Saturday, July 31, 2010
Day Two of Blackhat once again had far too many overlapping presentations so I was forced to skip a few that I would have liked to attend. For the most part, I chose to stick with some proven talent that I knew would keep me entertained.
HTTPS can Byte Me
RSnake and Josh chose to tackle a component of the web that I've always believed is misunderstood by the general web population - HTTPS. They went through a laundry list of ways that HTTPS can be abused, not so much because the technology is flawed but because users implicitly trust the 'lock and key' and assume that it is a silver bullet for security on the web. For me, the most interesting part of the talk dealt with passively monitoring encrypted traffic to gain insight into what a user is doing, even if you cannot see the decrypted traffic. For example, by monitoring packet sizes you can determine whether POST or GET requests are being sent: POST requests will generally result in more egress packets, since content is being sent to the server, while GET requests typically result in more ingress packets. The timing of packets can also reveal information, with frequent requests suggesting AJAX traffic. Combine this knowledge with prior reconnaissance of the site being visited and a passive attacker may be able to determine, with reasonable confidence, where you were on a web site and what you were doing - even without being able to access decrypted traffic. RSnake and Josh admitted that another group had already gone public with similar research, but I certainly feel that it's a topic worthy of more investigation.
Blitzableiter - The Release
FX, a longtime Blackhat speaker, released Blitzableiter (German for lightning rod), a tool designed to protect against malicious Adobe Flash files. Rather than take the approach of AV vendors and use a library of signatures to identify malicious content within a Flash File, FX has chosen instead to parse the Flash binary to ensure that the file is well formatted by looking for undocumented tags and length values that do not match the data that they contain. Blitzableiter is a command line tool written in C# which can be integrated with NoScript to provide in-line protection while browsing online.
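As an added illustration of the well-formedness checks described above (this is not Blitzableiter's own code, which is C#), the Python below walks the tag list of a SWF file and flags tag codes outside the documented set and tag lengths that do not fit the data. The sample SWF bytes, the minimal header they use, and the (subset) list of documented tag codes are constructed here.

```python
import struct
import zlib

# Subset of the tag codes documented in Adobe's SWF File Format Specification
# (End, ShowFrame, DefineShape, PlaceObject, ..., DoABC, DefineFont4). Anything
# outside this set is reported as undocumented; extend it for a real deployment.
DOCUMENTED_TAGS = frozenset({
    0, 1, 2, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 17, 18, 19, 20, 21,
    22, 23, 24, 26, 28, 32, 33, 34, 35, 36, 37, 39, 43, 45, 46, 48, 56, 57,
    58, 59, 60, 61, 62, 64, 65, 66, 69, 70, 71, 73, 74, 75, 76, 77, 78, 82,
    83, 84, 86, 87, 88, 89, 90, 91,
})


def _tags_start(body):
    """Offset of the first tag: skip the RECT (5 + 4*Nbits bits, byte padded),
    then the uint16 frame rate and uint16 frame count after the 8-byte header."""
    nbits = body[8] >> 3
    rect_bytes = (5 + 4 * nbits + 7) // 8
    return 8 + rect_bytes + 4


def check_swf(data):
    """Walk the tag list; return a list of findings (empty means well formed)."""
    if len(data) < 8 or data[1:3] != b"WS" or data[0] not in b"FCZ":
        return ["bad signature"]
    if data[0] == ord("Z"):
        return ["LZMA-compressed (ZWS) body not handled by this example"]
    body = data[:8] + zlib.decompress(data[8:]) if data[0] == ord("C") else data
    findings = []
    declared = struct.unpack_from("<I", data, 4)[0]
    if declared != len(body):
        findings.append("declared length %d != actual %d" % (declared, len(body)))
    pos = _tags_start(body)
    while True:
        if pos + 2 > len(body):
            findings.append("tag list runs off the end of the file (no End tag)")
            break
        code_and_len = struct.unpack_from("<H", body, pos)[0]
        code, length = code_and_len >> 6, code_and_len & 0x3F
        pos += 2
        if length == 0x3F:  # long-form header: real length in the next uint32
            if pos + 4 > len(body):
                findings.append("truncated long tag header at %d" % (pos - 2))
                break
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        if code not in DOCUMENTED_TAGS:
            findings.append("undocumented tag code %d at %d" % (code, pos - 2))
        if pos + length > len(body):
            findings.append("tag %d claims %d bytes, only %d remain" % (code, length, len(body) - pos))
            break
        pos += length
        if code == 0:  # End tag: nothing may follow it
            if pos != len(body):
                findings.append("%d trailing bytes after End tag" % (len(body) - pos))
            break
    return findings


def build_swf(tags):
    """Constructed minimal uncompressed SWF (zero-size stage, 12 fps, 1 frame) + tags."""
    body = b""
    for code, payload in tags:
        if len(payload) < 0x3F:
            body += struct.pack("<H", (code << 6) | len(payload)) + payload
        else:
            body += struct.pack("<H", (code << 6) | 0x3F) + struct.pack("<I", len(payload)) + payload
    header = b"\x08\x00" + b"\x00\x0c" + b"\x01\x00"  # RECT (Nbits=1), frame rate, frame count
    return b"FWS\x08" + struct.pack("<I", 8 + len(header) + len(body)) + header + body


# Constructed samples: a clean file, one with an undocumented tag code, one whose
# SetBackgroundColor tag claims more bytes than exist, and a zlib-compressed clean copy.
GOOD = build_swf([(9, b"\xff\xff\xff"), (1, b""), (0, b"")])
UNDOCUMENTED = build_swf([(9, b"\xff\xff\xff"), (255, b"\x00"), (0, b"")])
OVERRUN = GOOD[:14] + struct.pack("<H", (9 << 6) | 48) + GOOD[16:]
COMPRESSED = b"CWS" + GOOD[3:8] + zlib.compress(GOOD[8:])
```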
How I Met Your Girlfriend
Samy Kamkar, for those not familiar, gained fame for writing an XSS based MySpace worm when the Feds failed to appreciate his great sense of humor. What I love about Samy is that he's not a security guy per se, but rather a talented developer, intrigued by security. He delivered the funniest talk of the show and I found myself regularly laughing out loud throughout. The premise of his talk - detailing a variety of web based hacking techniques told through a story of how Samy might attack Robert 'RSnake' Hansen in order to steal his 'girlfriend'. Techniques that he discussed:
- How to reduce entropy in PHP in order to more reliably predict session cookie values
- Cross-Protocol Scripting (XPS)
- NAT Pinning
Lord of the Bing
Johnny Long's indispensable Google Hacking Database sadly hasn't been well maintained since it was first released years ago - fortunately, Rob and Francis have not only resurrected it from the dead, they've taken it to the next level and added Bing hacking to the mix. They discussed a variety of free tools that will be released, built around Google Diggity and Bing Diggity, two platforms that automate Google/Bing hacking and provide a repository for current and future hacking queries.
That's it for Blackhat 2010 - see you next year.
Friday, July 30, 2010
In a previous post, I pointed out the vast majority of malicious spam SEO sites check the referrer string of the visitor. If this string does not include bing.com, yahoo.com or google.com, the user is not redirected to a malicious page.
We are releasing a Firefox add-on that uses this trick to protect Firefox users against most spam SEO threats, including fake AV and fake Video pages. This plugin works with Firefox 3.x. Click on the image below to install it. It is called "Search Engine Security".
|Search Engine Security add-on installed|
How it works
This Firefox add-on handles Bing, Yahoo and Google search engines, in all languages. Normally, if a user clicks on a link within search engine results, the HTTP request to the external site contains a Referrer string from the search engine within the HTTP header. For example, if a user searches for "this is a test" in Google, any request to a search result will include the following Referrer:
The add-on does not change the referrer if you navigate within the same site (for example, inside google.com), or if your Referrer does not include a Bing, Yahoo or Google domain.
You can customize the behavior of the Search Engine Security add-on. In the preferences menu, you can change the following values:
|Search Engine Security preferences|
Select the search engines for which you wish to enable protection.
- Use Referer header
Choose the Referer value to use for overriding the Google/Bing/Yahoo Referer. You can use an empty value, but it is recommended that you use a valid URL.
- Modify User-Agent (NEW in 1.0.8)
Most spam pages look at the Referrer value to decide whether or not to redirect users to a malicious page. However, in some cases, like the Hot Video pages, only the User-Agent value is used. One common check is to look for "slurp" in the user-agent string to flag the request as coming from the Yahoo crawler. If you check the "Modify User-Agent" checkbox in the options, the string "slurp" is added to the User-Agent header when you leave Google/Bing/Yahoo, in addition to overriding the Referrer header.
This option provides additional protection against malicious spam SEO.
Some websites display a different page if you come from a search engine. When you use this add-on, the websites can no longer detect that you come from Google/Yahoo/Bing. If you are sure that a website is safe, you can add it to the whitelist. This will disable the add-on for this website.
If the URL matches any of the elements in the whitelist, the add-on does not change the Referer value. This is a string match and the match occurs if the URL includes one element of the whitelist. For example, http://www.expert-exchange.com/ can be whitelisted by adding:
- http://www.expert-exchange.com/ (also matches http://www.expert-exchange.com/foo)
- expert-exchange.com/ (matches any subdomain)
- expert-exchange. (matches the domains expert-exchange.net, expert-exchange.org, and paths like http://example.com/expert-exchange.html/)
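To make the rules above concrete, here is an added Python model of the add-on's decision (not the extension's own JavaScript): the Referer is rewritten only when a request leaves an enabled Bing/Yahoo/Google domain for a different site, the whitelist is a plain substring match, and the 1.0.8 option appends "slurp" to the User-Agent. The default replacement Referer, the engine-detection rule and the sample requests are assumptions made for this example.

```python
from urllib.parse import urlsplit

ENGINES = ("google", "bing", "yahoo")

# Hypothetical defaults standing in for the add-on's preference values.
DEFAULT_CONFIG = {
    "enabled": {"google", "bing", "yahoo"},     # engines with protection enabled
    "referer": "http://example.com/",           # placeholder replacement Referer
    "modify_user_agent": False,                 # the 1.0.8 "slurp" option
    "whitelist": [],                            # substrings that disable rewriting
}


def engine_of(host):
    """Which search engine a hostname belongs to, or None.
    Assumption: any DNS label equal to google/bing/yahoo counts, so
    www.google.co.uk, search.yahoo.co.jp and www.bing.com all match."""
    labels = (host or "").lower().split(".")
    for engine in ENGINES:
        if engine in labels:
            return engine
    return None


def apply_policy(request_url, headers, overrides=None):
    """Return the headers to send for request_url, rewriting Referer/User-Agent
    only when the request leaves an enabled search engine for another site."""
    config = {**DEFAULT_CONFIG, **(overrides or {})}
    out = dict(headers)
    src = engine_of(urlsplit(headers.get("Referer", "")).hostname)
    dst = engine_of(urlsplit(request_url).hostname)
    if src is None or src not in config["enabled"]:
        return out                      # not coming from a protected engine
    if src == dst:
        return out                      # navigating within the search engine itself
    if any(item in request_url for item in config["whitelist"]):
        return out                      # plain substring match, as the post describes
    if config["referer"]:
        out["Referer"] = config["referer"]
    else:
        out.pop("Referer", None)        # assumption: an empty value drops the header
    if config["modify_user_agent"]:
        out["User-Agent"] = headers.get("User-Agent", "") + " slurp"
    return out


# Constructed sample requests.
FROM_GOOGLE = {"Referer": "http://www.google.com/search?q=this+is+a+test",
               "User-Agent": "Mozilla/5.0 (Firefox 3.6)"}
FROM_YAHOO = {"Referer": "http://search.yahoo.co.jp/search?p=test"}
FROM_OTHER = {"Referer": "http://www.example.net/links"}
```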
Notification (NEW in 1.0.4)
A notification is shown on Bing, Yahoo, and Google to let users know whether the SES protection is enabled for this search engine. The notification is shown under the search input.
|Search Engine Security notification in Google search|
|Search Engine Security notification in Bing search|
If you find any problem with this add-on, please let me know at firstname.lastname@example.org.
Wednesday, July 28, 2010
While I wasn't able to attend everything that I would have liked to, I did take in several great talks and here's an overview of the highlights.
Dan Hubbard, Websense
Real-Time Search Poisoning
Dan has been spending time researching ways to abuse real-time search of social networking content, most notably Twitter. His goal - figure out how to ensure that your desired content shows up in the most popular results for a given topic. Think Blackhat SEO with a social angle. Dan illustrated a variety of approaches that focused on the following techniques:
- Time and trend hacks - continual or well timed postings
- Social graph hacking - linking to or taking control of existing accounts
- Geo hacks - spoof your location to target people in a certain geography (i.e. Nearby Tweets)
Wolfgang Kandek, Qualys
Jeremiah Grossman, Whitehat Security
CSA Application Security Findings
I wasn't able to stay for the full talk but Jeremiah made some insightful comments.
- Web application security is a scale problem. 200M websites built before we knew that they needed to be secured and 200M more built by people that don't have security knowledge.
- Web application developers have a lack of motivation when it comes to security - developers get paid to ship product, not secure product.
Crash Analysis Using BitBlaze
I'm always up for a good Charlie Miller talk. He's sure to drop an 0day (Adobe was the target this time) and speak his mind. He's also a great guy; after all, he provided critical feedback on the Fuzzing book that we released in 2007. Charlie spoke about BitBlaze, a binary analyzer out of UC Berkeley that he's been using to streamline vulnerability discovery. It fuses static and dynamic analysis, allows for taint analysis and delivers taint slicing - an approach which allows the researcher to more easily follow the path of user supplied input throughout the code execution process. Charlie's ultimate assessment - the trace data provided by BitBlaze is very valuable. Although the tool can be a bit slow, the overall approach will likely save you time in the end, as you'll be able to better focus on crashes likely to be exploitable.
Michael Sutton, Zscaler
Dan Hubbard, Websense
Steven Adair, ShadowServer
Steve Riley, Amazon
Michael Panico, Microsoft
Chris St. Myers, Rackspace
Alex Rice, Facebook
Dan and I had the good fortune to assemble an all-star cast to debate security in the cloud and how the cloud is being abused by attackers. I was especially pleased at how honest the vendors were willing to be, providing insight into the challenges that they face. More than once they highlighted the fact that they are restricted in what they can do from a security perspective due to business requirements to maintain customer privacy. Yes, they could identify malicious content if they scanned all uploaded content, but that would not be well received by customers who expect that their data will not be inspected - a business/security battle that will need to be resolved. Monitoring is therefore largely restricted to the network level. To date, far too much security from cloud vendors has been the man behind the curtain, with too little shared publicly. It was great to hear directly from the vendors that they recognize the security challenges and are working to resolve them. My favorite quote came from Steve Riley, who insisted that Amazon is committed to providing customers with options and not locking them into the AWS platform. He stated that "[Amazon] wants to build a service that is as easy for you to enter as it is to exit". Good for you Steve - we're going to hold you to that.
I unfortunately wasn't able to attend what was ultimately the talk of the day as it conflicted with our panel. After lunch, Barnaby Jack delivered a talk that was pulled last year on how to hack ATM machines. Barnaby actually purchased his own ATMs for the research and was able to root the machines. Here's a video of his live demo - getting a machine to spit out dollar bills using his program called (what else) Jackpot...and he did it all to music.
Day one done.
Tuesday, July 27, 2010
|New fake AV look & feel|
|Popup is followed by an attempt to download fake antivirus|
Wednesday, July 21, 2010
I've scanned 294,691 unique URLs from the Google search results. A full 5% of results (15,913 URLs) turned out to be spam SEO pages, which redirected to 573 different spam or malicious domains.
Filter URLs to scan with a regular expression
The spam URLs often look the same. For the search "word1 word2 word3", most of the spam addresses match this regular expression:
(\.php|\/)\?[a-z]+=word1(%20|\+|-| )word2(%20|\+|-| )word3
For example, for the search "keith britto actor", I get these types of URLs:
I've applied this regular expression to all the spam SEO links. This gives 10,821 matches (68% of all spam links) which lead to 352 domains (61% of all the spam/malicious domains). If applied on all the links, this regular expression also triggers on 5,455 good URLs.
So, by using this one regular expression, I can scan 3.4% of all search results (16,276 links) and I catch 68% of all spam and 61% of the bad domains.
Loose regular expressions
We can catch even more spam by making the regular expression less strict. Some popular searches exist in different variations. For example, the search "keith britto actor" shows spam results for another popular trend - "keith britton wiki". So I came up with the following regular expression: (\.php|\/)\?[a-z]+=[a-z]
This new regular expression gives us 3,618 additional spam links to 56 new domains, but it doubles the number of good URLs scanned by adding 5,047 good search results. So the new numbers are:
- 14,439 spam results, 91% of all spam links
- 408 spam/malicious domains, 71% of all bad domains
- 10,502 good results, 3.5% of all links to scan
More effective regular expressions
There is one more optimization that can be done: all hot trends contain at least 2 words, so the regular expression may contain one word separator: (\.php|\/)\?[a-z]+=[a-z]+(%20|\+|-| )
This new regular expression adds only 1,362 legitimate results, and adds the 56 bad domains found with the previous regex version. It also finds 2,115 spam links. Total results:
- 12,936 spam results, 81% of all spam links
- 408 spam/malicious domains, 71% of all bad domains
- 6,817 good results, 2.3% of all links to scan
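The three filters above, applied by an added Python script (not the post's own tooling) to a constructed sample of spam and legitimate result URLs, so the trade-off between spam caught and results scanned can be reproduced. The strict pattern is generalized to any number of search words; the counts below are for the sample, not the post's 294,691 URLs.

```python
import re

SEPARATOR = r"(%20|\+|-| )"   # word separators seen in the spam URLs


def strict_pattern(search_term):
    """The post's exact-term filter, generalized to any number of words."""
    words = [re.escape(w) for w in search_term.lower().split()]
    return r"(\.php|\/)\?[a-z]+=" + SEPARATOR.join(words)


LOOSE_PATTERN = r"(\.php|\/)\?[a-z]+=[a-z]"                  # "loose" version
TWO_WORD_PATTERN = r"(\.php|\/)\?[a-z]+=[a-z]+" + SEPARATOR   # requires one separator

# Constructed sample of (url, is_spam) results for the search "keith britto actor".
SAMPLE = [
    ("http://hacked-blog.example/?p=keith%20britto%20actor", True),
    ("http://hacked-shop.example/index.php?q=keith+britto+actor", True),
    ("http://hacked-cms.example/view.php?id=keith-britton-wiki", True),   # variant trend
    ("http://hacked-forum.example/?s=keith britton wiki", True),
    ("http://hacked-wiki.example/?a=keithbritto", True),                   # single word
    ("http://hacked-host.example/news/keith-britto-actor.html", True),     # no query string
    ("http://news.example/2010/07/keith-britto-actor", False),
    ("http://shop.example/index.php?page=home", False),
    ("http://forum.example/?topic=world cup rules", False),
    ("http://db.example/name/?id=12345", False),
    ("http://wiki.example/w/index.php?title=Keith_Britto", False),         # upper case
]


def evaluate(pattern, sample):
    """Count how much spam a filter keeps and how many good URLs it drags along."""
    rx = re.compile(pattern)
    spam_total = sum(1 for _, is_spam in sample if is_spam)
    spam_caught = legit_scanned = 0
    for url, is_spam in sample:
        if rx.search(url):
            if is_spam:
                spam_caught += 1
            else:
                legit_scanned += 1
    return {
        "spam_caught": spam_caught,
        "spam_recall": round(spam_caught / spam_total, 2),
        "legit_scanned": legit_scanned,
        "scan_fraction": round((spam_caught + legit_scanned) / len(sample), 2),
    }


if __name__ == "__main__":
    for name, pattern in (("strict", strict_pattern("keith britto actor")),
                          ("loose", LOOSE_PATTERN), ("two-word", TWO_WORD_PATTERN)):
        print(name, evaluate(pattern, SAMPLE))
```

On this sample the strict filter misses the "keith britton wiki" variant, the loose filter catches it at the cost of two legitimate URLs, and the separator requirement drops one of those again, the same shape as the numbers in the post.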
Here is a comparison of the scan efficiency with no filter and with the optimized filter:
Which search pages to scan?
Finally, I wanted to find out which search results pages should be scanned. Here is the distribution of spam SEO links on the first 10 pages of a Google search:
While pages 5 to 10 have more malicious links, no page should be skipped. The fact that page 10 contains the most links means that even more pages should be scanned.
We can optimize the Google search results scanning by looking at trends 5 to 12 days after they appear, and by looking at links that match a regular expression. This will allow for the scanning of more pages per search term, and increase the number of malicious domains found each day.
Conducting web log forensics, we detected a small number of Stuxnet infected machines calling out to known C&C servers. None of the impacted machines appear to be running SCADA or industrial equipment.
We are sharing the below information to facilitate detection and analysis for other security operations centers (SOCs) and the like.
The date of all of the infected transactions observed was on July 12.
C&C Server: www.mypremierfutbol.com
Server IP: 126.96.36.199
URL Sample: www.mypremierfutbol.com/index.php?data=66a96e28<redacted>
Request Type: GET
- Only one transaction was observed to the C&C per infected machine.
- The request size varied depending on the data parameter.
- The response size was always 24,778 bytes in the observed transactions.
- The user agent string varied among Microsoft Internet Explorer versions (to include MS IE 8).
- The transaction to the C&C was observed immediately following a transaction to MSN or WindowsUpdate.
Organizations that have the ability to should conduct similar log analysis and respond to any identified infections.
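An added Python example (not the post's tooling) that applies the indicators above to constructed proxy log lines: every request to the named C&C host is flagged, and each hit records which of the listed indicators it matches (GET, index.php?data=, the 24,778-byte response, an MSIE user agent, and an immediately preceding MSN or Windows Update request from the same client). The log format, client addresses and the tail of the data= value are constructed; the post redacts the real value after 66a96e28.

```python
import re
from urllib.parse import parse_qs, urlsplit

CNC_HOST = "www.mypremierfutbol.com"
CNC_RESPONSE_SIZE = 24778

# Constructed log format: timestamp client method url status bytes "user-agent"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def is_precursor(host):
    """MSN or Windows Update host. Assumption: these host patterns cover them."""
    return (host.endswith("msn.com") or "windowsupdate" in host
            or host.endswith("update.microsoft.com"))


def find_beacons(lines):
    """Flag every request to the C&C host and list which of the post's
    indicators it matches; returns one dict per flagged request."""
    last_host = {}  # client -> host of that client's previous request
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["url"])
        host = (parts.hostname or "").lower()
        if host == CNC_HOST:
            matched = ["cnc-host"]
            if rec["method"] == "GET":
                matched.append("GET")
            if parts.path == "/index.php" and "data" in parse_qs(parts.query):
                matched.append("index.php?data=")
            if rec["bytes"] == CNC_RESPONSE_SIZE:
                matched.append("response-24778")
            if "MSIE" in rec["ua"]:
                matched.append("msie-ua")
            if is_precursor(last_host.get(rec["client"], "")):
                matched.append("after-msn-or-windowsupdate")
            hits.append({"client": rec["client"], "url": rec["url"], "indicators": matched})
        last_host[rec["client"]] = host
    return hits


# Constructed sample lines: two machines showing the full pattern from the post,
# and one unrelated request to the C&C host that matches only the host itself.
SAMPLE_LOG = """
2010-07-12T09:14:01Z 10.1.2.3 GET http://www.msn.com/ 200 51234 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"
2010-07-12T09:14:02Z 10.1.2.3 GET http://www.mypremierfutbol.com/index.php?data=66a96e28PLACEHOLDER1 200 24778 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"
2010-07-12T09:20:11Z 10.1.2.4 GET http://update.microsoft.com/windowsupdate/v6/default.aspx 200 3100 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
2010-07-12T09:20:12Z 10.1.2.4 GET http://www.mypremierfutbol.com/index.php?data=66a96e28PLACEHOLDER2 200 24778 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
2010-07-12T10:00:00Z 10.1.2.5 GET http://www.example.com/ 200 1200 "Mozilla/5.0 (X11; Linux)"
2010-07-12T10:00:01Z 10.1.2.5 GET http://www.mypremierfutbol.com/about.html 404 512 "Mozilla/5.0 (X11; Linux)"
""".strip().splitlines()
```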
The following are in-line protections that an enterprise can and should have in place to protect its users against this threat.
Blocks against known C&C servers including:
In-line anti-virus signatures in place and tested against known related malware artifacts. For example, MD5s:
- 743E16B3EF4D39FC11C5E8EC890DCD29F (Stuxnet)
- 15db99383d46d790812e83df6196f4fd (SuckMe LNK PoC)
Signatures deployed for traffic that may mimic past observed C&C activity, for example,
- In URL: “index.php?data=66a96e28”
As well as signatures to detect the Metasploit WebDAV .LNK exploit.
Additionally, if appropriate or available organizations can deploy technologies to identify, parse, and/or block LNK files entering their organization.
There is not currently a patch, though Microsoft has issued a workaround detailed here.
Didier Stevens, a security researcher, has released a tool and screenshots on his blog about how to apply protections locally to protect against LNK exploitation.
This vulnerability has been, is being, and will continue to be exploited in the wild. Use the above information to conduct log forensics and analysis to identify and respond to infected systems. Apply in-line and local protections as appropriate within your environment.
Monday, July 19, 2010
For example, LoudMo is a well-known adware vendor. Their affiliate network pays $1.50 per installation.
Spammers don't hesitate to trick users into downloading such adware. They hack legitimate web sites to pollute Google search results, and then redirect users to fake video pages.
Placeblogger spam page:
Clicking any of the links takes you to the affiliate page (this one is set up on Quogger, but there are a large number of social media sites used for this):
It didn't take long from here to start to unravel the web of spam and affiliate pages setup to monetize porn and dating service pay-per-clicks / pay-per-purchase.
Some Placeblogger spam pages:
The list goes on...
This Google search identifies about 300 or so for example.
Some Affiliate / Advertisement pages:
~ snip ~
Note: there are a lot more affiliate pages - about 10 per Placeblogger spam page. Most of these are profile pages on a variety of social media sites.
Most of the affiliate links direct the visitor through imgwebsearch.com. A search for this site uncovers a large number of spam links to a variety of campaigns including: porn/dating, pharma, casinos, loans, replicas, etc., etc. Imgwebsearch spam shows up everywhere - yes, including Facebook. An example of imgwebsearch pharma spam on Facebook:
Actually, this Google search shows over 600 related spam pages on Facebook.
How does this work?
Here is an example of one such related spammer detected via Project HoneyPot. In this case the spammer / spam group seems to have one or more netblocks (188.8.131.52/24 in Latvia, for example) with the hosts set up to spider the web and post comment spam to sites (infected machines / bots may be used or rented out for this purpose as well). In this case all of the spammer's links were through imgwebsearch. The pool of source IP addresses for spidering / spamming and the changing of the user-agent are used to evade detection. This relatively simple spam operation could be home grown by the spammer(s), or there are relatively inexpensive tools such as XRumer available for purchase to facilitate this type of spam (also used for SEO). This and other tools provide account creation / CAPTCHA bypass to be able to spam sites that require an account / login. Affiliate programs (aka Partnerka in Russian slang) -- in this case it appears to be imgwebsearch -- pay these spammers anywhere from a few cents per click, a few dollars per sign-up/purchase, or in some cases tens of dollars per install (for example, the FakeAV campaigns). There is a good paper from Dmitry Samosseiko from last year's Virus Bulletin that details the Partnerka.
Friday, July 16, 2010
From the above code, it is clear that it is targeting the ADODB.Stream vulnerability from 2003. Here is the other part of the decoded content which exploits the MS09-002 vulnerability.
I am not going into more detail on this exploit, as the code is pretty self explanatory. It is going to download additional malicious binaries and execute them on the system. The author who discovered this older ADODB.Stream vulnerability has posted a proof-of-concept. For those interested, an explanation of the MS09-002 vulnerability can be found here.
Thursday, July 15, 2010
I've never seen a registrar with such prominent links to reports of "Spam or Abuse", but there is a good reason for this: most of the malicious sites (fake AV, browser exploits, etc.), spam and free proxies seen in recent weeks use co.cc domains.
All of the fake AV sites we've seen since July 1st are .co.cc domains, including sunclear.co.cc, avsolution20.co.cc, truefind49p.co.cc, oksave5.co.cc, fillfree21.co.cc, etc.
37% of all free proxies we've seen from our customers in the past 5 days are .co.cc including: surflife.co.cc, feelmuchbetter.co.cc, pickupsurf.co.cc, surfday.co.cc, etc.
Example of a malicious co.cc domain
Here is an example of a malicious co.cc site: hxxp://flashupdate.co.cc/ As its name suggests, the site tries to lure users into thinking they are downloading a newer version of the Flash plugin. The page was made for Internet Explorer users. It displays a fake IE warning that the Flash version is too old, and automatically attempts to download a malicious executable, v11_adobe_flash_update.exe. This executable is flagged by only 9 antivirus vendors out of 41.
A large number of the malicious domains have been hosted on:
184.108.40.206 - 220.127.116.11
These IPs belong to the 18.104.22.168/24 owned by ATECH-SAGADE:
Other ATECH-SAGADE netblocks have been described as "evil" in blog posts from earlier this month:
"Evil network: Sagade Ltd / ATECH-SAGADE" -- Dynamoo
"Basically, 22.214.171.124 – 126.96.36.199 is completely evil and has no legitimate use as far as I can see." -- ComputerSecurityArticles
"Exploits, Malware, and Scareware Courtesy of AS6851, BKCNET, Sagade Ltd." -- ComputerSecurityArticles
There have also been a number of recent malicious sites related to this .IN campaign seen on the 188.8.131.52/24 ATECH-SAGADE netblock as well, for example:
which currently resolve to 184.108.40.206, .15, and .16.
Here is a snippet of what we've seen and blocked related to this ongoing .IN campaign:
Other open-source research shows several of these sites still live on this /24, for example:
Here is an example of the WHOIS for one of the malicious .IN domains:
Russian-based WHOIS information and a self-resolving domain. The name servers currently resolve to 220.127.116.11 and 18.104.22.168 respectively, on the same ATECH-SAGADE netblock.
Here is a small snippet from the exploit kit hosted on the .IN domains:
I believe this is from the SUTRA exploit pack. In any case, here is an example of an earlier Wepawet report from analyzing one of these .IN sites:
The exploits detected in the report are CVE-2009-0927 and CVE-2007-5659.
And the ActiveX controls:
While many of the payloads include Trojan Downloaders and FakeAV, there have been some other wares installed via this campaign. VirusTotal has shown that some of the payloads dropped by the kit are undetectable via anti-virus:
The sigcheck on the artifact shows it as System Explorer by the Mister Group:
Secunia has a brief advisory posted on the Mister Group and their System Explorer here.
The Mister Group has a few pages set up for their System Explorer:
From the above, it seems that this campaign is largely driven by pay-per-install profit.
Monday, July 12, 2010
Trends by search rank
First, let's try to see if the rank of a search term turns out to be a factor. Hot trends are ranked from 1 to 20. A search term can appear on several days in hot trends, with a different rank each time. The graph below shows the average number of spam links for each trend rank:
I generated the same type of graph, but based on the percentage of searches that contain at least one spam link:
The variations are smaller: 44% to 65% of each rank contains at least one SEO spam link.
The distribution of spam per hot trend search is pretty flat, so it is not a good indicator of which search is more likely to be interesting for security research.
Trends by days
Next I checked the distribution of spam over time. One researcher told me that there seems to be a spike of spam, five days after a term first appears in the hot trends. A search is more likely to contain spam, or contain more spam results, five days after it first appeared in Google hot trends. Here is what I get from my data:
Most of the spam links can be found five to twelve days after a term first appears in Google hot trends.
The graph below shows similar information: the number of searches that contain at least one spam result. As I have not scanned as many searches each day, I also included the number of search terms scanned that day:
How can I reduce the number of security scans required, while maximizing the potential number of spam links I find? I cannot rely on the rank of a trend, as the distribution is flat, but I can skip trends which appeared within five days. I'll probably scan the search results five to ten days after they show up in Google Hot trends.
Friday, July 9, 2010
Attackers are constantly changing the way they operate. Recently, I found a malicious page for the search term "world cup extra time rules" which does not have the common traits of a spam SEO attack for a fake AV page.
The Google result is actually a fake YouTube page (see screen shot below). The page is comprised of three parts:
- HTML and images display a fake YouTube video page
- Hidden HTML (a tag moved outside of the screen) stuffed with keywords for "world cup extra time rules" in order to rank well in searches
The hacked French site then redirects the browser to a fake AV page. I've seen redirections to four different fake AV domains, and only one of them was blocked by Google Safe Browsing - ryuk4.co.cc was blocked while savewarez54.co.cc, richav8.co.cc and richav2.co.cc were not. I also witnessed six different versions of the fake AV page. One seemed to be broken: it displayed the "loading..." animation but did not ultimately deliver the fake AV page. Instead, it directly attempted to download the malicious executable. Here is the screen shot of the five variations of the fake AV page:
Wednesday, July 7, 2010
You can compare these statistics with the number of warnings shown by Google: