One of the features included with Google’s new Chrome web browser is the ability to show suggestions for navigation errors. This feature is intended to replace certain traditional 404 error messages with the additional option to search Google’s web search engine for phrases that are parsed out of the incorrectly entered web address that returned the 404 message.

In the past an issue with this has brought to light when a similar technology was first introduced with the Google Toolbar 5 browser plug-in.

The HTTP method GET is frequently used to pass form data from one page to the next for further processing. When using the GET method this data is appended to the URL delimited by a preceding question mark character.

Ex..
http:// [somewebsite] /accountinfo.php?user=Jdoe&session=12345678

In the above example accountinfo.php would be passed the parameter USER containing a value of JDOE as well as a parameter SESSION containing a value of 12345678.

To help explain some of the privacy concerns that may be associated with a 404 hijack lets take a scenario in which a web server is undergoing maintenance and a URL that normally would display a valid web document is returning a 404 error.

In this case a user is logged into [somewebsite] as user jdoe with a session ID of 12345678. After logging in the user selects the account information option on [somewebsite] and is directed to http:// [somewebsite] /accountinfo.php?user=Jdoe&session=12345678

In this example [somewebsite] is under maintenance and the server hosting the accountinfo.php document is generating a 404 message.

The Chrome browser instead of displaying the 404 message generated by [somewebsite] will display a custom error that contain links to search links that redirect to Google’s web search.

A side effect of hijacking the original 404 while maintaining the original URL is that if any of these links that are clicked or when the search button is pressed the browser will send the above mentioned data (USER containing a value of JDOE as well as a parameter SESSION containing a value of 12345678) to google.com as part of the referrer field of the HTTP headers of the created query.

In this case the user may not have intended or be fully aware that the user and session values are transmitted to Google’s servers.

>>>>>>>>>>>>>>>>>>>>>>>>>Update Sept 4, 2008<<<<<<<<<<<<<<<<<<<<<<<<<<<

It has been reported by one of our fellow McAfee researchers that when the Google 404 page is initially rendered an image file is requested from Google (exact path may very depending on localized build of Chrome). This http request also contains the referrer value referenced in the initial post. The result of this discovery is that no action is actually required from the end user for the information to be sent to Google. By the time the Goggle 404 page is displayed the information has already been transferred to Google.

I was at a friend’s house this past weekend when I asked to connect to his wireless router with my laptop. This friend was not computer savvy so I wasn’t surprised to find that security was not configured on his router.

This reminded me of an article (Secure You Wireless Router) a colleague of mine at Avert Labs had written several months ago about how more and more homes in China nowadays have wireless routers, but very few people bother to secure their routers.

I proceeded to lecture my friend about the importance of being security-aware, and the dangers of not being so – identity theft, stolen passwords, private documents, pictures, etc.

To demonstrate my point, I asked his permission to perform a penetration test which he agreed to.

I proceeded with the same steps described in my colleague’s article. I obtained an IP on the unsecured network, found the router’s IP, opened up a browser to that IP and was presented with the router’s administration login page. A quick search online easily gave up the default admin password for this router – “admin”. I tried that and sure enough, got into the admin page.

Next I checked the logs on the router and identified an active host on the network that was not my own. I then tried to open a NetBIOS NULL session with the host which worked. So far everything I tried had worked on the first attempt. Getting the NULL session opened up some opportunities for some good information gathering. For one, I determined that the host was running Windows 2000. More interestingly, I was able to get a list of user accounts. All without the need for a username and password. Only one of the accounts sounded like it was user-created. I tried to map a drive using that account with a blank password, and failed. I tried a few more times before giving up on guessing passwords.

I was using my work laptop so I had a Foundstone Enterprise install handy. I scanned the host for vulnerabilities, looking out for anything remotely exploitable. I came up with a handful, but one check jumped out at me – “Administrator Account Has No Password”. I tested this by mapping a drive with the administrator account and a blank password, half hoping that it was a mis-detection. Alas, the map succeeded and at this point the demonstration was over. I now had full access to my friend’s filesystem, and now the possibilities were endless. Having an Administrator account with a blank password on a Windows machine is such an old security hole that I didn’t even bother to test it early on.

