Thursday, November 29, 2007

Malware Serving Online Casinos

Don't play poker on an infected table part two. The following three online casinos are currently serving embedded malware in the form of IFRAMES and the average javascript obfuscation.

The first one is poker.gagnantscasino.com (213.186.33.4) with current obfuscation loading statistics-gdf.cn/ad/index.php (116.0.103.133) where another obfuscation loads, deobfuscated attempts to load p423ck.exe (Zlob) at statistics-gdf.cn/ad/load.php, playing around with the host for too long results in zero malicious activity, at least they make you think so. Here's another internal URL statistics-gdf.cn/ad/index.php?com

Detection rate : Result: 7/32 (21.88%)
File size: 43008 bytes
MD5: 08f445712adcef5ef091378c51bbbaaa
SHA1: 3478fe6a600251b2ee147dbd50eaf4f204a884cb

Last week's obfuscation at this online casino was pointing to traffmaster.biz/ra/in.cgi?5 which is now down.

The second casino is fabispalmscasino.com (82.165.121.138) with current obfuscation attempting to connect to the now down stat1count.net/strong, a host residing on a netblock I covered before showcasing a scammy ecosystem. The third one is sypercasino.com which was resolving to 203.117.111.102 early this week, and taking advantage of WebAttacker at sypercasino.com/biling/index.php. Now it resolves to 58.65.236.10 and promotes banner.casino.com/cgi-bin/SetupCasino.exe

Detection rate: 9/32 (28.13%)
File size: 194077 bytes
MD5: 26da6f81349ff388d08280ababab9150
SHA1: f20e8fee439264915710f9478ec1e74583563851

It's interesting to monitor how people behind these manually change the obfuscations to further expand their connections with other scammers, or services and attack approaches they use, and even more interesting to see it happen on-the-fly just like meds247.org for instance.

Don't play poker on an infected table.

Wednesday, November 28, 2007

66.1 Host Locked

Having found a static pattern for identifying a Rock Phish domain a couple of months ago in the form of the bogus "209 Host Locked" message, the Rock Phishers seems to have picked up the finding and changed the default domain message to "66.1 Host Locked" as of recently. Here are the very latest Rock Phish domains using this :


business-eb.bbt.com.4rrt.es
ntu3ot1.com
nikogonet.com
ne5oe.com
nod-for-pc.com
sparkasse.de.4rrt.es
marip.com.es

Moreover, a recently released survey results by Cloudmark, whose study into the Economics of Phishing is also worth going through, indicates that current and prospective customers of a certain brand lose trust in it, if they're exposed to phishing emails pretending to be from that brand :

The survey revealed that:

- 42% of respondents surveyed feel that the trust in a brand would be greatly reduced if they received a phishing email claiming to be sent by that brand
- 41% of those surveyed felt that their trust in a bank would be greatly reduced if they received a phishing email claiming to be from that company, compared to 40% who felt the same for an ISP, 36% for an online shopping site and 33% for a social networking site
- 26% of those surveyed feel that they are the party most responsible for protecting themselves from phishing attacks, with 23% believing their Internet Service Provider (ISP) or email service provider is the most responsible and 17% thinking that the sender’s ISP and email service provider holds the greatest responsibility

The last point is perhaps the most insightful one, given it has to do with self-awareness and responsibility, forwarding the responsibility to the provider of the email service, and best of all, seeking more responsibility in fighting outgoing phishing and spam compared to incoming one.

Which CAPTCHA Do You Want to Decode Today?

Once you anticipate your success, you logically start putting more efforts into achieving a decent level of efficiency in the process of breaking CAPTCHA, now that's of course in between commercializing your know-how. CAPTCHA breaking or decoding on demand has been a reality for a while, with malicious parties empowered by proprietary tools, publicly available DIY CAPTCHA breakers, or services like this one doing it on demand.

The following service is offering the possibility for CAPTCHA decoding on a per web service basis, and enticing future customers by providing percentage of accuracy, the price, and the ease of difficulty of breaking it. CAPTCHA decoding is listed for the following services : 9you, tiancity, cncard, the9, kingsoft, taobao, dvbbs, shanda, csdn, chinaren, monter, and baidu. The hardest to break CAPTCHAs mentioned are those of Yahoo, Hotmail, QQ, Google. Moreover, Ticketmaster's the most expensive one, followed by Ebay's CAPTCHA decoding process.

What happens when malicious parties cannot directly decode the CAPTCHA? They figure out ways to adapt to the situation, namely by enjoying the benefits of the human factor in the process while sacrificing some of the efficiency, but continuing to achieve their objective.

Tuesday, November 27, 2007

A TrustedSource for Threats Intell Data

Following the series of posts on early warning security events systems, Secure Computing have just announced a major upgrade of their threat intell service :

"Secure Computing's TrustedSource acts like a satellite advanced-warning system for the Internet that detects suspicious behavior patterns at their origins, and then instructs security devices to take corrective precautions or action," said Dr. Phyllis Schneck, vice president of research integration for Secure Computing. "TrustedSource pinpoints reputation by looking at behavior and specific factors such as traffic volumes, patterns and trends, and enabling it to rapidly identify deviations from the norm on a minute-by-minute basis."

I've already mentioned the radical perspective of integrating all the publicly known IPs with bad reputation, and sort of ignoring their online activities in order to prevent common problems such as click fraud for instance. Think from the end user's perspective, what's the worst thing that could happen to both the average and experienced end user? Try witnessing the situation when a known to be infected with malware end user starts receiving messages like these, and will continue to receive them until a certain action is taken presumably disinfecting themselves. Of course, it's more complex than it sounds, but start from the basics in terms of the incentives for end users to disinfect themselves, the masses of which aren't that very socially oriented unless of course it's global warming and the possibility for a white Christmas you're talking about. Issuing an "Internet Driver's License" wouldn't work on an international scale, and even if it works on a local scale somewhere in the world, it wouldn't really matter, since you'll have the rest of the world driving unsafely, and you'll be the only country which has fastened its seat belt. Here's an example of such mode of thinking.

Are You Botnet-ing With Me?

Informative and recently released study by ENISA on the problem of botnets, especially the emphasis on how client side vulnerabilities surpassed email attachments, and downloading of infected files as infection vectors. Not because these aren't working, but because of the botnet's masters attitude for achieving malicious economies of scale has changed. Despite that we can question whether or not they put so much efforts while strategizing this, let's say they stopped pushing malware, and started coming up with ways for the end users to pull it for themselves :

"The most common infection methods are browser exploits (65%), email attachments (13%,) operating system exploits (11%), and downloaded Internet files (9%). Currently, the most dangerous infection method is surfing to an infected webpage. Indications of a bot on your computer include e.g.: Slow Internet connection, strange browser behavior (home page change, new windows, unknown plug-ins), disabled anti-virus software; unknown autostart programs etc."

Here's the entire publication - "Botnets - The Silent Threat" by David Barroso.

