
Posts tagged: claim

Apple’s Lack of Security Awareness Appalling

December 15, 2007 10:38

Finally, a “critical” Java runtime update from Apple by ZDNet’s Ryan Naraine — Apple has shipped a long-overdue Java runtime update to plug at least 30 vulnerabilities that expose Mac OS X users to remote code execution attacks.

This article really only highlights the issue. Quicktime has had (and still has) so many bugs that I’d simply deem it the ‘Buggiest and Most Insecure Application of ALL TIME’. Anyone who uses Quicktime should REMOVE IT immediately, and then clean their system. I’d even recommend cleaning the registry of any APPLE or QUICKTIME entries, something I’m typically loath to do under any circumstances. Apple simply seems not to understand the security climate in today’s world, or doesn’t care about its users. Either way it’s reprehensible that they are doing so well in the technology markets without putting security first.

Apple could learn a lot from Microsoft on this, but I’m not saying Microsoft’s approach is superior, I’m just saying it’s actually far more committed to keeping its user base informed. Apple seems to prefer just keeping us in the dark, or to use an alliteration, they prefer to keep the apples on the tree so they don’t bonk someone on the head and perhaps wake them up to reality. Apple’s products and OS are really insecure! This is like many ignorant companies that seem to think ‘if we have a security breach, we keep it secret’, and this is the approach I find criminal. I for one am lobbying governments to change this, and FORCE ANYONE with sensitive data or source code to proprietary OSes to FULLY DISCLOSE vulnerabilities to reduce one’s exposure to 0-day attacks.

It took Apple 6 months (!!!!) to come up with the latest patch, and it didn’t fix all of them; actually, of the 30 it claimed, only 18 are TRULY fixed. I’d call it lying… I don’t mix my fruit up.


Shaw offering Free Broadband for a Year? Or a Phisher?

November 9, 2007 12:53

Really? A FREE YEAR of Broadband?!? Nobody gives away a free year…

Recently I’ve received copies of a phishing attempt that looks like it’s from Shaw (a cable/internet/telephone service company in Canada). This phishing attempt is similar to the eBay and banking phishes of the recent past, in that it actually does NOT resemble a ‘real’ email, but rather a fictional email designed to get people excited; in this case, instead of warning the user, it tries to provoke a positive reaction with “getting free internet for a year”. Whoopie! A year’s worth of internet from Shaw isn’t that expensive. Phishing attempts are typically NOT viral or malware oriented, but certainly can and do use such methods. In this case it looks like standard email spam sent via exploited web sites.

This is a sophisticated method. It uses a similar style to Shaw’s own correspondence and uses a legitimate, if inappropriate, email address. The email was generated and sent using multiple methods, so tracking it will be harder to accomplish. Below I show the details of the spam and my analysis; our whois lookups are included in the rest of the article.

First off, I will point out the RED FLAGS in this phishing attempt:

#1 – “A Free Year of Broadband” – This doesn’t make sense. Shaw has trademarks and service marks that it would use to advertise its broadband internet service. Only someone ignorant of Shaw’s trademarks would say this. It’s really unlikely anyone who really works for Shaw would make this error.

#2 – Canadian law requires that any ‘contest’ or ‘giveaway’ include details of said event. In most cases it’s prudent to state whether or not the contest is allowed in Quebec, since the law there is vastly different, and Quebec law generally does NOT allow this type of contest. (Disclaimer: I’m in no way a lawyer, but I am aware of consumer rights.) The missing disclaimer is a definite flag.

#3 – The email that is seen in the From: header is not a normal Shaw correspondence email account.

#4 – The link clearly shows a ‘secure’ link, but in no way is it going to a ‘secure’ site.

#5 – Typical email headers (on email from Shaw) missing

So just upon a quick review of this email we can deduce that it’s not a valid email. To get more pertinent details I’ll analyze these emails in detail. I won’t paste the email headers in their entirety; anything redacted is shown as ‘XXXXXXXX’ to avoid email harvesting, but I will show you which details were more noteworthy.

The Return-Path was interesting. One was apache@utel16.besthosting.com.ua, the other was nobody@omega.omc.net.

This would indicate to me that the web server sent this email, and in typical hosting fashion, it would be doing so via script on one of the hosts or virtual hosts on the system.

None of the Received headers indicate anything unexpected here; “omega” even has SSL/TLS enabled, but with verify set to no.

The headers of one of the emails are very interesting:

Date: Thu, 08 Nov 2007 20:49:28 +0200
From: “Shaw Communications Inc.” service@shaw.ca
Subject: Win a year of free broadband
To: XXXXXXX@shaw.ca
Reply-to: service@shaw.ca
Message-id: XXXXXXXXXXXXXXXXX@utel16.besthosting.com.ua
MIME-version: 1.0
Content-type: text/html
X-PHP-Script: 213.186.117.120/~loveterra/indexzz.php for 82.208.212.146

The date and time indicate an Eastern European time zone. I know Shaw doesn’t have any servers in Europe…

The X-PHP-Script header shows a very interesting detail of where this email came from. We’ll come back to this IP in a bit, but this is a key indicator of an exploited web site at a hosting company or something similar. This IP definitely hosts a web server, with the above-mentioned user account, but at the time of checking this link generated an error.

The “for” address 82.208.212.146 is interesting; looking it up gives:

whois -h whois.geektools.com 82.208.212.146 …


Reviewing the other IP address in the X-PHP-Script header gives us this info:

whois -h whois.geektools.com 213.186.117.120 …


So, it looks like someone, possibly in Serbia and Montenegro, ran a cross-site script residing on a server in Ukraine against utel16.besthosting.com.ua, which sent the email. One would actually have to test this to confirm it, which I have not done. This is a dangerous step I decided to avoid for brevity.


Looking at another similar email we see:

Date: Tue, 06 Nov 2007 23:24:54 +0100 (CET)
From: “Shaw Communications Inc.”
Subject: Win a year of free broadband
To: XXXXXXXXX@shaw.ca
Reply-to: service@shaw.ca
Message-id:
MIME-version: 1.0
Content-type: text/html
X-Authentication-warning: omega.omc.net: Host localhost.omc.net (127.0.0.1) claimed to be omega.omc.net

But we can see the authentication warning from this server. No detail, unfortunately.
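As an added example (my code, not the post author’s), here is a Python script that applies the checks walked through above to a constructed copy of the first email’s sanitized headers: it compares the Return-Path and Message-ID domains with the From domain, flags the X-PHP-Script and X-Authentication-Warning headers, tests the Date offset against an assumed Western Canada time zone, and compares each link’s visible text with its real target. The Removed.example.com host and the masked mailbox are placeholders, not values from the post.

```python
import email
import re
from email import policy
from email.utils import parseaddr, parsedate_to_datetime
from urllib.parse import urlparse

# Constructed sample modelled on the sanitized headers quoted in the post; the
# masked mailbox and the Removed.example.com host are placeholders for values
# the post did not print.
SAMPLE_PHISH = """\
Return-Path: <apache@utel16.besthosting.com.ua>
Date: Thu, 08 Nov 2007 20:49:28 +0200
From: "Shaw Communications Inc." <service@shaw.ca>
Subject: Win a year of free broadband
To: XXXXXXX@shaw.ca
Reply-to: service@shaw.ca
Message-id: <XXXXXXXXXXXXXXXXX@utel16.besthosting.com.ua>
Content-type: text/html
X-PHP-Script: 213.186.117.120/~loveterra/indexzz.php for 82.208.212.146

<p>After downloading and installing the file below, you will be taken to Shaw Communication Inc. survey.</p>
<a href="http://Removed.example.com/Survey.exe">https://secure.shaw.ca/apps/secure/vhub/Survey.exe</a>
"""

# Assumption: the impersonated sender is in Western Canada, so only Pacific
# and Mountain UTC offsets are plausible on its Date header.
PLAUSIBLE_OFFSETS_HOURS = (-8, -7)
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def domain_of(value):
    """Lower-cased domain of an address or Message-ID ('' if there is none)."""
    _, addr = parseaddr(str(value or ""))
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def link_flags(html):
    """Flag anchors whose visible text disagrees with the real target."""
    flags = []
    for href, text in ANCHOR_RE.findall(html):
        target, shown = urlparse(href), urlparse(text.strip())
        if target.path.lower().endswith((".exe", ".scr", ".bat")):
            flags.append(f"link downloads an executable: {href}")
        if shown.netloc and shown.netloc.lower() != target.netloc.lower():
            flags.append(f"link text {shown.netloc} hides target {target.netloc}")
        if shown.scheme == "https" and target.scheme != "https":
            flags.append("link text claims https but the target is not https")
    return flags

def red_flags(raw):
    """Return the red flags found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    from_dom = domain_of(msg["From"])
    # Envelope sender and Message-ID should come from the same domain as From.
    for name in ("Return-Path", "Message-ID"):
        dom = domain_of(msg[name])
        if dom and dom != from_dom:
            flags.append(f"{name} domain {dom} differs from From domain {from_dom}")
    if msg["X-PHP-Script"]:  # injected by a web script, not sent by a mail client
        flags.append(f"sent by a web script: {msg['X-PHP-Script']}")
    if msg["X-Authentication-Warning"]:
        flags.append("MTA authentication warning present")
    try:
        hours = parsedate_to_datetime(str(msg["Date"])).utcoffset().total_seconds() / 3600
    except (TypeError, ValueError):
        hours = None
    if hours not in PLAUSIBLE_OFFSETS_HOURS:
        flags.append(f"Date offset {hours} h is implausible for the claimed sender")
    body = msg.get_body(preferencelist=("html", "plain"))
    return flags + link_flags(body.get_content() if body else "")
```

Running red_flags(SAMPLE_PHISH) reports seven flags for the sample, while a message whose envelope, Message-ID and Date agree with its From domain and time zone and whose links point where they claim produces none.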

Regardless, the viewable content of these two emails is identical, including an ‘official’ Shaw footer to further reinforce its legitimacy, but it’s futile. These are NOT from SHAW.

The content is included in plaintext. However, to ensure not even ‘google’ browses the evil link from our site, I have sanitized it so it breaks. Details of the fix are below the actual email content:

Content-Transfer-Encoding: 8bit
src="http://www.shaw.ca/NR/rdonlyres/A6D66548-142E-47F8-AF4A-3CEE597378BC/0/logo.gif" align=baseline border=0>
.win a year of free broadband
To access this survey, and register for relevant offers from Shaw Communication Inc. please take a minute to register by using the link below.
After downloading and installing the file below, you will be taken to Shaw Communication Inc. survey.
https://secure.shaw.ca/apps/secure/vhub/Survey.exe
2007 Shaw Communications. All Rights Reserved.

209.85.15.18 is the address removed above with “Removed.example.com”. Looking it up gives:

11/09/07 14:19:19 whois 209.85.15.18@whois.geektools.com
whois -h whois.geektools.com 209.85.15.18 …


At this point this site seems to be up. Anyone receiving any email similar to this should simply delete it.

If you think it really is legit, call Shaw directly and ask them BEFORE you click on the link. I feel this analysis is accurate, though limited in its conclusions. However, I hope it serves to help anyone else who seeks to eliminate phishers and other scammers.


Trend Micro Anti-Spyware Online Scan Review

September 4, 2006 13:40

Like most folks these days, I presume, you typically scan your computer either daily or weekly using an anti-virus program. You also probably run cleanmgr.exe routinely to clean junk and temp files off your drives. You probably use some kind of firewall on the PC. You probably also use some kind of spyware product.

I’ve become very disappointed with most spyware/adware products these days. They are simply either ineffective or too paranoid. Neither is an effective solution. The industry-leading Webroot is probably the most balanced on the market today, but its updating is making it ineffective when an outbreak occurs. I for one will not buy a product that doesn’t effectively update its database constantly. This is a big job, and that is why I think it’s worth spending the money on a solution, ONLY if it stays up to date.

For a free solution you can always turn to SpyBot and Ad-aware SE. Both these tools can be had for no cost and stay “reasonably” up to date, if not as current as some of the non-free products. However, every day one sees a new product coming out claiming to be the latest and greatest.

In order to get the most effective detection capabilities I think one needs to run the anti-spyware using a central repository that is constantly updated and does not require “downloading” to update, or does so with the latest (built hourly) rules.

I have tried out Trend Micro Anti-Spyware Online Scan and will provide you with a step-by-step walkthrough.

Using Trend Micro Online Scan

This is a very easy process.  The first thing you’ll obviously need is a PC connected to the Internet and to be running Internet Explorer v6.01 or greater to use the ActiveX component.

I tried it with Firefox using the “IE Tab” extension, which worked fine, and also with the “Open in IE” extension, which also worked fine. Obviously the latter actually spawns IE, whereas the former simply opens a window within the Firefox chrome. If you don’t understand all this, don’t worry. It works.

So, next you go to the link I provided above and allow the web site to install the ActiveX component which downloads the executable to perform the update and scan.

Once you get the executable running it will then update its rules from the repository at Trend Micro and start scanning.

Now we wait until it’s done.  The final result is noted by this screenshot we took:

From here we would have taken a very serious look at the machine itself, if it weren’t for a few simple facts:

1. This PC has Avast AV running; it was scanned beforehand and nothing was detected.
2. This PC also has Tiny PF 2005 installed, and could not verify any infection directly or indirectly.
3. We don’t know what exactly it found that was the problem.

So we take a closer look at the details that Trend Micro found, and this was the screenshot:


Taking a closer look would again give us an indication that our box is owned. But a few of these items are not a total surprise as far as the findings go; the others are just lacking any real detail.

So we click on the “Threat Details” link at the bottom for a selected item such as this keyfinder. Unfortunately the “Detail” is rather pathetic.

As you can see for yourself, this doesn’t tell us anything, and doesn’t confirm what we’ve found. So I decided to submit these “positives” to virus.com for testing against the world’s top AV programs.

First though, let’s just double-check it against our machine’s Avast AV:

Nothing. Well, let’s just make 100% sure.

As I was able to verify, NONE OF THE “POSITIVES” DETECTED BY TREND MICRO ANTI-SPYWARE were legit. Most of them, in fact, would have been cleaned and then rendered numerous software packages unusable. The ONLY agreement with Trend Micro is noted in the screenshot below. No other files tested positive.

This is not an acceptable tool for any “type” of detection and certainly not acceptable as a cleaner.

I would not consider this tool to be “beta” quality. You are better off running NOTHING than this software.


Vista Beta Experience – 1. AV Installation

July 4, 2006 15:07

Well, as my previous blog item indicated, I’ve gotten Vista installed on VMware. I’m still debating about actually using a PC to do a full install, as I feel I may wipe this and start fresh again.

It’s a good thing I’m not a rush-out-and-upgrade-everything person such as I was in the past. Yes, I used to be terrible at getting the latest code/betas and hardware, throwing it together and hoping it works. With tear-apart PCs this is ok, but for production work or serious gaming boxes one needs stability. Rushing the latest OS or patch just to eliminate a bug or add a feature is a nice reason, but one needs to ensure that everything that was still is, and everything we expect to be will be. Today I’ve been burned by so many upgrades that either broke themselves or something else that I’ve gotten very particular about what I install and what I don’t. On my company’s web page we review a lot of software, and seldom does a package achieve better than 70%. It’s just very hard to find a well-documented piece of software that actually does what it states without issues. Even some old favorites don’t score as high as would be expected.

This is something that seems lost on many IT professionals, but more so with marketing folks than the technical folks. Yes, rush out and get that new update, you’ll appreciate it. Really? Thank god for virtual machines. When it comes down to Vista, patching during the beta is something that will just have to be done, but at what point does it lose focus with my needs?

Why you don’t need every upgrade or patch.

My main gaming PC is currently running XP SP1, as I also use this as my main chat and torrent machine. SP2 showed that it put ‘Microsoft’s idea of security’ ahead of the user, and did things that simply are not required for experienced PC users. I saw so many problems that I decided not to upgrade this machine. It has caused a lot of problems, and as a result of changes to the way Microsoft allows access to its updates I no longer get automatic updates on this box. I can still get them manually and download them, but I hesitate to say that for the most part I don’t even worry about it. I checked, and with the exception of two critical patches in the last year that had to be installed, I haven’t installed any patches or updates on this machine in 18 months. It’s quite unlikely that for the life of this box (another two years max) I will ever upgrade this again. Will Windows stop working or break? Unlikely; it’s working fine now, and since I’m not changing any components or core kernel functions or adding new unwanted functionality, it will remain that way until it dies a natural death. This box has been well protected for its entire life, and the last thing I needed was Microsoft adding features that dumbed down my protection because most users are not aware. The key is not to allow malware to get on this machine. To date we’ve been very successful, and only now are we seeing others adopt the solutions I have been using since 1996.

Vista – Latest dummy-proof OS
When it comes to dumbed down, it seems that Vista is king at this. If my experience with Vista doesn’t improve from newbie-land soon I shall say that I’ll never adopt Vista, as too immature an OS. I realize how that sounds given all the really cool features implemented, but really, many of these cool features can be had elsewhere: other Linux distros, third-party tools to add to XP. Where I could really use some dumbing down is with the error messages and the parlance of the ‘event viewer’.

When you have a problem, do you think you get a sensible error message? No. It seems the ‘operation’ is dummy-proof, but ‘configuration’ is left cryptic. Why can’t I have better control of my PC out of the box? It seems this type of internal schism in the operation of the desktop is tantamount when dealing with any Microsoft product or tool. When Microsoft cannot adopt their own ideas fully, I should not either. Neither should you. Of course this is a beta product, so final remarks will wait until its release.

I have Vista installed and running at this point from fresh install.  The security center is complaining bitterly about not having an AV installed on it.  I really don’t need one but to get rid of this annoying red X in my systray I’ve been attempting to install something.

Bitdefender v10 beta. First choice, says it runs on all Windows OSes. Does not install, unknown error.

Kaspersky v6 beta. Second choice, does not claim to run on Vista. Does not install, incompatible OS.

PC-cillin – the Microsoft-recommended Vista beta product. Does not install, incompatible OS.

Of course every single tool used MSI to install, so my guess is it never got past unpacking before it checked.

Why don’t they check before you download and waste all that bandwidth?  I guess they’d rather waste the bandwidth.  I don’t.

So, I’m not impressed with Vista’s installation ability, since there does seem to be a disconnect between what works and what doesn’t with both Vista as an OS and the vendors supplying their tools.

And I still have that red X in my systray…..