For the home user, here are are just a couple tips to get you started with security and get you in way better shape than my friend:

1. Secure your wireless network. Look up how to do it online or have your techie friend do it for you, like I did for mine.
2. Set a strong password for your Windows Administrator account. Better yet, disable the account.
3. Disable NULL sessions. Look up how to do it online.

Inspired by Igor’s post (and whilst Terry is dancing in doorways) I’ve taken some time out from my current project and beaten a path through the tangled web of service providers, registrars, resellers and registrants of the domain name system supporting the darker side of the web.

This investigation originally started when Garth from Knujon pointed out that Directi have some shill registrars on their books (Whilst I was enjoying the Kaiser Chiefs @ Rock en Seine in Paris no less). I then read Brian Krebs post about Atrivo being one of the best known dangerous networks around… He finished with a teaser note about ESTDomains. So guessing whats coming next I’m going to jump the inter-networking gymnastics that binds EST with Atrivo/Intercage/(cernel|inhoster)/Etc, privacy services and others and start at the far end of the story and expose a secret about a not-so-little Indian company called Directi and shine a light on the almost invisible but vital service that powers the domain registration core of the largest group(s) of bad-actors on the web today.

Let me provide some bullet points about the Directi Group of companies to get you up to speed.

• Directi are a privately owned Indian company with a reported turnover in excess of $300M USD.
• Directi own LogicBoxes the maker of a product used to manage the registrar relationship with registries.
• Directi own the reseller Resellerclub.com, and the registrar Answerable.com amongst others.
• Directi own skenzo.com a domain typo squatting monetization service.
• Directi’s Logicboxes are responsible for over 3.5M domains, about 45K resellers across 50+ ICANN accredited registrars.
• LogicBoxes has no acceptable use policy (AUP) for their service.

That last point is the weak link in the chain. Directi’s Logicboxes provide domain registration automation services under contract but without an AUP, and to organizations that have an un-holy tie to organised crime at that.

LogicBoxes is a software product or turnkey ASP solution but some simple tests (that I’m deliberately withholding for now) prove that it’s software combined with a backend service and Directi are involved at every stage of the game via it’s service-layer even though it looks on the face of it like they aren’t.

(If you don’t understand the cats-cradle of knotted string that holds the domain name registration system together then blame John Levine as he has admitted it’s all his fault and this slide explains it all, “apparently” ).

So on the the murky world of Registrars also being Resellers and why:
ESTDomains, Dynamic Dolphin, to name but a few are huge Directi resellers, and as ICANN accredited registrars also customers of LogicBoxes too. But as Garths and Brian’s posts show there are also many other “shill” registrars and unanswered questions too. However between them they provide a disproportionate amount of domains that are used for illegal activities and most have a path back to Directi’s logicboxes service. I’d estimate the total to be north of 100,000 domains by now, everything from Social networking spam through illegal pharmaceutical supply to botnet command and control.

There is a metric truckload of publicly available evidence for anyone that still doubts the darkness of their hats take a look at the URIBL listings for the last 5 days for ESTdomains. All the linked domains are sites you do not want to click as they contain spam landing pages, fake anti-mailware, porn with fake codecs amongst other things. Why on earth a legitimate registrar would not monitor uribl’s published information and act on it is completely beyond me.

ICANN don’t help the situation by accrediting registrars without a verifiable legitimate address and well publicized & working contacts. We have procurement and vendor qualification processes that’s a real pain some times excellent IMHO, I’ll ask someone to send them a copy

Our friends at Spamhaus have plenty to say about ESTDomains too on many listings, take a look at their nameserver listings for starters SBL53320 SBL53319. Searching ROKSO will reveal a whole lot more. As for Atrivo, it’s a rats nest of issues; A rats nest that would do well to fall off the internet. For more information on the internet-gymnastics I jumped over take a look at this great pdf from hostexploit.com. Keep in mind though that some of the feeder transit networks may be owned or run by the same gang and just exist for redundancy.

The ESTDomains that I’ve investigated first hand have generally fallen into two camps, one where they are registrar directly and one where PublicDomainRegistry is mentioned in the whois, the latter being the “shill” sorry I mean “white labeled Registrar” for the previously mentioned Directi company “resellerclub dot com“. The fact that PrivacyProtect.org is Directi’s whois privacy service (pasted from here) for resellers just makes matters worse.

