Security Corner


August 14, 2010  7:14 PM

What the Heck Are Botnets?

Ken Harthun Ken Harthun Profile: Ken Harthun

Yes, I know that this is an old topic and almost everyone knows about them by now. Or do they? In my tech support activities, I run into all different levels of PC savvy (and lack thereof). The other day, I was explaining in detail a phishing attack that a client had fallen for. I pointed out all of the obvious hints that the email was bogus and gave her some great tips on how to spot them. She was insistent that the email “came from [a family member]” and that’s why she opened it. I told her that it likely came from one of the spam botnets, not a family member and that the address was spoofed. I was greeted with one of the blankest blank stares I think I’ve ever seen, followed by “What the heck is a botnet?”

So, for those of you who may not know, here’s a rundown of what botnets are and where you can go for even more in depth information.

Botnets are networks of computers that criminal hackers (Crackers) have infected and grouped together under their control to propagate viruses, send illegal spam, and carry out attacks that cause web sites to crash. Most phishing emails like my client received are sent through spam botnets.

You can think of them in this way: “A botnet is comparable to compulsory military service for windows boxes” – Stromberg (http://project.honeynet.org/papers/bots/). The users often have no choice in the matter; their machines are surreptitiously infected when they click on a link or visit an infected website.

What makes botnets exceedingly bad is the difficulty in tracing them back to their creators as well as the ever-increasing use of them in extortion schemes. How are they used in extortion schemes? Imagine someone sending you messages to either pay up or see your web site crash.

Botnets can consist of tens, or hundreds of thousands of compromised machines. With such a large network, botnets can use Distributed denial-of-service (DDoS) as a method to cause mayhem and chaos. For example a small botnet with only 500 bots can bring corporate web sites to their knees. They do this by using the combined bandwidth of all the computers to send a continuous stream of requests to corporate systems and thereby cause their web site to appear offline.

One well-known technique to combat botnets is a honeypot. Honeypots help discover how attackers infiltrate systems. A Honeypot is essentially a decoy machine that one intends to be compromised in order to study how the hackers break the system. Unpatched Windows 2000 or XP machines make great honeypots given the ease with which one can take over such systems.

If you’re interested in finding out more about honeypots, a great site to visit is The Honeynet Project which describes its own site’s objective as “To learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned.”

Know your Enemy: Tracking Botnets is an in-depth paper written by several members of The Honeynet Project. Here’s what they say about it: “In this paper we look at a special kind of threat: the individuals and organizations who run botnets.”

Botnets are, after all, run by criminals for criminal purposes. It’s a fascinating study.

August 14, 2010  6:14 PM

Bogus Emails Look Legitimate, But Contain Malware

Ken Harthun Ken Harthun Profile: Ken Harthun

I’m always curious what these bogus emails contain and lately I’ve gotten several variations on this theme:

From: ruminateh@rogue-research.com
Subject: Status
Attachment: IMG_1746.zip

Hi,

I have your DVD's ready but I'm burning the Blu-Ray's today. I expect them to be ready for tomorrow.

Here is a pictures of my wife and I at my wedding since you had mentioned you'd like to see a picture.

Marquita

One of the messages’ subject lines read, “FW: Resume as discussed.” Since I had just sent out a couple of them, I almost fell for that one:

Attachment: Resume.zip
I have forwarded your resume to Jerel for consideration. He is the Worley Parson’s director for NNSA work all over the country. Would you consider moving?

These look legitimate at first blush; but, as you might suspect, they contain malware. In the first case, the file contained IMG_1746.exe which Sunbelt Labs reports as FraudTool.Win32.AVSoft (v). The second one contained Resume.exe which is the same Trojan in a different guise.


August 13, 2010  5:01 PM

Hacking Skills Challenge – Uncle Arnold’s Local Band Review

Ken Harthun Ken Harthun Profile: Ken Harthun

With the completion of Hacking Skills Challenge #11 back in May (wow! time flies), we’ve now entered the realm of realistic missions. As always, things start out relatively easy, then escalate into the stratosphere.

