Bits and Bytes

Did you know that you can search VirusTotal? You don’t have to submit a file, but you can search for the report of a file has been submitted before. You use a cryptographic hash (MD5, SHA1, SHA256) to identify the file.

There are several tools to submit a batch of files to VirusTotal, but I didn’t find any that just searches VirusTotal for a list of search terms via VirusTotal’s API.

Thus I wrote my own Python program. It accepts a file with a list of hashes, and produces a CSV file with the result. Here is an example displayed with InteractiveSieve:

To get this program working, you need to get a VirusTotal API key and add it to this program. You need a VirusTotal account to get your API key.

And my program respects VirusTotal’s rate limitation (4 requests per minute), I don’t want it to DoS VirusTotal.

virustotal-search_V0_0_1.zip (https)
MD5: 0F3A1E18C79DFDB143CCC2F860E2C4B2
SHA256: BD213BBC55A9048DBB7B890209E2831EF81049B45ABE9091E01F0692F4F23283

Busy day today. Chores to do inside the house and out. And links galore spilling out of my Firefox sidebar, ripe for posting.

Critical Updates

• Adobe: Critical security holes in Shockwave, Photoshop, Illustrator – ZDNet ZeroDay blog
• Adobe – Security Bulletins: APSB12-13 -Security update available for Adobe Shockwave Player.
• Adobe – Web Players – Links to download Adobe Flash Player and Adobe Shockwave.
• QuickTime for Windows update plugs security holes – The H Security: News and Features – And then when you are done with Adobe, go grab the latest QuickTime player update.

New Place to Report Fake Tech Support Scam Calls

As if the usual bane of telemarketers isn’t enough to wade through almost every day and night, now we are seeing a renewed push of the fake-tech-support calls. Enterprise IT shops are even having to now send notices across their employee-base to remind them that they haven’t been outsourced to these callers and that employees should always make sure they are talking to the right IT guys and gals. Some places are event starting to black-list some of these third-party remote control sites to clamp-down the borders against these calls.

Troy Hunt has a series of great posts that tell you just about everything you need to know about these scams. I’ve posted them before but Troy’s writings are so good, they need another mention.

• Anatomy of a virus call centre scam – Troy Hunt’s blog
• Scamming the scammers – catching the virus call centre scammers red-handed - Troy Hunt’s blog
• “Type www.” – “Ok, w-w-w-d-o-t”; antagonising call centre scammers – Troy Hunt’s blog

The guys and gals over at SANS have gotten into the game as well.

• Who’s tracking phone calls that target your computer? Stay Tuned to the ISC – ISC Diary

They have opened up two (same) locations for you to report any fake-tech-support calls you may get for intel-gathering purposes. Knowledge is power!

• (Red Theme) – Report Fake Tech Support Calls – SANS Internet Storm Center; Cooperative Network Security Community
• (Green Theme) – Report Fake Tech Support Calls – DShield; Cooperative Network Security Community

For the SysAdmins in the Audience

Kyle Beckman has written an outstanding series of posts at 4Sysops blog on folder redirection in Windows. Definitely worth taking some notes from.

• Folder Redirection – Part 1: Introduction – 4sysops
• Folder Redirection – Part 2: Setting up your file server – 4sysops
• Folder Redirection – Part 3: Explanation of folder permissions – 4sysops
• Folder Redirection – Part 4: Group Policy configuration – 4sysops
• Folder Redirection – Part 5: Best practices – 4sysops

In other news…

FREE: Veeam ONE Free Edition – Real-time Hyper-V and VMware monitoring – 4sysops

“Could not reconnect all network drives” – TinyApps.Org. Great tip and trick for delaying (slightly) the mapping of network drives until the network is fully available after login.

Windows Error Lookup Tool Portable 3.0.4 (get details on Windows error codes) Released – PortableApps.com

Batch-Convert XLSX To XLS Without MS Excel Or An Online Converter – New tool reviewed by AddictiveTips.  Get the tool here from the author.