I See Alive IFRAMEs Everywhere - Part Two

The never ending IFRAME-ing of relatively popular or niche domains whose popularity is attracting loyal and well segmented audience, never ends. Which leads us to part two of this series uncovering such domains and tracing back the malicious campaign to the very end of it. Some of these are still IFRAME-ed, others cleaned the IFRAMEs despite Google's warning indicating they're still harmful, the point is that all of these are connected.

Affected sites :

Epilepsie France - epilepsie-france.org
Iran Art News - iranartnews.com
The Media Women Forum - yfmf.org
Le Bowling en France - bowling-france.fr
The Hong Kong Physiotherapists Union - hkpu.org
The Wireless LAN Community - wlan.org
The First HELLENIC Linux Distribution - zeuslinux.gr

The entire campaign is orbiting around pornopervoi.com, which was last responding to 81.177.3.225, an IP that's also known to be hosting a fake bank (weiterweg-intl.com) according to Artists Against 419. Within the domain, there were small files loading a second IFRAME. For instance, pornopervoi.com/u.php leads to 88.255.94.246/freehost1/georg/index.php?id=0290 (WebAttacker), the same campaign is also active at 81.29.241.238/freehost1/georg/index.php?id=0290, these try to drop the following :

88.255.94.246/freehost1/chris0039/lu/dm_0039.exe
81.29.241.238/freehost1/chris0031/lu/dm_0031.exe

An Apophis C&C panel was located in this ecosystem as well. Among the other files at pornopervoi.com, are pornopervoi.com/i.php where we're redirected to the second one spelredeadread.com/in.php?adv=678. Even more interesting, energy.org.ru a Web hosting provider is also embedded with pornopervoi.com/m.php again forwarding to spelredeadread.com. To further expand this ecosystem, yfmf.org the Media Women Forum is also IFRAME-ed with a link pointing to pornopervoi.com/m.php. Another site that's also pointing to pornopervoi.com/m.php is the Hong Kong Physiotherapists Union hkpu.org. Two more sites serving malware, namely wlan.org, the Wireless LAN Community also pointing to pornopervoi.com/m.php, and zeuslinux.gr, The First HELLENIC Linux Distribution.

Who's behind this malware embedded attack? It's the ongoing consolidation between defacers, malware authors, and blackhat SEO-ers using the infamous infrastructure of the RBN.

Related posts:
Bank of India Serving Malware
U.S Consulate in St.Petersburg Serving Malware
Syrian Embassy in London Serving Malware
CISRT Serving Malware
Compromised Sites Serving Malware and Spam
A Portfolio of Malware Embedded Magazines
Possibility Media's Malware Fiasco
The "New Media" Malware Gang
Another Massive Embedded Malware Attack

Monday, November 26, 2007

But Malware is Prone to be Profitable

Read this a couple of times, than read it several more times, and repeat. It's usually "powerful stuff" that prompts such confusing descriptions of what sound like defense in-depth at one point, and a combination of intergalactic security statements in respect to the "massive amounts of computing power required" to solve the "security problem" at another. Stop predicting weather and assessing the impact of global warming, and command the supercomputers to figure our the scientific mysteries behind common insecurities :

"Even if we can't produce effective network security, we can at least make it more difficult and therefore expensive to attack a network by adopting some of the hacker's own techniques. He favors randomizing the use of a number of techniques for filtering content, so that individual malware vectors will sporadically stop working. By changing the challenge involved in compromising systems, the whole malware economy is changed. Stolfo also took a positively Darwinian view of how much change was needed, suggesting that security only had to be good enough to make someone else's system look like a more economical target. Overall, the talks were pretty depressing, given that the operating systems and software we rely on will probably never be truly secure. The process of blocking malware that takes advantage of this insecurity appears to be entering the realm where true security has become one of those problems that requires massive amounts of computing power and an inordinate amount of time."

The operating systems and the software we use can be truly secure, but will be useless compared to the currently insecure, but useful ones we're using. Now here's a great and straight to the point article, that's segmenting the possible uses of a host that's already been compromised, a great example of how innovations in terms of improved Internet connectivity, increased CPU power, and flexibility of online payments both steamline progress, and contribute to the growth of the underground.

Beat malware by doing what malware authors do? Sounds great. Malware authors outsource, do it too. Malware authors embraced the on demand SCM concept, embrace it too. Malware authors consolidate with stronger strategic partners, and acquire the weaker ones by providing them with DIY malware creation tools in order for them to make the headlines at a later stage, consolidate too. Malware authors keep it simple the stupids, you fight back with rocket science theoretical models and shift the focus from the pragmatic reality just the way it is - consolidation, outsourcing, shift towards a service based economy, quality and assurance of the malware releases, malicious economies of scale in the form of malware exploitating kits, ones it's getting hard to keep track of these days.

At the bottom line, how to solve the "malware problem"? It all depends on who you're solving it for. Long live marginal thinking.

Related posts:
Malware - Future Trends, January, 2006
Underground Economy's Supply of Goods and Services
The Dynamics of the Malware Industry - Proprietary Malware Tools
Managed Spamming Appliance - The Future of Spam
Multiple Firewalls Bypassing Verification on Demand

Exposing the Russian Business Network

It was about time someone comes up with an in-depth study summarizing all of the Russian Business Network's activities, as for me personally, 2007 is the year when bloggers demonstrated what wisdom of the crowds really means, by putting each and every piece of the puzzle to come up with the complete picture, one the whole world benefits from. A highly recommened account into the RBN's activities courtesy of David Bizeul's "Russian Business Network study" :

"It’s interesting to observe that many recent cyber crime troubles are relating to Russia. This observation is obviously a simple shortening. Indeed nothing seems to link to Russia at first sight, it’s a nasty country for sending spam but many are worst, Russia is only the 8th top spam country. We need to dig deeper to identify that cyber crime is originating mostly from Russian dark zones. In a digital world, those dark zones exist where the Internet becomes invisible and it’s used for collecting phishing sites credentials, for distributing drive by download exploits, for collecting malware stolen data, etc. It’s a considerable black market as it has been revealed in this paper. A lot of information can be available over the web on Russian malicious activities and precisely on the way RBN (Russian Business Network) plays a major role in these cases."

What contributed to such a well coordinated exposure of the RBN during the last two quarters at the bottom line? It's not just security researchers exchanging info behind the curtains, but mostly due to RBN's customers confidence in RBN's ability to remain online. And while remaining online has never been a problem for the RBN, until recently when DIY IP blocking rulesets were available for the world to use, they undermined their abilities to remain undetected. In fact, I was about start a contest asking anyone who can come up with a IP with a clean reputation within the RBN's main netblock right before it dissapeared, and would have been suprised if someone managed to find one.

