Wednesday, February 27, 2008
RBN URLs used in the phishing redirects :
Known malware to have been connecting to 18.104.22.168 :
Trojan-PSW.Win32.LdPinch.bno, Trojan-Downloader.Win32.Small.emg, Trojan.Nuklus, where the malware detected under different names by multiple vendors is the only one that ever made a request to 22.214.171.124, which in a combination with the fact that the screenshot is made out of Nuklus production speaks for itself.
Some facts are better known later, than never.
buytraffic.cn/in.cgi?11 - 126.96.36.199
sclgntfy.com/ent2763.htm - 188.8.131.52
tds-service.net/in.cgi?20 - 184.108.40.206
spywareisolator.com/landing/?wmid=sga - 220.127.116.11
warinmyarms.com/check/upd.php?t=670 - 18.104.22.168
coripastares.com/in.php?adv=1267&val=3ee328 - 22.214.171.124
xanjan.cn/in.cgi?mikh - 126.96.36.199
chportal.cn/top/count.php?o=4 - 188.8.131.52
buhaterafe.com/in.php?adv=1208&val=65286d - 184.108.40.206
Who says there's no such thing as free malware cocktails.
Related posts :
MDAC ActiveX Code Execution Exploit Still in the Wild
Malware Serving Exploits Embedded Sites as Usual
Massive RealPlayer Exploit Embedded Attack
Syrian Embassy in London Serving Malware
Bank of India Serving Malware
U.S Consulate St. Petersburg Serving Malware
The Dutch Embassy in Moscow Serving Malware
U.K's FETA Serving Malware
Anti-Malware Vendor's Site Serving Malware
The New Media Malware Gang - Part Three
The New Media Malware Gang - Part Two
The New Media Malware Gang
A Portfolio of Malware Embedded Magazines
Another Massive Embedded Malware Attack
I See Alive IFRAMEs Everywhere
I See Alive IFRAMEs Everywhere - Part Two
Tuesday, February 26, 2008
Monday, February 25, 2008
- Utah Attorney General’s Office Identity Theft Reporting Information System -
idtheft.utah.gov/pn/modules/pagesetter/pntemplates/plugins - 20, 200 SEO pages
- Mid-Region Council of Governments - mrcog-nm.gov/includes/phpmailer/language - 3, 630 pages
- Readyforwinners e-magazine - readyforwinners.hertscc.gov.uk/templates/2 - 890 SEO pages
- National Homecare Council - homecare.gov.uk/nhcc.nsf/discmainview - 220 SEO pages
- Washington Wing Website - wawg.cap.gov/calendar/editor/themes/simple - 93 SEO pages
- Fauquier County - fauquiercounty.gov/government/departments/procurement - 69 SEO pages
- Wisconsin Department of Military Affairs - dma.wi.gov/mediapublicaffairs - over 1,000 pages embedded with "invisible SEO content" meaning the content is also visible to search engines just like the one in a previous assessment
Sampling the outgoing links also speaks for itself, take canadianmedsworld.com (220.127.116.11) for instance, and the fact that a great deal of outgoing links also respond to nearby IPs within the scammy ecosystem (217.170.77.*) such as :
This is perhaps the perfect moment to clarify that the appropriate people responsible for auditing and securing these hosts, are already doing their forensics job and are coming up with more data, on how it happened, when it happened, and who could be behind it - an example of threat intell sharing a concept that should be getting more attention than it is for the time being. So far, there haven't been repeated incidents like the malware serving ones I assessed in previous posts, but as it's obvious they're automatically capable of embedding and locally hosting any content, it's only a matter of intentions in this case.
Friday, February 22, 2008
"In typical proxybot infections we investigate proxy servers are installed on compromised machines on random high ports (above 1024) and the miscreants track their active proxies by making them "call home" and advertise their availability, IP address, and port(s) their proxies are listening on. These aggregated proxy lists are then used in-house, leased, or sold to other criminals. Proxies are used for a variety of purposes by a wide variety of people (some who don't realize they are using compromised machines), but spam (either SMTP-based or WEB-based) is definitely the top application. The proxy user will configure their application to point at lists of IP:Port combinations of proxybots which have called home. This results in a TCP connection from the "outside" to a proxybot on the "inside" and a subsequent TCP (or UDP) connection to the target destination (typically a mail server on the outside)."
The commercial aspect's always there to say, and vertically integrate since besides selling the product in the form of the tool for, they could eventually start coming up with various related, and of course malicious services in the form of spamming, phishing etc. It's perhaps more interesting to discuss the big picture. Once a great deal of these malware infected hosts is accumulated in such a way, there's no accountability, and these act as stepping stones for any kind of cybercrime activities, as well as the foundation for other services such as the managed fast-flux provider I once exposed.
