Igor Delovski Board

[delovski]

Is the Botnet Battle Already Lost?

"Now, there is a general feeling of hopelessness among security
professionals involved in finding and disabling botnets. It remains to be
seen how this despair affects security products and the attitudes of the
technology executives who rely on them."

[delovski]

The SpamHuntress Wiki Page and accompanying Blog

"Ann Elisabeth Nordbø works as a security specialist at Nittedalsnettet,
a local ISP in Norway that's wholly owned by Hafslund. She's the mailserver
administrator, and likes tuning her servers to reject as much spam as
possible.

One website (spamhuntress.com) was perhaps the first blog to take
webspam seriously, and quickly shot to the top in that field."

[Ike]

Digg: The world's most sophisticated Trojan uncovered

"Botnet software installs its own anti-virus engine. Security experts have
discovered new spambot software that installs its own anti-virus scanner
to eliminate competition, alongside a number of other sophisticated features."

[Ike]

JoS: Exposing Blog thief?

"What would YOU do if you discovered somebody was directly ripping off
(republishing without permission) one of your blog postings on his
AdSense-riddled blog? And not only that, but the whole blog seems to be
composed of rip-offs from lots of people such as Guy Kawasaki."

[delovski]

Slashdot: Joanna Rutkowska Discusses VM Rootkits

"There's an interesting interview on eWeek with Joanna Rutkowska,
the stealth malware researcher who created 'Blue Pill' VM rootkit and planted
an unsigned driver on Windows Vista, bypassing the new device driver
signing policy. She roundly dismisses the quality of existing anti-virus &
anti-rootkit products and makes the argument that the world is not ready
for VM technology. From the article: 'Hardware virtualization, as recently
introduced by Intel and AMD, is very powerful technology. It's my personal
opinion that this technology has been introduced a little bit too early,
before the major operating system vendors were able to redesign their
systems so that they could make a conscious use of this technology,
hopefully preventing its abuse.' "

[XNote]

Reddit: Paypal Building Rocked by Explosions

"An explosion at eBay's PayPal division Tuesday night shattered a window
and forced the evacuation of 26 employees, as crews combed the company's
North First Street complex for incendiary devices."

[Ike]

Digg: New phishing statistics

"Phishtank, a service run by the good folks at OpenDNS, have
published their first set of phishing statistics. Interesting stuff, showing
that Paypal and eBay continue to be the most targeted organizations in
phishing attacks, but some German banks are climbing up the scales."

[delovski]

Slashdot: How to Prevent Form Spam Without Captchas

"Spam submitted to web contact forms and forums continues to be a huge
problem. The standard way out is the use of captchas. However, captchas
can be hard to read even for humans. And if implemented wrong, they will
be read by the bots. The SANS Internet Storm Center covers a nice set of
alternatives to captchas. For example, the use of style sheets to hide certain
form fields from humans, but make them 'attractive' to bots. The idea of
these methods is to increase the work a spammer has to do to spam the
form without inconveniencing regular users."

[delovski]

Slashdot: Cybercrime — an Epidemic?

"'Cybercrime is pervasive, nondiscriminatory, and dramatically on the
increase.' So states TEAM CYMRU, an altruistic group of researchers
focused on making the Internet more secure. This article is a look into the
root causes of Cybercrime, its participants, and their motivations, as well
as suggestions on what we can do to stop this epidemic."

"Many victims do not seem to draw the correlation between their losses
and cybercrime; worse, they often view it as a crime that is impossible to
investigate and prosecute. For cybercrime to be acknowledged as an
important issue, the victims must report such incidents to a receptive law
enforcement community with a well-informed judiciary. Attempts such as
the president's National Strategy to Secure Cyberspace represent a
significant first step in the right direction. To have the desired impact,
however, the detailed provisions delineated as action/recommendations
must be implemented."

[delovski]

Slashdot: Best Method For Foiling Email Harvesters?

"One of the common ways that spammers generate email mailing lists is
by harvesting email addressess from websites. But in many cases you also
need to make it easy for your customers to reach you. I have found three
common solutions to this problem: 1.) Use an image to replace your email
address. 2.) Use ascii encodings for some/all of the characters. 3.) Use
javascript to concatenate and/or obfuscate your email address. Which of
these methods are most effective? Are email harvesters able to interpret
javascript? What do you use?"