But first, let me point out that when you go to the site, there is always a witty, poignant or otherwise pithy, but often true, quote. Here’s the one I just encountered: “If you ask the government for permission to protest it, you deserve to be told no.” –Manhattan Libertarian Party Chair, Jim Lesczynski.”

OK. So, let’s take the first challenge and see what gives:

Uncle Arnold’s Local Band Review
Your friend is being cheated out of hundreds of dollars. Help him make things even again!
Difficulty rating: Easy.

So, here’s the challenge we get upon entering:

From: HeavyMetalRyan

Message: Hey man, I need a big favour from you. Remember that website I showed you once before? Uncle Arnold’s Band Review Page? Well, a long time ago I made a $500 bet with a friend that my band would be at the top of the list by the end of the year. Well, as you already know, two of my band members have died in a horrendous car accident… but this [expletive deleted] still insists that the bet is on!

I know you’re good with computers and stuff, so I was wondering, is there any way for you to hack this website and make my band on the top of the list? My band is Raging Inferno. Thanks a lot, man!

Sounds like a plan! Let’s get into it. It’s really almost too easy.

Visit the site and view the page source. Note that it uses “v.php” with the GET method to record the votes. There are two hidden inputs: PHPSESSID and id; you’ll need to use both of these. What we’re going to do is use the address bar to pass a very high value to the server and move Raging Inferno to the top.

Copy the value of PHPSESSID and note the id value (yours may be different than what I show here). Using the values for PHPSESSID and id, construct this URL: http://www.hackthissite.org/missions/realistic/1/v.php?PHPSESSID=abcaeadfc31a5c43b2534bf995c0553f&id=3&vote=99 and submit it.

If you’ve done everything right, you’ll see a blue button on the next page that says “Go On.” Clicking that button takes you to the next mission.

Congratulations!


August 11, 2010  6:58 PM

Why DNS Rebinding Is in the News Again

Ken Harthun Ken Harthun Profile: Ken Harthun
Figure 1

Linksys Router

As old as this issue is, you’d think it would be solved by now; in fact, everyone thought it was. Many browsers and plug-ins protect against it. But it showed up in a different form that no one had considered until it was  revealed at Black Hat. The hacker discovered that not only can you browse to your router’s web browser using the private gateway IP (192.168.xxx.xxx or whatever), you can also get there using its public IP–the address on WAN IP–even if you have disabled remote administration from the WAN side. Steve Gibson, in his usual, thorough manner, analyzed the matter in Security Now! episode 260.

And so the next-generation attack that was revealed last week, which I’m sure all of the various firmwares are in the process of scrambling around to fix right now, solves, well, what it does is it gets around the blocks against internal LAN access IPs by using your public IP. And of course the remote DNS server gets your public IP because that’s the IP from which the request comes to it. It’s emitted by your computer, asking for the IP address of attacker.com. Well, that comes from your public IP. So it’s able to return the public IP to the [attacker] script running in a plug-in, which then knows how to get around the use of private IPs on the LAN to access your router.

Everyone should immediately check this list to see if your router is vulnerable. If it is, then you should go to the manufacturer’s website to check for firmware updates to your router.


August 6, 2010  8:06 PM

Microsoft Issues Emergency Out-of-cycle Patch for Windows Shell Vulnerability

Ken Harthun Ken Harthun Profile: Ken Harthun

You probably heard all about Microsoft Security Bulletin MS10-046 – Critical Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198). Microsoft actually issued a FixIt workaround last week; but, as many people found out, it wrecked the icons on their desktop causing them to display as white squares with no graphics.

