cyberwart

I’m into phishing attacks. I think they can be very clever and effective. So despite hating spam, when a particularly interesting attack makes it through my filters I’m interested. Here is a below message I recently received:

Received: from rrcs-70-61-41-118.central.biz.rr.com ([70.61.41.118]) by
XYZ.cyberwart.com with XYZ; Wed, 20 Aug 2008
16:46:16 -0400
Received: from [70.61.41.118] by vs.inext.co.jp; Wed, 20 Aug 2008 15:46:19
-0500
From: “Curtis Townsend” <xire@braintrust-art.com>
To: <XYZ@cyberwart.com>
Subject: Fedex Tracking N_ 6625268383
Date: Wed, 20 Aug 2008 15:46:19 -0500
Message-ID: <01c902db$e3389780$76293d46@xire>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=”—-=_NextPart_000_000E_01C902DB.E3389780″
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.3416
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4963.1700
Importance: Normal
Return-Path: xire@braintrust-art.com
X-OriginalArrivalTime: 20 Aug 2008 20:46:24.0488 (UTC)
FILETIME=[CF540680:01C90305]
X-Evolution-Source: pop://XYZ@localhost/

This is a multi-part message in MIME format.

——=_NextPart_000_000E_01C902DB.E3389780
Content-Type: text/plain; charset=”iso-8859-1″
Content-Transfer-Encoding: 7bit

Unfortunately we were not able to deliver postal package you sent on August the 1st in time
because the recipients address is not correct.
Please print out the invoice copy attached and collect the package at our office

Your FEDEX

——=_NextPart_000_000E_01C902DB.E3389780
Content-Type: application/zip; name=”WD6128922.zip”
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=”WD6128922.zip”

I’m waiting on a couple fedex packages so I almost opened it. The sad thing is that looking at it, the details aren’t really there. They should have spoofed the sender and made it look more like a real fedex message.

Not too long ago, I had a customer have some trouble with malicious email being sent to corporate users. The emails came from outside the network, but appeared to be coordinated by an accomplice on the inside. We wanted to see if we could discover who that accomplice was. So I wrote a quick little script using Python and SCAPY to monitor who is emailing who.

#!/usr/bin/python

import sys, signal, os, time

try:
from scapy import *
except:
print “scapy must be installed”
sys.exit()

def net_handler(p):
efrom = eto = esubj = ” ”

t = str(time.strftime(‘%X %x’))
src = str(p[IP].src)
dst = str(p[IP].dst)
p = p.getlayer(“TCP”)
msg = str(p.payload).split(‘\n’)

#print “–email detected–”

for line in msg:
line = line.upper()
if line.find(“FROM: ” ) == 0:
efrom = line[5:]
efrom = efrom.strip()
if line.find(“TO: ” ) == 0:
eto = line[3:]
eto = eto.strip()
if line.find(“SUBJECT: “) == 0:
esubj = line[8:]
esubj = esubj.strip()

if efrom != ” ” and eto != ” “:
print ‘%s, %s, %s, %s, %s, %s’ % (t, src, dst, efrom, eto, esubj)

def main():
sniff(count=0, store=0, iface=”eth0″, filter= “tcp port 25 or tcp port 110″, prn=net_handler)
print “finis”

main()

My company will be giving out Free Tshirts at Defcon during Bob Rick’s talk. Make sure to stop by to get one!

Despite being a hardcore linux guy, I like all the features Exchange provides. Sure they add additional attack surface, but on the whole the features make business a lot easier. Anyway, CyberWART moved our email server to Exchange and spam instantly increased. Setting up email filtering didn’t fully work out until I enabled it for SMTP — as opposed to the server in general. Since it was a bit of a pain, I thought I’d link the article:

http://technet.microsoft.com/en-us/library/bb914061.aspx

I just stumbled across an interesting article about an upcoming talk at BlackHat. They dub the technique “GIFAR” where they rename a java file as a gif but it still executes as a jar.

CyberWART and G2 have used similar techniques. One of my favorites is to create a html file and rename it to a .doc extension. The file will open, and if done correctly, will look exactly like a MS Word document. However, there are a couple nice perks.

First, some html commands will work. You can embed an hotlink to an image on the web. The computer will automatically pull it. This is useful for SPAM and such.

Additionally, you can embed ActiveX. The ActiveX will autoexecute in the context of the localhost — which is lovely. We’ve been fuzzing those controls.

Update to NOP certifications: they will be available first come
first served (sign up sheet) at the Immunity Inc. booth in the vendor
section of DEFCON. Participants can use their own tools if provided to
us on CD, or
Immunity tools will be provided. …..

….we can confirm that not only will certified NOPs at DEFCON receive
an invitation to the Sexy Hacking party, to be held in an as-yet
undisclosed location on Saturday August 9, but at the party certified
NOPS will also have the opportunity to play Hugh Jackman’s role from
the film Swordfish while sitting an advanced NOP certification test!
Select Sexy Hacking girls will be scene extras and the winners will
receive a job interview with Immunity.