Archive for June, 2009

June's Crypto Challenge Results

June 17, 2009

June's Crypto Challenge has now come to a close and I'm glad to report that several participants were able to complete it successfully. I've posted the solution below for everyone to see, so click here if you want to try to solve the challenge without looking at the answer first.

Winners

1st – @apolkosnik 
2nd – @alecrwaters
3rd – @shftleft
4th – @RavenBlackthorn
5th – @schuetzdj
6th – @SecShoggoth
7th – @DuncanGilmore
8th – @thornmaker

Solution

Step 1: Decode Base64

NjggNzQgNzQgNzAgNzMgNjMgNnMgNnAgNnMgNnIgNzMgNnAgNjEgNzMgNjggNzMgNnAgNjEgNzMg
NjggNjQgNnAgNjQgNnMgNzQgNjcgNjUgNzQgNjQgNzIgNnMgNzAgNjIgNnMgNzggNjQgNnMgNzQg
NjMgNnMgNnEgNzMgNnAgNjEgNzMgNjggNzUgNzMgNnAgNjEgNzMgNjggMzIgMzIgMzAgMzggMzAg
NzMgNnAgNjEgNzMgNjggNjggNjkgNnIgNzQgNjQgNnMgNzQgNjggNzQgNnEgNnA=

Step 2: Decode ROT13

68 74 74 70 73 63 6s 6p 6s 6r 73 6p 61 73 68 73 6p 61 73 68 64 6p 64 6s 74 67 65 74 64 72 6s 70 62 6s 78 64 6s 74 63 6s 6q 73 6p 61 73 68 75 73 6p 61 73 68 32 32 30 38 30 73 6p 61 73 68 68 69 6r 74 64 6s 74 68 74 6q 6p

Step 3: Decode Hex

68 74 74 70 73 63 6f 6c 6f 6e 73 6c 61 73 68 73 6c 61 73 68 64 6c 64 6f 74 67 65 74 64 72 6f 70 62 6f 78 64 6f 74 63 6f 6d 73 6c 61 73 68 75 73 6c 61 73 68 32 32 30 38 30 73 6c 61 73 68 68 69 6e 74 64 6f 74 68 74 6d 6c

Step 4: Form URL

httpscolonslashslashdldotgetdropboxdotcomslashuslash22080slashhintdothtml

Step 5: View URL

http://dl.getdropbox.com/u/22080/hint.html

Step 6: Decode ASCII art using link at bottom of hint.html

Step 7: ASCII decodes to an image of a link (http://bit.ly/ciph3r). Access the link to retrieve the ancient alphabet.

Step 8: Revisit hint.html and decode the AES encrypted string. The key and other hints are hidden in the CSS.

Decoded: httpscolonslashslashdldotgetdropboxdotcomslashuslash22080slashfiledotzip

Step 9: Fix URL

https://dl.getdropbox.com/slash/u/22080/file.zip

Step 10: Download and unzip the file

Step 11: Use Spectrogram 16 (hint from CSS) to analyze the WAV file

Step 12: Decode the image from the spectral analysis with the legend found in Step 7

Step 13: Decode ROT13

graroebhf

Final Solution: Tenebrous (it was the word of the day) 🙂
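As an added worked example (not part of the original post), the following Python reproduces the first four decoding steps of the chain (Base64, ROT13, hex, spelled-out URL) and the final ROT13 step. The Base64 input is the challenge text itself; the step function names and the spelled-out-word table are my own.

```python
import base64
import codecs

# The challenge blob as posted (the four Base64 lines joined without newlines).
CHALLENGE_B64 = (
    "NjggNzQgNzQgNzAgNzMgNjMgNnMgNnAgNnMgNnIgNzMgNnAgNjEgNzMgNjggNzMgNnAgNjEgNzMg"
    "NjggNjQgNnAgNjQgNnMgNzQgNjcgNjUgNzQgNjQgNzIgNnMgNzAgNjIgNnMgNzggNjQgNnMgNzQg"
    "NjMgNnMgNnEgNzMgNnAgNjEgNzMgNjggNzUgNzMgNnAgNjEgNzMgNjggMzIgMzIgMzAgMzggMzAg"
    "NzMgNnAgNjEgNzMgNjggNjggNjkgNnIgNzQgNjQgNnMgNzQgNjggNzQgNnEgNnA="
)

# Assumed mapping of the spelled-out URL tokens used by the puzzle author.
SPELLED_OUT = {"colon": ":", "slash": "/", "dot": "."}


def step1_base64(blob: str) -> str:
    """Step 1: Base64 decode; yields space-separated hex pairs with ROT13'd letters."""
    return base64.b64decode(blob).decode("ascii")


def step2_rot13(text: str) -> str:
    """Step 2 (and the final step): ROT13 only touches letters, digits pass through."""
    return codecs.decode(text, "rot_13")


def step3_hex(text: str) -> str:
    """Step 3: drop the separators and decode the hex pairs to ASCII."""
    return bytes.fromhex("".join(text.split())).decode("ascii")


def step4_form_url(spelled: str) -> str:
    """Step 4: turn 'colon', 'slash' and 'dot' back into URL punctuation."""
    out = spelled
    for word, symbol in SPELLED_OUT.items():
        out = out.replace(word, symbol)
    return out


def solve(blob: str) -> list:
    """Run the chain and return every intermediate so each step can be checked."""
    stages = [blob]
    for step in (step1_base64, step2_rot13, step3_hex, step4_form_url):
        stages.append(step(stages[-1]))
    return stages


if __name__ == "__main__":
    for number, stage in enumerate(solve(CHALLENGE_B64)):
        print(f"stage {number}: {stage}")
    print("final word:", step2_rot13("graroebhf"))
```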

I'm going to start working on the next challenge soon, so feel free to send me your suggestions and I will factor them into the next round.


Visualizing the Twitter Trends Attack

June 11, 2009

Post Updated on 6/24/09 at 7:52 PM

For the past few weeks, cyber criminals have been targeting Twitter users by creating thousands of messages (tweets) embedded with words involving trending topics and malicious URLs.  If the URLs were accessed, the victims would arrive at a rogueware website designed to trick them into thinking that their computer is infected, therefore justifying the need to purchase the fake software offered.

Since the initial discovery, we have been keeping a close eye on this attack, but the malicious tweets continue. From June 2nd to 3rd we noticed over 3,000 of these malicious tweets (actually, the number is a lot higher than 3k because we only tracked the main abuse site and excluded the shortened URLs from the initial search). On June 6th, the main site was taken offline and the attack shifted from Adware/PrivacyCenter to Adware/FastScan. On June 23rd, the fake screen saver website appeared.


Update

http://www.twitter.com/lithium

In the last 48 hours we have observed over 54,000 malicious tweets on Twitter.

We have been working tirelessly with various URL shortening services, in conjunction with Blogspirit, Bloglines, and Twitter, to get these malware sites and accounts taken down as soon as possible. The attack has subsided for now, but it's not going to go away. Understand that we are witnessing the evolution of Blackhat SEO right in front of our eyes. In the past, the cyber criminals had to wait for search engines to index their malicious content. This meant that they could not take advantage of 100% real-time trends. With an open communication tool and a readily available API, cyber criminals are now able to prime their SEO campaigns in real time via Twitter. At the same time, they also generate the same old BHSEO campaigns on the search engines. Evidence of this was first shown in our earlier posts on a tandem attack on Google search results and Twitter (http://bit.ly/XSwBS, http://bit.ly/lFde3). Luckily, Twitter's problem is easier to fix than the problem with search engines, which must rely on search algorithms. Since Twitter has not publicly acknowledged the situation, we'll just have to wait and see what they do.


Current targeted phrases:

Outlook 2010, Spain, HTC-Touch, Korea, Argentina, Transformers 2, Perez Hilton, Ed McMahon, #iranelection, free, invites, fake, girls, follow, blackout, control, tehran, Fathers Day, Fake Twitter Invites, WordPress 2, Fallon, Top Chef, Tila Tequila Live, AT&T, Limp Bizkit, Sytycd, iPhone, Adam Lambert, Wipeout, Holocaust Museum, Miss California, Claim your Facebook, Squarespace, Lakers, NBA Finals, Zack Morris, addict, video, trailer.

Tag Cloud:

Malicious Tweet:


Malware distribution sites: (Updated 6/24/09 6:57 PM)

Bloglines page

Blogspirit page

Fake screen saver website (Adware/FastScan)

Fake codec website

Fake scan site

Adware/FastAntivirus download site

File: Adobe-Flash-Player-Upgrade-Pack_125.exe

File: Setup_build6_27.exe (MD5: efe9ddbea8bd71fdfee44d44811e4695)

Installer: Adware/FastAntivirus

Visualization: (Updated 6/24/09)

Blue = Twitter Account
Yellow = Tweet

2 hour capture of malicious tweets (Updated 6/24/09 6:57 PM)

Zoom in: Visualization of Twitter Trend Attack

The ease of carrying out this type of attack leads us to believe that this will not go away anytime soon. We're all going to have to work together in taking these threats down, and the good news, in this case, is that I have already received a response from the abuse team at TinyURL and they have responded by killing the redirections on their end. Now all we need is for everyone else to start working together and we'll be able to take these dangerous accounts down sooner!

More rogueware campaigns on Twitter…

June 5, 2009

Again cybercriminals are using the Trending Topics to spread rogueware. In this case the Trending Topic is David Carradine:


When you click on the links you go to this website:


Or this one:


Or many other similar ones. And in the end you will have installed Adware/PrivacyCenter:


Cyber Criminals Exploit Drupal CMS to Distribute Malware

June 4, 2009

In a previous post, I stressed the importance of updating web applications frequently. Cyber criminals are always on the lookout for newly exploitable distribution methods and will go to great lengths to take advantage of any website. It may not be widely known, but web application vulnerabilities pop up just as frequently as software or operating system vulnerabilities do.

If you are using dynamic web applications, such as Content Management Software, E-Commerce or blogging software, then it's especially important to make sure that those applications are always up-to-date with the latest security patches. If you don't, not only do you put your viewers at risk for possible SQL injection related infections, but you also open up to the possibility of a data breach, which can leak all kinds of sensitive data out to the hands of cyber criminals.

Today, I came across a State University website which was running a vulnerable version of the popular Drupal CMS software. The site was exploited by cyber criminals and over 3600 links were injected and indexed by Google in less than 10 hours of exploitation.

Search Results:

Malicious Site:

If any of the links are accessed, the user is put through a series of redirections to various Rogueware sites where the user is told that their computer is infected and prompted to install a file called onlinescan.exe, which we detect as Adware/PrivacyCenter.

Two years of Collective Intelligence

June 4, 2009

I still remember the very first meeting where we started talking about the cloud three years ago. It was 2006, a sunny day, and a few of us were meeting in a room on the 7th floor of our old building. Mikel Urizarbarrena, our founder, started talking about the evolution of the Internet, and how we could take advantage of it to improve our customers' protection level. Many buzzwords like Web 2.0 started floating around, and I was reminded of the first time we talked about TruPrevent, back in 2002… so it was going to be something big 🙂

From the lab's point of view, we were already overwhelmed with an increasing and non-stop flood of malware at that time. Nothing new: the amount of malware was doubling every year, and even though the cloud had some issues (and still has, because there is no perfect technology) it was a smart approach to solving the different problems we were facing at that time (adding a huge volume of detections, faster updates, etc.). Furthermore, we saw an early opportunity to use the cloud for some exciting stuff:

– Adding some self-developed technologies that could not otherwise be run on a user's computer.
– Detecting good files (aka goodware).
– Using new approaches to detect malware (contextual information, correlation of different behaviours).

At the time, one of our major concerns was that a lot of people were infected even if they were supposed to be protected, and even worse, they didn't know that they were infected. So we started building up what we now call Collective Intelligence 1.0, a database with all the knowledge we had about malware. At the same time we were developing a proof-of-concept in-the-cloud scanner (code name: Nanoscan) to validate that our feeling about infection rates was right, and to test the cloud technology and confirm it was worth the effort.

A few months later we released Nanoscan. It was light (~300kb), and it could scan the different processes the computer was running at the same time as the scan. Collective Intelligence back then was not able to run all the technologies we had in the lab, but it was good enough to show us what was happening out there. And as far as we know it was able to detect more malware than any antivirus product (including Panda!) since no one else had this kind of technology integrated in an antivirus. Another nice feature in Nanoscan was that it queried the Windows Security Center so we could know if there was an antivirus installed, which one it was and whether it was active and updated. We gathered data for a couple of months (a few million computers scanned) and the results were as bad as we had feared: 23 percent of the computers scanned that had an antivirus running and updated had malware loaded in memory. It didn't matter which antivirus it was, every vendor had many infected users: McAfee (24%), Panda (15%), Symantec (23%), Trend (17%), etc. We wrote a paper about this, which you can download here.

At that moment we decided that we had to move forward and develop Collective Intelligence. And we did. Later we launched the 2009 products, the same kind of products we had in the past but capable of connecting to the cloud when running an on-demand scan, as well as in the perimeter real-time protections. A few weeks ago we launched Panda Cloud Antivirus, a brand new product we created from scratch, which is basically the first antivirus thin client from the cloud.

So now it's the 2nd anniversary of Collective Intelligence, and I have been playing around with the numbers, which are huge:

– Over 26 million malware samples
– Over 900,000,000,000 records in the database
– Over 18 TB of information (now you can see why we don't create a signature file with this 😉)

Some curiosities:

– Sending all the data through a regular DSL line would take 3 years.
– If we wrote all the data down on paper, it would be equivalent to 727,373 copies of the Encyclopaedia Britannica.
– If we laid all those sheets of paper end to end, we could walk to the moon and back… 12 times!

We have published a nice video about Collective Intelligence on YouTube.

Rogueware campaign on Twitter continues…

June 4, 2009

The Twitter Trends based attack we blogged about yesterday has expanded from just one trend to nearly all of them!   Over the past 24 hours, there have been several thousand tweets targeting trending topics on Twitter and the numbers continue to rise. 

@lithium

Example Tweets:

Malicious Tweets

As you can see from the example tweets, the cyber criminals are targeting Twitter trends in real time. I went ahead and captured every tweet up until about 8PM tonight and put together a Tag Cloud so that you can see which terms were targeted most frequently.

Tag Cloud

Clicking on any of the links will put you through a series of redirects, at which point you will arrive at a website prompting you to install a fake Adobe Flash plugin (flash_player_plugin.exe).  If the so-called “plugin” is installed, then the computer will be infected with Adware/PrivacyCenter.

Malicious Site

The emergence of this type of threat distribution method demonstrates how cyber criminals are adjusting and evolving to the newer services offered on the Internet. It's especially dangerous with sites like Twitter, which offer up-to-the-second updates (or live tweets) of events as they unfold in real time. In the future, sites which promote an unfiltered and open dialog through a global hive of users will have to think twice about the potential threats exposed by the features or even API services that they offer.

Cyber Criminals Target Air France, YouTube, E3, Microsoft, Project Natal, and more…

June 3, 2009

It seems like these days every other news breaking story is paralleled with a similar Blackhat SEO fueled Rogueware campaign. Today, Luis Corrons and I were talking about Microsoft’s recently announced Project Natal when his Google search for a video of the technology in action turned out to place a malicious link in the very top of the search results.

Connection: (Google to Rogue)


**UPDATE** 6/04/09 –

16,000 new malicious links have appeared in Google over the last 24 hours targeting the phrase "TV Online". The malicious site appears to be a video viewing website. It will prompt you to download and install a codec.exe file, which of course is a malicious file.


Knowing that this link wouldn’t be the only one, we started researching the domains and keywords being targeted and here is what we found:

Keywords:
16,000 links targeting "TV Online"
16,000 links targeting "YouTube"
10,500 links targeting "France" (Airline Crash)
8,930 links targeting "Microsoft" (Project Natal)
3,380 links targeting "E3"
2,900 links targeting "Eminem" (MTV Awards/Bruno Incident)
2,850 links targeting "Sony"

The sites are all hosted via Lycos Tripod, which is a free web host. This allows the cyber criminals to create thousands of free sites to take advantage of the Blackhat SEO and then simply redirect the free sites to just a handful of their own servers.

Blackhat SEO is definitely one of the most prevalent threat distribution methods today. We expect to see several more examples of this type of attack throughout the year, so be especially careful when searching for news breaking stories.

All of the links associated in this attack have already been blocked for Panda users.

Rogueware Campaigns blending in with Twitter Trends

June 3, 2009

Update: 6/4/09 – Rogueware campaign on Twitter continues…

"PhishTube Broadcast" became a trending topic on Twitter today. The word “tube” is a big red flag to any Threat Researcher these days, so naturally I had to investigate it.


I clicked on the section inside of the trending topics group and ironically the links in the tweets looked fishy.

I started to investigate further and found that while there was definitely legitimate tweet traffic for the band Phish, several zombie accounts were posting hundreds of strange and highly suspicious messages. Eventually the links led me through several redirections and finally to PornTube malware websites.

Connections/Redirects leaving Twitter:


Clicking on any element inside of the PornTube page resulted in a run-of-the-mill Adware/PrivacyCenter infection, but the interesting part of it all is that cyber criminals are starting to target social networking sites more than ever. In this case they took advantage of the open dialog on Twitter and essentially blended in with the trending topics in order to effectively trick unsuspecting users into clicking malicious links. This technique is strikingly similar to the Blackhat SEO tricks criminals use on search engines to place their malicious links at the top of search results.


Crypto Challenge

June 2, 2009

Those of you who already follow me on Twitter know that every once in a while I throw together a quick, geeky puzzle for everyone to solve. After my last challenge, a few people asked me to make the next puzzle a little bit harder to solve. This meant including a few more steps and throwing in some visual elements as well.

The top 10 people to direct message the solution to me on Twitter win a prize. Contest ends on 6/15/2009.

I hope you all have as much fun cracking it as I did putting it together! 🙂

NjggNzQgNzQgNzAgNzMgNjMgNnMgNnAgNnMgNnIgNzMgNnAgNjEgNzMgNjggNzMgNnAgNjEgNzMg
NjggNjQgNnAgNjQgNnMgNzQgNjcgNjUgNzQgNjQgNzIgNnMgNzAgNjIgNnMgNzggNjQgNnMgNzQg
NjMgNnMgNnEgNzMgNnAgNjEgNzMgNjggNzUgNzMgNnAgNjEgNzMgNjggMzIgMzIgMzAgMzggMzAg
NzMgNnAgNjEgNzMgNjggNjggNjkgNnIgNzQgNjQgNnMgNzQgNjggNzQgNnEgNnA=