Following the Trail of Web-based Malware

Recently a client of mine alerted me to an email that was received by one of their HR staff members.  The body of the email is shown below:

Despite having received security awareness training, the staff member clicked on the link thinking this was a document that needed to be reviewed.  In actuality, it was a link to a malicious site. Fortunately, there were technical controls in place that prevented the user’s machine from being compromised, but I thought it would be illuminating to follow the trail of this attack.

Step 1

The email bypassed the client’s anti-spam and anti-malware defenses most likely because the link in the email was actually to a legitimate website rather than a known malicious site, the email came from a well-known email provider, and there was little else in the message.  Below is the actual HTML contained in the email.  Notice the part in bold as this is the hyperlink used in the email.

After our legal department studied this contract carefully, they’ve noticed the following mismatches with our previous arrangements. We’ve composed a preliminary variant of the new contract, please study it and make sure that all the issues are matching your interests
neymix.cuna.org/blog/wordpress/wsdno.htm?M0DJ854=318L77Y4SFO&3L6=G2DGZ8C9F2O9DV2LFX&99G2R=I996N6O9B3WJQ8DVL&FV882F6=5CFM197E9&">Contract.doc 72kb

With Best Wishes
Elvina Riggs

Secure Checksum: 9d08e1116b5

Step 2

Once the user clicked on the link, they were taken to the site hxxp://moneymix.cuna.org.  This is a legitimate site operated by the Credit Union National Association, a credit union trade association.  Moneymix is a service offered by the association to other credit unions to provide social media content to the websites of credit unions that sign up for the service.  Hackers had injected a malicious iframe on this website that would then redirect the user to hxxp://ciredret.ru/main.php.

Step 3

The main.php script contained JavaScript that attempted to exploit several potential vulnerabilities on the user’s machine.  I was able to download the script and analyze it.  By inserting an “alert” statement into the script just prior to the actual execution of the code, we can get a good idea of what the script does. Below is a sample of the output:

This exploit checks the installed versions of a number of applications including browsers, Java, Flash and Adobe Reader.  If it finds a vulnerable version, it attempts to exploit the vulnerability and compromise the machine.  This code appears to be very widely used as I found numerous copies of it on sites such as Pastebin.  A more readable version of the above code can be found .  Given that this script is being used on so many sites, it seems likely that it is part of one of the many commercial exploit packs that are available on the web.

Conclusion

Based on this research we can draw some conclusions about appropriate countermeasures to address this type of threat.  First, user awareness is key. Users must be educated about these types of threats so that they can identify and avoid them. Second, defense in depth is a must.  In this case the client had anti-spam and anti-malware technology on their mail gateway, but this threat still made it through. Additional countermeasures such as a web security gateway or proxy server are also recommended.  The last line of defense would be on the endpoint itself. Third, it is important to understand that even legitimate websites can be victimized and used to spread malware. Don’t assume that because a site is well known or in a particular industry that it is safe. Lastly, keep your systems patched, including third party applications. Ninety-five percent of known exploits are useless against a fully patched system.

Note: I contacted the administrators of the Credit Union National Association website to advise them of the fact that their site was compromised. To their credit they removed the offending file very quickly.

Affiliate marketing is a very popular way for people to make money from their websites.  Most websites that charge membership fees have affiliate marketing programs whereby they pay others for driving traffic to their sites. Usually the affiliate will receive a certain percentage of the money spent by each person that signs up for a service or buys a product that was referred by the affiliate site.  For example, Amazon has a huge affiliate program where it will share revenue with affiliates that drive traffic to Amazon that results in a sale.

Affiliate marketing is very widespread in the online adult entertainment industry. Just about every adult website has an affiliate program and it is not uncommon for scammers to look for ways to take advantage of these programs in an effort to make quick money, even if it means committing fraud to do it.  I was recently informed by a large payment gateway operator of an affiliate scam that is currently in operation in the adult arena.  Here is how it works:

First, the scammers establish affiliate relationships with legitimate websites that have generous affiliate payouts.  Then the scammers create a website of their own with teaser content that is likely to generate interest.  The site requires a fee of X dollars for full access to the site, which in actuality has little or no content.  Of course viewers won’t discover this until after they have signed up for the site and provided the scammers with their credit card information.  The scammers then take that credit card information and use it to sign up with one of the websites with which they have an affiliate relationship. The scammers will then collect the affiliate payout from their affiliate partner sites.

Based on the information I have received, the elements listed below have been associated with this latest scam:

  • Billing Phone:
  • Billing Email: 
  • Email: 
  • Email: 
  • Email: 
  • Company Name: Anton Dzarty

Additionally, it seems that a payment gateway operating out of Germany called is associated with this scam and is injecting the harvested details directly into payment pages of merchants.  I would advise all merchants with affiliate programs to search their databases for any of the above information and to scrutinize traffic coming from the gateway.  Currently this scam is focusing on those merchants in the adult space, but it is likely that this will spread to other markets with big affiliate programs as well.

A new Apache DoS vulnerability was reported recently by security researcher Kingcope on the mailing list that affects most default installations of Apache 1.3/2.x.  This report also included a working exploit called that has been shown to reliably exhaust the memory of the web server and cause it to crash.  RedHat has released an  related to this vulnerability.  Currently there is no patch available for this issue.

This exploit generates a very large range header value such as shown below:

Range: bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10,5-11,5-12,5-13,5-14,5-15,5-16,5-17,5-18,5-19,5-20,5-21,5-22,5-23,5-24,5-25,5-26,5-27,5-28,5-29,5-30,5-31,5-32,5-33,5-34,5-35,5-36,5-37,5-38,5-39,5-40,5-41,5-42,5-43,5-44,5-45,5-46,5-47,5-48,5-49,5-50,5-51,5-52,5-53,5-54,5-55,5-56,5-57,5-58,5-59,5-60,5-61,5-62,5-63,5-64,5-65,5-66,5-67,5-68,5-69,5-70,5-71,5-72,5-73,5-74,5-75,5-76,5-77,5-78,5-79,5-80,5-81,5-82,5-83,5-84,5-85,5-86,5-87,5-88,5-89,5-90,5-91,5-92,5-93,5-94,5-95,5-96,5-97,5-98,5-99,5-100,5-101,5-102,5-103,5-104,5-105,5-106,5-107,5-108,5-109,5-110,5-111,5-112,5-113,5-114,5-115,5-116,5-117,5-118,5-119,5-120,5-121,5-122,5-123,5-124,5-125,5-126,5-127,5-128,5-129,5-130,5-131,5-132,5-133,5-134,5-135,5-136,5-137,5-138,5-139,5-140,5-141,5-142,5-143,

–CUT–

1268,5-1269,5-1270,5-1271,5-1272,5-1273,5-1274,5-1275,5-1276,5-1277,5-1278,5-1279,5-1280,5-1281,5-1282,5-1283,5-1284,5-1285,5-1286,5-1287,5-1288,5-1289,5-1290,5-1291,5-1292,5-1293,5-1294,5-1295,5-1296,5-1297,5-1298,5-1299

Accept-Encoding: gzip

This in turn causes Apache to build separate copies of the requested resource, one for each range, which consumes memory, eventually causing the server to start swapping and ultimately to crash.  There is a web site that discusses the issue in great depth.

Fortunately, there are some Apache configuration settings that can be adjusted to mitigate this vulnerability:

  • Use mod_headers to completely disallow the use of Range headers.  For example, in your httpd.conf file add the lines:

RequestHeader unset Range 

RequestHeader unset Request-Range

Note that this may impact certain clients, particularly if a web server is used for serving content to e-Readers or providing streaming video. However, this should be safe for most websites that are not serving this type of content.

  • Limit the size of the request field to only a few hundred bytes.  For example, in your httpd.conf file add the line:

LimitRequestFieldSize 200

While this will keep the offending Range header short, it may break other headers, such as a large Cookie header or security-related header fields.  Also, as the attack evolves you may have to lower this limit further or impose other settings such as LimitRequestFields.

  • Configure Apache to detect a large number of ranges in the request header and then either ignore the header or reject the request. For example, add the following lines to your httpd.conf file:

SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range

The value 5 is arbitrary and may need to be made larger depending on the type of content your site serves. For example, the value may need to be increased to 10 for sites that serve PDFs to eReaders or other large files such as video.

  • Finally, if you are using mod_security you can use the below rule to detect and block the attack.  Thanks to for this bit of code.

SecRule REQUEST_HEADERS:Range "^bytes=(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\," \
"phase:2,capture,rev:'2.2.1',t:none,block,msg:'Range: Too many fields',logdata:'%{matched_var}',severity:'5',id:'958231',tag:'RULE_MATURITY/5',tag:'RULE_ACCURACY/7',tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}',tag:'PROTOCOL_VIOLATION/INVALID_HREQ',tag:'http://www.bad-behavior.ioerror.us/documentation/how-it-works/',setvar:'tx.msg=%{rule.msg}',setvar:tx.id=%{rule.id},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"

I believe that most sites could easily implement the first option (denying Range headers altogether) without any negative impact to site viewers.  I have tried all of these mitigation strategies on my web server and have not seen any adverse results.  Of course, you should always test these changes in a non-production environment prior to implementing them on your production servers.
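As an added example (not code from the original post), the following Python applies the three checks just described to sample Range headers: the SetEnvIf regex, the mod_security regex, and a plain count of range specs, plus a measure of how many bytes the server would have to produce if each range were served as its own copy. The regexes are copied from the snippets above; the sample headers and the 1000-byte resource size are constructed assumptions.

```python
"""Range-header sanity checks mirroring the Apache mitigations above.

Added example, not code from the original post: the regexes are copied
from the httpd.conf and mod_security snippets in the text; the header
samples below are constructed for the test, and the resource size is an
assumed value.
"""
import re
from typing import List, Optional, Tuple

# Pattern from the SetEnvIf directive: fires on five or more commas,
# i.e. six or more byte-range specs.
APACHE_BAD_RANGE_RE = re.compile(r"(,.*?){5,}")

# Pattern from the mod_security rule: five consecutive "a-b," fields.
MODSEC_RANGE_RE = re.compile(
    r"^bytes=(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\,"
    r"\s?(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\,"
)

# (first, last); None marks the open side of "N-" or "-N".
RangeSpec = Tuple[Optional[int], Optional[int]]


def parse_range_header(value: str) -> List[RangeSpec]:
    """Split 'bytes=a-b,c-,-d' into (first, last) pairs.

    Anything that is not a byte-range set yields [], and specs that are
    not of the form digits-digits are skipped, as a server would ignore them.
    """
    value = value.strip()
    if not value.lower().startswith("bytes="):
        return []
    specs: List[RangeSpec] = []
    for spec in value[len("bytes="):].split(","):
        m = re.fullmatch(r"(\d*)-(\d*)", spec.strip())
        if not m or not (m.group(1) or m.group(2)):
            continue
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        specs.append((first, last))
    return specs


def requested_bytes(specs: List[RangeSpec], resource_size: int) -> int:
    """Bytes the server must produce if every range is served separately.

    Overlapping ranges are counted each time they appear, which is why the
    header shape shown in the text is expensive: every '5-N' spec is a
    fresh copy of the same prefix of the file.
    """
    total = 0
    for first, last in specs:
        if first is None:  # suffix range "-N": the last N bytes
            total += min(last, resource_size)
            continue
        if first >= resource_size:  # unsatisfiable, ignored
            continue
        end = resource_size - 1 if last is None else min(last, resource_size - 1)
        if end >= first:
            total += end - first + 1
    return total


def check_range_header(value: str, resource_size: int, max_ranges: int = 5) -> dict:
    """Apply the checks the text describes to one Range header value."""
    specs = parse_range_header(value)
    produced = requested_bytes(specs, resource_size)
    return {
        "ranges": len(specs),
        # count-based equivalent of the SetEnvIf threshold
        "too_many": len(specs) > max_ranges,
        "apache_regex": APACHE_BAD_RANGE_RE.search(value) is not None,
        "modsec_regex": MODSEC_RANGE_RE.search(value) is not None,
        "bytes": produced,
        # how many times over the file size the request would be served
        "amplification": produced / resource_size if resource_size else 0.0,
    }


# Constructed samples: a normal resumed-download request, a two-range
# request such as a PDF reader might send, and a shortened version of
# the header shape shown in the text.
LEGIT_SINGLE = "bytes=0-499"
LEGIT_MULTI = "bytes=0-99,200-299"
SUSPECT = "bytes=0-," + ",".join(f"5-{i}" for i in range(50))
ASSUMED_SIZE = 1000  # bytes; assumed size of the requested resource


if __name__ == "__main__":
    for name, hdr in [("single", LEGIT_SINGLE), ("multi", LEGIT_MULTI), ("suspect", SUSPECT)]:
        print(name, check_range_header(hdr, ASSUMED_SIZE))
```

The count and regex checks agree on the constructed samples; the amplification figure is the extra signal a proxy or log review can use when a client legitimately sends several ranges but never more data than the file itself.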

Advance fee fraud, sometimes called the Nigerian bank scam, is one of the most common scams on the Internet.  I am sure you all have received an email purportedly from a wealthy person located in Africa or Europe who needs your help transferring money into a bank account.  The reasons vary for requiring your assistance, but they always promise a large sum of money in return for your help.  Recently I received the following email that was an attempt at advance fee fraud:

From: “Sherer, Renslow [BSD] – MED” < >
To: “Sherer, Renslow [BSD] – MED” < >

RE: Beneficiary of £7,500,000.00

Dear Beloved, It is by the grace of God that I write you,I am Mrs. Julie
Meno,i have a project worth 7.5 Million Pounds.contact me

The original email came from , but with a reply-to of   This is probably a compromised email account that is being used by scammers.  I decided to reply to the email and find out exactly how this particular scam worked.  I sent a short reply indicating my willingness to help and I quickly received the below email:

Dear Beloved,

I am Mrs. Julie Meno, the wife of Mr. Mohammed Saha Meno, both citizens of the United Arab Emirates. My husband worked with the Chevron/Texaco in Russia for twenty years before he died in the year 2003.Since his death, I decided not to re-marry. When my late husband was alive he deposited the sum of 7.5 Million Pounds (Seven Million Five Hundred Thousand Pounds)in a Financial House in Europe.The management just wrote me as the beneficiary that the account is DORMANT and if I, the beneficiary of the funds, do not re-activate the account;the funds will be CONFISCATED or I rather issue a letter of authorization to somebody to receive it on my behalf, since I cannot come over.

Blessings to you beloved. The words in your response have given me great joy. This is a good work of charity project I have placed in your hands. My dear I will only say to you with reason of my throat cancer I am unable to speak but all I want is that the money is first safe in your account before I meet the Lord so that it can be used for the intended purpose. i have told you in confidence that I want the project to be kept very secret and details of my contact with you should not be disclosed to anybody and this is because my husband’s family might want to do everything to gain possession of this money for their own selfish interest.

My dear the financial house in possession of the money is in Europe, the money can be transferred to your account electronically once you activate the DORMANT ACCOUNT and I need the following details below to send LETTER OF AUTHORIZATION to the financial house in Europe that you are now the sole beneficiary see below:

NAME IN FULL:
CONTACT ADDRESS:
DATE OF BIRTH
COUNTRY:
TEL:FAX:
OCCUPATION:

I want you to know now that if the project does not take place it will be your fault as I have done all in my power to see that everything works in the manner that we have discussed.  My dear, I want you to have faith and pray always knowing the task ahead and the bold step. I have taken to give you this money and I need you to do is always stay focused and follow instructions, there is need for prayers as obstacles will arise but all that stand against the success of this transfer and the project proper will fall.

Let me rest and leave you to pray and build your mind towards the task ahead and also always be in contact with me. It is very important that you complete this project in good faith even if I join my husband before time and always know your share of the funds is 20% and the balance must be used for the  project proper which is 80% dispatching it to the list of the charity organizations that I’ll be sending to you.

Regards
Mrs. Julie Meno

In an effort to add authenticity to the email, and to generate sympathy for her cause, there were two photos attached (shown below):

I responded to the email with some bogus information and indicated  my willingness to help her out in any way possible.  Soon I received another email with a list of charities that she intended to help once she had the money and encouraged me to include some of my own charities that I would like to help.  Clearly the scammer was trying to appeal to my sense of honor and placate any suspicions I might have regarding this deal.  Again I responded with my willingness to help her with this situation.

Interestingly, the next email I received from the scammer requested that I use a different email address for future correspondence.  I suspect that the previous email account may have been shut down.  The new email address used an Argentinian domain:

Dear Mark Baldwin,

How are you today? I hope you are doing fine and blessed. I have a problem with my email address,  i think i was asked to validate my email address because my mail box was full, but i ignored the mail and now i am having issues with receiving mails but i can send out. I Had no choice but to use an alternative email address, please contact me with this new email  .   i think its much more better.  Please give me updates regarding the previous mail that i sent to you.I have been very weak,but the doctors are taking care of me, i just want this project successful so i can rest. God Bless you.
Regards
Mrs. Julie Meno

Finally, on June 24 2011 I received the below email which is the start of the actual attempt to get me to send her money.  The email included two attachments: 1) a “Power of Attorney” naming me as the trustee of the 7.5 million pounds and 2) a deposit certificate from Halifax bank of London with me as the recipient of the 7.5 million pounds.  I am promised 20% of the 7.5 million pounds in return for my assistance with the transaction.

Dear Mark Baldwin,

Attached to this email is the Certificate of Deposit and a Power Of Attorney.

God bless you for your zeal and seriousness to help me out in this charitable course and God will surely bless you and i want you to know that i am a very devoted Christian and do only the things directed by my father. I contacted you purely on divine instruction and i want you to know that so far i prayed about this divine direction to you then God has appointed you for this project to bless you and your family, all i need is absolute trust and honesty when this funds get to you that it will be used to accomplish the purpose for which it was made. When my late husband was alive we were so much in love and fond of ourselves that we combined his first name and my middle name john and Alice to become Joyce which we always used to call ourselves and i will want you to set up a charity home or foundation with this name when the fund has been released to you. Dear you are now my only source of strength and hope and you alone can make me happy if only Joyce dreams come to pass then i shall wait upon the lord with joy in my heart. Please do not disappoint me because you know what it takes to entrust so much money on you.

I have just received a Power Of Attorney from my attorney and I have sent it to the bank regarding my appointing you as my beneficiary and you are now the sole and sole beneficiary to this fund totaling  £7,500,000.00 Pounds Sterling and you have to keep 20% for your services for you and your family.  I attach a copy for you to contact the bank with. As i told you in my last email my health is not too good now which means sometimes it will be difficult for me to be on the Internet and send messages to you but do send me messages and my prayer and blessings is with you. Also as soon as the funds get to you let me know so that i can still advise you on things to do.

The contact details and email of the finance firm is below and you have to contact them immediately via email as i have already issued the authority to them and they will be expecting to hear from you so that they can arrange on how the funds will be transferred to you. You have to provide them with every assistance the bank will need to effect the transfer to enable the funds released to you without delay. I want you to contact the bank stating my deposit File No: Reference: HAL/2010/678/51829/UK for easy trace of my file, and also note that you “MUST” open an offshore online account with this branch of HALIFAX  FINANCIAL HOUSE before my deposit willed to you will be credited in your name and thereafter you can transfer online to local account or anywhere you want in the world, this is because they said that my dormant account can only be reactivated by me, since I cannot go there due to my health, they have advised that the beneficiary setup a new Offshore account as an alternative means. If you follow the instructions from the bank directly within the next 3 working days you will have this funds transferred to you and available for use.

Address and contact email of my bank branch and head office below:

HALIFAX FINANCIAL HOUSE CENTRAL OFFICE:
HEAD OFFICE:  6389 Coburg Road,
Suite 202, Halifax, NS B3H 2A5 UK,London.
Director Of Operations: Mr.Winter Blakes
Email:
Email: 
Tel:
Fax:

Once again, The agreement reached due to the dormancy of my account states that who ever i authorize to inherit this deposit will complete it through the use of an online account that MUST be opened by the new customer, therefore note that your contact with the HALIFAX FINANCIAL will involve the opening of a new private account in your name which automatically credit the deposit into your account. That is the HALIFAX e-banking policy like I was told, so you should be ready to open an account with them upon your contact.

God bless you and your family for what you have chosen to do.

God Bless you.
Julie Meno

Next I received an email purportedly from Halifax bank asking me to fill out an online form in order to establish my account into which the 7.5 million pounds would be deposited.  Notice at the bottom of the email there are instructions for staying safe online, including not providing your personal information to unknown people.  This is quite amusing given that this is exactly what they are asking me to do.

HALIFAX FINANCIAL HOUSE . HEAD OFFICE:

6389 Coburg Road,
Suite 202, Halifax, NS B3H 2A5 UK,London.
Tel: (+44)702-409-6780
Fax (+44)709-284-9743
Company Reg no: UK0186483UR82345.

Dear Respected Beneficiary (MARK BALDWIN)

You are welcome to the support department of the Halifax Financial House.

RE: BEQUEATHED £7,500,000.00 TO MARK BALDWIN

Compliment of the day to you, upon the receipt of your mail. We would like you to visit our website online with the link below

WEBSITE:  http://www.hali-fxbklondon.com/fh/ or visit directly to our Online Verification form with this link http://hali-fxbklondon.com/fh/en/i-fund/reg.html

Do endeavor to complete the required information’s on the form and submit. As soon as we receive the details we will send you instructions in other to have your account accessed.
We pledge our efficient banking services.

Yours Faithfully,
Support Department

This message contains confidential information and is intended only for the individual named in the TO Column, of this e-mail. If you have received this and are not the named addressee, Please notify the sender. The sender therefore does not accept liability for any error or omission in the contents of this message, which arises as a result of e-mail transmission.

If you have any questions,please feel free to contact me. On behalf of my bank let me welcome you as one of our most-valued clients.  

Yours Faithfully

Mr. Winter Blakes
Director Of Operations
Halifax Financial House

**ABOUT US**
News Alert: Stay Safe Online It’s easy to protect yourself online if you follow these simple steps:

1.Never divulge your full PIN or Password
2.Never respond to an e-mail that asks for your confidential or personal security information
3.Install and maintain anti-virus software
4.Install and activate a Personal Firewall
5. Keep your computer software up to date

I went to the online form mentioned in the email expecting that it might be a malicious website that would attempt to install malware on my machine, but found that it is actually a fake banking site designed to trick visitors into providing their financial information.  Unfortunately, it no longer appears to be online and I did not take a screenshot prior to writing this article.  However, I did look at the page source when it was still online and noticed that they had used the HTTrack website copier to create their fake banking site.  It was very poorly done with many of the links not working properly and the source code not cleaned up at all, making it obvious as a phony banking site.

The next email I received from “Halifax Bank” was a request to wire them $600, which is the minimum amount required to open an account.  At this point I imagine they were anxiously waiting for the money to come in.

We received your Online application details. Be informed that we will have Mr. Mohamed Saha Meno’s account activated from it’s dormant state and move the funds into your account which you will be operating in our bank because you cannot make transfer from his dormant account.

Once you have received your account details upon meeting our account requirements, The sum of Seven Million, Five Hundred Thousand Great British Pounds Sterling would be added to your initial deposit for you to make transfer.

We he have also attached our account opening form which you are to fill and send back to us along with the payment details for your account initial deposit.  The Initial deposit for an Online Banking Pro Tem  Account  is £373.500 GBP = $600 USD.  Payment for the Pro Tem  account (Initial deposit) should be sent through Western Union to our account officer with the following information in our payment head office.

Name:   Adrien Addison
Address: 6389 Coburg Road,
Suite 202, Halifax, NS B3H 2A5 UK,London

On receiving the payment receipt, you are required to send a copy of the payment receipt to this office so it could be filled for official references.

The payment details sent should include the following:
1. Name of sender.
2. Address of sender.
3. Amount sent.
4. Money Transfer Control Number. (M.T.C.N)

We anticipate a swift response from you in other to activate all services required to make your transfer. Note that The initial deposit remains in your account and will be added to your funds.For any help and problems do not hesitate to contact us.

Yours Faithfully,
Support Department

This message contains confidential information and is intended only for the individual named in the TO Column, of this e-mail. If you have received this and are not the named addressee, Please notify the sender. The sender therefore does not accept liability for any error or omission in the contents of this message, which arises as a result of e-mail transmission. If you have any questions,please feel free to contact me. On behalf of my bank let me welcome you as one of our most-valued clients.  

Yours Faithfully

========================================================
Mr. Winter Blakes
Director Of Operations
Halifax Financial House

**ABOUT US**
News Alert: Stay Safe Online It’s easy to protect yourself online if you follow these simple steps:

1.Never divulge your full PIN or Password
2.Never respond to an e-mail that asks for your confidential or personal security information
3.Install and maintain anti-virus software
4.Install and activate a Personal Firewall
5. Keep your computer software up to date

At this point my ruse had run its course as I was not about to send them any money.  I responded that I did not have the $600 to fund the account and asked Julie Meno if perhaps she could loan me the money to fund the account.  The last email I received from her is below:

Dear Mark Baldwin,

I received your mail, but you alone know that i am disabled and all i have right now i do not have them in my possession any longer since my late husband’s relatives took over because of my disability.  This involves just the both of of us, and if you do not do something about getting this funds, its either the bank would informed them later after i die or the British Government would take over it.

Now that i have been able to give you all you need, why not take this as a personal project. We are talking about a huge funds here,and i do not see why you cannot go extra length in making sure this funds get’s to your account and then you alone can dedicate without anyone given you instructions.  But everything is a matter of choice. Just get back to me because i do not have any way of assisting you financially, i already explained that to you.

Mrs. Julie Meno

Scams such as these are very prevalent on the Internet and gullible people frequently fall prey to them.  It should go without saying that if a deal seems too good to be true, it is.  To avoid these types of scams, simply delete any emails you receive from unknown sources, especially ones promising money or other goods.  Never give out personal information and don’t follow links in emails from unknown senders.  Check out the for a list of useful tips for avoiding becoming a victim of Internet fraud.

In the past, small businesses and independent consultants had to rely on freely available tools to aid in their security assessments of web applications due to the cost of commercial scanners.  Tools such as AppScan (IBM) and WebInspect (HP) can run into the tens of thousands of dollars which is outside the budget of most independent consultants and SMBs.  Freely available tools such as WebScarab and Burp have long been critical tools in the arsenal of the small consulting companies, and will remain so I am sure.  However, as useful as these tools are, they lack many of the time saving features available in most commercial tools and frequently one must use a dozen or more open source tools to even come close to the features available in one commercial tool.

Fortunately, in recent years, two companies have developed commercial webapp scanners that rival the features, the speed, the usability and the accuracy of any commercial tool on the market.  And they do it at a price point that just about any small business or independent consultant can afford.  and are commercial webapp scanners that won’t break the bank.  Both of these tools cost approximately $3000 for a one year subscription with unlimited scanning capabilities.  The focus of this article is to provide a comparison of these two tools in terms of accuracy, features, speed, and usability.

For this comparison I selected two well known vulnerable web applications: the Damn Vulnerable Web Application () and the IBM AppScan demo site called .  Both of these web applications were purposely developed with vulnerabilities in order to facilitate web application testing and research.  The DVWA application was installed on a VM on my network and is running CentOS 5.5, MySQL 5.0.77, PHP 5.1.6 and Apache 2.2.3.  Due to the way that DVWA works, it is important to note that the security setting was purposely set to the “low” setting.  Additionally, I dropped and recreated the database after each scan to ensure that previous scans did not interfere with subsequent ones.  The Testfire demo site is maintained by IBM and is running Microsoft ASP.NET.  These two applications provide me with two different applications to scan, each using different platforms, and each containing different types of vulnerabilities.  The versions of the scanners used in this test were Acunetix 7.0 (build 20110308) and Netsparker 1.8.3.3.  Lastly, when scanning with Netsparker I used the “Full Scan” scanning profile and when scanning with Acunetix I used the “Default” scanning profile (which includes all checks Acunetix supports).

DVWA Scan Results

DVWA was developed with specific vulnerabilities (such as SQL injection, XSS and others) in specific pages of the application.  The DVWA application has 9 specific vulnerabilities that were tested for.  The goal of the test was to see how many of these specific vulnerabilities each tool would be able to identify, how many other vulnerabilities they could detect, and how many false positives each tool reported.  The tables below show the results of the scans against the DVWA application.  Acunetix correctly identified 7 of the 9 known vulnerabilities while Netsparker discovered only 4 of 9.  Both scanners accurately detected the command injection, file inclusion, SQL injection and file upload vulnerabilities.  Both scanners failed to detect the CSRF and blind SQL injection vulnerabilities.  The three vulnerabilities that Netsparker failed to detect that Acunetix did detect were the brute force attacks and the XSS bugs (reflected and stored).  Netsparker does not currently check for brute force attack vulnerabilities, which explains its failure to detect this vulnerability.  This feature is expected to be available in a future release according to MavitunaSecurity.

Both Netsparker and Acunetix identified a number of other vulnerabilities in the DVWA application that while valid, were not specifically part of the test.  The table below provides a list of these vulnerabilities.  In some cases the tools found the same vulnerabilities in the same pages, but in many cases they differed quite a bit. Some of those worth noting are:

  • Acunetix identified XSS vulnerabilities in cookie parameters of nearly every page.  Netsparker does not currently have a check to identify this type of vulnerability, but will in a future release.
  • Acunetix identified that passwords are submitted via the GET method rather than POST.
  • Netsparker was able to identify file inclusion vulnerabilities in a number of pages that were missed completely by Acunetix.
  • Acunetix identified that session cookies do not have the Secure flag set, even though SSL is not enabled.  While this is not exactly a false positive, it certainly does not make sense to have the Secure flag enabled when SSL is not in use.
  • None of the vulnerabilities detected by either tool could accurately be classified as a false positive.

Testfire Scan Results

The tables below show the results of the scans against the Testfire application.  Acunetix correctly identified 9 of the 16 known vulnerabilities while Netsparker discovered 8 of 16.  Both scanners correctly identified SQL injection bugs in login.aspx and transaction.aspx.  They also both correctly identified XSS bugs in customize.aspx, comment.aspx, and search.aspx.  Both scanners failed to detect SQL injection in account.aspx, ws.asmx and / as well as XSS in disclaimer.htm.  Acunetix was able to detect an Xpath injection vulnerability, a check that is not currently included in Netsparker.  Netsparker, on the other hand, detected an LFI in default.aspx that Acunetix missed.

Both Netsparker and Acunetix identified a number of other vulnerabilities in the Testfire application that while valid, were not specifically part of the test.  The table below provides a list of these vulnerabilities.  In some cases the tools found the same vulnerabilities in the same pages, but in many cases they differed significantly.  Some of those worth noting are:

  • Acunetix detected that the application is vulnerable to password guessing attacks.
  • Netsparker found a bug that allows for HTTP header injections.
  • Both scanners detected that ASP.NET debugging was enabled and that the ViewState was not encrypted.
  • Netsparker went further and detected that MAC validation was not used in the ViewState data.
  • Again, Acunetix identified that session cookies did not have the Secure flag set, even though SSL is not enabled.
  • None of the vulnerabilities detected by either tool could accurately be classified as a false positive.

The Skinny on the Scanners

Both Acunetix and Netsparker performed similarly at detecting vulnerabilities in the Testfire application.  Acunetix did slightly better against the DVWA application.  Neither of them discovered all the vulnerabilities in the applications, but they performed in a manner that is consistent with other commercially available tools.  In fact, it is arguable that these two tools, which are two of the least expensive on the market, out-perform some of the better known, higher cost solutions.  Several studies have examined some of these more expensive webapp scanners and the results are rather surprising (see the links at the end of this article).

As far as Acunetix and Netsparker are concerned, they each have particular strengths and weaknesses that make them more or less appealing depending on how one intends to use the tool.  Let’s start with Netsparker.  The most compelling feature of Netsparker is its ability to confirm vulnerabilities, thereby saving the tester time having to confirm them manually.  The creators claim that Netsparker is false positive free which may be a bit of an over-statement.  However, Netsparker does have an internal exploitation engine that will attempt to verify a vulnerability by safely exploiting it.  If it is able to do so, then Netsparker will list the vulnerability as “confirmed” in the report.  The screen capture below shows an example of this.

This is a very powerful feature indeed and one that can save the tester time when performing an analysis of a web application.  Netsparker also has a very intuitive and simple interface.  This can be both a positive and a negative.  For the tester who wants to quickly run a scan and get reliable results without having to spend a lot time learning how to use the tool, Netsparker is a great choice.  However, I found that it did not provide the same amount of flexibility and configurability as Acunetix.

The strength of Acunetix lies in its ability to quickly detect a wide variety of vulnerabilities with little need for advanced tuning and configuration.  However, for those who desire more control over the tests and like to “get their hands dirty”, Acunetix provides the flexibility and built-in tools that even the most advanced pen testers will appreciate.  For example, Acunetix has a built-in SQL injection exploitation tool that allows the tester to actively engage with a backend database through a vulnerable application.  The screen capture below shows an example of this tool.

As can be seen, using the SQL injection tool I was able to list the databases via a SQL injection vulnerability and even manipulate them if so desired.  Acunetix also includes an HTTP sniffer, an HTTP fuzzer, an authentication tester, a port scanner, Google hacking database queries and much, much more.  Acunetix also allows you to create customized scanning templates.

If you are performing white box testing or have access to the application server being tested, Acunetix Acusensor is a particularly powerful tool for detecting bugs in PHP and ASP.NET.  Acusensor works by combining black box scanning techniques with feedback from sensors placed inside the source code while the code is executed on the application server.  This allows Acunetix to detect more vulnerabilities with fewer false-positives, provide source code line number and stack trace information related to the vulnerability, and improves its ability to detect SQL injection bugs without having to rely on web server error messages.  When a scan was run against the DVWA application with Acusensor enabled, the results were quite different than when run without it.  Acunetix with Acusensor detected a total of 156 vulnerabilities as opposed to 73 without it.  Moreover, Acunetix also detected the specific blind SQL injection bug in /vulnerabilities/sqli_blind which it missed without Acusensor enabled.  Thus, with Acusensor enabled, Acunetix detected 8 of the 9 specifically crafted vulnerabilities in DVWA.   Below are screen captures demonstrating the effectiveness of scans with and without Acusensor enabled.

DVWA Scan Results Without Acusensor Enabled

DVWA Scan Results With Acusensor Enabled

Summary

The world of web application security testing is constantly evolving and thankfully we now have tools that are affordable and provide a very strong set of features to aid the security tester in her work.  In this article I have performed a thorough comparison of two such web application scanners (Netsparker and Acunetix) in order to determine their relative strengths and weaknesses.

Netsparker is a very good tool for point and shoot type testing.  It does not require a great deal of knowledge to use the tool, it has a very good user interface, and it does a decent job detecting the most important vulnerabilities.  It has good reporting features that are easy to read and intuitively designed.  Moreover, its ability to confirm detected vulnerabilities is a very nice feature that is unique to this scanner. This feature can be a real time saver as the tester does not need to validate those vulnerabilities that have been confirmed by Netsparker.  The downside of Netsparker is that it does not provide a high level of control and flexibility that more experienced testers are likely to require.  It also does not include many additional tools that are useful for performing more manual testing.  Finally, Netsparker does not appear to have the same number and breadth of checks that Acunetix has.

Acunetix is a very robust scanner with lots of features that will allow advanced users the flexibility and control that they will desire.  While its user interface is not bad, it is not as streamlined as Netsparker’s and the learning curve is a little steeper.  However, the payoff is a very powerful tool with excellent reporting capabilities.  The Acusensor technology is especially useful and greatly improves the tool’s ability to find vulnerabilities in PHP and ASP.NET applications.  This is a must in any situation in which the tester has the ability to install Acusensor on the targeted application servers.  It combines the best of white-box and black-box testing to provide a very detailed report on the application’s security.  Both Netsparker and Acunetix did a very good job of not reporting false positives.  None of the reported vulnerabilities in my tests were discovered to be false positives.

Notes

  • I would like to thank MavitunaSecurity for providing me with a Netsparker evaluation license in order to perform this review.  They were very responsive to all my questions and provided helpful information during my tests.
  • Both and provide free (limited) versions of their tools that can be downloaded from their web sites.
  • No single tool is capable of finding every vulnerability that may exist in a web application.  It is useful to employ multiple automated scanners if possible as this approach will be more likely to uncover potential vulnerabilities.  It is also critical to supplement automated testing with manual tests in order to find issues in business logic and authentication which are often difficult to test with automated scanning.  Automated scanners are just one tool in the security tester’s arsenal and should not be relied on as the sole source of information when testing web applications.
  • Below are links to previous comparisons of webapp scanners by other researchers:

While there is nothing surprising these days about finding a website that contains malicious code, it is educational to investigate them in order to determine how the bad guys are using the web to scam people and make money.  A recent documents the increased use of javascript by attackers in their attempts to install malware on victim machines.  Recently I came across a site with some malicious javascript that caught my attention. In this article I will detail how the javascript works in its attempt to download and install malware on unsuspecting visitors’ machines.

The site in question is hxxp://www.dompimps.com. Do not attempt to access this site unless you know how to protect your machine or else you may find yourself dealing with a nasty infection (and this one won’t be treatable with antibiotics). I attempted to notify the owners of the site to alert them to the malicious javascript, but I have not received any response. It is impossible to know if this malicious code was installed by the site owners themselves or if it was injected by a hacker who took advantage of a vulnerability in the site. In either case, the result is the same for visitors to this site.

The screen shot below shows the malicious javascript that exists on this site.

Interestingly, no attempt is made to obfuscate this code which frequently is the case with malicious javascript in order to make detection more difficult.  The result when someone visits hxxp://www.dompimps.com is that the javascript will be executed by the browser which will then load hxxp://onlineisdudescars.com/js.php.   This site has an IP address of and appears to be registered in Latvia.  And this is where things get interesting.  I submitted this URL to Anubis for analysis and used the provided network trace to determine exactly what this PHP script does.  The below screen shot shows the pertinent part of this PHP script and how it attempts to install its malware.

As can be seen, the js.php script makes a call to hxxp://www3.netsurfingprotectionuc.rr.nu/?9247dcba5c=m%2Bzgl2uglqasm%2BLPzaualubj4KKbpZ%2Bk0KWbYKWklJI%3D which has an IP address of and appears to be registered in Virginia.  This site actually serves up the scareware that attempts to install rogue anti-virus software and infect your machine.  It is particularly persistent and requires you to kill your browser via task manager in order to get away from the site.

Since I started working on this article last week, the js.php script on hxxp://onlineisdudescars.com has been updated and now refers to hxxp://www4.lawcps-safe.rr.nu/?944184a698=m%2BzgmGuekqmcluOW156Zi6Lm3mvUpnJpaGFvZpFrmlw%3D rather than hxxp://www3.netsurfingprotectionuc.rr.nu/?9247dcba5c=m%2Bzgl2uglqasm%2BLPzaualubj4KKbpZ%2Bk0KWbYKWklJI%3D.  Hackers frequently change the source of their malware distribution points to make detection more difficult and help prevent their sites from being exposed and possibly taken offline.

The process described in this article is very typical of how hackers use javascript to install malware on unsuspecting users browsing the web.  There are often two or three hosts involved with the first one being used to distribute the javascript that has either been placed on a web server without the knowledge of the owners (e.g. via SQL injection) or on purpose by the site owners.  The javascript will redirect to another site that either actually attempts to install the malware or possibly uses redirection to yet another site that will actually host the malware.  By using this series of redirections and changing the intermediate hosts/URLs occasionally, it is much more difficult to track down the people behind the scam.  Understanding how the bad guys use web technology to conduct their attacks can help all of us defend our networks from them.

It is interesting how a minor home improvement project can result in the discovery of a hack on a major retail website.  It all started with a simple Google search for “home depot stair spindles”.

The first unpaid result in the search is hxxp://www6.homedepot.com/stairparts/gallery.html as shown above.

As it turns out, there is an invisible iframe in this page that links to the external site vwui.in on port 8080 as shown below.

As can be seen in the screenshot, the below code has been injected into the page:

The site vwui.com is listed as a malicious site by both Google and StopBadWare with one listing going back to July of 2009.

After I discovered this hack I decided to investigate the vwui.in site to try and determine what type of malware it was hosting.  As it turns out, this domain no longer resolves.

[prompt ~]$ host vwui.in
Host vwui.in not found: 3(NXDOMAIN)

StopBadWare lists the IP associated with this domain as which according to the whois database belongs to ThePlanet.com Internet Services.

[prompt ~]$ whois
[Querying whois.arin.net]
[whois.arin.net]
Optical Jungle EVRY-753 (NET-209-85-51-0-1) 209.85.51.0 –
ThePlanet.com Internet Services, Inc. NETBLK-THEPLANET-BLK-EV1-15 (NET-209-85-0-0-1) 209.85.0.0 –

Furthermore, when accessing this IP in a browser it redirects to hxxp://searchmanified.com which also appears to be serving up some type of malware.

So how did this page on Home Depot’s website get compromised?  While it’s not possible for me to know for certain without doing a complete investigation, I can make an educated guess.  Typically, these types of attacks use one of several attack vectors:

  • Compromised FTP credentials due to a weak password
  • Brute force compromise of server credentials
  • SQL injection

Back in 2009 tens of thousands of web sites were injected with hidden iframes that attempted to download malware when a visitor accessed one of the compromised sites.  In many cases these attacks took advantage of SQL injection vulnerabilities to insert the hidden iframe.  They also tended to host their malware on port 8080 rather than the standard port 80.  Given the fact that the server vwui.in was first listed as a malicious site back in 2009, that the malicious site uses port 8080, and the fact that it no longer has any associated DNS records, it is quite possible that the Home Depot page was originally compromised as part of this massive attack in 2009 and only now has been discovered.  While the iframe in the Home Depot website is not currently a threat, the vulnerability that allowed it to be inserted into the page may still be present which could lead to a future compromise of this site.  I attempted to contact Home Depot to inform them of this issue, but as of this writing I have not received a response.
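The two posts above describe the same pattern from the defender's side: a page that silently pulls content from a host it should not be talking to, whether a hidden iframe on a non-standard port or a script tag loading js.php from a third party.  The following checker is an added example written for this article and is not code from the original posts or from any of the sites mentioned; the sample page, the hosts bad.example and redirector.example, and the page host www.example.com are all constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page (not any real site): one legitimate iframe,
# one injected 0x0 iframe pointing at an external host on port 8080,
# and one script tag loading code from another external host.
SAMPLE_PAGE = """<html><body>
<h1>Stair parts gallery</h1>
<iframe src="/stairparts/widget.html" width="600" height="400"></iframe>
<iframe src="http://bad.example:8080/" width=0 height=0 style="display:none"></iframe>
<script src="http://redirector.example/js.php"></script>
</body></html>
"""


class TagCollector(HTMLParser):
    """Collect the attributes of every <iframe> and <script> start tag."""

    def __init__(self):
        super().__init__()
        self.tags = []  # list of (tag name, {attr: value})

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script"):
            self.tags.append((tag, {k.lower(): (v or "") for k, v in attrs}))


def _px(value):
    """Return the integer pixel value of '0', '0px', '600' etc., else None."""
    m = re.match(r"\s*(\d+)\s*(px)?\s*$", value or "")
    return int(m.group(1)) if m else None


def is_hidden(attrs):
    """True if the element is sized away or hidden via attributes or inline CSS."""
    style = attrs.get("style", "").lower().replace(" ", "")
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        px = _px(attrs.get(dim))
        m = re.search(dim + r":(\d+)(px)?(;|$)", style)
        if m:
            px = int(m.group(1))  # inline CSS wins over the attribute
        if px is not None and px <= 1:
            return True
    return False


def find_suspicious_embeds(html, page_host):
    """Return findings for iframes/scripts that are hidden, off-site, or on odd ports."""
    collector = TagCollector()
    collector.feed(html)
    findings = []
    for tag, attrs in collector.tags:
        src = attrs.get("src", "")
        if not src:
            continue  # inline script or src-less iframe: nothing remote is fetched
        parts = urlsplit(src)
        host = parts.hostname or page_host  # a relative URL stays on our own host
        reasons = []
        if tag == "iframe" and is_hidden(attrs):
            reasons.append("hidden iframe")
        if host != page_host:
            reasons.append("external host " + host)
        if parts.port not in (None, 80, 443):
            reasons.append("non-standard port %d" % parts.port)
        if reasons:
            findings.append({"tag": tag, "src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_embeds(SAMPLE_PAGE, "www.example.com"):
        print(f["tag"], f["src"], "->", ", ".join(f["reasons"]))
```

Run it over a saved copy of your own pages after a deployment or on a schedule; a new finding that nobody added on purpose is the signal the Home Depot page above would have given.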

If you have used the web for any length of time at all, it is quite likely that you have seen a pop-up box similar to the one above on your computer when visiting a web site.  In the security industry this type of malware is frequently referred to as scareware or rogue anti-virus.  When confronted with this message, many people will unsuspectingly click the “OK” button which will usually install some type of malware that claims your machine is infected with a virus.  It then offers to remove the virus if you purchase a product.  The problem is, not only is this not going to protect your machine, but will likely lead to further system compromise and possibly the loss of personally identifiable information or credit card data.

A client of mine recently called to inform me that his system had been infected with malware after clicking the “OK” button on the above pop-up box.  After removing the malware from his machine, I decided to dig further into this scareware campaign.  The client reported that he performed a search for “tatiana banx” and one of the top 10 results took him to this site.

I started my analysis by performing the same search as my client.  The results of my search are shown below.  Notice the 10th result which I have highlighted with a red arrow.

The URL is hxxp://collin-county-real-estate.rmdfw.com/gsfyn/yuxfm.php?gu=500242.  Also notice all the keywords listed for “tatiana”.  This one caught my attention and sure enough, clicking on this link will take you to a rogue AV site.  Moreover, your browser will become unusable except to click the “OK” button.  In fact, clicking on any part of the pop-up box results in infection, indicating that the pop-up itself is part of this attack as well.  The only way to prevent infection after clicking on the link in the search result is to kill the browser process.

So, the first part of this scareware campaign is the use of SEO poisoning to generate high search results for the term “tatiana banx” among others.  This is a common technique used by scammers to increase traffic to their sites and to increase infection rates.  But how did they do this?  I began by investigating the collin-county-real-estate.rmdfw.com site.  This site is the Dallas-Fort Worth Re/Max Realtor web site.  The A record for this server is 216.177.141.4 with a PTR of web17.websitesource.net.  Thus, it appears that this site is hosted at WebSiteSource with a location somewhere in Kansas if the geoIP information is accurate.   Next I examined the web server itself and found that directory listing was enabled which led to a treasure trove of interesting information.

This is only a partial list of over 330 files on this server that appear to be part of an SEO poisoning campaign.  Examination of these files indicates that this server is being used to manipulate search results for many, many different search terms.  For example, the search I performed for “tatiana banx” brought the result hxxp://collin-county-real-estate.rmdfw.com/gsfyn/yuxfm.php?gu=500242.  A partial listing of the contents of the file 500242 is listed below:

collin-county-real-estate.rmdfw.com

tatiana milovani
shte eet glawa ivanova tatiana che
eest ivanova tatiana dean electrical
tatiana narvaez
life info on tatiana golovin
tatiana isotov
mary tatiana krot
tatiana fistrovic and us visa
tatiana gregorieva
tatiana keeshan
tatiana petit
tatiana scam
tatiana startseva parkville
chris tatiana
tatiana free pics
tatiana nikolaevna tumanova
tatiana ali in king mag
tatiana jones
tatiana petersen
find tatiana schwappach
tatiana alverez

Other files on this server show similar content for different search terms.  It appears that this server is being used as part of an SEO poisoning campaign, likely without the knowledge of the web site’s owner.  Furthermore, assuming that the owners of the rmdfw.com domain are not purposely redirecting traffic to malware distribution sites, it is likely that this server has been compromised.

The next step in my analysis involves an examination of the method that the site uses for redirecting traffic from hxxp://collin-county-real-estate.rmdfw.com to another site that attempts to install malware on the visitor’s machine.  This turns out to be the most interesting part.  There is a PHP script (yuxfm.php) that redirects to various other sites that host the scareware campaign.  You will only be redirected if you click on the URL from a search result, indicating that the referer is being used to determine how traffic will be handled.  Using a proxy to capture all of the communication between my system and the servers involved, I was able to reconstruct the sequence of events.  After performing a search and clicking on the URL hxxp://collin-county-real-estate.rmdfw.com/gsfyn/yuxfm.php?gu=500242 which was the 10th result presented, the server responds with a 302 redirect to one of several different URLs.  Below is the original request:

GET http://collin-county-real-estate.rmdfw.com/gsyfn/yuxfm.php?gu=500242 HTTP/1.1
Host: collin-county-real-estate.rmdfw.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 GTB7.1 (.NET CLR 3.5.30729) Paros/3.2.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=&q=tatiana+banx&sourceid=navclient-ff&rlz=1B3GGGL_enUS340US341&ie=UTF-8
Cookie: Hello-friend=4

And the response:

HTTP/1.1 302 Found
Date: Tue, 27 Jul 2010 02:37:50 GMT
Server: Apache
Set-Cookie: Hello-friend=5
Location: hxxp://zeoro1.strangled.net/3/?c=947
Content-Type: text/html

In this case I was redirected to hxxp://zeoro1.strangled.net/3/?c=947.  This server then presents the scareware that attempts to trick the visitor into installing malware.  Notice the javascript that gets executed on the client.  No doubt this is the source of the malware.  The site also includes images that resemble actual Windows warning messages in order to increase the likelihood that the visitor will be fooled into accepting the malware:
[Screenshot of the scareware page: an “Online Protection” window showing “Initializing Virus Protection System…”]
The redirected URL changes frequently in an attempt to make detection and investigation more difficult.  In fact, since I started my analysis a week ago, the  collin-county-real-estate.rmdfw.com URL no longer shows up when searching for “tatiana banx” and no longer appears to be used in this malware campaign.  However, other top 10 search results for “tatiana banx” result in the same scareware tactics.  For example, today hxxp://tmsoftwaresolutions.co.uk/linmx/plol.php?gi=438195 shows up as the number 6 result.  It is also important to keep in mind that this type of attack is not confined to only searches for “tatiana banx”.  It is clear that whoever is behind this attack is targeting many different search terms and thus all search results should be viewed with care.  Also, it appears that there are many compromised servers that are part of this campaign leading to the conclusion that this is not an isolated case.

To summarize, this scareware campaign makes use of a variety of techniques in order to spread its malware.  First, it uses compromised hosts to manipulate search results and drive traffic to its servers, a technique called SEO poisoning.  When a visitor clicks on one of these bogus search results, they are then redirected to the malware delivery host which serves up content designed to make the visitor think their machine is infected with a virus.  If the visitor clicks on the pop-up box to try and “remove” the virus, they will actually be installing malware on their machine.  This malware pretends to be an anti-virus program, but in fact is malicious software.  In the near future I will be conducting further analysis on the hosts involved, how they may have been compromised and used as part of this malware distribution campaign, and the nature of the malware itself.
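The request and response captured above show the tell-tale shape of this campaign: a search-engine Referer, a 302 to a different host, and a visit-counter cookie that the server bumps on each hop.  The classifier below, an added example written for this article rather than code from the original post, takes a raw request/response pair from a proxy capture and flags that combination; the hosts compromised.example and landing.example, the search term, and the list of search-engine hostnames are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Hostname fragments treated as search engines when seen in a Referer (assumption).
SEARCH_ENGINE_HOSTS = ("google.", "bing.", "yahoo.", "ask.")

# Constructed capture modelled on the exchange in the post (hosts are placeholders).
SAMPLE_REQUEST = """GET http://compromised.example/gsfyn/yuxfm.php?gu=500242 HTTP/1.1
Host: compromised.example
User-Agent: Mozilla/5.0 (constructed sample)
Referer: http://www.google.com/search?hl=&q=example+search+term&ie=UTF-8
Cookie: Hello-friend=4
"""
SAMPLE_RESPONSE = """HTTP/1.1 302 Found
Server: Apache
Set-Cookie: Hello-friend=5
Location: http://landing.example/3/?c=947
Content-Type: text/html
"""
# The same page visited directly (no search Referer) answers with content, not a redirect.
SAMPLE_DIRECT_REQUEST = """GET http://compromised.example/gsfyn/yuxfm.php?gu=500242 HTTP/1.1
Host: compromised.example
User-Agent: Mozilla/5.0 (constructed sample)
"""
SAMPLE_DIRECT_RESPONSE = """HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
"""


def parse_http_message(raw):
    """Split a raw HTTP request or response into (start line, {header: value})."""
    lines = raw.strip("\n").splitlines()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].strip(), headers


def search_term_from_referer(referer):
    """Return the query term if the Referer is a search results page, else None."""
    parts = urlsplit(referer)
    host = parts.hostname or ""
    if not any(token in host for token in SEARCH_ENGINE_HOSTS):
        return None
    return parse_qs(parts.query).get("q", [None])[0]


def cookie_value(cookie_header, name):
    """Return the value of cookie `name` from a Cookie request header, else None."""
    for part in cookie_header.split(";"):
        k, _, v = part.strip().partition("=")
        if k == name:
            return v.strip()
    return None


def classify_exchange(request_raw, response_raw):
    """Flag a referer-conditional, off-site redirect like the one in the post."""
    req_line, req_h = parse_http_message(request_raw)
    _method, target, _version = req_line.split(None, 2)
    status_line, resp_h = parse_http_message(response_raw)
    status = int(status_line.split()[1])
    origin_host = req_h.get("host") or urlsplit(target).hostname
    result = {"status": status, "search_term": None,
              "redirect_host": None, "reasons": [], "suspicious": False}
    result["search_term"] = search_term_from_referer(req_h.get("referer", ""))

    if 300 <= status < 400 and "location" in resp_h:
        dest = urlsplit(resp_h["location"]).hostname
        result["redirect_host"] = dest
        if dest and dest != origin_host:
            result["reasons"].append("off-site redirect to " + dest)
            if result["search_term"] is not None:
                result["reasons"].append(
                    "redirect served to search traffic for %r" % result["search_term"])
                result["suspicious"] = True  # SEO poisoning pattern: cloak on referer

    # The server in the post tracked hops with a counter cookie (4 -> 5).
    if "set-cookie" in resp_h:
        name, _, new = resp_h["set-cookie"].split(";")[0].partition("=")
        name, new = name.strip(), new.strip()
        old = cookie_value(req_h.get("cookie", ""), name)
        if old and old.isdigit() and new.isdigit() and int(new) == int(old) + 1:
            result["reasons"].append("visit counter cookie %s incremented" % name)
    return result


if __name__ == "__main__":
    print(classify_exchange(SAMPLE_REQUEST, SAMPLE_RESPONSE))
    print(classify_exchange(SAMPLE_DIRECT_REQUEST, SAMPLE_DIRECT_RESPONSE))
```

Comparing the two runs is the point: the same URL answered one way to a search visitor and another way to a direct visitor is what a crawler or a site owner checking their own server would never see unless they send the Referer themselves.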



Recently with aggravated identity theft and threatening the vice president after allegedly tapping into a neighbor’s wireless network and sending threatening email messages to US Vice President Joe Biden.   With a long history of having disputes with neighbors, he also allegedly stole personal information, sent offensive email messages, and emailed indecent photographs to his neighbor’s co-workers from an email account set up to appear as if the messages were coming from the neighbor.

While this may be an extreme case, this situation does show why it is so important for home users to take the time to secure their wifi networks using WPA/WPA2 encryption.  There are no systematic studies of security on home wifi networks that I am aware of, but have found that upwards of 65% of wireless networks tested are open.  Given how easy it is to configure encryption on wifi networks, there is no reason not to do it.  This is especially true if you live in a high population density area such as an apartment complex where easily dozens of other people could piggy back on an open wireless network.  Someone could use an open network to send spam, launch attacks against you or others, gather your personal data, or commit other illegal acts such as downloading pirated software or illegal copies of music.

Bruce Schneier, a well known information security researcher, has .  He cites the following reasons for not securing his network:

  • Providing internet access to guests is kind of like providing heat and electricity, or a hot cup of tea.
  • Any potential spammer is far more likely to sit in a warm room with a cup of coffee at a coffee shop than in a cold car outside a house.
  • If you configure your computer to be secure regardless of the network it’s on, then it simply doesn’t matter.
  • Sharing Internet access is a polite thing to do and he likes to return the favor as he often uses open wifi networks when traveling.

While some of these arguments are legitimate, it still seems to me that from a risk analysis standpoint, it makes more sense to secure a wireless network than not, especially if you live in a densely populated area.  It only takes a couple of minutes to turn on WPA or WPA2 encryption, so there is very little cost to doing so.  But the benefits of enabling this security are quite high.  It significantly raises the amount of work a would-be attacker or scammer would have to undertake to abuse your wifi network.  In all likelihood, unless you were specifically being targeted, he would simply move on to a more easily accessible network.  So use the built-in security provided by wifi access points.  It is easy to configure and can help prevent you from being woken up in the middle of the night by the FBI.

It was about noon today when the first reports started coming in.  Several people reported seeing a message on their screen from McAfee VirusScan indicating that their machine was infected with a virus.  Then, their machines shut down.  As I was looking over the shoulder of one of my SAs, I saw the same thing happen to his machine.  VirusScan claimed to have detected the W32/wecorl.a virus showing a message similar to this:

The file C:\WINDOWS\system32\svchost.exe contains the W32/Wecorl.a Virus.
Undetermined clean error, OAS denied access and continued.
Detected using Scan engine version 5400.1158 DAT version 5958.0000.

My first reaction was that we were suffering a worm outbreak.  However, after a couple of minutes it became clear that this was not malware, but badware.  The 5958 DAT released by McAfee today incorrectly detected the svchost.exe file on Windows systems as a virus and then proceeded to delete/quarantine it.  We took several actions immediately:

  • We added an exclusion for the svchost.exe file and pushed it out to all PCs
  • We deleted the 5958 DAT from the ePO software repository
  • We stopped the automated download of DAT files from McAfee
  • We disabled the automatic push of DAT files to client machines

The svchost.exe file is very important for the proper operation of Windows and PCs cannot function properly without it.  Luckily, we only had a handful of systems that were impacted before we could prevent further damage.  Repairing the problem required physically visiting each system with a USB thumb drive to replace the deleted file.  Being a small company, this was not a huge issue for us.  However, large enterprises have been severely impacted with losses mounting as IT staff physically go to each machine to undo the damage.

McAfee VirusScan is one of the most widely used anti-virus products in the world.  This is not because it is particularly good at malware detection and removal, but because of its superior management tools.  I have used McAfee products for many years and can attest that this is not the first time McAfee has had such an incident.  In fact, just a few months ago we had to update the code on our web sites because McAfee VirusScan falsely alerted our visitors that we had malware on our site.  Below is a list of links documenting recent instances of false positive detections from McAfee:

This list only covers the last couple of years and only the major false positives that caused enough problems to be reported.  I for one am getting tired of dealing with these incidents.  I expect more from a major security vendor such as McAfee.  Given the number of issues they have had over the years, it is clear that they need to improve their QA processes.  Right now I am more concerned about the next update from McAfee than I am about a malware infection.  And that is not a good thing for McAfee as I will definitely be evaluating other vendors when it comes time to renew our subscription.

Copyright © 2011 InfoSecStuff.com — All Rights Reserved