Thursday, October 7, 2010

Computer Monitoring Tools

As security professionals we all know when our computers are trying to tell us that something is wrong. We also have our own techniques for poking around "under the hood", looking for trouble before it gets out of hand. Like car enthusiasts, we know what each rattle and noise means, and we take steps to correct the problem early. But what about our parents and extended family members who don't have the same skills? Like the temperature gauge or "check engine" light in a car, how does a typical user know that something is wrong?
Most newer operating systems have a built-in system health and monitoring capability. For example, in Windows 7:
  • Log on as a local administrator, click Start, and open Performance Information and Tools (it lives in Control Panel; typing its name into the Start menu search box finds it).
  • Under Advanced tools, select Generate a system health report (this is the same report that running perfmon /report produces).
And in Windows XP:
  • Log on as a local administrator, click Start, and then click Help and Support.
  • Under Pick a task, click Use Tools to view your computer information and diagnose problems.
  • In the Task pane, click My Computer Information, and then click View the status of my system hardware and software.

Wednesday, October 6, 2010

Recognizing phishing and online scams

Recognizing phishing and online scams is an interesting discussion. For example, would phishers still bother if no one clicked and freely entered their credit card and personal information? Would 419 scammers bother if no one responded to their messages? Since there is a profit motive behind the miscreants' actions, would we continue to see so many of their emails and web sites if the returns diminished, or if prosecution were a real possibility? Philosophical questions aside, in order to reduce the harm done by scammers and phishers, the people receiving the bait need to be able to recognize the messages for what they are and not respond or click.


Warning signs that a message is bait; don't click or respond if:
  • The message does not look authentic. If it doesn't look authentic, it probably isn't.
  • It sounds too good to be true. It is.
  • Searching for a distinctive phrase from the message turns up scam reports rather than the company's own site.
  • Hovering your mouse over the link shows a destination your browser or security software warns about, or one that doesn't match the company the message claims to come from.
  • It contains silly typos, formatting or grammatical errors that a professional would not make.
  • It asks you to send your information to them, rather than the other way around.
  • You don't even have an account with the company supposedly sending the email!

Here are some useful links:

http://www.microsoft.com/protect/fraud/phishing/symptoms.aspx
http://www.us-cert.gov/reading_room/emailscams_0905.pdf
http://www.gongol.com/howto/recognizephishing/
http://www.surfnetkids.com/safety/how_to_recognize_phishing-21760.htm

Tuesday, October 5, 2010

Cyber Security Awareness - Securing the Family PC

So today let's look at some common sense advice about the family computer. Yes, we all know the mantra about keeping the anti-virus software updated and the system patched (we'll talk more about that in a few days) but what else should we be doing? Some of the things that I recommend for the family PCs I work on include:

  • Keep all computers in full view (no hidden machines, no illusion of privacy)
  • Document computer details in writing (serial number, software, receipts, BIOS password, etc.) and keep the documentation in a fireproof box or safe
  • Use an uninterruptible power supply (UPS) for desktop PCs; laptops have their own built-in UPS, the battery
  • Keep all of the hardware and software manuals, plus any software CDs/DVDs in one place that is easy to find
  • Use a cable lock to keep intruders from stealing the computer should there be a break-in
  • Throw a towel over the webcam (better: unplug the webcam)
  • Unless it needs to always be on, consider turning it off when not in use
  • Keep plenty of room around the PC so that air can flow through to cool it

Tuesday, September 28, 2010

Zeus In The Mobile (Zitmo): Online Banking’s Two Factor Authentication Defeated

During the weekend, in our monitoring of the Zeus botnet, my colleague Kyle Yang stumbled upon an unexpected payload: a brand new mobile malware piece we named SymbOS/Zitmo.A!tr (Zitmo standing for “Zeus In The MObile”), likely aimed at intercepting confirmation SMS sent by banks to their customers. This also caught the eye of s21sec with a nice analysis you should read.


Basically, the ZeuS network initiated some social engineering operations (via injection of HTML forms in the victims’ browser) to get the phone number and phone model of its infected victims. Based on that info, it sends an SMS with a link to the appropriate version of the malicious package (a Symbian package for Symbian phones, a BlackBerry Jar for BlackBerry phones etc).

This malicious package is still under investigation, but given the context, it is logical to believe it is aimed at defeating the SMS-based two-factor authentication that most banks implement today to confirm transfers of funds initiated online by their end users, and that currently impedes the plundering of infected users' online accounts by Zeus masters (Note: although it was possible before, with man-in-the-middle attacks, it required the victim to initiate a financial transfer in the first place).

On the technical side, this malware is not altogether that much ‘unexpected’ because, since SymbOS/Yxes, we always said somebody would use web servers to distribute platform-specific malware to victims. Yet, it is the first time we acknowledge the technique to be used by a real gang.

So far, we have seen that:
» the Symbian version is correctly signed, using the Express Signed program, once more. Symbian has been notified, but meanwhile, please beware this certificate hasn’t been revoked yet:

Serial Number: 61:f1:00:01:00:23:5b:c2:79:43:80:40:5e:52

C=AZ, ST=Baku, L=Baku, O=Mobil Secway, OU=certificate 1.00,

OU=Symbian Signed ContentID, CN=Mobil Secway

» the malware creates its own malicious database on the phone, where it stores all the information it steals (contact first and last names, phone numbers, for instance) and needs. This database is named NumbersDB.db and contains 3 tables:
» tbl_contact with 4 columns: index, name, descr, pb_contact_id.
» tbl_phone_number with 2 columns: contact_id, phone_number
» and tbl_history with 6 columns: event_id, pn_id, date, description, contact_info, contact_id.

The malware searches those tables using standard SQL queries.
» the malware sends SMS messages. In particular, it sends a message to a phone number located in the United Kingdom to notify that the malware has been successfully installed (”App installed ok”).

"27/09/2010","12:09","Short message","Outgoing","App installed ok","+44778xxxxxxx"

(NOT SENT - OFFLINE)

Additionally, as explained by s21sec, the malware seems to be able to respond to a few commands such as 'set admin', which might be particularly dangerous: anyone sending a "set admin" SMS to your infected phone may be able to take control of it. We're of course investigating this, as well as the rest.

Tuesday, September 7, 2010

Worst U.S. military security breach ever

A malware-laden flash drive inserted in a laptop at a U.S. military base in the Middle East in 2008 led to the "most significant breach of" the nation's military computers ever, according to a new magazine article by a top defense official.

The malware uploaded itself to the U.S. Central Command network and spread undetected on classified and unclassified computers creating a "digital beachhead, from which data could be transferred to servers under foreign control," William J. Lynn III, U.S. deputy secretary of defense, wrote in his essay in the September/October issue of Foreign Affairs.

"It was a network administrator's worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary," he wrote. "This previously classified incident was the most significant breach of U.S. military computers ever, and it served as an important wake-up call. The Pentagon's operation to counter the attack, known as Operation Buckshot Yankee, marked a turning point in U.S. cyberdefense strategy."


Read more: http://news.cnet.com/8301-27080_3-20014732-245.html#ixzz0ypX371xv

Monday, August 9, 2010

Epic -A Browser Made For Indians By Indians


Meet Epic, billed by its makers as your new best friend: the first web browser built for India and, they claim, the world's only antivirus browser. Epic is developed by an Indian company called Hidden Reflex, which has been making waves across the web. It is built on the open-source Mozilla platform.

Friday, July 30, 2010

httpry-A specialized packet sniffer designed for displaying and logging HTTP traffic.

httpry is a specialized packet sniffer designed for displaying and logging HTTP traffic. It is not intended to perform analysis itself, but to capture, parse, and log the traffic for later analysis. It can be run in real-time displaying the traffic as it is parsed, or as a daemon process that logs to an output file. It is written to be as lightweight and flexible as possible, so that it can be easily adaptable to different applications.


What can you do with it? Here's a few ideas:
•See what users on your network are requesting online
•Check for proper server configuration (or improper, as the case may be)
•Research patterns in HTTP usage
•Watch for dangerous downloaded files
•Verify the enforcement of HTTP policy on your network
•Extract HTTP statistics out of saved capture files
•It's just plain fun to watch in realtime

Download: http://dumpsterventures.com/jason/httpry/

Thursday, July 29, 2010

Application Security Checklists

This checklist is a helpful reference when performing a web application security test. It is not a complete list though - there are often application-specific vulnerabilities and subtle issues that this does not cover.


Authentication
Logging in with an invalid user name does not reveal whether the user exists
Accounts are locked after a number of failed logins
An attacker cannot reset the lockout (e.g. by removing cookies)
Can't easily lockout an account to cause a denial of service
After login a redirect is issued, to prevent refresh attacks
Both "change password" and "logout" functions are provided
User is informed of last login time
Change password requires provision of old password
Passwords are proactively checked for strength
Password is never revealed (e.g. in the source of change password)
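As an added example (not from the checklist's source), here is a login routine that applies the first few items above: one generic failure message whether the user exists or not, a lockout counter that lives on the server keyed by account (so removing cookies cannot reset it), a time-limited lock so an attacker cannot permanently deny service to a victim, and a change-password path that requires the old password. The names AccountStore, MAX_FAILURES and LOCKOUT_SECONDS are chosen for this illustration, not taken from any framework.

```python
import hashlib
import hmac
import os
import time

# Added example, not from the checklist's source. AccountStore, MAX_FAILURES and
# LOCKOUT_SECONDS are names chosen for this illustration.

MAX_FAILURES = 5                  # lock after this many consecutive failures
LOCKOUT_SECONDS = 15 * 60         # temporary lock limits the DoS an attacker can cause
GENERIC_ERROR = "Invalid user name or password"   # identical on every failure path
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class AccountStore:
    def __init__(self):
        self._accounts = {}   # user name -> (salt, password hash)
        # Failure counters are server side and keyed by account, so clearing
        # cookies or switching browsers cannot reset a lockout.
        self._failures = {}   # user name -> (count, time of last failure)

    def add(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[name] = (salt, hash_password(password, salt))

    def is_locked(self, name: str, now: float) -> bool:
        count, last = self._failures.get(name, (0, 0.0))
        return count >= MAX_FAILURES and now - last < LOCKOUT_SECONDS

    def login(self, name: str, password: str, now: float = None):
        """Return (ok, message). The message never reveals whether `name`
        exists or whether the account is currently locked."""
        now = time.time() if now is None else now
        record = self._accounts.get(name)
        if record is None:
            # Unknown user: still pay for one hash so the response time does
            # not distinguish "no such user" from "wrong password".
            hash_password(password, b"\x00" * 16)
            return False, GENERIC_ERROR
        if self.is_locked(name, now):
            return False, GENERIC_ERROR
        salt, stored = record
        if hmac.compare_digest(hash_password(password, salt), stored):
            self._failures.pop(name, None)        # success clears the counter
            return True, "ok"
        count, last = self._failures.get(name, (0, 0.0))
        if now - last >= LOCKOUT_SECONDS:         # old failures have aged out
            count = 0
        self._failures[name] = (count + 1, now)
        return False, GENERIC_ERROR

    def change_password(self, name: str, old: str, new: str, now: float = None) -> bool:
        """Changing a password requires the old one; a wrong guess here counts
        toward the same lockout as the login form."""
        ok, _ = self.login(name, old, now)
        if not ok:
            return False
        self.add(name, new)
        return True
```

The lock is deliberately temporary: a permanent lock after N failures satisfies "accounts are locked" but hands an attacker an easy denial of service against any user name they know, which is the next item on the list.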

Session Management
Session tokens are at least 128-bit
Session tokens are unpredictable
A new session is allocated at login (i.e. session fixation is prevented)
Logout invalidates the session token on the server
Cookie has "secure" and "httponly" options set and is non-persistent
Sessions have an inactivity timeout
Sessions have an absolute timeout
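The session items above, as an added example that is not part of the original checklist: tokens from the OS CSPRNG (256 bits, above the 128-bit floor), a fresh token allocated at login so a token planted before login is useless (session fixation), server-side invalidation on logout, and both inactivity and absolute timeouts. The cookie builder also sets SameSite, which postdates this 2010 list. SessionStore and the timeout values are assumptions for this illustration.

```python
import secrets

# Added example, not from the checklist's source. SessionStore and the
# timeout values are assumptions for this illustration.

INACTIVITY_TIMEOUT = 15 * 60        # seconds since the last request
ABSOLUTE_TIMEOUT = 8 * 60 * 60      # seconds since login, regardless of activity
TOKEN_BYTES = 32                    # 256 bits of CSPRNG output


class SessionStore:
    def __init__(self):
        self._sessions = {}   # token -> {"user", "created", "last_seen"}

    @staticmethod
    def _new_token() -> str:
        # secrets, not random: unpredictable tokens are the whole point.
        return secrets.token_urlsafe(TOKEN_BYTES)

    def start_anonymous(self, now: float) -> str:
        tok = self._new_token()
        self._sessions[tok] = {"user": None, "created": now, "last_seen": now}
        return tok

    def login(self, old_token: str, user: str, now: float) -> str:
        """Allocate a fresh token at login. The pre-login token (which an
        attacker may have planted) is discarded; that is what defeats fixation."""
        self._sessions.pop(old_token, None)
        tok = self._new_token()
        self._sessions[tok] = {"user": user, "created": now, "last_seen": now}
        return tok

    def lookup(self, token: str, now: float):
        """Return the user for a live session, or None. Expired sessions are
        removed on sight so a later request cannot revive them."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        if (now - sess["created"] > ABSOLUTE_TIMEOUT
                or now - sess["last_seen"] > INACTIVITY_TIMEOUT):
            del self._sessions[token]
            return None
        sess["last_seen"] = now
        return sess["user"]

    def logout(self, token: str) -> bool:
        # Invalidate on the server; deleting the cookie client-side is not enough.
        return self._sessions.pop(token, None) is not None


def session_cookie(token: str) -> str:
    # No Expires/Max-Age: a session cookie is dropped when the browser closes.
    return f"sid={token}; Path=/; Secure; HttpOnly; SameSite=Lax"
```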

Injection Attacks
Cross-site scripting
HTTP response splitting
SQL injection
LIKE pattern injection
LDAP injection
XPATH injection
Mail header injection
Directory traversal
Null-byte injection
Shell script / batch injection
Server-side script injection (PHP, Perl, etc.)
XML injection
Try to bypass filters using over-long utf-8 encodings
Try to bypass filters using wide-ASCII, or other Unicode equivalents
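The last two items deserve a worked example, added here and not part of the original checklist. A filter that looks for "../" in the raw bytes before decoding is bypassed by the over-long form of "." (0xC0 0xAE), which a lenient UTF-8 decoder later turns back into a dot, and by the full-width "．" (U+FF0E), which many components fold to ASCII. The fix is to decode strictly (reject over-long forms), normalise, and only then filter. The lenient decoder below is a deliberately sloppy stand-in for the historical bug, not a real library routine.

```python
import unicodedata

# Added example, not from the checklist's source.

def lenient_utf8_decode(data: bytes) -> str:
    """A deliberately sloppy UTF-8 decoder that accepts over-long sequences,
    as some filters and parsers historically did. Not for real use."""
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            cp, n = b, 1
        elif 0xC0 <= b < 0xE0:
            cp, n = b & 0x1F, 2
        elif 0xE0 <= b < 0xF0:
            cp, n = b & 0x0F, 3
        elif 0xF0 <= b < 0xF8:
            cp, n = b & 0x07, 4
        else:
            raise ValueError("bad lead byte")
        if i + n > len(data):
            raise ValueError("truncated sequence")
        for k in range(1, n):
            # The bug: no check that the value actually needed n bytes,
            # so C0 AE decodes to U+002E ('.') instead of being rejected.
            cp = (cp << 6) | (data[i + k] & 0x3F)
        out.append(chr(cp))
        i += n
    return "".join(out)


def naive_filter_passes(data: bytes) -> bool:
    """Byte-level check applied before decoding: the classic mistake."""
    return b"../" not in data and b"..\\" not in data


def strict_filter_passes(data: bytes) -> bool:
    """Decode strictly (Python's codec rejects over-long forms), fold
    compatibility characters such as full-width punctuation, then filter."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    text = unicodedata.normalize("NFKC", text)
    return "../" not in text and "..\\" not in text
```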

Content Checks
No script or CSS tags reference resources on other servers
No script or CSS tags on a page that can be accessed over HTTPS use URLs beginning http://
Use of eval, document.write, innerHTML, etc. does not cause XSS
Comments in files do not reveal sensitive information
Frames/iframes, if used, have frame spoofing protection
autocomplete=off is set on all forms asking for personal information
Private IP addresses

Server Side Script Behaviour
Arbitrary redirection
Arbitrary message inclusion
File upload features restrict uploaded content to prevent compromise
JavaScript Hijacking
Scripts that cause write actions require POST with a CSRF token
Scripts that act as an open proxy or mail relay
Exponential format accepted (e.g. 1e3 accepted where an integer is expected)
Server compromise by uploading XML that sources a stylesheet
Source code disclosure through scripts that allow read access to files

Authorisation
All protected resources check for a valid session
All protected resources check for user permissions (forced browsing)
Parameter tampering does not allow access to others' data
Page-to-page flow is correctly enforced where required
Form POST targets perform the same authorisation as form views

Miscellaneous
cache-control: private or stronger is used on sensitive pages
All client-side validation is repeated on the server
Site supports HTTPS, and sensitive pages forbid HTTP access
All pages are displayed with status and address bars
All URLs are what a customer would expect to see (correct domain, no surprising redirects)
No "Mixture of secure and insecure content" warnings

Server Configuration
There are no "orphaned" files (exist on the web server, but not linked)
No backup versions of files are accessible (may reveal source code)
No common insecure scripts (e.g. snoop servlet) are accessible
Error messages do not provide overly-detailed information

Special Cases
Dynamic login questions: question cannot be changed by the user
Application forms: restarting a transaction doesn't leak information
Smoke & mirrors: generated emails are appropriately protected
Domain auth: domain accounts cannot be locked out from the Internet
Forgotten password: understand any information leaked or risks created

SSL Client Certificates
Does login check user name matches certificate?
Can you lock out an account without holding the certificate?
Is certificate required for every request?
Does it check the certificate matches the session ID?
Can you login using a self-signed certificate?
Are test/pre-prod certificates separated from live?

Nested Web Service
Is the WSDL file accessible?
Does access to the web service require a web session?
Does it check the web session user matches the WS user?
Most of this checklist also applies to the web service itself.

Further, Very good article on Web Application Security Checklist:
http://www.enterpriseitplanet.com/security/features/article.php/2214631/Web-Application-Security-Checklist.htm

Various Security Checklists for your reference:
http://iase.disa.mil/stigs/checklist/

Wednesday, July 14, 2010

NEW PROPOSED Top 7 Essential Log Reports

Top Log Report Candidate 1. Authentication and Authorization Reports
a. Login Failures and Successes
b. Attempts to gain unauthorized access through existing accounts
c. Privileged account access (success, failure)
d. VPN Authentication and other remote access (success, failure)
e. Please add more reports you find useful!

Top Log Report Candidate 2. Change Reports
a. Addition/Changes/Deletions to Users, Groups and Services
b. Change to configurations
c. Application installs and Updates
d. Please add more reports you find useful!

Top Log Report Candidate 3. Network Activity Reports [used to be called “Suspicious or Unauthorized Network Traffic Patterns” in the old Top 5 list]
a. Top Internal Systems Connecting Through Firewall // Summary of Outbound Connections
b. Network Services Transiting A Firewall
c. Top Largest File Transfers Through the Firewall
d. Internal Systems Using Many Different Protocols/Ports
e. Top Internal Systems With NIDS Alerts
f. Proxy Report on File Uploads
g. Please add more reports you find useful!

Top Log Report Candidate 4. Resource Access Reports
a. File
i. Failed File or Resource Access Attempts
b. Database
i. Top Database Users
ii. Summary of Query Types
iii. SELECT Data Volume
iv. All Users Executing INSERT/DELETE Commands
v. Database Backups
c. Email
i. Top Internal Email Addresses by Volume of Messages
ii. Top Attachment Types with Sizes
iii. Top Internal Systems Sending Spam // Top Internal Systems Sending Email NOT Through Mail Server
d. Please add more reports you find useful!

Top Log Report Candidate 5. Malware Activity Reports
a. Top systems with anti-malware events
b. Detect-only events from anti-malware tools (“leave-alones”)
c. Anti-virus protection failures by type
d. Internal malware connections (all sources)
e. Please add more reports you find useful!

Top Log Report Candidate 6. “Various FAIL”
a. Critical Errors
b. Backup failures
c. Capacity / Limit Exhaustion
d. System and Application Starts, Shutdowns and Restarts
e. Please add more reports you find useful!

Top Log Report Candidate 7. Analytic Reports  [Mostly Using “Never Before Seen” (NBS) aka “NEW Type/Object” Analysis]
a. NEW (NBS) IDS/IPS Alert Types
b. NEW (NBS) Log Entry Types
c. NEW (NBS) Users Authentication Success
d. NEW (NBS) Internal Systems Connecting Through Firewall
e. NEW (NBS) Ports Accessed
f. NEW (NBS) HTTP Request Types
g. NEW (NBS) Query Types on Database
h. Please add more NBS or other analytic reports you find useful!
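As an added example, not part of the proposal above: a minimal "never before seen" detector for candidate 7. It keeps one set of previously seen values per report (internal sources through the firewall, destination ports, IDS alert types, users with a successful authentication, HTTP methods) and reports only values absent from that baseline. The event format and report names are assumptions made for this illustration; in practice the baseline is persisted between runs, which is what makes the report "never" rather than "not today".

```python
# Added example, not part of the SANS/Chuvakin proposal. Event fields and the
# report names ("fw_internal_src", ...) are assumptions for this illustration.

def extract_keys(event):
    """Map one parsed event to the (report, value) pairs NBS should track."""
    kind = event["type"]
    if kind == "fw":                       # firewall connection record
        return [("fw_internal_src", event["src"]), ("fw_dst_port", event["dport"])]
    if kind == "ids":                      # IDS/IPS alert
        return [("ids_alert_type", event["sig"])]
    if kind == "auth" and event["result"] == "success":
        return [("auth_success_user", event["user"])]
    if kind == "http":
        return [("http_method", event["method"])]
    return []


def never_before_seen(baseline, events):
    """Return the (report, value) pairs absent from `baseline`, adding them so
    they are reported once. `baseline` maps report name -> set of values."""
    new = []
    for event in events:
        for report, value in extract_keys(event):
            seen = baseline.setdefault(report, set())
            if value not in seen:
                seen.add(value)
                new.append((report, value))
    return new


# Constructed sample data: a learning period, then one day's events.
BASELINE_EVENTS = [
    {"type": "fw", "src": "10.1.1.5", "dport": 443},
    {"type": "fw", "src": "10.1.1.7", "dport": 443},
    {"type": "fw", "src": "10.1.1.7", "dport": 80},
    {"type": "ids", "sig": "SCAN nmap OS fingerprint"},
    {"type": "auth", "result": "success", "user": "alice"},
    {"type": "http", "method": "GET"},
    {"type": "http", "method": "POST"},
]

TODAY_EVENTS = [
    {"type": "fw", "src": "10.1.1.5", "dport": 443},             # routine
    {"type": "fw", "src": "10.1.1.99", "dport": 6667},           # new host and new port
    {"type": "ids", "sig": "SCAN nmap OS fingerprint"},          # routine
    {"type": "ids", "sig": "TROJAN known C2 beacon"},            # new alert type
    {"type": "auth", "result": "failure", "user": "bob"},        # failures not tracked here
    {"type": "auth", "result": "success", "user": "svc_backup"}, # first success for this account
    {"type": "http", "method": "PROPFIND"},                      # new request type
]


def run_demo():
    baseline = {}
    never_before_seen(baseline, BASELINE_EVENTS)   # learning phase: everything is new
    return never_before_seen(baseline, TODAY_EVENTS)
```

Running the same day's events a second time reports nothing, which is the behaviour you want from an NBS report: it is the first occurrence that is interesting.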

So, please help this project by commenting via whatever means!!!
BTW, I think I perused all the previous efforts to distill log reports (such as this one), but feel free to point me to such things as well.
Finally, if you are a SIEM or log management vendor, please consider supporting the resulting reports in your products – after they are finalized by the community and released by SANS.

Wednesday, June 23, 2010

GARTNER: COMPANIES SHOULDN'T BOTHER BANNING FACEBOOK, SOCIAL

NATIONAL HARBOR, Md. -- According to a Gartner Inc. social media security expert, banning Facebook and other social networking services like LinkedIn and Twitter is an exercise in futility. To boot, securing social media in the enterprise is not a responsibility that should fall to information security teams.

Tuesday at Gartner's Security and Risk Management Summit, research director Andrew Walls told attendees that although infosec pros may worry that social networking will lead to uncontrolled malware outbreaks, phishing, breaches of confidentiality and trade secrets, and even damage to the corporate reputation, trying to take control of, or even block, its use is akin to monitoring employees' home phone calls and rifling through their postal mail.

Tuesday, June 1, 2010

Honey Pot -HoneyBOT v1.7 released!

Atomic Software Solutions offers HoneyBOT, a Windows-based honeypot, free of charge. New in this release:

Whitelist feature allows users to configure HoneyBOT to ignore trusted computers.

Upgraded FTP service allows file uploads after administrator account is breached.


Monday, May 31, 2010

Metasploitable-VM Image

One of the questions that we often hear is "What systems can I use to test against?" Based on this, we thought it would be a good idea to throw together an exploitable VM that you can use for testing purposes.
Metasploitable is an Ubuntu 8.04 server install on a VMware 6.5 image. A number of vulnerable packages are included, including an install of Tomcat 5.5 (with weak credentials), distcc, TikiWiki, TWiki, and an older MySQL.

You can use most VMware products to run it, and you'll want to make sure it's configured for Host-only networking unless it's in your lab - no need to throw another vulnerable machine on the corporate network. It's configured in non-persistent-disk mode, so you can simply reset it if you accidentally 'rm -rf' it.

Monday, May 3, 2010

IDA Pro

IDA Pro is a Windows or Linux hosted multi-processor disassembler and debugger that offers so many features it is hard to describe them all. Just grab an evaluation version if you want a test drive. An executive summary is provided for the non-technical user.




Responder™ Professional

The ultimate in Windows™ physical memory and automated malware analysis, all integrated into one application for ease of use, streamlined workflow, and rapid results. The Professional platform is designed for incident responders, malware analysts, and computer forensic investigators who require rapid results. Responder Professional provides powerful memory forensics and malware identification with Digital DNA™. Malware analysis includes automated code disassembly, behavioral profiling reporting, pattern searching, code labeling, and control flow graphing. This is a huge step forward for the information security and computer forensic communities. Finally, these long-awaited capabilities are available to complement enterprise security best practices in the areas of host intrusion detection, computer forensics and security assessments.

Wednesday, April 28, 2010

WinAPIOverride32:an advanced api monitoring software.

WinAPIOverride32 is an advanced API monitoring tool. You can monitor and/or override any function of a process, whether an API function or an executable's internal function. It tries to fill the gap between classical API monitoring software and debuggers.

It can break the targeted application before or after a function call, allowing memory or register changes, and it can directly call functions of the targeted application.

Main differences from other API monitoring software:

- You can define filters on parameters or function result
- You can define filters on DLLs to discard calls from Windows system DLLs
- You can hook functions inside the target process, not only APIs
- You can hook asm functions with parameters passed through registers
- You can hook hardware and software exceptions
- Double and float results are logged
- You can easily override any API or any process internal function
- You can break the process before and/or after a function call to change memory or registers
- You can call functions which are inside the remote process
- Can hook COM, OLE and ActiveX interfaces
- User types (enum, struct and union) and user defines are supported
- Everything is done as modules: you can log or override independently for any function
- Open source
- A library is provided for developers who intend to build their own hooking software




Monday, April 26, 2010

RTIR -A premiere Open Source incident handling system.

RTIR is the premiere open source incident handling system. We worked with over a dozen CERT and CSIRT teams to build a world-class incident handling system. RTIR helps you handle the ever-increasing volume of incident reports. RTIR lets you tie multiple incident reports to specific incidents. RTIR makes it easy to launch investigations to work with law enforcement, network providers and other partners to get to the bottom of each incident and to track it through to a successful resolution.


It's easy to integrate RTIR into your existing systems and workflow. With open source code, a rich API and a vibrant community, RTIR can be tied into many external systems with only a few lines of configuration or a few minutes of programming. If you're using a publicly available product as part of your incident handling workflow, someone has probably already integrated it with RTIR.

Download From:

Monday, April 19, 2010

Google Criticized for 'Buzz' Privacy Faults

Google has announced it will ask all users to reconfirm their preferred privacy settings on its social networking site 'Buzz'. It follows a controversial launch in which many believed, correctly or otherwise, that their privacy had been compromised.


Buzz is Google's rival to Facebook and Twitter. It's integrated into Gmail and allows users to follow and reply to posts made by people they decide to follow on the service.

The service also allows users to share information from other Google-owned services such as Google Reader (an RSS newsreader) and picture-sharing site Picasa. It was clearly designed to encourage users to spend more time in Gmail and thus be more attractive to advertisers.

Automated 'Followers' Idea Backfires

The big problem with the launch was that Google decided to "help" users by automatically adding in some online followers from their email address book. This annoyed many users as they felt some of their information was now being shared with other people without their permission.

In one extreme case, a woman said she was automatically made a Buzz contact of an abusive ex-partner who only appeared as a regular email contact because they had been sending harassing messages.

FTC Commissioner Critical of Service
To make things worse, many users were in the dark about the implications of the Buzz service, with some believing their entire email history had been exposed. Others found opt-out settings but, because of the close integration, believed that turning off Buzz could only be done by quitting the email service altogether.

A privacy watchdog and several politicians complained about the move to the Federal Trade Commission. Although not a formal response to the complaints, one commissioner later said "I do not believe consumer privacy [considerations] played any significant role in the release of Buzz." (Source: bbc.co.uk)

Google Confirms Test Failure

Google later admitted it had only tested the service on its own staff rather than the usual test panel of employees' friends and family. That may have meant the results were distorted, as Google workers may have been more tech-savvy and less concerned about privacy implications than the general public.

Shortly after the launch, Google responded to criticism by simplifying the processes for blocking "followers," changing privacy settings or quitting Buzz altogether, but this only applied to new Buzz users. The firm also dropped the automated following system and replaced it with a list of suggested contacts.

This week's announcement goes a step further: the firm will now ask every user to specifically change or reconfirm their privacy option settings. That move, albeit late in the day, will go some way towards answering criticism that both Buzz and other social networking services need to adopt a policy of making all user data as private as possible until the user specifically says otherwise. (Source: pcmag.com)

Monday, April 12, 2010

Payment Card Industry Rock

Do you remember those old School House Rock commercials from the 70’s? I do, in part because someone gave my kids a DVD set with all of them on it. And apparently the folks at the PCI Council remember them too, because they’ve created a video that looks a lot like those old commercials. My favorite part is the fact that Bob Russo let a cartoon version of himself be part of the video. I wonder if the real Mr. Russo can sing and play the guitar?






Saturday, April 10, 2010

StreamArmor – Discover & Remove Alternate Data Streams (ADS)

What are ADS (Alternate Data Streams)?

If you’ve had any experience with advanced malware or Windows forensics you’d already know what ADS are, but if you haven’t is a lesser known feature of the Windows NTFS file system which provides the ability to put data into existing files and folders without affecting their functionality and size. Any such stream associated with file/folder is not visible when viewed through conventional utilities such as Windows Explorer or DIR command or any other file browser tools.


StreamArmor is a tool for discovering hidden alternate data streams (ADS) that can also remove them completely from the system. Its advanced auto-analysis, coupled with an online threat verification mechanism, makes it (in its author's words) the best tool available in the market for eradicating the evil streams. StreamArmor comes with a fast multi-threaded ADS scanner which can recursively scan the entire system and quickly uncover all hidden streams. Discovered streams are shown using a colour pattern based on threat level, which makes it easy for the human eye to distinguish between suspicious and normal streams.

StreamArmor has a built-in file type detection mechanism which examines the content of the stream to determine its real file type, regardless of name. This makes it a useful tool in forensic analysis for uncovering hidden documents, images, audio, video, database and archive files within alternate data streams. StreamArmor is a standalone, portable application which does not require any installation. It can be copied to any place on the system and executed directly.

Platform

Windows XP, 2K3, Vista, Longhorn and Windows 7 (both 32 & 64 bit versions) On 64 bit platform, only 32 bit processes are supported.

You can download StreamArmor v1.0 here
http://www.rootkitanalytics.com/tools/streamarmor.php

Sunday, March 28, 2010

Flint – Web-based Firewall Rule Scanner

Flint examines firewalls, quickly computes the effect of all the configuration rules, and then spots problems so you can:

•CLEAN UP RUSTY CONFIGURATIONS that are crudded up with rules that can’t match traffic.
•ERADICATE LATENT SECURITY PROBLEMS lurking in overly-permissive rules
•SANITY CHECK CHANGES to see if new rules create problems.
Flint is absolutely free. There’s no catch. You can download the source from the git repository. This isn’t the “play at home” version; it’s their second product, and they want to do it open source.



Why You Need Flint

You have multiple firewalls protecting internal networks from the Internet and controlling access to customer data. Your business changes, and so do your firewalls, and not always at the same time. Firewalls can get out of step with policies.

Everybody makes mistakes. To understand a firewall configuration, you have to read hundreds of configuration lines, and then you have to think like a firewall does. People aren’t good at thinking like firewalls. So most firewalls are riddled with subtle mistakes. Some of those mistakes can be expensive:

•INSECURE SERVICES might be allowed through the firewall, preventing it from blocking attacks.
•LAX CONTROLS ON DMZs may expose staging and test servers.
•FIREWALL MANAGEMENT PORTS may be exposed to untrusted networks.
•REDUNDANT FIREWALL RULES may be complicating your configuration and slowing you down.

You can download Flint here:

VMWare Virtual Machine – FlintVM-current.zip
OVF Virtual Machine – FlintVM-current.ovf.zip
Source – flint-current.tgz

Wednesday, March 24, 2010

Critical Log Review Checklist for Security Incidents

This cheat sheet presents a checklist for reviewing critical logs when responding to a security incident. It can also be used for routine log review.

General Approach


Identify which log sources and automated tools you can use during the analysis.
Copy log records to a single location where you will be able to review them.
Minimize “noise” by removing routine, repetitive log entries from view after confirming that they are benign.
Determine whether you can rely on logs' time stamps; consider time zone differences.
Focus on recent changes, failures, errors, status changes, access and administration events, and other events unusual for your environment.
Go backwards in time from now to reconstruct actions after and before the incident.
Correlate activities across different logs to get a comprehensive picture.
Develop theories about what occurred; explore logs to confirm or disprove them.

Potential Security Log Sources
Server and workstation operating system logs

Application logs (e.g., web server, database server)
Security tool logs (e.g., anti-virus, change detection, intrusion detection/prevention system)
Outbound proxy logs and end-user application logs
Remember to consider other, non-log sources for security events.

Typical Log Locations
Linux OS and core applications: /var/log

Windows OS and core applications: Windows Event Log (Security, System, Application)
Network devices: usually logged via Syslog; some use proprietary locations and formats

What to Look for on Linux
Successful user login----- "Accepted password", "Accepted publickey", "session opened"

Failed user login----- "authentication failure", "failed password"
User log-off----- "session closed"
User account change or deletion----- "password changed", "new user", "delete user"
Sudo actions----- "sudo: ... COMMAND=...", "FAILED su"
Service failure----- "failed" or "failure"
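The Linux patterns above, run over constructed /var/log/auth.log-style lines as an added example (not part of the original cheat sheet). Order matters: the generic "failed"/"failure" service check must come last, or it swallows "Failed password" and "FAILED su" before the more specific auth patterns see them. The sample lines and the flag rules (UID 0 account creation, sudo reads of /etc/shadow, failed root logins) are assumptions made for this illustration.

```python
import re

# Added example, not from the cheat sheet's source. Sample log lines below are
# constructed in the style of sshd, sudo, su, useradd, passwd and systemd messages.

PATTERNS = [   # order matters: specific auth patterns before the generic "failed"
    ("login_success", re.compile(r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<src>\S+)")),
    ("session_open", re.compile(r"session opened for user (?P<user>\S+)")),
    ("login_failure", re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")),
    ("login_failure", re.compile(r"authentication failure;.*rhost=(?P<src>\S*).*user=(?P<user>\S+)")),
    ("logoff", re.compile(r"session closed for user (?P<user>\S+)")),
    ("account_change", re.compile(r"password changed for (?P<user>\S+)")),
    ("account_change", re.compile(r"new user: name=(?P<user>[^,]+), UID=(?P<uid>\d+)")),
    ("account_change", re.compile(r"delete user '(?P<user>[^']+)'")),
    ("sudo", re.compile(r"sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$")),
    ("su_failure", re.compile(r"FAILED su for (?P<user>\S+) by (?P<by>\S+)")),
    ("service_failure", re.compile(r"\b(?:failed|failure)\b", re.IGNORECASE)),
]

AUTH_LOG = """\
Mar 24 09:12:01 web1 sshd[2211]: Accepted password for alice from 10.0.0.5 port 51522 ssh2
Mar 24 09:12:01 web1 sshd[2211]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar 24 09:13:44 web1 sshd[2240]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar 24 09:13:50 web1 sshd[2240]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Mar 24 09:15:02 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar 24 09:16:10 web1 su[2301]: FAILED su for root by bob
Mar 24 09:17:00 web1 useradd[2310]: new user: name=backdoor, UID=0, GID=0, home=/root, shell=/bin/bash
Mar 24 09:18:30 web1 passwd[2320]: pam_unix(passwd:chauthtok): password changed for bob
Mar 24 09:20:00 web1 sshd[2211]: pam_unix(sshd:session): session closed for user alice
Mar 24 09:21:00 web1 systemd[1]: Failed to start Apache HTTP Server.
"""


def classify(line):
    """Return (category, fields) for the first matching pattern, else None."""
    for category, rx in PATTERNS:
        m = rx.search(line)
        if m:
            return category, m.groupdict()
    return None


def review(lines):
    """Count events per category and raise flags for the things worth a second look."""
    summary = {"counts": {}, "flags": []}
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        category, fields = hit
        summary["counts"][category] = summary["counts"].get(category, 0) + 1
        if category == "login_failure" and fields.get("user") == "root":
            summary["flags"].append(f"failed root login from {fields['src']}")
        elif category == "sudo" and "/etc/shadow" in fields["cmd"]:
            summary["flags"].append(f"{fields['user']} read /etc/shadow via sudo")
        elif category == "account_change" and fields.get("uid") == "0":
            summary["flags"].append(f"new account with UID 0: {fields['user']}")
    return summary
```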

What to Look for on Windows
Event IDs are listed below for Windows 2000/XP. For a Vista/7 security event ID, add 4096 to the event ID.

Most of the events below are in the Security log; many are only logged on the domain controller.

User logon/logoff events ----- Successful logon 528, 540; failed logon 529-537, 539; logoff 538, 551, etc.
User account changes ----- Created 624; enabled 626; changed 642; disabled 629; deleted 630
Password changes ----- To self: 628; to others: 627
Service started or stopped ----- 7035, 7036, etc.
Object access denied (if auditing enabled) ----- 560, 567, etc.

What to Look for on Network Devices
Look at both inbound and outbound activities.

The examples below show log excerpts from Cisco ASA logs; other devices have similar functionality.

Traffic allowed on firewall ----- "Built … connection", "access-list … permitted"
Traffic blocked on firewall ----- "access-list … denied", "deny inbound", "Deny … by"
Bytes transferred (large files?) ----- "Teardown TCP connection … duration … bytes …"
Bandwidth and protocol usage ----- "limit … exceeded", "CPU utilization"
Detected attack activity ----- "attack from"
User account changes ----- "user added", "user deleted", "User priv level changed"
Administrator access ----- "AAA user …", "User … locked out", "login failed"

What to Look for on Web Servers
Excessive access attempts to non-existent files
Code (SQL, HTML) seen as part of the URL
Access to extensions you have not implemented
Web service stopped/started/failed messages
Access to "risky" pages that accept user input
Look at logs on all servers in the load balancer pool
Error code 200 on files that are not yours

Failed user authentication ----- Error code 401, 403
Invalid request ----- Error code 400
Internal server error ----- Error code 500
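An added example, not from the cheat sheet: the web-server checks above run over constructed access-log lines from a hypothetical site; the deployed file list and the set of served extensions are assumptions made for that site.

```python
import re
from collections import Counter
from os.path import splitext
from urllib.parse import unquote, urlsplit

# Added example, not from the cheat sheet: apply the web-server checklist to
# access-log lines from every server in the pool. The log lines, the list of
# deployed files and the served extensions are constructed for one
# hypothetical static site.
IMPLEMENTED_EXT = {".html", ".css", ".js", ".png"}
DEPLOYED_FILES = {"/index.html", "/style.css", "/app.js", "/login.html", "/search.html"}

# Apache/nginx common log format; referer and user-agent are not needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

# Crude signatures for SQL or HTML turning up inside the request URL.
CODE_IN_URL = re.compile(
    r"union\s+select|select\s.+\sfrom|'\s*or\s*'?\d'?\s*=\s*'?\d|<\s*script|<\s*iframe",
    re.IGNORECASE)

SAMPLE_ACCESS_LOG = """\
198.51.100.4 - - [15/Mar/2010:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043
198.51.100.4 - - [15/Mar/2010:10:00:02 +0000] "GET /style.css HTTP/1.1" 200 522
203.0.113.9 - - [15/Mar/2010:10:01:10 +0000] "GET /admin.php HTTP/1.1" 404 209
203.0.113.9 - - [15/Mar/2010:10:01:11 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209
203.0.113.9 - - [15/Mar/2010:10:01:12 +0000] "GET /backup.zip HTTP/1.1" 404 209
203.0.113.9 - - [15/Mar/2010:10:01:13 +0000] "GET /login.html?user=a%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 880
198.51.100.4 - - [15/Mar/2010:10:02:00 +0000] "POST /login.html HTTP/1.1" 401 120
203.0.113.9 - - [15/Mar/2010:10:03:00 +0000] "GET /uploads/sh.txt HTTP/1.1" 200 45
198.51.100.4 - - [15/Mar/2010:10:04:00 +0000] "GET /search.html?q=%3Cscript%3Ex%3C/script%3E HTTP/1.1" 400 0
"""


def parse_line(line):
    """Split one access-log line into fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def review_access_logs(log_texts, not_found_threshold=3):
    """Apply the checklist to the logs of all pool members at once."""
    findings = {"code_in_url": [], "unknown_extension": [], "unexpected_200": []}
    not_found = Counter()
    status_counts = Counter()
    for text in log_texts:
        for line in text.splitlines():
            rec = parse_line(line)
            if rec is None:
                continue
            status_counts[rec["status"]] += 1
            path = urlsplit(rec["target"]).path
            decoded = unquote(rec["target"])  # payloads usually arrive URL-encoded
            if CODE_IN_URL.search(decoded):
                findings["code_in_url"].append(decoded)
            ext = splitext(path)[1].lower()
            if ext and ext not in IMPLEMENTED_EXT:
                findings["unknown_extension"].append(path)
            if rec["status"] == 404:
                not_found[rec["ip"]] += 1
            if rec["status"] == 200 and path not in DEPLOYED_FILES:
                findings["unexpected_200"].append(path)  # a 200 for a file you never put there
    findings["excessive_404"] = {ip: n for ip, n in not_found.items() if n >= not_found_threshold}
    findings["auth_and_error_codes"] = {c: status_counts[c] for c in (400, 401, 403, 500)
                                        if status_counts[c]}
    return findings


if __name__ == "__main__":
    for key, value in review_access_logs([SAMPLE_ACCESS_LOG]).items():
        print(key, value)
```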

Monday, March 22, 2010

Google Talk used to distribute Fake AV

Maria Varmazis, a colleague from our Boston office, got to experience what happens when a friend's account is compromised. When she logged onto Gmail, she got a pop-up message from someone she regularly chats with: "Hey are you on Facebook ??? If u are then check this out ". Wisely, Maria didn't click on the link and instead passed it on to me to investigate.


The link led me to a web page that had some dancing stick people and a link that read, "Click on the picture to download my party pictures gallery. . . (Click Open or Run when prompted.)".

Of course I wanted to view this party picture gallery. . . Past experience tells me the best pictures are taken after 11pm at parties. When I clicked the image, Internet Explorer presented a download prompt for a file called my_image_gallery.scr


This attack once again shows us the importance of defense in depth. An administrator for an organizational network has several chances to prevent this infection:

1. Education. Teach end users how to spot something out of the ordinary, to avoid clicking links in IMs, and what techniques are used in social engineering.

2. Anti-virus. As Virus Bulletin regularly demonstrates, the majority of up-to-date anti-virus products protect against most in-the-wild threats.

3. Proactive protection. Using heuristic, behavioral and other techniques provides protection against malicious code that may not yet be detected by your anti-virus definitions.

4. Web filtering. Both the site offering malware for me to download and the one that was luring me into clicking the picture were blocked by the Sophos Web Appliance as malicious. Our web appliance also scans all your downloads for malware, and lets you disable downloading of dangerous file types.

Unfortunately, quite often our friends may not really be our friends. Use this as a reminder to stay vigilant and warn others about this type of attack.

Friday, March 19, 2010

Top 10 Ways to Avoid Phishing Scams - Please Forward to All Non-IT People You Know.

The phenomenon of internet phishing scams is a serious problem, and the number and sophistication of these schemes are increasing all the time. Individuals using the web for personal or business reasons must be alert to possible fraud, and employers should warn their employees and customers to be extremely selective about giving out personal financial information over the Internet.


The following is a list of suggestions and recommendations that may help people avoid becoming a victim of these online phishing scams.

1. Never fill out forms in e-mail messages that ask for personal financial information. Many phishing scams are designed to get access to accounts that can then be drained of funds by the scammers.

2. Check your online accounts regularly, as well as your bank, credit and debit card statements to make sure all transactions are legitimate.

3. If you suspect an e-mail might not be authentic, don't use the links within the e-mail to get to a webpage, as it may leave your computer vulnerable. Often the entire point of these e-mails is to get you to do just that.

4. You should always be suspicious of any e-mail with “urgent” requests for personal financial information.

5. If you do provide personal information (like a credit card number), do so only via a secure website or the telephone.

6. Always make sure you're on a secure Web server when sharing sensitive information. To do so, check the beginning of the URL in your browser address bar. It should be "https" rather than "http." The "s" stands for secure.

7. It’s advisable to install a Web browser toolbar to alert you before you visit known phishing fraud websites.

8. If you receive an e-mail message that is not personalized, assume it's a shady message.

9. If e-mails use upsetting or exciting statements to try to get you to react immediately, that’s a red flag signaling to stop and think carefully about your next move; these statements are almost always false anyway.

10. Make sure that your browser is up-to-date and security patches have been applied.

Thursday, March 18, 2010

How to Protect Yourself from ZeuS

The security consultants recommend that businesses and home users carry out online banking and financial transactions on isolated workstations that are not used for general Internet activities such as web browsing and reading email, which could increase the risk of infection.


Businesses may even consider using an alternative operating system for workstations accessing sensitive or financial accounts. Keep your antivirus, operating system and software patches up to date. Also, do not open suspicious e-mail attachments or links from people that you do not know; even if you do know them, check with them to find out whether they actually sent you something before opening the email.

Additionally, awareness for both customers and employees is crucial. In particular, employees who interface with clients should be made aware of these types of threats to help triage potential victims.

Zeus Trojan Now Has Hardware Licensing Scheme

The authors of the Zeus bot client, perhaps the most popular and pervasive piece of malware of its kind right now, have taken an extraordinary step to protect their creation: inserting a hardware-based licensing scheme into the Trojan. This represents a significant leap in the sophistication and professionalism of malware development, researchers say.


Zeus has been making the rounds on the Web for some time now, and it has gone through a number of revisions and upgrades in recent months. Its creators, who remain unknown, have steadily added more and more features and functionality to the package, including a form grabber for Firefox, the ability to add extra data fields to online banking applications, a backconnect module and support for Windows Vista and Windows 7.

Much of this is fairly standard stuff, but the addition of the hardware licensing/activation scheme is an interesting, unique twist. Researchers at SecureWorks have been analyzing each new iteration of the Zeus kit and found that the latest release, version 1.3.4.x, added this functionality, likely in an effort to prevent rivals from selling pirated versions of the attack kit.

"The author has gone to great lengths to protect this version using a Hardware-based Licensing System. The author of Zeus has created a hardware-based licensing system for the Zeus Builder kit that you can only run on one computer. Once you run it, you get a code from the specific computer, and then the author gives you a key just for that computer. This is the first time we have seen this level of control for malware," Kevin Stevens and Don Jackson of SecureWorks wrote.


The newest release of Zeus is selling for $3,000 to $4,000 right now in private sales, the researchers said, and is being sold solely by the kit's author. Other, older versions have been sold publicly in the past, which likely led to the author taking the step of using the hardware licensing system to protect his creation.

While Zeus includes a wide range of capabilities now, its basic reason for being is to steal financial data. Think of it as a banker Trojan on steroids, the 2007 David Ortiz of malware. As the SecureWorks researchers found, Zeus does much of its dirty work through secure HTTP POST requests to the remote command-and-control server. It targets a broad spectrum of financial data, including credit card numbers, bank account numbers and online banking login credentials.

Stevens and Jackson said that the Zeus author is working on version 1.4 of the kit, which will include a polymorphic encryption feature.

"The 1.4 version of ZeuS will enable the ZeuS Trojan to re-encrypt itself each time it infects a victim, thus making each infection unique. The 1.4 version also enables the ZeuS file names to be randomly generated, thus each infection will contain different file names. This will make it very difficult for anti-virus engines to identify the ZeuS Banking Trojan on the victims’ system," they said.

Wednesday, March 17, 2010

Google search reveals 3 million pages link to rogue AVs

Do you know what the latest version of Adobe's Flash Player is? If you don't, you may very well fall for this:

Flash Player 11?
There are more than 3 million pages linking to this alleged version 11:

Most pages are from unsanitized forums, but there is even a Google Ad for it! Ooooops….



The screen below depicts the social engineering trick: what appears to be an X-rated video with a Windows Media Player logo (that is odd!).

What intrigued me in that screenshot was that this malicious post was made with a user account that was highly rated. Such posts are automated, so I'd guess this user had his credentials stolen. Regardless, it adds to the deceptiveness, coming from what looks like an 'approved' forum user.

What happens next is that an intermediary URL, freevideos.osa.pl/video.php?, redirects you to fast-flux domains updated on a regular basis, all showing the well-known "YouTube-like" screenie:

Clicking on it will download 'video-plugin.45210.exe' (VirusTotal detection here).
So, what really is the latest Adobe Flash Player? The answer: 10.0.45.2

Looks like the bad guys are already one step ahead. By the way, I did a Google search with version 12 and it returned nothing.
In the meantime, there are millions of pages out there fooling people and infecting them with a non-existent Flash Player version.

Tuesday, March 16, 2010

Fixing the Windows Registry Using Backtrack

BackTrack is the most popular Linux live CD distribution focused on penetration testing. It comes loaded with all the top security tools, so that you can start work immediately without needing to download and install any of them.

One of the uses of BackTrack is fixing Windows problems such as repairing the registry, resetting user passwords, etc. Here I am going to explain how we can use BackTrack to fix the Windows registry.

Often we mess up the registry and leave the system hung. In such situations BackTrack plays a major role in putting you back on track.

Registry Recovery Operation
To start with, boot your system from the BackTrack CD. After booting, make sure that your Windows system partition is mounted in read/write mode. If your system partition uses the NTFS file system, you have to unmount that partition and remount it in read/write mode.

Let's assume that your system partition is /dev/hda1 and is currently mounted at /mnt/hda1. You can use the 'mount' command to view the devices and their respective mount points.

To unmount this partition, use the following command:
# umount /mnt/hda1

Now, to mount it with read/write access, execute the following command:
# mount -o rw /dev/hda1 /mnt/hda1

If the above method does not work, use the following method specified by Muts of BackTrack. For a FAT32 partition you do not need to do anything, as it is already mounted with read/write access.

Using Chntpw tool to Edit Windows Registry
Now go to the config folder on your system partition, which holds all the registry hives.
# cd /mnt/hda1/windows/system32/config

Then type 'chntpw' to view its help screen. This tool comes with a built-in registry editor which can be used to manipulate any part of the registry. To invoke the registry editor, specify the -e option with the name of a registry hive file. The entire Windows registry is stored in a handful of hive files. The table below shows the mapping between each hive file and the part of the registry it holds; based on which part of the registry you are going to modify, select the corresponding hive file.

Let me explain the complete registry editing operation with an example. Assume that the 'Windows Themes' service is preventing your system from booting normally. To bring your system back to normal you need to disable this service.


The registry key for the Themes service is located here:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Themes

To disable this service, we have to change the 'Start' value (under the above key) to '4'.
Start REG_DWORD 4

Now, from the above table, it's clear that we have to use the 'SYSTEM' hive file for editing with 'chntpw'. Type the command as shown below.
# chntpw -e SYSTEM

At the new command prompt, type ? to see the various commands used for registry editing. The most useful commands are dir, cat, cd, ed, etc.

Now type the 'dir' command to see all the subkeys under the root key. You will see several ControlSet00* keys under it, but where is the CurrentControlSet key? We need this subkey to edit the properties of the Themes service!

Well, don't panic. The answer is hidden in the 'Select' subkey. Enumerate all the values under the 'Select' subkey as shown below.

> cd Select
> dir

Now the value of 'Current' under the Select key tells you which ControlSet00* key is currently in use. For example, if 'Current' has the value 2, then you have to select 'ControlSet002', and so on. On my machine 'Current' has the value 1, so I am going to select 'ControlSet001'.

Now we know which control set to use. Select it and move on to the Themes subkey as shown below. Note that we are still under the Select key; you have to go back to the root key to choose the ControlSet key.
> cd ..
> cd ControlSet001\Services\Themes

Now type 'dir' to see all the value names and their data under this key. We just have to change the DWORD value of 'Start' to 4 using the 'ed' command.
> ed Start

When you are prompted to enter the new value, type 4 and press ENTER. To verify, use the command shown below.
> cat Start

Once you have made all the required changes, type 'q' to quit the registry editor and then press 'y' to save your changes. After that, restart the system and you should be able to log in normally.
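An added example (not from the post): a Python wrapper for the same chntpw sequence. It assumes the partition is already mounted at /mnt/hda1 as above, that chntpw is on PATH as on the BackTrack CD, that chntpw -e accepts its editor commands on standard input, and that the 'Current' value has been read from the Select key by hand as described.

```python
import os
import subprocess

# Added example, not from the post: wraps the chntpw steps above in a script.
# Assumes the Windows partition is already mounted (the post's /mnt/hda1) and
# that chntpw is on PATH, as on the BackTrack CD. The 'Current' value from
# HKLM\SYSTEM\Select is read by hand as described above and passed in.


def controlset_name(current):
    """Map Select\\Current to its key name: 1 -> ControlSet001, 2 -> ControlSet002."""
    current = int(current)
    if current < 1:
        raise ValueError("Select\\Current must be a positive integer")
    return "ControlSet%03d" % current


def mount_is_rw(mount_point, mounts_text):
    """True if mount_point is listed with the 'rw' option in /proc/mounts-style
    text. Takes the table as text so the check can be run on captured data too."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == mount_point:
            return "rw" in fields[3].split(",")
    return False


def find_case_insensitive(base, *parts):
    """Resolve base/parts matching each component case-insensitively: the hives
    live under WINDOWS/system32/config on some installs and windows/... on
    others, and Linux treats those as different paths."""
    cur = base
    for part in parts:
        matches = [n for n in os.listdir(cur) if n.lower() == part.lower()]
        if not matches:
            return None
        cur = os.path.join(cur, matches[0])
    return cur


def chntpw_script(controlset, service, start_value=4):
    """The editor commands from the post as one script: open the service key,
    set Start (4 = disabled), show it back, quit and confirm the write."""
    return "\n".join([
        "cd %s\\Services\\%s" % (controlset, service),
        "ed Start",
        str(start_value),
        "cat Start",
        "q",
        "y",
    ]) + "\n"


def disable_service(mount_point, service, current):
    """Refuse to run unless the partition is read/write, then drive chntpw."""
    with open("/proc/mounts") as f:
        if not mount_is_rw(mount_point, f.read()):
            raise RuntimeError("%s is not mounted read/write" % mount_point)
    hive = find_case_insensitive(mount_point, "windows", "system32", "config", "system")
    if hive is None:
        raise RuntimeError("SYSTEM hive not found under %s" % mount_point)
    # Assumption: chntpw -e accepts its editor commands on standard input.
    return subprocess.run(["chntpw", "-e", hive],
                          input=chntpw_script(controlset_name(current), service),
                          text=True, check=True)


if __name__ == "__main__":
    disable_service("/mnt/hda1", "Themes", 1)
```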

Monday, March 15, 2010

Remote VNC Installation



RealVNC is a server and client application for the Virtual Network Computing (VNC) protocol to control another computer's screen remotely. The company RealVNC Ltd. — founded by the same AT&T team which created the original VNC program — produces the RealVNC software. RealVNC runs on Windows, Mac OS X (Enterprise edition only), and many Unix-like operating systems (both free and enterprise-class). A RealVNC client also runs on the Java platform and on the iPhone. A Windows-only client is now available, designed to interface to the embedded server on Intel AMT chipsets found on Intel vPro motherboards.

New phishing campaign against Facebook led by Zeus

Some time ago we warned about different campaigns in which the method employed, in every case without exception, is social engineering to get the victim to execute a fraudulent component, the goal being the theft of sensitive information.

Cases like the previous ZeuS campaign using the image of Facebook, and phishing attacks using popular services such as IRS, VISA, Google and Blogger as cover, among many others, are concrete examples that demonstrate the magnitude of the business ZeuS offers computer criminals.

A few days ago a new campaign materialized at the hand of ZeuS, involving a large battery of malicious domains. The hostnames all use either a "downloads." prefix or a deceptive "auth.facebook.com." prefix in front of the attacker's own domain, with the same /id735rp/LoginFacebook.php path.

The folder id735rp also contains the phishing kit and the ZeuS trojan, which in this case appears under the name photo.exe (19d9cc4d9d512e60f61746ef4c741f09).

The same URL format strategy is also being used by another known crimeware kit: Phoenix Exploit Pack.

Sunday, March 14, 2010

Evil Sports Sites

A Google query came to us that points to yet another temptation that the criminals are taking advantage of: the March Madness basketball tournaments here in the USA. I'm sure that other sporting events are just as popular with the scammers and crooks. If you want to check out the fun, put this into your browser:


We trust that you are not crazy enough to click on the links that Google marks as hazardous to your computer's health, but if you do and you net something really cool that you'd like to analyze, please let me know what you uncover.

Saturday, March 13, 2010

Password cracker 100 times faster with an SSD

The security specialist Objectif Sécurité has optimised its rainbow tables – a common tool used to crack password hashes – to make use of SSDs. The result is, according to Objectif Sécurité's Philippe Oechslin, an acceleration by a factor of 100 when compared to their old 8GB rainbow tables for XP hashes. A web form takes the XP hashes and cracks them for free with the new, ten times larger tables.

Oechslin has fitted an elderly Athlon 64 X2 4400+ with an SSD and the optimised tables. This system can, at only 75% CPU utilisation, crack a 14-digit password with special characters in an average of 5.3 seconds. Oechslin says that, in the worst case, it should arithmetically be able to search through 300 billion passwords per second, a speed that is a factor of 500 faster than an Elcomsoft cracker supported by a modern Tesla GPU from NVIDIA.

Rainbow tables achieve the acceleration by pre-computing the intermediate steps of all possible password hashes for a specific algorithm and storing those results as a table. The more steps that are stored, the bigger the tables and the faster the cracking process. Once the tables no longer fit in memory, the less-used parts of the tables are kept on mass storage, previously a hard disk, which in turn leads to slower access times while searching them.
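An added, toy-sized example that is not from the article: a rainbow table over three-letter lowercase passwords hashed with unsalted MD5, showing the chain precomputation, the endpoint-only storage and the lookup described above, and that a per-user salt defeats the precomputation. The names, the reduction function and the sizes are my own choices.

```python
import hashlib
import itertools
import string

# Added example, not from the article: a toy rainbow table over a tiny
# password space, to show the precompute-then-store trade-off described
# above and why per-user salts defeat it. Sizes are deliberately small.
ALPHABET = string.ascii_lowercase
LENGTH = 3                         # 26**3 = 17,576 possible passwords
N = len(ALPHABET) ** LENGTH
CHAIN_LEN = 50                     # hashes represented by each stored chain


def h(pw):
    """Unsalted MD5, the kind of hash a precomputed table can target."""
    return hashlib.md5(pw.encode()).hexdigest()


def reduce_(digest, step):
    """Map a hash back into the password space. Mixing in the column index
    gives each column its own reduction function, which is what makes this a
    rainbow table (Oechslin) rather than a plain Hellman chain and makes
    chain merges rarer."""
    x = (int(digest[:16], 16) + step) % N
    chars = []
    for _ in range(LENGTH):
        chars.append(ALPHABET[x % len(ALPHABET)])
        x //= len(ALPHABET)
    return "".join(chars)


def start_points(stride=40):
    """Evenly spaced chain starts; more starts means a bigger table and more coverage."""
    return ["".join(t) for i, t in
            enumerate(itertools.product(ALPHABET, repeat=LENGTH)) if i % stride == 0]


def build_table(starts):
    """Store only endpoint -> starts. The intermediate steps are thrown away
    and recomputed at lookup time; that is the memory side of the trade-off."""
    table = {}
    for start in starts:
        pw = start
        for step in range(CHAIN_LEN):
            pw = reduce_(h(pw), step)
        table.setdefault(pw, []).append(start)
    return table


def lookup(table, target):
    """Assume the target hash sits in column `col`, roll the chain forward to
    its endpoint, and only when an endpoint matches rebuild that chain from
    its start. Cost is O(CHAIN_LEN**2) hashes instead of a table of N hashes."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_(target, col)
        for step in range(col + 1, CHAIN_LEN):
            pw = reduce_(h(pw), step)
        for start in table.get(pw, []):
            candidate = start
            for step in range(CHAIN_LEN):
                if h(candidate) == target:
                    return candidate
                candidate = reduce_(h(candidate), step)
            # endpoint matched but the chain never hashed to target: a false alarm
    return None


def coverage(table):
    """Fraction of the password space that some stored chain passes through."""
    seen = set()
    for starts in table.values():
        for start in starts:
            pw = start
            for step in range(CHAIN_LEN):
                seen.add(pw)
                pw = reduce_(h(pw), step)
    return len(seen) / N


def salted(salt, pw):
    """With a per-user salt the whole table would have to be rebuilt per salt."""
    return h(salt + pw)


if __name__ == "__main__":
    table = build_table(start_points())
    print("chains stored: %d, coverage: %.2f" % (sum(len(v) for v in table.values()), coverage(table)))
    secret = reduce_(h(start_points()[7]), 0)   # a password known to lie on a chain
    print("unsalted lookup:", lookup(table, h(secret)))
    print("salted lookup:", lookup(table, salted("s4lt", secret)))
```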

Rainbow Cracking - MD2, MD4, MD5, SHA1, L1

RainbowCrack is a computer program which generates rainbow tables to be used in password cracking. RainbowCrack differs from "conventional" brute force crackers in that it uses large pre-computed tables called rainbow tables to reduce the length of time needed to crack a password drastically. RainbowCrack was developed by Zhu Shuanglei, and implements an improved time-memory trade-off cryptanalysis attack which originated in Philippe Oechslin's Ophcrack.


As RainbowCrack's purpose is to generate rainbow tables and not to crack passwords per-se, some organizations have endeavored to make RainbowCrack's rainbow tables available free over the internet.

Hackers leave Orissa Govt website ‘tipsy-turvy’

Description:

If you click open Orissa Government's official website even as you read this piece of news, chances are that it would show you the price list of various kinds of liquor available in Delhi.

Chances are that it is still dishing out details of Delhi's entertainment and luxury tax structure. And why? Hackers seem to have breached the security firewalls of the State Government website - www.orissa.gov.in/www.orissagov.nic.in - and in its place appears the official website of the Excise Department of the Government of the National Capital Territory (NCT) of Delhi.

The matter came to notice only on Thursday evening, a good few hours after the offices of the State Government had closed for the day, so it was not immediately possible to ascertain who could be behind the mischief.

As a result, those who logged into the site found, much to their curiosity, details of the price list of the various alcohol Delhiites enjoy - whisky, beer, rum, wine, gin, vodka, brandy, and yes, country liquor too.

"It appears to be the handiwork of some mischief mongers who defaced the State Government website and placed such a webpage," said a software professional of the city.

It was not immediately known whether the act could have anything to do with the huge amount of information stored on the website, or whether those behind it made any attempt to break into the servers.

Friday, March 12, 2010

Bypassing Firewalls Using Reverse Telnet


Netcat is a computer networking utility for reading from and writing to network connections using TCP or UDP. Netcat is designed to be a dependable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and investigation tool, since it can create almost any kind of connection you would need and has a number of built-in capabilities.


In 2000 according to www.insecure.org Netcat was voted the second most functional network security tool. Also, in 2003 and 2006 it gained fourth place in the same category. Netcat is often referred to as a "Swiss-army knife for TCP/IP." Its list of features includes port scanning, transferring files, and port listening, and it can be used as a backdoor.

According to http://nc110.sourceforge.net, some of netcat's major features are:

• Outbound or inbound connections, TCP or UDP, to or from any ports
• Full DNS forward/reverse checking, with appropriate warnings
• Ability to use any local source port
• Ability to use any locally-configured network source address
• Built-in port-scanning capabilities, with randomization
• Built-in loose source-routing capability
• Can read command line arguments from standard input
• Slow-send mode, one line every N seconds
• Hex dump of transmitted and received data
• Optional ability to let another program service established connections
• Optional telnet-options responder
• Featured tunneling mode which also allows special tunneling such as UDP to TCP, with the possibility of specifying all network parameters (source port/interface, listening port/interface, and the remote host allowed to connect to the tunnel).

Hostmap

What is hostmap?

Hostmap is a free, automatic hostname and virtual host discovery tool written in Ruby by Alessandro `jekil` Tanasi and licensed under the GNU General Public License version 3 (GPLv3). Its goal is to enumerate all hostnames and configured virtual hosts on an IP address. The primary users of hostmap are professionals performing vulnerability assessments and penetration tests.

The major features are:
DNS names and virtual hosts enumeration
Multiple discovery techniques, to read more see documentation.
Results correlation, aggregation and normalization
Multithreaded and event based engine
Platform independent


Download:
http://sourceforge.net/projects/hostmap/files/

Thursday, March 11, 2010

Wednesday, March 10, 2010

Don't Play Poker on an Infected Table - Part Three

The monetization of phony online gambling networks -- clearly tolerating systematic violation of their TOS -- is continuing with the scammers behind last month's campaign (Don't Play Poker on an Infected Table - Part Two) spamvertising another portfolio of domains using new templates.


It's worth pointing out that the spammers don't just earn revenue every time someone installs the application, but also every time the now-converted visitor interacts financially with the service, a monetization approach you'll see in the attached screenshots.

Detection rates for the spamvertised binaries (downloaded from gamez-lux.com and we3tt.com) : StarsVIPCasino_Setup.exe - Result: 14/42 (33.33%); GoldenMummyEN.exe - Result: 9/42 (21.43%); RubyRoyaleEN.exe - Result: 11/42 (26.19%). Sample phone back locations: download.thepalacegroupgaming.com; pcm3.valueactive.eu; rubyfortune.mgsmup.com

Spamvertised domains include:


Phony affiliate networks reserve the right to pass responsibility for the malicious activity on to participants violating their Terms of Service. A violation that earned both parties significant amounts of money, in between


Tuesday, March 9, 2010

Vodafone Android Phone: Complete with Mariposa Malware

Panda Security has a post up on one of their employees buying a brand new Android phone from Vodafone and discovering it was spreading Mariposa. It didn't infect the phone proper, but it did carry autoexec.inf and autoexec.bat files designed to infect whatever Windows machine the phone was plugged into via USB cable. Unlike the Energizer story from yesterday, this one is happening now. Standard USB defenses apply: don't automatically execute autoexec.bat/inf files from USB devices. This Microsoft KB article discusses how to disable the "Autoplay" functionality that leads to this problem.

This leads to the interesting question: why not just infect the phones? The technology is certainly there to write malware that is phone-specific. We likely won't see mass infection of phones (or, even better for the attacker, a cell-phone botnet) until commerce is much more common on phones. Malware is driven by the desire for profit, and once it becomes profitable, we'll see exploitation. The problem is that these slimmed-down devices make it difficult to build security in. Only a few cell phone types even have the option of cell phone antivirus software. The clock is ticking on that threat.

SAHI – Web Automation & Application Security Testing Tool

Sahi is an automation tool for testing web applications. It runs as a proxy that injects JavaScript into the pages passing through it, and that JavaScript drives the application.

Sahi is a tester-friendly tool that abstracts away most of the difficulties testers face when automating web applications. Salient features include an excellent recorder, platform and browser independence, no XPaths, no explicit waits, multi-threaded playback, strong Java interaction and built-in reporting.

Features
  • Browser and operating system independent
  • Powerful recorder which works across browsers
  • Powerful Object Spy
  • Intuitive and simple APIs
  • JavaScript-based scripts for good programming control
  • Version-controllable text-based scripts
  • In-built reports
  • In-built multi-threaded or parallel playback of tests
  • Tests do not need the browser window to be in focus
  • Command line and Ant support for integration into build processes
  • Supports external proxies, HTTPS, and HTTP 401 and NTLM authentication
  • Supports browser popups and modal dialogs
  • Supports AJAX and highly dynamic web applications
  • Very robust scripts
  • Works on applications with random auto-generated ids
  • Very lightweight and scalable
  • Supports data-driven testing; can connect to a database, an Excel file or a CSV file
  • Ability to invoke any Java library from scripts
Limitations
  • Framesets and pages with frames/iframes that load pages from multiple domains are not supported. Sahi cannot handle a page that embeds pages from other domains via frames or iframes (the injected JavaScript is subject to the browser's same-origin policy), so a google.com page containing an iframe from yahoo.com will not work. Note that this is different from switching between domains, i.e. navigating from a google.com page to a yahoo.com page, which does work in Sahi.
  • The file upload field will not be populated in browsers for JavaScript verification; the file upload itself works fine.
You can download SAHI here:
http://sahi.co.in/w/


Scam Alert - Cute (and malicious) - funny picture from Facebook friends

Cute (but malicious)
There’s an angelically tinged infection doing the rounds at the moment that has more than a whiff of sulphur about it.

We can't say for certain, but it looks like the point of this little angel is to turn your PC into a file-storage node for an IRC channel: it drops you into #music IRC channels and makes sure you can accept various media files.

Our tale begins with an email claiming you have a “funny picture from Facebook friends” waiting for you at Oast(dot)com:

 
 
This is what the end-user will download onto their system – an executable claiming to be a .gif:
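As an added example (not from the original post), here is a Python check that catches this disguise: a Windows PE file renamed with an image extension, or given a double extension such as funny_picture.gif.exe that Explorer shows as funny_picture.gif when “Hide extensions for known file types” is on (the Windows default). The sample byte strings and filenames are constructed here; the check goes a little beyond the post by handling JPEG, PNG and BMP as well as GIF.

```python
"""Check whether a downloaded "picture" is really a Windows executable (added example).

Content is checked before the filename: a PE is a PE whatever it is called.
"""
import struct

IMAGE_MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "bmp": (b"BM",),
}
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "dll"}


def is_pe(data):
    """True if data has a DOS 'MZ' stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extensions(name):
    """All dotted extensions of a filename, lowercased, with padding spaces removed."""
    return [p.strip().lower() for p in name.split(".")[1:]]


def double_extension(name):
    """True for names like 'funny_picture.gif.exe' or 'funny_picture.gif      .exe'."""
    exts = extensions(name)
    return len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTENSIONS and exts[-2] in IMAGE_MAGIC


def verdict(name, data):
    """Classify a file by content first, name second.

    'executable': the bytes are a PE file, whatever the name claims.
    'mismatch':   the name claims an image type but the bytes lack its magic.
    'ok':         the name claims an image type and the magic matches.
    'unknown':    not a PE and not an image type this check knows about.
    """
    if is_pe(data):
        return "executable"
    exts = extensions(name)
    expected = IMAGE_MAGIC.get(exts[-1]) if exts else None
    if expected is None:
        return "unknown"
    return "ok" if data.startswith(expected) else "mismatch"


def _fake_pe():
    """Constructed minimal PE: MZ stub, e_lfanew = 0x40, then the PE signature."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 22


# Constructed samples (not the real malware).
SAMPLE_PE = _fake_pe()
SAMPLE_GIF = b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x00\x00\x00" + b"\x3b"


def triage_downloads(files):
    """Return (name, verdict, double_extension) for each (name, data) pair."""
    return [(name, verdict(name, data), double_extension(name)) for name, data in files]


if __name__ == "__main__":
    samples = [
        ("funny_picture.gif", SAMPLE_GIF),        # what the email promised
        ("funny_picture.gif.exe", SAMPLE_PE),     # what the scam actually sends
        ("funny_picture.gif", SAMPLE_PE),         # PE renamed outright
    ]
    for name, result, doubled in triage_downloads(samples):
        print(f"{name:25s} {result:10s} double extension: {doubled}")
```

Run on a real download directory this would read the first 64 bytes or so of each file; the magic check is cheap, and it is the only one of the two that cannot be beaten by renaming.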
 
 
 
Should they run the file, two things will happen. The first is that a rather charming image will appear on their desktop (courtesy of a hidden file called “Out.exe” dropped into the user's Temp folder), all part of the general ruse to make them think that yes, they really have been sent a “funny picture”:


 
 
 
The second is a little more sinister – an entire hidden directory (called tmp0000729b, dropped into the Windows Temp folder) arrives unannounced, laying the groundwork for an IRC invasion:


 
 
Yes, anyone blessed with the “vision” of those little angels is now part of a collection of IRC drones. If the end-user hovers their mouse over the seemingly empty system tray, they’ll discover the mIRC daemon running in a hidden state:


 
 
As is typical for an IRC-related hijack, everything is hidden away to keep the end-user from suspecting anything is wrong: hidden mIRC tools and seemingly deserted IRC channels are the order of the day. Shall we open up the mIRC client and play a little game of “Now you see it, now you don’t” in reverse?
 
 

Taken at face value, the screenshot above shows the victim sitting in an empty IRC channel. However, a quick highlight and...




...there they are, sitting beneath a pair of admins in a #Music room. mIRC can be set to accept or ignore certain file types by default, and here the client is indeed set to disallow .exe, .dll, .bat and .scr files but to allow normal media files such as .wav, .jpeg, .gif and .mp3. The victim is placed into numerous #Music rooms like the one above on various IRC servers, so it’s possible the intention here is media sharing by way of compromised PCs.

Detections aren’t great at the moment (11/42 on VirusTotal): virustotal.com/analisis/9618c83546c16ae1dab70ca0d2e594c2dd41f622820d92e7bc9e22f2b3bc9f38-1267769547

We detect this as Trojan.Win32.Generic!BT, and as for the domain?