Setting up a web trap…
In order to better understand web threats, what better way than to create your own web server?
Web admin stuff is not my forte, so I decided to follow my friend JP’s advice and go the easy way with XAMPP.
XAMPP will install pretty much all the stuff you need to start your own web server. It configures Apache, MySql and a bunch of other components used by most servers.
The other advantage that this has for me is the fact that XAMPP is not recommended for ‘real life’ uses. It is mainly geared towards testing and development. One of the reasons is because by doing a lot of the ‘default’ set up for you, it is not making your server very secure right off the bat.
It happens that this is what I want anyway.
I still have a lot to learn about Intrusion Detection Systems (IDS) and we’ve had a lot of malware lately causing us grief in our network, such as Conficker.
The idea here is to set up a vulnerable web server (Windows Server 2003) with very lax security settings (default passwords, open connections to the DB, etc.).
However, this site will not be available to the WWW. It is going to stay in our ‘very infected’ LAN, where I hope it will get owned soon.
Please do, that’s what it’s for.
Jerome
|
File infector reveals some lessons to be learned
I have a webpage to monitor some of our stats and I use some GIF files to make it user friendly.
Yesterday I noticed that the pics weren’t displaying properly… Oddly enough, all the files also had the same size now…
I still had the originals, so I compared two of them. The new (infected) GIF contains PE Sections and PE Headers!
I renamed the GIF file to EXE and ran it:
Talk about a payload…
It replicates itself as “picture files” that really are executables, and disables the file extensions display.
Upon analysis with our tools, you can see the registry key in question that hides the .EXE extensions.
The file is well detected on VirusTotal:
You may wonder how the GIF files got infected in the first place…
The files are stored on a SAMBA network share… This being a worm, it’s no big surprise that it tried to propagate through everything it could find.
This allowed us to realize there was a security hole in our virtual machine systems that opened up the network in some rare circumstances, but not rare enough to stop it from happening every once in a while.
We also tightened up the file permissions to prevent such a thing from happening again:
What does that teach me?
- Never take for granted what malware can and can’t do
- Access control is crucial
- System designs must be built with potential weak spots in mind
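An added check for the "access control" and "never take for granted" lessons above (example code written for this post, not a ParetoLogic tool): it compares what each file's extension promises against its magic bytes, so an image that really carries a PE header is flagged even though Explorer has been told to hide extensions. The sample share below is constructed in memory; the stand-in PE is only a header stub and does not execute.

```python
import os
import struct
from collections import Counter

IMAGE_EXTS = {".gif", ".jpg", ".jpeg", ".png", ".bmp"}
GIF_MAGICS = (b"GIF87a", b"GIF89a")

def looks_like_pe(data: bytes) -> bool:
    """True if the bytes carry a DOS 'MZ' stub whose e_lfanew field points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def classify(name: str, data: bytes) -> str:
    """Compare what the extension promises with what the magic bytes say."""
    ext = os.path.splitext(name)[1].lower()
    if looks_like_pe(data):
        return "PE masquerading as image" if ext in IMAGE_EXTS else "ok"
    if ext == ".gif" and not data.startswith(GIF_MAGICS):
        return "not a GIF"
    return "ok"

def audit(files):
    """files: list of (name, bytes). Returns {name: verdict} for every file that is not 'ok'.
    Several images sharing one exact size is also reported, as it was the first symptom above."""
    findings = {}
    sizes = Counter(len(data) for _, data in files)
    for name, data in files:
        verdict = classify(name, data)
        ext = os.path.splitext(name)[1].lower()
        if verdict == "ok" and ext in IMAGE_EXTS and sizes[len(data)] > 1:
            verdict = "same size as other images"
        if verdict != "ok":
            findings[name] = verdict
    return findings

def fake_pe(payload: bytes = b"\x00" * 64) -> bytes:
    """Constructed stand-in for an infected file: MZ stub, e_lfanew = 0x40, then a PE signature. Not runnable."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + payload

# Constructed sample share: two "GIFs" that are really PE files, one real GIF header, one honest EXE.
SHARE = [
    ("chart1.gif", fake_pe()),
    ("chart2.gif", fake_pe()),
    ("logo.gif", b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00" * 20),
    ("report.exe", fake_pe()),
]

if __name__ == "__main__":
    for name, why in audit(SHARE).items():
        print(f"{name}: {why}")
```

To run it against a real share, read each file's bytes from disk and feed the (name, bytes) pairs to `audit`; only the first 4 KiB or so is needed for the header check.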
Jerome
|
Rogue Trail
This story will take us from Poland, to Ukraine and Russia in the fascinating world of fake software.
WinPC Defender is a rogue anti-virus program. For some reason, the program crashed on my machine… I guess not much time is spent on quality control.
It also hijacks your browser and displays fake warnings when you click links.
I thought this one was interesting: what about a sub-affiliate? What exactly is it? If anyone knows, please tell me!
This page is registered to Andrzej from Poland.
It then takes me to the “check out” page. Time to get my credit card information!
This page is registered to Nexton Limited from Kiev, Ukraine:
After a failed attempt (bad credit card), I got redirected to another payment page:
This time folks, meet Sergey from Russia:
Well, after this Eastern Europe trip I still had some questions left in my bag. I found an answer to the sub affiliate:
A sub-affiliate is someone who joins a two-tier affiliate program after being referred to it by another affiliate.
As well as earning commissions on your own sales, you earn commissions on sub-affiliate sales.
So if Betty persuades John to join, and John (the sub-affiliate) makes a sale, Betty earns a commission.
(Taken from associateprograms.com).
It sounds like a lucrative business to me.
This is just one example of many rogue scams. Why are there so many online criminals in Eastern Europe? Well, different countries have different laws. How do you fight against someone in another jurisdiction? There is no international agreement for those kinds of matters. Read “Is it time for InternetPol?” from F-Secure for more on the topic.
Being a cyber criminal can be an easy way to make a lot of money with minimum efforts in a country where unemployment and socio-economic problems are high.
A lot of those fake programs are localised, so don’t think only North America is targeted. In fact their reach is pretty wide: so long as you have a computer and an Internet connection, you can be a victim. Those hackers leverage the lack of computer knowledge that most people have. It still gets me sometimes how some simple things don’t make people think twice.
Is there an end in sight? Not likely for a while, as the delivery mechanism (exploits, social-engineering) is pretty solid.
On the defensive side, blocking the malicious domains is always an arms race… and it is easy to change them dynamically (fast-flux) to prevent blocking.
If you are interested in reading about the rogue software business, I recommend checking out Dancho Danchev’s blog. He often posts very detailed reports.
Jerome
|
Cyber Crime Series from McAfee
I just watched the first episode of H*Commerce from McAfee. I like the concept very much and I would recommend anyone interested in security and the internet to check it out.
It’s rather short but there are extra bits of vids on certain topics and the quality is crisp.
The first episode talks about wardriving and Cap’n Crunch.
Jerome
|
Paretologic’s SWAT team, finalists for Team of the year
We were finalists for Employee/Team of the year at the VIATeC technology awards.
We thank Viatec for their recognition of our work on Vancouver Island and around the world!
Jerome
|
Malware Samples Share
We are sharing our malware samples with other trusted partners. New samples are uploaded every day.
Where do they come from?
- HoneyPots: we get lists of URLs from third-party partners, we build our own lists… Then we run these lists against our HoneyPots.
- Derived payload from Sandbox Analysis: after analysing a malware sample, we scrape the disk for malware samples. We are using different techniques to do that: mounting the NTFS partition from Linux, reading the registry and scraping it. That way, we can get everything, including rootkits.
If interested, contact me at:
Jerome
|
To install or to uninstall? That is the question.
As I was adding this rogue to our Database, I noticed a growing trend in the rogue business. As you complete the installation wizard, the uninstall wizard pops up out of the blue. What gives?
Are they being extra cautious? Are they confusing me?
Either way, I’m not keeping it.
Jerome
|
Cheap way to scan your system
Here is a cheap way to simulate a system scan… scam.
It randomly goes through a list of names… Very roguish.
Jerome
|
A link between developers and end-users
Every now and again I think about when I graduated. It was back in 2003 in my native city of Grenoble, France.
To be honest, I had no idea I was going to be in the security industry. I knew I liked computers, but wasn’t a geek either.
One topic always interested me very much though, regarding the search for information. After all, my Masters was called “Information Systems and Organisation”. So many online businesses rely on information: where and who are my customers? What are my competitors doing? etc… And you’ve got to get that information somehow… spying anyone?
Well, in the malware world, you need that information too. Where are the bad sites? Where does this connect to? What does that do?
We use complex tools to do what we need to do. You must have a certain level of knowledge in order to understand all of that and this often uses skills that span across several fields. There are some (few) people that can combine all of that and I admire them. That’s great if you are the kind of person who likes to work alone and gets things done all on your own.
However, if you work in a normal environment, you most likely will be interacting with several people. So, why not use the skills those people have, combine them and get things done twice as fast?
You do need to trust whoever you are going to delegate a task to. I believe that trust can be greatly achieved by first evaluating what that person is best at. It would be asking for trouble to give a project to someone who has no clue about it. It might turn out well, but do you want to chance that?
Also, think about the time and effort it took that person to master a particular skill. Are you ready to undertake that yourself? (Personally, I’ve always been about the easy way out.)
Last thing: by getting people involved, it gives them a sense of collaboration and satisfaction.
It’s all about being the guy in the middle… (no kinky thoughts please!)
In the next posts I will introduce some of the guys from our team.
Jerome
|
Zheng™ File Analysis
I am proud to announce the official release of our File Analysis service, using our heuristic engine, nicknamed Zheng™.
I have been working with several people that have contributed to this project and I must say I have been very impressed by their expertise.
As Manager of our SWAT Team I have always been interested in innovative and creative ideas. That is one of our strengths as a young company, to always be pushing the boundaries and achieve the best level of service.
I myself am new to this industry. It has been roughly 4 years now, but I have seen many trends in the security field. It all started with the spyware and adware craze… and along the way botnets have taken over the stage, with the Storm Worm for example.
Another drastic change is in the number of malware samples we see each day. This number has skyrocketed and shown the limitations of current Anti-Virus products.
Signature-based scanning is proven and solid, but it simply cannot keep up with the volume of samples. New methods have to be employed to detect malware.
If you look closely, those millions of threats do have things in common. Actually most of them are variants of each other. Capitalizing on that, it is possible to detect automatically generated malware that normally evades MD5 checks, for example.
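A small illustration of that idea, written for this post and not the Zheng engine itself (whose method is not described here): an exact MD5 lookup misses a variant that differs in a handful of bytes, while a similarity measure over overlapping byte 4-grams (Jaccard index) still ties it to the known sample. The three samples are constructed pseudo-random byte strings, and the 0.9 threshold is an assumption for the demo.

```python
import hashlib
import random

def ngrams(data: bytes, n: int = 4) -> set:
    """All overlapping n-byte windows of a sample, as a set."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}

def jaccard(a: bytes, b: bytes, n: int = 4) -> float:
    """Jaccard index of the two samples' n-gram sets: 1.0 identical, 0.0 nothing in common."""
    ga, gb = ngrams(a, n), ngrams(b, n)
    if not ga and not gb:
        return 1.0
    return len(ga & gb) / len(ga | gb)

def md5_match(a: bytes, b: bytes) -> bool:
    """The signature-style check: exact hash equality only."""
    return hashlib.md5(a).hexdigest() == hashlib.md5(b).hexdigest()

def is_variant(sample: bytes, known: bytes, threshold: float = 0.9) -> bool:
    """Heuristic check: close enough in n-gram space to be treated as a variant of a known sample."""
    return jaccard(sample, known) >= threshold

def _pseudo_sample(seed: int, size: int = 2048) -> bytes:
    # Constructed, deterministic stand-in for a binary; no real malware involved.
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))

KNOWN = _pseudo_sample(7)
# Same sample with a 16-byte region rewritten, the way an automated repacker might touch a stub.
VARIANT = KNOWN[:100] + b"\xCC" * 16 + KNOWN[116:]
UNRELATED = _pseudo_sample(99)

if __name__ == "__main__":
    for label, s in (("variant", VARIANT), ("unrelated", UNRELATED)):
        print(f"{label}: md5 match={md5_match(s, KNOWN)} similarity={jaccard(s, KNOWN):.3f} "
              f"variant={is_variant(s, KNOWN)}")
```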
Our team is working on several different techniques and algorithms, from the scientist’s point of view to the software developer’s implementation.
There are many challenges along the way. Those make the research projects all the more fascinating and mind-boggling. We know we have to think fast though, otherwise we would be trailing behind.
So, today, we are presenting a great milestone in our research and we encourage you to give it a try and tell us what you think.
Thanks!
Jerome
|