Thursday, May 31, 2007

Everyone knows the Internet is for porn...

but did you know our EDUs are too? This is either funny or sad, depending on your point of view, but sooooooo many EDUs turn up in our prevalence data that you could just about make the case that EDUs are the biggest identifiable segment for porn hosting.

Here are a few examples of the charming subject matter that we regularly detect in EDUs...

/incest-porn.html
/porn-videos.html
/mature-porn.html
/ladyboys.html
/teen-sex.html

Now, the fact that we keep seeing the same directory names on _geographically_ diverse EDUs actually means that the students and EDUs are not doing this deliberately, but rather that it's deliberate and systematic hacking by some group. These directories are typically full of exploits and fake codecs, so they're a good place to avoid anyway, but very often they have probable child pornography on them (LinkScanner is often able to detect kiddie porn by analyzing the html on the page, and preemptively blocks those pages), so they're probably dangerously illegal as well as malicious.

As much as I'd like to think that EDUs might rise up en masse, evict all this stuff, and fix their security, I don't like our chances, and I anticipate that they'll be part of the exploit infrastructure of the web forever.
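The reasoning above, that the same file names recurring across unrelated hosts points to a common compromise rather than local content, is easy to turn into a prevalence check. Here is an added example of that check in Python; it is not code from the original post or from LinkScanner. The hostnames are invented placeholders, the sightings are constructed, and the indicator names are the ones listed above.

```python
from collections import defaultdict
from urllib.parse import urlsplit
import posixpath

# File names the post reports seeing over and over on compromised EDU hosts.
INDICATOR_NAMES = {
    "incest-porn.html", "porn-videos.html", "mature-porn.html",
    "ladyboys.html", "teen-sex.html",
}

# Constructed sightings, as a crawler or prevalence feed might report them.
# The hostnames are invented placeholders, not real institutions.
SAMPLE_URLS = [
    "http://www.example-univ-a.edu/~webuser/porn-videos.html",
    "http://cs.example-univ-b.edu/files/porn-videos.html",
    "http://lib.example-univ-c.edu/old/porn-videos.html",
    "http://lib.example-univ-c.edu/old/teen-sex.html",
    "http://www.example-univ-a.edu/~webuser/teen-sex.html",
    "http://www.example-univ-a.edu/~webuser/teen-sex.html",  # repeat sighting
    "http://www.example-univ-d.edu/courses/syllabus.html",    # ordinary page
    "http://www.example-host-e.com/teen-sex.html",            # non-EDU host
]


def split_url(url):
    """Return (lower-cased hostname, final path component) for a URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return host, posixpath.basename(parts.path)


def flag_known_names(urls, indicators=INDICATOR_NAMES):
    """Sightings whose file name is one of the known indicator names."""
    return [(host, name) for host, name in map(split_url, urls) if name in indicators]


def names_by_host_prevalence(urls, min_hosts=2, suffix=".edu"):
    """Map each file name to the distinct hosts it was seen on, keeping only names
    seen on at least `min_hosts` different hosts whose name ends with `suffix`.
    A name that recurs on unrelated hosts is the signal the post describes:
    the same kit dropped on many machines, not content each site chose."""
    hosts_for = defaultdict(set)
    for host, name in map(split_url, urls):
        if name and host.endswith(suffix):
            hosts_for[name].add(host)
    return {name: sorted(hosts) for name, hosts in hosts_for.items()
            if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for name, hosts in sorted(names_by_host_prevalence(SAMPLE_URLS).items()):
        print(f"{name}: seen on {len(hosts)} EDU hosts -> {', '.join(hosts)}")
```

The two functions answer different questions: `flag_known_names` matches sightings against names you already know are bad, while `names_by_host_prevalence` finds new names worth adding to that list because they keep turning up on hosts that have nothing to do with each other. Repeat sightings of the same host are collapsed, so one noisy host cannot push a name over the threshold on its own.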


Cheers

Roger


Wednesday, May 30, 2007

One mystery solved - it's MPACK not WebAttacker2

Hi folks,

For ages now, we've been seeing certain patterns of exploits, wrapped in distinctive patterns of obfuscation. We saw them start at a particular site in Russia, and gradually spread to _many_ other places, and it was obvious to us that it was being sold as a package. So obvious, in fact, that we blogged about it with the title "WebAttacker is dead, Long live WebAttacker". In other words, there was clearly at least one new kid on the pre-packaged exploit block, but we didn't know what to call it.

Today we do... it's called MPACK (Thanks to Symantec and Panda for figuring that out).

It's been interesting to watch the development of this one, as they've added exploits and changed their encryption. Like WebAttacker, they track the visitors' IPs and won't serve the exploits a second time. They used to say "Sorry! You ip is blocked." but now they just display a grumpy face if you come back for a second look... like this... :[

At least they have a sense of humor.

We've seen a real uptick in hacked legit sites pointing to other servers that have been hacked and are now MPACK exploit servers, so everyone should be careful for a bit.

Cheers

Roger


Thursday, May 17, 2007

And I thought I was patched!

Hi folks,

We got all excited today because one of our fully-patched goat PCs got nailed by a website. (The fact that we got all excited tends to show how sad malware researchers are in general, but that's another matter.)

"0-day!", we thought, but as we examined the packets from our sniffers, we sadly realized that we weren't really fully patched. Turns out we had an old copy of WinZip (yes, licensed!), and this particular website had a WinZip exploit, along with several others.

This got us thinking, however: how many other machines have some third-party software that is not patched? Windows is ubiquitous, some third-party software is _almost_ so, and an exploit for a third-party package is likely to be just as productive as a Windows 0-day.

The moral of the story, folks, is keep _all_ your software up to date.

Remember, the Bad Guys don't want to shut down the Internet any more... they don't want to cut down the tree... they just shake it from time to time, and see what apples fall off.
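The lesson of the WinZip story is that an "am I patched?" check has to cover every installed product, not just the operating system. Below is an added example of such an audit in Python; it is not code from the original post. The inventory is constructed, and the minimum versions in `MIN_PATCHED` are hypothetical placeholders standing in for whatever a vendor's advisory says, not real advisory values.

```python
import re

# Constructed inventory in the shape an installed-programs export might give:
# (product name, installed version string). Versions are placeholders.
SAMPLE_INVENTORY = [
    ("Microsoft Windows", "5.1.2600.3"),
    ("WinZip", "9.0"),
    ("Adobe Flash Player", "9.0.45.0"),
    ("QuickTime", "7.1.6"),
]

# Hypothetical "lowest version considered patched" per third-party product.
# These values are illustrative placeholders, not taken from any advisory.
MIN_PATCHED = {
    "WinZip": "10.0",
    "Adobe Flash Player": "9.0.45.0",
    "QuickTime": "7.1.6",
}


def parse_version(text):
    """Turn '9.0.45.0' into a tuple of ints. Parsing stops at the first
    component with no leading digits, so '7.1.6b' becomes (7, 1, 6)."""
    nums = []
    for part in text.split("."):
        match = re.match(r"\d+", part)
        if not match:
            break
        nums.append(int(match.group()))
    return tuple(nums)


def version_lt(a, b):
    """True if version string a is older than b. Shorter tuples are padded
    with zeros so '9.0.45' and '9.0.45.0' compare equal."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return ta < tb


def audit(inventory, baseline):
    """Compare installed versions against the baseline.
    Returns (outdated, unknown): outdated is a list of (product, installed,
    required) triples; unknown lists products with no baseline entry, whose
    patch state the audit cannot judge and which need a source of truth."""
    outdated, unknown = [], []
    for name, installed in inventory:
        if name not in baseline:
            unknown.append(name)
        elif version_lt(installed, baseline[name]):
            outdated.append((name, installed, baseline[name]))
    return outdated, unknown


if __name__ == "__main__":
    old, unk = audit(SAMPLE_INVENTORY, MIN_PATCHED)
    for name, have, need in old:
        print(f"OUTDATED: {name} {have} (need {need})")
    for name in unk:
        print(f"NO BASELINE: {name}")
```

The numeric comparison matters: comparing version strings as text would rank "9.0" above "10.0" and report the old WinZip as fine. The `unknown` list is the other half of the lesson. A product the baseline does not know about is not "patched", it is unassessed, and it is exactly where the next surprise comes from.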

Cheers

Roger


Monday, May 14, 2007

Three bags full

Hi folks,

The title actually bears little relationship to the story... it merely reflects that I have little kids and have been reading too much Mother Goose.

There are three items I'd like to share though.

The first is this excellent article by Didier Stevens. See here.

The nub of this matter is that Didier conducted an experiment where he registered adwords and waited to see how many clicks he'd get. The adwords were variations of "drive by download" and for $23 his ad was displayed 259,723 times over six months, and clicked on 409 times. It's a great article and well worth a read.

The second item I wanted to share was that the iframecash boyz have now started using .hk domains. It will be interesting to see how this pans out.

The third item is that, overall, things are pleasantly quiet in the web-based exploit world. We sincerely hope that it's not calm-before-storm stuff.

Cheers

Roger


Saturday, May 05, 2007

So, Cinco de Mayo is dangerous

Hi folks,

Of course, you could have called that in from your couch. It turns out that these guys, http://freewebcards.com, have been hacked. Let me stress that they are not deliberately doing this, but they are now an Innocent Lure. We first noticed them on April 26th, and they fixed it almost immediately, and noted that they were trying to address the problem.

Today, however, it turned up on SearchShield results. If you search for "what is cinco de mayo" in Google, it shows up on the second page with an MDAC injection. See here.

The webpage looks like this, and a source view shows a chunk of obfuscated javascript like this.

Now, these guys are obviously trying to be careful. See this message from 26th April, where they acknowledged that people were getting at them and that they were trying to sort it out, so if these guys can get nailed again within a couple of weeks, _anyone_ can get nailed.
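A site owner who wants to catch this kind of re-infection before a search engine does can scan their own pages for script blocks that look injected. Here is an added example of that check in Python, using the standard library only; it is not LinkScanner's logic and not code from the original post. The sample page is constructed, and the encoded text inside the "injected" block is a harmless placeholder string, not the real freewebcards.com injection.

```python
import math
import re
from html.parser import HTMLParser


class ScriptExtractor(HTMLParser):
    """Collects the raw text of every <script> block in an HTML document."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._buf = None  # list of text chunks while inside <script>, else None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append("".join(self._buf))
            self._buf = None

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)


def extract_scripts(html):
    parser = ScriptExtractor()
    parser.feed(html)
    parser.close()
    return parser.scripts


# Calls that decode or emit markup at run time; legitimate in small doses,
# but the usual wrapper around an injected, escaped payload.
SUSPICIOUS_CALLS = ("eval(", "unescape(", "document.write(", "String.fromCharCode(")
ESCAPE_RE = re.compile(r"%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")
LONG_LITERAL_RE = re.compile(r"""(["'])[^"'\n]{200,}\1""")


def shannon_entropy(text):
    """Bits per character of the text's byte-symbol distribution."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def obfuscation_score(script):
    """Score one script block; higher means more obfuscation indicators.
    Returns (score, reasons) so an analyst can see which heuristics fired."""
    text = script.strip()
    score, reasons = 0, []
    calls = [c for c in SUSPICIOUS_CALLS if c in text]
    if calls:
        score += len(calls)
        reasons.append("decoder/writer calls: " + ", ".join(calls))
    escapes = ESCAPE_RE.findall(text)
    density = sum(len(e) for e in escapes) / len(text) if text else 0.0
    if density > 0.3:  # most of the block is %xx / \xNN / \uNNNN escapes
        score += 2
        reasons.append(f"escape density {density:.2f}")
    if LONG_LITERAL_RE.search(text):
        score += 1
        reasons.append("string literal of 200+ chars")
    if len(text) >= 64 and shannon_entropy(text) > 5.0:
        score += 1
        reasons.append("high character entropy")
    return score, reasons


def find_suspicious_scripts(html, threshold=3):
    """Return (index, score, reasons) for each script block scoring at or above threshold."""
    hits = []
    for i, script in enumerate(extract_scripts(html)):
        score, reasons = obfuscation_score(script)
        if score >= threshold:
            hits.append((i, score, reasons))
    return hits


# Constructed sample page: one ordinary script plus one block of the
# eval(unescape("%xx...")) shape. The encoded text is a harmless placeholder.
_ENCODED = "".join("%%%02x" % ord(ch) for ch in "var x = 'constructed sample payload';")
SAMPLE_HTML = f"""<html><head><title>Cinco de Mayo cards</title>
<script type="text/javascript">
function greet() {{ alert("hello"); }}
</script></head><body><h1>Greeting cards</h1>
<script>eval(unescape("{_ENCODED}"))</script>
</body></html>"""

if __name__ == "__main__":
    for index, score, reasons in find_suspicious_scripts(SAMPLE_HTML):
        print(f"script #{index}: score {score}: {'; '.join(reasons)}")
```

Run against a saved copy of each page (or the output of a crawl of your own site), this flags the `eval(unescape(...))` block and passes the ordinary one. The score is deliberately a sum of independent heuristics rather than a single signature: the packaged kits change their encoding regularly, but they still have to decode and write the payload somewhere, so the wrapper calls and the escape density survive a change of obfuscation scheme. Tune the threshold against your own clean pages before alerting on it.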

Cheers

Roger

Tuesday, May 01, 2007

Nope, they're victims too

Hi folks,

Over the last few days, I've had lots of people asking me questions about the targeted sites, such as Better Business Bureau, with some people thinking mistakenly that the BBB is actually serving exploits to them. That is not the situation at all. BBB (and all the other websites targeted by the scam) had nothing to do with it, and didn't even know their name was being used.

I've also had lots of people asking me what they can do to stay safe from this sort of thing, and the short answer is (1) patch and (2) install LinkScanner (shameless plug). It's actually worth installing LinkScanner even if you do patch because it's nice to know if a website _tried_ to bite you, even if you were not vulnerable.

LinkScanner scans all webpages returned by search engines when you do a query, and the Pro version also scans all TCP/IP traffic in real time anyway. What this means is that even if a bad web page is cunning enough to wait until you actually try to surf to it to launch the exploit, LinkScanner will still see it and block it.

By the way, we've found some more interesting sponsored links (not google this time), and as soon as we finish documenting them, we'll write about it here.

Cheers

Roger