Jarfix – free tool to fix broken “jar” file associations in Windows.  I needed this after the last Java Runtime update I applied to my system. After installation, I could no longer run the Java-based Software Protection Initiative – Encryption Wizard tool as I had before. I tried several times to update the file-associations but no dice. Then I found this tool, and once executed…problem solved!

Likewise, a few months ago I had re-installed Google Earth but for some reason, lost all indications on how to launch it…no icon on the desktop. None in my “Start” list. Nada. Uninstalled/reinstalled. Still the launcher icon was no-where to be found.  Finally found this link: Google Earth icon has disappeared from my PC : Fix my problem – Google Earth Help  Downloaded the Google Earth Icon Restorer and ran it. Again, problem solved!

Mirekusoft Install Monitor -freeware Installation management software. (Note site down at time of posting) – I have a number of system change monitor/detectors I rely on to monitor how and where a software install impacts a system. Each one takes slightly different approaches. So I read with interest about this new installation monitor/logger. It runs as a service so it catches all installations and documents where in the file-system and registry the bits go. Drawbacks? Maybe a bit unstable and if a program was already installed prior to installing this tool, it doesn’t well-catch the updated installation bits. All that said, it might be worth looking into…particularly in a lab/test-bench setting where you need to document where install bits go before deploying them.  See this CSArchive.Net Mirekusoft Install Monitor post for some screenshots while the main site is down. Alternative programs to consider: Total Uninstaller by martau.com (free-trial/$) or Revo Uninstaller Freeware.

Leelu Soft: Watch 4 Folder 2.3 and Track Folder Changes are two other utilities you may want to check out.

I’m not sure why I’m on this theme this week, but the freeware app GeekUninstaller came to my attention this week also. Free and available in both installable and portable versions, helps remove installed applications.  For a few more details and screen-caps, see this AddictiveTIps post: Geek Uninstaller Lets You Completely Wipe Off Any Application From PC

VMware Workstation Player 4.0.3 released / Workstation 8.0.3 – Born and Windows IT Blog – My own recent experience using VMWare Player 4.0.3 for a Win 8 CP run was outstanding. Definitely worth getting these updated bits. VMware Player 4.0

Group Policy Central – new blog to me about Group Policy topics, including some Win 8 items and findings. Doesn’t appear to be updated quite as frequently as I would like, but since it is new, I’ll probably find more than enough material here to keep me busy until the next post comes out.

Network Nuggets of Gold!

NetBScanner – New tool from NirSoft – NetBIOS scanner. Provide a IP range and get IP addresses, WS Names, Workgroup membership as well as MAC address. Super nice GUI. Add this right now to your network toolbox!  Reminds me of the CLI tools (work good for me) NBTScan and the similarly named nbtscan. More info on NetBScanner at this AddictiveTips review. 

wpic v1.0.0 – woanware – A “simple console web page capture tool based on Chromium project that captures an entire web-page. Reminded me of IECapt which is an IE based web-page capture tool that I use daily for some data archiving.

NETRESEC CapLoader – Not free – interesting tool to process large network PCAP files and filter flows of interest. See this CapLoader Demo – YouTube for more info.

Curiously, there was this related post The Adventures of Packet Tracy, PI over at wirewatcher blog on parsing down large PCAP sets for URLs of interest.

HolisticInfoSec: toolsmith: Buster Sandbox Anayzer – Detailed information and walkthrough regarding a new release of Buster Sandbox Analyzer back in April.

In a GSD post On the Hunt… I detailed a quite involved process in hunting down/validating network connections and mapping them to specific switch ports. Over at LoveMyTool blog, Tony Fortunato posted a short video on how to find out which switch port the client is connected to. Pretty standard stuff.  However, I’m always putting a sharp eye on these just in case I find a new or better technique. And I did! For whatever reason (Cisco IOS updates?) we’ve seriously lost our ability to search for MAC addresses in the Cisco Network Assistant product. We are not alone as others are encountering issues as well. Anyway, we have some workarounds in the GUI but they are a bit time intensive looking through many, many switch port connections.  So like Tony, I find it (generally) faster to just telnet to each switch, run a “show mac address-table” and list the MAC/Port associations and look for the target MAC. On 48-port switches, that is a lot of searching. Tony’s video taught me the following trick; “show mac address-table |include <mac address>”  Including the pipe-include lets me pop just the single MAC I want. Sweet!

