The spam crisis in China

Good writeup by Gary Warner:

We are well past time for someone to declare a “Spam Crisis in China”.

There are three components to the Spam Crisis:

1) Certain Registrars in China who refuse to cooperate with abuse complaints and who let domains “live forever”, even when they are involved in criminal activity. We do not believe these companies are criminals. We believe that these companies have provided “reseller services” to criminals, and do not engage themselves proactively in stopping the criminal activities of their resellers. We look forward to helping in any way possible to identify and stop the criminals who are tarnishing the names of the companies listed below. I specifically name:

Sponsoring Registrar: 易名中国 ENAME Corporation, http://www.ename.cn/

Sponsoring Registrar: XIN NET TECHNOLOGY CORPORATION

2) Certain Network operators in China who refuse to cooperate with abuse complaints and who let bad computers “live forever”, even when they are clearly involved in criminal activity. We invite the companies who are allowing criminals to continuously use their networks to take action so that they can be an International Success Story similar to our friends at HKDNR. We do not believe that these network companies are criminals. We believe that criminals use their network, and these companies have not yet found a way to effectively receive our complaints and remove these criminals from their networks. There are many companies, but I specifically name:

ASN 4837 CHINA169-BACKBONE CNCGROUP China 169 Backbone

ASN 4134 CHINANET-BACKBONE No.31, Jin-rong Street

ASN 9929 CNCNET-CN China Netcom Corp.

3) Law Enforcement activity. It is unacceptable in the International Community to allow one’s country to continue to serve as a haven for spammers of illegally counterfeited pills, illegally counterfeited software, and illegally counterfeited watches and handbags. It is also unacceptable to provide hosting services for numerous international criminals to place their servers on networks in your country. We invite Chinese Law Enforcement to become engaged in being part of the solution to this problem, and through dialogue with the International Community learn more about interacting with other countries about these issues.

More here.

Alex Eckelberry

50 ways to inject your SQL

Ok, musically, I’m not going to comment. Really.

But the content of the song isn’t that bad.

Lyrics:

I see your input’s not validated properly
You have to check it at all tiers: 1, 2 and 3
Give me a browser and quite soon you will agree. There must be
50 ways to inject your SQL

You see it really is my business to intrude
The CTO wants to see this web app broke into
Turn on my proxy and all doubt will be removed. There must be
50 ways to inject your SQL
50 ways to inject your SQL

Try a quick hack, Jack
Add a new row, Joe
Try an insert, Kurt
Change their SQL query

Evade the regex, Rex
Encode it all in hex
Unbalance the quotes, Vinod
And change the query

Break the syntax, Max
Use a backslash, Cash
Try command shell, Mel,
And change the query

Use “one equals one,” son,
Unhandled exception!
Read the stack trace, ace
and change the query

He said our application is secure against your kind
There are no simple vulnerabilities to find
I said your coders write their code like they are blind, there must be
50 ways to inject your SQL

He said our logs show unexpected funds were sent
It’s probably time we started using Prepared-Statements
I said I’m glad you’re seeing what I meant, there were
50 ways to inject your SQL
50 ways to inject your SQL

Break the syntax, Max
Use a backslash, Cash
Try command shell, Mel,
And change the query

Use “one equals one,” son,
Unhandled exception!
Read the stack trace, ace
and change the query

Try a quick hack, Jack
Add a new row, Joe
Try an insert, Kurt
Change their SQL query

Evade the regex, Rex
Encode it all in hex
Unbalance the quotes, Vinod
And change the query

Alex Eckelberry (via Cedric)
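As an added illustration (not part of the original post or the song), here are the “unbalance the quotes” and “one equals one” lines from the lyrics run against a string-built query and against the prepared statement the last verse recommends, using Python’s sqlite3 on a constructed in-memory table:

```python
import sqlite3

# Constructed sample table, embedded so the example runs offline.
SAMPLE_USERS = [
    ("alice", "alice-pw", 120.0),
    ("bob", "bob-pw", 75.5),
    ("carol", "carol-pw", 900.0),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, balance REAL)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_concat(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Vulnerable form: input is spliced into the SQL text, so a quote in the
    input can close the literal and whatever follows becomes part of the query."""
    sql = ("SELECT name, balance FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return conn.execute(sql).fetchall()


def login_prepared(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Hardened form: a prepared statement with bound parameters. The driver
    passes the input as data, so quotes inside it never become syntax."""
    sql = "SELECT name, balance FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


def compare(name: str, password: str) -> tuple:
    """Run the same credentials through both forms and return the row counts.
    A count of -1 means the concatenated query broke with a syntax error, the
    'unhandled exception' the song mentions, whose stack trace reveals the query."""
    conn = build_db()
    try:
        try:
            concat_rows = len(login_concat(conn, name, password))
        except sqlite3.OperationalError:
            concat_rows = -1
        return concat_rows, len(login_prepared(conn, name, password))
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("alice", "alice-pw"))         # genuine login: (1, 1)
    print(compare("O'Brien", "pw"))             # stray quote: (-1, 0)
    print(compare("x' OR 1=1 --", "whatever"))  # unbalanced quote + 1=1: (3, 0)
```

The concatenated version returns every account for the third input and crashes on the second; the prepared statement treats both as literal names and returns nothing.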

Botnet owners Unite!

Opera has introduced a new feature called “Unite” that will allow users to turn their browsers into servers. It’s a concept that might be as well-thought-out as sending customers on a hike in a safari park with backpacks full of raw meat.

According to the Opera Unite Developer’s Primer, “Opera Unite features a Web server running inside the Opera browser, which allows you to do some amazing things.” We’re betting there are some other people who use the Internet who will be doing some amazing things with this too.

Unite is basically a group of extensions to the Opera Web browser widget system. They will make it possible for Opera users to set their machines up as servers to provide their friends with blogs or access to files. Opera’s servers will serve up pages for the “Turbo” feature and act as proxies (with firewall) for the communication between the users’ Unite-linked browsers. Opera staff will check for bugs and malcode. Adult material is not allowed.

The most significant question that arises is: Will users accidentally give unintended access to their file systems? Opera programs are really widgets. Shortcuts have been provided for configuring what they can access. Some shortcuts lead to system folders. There are warnings included in the documentation, but ultimately, what is exposed is left to the developer.

Widgets will be available from sources other than Opera. It could be possible for an intruder to create an Opera widget that appears to be just a local widget but really uses the Unite protocol for malicious purposes.

We’ll be watching for the first “Unite” botnet.

Read more here.

Opera’s primer for Unite developers here.

Tom Kelchner

Green Dam = Spyware

Sunbelt Software has added detections to its products to find and remove Green Dam-Youth Escort, the Internet filtering (and spyware) software that the Chinese government requires on all new computers sold in the country after July 1.

We classify it as a surveillance tool with a rating of “moderate risk” and we recommend that CounterSpy™ and VIPRE® users quarantine it.

We’re going to be reading a lot about Green Dam-Youth Escort in coming weeks (months? years?). The government of China mandated that it be installed on new machines to protect its citizens from obscene and harmful content. Computer users are allowed to uninstall it.

The Chinese Ministry of Industry and Information Technology bought the rights to the application for one year through a no-bid $6 million purchase from Jinhui Computer System Engineering Co. of Zhengzhou. Jinhui also stands to make a mountain of money after one year since users will be required to pay for updates. It was estimated recently that there are 253 million Internet users in China.

Most observers assume it also is to prevent Chinese Internet users from seeing content critical of the government. The Chinese government already operates a “Great Firewall” to filter Internet content (including politically sensitive sites) but it can be bypassed.

Politics aside, there are some serious problems with Green Dam:
— It has the capacity to monitor keystrokes.
— It logs the URLs of sites the user has attempted to reach.
— It uses unencrypted data transfer from clients to company servers.
— OpenNet Initiative said Green Dam can monitor activities in addition to Web browsing and can shut down applications.
— The black-list update process is vulnerable to compromise.
— Exploit code has been posted that compromises Internet Explorer on computers running Green Dam. It uses a stack overflow in the browser process triggered by an overly long URL. It works on Microsoft’s latest Vista operating system too.
— Solid Oak Software Inc. of Santa Barbara, Calif., is bringing a legal action in China, claiming that Jinhui used code from its CyberSitter filtering software. Jinhui denies the allegation.

There have been reports from testers that Green Dam slows browsers and doesn’t filter properly. It uses color-tone filtering to spot pornographic images, but there are reports that it misses images of dark-skinned people and mistakenly filters images of pigs.

The Green Dam black list

Bloggers familiar with China who have read through the Green Dam black list of words to be filtered found that it contains about 2,700 words related to pornography and about 6,500 “politically sensitive” words.

The political blacklist includes:

June 4th (Date of military attack on Tiananmen Square protestors that left 2,500 dead)
democracy
liberty
essence (?)
fallacies and heresies

The porn-related words include:

Cat-III (Hong Kong film industry “adult” rating)
Naked
Homosexuality

And, nobody-knows-what, maybe a typo or a new euphemism for a sex act:

Fanyu (originally a little known word found in a few Buddhist scriptures)

For more, see here.
Or here.

Exploit code here.

Tom Kelchner

Cavalcade of malware hosted right here in the U S of A


Contrary to popular belief, not all malware is hosted in Eastern Europe or China.

In fact, there’s a whole bucketload of malware hosted in Scranton, PA.

Here are malware domains associated with IP 64.191.92.197:


Quite a list, eh?

[Obviously, please don’t visit these unless you’re some kind of masochist — or a security researcher (there is little difference between the two, incidentally).]

Alex Eckelberry

Dueling DDoS?

News sites on the Web today seem to have just discovered a story from last Thursday’s Guardian newspaper in the UK that said government agencies in the U.S. and U.K. are preparing to go after the servers of the criminal gangs and government-sponsored hackers in Russia, China and North Korea. The measures could include the subtle installation of spyware to try to identify the miscreants all the way up to denial-of-service attacks.

The Guardian quotes unnamed sources saying that the UK’s Serious Organised Crime Agency and the Metropolitan police e-crime unit have already begun operations.

It also said a recent federal government review of cyber security in the U.S. stated that the president has the legal authorization to carry out such attacks to defend the national security under the Communications Act of 1934.

This isn’t the first time this has been discussed. While the recent increase in hacking and malware must be dealt with, a lot of observers conclude that there could be serious collateral damage if government agencies and the dark side begin exchanging attacks. Since the main “business model” for Internet crime is to organize other people’s computers into botnets that provide command and control, launch the denial-of-service attacks, store the porn and do the drive-by downloads, this could get really ugly.

Better update the emergency phone numbers for your up-stream provider and dust off the ol’ disaster recovery plan.

Story here.

Tom Kelchner

Rogue AV spoofs Microsoft Malicious Software Removal Tool

Malware authors continue to capitalize on the chattiness and marketing webiness in Windows. A prime example is a new fake antivirus program masquerading as the Windows Malicious Software Removal Tool.

CA has done the work on this one so I don’t have to — along with some good screenshots. Link here.

Alex Eckelberry


zbot wave in effect

Earlier today, I blogged about a new zbot campaign that pushes a program to “reconfigure Outlook Express”. Well, it seems to be working, because the volume of spams with this type of message has gone up.

And — they’ve targeted TheBat! (ah, memories for some of you…), but the bot seems to be a bit confused, mixing in TheBat! with Outlook and Outlook Express.


And, of course, the obligatory fake greeting card.


Sample strings used:

TheBat Setup Notification

You have (1) message from Microsoft Outlook.

Please re-configure your Microsoft Outlook again.Download attached setup file and install.

—————————————————————————————

Outlook Express Setup Notification

You have (8) message from Outlook Express.

Please re-configure your TheBat again.

Download attached setup file and install.

(If you’re curious as to what this thing does, you can view the Sunbelt Sandbox report here.)

Alex Eckelberry

Hotfix 5 released for VIPRE and CounterSpy

VIPRE and CounterSpy HotFix 5 will be released today at 6 pm EDT, providing a number of improvements in stability and overall effectiveness. Most importantly for enterprise customers, it solves issues experienced when running VIPRE and the ShadowProtect backup program at the same time on a server.

Users will be prompted to update through the user interfaces of both the consumer and enterprise versions of VIPRE and CounterSpy.

Version numbers for Hotfix 5:

CounterSpy (enterprise agent and consumer): 3.1.2774
VIPRE (enterprise agent and consumer version): 3.1.2775

Along with the agent, enterprise customers are encouraged to update their console version. The console build number for both CounterSpy and VIPRE is 3.1.3121.

Alex Eckelberry

New zbot twist


New spam message pushes zbot:

You have (1) message from Microsoft Outlook.

Please re-configure your Outlook Express again.

Download attached setup file and install.

The zip file attached gives you a happy dose of zbot love.

Admins — I know some of you don’t like to do this, but really — please, block all incoming zip files.

Alex Eckelberry
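An added example (not from the original posts) of the kind of mail-gateway rule the two zbot posts above suggest: it blocks any message carrying a ZIP attachment, as the admin advice asks, and flags the “Setup Notification” / “re-configure your ... again” lure wording from the sample strings, using Python’s standard email package on constructed sample messages. Sender, recipient and attachment bytes are placeholders.

```python
import re
from email import policy
from email.message import EmailMessage

# Lure wording from the sample strings above ("re-configure your ... again"),
# matched loosely so that "reconfigure" and the Outlook/TheBat mix-ups are caught.
LURE_PATTERN = re.compile(
    r"re-?configure\s+your\s+(?:microsoft\s+)?(?:outlook(?:\s+express)?|thebat)",
    re.IGNORECASE,
)
SETUP_SUBJECT = re.compile(r"\bsetup notification\b", re.IGNORECASE)
ZIP_TYPES = ("application/zip", "application/x-zip-compressed")


def zip_attachments(msg: EmailMessage) -> list:
    """Return the filenames of attachments that are, or claim to be, ZIP archives."""
    names = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if part.get_content_type() in ZIP_TYPES or filename.lower().endswith(".zip"):
            names.append(filename)
    return names


def classify(msg: EmailMessage) -> dict:
    """Apply the post's rule: block any ZIP outright; flag lure wording even
    when no attachment is present, so text-only variants still surface."""
    reasons = []
    zips = zip_attachments(msg)
    if zips:
        reasons.append("zip attachment: " + ", ".join(zips))
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    if SETUP_SUBJECT.search(msg.get("Subject", "")) or LURE_PATTERN.search(text):
        reasons.append("setup-notification lure wording")
    return {"block": bool(zips), "flag": bool(reasons), "reasons": reasons}


def make_sample(subject: str, body: str, attach_zip: bool) -> EmailMessage:
    """Build a constructed sample message; addresses and bytes are placeholders."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "noreply@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attach_zip:
        msg.add_attachment(b"PK\x03\x04 placeholder, not a real archive",
                           maintype="application", subtype="zip", filename="setup.zip")
    return msg


def demo() -> list:
    """Classify three constructed messages: the lure with its ZIP, a benign ZIP, plain mail."""
    samples = [
        make_sample("Outlook Express Setup Notification",
                    "You have (8) message from Outlook Express.\n"
                    "Please re-configure your TheBat again.\n"
                    "Download attached setup file and install.\n", True),
        make_sample("Quarterly report", "Slides attached as requested.", True),
        make_sample("Lunch?", "Noon at the usual place?", False),
    ]
    return [classify(m) for m in samples]
```

`demo()` returns one verdict per message; the benign ZIP is still blocked, which is exactly the trade-off the post acknowledges admins dislike.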

Life continues to suck for Sam Jain and his merry bunch of (alleged) fraudsters

FTC denies challenges by Innovative Marketing.

This Court conducted a hearing yesterday on almost all outstanding motions in this case and rendered the following rulings for the reasons stated on the record:

  • Sam Jain’s Motion to Stay (Paper No. 45) is DENIED;
  • Kristy Ross’s Motion to Temporary Stay (Paper No. 48) is DENIED;
  • FTC’s Motion for Order Holding Sam Jain and Kristy Ross in Contempt of Court and Requiring the Repatriation of their Assets (Paper No. 49) is DENIED;
  • Kristy Ross’s Motion to Strike or in the Alternative Motion for an Extension of Time (Paper No. 51) is MOOT;
  • Sam Jain’s Motion to Strike or in the Alternative Motion for an Extension of Time (Paper No. 52) is MOOT;
  • Sam Jain’s Motion to Modify Preliminary Injunction (Paper No. 58) is DENIED IN PART, with the Court withholding a ruling on the requested modification of the asset freeze;
  • Sam Jain’s Motion to Dismiss under Rule 12(b)(7) and 19 (Paper No. 60) is DENIED;
  • Kristy Ross’s Motion to Dismiss under Rule 12(b)(7) and 19 (Paper No. 61) is DENIED;
  • Marc D’Souza’s Motion to Dismiss under Rule 12(b)(7) and 19 (Paper No. 70) is DENIED; and
  • Marc D’Souza’s Motion for Temporary Stay and Modification of Preliminary Injunction (Paper No. 71) is DENIED IN PART, with the Court withholding a ruling on the requested modification of the asset freeze.

More over at Sandi’s blog.

Alex Eckelberry

An “Inconvenient” Zbot lure

Sunbelt Software researchers turned up an interesting (infected) Web site that’s been taken over and used in a redirect to install Zbot on the machines of web users looking for Al Gore’s “An Inconvenient Truth” site. Search engines are beginning to find it too:

Here is the real site they’re looking for at http://www.climatecrisis.net/:


The infected site, hxxp://an-inconvenient-truth.com, (DO NOT GO THERE!) has been registered since 2006, so it’s probably a legitimate site that’s been taken over.


Obfuscated JavaScript at the bottom points to hxxp://bl4ckst4r.cn/blog/go.php?sid=17 (DO NOT GO THERE!), which delivers Zbot, a Trojan that plants spyware on victims’ machines to steal banking log-in information.

Tom Kelchner

READ the EULA!

Sears Holding Corporation, which owns Sears, Roebuck and Kmart, has signed an agreement with the U.S. Federal Trade Commission and will destroy the information it harvested using ComScore (spyware) software last year.

It’s shocking that such a big and reputable company would get involved in something that invites Web users to an “exciting online community,” then installs spyware on their computers that monitors their online banking details, texts of secure pages they visit, online drug prescription records and email as well as the relatively mundane information about the web sites they visit.

To its credit, the company stopped the spying after public concern was raised. And they didn’t fight the FTC action.

For Web users, one big lesson here is that you must read those miserable, huge End User Licensing Agreements (EULAs). All the spying was described in the EULA that Sears presented. Of course it was on page 10 of a gargantuan 54-page privacy statement. Harvard University professor and spyware researcher Ben Edelman said the document failed to meet FTC standards set out during actions against spyware companies Direct Revenue and Zango.

News story here.

FTC news release here.

Tom Kelchner

T-Mobile pwnage

Well, this is not good.

The U.S. T-Mobile network predominantly uses the GSM/GPRS/EDGE 1900 MHz frequency band, making it the largest 1900 MHz network in the United States. Service is available in 98 of the 100 largest markets and reaches 268 million potential customers.

Like Checkpoint Tmobile has been owned for some time. We have everything, their databases, confidential documents, scripts and programs from their servers, financial documents up to 2009.

We already contacted their competitors and they didn’t show interest in buying their data -probably because the mails got to the wrong people- so now we are offering them for the highest bidder.

Please only serious offers, don’t waste our time.

Contact: pwnmobile_at_safe-mail.net

Alex Eckelberry
(Via Securiteam)

The Internet is a safer place (well, slightly) as FTC shuts down crime-hosting N. Calif. ISP

We REALLY hope this is the beginning of a trend.

The U.S. Federal Trade Commission has taken down Northern California Internet Service Provider Pricewert LLC (also doing business as 3FN and APS Telecom) that has hosted alleged criminal sites engaged in the distribution of spam, child pornography, spyware and malware as well as the operation of botnet command and control servers.

According to some reports, as many as 15,000 sites used for criminal purposes were shut down by the action.

Sunbelt Software researchers say they have been tracking Pricewert servers hosting alleged exploits and porn dialers since 2004. Also, IP addresses registered to them were known to be hosting exploits and malware, including rogues, since that year.

The FTC said in their complaint, filed in U.S. District Court for the Northern District of California, San Jose Division, that Pricewert advertised to a criminal clientele, then shielded their customers’ activities by ignoring take-down requests from the online security community or shifting the malicious sites to other IP addresses to help customers continue their activities.

The FTC filing is based on the commission’s belief that criminal activities have taken place and that the public interest would be served. A court must determine if any laws have been broken.

According to the FTC news release: “The court issued a temporary restraining order to prohibit Pricewert’s illegal activities and require its upstream Internet providers and data centers to cease providing services to Pricewert. The order also freezes Pricewert’s assets. The court will hold a preliminary injunction hearing on June 15, 2009.”

Mark your calendars!

FTC news release here.

Tom Kelchner