I’m very excited today to announce that Arbor Networks, one of the leading vendors of DDoS protection and network security world-wide, has added a fingerprint to their Peakflow product family to help Internet Service Providers (ISPs) and companies around the world monitor, protect against and mitigate malicious ZeuS C&C botnet traffic within their networks. The fingerprint provided by Arbor is generated in cooperation with the ZeuS Tracker.
If you are a network administrator and your company is running Arbor Peakflow, you can simply activate the fingerprint using Arbor’s Active Threat Feed (ATF) policies.
Many companies, military and governmental networks have banned social networking sites like Facebook, Twitter, MySpace & Co from their networks. For instance, in August 2009 the U.S. Marine Corps banned Social Networking Sites (SNS) from their classified network (called MARINE CORPS ENTERPRISE NETWORK – MCEN):
IMMEDIATE BAN OF INTERNET SOCIAL NETWORKING SITES (SNS) ON MARINE CORPS ENTERPRISE NETWORK (MCEN)
[...]
REF A: ORDER TO ADDRESS RISK OF USING NIPRNET CONNECTIVITY TO ACCESS INTERNET SNS.
[...]
1. PURPOSE.
THIS MESSAGE ANNOUNCES AN IMMEDIATE BAN ON INTERNET SNS WITHIN THE MCEN UNCLASSIFIED NETWORK (NIPRNET).
2. BACKGROUND. INTERNET SNS ARE DEFINED AS WEB-BASED SERVICES THAT ALLOW COMMUNITIES OF PEOPLE TO SHARE COMMON INTERESTS AND/OR EXPERIENCES (EXISTING OUTSIDE OF DOD NETWORKS) OR FOR THOSE WHO WANT TO EXPLORE INTERESTS AND BACKGROUND DIFFERENT FROM THEIR OWN. THESE INTERNET SITES IN GENERAL ARE A PROVEN HAVEN FOR MALICIOUS ACTORS AND CONTENT AND ARE PARTICULARLY HIGH RISK DUE TO INFORMATION EXPOSURE, USER GENERATED CONTENT AND TARGETING BY ADVERSARIES. THE VERY NATURE OF SNS CREATES A LARGER ATTACK AND EXPLOITATION WINDOW, EXPOSES UNNECESSARY INFORMATION TO ADVERSARIES AND PROVIDES AN EASY CONDUIT FOR INFORMATION LEAKAGE THAT PUTS OPSEC, COMSEC, PERSONNEL AND THE MCEN AT AN ELEVATED RISK OF COMPROMISE. EXAMPLES OF INTERNET SNS SITES INCLUDE FACEBOOK, MYSPACE, AND TWITTER.
3. ACTIONS. TO MEET THE REQUIREMENTS OF REF A, ACCESS IS HEREBY PROHIBITED TO INTERNET SNS FROM THE MCEN NIPRNET, INCLUDING OVER VIRTUAL PRIVATE NETWORK (VPN) CONNECTIONS.
[...]
Of course the USMC is not the only organisation that has banned Social Networking Sites from its network – many other companies and governments out there followed the USMC’s lead and started banning Social Networking Sites as well. The two reasons most commonly given for such bans are:
Security issues while using Social Networking Sites (privacy, mal- and crimeware, targeted attacks, leakage of information from classified networks)
Performance problems/bottlenecks while using Social Networking Sites (direct impact on business/enterprise operations)
I don’t want to discuss with you whether banning Social Networking Sites makes sense, but let me say a few words about it:
Often there are (legal and comprehensible) reasons to ban SNS from corporate and governmental networks. But the problem is that the responsible persons and/or administrators who decide to ban SNS often don’t know the consequences such a ban can trigger. Let me ask you: Do you really think that users will accept a ban of their *most-favorite-websites*? Of course most users won’t, so they will start digging holes in your corporate firewall and web proxies/gateways. The point I would like to make in this post is the consequences you will trigger when banning social networks, as well as the risks and threats that result from it.
As said before, most users won’t accept a ban of SNS (and please believe me: that’s a fact). The first thing they will do after your ban becomes active is to google for ways of bypassing your security infrastructure. The first thing your users will come across are PHP-based web proxy scripts. One of the most popular PHP-based proxy scripts is called Glype: it’s a tiny, powerful and fast web proxy written in PHP. You just have to download the ZIP file, upload the “upload” folder to some webspace and start using your brand new web proxy. But wow – you don’t even have to install your own web proxy, you can just use sites like proxy[dot]org and get a fresh list of 5′000+ working web proxies!
What sounds like honey being poured down your users’ backs is pure pain for the administrators and security folks of companies and governmental organisations: within a few minutes users will be able to bypass security gateways easily. But let’s talk about the security risks of such anonymous web proxies.
*** The bad things you don’t know about such proxies ***
Unfortunately the other side of the coin looks much worse:
You don’t know who runs these proxies
You don’t know whether these proxies are secure and clean of any malware and drive-bys
You don’t know the intentions of the persons who run these proxies (perhaps they mean ill?)
But you must be aware of one fact: those proxies aren’t anonymous! Web proxy scripts like Glype & Co have a freely configurable option that lets the administrator of the (Glype) proxy decide whether or not to log the requests passing through his proxy. And you can be sure that most Glype administrators do.
*** The facts ***
Fact is that there are a lot of insecure servers out there running Glype: I was able to retrieve the logs of several Glype proxies – and the results are really interesting. Some statistical information first:
# of checked proxies: 20
# of log files retrieved: 1′700
# of hits: 64′063′377
# of unique IPs: ~1.05 million
Total size of log files: ~10 GB
I took a few hours to analyse the log files. The result of my analysis didn’t surprise me much (top countries by unique IPs):
Most of the top countries shown above are explainable, like China (for building a great firewall around its internet users), Turkey (for banning popular websites like Facebook, MySpace, WordPress and Blogspot) and Germany (for the planned Data Retention Law).
Let’s take a deeper look at the origin IP addresses which are using such Glype proxies. A huge part of the Glype users come from:
Educational networks like schools and universities (trying to break the blockade of Facebook & Co on edu networks)
Home users on DSL and dial-up accounts (trying to bypass the internet censorship of their ISPs/country)
Besides that (mostly) legitimate traffic (generally I don’t support internet censorship in any country – so in my opinion this is some kind of legitimate traffic), there is a lot of noise coming from governmental and military networks around the world. I won’t name any countries, but you can be sure that dozens of countries are affected. Some of the affected departments and ministries are listed below (I have translated most of them from other languages, so don’t assume all of them belong to the US – they don’t):
Ministry of Foreign Affairs
Ministry of Finance
Ministry of Economy
Ministry of Statistics
Ministry of Administration and Interior
Ministry of Industry
Ministry of Interior and Justice
Ministry of Labour and Social Policy
Ministry of Social Development
Department of Defense
Department of Atomic Energy
Department of Health
Department of Science and Technology
Department of Home Affairs
Department of Water Affairs and Forestry
Department of Environment and Conservation
National Laboratory
National Police Service
Residence of the President
Atomic Energy Commission
Centre for Atomic Research
State police
National Telecommunications Commission
Supervision and Administration Commission
State-owned news agency
Various Military Test- and Command Centres around the globe
Various networks which are just named as “Government of xxxx”
Let’s have a look at the top websites accessed through those Glype proxies:
# of hits    Domain                        Description
6′799′818    www.aisex.com                 Chinese porn site
5′195′698    www.facebook.com              Facebook (incl. fbcn.net)
1′019′967    doubleclick.net               Advertising
629′881      www.t66y.com                  Chinese porn site
619′020      change.menelgame.pl           Online game
582′162      whitepages.com.au             Australian address / telephone directory
565′832      www.wretch.cc                 Chinese social network / news site
489′843      www.manyway.net               Advertising
477′499      www.youtube.com               YouTube
473′341      www.google-analytics.com      Tracker / web statistics
363′371      www.xvideos.com               Porn site
348′057      notification.pennergame.de    Online game
318′106      www.pidown.com                Free file hosting (misused for torrents)
297′981      www.highba.com                Chinese porn site
295′866      www.google.com                Google
267′695      www.palacemoon.com            Chinese porn site
266′117      i1.hk                         Unknown
265′410      www.divshare.com              File sharing / web drive (supported by Amnesty International)
259′349      www.mycould.com               Chinese forum
255′328      www.jword.jp                  Unknown
229′032      www.denic.de                  German domain registrar (whois misuse)
198′225      www.139flash.com              Online games
As we know, most users of these Glype proxies are located in China. But for those of you who thought that the Chinese users are searching for “free speech” and “tibet” – I have to disappoint you: the Chinese folks don’t seem to be any different from the folks in the west. So don’t be surprised that the top website is a Chinese porn site (you didn’t know? China also blocks access to various porn sites).
*** Glype proxies as security risk ***
As I already pointed out, I don’t see a problem in users bypassing internet censorship per se. They just have to know that they don’t really surf anonymously when they use such script-based proxies (like Glype) and that those log files are probably accessible by anyone from anywhere.
But such proxies become a problem as soon as they are used by employees of governmental and military organisations (as shown above): these proxies could be a great resource for terrorist organisations and foreign intelligence services! Many of the governmental traces I’ve seen are on Facebook – so I was able to catch the names of employees of various governmental and military organisations. To show you the threat of such ‘information’ I will give a real example which I saw in those log files.
You might have noticed that I mentioned a Ministry of Foreign Affairs before (of a country which I won’t name here). While checking the logs I came across a user who surfed on Facebook. The log files provided a link to the profile of an employee of the Ministry of Foreign Affairs. When I checked the profile, I noticed that this user is obviously an employee of the Security Service at the Ministry of Foreign Affairs. In fact, this person is now a high-value target for terrorist organisations and foreign intelligence services, who are now able to get personal information about this person easily. This allows them to apply pressure and blackmail the person in order to gain access to classified information and documents.
*** Conclusion ***
My research on these Glype proxies allows me to draw the following conclusions:
Glype (and other script-based) proxies aren’t really anonymous
You don’t know who runs these proxies
Most users of those proxies just want to bypass the internet censorship of their country or their schools/universities
But there are many users from governmental and military organisations using those proxies too
In those cases you may be able to hide your web traffic from your administrator, but you will leave traces in other places which are probably a threat to your whole company!
Administrators and security folks have to know about these risks and have to adopt compensating measures and/or provide awareness training to their users
If you run such a Glype proxy you have to know that you will probably be held responsible for any illegal activities passing through your proxy. Are you sure that your Glype proxy is not being abused to access illegal content like child pornography?
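The compensating measure an administrator can actually implement is to look for Glype-style requests in their own gateway logs. The script below is an added example and is not code from the original post or from the Glype project: it parses Apache combined-format log lines (constructed sample data, not real traffic), picks out requests to a proxy’s browse.php, recovers the proxied destination from the u parameter (assumed here to be either the URL-encoded target or Glype’s default base64 form) and aggregates hits per destination domain, per proxy host and per internal client, the same kind of aggregation the statistics above were built from.

```python
import base64
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (not real data) in Apache "combined" format, as a
# corporate web gateway that logs the full request URL might record them.
# Two clients reach two different Glype proxies; one line is ordinary traffic
# and one carries an undecodable "u" parameter.
SAMPLE_LOG = """\
10.1.4.22 - - [12/Apr/2010:09:14:02 +0200] "GET http://proxy.example.invalid/browse.php?u=aHR0cDovL3d3dy5mYWNlYm9vay5jb20v&b=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.1.4.22 - - [12/Apr/2010:09:14:05 +0200] "GET http://proxy.example.invalid/browse.php?u=http%3A%2F%2Fwww.facebook.com%2Fhome.php&b=0 HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
10.1.7.9 - - [12/Apr/2010:09:15:11 +0200] "GET http://www.example.com/ HTTP/1.1" 200 300 "-" "Mozilla/5.0"
10.1.9.3 - - [12/Apr/2010:09:16:40 +0200] "GET http://other-proxy.example.invalid/browse.php?u=aHR0cDovL3d3dy55b3V0dWJlLmNvbS93YXRjaA%3D%3D&b=4 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
10.1.9.3 - - [12/Apr/2010:09:17:02 +0200] "GET http://other-proxy.example.invalid/browse.php?u=notaurl&b=0 HTTP/1.1" 404 120 "-" "Mozilla/5.0"
"""

# One Apache combined-format line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_target(u_value):
    """Recover the proxied URL from a Glype browse.php 'u' parameter.

    Assumption: the value is either the plain (URL-encoded) target or the
    base64 form that Glype uses by default. parse_qs has already undone the
    URL encoding, so a plain value starts with its scheme.
    """
    if u_value.startswith(("http://", "https://")):
        return u_value
    try:
        padded = u_value + "=" * (-len(u_value) % 4)
        decoded = base64.b64decode(padded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded if decoded.startswith(("http://", "https://")) else None


def analyse_glype_usage(log_text):
    """Aggregate Glype proxy requests: hits per destination domain, per
    proxy host and per internal client, plus the unique-client count."""
    by_domain, by_proxy, by_client = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        req = urlsplit(m.group("url"))
        if not req.path.endswith("/browse.php"):
            continue  # not a Glype-style request
        u_values = parse_qs(req.query).get("u")
        target = decode_target(u_values[0]) if u_values else None
        if target is None:
            continue  # browse.php hit we cannot attribute to a destination
        by_domain[urlsplit(target).hostname] += 1
        by_proxy[req.hostname] += 1
        by_client[m.group("ip")] += 1
    return {
        "hits": sum(by_domain.values()),
        "unique_clients": len(by_client),
        "by_domain": by_domain,
        "by_proxy": by_proxy,
        "by_client": by_client,
    }


if __name__ == "__main__":
    report = analyse_glype_usage(SAMPLE_LOG)
    print(f"{report['hits']} proxied hits from {report['unique_clients']} clients")
    for domain, hits in report["by_domain"].most_common():
        print(f"{hits:>6}  {domain}")
    for client, hits in report["by_client"].most_common():
        print(f"{hits:>6}  client {client}")
```

Run against a real gateway log the by_client counter is the list of internal hosts to follow up on and by_proxy the list of proxy hosts worth blocking; the browse.php path match is only a first-pass signature, so treat a miss as inconclusive rather than as proof that no proxy is in use.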
A month ago, the well-known bulletproof hoster Troyak was cut off from the internet (read more). Troyak tried hard to get reconnected – but the disconnection of Troyak made a lot of noise in the international press, which led to Troyak being unable to stay connected to the World Wide Web.
But maybe you wonder why the number of active ZeuS C&Cs kept dropping after the Troyak shutdown. Let me clear this up: after the shutdown of Troyak, several other ISPs which had been a platform for cybercriminals for months obviously came under massive pressure from their upstream providers. Many of those ISPs contacted me during the last few weeks and made a clear statement that they no longer tolerate any cybercriminals in their networks.
The good news first:
Today, a month after the Troyak shutdown, the number of active C&C servers is still at a very low level. We are now at a point where ZeuS C&C servers go offline just a few minutes after they appear on the ZeuS Tracker.
And now the bad news:
During the last few days I noticed more and more ZeuS C&C servers popping up which are hosted on a FastFlux botnet. To be precise: it’s not new that cybercriminals host the infection binaries (used to infect their victims) on FastFlux botnets. But it is new to me that the cybercriminals are now also hosting their Command&Control servers (the servers hosting the dropzone) on FastFlux botnets. For example:
To go along with this ‘new’ trend I decided to add a new ‘level’ to the ZeuS Tracker:
Level: 5
Description: Hosted on a FastFlux botnet
Color: Blue
Whenever you see a ZeuS C&C server on the ZeuS Tracker (ZT) which is FastFlux hosted, the ZeuS Tracker will now provide you with additional information:
As you can see above, the ZeuS Tracker shows the assigned bots (IP addresses) as well as their status on Spamhaus’s XBL. Additionally the time to live (TTL) of the A record is displayed (on FastFlux hosted domains mostly between 180 and 1800 seconds).
To get a list of ZeuS domains which are currently hosted on a FastFlux botnet you can just set a filter for “level 5” tagged domains on the ZeuS Tracker:
Currently there are just 9 domains hosted on a FastFlux botnet. But let’s see how many ZeuS C&Cs will move over to FastFlux hosting during the next few months.
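How a defender can reproduce the two checks the tracker now shows for a level-5 entry, as an added example that is not the ZeuS Tracker’s own code: the FastFlux heuristics (short TTL in the 180–1800 second range reported above, many A records spread over many networks, and address churn between consecutive lookups) and the Spamhaus XBL status of each bot IP. The DNS answers below are constructed placeholder data, the /16 and address-count thresholds are my own assumptions, and the XBL return-code interpretation (127.0.0.4 to 127.0.0.7 meaning listed) assumes Spamhaus’s documented codes; a stand-in resolver keeps the example offline, while dns_resolve shows the live variant.

```python
import ipaddress
import socket
from dataclasses import dataclass


@dataclass
class ALookup:
    """One DNS answer for a domain: TTL and the A records returned."""
    name: str
    ttl: int
    addresses: list


# Constructed answers (placeholder addresses from 10.0.0.0/8, not real data):
# two consecutive lookups of a suspected FastFlux-hosted C&C domain, and one
# lookup of a CDN-style host for comparison.
FLUX_LOOKUPS = [
    ALookup("cc.flux.example.invalid", 300,
            ["10.17.4.9", "10.88.201.3", "10.140.22.77",
             "10.201.9.14", "10.33.150.2", "10.250.60.8"]),
    ALookup("cc.flux.example.invalid", 300,
            ["10.17.4.9", "10.88.201.3", "10.9.77.31",
             "10.172.1.5", "10.55.210.90", "10.119.8.8"]),
]
CDN_LOOKUP = ALookup("static.cdn.example.invalid", 300,
                     ["10.200.1.1", "10.200.1.2", "10.200.1.3", "10.200.1.4"])


def fastflux_indicators(lookup, max_ttl=1800, min_addresses=5, min_prefixes=3):
    """Score one answer against three heuristics (thresholds are assumptions):
    short TTL, many A records, and records spread over many distinct /16
    networks (a CDN usually clusters in one or two)."""
    reasons = []
    if lookup.ttl <= max_ttl:
        reasons.append(f"TTL {lookup.ttl}s <= {max_ttl}s")
    if len(lookup.addresses) >= min_addresses:
        reasons.append(f"{len(lookup.addresses)} A records")
    prefixes = {ipaddress.ip_network(f"{a}/16", strict=False) for a in lookup.addresses}
    if len(prefixes) >= min_prefixes:
        reasons.append(f"{len(prefixes)} distinct /16 networks")
    return len(reasons), reasons


def address_churn(first, second):
    """Number of A records in the second answer absent from the first:
    FastFlux rotates compromised hosts in and out between lookups."""
    return len(set(second.addresses) - set(first.addresses))


def xbl_query_name(ip, zone="xbl.spamhaus.org"):
    """DNSBL query name for an IPv4 address: octets reversed under the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def xbl_listed(answer):
    """Interpret a DNSBL answer. Assumption: Spamhaus documents XBL hits as
    127.0.0.4-127.0.0.7; an empty answer (NXDOMAIN) means not listed."""
    return any(a.startswith("127.0.0.") and 4 <= int(a.rsplit(".", 1)[1]) <= 7
               for a in answer)


def dns_resolve(name):
    """Live resolver for real use; returns [] on NXDOMAIN or failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def assess(lookups, resolve=dns_resolve):
    """Combine the heuristics over consecutive lookups of one domain and
    check every address seen against the XBL through the given resolver."""
    score, reasons = fastflux_indicators(lookups[-1])
    churn = address_churn(lookups[0], lookups[-1]) if len(lookups) > 1 else 0
    if churn:
        reasons.append(f"{churn} new addresses since previous lookup")
    addresses = sorted({a for lk in lookups for a in lk.addresses})
    listed = [a for a in addresses if xbl_listed(resolve(xbl_query_name(a)))]
    return {"name": lookups[-1].name, "score": score + (1 if churn else 0),
            "reasons": reasons, "xbl_listed": listed}


# Constructed stand-in for the XBL so the example runs offline: two of the
# flux addresses answer as listed, everything else as NXDOMAIN.
FAKE_XBL = {xbl_query_name("10.17.4.9"): ["127.0.0.4"],
            xbl_query_name("10.9.77.31"): ["127.0.0.6"]}


def fake_resolve(name):
    return FAKE_XBL.get(name, [])


if __name__ == "__main__":
    for result in (assess(FLUX_LOOKUPS, fake_resolve), assess([CDN_LOOKUP], fake_resolve)):
        print(result["name"], "score", result["score"])
        for reason in result["reasons"]:
            print("  -", reason)
        print("  XBL listed:", result["xbl_listed"] or "none")
```

The CDN-style answer scores on TTL alone, which is why a low TTL by itself is not enough to tag a domain: prefix diversity and churn between lookups are what separate a flux network of compromised home machines from a legitimate load-balanced host, and an XBL hit on several of the A records is the strongest confirmation.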