Computer security? Best practice? yeah, those are things we’ve heard of.

If you’ve ever run a small business, or done any accounting, you’re probably familiar with Intuit, the company that makes the popular QuickBooks accounting software.

Intuit does a lot of things other than QuickBooks, of course. They are also a business Web hosting company, a payroll tax service, a credit card merchant account company, a computer virus distribution network, and a marketing company, among other things. Not everyone knows about all the services they offer; in particular, their marketing and computer virus distribution services appear to be underrated.

Yep, you read that right. They distribute computer viruses.

Oh, not on purpose, I’m sure. They simply appear to run Web sites whose Webmasters don’t really seem to know a lot about Web security. Which would seem to be about par for the course these days, except that they..err, specialize in software that handles business financial information.

Which is a wee bit concerning, if you use Intuit and would like to feel reassured that they take the security of their network and servers seriously.

Now, to be fair, it’s not actually their main site that has the problem, at least not that I’ve seen so far. Instead, they run many “community” sites, and on some of these sites they appear to have a…relaxed approach to security and best practices.

*** WARNING *** WARNING *** WARNING ***
The URLs listed below are live as of the time of this writing. They WILL try to redirect you to sites that attempt to download malware onto your computer. DO NOT visit these URLs if you don’t know what you’re doing!

While cleaning out the contents of the spam trap on one of the WordPress sites I run, I spotted a large number of spam-trapped comments advertising FREE NUDE PICTURES with URLs of an Intuit-owned property, community.quickbooks.co.uk. Now, I see these spam posts all the time, usually made from machines in Eastern Europe and usually pointing to sites that try to download the Asprox or Zlob malware.

This particular site, though, is overrun to an unusual degree, even for a site with security problems. The site itself allows users to create their own profiles, but it does not appear to sanitize the user-supplied profiles for things like JavaScript, and it allows users to embed links and images in their profiles.

Which is, when you get right down to it, a recipe for disaster.
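As an added illustration of what "sanitizing" a profile would mean (this is my own example, not code from the forum software or from Intuit): an allowlist filter that keeps a handful of harmless tags, allows links and images only with absolute http(s) URLs, and throws away script blocks, event-handler attributes and javascript:/data: URLs while preserving the visible text. The tag set and helper names are my own choices.

```python
# Allowlist sanitizer for user-supplied profile HTML (added example, not the
# forum's own code).  Keeps a few harmless tags plus links and images with
# http(s) URLs only; everything else (script, style, on* handlers,
# javascript:/data: URLs) is dropped while the visible text is preserved.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED = {            # tag -> attributes that may survive
    "p": set(), "br": set(), "b": set(), "i": set(),
    "a": {"href"}, "img": {"src", "alt"},
}
VOID = {"br", "img"}                     # never get a closing tag
REQUIRED = {"a": "href", "img": "src"}   # drop the tag if this attr is not safe
SAFE_SCHEMES = {"http", "https"}


def safe_url(value):
    """True only for absolute http(s) URLs; javascript:, data:, vbscript:
    and scheme-relative //host URLs all fail this test."""
    parts = urlsplit(value.strip())
    return parts.scheme.lower() in SAFE_SCHEMES and bool(parts.netloc)


class ProfileSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized fragments
        self.stack = []      # open allowed tags, so we can close them properly
        self.skip = 0        # >0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED:
            return                       # unknown tag: keep text, drop markup
        kept = {}
        for name, value in attrs:
            if name in ALLOWED[tag] and value is not None:
                if name in ("href", "src") and not safe_url(value):
                    continue             # unsafe scheme: attribute dropped
                kept[name] = value
        if tag in REQUIRED and REQUIRED[tag] not in kept:
            return                       # <a> or <img> without a safe URL
        if tag == "a":
            kept["rel"] = "nofollow noopener"
        attr_text = "".join(f' {k}="{escape(v, quote=True)}"' for k, v in kept.items())
        self.out.append(f"<{tag}{attr_text}>")
        if tag not in VOID:
            self.stack.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/>, <img .../>

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
            return
        if self.skip or tag not in self.stack:
            return
        while self.stack:                # close mis-nested tags in order
            open_tag = self.stack.pop()
            self.out.append(f"</{open_tag}>")
            if open_tag == tag:
                break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))


def sanitize_profile(html):
    """Return a sanitized HTML fragment for storage/display of a user profile."""
    p = ProfileSanitizer()
    p.feed(html)
    p.close()
    while p.stack:                       # close anything the user left open
        p.out.append(f"</{p.stack.pop()}>")
    return "".join(p.out)


if __name__ == "__main__":
    # Constructed sample of the kind of profile a spam bot would submit.
    hostile = ('<p onclick="x()">Hi <script>alert(1)</script>'
               '<a href="javascript:alert(1)">x</a> '
               '<img src="http://example.com/a.gif" onerror="evil()"></p>')
    print(sanitize_profile(hostile))
```

Note that this only covers HTML injection; it does nothing about the bot-created accounts themselves, which need rate limiting or a CAPTCHA at registration.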

Anyway, the community.quickbooks.co.uk Web site is currently home to a large number of fake, automatically-generated profiles which redirect through a series of intermediates to malware sites that use a cocktail of browser exploits and social engineering tricks to try to slip malware onto visitors’ computers.

A smattering of these profiles includes:

http://community.quickbooks.co.uk/discussion/index.php?showuser=57944

http://community.quickbooks.co.uk/discussion/index.php?showuser=58063

http://community.quickbooks.co.uk/discussion/index.php?showuser=58395

http://community.quickbooks.co.uk/discussion/index.php?showuser=57939

Some of these profile sites, unusually, redirect through TinyURL to the destination payload site; others redirect more conventionally, through traffic loader sites in a manner similar to the ones I’ve written about before.

The sites redirect through TinyURL or another traffic loader to several intermediates and eventually end up at a place such as

http://stereotube.net/xfreeporn.php?id=45035

which offers free porn if you download a movie-player codec…which is, of course, a virus. (No free porn for YOU!)

Unsurprisingly, the payload site stereotube.net is registered with bogus information belonging to an identity theft victim; also unsurprisingly, it’s hosted on black-hat Web hosting company Calpop, a California Web host that has a long and ignoble history of knowingly hosting malware sites for Russian organized crime, as I’ve mentioned before.

In basic scope and layout, this is nothing but yet another Russian malware distribution network. There are only a few things about it that deviate at all from the bog-standard run-of-the-mill compromises I see every day. The first is that the compromised site is owned by Intuit, which makes me very nervous about how seriously they take computer security.

The second is that the phony profile pages that redirect to malware hide some of the redirection steps behind TinyURL redirectors such as http://tinyurl.com/25avirua rather than relying 100% on their own redirector network. (The TinyURL address redirects to a more conventional traffic redirector at http://arhetector.com/in.cgi?3&parameter=25aug, hosted by Worldstream.nl, which itself redirects either to one of several sites such as stereotube.net or to http://tinyurl.com/stereotubeonline-boom-03, which in turn redirects to http://stereotubeonline.com/xplays.php?id=48034, also hosted by Calpop.)

The third is that the phony profile pages are pulling images from various real porn sites. For example,

http://community.quickbooks.co.uk/discussion/index.php?showuser=57939

is grabbing a picture from http://www.pink4free.com/blogs/wp-content/uploads/Pink4Free/Cecash/BigTits/AllFreePorn.gif. The Web site pink4free.com used to run a WordPress blog–it appears to be defunct now–but that WordPress blog still has an open image directory, and it contains advertising banners that the Russian hackers are drawing from in a bid to make the redirectors look more convincing.

When I go to my taxes next year, I don’t think I’ll use Intuit.

New computer virus scam targets Web site owners

There appears to be a new social engineering attack making the rounds of registered owners of Web sites that have SSL encryption certificates. I have a large number of Web sites, and so far I’ve only received emails to the technical address of sites which have SSL (security) certificates on them.

*** WARNING *** WARNING *** WARNING ***
This attack is currently live. DO NOT attempt to visit the URLs in this email if you do not know what you are doing!

The emails come from a phony From: address that is system@[thewebsitename.com]. Each email takes the form:

Attention!

On October 16, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour.
The changes will concern security, reliability and performance of mail service and the system as a whole.
For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.
This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That’s all.

http://updates.[thenameofthewebsite.com].secure.ssl-datacontrol.com/ssl/id=712571016-[email address of registered contact]-patch257675.aspx

Thank you in advance for your attention to this matter and sorry for possible inconveniences.

System Administrator

So for example if you have a Web site called “theweaselstore.com” and your email address is “headweasel@theweaselstore.com” you may receive an email claiming to be from: system@theweaselstore.com, which tells you to click a link that looks like

http://updates.theweaselstore.com.secure.ssl-datacontrol.com/ssl/id=712571016-headweasel@theweaselstore.com-patch257675.aspx

Needless to say, the “patch” you download from this address is a computer virus.


This is one of the most sophisticated social engineering attempts I’ve seen to date. It seems to be going after a very specific group of people: people who own secure Web sites. The email itself is custom-tailored to look as much as possible like it comes from the system operators of the Web site in question, and the payload is delivered from a hostile server with a URL that has the address of the target site owner’s Web site embedded within it.

My suspicion, though I have not taken the time to analyze the payload, is that it is a key logger, and that the virus writers are attempting to get FTP credentials for the target Web site.

Being able to hack secure Web sites would offer the hacker a treasure trove of advantages. First, secure Web sites may contain customer information, transaction records, payment histories, and credit card numbers for the site’s customers.

Second, a phony bank or eBay site placed on a secure server is more convincing, because the phony site can be accessed using “https://” and will have the browser padlock indicating that the site is secure, which may help it to fool more people.

I’ve mentioned in this post how a Web address can be designed to fool people. It does not matter what’s in the address except for the part in front of the very first / character; so for example if you see a Web address that looks like

http://www.ebay.com.ws.eBayISAPI.dll.signin.ru/?SignIn&ru=12345

you are not on eBay. You can see where you are by looking at the part just before the first / (the host name), which in this case is

www.ebay.com.ws.eBayISAPI.dll.signin.ru

and only the right-hand end of that host name tells you who owns it: a site called signin.ru in Russia.

Similarly, in the URLs in these hacker emails, the key part of the URL is the host name, everything between http:// and the first /, in

http://updates.theweaselstore.com.secure.ssl-datacontrol.com/ssl/id=712571016-headweasel@theweaselstore.com-patch257675.aspx

The computer virus is being distributed from a site called “ssl-datacontrol.com”; the “updates.theweaselstore.com” at the front is just a subdomain the attacker created under his own domain.
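The rule just described, and the one repeated at the end of this post (trust nothing in a URL except the host name before the first slash), as an added example in Python; this is my own code, not anything from the post or from the sites discussed. The small MULTI_LABEL_SUFFIXES set is an assumption standing in for the full Public Suffix List, which a real deployment should use.

```python
# Reading a Web address the way the post recommends: only the host name
# (the part between "://" and the first "/") says where you really are, and
# within it only the right-hand end names the owner.  Added example, not the
# post's code; MULTI_LABEL_SUFFIXES is a tiny stand-in for the Public Suffix
# List and is an assumption of this snippet.
from urllib.parse import urlsplit

MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def host_of(url):
    """The host name the browser will actually connect to.

    urlsplit().hostname also strips a port and anything before '@', so the
    old "user@host" trick (http://www.ebay.com@signin.ru/) is handled too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def registrable_domain(host):
    """The right-most labels that someone had to register: signin.ru,
    ssl-datacontrol.com, quickbooks.co.uk."""
    labels = host.rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_check(url, expected_domain):
    """Return (registrable domain of url, whether it is the brand you expected)."""
    actual = registrable_domain(host_of(url))
    return actual, actual == expected_domain.lower()


if __name__ == "__main__":
    # The two addresses dissected in the post above.
    for url, brand in [
        ("http://www.ebay.com.ws.eBayISAPI.dll.signin.ru/?SignIn&ru=12345",
         "ebay.com"),
        ("http://updates.theweaselstore.com.secure.ssl-datacontrol.com/ssl/"
         "id=712571016-headweasel@theweaselstore.com-patch257675.aspx",
         "theweaselstore.com"),
    ]:
        print(brand_check(url, brand))
```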


ssl-datacontrol.com lives on servers belonging to an ISP called trouble-free.net, which is now a subsidiary of another ISP called interserver.net.

Trouble-free.net is an ISP I’m very familiar with. As near as I can tell, the “trouble” they are free of is meddling trouble such as legal issues, or those pesky problems you might have with having your spam or phish site shut down; they have, in my experience, a long and ignoble history of hosting viruses, spammers, pirate software sites (notorious credit card fraudster and pirate Art Schwartz has been hosted on trouble-free.net for over five years), and other criminal content.

The whois for ssl-datacontrol.com is, unsurprisingly, Russian:

whois ssl-datacontrol.com

Whois Server Version 2.0

Domain Name: SSL-DATACONTROL.COM
Registrar: ANO REGIONAL NETWORK INFORMATION CENTER DBA RU
Whois Server: whois.nic.ru
Referral URL: http://www.nic.ru
Name Server: NS1.CEDNS.RU
Name Server: NS2.CEDNS.RU
Status: clientTransferProhibited
Updated Date: 05-oct-2009
Creation Date: 05-oct-2009
Expiration Date: 05-oct-2010

>>> Last update of whois database: Mon, 12 Oct 2009 21:44:52 UTC <<<

Registrant ID: HEIGAAS-RU
Registrant Name: Elena V Zhuravlyova
Registrant Organization: Elena V Zhuravlyova
Registrant Street1: Orekhovyi boulevard
Registrant Street1: d.31 kv.72
Registrant City: Moscow
Registrant State: Moscow
Registrant Postal Code: 115573
Registrant Country: RU

Administrative, Technical Contact
Contact ID: HEIGAAS-RU
Contact Name: Elena V Zhuravlyova
Contact Organization: Elena V Zhuravlyova
Contact Street1: Orekhovyi boulevard
Contact Street1: d.31 kv.72
Contact City: Moscow
Contact State: Moscow
Contact Postal Code: 115573
Contact Country: RU
Contact Phone: +7 499 2678638
Contact E-mail: awoke@co5.ru
Registrar: ANO Regional Network Information Center dba RU-CENTER


So in short what we have is a very sophisticated, highly directed attack targeted at Web site owners who are using SSL security certificates on their Web sites, being conducted through emails which create a custom From address and custom attack URL for each specific victim.

The same rules apply to this as to all emails:

– DO NOT believe the From: address of an email. Ever.

– DO NOT respond to ANY security alert, question, or prompt you receive in ANY email. Ever. No matter who it appears to be from.

– Learn to read Web site URLs. DO NOT trust any part of a URL except the part immediately in front of the first slash.

Another day, another massive Web hack by the Zlob gang

I blame the_xtina for the fact that I discovered this evening what appears to be a large, coordinated, and widespread attack on multiple Web hosting providers.

I hadn’t actually intended to do any computer security stuff today; my plans for the evening involved playing WoW. the_xtina speculated during an IM conversation this evening about the existence of Viking porn, so naturally I did a Google search, and got rather more than I expected.

A Google search for “viking porn” turns up a few hits with a Google “this site may harm your computer” tag. Both of the first two I looked at–because I can’t stay away from the “this site may harm your computer” tag–had a couple of interesting things in common: they were hosted on iPower Web, the notoriously insecure Web host I’ve written about on several occasions in the past; both had malicious redirection files in a directory named /backup/, both used a complex series of traffic redirectors before ending up at the malware site proper, and both were heavily seeded throughout Google using a very large number of popular pornographic and non-pornographic keywords.

In other words, all the hallmarks of the Russian Zlob gang. God, how I hate those people.

I widened the Google search using both common keywords (like “porn”) and keywords I know the Zlob gang favors, and specifying inurl:/backup/ as part of the search.

What I ended up with was a VERY long list of compromised Web sites, each with a directory named /backup/ containing large numbers of files stuffed full of keywords and each of which redirects through a series of redirectors to a site that attempts a drive-by malware download.


Well, THAT didn’t take long…

Michael Jackson is scarcely a few days dead and the malware writers are hard at work using the news of his death to spread computer viruses.

This morning I received an email telling me (in Spanish) that there was a YouTube video of Michael’s death on the Internet, and I could see it (oh boy!) by visiting

http://youtubemichaelj.com

*** WARNING *** WARNING *** WARNING ***
This site is live as of the time of this writing. DO NOT visit this site if you don’t know what you’re doing. This site WILL attempt to download a Windows virus onto your computer.

The Web site looks just like YouTube, and presents a phony blank movie player image with a “An error occurred, please try again later” message in it, then attempts a drive-by download from

http://youtubemichaelj.com/Codec/120.exe

The download is a bit unwieldy for malware (1.8 MB in size)–much too large to be a variant on Zlob, Asprox, or any of the other malware commonly distributed as phony movie-player CODECs. I don’t believe I’ve seen this particular malware before.

The registration information is most likely bogus. The site was registered yesterday:

whois youtubemichaelj.com

Whois Server Version 2.0

Domain Name: YOUTUBEMICHAELJ.COM
Registrar: DOMAINPEOPLE, INC.
Whois Server: whois.domainpeople.com
Referral URL: http://www.domainpeople.com
Name Server: A.DNS.HOSTWAY.NET
Name Server: B.DNS.HOSTWAY.NET
Status: clientTransferProhibited
Updated Date: 29-jun-2009
Creation Date: 29-jun-2009
Expiration Date: 29-jun-2010

Registrant:
T—- G—- (youtubemichaelj.com)
(WHOIS information redacted)
US

Registrar: DomainPeople Inc.

Domain Name: youtubemichaelj.com
Created on ………….2009-06-29-14.36.03.127000
Expires on ………….2010-06-29-14.36.03.000000
Record last updated on .
Status ……………..ACTIVE

Administrative Contact:
T—- G—-
(WHOIS information redacted)

The site’s hosted on Hostway. Hostway is an unusual choice for a virus dropping site; they’re fairly clean, and a bit pricey. I suspect that the site will be disabled soon.

Given the choice of hosting companies and the size of the malware download, I am wondering if the people responsible for this malware aren’t fairly new to the game. More experienced malware and virus writers, like the Zlob gang, prefer to host on hacked sites, screen their hosts behind a network of redirectors, and store the actual payload itself on servers in Eastern Europe.

Well, now, THAT’S interesting…

A while ago, I wrote about an outfit called a2b2.net, which was hosting a number of phony PayPal and bank sites designed to dupe people into giving up their financial information.

A short time later, that particular server went offline, only to come back a few days later as a site that sold and distributed software for hacking Web servers and setting up phony bank and PayPal sites.

Well, now things take a turn for the strange. It appears that Web host has been hacked, and every Web site running on the entire Web host has been wiped.

Hm. When you go to bed with monsters…

Score one more for the good guys!

According to this article on CNet News, the Federal Trade Commission has just shut down an ISP called Pricewert, which had sought to act as a one-stop shopping center for spammers, child porn, botnet operators, and virus and malware distributors.

Pricewert operated as a Web host under a bunch of different names–3FN.net, Triple Fiber, APS Communications, and a bunch of others.

I first became aware of 3FN back in February of 2008, when I started seeing spam for all kinds of porn sites hosted on their IP space. The spam I saw generally involved URLs hosted on 3FN that redirected to the affiliate sites of large pay-for-access porn sites–a common spam tactic I’ve seen before, especially from big-name offenders like Streamate.com.

Pricewert/3FN’s business extended well beyond spam, though, and into hosting for botnet command and control servers, virus droppers, malware distribution, and even kiddie porn. In other words, about business as usual for an ISP in a place like the Ukraine or Latvia, but somewhat surprising for an ISP in the US. (Somewhat surprising, at least, until you consider that the founder of Pricewert/3FN was from the Ukraine, where the business culture is such that hosting malware, child porn, and botnet control servers is part of any ISP’s normal revenue stream.)

And here’s the part where I get all Ranty McRanterson.

What’s really, really, really disappointing to me is how poor the US ISPs and backbone providers are at policing themselves, and how even egregiously illegal activity is tolerated by the vast majority of Internet service providers.

3FN’s upstream providers knew that 3FN was a rogue ISP hosting criminals involved in spam, viruses, and malware. I know for a fact that they knew this, because I told them myself, with detailed evidence. In February of 2008. And in March of 2008 (four times). And in June of 2008. And in July of 2008. And in…well, you get the idea.

There is, in the world of ISPs and Internet connectivity, a tacit understanding that any sort of illegal activity, including identity theft, malware, fraud, and computer virus distribution, will be tolerated so long as it doesn’t create too big an uproar and so long as ISPs occasionally move the offenders around from one IP address to another. Even child pornography is not going to create a problem so long as the hosting ISP removes or moves the child porn if they receive complaints.

ISP abuse employees do not generate revenue for an Internet company. In fact, they cost a company revenue. For that reason, ISPs will often hobble their own abuse teams (I sent seven complaints to one ISP about a hacked server on their network over a period of two months, only to be told that the abuse people were not permitted to take down the server until eight weeks after they had notified the owner to fix the problem–which is about like calling the fire department because your neighbor’s house is on fire and the flames are spreading to your house, only to be told that the fire department would mail a notice to your neighbors, and would send the trucks out in eight weeks if the neighbors hadn’t taken care of the problem themselves by then).

ISPs make money by selling hosting and bandwidth to people. Every site they take down is lost revenue; every downstream service provider they cut off is a lot of lost revenue. They’re not going to lose that revenue unless they’re forced to.

Case in point: The rogue hosting provider McColo, which was notorious for hosting child porn, computer viruses (they were a preferred host for the Russian Zlob gang and for the Asprox virus gang), and credit card identity theft rings (Fraudcrew hosted sites on McColo), yet remained merrily in business, with no problems from their upstream providers, for four years in spite of the fact that it was widely known and publicized that McColo catered exclusively to criminal clientele.

And, sadly, that’s the norm, not the exception. Upstream and backbone providers will cheerfully provide connectivity to known-rogue ISPs even though the rogue ISPs violate not only the law but also the upstream providers’ Terms of Service. Global Crossing, a mainstream, respectable business, knew that McColo was hosting computer viruses and child porn; they simply didn’t care. The money of organized crime spends just as well as the money of honest businesses, and often there’s more of it.

In the ISP world, often government intervention is the only way to shut down these operators. History has proven, conclusively, beyond all shadow of doubt, that ISPs and connectivity providers absolutely, positively can not be counted on to police themselves; left to their own devices, they will permit just about anything to happen on their networks. The ongoing corrupt business practices of US ISP Calpop, for example, are ample proof of that.

It pisses me off to no end to see an entire industry that has, for all intents and purposes, quietly agreed to permit organized crime, identity theft, and child pornography on their networks as long as there’s not too much of a fuss about it, and to take action only against the one or two most extreme offenders after many years of operation. While I do not normally see government intervention as a good way to solve business problems, in this case I do not believe the ISPs will ever police themselves effectively, or even want to; there’s too much money in allowing this sort of network abuse. Given how widespread the problem is, I do not think there is any solution other than tighter regulation of criminal activity on the backs of ISPs’ networks.

More computer security: Running online frauds for fun and profit

A little while ago, I posted about a phish scam in which someone had placed multiple fake PayPal and bank sites on one server in order to trick people into handing over their bank account information. This particular type of scam is quite common, of course; I get a couple dozen a week in my email box these days.

It’s rare to see one computer hosting multiple different fake sites, and rarer still to see them hosted for an extended period of time. Usually, the way it works is that hackers break into a poorly secured Web server (for example, in today’s crop of phish emails there’s a fake PayPal page that’s on a Web site running an outdated, insecure WordPress install, and a fake Abbey Bank page running on a hacked Web site that’s using an old, unpatched copy of the Joomla content management software.)

The fake PayPal and bank sites I discovered a couple of weeks ago were running on a server belonging to an ISP called a2b2.com, which at the time I believed wasn’t actually a corrupt ISP, but rather a single clueless individual. The ISP a2b2.com is located in Great Britain and seems to be run by just one person.

A day after I posted about that site, I received an email from the guy who runs that ISP, telling me that the server had been taken offline and the fake bank and PayPal sites were gone.

I thought that was the end of it. I was wrong.


Postscript to the phishing scam

Many weeks, six emails, one complaint lodged in the ISP’s automated ticketing software, and the phish sites I talked about here remained active and functioning.

But two hours after I make a LiveJournal post about it, the site is knocked offline and I get the following email in my mailbox:

HI
We are aware of this but can’t comment further at this time however please be assured that it is being handled in line with the local police

Rus

It’s possible the timing was a coincidence, of course, and the site being knocked offline had nothing to do with talking about the phish fraud openly. It’s possible, but it seems pretty weird to me.

Computer security: Down the rabbit hole

So a couple weeks back, I get an email in my mailbox telling me that there is a problem with my PayPal account, and asking me to click a link to verify my account information.

Since I don’t have a PayPal account, it didn’t take a great deal of intellectual prowess to figure out that it was a “phish” email–an email designed to trick the credulous and unwary into going to a phony site and handing over their PayPal password. I get about a half-dozen of them a day, and I fired off emails to the appropriate Web hosts and forgot about it.

Next day, I got another phish asking me to validate my Bank of America account information. I don’t have an account with Bank of America, naturally. Again, a standard phish.

The only weird part was that the phony Bank of America site was hosted on the same Web server as the phony PayPal site. Fired off another email to the ISP hosting the fake sites and forgot it.

And got another phish email. And another, and another after that, and another after that. All advertising phony Web sites hosted on the same server.

“Huh,” I thought. “This is weird.”


The Russians are at it again

Mac users, we had a three-month respite. The Russian Zlob gang, which last September lost its servers that were distributing the Mac DNSchanger malware when the corrupt hosting company EST Hosts went dark, are back after Macs again.

Just discovered a server being used to spread Mac malware from

http://brakeplayer.net/download/get7003.dmg

*** WARNING *** WARNING *** WARNING ***
This link is live as of the time of this writing. The payload, named get7003.dmg, contains a new version of the Mac DNSchanger malware, aka OSX.RSplug.A, OSX.RSplugin.A, or OSX/Zlob.

The malicious server brakeplayer.net is brand new and is hosted in Latvia, on an ISP called “zlkon.lv”.

whois brakeplayer.net

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: BRAKEPLAYER.NET
Registrar: REGTIME LTD.
Whois Server: whois.regtime.net
Referral URL: http://www.webnames.ru
Name Server: NS1.BRAKEPLAYER.NET
Name Server: NS2.BRAKEPLAYER.NET
Status: ok
Updated Date: 26-dec-2008
Creation Date: 15-dec-2008
Expiration Date: 15-dec-2009
Name servers:
ns1.brakeplayer.net
ns2.brakeplayer.net

Registrar: Regtime Ltd.
Creation date: 2008-12-15
Expiration date: 2009-12-15

Registrant:
Nikolaj Selivestrov
Email: paul.aspen111@gmail.com
Organization: Private person
Address: ul. kosmonavtov, 132-13
City: Moskva
State: Moskovskaya
ZIP: 129301
Country: RU
Phone: +7.4957854978

I’ve also noticed an uptick in the number of hacked Web sites hosted by iPower Web lately. As I’ve talked about extensively here, here, here, and here, iPower is basically a mess. For more than a year now, hackers have been walking all over their servers, planting virus redirectors in sites that are hosted by iPower or their subsidiaries.

For a while, the number of attacks against iPower dropped to next to nothing, and I thought that they’d fixed their security problem. Now, I’m not so sure–now, I think that iPower is as compromised as it always has been, but the hackers toned down the attacks when they started getting attention. Can’t prove it, but my hunch is there’s a long-standing zero-day exploit in vDeck, iPower Web’s home-grown Web control panel software.

I think we’re going to be seeing more Mac malware in the near future.