Thursday, October 23, 2014

Where does all the spam come from?

This is part 3 in a series investigating a particular piece of malware.
  • Part 1 looks at how the malware is delivered. It and part 2 were originally a single post, later separated since they look at distinct phases in the attack.
  • Part 2 analyzes the bot - the agent which turns your computer into a remotely-controlled robot doing the attacker's bidding.
  • Part 3 dives into the first payload: code to test 30,000 addresses at 5,000 domains, to see if they could be used to send additional spam.
Ever wondered how spam ends up in your inbox, or how spammers come up with the email addresses from which to send spam? The spammer needs a few things in order to send messages: obviously he needs a list of target email addresses to send messages to; those can be bought on the dark market at very little cost. Unless he wants to send email from his own server though, he also needs an abusable email relay server and a spoofed source address. Why? Two reasons: not every Internet provider would turn a blind eye to a spammer sending millions of malicious emails, and he can gain far more capacity by sending mail through thousands of open relays.
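As an added example (not code from this post, and not the bot's own code), here is the SMTP exchange an open-relay test boils down to, run against a tiny in-process stand-in for a mail server so it works offline. The probe sends a spoofed MAIL FROM and an RCPT TO at an outside domain and reads the reply code; it never sends DATA, so no message is ever injected. The host names, addresses and server responses are constructed for the example.

```python
"""Open-relay probe: the SMTP dialogue behind "can this server send my spam?".
Added example; the server side is a constructed stand-in, not a real MTA."""
import socket
import threading


def _fake_mx(listener, open_relay, local_domain):
    """One-session SMTP responder (constructed for this example). A hardened
    server only accepts RCPT TO for its own domain; an open relay accepts any."""
    conn, _ = listener.accept()
    listener.close()
    with conn, conn.makefile("rb") as reader:
        conn.sendall(f"220 mx.{local_domain} ESMTP ready\r\n".encode())
        for raw in reader:
            line = raw.decode("ascii", "replace").strip()
            upper = line.upper()
            if upper.startswith(("HELO ", "EHLO ")):
                reply = f"250 mx.{local_domain} Hello\r\n"
            elif upper.startswith("MAIL FROM:"):
                reply = "250 2.1.0 Ok\r\n"          # any sender accepted: spoofing works
            elif upper.startswith("RCPT TO:"):
                rcpt = line.split(":", 1)[1].strip().strip("<>")
                domain = rcpt.rpartition("@")[2].lower()
                if open_relay or domain == local_domain:
                    reply = "250 2.1.5 Ok\r\n"
                else:
                    reply = "554 5.7.1 Relay access denied\r\n"
            elif upper == "QUIT":
                conn.sendall(b"221 2.0.0 Bye\r\n")
                break
            else:
                reply = "502 5.5.2 Command not implemented\r\n"
            conn.sendall(reply.encode())


def start_fake_mx(open_relay, local_domain="example.test"):
    """Start the stand-in mail server on 127.0.0.1 and return its port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    threading.Thread(target=_fake_mx, args=(listener, open_relay, local_domain),
                     daemon=True).start()
    return port


def probe_relay(host, port, sender, recipient, helo="probe.invalid", timeout=5.0):
    """Run EHLO / MAIL FROM / RCPT TO and return (accepted, transcript).
    `accepted` is True when the server takes the recipient; if `recipient` is
    outside the server's own domain, that means it relays. DATA is never sent,
    so the probe delivers nothing."""
    transcript = []
    with socket.create_connection((host, port), timeout=timeout) as sock, \
            sock.makefile("rb") as reader:

        def read_reply():
            # Reply code is the first 3 chars; "250-" marks a continuation line.
            while True:
                line = reader.readline().decode("ascii", "replace").rstrip("\r\n")
                if not line:
                    return ""                  # connection closed
                transcript.append("S: " + line)
                if len(line) < 4 or line[3] == " ":
                    return line[:3]

        def command(cmd):
            transcript.append("C: " + cmd)
            sock.sendall((cmd + "\r\n").encode("ascii"))
            return read_reply()

        accepted = False
        if (read_reply() == "220" and command(f"EHLO {helo}") == "250"
                and command(f"MAIL FROM:<{sender}>") == "250"):
            accepted = command(f"RCPT TO:<{recipient}>") == "250"
        try:
            command("QUIT")
        except OSError:
            pass
    return accepted, transcript


if __name__ == "__main__":
    for label, is_open in (("hardened MX", False), ("open relay", True)):
        port = start_fake_mx(open_relay=is_open)
        accepted, lines = probe_relay("127.0.0.1", port,
                                      "ceo@victim.example", "target@elsewhere.example")
        print(f"--- {label}: relays for outsiders = {accepted}")
        print("\n".join(lines))
```

Pointed at a real server you administer, the same dialogue is the check to run: a 250 to an RCPT TO for a domain the server does not host is the bot's green light. Stopping at RCPT TO keeps the probe harmless, which is also why a real bot's test traffic shows up in mail logs as sessions that never reach DATA.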

From click to pwned

This is part 1 in a series investigating a particular piece of malware.

Malware writers and scammers have a number of tricks up their sleeves, all with the goal of making your computer become their computer. Some tactics involve technology, some involve sleight-of-hand (sleight-of-mouse?), some involve social engineering, and some involve a combination of factors. I received an email scam that slipped past my spam filters and that exhibited a combination of old and new tactics, so I took some time to break it apart.

If you don't want to read through the technical details, here's the short version: don't click links or open attachments in unexpected email, don't trust email from an unknown or uncertain source, and be aware that there are lots of ways to make a malicious link look legitimate. In short, don't click the link.

Wednesday, October 22, 2014

An introduction to malware forensics

This is part 2 in a series investigating a particular piece of malware.

In my last post, we looked at a fairly typical spam message used to deliver malware to unsuspecting users. This message played on psychology (aka social engineering) to trick the reader: a confirmation message for an expensive purchase (in this case, about $1,600), with a link to retrieve the "invoice" (actually the malware). It used Google redirectors to avoid a suspicious-looking link to Dropbox or some random web site.

Once the reader clicks the link and allows it to download and run, their computer becomes infected with a botnet agent. In this post, I downloaded the malware into a virtual environment to do some analysis.

Tuesday, October 14, 2014

Snapchat: What every parent needs to know (and teach)

Some topics are less pleasant to write about than others, though at times far more important. It is with this in mind that I write today on a topic every parent needs to know about. Late last week, rumors started to surface regarding a database breach that revealed thousands of supposedly private messages and photographs sent via the social sharing app Snapchat. Over the weekend that has proved true.

Snapchat is heavily used by younger people - in fact, roughly half of all Snapchat accounts belong to children under 17 years old. The selling point behind Snapchat is that messages and photos can be seen by the intended recipient only, for a brief time only, and then disappear forever - much like old Mission: Impossible assignments ("this message will self-destruct in 10 seconds..."). As such, it has been used by many teenagers for "sexting" - sharing indecent photos of themselves, never suspecting that the photos might not actually disappear.

Friday, October 10, 2014

Another day, another breach

It seems like almost every week another business is in the news for having their payment network compromised and leaking customer information, often in the form of payment card data. Target, Home Depot, Jimmy John's, Goodwill Industries, JP Morgan Chase, Kmart/Sears, the list goes on. Today, Dairy Queen was (formally) added to the list.

I say formally, because Dairy Queen was strongly suspected to be on that list as of late August, but only now made a public statement confirming the fact. This incident hits a little closer to home because my hometown Dairy Queen is on the list of those compromised.

Tuesday, October 7, 2014

One simple move that can dramatically reduce the risk of identity theft

Identity theft is a common fear, one that is reinforced with each new headline. 40 million credit cards stolen from Target! Home Depot leaks 56 million payment cards! Hackers steal info on 145 million eBay customers! Giant data breach affects 152 million Adobe accounts! It seems each new breach is more "epic" than the last. A data visualizer known as "Information is Beautiful" has a frightening but fantastic visualization.

Most of these incidents involve theft of credit and debit card information - a form of identity theft that is damaging but generally not terribly difficult to unravel. Consumer protection laws generally limit one's liability, and many banks promise zero liability for fraudulent charges. Using credit cards instead of debit cards further separates the fraudulent activity from your actual cash.

Wednesday, October 1, 2014

The high price of free wifi: your eldest child?

In keeping with National Cyber Security Awareness Month, I'll be updating a number of articles written over the last 4 years. In January of 2011 I entered the blogosphere with a story about Firesheep, a Firefox plugin that made wireless eavesdropping scarily simple.

Most of us know by now to look for the little "padlock" icon in the browser's address bar before logging in to a web site, or the "https://" at the beginning of the URL - we want to be sure our password is protected, right? And most sites now use an SSL (encrypted) connection for the login page, so your password is in fact protected (massive Internet-wide vulnerabilities notwithstanding).

But once you log in, many sites used to switch back to a non-secured connection. The problem with that approach was, how does the web site know who you are after you have logged in? It is often done with cookies - little bits of data stored on your computer, and automatically sent to the site that created them every time you load or reload a page from that site. The cookies (usually) do not contain your password, but they do identify you to the site. So, if you log into Facebook, then click a link to reload the page, your computer sends your cookie to Facebook, and the site says "hey, I remember who you are, I saw you just a minute ago; you are already logged in, so here you go!" (OK, not literally, but you get the point). On open wifi, anyone running Firesheep could pluck that cookie out of the unencrypted page load and present it as their own - no password required.
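As an added example (not from the original post), here is a small check of the cookie attributes that close the hole described above, run over Set-Cookie headers constructed for this example. A session cookie without the Secure attribute is sent on every plain-HTTP page load, which is exactly what an eavesdropper on open wifi captures. The HttpOnly and SameSite checks, and the Strict-Transport-Security header, go a little beyond the post's point to show what a hardened response looks like today; the cookie names treated as session identifiers are an assumption.

```python
"""Audit Set-Cookie headers for the Firesheep-era weakness: a session cookie
the browser will also send over plaintext HTTP. Added example with constructed
headers; nothing here is captured from a real site."""

# Constructed sample headers for a session cookie, weak and hardened.
WEAK = "sessionid=abc123; Path=/; Expires=Wed, 01 Oct 2025 00:00:00 GMT"
HARDENED = "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"

WEAK_RESPONSE = [("Set-Cookie", WEAK), ("Set-Cookie", "theme=dark; Path=/")]
HARDENED_RESPONSE = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", HARDENED),
    ("Set-Cookie", "theme=dark; Path=/"),
]

# Assumed list of cookie names that carry a login session.
SESSION_NAMES = ("sessionid", "sid", "phpsessid", "jsessionid")


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute: value}).
    Attribute names are case-insensitive (RFC 6265), so they are lowercased;
    flag attributes such as Secure map to an empty string."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header, session_names=SESSION_NAMES):
    """Return findings for one Set-Cookie header. Non-session cookies are
    ignored; an empty list means the session cookie cannot be sniffed from
    a plain-HTTP page load."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if name.lower() not in session_names:
        return findings
    if "secure" not in attrs:
        findings.append("missing Secure: sent over plaintext HTTP, sniffable on open wifi")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by any script injected into the page")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("missing SameSite=Lax/Strict: sent on cross-site requests")
    return findings


def audit_response(headers):
    """headers: list of (name, value) pairs as received from the server.
    Collects findings across all Set-Cookie headers and flags a missing
    Strict-Transport-Security header, since without HSTS one http:// link
    is enough to make the browser send the cookie in the clear."""
    findings = []
    has_hsts = False
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            cookie_name = parse_set_cookie(value)[0]
            findings += [f"{cookie_name}: {f}" for f in audit_set_cookie(value)]
        elif lname == "strict-transport-security":
            has_hsts = True
    if not has_hsts:
        findings.append("no Strict-Transport-Security: an http:// link can downgrade the session")
    return findings


if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"--- {label} response")
        for finding in audit_response(response) or ["no findings"]:
            print("  " + finding)
```

The same functions work on headers pulled from a real response (for example `response.headers.items()` after a login with the `requests` library); the two constructed responses above simply stand in for the before and after of a site moving to HTTPS everywhere.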

Whois David?

I have spent the better part of two decades in information technology and security, with roots in appdev support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. When not at work, I spend my time raising five rambunctious kids - twins age 14, a 13-year-old, and twins age 11. Amongst that, I am the Commander for a Wednesday night Awana club at my church, teaching some 60+ preschool through 6th grade kids. Follow @DSTX_Awana or Like FBC Dripping Springs Kids to see what is going on in our club.