LinkedIn passwords leaked, cracked

Posted on by
Reply

LinkedIn, the popular networking site, was hacked and more than 6 million passwords were leaked. The breach was confirmed today.

It took only minutes for the full dump of passwords to spread virally (combo_not.zip)

The decrompessed file weighs 258 MB and contains 6458019 lines of hashed passwords.

LinkedIn hashed the passwords (meaning they created a checksum of the plain text strings) but did not apply any other level of security, including salting.

For example the password ‘password’ was stored as e4c9b93f3f0682250b6cf8331b7ee68fd8 (SHA1).

It is trivial to find the original (clear text) password using tools such as hash-cat:

It is quite interesting to look at passwords people use… it reveals a lot about human nature ;-) Warning, coarse language ahead!

LinkedIn announced that they are taking immediate action by blocking accounts that have been affected as well as introducing new security measures (in the form of salting their passwords).

This is a reminder that there is no total security. However, strong passwords are still a great protection. For example, to retrieve those passwords hackers use a ‘wordlist’ or dictionary attack. That means if your password was weak, it will be uncovered in seconds. If your password was fairly complex, it will take hackers a lot of pain and effort to crack it.

On that topic, we should change the word password to passphrase. The term is so much more meaningful and shows that actual phrases such as ‘Jimmylovescarsespeciallyatnightonchannel99′ are so hard to crack versus your typical password.

Jerome Segura

A happy website owner

Posted on by
Reply

Getting testimonials like this one really makes you feel like you provided value to the customer.

 

I can’t believe the amount of work this company did for me in such a short period of time.

It all began when I started getting strange messages when going on to a few of my websites, these messages would say things like do not go to this website for possible phishing and Malware… WHAT? I couldn’t believe it, these were MY websites and I know I didn’t install anything like that. Next thing I know I get an email from SparkTrust.com telling me the same thing while at the same time reassuring me that they could help me fix the problems. I called them by phone and spoke to Jerome, who first showed me that my websites had been banned from Google and others because of the phishing and malware. I started to sweat, my business was based on my websites and if they were gone so is my business. But then Jerome, made me feel very at ease and confident that he could help me and definitely fix my problem. They then found hundreds of corrupt files, they found back doors, a bunch of stuff that quite frankly I have no clue to what they are but these guys fix it all by that afternoon and I mean ALL!!! The monthly or yearly fee they charge for their work is so reasonable that I think anyone would be a fool to have a website without this kind of protection because yes, the protection doesn’t stop after the problem is fixed but continues on a daily basis with emails anytime something is detected on any of my 18 websites… however small.

I am truly amazed and very grateful to Jerome, Jean Phillip and Sparktrust.

Guys if I could give you a medal I would.

Thanks again for everything

Your faithful customer for life.
Alain, AbsClubLA

Jerome Segura

Reporting Badware: a better way?

Posted on by
1

As some of you may remember, I’ve had quite the experience (read The joys of reporting hacked websites) reporting malicious websites to their owners.

I spent a lot of time crafting various email templates, following guidelines from StopBadware’s Best Practices for Reporting Badware URLs, but yet at the end of the day it was a total disaster.

For starters, an email marketing guy I know told me quite clearly:

Hi Jerome,

This is a risky campaign to run, as it is unsolicited with, as you said, no prior relationship.

You probably want to avoid doing this.

Cheers,

 

Let’s stop and think for a moment. I am trying to alert someone that their site has been hacked and is serving malware but yet because of the strict CAN SPAM rules and what not, I am not allowed to because I don’t have a previous relationship, an opt-in etc… This is stupid. Let’s take a real life example, I see someone’s car has a flat tire. Should I not be allowed to tell them about it so they don’t get into an accident?

OK, once you can get over that nonsense, here is the reality with most website owners:

  • they have little knowledge about internet security
  • they don’t trust any email warning and label it as a SCAM (have they been trained too well?)
  • they can be rude
  • they send their lawyers

My conclusion is that contacting website owners directly is not the way to go. It is a waste of time and energy because these days nobody trusts anyone whether it’d be by phone, email, snail mail, etc… You can blame the spammers and scammers for that.

