A Friend's Blog Got p0wnd

I spent a good part of today investigating a javascript injection that a friend of mine suffered on his personal blog site. It turned out that this is nothing more than a typical adbot/scriptjacking malware infection. The actual injection code is an obfuscated iframe that tries to download a HTTP browser attack tool. The code is inserted in the page build (usually via the wordpress function framework, the style-sheet or even maybe a rogue module) and looks something like this:


The obfuscation resolves to a call that pulls a source script from a website hosted at add-block-filter.info and by then tries to either retrieve stored passwords & cookies or hijack open webpages. More generally targeting e-mail services to send out spam ( your typical adbotnet behaviour).

Tracking back the domain name, it came back to a know malware pusher 7addition.info/8addition.org. So in most likelyhood a new variant of script injection attack whish is picked up & revealed a known trojan downloader javascript iframe infection (at least reported by a few AV vendors e.g: trojan-downloader.js.iframe.ah). In this case, the trojan goes on to contact 2 other malware sites at firstgate.ru & benyodil.cn whom in turn download 3 additional malware infections to continue the pownage:

• a malicious flash file which is in fact a download exploit (e.g: Exploit.SWF.Downloader.ks);


• another html based script which is fact a trojan download agent and also sends out spam asking you to visit a site or click on a video link(e.g: Trojan-Downloader.HTML.Agent.np);


• and finally, a packer javascript html agent which installs a BHO (browser helper object) that turns off the firewall and other windows services (e.g: Packed.JS.Agent.ad).

That's as far as I went with the malicious activity...

Before investigating, my friend and I exchanged a few messages regarding him being p0wnd. He was trying to figure out what had been the root of his infection. Although he blames it on a combination of Twitter/Hotmail and a few other sites, seeing the root of the malicious software that gets pushed I would say that he original got hit from visiting an already infected site or from clicking on some weird website with flash videos (he does love to visit those). Interestingly enough, I think I can track back part of his problem to the 13th of march or a few days before. At that time I received an e-mail from him that was unusual:

I didn't really pay attention to it but maybe should have and warned him at that time of the possible hijacking of his info. He learnt a few things (like not using the same password for his different services). I learnt for myself that when I see a friend sending a weird message to me to get on the ball and warn him/her.
Some more advice I offered is to:

1. Update with regularity his personal blog framework;


2. Recommend also to be careful about using the remember me option on some of these websites as the stored cookies give these clickjack malware a fair bit of leverage.

In These Times, Can You Protect the Business From Insider Threat

This post & thoughts are a reflection on my experience and years of dealing with the problem of identity management and how to relate a user versus his roles and responsibilities in the IT infrastructure and how this affects the departure processes (or exit procedures).

As the economic recession goes into it's darkest times, businesses are making the hard choice of letting people go. The IT organisation is typically an area were decision makers take the opportunity to trim the fat. However an important part of decision making process, that can be easily overlooked, needs to be a good understanding of the risk involved in letting go of certain categories of IT staff and how their roles and responsibilities can potentially create a serious exposure footprint.

Why would HR & the security officers need to establish this risk analysis? The simple answer is that businesses need to ensure that staff who potentially hold the keys to the kingdom are not irate when they leave. The risk here is that an irate ex-employee with key information to be able to access the infrastructure may be tempted to take action in frustration or revenge. This unfortunate (and let me be clear sometimes illegal) type of action potentially involves damage that can range anywhere from serious data leakage to denial of services hampering a company's ability to do business.
A few examples scenario of a departing IT staff's role versus what they can do could involve:

• A network engineer (remember the San Francisco city network incident) who has extensive knowledge of the network configuration and holds some of the common super-user password could place back-doors allowing him to later bring down the network, redirect traffic out of the corporate network releasing sensitive information, or even using the network as a way-point for other types of illegal activities.


• How about a server system administrator who has local administrator access to boxes and can place a backdoor allowing for remote acces and thus the ability to grab information or even stop critical business applications.


