Wednesday, November 19, 2008

The DDoS Attack Against Bobbear.co.uk

When you get the "privilege" of getting DDoS-ed by a high profile DDoS for hire service used primarily by cybercriminals attacking other cybercriminals, you're officially doing hell of a good job exposing money laundering scams.

The attached screenshot demonstrates how even the relatively more sophisticated counter surveillance approaches taken by a high profile DDoS for hire service can be, and were in fact bypassed, ending up in a real-time peek at how they've dedicated 4 out of their 10 BlackEnergy botnets to Bobbear exclusively.

Perhaps for the first time ever, I come across a related DoS service offered by the very same vendor - insider sabotage on demand given they have their own people in a particular company/ISP in question. Makes you think twice before considering a minor network glitch what could easily turn into a coordinated insider attack requested by a third-party. Moreover, now that I've also established the connection between this DDoS for hire service and one of the command and control locations (all active and online) of one of the botnets used in the Russia vs Georgia cyberattack, the concept of engineering cyber warfare tensions once again proves to be a fully realistic one.

Related posts:
A U.S military botnet in the works
DDoS Attack Graphs from Russia vs Georgia's Cyberattacks
Botnet on Demand Service
OSINT Through Botnets
Corporate Espionage Through Botnets
The DDoS Attack Against CNN.com
A New DDoS Malware Kit in the Wild
Electronic Jihad v3.0 - What Cyber Jihad Isn't

Thursday, November 13, 2008

Dissecting the Latest Koobface Facebook Campaign

The latest Koobface malware campaign at Facebook, is once again exposing a diverse ecosystem worth assessing in times of active migration to alternative ISPs tolerating or conveniently ignoring the malicious activities courtesy of their customers. The -- now removed -- binaries that the dropper was requesting were hosted at the American International Baseball Club in Vienna, indicating a compromise.

us.geocities .com/adanbates84/index.htm
lostart .info/js/js.js (79.132.211.51)
off34 .com/go/fb.php (79.132.211.51)
youtube-spyvideo .com/youtube_file.html (58.241.255.37)
ahdirz .com/movie1.php?id=638&n=teen (208.85.181.69)
top100clipz .com/m6/movie1.php?id=638&n=teen (208.85.181.67)
hq-vidz .com/movie1.php?id=638&n=teen (208.85.181.68)

The dropper then phones back home to : f071108 .com/fb/first.php (79.132.211.50) with the binaries hosted at a legitimate site that's been compromised :

aibcvienna.org/youtube/ bnsetup24.exe
aibcvienna.org/youtube/ tinyproxy.exe

Related fake Youtube domains participating :
catshof .com (79.132.211.51)
youtube-spy .info (94.102.60.119)
youtubehof .net (218.93.205.30)
youtube-spyvideo .com (58.241.255.37)
yyyaaaahhhhoooo.ocom .pl (67.15.104.83)
youtube-x-files .com (94.102.60.119)

The development of cybercrime platforms utilizing legitimate infrastructure only, has always been in the works. With spamming systems relying exclusively on the automatically registered email accounts at free web based providers, to the automatic bulk registration of hundreds of thousands of domains enjoying a particular domain registrar's weak anti-abuse policies, it would be interesting to monitor whether marginal thinking or improved OPSEC relying on compromised hosts will be favored in 2009.

Related posts:
Fake YouTube Site Serving Flash Exploits
Facebook Malware Campaigns Rotating Tactics
Phishing Campaign Spreading Across Facebook
Large Scale MySpace Phishing Attack
Update on the MySpace Phishing Campaign
MySpace Phishers Now Targeting Facebook
MySpace Hosting MySpace Phishing Profiles