Saturday, April 4, 2009

The gift that keeps on giving

So... years ago, I wrote a program called WormRadar. It was designed to detect and measure the malware of the day, worms. More recently, the web became the main attack vector, and we started building programs to detect and measure that activity (which is where LinkScanner came from), and WormRadar gradually fell into disuse. Really recently (as opposed to more recently, and yes, my old English teacher wants to rap my knuckles for that), we cranked up a WormRadar node again, just to see what new things were circulating, and the number one thing we're detecting is .... Slammer!!!!!!

Now, many readers will already see the funny side of that, but many will also not, so for the "nots" ... SQL Slammer was a worm that appeared in January 2003, and really hit the Internet hard. That was pretty amazing at the time, because it exploited a vulnerability that had been patched as MS02-039... _six_ months earlier. In other words, although a patch had been available for six months, so many people had not patched that the worm was able to be a major spreader six months later.

Then, in 2004, Microsoft released XP Service Pack 2, in which the firewall was on by default for the first time, and this was really an Extinction Level Event for most worms, because even the little old Windows firewall is enough to stop all worms. There have not been any worms since then that can force their way through the firewall from outside. Conficker, for example, relies on getting inside the firewall by some other method... USB drive... social engineering ... whatever... and then runs rampant inside a network, but it can't _force_ its way in.

This then, is the amusing and amazing thing about Slammer... it's still alive and well six _years_ after its first appearance, which is six _years and six months_ after the patch was released!

In other words, there are computers which are just never patched!!!!

There is a name for this type of user .... Victims!

Keep safe folks! (Oh, and keep patched! ;-))

Roger

Tuesday, March 31, 2009

The imminent demise of the Internet ...

is being greatly exaggerated, in case you haven't figured it out by yourself.

What's happening is that people are worried because the Conficker worm is due to do "something" on Apr 1st, and no one knows exactly what. Human nature being what it is, some folks are fixating on the worst possible outcome. It'd be pretty bad if you got hit by a meteor too, but no one is building meteor shelters.

There are two main issues to consider here. The first is that Conficker is a pretty well-thought-out attack, and it's pretty unlikely that its authors want to do anything but make money for their efforts. It's not in their, or anyone's, interest to try to kill the Internet. They can't make money if they do that. They don't want to chop down the apple tree... they just want to shake it and pick up the apples that fall off.

The second is that this is a government/ corporate/ education problem... not a consumer one. The two main vectors for spreading are a vulnerability in a service called RPC, which was patched in October 2008, and poorly protected network shares. The only people who have networks and who also don't patch are government, corporate and education users. Fortunately, they're also the folk who have staff with expertise that they can call on to fight back. The worm probably grabbed millions of users right out of the box in December 2008, but any gov/ corp/ edu user who is still infected after five months deserves it. On the other hand, Joe the Plumber almost certainly allows automatic patching each month, probably doesn't have much of a network, and presents a much smaller target.

Yes, some of Joe's friends will have been nailed by now, by infected USB keys or something, but it's not going to be a massive number of users. The Conficker botherders will simply have achieved their goal of building a fairly bullet-proof botherd, and will now "farm" that botnet while they prepare their next attack. (We will see things like this again, so now would be a good time to upgrade to AVG Identity Protection ... it'll provide a good safety net for the next attack.)

By the way, I think this is a fairly predictable consequence of playing whack-a-mole with botherds. All you do is cull the weak ones from the herd, and encourage the smarter ones to build a stronger botnet.

All in all, I think the date of April 1st is entirely (if accidentally) appropriate.

Keep safe, folks.

Roger

Saturday, March 28, 2009

KoobFace, Facebook and Classmates... oh my.

Hi folks,


So, the March pitch from KoobFace seems to be bigger in scope... well, that's if you can derive stats from a sample base of one, because I've personally received three pitches this time... one for Facebook, and two for Classmates.com... but the basic pitch is the same.

It comes as an email along these lines ... : "Girls in beautiful black underwear dancing in the pub, showing off perfect bodies. Unbelievable Final!".

If you go to the webpage in the email, it looks pretty much like the site is Facebook or Classmates, because the fake site draws a bunch of content directly from the real site, like this ...





and, of course, the aim is to get you to download a fake Adobe update, which is really the worm.

Of course, if you look at the URL in the browser bar, it is obviously not really Facebook, but that's not the point. They don't expect to fool everybody .... they just want to fool enough bodies.

And, of course, it goes without saying that LinkScanner detects and blocks the fakes just fine.

Oh, and I am kidding about deriving stats from a sample-size of one. :-)

Keep safe folks,

Roger

Monday, March 16, 2009

One website cleaned ... many more to go

Hi folks,

Just a quick note to share that the hacked page at phoenix.spelthorne.gov.uk has been cleaned, and no longer displays "Fatal Error ownz you" and is no longer redirecting to sites in Turkey.

We have, however, found lots of other .gov.uk websites with hacked and (sometimes) infective pages, which we'll blog about shortly.

Cheers

Roger

To be notified of updates to this blog, please follow me on Twitter

Thursday, March 12, 2009

Oh goody! City of Streator has a Yahoo counter!

The page looks quite normal, except that LinkScanner knows better and has told us that it contains a fake Yahoo! counter, and if you look at the source, sure enough you see this block of code ...



As readers of this blog will know, one of the more commonly-encountered web tricks is a Yahoo-counter-that-is-not-a-counter. Instead of counting visitors, it reaches out to an exploit site and ... counts victims.


This gang's specialty is to hack into an innocent website and turn it into an unwitting lure... all the website's visitors are probed by the villains, and if they're vulnerable... wham! The visitor is a victim of a drive-by download.

Here's a sample from today's hack list. (*** AGAIN.... DON'T GO TO THE PAGE ... IT MIGHT STILL BE INFECTIVE ***)

This page, hxxp://www.ci.streator.il.us/cms/index.php?page=fire-department-faq-s, looks like this ...





If you look closely at the code you see not one, but _two_ Yahoo counters! How exciting! This means they've been whacked not once, but twice. :-)

And sure enough, if we look at the critical files list, we see the start of an infection cycle...



I find that outing a site on this blog is actually the best way to get it cleaned up. It's much more effective than me trying to explain to confused support staff, so c'mon City of Streator guys.... please clean your site, and fix the hole that allowed the Bad Guys in in the first place. You're probably running a vulnerable PHP tool or version.

Readers, please remember that City of Streator is an innocent victim too... they didn't mean for this to happen, but they do need to fix it.
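The "counter that is not a counter" check, as an added example and not code from the post: the injected block itself is not reproduced on the page, so the sample HTML below is constructed, with placeholder hostnames under .invalid standing in for the exploit hosts. It lists every script or iframe a page loads from a host other than its own (or an explicit allowlist), so a page with two such hits has, as above, been whacked twice.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a page on the site's own host with one legitimate
# on-site script and two injected "counter" includes pointing off-site.
# The .invalid hostnames are placeholders, not the real exploit hosts.
SAMPLE_HTML = """
<html><head><title>Fire Department FAQ</title>
<script src="/js/site.js"></script>
</head><body>
<p>Questions and answers.</p>
<!-- yahoo counter -->
<script src="http://counter.first-crew.invalid/yahoo/count.php"></script>
<iframe src="http://stats.second-crew.invalid/y.php" width="1" height="1"></iframe>
</body></html>
"""


class IncludeCollector(HTMLParser):
    """Collect every resource pulled in by tags that execute remote content."""

    def __init__(self):
        super().__init__()
        self.includes = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.includes.append((tag, src))


def find_offsite_includes(html, page_host, allowed_hosts=()):
    """Return (tag, src, host) for each include that loads code from a host
    other than the page itself or an explicitly trusted third party.
    Two findings on different hosts means two separate injections."""
    parser = IncludeCollector()
    parser.feed(html)
    findings = []
    for tag, src in parser.includes:
        host = urlparse(src).hostname
        if host is None:  # relative URL, served by the page's own site
            continue
        if host == page_host or host in allowed_hosts:
            continue
        findings.append((tag, src, host))
    return findings
```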

Look both ways when crossing the web, folks.... it's dangerous out there.

Roger

PS: to be notified of updates to this blog, please follow me on Twitter

Monday, March 9, 2009

There's a bit of bad luck!

*** WARNING - This website is probably still hacked and infective, so please don't go there unless you really know what you're doing***

A couple of days ago, LinkScanner started detecting (and blocking) a page of a UK gov website, so we thought we'd take a look. This is the screen we were presented with ...




The "Fatal Error ownz you" is a fair clue that something is not quite right here. ;-)

While reading that, you are quickly and automatically redirected to this website ...




I'm reasonably confident that a Brit government website shouldn't be transferring you to (what I think is) a Turkish one, so this is a fair second clue that something is wrong.

Once we establish that a site is hacked, we like to see how long it has been hacked, because mostly it's quite a quick thing ... most sites get hacked and cleaned up in under a couple of days... The best way to find out is to look at the search engines' cached pages, so we had a look at the Google cache, and to our surprise, we saw this page.... (again, don't even go to the cached pages unless you know what you're doing, because if the page was infective when the search bots indexed it, it'll still be infective in the cache) ....




On January 24th, when the Google bots crawled by, it was hacked again, by a different crew! That's what's known in the biz as a Bit Of Bad Luck (tm)!

So, just to be sure that they are not serially and constantly hacked, we consulted two more caches... The MSN Live cache snapshot was taken on March 4th, and shows it clean...




and the ask.com cache snapshot was taken on January 7th, and it was clean then too.




The webmasters are obviously cleaning things up as quickly as they realize they have a problem, but seemingly have yet to plug the hole that the Bad Guys are using to get in. It just shows how tricky it is to keep your websites clean, and it shows how pointless it is to blacklist websites via a central database... it's always too slow to realize something is hacked, and too slow to realize it's cleaned up.
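The multi-cache dating above, as an added example that is not from the post: given dated clean/hacked snapshots it works out the window in which each compromise and each cleanup must have happened, and the width of each window is also how stale a central blacklist keyed to any single snapshot can be. The LinkScanner detection date (March 7) is assumed, since the post only says "a couple of days ago".

```python
from datetime import date

# Evidence constructed from the dates in the post; the function sorts, so
# order here does not matter. March 7 for LinkScanner is an assumption.
OBSERVATIONS = [
    ("google cache",   date(2009, 1, 24), True),
    ("ask.com cache",  date(2009, 1, 7),  False),
    ("msn live cache", date(2009, 3, 4),  False),
    ("linkscanner",    date(2009, 3, 7),  True),
]


def compromise_windows(observations):
    """Reduce dated clean/hacked snapshots to a list of incidents.

    Each incident records the interval in which the hack must have happened
    ('hacked_between') and, if a later clean snapshot exists, the interval in
    which it was cleaned ('cleaned_between', else None = still hacked). An
    interval starting with None is open-ended: no earlier snapshot exists.
    """
    incidents = []
    prev_date, prev_hacked, current = None, False, None
    for source, when, hacked in sorted(observations, key=lambda o: o[1]):
        if hacked and not prev_hacked:
            current = {"first_seen_by": source,
                       "hacked_between": (prev_date, when),
                       "cleaned_between": None}
            incidents.append(current)
        elif not hacked and prev_hacked:
            current["cleaned_between"] = (prev_date, when)
            current = None
        prev_date, prev_hacked = when, hacked
    return incidents


def uncertainty_days(interval):
    """Width of an interval in days: the longest a blacklist that trusted one
    snapshot could be wrong about the site's state. None if open-ended."""
    start, end = interval
    return None if start is None else (end - start).days
```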

Stay safe folks,

Roger

To be notified of blog updates, please follow me on Twitter

Friday, March 6, 2009

KoobFace

Hi folks,

I've just realized that I didn't make it clear that this post is actually about KoobFace.

Cheers

Roger