Wednesday, December 28, 2011

Web threats: trends and statistics

One of the questions I often get asked is "What is the most prevalent threat on the Internet for enterprises?". In terms of the total number of transactions, botnets are the biggest security risk. Once a host gets infected, the botnet usually spreads quickly within an enterprise. It also generates a significant amount of traffic to the command and control server, to download additional malware or perform other actions. For the last 30 days, botnets account for almost 80% of the security blocks at Zscaler.

Security blocks for the last 30 days

When it comes to individual variants of malware, botnets, or other threats, there is no single piece of malware that dominates. Some threats appear one day, and disappear just as quickly. Others are seen daily for months, with random peaks. For example, Blackhole exploits and Zeus have been active for months.
One of the Blackhole exploits

Zeus traffic

Mass infections of legitimate sites can still be seen months after the infection initially occurred and the vulnerable application has been patched. For example, our customers are still hitting websites infected with LizaMoon, which was first reported in May 2011 and reached its peak in September.

Legitimate sites infected by mass LizaMoon SQL Injection attacks

The security landscape is very wide. Although botnets, as a category, represent the majority of overall malicious web traffic, there are a huge number of different threats seen daily by enterprise users. This means that security solutions must be able to detect and block a wide variety of traffic by looking at all components: URLs, HTTP header and content on both the client and server side.

Wednesday, December 21, 2011

Facebook used to make scams look legitimate

One of the recurring web spam themes I saw in 2011 was the "Work from home and make $X,000/month" scam. In some variations of this well-known and well-used scam, websites are set up to look like a well-established newspaper with a front-page (fake) article about making a lot of money from home.

Here are a few examples I saw earlier this year (now offline):

Fake NBC website at hxxp://

Fake news site at

The new scam I found this week included an interesting new trick and is still online.

Fake news site at hxxp://
The site is set up like the previous scams - it claims to be an online, established newspaper, which displays an article about someone who is making a lot of money, working from home.

At the top of the picture, which shows a woman and a girl, on the right, you can see a Facebook Like button that says "214,217 people recommend this. Be the first of your friends." Apparently, 214,217 people went to this page and clicked on "Like", making this page look more legitimate.

At first, I thought this was a fake Facebook widget. But this is the real deal, as seen from the page HTML code:

Real Facebook widget (click on the image to see it in full screen)

There is, however, a trick. The "Like" widget does not point to hxxp://, but rather to As you can see in the images taken from the two websites, the number of Likes is the same:

214,217 Likes on hxxp://
214,217 Likes on

Facebook allows you to embed any Like widget on any website, even if the domains or URLs do not correspond. Scammers are using this trick to appear more legitimate, by tricking visitors into thinking their website has been visited and liked by many people.

My guess is that this technique is very effective, and will be used more and more by spammers and scammers.
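The mismatch the post describes (a Like widget counting Likes for a different site than the one embedding it) can be checked mechanically. The following is an added example, not code from the post: it collects the target URL of each embedded Like widget and flags those whose host differs from the page host. The widget markup forms it looks for (iframe src ".../plugins/like.php?href=...", XFBML <fb:like href="...">, HTML5 <div class="fb-like" data-href="...">) and the sample hosts are assumptions; the sample page is constructed.

```python
# Added example (not part of the original post): flag Facebook Like widgets whose
# target URL belongs to a different host than the page embedding them.
# Assumed widget markup: iframe src ".../plugins/like.php?href=...",
# XFBML <fb:like href="...">, or HTML5 <div class="fb-like" data-href="...">.
from html.parser import HTMLParser
from typing import List
from urllib.parse import parse_qs, urlparse

class _LikeWidgetCollector(HTMLParser):
    """Collects the URL each embedded Like widget reports Likes for."""
    def __init__(self) -> None:
        super().__init__()
        self.targets: List[str] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and "/plugins/like.php" in (a.get("src") or ""):
            # the counted URL is percent-encoded in the iframe's query string
            self.targets.extend(parse_qs(urlparse(a["src"]).query).get("href", []))
        elif tag == "fb:like" and a.get("href"):
            self.targets.append(a["href"])
        elif tag == "div" and "fb-like" in (a.get("class") or "").split() and a.get("data-href"):
            self.targets.append(a["data-href"])

def like_widget_targets(html: str) -> List[str]:
    """All Like-widget target URLs found in the page, in document order."""
    p = _LikeWidgetCollector()
    p.feed(html)
    return p.targets

def _host(url: str) -> str:
    # compare registrable-looking hosts; treat www. as the same site
    return (urlparse(url).hostname or "").lower().removeprefix("www.")

def mismatched_like_widgets(page_url: str, html: str) -> List[str]:
    """Targets whose host differs from the page host: the borrowed-Likes trick."""
    page_host = _host(page_url)
    return [t for t in like_widget_targets(html) if _host(t) != page_host]

# Constructed sample (placeholder hosts): a fake news page borrowing another site's count.
SAMPLE_PAGE_URL = "http://fake-news.example/article.html"
SAMPLE_HTML = """
<html><body>
<iframe src="//www.facebook.com/plugins/like.php?href=http%3A%2F%2Fpopular-site.example%2F&layout=standard"></iframe>
<div class="fb-like" data-href="http://fake-news.example/article.html"></div>
</body></html>
"""
```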

Tuesday, December 20, 2011

2012 Security Predictions

It’s the most wonderful time of the year. A time when we set aside our quarrels and show compassion for complete strangers, realize that it’s better to give than to receive and in the security industry, let everyone know just how smart we are playing Nostradamus. Yes, it wouldn’t be December if I didn’t join in the chorus of prognosticators to let you know exactly what is in store for us all in the coming twelve months.


With WebOS now officially an orphan, Blackberry OS racing to the grave and Windows Mobile still trying to get ready for the party, the victors can be crowned – iOS and Android have won. The interesting part of the race is about to begin, namely who has the best security model. Will it be Apple’s draconian, ‘we control everything’ or Google’s happy-go-lucky ‘come on in, everyone’s invited’ approach?
Prediction: The ‘do no evil’ company will struggle mightily to keep evil applications out of their App Marketplace. In an effort to avoid being to mobile what Windows is to PCs (a breeding ground for malware), Google will subtly make Android less open to both partners and developers. They will also announce an initiative to increase security screening for applications before deployment in the App Marketplace. Apple on the other hand will have comparatively few malicious apps to deal with, but at least three major OS flaws that impact all users (and make the jailbreak team happy). Apple will address the vulnerabilities several days late and apologize to no one. iPad 3 and iPhone 5 sales will turn financial analysts into giddy schoolgirls.


Thanks to marketing teams across the globe, APT (Advanced Persistent Threat) has become a meaningless buzzword in the security lexicon. Let’s therefore ditch that term and instead focus on targeted attacks, specifically those focused on enterprises with the goal of corporate espionage or to inflict financial damage. Many praised Google for coming forward in January 2010 to reveal that they and others had been the victim of a sophisticated targeted attack, likely originating from China. Many in the public mistakenly assumed that this was a new and previously unseen event on the security stage. What was new about it was the openness displayed by Google in discussing the situation, not the class of attack.
Prediction: The term ‘APT’ will go the way of ‘eCommerce’ and the Dodo bird, but stories of targeted attacks against enterprises will rise tenfold in the media. This will be a reflection of increased activity by attackers as they broaden their reach to smaller companies and decisions by corporate counsel to disclose details of an attack rather than to suppress the information and risk litigation for trying to cover up such activity.


Want to know a secret for making security predictions? Take a look at what was being discussed at security conferences 2-3 years ago. At Black Hat DC 2009, I discussed the dangers of persistent web browser storage. One of the key technologies that will be taking browser storage to the next level is HTML5. In 2009, HTML5 apps were few and far between. Thanks in large part to mobile browsers, HTML5 is now much more mainstream. As with any new technology, developers are quickly rushing to play with the new kid on the block and publishing their goods, without taking the time to understand the security implications.
Prediction: We’ll see an increasing number of web application vulnerabilities in HTML5 apps, not because the technologies behind them are insecure, but because HTML5 is not well understood from a security perspective.


Security in the hardware space is at least ten years behind security in the software industry. This isn’t so much a reflection of the good work being done in software, as it is the reality of software vendors being forced to address an issue that was impacting business. Thanks to the efforts of many great researchers investing countless hours doing QA work that should have been done long before products hit the shelf, today most major security vendors have no choice but to employ security response teams and take vulnerability disclosure very seriously.
Hardware vendors simply haven’t faced the same scrutiny, but that’s changing. This year at Black Hat, I spoke about the sad state of embedded web servers, and recently researchers at Columbia University discussed the ability to remotely cause physical damage to HP printers due to security flaws.
Prediction: Hardware vendors will get a wake-up call as researchers shift their efforts and party like it’s 1999.


The majority of malicious activity surrounding social networks today primarily involves unwanted or nuisance traffic as opposed to attacks that lead to a fully compromised machine. We’re seeing an increase in likejacking and self-inflicted JavaScript injection attacks that have the same overall goal – drive web traffic or prompt software downloads that can earn the scammer a few cents per click.
Social networks such as Facebook are of value to more serious criminals, but mainly for reconnaissance during targeted attacks. They are a great resource for learning background information about an individual and uncovering relationships, all of which can be of great value for social engineering. We’re not, however, commonly seeing the communication aspects of social networks used to deliver malicious payloads directly to victims, or investments in uncovering web application vulnerabilities used to compromise end user machines as opposed to spreading the aforementioned scams.
Prediction: Attackers will raise the bar and leverage social networks for more sophisticated attacks, the goal of which will be full compromise as opposed to marketing financial scams.
Merry New Year!
- michael

Thursday, December 15, 2011

Google Safe Browsing v2 Lookup libraries for Perl, Python and Ruby

Last week, I mentioned that the Google Safe Browsing API has migrated to version 2. The new protocol is much more complex than version 1 and there are only a few libraries available for version 2 (see the full list in the previous post). Some popular languages, like Ruby, don't have any implementation at all.

To make the API accessible to more developers, Google has also introduced the Lookup API. This API is fairly simple. It lets users send a list of URLs (up to 500 per request) to Google and receive the classification for each of them. You still need a free API key to use the service and you are limited to 10,000 lookups per day.

I have released libraries for the Google Safe Browsing v2 Lookup API in Perl, Python and Ruby:

PyPi: Safe Browsing v2 Lookup/

All the libraries contain proper documentation and unit tests. You can use the corresponding GitHub repository to file bugs or discuss the libraries.

Tuesday, December 13, 2011

Java Drive by download attack

Recently I blogged about how attackers are forcing users to download fake codecs to spread malicious content. I’ve also come across another drive by download attack vector, which uses Java applets to execute downloaded malicious content on the victim’s machine. Download and execution of the malicious content happens without further user interaction. Let’s take a look at a screenshot of the malicious URL “hxxp://”,

As you can see, when a user visits the website the browser requests user permission to execute the Java applet code. Here is the HTML source of the page:

When the user allows the applet code to run by clicking on the “Run” button, the browser downloads the “Client.jar” file from “hxxp://”. Let’s take a look at the Wireshark captures, which show the network activity performed during this process:

The downloaded JAR file contains “Client.class”, which is executed by the JRE. An argument to the “Client.class” file is passed with the location of the malicious .exe residing on “hxxp://”. It’s interesting to see that the malicious exe file is uploaded on The file “server_crypt.exe” is then downloaded by the above applet code and executed on the victim’s machine.

Decompiling “Client.class” reveals the Java code, which you can read to better understand how it downloads the file and executes it. Let’s have a look at the piece of decompiled Java code which executes the downloaded file.

VirusTotal Reports:
Client.jar - 27 AV vendors on VirusTotal report it as “Trojan Downloader”.
server_crypt.exe - 16 AV vendors report it as “Trojan”.

ThreatExpert Report:
server_crypt.exe – Indicated highest severity level for this threat.

Beware of drive by download attacks.


Friday, December 9, 2011

Switch to Google Safe Browsing v2

Google maintains a list of malicious URLs and phishing sites distributed through their Google Safe Browsing API. On December 12, version 1 was deprecated in favor of version 2. The API for version 2 works quite differently from version 1.

Importance of Google Safe Browsing

Google Safe Browsing is part of most popular web browsers including Firefox, Chrome, Safari and Opera. Internet Explorer uses its own list, Microsoft SmartScreen. This makes the Google Safe Browsing lists the most used security filter among all web users.

The Google Safe Browsing lists are also very extensive. There are currently about 460,000 entries in the lists and they are updated every 30 minutes. You can refer to "Google Safe Browsing v2: Implementation Notes" for more detailed numbers.


I was curious to see the overlap between Google Safe Browsing v2 and a few other security blacklists:
Of the Alexa top 1,000,000 sites, 250 are blocked by Google Safe Browsing v2.

Google Safe Browsing v2 libraries

The Google Safe Browsing v2 API is fairly complex, at least more so than version 1. There are a number of libraries available, but not all implement the complete API. Here is a list of the libraries available for Google Safe Browsing v2:

Language  Name                                 Missing features                              Comment
Python    google-safe-browsing                 none                                          Reference implementation from Google
Perl      Net::Google::SafeBrowsing2           none                                          Several back-ends available for storage: MySQL, Sqlite, DBI, etc.
PHP       phpgsb                               MAC                                           Helpful statistics for testing
PHP       gsb4u                                MAC                                           Storage: MySQL, Sqlite
C#        google-safebrowse-v2-client-csharp   MAC; back-off mechanism?; save full hashes,   Storage: data file
                                               discard them after 45 minutes
C#        Google-Safe-Browsing-API-2.0-C-p     MAC                                           Storage: SQL server
Java      jGoogleSafeBrowsing                  ???                                           Not finished?
Google Safe Browsing v2 libraries

Lookup API

If you need to check fewer than 10,000 URLs a day, you can use the much simpler Lookup API. This API allows you to send URLs directly to Google and receive the classification.

I've made a Perl library for the Lookup API, Net::Google::SafeBrowsing2::Lookup, and I'm working on Ruby and Python implementations.
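As an added example for the Lookup API discussed here and in the December 15 post (this is not code from the blog or from the Net::Google::SafeBrowsing2::Lookup library), the following Python builds one Lookup request body and interprets the reply offline, honouring the 500-URLs-per-request limit the posts mention. The wire format (count on the first line, then one URL per line; HTTP 204 when every URL is clean, otherwise HTTP 200 with one verdict per line in request order) and the endpoint parameters are taken from my recollection of the v2 Lookup documentation and should be treated as assumptions; the API key is a placeholder and the sample reply is constructed.

```python
# Added example (not the blog's or the library's code): Google Safe Browsing v2
# Lookup API request body construction and reply parsing, with no network access.
# Wire format assumed from the v2 Lookup documentation: body = URL count on the
# first line then one URL per line (max 500); reply = HTTP 204 if all clean, else
# HTTP 200 with one verdict per line: "ok", "malware", "phishing" or "malware,phishing".
from typing import Dict, List

MAX_URLS_PER_REQUEST = 500    # per-request limit stated in the post
DAILY_LOOKUP_QUOTA = 10000    # per-key daily limit stated in the post

# Endpoint and query parameters (assumption); the API key is a labelled placeholder.
LOOKUP_ENDPOINT = "https://sb-ssl.google.com/safebrowsing/api/lookup"
LOOKUP_PARAMS = {"client": "example-client", "apikey": "YOUR_API_KEY_PLACEHOLDER",
                 "appver": "1.0", "pver": "3.0"}

def chunk_urls(urls: List[str], size: int = MAX_URLS_PER_REQUEST) -> List[List[str]]:
    """Split a URL list into request-sized batches."""
    return [urls[i:i + size] for i in range(0, len(urls), size)]

def requests_needed(urls: List[str], used_today: int = 0) -> int:
    """Batches required, or -1 if the lookups would exceed the daily quota."""
    if used_today + len(urls) > DAILY_LOOKUP_QUOTA:
        return -1
    return len(chunk_urls(urls))

def build_lookup_body(urls: List[str]) -> str:
    """Serialise one batch: count line, then one URL per line."""
    if not 0 < len(urls) <= MAX_URLS_PER_REQUEST:
        raise ValueError("a Lookup request carries 1 to %d URLs" % MAX_URLS_PER_REQUEST)
    for u in urls:
        # a newline inside a URL would shift every later verdict onto the wrong URL
        if "\n" in u or "\r" in u:
            raise ValueError("newline in URL: %r" % u)
    return "%d\n%s" % (len(urls), "\n".join(urls))

def parse_lookup_response(status: int, body: str, urls: List[str]) -> Dict[str, str]:
    """Map each requested URL to its verdict; 204 means every URL came back clean."""
    if status == 204:
        return {u: "ok" for u in urls}
    if status != 200:
        raise RuntimeError("Lookup API returned HTTP %d" % status)
    verdicts = body.strip("\n").split("\n")
    if len(verdicts) != len(urls):
        raise RuntimeError("expected %d verdicts, got %d" % (len(urls), len(verdicts)))
    return dict(zip(urls, verdicts))
```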

Tuesday, December 6, 2011

Fake video codecs still going strong

Convincing users to download malicious software using fake AV pages is not a new attack vector, but it has been a very successful one. Julien has previously blogged about how fake codecs are starting to replace fake AV pages. I recently encountered an interesting example employing both fake AV and fake codecs in a single attack. When a victim visits a page, they are presented with a warning message stating “You don’t have the correct Codec installed. Download should start automatically, if not, please click here to download”. Here is the screenshot of the page:

The page is loaded from “hxxp://”. Let’s take a look at the HTML source of the page to identify the malicious code.

As you can see, it downloads an exe from “hxxp://”. If the victim runs “codec.exe”, it starts a fake antivirus scan and delivers a report such as the following:

The above screenshot is typical of a fake AV attack and displays several fictitious threats being detected on the victim’s computer. Every time you run this exe file, different threats are allegedly detected. Once installed, the victim is asked to activate or buy the full version of this fake AV. This exe file downloads its content from a remote web server hosted at “”. The ThreatExpert report for this IP address details the network activity performed by this malware.

The VirusTotal results for the fake security software in this example show that it is detected by only 20/42 popular AV vendors. You can find some tips to stay away from such attacks in a separate blog post.

Make sure you are downloading real codecs, not fake ones!