So instead, I chose a different route which maybe I should have taken to begin with… I am contacting the hosting provider directly with irrefutable evidence:

I understand abuse departments don’t want to spend time trying to confirm something is bad. So I give them all the details they need, and more.

This email is made from a template since I don’t have the time the write a few hundred of those every day. I wrote long and complex Bash/PHP/Python scripts to gather all the information needed from a specific URL.

As such, for each URL:

  • the malicious code (or file) is downloaded
  • it is sent to be analyzed by Virustotal with MD5/SHA256 checksums
  • an IP and ASN are identified
  • an abuse email contact is found by querying the ASN whois
  • an email is created from the template and then the email is sent

It was a fair amount of work to get that automated, but it is worth it to watch thousands of URLs being parsed and abuse emails being sent ‘magically’.

So far the response has been pretty good. Most abuse departments are quick to act and resolve incidents. They know what I’m talking about and I don’t have to convince them that this is not a scam but rather an effort to get infected websites cleaned up.

Will this be the end of the story… who knows? there might be more developments and surprises, although I think I’ve seen a fair share of stupidity already.

Jerome Segura

The hunt for the secret malicious .htaccess file

Posted on by
2

Yesterday I cleaned up the largest web malware infection I have ever done. It involved 18 infected websites (77,518 php and html files) hosted on GoDaddy.

I am documenting the process here as it may help other people.

One of the main symptoms that lead to the first identification was a redirection to a Fake AV site. Digging deeper I only found more bad stuff…

Fake AV scam:

The redirection is done through tradehilton.ru and tradeincas.ru.

Porn redirections:

A PayPal phishing scam:

Backdoors and shells:

The main redirection was orchestrated by a whopping 181 infected .htaccess files. Here is what a hacked.htaccess file looks like:

As you can see, any request from that site that matches the criteria is sent to the malicious site “tradeincas.ru“.

The cleanup process started with a complete local backup of the entire directory structure (18 websites). This was done through FTP and took a full night.

After removing all backdoors and cleansing the .htaccess files the redirection was still happening and that left me puzzled. I had used all the grep commands I could think of and was certain all the bad stuff was gone.

At this point I requested our customer to ask for SSH access. GoDaddy has a security policy in place where they will phone you to give you a pin that lets you activate SSH. This is very good practice and they were quick about it.

While SSH gave me direct access to run my commands, one issue made my job more difficult. One particular command (grep -r -l ‘tradeincas’ *) would not complete. It seemed to time out after a few minutes with an error of “Terminated”. This could have been due to the very large directory structure.

This annoyed me greatly as I now had to run that command on each folder one by one. But then something came to mind and I went back to the very root of the folder and ran a special command:

find . -name .htaccess -exec grep ‘tradeincas’ {} \;

For some reason, this command would not generate the error mentioned above and it found the one .htaccess file that was tormenting me. However, this file was located one directory above what the FTP access gave me as root, meaning I would never have been able to find it without SSH:

In FTP both using GoDaddy’s web version and FileZilla, the top directory is html, while with SSH I can go back to one above:

So, despite cleaning the other 181 .htaccess files, it would never stop redirecting until the main one sitting at the very top was taken care of.

After renaming it to .htaccess.bak (creates a backup and disables it), everything went back to normal.

Part of the operation involved updating 8 Joomla websites which I did simultaneously using as many FileZilla windows to upload the new Joomla setups.

A few things learned: SSH is crucial to cleaning up an infected website. It can be done with  FTP sometimes but overall SSH is way faster and more thorough. The GoDaddy user interface to manage your account can be a challenge, however, the support team was quick to respond and professional, so maybe that evens things out.

Jerome Segura

Back to the Citi malware

Posted on by
Reply

This spam email is not a phishing scam that is after your banking information (at least not right away). Instead, it wants to add your computer to a large botnet.

Clicking on the link launching the drive-by download infection. It’s one of those situations where you can’t finish swearing before it’s too late:

A successful infection loads the following:

tradifrance.net/NGxo03v6/index.html
urbannex.co.za/SVVsEJwY/js.js
shokani.net/YvKDGVwn/js.js
69.194.194.90/showthread.php?t=4a6d866826776084
69.194.194.90/favicon.ico
69.194.194.90/Cal.jar
69.194.194.90/data/hcp_vbs.php?f=0cf26&d=0
69.194.194.90/q.php?f=0cf26&e=0
69.194.194.90/q.php?e=5&f=0cf26

The java exploit currently has 0 detection on VirusTotal.