On Monday, Microsoft issued a rare out-of-cycle patch to permanently fix the vulnerability. However, applying the patch does not disable the workaround, so those who used the FixIt solution will need to go here and use the “disable workaround” button. According to The Register, “. . . Microsoft released the update outside of its normal patching schedule because the vulnerability is being actively targeted. When the flaw first came to public attention three weeks ago, it was being used to attack SCADA — supervisory control and data acquisition — systems that control sensitive equipment at power plants, gas refineries, and other other critical infrastructure.”

Be sure all your machines have this one.


July 31, 2010  12:56 PM

How to Avoid Online Shopping Scams – Part 2

Ken Harthun Ken Harthun Profile: Ken Harthun

[Part 1 covered five ways to avoid online shopping scams. This second, and final, installment covers the remaining five. Again, this is a heavily-edited article whose original version is posted at http://www.tomtop.com/blog/antiscam/. I had to edit the article heavily because its English is quite fractured. In that source posting, there appears to be tacit consent to reprinting with attribution. The writer(s) posted this in the comments section of "How to Recognize and Avoid Email Scams - Part 3," but it's worthy of a post of its own.]

6. Check whether the merchant supports Business Bank Account payment–A company running a trustworthy shopping site will be a legitimate business and  will have a business bank account.  When you do a large wholesale business involving in large orders, there should be some option to make direct payment  to the company bank account.

7. Check whether they have a customer support or feedback forum–Customer comments, views and experiences of using the product will help future customers to make a buying decision. An honest business will allow customers to write product reviews, forum, blog, and third-party social networks (facebook, twitter, YouTube) comments to express their views and opinions. It’s a good bet that if there is no provision for customer feedback at an online store, there’s something wrong. Steer clear.

8. Check whether the site is professionally designed–Details often determine success or failure. Professional B2C sites must  pay close attention to details. The site will often provide coupons, an affiliate program, help before ordering , post-sale assistance and many other services. The site will also provide detailed company information and a clear return policy. Scam sites usually will not waste time on these details; of, if they appear to provide these things, they often won’t work properly.

9. Check whether they support face to face transactions–Does the company have a valid physical location? Can you actually visit their storefront and buy from them? This is essential when you are dealing in large transactions. If you cannot locate the business and have no way of meeting a real person face to face, then be careful.

10. Practice is the sole criterion for testing truth–If all of above are not sufficient to judge whether the business is a cheater or not, you can place a small order to test. Even if they are scamming, the loss willl not big. In fact, the scams will often ignore your small orders and directly refund or ask you to add more.

In general, Online shopping has brought us convenience and many other advantages. In the main, most online businesses are honest. For those who aren’t, if you keep in mind the 10 things here, you will be able to spot the scammers before they get your money.


July 30, 2010  11:07 PM

How to Avoid Online Shopping Scams – Part 1

Ken Harthun Ken Harthun Profile: Ken Harthun

[What follows--in two parts--is a heavily-edited article whose original version is posted at http://www.tomtop.com/blog/antiscam/ if you want to read it. I had to edit the article heavily because its English is quite fractured. In that source posting, there appears to be tacit consent to reprinting with attribution. The writer(s) posted this in the comments section of "How to Recognize and Avoid Email Scams - Part 3," but it's worthy of a post of its own.]

With the rapid development of e-commerce, Internet scams have become more and more prevalent. According to a report by the U.S. Federal Bureau of Investigation (FBI) , phishing caused losses of 265 million dollars in 2008 and more than doubled to 560 million dollars in 2009.  Since 2004, [the writers of this report] have engaged in e-commerce and have struggled with a variety of scams. Consequently we have accumulated rich experience in scam prevention.  We believe that the following 10 unique anti-scam prevention skills, leave the scammers nowhere to hide.

1. Check Domain registrar information–As we all know, great companies tend to survive; longevity is often a key to trustworthiness. You can get all of the information you need here: http://whois.domaintools.com/, including age, registered name and business address.  The longer the site has been registered and the more detailed the registrar information, the higher credibility the site has.

