Friday, December 5, 2008

eBay inundated by scripts for $1 holiday promotion

Slashdot has an interesting article about how scripts are trolling around eBay's $1 holiday promotion in order to tip the odds in favor of the cheaters. This whole thing has me thinking: isn't that what black hatting is really all about? Cheating, that is. Sometimes I wonder if I should take a psychology course to establish the correlation between, perhaps, an inner feeling of non-confidence in one's ability to be successful and the drive to crack systems.

Meanwhile, those of us who play by the rules are screwed once again.

Saturday, August 4, 2007

The Worms Crawl In, The Worms Crawl Out...

I have seen several new strains of the Storm-based "greeting card" worm dumping tons of crap into the inboxes of my clients, and unfortunately, my own company as well. The links invariably point to some numeric IP without a domain name; likely these IPs are zombie hosts in the same manner as the zombies that sent the spam.

The really bad news is coming in from several of the analyst sites, which have found that new variants are installing rootkits in some instances. More than likely, that means we'll be working on stamping out this new variant for a good while to come. Fortunately, the new strain appears to have limited polymorphic capabilities when it comes to its message body template; therefore, filtering the content should be relatively simple for the time being with a simple regex. Hopefully the people who modified this version won't catch on to the idea that their spam payload is woefully easy to identify and filter.

The really interesting question comes down to what to do about all these IP addresses that appear in these spams -- obviously these machines are compromised, and their owners certainly should be aware of the situation. Given the current legal situation surrounding white hat activities, I have to admit that I'm rather more of the "screw 'em" mentality. Rampant lawyers suing white hats tends to do that.

Frankly all I am going to do is put that same regex code used to filter the spam payload to further use. We could identify these IPs and simply perform something equivalent to DenyHosts-style H-IDS and slap those entries into hosts.deny for a 60-day term. Anyone carrying that kind of infestation on their box has no compelling reason to be allowed to talk to mine.
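As an added illustration of the two-step approach described in the last few paragraphs (template regex to catch the spam, then harvest the bare-IP links and write them to hosts.deny with an expiry), here is a Python sketch. It is not the blog author's own filter: the lure phrases are only an approximation of the greeting-card wording, the sample messages and the "storm-zombie expires" comment convention are constructed for the example, and the IPs are RFC 5737 documentation addresses standing in for real zombie hosts.

```python
"""Harvest zombie IPs from Storm-style greeting-card spam and emit expiring
hosts.deny entries.  Added example; template wording and samples are constructed."""
import ipaddress
import re
from datetime import date, timedelta

# Assumed approximation of the greeting-card lure: a "card" word plus a
# vague sender relation.  Tune both lists against real samples.
CARD_WORD = re.compile(r"\b(?:greeting card|e-?card|postcard)\b", re.IGNORECASE)
SENDER_WORD = re.compile(
    r"\b(?:friend|family member|neighbou?r|colleague|class-?mate)\b", re.IGNORECASE)

# A link whose host part is a bare dotted quad, optionally with a port and path.
NUMERIC_URL = re.compile(
    r"""https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?(?:/[^\s<>"']*)?""",
    re.IGNORECASE)

# Never write these into hosts.deny, even if a lure points at them: a forged
# link to your own LAN would otherwise lock out your own machines.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Marker line written in front of each of our entries so they can be purged.
EXPIRY = re.compile(r"#\s*storm-zombie expires (\d{4}-\d{2}-\d{2})")


def looks_like_card_spam(body):
    """True when the body carries both halves of the (assumed) lure template."""
    return CARD_WORD.search(body) is not None and SENDER_WORD.search(body) is not None


def extract_numeric_ip_links(body):
    """Unique bare-IP link hosts in the body, minus local/loopback/link-local space."""
    found = []
    for m in NUMERIC_URL.finditer(body):
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:       # e.g. 300.1.2.3 satisfies \d{1,3} but is not an address
            continue
        if ip.is_multicast or any(ip in net for net in LOCAL_NETS):
            continue
        if str(ip) not in found:
            found.append(str(ip))
    return found


def zombie_ips(messages):
    """IPs linked from every message that matches the card template."""
    ips = []
    for body in messages:
        if looks_like_card_spam(body):
            for ip in extract_numeric_ip_links(body):
                if ip not in ips:
                    ips.append(ip)
    return ips


def hosts_deny_entries(ips, today, term_days=60):
    """Two lines per IP: a full-line comment with the expiry date (tcp_wrappers
    only recognises comments that start the line), then the deny rule."""
    expires = (today + timedelta(days=term_days)).isoformat()
    lines = []
    for ip in ips:
        lines.append("# storm-zombie expires " + expires)
        lines.append("ALL: " + ip)
    return lines


def purge_expired(lines, today):
    """Drop our marker comment and the rule after it once the term has passed;
    every other line (hand-written rules included) is left alone."""
    keep, skip_next = [], False
    for line in lines:
        if skip_next:
            skip_next = False
            continue
        m = EXPIRY.match(line)
        if m and date.fromisoformat(m.group(1)) < today:
            skip_next = True
            continue
        keep.append(line)
    return keep


# Constructed sample inbox: two lures with routable IPs, one lure pointing at
# RFC 1918 space, and one legitimate message with a hostname link.
SAMPLE_MESSAGES = [
    "You've received a greeting card from a family member!\n"
    "To see it, click http://203.0.113.45/ within 24 hours.",
    "Your Neighbour has sent you an ecard.\n"
    "View it at http://198.51.100.7:8080/?card=7 \n",
    "Fun postcard from a friend: http://192.168.1.10/card/",
    "Quarterly report attached, see http://intranet.example.com/report",
]

if __name__ == "__main__":
    for line in hosts_deny_entries(zombie_ips(SAMPLE_MESSAGES), date(2007, 8, 4)):
        print(line)
```

Two caveats worth keeping in mind before wiring this into a mail pipeline: hosts.deny only affects services that consult TCP wrappers (linked against libwrap or started through tcpd), so it is not a firewall, and the zombies' addresses are mostly dynamically assigned, which is exactly why the entries carry an expiry and a purge step rather than living in the file forever.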

Multi-vector attacks are certainly dangerous, but I think the good news for white hats is the increasing complexity in adding the factors of social engineering to worms and malware also gives us the ability to more easily find and eliminate source systems... in this case, practically automatically with simple expression filters.