Advertising Practices Endanger Internet Users

Posted by Laureli Mallek Tue, 29 Apr 2008 17:34:17 GMT

Several major ISPs are substituting ad pages for the error messages normally displayed when users navigate to non-existing subdomains. Ryan Singel writes in Wired that:

“The rub comes when a user is asking for a nonexistent subdomain of a real website, such as http://webmale.google.com, where the subdomain webmale doesn’t exist (unlike, say, mail in mail.google.com). In this case, the Earthlink/Barefruit ads appear in the browser, while the title bar suggests that it’s the official Google site.”

Within this system, when a user tries to locate a nonexistent subdomain of a real website, the title of the browser page changes to correspond with the searched-for site. By signaling that the user has reached a subdomain of the target website, ISPs create a potentially dangerous situation. It is possible that nefarious actors could combine fake subdomains with active spamming campaigns to draw users to links and badware camouflaged by a legitimate website’s branding.

Dan Kaminsky, a security researcher at IOActive, initially reported the problem. He says that even after the vulnerabilities with advertisers were patched, the loophole remains dangerous, as it allows ISPs (Kaminsky cites Earthlink, Verizon, Time Warner, Comcast and Qwest) to subvert the DNS system map to monetize those nonexistent subdomains. Since 2006, Earthlink has intercepted the non-existing domain response, sending it to its advertising partner (Barefruit), and then serving a page of suggestions and ads. While the company claims this action enhances the user experience, it exposes users to third-party content which may not be held to a high level of security scrutiny.

Katherine Noyes at TechNewsWorld writes that Kaminsky does not see a technical way to fix this problem until ISPs, and others, are forced to stop spoofing subdomains through legal means: “It’s someone else’s domain, someone else’s property.”

Paul Vixie, president of the nonprofit Internet Systems Consortium, believes the problem correlates to ISPs’ desire to increase monetization of their users’ browsing without the necessary regard for security. Speaking with TechNewsWorld, he said, “The only reason this one wasn’t dangerous is that the discoverer was a good person.”
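A check a site or network operator can run to tell whether the resolver they are using is substituting answers for nonexistent subdomains, added here as an example (not code from the original post or from any of the researchers quoted): it resolves random, almost certainly nonexistent labels under several unrelated domains. A wildcard record in one zone also makes random subdomains resolve, so the check only blames the resolver when the same landing address comes back under every domain. The resolver is passed in as a function so the logic can be exercised offline; the addresses in the test are constructed RFC 5737 documentation addresses.

```python
import random
import socket
import string
from typing import Callable, Dict, Optional

# A resolver maps a hostname to an IPv4 address string, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def system_resolver(hostname: str) -> Optional[str]:
    """Use the operating system's stub resolver (the ISP's DNS when set by DHCP)."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:  # NXDOMAIN (or SERVFAIL) surfaces as gaierror
        return None


def random_label(length: int = 12) -> str:
    """A random lowercase label that will not exist as a real subdomain."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(random.choice(alphabet) for _ in range(length))


def probe_domain(base_domain: str, resolve: Resolver, probes: int = 3) -> Dict[str, object]:
    """Resolve several random subdomains of base_domain.

    A well-behaved resolver answers NXDOMAIN (None) for all of them. If every
    probe resolves to one address, something is answering for names that do
    not exist: either a wildcard record in the zone or the resolver itself."""
    results = {f"{random_label()}.{base_domain}": None for _ in range(probes)}
    for name in results:
        results[name] = resolve(name)
    answers = {addr for addr in results.values() if addr is not None}
    all_resolved = all(addr is not None for addr in results.values())
    return {
        "results": results,
        "substituted": all_resolved and len(answers) == 1,
        "landing_address": answers.pop() if len(answers) == 1 else None,
    }


def check_resolver(domains, resolve: Resolver, probes: int = 3) -> Dict[str, object]:
    """Distinguish a zone wildcard from resolver-level NXDOMAIN rewriting.

    A wildcard explains random subdomains resolving under one domain; the same
    landing address under several unrelated domains implicates the resolver."""
    per_domain = {d: probe_domain(d, resolve, probes) for d in domains}
    landing = {r["landing_address"] for r in per_domain.values() if r["landing_address"]}
    every_domain = all(r["substituted"] for r in per_domain.values())
    return {
        "per_domain": per_domain,
        "resolver_substitutes": every_domain and len(landing) == 1,
        "landing_address": landing.pop() if len(landing) == 1 else None,
    }
```

To test a live connection, call `check_resolver(["example.com", "example.org"], system_resolver)` and look at `resolver_substitutes`.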

Additional Coverage

Brian Krebs posted a new piece with additional information on his Washington Post blog, Security Fix, on March 30th.

Happy hunting!


Outrageous EULA - from a botnet vendor

Posted by Erica George Tue, 29 Apr 2008 17:14:18 GMT

The Symantec Security Response blog today features a bizarre end user license agreement (EULA) – not for a legitimate piece of software, but for a bot builder sold in the criminal black market.

Many of the restrictions the bot vendor places on its customers are straightforward enough, but without the ability to resort to actual laws to enforce their EULA, the botmakers take a more direct approach. Symantec translates the threat for noncompliance with the EULA from Russian:

In cases of violations of the agreement and being detected, the client loses any technical support. Moreover, the binary code of your bot will be immediately sent to antivirus companies.

As Symantec notes, none of this has stopped the software from being traded in underground markets. No word on whether security companies have been flooded with bot binary code reports from mysterious sources recently.


Important WordPress security update

Posted by Erica George Mon, 28 Apr 2008 16:06:08 GMT

From the official WordPress.org blog:

Version 2.5.1 of WordPress is now available. It includes a number of bug fixes, performance enhancements, and one very important security fix. We recommend everyone update immediately, particularly if your blog has open registration. The vulnerability is not public but it will be shortly.

If you run a WordPress site, and haven’t already implemented this new security update, doing so now is your best bet to prevent your site from being victimized. Once hackers can reverse engineer the vulnerability, there will probably be attacks on sites running earlier versions of WordPress.

Badware distributors have attacked WordPress sites before, most notably with the recent wp-stats iframe. At StopBadware, we’re still hearing from website owners whose sites are running older versions of WordPress and are being compromised with wp-stats, which exploits a vulnerability that’s now several months old.

Our advice for owners of WordPress sites? As StopBadware volunteer Steven Whitney wrote during the previous wave of attacks:

New versions of WordPress should always be installed promptly because the popular blogging software is heavily targeted by hackers using automated crawlers. You can register at http://wordpress.org/ to receive email notifications when new versions are announced.


Two Interesting Security Challenges

Posted by Laureli Mallek Thu, 24 Apr 2008 19:17:32 GMT

Two noteworthy exploits have surfaced recently. This post covers, first, a server-based attack tool and, second, the discovery of a now-patched vulnerability in Flash.

First:

Tornado, a web-based exploit tool, can exploit more than a dozen browser vulnerabilities. ITNews Australia explains that the tool “is commonly installed on a server by a single ‘administrator,’ who then offers accounts on the server to other attackers.” This structure keeps the proprietary code in the administrator’s hands and protects it from being released “underground.”

The seller is also able to discriminate between clients, which Liam O’Murchu, a Symantec researcher, cites as a reason that the exploit has remained undiscovered for so long. Shaun Nichols of ITNews writes that Tornado “offers attackers a full set of traffic statistics and options for selecting which exploits can be conducted.”

Second:

Robert Jaques reports for ITNews that a new Flash vulnerability has been discovered by Tier-3. This issue arises from the use of “NULL pointers,” software code which points to specific locations in a computer’s memory. Geoff Sweeney, an executive at Tier-3, is quoted as saying,

“Buffer overflows are still an issue, but they are a problem that has been tackled by the industry for many years. NULL pointer de-referencing has not received anywhere near the same level of attention, which means that users need to be more vigilant than ever.”

A recent paper by Mark Dowd, a researcher at IBM Internet Security Systems, provides a detailed example of this type of exploit. The Matasano Chargen blog explains Dowd’s achievement while claiming that Dowd was “sent back through time to kill the mother of the person who will grow up to challenge SkyNet.” And his accomplishment does inspire some awe. In brief:

“Dowd’s exploit uses a NULL pointer write32 to knock the locks off the bytecode interpreter in Flash, so that his SWF file can run bytecode that will rewrite the system stack.”

So the NULL pointer presents an entry point for Dowd to run his exploit, and this entry exists on Internet Explorer and Firefox (which have compatible internal addressing) and on Vista.

According to DailyTechNotes, Adobe has already released a patch for the vulnerability, and you should download it now. They explain the risk:

“Vulnerabilities in various online software is nothing new. But what makes vulnerability in flash so much damaging is that flash is installed on almost all browsers and it is independent of the operating system you are running.”


Microsoft: Web attacks on the rise

Posted by Maxim Weinstein Thu, 24 Apr 2008 18:12:05 GMT

Robert McMillan over at ComputerWorld reports that Microsoft has found a significant increase in web-based attacks in the past year:

Criminals changed tactics in the last six months of 2007, dropping malicious e-mail in favor of Web-based attacks, according to data reported to Microsoft Corp. by Windows users.

The company saw the number of Trojan horse downloader programs it removed from Windows machines jump by 300%, according to Jimmy Kuo, principal architect with Microsoft’s Malware Protection Center. These programs masquerade as legitimate pieces of software, but once installed they then download malicious software such as spyware or adware onto the victim’s computer. They are typically installed via the Web.

See the ComputerWorld story or the original report for more interesting stats.