2. Check whether they have business in authoritative third-party trading platform–In general, a good merchant will use authoritative third party trading platform selling products, in order to improve their market share, at the same this is a symbol of strength. Common third-party trading platform are Alibaba, eBay, Amazon, etc. These third-party trading platforms are transparent and fair. In particular, the credibility of their evaluation system is perfect. You can obtain more objective information from them.

3. Check whether they pass the third-party network security certification–McAfee and Versign are the world’s most authoritative network security certification. Fortune 500 companies usually pass their certification. Their certifications have strict business identity confirmation systems and they frequently perform site scans to ensure that the site is free of trojan horses, viruses, spyware and other threats. If a site does not have such certification, please be careful when purchasing products from them. (Note: Many sites just hang a symbol, yet have not been authenticated. You should be especially careful about these sites.)

4. Check whether there exists a price trap–Online shopping scams often rely on prices that are incredibly far below market price, producing an impulse to buy immediately. At this moment, remember to be calm, extremely low price for a brand name product probably means the product is defective, an imitation, refurbished, etc. Sometimes it’s just an outright theft and you’ll never see the product. Of course, sometimes an honest merchant may offer clearance, discounts, payment coupons, so please check the site by other methods, too.

5. Check whether they support PayPal payments–PayPal provides good buyer protection. If a customer does not receive goods or received goods do not match the description, he can initiate a dispute within 45 days and get full unconditional refund. Moreover, frequent complaints by customers about merchants who sell a large number of fake or shoddy products will result in suspension of the scammer’s PayPal account.

I’ll continue this post in Part 2 and wrap it up.


July 29, 2010  6:49 PM

Pardon Me, Steve

Ken Harthun Ken Harthun Profile: Ken Harthun

MySpace Layouts Consider me duly humbled. I took Steve Gibson to task for reporting on the DNS Rebinding attack that has been in the news. I thoroughly misunderstood Steve’s take on it. Here is exactly what he said in the Security Now! episode 258:

I want to discuss this in detail in two weeks because it’s an interesting type of attack that we haven’t discussed in the past. It’s been around and has been known for a while. And it’s sneaky. And it will make for a great detailed coverage in two weeks. It’s called a DNS Rebinding Attack. And it’s in the news now because someone named Craig Heffner is going to be presenting at the Black Hat conference at the end of this month his presentation titled “How to Hack Millions of Routers.”

Pretty clear, don’t you think? Well, it is–now that I look back on it–but you know how emotion can get in the way sometimes. Here’s our email exchange:

Me: Hi Steve, I’ve been a loyal Security Now! listener since Episode 1 and I value your insight on current security issues. Haven’t missed a single episode (If I did, I’d have withdrawal symptoms!) However, I have to take issue with your reporting in Episode #258, that there is something new about what is really an old, stale issue: DNS Rebinding Attacks. It seems that when someone wants some attention (not referring to you, of course) they take a new twist on this one. In other words–different guy, same vulnerability.

Steve: Hi Ken! Thanks very much for your note.  I certainly agree with you that DNS Rebinding has been around for awhile, and I did also mention that last week.  Mostly the reason I’m bringing it up is that active attacks using it are around again … but more than that … because it’s something that we’ve never covered in detail on the Security Now podcast and I think it’s a clever and conceptionally interesting vulnerability/hole/glitch.  It also perfectly demonstrates, I think, the inherent trouble with the ever-growing complexity of our systems.

Me: Hi Steve, So good to hear from you. Thanks for the clarification. DNS Rebinding certainly is a clever trick and am definitely going to be looking forward to your analysis of it. You’re not kidding about complexity in our systems being the inherent trouble. As you say “complexity is the enemy of security.” That’s one of my mantras.

Steve: Hi again Ken… I’ve also just realized that I can add DNS Rebinding Attack protection detection to my (still) forthcoming DNS Benchmark.  I’m already detecting and alerting users to domain name error (NXDOMAIN) redirections.  So checking for rebinding protection would be very cool too! :) Thanks again for your note!

