Archive

Posts Tagged ‘spam’

Misconfigured Log Files: A Treasure Trove of Email Addresses

May 12th, 2010

Most websites and services today are built on some kind of framework in a modern language such as PHP, Ruby or Python. This has allowed many individuals to host fairly complex websites. That is a good thing, except that many website owners do not pay sufficient attention to the security of the software packages they deploy and never harden the default, out-of-the-box configuration.

More importantly, some webmasters are not even aware of the misconfigurations that can leak sensitive information about their website and their customers to anyone on the web.

Overview

This article is written to raise awareness of misconfigurations in the domains webmasters manage, so that more of them will pay attention. From our interaction with webmasters, we understand that they are already bogged down with maintenance duties. However, the fact remains that misconfiguration errors, when left unaddressed, spill important information into the hands of malicious persons.

An Example

Consider a website that we analyzed a few days ago, the URL looked like this:
hxxp://www.[scrubbed].net/forms/[scrubbed]/[scrubbed]/simple.log

This page listed every email address registered on the website; the registrations may have been user requests to be put on a weekly newsletter of some sort. The page held 623 email addresses, including ones in .mil, @gmail.com and @yahoo.com domains. The server identified itself as Apache/1.3.41.
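The exposure in this case is an application that appends form submissions to a plain-text log inside the web document root, where the web server happily serves it. The following Python script is an added example, not tooling from the original post or the site analyzed: it walks a document root, flags files with extensions that should never be served, counts the distinct e-mail addresses each one leaks, and prints an Apache `FilesMatch` rule that refuses to serve them. The directory layout it scans is constructed for the demo; the file names and addresses are placeholders.

```python
"""Find log/backup files sitting under a web document root and gauge what
they leak. Added example, not the original post's tooling; the document root
built by build_demo_docroot() is constructed for the demo."""
import os
import re
import tempfile

# Extensions that should never be reachable through the web server.
EXPOSED_EXTENSIONS = (".log", ".bak", ".old", ".sql", ".csv")

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def build_demo_docroot():
    """Create a throwaway document root mimicking the case in the post:
    a form handler that appends submissions to simple.log next to itself."""
    root = tempfile.mkdtemp(prefix="docroot-")
    forms = os.path.join(root, "forms", "newsletter")
    os.makedirs(forms)
    # Constructed sample content; the addresses are placeholders.
    with open(os.path.join(forms, "simple.log"), "w") as fh:
        fh.write("2010-05-10 subscribe alice@example.com\n")
        fh.write("2010-05-10 subscribe bob@example.mil\n")
        fh.write("2010-05-11 subscribe alice@example.com\n")  # duplicate
    with open(os.path.join(forms, "signup.html"), "w") as fh:
        fh.write("<form action='simple.cgi'>...</form>\n")
    with open(os.path.join(root, "db.sql.bak"), "w") as fh:
        fh.write("INSERT INTO users VALUES ('carol@example.org');\n")
    return root


def find_exposed_files(docroot):
    """Return sorted (relative path, unique e-mail count) pairs for every file
    under docroot whose extension is blacklisted. The count is a quick
    severity gauge: one address is a bug, hundreds are a spam list."""
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if not name.lower().endswith(EXPOSED_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="replace") as fh:
                emails = set(m.lower() for m in EMAIL_RE.findall(fh.read()))
            hits.append((os.path.relpath(path, docroot), len(emails)))
    return sorted(hits)


def deny_rule(extensions=EXPOSED_EXTENSIONS):
    """Emit an Apache <FilesMatch> block that refuses to serve the blacklisted
    extensions (Order/Deny syntax as used by Apache 1.3 and 2.2)."""
    alternation = "|".join(re.escape(e.lstrip(".")) for e in extensions)
    return (
        '<FilesMatch "\\.(%s)$">\n'
        "    Order allow,deny\n"
        "    Deny from all\n"
        "</FilesMatch>" % alternation
    )


if __name__ == "__main__":
    root = build_demo_docroot()
    for rel, n in find_exposed_files(root):
        print("%-40s %d unique e-mail address(es)" % (rel, n))
    print(deny_rule())
```

The deny rule is a stopgap; the real fix is to write application logs and data files outside the document root altogether, so that no server rule has to be remembered when the site is migrated.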

Conclusion

Though this incident may not have caused direct harm to the website, it is definitely undesirable to have a list of email addresses lying out in the open. It serves as fodder for spam bots and for malicious persons launching social engineering attacks.

In conclusion, webmasters: do not leave your software installations at their default settings, and do pay attention to misconfigurations and other errors.

Report, Security

Are Universities Hosting Spam Zombies?

March 17th, 2010

It has been said that universities around the world harbor zombie machines in droves, the same zombie machines responsible for sending out massive amounts of spam. In this article we attempt to find out whether the university spam-zombie problem really is as big as it is made out to be.

Most universities spend large sums of money on IDS, IPS and spam-filter technology and the associated licences. In theory, this should let universities cut down on the number of zombie machines by spotting the tell-tale signs of malicious communication in their network traffic.

Experiment Goal

To determine whether universities harbor zombie machines that can be used for spam campaigns.

Methodology

We collected a list of 2070 universities. Each university's DNS was queried to find the IP address hosting its website. That IP address was cross-referenced with Route Views data to identify the AS number announcing it (using CAIDA's prefix-to-AS data). The AS number was then used to collect the IP ranges advertised in BGP updates. Once the CIDR ranges had been found, every IP in them was checked against Spamhaus's zombie blacklist. The experiment was conducted between March 12th and March 16th, 2010.
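The last step of that pipeline, checking every address in an AS's prefixes against a DNS blocklist, works by reversing the octets of the IPv4 address, prepending them to the blocklist zone and interpreting the A record returned. The Python below is an added example, not the experiment's own code. It assumes a Spamhaus-style zone (the zen.spamhaus.org return codes are used: 127.0.0.4 to 127.0.0.7 mean the XBL, i.e. an exploited or zombie host, while 127.0.0.10 and 127.0.0.11 are the PBL, a policy listing of dynamic space that must not be counted as a bot). The AS prefix table and the resolver answers are constructed so the script runs offline; a real run would take prefixes from Route Views/CAIDA data and resolve the query names over DNS.

```python
"""Check the IPs announced by an AS against a Spamhaus-style DNSBL.
Added example, not the original experiment's tooling. The prefix table and
the resolver answers are constructed; a real run would take prefixes from
Route Views/CAIDA data and resolve the query names with real DNS."""
import ipaddress

# Constructed: which prefixes each AS originates (RFC 5737 documentation
# ranges and private-use ASNs). Real data comes from BGP feeds.
AS_PREFIXES = {
    64496: ["192.0.2.0/24"],
    64497: ["198.51.100.0/25", "203.0.113.0/26"],
}

# zen.spamhaus.org return codes: 127.0.0.2 SBL, 127.0.0.3 CSS,
# 127.0.0.4-7 XBL (exploited/zombie hosts), 127.0.0.10-11 PBL (policy, not a bot).
ZOMBIE_CODES = {"127.0.0.4", "127.0.0.5", "127.0.0.6", "127.0.0.7"}


def dnsbl_name(ip, zone="zen.spamhaus.org"):
    """Reverse the octets of an IPv4 address and append the DNSBL zone,
    e.g. 192.0.2.7 -> 7.2.0.192.zen.spamhaus.org."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def scan_as(asn, resolve, prefixes=AS_PREFIXES):
    """Probe every host address in the AS's prefixes through `resolve`, a
    callable mapping a DNSBL query name to a list of A-record strings (an
    empty list means not listed). Returns (ips_probed, zombie_ips), where
    zombie_ips are the addresses that came back with an XBL code."""
    probed = 0
    zombies = []
    for cidr in prefixes.get(asn, []):
        net = ipaddress.ip_network(cidr)
        for host in net.hosts():  # skips network and broadcast addresses
            probed += 1
            answers = resolve(dnsbl_name(host))
            if any(a in ZOMBIE_CODES for a in answers):
                zombies.append(str(host))
    return probed, zombies


# Constructed resolver answers: two zombies in AS64497, one PBL-only listing
# that must not count as a zombie, nothing at all in AS64496.
FAKE_ANSWERS = {
    dnsbl_name("198.51.100.17"): ["127.0.0.4"],
    dnsbl_name("203.0.113.9"): ["127.0.0.7", "127.0.0.10"],
    dnsbl_name("198.51.100.40"): ["127.0.0.10"],  # PBL: dynamic range, not a bot
}


def fake_resolve(qname):
    """Stand-in for a DNS lookup; swap in a real resolver for live checks."""
    return FAKE_ANSWERS.get(qname, [])


if __name__ == "__main__":
    for asn in AS_PREFIXES:
        probed, zombies = scan_as(asn, fake_resolve)
        print("AS%d: %d IPs probed, %d zombie(s) %s" % (asn, probed, len(zombies), zombies))
```

Two practical notes: only the XBL codes are counted, because treating a PBL answer as a zombie would inflate the numbers for any AS with dynamic customer space; and bulk lookups of hundreds of thousands of addresses exceed what the public Spamhaus mirrors allow, so a run at the scale of this experiment needs the data feed rather than live DNS queries.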

Our Observations

  • Number of unique universities: 2070
  • Number of Unique ASes observed: 829
  • Total number of IPs probed: 434,083
  • Size of zombie blacklist: 2,130,944 IPs

Highlights

We present some interesting observations on the data analyzed.

  • Only AS174, Cogent Communications, Inc., was found to contain zombies (see list below).
  • Only 0.67% of the universities are associated with spam-zombie IP addresses.
  • Only 0.12% of the ASes seem to contain spam-zombie IP addresses.

Frequency distribution of the number of IPs tested.

Conclusion

It seems that universities are unfairly maligned by reports of zombies in their networks. This preliminary set of experiments did not find spam-zombie machines in any significant numbers on university subnets, which suggests that universities are doing a pretty good job of combating spam zombies and keeping the Internet safe. One caveat: the ranges probed are those of the AS announcing each university's web server, which is not always the campus network itself, so the figures are a proxy for the campus rather than a direct census of it.

Till next time.

News, Report

Popular Websites Host More Spam

March 9th, 2010

Popular Internet websites are a good place to advertise and therefore a target for spammers; the large throngs of visitors who view content on popular sites are the main draw. Spammers use vulnerabilities in message boards and forums to insert spam advertisements.

This “malvertising” is bad for the reputation of the website in question, and it opens a Pandora’s box of security issues for any visitor who decides to follow the link in the advertisement. In this short article we try to determine whether certain subsets of the top 1 million Internet websites are more prone to abuse by spammers.

Experiment Goals

  • Where are the spammers targeting their efforts?
  • What kind of websites need to put more effort into stopping spammers?

Methodology

We obtained the list of the top 1 million websites from Alexa and partitioned it into three equal parts, designated “top,” “middle” and “low.” From each part we randomly selected 1000 websites and determined whether they were hosting spam advertisements.

To determine whether a site was hosting spam advertisements, we queried Google and other search engines with keywords suggestive of pharmacy spam (e.g. “buy Kamagra cheap” and “no prescription needed”). Once a website was flagged, the suspect pages were downloaded to confirm that spam advertisements were indeed present.
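The sampling and confirmation steps above are easy to get subtly wrong (unequal tiers, sampling with replacement, trusting the search-engine snippet without re-checking the page). The Python below is an added example, not the study's own code: it maps a rank to a tier, draws a fixed-size sample from each tier with a seeded generator so the run is reproducible, and confirms each hit by matching the pharmacy terms against the fetched page body itself. The ranked list, page bodies and `fake_fetch` function are constructed for the demo; a real run would read the Alexa CSV and fetch the flagged pages.

```python
"""Tier a ranked site list, sample each tier, and confirm pharmacy spam in
page bodies. Added example, not the original study's code. SITES, PAGES and
fake_fetch() are constructed stand-ins for the Alexa list and live fetches."""
import random
import re

PHARMA_TERMS = ["buy kamagra cheap", "no prescription needed", "buy zocor online"]
PHARMA_RE = re.compile("|".join(re.escape(t) for t in PHARMA_TERMS), re.I)


def tier_of(rank, total, tiers=3):
    """Map a 1-based rank to a tier index 0..tiers-1 (0 = most popular)."""
    return min((rank - 1) * tiers // total, tiers - 1)


def stratified_sample(ranked_sites, per_tier, tiers=3, seed=0):
    """Return {tier: [sites]} with per_tier sites drawn without replacement
    from each tier. A fixed seed makes the sample reproducible."""
    rng = random.Random(seed)
    buckets = {t: [] for t in range(tiers)}
    for rank, site in enumerate(ranked_sites, start=1):
        buckets[tier_of(rank, len(ranked_sites), tiers)].append(site)
    return {t: rng.sample(b, min(per_tier, len(b))) for t, b in buckets.items()}


def has_pharma_spam(html):
    """Confirm a search-engine hit by matching the terms in the page body,
    not in the engine's snippet. A crude tag strip is enough for keywords."""
    text = re.sub(r"<[^>]+>", " ", html)
    return PHARMA_RE.search(text) is not None


def spam_rate_by_tier(sample, fetch):
    """Fraction of sampled sites per tier whose page body contains pharmacy
    terms; fetch(site) returns the HTML of the page flagged for that site."""
    return {t: sum(has_pharma_spam(fetch(s)) for s in sites) / len(sites)
            for t, sites in sample.items()}


# Constructed: 30 sites ranked 1..30 and page bodies for a few of them.
SITES = ["site%02d.example" % i for i in range(1, 31)]
PAGES = {
    "site01.example": "<p>Forum thread: BUY KAMAGRA CHEAP here</p>",
    "site03.example": "<p>comment: no prescription needed!!</p>",
    "site12.example": "<p>prescription advice from your doctor</p>",  # no match
    "site25.example": "<p>buy zocor online</p>",
}


def fake_fetch(site):
    """Stand-in for downloading the flagged page."""
    return PAGES.get(site, "<p>nothing to see</p>")


if __name__ == "__main__":
    sample = stratified_sample(SITES, per_tier=10)
    for tier, rate in sorted(spam_rate_by_tier(sample, fake_fetch).items()):
        print("tier %d: %.1f%% of sampled sites host pharmacy spam" % (tier, 100 * rate))
```

With 1000 draws per tier, as in the study, the integer-division tiering keeps the three buckets the same size even when the list length is not divisible by three, and the seed lets the same sample be re-fetched later to see whether a site was cleaned up.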

Interesting Results

  • 9% of the sampled “top” tier sites were hosting spam ads.
  • 4% of the sampled “middle” tier sites were hosting spam ads.
  • 3% of the sampled “low” tier sites were hosting spam ads.

Conclusion

It is surprising that “top” ranking websites were more than twice as likely to carry spam advertisements as “middle” or “low” ranking websites.

It could be that spammers prefer to concentrate on the most popular sites rather than the not-so-popular ones, or that popular sites run more discussion and message boards that can be exploited. Either question could be the basis of a more in-depth study of this phenomenon.

Report, Security

“Online Pharmacy” Spam Stalks Internet Forums/Boards

January 26th, 2010

Malicious hackers have for many years offered their services to unscrupulous individuals and companies for monetary compensation. As email spam advertising everything from medical supplements to cars and lottery tickets grew, email scrubbers and filters took the game up a notch with ever more layers of filtering to cut it down. In turn, hackers have shifted to advertising spam (medication, fraudulent scams and the like) by compromising web-based message boards and forums.

Hackers employ two basic techniques:

  • Registering large numbers of accounts on forums, which are then used to post spam on the message boards.
  • Exploiting web application vulnerabilities in the software that runs the forum.

Approximately two weeks ago, Lenny Zeltser of the SANS Internet Storm Center posted an informative article about online pharmacy ads popping up on message boards. In the same vein, we conducted a limited experiment with about 14,000 websites containing spam for online pharmacies.

The aim of the experiment:

  • What percentage of websites which advertise online pharmacies are message boards and Internet forums?
  • What Web Applications, e.g. CMS packages, are used on the message boards that are compromised?

We believe this gives a rough estimate of how focused hackers are on using message boards and forums to advertise spam. From another perspective, it gives some idea of how exposed a website is to abuse by hackers if it hosts a message board or forum.

Testing methodology:

We used Google to mine websites containing keyword patterns such as “buy zocor online” or “buy brand kamagra online”. Once the links suggested by Google had been mined, each website was checked against Google’s Safe Browsing list to determine whether it had hosted malware (according to Google). Next, each mined link was analyzed to determine whether it pointed to a forum or message board. This was done by looking for several strings inside the link: a link containing keywords such as “topic”, “view” or “thread”, together with characters associated with dynamic page generation, probably points at a message board or forum.

The test was conducted between January 21st and January 23rd, 2010.
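The two classification steps of that methodology, deciding from the URL alone whether a hit is a forum page and then identifying the software on the page, can be made concrete. The Python below is an added example, not the study's own code. `looks_like_forum` applies the URL heuristic described above (forum-style keywords in the path or query-string keys, plus a sign of dynamic page generation such as a query string or a script extension); `fingerprint` keys on generator meta tags and well-known script and theme paths for phpBB, WordPress, jQuery and MooTools, the four packages named in the results. The token list, the fingerprint patterns and the sample hits are assumptions constructed for the demo, not the markers the original study used.

```python
"""Classify search hits for pharmacy terms as forum/message-board pages and
fingerprint the software on their HTML. Added example, not the original
study's code; FORUM_TOKENS, FINGERPRINTS and SAMPLE_HITS are constructed."""
import re
from urllib.parse import urlparse, parse_qs

# Path/query tokens that forum and board software commonly emit.
FORUM_TOKENS = ("topic", "thread", "view", "forum", "showthread", "viewtopic", "board")


def looks_like_forum(url):
    """URL heuristic: forum-ish keywords in the path or query keys, plus a sign
    of a dynamically generated page (a query string or a script extension)."""
    parts = urlparse(url)
    path = parts.path.lower()
    query_keys = [k.lower() for k in parse_qs(parts.query).keys()]
    dynamic = bool(parts.query) or path.endswith((".php", ".cgi", ".asp", ".aspx"))
    haystack = path + " " + " ".join(query_keys)
    keywordy = any(tok in haystack for tok in FORUM_TOKENS)
    return dynamic and keywordy


# (package, regex over the HTML): generator meta tags and well-known asset paths.
FINGERPRINTS = [
    ("phpBB", re.compile(r"powered by <a[^>]*>phpBB|/styles/\w+/theme/", re.I)),
    ("WordPress", re.compile(r'<meta name="generator" content="WordPress[^"]*"|/wp-content/', re.I)),
    ("jQuery", re.compile(r"jquery(?:[.-][\d.]+)?(?:\.min)?\.js", re.I)),
    ("MooTools", re.compile(r"mootools[\w.-]*\.js", re.I)),
]


def fingerprint(html):
    """Return the sorted list of package names whose markers appear in the HTML."""
    return sorted(name for name, rx in FINGERPRINTS if rx.search(html))


def summarize(hits):
    """hits: list of (url, html). Returns the share of hits that are forum
    pages and, among those, the share running each package: the two figures
    the post reports."""
    forum_pages = [html for url, html in hits if looks_like_forum(url)]
    counts = {}
    for html in forum_pages:
        for name in fingerprint(html):
            counts[name] = counts.get(name, 0) + 1
    n = len(forum_pages)
    return {
        "forum_share": len(forum_pages) / max(len(hits), 1),
        "package_share": {k: v / n for k, v in counts.items()} if n else {},
    }


# Constructed sample of search hits: two forum pages, a blog post, a static page.
SAMPLE_HITS = [
    ("http://a.example/forum/viewtopic.php?f=3&t=112",
     '<p>powered by <a href="#">phpBB</a></p><script src="/js/jquery-1.3.2.min.js"></script>'),
    ("http://b.example/index.php?showtopic=99",
     '<script src="/wp-content/plugins/x/mootools.js"></script>'),
    ("http://c.example/blog/2010/01/pills/",
     '<meta name="generator" content="WordPress 2.9" />'),
    ("http://d.example/cheap-kamagra.html",
     '<script src="jquery.js"></script>'),
]


if __name__ == "__main__":
    for url, html in SAMPLE_HITS:
        print("%-50s forum=%-5s %s" % (url, looks_like_forum(url), fingerprint(html)))
    print(summarize(SAMPLE_HITS))
```

The URL heuristic is deliberately loose (a WordPress permalink with no query string is classed as not-a-forum even when it carries comment spam), which is the same bias the original method has; the fingerprint step is where the misleading "jQuery" figure comes from, since a JavaScript library shows up on a page regardless of which forum package loaded it.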

Popular software packages installed on compromised forums and message boards.

We present the most interesting results below:

  • 47.9% of websites displaying “online pharmacy” spam are message boards and forums.
  • None of the websites advertising “online pharmacy” spam were listed on Google Safe Browsing List.
  • 20.28% of forums displaying “online pharmacy” spam were using jQuery.
  • 15.73% of forums displaying “online pharmacy” spam were using phpBB.
  • 11.54% of forums displaying “online pharmacy” spam were using WordPress.
  • 10.84% of forums displaying “online pharmacy” spam were using MooTools.

These results, along with the other software packages, helper scripts and tracking code found, are depicted in the graph above. Note that jQuery and MooTools are client-side JavaScript libraries bundled by many packages rather than forum software in their own right.

This small experiment shows that a high percentage of websites displaying online spam campaigns are message boards or forums, which indicates that many unsecured and outdated software installations remain in use and are routinely exploited by malicious individuals to post spam. Further, most of the hacked sites were using jQuery, which is consistent with our previous observations of jQuery scripts being used to push malware to unsuspecting visitors.


Company, News, Report