Archive for June, 2009

A Fourth of July Portent

Tuesday, June 30th, 2009

Posted by: Barracuda Labs

While perusing my spam folder today, I came across the following run-of-the-mill pharmacy email:

From: Hilda McIntyre < hmcintyre_qm@evd.nl >
Date: Tue, Jun 30, 2009 at 8:20 AM
Subject: Unbeatable Pharmacy Offers!
To: < redacted >@gmail.com

An Incredible Canadian Pharmacy is available at your Fingertips!
*No~Doctor~Needed*! Browse our Site Today! -> hxxp://skincarry.com

skincarry.com currently resolves to IPs (e.g., 61.191.191.241) that map back to hundreds of other domains (e.g., *.fnueukej.cn, *.fbaiuaao.cn) hosting the same fake Canadian pharmacy website; the domains exist in part to help spammers get their solicitations past email filters. Not surprisingly, no part of the order process on this site uses SSL (so credit card information, etc. is sent from the browser as unencrypted plain text). However, the wholly fraudulent nature of the site and the operators behind it is not what I wanted to talk about today.

At the top of the site is a picture of fireworks, with text underneath that offers preemptive congratulations on the upcoming July 4th holiday.

July 4th Banner

While the above banner is a slightly boring twist on an all-too-familiar social engineering tactic, its presence should serve as a warning. For the past several years, most major holidays in the United States have been accompanied by waves of malicious email that leverage a given event’s popularity to compromise the systems of unsuspecting users. Independence Day is no exception: past uses have included campaigns by botnets as ubiquitous as Storm. Users should be especially diligent when handling holiday-related emails this weekend, as invariably, some will receive messages whose sole purpose is to place malware on their computer.


Fake Twitter Invitation Campaign Spreads Malware

Thursday, June 18th, 2009

Posted by: Barracuda Labs

As Twitter’s popularity continues to increase, so does use of its name as a way to spread malware. Late last week a Purewire employee received the following email, which presented itself as an invitation to join Twitter.

From: invitations@twitter.com [mailto:invitations@twitter.com]
Sent: Friday, June 12, 2009 1:05 PM
To: < redacted >@purewire.com
Subject: Your friend invited you to twitter!

Your friend invited you to twitter!

Twitter is a service for friends, family, and co-workers to communicate and stay connected through the exchange of quick, frequent answers to one simple question: What are you doing?

To join or to see who invited you, check the attachment.


The attachment accompanying the email, Invitation Card.zip, contained a file named “document.doc     (many spaces)     .exe”. Even if the user’s system was configured to show extensions for known file types, the file (after being extracted from the archive) would still have the following deceptive appearance:

Invitation Card

As with previous campaigns of this nature, if the user attempts to “view” the “invitation card”, they will infect their system with malware. To avoid becoming victims of these multi-faceted social engineering attacks, users should be especially diligent when handling attachments claiming to be ecards, invoices, invitations, etc.
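The padded-extension trick above is easy to catch mechanically at the mail gateway, because the archive member name still ends in an executable extension no matter how it is displayed. The following is an added example (not Barracuda’s code) that inspects the member names of an in-memory ZIP and reports why each one looks deceptive; the archive, its member names and the lists of executable and decoy extensions are all constructed for the example.

```python
import io
import re
import zipfile
from os.path import splitext

# Extensions Windows executes on double-click (constructed list; extend per environment).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jse", ".wsf"}
# Extensions an attacker wants the victim to *see* in place of the real one.
DECOY_EXTS = {".doc", ".docx", ".pdf", ".txt", ".jpg", ".png", ".xls", ".ppt"}


def suspicious_reasons(member_name):
    """Return the list of reasons a ZIP member name looks deceptive (empty list = nothing noticed)."""
    reasons = []
    base = member_name.rsplit("/", 1)[-1]      # ignore directory components inside the archive
    stem, ext = splitext(base)                 # splitext keeps the padding in the stem, real ext in ext
    ext = ext.lower()
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable extension")
    # A run of whitespace immediately before the final extension is the padding trick:
    # "document.doc     .exe" is displayed as "document.doc" in a narrow file-name column.
    if re.search(r"\s+\.[^.\s]+$", base):
        reasons.append("whitespace padding before final extension")
    # A decoy document extension hidden in the stem: "document.doc<padding>.exe".
    decoy = splitext(stem.rstrip())[1].lower()
    if decoy in DECOY_EXTS and decoy != ext:
        reasons.append(f"decoy extension {decoy} masks {ext}")
    return reasons


def scan_zip_bytes(data):
    """Map every member name of an in-memory ZIP archive to its list of reasons."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {name: suspicious_reasons(name) for name in zf.namelist()}


# Constructed sample archive mimicking the campaign's "Invitation Card.zip".
PADDED_NAME = "document.doc" + " " * 60 + ".exe"


def build_sample_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(PADDED_NAME, b"placeholder bytes, not an executable")  # constructed content
        zf.writestr("readme.txt", b"benign text")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_zip_bytes(build_sample_zip()).items():
        verdict = "QUARANTINE" if reasons else "ok"
        print(f"{verdict:10} {name!r} {reasons}")
```

The check deliberately works on the archive’s stored member name rather than on anything the user sees, so the same logic applies whether the padding is spaces, tabs or a long string of decoy words; in practice you would quarantine the whole message when any member is flagged rather than just that member.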


Twitter’s Dirty Little Secret

Monday, June 8th, 2009

Posted by: Barracuda Labs

Today, we officially launched TweetGrade™ (http://tweetgrade.com) — a free, online ranking system for Twitter users. TweetGrade provides a quantitative assessment of a user’s reach and influence in the Twitter community, and it helps promote safety and establish order in an increasingly popular social networking environment.

To create the intelligence that drives TweetGrade, we initially crawled more than 7 million Twitter user accounts and a sample of each account’s corresponding tweets. Then, we analyzed this data along a number of dimensions, including the frequency and content of tweets, user-to-user interactions, and each account’s overall activity level. Based on this analysis, we made a number of interesting observations about Twitter.

First, a large percentage of Twitter users abandon their accounts almost immediately after they are created:

  • 40% of Twitter users have not tweeted since their first day on Twitter (i.e., the account was most likely created and subsequently forgotten about).
  • 25% of the users are not following anyone; more than 50% of the users are following fewer than 5 people, and 2/3 of the users are following fewer than 10 people. The figure below reiterates these numbers with a cumulative distribution graph for the Twitter population’s following habits.

Twitter population’s following counts

Second, Twitter is being used as a mass medium for receiving information as opposed to being used to interact with others. Basically, Twitter is more similar to an RSS feed than an email or IM system:

  • More than 1/3 of Twitter users do not have any tweets, and almost 80% of the users have fewer than 10 tweets. The cumulative distribution graph for the Twitter population’s tweet counts is shown below.

Twitter population’s tweet counts

  • 30% of the users do not have any followers; 70% of the users have fewer than 5 followers, and 80% of the users have fewer than 10 followers. These findings are clearly shown in the following cumulative distribution graph for the Twitter population’s follower counts.

Twitter population’s follower counts

  • 50% of the users are following more people than they have as followers, and another 30% of the users are following the same number of people that are following them.

TweetGrade evaluates Twitter users based on their interactions in the Twitter community. Users receive a simple letter grade that ranges from an ‘F’ to an ‘A+’ to represent their reputation on Twitter, and users can easily share these grades with the community. In addition to promoting high-quality Twitter accounts, TweetGrades can also be used to identify malicious accounts (e.g., spammers) and abandoned accounts. The overarching goal of TweetGrade is to help Twitter users make informed decisions about other Twitter users.


Unicode Encoding for Bypassing XSS Filters

Friday, June 5th, 2009

Posted by: Barracuda Labs

Unicode encoding-based filter evasions have been around for years, and we thought web developers would by now write filters that cover them all. However, it seems that is not true. The latest round comes from Arian Evans and Jeremiah Grossman, who tested the Unicode-encoded left (%u00AB) and right (%u00BB) angle quotation marks as a way of getting around XSS filters. They hinted at it two years ago but did not get a chance to actually test it until now (nobody else did either, as there is no mention of it on the XSS cheat sheet).

According to their post on the webappsec mailing list, the Unicode left and right angle quotation marks sometimes get translated into ‘<’ and ‘>’, respectively, somewhere in the application stack. This allows inclusion of arbitrary HTML content on a web page, and hence JavaScript too (e.g. %u00ABscript%u00BB). They tested around 300 to 1000 websites and found about 44 of them vulnerable to this evasion technique, with 200 locations and 1000+ input variables to attack! Notably, they only counted sites where this was the only way to evade the filter, so there may be many more where it would have worked in combination with other techniques.
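The root cause is ordering: a blacklist filter inspects the raw value, and only afterwards does the stack decode the %uXXXX escape and run a lossy charset conversion that maps « and » onto ‘<’ and ‘>’. The following is an added example (not from the post or its authors) that reproduces that ordering, then shows the two defender-side fixes: canonicalize before deciding, and encode for the output context rather than stripping characters. The %uXXXX decoder and the “best fit” fold are hypothetical stand-ins for whatever a real server stack does; the probe string is the one the post names.

```python
import html
import re

# %uXXXX is the non-standard escape produced by JavaScript's escape() and accepted by some
# server stacks; it is not RFC 3986 percent-encoding, so generic URL decoders ignore it.
_PERCENT_U = re.compile(r"%u([0-9A-Fa-f]{4})")


def decode_percent_u(s):
    """Decode %uXXXX sequences into the Unicode characters they name (hypothetical decoder)."""
    return _PERCENT_U.sub(lambda m: chr(int(m.group(1), 16)), s)


def best_fit_fold(s):
    """Simulate the lossy 'best fit' translation the post describes: « and » become < and >.
    A stand-in for a real charset conversion further down the stack, not any specific library."""
    return s.replace("\u00ab", "<").replace("\u00bb", ">")


def naive_filter_then_decode(user_input):
    """Vulnerable ordering: strip angle brackets from the raw value, then decode and fold later.
    The filter never sees a '<', yet the rendered page ends up containing one."""
    filtered = user_input.replace("<", "").replace(">", "")
    return best_fit_fold(decode_percent_u(filtered))


def canonicalize(user_input):
    """Bring the value to the form the browser will actually see before making any decision."""
    return best_fit_fold(decode_percent_u(user_input))


def hardened_render(user_input):
    """Canonicalize first, then encode for the HTML text context on output instead of filtering."""
    return html.escape(canonicalize(user_input), quote=True)


def flag_encoded_markup(user_input):
    """Detection-side check for logs or a WAF rule: markup that appears only after
    canonicalization is exactly the evasion the post describes."""
    raw_has = "<" in user_input or ">" in user_input
    canon = canonicalize(user_input)
    canon_has = "<" in canon or ">" in canon
    return canon_has and not raw_has


if __name__ == "__main__":
    probe = "%u00ABscript%u00BB"   # constructed sample input using the pattern the post names
    print(naive_filter_then_decode(probe))   # <script>        (filter bypassed)
    print(hardened_render(probe))            # &lt;script&gt;  (inert in an HTML text node)
    print(flag_encoded_markup(probe))        # True
```

The hardened path does not try to enumerate bad characters at all: once the value is in its final form, HTML-escaping on output is what makes it inert, and the same canonicalize-then-encode order is what a filter must follow if it is kept as a defence-in-depth layer.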

Lesson learned: security is a state at a given time. Once achieved, it does not hold forever. You need to constantly evaluate and update it to counter new attacks.