For the record, I goofed. I should have thought it out a bit before I hit the Send button, but it resulted in a very pleasant exchange with a guy I respect, so I guess it’s all good.


July 29, 2010  5:57 PM

Why People Are Complacent About Security

Ken Harthun Ken Harthun Profile: Ken Harthun

Every day I see another example of an insecure system. When I inquire about it, I’m told things like “Oh we used to keep up with it, but we haven’t had any problems” or “We don’t use that program anyway.”

I’ve always wondered: Why are they so complacent? I think I’ve finally figured it out: The ones who are so complacent are the ones that have never had anything bad happen to their systems.  For example, I have left my garage door open on occasion. Anyone could have walked into my house and taken anything they wanted; it didn’t happen. In fact, the one time I was robbed, 38 years ago, was when everything I owned was so securely locked, the thieves had to break the door frames on my house and smash my car windows.

Now, I don’t take any unusual chances, but, in truth, nothing bad ever happens to me, so I really don’t worry about security. This has to be why a lot of people go “ho hum!” when I talk about security. It’s like “Why bother? Nothing bad has or will happen to me.”

Well, given today’s environment (see my recent Secunia post), most people are simply whistling past the graveyard. Sooner or later, something is going to happen; maybe not today, maybe not next week or next month, but it’s inevitable.

What do you think?


July 27, 2010  1:41 AM

Secunia Half Year Report 2010 Paints a Bleak Picture

Ken Harthun Ken Harthun Profile: Ken Harthun

Secunia, the firm who provides the Personal Software Inspector (PSI) that detects vulnerable and out-dated programs and plug-ins, has just released  their first Secunia Half Year Report. In the report, Secunia looks at the last five years in terms of vulnerabilities, the threat posed by them and the outlook for 2010 based on the data acquired during the first six months of this year. The news is not good:

The overall conclusion is that despite considerable security investments, the software industry at large still proves unable to produce software with substantially less vulnerabilities, highlighting the continued need for Vulnerability Intelligence and Patch Management.

Further, the report shows an alarming development in 3rd party program vulnerabilities, representing an increasing threat to both users and business, which, however, continues to be greatly ignored. This trend is supported by the fact that users and businesses still perceive the operating system and Microsoft products to be the primary attack vector, largely ignoring 3rd party programs, and finding the actions to secure these too complex and time-consuming. Ultimately this leads to incomplete patch levels of the 3rd party programs, representing rewarding and effective targets for criminals.

What’s interesting is that since 2005 in more than 29,000 products covered by Secunia’s intelligence, no significant up- or downward trend in the number of vulnerabilities could be discerned. But that just means that software is still just as insecure as it was five years ago; no progress is being made. Not surprising, ten vendors, including Microsoft, Apple, Oracle, IBM, Adobe, and Cisco account for an average of 38 percent of all vulnerabilities disclosed on a yearly basis. Further highlights:

  • In the two years from 2007 to 2009, the number of vulnerabilities affecting a typical end-user PC almost doubled from 220 to 420, and based on the data of the first six months of 2010, the number is expected to almost double again in 2010 to 760.
  • During the first six months of 2010, 380 vulnerabilities or 89% of the figures for all of 2009 has already been reached.
  • A typical end-user PC with 50 programs installed had 3.5 times more vulnerabilities in the 24 3rd party programs installed than in the 26 Microsoft programs installed. It is expected that this ratio will increase to 4.4 in 2010.

Secunia is testing its own Auto Update technology that will work with a broad variety of programs from a number of different vendors. They plan to release a version later this year with the intention to significantly improve the security of home users’ PCs.

Kudos to them, I say; it’s just a shame that the vendors themselves don’t take a more proactive role. That’s what absolutely must happen if we’re ever to get ahead of the curve.


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: