vectorblog
Regular updates on what's interesting in the virus world. Send submissions to contact@infectionvectors.com
May 16, 2008 cyber force capabilities After our extensive research into cyber weapons development, culminating with the presentation last month, the article by Air Force Col. Williamson last week was absolutely fascinating to consider, as it is from the perspective of a military expert. Definitely check this out if you have not (Armed Forces Journal). It is worth pointing out that if the "good" botnet suggested by Col. Williamson came first (before illicit bots began sending bulk spam & Trojans), the discussion of weapon safety may have taken a very different turn. Weaponizing cyberspace will have only one outcome: the broad use of weapons to accomplish all types of business - criminal, defensive, (legal) commerce, governmental, etc. This is a crucial element of the dangerousness debate we started in 2006 with the objective valuation of software flaws (Sharing the Unverifiable) and recently with cyber weaponization (see this initial post: weaponized and the soon-to-be-published paper from the Computer Sec Conference 2008). Anyway, as you may expect, we have a little more to say on the issue; check that out here.
April 26, 2008 personal sites Personal websites, hosted on forums like Geocities, were lots of fun in the early stages of the web. Now, they may still be fun for entry into web design, but they also point out the dangers in allowing any external content to be posted to your space. After reading an entry at the Internet Storm Center by Mark Hofman on the spam influx, I thought about a few we received still leveraging a redirect from geocities/yahoo. This has been a known means of funneling people to websites; Dancho Danchev had a report about it in October 2007. One example that came in this week advertising prescriptions had this link:
<A = href=3D"http://geocities.com/enriquefields[removed]">See and achieve!!!</A>
The geocities site was the stock yahoo code plus obfuscated JavaScript:
<script language="JavaScript" type="text/javascript">var ghywkjw='pgmxambuhugxxnudpuxbw';var tqjg=0;var lqys, nwisuix, zegiz='4C140E0A081D16550414091F0D0F12014D5732030111340E0A081D165756020E161C01024A041A084C1B1F040C0C08020C5B0007021E5853554318010C124D5F48091702190D070F1A13561B0118434B49571114020E1D0C5F';nwisuix='';var oapixlw;for( lqys=0;lqys < zegiz.length;lqys+=2){oapixlw = unescape( '%' + zegiz.substr( lqys,2));nwisuix += String.fromCharCode( oapixlw.charCodeAt(0) ^ ghywkjw.charCodeAt(tqjg++) );if ( tqjg >= ghywkjw.length ) tqjg = 0;}document.write(nwisuix);</script>
Which turns out to be:
<script language="JavaScript">window.top.location.href = 'hxxp://doctorgot.com';</script>
-which is a Canadian Pharmacy server. Surprised? No? Is this a violation of host policies like Yahoo/Geocities'? The "site" is not being used to send spam, there is no malware apparent at the front page of the redirect; however, it certainly doesn't look great for Geocities - in my opinion. How about yours? Send an email to linzey OR contact AT this domain. linzey
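The loader above is just hex pairs XORed with a repeating key and fed to document.write. The following static decoder is an added example (not code from the original post or the spam page): it reproduces the decoding arithmetic without executing the result, then pulls out and defangs the redirect target. The key and hex payload are the ones quoted above; the function names are this example's own.

```javascript
// Added example: a static decoder for the XOR-with-repeating-key loader
// quoted above. It mirrors the loader's decoding loop but never executes the
// result, so the payload can be read and the redirect target reported.

// Key and hex payload copied from the obfuscated Geocities script above.
const SAMPLE_KEY = 'pgmxambuhugxxnudpuxbw';
const SAMPLE_HEX =
  '4C140E0A081D16550414091F0D0F12014D5732030111340E0A081D165756020E161C01024A' +
  '041A084C1B1F040C0C08020C5B0007021E5853554318010C124D5F48091702190D070F1A13' +
  '561B0118434B49571114020E1D0C5F';

// XOR each hex pair with the next key character, wrapping around the key.
// Same arithmetic as the loader's loop (unescape('%xx') yields one byte), but
// the output is returned instead of handed to document.write.
function decodeXorHex(hex, key) {
  if (hex.length % 2 !== 0) throw new Error('odd-length hex payload');
  let out = '';
  for (let i = 0, k = 0; i < hex.length; i += 2, k = (k + 1) % key.length) {
    const pair = hex.slice(i, i + 2);
    if (!/^[0-9a-f]{2}$/i.test(pair)) throw new Error('non-hex pair at offset ' + i);
    out += String.fromCharCode(parseInt(pair, 16) ^ key.charCodeAt(k));
  }
  return out;
}

// Find the target of a "location.href = '...'" assignment in decoded markup.
function extractRedirect(decoded) {
  const m = /location\.href\s*=\s*['"]([^'"]+)['"]/.exec(decoded);
  return m ? m[1] : null;
}

// Defang for a report, following the hxxp:// convention used on this page.
function defang(url) {
  return url.replace(/^http/i, 'hxxp');
}

// Decode, locate the redirect and return a small report object.
function analyzeLoader(hex, key) {
  const decoded = decodeXorHex(hex, key);
  const target = extractRedirect(decoded);
  return { decoded, redirect: target ? defang(target) : null };
}

console.log(analyzeLoader(SAMPLE_HEX, SAMPLE_KEY));
```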
March 12, 2008 beach trip The Myrtle Beach, South Carolina (USA) Computer Security Conference looked interesting last year, but I couldn't make the trip. This year, we were fortunate enough to get an acceptance for a paper (Cyber Weaponization: Analysis of Internet Arms Development, hinted at by a few of Gordon's posts late last year...) which took up a good deal of research time at the end of 2007/early 2008. Gordon is going, and hoping for good beach weather, although we're not too sure how it is in April in South Carolina. The conference is comprised of people smarter than either of us, so it promises to be interesting, and being academically-hosted, something different from the usual conference fare. linzey
December 5, 2007 I've been doing some reading on evading spiders. Mostly this is related to a paper we worked on concerning weapons development in cyberspace - offensive tactics that one may undertake to beat a known or unknown opponent. Dodging well-meaning or nefarious crawlers certainly falls into that arena. Anyway two things that we may look at for broader use: a validation method that strips comments from HTML/JS prior to release and obfuscated links. The first is like stripping binaries of symbol files (the "strip" command style that used to be a fashionable way to make it hard for attackers to reverse your apps). The second is more along the lines of honeylinks and negative honeylinks. There's got to be a better buzz word than negative honeylinks, maybe someone has already coined one, please let me know. Honeylinks have been discussed before: put a link on a page that has no human visible link - when it's included in a GET or a HEAD, then you know someone is crawling the page. Negative honeylinks are the opposite, use simple scripts to craft a URL when a page is requested (the spider will not be able to execute the script and make a follow-on request, example: encode a JS call to a small image file) - and hide them at varying depths in the web. Now, in the age of worries about client side scripting (and tools like Firefox's NoScript), there will be legitimate users that don't execute the scripts either, but maybe it is one more way to correlate a crawl. linzey
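The two signals described above (a hidden honeylink that no person clicks, and a "negative honeylink" image URL that only page script builds) can be correlated from ordinary access logs. The following is an added example, not code from the original post; the honeylink and beacon paths and the log lines are constructed for illustration.

```javascript
// Added example: correlating honeylink and "negative honeylink" hits in
// web server access logs. Paths and log lines are constructed for illustration.

// A link present in the HTML but invisible to people: any request is a crawl.
const HONEYLINK = '/assets/spacer-link.html';
// An image whose URL is only ever built by page script: a client that fetches
// the page but never this beacon did not execute the script.
const BEACON = '/assets/b.gif';
const PAGE = '/index.html';

// Combined-log-format lines (constructed sample data).
const SAMPLE_LOG = [
  '203.0.113.5 - - [05/Dec/2007:10:01:02 -0500] "GET /index.html HTTP/1.1" 200 5120',
  '203.0.113.5 - - [05/Dec/2007:10:01:03 -0500] "GET /assets/b.gif HTTP/1.1" 200 43',
  '198.51.100.7 - - [05/Dec/2007:10:02:10 -0500] "GET /index.html HTTP/1.0" 200 5120',
  '198.51.100.7 - - [05/Dec/2007:10:02:11 -0500] "HEAD /assets/spacer-link.html HTTP/1.0" 200 0',
  '192.0.2.9 - - [05/Dec/2007:10:03:00 -0500] "GET /index.html HTTP/1.1" 200 5120',
  'garbage line that does not parse',
];

const LINE_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(GET|HEAD|POST) (\S+)[^"]*" (\d{3})/;

// Parse one line into {client, method, path, status}, or null if malformed.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  return m ? { client: m[1], method: m[2], path: m[3], status: Number(m[4]) } : null;
}

// Group requested paths by client, ignoring lines that do not parse.
function pathsByClient(lines) {
  const seen = new Map();
  for (const line of lines) {
    const req = parseLine(line);
    if (!req) continue;
    if (!seen.has(req.client)) seen.set(req.client, new Set());
    seen.get(req.client).add(req.path);
  }
  return seen;
}

// Classify each client: a honeylink hit is a crawl; a page view with no beacon
// fetch means script did not run (a crawler or a NoScript-style user, which the
// logs alone cannot separate); page plus beacon looks like a scripted browser.
function classifyClients(lines) {
  const result = {};
  for (const [client, paths] of pathsByClient(lines)) {
    if (paths.has(HONEYLINK)) result[client] = 'crawler';
    else if (paths.has(PAGE) && !paths.has(BEACON)) result[client] = 'no-script';
    else if (paths.has(PAGE)) result[client] = 'browser';
    else result[client] = 'unknown';
  }
  return result;
}
```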
December 3, 2007 Like most (maybe all?) sub-disciplines within the world of Internet security, fuzzing has some well-researched and fascinating foundations. I have been poking around reading about pharmaceutical development, inspired by an interest in how drug manufacturers get their “leads” for what chemicals may help (or hurt) various conditions. And if you haven’t guessed, it sounds a lot like application fuzzing. Are we good at it on the pharmacology side? I don’t have the background to have a meaningful opinion, but it sure seems like it.
A couple of quotes from the pharmacological side of the house, just to get things going: [http://www.research.ibm.com/journal/sj/402/waszkowycz.txt 2001 IBM Large-scale virtual screening for discovering leads in the postgenomic era by B. Waszkowycz, T. D. J. Perkins, R. A. Sykes, and J. Li] “Identification of leads is driven either by random screening or a directed design approach, and traditionally both strategies have been of equal importance, depending on the problem in hand. The directed approach needs a rational starting point for medicinal chemists and molecular modelers to exploit.” In the business, this is apparently known as “hit to lead” development, taking something that shows some promise (a verified hit) and massaging that into a lead for future development. The Wikipedia discussion: http://en.wikipedia.org/wiki/Drug_Discovery_Hit_to_Lead. There are incredibly sophisticated programs for helping with such things, as one would imagine.
And back to the cyber world: I’ll take for granted that no one believes there are any perfect applications, ones that are written completely free of exploitable defects. This axiom of the security world applies equally to malicious and beneficial programs. Maybe an anti-malware weapon of tomorrow is a fuzzing engine, one used to find the intrinsic weakness in the malicious software, which knocks the malware over. That could be a new thread that crashes the malicious process, issues a kill, or something even cooler. Is that far-fetched considering the ever expanding (and fuzzy) definition of cyber weapon? gordon
November 4, 2007 Based on the generosity of Richard Bejtlich who ran an essay contest over at the superb TaoSecurity blog, I got a pass to the CSI2007 conference in Washington, DC. Looking forward to attending and seeing more of DC. gordon
October 11, 2007 say aaahhh One topic that has fascinated us is the use of "a good offense" as a primary tool in the "defender's" toolkit. In short, since this is a late night post: offensive maneuvers are never going to end well, they generally violate the rules of the road, and will damage the (limited) trust we have in logs, infrastructure, etc. The first paper (that is not malware-centric) on the subject was posted tonight: Hippocratic Oath: Good Attacks Revisited (and the easier to read PDF). gordon
September 30, 2007 is it security We made a case last year that the severity of software flaws could be discerned (predicted even) with a scientific, objective approach. The root of that discussion was whether or not Internet security could be or will be a true professional practice, with a scientific rigor behind it or if it will always be a "magical" guru-driven field. I hope the former is true, but more and more I believe that it is the latter that will win out. In either case, a good test came across our desks - a simple rendering issue with Internet Explorer 6 & 7 involving HREFs and single quotes (apostrophes). Some odd things happen when non-standard HTML coding occurs, which is to be expected I suppose, that could be considered security-related. Let me note that Microsoft does not consider the issue security related (if you are so interested as to see their responses, email the contact address above and we'll send them). Moreover, I am not sure I would say it is truly security related, although I can see how someone would make the case (and we try to make one ourselves in the article). The bottom line is that if the word security is subjective in itself (that is, from one organization to another the devices, patches, issues, etc. that make up a security practice are different), then maybe Internet security is always going to be Socrates' domain instead of Hawkins'. The article talks about the apostrophe rendering issue (which I personally think is kind of funny) and what things like it mean for security as a practice. Read up and let us know your thoughts: Apostrophe and the PDF version. linzey P.S. - Yes, this was briefly discussed last year as "Not Security-Related: Classifying Fixes." gordon
September 11, 2007 can you hear me now Not so much a VoIP worm as a worm that exploits an application that stands next to a VoIP technology, Skipi made a minor media splash this week with its Skype IM transport mechanism. It says little for the security or insecurity of voice applications (please be part of the informed crowd at voipsa.org if you need to make a decision in that arena), but quite a bit about the state of the IM world - things that rely on a user to download and execute still get traction if they employ a previously "trustworthy" program (meaning no one had the ambition to use them for nefarious things). If you need the details, check out the malicious agent report on Skipi. gordon
August 29, 2007 branching out After absorbing the exploit-o-rama that is Blackhat and DEFCON - this year's papers and presentations I thought were especially good - I went in a little different direction: privacy data protection. Certainly, any administrator watching the vulnerability research game is likely thinking about what the thieves are aiming for, but it is rare that technical sites (if this still counts as one) examine how and why private information is protected. As we have done for the US DoD customers in the past (DIACAP information), this was created for a specific group of customers, the health care sector. Nonetheless, the information is good for risk managers of all flavors.
Check out the paper, Exchange Rate: Privacy Data here and in PDF form. linzey
July 18, 2007 rootkit confessions Yes, like I suspect every malware research fan, I really like Joanna Rutkowska's work in rootkit detection. That doesn't make me totally unobjective, however, when I say she is responsible for the most important malware thinking of the last few years. To be both the author of some of the most potent stealth proofs of concept and profess that we can win the war against malware authors has allowed her to bring attention to malware research that has not existed before, from people within the security discipline. A new paper, posted today, makes the argument with a little more detail, check out linzey's work, Retest: Cutting Malware Losses, and the PDF. gordon
July 10, 2007 depths of defense I thought about the old "defense in depth" quite a bit today. Although an overused, almost worthless, phrase, it is included in a lot of formal policies. My thoughts: defense in depth is not a sum, it is a product. Meaning: pile up a bunch of crappy guards, and you get crap. Leveraging one or more guards with another, a multiplier, works.
Examples in practice are:
-A/V: 6 solutions that all use signatures means the super fast mutating worm beats you; employing a super-itchy trigger at the gateway helps
-firewalls: forcing your programs to shoehorn everything into a couple of ports might seem like a good way to monitor things, but you can't use advanced filtering effectively since it looks for "anomalies" and would likely trigger a flurry of false positives for your IDS team
If you're some type of manager, you may be thinking that this needs a metric. I couldn't agree more. So think about your scheme, rate each layer as a 0, .5, or 1 (with a 0 being an open door, .5 being a weakness, and 1 being a strong deterrent to attack) - without actually
July 2, 2007 is nothing sacred The iPhone hits the streets, the iPhone-malware is hot on its heels. There is nothing left overlooked by malware crafters, professionals seeking profit in the Internet underworld. This report shows some of the tricks and how they relate to the business world of Internet scams. Check out: iPhony: Pop Scamming in 2007.
June 13, 2007 PoWE You can get your IP phone powered from in line electricity, across the CAT5e cable - how about charging your mobile device without a wire? We have merged the data network with the electrical grid (BPL), electricity with data networks (PoE), data with radio waves (802.11a), data with wireless light (photonic power delivery)... Wireless power is not a new concept, consider solar-powered devices. The sun, however, does produce radiation that is harmful to the people using solar devices. If magnetic wireless power has this drawback, its usefulness will be impacted significantly.
For a little more on the subject, see: http://www.usatoday.com/tech/news/techinnovations/2007-06
In 1986, in a column about the evolution of technology ("Future Imperfect"), Vint Cerf wrote the following:
"My great great grandchildren may well read this screed by the illuminating rays of an Internet lightbulb and smile at their great great grandfather's limited vision and striking timidity. I wish they could FedEx a message from the future and scratch an itch that only clairvoyance could cure!" read the whole thing at: http://global.mci.com/ca/resources/cerfs_uptechnical_writings/futureimperf.xml
Truly, how far away is the wireless Internet from delivering power, presence, and data? Well, then why not artificial hearts monitored and powered by this true network environment? What is the killer app that makes wireless power take off? Send a response to contact | infectionvectors.com.
June 6, 2007 infectious vectoring The news reports have been widespread: Man infected with TB Beats CDC. A man from Atlanta, GA (USA) recently made a number of international flights and finally drove into the United States after being identified as having tuberculosis (TB). Not only TB, but a highly drug-resistant form of the illness known as XDR TB (extremely drug-resistant TB).
Physical boundary protection is a big concern to anyone managing laptops/PDAs - not just those with router issues. Interesting/disturbing to those concerned with security and germs is this quote: "The department does not get real-time passenger data for flights ending in Canada, Knocke said, making it "very difficult for us to know who might be traveling there." It is unknown if the TB patient specifically chose to return via Canada for that reason." from: http://www.washingtonpost.com/wp-dyn/content/article/2007/05/30/AR2007053001962_2.html?hpid=moreheadlines "Man With Rare TB Easily Eluded Safeguards," David Brown, Thursday, May 31, 2007
May 29, 2007 A story about the private security forces protecting US assets (that is, people in the US working as private security guards): they are considered by many to be, as the Seattle Post Intelligencer noted, "a weak link in homeland security."
May 28, 2007 ipo Google made its first IT security purchase: http://scmagazine.com/us/news
April 28, 2007 mine or yours For a little information on a recent GAO investigation of the FBI's network security:
March 31, 2007 chased down Two new papers are up after a good long wait. Appropriately, they are two reports that some readers will remember hearing about for a year now. They each took about a year to research. The phishing world for a large corporation is a bear - just ask JP Morgan Chase. The Chaser report examines a year's worth of Chase-related phish that came to a single "user" (an iv Honey-inbox). There were 71 in all, a drop in the proverbial bucket to be sure, but plenty to look at nonetheless.
Second, there's the postcard-scam-in-review paper, Final Dispatch. Those of you with philosophy/linguistics courses behind you may have already guessed the inspiration for the perspective taken with this one.
February 13, 2007 be mine, again? Any interest in yet another part of the Beagle/Bagle series? We worked on a draft of such a beast, but it may be time to just let this go. Bagle continues to be a force (and inspiration sadly) in the malware world, making this attractive to the editor... Comments? Send to the contact address.
January 1, 2007 A new year of malware, no prognostication this year. We've seen a rather uneventful year: phishing continues to eat up bandwidth and victims, the rootkit is becoming more advanced, and the Internet worm is taking the form of an XSS exploit or two. If you have a prediction, feel free to send it in.
Copyright © 2005 - 2007 infectionvectors.com. All rights reserved.