More here: Cisco IOS “include” filter.  And for the full list of powerful Cisco CLI options, check out this Cisco IOS Terminal Services Configuration Guide, Release 12.2 – Regular Expressions  [Cisco IOS Software Releases 12.2 Mainline] at Cisco Systems . Note your Cisco IOS version may render some of these commands a bit different, if supported at all. You probably also want to tuck away this Regular Expressions (PDF) for reference as well.

Finally, over at Anything About IT blog, Alex Verboon posted this Script for finding Executables that are command-line programs via a free utility IsCommandLineApp by Helge Klein. Might be useful in incident-response.

For the ForSec crewmates

In my recent Forensically Sound: Quick Post #3 I posted a number of links touching on early forensic surveys of Windows 8 “release” builds. I warned that none of these observations are 100% guaranteed to be present and accounted for in the final baked version, but they are good starting points. Troy Larson wisely commented on that post “Regarding Windows 8 forensics: I would be careful of relying too much on the public preview versions for detailed forensic analysis. Offsets and formats can still change.” Noted! So with Troy’s perspective firmly fixed in mind, here are a few more links touching on early (very early) Win 8 forensic notes and observations.

• Windows 8 Forensics Part 3 -Post by Ethan Fleisher on file history saving.
• Digital Forensics Stream: Windows 8 TypedURLsTime by Jason Hale at the Digital Forensics Stream blog
• Random Thoughts of Forensics: Windows 8 – Refresh Excerpt – Random Thoughts of Forensics – Kenneth Johnson touches on “Windows 8 Refresh points” impact as well as “System Recovery”

Portable Agents to QuickScans: Tips on Using the Latest Version of Redline – Mandiant M-unition blog

SANS DFIR Wall Poster Preview – SANS

File Formats ZOO – Hexacorn blog – file sector header information for common file formats.

File Formats ZOO – Installers – Hexacorn blog – likewise for software installer files.

The Curious Case of the Forensic Artifact – Hexacorn blog – in which the process of solving a curiosity is illuminated.

RegRipper: Update, Road Map, How not to get p0wned by RR v2.5, and Approximating Program Execution via VSC Analysis with RegRipper – Windows Incident Response blog — my o my how RegRipper has grown!

More About Volume Shadow Copies – Journey Into Incident Response:  Corey Harrell dishes more on VSCs.

Related…VSC Toolset Update: Browsing Shadow Copies – Digital Forensics Stream post by Jason Hale with interesting comment thread follow up.

TypedURLs (Part 1) and TypedURLs (Part 2) – Crucial Security Forensics Blog posts by Paul Nichols.

Addressing Malware Issues from an Operational Perspective – Crucial Security Forensics Blog post by Michael Robinson. Great quick read on malware in the organization and changes that may be needed in operations.

Resurrecting “Dead” Images for Live Analysis – Crucial Security Forensics Blog post by Mark A. Wade.

Old Servers never die – unfortunately – Forensics from the sausage factory. Great “how-to” tips and results on imaging a server/system over the network, when you must…

Digital Forensics with Open Source Tools (Amazon link) – New book by Cory Altheide, Harlan Carvey. It’s a book after my own heart! Open Source/freeware (closed-source) tools for for/secs.

Windows Live Messenger – MessengerCache folder  Forensics from the sausage factory. This post was very interesting as it took a fresh look at what may be a commonly used application on some Windows systems.

