Message-ID: <43FB98C9.9030402@securescience.net>
Date: Tue, 21 Feb 2006 14:48:41 -0800
From: Lance James <bugtraq@...urescience.net>
To: Ken Kousky <kkousky@...inc.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: First WMF mass mailer ItW (phishing Trojan) - think singularities


I don't disagree with you one bit - I was simply making a similar point:
they fly below the radar, with that intent.

But there are ways to make pre-emptive signatures based on tracking
certain phishing/spam/porn rings and noting their serial pattern. This
is how you detect "below the radar" attacks. This isn't for prevention,
but detection only. I don't agree with signatures as a reactive response
to most problems, rather I believe in problem response as a whole.

This class of attacks has definitely been observed since the
Korgo/Padonock days and has been going nice and steady for these rings
quite frequently. The time to discovery by AV vendors that we have
observed has been from 2 weeks, all the way to 9 months. Low
distribution, low detection, and it allows for rapid deployment. And
slight modifications in variants at such rapid deployment tend to cause
problems for AV vendors in general.


I think to sum it up, we're on the same page - the snort sigs that were
available were designed to look at trojans such as these in a general
problem response by examining the way they are packed, rather than just
the specific malware.

-Lance James


Ken Kousky wrote:
> Are we missing the point? Hope this isn't too long but here goes .....
>
> Worms and viruses spread and get found out but there's a large class of
> Trojans that don't want to be found out.
>
> The propagation vector matters a lot if we can use it as a means of finding
> malware and capturing signatures. Worms, Spam and viruses that have broad
> propagation scheme get found out pretty fast - that's the good part of their
> efforts to spread but not all malware wants to spread so recklessly. 
>
> Sometimes it's more important to remain undiscovered which is more likely
> the case in the world of Trojans.
>
> Last year IP3 focused a great deal of analysis on what we called
> Singularities - non-signatured exploits due to their low volume presence.
> This goes way beyond day zero since some reported Trojans hit day 1,000
> without being discovered!
>
>  Spam, defacement or propagation proof-of-concept worms all have been
> reasonably controlled because of their expansive propagation which leads to
> their discovery.
>
> Most economic exploits including ddos zombie nets or identity theft
> campaigns could easily continue to use these same kind of exploits, like WMF
> and are not likely to show up unless they're reckless in distributing
> phishing emails or eventually launching a worm that propagates into a
> discovery zone.
>
> The same root problems that gave rise to WMF will persist in many
> server-side applications for years to come.
>
> The point is that we may spend way too much time looking at the mass mailer
> variants and not enough time looking at the targeted and purposeful
> exploits.
>
> Remember, these exposures existed across our Microsoft platforms for over a
> decade. The exposure didn't begin with its public disclosure or patch
> release.
>
> Because gaming and pornography continue to be major revenue streams for
> online providers and because they get very little protection through law
> enforcement, even when legal enterprises, we've allowed a very lucrative
> extortion industry to thrive with individuals well paid to find these
> vulnerabilities. It's hard to believe the potential disparity in good-guy vs
> bad-guy spending on exploring for openings. 
>
> We've cataloged hundreds of buffer overflow patches over the last year alone
> that prove that virtually all enterprises have been widely exposed and have
> little or no way of knowing if anything other than a widely propagating (and
> therefore signatured) exploit has occurred.
>
> Signature filters do not fix the WMF exposure but they've done a great job
> stopping most of the propagations but it's not the whole story.
>
> -----Original Message-----
> From: Lance James [mailto:bugtraq@...urescience.net] 
> Sent: Friday, February 17, 2006 2:03 PM
> To: bugtraq@...urityfocus.com
> Cc: full-disclosure@...ts.grok.org.uk
> Subject: Re: First WMF mass mailer ItW (phishing Trojan)
>
> Gadi Evron wrote:
>
>> The first worm (mass mailer) to (ab)use the WMF 0day is now spreading in
>> Australia.
>
> Respectfully speaking:
>
> There are a few corrections to this that need to be expressed.
>
> The language you're using describing it as a mass-mailing worm is coming
> off confusing to some. The WMF exploit is actually seeded on a website,
> and the mass-mailing is used to get people to go to that site. Stating
> that it's a worm is similar to saying that phishing emails and spam are
> worms. I have seen some actual phishing worms, and this is definitely
> not it.
>
> A correction also needs to be made on this comment
>
> "Abusing websites is mostly how WMF is
> exploited, but no much in the way of emails before today."
>
>
> This is grossly incorrect - here are the dates we started seeing this
> activity:
>
> January 3rd -  WMF exploit distributing identified phishing trojan
> January 9/10th -  WMF exploit distributing identified phishing trojan
> Jan 18th/19th - WMF exploit distributing identified phishing trojan
> Jan 22nd-25th - WMF exploit distributing identified phishing trojan
> Jan 24th - WMF exploit distributing identified phishing trojan
>
>
> I can go into February but we get the point.
>
> This same phishing group works in regions, so it's not surprising that
> they are now targeting Australia. They are also targeting Europe as well
> in February.
>
> Summary:
> WMF Mass-Mailing phishing has not been uncommon, just in small
> distributions, so it may have not been seen on the radar. Since the
> public discovery of the WMF exploit, there have been a few mass-mailings
> taking users to a site that distributed WMF exploits to date.
>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
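The generic, packing-based detection Lance describes above (a signature for how a Trojan is packed rather than for the one specific sample) is illustrated by the following added Python example. It is not code from this thread and is not the Snort signatures mentioned in it. It walks the PE section table of a file and reports traits that packers leave behind: known packer section names (the UPX names are real; treating the list as complete is an assumption), near-maximal byte entropy, sections that are empty on disk but large in memory, and sections that are both writable and executable. The two PE images it examines are constructed inline as fixtures; no real malware is involved.

```python
"""Packing-based triage of PE files: detection only, says nothing about
what the payload does. Added example, not code from the thread."""
import hashlib
import math
import struct

# Section names commonly left by UPX. Assumption: the set is illustrative,
# not an exhaustive catalogue of packers.
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
HIGH_ENTROPY = 7.0  # bits per byte; compressed/encrypted data sits near 8.0

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Minimal PE section-table walker; returns one dict per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # COFF file header
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size              # section table follows optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        raw = pe[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0"), "virtual_size": vsize,
                         "raw_size": rawsize, "characteristics": chars,
                         "entropy": shannon_entropy(raw)})
    return sections


def packing_indicators(pe: bytes):
    """Human-readable reasons the file looks packed (empty list if none)."""
    reasons = []
    for s in parse_sections(pe):
        n = s["name"].decode("ascii", "replace")
        if s["name"] in PACKER_SECTION_NAMES:
            reasons.append(f"section {n}: known packer section name")
        if s["raw_size"] > 0 and s["entropy"] >= HIGH_ENTROPY:
            reasons.append(f"section {n}: entropy {s['entropy']:.2f} bits/byte")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            reasons.append(f"section {n}: empty on disk, {s['virtual_size']:#x} bytes in memory")
        if s["characteristics"] & IMAGE_SCN_MEM_WRITE and s["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
            reasons.append(f"section {n}: writable and executable")
    return reasons


def looks_packed(pe: bytes) -> bool:
    """Require two independent indicators to keep false positives down."""
    return len(packing_indicators(pe)) >= 2


def build_pe(sections):
    """Constructed fixture: minimal PE32 image from (name, raw, vsize, chars)."""
    opt_size, e_lfanew = 224, 0x40
    table = e_lfanew + 4 + 20 + opt_size
    data_start = (table + 40 * len(sections) + 0x1FF) & ~0x1FF  # 0x200 file alignment
    image = bytearray(b"MZ" + b"\0" * (0x3C - 2)) + struct.pack("<I", e_lfanew)
    image += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    image += b"\0" * opt_size                  # zero-filled optional header
    body, rawptr, vaddr = bytearray(), data_start, 0x1000
    for name, raw, vsize, chars in sections:
        image += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, len(raw),
                             rawptr if raw else 0, 0, 0, 0, 0, chars)
        body += raw
        rawptr += len(raw)
        vaddr += max(vsize, 0x1000)
    image += b"\0" * (data_start - len(image)) + body
    return bytes(image)


def _pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for a compressed payload."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed samples: an ordinary-looking binary and a UPX-style packed layout.
PLAIN_SAMPLE = build_pe([
    (b".text", b"\x55\x8b\xec" * 400 + b"\xc3", 0x1000, 0x60000020),   # code, R+X
    (b".data", b"Hello, world\0" * 100, 0x1000, 0xC0000040),           # data, R+W
])
PACKED_SAMPLE = build_pe([
    (b"UPX0", b"", 0x8000, 0xE0000080),                 # unpack target, R+W+X, nothing on disk
    (b"UPX1", _pseudo_random(4096), 0x1000, 0xE0000040),  # compressed stub data, R+W+X
])

if __name__ == "__main__":
    for label, pe in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(label, looks_packed(pe), *packing_indicators(pe), sep="\n  ")
```

The point of the threshold in `looks_packed` is the one Lance makes: a trait like high entropy on its own also fires on legitimate installers and resource-heavy binaries, so a packing heuristic is a triage signal for further analysis, not a verdict.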

