22 Sep A psychological experiment
Join our blog
You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.
Fabio, our researcher in Brazil, has noticed malware authors using an old trick to mask URLs. The trick involves specifying an IP address such as say, 220.127.116.11 (the IP address of google.com, borrowed from my colleague, Costin) in a numerical base other than base 10. The supported bases are octal (8) and hexadecimal (16), and even a single 32bit number work, thus the following are all valid, and each will take you to google.com:
Now, by itself, this isn’t terribly interesting from a technical perspective; this ‘feature’ of IP specification has been around for quite a while.
However…what is interesting though is that due to the relative obscurity of using such methods to denote an IP or URL, it is quite feasible that existing security products do not correctly identify the URLs as valid or flag them as malicious when they point to existing known bad websites.
In my testing, Firefox on Windows supports all of the above addresses, under Linux however, Marco from our German office says some are unsupported. Based on poor browser support for such features, it’s possible to imagine URL filtering tools having the same lack of support.
In addition to potential weak tool support for such URLs, it is likely that unsuspecting users may be more easily convinced that a particular URL is legitimate, which I think is the obvious goal of using such URL obfuscation techniques.
News has spread pretty quickly about the latest IE 0-day exploit. Unfortunately, in trying to publicize the quality of his employer’s product in relation to this new exploit, according to Ryan Naraine, a researcher at McAfee inadvertently divulged too much information about the vulnerability leading to some unintended consequences.
The consequences were - the prompt creation of a PoC Metasploit module for the vulnerability, turning what was once an exploit used in targeted attacks into a potentially widespread issue for users IE 6 and 7.
What exactly was divulged? Well, I was curious too, as I frequently am faced with what information I should or should not mention. It turns out that all that was divulged was a list of file names involved with the exploit and malware dropped by the exploit, and the domain name that the malware connected to.
It seems pretty reasonable to list that information in a blog post, right? Surely someone writing IDS signatures would find the URL used by the malware useful, and other anti-virus researchers might gain benefit from knowing the file names associated with the attack.
This leads to the question then, exactly what can be safely disclosed? Should nothing be disclosed? As a technical individual I get frustrated when an author redacts all important information in regards to indentifying a threat; the McAfee researcher was obviously trying to keep people like myself interested.
My suggestion for researchers writing about live threats is simple. If the domain(s) hosting un-patched exploits are still active, don’t post the URL or filenames associated with the exploit: frequently Google will happily locate the page for you.
Does this mean researchers shouldn't share key information about live threats? Of course not, we do it all the time. But not in public - there are plenty of secure methods for sharing details about live threats.
Today marks the largest patch Tuesday ever from our friends in Redmond with 13 vulnerabilities addressed, covering a total of 34 potential exploits. Three of the exploits have had public code posted while 11 of them are rated as likely to be consistently exploitable.
The most alarming vulnerability this month is MS09-050, which according to its discoverer, was introduced by the patch for MS07-063. MS09-050 was first published publicly on security researcher Laurent Gaffié’s blog on September 7th outlining a denial of service vulnerability in SMB 2.0, specifically the srv2.sys driver. You might remember some of the buzz when this was first released as several people immediately added that that this was not only a denial of service, but could easily lead to remote code execution. What should be just as concerning for Microsoft, however, is the fact that the vulnerability affects Windows Vista and Windows 7 machines and not Windows XP - not an encouraging sign.
Included in this patch are also updated kill bits for ActiveX controls ala MS09-035, which if you remember was related to several vulnerabilities in ATL. Also, MS09-060 appears to address these vulnerabilities as they pertain to MS Office. It’s less than settling to see this vulnerability still has not been fully patched.
Another highly visible patch this month is the fix for the SSL certificate impersonation vulnerability, MS09-056. Those who attended Blackhat LV in July won’t have forgotten that this was the exploit being enthusiastically described to a standing room only audience by Moxie Marlinspike. Interestingly enough, this vulnerability was discovered by Dan Kaminsky.
As always, make sure to apply these patches as soon as possible and especially this month if you are using Windows Vista or later with SMB enabled!
I've been thinking a bit about human psychology in the wake of the Fan Check virus scare. There were a lot of rumors flying – depending on who you listened to, the Fan Check Facebook app was malicious, not malicious, a hoax...And while I was thinking, a controversial psychology experiment kept coming back to me.
Back in 1963, Yale psychologist Stanley Milgram published an article in the Journal of Abnormal and Social Psychology detailing his research findings on how people respond to authority figures. In Milgram's experiment, a test subject was told to give electric shocks (which escalated in intensity) to an individual in a separate room if the individual failed to respond correctly to questions. The test subject was also told that the individual had a heart condition. No electric shocks were actually administered, but when the button was pressed to "deliver" a shock, a pre-recorded response was played – ranging from screaming to pleading for the shocks to stop to silence. Many of the test subjects continued to administer shocks up to "maximum voltage", even though they admitted they felt uneasy about doing so.
Milgram's experiment showed clearly that when a person is told to do something, they'll usually do it, even if it goes against their own perceived values. Our adversaries, the malware authors, have a great understanding of basic psychology, and they know that this principle holds true in the digital world as well. Their latest “experiment”, where they sent Facebook users messages asking them to warn their friends about the “Fan Check” virus was pretty successful. People complied simply because they'd been told to.
Of course, this case isn't exactly analogous to the study described above; those who "warned" their friends didn't see any harm in doing so, and probably thought they were being helpful. But the behavior is very similar to the "blind obedience" mentality highlighted by Milgram.
The behavior demonstrated in the Milgram study has been replicated in the real, non-research world. And the boundaries between the physical world and the digital world are getting increasingly blurred. At the moment malware scares are mostly created unwittingly. But we've also seen the emergence and rise of cyberbullying and other nasty behavior. How long will it be before we see cybercitizens knowingly acting against their own values, simply because they've been told to do so?