The Websense Security Labs Blog delivers the most current information about breaking security research topics and today's advanced Internet threats. Websense Security Labs investigates and publishes information about outbreaks, new threats and other relevant Web security topics to protect organizations from converging risks to their data from Web, email and user based attacks.
Company Information Leakage and Web Search
01.26.2007 - 10:27 AM
A Company Diary?
Imagine the scope and nature of all the web searches that you and your employees do on a daily or weekly basis. A log of such search queries is almost like an intimate diary, isn’t it? Not only are your professional interests laid out quite clearly, but your hobbies, health concerns, family concerns, political slant, travel plans, shopping efforts, dining considerations, and on and on, are all succinctly summarized in your search log.
Now imagine what the combined search log of everyone in your company might look like. The stats can in fact reveal a wide range of proprietary information. Here might be a sampling:
The technology areas you’re currently focusing on
Shifts in technology focus
Possible new products or initiatives being planned
Mergers or acquisitions under consideration
Key internal products you’re considering, such as a new security system
Increases in employee job search activity (Internal mismanagement? Undisclosed financial difficulties?)
How are Profiles Created?
Now we’ll take a look at just how these profiles or company diaries get created. First, here are a few ways an individual’s search activity can get tied to that person:
Cookies
Network Address
Registered user accounts...
What's In A Link
01.23.2007 - 3:58 PM
When our classification systems are attempting to determine if a website is legitimate, one of the many factors taken into consideration is the reputation of the sites that link to the website in question. The theory is that if a known legitimate site links directly to another site, chances are that the linked site will be legitimate as well. Makes sense, right?
We are not the only ones who follow these practices. Results ...
New MySpace Phish using CSS.
01.12.2007 - 4:11 PM
This afternoon we discovered another attack on MySpace. MySpace users receive a message in their profile from someone called "Arnelle" with the following text:
"this chick is using like almost all of ur pix and part of ur profile.. people have no lives, i swear. heres the URL if u want to check it out"
Followed by a link to...
Multi-hack...defaced site hosting Phish.
01.04.2007 - 10:27 AM
Today we received the email below in one of our mail honeypots. The mail informs the user that they have one "secure message" and that they need to click on the URL in order to access it. Upon accessing the site, they are redirected to a phishing page that requests their bank details. Nothing really interesti...
"Skype" Trojan Analysis
01.02.2007 - 4:46 PM
Last week, we received a sample that was spammed to a Skype user through a message containing a link. The user clicked on the URL and downloaded a file named sp.exe, which was executed. This trojan is not to be confused with the Chatosky malware, which also propagates through Skype chat messages.
This week I will present the analysis of sp.exe because it is an interesting case study. This trojan uses techniques such as encrypted data, obfuscated function loading, delta-based data addressing (for injected code), its own IAT-like array that gets injected into the remote processes, computed offsets used to call its various subfunctions (so there are no direct cross-references), the download of payloads from a remote website for execution on the heap, and so on.
The file was protected with "NTkrnl Secure Suite", a commercial protection system using anti-cracking techniques, polymorphic engines, and other interesting features.
Unpacking
I won't provide too many details on how I unpacked the sample because it uses a commercial product, but I feel comfortable talking about the copy-pasted code.
The main protection scheme I faced was copy-pasted from my Honeynet Scan of the Month 33 challenge. The breakpoint detection was 100% identical, even down to the numbers I had generated randomly. More importantly, the technique I had written based on SEH + cpuid/rdtsc was also copied. The only difference was that they used the EDX register to compare the timing.
Copy-pasting protection code without even changing it a little provides no security at all and allowed me to unpack it even quicker. (Gotta love looking at code you wrote 2 years ago.)
It apparently included some other tricks that made it a little harder to unpack, and the file looked like it had been corrupted at some point. In order to debug it and comment my disassembly in a readable way, I opted to use a userland debugger, and thus had to write a little shellcode for injection into the packed malware. Basically, it entailed abusing Windows exception handling (using a hook) to get past every check. After that, one could attach their favorite userland debugger to the malware and eventually find the Original Entry Point. Although rebuilding imports for this protector isn't hard at all, it wasn't necessary for this executable, as it imports only one function: ExitProcess.
The malcode resolves its own imports whenever it needs to call a Windows function, without calling any API to do so (an emulated GetProcAddress), which rendered one of the protector's features useless.
Getting an unpacked sample wasn't all that hard in the end.
Unpacked Sample Analysis
Encrypted data
We did not see any strings when disassembling the unpacked sample. However, a very obvious decrypting loop sits right after the first few instructions. Here, you can see the encrypted strings and the XOR used to decrypt them:
Once decrypted, you can see some interesting strings such as CLSID and...
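The analyst side of the decrypting loop described in the "Encrypted data" section, as an added example that is not code from the post or from the sp.exe sample: the strings and the single-byte key below are constructed for the demo (only "CLSID" is a string the post itself mentions), and the script shows how the key can be recovered by trying all 256 values and keeping the one that yields entirely printable, NUL-terminated text.

```python
"""Recover single-byte-XOR-obfuscated strings from a data blob (analyst tooling)."""

# Constructed plaintexts, NOT taken from sp.exe. "CLSID" is the one string the post names.
PLAINTEXT_STRINGS = [
    b"CLSID",
    b"Software\\PlaceholderVendor\\Run",
    b"http://example.invalid/payload.bin",
]
CONSTRUCTED_KEY = 0x5A  # invented key for the demo, not the sample's key


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; the same loop encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def build_blob(strings, key: int) -> bytes:
    """Lay the strings out as NUL-terminated C strings, then XOR the whole block."""
    return xor_bytes(b"\x00".join(strings) + b"\x00", key)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or the NUL terminator."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if b == 0 or 0x20 <= b < 0x7F)
    return ok / len(data)


def recover_key(blob: bytes) -> int:
    """Brute-force all 256 keys; the true key makes the block entirely printable."""
    return max(range(256), key=lambda k: printable_ratio(xor_bytes(blob, k)))


def extract_strings(blob: bytes, key: int, min_len: int = 4) -> list:
    """Decrypt, split on NUL, and keep only strings long enough to be meaningful."""
    decrypted = xor_bytes(blob, key)
    return [s.decode("ascii") for s in decrypted.split(b"\x00") if len(s) >= min_len]


if __name__ == "__main__":
    blob = build_blob(PLAINTEXT_STRINGS, CONSTRUCTED_KEY)
    key = recover_key(blob)
    print(f"recovered key: 0x{key:02x}")
    for s in extract_strings(blob, key):
        print("  ", s)
```

In a real sample the blob would be carved from the binary at the address the decrypting loop reads from; the brute-force step is unchanged.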
Previous Posts
January 2007
| 01.26.2007 | Company Information Leakage and Web Search » |
| 01.23.2007 | What's In A Link » |
| 01.12.2007 | New MySpace Phish using CSS. » |
| 01.04.2007 | Multi-hack...defaced site hosting Phish. » |
| 01.02.2007 | MOTW: "Skype" Trojan Analysis » |