fantom-stranger.com » Security

Bot-vector analysis: Vodafone owned by Mariposa infected microSD cards

Andy — Wed, 24 Mar 2010 05:09:40 +0000

INTERNET!~ I knew it was the SD card, I knew it! The Vodafone bot vector analysis I mentioned earlier this month was correct. It’s over.

The infection of microSD cards for the HTC Magic with the Mariposa information-stealing client and other strains of malware was first reported after Vodafone Spain supplied a malware-infected Android phone to a Panda worker earlier this month. [From the register]

Users get new microSD cards. Yay, but at what cost did buying the $2 phone really bring? 3,000+ phones infecting every windows machine that they come in contact with, snap. I guess that means more you have to start using Linux or scan your new phones with a Linux machine first. Hey there’s a new service, phone virus removal…

Bot-vector analysis: Android OS comes pre-installed with malware

Andy — Tue, 09 Mar 2010 23:05:13 +0000

Apparently, there has been a compromise at HTC or Vodaphone. There are rumors on the web that a Vodaphone “HTC Magic” came pre-installed with multiple malware programs. How would someone slip a file onto a phone before it enters an end user’s hands? Any way you look at it, this seems like a hack.

A quick analysis of the malware reveals that it is in fact a Mariposa bot client.

Every android phone *can* be plugged into any PC or Mac via USB. Under windows it works just like any other insert digital medium (CD, DVD, Flash Drive). Upon being plugged in, it opens the folder and executes the file specified in autorun.ini. This would be the vector a bot herder/malware researcher would use to launch it’s “spread” and stay infected. As long as nobody notices the files on the phones, users would just keep getting re-infected every time they plug in their phone to download their photos. One speculation that may be responsible is: “the SD card” since all that someone would need to do is put “files” in the root of the SD card for them to execute. So the question might be instead be: “How would someone slip a file onto a flash card before it’s inserted into a phone?”.

Interestingly enough, the Mariposa bot is not the only malware I found on the Vodafone HTC Magic phone. There’s also a Confiker and a Lineage password stealing malware.

Why did it take so long for a person to notice malware on the phone? The HTC Magic is one of the most popular smart-phones in the UK. In the US, T-mobile branded this product as the “myTouch 3G“, and that phone has a massive pop. Where is the supporting evidence on the phone? The only “proof” we have so far is a few windows screen shots. I’m intrigued by this and it will be interesting to see what comes to light. I’ll keep you updated when I hear more.

Virgin Airlines removes all FLASH to make the web a faster place

Andy — Fri, 05 Mar 2010 05:34:35 +0000

In a move to stop CPU waste from processing bloated content, Virgin Airlines has trash-canned all of their FLASH content. I commend them on this move; someone needed to start the movement. Flash is bloated. End of story. There is no standard, there is no open source, and there is no relief. As soon as you start adding flash to a site, you’ve degraded the ability of the browser.

“Apple does not support Flash because it is so buggy… Whenever a Mac crashes more often than not it’s because of Flash. No one will be using Flash…The world is moving to HTML5.” — Wired

(HAHA!). But flash has it’s place, it is the best medium to deliver video on a web page and play web-games.

Hopefully, HTML5 can fix the web game problem.

Adding my own flavor to this post:

Over the technology years, flash has been metaphorically turned into a baseball bat by business owners and web publishers. This proverbial baseball bat has been beaten across every web developer’s face (repeatedly) for the last 11 years and there hasn’t been anything that the developers can do about it. You MUST specialize in flash, to make flash.

New personal hero: Ravi Simhambhatla

He has some sweet open source ideals as well.

site updates

Andy — Mon, 15 Feb 2010 19:50:35 +0000

Good news! I’ve been working a lot on my site features recently. Today I’ve included an update that adds 47 languages to the entire site. To select a different language, scroll to the bottom and click the appropriate flag (this will probably move to the top). Site page translation is an ongoing process so it may be slow at first. Page requests also include Google translator for instant page translation.

Oh, heads up!

I’m in the process of starting a new web hosting solution for my friends, family, and colleagues. The service is dedicated to providing quick customer support response times and easy to use web hosting tools (this alleviates headaches of most hosting providers). Starting out, I will be the sole person managing the servers, applications, and support. Your questions, comments and concerns will go straight to me. The best part about this service is that I can now offer you any web related service (ruby on rails, postgresql, ad serving, social network integration, endless etc.). If you would like some solid, secure, and highly customizable hosting on my managed dedicated servers then please contact me at fantomstranger.net. Keep an eye out here for web hosting discounts by subscribing to the fantom-stranger.com facebook fanpage.

lemme borrow that botnet

Andy — Sun, 24 Jan 2010 05:46:41 +0000

A group of researchers stole the ‘torpig’ bot-net for 10 days. Encryption madness ensued….

Here’s the google techtalk about what they did to take over the botnet and analyze it (get ready its long and boring (an hour and 15 minutes) but crazy):

Protect your passwords and your intertubes!

[Reference]

die, some spam!