The RBN doesn't just makes mistakes when its customers embedd malware hosting and live exploit URLs on each and every malware and high-profile attack during the year, it simply doesn't care in covering its tracks and so doesn't their customers as well. RBN's second biggest mistake for receiving so much attention is their laziness which comes in the form of over 100 pieces of malware hosted on a single IP, without actually bothering to take care of their directory listing permissions, allowing my neatly crafred OSINT gathering techniques to come up with yet proof of a common belief into their practice of laziness. Moreover, the KISS strategy that I often relate to the successful malicious economies of scale that malware authors achieve due to DIY malware kits using outdated exploits compared to bothering to purchase zero day ones, didn't work for the RBN. Remember that each and every of the several Storm Worm related IPs that I covered once were returning fake suspended account notices in a typical KISS strategy, while the live exploit URLs and the actual binaries were still active within the domains.

This isn't exactly what you would expect from what's turning into a case study on conversational marketing, or perhaps how conversational marketing provokes the wisdom of crowds effect to materialize, so that the entire community benefits from each and everyone's contribution - in this case exposing the RBN.

How would the RBN change its practices in the upcoming future given all the publicity it received as of recently? They will simply stop benefing from the easy of management of their old centralized infrastructure, and will segment the network into smaller pieces, but while still providing services to their old customers, they're easy to traceback, and to sum up this post in one sentence - the Russian Business Network is alive, and is providing the same services to the same customers, including malware and live exploits hosting URLs under several different netblocks.

It's also great to note that David's been keeping track of my research into the RBN's activities. Go through the study and find out more about the RBN practices.

Related posts:
Go to Sleep, Go to Sleep my Little RBN
Detecting and Blocking the Russian Business Network
RBN's Fake Security Software
Over 100 Malwares Hosted on a Single RBN IP
The Russian Business Network

Friday, November 23, 2007

The State of Typosquatting - 2007

The recently released "What’s In A Name: The State of Typo-Squatting 2007" is a very in-depth and well segmented study into the topic, you should consider going through :

Introduction
Typo- and Cyber-squatting on the rise
Key Findings
Methodology
Rankings by Category
Sample site: McAfee.com
The Economics of Typo-Squatting: Why it Works
What is driving the increase in typo-squatting
The decline in adult content on typo-squatters
Discussion of our methodology
Defining Typo-Squatting
Other Methods for Combating Typo-Squatting
Conclusions
Complete Results

Is it just me using bookmarks and only risking to fall victim into a pharming attack, compared to manually typing and mistyping an URL? My point is that coming across several articles emphasizing how important typing the right URLs is, I think they've missed an important point which is that typosquatting by itself isn't that big of a security threat, but in a combination of tactics it becomes such. There's no chance you will ever mistype an URL such as paypal-comlwebscrc-login-run.com, a typosquatted domain like the ones I covered in September, since these ones come in as phishing emails hosting a Rock Phish kit, namely they turn into threats when combined with other tactics. Blackhat SEO is another such tactic. The type of buy-cheap-iphones.com always aim to trick search engines into positioning them among the first 20 results, and they often succeed until a search engine figures out it's a blackhat SEO spam and removes it from the index.

Here's an example of such combination of tactics, use-iphone.com for instance was spammed according McAfee, the folks behind the study. What's was use-iphone.com all about? Icepack kit in action - use-iphone.com/ice-pack/index.php.

Wednesday, November 21, 2007

A Botnet of Infected Terrorists?

Redefining malware to minimize the negative public outbreak by renaming it to Remote Forensic Software, now that's a evil marketing department's positioning strategy in action. I've already discussed how inpractical the utopian central planning of a security industry is, and while you're limiting the access to the tools who may help someone unethically pen testing an internal asset, you're also limiting the possibility for the discovery of such vulnerable asset - basically a false feeling of security, you don't touch it, it doesn't move, until of course someone else outside your controlled environment comes across it, the way they will sooner or later since it's an open network, one you benefit from, but cannot fully control.

Australian law enforcement have been using spyware for a while, and Austria following Germany's interest into the concept is getting involved too:

"Germany is hiring software specialists to design "white-hat" viruses that could infiltrate terrorists' computers and help police detect upcoming attacks, an Interior Ministry spokeswoman in Berlin confirmed Saturday. The government is still drafting legislation to permit snooping via the internet under judicial control, but has decided there is no time to lose in developing the "remote forensic software." The ministry said the BKA federal police had been instructed to resume the development and hire two specialists."

Are cyber criminals or bureaucrats the industry's top performer? In November, 2008, we'll be discussing how come so much money were spend to develop the malware, given the lack of any ROI out of this idea during the entire period, whereas DIY malware tools are not just a commodity, but also freely available for a law enforcement to use. Moreover, emailing malware is so old-fashioned and noise generating, that even the average Internet users knows "not to click on those email attachments sent from unknown source". A far more pragmatic approach would be to embedd the malware on sites suspected of evangelizing terrorism, or radicalizing their audiences, by doing so you'll end up with a larger infected sample, and eventually someone, let's say 1 out of 10,000 infected will turn out to be a terrorist, by whatever definition you're referring to in the case. Even more pragmatic, by requesting a botnet on demand, and requiring the botnet master to tailor your purchase by providing you with infected hosts in Germany whose browser language, and default fonts used are Arabic, you will not just save money, but will increase the probability of coming across a stereotyped terrorist, by outsourcing the infecting stage to those who excell at it.

Excluding the sarcasm, it's your money that go for funding of such initiatives who basically "shoot into the dark" to see if they can hit someone. Even if they manage to infect someone, more staff will be required to monitor the collected data, which means more money will go into this, ending up with an entire department monitoring wishful thinking and thought crime. Geheime Staatspolizei anyone?

If you really want access to real-time early warning threat intell for possible threats, monitor the public cyber jihadist communities don't come up with new ones to use them as honeypots for cyber jihadists, identify local residents, evaluate their state of radicalization and attitudes towards standard terrorist ideas, prioritize, and take action if necessary.

Cartoon courtesy of Mahjjob.com

Mass Defacement by Turkish Hacktivists

At first it appeared that it was just the official site of Goa's DoIP, that's been defaced by Turkish defacers, but looking further the campaign gets much bigger than originally anticipated :

"The official website of the Goa government’s Department of Information and Publicity (DoIP) - goainformation.org - was hacked by a group of Turkish militants on Saturday. The hacker has not only defaced the website, replacing all information with the group’s propaganda material in Turkish language, but also posted some gory pictures of slain terrorists. The DoIP has now lodged a complaint with the Panjim Police and the Panjim crime branch is investigating the matter."