[Ike]

World’s Worst Spammers Named and Shamed

"What this reveals, rather alarmingly, is that around 80% of spam that
targets Internet users in North America and Europe is actually generated
by a small hardcore group of no more than 200 professional spam gangs."

[delovski]

Slashdot: Spammers Learn to Outsource Their Captcha Needs

"Guardian Unlimited reporter Charles Arthur speaks with a spammer,
discussing the possibility that his colleagues may be paying people in
developing countries to fill in captchas. In his report, Arthur discusses
Nicholas Negroponte's gift of hand-powered laptops to developing nations
and the wide array of troubles that could arise as the world's exploitable
poor go online."

From the article: "I've no doubt it will radically alter the life of many in
the developing world for the better. I also expect that once a few have
got into the hands of people aching to make a dollar, with time on their
hands and an internet connection provided one way or another, we'll see
a significant rise in captcha-solved spam. But, as my spammer contact
pointed out, it's nothing personal. You have to understand: it's just business."

[delovski]

Reddit needs a Captcha. A new user just dropped 265 spam-comments in 5 minutes.

"Maybe there just needs to be a comment throttle. Just store a timestamp
in the users profile and only let them post once per minute or something. I
mean, how often do you find yourself posting faster than once per minute?
If it is very often, maybe you need to think things out more!

In any case, that would have reduced this to "6 spam comments in 5
minutes" which wouldn't be nearly as annoying."

[delovski]

Slashdot: RFID Personal Firewall

"Prof. Andrew Tanenbaum and his student Melanie Rieback (who published
the RFID virus paper in March) and 3 coauthors have now published a paper
on a personal RFID firewall called the RFID Guardian. This device protects
its owner from hostile RFID tags and scans in his or her vicinity, while letting
friendly ones through. Their work has won the Best Paper award at the
USENIX LISA Conference."

[delovski]

JoS: Virus won't let me install AV

"Although I had Free AVG installed, a virus closed it down, and won't
let me either restart it, uninstall and reinstall it, or install another AV
like ClamWin."

[delovski]

NY Times: Attack of the Zombie Computers Is Growing Threat

"With growing sophistication, they are taking advantage of programs that
secretly install themselves on thousands or even millions of personal computers,
band these computers together into an unwitting army of zombies, and use
the collective power of the dragooned network to commit Internet crimes.

These systems, called botnets, are being blamed for the huge spike in spam
that bedeviled the Internet in recent months, as well as fraud and data theft."

[Ike]

Slashdot: Six Rootkit Detectors To Protect Your PC

"InformationWeek has a review of 6 rootkit detectors.This issue became
big last year when Sony released some music CDs which came with a rootkit
that silently burrowed into PCs. This review looks at how you can block
rootkits and protect your machine using F-Secure Backlight, IceSword,
RKDetector, RootkitBuster, RootkitRevealer, and Rookit Unhooker."

Later in the comments: "Hey, thanks for the mention in the article but that
is a really old version you've used to test! The last version I've released
publicly is AFX Windows Rootkit 2005, it's open source and can be found
on http://www.rootkit.com/ [rootkit.com] the other more recent versions
I've sold privately.

Now on the subject of rootkit detection. Most of these use the method
based on Microsoft's Strider: GhostBuster. Which uses a low-level method
to gather seemingly clean system information then gathers the same
information using a high-level method. The idea is that rootkits will have
only hooked the high-level methods so there should be a difference in
results. Whatever is listed in the low-level results and not listed in the
high-level results is displayed as "hidden information". Effectively they
are using the rootkit's own hiding functions against itself to detect it. If
the rootkit doesn't hide itself to avoid detection it's still made itself visible.

The problem is that you put yourself in an arms race with who can hook
system information at the lowest level. Luckily since we (the sysadmin)
have access to the hardware and presumably the attacker does not, a
hardware method of gathering system information would be the best. You
can bet money that we are going to be seeing hardware level rootkit
detectors sooner or later.

