Thursday, January 28, 2010

Blackhat SEO is New Spam

It used to be that when you checked your email and/or email spam folder there would be a slew of messages with links or attachments that would have titles related to the popular subjects of the time, and would be used to spread malware (think Anna Kournikova).

Now the game seems to be that you sip your morning coffee and browse the web - largely driven from search results from Google. However, many of these search results cannot be trusted - Google's web of trust, Page Rank technology has been leveraged by the bad guys using search engine optimization (SEO) to spread malware. This has been seen in almost every major news story this year (for example, Haiti's Earthquake) and some not so major news stories (American Idol's 'pants on the ground' audition).

The past few days, there have been numerous big headline stories with poisoned Google search results leading the victim to Fake Anti-Virus malware: Apple's iPad announcement, Toyota's safety recall, and the State of the Union address all have poisoned search results ... just wait "Super Bowl" the bad guys will get to you next if they haven't already ...

Below are some screenshots of the poisoned results, followed by the subsequent infection. Note, visiting the SEOed links directly redirects you to a benign page, such as cnn.com; visiting with a Google referrer string (which someone following the link from Google would have) takes the user to the malicious page.



Monday, January 25, 2010

IE 0-Day on GOV.CN

A few days back, there was a post on a forum about malware warnings displayed when visiting: www[dot]latax[dot]gov[dot]cn


Translates:



Upon analysis of the page, it appears that this GOV.CN page is hosting a page exploiting the Internet Explorer 0-day vulnerability (CVE-2010-0249). The same vulnerability exploited to compromise Google, Adobe, and other vendors in an attack dubbed 'Operation Aurora.'

Here is a snippet of the GOV.CN source, building the shellcode variable:

There is a slight deviation to the way that the shellcode is constructed (visible in above image) from some of the other variants that we have seen. Though, it uses the same exploit structure as past variants, including the ev1() and ev2() function names.
The ev1() function is used to dereference the previously declared event object:and attack the vulnerability
using the ev2() function to load the shellcode into memory and call the previously dereferenced object:
The JavaScript loads the shellcode and exploits the vulnerability, which downloads the payload v.exe from the same GOV.CN domain.
VirusTotal identifies 12/41 Anti-Virus engines detect the v.exe payload. It is a variant of the Chinese based Hupigon Backdoor, which F-Secure lists some of its features as:
• It allows others to access the computer
• Allows for recording with the user's webcam
• Can make the user's computer to attack various servers
• Send victim's computer messages
• Has rootkit functionality so it has a stealth component that hides files
• Create logs from keystrokes, steals passwords, and sends this information to remote servers

The Hupigon malware kit is described as being "maintained in a very professional fashion with a highly developed User Interface (UI)." Screenshot below:


This is just one example of this IE 0-day impacting GOV.CN sites; I have seen a few other reports of this. While there are several other examples of malware being hosted on GOV.CN domains, for example,
  • .wscz.gov.cn
  • .zhepb.gov.cn
  • .jssalt.gov.cn
  • .xfgh.gov.cn
  • .laspzx.linan.gov.cn
  • .zsjs.nmfc.gov.cn
The question is: are these CN Government sponsored for the purposes of potentially spying on its citizens, or have GOV.CN websites been infiltrated by hackers? In either case, browse safe, and if you are using IE 6, please upgrade or consider a different browser.

Thursday, January 21, 2010

Watch out Bill Gates...

Rise in Social Networks in Underground Economy
It should not come as a surprise that verified, "followed" or "friended" social networking accounts are being bought and sold in the underground, similar to the way that e-mail lists have been for spamming and other campaigns. In fact one ad snippet shows that social networking accounts are more valuable in the underground than email accounts: Facebook ($20 per 100) and Twitter ($19 per 100) versus Yahoo or Hotmail ($15 per 1000) accounts.
I've run into a few of these in the underground marketplace ads, including one today specifically calling out that Twitter accounts are "Good for Spreading Bots."
In light of Bill Gates' adoption of Twitter yesterday, I thought it would be fitting to put out a word of warning: we've already seen Koobface and other malware on Facebook, and we've seen the Twitter/StalkDaily worm. There are many more examples of the social networking medium being used and abused. It is safe to say that enough user adoption of social networking has occurred that the bad guys have likewise adapted and are here to stay on this medium...
Facebook has set 5000 as the maximum number of friends per account, and these maxed out accounts are the among the most valuable accounts being traded in the underground.

Tuesday, January 19, 2010

What we can learn from Google's China attack

The Internet has been abuzz over Google's admission that it was targeted in a coordinated and allegedly state sponsored cyber attack. Some are applauding Google's stance, while others question Google’s true motivation. This story is too big to just disappear so I have no doubt that we'll learn more as time goes on, but let's consider what we should have learned thus far.

