Anatomy of a Hack 2008

A few years ago I delivered a very popular presentation I called "Anatomy of a Hack." Well, actually, I called it "How to Get Your Network Hacked in 10 Easy Steps," but the marketing department at my previous employer thought that title was a bit edgy, so they renamed it. The Chinese called it "Anatomy of a Hacker" at TechEd China in 2005, but that's another story altogether. The presentation, which is actually documented in Protect Your Windows Network, had me wandering through an entire network once I got a foothold on one computer.

For the past couple of years I've been telling people that the future of attacks is against people, not networks. In June I got further confirmation of that. A notification came in from my blog that I had a new comment to approve. The comment was just a link, looking like this one:

 A Comment has been posted to Jesper's Blog: Hey, Mozilla: Quotes Are Not Legal in a URL by Google Images:
images.google-us.info/index.html Google Images

This looked suspicious enough so I started investigating a bit. What I found just hit the net on The Register. I thought it made an interesting tale of how the bad guys are trying to monetize their handiwork. Sandi has also written about this on her blog here, and here, and here...
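What made the link stand out is that the hostname only looks like a Google address: the registrable domain is google-us.info, which has nothing to do with google.com. The following is an added example, not code from the original post, showing the check a comment-moderation filter can apply to a link like the one above. The suffix table and the list of brand-owned domains are assumptions constructed for the example; a real filter would use the Public Suffix List and a maintained list of the brand's own domains.

```python
"""Flag lookalike hostnames in links left in blog comments (added example)."""
from urllib.parse import urlsplit

# Constructed, minimal suffix table. Assumption: a real check would use the
# Public Suffix List; multi-label suffixes must be listed explicitly.
KNOWN_SUFFIXES = {"com", "net", "org", "info", "co.uk", "com.au"}

# Domains the brand actually owns. Assumption for the example, not a full list.
BRAND_DOMAINS = {"google": {"google.com", "google.co.uk", "google.com.au"}}


def hostname_of(link: str) -> str:
    """Return the lowercase hostname of a link, with or without a scheme."""
    if "://" not in link:
        link = "http://" + link          # comment spam often omits the scheme
    host = urlsplit(link).hostname or ""
    return host.rstrip(".").lower()


def registrable_domain(host: str) -> str:
    """Return the label directly below the public suffix, e.g. google-us.info."""
    labels = host.split(".")
    for n in (2, 1):                     # try the longer suffix first (co.uk)
        suffix = ".".join(labels[-n:])
        if suffix in KNOWN_SUFFIXES and len(labels) > n:
            return ".".join(labels[-(n + 1):])
    return host


def classify(link: str) -> str:
    """'legitimate', 'lookalike' or 'unrelated' with respect to BRAND_DOMAINS.

    The brand name is matched as a substring anywhere in the hostname, which is
    deliberately broad: for moderation we would rather review a false positive
    than approve a link to google-us.info or google.com.evil.info.
    """
    host = hostname_of(link)
    reg = registrable_domain(host)
    for brand, owned in BRAND_DOMAINS.items():
        if brand in host:
            return "legitimate" if reg in owned else "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links, including the one from the spam comment.
    for link in ("images.google-us.info/index.html",
                 "http://images.google.com/",
                 "http://www.google.com.evil.info/",
                 "http://example.org/"):
        print(f"{link:40s} {registrable_domain(hostname_of(link)):20s} {classify(link)}")
```

The key step is the last two lines of registrable_domain: the brand token sitting somewhere left of the public suffix proves nothing, and only the label immediately above the suffix identifies who registered the name.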

On a very much related note, I will actually do a live walkthrough of this type of attack at TechEd EMEA ITPro in Barcelona this coming November. Yes, that's right, I'm going back to TechEd. Hope to see you there!

Published 22 August 2008 02:46 PM by jesper

Comments

# Max said on 23 August, 2008 01:29 PM

Nice to hear this good news. I attended this amazing session in Amsterdam; it was really great. Happy to see you in Barcelona. I'm also looking for a buddy, so if you're interested in some nice dives, let me know.

# Dmitry said on 25 August, 2008 11:36 AM

Hi Jesper,

All I can say (after finishing reading your TheRegister article) is that someone has got a lot of free time... My bet will be on a group of Ukrainian students. It is amazing how much effort/energy/time is spent to make this software look legitimate.

I guess this is just about the right time to have an OS supporting (out of the box) a fully virtualised internet browsing experience.

# John C. Kirk said on 27 August, 2008 07:34 AM

That's an interesting article, so thanks for that. However, you mentioned the "chrome" for the popup; maybe I'm going blind, but I can't see any significant difference between figure 1 and figure 4. I can see that the scrollbar is different in the main IE window, but the only difference in the popup is that the Vista version is smaller. Am I missing something obvious here?

# Candee said on 29 August, 2008 07:18 AM

Thanks for posting that, Jesper.

This morning I was looking for some ampage stats and clicked on a perfectly legitimate link.... and up pops "figure 2"...

Will you be back at TechEd USA this year?

Yay!

# jesper said on 29 August, 2008 09:44 AM

Candee, thanks. At this point, I have not heard anything about TechEd USA. Since it is no longer my job to go speak at those events, I'm only doing them if I get an invite to speak.

# Andy Dowling said on 01 September, 2008 09:38 PM

Thanks for the rundown - I've seen a few systems affected by this lately. We've found it also infects removable media with a setup.exe and autorun.inf, to spread to other PCs in the old-school way.

# Marco said on 04 September, 2008 04:23 PM

Great! Good news: Jesper back on TechEd! Would be great if you would do a session with Steve Riley.

# Mats said on 26 October, 2008 10:44 AM

Would love to see that happen.

I had the fortune to see Jesper and Steve live doing a preconf on security, and for those of you who haven't seen it, it's on TechNet.

See you in Barcelona Jesper