...

Basically you're just hooking accept() Winsock API in all processes and
then any listening service is a potential backdoor. This is a simple user-mode
method. Someone could write a more specific version for a particular
service such as IIS that hooks deeper into the code that receives network
data."

[Ike]

Mafia 2.0: Is The Mob Married To Your Computer?

"How the mob could be using your PC to run rackets on the internet and
what you can do about it."

[delovski]

Slashdot: "Free Wi-Fi" Scam In the Wild

"DeadlyBattleRobot writes in with a story from Computerworld about a
rather simple scam that has been observed in the wild in several US airports.

Bad guys set up a computer-to-computer (ad hoc) network and name it
"Free Wi-Fi." You join it and, if you have file sharing enabled, your computer
becomes a zombie. The perp has set up Internet sharing so you actually
get the connectivity you expected, and you are none the wiser. Of course
no one reading this would fall for such an elementary con. The article gives
detailed instructions on how to make sure your computer doesn't connect
automatically to any offered network, and how to tell if an access point is
really an ad hoc network (it's harder on Vista)."

[Ike]

Slashdot: Trojan Analysis Leads To Russian Data Hoard

"An attack by a single Trojan variant compromises thousands, circumvents
SSL, and uploads the results to a Russian dropzone server. A unique blow-
by-blow analysis reveals evidence of cooperation between groups of malware
specialists acting as service providers and points to the future of malware's
growing underground economy."

[Ike]

Slashdot: PayPal Asks E-mail Services to Block Messages

"PayPal, the Internet-based money transfer system owned by eBay, is trying
to persuade e-mail providers to block messages that lack digital signatures,
which are aimed at cutting down on phishing scams, a company attorney
said Tuesday.So far, no agreements have been reached,..." "...PayPal is using
several technologies to digitally sign its e-mails now, including DomainKeys,
Sullivan said. DomainKeys, a technology developed by Yahoo Inc., enables
verification of the sender and integrity of the message that's sent." "...An
agreement with, for example, Google for its Gmail service could potentially
stop spam messages that look legitimate and bypass spam filters."

[delovski]

Spamhaus: 200 Known Spam Operations responsible for 80% of your spam

"The Register of Known Spam Operations (ROKSO) database collates information
and evidence on known professional spam operations that have been terminated
by a minimum of 3 Internet Service Providers for spam offenses."

[delovski]

Join the fight against phishing: PhishTank

"PhishTank is a collaborative clearing house for data and information
about phishing on the Internet. Also, PhishTank provides an open API for
developers and researchers to integrate anti-phishing data into their
applications at no charge."

[Ike]

nytimes: Digital Fears Emerge After Data Siege in Estonia

"The Russian government has denied any involvement in the attacks, which
came close to shutting down the country’s digital infrastructure, clogging the
Web sites of the president, the prime minister, Parliament and other government
agencies, staggering Estonia’s biggest bank and overwhelming the sites of
several daily newspapers.

Computer security experts from NATO, the European Union, the United States
and Israel have since converged on Tallinn to offer help and to learn what
they can about cyberwar in the digital age."

On Digg: The First Cyberwar? Groundzero: Estonia

"We are talking about hacking here or hyping a story? This (if memory
serves) would be the largest DDoS attack ever.

But seriously guys.... Did you see who wrote this article??? John Markoff
.... name ring a bell? (http://en.wikipedia.org/wiki/John_Markoff). You may
remember him as the author of the (in)famous Kevin Mitnick article."

[Maja]

Email Obfuscation Helps Spammers

"Google returns 27 million results for "* at * dot com". That's 27 million
email addresses waiting to be spammed. Google doesn’t allow you to
search for the "@" sign, so that’s 27 million email addresses that wouldn’t
be available on Google if they were not obfuscated."

[XNote]

Jeff Atwood: How to Clean Up a Windows Spyware Infestation

"But the unpatched browser spyware infestation from visiting GCW-- just
from visiting the web pages, even if you don't download a single thing-- is
nearly immediate and completely devastating.
...

Our first order of business is to stop any spyware that's currently running.
You'll need something a bit more heavy-duty than mere Task Manager--
get Sysinternals' Process Explorer.
....

