Browser Bingo

[Image: bingo, by hownowdesign via Flickr]

Way back in 2007 the European Commission and Microsoft began a legal dispute over competition concerns regarding Microsoft’s dominance of the European user space. In December of 2009 the dialogue between the EC and Microsoft ended, culminating in a resolution that would aid easy interoperability with various software and oblige Microsoft to present a browser choice to its current European users.

A large part of the agreements by Microsoft deals with browser choice for OEMs and end users on Windows 7, XP, and Vista operating systems. Starting the week of March 1st, users in 30 European nations with IE as their default browser may start seeing an introductory screen pop up on their machines. This introductory screen, only seen after installing the relevant Microsoft update and restarting their systems, will explain the purpose behind the subsequent choice screen.


The choice screen will display 12 of the most used browsers in random order, with the top 5 highest ranked browsers displayed randomly in the first positions. The idea behind the settlement is to prevent monopoly holdings for any one vendor and create a fair presentation of consumer options, but this top 5 configuration will obviously give the bigger guns a better aim at end user installation. Internet Explorer, as a major holder of the browsing community, will then always be listed in the first few slots.

So, what will user reaction be to all this? I’m guessing more confusion than anything else. Part of the update being sent out will allow IE to be turned off: it will “unpin” the IE icon from the taskbar and, where IE is turned off, “no icons, links or shortcuts or any other means will appear within Windows to start a download or installation of Internet Explorer” (Microsoft commitments document). Then users will be given a choice to select their browser.

I know that some people need to be presented their options in a supermarket fashion, like side by side sodas in the snacks aisle, where Coke is next to Pepsi and the generic version, but I don’t think this is an ultimate solution to the problem. For the less clueful users who “just want to get on the internet”, this may just create problems. Those same users, now presented with a browser lineup, may not understand or try to understand what their options actually are. In all likelihood they will recognize Internet Explorer from the list given to them and click on install without reading the additional information.

For the users who already understand the choice of browser usage, they have already made their choice. They don’t need any more education and, likely not having IE as their default browser, won’t see the new choice screen. Efforts like this to change bias will likely be ineffective in producing real change or raising awareness among the right people. The bias of users comes from long term ignorance, disinterest, marketing inundation, and comfort level on the internet. None of this will be reversed by what many users will just view as more pop ups.

Matt Sully
Director
Threat Research & Analysis

sources:
Microsoft On the Issues
Microsoft.com

Buzz Words

[Image: Neil Armstrong & Buzz Aldrin, by cliff1066™ via Flickr]

Google Buzz is definitely the buzz word of the week and, in this industry, has been quickly put under the microscope. As a result, a cross-site scripting vulnerability was already discovered and fixed in the mobile version of the Buzz utility. I’m sure close examination will continue to reveal additional security or operational flaws in Buzz, but security minded folks were not the only active critics of the social networking tool from Google.

Initial users were upset by Buzz’s default “all inclusive” settings. These automatic features included adding yourself as a follower of those you most contact through email or chat (allowing them to automatically follow you as well), displaying all users involved in the follow-fest on your Google Profile, and instant sharing of activity on your other Google sites like Picasa and Reader. Providing easy display of a lot of information to potentially a lot of people, all of these features raised a lot of concern over privacy issues. In addition, new Buzzers were disappointed with the difficulty in finding the settings options for these features, most while trying desperately to disable them.

While some may not be all that concerned, instant exposure of this information to user contacts without giving expressed permission has been more than disappointing. Some social circles are meant to be separated. Facebook users have been forced to explore this friends and family cross communication fiasco due to multi-generational interest in the social networking world. For many users this is uncomfortable at best.

Complete testing before release may have prevented the scramble for alterations that Google is now in the middle of, but the feasible protection of online privacy is the real issue here. In our efforts to connect with the world, can we expect to keep secrets or achieve selective and exclusive information sharing? When we type something into our network connected devices, can we blame anyone but ourselves when that information spreads beyond the originally intended parties?

Anonymity while on the internet is becoming progressively harder to maintain. With photo tagging and friends who gossip across Facebook, even people who never participate in social networking sites have an online profile, in a sense. While reluctant or non-users are losing control over just how much the online world can find out about them, self surveillance is now commonplace. We’ve become comfortable with sharing information about ourselves and living and working online, making us vulnerable to attack over the internet and in the physical world. If the Buzzing is getting a little too close you could be in danger of getting stung.

For those interested in de-Buzzing, the links below can guide you through the process:

http://news.cnet.com/8301-17939_109-10451703-2.html
http://securitylabs.websense.com/content/Blogs/3553.aspx

For those sticking with it:

http://gmailblog.blogspot.com/2010/02/new-buzz-start-up-experience-based-on.html
http://gmailblog.blogspot.com/2010/02/5-buzz-tips.html

Matt Sully
Director
Threat Research & Analysis

RUmblar

[Image: Pepsi, by elmada via Flickr]

Gumblar, the massive iframe injection attack that made and sustained front page security news in early 2009, appears to still be going strong. Only slightly altered in its approach, the ongoing attack is still injecting malicious domains into sites on a fairly large scale, each injected site serving as a vehicle for spreading malware to the end user.

Gumblar domains were previously injected into iframes of otherwise benign sites using stolen FTP credentials. The new domains are likely still injected using stolen credentials but now use obfuscated scripts to generate a formulaic Russian domain. The obfuscated scripts are appended to JavaScript files and, within script tags, to HTML files, and they create rather lengthy domain names.

The second-level domains involved are plentiful. Amazingly, even a list as long as the one observed so far is incomplete and will likely remain so with the constant generation of new redirection domains.


Though the groupings observed here are obviously all .ru domains, other researchers indicate countless other domains being used in the same way. Many use dynamic DNS second-level domains, while others have a similar structure to the .ru domains, only with .cn TLDs, as did the original gumblar.cn. Others appear to have no theme and use .cz, .dk, .de, .nl, and several other country-code TLDs. The IPs behind these domains are just as widespread and varied, and the list observed so far is also likely incomplete.


The full unobfuscated domains look something like this, containing popular domain name snippets in an effort to appear legitimate:

foxsports-com.google.cn.spiegel-de.avattop.ru
yomiuri-co-jp.google.cz.playstation-com.yourtagheuer.ru
theplanet-com.1133.cc.nikkansports-com.bestnewhaven.ru

The full URLs will include file requests similar to:
:8080/ts/in.cgi?pepsi[variable numbers]
:8080/cache/readme.pdf
:8080/cache/flash.swf
:8080/filez/java.html
:8080/filez/Show.class
:8080/filez/win.jpg

The files are designed to exploit vulnerabilities in Acrobat, Flash, and Office, and redirect to the final domain for download of the actual malware, which consistently appears to be Bredolab.

The Bredolab downloader has been tied to Gumblar from the beginning and is still being served by the malicious domains, ultimately serving up rogue AV and information theft malware as the end goal. The information theft malware grabs FTP credentials to perpetuate the whole cycle. Bredolab has also been found in mass spam campaigns since late last year, attached to emails purporting to represent DHL, UPS, Facebook, Western Union, ISPs, fake e-card senders and “potential girlfriends.”

You may have come across one like:

Subject: Facebook Password Reset Confirmation.

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
The Facebook Team

If many benign sites are hosting the final malware download due to the hijacking mechanism, blocking the redirection attempts would be the best course of action. It is necessary for the owners of the hijacked sites to clean up the injected redirection domains or malicious files, and for the end user to keep their software updated in an effort to negate exploits.
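As an added illustration, not part of the original post, here is a small Python check for the Rumblar URL traits described above (the :8080 port, the brand-snippet subdomain labels, the known .ru second-level domains, and the /ts/in.cgi?pepsi, /cache and /filez paths) run over a constructed proxy log; the log layout and the indicator subset are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# Indicators quoted on the page (an illustrative subset, not a complete list).
KNOWN_2LDS = {"avattop.ru", "yourtagheuer.ru", "bestnewhaven.ru",
              "18-plus.ru", "inother.ru"}
KNOWN_PATHS = ("/ts/in.cgi", "/cache/readme.pdf", "/cache/flash.swf",
               "/filez/java.html", "/filez/Show.class", "/filez/win.jpg")
# Labels like "foxsports-com" or "yomiuri-co-jp": a familiar hostname with dots
# swapped for hyphens so the URL looks legitimate at a glance.
LOOKALIKE = re.compile(r"^[a-z0-9-]+-(com|net|org|co-jp|de|cn)$")

def rumblar_indicators(url):
    """Return the Rumblar traits a URL shows; an empty list means none seen."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    labels = (parts.hostname or "").split(".")
    found = []
    if parts.port == 8080:
        found.append("port 8080")
    if ".".join(labels[-2:]) in KNOWN_2LDS:
        found.append("known redirection 2LD")
    if any(LOOKALIKE.match(lbl) for lbl in labels[:-2]):
        found.append("brand-lookalike subdomain label")
    if len(labels) >= 5:
        found.append("deep subdomain chain")
    if parts.path.startswith(KNOWN_PATHS):
        found.append("known exploit-kit path")
    if parts.query.startswith("pepsi"):
        found.append("pepsi tracking parameter")
    return found

def scan_proxy_log(text, min_hits=2):
    """Return (client, url, traits) for lines with at least min_hits traits."""
    hits = []
    for line in text.splitlines():
        fields = line.split()  # constructed layout: epoch client method url
        if len(fields) < 4:
            continue
        found = rumblar_indicators(fields[3])
        if len(found) >= min_hits:
            hits.append((fields[1], fields[3], found))
    return hits

# Constructed sample proxy log: two Rumblar requests and two benign ones.
SAMPLE_LOG = """\
1267430400.123 10.0.0.5 GET http://foxsports-com.google.cn.spiegel-de.avattop.ru:8080/ts/in.cgi?pepsi18
1267430401.456 10.0.0.5 GET http://www.example.com/news/index.html
1267430402.789 10.0.0.9 GET http://theplanet-com.1133.cc.nikkansports-com.bestnewhaven.ru:8080/cache/readme.pdf
1267430403.000 10.0.0.9 GET http://cdn.example.org:8080/assets/app.js
"""
```

A single trait such as port 8080 on its own is common on legitimate hosts, so scan_proxy_log only reports requests that show two or more of the traits together.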

The Pepsi Challenge

Many of the files requested on the redirect domains have something similar to “:8080/ts/in.cgi?pepsi18”:

18-plus.ru:8080/ts/in.cgi?pepsi18
inother.ru:8080/ts/in.cgi?pepsi18
test-health.ru:8080/ts/in.cgi?pepsi18

I just find this amusing, because one of the Gumblar sites reported here hosted “/rimages/coke.php”. It’s nice that we have a choice of malicious beverage and, while I prefer Coke, it seems Pepsi is the choice of the new “Rumblar” generation of domains.

Matt Sully
Director
Threat Research & Analysis

AV Plays Catch Up

No security or AV company is equipped with a procedure, independent of hardware or personnel requirements, that can easily keep up with the daily barrage of newborn threats. Shadowserver shows they receive daily unique binaries numbering in the tens of thousands. With the mass amount of malware being created and distributed across the internet, each security company is left with the burden of being unable to “catch ’em all.”

They must then employ a prioritization method of analysis, often leaving data too long in the queue, some collecting dust. Some security companies concentrate on searching for malicious domains and IPs while others concentrate on binary identification, many using a hybrid approach. All, however, are in search of a way to efficiently label these variables as malicious or benign, trying desperately to keep pace with the release of new malware.

AV companies have of course felt the strain of keeping up with the Joneses and, for fear of looking inferior, have often chosen to “borrow” the conclusions made by other AV groups.

According to this “Analyst’s Diary” entry at Kaspersky Lab, an experiment was used to show just how often AV groups rely on one another to categorize samples as malicious in order to appear up to date. From the blog:

“We created 20 clean files and added a fake detection for 10 of them. Over the next few days we re-uploaded all twenty files to VirusTotal to see what would happen. After ten days, all of our detected (but not actually malicious) files were detected by up to 14 other AV companies…”

I can’t exactly blame those copycat AV companies for trying to stay on par with others. There is constant pressure, of which all security groups are aware, to try and balance reputation, integrity, and effectiveness. Trying to avoid false positives means evil may slip by unnoticed, while avoiding false negatives means sacrifices in accuracy. A series of check systems could be put in place, but often there is insufficient detail or time for quality assurance, and delays in the conviction process detract from the goal of real-time protection.

Security researchers often collaborate in some way, perhaps only in certain circles, but we do so because each performs their own independent analysis in their own area of expertise, bringing unique input to the table. Our products should behave no differently. Only shared information that meets certain quality requirements should be used, according to the individual company’s ruleset. If a company or security product has nothing to contribute and only relies on the work of others, then it has little purpose in this industry (yet may find success with the right marketing). However, a company will struggle greatly if they dismiss or completely separate themselves from the security zeitgeist.

In recognition of this need for both dependence and originality, Defence Intelligence is working to bring security and internet architecture groups together to create something new and more complete. We want to make a product that takes a more global approach to the threats we’re facing, but also bring a confidence and purpose back to our industry that seems to have waned. A strong offence may rely on a good defence but we need both if we’re ever going to make real advancement on this battleground.

Matt Sully
Director
Threat Research & Analysis
