Wednesday, January 13, 2010

The Dangers of Iframe

This is old news but something worth blogging about.

An estimated 5.8 million pages belonging to 640,000 websites were infected with code designed to launch malware attacks on visitors, according to a report released Tuesday.
...
An estimated 54.8 percent of the attacks observed by Dasient involved malicious javascript that was injected into compromised sites. iFrames that silently redirected users to malicious sites came in second at 37.1. Dasient has cataloged more than 72,000 unique malware infections involving websites.
Full article from the Register: Mass web infections spike to 6 million pages

Also:

The number of legitimate Websites being hacked to host malware has hit startling highs in recent days, new figures from MessageLabs have revealed.
Data taken from the days between May 4 and 8 showed that 84.6 percent of Websites blocked by the company for hosting malicious content were 'well-established' domains that have been around for a year or more.
Full article from PCWorld: Most Attacks Come from Legit but Hijacked Sites

Iframe attacks being a large-scale threat is relatively new. In the past, we used to tell people to surf the internet safely by not searching for or browsing suspicious websites: porn, cracks, free music/lyrics/movies, gambling, etc. Then came safe-search add-ons such as mywot and siteadvisor, which greatly help people avoid questionable and unsafe sites. However, the threat landscape today has changed, as the bad guys are moving to different tactics. With the appearance of iframe attacks, the borderline that distinguishes black and white sites may no longer be useful. The problem is that the sites we completely trust can be a vector for getting our computers infected. Browser security software such as web access protection (used by antiviruses and firewalls) and reputation ratings will no longer work in these cases: they protect the user from being infected by black sites, but not by white sites. Also, there is no way to tell if a legitimate site contains an injected iframe unless we look at its page source, since such iframes often do not change the site's appearance or functionality.

In my opinion the only way to be protected from a trusted site that happens to have a malicious iframe is disabling iframes altogether.
For details on how to disable iframes on Internet Explorer, please see:
http://antivirus.about.com/od/securitytips/ht/ieiframe.htm
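The post says the only way to spot an injected iframe on a trusted site is to read its page source. The following is an added example of doing that check offline on saved HTML; it is not code from the original post. It flags iframes that are hidden (zero/one-pixel size, display:none, visibility:hidden, pushed off-screen) or that point at a host outside the site's own domain, which is the pattern of the silent redirects described in the quoted Dasient report. The sample page and every host name in it are constructed for the example.

```python
"""Added example (not from the original post): flag iframes in saved page
source that look like silent drive-by injections. The sample HTML and all
host names below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the source."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.frames.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """width/height of 0 or 1 (optionally followed by units) is the classic hidden frame."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1


def _third_party_host(src, site_domain):
    """Return the src host if it is outside site_domain, else None.
    Relative srcs have no host and stay on the site itself."""
    host = urlsplit(src).hostname
    if not host or host == site_domain or host.endswith("." + site_domain):
        return None
    return host


def find_suspicious_iframes(html, site_domain):
    """Return [{'src': ..., 'reasons': [...]}, ...] in document order.
    site_domain is the site's own registrable domain, e.g. 'example.com'."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for a in parser.frames:
        reasons = []
        if _is_tiny(a.get("width")) or _is_tiny(a.get("height")):
            reasons.append("zero/one-pixel size")
        style = re.sub(r"\s+", "", a.get("style", "")).lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        if re.search(r"(?:^|;)(?:left|top):-\d{3,}", style):
            reasons.append("positioned off-screen")
        host = _third_party_host(a.get("src", ""), site_domain)
        if host:
            reasons.append(f"third-party src {host}")
        if reasons:
            findings.append({"src": a.get("src", ""), "reasons": reasons})
    return findings


# Constructed sample: one same-origin widget, one visible video embed,
# and one injected zero-size hidden frame pointing at an outside host.
SAMPLE_HTML = """<html><body>
<h1>A trusted news site</h1>
<iframe src="/widgets/weather.html" width="300" height="200"></iframe>
<iframe src="http://player.example.net/embed/123" width="560" height="315"></iframe>
<p>Article text ...</p>
<iframe src="http://x9q2.example/in.cgi?3" width=0 height=0 style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in find_suspicious_iframes(SAMPLE_HTML, "example.com"):
        print(f["src"], "->", "; ".join(f["reasons"]))
```

A visible third-party frame (the video embed above) is reported with a single reason so the reviewer can dismiss it; the combination of a tiny or hidden frame with an outside host is the one worth chasing. This only inspects the static source: the JavaScript injections that make up the larger share of the quoted report build the iframe at runtime, so for those the same checks have to be run against the live DOM (for example over `document.querySelectorAll('iframe')` in the browser's developer tools) after the page's scripts have executed.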

Sunday, December 13, 2009

How to tell if an unknown file is a legitimate or a malware file

This article is intended mainly for HJT helpers and trainees. Prior knowledge of and expertise in the Windows OS is required. None of the steps below is 100% accurate on its own. You will need to use multiple steps in this guide in order to reach a confident conclusion.



Step 1. There are 4 rules of thumb by which you can know within seconds that the unknown file is a malware file:

1) The name of the file or folder is randomly generated or makes absolutely no sense. These types of files typically return zero results in search engines.

Ex: c:\p0sdn8flqy.exe

2) The malware uses a name that is similar to the name of a legitimate file (commonly a Windows file) within the same folder.

Ex: legitimate = c:\windows\system32\lsass.exe

malware = c:\windows\system32\lsasss.exe

3) The malware uses the exact name of a legitimate file, commonly a Windows file, but in another folder.

Ex: legitimate = C:\windows\explorer.exe

malware = c:\windows\system32\explorer.exe

4) The malware uses a name that is commonly used only by malware, e.g. startup file names with controversial words somewhere within the name, the names of celebrities, non-alphanumeric characters, or white space.

Ex: c:\windows\system32\crack.dll
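The four rules above can be applied mechanically as a first pass over the file paths in a HijackThis log before the slower checks. The script below is an added example written for this post, not code from the original. Its reference table names only a handful of Windows XP system files and their normal folders, the randomness thresholds and the word list are this example's own heuristics rather than any published standard, and the paths it is run on are the post's own examples plus a couple of constructed legitimate ones; every hit still needs the remaining steps of the guide.

```python
"""Added example (not from the original post): first-pass triage of file
paths from a HijackThis-style log using the four rules of thumb above.
KNOWN_SYSTEM_FILES covers only a few Windows XP system files; the rule 1
thresholds and the rule 4 word list are this example's own heuristics."""
import ntpath

# Rules 2 and 3 reference: canonical folder of a few well-known XP system files.
KNOWN_SYSTEM_FILES = {
    "explorer.exe": r"c:\windows",
    "lsass.exe":    r"c:\windows\system32",
    "svchost.exe":  r"c:\windows\system32",
    "csrss.exe":    r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "smss.exe":     r"c:\windows\system32",
}

# Rule 4: constructed list of words that legitimate startup entries almost never carry.
SUSPICIOUS_WORDS = ("crack", "keygen", "warez", "porn")


def _levenshtein(a, b):
    """Edit distance between two short file names (dynamic programming table)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _looks_random(stem):
    """Rule 1 heuristic: a long stem with (almost) no vowels, or letters and
    digits interleaved several times, e.g. 'p0sdn8flqy'."""
    if len(stem) < 8:
        return False
    vowels = sum(c in "aeiou" for c in stem)
    transitions = sum(1 for x, y in zip(stem, stem[1:]) if x.isalpha() != y.isalpha())
    return vowels / len(stem) < 0.1 or transitions >= 3


def classify(path):
    """Return (verdict, detail); verdict is 'legitimate', 'rule 1'..'rule 4' or 'unknown'."""
    norm = path.replace("/", "\\").lower()
    folder, name = ntpath.split(norm)
    folder = folder.rstrip("\\")
    stem, _ext = ntpath.splitext(name)

    # Rule 3: exact system file name, but not in its normal folder.
    known_folder = KNOWN_SYSTEM_FILES.get(name)
    if known_folder is not None:
        if folder == known_folder:
            return ("legitimate", f"known system file in its normal folder {known_folder}")
        return ("rule 3", f"{name} normally lives in {known_folder}, not in {folder}")

    # Rule 2: near-miss of a system file name in the folder where that file lives.
    for known, kfolder in KNOWN_SYSTEM_FILES.items():
        if kfolder == folder and _levenshtein(name, known) <= 2:
            return ("rule 2", f"{name} is a near-miss of {known} in the same folder")

    # Rule 4: malware-only vocabulary, white space or odd characters in the file name.
    if any(word in stem for word in SUSPICIOUS_WORDS):
        return ("rule 4", "name contains a word typically used only by malware")
    if any(c.isspace() or not (c.isalnum() or c in "_-.") for c in name):
        return ("rule 4", "white space or non-alphanumeric characters in the file name")

    # Rule 1: randomly generated name.
    if _looks_random(stem):
        return ("rule 1", "name looks randomly generated")

    return ("unknown", "not flagged by the four rules; continue with the remaining steps")


if __name__ == "__main__":
    for p in (r"c:\p0sdn8flqy.exe", r"c:\windows\system32\lsasss.exe",
              r"c:\windows\system32\explorer.exe", r"c:\windows\system32\crack.dll",
              r"c:\windows\explorer.exe", r"c:\program files\internet explorer\iexplore.exe"):
        verdict, detail = classify(p)
        print(f"{p:52} {verdict:10} {detail}")
```

The order of the checks matters: a known name is compared against its canonical folder before anything else, so svchost.exe in system32 is never sent through the randomness test, and iexplore.exe (edit distance 2 from explorer.exe) is not reported as a near-miss because it lives in a different folder, exactly as rule 2 requires. Rule 4 uses plain substring matching, which is why the word list is short; longer lists produce false positives on legitimate names.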

Step 2.

Sunday, November 29, 2009

Virmansec Event Success!

Elhamdulilah, the presentation I gave on Conficker at the Microsoft Innovation Center, Riyadh, was a success.

The presentation can be downloaded from here:
http://staff.kfupm.edu.sa/coe/shafei/downadup.zip

The PowerPoint slides are mostly pictures and may not be of much benefit to those who haven't attended. However, a lot of the technical information has already been covered here on this blog. The presentation style was inspired by the best presentation gurus, such as:
- bio/intro and overall structure as by Garr Reynolds
- slides and graphics as by Dick Hardt and Seth Godin
- speaking freely as by Guy Kawasaki
- walking freely as by Steve Riley

Running the PowerPoint will be a bit heavy on a Windows OS. I had to optimize my operating system in order for it to run smoothly on a projector with no lag at all. This is what I did to have a lag-free presentation:
1. Disabled all real-time protection tools including firewall. (assuming you are not connected to the internet)
2. Disabled automatic updates
3. Disabled Task Scheduler via the Services MMC
4. Disabled screensaver, and all power saving options.
5. Disabled wireless connection and all related processes. (left bluetooth on for my bluetooth mouse/pointer)
6. Disabled all unnecessary processes. In my Task Manager I had a total of 28 processes left running on an XP machine. I preferred not to disable other OS processes because I had to run a demo on the same machine.

Wednesday, November 4, 2009

Conficker Presentation at Riyadh


God willing, I will be doing a presentation at the Microsoft Innovation Center on fighting the Conficker worm. This is a highly technical presentation mainly targeted at enterprise environments. The presentation includes live demos on infected machines. Microsoft Corporation (MSFT), Virmansec and R-Tech will be sponsoring the event.
The presentation covers all possible techniques in detecting and removing conficker for enterprises.

Attendance and registration is for free. Snacks and refreshments are also for free. If you are in Riyadh, please take the time to read and register for the event here:
http://www.eventbrite.com/event/472252520

Advanced knowledge of Windows NT operating systems and Active Directory is a must.

Monday, November 2, 2009

Server 2008 RMS Installation Problem

I spent a few days trying to implement a simulation environment to test Windows Rights Management Services and some third-party plugins on a native Server 2008. Every time I attempted to install RMS 2008 I was confronted with the following error message:

Error: Attempt to configure Active Directory Rights Management Server failed. An error was encountered while trying to provision AD RMS. Remove and re-install AD RMS to attempt provisioning again.


Despite uninstalling/reinstalling the RMS service several times and verifying all the prerequisites, the error message still popped up. I followed every single line in the Microsoft guide, yet the error reappeared. There were absolutely no log files or events to explain the cause of the error. Also, I couldn't find any solution on the internet that worked.
Almost giving up, my partner and I resorted to an unexpected solution..... changing the AD domain name.
RMS 2008 seemed to dislike single-letter domain names such as A.com and B.com, which we initially tried to use. This was a bit strange since RMS 2003 worked fine using these same test domain names.

So changing the domain name to demo.com worked for us in getting rid of the mysterious error message.

With courtesy of Samer Alotaiby.

Wednesday, October 21, 2009

3,200 Reported Account Hijackings on Facebook, Twitter

If you're on Facebook, Twitter or any other social networking site, you could be the next victim.
That's because more cyberthieves are targeting increasingly popular social networking sites that provide a gold mine of personal information, according to the FBI. Since 2006, nearly 3,200 account hijacking cases have been reported to the Internet Crime Complaint Center, a partnership between the FBI, the National White Collar Crime Center and the Bureau of Justice Assistance.
Continue reading:
http://edition.cnn.com/2009/CRIME/10/19/social.networking.crimes/index.html?iref=mpstoryview

From the article:

How to protect yourself against social media scams:
- Change your passwords frequently
- Adjust Web site privacy settings
- Be selective when adding friends
- Limit access to your profile to contacts you trust
- Disable options such as photo sharing
- Be careful what you click on
- Familiarize yourself with the security and privacy settings
- Learn how to report a compromised account
- Use security software that updates automatically

(Information provided by FBI and Internet security experts)

New Variant of Total Security Locks up Applications on Infected PC's

A new variant of scareware has been detected that not only inundates users with exhortations to purchase phony antivirus software called "Total Security 2009," but that also locks users out of nearly all applications until they purchase the disreputable product. Once their PCs are infected with the malware, the only program users can open is Internet Explorer, so they can navigate to the site and make a purchase.

More:
http://blogs.usatoday.com/technologylive/2009/10/new-twist-on-scareware-locks-up-your-pc.html
http://www.pcworld.com/article/173765/a_rogue_demands_a_ransom.html