Monday, April 20, 2009

Mac Proof-of-Concept Code In The Wild: Malicious Disk Images

Proof-of-concept source code has been released to the public for the five Mac OS X kernel vulnerabilities that were discovered last month. One of these vulnerabilities involves maliciously crafted HFS disk images, meaning that it would be fairly simple for a Mac malware developer to distribute disk images (typically .dmg files) that, when mounted, trigger the kernel bug and could do a number of harmful things to the system. Unlike most Mac malware, this exploit would not require the user to enter an administrator password in order to execute and cause damage; simply mounting the image is enough.

The code has been tested against Tiger and Leopard, and reportedly works against pre-release versions of Snow Leopard as well.

None of the major antivirus engines utilized by virustotal.com or virscan.org currently detects the proof-of-concept code as malicious. Intego, a Mac-only antivirus vendor which does not provide an online scanner, claims that its VirusBarrier X5 product can "protect against the possible use of this flaw" as of a few days ago.

Apple is aware of this and the four other kernel vulnerabilities, but has not yet released a Mac OS X security update to address these issues.

Saturday, April 18, 2009

Social Engineering in the Scriptures

This post is really more about historical accounts of social engineering than a discussion about religion. Since social engineering is the focus of this discussion, I felt this post would be of more interest to the security crowd than those interested in religion. I normally discuss religious topics on my religion blog.

Often we think of social engineering as a trick that crackers and pen testers use to gain information to help them get access to someone else's system. However, the concept of social engineering predates computers and hackers by thousands of years.

A couple of days ago I came across a passage in Alma chapter 55 in The Book of Mormon: Another Testament of Jesus Christ, which gave a very interesting account of how a group of people around 63 B.C. used social engineering to win a battle without having to kill a single person. A group of people called the Nephites was in the midst of a war with a rival group, the Lamanites. Moroni, a Nephite military leader, found a man among the Nephites who was a descendant of Laman and thus looked like a Lamanite (the man's name, incidentally, was also Laman), and sent him with some wine to the entrance of a city that was being held by the Lamanites. When the Lamanite guards spotted him, Laman told the guards that he was a Lamanite who had escaped from the Nephites and had stolen some of their wine. The guards (who were probably bored during their night shift) said that they were weary and insisted on drinking Laman's wine, which was very strong. Before long, the Lamanite guards were all drunk and had fallen into a deep sleep, and the Nephite army entered the city. When the Lamanites awoke the next morning, they saw that they were surrounded by the army of the Nephites, and they had no choice but to surrender their weapons and plead for mercy. This battle was won all because of a simple but very clever social engineering attack.

Reading this reminded me of a Biblical passage from the Old Testament, Judges chapter 12, describing events roughly a thousand years earlier on the opposite side of the globe. This passage talks about a failed social engineering attempt by the Ephraimites. The Gileadites, who were enemies of the Ephraimites, put guards at the crossing of the Jordan River so that the Ephraimites would have to get past them to return to their own land. The Ephraimites tried to trick the Gileadite guards into thinking they weren't in fact Ephraimites, but they were unsuccessful:
"...and it was so, that when those Ephraimites which were escaped said, Let me go over; that the men of Gilead said unto him, Art thou an Ephraimite? If he said, Nay;
Then said they unto him, Say now Shibboleth: and he said Sibboleth: for he could not frame to pronounce it right. Then they took him, and slew him at the passages of Jordan: and there fell at that time of the Ephraimites forty and two thousand." (Judges 12:5-6 KJV)
The Gileadites knew that the Ephraimites pronounced the word "shibboleth" differently, so they used this as a test which foiled the Ephraimites' attempt to trick them.

If you're interested in social engineering, you'll enjoy reading The Art of Intrusion by renowned security consultant Kevin Mitnick, who shares real-life cases of modern social engineering schemes and outlines how each case could have been prevented.

Wednesday, April 15, 2009

Malware and Malicious Site Reports: googleadserver, interinetskim

Yesterday I researched two malware distribution sites, googleadserver dot com and interinetskim dot com.

For more detailed reports for googleadserver dot com and its malicious payload, see:
File details courtesy of VirusTotal:
File name: smss.exe
File size: 73728 bytes
MD5...: 4e3c8d06c0cd632926ccc7dd8a5d058c
SHA1..: 1626c4854ab4b5b47790ac350581c7c5a9fbe7ab
SHA256: 971d2d18a99ec2cdf1f98e0d9a241485666499ac7d8e828fd1a09a4cda324ad4
SHA512: 73d18f25d362af308018f610a4063aad2417c066b3d452ea89ef6a2506820c3e3553f48bac31ad43938669a6b633fe343576912dab55c496c53d6577f61349bd
ssdeep: 1536:pPueEUR9TwT8DlhQTrhkvFUtvTAlayBOBlhYDrCkownAk:pmBUR9TwTmhQhkatDirCkownA
Variously identified as: Win-Trojan/Vaultac.73728, TR/PSW.Wow.fxc, PSW.OnlineGames.BRKZ, Trojan-GameThief.Win32.WOW.fyk, Trojan-Dropper.Win32.Vaultac, Trojan-PWS/W32.WebGame.73728.BD, Trj/Lineage.BZE, Mal/GameDll-A, etc.
Google Safe Browsing (built into Firefox 3 and Safari 3.2) blocks googleadserver dot com, and most major antivirus products (except Antiy, Authentium, ClamAV, eTrust, F-Prot, PCTools, and TheHacker) detect its payload as malware. I submitted a sample to several vendors and haven't heard back from any of them yet.

The second site I researched yesterday was interinetskim dot com. For more detailed reports for this domain and its malicious payload, see:
File details courtesy of VirusTotal:
File name: install.exe
File size: 101410 bytes
MD5...: fa2cc0ae61020365bfcb6af3b28730c9
SHA1..: deb23a2f5b65b53aedbf69907d84f2788df1e34d
SHA256: 45966f9367ef2bcdf68d3b5014693e851eb2c55b23e4e2ab045d48ecb6b1767a
SHA512: f986bfc325f951e452ad1af1ac66e3162eac0e73c423591b349a46c16ddd9d5a3aa56dee52ff23f7d705126a558c6a67972755b10c362db19766ed1d7984973e
ssdeep: 3072:UZiIWBSRGGxZYHLz+UJLLIXXsUJLLIXX/:UYM6H/VJiXJiP

Variously identified as: ADSPY/AdSpy.Gen, Win32:FakeAlert-BD, Program:Win32/Winwebsec, a variant of Win32/Kryptik.MR, Mal/FakeAV-AK, etc.
As of yesterday, only 12 major antivirus products (Avira AntiVir, Authentium, Avast!, AVG, F-Prot, GData, McAfee-GW-Edition [which is not the same as the current commercial versions of McAfee VirusScan], Microsoft, NOD32, Prevx1, Sophos, and Sunbelt) detected the payload as malware.

I submitted a sample to several vendors and so far I have only heard back from two of them. McAfee merely sent an autoreply saying that their scan was inconclusive and that my submission would be forwarded to an Avert Labs Researcher for further analysis (which is typical), and I haven't gotten a follow-up from them since then. A Virus Analyst from Kaspersky got back to me within a couple hours and said that it would be included in the next update as "Trojan-Downloader.Win32.FraudLoad.edu".
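The two "File details" blocks above are in the layout VirusTotal produced at the time, with the long SHA512 and ssdeep values wrapped onto a second line. As an added example (written for this page, not code from the original post or from VirusTotal), here is a small parser that turns such a block into a normalized indicator record, rejoining wrapped values and validating hash lengths, plus a matcher that checks a local sample's size and hashes against the record. The embedded report text is the smss.exe block published above; the positive-match sample bytes are constructed for illustration, and ssdeep is kept as an opaque string because fuzzy-hash comparison needs the separate ssdeep library.

```python
import hashlib
import re
from typing import Dict, Optional

# VirusTotal-style "File details" block, copied from the smss.exe report above.
# The SHA512 and ssdeep values are wrapped across two lines exactly as they appear on the page.
SAMPLE_REPORT = """File name: smss.exe
File size: 73728 bytes
MD5...: 4e3c8d06c0cd632926ccc7dd8a5d058c
SHA1..: 1626c4854ab4b5b47790ac350581c7c5a9fbe7ab
SHA256: 971d2d18a99ec2cdf1f98e0d9a241485666499ac7d8e828fd1a09a4cda324ad4
SHA512: 73d18f25d362af308018f610a4063aad2417c066b3d452ea89ef6a2506820c3e
3553f48bac31ad43938669a6b633fe343576912dab55c496c53d6577f61349bd
ssdeep: 1536:pPueEUR9TwT8DlhQTrhkvFUtvTAlayBOBlhYDrCkownAk:pmBUR9TwTmhQh
katDirCkownA
"""

# "MD5...:", "SHA1..:", "SHA256:", "File name:" etc. -- the key, optional dot padding, then a colon.
FIELD_RE = re.compile(r"^(File name|File size|MD5|SHA1|SHA256|SHA512|ssdeep)\.*\s*:\s*(.*)$")

# Expected hex digest lengths; anything else means a truncated or mangled copy of the hash.
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


def parse_file_details(text: str) -> Dict[str, str]:
    """Parse a VirusTotal-style 'File details' block into a dict keyed by
    file_name, file_size, md5, sha1, sha256, sha512 and ssdeep.
    Lines that do not start a new field are treated as wrapped continuations
    of the previous value and glued back on. Hash lengths are validated."""
    record: Dict[str, str] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FIELD_RE.match(line)
        if m:
            current = m.group(1).lower().replace(" ", "_")
            record[current] = m.group(2).strip()
        elif current is not None:
            record[current] += line  # continuation of a value wrapped by the page layout
    if "file_size" in record:
        record["file_size"] = record["file_size"].split()[0]  # "73728 bytes" -> "73728"
    for key, length in HEX_LEN.items():
        value = record.get(key)
        if value is not None and not re.fullmatch(r"[0-9a-f]{%d}" % length, value):
            raise ValueError(f"{key} has unexpected length or characters: {value!r}")
    return record


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Compute the four cryptographic digests VirusTotal reports, as lowercase hex."""
    return {name: hashlib.new(name, data).hexdigest() for name in HEX_LEN}


def matches_indicator(data: bytes, record: Dict[str, str]) -> bool:
    """True when the sample's size and every hash present in the record agree.
    Size is checked first because it is cheap and rules out most non-matches;
    a disagreement on any single algorithm is a non-match."""
    if "file_size" in record and int(record["file_size"]) != len(data):
        return False
    digests = hash_bytes(data)
    compared = [record[key] == digests[key] for key in HEX_LEN if key in record]
    return bool(compared) and all(compared)


if __name__ == "__main__":
    ioc = parse_file_details(SAMPLE_REPORT)
    print("SHA512 rejoined to", len(ioc["sha512"]), "hex chars")
    print("constructed bytes match published smss.exe IOC:", matches_indicator(b"constructed", ioc))
```

In practice you would read the candidate file with `open(path, "rb").read()` and pass the bytes to `matches_indicator`; a size mismatch alone is enough to skip hashing, and a record that fails length validation should be fixed at the source rather than silently ignored.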

Saturday, April 11, 2009

How to Preview Shortened URLs (TinyURL, bit.ly, is.gd, and more)

On many social networks, it's a common practice to use shortened redirect URLs rather than linking directly to the (often much longer) original URL of a page. This is especially common when character limits are imposed, such as Twitter's 140 character maximum.

From a security standpoint, blindly clicking on redirect URLs is probably not the best idea, especially if you don't know (or don't implicitly trust) the person who shared it. In fact, even a trusted user's account could theoretically be hijacked, as happened earlier today when an XSS attack was launched against Twitter.

Thankfully, many URL shortening services offer ways of previewing the full URL before visiting it. Instructions for some of these sites follow (roughly in order of popularity). Note that I do not necessarily endorse any of the services below; this information is given for information purposes only, based on what I was able to find out by researching and testing each service.

TinyURL
Add "preview." before the "tinyurl.com" portion of the URL to see where the link will take you, e.g. you can change http://tinyurl.com/cz23u4 into http://preview.tinyurl.com/cz23u4
Better yet, you can force TinyURL to always take you to the preview link whenever you click on a tinyurl.com shortcut. If you go to http://tinyurl.com/preview.php you can set a cookie for the site that will enable this feature.

Bitly.com / bit.ly / j.mp / urls.im (and Bitly Enterprise sites like amzn.to, aol.it, atmlb.com, bbc.in, bhpho.to, binged.it, bloom.bg, buff.ly, cnet.co, huff.to, lat.ms, nyr.kr, nyti.ms, on.fb.me, on.mtv.com, on.vh1.com, oreil.ly, politi.co, tcrn.ch, usat.ly, wapo.st, yhoo.it, etc.)
Just add a plus ("+") after a bit.ly URL to see where the link will take you, and also to get statistics for that shortened URL (bit.ly, bitly.com, j.mp, and urls.im are interchangeable). For example, you can change http://bit.ly/2KeAT into http://bit.ly/2KeAT+ which will redirect to http://bit.ly/info/2KeAT
Alternatively, you can add "/info" after the domain portion of the URL. For example, you can change http://bit.ly/2KeAT into http://bit.ly/info/2KeAT

Note that amzn.to links always redirect to Amazon.com, and nyti.ms links redirect to nytimes.com (The New York Times). These companies have Bitly Enterprise (formerly known as "bit.ly Pro") accounts and use the special URLs to link only to their own sites, so you can be reasonably confident about where these URLs will take you. Other Bitly Enterprise sites like oreil.ly (owned by O'Reilly Media) do not link exclusively to one specific site. All Bitly Enterprise addresses, regardless of which company is responsible for them, can be previewed the same way as regular bit.ly addresses using the methods outlined above.

goo.gl
Google's short URLs can be previewed the same way as bit.ly URLs. Just add a plus ("+") after a goo.gl URL to see where the link will take you, and also to get statistics for that shortened URL. For example, you can change http://goo.gl/1tRbb into http://goo.gl/1tRbb+ which will redirect to http://goo.gl/info/1tRbb
Alternatively, you can add "/info" after the "goo.gl" portion of the URL. For example, you can change http://goo.gl/1tRbb into http://goo.gl/info/1tRbb

is.gd
Just add a hyphen ("-") to the end of any is.gd URL to preview it, e.g. http://is.gd/rZ7U can be changed into http://is.gd/rZ7U-

Snipurl / Snipr / Snurl / Sn.im / Cl.lk
Add "peek." before the snipurl.com, snipr.com, snurl.com, sn.im, or cl.lk part of an address to find out where the link leads, e.g. http://snipurl.com/fpyfq can be changed into http://peek.snipurl.com/fpyfq

Tiny.cc
Just add a tilde ("~") to the end of any tiny.cc URL to preview it and get statistics for it, e.g. http://tiny.cc/d7bza can be changed into http://tiny.cc/d7bza~

BudURL
Simply add a question mark ("?") to the end of any BudURL shortcut to preview it, e.g. you can change http://budurl.com/gtg3 into http://budurl.com/gtg3?

Fwd4.Me
Like BudURL, just add a question mark ("?") to the end of any Fwd4.Me URL to preview it, e.g. you can change http://fwd4.me/uPV into http://fwd4.me/uPV? (Note: You need to enable JavaScript in order to create Fwd4.Me URLs.)

su.pr
StumbleUpon's URL shortener, su.pr, can be previewed similarly to bit.ly; just add a "+" after a su.pr URL to get a preview page, e.g. you can change http://su.pr/2xZo8c into http://su.pr/2xZo8c+ (Note that su.pr shortcuts put an annoying StumbleUpon bar across the top of the destination page.)

yi.tl
This service provides a preview if you add a tilde ("~") after the URL. For example, you can change http://yi.tl/B03ImN into http://yi.tl/B03ImN~ to see the long URL. As a bonus, you'll also get to see the title of the destination page and see whether the URL is in Google's phishing or malware database.

y.ahoo.it
In order to preview y.ahoo.it URLs, you must go to http://y.ahoo.it (with JavaScript and cookies enabled) and click on the checkbox next to "Show me a preview of the destination URL when viewing y.ahoo.it links".

sURL.co.uk
When you visit a sURL.co.uk short URL, you will automatically get a preview of the destination address and its status on hpHosts, Malware Domain List, and PhishTank so you can instantly see whether it's a known malware or phishing scam site. The preview cannot be disabled. This is by far the most safety-focused URL shortening service, which is no surprise since it's operated by the maintainer of hpHosts.

cli.gs
Another service that automatically gives you a preview is cli.gs. The feature can be explicitly disabled by each user, if desired; there's a "Click here to disable previews" link on each preview page, which when clicked sets a cookie to disable previews in the future.

Tinyarro.ws / ta.gd
Tinyarro.ws is the only other URL shortener service I know of that automatically gives you a preview. Again, the preview can be disabled, if desired; there's a "Never show a URL preview again" link on each preview page, which when clicked sets a cookie to disable previews in the future.

Other services
Unfortunately, several popular services (including, as far as I can tell: t.co, twurl.nl, moourl.com, ow.ly, lnkd.in, lnk.ms, wp.me, mcaf.ee, and awe.sm) don't offer the ability to preview the original long URL before visiting it. Personally, I'm not interested in using URL shorteners that don't offer previews. It's just nice to give people the opportunity to be able to view the full URL without having to click the link first. However, if someone else sends you a shortened link from another service and you want to preview it, you may still be able to do so using a third-party site. Here are a couple of sites that let you do just that:
If you know of any other URL shortening services that offer a preview feature, feel free to leave a comment with the details of how to change a shortened URL into a preview URL.
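To pull the rules above together, here is an added example (written for this page, not code from the blog or from any of the shortening services) that rewrites a shortened URL into its preview form using exactly the per-service conventions listed in this post: a host prefix for TinyURL and the Snipurl family, a one-character suffix for the Bitly family, goo.gl, is.gd, tiny.cc, BudURL, Fwd4.Me, su.pr and yi.tl, and a classification for services that preview automatically, only after opting in, or not at all. The host lists are taken from this post and describe the services as they were when it was written.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Services whose preview URL is made by prefixing the host (tinyurl.com -> preview.tinyurl.com).
PREFIX_RULES = {
    "tinyurl.com": "preview.",
    "snipurl.com": "peek.", "snipr.com": "peek.", "snurl.com": "peek.", "sn.im": "peek.", "cl.lk": "peek.",
}

# bit.ly, its interchangeable aliases, and the Bitly Enterprise domains named in this post.
BITLY_HOSTS = {
    "bit.ly", "bitly.com", "j.mp", "urls.im",
    "amzn.to", "aol.it", "atmlb.com", "bbc.in", "bhpho.to", "binged.it", "bloom.bg", "buff.ly",
    "cnet.co", "huff.to", "lat.ms", "nyr.kr", "nyti.ms", "on.fb.me", "on.mtv.com", "on.vh1.com",
    "oreil.ly", "politi.co", "tcrn.ch", "usat.ly", "wapo.st", "yhoo.it",
}

# Services whose preview URL is made by appending one character to the short URL.
SUFFIX_RULES = {
    **{host: "+" for host in BITLY_HOSTS},
    "goo.gl": "+", "su.pr": "+",
    "is.gd": "-",
    "tiny.cc": "~", "yi.tl": "~",
    "budurl.com": "?", "fwd4.me": "?",
}

AUTO_PREVIEW_HOSTS = {"surl.co.uk", "cli.gs", "tinyarro.ws", "ta.gd"}  # preview page shown by default
COOKIE_PREVIEW_HOSTS = {"y.ahoo.it"}                                    # preview only after opting in on the site
NO_PREVIEW_HOSTS = {"t.co", "twurl.nl", "moourl.com", "ow.ly", "lnkd.in",
                    "lnk.ms", "wp.me", "mcaf.ee", "awe.sm", "fb.me"}


def _split(short_url: str):
    # Accept a bare "bit.ly/2KeAT" as well as a full URL; the rules do not depend on the scheme.
    if "://" not in short_url:
        short_url = "http://" + short_url
    return urlsplit(short_url)


def preview_mode(short_url: str) -> str:
    """Classify how, if at all, a shortened URL can be previewed before visiting it:
    'url' (rewrite it, see preview_url), 'automatic', 'cookie', 'none' or 'unknown'."""
    host = (_split(short_url).hostname or "").lower()
    if host in PREFIX_RULES or host in SUFFIX_RULES:
        return "url"
    if host in AUTO_PREVIEW_HOSTS:
        return "automatic"
    if host in COOKIE_PREVIEW_HOSTS:
        return "cookie"
    if host in NO_PREVIEW_HOSTS:
        return "none"
    return "unknown"


def preview_url(short_url: str) -> Optional[str]:
    """Return the preview URL for a shortened link, or None when the service
    offers no URL-based preview. Any query string or fragment on the input is
    dropped, since the short code lives in the path."""
    parts = _split(short_url)
    host = (parts.hostname or "").lower()
    if parts.path in ("", "/"):
        return None  # no short code present, nothing to preview
    if host in PREFIX_RULES:
        return urlunsplit((parts.scheme, PREFIX_RULES[host] + parts.netloc, parts.path, "", ""))
    if host in SUFFIX_RULES:
        base = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
        return base + SUFFIX_RULES[host]  # "+", "-", "~" or "?" appended to the bare short URL
    return None


if __name__ == "__main__":
    for link in ("http://tinyurl.com/cz23u4", "http://bit.ly/2KeAT", "http://is.gd/rZ7U", "http://t.co/abc123"):
        print(link, "->", preview_mode(link), preview_url(link))
```

For the services that return `None` here (t.co, ow.ly, and the rest of the "none" list), the generic fallback that third-party unshorteners use is to request the short URL without following redirects and read the `Location` response header, which reveals the destination without your browser ever loading it.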

See also my follow-up article about a Firefox add-on that lets you preview full URLs automatically: LongURL: Preview Shortened URLs, No Clicking Required. (UPDATE: This add-on is no longer being developed and will not work with current versions of Firefox. The best alternative I've been able to find is unshorten.it for Firefox and Chrome.)

UPDATE, 3 Mar 2010: Removed defunct shortening services: poprl.com, sn.im (which has been replaced with st.im and cl.lk), and plurl.me. Also added the plus character shortcut to the bit.ly section. 
UPDATE, 30 Mar 2010: Added tiny.cc and surl.co.uk.
UPDATE, 5 Apr 2010: Added j.mp and re-added sn.im.
UPDATE, 30 Nov 2010: Added goo.gl due to popular demand, plus mentioned bit.ly Pro. Also added a couple sites that can be used to find out long URLs, even when the shortening service itself doesn't offer a way to preview where a link will take you.
UPDATE, 25 Jan 2011: Added info about previewing cli.gs, urls.im, su.pr, fwd4.me, tcrn.ch, and bu.tt. Added moourl.com and Twitter's own t.co to the list of shorteners that unfortunately don't offer previews. Removed mentions of defunct tr.im and twurl.cc.
UPDATE, 31 Mar 2011: Added info about previewing binged.it, on.fb.me*, y.ahoo.it, and yhoo.it. Added lnk.ms, lnkd.in, mcaf.ee, and wp.me to the list of shorteners that unfortunately don't offer previews. *Note that on.fb.me is different from fb.me, and the latter cannot be previewed as far as I can tell. However, if you see a human-readable word or name after fb.me, this will redirect to one of Facebook's so-called "vanity URLs" for a user profile or fan page; thus fb.me/facebook will redirect to facebook.com/facebook.
UPDATE, 22 May 2012: Updated link and name for URLVoid's service (now called Unshorten URL instead of Extract URL). Added yi.tl preview instructions. Added bitly.com to the Bitly section and updated the old "bit.ly Pro" name to Bitly Enterprise. Added lots of Bitly Enterprise domains: aol.it, atmlb.com, bbc.in, bhpho.to, bloom.bg, cnet.co, huff.to, lat.ms, nyr.kr, on.mtv.com, on.vh1.com, politi.co, usat.ly, and wapo.st. Mentioned awe.sm. Removed st.im, short.ie, bu.tt, and kl.am, which all appear to be defunct. Removed mention of adjix.com, which is no longer accepting new URLs but is supposed to redirect previously created URLs "indefinitely" (it never offered a preview). Added note about the LongURL Firefox extension no longer being actively developed. Replaced link to Damon Cortesi's article on the Twitter StalkDaily Worm with an archived copy since the original site appears to be down.
UPDATE, 6 May 2013: Added buff.ly to Bitly Enterprise list. Mentioned unshorten.it extensions for Chrome and Firefox.
UPDATE, 10 May 2013: Updated URLVoid unshortener link to new Toolsvoid URL.


For more from the JoshMeister on Security, please subscribe via e-mail or RSS, or follow me on Twitter.

Introduction

Welcome to the JoshMeister on Security, the blog of Joshua Long (the JoshMeister), a computer security researcher from Southern California.

For several years Josh has been reporting spam, phishing scams, and malware sites to help protect others online. He regularly submits samples of viruses, Trojan horses, backdoors, rootkits, and other types of malware to major anti-virus vendors when he finds undetected malware in the wild. In 2006, Josh earned a Master of Information Technology degree concentrating in Internet Security.

The purpose of this site is to publicly share some of Josh's research and musings on security-related topics.

Please feel free to subscribe to this site's Atom or RSS feed. You can also follow the JoshMeister on Twitter or other social networks.