
Finjan MCRC Blog: Posts

Finjan is a global provider of proactive web security solutions that protect businesses and organizations against all types of web threats, including Spyware, Trojans and malicious code.


Guess who’s got your passwords and emails stored on their servers…? (May 18)

In our recent MPOM report, we reported on a Crimeserver hosting 1.4G of unprotected stolen data, including passwords, medical data, emails etc.

Many people asked us how we found the data. Was the data secure or not?

Although we cannot disclose all information to the public (for obvious reasons), I can say that the data on that Crimeserver was unprotected, meaning anyone could access it.

Today we came across another Crimeserver - it seems that we are finding one every other day...

To demonstrate how easy it is to access the data and how vulnerable the data are once stored on an unprotected Crimeserver, I want to share the following very interesting example with you.

As we disclosed in our Q3/2006 Trend report, malicious code is hosted on caching servers of leading Search Engine Providers. This time we reported in our recent MPOM that stolen end-user data is also stored on these caching servers. Yes, your passwords, Social Security numbers, online banking information… no data is safe, as the examples below illustrate.

Let’s say we are looking for some stolen login credentials. How would we look them up? Simple: a search engine...

We typed the Crimeserver domain [site:crimeserver_we_cannot_disclose] and added popular keywords:

Let’s see if we can find some passwords...

Crimeware server catering to “grab and run” criminals (May 6)

During our research for the latest Malicious Page of the Month, which has just been released, we came across a domain that was being used as a command and control server for the Crimeware that was executed on attacked machines. This domain was also used as the “drop site” for private information being harvested by that Crimeware.
When we further examined this server, we found that the stolen data on it was unprotected and freely accessible to anyone - we found no access restrictions, no encryption whatsoever!
In total, we found more than 1.4Gb of personal and business data (including emails and web related data) up for grabs, collected from infected PCs.

Obviously, no business or personal data was safe; we found logs with business information on shipments, intellectual property, pension funds, legal cases, patients, marketing strategies etc. but also personal information that criminal elements could use to their own benefit.

Following are some of the records that were up for grabs on that server.
We changed/blurred information to protect people’s and companies’ privacy.

Medical record:

http://...../de...nts/.../MedicalRecordReview/ "Diagnosis=Admitted for IV abx 2nd spinal rod infection. Hx of SMA, wheelchair bound, on bipap c back up rate. ESR increased. Ctx neg. Not getting meds at home. Will need 42 days abx…. low grade fever 2 days ago."



Optimizing Cross Site Scripting - and general security practices (March 16)

We have been working recently on an XSS attack that impacted a huge number of potential victims, as the attack itself has been “optimized” by SEO (Search Engine Optimization) practices that pushed it into Google’s indexes.

In itself, this is not a new technique, but the sheer size of it made us take a second look (incidentally, another security researcher went public with the details at the same time as we were communicating with Google’s security team about it). So how does it work? Basically the recipe is quite simple:

  1. Find an XSS vulnerability on a major site that has a decent amount of traffic (easy).
  2. Decide what you want your victim to “experience” – this can vary from serving some malicious code, to pure Crimeware marketing (lessons learned from “what to avoid” from SPAM email marketing).
  3. Start googling it with the XSS in the URL (most sites normally allow parameters to be passed in a GET rather than enforcing POST only).
  4. Enjoy the show – make sure that the XSS (usually a search page) also contains some keywords that would attract hits from legitimate searches.
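The recipe above works only because the search page echoes its parameter back into the HTML unencoded, and the search engine then indexes URLs that carry the payload. The following is an added example (not Finjan's code and not from the original post) that shows the defending site's side of this: a search handler in its vulnerable and hardened forms, and a pass over web server access logs that flags search requests already carrying script markup, noting whether the request came from a crawler (a crawler fetching a payload URL is the sign that the URL is being indexed). The `/search` path, the `q` parameter name, the log lines and the hosts are all constructed assumptions.

```python
"""Reflected XSS on a search page, seen from the defending site: the raw echo
that makes the attack possible, the output encoding that closes it, and a pass
over access logs for search requests that already carry script markup.
Added example; log lines, paths, hosts and the `q` parameter are constructed."""
import html
import re
from urllib.parse import parse_qs, unquote, urlparse

SEARCH_TEMPLATE = "<h1>Results for: {query}</h1>\n<p>No results found.</p>"


def render_search_vulnerable(query: str) -> str:
    """Echo the parameter into the page as-is: markup in `query` becomes markup in the page."""
    return SEARCH_TEMPLATE.format(query=query)


def render_search_hardened(query: str) -> str:
    """HTML-encode on output so the browser renders the query as text, not markup."""
    return SEARCH_TEMPLATE.format(query=html.escape(query, quote=True))


# Combined log format as written by common web servers (constructed sample below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Markup that has no business in a search term: script tags, javascript: URLs,
# or any tag carrying an on* event handler attribute.
SCRIPT_MARKUP_RE = re.compile(r"<\s*script\b|javascript\s*:|<\s*\w+[^>]*\bon\w+\s*=", re.I)

# Crawler hits on a payload URL mean the URL is (or is about to be) indexed.
CRAWLER_RE = re.compile(r"googlebot", re.I)


def flag_suspicious_searches(log_lines, param="q"):
    """Return one record per request whose search parameter contains script markup."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed combined-format line; skip it
        query = parse_qs(urlparse(m.group("path")).query)
        for value in query.get(param, []):
            # parse_qs decodes once; unquote again so a double-encoded payload is seen too.
            if SCRIPT_MARKUP_RE.search(unquote(value)):
                hits.append({
                    "ip": m.group("ip"),
                    "path": m.group("path"),
                    "query": value,
                    "crawler": bool(CRAWLER_RE.search(m.group("ua"))),
                })
                break
    return hits


# Constructed access-log sample: one benign search, one payload URL fetched by a
# crawler, one payload URL from a regular browser, one unrelated page view.
LOG_SAMPLE = [
    '203.0.113.5 - - [16/Mar/2008:10:01:02 +0000] "GET /search?q=free+movies HTTP/1.1" 200 1523 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Mar/2008:10:02:15 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E+movies HTTP/1.1" 200 1602 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
    '203.0.113.9 - - [16/Mar/2008:10:03:40 +0000] "GET /search?q=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E HTTP/1.1" 200 1588 "http://example.invalid/" "Mozilla/5.0"',
    '203.0.113.5 - - [16/Mar/2008:10:04:01 +0000] "GET /index.html HTTP/1.1" 200 4090 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    probe = "<script>alert(1)</script>"
    print("vulnerable:", render_search_vulnerable(probe))
    print("hardened:  ", render_search_hardened(probe))
    for hit in flag_suspicious_searches(LOG_SAMPLE):
        print(hit)
```

The log pass is a triage aid, not a fix: it tells you which search URLs with markup have been requested and whether a crawler has seen them, so the corresponding pages can be fixed and the indexed URLs removed. The fix itself is the output encoding in `render_search_hardened`, applied to every place the parameter is reflected, not only the main search page (the Google post further down this page is a reminder of how easy it is to miss one).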

XSSed sites used:

From what we have seen so far – including sites such as torrentreactor.net (first one) and zdnetasia.com (on 3/4/2008), tv.com (2/5/2008), torrentportal.com (3/8/20

And the winner for "top virus" of 2007 is... (January 6)

Not a virus. Not even malware. Neither is the runner-up… It's the method by which malware is distributed.

According to a report, the most common malware attack in 2007 is the notorious IFRAME.

[Image: top_virus_2007.png]

In our monthly and quarterly reports we provided more in-depth analysis of such top-ranking IFRAME and obfuscated code.
In Finjan’s terminology, the top-ranked “virus” IFRAME is not malware or a virus; it is more like the way criminals direct users’ browsers to malware. Interestingly enough, the runner-up is “Mal/ObfJS”, obfuscated JavaScript: again not a virus or malware but a simple technique to hide exploits from signature-matching inspection.

How come? Well, remember that signature-based solutions are in dire need of a way to stop the more common techniques employed by attackers (we actually started reporting on them during 2006), given that their detection technology is limited in detecting obfuscation and evasive techniques; typically they end up signaturing the de-obfuscating portion of the script.
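The two "winners" the post describes, the hidden IFRAME redirector and obfuscated JavaScript, are both delivery techniques rather than payloads, which is why matching only the decoder call (the "de-obfuscating portion") is weak: `eval`, `unescape` and `document.write` appear in plenty of legitimate pages. The following added example (not Finjan's detection technology, and not from the post) scores a fetched page on the combination the post implies instead: a decoder call fed by a large encoded blob, plus any IFRAME sized to zero or styled invisible. The sample pages, the thresholds and the regular expressions are constructed assumptions for illustration.

```python
"""Heuristics for the two delivery techniques the post ranks first and second:
hidden IFRAME redirectors and obfuscated JavaScript. Added example; sample
pages and thresholds are constructed, not Finjan's detection engine."""
import math
import re

# Functions an obfuscated script typically needs in order to decode itself.
# A signature on these alone is what the post calls "signaturing the
# de-obfuscating portion": a decoder call by itself is ordinary code.
DEOBFUSCATION_HINTS = ("eval(", "unescape(", "String.fromCharCode(", "document.write(")

# Eight or more consecutive %XX, \xXX or \uXXXX escapes: a long encoded blob.
ESCAPED_RUN_RE = re.compile(r"(?:%[0-9a-f]{2}|\\x[0-9a-f]{2}|\\u[0-9a-f]{4}){8,}", re.I)

# An <iframe> sized to zero or styled invisible: the user never sees it load.
HIDDEN_IFRAME_RE = re.compile(
    r'<iframe\b[^>]*?(?:width\s*=\s*["\']?0\b|height\s*=\s*["\']?0\b'
    r"|visibility\s*:\s*hidden|display\s*:\s*none)[^>]*>",
    re.I)

SCRIPT_BODY_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded blobs push this up relative to plain code."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_script(src: str) -> dict:
    """Combine decoder calls with the share of the script that is an encoded blob."""
    hints = [h for h in DEOBFUSCATION_HINTS if h in src]
    escaped_chars = sum(len(m) for m in ESCAPED_RUN_RE.findall(src))
    ratio = escaped_chars / len(src) if src else 0.0
    return {
        "hints": hints,
        "escaped_ratio": round(ratio, 3),
        "entropy": round(shannon_entropy(src), 2),
        # The pattern worth an analyst's time is a decoder call AND a large
        # encoded blob in the same script; either alone is common in clean pages.
        "suspicious": bool(hints) and ratio >= 0.25,
    }


def find_hidden_iframes(page_html: str) -> list:
    """Every <iframe ...> tag that is zero-sized or hidden by inline style."""
    return [m.group(0) for m in HIDDEN_IFRAME_RE.finditer(page_html)]


def analyze_page(page_html: str) -> dict:
    """Verdict for one fetched page: hidden iframes plus a score per inline script."""
    scripts = [score_script(body) for body in SCRIPT_BODY_RE.findall(page_html)]
    hidden = find_hidden_iframes(page_html)
    return {
        "hidden_iframes": hidden,
        "scripts": scripts,
        "flagged": bool(hidden) or any(s["suspicious"] for s in scripts),
    }


# Constructed samples: a clean page with an ordinary embed and a plain script,
# and an injected page with a zero-sized iframe plus a self-decoding script.
BENIGN_PAGE = (
    '<html><body><script>function greet(n){ document.write("Hello " + n); }</script>'
    '<iframe src="https://example.org/embed" width="640" height="360"></iframe></body></html>')

INJECTED_PAGE = (
    "<html><body>Welcome back"
    '<iframe src="http://example.invalid/x.html" width="0" height="0"></iframe>'
    '<script>document.write(unescape("%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29'
    '%3c%2f%73%63%72%69%70%74%3e"));</script></body></html>')

if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, analyze_page(page))
```

Heuristics like these are a first pass for a web gateway or a crawler-side scanner, and their value is in what they do not depend on: the decoded payload is never matched, so re-encoding it does not evade the check, which is exactly the weakness of signaturing the decoder call alone.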

This has led to the recent


Google Faux Pas (November 5, 2007)

Whoops. It happens even to the best of the best.

You try to close all the cross-site-scripting (XSS) holes in all of the dynamic pages distributed all over your domain, but forget the main page...

This time it happened to Google, but others had the same problem before, and will probably have it in the future.

Recently, we encountered an embarrassing XSS issue on the main search page of Google.

Nothing tricky. Nothing up our sleeves. Just a simple non-existent query containing a script, and poof, the injected script is executed.

I don’t need to tell you how serious this issue was. Yes, was… Google was very quick to fix this issue, in just a few hours.

Just for the record, here is a video demonstrating the vulnerability:

Posted by Aviv Raff