Monthly Archives: March 2008

On the (dis)merits of privacy

Posted on by
Reply

Following up on my last post, after filing a complaint with the abuse department of privacyprotect.org (and blogging about the problem), I have just received an update noting that:

–quote–

On investigating on your complaint , we have determined that the domain name “SPYWARESAFE.NET ” is in violation of the terms of usage of the Privacy Protect service. We have therefore,

  1. disabled the Privacy Protect service for the domain name, such that it now displays the putative contact details of the domain name holder, and
  2. notified the sponsoring Registrar about the complaint, who shall act upon the complaint in accordance with their policies.

For any further updates on this matter, you can contact ESTDOMAINS, INC.  , the sponsoring Registrar for “SPYWARESAFE.NET”.

We are extremely particular about preventing misuse of our services in any manner. Should you encounter any other such instances, please feel free to notify us immediately.

–quote–

It’s interesting to note how a little exposure, combined with an email pointing out that the privacy protection is in direct violation of the service terms, gets some gears in motion. Don’t expect though to get complete verifiable details on the domain owner… The known issue with whois data is not limited to hideouts such as privacyprotect.org, but to the entire scheme of how domain registration works, and the accountability (or lack of) of the registrars to make sure that the details of domain owners are at least somewhat relevant. As you can see from the below data, trying to find a “Pavel” that lives in Russia, is like trying to find a “Mohammad” in Saudi-Arabia, or a “Mr. Smith” back in the states…

–quote–

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: SPYWARESAFE.NET

Registrant:
N/A
Pavel        ([email protected])
kremlin st. 1
Moscow
Moskovskaya oblast,123456
RU
Tel. +495.1231212

Creation Date: 05-Dec-2007
Expiration Date: 05-Dec-2008

–quote–

At least the onion is starting to peel off and maybe hopefully law-enforcement can get better details on the owner, or work with the registrar to track him/her down.

Off to Amasterdam now – see you in BlackHat EU (Friday the 28th, track 2, 10am)!

Taking down a malicious site – the good, the bad, and the ugly…

Posted on by
Reply

As part of the “closure” on the February Malicious Page of the Month, which involved meoryprof.info (taken down), and spywaresafe.net we have contacted the appropriate parties in order to notify them that these websites contain malicious code.

Meoryprof.info was the first to buckle (probably under the press exposure), but spywaresafe.net have managed to stay afloat for quite a while. The problem with such domains these days, is that they are usually designed to hide the true owner in the best possible way.

Spywaresafe.net has been running in full-steam for only a short period of time, but has managed to rack up quite a track record of user visits and infections (see the below screenshot from its NeoSploit admin page)

takingDown

(note that this screenshot is rather old and contains data on the first half of February only… nevertheless, almost 300k visits were logged to the main user and 150k more on the second user)

Looking into the whois record for spywaresafe.net would yield a disappointment – it is hidden using a service provided by privacyprotect.org. This service allows domain owners to hide behind an entity that would provide them “privacy”. The practice itself may seem questionable, but privacyprotect.org has a nice website with easy to access forms for requesting the disclosure of a domain owner in case there is some kind of “abuse” done by it.

Well… that didn’t really work. Sending a couple of these forms in the past month got us absolutely nowhere. No response, not even a decline for our request. These guys must be doing a too good of a job protecting something (definitely not internet users, but something…).

On the bright side, when we contacted the hosting company that was associated with the IP address for spywaresafe.net (78.109.18.130), the response was surprisingly quick, and the security guys there took the offending site down (p.s. – always use email, trying to call in brought an unbridgeable language barrier):

—quote—

The actions accepted by us:

Server IP: 78.109.18.130 it is disconnected and formatted.

—quote—

Although the company policy there is not to disclose details about the client who paid for this service (can’t blame us for trying ;-) ).

