
The Websense Security Labs Blog delivers the most current information about breaking security research topics and today's advanced Internet threats.  Websense Security Labs investigates and publishes information about outbreaks, new threats and other relevant Web security topics to protect organizations from converging risks to their data from Web, email and user based attacks.

MOTW: Halloween Hunting

10.26.2006 - 3:49 PM
With one of my favorite days of the year looming, I thought it was a good idea to do something related to Halloween. No IDA, Olly, or ASM, just some simple examples of what to watch out for when you are surfing the web. This article also shows how important the phrases "user-education" and "user-awareness" are. As you can see from the examples, novice users would have to be careful about what they type into their search engines; investigate raw HTML with alternative browsers or client tools; ignore most security warning messages; and know that instead of clicking on "YES" or "CANCEL" they should sometimes do neither and instead kill some processes. So, on with the shooooow:

HALLOWEEN HUNTING: BE CAREFUL OUT THERE

EXAMPLE I

What do people do around a current event to get more information? They "Google" for it, of course! One of the great things about today's search engines is that you have a world of information at your fingertips. By simply querying for some key phrases, you gather a plethora of options from around the world. Unfortunately, as we have pointed out in the past, you don't always get what you expected.

The first example is something we call a typo-attack. This is when website owners create pages, and links to those pages, for commonly queried words and phrases that may have been mistyped (AKA "fat-fingered") in order to attract users to their sites. As you can see from the screenshot below, we searched for "halkoween" instead of "halloween". The "K" and the "L" are pretty darn close to each other on the keyboard, so I can see this happening. Well, obviously others believe that this error is a possibility also, because approximately 10,000 results came back from the search. Within the top five were two links to two different sites that, when clicked, attempted to install a number of programs onto my machine. Their titles advertised Halloween-related details, but the pages had no content whatsoever.
I selected the second returned result from the list and got the following in my browser. Bea...

MOTW: Parasitic Infector Analysis

10.21.2006 - 12:57 PM
Parasitic file infectors aren't a trend anymore, but we still get some new ones from time to time, and this is what I chose to present for the malcode of the week. I have seen it regularly, sometimes appended to very common worms. This virus isn't very complex, but it has a few interesting features such as an IRC component. Our malcode will connect to a hard-coded IRC server and join a random channel. It will then wait for commands passed in a query. The main command is used to download a file from a web server, and can be used to install a trojan/rootkit on the infected machine.

Since this is a parasitic virus, it uses a delta offset to find its own data. In order to make analysis easier, here is a very useful trick one can use. We first need to find the delta offset value by disassembling or debugging our sample:

Once we have calculated our delta offset, we need to load our file manually inside IDA. And we need to subtract the delta offset from the original image base: ...

Microsoft Internet Explorer 7 Released

10.19.2006 - 3:24 PM
Today marks Microsoft's official release of Internet Explorer 7. Only hours after the new browser was released, the first official security vulnerability was announced by Secunia: "MHTML URI Handler Information Disclosure Vulnerability" ...

MOTW: Stealing Fun for Profit

10.13.2006 - 10:47 AM
Malicious code these days is often written with financial gain in mind, and for this reason a large number of the targets for Trojans are ones where the potential for monetary gain is quite obvious, such as financial institutions. There are some targets, however, where the potential for profit isn't quite so clear. One example of such a target is the video game industry, and in particular Massively Multiplayer Online Role Playing Games, or MMORPGs. Video games are certainly not a "traditional" target for those who write malicious code for their own profit, and perhaps not one with the same potential return on investment as targeting bank accounts or credit cards, but such targeting does occur. There are a number of games that Websense Security Labs has seen being targeted by these attacks, but one of the most popular (due in large part to the market share that it holds) is the game World of Warcraft.

One infection method used for tricking people into infecting their computers with Trojans and compromising their World of Warcraft accounts is the official forums for the game. The exact method used to trick users into visiting the URL may vary, but typically the malicious user will make a post suggesting that people visit a URL containing some information that players are likely to want, which can range anywhere from tips on how to play the game better to humorous articles or videos. Because the forums for the game are heavily monitored and moderated by employees of Blizzard Entertainment, these posts do not typically stay alive for long. With the amount of traffic that the forums get, however, it doesn't take a lot of time for a number of people to get infected. Even if a malicious post were to stay active for only a couple of minutes, it would be possible for that post to get dozens of viewers, due to the amount of activity on the forums.

By selecting times when the forums are most active, such as during the game's weekly maintenance, when players aren't able to play the game and so visit the forums instead, an attacke...

MOTW: Search Engine Typosquatting

10.09.2006 - 12:13 PM
Getting a victim to visit a site containing exploit code is one of the major obstacles to be overcome when a malicious attacker is attempting to exploit users on the web. Unfortunately, there are a number of tools and tricks at their disposal which are used to lure victims to the malicious site. In this edition of Malcode of the Week, I'm going to show an example of one of the more popular lures: Search Engine Typosquatting.

This lure relies upon the eventuality that a user will make a typo while entering a term into a search engine. There are an endless number of possible typographical errors for any given term, but with a few algorithms and statistics you can significantly narrow down the number of possibilities. Attackers have been doing this for years and have become very good at predicting the most common typos for each keyword.

To give you an example of how this attack works, I'm going to hit the "x" key instead of the "c" key (a surprisingly common typo) while searching Google for the name of my bank. This ends up spelling "banxa" instead of "banca" ("banca" is "bank" in Italian). Even though this typo has created a meaningless word, we still get plenty of results from Google:

Warning: Visiting any of the sites mentioned in this article can and likely will compro...

Googling for security in source code.

10.06.2006 - 1:52 PM
Google has launched a new service to search for "publicly accessible source code". The service, dubbed "Google Code Search", allows programmers to query for code using a myriad of syntax options, such as regular expressions, exact strings, file types, packages and languages. One very cool feature of this new service is that Google Code Search automatically extracts all files from archive files (zip, rar, etc.), and makes it extremely easy to navigate and search through the extracted files. Google has also released a [link: http://code.google.com/apis/gdata/codesearch.html] ...