“You Can’t See Me”…(my bad…I guess you can…)

A recent round of migrating users into a new AD domain (and some folder rcopy/redirection work on the side) has left a few users with missing data post-migration. I have tons and tons of tools to recover deleted data from a drive. The sysadmin I was working with reached for a new one to me in our troubleshooting work together, FreeUndelete over at OfficeRecovery.com. Did the job nicely and the customer had their files restored in no time. I offered my own recommendations in thank-you. In doing so I spotted that Kickass Undelete recently got bumped up to 1.3 beta version. Others I like include Recuva. I also learned (via this AddictiveTips blog post) about Orion File Recover Software Free. I also saw this review at AddictiveTips blog for Wise Data Recovery freeware software. For even more tools, check out this GSD post File Recovery Extravaganza.

PhotoGrok / Java

PhotoGrok: EXIF-Based Image & File Viewer With Metadata Filters – AddictiveTips blog. I have more than enough EXIF-data/File-Viewer apps than I really need, but I’m a sucker for a new utility so I went ahead and downloaded the PhotoGrok tool and was quite pleased with the effort. It’s a nice tool. However, when I went to try to uninstall it, it wasn’t listed in my Add/Remove program (errr, make that Programs and Features) list. Nor could I find a link to an uninstaller in my program file list.

Checking the desktop shortcut target location led me to

“C:\Windows\SysWOW64\javaws.exe -localfile -J-Djnlp.application.href=http://www.haplessgenius.com/photogrok/launch.jnlp “C:\Users\profilename\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\3b46d1a5-79989755″”

Now how do we uninstall this?  Unfortunately, the otherwise well-written FAQ didn’t seem to spell out the method. Yikes. Time for some deeper digging.

Turns out PhotoGrok is a Java WebStart application.

To remove you can follow the principle outlined in this post: How to Clear the Java Web Start Cache as explained by a different software vendor. This post Clearing the Java WebStart Cache by NGS has some better screen-captures (although they may be outdated a bit if you have a more recent Java build on your system…it should work well enough to get you what you need to know). Still not sure? See this final set of screen-caps for a newer Java build: Java Web Start 1.6 beta2 Review courtesy of UCWare.com.

See, no need to panic! Easy-peasy if you want to strike it from your system.

Reset that Windows Password! (or crack it with a new release of Ophcrack…)

So last week–a tech was having some issues having a pushed application install on their system. Turns out their domain account didn’t have admin group membership and was causing the bomb-out. No problem, let’s just add you to the…hmm…for some reason all the admin account passwords are different from our standard and the “fail-safe” account is disabled. Oh snap. I hear the drumbeats of a system reload! Can you say “too-bad, doo-dad?”

Luckily, I had a backup plan.  Booted the system in my custom WinPE, used the embedded tools to off-line authenticate to the whole-disk encrypted system drive, then used NTPWEdit 0.3 to update the Admin password accordingly. Reboot. On the local system admin account now, added tech to the admin group. enabled the disabled account, good to go.

See also Password Renew at sala source (which I understand doesn’t play well under WinPE).

Related: DistroWatch.com: Ophcrack LiveCD updated May 15th. More news about this build here: Distribution Release: Ophcrack LiveCD 3.4.0

“This new live CD includes the latest version of ophcrack 3.4.0. It is built on Slitaz GNU/Linux 4.0, the latest version of this great live CD. Christophe Lincoln from Slitaz helped us to enhance the scripts for partitions and tables detection. A new ncurses interface is also available to help users look for tables on other drives or interact with ophcrack. Finally a live CD without tables has been released as well for users that already downloaded or bought tables. The directory containing the table files must be placed inside another directory called tables in order for ophcrack to find them automatically.”

More Ophcrack release news here: news page

Now where’s my mop?

Cheers!

–Claus V.

cc image credit image by Víctor Espinoza on flickr

Last weekend I finally got around to installing the latest Windows 8 Consumer Preview version (x32 flavor) in a virtual machine.

Overall the process went very smooth, however for some reason I never could get the latest version of VBox Additions installed in it.  Everything seemed to go OK but eventually it appears the associated PnP drivers would fail installation and it would roll back. Yes, I was installing them in “Windows 7” compatibility mode. Yes, I tried installing them in safe-mode. Yes, I even tried unpacking the virtual additions exe and manually installed the drivers in “legacy mode” via the hardware and devices module. No dice.  I don’t recall having any problems under the Developer’s Version of Win8.

