I Am Security » malweb

Mapping and Security Research

iamit — Fri, 04 Dec 2009 12:31:43 +0000

From the “We should have trademarked this” department: McAfee came out with their “Mapping the Mal Web“[PDF] report and are proving that innovation is best left for the smaller players to meddle with, only to be used later by the big guys.

Not that there is anything revolutionary about the report – it’s the same basic “look at what we could figure out from our logs” type, loaded with graphs and tables (as opposed to forward looking research, or one that dares to predict or create a disruptive technological/behavioral change). But the mere use of “MalWeb” is funny since I clearly remember starting to use it in an internal meeting some years ago back when we used to issue reports ourselves…

In any case – use this “with caution” (just as you would use last years financial news to base your investments on), or better yet – just use the graphs and maps to scare potential customers Hope that the nest report would have a somewhat beefed up sections discussing “what to look for” (a mere single paragraph here), and more discussions on the thinking of how domain names are picked by eCrime operators to reach their target audience.

Keep safe!

DefCon 17 talk video available!

iamit — Sun, 15 Nov 2009 07:13:33 +0000

For your viewing pleasure – if you happened to miss out on DefCon 17 earlier this year, the full video and slides of my talk “Down the Rabbit Hole – uncovering a criminal server” have been uploaded to the DefCon archive page.

The slides and audio are also available in my section on the DefCon17 archives: http://defcon.org/html/links/dc-archives/dc-17-archive.html#Amit

Have fun!

Malicious ads circa 2007

iamit — Tue, 29 Sep 2009 12:11:29 +0000

Sometimes the only thing you can say about something boils down to the sound of your palm hitting your forehead. We have been seeing many ways in which criminals try to attack unsuspecting users and take over their PCs. One of which has been for quite some time the usage of advertisements as a vehicle to run malicious code on the victim’s browser – also exploiting the fact that these ads show up on the most legitimate sites.

Recently, I ran across an article that “exposes” such a scheme as if it was completely new (see Register article here). My initial response was to tweet about it as it reminded me of how we covered the same issue some years ago. It was late and I was trying to recall how far back was it since this coverage, and surprisingly I got it right! 2007…

Having been running this blog which saves all of my “historical” posts, there is even one dating back to September 2007 here, which references a report I issued for the 2nd quarter of 2007 (means it was written in May) and tracks the story published on the Q1 report (which would mean that I almost missed it and some of these were tracked back at the end of 2006). Funny story how a 3 year old news is reemerging now… For your comfort here are a couple of excerpts from the original research (find the differences…):

Numerous parties are often involved in getting an ad from an advertiser to a consumer. These include advertisers, ad agencies, advertising affiliate networks, adware makers, software makers, distribution affiliates, distribution affiliate networks, and websites. This complicated network of relationships can make it difficult for advertisers to know exactly where their ads are being delivered.

As websites depend more on advertising revenues, they often display ads from third party advertising networks, over which they have little or no control. While legitimate website owners trust advertisers to display non-malicious content, advertisers sometimes “sublet” their space to others. This hierarchy can often comprise several layers, seriously compromising the level of control the website owner has over advertising content.

Bottom line – same as always. If it works, no point of changing anything. Back at the time we were watching sites such as MLB.com, CNN.com and other high profile ones serve malicious ads, and today the situation is not any different. And I thought that I had to keep on the cutting edge of research to keep up in this line of business

Keep safe!

Twitter spam – Spitter? Tpam?

iamit — Mon, 06 Jul 2009 17:18:22 +0000

Unless you’ve been living under a rock in the past couple of years, you have been exposed to Twitter in some shape or form. Having adopted the means of socializing myself not too long ago (been researching it’s security since day-0, jumped on the bandwagon a few months ago), you have to live with the bad aspects of social networks again.

When you finally think that a social network platform would get immune from the perils of spam and malicious content, it’s funny to see how spammers – especially on the adult content side have been using Twitter to peddle their stuff… Instead of Tweeting it again (http://twitter.com/iiamit/status/2404011102), I decided to pay respects with a full blog post.

So here are my 2 new followers (the one mentioned on my older tweet has fled – probably didn’t get what they signed up for ), I’ll be sure to keep checking out these trends and make sure that nothing beyond the traditional and mostly harmless content (unless you consider NSFW dangerous – no malweb so far there).

See you all in Vegas (https://www.defcon.org/html/defcon-17/dc-17-speakers.html#Amit)!

Update: OK, this can go out in the open now (had to make sure that this went public already…) pushing malweb through Twitter has been going on for a while, a funny example below shows the usage of the same malicious URL being pushed by “foot soldiers” across multiple trending topics as they change over time:

And the Tweet of the day for me is an attempt to “whore” the trending topics in order to promote an adult site:

Obviously all the keywords at the time this was published were on the trending top list…