The campaign is aiming to send a PSYOPS signal to the rest of the world regarding the recent tensions between Turkey's military operations in northern Iraq against PKK, an action the U.S doesn't seem to enjoy at all. Some sample defaced sites are savymedia.com; itrit.com; sledderforever.com; pssoc.org; youthblood.org; prisonministry.com. The defacers are sending the following message :

"The United States of America who is feeding on and strengthening behind closed doors the universal terrorists, is the greatest terrorist country. pkk/kadek/hpg/kkk is the world's most bloody and brutal terrorism group. They killed approximately 35.000 innocent people without any cruel till now. All the nations and states must know which are supporting these bloody and brutal terrorism groups, supporting terrorism will brings suffer and deathness. We are always be a side of peace. but we have always some words to say these terrorists "which" wants to seperate us and kill innocent people"

Moreover, Turkish hacktivists from another group have also been active recently by defacing the Assyrian Academic Society, Assyrian actress and author Rosie Malek-Yonan's site, and International Campaign to Support the Christians of Iraq petition's site. Three other Turkish hacktivists are also currently defacing under the handles of NusreT, MUSTAFAGAZI, and Storm, using the same defacement templates. The first group is reachable at a closed forum turkmilliyetcileri.org, and the second at turkittifak.org. Apparently, these groups are all under the umbrella of the Turkish Republican Hackers group.

Tuesday, November 20, 2007

Large Scale MySpace Phishing Attack

In need of a "creative phishing campaign of the year"? Try this, perhaps the largest phishing attack spoofing MySpace and collecting all the login details at a central location, that's been active for over a month and continues to be. A Chinese phishing group have come up with legitimate looking MySpace profiles (profile.myspace.com) in the form of subdomains at their original .cn domains, and by doing so achieve its ultimate objective - establish trust through typosquatting, remain beneath the security vendors radar by comment spamming the URLs inside MySpace, and obtain the login details of everyone who got tricked.

Key points :

- all of the participating domains are using identical DNS servers, whereas their DNS records are set to change every 3 minutes

- each and every domain is using a different comment spam message, making it easy to assess the potential impact of each of them

- the URLs are not spammed like typical phishing emails, but comment spammed within MySpace by using legitimate accouts, presumably once that have already fallen victim into the campaign, and mostly to remain beneath the radar of security vendors if the URLs were spammed in the usual manner

- all of the URLs are the subdomains are currently active, and the login details get forwarded to a central location 319303.cn/login.php

This how the fake MySpace login looks like on the fake domains/subdomains :
(form action = "http://319303.cn/login.php" method = "post" name = "theForm" id = "theForm)

This is how the real MySpace login looks like :
(form action = "http://secure.myspace.com/index.cfm?fuseaction=login.process" method = "post" id = "LoginForm")

Sample MySpace phishing URLs from this campaign :

profile.myspace.com.fuseaction.id.0ed37i8xdd.378d38.cn
profile.myspace.com.index.fuseaction.id.370913.cn
profile.myspace.com.fuseaction.id.0ed37i8xdd.125723.cn
profile.myspace.com.fuseaction.id.Dx78x00iJe5.982728.cn
profile.myspace.com.fuseaction.user.id.28902334.arutncbt.cn
profile.myspace.com.fuseaction.id.0nd8di8xfd.125723.cn
profile.myspace.com.fuseaction.id.0ed37i8xdd.109820.cn

Ten sample Chinese domains participating in the phishing attack, returning the MySpace spoof at the main index and the subdomains :

378d38.cn
978bg33.cn
370913.cn
107882.cn
103238.cn
978nd03.cn
107882.cn
pcc2ekxz.cn
125723.cn
pckeez.cn

Assessing the comment messages used on ten phishing domains for internal comment spamming at MySpace :

370913.cn - "haha i cant believe we went to high school with this girl"
978bg33.cn - "sometimes i cannot believe the pics people put on their myspaces"
982728.cn - "I cannot believe this freaking whore would put pics like that on her myspace page.. how trashy.."
977y62.cn - "did you see what happened? OMG you gotta see Mike's profile."
125723.cn - "did you see what happened? OMG you gotta see Mike's profile."
pckeez.cn - "can you believe we went to highschool with this chick?"
pcc2ekxz.cn - "can't believe a 18 year old chick would put half-nude pics on myspace. whore alert."
arutncbt.cn - "wow her brother is gonna be so pissed when he sees the pictures she put on her myspace"
125723.cn - "Did you hear what happened Omg you gotta see the profile.. So sad!"
109820.cn - "sometimes i just cannot believe the pics that people put on their myspaces LMAO!"

The campaign is surprisingly well thought of. If they were spamming the phishing URLs, security vendors would have picked it up immediately and its lifetime would have been much shorter compared to its current one. The phishers aren't sending emails asking people to login to MySpace via profile.myspace.com.random_digits.cn for instance, instead they're spamming inside MySpace by posting comments prompting users to click further using the phrase "haha i cant believe we went to high school with this girl". It gets even more interesting, compared to the common logic of them having to register fake accounts and posting the comments by using them, in this case, the three sample comments posted on Nov 2 2007 11:22 AM; Nov 4 2007 1:02 PM ; Nov 5 2007 8:47 AM; Nov 5 2007 9:33 PM, are all posted by legitime users, well from legitimate users' accounts in this case. How huge is this? Over 378,000 results for the campaign under this phrase keeping in mind that people embed their MySpace profiles at their domains, and 128,000 instances of a sample phishing domain (370913.cn) at MySpace.com itself. This is for one of the phishing domains only.

Now if that's not enough to disturb you, each and every of the .cn domains are resolving to what looks like U.S based hosts only that will change every 3 minutes. Not necessarily as dynamic as previously discussed fast-flux networks, but these are worth keeping an eye on :

107882.cn
978bg33.cn

Here are some central DNS servers that all the .cn domains use :

ns4.6309a46.com
ns1.52352a0c60a9c29.com
ns3.926817a885d86e1.com
ns2.terimadisirida.net

I'll leave the data mining based on these patterns to you, what's important is that the URLs are still serving spoofed MySpace front pages, with the only downsize that they cannot sucessfully load MySpace's videos, and don't provide any SSL authentication, which I doubt have prevented lots of people from falling victims into it.

Does all the data lead us to conclude that this could be the most "creative phishing campaign of the year"? Let's have it offline first.

Monday, November 19, 2007

Another Massive Embedded Malware Attack

Compared to the previous massive malware embedded attack in Italy that I asessed in June, 2007 which was primarily relying on the fact that a shared hosting provider got hacked into, this one is more interesting to follow because the domains have nothing to do with each other, in fact some are suspected of being generated for blackhat SEO purposes in combination with embedded malware. The rest are legitimate sites. Moreover, the campaign is currently in a cover up stage, but the sites are still serving the IFRAME you can see in the attached screenshot. Currently affected sites where over 90% still have the IFRAME within :

syncopatedvideo.com

ja-bob.com
idledrawings.com
biblequizzer.net
johnnydam.com
gonaus.com
caribbeanjamz.net
campbellscollision.com
instopiainsurance.com
electronicesthetics.com
blackopalproductions.com
loadway.com
mtwashingtonkennelclub.com
shoveltown.com
simplabase.com
ajrivers.com
jacquelinesdayspa.com
epidemianet.com
aabosa.net
bisign.com
orangevaleson.com
blackmanassociates.com
jumarktrade.com
queerduck.icebox.com

The main campaign IFRAME URL is megazo.org/trans.htm serving TR/Crypt.XPACK.Gen and using its own nameservers ns1.megazo.org (203.117.111.102) and ns2.megazo.org (203.117.111.103) which is also hosting 13fr.info; 1sense.info; 1speed.info. Deobfuscation leads to 1spice.info/t/ (203.121.79.164) where we're redirected to 203.121.79.164/cgi-bin/new/in.cgi?p=user4, both URLs try to exploit MDAC ActiveX code execution (CVE-2006-0003) vulnerability. Another exploit URL is also active at this IP - 203.121.79.164/web/index.php which is Icepack is action.

