The Websense Security Labs Blog delivers the most current information about breaking security research topics and today's advanced Internet threats. Websense Security Labs investigates and publishes information about outbreaks, new threats and other relevant Web security topics to protect organizations from converging risks to their data from Web, email and user based attacks.
Be careful Ameritrade customers!
05.25.2007 - 9:59 AM
Be careful what you type!
Yesterday we noticed that one of the sites our Threatseeker technology was classifying appears to be using a typo-attack to infect users. The site is a typo attack on the real domain “freetrade.com” which is owned by Ameritrade / TD and is an onlin...
Read more »
Month of Bugs
05.22.2007 - 12:03 PM
As quickly as mushrooms spring up after a rainy day, the "Month of X Bugs" projects (where X is the name of some kind of technology*) have become an entertaining public display of leet-ness between the good and the shades-of-grey.
* Not limited to but including: names of popular software, names of software companies, and names of Web 2 dot uh-oh companies.
The black hats (the mal-intent crowd), for obvious reasons, do not contribute to such projects as it is in their best interest to keep all known exploits to themselves only. However, I’ll bet that they are sitting on the sidelines gleefully picking up the piping hot proof-of-concept exploits as soon as they are served up.
But why would anyone line up outside of the Department of Software Defects? Wouldn’t that be the equivalent of waiting outside of a vehicle junk yard waiting to be thrown a used car part?
Both cases are similar in that you would be scavenging, but that's where the similarity ends. In the case of the used car part, you're hoping to eke out some cash from whatever intrinsic value is left in the almost-worthless hunk of metal. In the case of the exploit, it's another lifeline for your lucrative spyware and keylogger cash cow.
More exploits in their repertoire simply means more spyware and keylogger products to be pushed out to consumers. The more casual surfers they infect with drive-by downloads, the larger the size of their zombie desktop army. And that my friend, translates to cold hard cash.
Among the Month of Bugs projects in existence today (in no particular order):
Read more »
Google, "the ghost in the browser" : The Good NEWS and the bad NEWS...
05.16.2007 - 3:11 PM
Recently, researchers at Google released a paper at the USENIX HotBots workshop titled "The Ghost in the Browser".
See: http://www.usenix.org/events/hotbots07/tech/full_papers/provos/provos.pdf
The paper outlines research at Google that spanned several months analyzing websites, their content, and the amount of malicious code discovered within those sites. It highlights the significant shift toward, and increase in, the web as an attack vector, and it was well presented. Security research in this area is particularly important because of the volume and sophistication of web attacks, and it is encouraging to see a major search engine player researching the issue.
The paper has garnered a lot of media attention, much of which, we believe, overstated the problem and misrepresented some of the statistics.
The Good NEWS
Several media reports used headlines similar to "10% of sites are Dangerous" and "Google finds 10% of sites are malware laced". These headlines and reports read as though 10% of the websites on the entire Internet contain malicious code. We believe the report does not portray this as an overall percentage of websites; it is a representation of the number of sites ...
Read more »
Kernel Driver Backdooring
05.04.2007 - 2:17 PM
One interesting piece of code we found this week was actually "backdooring" an existing Windows kernel driver. In the past, we have seen malware patching Windows drivers to improve their performance (by removing the connection limit), but this time the driver is modified to execute code appended to the driver, using parasitic techniques. Windows File Protection does not trigger when the driver is patched, but the protection isn't disabled either, so if you try to modify the driver once it has been patched, Windows complains.
The backdoored driver is TCPIP.SYS.
The malicious code actually uses a basic EPO (Entry Point Obscuring) technique. Below, you can see the original entry point of TCPIP.SYS:
This is the patched entry point:
The start of the malicious stub is in the reloc section of the driver, as you can see below:
Read more »
Previous Posts
May 2007
| 05.25.2007 | Be careful Ameritrade customers! » |
| 05.22.2007 | Month of Bugs » |
| 05.16.2007 | Google, "the ghost in the browser" : The Good NEWS and the bad NEWS... » |
| 05.04.2007 | Kernel Driver Backdooring » |
Archives
+ April 2007
+ March 2007
+ February 2007
+ January 2007
+ December 2006