Moral of the story – undecided (hence – good, bad, ugly?). Seems like the law enforcement efforts does work, on targeted incidents (no follow up on the second domain). Trying to be the good samaritan does not always play well, and you get to hurdles such as these privacy protection schemes (which in my opinion have no place on the internet), and to surprises such as the guys in hosting.ua (Ukraine’s national hosting) who diligently stepped up to the plate. One has to admit that there really is no place for discrimination on the net…

In hope that we won’t have to do any more of this and have law enforcement and CERTs kick in for those cases, I’ll sign off for this time :)

Optimizing Cross Site Scripting – and general security practices

Posted on by
Reply

We have been working recently on a XSS attack that impacted  a huge number of  potential victims, as the attack itself has been “optimized” by SEO (Seacrh Engine Optimization) practices that pushed it to Google’s indexes.

In itself, this is not a new technique, but the sheer size of it made us take a second look (incidentally, another security researcher has gone public with the details at the same time while we were communicating with Google’s security team about it). So how does it work? Basically the recipe is quite simple:

  1. Find an XSS vulnerability on a major site that has a decent amount of traffic (easy).
  2. Decide what you want your victim to “experience” – this can vary from serving some malicious code, to pure  Crimeware marketing (lessons learned from “what to avoid”  from SPAM email marketing).
  3. Start googling it with the XSS in the URL (most sites normally allow parameters to be passed in a GET rather than enforcing POST only).
  4. Enjoy the show – make sure that the XSS (usually a search page) also contains some keywords that would attract hits from legitimate searches.

XSSed sites used:

From what we have seen so far – including sites such as torrentreactor.net (first one) and zdnetasia.com (on 3/4/2008), tv.com (2/5/2008), torrentportal.com (3/8/2008), University of Pittsburgh’s jurist.law.pitt.edu, torrentfreak.com and fulldownloads.us (3/9/2008).

Unwanted sites used in the attack:

From is-t-h-e.com, through 72.232.39.252, media-toolbar.com, oasdc.info, do-t-h-e.com – all provide some kind of unwanted malware to be eventually dropped onto the unsuspecting user.

And finally – a glimpse into what people are looking for.  Looking at the keywords used as part of the search terms, we discovered a sort of a zeitgeist of popular terms. The obligatory mature content terms (which I won’t quote for obvious reasons!) to the other extreme such as “the lost book of the new testament bible”, and the more spiritual “working with emotional intelligence” as well as the mundane “chevy tahoe specs”. Even techies are properly served with “bash if or condition”. In short, it provides us with a truly “inspiring” journey into what makes us tick (although we already know, still, seeing it is truly believing).

And now for the replies we got from some affected parties:

From torrentreactor  – who we contacted on 3/4/2008, as their XSS was not public at the time (if you don’t count the outing done by other blogs) – we got a pretty quick response thanking us for the notification, and asking if there were more issues with their site. However, there hasn’t been a fix of the XSS issue yet at the time of this writing).

The more interesting view comes from Google (contacted early 3/4/2008). We contacted them since we saw that some of the search results were sanitized of the offending XSS effect, while other still contained a working XSS.

Google acknowledged that this was a known attack vector, and confirmed that they are indeed working on ways to manipulate and “sanitize” links provided by them in an effort to minimize the effect of incidents such as XSS on indexed sites. They also share our opinion on the reality of XSS and its affects on web browsing: “Google recommends that sites fix their cross-site scripting vulnerabilities as a priority. These can be abused in a number of ways, including bad interactions with search engines. Google is helping by reaching out to affected organizations. In addition, Google has internal processes to block abuses when the situation warrants.”

It will be interesting to see how this will work out  since sites still cache search results, thus allowing search engines to index those as results as well. That practice is exploited here where the site is affected by a XSS, which is then in turn “immortalized” when a search engine sees it.

In the meantime we would recommend the following:

  1. Website owners and developers – XSS is rated no. 1 in the OWASP top 10 web application vulnerabilities (no pun intended). Most of them are known. Test for it, fix it. It may not be a direct threat to YOUR site, but it’s a security issue nonetheless and poses a risk to your users.
  2. Stop allowing the caching of search results. All the XSS were found in the search pages of the vulnerable sites. Just disable search engine caching for them. There is no added value in it.
  3. Search Engines – you have the money and the resources. Although it’s OPP (other people’s problem), you can help prevent and mitigate such incidents (kudos to Google for their ongoing efforts).

Ending on a high note – we stand for security of online browsing, as well as responsible disclosure.