Monthly Archives: September 2008

Neosploit – The rumors of my demise have been greatly exaggerated

Posted on by
3

Despite being reported as “out of business” in late July/August, (see this blog, and this article as well), Neosploit, one of the most widely used tools by cybercriminals, clearly hasn’t ceased to exist . In fact, we have recently confirmed a highly enhanced Neosploit 3.1 installation to be out and about, and serving Malweb to hundreds of legitimate Web sites worldwide. We are currently working with law enforcement from around the globe to identify infections and inform organizations.

stats1

It’s clear that Neospolit actually planned to create Neosploit 3.1 and has actually made it available for at least the last few weeks on a significant scale.

Another interesting thing to note here is that the recent increase in PDF exploits can hardly be attributed to some new toolkit or older kits attempting to capitalize on the toolkit market, but actually the work of this new 3.1 version. See statistics from an active Neosploit attack server below:

stats2

What does all this mean? It’s a truly notable instance where the actual business side of running cybercrime operations pulled a fast one on the thousands of experts tasked with following the latest Web threats. They not only see the profitability of investing in development of newer versions – releasing cybercrime tools much like that of a typical software company. And it’s all proven by their greatly enhanced version of Neosploit 3.1 that was never anticipated by even the largest of security vendors. Instead, security vendors thought newly enhanced PDF exploits (actually a large part of Neosploit’s punch) was actually a new trend within itself – when actually it’s direct from Neosploit.

I would keep an eye on developments in the eCrime business market, for the rock-star of the Malweb toolkits to just disappear one day and declare retirement – does not really fit in to what is really happening in the business. Although the attempt to go under the radar has been greatly aided by reports of security researchers that the group has disbanded, it was hard to believe that they really went under with such a successful brand name and business behind it.

I’ll be covering some of the developments in Neosploit 3.1 at the upcoming BlueHat conference at Redmond next month, so if you are fortunate enough to get there – look for the opening talk.

Blocking legitimate sites in real-time

Posted on by
Reply

I Ran into this on Slashdot: http://tech.slashdot.org/tech/08/09/21/1827209.shtml. It seems like the Google filter for malicious sites was blocking a whole domain name – including all sub-domains, which happened to be a dynamic DNS provider. A Big false positive, and a big problem to all the legitimate sites that were hosted using this domain. Disclosure – I used to run my personal domain using the services provided by DynDNS as well.

The root of the problem here lies in the concept that someone (even if it’s Google) presumes that providing a list of “bad” sites can be used to provide security to users. It’s just not going to work no matter how fast the list is updated, and no matter how “real-time” the scanning and categorizing of the sites are. Unless the real-time is applied to where it is supposed to be applied – when a user requests content from a site, scanning in real-time the content that this user receives. No more, no less. Remember that content differs from user to user, and malicious code may be delivered to one but not to another user!.

Snooping into Palin emails? Watch out for the criminals snooping on you!

Posted on by
Reply

Following the recent news on how an anonymous group has managed to take over Sarah Palin’s Yahoo! email account; we have noticed some interesting happenings. As wikileaks which was the original posting location of the images taken from Palin’s yahoo inbox was unavailable for some time, copies of the wikileaks post started to appear on other sites.

Our assumptions are that as users  found  the original site unavailable, they started resorting to deepening their searches to try and find other copies of the original images. It seems that e-Criminals are just in-tune with the latest news and browsing habits, and have managed to publish (or alter an already published) zip archive of the original wikileaks post with a small alteration that included a malicious script appended to the html content. Users that are eager to take a look at the leaked images finally found themselves looking at an archive copy of the original wikileaks page, but without having any clue about the malicious script running on their PC at the same time.

palin

The script used is the usual obfuscated JavaScript that is designed to evade detection, which exploits a couple of vulnerabilities in QuickTime and Microsoft’s WMV components. The exploits are designed such that once successful, a Trojan is installed on the local machine with the pretence of an Anti-Virus application. The specific Trojan that is being used in this incident is similar to other related attacks covered in our latest security research findings that traced sites connected to recent news as well.

Attackers are at a position where they can choose the kinds of malicious software running on victims machines, as Malweb is allowing them to run any kind of code on them.

In conclusion – although it may be hard to stop on your tracks when the original site hosting breaking news is down, it seems like a wise decision to try and really look into alternate copies of the evidence that are being posted on other locations. Some may be legit and just have carbon copies of the content, some may have a slight addition to the news in order to serve less legitimate purposes.

Update: Further information on the technique itself used to obtain access to Palin’s account is covered here.

Less phish, more meat? Malweb proving to be more efficient than phishing scams.

Posted on by
Reply

In a somewhat below-the-radar report, the anti-phishing working group (APWG) Q1 report is for the first time in its report showing a decrease in the number of phishing reports towards the end of the quarter.

In a startling (although expected) contrast – reports on crimeware, malware, Trojans and other malicious code (all delivered by Malweb!) is on the rise as the attack vector that uses Malweb is proving to be the most efficient ROI-wise.

Our view on this – obvious!. Phishing is a one-off that targets a single institution. It may be efficient for a short time, as these sites are being detected and brought down rather quickly. Malweb on the other hand is a long term investment. It brings in the ability to install more persistent rootkit/Trojan on the victim’s system, which would provide a more configurable platform for financial fraud than a phishing scam would.

The report is available at http://apwg.org/reports/apwg_report_Q1_2008.pdf.

Chrome, IE8, FF3 – is there anything new?

Posted on by
Reply

As websites are getting to be treated more like applications, users, both end-users and especially business ones, are moving from traditional old-school desktop applications (remember when “client-server” architecture was the thing?) to Software as a Service (SaaS), in-the-cloud, and just plain web applications. Security has been shifting from securing the local operating system to securing the web channel.

This has been backed by the clear shift from email being the number one carrier of all things bad, to the web being the most prominent and efficient channel for cyber attacks. This shift – both the usability one, as well as the security one, brought in a lot of improvement in what we use to browse the internet today – our browsers. With the recent release of Firefox version 3, Google’s release of Chrome, and the upcoming Internet Explorer 8, browser makers are showing great improvements in both usability as well as security.

Nevertheless, the picture isn’t that pretty on the security front after all. Both Mozilla and Google are facing some major vulnerabilities that have been disclosed shortly after releasing the browsers. IE8 is lurking on the sidelines trying to make sure its release will go hopefully uneventful (on the security side of course).  History and reality are proving that as long as the web will keep providing such usability, we will still have to come up with more than just new versions of browsers, but with more elaborate ways to secure the web. Issues such as authorization, authentication, permissions, cross-site relationships, mashup data sharing (and these are just scraping the surface) – will have to be approached from a higher level, taking into account infrastructures, open protocols and APIs to be used across applications. Merely focusing on securing the endpoint (or now almost literally “window”) to the application is not enough, as corporations would have to deal with the actual essence of the data and applications handling it.

Don’t get me wrong – I highly appreciate the advancements that Chrome, FF3 and IE8 are making (and proud to be using all of them almost equally throughout the day), but let’s just remember not to keep living in a “whack-a-mole” security state of mind, and make sure we look at the whole picture.