Should I bring all my shoes and glasses?

// >> January 2009

System Hardening – Unnecessary Service Disabling for Dummies
| 26. January, 2009

When performing a system based audit (or if you are the one being audited), you will no doubt run into the recommendation of disabling unnecessary Windows services. The problem with this is that there are many services that are started by default, and the Windows built-in explanations don’t make it any easier.

Usually, this audit recommendation is taken with a grain of salt and only the glaringly bad services will actually be disabled (telnet, snmp, etc.).  I ran into this site the other day that will help clear all this up:

http://www.devotedgeek.com/the-ultimate-guide-to-tweaking-useless-windows-xp-services/

This site lists each default service one at a time and explains the scenarios in which it is actually needed. Very helpful for the technical auditor without the high-functioning Rain Man-type memory needed to retain these things.

Search Engine Optimization Injection
| 24. January, 2009

Here's a really interesting quasi-cross-site scripting/phishing attack that uses Google rankings to propagate malicious links.

http://garwarner.blogspot.com/2008/12/more-than-1-million-ways-to-infect-your.html

To summarize:

1) An attacker finds legitimate (and hopefully popular) websites that are vulnerable to external site redirection via URL injection.

2) Using a script, this link is posted around the intarwebs such that it is picked up many, many times by Google crawler bots. Since it piggybacks off the popularity of the host's domain name, its rankings will be vaulted to one of the top search results.

3) A user clicks on this link after performing a Google search and is redirected to the infected site.

4) = Profit ??

One common web app I know that is susceptible to URL redirection is Outlook Web Access when running on Exchange 2003. If you append a site to the end of the main login page, you will be redirected to that site once you try logging in (i.e. https://owa.good-site.com/exchweb/bin/auth/owalogon.asp?url=http://bad-site.com). Not sure how you would craft this into an earth-shattering attack unless people are actively searching for a company's Exchange server, but I'm just throwing it out there as an example.
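The fix for the OWA-style open redirect above is to treat the `url` parameter as untrusted and only honour destinations that stay on the application's own host. The following is an added example (not OWA's or Exchange's own code): the host name, base path, fallback landing page and the function names are constructed placeholders.

```python
"""Allow-list validation for a post-login redirect parameter such as the
``url`` query string on the OWA login page discussed above.

Added example, not Exchange/OWA code.  ``APP_BASE`` and ``DEFAULT_LANDING``
are constructed placeholders standing in for the real deployment values.
"""
from urllib.parse import urljoin, urlsplit

APP_BASE = "https://owa.good-site.com/exchweb/bin/"  # constructed
DEFAULT_LANDING = "/exchweb/bin/"                    # constructed


def is_local_redirect(requested, base=APP_BASE):
    """True only if ``requested`` resolves to the same scheme, host and port as ``base``.

    Resolution is done the way a browser would after receiving the redirect,
    so relative paths are accepted while absolute URLs to other hosts,
    scheme-relative ``//host`` forms, non-http(s) schemes, backslash variants
    and ``user@host`` authorities are all rejected.
    """
    if not requested:
        return False
    # Browsers accept backslashes where the URL grammar wants slashes; fold
    # them first so ``/\host`` is seen as the scheme-relative URL it becomes.
    candidate = requested.replace("\\", "/")
    resolved = urlsplit(urljoin(base, candidate))
    expected = urlsplit(base)
    if resolved.scheme not in ("http", "https"):
        return False
    if resolved.scheme != expected.scheme:      # also blocks https -> http downgrade
        return False
    if resolved.username or resolved.password:  # ``https://good-site@bad-site`` style
        return False
    if (resolved.hostname or "").lower() != (expected.hostname or "").lower():
        return False
    if resolved.port != expected.port:
        return False
    return True


def safe_redirect_target(requested, base=APP_BASE, fallback=DEFAULT_LANDING):
    """Return the absolute on-site URL to redirect to, or ``fallback`` if the
    requested value would send the user off-site."""
    if not is_local_redirect(requested, base):
        return fallback
    return urljoin(base, requested.replace("\\", "/"))
```

Running `safe_redirect_target("http://bad-site.com")` returns the fallback landing page, while a relative target such as `inbox.asp` is resolved against the application base and returned.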

Interview with an Adware Author
| 13. January, 2009

The folks over at philosecurity.org posted a revealing interview with Matt Knox, an ex-adware designer/creator for Direct Revenue.  Check out the following snippet:

So we’ve progressed now from having just a Registry key entry, to having an executable, to having a randomly-named executable, to having an executable which is shuffled around a little bit on each machine, to one that’s encrypted – really more just obfuscated – to an executable that doesn’t even run as an executable. It runs merely as a series of threads.
