Phishing Pattern-Squatters
Recently, I received some of the email messages purportedly telling me I had a refund from the IRS. If you click on the link you will get infected by the ZeusBot Trojan, of which there seems to be a new variant about every four to six hours to avoid detection by the various Anti-Virus and Anti-Spy engines. How bad is the detection on them? Usually fewer than 10 of the 41 AV engines at VirusTotal will flag it as bad. In the best of all worlds, everybody would be using Thunderbird, Claws Mail, or similar MUA (Mail User Agent) programs. Everybody would then get the email messages the way I did - no jangling telephone, screaming kids or other organized mayhem or disorganized chaos. I could not even see the links. I had to save the email messages and read them in Vim to suck down the then-current ZBot for analysis.
But we don't all live in an ideal world. The messages arrived right before American Thanksgiving which even put a lot of pressure on me to do something about it. Most people are using WebMail (Sarah Palin, et al), Outlook Express, Outlook or some other helpful (not) MUA that obligingly displays the links in the HTML for people to click on them and get infected. There is no doubt that having it arrive in the midst of major winter holidays is making for a very successful campaign. At least tens of thousands and perhaps even hundreds of thousands or even millions of machines running Microsoft Windows now have been infected. Linux, Macintosh, and other Unix or Unix-like owners should not chortle. What makes most of these campaigns so successful is the PEBKAC (Problem Exists Between Keyboard And Chair) factor. I must say that the smugness of Macintosh owners is not a good thing. As Dai Zovi has said, "There is no magic fairy dust protecting Macs."
So I had to do something. One was to just tell people to be tardy in reading their email. The hosts in the email messages usually have a life-span of 24 hours or less. Guess what? That will work! If you are late getting around to reading that particular message, the host will no longer have an IP address and so you will be protected. But do not let that lull you into a false sense of security. Even though what I normally work with does have host names that come and go like mad, making them totally immune to even the most ambitious black-list type approach, two possible threats exist. First, people mistakenly assume that once the initial salvo of hosts has died, the problem has gone away. Au contraire. My samples came well over two weeks after the University of Alabama at Birmingham researchers led by Dr. Gary Warner identified the host name patterns that were in the message I received. You can see the latest of what the UAB anti-malware team discover here:
http://GarWarner.BlogSpot.com
Just because it may have died down for now doesn't mean it cannot be resurrected later. The hackers can always count on the PEBKAC factor to help them get the job done. Second, even though the hosts are currently not staying around for more than 24 hours, that doesn't mean the hackers cannot change their modus operandi. All the hackers have to do is identify the email addresses the UAB.edu research team are using and have their malware avoid sending messages there and to other addresses identified by a reverse email black-list. The other part would be to let the hosts live longer. The hackers will very likely do precisely both of those things in the future. So what is needed is something that will spring into action defending against unknown threats. I am adding rules that do precisely that to the PAC filter we provide, which I have always touted over the blocking hosts file provided at HostsFile.org and SecureMecca.com. The PAC filters are here:
http://www.HostsFile.org/pac.html
http://www.SecureMecca.com/pac.html
I am using the magic of the order in which the rules are evaluated (the fourth dimension, in the words of Dr. Emmett L. Brown) in the PAC filter to restrict which hosts get through: a GoodDomains match is checked first and lets the host through, and only then are the BadHostParts and BadHostWordStarts patterns tried. For example, for the IRS and FDIC I have the following sets of rules:
GoodDomains[i++] = "fdic.gov";
GoodDomains[i++] = "irs.gov";
// BadHostParts[i++] = "fdic\.gov";
BadHostWordStarts[i++] = "fdic\.gov";
// BadHostParts[i++] = "irs\.gov";
BadHostParts[i++] = "refund-services\.irs";
BadHostParts[i++] = "refunds\.irs";
BadHostWordStarts[i++] = "irs\.gov";
BadHostWordStarts[i++] = "refund-services\.irs";
BadHostWordStarts[i++] = "refunds\.irs";
First, you will notice I am feeling my way along here. Any filtration system can have false positives. The commented out rules are active for me, but deactivated (commented out) for others. For the current campaign, the other rules will do nicely at protecting you: you can click on the links and the PAC filter will spring into action. Once I am convinced the commented out rules produce very few or no false positives, most of the other rules will disappear and just the commented out rule and the GoodDomains rule will be retained. There is one glaring security hole here. You could go to a host named NewAndImprovedIRS.gov, because a GoodDomains pattern without a leading dot is matched as a suffix, and NewAndImprovedIRS.gov ends in irs.gov. Since the likelihood of the hackers being able to stick something like that into the DNS caches is low, I will live with it until it can be shown to be a high security risk. The reason for the choice is that the way it is now you can type irs.gov, but with the more restrictive way you must type www.irs.gov or have something / anything followed by ".irs.gov". You make it more restrictive by putting a dot at the start of the GoodDomains pattern (what is inside the quotes); the commented out BadHostParts rule then catches irs.gov wherever it appears in the host name.
Second, I just added slightly over two dozen phish threats from Dr. Warner's blogs, where the phishers attempt to steal the FTP / CPanel credentials of customers of slightly over two dozen of the top web page providers that use CPanel. Here is one of them, for the top ranked web page provider as identified by Alexa:
GoodDomains[i++] = ".yahoo.com";
GoodDomains[i++] = ".yahooapis.com";
BadHostParts[i++] = "yahoo\.com";
BadHostParts[i++] = "yahooapis\.com";
BadHostWordStarts[i++] = "cpanel";
Like the other rules they are of course all in their relevant sections. What this does is prevent me from clicking on a phish saying I must click on the link to correct a problem with my account. We will ignore for the moment that I do not use cpanel and would never click on such a link (normally because I cannot even see it). But if I ever did and I was a Yahoo customer, these PAC rules would spring into action to protect me. These rules will even prevent me from going to something like NewYahoo.com. On the down side, they also prevent me from going to Yahoo.com but allow me to go to www.Yahoo.com. If you want things less secure just delete the leading dot in the pattern (what is inside the quotes) in a GoodDomains rule. There are a few where there is no leading dot. That is because the way those sites work prevented this more secure stance from being adopted. Here is one of them:
GoodDomains[i++] = "all-inkl.com";
BadHostParts[i++] = "all-inkl\.com";
There is nothing I can do about it. If you paste www.all-inkl.com into the URL bar of the browser it will immediately redirect you to all-inkl.com, so the bare name must stay in GoodDomains without a leading dot, and anything ending in all-inkl.com gets through with it. I am glad they want a pattern-squatter to imitate them in the COM domain.
You may ask: "My web hosting provider is not in the file. What can I do?" Well, say your web hosting provider is softlayer.com. All you need to do is add the following two rules to the relevant sections:
GoodDomains[i++] = ".softlayer.com";
BadHostParts[i++] = "softlayer\.com";
If you want to live a little more dangerously you can delete the leading dot in the GoodDomains rule pattern. IOW, it would be just "softlayer.com". Please realize I practice what I preach:
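To make the evaluation order concrete, here is an added, runnable reconstruction of the three rule classes as they are used above. It is not the hostsfile.org or securemecca.com PAC file: the array names and the rule strings come from this post, but the matching logic, the dnsDomainIs() shim, the treatment of BadHostWordStarts as a regex anchored at the start of a host label, and the "PROXY 127.0.0.1:3421" black-hole string are assumptions. Backslashes are doubled because a plain JavaScript string collapses "\." to "." before the RegExp constructor sees it. The block also shows the stricter irs.gov stance (leading dot plus the commented out BadHostParts rule) beside the loose one.

```javascript
// Added example: reconstruction of the rule-evaluation order the post
// describes. NOT the real hostsfile.org / securemecca.com PAC file; the
// matching logic, the dnsDomainIs() shim and the BLOCK string are assumed.

// Browsers supply dnsDomainIs() to PAC scripts; this shim lets the block run
// under Node. It is a plain suffix match, which is why a GoodDomains entry
// without a leading dot also admits lookalikes that merely END with it.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.slice(host.length - domain.length) === domain;
}

// Rules from the post ("\\." so the escape survives into the RegExp).
var GoodDomains = [], BadHostParts = [], BadHostWordStarts = [], i;
i = 0;
GoodDomains[i++] = "fdic.gov";        // loose: no leading dot
GoodDomains[i++] = "irs.gov";         // loose: also admits newandimprovedirs.gov
GoodDomains[i++] = ".yahoo.com";      // strict: www.yahoo.com yes, yahoo.com no
GoodDomains[i++] = ".yahooapis.com";
GoodDomains[i++] = ".softlayer.com";
i = 0;
BadHostParts[i++] = "refund-services\\.irs";   // regex, may match anywhere
BadHostParts[i++] = "refunds\\.irs";
BadHostParts[i++] = "yahoo\\.com";
BadHostParts[i++] = "yahooapis\\.com";
BadHostParts[i++] = "softlayer\\.com";
i = 0;
BadHostWordStarts[i++] = "fdic\\.gov";          // regex anchored at a label start
BadHostWordStarts[i++] = "irs\\.gov";
BadHostWordStarts[i++] = "refund-services\\.irs";
BadHostWordStarts[i++] = "refunds\\.irs";
BadHostWordStarts[i++] = "cpanel";

var DIRECT = "DIRECT";
var BLOCK = "PROXY 127.0.0.1:3421"; // assumed black-hole proxy; any dead address works

// Evaluate one host against a rule set in the order the post relies on:
// whitelist first, then the two blacklists. Returns DIRECT or BLOCK.
function decide(host, rules) {
  host = host.toLowerCase();
  var k;
  for (k = 0; k < rules.good.length; k++) {
    if (dnsDomainIs(host, rules.good[k])) return DIRECT;   // whitelist wins
  }
  for (k = 0; k < rules.parts.length; k++) {
    if (new RegExp(rules.parts[k]).test(host)) return BLOCK;
  }
  for (k = 0; k < rules.wordStarts.length; k++) {
    // "word start" (assumed): start of host, or right after a dot or hyphen
    if (new RegExp("(^|[.-])" + rules.wordStarts[k]).test(host)) return BLOCK;
  }
  return DIRECT;
}

var defaultRules = { good: GoodDomains, parts: BadHostParts, wordStarts: BadHostWordStarts };

// The PAC entry point a browser calls; url is unused because these rules
// look only at the host.
function FindProxyForURL(url, host) {
  return decide(host, defaultRules);
}

// The stricter stance from the post: leading dot on the GoodDomains entry plus
// the commented out BadHostParts rule. Closes the newandimprovedirs.gov hole at
// the price of having to type www.irs.gov instead of irs.gov.
function strictIrsRules() {
  return {
    good: GoodDomains.map(function (d) { return d === "irs.gov" ? ".irs.gov" : d; }),
    parts: BadHostParts.concat(["irs\\.gov"]),
    wordStarts: BadHostWordStarts
  };
}

// Stand-alone demo of loose versus strict decisions.
["www.irs.gov", "NewAndImprovedIRS.gov", "refunds.irs.gov.example.com",
 "yahoo.com", "www.yahoo.com", "cpanel.example.net"].forEach(function (h) {
  console.log(h + ": loose=" + FindProxyForURL("http://" + h + "/", h) +
    " strict=" + decide(h, strictIrsRules()));
});
```

Note the difference between the two blacklists: BadHostParts "yahoo\.com" stops newyahoo.com, whereas BadHostWordStarts "cpanel" stops cpanel.example.net but not mycpanel.example.net, because the pattern must begin a label. To load this as a real PAC file, drop the dnsDomainIs() shim and the demo loop; the browser supplies dnsDomainIs() itself.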
GoodDomains[i++] = ".hostsfile.org";
GoodDomains[i++] = ".securemecca.com";
BadHostParts[i++] = "hostsfile\.org";
BadHostParts[i++] = "securemecca\.com";
I am now protected from NewHostsFile.org and BetterSecureMecca.com and you can see this in my update scripts. I can understand any name service provider not trying to prevent those names from being granted. Both are only rated around 6,000,000+ and if the rating starts going up I immediately begin to search for the new trackers that are most likely the cause. But for the first few thousand top rated web sites as identified by Alexa or similar, a red flag needs to be raised that NewMicrosoft.com or BoobYouTube.com should be looked at very suspiciously at every host name service provider. They certainly shouldn't be granted immediately. At any host name provider a human needs to be notified before the name is granted. If you ask me there are certain patterns like "irs.gov", "fdic.gov", "chase.com" (pick your favorite bank) that should just be denied outright. Think of it as extended trademark protection in host names. Perhaps we need a siren to go off and a red light to start flashing for the higher priority host name patterns at the name service provider.
If you have rules you feel need to be added to the PAC filter, my email address is in the PAC filter file. That doesn't mean I will add them. There is a priority based on my estimation of how many people will use them. The top ones are my responsibility. The lesser used ones are each individual user's responsibility.
For the person in the Washington Post who said that everybody should use sftp instead of ftp: you are correct. But you should provide a list of host name / web service providers along with the relevant pages on how they provide the sftp access and how you should set it up. And I do not want some wham doozle Windows executable to do it. I would use sftp from a Unix system with an expect script to do the job of uploading. IOW, I need their web pages and they had better have support for both Windows and Unix systems. By sftp access, I mean that there should be a detailed page on how to set it up on both Windows and Unix systems. Those host name / web service providers that start doing the pattern rejections I propose and providing sftp access deserve our support.
HHH