
Apple QuickTime 7.x RTSP Exploit Gets Worse (OS X)

November 29th, 2007 by Steven Adair

In case you haven’t seen it, a vulnerability in Apple QuickTime 7.x was recently released along with exploit code (confirmed on 7.3, and the exploit code says 7.2 as well). You can read details of the issue at http://www.kb.cert.org/vuls/id/659761. This first came to light 6 days ago and is currently unpatched. A steady stream of exploits has appeared on milw0rm, each modifying the exploit to support more operating systems and browsers. The latest release today now apparently works on Mac OS X. To make things even worse on Apple’s part, there is a CVE from 2002 that seemingly describes this exact issue in QuickTime 5.0.1 and 5.0.2.

Anyway, if you’ve got QuickTime installed be careful where you browse and be on the lookout for an update to patch this issue.

Posted in Exploits, Mac | No Comments »

FBI and a Botnet Update

November 29th, 2007 by Steven Adair

Surfing through the CNN website earlier today I came across an article about cybercrime, botnets, the FBI, and what appears to be some updates/developments since Operation Bot Roast. It appears a teenager going by the handle “AKILL” from New Zealand is being questioned in relation to what might be a botnet case. I cannot say I recognize the name, but it’s good to see more is being done and that the knowledge is being spread here.

“Today, botnets are the weapon of choice for cyber criminals” -FBI Director Robert Mueller

It seems everyone is starting to get the big picture that botnets are more than just infected computers. They lead to fraud, identity theft, DDoS attacks, SPAM, and all kinds of other bad stuff. Perhaps we will now see even more law enforcement resources thrown at the problem.

Posted in Botnets | No Comments »

Websense Finishes Acquiring SurfControl

November 26th, 2007 by Steven Adair

Well, I wanted to go check a website on SurfControl’s “Test A Site” area at www.surfcontrol.com. Boy was I confused when I was somehow redirected to http://www.websense.com/acquisition/index.html. Somehow I missed that in April of this year Websense had announced they were going to acquire SurfControl for $400 million. In any event, it looks like this acquisition has completed. It will be quite interesting to see where the product(s) go and what this does to cost. Will this make it harder or easier for competitor 8e6 to get market share? I know this will definitely give somewhat of a boost to the websites detected by Websense now, as SurfControl boasts having researchers worldwide and a larger URL list. Will we see the emergence of WebControl or Surfsense? I guess we’ll have to stay tuned.

Posted in Uncategorized | No Comments »

Increase in WordPress Blog Comment Spam

November 18th, 2007 by Steven Adair

I don’t really seem to get too many legitimate comments on any of my blog postings. Usually I log in to see a couple, and most of them are Spam. I last logged in a few days ago and had 6 awaiting moderation, which is the most I’ve had at any one time. Today I logged in and I have 100 in moderation. This is quite an uptick in spam to my blog. It appears the WordPress blog spammers are in full effect. Here is some additional information about the increase.

1) They almost all deal with drugs (xanax, cialis, viagra, etc), replica watches, loans, or airline tickets.

2) The most common name that’s entered for the commenter is “hakStashy” with an e-mail of “GroodO@Idods.com”

3) There were 72 different IPs associated with the 100 different Spam messages. The highest repeat IP was 85.255.119.202, with 4 separate comments. Go figure, this is an IP in the range previously blogged about below.

4) There were 48 different URLs entered into the URL field where the commenter is to put their homepage, with the 5 most common being:

    payday333loans.com
    cialis-gl-pills.com
    payday-gl-loans.com
    xanax-gl-pills.com
    xanax777pills.com

5) There is no consistency to the User-Agents provided when the comments are posted; however, the most common in my sampling is “Opera/9.01 (Windows NT 5.1; U; en)”. The IP 69.120.73.20, for example, posted 3 comments in a 26 hour period and had the following three separate User-Agents (a different one each visit):

    “Mozilla/4.0 (compatible; MSIE 5.13; Mac_PowerPC)”
    “Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.8) Gecko/20051111 Firefox/1.5”
    “Opera/9.01 (Windows NT 5.1; U; en)”

6) The vast majority of the domain names involved with the URLs entered are hosted at 203.223.150.64. According to Domain Tools’ Reverse IP lookup, there are at least 71 domains hosted on the IP. Judging by the ones that come up in the free search and the ones I already have, it appears they all have to do with either pornography or the aforementioned areas.

7) Almost every single one of the comments is being posted to the following entry: http://www.securityzone.org/?p=16 (ISOI3, Comment Spam, and More Storm).

I am not sure why there is such a sudden increase in spam messages in such a short period of time. Maybe that blog posting just got indexed somewhere and triggered a magic spam word. If anyone else has experienced this or has more information, you could drop me a comment (hopefully I’ll see it) or shoot me an e-mail.

If you would like a full listing of the IP addresses or URLs provided for the blog spam, see the following:

Spammer IP addresses
Spammer URLs

Steven

Posted in Spam | No Comments »

Electronic/Cyber Jihad a Joke

November 11th, 2007 by Steven Adair

Well, you may have heard some of the ruckus about terrorists calling for a cyber jihad against websites on November 11, 2007 (today). It seems this was about as successful as just about anything a terrorist and/or DDoS kiddy normally organizes. Did you notice or hear about any websites being down today? Well, that makes two of us, because I didn’t hear about anything either. I wonder if they even tried. I think the results would be about the same. It just goes to show that whether you’re a DDoS kiddy or a terrorist, you’re a pathetic idiot either way.

Posted in Random | No Comments »

Russian Business Network Taken Down a Notch

November 11th, 2007 by Steven Adair

Since I am super slow to update my blog, you may have heard that the Russian Business Network (RBN) has been taken down a notch. Some of the core ranges they operate within are no longer being routed and have had their ASNs withdrawn.

- 81.95.144.0/22 Withdrawn
- 81.95.148.0/22 Withdrawn
- 81.95.154.0/24 Withdrawn
- 81.95.155.0/24 Withdrawn

However, this doesn’t mean they have disappeared or are finished. Spamhaus reported a while back that the Russians are going “Chinese” over here. A lot of people are keeping their eyes on all of this. Even the Bleeding Threats project has started publishing rulesets for RBN related activity. You can grab the Snort rules for RBN related hosts and ranges from http://www.bleedingthreats.net/rules/bleeding-rbn.rules.

We’ve noticed a big increase in the last few months in the amount of malware coming out of one of the IP ranges being tracked in those rulesets. What range is that, you ask? Well, that would be Intercage. You might as well block or pay specific attention to this range:

85.255.112.0/20

I’m not promising it will be perfect and free of false positives, but it is definitely worth a look. We’re seeing a bunch of stuff out of the whole 85.255.0.0/16, but I wouldn’t block all of it. There is plenty of legitimate stuff in there, but be on the lookout.
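The comment-spam triage from the WordPress post above (repeat IPs, homepage domains, per-IP User-Agent churn) and the range check from this post fit together in one script. This is an added example, not code from the blog; the comment records are constructed, and the "block"/"review" labels for the /20 versus the rest of the /16 are this example's own reading of the post.

```python
import ipaddress
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Ranges from the post: the /20 is the one worth blocking, the rest of the
# /16 only warrants a closer look. The labels are this example's own.
WATCH_RANGES = {
    ipaddress.ip_network("85.255.112.0/20"): "block",
    ipaddress.ip_network("85.255.0.0/16"): "review",
}

# Constructed sample of moderated comments: (ip, user_agent, homepage_url).
SAMPLE_COMMENTS = [
    ("85.255.119.202", "Opera/9.01 (Windows NT 5.1; U; en)", "http://payday333loans.com/"),
    ("85.255.119.202", "Opera/9.01 (Windows NT 5.1; U; en)", "http://xanax-gl-pills.com/"),
    ("69.120.73.20", "Mozilla/4.0 (compatible; MSIE 5.13; Mac_PowerPC)", "http://cialis-gl-pills.com/"),
    ("69.120.73.20", "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.8) Gecko/20051111 Firefox/1.5", "http://payday333loans.com/"),
    ("69.120.73.20", "Opera/9.01 (Windows NT 5.1; U; en)", "http://xanax777pills.com/"),
    ("85.255.10.1", "Opera/9.01 (Windows NT 5.1; U; en)", "http://payday-gl-loans.com/"),
    ("192.0.2.10", "Mozilla/5.0 (X11; U; Linux i686) Gecko/20071008 Firefox/2.0", "http://www.example.org/"),
]

def classify_ip(ip):
    """Return the label of the most specific watch range containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    hits = [net for net in WATCH_RANGES if addr in net]
    if not hits:
        return None
    return WATCH_RANGES[max(hits, key=lambda n: n.prefixlen)]

def triage(comments):
    """Summarise a batch of comments the way the spam post does by hand."""
    ip_counts = Counter(ip for ip, _, _ in comments)
    domain_counts = Counter(urlsplit(url).hostname for _, _, url in comments)
    agents = defaultdict(set)
    for ip, ua, _ in comments:
        agents[ip].add(ua)  # distinct User-Agents seen per posting IP
    return {
        "repeat_ips": {ip: n for ip, n in ip_counts.items() if n > 1},
        "top_domains": domain_counts.most_common(3),
        "ua_churn": {ip: len(uas) for ip, uas in agents.items() if len(uas) > 1},
        "watched": {ip: classify_ip(ip) for ip in ip_counts if classify_ip(ip)},
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_COMMENTS).items():
        print(key, value)
```

Feed it the real moderation queue (IP, User-Agent, URL per comment) and the "watched" entries are the ones to check against the Bleeding Threats RBN rules.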

Posted in Snort, RBN | 1 Comment »

New Mac Trojan Making the Rounds

November 3rd, 2007 by Steven Adair

Well, it looks like there is a new Mac trojan going around targeting all of us (I have a PowerBook) OS X users — well, sort of. It seems that links to pornography websites (and possibly others) have been spread in areas that Mac users frequent. If a user attempts to visit the malicious website, they will be prompted to install a video codec in order to see the clip. However, the file is none other than a trojan that, at this point in time, just modifies DNS settings, thus giving the attacker control of what your websites resolve to. There’s really nothing special or new here in the security world. It just seems that what is being deemed a “professional” (whatever that means exactly) trojan is being targeted at Mac users. Just be on the lookout as always, and don’t just arbitrarily install things — especially if you’re surfing naughty stuff.

Posted in Mac | No Comments »