Skip to content

Phone call with a Heavily-Accented Phisher

or How I failed to get the whole story

I am lying on the bed with a stomach bug when the phone is ringing. It says 544 Unknown Name. The following is an abbreviated recollection of the phone call.

Woman: Hello. This is a computer support call. Are you the owner of a Windows XP, Windows 7 or Windows 8 computer?

Me: Thanks for calling.

Woman: Are you the owner of a Windows XP, Windows 7 or Windows 8 computer.

Me: Yes, I own the computer I am using.

Woman: Can you look at your keyboard. In the left bottom corner do you have a key that says CTRL.

Me: I turned off the computer. Do you want me to turn it back on.

Woman: Yes, turn the computer back on. Let me know when it is ready.

Me: OK. I pressed the power button. It says it’s booting.

Deliberate pause for dramatic accent. I wait about 30 seconds. During the whole phone call, I managed to turn the computer off at least 5 times.

Me: It says user name now. What shall I do?

Woman: What is your user name and password. Continue reading "Phone call with a Heavily-Accented Phisher"
Categories: Hacking
Defined tags for this entry: ,

Lizamoon SQL Injection Campaign Compared

Malware infections such as SQL injection are a well known security problem. Over the past two years we have seen several large-scale infections on the web, e.g. Gumblar.cn and Martuz.cn. Recently, a new SQL injection campaign called Lizamoon has gained a lot of attention. I had expected web sites would become more secure over time and less susceptible to simple security problems, so it is surprising that SQL injection is still a prevalent problem. That let me to wonder: Was Lizamoon as successful as previous infections? In a discussion about this problem, my colleague Panayiotis Mavrommatis suggested that comparing the size of campaigns via search engine result estimates might not be very accurate measurement.

That begs the question of how to assess the impact of infections. While the number of infected URLs is one possible measure, it is skewed by many different factors, e.g. a single vulnerable site contributes a large fraction of the infected URLs and overstates the impact. Instead, counting the number of infected sites might be a better metric. Even so, to judge the relative scale of an infection campaign, it might be helpful to compare it to previous incidents.

Below is a comparison of the Gumblar.cn/, Martuz.cn/ and Lizamoon infections based on Google's Safe Browsing data. The graph shows the number of unique infected sites over a 30 day sliding window.

For this analysis, I counted the sites that had a functioning reference to it, e.g. a script src=. Sites that escaped the script tag rendering it harmless were not counted. For Lizamoon, I aggregated the sites provided by the websense blog into a single measure:

hxxp://lizamoon.com/
hxxp://tadygus.com/
hxxp://alexblane.com/
hxxp://alisa-carter.com/
hxxp://online-stats201.info/
hxxp://stats-master111.info/
hxxp://agasi-story.info/
hxxp://general-st.info/
hxxp://extra-service.info/
hxxp://t6ryt56.info/
hxxp://sol-stats.info/
hxxp://google-stats49.info/
hxxp://google-stats45.info/
hxxp://google-stats50.info/
hxxp://stats-master88.info/
hxxp://eva-marine.info/
hxxp://stats-master99.info/
hxxp://worid-of-books.com/
hxxp://google-server43.info/
hxxp://tzv-stats.info/
hxxp://milapop.com/
hxxp://pop-stats.info/
hxxp://star-stats.info/
hxxp://multi-stats.info/
hxxp://google-stats44.info/
hxxp://books-loader.info/
hxxp://google-stats73.info/
hxxp://google-stats47.info/
hxxp://google-stats50.info/

The graph shows two interesting facts.
  • The Lizamoon campaign started around September 2010 and actually peaked in October 2010 with ~5600 infected sites. At the moment, it seems to be undergoing a revival.
  • If we compare the number of infected sites, Gumblar.cn/ is still clearly the winner with ~62,000 sites, followed closely by Martuz.cn/.
For future studies of malware infections, I suggest taking the number of infected sites as a more reliable measure than counting the number of infected URLs.

