Monday, July 30, 2007

The Privacy Risks of Social Networking Sites

For those concerned about privacy on the Net and on social networks like Facebook, Hi5, MySpace, etc., there is a good article in the latest issue (May-June 2007) of IEEE Security & Privacy magazine by David Rosenblum.


"For the Net generation, social networking sites have become the preferred forum for social interactions, from posturing and role playing to simply sounding off. However, because such forums are relatively easy to access, posted content can be reviewed by anyone with an interest in the users' personal information." "It is possible to glean personal information even without accessing a home page on these sites because many people use the public wall as a private message board to post intimate details of their lives, schedules, or recent sexual conquests. But what would motivate people to broadcast their private lives? As one user explained it: 'Like many of my generation, I consistently trade actual human contact for the more reliable high of smiles on MySpace, winks on Match.com, and pokes on Facebook. I live for Friendster views, profile comments, and the Dodgeball messages that clog my cell phone every night.'"

Many websites ask their users to enter a "secret question/answer" in case they forget the password, so the user can recover or reset it. Many of these secret answers can be found on MySpace or Hi5 profiles, e.g.: name of the primary school, name of the pet, city of birth, favorite team.

Worse, many of these same questions are used as an authentication method by the phone services of many banks: when you call for the very first time you will be asked for your mother's maiden name. Even if you never published this information, it isn't hard for an attacker to simply ask you that question through your MySpace/Hi5/Facebook page (social engineering). Worth a look.

Friday, July 27, 2007

Pharming in the wild

My SPAM folder is an unbeatable source of malware; I think it's better than the Honeynet Project (JK). Last week I found an e-mail with an interesting subject, "Combate al robo de combustible", loosely translated "Fighting the gas rip-off". Let me explain: in Mexico there are some gas station pumps that dispense less fuel than what you're paying for; you pay for 1 L but you get, let's say, 900 ml (or less). Well, there is a study on this topic and a list of the gas stations that rip you off.

Back to the e-mail: it was supposedly sent by the "Tec de Monterrey" (a private university in Mexico), but it seems to be fake.
It includes a link to a file that pretends to be the list of gas stations (Gasolinera.rar); inside this RAR is a "gasolineras.exe" file with MD5 hash f5e9203e2d799cc98016db11a1832880.


It was evident this file was malware, but I always upload suspicious files to VirusTotal before starting a deeper analysis (to save effort in case it's already-known malware); this time it reported nothing. Then I sent a copy of the file to the malware team at UNAM-CERT for analysis, and at the same time I tried to reverse-engineer the code to highlight the main activities of this malware.

The file has interesting strings:

Gasolineraxc
SeguridadBanamex
Gasolineras
ProductName
SeguridadBanamex
FileVersion
1.00
ProductVersion
1.00


This malware adds entries to the "C:\WINDOWS\system32\drivers\etc\hosts" file, specifically:

209.40.195.154 banamex.com
209.40.195.154 www.banamex.com
209.40.195.154 banamex.com.mx
209.40.195.154 www.banamex.com.mx
72.249.77.180 www.bancanetempresarial.banamex.com.mx
209.40.195.154 bancanetempresarial.banamex.com.mx
209.40.195.154 boveda.banamex.com
209.40.195.154 www.boveda.banamex.com


This kind of attack is known as "PHARMING": it fools the browser and any other application into resolving the names of legitimate sites, mainly online banks, to fake portals. That means that when I type www.banamex.com in the browser, the system first checks the hosts file; since the malware previously added the entry, the www.banamex.com domain now resolves to the IP 209.40.195.154, and of course the attacker controls that IP.
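Since a hosts-file override sits below DNS, the defender's check is simply to read the file and flag names pinned to an address they should never have. The script below is an added example, not part of the original post: it parses a hosts file (comments, inline comments and multiple names per line included) and reports every non-loopback override, treating the domain suffixes you pass as a watch list that is reported regardless of the target address. The sample hosts content is constructed from the entries listed above plus the default lines a clean Windows hosts file carries.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: the entries the malware injected (as listed in the post)
# plus the stock entries of a clean hosts file, so only the injected ones fire.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
209.40.195.154 banamex.com
209.40.195.154 www.banamex.com
209.40.195.154 banamex.com.mx
209.40.195.154 www.banamex.com.mx
72.249.77.180 www.bancanetempresarial.banamex.com.mx
209.40.195.154 bancanetempresarial.banamex.com.mx
209.40.195.154 boveda.banamex.com
209.40.195.154 www.boveda.banamex.com
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, one per hostname, skipping comments and junk."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line: the resolver ignores it, so do we
        for name in fields[1:]:
            yield ip, name.lower()


def find_pharming(text, watched_suffixes=()):
    """Return {ip: [hostnames]} for entries that pin a hostname to an address
    other than loopback/unspecified. Names under a watched suffix (assumed list,
    e.g. your bank's domains) are always reported; any other name is reported
    only when it is pinned to a globally routable address, so LAN entries like
    '192.168.1.20 printer' stay quiet. Pinning to 127.0.0.1 is the usual
    ad-blocklist idiom, so it is treated as benign here."""
    hits = defaultdict(list)
    for ip, name in parse_hosts(text):
        if name in LOCAL_NAMES or ip.is_loopback or ip.is_unspecified:
            continue
        watched = any(name == s or name.endswith("." + s) for s in watched_suffixes)
        if watched or ip.is_global:
            hits[str(ip)].append(name)
    return dict(hits)
```

Run it against the real file (`C:\WINDOWS\system32\drivers\etc\hosts` on Windows, `/etc/hosts` elsewhere) and any bank domain in the output is the analogue of the entries shown above.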

The antivirus fails to flag this malware even as potentially unwanted because it doesn't open TCP ports, doesn't add entries to the Windows registry and doesn't intercept hardware interrupts (among other typical hacking activities); needless to say, it's a very NASTY attack.

The details may be quite technical for some people, so let's make an analogy: an attacker rewrites your Yellow Pages, so when you try to reach Domino's Pizza by phone you in fact get Pizza Hut's number.

So, how can I protect myself? ALWAYS check the SSL certificate when browsing to online banks, even if you typed the URL directly in the browser (a hosts-file entry hijacks the name no matter who typed it), and NEVER execute files received as attachments, even if the antivirus says they're OK.

Thursday, July 5, 2007

New celebrity phishing

Today I found an interesting, brand new (at least for me) infection vector. Usually when you are being phished the attackers send you e-mails with the look & feel of some bank's website, trying to convince you of the authenticity of the site. But by now this is obvious, and people know what phishing e-mails look like.

This time I got a supposed video from a well-known magazine with the headline "Luis Miguel cheating on his wife", some pictures and three links to the "video". The "video" is a tvnotas.exe file.

You may wonder why a victim would click on that link. Well, Luis Miguel is a famous singer in Mexico, one of the richest, and all the magazines and TV programs are always following his career and personal life (far beyond his public life). Maybe I'm not the target of this phishing, but I know a lot of people (mostly women) who would click before they finish reading "Luis Miguel"; you know, his wife is another beautiful woman, "Araceli Arámbula", and it would be embarrassing for him to be caught "in action".

If you are curious about who Luis Miguel was supposedly kissing, it was "Jessica de Alba" (sic); I guess the phisher was referring to "Jessica Alba", the chick from Dark Angel and Fantastic Four.

After all this "background", I downloaded the tvnotas.exe trojan from www.nocleh.cz and uploaded it to VirusTotal (www.virustotal.com) to scan it. VirusTotal is a free public service based in Spain: you can upload any file you like to have it scanned for viruses and malware.


Of all the 30+ engines used at VirusTotal, just 6 reported anything, ranging from "suspicious file" to "Trojan/Delphi.Downloader.Gen"; Symantec and McAfee reported nothing.

What we can learn from this is not to blindly trust the antivirus. Every day hackers are trying to fool you into clicking an image or link, and they have freshly programmed code that no signature matches yet. You might get convinced by a headline and download a file, run the antivirus and, as long as there aren't any alerts, double-click the file, and you are gone.