Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC InfoSec Handlers Diary Blog



Bad url classification

Published: 2008-07-07
Last Updated: 2008-07-08 13:54:57 UTC
by Pedro Bueno (Version: 1)

Update: Some readers mentioned testing with a referer, which is often used by malware. In this case I only checked it through the original webpage, capturing the traffic.

Update2: Some readers pointed out that this domain is registered by ESTDOMAINS, which is well known to be a registrar of lots of websites serving malware.

Last weekend, I was playing around with some URLs/websites...

On one of those websites, I found an iframe that, at first glance, looked suspicious. It was highly obfuscated.

With help from a nice tool called Malzilla, I was able to see that it was actually pointing to hxxp://google-stat.net/stat/stat.php . At the time I was checking, it wasn't really doing anything nasty, just a redirection to the google.com website... maybe a counter... maybe a step to another infected site...

But what if my job was to classify that URL? What would be the right thing to do?

Let's go to the facts:

- First of all, it is obviously a kind of typosquatting on the Google brand...

- Google (through stopbadware) and McAfee SiteAdvisor show warnings on that link, so it may really not be a nice site.

- A whois shows interesting information:

Smart LTD
    Valeriy        (orensmm@gmail.com)
    ul. tulpanov 11
    Karategin
    Karategin,555555
    TJ
    Tel. +555.5555555
 

So, a fake phone number, the country is TJ, which is the country code of Tajikistan(!), and probably a fake address...

Besides all these facts, it was not really doing anything nasty (at the time of my research). Would it be fair to add this URL as "Bad"?

My answer is yes, because putting all these together, you will notice that the dog is not barking, but it is definitely there... just waiting for the right time to bite you!

---------------------------------------------------------------------------------------

Pedro Bueno ( pbueno //&&// isc. sans. org)
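
The reasoning in the diary above, combining several weak signals into one verdict, can be sketched as follows. This is an added example, not code from the diary or from ISC; the brand list, the two-signal threshold and all function names are assumptions made for illustration.

```python
import re

# Assumption: brand name -> domains that brand really uses (illustrative only).
BRANDS = {"google": {"google.com"}, "microsoft": {"microsoft.com"}}

def registered_domain(host):
    """Naive registered domain: last two labels (no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def brand_lookalike(host):
    """Return the brand whose name appears in a domain the brand does not own."""
    reg = registered_domain(host)
    for brand, legit in BRANDS.items():
        if brand in reg and reg not in legit:
            return brand
    return None

def placeholder_digits(value):
    """True when a field is one digit repeated, e.g. +555.5555555 or 555555."""
    digits = re.sub(r"\D", "", value or "")
    return len(digits) >= 5 and len(set(digits)) == 1

def classify(host, whois, reputation_warnings):
    """Combine weak signals; no single one proves the URL is malicious."""
    reasons = []
    brand = brand_lookalike(host)
    if brand:
        reasons.append(f"lookalike of brand '{brand}'")
    if reputation_warnings:
        reasons.append("flagged by: " + ", ".join(reputation_warnings))
    if placeholder_digits(whois.get("phone")):
        reasons.append("placeholder phone number")
    if placeholder_digits(whois.get("postal_code")):
        reasons.append("placeholder postal code")
    # Assumed threshold: two or more independent signals => "bad".
    verdict = "bad" if len(reasons) >= 2 else "unclassified"
    return verdict, reasons

# Phone, postal code and country as shown in the whois record quoted in the diary.
DIARY_WHOIS = {"phone": "+555.5555555", "postal_code": "555555", "country": "TJ"}
DIARY_RESULT = classify("google-stat.net", DIARY_WHOIS, ["StopBadware", "SiteAdvisor"])

if __name__ == "__main__":
    print(DIARY_RESULT)
    # Constructed control case: the brand's own domain with an ordinary phone number.
    print(classify("www.google.com", {"phone": "+1.6502530000"}, []))
```

The verdict comes from the count of independent signals, so a site that is not currently serving anything harmful can still be classified as bad.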

 


We need academic volunteers - Web security research

Published: 2008-07-07
Last Updated: 2008-07-07 22:24:57 UTC
by Jason Lam (Version: 1)

At the SANS Internet Storm Center, we are always researching and monitoring the latest trends of attacks on the Internet. There are currently some research projects related to Web Security that are at an infancy stage and would benefit significantly from the help of some research efforts. We have decided to open these opportunities up to the education communities. This will benefit the research projects and give students opportunities to be part of cutting-edge research projects.

Requirements

  • College or University students
  • Enrolled in an information security course which allows you to work on the ISC research projects as part of your assignment or term project
  • A sponsor from the educational institute. This will likely be the professor of the information security course or program director. This requirement can be ignored for SANS Technology Institute students.
  • Programming knowledge (PHP and Perl a big plus) and willingness to learn
  • Knowledge of OWASP Top 10 vulnerabilities
  • 10-week projects with a total time commitment of 80-100 hours

Perks or sexiness

  • Working with members of SANS ISC and SANS EDU faculty members
  • Cutting edge research projects, you will learn a lot (drinking from the fire hose experience)
  • Real world experience

Compensation

  • NONE, this is on a volunteer basis

Application

  • Apply through Email to isc@sans.org. Please include a short description of your background in point form
  • There will be an interview stage before individuals are accepted for the projects
  • Priority given to SANS Technology Institute students

Evaluation

  • There will be evaluation during (mid-term) and after the duration of the project.
  • Evaluation will be provided by a committee within SANS ISC and results will be provided to both the student and the sponsor.
Keywords: volunteers

Microsoft Snapshot Viewer Security Advisory

Published: 2008-07-07
Last Updated: 2008-07-07 19:13:32 UTC
by Scott Fendley (Version: 1)

Earlier today Microsoft released a Security Advisory which discusses a
remote code execution vulnerability in the ActiveX control for Snapshot
Viewer. The Snapshot Viewer ActiveX control enables the user to view an
Access report snapshot without having the standard or run-time version of
Microsoft Access.  This ActiveX control is shipped with all versions of
Microsoft Access with the exception of Access 2007.

As this is a remote code execution issue, the attacker would be able
to run any code of their choosing with the same user rights as the logged-on
user.  So those users running with reduced privileges have a more limited
risk than those running with full administrator access.

Microsoft's advisory has several recommendations on how to set a kill bit.
As tomorrow is the normally scheduled Patch Tuesday, it is likely that an
appropriate update for the ActiveX control or a kill bit update will not
be released.  With that in mind, it is recommended that appropriate steps
be taken using group policy at the same time that you roll out the updates
to your environment.

For more information on the vulnerability, please see MS Security Advisory
955179 at http://www.microsoft.com/TechNet/security/advisory/955179.mspx
