Le blog sécurité de Philippe Vialle / Phil Vialle's blog

Je vais rédiger cet article en Français, vu que le message et la cible sont francophones... :)

J'ai reçu un message, et j'avoue que moi le premier j'ai failli me faire prendre. Heureusement, je me suis souvenu que j'avais résilié il y a quelques mois déjà mon abonnement Orange (France Telecom). Il s'agit d'un message indiquant que ma soit-disant banque a refusé un prélèvement automatique pour France Telecom.

Le texte est plutôt bien fait, mais il manque les caractères spéciaux (surtout les accents) :

Mozilla Shredder bloque le "contenu distant" des messages. Il propose à l'utilisateur de toujours valider le téléchargement de ce contenu, selon l'adresse email indiquée en émetteur. Il s'agit ici de : 

service@Securecode.eu

Ce qui est certainement assez tentant pour un utilisateur lambda.

La vraie adresse d'expédition du courriel est pourtant : envelope-from <root@s15385563.onlinehome-server.info>

Donc là-dessus, Thunderbird (Shredder) induit l'utilisateur en erreur. Il ne prend pas le bon champ dans le courriel indésirable, et du coup, affiche une adresse "choisie" par les auteurs du message, pour induire les utilisateurs en erreur.

Au niveau du filtrage du courriel (qui aurait dû avoir lieu) :

- filtrage Orange : inefficient

- filtrage SpamAssassin : inefficient

- filtrage Razor, DCC, XBL : inefficient 

- filtrage par Thunderbird (Bayésien principalement) : inefficient.

Concernant la machine émettrice du message : s15385563.onlinehome-server.info   un joli message nous accueille quand on accède à la page.

Pour le FQDN de l'émetteur du message, voici ce que donnent quelques tests :

- Netcraft : à peine un peu de rouge dans la barre d'outil

- trustedsource.org : risque minimum, catégorie "internet services"

- senderbase.org : aucune alerte pour l'URL. Bonne réputation pour l'adresse IP ! (87.106.216.161)

- dnsbl.info : aucun listage de l'adresse IP

- robtex.com : la zone onlinehome-server.info a 2 signalements : postmaster.rfc-ignorant.org et abuse.rfc-ignorant.org

J'apprends grâce à Trustedsource que les serveurs de nom sont chez 1and1(donc le domaine malveillant aussi). Tiens donc, une vieille connaissance pour ceux qui épluchent le web pour ce qui est VX.

Grâce à domaincrawler.com, j'apprends (ou confirme) que l'adresse IP est allemande.

Dans le code source du message, il y a un lien vers une image : 

 http://hocusadabra.com/upload/userfiles/VerifiedMasterVisa.jpg 

C'est une "vraie" image de Mastercard SecureCode , toujours pour induire l'utilisateur en erreur.

Si l'on clique sur le lien inclus dans le courriel, voici la vraie URL qui s'affiche dans le navigateur :

http://cinedis. famfmalaga.org/tmp/login-vbv/logine745514566/

On notera les belles fautes de frappe : "Veuillez Remplire l'au dessous de la forme", qui pourraient peut être alerter un utilisateur soucieux de parler en bon français...

Au niveau des navigateurs :

- Opera : aucune alerte

- Internet Explorer 8 : aucune alerte

- Chrome : aucune alerte

- Firefox 64 (Namoroka) : aucune alerte

- Netcraft : aucune alerte

- Safari : aucune alerte

Donc en résumé... aucune alerte !

Ce que je trouve également intéressant, c'est le code source de cette page : entièrement obfusqué.

D'autre part, en remplissant le formulaire et en cliquant sur "Valider", les sessions HTTP révèlent que la machine distante, plus que probablement compromise, tourne avec :

Server Apache/2.2.3 (CentOS)

X-Powered-By PHP/5.1.6

On appréciera la mention "service vérifié par Visa"..

Je parierais que les failles PHP (non corrigées dans cette vieille version) ont pu faciliter l'intrusion sur le serveur.

Quite surprisingly, I was not even thinking about writing an article when I set up my Thunderbird for a MS Live mail account. 

One day, without any notice, I had the following warning:

Because I use a 64 bits version (Shredder), there is no locale version of if, ie. in French. So I wonder what a lambda user is supposed to understand about this warning...