Stepping stones as a concept in cyberspace, can be used for various purposes such as, engineering cyber warfare tensions, virtual deception, hedging of risk of getting caught, or actually risk forwarding to the infected party/country of question, PSYOPs, the scenario building approach can turn out to be very creative. One of the main threats possed by the use of infected hosts as stepping stones that I've been covering in previous posts related to China's active cyber espionage and cyber warfare doctrine, is that of on purposely creating a twisted reality. China's for instance the country with the second largest Internet population, and will soon surpass the U.S, logically, it would also surpass the U.S in terms of malware infects hosts, and with today's reality of malware, spam and phishing coming from such, China will also undoubtedly top the number one position on malicious activities.
However, with lack of accountability and so many infected hosts, is China the puppet master the mainstream media wants you to believe in so repeatedly, or is the country's infrastructure a puppet itself? One thing's for sure - asymmetric and cost-effective methods for obtaining foreign intelligence and research data is on the top of the agenda on every government with an offensive cyber warfare doctrine in place.
Thursday, February 21, 2008
"By localization of malware, I mean social engineering attacks, use of spelling and grammar free native language catches, IP Geolocation, in both when it comes to future or current segmented attacks/reports on a national, or city level. We are already seeing localization of phishing and have been seeing it in spam for quite some time as well. The “best” phish attack to be achieved in that case would be, to timely respond on a nation-wide event/disaster in the most localized way as possible. If I were to also include intellectual property theft on such level, it would be too paranoid to mention, still relevant I think. Abusing the momentum and localizing the attack totarget specific users only, would improve its authenticity. For instance, I’ve come across harvested emails for sale segmented not only on cities in the country involved, but on specific industries as well, that could prove invaluable to a malicious attack, given today’s growth in more targeted attacks, compared to mass ones."
It's been happening ever since, and despite that it's already getting the attention of vendors, malware authors do not need to know any type of foreign language to spread malware, spam and phishing emails in the local language, they do what they're best at (coding, modifying publicly obtainable bots source code), and outsource the things they cannot do on their own - come up with a locally sound message which would leter on be used for localized malware, spam and phishing attacks, a tactic with a higher probability of success if there were to also request that spammers can segment the harvested email databases for better campaign targeting. The Release of Sage 3 - The Globalization of Malware :
"In this issue we look at the growing trend of localization in malware and threats. Cybercriminals are increasingly crafting attacks in multiple languages and are exploiting popular local applications to maximize their profits. Cybercrooks have become extremely deft at learning the nuances of the local regions and creating malware specific to each country. They're not just skilled at computer programming they're skilled at psychology and linguistics, too."
With all due respect, but I would have agreed with this simple logic only if I wasn't aware of translation services on demand for anything starting from malware to spam and phishing messages. We can in fact position them in a much more appropriate way, as "cultural diversity on demand" services, where local citizens knowingly or unknowingly localize messages to be later on abused by malicious parties. Malware authors aren't skilled at linguistics and would never be, mainly because they don't even have to build this capability on their own, instead outsource it to cultural diversity on demand translation services, ones that are knowingly translating content for malware, spam and phishing campaigns.
The perfect example would be MPack and IcePack's localization to Chinese, and yet another malware localized to Chinese, as these two kits are released by different Russian malware groups, but weren't translated by them to Chinese, instead, were localized by the Chinese themselves having access to the kits - a flattery for the kits' functionality, just like when a bestseller book gets translated in multiple languages. As for the socioeconomic stereotype of unemployed programmers coding malware, envision the reality by considering that sociocultural, rather than socioeconomic factors drive cybercrime, in between the high level of liquidity achieved of course.
01. quinquecahue.com (18.104.22.168)
02. akamahi.net (22.214.171.124)
03. thetechnorati.com (126.96.36.199)
04. vozemiliogaranon.com (188.8.131.52)
05. newbieadguide.com (184.108.40.206)
06. traffalo.com (220.127.116.11)
07. burnads.com (18.104.22.168)
09. adtraff.com (22.214.171.124)
10. mysurvey4u.com (126.96.36.199)
11. traveltray.com (188.8.131.52)
12. tds.promoplexer.com (184.108.40.206)
Additional domains sharing IPs with some of the domains, ones that will eventually used in upcoming campaigns :
Contact details of the fake new media advertising agencies :
- Traffalo - "A Leader in Online Behavioral Marketing"
- MyServey4u - "Relax At Home ... And Get Paid For Your Opinion!"
