Wednesday, January 28, 2009
This isn't the first time the Register shows an oudated siatuational awareness, following the two month-old coverage of a proprietary email and personal information harvesting tool, which I extensively covered in between receiving comments from one of the affected sites.
A blackhat SEO-ers group that's been generating bogus link farms ultimately serving malware to their visitors during the past couple of months, has recently started poisoning Google Video search queries and redirecting the traffic to a fake flash player using the PornTube template. (The Template-ization of Malware Serving Sites). Approximately 400,000+ bogus video titles have already been crawled by Google Video.
Instead of sticking to a proven traffic acquisition tactic in the face of adult videos, the campaigns are in fact syndicating the titles of legitimate YouTube videos in order to populate the search results. What's also worth pointing out that is that once they start duplicating the content -- like they're doing with specific titles -- based on their 21 bogus publisher domains, they can easily hijack each and every of the first 21 results for a particular video. The fake flash player redirection is served only when the visitor is coming from Google Video, if he or a researcher isn't based on a simple http referer check, a legitimate YouTube video is served.
Upon clicking on the video from any of their publisher domains, the user is taken to porncowboys .net/continue.php (188.8.131.52) then forwarded do xfucked .org/video.php?genre=babes&id=7375 (184.108.40.206) to have the binary served at trackgame .net/download/FlashPlayer.v3.181.exe and qazextra .com/download/FlashPlayer.v3.181.exe. Detection rate for the flash player.
nudistxxx .net - 22,000 bogus video titles
realsexygirls .net - 21,000 bogus video titles
trulysexy .net - 27,100 bogus video titles
madsexygirls .net - 18,900 bogus video titles
mypornoplace .net - 25,700 bogus video titles
hotcasinoxxx .net - 28,900 bogus video titles
hotgirlstube .net - 37,900 bogus video titles
xgirlplayground .com - 50,600 bogus video titles
puresextube .net - 20,700 bogus video titles
xxxtube4u .com - 11,400 bogus video titles
sexygirlstube .net - 63,100 bogus video titles
xporntube .org - 12,800 bogus video titles
xxxgirls .name - 33,500 bogus video titles
girlyvideos .net - 37,500 bogus video titles
mytubecentral .net - 38,900 bogus video titles
puresextube .net - 20,700 bogus video titles
teencamtube .com - 18,400 bogus video titles
celebtube .org - 41,100 bogus video titles
truexx .com - 16,900 bogus video titles
hottesttube .net - 28,100 bogus video titles
hotgirlsvids .net - 27,200 bogus video titles
watch-music-videos .net - 14,900 bogus video titles
marketvids .net - 29,900 bogus video titles
gamingvids .net - 7,930 bogus video titles
hentaixxx .info - 25,500 bogus video titles
The campaign is currently in a cover-up phrase since discussing it yesterday and notifying Google with all the details. But the potential for abuse remains there. Timeliness vs comphrenesiveness of a malware campaign?
Following this example of comprehensivess, take into consideration the timeliness in the face of October 2008's campaign when hot Google Trends keywords were automatically syndicated in order to hijack search traffic which was then redirected to several hundred automatically registered Windows Live blogs whose high pagerank made it possible for the blogs to appear within the first 5 results.
Posted by Dancho Danchev at Wednesday, January 28, 2009
Tuesday, January 27, 2009
Interestingly, the malicious attackers centralized the campaign by parking the three iFrames at the same IP, and since no efforts are put into diversifying the hosting locations, two of them have already been suspended. Let's dissect the third, and the only currently active one. iFrames embedded at the embassy's site:
wsxhost .net/count.php?o=2 (220.127.116.11) redirects to 18.104.22.168 /mito/?t=2 and then to 22.214.171.124 /mito/?h=2e where the binary is served, a compete analysis of which has already been published. The rest of the malicious domains -- registered to email@example.com -- parked at mito's IP appear to have been participating in iFrame campaigns since August, 2008 :
As always, the embassy is iFramed "in between" the rest of the remotely injectable sites part of their campaigns.
