Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

URL Shortening Service Cligs Hacked

Published: 2009-06-16
Last Updated: 2009-06-16 18:54:58 UTC
by John Bambenek (Version: 1)
2 comment(s)

A post over at Cligs talks about an intrusion with their URL shortening service.  In essence, an malicious individual got in and edited all the destination URLs to point to freedomblogging.com, likely for nefarious purposes. This exposes two problems with URL shortening services.

1) Previously, malware domains tend to be easy to spot. The URLs tend to be less and less sensical as it is difficult to get a domain name that looks close enough to a legit site.  However, with URL shortening you are using a well-known and "safe" domain.  There is generally no way (for most services at least) to see the destination URL that a shortened URL points to.  For twitter and facebook, URL shortening services are common and no one thinks twice of them.  E-mail has become a less reliable means for phishing because of the anti-spam services involved. With URL shortening, it becomes easier because it "looks legit". It's little more than an accepted form of obfuscation.

2) Most URL shortening services are not highly financed (nor do they need to be). If a URL shortening service was penetrated, it would be easy to take a popular shortened URL and modify it to point to malware instead the intended "clean" site.  This is what happened with Cligs.

The bad news: We are behind the curve on dealing with this threat.

The good news: Some simple steps could be used to help prevent this.  "Blacklisting" malicious domains from URL shortening, deactivating known malicious shortened URLs and more real/near-time monitoring of what URLs get shortened to shorten the detection cycle.

--
John Bambenek
bambenek /at/ gmail /dot/ com

 

 

2 comment(s)

Iranian hacktivism

Published: 2009-06-16
Last Updated: 2009-06-16 17:28:02 UTC
by Bojan Zdrnja (Version: 2)
1 comment(s)

With the increase of violence in Iran due to the recently held election, it was just a matter of time when we will see some hacktivism. Similarly to some previous cases, we are again seeing people calling supporters of one or the other side to attack certain web sites. Back in January we saw Israeli proponents asking people to run a special program that will attack Palestinian web sites (http://isc.sans.org/diary.html?storyid=5638). It turned out that this "special" program was actually a Trojan horse, so obviously people behind it had a little bit different agenda.

Regarding the current events in Iran, it was interesting to see that proponents are inviting people to support their case over Twitter – they posted instructions on how to launch DDoS attacks against some Iranian sites as Twitter updates. It's clear that Twitter became increasingly interesting to hacktivists due to a large user base.

So far I've seen two groups launching DDoS attacks against Iranian web sites – in both cases we are talking about technically very, very simple attacks.

The first group created a special web page that supporters should visit. This web page is very simple – it creates 10 iframes, each iframe pointing to a different site in Iran. The visitor can then change the frequency which will be used to refresh iframe status. The browser will then regularly refresh every single web site from the list attached below. This is a poor man's DDoS; what's interesting is that I've seen a very similar method used by the Cyber Jihad program last year.

iframes pointing to Iranian web sites

The second group uses a bit more advanced approach. They created a .NET application called "Low Orbit Ion Canon". This is a very simple HTTP and TCP/UDP flooder, as you can see in the screenshot below. All the user has to do is enter the target web site and/or IP address and click on the Launch button after which the tool will start the attack in the background.

LOIC

The two attacks described show that hacktivism is still in its early days – both applications have some errors and are relatively easy to mitigate and analyze (even after the authors of LOIC used EZIRIZ's .NET Reactor to protect the code).
We will keep an eye on the development of the situation, of course, and post additional diaries if there is something interesting.

UPDATE: Aaron wrote in to write that the LOIC tool has been available for quite some time. Indeed, after digging a bit more, it appears that it is just a generic DDoS tool that the Iranian proponents started using.

--
Bojan

 

Keywords: hacktivism iran
1 comment(s)

Iran Internet Blackout: Using Twitter for Operational Intelligence

Published: 2009-06-16
Last Updated: 2009-06-16 14:19:21 UTC
by John Bambenek (Version: 1)
1 comment(s)

One of the topics in the halls here at SANSFIRE is how twitter has been the one tool that has breached the attempt of Iranian national censors to control the information flow within and outside the country. Much of the media reporting on the violence that has resulted from the protests was first covered on twitter before it made the news. Can twitter be a useful intelligence tool? Kinda.

The problem with twitter, or for that matter any "as-it-happens" information, is that there is no good way to determine the reliability of that information. You can read some of the latest posts on the Iranian issue here.  On of the top posts as I write this is that the Iranian Army itself is moving into Tehran to restore order. Is that, in fact, true? I tend to think not, but time will tell.

Because of the way "trending" twitter topics work, anyone talking about an issue will show up in that feed. That includes accounts just created today. Why does this matter? It's relevant because it would be trivial to put up "counterintelligence" via twitter. There is no tools with which to measure the "reputation" of the person posting the information. Number of followers and tweets helps, but most of the people posting information have followers in the hundreds which is a trivial amount of followers to acquire before even posting your first tweet.

An example I use in my criticism of emergency text messaging is that there have been incidents where false information led victims TO a threat instead of away from one. While there is some debate, the Omagh bombing in N. Ireland in 1998 arguably included this where the Real IRA called in a bomb threat to the court house by the car bomb was near a market center. The result was that the police evacuated people to the area the bomb actually.  "Leading people to the threat" is a real danger in unreliable information and it is a tactic that's known. Bottom-line is that unreliable communications can be used just as easily by people who would feed in unreliable or intentionally false information (counter-intelligence).

From an information security perspective, the threat is leading people to malicious websites. Set up a blog with an archive of posts on the issue, "borrow" a few pictures of the conflict and post them.  Tweet a message that says "live images of protestors being shot at" and point to your blog that also includes pre-tested malware that is known to be not detected by AV vendors.  Twitter and social networking tools provide another mechanism to lead people to the cyber-threat where only e-mail was used before.  Twitter has no "anti-spam" features, everyone talking about a subject shows up.

So while the use of twitter and other tools provide for a means to breach censorship rules of foreign regimes, it does not come without risks. Is the information valid? Is it leading you to malware infecting your machine?

P.S. I'm working on the intellectual exercise of developing a "honeypot" for twitter / social networking so we can get some visibility into those who would use those avenues to distribute malware. Feel free to send in suggestions.

--
John Bambenek
bambenek /at/ gmail /dot/ com

1 comment(s)
Diary Archives