Month: August 2009

Whenever new technology comes along and makes our world nearly unrecognizable, there are always people who make art and explain it all to the rest of us. Charles Dickens explained it all after new technology – the guillotine – changed the world, mostly in France. Joe McKay, who appears to live in California, is just such a person for our “cyber” times.

A first glance gives the impression that he’s just an imaginative schlep with a cat, Ico, and a home page on mac.com. If you read further, however, it turns out he’s a cyber artist with a list of gallery shows going back nine years. He’s also a college professor who teaches at UC Berkeley and Stanford (MFA UC Berkeley, ’07 and BFA Nova Scotia College of Art and Design, ’93).

In addition to making gallery art and musical instruments with cell phones, McKay has been working on the problem of how to stop the advertising that gets sent to your Gmail recipients along with your emails.

His techniques include putting a reference to a major catastrophe in your email. Gmail’s “good taste” filter prevents the ads from appearing.

He also did some serious experimenting by using George Carlin’s famous “seven dirty words” in email text and subject lines to stop the ads. The mixed results, and his spread sheet, are just hilarious, and very practical.

See McKay’s “How to avoid Gmail’s Sponsored Links” here.

Tom Kelchner

Twenty four hours after the denial-of-service attack on Twitter, the web is just aglow with theories about what happened. There seems to be agreement that Twitter, which has been experiencing phenomenal growth in the last year, didn’t have the infrastructure to withstand a huge surge of traffic.

The Register, possibly the best source of hilarious headlines and slang in the history of writing (well, there is the Onion, but they make up the news), called it a “Joe Job.” That’s a distributed denial-of-service attack launched when some malicious entity social engineers a large number of people into visiting to a target web site. The surge in traffic brings the victim site down.

The chain of events then would be: Pro-Russian miscreants spam a lot of people with Tweets, possibly via a botnet, to visit the web site of Cyxymu, a pro-Georgia blogger. The surge in Tweets and people clicking links brings down Twitter. Facebook and LiveJournal are slowed, but not shut down. Possibly the attackers also use a botnet to attack at the same time.

Cyxymu’s site is down this morning.

So, in the worst tradition of journalism we will now report the speculation:

PC Magazine: “Did Koobface Cause the Twitter DDoS Attack?”

The headline says it all.

PC World: “Why Attack Twitter?”

Answer: Koobface or old-school hacker looking for fame or someone advertising the power of their botnet, which is for hire.

The Register: “Twitter meltdown raises questions about site stability”

The Twitter problems were collateral damage from a Joe Job attack on a blogger named Cyxymu who apparently is a very vocal pro-Georgia advocate who irritates a lot of pro-Russian folks in the war of words over South Ossetia and Abkhazia independence. Cyxymu has Facebook, Blogger and LiveJournal accounts. Aug. 8 is the one-year anniversary of Russia’s invasion of Georgia. (See “The Georgian Times” one-year-later story here.)

The Register credits the theory to Bill Woodcock, research director of the non-profit Packet Clearing House in San Francisco.

Researchers Patrik Runald at F-Secure and Graham Cluley at Sophos, disagree.

Associated Press: “Hackers attack Twitter, Facebook also slows down”

Agrees with Register.

The root causes then would be: bot-infected machines (not running anti-virus solutions) and Internet users clicking on links from strangers.

Tom Kelchner

Details few.

Story in the Wall Street Journal.

2:05 p.m. (EDT) — back on line

Believed to be distributed denial of service attack. Details still few.

Story in the Telegraph.

Confirmed DoS on Twitter status page.

Facebook and LiveJournal also under attack.

Story in New York Times.

Tom Kelchner

And now, from that fun-loving Finnish gang that discovered the ASN.1 network
standard vulnerabilities in 2001 – critical flaws in XML.

Researchers at Codenomicon in Oulu, Finland, have found critical flaws in open-source implementations of Extensible Markup Language (XML) that affect a huge array of applications used by nearly every sector of the computer-using population of planet Earth.

Ari Takanen, Codenomicon CTO, has said that the vulnerabilities are in every open-source XML library and a lot of them could let the dark side write exploits that could launch denial-of-service attacks or execute malicious code.

Applications affected include anything written with Java, Python or Apache Xerces.

Libraries built on C – and most are Takanen said – are a high risk. Exploits against those are significant since they can execute code.

Codenomicon briefed the Finnish Computer Emergency Readiness Team, which is contacting software publishers who have embedded the libraries in their products.

The principals of Codenomicon discovered vulnerabilities in the ASN.1 network standard in 2001 that many companies (and governments) struggled to fix for months.

The vulnerabilities can be used in exploits and victims could be social engineered into opening malicious XML files or sending malicious requests to Web services that depend on XML.