All that said, I do have a fully working version of Win 8 CP now and I’m getting more familiar with navigating around in it. It is not quite fully intuitive yet swapping around between the “Metro” interface and the desktop and the different “tile” applications.  However I’m getting a bit better at it. Practice makes perfect.

I’m keeping the topic heading structure from the last post. Seems to break things down logically and well and makes managing my to-be-blogged pile for Windows 8 much easier to handle.

Windows 8 “Release Preview” Version – Coming Soon

• NEWS: Windows 8 Release Preview slated for June 2012 – Kurt Shintaku’s Blog

Windows 8 – Related Betas

• Windows Server 2012 release candidate coming in June – BetaNews blog

Windows 8 – Install It

As I mentioned in the opening, I ran into some issues attempting to get the latest VirtualBox additions working in Windows 8 Consumer Preview version. Here is some related linkage I ran down in the troubleshooting/recovery process. (I got much more familiar with getting the system to start in safe/recovery mode that I had planned!)

• Downloads – Oracle VM VirtualBox
• Index of /virtualbox/ – Because sometimes I want to view the download index.
• virtualbox.org • View topic – Problem installing GA – Poor forum user “aaaaagh.” I totally get it!  My install kept bombing out at the “(3) ERROR: 2 – RETURN UpdateDriverForPlugAndPlayDevices.” section line. Usually screwed up the video as well requiring a repair/recovery via safe-mode to get things going again.
• How To Boot Into Safe Mode On Windows 8 (The Easy Way) – How-To Geek
• Windows 8 Virtual Box – [H]ard|Forum

Next up…trying to install Windows 8 in VMware Player.  I’ve heard good performance can be had in this system.  May try the Win 8 CP x64 flavor this time for a bit of contrast to my x32 version in VirtualBox

• Windows 8 on VMware Player – This ‘n That blog
• VMware Player – Install Windows 8 Consumer Preview – Windows 8 Forums
• How to add the “Virtual Network Editor” to VMware Player – Windows 8 Forums
• Solved Windows 8 under VMWare Player : better graphics performance possible? – Windows 8 Forums
• A Tip on increasing Graphics VRAM in a VMWare WM – Windows 7 Forums

Post Update – The night of this post I went ahead and did install Windows 8 CP in VMWare Player. I ended up just loading a fresh install of x32 bits as I got a bad SHA1 hash match after the first download of x64 ISO attempt. I didn’t feel like burning into my monthly ISP bandwidth quota sucking down another attempt.  I’ll save the x64 for the “Release Preview” version next month. The setup was easy-peasy on VMWare using the WIndows 8 Forums walkthrough post linked above. I had NO issues installing the VMWare Tools pack once I had the OS running. Win 8 performance in VMWare was simply amazing in comparison to the VirtualBox load. Both are set to two processors, both are set to 2 GB system RAM, the only real “difference” is that the VirtualBox graphics is set to 256 MB while the VMWare is using 896 MB. I’m not certain if that alone is enough to describe the difference in feeling between them. I do know that I feel much more positive in how the Win 8 OS responds and operates in VMWare. I’m a Microsoft Virtual PC guy, followed by VirtualBox–primarily for Linux builds. That said, while I have used VMWare Player before, it was mostly just using VMWare pre-built system packages I had downloaded. Based on my new experience with VMWare Player and Windows 8, I’m going to seriously have to consider which platform I want to use next virtualized system I need to build. This is in line with the a previous Win8 linkpost comment left by “Anonymous” last month also touting the surprising performance difference in VMWare over VirtualBox. I can now independently confirm that tippage.  VMWare Player + Windows 8 previews–highly Valca recommended!

