Saturday, January 25, 2014

PhishTank

Volunteer Reviewers Needed
   I have noticed that PhishTank has gone from something where I could review the phish they had in one session of about two or three hours to impossible.  It is not the only thing that has gone down.  Here was what my and others' email spam problem used to look like:


Now it is malware as numerous as spam:


So kiss goodbye any idea of help you will get from "the man".  I have been getting many hundreds of malware per day recently.  I have been submitting what I can at VirusTotal but the number has gone way beyond ridiculous.  I can only assume that if the FBI didn't request it that they are in favor of it.  Ditto for the US and Russian governments, the NSA, and the CIA.  Look, we have millions of stolen credit card numbers at Target and Neiman Marcus at the end of 2013.  Except for the contractors working on the problem they seem to be going it alone.  Right now the world is upside down.

First, you need the link to PhishTank.  Here it is with the secure login specified, since they shift you to that whether you want it or not if you use their GUI to review.  Trust me; it is to your advantage to use the secure route (port 443), since many Internet Service Providers will otherwise interpret the traffic as your machine being infected, and no, they will not see that you are going to PhishTank.  Okay, here is where they are at:

Phishtank Home


Here are tips, mostly in whatever order they pop into my mind, to help you review the phish:
  1. I frown on the use of Windows for doing this.  There is malware at PhishTank.  Even worse, there is no button to say it is malware, which could be used to winnow those entries out.  I have tried to encourage a redesign that has a malware button but we won't get it.  Use Windows only if you really know what you are doing.  Avoid obvious malware links where the URL ends in ".cpl", ".exe" or similar.  Better yet, use some sort of block mechanism that blocks those for you.  But Firefox on Linux is one recommended phish review combination.  Be aware that Firefox doesn't handle iFrames.  Opera has similar problems where it really is a phish but you don't see it.  Either Firefox or Safari on Macintosh will also do nicely.  You don't have to use the GUI since PhishTank does provide lists, but I strongly discourage the list approach if you are using Windows.
  2. Okay, you ignored me and you are using Windows anyway.  Then I advise skipping those entries where they don't show you a picture.  Just be aware that if it shows Google Docs in the picture and the URL is definitely not Google Docs, that does not mean it is still a phish.  Things come and go quickly here.  What it does mean is that you can probably safely snatch the URL and try it out since it at least was a phish.
  3. While working on these I have two lists showing in vim in an xterm.  They are Phish / Not Phish.  They list not the URLs but just the affected hosts; when I notice three or more phish at a domain, it goes into the phish list.  Rather than blaze away calling them all phish, check them every so often during the session.  Do not be surprised if a host goes from the phish list to the not-phish list even during the session.  The list I use has dates when I added them.  These are helpful but volatile.  Anything older than 5-7 days in your list is probably gone.
  4. If the URL shown to you is using not a host name but an IP (IPv4) address, if it shows what was a phish, then it is still a phish.  The only question remaining is whether it is an active phish or whether it is gone.  What do I do?  If it shows one of the many banks, Google Docs, or other known phish types in the picture I mark it as a phish.  It is never (well, almost never) a legitimate host.  Instead it is a hacked Windows PC.  See the two pictures in this blog entry?  The machines sending the email messages are hacked Windows PCs.  They are not supposed to be doing web-service duty or sending email directly.  Mark them as phish and let us Linux and Mac reviewers put them to bed.
  5. You just got a redirect to Google so the people fixed the problem, right?  Wrong!  Malware links in web pages frequently let only 5% to 15% of the people through to the malware.  Often, they redirect the others to Google or do nothing.  So how do you "fix a phish?"  First, clean the server and install new web-server code.  Second, close the entire folder down where all the phish live.  Third, set all the phish links to redirect to your own home page.  Fourth, set it to just give a blank line.  In Firefox this can be viewed under Tools - Web Developer - Page Source.  You will see a grayed out 1, or 1 and 2, which means that many blank lines.  But it is just as likely that the phishers themselves have set the phish to go to Google or some place else 85% to 95% of the time.  The only valid redirect phish fix is to yourself.  It showed Google Docs and now it shows Google?  It is still a phish since you and I don't know who did the redirect.
  6. If your filters caused a block and you know this some way, just click on either "I don't know" or preferably just ask for the next entry.  I use my PAC filter but in a file with all of the phish rules stripped out of it.  I then actually have to add some of the GoodDomains phish rules back in but not the pair.  E.g., the GoodDomains ebay rules may be added back in but I don't put the other Bad rules for ebay in.  We shouldn't be testing your phish filtration.  We are reviewing the phish.
  7. I will put more here as they come to me.  Right now I am handling a slug of malware where, despite the scam being the same, the malware is not.  I am probably getting 5+ different types of malware per day.
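
The mechanical checks from tips 1, 3 and 4, sketched as an added JavaScript example (the language of PAC files); this is not the author's PAC filter. The function names, the extensions beyond ".cpl" and ".exe", the blackhole proxy address and the sample hosts are all assumptions.

```javascript
// Added example: names, the extension list past .cpl/.exe, the blackhole
// address and the sample data are assumptions, not the author's PAC filter.
const RISKY_EXT = /\.(cpl|exe|scr|pif|com|bat|msi)$/i;
const BLACKHOLE = "PROXY 127.0.0.1:9"; // assumed closed local port: request dies
const MAX_AGE_DAYS = 7;                // tip 3: older entries are probably gone
const PROMOTE_AT = 3;                  // tip 3: three or more phish at one host

// Tip 1: does the URL *path* end in an executable extension? The host is
// stripped first so "example.com" is not mistaken for a DOS .com file.
function endsInExecutable(url) {
  const rest = url.replace(/^[a-z][a-z0-9+.-]*:\/\/[^\/?#]*/i, "");
  return RISKY_EXT.test(rest.split(/[?#]/)[0]);
}

// PAC entry point. Browsers may hand a PAC script only the scheme and host
// of https URLs, so the path rule mainly protects plain-http fetches.
function FindProxyForURL(url, host) {
  return endsInExecutable(url) ? BLACKHOLE : "DIRECT";
}

// Tip 4: host given as a dotted-quad IPv4 literal instead of a name.
function isIPv4Literal(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  return m !== null && m.slice(1).every((o) => Number(o) <= 255);
}

// Tip 3: hosts with PROMOTE_AT or more sightings inside the age window.
// sightings: [{host, date: "YYYY-MM-DD"}]; today: "YYYY-MM-DD".
function phishHosts(sightings, today) {
  const cutoff = Date.parse(today) - MAX_AGE_DAYS * 86400000;
  const counts = new Map();
  for (const s of sightings) {
    if (Date.parse(s.date) < cutoff) continue; // aged out of the list
    counts.set(s.host, (counts.get(s.host) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n >= PROMOTE_AT).map(([h]) => h).sort();
}

// Constructed sample log (reserved .test names and documentation IPs).
const SAMPLE = [
  { host: "shop.example.test", date: "2014-01-22" },
  { host: "shop.example.test", date: "2014-01-23" },
  { host: "shop.example.test", date: "2014-01-24" },
  { host: "203.0.113.7", date: "2014-01-05" },
  { host: "203.0.113.7", date: "2014-01-23" },
  { host: "203.0.113.7", date: "2014-01-24" },
];
```

In a real PAC file only `endsInExecutable` and `FindProxyForURL` are needed; the other two helpers belong in a review notebook rather than the browser.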

Monday, January 20, 2014

Ridiculous

   PerniciousMalware (nee PeskySpammer), let's review what I have already given you for pruning your lists.  I am doing this because I may be posting to Slashdot to shame some people into rectifying major defects in the way things are being done right now.  So here is the code for doing a first-pass cleanup of your TO list:

Winnow Users

   What is the result of you, Yahoo and other Mail service providers doing it wrong?  Here is how it looks in Thunderbird:




   And here is what it looks like in Yahoo's web-mail interface:


   I call the first one DOS because that is exactly what it is: a Denial Of Service.  There are no fake pharmacy URLs or malware.  In fact the supposedly real world user names are nothing more than the titles of the articles whose contents you put into the messages.  In short, how stupid can you be?  Sending somebody hundreds of messages like this makes me wonder if the FBI requested that you do it.  As bad as you are, there are some others this message is addressed to.
   To Yahoo - stop changing your web-mail GUI and take care of your hack-in.  You have been shoving out malware through your ad-servers and I have detected the hackers still have various levels of internal access.  Make it so your paying customers get the email addressed to the users for the given domain with mail for the users postmaster, webmaster, and abuse delivered to the master user.  For me that means only four email accounts.  All other email to other non-existent users should be stapled, mutilated, spindled, and shredded.  This especially includes email like this that isn't even coming from the domains it purportedly comes from.  Search for previous blog entries to learn to handle them.  If you did this your email volume would be reduced to a trickle of what it is now.
   To Comcast - after about the fourth time it seems you would have a log that once you talked to Yahoo your check would result in the proper action for me and others like me that are victims of this type of abuse - complain to Yahoo or other Mail Service Providers to fix their problems.  Instead you have blocked me from sending email repeatedly due to your stupid no white-list rule.  If I were rich I would sue you for slander and anything else an attorney would be willing to go after you on.  All I know is you must be stupid to have not figured it out by now.  Almost all the mail is coming DOWN to me.  I send out less than 1% of what I receive.
   To the FBI, Interpol, and NSA.  The sending IP addresses are in the saved email messages.  It would be a simple matter to do forensic analysis on one of the machines and track it back to the Russian (sometimes the stupidity of PerniciousMalware makes me disbelieve they could be Russian) or Chinese hackers.  It isn't just spam.  I just made information on their two malware today and will make the malware available to the AV companies on demand (as if they really need it - they are swamped).
   To the Russian and / or Chinese governments.  Find these people and put them where the sun doesn't shine.