Our friends at Websense have recorded what happens when a workstation visits an infected site exploiting the current VML issue. They did a similar video when the WMF zero-day was released and their workstation was instantly flooded with Spyware applications and pop-ups galore. It was an impressive sight and obvious that they had just visited an infected site.
From the site:
So, we fired up our trusty video capture tools and pointed a VMWare workstation at a random site where our miners had recently discovered an iframe containing a VML exploit.
But…what’s this? Nothing happened, or so it seemed.
We were hoping to capture another onslaught of Spyware, but this malware author had something else in mind. Digging a little further, we discovered that this exploit is being used to install a new variant of a keylogger called Goldun. The attacker doesn’t want you to be suspicious, so they have made certain that the infection process is as unobtrusive as possible. You are given no indication that there was anything wrong with the website you just visited.
After we visit the infected site, we log into a PayPal account to show you an example of the information that can be stolen. This keylogger operates by indiscriminately capturing the entire contents of EVERY web form on any page — all data entered into your financial, webmail, and Intranet sites can be captured. We added some commentary to the end of the video to provide a brief explanation of what happens behind the scenes.
Breach Security, Inc. today announced the acquisition of Thinking Stone Ltd., the leading provider of services and enhancements for the ModSecurity web application firewall.
ModSecurity is the most widely deployed web application firewall in the world with more than 10,000 deployments. It began as an open source project written by Ivan Ristic, a world-recognized authority in Apache Security, who will join Breach Security as a Senior Executive.
As the Chief Evangelist of the combined companies, Ristic will focus on extending Breach Security’s security application solutions and the continuous improvement of the ModSecurity open source offerings.
Ivan has the following to say in his blog announcement:
So much good is going to come out of this:
- I am going to continue to work on ModSecurity, now able to spend more time on the technical aspects of the project.
- There is going to be another developer assigned to work full time on ModSecurity.
- Yet another full time position will be created to expand the documentation and interact with the community.
Breach Security are going to bring their web application security expertise to the table. While I expect for their entire organisation to become involved with the ModSecurity community in one form or another, there are also going to be several immediate benefits:
- ModSecurity Console, limited to supporting three remote sensors, is going to be made free for a limited time.
- Breach Security are going to design a core ModSecurity rule set and make it a part of the official distribution.
So not only is ModSecurity for Apache going to remain an open source product, but a large amount of resources is going to be invested into it to make sure the community is supported and the development accelerates.
Please excuse the spelling but this is a direct quote from the blog.
According to an article posted in the September issue of Network Computing by Andrew Conry-Murray, the peak time for Skype usage in the United States is around noon CST. Unfortunately, there’s no way to tell the difference between business usage and chit-chat.
To quote the article:
Skype users are most active during work hours, according to a new study from Cornell University. Peak time in the United States is noon CST. Unfortunately, the researchers didn’t differentiate between chit chat and business usage. That’s a shame, because while commercial VoIP and IM products are useful for communicating with customers and co-workers, they’re also fraught with productivity and compliance problems. Skype, which encrypts voice and data packets, makes it easy to sneak sensitive information out of the enterprise.
The company that my wife works for uses Skype for inter-business communications on a daily basis. In fact, they probably couldn’t operate without it, as they have multiple geographic locations and those phone bills could add up.
In my experience, however, there is no good way to block Skype traffic at the perimeter of your enterprise since it runs over ports 80 and 443. From the ‘Guides: Skype and Firewalls’ section of the Skype Help Section:
There are four options for Skype to work:
- Ideally, outgoing TCP connections to all ports (1..65535) should be opened. This option results in Skype working most reliably. This is only necessary for your Skype to be able to connect to the Skype network and will not make your network any less secure.
- If the above is not possible, open up outgoing TCP connections to port 443. This will only work if you are using Skype version 0.97 or later.
- If the above is not possible, open up outgoing TCP connections to port 80. Some firewalls restrict traffic to port 80 to HTTP protocol, and in this case Skype can not use it since Skype does not use HTTP. In some firewalls it is possible to open up all traffic to port 80, not just HTTP, and in this case Skype will work.
- If the above is not possible, Skype versions 0.97 or later can use a HTTPS/SSL proxy. In order to do that, you have to configure the proxy address in Internet Explorer options. Then Skype will be able to use it as well.
This makes blocking outbound Skype traffic very difficult using just a firewall unless you want to either:
None of these appear to be an easy and desirable solution to this problem. Perhaps you’re thinking, “Why not use an IPS to detect the traffic and disallow it?”
That would be ideal! Unfortunately the only product I have found, so far, that is able to match the signature of Skype traffic is TippingPoint IPS and they don’t appear eager to share their signature methods.
If anyone happens to have any ideas how to identify Skype traffic I would love to hear it.