20 July 2010, 21:30

Here is a fresh phishing sample targeting SFR.

 

Dear SFR customer.

This email was sent to you following an accounting error that occurred during our monthly billing.
Indeed, on 19 July 2010 the sum of (154,00) one hundred and fifty-four euros was wrongly debited because of a technical problem; a refund in your favour will be made as soon as possible. To that end, we invite you to click on the link below and log in to provide any information likely to speed up this refund.
The payment made will be considered valid and no claim will be accepted.
We thank you for your understanding and apologise for the inconvenience.
Fill in the refund form by clicking on the following link.

Important:
The payment made by SFR will appear on your next bank statement.
Our SFR customers will benefit from a goodwill gesture.
We guarantee the confidentiality of the information provided, and SFR vouches for the legal responsibility of these transactions
--------------------------------------------------

Here are the email headers:

Return-Path: <giosef@dazzler.unbit.it>
Received: from smtp.%serveur%.com ([unix socket]) by 
hermes.assonetworx (Cyrus v2.2.13-Debian-xxxxxx+lenny3) with LMTPA; 
Tue, 20 Jul 2010 12:42:46 +0200
X-Sieve: CMU Sieve 2.2
Received: from sabretooth.unbit.it ([81.174.68.19]) by 
smtp.%serveur%.com with esmtp (Exim 4.69) (envelope-from 
<giosef@dazzler.unbit.it>) id 1ObAHY-0004gq-Ne for 
philippe.vialle@%serveur%.com; Tue, 20 Jul 2010 12:42:46 +0200
Received: from dazzler.unbit.it (unknown [192.168.0.57]) by 
sabretooth.unbit.it (Postfix) with ESMTP id 578C5201D9ED for 
<philippe.vialle@%serveur%.com>; Tue, 20 Jul 2010 12:11:00 +0200 (CEST)
Received: by dazzler.unbit.it (Postfix, from userid 18372) id 
67EE520CFEE43; Tue, 20 Jul 2010 12:13:00 +0200 (CEST)
To: philippe.vialle@%serveur%.com
Subject: probleme technique
MIME-Version: 1.0
Content-type: text/html; charset=iso-8859-1
From: Service Client <Service@allmail.com>
Message-Id: <20100720102348.67EE520CFEE43@dazzler.unbit.it>
Date: Tue, 20 Jul 2010 12:13:00 +0200 (CEST)

At the SpamAssassin filtering level:
- DCC: positive
- MIME_HTML_ONLY (body): positive (hence a negative score)
- HTML_MESSAGE (body): positive

What about detections of the link embedded in the email:
- Google Chrome: flagged as a "phishing site"
- Safari: partial blocking (pressing F5, the warning may appear, but not every time...)
- Internet Explorer 8: no alert
- Mozilla Firefox and Shiretoko: "forged site" warning
- Opera 10: "fraudulent site" warning
- Netcraft toolbar: the usual warning
- McAfee trustedsource.org: site categorised as "phishing", maximum risk
- CISCO Surfcontrol (mtas.surcontrol.com): not working :(
- Fortiguard: classified as "information technology"...
- DrWeb URL analysis tool: URL unreachable, test impossible
- Finjan URL test: URL unreachable...

What do we know about the sender of the email?
Apparently it all revolves around dazzler.unbit.it. It seems an internal machine has been compromised (192.168.0.57). The resolved IP address is 81.174.68.57.
- IronPort SenderBase: very good reputation (see http://www.senderbase.org/senderbase_queries/detailip?search_string=81.174.68.57 )

About the IP address itself: https://dns.l4x.org/81.174.68.57
Shared hosting: http://www.w3who.com/reverse-ip/81.174.68.57  This probably made the compromise of the server easier.

So be wary! The CERTs supporting SFR are probably already on deck...
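As an added example (not code from the original post), here is a small Python script that performs the routing and sender-consistency analysis described above on the headers quoted in the post, refolded as RFC 5322 continuation lines so a standard parser accepts them. It reconstructs the delivery path from the Received lines (oldest hop first), extracts the relaying IP addresses, flags a hop whose timestamp runs backwards (the origin host stamps 12:13 while the next relay stamps 12:11), and compares the domains claimed by From, Return-Path and Message-Id: the visible From (allmail.com) does not match the envelope sender (dazzler.unbit.it), which is exactly the kind of mismatch a filter should weight. The function names and the refolded sample are mine.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: the headers quoted in the post, re-folded with RFC 5322
# continuation lines (leading whitespace) so a standard parser accepts them.
# "%serveur%" is the recipient-domain redaction used in the post.
SAMPLE_HEADERS = """\
Return-Path: <giosef@dazzler.unbit.it>
Received: from smtp.%serveur%.com ([unix socket]) by
 hermes.assonetworx (Cyrus v2.2.13-Debian-xxxxxx+lenny3) with LMTPA;
 Tue, 20 Jul 2010 12:42:46 +0200
X-Sieve: CMU Sieve 2.2
Received: from sabretooth.unbit.it ([81.174.68.19]) by
 smtp.%serveur%.com with esmtp (Exim 4.69) (envelope-from
 <giosef@dazzler.unbit.it>) id 1ObAHY-0004gq-Ne for
 philippe.vialle@%serveur%.com; Tue, 20 Jul 2010 12:42:46 +0200
Received: from dazzler.unbit.it (unknown [192.168.0.57]) by
 sabretooth.unbit.it (Postfix) with ESMTP id 578C5201D9ED for
 <philippe.vialle@%serveur%.com>; Tue, 20 Jul 2010 12:11:00 +0200 (CEST)
Received: by dazzler.unbit.it (Postfix, from userid 18372) id
 67EE520CFEE43; Tue, 20 Jul 2010 12:13:00 +0200 (CEST)
To: philippe.vialle@%serveur%.com
Subject: probleme technique
MIME-Version: 1.0
Content-type: text/html; charset=iso-8859-1
From: Service Client <Service@allmail.com>
Message-Id: <20100720102348.67EE520CFEE43@dazzler.unbit.it>
Date: Tue, 20 Jul 2010 12:13:00 +0200 (CEST)

"""


def parse_received(raw_headers):
    """Return the Received hops in delivery order (oldest first) with the
    relaying host, the IP it connected from, the receiving host and the date."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())                 # unfold the header
        m_from = re.match(r"from\s+(\S+)", text)       # "from" only at the start
        m_by = re.search(r"\bby\s+(\S+)", text)
        m_ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", text)
        date_part = text.rsplit(";", 1)[1].strip() if ";" in text else None
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "ip": m_ip.group(1) if m_ip else None,
            "by": m_by.group(1) if m_by else None,
            "when": parsedate_to_datetime(date_part) if date_part else None,
        })
    hops.reverse()   # each MTA prepends its line, so the last header is the origin
    return hops


def timestamp_anomalies(hops):
    """Indices of hops stamped earlier than the hop before them: a clock
    problem on a relay, or a forged line."""
    return [i for i in range(1, len(hops))
            if hops[i - 1]["when"] and hops[i]["when"]
            and hops[i]["when"] < hops[i - 1]["when"]]


def _domain(addr):
    return parseaddr(addr or "")[1].rpartition("@")[2].lower() or None


def sender_domains(raw_headers):
    """Domains claimed by the visible From, the envelope sender, the Message-Id
    and the originating relay, so they can be compared side by side."""
    msg = message_from_string(raw_headers)
    hops = parse_received(raw_headers)
    msgid = (msg.get("Message-Id") or "").strip("<> ")
    return {
        "from_header": _domain(msg.get("From")),
        "return_path": _domain(msg.get("Return-Path")),
        "message_id": msgid.rpartition("@")[2].lower() or None,
        "origin_host": hops[0]["by"] if hops else None,
    }


def header_mismatch(raw_headers):
    """True when the domain shown to the reader differs from the envelope sender."""
    d = sender_domains(raw_headers)
    return d["from_header"] != d["return_path"]


if __name__ == "__main__":
    hops = parse_received(SAMPLE_HEADERS)
    for hop in hops:
        print(hop["when"], hop["from"], hop["ip"], "->", hop["by"])
    print("backwards timestamps at hops:", timestamp_anomalies(hops))
    print(sender_domains(SAMPLE_HEADERS), "mismatch:", header_mismatch(SAMPLE_HEADERS))
```

Note that the script trusts the text of each Received line; only the line added by your own receiving MTA is authoritative, and anything below it may have been written by the sender, which is why the time inversion between the two unbit.it hosts is a signal rather than proof.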

8 July 2010, 23:58

Most of the time I say, and repeat: people should review their security systems and probably harden their configurations and system settings.

This time, my post deals with the opposite: how a hardened URL filtering system can impact productivity and vital assets.

You may have read that security vendors are adding a new way to block malicious or suspect content: security reputation.

I will not discuss the idea itself right now. Let's just say that, to protect against compromised systems, it could be a really interesting concept.

But what happens if the security reputation is wrong? That kind of measure is essentially a score, and most probably a dynamic one.

The firms being protected by that reputation filtering system do not see the reputation score of their online applications and of the websites they need (their assets).

Because the score is dynamic, today's value can differ from yesterday's.

Here is part of a real story. It is about a vital portal, I mean a portal related to a vital function of a state (from a counter-terrorism point of view: energy, communications, transportation, medical emergencies...).

One day that portal had its security reputation reviewed and reached "high security risk". In that case, most of the systems relying on security reputation filtering automatically blocked any access to that website...

This was quite serious... We are not talking about Facebook being unreachable, not even Google... it is about a crucial web portal, government-watched and related to a service that helps the country run.

Were the firms informed before the website was automatically blocked? Not at all, since it is an automatic check and update.

Could the firms easily bypass that filter? Not really, if you consider that proxies are vital equipment whose configuration cannot be radically changed that quickly, in emergency mode, and in production...

Could the firms monitor all the vital websites/portals they know they need, to prevent that kind of situation? Well, if you consider 100,000 computers, several million requests a day, and several thousand whitelisted websites... certainly not!

So I really warn anyone who uses or plans to use a technology close to a security reputation score with automatic blocking: you may face real situations, with productivity loss and, above all, collateral damage...

7 April 2010, 22:48

It's been quite a long time since I wanted to write this article. But taking into account the fact that I spent 3 hours at night understanding what was happening to my BIOS, I could not forget it, I guess...

How did all of that start? Very simple. I thought of applying one of the best practices in laptop security: a (BIOS) password at startup.

Very well, I entered the BIOS. I had a few difficulties, because the 'Care' button did not work that well, and the boot splash hid the key to press to enter the BIOS. Anyway, I'm more patient than that.

Once I had got into the BIOS, I went to the security tab. Setting up a password seemed quite simple, as usual.

Then I started my laptop the regular way. As usual, it stayed on for a few days without a reboot. And obviously, the problem came out at the next reboot. Thanks, Windows Update (automatic / forced reboot at night), for that...

Not even scared, I saw the next evening that the bootstrap was stuck at the password check. So I entered my so-called password. Yikes, it seemed to compute a little bit, and then displayed a warning telling me my password was wrong. I tried a second time, a third one... then a forced reboot...

This time, I started to feel less at ease...

My password was 7 letters long, with 2 more digits. I imagined the problem could be a keymap issue (QWERTY in the BIOS, AZERTY elsewhere). So I built all the combinations I could imagine: typos and keymap issues...

3 hours later, I was still in front of a locked computer. Then, fortunately, a bit of 'password hardening experience' came to my mind: what if the BIOS could not register my whole password?

After 5 minutes, bingo! Only the first 6 characters had been saved!

But no warning told me that only 6 out of 9 characters were going to be saved... I find that quite abnormal and tricky!

I hope this will help other people, at night, in a rush... like I was...
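An added illustration (not from the post) of the two behaviours this story contrasts, written in Python as a simulation: a firmware that silently keeps only the first 6 characters of the password, beside a setup routine that refuses a password longer than it can store; the keymap confusion the author suspected first (AZERTY keys read with a QWERTY layout) is modelled too, so the small set of values the firmware may actually hold for a password you believe you set can be listed. The 6-character limit and the 7-letters-plus-2-digits shape come from the story; the function names and the sample password are constructed.

```python
MAX_STORED = 6  # the silent limit the author discovered on his laptop's firmware

# On an AZERTY keyboard these keys sit where QWERTY has other letters. If the
# firmware reads raw scancodes with a US layout, the key labelled 'a' is stored
# as 'q', and so on. (The digit row differs as well: AZERTY digits need Shift,
# so unshifted presses on that row are symbols on AZERTY but digits on QWERTY.)
AZERTY_AS_QWERTY = str.maketrans("azqwm", "qwaz;")


def set_password_silent(typed, max_stored=MAX_STORED):
    """What the author's BIOS did: keep the first max_stored characters, say nothing."""
    return typed[:max_stored]


def set_password_strict(typed, max_stored=MAX_STORED):
    """What a sane setup routine should do: refuse rather than silently truncate."""
    if len(typed) > max_stored:
        raise ValueError(
            f"password has {len(typed)} characters but only {max_stored} would be stored")
    return typed


def strict_rejects(typed, max_stored=MAX_STORED):
    """Convenience wrapper: does the strict routine refuse this password?"""
    try:
        set_password_strict(typed, max_stored)
    except ValueError:
        return True
    return False


def verify(stored, typed):
    """The boot-time check compares the stored value with everything you type,
    so a silently truncated password no longer matches its own full form."""
    return stored == typed


def as_seen_by_qwerty_firmware(typed):
    """Translate what was typed on AZERTY into what a QWERTY-only firmware recorded."""
    return typed.translate(AZERTY_AS_QWERTY)


def stored_candidates(typed, max_stored=MAX_STORED):
    """The values the firmware may actually hold for the password you believe you
    set: truncation, keymap confusion, or both. This is the diagnostic the author
    ended up doing by hand for three hours."""
    return {typed[:max_stored], as_seen_by_qwerty_firmware(typed)[:max_stored]}


if __name__ == "__main__":
    typed = "azertyu12"                      # constructed: 7 letters + 2 digits, like the post
    stored = set_password_silent(typed)
    print("stored silently:", stored, "| full password accepted:", verify(stored, typed))
    print("first 6 chars accepted:", verify(stored, typed[:6]))
    print("strict setup refuses it:", strict_rejects(typed))
    print("values the firmware might hold:", stored_candidates(typed))
```

The practical takeaway for any device with a firmware or hardware password: set it, then immediately lock and unlock once with the exact string you intend to use, before the next unattended reboot makes you discover the limit the hard way.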

26 March 2010, 23:07
Once again, I was not even expecting to get a sample that way...

Here is the message I received on one of the Skype accounts I use as 'honeypots' (one day ago):

[Screenshot: MSG_Skype_dreams-lady.com_250310.jpg]

I never requested in any way to receive such ads!

Okay, so let's go to 'dreams-lady'. To be honest, at this point I was really expecting a malicious website, or even a fake portal to steal my credit card number...
Sometimes habit does not help you out 100%...

However, I was surprised to see the website that responds to dreams-lady. Here is a screenshot:
[Screenshot: dreams-lady.com_250310-copie-1.jpg]

Looks a lot like a kind of Russian version of Meetic, huh? Just kidding.

Just in case, I had a look at the WHOIS. And there came an unexpected surprise:
http://www.domaincrawler.com/domains/view/dreams-lady.com

Wow, IP located in China? Seems weird.
Any other information provided by the WHOIS looks consistent with a Russian origin.

Just a thought... let's see the IP reputation...
An old tool:
http://www.dnsbl.info/dnsbl-database-check.php
Bingo...!
59.53.91.107 is listed! And I do trust Spamhaus' lists.

But that's not all. The IP address really seems to be a Chinese one:
http://www.ip-adress.com/whois/59.53.91.107

Okay then, Russian domain name, Chinese IP... still looks strange to me.

But the IP address reveals other interesting details:
http://support.clean-mx.de/clean-mx/viruses.php?sort=firstseen%20desc&review=59.53.91.107
Listed because it is said to host malware.

And guess what... ESET confirms it (access blocked while visiting it).
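The DNSBL check done above through dnsbl.info can be scripted. The following Python is an added example, not code from the post: it builds the reversed-octet query name for Spamhaus ZEN (the zone behind the lists the author trusts), resolves it, and decodes the 127.0.0.x answer into the sub-list that caused the hit, treating the 127.255.255.x range as an error reply rather than a listing. The resolver is injectable so the decoding logic runs offline with canned answers; a live query needs a resolver Spamhaus accepts (it refuses queries relayed through large public resolvers and answers those with an error code instead). The function names are mine; the return-code table is the one Spamhaus publishes for ZEN.

```python
import ipaddress
import socket

# Return codes Spamhaus publishes for the combined ZEN zone. Anything in
# 127.255.255.0/24 is an error reply (query refused or malformed), not a listing.
ZEN_CODES = {
    "127.0.0.2": "SBL - direct spam source",
    "127.0.0.3": "SBL CSS - low-reputation / snowshoe range",
    "127.0.0.4": "XBL - compromised host, open proxy or bot",
    "127.0.0.5": "XBL - compromised host, open proxy or bot",
    "127.0.0.6": "XBL - compromised host, open proxy or bot",
    "127.0.0.7": "XBL - compromised host, open proxy or bot",
    "127.0.0.9": "SBL DROP - hijacked or criminal netblock",
    "127.0.0.10": "PBL - ISP policy: end-user / dynamic range",
    "127.0.0.11": "PBL - Spamhaus-maintained policy range",
}


def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Build the name a DNSBL is queried with: 1.2.3.4 -> 4.3.2.1.<zone>"""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example only covers IPv4 lookups")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def resolve_a(name):
    """Default resolver: A records for name, [] on NXDOMAIN (= not listed)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_ip(ip, zone="zen.spamhaus.org", resolve=resolve_a):
    """Query one DNSBL and explain the answer. `resolve` is injectable so the
    decoding can be exercised without network access."""
    name = dnsbl_query_name(ip, zone)
    answers = resolve(name)
    errors = [a for a in answers if a.startswith("127.255.255.")]
    hits = [ZEN_CODES.get(a, "unknown code " + a)
            for a in answers if a.startswith("127.") and a not in errors]
    return {
        "query": name,
        "listed": bool(hits),
        "hits": hits,
        "error": ("DNSBL refused the query (public resolver or rate limit?): "
                  + ", ".join(errors)) if errors else None,
    }


if __name__ == "__main__":
    # Live lookup of the address from the post; needs a resolver Spamhaus accepts.
    print(check_ip("59.53.91.107"))
```

When a listing is used for blocking rather than for triage, XBL hits (compromised machines) and PBL hits (dynamic ranges that should never send mail directly) deserve different handling: the former is evidence about the host, the latter only about the network policy it sits in.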

 
23 March 2010, 21:51
I was honestly not expecting it.
I recently found out that one of my Skype accounts had received an offline message from an unknown contact (meaning one I had not accepted myself!)

Here is a screenshot of it:
[Screenshot: capture_thebulletintrackers.com_230310.jpg]

At the time of writing (24 hours after I received the message), I still don't know whether this is a new scam variant or not. Just in case, I publish it (if anybody has any additional information about it, feel free to post a comment).

But what I do know is that it appears Skype used an opt-out way to contact me. I never requested to receive such marketing ads (probably targeted ones...).

If you visit the website http://thebulletintrackers.com/ , you'll see at the top of the page a link (yes, it's quite small) called 'skype removal'... yes, that sounds weird since I did not subscribe to anything.
This link points to: http://thebulletintrackers.com/skyperemoval.php

I did try to unsubscribe; I'm going to see what happens, and I'll keep my readers up to date. Until then, I suggest everybody be prudent with this marketing campaign.
17 March 2010, 22:44
I'd heard that Norton (I mean the latest version) had improved quite a lot.

It is said to consume fewer system resources and to be more efficient. For my part, I spent almost 5 years cleaning computers that were supposed to be protected by Norton... (and by other AVs, that's true). This is real life, I can't lie about it.

Anyway. Since I'm curious and I believe Symantec is able to improve its product, I decided to have a look at the famous "latest Norton".

This came to me in a natural way. I installed a piece of software that offered to install "Norton Security Scan" as well (selected by default, please note that point...).

My main computer is protected at the moment by an up-to-date AV (MS Security Essentials) and 2 on-demand scanners (Spybot + MalwareBytes).
I let Norton Security Scan do its thing...

The results? Well... something like 35 'threats'! But, in fact, only cookies...

It is very well known that a cookie is a serious threat, able to destroy my computer... [bad joke]. Nonetheless, according to Norton, my computer is at risk, and a serious one.

To fix the 'dangerous items', users obviously have to buy Norton... They definitely are smart, at Symantec Corp.

But the tricky part is not there.

Norton Security Scan wakes up by itself from time to time, takes the focus, and displays its warning until you click on 'proceed to checkout' or 'no thank you'.
Please note that 'no thank you' is a very, very small button on the popup, as if users were not supposed to see it. Furthermore, there is no "cancel" button on the default popup; you have to click on the cross to close it...!

Then the warning comes again and again. You may reboot the computer; it will still show up after a little while.

Well, that sounds like some viral technology... doesn't it? Software you can't really close, that reminds you it is there, and that comes back even after a reboot is quite similar to what you can expect from spyware, adware, or even a keylogger... isn't it?

Here is an example of the 'scary' message you can see from Norton:

[Screenshot: NortonSecScan_alert_080310.JPG]

Sorry, it's a French version, and quite badly translated.

Anyway, you may read many complaints on the web about software that harvests and/or harasses users until they pay for a so-called license... Rogue antiviruses are one of the best examples.

Is Norton playing the same way rogue antiviruses do? That's an interesting marketing strategy (use customers' fear...).

In the past, we'd seen computers being sold with "antivirus pre-installed"... well yeah, just a 3-month demo license, which was not made clear to the customer. And after that, warnings coming from everywhere to remind the user to buy Norton...

So, a new version, right, but with even worse methods than in the past? I can hardly believe what I saw on my screen.
17 March 2010, 00:29
Sometimes I don't even have to go looking for a malicious item to analyse: a nice sample comes to me on its own.
Those with sharp tongues will say that all my honeypots are behind this observation... not entirely wrong.

Anyway, while reading my emails as naturally as can be, I received a notification from Viadeo telling me I had an unread message.
That message is in fact a fraudulent extortion practice:
the 419 scam, named after the article of Nigerian law (4.1.9) that forbids this kind of practice.

So BEWARE: this message hides a dangerous practice; I advise everyone against contacting anyone who sent it, or even trying to "investigate"...


Here is the message in question, if it can help some people understand what may land in their mailbox.


good charity

Good evening dear Sir, I acknowledge receipt of your reply and thank you for its content. I am Mr josé paulo fernandez, born on 18 March 1946
in Portugal.
I have been suffering from throat cancer for nearly a month and a half now and I am in terrible pain at the moment. My doctor
has just informed me that my days are numbered because of my
deteriorating state of health.
It is out of love for children that I want to bequeath this sum. I
suppose I can trust you since you know what this disease
that is eating away at me is.

I have had no children with my wife Maria (may the earth rest lightly
on her) for 15 years, so I have no one to whom I can bequeath my
inheritance.

For this reason I would like, graciously and out of concern for helping
the needy, to give you this inheritance amounting to
five million US dollars (6.000.000 §) to allow you
to set up a charitable foundation in my memory, so that
the grace of God may be with me until my final resting place and
I may enjoy an honourable place beside the Lord our
Father.

Have no fear, because before contacting you I prayed for
several nights for the Lord Jesus Christ to grant me
contact with a trustworthy person to whom I could entrust this
matter, and it is following that that I did the research which
gave me your address.
Know that you may keep half of this money for yourself and
the rest will serve to create a charitable foundation in my memory
as well as a federation for the fight against cancer, and to build a
charity house to help the needy.
I have had this project in mind for a long time; now that I must
die, all the more since it is a vow dear to me, I must do it
now before leaving this earth of humans.
I would like the following information:
Your surname and first names, your exact address and your permanent
telephone contact, so that I can pass them on to my notary so that
together you can carry out the transaction steps.
I will forward your details to the Notary who will handle
this transaction afterwards; he will contact you from tomorrow
to begin the transfer procedure and the change of beneficiary.
I will ask him to contact you about the procedure to follow.
I wish you a very good understanding.
With that, please accept my most cordial greetings.

Mr josé paulo fernandez


my email address: josefernandez2010@live.fr






************** ENGLISH part ****************


Sometimes (but more and more often), I don't even have to look for malicious things to analyse: they come straight to me.

So I was just reading my emails, naturally. I received an alert from Viadeo: I had a message to read. Here comes the best part: it is a new variant of the 419 scam, but on professional networks.

Just a reminder: the 419 scam takes its name from article 4.1.9 of the Nigerian law that forbids such fraudulent financial activities.

There we go: I have copied the whole message above, if that can help in any way those who wonder what that is.

Sorry, the original is in French ;) not all the bad things on the Internet are in English... unfortunately...


 
2 November 2009, 22:17
I find it quite funny when an AV or any security system raises an alert about another security system.

This time, it is about an antispam filter and an AV vendor's security newsletter...

The antispam is: Thunderbird 2.0.23
The newsletter is: Sophos enews

Here is what I found in my mailbox's "junk" folder:

Basically, what happens is that Thunderbird's built-in antispam system believes Sophos enews should be considered spam.

But I don't! And the worst is that even if I tag almost every one of these emails as "acceptable" (not junk), the next ones are still moved into the Junk folder.

How can I tell Mozilla that Sophos enews is not spam? I subscribed to their newsletter, and above all, they are an antispam vendor...
14 October 2009, 23:50
As everybody would say, an antivirus is not supposed to take all the system resources.
Taking that into account, I tested ESET NOD32 on my computers, because I knew it was said to have quite reasonable memory and CPU usage.

Anyway, that was about real-time protection, certainly just for a few hours, right. But what if I leave my laptop running for days? That should not be a problem.

Nonetheless, I noticed that my computer was becoming really slow, with almost permanent disk access. I decided to investigate a little bit; the SysInternals tools are my friends.

Here is what I found out: the ESET modules were permanently accessing my HDD and generating swap activity.

The reason? It may be in the following screenshot:
As the Process Explorer GUI shows, the "ekrn.exe" binary (standing for ESET Kernel?) takes more than 750 MB of memory (virtual memory)!
This is quite strange, even abnormal. Just enough to stall users' applications.


Since I use a limited user account (and I'll also talk about that later), the Process Explorer information window is not complete, as you can see:
This screenshot also tells how long the "ekrn.exe" module had been running before I noticed its memory usage: about a month... (well, yeah, my laptop works for me during the night... and the day... :) this can also be true for professional workstations that are not shut down at night)

If that helps (the guys at ESET, for example?), here is my configuration:
- Lenovo SL500
- Vista SP2, fully patched
- NOD32 AV 3.0.684.0



Thus, to me and until I get proof of the contrary, I think there is a memory leak in the "ekrn.exe" module of NOD32 Antivirus.

19 September 2009, 01:20
Noticing that APT upgrades had been getting slower for a while, I started to investigate further.

After checking all the configuration files of APT and its logs, it became clear that the problem was not on the hosts that used the apt-proxy running on the server.

It looked like a DoS, or a timeout, or an APT resource issue. But it was not.

Unfortunately, the apt-proxy logs are not very verbose, but... considering that a service has a specific procedure to be stopped and started, the old reflex of reloading the service and its configuration was helpful.


In fact, apt-proxy was simply complaining during its start.
Here is what I got:

Starting apt-proxy:/usr/lib/python2.5/site-packages/twisted/manhole/telnet.py:8: DeprecationWarning: As of Twisted 2.1, twisted.protocols.telnet is deprecated.  See twisted.conch.telnet for the current, supported API.
  from twisted.protocols import telnet
None
/usr/lib/python2.5/site-packages/twisted/manhole/telnet.py:8: DeprecationWarning: As of Twisted 2.1, twisted.protocols.telnet is deprecated.  See twisted.conch.telnet for the current, supported API.
  from twisted.protocols import telnet
None

.

Thus, it appears that the real problem comes from Python, and more specifically from one of its libraries: twisted.protocols.telnet

Obviously, it was not possible to uninstall and reinstall Python, because of its numerous dependencies.

I tried Google...
http://www.google.fr/search?rlz=1C1CHNU_enFR333FR333&sourceid=chrome&ie=UTF-8&q=/usr/lib/python2.5/site-packages/twisted/manhole/telnet.py:8:+DeprecationWarning:+As+of+Twisted+2.1,+twisted.protocols.telnet+is+deprecated.

The bug was confirmed, but no real solution provided:
https://bugs.launchpad.net/ubuntu/+source/apt-proxy/+bug/308376

The guys over there should also say that Debian stable (Lenny) is affected too.

Anyway, I dared to look deep into the apt-proxy source code. Guess what, it's written in Python ;)

Here is the solution I found: comment out the line
from twisted.manhole.telnet import ShellFactory
at the top of the apt-proxy program file (something like /usr/sbin/apt-proxy).

And voilà, it works!

I love /etc/init.d/apt-proxy start
Starting apt-proxy:None
None
.
I'll keep an eye on it to see what happens during the next upgrade of apt-proxy through... apt :)

Hope this helps.
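An added example, not part of the post or of apt-proxy itself: rather than commenting the import out by hand (which the next package upgrade will undo), a startup file can treat the manhole shell as an optional component, so a missing or deprecated module is logged instead of spilling a DeprecationWarning on stderr at every service start. The module that warns on import is constructed here to reproduce the symptom offline; `import_optional`, `make_legacy_module` and the module name are mine. For what it is worth, `twisted.manhole.telnet.ShellFactory` is the factory for a telnet-reachable Python debug shell, so a daemon that never enables that shell loses nothing by skipping the import.

```python
import importlib
import logging
import os
import sys
import tempfile
import warnings

log = logging.getLogger("apt-proxy-startup")


def import_optional(module_name, attr_name):
    """Import `attr_name` from `module_name` as an optional component.

    Returns (object_or_None, deprecation_messages). A missing module or
    attribute is logged and yields None instead of aborting service start;
    DeprecationWarnings raised while importing are captured and sent to the
    log rather than printed to stderr by the init script.
    """
    with warnings.catch_warnings(record=True) as caught:
        # "always": record the warning even if this location already warned once
        warnings.simplefilter("always", DeprecationWarning)
        try:
            module = importlib.import_module(module_name)
            obj = getattr(module, attr_name)
        except (ImportError, AttributeError) as exc:
            log.info("optional component %s.%s unavailable: %s",
                     module_name, attr_name, exc)
            obj = None
    messages = [str(w.message) for w in caught
                if issubclass(w.category, DeprecationWarning)]
    for text in messages:
        log.warning("deprecation while importing %s: %s", module_name, text)
    return obj, messages


def make_legacy_module(dirname, name="legacy_telnet_shell"):
    """Constructed stand-in for the deprecated twisted.manhole.telnet module:
    it warns on import, as the real one did on the author's server."""
    path = os.path.join(dirname, name + ".py")
    with open(path, "w") as fh:
        fh.write(
            "import warnings\n"
            "warnings.warn('legacy_telnet_shell is deprecated; see the conch API',\n"
            "              DeprecationWarning, stacklevel=2)\n"
            "class ShellFactory:\n"
            "    pass\n"
        )
    if dirname not in sys.path:
        sys.path.insert(0, dirname)
    sys.modules.pop(name, None)        # force a real import even if cached
    importlib.invalidate_caches()
    return name


def demo():
    """Exercise both paths and return what a service start would have seen."""
    name = make_legacy_module(tempfile.mkdtemp())
    factory, deprecations = import_optional(name, "ShellFactory")
    missing, missing_msgs = import_optional("no_such_manhole_module_xyz", "ShellFactory")
    return {
        "factory_loaded": factory is not None,
        "deprecations": deprecations,
        "missing_is_none": missing is None,
        "missing_msgs": missing_msgs,
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(demo())
```

Because the warning now goes through the daemon's logger, it ends up in the service log with a timestamp instead of in whatever captured the init script's stderr, which is also where the author first had to look for the "None" lines.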