Related assessments of embassies serving malware:
Embassy of Brazil in India Compromised
The Dutch Embassy in Moscow Serving Malware
U.S Consulate in St. Petersburg Serving Malware
Syrian Embassy in London Serving Malware
French Embassy in Libya Serving Malware
Posted by Dancho Danchev at Tuesday, January 27, 2009
Wednesday, January 21, 2009
Despite my personal reservations towards the use of Google sponsored ads as an emerging traffic acquisition tactic on behalf of scammers and cybercriminals -- blackhat SEO is getting more sophisticated -- Google sponsored ads are whatsoever still taken into consideration.
The fraudulent AdWords scheme that I'll discuss in this post, is an example of a Dominican scammer (firstname.lastname@example.org; Sms Telecom LLC, Roseau, St. George (00152) Dominica Tel: +117674400530) who's hijacking search queries for popular software applications, taking advantage of geolocation and http referer checks, in order to deliver a customized toolbar while earning revenue part of the Conduit Rewards Program.
Brandjacked software domains part of the AdWords campaign :
The AdWords campaigns are spread across different local Google sites, and are targeting a particular local demographic only. Moreover, if the end user isn't coming from a sponsored ad, the download link on each and every of the participating sites is linking to the official site of the brandjacked software, and if he's coming from where he's supposed to be coming the software bundle including the revenue-generating toolbar is served in the following way :
Upon installation the toolbar generates revenue for the campaigner, and given the fact that a single DIY toolbar can be associated with a single rewards account, the campaigner is also maintaining a modest portfolio of toolbars. For instance :
peer2peerne.media-toolbar.com - UserID=UN20090120111936062
peer2peeren.media-toolbar.com - UserID =598F9353-BD10-47B9-8B40-29B33AD7A3E4
The bottom line is that despite the fact that the campaigner is acquiring lots of traffic through the brandjacking, and is definitely breaking even based on the number of toolbars installed, he's failing to monetize the fraud scheme, at least for the time being.
UPDATE: Hai Habot's comments - "The information you have provided will help us track the publisher and I will personally see that our compliance team looks into it ASAP.
The Conduit Rewards program is not a standard affiliate network. It offers incentives to publishers based on their toolbar’s long term performance. I didn’t look into the stats of this specific publisher yet but I can assure you that such spam traffic would generate very little (if any) rewards. In any case – we will make sure that the rewards account of this publisher will be disabled until this compliance issue is resolved."
Posted by Dancho Danchev at Wednesday, January 21, 2009
Monday, January 19, 2009
rapidspywarescanner .com (126.96.36.199)
Name: Aennova M Decisionware
Address: Rua Maestro Cardim 1101 cj. 112
City: Sgo Paulo
Postal Code: 01323
rapidantiviruspcscan .com (188.8.131.52)
Vadim Selin email@example.com
+74952783432 fax: +74952783432
ul. Vorobieva 98-34
Moskva Moskovskay oblast 127129
antivirus-scan-your-pc .com (184.108.40.206; 220.127.116.11)
Name: Nikolai V Chernikov
Address: yl. Kravchenko 4 korp. 2 kv.17
Postal Code: 119334
secure.softwaresecuredbilling .com (18.104.22.168) registered to Viktor Temchenko (TemchenkoViktor@googlemail.com)
secure.goeasybill .com (22.214.171.124) registered to Chen Qing (firstname.lastname@example.org)
secure-plus-payments .com (126.96.36.199) registered to John Sparck (email@example.com)
A Diverse Portfolio of Fake Security Software - Part Thirteen
A Diverse Portfolio of Fake Security Software - Part Twelve
A Diverse Portfolio of Fake Security Software - Part Eleven
A Diverse Portfolio of Fake Security Software - Part Ten
A Diverse Portfolio of Fake Security Software - Part Nine
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software
Posted by Dancho Danchev at Monday, January 19, 2009
Despite the fact that 2008 was clearly the year of the massive SQL injection attacks hitting everyone, everywhere, massive iFrame injection tools through stolen FTP accounts are still in development. Take for instance this very latest console/web interface based proprietary one currently offered for sale at $30.
