Thursday, January 29, 2009

A view of the recent google video attack

Hi folks,

Dancho Danchev blogged here about an inventive new way Bad Guys were luring people to innocent videos but then redirecting them to an attack site, which would then try to trick them into installing something bad. Dancho says they'd managed to hijack 400,000 search terms, so it's quite a big attack. We detect and block the way they attempt the trickery, so we were blocking it preemptively, but it's interesting to look at our graph of the attack...

Our first detection was on January 19th, and it jumped to between 200 and 250 a day up until January 27th, when it took a sharp drop and just about disappeared on the 28th. So here's the interesting bit ... a whois lookup of the attack domain shows that it was registered on January 19th, which means we started detecting it the same day they brought it on line... and then Dancho published his blog on January 27th, and the attacks diminished dramatically on the same day (probably because he also told the security team at google on the same day, and they started cleaning out the search pages)

Now, you might be tempted to think that a couple of hundred attacks a day for not much more than a week was not much of a payoff for hijacking 400,000 search terms, but it's important to understand that this is just measuring the attacks from a single domain. They probably had lots more than that. These guys are pretty smart, without a doubt.

I don't know about you, but I think it's pretty cool when you can see data like this, and even cooler when you can explain why it's happened.




Tuesday, January 27, 2009

Obama worm? ... nah, surely not

I don't often get to work at the coal face much anymore (which is a shame, because I'm a coal-face kind of guy), but today I had that privilege. One of our resellers, Walling Data, called me and asked if I knew of any malcode that displayed a picture of President Obama. While I could see the funny side of that, no matter what your political persuasion might be, I had to admit that I had not, but here's a screen shot to show you what these folks were seeing....

I'd be happy to think it was just someone's prank, except for these facts...
(1) The victim is a school, with about 100 pcs
(2) It appeared on all pcs at about the same time
(3) The pcs have fielsharing enabled
(4) It's not clear if all pcs are patched.

We're still investigating it, but Occam would suggest that it is what it seems ... a worm. Probably not a conficker variant, because as far as we can tell, the source code is not available for Conficker, but probably something exploiting ms08-067.

Anyway, we'll keep investigating, and will let you know what we find.



PS: Note to school admins: Given that Conficker source is probably not available, and if no one else ends up reporting this, there's some chance one of your students wrote it. Find your smartest, geekiest, dweebiest kid, and look hard at him. Remember, the geek shall inherit the earth.

PPS: Despite all the press, and the large number of victims that Conficker has recently gained, it's worth noting that this is probably a corporate and edu problem rather than a consumer problem. The only people this should really have caught are those that (1) haven't patched a two month old vulnerability and (2) allow filesharing. These are corporates and edus. Consumers, for the most part, allow automatic patching each month, and any consumer naive enough to allow filesharing got nailed a long time ago. This assertion is supported by the fact that, within our client base (mostly consumer and smb), we've had very little detection of it. It's also worth noting that if the perps really did nail 9 million victims, they defeated their own purpose anyway, because they dd0sed themselves instantly. Have you got any idea how long it would take to enumerate 9 million pcs over the Internet? They're still on the first pass, for sure.

Saturday, January 24, 2009

Something interesting tonight (and, boy, we have a great community)

Hi folks,

One of our friends, a security guy at the IRS, noticed a new FastFlux botnet today serving up exploits, and Nick FitzGerald a well-known anti malware guy investigated a bit further and found that the exploits were being fired based on which browser the visitor is using.

If you're using Internet Explorer, for example, it shoots a bunch of common IE exploits. Nothing too new here, so if you're patched, you're fine, but one interesting bit is that it looks to me like it's been lifted from a decrypted Neosploit, and tweaked a bit.

If you're using Firefox or Opera, it shoots a specific exploit for FF or Opera, and if you're using Chrome or Safari, it fires some generic pdf exploits at you.

The encryption technique is new, and bit cute in the way that it is hooked into the html, presumably to try to avoid decryption emulators.

Oh, and if it succeeds, it installs a fairly new rootkit, which AVG detects as an Agent variant. Oh, and from Russia, too.

So the first interesting thing is that it shows that the Bad Guys are constantly thinking and innovating and probing, but the second, and more important thing is that it highlights how well the anti-malware community cooperates, mostly unnoticed and unappreciated, behind the scenes.

Shout-outs to our friend at the IRS and Nick.



Monday, January 19, 2009

Write your passwords down

Hi folks,

For most of the last 20 years or so that I've been paying attention to computer security, the mantra has been "Don't write your passwords down .... someone might steal your postit note... make a password you can remember."

Now, this is a Good Idea, _except_ that it encourages most people to have just one password... Or maybe two, if you have a really strong memory. And, unlike twenty years ago, where you maybe only had an email password, and a network login password at the office, there are now a zillion places to log into. As well as your email and the office, there's all the web 2.0 (or as I like to put it, the web 2.uh-oh) stuff ... your bank, youtube, myspace, facebook, amazon, ebay and twitter to mention but a few. Guess what ... if they're all using the same password, and _one_ of them gets hacked or phished, you lose you password to everywhere. If that includes your bank or paypal password, that's about the key to the kingdom, and you might not even know until real money starts disappearing.

Instead of using just one or two password, have many, and _write them down_.... either in your wallet or in a database. If you lose your wallet, at least you'll know to reset your passwords, as well cancel your credit cards.

Remember, there's now a whole industry comprised of people whose job it is to compromise your security. They go hungry if they don't, so they are highly motivated to be successful. Be careful on the Internet.

Cheers folks,