Related posts:

Sunday, November 18, 2007

The "New Media" Malware Gang

Since Possibility Media's Malware Fiasco, I've been successfully tracking the group behind the malware embedded attack at each and every online publication of Possibility Media. Successfully tracking mostly because of their lack of interest in putting any kind of effort of making them harder to trace back, namely, maintaining a static web presence, but one with diversifying set of malware and exploits used. Possibility Media's main IFRAME used was 208.72.168.176/e-Sr1pt2210/index.php, and at 208.72.168.176 we have a great deal of parked domains in standby mode such as :

repairhddtech.com
granddslp.net
prevedltd.net
stepling.net
softoneveryday.com
samsntafox.com
himpax.com

grimpex.org
trakror.org
dpsmob.com
besotrix.net
gotizon.net
besttanya.com
carsent.com
heliosab.info
gipperlox.info
leader-invest.net
fiderfox.info
potec.net

However, the latest IPs and domains related to the group are dispersed on different netblocks and are actively serving malware through exploit URLs :

78.109.16.242/us3/index.php
x-victory.ru/forum/index.php (85.255.114.170)
asechka.cn/traff/out.php (78.109.18.154)
trafika.info/stools/index.php (203.223.159.92)

What's so special about this group? It's the connection with the Russian Business Network. As I've already pointed out, the malware attack behind Possibility Media's was using IPs rented on behalf of RBN customers from their old netblock, here are two such examples of RBN IPs used by this group as well :

81.95.149.236/us3/index.php
81.95.148.162/e202/

In case you also remember, some of this group's URLs were also used as communication vehicle with a downloader that was hosted on a RBN IP, that very same RBN IP that was behind Bank of India's main IFRAME. Now that's a mutually beneficial malicious ecosystem for both sides. Here are more comments on other ecosystems.

But of Course I'm Infected With Spyware

Remember those old school fake hard drive erasers where a status bar that's basically doing a directory listing is shown, and HDD activity is stimulated so that the end user gets the false feeling of witnessing the process? Fake anti spyware and anti virus software, like the ones courtesy of the now fast-moving RBN, have been using this tactic for a while, and adding an additional layer of social engineering tricks by obtaining the PCs details with simple javascript. The folks behind online-scan.com; spyware.online-scan.com; antivirus.online-scan.com own a far more deceptive domain name compared to RBN's ones. In fact, even an anti virus vendor could envy them for not picking it up earlier and integrating it in upcoming marketing campaign or service to come. SpywareSoftStop's statements :


"At present the Internet is stuffed with viruses of any kind. Every PC is at risk and most probably IS infected. Anti-viruses can detect viruses only, but spyware, installed surreptitiously on a PC without the user's informed consent, is modified each day and solely particularized software can help to detect and remove it. However, a spyware program is rarely alone on a computer: an affected machine can rapidly be infected by many other components. In some infections, the spyware is not even evident; moreover, some types of spyware disable software firewalls and anti-virus software, and/or reduce browser security settings, thus opening the system to further opportunistic infections, much like an immune deficiency disease. Right now your system is going to be scanned and spyware, if any, will be detected."

The name servers preved.spywaresoftstop-support.com and medved.spywaresoftstop-support.com serve : spywaresoftstop.com; spywaresoftstop-cash.com; spywaresoftstop-support.com. The popup at online-scan.com that's now returning a 404 error for ldr.exe (downloadfilesldr.com/download/2/ldr.exe) will even appear if you try to close the window while your PC is "being scanned". What's ldr.exe? It's the default output of a DIY malware courtesy of Pinch.

Friday, November 16, 2007

Lonely Polina's Secret

Just as I've been monitoring lots of spam that's using Geocities redirectors, yesterday Nicholas posted some details on a malware campaign using Geocities pages as redirectors, and Roderick Ordonez acknowledged the same. Original Geocities URLs used : geocities.com/MediciChavez7861 (active) ; geocities.com/IliseNkrumah2 (down) ; geocities.com/GounodNanon5 (down). Original message of the spam campaign :

"Hallo! Meine Name ist Polina. Ich bin Studentin und Ich habe zur Germany zu lernen angekommen . Ich suche mich den Freund und der Sex-Partner. Aller dass Ich will es ist ein guter Mann. Sie sollen ernst, sicher, klug sein. Geben Sie mich zu wissen wenn Sie wollen mit mir treffen. Ebenso konnen Sie einfach mein Freund sein. Sie konnen meine Fotos auf meiner Seite sehen: geocities.com/MediciChavez7861 BITTE, NURR DIE ERNSTE Vorschlages. KUSSE, POLINA"

The fake lonely German student Polina was also accessible from other URLs as well - ThePagesBargain.ru/polina; dibopservice.com, both now down as well as the main 58.65.238.36/polina URL which is forwarding to baby.com in an attempt to cover up the campaign -- you wish. Internal pages within the IP are still accessible - 58.65.238.36/index2_files/index3.htm; 58.65.238.36/index2_files/index.htm, and so is the malware itself - 58.65.238.36/iPIX-install.exe.

Malware campaigners are not just setting objectives and achieving them, they're also evaluating the results and drawing conclusions on how to improve the next campaign. Back in January, 2006, I emphasized on the emerging trend of localization in respect to malware, take for instance the release of a trojan in an open source form so that hacking groups from different countries could localize it by translating to their native language and making it even more easy to use, as well as the localization of MPack and IcePack malware kits to Chinese. In this campaign, a localized URL was also available targeting Dutch speaking visitors 58.65.238.36/polinanl, so you you have a German and Dutch languages included, and as we've seen the ongoing consolidation of malware authors and spammers serves well to both sides, spammers will on one hand segment all the German and Dutch emails, and the malware authors will mass mail using localized message templates. Great social engineering abusing a common stereotype that for instance German users were definitely flooded with English messages courtesy of Storm Worm targeting U.S citizens, which is like a Chinese user who's receiving a phishing email from the Royal Bank of Scotland - it's obvious both of these are easy to detect. Which is what localization is all about, the malware and spam speaks your local language. One downsize of this campaign is that Polina doesn't really look like a lonely German student, in fact she's a model and these are some of her portfolio shots.