Stopping the running spyware is only half the battle. Now we need to stop
the spyware from restarting the next time we boot the system. Msconfig
is a partial solution, but again we need something more powerful than what
is provided out of the box. Namely, SysInternals' AutoRuns utility."

[delovski]

Slashdot: Former Spammer Reveals Secrets in New Book

"A retired spammer is looking to make money from a tell-all book rather
than fleecing people dependent on pharmaceuticals and people with
gambling problems. In this Computerworld article 'Ed', a retired spammer,
predicts the spam problem will only get worse, aided by consumers with
dependencies and faster broadband speeds.

From the article: 'He sent spam to recovering gambling addicts enticing
them to gambling Web sites. He used e-mail addresses of people known to
have bought antianxiety medication or antidepressants and targeted them
with pharmaceutical spam. Response rates to spam tend to be a fraction of
1 percent. But Ed said he once got a 30 percent response rate for a campaign.

The product? A niche type of adult entertainment: photos of fully clothed
women popping balloons ... "Yes, I know I'm going to hell," said Ed."

[delovski]

Gathering 'Storm' Superworm Poses Grave Threat to PC Nets

"Although it's most commonly called a worm, Storm is really more: a worm,
a Trojan horse and a bot all rolled into one. It's also the most successful
example we have of a new breed of worm, and I've seen estimates that
between 1 million and 50 million computers have been infected worldwide."

[Ike]

ars technica - Storm worm going out with a bang, mounts DDoS
attacks against researchers

"... the worm now attacks those who publish new information on the inner
workings of the worm. Researchers are allegedly "running scared" from the
worm, which seemingly has a sentient ability to detect and attack whoever
threatens it."

[delovski]

reddit - Russian bloggers expose Gravikol 21 pharmaceutical scam targeting pensioners

"This third group wrecked most havoc on the Farmit operations, possibly
halting them at some point. By placing orders to non-existing locations or by
canceling the orders after the couriers have arrived, the callers managed to
distract Farmit from fulfilling the genuine orders."

[delovski]

Slashdot: Digital Picture Frames Infected by Trojan Viruses

"The San Francisco Chronicle is running a story on viruses loaded into
digital picture frames, similar to the ones we discussed at the end of last
year. The difference is in the virus used: 'The authors of the new Trojan
Horse are well-funded professionals whose malware has 'specific designs
to capture something and not leave traces ...

This would be a nuclear bomb of malware.' Apparently, a number of regular
folks have hooked them up to their home computer and loaded the virus.
And if you think you're too smart to be fooled, apparently the Anti-Virus
software makers have not caught up to the threat quite yet."

[Ike]

Mac is the first to fall in Pwn2Own hack contest

"A brand-new MacBook Air running a fully patched version of Leopard was
the first to fall in a contest that pitted the security of machines running OS
X, Vista and Linux. The exploit took less than two minutes to pull off."

[delovski]

Malware authors take aim at growing number of Macs

"With Apple's market share now around 8.5 percent -- and growing quickly,
with sales of almost 2.5 million Macs in the last quarter -- these Mac newbies
are a tempting target for profit-minded cybercriminals."

[delovski]

linuxjournal.com - With Linux, Even Rootkits Are Open Source

"... as a commercial "penetration testing" firm released what may be the
most difficult to detect Linux rootkit to date — under an open source license.

Whatever is said, the one thing that can't be changed is the reality that
easy, pre-packaged Linux malware is now in the hands of every hacker
from here to Helsinki and back."

[delovski]

Slashdot: World Bank Under Cybersiege In "Unprecedented Crisis"

"The World Bank Group's computer network — one of the largest repositori-
es of sensitive data about the economies of every nation — has been raided
repeatedly by outsiders for more than a year, FOX News has learned. It is
still not known how much information was stolen. But sources inside the bank
confirm that servers in the institution's highly-restricted treasury unit were
deeply penetrated with spy software last April.