Don’t get me wrong, Directi have a clue, register a domain directly with a Directi owned registrar and break the AUP and they will act well as any registrar must. I’m specifically talking about the other services they provide to the criminal corners of the web.

It would appear too that the ESTDomains portfolio has had their privacy protection revoked too, this is definitely a step in the right direction. (Breaking news this evening from El Reg and knujon, nice work guys) However, these guys move pretty fast and recently EST moved their privacy needs to their own protectdetails.com domain.

So finally I have to ask those making money by providing the core services Bhavin Turakhia & Divyank Turakhia from Directi, you clearly know the score, so when will you completely stop supporting the illegal acts of EST, DD and other very obvious darkside entities and kick the bad apples out?

Before anyone from a registry or registrar starts the classic “Smith & Wesson” rant think about this, “Smith and Wesson” don’t sell maps or cars, drive you to the forest, apply your camouflage, help with your ICANN accreditation or load your gun for you

After I read the Chris post on our blog that dissected the darksides domains, I wondered about the Russian Business Network and its state of health.

This year, the posts and white papers circulating on the web portray new protagonists like AbdAllah, Atrivo, Directi or EstDomains. Like their RBN senior branch, these Internet network providers are strongly suspected to protect many actors in the malware/phishing/fraud world.

In February 2008, a ShadowServer foundation document explained that many domains had moved from RBN to AIH (AbdAllah Internet Hizmetleri). Like me, many researchers saw here a revival of RBN. But as it is assumed by some French bloggers, it was only a migration from customers, from one bulletproof hoster to another.

2 weeks ago, in the last Jart Armin controversial paper, the St Petersburg entity was hardly mentioned. Various networks previously known as RBN bastions were listed as core component of the Atrivo California-based family of companies (you can read the Brian Krebs post to be convinced).

In October 2007, after the media got in the Russian ISP in the spotlights, their representative Tim Jaret forcefully denied the accusations. He said that his company investigated abuse complaints and took care of them if there was a violation of law. Now, Emil Kacperski, the Atrivo founder hands out the same message. He assures the company works very hard to clean up his image and respond to abuse reports and then proceed to any corrective action when necessary. But some people don’t believe them!

One thing is sure, each time a report discloses a lax ISP, many unscrupulous customers looking for discretion, cover or camouflage, are disrupted. As I said before, we have seen some of them moving to AbdAllah or Atrivo. I should not be surprised if they started searching for a new refuge! All the more probable that bad advertising arrived to the ears of many attentive backbone providers bring about Atrivo to lose peering from all sides. At least it is something!

Today several researchers announce the dissolution of RBN and with the Atrivo and Directi disclosures, we gave new kicks into the anthill. But all these criminals who pay for dedicated server and protection from takedowns due to abuse complaints are still busy. For that reason, the criminal business network is still living even if it changes sometimes in name and management.

People don’t seem to seriously care about Wi-Fi security yet. Inspite of oft-repeated warnings, ignorant folks with unlimited bandwidth plans believe that they are doing a social service by allowing neighbors to leach their Wi-Fi freely. What they fail to understand is that by doing so, they can become an unwitting accessory to cyber crime.

Instead of scouring for anonymous proxies to stay faceless on the internet, cyber criminals are increasingly targeting unsecured Wi-FI networks to get the job done. A combination of war driving tools such as NetStumbler along with a listing of default router usernames and passwords is all it takes to freely connect to unsecured Wi-FI networks. Especially since most Wi-Fi routers use default security settings that come pre-installed by the vendor rather than it having being configured by the end user.

SOHO routers log every connection and DHCP lease but these logs are flushed once the router is rebooted. If an attacker has access to the administrative console of the router (thanks to the default password), once their nefarious actives have been carried out, a simple restart of the router will erase all tracks.

The extent to which an unsecured Wi-Fi connection can be abused is purely left to imagination of the attacker. Putting on my Dr.Evil hat, here are couple of wicked acts a Wi-Fi hacker could commit and get away undetected using an unsecured network.

