Friday, August 22, 2008

RFI List

Some remote file includes (RFI's) for your enjoyment:


Paris Hilton Returned By Aliens (damn!)

Occasionally my spam folder gets some really exciting messages. However, the subject of this one left me a bit disappointed.

Poor Paris - it must be really bad when even the little green men aren't interested in her.

From: "Magnus Bonnel"
To: [REDACTED]
Subject: Paris Hilton Returned By Aliens
Date: Thu, 21 Aug 2008 22:02:07 -0400
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198


PLAY NOW


The image would have displayed for any of you who had HTML parsing enabled within your email client. I cropped it at the chest for a "G" rating. The nipples were blurred already. If you clicked that image, you'd happily download player.exe from roskiman.com. Similar spam points to merk2web.com.ar offering stream.exe. The second version wasn't censored. An unsuspecting individual would get an eyeful of this woman's breasts (cropped for worksafe rating):



a3aec9130af6f69c715dc6eb89949079 stream.exe
a3aec9130af6f69c715dc6eb89949079 player.exe

Anubis results for the binary are available here.


Sunday, August 17, 2008

Mailbag

I had some time today, so I thought I'd post this morning's mailbag:

Compromised website (Javascript Compromise):
http://emergency [dot] charlestoncounty [dot] org/index2.asp?p=/ElectedO.htm
PayPal/City Credit Union Phish - with kits:
http://85.45.179.9/icons/small/Secure/home/management/
Kits located at:
http://85.45.179.9/icons/small/www.citycu.org.tar.gz (info goes to alvin.thecrazy@gmail.com)
http://85.45.179.9/icons/small/citycu.org.tar.gz -> (info goes to pep.xxl@gmail.com)
http://85.45.179.9/icons/small/paypal.tar.gz -> (info goes to pep.xxl@gmail.com)
Todays "Breaking News" spam:
From: Tinney
User-Agent: Thunderbird 2.0.0.14 (Windows/20080421)
MIME-Version: 1.0
To: [REDACTED]
Subject: BREAKING news
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

Did Bill Clinton Cross the Line? http://www[dot]sakapfet[dot]com/1.html

Attempts to trick users into downloading a fake AV client called Antivirus XP 2008 from antivirusxp-08.com.
It tries to convince users they need to download and run "install.exe", which of course is a trojan. (VirusTotal output)

Reported malicious domains:
fbcel.org
www.jewelryboxes.net
sakapfet.net
tvmonitoringservice.com
cheahahs.com (msn_video.html)

Bots/Malware:
http://www [dot] 1rc-chat [dot] net/a.exe
http://members [dot] lycos [dot] co [dot] uk/dbrowny/server.exe


Saturday, August 16, 2008

Defcon 16

It was a pleasure seeing several of you at Defcon this year. I ran into Steven Adair from Shadowserver and Brian Krebs from Washington Post. They get honorable mention because both promised me a beer, and never paid up - guess I'll have to collect next year with interest. :) In all seriousness, it was great to see old friends and make new ones.

I'd like to extend a special thanks to StillSecure and IOActive for hosting a wonderful party on Saturday Night.

A few new tools were released at Defcon this year. Among my favorites are Grendel Scan and The Middler.

Grendel-Scan is an open-source web application security testing tool. It has automated testing modules for detecting common web application vulnerabilities, and features geared at aiding manual penetration tests.

Grendel was written by a fellow penetration tester, David Byrne. David's skills are exceptional and he claims to use this tool during the initial phases of a penetration test. I was granted an early release of this tool, which I used on several recent vulnerability assessments, and I was thrilled with the results. While it's not yet perfect, it certainly makes my job much easier, and identifies points of weakness that I can focus my attacks on. Since the scans can be throttled, the tool is perfect for use in production and development environments alike.

The Middler was written by Jay Beale with help from his friends at Intelguardians. The Middler allows an attacker with no web application hacking experience to launch attacks that previously required substantial time and skill. The Middler is still pending official release, but Jay promised in his talk to release it as soon as he fixed one critical bug.

These two tools serve very different purposes. Jay's tool is focused more on exploitation and attacks. David's tool is a weakness identification aid, and does not make any attempt to compromise a host. Both tools look promising and should be added to your toolbox.

This is my fourth Defcon. I'd like to challenge the presenters to step it up a notch. Several presentations this year were recycled from previous years.
