Tag Archives: eCrime

Mapping and Security Research

From the “We should have trademarked this” department: McAfee came out with their “Mapping the Mal Web” [PDF] report and are proving that innovation is best left for the smaller players to meddle with, only to be used later by the big guys.

Not that there is anything revolutionary about the report – it’s the same basic “look at what we could figure out from our logs” type, loaded with graphs and tables (as opposed to forward-looking research, or research that dares to predict or create a disruptive technological/behavioral change). But the mere use of “MalWeb” is funny, since I clearly remember starting to use it in an internal meeting some years ago, back when we used to issue reports ourselves…

In any case – use this “with caution” (just as you would use last year’s financial news to base your investments on), or better yet – just use the graphs and maps to scare potential customers 🙂 I hope the next report has a somewhat beefed-up section discussing “what to look for” (a mere single paragraph here), and more discussion of how eCrime operators pick domain names to reach their target audience.

Keep safe!

DefCon 17 talk video available!

For your viewing pleasure – if you happened to miss out on DefCon 17 earlier this year, the full video and slides of my talk “Down the Rabbit Hole – uncovering a criminal server” have been uploaded to the DefCon archive page.

The slides and audio are also available in my section of the DefCon 17 archives: http://defcon.org/html/links/dc-archives/dc-17-archive.html#Amit

Have fun!

Malicious ads circa 2007

Sometimes the only thing you can say about something boils down to the sound of your palm hitting your forehead. We have been seeing many ways in which criminals try to attack unsuspecting users and take over their PCs. One of them, for quite some time now, has been the use of advertisements as a vehicle to run malicious code in the victim’s browser, exploiting the fact that these ads show up on the most legitimate sites.

Recently, I ran across an article that “exposes” such a scheme as if it were completely new (see Register article here). My initial response was to tweet about it, as it reminded me of how we covered the same issue some years ago. It was late and I was trying to recall how far back this coverage went, and surprisingly I got it right! 2007…

Since this blog keeps all of my “historical” posts, there is even one dating back to September 2007 here, which references the report I issued for the second quarter of 2007 (meaning it was written in May) and follows up on the story first published in the Q1 report (which means I almost missed it, and some of these were tracked as far back as the end of 2006). Funny how three-year-old news is re-emerging now… For your convenience, here are a couple of excerpts from the original research (spot the differences…):

Numerous parties are often involved in getting an ad from an advertiser to a consumer. These include advertisers, ad agencies, advertising affiliate networks, adware makers, software makers, distribution affiliates, distribution affiliate networks, and websites. This complicated network of relationships can make it difficult for advertisers to know exactly where their ads are being delivered.

As websites depend more on advertising revenues, they often display ads from third party advertising networks, over which they have little or no control. While legitimate website owners trust advertisers to display non-malicious content, advertisers sometimes “sublet” their space to others. This hierarchy can often comprise several layers, seriously compromising the level of control the website owner has over advertising content.

Bottom line – same as always. If it works, there is no point in changing anything. Back at the time we were watching sites such as MLB.com, CNN.com and other high-profile ones serve malicious ads, and today the situation is no different. And I thought I had to stay on the cutting edge of research to keep up in this line of business 🙂

Keep safe!

Down the rabbit hole all the way to Miami

So the talk at Hacker Halted was really good – I was impressed with the quality of the audience and the presentations.
As promised, I’m posting my slide deck here for your reference. Enjoy!

Two steps forward, one step back – controlling botnets…

Just stumbled across this: http://www.symantec.com/connect/blogs/google-groups-trojan – basically, botnets are using Google Groups (it could have been any other mailing list system, for the sake of argument) as the channel between the bots (trojans) and their command-and-control centers.

Funny how technology is sometimes way simpler than you imagine it would be. Compared to the new Twitter-based botnet channels, and the fancy Web 2.0 communications that are available for use (see my older post here), falling back on the age-old mechanism of anonymously posting messages to a newsgroup is humbling.

Nevertheless, it’s the same new story (Google Groups was chosen because of the web interface and its uptime reputation), just dressed up in old clothes (pun intended…). The same advice that I gave two years ago, which I gave last year, and again three months ago, is still valid – forget about putting out fires (that’s your off-the-shelf AV). Focus on proper mitigation: a solution that shows you how the technology is an extension of the company’s research and forward-thinking attitude. Look for solutions that are more behavioral in nature, so that they identify mal-intent communications, and act proactively based on the predictions and research done.
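As an added illustration of the kind of behavioral check argued for above (this is my own example, not code from the original post, from Symantec, or from any product): whatever legitimate service a botnet hides behind, the bots still have to poll it on a schedule, and that regularity is visible in your own proxy logs. The script below runs over a few constructed proxy log lines and flags a client whose requests to the same host are spaced with almost no jitter. The log field layout, hostnames, client addresses, and thresholds are all assumptions made for the example.

```python
"""Beacon-regularity check over constructed proxy log lines (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, not real traffic. Assumed layout per line:
# "<ISO timestamp> <client IP> <destination host> <path>"
# 10.0.0.5 polls the same group page every ~5 minutes (machine-like);
# 10.0.0.7 browses the same service at irregular, human-like intervals.
SAMPLE_LOG = """\
2009-09-11T10:00:00 10.0.0.5 groups.google.com /group/example-grp/topics
2009-09-11T10:05:01 10.0.0.5 groups.google.com /group/example-grp/topics
2009-09-11T10:10:00 10.0.0.5 groups.google.com /group/example-grp/topics
2009-09-11T10:14:59 10.0.0.5 groups.google.com /group/example-grp/topics
2009-09-11T10:20:01 10.0.0.5 groups.google.com /group/example-grp/topics
2009-09-11T10:25:00 10.0.0.5 groups.google.com /group/example-grp/topics
2009-09-11T10:01:12 10.0.0.7 groups.google.com /group/dev-list/browse_thread/thread/1
2009-09-11T10:03:40 10.0.0.7 groups.google.com /group/dev-list/browse_thread/thread/2
2009-09-11T10:29:05 10.0.0.7 groups.google.com /group/dev-list/post
2009-09-11T11:12:33 10.0.0.7 groups.google.com /group/dev-list/topics
2009-09-11T11:15:02 10.0.0.7 groups.google.com /group/dev-list/topics
"""


def parse_log(text):
    """Group request timestamps by (client, destination host)."""
    visits = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, _path = line.split()
        visits[(client, host)].append(datetime.fromisoformat(ts))
    return visits


def regularity_scores(visits, min_requests=5):
    """Coefficient of variation (stdev / mean) of the gaps between consecutive
    requests for each (client, host). A value near 0 means the requests are
    almost perfectly evenly spaced, which is how a polling bot behaves."""
    scores = {}
    for key, times in visits.items():
        times = sorted(times)
        if len(times) < min_requests:  # too few samples to judge a rhythm
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        scores[key] = pstdev(gaps) / mean(gaps)
    return scores


def flag_beacons(text, max_cv=0.1, min_requests=5):
    """Return the (client, host) pairs whose request spacing is suspiciously regular."""
    scores = regularity_scores(parse_log(text), min_requests)
    return {key for key, cv in scores.items() if cv <= max_cv}


if __name__ == "__main__":
    for client, host in sorted(flag_beacons(SAMPLE_LOG)):
        print(f"possible beacon: {client} -> {host}")
```

This is a triage signal, not a verdict: RSS readers, update checkers and monitoring agents also poll on a fixed schedule, so the hits need to be joined with other context (which accounts post to the group, request sizes, time of day, what the host normally talks to) before anyone acts on them. The point is that it works regardless of which legitimate service the bots borrow, which is exactly what a signature for “Google Groups trojan” does not.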

Basically – don’t settle for mediocrity!

Stay safe.