Hotzone Issues examines events that have affected a large percentage of organizations directly. Currently, that work involves the flashbulb project. |
flashbulb project The flashbulb project began in, and persisted through, 2008 as a very informal means of organizing various tactics used to battle SWF-based phishing, spam, malware, etc. Although the effort was considered to be a purely defensive collection, it became apparent that it could also be applied towards more offensive means. As part of a theoretical debate, the notion of imposing the costs of doing business on the Internet is an interesting one, however, this site and all authors do not recommend or endorse the use of any offensive means to protect a network or network/information resource.
flashbulb was conceived of as a short-term (being relevant for only a brief time while attacks were fresh), but illuminating project (hence, "flashbulb"). Additional topics can be mailed to the site - linzey@infectionvectors.com.
flashbulb - 2008 - SWF-based attacks
Fiddler Web Debugging Proxy Ruleset (sample)
Snort Rules
Suggested tools: SWF::Parser (Perl), SWF Tools (primarily SWF Dump)
Hotzone Reports
September 2007 Possessive: IE Apostrophes (PDF) The question of what is security-related is larger than simple, discrete technical issues. This answer will affect Internet security as an entire practice. This report introduces both a technical peculiarity (rendering in IE) and the impact on the practice.
July 2007 iPhony: Pop Scamming in 2007 (PDF) The swarm of hype around the Apple iPhone made for great malware bait - this report examines all the ingredients for a successful scam in 2007.
March 2006 Phish Sticks: Email Crime Revisited (PDF) It has been repeated in every phishing report: no organization is immune to phishing attacks. This article shows how one that targeted Royal Bank of Canada customers developed and what could be done about it.
January 2006 Frames and Meta Frames: The WMF Exploits (PDF) The WMF 0-day exploits created both a security and security media tornado. This report attempts to make sense of both sides and examine the truly critical issues involved.
November 2005 Brains Behind the Operation (PDF) After some of the storm surrounding the Sony/BMG rootkit discovery has died down, this report takes a look at how the impending court actions may affect malware author liability in the future.
October 2005 Brick by brick: Platforms, Viruses, Doorstops (PDF) Making a system unusable ("bricking") is often the payload of the first wave of malware for any particular platform. This brief examination is spurred by the first salvo for Playstation Portable and Nintendo DS platforms, released in October of 2005.
September 2005 Aftereffects: Katrina-based Malware/Scams (PDF) Hurricane Katrina devastated portions of the southeastern US. Just like previous tragedies, the criminals were prompt to use the interest and good will of others for nefarious ends. This report examines the tactics of one such criminal outfit, email/web-based Trojan delivery, and what it may mean to the Internet community.
August 2005 Plug and Play and Bots: Zotob (PDF) Less than a week after the August bulletins were released from Microsoft Security, the proof-of-concept for MS05-039 (Plug and Play flaw) hit the streets. Within a day or so, the bot followed. Zotob's explosion over just a few days in August is one of the year's biggest malware stories.
August 2005 Web Retailing: Virtual Reality (PDF) The Internet boom and bust has left the web commerce market looking just like the brick and mortar world, dominated by large companies that have been around for a long time and struggling to beat criminals. Two recent reports point to interesting trends online: that well-established companies continue to rule the web-retailing world, and the threats against them are growing.
July 2005 The 2005 Black Hat conference included a controversial presentation by former Internet Security Systems (ISS) analyst Michael Lynn. This presentation covered the possibility of using flaws in the Cisco IOS to take control of a piece of network hardware. If possible, this would be the first step to developing network worms that attack and propagate via routers and switches.
July 2005 Sven Jaschan has the pleasure of being the first person captured and convicted with the help of Microsoft's Anti-Virus Rewards program, a.k.a. the bounties for virus writers. In July of 2005, Jaschan, the Netsky/Sasser author, was sentenced in Germany - this report gives a brief history of the events and comments on the outcome.
