Archive for Social Network Security

Inside the “Ron Paul” Spam Botnet - Blackhat malware promotes politics

Inside the “Ron Paul” Spam Botnet
URL: http://www.secureworks.com/research/threats/ronpaul
Date: December 4, 2007
Author: Joe Stewart

[Image: Ron Paul supporters are known for unconventional promotional tactics]

On the weekend of October 27, 2007, the Internet was suddenly bombarded with a rash of spam emails promoting U.S. presidential candidate Ron Paul. The spam run continued until Tuesday, October 30, when it stopped as suddenly as it began. At the same time, political blogs began to light up, accusing the campaign (or at least its ardent supporters) of running a criminal botnet for political purposes. We decided to cut through the spin and take a closer look at this botnet to determine its origins and shine some light on who might be responsible.

Tracking the Spam
Tracking specific spam back to a particular piece of botnet malware is somewhat challenging, but given the right cooperation between researchers who hold different pieces of the puzzle, …
[continues at http://www.secureworks.com/research/threats/ronpaul ..]

Also see: Ron Paul Supporters Using Criminal Botnets to Spread Message of Hate


Microsoft LIVE vulnerable to XSS Meta Manipulation Attack

The search.live.com search engine index appears to be vulnerable to a form of XSS Meta Manipulation and fraudulent content cross-domain injection attacks.

Links to XSS injected domains are being indexed and followed by the Live spiders, as can be seen in the following example when searching for “XSS Hacking” information:

[Image: Example cross-domain content insertion]

http://search.live.com/results.aspx?q=hacking+xss&go=Search

Any user following the link from live.com to the Ethical Hacking expert knowledge site ethicalhacker.net will currently see this output:

[Image: Example cross-domain content injection]

It is unknown at this time whether dynamic search engine rankings or other Web 2.0 technologies that rely on indexed search engine results are affected by this vulnerability. It is very possible that the search.live.com spider could be tricked into following and indexing vulnerabilities far more serious than common cross-site JavaScript alert() injections, but XSSWorm has not yet tested this exploit vector on Live.

Thanks to XSSWorm readers, Ethicalhacker.net has now been informed of the serious XSS injection bug in their installation of WordPress. It is obvious from the image above that the vulnerability is being exploited in the wild by blackhat SEO optimizers, malicious crackers and possibly for cross-net spear pharming and targeted phly-phishing attacks. Microsoft has not yet responded to this bug advisory, and the vulnerability still appears to be exploitable at the time of writing. We will post updates here at xssworm.com as new spider injection holes are discovered.
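One way a site owner can tell whether injected links like the one above are being crawled is to scan the access log for percent-encoded script markers in query parameters and note when the requester is a search-engine spider. This is an added example, not code from the original post; the log lines and the crawler user-agent patterns are constructed for it.

```python
# Added example (not from the original post): flag access-log requests whose
# URL-decoded query string carries script-injection markers, and note when the
# requester is a search-engine crawler (the step that gets a payload indexed).
# Log lines are constructed; layout is Apache combined format.
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Markers that almost never occur in legitimate search terms.
MARKERS = re.compile(r'<\s*script|javascript\s*:|on\w+\s*=|<\s*iframe|alert\s*\(', re.I)
CRAWLER_UA = re.compile(r'msnbot|googlebot|slurp', re.I)   # constructed list

def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding so a double-encoded '<' (%253C) is caught."""
    for _ in range(rounds):
        new = unquote_plus(value)
        if new == value:
            break
        value = new
    return value

def scan_line(line):
    """Return (param, decoded_value, is_crawler) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group('path')).query
    for key, val in parse_qsl(query, keep_blank_values=True):
        decoded = decode_fully(val)
        if MARKERS.search(decoded):
            return key, decoded, bool(CRAWLER_UA.search(m.group('ua')))
    return None

def scan_log(lines):
    """All suspicious hits in a list of log lines."""
    return [hit for hit in (scan_line(l) for l in lines) if hit]

SAMPLE_LOG = [  # constructed sample input
    '10.0.0.5 - - [04/Dec/2007:10:01:02 +0000] "GET /?s=hacking+xss HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [04/Dec/2007:10:02:17 +0000] "GET /?s=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 700 "http://search.live.com/results.aspx?q=hacking+xss" "msnbot/1.0 (+http://search.msn.com/msnbot.htm)"',
    '10.0.0.7 - - [04/Dec/2007:10:03:40 +0000] "GET /?s=%253Cimg%2520src%3Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 700 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for param, value, crawler in scan_log(SAMPLE_LOG):
        print(f"param={param!r} value={value!r} crawler={crawler}")
```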


Independent expert hackers claim Web app bugs are less severe than other vulnerabilities

Expert hackers from the elite security and hacking specialist TELUS claim that their research demonstrates that Buffer Overflows are still the top threat to the safety of the Internet in these days of distributed social data networks and rich Web 2.0 application platforms.

Web application vulnerabilities such as cross-site scripting (XSS) and SQL injection may be widespread, but old-fashioned buffer overflow bugs are the most common flaws reported, according to new vulnerability research from Telus. The hacking experts also report that the level of severity of bugs in Microsoft products is declining significantly.

Telus, which provides vulnerability research analysis to most of the 20 top security vendors — including IBM ISS and McAfee — bases its data on vulnerabilities reported in enterprise-class products.

Microsoft went from around 175 high-severity vulnerabilities reported last year to 129 this year, and from 20 critical bugs to eight this year so far, according to Telus’s data. And overall, the top 50 software and network equipment vendors have had fewer severe bugs this year than last, says Richard Reiner, chief security and technology officer for Telus, who based its data only on vulnerabilities reported in enterprise-class products.

“The severity of Microsoft’s product [vulnerabilities] are dropping dramatically,” Reiner says.

Web app bugs are less severe than other types of vulnerabilities, the research firm said. Buffer overflows, which accounted for 1,470 of the reported bugs (in enterprise-class software, according to Telus data) from January ‘04 until now, are also typically the most severe. “This was surprising, because buffer overflows are among the easiest vulnerabilities to avoid or correct,” Reiner says. “When they exist, they tend to be the most critical… I’m not surprised by that part, but by how prevalent they are.”

Telus has been widely respected for their long-time hacking expertise ever since acquiring Canadian security specialists Assurent and Richard Reiner for an undisclosed sum in April 2006.

[Image: Telus and Assurent Security]

“Customers will be the beneficiaries of our combined suite of internationally recognized security solutions that have a long and successful track record of enabling business resiliency,” claimed Richard Reiner at the time of the acquisition.

Common Web vulnerabilities such as cross-site scripting (XSS) and SQL injection aren’t typically critical threats, Reiner says. Only one bug in the off-the-shelf Web products studied by Telus had a critical SQL bug, and none of them had a critical XSS flaw, he says.

The good news, then, is that off-the-shelf Web platforms are relatively secure. The bad news is that the customized or home-grown Web apps Telus studied were riddled with critical bugs.

“The number of vulnerabilities in widely used Web application platforms has been relatively small,” he says. “But the situation is quite different in custom and one-off applications businesses build.”

Telus’s data differs from that of Mitre Corp.’s latest Common Vulnerabilities and Exposures Report, which was released in May. The broader CVE report named XSS as the most prevalent vulnerability reported in 2006. It is unknown how Telus and the Mitre Corp., while working with the same public vulnerability information, arrived at such opposite conclusions. Some readers have suggested that Telus’ only motivation for releasing this questionable “research” is to generate PR and increase sales - possibly through fear and misinformation - while others claim that respected security vendors such as Telus would rarely (if ever) resort to such unethical tactics in pursuit of profits.

The number of critical and high-risk vulnerabilities is increasing, but that may be because these bugs are now being discovered on smaller vendors’ products, Telus says. Server vulnerabilities still outnumber client flaws, but client bugs have increased from 31 percent of the vulnerabilities last year to 39 percent this year.

Read the original article over at DarkReading.com - a security portal for “IT professionals with security specialties and CISSP or CISA certifications; CIOs; CTOs; CSOs, CISOs, and CCOs.”


Alert: Hackers can take over unused IP Addresses in Highly Trusted domains - Finjan

Domain Name System Hijacked: Hackers Abuse Domain-Name Trust

InternetWorld’s Andy Patrizio and Finjan’s Yuval Ben-Itzhak discuss the fundamental weaknesses in Finjan’s blacklist-based URL filtering products

Using variations on trusted, popular domains has long been a common tactic for scammers, spammers and porn sites. But cyber criminals have devised a new twist on the misspelled domain-name trick by hijacking IP addresses. And they tried it on Yahoo.

To fix the old problem, server-based security products would trace the IP address of the server behind the domain. Once the IP address resolved the misspelled domain name, the products would then compare the IP address against a database of known fraudulent sites or questionable locations. So if a site were masquerading as eBay but the filters found it was really a server in China that had only been established one week earlier, it would block access.

[Image: Finjan’s Ben-Itzhak on Web 2.0 risks]

“Web 2.0 sites are great fun but also a great platform for hackers to host malicious code.” - Ben-Itzhak from Finjan on why his product is still relevant.

In the case of Yahoo, security firm Finjan said hackers exploited an unused IP address within Yahoo’s hierarchy and used that as the domain address behind a forged Google Analytics domain name. This fooled the Finjan Web-filtering product into believing a person was going to a highly trusted Yahoo domain. The victims, customers of Finjan, never knew they were on a malicious Web site, and neither did the security mechanisms on the network. (In this case, Finjan’s Web-filtering product.)

“They managed to resolve the domain name to an IP address owned by Yahoo. How they added an address into a DNS server to appear to be an IP address owned by Yahoo is unknown,” Yuval Ben-Itzhak, CTO of Finjan, told InternetNews.com. He added that Yahoo, while responsive and quick to shut down the compromised address, did not disclose exactly what equipment was behind the compromised IP address.

[Image: Finjan network security product]

“You can upload anything you like, so you can upload malicious content, as well.” - Ben-Itzhak on design flaws within Finjan’s product.

Ben-Itzhak thinks something in the server was broken that enabled the bad guys to push that content down to users without Yahoo knowing. He said that’s a flaw in social networks.

“In 2007, something very clear has come out: these Web 2.0 sites are great fun but also a great platform for hackers to host malicious code as well,” said Ben-Itzhak. “You can upload anything you like, so you can upload malicious content, as well. On MySpace we found hundreds of pages with malicious code this year.”

Ben-Itzhak said server-based security is still the primary mode of defense but also recommended browser plug-ins, such as Finjan’s SecureBrowsing or SnakeOil’s HackerExpert, both of which scan the actual content coming over the wire from a site and alert the user if it’s suspicious.

InternetWorld - Hackers Abuse Domain-Name Trust
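The two trust decisions the article contrasts, as an added example that is not Finjan’s code or the article’s: a filter that grants trust because the hostname resolves into a netblock owned by a trusted brand, beside one that decides on the hostname itself. The resolver table, the netblock and the domain list are constructed for the example.

```python
# Added example (not Finjan's code): classify_by_ip() mirrors the described
# filter, which treats a URL as trusted when its hostname resolves into a
# netblock owned by a trusted brand; classify_by_hostname() decides on the
# name the user is visiting and never lets IP ownership confer trust.
# RESOLVER, TRUSTED_NETBLOCKS and TRUSTED_DOMAINS are constructed, not real data.
import ipaddress
from urllib.parse import urlsplit

# Constructed "DNS": hostname -> IP. The third entry models the article's case:
# an attacker-registered lookalike name pointed at an unused address inside
# the trusted brand's range.
RESOLVER = {
    "www.yahoo.com": "203.0.113.10",
    "mail.yahoo.com": "203.0.113.11",
    "google-analytics.example": "203.0.113.200",  # lookalike, attacker-controlled
    "www.example.net": "198.51.100.7",
}
TRUSTED_NETBLOCKS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed
TRUSTED_DOMAINS = {"yahoo.com"}

def classify_by_ip(url):
    """Weak: trust follows the netblock the hostname resolves into."""
    host = urlsplit(url).hostname or ""
    ip = RESOLVER.get(host)
    if ip is None:
        return "unknown"
    addr = ipaddress.ip_address(ip)
    return "trusted" if any(addr in net for net in TRUSTED_NETBLOCKS) else "untrusted"

def classify_by_hostname(url):
    """Corrected: trust is a property of the name, not of the address behind
    it; an unknown name stays untrusted even when it sits on a trusted IP."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    # exact match or proper subdomain of an allowlisted registrable domain
    for i in range(len(labels)):
        if ".".join(labels[i:]) in TRUSTED_DOMAINS:
            return "trusted"
    return "untrusted"

if __name__ == "__main__":
    for u in ("http://mail.yahoo.com/", "http://google-analytics.example/ga.js"):
        print(u, classify_by_ip(u), classify_by_hostname(u))
```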

[Image: Finjan RUSafe Typical Product]

“With Finjan’s web security there will be no need to worry about getting caught napping by the latest round of web-based threats” - SC Magazine


Giorgei Jorge [xssworm] writes:

After explaining that Finjan’s server-based web security filtering products fail to actually inspect web content or protect the user in any significant way .. beyond checking to see if the target domain name is ‘highly trusted’ such as Yahoo.com .. it’s patently clear that this vendor is totally qualified to discuss the emerging threats related to Web 2.0, social networks and distributed passive attacks. It is also clear that Finjan’s server-based products are highly effective, technically advanced, provide enhanced security for your users and in the context of modern web vulnerabilities, are totally relevant and obviously worth the many tens of thousands of dollars that Finjan charges for licensing and support.

To ensure that all web sites are thoroughly tested to ensure that they belong only to “highly trusted domains” such as yahoo.com it is recommended that users install Finjan’s SecureBrowsing product. SecureBrowsing does not actually check to see if a web site belongs to a highly trusted domain such as yahoo.com, but it does actually inspect some of the content in transit to ensure that only highly trusted domains such as yahoo.com are allowed to install components silently into the browser or take advantage of client vulnerabilities to execute arbitrary code on the user’s desktop. When used in conjunction with the Finjan total security suite of products, including Finjan’s server-based web-filtering product and Finjan’s server and desktop email malware badware and anti-virus filter scanning products and Finjan’s Instant Messaging to Highly Trusted Domains Like Yahoo.com Only Desktop filtering product, the user can be guaranteed near real-time protection from the most popular and widely reported malicious DNS host names. Security of the Web 2.0 is still somewhat dependent on whether hackers can take over unused IP Addresses in Highly Trusted domains - such as yahoo.com - but rest assured that Finjan webgineers are working around the clock to combat these new threats to your information assets.


Facebook 0day exploit in share redirect and JAR: protocol

Click here to send your facebook cookies to xssworm (-;

http://www.facebook.com/share_redirect.php?h=fef648d6fe6177edfa9ff58e779a83&url=http%3A%2F%2Fwww.facebook.com%2Fshare_redirect.php%3Fh%3D0%26url%3Dhttp%3A%2F%2Fxssworm.com&sid=6330305874

Can we upload a JPG injected with a JAR, or chain a second pass of redirect bugs? Facebook now allows embedding of MP3s and other items using share bookmarklets:

javascript:var d=document,f='http://www.facebook.com/share',l=d.location,e=encodeURIComponent,p='.php?src=bm&v=4&i=1182484661&u='+e(l.href)+'&t='+e(d.title);1;try{if(!/^(.*\.)?facebook\.[^.]*$/.test(l.host))throw(0);share_internal_bookmarklet(p)}catch(z){a=function(){if(!window.open(f+'r'+p,'sharer','toolbar=0,status=0,resizable=0,width=626,height=436'))l.href=f+p};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else{a()}}void(0)

Facebook has many holes like this.

vaj.
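A redirect endpoint that closes the nested-redirect pattern in the URL above, where the outer target is on the site’s own host but is itself the redirector pointing off-site. This is an added example, not Facebook’s code; the endpoint path, the parameter names and the HMAC token scheme are assumptions made for it.

```python
# Added example (not Facebook's code): validate a redirect target by requiring
# a server-issued token for the exact URL and by statically unwrapping any
# hop through our own redirector before checking the final host.
# SITE_HOST, REDIRECTOR_PATH, the "url"/"h" parameter names and the HMAC
# token scheme are assumptions for this example, not Facebook's implementation.
import hmac, hashlib
from urllib.parse import urlsplit, parse_qs

SITE_HOST = "www.facebook.com"           # assumed: the only host we redirect within
REDIRECTOR_PATH = "/share_redirect.php"  # assumed: this endpoint's own path
SECRET = b"example-secret-key"           # constructed; a real key comes from config

def sign(url):
    """Token binding one destination URL to this server's key (assumed scheme)."""
    return hmac.new(SECRET, url.encode(), hashlib.sha256).hexdigest()

def final_destination(url, depth=0):
    """Follow our own redirector links statically; None if the chain is unsafe."""
    if depth > 3:
        return None                       # refuse long chains
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None                       # javascript:, data:, scheme-relative ...
    if parts.hostname.lower() == SITE_HOST and parts.path == REDIRECTOR_PATH:
        inner = parse_qs(parts.query).get("url", [""])[0]
        return final_destination(inner, depth + 1)   # unwrap the nested redirect
    return url

def is_safe_redirect(url, token):
    """Allow only signed URLs whose final hop stays on SITE_HOST."""
    if not hmac.compare_digest(token, sign(url)):
        return False                      # unsigned or forged token (e.g. h=0)
    dest = final_destination(url)
    return dest is not None and urlsplit(dest).hostname.lower() == SITE_HOST

if __name__ == "__main__":
    nested = ("http://www.facebook.com/share_redirect.php?h=0"
              "&url=http%3A%2F%2Fattacker.example%2F")      # constructed
    print(final_destination(nested), is_safe_redirect(nested, sign(nested)))
```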


Security Experts Warn of Web 2.0 Woes : XSS and AJAX Hacking Attacks

While Web 2.0 applications might be all the rage for developers and increasingly important in the enterprise, security experts warn they represent a serious threat — a fact that won’t change until businesses start demanding greater protections.

That was the theme at the New New Internet conference here yesterday, where a panel of security experts told audience members that Web 2.0 application developers lack tools to secure their applications, creating a problem unlikely to be fixed without greater prompting by IT management.

“Beat up on your vendors and your own developers,” said Steve Orrin, director of security solutions for Intel Corp. “Look for and ask for security features in your applications. Until you start asking, they aren’t going to see it as a requirement.”

Much of the issue stems from the fact that underlying technologies being used in new Web applications and Web services were never properly secured to begin with, panelists said.

“We’ve already moved on and started to look at Web 2.0 technology, when Web 1.0 wasn’t secure yet,” Orrin said.

“By networking with code-writing peers and hearing lectures by security experts,” he said, “hackers can gather the truth: information necessary to build safer systems and to push for better security.”

[Image: Steve Orrin, hacker expert]

“Cross-Site Scripting is much more powerful when used in a Web 2.0 environment”

“What we’re seeing is advanced uses of the same sorts of attacks that were used before.” Cross-site scripting, for example, is “much more powerful” when used in a Web 2.0 environment, he suggested. “As powerful a tool as Web 2.0 technology is for developers and users, it’s even more so for attackers.”

That’s especially true of things like phishing attacks, Orrin said.

[Image: Steve Orrin, hacker expert]

“It’s become a lot easier to trick users with Web 2.0 — the automation is to the point where the user doesn’t even have to be involved for the attack to occur.”

Hart Rossman, chief security technologist at research and engineering giant Science Applications International Corporation (SAIC), agreed. He pointed to the difficulties that security professionals face in checking some Web 2.0 applications for vulnerabilities. “AJAX is the weapon of choice for sex appeal, but current vulnerability assessment tools have trouble traversing AJAX sites, and it’s harder to find the vulnerabilities,” Rossman said. “You can’t recreate sessions as easily, so if something happens, it’s very difficult to create the forensics to analyze it.”

[Image: Hart Rossman, hacker with glasses and XSS opinion]

“AJAX is the weapon of choice for sex appeal.”

Rossman added that the rise of the use of widgets and other outside components on sites raises the specter of people using “Web 2.0 on top of Web 2.0″ to mount large cross-network attacks.

Experts such as Rossman are currently focusing their efforts on determining a suitably scary-sounding name for these new and unprotected (and potentially devastating to your e-business) Web 2.0 on top of Web 2.0 attack worms.

[Image: Hart Rossman, hacker with glasses and XSS opinion]

“People tend not to trust the mash-up developer.. they trust the API provider. There’s very little thought given to the mash-up, or the mash-up on top of the mash-up.”

News Link : http://www.internetnews.com/dev-news/article.php/3708876

