Zozzle (Microsoft’s Javascript-Malware Analysis Tool)

December 8, 2010
Zozzle in a sentence: Zozzle is a static web-page analyzer for detecting ‘Heap-Spray Exploits’. [Literal meaning] ‘a righteous observance of the law’. [3 things it is] a product of Microsoft researchers’ hard work (by Benjamin Livshits and Benjamin Zorn of Microsoft Research, Christian Seifert of Microsoft and Charles Curtsinger of the University of [...]

Facebook “Un Named App” scare leads to malware

January 27, 2010

A few minutes ago I noticed that a friend of mine had posted the following status to her Facebook profile:

Facebook status

Of course this got my bat senses tingling and I smelled a panic-inducing spiral of insanity brewing, so I thought I’d have a bit of a look around.

 

Nothing to worry about here as far as your Facebook is concerned, this does not appear to be a genuine malicious app. In fact a thread on Yahoo answers appears to demonstrate in a reproducible fashion that “Un named App” is nothing more than your “Boxes” tab on your Facebook profile page.

 

Beware though, there is still real risk attached to this Chinese whisper. Criminals have picked up on the concern among Facebook users (or possibly they were responsible for starting the rumour?) and they have already started to poison Google search results.

 

Google search result

 
I queried Google for “facebook unnamed app” and the third result on the first page pointed to a malicious website set up for the purposes of distributing fake anti-virus software, this time called “Security Tool”. If you are unwary enough to click the link you will be presented with a dialogue box informing you that you have a huge number of infected files on your machine and prompting you to use Security Tool to clean them up. The software of course is no real security solution and is designed to fool the victim into parting with hard-earned cash.
 
Security Tool Rogue AV


 
Always search with caution, especially when searching for terms that are currently popular. Using search trends and conversation trends to steer victims towards malicious software is now a firmly established criminal modus operandi.
 
If you are worried about computer security and not sure where to click, you can always contact me directly. If you feel you may have been affected by this or any other scam, then I would advise you to go and scan your PC with a real security solution, our own free HouseCall service.


Pakistani National Response Center for Cyber Crimes… Hacked!

January 8, 2010

It seems to be the season for defacements and hacktivity. The week began with the Cross Site Scripting attack on the Spanish EU website and the defacement hack of Iranian President Ahmadinejad’s Official site and it closes with a high profile hack of the Pakistani National Response Center for Cyber Crimes, part of the Federal Investigation Authority.

The web site was compromised and defaced as shown below.

 Unfortunately for the Pakistani FIA though this attack appears to go beyond a simple defacement. The hacker “zombie_ksa” also states on the defaced page

your whole database and e-mails are leaked …. i was really excited to read, see what the f__k is private in here lOl

 At first glance this could well seem like idle l33t H4×0r bragging so I did a bit of digging to see if the boast could be substantiated. In a forum posting, zombie_ksa said

“I was Browsing! today Propakistani.pk So i saw post about “how to register complaint with fia cyber crime”! so i feel to check there Security, and i started Penetration Test On there Webserver, unfortunately I GOT access!! And they got Pwned!! !! thats Sounds crazy ! I got whole database! and e-mail Backup! everything!”

 

The hacker then posted two screen shots, one of the hacked site and a second, below, demonstrating his access to their email database (I have sanitised the email addresses here).

Screen shot posted by the hacker

So it seems that, from an amateur penetration test, a hacker has gained access to at least the full email database, and possibly the backups, of a National Response Center for Cyber Crimes in a highly politically sensitive country. The forum post was made at 4 in the afternoon yesterday and the hack is still live at the time of writing. To say this hack has national security implications would not be overstating the matter.

Any organisation holding material this sensitive should, as a priority, make sure all Internet-facing servers are hardened and fully patched. The servers should also be audited regularly, preferably daily, to look for evidence of new vulnerabilities as they arise, and web application firewalls should be used to detect and block anomalous or malicious behaviour.

But perhaps most importantly emails dealing with matters this sensitive should not be connected with, or stored on your public web server and they should always be stored in a secure encrypted format.


Iranian President Ahmadinejad Official web site compromised

January 5, 2010

Hot on the heels of the Cross Site Scripting attack on the Spanish EU Presidency site, the  official web site of President Ahmadinejad of Iran appears to have also been compromised.

The site www.ahmadinejad.ir, otherwise known as “Mahmoud Ahmadinejad – The Official Blog – Tehran, Islamic Republic of Iran“ has been compromised and is currently hosting a file called “owned.txt” at the URL http://www.ahmadinejad.ir/userfiles/file/owned.txt. UPDATE: The file has now been removed, see screen capture below.

Screen capture from compromised site

The file says

“Dear God, In 2009 you took my favorite singer – Michael Jackson, my favorite actress – Farrah Fawcett, my favorite actor – Patrick Swayze, my favorite voice – Neda.
Please, please, don’t forget my favorite politician – Ahmadinejad and my favorite dictator – Khamenei in the year 2010. Thank you.”

 

The reference to “favourite voice” is probably referring to Neda Agha-Soltan who was shot dead during the 2009 Iranian election protests.

No further details are yet available on how the compromise was effected or who is responsible, if more information comes to light I will update this blog post.


Twitter (not) hacked by Iranian Cyber Army

December 18, 2009
UPDATE: I was asked to talk to Channel 4 news in the UK about this incident this evening and they have been good enough to share the full content of my interview and a subsequent interview on the same subject with Tim Stevens from King’s College London.

_________________________________________________________________________________________
Original post:
Banner from hacked site

 

At about 6am GMT Twitter fell victim to a DNS hijacking attack by a group calling itself the “Iranian Cyber Army” (I wonder if they noticed the CIA irony?). The site was affected for the best part of an hour.

Full hacked page

 

The initial attack has left many users confused and has led to a widespread belief that the Twitter servers themselves were compromised. This does not appear to have been the case. The latest update on the Twitter blog says

“As we tweeted a bit ago, Twitter’s DNS records were temporarily compromised tonight but have now been fixed. As some noticed, Twitter.com was redirected for a while but API and platform applications were working. We will update with more information and details once we’ve investigated more fully.”

 

This kind of DNS hijacking usually involves compromising the registrar responsible for the DNS records of the victim company, the attackers then make unauthorised changes to the DNS records. These changes mean that when you or I type a web site address into our browsers, we are directed not to the real web site but to a second site, set up by the hackers, in this case the “Iranian Cyber Army”. This has the net effect of making it look like, in this example, servers belonging to Twitter were compromised when in reality that was not the case.

 

These sorts of attacks are usually limited to hacktivism activities like this one today, but imagine the potential to criminals if they could pull this off against any site requiring log in credentials, such as PayPal, eBay, MSN, Facebook. One has to wonder how quickly the attack would be noted if the dummy site was an exact replica of the victim and was simply there to harvest credentials and redirect the user then into the real site. This attack is called Pharming and currently mostly happens as a result of local malware modifying individual PCs, not through the compromise of global DNS records, but the potential is demonstrably there. Companies should be monitoring their DNS resolution on several servers to become aware as early as possible when this kind of attack takes place.
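The monitoring the paragraph above recommends, as an added example that is not code from the original post: query a domain's A records through several independent resolvers, compare them with the record set the operator expects, and classify any divergence. The resolver lookup is injected as a function and the data below is constructed (hypothetical names, documentation-range addresses) so it runs offline; a real DNS client would replace it in production.

```python
"""Detect a changed DNS answer for a monitored name by comparing what several
resolvers return against the operator's expected record set."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Set

Lookup = Callable[[str, str], Iterable[str]]  # (domain, resolver) -> addresses


@dataclass(frozen=True)
class Finding:
    domain: str
    resolver: str
    unexpected: frozenset  # addresses returned that are not in the expected set
    missing: frozenset     # expected addresses the resolver did not return


def check_resolution(expected: Dict[str, Set[str]], lookup: Lookup,
                     resolvers: Iterable[str]) -> List[Finding]:
    """Query every resolver for every monitored name; report each deviation."""
    findings: List[Finding] = []
    for domain, want in expected.items():
        for resolver in resolvers:
            got = set(lookup(domain, resolver))
            if got != want:
                findings.append(Finding(domain, resolver,
                                        frozenset(got - want), frozenset(want - got)))
    return findings


def classify(findings: List[Finding], domain: str, resolvers: Iterable[str]) -> str:
    """'clean': every resolver matches. 'global': every resolver deviates, which
    is what a delegation or zone changed at the registrar looks like once caches
    expire. 'partial': only some deviate, i.e. a change still propagating (or a
    single resolver serving a bad answer)."""
    deviating = {f.resolver for f in findings if f.domain == domain}
    if not deviating:
        return "clean"
    if deviating >= set(resolvers):
        return "global"
    return "partial"


# Constructed sample data for an offline run.
EXPECTED_A = {"www.example.com": {"192.0.2.10", "192.0.2.11"}}
RESOLVERS = ["resolver-a", "resolver-b", "resolver-c"]
# Two resolvers already return the redirected address; one still holds the
# legitimate answer in its cache.
SAMPLE_OBSERVATIONS = {
    "resolver-a": {"www.example.com": ["198.51.100.77"]},
    "resolver-b": {"www.example.com": ["198.51.100.77"]},
    "resolver-c": {"www.example.com": ["192.0.2.10", "192.0.2.11"]},
}


def sample_lookup(domain: str, resolver: str) -> Iterable[str]:
    """Stand-in for a real resolver query, answering from the constructed table."""
    return SAMPLE_OBSERVATIONS[resolver].get(domain, [])


if __name__ == "__main__":
    found = check_resolution(EXPECTED_A, sample_lookup, RESOLVERS)
    for f in found:
        print(f"{f.domain} via {f.resolver}: unexpected={sorted(f.unexpected)} "
              f"missing={sorted(f.missing)}")
    print("verdict:", classify(found, "www.example.com", RESOLVERS))
```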

 

Twitter was not the only web site affected by this compromise; a quick search revealed one other site displaying the same content.

Google search result

 

When it comes to attacking high profile targets it can often be that the registrar is the chink in the security armour. In fact Zone-H, the defacement archive, has previously noted that registrars have been “one of the main aims of the past months“.

 

If attacks like this can be said to serve any purpose at all, then perhaps they can serve as a reminder that we all need to absolutely ensure that our business partners meet our own high security standards, and that stands in both the on and offline worlds.


2010 – Year of the Zombie Cloud?

December 15, 2009

How to Survive a Zombie Attack, by Acey Duecy

 

2009 has been a notable year for malware and malicious online activity for a number of reasons and several of them relate to what is known as botnets. A zombie, or a bot, is a PC infected by malware that brings it under the remote control of a criminal. Criminals run networks that can range from thousands to millions of infected machines and they use them to power most of the cybercrime we see today including spam, DDoS, scareware, phishing, and malicious or illegal website hosting. They have a finger in every cybercriminal pie.

 

In the first half of the year, the Conficker worm (also known as Downadup or Kido) stole all the headlines in the malware world. Eventually the Conficker botnet was seen to deliver standard cybercriminal payloads, such as spambots and Fake AV (or scareware), much to the disappointment of some of the more hysterical commentators. Just because the outbreak received so much coverage that died away just as rapidly, don’t be fooled into thinking this threat has gone away. The Conficker Working Group, an alliance of security vendors, researchers and other commercial organisations is currently showing around 6 million unique IP addresses as appearing to be infected with this malware.

 

An unrelated, but important trend in 2009 was the exponential increase in the abuse of social networking providers for malicious purposes. The enormous active user populations on sites like Facebook, Twitter and MySpace prove a very attractive lure to organised online crime and its attendant money-making, bot recruitment and Fake AV pushing scams. Facebook has been abused by rogue Apps, designed to fool users into clicking links that reward the creator through pay-per-click affiliate advertising networks. It has also been used to spread malware through many means; malicious links in wall posts and messages, malware designed specifically to hijack accounts and by external compromise of legitimate Facebook Apps. The Koobface family of malware (also a botnet) has evolved over the course of 2009; it was initially spread through malicious messages and wall posts with links to fake YouTube sites punting a supposed codec in order to view the video. The codec of course was nothing of the sort and led to infection and account hijacking. Koobface now though has evolved to the point where it is fully capable of creating its own fake Facebook profile pages, complete with confirmed Gmail address, photo and biographical data. These fake accounts then set about joining networks and sending friend requests again all in a completely automated fashion.

 

Here’s where it gets interesting: in addition to spamming and malware, web 2.0 sites have been abused in new and concerning ways over the course of 2009. Twitter and Google Reader have been used as the landing page in spam campaigns, to attempt to overcome URL filtering in email messages. In recent months Twitter, Facebook, Pastebin, Google Groups and Google AppEngine have all been used as surrogate Command & Control servers for botnets, and just last week it was reported that a Zeus botnet was leveraging compromised servers inside Amazon’s EC2 cloud for command and control. These public forums have been configured to issue obfuscated commands to globally distributed botnets; these commands often contain further URLs which the bot then accesses to download commands or components.

 

The attraction of these sites and services lies in the fact that they offer a public, open, scalable, highly-available and relatively anonymous means of maintaining a command and control infrastructure, which at the same time further reduces the chance of detection by traditional technologies. Whilst network content inspection solutions could reasonably be expected to pick up on compromised endpoints that are communicating with known-bad sites (command & control servers), or over suspicious or unwanted channels such as IRC, it has historically been safe to assume that a PC making a standard HTTP GET request over port 80 to a content provider such as Facebook, Google or Twitter, even several times every day, is acting entirely normally. However, as botnet owners and criminal outfits seek to further dissipate their command and control infrastructure and blend into the general white noise of the internet, that is no longer the case.

 

It is no coincidence that much of the innovation in 2009 has been around command & control systems for botnets. The vast majority of old-school IRC controlled botnets are shut down within 24 hours and peer-to-peer bots often leave visible signatures too, leading to their neutralisation at machine level. One factor of web 2.0 botnet controls that I would expect cybercriminals to be currently evaluating is the single point of failure represented by relying on a single provider such as Facebook or Google: shut down the malicious Facebook page and you disable the botnet. Botnet creators have invested significant amounts of time and code in distributing their management infrastructure, in fast-flux and in peer-to-peer protocols. We can fully expect them to carry these lessons learned into the newer “cloud-enabled” botnet. It is entirely possible that the capability of the latest Koobface variant to create multiple automated profiles could be leveraged to mitigate against the single point of failure inherent in using a single Facebook or Twitter profile as a covert channel.

When it comes to botnets it would be really nice to be able to say “it’s getting better”. It’s not. More and more computers are being infected, and they are staying infected for longer.


A whole new meaning to Phishing.

December 7, 2009

UPDATE: At the suggestion of Dan Raywood from SC Magazine I am now offering up a prize to the first person to mail me all the fish I have (kind of) hidden in the blog entry. You can win my splendid USB fridge to keep your prize catch cool.

UPDATE 2: This competition has now closed and the prize been claimed. The lucky recipient of a Trend Micro USB fridge is The Harmony Guy, congratulations and may you have many happy hours together, and many thanks to all who played.

________________________________________________________________________________________

Good Cod! Sometimes it feels as though I am endlessly carping on about web site security and the value of personal information and while I realise that this is no plaice for levity, this most recent hake is noteworthy enough to cover. Most recent victims of the cybercriminal in their pursuit of gold, fishkeepers are not immune.

 

The web site Practical Fishkeeping has been compromised and the details of their forum users have been put at risk. Practical Fishkeeping is no sprat, boasting almost 24,000 registered users. The site is currently offline as the damage is repaired.

 

Practical Fishkeeping offline

 

Practical Fishkeeping have not left their members floundering, an email from Matt Clarke, Editor-in-Chief of the Practical Fishkeeping magazine was sent to all forum members on Friday evening. It is not immediately clear how the hack came to light, but the mail noted

We have been made aware that hackers have breached our website security. This is a criminal offence, and information on our register about our readers (usernames, passwords, email addresses, postal addresses and in some cases telephone numbers) may have been viewed or taken.

The mail goes on to say “If you used your password for practicalfishkeeping.co.uk for other websites, you should change those passwords.”

 

It may be easy from my perch to criticise, but if passwords truly were visible to attackers, then the web site was not applying even the most bassic secure design principles such as storing passwords in an encrypted format (along with other personally identifiable information). This would ensure they are not made available to any john dory.

 

In all seriousness, this attack is highly reminiscent of the recent hack of the Richard Dawkins forum and is very much a trend I expect to see increasing over the coming months and years. Gaining access to the database of a popular website offers potential high returns for relatively little effort. If this phenomenon is in need of a new name, I offer up the term Phlatphishing.

 

There are several ways that your details can be exposed when they are stored by third parties; misconfiguration, poor coding or unpatched systems for example. This will only increase in importance as cloud services are more widely adopted. Remember, when you are registering for a community such as an online forum, you are under no obligation to give either complete or accurate personal information.

 

Only give whatever information is essential for the use of the service you are registering.

 

If the service requires more details than you are willing to share, you don’t necessarily have to be truthful, there’s always room for a red herring.

 

Consider using disposable email addresses for online services, that way if there is a compromise you can simply delete the address.

 

If you are concerned that you may have been affected by this attack and have not yet received a notification from Practical Fishkeeping, you could try contacting the publishing house Bauer Media in the first instance.

 

You may have noted I am not one to let the chance for a good pun goby, and if any of these have been crappie, I offer my sincere apologies.


British police remove drop from ocean.

December 3, 2009

British law enforcement today completed a project dubbed Operation Papworth, aimed at reducing the exposure of the British online shopping public to fraudulent websites in the run up to Christmas. The Metropolitan Police Central e-Crime Unit have been widely reported in the media as “shutting down” or “taking down” more than 1200 websites peddling fraudulent designer goods such as Ugg boots, ghd hair straighteners and Tiffany jewellery at temptingly low prices. I’m sure in many cases you’ve seen the “tempting” spam for yourselves.

 

The sites were registered with .co.uk domain names so as to appear more credible and attractive to UK based buyers, even though in many cases both the sites and the domain registrations themselves were outside the UK. Obviously people tempted into buying from these shops risked not only receiving sub-standard goods with no chance of recompense, but also having their financial details or identities stolen, abused and/or traded on the underground economy. So before I go on, let me make it clear that despite my reservations about its effectiveness, I applaud and support this initiative by UK law enforcement (I’m sure they’ll be relieved to hear that).

 

But (and you knew there was going to be a “but”) this represents at best a stopgap measure and at worst a simple waste of time. The root cause remains unaddressed and I fully expect these same sites to reappear under different names in the very near future. The sites themselves have not been “taken down” at all as far as I can tell. What has happened is that Nominet, the body responsible for the .uk top-level domain, has simply broken the link between the domain name and the server the site is based on. What does that mean? It means when you type www.globalugg.co.uk into your browser it doesn’t go anywhere anymore.

 

If it was your criminal operation, what would you do? You’d register another domain name of course!

 

Here are the current details for a dodgy looking site, notice the Registration status is SUSPENDED, perhaps this was one of those 1200 sites.

WHOIS query for globalugg.co.uk

 

 

There are a few other interesting bits to this registration though, look at the Registrant’s address, how can they be a “UK individual”? Notice too that the domain was not even registered in the UK, the Registrar is eNom Inc. a (totally legitimate) US-based registrar. The Name servers responsible for this domain belong to US Web Hosting, another totally above board US provider. So we have a scammer with a Chinese address, registering a .co.uk domain with an American registrar and hosting their server with another US outfit.

 

To bring my whole scam back to life all I have to do is register a new domain and point it to the same server as before, maybe just for variety’s sake this time with a Ukrainian registrar, just like this:

Domain availability through Ukrainian Registrar Imena

 

 

And that is the real issue, far too many DNS domains, including .co.uk and those of many other countries, are operated as “open” domains and in the words of Nominet:

We do not impose restrictions on your status as applicant for the registration of a Domain Name in the following SLDs (“Open SLDs”):

   4.4.1 .co.uk; or

   4.4.2 .org.uk.

In the SLD Charter of the SLD Rules for the Open SLDs we do set out certain intentions regarding the class of applicant or use of registrations of the Domain Name which we assume you will comply with when applying for a registration of a Domain Name within an Open SLD. However, we do not forbid applications, and will take no action in respect of registrations that do not comply with the SLD Charters.

 

Until regulation is tightened and international cooperation is improved then well-intentioned initiatives like Operation Papworth will be um, micturating in the tempest.