July 2005 Another in a line of IE problems, this one also allows remote code execution. Microsoft issued an alert outside of the normal course, making this flaw receive a little more attention than it otherwise would have (public release of the exploit code didn't help either).
June 2005 Scam Shuffle - Shell Game: Deutsche Bank The phishing fun headed in a slightly different direction, looking at the speed and agility of professional outfits; in particular the work of one group that started June off with a Deutsche Bank-customer-directed scam.
May 2005 Fork in the Road: Phishing Deeper (PDF) North Fork Bank is one of many, many organizations that has found its customers targeted by phishers. This report examines a particularly good-looking scam and what it should say to security managers refining mail-based attack strategies.
The security community has by now accepted the idea that a virus can be used to generate revenue. Worms like SoBig and Beagle point to the profit-motivated virus developer as a real threat to the Internet. The extensive use of spyware to snare referral commissions and deliver users to advertisers provides additional evidence of the problem: money is a tremendous motivator, and legality/ethics won't be an obstacle.
March 2005 Beagle Variants Kick-Off March The latest offerings from the Beagle author include a Trojan that attempts to kill security software from all sides: HOSTS file entries, killing processes, deleting Registry keys, and removing files. This report examines the propagation mechanism and strategies of the Trojan, providing additional technical background behind the business that is Beagle.
February 2005 The Symantec/F-Secure/Trend AV Heap Overflow Issue Whenever the safety net has a hole in it, the flaw is going to seem pretty big. This vulnerability was widely reported as soon as it came out because of the catastrophic potential for organizations dependent on SAV, even without a public exploit. It is presented here as a vehicle to discuss heap overflows, a topic that is mentioned in many worm reports but rarely explained in its basic terms with an example of real exploit strategies. Also noted are the F-Secure and Trend Micro ARJ overflow vulnerabilities.
January 2005 The Demise of the Mass Mailer? (PDF) The end of 2004 saw a number of the usual predictions: more bots, watch out for phishing, viruses are getting better. One theory, that 2005 will see a significant decline in mass mailers, is examined and refuted in this report.
October 2004 Worms Blocked by Awareness Training (PDF) Training programs help secure networks in many ways; this report examines the malcode that is deflected because of investments in end-user awareness programs. Added as part of the October training focus, this paper is part of a series on investing in awareness.
September 2004 Welcome to the Web: Here's Your Spam (PDF) Isn't this what you ordered? Although it's hard to tell how much spam really costs in terms of filtering, lost time, and people turned off from the web, there is no doubt that spam is a hurdle for organizations connected to the Internet. This report takes an unscientific infectionvectors.com test case and explores how and why spam got to a fresh, undistributed email account, and more importantly, what it means to virus propagation.
MyDoom's Children Beagle continues to use Trojan code known as Mitglieder to open relay ports, kill security software, and open backdoors. Two applications that piggyback MyDoom variants are now attacking machines around the world. Check out Malagent reports Sykel & Nemog for details.
Threat Modeling the Network (PDF) Every network can benefit from identifying where it is strong and where it is weak. These strengths and weaknesses translate directly into how well the organization will deflect specific classes of worms. This report looks at threat models through the filter of the mass mailer, one of the more popular infectors of 2003 and 2004.
August 2004 Is it possible that spammers and virus writers are working together? At this point most researchers would agree that it is. What other evil combinations of criminals are lurking? This article examines a few of the possibilities and grounds some of the paranoia.
The last 18 months have brought a quiet boom in Macro viruses, dismissed by many as relics of a forgotten era of Internet security. Although they are not threatening to take over the world, the new breed of Macro viruses is an interesting study, bringing new tricks to every MS Office user.
July 2004 Without a doubt, the most troublesome issue for security professionals this year has been the aggressive "improvements" in delivering spyware to machines. This threat has likely affected every network connected to the Internet, from a single home PC to the largest corporate WANs. This paper identifies the most prominent infection vectors for spyware and raises some possible solutions. Also see the Reference Info section for sites dedicated to this threat.
Copyright © 2005-2009 infectionvectors.com. All rights reserved.