This is Jerry Bryant. I am the Business, Operations & Communications Manager on the Security Response Communications team. I am writing to let you know about a new process we are implementing regarding the questions and answers from our monthly security bulletin webcast.
Attendees of the webcast ask a lot of great questions concerning the security updates we just released, and we have many subject matter experts (SMEs) on hand to answer them. In order for the broader community to also benefit from the exchange, we will now be posting the questions and answers here on the MSRC blog. Our goal is to get them here within two days of the webcast.
To kick things off, we have posted the questions and answers from the June 2008 and July 2008 webcasts:
Sixty of the 100 most popular websites either hosted malicious content or linked to malicious websites at some point during the first six months of 2008, according to a new study by web security firm Websense.
23:20 McAfee SiteAdvisor blocks SANS
Showing you just how much they understand about security, McAfee blocked the SANS website, sans.org, as well as giac.org and sans.edu, with their SiteAdvisor application, listing it as a "bad" site.
Interestingly enough, SANS sites are some of the best sites to go to for security related news. Several people count on SANS for training on [...]
21:28 Security World: First automated DNSSEC signing application
Secure64 Software Corporation has developed a product that simplifies the implementation and management of DNSSEC. Secure64 DNS Signer is the first and only product that addresses each of the obstacle...
21:24 Security World: Security for road warriors using Windows
CoSoSys released Carry it Easy +Plus 3.0 for portable storage devices. The new software version includes features that focus on increased security, productivity and comfort for users of portable stora...
18:08 HD Moore pwned with his own DNS exploit, vulnerable AT&T DNS servers to blame
A week after |)ruid and HD Moore released part 2 of the DNS exploit, HD Moore's company BreakingPoint has suffered a traffic redirection to a rogue Google site, thanks to the already poisoned cache at the AT&T servers to which his company was forwarding DNS traffic:
"It happened on Tuesday morning, when Moore's company, BreakingPoint had some [...]
17:26 OS fingerprinting Apple's iPhone 2.0 software - a trivial joke
Just like every decent web service out there wanting to identify the iPhone's mobile Safari browser in order to serve custom applications, in this very same way malicious attackers would like to remotely identify iPhone devices through a basic pen-testing practice known as OS detection or OS fingerprinting. It seems that the difficulty level of [...]
17:20 Gary McKinnon, world's most dangerous hacker, to be extradited
The Guardian, out of the United Kingdom, is reporting that Gary McKinnon, the "world's most dangerous hacker", will be extradited to the United States to face criminal hacking charges. McKinnon, a 42-year-old unemployed systems administrator from north London, allegedly hacked into systems belonging to the US army, navy, air force, and Nasa [...]
With cybercrime getting easier to outsource these days, and with the overall underground economy's natural maturity from products to services, "managed spamming appliances" and managed spamming services are becoming rather common. Increasingly, these "vendors" are starting to "vertically integrate", namely, to diversify the portfolio of services they offer in order to steal market share from other "vendors" offering related services, like email database cleaning, segmentation of email databases, and email servers or botnets whose hosts have a pre-checked and relatively clean IP reputation, namely ones that are not blacklisted yet.
How much does it cost to send 1 million spam emails these days? According to a random spamming service, $100, excluding the discounts based on the desired sending speed, namely 10-20 per second or 20-30 per second. Let's dissect the service and emphasize its key differentiation factors, as well as the customization offered in the form of a dedicated server if the customer would like to send billions of emails:
"-- High quality and percentage of spam delivery
-- Fast speed of delivery
-- Spam database on behalf of the vendor, or using your own database of harvested emails
-- Easily obtainable and segmented spam databases on per country basis
-- Randomization of the spam email's body and headers in order to achieve a higher delivery rate
-- Support for attachments, executables, and image files
The cost - $ 100 million for letters delivered spam, with the large volume of spam discounts 20% -30% -40% based on the value-added Do-it-yourself customer interface based on a multi-user botnet command and control interface :
-- Automatic RBL verification
-- Support for many subjects, headers,
-- Total customization of the email sending process
-- Autogenerating junk content next to the spammers email/link in order to bypass filtering
-- Faking Outlook Message ID / Boundary / Content-ID
-- Interface added. Now do not necessarily understand all the features into the system to start the list.
