Spam and All Things Salty: Spambot v2013


Jessa dela Torre (Forward-Looking Threat Research Team) and Sabrina Lei Sioting (Threat Cleanup and Analysis Team)
Trend Micro, Inc., Philippines

Abstract. This paper discusses our research on a threat that involves massive attacks on WordPress, Joomla! and Drupal sites, whose operators are testing the waters with a new spamming cycle. The routine involves different forms of web threats working independently of each other, and it has posed a challenge for e-mail authentication. We look into (1) the compromised website, (2) the compromised machine, (3) the command-and-control server, (4) the payloads and/or affiliates involved, (5) the telemetry of the data we collected, and (6) how we emulated the threat to milk the server.

1 Introduction

In a paper we previously released, we detailed the malware and spamming routines of Stealrat, a new botnet we have been monitoring. In this paper we look at the various Content Management Systems (CMS) used extensively by the botnet operators, as well as the other components of this operation that we have yet to discuss. For continuity, we also repeat some key points that we have already mentioned before.

Stealrat introduced a new spamming technique in which the communication between the spamming websites and the actual spam server is mediated by a compromised machine. This makes it difficult for spam filters to authenticate the e-mails, since they come from legitimate sites. While porn remains the primary theme of the spam e-mails they send, we have also seen a spike in e-mails that take excerpts from The Stainless Steel Rat science-fiction series, albeit with subjects that are still porn-related.

Fig. 1. E-mail samples

One of the ways Stealrat differs from other spam botnets is how the operators have set up their model: there are two compromised websites (one does the spamming, the other hosts the payload) and one compromised machine. The compromised machine (the end user's) connects to a server to collect spam data and sends it over to a compromised website, where the e-mail is constructed and sent to the recipient. The e-mail contains a link to the other compromised website.

Fig. 2. Stealrat model

In a nutshell, the binary component on the compromised machine connects to several URLs to gather the data needed to construct the spam e-mail:
  - Mail server (backup)
  - Sender name
  - Recipient's e-mail address
  - E-mail template (subject and body)
It then sends a POST request to a compromised website, where a PHP script builds the actual spam e-mail and sends it to the recipient. Detailed descriptions of the malware components (binary and PHP) are in the previous paper under the sections "Modules" and "PHP Scripts"; a summary of each component is given in Section 3 below.

2 Content Management Systems

During the course of our research, we found the compromised websites to be running Content Management Systems (CMS). Only a small fraction of the affected sites run Drupal; based on our data, Joomla! and WordPress account for 51% and 19% of the infections, respectively. These figures may vary from the actual statistics.

Fig. 3. CMS infection breakdown

While we have not determined most of the exploits and vulnerabilities used to gain access to the websites, we looked at these sites and at the plugins that are commonly compromised, and enumerated some of the popular and interesting ones. In some instances, we have also seen the exploits used to gain root privileges on web servers running Linux. One of them is the "Abacus" exploit, which affects a range of Linux kernel versions and involves a poisoned perf_swevent_enabled array reached through the perf_event_open system call (the out-of-bounds array access tracked as CVE-2013-2094, which lets a local user corrupt kernel memory and escalate to root).

Fig. 4. Sample Abacus exploit snippet and files

Once a web server is successfully exploited, the other websites hosted on it become accessible and vulnerable as well. Using the WSO web shell, the attackers can create, view, upload and execute files in all the hosted sites (see image).

Fig. 5. Other websites hosted on a web server

2.1 Joomla!

Joomla! is an open-source Content Management System written in PHP that can be modified or functionally extended using extensions. Officially, there are five different kinds of extensions:
  - Components
  - Plugins
  - Templates
  - Modules
  - Languages

In Joomla! sites, we found most of the malicious scripts inside the following component directories:
  - com_virtuemart
  - com_jce
  - com_weblinks

com_virtuemart
VirtueMart is an e-commerce component for Joomla!. It acts as a shopping cart, catalog and payment system for online merchandise. A normal installation contains the following files in the /components/com_virtuemart folder:
  - fetchscript.php
  - show_image_in_imgtag.php
  - virtuemart.php
  - virtuemart_parser.php

Fig. 6. Sample compromised com_virtuemart directory content

com_weblinks
Weblinks is Joomla!'s component for adding links to a web page. A normal installation contains the following files in the /components/com_weblinks folder:
  - controller.php
  - router.php
  - weblinks.php

Fig. 7. Sample of a compromised com_weblinks directory content

com_jce
Joomla Content Editor (JCE) is Joomla!'s component for editing pages, which includes styling and other WYSIWYG tools. A normal installation has the following files in the /components/com_jce folder:
  - jce.php
  - popup.php

Fig. 8. Sample of a compromised com_jce directory content

2.2 WordPress

Like Joomla!, WordPress is written in PHP and is a popular blogging tool as well as a Content Management System. In WordPress sites, we found most of the malicious scripts inside the directories of the following plugins:
  - tell-a-friend
  - akismet
  - tv1/tv1mod

Tell-a-friend
Tell-a-friend is a WordPress plugin that lets website visitors tell their friends about the site by clicking a button (see image) and sending an e-mail to their contacts. A normal installation has only the tell-a-friend PHP file in the /plugins/tell-a-friend folder, plus several image files.

Fig. 9. Sample of a compromised tell-a-friend directory content

Interestingly, in all of the compromised sites with the tell-a-friend plugin that we have seen, the tell-a-friend.php file had been modified: the WSO 2.5 web shell was appended to it.

Fig. 10. Modified tell-a-friend.php
Fig. 11. Original tell-a-friend.php

Akismet
Ironically, Akismet is a WordPress plugin for spam filtering, although only for the comments section. A normal installation has the following files in the /plugins/akismet folder:
  - admin.php
  - akismet.css
  - akismet.gif
  - akismet.js
  - akismet.php
  - widget.php

Fig. 12. Sample of a compromised Akismet directory content

TV1
The most intriguing plugin we have seen is TV1. According to the WordPress site, there is no plugin named TV1. In most of the sites we checked, aside from the malicious files, the /plugins/tv1 folder always contained the following PHP scripts:
  - class-wp-importer-cron.php
  - tumblr-importer.php
These scripts (see image below) are part of the tumblr-importer plugin, which imports a Tumblr blog into a WordPress blog.
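As an added example (it is not code from the paper or its authors), the check below audits a CMS document root against the normal-installation file lists given in Sections 2.1 and 2.2: it flags files whose name matches the Sm[number]e.php mailer pattern, files that a clean install does not contain, anything under the non-existent tv1/tv1mod plugin directories, and PHP files containing strings that commonly appear in WSO web-shell sources. The directory paths follow the paper's notation (plugins/ rather than wp-content/plugins/), the image extensions tolerated in tell-a-friend and the WSO marker strings are assumptions, and the directory tree it runs on is constructed in the script rather than taken from a real site.

```python
import os
import re
import tempfile

# Files a clean install holds in the directories discussed above. Paths are
# relative to the CMS document root, using the paper's notation ("plugins/";
# a real WordPress install keeps them under wp-content/plugins/).
CLEAN_MANIFEST = {
    "components/com_virtuemart": {"fetchscript.php", "show_image_in_imgtag.php",
                                  "virtuemart.php", "virtuemart_parser.php"},
    "components/com_weblinks": {"controller.php", "router.php", "weblinks.php"},
    "components/com_jce": {"jce.php", "popup.php"},
    "plugins/tell-a-friend": {"tell-a-friend.php"},   # plus images, see IMAGE_EXT
    "plugins/akismet": {"admin.php", "akismet.css", "akismet.gif", "akismet.js",
                        "akismet.php", "widget.php"},
}
IMAGE_EXT = {".gif", ".png", ".jpg", ".jpeg"}          # assumed image set for tell-a-friend
BOGUS_DIRS = ("plugins/tv1", "plugins/tv1mod")         # no such published plugins exist
# Strings commonly present in WSO 2.x web shell sources (assumed markers).
SHELL_MARKERS = re.compile(rb"wsoLogin|wsoSecParam|wsoHeader|\$auth_pass|eval\(base64_decode\(")
MAILER_NAME = re.compile(r"^sm\d+e\.php$", re.IGNORECASE)   # Sm[number]e.php


def shell_marker(path):
    """Return the first web-shell marker found in a file, or None."""
    with open(path, "rb") as f:
        m = SHELL_MARKERS.search(f.read())
    return m.group(0).decode() if m else None


def audit_cms_root(root):
    """Return (relative path, reason) findings for a CMS document root."""
    findings = []
    for rel_dir, expected in CLEAN_MANIFEST.items():
        full = os.path.join(root, rel_dir)
        if not os.path.isdir(full):
            continue
        for name in sorted(os.listdir(full)):
            path = os.path.join(full, name)
            if not os.path.isfile(path):
                continue
            rel = f"{rel_dir}/{name}"
            ext = os.path.splitext(name)[1].lower()
            if MAILER_NAME.match(name):
                findings.append((rel, "Stealrat mailer file name pattern"))
            elif name not in expected and not (rel_dir == "plugins/tell-a-friend" and ext in IMAGE_EXT):
                findings.append((rel, "file not in clean manifest"))
            if ext == ".php":
                marker = shell_marker(path)
                if marker:
                    findings.append((rel, f"web shell marker {marker!r}"))
    for rel_dir in BOGUS_DIRS:
        full = os.path.join(root, rel_dir)
        if os.path.isdir(full):
            for name in sorted(os.listdir(full)):
                findings.append((f"{rel_dir}/{name}", "file under non-existent plugin directory"))
    return findings


def build_sample_root():
    """Constructed sample tree (not real data) mirroring the infections described above."""
    root = tempfile.mkdtemp(prefix="cms-audit-")
    files = {
        "components/com_virtuemart/fetchscript.php": b"<?php // legitimate component file\n",
        "components/com_virtuemart/virtuemart.php": b"<?php // legitimate component file\n",
        "components/com_virtuemart/sm12e.php": b"<?php mail($to, $subject, $body);\n",
        "plugins/tell-a-friend/tell-a-friend.php":
            b"<?php /* plugin code */\n$auth_pass = \"\"; function wsoLogin() {}\n",
        "plugins/tell-a-friend/button.gif": b"GIF89a",
        "plugins/akismet/akismet.php": b"<?php // legitimate plugin file\n",
        "plugins/tv1/class-wp-importer-cron.php": b"<?php // tumblr-importer file in a bogus plugin\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(body)
    return root


if __name__ == "__main__":
    for rel, reason in audit_cms_root(build_sample_root()):
        print(f"{reason:45} {rel}")
```

Run against a real document root, the manifest check is the cheap part; the marker scan is deliberately narrow, so a clean manifest result should still be followed by a diff of each PHP file against the vendor's release, since the tell-a-friend case above shows the shell appended to a legitimate file rather than dropped beside it.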

Fig. 13. TV1 directory content

3 The Malware

Aside from exploiting CMS-run websites, another important aspect of Stealrat is the array of malware in its arsenal. While we have seen other components associated with this campaign, we only look at those directly involved in its spamming routine. This section briefly describes these components; a more detailed analysis of each is in our previous paper.

3.1 The Downloader (Mutator/Rodecap)

Rodecap, or Mutator (according to its PDB debug string), downloads the SmMgr component from a specified URL. What makes Mutator interesting is its method of connecting to the C&C server to get its download instructions. One of its variants connects to the mail servers of what seem to be innocently named sites (e.g. lyrics-db.org) and, after the connection has been established, sets the Host name in its HTTP header to google.com. Its initial check-in to the C&C follows the format below:

  protocol.php?p=[volume serial number]&d=[b64 encoded string]

3.2 The Collector (SmMgr/Symmi)

Symmi, or SmMgr (according to its PDB debug string), is the component that downloads the spam data (which includes the sender name, subject and body) and the list of e-mail addresses to send the spam to. It then encrypts this information and sends it to the compromised websites. One interesting aspect of SmMgr (at least in the versions we analyzed) is that for every successful or failed function, it sends a debug string via UDP to what we call the Testing or Debug server.
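The Mutator check-in described in Section 3.1 is detectable on the compromised machine's side of the network: the TCP connection goes to one site's address while the HTTP Host header names google.com. As an added example (not code from the paper), the script below triages proxy-style records on two independent signals, a Host header that does not resolve to the destination IP and a request URL with the protocol.php?p=...&d=... shape. The records and the resolver table are constructed here with TEST-NET addresses; the assumptions that the volume serial number is sent as up to eight hex digits and that d must be valid Base64 are ours.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Constructed resolver view: the IPs each Host name legitimately maps to
# (TEST-NET addresses, not real records). In production this comes from
# passive DNS or the proxy's own resolution of the name.
RESOLVED = {
    "www.google.com": {"198.51.100.20"},
    "lyrics-db.org": {"203.0.113.10"},
}
# Assumption: the Windows volume serial number is sent as up to 8 hex digits.
VOLUME_SERIAL = re.compile(r"^[0-9A-Fa-f]{1,8}$")


def host_mismatch(dst_ip, host):
    """True when the Host header does not resolve to the address connected to."""
    return dst_ip not in RESOLVED.get(host.lower(), set())


def looks_like_checkin(url):
    """True when the request has the protocol.php?p=<serial>&d=<base64> shape."""
    parts = urlsplit(url)
    if not parts.path.endswith("/protocol.php"):
        return False
    query = parse_qs(parts.query)
    serial = query.get("p", [""])[0]
    blob = query.get("d", [""])[0]
    if not VOLUME_SERIAL.match(serial) or not blob:
        return False
    try:
        base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def triage(records):
    """Map record index -> list of reasons, for records that trip at least one check.

    Each record is (destination IP, Host header, method, request URL)."""
    alerts = {}
    for i, (dst_ip, host, _method, url) in enumerate(records):
        reasons = []
        if host_mismatch(dst_ip, host):
            reasons.append("host header does not resolve to destination")
        if looks_like_checkin(url):
            reasons.append("mutator check-in URL pattern")
        if reasons:
            alerts[i] = reasons
    return alerts


# Constructed sample records, not captured traffic. Record 0 reproduces the
# behaviour described above: a connection to lyrics-db.org's address carrying
# Host: google.com and the check-in URL.
SAMPLE_RECORDS = [
    ("203.0.113.10", "google.com", "GET", "/protocol.php?p=7A1B3C5D&d=aGVsbG8gd29ybGQ="),
    ("198.51.100.20", "www.google.com", "GET", "/search?q=stealrat"),
    ("203.0.113.10", "lyrics-db.org", "GET", "/index.php"),
    ("198.51.100.7", "www.google.com", "POST", "/protocol.php?p=notaserial&d=%%%"),
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_RECORDS).items():
        print(idx, SAMPLE_RECORDS[idx][:2], "; ".join(reasons))
```

The Host mismatch alone is noisy on real networks (CDNs, virtual hosting, stale resolver data), which is why the two signals are kept separate: a record that trips both is the one worth pulling the full request for.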

Recently, we have also seen a Linux version of SmMgr (an ELF file). It checks for certain Linux environment variables and, if they are present, uses their values as parameters of the link it connects to. It connects to a URL (the spam server) that serves the e-mail addresses the spam is sent to; the URL has the same format as its Windows counterpart's. It also possibly connects to other URLs from which the configuration, spam mail data, format and compromised page are given. It sends the spam mail, Base64-encoded, to a compromised page via a POST request. If all parameters in the POST request are correct, the site replies with the string OKe807f1fcf82d132f9bb018ca6738a19f+0. It is then up to the compromised page to send the spam mail.

3.3 The Spammer (PHP script)

Downloaded as Sm[number]e.php, this PHP script receives the spam template from SmMgr and constructs the spam e-mail that is sent to the recipients. By default, the script uses the compromised site's mail server, but a backup server is included in the spam data, typically Google (Gmail). The script comes under multiple, different file names, and the number of scripts usually varies from site to site.

4 Command and Control

Over time, the operators have moved the C&C to several domains scattered across several IP addresses. They seem to use a single domain structure and simply copy the entire thing when moving to different domains (see image; the current domains are circled in red).

Fig. 14. Domains and IPs associated with Stealrat

Communication with the C&C varies among the components and is done via TCP or UDP. Though encryption is implemented, the various methods are simple and not overly complicated. A detailed description of each method is in the "Malware and Network Communication" section of the previous paper.

5 Payloads and Affiliations

The links embedded in the e-mails point to compromised sites injected with several HTML pages that are frequently updated. These pages range from pornography to online pharmacies.

5.1 Porn

Pornography is still the main theme of Stealrat's payload.

Fig. 15. Sample payload page

Once the page loads, it redirects to another compromised web page that has been planted with pornographic links and images.

Fig. 16. Sample compromised web page injected with porn

5.2 Online Pharmacy

Another common landing page is an online pharmacy site, particularly doctorpied.com (previous sites were doctorpot.com and doctoregpg.com).

Fig. 17. Online pharmacy site

Interestingly, doctorpied.com is registered with an e-mail address that also registered several other online pharmacy sites we have attributed to a certain actor. While we have not yet determined their exact relationship, we are not discounting the possibility that the same actor is involved here.

Fig. 18. Pharma domains and IPs associated with the same registrant e-mail address

6 Telemetry

We have been monitoring this botnet intermittently since mid-April 2013, and so far we have recorded about 215,000 websites that have, at one point or another, been compromised. Some of these websites had not disabled directory listing, so we were able to view their files and contents. Using the access logs and data available from 3 random sites, we compiled and averaged some of the information we know about this threat. Although 3 out of 215,000 may not be a good representation of the entire operation, we hope at least to get a glimpse of it and to estimate its size.

Fig. 19. Geographic distribution of the IP addresses that connected to the 3 compromised websites
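Because the mailer scripts are driven by POST requests from the infected end-user machines, the per-day figures in Table 1 can be reproduced from a compromised site's own web server access log. The script below is an added example, not the authors' tooling: it parses Apache combined-format lines, keeps POSTs to files named Sm[number]e.php, and aggregates per day the number of distinct mailer scripts hit, the number of POSTs (one per spam e-mail handed to the site) and the number of unique client IPs. The log lines are constructed for the example with TEST-NET addresses; the 36-byte response size in them is the length of the OK...+0 acknowledgment string described in Section 3.2.

```python
import re
from collections import defaultdict

# Apache/nginx combined log format: ip ident user [time] "req" status size "ref" "ua"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# The spammer PHP component was dropped as Sm[number]e.php.
MAILER_PATH = re.compile(r"/sm\d+e\.php$", re.IGNORECASE)


def parse_line(line):
    """Return the fields of a combined-format log line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def mailer_activity(lines):
    """Per-day counts of distinct mailer scripts, POSTs and unique client IPs."""
    per_day = defaultdict(lambda: {"scripts": set(), "posts": 0, "ips": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        path = rec["target"].split("?", 1)[0]
        if not MAILER_PATH.search(path):
            continue
        day = rec["ts"].split(":", 1)[0]          # "21/Sep/2013"
        bucket = per_day[day]
        bucket["scripts"].add(path)
        bucket["posts"] += 1
        bucket["ips"].add(rec["ip"])
    return {
        day: {"scripts": len(b["scripts"]), "posts": b["posts"], "unique_ips": len(b["ips"])}
        for day, b in per_day.items()
    }


# Constructed sample log (TEST-NET addresses), not a real site's access log.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [21/Sep/2013:10:01:02 +0000] "POST /components/com_virtuemart/sm3e.php HTTP/1.1" 200 36 "-" "Mozilla/4.0"
203.0.113.5 - - [21/Sep/2013:10:01:12 +0000] "POST /components/com_virtuemart/sm3e.php HTTP/1.1" 200 36 "-" "Mozilla/4.0"
198.51.100.9 - - [21/Sep/2013:10:02:40 +0000] "POST /plugins/akismet/sm7e.php HTTP/1.1" 200 36 "-" "Mozilla/4.0"
192.0.2.44 - - [21/Sep/2013:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [21/Sep/2013:10:03:05 +0000] "GET /plugins/akismet/sm7e.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.9 - - [22/Sep/2013:00:10:00 +0000] "POST /plugins/akismet/sm7e.php HTTP/1.1" 200 36 "-" "Mozilla/4.0"
"""

if __name__ == "__main__":
    for day, stats in sorted(mailer_activity(SAMPLE_ACCESS_LOG.splitlines()).items()):
        print(day, stats)
```

The GET hit on sm7e.php is deliberately not counted: only POSTs carry spam data, so the per-day POST count is the closer proxy for e-mails sent, while the unique-IP count approximates the number of infected end-user machines feeding that site.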

Table 1. Average content of the 3 random compromised websites

  Description                                                                   Average number
  Spam mailer scripts (PHP)                                                     4
  Spam e-mails sent on a single date (Sep 21, 2013)                             1,
  Unique IPs (end users) that sent spam data on a single date (Sep 21, 2013)    1,

Currently, about 17 million e-mail addresses periodically receive spam e-mails from these sites.

7 Emulation

To uncover a significant part of this operation, we emulated the binary (SmMgr) responsible for collecting the spam data and sending it over to a compromised website. Every 10 seconds, this binary spawns a thread that performs these steps. We created several scripts to download and decode (see the appendix) the following:
  - recipients
  - spam template
  - website to post the spam data to

8 Conclusion

While it is relatively small compared to more established botnets such as Asprox and Pushdo, Stealrat's spam cycle is one of the things that make it unique. Its operators used compromised sites to send out spam. They also used compromised machines, but only as mediators between the compromised sites and the spam server. This allowed them, in a way, to cover their tracks, as they left no clear evidence of a connection between the sites and their server. Another interesting characteristic is that they also attempted to mask their network traffic by modifying the HTTP Host header to make it seem as if they were accessing normal domains. This shows the operators' resilience in adapting to the security enforced on networks, and their attempt to stay under the radar for as long as possible. While compromising websites to send out spam is not a new technique, we believe this particular botnet is worth a look, not just because of the volume of spam it has managed to send out but because of the subtle and gradual improvement of its methods. The Stealrat botnet is a perfect example of determined operators who will try anything to thwart security defenses.

A Appendix

A.1 MD5 Hashes

MD5 hashes of the Mutator/Rodecap, Symmi/SmMgr, ELF and PHP script samples:

bb4957d552dec81c2c288c f5e93efec7c87b97e bb 60acc7b343e51e61f240e66ca9a c689488d9f7e6ddb7de45dd4e2bb1 6d478471ed054e5d2f9436ba8c770f06 49a7ef24fd ee7d1b8b 10ce473a1d7acd67e15a798f5f495c1e 19e26ea780139c92691d372a3ac9c663 a3bcbf239b15262f5a7e8fe264d5edd1 9faf609654db710587c40542f181bdf6 79f bbf88f9fd137fe e831f73b7f20e3e0e ce095ab289e7dbc aab1b 3c039993b98103a1c974e6cd64d3bbef 59b b5ad8b98f696c0f4eee c06ac0e77f889ab4d11cf1659e95 95d565d d9db f1bd556eb165a3ae0f887e7e1831d00 345b4a2f59aeb6e50c00fbaa7aa8130b 1c5a24297a6631b95afadc39b84e dce7e1309dd09df0998f7c5be8219 bedbb698bf2fb05394fd831efab2d091 44f200ad1e561ec6a533521c4cb865b6 d098b b08b7c4a27d0769b6079 aa e1a8008a61cbf01b5df2 11dfd5daa3359fe6967fe69e2413e59d c6c5886b685d2d33f7be0704ba5da951 e a82beb775faa e0 a6752df85f35e6adcfa724eb5e15f6d0 9b6d87c50b58104e204481c580e630f1 d3c35d2fe48d8767fbb32c6ef974e26a 6fdd4a5f517b0faead39a681e62c86f1

A.2 Sample Decryption Script (decrypt.py)

#!/usr/bin/env python3
# decrypt.py: decode the artifacts collected while emulating SmMgr.
#
# Usage:   decrypt.py <type> <file>
# Type:    1  Config file
#          2  UDP traffic
#          3  E-mail address list
#          4  Spam template
# Output:  <file>.dec
import base64
import sys


def dec_config(data):
    # Config file: subtract 1 from every byte (wrapping at 0).
    return bytes((b - 1) & 0xFF for b in data)


def dec_udp_traffic(data):
    # UDP debug traffic: XOR every byte with 12.
    return bytes(b ^ 12 for b in data)


def dec_list(data):
    # E-mail address list: the first byte is XORed with 18, every later byte
    # with the ciphertext byte that precedes it.
    out = bytearray(len(data))
    for i, b in enumerate(data):
        out[i] = b ^ (18 if i == 0 else data[i - 1])
    return bytes(out)


def dec_template(data):
    # Spam template: Base64-decode, then XOR every byte with 2.
    return bytes(b ^ 2 for b in base64.b64decode(data))


DECODERS = {'1': dec_config, '2': dec_udp_traffic, '3': dec_list, '4': dec_template}


def main(argv):
    if len(argv) < 3 or argv[1] not in DECODERS:
        sys.exit('Usage: decrypt.py <type 1-4> <file>')
    encrypted = argv[2]
    with open(encrypted, 'rb') as source:
        data = source.read()
    decoded = DECODERS[argv[1]](data)
    if decoded:
        with open(encrypted + '.dec', 'wb') as out:
            out.write(decoded)


if __name__ == '__main__':
    main(sys.argv)


More information

Smartphone Pentest Framework v0.1. User Guide

Smartphone Pentest Framework v0.1. User Guide Smartphone Pentest Framework v0.1 User Guide 1 Introduction: The Smartphone Pentest Framework (SPF) is an open source tool designed to allow users to assess the security posture of the smartphones deployed

More information

CPanel User Guide DOCUMENTATION VERSION: 1.2

CPanel User Guide DOCUMENTATION VERSION: 1.2 CPanel User Guide DOCUMENTATION VERSION: 1.2 Table of contents 1 What is CPanel? 8 2 How do I get help? 9 3 CPanel themes 10 4 How do I use CPanel? 11 4.1 Logging on..............................................

More information

Open Source Content Management System for content development: a comparative study

Open Source Content Management System for content development: a comparative study Open Source Content Management System for content development: a comparative study D. P. Tripathi Assistant Librarian Biju Patnaik Central Library NIT Rourkela dptnitrkl@gmail.com Designing dynamic and

More information

Penetration Testing with Kali Linux

Penetration Testing with Kali Linux Penetration Testing with Kali Linux PWK Copyright 2014 Offensive Security Ltd. All rights reserved. Page 1 of 11 All rights reserved to Offensive Security, 2014 No part of this publication, in whole or

More information

Content Management System

Content Management System Content Management System XT-CMS INSTALL GUIDE Requirements The cms runs on PHP so the host/server it is intended to be run on should ideally be linux based with PHP 4.3 or above. A fresh install requires

More information

A perspective to incident response or another set of recommendations for malware authors

A perspective to incident response or another set of recommendations for malware authors A perspective to incident response or another set of recommendations for malware authors Alexandre Dulaunoy - TLP:WHITE alexandre.dulaunoy@circl.lu June 7, 2013 CIRCL, national CERT of Luxembourg CIRCL

More information

ASL IT SECURITY BEGINNERS WEB HACKING AND EXPLOITATION

ASL IT SECURITY BEGINNERS WEB HACKING AND EXPLOITATION ASL IT SECURITY BEGINNERS WEB HACKING AND EXPLOITATION V 2.0 A S L I T S e c u r i t y P v t L t d. Page 1 Overview: Learn the various attacks like sql injections, cross site scripting, command execution

More information

Web DLP Quick Start. To get started with your Web DLP policy

Web DLP Quick Start. To get started with your Web DLP policy 1 Web DLP Quick Start Websense Data Security enables you to control how and where users upload or post sensitive data over HTTP or HTTPS connections. The Web Security manager is automatically configured

More information

Using Form Scripts in WEBPLUS

Using Form Scripts in WEBPLUS Using Form Scripts in WEBPLUS In WEBPLUS you have the built-in ability to create forms that can be sent to your email address via Serif Web Resources. This is a nice simple option that s easy to set up,

More information

VESZPROG ANTI-MALWARE TEST BATTERY

VESZPROG ANTI-MALWARE TEST BATTERY VESZPROG ANTI-MALWARE TEST BATTERY 2012 The number of threats increased in large measure in the last few years. A set of unique anti-malware testing procedures have been developed under the aegis of CheckVir

More information

UNMASKCONTENT: THE CASE STUDY

UNMASKCONTENT: THE CASE STUDY DIGITONTO LLC. UNMASKCONTENT: THE CASE STUDY The mystery UnmaskContent.com v1.0 Contents I. CASE 1: Malware Alert... 2 a. Scenario... 2 b. Data Collection... 2 c. Data Aggregation... 3 d. Data Enumeration...

More information

Multifaceted Approach to Understanding the Botnet Phenomenon

Multifaceted Approach to Understanding the Botnet Phenomenon Multifaceted Approach to Understanding the Botnet Phenomenon Christos P. Margiolas University of Crete A brief presentation for the paper: Multifaceted Approach to Understanding the Botnet Phenomenon Basic

More information

Parallels Plesk Automation. Customer s Guide. Parallels Plesk Automation 11.5

Parallels Plesk Automation. Customer s Guide. Parallels Plesk Automation 11.5 Parallels Plesk Automation Customer s Guide Parallels Plesk Automation 11.5 Last updated: 17 March 2015 Contents Quick Start with Hosting Panel 4 Set Up Your First Website... 4 1. Create Your Site... 5

More information

WordPress 2.9 e-commerce

WordPress 2.9 e-commerce WordPress 2.9 e-commerce Build a proficient online store to sell and services products Brian Bondari Table of Contents Preface 1 Chapter 1: Getting Started with WordPress and e-commerce 7 Why WordPress

More information

Automating Linux Malware Analysis Using Limon Sandbox Monnappa K A monnappa22@gmail.com

Automating Linux Malware Analysis Using Limon Sandbox Monnappa K A monnappa22@gmail.com Automating Linux Malware Analysis Using Limon Sandbox Monnappa K A monnappa22@gmail.com A number of devices are running Linux due to its flexibility and open source nature. This has made Linux platform

More information

Application Security: Web service and E-Mail

Application Security: Web service and E-Mail Application Security: Web service and E-Mail (April 11, 2011) Abdou Illia Spring 2011 Learning Objectives Discuss general Application security Discuss Webservice/E-Commerce security Discuss E-Mail security

More information

Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda 1. Introductions for new members (5 minutes) 2. Name of group 3. Current

More information

Phishing Activity Trends Report June, 2006

Phishing Activity Trends Report June, 2006 Phishing Activity Trends Report, 26 Phishing is a form of online identity theft that employs both social engineering and technical subterfuge to steal consumers' personal identity data and financial account

More information

SAIP 2012 Performance Engineering

SAIP 2012 Performance Engineering SAIP 2012 Performance Engineering Author: Jens Edlef Møller (jem@cs.au.dk) Instructions for installation, setup and use of tools. Introduction For the project assignment a number of tools will be used.

More information

LAMP Secure Web Hosting. A.J. Newmaster & Matt Payne 8/10/2005

LAMP Secure Web Hosting. A.J. Newmaster & Matt Payne 8/10/2005 LAMP Secure Web Hosting A.J. Newmaster & Matt Payne 8/10/2005 How do I lock down my server? & ModSecurity is an open source intrusion detection and prevention engine for web applications. Operating as

More information

Document Freedom Workshop 2012. DFW 2012: CMS, Moodle and Web Publishing

Document Freedom Workshop 2012. DFW 2012: CMS, Moodle and Web Publishing Document Freedom Workshop 2012 CMS, Moodle and Web Publishing Indian Statistical Institute, Kolkata www.jitrc.com (also using CMS: Drupal) Table of contents What is CMS 1 What is CMS About Drupal About

More information

Manage Website Template That Using Content Management System Joomla

Manage Website Template That Using Content Management System Joomla Manage Website Template That Using Content Management System Joomla Ahmad Shaker Abdalrada Alkunany Thaer Farag Ali الخالصة : سىف نتطشق في هزا البحث ال هفاهين اساسيت كيفيت ادساة قىالب الوىاقع التي تستخذم

More information

Lecture 11 Web Application Security (part 1)

Lecture 11 Web Application Security (part 1) Lecture 11 Web Application Security (part 1) Computer and Network Security 4th of January 2016 Computer Science and Engineering Department CSE Dep, ACS, UPB Lecture 11, Web Application Security (part 1)

More information

Hardening Joomla 1. HARDENING PHP. 1.1 Installing Suhosin. 1.2 Disable Remote Includes. 1.3 Disable Unneeded Functions & Classes

Hardening Joomla 1. HARDENING PHP. 1.1 Installing Suhosin. 1.2 Disable Remote Includes. 1.3 Disable Unneeded Functions & Classes 1. HARDENING PHP Hardening Joomla 1.1 Installing Suhosin Suhosin is a PHP Hardening patch which aims to protect the PHP engine and runtime environment from common exploits, such as buffer overflows in

More information

ArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young

ArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young ArcGIS Server Security Threats & Best Practices 2014 David Cordes Michael Young Agenda Introduction Threats Best practice - ArcGIS Server settings - Infrastructure settings - Processes Summary Introduction

More information

Thexyz Premium Webmail

Thexyz Premium Webmail Webmail Access all the benefits of a desktop program without being tied to the desktop. Log into Thexyz Email from your desktop, laptop, or mobile phone, and get instant access to email, calendars, contacts,

More information

Rensselaer Union Club Webhosting CPanel Guide

Rensselaer Union Club Webhosting CPanel Guide Rensselaer Union Club Webhosting CPanel Guide Introduction: One of the many services the Systems Administrators offer Union recognized clubs is website hosting with a union.rpi.edu subdomain. The service

More information

http://docs.trendmicro.com/en-us/smb/hosted-email-security.aspx

http://docs.trendmicro.com/en-us/smb/hosted-email-security.aspx Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

THE OPEN UNIVERSITY OF TANZANIA

THE OPEN UNIVERSITY OF TANZANIA THE OPEN UNIVERSITY OF TANZANIA Institute of Educational and Management Technologies COURSE OUTLINES FOR DIPLOMA IN COMPUTER SCIENCE 2 nd YEAR (NTA LEVEL 6) SEMESTER I 06101: Advanced Website Design Gather

More information

Tableau Server Trusted Authentication

Tableau Server Trusted Authentication Tableau Server Trusted Authentication When you embed Tableau Server views into webpages, everyone who visits the page must be a licensed user on Tableau Server. When users visit the page they will be prompted

More information

WEB ATTACKS AND COUNTERMEASURES

WEB ATTACKS AND COUNTERMEASURES WEB ATTACKS AND COUNTERMEASURES February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in

More information

Criteria for web application security check. Version 2015.1

Criteria for web application security check. Version 2015.1 Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-

More information

Make a folder named Lab3. We will be using Unix redirection commands to create several output files in that folder.

Make a folder named Lab3. We will be using Unix redirection commands to create several output files in that folder. CMSC 355 Lab 3 : Penetration Testing Tools Due: September 31, 2010 In the previous lab, we used some basic system administration tools to figure out which programs where running on a system and which files

More information

MySQL Quick Start Guide

MySQL Quick Start Guide Quick Start Guide MySQL Quick Start Guide SQL databases provide many benefits to the web designer, allowing you to dynamically update your web pages, collect and maintain customer data and allowing customers

More information

What is Web Security? Motivation

What is Web Security? Motivation brucker@inf.ethz.ch http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web

More information

Storm Worm & Botnet Analysis

Storm Worm & Botnet Analysis Storm Worm & Botnet Analysis Jun Zhang Security Researcher, Websense Security Labs June 2008 Introduction This month, we caught a new Worm/Trojan sample on ours labs. This worm uses email and various phishing

More information

Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities

Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities Protecting a business s IT infrastructure is complex. Take, for example, a retailer operating a standard multi-tier infrastructure

More information

WEB ANALYTICS. Presented by Massimo Paolini MPThree Consulting Inc. www.mpaolini.com 408-256-0673

WEB ANALYTICS. Presented by Massimo Paolini MPThree Consulting Inc. www.mpaolini.com 408-256-0673 WEB ANALYTICS Presented by Massimo Paolini MPThree Consulting Inc. www.mpaolini.com 408-256-0673 WEB ANALYTICS IS ABOUT INCREASING REVENUE WHAT WE LL COVER Why should you use Asynchronous code What are

More information

Linux VPS with cpanel. Getting Started Guide

Linux VPS with cpanel. Getting Started Guide Linux VPS with cpanel Getting Started Guide First Edition October 2010 Table of Contents Introduction...1 cpanel Documentation...1 Accessing your Server...2 cpanel Users...2 WHM Interface...3 cpanel Interface...3

More information

What do a banking Trojan, Chrome and a government mail server have in common? Analysis of a piece of Brazilian malware

What do a banking Trojan, Chrome and a government mail server have in common? Analysis of a piece of Brazilian malware What do a banking Trojan, Chrome and a government mail server have in common? Analysis of a piece of Brazilian malware Contents Introduction.................................2 Installation: Social engineering

More information

SPAMfighter Mail Gateway

SPAMfighter Mail Gateway SPAMfighter Mail Gateway User Manual Copyright (c) 2009 SPAMfighter ApS Revised 2009-05-19 1 Table of contents 1. Introduction...3 2. Basic idea...4 2.1 Detect-and-remove...4 2.2 Power-through-simplicity...4

More information

Web Application Security

Web Application Security E-SPIN PROFESSIONAL BOOK Vulnerability Management Web Application Security ALL THE PRACTICAL KNOW HOW AND HOW TO RELATED TO THE SUBJECT MATTERS. COMBATING THE WEB VULNERABILITY THREAT Editor s Summary

More information

Penetration Test Report

Penetration Test Report Penetration Test Report MegaCorp One August 10 th, 2013 Offensive Security Services, LLC 19706 One Norman Blvd. Suite B #253 Cornelius, NC 28031 United States of America Tel: 1-402-608-1337 Fax: 1-704-625-3787

More information

http://docs.trendmicro.com/en-us/enterprise/safesync-for-enterprise.aspx

http://docs.trendmicro.com/en-us/enterprise/safesync-for-enterprise.aspx Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

ERT Attack Report. Attacks on Large US Bank During Operation Ababil. March 2013

ERT Attack Report. Attacks on Large US Bank During Operation Ababil. March 2013 Attacks on Large US Bank During Operation Ababil March 2013 Table of Contents Executive Summary... 3 Background: Operation Ababil... 3 Servers Enlisted to Launch the Attack... 3 Attack Vectors... 4 Variations

More information

VISA SECURITY ALERT December 2015 KUHOOK POINT OF SALE MALWARE. Summary. Distribution and Installation

VISA SECURITY ALERT December 2015 KUHOOK POINT OF SALE MALWARE. Summary. Distribution and Installation VISA SECURITY ALERT December 2015 KUHOOK POINT OF SALE MALWARE Distribution: Merchants, Acquirers Who should read this: Information security, incident response, cyber intelligence staff Summary Kuhook

More information