Other bits…

• Windows 8 Web setup, how can I delete it?
• Saturday morning ramblings with Windows 8 Hyper-V and Sun VirtualBox – Anything about IT
• How to Upgrade Windows 8 Consumer Preview from Developer Preview – Windows7hacker
• How to install Windows 8 Developer Preview in VirtualBox – 4sysops

Product Key:   DNJXJ-7XBW8-2378T-X22TX-BKG7J

Windows 8 – Under the Hood Stuff

Quite a few new articles on new features and functions in Windows 8.

• Windows Services, what changed from Windows 7 to Windows 8 – Anything about IT
• New Group Policy Settings in Windows 8 Consumer Preview – Anything about IT
• Windows 8 – File History Feature replaces “Previous Versions” and Backup and Restore -Anything about IT
• Accessing data in ISO and VHD files – Building Windows 8
• Making Windows Media Center available in Windows 8 – Building Windows 8
• FAQ – DVD playback and Windows Media Center in Windows 8 – Building Windows 8
• Refresh and reset your PC – Building Windows 8

Windows 8 – To Go

Windows “To Go” is basically a feature in Windows 8 that allows it to run “full OS” from a supported USB storage device like a flash drive or external hard-disk drive. Here’s new news on the topic.

• Windows 8 To Go problems with USB flash drives – I – Born and Windows IT Blog (GTranslated)
• Windows 8 To Go USB stick problems – II – Born and Windows IT Blog (GTranslated)

Windows 8 – Tweakages

Even more tweaking tips these past few weeks!

• Windows 8 Forums – New forum site for all things Windows 8
• Windows 8: CD-DVD Repair Icon – Born and Windows IT Blog (GTranslated)
• Change Windows 8 Explorer Ribbon Icons with Ribbon Icons Customizer – The Windows Club
• How to remove the system reserved partition – Anything about IT
• Windows 8: Clear Documents Shortcuts & Jump List items At Log Off – AddictiveTips
• How To Turn Off Windows Store In Windows 8 – AddictiveTips
• 5 Freeware to add Start Menu or Start Button to Windows 8 – The Windows Club

Windows 8 – Deeper Insights

• Announcing the Windows 8 Editions – WindowsTeam blog
• Windows 8 Forensic Overview – Random Thoughts of Forensics blog
• Redesigning chkdsk and the new NTFS health model – Building Windows 8
• Windows Server 2012 Remote Desktop Services (RDS) – Windows Server Blog

Windows 8 – Usage Tips

• Windows 8 – AutoPlay Configuration – Anything about IT
• Windows 8 – Closing Metro Style Apps – Anything about IT

Windows 8 – Miscellanea & Rumor Mongering

The first link is almost a manifesto on the new “Metro” interface. Probably will take most folks a long time read-though and may need several passes to fully digest. Gotta hand it to Microsoft, they’ve committed to the new interface…like-it-or-not.

I figured it’s a great starting point and provides a fair context for the follow-on links that consider that new Windows 8 GUI. I’m still not sold, but I’m going take an “okra” approach. I like okra but it took me a long time getting to that point. Now I can’t imagine not having it in my gumbo or fried on the side along with catfish fillets. I really like the under-the-hood improvements I have read so far that are being served up in Windows 8. So it seems that to get them, I’m going to have to learn to tolerate the slime-factor as I prepare/tweak/bend Windows 8 to my own enjoyment.

• Creating the Windows 8 user experience – Building Windows 8
• Windows 8: Does Metro actually work? – ZDNet’s Mary-Jo Foley “All About Microsoft” page dishes it up.
• Windows 8 on the desktop—an awkward hybrid – ArsTechnica Technology lab review
• As Metro debate smolders, will it burst into flames and consume Windows 8? – BetaNews
• DVD, Blu-ray playback won’t be built in to Windows 8 – Chron.com’s TechBlog
• Windows 8 the Comeback of 3rd Party DVD Player Software? – Anything about IT

Windows 8 – GSD Previously Posted

• Windows 8 Linkage: “Majestic Metro” version – GrandStreamDreams blog
• Windows 8 Linkage: “Passage Public Metro” version - GrandStreamDreams blog

Cheers.