1.) Corporations make corporate decisions

It makes for a lovely feel good story to believe that Sergey Brin charged into Eric Schmidt's office to demand that Google exit China as retaliation for the attack. It's nice to believe that "do no evil" can survive in the corporate jungle. The reality is that Google is a large (very large) corporation and mottos other than "do what's best for the shareholder's" are little more than advertising hype. Sure Sergey and Larry own a big piece of the pie, but like all large corporations, Google is controlled by large, faceless institutional investors doing what they've been tasked with - looking at the bottom line. Google didn't go public with this story to save the world. They did so because they believe that it's the right business decision and they've decided that the benefits of doing business in China simply aren't worth the costs. They remain a long way from winning in China the way that they've won in the rest of the world. They have decided that the cost of the negative public perception created when they agreed to censor search results simply hasn't been worth it, especially when they are also forced to deal with state sponsored infiltrations, possibly aided by insiders.

2.) Outdated Web Browsers Leave a Gaping Security Hole

Just because software hasn't reached end-of-life status isn't justification for using it. It has been a long standing gripe of mine that IE 6 continues to control significant market share in the enterprise. Any CISO that hasn't fought to change this should be fired. Yes, IE 7 & 8 are also allegedly vulnerable but public exploit code seen to date has not successfully exploited these versions of IE. Why? Because they have additional security measures that make this vulnerability harder to exploit. In this case, the protection making the difference is Data Execution Prevention (DEP) but additionally, they include a number of additional protections such as Address Space Layout Randomization (ASLR), malicious URL/phishing blacklists, XSS protection, etc. The answer is not to avoid IE altogether as Germany and France suggest, but at a minimum, enterprises must ensure that they are running the latest browsers, with the most current security protections.

3.) 0Day, Targeted Attacks are Very Hard to Defend Against

Perfect security lives on Pandora. We live on Earth. Don't waste time looking for it.

When an attacker possesses a weapon that you haven't seen before, you are at a significant disadvantage. 0day attacks present a fundamental challenge because we don't know what we're looking for. Combine that with a knowledgeable adversary that can effectively employ social engineering and no matter what security measures you have in place, at some point you will be compromised. Should we roll over and give up? Of course not. The goal is not perfect security but rather to mitigate threats to an acceptable level. We can achieve that by employing defense-in-depth and assuring that our detective controls are sufficient to understand the extent of damage, control it and quickly recover should a breach occur.

4.) The Best Defense is a Good Offense

One of the more surprising angles to this story has been the revelation that Google went on the offensive to get to the bottom of the attack. While such an approach can put an organization in a legal grey area, it is unlikely that Google would ever have had the evidence necessary to be confident of the origin of the attacks and the fact that some 33 other companies were affected had they not broken into a server in Taiwan. Did Google coordinate it's efforts with law enforcement? Is this a tipping point in the evolution of cyber warfare, when corporations frustrated with the red tape encountered by law enforcement crossing international borders begin to take matters into their own hands? Stay tuned...

- michael

Thursday, January 14, 2010

Haiti Earthquake Also Rocks Internet (Update)

Following my previous post, I had lots of questions about what we are seeing in terms of malware and fraud taking advantage of the Haiti earthquake.

Not surprisingly we have seen an increase of web transactions to charity / donation sites - including some domains that were registered immediately following the earthquake, for example, haitifoundation.com.


Web transactions to donations sites range from:
  • The mainstream, for example, RedCross
  • The more obscure, for example, a personal blog (haitirescuecenter.wordpress.com) of an alleged worker in Haiti.
  • The suspicious, for example, haitipal.com that links you to a PayPal donation to the user haitipal{at}hotmail[dot]com.
While, such sites may have good intentions, users should be wary of any site soliciting PayPal donations as there's no way to vet the source and ensure that donations are going to the victims. Individuals looking to donate should stick to reputable organizations only. CNN has a list of known, vetted donation organizations for Haiti.

On the malware front, we are seeing an increase in search engine optimization (SEO) taking advantage of Haiti Earthquake search terms to redirect visitors to FakeAV malware.

Here is a small list of the FakeAV domains that we have seen recently being redirected from Haiti Earthquake SEOed sites:
  • fullsecurityscanc.com
  • scan-now23.com
  • full-pc-scanner1.com
  • best-systemguard.net
  • full-pc-scanner22.com
Zscaler will continue to monitor and protect their customers against this campaign.

Wednesday, January 13, 2010

Haiti Earthquake Also Rocks Internet

The magnitude 7.0 earthquake rocked Port-Au-Prince and its surrounding area on Tuesday, January 12, 2010 at 13:53:09 PST (21:53:09 UTC) according to USGS. Within the hour, the shock resonated on the Internet. The security community, including Zscaler, has been and continues to be vigilant (reference SANS ISC) for SEO attacks, fraudulent donation sites, and malicious web content taking advantage of the global popularity of folks following the story on the Internet. How quickly did this physical event transcend to cyber space and what was its impact on the Internet? Zscaler is in a unique position to provide an answer based on customer usage of the cloud.

I pulled the numbers for unique URLs visited with the word ‘haiti’ in the URL string for January 11 PST and then for January 12 PST, and calculated the percentage increase in URLs visited and bandwidth used over these two 24 hour periods.

There was a 1578% increase in URLs visited with a corresponding 5407% increase in bandwidth usage for ‘haiti’ URLs. Where bandwidth includes the request and response bytes over the 24 hour period.

Here is a graph of the ‘haiti’ URLs visited for each hour (PST) during January 12, showing an explosion in Internet activity covering this event.