- AdTraff - "Leader enterprise in Online Marketing"
Phone number: +49-511-26-098-2104
Detection rate :
gnida.swf : Result: 21/32 (65.63%)
File size: 3186 bytes
The bottom line - who's behind it? Now that pretty much all the domains involved are known, as well as the structure of the campaign itself, it's interesting to discuss where are all the advertisements pointing to. Can you name a three letter acronym for a cybercrime powerhouse? Yep, RBN's historical customers' base, still using RBN's infrastructure and services. Here's further analysis of this particular case as well - Inside Rogue Flash Ads, by Dennis Elser and Micha Pekrul, Secure Computing Corporation, Germany, as well as a tool specifically written to detect and prevent such types of malvertising practices.
Wednesday, February 20, 2008
"Quickly and easily learn who blocked you on MSN. The longly awaited feature for MSN Messenger, completely for free! Please input your MSN Messenger account information to learn who has blocked you. Our system will login with this information and learn who has blocked you."
Domains and DNS entries are still active, content's currently hidden :
msnliststatus.com - 220.127.116.11
msnblockerlist.com - 18.104.22.168
msnblocklist.org - 22.214.171.124
blockdelete.com - 126.96.36.199
Why would malicious parties care for collecting accounting data for IM users? If we're to put basic scenario building intelligence logic in this particular case, having access to couple of hundreds IM accounts acts as the perfect foundation for a IM malware spreading campaign, where access to the stolen data is actually the distribution vector. What would malicious parties do if they want to vertically integrate and earn higher return on investment in this case? They would segment the screenames by countries, cities and other OSINT data available, and earn higher-profit margins with the segmentation service offered to SPIMmmers.
MSN Spamming Bot
DIY Fake MSN Client Stealing Passwords
Thousands of IM Screen Names in the Wild
Yahoo Messenger Controlled Malware
The business strategies applied for such a hefty amount of money, are the lack of transparency means added biased exclusiveness, in order to cash-out through high-profit margins while taking advantage of the emerging malware kits cash bubble. A bargain hunter will however look for the cheapest proposition from multiple sellers, or subconsiously ignore the existence of the kit until it leaks out, and turns into a commodity just like MPack and IcePack are nowadays.
Related posts :
The WebAttacker in Action
Nuclear Malware Kit
The Random JS Malware Exploitation Kit
Metaphisher Malware Kit Spotted in the Wild
The Black Sun Bot
The Cyber Bot
Monday, February 18, 2008
- Cobb County Government - cobbcountyga.gov/css - over 2,240 pages
- Benton Franklin Health District - bfhd.wa.gov/search/templates/dark/.thumbs - 1,200 pages
- Bridger, Montana - freeporn.eee.bridger-mt.gov - 778 pages
- Mid-Region Council of Governments - mrcog-nm.gov/includes/phpmailer/language - 336 pages
- Michigan Senate - senate.michigan.gov/FindYourSenator/top - 26 pages
- Nevada City, California - nevadacityca.gov/postcards - 13 pages
- Brookhaven National Laboratory - pvd.chm.bnl.gov/twiki/pub/Trash/OnlinePharmacy - 12 pages
Who's behind all of these? Checking the outgoing links and verifying the forums the advertisements got posted at could prove informative, but for instance, topsfield-ma.gov/warrant where a single blackhat SEO page was located seems to have been hacked by a turkish defacement group who left the following - "RapciSeLo WaS HeRe !!! OwNz You - For AvciHack.CoM with greets given to "J0k3R inf3RNo ByMs-Dos FuriOuS SSeS UmuT SerSeriiii Ov3R YstanBLue DeHS@ CMD 3RR0R SaNaLBeLa Keyser-SoZe GoLg3 J0k3ReM JackalTR Albay ParS MicroP"
Upon registering at xbanners.biz, you're enticed to IFRAME your web property, and point to xtraff.biz/banner.php (188.8.131.52, also responds to interace8.com and cheap-web-host.net) and xtraff.biz/ads2.htm currently trying to exploit MDAC ActiveX code execution (CVE-2006-0003) through the Neosploit malware kit. Banner.php is for the time being loading IFRAMEs to :
hartnetwork.org/cgi-bin/in.cgi?p=1018b (184.108.40.206) - Neosploit malware kit
Moreover, two other IFRAMEs within banner.php attempt to load a multitude of exploit serving URLs. xtraff.biz/ads1.htm loads :
winhex.org/tds/in.cgi?9 (220.127.116.11; the malware embedded attack againt the French government's Lybia site)
xtraff.biz/ads2.htm loads :
xtraff.biz/ad3.htm loads :
Upon registering at the second affiliate program, the participant is asked to use the following URL to redirect traffic to asearchfor.com/search.php (18.104.22.168); getmysearch.com/search.php (22.214.171.124); merrysearch.com (126.96.36.199). Known domains/IPs with bad reputation. It gets even more interesting as we try to further expand the affiliate program under the many other different domain names they use such as :
Why would they bother sharing the revenues with other parties at the first place? To hedge of risk of getting caught serving malware directly, so what they're basically doing is risk-forwarding the serving process to each and every participant in the affiliate network. The bottom line - xbanners.biz is a frontend to xtraff.biz's malicious practices, and xtraff.biz itself is a frontend to FunPPC.com, among the many affiliate programs that once establishing trust with a web site owner, start abusing it by randomly serving live exploir URLs and dropping malware.