It is suggested that organizations keep aware of security updates from companies that provide the libraries they use.

According to the Codenomicon web site: “Founded in 2001, the company was spun out of the successful PROTOS test tools research of the Oulu University Secure Programming Group.

See story in Register.

Tom Kelchner

Typical Browser Hijacker for the Personal Antivirus rogue

All your grammar are belong to us.

Description of Personal Antivirus in the Sunbelt Rogue Blog here.

Thanks to Patrick

Tom Kelchner

Swedish based telecom TeliaSonera has cut Internet connections to the Riga, Latvia servers hosting Real Host Ltd., a bullet-proof ISP and host of the Zeus botnet which is suspected of stealing financial information from millions of PCs, 3.6 million in the U.S. Real Host also is believed to be a splinter of the Russian Business Network.

TeliaSonera provides telecommunication services in the Nordic and Baltic countries as well as Russia, Turkey and Spain, according to its web site.

Real Host joins the elite group of recently shutdown spam networks Atrivo, McColo and Pricewert.

Story here.

Researchers have discovered that micro-blogging service Twitter is apparently working on a system for filtering malicious URLs, including shortened ones, but it’s a work in progress.

We tried it.

It’s a work in progress.

Shortened URLs are handy in Twitter posts, which are limited to 140 characters. Unfortunately, they are also handy for spammers and botnet operators to obscure malicious links in email.

Mikko Hypponen, chief research officer at the F-Secure security company in Finland, blogged about Twitter’s filtering August 3. Twitter has made no announcement and researchers believe the company is working on the process.

This much is known about it at this point:

— it’s using Google Safe Browsing API to filter links to malicious Web sites listed on Google’s blacklists of sites connected to phishing and malware.

— it stops automatically registered or compromised legitimate accounts from Tweeting known malicious links.

— if the “www” subdomain is removed from a URL, it isn’t filtered.

— a URL with “http://” isn’t filtered.

— the system isn’t linked to StopBadware.org’s database of nearly 400,000 reported malicious sites

— an alert is triggered only for URLs shortened using bit.ly. TinyURL-shortened links are not filtered.

In July, the dark side discovered the potential of micro-blogging sites and the Koobface worm had a field day spreading through automatic Tweets generated from hijacked accounts.

The new system isn’t really advanced at this point, but, a work in progress is better than no security at all.

We’d really like to see Twitter’s system filter URLs with the StopBadware.org’s clearing house and maybe some of the Sunbelt Software ‘Threat Track™’ Data Feeds.

Our demo

To see just how bad the Twitter jungle was, we set up a Twitter account…

… and immediately got several followers, April and Lisa. Wow! Cute girls are interested in ME! April looks, well, sort of animated. She must be psychic though, since she put in a request to follow ME five hours BEFORE I set up my new Twitter account! (Do I hear someone whispering “bot”)?

I checked out her web site by clicking on the xurl.jp-shortened URL. It resolved to xxxblackbook.com. Hmmm, an adult dating web site. There certainly appear to be some uninhibited folks advertising for new friends there, but April doesn’t seem to be among them.

StopBadware.com said xxxblackbook.com was a place where you might want to tread carefully. Sunbelt Labs found that it was associated with malware. They have at least one unsatisfied customer on the ripoff report too.

So, clearly, Twitter’s filtering is a work in progress.

Story here.

F-Secure blog post here:

Tom Kelchner

At the Defcon hacker conference this week, two researchers demonstrated a technique for downloading malcode onto a computer during an update process – showing that it could be possible to compromise machines on public WiFi networks.

Itzik Kotler and Tomer Bitton said they know of about 100 popular applications that are vulnerable.

The two also released a tool that shows which machines on a network are vulnerable when they check for new updates over the Web. The tool, which they call Ippon (a Japanese word for “one full point” used in the martial arts world), can send customized messages to potential victims stating that there is an updated available for one of his applications even if it has the most recent real update. An attacker can then download malicious code.

Kotler and Bitton said digital signatures are the answer to this vulnerability. Microsoft software is not vulnerable to the process since it does use them in its updates.

Those conscious of security are already wary of making sensitive transactions on public networks since it is possible to monitor network traffic with sniffers.

This is reason #2 to be careful when you’re trying to work in an airport waiting area or having that double-plus-extra-high-octane mocha latte and playing on your laptop in a coffee shop.

Story here.

Tom Kelchner

PC Antispyware 2010 is a new rogue security application from WinReanimator family. This rogue is peddled by Braviax infection.

The name WinTechProtection LTD is associated with this rogue family and is still evident in the splash screen.

All the clones from this family use the same code below the hood but a new GUI jacket to scam people in to purchasing their products.

PC Security 2009 and Home Antivirus 2010 are the recent clones from this family.

Bharath M N