
Long time no update - Some interesting links

June 17th, 2009 by Steven Adair

It has been a while since I have updated anything. I have been too busy and sometimes lazy to write stuff here or on the Shadowserver website. Since my last update I have been all over the States, to Moscow, Russia and Oslo, Norway. Very cool places! In any event I am still alive and have a few interesting links to post that are worth reading if you haven’t seen them already:

It seems my comment spam awaiting moderation has reached over 10,000. Quite impressive. There is surely a lot of interesting data in that. Might make that into a feed one of these days. Keep an eye out and I’ll try and update more with better stuff soon.

Steven


Posted in Links | No Comments »

More Waledac Domains from February 4, 2009

February 10th, 2009 by Steven Adair

Just a quick post on some of the newer Waledac domains. The following were registered on February 4, 2009:


These have been updated and added to the list on the Shadowserver site at:

http://www.shadowserver.org/wiki/uploads/Calendar/waledac_domains.txt

Steven

Posted in Waledac, Malware, Storm Worm | No Comments »

Full Waledac Domain Listing

January 24th, 2009 by Steven Adair

Got the full list also being updated and posted on the Shadowserver website at the following URL:

http://www.shadowserver.org/wiki/uploads/Calendar/waledac_domains.txt

However, just wanted to reiterate to people that you should block all of these domains:


Waledac Exploit Domain List:

googol-analisys.com
seocom.name
seocom.mobi
seofon.net

Also, if you are interested in all things Waledac (omghi2u!), check out Jeremy’s Waledac tracker here:

http://sudosecure.net/waledac/

Posted in Malware, Waledac, Exploits, Botnets, Spam, Storm Worm | No Comments »

Google Chrome Browser: Hype & Vulnerabilities?

September 7th, 2008 by Steven Adair

Have you heard about the new Google Chrome browser lately? Chances are high that you have. However, are you or anyone you know actually using the browser? My guess is there’s a good chance the answer is NO. Sure, it’s just a beta version, but it’s been getting all kinds of hype, seemingly out of nowhere. In fact I haven’t used it and don’t plan on even trying it out for some time. Why? Well, for starters I haven’t seen a real compelling reason to use it yet. Couple that with the horrendous privacy issues that have been raised and you’ve got a potential (as the article puts it) security nightmare. Oh, did I mention there have already been multiple public proof of concept exploits that can possibly result in a remote compromise?

It looks like Google Chrome is a pretty risky proposition right now. Yes, it is beta, but some of these items are a bit alarming. I am not one of the people that calls Google evil, but I try not to let them near my data whenever possible. Using this browser definitely won’t further that cause. It is still a bit early with a few early adopters (testers), so we might see a lot of fixes and improvements across the board before its final release. I’ll post my two cents at a later date for anyone that might care.

I did a quick check and I can see that at least two visitors of the blog are trying out Google Chrome. Hopefully I’m not scaring anyone away from testing the browser, that certainly isn’t my intent. However, I just want people to know about the potential risks to privacy and security that presently exist. All browsers have security issues, however, that doesn’t mean we should ignore them. If you have any comments on this issue or the browser, feel free to submit them and I will post them.

In case there’s any interest, the Google Chrome User-Agent looks like this:

    Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.27 Safari/525.13

Posted in Privacy, Browsers, Google, Random | No Comments »

So I Installed PGP 9.8…

August 26th, 2008 by Steven Adair

…and well I am a bit disappointed. Note that I’ve added a new “category” in my blog called “whining” because that’s basically what I am doing now, so if you hate whining (read: b*tching) then you might want to skip this post.

In 2004 I got a copy of PGP 8.1 for Windows to use on an XP install at home. With this install came the standard PGP system tray icon that would let you control a slew of things, including clipboard and current window encryption/decryption, as well as give you quick access to the PGP keys interface. This fine little install also had an Outlook (Express for me on that machine) plug-in for easy encryption/decryption of e-mail. It had its kinks and bugs but it worked pretty well. Now jump 4 years ahead to the present: on my Mac and Linux systems I use GnuPG (gpg), but that’s all done on the command line, so it’s kind of a pain. On an XP install with Office 2007 that I have at home — I do not have anything at all (no PGP or GPG).

Today I decided to put an end to that and paid for the upgrade for $29.99 (I was eligible from my old license) to PGP Home Desktop 9.8. Sure, I feel like a sucker paying for software for which there are similar free options, but the GUI and a couple of other features are something I wanted to have. The new version also has some full disk encryption options as well as the creation of encrypted drives/storage spaces, which sounds nifty I suppose. Still consider checking out TrueCrypt anyway.

Anyway, the first thing I noticed was that the download of PGP Desktop was a 72 MB .zip file, which seemed a little large. To my surprise they decided to pack both the 64-bit and 32-bit versions into the same .zip file. I really don’t see the logic in this. They could save bandwidth usage and time for both parties, and I’ll take an absolutely wild stab in the dark that their 64-bit installs aren’t quite as numerous as their 32-bit installs (I could be wrong… it happened once). Great, so I managed to install the correct version and am all fired up and good to go. Only I guess I suck at the whole RTFM thing because I didn’t realize there is no longer an Outlook plug-in. They went with the god awful proxy-detect-email-look-for-encryption-keys-we-suck method. All I can say is that I am very disappointed. I believe the plug-in was one of the best features of the old product. Now you’re stuck with some half-assed detection method that will send unencrypted messages if it messes up — super idea! I think I will pass on that.

Anyone else have some thoughts and opinions on the latest versions of PGP? I would love to hear them and I’ll approve/post the comments as long as they’re not overly vulgar (PG-13 at worst please).

Posted in Whining | 2 Comments »

Someone Hijacked My Baby?

August 25th, 2008 by Steven Adair

I just got a humorous Spam message that someone else told me about earlier. Apparently it’s supposed to have some sort of Virus attached to it. Only it seems my copy has been made a bit safer. The Spam message looks a little something like this:

Subject: We have hijacked your baby

Body:

Hey We have hijacked your baby but you must pay once to us $50 000. The details we will send later…

We has attached photo of your fume

Funny topic and bad grammar all make for a good virus/spam campaign. However, you might be wondering if I am nervous about receiving such an e-mail? Well, e-mail never really makes me nervous and then again I also don’t have a baby. Although I think I would be concerned if I had a baby and someone “hijacked” it. It seems my message got nibbled on by “MIMEDefang”, which was a bit disappointing since I wanted to see the attachment. I wanted to see if the trojan included a picture of a baby or not. I guess I’ll have to wait in suspense until someone shares a copy with me.

Feel free to drop me a line with a copy of this e-mail if you have it intact - steven [at] securityzone [dot] org

Update: 11:40 PM

Got a copy of the e-mail with the attachment in place. Sorry no picture but there is an attachment called “photo.zip” that has “photo.exe” inside of it. File MD5 for the .exe is 807efe034e50327234e83bc9e6a94b32.

This is a piece of malware which then downloads more malware from the known malicious website reddii.org. Stay away from these e-mails and that domain.

Posted in Malware, Spam | 2 Comments »

Red Hat & Fedora Servers Compromised - Check Your SSH Packages

August 24th, 2008 by Steven Adair

Woops! It looks like multiple servers by the Red Hat and Fedora projects were compromised last week. It’s always unfortunate when this sort of stuff happens, especially when the hackers make modifications to the SSH packages. Fortunately the issue only affects a few versions of the packages and only existed for a short time. There have been various announcements and mailing list postings on this issue that can be viewed here and here.

Potentially affected OS versions that may have received these updates:

Red Hat Desktop (v. 4)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux AS (v. 4.5.z)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux ES (v. 4.5.z)
Red Hat Enterprise Linux WS (v. 4)

You can grab the OpenSSH blacklist script from the Red Hat website by clicking here. This script can be run by a non-privileged user to check if the OS has any of the listed malicious packages.

Posted in Malware, Exploits, Random | No Comments »

Update Your Adobe Flash Software ASAP!

May 27th, 2008 by Steven Adair

It appears there are now Adobe Flash vulnerabilities live and in the wild on several sites. This is not good considering some of the websites involved in the recent mass SQL injection attacks are aiming to exploit this vulnerability. Basically, if you can’t recall upgrading flash recently, you probably need to go ahead and do it.

You can check your current flash version by clicking here.

You can upgrade to the latest version of flash by clicking here.

Don’t wait - just upgrade right now!

Posted in Malware, Exploits, Random | 1 Comment »

Interesting IRS Phishing Method

May 20th, 2008 by Steven Adair

The phishers out there are once again finding new ways to obfuscate their URLs in attempts to fool end users. I am pretty sure I saw this method mentioned elsewhere recently, but I cannot recall where. In any event, this recent phish found its way into the SPAM folder on one of my e-mail accounts. Notice the URL they provided:

Subject: Tax Notification
From: “Internal Revenue Service” <taxrefund@1x8c.8xdb95d4.irs.gov>
Date: Tue, May 20, 2008 6:36 am

Internal Revenue Service (IRS)
United States Department of the Treasury

Dear Taxpayer,

After the last annual calculations of your fiscal
activity we have determined that you are eligible
to receive a tax refund of $184.80.

Please submit the tax refund request and allow us
6-9 days in order to process it.

A refund can be delayed for a variety of reasons.
For example submitting invalid records or applying
after the deadline.

To access the form for your tax refund, use the following personalized link:

http://0x7C.0xDB11D1/www.irs.gov/

Regards,
Internal Revenue Service

Document Reference: (0x7C.0xDB11D1).

Notice that the URL is http://0x7C.0xDB11D1/www.irs.gov/ and that they used 0x7C.0xDB11D1 as the “Document Reference” in an attempt to make it look more official. Well, it turns out that 0x7C.0xDB11D1 really converts to an IP address in Taiwan - 124.219.17.209 (0x7C is 124, and the remaining three bytes 0xDB, 0x11 and 0xD1 are 219, 17 and 209). Visiting this IP address or the URL above ends up redirecting you to http://www.comtipps.de/www.irs.gov/index.htm?memberID=0x7C.0xDB.0x11.0xD1.

This then tries to get your social security number, credit card information (including CVV code and ATM PIN), date of birth, full name and address, phone number, and finally e-mail address (wouldn’t one assume they already have this if they e-mailed you? :D). Be on the lookout for this slightly different take on an old trick.
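As an added example (my code, not from the original post), the following Python resolves the obfuscated numeric host used in this phish, 0x7C.0xDB11D1, to its dotted-quad address. It goes beyond the single form in the post by implementing the general inet_aton() rules (decimal, octal and hex parts, and fewer than four parts), so a mail gateway or URL filter can normalise the four-part and single-integer variants as well.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Part syntax accepted by the classic inet_aton(): hex (0x..), octal (leading 0), decimal.
_HEX = re.compile(r"0[xX][0-9a-fA-F]+")
_OCT = re.compile(r"0[0-7]*")
_DEC = re.compile(r"[1-9][0-9]*")


def dotted_hex_to_ip(host: str) -> Optional[str]:
    """Return the canonical dotted-quad for an inet_aton-style numeric host, else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for p in parts:
        if _HEX.fullmatch(p):
            values.append(int(p, 16))
        elif _OCT.fullmatch(p):
            values.append(int(p, 8))
        elif _DEC.fullmatch(p):
            values.append(int(p, 10))
        else:
            return None  # an ordinary hostname label, not a numeric host
    # inet_aton rule: every part but the last is one byte; the last part
    # supplies all remaining bytes (1 part -> 4 bytes, 2 -> 3, 3 -> 2, 4 -> 1).
    tail_bytes = 5 - len(values)
    head, last = values[:-1], values[-1]
    if any(v > 0xFF for v in head) or last >= 1 << (8 * tail_bytes):
        return None  # out of range, would be rejected by the resolver too
    octets = head + [(last >> (8 * i)) & 0xFF for i in reversed(range(tail_bytes))]
    return ".".join(str(o) for o in octets)


def numeric_host_of(url: str) -> Optional[str]:
    """If the URL's host is a (possibly obfuscated) numeric IP, return it as a dotted quad."""
    return dotted_hex_to_ip(urlsplit(url).hostname or "")


if __name__ == "__main__":
    # The phishing URL from the post, plus constructed equivalent spellings of the same host.
    for u in ("http://0x7C.0xDB11D1/www.irs.gov/",
              "http://0x7C.0xDB.0x11.0xD1/",
              "http://2094731729/",
              "http://www.irs.gov/"):
        print(u, "->", numeric_host_of(u))
```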

Posted in Phishing, Links | No Comments »

CNN.COM Target for Chinese Hackers

April 19th, 2008 by Steven Adair

It appears that CNN has been and will be the target of choice for Chinese hackers to show their displeasure with Western media coverage over “pro-independence protests in Tibet.” It would seem that some people in China have been offended by this coverage and are calling for attacks, according to the website The Dark Visitor. They have provided details on several Chinese websites calling for attacks on www.cnn.com starting at 8:00 PM Beijing Time (8:00 AM EDT or 12:00 PM GMT) today, April 19, 2008. However, according to another update on The Dark Visitor’s website, these attacks have since been called off and are to be rescheduled.

According to a recent update on the CNN website, they have already observed several attacks that occurred this past Thursday. They took action to limit access to the site from certain regions and users in Asia may have experienced minor disruptions. These attacks appear to be either coincidental or preemptive in nature as they came two days earlier than called for. Arbor Networks is also monitoring this situation and has reported they have observed at least 36 different attacks thus far.

While the attacks have been “called off” for now, it will be interesting to see if they continue regardless — as scheduled or at a later date. It appears that attacks are expected and are being planned for. We can hope that they are unsuccessful regardless of the level of participation. We will update more if we learn anything new.

Posted in Random | 4 Comments »