Its main differentiation factors according to the author are the pre-verification of the accounting data in order to achieve better speed, advanced logs management and update feature allowing the malicious campaigner to easily introduce new iFrame at already iFrame-ED hosts through the compromised FTP accounts, and, of course, the what's turning into a commodity feature in the face of long-term customer support. In this case, that would be a hundred FTP accounting details to get the customers accustomed to the tool's features.
Interestingly, at least according to the massive SQL injections taking place during the entire 2008, iFrame-ing has reached its decline stage, at least as the traffic acqusition/abuse method of choice. And with SQL injections growing, this very same FTP account data is serving the needs of the blackhat search engine optimizers bargaining on the basis of a pagerank.
Posted by Dancho Danchev at Monday, January 19, 2009
Wednesday, January 14, 2009
Each of these campaigns is orbiting around a unique application released on behalf of the coordinators. In China vs CNN campaign it was anticnn.exe, in the Electronic Jihad campaign it was e-jihad.exe, and in the pro-Israeli hacktivists vs Hamas it is PatriotInstaller.exe. Excluding anticnn.exe which was working, both e-jihad.exe and PatriotInstaller.exe act as examples of how people's information warfare execution goes wrong. How come? The tools failed to deliver what they promised. An idle bot that I left upon becoming a patriotic supporter of the cause, indicated that the participants are basically idling, without any active DDoS attacks against a particular pro-Hamas web site.
Who are the people behind the project?
"We are a group of students who are tired of sitting around doing nothing while the citizens of Sderot and the cities around the Gaza Strip are suffering, NO MORE! We will not sit around and watch our children fear and cry out for help while the missiles are flying over their heads! We say NO MORE!
We created a project that unites the computer capabilities of many people around the world. Our goal is to use this power in order to disrupt our enemy's efforts to destroy the state of Israel. The more support we get, the efficient we are! You download and install the file from our site. The file is harmless to your computer and could be immediately removed. There is no need for identification of any kind - anonymity guaranteed!"
The Help-Israel-Win movement is naturally feeling the heat as well, and is constantly switching locations, with its currently active one - borabora.globat.com/~help-israel-win.com. The following are related domains used by the pro-Israeli cyber warriors:
In times when DDoS attacks can be cost-effectively outsourced, it's pretty surprising that all the cyber warriors -- excluding the ones in the Russia vs Georgia cyberattack -- aren't taking advantage of the concept, but are relying on grassroots movement. The reason for this is the lack of contact points between the sellers of the DDoS services and the potential buyers, at least for the time being.
Monitoring of the pro-Israeli patriot campaign would continue, with updates posted as soon as something actually happens.
Posted by Dancho Danchev at Wednesday, January 14, 2009
This tactic once again demonstrates the dynamics of the international underground communities whose understanding of valuable stolen goods greatly differ based on the local market's demand for a particular item. For instance, stolen accounting data for a MMORPG is more than access to a stolen banking account on the Chinese underground marketplace, and exactly the opposite on the Russian underground marketplace. Interestingly, if the IE zero day was first discovered and abused in a targeted nature by Russian parties the very last thing they'd be serving is a password stealer for a MMORPG given the far more valuable from their perspective crimeware. Here are all of the SQL injected domains participating in the attack, with two Chinese groups responsible for them :
SQL injected domains currently active:
- c.nuclear3 .com/css/c.js (188.8.131.52; 184.108.40.206;220.127.116.11) also SQL injected as c.%6Euclear3 .com/css/c.js in a cheap attempt to avoid detection
- zs.gcp.edu .cn/z.js redirects to alimcma .3322.org/a0076159/a07.htm (18.104.22.168) and then to tongjitj.3322 .org/tj/a07.htm
- w.94saomm .com/js.js (22.214.171.124) redirects to clc2007.nenu.edu .cn/tt/swf.htm (126.96.36.199)
- idea21.org/h.js (188.8.131.52) redirects to idea21 .org/index1.htm
- yrwap .cn/h.js (184.108.40.206) redirects to kodim .net/CONTENT/faq.htm
Currently down, for historical preservation purposes and case building as these were exclusively serving the ex-IE zero day in December, 2008:
Thankfully, the IE zero day attack in December is an example of a "wasted" zero day, with the potential for abuse not taken advantage of.