Andy — Wed, 09 Dec 2009 13:41:20 +0000

If you haven’t browsed through fantom-stranger.com, I have a paste bin for directly pasting any text, into my site. Really handy for sharing text. It kind of an open security hole and recently, some bots have found it and taken the time to nestle in some content. Luckily I caught it before anything turned into a rash. The text-dump paste-bin has been updated and now employs recaptcha in attempts to narrow bot spam. This is my round 2 attempt as my first custom captcha didn’t stop any “inappropriate” content. I’ve also wiped the database to start a-fresh in “the text-dump pastes”, from this point forward. Bot spam will not be tolerated any longer and I will put harder captchas in place it comes down to that. Jerks.

fantom software pick: moon secure anti-virus

Andy — Wed, 09 Dec 2009 07:21:22 +0000

I can get paranoid about my “local” security quite often and I am a big fan of open source software. I try to go open before anything, really. I had used clamwin for awhile but was interested in a more “active” anti-virus tool because clamwin is only on demand. That wasn’t enough for me; I know it can’t protect you from getting viruses. I looked up open source alternatives that had more aggressive/constant memory scanning protection that wouldn’t stop when I clicked close. I found Moon Secure and I have been installing it everywhere. Moon Secure is an enterprise level active anti-virus scanner for Microsoft Windows, that currently employs clamav scan engine and virus database. The best part about it is that it’s free! The UI isn’t fancy but it’s worth a try if you are sick of controlling n0rton or the buggy resource hogs like mcafee.

Control IIS IP address binding and prevent all unassigned IP addresses

Andy — Wed, 04 Nov 2009 21:12:52 +0000

This post is for Windows XP and Windows 2003.

If using Windows 2000 and IIS 5.0, you need to disable socket pooling. Here is the Microsoft article for disabling socket pooling in IIS 6.

This info discusses how to change (force) which IP addresses that IIS listens too. There are several scenarios that this would fall into. Most people generally only need to separate services and IIS listens to all IP addresses by default, IP so errors will occur if multiple web servers are using port 80 on the same IP. Example: Your server has multiple IP addresses and you need to run a new apache wordpress blog site on a separate dedicated IP address then your .net survey e-commerce IIS site to avoid any conflicts. There are other options in this scenario if you only have one IP address on a server but also need to run more then one web server on a single box, but that’s a different post. Alternatively, I also address binding IIS to all addresses.

To do this, we first stop IIS from binding to all addresses and explicitly select which ones to use. Once we tell it this, the IP addresses will be free to use by other applications and services. If you’re using Windows XP, then you may need to install Windows XP Service Pack 2 Support Tool. If you’re using Windows 2003, then you don’t need to worry because it’s most likely installed.

Now we need to open a command prompt. The quickest way to open command prompt in windows is to press “windows key”+R, and then type cmd into the run dialog box. Then press enter…
Were going to use “httpcfg” to setup IIS. So type:

httpcfg query iplisten

That should return:

IP : 0.0.0.0
——————————————————————————
The first change we make should delete the listening on all IP addresses, so lets do it:

httpcfg delete iplisten -i 0.0.0.0

If you typed everything correctly and the program likes it you should see:

HttpDeleteServiceConfiguration completed with 0.
Now we assign the IP address(es) that you would like IIS to bind too:

httcfg set iplisten -i 192.168.0.23

and again for if we need multiple:

httcfg set iplisten -i 192.168.0.24
Now we need to restart the http service so it will use the new configuration:

net stop http

and then:

net start http
Now we really need to check IIS manager to make sure that the sites are working properly. If you find any sites that are offline (marked with a red X), make sure the site configuration is using one of the IP addresses you entered earlier or “(All Unassigned)”. If it isn’t set it to the new address and turn on the site.

After IIS restarts, it will only be listening to the IP addresses you told it to. You can now setup your other web services to use the unallocated IP addresses. If you are still experiencing issues after completing these steps, you may need to disable socket pooling.

Force IIS to bind (listen) to All IP Addresses

Make sure you have httpcfg, then do the following:

Open a command prompt. The quickest way to open command prompt in windows is to press “windows key”+R, and then type cmd into the run dialog box. Then press enter…
We need to check what the current assignment is:

httpcfg query iplisten

That should return something similar to this:

IP : 192.168.0.23
——————————————————————————
We should delete the entry for any IP that isn’t 0.0.0.0, like this:

httpcfg delete iplisten -i 192.168.0.23
Next, we assign 0.0.0.0 to iplisten. 0.0.0.0 tells IIS to assign to ALL IP addresses:

httcfg set iplisten -i 0.0.0.0
Check the current configuration and make sure that 0.0.0.0 is the only assignment. If it isn’t, delete the other IP address(es) until it is:

httpcfg query iplisten

IP : 192.168.0.24
——————————————————————————
IP : 0.0.0.0
——————————————————————————

httpcfg delete iplisten -i 192.168.0.24
Now we need to restart the http service so it will use the new configuration:

net stop http

and then:

net start http

IIS should now be listening to all IP addresses again.

I found these sites useful when I was collecting my information:
Prevent IIS from Binding to all Assigned IP Addresses
egghead cafe question
IIS wikipedia entry
Setting metabase property DisableSocketPooling has no effect

sidekick danger: danger

Andy — Sun, 11 Oct 2009 02:58:23 +0000

Well here is some bad news for t-mobile sidekick users. Danger/Microsoft’s servers are “on the fritz” and when users shut off their sidekick they lose all their data. The event has pulled all sidekicks from the stores.

Wow.

free windows “security” software “soon”

Andy — Fri, 25 Sep 2009 06:10:25 +0000

Get ready! “In the coming weeks” you can be protected from some stuff a bit more then usual for no cost or hassle. I recommend that everyone who uses a Microsoft Windows®, take advantage of these options as they come.