Let's discuss how are the malware campaigners coming up with these Geocities accounts at the first place. Are the people behind the campaign manually registering them, outsourcing the registration process to someone else, or directly breaking the CAPTCHA? Could be even worse - they may be buying the already registered Geocities accounts from another group that's specializes in registering these, a group which like a previously covered concept of Proprietary Malware Tools is earning revenues based on higher profit margins given they don't distribute the product, but provide the service thereby keeping the automatic registration process know-how to themselves. Once the authentication details are known, the process of anything starting from blackhat SEO, direct spamming, malware hosting, and embedding such scripts, even IFRAMEs in a fully automated fashion.

Meanwhile, what are the chances there's another scammy ecosystem on the same netblock? But of course. vaichoau.com fake watches, pimpmovie.net malware C&C, urolicali.com.cn spammers, westernunion.reg-login.com a phishing url.

Thursday, November 15, 2007

First Person Shooter Anti-Malware Game

Just when you think you've seen everything "evil marketers" can come up to both, consciously and subconsciously influence your purchasing behaviour and improve the favorability scale towards a company - you can still get surprised. After a decent example of the DIY marketing concept, Microsoft's perception of security as a "threat from outer space", an example of rebranding a security vendor, the Invible Burglar game, here comes another good example of new media marketering practice - while some companies seek to embed their logos into popular games, others are coming up with ones on their own. Symantec's Endpoint Protection Game - a first person shooter where the typically mutated creatures are replaces with viruses, spyware and rootkits is what I'm blogging about :


"Your task is to simply save your global network from viruses, worms, and a hideous host of online threats that are poised to take your IT infrastructure down."

Eye catching trailer as well. Such marketing campaigns can have a huge educational potential if they're, for instance, customized for a specific security awareness program module.

Cyber Jihadist Blogs Switching Locations Again

Having had their blogs removed from Wordpress in a coordinated shutdown operation courtesy of the wisdom of the anti cyber jihadist crowd, The Ignored Puzzle Pieces of Knowledge and The Caravan of Martyrs have switched location to these URLs - inshallahshaheed.muslimpad.com; inshallahshaheed.acbox.com; caravanofmartyrs.muslimpad.com; ignoredknowledge.blogspot.com. Apparently there's an ongoing migration of cyber jihadist blogs from Wordpress to Muslimpads presumably with the idea to increase the time from a TOS abuse letter to shut down, if shut down ever occures given Muslimpad is significantly biased in removing such positioned as "free speech" communities given it's hosting provider is islamicnetwork.com. Should such propaganda be tolerated? This is where the different mandates of anti cyber jihadist organizations across the world contradict with each other. Some have a mandate to shut down such blogs and sites as soon as they come across such, others have a mandate to monitor and analyze these to keep in pace with emerging threats in the form of real-time intelligence, and in the near future other participants will have a mandate to infect such communities with malware ultimately targeting the cyber jihadists behind them or the visitors themselves.

The bottom line - the propaganda in the form of step-by-step video of an attack in question is a direct violation of their operational security (OPSEC) thereby providing the world's intelligence community with raw data on their warfare tactics. The propaganda's trade off is similar to that of the Dark Cyber Jihadist Web, while you may want to reach as many future recruits and "converts" as possible, you increase the chance of an intelligence analyst coming across your community, compared to closing it down to sorted and trustworthy individuals and therefore limiting the number of potential future jihadists. Inshallahshaheed are however, going for mass marketing with full speed, and in fact maintain a modest repository of videos at inshallahshaheed.vodpod.com. By the way, what's the difference between wishful thinking and thought crime? It's a threat that proves there's a positive ROI of your actions.

Related posts :
GIMF Switching Blogs
GIMF Now Permanently Shut Down
GIMF - "We Will Remain"

Wednesday, November 14, 2007

Popular Spammers Strategies and Tactics

It's been a while since I last participated with an article for WindowSecurity.com, so here it goes - Popular Spammers Strategies and Tactics :

"During 2007, spammers on a worldwide basis demonstrated their adaptability to the ongoing efforts anti-spam vendors put into ensuring their customers enjoy the benefits of having a spam-free inbox. What strategies do spammers use in order to achieve this? What tactics do they use in order to obtain email addresses, verify their validity, ensure they reach the highest number of receipts as possible in the shortest time span achievable, while making sure their spam campaigns remain virtually impossible to shut down?"

The article covers strategies and tactics such as : Redirectors/doorway pages; Rapid tactical warfare; Verification/confirmation of delivery; Consolidation; Outsourcing; and Affiliation based models.

Electronic Jihad's Targets List

Despite the fact that the Electronic Jihad 3.0 campaign was a futile attempt right from the very beginning, given the domains that were supposed to synchronize the targets to be attacked were down, it's interesting to try finding out who were they targeting at the first place? In the first campaigns, the URLs of the targets, not the victims since they couldn't scale enough to cause even partial damage, were obtainable via the web, compared to the third one where they were about to get synchronized. And since the synchronization URLs were down before we could take a peek, here are the targets URLs from the first two campaigns.

First campaign's targets list :
gov.il
keshmesh.net
meca-love4all.com
love4all.us

Second campaign's targets list :
love4all.us
islameyat.com
aldalil-walborhan.com
rapsaweyat.com
investigateislam.com
meca-me.org
ladeeni.net
meca-love4all.com

The attached table is the classificaton of the attacks, as site to be attacked, reason for the attack, importance, the results, and the site's status after tha attack, namely is it up and running or shut down completely, and how shutting it down would please God.

There's a saying that a person is judged by the type of enemies he has. If we apply it in this situation, you would see a bunch of inspired wannabe cyber jihadists whose biggest enemy is their idiocity at the first place. So, if these are the cyber jihadist enemies of yours - lucky you, and your critical infrastructure's integrity.

Scammy Ecosystem

In this example of a scammy ecosystem, you have a single IP (88.255.90.50) hosting the now, retro WebAttacker exploitation kit (inn2coming.com/income/index.php), a viagra scam (pctabletshop.hk) on the second parked domain, and an investment banking scams on another two - progold-inv.biz; cfinancialservice.com. Now, all they're missing is a Rock Phish kit hosted on it and it would have made it an even more interesting operation to monitor. Of course putting more personal efforsts into everything pays off. The same netblock is also hosting such popular downloader's update locations and live exploit URLs such as stat1count.net; all1count.net; and the recently appeared on the radar mediacount.net (88.255.90.253).

