Thursday, June 23, 2011

Beware shortcuts for getting more followers on Twitter

There are various different ways of getting more followers on Twitter.
The easiest method is to be a celebrity. It doesn't matter if you tweet anything interesting, you'll probably find a fair number of people will follow you regardless.
Alternatively, you could try to tweet something that people find useful or amusing or informative on a regular basis. If you put in the hours, write great tweets and be yourself then you may find others are happy to follow you and engage with you online.
But if both of those options sound far too tricky, you might be tempted to try the Twitter equivalent of a "get rich quick" scheme in your hunt for more followers.
Take these messages which are currently appearing on Twitter, for instance:
[Image: Get more followers tweets]
If you are tempted to click on the link, you will be taken to a webpage which offers you a service that promises hundreds or thousands of new followers. Many websites like this exist; here are just two of the sites we have seen being used in the current campaign.
[Image: Get more followers webpages]
Although the graphics differ, the basic template of the site remains the same - including options to either pay for a VIP plan or try out a free service that promises hundreds of new followers.
I must admit I smelt a rat, and so I created a brand new Twitter account to see what would happen if I tried out the "free trial".
[Image: Get more followers username and password request]
Hello hello.. what's this? The pages ask you to enter your Twitter username and password. That should instantly have you running for the hills - why should a third-party webpage require your Twitter credentials? What are the owners of these webpages planning to do with your username and password? Can they be trusted?
In the bottom right hand corner, they admit that they are not endorsed or affiliated with Twitter.
Now obviously I wasn't going to hand over the password for my @gcluley Twitter account, so I entered the login details for the test account I had just created instead.
Before I knew it, I was presented with a familiar Twitter dialog box asking me if I really wanted to grant an application access to my Twitter account.
[Image: Get more followers authorise app]
Common sense would hopefully tell you to step back at this point, and not allow the app's authorisation. But if you're hungry for new followers maybe you would continue, oblivious to the risks.
But sadly, some people are too keen for new followers. And they pay the price: a message promoting the followers service is posted to their feed. In this way, the links can spread rapidly between Twitter users.
[Image: Get more followers tweets]
What surprised me the most, however, is that I started to get many more followers on my test Twitter account. Other, seemingly random, Twitter users began to follow my test account in huge swathes, and my account began to follow seemingly random people in return.
Although this may seem like a good thing, it isn't. After all, the rogue app has now made your account follow scores of seemingly random Twitter users - if you have no interest in what they have to say, you're going to find that pretty irritating.
Furthermore, if you're just playing a numbers game on Twitter you're fooling no-one but yourself. It doesn't actually matter how many people in total follow you on Twitter - what's much more important is how many people are listening to what you're saying on Twitter.
It's no good, for instance, if you have five million Twitter followers but there aren't actual people sitting behind them, reading what you have to say.
In other words, these "get more followers fast" apps are a waste of time. You're not interested in what random people are saying on Twitter, so why should random people care about what you have to say?
Furthermore, who's to say that some of these new people who you are following are not cybercriminals, planning to tweet out malicious links or spam messages in your direction?
Twitter has published information on its help pages which describes the dangers of these "Get More Followers Fast"-type websites and apps.
So, what should you do?
Well, if you fell for the trap and granted the rogue application access to your Twitter account, revoke its rights immediately: go to the Twitter website, visit Settings/Applications and revoke the offending app.
[Image: Revoke Twitter application]
But don't forget that you entered your username and password on the third-party website too! That means you should consider your password to now be compromised, and you should change it as soon as possible.
Remember - the fact that you gave them your username and password means they could in theory log into your account and read any of the information you store up there - including your email address and your private direct messages.
If you take no action against attacks like this, don't be surprised if the unknown parties who now have control over your Twitter account use it to commit crimes or cause a nuisance.

modsecurity - SQL Injection Challenge

Trustwave, the security solutions company, has announced its first hacking challenge for the community. All of the challenges are about SQL injection and filter evasion, and there are four commercial demo sites.

Each winner who makes it to the second level will be rewarded with a T-shirt from Trustwave's SpiderLabs.

McAfee WhitePaper - The New Reality of Stealth Crimeware [PDF]

Another good piece of reading material from McAfee: a white paper on stealth crimeware.


As cloud computing continues to gain widespread adoption across organizations, the issue of security and maintaining a secure environment still remains a top concern. This white paper highlights powerful toolkits that make stealth malware development a "point-and-click" effort.
Learn from this exclusive resource about the Zeus crimeware toolkit and the malware-building software available to attackers, and how to protect your organization's data in the cloud.

Read the full white paper here.

Spam and Suspicious link 23-June-11

Wednesday, June 22, 2011

Spam & Suspicious link 22-June-11 (Internal local IP)

Monday, June 20, 2011

Malware campaign uses direct injection of Java exploit code

Attackers usually compromise web pages to drive traffic to web servers hosting exploit kits. In this injection though, we see exploit code directly planted into legitimate pages:

The code shown attacks an Oracle Java vulnerability (CVE-2010-4452) by exploiting a design flaw in the Java class loader to execute an unsigned Java applet with local user rights. The exploit affects Java Runtime Environment 6 Update 23 and earlier; Oracle addressed it with Update 24 in February 2011. In internal tests we confirmed that the malicious applet loads in all popular browsers with built-in Java support, such as IE, Firefox and Opera. The applet in this attack locates and executes a .exe payload that is disguised as a .jpg file in the foreground parameter of the applet tag. While the system is being attacked, the user only sees the Java icon popping up in the Windows taskbar:

The payload in this case is the now-ubiquitous rogue antivirus:

In case you haven't already done so, don't forget to update your Java version as soon as possible.
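One defender-side check for the disguise described above, as an added example that is not code from the original post: parse the page for applet parameters that name an image and verify the magic bytes of what they point to. The hostnames and bytes are constructed; fetch is an offline lookup standing in for an HTTP client.

```python
from html.parser import HTMLParser

# Added example, not code from the original post: scan page HTML for <applet> parameters that
# reference an image and check the referenced bytes' magic number. A Windows executable begins
# with "MZ", a JPEG with FF D8 FF; a ".jpg" that is really a .exe is the disguise described above.
class AppletParams(HTMLParser):
    """Collect {param name: value} for every <applet> tag on the page."""
    def __init__(self):
        super().__init__()
        self.applets, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "applet":
            self._current = {}
            self.applets.append(self._current)
        elif tag == "param" and self._current is not None:
            self._current[a.get("name", "")] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "applet":
            self._current = None

IMAGE_EXT = (".jpg", ".jpeg", ".gif", ".png")

def find_disguised_payloads(html, fetch):
    """(param name, url) for each 'image' parameter whose bytes start with MZ; fetch(url) -> leading bytes."""
    parser = AppletParams()
    parser.feed(html)
    return [(name, url)
            for params in parser.applets
            for name, url in params.items()
            if url.lower().endswith(IMAGE_EXT) and fetch(url)[:2] == b"MZ"]

# Constructed sample: an injected applet tag plus the bytes its parameters point to.
# The hostname is a placeholder, not the campaign's real infrastructure.
SAMPLE_HTML = (
    '<html><body><p>Welcome</p>'
    '<applet code="Loader.class" archive="loader.jar" width="1" height="1">'
    '<param name="foreground" value="http://example.invalid/img/photo.jpg">'
    '<param name="background" value="http://example.invalid/img/real.jpg">'
    '</applet></body></html>'
)
SAMPLE_BYTES = {
    "http://example.invalid/img/photo.jpg": b"MZ\x90\x00" + b"\x00" * 60,      # PE file named .jpg
    "http://example.invalid/img/real.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 60,  # genuine JPEG magic
}

def demo():
    return find_disguised_payloads(SAMPLE_HTML, SAMPLE_BYTES.__getitem__)
```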

Saturday, June 18, 2011

Spam and Suspicious link 18-June-2011 - Part2

Spam and Suspicious link 18-June-2011 - Part1

Acrobat Memory Corruption Denial of Service (DoS) Exploit - CVE-2011-2105

Adobe has released security updates covering several critical vulnerabilities in Adobe Reader X (10.0.1) and earlier versions for Windows, Adobe Reader X (10.0.3) and earlier versions for Macintosh, and Adobe Acrobat X (10.0.3) and earlier versions for Windows and Macintosh.

One of the vulnerabilities (CVE-2011-2105) has been publicly disclosed through Exploit-DB.

PoC Details:
The following JavaScript inside the PDF file is the trigger (open the PoC file in a text editor):
var temp;
for(var i=0;i<=8;i++)
var result = temp;
viewState= result;
dirty; // Important!

Apply an update

Adobe recommends all users upgrade to Adobe Reader and Acrobat 10.1, 9.4.5, or 8.3. APSB11-16 contains more details. Please also consider the following workarounds:

Use the Microsoft Enhanced Mitigation Experience Toolkit

The Microsoft Enhanced Mitigation Experience Toolkit (EMET) can be used to help prevent exploitation of this and other vulnerabilities.

Enable DEP in Microsoft Windows

Consider enabling Data Execution Prevention (DEP) in supported versions of Windows. DEP should not be treated as a complete workaround, but it can mitigate the execution of attacker-supplied code in some cases. Microsoft has published detailed technical information about DEP in Security Research & Defense blog posts "Understanding DEP as a mitigation technology" part 1 and part 2. DEP should be used in conjunction with the application of patches or other mitigations described in this document.

Note that when relying on DEP for exploit mitigation, it is important to use a system that supports Address Space Layout Randomization (ASLR) as well. ASLR is not supported by Windows XP or Windows Server 2003 or earlier. ASLR was introduced with Microsoft Windows Vista and Windows Server 2008. Please see the Microsoft SRD blog entry: On the effectiveness of DEP and ASLR for more details.

Disable JavaScript in Adobe Reader and Acrobat

Disabling JavaScript helps to reduce attack surface and mitigates some exploitation techniques. If this workaround is applied to updated versions of Adobe Reader and Acrobat, it may protect against future vulnerabilities.

To disable JavaScript in Adobe Reader:

    Open Adobe Acrobat Reader.
    Open the Edit menu.
    Choose the Preferences... option.
    Choose the JavaScript section.
    Uncheck the Enable Acrobat JavaScript checkbox.

Note that when JavaScript is disabled, Adobe Reader and Acrobat prompt to re-enable JavaScript when opening a PDF that contains JavaScript.

Prevent Internet Explorer from automatically opening PDF documents

The installer for Adobe Reader and Acrobat configures Internet Explorer to automatically open PDF files without any user interaction. This behavior can be reverted to the safer option of prompting the user by importing the following as a .REG file:

    Windows Registry Editor Version 5.00


Disable the displaying of PDF documents in the web browser

Preventing PDF documents from opening inside a web browser reduces attack surface. If this workaround is applied to updated versions of Adobe Reader and Acrobat, it may protect against future vulnerabilities.

To prevent PDF documents from automatically being opened in a web browser with Adobe Reader:

    Open Adobe Acrobat Reader.
    Open the Edit menu.
    Choose the Preferences... option.
    Choose the Internet section.
    Uncheck the Display PDF in browser checkbox.


Tuesday, June 7, 2011

RSA finally comes clean: SecurID is compromised

RSA Security will replace virtually every one of the 40 million SecurID tokens currently in use as a result of the hacking attack the company disclosed back in March. The EMC subsidiary issued a letter to customers acknowledging that SecurID failed to protect defense contractor Lockheed Martin, which last month reported a hack attempt.
SecurID tokens are used in two-factor authentication systems. Each user account is linked to a token, and each token generates a pseudo-random number that changes periodically, typically every 30 or 60 seconds. To log in, the user enters a username, password, and the number shown on their token. The authentication server knows what number a particular token should be showing, and so uses this number to prove that the user is in possession of their token.
The exact sequence of numbers that a token generates is determined by a secret RSA-developed algorithm, and a seed value used to initialize the token. Each token has a different seed, and it's this seed that is linked to each user account. If the algorithm and seed are disclosed, the token itself becomes worthless; the numbers can be calculated in just the same way that the authentication server calculates them.
This admission puts paid to RSA's initial claims that the hack would not allow any "direct attack" on SecurID tokens; wholesale replacement of the tokens can only mean that the tokens currently in the wild do not offer the security that they are supposed to. Sources close to RSA tell Ars that the March breach did indeed result in seeds being compromised. The algorithm is already public knowledge.
As a result, SecurID offered no defense against the hackers that broke into RSA in March. For those hackers, SecurID was rendered equivalent to basic password authentication, with all the vulnerability to keyloggers and password reuse that entails.
RSA Security Chairman Art Coviello said that the reason RSA had not disclosed the full extent of the vulnerability was that doing so would have revealed to the hackers how to perform further attacks. RSA's customers might question this reasoning; the Lockheed Martin incident suggests that the RSA hackers knew what to do anyway. Failing to properly disclose the true nature of the attack served only to mislead RSA's customers about the risks they faced.
RSA is working with other customers believed to have been attacked as a result of the SecurID compromise, though it has not named any. Defense contractors Northrop Grumman and L-3 Communications are both rumored to have faced similar attacks, with claims that Northrop suspended all remote access to its network last week.

Source: Ars Security
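The token mechanism the article describes, as an added illustration that is not RSA's code: SecurID's algorithm is proprietary, so this uses the public RFC 4226/6238 HMAC construction, which has the same shape (shared seed plus time step in, short number out). The seed and timestamp are constructed values.

```python
import hashlib
import hmac
import struct

# Added example, not RSA's code: SecurID's algorithm is proprietary, so this uses the public
# RFC 4226/6238 HMAC construction to show the property the article describes. Server and token
# derive the code from a shared secret seed plus the current time step, so whoever holds the
# seed produces the same codes the server expects.

def token_code(seed, step, digits=6):
    """Number a token shows for one time step: HMAC-SHA1 over the step counter, truncated."""
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"

def time_step(now, period=60):
    """The displayed number changes every `period` seconds (30 or 60 in the article)."""
    return now // period

def server_verify(seed, submitted, now, period=60, skew=1):
    """Authentication server: recompute the expected code, tolerating `skew` steps of clock drift."""
    step = time_step(now, period)
    return any(hmac.compare_digest(token_code(seed, step + d), submitted)
               for d in range(-skew, skew + 1))

# Constructed seed and clock value. A real seed is unique per token and is exactly the
# per-account secret the article says was compromised in the RSA breach.
SEED = b"12345678901234567890"
NOW = 1_308_800_000   # fixed timestamp so the run is reproducible

def demo():
    step = time_step(NOW)
    shown = token_code(SEED, step)        # what the legitimate user reads off the token
    from_seed = token_code(SEED, step)    # what anyone holding the seed file can compute
    return {
        "user_accepted": server_verify(SEED, shown, NOW),
        # Indistinguishable from the real token: the second factor collapses to the password.
        "seed_holder_accepted": server_verify(SEED, from_seed, NOW),
        "one_step_late_accepted": server_verify(SEED, shown, NOW + 60),
        "three_steps_late_rejected": not server_verify(SEED, shown, NOW + 180),
        "other_seed_rejected": not server_verify(b"some-other-token-seed", shown, NOW),
    }

if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Every entry in the returned dictionary is True: the server cannot distinguish a code computed from a leaked seed from one read off the physical token, which is why replacing the seeds (and hence the tokens) is the only remedy.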

Another Android Malware Utilizing a Root Exploit

Another Android malware utilizing the root exploit "Rage Against The Cage" has been found. We were able to find a sample ourselves and we now detect it as Trojan:Android/DroidKungFu.A.

This new malware was embedded in a trojanized application and may require root access in order to conceal itself. The infection occurs in two parts:

Infection: Part 1

The first part is the installation of a trojanized application that gains root privilege and installs the application. This application points to Trojan:Android/DroidKungFu.A's service component, which starts a service. On the creation of this service, it calls the function getPermission(), which installs an embedded APK.

[Image: Droid Kung Fu create]

[Image: Droid Kung Fu permission]

This calls checkPermission(), which checks whether the component already exists. If not, it installs the "legacy" file, which is an APK, into "system/app" (the application folder).

[Image: Droid Kung Fu check permission]

Infection: Part 2

The second part deals with the main malware component. As we may recall, this component was also present in the trojanized application.

Here is a screenshot showing the installed APK.

[Image: Droid Kung Fu screen]

The malware appears to have a backdoor functionality. Here are some of its capabilities that we have seen:

  •  execDelete — execute command to delete a supplied file
  •  execHomepage — execute a command to open a supplied homepage
  •  execInstall — download and install a supplied APK
  •  execOpenUrl — open a supplied URL
  •  execStartApp — run or start a supplied application package

Trojan:Android/DroidKungFu.A can also obtain the following information and post it to a remote server:

  •  imei — IMEI number
  •  ostype — Build version release, e.g., 2.2
  •  osapi — SDK version
  •  mobile — users' mobile number
  •  mobilemodel — Phone model
  •  netoperator — Network Operator
  •  nettype — Type of Net Connectivity
  •  managerid — hard-coded value which is "sp033"
  •  sdmemory — SD card available memory
  •  aliamemory — Phone available memory

The root value is set to 1 to signify that the device is rooted, and this information is then sent to "http://search.gong[...].php".

The malware obtains the commands from "http://search.gong[...].php" by posting in the "imei," "managerid" and root value. It also reports the status of the commands on "http://search.gong[...].php" by posting in "imei," "taskid," "state" and "comment."

Threat Solutions post by — Zimry


Updated to clarify: Original discovery of the trojan was by a research team at North Carolina State University. We were able to independently find a sample for our own analysis.    

Source: F-Secure Labs Blog
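A detection for the check-in and status-report traffic described in the F-Secure write-up above, as an added example that is not F-Secure's code. Because the C2 hostname is redacted in the article, it matches on the posted fields rather than the URL; the log format, hostnames and values are constructed.

```python
from typing import Optional
from urllib.parse import parse_qs

# Added example, not F-Secure's code: classify HTTP POST bodies that carry the DroidKungFu.A
# fields listed above. The C2 hostname in the write-up is redacted, so the match is on the
# body rather than the URL: the hard-coded managerid "sp033" with imei and root marks the
# check-in, and imei/taskid/state/comment marks the command status report.

CHECKIN_KEYS = {"imei", "managerid", "root"}
STATUS_KEYS = {"imei", "taskid", "state", "comment"}

def classify_body(body: str) -> Optional[str]:
    """Label one URL-encoded POST body, or None if it does not look like DroidKungFu traffic."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if CHECKIN_KEYS <= set(fields) and fields["managerid"] == "sp033":
        return "droidkungfu_checkin"          # device-info upload / command poll
    if STATUS_KEYS <= set(fields):
        return "droidkungfu_status_report"    # result of an exec* command
    return None

def scan_log(lines):
    """Constructed log format: '<ts> <src_ip> <method> <url> <body>'. Returns (ts, src, url, label) hits."""
    hits = []
    for line in lines:
        parts = line.split(" ", 4)
        if len(parts) == 5 and parts[2] == "POST":
            ts, src, _, url, body = parts
            label = classify_body(body)
            if label:
                hits.append((ts, src, url, label))
    return hits

# Constructed proxy log; the C2 host is a placeholder because the article redacts it.
SAMPLE_LOG = [
    "2011-06-07T10:00:01 10.0.0.12 POST http://search.c2-placeholder.invalid/a.php "
    "imei=000000000000000&ostype=2.2&osapi=8&mobile=&mobilemodel=Nexus+One&netoperator=Test"
    "&nettype=WIFI&managerid=sp033&sdmemory=1024&aliamemory=256&root=1",
    "2011-06-07T10:00:02 10.0.0.12 POST http://search.c2-placeholder.invalid/b.php "
    "imei=000000000000000&taskid=17&state=1&comment=installed",
    "2011-06-07T10:00:03 10.0.0.20 POST http://shop.example.invalid/cart imei=x&managerid=sp001&root=0",
    "2011-06-07T10:00:04 10.0.0.21 GET http://www.example.invalid/index.html -",
]

def demo():
    return scan_log(SAMPLE_LOG)
```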