K.I.S.S. Principle | 09/24/2007
The K.I.S.S. principle also applies to information security attacks in many ways. The most recent example is something we picked up on this month: a very simple malicious code attack that is nonetheless very effective. Note: DNS redirectors are nothing new; this is simply another example of how we need to keep our eye on the ball to cover both the most complex and the simplest threats today.
Like many attacks, this one starts off as a simple spam run that asks users to download a new “Anti Phishing Toolbar” from Microsoft. In this particular case the attackers are going after Spanish speakers who bank with Banamex in particular.
The users are tempted to connect to a website to download the tool. The site, which was up and running at the time of this blog post, was hosted in the United States on a free hosting provider and was serving a file called “Microsoft_AntiPhishing.exe”. There was no exploit code on the site, so users would be prompted to download and install the file themselves. The file's MD5 hash is 76d80aeff8248df387caa34b3389f52a; it was written in Visual Basic, compiled on a Spanish version of Windows, and was poorly covered by anti-virus signatures (2/32 vendors recognized it).
Screenshots of Virustotal output:

Once run, the file had two very simple tasks. The first was to connect to download.microsoft.com and attempt to download the Spanish version of the Microsoft Live Toolbar (filename WS_ToolbarSetup_Es.exe). This first step was purely a deception tactic to make the user think they were downloading and installing the right program. The second task of the code was to modify the end-user's hosts file.

As the modified hosts file shows, the attackers are redirecting all HTTP requests for a variety of Banamex sites to a fake set of sites. They simply set up a website, also hosted in the United States and up and running at the time of this blog post, that mirrored all the HTML from the real sites.
When users connected to their bank's site to perform online banking they would be presented with the fake site. If you viewed the HTML, the links were all pointing to the original/real Banamex sites, but the local hosts file redirection would send requests to and receive pages from the fake site.
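One defensive check that follows from the hosts-file redirection described above, as an added example (not code from the original post): it parses a hosts file and flags any hostname mapped to a non-loopback address, escalating names that fall under a watch list of bank domains. The sample hosts content, the bank.example names and the 192.0.2.10 address are constructed placeholders, not the attack's real values.

```python
import ipaddress

# Constructed sample hosts file, modelled on the redirection described in the
# post. The domain names and addresses are placeholders, not the real ones.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.bank.example   # constructed: bank login page redirected
192.0.2.10      login.bank.example
10.0.0.5        intranet.corp.local
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, stripping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for host in parts[1:]:
            yield parts[0], host.lower()


def find_redirects(text, watch_suffixes=()):
    """Return (hostname, ip, severity) for entries that send a name somewhere
    other than loopback. Loopback and 0.0.0.0 entries are normal (localhost,
    ad-blocking sinkholes); anything else deserves a look, and a name under
    one of watch_suffixes (e.g. the bank's domains) is marked critical."""
    findings = []
    for ip, host in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((host, ip, "malformed"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        watched = any(host == s or host.endswith("." + s) for s in watch_suffixes)
        findings.append((host, str(addr), "critical" if watched else "review"))
    return findings


if __name__ == "__main__":
    # On Windows the live file is %SystemRoot%\System32\drivers\etc\hosts;
    # here the constructed sample is checked instead.
    for host, ip, severity in find_redirects(SAMPLE_HOSTS, ("bank.example",)):
        print(f"{severity:8} {host} -> {ip}")
```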
Screenshot of logon page:

Screenshot of Posting of Credentials to fake site:

As we said at the beginning of this post, there is nothing new here. But the K.I.S.S. principle applies in many ways:
Keep It Simple Stupid:
- Security vendors cannot overlook the simplest attacks (a 6% detection rate is NOT good)
- Attackers often go after low-hanging fruit with attacks that rely on simple deception
- Sometimes the simplest attacks can be the most effective