• But even more critical (at least from my experience) is surely a security engineer, the knowledge of the security profile and accesses that have been made available to that profile makes this the highest risk footprint. To do the job, he/she has gained knowledge that renders the infrastructure critically vulnerable.

So the question that begs to be said out-loud is can a company avoid any issues?

The real protection that a company can achieve is to have a comprehensive identity management process and tool. Identity Management [IdM] is about a lot more than just being able to determine who works in the company which unfortunately is the baseline thinking or the minimal implementation that gets carried out. It's also about being able to link a person to his/her role and authorizations. A well implemented IdM process and infrastructure will ensure that a person in the organization has a well defined role. That well defined role will correctly identify his/her authorizations and access rights. The ability to correctly define those authorizations provides a safeguard and a well-defined means to not only properly implement an exit procedure but also help evaluate a risk profile based on that persons footprint in the organization. The well-defined profile will ensure that the user is correctly matched to the tools & resources required for the job: no more, no less. This same correlation can then be used in the exit procedure to quickly identify and revoke all accesses. There are of course many more benefits for day-to-day operations to a complete IdM environment but that may be the subject of an alternate post.

The simplistic answer or quick fix if a comprehensive IdM is not in place is to make sure that the person leaves on good terms. The important part is to evaluate the risk versus the cost versus the potential loss. Unfortunately that is a short term strategy and somewhat impractical.

Related Links

• Protect Yourself from IT Staff Abuse: How to Manage Privileged Identities


• Security Experts Weigh In on Insider Threats


• Suspect In Hijacking Of San Francisco Computer Network 'Willing To Cooperate'


• Identity management takes on new shape, importance


• Drunken BOFH wreaks $1.2m in Oz damage


• Risky Business #99 — H D Moore rang… 4500 times [during the podcast guest interview they also cover this subject]


• Sony execs detained by workers over severance pay [not really related to the issue being discussed but reflecs on the current mode]

Using TweetDeck's Features

Following a pleasant feature review (or how-to) of TweetDeck by Cali Lewis on GeekBrief.TV ep.517, I figured it was about time to actually sit down and fully investigate the different functions in the utility and did so this weekend.
I've been using TweetDeck for quite a few months now from time to time (I alternate with Twhirl) and was only really using it with some of the default columns :- all friends, replied, directs.

From time to time I also used twitscoop and in rare occasions would also run a search. For what it's worth that basic mode in itself is a very functional Twitter interface with the benefit of quickly allowing you to see the tweet feed plus tweets where you are mentioned. That's about it for the TweetDeck features :- this post is about some new features rather than a review.

The function that intrigued me during Cali's how-to was the groups ability. With it, you can group different Twitter accounts into one column. I follow a number of tech & general news magazines/webzines that use Twitter as a form of notification. The group functionality allows you to put these all together for quick identification and review. I set this up and a couple of others (tech products, security & close friends tweets).
After running TweetDeck for a few days like this, my conclusions are that it's useful and interesting but... (the buts are related to the following two points):

• you need a really wide monitor (on my laptop this is inconvenient as you spend much time scrolling in all directions);
• it hasn't given me and noticeable benefits in the way I look at tweets! The main reason for this is that I tend to speed read through most Internet chatter/info and focus on the points that catch my eye or raise a flag. I can do this quite easily and efficiently in the general all friends feed. This however could be a side effect of the lack is screen realestate.

I'll continue to use these features especially on my gaming rig with the big monitor where it will give me a better vision of things. On another note here, it would be nice to have a save/transfer settings feature.

I am still stuck on one point with TweetDeck and that is that I am unable to find and easily follow a new Twitter. I am sure it is there somewhere but just not that obvious (at least from my PoV). It will be interesting to watch it evolve.

Related Links:

• TweetDeck
• Twhirl
• GBTV epsiode 517
• My profile on Twitter