–Claus V.

Welcome to the Digital Forensic Case Leads. A Volume Shadow Copies toolset updated with a new great ability, Malware binary files analysis became easier, Media and Mobile forensics analysis,is your cloud data secure? Data killers, a man stab his computer!? Mobile phones cyberthieves, i-robot film in reality? All that and more, this week on Case LeadsIf you have an item you’d like to contribute toDigital Forensics CaseLeads, please send it to caseleads@sans.org.Tools: VSC toolset A.K.A Volume Shadow Copies toolset updated, and one of the biggest change incorporates the ability to browse shadow copies using an Explorer-like interface! That’s a great feature to ease forensicators tasks Anubis is a web application/service for analyzing malware. Submit your Windows executable and receive …

Check it on on SpiderLabs Anterior!

http://blog.spiderlabs.com/

Check it on on SpiderLabs Anterior!

http://blog.spiderlabs.com/

Post [9] Apple Filing Protocol (AFP)

The Apple Filing Protocol (AFP) is a network protocol that offers file services for Mac OS X and original Mac OS. In Mac OS X, AFP is one of several file services supported including Server Message Block (SMB), Network File System (NFS), File Transfer Protocol (FTP), and WebDAV.

http://en.wikipedia.org/wiki/Apple_Filing_Protocol

Lives on TCP port 548

LOW?

What can I do with it?

• Read access to files/folders (always fun)
• Write access (sometimes)

The data breach at Atlanta-based credit and debit card processor Global Payments just keeps getting bigger. Earlier this month, I reported that Visa and MasterCard were alerting banks that the breach extended back to June 2011. Now it appears the breach jeopardized cards processed by Global as far back as January 2011.

The latest disclosure, detailed in a story at BankInfoSecurity.com, now aligns with the timeline outlined by anonymous hackers who reached out to me after I broke the story on this breach back at the end of March. Global has disclosed relatively little about the breach, and has sought to downplay the severity of it. Initial reports suggested that more than 10 million card accounts were compromised in the breach, yet Global insists fewer than 1.5 million were taken. Recent reports by The Wall Street Journal put that figure closer to 7 million stolen card accounts.

Shortly after the breach, Global executives were complaining about “rumor and innuendo” in press reports about the incident. I borrowed that quote for the title of a follow-up blog post, which included claims from a hacker who told me he was reaching out because he felt Global was hiding the true extent of the breach. He told me that he was part of a group that had been inside of Global since just after the new year in 2011. From that story:

The hacker said the company’s network was under full criminal control from that time until March 26, 2012. “The data and quantities that was gathered [was] much more than they writed [sic]. They finished End2End encryption, but E2E not a full solution; it only defend [sic] from outside threats.” He went on to claim that hackers had been capturing data from the company’s network for the past 13 months — collecting the data monthly — gathering data on a total of 24 million unique transactions before they were shut out.

Global has refused to comment further on the incident, referring people to a Web site with a series of Q&As for various parties potentially impacted by the breach. I guess only time will tell whether the hackers were right about the number of compromised transactions as well.

Facebook is attempting to nip in the bud a new social networking worm that spreads via an application built to run seamlessly as a plugin across multiple browsers and operating systems. In an odd twist, the author of the program is doing little to hide his identity, and claims that his “users” actually gain a security benefit from installing the software.

At issue is a program that the author calls “LilyJade,” a browser plugin that uses Crossrider, an emerging programming framework designed to simplify the process of writing plugins that will run on Google Chrome, Internet Explorer, and Mozilla Firefox.  The plugin spreads by posting a link to a video on a user’s Facebook wall, and friends who follow the link are told they need to accept the installation of the plugin in order to view the video. Users who install LilyJade will have their accounts modified to periodically post links that help pimp the program.

The goal of LilyJade is to substitute code that specifies who should get paid when users click on ads that run on top Internet properties, such as Facebook.com, Yahoo.com, Youtube.com, Bing.com, Google.com and MSN.com. In short, the plugin allows customers to swap in their own ads on virtually any site that users visit.

