Scammer tying in on disasters
We have seen them before: scum trying to make money off disasters in other people's lives, and the aircraft crash in Brazil is no different. It starts with a spam campaign promoting a website; that website entices visitors to click on tiny thumbnail images, and those lead to malware. Not cool.
Find courtesy of Websense, who have an article about it.
Here is what the antivirus vendors think of the malware (virustotal):
[ file data ]
size | 274462 |
md5 | fca50b317ac7648b65c80a2f08ede9ef |
sha1 | bd85d52e616ab14bef3bfe42e9d44c0820d895cf |
[ scan result ] (vendor | engine version/signature date | result)
AntiVir | 7.2.0.22/20061003 | found [DR/Spy.Bancos.YT] |
Authentium | 4.93.8/20061002 | found [W32/Banker.XCA] |
Avast | 4.7.892.0/20061003 | found nothing |
AVG | 386/20061003 | found nothing |
BitDefender | 7.2/20061003 | found [Generic.Banker.VB.11DF9CB6] |
CAT-QuickHeal | 8.00/20061003 | found nothing |
ClamAV | devel-20060426/20061003 | found nothing |
DrWeb | 4.33/20061003 | found [BackDoor.Generic.1437] |
eTrust-InoculateIT | 23.73.11/20061002 | found nothing |
eTrust-Vet | 30.3.3113/20061003 | found nothing |
Ewido | 4.0/20061003 | found nothing |
F-Prot | 3.16f/20061002 | found [security risk named W32/Banker.XCA] |
F-Prot4 | 4.2.1.29/20061002 | found [W32/Banker.XCA] |
Fortinet | 2.82.0.0/20061003 | found [Spy/Bancos] |
Ikarus | 0.2.65.0/20061003 | found [Backdoor.Win32.Radmin.w] |
Kaspersky | 4.0.2.24/20061003 | found [Trojan-Spy.Win32.Bancos.yt] |
McAfee | 4865/20061003 | found nothing |
Microsoft | 1.1603/20061003 | found nothing |
NOD32v2 | 1.1787/20061003 | found [probably a variant of Win32/Spy.Bancos.U ] |
Norman | 5.80.02/20061003 | found [Bancos.KVY] |
Panda | 9.0.0.4/20061003 | found nothing |
Sophos | 4.10.0/20061003 | found nothing |
Symantec | 8.0/20061003 | found nothing |
TheHacker | 6.0.1.090/20061003 | found [Trojan/Spy.KeyLogger.bp] |
UNA | 1.83/20061003 | found nothing |
VBA32 | 3.11.1/20061003 | found [Trojan-Spy.Win32.Bancos.yt] |
VirusBuster | 4.3.7:9/20061003 | found nothing |
In other words: a bank-aware keylogging piece of malware that is not detected by some of the big-name vendors.
The important lesson is not to click on links in email or IM, or in any other channel through which you could be socially engineered into doing things you don't want to do. That lesson needs to be applied not only on the receiving end, by not following links we are given, but also on the sending end, by not offering friendly links to our friends.
e.g.:
- NOT: pointing to http://news.bbc.co.uk/1/hi/world/americas/5401846.stm
- BUT instead: tell them to go to the BBC site and search for 'brazil aircrash'.
Swa Frantzen -- Section 66
Firefox ...
Firefox seems to have its share of followers, just like the Mac community. I'm actually using both while typing this, so don't get on my case too much. Their supporters seem to react strongly when vulnerabilities are exposed at hacker venues. While fascinating from a social perspective, let's look at what we do know:
Over the weekend a conference called ToorCon was held in San Diego, and one of the presentations, by Mischa Spiegelmock and Andrew Wbeelsoi, was (among other things?) about Firefox security.
None of us handlers had at that point seen the presentation(*) itself or the interaction with a Mozilla staffer, but we did see the Mozilla developers react to it as if it were real (as they should), and we reported briefly on it ourselves. So there was something, but none of us knew exactly what it was or how it worked, and the threat of more exploits being held up their sleeve was not going to give anyone a comfortable feeling any time soon.
Today numerous readers pointed us towards more news from Mozilla. While it seems to debunk the whole situation somewhat, do reread it before calling the whole thing a hoax. There is a DoS in there, and DoS bugs have in the past shown the nasty habit of sometimes turning around and biting you with code execution (as the setslice issue did for MSIE).
All in all the whole thing was obviously hilarious to present and attend (see the video above), but it still leaves the rest of us with a foul taste.
(*): In a twisted way, you need javascript enabled and have to sit through the commercial before you can see it.
--
Swa Frantzen -- Section 66
Detecting attacks against servers
We all hear of servers getting hit on one of their exposed interfaces and then being used in phishing attacks, spreading malware, feeding warez and basically supporting all the other things the bad guys out there do.
But how can you detect it with little to no fancy means?
Flows are a neat source of information. Basically, the routers you already have tell you which IP address talked to which other IP address, on which port, during a relatively short interval. Collecting flows from a high-end router is no small feat, so you will need storage and processing resources, but if you can do it, it gives insight into traffic patterns on a large scale.
E.g., discovering machines that scan for SSH (port tcp/22) and next start talking on port tcp/4000 to some of those scanned machines is a sign of something spreading to the next server. If those already affected IP addresses also have relatively high bandwidth and are owned by companies that sound like they are in the hosting business, the impact of each and every one of these machines getting owned is not insignificant. A shared hosting server can serve many hundreds of domain names, and each one of those might be serving the newest 0-day exploit to its visitors.
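The scan-then-connect pattern described above, worked out as detection logic over flow records. This is an added example, not code from the diary; it uses constructed sample flows of the shape (time, source IP, destination IP, destination port) and the thresholds are assumptions you would tune for your own network.

```python
"""Spot sources that scan tcp/22 and later talk tcp/4000 to scanned hosts."""
from collections import defaultdict

# Constructed sample flow records (time, src, dst, dst_port). Not real data.
FLOWS = [
    (100, "10.0.0.5", "192.0.2.1", 22),
    (101, "10.0.0.5", "192.0.2.2", 22),
    (102, "10.0.0.5", "192.0.2.3", 22),
    (103, "10.0.0.5", "192.0.2.4", 22),
    (104, "10.0.0.5", "192.0.2.5", 22),
    (160, "10.0.0.5", "192.0.2.3", 4000),    # follow-up to a scanned host
    (161, "10.0.0.5", "192.0.2.5", 4000),    # and another one
    (200, "10.0.0.9", "192.0.2.7", 22),      # one ordinary SSH session
    (201, "10.0.0.9", "192.0.2.7", 4000),    # single follow-up, below threshold
    (300, "10.0.0.7", "198.51.100.1", 4000), # tcp/4000 without any prior scan
]

SCAN_PORT = 22
FOLLOWUP_PORT = 4000
MIN_SCAN_TARGETS = 5   # assumption: at least this many distinct hosts on tcp/22
MIN_FOLLOWUPS = 2      # assumption: follow-ups to at least this many of them


def find_scan_then_connect(flows, scan_port=SCAN_PORT, followup_port=FOLLOWUP_PORT,
                           min_targets=MIN_SCAN_TARGETS, min_followups=MIN_FOLLOWUPS):
    """Return {src: sorted scanned hosts that src later contacted on followup_port}."""
    scanned = defaultdict(dict)   # src -> {dst: first time dst was probed on scan_port}
    followups = defaultdict(set)  # src -> scanned dsts later contacted on followup_port
    for t, src, dst, dport in sorted(flows):  # process in time order
        if dport == scan_port:
            scanned[src].setdefault(dst, t)
        elif dport == followup_port and dst in scanned[src] and t > scanned[src][dst]:
            followups[src].add(dst)
    # Only report sources whose scan and follow-up activity both exceed the thresholds
    return {
        src: sorted(dsts)
        for src, dsts in followups.items()
        if len(scanned[src]) >= min_targets and len(dsts) >= min_followups
    }


if __name__ == "__main__":
    for src, hosts in find_scan_then_connect(FLOWS).items():
        print(f"{src} scanned tcp/{SCAN_PORT} then contacted tcp/{FOLLOWUP_PORT} on {hosts}")
```

With real NetFlow exports the same function applies once records are reduced to those four fields; the 4000 follow-up port is the one the diary observed, and other ports can be passed in.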
So keep applications such as openssl and openssh patched on your servers; they are being scanned for.
Update: Andrew provided a pointer to a list of netflow tools.
-- Swa Frantzen -- Section 66