt;br /&gt;&lt;br /&gt;Roger&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6932569542163769993-4182198893538070976?l=tcsltesting.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tcsltesting.blogspot.com/feeds/4182198893538070976/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6932569542163769993&amp;postID=4182198893538070976' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/4182198893538070976'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/4182198893538070976'/><link rel='alternate' type='text/html' href='http://tcsltesting.blogspot.com/2009/01/write-your-passwords-down.html' title='Write your passwords down'/><author><name>Roger Thompson</name><uri>http://www.blogger.com/profile/16820150960002669874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' 
src='http://4.bp.blogspot.com/-izIORnhF9sE/ThJUleD6j7I/AAAAAAAAALw/ZTBZa5rbfSI/s1600/rjt.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6932569542163769993.post-958355480986160030</id><published>2008-12-31T15:48:00.001-08:00</published><updated>2008-12-31T15:48:33.539-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='mule'/><title type='text'>Don't be a donkey, they just want a mule</title><content type='html'>Hi folks,&lt;br /&gt;&lt;br /&gt;Today I received this in the email...&lt;br /&gt;&lt;br /&gt;&gt;Hello ,&lt;br /&gt;&lt;br /&gt;&gt;Make $10,000 per week working from home. No experience necessary.&lt;br /&gt;&lt;br /&gt;&gt;Do you wish you could make money regardless of where you are, work or home?&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&gt;Stop wishing. Get a life of freedom where you can do what you want, when&lt;br /&gt;&gt;you want, all while making a good living from wherever you want.&lt;br /&gt;&lt;br /&gt;&gt;Register on our website,"&lt;br /&gt;&lt;br /&gt;Ten grand a week working from home? Gosh, I'd be a fool not to follow up on that ...  wouldn't I? &lt;br /&gt;&lt;br /&gt;Heh. If you follow up, of course, eventually you find that all they want you to do is move money through your account, for which you get to keep a percentage. Very easy money. 
&lt;br /&gt;&lt;br /&gt;Or maybe they want you to receive packages, and re-pack the contents and send them overseas somewhere, and again, it's easy money.&lt;br /&gt;&lt;br /&gt;Until the Secret Service shows up, that is, and explains that the money and/or the goods have been obtained illegally, and you are now in a spot of bother.&lt;br /&gt;&lt;br /&gt;It's called being a mule, and such pitches are both more common and more tempting in these difficult financial times.&lt;br /&gt;&lt;br /&gt;Bottom line is that, even on the Internet, if it sounds too good to be true, it probably is.&lt;br /&gt;&lt;br /&gt;Keep safe, folks,&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Roger&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6932569542163769993-958355480986160030?l=tcsltesting.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tcsltesting.blogspot.com/feeds/958355480986160030/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6932569542163769993&amp;postID=958355480986160030' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/958355480986160030'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/958355480986160030'/><link rel='alternate' type='text/html' href='http://tcsltesting.blogspot.com/2008/12/dont-be-donkey-they-just-want-mule.html' title='Don&apos;t be a donkey, they just want a mule'/><author><name>Roger Thompson</name><uri>http://www.blogger.com/profile/16820150960002669874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' 
src='http://4.bp.blogspot.com/-izIORnhF9sE/ThJUleD6j7I/AAAAAAAAALw/ZTBZa5rbfSI/s1600/rjt.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6932569542163769993.post-3283974683568057619</id><published>2008-12-30T21:35:00.001-08:00</published><updated>2009-01-02T06:03:24.047-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='md5 failure rogue cas'/><title type='text'>Forged CAs</title><content type='html'>Update #1 - Jan 2nd, 2009&lt;br /&gt;&lt;br /&gt;It looks like Verisign has fixed it (or at least thinks it has) ...&lt;br /&gt;&lt;br /&gt;https://blogs.verisign.com/ssl-blog/2008/12/on_md5_vulnerabilities_and_mit.php&lt;br /&gt;&lt;br /&gt;Reading between the lines, they've tweaked their cert issuing backend so that vulnerable certs cannot be issued. In other words, what the Clever White Hats originally did was get an ordinary website cert and then, using an MD5 collision, turn it into a rogue intermediate CA cert, and Verisign has changed their procedures so that vulnerable certs can no longer be issued.&lt;br /&gt;&lt;br /&gt;This is called a work-around, as opposed to a true fix, but it's probably good enough.&lt;br /&gt;&lt;br /&gt;We'll continue to monitor the situation, but I think all is well.&lt;br /&gt;&lt;br /&gt;Cheers&lt;br /&gt;&lt;br /&gt;Roger&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Hi folks,&lt;br /&gt;&lt;br /&gt;One of the most interesting developments in the last few weeks came at the 25C3 conference. The nub of the matter is that some really clever researchers have figured out how to forge a CA certificate that browsers trust, by exploiting collisions in MD5, which some CAs were still using to sign certificates; in effect, a way to break SSL. In other words, if this stuff were to become widespread, you couldn't trust a website offering an HTTPS connection anymore.&lt;br /&gt;&lt;br /&gt;This would suck for the web in general, except that it's hard to duplicate. 
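&lt;br /&gt;&lt;br /&gt;Hard to duplicate or not, the thing worth checking on your own side is whether any certificate in a chain you rely on is still signed with MD5 at all, since the forgery needed a CA that was. The Python below is an added example (mine, not the researchers' tooling and not from this post): it walks the outer DER structure of an X.509 certificate, decodes the signatureAlgorithm OID and flags md5WithRSAEncryption. The certificate it runs on is a constructed DER skeleton, not a real certificate; server_leaf_der() is the hook for pulling a live leaf instead.&lt;br /&gt;&lt;br /&gt;

```python
"""Report the signature algorithm of a DER-encoded X.509 certificate and flag
MD5.  Added example, not from the post: the 25C3 forgery needed a CA that
still signed with MD5, so the practical check is the signatureAlgorithm OID
on every certificate in a chain.  The sample certificate built below is a
constructed DER skeleton, not a real certificate."""
import ssl

SIG_ALGS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
WEAK = {"md5WithRSAEncryption"}


def read_tlv(buf, pos):
    """Decode one DER tag-length-value starting at pos: (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length >= 0x80:                 # long form: the low 7 bits count the length bytes
        nbytes = length - 0x80
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """OID content bytes to dotted form; the first byte packs the first two arcs,
    later arcs are base-128 with the high bit as a continuation flag."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = acc * 128 + (b % 128)
        if b >= 0x80:
            continue
        arcs.append(acc)
        acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)            # skip tbsCertificate
    _, algid, _ = read_tlv(cert, pos)           # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = read_tlv(algid, 0)
    if tag != 0x06:
        raise ValueError("expected an OID in AlgorithmIdentifier")
    dotted = decode_oid(oid)
    return SIG_ALGS.get(dotted, dotted)


def is_weak_signature(der):
    return signature_algorithm(der) in WEAK


def server_leaf_der(host, port=443):
    """Fetch a live server's leaf certificate as DER (network; not used by the sample)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


# ---- constructed sample data: a minimal DER skeleton, NOT a real certificate ----
def der(tag, body):
    """Encode tag, length (short form, or 2-byte long form) and body."""
    if len(body) >= 0x80:
        return bytes([tag, 0x82]) + len(body).to_bytes(2, "big") + body
    return bytes([tag, len(body)]) + body


def fake_cert(sig_oid):
    tbs = der(0x30, der(0x02, b"\x01"))                       # stand-in tbsCertificate
    algid = der(0x30, der(0x06, sig_oid) + der(0x05, b""))    # OID + NULL parameters
    sig = der(0x03, b"\x00" + b"\xaa" * 128)                  # BIT STRING, long-form length
    return der(0x30, tbs + algid + sig)


MD5_RSA = bytes.fromhex("2a864886f70d010104")      # 1.2.840.113549.1.1.4
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11

if __name__ == "__main__":
    for oid in (MD5_RSA, SHA256_RSA):
        sample = fake_cert(oid)
        print(signature_algorithm(sample), "weak" if is_weak_signature(sample) else "ok")
```

&lt;br /&gt;&lt;br /&gt;Two practical notes. First, the certificate that matters for this forgery is the one the CA signed over the rogue intermediate, so run the check on every certificate in the chain, not only the leaf a browser shows you. Second, the parser deliberately reads only the outer signatureAlgorithm; a full validator would also confirm it matches the signature field inside tbsCertificate, which this skeleton omits.&lt;br /&gt;&lt;br /&gt;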
What this means is that it probably falls into the category of "This will be really bad if it ever happens, but it's by no means certain to happen."&lt;br /&gt;&lt;br /&gt;I don't think there are any easy fixes for this, and we'll just have to watch to see how it unfolds.&lt;br /&gt;&lt;br /&gt;I'm just glad it's at least hard to duplicate.&lt;br /&gt;&lt;br /&gt;Cheers&lt;br /&gt;&lt;br /&gt;Roger</content><link rel='replies' type='application/atom+xml' href='http://tcsltesting.blogspot.com/feeds/3283974683568057619/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6932569542163769993&amp;postID=3283974683568057619' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/3283974683568057619'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/3283974683568057619'/><link rel='alternate' type='text/html' href='http://tcsltesting.blogspot.com/2008/12/forged-cas.html' title='Forged CAs'/><author><name>Roger Thompson</name><uri>http://www.blogger.com/profile/16820150960002669874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/-izIORnhF9sE/ThJUleD6j7I/AAAAAAAAALw/ZTBZa5rbfSI/s1600/rjt.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6932569542163769993.post-2017112184086085991</id><published>2008-12-16T06:39:00.000-08:00</published><updated>2008-12-16T06:47:31.220-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='419 scam'/><title type='text'>Awww.... 
puppies?</title><content type='html'>Hi folks,&lt;br /&gt;&lt;br /&gt;A couple of days ago, I got this in email...&lt;br /&gt;&lt;br /&gt;"GOOD DAY,&lt;br /&gt;&lt;br /&gt;HOW ARE YOU DOING ? HOPE FINE.&lt;br /&gt;&lt;br /&gt;MY NAME IS REV.PAUL xxxxx  I AND MY WIFE AND 3 KIDS ARE ON A CHRISTIAN MISSION TO AFRICA AND WE CAME ALONG WITH OUR 2 TEACUP YORKSHIRE TERRIER BABIES. (BOTH ARE 14 WEEKS OLD) AFTER A WHILE WE NOTICE THAT THE AFRICAN WEATHER IS NOT GOOD FOR THERE HEALTH AND WE HAVE NOT BEEN ABLE TO TAKE GOOD CARE OF THEM THE WAY WE ALWAYS DO, BECAUSE OF MY JOB. THEY ARE AKC REGISTERED. - TEACUP. HOME RAISED,VACCINES &amp; HEALTH GUARANTEE.&lt;br /&gt;&lt;br /&gt;WE NEED SOMEONE TO ADOPT BOTH AND TAKE CARE OF THEM THE WAY WE ALWAYS DO. IF YOU CAN TAKE GOOD CARE OF THEM, DO SEND A REPLY AND WILL EMAIL YOU WITH MORE INFO.&lt;br /&gt;&lt;br /&gt;P/S: PROVIDE A CONTACT PHONE NUMBER FOR FURTHER COMMUNICATION.&lt;br /&gt;&lt;br /&gt;WE HOPE TO READ FROM YOU.&lt;br /&gt;&lt;br /&gt;REGARDS,&lt;br /&gt;&lt;br /&gt;REV. PAUL &amp; MARY xxxxxx&lt;br /&gt;MOTTO: IN GOD WE TRUST."&lt;br /&gt;&lt;br /&gt;Now, I know he's a Reverend, and I know they're just little puppies, so nothing could go wrong with that, could it? &lt;br /&gt;&lt;br /&gt;Heh. Of course, it's just another 419 scam, but it's a bit funny. 
Oh, and watch out for the "Pretty Russian girl" who wants to be your friend too.&lt;br /&gt;&lt;br /&gt;Cheers&lt;br /&gt;&lt;br /&gt;Roger</content><link rel='replies' type='application/atom+xml' href='http://tcsltesting.blogspot.com/feeds/2017112184086085991/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6932569542163769993&amp;postID=2017112184086085991' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/2017112184086085991'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/2017112184086085991'/><link rel='alternate' type='text/html' href='http://tcsltesting.blogspot.com/2008/12/awww-puppies.html' title='Awww.... puppies?'/><author><name>Roger Thompson</name><uri>http://www.blogger.com/profile/16820150960002669874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/-izIORnhF9sE/ThJUleD6j7I/AAAAAAAAALw/ZTBZa5rbfSI/s1600/rjt.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6932569542163769993.post-4718353746262061238</id><published>2007-01-15T19:02:00.000-08:00</published><updated>2007-01-15T19:05:11.034-08:00</updated><title type='text'>Blogger can have javascript embedded?</title><content type='html'>Hi folks,&lt;br /&gt;&lt;br /&gt;I guess other people knew this, but I did not. 
It turns out that if you own a blog, using the new version of Blogger, you can embed javascript, by adding Page Elements in the layout screen.&lt;br /&gt;&lt;br /&gt;What this means is that, if you wanted to, you could embed exploits. Now, to be fair, it's only in your own blog, and an exploit might get shut down pretty quickly, but on the other hand, some exploits are pretty subtle, and some will not be noticed until long after someone has surfed off somewhere else. And, of course, if it's a rootkit, it might not be noticed at all. So far we have not found any overt exploits, but we do keep finding obfuscated automatic redirects to bogus search engines or porn pages.&lt;br /&gt;&lt;br /&gt; How it works is this ... They first go to the trouble of setting up a fairly legitimate looking page. Probably they just "borrow" one from a legitimate site, such as Royal Caribbean Tours. This ensures that when the google bots come to index them, they will have lots of good keywords to be indexed on. Then, by adding a small javascript, they automatically redirect any visitors to the real target. 
I guess they consider that it's marketing, but putting the kindest interpretation on it, it's bait and switch at a minimum.&lt;br /&gt;&lt;br /&gt;Naturally, we've taken the precaution of preemptively blocking those scripts, but it's easy to see how that school teacher recently got into trouble for having porn on the computers under her control.&lt;br /&gt;&lt;br /&gt;Cheers&lt;br /&gt;&lt;br /&gt;Roger</content><link rel='replies' type='application/atom+xml' href='http://tcsltesting.blogspot.com/feeds/4718353746262061238/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6932569542163769993&amp;postID=4718353746262061238' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/4718353746262061238'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/4718353746262061238'/><link rel='alternate' type='text/html' href='http://tcsltesting.blogspot.com/2007/01/blogger-can-have-javascript-embedded.html' title='Blogger can have javascript embedded?'/><author><name>Roger Thompson</name><uri>http://www.blogger.com/profile/16820150960002669874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/-izIORnhF9sE/ThJUleD6j7I/AAAAAAAAALw/ZTBZa5rbfSI/s1600/rjt.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6932569542163769993.post-5494186899057372678</id><published>2007-01-13T06:52:00.000-08:00</published><updated>2007-01-13T06:54:26.515-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='winbudget yay'/><title 
type='text'>Yay! Winbudget is installed!</title><content type='html'>Hi folks,&lt;br /&gt;&lt;br /&gt;In the last day or so, there has been some discussion, particularly in EDU circles, about some sort of bot programs infecting computers and displaying "Yay". (The Attentive Reader will be amused that malcode would actually announce its presence, but that's beside the point). It's not yet clear where they're getting the Yay-bot from, but part of the mystery is now solved. The purpose of the Yay-bot is to install a piece of adware/spyware called WinBudget. This is a Browser Helper Object that appears to monitor all the major search engines, and hijack the search results, displaying its own popups as well.&lt;br /&gt;&lt;br /&gt;I guess we can speculate that the dork^h^h^h^h programmer who wrote the installer must have been a bit of a newbie, and was thrilled to find his code actually worked... thus the "Yay". The BHO, however, works quite well and is a real nuisance, and we've taken the precaution of blocking the BHO install site.&lt;br /&gt;&lt;br /&gt;Roger</content><link rel='replies' type='application/atom+xml' href='http://tcsltesting.blogspot.com/feeds/5494186899057372678/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6932569542163769993&amp;postID=5494186899057372678' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/5494186899057372678'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/5494186899057372678'/><link rel='alternate' type='text/html' href='http://tcsltesting.blogspot.com/2007/01/yay-winbudget-is-installed.html' 
title='Yay! Winbudget is installed!'/><author><name>Roger Thompson</name><uri>http://www.blogger.com/profile/16820150960002669874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/-izIORnhF9sE/ThJUleD6j7I/AAAAAAAAALw/ZTBZa5rbfSI/s1600/rjt.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6932569542163769993.post-657916519582502773</id><published>2006-12-18T18:28:00.001-08:00</published><updated>2006-12-18T18:28:34.823-08:00</updated><title type='text'>A brief hello</title><content type='html'>Since this is the first post, I thought I'd take a couple of sentences to talk about TCSL, and what we're about. I'm a long-term anti virus guy, having started one of the first anti virus companies in Australia in 1987. I've stayed active in the industry at a technical level, and in 2005, I formed Thompson Cyber Security Labs with a view towards making the industry stronger by helping people test their antivirus and antispyware products, mostly through private testing. You see, testing malicious code detection and remediation is quite tricky to do properly. Firstly, you've got to know how malicious code works, and what it does to a system, otherwise you can't tell if the antivirus/ antispy was able to stop it and/ or remove it properly. You can't rely on the logs of the av/ as program either, because those might be flat out wrong. There are many cases where av/as programs _say_ they've done something, and they simply haven't. So, that's where we come in. 
We'll monitor antivirus and antispy programs' ability to handle all sorts of malicious code. We'll start with rootkits... Stay tuned, Roger</content><link rel='replies' type='application/atom+xml' href='http://tcsltesting.blogspot.com/feeds/657916519582502773/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6932569542163769993&amp;postID=657916519582502773' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/657916519582502773'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6932569542163769993/posts/default/657916519582502773'/><link rel='alternate' type='text/html' href='http://tcsltesting.blogspot.com/2006/12/brief-hello.html' title='A brief hello'/><author><name>Roger Thompson</name><uri>http://www.blogger.com/profile/16820150960002669874</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='23' height='32' src='http://4.bp.blogspot.com/-izIORnhF9sE/ThJUleD6j7I/AAAAAAAAALw/ZTBZa5rbfSI/s1600/rjt.jpg'/></author><thr:total>0</thr:total></entry></feed>