-- Convenient management tasks.
-- A high percentage of punching, on the basis of good Europe - 40-60% (For the United States - less because there AOL and others).
-- Improved metrics, whether or not the emails have been sent, lost, unknown receipt, or have been RBL-ed
With the weight of a billion - even discounts and the possibility of making a personal server. "
Rather surprisingly, they state that European email users have a higher probability of receiving the spam message compared to U.S. users, due to AOL. What they're actually trying to say is that this is due to AOL's use of DomainKeys Identified Mail (DKIM). As far as localization of the spam to the email owner's native language is concerned, this segmentation concept has been taking place for over a year now.
This service, like the majority of others, relies entirely on malware-infected hosts, which, due to the multi-user nature of most malware command and control interfaces, allows the operators to easily add customers and set their privileges based on the type of service they purchase. This leaves a countless number of opportunities for targeted spamming and, yes, spear phishing attacks, made possible by the segmentation of the emails by country, city, or even company.
In the long term, the people behind spamming providers, web malware exploitation kits and DIY phishing kits will inevitably start introducing built-in features which were once available only through third-party services. For instance, hosting infrastructure for the spam/phishing/live exploit URLs, or even managed fast-flux infrastructure, has the potential to become widely available if such optional features get built into phishing kits, or start getting offered by the spamming provider itself. And since the affiliate-based model seems to be working just fine, the ongoing underground consolidation will converge providers of different underground goods and services, where everyone would be driving customers to one another's services and earning revenue in the process.
13:21 Evolution is punctuated equilibria
Guest editorial by Dino Dai Zovi
In evolutionary biology, the theory of punctuated equilibria states that evolution is not a gradual process but instead consists of long periods of stasis interrupted by rapid, catastrophic change. This is supported by fossil evidence that shows little variation within a species and new species that appear to come out [...]
The distributors of Neosploit, one of the most noxious infection kits available on the internet, are retiring the product, citing support costs that didn't justify the expense.
04:04 No podcast this week
Rich and I are both incredibly busy, trying to get some work done before Black Hat and Defcon start. We're planning on producing a podcast next week from the showroom floor at BH as well as a few microcasts from both Black Hat and Defcon.
So tune in next week, I promise [...]
This is just sad. The TSA confiscated a battery pack not because it's dangerous, but because other passengers might think it's dangerous. And they're proud of the fact.
"We must treat every suspicious item the same and utilize the tools we have available to make a final determination," said Federal Security Director David Wynn. "Procedures are in place for a reason and this is a clear indication our workforce is doing a great job."
My guess is that if Kip Hawley were allowed to comment on my blog, he would say something like this: "It's not just bombs that are prohibited; it's things that look like bombs. This looks enough like a bomb to fool the other passengers, and that in itself is a threat."
Okay, that's fair. But the average person doesn't know what a bomb looks like; all he knows is what he sees on television and the movies. And this rule means that all homemade electronics are confiscated, because anything homemade with wires can look like a bomb to someone who doesn't know better. The rule just doesn't work.
And in today's passengers-fight-back world, do you think anyone is going to successfully do anything with a fake bomb?
"Let's discuss their business model, how other cybercriminals disintermediated it thereby ruining it, and most importantly, how is it possible that such a popular web malware exploitation kit cannot seem to achieve a positive return on investment (ROI). The short answer is - piracy in the IT underground, and their over-optimistic assumption that high-profit margins can compensate for the lack of a long-term growth strategy, which in respect to web malware exploitation kits has to do with the benefits coming from converging with traffic management tools. Let's discuss some key points."
The end of the Neosploit malware kit doesn't mean the end of the Neosploit Team, or a sudden migration to other malware kits just because the team is no longer providing support in the form of new obfuscations and sets of exploits to its customers. Their customers have in fact been self-servicing their needs, enjoying the modular nature of the kit, the result of which is an unknown number of modified Neosploit kits.