Monday, November 12, 2007

Teaching Cyber Jihadists How to Hack

Yet another indication of the emerging trend of building a knowledge-driven cyber jihadist community, are such online archives with localized to Arabic standard security and hacking research papers, ones you definitely came across to before, or may have in fact written by yourself. As I've already discussed this trend in previous posts, it's a PSYOPS strategy in action, one that's aiming to improve the overall perception of cyber jihadists' ability to wage their battles without using software and web services of their enemies. Whether the investment in time and resources is worth it is another topic, what's worth pointing out are the efforts they put into localizing the content in between adding the standard propaganda layer, and later on, building a community around it.

p0rn.gov - The Ongoing Blackhat SEO Operation

Want pr0n? Try .gov domains in general, ones that have been getting the attention of blackhat SEO-ers for a while, just like the most recent related cases where the City of Chetek, Winsonsin, the City of Somerset, Texas and Town of Norwood, Massachusetts got their blackhat SEO injection. The previous attack is related to the one I'll assess in this post, the blackhat SEO tool is the same given the static subdomains generated, what remains to be answered is how they've managed to get access to the control panels of the domains in order to add the subdomains? Let's look at the facts :


- the targets in this attack are The Virgin Islands Housing Finance Authority (VIHFA), and the City Of Selma, Alabama

- this is the second blackhat SEO operation uncovered during the past couple of months targeting .gov domains

- access to the control panels is somehow obtained so that subdomains pointing to 89.28.13.207 (89-28-13-207.starnet.md) and 89.28.13.195 (89-28-13-195.starnet.md) are added at both domains

- both .gov domains that are targets in this attack are using a shared hosting provider, meaning their IP reputation is in the hands of everyone else's web activities responding under the same IP

- no malware is served in this incident, compared to the previous one, a combination of malware and blackhat SEO

Subdomains at City of Selma currently hosting around 9000 blackhat SEO pages :

m21.selma-al.gov
m22.selma-al.gov
m23.selma-al.gov
m24.selma-al.gov
m25.selma-al.gov
m26.selma-al.gov
m27.selma-al.gov
m28.selma-al.gov
m29.selma-al.gov
m30.selma-al.gov
m31.selma-al.gov
m32.selma-al.gov
m33.selma-al.gov
m34.selma-al.gov

Subdomains at the Virgin Islands Housing Finance Authority with constantly changing structure :

a1.a.vihfa.gov
a2.a.vihfa.gov
a3.a.vihfa.gov
a4.a.vihfa.gov
a5.a.vihfa.gov
a6.a.vihfa.gov
a7.a.vihfa.gov
a8.a.vihfa.gov
a9.a.vihfa.gov
a10.a.vihfa.gov

Related subdomains now no longer responding :

2k110.x.vihfa.gov
2k106.x.vihfa.gov
j11.y.vihfa.gov
j9.y.vihfa.gov
z1.z.vihfa.gov

Where's the connection between this blackhat SEO operation and the previous one? It's not just that both subdomains at the different .gov's are responding to IPs from the same netblock, but also, 89.28.13.202 is responding to City of Somerset's subdomains from the previous incident such as : j6.y.somersettx.gov; st9.x.somersettx.gov; x.somersettx.gov.

Looks like someone in Moldova will get spanked for these incidents.

Targeted Spamming of Bankers Malware

This particular incident is interesting mostly because we have a good example that once a site gets compromised the potential for abusing the access for malware distribution becomes very realistic, this is in fact what happened with autobroker.com.pl, as the following URLs were active as of yesterday, now down due to notification. Basically, the compromised host, compromised in an automatic and efficient way for sure, started acting as the foundation for the campaign, which as it looks like was spammed in a targetted manner. A tiny php file at autobroker.com.pl/l.php was launching the downloader :

TROJ.BANLOAD
Result: 18/31 (58.07%)
File size: 46080 bytes
MD5: 690e71077c9d78347368c6cf8752741e
SHA1: 7dedad0778a24c69d6df4c8ceedc94f20292473e

the downloader then drops the following bankers that are strangely hosted on the French site Opus Citatum, and are still active :

opuscitatum.com/modules/PHP%20Files/__steampw12318897_.exe

Trojan-Spy.Win32.Banker.ciy
Result: 9/32 (28.13%)
File size: 2498560 bytes
MD5: cee1fdea650487e0865a1b8831db1e73
SHA1: ad55ff3e5519d88b930d6a0a695e71fcc253351e

opuscitatum.com/modules/PHP%20Files/Ivete_Sangalo.scr

Trojan.PWS.Banker
Result: 13/32 (40.63%)
File size: 2505216 bytes
MD5: 1bdb0d3e13b93c76e50b93db1adeed3e
SHA1: f472693da81202f4322425b952ec02cbff8d72bc

The campaign was originally spammed with the messages : "Chegou 1 vivo foto torpedo" and "Vivo torpedo foi enviado de um celular para seu e" by using the web based spammer you can see in the attached screenshot.

More info about banking malware, comments on a recently advertised metaphisher malware kit with banker trojans infected hosts only showcasing the malicious economies of scale botnet masters mentality, as well as related posts on targeted malware attacks.

Friday, November 09, 2007

Yet Another Malware Outbreak Monitor

Such early warning security events systems always come as handy research tools for security analysts and reporters, and it's great to see that more and more vendors are continuing to share interactive threats data in real-time, type of data that used to be proprietary one several years ago. Commtouch's recently announced Malware Outbreak Center is another step in the right direction of intelligence data sharing, and building more transparency on emerging spam and malware outbreaks :

"The Commtouch Malware Outbreak Center displays a sample of email-borne malware that has recently been detected and blocked by Commtouch's Zero-Hour(TM) Virus Outbreak Protection solution. It also incorporates data from AV-Test.org, an independent third-party organization that tests most of the commercially available anti-virus scanners. This data enables the Center to publish comparative detection times for leading AV vendors, a first in this comprehensive format which includes malware variant checksum. Detection times are critical, since individual virus variants often peak and then nearly disappear, all in under three hours. IT managers now have access to an online tool that allows them to verify their AV vendor's performance for each new outbreak, and to download comparative data per malware variant."

Zero day DIY malware, and open source one undermine the reactive response time's model, but without anti virus signatures in 2007 your company and customers would still be getting infected by outdated Netsky samples - it's a fact, yet not the panacea of dealing with malware, and has never been. Another important issue that deserves to be discussed is the issue with the virus outbreak time of different vendors in Stormy Wormy times for instance. In the past, vendors were even using their detection in the wild, and on-the-fly binary obfuscation which in times of open source malware results in countless number of variants. Good PR is vital, and so is gaining competitive advatange in the minds of prospective customers by positioning the company among the first to have responded to the outbreak, but it raises the issue on the degree of exchanging malware samples between the vendors themselves, and the lack of transparency here. The way initiatives in the form of honeyfarms contributing hundreds of malware samples, and "wisdom of crowds" end users filling the gaps in reactive response indirectly protect millions of customers on behalf of anti virus software, in this very same way exchanging malware samples in the shortest possible time frame, ultimately benefits each and every customer and organization that's having an anti virus in its perimeter defense strategy.

A non-profit honeyfarm can collect hundreds of thousands of undetected malware samples in a single month, let's speculate that it could even outperform a small AV vendor's malware aggregation capabilities. In the anti virus industry, branding is crucial and therefore the non-profit honeyfarm cannot enter the market, instead, it's only incentive to donate the samples to the anti virus vendors is that of social responsibility. AVs should build more awareness on the importance of malware samples sharing among them, compared to pitching themselves as the vendor who first picked up the outbreak and protected its customers. Bargaining with someone's upcoming infection isn't that much of a success if you think about it. "Hey that signature is mine" days should have been over by now.

