Research

First Atrivo, Now McColo

November 18th, 2008 by Nick Chapman

Security researchers have had a number of victories to celebrate recently. First Atrivo and now McColo have been disconnected from the Internet. This was done not by law enforcement or other governmental action, but rather by the concerted efforts of the Internet community. The Internet is made up of privately owned networks that are voluntarily connected. The companies that were connected to Atrivo and McColo have severed those connections, removing the companies from the Internet.

Removing those two companies from the Internet has also removed large amounts of botnet and spam infrastructure. Several sources have reported seeing spam drop as much as 60-70% following McColo’s loss of connectivity. There was a similar, but smaller drop when Atrivo was taken offline. Of course, one of the reasons that the McColo disconnect reduced spam more than Atrivo is that some of the spammers simply moved from Atrivo to McColo.

Back in October, my colleague Joe Stewart documented the Warezov botnet moving to McColo and also predicted (quite correctly as it turned out) that disconnecting McColo would reduce spam by one-half world wide. A number of other botnets, including Rustock, Srizbi, Pushdo and Ozdok had infrastructure hosted at McColo.

It’s clear that this infrastructure remains in place. Over the weekend McColo was able to temporarily find a new upstream provider. Thankfully, they were quickly shut down again. However, this did allow botnet C&C platforms in McColo to connect to their bots, updating software and rerouting the bots to new C&C servers located elsewhere. This has been observed with Srizbi, where researchers were able to register domains used as a fallback C&C mechanism.

Other botnets will also be relocating their C&C servers. While most, if not all, will just pop up in another datacenter, the growing trend of upstream providers disconnecting nefarious hosting companies is encouraging. So far these companies have been US based. We’re now seeing early evidence that bot-herders are moving their C&C servers overseas. The next question is: will the Internet community be able to put pressure on those companies and their upstream providers to prevent the bot-herders from finding a new safe haven?

Other SecureWorks Blog Categories:
  • General (20)
  • Links (7)
  • Phishing (1)
  • Research (60)
  • Spam (1)
  • Trojans (4)

  • Tracking Gimmiv

    November 3rd, 2008 by Joe Stewart

    On October 23, 2008, Microsoft released an out-of-cycle emergency patch for a flaw in the Windows RPC code. The reason for this unusual occurrence was the discovery of a “zero-day” exploit being used in the wild by a worm (or trojan, depending on how you look at it). The announcement of a new remote exploit for unpatched Windows systems always raises tension levels among network administrators. The fact that this one was already being used by a worm evoked flashbacks of Blaster and Sasser and other previous threats that severely impacted the networked world.

    But, unlike these past worms, Gimmiv turned out to have infected scarcely any networks at all. One reason for this is that the scanning done by Gimmiv looking for vulnerable hosts is limited to the local subnet, meaning it can only jump networks if an infected computer is moved from one network to another. Even if this were not the case, by default Windows XP SP2 (and above) restricts connections to the RPC ports to the local subnet only. So although future trojans and worms might utilize the same exploit, the window of opportunity for a globally impacting worm using this vector has passed for the most part.

    Because of some mistakes made by the author(s) of Gimmiv, third parties were able to download the logfiles of the Gimmiv control server. Although most of the data in the logs is AES-encrypted, we were able to find the key hardcoded in the Gimmiv binary and decrypt the data.

    Although it has been reported that Gimmiv is a credential-stealing trojan, this functionality is actually not used - the gathered data is never sent. What is sent is simply basic system information, such as the Windows version, IP and MAC address, Windows install date/time and the default system locale. Using this data we were able to track exactly how many computers had been infected prior to October 23rd (after this time infection counts are somewhat skewed due to malware researchers all over the world investigating Gimmiv). As it turns out, only around 200 computers were infected since the time Gimmiv was actively deployed on September 29, 2008.

    By converting the decrypted log data into KML format, we were able to use Google Maps and Google Earth to take a look at the global impact and spread of Gimmiv. Only 23 countries had infected users, and Southeast Asia appeared to have the greatest number of infections:

    Gimmiv world map

    Each computer on the maps above represents a Gimmiv-infected location - due to NAT, this may include dozens of computers. For example, two networks in Malaysia had the most infections:

    Gimmiv in Malaysia

    While Malaysia was the hardest hit, it appears that the “in-the-wild” spread of Gimmiv may have started in Vietnam on September 29:

    Gimmiv patient zero?

    Looking in the logs, we actually see that Gimmiv appeared first on August 20, 2008, but we don’t count this as being in-the-wild. This is because logs were seen from only two IP addresses, only briefly. One of these IP addresses, located in Korea, we can tell was running Gimmiv in a VMware virtual machine - exactly the kind of thing you might expect someone testing a piece of malicious mobile code to do:

    Gimmiv test from VMware machine in South Korea

    Additionally, a zip file left behind on one of the control servers contained Korean characters in the compressed folder name. For these two reasons, we believe Gimmiv’s author is probably from South Korea.

    The KML file used to generate the maps above can be downloaded into Google Earth and is available here.
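    The log analysis described above (counting distinct infected locations between the in-the-wild start and the researcher cut-off, allowing for NAT, spotting a VMware test machine, and emitting KML for Google Earth) as an added example; this is not SecureWorks’ code, and the log records, the record layout, the GeoIP table and the coordinates are constructed stand-ins.

```python
import csv
from datetime import datetime
from io import StringIO
from xml.sax.saxutils import escape

# Constructed sample of decrypted check-in records (not real Gimmiv data).
# Assumed layout: timestamp, source IP, MAC, Windows version, install date, locale
SAMPLE_LOG = """\
2008-08-20 09:12:01,203.0.113.5,00:0c:29:aa:bb:cc,5.1.2600,2008-08-19 14:00:00,ko-KR
2008-09-29 03:44:10,198.51.100.20,00:1a:2b:3c:4d:5e,5.1.2600,2007-03-02 10:11:12,vi-VN
2008-10-01 11:02:33,192.0.2.77,00:1a:2b:aa:bb:cc,5.1.2600,2006-11-12 08:00:00,ms-MY
2008-10-01 11:05:41,192.0.2.77,00:1a:2b:dd:ee:ff,5.1.2600,2008-01-20 09:30:00,ms-MY
2008-10-24 16:20:00,192.0.2.200,00:50:56:11:22:33,5.1.2600,2008-10-24 15:00:00,en-US
"""

# Stand-in for a GeoIP lookup: constructed coordinates, not a real database.
GEO = {
    "203.0.113.5": ("South Korea", 37.57, 126.98),
    "198.51.100.20": ("Vietnam", 21.03, 105.85),
    "192.0.2.77": ("Malaysia", 3.14, 101.69),
    "192.0.2.200": ("United States", 38.90, -77.04),
}

# OUIs assigned to VMware; a check-in from one of these is likely a test VM.
VMWARE_OUIS = {"00:0c:29", "00:50:56", "00:05:69"}

WILD_START = datetime(2008, 9, 29)        # first in-the-wild infection (post)
RESEARCHER_CUTOFF = datetime(2008, 10, 23)  # patch day; later counts are skewed


def parse_log(text):
    rows = []
    for ts, ip, mac, winver, installed, locale in csv.reader(StringIO(text)):
        rows.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                     "ip": ip, "mac": mac.lower(), "winver": winver,
                     "locale": locale})
    return rows


def infected_locations(rows, start=WILD_START, end=RESEARCHER_CUTOFF):
    """Distinct check-in IPs in [start, end). One IP may hide many NATed hosts."""
    return {r["ip"] for r in rows if start <= r["ts"] < end}


def hosts_per_ip(rows):
    """Distinct MACs seen per IP: a lower bound on hosts behind each NAT address."""
    macs = {}
    for r in rows:
        macs.setdefault(r["ip"], set()).add(r["mac"])
    return {ip: len(m) for ip, m in macs.items()}


def is_vmware(mac):
    return mac.lower()[:8] in VMWARE_OUIS


def to_kml(ips, geo=GEO):
    """One Placemark per infected IP; KML coordinates are lon,lat,alt."""
    marks = []
    for ip in sorted(ips):
        country, lat, lon = geo[ip]
        marks.append("<Placemark><name>%s (%s)</name><Point><coordinates>%s,%s,0"
                     "</coordinates></Point></Placemark>"
                     % (escape(ip), escape(country), lon, lat))
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            '<kml xmlns="http://www.opengis.net/kml/2.2"><Document>\n%s\n'
            '</Document></kml>' % "\n".join(marks))


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print(sorted(infected_locations(rows)), hosts_per_ip(rows))
    print(to_kml(infected_locations(rows)))
```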


  • Beginning of the end for EstDomains

    November 3rd, 2008 by Hunter King

    If you’re a hacker wanting to register a domain for nefarious purposes, EstDomains is your go-to guy. They registered tens of thousands of malicious domains during their existence, providing an integral piece of the malware lifecycle. The Russian Business Network (RBN) used them extensively for their “bullet proof” hosting (web hosting designed to make takedowns extremely difficult if not impossible). Back in February of this year Vladimir Tsastsin, EstDomains founder, was sentenced to three years in prison for forgery, money laundering and credit card fraud. This conviction caused EstDomains to break section 5.3 of ICANN’s Registrar Accreditation Agreement. This section states:

    Any officer or director of [a] Registrar is convicted of a felony or of a misdemeanor related to financial activities, or is adjudged by a court to have committed fraud or breach of fiduciary duty, or is the subject of a judicial determination that ICANN deems as the substantive equivalent of any of these; provided such officer or director is not removed in such circumstances.

    On October 28th, ICANN notified EstDomains that on November 12th, 2008, it would no longer be an accredited registrar. ICANN has posted this notice here: http://www.icann.org/correspondence/burnette-to-tsastsin-28oct08-en.pdf

    EstDomains is currently attempting to distance themselves from Tsastsin in an attempt to stay in business. They responded to ICANN claiming Tsastsin was removed from his position in January, one month before his conviction, in a letter dated the 29th: http://www.icann.org/correspondence/poltev-to-burnette-29oct08-en.pdf

    Due to this response, on October 29th ICANN stayed the termination process:
    http://www.icann.org/en/announcements/announcement-2-29oct08-en.htm

    Hopefully ICANN will make the right decision and shut down these criminals for good.


  • DarkMarket: FBI Sting Closes E-Doors

    October 21st, 2008 by Dennis Dwyer

    DarkMarket.ws (known in carding, identity theft, and other black-hat rings) went “Dark” earlier this month. DarkMarket was widely known and respected among criminals as a forum for exchanging stolen banking data, credit card information, and other underground activities. What users of the site didn’t know was that the site wasn’t really hosted by Eastern-European hackers. It was run from an FBI location in Pittsburgh, PA, where agents of the National Cyber Forensics Training Alliance collaborated with industry professionals and graduate students to trace the identities and locations of criminals. The DarkMarket site was run primarily by agent J. Keith Mularski, under the handle ‘Master Splyntr’.

    Reports leaked from Südwestrundfunk, a German radio station, revealed the FBI operation’s role in detaining a German card fraudster active on the site. In operation since November of 2006, DarkMarket was especially well known for English-speaking forums. Ironically, soon after DarkMarket’s launch in 2006, well-known hacker Max Ray Butler penetrated the site’s servers and found information revealing FBI ties. Butler’s claims to the underground were largely ignored; at the time, he ran a competing underground forum. As a result, most believed his claims false. DarkMarket successfully continued operations despite Butler’s claims.

    Now that the site has gone down and the cat is out of the bag, numerous arrests are expected. This is a big win for the good guys. So far, 56 arrests have been made. We have a suspicion that others who may have conducted business at DarkMarket have not been sleeping too well, as additional arrests are expected.

    In this case, the FBI got it right. It’s an impressive feat to penetrate the inner circle of these criminals.


  • ClickJacking Attacks

    October 10th, 2008 by Dennis Dwyer

    ClickJacking has recently been getting lots of media attention. Security researchers Robert Hansen (“RSnake”) and Jeremiah Grossman planned to give a talk outlining this vulnerability at OWASP AppSec, but the talk was cancelled. At this point, some details have come to light. The specifics of the attack may vary. Some variants require JavaScript, Flash, cross-domain access, IFRAMEs, overlays, or a combination of these.

    The attack starts with a malicious web page that may have some unintended consequences. Objects embedded in the page may capture mouse clicks and direct them to a hidden target. Hijacked clicks from users may be used in many ways, including deleting mail, advertisement click fraud, or other, more sinister actions. A demo page demonstrating one possible variation (reads images from a webcam without knowledge of the user) can be seen at the following URL:

    http://guya.net/security/clickjacking/game.html

    Unfortunately, there is no quick and easy fix. Firefox users using the NoScript plugin will thwart the majority of these attacks (make sure you are using version 1.8.1.9 or later!). We will continue to monitor this vulnerability and provide an update when more information is available.


  • ToorCon Report

    October 1st, 2008 by Sean Caulfield

    Greetings from sunny San Diego! The past couple of days have been an absolute blast. The folks at ToorCon have put together an awesome conference this year, including speakers from around the world presenting some cutting edge research.

    Ben Feinstein and I attended a two-day “crash course” in penetration testing offered by Learn Security Online. Chris Gates and Joe McCray presented some excellent introductory material. They also included a few advanced evasion techniques that I hadn’t seen before. It’s always good to sharpen your skills.

    During the Friday seminars, Jay Beale from InGuardians gave an overview of his man-in-the-middle tool, The Middler. He mentioned the code would be released Real Soon Now, so I look forward to a chance to play around with it. Jared DeMott, now at Crucial Security, also gave a rundown of reverse engineering using IDA Pro and the Immunity Debugger. I’m a big fan of Jared’s previous work with fuzzing.

    The first day of the convention was pretty packed. Since I didn’t have the chance to attend Black Hat/Defcon this year, Dan Kaminsky’s DNS keynote and Alex Sotirov’s evasion of Vista’s memory protections were fresh and eye-opening to me. Ben also gave his talk about brute-forcing SSH sessions that use the broken Debian SSL libraries, the code for which is available as part of our open-sourced Snort plugins. Joe McCray also gave a good survey of various advanced SQL injection techniques; I really like his classification scheme for the types of SQL injection. Finally, Kurt Grutzmacher’s squirtle tool for obtaining and reusing NTLM hashes from inside corporate networks via XSS definitely proves that you must secure even internal Web applications.

    Day two’s shorter format squeezed a lot more presentations in, but some of them felt a bit pressed for time. Marc Bevand showed how to crack DES passwords with the PS3, using some awesomely optimized code. Chema Alonso released a tool for downloading remote files via blind SQL injection. Dennis Brown presented some interesting new details on the Asprox/Damnec botnet, which we’ve covered before. The presentation on hacking telephone entry systems elicited a few chuckles, especially the “dial 333 for rickroll” segment. Stephan Chenette’s presentation on browser hooking is an excellent new technique for deobfuscating JavaScript, like our Caffeine Monkey tool. I’ve been really impressed with the convention this year. ToorCon is big enough to attract some high quality presenters, but still small enough that you don’t get lost in the crowd. Hope to see everyone again next year!


  • Speaking at ToorCon This Weekend

    September 23rd, 2008 by Ben Feinstein

    I have the honor of presenting at ToorCon X this coming weekend at the San Diego Convention Center. I will be delivering a new talk entitled “Loaded Dice: SSH Key Exchange & the OpenSSL PRNG Vuln” at 2pm PDT on Saturday, September 27. If you’re in the vicinity of southern California this weekend, I encourage you to make the trip down to ToorCon. Based on my experience as an attendee last year, it is a great smaller con with a strong reputation for very deep technical talks.

    I’ll also be in the Crash Course in Penetration Testing Workshop and the Deep Knowledge Seminars, so maybe I’ll catch some of y’all there too, before the actual conference kicks off Friday evening.


  • Droppin’ Some Hashes

    September 22nd, 2008 by Ben Feinstein

    At SecureWorks, we follow a Responsible Disclosure Policy. As such, when we find vulnerabilities in other vendors’ products or services, there is often a delay between the discovery and when we can publicly disclose the issue.

    The following cryptographic hashes are related to a couple of disclosure processes I kicked off on Thursday, September 18, 2008.

    File #1
    MD5 b0625c8d39e3fcfaf51a577e310eb053
    SHA1 0a8bdb073855eee0d31ff3afb081cf1d8d17c2bd

    File #2
    MD5 c74309900e7b11de5d7f211eb536cdb6
    SHA1 99870aa6a0b4b33a88a2fbfd3eb83ce38bfbb7ce


  • BGP in the News

    September 16th, 2008 by Nick Chapman

    Border Gateway Protocol (BGP), the high level routing protocol that figures out how to route packets between ISPs and other large Internet entities, has been seeing a lot of press recently. While BGP is vitally important to the Internet, it’s not often talked about in the mainstream press. However, two rather interesting security related issues have come up in the past few weeks.

    First, there has been a lot of attention on the BGP hijacking attack demonstrated at DEFCON 16 last month. It has long been known in network operations circles that nothing inherent in BGP prevents a rogue actor from announcing IP space they don’t own. Until recently this attack was seen as useful mostly for denial of service: once a rogue actor starts announcing the target’s IP space, they receive all traffic destined for the target, which makes it very obvious to the target that something bad is going on. It is also easy to trace the bad actor, because BGP records the path a route announcement took, including its point of origin.

    However, Alex Pilosov and Tony Kapela’s DefCon presentation revealed a way to intercept traffic and then route it back to the target. As the victim continues to receive their normal traffic, there is no reason for them to suspect that something malicious is afoot. They also suggested ways to alter the TTL on diagnostic packets to cloak the hijacked route from traceroute and similar IP layer utilities. This means that the target would have to examine BGP tables to discover that their traffic has been hijacked. As most organizations don’t directly use BGP, this results in a pretty stealthy attack.
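    The kind of BGP table check the paragraph above says a target would need is shown below as an added example (not code from the post or from any vendor): given the prefixes an organization originates and its known upstreams, it flags announcements of those prefixes with a foreign origin AS, more-specific announcements that would draw the traffic away, and announcements with the right origin but an unexpected adjacent AS. The ASNs, prefixes and route table are constructed from documentation ranges (RFC 5398 and RFC 5737).

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Announcement:
    """One route as a route collector or looking glass shows it.

    as_path lists the ASes the announcement traversed; the last entry is the
    origin AS, the one before it is the neighbour that propagated it.
    """
    prefix: str
    as_path: tuple


# Constructed: what "we" originate and who legitimately carries it.
OUR_AS = 64500
OUR_PREFIXES = ["192.0.2.0/24", "198.51.100.0/24"]
OUR_UPSTREAMS = {64497, 64498}

# Constructed table as seen from a collector in AS64496.
SAMPLE_TABLE = [
    Announcement("192.0.2.0/24", (64496, 64497, 64500)),     # legitimate
    Announcement("198.51.100.0/24", (64496, 64498, 64500)),  # legitimate
    Announcement("192.0.2.128/25", (64496, 64499, 64511)),   # more-specific, stranger origin
    Announcement("198.51.100.0/24", (64496, 64511)),         # our prefix, foreign origin
    Announcement("192.0.2.0/24", (64496, 64510, 64500)),     # our origin, unknown neighbour
    Announcement("203.0.113.0/24", (64496, 64499)),          # not ours, ignored
]


def audit_table(table, our_as=OUR_AS, our_prefixes=OUR_PREFIXES,
                upstreams=OUR_UPSTREAMS):
    """Return (kind, prefix, offending_as, as_path) tuples for suspect routes."""
    owned = [ipaddress.ip_network(p) for p in our_prefixes]
    findings = []
    for ann in table:
        net = ipaddress.ip_network(ann.prefix)
        origin = ann.as_path[-1]
        for own in owned:
            if net.version != own.version:
                continue  # subnet_of() rejects mixed IPv4/IPv6 comparisons
            if net == own:
                if origin != our_as:
                    # Classic hijack: someone else claims to originate our block.
                    findings.append(("foreign-origin", ann.prefix, origin, ann.as_path))
                elif len(ann.as_path) >= 2 and ann.as_path[-2] not in upstreams:
                    # Origin looks right but the path enters via an AS we do not
                    # peer with; worth a second look, not proof by itself.
                    findings.append(("unexpected-neighbour", ann.prefix,
                                     ann.as_path[-2], ann.as_path))
            elif net.subnet_of(own):
                # A more-specific wins longest-prefix match whoever originates it,
                # so it pulls traffic away from our legitimate announcement.
                findings.append(("more-specific", ann.prefix, origin, ann.as_path))
    return findings


if __name__ == "__main__":
    for kind, prefix, asn, path in audit_table(SAMPLE_TABLE):
        print("%-20s %-18s AS%d  path=%s" % (kind, prefix, asn, path))
```

    A real deployment would feed this from a route collector or looking glass on a schedule, since the interception variant leaves the victim’s own traffic flow looking normal.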

    The other BGP related issue in the news recently is the depeering of Atrivo. BGP is designed to connect networks administered by independent, autonomous groups. This requires each autonomous system (AS) to connect to various peers (including a kind of paid peering known as a transit link - see this for more info) to maintain connectivity. A white paper was recently released by Jart Armin describing a large amount of malicious activity on a service provider network known as Atrivo. This included details on how the malicious sites have lingered on the network for years, despite being reported to the Atrivo abuse department. That report has been publicized in a variety of places, including the Washington Post.

    This spawned a discussion on the North American Network Operators’ Group (NANOG) mailing list regarding Atrivo. A number of Atrivo’s peers have severed their connections with them, making it more difficult for them to route traffic. Despite the large amount of information on the abuse coming from Atrivo’s network, a number of network operators expressed concerns: that one man’s malicious traffic is another man’s censorship or copyrighted traffic, that this should be handled by law enforcement, that conspiring to keep the Internet clean may lead to legal liability, and an interesting discussion on whether providers should have to prove the cleanliness of their networks.


  • The Phish That Bites Back

    August 25th, 2008 by Joe Stewart

    We all get phishing emails. Some of us more than others, so it’s no surprise that sometimes people take out their frustrations on the phishing form, letting the phisher know just what they think of him or her.

    While it might make you feel better, it isn’t always a good idea. For instance, if you were to do this on a phishing page hosted by the Asprox botnet, you might get more than you bargained for. The Asprox phishing form backend has a bit of extra logic added to it. If the form looks like it has been filled out with legitimate data, you get redirected to the main page of the bank website.

    However, fill it out incompletely or use certain words like “phish” or NSFWUYAS (Not Safe For Work Unless You’re a Sailor) language, and your browser will be subjected to a number of exploits. If you are running Windows and haven’t recently installed your security updates and patched all your browser plugins/ActiveX controls, you might find yourself infected with your very own copy of Asprox.

    Not only do you then get the opportunity to unknowingly send phishing emails on behalf of the botnet, you will likely get some extra goodies, since Asprox is also a downloader trojan. You won’t notice it running, but you might notice some of the things it downloads and installs.

    For instance, you might find your desktop wallpaper changed to a “spyware alert” type of message, and now all your screensaver shows is scary blue-screens-of-death. Of course, if you’re familiar with the Windows desktop properties dialog, you can change all that back, right?

    Oops. The rogue antivirus program has removed that functionality for you. But hey, at least it gives you a chance to look over the license agreement, right?

    Except you’ll notice the lack of an “I disagree” or even a “close window” button at the top of the dialog (which can’t be minimized, and stays on top of all your other windows). So there’s no easy way to continue using your computer without clicking on the “Agree and install” button. But don’t worry, Antivirus XP 08 has already installed itself, whether you click through the license agreement or not. Eventually you will see this:

    Of course, you’re not infected with everything this program says you are - it’s scareware, designed to get you to fork over $50 or $100 in order to clean your system of all these nasty threats. But it doesn’t actually detect or clean anything, especially not the Asprox bot you’re hosting now.

    And at any time, Asprox might deliver another malicious payload and install it for you - and it could be much worse: we’ve seen the Zbot banking trojan installed by Asprox in the past. So instead of dealing with a nuisance program, you might be silently sending your banking and credit card information to the botnet owners. Something to think about before venting your frustrations on the bad guys. Sometimes phish bite back.
