Monday, June 6, 2011

Hack-a-thon has started

So it's official, it's a free-for-all hacking contest on a world-wide basis. Up until now, we suspected - kind of knew - that governments had cyber-armies to act offensively or defensively against other organizations or enemy nations.

Stuxnet told us how some countries see the internet as the next battlefield. It was possible to make a very targeted and effective attack while keeping the identity of the organization pretty much anonymous. Yes, we all kind of know that it was the US or Israel or both but there's no official word being said about it. This is very handy to keep nice diplomatic relations going unchanged.

But apparently, all this changed this week when news surfaced that MI6 (the British intelligence agency) hacked into the Al-Qaeda online magazine and replaced their bomb-making how-to guides with cupcake recipes. Read more on it here. As ridiculous as this story may seem, it tells us something very important, in my eyes: government agencies hack and they're not afraid to tell us.

In my opinion, this is as stupid as planting bombs into their training camps or killing their leader in his summer house in Pakistan. Why? Because this gives them a place to direct their newfound anger. If the hack is kept anonymous, they can be mad but they won't know at whom. Now they have a new somebody to hate (yeah, long list...). Not smart.

As anybody who has played Diplomacy in their lifetime knows, you can attack your neighbor, you just need to keep a straight face about it. Just sayin'...

Friday, May 21, 2010

More Blackhat SEO stuff

I've been investigating Blackhat SEO attacks lately. I find these to be on the rise and I reckon they must be quite effective at directing traffic to the bad guys' sites. Most of the bad sites I find end up pointing the visitor's browser to a fake antivirus download site to try and scam the user.

Some others aren't quite so obvious. There's this PHP script being uploaded onto PHP-enabled servers that I find quite interesting. This trend.php accepts any combination of words as parameters, googles them and creates a mish-mash of a page with related pictures and other information which, at first glance, might look legitimate. This is an example of the script when called with the words "trend micro":

As you can see, the HTML layout is decent enough that a casual observer might think this is a real page with information, and there is no malicious redirection after all. So what is this and what is it being used for? What does the bad guy gain by compromising web sites and uploading this script onto them?

I can only think of the following:

These pages are not meant to be seen by human eyes. They have been created to be crawled by search engine bots and look legitimate to them. The authors of the script want it to be positioned highly on Google.

These pages contain a very high number of links to other similar pages on other domains. When one of them scores high on Google for the set of terms it contains, all the pages in its "SEO ring" will too. Once they reach a very high score, I'm guessing the bad guys will add the redirection payload to the page. In the meantime they're sleepers, behaving nicely in front of the Google bot.

Since they're not dangerous at the moment, I'm not blurring out URLs. If you want to take a look at these, just google "inurl:images/trend.php" (by the way, there's no relation between the script name and the company name, it's just coincidence).
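A defender-side heuristic for spotting these doorway pages, added here as an example and not part of the original post: it parses a page's links and reports how many point off-site, how many distinct domains they reach, and which external path is shared by the most domains (the same trend.php installed on each compromised host). The thresholds and the two sample pages are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collects every <a href="..."> target on a page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if href:
            self.hrefs.append(href)

def ring_report(html: str, page_url: str, min_links: int = 20,
                min_ratio: float = 0.8, min_domains: int = 10) -> dict:
    """Flag a suspected SEO-ring doorway page: nearly all links leave the site and
    fan out over many domains. Thresholds are assumptions, not figures from the post.
    Also reports the external path shared by the most domains; on a ring that is the
    same doorway script installed on every compromised host."""
    own_host = urlparse(page_url).netloc.lower()
    parser = LinkCollector()
    parser.feed(html)
    parsed = [urlparse(h) for h in parser.hrefs]
    external = [u for u in parsed if u.netloc and u.netloc.lower() != own_host]
    hosts_by_path = {}  # path -> set of external hosts linked at that path
    for u in external:
        hosts_by_path.setdefault(u.path, set()).add(u.netloc.lower())
    domains = set().union(*hosts_by_path.values()) if hosts_by_path else set()
    top_path, top_hosts = max(hosts_by_path.items(), key=lambda kv: len(kv[1]),
                              default=("", set()))
    ratio = len(external) / len(parsed) if parsed else 0.0
    return {
        "links": len(parsed),
        "external_ratio": round(ratio, 2),
        "external_domains": len(domains),
        "shared_path": top_path,
        "shared_path_domains": len(top_hosts),
        "suspicious": (len(parsed) >= min_links and ratio >= min_ratio
                       and len(domains) >= min_domains),
    }

# Constructed sample: a doorway page linking the same script on 30 other hosts
FARM_HTML = "<html><body>" + "".join(
    f'<a href="http://site{i}.example/images/trend.php?q=trend+micro">trend micro</a>'
    for i in range(30)) + "</body></html>"
# Constructed sample: an ordinary page whose links are mostly internal navigation
NORMAL_HTML = "<html><body>" + "".join(
    f'<a href="/page{i}.html">page {i}</a>' for i in range(25)
) + '<a href="https://example.org/">partner</a></body></html>'
```

Run over a crawl of your own site, the `shared_path_domains` count is the signal to watch: legitimate pages rarely link the same path on dozens of unrelated hosts.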

Comments? Ideas? Let me know.

Friday, April 9, 2010

How I got scammed and how you can avoid it

The worst thing about being scammed in my case is that I deal with scams in my job every day so I should know better, but when they hit me this time, I didn't see it coming.

It was about a month ago. I was looking for USB drives on eBay and I found this seller with about 7,000 feedback selling pretty cheap 32 GB USB drives. After following his auctions for a couple of days I finally won one of them for 18 GBP, about $28 with free shipping from China. It was only after I paid for it that I continued looking at other similar items and saw another seller with more expensive prices stating "this is more expensive because it's not a fake item, like most others being sold on eBay". Something dawned on me: is there such a thing as a fake USB drive?

A simple Google search set off all my alarms. I found the central site for victims of fake flash drive scams, SOSFakeFlash, which keeps a blacklist of known fake USB sellers on eBay. Of course my seller, obamastores, was on it. I tried to back out of the sale and get a refund, but the seller only replied the next day saying that the item was already in the mail. Crap! I waited two weeks until it finally arrived. By then I had already downloaded h2testw, a tool to check the real size of the drive. Yes, it reports 32 GB to Windows, but that's because the controller has been "fixed". In reality it's a 4 GB drive, probably a factory reject if the terrible speed of the drive was any indication.

So I immediately left negative feedback stating that this was a scam. The seller contacted me pretty fast, apparently shocked at the discovery that this was a fake drive. He offered me a refund only if I sent the item back to China. Now, there are three things here:

1) This costs money so I wouldn't really get a full refund of my money.
2) He would use it to scam somebody else, and
3) Sending known counterfeit items in the mail is illegal.

So I let him know that the item was not usable and I didn't want to spend money on mailing it back. The scammer then told me he'd refund the money only if I took back my negative feedback. That's their main concern: negative feedback is their bane, because eventually eBay will notice if enough people complain. I rejected the offer and opened an eBay complaint, where they told me that I had to send the item back; there was no other way. I refused.

I didn't give up though. I opened a Paypal complaint reporting this as a counterfeit item and the seller as a scammer, which he is. Paypal refunded me the full amount, no questions asked, but I did point out that the seller was already blacklisted as a scammer. This guy knows what he's selling!!

The beautiful part of the story is that the SOSFakeFlash site has a very good community of people trying to get this particular seller suspended so we are trying to contact other buyers to let them know they've been victims of a scam.

The fact is that most people only insert the drive into the USB port, check that Windows reports 32 GB and are happy with that. When they finally fill up the 4 GB and any further data is lost, they'll realize it's a fake drive, but by then it'll already be too late: the positive feedback has been left and the 20 days Paypal gives for complaints are up.

I was lucky to get my money back, but from the looks of it many people aren't aware of this scam. When I paid this guy on March 14th he had 7,000+ feedback. Today he's over 10,000. That's a lot of people scammed and a lot of money made. So the lesson to learn here: not all that glitters is gold. Beware of eBay bargains.
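The check h2testw performs, written out here as an added example (my own reconstruction of the method, not h2testw's code): every block of the advertised size gets a unique pattern, everything is written and then read back, and the number of blocks that come back intact is the drive's real capacity. FakeDrive is a constructed model of a "fixed" controller that wraps writes past its real flash; against a physical drive you would read and write the raw block device instead.

```python
import hashlib

BLOCK = 4096  # test block size; h2testw writes far larger files, scaled down here


def pattern(index: int) -> bytes:
    """Unique, deterministic content for block `index`, so a readback shows not only
    that a block is wrong but which block's data landed in it."""
    seed = hashlib.sha256(b"capacity-probe-" + index.to_bytes(8, "big")).digest()
    return seed * (BLOCK // len(seed))


def probe_capacity(drive, advertised: int) -> dict:
    """Write a pattern into every block of the advertised size, read everything back
    and count surviving blocks. Works whether the fake controller wraps writes
    around (early blocks come back holding later blocks' data) or drops them."""
    nblocks = advertised // BLOCK
    for i in range(nblocks):
        drive.write(i * BLOCK, pattern(i))
    owner = {pattern(i)[:32]: i for i in range(nblocks)}  # digest -> block index
    ok, wrapped = 0, False
    for i in range(nblocks):
        data = drive.read(i * BLOCK, BLOCK)
        if data == pattern(i):
            ok += 1
        elif owner.get(data[:32], i) > i:
            wrapped = True  # a later block's write overwrote this one
    return {"advertised": advertised, "real": ok * BLOCK, "wrapped": wrapped}


class FakeDrive:
    """Constructed stand-in for a counterfeit drive: reports `advertised` bytes to
    the OS but holds only `real` bytes of flash, wrapping writes past the end."""

    def __init__(self, advertised: int, real: int):
        self.advertised, self.real = advertised, real
        self.flash = bytearray(real)

    def write(self, offset: int, data: bytes) -> None:
        for k, b in enumerate(data):
            self.flash[(offset + k) % self.real] = b

    def read(self, offset: int, length: int) -> bytes:
        return bytes(self.flash[(offset + k) % self.real] for k in range(length))


if __name__ == "__main__":
    # "32 GB" on the label, 4 GB of real flash, scaled to blocks for the demo
    fake = FakeDrive(advertised=32 * BLOCK, real=4 * BLOCK)
    print(probe_capacity(fake, fake.advertised))  # real == 4 * BLOCK, wrapped True
```

The point of the per-block patterns is the `wrapped` flag: a drive that merely reads back garbage is broken, while one where block 0 holds block 28's data has a controller that was deliberately reprogrammed to lie.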

Thursday, March 25, 2010

Google and China

So this week, Google finally announced that they were leaving the Chinese market, as we all expected. The end result was that their searches were being redirected to the equivalent search results from the Google Hong Kong site. These uncensored results are displayed in simplified Chinese, so they are targeted at the People's Republic. That's a very clever way of bypassing the Chinese law that dictates that searches for certain terms within China have to be censored. That very law is what enacted the Great Firewall of China, which blocks many web sites from being accessed from inside the country. I'm not sure the Hong Kong redirection will be very effective in reality, though, because if a Chinese person searches a censored topic and Google HK provides a list of real-world uncensored results, that person will still be unable to access those sites from within the Great Firewall of China. It would be sort of like making the wall transparent: you can see through it but you're still trapped behind it. I could be wrong, but it looks as if the Google stand for liberty is pretty futile.

What's worse, if they try to serve the sites from their cache, they run the risk of being blocked by the Chinese government, therefore leaving their HK site outside the wall too.

Google have marketed their move out of the country very cleverly, as the defenders of democracy and free speech, but I'm not very clear on what their real intent is. There's a theory that says that their business in China was doomed to begin with, that they can't possibly beat Baidu as the number one search engine in the mid-term and they already wanted out. If this theory were true, Google would be using the free speech fight as a way of covering their retreat. Whatever their real reason is, there's something nobody can deny: they are masters at marketing.

Friday, March 12, 2010

It's botnet shutdown season

Lately it seems to be botnet-takedown season. For one, Microsoft went the legal route and asked a judge for permission to reroute domain name servers related to the Waledac botnet in order to shut it down permanently. Actually, the process is more complicated than that, but the domain server procedure was the only non-technical step that needed external approval.

Then Panda announced that, after a few months of investigation, they had provided enough data to the police for them to apprehend three criminals behind a huge botnet managed from Spain. Second takedown of the month, and a pretty big one at about 13 million bots involved.

Finally, a few industry researchers followed quite a few Zeus command and control servers to a single provider and managed to cut its internet connection, therefore stopping those botnets from working at all. After a few reconnections and counter-attacks by the provider, apparently it's shutting down for good. Third takedown of the month!

These three stories have a single enemy in common: botnets. They have quickly become the biggest enemy of the computer user, but that's not new. What's more recent is the fact that they have become so popular among criminals as a quick way of making money that the criminal underground is teeming with new tools to create and maintain botnets for profit. This "new" software category has become a market that criminals are exploiting to trade with other criminals. Of course there's also fraud in there, but who are you going to complain to if a fellow criminal scammed you? There are figures like the garant (guarantor) who can verify that the seller is legit. It's some sort of escrow system where trusted people check the product before the transaction goes through. It's like a real market where malware weapons are exchanged for money.

Botnet DIY kits like Zeus are being sold for thousands of dollars. Piracy is so rampant that the Zeus author has put anti-piracy measures in place. Now there are other groups that regularly crack those protections and sell pirated versions of the kit for a lower price. Honor among pirates is a thing of the past, and the poor user is the one who will suffer.

The only hope we have is to keep hammering C&C centers, disconnecting them from the internet until they all get the message that letting criminals establish botnets is as bad as being accomplices of the criminal act. This is the only way of getting rid of "bulletproof" hosting providers that ignore abuse complaints and are uncooperative with the police. I hope we keep taking botnets down... it's been a good month.

Thursday, February 25, 2010

Kneber say never

The Zeus malware has been featured in the media lately and I thought I'd talk about it here. The news frenzy last week started with a security company announcing that they had found a big botnet out there with about 74,000 people infected. These guys dubbed the botnet "Kneber" because the domain names involved in this case mentioned a Hillary Kneber. From there, all the marketing departments in all the security companies went crazy asking "Do we know anything about this new Kneber botnet??".

So, digging a bit deeper into the mysterious new botnet that appeared out of thin air, it turns out that this is nothing more than our old friend Zeus. This led to a whole new wave of people discussing whether this was important or not, and how.

In any case, Zeus is a do-it-yourself malware kit. You can purchase the software, configure your bots and spread them around so you can grow your own botnet with information-stealing capabilities perfectly targeted to your audience (ehm... victims). Obviously the criminals behind the Kneber botnet followed those instructions and managed to get 74,000 people infected. Actually, there are lots of other malware toolkits for sale out there from shady companies that often include tech support and protection against antivirus detection, among other services.

So this is the world we live in today, one where anybody can make a profit on the internet by stealing other people's money. It's as easy as buying a malware kit and building your own botnet. At any moment there are hundreds of different "Zeus" botnets commanded by different criminal groups. Some of them are much bigger than 74,000 PCs, and there's really no need to report each one of them as news, because they aren't. Nevertheless, if this served to raise awareness about Zeus and about how cybercriminals carry out their internet business, maybe something good came out of it.

Saturday, February 13, 2010

You got a Valentine card! click here to open...

Tomorrow is Valentine's Day, the day of love and romance. In the last 10 years it has also become well known as a favorite theme for malware writers luring unsuspecting users into getting infected. "Your loved one sent you an e-card. Click here to retrieve it" is already a classic, and it doesn't look like it will leave us anytime soon. There is a deeper problem than people looking for love through the internet, though: users are the natural victims of social engineering attacks.

My automated script to parse email messages won't care about love letters sent to him, Paypal trying to freeze his account or the big Nigerian fortune recently made available to him. Humans, on the other hand, are prone to these and other tricks that exploit naivety, greed, generosity or any other very human passions that move us. You'd think awareness campaigns would have lessened this to some extent, but criminals still use the same tricks over and over with a high degree of success.

Just this week I read the story of an ex-scammer from a Nigerian gang telling some of their techniques and the kind of money they're making with the age-old "give us some money to get a very big payout". People are still falling for the same tricks!!

The IT security industry can make super-sophisticated software that stops zero-day exploits, detects viruses trying to penetrate the computer's defenses, stops bots from making phone-home connections and blocks any other technical attack, but what we'll never be able to do is stop the user from clicking on that malicious link because he wants to see the porn video he was told would be displayed.

If you think about it, we're trying to save the user from... yes, the user. The problem with creating tight security measures to keep a user safe is that he will try to bypass them, because that Valentine e-card is more important to him than firewalls, antivirus or any other fancy three-letter-acronym software thrown at him. As somebody on an IT security list I'm subscribed to recently quoted: "The problem of making something foolproof is that fools are very ingenious". I suspect we'll keep getting fake Valentines that lead to malware for years to come.