Update 2011-04-04:
The blog post incorrectly referred to Gumblar.cn and Martuz.cn/ as SQL injection attacks. These attacks used stolen FTP credentials.
Categories: Hacking, Malware, News, Security, SpyBye
Defined tags for this entry: , ,

Virtual Nudity at Airports

Recently, I had the pleasure of flying from the new terminal at the San Jose Airport. The building is quite nice from the inside and even has some cool futuristic moving statues. With all the good stuff comes also a set of virtual nudity machines at the security screening point. The virtual nudity machines also known as backscatter x-ray screening promise increased privacy since the naked images of passengers are viewed at a remote location and there is no requirement of a physical examination. As the sign states these machines are optional but whoever refuses must subject themselves to a thorough physical pat down. I already had one really bad experience with the virtual nudity machines at another airport - I was told I was not allowed to wear my watch or any necklaces. Well, this time I chose the metal detector and walked through without any further hassles. However, I had the pleasure of watching every single person who was shepherded through the virtual nudity machines being patted down. One woman had her breast touched - perhaps she dared to wear an underwire bra? The next guy got patted down around his legs. His offense was a chap stick hidden in his pocket. What really amused me was the guy after him who was patted down because he had not removed his handkerchief from his pocket. At the end of the day, anyone going through the backscatter x-ray machines got patted down and spent a significantly longer time at the security checkpoint. This seems like an overly expensive experiment that hopefully will be abandoned soon.
Categories: Security
Defined tags for this entry: ,

Adobe PDF Vulnerability: Stack overflow in Font File parsing

Metasploit has a great write up on new vulnerability in PDF. The basic problem is a stack overflow when parsing OpenType fonts. In particular, SING Glyphlet tables contain a 27 byte long unique name that is expected to be NUL-terminated and stored in a 28-byte buffer. The vulnerable code is using strcat and lacks bounds checking resulting in a stack overflow.

The PDF in the wild prepares the heap via Javascript and contains multiple different font files that are selected by navigating to a specific page in the PDF based on the viewer version. Each font files has slightly different shell code. It was amusing to see that the attackers after modifying the head and SING tables did not fix up their respective checksums. According to Metasploit, this exploit works under Windows 7 with both DEP and ASLR turned on. Fun Fun. As of now, no patched version is available. The SecBrowsing blog contains instructions with temporary remedies.
Categories: Malware, News, SpyBye
Defined tags for this entry: , ,

LEET '10 Call for Papers

The call for papers for the 3rd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET '10) Botnets, Spyware, Worms, and More just went out. It will be held on April 27, 2010 in San Jose, CA.

LEET '10 will be co-located with the 7th USENIX Symposium on Networked Systems Design and Implementation (NSDI '10), which will take place April 28–30, 2010.

Important Dates
  • Submissions due: Thursday, February 25, 2010, 11:59 p.m. PST
  • Notification of acceptance: Wednesday, March 24, 2010
  • Final papers due: Monday, April 5, 2010

Workshop Organizers
Program Chair
  • Michael Bailey, University of Michigan
Program Committee
  • Dan Boneh, Stanford University
  • Nick Feamster, Georgia Institute of Technology
  • Jaeyeon Jung, Intel Labs, Seattle
  • Christian Kreibich, International Computer Science Institute
  • Patrick McDaniel, Pennsylvania State University
  • Fabian Monrose, University of North Carolina, Chapel Hill
  • Jose Nazario, Arbor Networks, Inc.
  • Stefan Savage, University of California, San Diego
  • Matt Williamson, AVG Technologies
  • Yinglian Xie, Microsoft Research
  • Vinod Yegneswaran, SRI International

Go submit your work!
Categories: Malware, News, Security, SpyBye, Systrace
Defined tags for this entry: , , ,

DirectShow Vulnerability Exploited Everywhere

The DirectShow vulnerabilities are being exploited all over the place now. Unfortunately, the second vulnerability in DirectShow is still unpatched and exploit sites seem to be jumping on this. There is even some evidence that it's possible to successfully exploit the vulnerability without even using JavaScript. New exploit domains are popping after every day. DirectShow now seems to be what Flash and PDF were earlier in the year.
Categories: Malware, Security, SpyBye
Defined tags for this entry: , ,