Jerome Segura

Exposed Intranet serves malware

Posted on by
Reply

A simple Google search for a malware string reveals a private intranet site, not so private…

This company’s court records are publicly available. The data which contains sensitive information has been sanitized for obvious reasons.

As if that wasn’t enough, the page is also a host for a malicious script (a0v.org/x.js):

What is worse? Data leak or malware? You be the judge.

To publish or not to publish malware links?

Posted on by
Reply

Today I got into a little debate on Twitter with fellow researchers @dimitribest@nicolasbrulez@virusbtn about whether or not publishing malware links in blog postings is acceptable.

Here is my opinion on the debate:

  • Large security companies are tied to potential legal issues and posting malicious URLs within a blog presents a risk. I do believe the researchers who say they want to prevent unnecessary infections, but at the same time I feel like the big corporations they work for are more worried about possible lawsuits with people clicking links by mistake and infecting their PC. For them, it could be legal battles costing them millions of dollars.
  • Including malicious links is used by many as a marketing / SEO technique to generate buzz and traffic. Naming (and shaming) a well-known website means you get your name in the press with all the benefits it entails.
  • In some cases, including full links can be used to prove that you indeed discover something (and not just made it up).
  • Many security researchers, including myself, post full links because we feel we should share our discovery with others. I like to read other people’s blogs and follow such and such links they posted to do my own bit of research. Sure, I could ask them but it introduces barriers etc…

Is the argument that people can get infected really valid? I think taking the necessary precautions such as including a disclaimer, making the links non clickable, and labeling them clearly as harmful is enough. The argument that people can still copy and paste the link to get infected is weak in my opinion. If someone really did that, they are making a conscious decision… it is not just an accidental click of the mouse… After all, Google doesn’t prevent people from copying and pasting in its “this site may harm your computer”, it just blocks the hyperlink:

However, I think there are a couple of exceptions to openly sharing malicious links:

  • In some cases, you may not want to make a powerful tool (such as an exploit toolkit) available to the masses. By publishing the link, you could easily ‘give away’ a weapon to people who have the intent of using it for their own good to harm other users.
  • Some malware research can involve sensitive data and not letting the cat out of the bag makes sense. Obfuscating or blurring the URL can protect the writer against personal reprisals from malware authors, or simply to not let the bad guys know you have penetrated their network.

Jerome Segura

Exploit-friendly domain, malware and a very dirty French host

Posted on by
Reply

Our journey starts with domain (hxxp://jbhx0aibh1zl.az.pl/ - IP address: 109.234.111.23 Poland) that hosts several landing pages typical of the drive-by download exploits we see with the BlackHole kit.

There’s also one folder 7X0GYVjk where we find a sample of the Zbot Trojan family:

The actual exploit-driven pages (all the other folders) contain a redirect to a malicious javascript:

hunmuhendislik.com (IP address: 95.173.190.224 Turkey)

The javasscript file js.js contains one line, which is our final destination and where our fun begins:

document.location=’hxxp://91.121.84.204:8080/showthread.php?t=977334ca118fcb8c‘;

Location: Roubaix, France.

That link is an exploit URL, although it is no longer active.

Other domains on that IP include one about the best of the web:

Apparently it is limited to porn, webcams, warez and free movies:

Another domain on the same IP that is loaded with malware: gamespile.fr

The garbled code translates into iframes (big surprise):

hxxp://cibudit.ru/count20.php
hxxp://jazzute.ru/count5.php

So all in all, that IP is not somewhere you want to hang out too often. ;-)

Jerome Segura

Canada Revenue Agency scam

Posted on by
Reply

Today is the deadline for submitting your tax return (in Canada). So receiving the following email may seem like the perfect timing:

Recent annual calculation of your fiscal activity, our record indicate you are eligible
to receive a tax refund of $1500.00 (PENDING) Please submit a verified tax refund
request and allow us in order to process it. Click the “Refund Me Now” link below and
follow the on screen step in order to have us process your request.

The link (zoe-flury.com/wp-content/plugins/sitemap-generator/index.html) is thankfully no longer active.

Jerome Segura