- Ukrtelegroup Ltd
188.8.131.52 - 184.108.40.206
220.127.116.11/16 - 18.104.22.168/17
- Hong Kong Hostfresh
22.214.171.124 - 126.96.36.199
Hong Kong Hostfresh
No. 500, Post Office,
Tuen Mun, N.T,
These are not just some of the major malware hosting and C&C providers, their infrastructure is also appearing on each and every high-profile malware embedded attack assessment that I conduct. And since all of these are malicious, the question is which one is the most malicious one? Let's say certain netblocks at TurkTelecom are competing with certain netblocks at UkrTeleGroup Ltd, however, the emphasis shouldn't be on the volukme of malicious activities, but mostly regarding the ones related to the RBN, and the majority of high-profile malware embedded attacks during 2007, and early 2008.
Sample blogs :
With a basic sample of ten such blogs, the entire operation could be tracked down and removed from Google's index. And while firesearch.sc is pitching itself as a "search engine that you can trust", it looks like it's not generating revenues for the people behind the operation, but also, acts as a keyword popularity blackhole.
The Invisible Blackhat SEO Campaign
Attack of the SEO Bots on the .EDU Domain
Malicious Keywords Advertising
Visualizing a SEO Links Farm
Spammers and Phishers Breaking CAPTCHAs
But of Course It's a Pleasant Transaction
Vladuz's EBay CAPTCHA Populator
The Blogosphere and Splogs
p0rn.gov - The Ongoing Blackhat SEO Operation
Wednesday, February 13, 2008
And with Mpack's now easily detectable routines, they're migrating to use the Advanced Pack, a copycat malware exploitation kit, trouble is it's all done in an organized and efficient manner.
Detection rate : 17/32 (53.13%) for Win32.Virtob.BV; W32/Virut.j
Naturally, according to publicly obtainable data in a typical OSINT style, the domain used to respond to an IP within RBN's previous infrastructure. The big picture is even more ugly as you can see in the attached screenshot indicating a huge number of different malwares that were using ntkrnlpa.info as a connection/communication host in the past and in the present. I wonder would the vendor brag about their outbreak response time regarding the malware that come out of their site in times when malware authors are waging polymorphic DoS attacks on vendors/reseachers honeyfarms to generate noise?
Tuesday, February 12, 2008
"BlackEnergy is an HTTP-based botnet used primarily for DDoS attacks. Unlike mostcommon bots, this bot does not communicate with the botnet master using IRC. Also, wedo not see any exploit activities from this bot, unlike a traditional IRC bot. This is a small(under 50KB) binary for the Windows platform that uses a simple grammar tocommunicate. Most of the botnets we have been tracking (over 30 at present) are locatedin Malaysian and Russian IP address space and have targeted Russian sites with theirDDoS attacks."
The following are currently live botnet C&Cs administration panels, and with BlackEnergy's only functionality in the form of DDOS attacks, it's a good example of how DDoS on demand or DDoS extortion get orchestrated through such interfaces :
It's getting even more interesting to see different campaigns within, that in between serving Trojan.Win32.Buzus.yn; Trojan.Win32.Buzus.ym; Trojan-Proxy.Small.DU, there's also an instance of Email-Worm.Zhelatin. A clear indication of a botnet in its startup phrase is also the fact that all the malware binaries that you see in the attached screenshot use one of these hosts as both the C&C and the main binary update/download location.
The bottom line - according to publicly obtainable stats and the ever-growing list of high-profile malware embedded attacks, legitimate sites serve more malware than bogus ones as it was in the past in the form of dropped domains for instance. How come? Malware campaigners figured out that trying to attract traffic to their malware domains is more time and resources consuming than it is to take advantage of the traffic a legitimate site is already getting. In fact, they're getting so successful at embedding their presence on a legitimate site that they're currently taking advantage of "event-based social engineering" campaigns by embedding the malware at one of the first five search engine results to appear on a particular event.