<body>

Sunday, October 22, 2006

Got some spare time? Let's do some (anti)phishing together

I'm going to make use of the unexpected and sudden increase in traffic on this blog, due to my previous post, to talk about a volunteer project that I've been doing in my spare time.

The volunteer project that I'm talking about is the Phishing Incident Reporting and Reporting Squad, or PIRT as it is more commonly known.

What this project does is vet each and every submission of a potential phishing site or scam mail, and prepare the necessary information for ISPs, hosting providers, NIC handlers, CERTs, the commercial entities that are being faked, and/or other organizations that need to gather such reports for takedown or legal proceedings.

The gathering point for PIRT is on CastleCops, and it is the first public, volunteer-based antiphishing community. The handlers are friendly, and training is provided to help newcomers get up to speed in determining whether a site is a phish/scam/exploit/spam or not.

As I go through the submissions and gather the necessary information for the reports, I've increased my knowledge of how such exploits work, the usage of network tools, and the ways that hosting sites are exploited or hacked to host such pages. I believe that's the case for the rest of the handlers too.

Though not a primary focus of PIRT, the queue does get submissions of direct links to malware. Due to my concern as the admin of the release scanning system, I do gather such samples and forward them to the AV vendors for their detection (if they are not being detected at the point of investigation).

Recently, PIRT hit 10,000 submissions to Netcraft. Though it is indeed a good landmark to hit, it's also a bad reflection of what end users are facing on a day-to-day basis.

It's also an indicator of the number of daily submissions to PIRT. Though the current handlers are doing their best, the ever-increasing queue makes one feel like a member of the Rohirrim defence in Helm's Deep while overlooking the oncoming army of Saruman's Uruk-hai!

Chances are, you will get a phish mail at least once in a while. Even if you do not have the time or knowledge to join the handlers, you can still send the phish mails to PIRT for the folks to take care of. You can also forward the phish mail to pirt (AT) castlecops.com.

By doing either of these actions, you will be helping to reduce the chances that another fellow Internet user will be scammed by the phishing sites.

To borrow a line from Eric Cartman in Make Love, Not Warcraft, as he was gathering support from his buddies to fight against the one with no life: "You can just hang around... or you can sit at your computer and do something that matters."

I think it applies in this case too. 8)

For more info about PIRT, check out the CastleCops wiki.

Tuesday, October 17, 2006

Where's your class? Your integrity?

Heard about the portable video and music device that came preinstalled with a virus?

Instead of focusing on how and why it was even included in the first place, the company that published a series of video ads, including this one, actually tries to divert the blame onto the Windows platform!

It's not a matter of which platform the virus originated on. The fact that it was found on the portable player means that there's an issue with how the quality checks, specifically the content check, were done. This also indicates that during the manufacturing cycle, the base device from which the image was duplicated to the other devices in the manufacturing run was connected to a PC that most probably did not have, and I quote their press release, "up to date anti-virus software which is included with most Windows computers".

The press release also shows a lack of awareness of how malware works. Focusing on the filename, instead of the actual malware info, might confuse the owners of both the media player and the antivirus program of the same filename!

Is it now open season for Zune to come up with their own ad to highlight this incident, as a direct response to the video ad?

Taking this into perspective, McDonald's in Japan encountered a similar incident just a few days earlier as well.

Indeed, they published a press release (via Babelfish or Google Translate), apologized for it, and did not insinuate that Windows was the cause of their issue.

Furthermore, they provided a very specific fix to their issue, compared to a general set of linkages to trial and/or free versions of anti-virus scanners.

Steve, if you need someone to advise on how to improve your quality checks, feel free to contact me 8).

As I was writing this post, I found that Ed Bott did a similar post as well.

Update (10/17) : Randy did a similar post too on Eset's Threat blog. It's almost 100% exactly the same as my post here, which shouldn't surprise those that know both of us as we have the same experience in managing the same scanning system.

Another Update (10/19) : Added a little clarification on the second paragraph. I did not mean that the company published the ad as a response to this incident. I meant that the company had previously published the ad as part of their campaign. It's common knowledge that these ads were published and promoted a long while ago. I do appreciate the comments. Thanks!

Yet Another Update (10/19) : Sunbelt, and many other AV vendors, on the Ravmone.exe trojan.

Monday, October 02, 2006

Detecting test files

Recently, I came across a set of files that were flagged by only one of the AV products as being possibly malicious, specifically as a trojan.

Since these were executables, I was able to use the sandbox technologies, Norman and Sunbelt among others, to try to figure out why these files were triggering the flag.

The sandbox output from the above tools didn't show anything malicious in the executables, even with my low level of assembly language knowledge.

I also used VirusTotal and Jotti's malware Scan to get the scanning results from scanners that I do not use, and the results were the same. Only one of the scanner sets (the same one that triggered my initial analysis) on both sites flagged the files.

I then loaded the files into a Virtual PC session, launched filemon/netmon/regmon and other similar tools, and found nothing that indicated typical malicious behavior.

After doing these analyses, and it was truly a "DUH" moment, I re-examined the scanner log file.

Next to the flag of trojan was an additional note of testfile. In the log, it was shown like this (format changed somewhat below):

xxx.exe - a possible trojan--testfile

This led me to switch my train of thought. Assuming that these were indeed correct flags by this one single product, could these files be created to show that the product can detect the set of files, and that the product (at least its detection) works? Think of it as a scanner's own version of the Eicar test file.

I have not verified whether these are indeed files created for this purpose, but assuming that they are, what does this set of files truly represent? Probably, in the hands of the marketing folks of that product, it could be used as a demonstration of how good the product is, no matter how one-sided it is.

Would these files be eventually detected by other antimalware products? Why would they do so? If they do not, would that just add ammunition to this company's salesforce?

In the hands of the uninformed, would the testing results be skewed unfairly to one product vs the others?

Don't we have enough confusion already?
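The lesson of this post, reading a detection's annotation and counting how many scanners agree before spending time on dynamic analysis, can be sketched as a small triage helper. This is an added example, not code from the original post: the line format is assumed from the single log line quoted above (which the post says was altered), and the scanner names, file names and verdict strings are constructed.

```python
import re
from collections import defaultdict

# Assumed line shape, modelled on the one line quoted in the post:
#   <file> - a possible <category>[--<note>]
LINE_RE = re.compile(
    r"^(?P<file>\S+)\s+-\s+(?:a\s+)?possible\s+(?P<category>[a-z]+)"
    r"(?:--(?P<note>[a-z]+))?$",
    re.IGNORECASE,
)

def parse_line(line):
    """Return (file, category, note) or None if the line is not a detection."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    note = m.group("note")
    return m.group("file"), m.group("category").lower(), note.lower() if note else None

def triage(logs):
    """Map each flagged file to a next step, given {scanner name: [log lines]}."""
    hits = defaultdict(dict)  # file -> {scanner: note}
    for scanner, lines in logs.items():
        for line in lines:
            parsed = parse_line(line)
            if parsed:
                name, _category, note = parsed
                hits[name][scanner] = note
    verdicts = {}
    for name, by_scanner in hits.items():
        if len(by_scanner) > 1:
            verdicts[name] = "multi-vendor detection"
        elif "testfile" in by_scanner.values():
            verdicts[name] = "ask vendor: possible test file"
        else:
            verdicts[name] = "single-vendor: analyse dynamically"
    return verdicts

# Constructed sample logs; scanner and file names are placeholders.
SAMPLE_LOGS = {
    "scanner_a": ["sample1.exe - a possible trojan--testfile",
                  "sample2.exe - a possible trojan",
                  "sample3.exe - a possible worm",
                  "scan finished, 3 objects flagged"],
    "scanner_b": ["sample3.exe - a possible worm"],
    "scanner_c": [],
}

if __name__ == "__main__":
    for name, verdict in sorted(triage(SAMPLE_LOGS).items()):
        print(f"{name}: {verdict}")
```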
