Tools ‹ HackerSafe Security Related Blog for all — WordPress

Sep 21


BlueCoat DNS

Sep 17

I’ve been having some issues with BlueCoat DNS for a few days now. Since I’m not seeing a huge outcry, I’m wondering if it’s just me.

It started with warning emails from each BlueCoat appliance saying “Download of the BlueCoat WebFilter database failed.” It is trying to download a file from https://list.bluecoat.com.

A WHOIS query for bluecoat.com shows they have four authoritative name servers:

The ultradns servers currently work.  The servers EPONYM and SYNONYM don’t respond at all.

A traceroute successfully leaves our network and our upstream provider. It appears to be working until it gets to the destination network.
I have a similar problem when I test from my home network. That would seem to rule out issues here at work.


Webmail Account Compromises

Sep 17

A couple of my friends had their webmail accounts compromised and I got pharma spam from them over the weekend. One had a Hotmail account and another a Yahoo account. I’m not sure whether they should be mocked more for using accounts at those domains or for getting compromised.

Restoring Access
If this happens to you and you’re really fortunate, you’ll be able to log into your webmail account, change your passwords, and change the security questions used to reset the password.  

If you can’t gain access because the bad guy changed the passwords, try using the lost password button. If you can’t reclaim your account that way, you’re going to have to contact Google/Hotmail/Yahoo, whoever the website owner is. Good luck with that.

Cleaning Up
Review all your settings.   In Google  Mail check your Filters and your mail forwarding.   Mail from your bank could now be forwarded to the bad guy.   

Maybe it’s paranoia talking, but I would search my mailbox for “password” to see if any other accounts might have been learned by the bad guy because a plain text password was available in your inbox.

People always want to know how this happened to them.   Often they jump first to blaming their webmail provider.   While that’s possible, it’s not something you can really control.   It’s better to start looking at simpler explanations that you can do something about.

Was your computer hacked?   Did a keystroke logger gather your webmail credentials?   That is certainly possible.   And it doesn’t hurt to check out the computer.   I would have to wonder why the spammer would gain your credentials and then use another computer to send the spam.   Some webmail providers give full mail headers including the PC used to send the email.   For the spam I received I could see it wasn’t the same country as the sender.

Were you phished or tab-napped? Attackers manipulate victims into providing valid authentication credentials at fake sites. The best defense against this is to use bookmarks to avoid typos, and to go directly to https sites where possible.

Did you use the account from an insecure computer or network? It’s so tempting to hop on an open access point at the coffee shop. It’s tempting to use the ‘guest kiosk’ at the hotel while on vacation. You don’t know the hygiene of that computer. You don’t know who is snooping on that coffee bar network.

Is your password really weak?   I don’t think webmail providers would allow a lengthy bruteforce attack without locking out the account.   But if your password is incredibly bad, this could still be a cause.

Was your password used on another service? While blaming the host isn’t my first thought, hosts do get compromised every now and again. There are multiple account/password lists available from server compromises. If you’ve been on a system that was compromised and had its password list stolen, and you reuse the same credentials, then you have a problem.

Unfortunately the causes for account compromise aren’t any clearer than the ways to get your mailbox back.   Hopefully this gives some food for thought.


Cash and "Labels and such" lead to ZEUS

Sep 17

Websense® Security Labs™ ThreatSeeker™ Network has detected another wave of Zeus malicious email messages. This campaign is related to the familiar "pharma" spam messages that we see every day, with one exception. This campaign combines an HTML or ZIP attachment with a social engineering technique, similar to what we normally see in malicious email campaigns. For example, the message may state that $375 has been sent to a mail recipient's account, and include a link to view the transaction in the recipient's account. Opening the attachment results in a compromised user machine via obfuscated JavaScript in the attached HTML file. So far, we have seen this type of email with subjects like "Labels and such" and "Greetings from Rivermark Bill Payer!".


Websense customers are protected by the real-time protection in our Advanced Classification Engine, ACE.


Here is a screen shot of an email message with an HTML attachment:



In the case of an HTML attachment, criminals use obfuscated JavaScript.  Content is encrypted with a commercially available HTML obfuscation tool.



When viewing the deobfuscated content we see that the script uses a meta refresh tag to redirect a user who views the attachment. The script checks which browser is used and only performs the redirection if one of the following browsers is in use: Firefox (navigator.userAgent.indexOf('Gecko')) or Chrome/Safari (navigator.userAgent.indexOf('KHTML')).
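As an added, defender-side example (not code from the Websense post), here is a small Python scanner that flags HTML attachments showing the combination described above: a navigator.userAgent check for 'Gecko' or 'KHTML' together with a meta refresh redirect. It assumes the attachment has already been deobfuscated; the sample inputs, pattern names and the placeholder URL are constructed.

```python
import re

# Indicators taken from the campaign described above: a browser check on
# navigator.userAgent for 'Gecko' / 'KHTML' combined with a meta refresh
# redirect. Pattern names are this example's own choices, not a vendor's.
INDICATORS = {
    "user_agent": re.compile(r"navigator\.userAgent", re.I),
    "browser_gate": re.compile(r"indexOf\(\s*['\"](Gecko|KHTML)['\"]\s*\)", re.I),
    "meta_refresh": re.compile(r"<meta\s+http-equiv\s*=\s*['\"]?refresh", re.I),
    "scripted_meta": re.compile(r"document\.write\s*\(.*?http-equiv", re.I | re.S),
    "obfuscation": re.compile(r"\b(unescape|eval|String\.fromCharCode)\s*\(", re.I),
}


def scan_html_attachment(html: str) -> dict:
    """Score one (already deobfuscated) HTML attachment.

    Returns which indicators fired and whether the combination that
    characterises this campaign (UA gating plus a redirect) is present.
    A redirect on its own is not enough: plenty of benign pages refresh.
    """
    hits = {name: bool(rx.search(html)) for name, rx in INDICATORS.items()}
    ua_gate = hits["user_agent"] and hits["browser_gate"]
    redirect = hits["meta_refresh"] or hits["scripted_meta"]
    return {"hits": hits, "suspicious": ua_gate and redirect}


def triage(attachments: dict) -> list:
    """Return the names of attachments matching the campaign signature."""
    return [name for name, html in attachments.items()
            if scan_html_attachment(html)["suspicious"]]


# Constructed samples (not from the campaign). SUSPECT mirrors the
# deobfuscated behaviour the post describes; the URL is a placeholder.
SUSPECT = """<html><body><script>
if (navigator.userAgent.indexOf('Gecko') != -1 ||
    navigator.userAgent.indexOf('KHTML') != -1) {
  document.write('<meta http-equiv="refresh" content="0;url=http://pharma.invalid/">');
}
</script></body></html>"""

# A benign receipt page: it auto-refreshes but has no browser gating.
BENIGN = """<html><head><meta http-equiv="refresh" content="60"></head>
<body><p>$375.00 has been sent to your account.</p></body></html>"""


if __name__ == "__main__":
    print(triage({"label.html": SUSPECT, "receipt.html": BENIGN}))
```

Because the campaign's attachments are obfuscated with a commercial tool, run this on the deobfuscated output; the weaker "obfuscation" indicator only tells you that deobfuscation is needed first.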



A user who is using one of the affected browsers will get redirected to a pharmaceutical site like this one:



For email messages that have ZIP attachments, the ZIP file has coverage in VirusTotal – 5/43. The "label.zip" file contains "label.exe" which is a copy of Zeus. The malware copies itself to "C:\Documents and Settings\user\Application Data\Ewcarefef.exe" and tries to access two sites located in the .ru zone.


Here is a screen shot of the encrypted Zeus configuration file being downloaded after the malware injects itself into a legitimate process:


So far, we have seen more than 100,000 email messages like this.


This Month in the Threat Webscape – August 2010

Sep 17

Month of August 2010


Major hits

Mass compromises & infections
Network Solutions, one of the oldest domain registrars in the world, was found to be serving up a malicious widget on its customers' Web sites. All sites that opted to display a "Small Business Success Index" widget were infecting their visitors. This includes sites not hosted by Network Solutions itself, such as Google Blogger accounts that installed the widget. Armorize has a more detailed analysis here, and pegged the number of compromised sites at a minimum of half a million (source: Google) or five million (source: Yahoo). It was also discovered that this widget is served up as part of the standard domain parking page for newly registered domains.

Web hosting companies Media Temple and Rackspace also found themselves compromised and accidentally serving up malicious code to their visitors.

DLL Hijacking
Another tactic to infect users, dubbed "DLL hijacking", grabbed headlines this month. Basically, when you fire up an app in Windows (e.g. Microsoft PowerPoint), more often than not big apps search a series of locations for "helper" libraries to assist with the job. Knowing that the app will search for other libraries to execute, a bad guy can place a malicious binary in the location the app is searching in an attempt to trick the app into thinking that the malicious file is the correct library. This vulnerability has been added to Metasploit; check out this video to see it in action.

iPhone Web drive-by exploit
Usually when we talk about drive-by exploits, it goes without saying that we're referring to something bad that is to be avoided. But what about people who intentionally try to get exploited by a drive-by, whether they understand it in those terms or not?!? Yes, we're talking about the much hyped JailbreakMe Web site for Apple's iOS. Basically, all you need to do is open your browser from your iOS device (iPad, iPhone, etc.) and visit the Web site. With just one click (or "swipe" on the "touch" interface) and the Web site jailbreaks your device (using an exploit). The broader food for thought here is that whereas this Web site prompts for your permission to execute an exploit on your device to do things the owners consent to, the fact that this is technically possible (our research) in the first place opens the door to malicious Web sites that don't have to prompt you for permission to do malicious things on your device that you don't consent to.

In other news, watch out for malicious fake YouTube pages and malicious links that show up in Bing search results, both of which can lead to rogue or fake anti-virus software.


Web 2 dot uh oh

This month saw a huge increase in the number of abused and fake accounts being used for spam propagation such as in the case of the fake Friendster.com accounts that seem to have happened over the course of a few days (blogged about here).  

The threat of Web spam seems more real than ever as the world of Web 2.0 and the use of social networking sites becomes ever more popular.  Another way to look at it is that "it is really here to stay".


Browser and friends

At the Black Hat USA 2010 conference, researcher Charlie Miller presented an exploitable vulnerability in Adobe's PDF Reader. Adobe delivered an out of cycle patch in the middle of August to patch the CVE-2010-2862 vulnerability and another critical vulnerability. Adobe also released two security updates this month, one was for Adobe Flash Player, which fixed six critical vulnerabilities, and the other was for Shockwave Player.


A security update for QuickTime was released in early August to plug a hole that allowed arbitrary code execution. At the end of August, a 0-day vulnerability in Apple's QuickTime player was discovered. The flaw affected the latest version of QuickTime; an alert was published here.


Google released Google Chrome 5.0.375.127 with patches for 9 security holes. Google paid $10,011 to award those who reported the bugs.

Opera released Opera 10.61 update which fixed three vulnerabilities.



Microsoft had to send out an out-of-band update to patch the LNK vulnerability that was discovered last month. One week after that, Microsoft had a record "patch Tuesday" that included 14 bulletins patching 34 vulnerabilities, eight of them critical. The patches affected Windows, Microsoft Office, Internet Explorer, SQL and Silverlight.

However, Microsoft is not alone in the game as Adobe had to patch 10 critical vulnerabilities in Flash Player, Flash Media Server, and ColdFusion.


Hello ThreatSeeker. You've got mail!

This month in the email space saw some of the usual suspects come around again.  There were spoofed Microsoft emails that tried to get users to download a spam bot executable.  The attackers tried to make recipients of these emails believe that they needed to patch their systems for a dangerous 0-day attack.  We also saw a large spike in malicious spam that used various subjects which looked personalized as a social engineering trick to entice recipients to open malicious attachments in emails. 

For attackers, every day is tax day as they continued their tax themed social engineering tricks.  This campaign of emails contained variants that told of under reported income warnings or higher tax bracket notifications.  These messages also either contained a link to a malicious executable or an attachment. 

Perhaps the most interesting trend this month was the use of many brands with which to spam people.  This technique is nothing new, but how it was being used was a bit new.  With these messages, we saw the use of malicious links that were meant to download and install Rogue AV software on victim computers.  This is a bit new as most attacks involving Rogue AV used Blackhat SEO as their attack vector.






Security Trends

60GB of account data for social networking sites, bank accounts, credit card numbers, and intercepted emails were stolen by a mini ZeuS botnet dubbed Mumba. Thirty-three percent of the infected users are based in the U.S., followed by 17 percent in Germany and 7 percent in Spain.

The first SMS Trojan for Android OS has been detected as Trojan-SMS.AndroidOS.FakePlayer.a spread in Russia. For now, the Trojan only causes losses for Russian users, and as far as we can tell, it’s currently not being spread via the Android Marketplace.

An interesting kind of PHP injection has been found by researchers. The script uses the User-Agent field as the deobfuscation key, and the injected PHP script contains multiple eval() calls, each of which uses a different deobfuscation key.

The United States edition of the second annual International Barometer published by Panda Security showed that 46 percent of U.S. small- and medium-sized businesses (SMBs) have fallen victim to cybercrime, up two percent from last year’s survey. The group surveyed nearly 10,000 SMBs around the globe and more than 1,500 in the United States.

Innocent companies with good reputations are targeted by identity thieves looking for valid certificates to provide to malware authors. There are many possible scams that purposely make it very difficult to verify that a certificate request coming from a company is genuine. This should give us all serious concern about the trustworthiness of code signing in general.

This month's roundup contributors:

  • Saeed Abu-Nimeh
  • Lei Li
  • Ulysses Wang
  • Chris Astacio
  • Amon Sanniez
  • Matthew Mors
  • Jay Liew