• Download child pornography
• Download copyrighted movies and music via P2P
• Download Warez and abuse your bandwidth
• Send bomb hoaxes, terror or threatening emails.
• Send spam (sexual aids, pharmacy or money laundering scams)

Any of the above acts could lead to law enforcement authorities knocking on your door. This is not mere speculation and many unsuspecting people have fallen victim. To quote a high profile example, in the recent serial bomb blasts in India, terror emails that took responsibility for the blasts were sent from unsecured Wi-Fi connections. And it was the unfortunate owners of the unsecured Wi-Fi connection that were subjected to police questioning and house arrest.

In addition to using an unsecured Wi-Fi network for malicious purposes, an attacker can also use it to steal personal information for identity theft. For example:

• Infiltrate and break into internal machines
• Modify DNS settings on the router to point to a rouge server.
• Sniff Wi-Fi traffic for usernames and passwords

The above discussed scenarios are neither speculation nor an exhaustive listing of different ways for abusing unsecured Wi-Fi networks. These scenarios are being enacted by criminals everyday around the world.

Now why would want to be an unwitting host to criminal activities emanating from your IP address or make yourself vulnerable to identity theft? Be a responsible Netizen and please secure your Wi-Fi connection now!

Following the public advisory of a zero-day attack published by JustSystems and McAfee® Avert® Labs on August 26, an official security update is now available from the vendor at: http://www.justsystems.com/jp/info/pd8002.html.

The protection has also been available to McAfee customers in the 5368 DATs since August 22. As Avert Labs continues to update our protection for ongoing attacks, Ichitaro users are highly advised to patch this vulnerability as soon as possible.

The debate of full disclosure vs. responsible disclosure vs. nondisclosure has been going on for years, and we have discussed it several times in blogs and even in one of our earliest AudioParasitics podcast sessions:

- http://www.avertlabs.com/research/blog/?p=270
- http://podcasts.mcafee.com/audioparasitics/AudioParasitics-Episode7-5-2007.mp3

We would like to highlight the importance of responsible disclosure such as this. In case of a new attack, restricted information and protection must be made available to all affected users just sufficient to detect and protect against the latest security compromises. All information must be released without compromising the security of affected users, and while providing ample time for affected vendors to verify the issue and inform their customers. No details must be given that would allow the bad guys to discover and exploit the vulnerabilities; however, keeping the existence of a known vulnerability secret leaves users unprotected and uninformed.

As our vulnerability research colleague Rahul Kashyap puts it in his blog, “our mission is to protect our customers and the Internet community at-large, not to create hype and FUD by giving the world a chance to exploit unpatched flaws! Failing to disclose to anyone leaves the good guys in the dark–but supporting irresponsible disclosure gives the bad guys night vision.”

Ichitaro zero-day vulnerability response:

A zero-day exploit against the latest QuickTime (Version 7.5.5) and iTunes (8.0) was released yesterday. The exploit author announced this as a remote heap overflow so we decided to take a look and analyze it.

After our research, we found that this is actually an off-by-one stack overflow. Some noteworthy points:

1. QuickTime has the /GS switch option enabled, hence a cookie is put into the stack.

2. Since this is an off-by-one stack overflow, the attacker can just overwrite one byte of the cookie. The Check_stack_cookie function is called when the function returns. If the Check_stack_cookie found out that the cookie is not matched, then the program exits. This results in the crash of QuickTime and iTunes.

The crash means it is unlikely that code execution would be feasible via this attack vector. Howerver, users of these apps should take the attack seriously and look at appropriate defenses.

The casino spammers have been chaining together a lot of link redirectors recently to avoid being taken down by redirector sites checking anti-spam blacklists.

Here is a good example from one of our partner traps of how you go from one of the most popular torrent forums on the web to a Malta-based casino in one click.

This is the URL used in the email and our starting point:
http://demonoid.com/redirect.php?url=http://tinyurl.com/4nr46h

Here is the redirection chain:
http://demonoid.com/redirect.php?url=http://tinyurl.com/4nr46h
--> 301 Moved Permanently

http://www.demonoid.com/redirect.php?url=http://tinyurl.com/4nr46h
--> 200 OK (and stops if you’re using LWP)

HEADER : Refresh: 0;url=http://tinyurl.com/4nr46h

GET http://www.spinpalace.com/index.asp?a=634991
--> 301 Moved Permanently
(then they hide the affiliate string for some reason)

GET http://www.spinpalace.com/
--> 200 OK

Affiliate 634991, your time is up.

