10.11.2009

[Scam Discovery Tour'09] - Week II - Facebook and their bad bad security practices!

Today I found something interesting which gives the ability to spread malicious messages over Facebook: an XSS vulnerability in combination with a redirecting bug. Well, this isn't anything new; we all remember Koobface. But now? Did Facebook close at least some of their known holes? Did Facebook add more security to protect their users? Answer: NO, they did nothing!

I'm really wondering how stupid the Facebook developers must be not to have learned from past Facebook security issues, especially Koobface. Somehow the XSS holes used by Koobface haven't been fixed, and even a redirecting bug existing on Facebook hasn't been fixed for months now.


Here is a screenshot of a mail I received today:


A legit private message from a real contact on my Facebook profile just arrived. After having a closer look at the previously legit-looking URL, I noticed a quite old redirecting flaw in Facebook being used here. The flaw was used by Koobface months ago. But wait... it still works?? What's up with the Facebook devs? Security? Nothing?




Clicking the link in a sandboxed Firefox environment gives me a Facebook scam page with tons of drive-bys in the background and a scam telling me that I need a new Flash player (Setup.exe), shown above. The malicious binary is probably a variant of Koobface.


Summary: I'm really fed up with Facebook developers and their security principles. It seems like a kids' playground to me, and they seem to care more about money than about protecting their users.

02.11.2009

[Scam Discovery Tour'09] - Week I - "Case Steampowered.com"

Hello everybody!
I decided to start a scam discovery tour in the month of November, where every week an online scam found by myself will be dissected and reported to the vendors. In this post I describe a Steam phishing scam which leads to a German account store and was discovered recently by myself.



I received a mail claiming to be a legit message from the Steam Account support in one of my honeypot e-mail boxes. The cyber-criminals use an XSS vulnerability in cafe.steampowered.com to inject their malicious JavaScript code.






Their malicious JavaScript code allows the criminals to inject an IFrame into the original page.






The mails seem to be sent from a hacked server or webhost.





The injected fake page looks like the following.
This page allows them to directly grab the user's input.





The cyber-criminals also host their own account store on the same
server. The shop provides an illegal marketplace for stolen accounts.






Their server is located at a bulletproof hosting provider which is also known for supporting many other cyber-criminal activities such as illegal marketplaces, phishing and botnet C&C hosting.

06.10.2009

Complexity of Passwords

Every now and then security researchers stumble over a database which holds user data like account names and passwords. Amazingly, each and every time the passwords seem to be the same when analysed. This time Tõnu Samuel found such a database and counted the passwords. While he tried to spot differences between male and female password choosing habits, for me the most interesting part is the overall view. The top ten passwords are:

Password      Gender   Occurrences
123456        M        17601
password      M        4545
12345         M        3480
1234          M        2911
123           M        2492
123456789     M        2225
123456        F        1885
qwerty        M        1883
12345678      M        1791
              M        1489

So the best guess for a user password is still 123456. This isn’t coincidence – just take a look at the ‘Top 500 worst passwords of all time’.
When it comes to choosing a password, you should always have such statistics in mind. Also dictionary attacks are quite usual – with all permutations like word combination, backwards spelling, capital letters in all positions, ‘leet substitution’ (31337) and also adding numbers.

A good password doesn’t contain words that you can find in a dictionary. Try to take the first letters of the words of a sentence that you can remember. Make some of them capital and add special signs and numbers. An example: ‘My two Children are getting up at 7 a.m. in the morning.’ could result in ‘M2Cagua7amitm’. There are still special signs missing, but you get the point. This password is also long enough to make brute force or rainbow table attacks less likely to be successful.

Source:   http://techblog.avira.com/2009/09/15/proper-passwords/en/
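As an added example (not code from the Avira article or this blog), a Python checker that normalises a candidate password the way the dictionary-attack rules above do (lower-casing, stripping added numbers, undoing leet substitution, reversing) before comparing it with a constructed weak-password list drawn from the table:

```python
import re

# Constructed weak-password list: the top entries from the table above plus a
# few dictionary words. A real deployment would load the full "Top 500" list.
COMMON_PASSWORDS = {
    "123456", "password", "12345", "1234", "123", "123456789", "qwerty",
    "12345678", "letmein", "monkey", "dragon", "football", "secret",
}

# Undo the "leet substitution" the article mentions (31337 -> eleet).
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})


def candidates(pw: str) -> set:
    """Forms a rule-based dictionary attack would try: lower-cased, with
    leading/trailing numbers and symbols stripped, leet-decoded, reversed."""
    forms = {pw.lower()}
    forms |= {re.sub(r"[^a-z]+$", "", f) for f in forms}   # numbers added at the end
    forms |= {re.sub(r"^[^a-z]+", "", f) for f in forms}   # ... or at the start
    forms |= {f.translate(LEET_MAP) for f in forms}        # 31337 -> eleet
    forms |= {f[::-1] for f in forms}                       # backwards spelling
    return {f for f in forms if f}


def check_password(pw: str, min_len: int = 12):
    """Return a reason string if the password is weak, otherwise None."""
    hits = candidates(pw) & COMMON_PASSWORDS
    if hits:
        return "matches common password '%s' after normalisation" % sorted(hits)[0]
    if len(pw) < min_len:
        return "shorter than %d characters" % min_len
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if sum(1 for c in classes if re.search(c, pw)) < 3:
        return "uses fewer than three character classes"
    return None


if __name__ == "__main__":
    for pw in ("123456", "P@ssw0rd123", "drowssaP", "M2Cagua7amitm"):
        print(pw, "->", check_password(pw) or "ok")
```

The sentence-derived password from the article passes the length and class checks, while a leet-ified or reversed dictionary word is still caught.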

10,000 Stolen Hotmail Passwords

Microsoft acknowledged that the passwords of 10,000 Hotmail, MSN and Live users leaked onto the Internet. Microsoft's research led to the result that the account data – mostly of European users – was gathered by criminals via phishing.

According to the Windows Live Blog, Microsoft has closed down the leaked accounts; the list with the passwords is also no longer available. Affected users should fill out a form to reclaim their account. The company also recommends some security measures in their blog entry to avoid successful phishing.

Another recommendation is to change the password in any case – Microsoft advises changing it every three months.

28.09.2009

China's Firewall blocks TOR Nodes

On September 25, 2009, the GFW (Great Firewall) of China started blocking the public list of Tor relays and directory authorities by simple IP address blocks. Currently, about 80% of the public Tor relays are blocked by IP address and TCP port combination. Tor users can still connect to the network through bridges. At the simplest level, bridges are non-public relays that don't exit traffic but instead send it on to the rest of the Tor network.

SMB2 Remote Code Execution Exploit published!

The announced remote code execution exploit, developed from the SMB2 DoS proof-of-concept recently found by Laurent Gaffié, was published two hours ago in Metasploit's SVN trunk by HD Moore.

Check it out at the Metasploit Subversion Page.

Please remember to secure your Vista / 2k8 (without R2) and W7 RC clients until Microsoft publishes an update. Check the Microsoft Security Advisory site for more information on how to secure machines.

At the moment the exploit only works with the Meterpreter back-connect payload. Download & Execute, bind shell and cmd_exec do not work.

18.09.2009

Google Groups Used To Control Botnets

Symantec discovered a C&C (command & control) structure on private Google Groups pages. From the Symantec blog the following quotes are available:

Maintaining a reliable command and control (C&C) structure is a priority for back door Trojan writers. Recent developments have included the utilization of Web 2.0 social networking websites to deliver commands. By integrating C&C messages into valid communications, it becomes increasingly difficult to identify and shut down such sources. It's a concept very similar to that of chaffing and winnowing. Symantec has observed an interesting variation on this concept in the wild. A back door Trojan that we are calling Trojan.Grups has been using the Google Groups newsgroups to distribute commands. Trojan distribution via newsgroups is relatively common, but this is the first instance of newsgroup C&C usage that Symantec has detected.
It’s worth noting that Google Groups is not at fault here; rather, it is a neutral party. The authors of this threat have chosen Google Groups simply for its bevy of features and versatility.
The Trojan itself is quite simple. It is distributed as a DLL, and when executed will log onto a specific account:
Escape[REMOVED]@gmail.com
h0[REMOVED]t
The Web-based newsgroup can store both static “pages” and postings. When successfully logged in, the Trojan requests a page from a private newsgroup, escape2sun. The page contains commands for the Trojan to carry out. The command consists of an index number, a command line to execute, and optionally, a file to download. Responses are uploaded as posts to the newsgroup using the index number as a subject. The post and page contents are encrypted using the RC4 stream cipher and then base64 encoded. The attacker can thus issue confidential commands and read responses. If no command is received from the static page, the infected host uploads the current time.
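As an added example, not code from Symantec or from the bot itself: an analyst-side decoder for the posting scheme described above (RC4 stream cipher, then base64), with a constructed key and message and an assumed newline-separated command layout, since the article gives neither:

```python
import base64

# Constructed values for the demonstration; the real key and message layout
# of Trojan.Grups are not given in the article.
KEY = b"constructed-demo-key"
SAMPLE_PLAIN = b"7\nipconfig /all\nhttp://example.invalid/update.bin"


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encryption and decryption are the same step."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decode_post(key: bytes, post_body: str) -> bytes:
    """Reverse the described encoding of a page or post: base64 -> RC4 -> plaintext."""
    return rc4(key, base64.b64decode(post_body))


def encode_post(key: bytes, plaintext: bytes) -> str:
    """Forward direction, used here only to build the constructed fixture."""
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


def parse_command(plaintext: bytes) -> dict:
    """Split a decoded page into index number, command line and optional download.
    The newline-separated layout is an assumption, not the real bot's format."""
    fields = plaintext.decode("utf-8").split("\n")
    if len(fields) < 2 or not fields[0].isdigit():
        raise ValueError("not a command page")
    return {"index": int(fields[0]), "cmdline": fields[1],
            "download": fields[2] if len(fields) > 2 and fields[2] else None}


# Constructed post body as it would appear in the newsgroup.
SAMPLE_POST = encode_post(KEY, SAMPLE_PLAIN)

if __name__ == "__main__":
    print(parse_command(decode_post(KEY, SAMPLE_POST)))
```

Feeding captured post bodies through decode_post with a key recovered from the sample is what turns the base64 blobs into readable task lists for incident analysis.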