Moreover, it's a basic principle of every competitive market that the more competition, the more choices the customer would have, thereby making vendors innovate or cease to exist in irrelevance. Does the same apply to the anti virus market? Can we have a built-to-flip honeyfarm into an anti virus vendor to be later on acquired and integrated within a company's existing products portfolio? Let's hope not, and it's doubtful as there's a difference between an anti virus software and an "anti virus software", at least from the perspective that the second "anti virus software" may be occupying markets that could have otherwise been served by a better market proposition. Product development of an AV courtesy of a security vendor's products portfolio given the vendor realized that a huge percentage of security spending goes to perimeter defense solutions can be tricky, and even if acquisition has taken place you'd better stick to a company whose core competency is anti virus solutions.

Still Living in the Perimeter Defense World?

Thursday, November 08, 2007

Go to Sleep, Go to Sleep my Little RBN

Yesterday, Paul Ferguson tipped me on the sudden disappearance of the Russian Business Network. And just like babies have different understanding of day and night, the RBN isn't interested in going to sleep too, in fact there's a speculation that they're relocating their infrastructure to China, speculation in terms of that it could be another such localized RBN operation :

"Jamz Yaneza, a Trend Micro research project manager, agreed. "We're seeing signs of RBN-like activity elsewhere, in Turkey, Taiwan and China. RBN may be moving to places even more inaccessible to the law [than Russia]. Everyone knows they were in St. Petersburg, but now they're changing houses, changing addresses. The Spamhaus Project antispam group has posted information that indicates RBN may have already laid claim to IP blocks located in China, Shanghai in particular."

It's always a pleasure to monitor the RBN, a single activity on behalf of their customers represents an entire sample to draw conclusions out of. Catch up with such activities like over 100 Malwares Hosted on a Single RBN IP, Fake Anti Virus and Anti Spyware Software, and the most recent Fake Suspended Account Messages while the IPs are alive and serving exploits and malware. Well, used to.

UPDATE: RBN - Russian Business Network, Chinese Web Space and Misdirection

Wednesday, November 07, 2007

Electronic Jihad v3.0 - What Cyber Jihad Isn't

It's intergalactic security statements like these that provoked me to do my most insightful research into the topic of what is cyber jihad, or what cyber jihad isn't. The news item on cyber jihadists coordinating a massive DDoS attack is a cyclical one, namely it reappears every quarter as it happened in August, and so I reviewed the tool, provided screenshots, and commented that while it's an aspirational initiative, with thankfully lame execution, it's not the coordinated DDoS attack executed in such way that should be feared, but cyber jihadists outsourcing the process. Despite that absolutely nothing has changed in respect to the way the program operates since v2.0, except that al-jinan.org changed to the now down al-jinan.net, the web is buzzing about the plans of wannabe cyber jihadists, the Al Ansar Hacking Team to be precise, to DDoS infidel sites on the 11th of November. Boo! Spooky - Al Qaeda cyber-jihad to begin Nov. 11; The e-Jihadists are coming, the e-Jihadists are coming!; Report: Al Qaeda to Launch Cyber-Attack on Nov. 11; Al-Qaeda Planning Cyber Attack?.


Key points :

- despite that the recommended DoS tool itself in the previous post is detected by almost all the anti virus vendors, in a people's information warfare situation, the participants will on purposely turn off their AVs to be able to use it

- the Electronic Jihad program is an example of poorly coded one, poorly in the sense of obtaining lists of the sites to be attacked from a single location, so you have a situation with 1000 wannabe cyber jihadists not being able to attack anyone in a coordinated manner given the host gets shut down

- the central update locations at the al-jinan.net domain are down, thank you Warintel, and so are the several others included, so you have a situation where forums and people start recommending the tool, they obtained it before the site was shut down, but couldn't get the targets to be attacked list

Time to assess the binary. The program archive's fingerprints as originally distributed :

File size: 358490 bytes
MD5: f38736dd16a5ef039dda940941bb2c0d
SHA1: 769157c6d3fe01aeade73a2de71e54e792047455

No AV detects this one.

E-Jihad.exe as the main binary
File size: 94208 bytes
MD5: caf858af42c3ec55be0e1cca7c86dde3
SHA1: f61fde991bfcc6096fa1278315cad95b1028cb4b

ClamAV - Flooder.VB-15
Panda - Suspicious file
Symantec - Hacktool.DoS

In a people's information warfare incident where the ones contributing bandwidth would on purposely shut down their AVs, does it really matter whether or not an perimeter defense solution detects it? It does from the perspective of wannabe cyber jihadists wanting to using their company's bandwidth for the purposely, an environment in which they are hopefully not being able to shut down the AV, thus forwarding the responsibility for the participation in the attack to their companies.

Al-jinan.org has been down since the Electronic Jihad Against Infidel Sites campaign became evident, the question is - where's the current DDoS campaign site? A mirror of the first campaign is available here - al-ansar.virtue.nu. Cached copy of al-jinan.net (202.71.104.200) is still available. Emails related to Al Ansar Hacking Group - the_crusaders_hell @ yahoo.com; the_crusaders_hell @ hotmail.com; al-ansar @ gooh.net Now the interesting part - where are Al-Jinan's new target synchronization URLs, and did they actually diversified them given that Al-Jinan.net is now down courtesy of what looks like Warintel's efforts? Partly. Here are the update URLs found within the binary :

al-jinan.net/ntarg.php?notdoing=yes
al-jinan.net/ntarg.php?howme=re
al-jinan.net/tlog.php?
al-jinan.net/tnewu.php?
arddra.host.sk/ntarg.php
jofpmuytrvcf.com/ntarg.php
jo-uf.net/ntarg.php

All are down, and jo-uf.net was among the domains used in the first version of the attack. If you think about it, even a wannabe botnet master will at least ensure the botnet's update locations are properly hardcoded within the malware. More details on jo-uf.net.

Let's discuss what cyber jihad isn't. Cyber jihad is anything but shutting down the critical infrastructure of a country in question, despite the potential for blockbuster movie scenario here. It's news stories like these, emphasizing on abusing the Internet medium for achieving their objectives in the form of recruitment, research, fund raising, propaganda, training, compared to wanting to shut it down. Logically, this is where all the investments go, because this is the most visible engagement point between a government and potential cyber terrorists - its critical infrastructure. I'm not saying don't invest in securing it, I'm just emphasizing on the fact that you should balance such spendings with the pragmatic reality which can be greatly described by using an analogy from the malware world, and how what used to be destructive viruses are now the types of malware interested in abusing your data, not destroying it.

The real threat does not come from wannabe cyber jihadists flooding a particular site in a coordinated manner, but from outsourcing the entire process to those who specialize in the service, or providing the infrastructure for it on demand. Now that's of course given they actually manage to keep up the update locations for longer than 24 hours, and achieve the mass effect of wannabe cyber jihadists using it all at once, the type of Dark Web Cyber Jihad trade-off.