Scammer tying in on disasters
We have seen them before: scum trying to make money off disasters in other people's lives, and an aircraft crash in Brazil is no different. It starts with a spammed campaign promoting a website; the website pushes visitors to click on tiny thumbnail images that lead to malware. Not cool.
The find is courtesy of Websense, who have an article about it.
Here is what the antivirus vendors think of the malware (virustotal):
File data:
size | 274462
md5 | fca50b317ac7648b65c80a2f08ede9ef
sha1 | bd85d52e616ab14bef3bfe42e9d44c0820d895cf

Scan result (vendor | engine version/signature date | result):
AntiVir | 7.2.0.22/20061003 | found [DR/Spy.Bancos.YT]
Authentium | 4.93.8/20061002 | found [W32/Banker.XCA]
Avast | 4.7.892.0/20061003 | found nothing
AVG | 386/20061003 | found nothing
BitDefender | 7.2/20061003 | found [Generic.Banker.VB.11DF9CB6]
CAT-QuickHeal | 8.00/20061003 | found nothing
ClamAV | devel-20060426/20061003 | found nothing
DrWeb | 4.33/20061003 | found [BackDoor.Generic.1437]
eTrust-InoculateIT | 23.73.11/20061002 | found nothing
eTrust-Vet | 30.3.3113/20061003 | found nothing
Ewido | 4.0/20061003 | found nothing
F-Prot | 3.16f/20061002 | found [security risk named W32/Banker.XCA]
F-Prot4 | 4.2.1.29/20061002 | found [W32/Banker.XCA]
Fortinet | 2.82.0.0/20061003 | found [Spy/Bancos]
Ikarus | 0.2.65.0/20061003 | found [Backdoor.Win32.Radmin.w]
Kaspersky | 4.0.2.24/20061003 | found [Trojan-Spy.Win32.Bancos.yt]
McAfee | 4865/20061003 | found nothing
Microsoft | 1.1603/20061003 | found nothing
NOD32v2 | 1.1787/20061003 | found [probably a variant of Win32/Spy.Bancos.U]
Norman | 5.80.02/20061003 | found [Bancos.KVY]
Panda | 9.0.0.4/20061003 | found nothing
Sophos | 4.10.0/20061003 | found nothing
Symantec | 8.0/20061003 | found nothing
TheHacker | 6.0.1.090/20061003 | found [Trojan/Spy.KeyLogger.bp]
UNA | 1.83/20061003 | found nothing
VBA32 | 3.11.1/20061003 | found [Trojan-Spy.Win32.Bancos.yt]
VirusBuster | 4.3.7:9/20061003 | found nothing
IOW: a bank-aware keylogging piece of malware that is not detected by some of the big-name vendors.
The important lesson is not to click on links in email or IM, or to let yourself be socially engineered in any other way into doing things you don't want to do. That lesson, however, needs to be applied not just on the receiving end, by not following links we are given, but also on the sending end, by not offering friendly links to our friends.
e.g.:
- NOT: pointing to http://news.bbc.co.uk/1/hi/world/americas/5401846.stm
- BUT instead: tell them to go to the BBC and search for 'brazil aircrash'.
Swa Frantzen -- Section 66
Firefox ...
Firefox seems to have its share of followers, just like the Mac community. I'm actually using both while typing this, so don't get on my case too much. Their supporters seem to react strongly when vulnerabilities are exposed at hacker venues. While fascinating from a social perspective, let's look at what we do know:
Over the weekend a conference called ToorCon was held in San Diego, and one of the presentations, by Mischa Spiegelmock and Andrew Wbeelsoi, was (among other things?) about Firefox security.
None of us handlers had at that point seen the presentation(*) itself or the interaction with a Mozilla staffer, but we did see the Mozilla developers react to it as if it were real (as they should), and we reported briefly on it ourselves. So there was something, but none of us knew exactly what or how, and the threat of more exploits up their sleeve wasn't going to give anyone a comfortable feeling any time soon.
Today numerous readers pointed us towards more news from Mozilla. While it seems to debunk the whole situation somewhat, do reread this one before calling it a hoax. There is a DoS in there, and those have shown in the past the nasty habit of sometimes turning around and biting you with code execution (like the setslice thing did for MSIE).
All in all the whole thing obviously was hilarious to present and attend (see the video above), but it still leaves the rest of us with a foul taste.
(*): In a twisted way, you need JavaScript enabled and have to sit through the commercial before you can see it.
--
Swa Frantzen -- Section 66
Detecting attacks against servers
We all hear of servers getting hit on one of their exposed interfaces and then being used in phishing attacks, spreading malware, feeding warez and basically supporting all the other things the bad guys out there do.
But how can you detect it with little to no fancy means?
Flows are a neat source of information. Basically it's the routers you already have telling you what IP address talked to what other IP address, on what port, during a relatively short interval. Now, collecting flows from a high-end router is no small feat, so you will need storage and processing resources, but if you can do it, it allows for insights into traffic patterns on a large scale.
E.g. discovering machines scanning for SSH (port tcp/22) and next starting to talk on port tcp/4000 to some of those scanned machines is a sign of something spreading to the next server. If those already affected IP addresses are also relatively high bandwidth and owned by companies that sound like they are in the hosting business, the impact of each and every one of these machines getting owned is not insignificant. A shared hosting server can service many hundreds of domain names, and each one of those might be serving the newest 0-day exploit to its visitors.
So keep applications such as OpenSSL and OpenSSH patched on your servers; they are being scanned for.
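The "scan on tcp/22, then talk on tcp/4000 to the scanned hosts" pattern described above can be pulled out of flow records with very little tooling. The following is an added example and not anything from the diary or any netflow product: it assumes a simplified, constructed record format of "timestamp source destination protocol destination-port" (real exporters differ), constructed IP addresses, and an arbitrary threshold of five distinct scanned hosts before a source counts as a scanner.

```python
"""Spot "scan for SSH, then talk on tcp/4000" sequences in flow records.

Added example, not the diary's own tooling. The record format, the sample
addresses and the scan threshold below are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample records. The line format "<ts> <src> <dst> <proto> <dport>"
# is an assumption for this example, not any real flow exporter's output.
# 10.0.0.5 probes seven hosts on tcp/22, then opens tcp/4000 to two of them;
# 10.0.0.9 is an admin who ssh'd to one box and then used port 4000 on it.
SAMPLE_FLOW_LINES = """\
100 10.0.0.5 198.51.100.1 tcp 22
101 10.0.0.5 198.51.100.2 tcp 22
102 10.0.0.5 198.51.100.3 tcp 22
103 10.0.0.5 198.51.100.4 tcp 22
104 10.0.0.5 198.51.100.5 tcp 22
105 10.0.0.5 198.51.100.6 tcp 22
106 10.0.0.5 198.51.100.7 tcp 22
120 10.0.0.9 198.51.100.2 tcp 22
150 10.0.0.9 198.51.100.2 tcp 4000
180 10.0.0.5 203.0.113.9 tcp 4000
200 10.0.0.5 198.51.100.3 tcp 4000
201 10.0.0.5 198.51.100.7 tcp 4000
"""

SCAN_PORT = 22        # the port the diary says is being scanned for
FOLLOWUP_PORT = 4000  # the port the diary says spreaders then talk on
SCAN_THRESHOLD = 5    # assumed: distinct hosts probed on SCAN_PORT before a source counts as scanning


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    proto: str
    dport: int


def parse_flows(text: str) -> List[Flow]:
    """Parse the constructed whitespace-separated format into Flow records."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append(Flow(int(ts), src, dst, proto.lower(), int(dport)))
    return flows


def find_spreaders(flows: Iterable[Flow],
                   scan_port: int = SCAN_PORT,
                   followup_port: int = FOLLOWUP_PORT,
                   threshold: int = SCAN_THRESHOLD) -> List[Tuple[str, str, int]]:
    """Return (scanner, victim, ts) for every connection on followup_port whose
    source earlier touched at least `threshold` distinct hosts on scan_port and
    whose destination is one of those scanned hosts.

    Records are walked in timestamp order, so a scan is only ever matched with a
    follow-up connection that came after it.
    """
    scanned: Dict[str, Set[str]] = defaultdict(set)  # src -> hosts it probed on scan_port
    hits: List[Tuple[str, str, int]] = []
    for f in sorted(flows, key=lambda f: f.ts):
        if f.proto != "tcp":
            continue
        if f.dport == scan_port:
            scanned[f.src].add(f.dst)
        elif f.dport == followup_port:
            targets = scanned.get(f.src, set())
            if len(targets) >= threshold and f.dst in targets:
                hits.append((f.src, f.dst, f.ts))
    return hits


def summarize(hits: Iterable[Tuple[str, str, int]]) -> Dict[str, List[Tuple[int, str]]]:
    """Group hits by scanning source so each spreading host gets one report entry."""
    by_src: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for src, dst, ts in hits:
        by_src[src].append((ts, dst))
    return {src: sorted(victims) for src, victims in by_src.items()}


if __name__ == "__main__":
    report = summarize(find_spreaders(parse_flows(SAMPLE_FLOW_LINES)))
    for src, victims in report.items():
        print(f"{src} scanned tcp/{SCAN_PORT} and then opened tcp/{FOLLOWUP_PORT} to:")
        for ts, dst in victims:
            print(f"  {dst} at t={ts}")
```

The threshold is what keeps the admin host out of the report: a single prior SSH session followed by port 4000 traffic to the same box is ordinary, whereas the same sequence after sweeping many hosts on tcp/22 is the spreading signature the diary describes. Lowering the threshold to one would flag the admin as well, which is the trade-off to tune against your own traffic.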
Update: Andrew provided a pointer to a list of netflow tools.
--Swa Frantzen -- Section 66