I first read about LilyJade in an analysis published earlier this month by Russian security firm Kaspersky Labs, and quickly recognized the background from the screenshot included in that writeup as belonging to user from hackforums.net. This is a relatively open online hacking community that is often derided by more elite and established underground forums because it has more than its share of adolescent, novice hackers (a.k.a. “script kiddies”) who are eager to break onto the scene, impress peers, and make money.

It turns out that the Hackforums user who is selling this plugin is doing so openly using his real name. Phoenix, Ariz. based hacker Dru Mundorff sells the LilyJade plugin for $1,000 to fellow Hackforums members. Mundorff, 29, says he isn’t worried about the legalities of his offering; he’s even had his attorney sign off on the terms of service that each user is required to agree to before installing it.

“We’re not forcing any users to be bypassed, exploited or anything like that,” Mundorff said in a phone interview.  “At that point, if they do agree, it will allow us to make posts on their wall through our system.”

Mundorff claims his software is actually a benefit to Facebook and the Internet community at large because it is designed to also remove infections from some of the more popular bot and Trojan programs currently for sale on Hackforums, including Darkcomet, Cybergate, Blackshades and Andromeda (the latter being a competitor to the password-stealing ZeuS Trojan that hides behind Facebook comments). Mundorff maintains that his plugin will result in a positive experience for the average Facebook user, although he acknowledges that customers who purchase LilyJade can modify at will the link that “users” are forced to spread, and may at any time swap in links to malware or exploit sites.

A LilyJade administrative panel

Dozens of customers who bought or trialed LilyJade posted statistics to Hackforums that purport to show the plugin spreading virally to tens of thousands of users per day. According to Mundorff, customers who use the system can expect to make about 50 cents per hour for every 100 users who install the plugin.

It’s impossible to verify those numbers or to say exactly how many Facebook users have installed this browser plugin. But the plugin has apparently been successful enough to have caught the attention of Facebook’s security team, which earlier this week sent Mundorff a cease-and-desist order demanding that he stop selling the program.

“Plugins such as LilyJade are configured to modify our [site] to inject ads and/or send spam through Facebook to the victim’s friends via wall posts and chat messages,” said Fred Wolens, public policy manager at Facebook. “These alterations materially change people’s Facebook experience and bypass Facebook’s quality and security controls. Additionally, programs like LilyJade can make Facebook slower, cause user confusion and can obfuscate authenticate user content by displaying banner ads.”

In a follow-up instant message conversation, Mundorff indicated that he has no intention of bowing to Facebook’s demands.

“I pretty much told them to go fuck themselves cause we cant post on anyones [sic] walls with out there [sic] permissions automated or not,” Mundorff said. “So they can go to hell.”

It remains to be seen who will prevail in this now-public battle (which according to Mundorff has since caught the interest of the anarchic hacker collective Anonymous). I wanted to call attention to this topic because I believe LilyJade is likely the precursor to a stream of malicious cross-browser plugins that we can expect in the coming months and years.

Plugin based threats seem to be especially pernicious because they work seamlessly across multiple operating systems and browsers, and are unlikely to be detected as malicious by antivirus software. What’s more, writing malicious plugins for different browsers has never been easier: Kango, an up-and-coming cross-browser plugin development environment that’s competing with Crossrider, supports plugins on even more browsers, including Opera and Safari.

The purpose of this post is not to cause alarm about legitimate development platforms like Crossrider and Kango, or even to dissuade people from using Facebook. It’s also true that rogue browser plugins are hardly a new problem, and that they can spread just as easily on Facebook as on Twitter, Pinterest or any other community where millions of users gather to share information. Rather, I wanted to remind readers that while modern malware can take many forms, it most often succeeds because computer users agree to install it in one form or another.

When in doubt, always consider Rule #1 from Krebs’s 3 Basic Rules for Online Safety: “If you didn’t go looking for it, don’t install it!” Religiously observing this advice will likely keep you safe from a huge percentage of the malware threats out there today.