Digital Choke Daynotes

What's a Daynote?

"Daynotes" are daily (usually) journal entries of interesting happenings and discussions. They are not 'blogs', which are often just a collection of links to other information (although we do include links occasionally). Daynotes are much more interesting (we hope).

These "Digital Choke Daynotes" were inspired by the collection of daily journals of the "Daynotes Gang" (see sites at .com, .org, .net), a collection of daily technical and personal observations from the famous and others. That group started on September 29, 1999, and has grown to an interesting collection of individuals. Readers are invited and encouraged to visit those sites for other interesting daily journals.

If you have comments, send us an email. A bit more about me is here. You might also enjoy our little story about the death of the 'net.

Monday morning, November 22, 2004

Virus Alert! "The Register" is a popular computer news site. They, like many news sites, run ads that are supplied by a third-party ad serving company. One of those companies was serving the Bofra/Iframe exploit, which allows installation of any program (virus/worm/spyware) just by displaying the ad content in the browser. So by visiting a web site that uses an infected ad server, you are vulnerable. The Register story is here (link fixed).

Note that although this is an IE 6 exploit, it does *not* affect Windows XP with SP2 installed.

If you visited The Register on Saturday (11/20/04), you should make sure your system is properly patched. If it is not, update your anti-virus, then scan your system. Then install Windows XP Service Pack 2.

This problem of ad servers spreading viruses and worms is likely to become more prevalent.

Note also that many will say to use an alternate browser. Firefox is the current 'geek and media darling'. I have tried it, and have found some differences in how it displays sites, mostly in the size of text, which displays smaller with Firefox than IE. Table borders are also sometimes MIA in Firefox. And I haven't been able to get the tabbing to work.

So I am not a Firefox zealot yet. I still use IE6 for most of my browsing; I also use NetCaptor, which uses the IE6 engine.

But even though I use IE6, I haven't been hit by any Windows vulns yet. Safe computing here: Windows updates, anti-virus updates, hardware/software firewall, and adware scanning.

Monday evening, November 22, 2004

Oops ... Dan Seto (you should visit his place regularly; today he has a great link about decorating your vacationing office worker's cubicle space) noted a bad link to the story on the Register's problem with the infected banner ad server. As he put it, the problem was "No doubt this was caused by random cosmic rays".

Yeah, that's it.

There is some more info on that story (see this morning's post up there), which I think is being under-reported. The banner ad company works with a lot of sites. I suspect that a corporate setting might find traffic from that place.

Since we do web filtering (we use SurfControl WebFilter) to keep track of all the company's web access, blocking inappropriate sites, I thought it might be interesting to see how much that site (the company is Falk AG) was used. So I fired up Crystal Reports, made an ODBC data connection to the SQL database on the web filter server, and got all the pieces of the databases linked together. Then I designed a report looking for all content from Falk AG from Friday to Monday.

After I got all the pieces working (still learning how to use Crystal Reports), it turns out there were about 80 accesses over the weekend. The Falk Folks say that only one in every 30 ads was served from the infected server. Their (Falk Folks) statement said (as reported by The Register):

The use of a weak point in one of our load balancers led to user requests not being passed to the ad servers. Instead the user requests were answered with a 302 redirect to a compromised website. This happened with approximately every 30th request. Users visiting websites that carry banner advertising delivered by our system were periodically delivered a file from the compromised site. This file tries to execute the IE-Exploit function on the users' computer.

That doesn't sound like much of a problem; only a 3% chance? But that's assuming only one ad per page load. If one were the paranoid type (and information security dweebs tend to be), you might really be worried about the problem. It is unclear when the problem started at Falk AG. And how their client sites might (or might not) be protected. And how many computer systems are vulnerable (remember that XP/SP2 is not affected by the Bofra/Iframe vulnerability).

So we're taking a closer look at our IDS and firewall logs to see if we can see any of the Bofra traffic (port 1639 neighborhood) on our network.

But the larger issue is: how does a company ensure that their 'partners' (like ad banner companies) are protected against exploits? What liabilities might you have if your partner is serving up exploits? How will your customers react?

The Internet Storm Center has some interesting thoughts on this incident, along with links to other information sources about this attack.

I think this will be (or is) a bigger problem than most think. It's wider than just The Register. Take a look at Matt's blog of this problem.

Remember the big flap about major web servers that were compromised and downloaded exploits to your computer? What we called the "Russian Ject" exploit?

This one may be just as widespread. You heard it here first. We'll be keeping track of this one.

In the meantime, virus scanning might be in order. Along with some analysis of your IDS and firewall logs.
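As an added example (not from the original daynotes, and not SurfControl, Crystal Reports or Falk AG code), here is the same two-part check described above done in Python: count requests to the ad network per user over the Friday-to-Monday window, as the Crystal Reports query did, and scan firewall lines for TCP connections to port 1639, the port the Bofra backdoor listened on. The log formats, the hostnames under falkag.net, the users and the addresses are all constructed samples and assumptions, not data from either company. It also works the 1-in-30 figure from Falk's statement into a per-user exposure estimate, which the text argues is larger than "3%" once a user has loaded more than one ad.

```python
"""Added example (not from the original daynotes): scan constructed proxy-log
and firewall-log lines for the two indicators discussed in the entry above --
(1) requests to the Falk AG ad servers over the Friday-to-Monday window, and
(2) TCP flows to port 1639, the Bofra backdoor port.
The log formats, hostnames, users and addresses below are constructed samples;
the falkag.net suffix is an assumption, not a fact from the page."""
import re
from collections import Counter
from datetime import date, datetime
from urllib.parse import urlsplit

AD_DOMAIN_SUFFIX = ".falkag.net"          # assumption: the ad network's domain
BOFRA_PORT = 1639                         # port the Bofra backdoor listened on
WINDOW = (date(2004, 11, 19), date(2004, 11, 22))   # Friday .. Monday inclusive

# Constructed proxy log: "<date> <time> <user> <method> <url> <status>"
PROXY_LOG = """\
2004-11-19 09:12:03 jdoe GET http://www.theregister.co.uk/ 200
2004-11-19 09:12:04 jdoe GET http://ads.falkag.net/server?cid=123 302
2004-11-20 14:30:11 asmith GET http://ads.falkag.net/server?cid=456 200
2004-11-21 22:05:40 jdoe GET http://as.falkag.net/server?cid=777 200
2004-11-22 08:01:15 bjones GET http://www.example.com/ 200
2004-11-23 10:00:00 asmith GET http://ads.falkag.net/server?cid=789 200
"""

# Constructed firewall log: "<date> <time> <action> <proto> <src>:<sport> -> <dst>:<dport>"
FIREWALL_LOG = """\
2004-11-21 03:14:00 ALLOW TCP 10.1.2.30:3245 -> 203.0.113.7:80
2004-11-21 03:14:02 ALLOW TCP 10.1.2.30:3246 -> 203.0.113.7:1639
2004-11-21 03:20:17 DENY TCP 198.51.100.9:44120 -> 10.1.2.30:1639
2004-11-22 11:02:33 ALLOW TCP 10.1.2.31:1639 -> 203.0.113.9:443
"""

PROXY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<user>\S+) (?P<method>\S+) "
    r"(?P<url>\S+) (?P<status>\d{3})$")
FW_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DENY) (?P<proto>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def ad_server_hits(log, window=WINDOW, suffix=AD_DOMAIN_SUFFIX):
    """Return {user: count} of requests to hosts under `suffix` whose date
    falls inside `window`. Lines that do not parse are skipped."""
    hits = Counter()
    for line in log.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        day = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").date()
        if not (window[0] <= day <= window[1]):
            continue
        host = (urlsplit(m["url"]).hostname or "").lower()
        if host == suffix.lstrip(".") or host.endswith(suffix):
            hits[m["user"]] += 1
    return dict(hits)


def exposure_probability(n_requests, rate=1 / 30):
    """Chance that at least one of n_requests went to the compromised path,
    treating each request as an independent 1-in-30 draw (Falk's figure)."""
    return 1 - (1 - rate) ** n_requests


def bofra_port_hits(log, port=BOFRA_PORT):
    """Return (src, dst, action) for TCP flows whose *destination* port is
    `port`. Matching the source port too would flag ordinary outbound traffic
    that happened to pick 1639 as an ephemeral port."""
    out = []
    for line in log.splitlines():
        m = FW_RE.match(line)
        if m and m["proto"] == "TCP" and int(m["dport"]) == port:
            out.append((m["src"], m["dst"], m["action"]))
    return out


if __name__ == "__main__":
    hits = ad_server_hits(PROXY_LOG)
    for user, n in sorted(hits.items()):
        print(f"{user}: {n} ad requests, exposure ~{exposure_probability(n):.0%}")
    print(f"80 requests (this weekend's count): ~{exposure_probability(80):.0%}")
    for src, dst, action in bofra_port_hits(FIREWALL_LOG):
        print(f"port {BOFRA_PORT}: {src} -> {dst} ({action})")
```

Two things worth noting from the design: the date window keeps the Tuesday request out of the count, so the report matches the "Friday to Monday" question rather than everything the filter has ever logged; and the firewall check keys on the destination port only, because an internal host that merely chose 1639 as its source port for an HTTPS connection is noise, while an inbound connection attempt to 1639 on an internal host is exactly what an already-infected machine being contacted would look like.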

Tuesday afternoon, November 23, 2004

As we continue with our look at the banner-ad-site-hack (see above)...

The FalkAG site was probably not the original source of the attack. It appears from Matt's blog that the Comedy Central site was previously hacked. It contained the actual exploit files, which were accessed by the attack on the FalkAG site. When you got an infected ad banner (served by the compromised FalkAG server), it contained code to get (and run) some programs that were on the Comedy Central site. Matt says that the actual exe's on the CC site were dated 11/9 and 11/12, so the CC site was compromised before the FalkAG site.

The files served via the FalkAG site had buffer overflow code that grabbed files from the CC site. So this was a deliberate attack, whose purpose seems to be to install backdoors on any vulnerable computer getting a banner ad from FalkAG.

I suspect that the back door's main purpose is to establish a 'bot net', or a group of infected computers, probably to use those computers as mail relays for spam. This seems to be a common thing for virus writers to do, and seems to be part of a pattern that the hackers are joining with the spammers to allow spam mail to be sent through (relayed) compromised systems. The relay obscures the actual source of the spam, making it harder for the anti-spam programs to blacklist mail spamming sources.

I also suspect that the intent may also be to harvest information from the infected (bot) computer. Valid emails are valuable to the mail spammers -- a known good email address is worth more. And there are identity theft harvesting worms, whose purpose is to extract keystrokes or data files related to financial information.

Imagine a keystroke logger on a computer that watches for access to a bank web site, or eBay or PayPal or Amazon. When the logger sees that access, it starts capturing all of the keystrokes -- the credit card number, PIN, shipping address, etc. Then the logger, when contacted by the bot's "owner", will send that information back to the owner (the hacker). That financial information can be quite valuable.

The interesting thing about this attack is how widespread it might be. Take an ad-banner company that serves up millions of ads each day...not an unreasonable figure. What if a percentage of those were also serving up a program that gets installed on the viewer's computer? Using a banner ad company as your attack point makes your attack much more widespread. For instance, for March 2004, FalkAG reported over 12 billion ad impressions in one month. Not a bad attack vector.

On another subject: do you have "caller ID" on your color printouts? An article in PC World states that your color laser printer may have unique hidden printing to identify the printer used.

"According to experts, several printer companies quietly encode the serial number and the manufacturing code of their color laser printers and color copiers on every document those machines produce. Governments, including the United States, already use the hidden markings to track counterfeiters.

"Peter Crean, a senior research fellow at Xerox, says his company's laser printers, copiers and multifunction workstations, such as its WorkCentre Pro series, put the "serial number of each machine coded in little yellow dots" in every printout. The millimeter-sized dots appear about every inch on a page, nestled within the printed words and margins. "

Other news reports indicate similar tracking on HP printers, in addition to Xerox; not all models. You can see the yellow dots with a blue LED light, although they are quite small, so you might need a magnifying glass (more info in the above link).

Document Tracking, anyone?

(Excuse me now while I retreat into my 'no technology' safe room ....)

Wednesday, November 24, 2004

Turkey day tomorrow. Although we're doing a honey-baked ham; we had a turkey dinner last Sunday. But the family will all be here, including Stacy back from college for the long weekend.

There will probably be too much food, and lots of leftovers. But we'll attempt to do our share in consumption.

Hope you all have a good holiday. And for those of you that are not in the U.S., take an extra day off with my permission.

Saturday, November 26, 2004

It was just as I predicted. Too much food, lots of leftovers, family togetherness. A good thing.

It started with a quiet Thursday morning. Pam was cooking in the kitchen, and I was goofing with the computers and the 'net. Stacy is back from Idaho for the holiday. Jason came up for dinner, and Christine and her family showed up for dessert afterwards. Christine and the grandkids spent the night (Jared and Jason went to their respective houses, as they both had to work on Friday).

Friday morning dawned before dawn. One of the family traditions is that Pam and the girls go shopping on the day after turkey day. And they get up early to hit the stores when they open at 5:30am. My job was to stay home and watch the grandkids. Everyone was happy with their duties.

So my Friday morning was filled with the grandkids. We colored, watched kid's TV, had snacks, and played with our toys. And the girls had a good time shopping, as evidenced by the full car trunk, and the emptiness of my wallet.

Today, we all slept in, and had a relaxing day. I made a trip to Home Depot to get a carbon monoxide detector for Stacy to take back to her apartment in Idaho. Pam and Stacy did a bit more shopping, and then the rest of the day has been Christmas movies on the Hallmark channel.

A very early day tomorrow. Stacy's flight leaves a bit after 7:00 am, so we need to get to the airport by about 5:30am. Then the usual Sunday meetings, and a quiet Sunday afternoon. Pam will probably be reading, and I will be the one with the laptop on my lap.

Hope your weekend was also pleasant. Even if you didn't get to celebrate Turkey Day.

... more later ...