Article on DDoS Tarpitting

June 26th, 2007

I just wrote up an article about using tarpits to fight off HTTP-based DDoS attacks. Since I myself have been a victim of DDoS, I thought I’d throw out an idea to help those who might find themselves at the mercy of some anonymous attacker.

The full article can be found at:

Detecting BBB/IRS/FTC/Proforma Trojan-Infected Users on Your Network

June 18th, 2007

We’ve gotten some inquiries as to how to find users infected by the recent BBB/IRS/FTC/Proforma trojan scams on corporate networks where an IDS/IPS device that can detect the exfiltration traffic might not be in play.

If you keep firewall, proxy or DNS server logs, you may be able to spot infected users by traffic analysis. This activity has been going on since at least February, so it is prudent to search back through the logs at least to the beginning of 2007.
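As an added example (not code from the original post), here is the kind of retrospective log sweep the paragraph describes: parse Squid-style proxy access lines and BIND 9-style query log lines, skip anything before 1 January 2007, and report every internal client that reached a destination on an indicator list. The indicator names, the sample log lines and the client addresses are all constructed placeholders for illustration; they are not the trojan's real infrastructure, which an analyst would substitute from their own sources.

```python
"""Sweep proxy and DNS logs for internal hosts that contacted known-bad destinations.

Added example, not part of the original post. Indicators and log lines below are
constructed for illustration only.
"""
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

# Hypothetical indicator list (placeholder names, not real trojan infrastructure).
INDICATORS = {
    "drop.example.invalid",
    "stats.example.invalid",
}

# The campaign dates back at least to February 2007, so sweep from the start of the year.
SEARCH_START = datetime(2007, 1, 1)

# Squid native access.log: "<epoch>.<ms> <elapsed> <client> <result> <bytes> <method> <url> ..."
SQUID_RE = re.compile(
    r"^(?P<ts>\d+)\.\d+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# BIND 9 query log: "dd-Mon-yyyy hh:mm:ss.mmm client 10.0.0.5#1234: query: name IN A +"
BIND_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client (?P<client>[\d.]+)#\d+"
    r"(?: \([^)]*\))?: query: (?P<qname>\S+) IN"
)

# Constructed sample lines: one client POSTs to an indicator, one tunnels to another
# via CONNECT, one resolves an indicator via DNS, and one hit predates 2007 (ignored).
SAMPLE_LOG_LINES = [
    "1171535400.123    150 10.1.2.3 TCP_MISS/200 512 POST http://drop.example.invalid/gate.php - DIRECT/198.51.100.7 text/html",
    "1171535460.456    120 10.1.2.3 TCP_MISS/200 1024 GET http://www.example.com/ - DIRECT/192.0.2.1 text/html",
    "1166572800.000     90 10.1.2.9 TCP_MISS/200 400 GET http://stats.example.invalid/ - DIRECT/198.51.100.8 text/html",
    "1171600000.000    200 10.1.2.4 TCP_TUNNEL/200 3000 CONNECT stats.example.invalid:443 - DIRECT/198.51.100.8 -",
    "20-Feb-2007 09:15:02.001 client 10.1.2.5#3456: query: drop.example.invalid IN A +",
    "20-Feb-2007 09:15:03.002 client 10.1.2.5#3457: query: www.example.com IN A +",
]


def host_from_url(method, url):
    """Return the destination hostname of a Squid request.

    CONNECT requests log "host:port"; other methods log a full URL.
    """
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlparse(url).hostname or "").lower()


def matching_indicator(name):
    """Return the indicator that `name` equals or is a subdomain of, else None."""
    for ioc in INDICATORS:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def parse_event(line):
    """Parse one Squid or BIND line into (timestamp, client, destination), or None."""
    m = SQUID_RE.match(line)
    if m:
        ts = datetime.fromtimestamp(int(m.group("ts")), tz=timezone.utc).replace(tzinfo=None)
        return ts, m.group("client"), host_from_url(m.group("method"), m.group("url"))
    m = BIND_RE.match(line)
    if m:
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
        return ts, m.group("client"), m.group("qname").rstrip(".").lower()
    return None


def find_suspect_hosts(lines, since=SEARCH_START):
    """Map each client that reached an indicator (on or after `since`) to its first sighting."""
    hits = {}
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        ts, client, dest = event
        if ts < since:
            continue
        ioc = matching_indicator(dest)
        if ioc is None:
            continue
        entry = hits.setdefault(client, {"first_seen": ts, "indicators": set()})
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["indicators"].add(ioc)
    return {
        client: {"first_seen": e["first_seen"].isoformat(), "indicators": sorted(e["indicators"])}
        for client, e in sorted(hits.items())
    }


if __name__ == "__main__":
    for client, info in find_suspect_hosts(SAMPLE_LOG_LINES).items():
        print(f"{client}: first seen {info['first_seen']}, reached {', '.join(info['indicators'])}")
```

Feed it the concatenated proxy and DNS logs (one line per element) and it returns each suspect client with its earliest sighting, which is what you need to prioritise cleanup; note that DNS hits only tell you which resolver client asked, so on networks with a forwarding resolver you will need the resolver's own client-facing log rather than the upstream one.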

Read more…

BBB Scam Changes Social Engineering Ploy

June 15th, 2007

Since we first wrote about the BBB phishing emails, we’ve seen variants change from forged BBB complaint letters to false IRS criminal investigation notices to FTC investigation notices. We’re now seeing messages from the same phishing group posing as “Proforma” invoices, sent with a Word document attachment (an actual MS Word file this time, not the RTF files used in the other BBB/IRS phishing scheme).

Read more…

BBB/IRS Phishes and the Chinese Connection

June 7th, 2007

Recently we detailed the workings of two different phishing emails designed to install malware on the computers of executives through social engineering ploys. The first ploy was an email pretending to be a complaint routed through the Better Business Bureau. We saw this used to install two different families of malware. The second ploy, posing as a criminal investigation notice from the IRS, has now been seen installing the same two families of malware.

The one that got our attention in the first place, known as Troj-iwebho, has a simple yet powerful tactic: steal ALL data sent from the victim’s web browser. Banking, email, shopping, stock trading, prescription/healthcare data and casual (sometimes very personal) browsing, everything the user does online is collected into the attacker’s database. On the surface it makes for an identity theft scam with a very high payoff potential.

Read more…

Speaking at BlackHat USA 2007

June 4th, 2007

My presentation “Just Another Windows Kernel Perl Hacker” has been accepted at BlackHat Briefings USA 2007. If you’re going to Vegas this year, stop by and catch my talk, and I’ll tell you how to use Perl to remotely debug the Windows kernel from the *nix box of your choice.