Wednesday, October 11, 2006

Dang! That didn't take long.

Hi folks,

My last entry was "Chalk one up for Spamhaus", wherein I lauded Spamhaus for getting some of the Bad Guys summarily shut down.

Alas... it seems that they are back up, minus the single domain that we fingered.... Thanks to our friends at Sunbelt for noticing this one, and kudos to them again for sharing research.

It seems the Bad Guys are more resilient than we thought (but honestly about what we expected) and are happily serving VML and SetSlice from all/many of their other domains.

Not only that, but it seems that Microsoft did not include the patch for the DirectAnimation PathControl vulnerability (commonly known as Daxctle) in this month's patch batch, so it remains to be seen if the Bad Guys will pick this one up.

Folks .... you need to patch and install SocketShield. It's getting tricky out there.


Monday, October 09, 2006

Chalk one up for Spamhaus

Hi folks,

In my previous blog entry, I expressed surprise that the sites serving the SetSlice zero-day had been shut down so abruptly, and I opined that they'd made someone really grumpy.

It turns out that the grumpy ones were Spamhaus! Actually, I doubt they were really grumpy, because I doubt they take this stuff personally... but I digress... Spamhaus saw my warning about the CoolWebSearch sites using the SetSlice zero-day, and took the potentially original step of complaining to the ISP, variously known as EstHost or InHoster, and shockingly, EstHost/InHoster actually shut down those websites and a bunch of related websites immediately.

So why is this shocking? Isn't that what ISPs are supposed to do? Well, yes, but CoolWebSearch has been serving up Windows Metafile exploits with impunity since January! 48 hours of SetSlice, and whap!.... half their network is gone.

One of four things has happened. Either ...

(1) The ISP has suddenly become more responsible. Kudos to them if they have, and perhaps this is a harbinger of better days ahead, or,
(2) The ISP decided it didn't like the heat of being associated with a zero-day. In other words, it's fine to serve up mouldy old exploits, but not zero-days, or,
(3) The ISP is simply scared of Spamhaus, or,
(4) All of the above.

Spamhaus has been under siege lately, and I think it would behoove us all to understand and remember that they have nipped a potentially huge problem right in the bud.

Folks, do what you can to support Spamhaus.


Friday, October 06, 2006

Follow up from the weekend's SetSlice activities

Hi folks,

Now that the dust has settled from the weekend's activities, it's worth trying to figure out what happened. The basic timeline went like this...

Friday evening, we discovered the SetSlice exploit in use in the St Petersburg iframers sites, and just when we thought it was safe to go back in the water the next morning, we discovered it in the bogus search engine (normally called CoolWebSearch) sites.

No patch exists for this exploit even now, but the exploit is not really widespread because something really interesting happened.... someone shut their websites down!

Now, normally, I wouldn't be all that shocked to see an exploitive website shut down, except that these guys have been around so long, I thought they must be invulnerable. The iframers have been doing exactly the same thing for years, just swapping ISPs when someone got tense with them, and the CoolWebSearchers have been shooting WMF exploits at people with impunity since January this year at least.

I guess they made someone really grumpy.

You have to admire their resilience though. The iframers are already up and running somewhere else, and the CWS folk are trying.

It's good for Internet safety though, because it puts us closer to Patch Tuesday and a (hoped-for) official patch.



It's _not_ MySpace!

Hi folks,

Last night, I, along with several other people that I know, received an email, purporting to be from a friend on MySpace, offering a new song.

There were multiple enticing links in the email, all similar to this one ....

Click here to get 5-free songs downloaded to Your Space:
h t t p : / / myspace . /?reloc.cfm=6& id=9129294431_5free

and text like this ....

"At MySpace we care about your privacy. We have sent you this
notification to facilitate your use as a member of the MySpace service. If
you don't want to receive emails like this to your external email account
in the future, change your Account Settings to "Do not send me
notification emails"

Given that none of us are actually members of MySpace, I was immediately suspicious and decided to take a look at it in a bit of detail.

Here's what I found:

Firstly, resolves to, which is part of this address space ...

inetnum: -
netname: CNCGROUP-GD
descr: CNC Group Guangdong province network
descr: China Network Communications Group Corporation

Gosh! I thought was in Santa Monica! I'm shocked!

Let's visit the actual site (in a virtual PC, of course). I'll click on the link that offers five free songs.... that can't hurt, can it?
Wait .... I'm not at a MySpace page at all... the link has taken me to h t t p ://

And where are my five free songs? This place is just selling mp3s for 10 cents a song. I wonder if the RIAA knows about this?

Port 8080? That's a bit suss. Web pages are supposed to be on port 80 normally. Hmmmm.
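The checks above (does the link's host actually belong to the brand it claims, what does it resolve to, does the landing page land somewhere else, and is it on an odd port) can be scripted so the same triage runs on the next lure. The following is an added example, not code from the original post; the host names, the address block (203.0.113.0/24 is documentation space) and the WHOIS names are constructed stand-ins so it runs offline, and the real lure's addresses are not reproduced here.

```python
"""Offline triage for a link that claims to belong to a well-known brand."""
import ipaddress
from urllib.parse import urlparse

# Constructed data standing in for a DNS lookup and a WHOIS query.
# Hypothetical hosts and a documentation netblock, not the lure's real data.
FAKE_DNS = {
    "myspace.example.net": "203.0.113.10",   # the lure host in the email
    "mp3shop.example.org": "203.0.113.77",   # where the lure actually lands
}
FAKE_WHOIS = {
    ipaddress.ip_network("203.0.113.0/24"): "HYPOTHETICAL-NET (example hosting block)",
}


def under_brand(host, brand_domain):
    """True only if host is brand_domain itself or a subdomain of it.

    'myspace.example.net' and 'myspace.com.evil.net' both fail, which is
    exactly the kind of look-alike a lure relies on.
    """
    host = host.lower().rstrip(".")
    return host == brand_domain or host.endswith("." + brand_domain)


def whois_netname(ip_text, whois=FAKE_WHOIS):
    """Return the netname of the block containing ip_text, or None."""
    ip = ipaddress.ip_address(ip_text)
    for net, name in whois.items():
        if ip in net:
            return name
    return None


def triage(link_url, brand_domain, landing_url=None, dns=FAKE_DNS):
    """Return a list of reasons to distrust link_url, which claims to be brand_domain.

    landing_url is where the link ended up after any redirects (observed in a
    sandbox, never on a production box). An empty list means nothing odd was seen.
    """
    findings = []
    link = urlparse(link_url)
    host = link.hostname or ""

    # 1. The link text may say "MySpace"; the host is what matters.
    if not under_brand(host, brand_domain):
        findings.append(f"link host {host!r} is not under {brand_domain}")

    # 2. Who actually owns the address the host resolves to?
    ip = dns.get(host)
    if ip:
        findings.append(f"{host} resolves to {ip} ({whois_netname(ip) or 'unknown'})")

    # 3. Where the click really lands, and on what port.
    if landing_url:
        land = urlparse(landing_url)
        lhost = land.hostname or ""
        if lhost != host:
            findings.append(f"redirects to a different host: {lhost!r}")
        port = land.port or (443 if land.scheme == "https" else 80)
        if port not in (80, 443):
            findings.append(f"landing page served on non-standard port {port}")
    return findings


if __name__ == "__main__":
    for f in triage("http://myspace.example.net/?reloc.cfm=6&id=5free",
                    "myspace.com",
                    landing_url="http://mp3shop.example.org:8080/"):
        print("-", f)
```

Swap `FAKE_DNS` and `FAKE_WHOIS` for a real resolver and a WHOIS client when using this for real, and keep the "visit the landing page" step inside a throwaway VM as the post does; the script only reasons about URLs you have already observed.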

In summary, on the plus side, there are no exploits, and no codecs, fake or otherwise, to download as far as I can see. It seems to be nothing more than a site selling MP3s.

There are a bunch of things on the minus side, however...

(1) It was advertised in spam (we should _never_ buy anything advertised in spam).
(2) It said it was from MySpace. It clearly has nothing to do with MySpace.
(3) It offered me five free songs, but then forgot all about that offer when I got to the website.
(4) When there is that much untrustworthiness to begin with, there is no way to tell what might happen in the future.

It's just bait and switch spam.

You could put your credit card in and buy some mp3s for 10 cents a piece, but you _might_ find that it ends up costing you a lot more in the long run.

Never buy anything from spam.