SecureWorks 'General' Category

The Phish That Bites Back

Monday, August 25th, 2008

We all get phishing emails. Some of us more than others, so it’s no surprise that sometimes people take out their frustrations on the phishing form, letting the phisher know just what they think of him or her.

While it might make you feel better, it isn’t always a good idea. For instance, if you were to do this on a phishing page hosted by the Asprox botnet, you might get more than you bargained for. The Asprox phishing form backend has a bit of extra logic added to it. If the form looks like it has been filled out with legitimate data, you get redirected to the main page of the bank website.

However, fill it out incompletely or use certain words like “phish” or NSFWUYAS (Not Safe For Work Unless You’re a Sailor) language, and your browser will be subjected to a number of exploits. If you are running Windows and haven’t recently installed your security updates and patched all your browser plugins/ActiveX controls, you might find yourself infected with your very own copy of Asprox.

Not only do you then get the opportunity to unknowingly send phishing emails on behalf of the botnet, you will likely get some extra goodies, since Asprox is also a downloader trojan. You won’t notice it running, but you might notice some of the things it downloads and installs.

For instance, you might find your desktop wallpaper changed to a “spyware alert” type of message, and now all your screensaver shows is scary blue-screens-of-death. Of course, if you’re familiar with the Windows desktop properties dialog, you can change all that back, right?

Oops. The rogue antivirus program has removed that functionality for you. But hey, at least it gives you a chance to look over the license agreement, right?

Except you’ll notice the lack of an “I disagree” or even a “close window” button at the top of the dialog (which can’t be minimized, and stays on top of all your other windows). So there’s no easy way to continue using your computer without clicking on the “Agree and install” button. But don’t worry, Antivirus XP 08 has already installed itself, whether you click through the license agreement or not. Eventually you will see this:

Of course, you’re not infected with everything this program says you are - it’s scareware, designed to get you to fork over $50 or $100 in order to clean your system of all these nasty threats. But it doesn’t actually detect or clean anything, especially not the Asprox bot you’re hosting now.

And at any time, Asprox might deliver another malicious payload and install it for you - and it could be much worse: we’ve seen the Zbot banking trojan installed by Asprox in the past. So instead of dealing with a nuisance program, you might be silently sending your banking and credit card information to the botnet owners. Something to think about before venting your frustrations on the bad guys. Sometimes phish bite back.

Black Hat 2008 Wrap Up

Thursday, August 21st, 2008

By Hunter King & Nick Chapman

The saying goes: “What happens in Vegas stays in Vegas.” Well, apparently not during the week of Black Hat USA 2008. Black Hat is one of the world’s largest and most well known security conferences. Several members of the SecureWorks Counter Threat UnitSM had an opportunity to attend and we’d like to share some brief highlights from a few of the talks.

There were many highly renowned speakers sharing their expertise, including our own Joe Stewart speaking about the Storm botnet. Informal conversations with other attendees were also extremely valuable. With all this knowledge and experience in one place, Black Hat really is like drinking from the InfoSec fire hose. We don’t want to keep you in suspense any longer, so here are a few samples from some of our favorite talks.

SQL Injection Worms for Fun and Profit

Readers of our previous blog postings will know that we, like many others, have been keeping an eye on the recent waves of mass SQL injection attacks (here, here, and here). Justin Clarke of Gotham Digital Science gave a turbo talk about this very topic. The main thrust of his presentation was that this is just the beginning. The current attacks, although widespread, are very limited in scope. The attackers are only targeting websites that use Microsoft SQL Server as the backend database, and only target Microsoft ASP (and more recently ColdFusion) websites. Once a website has been compromised, the payload only targets users who visit that site. Nasty attacks that could be on the horizon include privilege escalation / attacking the database host OS, attacking HTML forms, scanning internal corporate networks / DMZs, and more. Today the attackers are using the Google search engine to identify potentially vulnerable systems and have successfully compromised literally hundreds of thousands of websites. It would be quite feasible to use Google search results to further refine their focus, generating a targeted attack against an entire business vertical or just a particular organization.

Get Rich or Die Trying - “Making Money on The Web, The Black Hat Way”

Jeremiah Grossman and Arian Evans gave a wonderful talk about real world ways to monetize attacks, both against technology and flaws in business logic (Arian’s other talk about encoding issues was also very interesting). What I found fascinating is how, as the amount of money involved increased, the amount of technical expertise required to pull off the hack decreased. The presentation started by talking about manually solving CAPTCHAs for profit. Initial offers were for $10 per 1000 CAPTCHAs solved, which works out to an income of about $50 a day. However, free market competition drove that price down to as low as $2 per 1000 CAPTCHAs.

Another example of how hackers can make large sums of money without a high degree of technical sophistication was information leakage. An Application Service Provider (ASP) which provided services to banks had been revealing sensitive information in an error message. Only three items of information were actually required to access an account through the ASP – a client identifier, a bank identifier and an account number.

These parameters were supplied via HTTP GET variables, easily modifiable by anyone with a web browser. If these three items didn’t match, the web application was kind enough to tell the visitor that “Account X belongs to Bank Y.” If a visitor used the correct bank identifier but the other parameters did not match, the website would inform them that “Bank Y belongs to Client Z.” The website was also only checking that a visitor was authenticated - it did not verify that the user was authorized to access a particular account. This could easily be exploited for profits in the tens or hundreds of thousands of dollars.

A third example requires even less technical expertise. A website featuring press releases (including profit and loss statements) would add press releases to their site ahead of their official release date — they just wouldn’t link them from the main page. However, the press releases were stored on sequentially numbered web pages, so it was a trivial task to identify and access a “hidden” press release. This would allow outsiders to have access to P&L information for publicly traded companies before the market closed. Hackers exploited this to earn over 8 million dollars on the stock market.

The critical lesson here is that all avenues of attack must be considered. This is especially true when dealing with how the business logic is implemented at a technical level. This is very difficult to do, because it requires knowledge of the business processes and a grasp of some of the technical details that drive those processes. If you’re not aware of how these interact, rest assured that there are many people using your systems, and it only takes a single one having that “Eureka!” moment where they find a critical flaw. This can lead to financial losses in the hundreds of thousands or more. What’s even worse is that some of these “attacks” aren’t even illegal, not even in the United States.
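The two business-logic flaws above (the ASP account lookup that leaked one parameter per error message and never checked ownership, and the press releases reachable by guessing a sequential id) modelled in a few lines of Python. This is an added example, not code from the talk or from SecureWorks; all names, account data, messages and dates are constructed for illustration.

```python
"""Vulnerable and hardened versions of the two business-logic flaws.
Constructed sample data; not the real ASP or press-release site."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    client_id: str
    bank_id: str
    account_no: str
    balance: int


# Constructed back-end data: key is the (client, bank, account) tuple the ASP used.
ACCOUNTS = {
    ("client-1", "bank-A", "1001"): Account("client-1", "bank-A", "1001", 500),
    ("client-2", "bank-B", "2002"): Account("client-2", "bank-B", "2002", 900),
}
# Which authenticated user legitimately owns which tuple (the missing authz data).
OWNERSHIP = {
    "alice": {("client-1", "bank-A", "1001")},
    "bob": {("client-2", "bank-B", "2002")},
}
GENERIC_ERROR = "error: account not found"


def lookup_vulnerable(user, client_id, bank_id, account_no):
    """The pattern described in the talk: only checks that *someone* is logged in,
    then validates the three GET parameters one at a time, with each mismatch
    leaking the correct value of the next parameter."""
    if user not in OWNERSHIP:                      # authentication only
        return "error: not logged in"
    matches = [a for a in ACCOUNTS.values() if a.account_no == account_no]
    if not matches:
        return "error: no such account"
    acct = matches[0]
    if acct.bank_id != bank_id:                    # oracle 1: reveals the bank
        return f"Account {acct.account_no} belongs to Bank {acct.bank_id}"
    if acct.client_id != client_id:                # oracle 2: reveals the client
        return f"Bank {acct.bank_id} belongs to Client {acct.client_id}"
    return f"balance={acct.balance}"               # no check that `user` owns it


def lookup_hardened(user, client_id, bank_id, account_no):
    """Authorization first, then an exact-tuple lookup with one uniform error,
    so a wrong guess learns nothing about which parameter was wrong."""
    key = (client_id, bank_id, account_no)
    if key not in OWNERSHIP.get(user, set()):      # user must own this tuple
        return GENERIC_ERROR
    acct = ACCOUNTS.get(key)
    if acct is None:
        return GENERIC_ERROR
    return f"balance={acct.balance}"


# Constructed press releases: sequential ids, one still under embargo.
PRESS_RELEASES = {
    1: ("Q1 results", date(2008, 4, 1)),
    2: ("Q2 results", date(2008, 7, 15)),          # staged ahead of release
}
SAMPLE_TODAY = date(2008, 7, 1)


def press_release_vulnerable(release_id, today=SAMPLE_TODAY):
    """Hiding the link is the only 'control': any staged id can be fetched."""
    rec = PRESS_RELEASES.get(release_id)
    return None if rec is None else rec[0]


def press_release_hardened(release_id, today=SAMPLE_TODAY):
    """Enforce the embargo server-side on every request, not in the navigation."""
    rec = PRESS_RELEASES.get(release_id)
    if rec is None or rec[1] > today:
        return None
    return rec[0]


if __name__ == "__main__":
    # bob probes alice's account number with wrong bank/client values, then reads it
    print(lookup_vulnerable("bob", "client-x", "bank-x", "1001"))
    print(lookup_vulnerable("bob", "client-x", "bank-A", "1001"))
    print(lookup_vulnerable("bob", "client-1", "bank-A", "1001"))
    print(lookup_hardened("bob", "client-1", "bank-A", "1001"))
    print(press_release_vulnerable(2), press_release_hardened(2))
```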

Malware Detection Through Network Flow Analysis

The always entertaining Bruce Potter, founder of The Shmoo Group, gave a talk titled “Malware Detection Through Network Flow Analysis.” In it, Bruce emphasized the need to quickly detect compromised machines in order to minimize damage. Given the rate at which client-side attacks presently occur, compromise is, for many, inevitable. Quick detection of infections becomes an increasingly important tool in the defender’s toolkit. Bruce advocates analyzing network traffic data for statistical anomalies. For example, a desktop which sends out twice as much data as it receives is likely part of a botnet. Without NetFlow data (or similar), this infection may go completely unnoticed. Bruce also advocated including frequency distribution graphs alongside traditional time-based graphs as a method of quickly identifying potential network issues. Incorporating these techniques won’t stop the bad guys, but could greatly minimize the damage done once a compromise does occur.
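The ratio check and the frequency-distribution view described above, as an added example that is not from Bruce Potter’s talk or SecureWorks: it parses constructed NetFlow-style records, flags internal hosts that send at least twice as many bytes as they receive, and builds a histogram of flow sizes. The address space, the sample flows and the thresholds are all assumptions for the illustration.

```python
"""Flow-ratio anomaly check over constructed NetFlow-style records."""
from collections import defaultdict
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed site address space
RATIO_THRESHOLD = 2.0                               # "sends twice what it receives"

# Constructed unidirectional flow records: src,dst,bytes
SAMPLE_FLOWS = """\
# a normal desktop: downloads far more than it uploads
10.0.0.5,203.0.113.10,1200
203.0.113.10,10.0.0.5,48000
10.0.0.5,198.51.100.7,900
# a host pushing data out to several external peers
10.0.0.9,203.0.113.10,52000
203.0.113.10,10.0.0.9,1500
10.0.0.9,198.51.100.3,61000
198.51.100.3,10.0.0.9,2200
10.0.0.9,192.0.2.44,44000
"""


def parse_flows(text):
    """Parse 'src,dst,bytes' lines into (src, dst, bytes); skip blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, nbytes = line.split(",")
        flows.append((src, dst, int(nbytes)))
    return flows


def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL_NET


def per_host_volumes(flows):
    """Bytes sent to and received from outside the site, per internal host."""
    sent = defaultdict(int)
    recv = defaultdict(int)
    for src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            sent[src] += nbytes
        elif is_internal(dst) and not is_internal(src):
            recv[dst] += nbytes
    return sent, recv


def flag_talkative_hosts(flows, threshold=RATIO_THRESHOLD, min_bytes=10_000):
    """Return {host: out/in ratio} for hosts at or above the threshold.
    min_bytes keeps nearly idle hosts out of the result; a host that received
    nothing at all is treated as an infinite ratio."""
    sent, recv = per_host_volumes(flows)
    flagged = {}
    for host, out_bytes in sent.items():
        if out_bytes < min_bytes:
            continue
        in_bytes = recv.get(host, 0)
        ratio = float("inf") if in_bytes == 0 else out_bytes / in_bytes
        if ratio >= threshold:
            flagged[host] = round(ratio, 2)
    return flagged


def size_histogram(flows, bucket=10_000):
    """Frequency distribution of flow sizes: bucket floor -> number of flows.
    Unusual clusters (many flows of one size, or a heavy upper tail) stand out
    here even when a time-series graph looks flat."""
    hist = defaultdict(int)
    for _, _, nbytes in flows:
        hist[(nbytes // bucket) * bucket] += 1
    return dict(sorted(hist.items()))


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("suspect hosts:", flag_talkative_hosts(flows))
    print("flow size distribution:", size_histogram(flows))
```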

Circumventing Automated JavaScript Analysis Tools

Billy “AJAX” Hoffman’s talk, titled, “Circumventing Automated JavaScript Analysis Tools,” focused on why current attempts to run malicious JavaScript within sandboxes are failing. With the increasing popularity of sandboxes, including SecureWorks’ own Caffeine Monkey, JavaScript-based malware is being forced to play “catch-up” with x86 malware with regard to sandbox detection. These techniques revolve around writing code which behaves differently in a browser than in a sandbox. Using the “quit” command within a try/catch block is a perfect example. This command, which does nothing when run from within a web browser, will exit Mozilla’s standalone JavaScript interpreter. Billy listed at least 20 pages of similar techniques (each needed to be coded for explicitly). Two main alternatives exist:

1) Analyze malware using a real browser within a VM. JavaScript can tell when being run from within a sandbox, but not while running in a real browser in a VM.

2) Modify the Mozilla JS interpreter to run in headless mode. This would break the majority of Billy’s attacks, and raise the bar significantly for malware authors. The analysis needed to detect this form of inspection would be easy to identify and evade.

Is Security Research Protected Speech? UPDATE

Tuesday, August 19th, 2008

UPDATE: The Boston Herald is now reporting that in today’s hearing (8/19/08), Judge O’Toole has rejected the MBTA’s request to impose a five month injunction. The temporary restraining order expired earlier today. The MIT students are no longer subject to any judicial orders restraining them from speaking about their research.

Black Hat Briefings 2008 / DEFCON 16: It’s a Wrap!

Tuesday, August 19th, 2008

Now that I’m back from Las Vegas and have had a week to dig out from under email and work tasks, I’d like to share a short post-con wrap-up.

The Black Hat Briefings 2008 were a good time. Just as important as the briefings, I had a lot of fun meeting new people, seeing old friends, and networking with others in the security community. Our industry is really based on trust and trusted relationships, so I always try and get out and mingle at the con.

Both of my DEFCON presentations seemed to be really well received. I was surprised with the large turnout Friday 10am for my web application firewall (WAF) talk, given that my slot was competing directly with the Dark Tangent’s annual DEFCON keynote and Joe “Kingpin” Grand’s talk on the making of this year’s badge. There were a few good questions, so at least someone was awake and paying attention.

My Friday afternoon talk on Snort plug-in development was very well attended. A group of Sourcefire employees were filling out the front row. They didn’t throw any rotten vegetables at me, so I figure I did alright.

Updated presentation materials should be getting posted to the DEFCON site soon. Here are links to the slides for my WAF talk, and slides for my Snort plug-in development talk. I’m busy adding to my Snort preprocessor for weak SSH2 Diffie-Hellman Group Key Exchange, and should be releasing some new code in the next few weeks.

Police & Thieves

Friday, July 11th, 2008

The Unnamed Police Department (we’ll just call them the UPD for short) is charged with keeping the peace in a major American metropolitan area. For a public safety website, theirs is quite advanced. Visitors can view dynamically generated maps showing the distribution of different classes of crimes, make anonymous tips to the narcotics squad, and even try to sign up to join the force. As those of us that work in information security well know, all that rich web functionality brings increased risk.

This past Thursday afternoon I received a report from a colleague that the UPD public website appeared to be serving up malicious JavaScript injections. The URLs of the injected scripts were consistent with the recent waves of mass SQL injection attacks that have targeted Microsoft IIS sites backed by Microsoft SQL Server databases. The injected JavaScript payloads were consistent with malicious scripts generated using the Neosploit obfuscation tool. The first stage script redirected victims to another script, this one hosted at a domain name registered just the day before with a German domain registrar.

[Screenshot: the injected scripts on the UPD site]

The impact of all this? Visitors to the UPD website were having their web browsers loaded with a witches’ brew of exploits, potentially leading to complete system compromise. While not all visitors were successfully exploited, enough folks are getting owned with these attacks to make them increasingly popular with the bad guys. Users of a tool such as the NoScript extension for Firefox (or possibly Microsoft’s new XSSFilter being included with Internet Explorer 8) would have been protected.

I immediately contacted the UPD and reported the issue. The conversation was initially pretty humorous, as you might imagine. Fortunately, the department includes a cybercrimes unit and my report was immediately routed to them. The contact at the UPD called me back about 5 minutes later and informed me one of the investigators in the cybercrimes unit had indeed confirmed the problem, and that they were working to resolve the issue. To verify the report, the cybercrimes investigator supposedly browsed to the UPD’s own public website and saw his anti-virus software light up with warnings.

I checked back less than four hours later, and the site appeared clean. I’m impressed with the speed of the response, given previously reported compromises of state and local government websites (credit to Sunbelt Blog: here, here, here, and here). I really thought I had enough time to get home before writing a cron job to keep checking the site for when it got cleaned up!

Unless the underlying SQL injection vulnerability was fixed, however, this site is very likely to fall victim again, and soon.

Dan Kaminsky Strikes Again With DNS Vulnerability

Thursday, July 10th, 2008

This past Tuesday July 8th was a big day in information security. Accomplished security researcher Dan Kaminsky of IOActive announced a major new vulnerability in the DNS infrastructure underpinning the Internet. What is the vulnerability, you ask? We may all have to wait for Dan to tell us at the Black Hat Briefings security conference, kicking off on Wednesday August 6th.

You see, what transpired Tuesday was a massive coordinated exercise in controlled vulnerability disclosure, pulled off by many of the biggest vendors in IT. It has been attempted (e.g., SNMP), but something like this has never really been pulled off before.

Dan Kaminsky, with the help of Internet pioneer Paul Vixie and US-CERT, pulled all the major players together and got them to actually agree they had a problem. At a closely guarded March 31st meeting on Microsoft’s Redmond campus, the likes of Microsoft, Cisco and the ISC BIND team reached consensus on an aggressive fix to be coordinated among the participants. What’s more, this diverse group managed to effectively keep a lid on their efforts until Tuesday. As Dan said in a podcast interview, they “were very careful.”

Security research is all built upon trust, and the folks involved in this disclosure process proved themselves worthy of ours.

Dan references our very own Joe Stewart’s 2002 work on DNS cache poisoning attacks as helping to form a basis for this new work.

For the less technically inclined, Rich Mogull’s “Executive Overview” does a good job at explaining what all the fuss is about. Otherwise, I’d suggest you go right to the source, Dan’s post at DoxPara Research. And for good measure and referential completeness, US-CERT Vulnerability Note #VU800113 is right here.

It Can Happen to Anyone

Thursday, July 10th, 2008

Writing good antivirus software is hard. Just ask the developer at a major antivirus company who was infected with the Coreflood trojan on his personal computer for over a year. Perhaps he was just testing their product, but it seems odd to have allowed the trojan to capture some of his personal information. Fortunately the antivirus developer was not a domain administrator on the company’s network, so Coreflood didn’t spread to every other system in the Windows domain like it did at several other businesses, hospitals and government organizations.

[Image: Coreflood]

One might assume that by now the antivirus company employing the developer would detect the specific version of Coreflood that he was infected with on February 23, 2007. Sadly, they still do not. The reason probably stems from the overarching problem that all antivirus companies face, and Coreflood is as good an example as any. There have been dozens upon dozens of Coreflood variants over the last six years. Virus and trojan authors these days are in it for the money, and more infections equals more money. And fewer detections equals more infections. So constantly rebuilding the Coreflood trojan to evade detection is part of the bad guys’ business model. And it’s easy - programs that scramble a trojan’s code to avoid anti-virus detection are available everywhere and most of them are free. The antivirus industry is really fighting a losing battle - they have to invest as much effort in reverse-engineering executable packers as the whole of the criminal underground spends in writing them, and this translates into a lot of time spent (and profits lost), since it always takes longer to reverse-engineer something than it did to engineer it. Therefore it’s not surprising that AV detection rates for new variants of most malware are simply abysmal.

But while the packed Coreflood code might change weekly, it is interesting to note that the network traffic pattern that Coreflood uses when checking in with the controller has not changed substantially in the last two years! The intrusion (really extrusion) signatures we wrote for our clients back in 2006 are still effective at locating Coreflood infections today. It goes to show that fighting malware requires a multi-faceted approach: defenses against the infection vectors (exploits and social engineering), system-level protection, and extrusion detection to fill the gaps. Increasingly we are using our iSensor™ intrusion prevention platform to do just this. Every day our malware research department analyses a large number of malware samples in order to improve our clients’ security posture and prevent information leakage by botnets like Coreflood.

Of course, we’re not alone in recognizing extrusion detection as a key part of defense-in-depth. For example, the Emerging Threats project maintains sets of extrusion-detection rules for the open-source Snort IDS platform. Since Snort operates in detection (instead of prevention) mode, using it won’t stop data leakage or malicious commands from being downloaded by infected systems, but it can at least alert network administrators to infected workstations so that they can respond, and hopefully re-evaluate their defenses based on the frequency and types of infections occurring on their network.

At its core, the determination of malware versus non-malware with 100% certainty can only be accomplished by knowing the intent of the author, something that can’t always be divined by scanning the bits and bytes of the code. Thus, no product can ever provide a 100% solution against past, present and future malware infection. However, extrusion detection and prevention continue to be invaluable tools in today’s world, where botnets lurk in the shadows and siphon data from every corner of the network.

False Positives in the Legal System

Wednesday, July 2nd, 2008

Recently Lori Drew was charged with violating the Computer Fraud and Abuse Act for signing up for a MySpace account under a fake name. While the larger circumstances were quite shocking (and have been covered enough I don’t think I need to go into them), she was charged for nothing more than pretending to be someone else on the Internet. The indictment calls this a felony, under title 130 section (a) (2) (c) of the US Code, which criminalizes anyone who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer if the conduct involved an interstate or foreign communication.” The access to MySpace was unauthorized because using a fake name violated the terms of service. The information from a “protected computer” was the profiles of other MySpace users.

If this is found to be a valid interpretation of the law, it’s really quite frightening. If you violate the Terms of Service of a website, you can be charged with hacking. That’s an astounding concept. Does this mean that everyone who uses Bugmenot could be prosecuted? Also, this isn’t a minor crime, it’s a felony punishable by up to 5 years imprisonment per count. In Drew’s case she was charged with three counts for accessing MySpace on three different occasions.

This isn’t the first time that there’s been a controversial ruling based on these laws. Earlier this year David Ritz was fined over $50,000 in civil proceedings under a similar state statute in Sierra Corporate Design, Inc. v. David Ritz.

Ritz looked at DNS records in an attempt to get more information about a company he alleges was spamming. He used a zone transfer to retrieve all of the records on the Plaintiff’s DNS server. The judge found that “Ritz’s behavior in conducting a zone transfer was unauthorized within the meaning of the North Dakota Computer Crime Law.” The Plaintiff in the case argued that because a zone transfer was an obscure command, and because it was intended only for use by DNS administrators, it was unauthorized access, and that the information he obtained was not publicly available. This was found to be true even though the Plaintiff’s DNS server would happily hand out that information to whoever asked. I personally, as well as many other security and network professionals, consider this a legitimate use of a publicly available service. It may not be in the best interest of the plaintiff to make this information public, but that doesn’t mean that Ritz should incur legal liability for accessing (or using) it.

The problem is that there is no generally accepted definition of what unauthorized means in this context. Lawmakers either didn’t define the term or, if they did, used such sweeping language that the definition is plainly overbroad. One Kansas statute defined access as “to approach, instruct, communicate with, store data in, retrieve data from, or otherwise make use of any resources of a computer.” A judge rejected that definition, saying that if it was used, then “any unauthorized physical proximity to a computer could constitute a crime” and instead used the definition of access from Webster’s dictionary.

Such overarching language is also common in the terms of service used by ISPs and websites to define what is allowed to happen on their website or service. These documents are written by lawyers trying to shield their employers / clients from harm, not to set up a usable set of rules of conduct. As such they are routinely ignored by both service providers and visitors. Commonly they contain clauses that no reasonable person could expect to abide by. One example is a TOS that expects users to not “violate any local, state, federal, or non-U.S. law, order, or regulation.” In conjunction with the CFAA, wouldn’t this make violating any law from any country a violation of US law? Another clause which is commonly found in a TOS is to not include any content which is “threatening, abusive, defamatory, invasive of privacy or publicity rights, vulgar, obscene, profane or otherwise objectionable.” This type of clause seems to be intended to prohibit being mean on the Internet. The ironic thing is that it’s not uncommon to find a TOS which prohibits the majority of content on the web site, for example a celebrity gossip site forbidding the posting of sensitive information.

The discrepancy between the TOS and the actual use of a website has had negative consequences. In March, New Jersey Attorney General Anne Milgram subpoenaed the website juicycampus.com. Milgram felt that it was a possible violation of the Consumer Fraud Act for the website to disallow offensive content in its TOS, but to not actively remove offensive content. Juicycampus.com is a gossip site, which goes out of its way to solicit, well, juicy gossip about college life. The website uses slogans like “Always Anonymous. Always Juicy,” so it sure looks like the website is going out of its way to solicit offensive content. Why does it say that such content is disallowed in its TOS? In Ritz’s case one of the findings of law was that “Ritz has engaged in a variety of activities without authorization on the Internet. Those activities include … the compilation and publication of Whois lookups without authorization from Network Solutions.”

Whois data is intended to be used to identify the owners of a domain and communicate that information to others. However, the TOS reads: the “compilation, repackaging, dissemination or other use of this Data is expressly prohibited without the prior written consent of Network Solutions.” This portion of the TOS clearly contradicts the intended use of the data, so why is it there?

I think it’s because the lawyers who wrote it wanted the most leverage possible if and when they felt it necessary to take legal action against someone using the data in a way they didn’t like. Unfortunately, this overly restrictive TOS helped contribute to a $50,000 judgment against Ritz.

From my perspective, as someone who writes IPS signatures, these issues are the result of not paying enough attention to false positives. The dedication to preventing false positives in the American legal system can be seen from Benjamin Franklin’s rephrasing of Blackstone’s formulation: “that it is better [one hundred] guilty Persons should escape than that one innocent Person should suffer.” Defining what constitutes an unauthorized and criminal violation of a computer system is an extremely difficult task, but it is an important enough issue that it deserves an earnest effort. While legislatures may have the advantage that, unlike my IPS signatures, their laws are interpreted by judges, prosecutors and other people who are capable of exercising independent judgment, that’s no reason to write overly broad laws that criminalize the majority of Internet users. When those laws are so broad as to be unknowingly violated and unenforceable as written, judges should strike them down for vagueness. Website and ISP operators should also not write a TOS that they know will be violated by legitimate users of their site. It might be nice if there was a principle of contract law that invalidated Terms of Service which are so overbroad as to be meaningless. However, even if this is not the case, they should still do so, because words mean something and contracts and laws should as well.

Summercon in Atlanta this weekend

Wednesday, May 28th, 2008

I will be delivering a talk on PCI 6.6 and web application firewalls (WAFs) at Summercon this coming Saturday May 31st. If you are going to be in the Atlanta area this weekend, you really ought to come out and join the fun!

A New Year and a TCP Vulnerability

Friday, January 11th, 2008

It has been a little while since my last blog post. 2007 was a busy year, and if this month’s security update from Microsoft is any indication then 2008 is going to be just as interesting.

There are a few interesting things about this vulnerability from a technical perspective. Primarily, it’s a bug in the network stack of the operating system, and bugs like these are extremely rare in mature software. The file affected, tcpip.sys, is among the most analyzed 352 kilobytes ever coded. The bug has been written about in numerous blogs and whitepapers by now, so I won’t waste the time to repeat that here, but I’ll take the opportunity to plug one of my new favorite blogs, Microsoft Security Vulnerability Research and Defense. Their posts on this vulnerability are the first ones they’ve put out, but if they keep them coming out like this they’re going to be the first place I visit on Patch Tuesday. Microsoft has really turned around, from once being the “enemy” to many in the security field to now being an example for other vendors in the way they handle their entire development/patching programs.

While I’m plugging things, I’d also like to give a nod to the good people at Offensive Security for their Offensive Security Certified Professional certification. I had the opportunity to take the course late last year as part of our team’s continuing education goals, and I was very impressed with the quality of the materials and the staff. For a hands-on, practical approach to learning how your systems are being attacked by the bad guys, this course cannot be beat.

Hope 2008 keeps you all (and your systems) happy and healthy.