Invaders also had full access to the rest of the bank's network for nearly a
month in June and July. In total, at least six major intrusions — two of them
using the same group of IP addresses originating from China — have been
detected at the World Bank since the summer of 2007, with the most recent
breach occurring just last month. In a frantic midnight e-mail to colleagues,
the bank's senior technology manager referred to the situation as an
'unprecedented crisis.'

In fact, it may be the worst security breach ever at a global financial ins-
titution. And it has left bank officials scrambling to try to understand the
nature of the year-long cyber-assault, while also trying to keep the news
from leaking to the public."

[delovski]

washington.edu - Adeona - private, reliable, open source

"Adeona is the first Open Source system for tracking the location of your
lost or stolen laptop that does not rely on a proprietary, central service
which is a project of University of Washington. What it does is that it sits
in the background of your computer and continually monitors the current
location of the laptop, gathering information (such as IP addresses and
local network topology) that can be used to identify its current location.

The Mac OS X version also has an option to capture pictures of the laptop
user or thief using the built-in iSight camera."

[delovski]

reddit - 0WN3D on Mac OS

"I am a longtime Mac OS user and defender of Mac OS security. Under a dif-
ferent username, two weeks ago I was doing battle with people suggesting
that Mac OS and Safari were anything less than secure. Last week, I disco-
vered that my desktop has been part of an IRC botnet for months."

[Ike]

darkreading.com - Botmaster: It's All About Infecting, Selling Big
Batches of Bots

"The botmaster also shed light on the dog-eat-dog world of cybercrime. He
said he once used a stolen account and impersonated a law enforcement of-
ficial in order to chase another botmaster away from his 6,000 node botnet.

And there are different levels of expertise in the bot world, too: only 20 per-
cent of botmasters actually understand the bot code they get via online foru-
ms, and about three- to five percent write their own botnet code, he said."

[Ike]

Slashdot - Coder of Swiss Wiretapping Trojan Speaks Out

"Ruben Unteregger has worked for a long time as a software-engineer for
the Swiss company ERA IT Solutions. His job there was to code malware that
would invade PCs of private users, and allow the wiretapping of VoIP calls —
in particular, calls made through Skype. In the German-spoken areas, the
trojans were called 'Bundestrojaner' because the Swiss government was in-
volved with their development and use. Unfortunately, Unteregger has to re-
main silent about the customers of the company. Last night, he published the
source code of his Skype-trojan under the GPL."

[delovski]

/. - First iPhone Worm Discovered, Rickrolls Jailbroken Phones

"Users of jailbroken iPhones in Australia are reporting that their wallpa-
pers have been changed by a worm to an image of '80s pop icon Rick
Astley. This is the first time a worm has been reported in the wild for the
Apple iPhone. According to a report by Sophos, the worm, which exploits
users who have installed SSH and not changed the default password, hu-
nts for other vulnerable iPhones and infects them. Users are advised to
properly secure their jailbroken iPhones with a non-default password, ..."

[Ike]

ars - Researchers' well-aimed stone takes down Goliath botnet

"Botnets can be taken down by a relatively small team if the efforts are co-
ordinated and all the right steps are taken at the right time. That's what ha-
ppened in the case of the Mega-D botnet—though the spam hiatus is likely
to be temporary."

[delovski]

Slashdot: AT&T Breach May Be Worse Than Initially Thought

"I'm somewhat of an authority on GSM security, having given presentati-
ons on it at Shmoocon (M4V) and CCC (I'm also scheduled to talk about
GSM at this year's Defcon). This is my take on the iPad ICCID disclosure
— the short version is that (thanks to a bad decision by the US cell com-
panies, not just AT&T) ICCIDs can be trivially converted to IMSIs, and the
disclosure of IMSIs leads to some very severe consequences, such as na-
me and phone number disclosure, global tower-level tracking, and making
live interception a whole lot easier. My recommendation? AT&T has 114
thousand SIM cards to replace and some nasty architectural problems to
fix."

[Ike]

digg - How even the dumbest Russian spies can outwit the NSA

"arstechnica.com - The recently-busted Russian spy ring appears to con-
sist entirely of complete incompetents. But as amateur as they were, they
had a trick for passing messages over the Internet that the NSA's expen-
sive Internet snooping and data-mining programs could never detect: ste-
ganography."