Massive SQL Injection Attacks - the Chinese Way
Yet Another Massive SQL Injection Spotted in the Wild
Obfuscating Fast-fluxed SQL Injected Domains
Smells Like a Copycat SQL Injection In the Wild
SQL Injecting Malicious Doorways to Serve Malware
SQL Injection Through Search Engines Reconnaissance
Stealing Sensitive Databases Online - the SQL Style
Fast-Fluxing SQL injection attacks executed from the Asprox botnet
Sony PlayStation's site SQL injected, redirecting to rogue security software
Redmond Magazine Successfully SQL Injected by Chinese Hacktivists
Posted by Dancho Danchev at Wednesday, January 14, 2009
Wednesday, January 07, 2009
Domains used on the bogus profiles :
sextapegirls .net (220.127.116.11)
celebsvids .net (18.104.22.168)
katynude .com (22.214.171.124)
delshikandco .com (126.96.36.199)
All the internal pages at sextapegirls .net (sextapegirls .net/1.html; sextapegirls .net/2.html; sextapegirls .net/3.html; sextapegirls .net/4.html; sextapegirls .net/5.html) redirect to hotvidz .info/5.html (188.8.131.52) as well as all the internal pages at celebsvids .net where TubePlayer.ver.6.20885.exe is served as a fake video player.
Among the rest of the domains used, katynude .com/1.html (184.108.40.206) redirects to quickly-porn-tube .net/get.php?id=20885&p=74 (220.127.116.11) which then redirects to tube-4you-best .com/xxplay.php?id=20885 (18.104.22.168) where 2009download-best-soft .com/TubePlayer.ver.6.20885.exe (22.214.171.124) is again served.
The fourth domain used on the bogus LinkedIn profiles, delshikandco .com/movies/linkedin.html (126.96.36.199) once deobfuscated leads to delshiktds .com/in.cgi?6 (188.8.131.52), a traffic management kit's redirection point which redirects to delshiktds .com/in.cgi?11, celebs-online2009 .com/video.php (184.108.40.206) and megaporntubesonline .com/xplays.php?id=88 where codecdownload.filesstorage4you .com/exclusivemovie.88.exe is served next to codecdownload.viewersoftwarearchive .com/exclusivemovie.0.exe (220.127.116.11) which a copy of Win32/Renos.
The downloader then phones back to :
dasgdasg .net (18.104.22.168)
new-york-images .com (22.214.171.124)
future-pictures .com (126.96.36.199)
Naturally, the people behind this malware campaign have centralized the rest of the malicious domains by parking them at the very same IPs used in the redirectors. The domains are pretty descriptive themselves, and it's also worth pointing out that they intend to start introducing newly registered fake security software ones:
The same people, the same tactics, different domains and netblocks used.
Posted by Dancho Danchev at Wednesday, January 07, 2009
Tuesday, January 06, 2009
Notable articles for December include ICANN terminates EstDomains, Directi takes over 280k domains (interview with Stacy Burnette from the ICANN); With 256-bit encryption, Acrobat 9 passwords still easy to crack (interview with Dmitry Sklyarov and Vladimir Katalov from Elcomsoft) and Gmail, Yahoo and Hotmail systematically abused by spammers.
