Bad bytes: Independent security analysis, by contact unit<br />
<br />
<b>Some excellent recent analysis of APT networks</b> (2012-08-09)<br />
<br />
<a href="http://www.bloomberg.com/news/2012-07-26/china-hackers-hit-eu-point-man-and-d-c-with-byzantine-candor.html">http://www.bloomberg.com/news/2012-07-26/china-hackers-hit-eu-point-man-and-d-c-with-byzantine-candor.html</a><br />
<br />
<a href="http://www.secureworks.com/research/threats/chasing_apt/">http://www.secureworks.com/research/threats/chasing_apt/</a><br />
<br />
<b>Kaspersky and the FSB</b> (2012-07-24)<br />
Very interesting article on Kaspersky and the FSB from Wired, <a href="http://www.wired.com/dangerroom/2012/07/ff_kaspersky/all/" target="_blank">link</a>.<br />
<br />
<b>Website of South Korean news agency hosting malware</b> (2012-07-21)<br />
Google Safe Browsing is showing that the website of Yonhap News, South Korea's largest news organization, is hosting malware. See the images below.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-D-0GBwo_Xy0/UAqhn012vdI/AAAAAAAAAEk/AgxE5Rlh_C8/s1600/yonhap_news_attack_gsearch.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="198" src="http://2.bp.blogspot.com/-D-0GBwo_Xy0/UAqhn012vdI/AAAAAAAAAEk/AgxE5Rlh_C8/s320/yonhap_news_attack_gsearch.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-GO9RECc40-s/UAqhrFoTecI/AAAAAAAAAEs/Pq5IxE5Xr3o/s1600/yonhap_news_attack_page.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="227" src="http://1.bp.blogspot.com/-GO9RECc40-s/UAqhrFoTecI/AAAAAAAAAEs/Pq5IxE5Xr3o/s320/yonhap_news_attack_page.png" width="320" /></a></div>
<br />
<br />
<b>MacControl cyber espionage RAT linked to Chinese source code</b> (2012-07-09)<br />
The recently discovered MacControl cyber espionage tool, used in an espionage campaign against Tibet-related NGOs and described <a href="http://labs.alienvault.com/labs/index.php/2012/ms-office-exploit-that-targets-macos-x-seen-in-the-wild-delivers-mac-control-rat/" target="_blank">by AlienVault</a>, probably draws on code available on the Chinese web. Searching for strings within the tool reveals the following function names (the image below is linked from the Microsoft analysis).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-62-58/3806.042412_5F00_2107_5F00_AnInteresti6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://blogs.technet.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-62-58/3806.042412_5F00_2107_5F00_AnInteresti6.png" height="320" width="182" /></a></div>
<br />
<br />
A Google search for the strings "ParseCMD" and "NM_CMD_S" returns only 5 hits.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-W_vQeoGJb-s/T_r4kRPOc9I/AAAAAAAAAEY/vhRWNiabebU/s1600/image_maccontrol_search.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-W_vQeoGJb-s/T_r4kRPOc9I/AAAAAAAAAEY/vhRWNiabebU/s320/image_maccontrol_search.png" height="320" width="291" /></a></div>
These five results are all Chinese programming forums. The number 1 hit is a posting to the programming forum <a href="http://www.pudn.com/">www.pudn.com/</a>. The hit is for strings within the source code package shykVC.rar (size 1072 K), uploaded 2009-03-02 by 许凤 (Xu Feng) and downloaded 425 times.<br />
<br />
blog post by dmackey<br />
<br />
<b>SSL encryption being used in malware command and control</b> (2012-07-02)<br />
Evolution in malware command and control presents a significant challenge to network-based intrusion detection. According to an <a href="http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_trends-in-targeted-attacks.pdf" target="_blank">October 2011 report by TrendMicro</a>, some targeted attacks are making use of SSL-encrypted command and control communications. These techniques are a response to defensive measures taken against standard command and control mechanisms, which use specially created domains and DNS; Damballa's work provides an <a href="http://blog.damballa.com/?p=1558" target="_blank">example of such a defense</a>. Here are some excerpts from the TrendMicro report.<br />
<br />
<i>"There are malware samples that use webmail accounts as elements of command and control. When malware connects to <b>well known services such as Gmail or Yahoo! Mail the</b> <b>session is protected by SSL encryption</b> and therefore network monitoring software will be unable to determine if the subsequent traffic is malicious or not. The attackers use such webmail accounts to send commands to compromised hosts, update compromised hosts with additional malware tools or components, and ex-filtrate data from compromised hosts. In addition to webmail services, cloud-based storage services are being used to host additional malware components. The use of such services provides the attackers with command and control infrastructure that cannot be easily detected as malicious."</i><br />
<br />
<i>"Some threat <b>actors use compromised legitimate sites as command and control servers</b>. This allows the attackers some element of deception because even if the network communication is detected as anomalous, upon further inspection the website will be determined to be legitimate. One threat actor simply embeds commands within HTML comment tags in web pages on compromised, legitimate web sites. The malware simply visits these pages and extracts and decodes the commands. The use of custom base64 alphabets and XOR makes decoding the command and the network traffic increasingly difficult. In addition, <b>attackers are making use of stolen or forged SSL certificates</b> in an attempt to make their network traffic appear to be legitimate."</i><br />
<br />
These techniques make detection of command and control communications very difficult and will defeat many network-based IDS. This situation reveals a problem at the core of computer security: a small change by the attacker forces defenders into significant expense to produce new defensive measures. Let's look at the most troubling of these techniques.<br />
<br />
<b>SSL encrypted session with Gmail, command and control via Gmail</b><br />
<br />
An example, syschk.ocx (md5: 16ba21c1eac48eb20c04ac91ef9c2bd1), is described at the links below.<br />
<br />
<a href="http://www.nartv.org/2010/10/22/command-and-control-in-the-cloud/">http://www.nartv.org/2010/10/22/command-and-control-in-the-cloud/</a><br />
<br />
<a href="http://contagiodump.blogspot.com/2010/10/oct-08-cve-2010-2883-pdf-nuclear.html">http://contagiodump.blogspot.com/2010/10/oct-08-cve-2010-2883-pdf-nuclear.html</a> <br />
<br />
<a href="http://pastebin.com/8f51r7Q0">http://pastebin.com/8f51r7Q0</a><br />
<br />
How is an enterprise to detect this? One detection option is to use an <a href="http://media.blackhat.com/bh-eu-12/Jarmoc/bh-eu-12-Jarmoc-SSL_TLS_Interception-Slides.pdf" target="_blank">SSL interception proxy</a> and then run signatures over the decrypted traffic. But this is terribly cumbersome: running an SSL interception proxy can be a nightmare for a large enterprise, and it suffers from the same problem as standard IDS, namely that the system only detects known threats. The other option is to use anomaly detection to find anomalous SSL flows; some research on this has been done, <a href="http://dies.ewi.utwente.nl/teaching/master/13/" target="_blank">see this report</a>. But anomaly detection suffers from high false positives, and I have my doubts about whether this would work in a large enterprise. In addition, an attacker could modify their malware so that C&amp;C communications better mimic standard SSL communications.<br />
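One concrete form of the anomaly detection mentioned above, added here as an example and not taken from the cited research or from the post: an implant polling a webmail account for commands cannot be read inside the TLS session, but its timing is usually far more regular than a person reading mail, so flow records alone can surface it. The flow records below are constructed, and the thresholds (six sessions, coefficient of variation 0.15) are assumptions to tune per environment.

```python
"""Periodic TLS session (beacon) detection over flow records.

Flags (source, destination) pairs whose sessions to port 443 recur at a
near-constant interval, the timing pattern of an implant that polls a
webmail account for commands.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (unix time, source IP, destination name, port);
# not captures from any real network.
# 10.0.0.5 polls mail.google.com every ~300 s with one or two seconds of jitter.
FLOWS = [(1_340_000_000 + 300 * i + (i % 3), "10.0.0.5", "mail.google.com", 443)
         for i in range(12)]
# 10.0.0.9 is a person reading mail at irregular times during the day.
FLOWS += [(1_340_000_000 + t, "10.0.0.9", "mail.google.com", 443)
          for t in (0, 47, 800, 812, 2900, 3100, 7000, 7020, 9000, 15000)]


def periodicity(timestamps):
    """Mean gap between consecutive sessions and its coefficient of
    variation (stdev / mean); None when there are too few sessions."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    avg = mean(gaps)
    if avg <= 0:
        return None
    return avg, pstdev(gaps) / avg


def find_beacons(flows, min_sessions=6, max_cv=0.15):
    """Return {(src, dst): (mean_gap, cv)} for pairs whose TLS sessions
    recur regularly enough to deserve an analyst's look."""
    per_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == 443:
            per_pair[(src, dst)].append(ts)
    beacons = {}
    for pair, stamps in per_pair.items():
        if len(stamps) < min_sessions:
            continue
        stats = periodicity(stamps)
        if stats is not None and stats[1] <= max_cv:
            beacons[pair] = stats
    return beacons


if __name__ == "__main__":
    for (src, dst), (gap, cv) in find_beacons(FLOWS).items():
        print(f"{src} -> {dst}: every {gap:.0f}s, jitter cv={cv:.3f}")
```

As the post notes, the approach lives or dies on false positives: scheduled mail clients and sync agents beacon too, so the output is a triage queue, not a verdict.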
<br />
As the Australian <a href="http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm" target="_blank">Defence Signals Directorate showed</a>, network-based IDS is not the best way to prevent targeted attacks. The best approach involves an effective OS and third-party software patching program, coupled with application whitelisting and a heavy reduction in administrative accounts.<br />
<br />
<br />
<b>Security Service (MI5) Director General speaks on cyber security</b> (2012-06-26)<br />
The Director General of the British Security Service (MI5), Jonathan Evans, spoke at Mansion House on security threats facing the UK, including cyber security issues. Some interesting points from the speech include the following.<br />
<br />
<i>"Vulnerabilities in the internet are being exploited aggressively not just by criminals but also by states. And the extent of what is going on is astonishing – with industrial-scale processes involving many thousands of people lying behind both State sponsored cyber espionage and organised cyber crime."</i><br />
<br />
<i>"What is at stake is not just our government secrets but also the safety and security of our infrastructure, the intellectual property that underpins our future prosperity and the commercially sensitive information that is the life-blood of our companies and corporations. And the threat to businesses relates not only to major industrial companies but also to their foreign subsidiaries, and to suppliers of professional services who may not be so well protected."</i><br />
<br />
<i>"One major London listed company with which we have worked estimates that it incurred revenue losses of some £800m as a result of hostile state cyber attack – not just through intellectual property loss but also from commercial disadvantage in contractual negotiations."</i><br />
<br />
The full speech is available <a href="https://www.mi5.gov.uk/output/the-olympics-and-beyond.html" target="_blank">here</a>.<br />
<br />
<b>South Korea facing North Korean cyber attack campaign</b> (2012-06-22)<br />
South Korea is facing an increasing onslaught of cyber attacks from North Korea. Below is a list of the most recent significant incidents. This is a useful tactic for North Korea because it is difficult for South Korea to respond: North Korea has little Internet infrastructure to attack via computer network operations (CNO), and it would take an extreme North Korean attack involving loss of life to prompt a South Korean military response. South Korea, one of the most networked countries on Earth, has to just play defense and take the hits.<br />
<br />
<b>June 2012</b>, <b>South Korean Newspaper JoongAng Ilbo</b><br />
In June 2012 cyber actors linked to North Korea attempted to destroy the newspaper's article database and the editing system which moves articles through the paper's intranet. <a href="http://koreajoongangdaily.joinsmsn.com/news/article/article.aspx?aid=2954219" target="_blank">Link</a>. <a href="http://www.bad-bytes.blogspot.com/2012/06/joongang-ilbo-cyber-attack.html" target="_blank">Previous blog entry</a>.<br />
<br />
<b>April 2011, South Korean National Agricultural Co-operative Federation (NACF, Nonghyup Bank)</b><br />
In April 2011 cyber actors linked to North Korea destroyed hundreds of Nonghyup Bank's internal computer servers, disrupting banking services for millions of customers for over a week. <a href="http://www.koreatimes.co.kr/www/news/nation/2011/05/117_86369.html" target="_blank">Link</a>.
<br />
<br />
<b>March 2011, DDoS against South Korean websites</b><br />
In March 2011 an advanced DDoS attack was launched against a number of South Korean websites; the computers used by the botnet which launched the attack were rendered unusable afterwards by overwriting the hard drive's Master Boot Record (MBR). <a href="http://blogs.mcafee.com/mcafee-labs/10-days-of-rain-in-korea" target="_blank">Link</a>.
<br />
The attacks in March were also linked to a covert North Korean operation to import computer games containing malware into South Korea. <a href="http://koreajoongangdaily.joinsmsn.com/news/article/article.aspx?aid=2953940" target="_blank">Link</a>.
<br />
<br />
<b>July 2009 DDoS against South Korean and US websites</b>
<br />
In July 2009 several waves of DDoS attacks targeted South Korean and US websites. <a href="http://en.wikipedia.org/wiki/July_2009_cyber_attacks" target="_blank">Link</a>.
<br />
<br />
<b>Further reading</b> <br />
<br />
<i>"Increasing concerns regarding cyber warfare capabilities of North Korea"</i>, <a href="http://securityaffairs.co/wordpress/6239/intelligence/increasing-concerns-on-cyber-warfare-capabilities-of-the-north-korea.html" target="_blank">Security Affairs Blog</a>
<br />
<i>"North Korea's cyber warfare strength grows"</i>, <a href="http://www.bloomberg.com/news/2012-03-28/north-korea-s-cyberwarfare-strength-grows-general-says.html" target="_blank">Bloomberg News</a><br />
<i>"North Korea's IP address space"</i>, <a href="http://www.northkoreatech.org/2011/06/26/north-koreas-chinese-ip-addresses/" target="_blank">North Korean Tech blog</a><br />
<br />
<br />
<b>SCADA systems: 15 new HTML reply signatures and examples</b> (2012-06-22)<br />
There is an incredible variety of things now connected to the Internet, from industrial control systems and digital video security systems to printers and VoIP telephone systems. Many of these systems provide a web service via HTTP on port 80. A good deal of information about these devices can be found by looking at the metadata within the reply to a simple HTTP GET request. The <a href="http://www.shodanhq.com/" target="_blank">Shodan system</a> scans the Internet to acquire this information, and its database now holds records for millions of IP addresses around the world.<br />
<br />
In the table below I have put together a list of signatures (i.e. search strings) that appear in the HTTP metadata for 15 Supervisory Control and Data Acquisition (SCADA) systems. An additional list of 29 signatures is available in <a href="http://www.cl.cam.ac.uk/%7Efms27/papers/2011-Leverett-industrial.pdf" target="_blank">this paper</a> by Cambridge University Master's student E P Leverett; the paper also has a great introduction to SCADA systems.<br />
In the following analysis I follow the same engagement rules as E P Leverett, which come from the joint US DHS &amp; UK CPNI <a href="http://scadahacker.com/library/" target="_blank">good practice guide</a>.<br />
<ol>
<li>I will not interact with any system except to view a publicly accessible HTTP interface.</li>
<li>I will not attempt to login to any system. </li>
</ol>
What sort of SCADA systems are out there? Here are a couple of examples.<br />
<br />
<b>Wastewater overflow management pumping station, <a href="http://www.boncourt.ch/" target="_blank">Boncourt</a>, Switzerland</b><br />
<br />
The SCADA system on this pump is a <a href="http://products.schneider-electric.us/products-services/products/webenabled-solutions/transparent-ready-automation/factorycast-web-server/" target="_blank">Schneider Electric FactoryCast system</a>. According to the user manual:
<br />
<br />
<i>"FactoryCast is a software package that allows you to customize a Web site on the Embedded Web Server module. The site can be accessed via a browser to view and modify data from a Quantum or Premium programmable logic controller (PLC)."</i><br />
<br />
System home page
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-lnN7CMsMJ_4/T-NwfJbCoqI/AAAAAAAAACg/5j6ATU7nmQk/s1600/schneider_allain_water_img1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-lnN7CMsMJ_4/T-NwfJbCoqI/AAAAAAAAACg/5j6ATU7nmQk/s320/schneider_allain_water_img1.png" height="265" width="320" /></a></div>
<br />
Found on Google maps
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-Kd1k14CH2wg/T-NzXsHfbzI/AAAAAAAAAC8/GrmzoRm63mM/s1600/schneider_seba_station_boncourt_gstreetview1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-Kd1k14CH2wg/T-NzXsHfbzI/AAAAAAAAAC8/GrmzoRm63mM/s320/schneider_seba_station_boncourt_gstreetview1.png" height="225" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-WqdwdT_22u0/T-N0Ji13Z7I/AAAAAAAAADM/UIR6NMi1MPQ/s1600/schneider_seba_station_boncourt_goverview1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-WqdwdT_22u0/T-N0Ji13Z7I/AAAAAAAAADM/UIR6NMi1MPQ/s320/schneider_seba_station_boncourt_goverview1.png" height="211" width="320" /></a></div>
<br />
This small pumping station is used to manage wastewater overflow in the Basse-Allaine region of Switzerland. Wastewater from the town of Boncourt flows through a pipe down to the treatment plant in Grandvilliers, France. But what happens if there is heavy rain? Along the pipe's path are overflow stations, each consisting of a large underground basin, a pump and an overflow pipe leading to the Allaine river. When it rains the overflow first runs into the basin and the pump returns it to the pipe, reducing the flow down the pipe and lessening the chance of overflow to the river. Of course, if the rains are heavy enough then the basin will fill and wastewater will overflow into the river.<br />
<br />
The installers of the Schneider system, Swiss firm <a href="http://www.stebatec.ch/" target="_blank">Stebatec</a>, have customized the embedded web site. <br />
<br />
<b>1.9MW solar power plant, Mysliv, Czech Republic</b><br />
<br />
This system is running Schneider Electric FactoryCast. <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-0sf5LyHwduw/T-RmhrKPTGI/AAAAAAAAADg/RBH6BpH7LkI/s1600/solarpark_mysliv_homepage.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-0sf5LyHwduw/T-RmhrKPTGI/AAAAAAAAADg/RBH6BpH7LkI/s320/solarpark_mysliv_homepage.png" height="231" width="320" /></a></div>
News items give further details on this plant.<br />
<br />
<i>"On October 7, Solar Park Mysliv, located in the south-western part of Bohemia, 20 kilometers east of the city of Klatovy, started producing solar electricity. This is the first solar power plant Gehrlicher Solar AG has built in the Czech Republic. The plant has a peak performance of 1.99 MWp and comprises an area of 3.8 hectares. It will be producing 1.79 million kilowatt hours of green electricity and covering the electricity requirements of 510 three-person households. 8.844 Yingli modules and two SMA inverters were used in the construction."</i><br />
Biomass boiler systems<br />
<br />
<b>Unknown HVAC system in Germany</b><br />
<br />
This small HVAC system, running a <a href="http://www.saia-pcd.com/en/products/Pages/products.aspx" target="_blank">Saia-Burgess PCD</a>, allows anyone level 0 access (the least privileged level), which permits viewing of measurements.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-3JKpMvGZkF8/T-RwBNjN65I/AAAAAAAAAD4/IxWivwcENdM/s1600/saia_boilers_img0.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-3JKpMvGZkF8/T-RwBNjN65I/AAAAAAAAAD4/IxWivwcENdM/s320/saia_boilers_img0.png" height="234" width="320" /></a></div>
<br />
<b>Solar power plant, Coppola S.p.A, Scafati, Italy</b><br />
<br />
<a href="http://www.coppolaspa.it/it/index.html" target="_blank">Coppola</a> is a company located in <a href="http://www.comune.scafati.sa.it/" target="_blank">Scafati</a>; its solar power system was installed by the <a href="http://www.magaldi.com/en/home/" target="_blank">Magaldi group</a>. The system allows anyone to view solar plant measurements. It is running a <a href="http://www.spidercontrol.net/" target="_blank">SpiderControl system</a>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-iISPHJlxbek/T-SbIE7AkoI/AAAAAAAAAEI/F-MEMyk-1qg/s1600/spidercontrol_solarplant_italy_img3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-iISPHJlxbek/T-SbIE7AkoI/AAAAAAAAAEI/F-MEMyk-1qg/s320/spidercontrol_solarplant_italy_img3.png" height="164" width="320" /></a></div>
<br />
The security of some of these systems can be very weak. I have seen cases of the system login password being shown directly within the HTML source code of the publicly accessible device home page (anyone can view this source code using a browser's view HTML source button).<br />
<br />
<style type="text/css">
.nobrtable br { display: none }
</style>
<br />
<div class="nobrtable">
<table border="2" bordercolor="#bbb6565" cellpadding="3" cellspacing="3" style="background-color: #bbb6565;">
<tbody>
<tr>
<td colspan="4" style="text-align: center;">SCADA systems</td>
</tr>
<tr style="background-color: #bbb6565; color: #d07070; padding-bottom: 4px; padding-top: 5px;">
<th>System</th>
<th>Signature</th>
<th>Shodan count</th>
<th>Comments</th>
</tr>
<tr>
<td>Siemens building automation energy management</td>
<td>Siemens Switzerland Ltd</td>
<td>449</td>
<td><a href="http://www.buildingtechnologies.siemens.com/">http://www.buildingtechnologies.siemens.com</a></td>
</tr>
<tr>
<td>Beck IPC embedded controller</td>
<td>IPC@CHIP</td>
<td>4038</td>
<td>For example used by the solar plant energy monitor <a href="http://solar-log.net/">solar-log.net</a>, <a href="http://beck-ipc.com/">beck-ipc.com</a></td>
</tr>
<tr>
<td>SMA Solar remote solar plant monitoring/maintenance</td>
<td>Sunny webbox</td>
<td>6675</td>
<td><a href="http://www.sma-america.com/en_US/products/monitoring-systems/sunny-webbox.html" target="_blank">SMA Solar Sunny webbox</a></td>
</tr>
<tr>
<td>Kieback&Peter Bus Module Controller</td>
<td>BMR/0.09</td>
<td>85</td>
<td><a href="http://www.kieback-peter.de/de-en/products/automation-stations/bus-module-controller-bmr/" target="_blank">Kieback&amp;Peter BMC</a>. Controller for controlling, monitoring &amp; operating HVAC systems.</td>
</tr>
<tr>
<td>Saia-Burgess Process Control Device(PCD)</td>
<td>Saia PCD</td>
<td>839</td>
<td><a href="http://saia-pcd.com/">saia-pcd.com</a>, control devices for remote monitoring and machine control</td>
</tr>
<tr>
<td>Schneider Electric energy management/monitoring</td>
<td>Schneider-WEB</td>
<td>197</td>
<td>Schneider <a href="http://products.schneider-electric.us/products-services/products/webenabled-solutions/transparent-ready-automation/factorycast-web-server/" target="_blank">FactoryCast system</a> </td>
</tr>
<tr>
<td>Sciopta system software</td>
<td>sciopta Webserver</td>
<td>2</td>
<td>System Software for Safety-Critical Embedded Applications, <a href="http://sciopta.com/">sciopta.com</a></td>
</tr>
<tr>
<td>Phoenix contact system running SpiderControl</td>
<td>Phoenix-Contact</td>
<td>155</td>
<td><a href="http://phoenixcontact.com/">phoenixcontact.com</a>, <a href="http://spidercontrol.net/">spidercontrol.net</a></td>
</tr>
<tr>
<td>Moxa industrial systems</td>
<td>MoxaHttp</td>
<td>4734</td>
<td><a href="http://moxa.com/">moxa.com</a></td>
</tr>
<tr>
<td>Trihedral SCADA software</td>
<td>"Server: VTS"</td>
<td>102</td>
<td><a href="http://www.trihedral.com/products/vtscada-scada-software/" target="_blank">Trihedral VTS</a></td>
</tr>
<tr>
<td>Electro Industries/GaugeTech</td>
<td>EIG Embedded Web Server</td>
<td>118</td>
<td><a href="http://electroind.com/">electroind.com</a></td>
</tr>
<tr>
<td>clearSCADA integrated SCADA host platform</td>
<td>clearSCADA</td>
<td>13</td>
<td><a href="http://www.clearscada.com/">www.clearscada.com</a></td>
</tr>
<tr>
<td>Delta enteliTOUCH</td>
<td>DELTA enteliTOUCH</td>
<td>22</td>
<td><a href="http://www.deltacontrols.com/pl/rozwiazania-produkty/produkty/enteliSYSTEM/enteliTOUCH" target="_blank">Delta entelitouch system</a></td>
</tr>
<tr>
<td>TAC Xentra control systems</td>
<td>TAC/Xentra</td>
<td>53</td>
<td>Old systems; TAC is now owned by Schneider Electric</td>
</tr>
<tr>
<td>Loxone home automation system</td>
<td>Loxone</td>
<td>165</td>
<td>Home automation <a href="http://www.loxone.com/Pages/en/produkte/LoxWEB-Steuern-ueber-den-Browser/LoxWEB.aspx" target="_blank">web control system</a></td>
</tr>
</tbody></table>
</div>
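As an added example (not code from the original post), the following Python function maps the signature strings from the table above onto a raw HTTP reply: the kind of check an asset owner can run against the web interfaces in their own address space to learn whether they advertise an ICS product to anyone who connects. The sample replies and the version strings in their Server headers are constructed, and the "Server: VTS" entry is handled as a header value rather than a free-text string, as the table gives it.

```python
"""Match the SCADA signature strings from the table above against a raw
HTTP reply, for inventorying the web interfaces on one's own address space."""
import re

# Signature string -> system, copied from the post's table. Matched
# case-insensitively against the reply headers and the start of the body.
SIGNATURES = {
    "Siemens Switzerland Ltd": "Siemens building automation energy management",
    "IPC@CHIP": "Beck IPC embedded controller",
    "Sunny webbox": "SMA Solar Sunny WebBox",
    "BMR/0.09": "Kieback&Peter Bus Module Controller",
    "Saia PCD": "Saia-Burgess PCD",
    "Schneider-WEB": "Schneider Electric FactoryCast",
    "sciopta Webserver": "Sciopta system software",
    "Phoenix-Contact": "Phoenix Contact (SpiderControl)",
    "MoxaHttp": "Moxa industrial system",
    "EIG Embedded Web Server": "Electro Industries/GaugeTech",
    "clearSCADA": "ClearSCADA host platform",
    "DELTA enteliTOUCH": "Delta enteliTOUCH",
    "TAC/Xentra": "TAC Xentra",
    "Loxone": "Loxone home automation",  # short word: expect false positives on ordinary pages
}
# The table gives this one as a Server header value rather than a free string.
SERVER_SIGNATURES = {"VTS": "Trihedral VTS"}


def split_reply(raw):
    """Split a raw HTTP reply into (status line, {header: value}, body)."""
    text = raw.decode("latin-1") if isinstance(raw, bytes) else raw
    parts = re.split(r"\r?\n\r?\n", text, maxsplit=1)
    lines = parts[0].splitlines()
    body = parts[1] if len(parts) > 1 else ""
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return (lines[0] if lines else ""), headers, body


def classify(raw, body_bytes=4096):
    """Return the list of systems whose signature appears in the reply."""
    _, headers, body = split_reply(raw)
    hits = []
    server = headers.get("server", "").lower()
    for sig, system in SERVER_SIGNATURES.items():
        # Exact value, or value followed by a version such as "VTS/1.0".
        if server == sig.lower() or server.startswith(sig.lower() + "/"):
            hits.append(system)
    haystack = ("\n".join(f"{k}: {v}" for k, v in headers.items())
                + "\n" + body[:body_bytes]).lower()
    for sig, system in SIGNATURES.items():
        if sig.lower() in haystack and system not in hits:
            hits.append(system)
    return hits


# Constructed replies for demonstration; the Server version strings are made up.
REPLY_FACTORYCAST = ("HTTP/1.0 200 OK\r\nServer: Schneider-WEB/V2.1.4\r\n"
                     "Content-Type: text/html\r\n\r\n<html><title>FactoryCast</title></html>")
REPLY_VTS = "HTTP/1.1 200 OK\r\nServer: VTS\r\nContent-Length: 0\r\n\r\n"
REPLY_APACHE = ("HTTP/1.1 200 OK\r\nServer: Apache/2.2.22\r\n\r\n"
                "<html><body>Welcome</body></html>")

if __name__ == "__main__":
    for reply in (REPLY_FACTORYCAST, REPLY_VTS, REPLY_APACHE):
        server = split_reply(reply)[1].get("server")
        print(server, "->", classify(reply) or "no ICS signature")
```

A hit on one of the longer strings is strong evidence of the product; a hit on a short one like "Loxone" deserves a look at the page itself before it goes into an inventory.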
<br />
<br />
<b>Links to further reading</b><br />
<br />
SCADA security news and consulting, <a href="http://scadahacker.com/">scadahacker.com</a><br />
SCADA security analysis, <a href="http://www.reversemode.com/">www.reversemode.com</a><br />
SCADA security consulting firm, <a href="http://www.digitalbond.com/">www.digitalbond.com</a><br />
SCADA security consulting firm, <a href="http://www.tofinosecurity.com/">www.tofinosecurity.com</a><br />
US government ICS-CERT, <a href="http://www.us-cert.gov/control_systems/ics-cert">www.us-cert.gov/control_systems/ics-cert</a><br />
SCADA security consulting firm, <a href="http://www.redtigersecurity.com/">www.redtigersecurity.com</a><br />
<br />
Some interesting articles on problems with Moxa systems in the Netherlands.<br />
<br />
<a href="http://www.tofinosecurity.com/blog/cyber-security-nightmare-netherlands">www.tofinosecurity.com/blog/cyber-security-nightmare-netherlands</a><br />
<br />
The following are in Dutch. <br />
<br />
<a href="http://webwereld.nl/nieuws/109526/zeeuwse-gemalen-te-hacken-via-scada-lek---update.html">webwereld.nl/nieuws/109526/zeeuwse-gemalen-te-hacken-via-scada-lek---update.html</a><br />
<a href="http://webwereld.nl/nieuws/109565/scada-bedrijf-xylem-ontkent-kwetsbaarheden.html" target="_blank">webwereld.nl/nieuws/109565/scada-bedrijf-xylem-ontkent-kwetsbaarheden.html </a><br />
<br />
<br />
<b>JoongAng Ilbo cyber attack</b> (2012-06-13)<br />
In June 2012 the South Korean newspaper JoongAng Ilbo (중앙일보) was hit by a major cyber attack ("해킹, 차원 다른 악의적 수법으로", i.e. "hacking, by a malicious method on a different level") which attempted to destroy the paper's article database, editing and distribution system. News reports indicate that this attack was likely carried out by North Korean state actors and follows a threat made by North Korea earlier this year against several South Korean news outlets. In addition, the attack left the following image on the paper's website joongang.co.kr.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-TeVu3AVfYZk/T9itTkEMc2I/AAAAAAAAACU/taBgSu-9OIE/s1600/joongang_attack_10212626.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="288" src="http://3.bp.blogspot.com/-TeVu3AVfYZk/T9itTkEMc2I/AAAAAAAAACU/taBgSu-9OIE/s320/joongang_attack_10212626.jpg" width="320" /></a></div>
The text in yellow is a message from the hackers, written in the form of SQL queries, and reads as follows.
<br />
<blockquote>
select count (*) from tbTarget // 1000000<br />
select domain, d-day, method from tbTarget WHERE seqnumber = 2048 //www.joongang.co.kr, 2012-06-09, APT <br />
select domain, d-day, method from tbTarget where seqnumber = 2049 //???.??????.???,2012 -??-19,???? <br />
select domain, d-day, method from tbTarget where seqnumber = 2050 //???.?????.???,2012 -??-29,?? <br />
select count (*) from tbHacker // 10000 <br />
select name, birthday, sex from tbHacker where age < 5 //IsOne, 2011-06-09, woman
</blockquote>
Each line is a purported SQL query followed by its supposed result. The message threatens further attacks on the 19th and 29th day of an unknown month in 2012. The hacking group calls itself "IsOne".<br />
<br />
<b>Only seven cyber attacks. The term is widely overused.</b> (2012-06-12)<br />
Many analysts misuse the term cyber attack, making operations better classed as espionage or vandalism seem more dramatic than they really are. According to the Department of Defense, Computer Network Attack (CNA) consists of actions taken through the use of computer networks to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves (see <a href="http://www.fas.org/irp/doddir/dod/jp3_13.pdf" target="_blank">Joint Pub 3-13</a>). I would be even stricter than the DoD and suggest that denial of service operations have to be extremely significant to be classed as an attack. A bank or government website being unusable for a few days is hardly in the same class of operation as destroying information throughout an organization to cripple its operations.<br />
<br />
I would argue that there have been only 7 publicly known cyber attacks in history, and 3 of them are probably by North Korea. It is not surprising that all the attacks relate to significant real-world conflicts.<br />
<br />
<b>June 2012</b>, <b>South Korean Newspaper JoongAng Ilbo</b><br />
In June 2012 cyber actors linked to North Korea attempted to destroy the newspaper's article database and the editing system which moves articles through the paper's intranet. <a href="http://koreajoongangdaily.joinsmsn.com/news/article/article.aspx?aid=2954219" target="_blank">Link</a>.<br />
<br />
<b>April 2012, Iranian Oil Ministry </b><br />
Unknown cyber actors launched an attack against the Oil Ministry to destroy key ministry information. <a href="http://english.farsnews.com/newstext.php?nn=8101301403" target="_blank">Link</a>.<br />
<br />
<b>March 2012, Al Qaeda forums knocked offline</b><br />
Unknown cyber actors disabled several major Al Qaeda online forums; the forums remained offline for many weeks. <a href="http://www.csmonitor.com/USA/2012/0403/Al-Qaeda-rocked-by-apparent-cyberattack.-But-who-did-it" target="_blank">Link</a>.<br />
<br />
<b>February 2012, BBC news</b><br />
In early 2012 cyber actors linked to Iran launched an attack against the BBC's Persian language service; the attack appeared to be coordinated with Iranian satellite jamming efforts. <a href="http://www.bbc.co.uk/news/technology-17365416" target="_blank">Link</a>.<br />
<br />
<b>April 2011, South Korean National Agricultural Co-operative Federation (NACF, Nonghyup Bank)</b><br />
In April 2011 cyber actors linked to North Korea destroyed hundreds of Nonghyup Bank's internal computer servers, disrupting banking services for millions of customers for over a week. <a href="http://www.koreatimes.co.kr/www/news/nation/2011/05/117_86369.html" target="_blank">Link</a>.<br />
<br />
<b>March 2011, DDoS against South Korean websites</b><br />
In March 2011 an advanced DDoS attack was launched against a number of South Korean websites. After the attack, the computers used by the botnet that launched it were rendered unusable by overwriting each hard drive's Master Boot Record (MBR). <a href="http://blogs.mcafee.com/mcafee-labs/10-days-of-rain-in-korea" target="_blank">Link</a>.<br />
<br />
<b>2008-2010 Natanz, the Iranian centrifuge plant</b><br />
According to the New York Times the US launched a cyber attack against Natanz to destroy centrifuges. <a href="http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html" target="_blank">Link</a>.contact unithttp://www.blogger.com/profile/09201912009730634722noreply@blogger.com0tag:blogger.com,1999:blog-657717787375980372.post-85036306770431094202012-06-07T07:26:00.001-07:002012-06-28T05:41:37.710-07:00Internet infrastructureIt is good to remember that cyberspace is maintained by physical hardware. Here are some great links to information on the physical infrastructure that keeps the global Internet running.<br />
<br />
<a href="http://www.submarinecablemap.com/" target="_blank">Global submarine cable map</a><br />
<br />
<a href="http://www.theatlantic.com/video/archive/2011/11/bundled-buried-behind-closed-doors/248055/" target="_blank">Bundled, Buried and Behind Closed Doors by Ben Mendelsohn via The Atlantic</a><br />
<br />
<a href="http://gizmodo.com/5912383/how-to-destroy-the-internet" target="_blank">Gizmodo on Internet infrastructure</a><br />
<br />
<a href="http://www.intelsat.com/network/satellite/" target="_blank">Intelsat's satellite fleet footprint</a><br />
<br />
<a href="http://www.eutelsat.com/satellites/satellite-fleet.html" target="_blank">Eutelsat fleet</a><br />
<br />
<a href="http://www.asiasat.com/asiasat/contentView.php?section=3&lang=0" target="_blank">Asiasat fleet </a>contact unithttp://www.blogger.com/profile/09201912009730634722noreply@blogger.com0tag:blogger.com,1999:blog-657717787375980372.post-77408851490204237012012-06-05T11:00:00.002-07:002012-06-28T05:42:31.094-07:00PKI infrastructure attacks, FlameSome excellent analysis of Flame's usage of compromised certificates<br />
<br />
<a href="http://blog.cryptographyengineering.com/" target="_blank">Matthew Green's Cryptographic engineering blog</a><br />
<br />
<a href="http://rmhrisk.wpengine.com/" target="_blank">The unmitigated risk blog </a><br />
<br />
<a href="http://blog.didierstevens.com/" target="_blank">Didier Stevens' blog</a><br />
<br />
<a href="http://blog.crysys.hu/" target="_blank">CrySys Blog </a><br />
<br />
<a href="http://blogs.technet.com/b/srd/" target="_blank">Microsoft Security Research and Defense blog</a>contact unithttp://www.blogger.com/profile/09201912009730634722noreply@blogger.com0tag:blogger.com,1999:blog-657717787375980372.post-43857587858724728152012-05-22T06:07:00.000-07:002012-06-28T05:36:56.143-07:00Adobe Systems, a national security threat?<span style="font-size: small;">Slopping coding and software development practices by Adobe Systems has made things easier for China based cyber espionage actors. The number one vector for</span> these intrusions has been carefully crafted e-mails containing malicious attachments or links. And the most commonly targeted vulnerable applications have been Adobe Systems products. Let's look at this a little closer. Below is a table listing the number of high severity vulnerabilities within the National Vulnerability Database for several different products. Adobe product vulnerabilities dominate those of Microsoft Windows. But there are obviously serious issues across the entire software industry which may be a subject for another post.<br />
<br />
<br />
<style type="text/css">
.nobrtable br { display: none }
</style>
<br />
<div class="nobrtable">
<table border="2" bordercolor="#bbb6565" cellpadding="3" cellspacing="3" style="background-color: #bbb6565;">
<tbody>
<tr style="background-color: #bbb6565; color: #d07070; padding-bottom: 4px; padding-top: 5px;">
<th>Year</th>
<th>Adobe (all products)</th>
<th>Adobe Reader</th>
<th>Adobe Flash</th>
<th>Microsoft Powerpoint</th>
<th>Microsoft Windows XP SP3</th>
</tr>
<tr>
<td>2012</td>
<td>44</td>
<td>9</td>
<td>0</td>
<td>14</td>
<td>12</td>
</tr>
<tr>
<td>2011</td>
<td>166</td>
<td>49</td>
<td>19</td>
<td>57</td>
<td>90</td>
</tr>
<tr>
<td>2010</td>
<td>184</td>
<td>63</td>
<td>25</td>
<td>59</td>
<td>62</td>
</tr>
<tr>
<td>2009</td>
<td>77</td>
<td>42</td>
<td>33</td>
<td>18</td>
<td>73</td>
</tr>
<tr>
<td>2008</td>
<td>34</td>
<td>12</td>
<td>17</td>
<td>11</td>
<td>23</td>
</tr>
<tr>
<td>2007</td>
<td>13</td>
<td>3</td>
<td>2</td>
<td>3</td>
<td>3</td>
</tr>
</tbody></table>
</div>
<br />
Looking in further detail, here are the vulnerabilities that have actually been exploited in the wild during the period January 2011 to today. Adobe Systems vulnerabilities outnumber those of Microsoft 7 to 2. This information can be found by searching the National Vulnerability Database for the string "exploited in the wild" and cross-correlating with the analysis of virus researchers.<br />
<br />
Adobe: CVE-2012-0779, CVE-2011-4369, CVE-2011-2462, CVE-2011-2110, CVE-2011-0627, CVE-2011-0611, CVE-2011-0609<br />
<br />
Microsoft: CVE-2012-0158, CVE-2011-3402<br />
<br />
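The two tallies above (high-severity counts per product and year, and the "exploited in the wild" text search) are easy to reproduce mechanically. The script below is an added example, not code from the original post or from NVD: it reads feed items whose nesting follows the NVD JSON 1.1 format as an assumption (the real feed has many more fields), and the sample items, scores and descriptions are constructed for illustration. The three CVE ids it reuses are the ones named in the post; the CVE-0000-000x ids are obvious placeholders. It also handles the one edge case that trips up naive scripts: entries that have no CVSS score yet.

```python
"""Tally high-severity and exploited-in-the-wild CVEs per vendor and year.

Added example, not code from the original post.  The feed items below are
CONSTRUCTED for illustration: their nesting follows the NVD JSON 1.1 feed
format as an assumption (the real feed carries many more fields), and the
scores and descriptions are illustrative, not NVD data.
"""
from collections import Counter
from typing import Dict, List, Optional


def make_item(cve_id: str, vendor: str, published: str,
              score: Optional[float], text: str) -> dict:
    """Build one feed item in the (assumed) NVD JSON 1.1 nesting."""
    item = {
        "cve": {
            "CVE_data_meta": {"ID": cve_id},
            "affects": {"vendor": {"vendor_data": [{"vendor_name": vendor}]}},
            "description": {"description_data": [{"lang": "en", "value": text}]},
        },
        "publishedDate": published + "T00:00Z",
    }
    if score is not None:  # not-yet-analysed entries carry no "impact" block
        item["impact"] = {"baseMetricV2": {"cvssV2": {"baseScore": score}}}
    return item


# Constructed sample feed.  The three CVE ids named in the post are real
# identifiers; the CVE-0000-000x entries are obvious placeholders.
SAMPLE_FEED = {"CVE_Items": [
    make_item("CVE-2011-0611", "adobe", "2011-04-13", 9.3,
              "Constructed text: Flash Player flaw, exploited in the wild in April 2011."),
    make_item("CVE-2011-2462", "adobe", "2011-12-07", 10.0,
              "Constructed text: Reader flaw, as exploited in the wild in December 2011."),
    make_item("CVE-2012-0158", "microsoft", "2012-04-10", 9.3,
              "Constructed text: Office control flaw, exploited in the wild in April 2012."),
    make_item("CVE-0000-0001", "adobe", "2011-06-01", 4.3,
              "Constructed low-severity entry with no exploitation note."),
    make_item("CVE-0000-0002", "microsoft", "2012-02-14", 7.2,
              "Constructed high-severity entry with no exploitation note."),
    make_item("CVE-0000-0003", "adobe", "2012-03-01", None,
              "Constructed entry still awaiting analysis (no CVSS score yet)."),
]}


def flatten(item: dict) -> dict:
    """Extract the few fields the tally needs from one feed item.

    "cvss" is None when the item has no impact block, so callers that need a
    score can skip it instead of crashing on a KeyError.
    """
    cve = item["cve"]
    try:
        score: Optional[float] = float(item["impact"]["baseMetricV2"]["cvssV2"]["baseScore"])
    except KeyError:
        score = None
    vendors = [v["vendor_name"] for v in cve["affects"]["vendor"]["vendor_data"]]
    text = " ".join(d["value"] for d in cve["description"]["description_data"]
                    if d.get("lang", "en") == "en")
    return {"id": cve["CVE_data_meta"]["ID"], "year": int(item["publishedDate"][:4]),
            "vendors": vendors, "cvss": score, "description": text}


def high_severity_by_year(feed: dict, vendor: str, threshold: float = 7.0) -> Dict[int, int]:
    """Count CVEs affecting `vendor` with CVSS >= threshold, keyed by year.
    NVD's HIGH band for CVSS v2 starts at 7.0, hence the default."""
    counts: Counter = Counter()
    for item in feed["CVE_Items"]:
        rec = flatten(item)
        if rec["cvss"] is not None and rec["cvss"] >= threshold and vendor in rec["vendors"]:
            counts[rec["year"]] += 1
    return dict(counts)


def exploited_in_the_wild(feed: dict, marker: str = "exploited in the wild") -> Dict[str, List[str]]:
    """Map vendor -> CVE ids whose description mentions in-the-wild exploitation.
    This is the free-text search the post describes; it is a starting point,
    not a complete list, since not every description carries the phrase."""
    hits: Dict[str, List[str]] = {}
    for item in feed["CVE_Items"]:
        rec = flatten(item)
        if marker in rec["description"].lower():
            for vendor in rec["vendors"]:
                hits.setdefault(vendor, []).append(rec["id"])
    return hits


if __name__ == "__main__":
    for vendor in ("adobe", "microsoft"):
        print(vendor, "high severity by year:", high_severity_by_year(SAMPLE_FEED, vendor))
    print("exploited in the wild:", exploited_in_the_wild(SAMPLE_FEED))
```

Run against a real downloaded feed file, the same two functions give the per-year table and the in-the-wild list; the cross-correlation with antivirus researchers' write-ups that the post mentions still has to be done by hand, because NVD descriptions do not reliably record exploitation.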
Should software firms be held liable for the losses their bugs impose on customers? Why are people still using Adobe products? This points to wider issues of market failure within the software and information security industry, which has now caused issues of national security concern to governments worldwide.<br />
<br />contact unithttp://www.blogger.com/profile/09201912009730634722noreply@blogger.com0tag:blogger.com,1999:blog-657717787375980372.post-77215153091243225832012-05-21T05:00:00.003-07:002014-03-22T10:52:02.514-07:00US government publications/statements link China to decade long campaign of cyber espionage operations<div style="margin-bottom: 0in;">
<style type="text/css">
<!--
@page { margin: 0.79in }
P { margin-bottom: 0.08in }
A:link { so-language: zxx }
-->
</style> </div>
<div style="margin-bottom: 0in;">
The last 6 months have seen a series of extraordinary revelations in which US government officials have stated that China-based actors are responsible for an extensive industrial cyber espionage campaign and, further, have linked this activity to the Chinese government itself.
This started in October 2011 when the Office of the National Counterintelligence Executive issued its 2011 report on Foreign Economic Collection and Industrial Espionage, which is available <a href="http://www.ncix.gov/index.php" target="_blank">here</a>.
The report has many interesting details and is well worth reading, but from the executive summary we have the key paragraph.</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<i>"Chinese
actors are the world’s most active and persistent perpetrators of
economic espionage. US private sector firms and cybersecurity
specialists have reported an onslaught of computer network intrusions
that have originated in China, but the IC cannot confirm who was
responsible.”</i>
</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
This is the first time the US government has officially named Chinese actors as carrying out extensive cyber espionage, but it is worded carefully so as not to say the Chinese government or name any entities within China. Then in January 2012 Mike McConnell, Michael Chertoff, and William Lynn, writing in the Wall Street Journal, stated something stronger, naming the Chinese government as responsible.</div>
<div style="margin-bottom: 0in;">
<br /></div>
<i>"Only three
months ago, it would have been a violation of national security rules
for us to share what we are about to say, even though, as the former
Director of National Intelligence (DNI), Secretary of Homeland
Security, and Deputy Secretary of Defense, we have long known this to
be true: The Chinese government has a national policy of economic
espionage in cyberspace. In fact, the Chinese are the world’s most
active and persistent practitioners of cyber espionage today.” </i>
<br />
<br />
<i>"Evidence of China’s economically devastating thefts of
proprietary technologies and other intellectual property of U.S.
companies is growing exponentially, and only in October 2011 were the
details declassified in a report to Congress by the Office of the
National Counterintelligence Executive. By contrast, as a matter of
official national policy, the United States does not engage in or
allow economic espionage.”</i>
<br />
<br />
The full article is available <a href="http://online.wsj.com/article/SB10001424052970203718504577178832338032176.html" target="_blank">here</a>.<br />
<div style="margin-bottom: 0in;">
<br />
Then from a Senate Armed Services Committee hearing on Cyber Command from March 2012 (transcript and video are available <a href="http://armed-services.senate.gov/e_witnesslist.cfm?id=5283" target="_blank">here</a>) we have the following.</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
From Chairman Levin's opening remarks.</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<b>Chairman LEVIN.</b><i>"...General Alexander has
stated that the relentless industrial espionage being waged against
U.S. industry and Government chiefly by China constitute ‘‘the
largest transfer of wealth in history.’’ The committee needs to
understand the dimensions of this technology theft and its impact on
our national security and prosperity..."</i>
</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
From an exchange between Chairman Levin and General Alexander (Commander, Cyber Command, and Director, NSA).</div>
<div style="margin-bottom: 0in;">
<br /></div>
<b>Chairman LEVIN.</b><i>"...The industrial espionage
campaign I noted in my opening statement, and you made reference to
it in your statement, particularly China’s aggressive and
relentless industrial espionage campaign through cyberspace. I
wonder. Can you [give] us some examples in open session of the technologies
that have been stolen through penetration of major DOD contractors
and perhaps the Department itself."</i>
<br />
<b>General ALEXANDER.</b> <i>"...We are seeing a great deal of DOD-related equipment
stolen by the Chinese. I cannot go into the specifics here, but we do
see that from defense industrial base companies throughout. There are
some very public ones, though, that give you a good idea of what is
going on. The most recent one, I think, was the RSA exploits. RSA
creates the two-factor authentication for things like PayPal. So when
you get on and order something and pay for it over the network, the
authentication is done by encryption systems that RSA creates. The
exploiters took many of those certifications and underlying software
which makes it almost impossible to ensure that what you are
certifying or what someone else is certifying is in fact correct. </i>
<br />
<i>Now, RSA acted
quickly and is replacing all those certificates and has done that in
priority order for the Defense Department and others.</i>
<br />
<i>But when you
think about it, the ability to do it against a company like RSA is
such a high-order capability, RSA being one of the best, that if they
can do it against RSA, that makes most of the other companies
vulnerable."</i>
<br />
<br />
(The Chinese state actor then used the stolen RSA information to attempt to breach Lockheed Martin and other defense contractors; see for example <a href="http://www.nytimes.com/2011/06/04/technology/04security.html" target="_blank">this article in the New York Times</a>.)<br />
From an exchange between Senator McCain and General Alexander.<br />
<br />
<b>Senator
MCCAIN.</b> <i>"I want to thank the witnesses. I would ask General
Alexander. Do you agree that Secretary Panetta and the FBI have said
that cyberattacks may soon be the number one threats to the United
States?"</i>
<br />
<b>General
ALEXANDER</b>. <i>"Absolutely, Senator."</i>
<br />
<b>Senator
MCCAIN.</b> <i>"And would you agree that the major threats to our
national security come from outside the United States specifically,
obviously from unclassified information, from China"</i>
<br />
<b>General
ALEXANDER.</b> <i>"Absolutely." </i>
<br />
<br />
In late April 2012 Rep. Mike Rogers (R-Mich., chairman) and Rep. Dutch Ruppersberger (D-Md., ranking member) of the House Permanent Select Committee on Intelligence wrote an op-ed for Politico which opens with a very strongly worded paragraph.<br />
<i>"The Chinese government has been quietly pursuing a strategy to help
project that nation into superpower status. China steals as much
intellectual property as it can from U.S. companies and uses it to
artificially and unfairly compete in the global marketplace. Beijing
uses this information to further its military modernization and, most
important, to help fuel economic growth."</i><br />
and continues<br />
<i>"Every morning in China, thousands of highly trained computer spies now
wake up with one mission: Steal U.S. intellectual property that the
Chinese can use to further their economic growth. American companies are
hemorrhaging research and development on products ranging from fighter
engines, to pesticides, to cutting-edge information technology."</i><br />
The full op-ed is available <a href="http://www.politico.com/news/stories/0412/75602.html#ixzz1vWR9YpeT" target="_blank">here</a>.
<br />
Then on 18 May 2012 the Department of Defense released its 2012 report on <a href="http://www.defense.gov/pubs/" target="_blank"><i>"Military and Security Developments involving the People's Republic of China"</i></a>, which mentions concerns regarding China and cyber espionage. At the news conference launching this report there was the following exchange between a reporter and Dave Helvey, the acting deputy assistant secretary of defense for East Asia. The official is much more cautious than the members of Congress and only talks about China-based actors.<br />
<br />
<b>Q: David, Bob Burns from AP.</b><i>"On the topic of cyber espionage, which
you mentioned very prominently in the report, do you see signs of
them accelerating this capability, in particular as it could be
applied against U.S. targets?"</i><br />
<br />
<b>MR. HELVEY:</b><i>"Well, we continue to highlight in this report some of
the concerns that we have about China's investment in cyber
capabilities. We note that China's investing in not only capabilities
to better defend their networks but also they're looking at ways to
use cyber for offensive operations. We also highlight a number of
areas where we see China engaging in cyber activity focused on
computer network exploitation. That continues to be a concern of ours,
and we've raised it and we've talked to the Chinese about it, most
recently during the Strategic Security Dialogue in Beijing. As well,
Secretary Panetta raised that with General Liang in their visit. So
this is something that we continue to pay very careful attention to,
and we've raised these concerns with the Chinese."</i><br />
The full transcript is available <a href="http://www.defense.gov/transcripts/transcript.aspx?transcriptid=5036" target="_blank">here</a>.<br />
<br />
Turning now to non-government sources, we have the following from the March 26, 2012 <a href="http://www.uscc.gov/hearings/2012hearings/written_testimonies/hr12_03_26.php" target="_blank">testimony of Richard Bejtlich</a>, CSO, <a href="http://www.mandiant.com/" target="_blank">Mandiant</a>, before the U.S.-China Economic and Security Review Commission.
<br />
<br />
<i>"For the
most part, our team and I use the strict definition of APT as created
by the Air Force in 2006, namely as an unclassified reference to
intrusion sets ultimately traced back to actors in China. Our
intelligence team currently tracks approximately twenty distinct APT
groups. These groups include all of the parties identified by reports
publicly released by other security companies, as well as actors that
we believe are unknown to many of those other companies.”</i><br />
<i>"Most of the
APT groups we track target the US defense industrial base (DIB). Some
of these groups also target US government agencies, think tanks and
political organizations, and other commercial or private targets.”</i><br />
<br />
So there are at least 20 distinct groups of cyber espionage actors tied to China. Is further attribution possible? Yes, of course, despite what is commonly said regarding the difficulty of attribution. A <a href="http://www.reuters.com/article/2011/04/14/us-china-usa-cyberespionage-idUSTRE73D24220110414" target="_blank">Reuters report</a> based on authoritative information clearly attributes at least some Chinese cyber espionage activity to the People's Liberation Army's Third Department Technical Reconnaissance Bureaus. The report also links this activity with the intrusions detailed within the 2009 Information Warfare Monitor report <i>“Tracking GhostNet: Investigating a Cyber Espionage Network”</i>; the subsequent Information Warfare Monitor report <i>“Shadows in the Cloud: Investigating Cyber Espionage 2.0”</i> details similar activity. These reports make for fascinating reading and are available <a href="http://www.infowar-monitor.net/research/" target="_blank">here</a>.
A couple of the actors involved in these activities have even been named, in particular <a href="http://www.thedarkvisitor.com/2009/04/hunting-the-ghostnet-hacker/" target="_blank">Lost33</a> and <a href="http://www.thedarkvisitor.com/tag/peng-yinan/" target="_blank">Yinan Peng</a>. An excellent report on the PLA Third Department is available from the Project 2049 Institute, <a href="http://project2049.net/publications.html" target="_blank"><i>“The Chinese People's Liberation Army Signals Intelligence and Cyber Reconnaissance Infrastructure”</i></a>. Further information on the PLA and cyber espionage is available from a report prepared for the U.S.-China Economic and Security Review Commission, <a href="http://www.uscc.gov/RFP/2012/USCC%20Report_Chinese_CapabilitiesforComputer_NetworkOperationsandCyberEspionage.pdf" target="_blank"><i>“Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations and Cyber Espionage”</i></a>.<br />
<br />
Early reporting on Titan Rain suggests China-based cyber operations have been underway for many years.<br />
<a href="http://www.time.com/time/magazine/article/0,9171,1098961-1,00.html" target="_blank">http://www.time.com/time/magazine/article/0,9171,1098961-1,00.html</a><br />
<br />
Here are some links to useful summaries of significant cyber events over the last few years.<br />
<ul>
<li>Center for Strategic and International Studies, cyber events since 2006 <a href="http://csis.org/publication/cyber-events-2006" target="_blank">report</a>.
</li>
<li>Jamie Metzl at the Asia Society on <a href="http://asiasociety.org/policy/strategic-challenges/china-and-cyber-espionage" style="font-weight: normal;" target="_blank">China and cyber espionage</a>.</li>
<li>Foreign Policy's <a href="http://thecable.foreignpolicy.com/posts/2010/01/22/the_top_10_chinese_cyber_attacks_that_we_know_of" target="_blank">The Cable's Top 10</a>.</li>
<li><a href="http://www.bloomberg.com/news/2011-12-13/china-based-hacking-of-760-companies-reflects-undeclared-global-cyber-war.html" target="_blank">Bloomberg report on 760 companies</a> which have experienced cyber espionage intrusions.</li>
<li>Command Five consulting research papers, <a href="http://www.commandfive.com/research.html" target="_blank">here</a>. </li>
</ul>
<div style="margin-bottom: 0in;">
Of course others do it too, see reports below on Buckshot Yankee.</div>
<div style="margin-bottom: 0in;">
<ul>
<li>William Lynn (writing when he was United States Deputy Secretary of Defense) in Foreign Affairs magazine on <a href="http://www.foreignaffairs.com/articles/66552/william-j-lynn-iii/defending-a-new-domain" target="_blank"><i>"Defending a New Domain"</i></a>.</li>
<li>Extensive Washington Post article with many interesting details, <a href="http://www.washingtonpost.com/national/national-security/cyber-intruder-sparks-response-debate/2011/12/06/gIQAxLuFgO_story.html" target="_blank">here</a>.</li>
<li>Here is a <a href="http://articles.latimes.com/2008/nov/28/nation/na-cyberattack28" target="_blank">LA Times article</a> which suggests the intrusion came from Russia.</li>
</ul>
</div>
<div style="margin-bottom: 0in;">
<br /></div>
contact unithttp://www.blogger.com/profile/09201912009730634722noreply@blogger.com0tag:blogger.com,1999:blog-657717787375980372.post-89576221644461021452011-09-14T07:50:00.000-07:002012-06-28T05:35:45.202-07:00Revisiting recent oscommerce mass compromise<div style="margin-bottom: 0in;">
Open source commerce (osCommerce) “is an e-commerce and online store-management software program. It can be used on any web server that has PHP and MySQL installed. It is available as free software under the GNU General Public License.”[1,2]</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
In the first half of 2011 an attack targeted e-commerce sites running osCommerce, using the Blackhole Exploit Kit. The attackers scanned millions of web servers for osCommerce vulnerabilities. Many sites run old or badly configured installations that are vulnerable, so the mass attack was very successful. In particular the attacks search for the vulnerabilities listed below[3]. Some aspects of the attack have changed over the months: as defenders have blacklisted or de-registered domain names, the attackers have responded by changing domains, exploits and payloads. </div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
</div>
<div style="margin-bottom: 0in;">
<a href="http://www.1337day.com/exploits/16505">osCommerce Remote Edit Site Info Vulnerability</a></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<a href="http://www.exploit-db.com/exploits/17285/">osCommerce 2.3.1 (banner_manager.php) Remote File Upload Vulnerability</a></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<a href="http://www.exploit-db.com/exploits/12801/">Oscommerce Online Merchant v2.2 File Disclosure And Admin ByPass</a>. </div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
The above vulnerabilities exploit a weakness in how remote admin access to an osCommerce site is secured. According to the osCommerce site, </div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
"The Administration Tool is used to configure the online store, insert products for sale, administrate customers, and process orders. The Administration Tool is protected by a login mechanism which only allows verified administrators to login and to administrate the online store. "[4]</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
A security patch was issued to address the critical issues with remote admin; again from the osCommerce site we have,</div>
<div style="margin-bottom: 0in;">
</div>
<div style="margin-bottom: 0in;">
“The Administration Tool log-in feature introduced in v2.2RC2 can be bypassed on Apache web servers with AcceptPathInfo enabled by manipulating the URL. “[5]</div>
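The quoted advisory says the login could be bypassed on Apache servers with AcceptPathInfo enabled, by manipulating the URL. With AcceptPathInfo on, Apache serves a request for an admin script whose path continues past the script name and hands the remainder to the script as PATH_INFO, so a defender's first question after reading this is whether the web logs show admin-script requests of that shape. The hunt script below is an added example, not code from the original post or from the osCommerce project: the log lines are constructed in Apache combined-log style using documentation addresses, and the "/admin/" prefix and the trailing-path-info heuristic are assumptions about the deployment (a renamed admin directory needs a different prefix).

```python
"""Hunt Apache access logs for osCommerce admin requests carrying path info.

Added example, not code from the original post.  Log lines are CONSTRUCTED
in Apache combined-log style with documentation addresses; the "/admin/"
prefix and the PATH_INFO heuristic are assumptions about the deployment.
"""
import re
from typing import Dict, List

# Apache common/combined log prefix: client ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')

# Heuristic (assumption): a PHP script under the admin prefix followed by a
# further path segment, i.e. "/admin/<script>.php/<path info>".  Query
# strings are excluded so "?x=a.php/b" cannot trigger it.
PATHINFO_RE = re.compile(r'^/admin/[^?#]*\.php/[^?#]*', re.IGNORECASE)

# Constructed sample log: ordinary admin use from one client, PATH_INFO-style
# admin requests from another, and one unparseable line.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Aug/2011:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5123
203.0.113.5 - - [14/Aug/2011:10:01:05 +0000] "GET /admin/login.php HTTP/1.1" 200 2210
198.51.100.7 - - [14/Aug/2011:10:02:11 +0000] "GET /admin/configuration.php/extra?gID=1 HTTP/1.1" 200 8810
198.51.100.7 - - [14/Aug/2011:10:02:13 +0000] "POST /admin/configuration.php/extra?gID=1 HTTP/1.1" 302 0
198.51.100.7 - - [14/Aug/2011:10:02:20 +0000] "POST /admin/banner_manager.php/extra HTTP/1.1" 302 0
192.0.2.9 - - [14/Aug/2011:10:03:00 +0000] "GET /admin/categories.php?cPath=1 HTTP/1.1" 200 9000
192.0.2.9 - - [14/Aug/2011:10:03:04 +0000] "GET /catalog/images/banners/x.php/ HTTP/1.1" 404 0
garbage line that does not parse
"""


def parse_line(line: str) -> Dict[str, str]:
    """Parse one access-log line; returns {} for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else {}


def find_pathinfo_requests(log_text: str) -> List[Dict[str, str]]:
    """Return parsed entries whose target is an admin script with trailing path info."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and PATHINFO_RE.match(entry["target"]):
            hits.append(entry)
    return hits


def write_attempts_by_ip(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count state-changing (POST) path-info requests per client: the ones that
    could have altered store configuration, such as the Store Name the post
    shows being used to plant the malicious link."""
    counts: Dict[str, int] = {}
    for h in hits:
        if h["method"] == "POST":
            counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_pathinfo_requests(SAMPLE_LOG)
    for h in found:
        print(h["ip"], h["method"], h["target"], h["status"])
    print("POST path-info requests per client:", write_attempts_by_ip(found))
```

A hit is a reason to compare the store's configuration values (the Store Name above all) and admin files against a known-good copy, not proof of compromise on its own. The fix is the vendor patch the advisory refers to; as a belt-and-braces measure, Apache's own AcceptPathInfo directive set to Off for the admin directory makes the server answer such requests with 404 instead of passing the trailing segment to the script.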
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
</div>
<div style="margin-bottom: 0in;">
Once a site is compromised the attacking group inserts a hidden malicious link, which points to the first in a chain of redirectors that ultimately lead to a site which attempts to exploit the user and install malicious programs, for example the Zeus banking trojan. As mentioned earlier, the attacking group has responded to defenders by changing domains, exploits and payloads, so over the months the details of the attack have changed.</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
Let's look at an example of a compromised osCommerce e-commerce site from August 2011.</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
The site hxxp://cledwilliams.co.uk looks to be a forgotten or half-completed e-commerce site for a small coach tour company in the UK. </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-m6Rmadnsgek/Tm-W8gJSd9I/AAAAAAAAABo/fzDSN7MqD9M/s1600/analysis_oscommerce_cledwilliams.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="190" src="http://1.bp.blogspot.com/-m6Rmadnsgek/Tm-W8gJSd9I/AAAAAAAAABo/fzDSN7MqD9M/s320/analysis_oscommerce_cledwilliams.png" width="320" /></a></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
The site was compromised at some point in the past, and a look at the HTML source for the page shows the malicious link left by the attackers. The attackers used the osCommerce vulnerability to edit the "Store Name" configuration value, which is used to construct the page header/title; below, the malicious link can be seen in the code for the page header.[6]</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-WR9bd3zU2xA/Tm-ZNsgrZnI/AAAAAAAAABs/5ux7EHf0qIY/s1600/analysis_oscommerce_cledwilliams_htmlsrc.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="69" src="http://1.bp.blogspot.com/-WR9bd3zU2xA/Tm-ZNsgrZnI/AAAAAAAAABs/5ux7EHf0qIY/s320/analysis_oscommerce_cledwilliams_htmlsrc.png" width="320" /></a></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
The orangeblue site is the first in a re-direction chain that, in a process completely invisible to the average user, leads to an attack on their computer.</div>
<div style="margin-bottom: 0in;">
</div>
<div style="margin-bottom: 0in;">
<br />
<b>Stage one</b> <br />
<br />
The following obfuscated JavaScript is pulled from the orangeblue site. Code obfuscation has been used to evade detection by antivirus engines. In the code below <i>h</i> gets the value -2; this is used to modify the values in the array <i>n</i>, which then become the correct ASCII decimal code values, e.g. the first three decode to 9=TAB, 9=TAB, 105=i. This array is used to create the string <i>ss</i>, which is then passed to an eval for execution.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-4t_i4D3ZEGQ/Tm-crj1uAGI/AAAAAAAAABw/ViHRETQPvJo/s1600/analysis_oscommerce_objscript1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="95" src="http://4.bp.blogspot.com/-4t_i4D3ZEGQ/Tm-crj1uAGI/AAAAAAAAABw/ViHRETQPvJo/s320/analysis_oscommerce_objscript1.png" width="320" /></a></div>
This decodes to the following, which implants a hidden malicious iframe.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-snWGJjHS9yo/Tm-dyuHQzdI/AAAAAAAAAB0/iUGDa4JEpxI/s1600/analysis_oscommerce_pljscript1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="137" src="http://3.bp.blogspot.com/-snWGJjHS9yo/Tm-dyuHQzdI/AAAAAAAAAB0/iUGDa4JEpxI/s320/analysis_oscommerce_pljscript1.png" width="320" /></a></div>
<div style="margin-bottom: 0in;">
<b>Stage two</b><br />
<br />
Gzip-compressed data is now pulled from the zapto domain given above; when decompressed this reveals the following JavaScript (shown in the four images below).</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-UrhgQ7OM41o/Tm-j54w1M3I/AAAAAAAAAB4/yy2QwWXRpXQ/s1600/analysis_oscommerce_objscript2_part1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="144" src="http://3.bp.blogspot.com/-UrhgQ7OM41o/Tm-j54w1M3I/AAAAAAAAAB4/yy2QwWXRpXQ/s320/analysis_oscommerce_objscript2_part1.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-HHz4Z9838ZE/Tm-j7bNiIUI/AAAAAAAAAB8/OPuVSgBL4dg/s1600/analysis_oscommerce_objscript2_part2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="208" src="http://2.bp.blogspot.com/-HHz4Z9838ZE/Tm-j7bNiIUI/AAAAAAAAAB8/OPuVSgBL4dg/s320/analysis_oscommerce_objscript2_part2.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-d8neicQGMAM/Tm-j9A2SFwI/AAAAAAAAACA/S_Qdmjc_Oa0/s1600/analysis_oscommerce_objscript2_part3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="203" src="http://4.bp.blogspot.com/-d8neicQGMAM/Tm-j9A2SFwI/AAAAAAAAACA/S_Qdmjc_Oa0/s320/analysis_oscommerce_objscript2_part3.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-AHlA5UtuRio/Tm-j_gtF9bI/AAAAAAAAACE/ulFTiyXVHLM/s1600/analysis_oscommerce_objscript2_part4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="220" src="http://2.bp.blogspot.com/-AHlA5UtuRio/Tm-j_gtF9bI/AAAAAAAAACE/ulFTiyXVHLM/s320/analysis_oscommerce_objscript2_part4.png" width="320" /></a></div>
<div style="margin-bottom: 0in;">
Lines 1-23 are obfuscated, lines 25-76 attempt to contact the Blackhole command & control server, and finally lines 77-88 reach out to a counter. Note the Russian comments within the code (I have added the English translations). Similar to stage one, in line 18 <i>o</i> gets the value 2, which is used to create the ASCII array <i>m</i>. This is then used in lines 22-23 to construct the string <i>s</i>, which is then executed. The obfuscated script decodes to the following.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-y8c_ZmBjEaU/Tm-mQB6PHNI/AAAAAAAAACI/aHUbXIK2g2A/s1600/analysis_oscommerce_pljscript2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="129" src="http://2.bp.blogspot.com/-y8c_ZmBjEaU/Tm-mQB6PHNI/AAAAAAAAACI/aHUbXIK2g2A/s320/analysis_oscommerce_pljscript2.png" width="320" /></a></div>
<br />
<b>Stage three</b><br />
<br />
The above script now reaches out to the rinzestark site. This last link is the one that actually pulls down code which attempts to exploit the unsuspecting user. The code is obfuscated and appears as follows; the obfuscation is more complex than in the earlier stages. The crucial line is 21, which when variable values are substituted becomes <i>z[substr](a[i],1)</i>: this uses the array <i>a</i> as an index to grab length-1 substrings from <i>z</i>, which are concatenated to form the string <i>s</i>, which is then executed in line 27.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-EN6-NhMrZ48/Tm-pCkQg1XI/AAAAAAAAACM/KIz0CFIb8pM/s1600/analysis_oscommerce_objscript3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="195" src="http://1.bp.blogspot.com/-EN6-NhMrZ48/Tm-pCkQg1XI/AAAAAAAAACM/KIz0CFIb8pM/s320/analysis_oscommerce_objscript3.png" width="320" /></a></div>
This decodes to over 900 lines of JavaScript, which is the Blackhole kit attempting to exploit the end user. The code attempts to determine a number of things about the user's software configuration and then launches an exploit tailored to the configuration found. A snippet of this code is shown below.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-6o91CVqSNVc/Tm-sk21zaLI/AAAAAAAAACQ/P5_3hZ4KZMU/s1600/analysis_oscommerce_pljscript3_part1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="135" src="http://1.bp.blogspot.com/-6o91CVqSNVc/Tm-sk21zaLI/AAAAAAAAACQ/P5_3hZ4KZMU/s320/analysis_oscommerce_pljscript3_part1.png" width="320" /></a></div>
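The stage-3 loader described above rebuilds its payload one character at a time from a pool string and an index array. As an added example that is not part of the original post, this JavaScript emulates only that string-building line and never runs the sample; the loader text it works on is constructed here in the same shape, and the variable names z, a, m and s follow the post's description.

```javascript
// Added example, not code from the blog post. Statically reconstructs the string that
// an obfuscated loader of the shape  s += z[m](a[i], 1)  would assemble, by emulating
// only that one line instead of executing the sample. All inputs below are constructed.

// Build a constructed sample in the same shape as the stage-3 loader: a character
// pool z, an index array a, the method name hidden in m, and the result in s.
function buildSample(payload) {
  const pool = Array.from(new Set(payload)).sort().join("");
  const idx = Array.from(payload, (ch) => pool.indexOf(ch));
  return [
    `var z = ${JSON.stringify(pool)};`,
    `var a = [${idx.join(",")}];`,
    `var m = "substr";`,
    `var s = "";`,
    `for (var i = 0; i < a.length; i++) { s += z[m](a[i], 1); }`,
    `eval(s);`,
  ].join("\n");
}

// Pull the double-quoted string literal assigned to `name` out of the source text.
function stringLiteral(src, name) {
  const m = src.match(new RegExp(`\\b${name}\\s*=\\s*("(?:[^"\\\\]|\\\\.)*")`));
  if (!m) throw new Error(`no string literal for ${name}`);
  return JSON.parse(m[1]);
}

// Pull the numeric array literal assigned to `name`.
function numberArray(src, name) {
  const m = src.match(new RegExp(`\\b${name}\\s*=\\s*\\[([\\d,\\s]*)\\]`));
  if (!m) throw new Error(`no numeric array for ${name}`);
  return m[1].split(",").map((n) => n.trim()).filter(Boolean).map(Number);
}

// Locate the string-building line, work out which variables play the roles of the
// pool, the method name and the index array, then rebuild s without evaluating
// anything taken from the sample.
function decodeLoader(src) {
  const loop = src.match(/(\w+)\s*\+=\s*(\w+)\[(\w+)\]\(\s*(\w+)\[\w+\]\s*,\s*1\s*\)/);
  if (!loop) throw new Error("no z[m](a[i], 1) pattern found");
  const [, , poolVar, methodVar, idxVar] = loop;
  const method = stringLiteral(src, methodVar);
  const pool = stringLiteral(src, poolVar);
  const idx = numberArray(src, idxVar);
  // Only two one-character string methods make sense here; refuse anything else
  // rather than calling whatever method name the sample supplies.
  const take = { substr: (i) => pool.substr(i, 1), charAt: (i) => pool.charAt(i) }[method];
  if (!take) throw new Error(`unexpected method ${method}`);
  return idx.map((i) => (i >= 0 && i < pool.length ? take(i) : "")).join("");
}

// Quick triage of the decoded stage: which common loader markers are present.
const MARKERS = ["eval(", "document.write(", "<iframe", "unescape(", "fromCharCode"];
function triage(decoded) {
  return MARKERS.filter((k) => decoded.includes(k));
}

// Demo on a constructed, harmless payload pointing at a reserved .invalid name.
const DEMO_PAYLOAD = 'document.write("<iframe src=\'http://example.invalid/next\'></iframe>");';
const DEMO_SAMPLE = buildSample(DEMO_PAYLOAD);
const DEMO_DECODED = decodeLoader(DEMO_SAMPLE);
if (typeof require !== "undefined" && require.main === module) {
  console.log(DEMO_DECODED);
  console.log("markers:", triage(DEMO_DECODED));
}
```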
<div style="margin-bottom: 0in;">
<br />
<br />
If the exploit is successful then further stages follow, as the attackers now have control of the user's machine and can install and do anything they wish. Often this group has installed a banking trojan designed to steal the information users enter when visiting e-commerce and e-banking sites.<br />
<br />
<b>Defense and counter attack </b></div>
<div style="margin-bottom: 0in;">
<br />
Soon after this attack was first noticed, steps were taken by the information security community to blacklist and de-register the domains involved, for example the orangeblue.cl domain. Of course the attackers are watching closely and quickly respond by changing domains. Over the months this whack-a-mole process continued, with the following domains being used by the attackers for the first stage (later-stage domains also changed over time). These sites may be specifically created by the attackers or, in the case of lamacom, adorabletots, orangeblue and ayba, may be legitimate sites that the attackers have compromised and turned into part of their exploitation network.<br />
<br />
<div style="margin-bottom: 0in;">
hxxp://willysy.com/images/banners/ </div>
<div style="margin-bottom: 0in;">
hxxp://exero.eu/catalog/jquery.js</div>
<div style="margin-bottom: 0in;">
hxxp://1see.ir/j/ </div>
<div style="margin-bottom: 0in;">
hxxp://lamacom.net/images/j/ </div>
<div style="margin-bottom: 0in;">
hxxp://orangeblue.cl/js/</div>
<div style="margin-bottom: 0in;">
hxxp://gibu.de/js/ </div>
<div style="margin-bottom: 0in;">
hxxp://tiasissi.com.br </div>
<div style="margin-bottom: 0in;">
hxxp://eponim.mk </div>
<div style="margin-bottom: 0in;">
hxxp://adorabletots.co.uk</div>
hxxp://ayba.co.uk/j/</div>
<div style="margin-bottom: 0in;">
<br />
Let's look at defense efforts in more detail. The main tools available to defenders are blacklisting, de-registering and, of course, contacting the owners of compromised e-commerce sites with advice on how to clean and secure their sites. Blacklisting involves listing the domains in a blacklisting service like hphosts or MDL, while de-registering involves reaching out to the domain registrar or hosting company to ask for the domain to be deleted.<br />
<br />
<b>Domain name analysis</b><br />
<br />
The third-phase address hxxp://rinzestark.co.cc is on the notorious co.cc domain. A Korean-based company owns the co.cc domain and offers a subdomain registration service with DNS. According to the company's website two domains can be obtained for free, while bulk sets of domains can be obtained very cheaply: 100 domains for $10 up to 15000 domains for $1000[7]. In July 2011 all subdomains of co.cc were removed by Google from its search results because of the prevalence of phishing and malware sites[8]. According to a recent report by the Anti-Phishing Working Group (APWG), co.cc was the most abused subdomain service in the world[9,10].<br />
<br />
The second-phase address gdgfddhfghk.zapto.org is also a subdomain address. Zapto.org is owned by the US company No-IP/Vitalwerks Internet Solutions[11].<br />
<br />
The majority of first-phase addresses have been legitimate websites which have been compromised by the attackers and used to host the JavaScript file. <br />
<br />
<br /></div>
<div style="margin-bottom: 0in;">
<b>Further information</b><br />
<br />
<a href="http://www.theregister.co.uk/2011/08/01/banking_trojan_exploits_ecommerce_website_flaws/">The Register </a><br />
<a href="http://stopmalvertising.com/malware-reports/oscommerce-attacks-leads-to-blackhole-exploit-kit-via-adorabletotscouk.html">Stopmalvertising analysis</a><br />
<a href="http://blog.sucuri.net/2011/08/non-stop-attacks-against-oscommerce-time-to-take-action.html">Sucuri research blog</a><br />
<a href="http://research.zscaler.com/2011/02/blackhole-exploits-kit-attack-growing.html">Zscaler research blog</a><br />
<br />
<b>Bibliography</b><br />
<br />
[1] <a href="http://en.wikipedia.org/wiki/OsCommerce">http://en.wikipedia.org/wiki/OsCommerce</a></div>
<div style="margin-bottom: 0in;">
[2] <a href="http://www.oscommerce.com/">http://www.oscommerce.com/</a></div>
<div style="margin-bottom: 0in;">
[3] <a href="http://blog.armorize.com/2011/07/willysycom-mass-injection-ongoing.html">http://blog.armorize.com/2011/07/willysycom-mass-injection-ongoing.html</a></div>
<div style="margin-bottom: 0in;">
[4] <a href="http://www.oscommerce.info/confluence/display/OSCOM23/Administration+Tool+%28Backend%29">http://www.oscommerce.info/confluence/display/OSCOM23/Administration+Tool+(Backend)</a></div>
<div style="margin-bottom: 0in;">
[5] <a href="http://www.oscommerce.info/confluence/display/OSCOM23/%28A%29+%28SEC%29+Administration+Tool+Log-In+Update">http://www.oscommerce.info/confluence/display/OSCOM23/(A)+(SEC)+Administration+Tool+Log-In+Update</a><br />
[6] <a href="http://stopmalvertising.com/malware-reports/oscommerce-attacks-leads-to-blackhole-exploit-kit-via-adorabletotscouk.html">http://stopmalvertising.com/malware-reports/oscommerce-attacks-leads-to-blackhole-exploit-kit-via-adorabletotscouk.html</a></div>
<div style="margin-bottom: 0in;">
</div>
<div style="margin-bottom: 0in;">
[7] <a href="http://www.co.cc/">http://www.co.cc/</a> <br />
[8] <a href="http://www.theregister.co.uk/2011/07/06/google_cans_11m_dot_co_dot_cc_sites/">http://www.theregister.co.uk/2011/07/06/google_cans_11m_dot_co_dot_cc_sites/</a><br />
[9] <a href="http://www.antiphishing.org/reports/APWG_GlobalPhishingSurvey_2H2010.pdf">http://www.antiphishing.org/reports/APWG_GlobalPhishingSurvey_2H2010.pdf</a></div>
<div style="margin-bottom: 0in;">
[10] <a href="http://www.antiphishing.org/reports/APWG_Advisory_on_Subdomain_Registries.pdf">http://www.antiphishing.org/reports/APWG_Advisory_on_Subdomain_Registries.pdf</a><br />
[11] <a href="http://www.no-ip.com/">http://www.no-ip.com/</a></div>contact unithttp://www.blogger.com/profile/09201912009730634722noreply@blogger.com0tag:blogger.com,1999:blog-657717787375980372.post-6304282276581099352011-08-22T07:44:00.000-07:002012-06-28T05:33:52.902-07:00Website hijack example: from Brigham Young to Romania and Belarus<b>update</b>: I informed Brigham Young of the issue, which was fixed for a time, but now the cfacbeta site redirects again. I also submitted the tobmarket.com and business-download.com domains to hpHosts, but soon after this the attacker changed the store front address to index-downloads.com. This is standard practice for malicious actors: as soon as a domain gets too hot it is easy to switch it to a clean domain. This is what the intermediary controller at tobmarket.com is for.<br />
<br />
As <a href="http://research.zscaler.com/2011/01/high-profile-websites-hijacked-to-lead.html">Zscaler pointed</a> out, there was a large campaign of .EDU web hijacking earlier this year. The purpose of the hijacking was to redirect users to fake online stores that purport to sell heavily discounted commercial software, using techniques similar to those used to route people to fake online pharmacies. An <a href="http://www.lightbluetouchpaper.org/2011/08/10/measuring-search-redirection-attacks-in-the-illicit-online-prescription-drug-trade/">excellent paper</a> on the fake pharmacy problem was recently published by researchers at the University of Cambridge.<br />
<br />
Let's take a closer look at this, starting with the fake software stores. Here are some of the top 10 results from a Google search for “buy windows 7” in early August 2011. The red arrows indicate two fake stores which have made it into the top 10. The second one, cfacbeta.byu.edu, is a web hijack.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-fgva1RxKPqM/TlAHDEzNlXI/AAAAAAAAABE/01fgGB-Wf9c/s1600/analysis_fakewebstores_initialgooglesearch.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="233" src="http://4.bp.blogspot.com/-fgva1RxKPqM/TlAHDEzNlXI/AAAAAAAAABE/01fgGB-Wf9c/s320/analysis_fakewebstores_initialgooglesearch.png" width="320" /></a></div>
<br />
<div align="LEFT">
A more refined Google site search shows that many cfac.byu.edu pages are redirected.</div>
<div align="LEFT">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-lPn_lP1Vd08/TlAHWLxoHNI/AAAAAAAAABI/6BNzmrgYCfY/s1600/analysis_fakewebstores_cfacweb_only.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="259" src="http://1.bp.blogspot.com/-lPn_lP1Vd08/TlAHWLxoHNI/AAAAAAAAABI/6BNzmrgYCfY/s320/analysis_fakewebstores_cfacweb_only.png" width="320" /></a></div>
<div align="LEFT">
</div>
<div align="LEFT">
cfac.byu.edu is the home page of the College of Fine Arts and Communications at Brigham Young University and from the look of the below page they have been working on upgrading their site and in the process may have inadvertently opened themselves up to an attack. </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-GysP8l5rWn8/TlAHs2HPfjI/AAAAAAAAABM/d37JUJ4kRw0/s1600/analysis_fakewebstores_byucfac_home.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="http://2.bp.blogspot.com/-GysP8l5rWn8/TlAHs2HPfjI/AAAAAAAAABM/d37JUJ4kRw0/s320/analysis_fakewebstores_byucfac_home.png" width="320" /></a></div>
<div align="LEFT">
<br /></div>
<div align="LEFT">
<span style="font-size: large;">Down the rabbit hole </span></div>
<div align="LEFT">
<br /></div>
<div align="LEFT">
A web hijack starts with an attacker compromising a web server and altering the site code so that users are unknowingly redirected to the attackers' website. Let's look at what happens when a user visits a compromised site.</div>
<div align="LEFT">
<br /></div>
<div align="LEFT">
</div>
<div style="margin-bottom: 0in;">
If the Google result above is clicked, the below sequence of six HTTP packets is generated between the client and server. HTTP packet 2 redirects the user to tobmarket.com, a re-director/controller, which, as shown in HTTP packet 4, redirects the user to business-download.com, the final shopfront site. If a user visits the cfacbeta.byu.edu site without clicking through Google they will see the actual site. The redirection is only triggered when the correct referer field and search terms are present within the HTTP GET request. The minimal string which triggers the redirect is:</div>
<br />
<div style="margin-bottom: 0in;">
Referer: http://www.google.com/search?q=windows</div>
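The referer-conditional redirect described above is easy to miss from the server side, because a direct visit looks healthy. As an added example that is not the post's code, this JavaScript scans Apache combined-format access log lines for paths that redirect search-referred visitors while serving everyone else a 200; the log lines are constructed for the demo (the path is the one from the capture above, the addresses are documentation ranges).

```javascript
// Added example, not code from the blog post. Flags paths on a web server that answer
// search-engine-referred visitors with a redirect but serve everyone else normally,
// the conditional behaviour the post describes. Input: Apache combined log lines.
const COMBINED_RE =
  /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/;

function parseCombinedLine(line) {
  const m = COMBINED_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]), referer: m[7] };
}

// A referer counts as a search click when it is a results page (has a q parameter)
// on one of the engines listed here.
function isSearchReferer(referer) {
  if (!referer || referer === "-") return false;
  let u;
  try { u = new URL(referer); } catch (e) { return false; }
  return /(^|\.)(google|bing|yahoo)\.[a-z.]+$/.test(u.hostname) && u.searchParams.has("q");
}

function isRedirect(status) {
  return status >= 300 && status < 400;
}

// Flag a path only when search-referred requests were redirected AND at least one
// request without a search referer got a 200, so ordinary permanent redirects
// (which redirect everyone) are not reported.
function findRefererConditionalRedirects(lines) {
  const byPath = new Map();
  for (const line of lines) {
    const r = parseCombinedLine(line);
    if (!r || r.method !== "GET") continue;
    const agg = byPath.get(r.path) || { path: r.path, searchRedirects: 0, directOk: 0 };
    const search = isSearchReferer(r.referer);
    if (search && isRedirect(r.status)) agg.searchRedirects++;
    else if (!search && r.status === 200) agg.directOk++;
    byPath.set(r.path, agg);
  }
  return [...byPath.values()].filter((a) => a.searchRedirects > 0 && a.directOk > 0);
}

// Constructed sample log (not a real capture).
const SAMPLE_LOG = [
  // search click on the hijacked page -> 302 to the controller
  '203.0.113.5 - - [15/Aug/2011:17:14:18 +0000] "GET /departments/tma/fulton-chair-menu HTTP/1.1" 302 20 "http://www.google.com/search?q=buy+windows+7" "Mozilla/5.0"',
  // same page visited directly -> normal 200
  '198.51.100.7 - - [15/Aug/2011:17:20:01 +0000] "GET /departments/tma/fulton-chair-menu HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
  // search click on a clean page -> 200, nothing to report
  '198.51.100.9 - - [15/Aug/2011:17:21:40 +0000] "GET /about HTTP/1.1" 200 4001 "http://www.google.com/search?q=byu+fine+arts" "Mozilla/5.0"',
  // a legitimate permanent redirect fires for everyone, so it is not flagged
  '203.0.113.8 - - [15/Aug/2011:17:25:12 +0000] "GET /old-page HTTP/1.1" 301 0 "-" "Mozilla/5.0"',
  '203.0.113.8 - - [15/Aug/2011:17:25:13 +0000] "GET /old-page HTTP/1.1" 301 0 "http://www.google.com/search?q=old" "Mozilla/5.0"',
];

const FINDINGS = findRefererConditionalRedirects(SAMPLE_LOG);
if (typeof require !== "undefined" && require.main === module) {
  for (const f of FINDINGS) {
    console.log(`suspicious: ${f.path} (search-referred redirects: ${f.searchRedirects}, direct 200s: ${f.directOk})`);
  }
}
```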
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
</div>
<div style="margin-bottom: 0in;">
<i>HTTP packet 1: Client to Server</i></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
GET /departments/tma/fulton-chair-menu HTTP/1.1</div>
<div style="margin-bottom: 0in;">
Host: cfacbeta.byu.edu</div>
<div style="margin-bottom: 0in;">
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0</div>
<div style="margin-bottom: 0in;">
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8</div>
<div style="margin-bottom: 0in;">
Accept-Language: en-us,en;q=0.5</div>
<div style="margin-bottom: 0in;">
Accept-Encoding: gzip, deflate</div>
<div style="margin-bottom: 0in;">
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7</div>
<div style="margin-bottom: 0in;">
DNT: 1</div>
<div style="margin-bottom: 0in;">
Connection: keep-alive</div>
<div style="margin-bottom: 0in;">
Referer: http://www.google.com/search?q=buy+windows+7&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a</div>
<div style="margin-bottom: 0in;">
Cookie: SESSb3f40867ca15d6a84ab81b0c22a576f9=d4e0d99e5fe575e3ad399de82051dec2; transpass=385f37072a55969b1d8b294e88720b3e8ba49f63; has_js=1</div>
<div style="margin-bottom: 0in;">
If-Modified-Since: Mon, 15 Aug 2011 16:58:05 GMT</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<i>HTTP packet 2: Server to client, redirect to tobmarket.com via 302 Found</i></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
HTTP/1.1 302 Found</div>
<div style="margin-bottom: 0in;">
Date: Mon, 15 Aug 2011 17:14:18 GMT</div>
<div style="margin-bottom: 0in;">
Server: Apache/2.2.14 (Ubuntu)</div>
<div style="margin-bottom: 0in;">
X-Powered-By: PHP/5.2.10-2ubuntu6.10</div>
<div style="margin-bottom: 0in;">
Location: http://tobmarket.com/in.cgi?5&seoref=http%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dbuy%2Bwindows%2B7%26ie%3Dutf-8%26oe%3Dutf-8%26aq%3Dt%26rls%3Dorg.mozilla%3Aen-US%3Aofficial%26client%3Dfirefox-a&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=http%3A%2F%2Fcfacbeta.byu.edu%2Fdepartments%2Ftma%2Ffulton-chair-menu&default_keyword=</div>
<div style="margin-bottom: 0in;">
Vary: Accept-Encoding</div>
<div style="margin-bottom: 0in;">
Content-Encoding: gzip</div>
<div style="margin-bottom: 0in;">
Content-Length: 20</div>
<div style="margin-bottom: 0in;">
Keep-Alive: timeout=15, max=100</div>
<div style="margin-bottom: 0in;">
Connection: Keep-Alive</div>
<div style="margin-bottom: 0in;">
Content-Type: text/html</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<i>HTTP packet 3: Client now contacts server tobmarket.com</i></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
GET /in.cgi?5&seoref=http%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dbuy%2Bwindows%2B7%26ie%3Dutf-8%26oe%3Dutf-8%26aq%3Dt%26rls%3Dorg.mozilla%3Aen-US%3Aofficial%26client%3Dfirefox-a&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=http%3A%2F%2Fcfacbeta.byu.edu%2Fdepartments%2Ftma%2Ffulton-chair-menu&default_keyword= HTTP/1.1</div>
<div style="margin-bottom: 0in;">
Host: tobmarket.com</div>
<div style="margin-bottom: 0in;">
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0</div>
<div style="margin-bottom: 0in;">
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8</div>
<div style="margin-bottom: 0in;">
Accept-Language: en-us,en;q=0.5</div>
<div style="margin-bottom: 0in;">
Accept-Encoding: gzip, deflate</div>
<div style="margin-bottom: 0in;">
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7</div>
<div style="margin-bottom: 0in;">
DNT: 1</div>
<div style="margin-bottom: 0in;">
Connection: keep-alive</div>
<div style="margin-bottom: 0in;">
Referer: http://www.google.com/search?q=buy+windows+7&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a</div>
<div style="margin-bottom: 0in;">
Cookie: SL_5_0000=_1_</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<i>HTTP packet 4: Server to client, second redirect, this time to business-download.com</i></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
HTTP/1.1 302 Found</div>
<div style="margin-bottom: 0in;">
Date: Mon, 15 Aug 2011 17:12:58 GMT</div>
<div style="margin-bottom: 0in;">
Server: Apache/2.2.3 (CentOS)</div>
<div style="margin-bottom: 0in;">
Set-Cookie: SL_5_0000=_1_; domain=tobmarket.com; path=/; expires=Tue, 16-Aug-2011 17:12:58 GMT</div>
<div style="margin-bottom: 0in;">
Location: http://business-download.com</div>
<div style="margin-bottom: 0in;">
Connection: close</div>
<div style="margin-bottom: 0in;">
Transfer-Encoding: chunked</div>
<div style="margin-bottom: 0in;">
Content-Type: text/html; charset=CP-1251</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<html></div>
<div style="margin-bottom: 0in;">
<head></div>
<div style="margin-bottom: 0in;">
<meta http-equiv="REFRESH" content="1; URL='http://business-download.com'"></div>
<div style="margin-bottom: 0in;">
</head></div>
<div style="margin-bottom: 0in;">
<body></div>
<div style="margin-bottom: 0in;">
document moved <a href="http://business-download.com">here</a></div>
<div style="margin-bottom: 0in;">
</body></div>
<div style="margin-bottom: 0in;">
</html></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<i>HTTP packet 5: Client now contacts business-download.com</i></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
GET / HTTP/1.1</div>
<div style="margin-bottom: 0in;">
Host: business-download.com</div>
<div style="margin-bottom: 0in;">
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0</div>
<div style="margin-bottom: 0in;">
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8</div>
<div style="margin-bottom: 0in;">
Accept-Language: en-us,en;q=0.5</div>
<div style="margin-bottom: 0in;">
Accept-Encoding: gzip, deflate</div>
<div style="margin-bottom: 0in;">
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7</div>
<div style="margin-bottom: 0in;">
DNT: 1</div>
<div style="margin-bottom: 0in;">
Connection: keep-alive</div>
<div style="margin-bottom: 0in;">
Referer: http://www.google.com/search?q=buy+windows+7&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a</div>
<div style="margin-bottom: 0in;">
Cookie: shopsesid=1313422538StMyVnEqtxpIrywMeQTTnAAAAZjdhiIt</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<i>HTTP packet 6: Server to client, setting a cookie.</i></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
HTTP/1.1 200 OK</div>
<div style="margin-bottom: 0in;">
Server: nginx/0.8.54</div>
<div style="margin-bottom: 0in;">
Date: Mon, 15 Aug 2011 17:14:25 GMT</div>
<div style="margin-bottom: 0in;">
Content-Type: text/html</div>
<div style="margin-bottom: 0in;">
Transfer-Encoding: chunked</div>
<div style="margin-bottom: 0in;">
Connection: keep-alive</div>
<div style="margin-bottom: 0in;">
X-Powered-By: PHP/5.3.6</div>
<div style="margin-bottom: 0in;">
Set-Cookie: shopsesid=1313422538StMyVnEqtxpIrywMeQTTnAAAAZjdhiIt; path=/</div>
<div style="margin-bottom: 0in;">
Content-Encoding: gzip</div>
<br />
<br />
<div style="margin-bottom: 0in;">
Visiting the site tobmarket.com directly triggers an HTTP Connection: Close packet, while visiting tobmarket/in.cgi triggers the redirection to business-download.com. The registrar for tobmarket.com is the Ukrainian firm ukrnames.com and the Whois information is masked by a privacy service. As of August 2011 the domain resolves to 95.64.58.238, a machine hosted by Voxility of Romania.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-BV7N5H1pgRw/TlAKAEc_O0I/AAAAAAAAABU/m5vxlLBJa0U/s1600/analysis_fakestores_business_download.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="180" src="http://3.bp.blogspot.com/-BV7N5H1pgRw/TlAKAEc_O0I/AAAAAAAAABU/m5vxlLBJa0U/s320/analysis_fakestores_business_download.png" width="320" /></a></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
</div>
<div style="margin-bottom: 0in;">
Upon clicking through business-download.com to the checkout pay site, we are sent to https://private-pay.net.</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-k9ov9F8ZOao/TlAJ2hly1yI/AAAAAAAAABQ/1tDx8cyPtoA/s1600/analysis_fakewebstores_private-pay.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="78" src="http://3.bp.blogspot.com/-k9ov9F8ZOao/TlAJ2hly1yI/AAAAAAAAABQ/1tDx8cyPtoA/s320/analysis_fakewebstores_private-pay.png" width="320" /></a></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
</div>
<div style="margin-bottom: 0in;">
As shown above, they have used SSL to make the site seem more legitimate; the site is using a real certificate issued by the Certificate Authority RapidSSL/GeoTrust Inc in the United States. Many Certificate Authorities do only minimal checks on their clients, so possession of a certificate really means nothing anymore. Below is RapidSSL's home page; they make it very easy to get a certificate!</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-PaPtEF4vwkE/TlAKR571RfI/AAAAAAAAABY/gwF1fqmqNZs/s1600/analysis_fakewebstores_rapidssl.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="164" src="http://4.bp.blogspot.com/-PaPtEF4vwkE/TlAKR571RfI/AAAAAAAAABY/gwF1fqmqNZs/s320/analysis_fakewebstores_rapidssl.png" width="320" /></a></div>
<div style="margin-bottom: 0in;">
</div>
<div style="margin-bottom: 0in;">
Whois information shows that business-download.com was registered by planetdomain.com with the fake contact details below.</div>
<div style="margin-bottom: 0in;">
<br /></div>
<pre class="western">Owner, Administrative Contact, Technical Contact, Billing Contact:
Isabelle Franchet (ID00467503)
6 Rue de la Republique
Avignon, Provence 84000
FR
Phone: +33.490864978
Email: curve@cutemail.org</pre>
<pre class="western"> </pre>
<div style="margin-bottom: 0in;">
As of August 2011 business-download.com resolves to 213.152.172.90, which also hosts business-download.net, download-sale.net, luxury-customer.net and the supposed pay site private-pay.net. All of these actually host the same fake software store.</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
The controller/re-director domain tobmarket.com was registered through ukrnames.com of Ukraine and has anonymous Whois records. The domain is hosted at IP address 95.64.58.238, located in Romania. This IP address also hosts the-first-five-pages.com, which redirects users to tobmarket.com. Whois information for the-first-five-pages.com reveals that it too was registered with ukrnames.com, but this time we are given the contact details below.</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
Registrant:<br />
Vitalij Shorikov mboga12@yahoo.com<br />
Nagornaya,78<br />
Gomel, 246015<br />
BELARUS<br />
+375232724839 </div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
<span style="font-size: large;">Now for some Google searching </span></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
Search on cutemail.org</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
cutemail.com is a webmail service operated by SafetyNet Systems Ltd of the UK, but cutemail.org does not resolve to anything, though the domain is registered with FastDomain.com. A search on cutemail.org reveals that @cutemail.org addresses have been used to register numerous malware and web hijack campaign sites, including recent fake AV, money mule recruitment and fake online drug store sites.</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
Search on +33.490864978</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
Reveals this to be the fax number for a hotel in France!</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
Search on Vitalij Shorikov, <a href="mailto:mboga12@yahoo.com">mboga12@yahoo.com</a> or +375232724839 (actually normalized to +375.232724839)</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
This reveals two other domain names registered using this contact information.</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
belkonvert.net IP address 91.226.78.9</div>
<div style="margin-bottom: 0in;">
This is an HTTrack website copy of belkonvert.com. Belkonvert.com is a legitimate business site for a Minsk, Belarus advertising company. No other hosts were at this address.</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
tdsfree.org IP address 91.217.153.46</div>
<div style="margin-bottom: 0in;">
This returns an HTTP 403 Forbidden message, but this IP address also hosts the following sites.</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
dorotydiary.org</div>
<div style="margin-bottom: 0in;">
com-watch-id181222ooo.info</div>
<div style="margin-bottom: 0in;">
casinonewsblog.org</div>
<div style="margin-bottom: 0in;">
bradpittfanclub.org</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
Both bradpittfanclub.org and dorotydiary.org have recently been flagged as involved in malware distribution and fake AV campaigns as the below results from Malware Domain List show.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-mB4d0QeWn24/TlANu2CPL_I/AAAAAAAAABc/E4SN3ILtHEk/s1600/analysis_fakestores_blacklist1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="36" src="http://1.bp.blogspot.com/-mB4d0QeWn24/TlANu2CPL_I/AAAAAAAAABc/E4SN3ILtHEk/s320/analysis_fakestores_blacklist1.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-eSu9fmc-MZ0/TlAN0JyZm4I/AAAAAAAAABg/mAXWJEN57F4/s1600/analysis_fakestores_blacklist2.org.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="33" src="http://2.bp.blogspot.com/-eSu9fmc-MZ0/TlAN0JyZm4I/AAAAAAAAABg/mAXWJEN57F4/s320/analysis_fakestores_blacklist2.org.png" width="320" /></a></div>
<div style="margin-bottom: 0in;">
</div>
<div style="margin-bottom: 0in;">
And from hphosts we can find that the whole of 91.217.153.0/24 in ASN 41390 (RN-DATA-LV, RN Data, SIA) is riddled with malware sites.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-Qxcmbhcfou0/TlAN7tj0RGI/AAAAAAAAABk/nZwfQg2DrS8/s1600/analysis_fakestores_asnblacklist.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="110" src="http://3.bp.blogspot.com/-Qxcmbhcfou0/TlAN7tj0RGI/AAAAAAAAABk/nZwfQg2DrS8/s320/analysis_fakestores_asnblacklist.png" width="320" /></a></div>
<div style="margin-bottom: 0in;">
</div>
<div align="LEFT">
<br /></div>
<div align="LEFT">
So there we have it: clicking on a Brigham Young University page takes a visitor on an unexpected trip to Romania and Belarus! Following the threads further has led us right into a nest of malware domains at 91.217.153.0/24.<br />
<br />
Be careful out there on the interwebs.....</div>
<div align="LEFT">
<br /></div>contact unithttp://www.blogger.com/profile/09201912009730634722noreply@blogger.com4tag:blogger.com,1999:blog-657717787375980372.post-19658281812695295382011-08-17T11:28:00.000-07:002012-06-28T05:32:25.108-07:00A little analysis on that Zugo toolbar<div style="margin-bottom: 0in;">
Related names: StartNow, Whitesmoke, Babylon, HyperBar, Zugo, toolbar<br />
Threat: low<br />
Main artifacts: Browser toolbar installed and home page set<br />
Main install vector: Surreptitious install by affiliate with little or no notice to user.<br />
Company behind all this: Zugo Services Ltd of London</div>
<b>How to remove:</b> See this <a href="http://mymountain.blogspot.com/2010/03/how-to-remove-bingzugo-toolbar-hijack.html" target="_blank">link</a>.<br />
<br />
<span style="font-size: large;">Introduction</span><br />
<br />
<div style="margin-bottom: 0in;">
The Zugo toolbar for web browsers, a Zugo Services Ltd product, is an annoying adware product that often gets installed on users' computers in a surreptitious manner. The product is bundled with other software, and during installation the user may be given only limited information about the toolbar installation or, worse, no information at all. According to GFI Software, Zugo Services Ltd has a large affiliate network, with affiliates being paid up to $1.50 per install. There is little oversight of affiliates by Zugo, and the affiliates have every incentive to obtain the largest possible number of installs by whatever means necessary.<br />
<br /></div>
<div style="margin-bottom: 0in;">
Zugo's default toolbar is StartNow though Zugo has also created toolbar products for other companies, including Whitesmoke and Babylon. Once installed, the software will change the user's home page and relay search information to the Zugo infrastructure to allow the placement of targeted advertising. An earlier version of this product was known as the StartNow HyperBar.</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
An example is provided by the website adlsoft.net, which hosts a number of free download utilities, all of which install the toolbar. Interestingly, adlsoft.net resolves to the same IP address as zcode.biz, a host that the toolbar installer contacts, suggesting that the adlsoft site was established to drive installs of the toolbar.</div>
<div style="margin-bottom: 0in;">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://1.bp.blogspot.com/-3K9LvXBlBiQ/TkvDm76CtnI/AAAAAAAAAAM/7MNyJ0Ds-lM/s1600/adlsoft_home.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="62" src="http://1.bp.blogspot.com/-3K9LvXBlBiQ/TkvDm76CtnI/AAAAAAAAAAM/7MNyJ0Ds-lM/s320/adlsoft_home.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Intro paragraph on adlsoft.net</td></tr>
</tbody></table>
<div style="margin-bottom: 0in;">
</div>
<div style="margin-bottom: 0in;">
Incidentally this site has taken the free download version of Systweak's Advanced System Protector and re-packaged it to include the StartNow Toolbar.</div>
<div style="margin-bottom: 0in;">
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://3.bp.blogspot.com/-9vIMBfPDAaY/TkvD_Kj5UBI/AAAAAAAAAAQ/gAWJ7rLdgAk/s1600/adlsoft_ASP_home.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="146" src="http://3.bp.blogspot.com/-9vIMBfPDAaY/TkvD_Kj5UBI/AAAAAAAAAAQ/gAWJ7rLdgAk/s320/adlsoft_ASP_home.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">adlsoft.net with Systweak software for download</td></tr>
</tbody></table>
<br /></div>
<div style="margin-bottom: 0in;">
Here is the install screen of one of the products, in this case a decompression utility.</div>
<div style="margin-bottom: 0in;">
</div>
<div style="margin-bottom: 0in;">
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://1.bp.blogspot.com/-x0zO3FIsIwo/Tkv8CvTAEJI/AAAAAAAAAAY/x5HBTQRHEqc/s1600/adlsoft_uncompressor_install_screen_with_inet.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="247" src="http://1.bp.blogspot.com/-x0zO3FIsIwo/Tkv8CvTAEJI/AAAAAAAAAAY/x5HBTQRHEqc/s320/adlsoft_uncompressor_install_screen_with_inet.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Uncompressor install screen</td></tr>
</tbody></table>
Though the screen does mention that another product will be installed, the language could very easily be missed. Liberal use is made of the “Bing” name rather than the StartNow name. It looks almost as though it was designed to be overlooked.</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
Interestingly, when you install the software without an Internet connection, a different install screen appears (see below). There is now a reference to the Babylon toolbar, which is a different Zugo toolbar product.</div>
<div style="margin-bottom: 0in;">
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://4.bp.blogspot.com/-3G--SjI0Wpg/Tkv8QKmN-1I/AAAAAAAAAAc/dpV3YFTcnQI/s1600/adlsoft_uncompressor_install_babylon_toolbar.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="248" src="http://4.bp.blogspot.com/-3G--SjI0Wpg/Tkv8QKmN-1I/AAAAAAAAAAc/dpV3YFTcnQI/s320/adlsoft_uncompressor_install_babylon_toolbar.PNG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Uncompressor install screen showing Babylon toolbar</td></tr>
</tbody></table>
<br /></div>
<div style="margin-bottom: 0in;">
</div>
<div style="margin-bottom: 0in;">
In contrast, below is an example of best practice in toolbar installation. This is the screen an Adobe installer will give you before installing the Google toolbar. Nice and clear.</div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://4.bp.blogspot.com/-yksLvgNrPjc/Tkv8m9Afw-I/AAAAAAAAAAg/RDABfnYQPio/s1600/example_adobe_with_googletoolbar.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="242" src="http://4.bp.blogspot.com/-yksLvgNrPjc/Tkv8m9Afw-I/AAAAAAAAAAg/RDABfnYQPio/s320/example_adobe_with_googletoolbar.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Adobe Google toolbar install</td></tr>
</tbody></table>
<br />
<span style="font-size: large;">Tracking the install</span><br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://2.bp.blogspot.com/-uUHBwKnYeMA/Tkv-VTXZd4I/AAAAAAAAAAk/JNJ-Ji52P9U/s1600/zugo_zsilent_process.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="68" src="http://2.bp.blogspot.com/-uUHBwKnYeMA/Tkv-VTXZd4I/AAAAAAAAAAk/JNJ-Ji52P9U/s320/zugo_zsilent_process.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">z-silent starts!</td></tr>
</tbody></table>
Once the utility installer is executed, two files are downloaded via HTTP on port 80: a tiny token file and an executable named z-silent.exe (why name this "silent", Zugo folks, a little spooky, no?). Z-silent.exe is a Nullsoft NSIS installer for Zugo products, signed by Zugo Ltd. The HTTP GET commands are as follows.<br />
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
HTTP GET sent to 204.232.212.106</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
GET /getCountry/ HTTP/1.0</div>
<div style="margin-bottom: 0in;">
Host: zcode.biz</div>
<div style="margin-bottom: 0in;">
User-Agent: NSISDL/1.2 (Mozilla)</div>
<div style="margin-bottom: 0in;">
Accept: */*</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
HTTP/1.1 200 OK</div>
<div style="margin-bottom: 0in;">
Date: Mon, 02 Aug 2011 14:23:12 GMT</div>
<div style="margin-bottom: 0in;">
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch</div>
<div style="margin-bottom: 0in;">
X-Powered-By: PHP/5.2.6-1+lenny9</div>
<div style="margin-bottom: 0in;">
Vary: Accept-Encoding</div>
<div style="margin-bottom: 0in;">
Content-Length: 2</div>
<div style="margin-bottom: 0in;">
Connection: close</div>
<div style="margin-bottom: 0in;">
Content-Type: text/plain; charset=UTF-8</div>
<div style="margin-bottom: 0in;">
US</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
HTTP GET sent to 184.25.108.35</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
GET /z-silent-2804.exe HTTP/1.0</div>
<div style="margin-bottom: 0in;">
Host: c194738.r38.cf1.rackcdn.com</div>
<div style="margin-bottom: 0in;">
User-Agent: NSISDL/1.2 (Mozilla)</div>
<div style="margin-bottom: 0in;">
Accept: */*</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
z-silent is then started with the following command.</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
z-silent.exe /S /CHANNEL="2_6" /TOOLBAR /DEFAULTSTART /DEFAULTSEARCH</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
z-silent now does a number of things, including the following.</div>
<ol>
<li><div style="margin-bottom: 0in;">
Disables proxy use and Internet connection auto configuration scripts.</div>
</li>
<li><div style="margin-bottom: 0in;">
Calculates a globally unique user id (GUID) and a machine id.</div>
</li>
<li><div style="margin-bottom: 0in;">
Installs the StartNow toolbar software to Program Files/Startnow Toolbar</div>
</li>
<li><div style="margin-bottom: 0in;">
Registers StartNow as a Browser Helper Object; Internet Explorer will now run with Toolbar32.dll loaded.</div>
</li>
<li><div style="margin-bottom: 0in;">
Spawns the toolbarupdateservice process</div>
</li>
<li><div style="margin-bottom: 0in;">
Registers the install with remote infrastructure via HTTP GET.</div>
</li>
</ol>
<div style="margin-bottom: 0in;">
Most registry and file activity is routine; however, the following keys are deleted. This disables proxy use and auto configuration scripts.</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
HKCU/Software/Windows/CurrentVersion/Internet Settings/ProxyServer</div>
<div style="margin-bottom: 0in;">
HKCU/Software/Windows/CurrentVersion/Internet Settings/ProxyOverride</div>
<div style="margin-bottom: 0in;">
HKCU/Software/Windows/CurrentVersion/Internet Settings/AutoConfigUrl</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
z-silent and most of the various files it generates in the Temp directory during install are now deleted.</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
Interestingly, registry activity includes a check for the existence of the key shown below. This is the first of three ties between Zugo Services Ltd and the company AfterDownload.com.</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
HKLM/Software/AfterDownload</div>
<div style="margin-bottom: 0in;">
<br />
The second is that if the Details tab of z-silent's file properties is examined, both the File description and Product name fields have the value AfterDownload.<br />
<br /></div>
<div style="margin-bottom: 0in;">
The following Internet traffic is generated during the z-silent install.</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
HTTP GET sent to 209.159.151.3</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
GET /getcountry?</div>
<div style="margin-bottom: 0in;">
pid=628</div>
<div style="margin-bottom: 0in;">
channel=2_6</div>
<div style="margin-bottom: 0in;">
bdate=20110802T091233</div>
<div style="margin-bottom: 0in;">
bversion=1.7</div>
<div style="margin-bottom: 0in;">
client=installer</div>
<div style="margin-bottom: 0in;">
action=tb_installed,sp_installed,ds_installed</div>
<div style="margin-bottom: 0in;">
user_guid=<removed></div>
<div style="margin-bottom: 0in;">
Host: installer.zugo.com</div>
<div style="margin-bottom: 0in;">
User-Agent: NSISDL/1.2 (Mozilla)</div>
<div style="margin-bottom: 0in;">
Accept: */*</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
HTTP GET sent to 209.159.151.3</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
GET /ztb/update?</div>
<div style="margin-bottom: 0in;">
partner_id=249</div>
<div style="margin-bottom: 0in;">
product_id=628</div>
<div style="margin-bottom: 0in;">
affiliate_id=</div>
<div style="margin-bottom: 0in;">
channel=2%5F6</div>
<div style="margin-bottom: 0in;">
toolbar_id=200</div>
<div style="margin-bottom: 0in;">
toolbar_version=2.0</div>
<div style="margin-bottom: 0in;">
install_country=US</div>
<div style="margin-bottom: 0in;">
install_date=20110802</div>
<div style="margin-bottom: 0in;">
user_guid=<removed></div>
<div style="margin-bottom: 0in;">
machine_id=<removed></div>
<div style="margin-bottom: 0in;">
browser=IE</div>
<div style="margin-bottom: 0in;">
os=Win</div>
<div style="margin-bottom: 0in;">
os_version=5.1</div>
<div style="margin-bottom: 0in;">
Accept: */*</div>
<div style="margin-bottom: 0in;">
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)</div>
<div style="margin-bottom: 0in;">
Host: tbupdate.zugo.com</div>
<div style="margin-bottom: 0in;">
Connection: Keep-Alive</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
Once the toolbar is installed, information is stored in cookies whose file names begin with the following string.</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
\Documents and Settings\Owner\Cookies\owner@www.startnow</div>
<div style="margin-bottom: 0in;">
</div>
<div style="margin-bottom: 0in;">
Searches using the toolbar send information to the Zugo infrastructure via HTTP GET requests, as the following search for “football” shows. This information includes the operating system version, country of install and a globally unique machine id.</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
HTTP GET sent to 64.20.54.67</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
GET /s/?q=football</div>
<div style="margin-bottom: 0in;">
category=web</div>
<div style="margin-bottom: 0in;">
dummy_pn=Bing</div>
<div style="margin-bottom: 0in;">
partner_id=249</div>
<div style="margin-bottom: 0in;">
product_id=628</div>
<div style="margin-bottom: 0in;">
affiliate_id=</div>
<div style="margin-bottom: 0in;">
channel=2_6</div>
<div style="margin-bottom: 0in;">
toolbar_id=200</div>
<div style="margin-bottom: 0in;">
toolbar_version=2.0</div>
<div style="margin-bottom: 0in;">
install_country=US</div>
<div style="margin-bottom: 0in;">
install_date=20110802</div>
<div style="margin-bottom: 0in;">
user_guid=<removed></div>
<div style="margin-bottom: 0in;">
machine_id=<removed></div>
<div style="margin-bottom: 0in;">
browser=IE</div>
<div style="margin-bottom: 0in;">
os=win</div>
<div style="margin-bottom: 0in;">
os_version=5.1-x86-SP3</div>
<div style="margin-bottom: 0in;">
provider=bing</div>
<div style="margin-bottom: 0in;">
provider_name=bing</div>
<div style="margin-bottom: 0in;">
provider_code=Z082</div>
<div style="margin-bottom: 0in;">
src=startpage HTTP/1.1</div>
<div style="margin-bottom: 0in;">
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*</div>
<div style="margin-bottom: 0in;">
Referer: http://www.startnow.com/</div>
<div style="margin-bottom: 0in;">
Accept-Language: en-us</div>
<div style="margin-bottom: 0in;">
Accept-Encoding: gzip, deflate</div>
<div style="margin-bottom: 0in;">
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)</div>
<div style="margin-bottom: 0in;">
Host: www.startnow.com</div>
<div style="margin-bottom: 0in;">
Connection: Keep-Alive</div>
<div style="margin-bottom: 0in;">
Cookie: </div>
<div style="margin-bottom: 0in;">
sp_query_string=src startpage</div>
<div style="margin-bottom: 0in;">
provider Bing</div>
<div style="margin-bottom: 0in;">
provider_code Z082</div>
<div style="margin-bottom: 0in;">
partner_id 249</div>
<div style="margin-bottom: 0in;">
product_id 628</div>
<div style="margin-bottom: 0in;">
affiliate_id</div>
<div style="margin-bottom: 0in;">
channel 2_6</div>
<div style="margin-bottom: 0in;">
toolbar_id 200</div>
<div style="margin-bottom: 0in;">
toolbar_version 2.0</div>
<div style="margin-bottom: 0in;">
install_country US</div>
<div style="margin-bottom: 0in;">
install_date 20110802</div>
<div style="margin-bottom: 0in;">
user_guid <removed></div>
<div style="margin-bottom: 0in;">
machine_id <removed></div>
<div style="margin-bottom: 0in;">
browser IE</div>
<div style="margin-bottom: 0in;">
os win</div>
<div style="margin-bottom: 0in;">
os_version 5.1-x86-SP3</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
In contrast, this is the information the real Bing toolbar sends back to Bing infrastructure.</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
GET /search?q=football</div>
<div style="margin-bottom: 0in;">
FORM=BB07LB</div>
<div style="margin-bottom: 0in;">
PC=BB07</div>
<div style="margin-bottom: 0in;">
QS=n HTTP/1.1</div>
<div style="margin-bottom: 0in;">
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, */*</div>
<div style="margin-bottom: 0in;">
X-SearchRewards: brcv=18.0.2066.0[mi=4ef64220-fc5d-4894-9972-3dfef868b86f,HID=0,IID=781940d98b126d94fc80273927bd9c20,tc=1]</div>
<div style="margin-bottom: 0in;">
Accept-Language: en-us</div>
<div style="margin-bottom: 0in;">
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; BRI/2)</div>
<div style="margin-bottom: 0in;">
Accept-Encoding: gzip, deflate</div>
<div style="margin-bottom: 0in;">
Host: www.bing.com</div>
<div style="margin-bottom: 0in;">
Connection: Keep-Alive</div>
<div style="margin-bottom: 0in;">
Cookie: </div>
<div style="margin-bottom: 0in;">
SRCHUID=V=2</div>
<div style="margin-bottom: 0in;">
GUID=<removed><br />
_SS=SID=<removed></div>
<div style="margin-bottom: 0in;">
CW=555</div>
<div style="margin-bottom: 0in;">
CH=0</div>
<div style="margin-bottom: 0in;">
bIm=147; RMS=F=GgAg</div>
<div style="margin-bottom: 0in;">
A=AAAAAAAAAAAQAAAk; SRCHD=D=1896158</div>
<div style="margin-bottom: 0in;">
SM=1MS=1896158</div>
<div style="margin-bottom: 0in;">
AF=MSN005; SRCHUSR=AUTOREDIR=0</div>
<div style="margin-bottom: 0in;">
GEOVAR=</div>
<div style="margin-bottom: 0in;">
DOB=20110730; MUID=<removed>; _UR=OMW=1</div>
<div style="margin-bottom: 0in;">
<br /></div>
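<div style="margin-bottom: 0in;">
The following is an added example, not code from the original post: a small Python parser that takes captured HTTP GET requests in the form shown above (the two captures in the script are constructed from the fields on this page, with every identifier replaced by a placeholder), pulls apart the query string and Cookie header, and reports which per-machine identifiers and Zugo tracking fields a search request carries, so the StartNow request can be compared with the genuine Bing toolbar request.</div>

```python
"""Flag StartNow/Zugo toolbar search telemetry in captured HTTP requests.
Added example, not from the original post: the two captures are constructed
from the request fields shown on this page, with placeholder identifiers."""
from urllib.parse import parse_qsl, urlsplit

# Query keys this page shows the StartNow toolbar sending with every search.
ZUGO_TRACKING_KEYS = {
    "partner_id", "product_id", "affiliate_id", "channel", "toolbar_id",
    "toolbar_version", "install_country", "install_date", "user_guid",
    "machine_id", "browser", "os", "os_version", "provider_code",
}
# Keys that identify a user or machine: user_guid/machine_id from the StartNow
# capture, GUID/MUID/SID from the genuine Bing toolbar's cookies.
IDENTIFIER_KEYS = {"user_guid", "machine_id", "guid", "muid", "sid"}


def parse_request(raw):
    """Parse a raw HTTP/1.x GET into host, path, query, headers, cookie fields."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    target = lines[0].split(" ", 2)[1]
    url = urlsplit(target)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    # Cookies such as SRCHUID=V=2&GUID=x carry nested a=b&c=d sub-fields, so
    # each cookie is split once on "=" and its value flattened into the dict.
    cookie_fields = {}
    for item in headers.get("cookie", "").split(";"):
        name, sep, value = item.strip().partition("=")
        if not sep:
            continue
        if "=" in value:
            cookie_fields.update(parse_qsl(value, keep_blank_values=True))
        else:
            cookie_fields[name] = value
    return {"host": headers.get("host", ""), "path": url.path,
            "query": dict(parse_qsl(url.query, keep_blank_values=True)),
            "headers": headers, "cookie_fields": cookie_fields}


def leaked_identifiers(req):
    """Return {key: value} for user/machine identifiers in query or cookies."""
    return {k.lower(): v for src in (req["query"], req["cookie_fields"])
            for k, v in src.items() if k.lower() in IDENTIFIER_KEYS}


def summarize(raw):
    """Detection verdict for one captured request: which host it went to,
    which Zugo tracking fields it carries and which identifiers it leaks."""
    req = parse_request(raw)
    return {"host": req["host"], "identifiers": leaked_identifiers(req),
            "tracking_keys": sorted(ZUGO_TRACKING_KEYS & set(req["query"])),
            "zugo_search": {"toolbar_id", "machine_id", "user_guid"} <= set(req["query"])}


# Constructed captures modelled on the two "football" searches quoted above.
STARTNOW_REQUEST = (
    "GET /s/?q=football&category=web&dummy_pn=Bing&partner_id=249&product_id=628"
    "&affiliate_id=&channel=2_6&toolbar_id=200&toolbar_version=2.0"
    "&install_country=US&install_date=20110802&user_guid=USER-GUID-PLACEHOLDER"
    "&machine_id=MACHINE-ID-PLACEHOLDER&browser=IE&os=win&os_version=5.1-x86-SP3"
    "&provider=bing&provider_name=bing&provider_code=Z082&src=startpage HTTP/1.1\r\n"
    "Referer: http://www.startnow.com/\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    "Host: www.startnow.com\r\n"
    "Cookie: sp_query_string=src=startpage&provider=Bing&partner_id=249"
    "&machine_id=MACHINE-ID-PLACEHOLDER&user_guid=USER-GUID-PLACEHOLDER\r\n\r\n"
)
BING_REQUEST = (
    "GET /search?q=football&FORM=BB07LB&PC=BB07&QS=n HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; BRI/2)\r\n"
    "Host: www.bing.com\r\n"
    "Cookie: SRCHUID=V=2&GUID=GUID-PLACEHOLDER; _SS=SID=SID-PLACEHOLDER&CW=555&CH=0"
    "; RMS=F=GgAg; MUID=MUID-PLACEHOLDER\r\n\r\n"
)
```

Run `summarize()` over each capture: the StartNow request is flagged as a Zugo search carrying all fourteen tracking fields plus user_guid and machine_id, while the Bing request carries none of them and identifies the client only through its GUID, SID and MUID cookies.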
<div style="margin-bottom: 0in;">
<span style="font-size: large;">Whitesmoke and Zugo</span></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
An example of how using Zugo's services can help a company comes from the public SEC filings of Whitesmoke. Whitesmoke offers a spelling and grammar correction software product and entered into an agreement with Zugo which resulted in significant benefits for Whitesmoke. From the SEC filing we have the following.</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
"A significant portion of our revenues arise when end-users download a custom third-party toolbar for use with third-party websites, such as bing.com. In the United States, Zugo powers and operates this toolbar download process under a letter of intent with us, dated February 25, 2010. Under the binding letter of intent, Zugo agrees to perform at a specified service level to ensure, among other things, 99.9% uptime. Zugo pays us either a portion of the revenues or a per-download amount from toolbar downloads. Our letter of intent with Zugo may be terminated by either party with 24 hours notice. In November 2010 we entered into an amendment to the letter of intent with Zugo which amended certain payment terms."</div>
<br />
<div style="margin-bottom: 0in;">
<span style="font-size: large;">Whois information and related entities</span></div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
A whois search of zugo.com previously revealed that it is held by Zugo Ltd with a Jersey, Channel Islands PO Box address. However, this recently changed to an anonymous entry.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://3.bp.blogspot.com/-Q38AWcg_8TY/Tkv_BL-VOaI/AAAAAAAAAAo/SMkylvhA4fE/s1600/zugo_old_whois2_info.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="320" src="http://3.bp.blogspot.com/-Q38AWcg_8TY/Tkv_BL-VOaI/AAAAAAAAAAo/SMkylvhA4fE/s320/zugo_old_whois2_info.png" width="305" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Old zugo.com Whois record</td></tr>
</tbody></table>
Interestingly, when the code signing certificate for z-silent is examined, the subject field reveals a slightly different Channel Islands address.<br />
<br />
CN = Zugo Ltd<br />
O = Zugo Ltd<br />
STREET = PO Box 36<br />
STREET = 1st Floor<br />
STREET = 37 Broad St.<br />
L = St Helier<br />
S = Jersey<br />
PostalCode = JE4 9NU<br />
C = JE<br />
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://1.bp.blogspot.com/-fAnYFW4qh7s/Tkv_OwjOf-I/AAAAAAAAAAs/swOWd8Dvk_I/s1600/zugo_current_whois_info.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="320" src="http://1.bp.blogspot.com/-fAnYFW4qh7s/Tkv_OwjOf-I/AAAAAAAAAAs/swOWd8Dvk_I/s320/zugo_current_whois_info.png" width="250" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Whois record updated Aug-2011, now anonymous</td></tr>
</tbody></table>
<br />
<br />
The domain zcode.biz, from which z-silent downloads the GetCountry token, is registered to an Omer Kaplan with a Tagore St, Tel Aviv, Israel address. This person also founded the company AfterDownload.com; note that z-silent checks for the existence of an AfterDownload registry key. AfterDownload.com used to list the same name and Israeli address as zcode.biz in the whois database; however, this has recently changed to an anonymous entry. According to their website, AfterDownload is “the first and largest CPC platform to provide effective display monetization for the entire download funnel.” It is likely that Omer and AfterDownload are acting as an affiliate of Zugo and being paid for each install.</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
The domain startnow.com is registered anonymously via Moniker Privacy Services and is hosted at IP address 64.20.54.67. The hosts installer.zugo.com, tbupdate.zugo.com and utrack.zugo.com resolve to IP addresses 209.159.151.2-4.</div>
<div style="margin-bottom: 0in;">
<br />
The domain adlsoft.net is registered anonymously via Domains by Proxy, but interestingly it is hosted on the same IP address as zcode.biz, 204.232.212.106.</div>
<br />
<span style="font-size: large;">More on Zugo and a possible connection to porn company Inxio Ltd</span><br />
<br />
Zugo Services Ltd is a registered UK company, and a search of public UK records reveals that the company's physical address is<br />
<br />
UNIT 5 UTOPIA VILLAGE,<br />
7 CHALCOT ROAD PRIMROSE HILL<br />
LONDON<br />
NW1 8LH<br />
<br />
The current CEO is Jeroen Seghers (see http://about.me/jeroenseghers) and a named director is a Mark Simon Hirschfield. Mr Seghers founded StartNow International (now dissolved).<br />
<br />
Referral whois information reveals a connection between the IP addresses used by Zugo and the porn company Inxio Ltd. The IP address Zugo sends search query information to is 64.20.54.67, and the referral whois record below shows that the block 64.20.54.64/29 is registered to Inxio Ltd.<br />
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://3.bp.blogspot.com/-OfNOP93OJxo/Tkv_7OOSJnI/AAAAAAAAAAw/fRIkz-Y6ooc/s1600/rwhois_startnow_address_inxio.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="298" src="http://3.bp.blogspot.com/-OfNOP93OJxo/Tkv_7OOSJnI/AAAAAAAAAAw/fRIkz-Y6ooc/s320/rwhois_startnow_address_inxio.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Referral whois record showing block registered to Inxio Ltd</td></tr>
</tbody></table>
<br />
<br />
<div style="margin-bottom: 0in;">
Further, the IP addresses that utrack.zugo.com etc. resolve to, e.g. 209.159.151.4, are also members of a block registered to Inxio Ltd, as the record below shows.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://3.bp.blogspot.com/-i5iubtzfmhQ/TkwCVVcVLGI/AAAAAAAAAA4/RIAuIC-quXg/s1600/rwhois_zugo_address_inxio.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="262" src="http://3.bp.blogspot.com/-i5iubtzfmhQ/TkwCVVcVLGI/AAAAAAAAAA4/RIAuIC-quXg/s320/rwhois_zugo_address_inxio.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Referral whois record showing block registered to Inxio Ltd</td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
</div>
In addition, a simple Google search on the phone number Zugo Ltd supplied for its whois record reveals that this number is also used as a registration contact for a large number of Inxio porn websites (see below).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-Z-9I3kAaclI/TkwSKd8489I/AAAAAAAAAA8/UQ3XzrfS8qQ/s1600/zugo_inxio_phone_num_search.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="313" src="http://1.bp.blogspot.com/-Z-9I3kAaclI/TkwSKd8489I/AAAAAAAAAA8/UQ3XzrfS8qQ/s320/zugo_inxio_phone_num_search.png" width="320" /></a></div>
<br />
<span style="font-size: large;">People</span><br />
<br />
Jeroen Seghers, CEO, Zugo Services Ltd, <a href="http://about.me/jeroenseghers">http://about.me/jeroenseghers</a><br />
Mark Simon Hirschfield, Director, Zugo Services Ltd.<br />
Omer Kaplan, Founder of AfterDownload, <a href="http://il.linkedin.com/in/omerkaplan1">http://il.linkedin.com/in/omerkaplan1</a><br />
<br />
<span style="font-size: large;">IP addresses, hosts and domains</span></div>
<br />
<table border="1"><tbody>
<tr> <th>IP address</th> <th>Hosts</th> </tr>
<tr> <td>204.232.212.106</td><td>zcode.biz,adlsoft.net</td> </tr>
<tr> <td>209.159.151.2-4</td><td>installer.zugo.com,tbupdate.zugo.com,utrack.zugo.com</td> </tr>
<tr> <td>64.20.54.67</td><td>startnow.com</td> </tr>
<tr> <td>66.45.232.178</td><td>zugo.com</td> </tr>
<tr> <td>184.25.108.35</td><td>c194738.r38.cf1.rackcdn.com</td> </tr>
</tbody> </table>
<br />
<div style="margin-bottom: 0in;">
<span style="font-size: large;">Further information</span></div>
<div style="margin-bottom: 0in;">
<a href="http://blogs.mcafee.com/mcafee-labs/adware-2-0-finds-a-distribution-channel">McAfee Labs adware analysis</a> </div>
<div style="margin-bottom: 0in;">
<a href="http://www.readwriteweb.com/archives/facebooks_3rd_biggest_advertiser_is_a_bing_affilia.php">Readwriteweb Facebook adware analysis</a><br />
<a href="http://searchengineland.com/bing-to-address-problems-with-affiliate-doing-tricky-home-page-switch-61551">Searchengineland Facebook adware analysis </a><br />
<a href="http://malware.cbronline.com/news/fight-breaks-out-between-security-lab-and-malware-firm">GFI Software and Zugo fight</a></div>
<br />
<div style="margin-bottom: 0in;">
</div>
<div style="margin-bottom: 0in;">
</div>contact unithttp://www.blogger.com/profile/09201912009730634722noreply@blogger.com4