Last Updated: 2007-12-07 00:46:05 UTC
by William Salusky (Version: 1)
Throughout my daily incident response thought process I contemplate whether any given issue is the result of a new "Web 2.0 worm". Well, I didn’t necessarily find a new one in this case, but I almost can't avoid stumbling into surges of fast flux network activity. What follows here is not new, but certainly worthy of rehashing the state of flux.
If we "Flash back" to the
The malicious life cycle of this specific flux net is maintained through:
- MySpace User credentials compromised by Phishing campaign
- The above referenced phish sites are Fast Flux hosted domains
- Every Phish site page load contains a drive-by exploit
- Drive-by exploit results in Fast Flux network growth
- New flux nodes become service endpoints
- Phished MySpace user credentials are injected with links to the drive-by flux domains
Only the domains and IPs of the innocent have been changed.
*Actually, I see no innocence here, it's just bad!*
If you are unlucky enough to fall prey [or intentionally fall prey!] during a visit to one of the many Flux net hosted MySpace Phish sites: (By no means is the following an attempt to build a complete list of active flux domains, I can't cut/paste faster than domains are being registered)
*** LIVE BROWSER EXPLOIT CODE - BE WARNED ***
http://profile.mysp ace.com.fuseaction.id.user.viewprofile.198 7383.cn/
http://profile.mysp ace.com.fuseaction.id.user.viewprofile.370 913.cn/
http://profile.mysp ace.com.fuseaction.id.user.viewprofile.187 098.cn/
http://profile.mysp ace.com.fuseaction.id.user.viewprofile.188 273.cn/
The resulting drive-by would attempt to add your computer into the fast flux fold and begins its iframe journey through the inclusion of:
http://currentses sion.net/session/file.php (file.exe)
Sample: currentses sion.net/session/file.exe
File type(s): MS-DOS executable (
Size: 14848 Bytes
I'm going to skip the technical deep dive involved in footprinting the local host activity for a host that has been compromised and file.exe was executed. I will only offer that the criminal goal has been accomplished. A Fast Flux proxy node has been deployed and you would find that both
My T-Shirt today says,
"I was a fast flux node and all I got to serve were a few online casinos"
If the NoScript browser plug-in were a person, they would so be on my buddy list. Consider yourself introduced, and it goes without saying, be careful when and where you choose to browse.
Handler on Duty ;)
Last Updated: 2007-12-06 17:06:55 UTC
by William Salusky (Version: 1)
Malvertising (malicious advertising) is a reasonably fresh take on an online criminal methodology that appears focused on the installation of unwanted or outright malicious software through the use of internet advertising media networks, exchanges and other user supplied content publishing services common to the Social Networking space. The most popular Malvertising vector active "in the wild" is a result of the client rendering of Adobe Flash SWF files that contain maliciously coded Flash ActionScript. In my own limited (but growing) experience, Malicious SWF files may share one or more of the following features:
- They are often protected from casual swf decompiler tools through the use of commercial SWF encryption tools
- May contain complex de-obfuscation routines to hide the actual intent of any embedded ActionScript.
- May directly contain exploit code used to attack the client
- May act solely as the drive-by vector in performing a 'GetURL' equivalent referral to the actual upstream exploit host
- May primarily be a Social Engineering attack to confuse or trick a user into accepting the installation of software
- Contains time sensitive payloads which do not go 'live' until a specific date and time.
In light of a growing problem that has the potential to effectively place every internet user at risk, even when only visiting sites they would otherwise fully trust, there is at least a new tool available to assist the security researcher community with a means to better identify malicious SWF files. The timing for this is excellent, as I have personally only learned of this tool just this morning. This particular tool is the OWASP hosted project named 'SWFIntruder'. I will be doing my own deep dive into the details of its use for inclusion into my own SWF analysis tool bag. The personal SWF analysis tool bag happens to include two other freely available (also cross platform) SWF file decompilers:
SWFIntruder : https://www.owasp.org/index.php/Category:SWFIntruder
swfdump : http://www.swftools.org/ (source available)
and 'flare' : http://www.nowrap.de/flare.html (binary only) :(
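As a defender-side aid for the feature list above (the 'GetURL' referral case in particular), here is an added Python example that is not part of the original diary or of any of the tools listed: it walks the SWF tag stream, inflates CWS files, and pulls the URL out of plain ActionGetURL records in DoAction tags. The one-frame SWF it builds and the example.invalid host are constructed for the demonstration; encrypted or obfuscated files that fetch their URL through GetURL2 still need a real decompiler such as swfdump or flare.

```python
import struct
import zlib

DO_ACTION, SHOW_FRAME, ACTION_GETURL = 12, 1, 0x83

def iter_swf_tags(body: bytes):
    """Yield (code, payload) per tag; body is everything after the 8-byte file header."""
    nbits = body[0] >> 3                       # RECT: 5-bit width, then 4 fields of that width
    pos = (5 + 4 * nbits + 7) // 8 + 4         # RECT bytes + frame rate (2) + frame count (2)
    while pos + 2 <= len(body):
        hdr = struct.unpack_from("<H", body, pos)[0]
        code, length, pos = hdr >> 6, hdr & 0x3F, pos + 2
        if length == 0x3F:                     # long form: 32-bit length follows
            length, pos = struct.unpack_from("<I", body, pos)[0], pos + 4
        if code == 0:                          # End tag closes the file
            return
        yield code, body[pos:pos + length]
        pos += length

def geturl_targets(swf: bytes) -> list[str]:
    """URLs named by plain ActionGetURL records inside DoAction tags (FWS or zlib CWS)."""
    if swf[:3] not in (b"FWS", b"CWS"):
        raise ValueError("not a SWF file")
    body = zlib.decompress(swf[8:]) if swf[:3] == b"CWS" else swf[8:]
    urls = []
    for code, tag in iter_swf_tags(body):
        if code != DO_ACTION:
            continue
        i = 0
        while i < len(tag) and tag[i] != 0:    # ActionEnd (0x00) terminates the action list
            action, i = tag[i], i + 1
            if action < 0x80:                  # codes below 0x80 carry no payload
                continue
            alen, i = struct.unpack_from("<H", tag, i)[0], i + 2
            if action == ACTION_GETURL:        # payload: url\0 target\0
                urls.append(tag[i:i + alen].split(b"\0")[0].decode("latin-1"))
            i += alen   # ActionGetURL2 (0x9A) takes its URL from the stack, so it is not recovered here
    return urls

def build_sample_swf(url: str, compressed: bool = False) -> bytes:
    """Constructed input (not a real sample): a one-frame SWF whose DoAction runs ActionGetURL(url)."""
    record = bytes([ACTION_GETURL]) + struct.pack("<H", len(url) + 2) + url.encode() + b"\0\0"
    do_action = record + b"\0"                 # ActionEnd; stays under 63 bytes for the short tag header
    tags = (struct.pack("<H", (DO_ACTION << 6) | len(do_action)) + do_action
            + struct.pack("<H", SHOW_FRAME << 6) + struct.pack("<H", 0))
    body = b"\x00" + struct.pack("<HH", 0x0C00, 1) + tags     # empty RECT, 12 fps, 1 frame
    payload = zlib.compress(body) if compressed else body
    return (b"CWS" if compressed else b"FWS") + bytes([6]) + struct.pack("<I", 8 + len(body)) + payload
```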
We may expand on how you might consider applying security mitigations for this threat type as a protection for the average user which may include your spouse, parents, children, corporate network users, etc... in a future diary. Please do write in with your own insights into the malvertising problem space.
Handler on Duty :)
Last Updated: 2007-12-06 04:59:13 UTC
by Mark Hofman (Version: 1)
'Tis the season to be jolly as the saying goes.
During the holiday period we are all going to be subjected to various scams and schemes. About 10.30 this morning people in Sydney Australia started to receive emails advertising a Lindt Chocolate sale at the Elizabeth Street Store (mostly forwarded by friends and family).
A cash only sale between 11 and 1 on Thursday the 6th of December. Needless to say as I write this there are several hundred people outside the store hoping to cash in on the $5 per bag deals advertised in the email. The PDF looks really good and genuine. I had junior on his way to get some (BTW kgleeson, you might want to remove the properties from the PDF file before doing something like this, although there could be a good explanation for the name being there).
A slightly panicked security guard is currently outside the store yelling "It's a scam!!, there is no Sale".
Whilst this is a mildly amusing scam/prank during the holiday season everyone should be on the lookout for the usual greeting cards, "free gifts", credit card reprieves and other emails designed to extract money from our pockets.
Cheers, I'll have to send junior off to Coles or Woollies to get my weekend stash.
Other information received (thanks Scott) points to a forum post regarding this. It looks like the sale was meant for the people in the building only and got a bit out of hand and was canceled. Find the explanation here. So no scam/prank after all; kgleeson is safe.
Back to grabbing my greeting cards, playing elf bowl, purchasing pressies from the dodgy brothers, whilst supplementing my income by working from home.