Tuesday, November 25, 2008

Symantec Released "Underground Economy Report"

Worth reading, http://www.symantec.com/business/theme.jsp?themeid=threatreport
Here are some interesting points:

Economic Figures:
- Underground business matured and became like traditional business model.
- The estimated potential worth of all credit cards information sold is $5.3 billion
- "Reported" transactions using stolen credit cards, valued $4.3 million
- Value of "Reported" advertised goods was over $276 million, with around 60% of that value from Credit Cards, 16% from identity theft, and 10% from selling server accounts. these numbers does not calculate the usage of these stolen information.
- Specialization in the services offered is becoming an increasing trend, because of the complexity of the business model. the tools need to be developed, used by attackers, goods and services must be marketed and traded.
- There is a certain amount of collaboration between different underground groups and organizations, specially at the administrative level

Groups and Organizations:
- Channels used for communication: IRC rooms , and Web based Forums
- IRC channels are used more than web forum
- Almost 80% of IRC servers life span is relatively short (7days - 30 days)
- Members of forums and IRC rooms are changing identities more often

Goods & Services:
- Almost 70% of goods and services sold are "credit card information", "financial accounts", and "spam & phishing information"
- Users also sell safe "drop" physical location, in order to safely receive physical goods without being traced.

Malicious code:
- Banking trojans, backdoors, password stealers, and all other types are trying mainly to evade AntiVirus detection
- 163% increase of new Malicious code in 2nd half of 2007
- The focus now is not on new malicious code, as it is on Packers, and Binders (bind malicious code with legitimate one)
- Binders and Packers are the most costly tools with price range (10-100$)
- Exploits targeting specific site (banking) is the most expensive exploit with avg. price 740$
- Remote File Include (RFI) exploits for 500 links will cost 200$
- ecommerce exploit (50 shop site) is traded for 150$
- Browser exploits, cost is 37$
- The most common php shells used with RFI, are C99/R57 shells and php SPAM mailer

Payment System:
- Almost 65% of payments are through online currency accounts which convert money into electronic money based on metals , such as gold or silver

Saturday, November 22, 2008

Anti Virus EffectiveLESS

I am trying to measure the effectiveness of AntiVirus engines, as there are lots of talks about AV companies, so I decided to try myself.

The huge variations of malware that appear everyday is making things harder on the AV vendors. Here is a clear and practical example:

I am using Bifrost as my test malware, it is well known trojan since 2006, very easy to use, you just need to configure it and it will generate a server.exe file that when you run it on the victim's machine, it will connect to your Bifrost trojan on your machine.

- Bifrost will allow you to have full control over the victim, things like file manager, offline and online key logger, screen shots with different resolutions, ...... it is a nice tool indeed.

- Let us check how many AV will detect the server.exe file as a malware, the detection rate is more than 95%, which is good if we discard the fact that all AV should detect it as it is an old well known trojan, however let us skip this part.

- My goal here is to trick AV, let us do some packing, and use MS IExpress, which is MS tool to create a self-extracting and self-installing package.

- Let us check the results now, detection rate is 52%, wow, Mcafee and Symantec did not catch it, as most Enterprises I knew are using Mcafee and Symantec AV, this should be an alarming sign to them, watch out. Kaspersky, MS, AVG, clamAV, sophos,.. detected it.

- Let us add some complexity to the AV engines, I will change the extension of the server.exe file to server.jpg, and create a shortcut to it , then zip the 2 files as SFX exexutable file winrar, the end result is server.exe. the detection rate now is 51%, not bad, we are progressing.

- Let do something else, I will email the last file to myself using some of the widely used free web mail services, here is what i got:
Google: did not allow me to attach the file.
Hotmail: the email was sent but it was placed it in the spam section, with a warning that there might be some unsafe content.
yahoo new interface: the email went to the spam folder.
yahoo classic: the email was delivered in the inbox with no warning

Now imaging that a hacker has crafted a nice well prepared social attack against you, and attracted you to open the file even it is in the spam folder,.... job done :)

The message is clear now, AV engines are not good anymore, they have to evolve or die.

One last nice note, Microsoft AV detected them all !!!

Monday, November 17, 2008

Monday, November 10, 2008

How profitable is SPAM?

Ever Wondered about the hidden economy of SPAM? check this out...
Researchers from University of California conducted several researches into the in-famous Storm botnet, to measure the effectiveness, and response rate of Storm SPAM campaign, according to the study, only 0.000001% of the spam messages sent, have a response back from people. That is a fairly low number, it means that out of 12.5 million SPAM email, they got 1 response. So, would you consider this profitable...... YES, it is still profitable, specially if the cost of sending these SPAM emails is null, and the money they are getting from selling things like V i a g r a is not bad.

Here are some calculations, utilizing the storm network, the operator can get a revenue of 2 million US$ per year. not bad at all....

Wednesday, November 5, 2008

New automated security tools released

Automated web defacement ( MultiInjector):
Based on Python, "MultiInjector" a configurable automatic website defacement software, the tool uses SQL injection attacks.

Automated SQL-Injection (BSQL Hacker):
Support MS-SQL, Oracle, and Mysql, PostgreSQL and MS-Access.

Tuesday, November 4, 2008

Worm Exploiting MS08-067 in the Wild

Several reports indicate a worm is propagating in the wild, the worm is based on the MS08-67 patch releases on October 23rd. The origin of the worm is believed to be China.
The detected worm will start scanning the local subnet for port 139, once the victim machine is infected the malware will then try to download additional code, one of the additional codes spotted is an old DDOS malware as part of a DDOS botnet. The trojan will then block access to most Antivirus sites.

The worm doesn't appear to be very widespread, although that could change.

Exploits Available from :
Core Technology
Security focus


Monday, November 3, 2008

Security Intelligence

This paper can be a starting point to establish a watch and warning team in any organization. I can see Security watch-and-Warning as a vital part of any security team in any medium and large organization.