This is not a new trick. Forward-thinking anti-spammers have been reputing against this type of behavior for quite a while, coupled with generic redirector detection. (This mail was three times over our usual deletion threshold.) The issue lies in the fact that some of these links stay alive for days, as it takes a long time and a lot of effort for the redirect sites to clean up the working redirectors. Spammers don’t re-try tricks like this without reason, however.

If any readers are going to be at MAAWG next week, be sure to say “Hi”!
(Slacker Ed. is going too!)

In a recent email to the Full-Disclosure mailing list there’s an interesting article that grabbed our attention. This email talks about how a hacking team claims to have compromised some Linux-based computers and have successfully installed OpenSSH backdoors.

It’s evident that the attackers probably obtained root access by a SSH-password brute-force attack, leveraging the infamous Debian OpenSSL Package Random Number Generator Weakness (CVE-2008-0166) vulnerability. According to the email, after installing this OpenSSH backdoor, the backdoor is capable of recording all information about user accounts, passwords, and IP addresses connecting to and from this host. Hence by social engineering tricks, the attackers can gather the sensitive system information of even more hosts that connect to the compromised machine. At the end of the report this team also lists some achievements they gained, some of which is information on compromised computers.

We have some suggestions for administrators to verify whether they’ve been compromised:

– First compare your devices to check whether any of these are in the records. Note: This list might not be exhaustive; thus even if your host is not present, we recommend you continue to the following steps.

– Use this command to determine whether SSHD on the host has been replaced:

echo netdump|nc localhost 22 or echo netdomp|nc localhost 22

It should output the following information if the backdoor has been installed:

SSH-2.0-OpenSSH_4.3
netdump
SSH2_OUT: 127.0.0.1 user: root pass: password (localhost)


– By using commands such as “strings /pathto/sshd | grep netdump” you can verify whether the backdoor is currently installed and is working.

– And of course, the most effective method is to have all the latest patches installed. If the system is a Debian flavor, you should definitely confirm that the OpenSSL Weakness (CVE-2008-0166) patch has been installed.

– We also suggest the use of public-key-based authentication rather than just a password-authentication mechanism.

We’ll continue to monitor this threat and will update you with more information as it becomes available.

Laptop and notebook theft is a major problem; it rates at between 3 percent to 7 percent of reported thefts, according to experts. In 2006, a company making computer-tracking products estimated 750,000 pieces of equipment a year were being stolen.

Another tracing firm said FBI statistics show two million laptop and notebook computers were stolen in the United States in a recent year. And 50 percent of 403 senior managers surveyed in the Computer Security Institute’s 2007 Computer Crime and Security Survey said their organization experienced laptop or mobile-device theft within the last 12 months.

In June 2008, Dell sponsored a Ponemon Institute study about lost laptops at airports. In this paper, we discovered that 12,000 laptops were lost in U.S. airports each week. Another press release indicated there were more than 3,300 lost at the eight largest airports in Europe, the Middle East, and Africa. Even if a good many are rapidly retrieved or end up at the lost-and-found desk, others vanish into thin air. Somebody, somewhere will be very happy with them.

I decided to blog on this subject because it was just yesterday that I was a speaker at the Eurosec’2008 conference in Paris. Just after my talk, someone working in the counterespionage and counterterrorism circles explained that data theft and reselling equipment on the black market were not the only targets of thieves. 30 percent of these thefts are dedicated to industrial espionage, he said. In 70 percent of the instances, they are stolen to attempt unlawful acts of software piracy, for downloading pedophilia images, browsing terrorist and extremist web sites, exchanging information via blogs and forums, and for sending terror email for intimidation or for claiming responsibility for bombings.

When a burglary occurs, thieves often use stolen cars. Some days after the crime, the police often find the charred car at the bottom of a forest. Now, the same method is being used by cybercriminals; after it’s been used, the computer is destroyed and never found again. And it’s far easier to steal a laptop than an automobile.