Let's have a look at the certificate by itself:

It appears that the POP3 Server of MS Live Mail tries to present a certificate for pophm.sympatico.ca. Where, yes, it seems to be a problem there... and Shredder is right warning me about it.

Once again, how a lambda user is supposed to handle that? How could he or she make the difference between that case (which could certainly be accepted as an exception), and a real fraud/phishing attempt?

 And the most surprising part could be that MS Live Mail client does not prompt any warning while retrieving the same MS Live Mail account... does it hide a security weakness?

Well that was not expected once again to find such an issue...

Here is the configuration I'm gonna talk about :

- Win 7 Ultimate

- full patched

- Google Chrome 5.0.375.125

I let this laptop running when I went to bed. During the night, the last Windows updates have been installed, as I set it up. At the end, the WUAUSERV launches a restart procedure, with a warning before doing it.

The thing is, I was not there to delay the reboot, so it happened.

I had Google Chrome (and other applications) opened, with several tabs. Google Chrome is supposed to show a panel when it's being launched after a crash.

But this time, nothing. The history was not even working. And above all: I could not access google.com anymore (quite funny, isn't it...), whereas my other browsers Opera and FF were working like a charm.

Solution?

Close any chrome.exe instance, including (but not only) GMail app! (yeah, don't forget this one).

Restart Chrome,  then GMail.

Now, it works, Google.com access and history.

This story to remind people that web apps run on top of a browser.  

If the browser encounters a problem, all the (instances) web apps should be closed to fix it entirely. And last, be careful with automatic reboot after system update: check that your apps/docs do resist a forced close for reboot...

I had recently to deal with a compromised computer. It was though supposed to be protected by a up to date antivirus with real policies.

The file has been detected using Spybot S&D: ZBot. It's been a long time ago since I did not find a malware which is not a spyware/adware/rogue AV, with Spybot. Anyway...

The computer was also protected by Clam for Windows, the 'in the cloud' version of Clam AV. See: http://www.clamav.net/lang/en/about/win32/ But it did not detect anything however.

Since I like to contribute to OpenSource projects, I thought of submitting this sample that Clam was not supposed to detect. Then I was astonished to see that the online form to submit samples to Clam was complaining the sample was 'already detected' and that I should check my own Clam updates...!

Here is the screenshot:

What's going on with Clam In The Cloud? is it less efficient than the regular ClamAV?  I still do not have any answer...

By the way, I was kindda disappointed to see at first that McAfee was not planning to publish an extrat.dat:

Fortunately, they did publish an extra.dat later on. Why did the WebImmune portal say 'inconclusive' and 'no Extra', so?

To finish about Clam, I'm gonna try to check if there are real differences between the regular ClamAV version and the 'Clam in the cloud, for Windows'.

First, let's see what VT says about the sample:

So, VT already scanned the sample on the 23rd... the day I submitted the sample to McAfee.

And the detections summary array confirms that Clam was supposed to detect the sample:

Let me remind you that, as other people like T. Zoller said, VT uses command line versions of AV engines. I know quite well ClamAV, and yes, it is the command line version that is available by default on Linux!

Thus, ClamScan most probably detected the sample, but not the Clam 'in the cloud' version... wheras the 'in the cloud' technology was said to offer better protection in real time... (I even tried to move the sample on the HDD to see if Clam in the could would detect it, but nothing happened).

According to that example, I would say that the 'in the cloud' version may offer better protection in real time, but can also miss samples that the regular version of Clam would just detect...

Just for once (again?), I'm gonna deal with linux / Unix system administration., and in particular, migration.

This may be related to scurity, as you may say that integrity does concern system configuration, when it's about renewing a server or transfering a whole system configuration from a machine to another.

First of all, let's say that you have an old server, and you want to migrate it to a new one, with new hardware. If you create an image of the whole system and restores it on the new server, it may just not work because of hardware differences and/or special configuration elements.

To insure a transfert with integroty check, I'll suggest you to use RSync. Here is what could the command line look like:

rsync -avchz --bwlimit=150 --stats /etc remote_host:/sync_etc

The way of synchronizing is source - > destination (last argument).

The bwlimit limits the bandwidth, so that you would not pay extra money for this (huge) transfer, depending on your hosting contract.

The folders that you would at least need to synchronize between the two servers are:

- /etc

- /var

Special thanks: Roro, Duckx, Fredy, and Lucky ;)  the guys who helped me meeting Linux ;)