01. AlertPay hit by a large scale DDoS attack
02. IT expert executed in Iran
03. Vendor claims Acrobat 9 passwords easier to crack than ever
04. Microsoft’s Live Search (finally) adds malware warnings
05. ICANN terminates EstDomains, Directi takes over 280k domains
06. Password stealing malware masquerades as Firefox add-on
07. With 256-bit encryption, Acrobat 9 passwords still easy to crack
08. Trusteer launches search engine for malware configuration files
09. With or without McColo, spam volume increasing again
10. Vint Cerf’s Twitter account hacked, suspended for spam
11. Gmail, Yahoo and Hotmail systematically abused by spammers
12. IE7 XML parsing zero day exploited in the wild
13. Four XSS flaws hit Facebook
14. Thousands of legitimate sites SQL injected to serve IE exploit
Posted by Dancho Danchev at Tuesday, January 06, 2009
The myth that geolocating their malicious activities would always end up in an Eastern European network where developed law enforcement agencies would have little to no jurisdiction at all, proved to be a common stereotype given that the well known cybercrime-friendly ISPs that were shut down in 2008 were and have always been U.S based operations. Therefore, the excuse of not being able to take action due to the lack of international law enforcement cooperation isn't appicable in this case.
So how should the cybercrime ecosystem be squeezed? Personalize it and communicate the levels of efficiency cybercriminals achieve by using the very same disturbing photos that they use to demonstrate the effectiveness of their web based stolen credit card shops in order to achieve the necessary public outbreak.
Even though I pretend that the research and profiles of the underground tools and services that I've been detailing throughout 2008 is cutting-edge research, this research is basically scratching the surface, but how come? Just like there's a perfect and bad timing for a particular product or service to hit the market, in this very same fashion the general public is still not ready to embrace some of the highly disturbing point'n'click identity theft services that have been operating for years. Sadly, some even question the usability and authenticity of these underground services, and therefore a change has to be triggered by starting to publish the cybercriminals' ROI out of using them in the form of the photos of users swimming in cash that they've cashed-out of the stolen credit cards. Disturbing? It's supposed to be, since it will not only prompt public outbreak, but also, have a well proven self-regulation effect on behalf of the service owner's, at least from my personal experience while profiling related services.
This is perhaps the perfect moment to emphasize on how important threat intell sharing with law enforcement, whether directly based on personal contacts or through one-to-many communication model through private mailing lists, a cyber threats analysts case-building capabilities would not only prove valuable in the long term, but would also make it easier for someone to do their prosecuting job faster. And while important, threat intell sharing with law enforcement is not the panacea of squeezing the cybecrime ecosystem, since cybercrime should not be treated as the systematic abuse of common IT insecurities for fraudulent purposes, instead, it should be treated as a form of economic terrorism. Only then, would cybercrime receive the necessary attention instead of such comments regarding McColo or Atrivo - "Resource-wise, we can't be in the business of prevention. We have to be in the business of prosecution." Exactly. I guess that just like you cannot be a prophet in your own country, you cannot also be a prophet in your own agency, thankfully, the wisdom of the cybercrime fighting crowd is always there to take care and get zero credit at the end of the day.
Personally, 2009 is going to be the year when personalizing cybercriminals would be taking place on a more regular basis, so stay tuned for an upcoming report summarizing "behind the curtains" cybercrime activities in 2008, underground responses to some of major busts of year including the DarkMarket operation, the fraudulent schemes allowing them to cash-out digital assets into hard cash, the basics of their social networking model, who's who in the hierarchy of a sampled business model of vendors of ATM skimming devices, the post-DarkMarket OPSEC practices introduced in order for cybecrime communities to verify the authenticity of their customers, the process of advertising and operating underground services as well as the communication methods used, in short - all the juicy details, screenshots and photos courtesy of the owners and customers of the services that haven't been communicated to the industry and the world throughout 2008.
Find attached a photo teaser acting as a confirmation for the usefulness of "yet another stolen credit card details service" in the wild, and have a productive year exposing low lifes and spilling coffee over their business models.
76Service - Cybercrime as a Service Going Mainstream
Using Market Forces to Disrupt Botnets
Localizing Cybercrime - Cultural Diversity on Demand
Localizing Cybercrime - Cultural Diversity on Demand Part Two
EstDomains and Intercage VS Cybercrime
E-crime and Socioeconomic Factors
Money Mules Syndicate Actively Recruiting Since 2002
Price Discrimination in the Market for Stolen Credit Cards
Are Stolen Credit Card Details Getting Cheaper?
The Underground Economy's Supply of Goods
Posted by Dancho Danchev at Tuesday, January 06, 2009